VCA-RE-201 — Reverse Engineering of Burst Radio Signals
Burst radio signals — intermittent, short-duration transmissions typical of IoT protocols, keyless-entry systems, industrial telemetry, covert communications, and many tactical-grade RF systems — present a distinct reverse-engineering challenge. Unlike continuous RF, bursts require triggered capture, synchronization recovery, and per-burst demodulation. Anchored in the instructor's master's-thesis subject matter.
Course Overview
Students completing this course should be able to take an unknown short-burst RF device, capture its emissions with software-defined radio, reverse the physical layer (modulation, framing, FEC), reverse the link layer (addressing, weak-crypto identification, control messages), and either replay, spoof, or extract payload data on a lab-owned authorized target.
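The capture-side chain the overview describes (triggered capture, burst detection, sync recovery, per-burst demodulation, frame check) can be seen end to end on a constructed signal. The block below is an added illustration, not course material or any instructor's code; it assumes a hypothetical air format (8 samples per bit, OOK, 0xAA 0xAA preamble, 0x2DD4 sync word, length byte, payload, CRC-8 with polynomial 0x07) and synthesizes its own envelope stream so it runs offline. It also shows the failure mode that bites OOK bursts first: a naive energy trigger splits one frame into many "bursts" at every run of zero bits, which the hang time in `detect_bursts` addresses.

```python
"""Triggered capture, burst detection, sync recovery and per-burst OOK demodulation
over a constructed envelope stream. Added example, not course material.

Assumed (hypothetical) air format: 8 samples per bit, OOK, preamble 0xAA 0xAA,
sync word 0x2D 0xD4, one length byte, payload, CRC-8 (poly 0x07) over
length + payload. A real device differs in every one of these parameters; the
physical- and link-layer reversing steps above are what recover them.
"""
import random

SPS = 8                      # samples per symbol (bit)
PREAMBLE = bytes([0xAA, 0xAA])
SYNC = bytes([0x2D, 0xD4])
NOISE_FLOOR = 0.05           # constructed noise amplitude
THRESHOLD = 0.3              # energy trigger level
HANG = 12 * SPS              # keep a burst open across up to 12 OOK zero bits


def crc8(data: bytes, poly: int = 0x07, init: int = 0x00) -> int:
    """CRC-8 (poly 0x07, init 0, no reflection) over data."""
    crc = init
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def bytes_to_bits(data: bytes) -> list:
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def bits_to_bytes(bits: list) -> bytes:
    """Pack MSB-first bits; an incomplete trailing byte is dropped."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))


def build_frame(payload: bytes) -> bytes:
    body = bytes([len(payload)]) + payload
    return PREAMBLE + SYNC + body + bytes([crc8(body)])


def synthesize(frames, gap=500, seed=1) -> list:
    """Constructed envelope (|I+jQ|) stream: noise floor with one OOK burst per frame."""
    rng = random.Random(seed)
    noise = lambda: rng.uniform(0.0, NOISE_FLOOR)
    stream = [noise() for _ in range(gap)]
    for frame in frames:
        for bit in bytes_to_bits(frame):
            stream.extend(min(1.0, float(bit) + noise()) for _ in range(SPS))
        stream.extend(noise() for _ in range(gap))
    return stream


def detect_bursts(mag, threshold=THRESHOLD, hang=HANG) -> list:
    """Energy trigger with hang time. Without the hang, the zero bits inside an
    OOK frame would split one transmission into many 'bursts'."""
    bursts, start, last_hot = [], None, None
    for i, m in enumerate(mag):
        if m > threshold:
            if start is None:
                start = i
            last_hot = i
        elif start is not None and i - last_hot > hang:
            bursts.append((start, last_hot + 1))
            start = None
    if start is not None:
        bursts.append((start, last_hot + 1))
    return bursts


def demod_ook(mag, start, end, threshold=THRESHOLD) -> list:
    """Slice one burst at symbol centres, using the trigger edge as the timing
    reference. Trailing zero bits never lift the envelope, so read one byte of
    silence past the detected end rather than truncating the last byte."""
    stop = min(len(mag), end + 8 * SPS)
    return [1 if mag[i] > threshold else 0 for i in range(start + SPS // 2, stop, SPS)]


def find_sync(bits, sync_bits) -> int:
    """Bit index just after the sync word, or -1 if it is absent."""
    n = len(sync_bits)
    for i in range(len(bits) - n + 1):
        if bits[i:i + n] == sync_bits:
            return i + n
    return -1


def decode_stream(mag) -> list:
    """Full chain: trigger -> burst -> bits -> sync alignment -> length/CRC check."""
    out = []
    for start, end in detect_bursts(mag):
        bits = demod_ook(mag, start, end)
        at = find_sync(bits, bytes_to_bits(SYNC))
        data = bits_to_bytes(bits[at:]) if at >= 0 else b""
        if at < 0 or not data or len(data) < 2 + data[0]:
            out.append({"start": start, "ok": False, "payload": None})
            continue
        body = data[:1 + data[0]]
        ok = crc8(body) == data[1 + data[0]]
        out.append({"start": start, "ok": ok, "payload": body[1:] if ok else None})
    return out


if __name__ == "__main__":
    stream = synthesize([build_frame(b"\x01\x00\x42"), build_frame(b"\x7f\x01")])
    for r in decode_stream(stream):
        print(r)
```

Running the module prints one record per detected burst with its CRC verdict and payload. The hang time is the parameter to watch when reversing a real OOK device: set it shorter than the inter-burst gap but longer than the longest zero run the framing allows, which is exactly why recovering the preamble, sync word and any whitening comes before the link layer.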
Relationship to RE-101
| | RE-101 (wired hardware RE) | RE-201 (burst radio RE) |
|---|---|---|
| Capture medium | Logic analyzer on physical traces | SDR with antenna |
| Protocol discovery | JTAGulator, pin-walking | Spectrum sweeps, OOK/FSK demod |
| Trust model | Secure boot, signed firmware | Payload crypto, replay resistance |
| Capstone target | SB6141 cable modem | TBD — rolling-code remote, LoRa endpoint, or similar |
Many concepts transfer: disciplined capture, hash-verified dumps, modify-replay-verify cycle, protocol-stack layering, anti-rollback considerations.
Tentative Weekly Schedule
| Week | Topic (tentative) |
|---|---|
| 1 | Foundations — RF fundamentals, SDR architecture, legal/regulatory framing |
| 2 | Antennas, front-end, gain staging, RF measurement |
| 3 | Modulation schemes I — AM, FM, OOK, 2-FSK, 4-FSK |
| 4 | Modulation schemes II — PSK, QAM, OFDM, spread-spectrum |
| 5 | Framing, preambles, sync words, FEC, CRC |
| 6 | Trigger-based capture, burst detection, timing recovery — midterm practical |
| 7 | Protocol stack reverse engineering — industrial sensor (case study) |
| 8 | Protocol stack reverse engineering — consumer remote (case study) |
| 9 | Replay and spoofing — rolling codes, nonces, challenge-response defenses |
| 10 | Encryption considerations — AES-128-in-burst, key derivation, weak KDF exploitation |
| 11 | Ethics, regulatory compliance, coordinated disclosure + capstone overview |
Candidate Hardware Kit (Beyond RE-101 Baseline)
| Item | Role | Approx Cost |
|---|---|---|
| HackRF One + antenna set | Primary SDR transceiver, 1 MHz–6 GHz | ~$330 + $50 |
| RTL-SDR V3 dongle | Receive-only, broad spectrum, low cost | ~$35 |
| LimeSDR Mini 2.0 (optional) | Full-duplex alternative, higher quality | ~$500 |
| YARDStick One | Sub-GHz ISM-band purpose-built | ~$100 |
| Flipper Zero (optional) | Handheld alternative for sub-GHz quick captures | ~$170 |
| Faraday pouch / mini-chamber | Controlled captures and interference isolation | $50+ |
Legal and Ethical Framing
- FCC Part 15 / Part 97 / Part 90 — when transmit is permitted
- HIPAA/ITAR considerations for medical/defense-adjacent RF RE
- GDPR / CCPA if RF captures include identifiable data
- DMCA §1201 and applicable exemptions
- Wassenaar / 15 CFR 740.17 for SDR software export
- Coordinated disclosure pathways for industrial IoT vulnerabilities (ICS-CERT)
Interested in VCA-RE-201?
Email academy@virtuscybersecurity.com to register your interest and say why. Sufficient demand moves this course up the build queue.