
RF-201 Instructor Guide


Course: VCA-RF-201: Intermediate RF — Layer-1 + Layer-2 + RE Workflows
Version: v0.1 pilot
Target audience: Students who have completed WIR-101 (Wireless Penetration Testing) and CSA-101


Equipment Requirements

Per-Cohort (program-supplied)

Item | Labs | Notes
ANTSDR E200 (AD9361 + Zynq-7020) | Labs 5, 7, 9, 11 | Primary canon platform; Ethernet at 192.168.1.10; libiio + UHD firmware; verify iio_info before each lab
LimeSDR Mini | Labs 5, 11 (alternate) | gr-limesdr required; verify LimeUtil --find before lab
HackRF One | Lab 9 (optional TX), Lab 10 | Sandboxed TX inside Faraday cage only
nRF52840 USB dongle (×2) | Labs 4, 6 | One flashed with BLE sniffer firmware, one flashed with 802.15.4 sniffer firmware
Faraday cage (50×30×30 cm) | Lab 9 TX, Labs 10, 11 | Required for all transmit work
Alfa AWUS036ACM | Labs 3, 10 | Monitor mode + injection; carry-forward from WIR-101
Instructor-controlled lab AP | Labs 3, 10 | Isolated; no internet; WPA2; WPS enabled (for Lab 10 WPS demo)
Instructor-controlled lab BLE device | Lab 4 | Any BLE peripheral with GATT services; an ESP32 running a BLE server works
Instructor-controlled ZigBee mesh (3 nodes) | Lab 6 | ZigBee coordinator + 2 routers/end devices; uses the default transport key (intentional for the Lab 6 demo)

Virtual Path IQ Archive Files

Produce and distribute to remote students before each lab:

File | Lab | Capture specs
lab1-modulation-zoo.iq | 1 | GNU Radio software-generated; OOK/BPSK/QPSK/GFSK; 32 kSPS; 10 s each
lab2-dsss-demo.iq | 2 | GNU Radio software-generated; 4 MSPS; 30 s
lab3-80211-mgmt.pcapng | 3 | Monitor-mode capture; 2.4 GHz; includes all management frame types
lab4-ble-pairing.pcapng | 4 | nRF52840 BLE sniffer; includes ADV + complete pairing exchange
lab5-lora-868.iq | 5 | ANTSDR E200 at 868.1 MHz, 1 MSPS; SF=7, BW=125 kHz; real LoRa sensor
lab6-zigbee-mesh.pcapng | 6 | nRF52840 802.15.4 sniffer; includes ZigBee join + NWK traffic with default transport key
lab7-2msps.iq, -8msps.iq, -20msps.iq | 7 | ANTSDR E200 at 433.92 MHz; OOK temperature sensor; three sample rates
lab9-unknown-protocol.iq | 9 | 433.92 MHz OOK protocol; 250 kSPS; real sub-GHz remote (instructor-owned)

For lab9-unknown-protocol.iq: use a sub-GHz ISM remote you own (weather station, door chime, learning-remote). The protocol should be non-trivial: not pure OOK with simple on/off pulsing but something with a preamble, sync word, address field, and command byte.


Week-by-Week Instructor Notes

Weeks 1-2 (Modulation Theory + Observation)

Preparation: Ensure all students have GNU Radio installed before Week 1. Spend 5 minutes at the start of Week 1 confirming GRC launches without import errors.

Common issues:

  • Students use block names from older GNU Radio tutorials (GR2-era API) that have been renamed in GR3. The wideband FM modulator block is named WBFM Transmit in GR3; there is no WFM TX block.
  • QPSK constellation shows only 2 points instead of 4: students did not set bits_per_symbol=2 in the Bernoulli Binary Source, or they are using BPSK Mod instead of QPSK Mod.
  • Students confuse data rate with symbol rate. QPSK encodes 2 bits/symbol: at 4000 symbols/sec the data rate is 8000 bps. Have the class compute this explicitly.

Teaching note: The Wyglinski IQ-mixer diagram (Ch 6, Fig 6.2) is the single most useful diagram in the course. Put it on the whiteboard. Students who understand why the ADC sees I and Q samples understand every SDR decision for the rest of the course.

Week 3 (FHSS/DSSS/LoRa)

Lab 2 notes: The Barker sequence autocorrelation property is the central point. A student who has measured autocorr.max() vs. autocorr sidelobe max from their m-sequence code has genuinely understood why CDMA is possible. Do not skip Part 3 (optional jamming resistance) — it takes 10 minutes and makes the processing-gain concept concrete.
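The two measurements this note asks for (peak versus sidelobe of a spreading code, and why despreading beats a jammer) are small enough to check without a flowgraph. The following is an added illustration for these instructor notes, not course lab material; the m-sequence generator, the Barker-13 code and the constant-envelope jammer are all constructed here in pure Python so the numbers can be worked on a whiteboard afterwards.

```python
"""Spreading-code autocorrelation and processing gain (pure Python, no GNU Radio).

Added example for the Lab 2 notes; illustrative code, not the course's lab material.
"""
import math
from typing import List, Sequence, Tuple

# Barker-13: aperiodic autocorrelation peak 13, every sidelobe 0 or +1.
BARKER_13: List[int] = [+1, +1, +1, +1, +1, -1, -1, +1, +1, -1, +1, -1, +1]


def m_sequence(degree: int, lower_taps: Sequence[int], seed: Sequence[int]) -> List[int]:
    """One period (2**degree - 1 chips) of a maximal-length LFSR sequence as +/-1 chips.

    lower_taps are the exponents of the feedback polynomial other than x**degree;
    x^3 + x + 1 is [1, 0]. Recurrence: a[n+degree] = XOR of a[n+t] over the taps.
    """
    bits = list(seed)
    if len(bits) != degree or not any(bits):
        raise ValueError("seed must be exactly `degree` bits and not all zero")
    period = 2 ** degree - 1
    while len(bits) < period:
        n = len(bits) - degree
        feedback = 0
        for t in lower_taps:
            feedback ^= bits[n + t]
        bits.append(feedback)
    return [1 - 2 * b for b in bits]          # 0 -> +1, 1 -> -1


def aperiodic_autocorr(code: Sequence[int]) -> List[int]:
    """R(k) = sum_i c[i]*c[i+k], k = 0..N-1: one isolated burst of the code (a sync word)."""
    n = len(code)
    return [sum(code[i] * code[i + k] for i in range(n - k)) for k in range(n)]


def periodic_autocorr(code: Sequence[int]) -> List[int]:
    """R(k) with the code repeated back to back, as in a continuous DSSS chip stream."""
    n = len(code)
    return [sum(code[i] * code[(i + k) % n] for i in range(n)) for k in range(n)]


def peak_to_sidelobe(r: Sequence[int]) -> float:
    """autocorr.max() / largest sidelobe: the figure the lab asks students to report."""
    return r[0] / max(abs(x) for x in r[1:])


def processing_gain_db(code: Sequence[int]) -> float:
    """Chips per bit in dB: how much the despreader suppresses an uncorrelated interferer."""
    return 10 * math.log10(len(code))


def spread(bits: Sequence[int], code: Sequence[int]) -> List[int]:
    """DSSS transmitter: multiply each +/-1 data bit by the whole chip sequence."""
    return [b * c for b in bits for c in code]


def despread(chips: Sequence[float], code: Sequence[int]) -> List[float]:
    """DSSS receiver (chip-synchronous): correlate each code-length block with the code."""
    n = len(code)
    return [sum(chips[i + j] * code[j] for j in range(n)) for i in range(0, len(chips), n)]


def jammed_ber(bits: Sequence[int], code: Sequence[int], jammer: float) -> Tuple[float, float]:
    """Bit error rate against a constant-envelope (DC) jammer of the given amplitude,
    for plain one-sample-per-bit BPSK and for the same bits spread with `code`.

    The jammer is added to every chip. Despreading sums it against the code, so it
    survives only as jammer*sum(code) (+/-1 for an m-sequence), while the wanted bit
    grows to N. That is processing gain made visible."""
    def errors(decisions):
        return sum(1 for b, d in zip(bits, decisions) if (d >= 0) != (b > 0)) / len(bits)
    plain = [b + jammer for b in bits]
    dsss = despread([c + jammer for c in spread(bits, code)], code)
    return errors(plain), errors(dsss)


if __name__ == "__main__":
    r = aperiodic_autocorr(BARKER_13)
    print("Barker-13 aperiodic R(k):", r, "peak/sidelobe =", peak_to_sidelobe(r))
    mseq = m_sequence(3, [1, 0], [1, 0, 0])            # x^3 + x + 1, period 7
    print("m-sequence periodic R(k):", periodic_autocorr(mseq))
    data = [+1, -1, +1, +1, -1, -1, +1, -1]           # constructed data bits
    print("BER vs 3x jammer (plain, dsss):", jammed_ber(data, mseq, 3.0),
          "processing gain %.1f dB" % processing_gain_db(mseq))
```

With a jammer three times the signal amplitude, plain BPSK loses every bit of one polarity while the 7-chip DSSS version decodes cleanly; that is the 10 minutes of Part 3 in two lines of arithmetic.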

Common issue: Students connect the Multiply block to the Vector Source incorrectly (connecting a float output to a complex input, or forgetting to set the Vector Source data type to float). The Vector Source for the Barker sequence must be float, not complex, because the data stream is real-valued.

Week 4 (802.11 Management Frames)

Authorization: Brief the class explicitly on the authorization boundary before Lab 3. Students need to hear: "The Alfa NIC you are pointing at the lab AP is pointing at a real 802.11 radio. The deauth injection you are about to run is real. The only difference between authorized and unauthorized is: do you own the AP?" Get written AUP signatures before any injection lab.

scapy note: Students may receive OSError: [Errno 100] Network is down when trying to inject. Fix: verify the interface is in monitor mode (iwconfig wlan0mon) and that NetworkManager is not competing (sudo systemctl stop NetworkManager).
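Because the authorization brief rests on "the deauth you are about to run is real", it helps to show the class exactly what the frame is and what a defender sees. The following added example (not the lab's own code) builds a deauthentication frame byte by byte, parses the 802.11 MAC header back, and runs a simple deauth-flood detector over a constructed capture; frames are bare 802.11 MAC frames without Radiotap or FCS, which is what scapy's Dot11 layer hands you.

```python
"""802.11 management-frame builder, parser and deauth-flood detector (pure Python).

Added example for the Week 4 notes; not part of the course's lab code. The
capture in sample_capture() is constructed, with locally administered MACs.
"""
import struct
from collections import defaultdict, deque
from typing import Dict, List, Optional, Tuple

TYPE_MGMT = 0
SUBTYPE_DISASSOC = 0xA
SUBTYPE_DEAUTH = 0xC
BROADCAST = "ff:ff:ff:ff:ff:ff"
HDR = "<HH6s6s6sH"      # frame control, duration, addr1, addr2, addr3, sequence control


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_deauth(dst: str, src: str, bssid: str, reason: int = 7, seq: int = 0) -> bytes:
    """Deauthentication frame: type 0, subtype 12, body = 2-byte reason code.

    An injection tool sends this with src = bssid = the AP's address.
    """
    frame_control = (SUBTYPE_DEAUTH << 4) | (TYPE_MGMT << 2)   # protocol version 0, no flags
    header = struct.pack(HDR, frame_control, 0x013A,
                         mac_bytes(dst), mac_bytes(src), mac_bytes(bssid), seq << 4)
    return header + struct.pack("<H", reason)


def parse_mgmt(frame: bytes) -> Optional[Dict]:
    """Header fields of a management frame, or None for data/control frames."""
    if len(frame) < struct.calcsize(HDR):
        return None
    fc, _dur, a1, a2, a3, sc = struct.unpack_from(HDR, frame, 0)
    if (fc >> 2) & 0x3 != TYPE_MGMT:
        return None
    info = {"subtype": (fc >> 4) & 0xF, "dst": mac_str(a1), "src": mac_str(a2),
            "bssid": mac_str(a3), "seq": sc >> 4}
    if info["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


def detect_deauth_flood(capture: List[Tuple[float, bytes]],
                        window_s: float = 1.0, threshold: int = 10) -> Dict[str, int]:
    """Peak deauth/disassoc count per transmitter within any window_s-second window,
    reported for transmitters that reach `threshold`. Legitimate APs send a handful of
    these per minute; a flood sends dozens per second, usually to the broadcast address."""
    stamps = defaultdict(list)
    for ts, frame in sorted(capture, key=lambda item: item[0]):
        info = parse_mgmt(frame)
        if info and info["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            stamps[info["src"]].append(ts)
    alerts = {}
    for src, times in stamps.items():
        window, peak = deque(), 0
        for t in times:
            window.append(t)
            while window[0] < t - window_s:
                window.popleft()
            peak = max(peak, len(window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def sample_capture() -> List[Tuple[float, bytes]]:
    """Constructed capture: one legitimate deauth from the AP (inactivity, reason 4),
    then a 64-frame broadcast deauth burst spoofing the AP (reason 7) 10 ms apart."""
    ap, client = "02:00:00:aa:bb:cc", "02:00:00:11:22:33"
    capture = [(0.0, build_deauth(client, ap, ap, reason=4, seq=100))]
    capture += [(5.0 + i * 0.01, build_deauth(BROADCAST, ap, ap, reason=7, seq=i))
                for i in range(64)]
    return capture


if __name__ == "__main__":
    print(parse_mgmt(build_deauth("02:00:00:11:22:33", "02:00:00:aa:bb:cc", "02:00:00:aa:bb:cc")))
    print(detect_deauth_flood(sample_capture()))
```

The point to draw out in class: the spoofed burst is indistinguishable from the AP at the frame level (same addr2 and addr3), so the detector keys on rate, not on identity. The same logic applied to lab3-80211-mgmt.pcapng (after stripping Radiotap) shows students what their own injection looked like from the defender's side.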

Week 5 (Bluetooth Classic + BLE)

Lab 4 note: The nRF52840 BLE sniffer requires following the Nordic Sniffer plug-in install exactly. Common failures: wrong firmware (BLE firmware vs. 802.15.4 firmware on the wrong dongle), extcap path not configured in Wireshark (check Tools → Plugins → Extcap directory).

bleak library note: In Jupyter notebooks, asyncio.run() fails because Jupyter has a running event loop. Fix: import nest_asyncio; nest_asyncio.apply() before calling asyncio.run().

Weeks 6-7 (LoRa + ZigBee)

Lab 5 note: gr-lora-sdr build may fail on some systems due to pybind11 version mismatches. Alternative: students use their own Python FIR demodulator for both Part 2 and Part 3, and skip the GRC polyphase variant. The comparison in Part 4 can be done by adding AWGN to the IQ file and re-running the FIR demodulator at decreasing SNR.

Lab 6 note: The ZigBee default transport key (D0D1...DEDE) is published in the ZigBee specification. Students may ask: "is this still used?" Yes, in many deployed ZigBee 2006 devices. The lab demonstrates a real attack. Emphasise: this only works because the lab is using an intentionally misconfigured ZigBee 2006 network. ZigBee 3.0 with Install Codes is not vulnerable to this attack: the network key is transported under a per-device link key derived from the install code, so a sniffer holding only the published key cannot decrypt the transport-key message.

Weeks 8-9 (SDR Fundamentals + GNU Radio Deep-Dive)

Lab 7 note: Some students struggle to align the three sample-rate plots on the same frequency axis because the relative frequency offset (in kHz) is correct but the absolute scale differs. The plot function should use freqs / 1e3 (kHz) not raw Hz. Verify the plot axes are labelled consistently.

Lab 11 note (ANTSDR E200 full-duplex): The most common issue is students setting TX gain too high and saturating the RX chain in loopback mode. Start with TX attenuation at 60 dB (minimum power). Verify the RX signal is visible and not clipping (amplitude < 0.9 full-scale) before reducing attenuation.
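The clipping check above can be automated so students do not hunt for the gain by hand. The following is an added example for this note, not course code: it starts at the guide's 60 dB attenuation (hardwaregain -60 on the AD9361 TX channel), raises TX gain in 5 dB steps, and stops once the RX peak reaches a comfortable level or backs off if a step saturates. The capture function is injected so the ramp logic runs without hardware; make_e200_capture() shows the libiio Python calls assumed for the real device (E200 on libiio firmware, with the student's TX flowgraph already running so there is a loopback signal).

```python
"""TX-gain ramp with clipping check for the E200 loopback lab (added example, not course code).

Assumptions: libiio Python bindings on the lab host, E200 running the libiio firmware
with device names ad9361-phy / cf-ad9361-lpc, and something already transmitting.
"""
import struct
from typing import Callable, Tuple

FULL_SCALE = 2048            # AD9361 samples are 12-bit, sign-extended to int16 by libiio
CLIP_LIMIT = 0.90            # guide's threshold: above this the RX chain is saturating
TARGET = 0.50                # stop raising gain once the peak reaches this
GAIN_MIN, GAIN_MAX, STEP = -60, 0, 5   # hardwaregain in dB (negative = attenuation)


def peak_fraction(raw: bytes) -> float:
    """Largest |I| or |Q| in an interleaved int16 little-endian buffer, as a fraction of full scale."""
    count = len(raw) // 2
    samples = struct.unpack("<%dh" % count, raw[:2 * count])
    return max(abs(s) for s in samples) / FULL_SCALE


def ramp_tx_gain(capture: Callable[[int], bytes], start: int = GAIN_MIN) -> Tuple[int, float, str]:
    """Return (gain_db, peak_fraction, status).

    'ok'       : target level reached without clipping
    'clipped'  : a step saturated the RX; gain is backed off one step and re-measured
    'max_gain' : GAIN_MAX reached while the signal was still quiet (check the loopback path)
    """
    gain = start
    while True:
        peak = peak_fraction(capture(gain))
        if peak >= CLIP_LIMIT:
            backed = max(gain - STEP, GAIN_MIN)
            return backed, peak_fraction(capture(backed)), "clipped"
        if peak >= TARGET:
            return gain, peak, "ok"
        if gain >= GAIN_MAX:
            return gain, peak, "max_gain"
        gain = min(gain + STEP, GAIN_MAX)


def make_e200_capture(uri: str = "ip:192.168.1.10", nsamples: int = 4096) -> Callable[[int], bytes]:
    """Real-hardware capture via libiio (assumed API; imported here so the ramp runs without it)."""
    import iio
    ctx = iio.Context(uri)
    phy = ctx.find_device("ad9361-phy")
    tx = phy.find_channel("voltage0", True)        # True selects the output (TX) channel
    rx = ctx.find_device("cf-ad9361-lpc")
    for ch in rx.channels:                          # voltage0 = I, voltage1 = Q
        ch.enabled = True
    buf = iio.Buffer(rx, nsamples)

    def capture(gain_db: int) -> bytes:
        tx.attrs["hardwaregain"].value = str(gain_db)
        buf.refill()
        return bytes(buf.read())
    return capture


def simulated_capture(gain_db: int, n: int = 256) -> bytes:
    """Constructed stand-in for the radio: RX amplitude is 0.05 full scale at -60 dB and
    follows the TX gain linearly (20 dB per decade), saturating at full scale."""
    amp = 0.05 * 10 ** ((gain_db - GAIN_MIN) / 20)
    level = min(int(round(amp * FULL_SCALE)), FULL_SCALE - 1)
    samples = [level if (i // 2) % 2 == 0 else -level for i in range(n)]   # I/Q sign pattern
    return struct.pack("<%dh" % n, *samples)


if __name__ == "__main__":
    print(ramp_tx_gain(simulated_capture))          # expected to settle at -40 dB, status ok
    # On the lab server: print(ramp_tx_gain(make_e200_capture("ip:192.168.2.10")))
```

The 'max_gain' branch is the one worth showing: if the peak never rises, students look at the loopback cabling and the RX gain mode before touching TX power again.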

Remote student scheduling: Lab 11 has no virtual path. Schedule remote students for E200 lab-server time in pairs (2 students per 90-minute slot is comfortable). The lab server SSH access is at labserver.virtusacademy.local; the E200 IIO context is ip:192.168.2.10 (different subnet from the local default).

Weeks 10-11 (Wireshark RF + URH)

Lab 9 note — unknown protocol selection: The instructor must select the lab9-unknown-protocol.iq target carefully. Requirements: (1) real device (not software-generated); (2) protocol not in the rtl_433 database (or at minimum not with a published frame specification); (3) device instructor personally owns; (4) the protocol should have at least: preamble, sync word, address, command, and CRC. Simple fixed-code garage door openers work well. Rolling-code openers give equally clean framing (preamble, sync, a fixed serial field) but their hopping field is encrypted and will not decode, so say so before a student picks one. Learning remotes (which can be programmed to learn any 433 MHz OOK remote) also work.

URH auto-detect note: URH's auto-detect is usually correct for FSK bit rate but often wrong for OOK threshold. Guide students to manually set the threshold at ~30-50% of peak envelope before accepting auto-detect results.
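For the target-selection requirements above and the threshold note, the following added example walks the whole Lab 9 workflow on an invented protocol (it is not the lab's actual remote and not URH code): PWM-coded OOK bits with a 0xAA preamble, a 0x2DD4 sync word, a 16-bit address, an 8-bit command and a CRC-8 (poly 0x07). The envelope is synthesised at the lab9 capture rate of 250 kSPS, then decoded the way students should do it in URH: threshold at 40% of peak, measure pulse widths, map widths to bits, split fields, check the CRC. Pulse widths, field layout and the sample address/command are all constructed values.

```python
"""Decoder for a hypothetical 433.92 MHz OOK remote (added example, not the lab's target).

Everything about the protocol is invented for illustration; only the 250 kSPS rate
and the 40%-of-peak threshold come from the instructor notes.
"""
from typing import Dict, List, Optional, Sequence, Tuple

FS = 250_000                    # samples/s, matching lab9-unknown-protocol.iq
SHORT_US, LONG_US = 240, 720    # invented PWM pulse widths: long high = 1, short high = 0
FRAME_GAP_US = 10_000           # silence between repeats of the frame
PREAMBLE = [1, 0] * 4                                   # 0xAA
SYNC = [0, 0, 1, 0, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 0]  # 0x2D 0xD4


def crc8(data: bytes, poly: int = 0x07, init: int = 0x00) -> int:
    """Bitwise CRC-8, MSB first, no reflection, no final XOR (check value for '123456789' is 0xF4)."""
    crc = init
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def int_to_bits(value: int, width: int) -> List[int]:
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def bits_to_int(bits: Sequence[int]) -> int:
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def us_to_samples(us: float) -> int:
    return round(us * FS / 1e6)


def build_frame_bits(address: int, command: int) -> List[int]:
    """Transmitter side of the invented protocol; used only to synthesise test input."""
    payload = bytes([address >> 8, address & 0xFF, command])
    return (PREAMBLE + SYNC + int_to_bits(address, 16) + int_to_bits(command, 8)
            + int_to_bits(crc8(payload), 8))


def synth_envelope(frame_bits: List[int], repeats: int = 2,
                   high: float = 0.8, floor: float = 0.05) -> List[float]:
    """Constructed |IQ| envelope of `repeats` copies of the frame, with ripple on the high level."""
    env = [floor] * us_to_samples(FRAME_GAP_US)
    for _ in range(repeats):
        for bit in frame_bits:
            hi = us_to_samples(LONG_US if bit else SHORT_US)
            lo = us_to_samples(SHORT_US if bit else LONG_US)
            env += [high + 0.02 * ((i % 5) - 2) for i in range(hi)]
            env += [floor] * lo
        env += [floor] * us_to_samples(FRAME_GAP_US)
    return env


def threshold_runs(env: List[float], frac: float = 0.4) -> List[Tuple[bool, int]]:
    """Binarise at frac*peak (the manual URH threshold) and run-length encode as (is_high, samples)."""
    thr = frac * max(env)
    runs, state, count = [], env[0] >= thr, 0
    for x in env:
        s = x >= thr
        if s == state:
            count += 1
        else:
            runs.append((state, count))
            state, count = s, 1
    runs.append((state, count))
    return runs


def runs_to_frames(runs: List[Tuple[bool, int]]) -> List[List[int]]:
    """PWM decode: the high-pulse width selects the bit; a long low run ends the frame."""
    mid_us = (SHORT_US + LONG_US) / 2
    frames, bits = [], []
    for high, n in runs:
        us = n * 1e6 / FS
        if high:
            bits.append(1 if us > mid_us else 0)
        elif us > FRAME_GAP_US / 2 and bits:
            frames.append(bits)
            bits = []
    if bits:
        frames.append(bits)
    return frames


def parse_frame(bits: List[int]) -> Optional[Dict[str, int]]:
    """Locate preamble+sync, then split address / command / CRC and verify the CRC."""
    marker = PREAMBLE + SYNC
    for start in range(len(bits) - len(marker) + 1):
        if bits[start:start + len(marker)] != marker:
            continue
        body = bits[start + len(marker):]
        if len(body) < 32:
            return None
        address, command = bits_to_int(body[:16]), bits_to_int(body[16:24])
        rx_crc = bits_to_int(body[24:32])
        calc = crc8(bytes([address >> 8, address & 0xFF, command]))
        return {"address": address, "command": command, "crc": rx_crc, "crc_ok": calc == rx_crc}
    return None


def decode_capture(env: List[float]) -> List[Dict[str, int]]:
    """Full pipeline: envelope -> runs -> bit frames -> parsed fields (unparseable frames dropped)."""
    parsed = [parse_frame(f) for f in runs_to_frames(threshold_runs(env))]
    return [p for p in parsed if p is not None]


if __name__ == "__main__":
    env = synth_envelope(build_frame_bits(0x3A5C, 0x21))   # constructed address/command
    print(decode_capture(env))
```

Two things to point out when walking through it: the CRC polynomial and init value are themselves unknowns on a real device (students should brute-force the common 8-bit polynomials against several captured frames, not assume 0x07), and the "address" label is only a hypothesis until a second remote shows a different value in that field, which is exactly the capstone confidence discipline.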

Weeks 12-13 (Cross-Cuts + Capstone Kickoff)

WPS lab note: The lab AP must have WPS enabled in PIN mode with a firmware that is Pixie Dust vulnerable for Lab 10 to produce the expected result. Confirm this before the lab: wash -i wlan0mon should show the AP; reaver -i wlan0mon -b <BSSID> -vv -K 1 should either succeed (Pixie Dust) or lock after 3 attempts. If neither, the AP may not be Pixie Dust vulnerable — have a pre-cracked handshake ready as an alternative.

Capstone target selection: Review all capstone target selections before Week 14. Reject targets that are pre-solved (LoRa: use something else), have unclear authority documentation, or require transmit in unshielded environments. Have 3-4 backup instructor-owned devices available for students who cannot find a suitable personal device.

Week 14 (Capstone Workshop)

Common capstone failure modes:

  1. The GNU Radio flowgraph processes the IQ file but outputs garbage — usually a wrong data type (uint8 when the file is complex64). Check File Source data type settings.
  2. The protocol specification claims an address field is "the device ID" without evidence from a second device. Push students to either test with a second device or explicitly mark this as low-confidence.
  3. The limit-of-confidence statement says "I'm fairly confident" without specific confidence levels. Require: High/Medium/Low with explicit reasoning.
  4. The report is padded to reach 15 pages with screenshots. Grade on technical density per page, not raw length.

Grading Breakdown

Component | % of grade
Labs 1-11 (weighted by point values) | 55%
Capstone (Tier 2 scoring) | 35%
Capstone presentation | 10%

Scaling: All components graded on 100-point basis using the weights above. Threshold: A ≥ 90%, B ≥ 80%, C ≥ 70%. Capstone Incomplete (did not pass Tier 1 gates) = course Incomplete.


SDR Hardware Troubleshooting Reference

Symptom | Diagnosis | Fix
ANTSDR E200 not reachable at 192.168.1.10 | Host NIC not on the same subnet | Set host NIC to a static 192.168.1.x/24 address
iio_info returns error "no context found" | libiio version mismatch or firewall | Update libiio; check that the firewall allows TCP port 30431 (iiod)
GRC PlutoSDR Source gives "no devices found" | gr-iio not installed correctly | Rebuild gr-iio from source; verify with python3 -c "from gnuradio import iio"
RTL-SDR gives "usb_open error -3" | -3 is LIBUSB_ERROR_ACCESS: the user lacks permission to open the device | Install the rtl-sdr udev rules (or add the user to plugdev) and replug; if the message is instead "usb_claim_interface error -6", the DVB kernel module is holding the device: re-run the blacklist procedure from SETUP.md
ANTSDR TX causes RX saturation | TX attenuation too low | Increase attenuation to 60 dB; add an external attenuator in the loopback path
GRC GFSK Mod outputs garbage | bt parameter out of range | Set bt=0.35 (valid range: 0.1-1.0)
URH bit stream is noisy (mixed 0s and 1s, no pattern) | Wrong modulation or wrong threshold | Manually check the instantaneous frequency plot; try FSK if OOK gives bad results

Legal and FCC Compliance Checklist

Instructor must confirm before any transmit lab:

  • All transmit work uses the Faraday cage or RF-isolated test bench
  • TX power levels are within FCC Part 15 limits (or instructor holds FCC Part 97 licence for above-limit work)
  • Lab9 unknown-protocol device is instructor-owned
  • Lab10 WPS/deauth target is instructor-controlled (no third-party APs in scope)
  • Students have signed the lab AUP before any active RF injection lab (Week 4 onwards)
  • No student transmits on any frequency outside the designated lab setup without instructor supervision