HW-101 Anchor Reading Guide

*VCA-HW-101 cross-chapter reading-guide handout. Companion to the catalog page at https://virtuscyberacademy.org/vca-hw-101. Audience: Belt-3 hardware-track students arriving from the catalog's distilled "What Belt-3 Hardware Track Graduates Recognize" register. *

The catalog page tells you WHAT the course covers. This guide tells you HOW to read the canonical anchors that build the Belt-3: which books, which talks and tutorials, in which order, what to extract on each pass, and how the anchors compose into a coherent vocabulary that prepares you for RE-101 embedded teardowns, ADV-101 hardware-CVE work, and the broader hardware-hacking practitioner community.

§0. What this guide is for

HW-101 is the academy's hardware-track foundations course. Five anchors carry the Belt-3: a triple of practitioner-narrative books (bunnie Huang's The Hardware Hacker and Hacking the Xbox, plus van Woudenberg and O'Flynn's The Hardware Hacking Handbook) for the down-to-earth-narrative core, plus Joe Grand's DEF CON Hardware Hacking Village training corpus and the Adafruit Learn plus SparkFun Tutorials community as the build-it-yourself complement. Three supplementary anchors (Schlaepfer and Oskay's Open Circuits; Craig Smith's Car Hacker's Handbook; Goodspeed and PoC||GTFO writing) are mentioned in §0 framing but do not earn full per-anchor walks at the Belt-3.

The five primary anchors do not compose a textbook tour. The bunnie triple plus van Woudenberg and O'Flynn provide the practitioner-narrative depth that the discipline reads itself through; Joe Grand and Adafruit and SparkFun provide the get-your-hands-on-the-bench complement. By the end of HW-101 a student should be able to (a) discuss debug-interface inheritance (JTAG/SWD/UART/ICSP), supply-chain framing, fault-injection and side-channel attack families, and the Tang Primer 25K toolchain in the same vocabulary the practitioner community uses, (b) build small hardware projects on the bench (oscilloscope-anchored, soldering-anchored, JTAG-anchored), and (c) move into RE-101 with the practitioner-foundation literacy that the embedded-RE engagements assume.

This guide is opinionated by design. It is not a comprehensive bibliography. Anchors that other peer programs lean on (Horowitz and Hill's Art of Electronics read cover to cover; the IEEE Embedded Systems handbook; specific microprocessor datasheets read in isolation) are deliberately not the primary anchors at this level because they are encyclopedic, weighty, or out-of-genre. HW-101 graduates know the comprehensive material exists; they were trained on the opinionated material that the hardware-hacking discipline writes itself with.

The guide reads bunnie Hacking the Xbox before bunnie The Hardware Hacker before van Woudenberg and O'Flynn because the genre's foundational text comes first, the modern Shenzhen-and-supply-chain framing builds on it, and the modern applied-attacks handbook builds on both. Joe Grand and Adafruit and SparkFun read in parallel with the narrative pair: students who read while also building have the right Belt-3; students who read without building have textbook fluency and no bench fluency.

§1. The anchor reading register

Five anchors. Read in this order on first pass; revisit per the per-anchor walks below for capstone preparation.

Anchor 1: Andrew "bunnie" Huang, Hacking the Xbox: An Introduction to Reverse Engineering

Edition / pointer: Andrew "bunnie" Huang, Hacking the Xbox: An Introduction to Reverse Engineering, No Starch Press, 2003 (FREE PDF via the author's website with a Lawrence Lessig foreword; legal-precedent text). The original printed edition is hard to find; the free PDF is canonical.

Why this matters at Belt-3: bunnie Huang's Hacking the Xbox is the foundational text of the modern hardware-hacking genre. The book walks bunnie's reverse-engineering of the original Xbox's security architecture: the LDT bus tap, the TSOP flash, the eFuse, the bootloader RC4-and-HMAC chain, the jam-table protection, the public-key signature verification. The book is opinionated about why hardware-RE matters (a hardware platform is a contract between vendor and owner; RE is what lets the owner audit the contract) and about how it is done (a bench, a logic analyser, patience, and the willingness to break the platform until it talks). A Belt-3 graduate who has read Hacking the Xbox recognises the genre's voice, knows the bench's primary tools by name, and understands why the discipline frames itself as an investigation rather than as a destruction. Lessig's foreword places the book in legal context; reading the foreword installs the academy's ethical-framing register.

Suggested reading order: First. Read bunnie Hacking the Xbox before any other anchor because it is the genre's foundational text and its vocabulary is what the other anchors assume. The free-PDF availability makes the read low-friction.

Cross-link to academy artifacts: HW-101 Lab 1 (introduction to the bench; oscilloscope and logic analyser); HW-101 Lab 7 (debug-interface discovery against an academy-provided board); RE-101 Lab 8 (firmware analysis on the SB6141 SPI flash; bunnie's Xbox flash-tap analysis is the structural analog); ADV-101 (CVE-to-tool work where the target is hardware; bunnie's reverse-engineering frame is the methodology anchor).

Anchor 2: Andrew "bunnie" Huang, The Hardware Hacker: Adventures in Making and Breaking Hardware

Edition / pointer: Andrew "bunnie" Huang, The Hardware Hacker: Adventures in Making and Breaking Hardware, No Starch Press, 2017 (ISBN 978-1-59327-758-1). The Shenzhen-factory and supply-chain narrative anchor; bunnie's second book and the discipline's modern register.

Why this matters at Belt-3: The Hardware Hacker is bunnie's modern follow-on to Hacking the Xbox. Where the earlier book walks one hardware platform's reverse-engineering, the later book walks the broader practitioner ecosystem: the Shenzhen factories where most consumer hardware is made; the supply-chain patterns that determine what a hacker can buy and what they cannot; the open-hardware movement that bunnie helps lead through Chibitronics, NeTV, and Precursor. A Belt-3 graduate who has read The Hardware Hacker understands that hardware does not appear from nothing; it is manufactured under specific economic and ecosystem constraints that determine what is hackable and what is not. The Shenzhen-factory framing is the academy's primary supply-chain-as-textbook anchor.

Suggested reading order: Second. Read after Hacking the Xbox because the modern Shenzhen-and-supply-chain framing builds on the earlier reverse-engineering register. Students should treat the Shenzhen chapters as the central read; the chapters on bunnie's specific products are valuable but supplementary.

Cross-link to academy artifacts: HW-101 Lab 5 (BoM analysis on a teardown subject; bunnie's Shenzhen framing is the analytical foundation); HW-101 capstone (student-fabricated Arduino-based data logger; the supply-chain awareness is part of the engineering report); RE-101 (the SB6141 lab target is itself a Shenzhen-supply-chain artifact; reading bunnie before SB6141 makes the lab target legible). The forward-pointer to RE-101 Lab 8 is structural: bunnie's analysis of the Xbox flash tap maps directly onto the SB6141 SPI flash dump.

Anchor 3: Jasper van Woudenberg + Colin O'Flynn, The Hardware Hacking Handbook: Breaking Embedded Security with Hardware Attacks

Edition / pointer: Jasper van Woudenberg and Colin O'Flynn, The Hardware Hacking Handbook: Breaking Embedded Security with Hardware Attacks, No Starch Press, 2021 (ISBN 978-1-59327-748-2). The modern applied-attacks handbook; covers fault injection, side-channel analysis, glitching, JTAG and SWD attack patterns, chip-off rework.

Why this matters at Belt-3: The Hardware Hacking Handbook is the bench-anchored applied-attacks reference. Where bunnie's two books frame the discipline and the ecosystem, van Woudenberg and O'Flynn walk the specific attack families a practitioner exercises against embedded systems. Fault injection (voltage glitching; clock glitching; electromagnetic fault injection) is the canonical "make the chip skip an instruction" attack; side-channel analysis (power analysis; timing analysis) is the canonical "measure what the chip is doing while it does it" attack; chip-off rework (heat-gun and BGA reflow patterns) is the canonical "extract the silicon from its package and read it directly" attack. A Belt-3 graduate who has read van Woudenberg and O'Flynn knows the attack families by name, can describe what each one does at a high level, and understands which targets each attack family is appropriate for.

Suggested reading order: Third. Read after the bunnie pair because the attack-family vocabulary is most useful when the genre's foundational and ecosystem framing are already installed. Students should treat the introductory and overview chapters as the Belt-3 read; the deep-dive chapters on specific attack-tool implementations belong at HW-201 register.

Cross-link to academy artifacts: HW-101 Lab 8 (debug-interface attack progression on an academy-provided target); HW-101 Lab 9 (introduction to side-channel analysis with the ChipWhisperer); RE-101 Lab 10 (chip-off-and-direct-read against the SB6141 flash; van Woudenberg's chapter on chip-off is the methodology anchor); ADV-101 (hardware-CVE work where fault injection or side-channel analysis is the attack vector).

Anchor 4: Joe Grand DEF CON Hardware Hacking Village training corpus

Edition / pointer: Joe Grand (Kingpin), DEF CON Hardware Hacking Village training corpus (FREE on Internet Archive plus YouTube via greatscottgadgets.com and the DEF CON channel; the DEF CON 14 introduction; the DEF CON 21 JTAGulator introduction; the ongoing HHV programming). Joe Grand is L0pht alumnus, JTAGulator inventor, and the discipline's most-cited working educator after bunnie.

Why this matters at Belt-3: The Joe Grand corpus is the academy's primary build-it-yourself training reference. Where the bunnie and van Woudenberg pairs are read as books, Joe Grand's talks and tutorials are watched and walked; the videos cover specific bench techniques (probing live boards; identifying JTAG headers; using the JTAGulator to discover unknown debug interfaces) at the practitioner-tier register. The DEF CON 21 JTAGulator introduction is the most-cited single talk in the corpus; students should walk it as a Lab 7 companion. The ongoing HHV programming is the discipline's annual practitioner-update channel.

Suggested reading order: Fourth. Walk the Joe Grand corpus after the book triple because the bench techniques are most useful when the discipline's framing and the attack-family vocabulary are already installed. Students should treat the DEF CON 21 JTAGulator talk plus the HHV introductory talks as the Belt-3 walk; the deeper material belongs at HW-201 capstone register.

Cross-link to academy artifacts: HW-101 Lab 7 (JTAG discovery with the JTAGulator); HW-101 Lab 8 (Bus Pirate exercises against unknown boards); RE-101 Lab 11 (live-board JTAG probing on the SB6141; Joe Grand's methodology is the procedural anchor). The JTAGulator pattern is the canonical "discover the debug interface from a board you have never seen before" exercise; reading Joe Grand before HW-101 Lab 7 lets the student walk the lab with the methodology already in head.

Anchor 5: Adafruit Learn + SparkFun Tutorials

Edition / pointer: Adafruit Learn (free; learn.adafruit.com) plus SparkFun Tutorials (free; sparkfun.com/tutorials). Two community tutorial corpora maintained by two of the largest open-hardware retailers; the canonical entry-tier hands-on hardware reference.

Why this matters at Belt-3: Adafruit Learn and SparkFun Tutorials are the academy's primary entry-tier-fundamentals references for HW-101 students. The corpora cover thousands of hands-on projects at every level from beginner to advanced; the academy's HW-101 lab harness draws specific tutorials as Lab 1 through Lab 6 companions. A Belt-3 graduate who has walked the canonical entry-tier tutorials (basic breadboarding; Arduino IDE introduction; digital and analogue I/O; serial communication; I2C and SPI) has the bench fluency the academy assumes for Labs 7 onward. The corpora are also the academy's primary part-sourcing reference; students who buy from Adafruit or SparkFun get parts that work with the tutorials, which keeps the bench progression smooth.

Suggested reading order: Fifth. Walk the relevant tutorials in parallel with the academy's Labs 1-6 rather than reading them in advance; the tutorials are companions, not prerequisites. Students who already have entry-tier hardware experience can skim; students new to the bench should walk the Adafruit-Arduino-introduction series and the SparkFun-soldering series in their entirety.

Cross-link to academy artifacts: HW-101 Labs 1-6 (every primary lab has a named Adafruit or SparkFun tutorial companion); HW-101 capstone (the student-fabricated data logger draws on multiple Adafruit and SparkFun tutorials for component selection and wiring); the Tang Primer 25K toolchain (Adafruit and SparkFun do not directly cover the Tang Primer 25K, but the breadboarding and digital-I/O fundamentals are platform-independent).

§2. bunnie Hacking the Xbox deep walk: the genre's foundational reverse-engineering text

bunnie's Hacking the Xbox is the discipline's foundational text. Read for the genre voice and the bench-discipline vocabulary as the book's central operational primitives.

What to extract

A Belt-3 graduate should carry the following five facts from the book:

1. The book frames hardware-RE as investigation. The chapters walk bunnie's actual investigative path against the original Xbox: hypothesis, test, observation, refinement. The investigative frame is the genre's signature; subsequent practitioner texts inherit it.
2. The bench's primary tools are oscilloscope, logic analyser, soldering iron, and patience. The book introduces each tool in context. A Belt-3 graduate should be able to name what each tool does and what kinds of evidence each one collects.
3. A debug interface is the practitioner's canonical entry point. The Xbox's LPC bus tap is the book's central example; the LPC bus carried boot data the bootloader could not encrypt. A Belt-3 graduate should recognise that production hardware almost always has debug interfaces (JTAG, SWD, UART, ICSP, JTAG-equivalent) and that finding them is the practitioner's first move.
4. Cryptographic protections fail under bench-level attack. The book walks the Xbox bootloader's RC4 and HMAC chain and shows how a tap on the bus reveals the protected data anyway. The lesson is not that the cryptography is bad; it is that the cryptography's threat model did not include a bench. A Belt-3 graduate should be able to articulate the difference between cryptographic security under a software-only threat model and cryptographic security under a hardware-level threat model.
5. Lessig's foreword places the book in legal context. The book is a teaching text, not an exploit guide; the legal context (DMCA, CFAA, exemptions for security research) is what makes the discipline practicable. A Belt-3 graduate should be familiar with the foreword's argument and the academy's ethical-framing register.

What is out-of-scope at Belt-3

The book's specific Xbox-internal details (the exact RC4 key derivation; the eFuse layout; the XCodes virtual machine) are interesting period material and out-of-scope at the practitioner-foundation tier. The legal-history details belong at the academy's ethics-and-disclosure register; HW-101 students should know the foreword exists and not be expected to walk the case law.

Cross-anchor connections

bunnie's investigative frame is the foundation The Hardware Hacker builds on; reading Hacking the Xbox first makes the modern Shenzhen-and-supply-chain framing legible as a continuation rather than as a separate book. bunnie's bench-tool vocabulary lands directly on van Woudenberg and O'Flynn's attack-family vocabulary; the bench tools are how the attacks are exercised. bunnie's debug-interface emphasis lands on the Joe Grand JTAGulator material; reading bunnie before walking the Joe Grand corpus makes the JTAGulator's purpose immediately legible.

§3. bunnie The Hardware Hacker deep walk: Shenzhen and the supply-chain frame

bunnie's modern follow-on is the discipline's supply-chain-as-textbook anchor. Read for the Shenzhen-factory framing as the book's central operational primitive.

What to extract

A Belt-3 graduate should carry the following five facts from the book:

1. Most consumer hardware is manufactured in Shenzhen. The bunnie Shenzhen-factory chapters walk the practitioner through the actual manufacturing ecosystem; the chapters are reportage, not documentary distance. A Belt-3 graduate should be familiar with the Shenzhen ecosystem at the practitioner-narrative tier.
2. The supply chain determines what is hackable. Components that exist on the market in volume are hackable; components that do not are not. bunnie's framing is that hackability is downstream of supply-chain economics, not just engineering choices. A Belt-3 graduate should be able to articulate this argument.
3. Open hardware is a deliberate counter-pattern. bunnie has built and helped build open-hardware platforms (Chibitronics; NeTV; Precursor; the Novena laptop) as deliberate counters to the closed-hardware default. Open hardware is a discipline-internal stance, not a moral one; the academy's framing inherits bunnie's stance.
4. BoM (Bill of Materials) analysis is a practitioner skill. Reading a BoM tells you what the hardware is made of, where the components came from, and what attacks are tractable against them. HW-101 Lab 5 exercises BoM analysis on a real teardown subject.
5. Counterfeit components are real, and the practitioner notices them. The book walks specific examples of counterfeit chips that look identical to the legitimate part but behave differently. A Belt-3 graduate should know that the counterfeit-component problem exists and not be expected to recognise specific counterfeits at this level.

What is out-of-scope at Belt-3

Specific bunnie-product chapters (the Novena laptop's design rationale; the Precursor's threat model) are interesting practitioner-narrative reading and out-of-scope at the Belt-3 tier. The chapters on specific Shenzhen-internal events (the original Maker Faire Shenzhen; specific factory tours) are valuable as practitioner-narrative entertainment rather than as foundational Belt-3 material.

Cross-anchor connections

The Shenzhen-and-supply-chain framing lands directly on the SB6141 lab target: the SB6141 is itself a Shenzhen-supply-chain artifact, and reading bunnie before RE-101 makes the lab target legible. The supply-chain framing reads against van Woudenberg and O'Flynn at the lab-tooling tier (the ChipWhisperer; the Bus Pirate; the JTAGulator are themselves supply-chain artifacts the practitioner buys). The framing reads against Joe Grand and Adafruit and SparkFun: the build-it-yourself complement is supply-chain-aware by design; students who buy parts know which retailers and which components survive a teardown.

§4. van Woudenberg + O'Flynn deep walk: applied attacks on embedded systems

The applied-attacks handbook walks the modern bench-anchored attack families. Read for the attack-family vocabulary as the book's central operational primitive.

What to extract

A Belt-3 graduate should carry the following five facts from the book:

1. Fault injection makes the chip skip an instruction. Voltage glitching, clock glitching, and electromagnetic fault injection (EMFI) are the three primary fault-injection vectors. The shared mechanism is that a brief perturbation at the right time causes the chip to misexecute or skip a single instruction, which can bypass security checks (signature verification; PIN comparison; secure-boot gate). A Belt-3 graduate should know all three vectors by name.
2. Side-channel analysis measures what the chip is doing while it does it. Power analysis (Simple Power Analysis; Differential Power Analysis) and timing analysis are the primary side-channel families; both extract secret data (keys; PINs) by observing the chip's behaviour rather than its outputs. A Belt-3 graduate should know SPA and DPA at the conceptual register.
3. JTAG and SWD attacks are debug-interface exploitations. JTAG (the IEEE 1149.1 boundary-scan standard) and SWD (ARM's Serial Wire Debug) are the canonical debug interfaces on modern embedded systems; finding and exploiting them is a foundational practitioner skill. A Belt-3 graduate should know the difference between the two protocols and how they are attacked.
4. Chip-off rework extracts the silicon from its package. Heat-gun and BGA reflow patterns let the practitioner remove a chip from a board, place it in an adapter, and read its memory directly. The technique is destructive-to-the-board but non-destructive-to-the-silicon; it is the canonical last-resort technique when in-system attacks fail.
5. The ChipWhisperer is the academy's primary applied-attacks platform. O'Flynn's ChipWhisperer is open hardware specifically designed for fault-injection and side-channel analysis at the practitioner-foundation tier; the academy's HW-101 Lab 9 uses the ChipWhisperer for entry-tier exercises.

What is out-of-scope at Belt-3

Specific exploit-implementation details (the exact glitch parameters for a specific target; the specific power-trace alignment algorithm for a specific cipher) belong at HW-201 register. Advanced techniques (focused-ion-beam circuit edit; advanced fault-injection at automotive register; commercial-grade laser fault injection) are graduate-research material.

Cross-anchor connections

The attack-family vocabulary lands directly on bunnie's Xbox-bus-tap example: the Xbox attack is itself a debug-interface-and-bench-tool attack at the early-2000s register. The attack vocabulary lands on Joe Grand's JTAGulator: JTAG attack patterns are the canonical practitioner exercise. The attack vocabulary lands on the SB6141 lab target: chip-off and JTAG probing are the canonical RE-101 exercises against the SB6141.

§5. Joe Grand DEF CON HHV deep walk: build-it-yourself bench discipline

Joe Grand's training corpus is the academy's primary build-it-yourself anchor for bench techniques. Walk for the practitioner-tier methodology as the corpus's central operational primitive.

What to extract

A Belt-3 graduate should carry the following five facts from the corpus:

1. JTAG discovery is the JTAGulator's purpose. The DEF CON 21 talk introduces the JTAGulator, an open-hardware tool for discovering JTAG (and UART) interfaces on unknown boards. A Belt-3 graduate should be able to use the JTAGulator on an academy-provided target.
2. Bus Pirate is the multi-protocol bench tool. The Bus Pirate (Dangerous Prototypes; widely available) speaks I2C, SPI, JTAG, UART, and several other protocols and lets the practitioner exercise them from a serial-console interface. A Belt-3 graduate should be able to use the Bus Pirate to read an SPI flash on the bench.
3. Probing live boards requires bench-safety discipline. Joe Grand's corpus repeatedly emphasises that the practitioner can damage the board, the tool, or themselves; the discipline of probing carefully matters. A Belt-3 graduate should be able to articulate the bench-safety vocabulary (ground, voltage levels, current limits, electrostatic discharge).
4. L0pht is the discipline's lineage anchor. Joe Grand was a member of the L0pht Heavy Industries group in the 1990s; the group's testimony to the U.S. Senate in 1998 ("any of us could shut down the internet in 30 minutes") is a foundational moment for the discipline's professional emergence. A Belt-3 graduate should know the L0pht lineage.
5. DEF CON HHV is the discipline's annual update channel. The Hardware Hacking Village programs at DEF CON each year cover both foundational training and current-research talks. A Belt-3 graduate should know the venue and the rhythm.

What is out-of-scope at Belt-3

Specific exploit walkthroughs from individual HHV talks belong at HW-201 capstone register. The Joe-Grand-specific consulting-engagement war stories are practitioner-narrative entertainment and out-of-scope at the practitioner-foundation tier.

Cross-anchor connections

Joe Grand's bench-tool vocabulary lands directly on bunnie's Xbox-bus-tap example: the JTAGulator and the Bus Pirate are the modern equivalents of the bench setup bunnie walks. The bench-tool vocabulary lands on van Woudenberg and O'Flynn: the JTAG-attack vocabulary the handbook walks is exercised through the JTAGulator and the Bus Pirate at the bench.

§6. Adafruit + SparkFun deep walk: entry-tier hands-on hardware

Adafruit Learn and SparkFun Tutorials are the academy's primary entry-tier hands-on hardware references. Walk in parallel with HW-101 Labs 1-6.

What to extract

A Belt-3 graduate should carry the following four facts from the corpora:

1. Breadboarding is the canonical entry-tier project pattern. The two corpora's introductory tutorials walk basic breadboard wiring, the colour-coded wire conventions, and the standard component layouts. A Belt-3 graduate should be able to wire a circuit from a schematic onto a breadboard without trial and error.
2. Arduino IDE is the entry-tier programming environment. The two corpora use the Arduino IDE almost universally for entry-tier projects; the academy follows the convention. A Belt-3 graduate should be able to write, compile, and upload a basic Arduino sketch.
3. Soldering is a learnable skill. The SparkFun soldering tutorials walk the technique from temperature setting through tip preparation through joint inspection. A Belt-3 graduate should be able to produce inspection-quality joints on through-hole and basic SMD work.
4. I2C and SPI are the entry-tier inter-chip communication protocols. The two corpora cover both protocols at entry-tier with sample code and breakout boards. A Belt-3 graduate should be able to wire an I2C or SPI sensor to an Arduino and read its values.

What is out-of-scope at Belt-3

Advanced project tutorials (specific home-automation builds; specific data-logger projects) are valuable as practitioner-narrative entertainment and out-of-scope as required reading. The corpora's deep dives into specific component datasheets belong at HW-201 register.

Cross-anchor connections

The entry-tier corpora are the foundation Joe Grand's bench techniques assume; reading Adafruit and SparkFun before walking the Joe Grand corpus installs the breadboarding-and-soldering vocabulary that the JTAG and Bus Pirate exercises require. The corpora are also the academy's primary part-sourcing reference; the supply-chain awareness bunnie's books install lands directly on the part-selection decisions Adafruit and SparkFun make tractable.

§7. Summary: how the anchors compose at Belt-3

The composition is opinionated by design. The bunnie pair plus van Woudenberg and O'Flynn provide the down-to-earth narrative core that the discipline reads itself through; Joe Grand and Adafruit and SparkFun provide the build-it-yourself complement that the discipline practices itself through. The five anchors do not reduce to one anchor; each earns its place because the others assume its content. The Belt-3 is what the composition produces.

§8. What's next at Belt-4 and Belt-5

HW-101 graduates carry the five-anchor foundation into RE-101 (Belt 4; embedded-systems reverse-engineering with the SB6141 cable modem as the lab target) and into ADV-101 (Belt 4; CVE-to-tool work where the target is hardware). The hardware track does not currently have a Belt-5 terminal course; advanced hardware work is integrated into RE-201 (Belt 5; burst-radio waveform RE) and into the academy's broader RE and AI capstone arcs.

Anchors that return at deeper register:

• bunnie's pair returns at RE-101 as the structural-analog reference for the SB6141 firmware-extraction lab; bunnie's Xbox flash-tap analysis maps onto the SB6141 SPI-flash dump.
• van Woudenberg + O'Flynn returns at RE-101 for the chip-off methodology and at ADV-101 for the fault-injection and side-channel attack families.
• Joe Grand returns at RE-101 for the live-board JTAG-probing methodology against the SB6141.

The capstone work HW-101 prepares for: a student-fabricated Arduino-based data logger in a hand-built enclosure with a written engineering report. Students who carry the five-anchor foundation into the capstone produce stronger artifacts than students who learn the vocabulary during the capstone.

The hardware-track parallel credential pathway is less consolidated than the networking-track or RF-track equivalents (no single industry-standard credential like CCNA or ARRL Technician); the closest analog is the OffSec OSED (Exploit Developer) track, which is Belt-5 and assumes HW-101 plus RE-101 plus ADV-101 as foundation.

§9. Cross-references