RF-301 Capstone: Unknown Protocol Reverse Engineering

Points: 100 (Tier 2) + Tier 1 functional gate
Weeks: 13-14 (open lab)
Team size: Individual
Deliverable deadline: End of Week 14 + 7-day write-up window

Mission

You select a real-world RF protocol from an authorized target. You reverse-engineer it from captured IQ to a written specification. You then implement a working GNU Radio demodulator that interoperates with the original system on the receive side.

This is not a report. It is an engineering artifact with a claim: my demodulator correctly decodes transmissions from the original device. The Tier 1 gate verifies that claim. The Tier 2 rubric assesses how you got there.

Target Selection

Authorized Target Classes

You must select a target you can legally capture. All of these are pre-authorized by the course:

Target Complexity Requirements

Your target must exhibit at least:

• Detectable modulation (not pure noise)
• Recoverable symbol structure (measurable symbol rate)
• At least one identifiable frame-level feature (preamble, sync word, or periodic structure)

You are not required to decode the payload. You are required to demonstrate interoperable receive-side demodulation — your demodulator extracts the same symbols a correct reference demodulator would extract, byte-for-byte or frame-for-frame.

If You Cannot Capture a Live Signal

Use the instructor-provided rf301-capstone-unknown.cf32 IQ archive (released Week 11). This is a real capture of an authorized industrial IoT device operating in the 433 MHz ISM band. You are still expected to complete the full RE pipeline as if you discovered the target yourself.

Tier 1: Functional Gate

You must pass Tier 1 to receive any Tier 2 points. Tier 1 is not graded — it is a binary pass/fail gate.

Tier 1 Requirements

1. IQ archive. Provide a reproducible capture: capture.cf32 plus a metadata sidecar capture-meta.json:

{
  "center_freq_hz": 433500000,
  "sample_rate_hz": 2400000,
  "duration_sec": 30,
  "capture_tool": "rtl_sdr",
  "capture_command": "rtl_sdr -f 433500000 -s 2400000 -g 40 capture.cf32",
  "hardware": "RTL-SDR v3",
  "capture_date": "2026-XX-XX",
  "environment": "urban ISM band, indoor",
  "authorization": "device owned by student; authorized for testing"
}

2. Demodulator runs. Running make demod in your submission directory executes without error and produces output. See reproducibility requirements below.

3. Symbol-level output. The demodulator produces a decoded bit stream or byte stream from the provided capture.cf32. The stream is written to demod_output.txt or demod_output.bin.

4. Interoperability claim. For at least one transmission captured in the IQ archive, you can show (via side-by-side comparison, reference tool output, or OAI/srsUE log cross-check) that your demodulated output matches the expected bits or bytes. Even a single verified frame suffices for Tier 1.

Instructor checkpoint (Week 12 lab session): You must bring your IQ archive and demonstrate that your demodulator produces output. This is the Tier 1 gate check-in. If you fail Week 12, you have the remaining open-lab weeks to fix it.

Tier 2: Full Rubric (100 points)

Dimension A: RE Depth and SIGINT Discipline (40 points)

This dimension rewards how thoroughly you characterized the unknown signal before building the demodulator.

SIGINT hypothesis document (20 points):

Use the Stage 5 template from Lab 7. All six sections must be complete:

• Spectrum survey (bandwidth, duty cycle, SNR, frequency behavior)
• Modulation classification (with evidence from constellation, instantaneous frequency, amplitude distribution)
• Symbol rate and samples-per-symbol (with evidence from PSD of |x|²)
• Frame structure (preamble, sync word, frame period)
• Protocol hypothesis (protocol family, evidence for and against, residual unknowns)
• Limit of confidence (CONFIRMED / INFERRED / HYPOTHESIZED, with specific claims in each bucket)

Grading within this 20-point block:

• All 6 sections present and complete: 8 pts
• Confidence assessment present and intellectually honest (HYPOTHESIZED items do not appear in CONFIRMED): 6 pts
• Evidence cited at each stage (not just conclusions): 6 pts

Demodulation pipeline documentation (20 points):

A written description of your GNU Radio flowgraph or Python pipeline, including:

• Each stage name and function (filter → demod → resample → decision → frame sync)
• Filter design choices: why this cutoff, why this window or order
• Symbol timing recovery method
• Decision threshold derivation (measured from signal statistics, not guessed)
• Frame synchronization method

Grading within this 20-point block:

• All pipeline stages documented: 8 pts
• Design choices justified from signal measurements (not arbitrary): 8 pts
• At least one design choice that you changed after seeing initial results, with explanation of what broke and what you learned: 4 pts

Dimension B: Limit-of-Confidence Honesty and ROE Compliance (30 points)

This dimension rewards intellectual honesty and professional operating discipline.

Limit-of-confidence section (20 points):

The SIGINT hypothesis document's Limit of Confidence section must be independently coherent. Evaluate each claim in your protocol spec and assign it to:

• CONFIRMED: You can verify bit-for-bit from a reference (OAI/srsUE log, noaa-apt decoder output, published protocol spec, or two-decoder cross-check)
• INFERRED: Supported by consistent evidence across at least two independent measurements, but not directly verified
• HYPOTHESIZED: Plausible from one observation, but alternative explanations exist

The test: A grader will attempt to find a CONFIRMED claim that is actually INFERRED or HYPOTHESIZED, and vice versa. A confident claim you cannot support costs more points than an honest HYPOTHESIZED claim.

Grading within this 20-point block:

• All protocol-level claims classified: 6 pts
• At least 3 CONFIRMED claims with verification evidence cited: 8 pts
• At least 2 HYPOTHESIZED claims acknowledged (no protocol is fully verified in 14 weeks): 6 pts

ROE compliance (10 points):

Document the authorization chain for your target:

• What device or signal did you capture?
• What is your authorization basis? (owned device, receive-only satellite downlink, OAI software loopback, amateur license)
• Did you transmit? If yes, what power and on what frequency, under what license authority?
• Did your capture affect any third party's equipment or communications?

This is not a legal exercise — it is a professional discipline exercise. The answer "NOAA APT receive-only, no authorization required, no transmission" is perfectly acceptable and scores full points for ROE compliance if stated explicitly.

Dimension C: Engineering Quality and Reproducibility (30 points)

Reproducibility package (20 points):

Your submission directory must contain a Makefile with at least these targets:

# RF-301 Capstone Makefile
# Usage: make capture | make demod | make verify | make report

capture:
	# Documents the capture command; does NOT re-run automatically
	@echo "Capture was performed with:"
	@cat capture-meta.json | python3 -c "import sys,json; d=json.load(sys.stdin); print(d['capture_command'])"
	@echo "IQ archive: capture.cf32 (already present in this directory)"

demod: capture.cf32
	python3 demod.py --input capture.cf32 --output demod_output.txt

verify: demod_output.txt
	python3 verify.py --demod demod_output.txt --reference reference_output.txt

report:
	@echo "See lab-notebook-report.md for full analysis"

demod.py must run with no external network dependencies. All Python dependencies must be listed in requirements.txt (generated via pip freeze).

Grading within this 20-point block:

• make demod runs without error on a fresh environment: 8 pts
• make verify produces a pass/fail output comparing against provided reference: 6 pts
• requirements.txt present and complete: 3 pts
• Capture metadata sidecar present: 3 pts

Lab-notebook report (10 points):

20-35 pages (target 25 pages). Structure:

1. Target selection and authorization (2-3 pages)
2. Spectrum survey and initial observations (3-4 pages; include all 4 Stage 1 plots)
3. Modulation classification journey (3-5 pages; what you tried first and why it was wrong, what corrected it)
4. Symbol rate and frame structure (3-4 pages)
5. GNU Radio flowgraph or Python pipeline description (3-5 pages; include flowgraph screenshot or block diagram)
6. Interoperability demonstration (2-3 pages; side-by-side output comparison)
7. SIGINT hypothesis document (2-3 pages; final version)
8. Limit of confidence and residual unknowns (2-3 pages)

Grading within this 10-point block:

• All 8 sections present: 4 pts
• Modulation classification journey describes at least one wrong hypothesis and correction: 3 pts
• Interoperability demonstration includes actual output comparison (not just "it worked"): 3 pts

Submission Package

Your submission is a directory named rf301-capstone-[lastname]/ containing:

rf301-capstone-[lastname]/
├── Makefile
├── requirements.txt
├── capture.cf32               # IQ archive (or symlink to shared instructor file)
├── capture-meta.json          # capture metadata sidecar
├── demod.py                   # main demodulator script
├── verify.py                  # output verification script
├── reference_output.txt       # reference demod output for verify.py comparison
├── demod_output.txt           # generated by make demod (can be absent pre-submission)
├── flowgraph.grc              # GNU Radio flowgraph (if using GRC); OR
├── pipeline_diagram.png       # block diagram (if using Python pipeline)
├── sigint-hypothesis.md       # Stage 5 hypothesis document (final version)
├── roe-compliance.md          # ROE compliance documentation
└── lab-notebook-report.md     # 20-35 page report

Compress as rf301-capstone-[lastname].tar.gz and submit to the course LMS.

Grading Summary

Certificate requirement: 70 points (B-) or higher. Students below 70 receive course credit but are not eligible for the RF-301 certificate endorsement.

15-Minute Recorded Demo

Submit a 15-minute screen-recording demonstrating:

1. (0-3 min) Your target: show the capture, play the audio or display the spectrum in gr-fosphor or a Python plot
2. (3-8 min) Run make demod from a clean terminal; show the output
3. (8-12 min) Walk through your SIGINT hypothesis document (one slide per stage is fine)
4. (12-15 min) Show the interoperability comparison: your output vs. reference, side by side

Upload the recording as demo.mp4 in your submission directory (or link to an unlisted YouTube/GitLab upload in demo-link.txt).

Academic Integrity

You may discuss target selection, general RF signal analysis methodology, and filter design with other students. You may not share IQ captures, demodulator code, or hypothesis documents with other students. Every student's demodulator must be independently written.

If you use the instructor-provided rf301-capstone-unknown.cf32, you are expected to have written your own demodulator without consulting other students' implementations.

Recommended Timeline