WIR-101 closed at the wireless-pentest engagement. Every modulation, every frame format, every spread-spectrum trick it named was introduced at first-encounter depth and left there. RF-201 pays the bills. Modulation theory at the depth a working SDR engineer reads it. Frequency hopping and spread spectrum. WiFi 802.11 capture/replay/fuzzing at intermediate depth. Bluetooth Classic and BLE protocol-RE workflows. LoRa and ISM-band experiments. ZigBee + 802.15.4. SDR fundamentals deep-dive. Wireshark RF. URH protocol-RE end-to-end. Every WIR-101 forward-promise comes due here.
Course mission and audience
VCA-RF-201 is the RF track's Part-II anchor. Students arrive from WIR-101 having shipped a five-day wireless-pentest capstone: they have personally captured a WPA handshake, characterised a 433 MHz sub-GHz garage-door opener with an RTL-SDR, enumerated a BLE GATT server, and written the client report. They leave RF-201 able to characterise any wireless protocol from a captured IQ stream, build a working GNU Radio demodulator for it, and produce a written protocol specification at successor-engineer depth.
Position: After WIR-101 + CSA-101. Gates RF-301 / RE-201 / EMB-201. Cross-cuts ADV-101 and NET-201.
The pedagogical contract: For every protocol WIR-101 introduced at first-encounter depth, RF-201 opens the modulation, the spread-spectrum mechanism, the Layer-2 framing, and the protocol-RE workflow. The course is the wireless-protocol zoo opened for inspection.
Legal and ethical framing: RF emissions propagate past property boundaries by default. FCC Part 15 permits unlicensed transmit in ISM bands within power and interference limits. FCC Part 97 governs amateur radio. ECPA prohibits intercepting communications outside authorised contexts. CFAA applies to unauthorised access even when delivered over wireless. All active transmit work is conducted on RF-shielded or explicitly authorised equipment. Students sign the lab AUP before Week 1 transmit work.
Foundational anchors
Primary pair (continued from WIR-101 at intermediate depth):
Richard Lyons, Understanding Digital Signal Processing, 3rd ed. (Pearson, 2010; ISBN 978-0-13-702741-5)
Library: /media/laptop/data4t/books-master/Calibre_Library/Richard G. Lyons/Understanding Digital Signal Processing, 3rd Edition (686)/
RF-201 reads Chapters 6-13 (advanced filtering, sample-rate conversion, signal averaging, adaptive filters, spectral analysis). WIR-101 read Chapters 1-5; this course continues the Lyons arc at intermediate depth.
Wyglinski, Getz, Collins, Pu, Software-Defined Radio for Engineers (Artech House, 2018; ISBN 978-1-63081-457-1; FREE PDF via Analog Devices)
Library: /media/laptop/data4t/books-master/Calibre_Library/Collins, Getz, Pu, Wyglinski/Software-Defined Radio for Engineers (666)/
Full text at this level. Wyglinski bridges the Lyons DSP math to the hardware RF chain. The IQ-sampling chapter (Ch 6) is a required reading anchor for the SDR deep-dive module.
Build-it-yourself (free): Marc Lichtman, PySDR: A Guide to SDR and DSP using Python (pysdr.org) Chapters 8-15 (advanced DSP, SDR implementation, IQ sampling, practical tradeoffs). Runs in-browser via the academy workbench Pyodide runtime.
GNU Radio Tutorials — Custom-Blocks Track (wiki.gnuradio.org/Tutorials). The canonical SDR-flowgraph platform, read at custom-block authoring depth.
Module-specific anchors (RF-201 introduces):
- Bernard Sklar, Digital Communications: Fundamentals and Applications, 3rd ed. (Pearson, 2017) — Chapters 4-6 (modulation + spread spectrum). Primary anchor for Chapters 1-2. Not in library; external acquire.
- Steven W. Smith, The Scientist and Engineer's Guide to DSP (dspguide.com; free) — deepens at advanced DSP level.
  Library: /media/laptop/data4t/books-master/Calibre_Library/Steven W. Smith/The Scientist and Engineer's Guide to Digital Signal Processing (667)/
- Lyons, Streamlining DSP: Tricks of the Trade, 2nd ed. (Wiley-IEEE, 2012)
  Library: /media/laptop/data4t/books-master/Calibre_Library/Richard G. Lyons/Streamlining Digital Signal Processing_ A Tricks of the Trade Guidebook, 2nd Edition (683)/
- Michael Ossmann, "Software Defined Radio with HackRF" video series (YouTube; free)
- URH community documentation (github.com/jopohl/urh)
Per-chapter reading assignments publish in handouts/cross-chapter-rf-201-anchor-reading-guide.md.
What you will know at the end
Eight outcomes in Bloom's-taxonomy order:
- Remember. State the seven fundamental modulation schemes (AM/FM/PM/ASK/FSK/PSK/QAM); the three spread-spectrum techniques (FHSS/DSSS/chirp); the five Layer-2 protocols (WiFi/Bluetooth Classic/BLE/LoRa/ZigBee) and their primary MAC philosophies. (Assessed: closed-book Week 3 midpoint quiz.)
- Understand. Explain why IQ representation lets a complex-valued signal at sample-rate B carry the same information as a real-valued signal at sample-rate 2B, and why this matters for SDR architecture choices. (Assessed: Week 8-9 module reflection.)
- Understand. Distinguish FHSS (Bluetooth Classic) from DSSS (legacy 802.11b, GPS) from chirp (LoRa); explain the spectrum-spreading and de-spreading mechanism for each and why each was chosen for its application. (Assessed: Week 3 reflection.)
- Apply. Capture an unknown sub-GHz signal with an RTL-SDR; characterise its modulation in URH; reproduce it with HackRF in a sandboxed RF environment. (Assessed: Lab 9.)
- Apply. Implement two LoRa demodulators (FIR + polyphase) in GNU Radio; measure performance against the same captured signal and explain the design-criterion tradeoff against Lyons Ch 7. (Assessed: Lab 5.)
- Apply. Enumerate a BLE peripheral's GATT services and characteristics; capture an authenticated pairing exchange; analyse the cryptographic handshake. (Assessed: Lab 4.)
- Analyse. Given a captured IQ stream of an unknown protocol, classify the modulation, recover the symbol rate, identify the framing, and propose a hypothesis for the protocol family. (Assessed: Lab 9 + Capstone.)
- Synthesise. Ship the end-to-end capstone: characterise a real-world target's RF behaviour, reverse-engineer its protocol, document the workflow, and produce a reproducibility package. (Assessed: Capstone.)
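As an added illustration of the DSSS spreading and de-spreading mechanism named in the third outcome (and built in GNU Radio in Lab 2), here is a constructed pure-Python reference model; it is not course or lab code. The 7-chip m-sequence from the LFSR x^3 + x + 1, the constant-amplitude narrowband interferer and the noise level are all assumptions chosen so the processing gain is visible.

```python
import math
import random


def m_sequence(seed=(1, 0, 0)):
    """7-chip m-sequence from the LFSR x^3 + x + 1 (assumed PN code), as +1/-1 chips."""
    state = list(seed)
    chips = []
    for _ in range(7):
        chips.append(1 - 2 * state[0])               # bit 0 -> +1, bit 1 -> -1
        state = state[1:] + [state[0] ^ state[1]]    # s[n+3] = s[n] xor s[n+1]
    return chips


def spread(bits, pn):
    """Spread: each BPSK symbol (+1/-1) is multiplied by the whole PN code."""
    return [(1 - 2 * b) * c for b in bits for c in pn]


def channel(chips, jammer, noise_sigma, rng):
    """Constructed channel: a constant narrowband interferer plus Gaussian noise per chip."""
    return [c + jammer + rng.gauss(0.0, noise_sigma) for c in chips]


def despread(rx, pn):
    """De-spread: correlate each chip block with the PN code, then decide by sign."""
    n = len(pn)
    bits = []
    for i in range(0, len(rx), n):
        corr = sum(r * c for r, c in zip(rx[i:i + n], pn))
        bits.append(0 if corr >= 0 else 1)
    return bits


def processing_gain_db(pn):
    """Processing gain of a length-N code: 10*log10(N), about 8.45 dB for N = 7."""
    return 10 * math.log10(len(pn))


def ber(tx_bits, rx_bits):
    return sum(a != b for a, b in zip(tx_bits, rx_bits)) / len(tx_bits)


def demo(jammer=3.0, noise_sigma=0.3, n_bits=200, seed=1):
    """Return (BER without spreading, BER with spreading) under the same interferer."""
    rng = random.Random(seed)
    pn = m_sequence()
    bits = [rng.randrange(2) for _ in range(n_bits)]
    # Narrowband link: a length-1 "code" is plain BPSK; the interferer swamps the symbol.
    narrow = despread(channel(spread(bits, [1]), jammer, noise_sigma, rng), [1])
    # Spread link: the balanced PN code cancels the interferer down to one chip's worth.
    wide = despread(channel(spread(bits, pn), jammer, noise_sigma, rng), pn)
    return ber(bits, narrow), ber(bits, wide)
```

The same constant interferer that flips roughly half the un-spread symbols correlates to a residual of only sum(pn) = -1 after de-spreading, while the symbol energy adds to 7, which is the mechanism the outcome asks students to explain.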
Chapter and week map
| Chapter | Title | Weeks | What WIR-101 first-encounter it opens |
|---|---|---|---|
| 1 | RF First-Principles + Modulation Theory | 1-2 | WIR-101 Week 1 one-week RF sketch |
| 2 | Frequency Hopping + Spread Spectrum | 3 | WIR-101's "protocols mention spread-spectrum" framing |
| 3 | Layer-2 WiFi 802.11 — Capture/Replay/Fuzzing | 4 | WIR-101 Weeks 2-5 802.11 entry depth |
| 4 | Bluetooth Classic + BLE Protocol RE | 5 | WIR-101 Week 8 BLE enumeration baseline |
| 5 | LoRa + ISM-Band Experiments | 6 | WIR-101 Week 9 sub-GHz survey skim |
| 6 | ZigBee + 802.15.4 | 7 | WIR-101's "mention only" coverage |
| 7 | SDR Fundamentals Deep-Dive: IQ, Sample Rate, Dynamic Range | 8-9 | WIR-101 Week 9 brief GRC intro |
| 8 | Wireshark RF: Capture-on-Air Protocols Decoded | 10 | WIR-101 Wireshark 802.11 dissectors at advanced depth |
| 9 | URH Protocol-RE Workflow | 11 | WIR-101's "classify protocol family" tier |
| 10 | Cross-Cut: PT-Track Wireless Pentesting | 12 | Forward pointer to vca-adv-101 |
| 11 | Cross-Cut: RE-Track Network-Protocol RE | 13 | Forward pointer to vca-re-201 |
| 12 | Capstone: End-to-End RF Protocol RE | 14 | Synthesis deliverable |
Course shape table
| Week | Chapter | Topic | Lab |
|---|---|---|---|
| 1 | 1a | Modulation theory: AM/FM/PM/ASK/FSK/PSK/QAM — math + architecture | Lab 1: Modulation zoo in GNU Radio |
| 2 | 1b | Modulation in hardware: SDR observation + demodulation of all seven schemes | Lab 1 continued: spectrum + constellation capture |
| 3 | 2 | FHSS/DSSS/chirp: spread-spectrum mechanisms; pseudorandom sequences; despreading | Lab 2: DSSS transmitter + receiver in GNU Radio |
| 4 | 3 | 802.11 L2 deep: capture/replay/fuzzing management frames; scapy 802.11 | Lab 3: 802.11 management-frame fuzzing on sandboxed AP |
| 5 | 4 | Bluetooth Classic + BLE protocol RE: pairing crypto; GATT authenticated exchange | Lab 4: BLE pair-capture-decode workflow |
| 6 | 5 | LoRa chirp-spread-spectrum; 433/868/915 MHz ISM experiments; DOCSIS-RF forward pointer | Lab 5: LoRa demodulator pair (FIR + polyphase) |
| 7 | 6 | ZigBee / 802.15.4 mesh: coordinator/router/end-device; Wireshark ZigBee dissector | Lab 6: ZigBee mesh capture and decode |
| 8 | 7a | IQ-sampling theory: complex baseband; Nyquist; bandwidth = sample_rate/2 | Lab 7: Same signal at 2/8/20 MS/s; spectral leakage observation |
| 9 | 7b | GNU Radio deep-dive: custom blocks in Python; polyphase filter bank; gr-iio ANTSDR | Lab 11: ANTSDR E200 full-duplex IQ work |
| 10 | 8 | Wireshark RF dissection: WiFi + BT + ZigBee + BLE plugin pipeline | Lab 8: Wireshark RF multi-protocol decode session |
| 11 | 9 | URH protocol-RE workflow: identify/isolate/decode/replay unknown protocol | Lab 9: Full RE on instructor-supplied unknown protocol |
| 12 | 10 | PT cross-cut: Reaver/Bettercap/WiFiPhisher; RF pentesting methodology gaps | Lab 10: Wireless-pentest cross-cut on sandboxed target |
| 13 | 11 | RE cross-cut: burst-radio-signal RE methodology; SB6141 DOCSIS-RF forward pointer | Capstone kickoff + target selection |
| 14 | 12 | Capstone workshop: target RE, flowgraph, protocol spec, reproducibility package | Capstone presentations |
Per-week time budget
| Week | Lecture | Lab | Indep reading | Indep practice | Total |
|---|---|---|---|---|---|
| 1 | 1.5 hr | 2 hr | 1.5 hr | 1.5 hr | 6.5 hr |
| 2 | 1.5 hr | 3 hr | 1.5 hr | 2 hr | 8 hr |
| 3 | 1.5 hr | 3 hr | 1.5 hr | 1.5 hr | 7.5 hr |
| 4 | 1.5 hr | 3 hr | 1.5 hr | 1.5 hr | 7.5 hr |
| 5 | 1.5 hr | 3.5 hr | 1.5 hr | 2 hr | 8.5 hr |
| 6 | 1.5 hr | 4 hr | 1.5 hr | 2 hr | 9 hr |
| 7 | 1.5 hr | 3 hr | 1.5 hr | 1.5 hr | 7.5 hr |
| 8 | 2 hr | 3.5 hr | 2 hr | 2 hr | 9.5 hr |
| 9 | 2 hr | 4 hr | 2 hr | 2.5 hr | 10.5 hr |
| 10 | 1.5 hr | 3 hr | 1.5 hr | 1.5 hr | 7.5 hr |
| 11 | 1.5 hr | 4 hr | 1.5 hr | 2.5 hr | 9.5 hr |
| 12 | 1.5 hr | 3 hr | 1.5 hr | 2 hr | 8 hr |
| 13 | 1.5 hr | 4 hr | 1.5 hr | 2 hr | 9 hr |
| 14 | 0 hr | 10 hr (capstone) | 1 hr | 7 hr (report+spec) | 18 hr |
| Total | ~21 hr | ~52 hr | ~22 hr | ~31 hr | ~126 hr |
(Public-page ~155 hr total; delta is async/self-paced independent lab extension and capstone reproducibility-package build time not all students need in synchronous form.)
Lab index
| Lab | Title | Week | Hardware path | Virtual path | Deliverable |
|---|---|---|---|---|---|
| 1 | Modulation Zoo | 1-2 | GNU Radio + RTL-SDR / ANTSDR | GNU Radio with Signal Source + Throttle | 7 modulation flowgraphs; constellation screenshots |
| 2 | DSSS Spread-Spectrum Build | 3 | GNU Radio software-only | Same (no hardware required) | Working DSSS TX/RX flowgraph; spectrum screenshot |
| 3 | 802.11 Management-Frame Fuzzing | 4 | Alfa NIC (monitor mode) + scapy | Instructor-provided PCAP + scapy analysis | Fuzzing script; frame analysis notes |
| 4 | Bluetooth Classic + BLE Protocol RE | 5 | nRF52840 dongle + ANTSDR | Pre-captured Wireshark BT trace | GATT enumeration; pairing-exchange decode |
| 5 | LoRa Demodulator Pair | 6 | ANTSDR E200 / LimeSDR Mini | Pre-recorded LoRa IQ capture | Two GRC flowgraphs; performance comparison writeup |
| 6 | ZigBee Mesh Capture | 7 | RTL-SDR or nRF52840 sniffer | Pre-captured 802.15.4 PCAP | Decoded ZigBee network topology |
| 7 | IQ Sample-Rate Exploration | 8 | ANTSDR E200 (3 sample-rate runs) | Pre-captured IQ at 3 rates | Spectral-leakage comparison; analysis writeup |
| 8 | Wireshark RF Multi-Protocol | 10 | Passthrough from earlier labs | Pre-captured multi-protocol PCAPs | Annotated decode of WiFi + BT + ZigBee |
| 9 | URH Unknown-Protocol RE | 11 | ANTSDR E200 or HackRF replay | Instructor-supplied unknown protocol IQ file | Full URH analysis; modulation + symbol rate; protocol hypothesis |
| 10 | Wireless-Pentest Cross-Cut | 12 | Alfa NIC + HackRF (instructor lab) | Sandboxed VM scenario | Bettercap intercept; Reaver WPS; methodology notes |
| 11 | ANTSDR E200 Advanced IQ | 9 | ANTSDR E200 (mandatory) | ANTSDR E200 shared via lab server | Full-duplex IQ flowgraph; gr-iio pipeline |
| 12 (Capstone) | End-to-End RF Protocol RE | 14 | Student-chosen target | Student-chosen IQ archive | Full capstone package — see CAPSTONE.md |
SDR platform guide
| Platform | Role in RF-201 | Spec | Cost |
|---|---|---|---|
| RTL-SDR Blog V4 | Entry receive; spectrum survey | 500 kHz-1.75 GHz; 8-bit; RX only | ~$40 |
| ANTSDR E200 | Academy canonical platform; full-duplex MIMO; ANTSDR-specific labs | AD9361; 325-3800 MHz; 2RX+2TX; 61.44 MSPS; Ethernet 192.168.1.10 | ~$400 |
| LimeSDR Mini | Alternate TX/RX | LMS7002M; 10 MHz-3.5 GHz; USB | ~$200 |
| HackRF One | TX-capable; replay labs | 1 MHz-6 GHz; 8-bit; TX/RX | ~$350 |
| nRF52840 dongle | Bluetooth/BLE sniffer | BT/BLE 2.4 GHz | ~$10 |
| ESP32 (HW-101 carry-over) | 802.11 promiscuous-mode target + custom beacon; forward-stretch FPGA-SDR | — | ~$5 |
Architecture Comparison Sidebars
Three structured comparisons publish as handouts/cross-chapter-rf-201-architecture-sidebars.md:
- AM vs FM vs PM vs ASK vs FSK vs PSK vs QAM. Seven modulation schemes: bandwidth efficiency, noise robustness, which deployment chose which and why. Anchored on Wyglinski + Sklar.
- RTL-SDR vs HackRF vs bladeRF vs USRP vs ANTSDR E200 vs LimeSDR Mini. Six SDR hardware tiers: cost/dynamic-range/bandwidth/transmit-capability tradeoffs. Anchored on Wyglinski + community.
- WiFi 802.11 vs Bluetooth Classic vs BLE vs LoRa vs ZigBee/802.15.4. Five Layer-2 wireless protocols: MAC philosophies, ranges, power profiles, IoT/consumer/industrial deployment choices. Anchored on Wyglinski + URH community.
Toolchain Diary: RF-201 originating entries
~12 new tools enter the diary; the WIR-101 corpus continues at advanced depth.
- URH-NG (PentHertz fork) — 327-protocol auto-identification + automotive RF crypto toolkit
- Inspectrum (advanced features) — offline RF visual-analysis at intermediate-RE depth
- HackRF GRC blocks (Ossmann) — canonical HackRF flowgraph corpus
- bladeRF + libbladeRF — transmit-capable advanced SDR; cross-cut platform
- LimeSDR Mini + LimeSuite — broad-frequency advanced SDR
- ANTSDR E200 + libIIO (gr-iio) — academy primary platform; full-duplex work
- Wireshark RF dissector plugins — WiFi/BT/ZigBee/802.15.4 plugin pipeline
- GNU Radio custom-blocks workflow — authoring custom GRC blocks in Python
- scapy 802.11 + BLE layers — programmatic Layer-2 frame crafting
- gr-osmocom (broader) — cellular + GPS + ADS-B GNU Radio integration suite
- Bettercap + Reaver + WiFiPhisher — PT-track wireless-pentest cross-cut tools
- ARRL General license study materials — next-tier ham-licensing pathway
RF-201-OUTLINE.md v0.1. Week files: week-1.md through week-14.md. Labs: labs/lab-1.md through lab-12.md. Capstone: CAPSTONE.md. Setup: SETUP.md. Instructor: INSTRUCTOR-GUIDE.md.