
RF-301 Instructor Guide


Course: RF-301 Advanced RF/SDR Engineering
Scope: Full per-chapter notes for Weeks 1-7; skeleton for Weeks 8-12
Last updated: v0.1


How to Use This Guide

Each chapter section provides: an opening hook (5 min framing story), a pacing table, the three most common student issues, the anchor weave placement, and a lab timing note. These are grounded in the week-file content — the guide is a companion to the week files, not a replacement.


Chapter 1: Advanced Filter Design (Weeks 1-2)

Opening Hook (5 min)

Open with the question that motivates the chapter: "You are receiving a 25 kHz FSK signal embedded in 2.4 MHz of bandwidth. You need a filter that passes everything inside ±15 kHz and attenuates everything outside ±25 kHz by 60 dB. How many taps does your FIR filter need?"

Let students estimate. Most will say "a few hundred." The actual Parks-McClellan answer is typically 80-120 taps — but a windowed sinc with the same stopband attenuation requires 180-240 taps. This motivates why filter design matters at RF-301 scale: computational budget on an FPGA or real-time GNU Radio system is finite, and a bad design choice can double your DSP load.

Then ground it: this is exactly the filter at the front of the Lab 1 cognitive-radio sensor chain.

Pacing Table

Topic | Time | Notes
FIR design methods overview (4-method table) | 25 min | Cover all 4; don't go deep on derivations yet
Parks-McClellan: equiripple optimality, remez() demo | 30 min | Show actual Python execution; vary order; measure ripple
Kaiser window: kaiserord(), compare to Parks-McClellan | 20 min | Side-by-side frequency response plots
IIR from analog prototype: Butterworth vs Chebyshev vs Elliptic | 30 min | Emphasize group delay non-linearity; show pole-zero plot
Adaptive LMS filter: algorithm derivation, lms_filter() | 30 min | Use noise cancellation example; vary μ
Polyphase channelizer concept | 20 min | Block diagram only; code in lab
Academy Flowgraph demo | 15 min | Build a Parks-McClellan filter in the browser; connect to FFT display node

Common Issues

Issue 1: remez() convergence failure. Students encounter ValueError: Failed to converge when the transition band is too narrow for the requested order. Diagnosis: the ratio (f_stop - f_pass) / (f_nyq) is below the minimum for the order requested. Fix: increase N by 20-40% increments, or relax the stopband spec. The iterative search loop in Lab 1 Part A handles this automatically — show students that the loop is not boilerplate, it is the correct engineering approach.

Issue 2: IIR group delay misinterpretation. Students see that an elliptic filter has much lower order than Butterworth for the same spec and ask "why don't we always use elliptic?" Walk through the group delay comparison plot: the elliptic phase response is nonlinear at the band edge, which means a pulsed signal (ASK, FSK burst) will have its edges smeared. For OFDM, this matters less (equalizer corrects it). For symbol timing in burst-mode protocols, it matters a lot.

Issue 3: LMS μ selection. Students set μ too large, see divergence, and set it very small — then wonder why the filter never converges. The tradeoff: μ large → fast convergence but risk of divergence; μ small → stable but slow. The stability bound is 0 < μ < 2 / (N · P_x) where N is filter order and P_x is input power. Show students how to estimate P_x from the signal and compute the stability bound before guessing μ.
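Added example (not the course's lms_filter() or the Lab 1 template): estimate P_x from the reference input, compute the μ bound from Issue 3, then run a small LMS noise canceller once below and once above it. The sine, the noise path h and the tap count are constructed values.

```python
import math
import random


def input_power(x):
    """Estimate P_x as the mean-square value of the reference input."""
    return sum(v * v for v in x) / len(x)


def lms_mu_bound(n_taps, p_x):
    """Stability bound from the chapter: 0 < mu < 2 / (N * P_x)."""
    return 2.0 / (n_taps * p_x)


def lms_cancel(reference, primary, n_taps, mu, blowup=1e6):
    """LMS noise canceller with the update w <- w + mu * e * x.

    reference: noise-only input correlated with the noise in `primary`
    primary:   wanted signal plus that noise after an unknown path
    Returns (error_output, diverged). After convergence the error output is
    the cleaned signal; diverged is True if any weight exceeded `blowup`.
    """
    w = [0.0] * n_taps
    out = []
    for n in range(len(primary)):
        # Tap-delay line of the reference, zero-padded before the first sample.
        x = [reference[n - k] if n - k >= 0 else 0.0 for k in range(n_taps)]
        y = sum(wk * xk for wk, xk in zip(w, x))
        e = primary[n] - y
        out.append(e)
        w = [wk + mu * e * xk for wk, xk in zip(w, x)]
        if max(abs(wk) for wk in w) > blowup:
            return out, True
    return out, False


def make_scenario(n_samples=2000, seed=42):
    """Constructed data: a 0.5-amplitude sine plus white noise that reaches
    the primary input through a short unknown path h (both are assumptions)."""
    rng = random.Random(seed)
    clean = [0.5 * math.sin(2 * math.pi * 0.05 * n) for n in range(n_samples)]
    ref = [rng.gauss(0.0, 1.0) for _ in range(n_samples)]
    h = [0.6, -0.3, 0.2]
    coloured = [sum(h[k] * ref[n - k] for k in range(len(h)) if n - k >= 0)
                for n in range(n_samples)]
    primary = [c + v for c, v in zip(clean, coloured)]
    return clean, ref, primary


def residual_power(out, clean, tail=500):
    """Mean-square error between canceller output and the clean signal,
    measured over the last `tail` samples (after adaptation has settled)."""
    pairs = list(zip(out[-tail:], clean[-tail:]))
    return sum((o - c) ** 2 for o, c in pairs) / len(pairs)


def run_demo(n_taps=8, safe_factor=0.1, unsafe_factor=4.0):
    """Compute the bound from the data, then run LMS below and above it."""
    clean, ref, primary = make_scenario()
    bound = lms_mu_bound(n_taps, input_power(ref))
    out_ok, div_ok = lms_cancel(ref, primary, n_taps, safe_factor * bound)
    out_bad, div_bad = lms_cancel(ref, primary, n_taps, unsafe_factor * bound)
    return {
        "mu_bound": bound,
        "noise_before": residual_power(primary, clean),
        "noise_after_safe": residual_power(out_ok, clean),
        "safe_diverged": div_ok,
        "unsafe_diverged": div_bad,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

With white reference noise the bound is conservative; the point for students is that it is computed from the data, not guessed.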

Anchor Weave Placement

Lyons Ch 6-7: Assign before the second lab session. Lyons has the clearest treatment of polyphase decomposition with worked numerical examples — students who skip this will struggle with Lab 1 Part D. The key insight to prime: the polyphase decomposition of an FIR filter into M sub-filters of length N/M each is not an approximation, it is an exact algebraic identity that enables the M-fold computational savings.

Academy Flowgraph: Demo in-class after Parks-McClellan Python code. The visual filter topology in the browser (source → filter → FFT display) grounds the abstract algorithm in a system context. Explicitly note the URL: portal.virtuscyberacademy.org/workbench/static/academy-flowgraph.html.

Lab 1 Timing Note

Lab 1 is 25 points and requires four distinct deliverables. Students commonly run long on Part A (Parks-McClellan order search) because they write their own loop instead of using the provided template. Suggest 30 min for Part A, 25 min for Part B (Kaiser comparison), 30 min for Part C (IIR), 30 min for Part D (LMS). The polyphase channelizer Part E is the hardest — flag it as the section where students should not try to derive the math themselves in lab; use the provided polyphase_channelizer() function and focus on interpreting the outputs.


Chapter 2: Cognitive Radio (Week 3)

Opening Hook (5 min)

"In 2005, the FCC granted experimental licenses for TV White Space devices. The question on the table: can a radio autonomously detect whether a TV station is transmitting on a channel before occupying it? The alternative was manual coordination — a database that every device had to query. The database approach won in the final rules. But the academic question — how good can autonomous spectrum sensing actually get — is still open."

Show the FCC ET Docket 03-108 quote from Week 2's opening. Then ask: "What probability of false alarm would you be willing to tolerate in a system that might block a licensed TV broadcaster if it gets it wrong?"

This anchors the energy detection threshold derivation in a real regulatory tradeoff, not an abstract statistics exercise.

Pacing Table

Topic | Time | Notes
Mitola cognitive radio arc (1991-2006 timeline) | 20 min | Keep brief; 3 dates, 3 ideas; don't over-historicize
Four-step cognitive cycle | 15 min | Simple diagram; each step linked to a code module
Energy detection: H0/H1, chi-squared distribution, threshold | 35 min | Derive threshold from P_fa; Monte Carlo verification
ROC curves: P_d vs P_fa at multiple SNR levels | 20 min | Plot in Python; emphasize the SNR wall
Cyclostationary feature detection (concept only) | 15 min | No full derivation; show the SCF concept; references for depth
Opportunistic access protocol (4 steps) | 15 min | Pseudocode + state diagram
Architecture comparison sidebar | 15 min | Mitola vs DARPA SC2 vs FCC TV White Space/DFS

Common Issues

Issue 1: Confusion between P_fa and P_d terminology. Students confuse the two Neyman-Pearson operating points. Anchor with a memorable framing: "P_fa costs bandwidth (you vacate a channel that was actually free); P_d costs coexistence (you don't vacate a channel the primary is on)." The ROC curve makes the tradeoff visual — cover both axes before letting students write code.

Issue 2: Energy detection fails at low SNR. Lab 2 Part A includes a Monte Carlo sweep. Students are surprised when the detector performs near-chance at 0 dB SNR. This is the "SNR wall" for energy detection — it is a fundamental limitation, not a bug. Walk through the math: at 0 dB SNR, the signal and noise power are equal, so the detector is essentially trying to distinguish chi-squared(2N) from chi-squared(2N) shifted by a small mean. The only fix is more samples (integration time) or a different detection method (cyclostationary).

Issue 3: Cognitive cycle simulator not terminating. Students who implement the CognitiveRadio class from scratch sometimes create infinite loops in the sense() → decide() → transmit() chain when the primary returns. The fix is in the check_primary_return() + vacate() logic — the sequence must break the transmit loop explicitly. Show the provided class implementation as reference.
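Added example, not code from Lab 2: a CLT-approximated energy detection threshold for a target P_fa, checked by Monte Carlo for a short and a long window, showing both why the measured P_fa drifts from target when N is small and why P_d sits near chance at low SNR until N grows. The noise power, SNR and trial counts are assumptions; only the standard library is used.

```python
import math
import random


def q_inverse(p):
    """Inverse Gaussian tail Q^-1(p), by bisection on math.erfc (no SciPy needed)."""
    lo, hi = -10.0, 10.0
    for _ in range(80):
        mid = 0.5 * (lo + hi)
        if 0.5 * math.erfc(mid / math.sqrt(2.0)) > p:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def energy_threshold(n, p_fa, noise_power=1.0):
    """Threshold for T = sum |x|^2 over N complex noise samples of power sigma^2.

    T/sigma^2 is chi-squared(2N)/2 with mean N and variance N. For large N the
    Gaussian (CLT) approximation gives lambda = sigma^2 * (N + sqrt(N) * Q^-1(P_fa));
    for small N the heavier chi-squared tail makes the true P_fa exceed the target.
    """
    return noise_power * (n + math.sqrt(n) * q_inverse(p_fa))


def trial_energy(rng, n, noise_power, signal_power):
    """One detector window: circular complex Gaussian noise, plus (under H1)
    a primary-user signal modelled as an independent complex Gaussian."""
    sn = math.sqrt(noise_power / 2.0)
    ss = math.sqrt(signal_power / 2.0)
    total = 0.0
    for _ in range(n):
        re = rng.gauss(0.0, sn)
        im = rng.gauss(0.0, sn)
        if signal_power > 0.0:
            re += rng.gauss(0.0, ss)
            im += rng.gauss(0.0, ss)
        total += re * re + im * im
    return total


def monte_carlo_rate(n, threshold, trials, snr_db=None, seed=1):
    """Fraction of windows whose energy exceeds the threshold.
    snr_db=None simulates H0 (returns measured P_fa); otherwise H1 (returns P_d)."""
    rng = random.Random(seed)
    sig = 0.0 if snr_db is None else 10 ** (snr_db / 10.0)
    hits = sum(1 for _ in range(trials) if trial_energy(rng, n, 1.0, sig) > threshold)
    return hits / trials


def run_demo(p_fa=0.01, snr_db=-5.0):
    """Short window (N=4) against a long one (N=256) at the same target P_fa."""
    results = {}
    for n, h0_trials, h1_trials in ((4, 20000, 5000), (256, 2000, 400)):
        lam = energy_threshold(n, p_fa)
        results[n] = {
            "threshold": lam,
            "p_fa_measured": monte_carlo_rate(n, lam, h0_trials),
            "p_d_measured": monte_carlo_rate(n, lam, h1_trials, snr_db=snr_db),
        }
    return results


if __name__ == "__main__":
    for n, stats in run_demo().items():
        print(n, stats)
```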

Anchor Weave Placement

Mitola Ch 1-2: Reading assignment before the week-2 lecture. The key passage: Mitola's description of the radio knowledge representation language (RKRL) and how it differs from a simple threshold detector. Even though students won't implement RKRL, the conceptual distinction — a radio that reasons about the spectrum versus one that reacts — is the core pedagogical payload of this chapter.

Lab 2 Timing Note

Lab 2 is 20 points with three main parts. Part A (energy detector calibration + ROC curves) typically takes 40-50 min if students do the full Monte Carlo sweep. The 1000-trial Monte Carlo runs fast in NumPy — the bottleneck is understanding why P_fa differs from the target when N is too small. Part B (occupancy map) is 15-20 min. Part C (cognitive radio simulator) is 20-30 min. Total expected: 80-90 min. Remind students that the 100-slot simulation in Part C should be deterministic — fix np.random.seed(42) so outputs are reproducible.


Chapter 3: SDR Receiver Chains (Week 4)

Opening Hook (5 min)

"In 2013, a team at Rice University demonstrated a full-duplex WiFi radio. The system achieved 110 dB of self-interference cancellation — roughly the difference in power between a laptop speaker and a nuclear submarine's sonar. They did it in three layers: antenna isolation (45 dB), analog cancellation (35 dB), and digital cancellation (30 dB). Each layer has a different mechanism. We're going to understand all three today."

This frames the full-duplex section not as a curiosity but as the engineering frontier that motivates knowing your receiver chain cold.

Pacing Table

Topic | Time | Notes
Receive chain block diagram (8 stages) | 15 min | Antenna → LNA → BPF → Mixer → VGA → ADC → DSP
Friis formula: derivation and friis_noise_figure() | 30 min | Work through 3-stage example by hand before code
System sensitivity formula | 15 min | -174 + 10·log₁₀(B) + NF + SNR_min
Dynamic range: IP3, SFDR, sfdr() | 20 min | Intermod products on frequency axis; 2/3 rule derivation
ADC: SQNR, ENOB, sqnr_ideal() | 15 min | 6.02N + 1.76 dB; ENOB from SINAD
Receiver architectures: superhet vs direct-conversion vs direct-sampling | 25 min | I/Q imbalance in direct-conversion; link to Lab 3
Full-duplex self-interference cancellation: 3 layers | 20 min | Sketch each layer; combined 70-120 dB claim

Common Issues

Issue 1: Friis formula applied in wrong order. Students occasionally apply the Friis cascade from the last stage to the first, getting the wrong NF. The mnemonic: Friis gives you the input-referred noise of the cascade, and the first stage dominates because its noise sees the full gain of everything after it. If the first stage has high NF, everything after it amplifies that noise. This is why the LNA is always first and always has the lowest NF we can achieve.

Issue 2: IP3 sign errors in SFDR. The SFDR formula (2/3)·(IIP3 - P_noise_floor) requires consistent dBm units. Students who accidentally use IIP3 in dBm and P_noise_floor in dBW get a nonsensical result. Build a unit-check habit: always convert to dBm before applying the formula.

Issue 3: Confusing NF and noise temperature. Lab 3 uses Y-factor noise figure measurement in noise temperature terms (Kelvin). The conversion T_noise = T_0 · (F - 1) where T_0 = 290 K trips up students who have only seen NF in dB. Show both formulas side by side; confirm the AD9361 datasheet NF converts to a sensible noise temperature before they start the lab.
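Added worked example for Issues 1 to 3 (not the course's friis_noise_figure() or sfdr()): a constructed three-stage chain run through the Friis cascade in the right and the reversed order, plus the sensitivity, SFDR and noise temperature conversions in consistent dBm units. The stage gains and noise figures, the 1 MHz bandwidth and the -10 dBm IIP3 are assumptions.

```python
import math


def db_to_lin(db):
    return 10.0 ** (db / 10.0)


def lin_to_db(x):
    return 10.0 * math.log10(x)


def friis_noise_figure(stages):
    """Cascade noise figure in dB. `stages` is a list of (gain_dB, NF_dB)
    tuples ordered from the antenna towards the ADC, first stage first:
    F = F1 + (F2-1)/G1 + (F3-1)/(G1*G2) + ... in linear units."""
    f_total = 0.0
    gain_before = 1.0
    for i, (gain_db, nf_db) in enumerate(stages):
        f = db_to_lin(nf_db)
        f_total += f if i == 0 else (f - 1.0) / gain_before
        gain_before *= db_to_lin(gain_db)
    return lin_to_db(f_total)


def noise_floor_dbm(bandwidth_hz, nf_db):
    """Input-referred noise floor: -174 dBm/Hz + 10log10(B) + NF."""
    return -174.0 + 10.0 * math.log10(bandwidth_hz) + nf_db


def sensitivity_dbm(bandwidth_hz, nf_db, snr_min_db):
    """System sensitivity from the chapter: -174 + 10log10(B) + NF + SNR_min."""
    return noise_floor_dbm(bandwidth_hz, nf_db) + snr_min_db


def sfdr_db(iip3_dbm, noise_floor_dbm_value):
    """Two-thirds rule; both arguments must already be in dBm."""
    return (2.0 / 3.0) * (iip3_dbm - noise_floor_dbm_value)


def dbw_to_dbm(dbw):
    """The unit-check habit from Issue 2: convert before applying the formula."""
    return dbw + 30.0


def noise_temperature_k(nf_db, t0=290.0):
    """T_noise = T0 * (F - 1) with F in linear units."""
    return t0 * (db_to_lin(nf_db) - 1.0)


def nf_from_temperature_db(t_noise_k, t0=290.0):
    """Inverse of noise_temperature_k."""
    return lin_to_db(1.0 + t_noise_k / t0)


# Constructed three-stage chain: LNA, mixer, IF amplifier as (gain_dB, NF_dB).
CHAIN = [(20.0, 1.0), (-7.0, 7.0), (30.0, 5.0)]


def run_demo():
    nf_fwd = friis_noise_figure(CHAIN)
    nf_rev = friis_noise_figure(list(reversed(CHAIN)))  # the wrong-order mistake
    floor = noise_floor_dbm(1e6, nf_fwd)
    return {
        "nf_cascade_db": nf_fwd,
        "nf_reversed_db": nf_rev,
        "sensitivity_dbm": sensitivity_dbm(1e6, nf_fwd, 10.0),
        "sfdr_db": sfdr_db(-10.0, floor),
        "sfdr_mixed_units_db": sfdr_db(-10.0, floor - 30.0),  # floor left in dBW
        "t_noise_3db_k": noise_temperature_k(3.0),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value:.2f}")
```

The reversed cascade lands several dB worse because the mixer's noise is no longer divided by the LNA gain, and the dBW slip inflates SFDR by exactly 20 dB.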

Anchor Weave Placement

Wyglinski Ch 4-5: Assign Ch 4 before lecture; Ch 5 (ADC and quantization) before the second session. Wyglinski has the most complete SDR-specific receiver chain treatment in the course library. The key figure to reference in lecture: the cascaded noise figure waterfall diagram showing how NF contributions from each stage roll up.

Lab 3 Timing Note

Lab 3 is 20 points with four parts. Part A (Y-factor noise figure) requires hardware access to the ANT-SDR E200. If hardware is unavailable, students use the documented AD9361 datasheet values (NF ≈ 3-4 dB at 900 MHz) as the reference baseline and simulate the two-gain-state measurement in Python. Part B (I/Q imbalance) can run fully in simulation. Parts C and D together take 25-30 min. The full hardware path (Parts A+D) requires the iio Python library — confirm it is installed in the lab environment before the session.


Chapter 4: RF Security Primitives (Week 5)

Opening Hook (5 min)

"In 2021, researchers at Virginia Tech published a paper showing that commodity WiFi chipsets could be fingerprinted with >99% accuracy using only a 4-microsecond segment of the preamble — before any data had been transmitted. The feature that made this possible: I/Q imbalance, a hardware artifact of the analog front-end that no digital calibration can fully remove. The same feature that an RF engineer treats as noise to be corrected is, to a security analyst, a persistent device identifier."

Then note the flip side: what does this mean for a threat actor who wants to spoof a legitimate device? They need the same hardware, with the same hardware parameters. That's harder than it sounds — and it's what the IMSI catcher defense analysis in Lab 4 is built around.

Pacing Table

Topic | Time | Notes
RF fingerprinting features (5-row table) | 20 min | CFO, I/Q imbalance, phase noise, transient, spectral flatness
CFO estimation: pilot correlation, phase delta method | 25 min | estimate_cfo() code walkthrough
I/Q imbalance model: iq_imbalance_model(), estimate_iq_imbalance(), irr_db() | 30 min | Show tone-at-+f with mirror at -f; measure IRR
ML fingerprinting: O'Shea 2018 reference | 15 min | Architecture overview only; not implemented in lab
Physical-layer key agreement: TDD reciprocity | 20 min | 4-step protocol; FDD limitation
5G-AKA cross-reference: SUCI/SUPI, IMSI catcher threat | 20 min | Link to cross-chapter-wireless-aka-progression.md; no duplication

Common Issues

Issue 1: CFO estimate sign error. The phase delta method returns a signed frequency estimate. Students who take abs(phase_delta) before converting to Hz lose the directional information. The sign matters for a carrier tracking loop. In Lab 4, TX A has +1200 Hz and TX B has -700 Hz CFO — the signed values are what make them separable in the feature space.

Issue 2: Feature space not separable at low SNR. Lab 4 Part B shows the accuracy vs. SNR curve. Students who see near-50% accuracy at -5 dB SNR think their code is wrong. It is correct — below about 5 dB SNR, the measurement noise on the CFO and I/Q imbalance estimates swamps the hardware fingerprint. The 90% accuracy breakpoint is typically around 8-12 dB SNR for the simulated parameters. Students should find this crossover empirically and report it.

Issue 3: estimate_iq_imbalance() returns NaN for constant-amplitude signals. If the test signal has near-zero amplitude variance (e.g., a perfect CW tone), E_IQ / (E_II + E_QQ) can return unexpected values. The function includes a 1e-12 guard term, but students who rewrite it from scratch sometimes miss this. Demonstrate with a pure tone input.
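Added example (not the course's estimate_cfo(), iq_imbalance_model() or irr_db()): a signed phase-delta CFO estimate on constructed captures with the Lab 4 offsets, and an I/Q imbalance model with the guarded IRR measurement from Issue 3. The 50 kHz sample rate, sample counts, 30 dB SNR and the 0.5 dB / 3° mismatch are assumptions.

```python
import cmath
import math
import random


def make_tone(cfo_hz, fs, n, snr_db=None, seed=0):
    """Constructed capture: unit-power complex exponential at `cfo_hz`,
    optionally plus circular complex Gaussian noise at the given SNR."""
    rng = random.Random(seed)
    x = [cmath.exp(2j * math.pi * cfo_hz * k / fs) for k in range(n)]
    if snr_db is not None:
        s = math.sqrt(10 ** (-snr_db / 10.0) / 2.0)
        x = [v + complex(rng.gauss(0, s), rng.gauss(0, s)) for v in x]
    return x


def estimate_cfo(x, fs):
    """Phase-delta method: the angle of sum x[n]*conj(x[n-1]) is 2*pi*f/fs,
    so the estimate keeps its sign. Unambiguous range is +/- fs/2."""
    acc = sum(x[k] * x[k - 1].conjugate() for k in range(1, len(x)))
    return cmath.phase(acc) * fs / (2 * math.pi)


def iq_imbalance_model(x, gain_db, phase_deg):
    """Receiver I/Q gain and phase mismatch: y = alpha*x + beta*conj(x).
    beta creates the mirror image at -f; a perfect front end has beta = 0."""
    g = 10 ** (gain_db / 20.0)
    phi = math.radians(phase_deg)
    alpha = (1 + g * cmath.exp(1j * phi)) / 2
    beta = (1 - g * cmath.exp(-1j * phi)) / 2
    return [alpha * v + beta * v.conjugate() for v in x]


def tone_power(x, f_hz, fs):
    """Power of the component at f_hz (single-bin DFT by correlation)."""
    n = len(x)
    acc = sum(v * cmath.exp(-2j * math.pi * f_hz * k / fs) for k, v in enumerate(x)) / n
    return abs(acc) ** 2


def irr_db(x, f_hz, fs, guard=1e-12):
    """Image rejection ratio: power at +f over power at the mirror -f.
    The guard term keeps the ratio finite for a perfect, image-free signal."""
    return 10 * math.log10(tone_power(x, f_hz, fs) / (tone_power(x, -f_hz, fs) + guard))


def run_demo(fs=50e3, n=4096):
    """Lab 4 offsets (+1200 Hz for TX A, -700 Hz for TX B); fs and n are assumptions."""
    tx_a = make_tone(1200.0, fs, n, snr_db=30.0, seed=1)
    tx_b = make_tone(-700.0, fs, n, snr_db=30.0, seed=2)
    est_b = estimate_cfo(tx_b, fs)
    clean = make_tone(10e3, fs, 1000)            # exactly 200 cycles, no noise
    impaired = iq_imbalance_model(clean, 0.5, 3.0)
    return {
        "cfo_a_hz": estimate_cfo(tx_a, fs),
        "cfo_b_hz": est_b,
        "cfo_b_abs_hz": abs(est_b),              # the sign error from Issue 1
        "irr_clean_db": irr_db(clean, 10e3, fs),
        "irr_impaired_db": irr_db(impaired, 10e3, fs),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value:.1f}")
```

Taking abs() collapses TX B onto +700 Hz, which is why the signed value is the feature; the clean tone shows the guard term holding the IRR at a finite 120 dB instead of dividing by zero.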

Anchor Weave Placement

Sklar Ch 14: Assign before lab. Sklar covers the RF link security context that motivates why physical-layer authentication exists: conventional cryptographic authentication assumes a verified channel, but the RF channel itself is unauthenticated. The IMSI catcher attack works precisely because the protocol trust model starts at the MAC layer, not the PHY layer. This is the conceptual bridge between the RF fingerprinting lab and the 5G-AKA material in Chapter 5.

Lab 4 Timing Note

Lab 4 is 15 points — the shortest lab in the course. The core simulation in Part A takes 10-15 min to run at 50 captures × 2 transmitters × 100 samples per iteration. Part B (classifier + accuracy vs. SNR curve) is the most time-consuming because the 6-level SNR sweep runs 1200 total classifier evaluations. With NumPy vectorized operations this takes under 2 minutes; without vectorization, students who use Python loops may see 10+ minutes. Flag this upfront.


Chapter 5: Cellular Protocols -- LTE and 5G NR (Weeks 6-7)

Opening Hook (5 min)

"On September 28, 2012, the first iPhone 5 shipped with LTE support. AT&T's network at the time had 24 million LTE subscribers by year-end — up from zero. How does a base station handle a hundred thousand devices simultaneously, each of which comes online by transmitting on a random access channel with no prior coordination? That's the RACH procedure. The LTE designers had to solve this with Zadoff-Chu sequences — sequences with a property so elegant that it almost seems like the math was designed for this specific problem."

The hook does two things: it gives students a concrete scale reference for why RACH matters, and it creates anticipation for the Zadoff-Chu autocorrelation property in the Lab 5 analysis question.

Pacing Table

Topic | Time | Notes
LTE architecture: E-UTRAN, EPC, interfaces | 20 min | Block diagram; S1, X2, S11 interfaces
OFDMA downlink: subcarrier structure, Resource Blocks | 25 min | 12 SC × 7 OFDM symbols = 84 RE per RB; PAPR issue
SC-FDMA uplink: DFT spreading, PAPR advantage | 15 min | Contrast with OFDMA; why uplink is different
RACH 4-step: Msg1-4 with Zadoff-Chu preamble | 30 min | Work through each message; link to Lab 5 Wireshark annotation
OAI Docker stack: component roles, log anatomy | 20 min | PHY/MAC/RRC/NAS layer markers in logs
5G NR: numerology, FR1/FR2, massive-MIMO | 20 min | 5 numerologies table; beamforming diagram
5G Core NF table: AMF, SMF, UPF, AUSF, UDM | 15 min | LTE equivalents column; CUPS via N4/PFCP
5G-AKA: SUCI, AUSF, HXRES* derivation | 25 min | Abbreviated sequence diagram; link to AKA handout
DOCSIS cross-reference (5 min sidebar) | 5 min | Upstream TDMA ≈ SC-FDMA; ranging ≈ RACH

Common Issues

Issue 1: Docker-compose ordering failures. In Lab 5, the OAI stack depends on MySQL being fully initialized before oai-hss starts, which must be running before oai-mme, which must be running before oai-enb. The depends_on in the docker-compose.yml handles ordering but not health-checking. Students who run docker-compose up -d all at once sometimes see oai-hss fail because MySQL isn't ready yet. The fix: docker-compose up -d mysql && sleep 10 && docker-compose up -d oai-hss oai-mme oai-spgwu && sleep 10 && docker-compose up -d oai-enb.

Issue 2: srsUE ZMQ port mismatch. The OAI eNB ZMQ configuration exposes TX on port 2000 and RX on port 2001. The srsUE configuration connects TX to 2001 and RX to 2000 — swapped, because srsUE's transmit is the eNB's receive. Students who configure both sides to the same port fail to connect silently; the ZMQ socket simply never receives. The asymmetry is correct; walk through it explicitly.

Issue 3: PUSCH SNR log regex not matching. The OAI log format varies between releases. The provided regex r'SNR=(-?\d+\.?\d*)' matches the develop branch log format as of course publication. If students are using a different image tag, the format may differ. Fallback: grep -i "snr" lab5-enb.log | head -20 to inspect the actual format, then adjust the regex.

Anchor Weave Placement

Kurose-Ross 9e §7.3.3+§7.4: Assign before the Week 6 lecture for LTE coverage. §7.5.3 (5G NR) and §8.8.2 (5G-AKA) before Week 7. The cross-chapter-wireless-aka-progression.md handout should already be in students' hands from RF-201 — reference it explicitly rather than re-presenting the AKA material. The cross-chapter-control-plane-architectures.md handout provides the LTE-to-5G core evolution diagram that Lab 5's OAI Docker stack instantiates.

Lab 5 Timing Note

Lab 5 is 25 points and is the most infrastructure-heavy lab in the course. Docker pull times for OAI images can be 15-30 minutes on a first pull — schedule this as pre-lab homework or provide a pre-pulled environment. The actual attach procedure (Part A) takes about 10 minutes of wall-clock time once the stack is running. The RACH annotation (Part B) requires Wireshark familiarity; allow 15-20 minutes for students who haven't used lte-rrc display filters before. The PUSCH SNR analysis (Part C) is straightforward Python once the log file is captured. Total expected with pre-pulled images: 90 minutes.


Chapter 6: Satellite Communications (Week 8)

Opening Hook (5 min)

"On February 2, 2022, SpaceX lost 38 of 49 newly launched Starlink satellites to a geomagnetic storm. The satellites were in low Earth orbit at 210 km altitude — far lower than their operational altitude — performing on-orbit checkout. The storm increased atmospheric drag, and the satellites couldn't maintain orbit. The key lesson for link budget analysis: LEO orbit altitude is not a fixed parameter. For NOAA APT, we assume 800 km. But during an ISS pass, your receiver might be tracking a target at 410 km with very different link math."

Then tie back: in Lab 6, students compute the APT link budget. They should be able to re-run it for a different altitude and understand what changes.
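Added example, not the course's link_budget() or doppler_during_pass(): the altitude-dependent terms of the APT link (orbital speed, worst-case Doppler, slant range and FSPL) at 800 km versus 410 km. The 20° elevation, 137.1 MHz carrier, spherical-Earth range geometry and the flat-ground Doppler model near zenith are assumptions.

```python
import math

C = 299_792_458.0           # speed of light, m/s
GM_EARTH = 3.986004418e14   # Earth's gravitational parameter, m^3/s^2
R_EARTH = 6_371_000.0       # mean Earth radius, m


def orbital_speed_ms(altitude_m):
    """Circular-orbit speed v = sqrt(GM / (R + h))."""
    return math.sqrt(GM_EARTH / (R_EARTH + altitude_m))


def max_doppler_hz(altitude_m, f_hz):
    """Worst-case Doppler (horizon, full orbital speed along the line of sight)."""
    return f_hz * orbital_speed_ms(altitude_m) / C


def slant_range_m(altitude_m, elevation_deg):
    """Distance to the satellite at a given elevation (spherical Earth, law of cosines)."""
    el = math.radians(elevation_deg)
    rs = R_EARTH * math.sin(el)
    return -rs + math.sqrt(rs * rs + 2 * R_EARTH * altitude_m + altitude_m ** 2)


def fspl_db(distance_m, f_hz):
    """Free-space path loss 20*log10(4*pi*d*f/c)."""
    return 20 * math.log10(4 * math.pi * distance_m * f_hz / C)


def doppler_during_pass(altitude_m, f_hz, t_s):
    """Doppler shift t_s seconds from zenith for a pass directly overhead,
    using the flat-ground approximation near zenith: d(t) = sqrt(h^2 + (v t)^2).
    Positive while approaching (t < 0), zero at zenith, negative while receding."""
    v = orbital_speed_ms(altitude_m)
    d = math.sqrt(altitude_m ** 2 + (v * t_s) ** 2)
    range_rate = v * v * t_s / d
    return -f_hz * range_rate / C


def apt_link_terms(altitude_m, elevation_deg=20.0, f_hz=137.1e6):
    """The altitude-dependent pieces of the APT link budget at one elevation."""
    d = slant_range_m(altitude_m, elevation_deg)
    return {
        "slant_range_km": d / 1e3,
        "fspl_db": fspl_db(d, f_hz),
        "fspl_zenith_db": fspl_db(altitude_m, f_hz),
        "max_doppler_hz": max_doppler_hz(altitude_m, f_hz),
    }


def run_demo():
    """NOAA at the assumed 800 km versus an ISS-like 410 km."""
    return {800: apt_link_terms(800e3), 410: apt_link_terms(410e3)}


if __name__ == "__main__":
    for alt, terms in run_demo().items():
        print(alt, {k: round(v, 1) for k, v in terms.items()})
```

At 800 km the worst-case Doppler comes out at about ±3.4 kHz, matching the chapter's APT figure; dropping to 410 km cuts the zenith path loss by roughly 5.8 dB but raises the Doppler rate, which is the "different link math" the hook refers to.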

Pacing Table

Topic | Time | Notes
Orbital regimes: LEO, MEO, GEO, HEO (table) | 20 min | Altitude, period, propagation delay, Doppler range
Doppler shift formula; NOAA APT numbers | 15 min | doppler_during_pass() function; ±3.4 kHz
Link budget: EIRP, FSPL, P_rx, G/T, C/N0, Eb/N0 | 35 min | link_budget() function; work NOAA APT example
NOAA APT signal structure: FM, 2400 Hz subcarrier | 20 min | Block diagram; relate to APT demod pipeline
apt_demodulate() Python pipeline | 25 min | Stage by stage; resample_poly detail
gr-satellites demo | 10 min | CLI invocation; python3 -m satellites NOAA-18 ...
Architecture comparison: LEO vs MEO vs GEO vs HEO | 15 min | Application mapping (NOAA/Starlink vs GPS vs commercial)

Common Issues

Issue 1: resample_poly integer ratio required. The APT pixel rate of 4160 Sa/s from a 2.4 MSPS capture requires resample_poly(signal, up=4160, down=2400000) — but NumPy's resample_poly requires that up and down be integers. The GCD simplification (4160 / gcd(4160, 2400000) = 13; 2400000 / gcd = 7500) produces a manageable ratio. Students who use resample(signal, n_pixels) instead of resample_poly get silent resampling artifacts that corrupt the image.

Issue 2: Pass prediction tool not matching actual NOAA transmission. The predict CLI requires accurate station coordinates and TLE data. Students sometimes enter longitude with the wrong sign convention (predict uses West-positive for longitude). The result is a predicted pass that shows the satellite overhead at the wrong time, and students miss the actual pass. Verify: run predict -t weather.tle and confirm the predicted AOS time matches Heavens-Above.com for the same satellite.

Issue 3: FM demodulation normalization. The APT FM deviation is ±17 kHz. Students who normalize by fs / (2π) instead of fs / (2π × 17000) get an audio signal that's 17000× too large or clips at ±1. The apt_demodulate() function normalizes explicitly with / 17000.0 — flag this line in the code review.

Anchor Weave Placement

Sklar Ch 16: Assign before the lab session. Sklar's satellite link budget treatment has the most careful Eb/N0 accounting in the course library. The key figure: the satellite link margin waterfall showing how each contributor (EIRP, FSPL, atmospheric loss, G/T, implementation margin) compounds.

Lab 6 Timing Note

Lab 6 is 20 points. The live capture (Part A) requires advance scheduling — NOAA passes of useful elevation (>20°) occur 2-4 times per day at most latitudes. Give students the capture window 24-48 hours before lab so they can plan. For students who miss the live pass, provide the instructor-captured IQ file. Part B (noaa-apt decode) takes 5-10 min. Part C (Python pipeline) is the most time-consuming — the apt_demodulate() function is already written, but students must correctly load the IQ file and reshape the output. Part D (link budget) is 15 min of calculation.


Chapter 7: SIGINT Discipline (Week 9)

Opening Hook (5 min)

"The NSA's SIGINT classification methodology was described in unclassified form in a 2013 document released through the Snowden disclosures. What struck signals analysts who read it: the methodology is not exotic. It is the same five-stage workflow taught in academic SDR courses. Survey the spectrum. Classify the modulation. Identify the symbol structure. Extract the preamble. Form a protocol hypothesis. The classified part is not the method — it's the target database and the processing scale."

Then ground it: in Lab 7, students are working with a single 30-second capture of an unknown ISM-band device. The method is the same; only the scale differs. The professional discipline of CONFIRMED/INFERRED/HYPOTHESIZED is not an academic nicety — it is the professional obligation not to create intelligence reporting that overstates confidence.

Pacing Table

Topic | Time | Notes
Five-stage pipeline overview (table) | 15 min | One row per stage; what you're measuring; output artifact
Stage 1: gr-fosphor waterfall; survey parameters | 20 min | Demo gr-fosphor with a known signal (e.g., FM broadcast)
Stage 2: Modulation visual indicators; analyze_signal() | 25 min | Walk through heuristics; emphasize failure modes
Stage 3: Spectrogram; FHSS/TDMA/OFDM patterns | 20 min | scipy.signal.spectrogram + Welch PSD of
Stage 4: estimate_symbol_rate(), find_preamble() | 20 min | Preamble search on ISM common patterns
Stage 5: Hypothesis document structure | 20 min | Walk through template; confidence assessment rules
ML modulation classification: RadioML, ModulationCNN | 20 min | Reference architecture; not trained in lab
Suricata-style RF detection rule (analogy) | 5 min | Brief; connects to NET-201 rule syntax students know

Common Issues

Issue 1: Spectral peak detection misidentifying symbol rate. The welch() PSD of |x|² technique finds symbol rate candidates as spectral peaks above the noise floor. Students sometimes identify the wrong peak — DC, a harmonic of the symbol rate, or a narrowband interferer. The fix is the peak_freqs > 500 filter (which drops the DC peak) plus a sanity check that the candidate makes physical sense given the signal bandwidth. If bandwidth ≈ 25 kHz and the claimed symbol rate is 200 kHz, something is wrong.

Issue 2: Preamble search false matches on correlated noise. search_preamble() does an exact bit-pattern match. At low SNR, the recovered bits are noisy and the 0xAA run pattern (alternating 1-0-1-0) occurs at random roughly once every 65 bits. Students who see many preamble "hits" for a noisy signal should check the SNR first and consider that they may need a softer match (Hamming distance threshold) rather than exact match.

Issue 3: Confidence level inflation. The most common error in the Stage 5 hypothesis document is putting INFERRED or HYPOTHESIZED claims in the CONFIRMED bucket. The test: a CONFIRMED claim must be verifiable by a second independent method or a reference implementation. If the only evidence is "it looked right in the spectrogram," it is HYPOTHESIZED. Enforce this in grading — the intellectual discipline is the pedagogical objective.
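Added example (not the course's search_preamble() or find_preamble()): the exact match beside a Hamming-distance match on a constructed bitstream whose 0xAAAA preamble carries two demodulation errors, plus the false-hit rate each produces on pure noise. The sync word, flip positions and stream lengths are constructed.

```python
import random


def hamming(a, b):
    """Number of positions where two equal-length bit sequences differ."""
    return sum(x != y for x, y in zip(a, b))


def int_to_bits(value, width):
    """MSB-first bit list of an integer."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def find_preamble(bits, pattern, max_errors=0):
    """Every offset where `pattern` appears in `bits` with at most `max_errors`
    bit disagreements. max_errors=0 is the exact match; a small positive value
    is the softer Hamming-distance match suggested for noisy recoveries."""
    span = len(pattern)
    return [i for i in range(len(bits) - span + 1)
            if hamming(bits[i:i + span], pattern) <= max_errors]


def best_offset(bits, pattern):
    """(offset, distance) of the closest match; the distance tells you how
    clean the 'hit' actually is before you trust it."""
    span = len(pattern)
    offsets = range(len(bits) - span + 1)
    best = min(offsets, key=lambda i: hamming(bits[i:i + span], pattern))
    return best, hamming(bits[best:best + span], pattern)


PREAMBLE = int_to_bits(0xAAAA, 16)   # the alternating 1-0 run from the chapter
SYNC = int_to_bits(0xD391, 16)       # constructed sync word that breaks the alternation


def build_capture(seed=3, noise_before=200, payload_bits=64, flip_positions=(3, 10)):
    """Constructed recovered bitstream: random bits, then preamble + sync + payload,
    with two preamble bits flipped to mimic demodulation errors at low SNR."""
    rng = random.Random(seed)
    noise = [rng.getrandbits(1) for _ in range(noise_before)]
    payload = [rng.getrandbits(1) for _ in range(payload_bits)]
    preamble = list(PREAMBLE)
    for p in flip_positions:
        preamble[p] ^= 1
    return noise + preamble + SYNC + payload


def false_hit_rate(n_bits, max_errors, seed=7):
    """Hits per bit on a pure-noise stream: the cost side of the soft-match tradeoff."""
    rng = random.Random(seed)
    noise = [rng.getrandbits(1) for _ in range(n_bits)]
    return len(find_preamble(noise, PREAMBLE, max_errors)) / n_bits


def run_demo():
    capture = build_capture()
    return {
        "exact_hits": find_preamble(capture, PREAMBLE, 0),
        "soft_hits": find_preamble(capture, PREAMBLE, 2),
        "best": best_offset(capture, PREAMBLE),
        "noise_rate_exact": false_hit_rate(20000, 0),
        "noise_rate_soft": false_hit_rate(20000, 2),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The exact match misses the real preamble at offset 200 entirely, while the soft match finds it at the price of a measurably higher false-hit rate on noise, which is why the SNR check comes first.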

Anchor Weave Placement

Sklar + Wyglinski: Sklar Ch 14-15 covers the modulation classification theory behind the heuristics in analyze_signal(). Wyglinski Ch 8 covers spectrum sensing for cognitive radio — many of the same techniques reappear in SIGINT stage 1-2. Assign Sklar before the Week 9 lecture; Wyglinski sections are useful as follow-up reading after lab.

Lab 7 Timing Note

Lab 7 is 25 points — the highest-stakes lab before the capstone. The five-stage pipeline runs sequentially and each stage builds on the previous. Budget: Stage 1 (15 min), Stage 2 (20 min), Stage 3 (20 min), Stage 4 (15 min), Stage 5 (20 min) = 90 min for the code. The SIGINT hypothesis document (20 pts of the 25) takes an additional 30-45 min of writing. Total: 2-3 hours for a thorough submission. Warn students that Lab 7 is deliberately underspecified — the unknown signal is genuinely unknown to them, and the right process is the deliverable, not a specific answer.


Chapter 8: Anti-Jamming, LPI/LPD, and Waveform Agility (Week 10)

Opening Hook (5 min)

"In 2017, ships in the Black Sea began reporting GPS positions 25+ miles from their actual location. Investigators traced the interference to a land-based transmitter operating in the GPS L1 band. The spoofing exploited a property of GPS L1 C/A that military GPS L1 P(Y) does not share: the civilian PN code is public. Anyone who knows the spreading code can generate a convincing replica. This is the fundamental difference between a system designed for interference resistance (GPS L1 C/A) and a system designed for spoofing resistance (GPS L1 P(Y)) -- and why the spreading code secrecy in military waveforms is not just a classification artifact."

Then connect: in Lab 8, students will simulate a 16-channel FHSS system with a fixed PN seed (seed=42). They can recover the hop sequence because the seed is known to them. An adversary who knows the PN code is in exactly the same position. This makes the connection between "processing gain" and "PN code secrecy" concrete.

Pacing Table

Topic | Time | Notes
Three motivating scenarios | 20 min | GPS jamming / FHSS TPMS / chirp radar; establish the structural pattern
FHSS: hop rate, coherence time, synchronization | 25 min | Draw the time-frequency plot; contrast with Stage 3 spectrogram
Chirp CSS: TW product, matched filter derivation | 25 min | Derive PG = 10·log10(BT); walk through LoRa SF7 example
DSSS: spreading, despreading, jamming margin | 20 min | J/S = PG - Eb/N0_req; worked example
LPI/LPD taxonomy table | 10 min | FHSS vs DSSS vs chirp vs hybrid; processing gain comparison
Architecture comparison sidebar | 10 min | GPS L1 C/A vs P(Y) vs Bluetooth vs LoRa vs Military FHSS

Common Issues

Issue 1: Confusing hop rate with symbol rate. Students write "the FHSS signal has a symbol rate of 1600 Baud" when 1600 hops/sec is the hop rate. The symbol rate is how many data bits per second are encoded within each hop; the hop rate is how fast the carrier frequency changes. They are independent. In the Lab 8 simulation, there is only one tone per hop and no data modulation -- the focus is the hopping pattern, not data encoding.

Issue 2: Chirp TW product with mixed units. Students apply 10·log10(B × T) with B in kHz and T in ms and get the wrong answer. The formula requires B in Hz and T in seconds; BT is dimensionless. Explicitly tell students: "write the units next to every number before multiplying." For LoRa SF7: B = 125,000 Hz, T = 0.002048 sec, BT = 256, PG = 24.1 dB.

Issue 3: Processing gain is not security. GPS L1 C/A has PG ≈ 43 dB but the PN code is public, so any receiver (or jammer that generates the correct PN) gets the full 43 dB of despreading gain. Students sometimes assume that high PG implies security. The key question is always "is the PN code secret?" -- not "is the PG high?"

Anchor Weave Placement

Sklar Ch 13: Assign before the Week 10 lecture. The key sections: §13.2 (FHSS anti-jamming derivation), §13.3 (DSSS processing gain), §13.4 (hybrid systems). Sklar's Table 13-1 (jamming margin comparison table) is the single most useful reference table in the course; reproduce it in the lecture and have students keep it for Lab 8 Part C.

Cross-chapter handout: cross-chapter-rf-301-anti-jamming-lpi-lpi-guide.md contains the processing gain formulas, common symbol rate table, and margin budget worksheet. Distribute before lab.

Lab 8 Timing Note

Lab 8 is 20 points with four parts. Part A (FHSS simulation) runs in under 2 minutes with NumPy; the bottleneck is understanding the hop sequence recovery accuracy and why it is less than 100%. Part B (chirp) is 20-30 min; the matched filter measurement loop with n_trials=50 takes 5-10 seconds. Part C (jamming margin budget) is a 10-min calculation exercise -- the hardest part is unit consistency. Part D (reflection) requires students to have understood the SIGINT pipeline failure points; allow 20-30 min for a thorough answer. Total: 75-90 min for the lab; 30-40 min for Part D.


Chapter 9: Protocol Reverse Engineering Cross-Cut (Week 11a)

Opening Hook (5 min)

"In 2010, researchers Aurelien Francillon, Bogdan Groza, and Bela Hamida published a study of tire pressure monitoring systems on commercial vehicles. They had no documentation, no vendor cooperation, and a commodity receiver. Starting from the RF physical layer, they recovered the tire ID field, the pressure encoding, the temperature field, and the checksum algorithm -- well enough to build a receiver, track vehicles by their tire IDs, and demonstrate privacy attacks against drivers. The protocol specification they produced was complete enough to reproduce; the vendor had never published it. This is the methodology you are learning in Lab 9."

Then ground it: the ISM433-MYSTERY capture is similar in structure to the TPMS case -- a proprietary OOK sensor with no public spec. The method is the same; the students are working at the same level of information availability the TPMS researchers had.

Pacing Table

Topic Time Notes
Lab 7 → RE cross-cut framing 10 min "Stage 5 produces a hypothesis; RE produces a specification"
Encoding schemes at the bit level 25 min NRZ/Manchester/differential/4B6B; detection table; Manchester pair test
Protocol state machine extraction 20 min Frame boundary detection; align captures; field variability map
Checksum and CRC recovery 25 min CRC-8 polynomial enumeration with crcmod; XOR test; failure cases
Protocol spec writing discipline 15 min CONFIRMED/INFERRED/HYPOTHESIZED definitions; minimum viable spec template
GNU Radio reimplementation overview 10 min correlate_access_code_bb → packet_headerparser_b chain
Architecture comparison sidebar 5 min Open (BLE) vs proprietary (OOK) vs semi-open (APRS)

Common Issues

Issue 1: Students decode payload before framing. The natural impulse is to jump directly to "what data is in the packet?" The correct order is framing first: preamble → sync word → payload boundaries → checksum field → then payload semantics. A student who tries to interpret payload bits before establishing frame boundaries will get unrepeatable results because they may be reading across frame boundaries.

Issue 2: Manchester decoding applied incorrectly. The Manchester rule used in this course is: 10 → 1, 01 → 0 (IEEE 802.3 uses the opposite polarity; picking the wrong one inverts every bit, which the preamble and sync word will immediately reveal). Students sometimes implement it as 1 → 1, 0 → 0 for individual bits (which is just NRZ) or apply it to groups of 4 bits. The pair test -- valid_fraction = mean(pairs[:, 0] != pairs[:, 1]) -- is the right diagnostic. If valid_fraction > 0.85, Manchester encoding is likely; if < 0.6, NRZ. The test is phase-sensitive: chips paired one position out of phase score about 0.5 even on perfectly valid Manchester, so run it at both offsets and keep the better one before concluding "NRZ".
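The pair test and decoder as a runnable NumPy example. This is added illustration, not code from the course lab files; the transmitter, the seeded random payload and the one-chip-early capture are constructed here so the phase and polarity failure modes from the paragraph above can be reproduced offline.

```python
import numpy as np

# Convention used in this course: bit 1 -> chips "10", bit 0 -> chips "01".
# IEEE 802.3 uses the opposite polarity; choosing wrongly just inverts every bit.
ONE_CHIPS = (1, 0)


def manchester_encode(bits, one_chips=ONE_CHIPS):
    """Constructed transmitter: expand each bit into its two-chip symbol."""
    zero_chips = one_chips[::-1]
    chips = [c for b in bits for c in (one_chips if b else zero_chips)]
    return np.asarray(chips, dtype=np.uint8)


def pair_test(chips, offset=0):
    """Fraction of chip pairs whose halves differ, pairing from `offset`.
    ~1.0 for aligned Manchester; ~0.5 for NRZ or for Manchester read one chip
    out of phase."""
    c = np.asarray(chips, dtype=np.uint8)[offset:]
    pairs = c[: len(c) // 2 * 2].reshape(-1, 2)
    return float(np.mean(pairs[:, 0] != pairs[:, 1]))


def classify_encoding(chips, hi=0.85, lo=0.6):
    """Pair test at both phases, then the guide's thresholds.
    Returns (verdict, best_offset, valid_fraction)."""
    scores = [pair_test(chips, 0), pair_test(chips, 1)]
    offset = int(np.argmax(scores))
    best = scores[offset]
    if best > hi:
        verdict = "manchester"
    elif best < lo:
        verdict = "nrz"
    else:
        verdict = "ambiguous"  # leave the encoding HYPOTHESIZED; get more chips
    return verdict, offset, best


def manchester_decode(chips, offset=0, one_chips=ONE_CHIPS):
    """Decode phase-aligned chips. Returns (bits, indices of invalid pairs).
    An invalid pair (00 or 11) inside a burst usually means a dropped chip or
    a frame gap, so the first one after a valid run is a boundary candidate."""
    c = np.asarray(chips, dtype=np.uint8)[offset:]
    pairs = c[: len(c) // 2 * 2].reshape(-1, 2)
    invalid = np.flatnonzero(pairs[:, 0] == pairs[:, 1])
    bits = (pairs[:, 0] == one_chips[0]).astype(np.uint8)
    return bits, invalid


def demo():
    """Constructed data: random payload, Manchester-encoded, captured one chip
    early (so naive pairing is out of phase), plus a plain NRZ stream."""
    rng = np.random.default_rng(7)
    bits = rng.integers(0, 2, 64, dtype=np.uint8)
    captured = np.concatenate(([0], manchester_encode(bits))).astype(np.uint8)
    nrz = rng.integers(0, 2, 128, dtype=np.uint8)

    verdict, offset, score = classify_encoding(captured)
    decoded, invalid = manchester_decode(captured, offset)
    flipped, _ = manchester_decode(captured, offset, one_chips=(0, 1))
    return {
        "verdict": verdict,
        "offset": offset,
        "score": score,
        "decoded_ok": bool(np.array_equal(decoded, bits)),
        "n_invalid": int(len(invalid)),
        "wrong_polarity_inverts": bool(np.array_equal(flipped, 1 - bits)),
        "nrz_verdict": classify_encoding(nrz)[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as a script to see the out-of-phase capture classified as Manchester at offset 1 with valid_fraction 1.0, the payload recovered exactly, the wrong polarity convention producing the bitwise complement, and the NRZ stream scoring well below the 0.85 threshold. In Lab 9 the same `pair_test` is applied to the thresholded OOK envelope sampled at one chip per sample, so a wrong Lab 7 symbol-rate estimate shows up here as a low score at both offsets.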

Issue 3: CRC enumeration produces multiple matches. With only one or two reference packets, the CRC enumeration may find several candidate polynomials that all match the sample data. The resolution: test candidates against a second reference packet from a different capture. The correct polynomial will match both; coincidental matches will not. Students who have fewer than 3-5 reference packets cannot definitively confirm the checksum algorithm -- this should be marked HYPOTHESIZED.
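The enumeration-and-filter workflow from Issue 3, together with the CONFIRMED/INFERRED/HYPOTHESIZED labelling from the pacing table, as an added example. It is not the lab's crcmod-based code: it uses a plain table-driven CRC-8 so it runs with no dependencies, the "transmitter" parameters (CRC-8/NRSC-5: poly 0x31, init 0xFF, no reflection, xorout 0) and the three sensor payloads are constructed here, and the search space (poly and init only, CRC in the last byte covering all preceding bytes) and the confidence thresholds are this example's assumptions.

```python
"""Recover CRC-8 parameters by enumeration, then shrink the candidate set
with additional reference frames (constructed example)."""


def make_table(poly):
    """MSB-first (non-reflected) CRC-8 lookup table for one polynomial."""
    table = []
    for byte in range(256):
        crc = byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
        table.append(crc)
    return table


def crc8(data, table, init=0x00):
    crc = init
    for b in data:
        crc = table[crc ^ b]
    return crc


# Constructed "transmitter" whose parameters the analyst does not know.
# CRC-8/NRSC-5 parameters: poly 0x31, init 0xFF, no reflection, xorout 0.
_TX_POLY, _TX_INIT = 0x31, 0xFF
_TX_TABLE = make_table(_TX_POLY)


def tx_frame(payload):
    return bytes(payload) + bytes([crc8(payload, _TX_TABLE, _TX_INIT)])


# Three captures of different length and content (constructed sensor payloads);
# frames that differ in only a byte or two leave many coincidental matches alive.
REFERENCE_FRAMES = [
    tx_frame(bytes([0xA5, 0x3C, 0x11, 0x00, 0x7E])),
    tx_frame(bytes([0xA5, 0x3D, 0x12, 0x01, 0x7E, 0x09])),
    tx_frame(bytes([0x5A, 0xC0, 0xFF, 0x10, 0x55, 0x33, 0x21])),
]


def recover_crc8(frames):
    """Enumerate (poly, init) over the non-reflected CRC-8 space and keep only
    candidates consistent with every frame.
    Returns (survivors, survivor count after each frame).
    Assumption: the CRC is the last byte and covers all preceding bytes;
    reflection and xorout are not searched here (add them when a real capture
    leaves no survivors)."""
    tables = {p: make_table(p) for p in range(1, 256)}
    survivors = [(p, i) for p in range(1, 256) for i in range(256)]
    counts = []
    for frame in frames:
        payload, expected = frame[:-1], frame[-1]
        survivors = [(p, i) for p, i in survivors
                     if crc8(payload, tables[p], i) == expected]
        counts.append(len(survivors))
    return survivors, counts


def confidence_label(n_frames, n_survivors):
    """Map evidence to the spec's confidence levels. Thresholds are this
    example's assumptions, following the guide's 3-5 frame rule."""
    if n_survivors != 1 or n_frames < 3:
        return "HYPOTHESIZED"
    return "CONFIRMED" if n_frames >= 5 else "INFERRED"


if __name__ == "__main__":
    survivors, counts = recover_crc8(REFERENCE_FRAMES)
    print("survivors after each frame:", counts)
    print("remaining (poly, init):", [(hex(p), hex(i)) for p, i in survivors])
    print("checksum field:", confidence_label(len(REFERENCE_FRAMES), len(survivors)))
```

After the first frame at least 128 (poly, init) pairs remain (every odd polynomial has exactly one init that reproduces any given check byte, which is why a single packet can never confirm anything); the second and third frames cut that to the true pair plus, rarely, one coincidence. With three frames the label is at best INFERRED; the student needs two more captures before writing CONFIRMED.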

Anchor Weave Placement

Protocol RE field notes handout: cross-chapter-rf-301-protocol-re-field-notes.md is the primary reference for Lab 9. It contains the encoding detection table, CRC polynomial reference, OOK demodulation steps, and confidence level definitions. Distribute at the start of Week 11a.

Lab 7 prerequisite: Students need their Lab 7 symbol rate estimate and modulation hypothesis as a starting point for Lab 9. If a student's Lab 7 Stage 2 hypothesis was wrong, Lab 9 will reveal it -- the OOK demodulation will produce garbage if the wrong symbol rate is used. This is pedagogically correct: Lab 9 is the verification of Lab 7.

Lab 9 Timing Note

Lab 9 is 20 points and is the most open-ended lab in the course. Students will take very different amounts of time depending on how much they struggle with Parts A-B. Budget: Part A (bit extraction) 20-30 min; Part B (field variability) 30-40 min; Part C (checksum) 15-20 min; Part D (spec writing) 20-30 min. Total: 85-120 min. Flag Part D as the deliverable that separates strong from weak submissions -- a complete spec with honest confidence levels requires reflection, not just code output.

Grading note: Part D is graded on completeness and honesty, not on correctness. A student who honestly marks three fields as HYPOTHESIZED with clear reasoning scores better than a student who marks all fields CONFIRMED with no evidence.


Chapter 10: Penetration Testing Cross-Cut (Week 11b)

Opening Hook (5 min)

"In July 2015, Charlie Miller and Chris Valasek demonstrated remote compromise of a 2014 Jeep Cherokee over the Sprint cellular network, from a laptop miles away, while the vehicle drove at highway speed near St. Louis. The entry point was the Uconnect head unit's cellular modem -- an RF interface running an IP stack -- which exposed an unauthenticated service to the cellular network. The exploit chain ran: cellular network → Uconnect IP stack → head unit → reflashed CAN-bridge microcontroller → CAN bus → brakes and transmission. No physical access. No proximity required. The entry medium was RF."

Then state the course doctrine: RF PT must address both the RF access surface and what is reachable from it. A passive capture engagement that finds a replay-vulnerable key fob is incomplete if the analyst doesn't also ask: what happens after the attacker gets in?

Pacing Table

Topic Time Notes
RF PT vs. network PT (comparison table) 20 min Authorization basis / attack delivery / collateral risk / evidence capture
FCC authorization framework 20 min Part 15 / Part 97 / Experimental license; active vs passive boundary
RF reconnaissance methodology 15 min Passive survey → signal attribution → active threshold
Protocol-level attacks table 20 min Replay / bit-flip / jamming / BLE spoofing / rolling code analysis
Rolling code analysis: Keeloq breaks 20 min DPA attack / algebraic attack / relay attack; what these mean for RF PT
Responsible disclosure for RF 10 min No CVE equivalent; 90-day standard; safety system complexity
Architecture comparison sidebar 10 min OOK fixed → rolling code → BLE → WPA3 → 5G NR
RF defense measures table 5 min Rolling code / challenge-response / UWB / FHSS / temporal diversity

Common Issues

Issue 1: Students conflate passive capture with authorized engagement. Passive capture (an RTL-SDR receiving RF emissions, never transmitting) needs no FCC transmit authorization, but it is not unconditionally lawful: Part 15 governs unlicensed transmitters, while interception and disclosure of certain communications (cellular voice and data, for example) are restricted separately by the federal wiretap statutes (ECPA, 18 U.S.C. § 2511, and 47 U.S.C. § 605). Active transmission against a client's system requires written authorization specifying frequencies, power levels, and locations. Students sometimes ask "can I just replay the signal I captured at the hardware store?" -- the answer is no: a replay is a transmission, and the hardware store's device is not in the scope document.

Issue 2: "Rolling codes are secure" misconception. The Keeloq algebraic attack requires observing 65,536 codes (2^16 known plaintext/ciphertext pairs from one transmitter), which is not realistic for a single engagement. The DPA attack requires physical access to the ASIC. Students learn that rolling codes are not naive-replay-vulnerable but are also not cryptographically secure -- they fall in between. The relay attack is the most realistic threat: it does not require breaking Keeloq at all, just extending the communication range. Note its precondition, though: relay works against passive keyless entry, where the car polls the key and the key answers automatically. A push-button rolling-code remote transmits only when the owner presses it, so extending its range gains the attacker nothing on its own.

Issue 3: ROE document too generic. Lab 10 Part C asks for a ROE document specific to the ISM433-MYSTERY sensor network. Students who write generic ROE language ("all RF transmissions authorized") score poorly. The document must name the specific frequencies, power constraints, device scope, and active/passive boundary.

Anchor Weave Placement

Week 11b architecture sidebar: The RF attack surface table (OOK fixed-code → rolling code → BLE → WPA3 → 5G NR) developed in this week's lecture is the reference for Lab 10 Part A threat model. Students should have it visible when writing the threat model table.

Lab 9 prerequisite: Lab 10 uses the Lab 9 protocol spec as the analysis target. Students who did not complete Lab 9 should use the reference spec printed in Lab 10's overview section. The analysis is possible with either the student's own spec or the reference; the student's own spec produces a more authentic result.

Lab 10 Timing Note

Lab 10 is 15 points and is the shortest lab in the v0.2 curriculum. It is primarily a writing and analysis lab, not a coding lab. Part A requires no code beyond the provided analyze_replay_feasibility() and test_bitflip_injection() functions. Part B (defense analysis) is the most intellectually demanding -- 20-30 min for students who have thought carefully about the tradeoffs. Part C (ROE document) takes 15-20 min if done well. Total: 60-80 min.

The most common grading deduction: Part C ROE documents that are not specific to the scenario. Students should reference the ISM433-MYSTERY protocol, the 433.92 MHz frequency, the warehouse setting, and the specific attacks identified in Part A. A generic "authorized RF testing activities" sentence receives partial credit.


Chapter 11: ML Modulation Classification (Week 11c, Optional)

Opening Hook (5 min)

"In 2016, Timothy O'Shea and Nathan West published 'Radio Machine Learning Dataset Generation with GNU Radio.' The dataset they released -- RadioML 2016.10A -- became the ImageNet of RF machine learning. Within three years it had been cited in 500+ papers. The key contribution was not the neural network architecture (which was simple by 2016 standards) but the dataset: 11 modulation classes, 220,000 labeled examples, a clean benchmark. Before RadioML, there was no agreed-upon way to compare AMC algorithms. After RadioML, the question became 'what accuracy do you get on RadioML 2016.10A at SNR=+10dB?'"

Then note the limitation: RadioML's channel is simulated (AWGN plus GNU Radio's dynamic channel model, i.e. synthetic fading, carrier-frequency and sample-rate offsets), its class list is fixed, and nothing in it reflects a real 433 MHz front end, adjacent-channel interference, or the actual ISM-band signal population. The Lab 11 experiment will reveal this gap.

Pacing Table

Topic Time Notes
Motivation: where hand-engineered features fail 15 min Low SNR confusion; novel modulations; comparison to Lab 7 Stage 2
RadioML 2016.10A: structure, classes, SNR range 20 min Loading, class distribution, sample shape
ModulationCNN architecture 20 min Conv1d choice; BatchNorm; Dropout; parameter count
Training loop: loss curve, overfitting, validation 20 min Run a 3-epoch demo live; show the curves
Confusion matrix interpretation 20 min Per-class recall; most confused pairs; SNR effect
Transfer learning for novel modulations 10 min Freeze conv block; replace classifier; fine-tune
GNU Radio deployment: gr-pyblock wrapper 10 min Throughput analysis; GPU vs CPU
Architecture comparison sidebar 5 min Template matching → expert feature → RadioML CNN → O'Shea transformer

Common Issues

Issue 1: Training on CPU takes too long. The full RadioML 2016.10A dataset has 220,000 examples. A 10-epoch training run on CPU with batch_size=256 takes approximately 30-60 minutes depending on the machine. On a GPU, this is 3-5 minutes. If the lab environment does not have GPU access, run 3 epochs for demonstration and have students report the in-progress accuracy. Alternatively, pre-train the model and distribute modulation_cnn.pt for students to use in Parts C and D.

Issue 2: Dataset file encoding issue. RadioML 2016.10A ships as a Python 2 pickle. Loading without encoding='latin1' produces a UnicodeDecodeError. The load_radioml_2016() function in the lab handles this; students who write their own loading code will hit it.

Issue 3: Lab 7 unknown signal comparison is open-ended. Part D asks students to compare the CNN output to their Lab 7 Stage 2 hypothesis. There is no "correct answer" here -- the point is the comparison and the reasoning. A student who says "the CNN says 8PSK but my Stage 2 says AM/ASK; I trust Stage 2 because the amplitude variance is 0.4 which is incompatible with PSK" is showing exactly the right thinking.

Lab 11 Timing Note

Lab 11 is optional (20 points, replaces lowest lab score). It is the most computationally demanding lab in the course. Budget: Part A (10 min), Part B (30-60 min depending on GPU availability), Part C (20 min), Part D (15 min). Total: 75-105 min with GPU; substantially longer with CPU-only. Distribute modulation_cnn.pt as a fallback for students who cannot train in the lab environment.


Chapter 12: Capstone Preparation (Week 12)

Opening Hook (5 min)

Skip the opening hook this week. Students are 12 weeks in; they know the mission. Use the first 5 minutes to state the Week 12 agenda directly: "Today you will demonstrate that make demod runs and that you have Stage 1-2 analysis to show me. That is the Tier 1 gate. Everything else is a bonus. If your demodulator doesn't run today, we fix it now, not in Week 13."

The directness is intentional. Students who have been vague about their capstone progress need a hard check-in, not another lecture.

Tier 1 Gate Check-In Protocol

Each student gets 10 minutes. Run them in order; have students waiting outside.

  1. IQ archive (0-2 min): ls -lh data/target_signal.cf32 -- confirm file present and > 1 MB. If missing, the student receives a Tier 1 FAIL flag; schedule a remediation check-in in Week 13.

  2. make demod (2-5 min): Run it. If it exits 0 with non-empty output: Tier 1 gate passed. If it errors: record the error, help triage for 2 minutes, then move on. The gate is either passed or not; this session is not debugging time.

  3. Stage 1 presentation (5-8 min): Student shows plots/stage1_spectrum_survey.png. Check: are all 4 plots present? Do axes have labels and units? Is the bandwidth estimate quantified?

  4. Modulation hypothesis (8-10 min): Student states the hypothesis. The instructor's job: ask one challenge question ("what feature rules out AM?"). Write 2 sentences of feedback on a card.

  5. Hand the feedback card to the student and call next.

Common Capstone Failures (Instructor Reference)

Failure Mode 1: Modulation wrong, uncaught before Week 13. Symptom: student's demodulator produces non-zero output but verify.py fails the "output is signal-derived" check. Root cause: Stage 2 hypothesis was wrong; demodulator was built for the wrong modulation. Remediation: run Stage 2 analysis again with the ML classifier (if Lab 11 was completed); cross-check the Lab 7 Stage 2 output.

Failure Mode 2: make demod exits 0 but output is empty. Symptom: the demodulator script runs without error but output/demod_frames.bin is 0 bytes. Root cause: the demodulator has a silent failure -- typically a threshold that is too high (no symbols pass) or a file path mismatch. Ask the student to print the number of symbols recovered before writing the output file.

Failure Mode 3: Hypothesis document with zero HYPOTHESIZED. Symptom: all fields are CONFIRMED. Challenge immediately: "How did you verify this independently? What would a second test look like?" If the student cannot answer, the field should be INFERRED or HYPOTHESIZED. This is an intellectual honesty issue; address it directly.

Failure Mode 4: Reproducibility package references files on a local path. Symptom: make demod fails on the grading machine because the path is /home/student/capstone/data/... rather than a relative path data/.... Require all paths in the Makefile and scripts to be relative to the project root.
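The gate protocol above (archive present and > 1 MB, `make demod` exits 0, Stage 1 plot present) plus the checks for Failure Modes 2 and 4, as an added script an instructor can run on each project directory. It is not part of the course materials; it assumes the file layout named in this guide (data/target_signal.cf32, output/demod_frames.bin, plots/stage1_spectrum_survey.png, a Makefile with a demod target), the absolute-path patterns it flags are this example's choice, and the mock project that `demo()` builds is constructed so the script can be exercised without `make` or a real demodulator.

```python
"""Tier 1 gate check for capstone check-ins (added example)."""
import re
import subprocess
import sys
import tempfile
from pathlib import Path

MIN_ARCHIVE_BYTES = 1 << 20  # guide: IQ archive must be > 1 MB
# Hard-coded local paths that break `make demod` on the grading machine.
ABS_PATH = re.compile(r"/home/|/Users/|[A-Za-z]:\\")


def check_archive(root):
    p = root / "data" / "target_signal.cf32"
    return p.is_file() and p.stat().st_size > MIN_ARCHIVE_BYTES


def run_demod(root, cmd, timeout=300):
    """Run the demodulator; exit status 0 is necessary but not sufficient."""
    try:
        r = subprocess.run(list(cmd), cwd=root, capture_output=True,
                           text=True, timeout=timeout)
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        return False, str(exc)
    return r.returncode == 0, (r.stdout + r.stderr)[-2000:]


def check_output(root):
    """Failure Mode 2: exit 0 with a 0-byte output file is still a fail."""
    p = root / "output" / "demod_frames.bin"
    return p.is_file() and p.stat().st_size > 0


def find_absolute_paths(root):
    """Failure Mode 4: flag hard-coded local paths in the Makefile and scripts."""
    hits = []
    for f in [root / "Makefile", *root.rglob("*.py"), *root.rglob("*.sh")]:
        rel = f.relative_to(root)
        if not f.is_file() or any(part.startswith(".") for part in rel.parts):
            continue  # skip virtualenvs and other dot-directories
        for n, line in enumerate(f.read_text(errors="replace").splitlines(), 1):
            if ABS_PATH.search(line):
                hits.append((str(rel), n, line.strip()))
    return hits


def tier1_gate(root, demod_cmd=("make", "demod")):
    root = Path(root)
    archive = check_archive(root)
    exit0, log = run_demod(root, demod_cmd)
    output = check_output(root)
    return {
        "archive": archive,
        "demod_exit0": exit0,
        "output_nonempty": output,
        "stage1_plot": (root / "plots" / "stage1_spectrum_survey.png").is_file(),
        "absolute_paths": find_absolute_paths(root),
        "tier1_pass": archive and exit0 and output,
        "log_tail": log,
    }


def _mock_project(root, demod_writes_bytes):
    """Constructed stand-in for a student project. The 'demodulator' is a
    one-line Python command so the demo does not depend on make."""
    for sub in ("data", "output", "plots"):
        (root / sub).mkdir()
    (root / "data" / "target_signal.cf32").write_bytes(bytes(MIN_ARCHIVE_BYTES + 1))
    (root / "plots" / "stage1_spectrum_survey.png").write_bytes(b"\x89PNG")
    (root / "Makefile").write_text(
        "demod:\n\tpython demod.py /home/student/capstone/data/target_signal.cf32\n")
    script = f"open('output/demod_frames.bin', 'wb').write(b'x' * {demod_writes_bytes})"
    return (sys.executable, "-c", script)


def demo():
    """Run the gate on a healthy mock project and on one with a silent failure."""
    results = {}
    for name, nbytes in (("healthy", 32), ("silent_failure", 0)):
        with tempfile.TemporaryDirectory() as d:
            cmd = _mock_project(Path(d), nbytes)
            results[name] = tier1_gate(d, cmd)
    return results


if __name__ == "__main__":
    for name, res in demo().items():
        print(name, {k: v for k, v in res.items() if k != "log_tail"})
```

For a real check-in call `tier1_gate("/path/to/student/capstone")` and leave the default `("make", "demod")`; the returned dictionary gives the pass/fail decision and, separately, the absolute-path hits to write on the feedback card. The silent-failure case in `demo()` is exactly Failure Mode 2: exit status 0, empty output, gate not passed.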

Key Message to Students

Deliver this at the start of the Week 12 lab session:

"The capstone is not graded on whether you correctly identify the protocol. It is graded on how you handle uncertainty. A student who correctly identifies the protocol but has no HYPOTHESIZED claims in their confidence assessment will score lower on Dimension A than a student who has two wrong hypotheses in the HYPOTHESIZED bucket with clear reasoning for why they are wrong. Professional signals intelligence work is not about being right -- it is about being correctly calibrated about what you don't know."


Toolchain Integration Table (Weeks 1-12)

Week Tool How Used
1 Academy Flowgraph FIR/IIR filter visualization before GNU Radio
1 SciPy remez, kaiserord Parks-McClellan and Kaiser FIR design
1 GNU Radio freq_xlating_fir_filter Polyphase channelizer reference block
2 SciPy welch, NumPy Monte Carlo Energy detector calibration, ROC curves
3 Python iio library ANT-SDR E200 hardware access
3 GNU Radio analog.noise_source_c Noise calibration reference
4 SciPy correlate CFO estimation via pilot correlation
5 Docker Compose OAI LTE stack (eNB + EPC)
5 srsRAN srsue Software UE for LTE attach
5 Wireshark / tshark lte-rrc filter RACH annotation
6 predict CLI / Heavens-Above.com NOAA pass prediction
6 rtl_sdr CLI APT capture
6 noaa-apt APT decoding
7 gr-fosphor Wideband spectrum survey
7 SciPy spectrogram, welch Stage 1-3 signal analysis
8 numpy.random.default_rng Reproducible FHSS PN sequence generation
8 SciPy spectrogram FHSS hop sequence visualization
8 numpy.convolve Matched filter for chirp processing gain
9 crcmod.mkCrcFun CRC-8 polynomial enumeration
9 numpy.diff Differential Manchester decode
9 GNU Radio digital.correlate_access_code_bb Sync word search in demodulated bit stream
10 hackrf_transfer TX chain (theoretical; requires authorized lab + RF shield)
11c torch, torch.nn ModulationCNN training and inference
11c sklearn.metrics.confusion_matrix Per-class accuracy at multiple SNR levels
11c gr-pyblock GNU Radio wrapper for Python-based classifier
