





## Glitched on Earth by Humans: A Black-Box Security Evaluation of the SpaceX Starlink User Terminal

**Lennert Wouters** 

@LennertWo



### Starlink 101









### **Teardowns**







youtube.com/c/MikeOnSpace @mikeonspace



youtube.com/c/ColinOFlynn @colinoflynn

youtube.com/c/KenKeiter @kenkeiter



danmurray.net @DanJMurray

olegkutkov.me

#BHUSA @BlackHatEvents 4 @olegkutkov



### **Hardware revisions**

#### **Circular UT**

- 59 cm (23,23") diameter
- Residential

- rev1\_pre\_production
- rev1 production
- rev1 proto1/2/3
- rev2\_proto0/1/3
- rev2\_proto2 (SoC cut 3)
- rev2\_proto4 (SoC cut 4)

### **Square UT**

- 50 x 30 cm (19" x 12")
- Residential and RV

- rev3\_proto0
- rev3 proto1
- rev3 proto2

### **High Performance UT**

- 57 x 51 cm (22" x 20")
- **Business and Maritime**

- hp1\_proto0
- hp1 proto1

#### **Transceiver**

- External phased array
- transceiver\_rev2p0/5

This talk (but attack should apply to all UT hardware)



### Accessible connectors on V2\*





ethernet + power

JST BM10B-ZPDSS-TF(LF)(SN)

motors

JST BM05B-ZESS-TBT(LF)(SN)

**UART** 

\*V1 hardware had an extra connector, V3 does not have easily accessible connectors



### **UART – U-Boot**

U-Boot 2020.04-gddb7afb (Apr 16 2021 - 21:10:45 +0000) → (Newer firmware no longer uses this version)

Model: Catson DRAM: 1004 MiB

MMC: Fast boot:eMMC: 8xbit - div2

stm-sdhci0: 0

In: nulldev

Out: serial Err: serial

CPU ID: 0x00020100 0x87082425 0xb9ca4b91

Detected Board rev: #rev2\_proto2

sdhci\_set\_clock: Timeout to wait cmd & data inhibit

FIP1: 3 FIP2: 3

BOOT SLOT B

Net: Net Initialization Skipped

No ethernet found.

U-Boot does not accept serial input (on non-development/fused hardware)

```
Board: SPACEX CATSON UTERM
= Type 'falcon' to stop boot process =
```



## **UART – Login Prompt**

Development login enabled: no

SpaceX User Terminal. user1 login:



### **PCB** overview

**GPS** receiver



59 cm (23,23")

Clock generation





### **RF Components**



- (A) Digital BeamFormer (DBF)
  - STM GLLBSUABBBA
  - Codename: SHIRAZ
- (B) Front-End Module (FEM)
  - Codename: PULSAR(AD)

- V2 hardware and up:
  - 1 DBF → 16 FEMs



## Siliconpr0n





siliconpr0n.org/archive/doku.php?id=mcmaster:spacex:gllbsuabbba-shiraz





id=mcmaster:spacex:gea-aa12-109d-tg02-pulsarad

Thanks to John McMaster!

@johndmcmaster



- (A) System-on-Chip
  - Custom quad-core ARM Cortex-A53
  - ST Microelectronics
    - GLLCCOCA6BF (cut 3?)
    - GLLCCODA6BF (cut 4?)
  - Codename: CATSON
- (B) Secure Element
  - STM STSAFE-A110
- (C) 4GB eMMC
- (D) 2 x 4Gbit DDR3



### SoC

- through substrate image
  - GLLCCOCA6BF (cut 3?)
  - Thorlabs NIR camera
  - Mitutoyo NIR objective 50x
- Can help narrow down interesting locations for some physical attacks
- Full resolution version will be available on siliconpr0n.org!





## Identifying eMMC test points





### Reading eMMC in-circuit



SD card reader

TXS0202EVM Level shifter



What I did | What I recommend

Low Voltage eMMC Adapter by









## Extracting the eMMC dump

- Split the dump into:
  - TF-A Bootstages: Firmware Image Packages
    - unpack with TF-A fiptool
  - Flattened ulmage Tree (FIT)
    - unpack with U-Boot dumpimage
  - SpaceX Runtime (dm-verity, error correcting codes)
  - SpaceX Calibration (dm-verity)
  - SpaceX EDR (LUKS)
  - SpaceX dish config (LUKS)
- More details:
  - o beet of beet

esat.kuleuven.be/cosic/blog/dumping-and-extracting-the-spacex-starlink-user-terminal-firmware

#define CATS BOOTFIP 0 OFFSET 0x00000000 #define CATS BOOTFIP 1 OFFSET 0x100000 #define CATS BOOTFIP 2 OFFSET 0x200000 #define CATS BOOTFIP 3 OFFSET 0x300000 #define CATS BOOTTERM1 OFFSET 0x400000 #define CATS BOOTMASK1 OFFSET 0x480000 #define CATS BOOT A 0 OFFSET 0x600000 #define CATS BOOT B 0 OFFSET 0x700000 #define CATS BOOT A 1 OFFSET 0x800000 #define CATS BOOT B 1 OFFSET 0x900000 #define CATS UBOOT TERM1 OFFSET 0xA00000 #define CATS UBOOT TERM2 OFFSET 0xB00000 #define CATS UNUSED OFFSET 0xC00000 #define CATS VERSION INFO B OFFSET 0xF50000 #define CATS SECRETS A OFFSET 0xF70000 #define CATS SECRETS B OFFSET 0xF90000 #define CATS SXID OFFSET 0xFB0000 #define CATS KERNEL A OFFSET 0x1000000 #define CATS CONFIG A OFFSET 0x2800000 #define CATS KERNEL B OFFSET 0x3000000 #define CATS CONFIG B OFFSET 0x4800000 #define CATS SX B OFFSET 0x6800000 #define CATS EDR OFFSET 0x8000000 #define CATS DISH CONFIG OFFSET 0x113D1C00

U-Boot GPL sources: spacex\_catson\_boot.h

# USA 2022

### blackhat Temperature and RF channels

```
1 # This file describes the limits for thermal control.
 2 # All temperatures are in degrees Celsius.
 3 # All control cycle counts are for 50 Hz.
 5 # ------ Power-cut ------
 7 # When any sensor exceeds these trip thresholds for its corresponding
8 # persistence, the power to all DBFs and FEMSs will be cut. The User Terminal
9 # must reboot to recover. These temperatures are slightly above the maximum
10 # junction temperature of the corresponding components. MAC throttle and forced
11 # idle is intended to more-gracefully take care of all overtemp situations.
12 # This FDIR is a last-ditch response to reduce in case idling is insufficient
13 # or we have lost control of the beamformers.
14
15 center power cut.t trip 90.0
16 cpu0 power cut.t trip
                            128.0
17 pa power cut.t trip
                            118.0
18 dbf power cut.t trip
                            118.0
19
21 # The number of cycles that the trip thresholds must be exceeded for before
22 # the power-cut FDIR activates.
24 center power cut persistence limit
                                       2000 # 40 seconds
25 cpu0 power cut persistence limit
                                       2000 # 40 seconds
26 pa power cut persistence limit
                                        2000 # 40 seconds
27 dbf power cut persistence limit
                                        2000 # 40 seconds
29 # The number of cycles from when power-cut is tripped to when the UT reboots.
30 # Gives time to allow the UT to cool down.
31
32 power cut reboot delay 30000 # 10 minutes
34
35 # ------ Forced-idle -----
37 # When any sensor exceeds these trip thresholds for its corresponding
38 # persistence, all DBFs and FEMSs will be commanded to Idle mode.
39 # Once all sensors have fallen below their clear thresholds, normal
```

```
"channel id": 13,
"direction": "uplink"
"end": 14.1875,
"start": 14.125
"channel id": 14,
"direction": "uplink"
"end": 14.25,
"start": 14.1875
```

```
"laser channel definitions": [
      "color": "LASER COLOR RED",
      "frequency ghz": 192700,
      "itu channel id": 27
  },
      "color": "LASER COLOR BLUE",
      "frequency ghz": 193500,
      "itu channel id": 35
```



## Development geofences







## **Obtaining root**





### Fault injection

- ✓ Flip-chip packaging exposes die backside
  - Laser Fault Injection, Body Bias Injection, Electromagnetic Fault Injection
- x PCB is too big for our automatic XYZ positioning equipment
  - Likely cumbersome to do on a roof...
- x No development kits

- Differential clock input
  - (But PLL?)
- Reset line
- Voltage Fault Injection







### **Crowbar VFI**

- NewAE ChipWhisperer-Lite (~ \$250)
  - Glitch port is connected to the SoC core voltage
  - Momentarily shorts core voltage to GND
- Core voltage:~1V, generated by TI TPS56C230
- All decoupling capacitors untouched at this point!
- Oscilloscope triggers on serial data
  - Trigger output is input to the ChipWhisperer-Lite
- Glitch parameters controlled from Python
  - Offset from trigger point
  - Glitch width





## Example output

```
Development login enabled: [
                              7.387682] 002: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000820
     7.387702] 002: Mem abort info:
sh: 0: unknown operand
     7.3877041 002: ESR = 0 \times 960000006
yes
     7.387707] 002: EC = 0x25: DABT (current EL), IL = 32 bits
     7.387711] 002: SET = 0, FnV = 0
     7.387714] 002: EA = 0, S1PTW = 0
     7.387716] 002: Data abort info:
     7.387718] 002: ISV = 0, ISS = 0 \times 000000006
     7.387721] 002: CM = 0, WnR = 0
     7.387723] 002: user pgtable: 4k pages, 39-bit VAs, pgdp=00000000a51fd000
     7.387730] 002: [0000000000000820] pgd=00000000a50d1003, pud=0000000a50d1003, pmd=000000000000000000
     7.387739] 002: Internal error: 0ops: 96000006 [#1] PREEMPT RT SMP
     7.387748] 002: Modules linked in:
     7.387753] 002: CPU: 2 PID: 275 Comm: syslogd Not tainted 5.4.34-rt21-gfd24730 #1
     7.387760] 002: Hardware name: spacex satellite user terminal (DT)
     7.387766] 002: pstate: 00000005 (nzcv daif -PAN -UAO)
     7.387770] 002: pc : do undefinstr+0x2c/0x1d8
     7.3877871 002: lr : el0 undef+0xc/0x10
     7.387793] 002: sp : ffffffc0145b3e70
     7.387797] 002: x29: ffffffc0145b3e70 x28: ffffff8025009a00
     7.387803 002: x27: 00000000000000 x26: 0000000000000000
     7.387808 002: x25: 0000000002000000 x24: 0000000000000000
     7.387814] 002: x23: 0000000080000000 x22: 000000000403fb0
     7.387818] 002: x21: 00000000ffffffff x20: 000000000000000
     7.387823 002: x19: 00000000000018 x18: 000000000000000
     7.387828 002: x17: 00000000000000 x16: 0000000000000000
     7.387832 002: x15: 00000000000000 x14: 0000000000000000
```



### Results

- ✓ The Proof-of-Concept works
  - ✓ Was reproduced by the SpaceX PSIRT
- ✓ Easy to produce (undesirable) faults
  - ✓ A fully booted SoC is already being pushed to its limits

- x Slow: 1 attempt every 12 seconds (one per boot)
  - x Low success rate: many hours for one good attempt
- x Unreliable: successful glitch often also results in other errors

```
Development login enabled: yes
SpaceX User Terminal.
user1 login: root
Password:
The Flight Software does not log to the console. If you wish to view
the output of the binaries, you can use:
tail -f /var/log/messages
Or view the viceroy telemetry stream.
<0x1b>7<0x1b>[r<0x1b>[999;999H<0x1b>[6n[root@user1 ~]# id
uid=0(root) gid=0(root) groups=0(root),10(wheel),1000(signers)
```



### STM/SpaceX ARM TFA-A

#### **SoC Root of Trust**

### BSEC peripheral (eFuses)

- Root Of Trust Public Key
- Security state
- RMA state
- Rollback counters
- LUKS keys

#### **ROM Bootloader**

- Immutable
- Loads and verifies BL2
   Uses the ROTPK
- Uses internal SRAM

#### ST Mini Certificate (144 bytes)

- Magic: STM1
- Rollback counters
- SHA512 of signed data
- ED25519 signature;

#### eMMC

- BL2 (Trusted boot firmware)
- BL31 (Secure world runtime firmware)
- BL33 (U-Boot)
- Flattened ulmage Tree (FIT)
- SpaceX Runtime (dm-verity)
- Calibration/EDR/... (dm-verity / LUKS)

- 1. BL1 loads BL2 certificate from eMMC
- 2. BL1 verifies the certificate's signature
- 3. BL1 loads the BL2 firmware from eMMC
- 4. BL1 verifies that SHA512(BL2) matches the hash contained in the certificate





## **BL1 Glitch setup**

- Try to boot with (in)valid signature, hash and firmware
- Try to glitch a valid certificate into a signature verification failure









### Normal boot





### Glitched boot





## ROM Bootloader (BL1)

- Mapped at 0x30000000 and readable from BL2!
  - BSEC eFuses mapped at 0x22400000 (shadow registers)
- Emulated the ROM bootloader using Unicorn Engine
  - Fuzzed using AFL++ in Unicorn mode
- Simulated instruction skip faults in Unicorn Engine
  - Single instruction skip faults do not result in the observed behavior!
    - Code has some control flow checks and redundant operations
  - Skipping two consecutive instructions does result in the observed behavior
    - (Actual fault model is likely to be different)





github.com/AFLplusplus/AFLplusplus



## **BL1** glitch detection example

### **BL1 UART output**

INFO: BL1: Get the image descriptor

INFO: BL1: Loading BL2

INFO: Loading image id=6 at address 0x30209000

INFO: Skip reserving region [base = 0x30209000, size = 0x90]

INFO: Image id=6 loaded at address 0x30209000, size = 0x90

INFO: cert\_nv\_ctr:1

INFO: plat\_nv\_ctr:0

INFO: Loading image id=1 at address 0x30209000

INFO: Image id=1 loaded at address 0x30209000, size = 0xf178

NOTICE: BL1: Booting BL2

NOTICE: plat\_error\_handler err = -80

INFO: Authentication error !!!

Certificate has been loaded Contains invalid signature but valid digest of BL2 firmware

Signature verification succeeded!

Loaded BL2 firmware and verified hash digest

Final control flow check detects our glitch!



## BL1 glitch detection example

```
bool verify signature(long param 1,int param 2,long param 3,int param 4,long *param 5,int param 6,
  void BL1 main(void)
                                                                                                              undefined8 param 7)
4
    int iVarl;
                                                                                            int iVarl;
     int iVar2;
    long lVar3;
                                                                                            if (((param 2 == 0x50) && (param 3 + 0x40 == param 1)) &&
    char * format;
                                                                                               ((param 4 == 0x40 && param 6 == 8) && *param 5 == 0x39313535324445)) {
    undefined8 uVar4;
                                                                                              DAT 30200084 signature check val = 0x5a7cbe01;
                                                                                              iVar1 = ed25519_verify(param_1,0x50,param_3,param_7);
    long unaff x21;
                                                                                              if (iVarl == 1) {
    long unaff x22;
                                                                                                             /* Signature check succeeded */
                                                                                                DAT_30200084_signature_check_val = 0xb134f725;
    DAT 30200080 hash check val = 0x5a7cbe01;
    DAT 30200084 signature check val = 0x5a7cbe01;
                                                                                              return iVarl == 0:
    DAT 302048e4 = 0;
    printf(s NOTICE: BL1: %s 3000c1b8,s v1.3(release):f26889a 3000b058);
                                                                                            return true;
    printf(s NOTICE: BL1: %s 3000clb8,s Built : 13:04:48, Jul 30 2018 3000b070);
```

```
2  void final_error_checking(void)
3
4 {
5   if ((DAT_30200080_hash_check_val == L'\xb134f725') &&
6     (DAT_30200084_signature_check_val == L'\xb134f725')) goto LAB_3000094c;
7   do {
8     plat_error_handler(0xffffffb0);
9   LAB_3000094c;
10  } while (DAT_302048e4 < DAT_2240000c);
11   return;
12 }</pre>
```



## **Enabling decoupling capacitors**

- Decoupling capacitors are needed for later boot stages
- Experimented with:
  - N-channel MOSFETS
  - P-channel MOSFETS
  - High/Low side switching
  - Gate voltage
  - MOSFET drivers
  - Capacitor sizes
  - Timing







### Researcher access

- Demonstrated a full attack in the lab!
  - But the setup is still too bulky to be used in a practical setting (e.g., on the roof)
- SpaceX offered an easy way out: SSH access through a Yubikey
  - But I was already too far down the rabbit hole ...

```
vehicle=$(whatVehicleAmI)
    rev=$(whatRevAmI)
16
    nodetype=$(whatNodeTypeAmI)
18
    if [ "$vehicle" = "uterm" ] && [ "$rev" != "0" ]; then
19
        # Create static AuthorizedPrincipalsFile for UTs and Transceivers only.
20
        catson uuid="\$(printf "\$08x-\$08x-\$08x\n" \
21
                            $(cat /sys/bus/platform/devices/*.catson_fuses/devid[012]))"
22
23
24
        # Maintain compatibility with transceiver certificate format.
25
        principal=$vehicle
        if [ "$(whatVehicleVariantAmI)" = "starlink transceiver" ]; then
26
            principal="transceiver"
27
28
29
        echo "spacex:$principal:researcher:$catson uuid" > /etc/ssh/authorized principals
```



## Creating a mobile setup

- Replacing lab equipment with low-cost off-theshelf components
- RPI Pico replaces oscilloscope and ChipWhisperer
- Works
  - But still messy...





## PCB design

- Scanner @ 600 DPI
- Draw board outline at real size in Inkscape
  - Load in KiCad and use in the edgecuts layer







## Modchip





**Decoupling MOSFETs** 



RP2040 @250MHz PIO for triggering

and glitch generation

→ 2 channel MOSFET driver



Available on GitHub!



UT RST

0,8 mm

6 cm

2,36"



## Installed modchip

Core voltage regulator enable pin (for power cycling)

12V for MOSFET drivers and standalone power



1V8 for level shifter

holackhat USA 2022







### SpaceX strikes back

- I did a firmware update...
- Previously unused eFuse is now blown and disables UART output
- Modchip was designed to trigger on UART

```
if (L'\xfffffffff < BSEC UART EN) {
 DAT 30204160 UART EN = L'\xde486bc3';
if (DAT_30204160 UART EN == L'\xde486bc3') {
  _GLLCFF_SYSCFG_PIO_A_BASE = _GLLCFF_SYSCFG_PIO_A_BASE & 0xf1
 DataSynchronizationBarrier(3,3);
                                                                  Improvise. Adapt. Overcome
  _GLLCFF_SYSCFG_PIO_A_BASE_A0 = _GLLCFF_SYSCFG_PIO_A_BASE_A0
 DataSynchronizationBarrier(3,3);
 uVar1 = 100000000:
 if (( BOOTMODE REGISTER 09130048 & 1) != 0) {
    uVar1 = 2000000000:
 set uart baud(&UART BAUDRATE, uVar1, 115200);
 printf(s_INFO:_AUTOSTARTUP_MODE_=_%d_3000b08e,(ulong)(_B00TMODE_REGISTER_09130048 & 1));
```



## Adapt





### Overcome

- Trigger on eMMC D0 instead of UART
- Modchip could be easily adapted
  - Disconnect UT UART TX
  - Connect to eMMC D0
  - Update glitch parameters from Python
- Alternative: new PCB revision





## **Network exploration**

- All interesting communication uses mutually authenticated TLS (STSAFE)
- Added STSAFE support to the tIslite-ng TLS implementation
  - Python script to download the latest firmware updates
- Mostly IPv6 2620:134:b000::1:0:0
  - Open ports (nmap): 8001-8012, 9000, 9003, 9005, 9010, 9011

#### Protocol Length Info 3 2620:134:b000:104:af24:36:: 2620:134:b000::1:0:0 4 2620:134:b000:104:af24:36:: 2620:134:b000::1:0:0 UDP 133 50256 → 8010 Len=85 5 2620:134:b000:104:af24:36:: 2620:134:b000::1:0:0 140 50256 → 8010 Len=92 6 2620:134:b000:104:af24:36:: 2620:134:b000::1:0:0 7 2620:134:b000:104:af24:36:: 2620:134:b000::1:0:0 8 2620:134:b000:104:af24:36:: 2620:134:b000::1:0:0 72 42540 → 9005 [ACK] Seq=1 Ack=1 Win=503 Len=0 TSval=692614557 TSecr=2495702 9 2620:134:b000:104:af24:36:: 2620:134:b000::1:0:0 626 50256 → 8010 Len=578 10 2620:134:b000:104:af24:36:: 2620:134:b000::1:0:0 518 50256 → 8010 Len=470 246 50256 → 8010 Len=198 11 2620:134:b000:104:af24:36:: 2620:134:b000::1:0:0 1300 9003 → 43276 [ACK] Seq=1 Ack=135 Win=8 Len=1228 TSval=2495721239 TSecr=6920 72 43276 → 9003 [ACK] Seq=135 Ack=1229 Win=503 Len=0 TSval=692618062 TSecr=249 2620:134:b000:104:af24:36:: TLSv1.2 559 Application Data 16 2620:134:b000::1:0:0 17 2620:134:b000:104:af24:36:: 2620:134:b000::1:0:0 72 43276 → 9003 [ACK] Seq=135 Ack=1716 Win=500 Len=0 TSval=692618063 TSecr=249 18 2620:134:b000:104:af24:36:: 2620:134:b000::1:0:0 21 2620:134:b000:104:af24:36:: 2620:134:b000::1:0:0 72 39302 → 8002 [ACK] Seq=1 Ack=1 Win=64512 Len=0 TSval=692618634 TSecr=24957 22 2620:134:b000:104:af24:36:: 2620:134:b000::1:0:0 279 Client Hello 23 2620:134:b000::1:0:0 2620:134:b000:104:af24:36:: TCP 72 8002 → 39302 [ACK] Seq=1 Ack=208 Win=65536 Len=0 TSval=2495721997 TSecr=692 2620:134:b000:104:af24:36:: TLSv1.2 1300 Server Hello 72 39302 → 8002 [ACK] Seq=208 Ack=1229 Win=64384 Len=0 TSval=692618809 TSecr=2 25 2620:134:b000:104:af24:36:: 2620:134:b000::1:0:0 26 2620:134:b000::1:0:0 414 Certificate, Server Key Exchange, Certificate Request, Server Hello Done 27 2620:134:b000:104:af24:36:: 2620:134:b000::1:0:0 72 39302 → 8002 [ACK] Seq=208 Ack=1571 Win=64384 Len=0 TSval=692618809 TSecr=2 28 2620:134:b000:104:af24:36:: 2620:134:b000::1:0:0 847 50256 → 8010 Len=799 29 2620:134:b000:104:af24:36:: 2620:134:b000::1:0:0 TLSv1.2 788 Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, 30 2620:134:b000:104:af24:36:: 2620:134:b000::1:0:0 211 50256 → 8010 Len=163 72 8002 - 39302 [ACK] Seq=1571 Ack=924 Win=65536 Len=0 TSval=2495722373 TSecr 2620:134:b000:104:af24:36:: TCP 842 New Session Ticket, Change Cipher Spec, Encrypted Handshake Message 72 39302 → 8002 [ACK] Seg=924 Ack=2341 Win=64384 Len=0 TSval=692619193 TSecr

#### Firmware update archive

| •                                                    |   |         |
|------------------------------------------------------|---|---------|
| Name                                                 | • | Size    |
| 🔝 0ad30efd-5511-48bd-86e6-a9a5bd9c4140.uterm.release |   | 34,3 MB |
| 🔝 0ff779fe-a697-4464-8fe4-e05d4aa51754.uterm.release |   | 36,0 MB |
| 6e4bc82a-9fa9-442d-8be0-92ef529514e7.uterm.release   |   | 33,9 MB |
| 🔝 7e10fc86-eb96-4b86-a0d4-95a45017944d.uterm.release |   | 36,0 MB |
| 169171df-70e1-4858-9d6f-9ba0885891a1.uterm.release   |   | 36,3 MB |
| 29424243-0ba5-4e9b-b402-79d25cb6f8de.uterm.release   |   | 50,3 MB |
| a6b08c6e-3b2d-4346-af31-a54397819878.uterm.release   |   | 35,7 MB |
| b9b5b228-5d06-4bd5-999f-8f278d8022d4.uterm.release   |   | 50,3 MB |
| aco6c67d2-401c-4d6a-9bd2-25af7370392b.uterm.release  |   | 33,1 MB |
| c9ae03c7-e90a-4f61-87e8-fb484272f30b.uterm.release   |   | 35,9 MB |
| cd5f774c-1c0e-4da8-9411-e7538713f511.uterm.release   |   | 36,3 MB |
| de06deab-2814-4496-9ad7-bd47cc9e6ecc.uterm.release   |   | 35,9 MB |
| ffbba606-958e-40c1-9668-b8f1cbf13081.uterm.release   |   | 50,3 MB |
|                                                      |   |         |



### What's next?

- You can make your own modchip and use it to:
  - Further explore the network infrastructure
    - Not accessible as a normal user
    - Integrate the STSAFE with GRPC
  - Interact with the Digital BeamFormers and update their firmware
  - Repurpose your terminal?

```
[root@user1 bin]# ./ut_silicon_diag --dbf=1 --write_csv=false
FSW peek/poke client created successfully.
Clearing Shiraz RFFE FIFO Status register.
2.
Functional read: 2.3.4.5.6.7.8.9.10.11.12.13.14.15.16.17.18.19.20.21.22.23.2
2.
Engineering read: 2.3.4.5.6.7.8.9.10.11.12.13.14.15.16.17.18.19.20.21.22.23.2
2.
dbf_id,fem_id,func_reg_0F_00,eng_reg_0F_00
1,2,0x3B1C1B00C21AC3980E04AA401026414D,0x0000C4D91C25539B00621654970B3400
1,3,0xBB1A1800C21AC3980F059A040425C56D,0x8000D70A1D246099006214C945190AAD
1,4,0x36181800C21AC3980E04ACC02416416D,0x0000025E91C21509900621654970C1788
1.5.0xBA1A1A00C21AC3980E0599041226C96D.0x8000D4EB1C23529A006214C94515B1B0
```



### Conclusion

- We can bypass secure boot using voltage fault injection in BL1
  - Quad core Cortex-A53 in a black box scenario
    - no documentation, no open development kits
  - Enabling and disabling of decoupling capacitors
  - Fault injection countermeasures are only as good as the fault model that was used
- This is a well-designed product (from a security standpoint)
  - No obvious (to me) low-hanging fruit
  - In contrast to many other devices getting a root shell was challenging
  - And a root shell does not immediately lead to an attack that scales
- SpaceX PSIRT was very responsive and helpful!
  - <a href="https://bugcrowd.com/spacex">https://bugcrowd.com/spacex</a> vulnerabilityreporting@spacex.com





Demo!

/dev/ttyUSB1 115200-8-N-1 DTR RTS CTS CD DSR RI



### Thanks!

- Arthur Beckers
- Gert Van Beneden
- Tim Ferrell
- John McMaster
- Dan Murray
- Colin O'Flynn