A modchip to root Starlink user terminals through voltage errors

A modchip is a small circuit board that is mounted directly onto a larger board, tapping into points on that board to make it do something it was not intended to do. We’ve typically seen modchips used with old game consoles, bypassing DRM protection in a way that a software hack couldn’t quite manage. As software complexity, and thus the attack surface, increased on newer consoles, software hacks took the stage. But on more integrated pieces of hardware, we still want to go back to the old ways – and that’s what this modchip-based hack of a Starlink terminal brings us.

[Lennert Wouters]’ team poked and prodded at the Starlink user terminal, trying to gain root access, and needed to bypass the ARM Trusted Firmware boot integrity checks. The terminal’s PCB is the size of a satellite dish, so things like laser fault injection are difficult to set up – so they went the voltage fault injection route. Much poking and prodding later, they developed a way to reliably glitch the CPU into accepting a modified firmware, and arrived at a root shell – the journey is described in the BlackHat talk embedded below.
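To make concrete what a voltage glitch has to achieve here, the following is an added example (not code from the Starlink terminal, from ARM Trusted Firmware, or from Wouters’ team). It simulates the kind of single-decision integrity check that a transient fault can flip, next to a hardened variant that needs two independent comparisons and a wide sentinel value to pass. The glitch model, the `compare_digest` helper, the `glitch_t` pulse counter and the short constructed digests are all assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not the terminal's own boot code. It models the class of
 * check that a voltage glitch defeats: a firmware digest comparison whose
 * single "equal / not equal" decision is all that stands between a rejected
 * image and a root shell. */

#define HASH_LEN 8   /* constructed: a short stand-in for a real digest */

/* Glitch model (an assumption for this example): one transient fault
 * corrupts the outcome of exactly one comparison, forcing it to "equal".
 * `pulses` is how many faults land; 1 is the single-glitch case. */
typedef struct { int pulses; } glitch_t;

static int compare_digest(const uint8_t *a, const uint8_t *b, glitch_t *g)
{
    int diff = memcmp(a, b, HASH_LEN);
    if (g && g->pulses > 0) {       /* a pulse lands on this comparison */
        g->pulses--;
        return 0;                   /* outcome forced to "equal" */
    }
    return diff;
}

/* Naive check: one comparison, one boolean. A single corrupted flag or
 * skipped branch is enough to accept any image. */
static bool naive_verify(const uint8_t *expected, const uint8_t *actual, glitch_t *g)
{
    return compare_digest(expected, actual, g) == 0;
}

/* Hardened check: two independent comparisons must both pass, and the
 * result is a wide sentinel rather than 0/1, so a single fault cannot
 * produce VERIFY_OK. */
#define VERIFY_OK   0x5AA5C33Cu
#define VERIFY_FAIL 0xA55A3CC3u

static uint32_t hardened_verify(const uint8_t *expected, const uint8_t *actual, glitch_t *g)
{
    volatile uint32_t result = VERIFY_FAIL;

    if (compare_digest(expected, actual, g) != 0)
        return VERIFY_FAIL;
    /* Second, independent comparison: a fault that flipped the first one
     * does not carry over into this one. */
    if (compare_digest(expected, actual, g) != 0)
        return VERIFY_FAIL;
    result = VERIFY_OK;
    /* Re-read the sentinel before acting on it. */
    if (result != VERIFY_OK)
        return VERIFY_FAIL;
    return result;
}

/* Constructed digests: the value from a signed manifest and the digest of
 * a tampered image that differs in its last byte. */
static const uint8_t k_expected[HASH_LEN] = {0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88};
static const uint8_t k_tampered[HASH_LEN] = {0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x89};

/* Returns 1 if the tampered image is accepted when `pulses` faults land. */
int naive_accepts_tampered(int pulses)
{
    glitch_t g = { pulses };
    return naive_verify(k_expected, k_tampered, &g) ? 1 : 0;
}

int hardened_accepts_tampered(int pulses)
{
    glitch_t g = { pulses };
    return hardened_verify(k_expected, k_tampered, &g) == VERIFY_OK ? 1 : 0;
}

/* Sanity check: a genuine image must still pass the hardened path. */
int hardened_accepts_genuine(void)
{
    return hardened_verify(k_expected, k_expected, NULL) == VERIFY_OK ? 1 : 0;
}
```

The point of the simulation is the caveat, not the sentinels themselves: redundancy only raises the number of well-timed faults needed (the hardened path still falls to two pulses in this model), which is why practitioners treat it as one layer beside glitch detectors, brown-out monitors and minimising what a root shell can reach.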

To make the hack more compact, repeatable, and cheap, they decided to move it from a mess of wires and boards to a slim form factor, and that’s where the modchip design came from. For that, they put the terminal PCB into a scanner, traced out a board outline, loaded it into KiCad, and put all the necessary voltage glitching and monitoring parts on a single board, driven by the venerable RP2040 – this board has everything you’d need if you wanted to root the Starlink user terminal. Thanks to the flexibility of the modchip design, when Starlink released a firmware update that disabled the UART output used for monitoring, they could easily redirect the signal to an eMMC data line instead. Currently the KiCad source files are not available, but there are Gerber and BOM files on GitHub in case we want to make our own!

Hacks like these undoubtedly set a new bar for what we can achieve while bypassing security protections. Hackers have designed all sorts of modchips, for both proprietary and open technology – we’ve seen one that lets you use third-party filters in your “smart” air purifier, another that lets you use your own filament with certain 3D printers, and one which allows you to add a ton of games to an Arduboy. With the RP2040 in particular, just this year we’ve seen it used to build a Nintendo 64 flash cart, a PlayStation 1 memory card, and a mod that adds homebrew support to a GameCube. If you’ve been looking to build hardware add-ons that improve the technology you use, either by removing protection or adding features, there’s no better time than today!
