Universal Radio Hacker - an easy way to explore digital radio protocols
Universal Radio Hacker (URH) is an incredibly simple and intuitive tool for analyzing digital radio protocols. Unlike monsters like GNU Radio, you can master it in five minutes, without torment.
The main features of URH:
- It works on all platforms - on macOS / Linux / Windows, out of the box! No need for hours to compile dependency kilometers.
- Supports popular SDR - native support for RTL-SDR, HackRF, LimeSDR, AirSpy and others.
- All in one - all the necessary tools are built into one program: a spectrum analyzer to search for frequencies, record a signal, interpreter a digital signal to automatically convert the recorded signal into digital data.
- It supports transmission - to conduct a replay attack, just select the desired signal segment with the mouse and press Replay. Sumptuously!
In the article, we will analyze the signal from the console from the barrier, using the popular RTL-SDR (radio from a cheap USB TV tuner) and macOS.
URH is written in Python 3, with C inserts via Cython. It can be used directly from the repository, without installation and compilation.
For a UNIX-like OS, it can be installed via the pip3 package manager:
pip3 install urh
SDR libraries for macOS can be installed via brew:
brew install rtlsdr hackrf
Determine the frequency
First you need to know at what frequency our keychain works. In most cases, such devices operate in the unlicensed 433Mhz range. Check if this is the case with a spectrum analyzer. This tool only shows the spectrum in the selected range, and does not allow the signal to be stored or processed in any way. Its only purpose is to visually find the desired signal. In the parameters we specify the device driver (in my case this is RTL-SDR), and the frequency.
File -> Spectrum Analyzer
The video shows a spectrum analyzer that allows you to set at what frequency the device operates.
After the frequency is found, just click on the grid with the mouse to set the found frequency as the center one.
Write the signal
Now you can save the signal of pressing the buttons for later analysis. It is important to understand that not only the selected frequency is recorded, but also all the neighboring ones that our SDR can hear. This is governed by the Bandwidth setting. Therefore, the file with the dump increases quite quickly, several megabytes per second. For our task, you can significantly reduce the Bandwidth and Sample Rate, this will reduce the amount of unnecessary captured data, but we will leave them by default, so as not to strain.
File -> Record Signal...
Video: capturing the signal from the keychain
Since the keyfob is close to the receiver, its signal is quite powerful and can be clearly seen on the waveform. In order to understand whether some kind of protection against replay attacks is used, we press the button several times. This will allow us to compare several different signals.
Analyze the signal
After closing the signal recording window, the saved dump is loaded into the interpreter, which automatically determines the signal parameters: modulation, bit length, etc., and converts the analog signal to digital. It is very convenient, I did not see anything like this in other similar programs. Usually, console utilities are used for the same, which need to manually set signal parameters.
For convenience, data can be displayed in HEX-format.
Even a quick glance is enough to see them repeat. Therefore, no cryptography is used in our console. This means that we can easily perform a replay attack. To do this, use a mouse to highlight the desired part of the signal on the spectrogram and click the replay button. But, unfortunately, RTL-SDR does not know how to transmit, but only accepts. Therefore, to conduct an attack, we need any device from the supported URH that can transmit a signal: it can be hackrf, limesdr, bladerf or USRP.
Graphic selection allows you to conveniently work with raw signal and processed data.
Separately, I want to note the convenience of working with the interpreter. When a waveform is selected on a waveform, the processed data is highlighted. This is convenient in cases where there is doubt about the correctness of the automatic parser, and you need to study the signal manually.
URH is a simple tool for working with heterogeneous signals, which out of the box supports all popular SDRs. You can master it in five minutes, without the painful compilation of GNU Radio.
If you are interested in the topic of SDR, in our Nexon Hackspace you will be able to communicate with the developers of the advanced SDR - XTRX , who this year conducted a successful company on crowdsupply. Unfortunately, XTRX support has not yet been added to Universal Radio Hacker, but you can participate in it.
All news about the life of Hackspace in the telegram channel: @neuron_news