
RF-201 Week 13 — Cross-Cut: RE-Track Network-Protocol RE + Capstone Kickoff


"The RE-201 student who arrived from RF-201 already knows what an IQ stream looks like, what URH produces from it, and what a GNU Radio demodulator does. RE-201's job is to put that substrate to work on adversarial targets — burst-radio protocols, proprietary encodings, hardware-embedded wireless stacks."


Lecture (60 min) + Capstone Kickoff (30 min)

13.1 What This Week Is

Week 13 has two purposes:

  1. Cross-cut integration: connect RF-201's protocol-RE methodology to the RE-Track (vca-re-201 / vca-emb-201)
  2. Capstone kickoff: target selection, workflow planning, and first-hour questions

13.2 RE-Track Wireless: The Burst-Radio Problem

RF-201's URH workflow was applied to ISM-band continuous-emission protocols (sub-GHz remotes, LoRa beacons). The RE track (RE-201: Reverse Engineering of Burst Radio Signals) extends this to:

Burst-mode protocols: A "burst" transmitter is silent most of the time and transmits short frames only when triggered. Examples:

  • TPMS (Tire Pressure Monitor System): transmits one 20-byte OOK packet every 60 seconds
  • Building alarm keyfob: transmits 1-3 frames when button pressed
  • Smart meter: transmits one packet every 30 seconds on a fixed schedule
  • RFID transponder: passive; transmits only when interrogated by a reader

Capture challenges unique to burst-mode:

  • Cannot pre-sync on a preamble you haven't heard yet
  • Need to capture a trigger event (ANTSDR E200 in trigger-capture mode via gr-iio)
  • Frame duration may be as short as 1 ms (1 ms × 250 kbps = 250 bits)
  • Must capture multiple bursts to distinguish fixed (address) from varying (counter/payload) fields

GNU Radio trigger capture for burst:

# GNU Radio flowgraph: energy-triggered File Sink
# Burst Gate block: passes samples only when power > threshold
# Connect: PlutoSDR Source → Burst Gate → File Sink
# Burst Gate threshold: set to ~3 dB above the noise floor (measure it with no burst present)

The gr-symbolrate and gr-burst OOT packages provide burst-detection and synchronisation blocks for GNU Radio.
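The following is an added, pure-Python stand-in for what the Burst Gate block does, written for this page and not taken from gr-burst, gr-iio or the course materials; all function names and the constructed test record (20 ms of Gaussian noise with two Manchester-coded OOK bursts at 250 kS/s) are assumptions made here. It shows the three decisions the flowgraph above leaves implicit: estimating the noise floor, setting the threshold ~3 dB above it, and padding each burst with pre-trigger and hang-time samples so the preamble and the last bits are not cut off.

```python
import math
import random
from statistics import median


def windowed_power(iq, window):
    """Moving average of |x|^2 over the last `window` samples
    (integrate-and-compare: single noise spikes are averaged out)."""
    p = [abs(s) ** 2 for s in iq]
    out, acc = [], 0.0
    for i, v in enumerate(p):
        acc += v
        if i >= window:
            acc -= p[i - window]
        out.append(acc / min(i + 1, window))
    return out


def detect_bursts(iq, window=64, margin_db=3.0, pre=32, hang=32):
    """Return (bursts, noise_floor, threshold). Each burst is a (start, end)
    sample-index pair (end exclusive), padded by `pre` samples before the
    trigger and `hang` samples after the power last exceeded the threshold.
    Bursts closer together than `hang` samples merge into one."""
    power = windowed_power(iq, window)
    # Bursts are a small fraction of the record, so the median of the
    # windowed power is a robust noise-floor estimate (no burst-free
    # calibration capture needed).
    noise_floor = median(power)
    threshold = noise_floor * 10 ** (margin_db / 10)  # ~3 dB above the floor
    bursts, in_burst, start, last_above = [], False, 0, 0
    for i, p in enumerate(power):
        if p > threshold:
            if not in_burst:
                in_burst, start = True, max(0, i - pre)
            last_above = i
        elif in_burst and i - last_above > hang:
            bursts.append((start, last_above + hang))
            in_burst = False
    if in_burst:
        bursts.append((start, min(len(iq), last_above + hang)))
    return bursts, noise_floor, threshold


def extract(iq, bursts):
    """The samples a trigger-capture File Sink would actually write."""
    return [iq[s:e] for s, e in bursts]


def kept_fraction(iq, bursts):
    return sum(e - s for s, e in bursts) / len(iq)


def manchester_ook(data, sps):
    """Manchester-coded OOK baseband, `sps` samples per chip
    (convention assumed here: bit 1 -> on,off ; bit 0 -> off,on)."""
    samples = []
    for byte in data:
        for b in range(7, -1, -1):
            chips = (1.0, 0.0) if (byte >> b) & 1 else (0.0, 1.0)
            for c in chips:
                samples.extend([c] * sps)
    return samples


def make_test_stream(fs=250_000, seed=1):
    """Constructed 20 ms record: complex Gaussian noise (sigma 0.05 per
    component) plus two 1.6 ms OOK bursts (5 bytes at 50 kchip/s).
    Returns (iq, true burst spans)."""
    rng = random.Random(seed)
    n = int(0.020 * fs)
    iq = [complex(rng.gauss(0, 0.05), rng.gauss(0, 0.05)) for _ in range(n)]
    burst = manchester_ook(bytes([0xAA, 0x2D, 0xD4, 0x5A, 0x0F]), sps=5)
    truth = []
    for start in (1000, 3200):
        for k, a in enumerate(burst):
            iq[start + k] += a
        truth.append((start, start + len(burst)))
    return iq, truth


if __name__ == "__main__":
    iq, truth = make_test_stream()
    bursts, nf, thr = detect_bursts(iq)
    print("noise floor %.1f dB, threshold %.1f dB"
          % (10 * math.log10(nf), 10 * math.log10(thr)))
    for (s, e), (ts, te) in zip(bursts, truth):
        print("burst %d..%d (true %d..%d)" % (s, e, ts, te))
    print("fraction of samples written: %.2f" % kept_fraction(iq, bursts))
```

The `window` length is the real tuning knob: too short and a noise spike opens the gate, too long and the trigger lags the burst start, which is what the `pre` padding compensates for. On the constructed record the gate writes about a fifth of the samples; on a real TPMS or keyfob capture with seconds of silence between frames the saving is several orders of magnitude.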

13.3 The SB6141 DOCSIS RF Stage (EMB-201 / RE-101 Forward Pointer)

The SB6141 cable modem is RE-101's hardware target. The DOCSIS RF stage is the antenna-to-SoC pathway that delivers the cable signal to the cable modem's main processor.

Why RF-201 connects here: A student who has completed RF-201 reads the SB6141's RF stage as:

  • A receive-only DOCSIS downstream path: 54-860 MHz, SC-QAM (DOCSIS 3.0), 256-QAM, 6 MHz channels
  • An upstream path: 5-42 MHz, TDMA/S-CDMA, QPSK to 64-QAM
  • An OFDM/OFDMA path (DOCSIS 3.1 partial): 192 MHz downstream, 96 MHz upstream

From the RE-101 hardware-teardown perspective, the RF stage components (tuner IC, ADC, DOCSIS SoC demodulator) are now legible as hardware implementations of concepts from RF-201 Weeks 1-2 (QAM, OFDM), Week 8 (ADC dynamic range), and Week 9 (digital filter design).

The EMB-201 course (Embedded Network RE) will use the SB6141 as a case study for reading RF-stage hardware against a DSP-literacy background. RF-201 is the DSP-literacy provider for that course.

13.4 RE-201 Methodology Preview: Burst-Radio Protocol RE

RE-201's full workflow (previewed here for forward-context):

  1. Hardware teardown: identify RF IC, determine frequency range and supported protocols from IC datasheet
  2. Passive spectrum survey: characterise the RF environment around the target
  3. Burst capture: trigger-capture the target's RF emissions during operation
  4. Protocol RE (URH workflow from RF-201): identify modulation, demodulate, analyse frame structure
  5. Software cross-reference: compare RF frame structure against firmware strings or IDA analysis to confirm field interpretations
  6. Replay/mutation test: generate test frames and observe target response in an authorised environment

Step 5 (software cross-reference) is the key differentiator between RF-201's pure-RF RE and RE-201's full hardware+software RE. RF-201 gives you everything you need for steps 1-4. RE-201 adds step 5.
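Steps 4 and 5 above, and the earlier point that several bursts are needed to tell fixed fields from varying ones, come down to a column-by-column comparison of the decoded frames. The following is an added example written for this page (not course code, and not URH's own analysis): it labels each byte position across a set of frames as fixed, counter or varying, and tests simple check-byte rules over every start offset. The six frames are constructed here for a fictitious sensor (3-byte preamble/sync, 3-byte address, rolling counter, 16-bit reading, XOR check); the frame layout and all function names are assumptions.

```python
import functools
import operator


def classify_columns(frames):
    """Label each byte position across captured frames as 'fixed' (same
    value in every frame), 'counter' (changes by the same non-zero step
    between consecutive frames, mod 256) or 'varying' (anything else).
    Frames must be the same length and in capture order."""
    width = len(frames[0])
    if any(len(f) != width for f in frames):
        raise ValueError("frames of unequal length: align them first")
    labels = []
    for col in range(width):
        vals = [f[col] for f in frames]
        steps = {(b - a) % 256 for a, b in zip(vals, vals[1:])}
        if steps == {0}:
            labels.append("fixed")
        elif len(steps) == 1 and len(vals) >= 3:
            labels.append("counter")
        else:
            labels.append("varying")
    return labels


def find_checksum(frames):
    """Assume the last byte is a check byte and try XOR and 8-bit sum over
    bytes[start:-1] for every start offset. Returns the (rule, start)
    pairs that hold for every frame; more than one hit means the capture
    is too small to decide."""
    rules = {
        "xor": lambda bs: functools.reduce(operator.xor, bs, 0),
        "sum": lambda bs: sum(bs) & 0xFF,
    }
    width = len(frames[0])
    hits = []
    for name, rule in rules.items():
        for start in range(width - 1):
            if all(rule(f[start:-1]) == f[-1] for f in frames):
                hits.append((name, start))
    return hits


def make_frames():
    """Constructed decoded frames from six consecutive bursts of a
    fictitious sensor: preamble/sync (3 B), address (3 B), rolling
    counter (1 B), 16-bit reading (2 B), XOR check over address..reading."""
    frames = []
    readings = [0x012C, 0x012E, 0x0131, 0x012B, 0x0130, 0x012D]
    for k, r in enumerate(readings):
        body = [0x3F, 0x7A, 0x91, 0x10 + k, r >> 8, r & 0xFF]
        check = functools.reduce(operator.xor, body, 0)
        frames.append(bytes([0xAA, 0x2D, 0xD4] + body + [check]))
    return frames


if __name__ == "__main__":
    frames = make_frames()
    for f in frames:
        print(f.hex(" "))
    for col, label in enumerate(classify_columns(frames)):
        print("byte %d: %s" % (col, label))
    print("check-byte rules that hold for all frames:", find_checksum(frames))
```

Note what the constructed data deliberately shows: the high byte of the reading never changes across six bursts, so the classifier reports it as fixed even though it belongs to the payload. That is the failure mode behind the "capture multiple bursts" rule, and it is exactly where step 5 (a firmware string or decompiled packing routine that shows a 16-bit field) corrects an RF-only reading. Field boundaries also need not fall on byte edges; for bit-packed protocols run the same comparison on the bit string URH gives you.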

13.5 Capstone Kickoff

The capstone (Week 14 and beyond) is an end-to-end RF protocol RE on a student-selected real-world target.

Target requirements:

  • Authority: student personally owns the device, OR the device is an instructor-provided lab target, OR the device is a homebrew transmitter built in HW-101
  • RF emission: the device must transmit at a recoverable frequency (any ISM band at standard ISM power levels)
  • Physical layer: must be a wireless (not wired) protocol
  • Not pre-solved: the protocol must not have a complete, published specification that your URH analysis would simply confirm

Good capstone targets:

  • Personal weather station wireless sensor unit
  • Sub-GHz home alarm keyfob (not the receiver — just characterise the key transmission)
  • Smart plug with RF remote pairing mode
  • Custom ESP32 sensor using radio (if built in HW-101 without pre-specified protocol encoding)
  • Any ISM-band device at 315/433/868/915 MHz that you personally own and have the right to observe

Poor capstone targets (not acceptable):

  • Protocols with complete open specifications (LoRa: fully specified, not RE)
  • Your neighbor's home network (no authority)
  • Commercial protocols where the vendor has asked researchers not to publish

Required deliverables (see CAPSTONE.md for full rubric):

  1. Captured IQ archive
  2. URH protocol analysis with annotated symbol stream
  3. GNU Radio demodulator flowgraph
  4. Written protocol specification
  5. Reproducibility package (make capture, make demod)
  6. 15-25 page capstone report

This week's capstone task: Select your target, obtain/confirm authority to observe it, write a 1-paragraph target-selection rationale, and bring your first IQ capture attempt (even if noisy) to Week 14.


Homework

Reading (1.5 hr):

  • RE-201 preview materials (posted to course portal)
  • gr-burst documentation (github.com/gvanhoy/gr-burst) — burst synchronisation blocks
  • SB6141 FCC filing (search FCC.gov for SB6141 equipment authorization) — public external test report; the RF stage frequencies and test levels are specified there

Hands-on (2 hr): Capstone target reconnaissance:

  1. Identify a target you have authority to observe
  2. Use rtl_433 or GQRX to confirm the target is transmitting in a receivable frequency range
  3. Make one 30-second IQ capture of the target transmission
  4. Open in URH: can you see the signal? Can you identify the modulation type?

Bring your target-selection rationale + first capture to Week 14.
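For hands-on step 4, the first thing to read off a burst before any demodulation is its modulation class: an OOK/ASK burst has an envelope that drops to the noise floor between symbols, while 2-FSK keeps a constant envelope and moves the instantaneous frequency between two values. The following is an added example written for this page (not course code and not what URH or GQRX run internally) that computes those two statistics on a single extracted burst; the thresholds, function names and the two constructed bursts (25 kbps at 250 kS/s, 20 kHz FSK deviation) are assumptions made here.

```python
import cmath
import math
import random


def percentile(values, q):
    s = sorted(values)
    return s[min(len(s) - 1, int(q * (len(s) - 1)))]


def classify_burst(iq, fs):
    """Quick modulation-class check on one burst (assumed roughly centred
    at 0 Hz). Envelope spread separates amplitude keying from constant-
    envelope signals; the spread of the instantaneous frequency then
    separates 2-FSK from an unmodulated carrier. Returns metrics + label."""
    env = [abs(s) for s in iq]
    ratio = percentile(env, 0.10) / percentile(env, 0.90)  # ~0 for OOK, ~1 for FSK
    if ratio < 0.5:
        return {"label": "OOK/ASK", "envelope_ratio": ratio, "deviation_hz": None}
    # Instantaneous frequency from the phase step between successive samples.
    freqs = [cmath.phase(b * a.conjugate()) * fs / (2 * math.pi)
             for a, b in zip(iq, iq[1:])]
    mean = sum(freqs) / len(freqs)
    freqs = [f - mean for f in freqs]  # crude centring on the carrier
    pos = [f for f in freqs if f > 0]
    neg = [f for f in freqs if f < 0]
    if not pos or not neg:
        return {"label": "carrier/other", "envelope_ratio": ratio, "deviation_hz": 0.0}
    dev = (percentile(pos, 0.5) - percentile(neg, 0.5)) / 2
    two_clusters = min(len(pos), len(neg)) > 0.1 * len(freqs) and dev > 0.01 * fs
    label = "2-FSK" if two_clusters else "carrier/other"
    return {"label": label, "envelope_ratio": ratio, "deviation_hz": dev}


def to_bits(data):
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def make_ook_burst(bits, fs, bitrate, seed=3, noise=0.02):
    """Constructed OOK burst: carrier on for 1 bits, off for 0 bits, plus
    complex Gaussian noise."""
    rng = random.Random(seed)
    sps = fs // bitrate
    out = []
    for bit in bits:
        for _ in range(sps):
            out.append(complex(1.0 if bit else 0.0, 0.0)
                       + complex(rng.gauss(0, noise), rng.gauss(0, noise)))
    return out


def make_fsk_burst(bits, fs, bitrate, deviation, seed=3, noise=0.02):
    """Constructed continuous-phase 2-FSK burst: +deviation for 1 bits,
    -deviation for 0 bits, plus complex Gaussian noise."""
    rng = random.Random(seed)
    sps = fs // bitrate
    phase, out = 0.0, []
    for bit in bits:
        f = deviation if bit else -deviation
        for _ in range(sps):
            phase += 2 * math.pi * f / fs
            out.append(cmath.exp(1j * phase)
                       + complex(rng.gauss(0, noise), rng.gauss(0, noise)))
    return out


if __name__ == "__main__":
    fs = 250_000
    bits = to_bits(bytes([0xAA, 0x2D, 0xD4, 0x5A, 0x0F]))
    print(classify_burst(make_ook_burst(bits, fs, 25_000), fs))
    print(classify_burst(make_fsk_burst(bits, fs, 25_000, 20_000), fs))
    print(classify_burst(make_fsk_burst(bits, fs, 25_000, 0), fs))
```

Feed it the samples of one burst only (a gated burst, not the whole capture), and tune the receiver so the burst sits near 0 Hz first; a large frequency offset pushes the sign split in the FSK branch to one side and the burst is reported as a carrier. The estimated deviation is a useful starting value for the FSK demodulator block in the Week 14 flowgraph.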


Key Terms

  • Burst-mode protocol: protocol where the transmitter is silent most of the time and transmits short frames only on trigger or schedule; requires trigger-capture workflow
  • Burst Gate: GNU Radio block that gates samples through only when signal power exceeds a threshold; used for burst-capture IQ recording
  • DOCSIS (Data Over Cable Service Interface Specification): cable TV plant data protocol; downstream 54-860 MHz; SC-QAM (v3.0) or OFDMA (v3.1); the cable modem RF stage's protocol
  • Trigger-capture mode: SDR configured to write to file only during signal bursts; avoids writing gigabytes of silent noise between short bursts
  • RE-201 cross-reference step: comparing RF frame structure against firmware strings or decompiled code to confirm field interpretations; the key differentiator between RF-only RE and full hardware+software RE