Universal Radio Hacker: Investigate Wireless Protocols Like A Boss

Overview

URH image

Build Status PyPI version Packaging status Blackhat Arsenal 2017 Blackhat Arsenal 2018

The Universal Radio Hacker (URH) is a complete suite for wireless protocol investigation with native support for many common Software Defined Radios. URH allows easy demodulation of signals combined with an automatic detection of modulation parameters making it a breeze to identify the bits and bytes that fly over the air. As data often gets encoded before transmission, URH offers customizable decodings to crack even sophisticated encodings like CC1101 data whitening. When it comes to protocol reverse-engineering, URH is helpful in two ways. You can either manually assign protocol fields and message types or let URH automatically infer protocol fields with a rule-based intelligence. Finally, URH entails a fuzzing component aimed at stateless protocols and a simulation environment for stateful attacks.

Getting started

In order to get started

If you like URH, please this repository and join our Slack channel. We appreciate your support!

Citing URH

We encourage researchers working with URH to cite this WOOT'18 paper or directly use the following BibTeX entry.

URH BibTeX entry for your research paper
@inproceedings {220562,
author = {Johannes Pohl and Andreas Noack},
title = {Universal Radio Hacker: A Suite for Analyzing and Attacking Stateful Wireless Protocols},
booktitle = {12th {USENIX} Workshop on Offensive Technologies ({WOOT} 18)},
year = {2018},
address = {Baltimore, MD},
url = {https://www.usenix.org/conference/woot18/presentation/pohl},
publisher = {{USENIX} Association},
}

Installation

URH runs on Windows, Linux and macOS. Click on your operating system below to view installation instructions.

Windows

On Windows, URH can be installed with its Installer. No further dependencies are required.

If you get an error about missing api-ms-win-crt-runtime-l1-1-0.dll, run Windows Update or directly install KB2999226.

Linux
Generic Installation with pip (recommended)

URH is available on PyPi so you can install it with

# IMPORTANT: Make sure your pip is up to date
sudo python3 -m pip install --upgrade pip  # Update your pip installation
sudo python3 -m pip install urh            # Install URH

This is the recommended way to install URH on Linux because it comes with all native extensions precompiled.

In order to access your SDR as non-root user, install the according udev rules. You can find them in the wiki.

Install via Package Manager

URH is included in the repositories of many linux distributions such as Arch Linux, Gentoo, Fedora, openSUSE or NixOS. There is also a package for FreeBSD. If available, simply use your package manager to install URH.

Note: For native support, you must install the according -dev package(s) of your SDR(s) such as hackrf-dev before installing URH.

Snap

URH is available as a snap: https://snapcraft.io/urh

Docker Image

The official URH docker image is available here. It has all native backends included and ready to operate.

macOS
Using DMG

It is recommended to use at least macOS 10.14 when using the DMG available here.

With pip
  1. Install Python 3 for Mac OS X. If you experience issues with preinstalled Python, make sure you update to a recent version using the given link.
  2. (Optional) Install desired native libs e.g. brew install librtlsdr for corresponding native device support.
  3. In a terminal, type: pip3 install urh.
  4. Type urh in a terminal to get it started.
Update your installation

If you installed URH via pip you can keep it up to date with python3 -m pip install --upgrade urh.

Running from source
Without installation

To execute the Universal Radio Hacker without installation, just run:

git clone https://github.com/jopohl/urh/
cd urh/src/urh
./main.py

Note, before first usage the C++ extensions will be built.

Installing from source

To install URH from source you need to have python-setuptools installed. You can get them with python3 -m pip install setuptools. Once the setuptools are installed execute:

git clone https://github.com/jopohl/urh/
cd urh
python setup.py install

And start the application by typing urh in a terminal.

Articles

Hacking stuff with URH

General presentations and tutorials on URH

External decodings

See wiki for a list of external decodings provided by our community! Thanks for that!

Screenshots

Get the data out of raw signals

Interpretation phase

Keep an overview even on complex protocols

Analysis phase

Record and send signals

Record

Comments
  • Enable SDRPlay in Windows version

    Enable SDRPlay in Windows version

    I'm unable to enable SDRPlay in windows version .msi

    Not sure if it requires a dll file like other sdr's in the C:\Program Files\Universal Radio Hacker directory Also i have the pothossdr suite installed and am able to use gqrx in windows with the SDRPlay, not sure if that makes a difference or not. image

    bug sdr windows 
    opened by vsboost 62
  • USRP B200: failed to start rx mode

    USRP B200: failed to start rx mode

    Expected Behavior
    Actual Behavior
    Steps To Reproduce
    1. Go to 'FILE'

    2. Click on 'Record signal' / OR Spektrum analyzer

    3. See error

    Screenshots

    https://imgur.com/a/rHIfwZ6

    Platform Specifications
    • OS: [e.g. Arch Linux]
    • URH version: [e.g. 2.5.3]
    • Python version: [e.g. 3.6.3]
    • Installed via [msi win 64] hi i used to run an old version of URH without any issue. i ve seen an update, so i ve uninstalled my current version, installed new one, and now , even it manage my usrp b205 as you can see on the screenshot, it never start rx mode. did i missed something? anything i can do in order to solv it? thank you for your time best regards herve
    windows 
    opened by nocomp 52
  • Installing on windows error

    Installing on windows error

    On windows 7 (Ultimate 64 bit), with python 3.5 (32 bit) I can not install urh via command `

    python -m pip install urh

    I am receiving error ImportError: No module named src.urh.version What should I do to run it on windows

    installation 
    opened by RYucel 32
  • Issues with USRP B200

    Issues with USRP B200

    There seem to be problems with native support for USRP B200 on Windows #589 and OSX #577. Since we do not have a USRP B200 for testing, we need some help. I see two options:

    1. Someone in contact with Ettus can arrange getting a test device for us.
    2. Someone with a USRP B series device helps us with debugging.
    sdr windows macOS help wanted 
    opened by jopohl 22
  • Raspberry Buster can't install

    Raspberry Buster can't install

    Raspberry Buster 2021-01-11 URH can't install

    Actual Behavior

    The same error with 3 diffrerent installation method: command "python setup.py egg_info" failed with error code 1 in /tmp/pip-install-i1mojk0v/pyqt5/

    Steps To Reproduce
    1. The proposed standard solution: sudo apt-get install python3-numpy python3-psutil python3-zmq python3-pyqt5 g++ libpython3-dev python3-pip sudo pip3 install urh
    2. Proposed in bug report sudo python3 -m pip install urh
    3. Proposed in another bug report: sudo su pip3 install urh
    4. See the same error
    Platform Specifications
    • OS: Raspberry Buster 2021-01-11
    • URH version: ?
    • Python version: 3.7, pip: 18.1
    opened by fenyvesi 21
  • request: add MSK modulation type

    request: add MSK modulation type

    i'm working with the cc1101 and this chip has different modulation types, which you can use: ASK, 2-FSK, GFSK, 4-FSK, MSK (offset QPSK with half-sine shaping).

    ASK and GFSK Mode works great, but if time please add also MSK modulation type.

    thx

    feature discussion 
    opened by SpaceTeddy 21
  • Can't enable device in macOS 10.12.2

    Can't enable device in macOS 10.12.2

    I've tried to install urh using pip3 and also build from sources. In each case I was not able to enable rtlsdr in settings (this option is grayed out). librtlsdr is installed. Device is physically connected to the usb and works fine in gqrx or cubicsdr.

    Log from the compilation: http://pastebin.com/ZPWTC9zu

    installation 
    opened by matix2120 21
  • LimeSDR: Failed to receive stream

    LimeSDR: Failed to receive stream

    Expected Behavior

    Capture signals and display them.

    Actual Behavior

    No signals captured. Here's the error on stdout:

    [WARNING::LimeSDR.py::receive_sync] LimeSDR: Failed to receive stream

    I can access the board fine with LimeSuiteGui

    Steps to Reproduce the Problem

    1. build limesuite from git
    2. python3 setup.py install --without-hackrf --without-rtlsdr --without-airspy --without-usrp
    3. urh
    4. try to record on a known strong freq.

    Platform Specifications

    • Python Version: 3.6.0
    • Operating System: linux
    • Version of URH: git master (1.8.4)
    • URH was installed [X] from source

    I think this may be related to issue https://github.com/jopohl/urh/issues/297 but I'm not sure. Filing this in case it's unrelated.

    sdr 
    opened by romeojulietthotel 20
  • Cannot Start HackRF Device Windows 7 x64

    Cannot Start HackRF Device Windows 7 x64

    Please use this template for bug reports. If you have a feature request or question just delete everything and write as you like.

    Expected Behavior

    Start the HackRF successfully

    Actual Behavior

    I get this error: HackRF-SETUP: HACKRF_ERROR_NOT_FOUND (-5)

    I found this odd because I have the HackRF works under SDR# and gnuradio. I have hackrf tools installed here is the output of 'hackrf_info'

    Found HackRF board.
    Board ID Number: 2 (HackRF One)
    Firmware Version: 2015.07.2
    Part ID Number: 0x00534f62 0x00534f62
    Serial Number: 0x00000000 0x00000000 0x14d463dc 0x2f5122e1
    

    Steps to Reproduce the Problem

    1. Windows 7 x64 with requirements installed
    2. Start urh and enable the hackrf
    3. Attempt to start the device by recording a complex sample.

    Platform Specifications

    • Python Version: 3.0.6
    • Operating System: windows 7 x64
    • Version of URH: 1.6.4.2
    installation windows 
    opened by KR0SIV 19
  • Global python error

    Global python error

    Please use this template for bug reports. If you have a feature request or question just delete everything and write as you like.

    Expected Behavior

    i use an usrp with gnu radio without any issue, everything works fine when launching urh, it doesn t see my gnuradio install and i can modify the path either

    Actual Behavior

    global python error https://imgur.com/a/JJpo3

    Steps to Reproduce the Problem

    1.installed .msi version 2.plugged usrp 3.launched urh

    Platform Specifications

    • Python Version: 2.7.10
    • Operating System: win 10 64b
    • Version of URH: 1.8.14
    • URH was installed: __from .msi
    windows 
    opened by nocomp 18
  • On Windows 10 UI does not render, executable is running though

    On Windows 10 UI does not render, executable is running though

    Expected Behavior

    Upon on clicking the shortcut on the desktop the program should open its main window.

    Actual Behavior

    Actually the Main program window is not showing but proces explorer shows the .exe running

    Steps To Reproduce
    1. Go to '...'
    2. Click on '....'
    3. Scroll down to '....'
    4. See error
    Screenshots
    Platform Specifications

    Windows 10

    opened by MrBambix 17
  • Y-scale autoscale feature (with a manual trigger)

    Y-scale autoscale feature (with a manual trigger)

    Is your feature request related to a problem?

    Sometimes the otherwise very useful discrete Y-scale levels prove to be a burden and a simple autoscale feature is desired. I need to emphasize that by no means the triggering should be automatic, the auto- part refers to calculating the adaptive (continuous) value upon triggering.

    Describe the solution you'd like

    It would be great to have an autoscale button besides every Y-Scale slider (or in its right-click options). The calculated scaling value should be so that the signal amplitude maximum is (exactly) at 90% of the scale. The autoscale function should also have a logic to set scaling and ofsetting correctly in case of a bipolar or a unipolar signal.

    There are two points/usecases for now. The first is to ease the visual comparison between signals amplitude-wise and the second is to more efficiently use screen estate, especially with smaller screens.

    Describe alternatives you've considered

    Due to HDR nature of RF signals manual amplitude scaling proves to be too rough even for quick visual comparisons. I found no other alternatives in the URH.

    feature 
    opened by drws 0
  • URH with X310 and Twin RX

    URH with X310 and Twin RX

    Expected Behavior

    Select supported sample rate of 50 or 100msps

    Actual Behavior]

    Double Free or Corruption shown in terminal windows upon starting spec a

    [INFO::Device.py::log_retcode] USRP-OPEN (type=x300,addr=192.168.40.2,fpga=HG,name=,serial=31,product=X310): Success [INFO::Device.py::log_retcode] USRP-SET_SUBDEVICE to : Success [INFO::Device.py::log_retcode] USRP-SET_ANTENNA_INDEX to 0: Success [INFO::Device.py::log_retcode] USRP-SET_FREQUENCY to 433.92M: Success [INFO::Device.py::log_retcode] USRP-SET_SAMPLE_RATE to 50M: Success [INFO::Device.py::log_retcode] USRP-SET_BANDWIDTH to 50M: Success [INFO::Device.py::log_retcode] USRP-SET_RF_GAIN to 0.25: Success Odouble free or corruption (out)

    Steps To Reproduce

    Start URH 2.9.3, select spec a, attempt to start with 50M or 100M in Sample rate/bandwidth. Although bandwidth is limited I think to 80MHz wide per channel on the Twin RX.

    Platform Specifications

    Ubuntu 20.04 (DragonOS) w/ UHD 3.15

    Happy to test further while I have this device available. Although, I guess it wouldn't be of much use using such a large sample rate/bandwidth in URH?

    opened by alphafox02 2
  • Better Documentation for urh_cli

    Better Documentation for urh_cli

    Is your feature request related to a problem?
    • I keep getting asked for modulation parameters but there is no documentation of proper syntax and what are my options.
    • Furthermore I am not modulating, I am only passing the -rx parameter and settings things that relate to demodulation so that also has me scratching my head and thinking, what modulation parameters?
    Describe the solution you'd like
    • Just better documentation of the cli interface in general. Some features of the GUI are also undocumented and found them through someone else's question and answer to themselves.
    • ascii files filled with ones and zeros can get huge, an option for binary output of the captures would be great.
    Describe alternatives you've considered
    Additional context
    feature documentation 
    opened by EdwinFairchild 0
  • Demodulation is significantly slower via `urh_cli`

    Demodulation is significantly slower via `urh_cli`

    Expected Behavior

    Messages should be appended to the ProtocolSniffer.messages list as soon as they are available.

    Actual Behavior

    There is a significant lag when using urh_cli compared to the URH GUI. It's almost as if messages are being polled for every 5 seconds (not saying this is the case but for explanation's sake), compared to URH where - when a signal is demodulated, it appears almost instantly.

    Steps To Reproduce

    Compare the delay between urh_cli and URH GUI when demodulating any signal. In my case, it was FSK using default settings, obviously the frequency has been changed.

    Platform Specifications
    • OS: Kali Linux
    • URH version: 2.9.3
    • Python version: 3.10.4
    • Installed via pip
    feature 
    opened by braedinski 1
  • Generate reuasable format from demodulated raw capture data

    Generate reuasable format from demodulated raw capture data

    A few tools out there specifically the FlipperZero capture raw rf data as a demodulated number sequences. Would it be possible to add support for importing and or converting these in the generator or Analysis tools? Ideally I'm looking for a way to transfer captures between devices. So it would be cool if you could also export into this format.

    Here is an example capture:

    Version: 1
    Frequency: 315000000
    Preset: FuriHalSubGhzPresetOok650Async
    Protocol: RAW
    RAW_Data: 337 -426 363 -888242 167 -356 105 -368 93 -380 327 -126 353 -126 337 -128 339 -128 337 -128 93 -358 347 -132 333 -122 341 -128 121 -370 101 -368 91 -382 317 -134 141 -362 105 -336 127 -356 95 -370 349 -130 329 -124 337 -128 337 -130 123 -3698 97 -374 129 -338 127 -342 351 -140 325 -142 335 -96 345 -126 337 -128 125 -368 341 -140 305 -132 359 -94 121 -374 101 -368 93 -384 351 -102 141 -364 103 -336 129 -372 103 -360 347 -108 361 -106 339 -130 323 -124 123 -3710 131 -360 103 -358 105 -370 327 -142 335 -128 327 -140 361 -106 343 -102 137 -352 353 -94 345 -138 337 -126 97 -376 105 -370 91 -396 331 -132 101 -358 107 -370 93 -394 101 -362 347 -106 363 -106 339 -130 355 -92 121 -3706 129 -342 129 -338 129 -340 347 -124 339 -128 369 -96 337 -128 339 -124 125 -354 347 -132 333 -122 339 -126 121 -372 101 -366 91 -382 351 -102 143 -362 105 -334 129 -356 93 -372 349 -132 329 -124 335 -128 337 -128 125 -3698 131 -360 103 -376 105 -334 353 -140 333 -126 347 -94 369 -96 371 -96 125 -370 329 -140 337 -126 351 -94 123 -372 101 -368 93 -382 351 -104 141 -362 105 -336 127 -358 93 -370 349 -132 329 -124 337 -128 337 -128 125 -3704 97 -392 103 -342 137 -334 353 -138 335 -126 361 -106 359 -106 345 -102 135 -356 357 -106 347 -102 365 -92 121 -374 103 -368 125 -366 331 -132 103 -358 105 -370 93 -394 103 -360 349 -106 361 -106 339 -130 355 -94 121 -3712 133 -358 101 -358 105 -370 363 -106 337 -128 349 -94 369 -96 371 -96 125 -370 361 -108 337 -128 351 -94 121 -372 101 -368 93 -384 351 -102 143 -362 105 -336 127 -372 105 -360 349 -106 361 -108 339 -128 355 -92 123 -3710 131 -358 103 -358 107 -370 329 -140 337 -126 351 -94 369 -96 369 -98 125 -368 363 -108 335 -128 351 -94 121 -374 101 -368 93 -382 351 -104 141 -362 105 -336 127 -374 103 -360 349 -108 361 -106 339 -130 355 -94 121 -3714 99 -392 103 -358 107 -368 327 -140 335 -128 349 -94 391 -104 359 -106 105 -362 357 -106 347 -140 329 -94 139 -342 127 -360 93 -392 327 -122 121 -350 139 -334 127 -356 93 -372 347 -132 331 -124 335 -128 337 -130 123 -3698 133 -358 103 -378 105 -334 353 -140 335 -126 347 -94 369 -96 371 -96 125 -370 361 -108 337 -128 351 -94 121 -372 101 -368 93 -382 351 -104 141 -362 105 -336 127 -358 93 -372 349 -130 331 -124 337 -128 337 -128 125 -3700 129 -340 129 -340 127 -342 343 -126 
    
    
    
    feature 
    opened by ResistanceIsUseless 7
Releases(v2.9.3)
Owner
Dr. Johannes Pohl
Interests: Wireless Security, Infrastructure Automation (DevOps), Artificial Intelligence
Dr. Johannes Pohl
Brute force attack tool for Azure AD Autologon/Seamless SSO

Brute force attack tool for Azure AD Autologon

nyxgeek 89 Jan 02, 2023
Log4Shell RCE Exploit - fully independent exploit does not require any 3rd party binaries.

Log4Shell RCE Exploit fully independent exploit does not require any 3rd party binaries. The exploit spraying the payload to all possible logged HTTP

258 Jan 02, 2023
Unsafe Twig processing of static pages leading to RCE in Grav CMS 1.7.10

CVE-2021-29440 Unsafe Twig processing of static pages leading to RCE in Grav CMS 1.7.10 Grav is a file based Web-platform. Twig processing of static p

Enox 6 Oct 10, 2022
Tor Relay availability checker, for using it as a bridge in countries with censorship

Tor Relay Availability Checker This small script downloads all Tor Relay IP addresses from onionoo.torproject.org and checks whether random Relays are

ValdikSS 161 Dec 30, 2022
A black hole for Internet advertisements

Network-wide ad blocking via your own Linux hardware The Pi-hole® is a DNS sinkhole that protects your devices from unwanted content, without installi

Pi-hole 40.3k Jan 09, 2023
Sonoff NSPanel protocol and hacking information. Tasmota Berry driver for NSPanel

NSPanel Hacking Sonoff NSPanel protocol and hacking information and Tasmota Berry driver. NSPanel protocol manual Tasmota driver nspanel.be Installati

blakadder 98 Dec 26, 2022
A terminal based web shell controller

shell-hack Tribute to Chinese ant sword; A Powerful terminal based webshell controller; Usage : Usage : python3 shell-hack.py --url [URL] --w

s1mple 10 Dec 28, 2021
CodeTest信息收集和漏洞利用工具

CodeTest信息收集和漏洞利用工具,可在进行渗透测试之时方便利用相关信息收集脚本进行信息的获取和验证工作,漏洞利用模块可选择需要测试的漏洞模块,或者选择所有模块测试,包含CVE-2020-14882, CVE-2020-2555等,可自己收集脚本后按照模板进行修改。

23 Mar 18, 2021
Sqli-Scanner is a python3 script written to scan websites for SQL injection vulnerabilities

Sqli-Scanner is a python3 script written to scan websites for SQL injection vulnerabilities Features 1 Scan one website 2 Scan multiple websites Insta

Anontemitayo 9 Dec 30, 2022
Js File Scanner This is Js File Scanner

Js File Scanner This is Js File Scanner . Which are scan in js file and find juicy information Toke,Password Etc.

122 Dec 12, 2022
Something I built to test for Log4J vulnerabilities on customer networks.

Log4J-Scanner Something I built to test for Log4J vulnerabilities on customer networks. I'm not responsible if your computer blows up, catches fire or

1 Dec 20, 2021
Rouge Spammers with a mission to disrupt the peace of the valley ? Fear not we will STOMP the Spammers

Rouge Spammers with a mission to disrupt the peace of the valley ? Fear not we will STOMP the Spammers New Update : adding 'on-review' tag on an issue

A N U S H 13 Sep 19, 2021
Fast subdomain scanner, Takes arguments from a Json file ("args.json") and outputs the subdomains.

Fast subdomain scanner, Takes arguments from a Json file ("args.json") and outputs the subdomains. File Structure core/ colors.py db/ wordlist.txt REA

whoami security 4 Jul 02, 2022
LeLeLe: A tool to simplify the application of Lattice attacks.

LeLeLe is a very simple library (300 lines) to help you more easily implement lattice attacks, the library is inspired by Z3Py (python interfa

Mathias Hall-Andersen 4 Dec 14, 2021
BF-Hash - A Python Tool to decrypt hashes by brute force

BF-Hash Herramienta para descifrar hashes por fuerza bruta Instalación git clone

5 Apr 09, 2022
Proof of concept to check if hosts are vulnerable to CVE-2021-41773

CVE-2021-41773 PoC Proof of concept to check if hosts are vulnerable to CVE-2021-41773. Description (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CV

Jordan Jay 43 Nov 09, 2022
SSH Tool For OSINT and then Cracking.

sshmap SSH Tool For OSINT and then Cracking. Linux Systems Only Usage: Scanner Syntax: scanner start/stop/status - Sarts/stops/sho

Miss Bliss 5 Apr 04, 2022
Bug Alert: a service for alerting security and IT professionals of high-impact and 0day vulnerabilities

Bug Alert Bug Alert is a service for alerting security and IT professionals of h

BugAlert.org 208 Dec 15, 2022
Attack SQL Server through gopher protocol

Attack SQL Server through gopher protocol

hack2fun 17 Nov 30, 2022
Provides script to download and format public IP lists related to the Log4j exploit.

Provides script to download and format public IP lists related to the Log4j exploit. Current format includes: plain list, Cisco ASA Network Group.

Gianluca Ulivi 1 Jan 02, 2022