The small satellite "Beesat-1", built at the Technical University of Berlin (TU Berlin), was launched on an Indian rocket in the autumn of 2009 into a relatively high orbit more than 700 kilometers above the Earth. It was intended not only to serve as the model for the rest of the Beesat family, but also to prove that micro- and pico-satellites weighing less than a kilogram can perform technical functions similar to those of their big brothers. By 2013, however, the craft no longer served any purpose: it could no longer send useful data back to the university. With a few tricks, a resourceful hacker has now managed to repair the satellite from the ground and make it fully functional again for the next 20 years, despite the failure of its update mechanism.
What sounds like a fairy tale became reality, as the hacker PistonMiner revealed on Saturday at the 38th Chaos Communication Congress (38C3) in Hamburg. Beesat-1 went into space as one of the early palm-sized CubeSats, with external dimensions of approximately 10 × 10 × 10 centimeters. Its main purpose was to demonstrate the performance of newly developed micro reaction wheels and other technologies for micro-satellites.
In 2011, Beesat-1 began transmitting invalid telemetry data for the first time. Developers are particularly interested in this automatically collected raw information. After a while the operators switched to the second on-board computer, and the corresponding communications module once again sent the researchers' coveted data back to Berlin. In 2013, however, the second computer also ran into problems. The researchers at TU Berlin had no choice but to essentially shut down operations. Since then they have only checked once every few years whether the satellite still responds to commands.
Computing power as powerful as a game console
PistonMiner, who works with TU Berlin, was particularly interested in reviving Beesat-1 because its higher orbit means it will remain in space for years to come; almost all other members of the series have already burned up in the atmosphere. To solve the problem, the student first had to work out how the little craft functions. According to him, Beesat-1 has two CAN buses, the kind of bus that is very common in cars. The communication system consists of two redundant chains, each with an antenna, a transceiver and a terminal node controller (TNC), operating at 4.8 kbps.
The on-board computer consists of two redundant ARM7-based microcontrollers clocked at 60 MHz, which according to PistonMiner gives it roughly the computing power of a game console. It has 16 MB of program memory, and in principle new software can be loaded via remote commands after launch. Recorded data is stored in 4 MB of telemetry memory, and there is also 2 MB of SRAM. Moving at 7.5 kilometers per second, Beesat-1 takes 100 minutes to orbit the Earth. Seen from Berlin, each of the six passes in 24 hours lasts at most 15 minutes, and in practice the usable transmission window is shorter still.
'Frankenstein-Bee Satellite' Provides Clarity
While the operators initially believed space radiation was the main cause of the difficulties, PistonMiner showed that it was a software error. Among other clues, he found many zeros in the "empty" telemetry data frames that the CubeSat had only been sending back since March 2013. This narrowed the search for the corrupting function to those that can write to flash memory. The main suspect was the on-board computer's boot counter, which has everything needed to produce such a zero.
To prove his theory, PistonMiner assembled a "Frankenstein Bee Satellite", since no real engineering model existed on Earth anymore. This gave him a way to test and debug via JTAG. He was also able to obtain most of the binaries, source code and documentation, but had to tweak them by hand in various places. For example, he could try out remote commands to execute code and to install a 300 KB software image.
A virtual function table (vtable) pointer in the C++ code running on Beesat-1 proved particularly useful. Ultimately, both vtable pointers and the control flow (i.e. the order in which the program's instructions are executed) could be hijacked, and this was the basis for getting his own code into the system. Next, the bandwidth problem had to be addressed: support for the remote commands needed for larger updates had been planned but never implemented. As a result, PistonMiner had to retune the communication system to keep disruptions to a minimum.
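The bandwidth constraint described above is the kind of thing that is easy to underestimate: a 4.8 kbps link and passes of at most 15 minutes leave very little room for a 300 KB image, and any lost frame has to be re-sent on a later pass. The following is an added example, not code from the talk or from TU Berlin, that budgets such an upload: it takes the link rate, pass length and image size quoted in the article, and assumes a usable window, frame payload size, per-frame overhead and loss rate (all labelled as assumptions in the code), splits a constructed image into CRC-tagged numbered chunks, and checks integrity on reassembly so a corrupted chunk is caught rather than flashed.

```python
"""Uplink budget and chunked-transfer planner for a slow, intermittent link.

Added example for illustration; the satellite's real protocol is not public
here, so the framing, overhead and loss figures below are assumptions.
"""
import math
import zlib
from dataclasses import dataclass

BITRATE_BPS = 4800          # link rate quoted in the article
MAX_PASS_SECONDS = 15 * 60  # maximum pass duration quoted in the article
IMAGE_BYTES = 300 * 1024    # ~300 KB software image quoted in the article


@dataclass(frozen=True)
class LinkBudget:
    bitrate_bps: int
    usable_seconds: int      # assumed usable window per pass (shorter than max)
    payload_per_frame: int   # assumed payload bytes per frame
    frame_overhead: int      # assumed header + CRC bytes per frame
    expected_loss: float     # assumed fraction of frames that must be re-sent


# Assumed budget: only a third of the maximum pass is usable, 200-byte
# payloads with 8 bytes of framing, and 10 % of frames lost.
BUDGET = LinkBudget(BITRATE_BPS, 5 * 60, 200, 8, 0.10)


def frames_needed(image_bytes: int, payload_per_frame: int) -> int:
    """Number of frames to carry the whole image."""
    return math.ceil(image_bytes / payload_per_frame)


def frames_per_pass(b: LinkBudget) -> int:
    """Frames that can be delivered successfully in one pass, after losses."""
    frame_bits = (b.payload_per_frame + b.frame_overhead) * 8
    raw = b.usable_seconds * b.bitrate_bps // frame_bits
    return int(raw * (1 - b.expected_loss))


def passes_required(image_bytes: int, b: LinkBudget) -> int:
    """How many passes (days, at roughly six passes a day) the upload needs."""
    return math.ceil(frames_needed(image_bytes, b.payload_per_frame)
                     / frames_per_pass(b))


def split_into_chunks(data: bytes, payload_per_frame: int) -> list[tuple[int, int, bytes]]:
    """Numbered, CRC32-tagged chunks so a lost or damaged frame can be
    re-requested by index instead of restarting the whole transfer."""
    chunks = []
    for idx, off in enumerate(range(0, len(data), payload_per_frame)):
        payload = data[off:off + payload_per_frame]
        chunks.append((idx, zlib.crc32(payload), payload))
    return chunks


def reassemble(chunks: list[tuple[int, int, bytes]], expected_count: int) -> bytes:
    """Rebuild the image, refusing to proceed on a bad CRC or a missing chunk.
    On a device whose flash can be corrupted by a buggy writer, this check is
    what keeps a damaged upload from being committed."""
    by_index = {}
    for idx, crc, payload in chunks:
        if zlib.crc32(payload) != crc:
            raise ValueError(f"chunk {idx}: CRC mismatch, request retransmit")
        by_index[idx] = payload
    missing = [i for i in range(expected_count) if i not in by_index]
    if missing:
        raise ValueError(f"missing chunks: {missing[:5]}...")
    return b"".join(by_index[i] for i in range(expected_count))


def schedule(chunk_count: int, per_pass: int) -> list[range]:
    """Which chunk indices to send on each pass."""
    return [range(start, min(start + per_pass, chunk_count))
            for start in range(0, chunk_count, per_pass)]


def demo() -> dict:
    # Constructed 300 KB image with a recognisable byte pattern.
    image = bytes(range(256)) * 1200
    assert len(image) == IMAGE_BYTES
    chunks = split_into_chunks(image, BUDGET.payload_per_frame)
    plan = schedule(len(chunks), frames_per_pass(BUDGET))
    return {
        "frames": len(chunks),
        "frames_per_pass": frames_per_pass(BUDGET),
        "passes": len(plan),
        "intact": reassemble(chunks, len(chunks)) == image,
    }


if __name__ == "__main__":
    print(demo())
```

With the assumed budget the 300 KB image splits into 1536 frames, of which about 778 survive per pass, so two passes (and therefore at least two scheduling windows) are needed; loosening the loss or window assumptions changes the plan without changing the integrity check, which is the part worth keeping regardless of the link.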
Camera sends images to Earth again
After some debugging, the student sent the necessary images up to Beesat-1 in several rounds, making the telemetry system fully operational again. In September, a corresponding software update restored the CubeSat to its factory condition. In the process, PistonMiner also discovered that the on-board camera, which had been thought to be broken, suddenly switched itself on. The cause is a small flaw in the code: the command to dump the memory contents also instructs the camera to take a picture. The hacker was thus able to download a 9480-byte photo of the Earth's surface, even though, by his account, the auto-exposure did not work particularly well.
In principle, Beesat-1 can now be used for experiments again. Radio amateurs can also use the spacecraft as a radio beacon, of the kind used by search and rescue and navigation services, and as a digipeater, i.e. an automatically operating transmit-and-receive station that forwards data between two radio stations. PistonMiner clearly wants to "keep the satellite alive as long as possible." He also sees the operation, which he carried out "with permission," as a model for dealing with other satellites that are no longer performing their missions.