The Universal Radio Hacker Software

Master URH to reverse engineer and analyse signals like a pro.

If you aren’t a Medium member, you can read with no paywall via Substack

We strive to provide informative articles, however, it is important for users to ensure their research is both ethical and responsible. Additionally, it is your responsibility to ensure you are compliant with all applicable laws and regulations for your region. The information provided in this article is intended for educational purposes only.

In its most basic form, a replay attack is one of the simplest ways to get started on your journey exploring wireless protocols. Devices like the HackRF even have these features baked into the firmware. However, today, things like rolling codes and authentication help to prevent these attacks.

Sometimes, though, you don’t just want to replay a signal. Sometimes, you want to cut it, slice it and analyse it at the packet level and to do this, you’ll need a decent software package to help process and investigate your captured signal.

In today’s article, we’re going to take a look at one of the best tools for doing just that. It’s called Universal Radio Hacker, and it’s an essential tool in your RF hacking toolbox. Let’s check it out!

What Is It

The HackRF Portapack is a super bit of gear for on-the-go exploring, and while it’s pretty powerful, it does come with some inherent limitations. While the software will allow you to replay a signal, it won’t let you analyse it in depth. To do that, we’ll need tools like the URH package.

One thing URH doesn’t lack is power of its own, as it’s a complete toolkit. Not only can you record a signal, but you can then use the workflow to slice it into parts for analysis, visualise the transmission bit by bit and when you’re ready, reverse engineer the entire protocol.

URH does great with known, established signals and protocols, but where it really shines is with unidentified and unknown transmission types. Here, the ability to analyse at the bit level makes the investigation process much easier to deal with.

However, due to this, it does mean that the software comes with a bit of a learning curve if you’re a beginner. Don’t let this put you off, though, as there’s good community support and the flow-like nature of URH makes it easy to develop and understand the workflow behind signal intelligence.

Remember, collecting SIGINT is one thing. Properly processing, analysing and understanding what you’ve collected is another thing entirely. So, with this in mind, it’s easy to see that taking the time to become familiar with the URH package is worthwhile.

We’ll take a look at the URH workflows in more detail in a later article.

Getting Started

While installation is outside the scope of this article, the software is set up for all platforms, meaning you’ll be able to get started quickly regardless of what computer type you use. Check out the project's GitHub for installation details and support.

If you’re still on the learning path, the best place to go after this is to the documents. Here, you’ll find plenty of information that will help you learn the fundamentals and get your head around the workflow. Once you’ve got your head around this, the next step to take is to simply use the software.

At the start, simplicity is best. So, stick to short captures that focus on easy-to-identify protocols that can make the learning process much easier. AM, ADS-B, or even FM broadcast signals are a great “hello world” opener for learning about reverse engineering.

And remember, if you’re all out of ideas and need some help, here are a few extra sources that you can use for troubleshooting.

Join the Community Slack Channel to get community support.

Check out the Wiki to get tutorials and lessons regarding reverse engineering, and then,

Share your work with the Community by writing a tutorial or review.

Common Mistakes & Tips

Once you’re established, you can try turning your hand to pretty much any signal you can imagine (and capture). However, in the early days, it's worth keeping things simple to prioritise the learning process. So, while you’re learning to use the software, keep these tips in mind.

1. Weak Signals: Avoid weak signals for now. It will add complexity and slow the learning process. Keep these for when you’re more comfortable using the software package.

2. Overdriven Receivers: With gain, you can, in fact, have too much of a good thing. An overdriven receiver will induce distortion and other noise that makes it harder to properly analyse a transmission.

3. Cropping: The ability to crop a signal is a huge advantage as it allows for the removal of background noise and adjacent signals. Learn it early and use it frequently, as, used properly, it will clean up captured signals for proper analysis.

RTFM: If you’re technically minded, you can probably muddle along without reading the manual, but if the aim of the game is to properly learn, you’ll be better equipped by leaning into the manual. It’s the best way to learn all the tricks and nuances you’ll need to fully grasp the capabilities of URH.

Pro Tip: Embrace recording! Remember, every capture doesn’t have to be a one-and-done situation. Building a signal “library” or repository of captures comes with distinct educational value. Use your library for comparison or do a re-analysis of a signal after the fact.

Over To You

In this publication, we’re big on getting you out there and doing things over hours of endless theory. So, with that said, here are two simple exercises that you can get started with once you’ve installed the URH software.

Exercise One: capture a 30s I/Q file of an FM station, crop the carrier, slice it, and identify the stereo pilot. Don’t forget to save your file and your parameters.
Share a screenshot and your notes in the comments to compare results.

Congratulations, you’ve just used URH for signal capture and processing!

Next, we’ll aim to leverage one of the key automated features of URH, pattern detection. URH’s pattern detection and frame analysis views will reveal repeating headers, checksum fields, and bit timing patterns for us.

For this, we will use APRS (Amateur Position Reporting System) packets from the amateur radio network. In the US, you can capture these on 144.390MHz. The International Space Station will also transmit them on 145.825MHz. If you can’t obtain a capture, find one on YouTube

Exercise Two: Capture an APRS sample, load it into URH, and run the automated pattern and frame-detection tools to identify headers, flags, and the bitstream.

These packets use 1200 baud AFSK, so experiment with FSK demodulation and adjust the symbol rate until the waveform looks consistent. In the interpretation view, use the pattern search to find repeating headers and flag sequences. When you find these, you’ll be able to mark the start and end of each APRS frame.

If you’re not comfortable with these exercises at this point, fear not!

We’ll be looking at URH in much more detail in future articles which will include tutorials on all of the automated processes that help make the software easier to use.

If you found this article insightful, informative, or entertaining, we kindly encourage you to show your support. Clapping for this article not only lets the author know that their work is appreciated but also helps boost its visibility to others who might benefit from it.

🌟 Enjoyed this article? Join the community! 🌟

📢 Join our OSINT Telegram channel for exclusive updates or

📢 Follow our crypto Telegram for the latest giveaways

🐦 Follow us on Twitter and

🟦 We’re now on Bluesky!

🔗 Articles we think you’ll like:

1. What The Tech?! Space Shuttles
2. Shodan: A Map of the Internet

✉️ Want more content like this? Sign up for email updates