RF-201 closed at the protocol-RE engagement. RF-301 takes the same student to carrier scale, satellite scale, cellular scale, and adversary scale. Advanced DSP at the depth a working SDR engineer reads it. Cognitive radio anchored on Mitola. Cellular protocols via OpenAirInterface. SATCOM. SIGINT. Anti-jamming and LPI/LPD. The terminal RF-track course.
Course mission and audience
VCA-RF-301 is the RF track's terminal course. Students arrive from RF-201 having shipped a real-world end-to-end RF-protocol RE capstone: a working GNU Radio demodulator, a written protocol specification at successor-engineer depth, and a reproducibility package. They leave RF-301 able to work at carrier, satellite, cellular, and adversary scale -- scales at which the single-protocol assumptions of RF-201 break down.
Position: After RF-201 + CSA-201. Terminal RF-track course. Cross-cuts RE-201, ADV-101.
The pedagogical contract: RF-301 is RF at the scales where single-protocol framing is not enough. Every module takes an RF-201 substrate and pushes it to the domain where carrier, satellite, cellular, or adversary constraints restructure the problem. Filter design is not "choose a filter" -- it is a receiver-chain budget decision. The 5G cellular stack is not one protocol -- it is a dozen physical-layer mechanisms stacked with an IP-connected control plane that network-function-by-function decomposes the EPC.
Legal and ethical framing: Transmit work is conducted on RF-shielded or explicitly authorised equipment. Cellular stack work (LTE, 5G NR via OAI) is conducted on equipment and bands for which the student holds explicit authorisation or on isolated testbeds with no public-spectrum radiation. ITAR applies to certain SATCOM and SIGINT capability; students confirm applicability before engaging those modules in production contexts.
Foundational anchors
Primary quartet:
Joseph Mitola III, Cognitive Radio Architecture, Wiley-Interscience, 2006. Primary anchor for Chapter 2; Mitola coined "software radio" and "cognitive radio." Read Introduction + Ch 1-2 before Week 2 lecture.
Wyglinski, Getz, Collins, Pu, Software-Defined Radio for Engineers, Artech House, 2018. FREE PDF via Analog Devices.
Library: /media/laptop/data4t/books-master/Calibre_Library/Collins, Getz, Pu, Wyglinski/Software-Defined Radio for Engineers (666)/
Chapters 4-5 (advanced receiver-chain budgeting) are primary for Weeks 1-3.
Richard Lyons, Understanding Digital Signal Processing, 3rd ed. Pearson, 2010.
Library: /media/laptop/data4t/books-master/Calibre_Library/Richard G. Lyons/Understanding Digital Signal Processing, 3rd Edition (686)/
Chapters 6-13 (advanced filtering, adaptive filters, spectral analysis). Continues the Lyons arc from RF-201.
James Kurose and Keith Ross, Computer Networking: A Top-Down Approach, 9th ed. Pearson, 2021. §7.3.3 (5G NR), §7.4 (5G Core), §7.5.3 (5G mobility), §8.8.2 (5G-AKA). Primary for Week 5.
Module-specific anchors:
- Bernard Sklar, Digital Communications, 3rd ed. (Pearson, 2017) -- advanced spread-spectrum + anti-jamming chapters for Weeks 4, 9
- Marc Lichtman, PySDR (pysdr.org; free) -- advanced chapters as in-browser supplement
- OpenAirInterface community documentation (openairinterface.org) -- primary for Week 5 cellular lab
- Michael Ossmann, "Software Defined Radio with HackRF" video series (YouTube; free) -- HackRF-specific advanced work
- David Pozar, Microwave Engineering, 4th ed. (Wiley, 2011) -- selected RF-circuit chapters for Week 3 receiver-chain depth
- Marwick, Inside Radio: An Attack and Defense Guide -- supplementary for Week 8 waveform RE
Per-chapter reading assignments publish in handouts/cross-chapter-rf-301-anchor-reading-guide.md (already landed).
Chapter and week map
| Chapter | Title | What RF-201 module it scales | Weeks |
|---|---|---|---|
| 1 | Advanced DSP: filter design (FIR / IIR / adaptive / FFT-based) | RF-201 Ch 5 LoRa demodulator filter pair | 1-2 |
| 2 | Cognitive radio, Mitola; spectrum sensing; opportunistic access | RF-201 Ch 7 SDR fundamentals | 3 |
| 3 | Software-defined receivers + transmitters; full duplex; receiver chains | RF-201 Ch 7 SDR fundamentals at architecture depth | 4 |
| 4 | RF security primitives; encryption at RF layer; physical-layer authentication | RF-201 Ch 4 BLE encrypted-pairing baseline | 5 |
| 5 | Cellular protocols: LTE + 5G NR via OpenAirInterface | RF-201's cellular-mention-only framing | 6 |
| 6 | SATCOM: LEO comms; weather and military satellites | NEW domain; RF-201 didn't reach SATCOM | 7 |
| 7 | SIGINT techniques: capture / classify / decode unknown signals | RF-201 Ch 9 URH protocol RE at SIGINT depth | 8 |
| 8 | RF waveform RE: custom proprietary protocol RE at advanced depth | RF-201 Ch 9 URH at waveform depth | 9 |
| 9 | Anti-jamming + LPI/LPD | NEW domain; adversary-scale work | 10 |
| 10 | Cross-cut to RE-track advanced protocol-RE methodology | Forward pointer to vca-re-201 | 11 |
| 11 | Cross-cut to PT-track advanced wireless pentesting | Forward pointer to vca-adv-101 | 12 |
| 12 | Capstone: full RF-protocol RE + reimplementation in GNU Radio | The synthesis deliverable | 13-14 |
14-week schedule
| Week | Chapter | Lecture topics | Lab |
|---|---|---|---|
| 1 | 1 | FIR filter design: windowed + Parks-McClellan; filter specifications | Lab 1 Part A |
| 2 | 1 | IIR design (Butterworth/Chebyshev prototypes); adaptive filters (LMS/RLS); FFT-based processing | Lab 1 Parts B-C |
| 3 | 2 | Cognitive radio: Mitola architecture; spectrum sensing (energy / matched-filter / cyclostationary); opportunistic access | Lab 2 |
| 4 | 3 | Full-duplex architecture; receiver chain: LNA, mixer, VGA, ADC; SNR budget; noise figure; IP3; dynamic range | Lab 3 |
| 5 | 4 | Physical-layer authentication: RF fingerprinting; encryption at the RF layer; TRANSEC; COMSEC vs TRANSEC | Lab 4 |
| 6 | 5 | LTE: OFDMA/SC-FDMA, eNB/EPC, RACH, attach procedure; OAI architecture; 5G NR: new radio framing | Lab 5 Part A |
| 7 | 5 | 5G NR: massive-MIMO, mmWave numerology, 5G Core NFs, 5G-AKA and SUCI/SUPI; cross-chapter handouts | Lab 5 Part B |
| 8 | 6 | SATCOM orbital mechanics; LEO/MEO/GEO/HEO propagation; Doppler correction; link budgets; NOAA APT; Iridium; DVB-S | Lab 6 |
| 9 | 7 | SIGINT discipline: classification pipeline (modulation/access scheme/framing hypothesis); low-SNR techniques; gr-fosphor waterfall | Lab 7 |
| 10 | 8 | Advanced waveform RE: beyond URH; GNU Radio custom-block authoring for RE; IQ hypothesis-test workflow | Lab 8 |
| 11 | 9 | Anti-jamming: FHSS / DSSS / chirp-SS / hybrid; LPI: power control / FHSS timing / waveform design; ECCM | Lab 9 |
| 12 | 10 | RE-track cross-cut: binary RE applied to air-interface protocols; partial LTE PHY reverse | Lab 10 |
| 13 | 11 | PT-track cross-cut: advanced wireless pentest against RF-aware targets | Lab 11 |
| 14 | 12 | Capstone work + review; live 15-min recorded demo | Lab 12 (capstone) |
Time budget
| Category | Hours |
|---|---|
| Lectures (14 weeks × 90 min) | ~21 |
| Labs (12 labs × ~90 min) + capstone (~15 hr) | ~33 + 15 |
| Independent practice (reading + pre/post-lab) | ~86 |
| Capstone write-up and report | ~15 |
| Total | ~170 |
Lab index
| Lab | Week | Topic | Points |
|---|---|---|---|
| Lab 1 | 1-2 | Filter design comparative: Parks-McClellan FIR vs IIR-from-Butterworth vs adaptive LMS | 25 |
| Lab 2 | 3 | Cognitive-radio spectrum-sensing-and-opportunistic-access pipeline | 20 |
| Lab 3 | 4 | Full-duplex software-defined receiver chain on ANT-SDR E200; SNR budget | 20 |
| Lab 4 | 5 | Physical-layer authentication: RF fingerprinting of two same-make transmitters | 15 |
| Lab 5 | 6-7 | OpenAirInterface LTE attach procedure; SNR budget instrumentation | 25 |
| Lab 6 | 8 | NOAA APT weather-satellite reception and demodulator reimplementation | 20 |
| Lab 7 | 9 | SIGINT discipline: instructor-supplied unknown low-SNR capture, full classification workflow | 25 |
| Lab 8 | 10 | Proprietary-protocol waveform RE against a deliberately obfuscated target | 25 |
| Lab 9 | 11 | LPI/LPD waveform demonstration: chirped spread-spectrum transmitter | 20 |
| Lab 10 | 12 | Cellular-stack RE cross-cut: partial LTE PHY reverse | 20 |
| Lab 11 | 13 | Advanced wireless pentest cross-cut | 20 |
| Lab 12 | 14 | Capstone | Tier 1 gate + Tier 2 100 pts |
| Total (Labs 1-11) | 235 |
Architecture comparison sidebars
Five structured sidebars published as handouts/cross-chapter-rf-301-architecture-sidebars.md (v0.2 deliverable):
- OFDM vs CDMA vs TDMA vs FHSS vs DSSS -- five multiple-access techniques, spectrum-sharing philosophies, deployment cases
- Cellular generations 2G GSM vs 3G UMTS vs 4G LTE vs 5G NR -- architectural transitions across generations
- SATCOM constellations LEO vs MEO vs GEO vs HEO -- orbital regime tradeoffs, named deployments
- Cognitive-radio paradigms: Mitola academic vs DARPA Spectrum Collaboration vs FCC opportunistic-access
- 5G Core vs SDN vs Mobile-IP (shared with
handouts/cross-chapter-control-plane-architectures.md) - WPA2-SAE vs WPA3-SAE vs 5G-AKA (shared with
handouts/cross-chapter-wireless-aka-progression.md)
Tool Journal: RF-301 originating entries
~10 new entries. WIR-101 + RF-201 tools continue at capstone depth.
| Tool | Introduced | Core use |
|---|---|---|
| OpenAirInterface (OAI) | Week 6-7 | Open-source cellular stack: LTE eNB / EPC / 5G NR gNB |
| srsRAN | Week 6-7 | Alternative cellular stack: LTE + 5G NR |
| gr-satellites | Week 8 | SATCOM decoder framework |
| gr-leo | Week 8 | LEO orbital mechanics GNU Radio integration |
| GNSS-SDR | Week 8 | Open-source GPS / Galileo / GLONASS software-defined receiver |
| gr-fosphor | Week 9 | GPU-accelerated waterfall visualisation |
| gr-paint | Week 9 | Spectrogram art and SIGINT visualisation |
| USRP / Ettus + UHD | Week 6-7 | Research-grade SDR for cellular + SATCOM labs |
| gr-iio + libIIO (advanced) | Week 4 | ANT-SDR E200 advanced workflow |
| Advanced antennas (LPDA / discone / yagi) | Week 8 | Antenna selection by application |
| ARRL Extra study materials | Ongoing | Terminal amateur-radio licence tier |
| Academy Flowgraph (browser) | Week 1-2 | In-browser DSP block-graph tool for filter and signal-chain visualisation |
Assessment overview
Labs 1-11: 235 points total. Lab 7 (SIGINT) and Lab 8 (waveform RE) are the most heavily weighted individual labs.
Capstone: Two-tier grading. Tier 1 = functional gate (IQ archive reproduces, GNU Radio demodulator works, demo plays). Tier 2 = 100 points (40% RE depth + SIGINT discipline / 30% limit-of-confidence + ROE compliance / 30% engineering quality + reproducibility). B- minimum (70/100 Tier 2) for the RF-301 Certificate of Completion.
Certificate: VCA-RF-301 Certificate of Completion. Combined with WIR-101 + RF-201 + RF-301, the student is positioned for ARRL Extra, SANS GAWN, and SDR-engineer / wireless-protocol-RE roles.
v0.1 scope note
v0.1 shipped: Weeks 1-7 (Chapters 1-5), Labs 1-7, CAPSTONE.md, and INSTRUCTOR-GUIDE.md (full for Weeks 1-7). Weeks 8-12 and the remaining labs shipped in the v0.2 round and are live in this classroom.