VCA-RE-101: Reverse Engineering of Embedded Systems
An 11-week professional course teaching the complete methodology for recovering design information, firmware, and cryptographic material from commercial embedded systems, without access to vendor source, schematics, or documentation. Capstoned on end-to-end reverse engineering of a Motorola SURFboard SB6141 cable modem.
Course Overview
Students progress from physical-layer printed-circuit-board characterization, through serial-protocol and debug-interface analysis (SPI, I²C, UART, JTAG, SWD), to SoC boot-sequence recovery, firmware extraction, binary reverse engineering, patch-and-reflash, and the trust architectures that defend against these techniques. The course is appropriate preparation for offensive security research, defensive firmware assurance, hardware-trojan analysis, supply-chain integrity evaluation, and forensic device examination.
Position relative to peer offerings. RE-101 sits between introductory hardware-hacking surveys (Black Hat 2-day workshops, the Hardware Hacking Handbook self-study path) and the disciplines for which it is professional preparation (Offensive Security OSEE, SANS SEC760, the USENIX Security publication track). The 2-day workshops introduce the tools; RE-101 builds the methodology. The certification programs assume the methodology already; RE-101 is the place that methodology is taught with proctored lab time, instructor-graded artifact submissions, and a publication-quality written report at the close. A student who completes RE-101 enters those certification pathways already operating at the level they assume.
Learning Outcomes
On completion, graduates are able to:
- Characterize an unknown printed circuit board by systematic physical measurement.
- Identify SPI, I²C, UART, JTAG, and SWD protocols from observed bus waveforms.
- Discover undocumented on-chip debug interfaces and verify discovered pinouts through independent methods.
- Extract firmware from serial non-volatile memory using industry-standard programmers, with redundant-read cryptographic verification.
- Analyze firmware images using binwalk, Ghidra, radare2, and QEMU.
- Describe secure-boot and root-of-trust architectures, their threat models, and their practical attack surface.
- Modify and reflash firmware to a target device while preserving recoverability to factory state.
- Produce publication-quality technical reports suitable for USENIX Security, IEEE S&P, DEFCON, or coordinated-disclosure submission.
Schedule
| Week | Topic | Laboratory |
|---|---|---|
| 1 | Foundations, threat models, laboratory setup | Bench qualification |
| 2 | Digital I/O, signal integrity, measurement | Logic analyzer fundamentals |
| 3 | Serial protocols: SPI, I²C, UART | Bus Pirate protocol exercises |
| 4 | JTAG and SWD | JTAG pinout discovery |
| 5 | SoC boot architectures and memory hierarchy | Boot sequence analysis |
| 6 | Non-volatile memory: NOR, NAND, eMMC | Midterm practical exam |
| 7 | Firmware extraction: in-circuit and ex-circuit | SB6141 flash dump |
| 8 | Firmware analysis: filesystems and signatures | SB6141 binwalk and extraction |
| 9 | Firmware analysis: executable reverse engineering | SB6141 binary analysis |
| 10 | Firmware modification and reflash | SB6141 patched firmware deployment |
| 11 | Trust architectures, secure boot, ethics | Live-device sniffing |
Capstone oral defenses are held in Finals Week.
Assessment and Credential
Eleven laboratory exercises 55% · midterm practical exam Week 6 15% · capstone written report 20% · capstone oral defense 10%. A minimum grade of B− on capstone components is required to earn the VCA-RE-101 Certificate of Completion. The program is independent; no affiliation with, or endorsement by, any government academy or university is claimed or implied.
How the Course Teaches: Foundational Readings
RE-101 carries the RE track's paired-textbook system at the intermediate-to-professional depth the flagship course demands. The build-it-yourself pair (OST2 + Yurichev) provides the assembly and RE methodology scaffold students work inside from Day 1; the narrative pair (Erickson + bunnie) provides the practitioner mental model that makes the hardware-RE work feel grounded in the discipline's history. This section is a master-side operator reference; the per-lab assignments in the companion course operator repository note which anchor-pair chapters map to which lab weeks.
OST2's RE 1101 (Introduction to Reverse Engineering) and RE 2001 courses build the systematic binary-analysis workflow RE-101's Weeks 8-9 assume. Kovah's approach is to work from actual binary examples rather than synthetic illustrations; the analysis technique is hypothesis-driven and evidence-documented, which is exactly the lab-notebook discipline RE-101's graded artifacts require. Kovah's Architecture 1001 course, which RE-011 students have already worked through, is the entry ramp; RE 1101 and RE 2001 deepen the same methodology onto binary analysis at professional scale.
Yurichev's Reverse Engineering for Beginners (beginners.re; free; CC-BY-SA) covers ARM and big-endian architectures alongside x86, the coverage that directly maps onto the SB6141's BCM3383 big-endian ARM target in Weeks 8-9. Yurichev's ARM chapter structure is the reference students consult when a Ghidra decompiler output produces idiomatic ARM that diverges from the x86-64 patterns RE-011 built fluency around. The book follows students through the entire RE strand; the ARM and MIPS chapters are the RE-101-tier reading.
Erickson's Hacking: The Art of Exploitation is the narrative anchor for the binary-analysis work in RE-101's Weeks 8-9. Erickson's account of how memory corruption actually works, from the calling-convention layout through the stack-frame construct to the controlled overwrite, is the mechanistic underpinning that makes the SB6141's binary analysis intelligible as more than pattern-matching in a disassembler. When students identify a suspicious function in the SB6141's SNMP implementation, Erickson's chapters on the conditions that make functions exploitable are the mental model they use to decide whether the function is a finding or a false alarm.
bunnie Huang's account of Shenzhen electronics culture in The Hardware Hacker establishes the practitioner's creative frame for what hardware RE is and who does it. bunnie's SD-card chapter, where he identifies a counterfeit storage device by its firmware's behavior under structured queries, is the closest structural analog to the SB6141 capstone in the entire anchor corpus: a practitioner, an unfamiliar device, no documentation, working from first principles. Hacking the Xbox establishes the genealogy: the firmware-as-security-boundary model bunnie defeated in 2002 is still the model every IoT RE practitioner works against today, including on the SB6141's BCM3383 bootloader. Students who have read bunnie's account arrive at the trust-architecture lecture (Week 11) having already internalized its central claim.
Lab Manifest
Eleven graded laboratory exercises across the eleven-week schedule, each producing a versioned artifact committed to the student's course Git repository alongside a lab-notebook entry recording instrument serial numbers, cryptographic hashes, and a timestamped procedure trace. Lab 6 is the proctored midterm practical against an unknown-board target; Labs 7-10 walk the SB6141 from flash dump through patched reflash; Lab 11 is the live-device sniffing exercise; the capstone is a separate multi-week independent engagement (see Capstone below).
| Lab | Title | Deliverable artifact |
|---|---|---|
| 1 | Bench qualification | Annotated photograph of student bench; instrument inventory log; safe-power-on procedure for an unknown board |
| 2 | Logic-analyzer fundamentals | Captured waveform of a known SPI bus on the W25Q80BV reference flash; identified MOSI / MISO / CLK / CS lines from the trace |
| 3 | Bus Pirate protocol exercises | Successful read of the TMP102 temperature register over I²C; successful read of W25Q80BV ID over SPI; UART loop-back transcript |
| 4 | JTAG pinout discovery | Identified TCK / TMS / TDI / TDO / TRST on a Raspberry Pi Zero W; verified discovery via OpenOCD scan_chain output |
| 5 | Boot-sequence analysis | Annotated boot-ROM trace for a reference SoC; identified boot-stage transitions and where firmware-stage code begins |
| 6 | Midterm practical exam | Proctored 4-hour bench exam against an unknown-board target; deliverables: identified protocol on each populated bus; hash-verified flash dump if accessible |
| 7 | SB6141 flash dump | Hash-verified dump of the SB6141's NOR flash (Macronix MX25L6406E) using a SOIC-16 clip + flashrom; redundant-read consistency verified |
| 8 | SB6141 binwalk and extraction | Carved filesystem(s) from the dump; extracted root filesystem; identified bootloader / kernel / rootfs partitions |
| 9 | SB6141 binary analysis | Ghidra + radare2 analysis of one identified service binary; documented function entry points, string references, and one observed control-flow construct of interest |
| 10 | SB6141 patched firmware deployment | Modified firmware reflashed and verified to boot to factory state; recoverability artifact (original-flash backup) hash-archived |
| 11 | Live-device sniffing | Captured DOCSIS-style provisioning conversation between the SB6141 and a headend simulator using Wireshark + usbmon; protocol stack identified at each layer |
| C | Capstone | End-to-end SB6141 reverse-engineering report. See Capstone section below for the full rubric |
Capstone: End-to-End SB6141 Reverse Engineering
The course capstone is a multi-week independent engagement against a decommissioned Motorola SURFboard SB6141 cable modem, supplied per student. Students integrate every methodology built across the eleven labs into a single coherent investigation, deliver a publication-quality written report, and defend the report orally before a panel including the instructor and at least one external practitioner. The capstone is not graded against fault-discovery - students are not required to find a vulnerability. The capstone is graded against methodology: did the student apply the discipline the course teaches, document it reproducibly, and reason about the trust architecture the device implements?
Required artifacts
- The SB6141 device, returned to factory-recoverable state at submission time.
- The complete flash dump, original and any modified images, hash-archived in the course Git repository.
- A 20-30 page written report at publication quality: methodology, instrumentation, observations, threat-model analysis, and a reproducibility section detailing every command, every instrument serial number, and every file hash.
- A 30-minute oral defense before a panel; ten minutes presentation, twenty minutes Q&A.
- A coordinated-disclosure assessment: if the student observed a security-relevant artifact during the work, the report includes a disclosure-readiness analysis. This is not an exploit, but a documented decision about whether the finding merits coordinated disclosure and to whom.
Two-tier grading rubric
First, your project must work. The capstone artifact is delivered: the device is returned recoverable; the flash dump and any modified images are present and hash-verified; the written report meets the page range and reproducibility-section requirement; the oral defense is held. A failure at Tier 1 triggers a remediation plan and a re-defense in the next available window. No advanced scoring is applied to an incomplete foundational artifact.
Then we score the report.
- Methodology rigor (40%). Did the student apply the systematic procedure the course teaches: physical-layer characterization first, protocol identification before extraction, redundant verification of every observation? Are instrument serial numbers, configuration settings, and timestamps captured? Is every binary artifact hashed? A well-instrumented investigation that finds no fault scores well; a fault-discovery built on undocumented intuition scores poorly.
- Analytical depth (30%). Does the report reason about what the device is doing rather than only what the student saw? Does the threat-model section identify the trust boundaries the SB6141 implements (or fails to implement)? Is the binary-analysis section honest about which functions were understood vs. flagged as unanalyzed? A short, accurate, scoped analysis outscores a long speculative one.
- Communication (30%). Is the written report at publication quality: figures captioned, citations complete, prose clean of marketing tone or hedging-without-evidence? Is the reproducibility section dense enough that a competent reader could replicate the investigation from the document alone? Does the oral defense respond to panel questions substantively rather than defensively?
A minimum grade of B− on capstone components is required to earn the VCA-RE-101 Certificate of Completion. There is no curve. The certificate signals that the holder operates the methodology of embedded-systems reverse engineering at professional register; it is not a participation credential.
Equipment: Software and Reading
Every student maintains a personal hardware workstation. A small inventory of shared instruments is provided per two-student team, and a larger course-level inventory is held by the program. All host software is free; the instructor supplies a prepared Docker container with extraction and analysis tooling. Hardware prices verified April 2026.
Compute Path (choose one)
Option A, Personal VM-capable laptop. macOS, Windows 10+, or Linux with at least 8 GB RAM and a VM that supports USB passthrough (VMware, VirtualBox, UTM, or Hyper-V). Chromebooks, tablets, and laptops below 8 GB are not supported on this path.
Option B, Raspberry Pi 5 (rent or buy from the program). Pi 5 8 GB kit with instructor-baked fwlab SD card, PSU, and case, about $250 to purchase outright, or a flat rental per cohort (refundable on return). Students interact with the Pi via any SSH-capable device (laptop, tablet, Chromebook, or older machine) or via a lab-provided keyboard-and-monitor station at the bench during proctored sessions.
Equipment per Student (Personal Workstation)
| Item | Purpose | Approx. cost |
|---|---|---|
| Bus Pirate v3.6a with probe cable (SparkFun) | SPI / I²C / UART protocol work | $41 |
| 8-channel USB logic analyzer, 24 MHz, FX2LP-based | Bus waveform capture | $12, $27 |
| Digital multimeter, auto-ranging (basic consumer model) | Voltage and continuity measurement | $25 |
| SOIC-8 test clip (Amazon generic, 25-series compatible) | Non-destructive 8-pin flash access | $10 |
| SOP-16 test clip (Amazon generic, 25-series compatible) | Non-destructive 16-pin flash access | $10 |
| Solderless breadboard and jumper-wire kit | Ad-hoc prototyping | $17 |
| ESD mat and wrist strap kit | Electrostatic-discharge protection | $25 |
| Kit subtotal (excluding compute path) | | ≈ $140 |
Equipment per Two-Student Team (Shared)
| Item | Purpose | Approx. cost |
|---|---|---|
| JTAGulator (EXPLIoT, official maintainer since July 2025) | Debug-interface discovery | $249 |
| Attify Badge (Attify Store) or FT2232H breakout | High-speed SPI flash programming | $48 |
| Raspberry Pi Zero W (Adafruit) | Lab 4 JTAG training target | $15 |
Equipment per Course (Instructor / Facility)
| Item | Purpose | Approx. cost |
|---|---|---|
| Hot-air rework station (858D class) | Desolder demonstrations | $80 |
| Decommissioned Motorola SURFboard SB6141 (eBay), one per student | Capstone platform | $15, $22 each |
| Unknown-board targets for the midterm practical | Proctored exam stock | instructor-sourced |
| Winbond W25Q80BV 1 MByte SPI flash breakout (Adafruit) | Reference chip, Weeks 2-3 | $2 |
| SparkFun TMP102 Qwiic temperature sensor breakout | I²C reference chip | $10 |
| Macronix MX25L6406E SOIC-16 (eBay 5-pack) | NOR flash reference | $5 / 5 |
| Lab power supply and USB hubs with isolated power rails | Workstation infrastructure | instructor-sourced |
Software
All software listed below is free. The fwlab container is built from a public Dockerfile in the course repository and distributed to each student at the start of Week 1.
| Host-side (student laptop) | fwlab container (instructor-supplied) |
|---|---|
| flashrom, openocd | binwalk, squashfs-tools |
| pulseview, sigrok-cli | jefferson, ubi_reader |
| wireshark (with usbmon) | hexedit, xxd, p7zip |
| minicom, screen | radare2 |
| Ghidra (NSA, free download) | QEMU user-mode and full-system (qemu-armeb-static) |
Required Texts
- van Woudenberg, J. and O'Flynn, C. The Hardware Hacking Handbook: Breaking Embedded Security with Hardware Attacks. No Starch Press, 2021. ISBN 978-1593278748.
- Dang, B., Gazet, A., and Bachaalany, E. Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation. Wiley, 2014. ISBN 978-1118787311.
- Kleidermacher, D. and Kleidermacher, M. Embedded Systems Security: Practical Methods for Safe and Secure Software and Systems Development. Newnes, 2012. ISBN 978-0123868862.
- Erickson, J. Hacking: The Art of Exploitation, 2nd ed. No Starch Press, 2008. ISBN 978-1-59327-144-2. (Narrative anchor for the binary-exploitation mental model underlying Weeks 8-9 binary analysis; RE track foundational anchor pair.)
- Huang, A. ("bunnie"). The Hardware Hacker: Adventures in Making and Breaking Hardware. No Starch Press, 2017. ISBN 978-1-59327-758-1. (Narrative anchor for hardware-RE discipline and the firmware-as-security-boundary mental model underlying Weeks 7-11; RE track foundational anchor pair.)
- Yurichev, D. Reverse Engineering for Beginners. Free download at beginners.re; CC-BY-SA 4.0. (Build-it-yourself anchor for ARM and big-endian RE methodology; RE track foundational anchor pair; ARM and MIPS chapters are the RE-101-tier reading.)
Recommended Texts and Primary Literature
Recommended: Eagle, The IDA Pro Book (No Starch, 2011); Yiu, The Definitive Guide to ARM Cortex-M0 / M0+ (Newnes, 2015); Anderson, Security Engineering, 3rd ed. (Wiley, 2020), chapters 18 and 20. Selected peer-reviewed papers, IEEE and JEDEC standards, ARM architecture references, and vendor datasheets are assigned per week; the full bibliography is distributed when the cohort starts.
Prerequisites and Student Profile
VCA-RE-101 is calibrated for professional academic rigor and proceeds at the pace of a working engineering course. It is intended for practicing engineers and analysts who will apply embedded-systems reverse engineering in professional work; it does not devote lecture time to remedial instruction in its prerequisite areas.
Ideal Learner Profile
- Early-career firmware or hardware engineer
- Defense-industrial-base hardware or supply-chain analyst
- Government civilian security researcher
- Advanced practitioner seeking professional calibration and a completion credential
Required Knowledge, Skills, and Abilities
Knowledge, what you must already understand
- Undergraduate-level electronic circuits: Ohm's law, voltage dividers, CMOS logic levels, pull-up / pull-down behavior, bypass capacitance
- Digital logic at the level of clock edges, logic-level thresholds, and voltage domains (5 V, 3.3 V, 1.8 V, 1.2 V)
- Operating-system fundamentals: processes, filesystems, permissions, and the Linux boot sequence at a conceptual level
- Number-system literacy: binary, hexadecimal, byte order
- Basic networking vocabulary at a recognition level (TCP/IP, MAC addressing, Ethernet framing)
Skills, what you must already be able to do
- Read and follow a component datasheet end to end
- Operate at a Unix shell with proficiency: navigation, redirection, piping, process management, remote access over SSH
- Use git to version-control text and small binary artifacts
- Read C source code (pointers, structs, switch statements); write small scripts in Python or Bash
- Operate a digital multimeter to measure voltage and verify continuity
Abilities, the dispositions the course assumes
- Methodological patience. Hardware work is iterative; failure is a normal, expected, and instructive state
- Documentation discipline. Lab notebook entries, instrument serial numbers, cryptographic hashes of every artifact
- Self-directed learning, the capstone is an independent, multi-week engagement
- Willingness to produce written technical prose at publication quality
Skills Developed During the Course (Not Required on Entry)
Students do not need to arrive with any of the following. Each is taught in place.
- Soldering, the primary capstone extraction is non-destructive, using SOIC clips; a hot-air desolder demonstration is given but not graded
- ARM assembly reading. Introduced in Week 4 and developed in Week 9
- SoC boot architecture. Taught in Week 5
- Static binary analysis with Ghidra and radare2. Taught across Weeks 8 and 9
- Firmware carving, filesystem extraction, and repackaging. Taught in Weeks 8 and 10
- Coordinated vulnerability disclosure practice. Taught in Week 11
Who Is Not Well Matched
- Students who have never used a Unix terminal
- Students who find troubleshooting physical systems frustrating rather than engaging
- Pure web or application developers with no embedded or systems-programming exposure
- Students seeking a fast-paced certification badge rather than professional instruction
Readiness Self-Check
Prospective students who can answer yes to all five of the following are a good match for this course:
- Can I read an ARM or Cortex-class datasheet block diagram and identify which pins are power, ground, clock, and I/O?
- Can I move around a Linux filesystem, use ssh, scp, and git, and write a small script that parses a text file?
- Can I read a simple C function (with pointers, structs, and a switch statement) and explain what it does?
- Am I prepared to write a twenty-page technical report with figures, citations, and a reproducibility section?
- Will I find it satisfying, rather than demoralizing, to debug a wiring error for two hours and emerge with a hash-verified firmware dump?
Prospective students uncertain of any answer are invited to email interested@virtuscyberacademy.org with a note about their background and we can help calibrate readiness.
Bridge to Downstream Courses
RE-101 is the central course on the embedded-systems-reverse-engineering side of the Virtus pipeline. The methodology built here transfers forward into the adversarial and signal-domain courses; the SB6141 lab target carries the curriculum thread into Part-II long-term electives.
- → VCA-ADV-101 (Adversarial Techniques). RE-101's binary-analysis discipline (Lab 9) is the substrate ADV-101's exploit-development and adversarial-firmware-modification work assumes. The trust-architecture lecture (Week 11) names the boundaries ADV-101 then teaches students to challenge.
- → VCA-RE-201 (RE of Burst Radio Signals). The same RE methodology (physical-layer characterization, protocol identification, hash-verified capture, hypothesis-driven analysis) applied to the RF domain. RE-201 picks up exactly the lab-notebook discipline RE-101 builds.
- → Part-II long-term electives. Students who complete RE-101 are calibrated for VCA-ARM-201 (deep ARM internals on a chip cousin of the SB6141's BCM3383), VCA-EMB-201 (embedded Linux internals on SB6141-cousin platforms), VCA-NET-201 / VCA-NET-301 (DOCSIS and cable-network protocols, paralleling the Week-11 live-device sniffing lab), VCA-X86-201 (server-class reverse engineering), and VCA-MIPS-201 (legacy SOHO router reverse engineering, the SB6141's MIPS predecessors).
- Lab-target pipeline continuity. The SB6141 is the named lab target for both RE-101 and ADV-101. A student who completes RE-101 owns the methodology; a student who continues into ADV-101 turns that methodology against the same physical artifact at adversarial depth. The continuity is deliberate.
- Professional readiness. RE-101 graduates with capstone scores at the upper end of Tier 2 are calibrated to submit to USENIX Security, IEEE S&P, or DEFCON; to enter coordinated-disclosure relationships with vendors; and to operate as embedded-security researchers in defense-industrial, civilian-government, or commercial-security roles.
Topical mini-module cross-cut: VCA-MINI-WIRESHARK-CVES-2026-05 (Wireshark RCE quartet, May 2026).
RE-101 references the four CVEs as binary-diffing exercise loci: TLS dissector across 4.6.4 vs 4.6.5 (CVE-2026-5402); SBC codec diff (CVE-2026-5403); tvbuff_rdp.c diff against the analogous FreeRDP CVEs CVE-2022-39316 / 39320 (CVE-2026-5405). The mini-module catalog page distils the vocabulary; the deep walkthroughs live in the companion handout.
Tool Journal: RE-101 Originating Entries
The Tool Journal is a per-student Markdown file the student maintains in their course Git repository, with one paragraph per practitioner tool the first time it is met. The diary spans every Virtus Academy course; HW-101 originates the bench-instrumentation entries, CSA-101 originates the software-toolchain entries, and RE-101 originates the embedded-RE-specialist entries listed below. These are tools the graduate returns to throughout a professional career in firmware analysis or hardware security research.
- Bus Pirate. First met Week 3. Pocket-sized multi-protocol bus interpreter; the standard Swiss-army-knife for SPI / I²C / UART / 1-Wire bring-up. A working RE practitioner carries one for life.
- USB logic analyzer (sigrok / pulseview). First met Week 2. The cheap-but-correct entry-tier waveform-capture instrument. Returns in every embedded debugging engagement.
- JTAGulator. First met Week 4. Joe Grand's automated debug-interface discovery instrument; the standard tool for finding undocumented JTAG / SWD pads on production hardware.
- OpenOCD. First met Week 4. Open-source on-chip debugger; the interface between any modern JTAG / SWD adapter and a target SoC. Lifetime tool.
- flashrom. First met Week 7. Ex-circuit and in-circuit reading and programming of serial flash. The SOIC-clip workflow that does not require desoldering, the technique most RE practitioners use first against an unknown target.
- binwalk. First met Week 8. Firmware carving and filesystem-signature identification. The first command run against any unknown firmware blob.
- Ghidra. First met Week 9. NSA-released static binary-analysis platform. Becomes the daily working surface for any serious binary-analysis engagement; the open-source counterpart to commercial IDA Pro.
- radare2. First met Week 9. Command-line, scriptable binary analysis, the fast-iteration counterpart to Ghidra's GUI-driven workflow.
- QEMU user-mode + qemu-armeb-static. First met Week 9. Cross-architecture binary execution; the path from "I have an ARM big-endian binary" to "I can run it on an x86_64 host and step through it." The same QEMU CSA-101 students used to run their toy CPU returns at production-architecture scale, now configured for the SB6141's big-endian ARM target.
- Wireshark with usbmon. First met Week 11. Packet-and-bus capture extended to USB-attached embedded devices; the bridge between RE-101's hardware focus and the network-protocol world NET-101 built.
Students who worked through OST2's RE 1101 / RE 2001 courses alongside RE-011 will already have several of these tools in their diary at the conceptual level; RE-101 promotes them to professional-depth entries with full instrumentation context. Yurichev's Reverse Engineering for Beginners diary entry, started in RE-011, gets a RE-101 addendum noting the ARM and big-endian architecture chapters used during the SB6141's BCM3383 analysis.
Roughly ten tool entries originate in RE-101. Combined with HW-101's seven and CSA-101's twenty-three, the Tool Journal by the close of RE-101 is substantive enough to function as a personal reference document for the rest of the student's career in embedded security.
Prerequisite Map
What RE-101 depends on, and what depends on RE-101 at cohort-level course-to-course granularity. See Prerequisites and Student Profile above for the full required-knowledge breakdown inside any individual prerequisite course.
Hard prerequisites: VCA-SEC-101 (threat-model vocabulary), VCA-NET-101 (TCP/IP recognition for the Week-11 live-device sniffing lab), and either VCA-RE-011 or demonstrated equivalent (introductory disassembly fluency).
Strongly recommended:
- VCA-HW-101. Bench-instrumentation fluency. Students arriving without HW-101 are referred to a Week-0 catch-up bench-qualification lab; students arriving with HW-101 walk into RE-101's Lab 1 with the multimeter, breadboard, soldering-iron, and oscilloscope habits the course assumes.
- VCA-CSA-101. Assembly-language reading fluency. RE-101 introduces ARM assembly in Week 4 and develops it in Week 9; CSA-101 graduates have already written and traced assembly for a CPU they personally designed, which is a deeper foundation than any survey course can supply.
Feeds into:
- VCA-ADV-101, Adversarial Techniques; same lab target, methodology turned adversarial.
- VCA-RE-201, RE of Burst Radio Signals; same methodology, RF domain.
- Part-II long-term electives: VCA-ARM-201, VCA-EMB-201, VCA-NET-201, VCA-NET-301, VCA-X86-201, VCA-MIPS-201.
See the course prerequisite map for the academy-wide map and named track sequences.
Certification Alignment
OffSec OSEE (tangent) · SANS GXPN / GREM (tangent) · DoD 8140 / DCWF 632
No exact 1:1 industry certification covers RE-101's content at professional level. The closest tangents are Offensive Security's OSEE (Offensive Security Exploitation Expert), which assumes the binary-analysis fluency RE-101 builds but focuses on userland exploitation rather than embedded firmware; SANS SEC660 / SEC760 (GXPN) and SEC710 / FOR710 (GREM), which cover overlapping exploitation and reverse-engineering material at certification level but assume rather than teach the hardware methodology RE-101 develops; and the Black Hat 2-day hardware-hacking workshops, which are professional but introductory in scope. RE-101's certificate holder enters those programs already operating at the level they assume.
DoD 8140 / DCWF alignment. Graduates carry the embedded-RE skill set that DCWF role 632 (Cyber Operator, exploitation-analyst specialty) and adjacent vulnerability-research roles require, and are calibrated for the practical-exam components those roles' validation pathways increasingly include.
Pedagogical-vs-vocational stance. RE-101's capstone, a publication-quality written report defended orally before an external practitioner panel, is a stronger professional credential in this domain than any multiple-choice or proctored-lab certification. The capstone is intentionally structured to be submission-ready to USENIX Security, IEEE S&P, or DEFCON. The certificate is the program's credential of record; the capstone artifact is the portfolio piece. Employers evaluating Virtus Academy graduates should weight the capstone artifact and the personal Git repository of eleven instrumented labs alongside (or above) any vendor cert the graduate happens to hold, in the same way that a graduate research project at a competitive university is weighted alongside (not instead of) any vendor cert the graduate happens to hold.
Certs are never required to complete a Virtus Academy course. The course transcript, the committed lab repository, and the capstone report and oral defense are the academy's primary credentials.
Format Prescriptions
Hour budget: ~28 lec hr + ~69 lab hr + ~81 indep hr (= ~178 hr total). RE-101 is the heaviest course in the catalog by total hours; this reflects its professional scope and 4.0-unit equivalent.
Live (standard cadence)
Synchronous lecture + proctored laboratory; 2 sessions/wk × 90 min each + 30 min stay-after office time. 11 weeks + capstone defense in finals week. Best for college-elective + adult-learning + homeschool-co-op cadence with shared Hardware Checkout pool access.
Night class (working-adult cadence)
1-2 sessions/wk in evenings; spread over ~22 weeks. Best for community-college + vocational-tech students with day jobs. The capstone's multi-week SB6141 engagement maps well to a 4-6 week intensive at the close of the night-class run.
Bootcamp
8 hr/day × 5 days/wk = 40 hr/wk; total ~5 weeks (4 weeks of curriculum + 1 week capstone defense prep). RE-101's 178 hr is dense; bootcamp format requires committed full-time pace + access to a Hardware Checkout pool. Best for adults / age-irrelevant students with prereq comfort + dedicated learning time.
Async self-paced
Lecture hours via recorded video; lab hours require per-student bench kit (~$140 BOM per Equipment table) + capstone SB6141 pool-rental; indep hours = student pace. Includes Discord-group access (1-2 days/wk instructor-advertised availability). AI-assistant tier add-on. Live 1:1 tutoring premium tier add-on for capstone-engagement coaching + binary-analysis walkthrough.
High school / homeschool co-op
Adapted live cadence over a school year (~15 weeks at typical school cadence) OR semester (11 weeks at college cadence). Detailed per-syllabus planning available on request. RE-101's hardware bench access + capstone SB6141 work strongly favours in-person co-op format with shared Hardware Checkout pool.