VCA-RF-201: Intermediate RF: Layer-1 + Layer-2 + RE Workflows
WIR-101 closed at the wireless-pentest engagement: a student who can characterise an authorised environment, capture a WPA handshake, classify a sub-GHz protocol, and write the report. Every modulation, every frame format, every spread-spectrum trick the entry course mentioned in passing was named there but not opened. RF-201 pays the bills. Modulation theory at the depth a working SDR engineer reads it (AM / FM / PM / ASK / FSK / PSK / QPSK / QAM; modulation-choice rationale across band, channel, and regulatory constraint). Frequency hopping and spread spectrum (FHSS / DSSS / chirp; the pseudorandom-sequence engineering behind Bluetooth Classic, GPS, and modern wireless protocols). WiFi 802.11 capture / replay / fuzzing at intermediate depth. Bluetooth Classic and BLE protocol-RE workflows. LoRa and ISM-band experiments at 433 / 868 / 915 MHz. ZigBee + 802.15.4. SDR fundamentals deep-dive (IQ-sampling theory; sample rate / bandwidth / dynamic range as architecture). Wireshark RF (capture-on-air protocols decoded). And explicit cross-cuts to RE-track network-protocol RE, PT-track wireless pentesting (aircrack-ng / Reaver / Bettercap), and the SB6141 cable-modem DOCSIS RF stage that VCA-RE-101 capstones on. Every WIR-101 forward-promise comes due here.
Course Overview
RF-201 is the academy's Part-II RF-track anchor. It assumes WIR-101's graduates: students who have personally captured a WPA handshake, characterised a 433 MHz sub-GHz garage-door opener with an RTL-SDR, enumerated a BLE GATT server, and written a five-day-engagement client report. The pedagogical contract is that RF-201 is the wireless-protocol zoo opened for inspection: for every protocol WIR-101 introduced at first-encounter depth, RF-201 opens the modulation, the spread-spectrum mechanism, the framing, and the protocol-RE workflow that lets a student characterise a novel wireless protocol from a captured IQ stream.
Closes the WIR-101 forward-promises. The Week-1 RF-fundamentals one-week sketch expands into a three-week Layer-1 module covering AM / FM / PM / ASK / FSK / PSK / QAM modulation theory + frequency hopping + spread spectrum. The Week-9 sub-GHz-survey skim expands into a five-week Layer-2-protocols module (WiFi 802.11 + Bluetooth Classic + BLE + LoRa + ZigBee + 802.15.4). The Week-9 brief GNU Radio Companion introduction expands into a multi-week SDR fundamentals deep-dive covering IQ-sampling theory, sample-rate / bandwidth / dynamic-range tradeoffs, and the GNU Radio custom-blocks workflow.
Position relative to peer offerings. RF-201 is the only formal curriculum at this level that assumes the student has already shipped a wireless-pentest capstone in the prior course and intends to feed both an embedded-networking RE capstone (RE-201 / EMB-201) and an advanced wireless-pentest specialty (ADV-101). University-level intermediate RF courses (Stanford EE 261, Berkeley EE 123, MIT 6.011) cover overlapping territory but assume the student is reading the architecture from the textbook, not having personally built the WIR-101 substrate. RF-201's pace and depth are calibrated against the existing apparatus of WIR-101's graduates.
Pedagogy. The three RF-track teaching habits continue at intermediate depth.
- Foundational readings (~16-20 weaves across RF-201's twelve chapters; Lyons Ch 6-13 for advanced filtering / sample-rate conversion / spectral analysis; Wyglinski full text for SDR-engineering depth; PySDR Ch 8-15 for advanced DSP + IQ + sampling; Sklar selected modulation chapters; URH + Inspectrum docs for protocol-RE workflow).
- Tool Journal (~12 new entries: URH-NG / Inspectrum advanced / HackRF GRC blocks / bladeRF / LimeSDR Mini / ANT-SDR E200 IIO / Wireshark RF dissectors / OpenAirInterface scaffold / GNU Radio custom blocks / gr-osmocom broader / scapy 802.11/BLE / ARRL General study materials).
- Architecture comparison sidebars (AM/FM/PM/ASK/FSK/PSK/QAM; RTL-SDR/HackRF/bladeRF/USRP/ANT-SDR E200/LimeSDR; WiFi/Bluetooth/BLE/LoRa/ZigBee Layer-2). The SB6141 cable-modem RF stage runs through the LoRa / ISM-band module + the SDR-fundamentals module as a forward-pointer into vca-emb-201.
How the Course Teaches: Foundational Readings
The same paired-textbook system WIR-101 introduced is carried forward at intermediate depth. Lyons's Understanding Digital Signal Processing (3rd ed., 2010) supplies the DSP pedagogy substrate; Wyglinski et al.'s Software-Defined Radio for Engineers (Artech House 2018; FREE PDF) supplies the SDR-engineering depth; Lichtman's PySDR carries the build-it-yourself thread in-browser via the academy workbench. Sklar's Digital Communications joins for the modulation modules; URH community docs anchor the protocol-RE workflow; ARRL General study materials are the parallel cert-track-aligned companion. The full per-chapter weave catalog publishes as handouts/cross-chapter-rf-201-anchor-reading-guide.md.
Curriculum Outline
Twelve chapters across ~14 weeks. Each chapter takes a WIR-101 first-encounter and opens it for inspection.
| Ch | Topic | What WIR-101 first-encounter it opens |
|---|---|---|
| 1 | RF first-principles. Modulation theory (AM / FM / PM / ASK / FSK / PSK / QAM) | WIR-101 Week 1 RF-fundamentals one-week sketch |
| 2 | Frequency hopping + spread spectrum (FHSS / DSSS / chirp) | WIR-101's "protocols-mention spread-spectrum" framing |
| 3 | Layer-2 WiFi 802.11. Capture / replay / fuzzing | WIR-101 Week 2-5 802.11 entry depth |
| 4 | Bluetooth Classic + BLE protocol RE | WIR-101 Week 8 BLE enumeration baseline |
| 5 | LoRa + ISM-band experiments (433 / 868 / 915 MHz) | WIR-101 Week 9 sub-GHz-survey skim |
| 6 | ZigBee + 802.15.4 | WIR-101's "mention only" coverage |
| 7 | SDR fundamentals deep-dive. IQ-sampling theory; sample rate / bandwidth / dynamic range | WIR-101 Week 9 brief GRC introduction |
| 8 | Wireshark RF. Capture-on-air protocols decoded | WIR-101 Wireshark 802.11 dissectors at advanced depth |
| 9 | URH protocol-RE workflow. Identify / isolate / decode / replay an unknown protocol | WIR-101's "classify protocol family" tier |
| 10 | Cross-cut to PT-track wireless pentesting | Forward pointer to vca-adv-101 wireless engagements |
| 11 | Cross-cut to RE-track network-protocol RE | Forward pointer to vca-re-201 burst-radio-signal RE |
| 12 | Capstone. End-to-end RF protocol RE on a chosen real-world target | The synthesis deliverable |
Architecture Comparison Sidebars
RF-201 carries three structured comparison sidebars. The full set publishes as handouts/cross-chapter-rf-201-architecture-sidebars.md.
- AM vs FM vs PM vs ASK vs FSK vs PSK vs QAM. Seven fundamental modulation schemes, their bandwidth efficiency, their noise robustness, and which deployment chose which and why. Anchored on Wyglinski + Sklar.
- RTL-SDR vs HackRF vs bladeRF vs USRP vs ANT-SDR E200 vs LimeSDR Mini. Six SDR hardware tiers, the cost/dynamic-range/bandwidth/transmit-capability tradeoffs, where each is deployed in production, the academy's bring-your-own progression. Anchored on Wyglinski + community.
- WiFi 802.11 vs Bluetooth Classic vs BLE vs LoRa vs ZigBee/802.15.4. Five Layer-2 wireless protocols, their MAC philosophies, their ranges, their power profiles, and which IoT / consumer / industrial deployments chose which. Anchored on Wyglinski + URH community docs.
Learning Outcomes
Stated step-by-step up the Bloom ladder, from Remember to Synthesize.
- Remember. State the seven fundamental modulation schemes (AM / FM / PM / ASK / FSK / PSK / QAM); the three spread-spectrum techniques (FHSS / DSSS / chirp); the five major Layer-2 wireless protocols (WiFi / Bluetooth Classic / BLE / LoRa / ZigBee).
- Understand. Explain why IQ representation lets a complex-valued signal at sample-rate B carry the same information as a real-valued signal at sample-rate 2B, and why this matters for SDR architecture choices.
- Understand. Distinguish FHSS (Bluetooth Classic) from DSSS (legacy 802.11b, GPS) from chirp (LoRa); explain the spectrum-spreading-and-de-spreading mechanism for each.
- Apply. Capture an unknown sub-GHz signal with an RTL-SDR; characterise its modulation in URH; reproduce it with HackRF in a sandboxed RF environment.
- Apply. Implement two LoRa demodulators (FIR + polyphase) in GNU Radio; measure performance against the same captured signal.
- Apply. Enumerate a BLE peripheral's GATT services and characteristics; capture an authenticated pairing exchange; analyse the cryptographic handshake.
- Analyze. Given a captured IQ stream of an unknown protocol, classify the modulation, recover the symbol rate, identify the framing, and propose a hypothesis for the protocol family.
- Synthesize. Ship the end-to-end capstone: characterise a real-world target's RF behaviour, reverse-engineer its protocol, document the workflow, and produce a reproducibility package.
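The spreading-and-de-spreading mechanism behind the DSSS outcome above, as an added pure-Python example (not course material and not code from GNU Radio, URH or any other tool the course lists): a 31-chip m-sequence from a 5-stage LFSR, one code period per data bit, code-phase acquisition by sliding correlation, and a carrier-frequency CW jammer (a DC offset at baseband) ten times the chip amplitude that survives de-spreading yet swamps an unspread stream. The function names, LFSR seed, data bits, chip delay and jammer level are all assumptions made for the example.

```python
import math

def m_sequence(seed=0b10101):
    """One period (31 chips, bit 0 -> -1, bit 1 -> +1) of a 5-stage Fibonacci LFSR
    with feedback polynomial x^5 + x^2 + 1. The polynomial is primitive, so any
    nonzero seed walks all 2^5 - 1 states; GPS C/A Gold codes XOR two 10-stage
    sequences built the same way (seed chosen arbitrarily for this example)."""
    state, chips = seed, []
    for _ in range(31):
        chips.append(1 if state & 1 else -1)
        fb = (state ^ (state >> 2)) & 1
        state = (state >> 1) | (fb << 4)
    return chips

def spread(bits, pn):
    """DSSS transmitter: each data bit (as +/-1) multiplies one full PN period."""
    return [(1 if b else -1) * c for b in bits for c in pn]

def correlate(window, pn):
    return sum(s * c for s, c in zip(window, pn))

def acquire(rx, pn):
    """Code-phase acquisition: slide the PN code across the first period of rx and
    return the chip offset with the strongest correlation. Assumes the stream opens
    with two identical preamble bits, so every wrong offset sees the m-sequence's
    periodic autocorrelation (-1) rather than a data-bit boundary."""
    n = len(pn)
    return max(range(n), key=lambda d: correlate(rx[d:d + n], pn))

def despread(rx, pn):
    """DSSS receiver: correlate each aligned period with the code; the sign is the bit."""
    n = len(pn)
    return [1 if correlate(rx[i:i + n], pn) > 0 else 0 for i in range(0, len(rx), n)]

def processing_gain_db(chips_per_bit):
    """Jamming margin bought by spreading: 10*log10(chips per bit), ~14.9 dB for 31."""
    return 10 * math.log10(chips_per_bit)

def demo(jam_amplitude=10.0, delay=7):
    """Constructed link: 8 data bits, an unknown chip delay, and a CW jammer on the
    carrier (a DC offset at baseband) ten times stronger than the +/-1 chips."""
    pn = m_sequence()
    data = [1, 1, 0, 1, 0, 0, 1, 0]          # first two bits double as the sync preamble
    rx = [0.0] * delay + [float(c) for c in spread(data, pn)]
    rx = [s + jam_amplitude for s in rx]     # jammer adds to every received sample
    offset = acquire(rx, pn)
    recovered = despread(rx[offset:], pn)    # each period sums to +/-31 + 10*sum(pn) = +/-31 + 10
    # The same jammer on an unspread +/-1 stream drags every sample positive, so a
    # hard-decision receiver reads all ones.
    unspread = [1 if (1 if b else -1) + jam_amplitude > 0 else 0 for b in data]
    return offset, recovered, unspread

if __name__ == "__main__":
    print(demo())
```

The de-spread correlation works against a DC jammer because the m-sequence is balanced (16 chips of +1, 15 of -1), so the jammer contributes only 10 × 1 per period against a signal term of ±31.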
Hands-On Labs
Twelve labs, one capstone. Each lab opens a WIR-101 first-encounter for intermediate-grade inspection.
- Lab 1. Modulation zoo. Generate AM / FM / PM / ASK / FSK / PSK / QAM signals in GNU Radio; demodulate each; compare bandwidth and noise robustness.
- Lab 2. Spread-spectrum lab. Build a DSSS transmitter + receiver in GNU Radio; visualise spectrum spreading and de-spreading.
- Lab 3. WiFi 802.11 capture-replay-fuzzing. Fuzzing 802.11 management frames against a sandboxed AP.
- Lab 4. Bluetooth Classic + BLE protocol RE. Pair-capture-decode workflow against an authorised target.
- Lab 5. LoRa demodulator pair (FIR + polyphase). Performance comparison.
- Lab 6. ZigBee / 802.15.4 mesh lab. Capture and decode a ZigBee mesh.
- Lab 7. IQ-sampling-rate exploration. Capture the same signal at 2 / 8 / 20 MS/s; observe spectral leakage.
- Lab 8. Wireshark RF dissection. Decode WiFi + BT + ZigBee captures with appropriate dissector plugins.
- Lab 9. URH unknown-protocol-RE workflow. Full RE on an instructor-supplied unknown protocol capture.
- Lab 10. Wireless-pentest cross-cut. Aircrack-ng / Reaver / Bettercap discipline against a sandboxed target.
- Lab 11. ANT-SDR E200 advanced lab. Full-duplex IQ work on the academy primary platform.
- Lab 12 (capstone). End-to-end RF protocol RE on a chosen real-world target. See the Capstone section below.
Capstone: End-to-End RF Protocol RE
The student selects a real-world wireless target they have authority to observe (a personally owned ISM-band device; a sandboxed lab target; a homebrew transmitter the student built in HW-101) and reverse-engineers its protocol from captured IQ to a working GNU Radio demodulator and a written protocol specification.
Required artifacts
- Captured IQ archive (the raw evidence base).
- URH-driven protocol-fingerprinting analysis with annotated symbol stream.
- GNU Radio flowgraph implementing a working demodulator for the target protocol.
- Written protocol specification at the level a successor RE engineer would read: physical layer (modulation, symbol rate, framing), link layer (preambles, addressing, error detection), application layer (payload structure if recoverable), and a limit-of-confidence statement for any component the student couldn't recover.
- Reproducibility package: `make capture` reproduces the IQ archive on the target hardware; `make demod` reproduces the GNU Radio flowgraph against a captured archive.
- 15-25 page lab-notebook capstone report covering: target-selection rationale, capture methodology, RE workflow, findings, the limit-of-confidence statement, and an explicit ROE/FCC/CFAA-compliance section.
Two-tier grading rubric
First, your project must work. The captured IQ archive reproduces; the URH analysis identifies a defensible modulation + symbol rate; the GNU Radio demodulator extracts the same symbol stream URH did; the written specification is internally consistent. Reports below this threshold do not pass.
Then we score the report on three dimensions.
- RE methodology + technical depth (40%). Is the workflow systematic and reproducible? Does the demodulator match the URH symbol stream byte-for-byte? Is the protocol specification at the level a successor RE engineer would actually read?
- Limit-of-confidence honesty (30%). Is the limit-of-confidence statement complete? Did the student avoid claiming more than the evidence supports?
- ROE / FCC / CFAA compliance + ethics (30%). Is transmit operation on lab-shielded equipment only? Is the target authorised? Is the legal framing complete?
B− minimum on Tier 2 for the certificate. The capstone is the structural precursor to RF-301's full RF-protocol RE + reimplementation work and to RE-201's burst-radio-signal RE.
Tool Journal: RF-201 Originating Entries
~12 new tools enter the diary in RF-201; the WIR-101 corpus continues at advanced depth.
- URH-NG (PentHertz fork). 327-protocol auto-identification + automotive RF crypto toolkit; advanced URH variant for protocol-RE depth.
- Inspectrum (advanced features). Offline RF visual analysis at intermediate-RE depth.
- HackRF GRC blocks (Ossmann). The canonical HackRF flowgraph corpus.
- bladeRF + libbladeRF. Transmit-capable advanced SDR; cross-cut platform.
- LimeSDR Mini + LimeSuite. Advanced SDR with broad frequency coverage.
- ANT-SDR E200 + libIIO. The academy primary platform; advanced full-duplex work.
- Wireshark RF dissector plugins. WiFi / BT / ZigBee / 802.15.4 plugin pipeline.
- GNU Radio custom-blocks workflow. Authoring custom GRC blocks in Python.
- scapy 802.11 + BLE layers. Programmatic Layer-2 frame crafting.
- gr-osmocom (broader; cellular + GPS + ADS-B). The GNU Radio osmocom integration suite.
- Bettercap + Reaver + WiFiPhisher. PT-track wireless-pentest cross-cut tools.
- ARRL General license study materials. The next-tier ham-licensing pathway after WIR-101's Technician.
Recommended Readings
Primary anchor pair (continued from WIR-101 at intermediate depth)
- Richard Lyons, Understanding Digital Signal Processing, 3rd ed. Pearson, 2010 (ISBN 978-0-13-702741-5). Chapters 6-13 (advanced filtering / sample-rate conversion / signal averaging / adaptive filters / spectral analysis). Library-acquire or paperback ~$80-100.
- Wyglinski et al., Software-Defined Radio for Engineers. Artech House, 2018. Full text. FREE PDF via Analog Devices.
- Marc Lichtman, PySDR. FREE online at pysdr.org. Chapters 8-15 (advanced DSP + SDR + IQ + sampling + practical SDR).
- GNU Radio Tutorials. Custom-blocks track. First-party docs at wiki.gnuradio.org/Tutorials.
Module-specific anchors (RF-201 introduces)
- Bernard Sklar, Digital Communications: Fundamentals and Applications, 3rd ed. Pearson, 2017. Selected modulation chapters; primary anchor for Chapter 1.
- Steven W. Smith, The Scientist and Engineer's Guide to Digital Signal Processing. FREE at dspguide.com. Continues at advanced-DSP depth.
- Michael Ossmann, "Software Defined Radio with HackRF" video series. FREE on YouTube; deepens HackRF practitioner depth.
- URH community documentation. github.com/jopohl/urh. The protocol-RE workflow reference.
Practitioner training (parallel credential pathway)
- ARRL General license study materials. Continues from WIR-101's Technician.
Career Outcomes & Cross-Course Bridges
- → VCA-RF-301. Advanced SDR + waveform RE; cognitive radio; cellular (LTE / 5G NR / OpenAirInterface); SATCOM; SIGINT; anti-jamming / LPI/LPD. RF-201 is the central prerequisite.
- → VCA-RE-201 (RE of Burst Radio Signals). RF-201's URH protocol-RE methodology + GNU Radio custom-blocks workflow are the substrate RE-201 deepens into adversarial-RF reverse-engineering.
- → VCA-ADV-101 (Adversarial Techniques). RF-201's wireless-pentest cross-cut module (Reaver / Bettercap / WiFiPhisher) feeds adv-101's engagement work.
- → VCA-EMB-201 (future, planned) + VCA-RE-101 (the SB6141 cable-modem pipeline). RF-201's LoRa / ISM-band + DOCSIS-RF-stage understanding feeds the embedded-networking RE pipeline; a student who reaches RE-101 having taken WIR-101 + RF-201 + EMB-201 reads the cable modem's RF stage as a witness to its architecture.
- → VCA-NET-201. RF-201's wireless-protocol-RE methodology cross-cuts NET-201's wired-protocol pentesting; both inherit the same Wireshark-and-protocol-decode discipline.
- Industry. SDR engineers; wireless-protocol RE engineers at security-research firms (PentHertz, Trail of Bits wireless team); RF security researchers at IoT vendors; junior wireless-pentest specialists; embedded-networking engineers at modem / cellular / IoT vendors; SATCOM engineers; SIGINT analysts in defence-adjacent roles.
- Credential paths. ARRL General → ARRL Extra; CWNP CWS / CWT / CWNA / CWAP for wireless-LAN specialty; SANS GAWN for wireless audit/assessment.
Certification Alignment
ARRL General / CWNP CWNA / SANS GAWN (forward-pointer)
Primary: ARRL General amateur-radio licensing. Continues from WIR-101's Technician; the General license unlocks substantial HF privileges relevant to advanced RF experimentation. Exam fee ~$15.
Alternative: CWNP CWNA (Certified Wireless Network Administrator). Vendor-neutral wireless-LAN credential; pairs with RF-201's WiFi 802.11 chapters. Exam fee ~$275.
Forward-pointer: SANS GAWN (GIAC Assessing and Auditing Wireless Networks). High-cost forward-stretch alternative for students with employer training budget; pairs with RF-201's wireless-pentest cross-cut module + the future RF-301 + WIR-101 capstone work.
Before You Start
- Have you completed WIR-101 and shipped its 5-day wireless engagement capstone? (If no → WIR-101's capstone is the central prerequisite.)
- Have you completed CSA-101 (or equivalent computer-systems foundation)? (If no → the SDR fundamentals + GNU Radio custom-blocks modules assume systems-level fluency.)
- Are you comfortable with Python + NumPy + scipy.signal? (If no → FND-102 + WIR-101 review.)
- Can you read a Wireshark 802.11 capture and identify the management-plane frames? (If no → WIR-101 Lab 2 review.)
- Do you have access to Lyons + Wyglinski (Wyglinski FREE PDF)? (If no → library-acquire pathway for Lyons; Wyglinski direct download from Analog Devices.)
Format Prescriptions
Hour budget: ~24 lecture hr + ~52 lab hr + ~79 independent hr (= ~155 hr total).
Live (standard cadence)
2 sessions/wk × 90 min over 14 weeks. Best for college-elective post-WIR-101.
Night class
1-2 sessions/wk evenings; ~28 weeks. The IQ-sampling-deep-dive and capstone modules need extended-evening blocks.
Bootcamp
40 hr/wk × ~4 weeks intensive. Compressed but feasible.
Async self-paced
Recorded video; per-student SDR kit (RTL-SDR + HackRF + ANT-SDR E200 program-supplied); AI-assistant tier add-on; 1:1 tutoring premium for the capstone protocol-RE work.
High school / homeschool co-op
Year-long cadence at HS scheduling. Recommended for advanced-track students; ROE+FCC-compliance instructor sign-off required for transmit labs.