
Reverse Engineering of the Starlink User Terminal

Andrea Angelo Raineri

Reverse Engineering of the Starlink User Terminal.

Advisor: Riccardo Sisto. Politecnico di Torino, Master's degree programme in Cybersecurity, 2025

Abstract:

Starlink is the world's leading satellite-based Internet Service Provider, serving more than 7 million users globally through its Low Earth Orbit constellation. Beyond its commercial success in providing connectivity to remote and underserved regions, Starlink has increasingly become critical infrastructure for military operations and disaster recovery in conflict zones such as Ukraine, where terrestrial infrastructure is compromised. This widespread adoption and strategic importance make a comprehensive security analysis necessary, in order to identify potential vulnerabilities that could compromise its users, from individual consumers to military deployments.

Prior research provided an initial understanding of the Starlink User Terminal (UT), including hardware teardowns that identified components and debug interfaces, invasive firmware extraction via eMMC chip-off techniques, and firmware structure analysis. A successful power-glitch fault injection attack also allowed researchers to bypass secure boot protections and gain root access to the UT. These efforts, mostly focused on initial iterations of the platform from 2021 to 2023, typically required specialized equipment and physical hardware modification.

Building upon this existing research, this thesis extends the security analysis of the Starlink User Terminal ecosystem (architecture, software implementation, and communication protocols), with particular focus on the Starlink Mini device. The methodology begins with a black-box analysis phase to identify exposed communication interfaces and enumerate network services. This reconnaissance of network endpoints, together with reachability testing across multiple configurations, establishes the boundaries of the potential attack surface. The phase is augmented by an analysis of API service definitions and by dynamic instrumentation of client-side applications, to inspect communication protocols and understand how access control is implemented.

The insights from the initial phase inform a subsequent gray-box analysis, enabled by the development of a novel firmware retrieval methodology that does not require physical hardware access, thereby overcoming a key barrier present in prior research. This stage employs a combination of reverse engineering techniques, including static analysis of firmware binaries, protocol emulation, and fuzz testing of discovered services. The firmware analysis focuses on understanding the implementation of core security features, such as request authentication mechanisms, firmware signature verification routines at device startup and during software upgrades, and the update procedures of internal subsystems.

This work advances the technical understanding of Starlink technology through a comprehensive analysis of its User Terminal architecture and protocols. A key enabler of this investigation is the non-invasive firmware retrieval technique developed during this research, which removes significant barriers that previously limited independent security assessment, enabling more accessible analysis of a platform that now serves critical civilian and military infrastructure worldwide. The findings and methodologies presented establish a foundation for continued security research, with immediate opportunities for deeper future investigation of update validation logic and of the interaction between internal subsystems.

Advisors: Riccardo Sisto
Academic year: 2025/26
Publication type: Electronic
Number of pages: 58
Additional information: Thesis under embargo. Full text not available
Subjects:
Degree programme: Master's degree programme in Cybersecurity
Degree class: New system > Master's degree > LM-32 - Computer Engineering
Partner companies: RCS E T M SICUREZZA SPA
URI: http://webthesis.biblio.polito.it/id/eprint/38704