This is a small collection of papers and talks exposing features of digital radio PHYs that non-RF-engineer folks like us find surprising. Your mileage may vary :)
Active Link-layer fingerprinting of 802.11/Wi-Fi: paper, tools & presentations
"Packet-in-packet", or how to inject 802.15.4/ZigBee digital radio frames without owning a radio: [pdf] [blog] (USENIX WOOT 2012)
"1/8th of a nybble", in which we evade anti-PIP measures that filter some strings before transmission, by shifting the signal so that transmitted and received frames have no bytes in common: [pdf] (1st LangSec IEEE S&P workshop 2014)
"Digital radio dialects & shaped charges", in which we use dialects of 802.15.4 PHY frames to inject frames invisible to some RF chips no matter what the signal-to-noise ratio is: [pdf] (ACM WiSec 2014)
DemystiPHY: how RF dialects arise. [slides] (InfoSec South West 2014)
"A Protocol for Leibowitz", in which we discuss how to hide information in the modulation and encoding of the RTTY and PSK31 ham radio protocols: [slides] (REcon 2015)
"Fillory of PHY", in which we inject frames into incompatible PHYs and create PHY polyglots for the ham radio protocols RTTY & PSK31: [pdf] [slides] (USENIX WOOT 2016)