HackRF One Volume 7 — Protocol Analysis (URH, Inspectrum, SigDigger)
From IQ recording to bits, packets, state machines, and a Flipper FAP
1. About this Volume
The protocol-analysis pipeline in the open-source SDR world is:

```text
.cfile capture (Vol 5)
        │
        ▼
Inspectrum ────► IQ → cursors → demod → bits-by-eye
        │
        ▼
URH ────► IQ → automatic demod → protocol structure → packet diff
        │
        ▼
GNU Radio ────► IQ → custom flowgraph → bits → file (Vol 6)
        │
        ▼
SigDigger ────► spectral exploration + ad hoc demod
        │
        ▼
Custom code (Python / C / Flipper FAP) ── packets → state machine → app
```
Three tools, each with a sweet spot. Inspectrum is the tactile cursor analyser. URH automates the demod-and-protocol-structure step. SigDigger is the modern alternative that overlaps URH and Inspectrum. GNU Radio (Vol 6) is the construction set when no pre-built tool fits.
This volume walks each, then ties them together with a worked example: capture an unknown sub-GHz remote, identify modulation, extract bits, recognise structure, and either (a) write a Flipper FAP if it’s a Flipper-known modulation, or (b) keep it as a HackRF + script workflow.
2. The Mental Model
A radio signal carries information in the modulation — variations in amplitude (AM/ASK/OOK), frequency (FM/FSK/GFSK), or phase (PSK/QAM). The decode pipeline reverses the modulation:
- Capture IQ at a sample rate at least 2× the signal bandwidth.
- Identify modulation by eye in a waterfall or spectrogram (AM looks like amplitude humps; FM looks like frequency hops; PSK is constellation patterns).
- Choose a demodulator that matches.
- Threshold the demod output to recover bits.
- Find frame boundaries — preambles, sync words, length fields.
- Recover packet structure — repeat-codes, addresses, payloads, CRC.
- Recognise state machine — handshakes, ACKs, multi-message flows.
Each step is a tool selection: Inspectrum is best at steps 2–4, URH at steps 4–6, and GRC + custom code at steps 6–7.
3. Universal Radio Hacker (URH)
URH^[https://github.com/jopohl/urh — open-source under GPL.] is the Swiss-army knife of protocol analysis. Pip-installable:
```bash
pip install urh
urh
```
The interface has three tabs that map onto the pipeline:
| Tab | Purpose |
|---|---|
| Interpretation | Open IQ, demodulate, threshold to bits |
| Analysis | Group bits into messages, identify protocol fields |
| Generator | Construct messages from a learned protocol structure for replay |
| Simulator | State-machine-driven replay (advanced) |
3.1 Workflow
- Open `capture.cfile` (Interpretation tab). URH parses interleaved float32 by default; switch to int8 if the file came straight from `hackrf_transfer -r`.
- URH heuristically detects the modulation (ASK/FSK/PSK), bit rate, and centre frequency. Often correct on the first try; sometimes needs hand-tweaking. Adjust the Modulation type dropdown if URH guesses wrong.
- URH thresholds the demod and shows bits as colored squares. The Bit length slider tunes per-symbol duration; align it so each symbol is one square wide.
- Click into Analysis tab. URH groups successive messages, aligns them, and highlights which bits change between repeats.
- URH’s Field detection identifies common protocol fields heuristically: preamble, sync word, length, address, payload, CRC. Adjust manually as needed.
3.2 What URH is good at
- Sub-GHz remotes (garage doors, wireless doorbells, weather stations) — almost everything is OOK or FSK with simple framing.
- Quick pattern recognition — “do these 8 captures of the same button-press all start with the same 24 bits?”.
- Replay testing — drag a learned message into the Generator tab, modify a few bits, transmit via HackRF.
3.3 What URH is not good at
- Encrypted protocols (rolling-code remotes, BLE encrypted payloads). URH can recover the bits but the bits don’t mean anything without the key.
- High-bandwidth digital protocols (WiFi, BLE, ZigBee). URH’s per-symbol slicing doesn’t handle the synchronisation requirements; use GNU Radio + dedicated OOT module.
- Phase-modulated protocols at low SNR. URH’s PSK demod is basic.
4. Inspectrum
Inspectrum^[https://github.com/miek/inspectrum — open-source.] is a different kind of tool: a waterfall + cursor environment for hand-analysis.
```bash
sudo apt install inspectrum   # debian/ubuntu/kali
inspectrum capture.cfile
```
The interface is a scrolling spectrogram. You drag cursor-rectangles over signal regions; Inspectrum reports their statistics (amplitude, frequency, duration) and can extract them as IQ slices for further analysis.
4.1 Sweet spot
Inspectrum is the right tool for:
- Identifying unknown signal characteristics — when URH guesses wrong, drag a cursor over a few symbols, read off the bit duration in microseconds.
- Manually demodulating short, awkward signals — Inspectrum’s “derived plot” shows AM-demod or FM-demod inside the cursor rectangle. By eye, you can recover bits Inspectrum + URH together can’t.
- Signal hunting in noisy spectrum — the waterfall scrolls live (with `inspectrum -live`) and you can pause to look at history.
4.2 Workflow with URH
Common pattern: open a capture in Inspectrum to see the signal, measure bit duration with a cursor, then re-open in URH with the bit-rate hint pre-set so URH’s heuristic gets the right answer.
5. SigDigger
SigDigger^[https://github.com/BatchDrake/SigDigger — open-source.] is a more recent tool that overlaps URH (protocol decode) and Inspectrum (waterfall analysis) in one package, with a more polished GUI. It supports HackRF directly (no osmocom source/sink wrapper) and can drive live captures or open .cfiles.
Workflow is similar to URH:
- Open capture.
- Identify modulation (built-in classifier; adjustable).
- Extract bits.
- Apply protocol templates if known.
SigDigger’s bias is toward interactive exploration rather than batch decode. It is excellent for “I have a recording and I want to poke at it”.
6. Worked Example — Decoding a 433.92 MHz Garage-Door Remote
Step-by-step, the canonical “first decode” exercise:
6.1 Capture
```bash
hackrf_transfer -r remote.cfile -f 433920000 -s 2000000 -g 24 -l 16 -a 0 \
    -n 4000000
# (Press the remote button 5–10 times during the 2-second capture.)
```
6.2 Look at it
```bash
inspectrum remote.cfile
# Waterfall shows ~200 ms bursts at 433.92 MHz with internal fine
# structure. Drag a cursor over one burst.
```
The cursor rectangle reports the burst duration and lets you measure individual symbol widths. Typical garage-door remotes use OOK (on-off keying) with 400-µs symbol time — measure to confirm.
6.3 URH analysis
```bash
urh remote.cfile
# Modulation: ASK/OOK
# Bit length: 400 µs (matches Inspectrum measurement)
# Bits emerge as a binary stream
```
In Analysis tab, the 5 button-presses align as 5 messages, all identical (this is a non-rolling-code remote — see §6.5 for rolling-code differences):
```text
Message 1: 11110000 11000011 10101010 ...
Message 2: 11110000 11000011 10101010 ... ← identical
Message 3: 11110000 11000011 10101010 ... ← identical
```
URH groups them as “5× identical 96-bit message”, which is the protocol structure: there’s no rolling element, the same bits identify this remote to this receiver.
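The same steps the tools perform above (envelope demod, threshold, symbol slicing, frame split, repeat diff from §2 and §6.3) as a stand-alone script. This is an added example, not code from this volume or from URH; it assumes interleaved int8 I/Q as `hackrf_transfer -r` writes it at 2 MS/s and the 400 µs symbol time measured in Inspectrum, and it builds its own constructed capture because no recording ships with the page.

```python
"""Pure-Python OOK decode of the 433.92 MHz remote capture above. Added example,
not code from this volume or URH; assumes int8 interleaved I/Q as written by
hackrf_transfer -r at 2 MS/s and the 400 us symbol time measured in Inspectrum."""
import math
import random
import re

SAMPLE_RATE = 2_000_000                 # -s 2000000 in the capture command
SPS = SAMPLE_RATE * 400 // 1_000_000    # 800 samples per 400 us symbol
GAP_SYMBOLS = 16                        # a silence this long ends a frame

def make_capture(message, presses, seed=1):
    """Constructed test vector, not a real recording: `presses` OOK bursts of
    `message` with silence between, plus a ragged lead-in of noise."""
    rng, out = random.Random(seed), bytearray()
    symbols = [0] + ([int(b) for b in message] + [0] * 2 * GAP_SYMBOLS) * presses
    for on in [s for s in symbols for _ in range(SPS)][SPS - 333:]:
        i = (100 if on else 0) + rng.randint(-6, 6)
        out += bytes([i & 0xFF, rng.randint(-6, 6) & 0xFF])
    return bytes(out)

def envelope(raw):
    """Interpretation step 1: int8 I/Q -> amplitude, i.e. the AM/OOK demod."""
    iq = memoryview(raw).cast('b')
    return [math.hypot(iq[k], iq[k + 1]) for k in range(0, len(iq) - 1, 2)]

def slice_bits(env, threshold=50):
    """Threshold, align to the first pulse edge, majority-vote each symbol."""
    start = next(k for k, v in enumerate(env) if v > threshold)
    bits = []
    for s in range(start, len(env) - SPS + 1, SPS):
        high = sum(v > threshold for v in env[s:s + SPS])
        bits.append('1' if 2 * high > SPS else '0')
    return ''.join(bits)

def split_frames(bits, length):
    """Analysis step: cut on long silences. Trailing 0 symbols of a frame are
    indistinguishable from the gap, so pad to the known message length."""
    pieces = [p for p in re.split('0{%d,}' % GAP_SYMBOLS, bits) if p]
    return [p.ljust(length, '0') for p in pieces]

def changed_positions(frames):
    """URH's repeat diff: bit indices that vary between presses. Empty for a
    fixed-code remote; a changing block for a rolling-code remote (6.5)."""
    return [i for i in range(len(frames[0])) if len({f[i] for f in frames}) > 1]

if __name__ == '__main__':
    MSG = '11110000' '11000011' '10101010'   # the 24 bits shown above
    frames = split_frames(slice_bits(envelope(make_capture(MSG, 5))), len(MSG))
    print(len(frames), 'x', frames[0], '| bits that change:', changed_positions(frames))
```

Feed `envelope()` a real `hackrf_transfer -r` file instead of `make_capture()` and the only parameter to revisit is the threshold, which depends on the gain settings used.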
6.4 Replay
In URH’s Generator tab, drag the learned message in, set Modulation to ASK, frequency 433.92 MHz, sample rate 2e6, and Send. The HackRF transmits the captured bits. The garage door opens — confirming the decode is correct.
(Always a legal/ethical question — your garage, your remote.)
6.5 Rolling-code remotes (out-of-scope)
Modern garage-door remotes use rolling-code schemes (Keeloq, HCS200, etc.) where each press produces a different 64-bit code generated by an HMAC-like function over a counter. URH can decode the bits but cannot replay — the next press will be a different code. Defeating rolling-code requires capturing the next-N codes, blocking transmission, then replaying — the “RollJam” attack documented by Samy Kamkar^[https://samy.pl/defcon2015/2015-defcon.pdf — DEF CON 23, 2015.]. This crosses several legal lines (jamming) and is mentioned for completeness; Vol 11 covers the legal envelope.
6.6 Writing a Flipper FAP
If the protocol turns out to be Flipper-known (most fixed-code OOK remotes are), the easier path is the Flipper Zero’s built-in Sub-GHz tool. If the protocol is not Flipper-known but is decoded, you can author a FAP (Flipper App) that recognises it natively. The Flipper Zero subproject (../Flipper Zero/) covers FAP authoring; the relevant volume in the Flipper deep dive is in progress as of 2026-05.
The HackRF + URH workflow is upstream of the Flipper FAP — you understand the protocol first, then implement the recogniser. The HackRF is a research tool; the Flipper is the field tool.
7. Common Protocols and Their Tells
Quick reference for “what am I looking at?”:
| Protocol family | Visible in waterfall as | Modulation | Typical bit rate | First-look tool |
|---|---|---|---|---|
| 433 / 315 / 868 MHz remotes | Short bursts, ~200 ms duration | OOK / FSK | 1–10 kbps | URH |
| Wireless weather stations | Periodic broadcasts every 30s–5min | OOK / FSK | 1–10 kbps | URH |
| Tire-pressure monitor systems | Sporadic short bursts; ID + temperature + pressure | FSK | 9.6 / 19.2 kbps | URH (rtl_433) |
| ADS-B (1090 MHz) | Continuous; many overlapping short pulses | PPM (Mode S) | 1 Mbps | gr-air-modes |
| Bluetooth Classic | Hopping; 79 channels in 2.4 GHz | GFSK | 1 Mbps | gr-bluetooth |
| Bluetooth LE | Hopping; 40 channels | GFSK | 1 Mbps | gr-bluetooth |
| WiFi 2.4 GHz | Wide bursts | OFDM | various | hackrf-only — sample-rate-bound |
| ZigBee (802.15.4) | 5 MHz channels; quiet | OQPSK | 250 kbps | gr-zigbee |
| LoRa 868/915 MHz | Chirp pattern | CSS | 0.3–37.5 kbps | gr-lora |
| GSM (passive observation) | 200 kHz channels; bursts | GMSK | 270.833 kbps | gr-gsm |
| RDS metadata (FM broadcast) | Sub-carrier of FM; tiny bandwidth | BPSK | 1187.5 bps | gr-rds |
The HackRF’s 1 MHz – 6 GHz tuning range covers all of these. The 8-bit ADC + 20 MS/s rate makes most of them tractable except WiFi (40 MHz channel widths exceed HackRF One’s 20 MS/s).
8. The rtl_433 Special Case
rtl_433^[https://github.com/merbanan/rtl_433 — despite the name, supports HackRF too via SoapySDR.] is a specialised decoder for 433 / 315 / 868 / 915 MHz ISM-band devices: it ships with 130+ pre-built decoders for weather stations, TPMS, energy meters, garage-door remotes, water-meter telemetry, and similar low-bit-rate digital protocols. With HackRF support enabled at compile time:
```bash
rtl_433 -d driver=hackrf -f 433920000 -s 250000 -A
```
The `-A` flag tries all known protocols; matches print to stdout in JSON. For “what’s in this band?” exploratory work, rtl_433 is much faster than authoring URH or GRC flowgraphs from scratch.
9. Cheatsheet Updates from this Volume
For Vol 12:
- URH workflow: open `.cfile` → Interpretation → Analysis → Generator
- Inspectrum: drag cursor over signal, read bit duration in µs
- SigDigger: alternative to URH with HackRF native support
- Common encodings: OOK = on/off keying, FSK = frequency shift, PSK = phase shift
- 433 MHz fixed-code remote: ~400 µs symbol, OOK, 24–96 bit message
- Rolling-code remotes: bits decode, replay does not work
- `rtl_433 -d driver=hackrf -f FREQ -A` for ISM-band scan
- Flipper FAP: downstream of HackRF + URH research
10. Resources
| Resource | URL |
|---|---|
| Universal Radio Hacker | https://github.com/jopohl/urh |
| URH wiki | https://github.com/jopohl/urh/wiki |
| Inspectrum | https://github.com/miek/inspectrum |
| SigDigger | https://github.com/BatchDrake/SigDigger |
| rtl_433 | https://github.com/merbanan/rtl_433 |
| rtl_433 supported protocols | https://triq.org/rtl_433/ |
| Samy Kamkar, RollJam (DEF CON 23, 2015) | https://samy.pl/defcon2015/2015-defcon.pdf |
| gr-bluetooth | https://github.com/greatscottgadgets/gr-bluetooth |
| gr-zigbee | https://github.com/bkerler/gr-zigbee |
| gr-lora | https://github.com/rpp0/gr-lora |