
RF-201 Week 11 — URH Protocol-RE Workflow: Identify, Isolate, Decode, Replay


"URH is the IDA Pro of the sub-GHz world. You give it a capture and it gives you a hypothesis about the protocol structure. Then you test the hypothesis."


Lecture (90 min)

11.1 Universal Radio Hacker (URH): The Protocol RE Workbench

URH (Universal Radio Hacker) is a complete wireless-protocol reverse-engineering environment in one application. It handles: signal capture, signal analysis (modulation identification, symbol recovery), protocol analysis (bit-stream structure, encoding detection, message type identification), and signal generation (transmit crafted messages from HackRF or compatible hardware).

WIR-101 Week 9 used URH for the first "classify protocol family" task. RF-201 Week 11 runs the full RE workflow: from a raw IQ capture of an unknown protocol to a written protocol specification.

URH interface overview:

Tab        Purpose
Signal     IQ visualisation; time domain and frequency domain; waveform zoom
Analysis   Demodulation parameters (modulation, bit rate, deviation, sample rate, noise); exports bit stream
Protocol   Bit-stream analysis; auto-clustering of message types; field-boundary labelling; encoding detection
Generator  Craft and transmit custom messages matching the reverse-engineered structure
Compare    Diff multiple captures; identify stable vs. varying fields

11.2 Step 1: Signal Characterisation

The first step is identifying the modulation from the IQ capture, without any prior knowledge of the protocol.

Load the IQ file:

URH supports: .complex (GNU Radio complex64), .wav (IQ-as-stereo PCM), .sigmf (SigMF with metadata). When you open a file, set the sample rate from the capture metadata.

Visual modulation clues in the URH Signal tab:

What you see                                                   What it suggests
Amplitude changes; envelope on/off                             ASK / OOK
Frequency changes (track drifts up/down between two levels)    FSK / GFSK
Phase jumps (180° transitions visible in IQ view)              BPSK or DBPSK
Four-phase clusters in IQ scatter                              QPSK
Constant-amplitude arc with phase changes                      PSK family
Linear frequency sweep (chirp shape)                           CSS / LoRa

Auto-detect modulation: URH's Analysis tab has an Auto-detect parameters button. It estimates: modulation type, bit rate (from signal transitions), deviation (for FSK), and carrier offset. The auto-detect is not infallible; verify visually.

Manual verification (FSK example):

import numpy as np
import matplotlib.pyplot as plt

fs = 1e6  # sample rate in Hz: take it from the capture metadata, it is not stored in a raw .iq file
samples = np.fromfile("unknown-protocol.iq", dtype=np.complex64)
# Instantaneous frequency = derivative of phase (unwrap first, otherwise every 2*pi wrap shows as a spike)
inst_phase = np.unwrap(np.angle(samples))
inst_freq = np.diff(inst_phase) * (fs / (2 * np.pi))  # in Hz

plt.figure(figsize=(12, 4))
plt.plot(inst_freq[:5000])  # first 5000 samples; widen the window if a burst is longer
plt.xlabel('Sample'); plt.ylabel('Instantaneous frequency (Hz)')
plt.title('Instantaneous frequency — FSK shows two levels'); plt.grid(True)
plt.show()

Two clear levels → FSK. Frequency of each level → f_0 and f_1 → deviation = (f_1 - f_0)/2.

11.3 Step 2: Symbol Recovery

Once modulation is identified, URH demodulates the signal to a bit stream.

For FSK: Provide center frequency, bit rate, FSK deviation. URH applies frequency-discriminator demodulation and hard-decides each symbol.

Bit rate estimation: Look at the time domain. The minimum pulse width is the symbol period T_sym. Bit rate = 1/T_sym. URH shows a histogram of pulse widths to help identify T_sym.

For OOK/ASK: The threshold matters. URH shows the envelope; set the threshold at approximately 50% of the peak amplitude. Adjust if bits look noisy.

Output: A binary string like:

1010101010101010 10110001 00000001 11110000 01010101 10100011 ...
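The two steps above (instantaneous-frequency track in 11.2, pulse-width bit-rate estimation and hard decision in 11.3) carried out end to end, as an added example that is not part of the lecture page and not URH's own code. It synthesises a clean 2-FSK burst with pure Python (no numpy), then recovers deviation, carrier offset, bit rate and the bit stream from the frequency track alone. The bit pattern, sample rate, bit rate and deviation are constructed values.

```python
import cmath
import math

# Constructed example: synthesise a 2-FSK burst, then characterise it the way the
# URH Analysis tab does (two frequency levels -> deviation; shortest pulse -> T_sym).

def make_fsk(bits, fs, bit_rate, deviation, carrier_offset=0.0):
    """Baseband 2-FSK with continuous phase: '1' -> +deviation, '0' -> -deviation (Hz)."""
    sps = round(fs / bit_rate)          # samples per symbol
    phase, out = 0.0, []
    for b in bits:
        f = carrier_offset + (deviation if b == "1" else -deviation)
        step = 2 * math.pi * f / fs     # phase advance per sample
        for _ in range(sps):
            out.append(cmath.exp(1j * phase))
            phase += step
    return out

def instantaneous_frequency(samples, fs):
    """Discrete phase derivative in Hz; angle(x[n+1] * conj(x[n])) is already wrapped, so no unwrap needed."""
    return [cmath.phase(b * a.conjugate()) * fs / (2 * math.pi)
            for a, b in zip(samples, samples[1:])]

def run_lengths(values):
    """Run-length encode a sequence: [(value, length), ...]."""
    runs = []
    for v in values:
        if runs and runs[-1][0] == v:
            runs[-1][1] += 1
        else:
            runs.append([v, 1])
    return [(v, n) for v, n in runs]

def characterise_fsk(samples, fs):
    freqs = instantaneous_frequency(samples, fs)
    # Split the track into two levels at the midpoint of its range
    mid = (min(freqs) + max(freqs)) / 2
    hi = [f for f in freqs if f > mid]
    lo = [f for f in freqs if f <= mid]
    if not hi or not lo:
        raise ValueError("only one frequency level present: not 2-FSK")
    f1, f0 = sum(hi) / len(hi), sum(lo) / len(lo)
    decisions = [1 if f > mid else 0 for f in freqs]
    runs = run_lengths(decisions)
    # First and last runs are truncated by the capture edges; the shortest
    # interior run is one symbol period T_sym, so bit rate = fs / T_sym.
    interior = runs[1:-1] if len(runs) > 2 else runs
    sps = min(n for _, n in interior)
    bits = "".join(str(v) * max(1, round(n / sps)) for v, n in runs)
    return {
        "f0_hz": f0,
        "f1_hz": f1,
        "deviation_hz": (f1 - f0) / 2,
        "carrier_offset_hz": (f1 + f0) / 2,
        "bit_rate": fs / sps,
        "bits": bits,
    }

if __name__ == "__main__":
    fs = 1_000_000                                      # constructed sample rate
    tx_bits = "1010101010101010" + "10110001" + "00000001"
    iq = make_fsk(tx_bits, fs, bit_rate=10_000, deviation=25_000, carrier_offset=3_000)
    print(characterise_fsk(iq, fs))
```

The midpoint split is enough for a clean synthetic burst; on a noisy capture, take the two peaks of the frequency histogram instead (URH shows that histogram), and expect the shortest-run estimate to come out slightly short, which is why the first and last runs are excluded.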

11.4 Step 3: Frame Structure Analysis

With the bit stream, identify:

  1. Preamble: the bit pattern that marks the start of each frame (typically alternating 1/0 or fixed pattern)
  2. Sync word: the frame delimiter (e.g., 0x2DD4 in many 315/433 MHz protocols)
  3. Address field: device identifier; stable across multiple captures of the same device
  4. Command/data field: varies between messages; this is the payload
  5. CRC/checksum: varies predictably from the payload; URH has CRC detection

URH Protocol tab workflow:

  1. Load the demodulated bit stream
  2. Run Interpret Signal; the protocol-analysis auto-clustering identifies repeated patterns
  3. Right-click on bit fields to label them: "Preamble", "Sync", "Address", "Command", "CRC"
  4. Use the Compare view to correlate same-device/different-command captures

Encoding detection: Many sub-GHz protocols use Manchester encoding (each bit is encoded as a transition; "1" = 0→1, "0" = 1→0) or differential encoding. URH can test for common encodings automatically.
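The frame-structure steps above (sync-word search, field slicing, Manchester decoding, Compare-view stable/varying check) as an added example, not part of the lecture page and not URH's implementation. The preamble (0xAAAA) and sync word (0x2DD4) are the lecture's examples; the field layout (3-byte address, 1-byte command, 1-byte checksum), the three captures and their checksum bytes are constructed for the example.

```python
# Constructed example: undo Manchester encoding, locate preamble + sync word,
# slice the frame into labelled fields, and compare captures for stable bytes.

PREAMBLE = "10" * 8                     # 0xAAAA, alternating 1/0
SYNC = format(0x2DD4, "016b")           # sync word quoted in the lecture

def bytes_to_bits(data):
    return "".join(format(b, "08b") for b in data)

def bits_to_bytes(bits):
    usable = len(bits) - len(bits) % 8   # drop a trailing partial byte
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))

def manchester_encode(bits, one="01"):
    """'1' -> one, '0' -> its mirror; default matches the lecture's 1 = 0->1, 0 = 1->0."""
    zero = one[::-1]
    return "".join(one if b == "1" else zero for b in bits)

def manchester_decode(bits, one="01", offset=0):
    """Decode from the given pair alignment; an invalid pair raises ValueError."""
    zero = one[::-1]
    out = []
    for i in range(offset, len(bits) - 1, 2):
        pair = bits[i:i + 2]
        if pair == one:
            out.append("1")
        elif pair == zero:
            out.append("0")
        else:
            raise ValueError(f"invalid Manchester pair {pair!r} at bit {i}")
    return "".join(out)

def manchester_decode_auto(bits, one="01"):
    """Pair alignment is unknown in a raw capture: try both offsets."""
    for offset in (0, 1):
        try:
            return manchester_decode(bits, one, offset)
        except ValueError:
            continue
    raise ValueError("no alignment decodes cleanly; probably not Manchester")

def frame_payload(bits):
    """Bytes that follow preamble + sync; raises if the sync word is absent."""
    start = bits.find(PREAMBLE + SYNC)
    if start < 0:
        raise ValueError("sync word not found")
    return bits_to_bytes(bits[start + len(PREAMBLE) + len(SYNC):])

# Hypothetical layout (byte sizes after the sync word), constructed for the example
LAYOUT = [("address", 3), ("command", 1), ("crc", 1)]

def parse_frame(payload, layout=LAYOUT):
    fields, pos = {}, 0
    for name, size in layout:
        fields[name] = payload[pos:pos + size]
        pos += size
    return fields

def stable_byte_mask(payloads):
    """Compare-view logic: True at byte positions identical in every capture."""
    n = min(len(p) for p in payloads)
    return [len({p[i] for p in payloads}) == 1 for i in range(n)]

# Three constructed captures of one remote: same address, different commands.
# The last byte stands in for a checksum; the values are placeholders.
CAPTURES = [
    bytes([0x12, 0x34, 0x56, 0x01, 0x9C]),
    bytes([0x12, 0x34, 0x56, 0x02, 0x3E]),
    bytes([0x12, 0x34, 0x56, 0x04, 0xA7]),
]

def raw_capture(payload):
    """What a demodulator hands over: a stray leading bit, then a Manchester-coded frame."""
    return "0" + manchester_encode("1" + PREAMBLE + SYNC + bytes_to_bits(payload))

def analyse(raw_bit_streams):
    payloads = [frame_payload(manchester_decode_auto(s)) for s in raw_bit_streams]
    return {"stable_mask": stable_byte_mask(payloads),
            "frames": [parse_frame(p) for p in payloads]}

if __name__ == "__main__":
    result = analyse([raw_capture(c) for c in CAPTURES])
    print(result["stable_mask"])          # stable address bytes, varying command and checksum
    for f in result["frames"]:
        print({k: v.hex() for k, v in f.items()})
```

The stray leading bit forces the decoder to try the second Manchester alignment, which is the usual situation with a real capture: symbol boundaries from the demodulator do not tell you which pair boundary is the right one, and a burst of invalid pairs at offset 0 is the tell.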

11.5 Step 4: CRC Reverse-Engineering

Many sub-GHz protocols use CRC-8 or CRC-16 with non-standard polynomials and initial values. URH includes a CRC brute-forcer that tests common CRC parameters against observed checksums.

For manual CRC analysis:

import crcmod

# Test CRC-8 with polynomial 0x07 (CCITT CRC-8). crcmod wants the implicit top bit, hence 0x107.
# rev=False selects the non-reflected algorithm; crcmod defaults to rev=True (reflected),
# which would silently compute a different CRC-8. Use rev=True for reflected variants
# such as Dallas/Maxim CRC-8 and CRC-16-IBM/ARC.
crc_fn = crcmod.mkCrcFun(0x107, initCrc=0x00, rev=False, xorOut=0x00)
# data is the payload bytes (before the checksum field), sliced out of the decoded frame
data = bytes.fromhex("12345601")  # placeholder payload; replace with the captured field bytes
print(hex(crc_fn(data)))
# If this matches the observed checksum, you found the polynomial

# Common CRC polynomials to test (crcmod notation with the top bit, usual short form in brackets):
# CRC-8: 0x107 (0x07), 0x131 (0x31 = Dallas/Maxim, reflected)
# CRC-16: 0x11021 (CRC-16-CCITT), 0x18005 (CRC-16-IBM/ARC, reflected)
# CRC-32: 0x104C11DB7 (standard Ethernet, reflected)
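The same manual analysis generalised, as an added example that is neither the lecture's code nor URH's CRC brute-forcer: a parameterised CRC in pure Python (no crcmod dependency), checked against the published check values for the polynomials listed above, plus a search over CRC-8 parameters against (payload, observed checksum) pairs. The three sample payloads are constructed, and their "observed" checksums are produced here by CRC-8/Maxim (0x31, reflected) to stand in for bytes read off captured frames.

```python
from itertools import product

# Constructed example: parameterised (Rocksoft-model) CRC and a CRC-8 parameter search.

def reflect(value, width):
    """Reverse the low `width` bits of value."""
    out = 0
    for _ in range(width):
        out = (out << 1) | (value & 1)
        value >>= 1
    return out

def crc(data, width, poly, init=0, xorout=0, refin=False, refout=False):
    """`poly` omits the implicit top bit: crcmod's 0x107 is 0x07 here."""
    mask = (1 << width) - 1
    top = 1 << (width - 1)
    reg = init & mask
    for byte in data:
        if refin:
            byte = reflect(byte, 8)
        reg ^= byte << (width - 8)
        for _ in range(8):
            reg = ((reg << 1) ^ poly) & mask if reg & top else (reg << 1) & mask
    if refout:
        reg = reflect(reg, width)
    return reg ^ xorout

# Parameter sets for the polynomials the lecture lists; check value = crc(b"123456789")
KNOWN = {
    "CRC-8 (0x07)":        dict(width=8,  poly=0x07),
    "CRC-8/Maxim (0x31)":  dict(width=8,  poly=0x31, refin=True, refout=True),
    "CRC-16/CCITT-FALSE":  dict(width=16, poly=0x1021, init=0xFFFF),
    "CRC-16/ARC":          dict(width=16, poly=0x8005, refin=True, refout=True),
}

def brute_force_crc8(observations, inits=(0x00, 0xFF), xorouts=(0x00, 0xFF)):
    """Every CRC-8 parameter set that reproduces all observed (payload, checksum) pairs.

    All 256 polynomials are tried (non-standard ones are common in sub-GHz gear);
    widen `inits` / `xorouts` to range(256) if nothing matches.
    """
    matches = []
    for poly, init, xorout, ref in product(range(256), inits, xorouts, (False, True)):
        params = dict(width=8, poly=poly, init=init, xorout=xorout, refin=ref, refout=ref)
        if all(crc(payload, **params) == observed for payload, observed in observations):
            matches.append(params)
    return matches

# Constructed "captures". Payloads of different lengths matter: for a single fixed
# length, a change of init is indistinguishable from a change of xorout.
SAMPLE_PARAMS = dict(width=8, poly=0x31, init=0x00, xorout=0x00, refin=True, refout=True)
SAMPLE_PAYLOADS = [bytes([0x12, 0x34, 0x56, 0x01]),
                   bytes([0x12, 0x34, 0x56, 0x02, 0x80]),
                   bytes([0xA5, 0x00, 0x7F])]
OBSERVATIONS = [(p, crc(p, **SAMPLE_PARAMS)) for p in SAMPLE_PAYLOADS]

if __name__ == "__main__":
    for name, params in KNOWN.items():
        digits = params["width"] // 4
        print(f"{name:22s} check = 0x{crc(b'123456789', **params):0{digits}X}")
    for m in brute_force_crc8(OBSERVATIONS):
        print("candidate:", m)
```

If the search returns more than one candidate, add captures of other lengths before trusting any of them; if it returns none, the checksum may not cover the bytes you assumed (a preamble or sync byte included, a byte excluded), so move the slice boundaries before widening the parameter ranges.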

11.6 Step 5: Signal Generation + Replay

Once the protocol is understood, generate test messages. URH's Generator tab constructs bit streams from field labels and transmits them via HackRF or another TX-capable SDR.

Applications in protocol RE:

  • Replay attack: retransmit a captured command (e.g., "unlock" command)
  • Command enumeration: send each possible command value and observe target response
  • Field mutation: change the address field to impersonate a different device

Lab 9 applies all five steps to an instructor-supplied unknown protocol. See labs/lab-9.md.

11.7 URH-NG (PentHertz Fork)

URH-NG is a maintained fork of URH with extensions for automotive RF (TPMS decoding, key fob protocols), 327-protocol auto-identification mode, and improved signal processing. Install from GitHub:

pip install urh  # base URH
# Or URH-NG fork:
git clone https://github.com/gsourcecode/urh-ng
cd urh-ng && pip install -e .

The 327-protocol database includes common OOK/FSK/ASK protocols seen in consumer devices, automotive remotes, and building automation. Protocol identification confidence is displayed alongside the auto-detected parameters.


Homework

Reading (1.5 hr):

  • URH User Manual (github.com/jopohl/urh/wiki) — the full demodulation + protocol RE workflow documentation
  • Inspectrum README (github.com/miek/inspectrum) — the complementary IQ visualisation tool
  • "Hacking the IoT with URH" (FOSDEM talk; freely available slides + video)

Hands-on (2.5 hr): Lab 9. The full URH unknown-protocol RE exercise.

After completing Lab 9, open the same capture in Inspectrum as a cross-check:

inspectrum unknown-protocol.iq
# Set sample rate in View menu
# Use Amplitude Plot to visualise OOK envelope
# Use Frequency Plot to visualise FSK frequency track

Note whether Inspectrum's visual and URH's auto-detect agree on: modulation, bit rate, symbol boundaries.


Toolchain Diary Entry

Deepened this week: URH at intermediate-RE depth (full five-step workflow)

New entries: URH Protocol Tab: the frame-structure analysis tool within URH. Use: load demodulated bit stream, run Interpret Signal, label fields, compare across multiple captures.

Inspectrum: offline IQ visual analysis tool. Displays: amplitude plot, frequency plot, spectrogram, time-frequency with variable zoom. Useful for cross-checking URH modulation identification. Note: Inspectrum is read-only; it does not demodulate or decode.


Key Terms

  • Preamble: fixed repeating bit pattern at start of wireless frame; enables receiver synchronisation
  • Sync word (start of frame delimiter): fixed bit pattern marking the end of preamble and start of payload; receiver latches on this
  • Manchester encoding: line code where each bit is represented as a transition (0→1 or 1→0); self-clocking; common in sub-GHz ISM remotes
  • CRC polynomial: the generator polynomial for cyclic redundancy check; often 0x07 (CRC-8 CCITT) or 0x1021 (CRC-16 CCITT) in sub-GHz protocols
  • Protocol analysis clustering: URH groups recurring bit patterns into message types; the first step in frame structure RE
  • Replay attack: re-transmit a captured frame to replicate its effect; works when frames are not nonce-protected
  • Inspectrum: read-only IQ visualisation tool; amplitude, frequency, and spectrogram views; useful for modulation identification cross-check