2025 124 Paper

This document discusses Apple's integration of satellite communication in iPhones, enabling emergency services and messaging in areas without cellular coverage. The authors reverse-engineer Apple's proprietary satellite communication protocol, revealing security and privacy vulnerabilities, including issues with integrity protection and bypassing regional restrictions. Their findings highlight the challenges of using legacy satellite infrastructure and propose mitigations for secure satellite communication systems.

Starshields for iOS: Navigating the Security Cosmos in Satellite Communication

Jiska Classen* (Hasso Plattner Institute, University of Potsdam, jiska.classen@hpi.de)
Alexander Heinrich* (Secure Mobile Networking Lab, TU Darmstadt, aheinrich@seemoo.de)
Fabian Portner (Secure Mobile Networking Lab, TU Darmstadt, fportner@seemoo.de)
Felix Rohrbach (Cryptoplexity, TU Darmstadt, felix.rohrbach@tu-darmstadt.de)
Matthias Hollick (Secure Mobile Networking Lab, TU Darmstadt, mhollick@seemoo.de)
* Both authors contributed equally to this research.

Network and Distributed System Security (NDSS) Symposium 2025, 24-28 February 2025, San Diego, CA, USA. ISBN 979-8-9894372-8-3. https://dx.doi.org/10.14722/ndss.2025.240124, www.ndss-symposium.org

Abstract—Apple has integrated satellite communication into their latest iPhones, enabling emergency communication, roadside assistance, location sharing with friends, iMessage, and SMS. This technology allows communication when other wireless services are unavailable. However, the use of satellites poses restrictions on bandwidth and delay, making it difficult to use modern communication protocols with their security and privacy guarantees. To overcome these challenges, Apple designed and implemented a proprietary satellite communication protocol. We are the first to successfully reverse-engineer this protocol and analyze its security and privacy properties. In addition, we develop a simulation-based testbed for testing emergency services without causing emergency calls. Our tests reveal protocol and infrastructure design issues. For example, compact protocol messages come at the cost of missing integrity protection and require an internet-based setup phase. We further demonstrate various restriction bypasses, such as misusing location sharing to send arbitrary text messages on old iOS versions and sending iMessages over satellite from region-locked countries. These bypasses allow us to overcome censorship and operator control of text messaging services.

I. INTRODUCTION

Apple introduced satellite communication support with the iPhone 14 [5], allowing users to request assistance during emergencies in areas without cellular coverage. Further features include sharing the current location with friends over Find My [10] and requesting roadside assistance [9]. iMessage and SMS text messaging were added in iOS 18 [14].

Apple relies on the satellite network provided by Globalstar, a company operating satellites in Low Earth Orbits (LEOs) at around 1 414 km height, orbiting the earth multiple times a day. We found that the oldest satellite used by Apple was launched in 2007, the same year the first iPhone was released [51]. Operating a 17-year-old infrastructure implies technological challenges by itself [84], but Apple must also deal with satellites’ fast movement during transmission, high delays, and generally low bandwidth. At the same time, users need to be able to operate satellite communication intuitively under high stress in emergencies. This fact necessitates fast transmissions, ideally within a minute, and high satellite network availability. Apple’s emergency SOS via satellite proved instrumental in saving lives during wildfires and hurricanes, when cellular network communication was no longer possible [52], [81].

Globalstar offers satellite network subscriptions directly to customers for location, text, data, and voice services [34]. In 2015, researchers revealed severe vulnerabilities in Globalstar’s satellite communication protocol and released tools for decoding it [55]. We confirm that these attacks still work as of 2024 to intercept Globalstar’s services. With this troubled security history, Apple invented a novel, proprietary protocol and only shares the Globalstar infrastructure. Apple’s satellite protocol aims to protect highly privacy-sensitive data: A location shared via satellite should only be accessible to the designated recipients. More sensitive data leaves the phone during Emergency SOS via satellite: Health information from the user’s medical ID [15], text messages, location information, and accurate information about the current emergency.

This work represents the first comprehensive investigation into Apple’s satellite services’ security and privacy. We reverse-engineer previously undocumented internals to answer the following research questions: RQ1: How are security and privacy features implemented in this resource-constrained satellite communication environment? RQ2: Can users bypass service restrictions imposed by Apple?

Contributions. At the time of writing, only limited related work on the security of end-device to satellite communication exists [55], [46], [84], [86]. We are the first to analyze satellite communication implemented in the iPhone. Our main contributions are:
Fig. 1: Communication principle for Find My location sharing. (Figure labels: Target, Anchor, Internet.)

• We reverse-engineer the protocols for Emergency Texting, Roadside Assistance, Find My, iMessage, and SMS over satellite.
• We show how data exchanges are minimized and compressed to meet technological limitations, including a complex scheme to set up various encryption parameters when the user has a regular internet connection.
• We analyze the cryptographic properties of the transmission of privacy-sensitive data.
• We create an app to send and receive arbitrary, unlimited SMS-like messages over Find My location sharing (Demo: https://youtu.be/3qYby6CeBxs).
• We demonstrate that various restrictions are only implemented on the client side, allowing adversaries to bypass regional restrictions and enable satellite services in countries where they are not supported.
• We build a simulation-based testbed to analyze satellite features in iOS without communicating with actual satellites (Demo: https://youtu.be/igaYCdnqdjE).
• We propose mitigations to design secure satellite communication systems.

Responsible Disclosure: We responsibly disclosed our findings to Apple, allowing for improvements in their satellite communication system. As of July 2024, Apple imposed sharper restrictions on text messaging over Find My, but their system architecture prevents a complete resolution.

Ethical Considerations: Emergency SOS over satellite allows a user to contact first responders without cellular coverage. During our tests, we never alarmed any first responders. Instead, we built a simulation-based testbed to safely study satellite features without resulting in real-world emergency calls. Furthermore, we never bypassed regional restrictions in countries where satellite communication is illegal.

Availability: Our Artifact Appendix includes an app allowing text messaging via satellite, the Wireshark dissector for the satellite protocol, and scripts to set up our test environment. For ethical reasons, we do not publish code for the client-side communication restriction bypasses we demonstrate.

II. BACKGROUND

This section describes satellite communication basics with a focus on Globalstar’s setup. This setup differs from other popular satellite networks, thereby creating novel challenges to be solved by Apple’s protocol stack. Then, we dive into Apple’s satellite features from a user’s perspective.

A. Satellite Communication

Satellite Networks for Smartphones: In 2022, Apple was the first to launch a high-end smartphone with satellite functionality covering the U.S., Canada, and Europe [5], [8]. Around the same time, Huawei launched the Mate 50 with satellite SMS support in China [80], followed a year later by the Mate 60 Pro, which introduced satellite phone calls [43]. In 2024, the Google Pixel 9 received a US-only emergency SOS feature via the Skylo satellite network [74]. AT&T partnered with AST SpaceMobile to create a new satellite that can send 4G and 5G signals to Earth, reaching download speeds of up to 14 Mbit/s [71]. T-Mobile, together with Starlink, also announced satellite support for 5G smartphones in 2022 [79], with the first satellite launched in early 2024 [25]. These projects share a fast-paced development of new features combined with infrastructure updates. Their technology stacks fundamentally differ: Apple uses legacy satellites but updated the iPhone’s cellular modem and communication stack; SpaceX updated its satellites to enable off-the-shelf phones to communicate. Apple’s approach to using legacy satellites is arguably the most challenging from a technological perspective, with tight constraints that leave little room for security and privacy. Apple partnered with Qualcomm for a custom modem supporting satellite communication [59], developed a customized antenna to boost outgoing signals, and added custom hardware to ground stations to handle incoming data directly. In this work, we focus on Apple’s implementation.

Globalstar Satellite Communication Principle: Globalstar satellites employ a bent-pipe architecture [34], acting as mirrors in space. They forward an iPhone’s signal to a ground station and vice versa (see Figure 1). A satellite requires the iPhone and the ground station to be within range to establish a communication channel. Ground stations are connected to the internet, allowing interaction with services provided by Apple. In Apple’s terminology, satellites are targets the user points their iPhone at, and ground stations are anchors. Globalstar’s constellation consists of 48 satellites, with an additional four spare satellites [58]. The satellites orbit the earth in LEO at an altitude of 1 414 km, which equates to an orbital period of about 2 h or 12 turns around earth per day [33]. According to our analysis, as of July 2024, Apple uses 28 Globalstar satellites. The oldest satellite in use is M069, launched on May 29, 2007, and the newest one is M097, launched on February 6, 2013. Globalstar launched a newer satellite, M087, on June 19, 2022, which Apple is yet to use. Globalstar operates satellites from two generations: the first launched before October 2010 with a life expectancy of 7 1/2 years, and the second launched with a life expectancy of 15 years [28]. Consequently, some satellites are already past their expected lifetimes, increasing technological challenges in working with legacy hardware. Interestingly, Apple uses satellites from both generations. To future-proof the constellation, Globalstar ordered 17 new satellites, which are scheduled to launch in 2025 [68].

Satellite Orbits: The position of objects orbiting the Earth, such as satellites or space debris, is commonly specified by a
set of parameters called orbital elements. In 1980, researchers published the Two-Line Element (TLE) orbital element format, together with a series of orbit models known as simplified perturbation models [42]. A TLE consists of two lines with 69 characters each for punch card compatibility and precisely encodes an object’s orbit and position therein at a specific time, known as the epoch. Using a simplified perturbation model, with the de-facto standard being SGP4 [83], one can propagate a TLE to any point in time in the past or future. However, predictions gradually diverge from reality [27]. The TLEs must thus be updated regularly to ensure accurate predictions.

Fig. 2: Satellite emergency communication questionnaires. (a) Emergency SOS, (b) Roadside Assistance.

B. iPhone Satellite Features

The iPhone 14 was the first device with satellite connectivity. Since then, Apple has added more features with software updates. All satellite features mandate that Wi-Fi and cellular connectivity are unavailable.

Find My Friends: Find My Friends allows people to share their location with friends and family [10]. The user has to set up location sharing while they have an active internet connection. Next to sharing the location via internet, Apple added the option to share a location via satellite. Users can initiate location sharing through the Find My app, and their friends can view the shared location only when they have an internet connection. When the iPhone has transmitted a location update via satellite, it prohibits the user from sharing another location for a cooldown period of 15 min.

Emergency SOS: In the case of an emergency, users can contact emergency services via satellite [17]. Emergency SOS starts with a questionnaire (see Figure 2a). These questions help describe an emergency, ensuring no essential details are overlooked and reducing follow-up questions. People can continue to communicate with first responders using text messages. The maximum size for one text message is 160 bytes, and the input is limited to text only. If the iPhone detects that the user fell or might have had a car accident, it automatically initiates an emergency call [16], [18]. In case of no cellular coverage, the iPhone falls back to SOS over satellite and offers the possibility of follow-up emergency texting. Falls or crashes might leave users unable to point their iPhones toward a satellite. Still, their orbiting nature increases the chance that the Emergency SOS is sent eventually.

Roadside Assistance: In 2023, with iOS 17, Apple added roadside assistance for U.S. customers [9]. When typing Roadside Assistance into the recipient field of the Messages app, the user is asked to select one of the assistance providers. Then they go on and specify the issue they are facing, as shown in Figure 2b. Optionally, the user can add a phone number. Then, they are again presented with the interface to help them establish a satellite connection and send text messages.

Messaging: iOS 18, released in fall 2024, supports iMessage and SMS over satellite [14]. Like roadside assistance, messaging is only available in the U.S. SMS messages are restricted: Users can only send and receive messages if they have already messaged the recipient in the past or they are an emergency contact or family member.

III. RELATED WORK

More than 100 satellite hacking incidents have occurred in the last 60 years [64]. The security research community has contributed to uncovering more security problems and proposed solutions in recent years, summarized in the following.

The low-latency promises of LEO satellite constellations were vulnerable to Denial of Service (DoS) attacks [31]. After classifying further attacks, several solutions were proposed for LEO satellite services [88]. Many satellite internet services are based on the DVB-S protocol, originally designed for video broadcasting. Most services did not use encryption at all or their encryption was weak, allowing for eavesdropping attacks [65], [66], [87], [26]. Furthermore, Jedermann et al. [46] showed that location privacy in LEO satellite communications can be compromised by observing satellite transition events, i.e., when the satellite a user is communicating with changes due to its orbit. Since their attack requires several hours of satellite communication and the iPhone only uses short-lived communication, it is not applicable.

Keeping up with the latest security developments is a significant challenge for satellite hardware. While expected lifetimes are on the order of 10 to 20 years, this hardware typically operates well beyond that timeframe. Previous research has uncovered serious security flaws in satellite software [84]. Satellite terminals operating on the ground also had major security issues. In 2022, an attack on Viasat satellite terminals, likely aimed at Ukraine’s satellite internet communications, also impacted and disabled large parts of Germany’s wind turbine monitoring and control system [36]. The control infrastructure of the satellite terminals had multiple vulnerabilities that allowed adversaries to compromise the satellite modems, disable recovery mechanisms, and perform DoS attacks [85]. Yu et al. [87] created an automated test setup, evaluated nine terminals, and found 18 novel attacks. Modern terminals for Starlink have additional security mitigations but remain vulnerable to fault injection attacks [86].

The first sniffing and injection attacks on the Globalstar network were presented in 2015 [55]. However, we found that Apple’s communication protocol is fundamentally different
at all layers compared to Globalstar’s legacy protocol and other existing satellite protocols: It uses a different modulation scheme, adds encryption, and includes application-specific compression. As a result, we are the first to reverse-engineer the satellite communication protocol used in iPhones and identify a number of novel attacks that allow adversaries to bypass restrictions and abuse the satellite services provided by Apple and Globalstar.

Apple’s Find My network implementation over Bluetooth Low Energy (BLE) has been studied extensively [38], [23], [39], [72]. Nevertheless, neither Find My location sharing over the internet nor its satellite version have been analyzed before. We find that both versions of Find My location sharing are similar, but the location data is shortened to transmit only the essential information. Similar to the BLE-based Find My network, elevation, speed, and other details are redacted [39].

IV. METHODOLOGY

A. Reverse Engineering

Reverse engineering Apple internals is challenging, even with access to a jailbroken iPhone or a Security Research Device (SRD). While Apple releases source code for some of their subsystems [6], highly proprietary components, such as satellite communication, remain a secret until security researchers analyze them. We describe our analysis approach, which allows the reproduction of our results and protocol insights. We generally use similar tools as previous work on reverse engineering the Apple ecosystem [40], [41], [49], [75], [70], [24]. Oftentimes, reverse engineering is a manual task, which cannot be automated, if one wants to uncover the full protocol and all system components involved. Automated testing and fuzzing approaches can be applied in some cases, as done for satellite terminals [87], but are not applicable for our work.

System Components: Find My over Satellite is implemented within multiple components of iOS. Identifying system components and their interfaces is crucial to understanding proprietary features. Public and private frameworks abstract functionality executed by user-space daemons or dispatched to hardware via the kernel. To unveil which system components are involved, we investigate logs. The iPhone under analysis does not need to be jailbroken for this. Debug profiles increase log verbosity [7]. By observing logs, we find that the daemons responsible for the core functionality are CommCenter, and in the case of Find My, also searchpartyd.

The CommCenter daemon instructs the baseband chip to communicate over satellite. It is the core of the satellite communication system, holding all states about currently ongoing emergency conversations, taking care of regional restrictions, providing the baseband chip with all necessary information, and parsing the baseband’s responses. The SOSBuddy app is the user interface for satellite communication. It instructs users where to point their phones and leads them through the emergency questionnaire. SOSBuddy is launched by CommCenter and primarily displays its internal state for end users. The Demo mode in the Settings and FindMy send a request to the satellite subsystem in CommCenter, which in turn opens SOSBuddy. The searchpartyd daemon handles necessary tasks for Find My in satellite communication. E.g., it creates and encrypts location data before sending it via satellite. The identityservices daemon coordinates keys for sending iMessages and SMS over satellite.

Communication Protocol Analysis: Data sent over Qualcomm MSM Interface (QMI) contains privacy-sensitive information. Thus, by default, QMI log messages are replaced by the tag <private>. Apple provides a baseband debug profile, which overcomes this limitation [7]. After installing the profile on a non-jailbroken iPhone, a byte-wise representation of QMI messages is displayed in the logs. We then observe the logs with the macOS Console app or perform a system diagnosis on the iPhone [19]. The latter allows for testing satellite communication in the field when no laptop is connected and for capturing logs for later analysis.

To inspect the QMI messages, we adapt a libqmi-based Wireshark dissector [20], [56]. It already includes most message names, which are auto-generated based on iOS’ shared libraries. With further reverse engineering, we add field names and reconstruct the protocol flow. Specifically, protocol fields are located in the DYLD shared cache library libCommCenterMCommandDrivers.dylib. All fields follow the naming scheme tlv::sft::*. This approach provides us with further insights about the communication.

iPhone 13 Satellite Simulation: We create a safe satellite simulation environment to enable using an iPhone 13 that does not include satellite hardware and cannot alarm first responders. As iPhones using the same iOS version share most parts of the code, the simulation environment is an accurate representation of the satellite communication happening on the device itself. We use Frida [60] scripts to hook relevant parts within CommCenter, which allows mimicking communication with a satellite. This setup requires a jailbroken iPhone or an SRD. In the following, we detail the required modifications.

Upon initialization, CommCenter determines its so-called radio personality, which configures baseband features. Satellite communication requires two properties: MobileGestalt has a device-specific hardware configuration number, which must be set to 0x34, and the system FeatureFlags must support Bifrost, which is a code name for the iOS satellite communication subsystem. With these two properties set, the baseband is initialized with the so-called Stewie service responsible for satellite transmissions. Furthermore, other services regularly query CommCenter to check whether Stewie is enabled. They send a Cross-Process Communication (XPC) message requesting the property getStewieSupport, which we overwrite in our scripts to always return true. When initiating satellite communication, CommCenter checks if a service is allowed, given the current preconditions. E.g., even if there is no cellular coverage, Emergency SOS is not allowed until a cellular emergency call fails. CommCenter keeps track of currently allowed services in an internal state struct, represented as a service bitmask (see Appendix B). We overwrite the service mask every time it is checked against currently allowed
services, effectively enabling us to test all services regardless of any preconditions. With these patches in place, CommCenter attempts satellite communication, even on a device that does not support it. We further modify the functions pci::transport::th::writeAsync, which is responsible for writing QMI packets to the baseband, and QMux::State::handleReadData, which parses packets originating from the baseband. These two functions are the core of simulating the full satellite functionality on the iPhone 13. We re-implement the protocol logic described in Section V-C, such that the iPhone 13 can complete authentication and registration and receive faked message transmission confirmations. Implementing the logic based on Find My transmission logs enables the emergency texting protocol stack and allows us to test without alarming first responders.

We publish our scripts as part of our artifacts [37]. The scripts enable other researchers to use the same safe satellite simulation environment. Our main script allows for debugging and change of various properties for testing. This includes usage of encryption keys, efficiency of text compression, and entering Emergency SOS without dialing an emergency phone number.

B. Experimental Setup

After the iPhone 14 release, it took 1 1/2 years until jailbreaks became available [30]. Thus, we used different research options and built custom tools to analyze Apple’s satellite communication subsystems. We create a step-by-step guide to recreate our experimental setup.

1) Sending Satellite Messages: Satellite communication is enabled while the iPhone is within a supported country. Satellite services become available when no other cellular or Wi-Fi connection is possible. Deactivating Wi-Fi and using an expired SIM card enables this required state. For our tests, we primarily use Find My location sharing and observe the behavior of the device using the following steps.

Due to ethical considerations, we did not initiate emergency calls but instead relied on different reverse engineering approaches, such as our simulation environment (see Section IV-A). Sending iMessage and SMS over satellite was not available when writing this paper. While announced for iOS 18 [14], this feature is not supported outside the U.S. We find bypasses for regional restrictions (Section VI-E) and a service bitmask to enable disabled services. With these, we can also test the remaining services, including iMessage over satellite.

2) Recording Signals with Software-defined Radios: Software-defined Radios (SDRs) can observe wireless transmissions and send arbitrary signals in the frequency bands the Globalstar satellite network uses. Sniffing radio signals shows messages sent to or received from a satellite. Recording the satellite communication requires a clear view of the sky. We use the BladeRF [61] for a portable, USB-powered setup. The uplink channel operates in a licensed frequency band virtually exclusive to Globalstar, ensuring minimal interference with other radio signals. The uplink signal is strong; we can easily capture it with regular Wi-Fi antennas.

Fig. 3: Intercepting satellite communication. (Figure labels: iOS, QMI, iPhone Baseband, SC-FDMA, Satellite; observation points: Wireshark on the QMI link, SDR on the SC-FDMA link.)

3) Intercepting On-device Baseband Communication: The Qualcomm baseband chip on the iPhone 14 and newer supports satellite communication. As shown in Figure 3, when iOS sends messages to a satellite, these go to the baseband chip first, which takes care of over-the-air transmission. The interface between iOS and the baseband chip is called QMI. We use a reverse engineering setup that allows us to observe QMI protocol messages as they happen, even on non-jailbroken phones (see Section IV-A).

4) Security Research Device: Apple has an SRD program [11], providing devices for research even without public jailbreaks. However, only previous-generation iPhones are distributed as SRD, initially limiting us to an iPhone 13 mini without a satellite-compatible baseband. The later provided iPhone 14 SRD is a South Korean model, which disables Find My Friends due to legal restrictions. Nonetheless, Apple’s SRD program enables us to modify the software state on iPhones. We modify the iPhone 13 to simulate satellite behavior (see Section IV-A). Moreover, we bypass the model-specific South Korean restrictions on the iPhone 14 (see Section VI-F). Although the phones were South Korean models, we never used them in South Korea and ensured that we followed all local regulations. Both setups are helpful for security research on the satellite protocol. The satellite simulation on the iPhone 13 allows us to test emergency communication safely without alarming first responders. In contrast, the iPhone 14 setup enables testing with physical satellite infrastructure.

V. iOS SATELLITE COMMUNICATION

Apple gives away no information on the protocol used for satellite communication and its security properties. We reverse-engineered the entire protocol flow on the iPhone and present it in this section.

A. Initial Configuration

The iPhone requires an unobstructed line of sight to the satellite and down from the satellite to the ground station. The iPhone calculates the positions of suitable satellites (see Section II-A) to guide the user in pointing their phone in the right direction. The required information for these calculations is downloaded and updated by the Trial service, requiring an active internet connection.

Two trial configuration files are present for satellite communication: An XML property list and a Distinguished Encoding Rules (DER) encoded version. Both files contain the same
content, such as ground station locations, countries where satellite communication is enabled, communication features, and frequency bands. Information is provided per country, allowing to geofence satellite services in software as required by the Federal Communications Commission (FCC) [29], and limiting certain satellite services only to selected countries. The DER-encoded file is required to share the same configuration with the baseband chip over QMI.

Based on the configuration update from May 3, 2024, Figure 4 shows countries in which satellite services are enabled, along with ground station locations. Within the 16 allowed countries, there are radio exclusion zones, where transmissions are forbidden even if there is satellite coverage. Radio exclusion zones are near astronomy sites where transmissions could disturb observations [29], some islands, and national border areas. 19 ground stations are active, with ground station indices indicating that there might be 63 ground stations in total. Ground stations are located across the globe, even in regions without satellite support, including Mexico, Brazil, Singapore, and Estonia. All countries use the same 7 channel numbers for communication: 262 336, 262 338, 262 340, 262 342, 262 344, 262 346, 262 348. The signal uses a bandwidth of 200 kHz. Only even channel numbers are specified, as each number represents 100 kHz.

The iPhone maintains a list of TLEs from which it can propagate the position of satellites. TLE data is maintained by the iPhone in a target property list containing a total of 15 entries. Each entry is valid for two days and contains TLEs for all 28 satellites currently used by Apple. These files allow the iPhone to calculate the satellite trajectories 30 days in advance. Nevertheless, targets are updated daily if an internet connection is available. When offline for more than 30 days, an iPhone loses satellite connectivity because it can no longer calculate satellite trajectories. When preparing a satellite transmission, iOS transforms the currently valid targets list entry into a QMI message for the baseband chip.

Globalstar satellite data, including identifiers, launch date,
follow a naming scheme with the prefix M, followed by a three-digit satellite number. We confirm that the satellite numbers used in the Targets list match this scheme with the experiment described in Appendix A.

B. Key Material Setup

An iPhone must register a set of keys with Apple before performing satellite communication. Internally, these keys have multiple terms: Link Layer Communication (LLC), transport, or session keys. We refer to them as LLC keys. This section covers the key generation to the final key exchange steps. Figure 5 shows a simplified sequence diagram of this procedure.

Key Generation: (1) The iPhone generates 30 private-public key pairs on the NIST-P256 curve. The keys are generated inside the Secure Enclave Processor (SEP), a co-processor similar to a Trusted Execution Environment (TEE) on Android [4]. Processes running on the main processor can only indirectly access keys on the SEP through predefined functions, such as copying the public key and elliptic-curve Diffie-Hellman (ECDH) key exchange. For each key, the iPhone performs a SHA256 hash of the public key and uses the first eight bytes as a key identifier termed Ephemeral Public Key Identifier (EPKI). After initial generation, all 30 new keys are marked as proposed and cannot yet be used for satellite communication.

Key Synchronization: (2) After local key generation, the keys must be synchronized with Apple’s servers, when the iPhone has an active internet connection. The iPhone sends its public keys to Apple over a REST API as an HTTPS request. This request contains a list of all LLC public keys and a list of allowed services for which these keys can be used. On iOS 16, these services are networking.st.text-911 and networking.st.find-my. iOS 17 adds the networking.st.roadside service, and iOS 18 adds the networking.st.imessage-lite and networking.st.sms services. In addition, the request contains information about the current device and the user’s Apple ID. The server links the keys to the
and TLEs, is publicly available [47], [58]. The known satellites

• Ground Station
• Country V1 1) Generate 30
• Country V2 LLC keys locally 2) LLC Public Ke
• Radio Exclusion ys

3) Generate a
server key pair for
ys each LLC key
4) Server Public Ke
5) Perform offline
ECDH key ECDH
exchange

Shared Secret
6) Use shared
secret for satellite
communication

Fig. 5: Key synchronization procedure with Apple before an


Fig. 4: Ground station and country configurations. iPhone can perform satellite communication.

6
user's Apple ID, which allows for the addition of subscription-based services in the future. One key is marked as the last resort key, allowing the iPhone to continue using satellite communication if all prior keys have already been used.

(3) Apple's server generates a new server key pair for each LLC public key received. (4) Apple responds with all server public keys. The iPhone stores the keys in the system keychain together with the LLC key identifiers under the term STKData, likely an abbreviation for Satellite Transmission Key. Afterward, the iPhone marks the LLC keys as settled.

Key Exchange and Transport Encryption: (5) When communicating via satellite, the iPhone performs an offline ECDH key exchange using one LLC key and the matching server public key. This is a standard key exchange over the NIST P-256 curve as specified by NIST [21]. Note that the authentication of the keys is implicit, as they are shared over a secure, authenticated channel. The resulting shared secret can now be used for symmetric encryption, authentication, and integrity protection.

(6) The shared secret and the EPKI of the LLC key are transferred to the iPhone's baseband chip using a QMI message. When the baseband successfully connects with the satellite, the associated keys are marked as invalidated and deleted afterward. Each LLC key and the corresponding shared secret are only valid for one communication session. When using Find My over satellite, a communication session equals a single message, while multiple messages are exchanged for text messaging services. A new LLC key for each invalidated one is generated when the iPhone has an internet connection.

C. Satellite Communication Protocol

The satellite transmission consists of multiple protocol steps. iOS does not communicate with satellites directly but uses the Qualcomm baseband chip for this task, which adds a layer of abstraction. iOS sends QMI requests to the baseband chip to start certain actions, to which the baseband responds. In addition, the baseband can send asynchronous events using QMI indications [35]. Satellite communication is an Apple-specific QMI extension, which we observe with our reverse engineering setup (see Section IV-A). Figure 6 contains the underlying protocol steps.

[Fig. 6: QMI messages exchanged with the baseband chip during a satellite transmission. From iOS to the baseband: 1) Orientation Updates; 2) Targets and Config; 3) Activation (LLC Identifier + Shared Secret); 5) Registration (Start Registration); 7) Message Transmission (Message); 9) Invalidate LLC Key. From the baseband to iOS: 4) Satellite Status Updates (Connection Established); 6) Satellite Registration (Security Config Usage Confirmation); 8) Satellite Transmission Attempt (Progress & Confirmation).]

Setup Phase: (1) Successful transmissions require the user to point their iPhone towards a satellite. The baseband does not have a gyroscope, so iOS regularly informs the baseband of its current orientation. This information is used when satellite communication is initiated, with further orientation updates supplied when needed. (2) The baseband requires additional information to calculate satellite positions and direct its signal. iOS sends the TLE-encoded target list and the DER-encoded config to the baseband, enabling the baseband to perform these calculations.

Security Configuration: (3) Satellite communication requires a valid LLC key provisioned by Apple. In the activation step, iOS sends the 8 byte EPKI, which uniquely identifies the key in the iPhone's local database as well as on Apple's servers, and the shared secret derived using ECDH from the LLC key, which is a 256 bit symmetric key. This is configured along with further information, such as the user's country and time zone. The following communication between the baseband and the satellite might be encrypted based on the shared secret. Apple confirmed this encryption layer to us in a discussion on reported issues (see Section VI-B).

(4) The baseband sends regular updates about the optimal satellite identifier, signal strength, and transmission progress. Status updates tell iOS when it can proceed with the next protocol steps. (5) Once a satellite is in range, the protocol continues with a registration based on the activation information. A ground station answers the registration, which can take a while, depending on transmission conditions. (6) The Security Config Usage indication confirms a successful registration. This confirmation contains the same EPKI as in the activation step. Moreover, it contains a fresh symmetric 256 bit key, internally called GeneratedAppKey. This key is generated for all communication modes and used as Master Session Key for emergency texting. When the iPhone runs out of LLC keys, it reuses the last resort key in the activation step. We observed that the resulting Master Session Key differs for every session. Thus, we conclude that it is generated by Apple and sent over satellite.

If Apple's servers decide to invalidate the key material, e.g., because the Apple ID configuration or the allowed services changed, communication cannot be established and the baseband indicates Security Config Update Needed. Further communication is only possible with a valid configuration.

Message Transmission: (7) iOS proceeds with sending application-specific content, such as Find My or text messages. The basic message format has stayed the same since the introduction of satellite communication. However, later iOS versions added new message formats to support novel features.
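The key material setup of Section V-B and the offline key exchange in step (5) above can be followed end to end in code. The following Python example is an editorial addition and is not code from the paper or from iOS; it implements P-256 point arithmetic directly so that it runs with the standard library alone. Two details are assumptions the paper does not settle: that the EPKI hash is taken over the uncompressed X9.63 encoding of the public key (04 || X || Y), and that the x-coordinate of the ECDH result is used as the 256-bit shared secret. Function names such as activation_payload are illustrative, not iOS symbols.

```python
import hashlib
import secrets

# NIST P-256 domain parameters (FIPS 186-4, Appendix D.1.2.3).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (GX, GY)


def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + a*x + b (mod p)."""
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def generate_llc_key():
    """One LLC key pair; on the iPhone this happens inside the SEP."""
    d = secrets.randbelow(N - 1) + 1
    return d, scalar_mult(d, G)


def encode_public_key(pt):
    """ANSI X9.63 uncompressed encoding 04 || X || Y (assumed input to the EPKI hash)."""
    x, y = pt
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def epki(public_key_bytes):
    """Ephemeral Public Key Identifier: the first 8 bytes of SHA-256(public key)."""
    return hashlib.sha256(public_key_bytes).digest()[:8]


def ecdh_shared_secret(private_scalar, peer_public):
    """Offline ECDH: x-coordinate of d * Q_peer as a 32-byte shared secret (assumed KDF-free)."""
    shared = scalar_mult(private_scalar, peer_public)
    if shared is None:
        raise ValueError("invalid peer public key")
    return shared[0].to_bytes(32, "big")


def activation_payload(llc_private, llc_public, server_public):
    """What iOS hands to the baseband in the activation step: the 8-byte EPKI and
    the 256-bit shared secret belonging to this LLC key (hypothetical helper)."""
    if not on_curve(server_public):
        raise ValueError("server public key is not on P-256")
    return epki(encode_public_key(llc_public)), ecdh_shared_secret(llc_private, server_public)


def demo():
    """Constructed run with both sides of the exchange in one process."""
    d_phone, q_phone = generate_llc_key()      # step 1 on the iPhone
    d_server, q_server = generate_llc_key()    # step 3 on Apple's server
    ident, secret_phone = activation_payload(d_phone, q_phone, q_server)
    secret_server = ecdh_shared_secret(d_server, q_phone)
    return ident, secret_phone, secret_server


if __name__ == "__main__":
    ident, s1, s2 = demo()
    print("EPKI:", ident.hex(), "shared secrets match:", s1 == s2)
```

The example also shows why the EPKI alone carries no secret: it is a public hash prefix used purely as a lookup key on both the device and the server, while the shared secret only ever exists on the phone (and, after the QMI activation message, in the baseband) and on Apple's side.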
We publish documentation of message types and formats in our artifacts repository [37]. All message contents we observed are encrypted, adding a second encryption layer. Section V-D explains the Find My Friends encryption; Section V-E explains the text encryption for emergency messages and roadside assistance. (8) Once a ground station confirms message reception, the baseband sends an indication to iOS to confirm the message transmission. If messages are not acknowledged, iOS schedules retransmissions. This process requires the user to collaborate, as they must continue pointing their iPhone towards the satellite until the transmission succeeds.

Teardown: (9) When the user terminates the communication, the baseband deactivates the service to save power. In the case of Find My, this happens automatically after the message transmission finishes. For other applications, the user must actively end the satellite transmission.

D. Find My Friends

Find My location sharing normally requires an active internet connection. Location sharing over satellite enables similar functionality when no internet connection is available. As the satellite functionality is closely related to normal Find My Friends, we describe both versions in this section.

Find My Friends over Internet: Find My Friends uses an internet connection to send and receive location updates by default. While the Bluetooth-based Find My network has been studied in the past [39], [23], [38], we are the first to reverse-engineer the internet-based protocol. To start, users can share their location using the Find My app. They can add a new person in the People tab. The targeted recipient of location updates must have an Apple account and an iOS or macOS device to accept the request and view the shared location. Whenever a person wants to share their location with someone, the iPhone sends a request to Apple containing the recipient's Apple ID. The recipient receives a push notification and a prompt asking whether they want to share their location back with the sender. Each person sharing their location gets assigned a Find My location id, which is used to retrieve location updates from Apple's servers.

Find My Friends uses end-to-end encryption, preventing anyone from querying Apple's database for users' locations. End-to-end encryption is based on the Elliptic Curve Integrated Encryption Scheme (ECIES) with a NIST P-256 elliptic curve key exchange (internally called keyForSharingLocationToFriends) and AES-GCM symmetric encryption. When sharing location with a new person, the device creates a direct connection based on Apple's push notification service to transfer the private key to the newly added friend. It is unclear if an Apple-internal attacker could access the keys during the transfer. We consider this scenario out of scope, as iPhone users generally trust the various services Apple provides. We compared the keys on both devices to verify that the private key was exchanged. Note that a legacy version of Find My location sharing does not encrypt the location and is still available as a fallback. This legacy variant is incompatible with location sharing via satellite.

When the user opens the Find My app in the People tab, the app requests a location update. It sends a request with the friend's location id to Apple's servers, which notify the friend's device via push notification. The device fetches a current Global Navigation Satellite System (GNSS) location, encrypts it, and shares it back to Apple. Apple's servers forward the location update to the user using a silent push notification. Users can also request live location updates, delivering constant location updates via push notifications.

Find My Friends over Satellite: The user must have friends on Find My before they initiate location sharing via satellite. Once started, the iPhone requests a GNSS fix to generate a litelocation from it. A litelocation is a shortened location format that Apple uses to transfer location information efficiently. The process transforms the latitude and longitude double values into 32 bit fixed-point integer representations by multiplying them with 10 000 000. The bytes of both integers are concatenated, and a 1 byte integer reflecting the horizontal accuracy is appended. This results in a 9 byte representation of the user's location. Find My uses a similar format when an iPhone finds an AirTag and reports its location to Apple [39]. Then, Find My applies the same end-to-end encryption to the litelocation. The ECIES encryption adds 73 byte for the key material and the authentication tag, resulting in an 82-byte long message.

The message neither contains the linked Apple ID nor the associated location id, which are required for friends to receive the encrypted location information. Therefore, we conclude that Apple's servers store a link between each user's Apple ID, their Find My location id, and the associated LLC keys.

E. Emergency SOS

This section describes how emergency communication is implemented, detailing the applied text compression and the encryption used. We present the message format in Appendix C.

Initiate Emergency Texting: The user indicates their emergency by dialing an emergency number on the iPhone. Unlike other phone calls and data transmissions, emergency calls are allowed without authentication to cellular network providers [3]. Emergency calls only fail if there is no cellular coverage at all. In this situation, prior to iOS 18, the Phone app shows a button for emergency texting over satellite. As this functionality was hidden, Apple updated this part of the user interface in iOS 18 [14], allowing users to see all potentially available satellite services.

Efficient First Message: Shorter messages are transmitted faster and more reliably under bad conditions. The emergency questionnaire covers the most essential information without any free text. After the user has responded to the questionnaire, we found that their responses, current location, and battery level form the Emergency Start message sent to the satellite. Each field has a bitwise representation: the full questionnaire only requires 3 byte of data, four battery levels represent the current charge with 2 bit, and the location has another unique format that only requires 8 byte.
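The litelocation encoding described under Find My Friends over Satellite is compact enough to implement and check against the stated 9-byte size. The following Python example is an editorial addition, not code from the paper or from Find My. Big-endian byte order, two's-complement signedness of the two 32-bit fields, and meters as the unit of the one-byte accuracy field are assumptions the paper does not settle; the 10 000 000 scale factor and the 4 + 4 + 1 byte layout are taken from the text.

```python
import struct

FIXED_POINT_SCALE = 10_000_000   # 1e-7 degree per unit (Section V-D)
LITELOCATION_LEN = 9             # int32 latitude || int32 longitude || uint8 accuracy


def encode_litelocation(latitude, longitude, horizontal_accuracy):
    """Pack a coordinate into the 9-byte litelocation format.

    Byte order (big-endian) and two's-complement signedness are assumptions;
    the accuracy unit (meters) is likewise assumed and the value is clamped to
    the single byte available. +/-180 degrees times 1e7 fits into 32 signed bits.
    """
    if not -90.0 <= latitude <= 90.0 or not -180.0 <= longitude <= 180.0:
        raise ValueError("coordinate out of range")
    lat_fixed = int(round(latitude * FIXED_POINT_SCALE))
    lon_fixed = int(round(longitude * FIXED_POINT_SCALE))
    accuracy = max(0, min(255, int(round(horizontal_accuracy))))
    return struct.pack(">iiB", lat_fixed, lon_fixed, accuracy)


def decode_litelocation(blob):
    """Inverse of encode_litelocation; rejects anything but exactly 9 bytes."""
    if len(blob) != LITELOCATION_LEN:
        raise ValueError(f"litelocation must be {LITELOCATION_LEN} bytes, got {len(blob)}")
    lat_fixed, lon_fixed, accuracy = struct.unpack(">iiB", blob)
    return lat_fixed / FIXED_POINT_SCALE, lon_fixed / FIXED_POINT_SCALE, accuracy


def roundtrip_error(latitude, longitude):
    """Largest coordinate error the fixed-point representation introduces (degrees)."""
    lat2, lon2, _ = decode_litelocation(encode_litelocation(latitude, longitude, 0))
    return max(abs(lat2 - latitude), abs(lon2 - longitude))


if __name__ == "__main__":
    # Constructed sample: a point in Darmstadt with 12 m horizontal accuracy.
    blob = encode_litelocation(49.8776, 8.6542, 12)
    print(blob.hex(), decode_litelocation(blob), roundtrip_error(49.8776, 8.6542))
```

The quantization error of the format stays below 5e-8 degrees, well under a meter, which is why a 9-byte payload suffices; the 73 bytes of ECIES overhead the paper measures dwarf the location itself.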
Conversations: Writing with first responders is based on an interface similar to the Messages app. A message can be up to 160 byte, like SMS. The user interface shows if the message length is exceeded but allows users to type longer texts, which are split into multiple messages and transmitted separately. The internal message representation contains a conversation identifier and a message counter. This way, the receiver knows if messages are pending transmission and assembles messages in the correct order. A conversation ends if the user is inactive for more than 120 min. The message counter uses only 13 bit, allowing another 2 bit of the counter field to be used for the current battery level, letting first responders know if the user might stop texting due to an empty battery.

Location Updates: When the user continues a conversation after a pause or the location changes, their current location information is retransmitted. The location messages have an individual counter of only 8 bit.

Language Compression Codecs: Language-specific compression codecs reduce data usage. The emergency text interface limits inputs to UTF-8 characters without emojis or images. Then, the codec compresses the text. Depending on the languages configured in the user's system, multiple compression codecs are applied, and the most efficient one is selected. If the compressed message is not shorter than the uncompressed one, the uncompressed text is sent. We find that text compression is highly efficient. Using ChatGPT [62], we generate 100 exemplary emergency messages and send them through our simulated environment. The average message length is 34.83 characters, which are compressed to 12.35 characters, corresponding to a compression ratio of 2.82.

Message Encryption: Emergency text messages are shared with first responder coordination centers. In contrast to friends in Find My, their identity is unknown during the online setup phase. Apple solves this challenge using the 256 bit Master Session Key retrieved during the authentication and registration phase (see Section V-C). We assume that this Master Session Key is known to Apple, enabling them to decrypt and forward emergency messages as needed. Using an HMAC-based Key Derivation Function (HKDF) [48] with SHA-256 as the hash function, iOS derives two separate 256 bit keys, one for transmitting and one for receiving encrypted messages. The initial message, text messages, and location updates are encrypted with AES-256 in counter (CTR) mode without padding. The Initialization Vector (IV) is created from the incrementing message counter and the session-specific conversation ID. An analysis of the security properties of this encryption scheme follows in Section VI-B.

F. Roadside Assistance

iOS 17 introduced roadside assistance, allowing one to request help in case of a car breakdown [9]. The communication is similar to emergency texting, starting with a questionnaire and continuing with a conversation and location updates. The questionnaire asks for different information, including the user's phone number in free text form. Roadside assistance uses the same encryption scheme as emergency texting and almost the same message format.

G. SMS and iMessage

iOS 18 added text messaging features in the U.S. [13]. At the time of writing, these features were restricted to users who installed a developer beta. Since the features were not final and subject to change, we did not perform an in-depth analysis. Sending SMS is implemented similarly to emergency texting. Apple receives text messages transmitted by the user over satellite and forwards them to the sender's network provider, who forwards them to the receiver. Thus, users can only send SMS over satellite if their network provider collaborates with Apple. For iMessage over satellite, iOS exchanges satellite-specific encryption keys with other iMessage users for each conversation while online. The key exchange only completes if the other user is also on iOS 18.

H. Physical Layer Signal

The iPhone transmits satellite signals over the L-Band (1 610 MHz to 1 626.5 MHz) and receives signals over the S-Band (2 483.5 MHz to 2 500 MHz) [29]. The FCC report specifies the modulation scheme used in the uplink as Single Physical Resource Block (1-PRB) Single Carrier Frequency Division Multiple Access (SC-FDMA). We observe a channel spacing of 200 kHz, with 180 kHz used for the transmission and 20 kHz as guard space to the neighboring channels. These characteristics are very similar to Narrowband Internet of Things (NB-IoT), which uses a variant of LTE [1].

[Fig. 7: Spectrogram of a physical-layer uplink signal. Horizontal axis: frequency in MHz (about 1613 to 1613.5 MHz), labeled with the seven channel numbers 262336 to 262348; vertical axis: time in seconds. QMI packets annotated along the recording: Req: Orientation (0 s), Req: Activation (3 s), Req: Registration (21 s), Req: GPS Data Update (33 s), the Registration bursts, Ind: Security Config (46 s), Req: Send Message followed by the Message burst, Req: GPS Data Update (64 s), the Message Retransmission bursts, and Ind: Message Status (90 s).]

Apple optimized the standard NB-IoT transmission scheme for satellite transmissions. As the user points their iPhone directly at a satellite, multi-path effects on the signal are minimal, and thus a reduced Cyclic Prefix (CP) is used. The signal start contains a training symbol, which enables synchronization. When sending a location message over Find My, the transmission consists of 7 or more bursts, each lasting
for 1.867 s. Each burst contains a different data type. The supported types are ack, llc_control, registration, and ucast. If the satellite connection is interrupted, the bursts are repeated with a fixed backoff timer per type. Each transmission can be on a different channel, and the order of channels changes between transmission attempts.

Figure 7 shows a recording captured with a BladeRF SDR. General information sent over QMI, such as activation information and orientation updates, does not result in wireless transmissions. Once a satellite is within reach, the iPhone proceeds with a registration, which is the first message sent over the air. Due to non-optimal transmission conditions, the registration is retransmitted once. After being confirmed by the satellite, the iPhone applies the security configuration with the shared key and immediately sends the encrypted message. In this particular case, it is a Find My message. Usually, a message transmission only consists of six bursts immediately following each other. Here, the main burst of the communication, containing the actual message, is retransmitted five more times with longer pauses until it is finally confirmed to be received by the satellite. The overall transmission in this example took approximately 90 s. Under optimal conditions, the total transmission time is about 20 s.

VI. SECURITY, PRIVACY, AND SAFETY ANALYSIS

We perform an in-depth security and privacy analysis based on the results of our reverse-engineering effort. We define three different attacker models. The first two attackers align with our research questions RQ1 and RQ2, while the third attacker focuses on the safety of critical infrastructure.

Table I summarizes our findings. We find that message-layer encryption does not protect message integrity; however, integrity is protected on the transport layer (see Section VI-B). Apple has not accommodated adversaries with root-level access to the device: on a jailbroken iPhone, an adversary can bypass any regional restrictions and modify outgoing satellite messages (see Section VI-E). We develop an open-source application to demonstrate how location sharing can be used to send arbitrary messages of up to 83 bytes (see Section VI-D). In Section VII, we give recommendations on designing a secure satellite system that introduces mitigations for most issues presented in this section.

TABLE I: Summary of all attacks we found when analyzing the iPhone satellite communication.

Attack | Adversary | Privileges | Results
Confidentiality & Integrity (VI-B) | A | Receiving satellite signals. | Likely not feasible due to multi-layered encryption.
Privacy Limitations (VI-C) | A | Receiving satellite signals. | Identifying the used satellite communication type.
Free SMS-like Messaging Service (VI-D) | B | Root-level device access. | Misusing satellite connectivity to send arbitrary messages.
Bypassing Service and Location Restrictions (VI-E) | B | Root-level device access. | Using restricted services and communicating in restricted regions.
Device-specific Restrictions (VI-F) | B | Root-level device access. | Bypassing restrictions imposed by local laws.
Safety-critical Locations (VI-G) | C | System logs with debug profile. | Access to critical locations of ground stations.

A. Attacker Model

(A) Passive and Active Network Adversaries: We consider passive adversaries that record communication, aiming to extract sensitive information, such as medical information or location data. We also consider active adversaries that modify the transmitted data. The active adversary may change parts of the contents, e.g., to modify coordinates such that help for victims will be misdirected to the wrong location. We do not consider adversaries with quantum capabilities; ECDH, as used by Apple, is not post-quantum secure. Adversaries of this kind appear in related work as eavesdroppers receiving, decoding, and decrypting satellite communication [65], [66], [87], [85], [55]. In most cases, satellite communication was not encrypted.

(B) Individuals Bypassing Communication Restrictions: We consider adversaries with jailbroken iPhones who aim to bypass restrictions imposed by Apple. Such jailbreaks are available to the public [54], supporting the iPhone 14 up to iOS 16.5.1 at the time of writing. The attacker can use the jailbreak to modify configuration files and the behavior of binaries executed on the device. The motivation of these adversaries is twofold: they want to use satellite communication in regions that are not supported or that even declare the possession of a satellite phone a crime [32]. Furthermore, they want to extend the available features to send messages without paying for them and without restrictions by possible censorship.

(C) State-sponsored Actors and Terrorists: Satellite communication is a backup channel in case other communication systems collapse. Thus, satellite infrastructure, including ground stations, must be well protected. We consider an attacker who aims to disrupt satellite communication, such as state-sponsored actors or terrorists. During the Russian war on Ukraine, cellular and satellite services were intentionally blocked, underscoring the relevance of this threat in current times [44], [67]. We assume these attackers have access to the same information as individuals and possess weapons to attack satellite communication infrastructure.

B. Confidentiality & Integrity

Previous Globalstar Spot devices were shown to expose sensitive user location data due to the absence of any encryption during transport [55]. We analyze the applied encryption methods for satellite communication in this section.
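The emergency text encryption analyzed in the following paragraphs was described in Section V-E: two 256-bit direction keys derived with HKDF-SHA256 from the Master Session Key, AES-256-CTR with a deterministic IV built from the conversation ID and the 13-bit message counter, and no integrity protection. The following Python example is an editorial addition and is not code from the paper or from iOS. It keeps to the standard library: the counter-mode keystream is produced with HMAC-SHA256 as a stand-in for AES, which leaves the XOR structure that the bit-flipping and IV-reuse attacks rely on unchanged. The HKDF salt and info labels, the IV layout (8-byte conversation ID followed by an 8-byte counter), and the placement of the 2-bit battery level above the 13-bit counter are assumptions. The last two functions show an encrypt-then-MAC construction that would close the integrity gap; it is not Apple's design.

```python
import hashlib
import hmac

HASH = hashlib.sha256
TAG_LEN = 32
COUNTER_BITS, BATTERY_BITS = 13, 2          # field widths given in Section V-E
COUNTER_MASK = (1 << COUNTER_BITS) - 1


def pack_counter_field(counter, battery_level):
    """15-bit field: 2-bit battery level above the 13-bit counter (placement assumed)."""
    if not 0 <= counter <= COUNTER_MASK or not 0 <= battery_level < (1 << BATTERY_BITS):
        raise ValueError("counter or battery level out of range")
    return (battery_level << COUNTER_BITS) | counter


def unpack_counter_field(field):
    return field & COUNTER_MASK, field >> COUNTER_BITS


def hkdf_extract(salt, ikm):
    return hmac.new(salt or b"\x00" * 32, ikm, HASH).digest()


def hkdf_expand(prk, info, length):
    okm, block, i = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([i]), HASH).digest()
        okm, i = okm + block, i + 1
    return okm[:length]


def derive_keys(master_session_key):
    """Transmit, receive and (for the fix below) MAC keys from the Master Session Key.
    The empty salt and the labels are assumptions; the paper names only HKDF-SHA256."""
    prk = hkdf_extract(b"", master_session_key)
    return tuple(hkdf_expand(prk, label, 32) for label in (b"tx", b"rx", b"mac"))


def build_iv(conversation_id, counter_field):
    """Deterministic 16-byte IV: conversation ID || message counter (layout assumed)."""
    counter, _battery = unpack_counter_field(counter_field)
    return conversation_id[:8].ljust(8, b"\x00") + counter.to_bytes(8, "big")


def keystream(key, iv, length):
    """Counter-mode keystream; HMAC-SHA256 per block stands in for AES-256 here."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + block.to_bytes(4, "big"), HASH).digest()
        block += 1
    return out[:length]


def ctr_crypt(key, iv, data):
    """Encryption and decryption are the same XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, iv, len(data))))


def flip_bit(ciphertext, bit_index):
    """Active attacker: flipping ciphertext bit i flips plaintext bit i, unnoticed without a MAC."""
    buf = bytearray(ciphertext)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def recover_with_reused_iv(c1, c2, known_p1):
    """Passive attacker: same key and IV twice, so c1 ^ c2 = p1 ^ p2 reveals p2 from p1."""
    return bytes(a ^ b ^ k for a, b, k in zip(c1, c2, known_p1))


def seal(enc_key, mac_key, iv, plaintext):
    """Encrypt-then-MAC over IV || ciphertext: the integrity layer the scheme lacks."""
    c = ctr_crypt(enc_key, iv, plaintext)
    return c + hmac.new(mac_key, iv + c, HASH).digest()


def open_sealed(enc_key, mac_key, iv, blob):
    c, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, iv + c, HASH).digest()):
        return None                      # reject instead of decrypting tampered data
    return ctr_crypt(enc_key, iv, c)


def demo():
    """Constructed walk-through on a 3-byte questionnaire with only bit 0 set."""
    tx_key, _rx_key, mac_key = derive_keys(b"\x42" * 32)
    iv = build_iv(b"conv-001", pack_counter_field(1, 3))   # first message, full battery
    questionnaire = bytes([0x01, 0x00, 0x00])
    c = ctr_crypt(tx_key, iv, questionnaire)
    tampered = ctr_crypt(tx_key, iv, flip_bit(c, 0))       # receiver decrypts 00 00 00
    sealed = seal(tx_key, mac_key, iv, questionnaire)
    rejected = open_sealed(tx_key, mac_key, iv, flip_bit(sealed, 0))
    return tampered, rejected
```

The 13-bit counter also bounds the IV space per conversation: once 8192 messages have been sent under one Master Session Key, counter values, and with them IVs, repeat, which is exactly the condition recover_with_reused_iv exploits. The 120 min inactivity timeout and fresh GeneratedAppKey per session keep that far away in practice, but the margin comes from the protocol, not from the cipher.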
Emergency SOS & Roadside Assistance: In this section, we present multiple issues with the byte-efficient encryption used for emergency texting and roadside assistance. The encryption algorithm used is AES-256 in CTR mode with a deterministic IV based on the conversation ID and the message counter. While this approach minimizes communication size, which is essential in an emergency over a slow satellite connection, it could have weaknesses exploitable by passive or active machine-in-the-middle attacks. Because AES in CTR mode is a stream cipher, reuse of a nonce under the same key leads to a simple known-plaintext attack. Furthermore, as AES-CTR is not an authenticated encryption scheme, the ciphertext is malleable, i.e., it can be modified to change the plaintext without the receiver realizing it. Every bit flip in the ciphertext corresponds to a bit flip in the plaintext at the same position. An adversary might use this to change answers in the questionnaire, which is transmitted as a bit array, or to change the location, potentially leading emergency responders to the wrong location.

Find My Location Sharing: As detailed in Section V-D, all location updates are end-to-end encrypted using the well-established ECIES standard with the NIST P-256 curve and AES in Galois/Counter Mode (GCM). Adversaries who are able to record or intercept an outgoing location update cannot decrypt the actual location, nor can they encrypt a fake location update.

iMessage and SMS: All messages sent using iMessage over satellite are end-to-end encrypted with a key that is used exclusively for encrypting satellite messages between the users. We could not test SMS via satellite, as our carriers do not support it.

Multi-layer Encryption: Emergency texting uses AES in CTR mode to encrypt messages sent via satellite to first responders. As the encryption mode does not provide authentication and no further integrity protection is used, we reported this to Apple's product security team. They reviewed the issue and described a multi-layer encryption approach that they use for all satellite communication (see Appendix D). The outer layer is encrypted and authenticated during transport, i.e., while the message travels through air and space to a ground station. When the message is received, the Apple Satellite Service decrypts the payload and retrieves metadata to obtain routing information. The inner payload, which is still encrypted depending on the message sent, is then routed to the correct service. For example, for an emergency message, Apple's emergency service receives the payload, decrypts the inner payload, and displays it to first responders.

Apple did not specify the exact algorithms in use, but they usually adhere to well-tested encryption standards. We did not see any signs of this encryption in iOS, and it is likely that the outer layer encryption is implemented in the baseband. Since the baseband has access to the shared secret derived from the LLC key, it could encrypt and authenticate all messages.

C. Privacy Limitations

Offline Location Sharing: The list of friends can only be modified when the user is online. If the user shares a location with their friends while offline, they cannot change who sees this location update. All friends of the user share the same key for decrypting the location update, making it impossible to exclude one of them without an internet connection. As a result, one might involuntarily share private location data.

Unencrypted Message Types: Although we found that the transmitted private data is protected against external access, an eavesdropper can identify the type of communication a user performs. By default, the message type is not encrypted when the message is sent to the baseband. Even if the message is fully encrypted, the transmission scheme allows the eavesdropper to identify which kind of satellite communication is happening, e.g., location sharing always creates a pattern of seven bursts. Furthermore, text lengths become apparent, as there is no padding, which enables faster transmissions.

The second limitation can be mitigated using end-to-end transport encryption based on the LLC keys and padding to ensure all messages are the same length. However, previous research has shown that even encrypted traffic can be analyzed using machine learning [73].

D. Free SMS-like Messaging Service

Find My Friends is based on end-to-end encryption between the sender and the group of friends with whom the sender shares their location. Attacker B wants to utilize this feature and modify the location update, allowing them to use this technology as a free messaging service.

Sending Messages: To send custom messages over satellite, the attacker modifies the encrypted location update before it is forwarded to the baseband and sent to the satellite. The attacker can manipulate the processes involved at runtime and inject any custom message before the iPhone sends it to the satellite. The only requirement for this is a computer with Frida or similar tooling and a jailbroken iPhone.

Any message forwarded to the baseband is sent to the satellite as a Find My Friends location update. Although the legitimate location update uses only 83 byte, attackers can send messages of up to 160 byte. If the attacker tries to send messages with more than 160 byte, the transmission is not acknowledged. The same maximum message size is used for emergency text messages and roadside assistance. Apple has likely imposed this size as an upper bound on the MAC layer.

Receiving Messages: The receiver must be a friend of the attacker in the Find My app, allowing them to receive location updates from the sender. The receiver can fetch the message in two ways: (1) By opening the Find My app and requesting the attacker's location. However, the location update cannot be decoded because the attacker modified the contents. Therefore, the app cannot display the message but will log the HTTP response containing the entire message. Observing logs does not require root access for the receiver. (2) The receiver can send the HTTP request for the location update directly to
Apple's servers, authenticated with anisette data [39] and an access token. Access to these parameters requires privileged access to the system, like a jailbreak on iOS or disabling system integrity protection on a Mac [39]. The server response contains the Base64-encoded message.

Listing 1 shows an HTTP response containing a modified message sent using a satellite location update. The fmt field set to 1 indicates that the location update was shared via satellite. The location field contains our Base64-encoded message consisting of the repeating letter 'A'.

[Fig. 8: Messenger app using satellite location sharing to send arbitrary messages (Demo: https://youtu.be/3qYby6CeBxs).]

Security Implications: Misuse can affect service stability since satellite bandwidth is limited, reducing the user experience for others. Additionally, Apple might monetize text messaging services through satellite connections with iOS 18. Similar services already exist from Huawei and Motorola [22], [57]. Without added protection mechanisms, users can send text messages for free without restrictions on the number of messages. While Apple cannot fix this issue without significant updates to the Find My protocol, they started enforcing the exact message size of 83 byte after our responsible disclosure. As they can map LLC keys to Apple IDs, they could take further actions in the future, such as blocking users abusing the service.

E. Radio Exclusion Zones & Regional Restrictions Bypass

Satellite transmission devices must comply with radio exclusion zones. iPhones apply these restrictions in software, which complies with the FCC report [29]. The Trial-based configuration allows Apple to update all of these settings at any time, e.g., if geopolitical events require adding new exclusion zones. Even users who do not update their iOS version will receive these changes. Staying offline to avoid new rules does not work, as the target configuration will expire, meaning that the iPhone can no longer calculate satellite orbits.

However, on jailbroken devices, attackers can modify the radio exclusion zones and other restrictions by modifying the Trial configuration. The configuration is stored in a human-readable XML format in the file /private/var/mobile/Library/Trial/Treatments/BIFROST_PROD_2/.../Config.plist.

According to the Globalstar coverage map [33], their satellite services are available and legal to use across Europe.

Message Throttling Bypass: Sharing a location over Find My is limited to one location every 15 min. Apple's servers or
ground stations do not enforce this limit. Instead, iOS throttles As of July 2024, Apple restricts satellite services to selected
message transmission locally using a CFPreference called European countries. We test the effectiveness of modifying the
lastLiteLocationPublish, which stores the last date of a
Trial configuration in the following experiments.
successful location share. By overwriting this setting, we can Adding Support for a Country: We add Poland to the
send multiple locations within the 15 min time window. Trial configuration and attempt satellite communication close
Proof of Concept App: We create an iOS app that works to the Polish–German border. During the Activation phase, the
for the iPhone 14 on iOS 16.1 or higher using the Dopamine iPhone indicates its location as Poland, as expected. Despite
2 jailbreak [30]. We use the jailbreak to access private frame- Poland not being officially supported, the Registration is
works and to add a tweak that overwrites Find My messages confirmed, and we can send Find My locations over satellite.
before they are sent. We do not integrate further bypasses for Roadside Assistance in Non-U.S. Countries: Another
legal reasons. Figure 8 shows the proof of concept, which we restriction is that Roadside Assistance is not available in the
also made available open source [37]. EU. We manipulate the configuration files to add the feature
to an EU country. We successfully initiate communication but
abort it before the message is sent to prevent false alarms.
{ "locationPayload" : [
{ "locationInfo" : [ {
iMessage and SMS texting outside of the U.S.: We
AAA... in Base64
"locationTs" : 17 0 7 1 3 7 1 4 4 3 6 2 , manipulate the configuration files to add iMessage and text
"location": "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUF", messaging via satellite to an EU country. As SMS requires
"fmt" : 1 } ] ,
"id": "fq0UsX8ZEUUrVJHvHRMc/9qxFm5vsCIPZWSW5kdCK6I="}
collaboration with the provider, we were only able to test
], iMessage. We were able to communicate as intended with
"configVersion" : 1 , another person residing in the U.S.
"statusCode": "200" }
Security Implications: Our experiments demonstrate that
Listing 1: JSON response with custom message inside the Apple’s satellite services can be used regardless of an individ-
location information. ual’s location. Feature and location availability solely depends
on the Target configuration, which is modifiable.

12
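Both constraints discussed in this subsection, the fixed report size and the one-share-per-15 min limit, are enforced only on the client (lastLiteLocationPublish) at the time of the experiments. As an added example that is neither Apple’s code nor part of the paper’s artifacts, the following Go program sketches the server-side counterpart that Section VII-A later recommends: it parses a document shaped like Listing 1, decodes the Base64 location field, rejects satellite reports (fmt 1) that are not exactly the fixed size, and rejects a sender who shares a second satellite location within 15 min of the last accepted one. The 83 byte size is taken from this subsection (Section VI-H quotes 82 byte), and using the id field as a stable per-sender identity is an assumption; the sample documents are constructed.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Policy parameters from Section VI-D; both are assumptions about what a
// ground station or server should enforce, not Apple's actual configuration.
const (
	ReportLen    = 83               // fixed satellite location report size (bytes)
	MinInterval  = 15 * time.Minute // one satellite location share per sender per window
	FmtSatellite = 1                // "fmt": 1 marks a location update shared via satellite
)

var (
	ErrBase64 = errors.New("location field is not valid Base64")
	ErrSize   = errors.New("satellite report is not exactly ReportLen bytes")
	ErrRate   = errors.New("sender shared a satellite location less than MinInterval after the previous one")
)

// report mirrors one element of the "locationPayload" array in Listing 1.
type report struct {
	LocationInfo []struct {
		LocationTs int64  `json:"locationTs"` // milliseconds since the Unix epoch
		Location   string `json:"location"`   // Base64-encoded report body
		Fmt        int    `json:"fmt"`
	} `json:"locationInfo"`
	ID string `json:"id"` // assumed here to be a stable per-sender identifier
}

type response struct {
	LocationPayload []report `json:"locationPayload"`
}

// Result is the verdict for one report; Err is nil when the report conforms.
type Result struct {
	ID      string
	Payload []byte
	Err     error
}

// Policy remembers the last accepted satellite share per sender, the
// server-side counterpart of the on-device lastLiteLocationPublish preference.
type Policy struct{ last map[string]time.Time }

func NewPolicy() *Policy { return &Policy{last: make(map[string]time.Time)} }

// Check parses a Listing-1-shaped document and applies the size and rate
// constraints to every satellite-format report in it. Reports with another
// fmt are decoded but not constrained: the fixed size is a property of the
// satellite link, not of location sharing in general.
func (p *Policy) Check(body []byte) ([]Result, error) {
	var resp response
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, err
	}
	var out []Result
	for _, r := range resp.LocationPayload {
		for _, li := range r.LocationInfo {
			res := Result{ID: r.ID}
			// Listing 1 carries unpadded Base64, so strip any padding and use the raw decoder.
			raw, err := base64.RawStdEncoding.DecodeString(strings.TrimRight(li.Location, "="))
			switch {
			case err != nil:
				res.Err = ErrBase64
			case li.Fmt != FmtSatellite:
				res.Payload = raw
			case len(raw) != ReportLen:
				res.Payload, res.Err = raw, ErrSize
			default:
				res.Payload = raw
				ts := time.UnixMilli(li.LocationTs)
				if prev, seen := p.last[r.ID]; seen && ts.Sub(prev) < MinInterval {
					res.Err = ErrRate
				} else {
					p.last[r.ID] = ts // only accepted shares advance the window
				}
			}
			out = append(out, res)
		}
	}
	return out, nil
}

// SampleBody builds a constructed document in the shape of Listing 1 whose
// location field carries n repeated 'A' bytes, as the paper's messenger does.
func SampleBody(id string, tsMillis int64, n int) []byte {
	loc := base64.StdEncoding.EncodeToString(bytes.Repeat([]byte{'A'}, n))
	return []byte(fmt.Sprintf(`{"locationPayload":[{"locationInfo":[{"locationTs":%d,"location":%q,"fmt":1}],"id":%q}],"configVersion":1,"statusCode":"200"}`, tsMillis, loc, id))
}

func main() {
	p := NewPolicy()
	id := "fq0UsX8ZEUUrVJHvHRMc/9qxFm5vsCIPZWSW5kdCK6I=" // id and locationTs taken from Listing 1
	t0 := int64(1707137144362)
	for _, body := range [][]byte{
		SampleBody(id, t0, 83),             // conforming report
		SampleBody(id, t0+5*60*1000, 83),   // 5 min later: violates the 15 min interval
		SampleBody(id, t0+20*60*1000, 200), // 20 min later, but oversized
	} {
		results, err := p.Check(body)
		if err != nil {
			fmt.Println("malformed document:", err)
			continue
		}
		for _, r := range results {
			fmt.Printf("sender %.8s... %3d bytes -> %v\n", r.ID, len(r.Payload), r.Err)
		}
	}
}
```

Rejected shares do not advance a sender’s window, so a client that floods the service gains nothing from the attempts; a deployment would additionally persist the per-sender state and tie the identity to the LLC key rather than to a JSON field.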
F. Device-specific Restrictions

Find My Friends is unavailable in South Korea due to legal restrictions [12]. Devices sold in Korea cannot use Find My, even outside Korea. Device model numbers ending with KH indicate Korean devices. Existing iOS tweaks for jailbroken devices support modifying the model by changing it in the property list of Mobile Gestalt [63]. The property list is obfuscated to prevent jailbreaks from easily figuring out configurations. We change the model number from Korea to Poland by changing these entries:

<key>zHeENZu+wbg7PUprwNwBWg</key>
<string>PM/A</string>
<key>h63QSdBCiT/z0WU6rdQv6Q</key>
<string>PM</string>

However, this approach did not fully allow Find My Friends on the iPhone 14 SRD linked to Korea. It is further required to add the following entry to allow the Find My Friends feature:

<key>FMFAllowed</key>
<real>1</real>

These preferences become effective when opening the Settings app and selecting Reset All Settings. This step ensures that the iPhone reloads all settings from the modified file, preventing them from being cached elsewhere. The user must log in again with their iCloud account, thereby re-fetching account-specific settings. However, this approach only works with iCloud accounts not created on Korean devices.

Security Implications: Our experiments show that users are not bound to the legal restrictions of the country where they purchased a device.

G. Safety-critical Locations

Globalstar and Apple have no openly available documentation about their ground station infrastructure. We assume this is to protect communication sites and hide business secrets. Successful satellite transmission also requires the targeted satellite to reach a ground station. The iPhone holds a list of ground station locations to calculate an optimal communication path. iOS does not contain a ground station list as part of the system image but downloads it on demand over the Trial service to keep it up-to-date. Trial assets are encrypted and packed in a proprietary format, making them difficult to download and analyze directly.

We found two possibilities for extracting the list of ground stations from an iPhone. (1) On jailbroken devices, the Trial configuration file is accessible through SSH. (2) On non-jailbroken devices, system logs contain the list of ground stations. The log entries are marked as <private> by default. However, after installing a baseband debug profile [7], the log verbosity increases and includes the anchor list. We confirm the ground stations are valid locations by looking them up in Google Maps’ satellite view. All of them reveal massive antenna installations.

Safety Implications: Ground stations for satellite communication are difficult to set up and cannot be moved. Once leaked, knowledge about their precise locations can have severe implications for the physical security of these sites. We reported this issue to Apple, but since this is an essential limitation of their satellite communication algorithm, they do not rate it as a potential security issue.

H. Responsible Disclosure

We reported all issues to Apple’s product security team. We made our first report in March 2023, and also shared the entire paper with Apple before it was peer-reviewed. While we list several security issues in this section, Apple did not share this view with us. None of the reported problems were classified as security issues. Nevertheless, Apple made some changes after our reports: They limited the maximum length of a satellite location report to 82 byte at the ground station. Therefore, messages longer than that may no longer be received when using our satellite messenger (see Section VI-D). Regarding the issue in Section VI-G, Apple classified the ground station leak as expected behavior and stated that the information is publicly available. We confirm this by finding the location of the ground station in Estonia online [53]. While they agreed that their message encryption scheme lacks integrity checks, they provided a detailed answer explaining how they further secure satellite communication on the transport layer. They supported us in including their answer in this paper (see Appendix D).

VII. RECOMMENDATIONS FOR DESIGNING SECURE SATELLITE COMMUNICATION

Previously studied satellite communication systems lacked encryption, leaked personal data, and allowed adversaries to manipulate messages [55]. Partly, these issues arise from the bandwidth constraints and the need to guarantee reliable communication. Apple invested in designing secure and private satellite communication. While this system has many strong points and solves various challenges through an internet-based setup phase, we found several vulnerabilities.

With satellite services also coming to Android devices [80], [43], [71], [79], including rumors for satellite support in mainline Android [50], designing secure satellite communication becomes relevant to a broad target audience. This section shows how to design a secure satellite communication system based on Apple’s work. We include mitigations for all discovered vulnerabilities. We generalize our recommendations so that they apply to future satellite communication systems.

A. Enforcing Usage Restrictions

Satellite services must follow legal restrictions. As described in the FCC document for the iPhone 14, Apple conforms to this by applying such restrictions in software [29]. Software-based restrictions come at the risk of being modified on jailbroken iPhones and rooted Android devices (see Section VI-D and VI-E). While jailbreaks are less common on iOS, current lawsuits and legislation [78], [82] might force Apple to open iOS further.

In contrast, access to wireless firmware is increasingly restricted to comply with radio emission guidelines [77].
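The paragraph above states the risk: a restriction that lives only in an editable file is only as strong as the device’s root protection. Section VII-A’s first recommendation addresses this with vendor-signed configurations verified by firmware that holds nothing but the vendor’s public key, and with the expiry the paper already observed for the target configuration. The following Go program is an added illustration of that design, not Apple’s implementation and not the Trial Config.plist format; the configuration fields, the Ed25519 choice, and the expiry handling are assumptions, and the sample values are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// SatConfig is a hypothetical stand-in for the restriction-relevant part of
// the Trial configuration described in Section VI-E (not Apple's format).
type SatConfig struct {
	AllowedCountries []string  `json:"allowedCountries"` // assumed ISO country codes
	ExclusionZones   []Zone    `json:"exclusionZones"`
	Services         []string  `json:"services"` // e.g. "sos", "findmy", "roadside"
	Expires          time.Time `json:"expires"`  // the expiring target configuration the paper observes
}

// Zone is a circular radio exclusion zone (constructed representation).
type Zone struct {
	Name     string  `json:"name"`
	Lat      float64 `json:"lat"`
	Lon      float64 `json:"lon"`
	RadiusKm float64 `json:"radiusKm"`
}

// SignedConfig is what the device stores: the serialized body and the
// vendor's Ed25519 signature over exactly those bytes.
type SignedConfig struct {
	Body []byte
	Sig  []byte
}

var (
	ErrSignature = errors.New("configuration signature does not verify under the vendor key")
	ErrExpired   = errors.New("configuration has expired")
)

// Sign is the vendor-side step: serialize, then sign the bytes.
func Sign(priv ed25519.PrivateKey, cfg SatConfig) (SignedConfig, error) {
	body, err := json.Marshal(cfg)
	if err != nil {
		return SignedConfig{}, err
	}
	return SignedConfig{Body: body, Sig: ed25519.Sign(priv, body)}, nil
}

// Verify is the step the paper proposes moving into the baseband: with only
// the vendor public key pinned, accept the configuration when the signature is
// valid and it has not expired. The body is parsed only after verification,
// so an edited file is never interpreted.
func Verify(pub ed25519.PublicKey, sc SignedConfig, now time.Time) (SatConfig, error) {
	if !ed25519.Verify(pub, sc.Body, sc.Sig) {
		return SatConfig{}, ErrSignature
	}
	var cfg SatConfig
	if err := json.Unmarshal(sc.Body, &cfg); err != nil {
		return SatConfig{}, err
	}
	if !now.Before(cfg.Expires) {
		return SatConfig{}, ErrExpired
	}
	return cfg, nil
}

// CountryAllowed is the policy question answered at the Activation phase.
func CountryAllowed(cfg SatConfig, country string) bool {
	for _, c := range cfg.AllowedCountries {
		if c == country {
			return true
		}
	}
	return false
}

// Tamper mimics the Section VI-E edit on a jailbroken device: rewrite the
// stored body while keeping the old signature.
func Tamper(sc SignedConfig, edit func(*SatConfig)) (SignedConfig, error) {
	var cfg SatConfig
	if err := json.Unmarshal(sc.Body, &cfg); err != nil {
		return SignedConfig{}, err
	}
	edit(&cfg)
	body, err := json.Marshal(cfg)
	if err != nil {
		return SignedConfig{}, err
	}
	return SignedConfig{Body: body, Sig: sc.Sig}, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // vendor key pair; pub is what firmware pins
	if err != nil {
		panic(err)
	}
	now := time.Date(2024, 7, 1, 0, 0, 0, 0, time.UTC)
	cfg := SatConfig{ // constructed sample, not Apple's list
		AllowedCountries: []string{"DE", "FR"},
		ExclusionZones:   []Zone{{Name: "constructed-zone", Lat: 50.0, Lon: 8.0, RadiusKm: 25}},
		Services:         []string{"sos", "findmy"},
		Expires:          now.Add(7 * 24 * time.Hour),
	}
	signed, err := Sign(priv, cfg)
	if err != nil {
		panic(err)
	}
	if v, err := Verify(pub, signed, now); err == nil {
		fmt.Println("genuine config accepted; PL allowed:", CountryAllowed(v, "PL"))
	}
	tampered, _ := Tamper(signed, func(c *SatConfig) { c.AllowedCountries = append(c.AllowedCountries, "PL") })
	_, err = Verify(pub, tampered, now)
	fmt.Println("edited config:", err)
	_, err = Verify(pub, signed, now.Add(30*24*time.Hour))
	fmt.Println("stale config:", err)
}
```

The expiry check also blocks the replay of an older, more permissive configuration that still carries a valid signature; a deployment would keep a monotonic version or the baseband’s own notion of time so that a device cannot simply roll its clock back.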
Baseband chips enforce this by only running firmware signed by the vendor. Thus, we consider the baseband chip firmware as an independent root of trust.

Recommendation: We propose integrating the baseband chip into the chain of trust for satellite configurations. Configuration settings such as radio exclusion zones, country-based restrictions, and allowed services could be signed by the vendor, with verification performed by the baseband firmware.

However, mobile devices should not be considered trustworthy. Attackers could reconstruct the entire communication stack using SDRs to bypass restrictions. Apple addresses this issue by enforcing legitimate usage of its services and requiring valid LLC keys to participate in satellite communication. These keys are generated within the SEP, enhancing their protection against extraction. Given their ability to identify users based on LLC keys, Apple could block users whose keys are used for satellite transmissions within restricted areas or for sending Find My locations more frequently than every 15 min.

Recommendation: We suggest checking for malicious client-side behavior on the server side and blocking users who do not conform to the protocol constraints.

B. Robust Cryptography

Cryptography ensures secure communication in wireless systems, including properties like confidentiality, integrity, and authentication. Usually, these properties are ensured by complex protocols like Transport Layer Security (TLS) on the internet or 5G authentication for cellular networks [2], [45]. In satellite communication, any packet transfer or byte added to a packet leads to a longer transmission time in an order of magnitude that is directly noticeable by the end-user. When bringing secure communication to satellites, existing protocols must be modified to meet this constraint.

Apple solves key establishment and authentication through the online pre-registration of LLC keys. This way, they can use the secure ECDH key exchange protocol [21] and directly proceed with authentication and transport layer encryption. Apple then adds a second layer of encryption depending on the service used. For Find My Friends, locations are end-to-end encrypted using public key encryption with pre-shared keys and secured against manipulation with an authentication tag. This increases the message size of a 9 byte location by 79 byte, which is costly but acceptable for Apple during non-emergency usage. To encrypt emergency text messages during SOS and roadside assistance, Apple leaves out authentication tags as the transport layer already integrates them. This saves bytes when sending time-critical information.

Recommendation: For future implementations of satellite communication we recommend a similar approach using strong encryption and authentication modes, which protect confidentiality, authenticity, and integrity. We recommend 32 bit authentication tags as a security and packet size tradeoff. Furthermore, to protect against potential nonce reuse attacks, we recommend using random nonces instead of message counters.

VIII. CONCLUSION

Apple’s satellite communication system brings a modern protocol to an infrastructure that has existed since the first iPhone was released in 2007. We reverse-engineered the details of this protocol and built a safe simulation-based test environment, followed by an in-depth security and privacy analysis. Apple designed a protocol that works offline, based on pre-fetched information. Despite this limitation, each session is secured by a fresh session key pair.

The security and safety issues we discovered are based on design decisions, which become apparent when looking at the protocol in a broader context. Find My location sharing can be abused for SMS-like messaging. While this is a flaw by design, with the ability to modify message content outside of the baseband chip, the maximum message length was not checked on the server end. In addition, we found that all regional restrictions—radio exclusion zones, model-based restrictions, and unsupported countries—are purely configured in software, allowing us to bypass them on jailbroken devices. This implies that Apple’s satellite communication system is open for adversarial use with unintended applications. Moreover, we found that the transmission path calculation information leaks safety-critical ground station locations.

Signal modulation and transport layer encryption are handled in the Qualcomm baseband chip, which is an open target for future research. The modularity and extensibility of the overall system will allow for additional use cases in the future. We are excited to see how this will be extended.

ACKNOWLEDGMENT

This work has been co-funded by Deutsche Forschungsgemeinschaft (DFG) – SFB 1119 – 236615297, by the German Federal Ministry of Education and Research and the Hessian State Ministry for Higher Education, Research, and the Arts within their joint support of the National Research Center for Applied Cybersecurity ATHENE.

REFERENCES

[1] 3GPP, “3GPP TS 36.300 V18.0.0,” 2023. [Online]. Available: https://www.3gpp.org/ftp/Specs/archive/36_series/36.300/36300-i00.zip
[2] 3GPP, “Security architecture and procedures for 5G system,” 3GPP, Technical Specification (TS) 33.501, 2023, version 18.4.0.
[3] ——, “3GPP TS 33.102 V17.0.0 (2022-03),” 2024. [Online]. Available: https://3gpp.guru/trts/Rel-17/33102-h00.html
[4] Apple, “Apple Platform Security,” 2022. [Online]. Available: https://help.apple.com/pdf/security/en_US/apple-platform-security-guide.pdf
[5] ——, “Emergency SOS via satellite available today on the iPhone 14 lineup in the US and Canada,” 2022. [Online]. Available: https://www.apple.com/newsroom/2022/11/emergency-sos-via-satellite-available-today-on-iphone-14-lineup/
[6] ——, “Apple-oss-distributions/xnu,” 2023. [Online]. Available: https://github.com/apple-oss-distributions/xnu
[7] ——, “Bug Reporting Profiles and Logs,” 2023. [Online]. Available: https://developer.apple.com/bug-reporting/profiles-and-logs/
[8] ——, “Notruf SOS über Satellit ab heute für iPhone 14 Modelle in Österreich, Belgien, Italien, Luxemburg, den Niederlanden und Portugal verfügbar,” 2023. [Online]. Available: https://www.apple.com/at/newsroom/2023/03/emergency-sos-now-in-austria-belgium-italy-luxembourg-netherlands-portugal/
[9] ——, “Request Roadside Assistance via satellite on your iPhone,” 2023. [Online]. Available: https://support.apple.com/guide/iphone/request-roadside-assistance-via-satellite-iph29bea54b5/17.0/ios/17.0
[10] ——, “Send your location via satellite in Find My on iPhone,” 2023. [34] ——, “Globalstar Satellite Technology,” 2024. [Online]. Available:
[Online]. Available: https://support.apple.com/guide/iphone/send-your- https://www.globalstar.com/en-ap/about/our-technology
location-via-satellite-iph2aac8ae20/ios [35] Google Open Source, “Qualcomm MSM Interface (QMI),” 2019.
[11] ——, “Apple Security Research Device Program,” 2024. [Online]. [Online]. Available: https://android.googlesource.com/kernel/msm/+/
Available: https://security.apple.com/research-device/ android-7.1.0 r0.2/Documentation/arm/msm/msm qmi.txt
[12] ——, “Find friends and share your location with Find My - Apple [36] J. A. Guerrero-Saade and M. van Amerongen, “AcidRain | A Modem
Support (MT),” 2024. [Online]. Available: https://support.apple.com/ Wiper Rains Down on Europe,” 2022. [Online]. Available: https://www.
en-mt/105122 sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/
[13] ——, “iOS 18 makes iPhone more personal, capable, [37] A. Heinrich and J. Classen, “Artifacts for “Starshields for iOS:
and intelligent than ever - Apple,” 2024. [Online]. Avail- Navigating the Security Cosmos in Satellite Communication”,” Zenodo,
able: https://www.apple.com/newsroom/2024/06/ios-18-makes-iphone- 2024. [Online]. Available: https://doi.org/10.5281/zenodo.13863530
more-personal-capable-and-intelligent-than-ever/ [38] A. Heinrich, M. Stute, and M. Hollick, “OpenHaystack: A Framework
[14] ——, “iOS 18 Preview,” 2024. [Online]. Available: https://www.apple. for Tracking Personal Bluetooth Devices via Apple’s Massive Find My
com/ios/ios-18-preview/ Network,” in Proceedings of the 14th ACM Conference on Security
[15] ——, “Set up and view your Medical ID,” 2024. [Online]. Available: and Privacy in Wireless and Mobile Networks. New York, NY,
https://support.apple.com/en-ca/guide/iphone/iph08022b192/ios USA: Association for Computing Machinery, 2021. [Online]. Available:
[16] ——, “Use Crash Detection on iPhone or Apple Watch to https://doi.org/10.1145/3448300.3468251
call for help in an accident,” 2024. [Online]. Available: https: [39] A. Heinrich, M. Stute, T. Kornhuber, and M. Hollick, “Who
//support.apple.com/en-us/104959 Can Find My Devices? Security and Privacy of Apple’s Crowd-
[17] ——, “Use Emergency SOS via satellite on your iPhone,” 2024. Sourced Bluetooth Location Tracking System,” Proceedings on Privacy
[Online]. Available: https://support.apple.com/en-us/HT213426 Enhancing Technologies, 2021. [Online]. Available: https://www.
[18] ——, “Use Fall Detection with Apple Watch,” 2024. [Online]. petsymposium.org/2021/files/papers/issue3/popets-2021-0045.pdf
Available: https://support.apple.com/en-us/108896 [40] D. Heinze, J. Classen, and M. Hollick, “ToothPicker: Apple Picking
[19] ——, “Using Sysdiagnose to Troubleshoot iOS or iPadOS,” 2024. [On- in the iOS Bluetooth Stack,” in 14th USENIX Workshop on Offensive
line]. Available: https://it-training.apple.com/tutorials/support/sup075 Technologies. USENIX Association, 2020. [Online]. Available:
https://www.usenix.org/conference/woot20/presentation/heinze
[20] L. Arnold, M. Hollick, and J. Classen, “Catch You Cause I Can: Busting
[41] D. Heinze, J. Classen, and F. Rohrbach, “MagicPairing: Apple’s Take
Rogue Base Stations using CellGuard and the Apple Cell Location
on Securing Bluetooth Peripherals,” in Proceedings of the 13th ACM
Database,” in RAID, 2024.
Conference on Security and Privacy in Wireless and Mobile Networks.
[21] E. Barker, L. Chen, A. Roginsky, A. Vassilev, and R. Davis,
New York, NY, USA: Association for Computing Machinery, 2020.
“Recommendation for pair-wise key-establishment schemes using
[Online]. Available: https://doi.org/10.1145/3395351.3399343
discrete logarithm cryptography (rev. 3),” National Institute of
[42] F. R. Hoots and R. L. Roehrich, Models for propagation of NORAD
Standards and Technology, Tech. Rep., 2018. [Online]. Available:
element sets. Office of Astrodynamics, 1980. [Online]. Available:
https://doi.org/10.6028/NIST.SP.800-56Ar3
https://apps.dtic.mil/sti/citations/ADA093554
[22] Castro, “HUAWEIHuawei Mate 60 Pro satellite calling costs 100
[43] Huawei, “Huawei Mate 60 Pro is the world’s
yuan ($13) for 80 minutes of talktime,” 2023. [Online]. Available:
first satellite calling phone,” 2023. [Online]. Avail-
https://consumer.huawei.com/za/community/details/HUAWEIHuawei-
able: https://consumer.huawei.com/za/community/details/Huawei-Mate-
Mate-60-Pro-satellite-calling-costs-100-yuan-13-for-80-minutes-of-
60-Pro-is-the-world-s-first-satellite-calling-phone/topicId 280286/
talktime/topicId 280458/
[44] M. Hunder, J. Landay, and S. Bern, “Ukraine’s top mobile operator
[23] J. Classen, A. Heinrich, R. Reith, and M. Hollick, “Evil Never hit by biggest cyberattack of war,” Reuters, 2023. [Online]. Available:
Sleeps: When Wireless Malware Stays On after Turning Off iPhones,” https://www.reuters.com/technology/cybersecurity/ukraines-biggest-
in Proceedings of the 15th ACM Conference on Security and mobile-operator-suffers-massive-hacker-attack-statement-2023-12-12/
Privacy in Wireless and Mobile Networks. New York, NY, USA: [45] IETF, “The Transport Layer Security (TLS) Protocol Version 1.3,”
Association for Computing Machinery, 2022. [Online]. Available: IETF, Tech. Rep., 2018. [Online]. Available: https://datatracker.ietf.org/
https://doi.org/10.1145/3507657.3528547 doc/html/rfc8446
[24] J. Classen and M. Hollick, “Happy MitM: Fun and Toys in Every [46] E. Jedermann, M. Strohmeier, V. Lenders, and J. Schmitt,
Bluetooth Device,” in Proceedings of the 14th ACM Conference on “RECORD: A RECeption-Only Region Determination Attack on
Security and Privacy in Wireless and Mobile Networks, 2021. LEO Satellite Users,” in 33th USENIX Security Symposium.
[25] CNET, “SpaceX Puts Its First Satellites in Orbit to Connect T-Mobile’s USENIX Association, 2024. [Online]. Available: https://www.usenix.
Customers,” 2024. [Online]. Available: https://www.cnet.com/tech/ org/conference/usenixsecurity24/presentation/jedermann
mobile/spacex-launches-first-satellites-to-connect-t-mobiles-customers/ [47] D. T. Kelso, “Celestrak,” 1985, accessed: 2024-01-30. [Online].
[26] B. Driessen, R. Hund, C. Willems, C. Paar, and T. Holz, Available: hhttps://celestrak.org/
“An experimental security analysis of two satphone standards,” [48] H. Krawczyk and P. Eronen, “HMAC-based Extract-and-Expand
ACM Trans. Inf. Syst. Secur., 2013. [Online]. Available: https: Key Derivation Function (HKDF),” 2010. [Online]. Available: https:
//dl.acm.org/doi/10.1145/2535522 //tools.ietf.org/html/5869
[27] Eumetsat, “Two Line Elements,” 2023. [Online]. Available: https: [49] T. Kröll, S. Kleber, F. Kargl, M. Hollick, and J. Classen, “ARIstoteles
//service.eumetsat.int/tle/ – Dissecting Apple’s Baseband Interface,” in Computer Security –
[28] Federal Communications Commission, “Application for Mobile Satellite ESORICS 2021, E. Bertino, H. Shulman, and M. Waidner, Eds. Cham:
Service by GUSA Licensee LLC,” 2009. [Online]. Available: Springer International Publishing, 2021.
https://fcc.report/IBFS/SES-MFS-20091221-01611 [50] A. Li, “Android 14 will support satellite connectivity and partners,”
[29] ——, “14040863-S1V5 FCC SAR Report, FCC ID: BCG-E8151A, 2022. [Online]. Available: https://9to5google.com/2022/09/01/android-
RF Exposure Info,” 2022. [Online]. Available: https://fcc.report/FCC- 14-satellite-support/
ID/bcge8151a/6092766 [51] Macworld, “Macworld Expo Keynote Live Update: Introducing the
[30] L. Fröder, “Dopamine Jailbreak,” 2024. [Online]. Available: hhttps: iPhone,” 2007. [Online]. Available: https://www.macworld.com/article/
//github.com/opa334/Dopamine 183052/liveupdate-15.html
[31] G. Giuliari, T. Ciussani, A. Perrig, and A. Singla, “ICARUS: [52] ——, “How an iPhone 14 ‘literally’ saved a family trapped in the Hawaii
Attacking low Earth orbit satellite networks,” in 2021 USENIX wildfires. Family rescued after using Emergency SOS via satellite.”
Annual Technical Conference. USENIX Association, 2021. [Online]. 2023. [Online]. Available: https://www.macworld.com/article/2027967/
Available: https://www.usenix.org/conference/atc21/presentation/giuliari iphone-14-emergency-sos-via-satellite-hawaii-maui-wildfires.html
[32] Global Rescue, “Where Is Your Satellite Phone Illegal? – Global [53] Merko Group, “Kilingi-Nõmme antenna station,” 2021. [On-
Rescue,” 2023. [Online]. Available: https://www.globalrescue.com/ line]. Available: https://www.group.merko.ee/en/project/kilingi-nomme-
common/blog/detail/where-satellite-phone-illegal/ antenna-station/
[33] Globalstar, “Coverage Maps,” 2024. [Online]. Available: https: [54] mineek, “Serotonin Jailbreak,” 2024. [Online]. Available: https:
//www.globalstar.com/en-ap/coverage-maps //github.com/mineek/Serotonin

15
[55] C. Moore, “Spread Spectrum Satcom Hacking Attacking The of 26 February 2014 on the harmonisation of the laws of the Member
Globalstar Simplex Data Service,” 2015. [Online]. Available: https: States relating to the making available on the market of electrical
//www.youtube.com/watch?v=1VbmHmzofmc equipment designed for use within certain voltage limits (recast) Text
[56] A. Morgado and D. Williams, “libqmi,” 2021. [Online]. Available: with EEA relevance,” 2014. [Online]. Available: https://eur-lex.europa.
https://www.freedesktop.org/wiki/Software/libqmi/ eu/legal-content/EN/TXT/HTML/?uri=CELEX:32014L0034
[57] Motorola, “Motorola Defy Satellite Link,” 2024. [Online]. Available: [78] ——, “Regulation (EU) 2022/1925 of the European Parliament and of
https://motorolarugged.com/en-us/motorola-defy-satellite-link/ the Council of 14 September 2022 on contestable and fair markets in
[58] NASA Space Science Data Coordinated Archive (NSSDCA), “NSS- the digital sector and amending Directives (EU) 2019/1937 and (EU)
DCA Master Catalog,” https://nssdc.gsfc.nasa.gov/nmc/, 2024, accessed: 2020/1828 (Digital Markets Act) (Text with EEA relevance),” 2022.
29.02.2024. [Online]. Available: http://data.europa.eu/eli/reg/2022/1925/oj/eng
[59] S. Nellis, “New iPhones have Qualcomm satellite mo- [79] The Verge, “T-Mobile and SpaceX Starlink say your
dem, new Apple radio chips,” Reuters, 2022. [On- 5G phone will connect to satellites next year,” 2022.
line]. Available: https://www.reuters.com/technology/new-iphones- [Online]. Available: https://www.theverge.com/2022/8/25/23320722/
have-qualcomm-satellite-modem-new-apple-radio-chips-2022-09-17/ spacex-starlink-t-mobile-satellite-internet-mobile-messaging
[60] NowSecure, “Frida,” 2024. [Online]. Available: https://frida.re [80] ——, “The first phone maker to add satellite texting to its devices is...
[61] Nuand, “BladeRF,” 2024. [Online]. Available: https://www.nuand.com/ Huawei,” 2022. [Online]. Available: https://www.theverge.com/2022/9/
bladerf-1/ 6/23339717/huawei-mate-50-pro-satellite-text-china-beidou
[62] OpenAI, “ChatGPT: Large-scale generative model,” 2023, generated [81] U. Today, “‘Lifesaver’: How iPhone’s satellite mode helped during Hur-
by ChatGPT, an AI language model developed by OpenAI. [Online]. ricane Helene,” 2024. [Online]. Available: https://eu.usatoday.com/story/
Available: https://openai.com/chatgpt tech/2024/10/11/iphone-satellite-mode-att-cell-service/75616990007/
[63] PARKasd, “locchange iOS Tweak,” 2024. [Online]. Available: https: [82] U.S. Department of Justice, Antitrust Division, “Office of Public
//github.com/PARKasd/locchange Affairs | Justice Department Sues Apple for Monopolizing
[64] J. Pavur and I. Martinovic, “Building a launchpad for satellite Smartphone Markets | United States Department of Justice,” 2024.
cyber-security research: Lessons from 60 years of spaceflight,” Journal [Online]. Available: https://www.justice.gov/opa/pr/justice-department-
of Cybersecurity, 2022. [Online]. Available: https://doi.org/10.1093/ sues-apple-monopolizing-smartphone-markets
cybsec/tyac008 [83] D. Vallado, P. Crawford, R. Hujsak, and T. Kelso, “Revisiting spacetrack
[65] J. Pavur, D. Moser, V. Lenders, and I. Martinovic, “Secrets in report# 3,” in AIAA/AAS Astrodynamics Specialist Conference and
the sky: On privacy and infrastructure security in DVB-S satellite Exhibit, 2006.
broadband,” in Proceedings of the 12th Conference on Security and [84] J. Willbold, M. Schloegel, M. Vögele, M. Gerhardt, T. Holz, and
Privacy in Wireless and Mobile Networks. New York, NY, USA: A. Abbasi, “Space Odyssey: An Experimental Software Security
Association for Computing Machinery, 2019. [Online]. Available: Analysis of Satellites,” in IEEE Symposium on Security and
https://dl.acm.org/doi/10.1145/3317549.3323418 Privacy. Los Alamitos, CA, USA: IEEE Computer Society,
[66] J. Pavur, D. Moser, M. Strohmeier, V. Lenders, and I. Martinovic, “A 2023. [Online]. Available: https://doi.ieeecomputersociety.org/10.1109/
Tale of Sea and Sky On the Security of Maritime VSAT Communica- SP46215.2023.00131
tions,” in 2020 IEEE Symposium on Security and Privacy (SP). San [85] J. Willbold, M. Schloegel, R. Bisping, M. Strohmeier, T. Holz, and
Francisco, CA, USA: IEEE, 2020. V. Lenders, “VSAsTer: Uncovering Inherent Security Issues in Current
[67] J. Pearson and J. Pearson, "Russia downed satellite internet in Ukraine - Western officials," Reuters, 2022. [Online]. Available: https://www.reuters.com/world/europe/russia-behind-cyberattack-against-satellite-internet-modems-ukraine-eu-2022-05-10/
[68] J. Rainbow, "Globalstar soars on Apple's $1.7 billion satellite investment," 2024. [Online]. Available: https://spacenews.com/globalstar-soars-on-apples-1-5-billion-satellite-investment/
[69] B. Rhodes, "Skyfield: High precision research-grade positions for planets and Earth satellites generator," Astrophysics Source Code Library, record ascl:1907.024, 2019.
[70] N. Rollshausen, A. Heinrich, M. Hollick, and J. Classen, "WatchWitch: Interoperability, Privacy, and Autonomy for the Apple Watch," Proceedings on Privacy Enhancing Technologies, 2024.
[71] E. Roth, "AT&T helped connect the first satellite 5G phone call," 2023. [Online]. Available: https://www.theverge.com/2023/9/19/23879527/att-cellular-satellite-ast-spacemobile-5g
[72] T. Roth, F. Freyer, M. Hollick, and J. Classen, "AirTag of the Clones: Shenanigans with Liberated Item Finders," in IEEE Security and Privacy Workshops, 2022.
[73] M. Shen, K. Ye, X. Liu, L. Zhu, J. Kang, S. Yu, Q. Li, and K. Xu, "Machine Learning-Powered Encrypted Network Traffic Analysis: A Comprehensive Survey," IEEE Communications Surveys & Tutorials, 2023.
[74] Skylo Team, "Skylo Connectivity Enables New Satellite SOS Feature on Google Pixel 9 Series - Newsroom - Skylo," 2024. [Online]. Available: https://www.skylo.tech//newsroom/skylo-connectivity-enables-new-satellite-sos-feature-on-google-pixel-9-series
[75] M. Stute, A. Heinrich, J. Lorenz, and M. Hollick, "Disrupting Continuity of Apple's Wireless Ecosystem Security: New Tracking, DoS, and MitM Attacks on iOS and macOS Through Bluetooth Low Energy, AWDL, and Wi-Fi," in 30th USENIX Security Symposium. USENIX Association, 2021. [Online]. Available: https://www.usenix.org/conference/usenixsecurity21/presentation/stute
[76] E. TC-SES, "Satellite Earth Station (SES); Possible European standardisation of certain aspects of satellite Personal Communications Networks (S-PCN)," DTR/SES-05007, September, Tech. Rep., 1993.
[77] The European Parliament and the Council of the European Union, "Directive 2014/35/EU of the European Parliament and of the Council
VSAT System Practices," in Proceedings of the 17th ACM Conference on Security and Privacy in Wireless and Mobile Networks. New York, NY, USA: Association for Computing Machinery, 2024. [Online]. Available: https://dl.acm.org/doi/10.1145/3643833.3656139
[86] L. Wouters, "Glitched on Earth by Humans: A Black-Box Security Evaluation of the SpaceX Starlink User Terminal," 2022. [Online]. Available: https://i.blackhat.com/USA-22/Wednesday/US-22-Wouters-Glitched-On-Earth.pdf
[87] L. Yu, J. Hao, J. Ma, Y. Sun, Y. Zhao, and B. Luo, "A Comprehensive Analysis of Security Vulnerabilities and Attacks in Satellite Modems," in ACM CCS, Salt Lake City, UT, USA, 2024-10-14/2024-10-18.
[88] P. Yue, J. An, J. Zhang, J. Ye, G. Pan, S. Wang, P. Xiao, and L. Hanzo, "Low Earth Orbit Satellite Security and Reliability: Issues, Solutions, and the Road Ahead," IEEE Communications Surveys & Tutorials, 2023.

APPENDIX

A. List of Satellites

The Targets list contains information about all satellite trajectories, described by TLEs. Every TLE comes with a satellite identifier (69 in this case), followed by a data array:

<key>69</key>
<array>
  <string>1 00000U 00000A 24 26.70901532 .00000000 00000-0 58480-4 0 0003</string>
  <string>2 00000 51.9948 286.8188 0001510 54.0997 279.4771 12.62265350000009</string>
</array>

Listing 2: Example TLE data for satellite M069.

We confirm that the identifier in the Targets list matches the satellite number. To this end, we use an open-source SGP4 implementation [69] to calculate the satellites' positions from Apple's TLE information. Figure 9 shows the resulting
map together with all the ground stations. The satellites retrieved from a public database are shown in green, with labels following the public naming scheme M<xxx>. Satellites taken from the iPhone targets list are shown in red (mostly overshadowed by the overlapping green ones), and follow a naming scheme A<identifier>, as specified in the targets list. Ground stations are shown in black, together with a pessimistic coverage radius of 2 000 km [76] in light red. We can clearly see that where green and red points overlap, satellite numbers and identifiers match.

[Figure 9: world map with satellite labels A0xx (targets list) and M0xx (public data) plus ground station codes; the plotted labels are not reproduced here.]

Fig. 9: Map of satellites from iPhone targets list (in red, prefixed with A) and publicly available Globalstar satellite data (in green, prefixed with M) [47]. Ground stations are shown in black with 2 000 km coverage radius in light red.

[Figure 10: byte 0 holds the Type, the Data field starts at byte 1. Message type IDs shown in the figure:]
  00  Fake Emergency Start
  01  Emergency Start
  02  Emergency Message
  03  Emergency Location Update
  04  FindMy Message
  05  Fake Roadside Start
  06  Roadside Start
  07  Roadside Message
  08  Roadside Location Update
  09  Carrier Pigeon Message
  0a  Carrier Pigeon iMessage Lite Message
  0b  Carrier Pigeon Fetch Message
  0c  Satellite SMS Start Message
  0d  Satellite SMS Message

Fig. 10: Basic message format.

A list of all satellites currently in use together with their launch dates is shown in Table II. We can see that a range of satellites launched between 29.05.2007 and 06.02.2013 is currently in use, the oldest being M069.

B. Allowed Services Bitmask

CommCenter internally holds a structure to track currently allowed services. Whenever the method -[CTStewieState setAllowedServices:] is called, we overwrite this with 0xffff. As Table III shows, this enables all services at once.
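As an added example (not code from the paper or its artifact repository), the Listing 2 entry of Appendix A parsed with only the Python standard library: it validates both TLE line checksums and derives orbital period and mean altitude from the mean motion via Kepler's third law instead of a full SGP4 propagation, enough to confirm the entry describes a Globalstar-like low Earth orbit. The whitespace-token parsing (the listing is not fixed-column), the gravitational constant and the Earth radius are assumptions of this example.

```python
"""Parse and sanity-check a Targets-list TLE entry as printed in Listing 2.

Added example, not the paper's code. Standard library only; no SGP4.
"""
import math
import re

# Constructed input: the <key>/<array> fragment from Listing 2 (satellite 69).
TARGETS_ENTRY = """
<key>69</key>
<array>
<string>1 00000U 00000A 24 26.70901532 .00000000 00000-0 58480-4 0 0003</string>
<string>2 00000 51.9948 286.8188 0001510 54.0997 279.4771 12.62265350000009</string>
</array>
"""

MU_EARTH = 3.986004418e14  # m^3/s^2 (assumed constant, WGS-84 value)
R_EARTH_KM = 6371.0        # mean Earth radius (assumed constant)


def tle_checksum_ok(line: str) -> bool:
    """TLE checksum: sum of digits ('-' counts as 1) mod 10 over all but the last char."""
    body, check = line[:-1], line[-1]
    total = sum(int(c) if c.isdigit() else 1 if c == "-" else 0 for c in body)
    return check.isdigit() and total % 10 == int(check)


def parse_targets_entry(text: str) -> dict:
    """Return the identifier and key orbital elements of one Targets-list entry.

    Fields are taken by token position (assumption: whitespace-separated).
    The last token of line 2 fuses mean motion (11 chars), revolution
    number and checksum, so only its first 11 characters are the mean motion.
    """
    ident = int(re.search(r"<key>(\d+)</key>", text).group(1))
    lines = re.findall(r"<string>(.*?)</string>", text, re.S)
    l1, l2 = (" ".join(l.split()) for l in lines)  # collapse line wraps
    if not (tle_checksum_ok(l1) and tle_checksum_ok(l2)):
        raise ValueError("TLE checksum mismatch")
    t2 = l2.split()
    return {
        "identifier": ident,
        "catalog_number": t2[1],  # zeroed in the Targets list, hence the key
        "inclination_deg": float(t2[2]),
        "eccentricity": float("0." + t2[4]),
        "mean_motion_rev_per_day": float(t2[7][:11]),
    }


def orbit_summary(mean_motion_rev_per_day: float) -> tuple:
    """(period in minutes, mean altitude in km) from Kepler's third law."""
    n = mean_motion_rev_per_day * 2 * math.pi / 86400.0  # rad/s
    a_km = (MU_EARTH / n ** 2) ** (1.0 / 3.0) / 1000.0
    return 1440.0 / mean_motion_rev_per_day, a_km - R_EARTH_KM


if __name__ == "__main__":
    entry = parse_targets_entry(TARGETS_ENTRY)
    period, alt = orbit_summary(entry["mean_motion_rev_per_day"])
    print(entry, f"period={period:.1f} min, altitude={alt:.0f} km")
```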

C. Satellite Messages Packet Format

There are various application-specific payloads. As they follow different encryption and compression schemes, their packet formats are highly optimized for the specific use case. Figure 10 lists all supported packet types as of iOS 18. Each of these message types has a different bitwise representation. Emergency texting and roadside assistance follow the same structure but use separate message types. Figure 12 shows the three messages used for emergency communication over satellite. The communication starts with the message shown in Figure 12a, which compresses the most important information into a few bytes to be sent as fast as possible. The communication is then followed by text messages shown in Figure 12b. Every few minutes, a location update is generated automatically (see Figure 12c). The display in the emergency messaging app indicates these updates.

TABLE II: Satellites in use by Apple as of November 2024.

Sat Name   NORAD ID   COSPAR ID   Launch Date
M066       32265      2007-048C   20.10.2007
M069       31573      2007-020C   29.05.2007
M071       31576      2007-020F   29.05.2007
M072       31574      2007-020D   29.05.2007
M073       37193      2010-054F   19.10.2010
M074       37189      2010-054B   19.10.2010
M075       37192      2010-054E   19.10.2010
M076       37190      2010-054C   19.10.2010
M077       37191      2010-054D   19.10.2010
M078       39076      2013-005E   06.02.2013
M079       37188      2010-054A   19.10.2010
M080       38041      2011-080B   28.12.2011
M081       37743      2011-033E   13.07.2011
M082       38042      2011-080C   28.12.2011
M083       37739      2011-033A   13.07.2011
M084       38040      2011-080A   28.12.2011
M085       37742      2011-033D   13.07.2011
M086       38045      2011-080F   28.12.2011
M088       37740      2011-033B   13.07.2011
M089       37744      2011-033F   13.07.2011
M090       38044      2011-080E   28.12.2011
M091       37741      2011-033C   13.07.2011
M092       38043      2011-080D   28.12.2011
M093       39073      2013-005B   06.02.2013
M094       39074      2013-005C   06.02.2013
M095       39077      2013-005F   06.02.2013
M096       39075      2013-005D   06.02.2013
M097       39072      2013-005A   06.02.2013

TABLE III: Service bitmask for allowed satellite services.

Mask Bit   Meaning
0x8000     Anywhere
0x4000     Test
0x0020     Satellite SMS
0x0010     iMessage Lite
0x0008     Roadside
0x0004     Find My
0x0002     Emergency Try Out
0x0001     Emergency
[Figure 11: fields shown, left to right: type 4, Ephemeral Public Key, litelocation (Latitude, Longitude, Horz. Acc.; sub-offsets 0, 4, 8), AES GCM Authentication Tag; byte boundaries 0, 1, 57, 66, 82.]

Fig. 11: Find My message format. The location is encrypted with the user's key for friends, and the public portion of the key is added for later decryption.

[Figure 12a: fields shown: type 1, Conv. ID, Emergency Location, Battery, Codec, Unknown, Serialized Text Questionnaire, Message; byte boundaries 0, 1, 2, 10, 11, 13, 14, 17, 18.]

(a) Emergency start message. It contains all essential information about the emergency, entered by the user during the initial questionnaire, along with further information like the battery level and location. The preferred codec ID indicates the language for the conversation.

[Figure 12b: fields shown: type 2, Conv. ID, Battery + Message Counter, Text Message; byte boundaries 0, 1, 3, 12.]

(b) Emergency text message sent during an emergency conversation. The maximum text message length is 160 bytes.

[Figure 12c: fields shown: type 3, Conv. ID, Loc. Ctr., Emergency Location; byte boundaries 0, 1, 3, 10. The Emergency Location is bit-packed as ± Latitude, ± Longitude, Ellipsoidal Altitude, Horz. Acc., Vert. Acc. at bit boundaries 0, 1, 22, 23, 45, 56, 60, 64.]

(c) Emergency message location update. Sent when the user continues a previous conversation after a pause or if the location changed significantly. The location is only 8 bytes and uses a bitwise format.

Fig. 12: Emergency SOS messages in the entire protocol flow. First, an emergency start message is sent. The remaining communication consists of text messages, with location updates sent automatically every few minutes.
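An added example, not code from the paper, of the 8-byte bitwise location carried in the Fig. 12c location update: field order and widths follow the figure's bit boundaries (0, 1, 22, 23, 45, 56, 60, 64), and the packer rejects values that overflow their field. MSB-first bit order and raw integer field values (the figure gives no degree scaling) are assumptions of this example.

```python
"""Bit-level pack/unpack of the 8-byte emergency location (Fig. 12c).

Added example, not the paper's code. Bit order and the absence of a
degree scaling are assumptions; widths come from the figure's bit ticks.
"""

# (field name, width in bits) in wire order; the widths sum to 64 bits.
LOCATION_FIELDS = (
    ("lat_sign", 1), ("latitude", 21),
    ("lon_sign", 1), ("longitude", 22),
    ("ellipsoidal_altitude", 11),
    ("horz_acc", 4), ("vert_acc", 4),
)
LOCATION_BITS = sum(width for _, width in LOCATION_FIELDS)  # 64
LOCATION_LEN = LOCATION_BITS // 8                             # 8 bytes


def pack_location(values: dict) -> bytes:
    """Pack the fields MSB-first; a value that does not fit its width is an error."""
    acc = 0
    for name, width in LOCATION_FIELDS:
        value = values[name]
        if not 0 <= value < (1 << width):
            raise ValueError(f"{name}={value} does not fit in {width} bits")
        acc = (acc << width) | value
    return acc.to_bytes(LOCATION_LEN, "big")


def unpack_location(data: bytes) -> dict:
    """Inverse of pack_location; the wire size is fixed at 8 bytes."""
    if len(data) != LOCATION_LEN:
        raise ValueError(f"location update must be {LOCATION_LEN} bytes")
    acc = int.from_bytes(data, "big")
    out, remaining = {}, LOCATION_BITS
    for name, width in LOCATION_FIELDS:
        remaining -= width
        out[name] = (acc >> remaining) & ((1 << width) - 1)
    return out


# Constructed sample: raw field values, not real coordinates.
SAMPLE_LOCATION = {
    "lat_sign": 1, "latitude": 1_000_000,
    "lon_sign": 0, "longitude": 3_000_000,
    "ellipsoidal_altitude": 1500, "horz_acc": 3, "vert_acc": 9,
}

if __name__ == "__main__":
    wire = pack_location(SAMPLE_LOCATION)
    print(wire.hex(), unpack_location(wire))
```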

D. Responsible Disclosure: Satellite Message Integrity

Apple Product Security, August 2024: After examining your paper, we determined that Emergency SOS via Satellite & Roadside Assistance via satellite messaging protocol is functioning as expected. When our teams designed this protocol, we had to factor in the extremely limited bandwidth associated with satellite communications. This meant optimizing the protocol and incorporating some regulatory factors as well since these are messages for emergency first responders.

First off, the entire Emergency SOS via Satellite message is encrypted while it travels to an Apple data center. To help protect the integrity of the message, the "outer payload" is decrypted by Apple's satellite service server to provide routing information. Once that layer is decrypted, the inner encrypted payload is routed based on the now decrypted metadata to the right service. This protection ensures the confidentiality of sensitive emergency payloads during their transit within Apple's infrastructure.

If it's an emergency message, Apple's emergency service server then decrypts that inner payload. Only servers directly interfacing with emergency services are permitted to access the derived HKDF-keys from the Key Management Server. Please keep in mind, all of this processing takes place within Apple data centers too.

Now, as for the encryption scheme you're describing, it is a security measure employed by Apple data centers to safeguard plaintext messages from being intercepted and forwarded between servers. This scheme first requires successful decryption of the link layer encryption, which already incorporates a message authentication code, before the payload can be decrypted.

Considering that the entire Emergency SOS via Satellite message is encrypted until it reaches an Apple data center, the extremely limited bandwidth constraints of satellite communication, and the time-critical nature of emergency communications, adding a second message authentication code to a subset of the payload that had already undergone authentication does not provide additional benefit to the current model.

We hope that this information helps clarify how encryption for Emergency SOS via Satellite works and the intent behind the messaging protocol. Thank you again for submitting your research to us. We appreciate your effort and look forward to seeing more of your work in the future.
ARTIFACT APPENDIX

We make three distinct artifacts available:
1) A Wireshark dissector for QMI satellite messages.
2) A simulation-based testbed for the iPhone 13, allowing research into satellite features like emergency texting without sending actual satellite messages.
3) A satellite messenger, using Find My satellite location sharing as a covert channel to send arbitrary text messages.

We include our artifacts for evaluation to verify our claims and make them available, enabling other researchers to build upon our work.

A. Description & Requirements

1) How to Access: We publish our artifacts in a Zenodo repository at https://zenodo.org/records/13863531 [37].

2) Hardware Dependencies: Simulation-based Testbed: A jailbroken or SRD iPhone 13 or 13 mini. While we did not have further devices available for testing, our scripts are also likely to work with the iPhone 12 series.
Satellite Messenger: Message transmission requires a jailbroken iPhone that has satellite transmission capabilities. At the time of writing, the only jailbreakable iPhone with a satellite modem is the iPhone 14. Dopamine supports jailbreaking iOS 16.1 to iOS 16.5.1. To install our app, TrollStore is required, which supports these versions and can be downloaded by following this guide. Message reception is possible with any jailbreakable iPhone. We confirmed compatibility with an iPhone 8 on iOS 16.

3) Software Dependencies: Wireshark Dissector: A running instance of Wireshark. No specific version is required.
Simulation-based Testbed: The iPhone should run iOS 16.3 or 16.4.1. Frida must be installed and running on the iPhone. The host machine should have Python 3 and the Python packages frida-tools, pwntools, and aarch64-elf-binutils installed.
Satellite Messenger: We require Xcode 14 or newer to build the app and the Theos toolchain to compile the tweak. Theos can be downloaded from their website.

B. Artifact Installation & Configuration

Wireshark Dissector: The dissector is written in Lua and named qmi_dissector_satellite.lua. For installation, it must be copied to the Wireshark plugin directory, i.e., ~/.local/lib/wireshark/plugins/. In Wireshark, configure the DLT_USER protocol: Open Wireshark preferences → Protocols → DLT USER → Edit encapsulation table. The final table should be configured as shown in Table IV.

TABLE IV: Wireshark configuration of the DLT_USER encapsulation table to use our QMI dissector.

DLT                 Payload dissector   Header size   Header dissector   Trailer size   Trailer dissector
User 0 (DLT=147)    qmi                 0             (none)             0              (none)

Simulation-based Testbed: The simulation-based testbed is enabled through Frida hooks that mimic satellite modem behavior towards CommCenter and overwrite flags indicating that satellite communication is supported. Frida scripts containing these hooks are contained in our repository. Attach the iPhone via USB to your host and execute the following Frida commands on the host machine.

First, CommCenter must already be hooked early on during its initialization to successfully set up satellite communication capabilities. To this end, stop the CommCenter process by executing frida-kill -U CommCenter. iOS will automatically restart CommCenter within a few seconds. Within this time window, quickly attach the script using the following command: frida -U -W CommCenter -l commcenter_stewie.js.

On the SRD, Frida does not support spawn gating required for attaching to a process on startup, and CommCenter must be patched to wait on startup. We provide instructions in the example cryptex.

After attaching the script to the newly starting CommCenter, wait for the script until you see the following message:

Ready to emulate Stewie on SRD!
[iPhone::CommCenter ]-> GsmRadioPersonality::create called with hw_model=0x25, replacing with 0x34 for iPhone 14!

This confirms that the radio personality was set to a version that has satellite support. Then, in the Frida console, enter the following command: openURL("x-apple-sosbuddy://request?reason=OfferEmergencyTryOut"). This should lead you through the demo mode and is required to initialize further satellite modem state.

The CommCenter script defines some global variables at the beginning. Use the alwaysEmergency and emergencyType variables to choose which satellite functionality you want to test. E.g., the type 2 is for emergency texting, while the type 5 enables testing Find My.

While this is sufficient to use some satellite services, the Find My implementation holds further states that prevent simulation of sharing locations over the Find My app. Thus, a second script is required to be attached to searchpartyd. The attachment procedure is similar to the previous one: frida-kill -U searchpartyd; frida -U searchpartyd -l findmy_stewie.js. Afterward, restart locationd: frida-kill -U locationd. This step is only required to reset its state; attaching a script is not required.

Satellite Messenger: The satellite messenger can be installed via TrollStore. Install the available StewieMessenger.tipa file or build and sign the app binary as described in the README. Then, install the tweak, which dynamically replaces method calls, allowing the app to initiate satellite communication. Copy the .deb file to the iPhone and install it by executing dpkg -i tweak.deb or using Sileo. This iPhone can now send text messages via satellite to anyone it shares its location with on
Find My. We recommend installing the app on the recipient's jailbroken iPhone to view the text message.

C. Major Claims

Below are our major claims:
C1 We document the steps of the satellite communication protocol (see Section V). This can be reproduced by experiment (E1).
C2 We claim that we can use iPhone's satellite features in restricted regions (see Section V-E). This can be validated with our QMI log recorded in Poland and experiment (E1).
C3 We build a satellite simulation-based testbed (see Section IV-A). The testbed can be set up following the steps above, and experiment (E2) demonstrates how it works.
C4 We claim that we can misuse Apple's satellite channel to send text messages via satellite (see Section VI-D). This can be demonstrated with experiment (E3).

D. Evaluation

This section outlines the necessary experiments to validate whether our artifacts are functional and whether the results can be reproduced.

1) Experiment (E1): Set up the Wireshark dissector, and then open an exemplary .pcapng file, which contains satellite communication. Viewing the file verifies that our dissector is functional, and by analyzing the file contents, one can verify the claims (C1) and (C2).
How To: Install the Wireshark dissector as described in Section B. Open the provided .pcapng file. Wireshark should automatically dissect the QMI messages in this file and present the communication between the baseband and OS. The file can be used to verify claims (C1) and (C2).
Execution: To verify claim (C1), filter for satellite messages using qmi.service_name == "QMI Stewie Service". Then, verify that all steps match those in Figure 6. To verify claim (C2), open message number 2 905 in the example file.
Results: (C1): The steps presented in Figure 6 can be viewed in our .pcap file. (C2): Message number 2 905 contains location data for Poland (0x06). Selecting the relevant bytes will highlight the corresponding hexdump on the right, including the string POL, the country identifier for Poland. Figure 13 shows the Wireshark dissector for QMI messages exchanged between iOS and the baseband chip. The trace is the same as used to annotate the SDR recording in Section V-H. The visible steps include the end of the config file transfer. The trace ends after a successful Find My Friends location update and then deactivation of the satellite connection.

2) Experiment (E2): In this experiment, we demonstrate a simulation-based testbed for satellite communication.
How To: Extract the CommCenter binary from the iPhone, patch it, and reinstall it on the device. Next, kill the running CommCenter process and attach our Frida scripts.
Preparation: Jailbreak the iPhone and install Frida. When using an SRD, install the example cryptex.
Execution: To verify claim (C3), follow the steps in the README. Then run the commands specified in Section B. When the simulation-based testbed is running, open the Find My app, navigate to the Me tab, and try to send a location via satellite. The satellite app SOSBuddy should open in Emergency SOS mode. No real emergency message will be sent because the iPhone 13 does not support satellite communication.
Results: (C3): The satellite capabilities should be visible on the otherwise unsupported iPhone 13, e.g., the Share location via satellite button in the Find My app. When trying to send the location, the behavior is modified to use the Emergency SOS feature.

3) Experiment (E3): Installing the app via TrollStore should be straightforward on a jailbroken iPhone 14. You can then immediately start sending messages via satellite.
How To: Install the app and demonstrate sending text messages via satellite.
Preparation: Jailbreak the iPhone 14, install TrollStore, and ensure that you are sharing your location via Find My with at least one person.
Execution: Install the satellite messenger by sharing the Satellite.tipa file with the iPhone and installing it with TrollStore. Then install our tweak tweak.deb by sharing it with the iPhone and executing dpkg -i tweak.deb. To verify claim (C4), send a message via satellite.
Results: (C4): When sending a message, the user should see the satellite interface, assisting them in pointing to the next satellite to send the message.

[Figure 13: screenshot of the Wireshark dissector output; not reproduced here.]

Fig. 13: Wireshark dissector for the satellite via QMI.