Gotta be careful. Someone dumped the firmware from their Tesla Model S and discovered info about the then-unannounced Model 3.<p>Tesla responded by disabling the car's ethernet port, downgrading the firmware, and preventing the car from receiving future upgrades to software.
> Interestingly, some of these geofences do not seem to have a clear connection to SpaceX. While we will not disclose these locations here, I will say that the SNOW_RANCH looks like a nice location to play with development hardware.<p>Most likely these are testing locations. Possibly even second homes of testers & engineers. After all, this is a product that has very different operating parameters depending on location.
Using ECC is very strange in this context. eMMC storage already provides for data correctness (and wear leveling of flash). If flash is corrupted to a point where internal error correction cannot compensate for it, eMMC will return no data, simply returning an error. This means that the additional level of error correction that they added will never ever be used.<p>Perhaps earlier revisions of this used raw NAND? Either that, or somebody got overzealous without thinking it through.
Been meaning to do this myself! Great to see it. :)<p>> <i>While we would have to perform some more tests it appears that a full trusted boot chain (TF-A) is implemented from the early stage ROM bootloader all the way down to the Linux operating system.</i><p>This unfortunately means it will likely be somewhat difficult (or infeasible) to reflash it with a custom firmware that uses actual GPS location for targeting of satellites but reports a couple km offset to the telemetry service APIs to keep my residence address somewhat private from my ISP.<p>It's a bummer they didn't share the dumps. It always bothers me when researchers act all coy about their results. Now I have to get my hands on a dish myself and do what they didn't (namely, actually publish the data).
Great writeup.<p>I haven't seen products that use geofences to verify debug flags. Would it be possible to spoof this using a fake GPS e.g. with SDR?
It appears that after they discovered the ECC encoding, they simply ignored the ECC data to extract the image. What if some deliberate (correctable) bit errors were scattered through the image? They have the code that implements the ECC algorithm. If I were them, I would have used it and perhaps even submitted a patch to binwalk so it would automatically recognize/decode the image.<p>Also, now that they have the image, they could try to override the geofence/fuse protections by running it on an SoC without the fuse blown, and an SDR-based GPS spoofer. Seems like a fun endeavor.
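The two comments above (the one questioning why an extra ECC layer sits on top of eMMC, and the one pointing out that stripping the ECC bytes is not the same as decoding them) are easier to reason about with a concrete flash-image layout. The following is an added example written for this page; it is not code from the original thread, from the researchers' writeup, or from the dish firmware. The layout and the code are assumptions chosen for illustration: each 256-byte data block is followed by 3 out-of-band bytes holding a Hamming-style SECDED check (a 16-bit syndrome that is the XOR of the 1-based positions of all set bits, plus an 8-bit overall parity). The real firmware's ECC scheme is not described on this page, so nothing here should be read as its format.

```python
"""Added example: stripping out-of-band ECC versus actually decoding it.

Toy flash-page layout (an assumption for illustration, not the dish's real
format): every 256-byte data block is followed by 3 ECC bytes, a 16-bit
syndrome (XOR of the 1-based bit positions of all set bits) and an 8-bit
overall parity.  One flipped bit gives syndrome == its position and odd
parity; two flips leave parity even with a nonzero syndrome (detected, not
corrected).  The check bytes themselves are not protected in this toy code.
"""
import struct

BLOCK = 256
ECC_LEN = 3
STRIDE = BLOCK + ECC_LEN


def _check_bits(block: bytes) -> tuple:
    """Return (syndrome, parity) for one data block."""
    syndrome = parity = 0
    for pos in range(len(block) * 8):
        if (block[pos >> 3] >> (7 - (pos & 7))) & 1:
            syndrome ^= pos + 1  # 1-based so a flip at bit 0 is still visible
            parity ^= 1
    return syndrome, parity


def ecc_encode(data: bytes) -> bytes:
    """Interleave data blocks with their ECC bytes; pads with 0xFF (erased flash)."""
    out = bytearray()
    for off in range(0, len(data), BLOCK):
        block = data[off:off + BLOCK].ljust(BLOCK, b"\xff")
        s, p = _check_bits(block)
        out += block + struct.pack(">HB", s, p)
    return bytes(out)


def strip_ecc(image: bytes) -> bytes:
    """What 'ignoring the ECC data' does: keep the data, drop OOB bytes, correct nothing."""
    return b"".join(image[off:off + BLOCK] for off in range(0, len(image), STRIDE))


def ecc_decode(image: bytes) -> tuple:
    """Verify and correct each block; returns (data, corrected_bit_count).

    Raises ValueError on an uncorrectable block (two data flips, or a damaged
    ECC byte, which this toy code cannot distinguish from two flips).
    """
    out, fixed = bytearray(), 0
    for n, off in enumerate(range(0, len(image), STRIDE)):
        block = bytearray(image[off:off + BLOCK])
        s0, p0 = struct.unpack(">HB", image[off + BLOCK:off + STRIDE])
        s, p = _check_bits(block)
        ds, dp = s ^ s0, p ^ p0
        if dp == 1:                       # odd number of flips: treat as one
            if ds == 0:
                pass                      # the parity byte itself flipped; data intact
            elif ds <= BLOCK * 8:
                pos = ds - 1
                block[pos >> 3] ^= 0x80 >> (pos & 7)
                fixed += 1
            else:
                raise ValueError(f"block {n}: syndrome out of range")
        elif ds != 0:                     # even flips, syndrome differs: uncorrectable
            raise ValueError(f"block {n}: uncorrectable error")
        out += block
    return bytes(out), fixed


def flip_bit(image: bytes, bit: int) -> bytes:
    """Copy of image with one bit inverted (bits counted MSB-first from byte 0)."""
    buf = bytearray(image)
    buf[bit >> 3] ^= 0x80 >> (bit & 7)
    return bytes(buf)


# Constructed sample image: a fake header plus a byte pattern, not real firmware.
SAMPLE = b"FAKE-FW-HEADER-v1\x00" + bytes((i * 7) & 0xFF for i in range(600))


def demo() -> dict:
    """Deliberate correctable errors: stripping keeps them, decoding removes them."""
    flashed = ecc_encode(SAMPLE)
    damaged = flip_bit(flashed, 8 * 5 + 2)               # block 0, byte 5, bit 2
    damaged = flip_bit(damaged, 8 * (2 * STRIDE + 100))  # block 2, byte 100, bit 0
    stripped = strip_ecc(damaged)
    decoded, fixed = ecc_decode(damaged)
    padded = SAMPLE.ljust(len(decoded), b"\xff")
    return {"stripped_matches": stripped == padded,   # False
            "decoded_matches": decoded == padded,     # True
            "corrected_bits": fixed}                  # 2


def demo_double_flip() -> bool:
    """Two flips in one block cancel the parity but not the syndrome: flagged, not fixed."""
    damaged = flip_bit(flip_bit(ecc_encode(SAMPLE), 3), 700)  # both inside block 0
    try:
        ecc_decode(damaged)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), demo_double_flip())
```

The point for an analyst is the `stripped_matches` result: a dump that "looks right" after dropping the OOB bytes can still carry every injected flip, and a signature or hash check over the extracted image will fail for no visible reason. Running the decoder costs a few lines once the scheme is known, and the `ValueError` path is also useful because blocks that are truly uncorrectable tell you where the dump itself is bad.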
Hmm, I wonder if locking down the boot chain like this is GPL compliant, since apparently even GPLv2 requires the ability to modify GPL parts on the device.<p><a href="https://sfconservancy.org/blog/2021/mar/25/install-gplv2/" rel="nofollow">https://sfconservancy.org/blog/2021/mar/25/install-gplv2/</a>