Beta -- URH-NG is currently in beta and under active testing. It will be available in the RF Swift image starting with v0.1.6.
URH-NG is a next-generation fork of Universal Radio Hacker, maintained by PentHertz. It extends URH with automatic protocol identification against 327 protocols, an automotive RF crypto toolkit with 23 ciphers, and support for new SDR hardware including HydraSDR, Harogic spectrum analyzers, and Signal Hound BB60.
URH-NG is a complete suite for wireless protocol investigation with native support for many common Software Defined Radios. It allows easy demodulation of signals combined with automatic detection of modulation parameters making it a breeze to identify the bits and bytes that fly over the air. As data often gets encoded before transmission, URH-NG offers customizable decodings to crack even sophisticated encodings like CC1101 data whitening. When it comes to protocol reverse-engineering, URH-NG is helpful in two ways. You can either manually assign protocol fields and message types or let URH-NG automatically infer protocol fields with a rule-based intelligence. Finally, URH-NG entails a fuzzing component aimed at stateless protocols and a simulation environment for stateful attacks.
A database of 327 protocol signatures sourced from rtl_433, Flipper-ARF, and ProtoPirate. URH-NG matches captured signals against all 327 protocols using a modulation-aware scoring engine that detects encoding type (PWM, Manchester, NRZ, Miller), preamble patterns (6 types), gap structures (4 types), and field layouts (17 types).
See SUPPORTED_PROTOCOLS.md for the full list.
15 protocols auto-decode without any user input -- just capture, demodulate, and identify:
| Protocol | Algorithm |
|---|---|
| Ford V0 | XOR + bit interleave + GF(2) CRC |
| KIA V3/V4 | KeeLoq (known master key) |
| KIA V5 | 18-round mixer cipher |
| KIA V6 | AES-128 ECB |
| VAG (VW/Audi/Skoda/Seat) | AUT64 (3 key sets) + TEA |
| Somfy Telis/Keytis | Cascading XOR |
| Came Atomo | LFSR bit-flip cipher |
| Came Twee | 32-bit XOR rainbow table |
| Mazda Siemens | Parity-XOR + deinterleave |
| Phoenix V2 | 16-iter bit-shuffle |
| Security+ v1/v2 | Base-3 ternary encoding |
| Porsche Cayenne | 24-bit rotating register |
| Subaru | 24-bit serial rotation + XOR |
| Mitsubishi V0 | Counter-derived XOR |
| PSA (Peugeot/Citroen) | TEA mode 0x23 XOR |
8 guided-decode protocols with built-in key management and brute-force:
| Protocol | What You Provide |
|---|---|
| KeeLoq (HCS200/300, NICE, StarLine, etc.) | 64-bit manufacturer key (26 built-in keys, brute-force with 2 captures) |
| FAAC SLH | Manufacturer key + seed |
| Nice Flor-S | 32-byte rainbow table |
| Alutech AT-4N | Rainbow table (modified TEA) |
| Scher-Khan Magicar | Auto-detects PRO1 vs PRO2 |
| TEA (generic) | 128-bit key |
| AES-128 (generic) | 128-bit key |
| AUT64 (generic) | Key nibbles + S-box + P-box |
See CRYPTO_TOOLKIT.md for full details.
| Device | Type | Notes |
|---|---|---|
| HydraSDR | IQ stream SDR | Multi-device support, sample rate combobox |
| Harogic | HTRA spectrum analyzer | Multi-device support via HTRA SDK |
| Signal Hound BB60 | Spectrum analyzer | Native integration via Signal Hound SDK |
- PWM encoding support -- proper short/long pulse width demodulation
- Miller encoding support -- mid-bit transition detection (RFID ISO 14443, EPC Gen2)
- FrameAnalyzer -- detects 6 preamble types, 4 gap types, 3 encoding types automatically
- Modulation-aware scoring -- protocol matching considers PWM vs NRZ vs Manchester
- Field coverage scoring -- penalizes unlabeled trailing data for better protocol fits
- Sample rate combobox for fixed-rate devices
- Multi-device support for HydraSDR and Harogic
- Flipper Zero SubGHz plugin
- CI/CD workflows for multi-arch builds (
.debpackages) - Contributing guide for adding protocols, crypto, and decoders (CONTRIBUTING_DECODERS.md)
- View the installation instructions below
- Download the original userguide (PDF) (URH basics still apply)
- Watch the demonstration videos (YouTube)
- Check out the wiki for device info and SDR setup
- Capture or load a signal in URH-NG
- Demodulate the signal (auto-interpretation handles most parameters)
- Analyze -> Auto-identify protocol (PHZ DB) -- matches against 327 protocols
- If a crypto cipher is mapped, the result dialog shows decoded fields (SN, button, counter)
- For user-key ciphers: Analyze -> Crypto Toolkit opens pre-filled with guidance
URH-NG runs on Windows, Linux, and macOS. Python 3.9+ is required.
git clone https://github.com/PentHertz/urh-ng.git
cd urh-ng
pip install -e .Pre-built .deb packages are available from GitHub Releases.
In order to access your SDR as non-root user, install the according udev rules. You can find them in the wiki.
pip install urh-ngIf you get an error about missing api-ms-win-crt-runtime-l1-1-0.dll, run Windows Update or install KB2999226.
pip install urh-nggit clone https://github.com/PentHertz/urh-ng.git
cd urh-ng/src/urh
PYTHONPATH=.. ./main.pyNote: C++ extensions will be built before first usage.
Install the -dev package for your SDR before installing URH-NG for native support:
| SDR | Library | Package |
|---|---|---|
| RTL-SDR | librtlsdr | librtlsdr-dev |
| HackRF | libhackrf | hackrf-dev |
| BladeRF | libbladerf | libbladerf-dev |
| LimeSDR | limesuite | limesuite-dev |
| PlutoSDR | libiio | libiio-dev |
| USRP | uhd | libuhd-dev |
| AirSpy | libairspy | airspy-dev |
| SDRPlay | sdrplay | SDRPlay API |
| HydraSDR | hydrasdr | hydrasdr-host |
| Harogic | HTRA SDK | Vendor SDK |
| Signal Hound BB60 | Signal Hound SDK | Vendor SDK |
| GNU Radio | gnuradio | gnuradio-dev |
We encourage researchers working with URH to cite the WOOT'18 paper:
BibTeX entry
@inproceedings {220562,
author = {Johannes Pohl and Andreas Noack},
title = {Universal Radio Hacker: A Suite for Analyzing and Attacking Stateful Wireless Protocols},
booktitle = {12th {USENIX} Workshop on Offensive Technologies ({WOOT} 18)},
year = {2018},
address = {Baltimore, MD},
url = {https://www.usenix.org/conference/woot18/presentation/pohl},
publisher = {{USENIX} Association},
}URH was originally created by Johannes Pohl (@jopohl).
URH-NG is maintained by Sebastien Dudek at PentHertz (@FlUxIuS).
See CONTRIBUTORS.md for the full list of contributions.
- Hacking Burger Pagers
- Reverse-engineer and Clone a Remote Control
- Reverse-engineering Weather Station RF Signals
- Reverse-engineering Wireless Blinds
- Attacking Logitech Wireless Presenters (German Article)
- Attacking Wireless Keyboards
- Reverse-engineering a 433MHz Remote-controlled Power Socket for use with Arduino
- Hackaday Article
- RTL-SDR.com Article
- Short Tutorial on URH with LimeSDR Mini
- Brute-forcing a RF Device: a Step-by-step Guide
- Hacking wireless sockets like a NOOB
See wiki for community-provided decodings.
GNU General Public License (GPL)


