
I-CAN-hack/urh-ng

 
 


URH-NG: Universal Radio Hacker - Next Generation

CI Code style: black Blackhat Arsenal 2017 Blackhat Arsenal 2018

Beta -- URH-NG is currently in beta and under active testing. It will be available in the RF Swift image starting with v0.1.6.

URH-NG is a next-generation fork of Universal Radio Hacker, maintained by PentHertz. It extends URH with automatic protocol identification against 327 protocols, an automotive RF crypto toolkit with 23 ciphers, and support for new SDR hardware including HydraSDR, Harogic spectrum analyzers, and Signal Hound BB60.

URH-NG is a complete suite for wireless protocol investigation with native support for many common Software Defined Radios. It makes demodulating signals easy and detects modulation parameters automatically, making it a breeze to identify the bits and bytes that fly over the air. As data often gets encoded before transmission, URH-NG offers customizable decodings to crack even sophisticated encodings like CC1101 data whitening. For protocol reverse-engineering, URH-NG helps in two ways: you can either assign protocol fields and message types manually or let URH-NG infer protocol fields automatically with rule-based intelligence. Finally, URH-NG includes a fuzzing component aimed at stateless protocols and a simulation environment for stateful attacks.
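To illustrate the CC1101 data whitening mentioned above, here is an added example (written for this page, not URH-NG's own decoder). The chip XORs everything after the sync word with a PN9 keystream, so a capture can be tested for whitening by checking whether its length byte and CRC-16 only validate once the XOR is undone. The function names, the sample payload and the high-byte-first CRC order are assumptions of the example.

```python
# Added example (not URH-NG code): CC1101 PN9 whitening and a check for it.

def pn9_keystream(n):
    """First n bytes of the whitening sequence (9-bit LFSR, x^9 + x^5 + 1)."""
    lfsr, out = 0x1FF, bytearray()            # register starts as all ones
    for _ in range(n):
        out.append(lfsr & 0xFF)               # low 8 bits form the key byte
        for _ in range(8):                    # clock 8 times per data byte
            feedback = (lfsr ^ (lfsr >> 5)) & 1
            lfsr = (lfsr >> 1) | (feedback << 8)
    return bytes(out)

def whiten(data):
    """XOR with the PN9 keystream; applying it twice restores the input."""
    return bytes(d ^ k for d, k in zip(data, pn9_keystream(len(data))))

def crc16(data, poly=0x8005, crc=0xFFFF):
    """CRC-16 of the CC1101 packet engine (MSB first, initial value 0xFFFF)."""
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly if crc & 0x8000 else crc << 1) & 0xFFFF
    return crc

def frame_ok(frame):
    """True if frame is length byte + payload + CRC-16 and the CRC matches."""
    if len(frame) < 4 or frame[0] != len(frame) - 3:
        return False
    # Assumption: the CRC is appended high byte first.
    return crc16(frame[:-2]) == int.from_bytes(frame[-2:], "big")

def detect_whitening(captured):
    """Classify the bytes following the sync word: plain, whitened or unknown."""
    if frame_ok(captured):
        return "plain", captured
    dewhitened = whiten(captured)
    if frame_ok(dewhitened):
        return "whitened", dewhitened
    return "unknown", captured

# Constructed sample: a 5-byte all-zero payload in a variable-length frame.
payload = bytes(5)
plain = bytes([len(payload)]) + payload
plain += crc16(plain).to_bytes(2, "big")
on_air = whiten(plain)                        # what the receiver demodulates

if __name__ == "__main__":
    print(on_air.hex(), detect_whitening(on_air)[0])
```

The all-zero payload makes the keystream itself visible in `on_air`, which is why whitened frames look random until the XOR is removed.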


What's New in URH-NG

Auto Protocol Identification (PHZ DB)

A database of 327 protocol signatures sourced from rtl_433, Flipper-ARF, and ProtoPirate. URH-NG matches captured signals against all 327 protocols using a modulation-aware scoring engine that detects encoding type (PWM, Manchester, NRZ, Miller), preamble patterns (6 types), gap structures (4 types), and field layouts (17 types).

See SUPPORTED_PROTOCOLS.md for the full list.

Automotive RF Crypto Toolkit (23 Ciphers)

15 protocols auto-decode without any user input -- just capture, demodulate, and identify:

| Protocol | Algorithm |
|---|---|
| Ford V0 | XOR + bit interleave + GF(2) CRC |
| KIA V3/V4 | KeeLoq (known master key) |
| KIA V5 | 18-round mixer cipher |
| KIA V6 | AES-128 ECB |
| VAG (VW/Audi/Skoda/Seat) | AUT64 (3 key sets) + TEA |
| Somfy Telis/Keytis | Cascading XOR |
| Came Atomo | LFSR bit-flip cipher |
| Came Twee | 32-bit XOR rainbow table |
| Mazda Siemens | Parity-XOR + deinterleave |
| Phoenix V2 | 16-iter bit-shuffle |
| Security+ v1/v2 | Base-3 ternary encoding |
| Porsche Cayenne | 24-bit rotating register |
| Subaru | 24-bit serial rotation + XOR |
| Mitsubishi V0 | Counter-derived XOR |
| PSA (Peugeot/Citroen) | TEA mode 0x23 XOR |

8 guided-decode protocols with built-in key management and brute-force:

| Protocol | What You Provide |
|---|---|
| KeeLoq (HCS200/300, NICE, StarLine, etc.) | 64-bit manufacturer key (26 built-in keys, brute-force with 2 captures) |
| FAAC SLH | Manufacturer key + seed |
| Nice Flor-S | 32-byte rainbow table |
| Alutech AT-4N | Rainbow table (modified TEA) |
| Scher-Khan Magicar | Auto-detects PRO1 vs PRO2 |
| TEA (generic) | 128-bit key |
| AES-128 (generic) | 128-bit key |
| AUT64 (generic) | Key nibbles + S-box + P-box |

See CRYPTO_TOOLKIT.md for full details.

New SDR Hardware Support

| Device | Type | Notes |
|---|---|---|
| HydraSDR | IQ stream SDR | Multi-device support, sample rate combobox |
| Harogic | HTRA spectrum analyzer | Multi-device support via HTRA SDK |
| Signal Hound BB60 | Spectrum analyzer | Native integration via Signal Hound SDK |

Enhanced Signal Processing

  • PWM encoding support -- proper short/long pulse width demodulation
  • Miller encoding support -- mid-bit transition detection (RFID ISO 14443, EPC Gen2)
  • FrameAnalyzer -- detects 6 preamble types, 4 gap types, 3 encoding types automatically
  • Modulation-aware scoring -- protocol matching considers PWM vs NRZ vs Manchester
  • Field coverage scoring -- penalizes unlabeled trailing data for better protocol fits
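One way pulse timing can separate PWM from Manchester, and how each is then turned into bits, is shown in the added example below; it is not taken from URH-NG's FrameAnalyzer. The tolerance, the bit conventions and both sample captures are assumptions of the example, and NRZ and Miller are left out.

```python
# Added example (not URH-NG code): classify a pulse train by timing, then decode.
# A capture is a list of (level, duration_us) pairs; sample captures are constructed.
from statistics import median

def classify(pulses, tol=0.25):
    marks = [d for level, d in pulses if level == 1]
    spaces = [d for level, d in pulses if level == 0]
    if not marks or not spaces:
        return "unknown"
    # PWM: one mark plus one space per bit, so the bit period stays constant
    # while the mark width switches between a short and a long value.
    periods = [m + s for m, s in zip(marks, spaces)]
    period = median(periods)
    if max(marks) > 1.5 * min(marks) and all(abs(p - period) <= tol * period for p in periods):
        return "PWM"
    # Manchester: marks and spaces alike last one or two half-bit times.
    half = min(marks + spaces)
    if all(round(d / half) in (1, 2) and abs(d / half - round(d / half)) <= tol
           for d in marks + spaces):
        return "Manchester"
    return "unknown"

def decode_pwm(pulses):
    """Assumed convention: short mark = 1, long mark = 0."""
    marks = [d for level, d in pulses if level == 1]
    threshold = (min(marks) + max(marks)) / 2
    return "".join("1" if d < threshold else "0" for d in marks)

def decode_manchester(pulses):
    """Assumed convention: high-then-low = 1, low-then-high = 0."""
    half = min(d for _, d in pulses)
    chips = [level for level, d in pulses for _ in range(round(d / half))]
    if len(chips) % 2:                 # final low half-bit merged into the idle gap
        chips.append(0)
    bits = []
    for first, second in zip(chips[0::2], chips[1::2]):
        if first == second:
            raise ValueError("not valid Manchester: no mid-bit transition")
        bits.append("1" if first == 1 else "0")
    return "".join(bits)

def decode(pulses):
    kind = classify(pulses)
    decoder = {"PWM": decode_pwm, "Manchester": decode_manchester}.get(kind)
    return kind, decoder(pulses) if decoder else None

# Constructed captures with a few microseconds of jitter.
PWM_CAPTURE = [(1, 310), (0, 690), (1, 705), (0, 300), (1, 295), (0, 700), (1, 300), (0, 710)]
MANCHESTER_CAPTURE = [(1, 500), (0, 1010), (1, 490), (0, 505), (1, 990), (0, 500)]
```

A run of identical Manchester bits has a constant period too, so timing alone cannot always decide; that ambiguity is why a matcher also has to weigh preamble and field layout.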

Additional Improvements

  • Sample rate combobox for fixed-rate devices
  • Multi-device support for HydraSDR and Harogic
  • Flipper Zero SubGHz plugin
  • CI/CD workflows for multi-arch builds (.deb packages)
  • Contributing guide for adding protocols, crypto, and decoders (CONTRIBUTING_DECODERS.md)

Getting Started

Quick Start: Auto Protocol Identification

  1. Capture or load a signal in URH-NG
  2. Demodulate the signal (auto-interpretation handles most parameters)
  3. Analyze -> Auto-identify protocol (PHZ DB) -- matches against 327 protocols
  4. If a crypto cipher is mapped, the result dialog shows decoded fields (SN, button, counter)
  5. For user-key ciphers: Analyze -> Crypto Toolkit opens pre-filled with guidance

Installation

URH-NG runs on Windows, Linux, and macOS. Python 3.9+ is required.

Linux (recommended)

From source

```
git clone https://github.com/PentHertz/urh-ng.git
cd urh-ng
pip install -e .
```

Using .deb package

Pre-built .deb packages are available from GitHub Releases.

To access your SDR as a non-root user, install the corresponding udev rules. You can find them in the wiki.

Windows

```
pip install urh-ng
```

If you get an error about missing api-ms-win-crt-runtime-l1-1-0.dll, run Windows Update or install KB2999226.

macOS

```
pip install urh-ng
```

Running from source (all platforms)

```
git clone https://github.com/PentHertz/urh-ng.git
cd urh-ng/src/urh
PYTHONPATH=.. ./main.py
```

Note: C++ extensions will be built before first usage.

Native SDR Backends

Install the -dev package for your SDR before installing URH-NG for native support:

| SDR | Library | Package |
|---|---|---|
| RTL-SDR | librtlsdr | librtlsdr-dev |
| HackRF | libhackrf | hackrf-dev |
| BladeRF | libbladerf | libbladerf-dev |
| LimeSDR | limesuite | limesuite-dev |
| PlutoSDR | libiio | libiio-dev |
| USRP | uhd | libuhd-dev |
| AirSpy | libairspy | airspy-dev |
| SDRPlay | sdrplay | SDRPlay API |
| HydraSDR | hydrasdr | hydrasdr-host |
| Harogic | HTRA SDK | Vendor SDK |
| Signal Hound BB60 | Signal Hound SDK | Vendor SDK |
| GNU Radio | gnuradio | gnuradio-dev |

Citing URH

We encourage researchers working with URH to cite the WOOT'18 paper:

BibTeX entry
@inproceedings {220562,
author = {Johannes Pohl and Andreas Noack},
title = {Universal Radio Hacker: A Suite for Analyzing and Attacking Stateful Wireless Protocols},
booktitle = {12th {USENIX} Workshop on Offensive Technologies ({WOOT} 18)},
year = {2018},
address = {Baltimore, MD},
url = {https://www.usenix.org/conference/woot18/presentation/pohl},
publisher = {{USENIX} Association},
}

Credits

URH was originally created by Johannes Pohl (@jopohl).

URH-NG is maintained by Sebastien Dudek at PentHertz (@FlUxIuS).

See CONTRIBUTORS.md for the full list of contributions.

Articles

Hacking stuff with URH

General presentations and tutorials on URH

External Decodings

See wiki for community-provided decodings.

Screenshots

Get the data out of raw signals

Interpretation phase

Keep an overview even on complex protocols

Analysis phase

Record and send signals

Record

License

GNU General Public License (GPL)
