VCA-RE-201: Reverse Engineering of Burst Radio Signals
Burst radio signals (intermittent, short-duration transmissions typical of IoT protocols, keyless-entry systems, industrial telemetry, covert communications, and many tactical-grade RF systems) present a distinct reverse-engineering challenge. Unlike continuous RF, bursts require triggered capture, synchronization recovery, and per-burst demodulation. The course is anchored in the instructor's masters-thesis subject matter.
Course Overview
Students completing this course should be able to take an unknown short-burst RF device, capture its emissions with software-defined radio, reverse the physical layer (modulation, framing, FEC), reverse the link layer (addressing, weak-crypto identification, control messages), and either replay, spoof, or extract payload data on a lab-owned authorized target.
RE-201 is the RF half of the embedded RE stream, paired in the curriculum with RE-101 (the wired-firmware half). Both sit at Belt 5/5 capstone depth; both assume the analytical posture established in RE-011 and the embedded-RE methodology of RE-101. RE-201 differs in capture medium (RF rather than wired bus), in the protocol-stack layers it primarily reverses (PHY + link-layer + framing rather than firmware blob + filesystem + binary), and in the regulatory context it operates within (FCC Part 15 / 97 / 90 transmit-permission, ITAR / Wassenaar export considerations, ICS-CERT coordinated disclosure pathways for industrial IoT). Together RE-101 + RE-201 produce graduates ready to handle the full reverse-engineering surface of contemporary embedded devices, the chip on the board and the radio that talks to it.
The course is anchored on the instructor's masters-thesis subject matter: a working program of independent research in burst-radio reverse engineering produced over multiple years of dedicated study. This anchoring is what permits RE-201 to operate at professional level on subject matter most undergraduate cybersecurity programs do not cover at all. The course is deliberately limited in scale (one cohort of small size) until the curriculum builds out further; enrolled students work directly with the instructor on protocols and devices the field has not yet fully characterised.
How the Course Teaches: Foundational Readings
RE-201 draws on the same RE-track anchor pairs as RE-011 and RE-101, applied now at capstone depth to burst-radio protocols, SDR capture pipelines, and industrial-IoT disclosure-grade reporting. Two additional narrative anchors enter at this level: Kim Zetter on industrial control-system compromise and the Shenzhen/supply-chain chapters of bunnie's The Hardware Hacker.
Xeno Kovah designed OST2 Architecture 2001 as the natural sequel to 1001: the same bottom-up methodology applied to reverse engineering across architectural registers rather than a single ISA. By RE-201 the student has already worked through Kovah's 1001 foundations in RE-011 and the x86/ARM embedded extension in RE-101; what 2001 contributes here is the disciplined protocol-layer decomposition posture: every layer of an unknown protocol is a binary artifact subject to the same observe-hypothesize-test loop the student learned to apply to firmware. Yurichev's ARM and DSP chapters extend this to the register-level view of signal-processing code that appears whenever a microcontroller's firmware implements a protocol PHY in software; the demodulation loop a student disassembles in Week 9 has the same structural grammar Yurichev described three courses earlier. Together the pair anchors RE-201's analytical posture in a proven pedagogical lineage: every unknown burst is a firmware artifact at the RF boundary.
Erickson's mechanistic clarity (the same control-flow-to-exploit chain that grounded RE-011 and RE-101) arrives in RE-201 reoriented toward the replay-and-spoof attack surface. Erickson's account of how timing relationships and memory-state transitions compose into exploitable conditions maps directly onto the rolling-code analysis in Week 9: the student is not finding a buffer overflow, but the analytical posture is identical. Characterise the state machine, identify the residual left by an incomplete defence, propose a controlled demonstration against an authorised target only. Bunnie's Shenzhen and supply-chain chapters in The Hardware Hacker provide the second narrative layer: bunnie's description of how RF module sourcing decisions propagate forward into protocol-compatibility constraints is the genealogical context RE-201's Week 8 protocol-lineage memo asks students to document. The student writing a lineage memo from LoRa back to Semtech's chirp spread spectrum patents is doing exactly what bunnie describes: tracing a design decision forward through a supply chain and backward through a specification history at the same time. Zetter's account of Stuxnet in Countdown to Zero Day provides the industrial-IoT anchor that makes RE-201's ICS-CERT disclosure pathway tangible. Zetter's documentation of how Stuxnet's authors understood the Siemens S7 PLCs and their protocol well enough to inject fabricated sensor readings (a reverse-engineering triumph with catastrophic operational consequences) is the narrative that makes Week 11's regulatory framing and disclosure-pathway material feel central rather than procedural. RE-201 students writing coordinated-disclosure submissions are operating in the same professional space Zetter describes.
RE-201's replay-and-spoof work is the research-tier upstream of ADV-101's operational CVE-reproduction framework. Stuttard and Pinto's state-management methodology from the PT-track anchors, already met in ADV-101, appears here in a different domain: the rolling-code protocol is a state machine with the same structural properties as a web-application session. A nonce, a validity window, a transition that an attacker wants to intercept or replay. RE-201 students who have completed ADV-101 recognise the analytical grammar; ADV-101 students who follow up with RE-201 find the RF-side CVEs (KRACK, Dragonblood, FragAttacks) newly tractable because they can now capture and characterise the protocol directly rather than reading proof-of-concept code. The HW-track cross-cut runs through chip-off: van Woudenberg and O'Flynn's hardware-hacking methodology from The Hardware Hacking Handbook (already a required text in RE-101) returns in RE-201 as the extraction discipline for SDR front-end firmware. A student who wants to understand why a HackRF One captures certain bursts with a lower noise floor than its spec suggests opens the front-end firmware to look; the chip-off posture van Woudenberg and O'Flynn establish is how that investigation begins. Forward pointer to the future vca-net-301 elective: Week 4's OFDM / FHSS / DSSS / Chirp-SS week is the seam where RE-201 and net-301 share methodology. RE-201 uses spread-spectrum identification as a reverse-engineering challenge: categorise the unknown modulation, recover the spreading parameters. Net-301 will deepen the same material into standardised-protocol analysis (LoRaWAN, 5G NR, Wi-Fi 7 OFDMA); the student who completes RE-201 first will find net-301's treatment of protocol structure already familiar from the unknown-protocol side.
Learning Objectives
Listed in Bloom's-taxonomy order. Each is measurable against a specific lab or written deliverable. RE-201 is a capstone-tier course; objectives are heavy on Apply / Analyze / Evaluate / Create.
- Remember. Name the major modulation schemes used in burst-RF protocols (OOK, ASK, 2-FSK, 4-FSK, MSK / GMSK, PSK family, QAM family, OFDM); state the regulatory framework that governs transmit operations on each major ISM band (433 MHz, 868 MHz, 902-928 MHz, 2.4 GHz); recite the canonical burst-RF frame structure (preamble → sync word → header → payload → CRC / FEC). (Assessed: closed-book quiz; Lab 1 spectrum-survey worksheet.)
- Understand. Explain why burst RF requires triggered capture rather than continuous sampling; explain the timing-recovery and symbol-synchronisation problems and why each is harder for burst protocols than for continuous ones; explain why FEC choices (repetition, Hamming, Reed-Solomon, convolutional + Viterbi) leave identifiable signatures in the demodulated bitstream. (Assessed: written reflection D2; Lab 3 modulation-identification exercise.)
- Apply. Configure a software-defined radio (HackRF One, RTL-SDR V3, or YARDStick One) with appropriate gain staging, sample rate, and filter parameters for a target band; capture a clean burst against an authorized lab target; demodulate to a bitstream using GNU Radio Companion or URH (Universal Radio Hacker). (Assessed: Lab 4 capture-and-demod-the-target exercise.)
- Apply. Reverse the framing of an unknown protocol from a captured bitstream: identify the preamble / sync word / payload boundaries by statistical observation across multiple bursts; locate the CRC and verify; identify the addressing scheme by correlation against transmitter identity. (Assessed: Lab 5 framing-reverse exercise.)
- Analyze. Given a reversed protocol with apparent encryption or rolling-code defence, identify the cryptographic primitive in use (or its absence), evaluate replay-resistance, and propose (without executing) a defensive-design recommendation that would harden the protocol against the attack class the analysis exposed. (Assessed: Lab 7 crypto-and-replay-evaluation exercise.)
- Analyze. Trace the structural lineage between a burst-RF protocol and the broader telecom history it inherits from. For an instructor-assigned target, identify the lineage (e.g., DOCSIS upstream burst → HFC cable plant; LoRa → Chirp Spread Spectrum; Z-Wave → ITU-T G.9959; BLE advertisements → Bluetooth Core Specification). Document the public specification consulted. (Assessed: Lab 8 protocol-lineage memo.)
- Evaluate. Articulate, in writing, the legal and regulatory boundary that governs the analysis the course teaches. For a hypothetical target the student proposes, identify which FCC Part applies, whether transmission is permitted on the relevant band at the relevant power, whether the device falls under ITAR or EAR restriction, and whether the disclosure pathway is ICS-CERT, vendor PSIRT, or independent. (Assessed: deliverable D3 regulatory-framework reflection, ~500 words.)
- Create. Conduct, document, and report a complete reverse-engineering analysis on a student-authored or instructor-assigned authorized lab target. Capture, demodulate, reverse framing, identify cryptographic posture, and either (a) demonstrate a controlled replay against the lab-owned target, (b) extract structured payload data, or (c) document the residual analysis gap with the rigour required for a coordinated-disclosure submission. (Assessed: Lab 9, the capstone.)
Relationship to RE-101
| Dimension | RE-101 (wired hardware RE) | RE-201 (burst radio RE) |
|---|---|---|
| Capture medium | Logic analyzer on physical traces | SDR with antenna |
| Protocol discovery | JTAGulator, pin-walking | Spectrum sweeps, OOK/FSK demod |
| Trust model | Secure boot, signed firmware | Payload crypto, replay resistance |
| Capstone target | SB6141 cable modem | TBD. Rolling-code remote, LoRa endpoint, or similar |
Many concepts transfer: disciplined capture, hash-verified dumps, modify-replay-verify cycle, protocol-stack layering, anti-rollback considerations.
Week-by-Week Topic Flow
Eleven weeks. Lab time roughly 4× lecture time per the bench-and-RF-heavy nature of the course; per-week independent practice ~6 hours covering protocol-spec reading, capture-and-demod drill, and capstone scoping in the second half of the term.
- Week 1. Foundations, RF fundamentals (the electromagnetic spectrum, propagation, attenuation), SDR architecture (RF front-end, ADC, IQ baseband, sample rate vs. bandwidth), legal and regulatory framing (FCC Part 15 / 97 / 90 transmit-permission, ITAR, Wassenaar, EAR). The professional posture: receive-only capture is generally permitted, but intercepting and disclosing the contents of non-public transmissions is separately restricted (47 U.S.C. §605 and the ECPA in the US), and transmit is regulated. Lab 1. Spectrum-survey worksheet on the lab's ambient RF environment.
- Week 2. Antennas, front-end, gain staging, RF measurement. Why antenna selection matters more than software for many capture problems. Calibrated power measurement; the dBm scale; the noise floor. Lab 2. Antenna A/B comparison against a known emitter.
- Week 3. Modulation schemes I, AM, FM, OOK, 2-FSK, 4-FSK. The simplest modulations the student is most likely to meet on consumer ISM-band devices. Eyes-on-the-waveform discipline: identifying modulation visually in Inspectrum or URH before any algorithmic step. Lab 3. Modulation-identification exercise across 8 captured signals.
- Week 4. Modulation schemes II, PSK, QAM, OFDM, spread-spectrum (DSSS / FHSS / Chirp). The harder modulations; LoRa as the canonical Chirp-SS commercial protocol; OFDM as the dominant high-throughput choice (Wi-Fi, LTE, 5G, DOCSIS upstream). Forward-pointer to vca-net-301, where these are deepened with channel-coding and FEC math. Lab 4. Capture-and-demod-the-target exercise.
- Week 5. Framing, preambles, sync words, FEC, CRC. Why every protocol has a preamble and why preamble lengths follow predictable patterns. CRC reverse engineering: identifying the polynomial from observed input-output pairs (CRCRevEng tooling). FEC identification: repetition codes, Hamming, Reed-Solomon, convolutional + Viterbi. Lab 5. Framing-reverse exercise against an unknown protocol.
- Week 6. Trigger-based capture, burst detection, timing recovery. The technical core of the course. Capturing transient signals reliably is harder than capturing continuous ones. Midterm practical: capture and fully demodulate a burst from an instructor-supplied lab device, end-to-end, against a 2-hour wall clock.
- Week 7. Protocol-stack reverse engineering. Industrial sensor (case study). A real LoRa or Z-Wave-class industrial endpoint, captured cleanly, reversed end-to-end with the student documenting each protocol layer. Lab 7. Crypto-and-replay-evaluation exercise.
- Week 8. Protocol-stack reverse engineering. Consumer remote (case study). A keyless-entry remote, garage-door opener, or comparable consumer device. The rolling-code challenge is the focus: how the protocol resists replay, and how analysis exposes the design without enabling unauthorised transmission. Lab 8. Protocol-lineage memo.
- Week 9. Replay and spoofing. Rolling codes, nonces, challenge-response defenses. The defensive-design vocabulary, taught from the attacker's perspective (where each defence breaks). Capture-replay-against-own-target-only is the ethical line.
- Week 10. Encryption considerations, AES-128-in-burst, key derivation in resource-constrained devices, weak KDF exploitation, side-channel-aware cryptanalysis at conceptual depth (no power-analysis hardware in CSA-101 / RE-201, but the awareness arrives here).
- Week 11. Ethics, regulatory compliance, coordinated disclosure with ICS-CERT and ICS PSIRTs. Capstone overview and final scoping. Lab 9 capstone delivery week.
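Week 6's triggered-capture and timing-recovery problem, reduced to the smallest working form. This is an added example, not course material and not GNU Radio or URH code: stdlib-only Python that synthesises an OOK burst with a small carrier offset, triggers on energy with hysteresis, recovers the symbol clock from envelope run lengths, and slices bits at symbol centres. The IQ stream is constructed here, not recorded; the sample rate, symbol rate, sync word, payload and thresholds are assumptions chosen for the demonstration.

```python
"""Triggered burst capture and hard-decision OOK demodulation, stdlib only.

Added worked example, not course material: the IQ stream is synthesised
below (a constructed input, not a recording), and the sample rate, symbol
rate, sync word and payload are assumptions chosen for the demo.
"""
import cmath
import math
import random

SPS = 8                       # samples per symbol (assumed: 250 kS/s, 31.25 kbaud)
PREAMBLE = [0xAA, 0xAA]       # 1010...: isolated symbols give the clock away
SYNC = [0x2D, 0xD4]           # assumed sync word
PAYLOAD = [0x01, 0x5A, 0xC3]  # constructed payload; last bit is 1 (see demod_ook)


def bytes_to_bits(data):
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def bits_to_bytes(bits):
    whole = len(bits) - len(bits) % 8
    return [int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, whole, 8)]


def synth_ook_capture(bits, sps=SPS, lead=200, tail=200, freq_offset=0.02,
                      noise=0.05, seed=1):
    """Silence, one OOK burst with a small carrier offset (the usual tuning
    error), silence. Noise is seeded so the example is repeatable."""
    rng = random.Random(seed)
    n_burst = len(bits) * sps
    iq, phase = [], 0.0
    for k in range(lead + n_burst + tail):
        amp = float(bits[(k - lead) // sps]) if lead <= k < lead + n_burst else 0.0
        phase += 2 * math.pi * freq_offset
        iq.append(amp * cmath.exp(1j * phase)
                  + complex(rng.gauss(0, noise), rng.gauss(0, noise)))
    return iq


def detect_bursts(iq, on_thresh, off_thresh, hold):
    """Energy trigger with hysteresis: open when |x|^2 exceeds on_thresh,
    close after `hold` consecutive samples below off_thresh. `hold` must be
    longer than the longest run of 0-symbols the protocol can emit, or a zero
    run inside a frame is mistaken for the gap between two frames."""
    bursts, start, quiet = [], None, 0
    for i, s in enumerate(iq):
        p = abs(s) ** 2
        if start is None:
            if p > on_thresh:
                start, quiet = i, 0
        elif p < off_thresh:
            quiet += 1
            if quiet >= hold:
                bursts.append((start, i - hold + 1))
                start = None
        else:
            quiet = 0
    if start is not None:               # capture ended mid-burst
        bursts.append((start, len(iq)))
    return bursts


def estimate_symbol_period(env):
    """Shortest run of equal envelope samples is one symbol period, provided
    the burst holds at least one isolated symbol (the 0xAA preamble does)."""
    runs, run = [], 1
    for a, b in zip(env, env[1:]):
        if a == b:
            run += 1
        else:
            runs.append(run)
            run = 1
    return min(runs + [run])


def demod_ook(iq, start, end, thresh):
    """Threshold the envelope, recover the symbol clock from run lengths,
    then sample the centre of each symbol. Trailing 0-symbols look exactly
    like silence, so the frame is cut at the last on-sample: a real protocol
    therefore ends frames on a CRC or a length field, never on a zero run."""
    env = [1 if abs(s) ** 2 > thresh else 0 for s in iq[start:end]]
    env = env[:max(i for i, v in enumerate(env) if v) + 1]
    sps = estimate_symbol_period(env)
    n_sym = round(len(env) / sps)
    bits = [env[min(int((k + 0.5) * sps), len(env) - 1)] for k in range(n_sym)]
    return bits, sps


def capture_and_demod(iq, on_thresh=0.5, off_thresh=0.25, hold=12 * SPS):
    """Trigger, demodulate each burst, pack bits: one dict per burst."""
    frames = []
    for start, end in detect_bursts(iq, on_thresh, off_thresh, hold):
        bits, sps = demod_ook(iq, start, end, off_thresh)
        frames.append({"start": start, "sps": sps, "bytes": bits_to_bytes(bits)})
    return frames


if __name__ == "__main__":
    tx = PREAMBLE + SYNC + PAYLOAD
    for f in capture_and_demod(synth_ook_capture(bytes_to_bits(tx))):
        print(f"burst at sample {f['start']}, {f['sps']} samples/symbol, "
              f"bytes {[f'{b:02x}' for b in f['bytes']]}")
```

Two things the code makes concrete that a flowgraph hides: the trigger's hold-off time is a protocol assumption (set it shorter than the longest legal zero run and one frame becomes two), and trailing zero symbols are unrecoverable from the envelope alone, which is why framing reverse (Week 5) has to find a length field or CRC before the bitstream is trustworthy.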
Lab Manifest
Nine numbered labs across the eleven-week term. Labs 1-8 are graded on correctness and lab-notebook quality plus the regulatory-compliance discipline the course demands; Lab 9 is the capstone, two-tier-graded against the rubric below. The midterm practical in Week 6 is a separate timed exercise that gates progression into the case-study weeks.
- Lab 1. Spectrum-survey worksheet. Sweep the ambient lab RF environment with an SDR; identify ISM-band emitters; classify by likely protocol family. Compliance gate: confirm receive-only operation and document the regulatory basis.
- Lab 2. Antenna A/B comparison. Capture a known emitter with two antennas (e.g., the stock whip vs. a tuned dipole at the target frequency); measure SNR; explain the difference quantitatively.
- Lab 3. Modulation identification across 8 captured signals. For each: identify modulation by visual inspection in Inspectrum or URH; confirm with algorithmic analysis; document signature.
- Lab 4. Capture-and-demod the target. End-to-end SDR pipeline: configuration, capture, demodulation to bitstream. The first lab where the student produces a clean bitstream from raw RF.
- Lab 5. Framing-reverse exercise on an unknown protocol. Identify preamble / sync / payload / CRC by statistical observation; reverse the CRC polynomial; document.
- Midterm practical (Week 6). 2-hour timed exercise: instructor-supplied target, end-to-end capture and demod, single chance, documented.
- Lab 7. Crypto-and-replay-evaluation. For an instructor-supplied protocol with rolling-code or AES defence, evaluate replay-resistance and propose (without executing) a defensive-design hardening recommendation.
- Lab 8. Protocol-lineage memo. For an assigned target, document the structural lineage to its commercial origin (DOCSIS upstream, LoRa, Z-Wave, BLE advertisements, etc.); cite the public specification consulted.
- Lab 9, Capstone. Complete reverse-engineering analysis on a student-proposed or instructor-assigned authorized target. See Capstone section below.
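The framing-reverse procedure that the Apply objective, Week 5 and Lab 5 all describe (find the constant sync word, find the length field, recover the CRC parameters from input-output pairs), carried through on a set of frames. This is an added example, not course material and not CRC RevEng itself; the frames are constructed below with an assumed layout (sync, length, address, payload, CRC-16/CCITT-FALSE over the body) so the recovery can be checked, and the candidate polynomial list is a small subset of the published CRC catalogue. The one step worth memorising is the differential trick: because a CRC is affine over GF(2), XORing two equal-length frames cancels the unknown init and xorout, so polynomial, reflection and byte order fall out first and init is searched afterwards.

```python
"""Framing reverse and CRC-parameter recovery over a set of captured frames.

Added worked example, not course material and not CRC RevEng: frames are
constructed below with an assumed layout so the recovery can be verified.
"""


def reflect(v, bits):
    r = 0
    for _ in range(bits):
        r, v = (r << 1) | (v & 1), v >> 1
    return r


def crc16(data, poly, init, refin, refout, xorout):
    """Generic 16-bit CRC in the Rocksoft parameterisation (poly, init,
    refin, refout, xorout). Reflected variants run the MSB-first loop on
    reflected bytes and reflect the result, which is equivalent."""
    crc = init
    for b in data:
        crc ^= (reflect(b, 8) if refin else b) << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly if crc & 0x8000 else crc << 1) & 0xFFFF
    return (reflect(crc, 16) if refout else crc) ^ xorout


# (polynomial, reflected) pairs to try: common 16-bit entries of the CRC
# RevEng catalogue (0x1021 CCITT/KERMIT, 0x8005 ARC/MODBUS/BUYPASS, ...).
CANDIDATES = [(p, r) for p in (0x1021, 0x8005, 0x3D65, 0x8BB7, 0xC867, 0xA097, 0x1DCF)
              for r in (False, True)]
INITS = (0x0000, 0xFFFF, 0x1D0F, 0x800D, 0xB2AA, 0x89EC, 0xC6C6)
XOROUTS = (0x0000, 0xFFFF)


def common_prefix(frames):
    """Bytes identical in every burst: the sync word, the first framing boundary."""
    n = 0
    while n < min(map(len, frames)) and len({f[n] for f in frames}) == 1:
        n += 1
    return frames[0][:n]


def find_length_field(frames, lo, hi):
    """A byte that equals len(frame) minus the same constant in every frame is
    the length field; the constant is the number of bytes it does not count.
    Needs frames of at least two different lengths, or every byte 'fits'."""
    if len({len(f) for f in frames}) < 2:
        return None
    for pos in range(lo, hi):
        offsets = {len(f) - f[pos] for f in frames}
        if len(offsets) == 1:
            return pos, offsets.pop()
    return None


def recover_poly(frames, data_start, crc_len=2):
    """Differential step. For equal-length frames a, b:
    crc(a) ^ crc(b) == crc(a ^ b) with init = xorout = 0, whatever the real
    init and xorout are. So pairs pin down poly, reflection and byte order."""
    by_len = {}
    for f in frames:
        by_len.setdefault(len(f), []).append(f)
    diffs = [bytes(x ^ y for x, y in zip(a, b))
             for grp in by_len.values() for a, b in zip(grp, grp[1:])]
    hits = []
    for poly, ref in CANDIDATES:
        for order in ("big", "little"):
            if diffs and all(crc16(d[data_start:-crc_len], poly, 0, ref, ref, 0)
                             == int.from_bytes(d[-crc_len:], order) for d in diffs):
                hits.append((poly, ref, order))
    return hits


def recover_crc(frames, prefix_len, crc_len=2):
    """Second step: with poly fixed, search catalogue init/xorout values, with
    and without the constant sync word inside the checked span. A constant
    prefix is indistinguishable from a different init, so both readings may
    come back; every consistent parameter set is reported."""
    found = []
    for poly, ref, order in recover_poly(frames, prefix_len, crc_len):
        for start in sorted({0, prefix_len}):
            for init in INITS:
                for xorout in XOROUTS:
                    if all(crc16(f[start:-crc_len], poly, init, ref, ref, xorout)
                           == int.from_bytes(f[-crc_len:], order) for f in frames):
                        found.append({"poly": poly, "refin": ref, "init": init,
                                      "xorout": xorout, "order": order,
                                      "data_start": start})
    return found


# Constructed sample: sync 2D D4 | len | addr | payload | CRC-16/CCITT-FALSE (big-endian)
SYNC = b"\x2d\xd4"


def build_frame(addr, payload):
    body = bytes([len(payload), addr]) + payload
    return SYNC + body + crc16(body, 0x1021, 0xFFFF, False, False, 0).to_bytes(2, "big")


SAMPLE_FRAMES = [
    build_frame(0x11, b"\x01\x02\x03"), build_frame(0x22, b"\xaa\xbb\xcc"),
    build_frame(0x11, b"\x05\x06\x07\x08\x09"), build_frame(0x33, b"\x10\x20\x30\x40\x50"),
    build_frame(0x22, b"\xde\xad\xbe\xef"),
]


def reverse_framing(frames):
    prefix = common_prefix(frames)
    length = find_length_field(frames, len(prefix), min(map(len, frames)) - 2)
    return {"sync": prefix, "length_field": length, "crc": recover_crc(frames, len(prefix))}


if __name__ == "__main__":
    for key, value in reverse_framing(SAMPLE_FRAMES).items():
        print(key, value)
```

On real captures the same code needs one more loop, over the CRC width (8, 16, 24, 32) and over where the CRC sits; and if the catalogue search comes back empty the polynomial has to be brute-forced, which is where CRC RevEng earns its place. The differential step also explains why a lab notebook should record several bursts of the same length: one burst gives you nothing to XOR against.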
Bridge to ADV-101 / ADV-102 / future net-301 / future RE-301 / AI-strand: the RF Half of the RE Stream Closes Here
RE-201's deliberate forward-pointer is its position as the RF capstone of the embedded-RE curriculum. By the close of RE-201 the student can take an unknown short-burst RF device, capture its emissions, reverse the physical and link layers, and produce a coordinated-disclosure-ready analysis report. Three things this enables downstream:
- VCA-ADV-101 (CVE-to-tool engineering). Disclosed RF vulnerabilities are reproduced against authorised lab targets in ADV-101's workflow. RE-201 graduates land ADV-101 with the capture-and-demod skill set already in hand; their CVE-reproduction work for RF-class CVEs (KRACK, Dragonblood, FragAttacks, BLE pairing flaws) is grounded in real captures rather than reading proof-of-concept code.
- VCA-ADV-102 (LLM-CVE variant). The disclosure-grade-report writing discipline RE-201's capstone establishes is the same discipline ADV-102 demands of its CVE-2025-65106 LangChain Jinja2 reproduction. Different vulnerability surface, identical reporting standard.
- The future vca-net-301 elective (Networking II: Bits, Modulation, Wireless, SDR). Per Findings §22.5 + §22.7. RE-201 is structurally adjacent to net-301. Both teach SDR-based work; RE-201 emphasises reverse engineering of unknown protocols, while net-301 emphasises understanding of standardised protocols (DOCSIS, Wi-Fi, LTE, BLE) at the modulation-and-bits level. RE-201 graduates likely take net-301 next; net-301 graduates may take RE-201 if not already taken. The pair forms the wireless half of the curriculum.
- VCA-RE-101 reciprocal. The Findings §22.7 SB6141 chip-by-chip mapping makes the reciprocity concrete: SB6141's MaxLinear MxL261 RF front-end + Broadcom DOCSIS PHY are the RF half of the lab target; SB6141's ARM1176JZ-S Linux processor + TI PDSP packet-processor are the wired half. RE-101 students examine the wired half deeply; RE-201 students arriving with RE-101 background can extend the analysis to the RF front-end as a follow-on capstone study.
- VCA-WIR-101 (wireless penetration testing). Wireless pentest work is operational-tier (attack a known protocol family); RE-201 work is research-tier (reverse an unknown protocol family). Skills overlap on capture and demodulation; RE-201 deepens the analytical posture WIR-101 introduces.
- The future vca-ai-* AI-security strand. Increasingly, AI systems include RF-side surfaces: LLM-controlled drones, autonomous-vehicle V2X protocols, agentic systems with wireless I/O. The reverse-engineering posture RE-201 builds applies, with the target shifted from protocol-byte to protocol-byte-plus-model-output.
The course's closing message: RE-101 closes the wired half of the embedded-RE surface; RE-201 closes the RF half. Together they produce graduates ready to handle the full reverse-engineering surface of contemporary embedded devices.
Tool Journal: RE-201 Originating Entries
The Tool Journal continues. RE-201 originates the diary's SDR-and-RF-tooling roots; HW-101 originated bench-electronics, NET-101 originated network analysis, RE-011 originated binary-analysis, RE-101 originated firmware-extraction. By the close of RE-201 the student's diary contains roughly 50-55 practitioner-tool entries across the curriculum.
RE-201 originates the following diary entries:
- HackRF One. First met Week 1. The standard-issue half-duplex SDR transceiver covering 1 MHz-6 GHz. The capture instrument for most lab work; transmit only on regulatorily-permitted bands and in compliance with the lab's authorization.
- RTL-SDR V3 dongle. First met Week 1. The receive-only SDR; cheap, broad spectrum, the tool every practitioner has within arm's reach. Continues into vca-net-301.
- YARDStick One. First met Week 3. Sub-GHz transceiver built around the TI CC1111 and driven from Python with RfCat. Not a raw-IQ SDR, so it cannot record an unknown waveform for offline study, but it demodulates OOK/ASK and (G)FSK/MSK in hardware with a tighter RF budget than a HackRF needs, which is why many production RF reverse-engineers prefer it for <1 GHz ISM-band work once the modulation is known.
- LimeSDR Mini 2.0. First met Week 4 (optional). Full-duplex alternative to HackRF; higher RF quality, used when capture-and-transmit-simultaneously is required.
- GNU Radio + GNU Radio Companion. First met Week 1. The open-source DSP framework on which most SDR work in the course is built. Block-diagram graphical editing of signal-processing flowgraphs; Python output the practitioner can edit and re-run.
- Universal Radio Hacker (URH). First met Week 3. The interactive RF reverse-engineering tool. Visual demodulation, automatic protocol-shape detection, attack generation. The fastest route to a working capture-and-demod for the early labs.
- Inspectrum. First met Week 3. Visual offline analysis of recorded SDR captures. The tool the practitioner reaches for to study a burst frame-by-frame after the live capture is over.
- GQRX. First met Week 1. The general-purpose SDR receiver application. The first thing the student opens to confirm the antenna and front-end work.
- Flipper Zero. First met Week 7 (optional). The handheld sub-GHz capture-and-replay device; not a research tool but a fast diagnostic for many ISM-band protocols. The tool that lets the student do field-work without a laptop and a HackRF on the bench.
- CRCRevEng. First met Week 5. The CRC-polynomial reverse-engineering tool. Given input-output pairs, identifies the CRC variant in use.
- scapy (RF / radio extensions). First met Week 8. Already in the diary from NET-101 + RE-101 for wired use; here met for radio packet construction and replay against authorised targets.
- Faraday pouch / mini RF chamber. First met Week 2. Physical fixtures for controlled captures that isolate from interference. Not software but central for repeatable bench measurements.
Roughly twelve tool entries originate in RE-201. Net-301 (when the elective lands) will deepen this set with channel-coding tooling (LDPC and turbo-decoder libraries, polar-code research suites) and modulation-specific decoders for 5G NR, Wi-Fi 6/7, and LoRaWAN.
Capstone: Burst-RF Reverse-Engineering Analysis Report
The course capstone. The student selects (with instructor sign-off) or accepts assignment of an authorised lab target. Typically a rolling-code remote, a LoRa endpoint, an industrial-IoT sensor with documented public specification, or a comparable burst-RF device the lab owns and is authorised to study, and produces a complete reverse-engineering analysis. The capstone is the structural cousin of the RE-101 SB6141 capstone, oriented toward RF rather than wired RE.
Required artifacts
- The complete capture set (raw IQ recordings, with hashes for integrity), captured under documented regulatory conditions (band, power, FCC Part justification).
- The demodulated bitstream(s), with the demodulation pipeline documented (GNU Radio flowgraph or URH protocol description).
- The reversed protocol description: framing, addressing, payload structure, FEC choice, CRC polynomial, cryptographic posture.
- An evaluation of the protocol's replay-resistance, with a defensive-design recommendation for at least one weakness identified (analysis only; no transmit attack against unauthorised targets).
- A 6-10 page disclosure-grade report written to coordinated-disclosure standards; it should be submittable to ICS-CERT or to a vendor PSIRT without modification.
- A 10-minute oral defence to the cohort, presenting the analytical narrative.
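The replay-resistance evaluation that Week 9, Lab 7 and the capstone artifact above all ask for, worked as a model rather than against a device. This is an added example, not course material and not any vendor's scheme: a generic counter-based rolling code and a challenge-response variant built from stdlib HMAC, walked through the cases an analyst must check (replay of a delivered code, a code recorded while the receiver was out of range, a counter beyond the resync window, a stale challenge response). Key, serial, window size and the 32-bit MAC truncation are assumptions chosen for the demonstration.

```python
"""Replay-resistance evaluation of two keyless-entry designs, as a model.

Added example, not course material: a generic counter-based rolling code and a
challenge-response variant built from stdlib HMAC. Key, serial, window size and
the 32-bit MAC truncation are demo assumptions, not any vendor's parameters.
"""
import hashlib
import hmac
import itertools
import secrets
import struct

KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed demo key
SERIAL = 0x00A1B2C3
WINDOW = 16   # assumed resync window: how far ahead of `last` the receiver accepts


def mac32(key, *fields):
    """HMAC-SHA256 truncated to 32 bits; the truncation models the airtime
    budget of a burst protocol (a real design would have to justify the width)."""
    msg = b"".join(struct.pack(">I", f) for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]


class CounterRemote:
    """Transmitter of a counter-based rolling code: (serial, counter, mac)."""
    def __init__(self, key, serial, counter=0):
        self.key, self.serial, self.counter = key, serial, counter

    def press(self):
        self.counter += 1
        return (self.serial, self.counter, mac32(self.key, self.serial, self.counter))


class CounterReceiver:
    """Accepts a code iff the MAC checks and last < counter <= last + WINDOW;
    `last` only moves forward, so a code that was accepted cannot be replayed."""
    def __init__(self, key, serial):
        self.key, self.serial, self.last = key, serial, 0

    def accept(self, code):
        serial, ctr, tag = code
        if serial != self.serial or not (self.last < ctr <= self.last + WINDOW):
            return False
        if not hmac.compare_digest(tag, mac32(self.key, serial, ctr)):
            return False
        self.last = ctr
        return True


class ChallengeReceiver:
    """Issues a fresh nonce per attempt; the nonce is consumed by the next
    accept() whether or not it succeeds, so a response is usable exactly once
    and only against the challenge it answered."""
    def __init__(self, key, serial, nonce_source=lambda: secrets.randbits(32)):
        self.key, self.serial, self.nonce_source = key, serial, nonce_source
        self.pending = None

    def challenge(self):
        self.pending = self.nonce_source()
        return self.pending

    def accept(self, response):
        serial, nonce, tag = response
        expected, self.pending = self.pending, None
        return (expected is not None and serial == self.serial and nonce == expected
                and hmac.compare_digest(tag, mac32(self.key, serial, nonce)))


class ChallengeRemote:
    def __init__(self, key, serial):
        self.key, self.serial = key, serial

    def respond(self, nonce):
        return (self.serial, nonce, mac32(self.key, self.serial, nonce))


def evaluate_counter_design():
    """Walk the counter design through the cases an analyst has to check."""
    remote, rx, r = CounterRemote(KEY, SERIAL), CounterReceiver(KEY, SERIAL), {}
    delivered = remote.press()
    r["first_press"] = rx.accept(delivered)                      # True
    r["replay_of_delivered"] = rx.accept(delivered)              # False: counter <= last
    missed = remote.press()                       # receiver out of range; attacker records it
    r["later_press_within_window"] = rx.accept(remote.press())  # True: gap of 2 <= WINDOW
    r["recorded_then_overtaken"] = rx.accept(missed)             # False: now behind `last`
    recorded = remote.press()                     # recorded, never delivered
    # True: the residual exposure. Nothing newer arrived, so a counter-only
    # design cannot tell a stale, unused code from a live press; only
    # receiver-side freshness (a nonce or challenge) closes this.
    r["recorded_not_overtaken"] = rx.accept(recorded)
    too_far = remote.counter + WINDOW + 1
    r["beyond_window"] = rx.accept((SERIAL, too_far, mac32(KEY, SERIAL, too_far)))  # False
    return r


def evaluate_challenge_design():
    nonces = itertools.count(0x5EED0001)   # deterministic for the demo only: in a
    # real receiver a predictable nonce is itself a reportable finding
    rx = ChallengeReceiver(KEY, SERIAL, nonce_source=lambda: next(nonces))
    remote, r = ChallengeRemote(KEY, SERIAL), {}
    first = remote.respond(rx.challenge())
    r["first_exchange"] = rx.accept(first)                       # True
    rx.challenge()
    r["replay_old_response"] = rx.accept(first)                  # False: answers a dead nonce
    recorded = remote.respond(rx.challenge())     # recorded, never delivered
    rx.challenge()                                # receiver has moved on
    r["recorded_not_delivered"] = rx.accept(recorded)            # False: nonce expired
    r["fresh_exchange"] = rx.accept(remote.respond(rx.challenge()))  # True
    return r


if __name__ == "__main__":
    print("counter design:", evaluate_counter_design())
    print("challenge design:", evaluate_challenge_design())
```

The `recorded_not_overtaken` case is the one the Lab 7 write-up must name explicitly: the counter design is replay-resistant only against codes the receiver has already seen, and the defensive-design recommendation has to say what supplies freshness on the receiver side (and at what cost in airtime and battery, since the challenge design doubles the over-the-air exchange).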
Two-tier grading rubric
First, your project must work (Tier 1). The capstone reverses a real protocol against an authorised target, with technical accuracy and full regulatory compliance. Reports that operate on unauthorised targets do not pass; the regulatory-compliance gate is absolute, and a single instance of unauthorised transmission is grounds for course failure regardless of analytical quality elsewhere. Reports with material technical errors do not pass. No rubric scoring is performed on incorrect analysis.
Then we score the report (Tier 2). Once the capstone passes Tier 1, it is scored on three dimensions:
- Technical depth and rigour (40%). Did the student reverse the protocol completely, or did the analysis stop at the first plausible interpretation? Was the cryptographic evaluation specific or hand-waved? Were edge cases (corrupted bursts, retransmissions, anomalous frame lengths) examined?
- Methodological discipline (30%). Was the workflow documented such that another analyst could reproduce the work? Are the SDR settings, antenna selection, and capture conditions named? Are the demodulation pipelines preserved as runnable artifacts?
- Disclosure-grade clarity and ethics (30%). Could the report be sent to ICS-CERT or the vendor PSIRT without modification? Is the regulatory-compliance discipline explicit? Does the defensive-design recommendation engage seriously with the trade-offs the protocol's designers faced?
There is no curve. There is no participation credit. The regulatory-compliance gate is non-negotiable. This is the student's professional RF reverse-engineering deliverable - the structural cousin of the RE-101 SB6141 capstone and the structural precursor to publication in the RF-RE research community. RE-201 graduates with strong capstones may, with instructor support, submit their work to industrial-IoT security venues (4SICS, S4, ICS-CERT advisories, IEEE Symposium on Security and Privacy industrial track).
Prerequisite Map
What RE-201 depends on, and what depends on RE-201:
- Depends on: VCA-RE-101 (firmware-extraction, embedded-RE methodology, coordinated-disclosure practice; RE-201 extends the reverse-engineering posture from wired-bus to RF). Recommended: VCA-NET-101 (network-protocol-stack literacy; RE-201's framing-reverse work is structurally similar to NET-101's pcap-reading work). Recommended: VCA-HW-101 (RF measurement requires bench-electronics fluency the SDR work assumes).
- Feeds into VCA-ADV-101 (CVE-to-tool engineering): RF-class CVEs (KRACK, Dragonblood, FragAttacks, BLE pairing flaws, Z-Wave protocol exploits) become reproducible CVE-reproduction targets after RE-201.
- Feeds into VCA-ADV-102 (LLM-CVE variant): Disclosure-grade reporting discipline transfers structurally; technical surface differs.
- Feeds into VCA-WIR-101 reciprocal: RE-201 is the research-tier; WIR-101 is the operational-tier. Students who take both gain bidirectional fluency.
- Feeds into the future vca-net-301 elective (Networking II: Bits, Modulation, Wireless, SDR): Per Findings §22.5 + §22.7. Net-301 deepens RE-201's modulation work onto standardised protocols (5G NR, Wi-Fi 6/7, LoRaWAN); the SB6141 RF front-end (MxL261 + Broadcom DOCSIS PHY) becomes a worked case study in net-301.
- Feeds into the future vca-emb-201 elective (Embedded RTOS, multi-processor, embedded Linux): RE-201's burst-RF protocol work intersects with TI PDSP-class packet-processor microcode (the SB6141 lineage); emb-201 deepens the multi-processor side.
- Feeds into the future vca-ai-* AI-security strand: AI systems with RF-side surfaces (LLM-controlled drones, autonomous-vehicle V2X, agentic systems with wireless I/O) become reverse-engineering targets the AI strand will eventually examine.
Certification Alignment
No industry certification covers burst-RF reverse engineering at the depth RE-201 teaches. The field is niche enough that practitioner credibility comes from publication and conference talks rather than from credential acquisition. The Virtus certificate is the credential of record at this level.
Adjacent professional credentials students may pursue post-completion:
- OffSec OSWP (Offensive Security Wireless Professional). ~$2k course + exam; covers Wi-Fi-only wireless pentest; narrower than RE-201's burst-RF scope but adjacent.
- SANS SEC617 (Wireless Penetration Testing) and the GAWN credential. Wireless-pentest course adjacent to WIR-101's scope; useful for students continuing into the operational tier.
- GIAC GREM (Reverse Engineering Malware). Already noted as the post-RE-101 forward-pointer; RE-201's reverse-engineering discipline applies even though malware-RE and protocol-RE differ in target.
- Amateur radio licensing (FCC Technician / General / Extra; international equivalents). Not industry credentials, but legitimately-licensed transmit operations are a professional asset for SDR practitioners. Many working RF reverse-engineers hold General-class amateur tickets at minimum.
Publication venues RE-201 graduates with strong capstone work may target: ICS-CERT advisories, vendor PSIRT coordinated-disclosure submissions, industrial-IoT security conferences (4SICS, S4), and the IEEE Symposium on Security and Privacy industrial track. The credential of record in this field is the published advisory or the conference talk.
Candidate Hardware Kit (Beyond RE-101 Baseline)
| Item | Role | Approx Cost |
|---|---|---|
| HackRF One + antenna set | Primary SDR transceiver, 1 MHz-6 GHz | ~$330 + $50 |
| RTL-SDR V3 dongle | Receive-only, broad spectrum, low cost | ~$35 |
| LimeSDR Mini 2.0 (optional) | Full-duplex alternative, higher quality | ~$500 |
| YARDStick One | Sub-GHz ISM-band purpose-built | ~$100 |
| Flipper Zero (optional) | Handheld alternative for sub-GHz quick captures | ~$170 |
| Faraday pouch / mini-chamber | Controlled captures and interference isolation | $50+ |
Legal and Ethical Framing
- FCC Part 15 / Part 97 / Part 90, when transmit is permitted
- HIPAA/ITAR considerations for medical/defense-adjacent RF RE
- GDPR / CCPA if RF captures include identifiable data
- DMCA §1201 and applicable exemptions
- Wassenaar / 15 CFR 740.17 for SDR software export
- Coordinated disclosure pathways for industrial IoT vulnerabilities (ICS-CERT, whose vulnerability-coordination role now sits within CISA)
Recommended Readings
The RE-track anchor pairs continue in RE-201. Two additional narrative anchors enter at this level.
Primary. Build-it-yourself
- OpenSecurityTraining2, Architecture 2001 (Xeno Kovah; free; ost2.fyi). Advanced-depth extension of OST2 1001. Protocol-layer decomposition posture applied across architectural registers; the analytical discipline that anchors RE-201's unknown-burst methodology.
- Yurichev, D. Reverse Engineering for Beginners. Free download at beginners.re; CC-BY-SA 4.0; 1052 pp. ARM and DSP chapters applied at RE-201 depth: the demodulation-loop disassembly and register-level view of protocol-PHY firmware.
Primary. Narrative
- Erickson, J. Hacking: The Art of Exploitation, 2nd ed. No Starch Press, 2008. ISBN 978-1-59327-144-2. Control-flow-to-exploit methodology reoriented toward replay-and-spoof: the analytical posture for Week 9's rolling-code analysis.
- Huang, A. ("bunnie"). The Hardware Hacker. No Starch Press, 2017. ISBN 978-1-59327-758-1. Shenzhen and supply-chain chapters: the genealogical context behind RE-201's protocol-lineage memo. Chip-off methodology cross-cut to SDR front-end firmware extraction.
- Zetter, K. Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon. Crown Publishers, 2014. ISBN 978-0-7704-3618-9. Industrial-IoT narrative anchor: Stuxnet's Siemens S7 reverse-engineering and fabricated-sensor-reading injection make Week 11's ICS-CERT disclosure pathway and coordinated-disclosure reporting tangible. The professional space RE-201 capstone graduates enter.
Supplementary
- van Woudenberg, J. & O'Flynn, C. The Hardware Hacking Handbook: Breaking Embedded Security with Hardware Attacks. No Starch Press, 2021. Already a required text in RE-101; surfaces in RE-201 as the chip-off and side-channel posture for SDR front-end firmware investigation.
- Ossmann, M. Software Defined Radio with HackRF (free lecture series, greatscottgadgets.com/sdr/). The practitioner tutorial series for the RE-201 hardware kit; complements the course's GNU Radio / URH toolchain.
- OWASP IoT Security Testing Guide. Free at owasp.org. Regulatory and coordinated-disclosure framework for IoT RE work; ICS-CERT disclosure workflow supplement.
- GNU Radio documentation. Free at wiki.gnuradio.org. Reference documentation for the block-diagram signal-processing flowgraphs used throughout the labs.
Format Prescriptions
Hour budget: ~15 lec hr + ~59 lab hr + ~65 indep hr (= ~140 hr total). 11 weeks of curriculum + capstone RF reverse-engineering deliverable.
Live (standard cadence)
Synchronous lecture + proctored RF laboratory; 2 sessions/wk × 90 min each + 30 min stay-after office time. 11 weeks + RF range time. Best for college-elective + adult-learning + homeschool-co-op cadence with shared SDR pool + spectrum-licensed RF range access. Cohort scale is deliberately small (instructor-direct).
Night class (working-adult cadence)
1-2 sessions/wk in evenings; spread over ~22 weeks + RF range time. Best for community-college + vocational-tech students with day jobs. Capstone RF deliverable is best run as a dedicated spectrum-block weekend.
Bootcamp
8 hr/day × 5 days/wk = 40 hr/wk; total ~4 weeks. Best for adults / age-irrelevant students with prereq comfort + dedicated learning time + access to RF lab equipment + spectrum range.
Async self-paced
Lecture hours via recorded video; lab hours require per-student SDR + antenna kit ($400-$550 BOM per Equipment row); indep hours = student pace. Pool-supplied HackRF option pending Hardware Checkout decision. Includes Discord-group access (1-2 days/wk instructor-advertised availability). AI-assistant tier add-on. Live 1:1 tutoring premium tier add-on for capstone-engagement coaching + ROE/FCC-compliance review.
High school / homeschool co-op
Adapted live cadence over a school year (~15 weeks at typical school cadence) OR semester (11 weeks at college cadence + RF range). Detailed per-syllabus planning available on request. Note: ROE + FCC compliance instructor sign-off required before any spectrum-active labs; spectrum-licensed RF range access strongly favours in-person co-op format.
Interested in VCA-RE-201?
Email interested@virtuscyberacademy.org with your background and interest. Sufficient demand moves this course up the build queue.