"The capstone is not a test of whether you can RE a protocol in one week. It is a test of whether the seven skills built across fourteen weeks hold up when integrated."
Workshop Format (5 hr session + independent project hours)
Week 14 is a workshop, not a lecture. The instructor is present for questions and live review. Students present their work in progress, get feedback, and complete outstanding deliverables.
14.1 Workshop Agenda
| Time | Activity |
|---|---|
| 0:00-0:30 | Student target-selection check-in (5 min per student) |
| 0:30-2:00 | Open lab: IQ capture, URH analysis, GRC flowgraph build |
| 2:00-3:30 | Individual protocol spec review with instructor (10 min per student) |
| 3:30-4:30 | Reproducibility package validation |
| 4:30-5:00 | Capstone report structure workshop (group) |
14.2 Final Integration: The Seven Skills
The capstone tests the integration of seven skills built across the course:
Skill 1: IQ capture (Weeks 1-2, 8): You can configure the ANTSDR E200 (or RTL-SDR for passive capture) to record a clean IQ archive of the target signal. You know how to set sample rate, gain, and centre frequency correctly. Your capture contains the entire signal without clipping.
Skill 2: Signal characterisation (Weeks 1-3, 11): You can identify the modulation type from the IQ stream (visually in Inspectrum or URH, and numerically from instantaneous frequency analysis). You can estimate bit rate and deviation from the signal.
Skill 3: Symbol recovery (Weeks 1-3, 11): You can demodulate the signal to a clean bit stream in URH. You can handle Manchester encoding, NRZ encoding, or differential encoding as needed.
Skill 4: Frame structure RE (Weeks 4-7, 11): You can identify preamble, sync word, address field, command/payload field, and checksum from the bit stream. You can verify your field boundaries across multiple captures.
Skill 5: GNU Radio demodulator (Weeks 9, 11): You can implement the demodulator as a GNU Radio flowgraph using the correct modulation-specific blocks (FSK discriminator, PSK Demod, or custom Python block). The flowgraph processes the captured IQ archive and produces the same bit stream as URH.
Skill 6: Protocol specification (Weeks 4-7, 11, 13): You can write a protocol specification at the level a successor RE engineer would read: physical layer, link layer, application layer, and an honest limit-of-confidence statement.
Skill 7: Reproducibility (Weeks 9, 13): Your make capture command reproduces the IQ archive on the same hardware. Your make demod command runs the GNU Radio flowgraph against the archive and produces the bit stream.
14.3 Common Failure Modes
The constellation is clean but the bits are wrong: You have the modulation identified correctly but the bit encoding is wrong. Check: Is it Manchester? Differential? NRZ-L vs. NRZ-M? Test each in URH.
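One way to run that "test each" step outside URH, as an added example that is not part of the course materials: every candidate line code (NRZ-L, NRZ-M, NRZ-S, both Manchester conventions at both pair alignments) is decoded from the same chip stream and scored by whether the known sync word appears. The chip stream, preamble and sync word (0x2DD4) are constructed for the example.

```python
SYNC = "0010110111010100"  # 0x2DD4, used here as a constructed sync word

def manchester_encode(bits: str, ieee: bool = True) -> str:
    """IEEE 802.3 convention: 1 -> 01, 0 -> 10.  G.E. Thomas is the opposite."""
    one, zero = ("01", "10") if ieee else ("10", "01")
    return "".join(one if b == "1" else zero for b in bits)

def manchester_decode(chips: str, ieee: bool = True):
    """Decode chip pairs; return None if any pair is not a valid Manchester symbol,
    which means either the pair alignment is off by one or it is not Manchester."""
    one, zero = ("01", "10") if ieee else ("10", "01")
    out = []
    for i in range(0, len(chips) - 1, 2):
        pair = chips[i:i + 2]
        if pair == one:
            out.append("1")
        elif pair == zero:
            out.append("0")
        else:
            return None
    return "".join(out)

def differential_decode(chips: str, transition_is_one: bool = True) -> str:
    """NRZ-M (transition = 1) or NRZ-S (transition = 0); the first chip is referenced to 0."""
    prev, out = "0", []
    for c in chips:
        out.append("1" if (c != prev) == transition_is_one else "0")
        prev = c
    return "".join(out)

def find_encoding(chips: str, sync: str) -> dict:
    """Run every line-code hypothesis over the raw chips and report the sync word's
    bit offset under each hypothesis where it appears.  NRZ-L = take chips as bits."""
    candidates = {"nrz-l": chips,
                  "nrz-m": differential_decode(chips, True),
                  "nrz-s": differential_decode(chips, False)}
    for conv in ("ieee", "thomas"):
        for offset in (0, 1):
            candidates[f"manchester-{conv}@{offset}"] = manchester_decode(chips[offset:], conv == "ieee")
    return {name: bits.find(sync) for name, bits in candidates.items() if bits and sync in bits}

# Constructed capture: an 8-bit preamble, the sync word and two payload bytes,
# Manchester (IEEE) encoded into the chip stream a demodulator would hand back.
FRAME_BITS = "10101010" + SYNC + "1100001001011011"
CHIPS = manchester_encode(FRAME_BITS)

if __name__ == "__main__":
    print(find_encoding(CHIPS, SYNC))  # only the manchester-ieee@0 hypothesis should hit
```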
The CRC does not match any polynomial: Broaden your search. Some proprietary protocols use CRC-8 with a non-standard initial value (not 0x00 or 0xFF) or a custom XOR output mask. Also check: is the CRC computed over the payload only, or payload + header? Is the byte order big-endian or little-endian?
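The broadened search described above, as an added example (not from the course materials, URH, or any CRC library): a CRC-8 parameter search that solves the XOR output mask from the first frame instead of brute-forcing it, then tests both coverage hypotheses (header+payload vs. payload only) against the remaining frames. The frames, header length and the "unknown" true parameters (poly 0x1D, init 0xA5, xorout 0x3C) are constructed for the example; pass polys=range(256) to scan non-standard polynomials.

```python
COMMON_POLYS = (0x07, 0x1D, 0x2F, 0x31, 0x39, 0x4D, 0x9B, 0xA7, 0xD5)  # normal (non-reflected) form

def crc8(data: bytes, poly: int, init: int = 0, xorout: int = 0) -> int:
    """Plain (non-reflected) bitwise CRC-8 with explicit initial value and output mask."""
    crc = init
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ xorout

def find_crc8_params(frames, header_len, polys=COMMON_POLYS):
    """Return every (poly, init, xorout, coverage) consistent with all frames.

    Each frame is header || payload || crc (last byte).  xorout is never searched:
    for a given poly, init and coverage it is solved from the first frame as
    crc(data, init) XOR observed_crc, then checked against the remaining frames.
    Caveat: init and xorout are only separable when the captures contain frames of
    different lengths; with equal-length frames every init has a compensating xorout.
    """
    coverages = {"header+payload": 0, "payload": header_len}
    hits = []
    first = frames[0]
    for poly in polys:
        for init in range(256):
            for name, start in coverages.items():
                xorout = crc8(first[start:-1], poly, init) ^ first[-1]
                if all(crc8(f[start:-1], poly, init, xorout) == f[-1] for f in frames[1:]):
                    hits.append((poly, init, xorout, name))
    return hits

# Constructed frames standing in for the ones recovered in URH: a 2-byte address
# header, a payload of varying length, and a CRC-8 (poly 0x1D, init 0xA5, xorout 0x3C)
# computed over header+payload.  Two frames carry the same payload under different
# addresses, which is what rules out the payload-only coverage hypothesis.
HEADER_LEN = 2
_bodies = [bytes.fromhex(h) for h in
           ("1a2b010005", "3c4d010005", "1a2b0200107e", "1a2b03ff0012ab", "1a2b0400aa")]
FRAMES = [b + bytes([crc8(b, 0x1D, 0xA5, 0x3C)]) for b in _bodies]

if __name__ == "__main__":
    for poly, init, xorout, cov in find_crc8_params(FRAMES, HEADER_LEN):
        print(f"poly=0x{poly:02X} init=0x{init:02X} xorout=0x{xorout:02X} over {cov}")
```

For a 16-bit CRC the same search needs one more axis the text mentions: the byte order in which the two CRC bytes appear on the wire.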
The flowgraph produces the right output sometimes but not always: Timing synchronisation. The clock recovery block (Mueller and Mueller, Poletti, or polyphase clock synchroniser) is not locked correctly. Check: is the samples-per-symbol value correct? Is there a matched filter before the clock recovery?
The URH analysis finds five message types but the spec says there should be four: The fifth type may be an ACK frame, a re-transmission, or a header frame you missed in the initial analysis. Cross-reference against all captures.
The IQ file plays back correctly in GNU Radio but the signal is weaker than expected: Check IQ imbalance. GNU Radio's DC Blocker block (for DC offset) and IQ Balance block can compensate. Also check: did you set the correct complex data type (complex64 vs int16 interleaved)?
14.4 Capstone Report Outline
The capstone report template (see CAPSTONE.md for the full rubric):
Section 1: Executive Summary (1/2 page)
- Target description
- What you found
- Limit of confidence rating
Section 2: Target Selection and Authority
- Device description and ownership/authority
- ROE statement (what you did and did not do)
- FCC compliance note (ISM band; receive-only or authorised TX within shielded environment)
Section 3: Capture Methodology
- Hardware used
- Centre frequency, sample rate, gain settings
- Number of captures; conditions (indoor/outdoor; distance to target)
- IQ archive format and size
Section 4: Signal Characterisation
- Modulation identification (with evidence from instantaneous freq plot or URH auto-detect + manual verification)
- Bit rate, deviation, carrier frequency
- Encoding (NRZ, Manchester, differential)
Section 5: Frame Structure RE
- Preamble + sync word (with screenshots from URH)
- Field inventory: name, length, type, observations
- CRC polynomial identified
- Message type inventory
Section 6: GNU Radio Demodulator
- Flowgraph screenshot
- Block-by-block description
- Byte-for-byte match verification between URH and GRC outputs
Section 7: Protocol Specification
- Physical layer (modulation, symbol rate, framing)
- Link layer (addressing, error detection)
- Application layer (payload fields if recoverable)
- Limit-of-confidence statement
Section 8: Security Observations (if any)
- Is replay protection present? (evidence)
- Are messages authenticated? (evidence)
- Are messages encrypted? (evidence)
- What could an attacker do with the ability to replay/forge frames in an authorised context?
Section 9: Reproducibility Package Description
- make capture: command and expected output
- make demod: command and expected output
Section 10: ROE / FCC / CFAA Compliance
- Confirmation that all capture was passive or within authorised test environment
- Confirmation of device ownership/authority
Key Terms from the Capstone
- Limit-of-confidence statement: an explicit declaration of which claims are confident (bytes observed and verified to match) vs. hypothetical (protocol semantics inferred from behavior); required in every capstone protocol specification
- Matched filter: a filter whose impulse response is the time-reverse of the expected symbol waveform; maximises SNR for symbol detection
- Clock recovery: synchronisation circuit or algorithm that recovers the transmitter's symbol clock from the received signal; required for symbol-by-symbol demodulation
- Reproducibility package: make targets that reproduce the IQ archive and demodulation output from the same hardware and flowgraph; the capstone's primary deliverable for successor RE engineers