GBPPR Cellular Phone Jammers

Can you hear me now?    No.    Good.


Overview

Device(s) to disrupt the reception of cellular phone system downlink frequencies.  This will prevent a cellular phone user from sending or receiving cellular phone calls within the small jam radius.  Advanced electronic and RF engineering technical skills will be required.

Also, be sure to read this excellent thesis paper by Limor Fried:

Social Defense Mechanisms: Tools for Reclaiming our Personal Space  (4.9M PDF)

Abstract:  In contemporary Western society, electronic devices are becoming so prevalent that many people find themselves surrounded by technologies they find frustrating or annoying. The electronics industry has little incentive to address this complaint; I designed two counter-technologies to help people defend their personal space from unwanted electronic intrusion. Both devices were designed and prototyped with reference to the culture-jamming "Design Noir" philosophy. The first is a pair of glasses that darken whenever a television is in view. The second is a low-power RF jammer capable of preventing cell phones or similarly intrusive wireless devices from operating within a user's personal space. By building functional prototypes that reflect equal consideration of technical and social issues, I identify three attributes of Noir products: Personal empowerment, participation in a critical discourse, and subversion.

An HTML version of the above paper is available here: Design and Implementation of Wave Bubble, and you can read more about her thesis project in this article: Zone of Silence.  (Text)

HOPE Number Six panel by Ladyada and Mitch Altman: Social Impact Sides of Creating Defensive Technology

Abstract:  Ever wish you had the power to turn off a TV in a restaurant or disable an intrusive cell phone?  Social defensive technologies are "reality hacking" devices that give us the sort of sociopathic control we've come to enjoy on the Internet alone.  Three years ago, Mitch decided he'd had enough of televisions and designed the TV-B-Gone, a universal "off" keychain remote.  Around the same time, Ladyada designed a personal RF jammer.  Together they will discuss these projects in the context of reclaiming personal space, culture-jamming, and how we can design technologies that do what we really want.  Don't expect good WiFi/cell reception.

$2600 Magazine's HOPE Number Six audio panel by Ladyada and Phil Torrone: Citizen Engineer - Consumer Electronics Hacking and Open Source Hardware

Abstract:  This is a hands-on session on all the things you're not supposed to do (but want to) with the gadgets that fill our drawers and shelves: transform an old VCR into an automatic cat feeder, use open interfaces to control Roomba robotic vacuums.  Projects like these (and others, such as WRT54G hacking, iPod Linux, car-computer hacking, etc.) are part of a growing trend where consumers are going back and hacking what they buy.  Just as computer hacking is closely tied to the Open Source software movement, so can such embedded gadget-hacking lead to an Open Source hardware movement.

Read about Ladyada's MP3 player project in this New York Times article: Curiously High-Tech Hacks for a Classic Tin, and a small feature from the O'Reilly book Makers: Page #1 and Page #2.  Here is an article from the News Bytes column in the June 2006 issue of Nuts and Volts Magazine.  (x0xb0x clipart in PCB Cart ad)

Pictures from Ladyada's cell phone jammer experiments on Flickr.

Article on HOPE #6 and cellular phone jammers in Wired Magazine: Hackers Fight Authority in NYC, and a nice interview taken at HOPE #6 by Sophie Le-Phat Ho.  (Text).  Wireless Design & Development has another article: Protecting Your Personal Space  (Text)

Episode 4 of thebroken shows off the latest in cell phone jamming.  (Note:  These guys should be shot.)

Here is an updated no-tune Wave Bubble which covers cell phones, GPS, WiFi: Wave Bubble

Here is a video (14M MOV) of the Wave Bubble operating at SXSW 2007 from Minnesota Stories.  (Keynote Speech)

Hack-A-Day Entry and Engadget Entry for the above Wave Bubble project.  Apparently, her next project should be a cellular phone jammer with a built-in defibrillator...

Old Schematics

New Schematics

This section will contain new, updated cellular jamming schematics, pictures and notes.  The old ones (above) are now mostly for reference use.

The "Exciter" schematics contain only the sweep & generator sections and the VCO for that particular band.  Match it with the RF power amplifier schematic for higher output power.

Construction Notes / Pictures

Square Wave Generator

The TL074 quad op-amp (U1) sweep generator of the cellular jammer exciter is based around a few simple op-amp building blocks.  First, op-amp U1a is configured as a relaxation oscillator, or square wave generator.  Basically, feedback resistor Rf charges capacitor C until it reaches a voltage level set by resistors R1 and R2.  The op-amp then discharges, resulting in a waveform which is a square wave.  The frequency of the square wave is determined via the following Perl equation:

use strict;
use warnings;

# $FRQ is the oscillator's output frequency, in Hz

my $Rf = 10000;        # resistor Rf, in ohms      (10k)
my $C1 = 0.00000001;   # capacitor C1, in farads   (0.01 uF)
my $R1 = 3300;         # resistor R1, in ohms      (3.3k)
my $R2 = 22000;        # resistor R2, in ohms      (22k)

# Perl's log() is the natural logarithm
my $FRQ = 1 / (2 * $Rf * $C1 * log(((2 * $R1) / $R2) + 1));

printf "FRQ = %.0f Hz\n", $FRQ;

This equation is usually accurate only for a dual-supply op-amp configuration (i.e., op-amps using both + and - voltages).  A single-supply configuration will often output at a slightly higher frequency - and I'm not really sure why.  It will help to experiment a bit.

The above values produce a frequency of approximately 19 kHz.  "Real world" testing, however, showed the frequency to vary between 17-18 kHz.  It reached 30 kHz when using a single-supply op-amp configuration.  The components' exact values aren't too critical in this application.  The feedback resistor (Rf) is the main determining factor of the oscillator's frequency.  Change it to a potentiometer (100k to 1M) to vary the output frequency.  The other resistors in the oscillator control the duty cycle of the square wave, and for the most part can be left alone.

Integrator / Buffer

A square wave is pretty useless in a jamming circuit.  Ideally, we want a "ramp" or "triangle" waveform.  When applied to the voltage tune pin on an external Voltage Controlled Oscillator (VCO), the resulting RF output will be "swept" across the entire tuning band.  This is what is needed for wideband jamming applications.

In this particular circuit, op-amp U1b is configured as an integrator, or triangle wave generator.  The resistor (R4) and capacitor (C2) in the integrator op-amp's feedback network form an RC time constant which is used to convert the incoming square wave into a triangle wave.  I actually found the best resulting output waveform by experimenting with different capacitor values in the feedback network (it will be frequency dependent).  The feedback resistor (R4) should be approximately 10 times the input resistor (R3).  A feedback capacitor value of 2200 pF was found to output the cleanest triangle waveform with minimum signal attenuation.

Mathematically, the integrator's components are found via the following Perl equations:

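use strict;
use warnings;

# $R4 is the integrator's feedback resistor, in ohms
# $C2 is the integrator's feedback capacitor, in farads
# $FRQ is the input square wave's frequency, in Hz

my $FRQ = 19000;       # approx. 19 kHz, from the square wave generator above
my $R3  = 10000;       # resistor R3, in ohms      (10k)

my $R4 = 10 * $R3;

my $C2 = 1 / ($FRQ * $R4);

printf "R4 = %d ohms, C2 = %.3g F\n", $R4, $C2;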

But, I'd trust what an oscilloscope has to say more...

Op-amp U1c is configured as a buffer (gain = 1).  This helps to isolate the oscillator network from the rest of the circuits.  The series 0.1 µF capacitors remove any DC bias voltage which may be present on the op-amp's outputs.  Low-leakage film capacitors will work the best.

Mixer / DC Offset

The final op-amp, U1d, is configured as a summing amplifier (gain = 1), otherwise known as a mixer.  The output of a summing amplifier is the sum of the input voltages.  The sum of these input voltages should not exceed the +9 VDC of the TL074's positive voltage rail.  The input to this mixer is a triangle wave and a random "noise" signal.  These signals are mixed to form a new, "noisy" triangle waveform.  When applied to the VCO, the resulting RF signal will "sweep" across the cellular downlink frequencies, and will be Frequency Modulated (FM) with the noise signal.  This noise modulation helps to increase the jammer's effectiveness.

This op-amp also provides a DC offset for the VCO's voltage tune pin.  This gives the triangle wave a positive DC voltage offset to help "center" the triangle wave within the required frequency range.

Example:

(RF Output of a Particular VCO)

Voltage Tune (+ Volts DC)      Frequency Output (MHz)

0                              790
1                              810
2                              830
3                              850
4                              870
5                              890
6                              910

In our above example, a particular VCO is capable of tuning between 790 and 910 MHz with a voltage tune of 0 to +6 VDC.  This works out to about 20 MHz of tuning per volt.  So, if a person wanted to "jam" the frequencies between 870 and 890 MHz, they would need a +1 volt peak-to-peak triangle wave, with a DC offset of +4 volts.  This would result in a voltage signal sweeping between +4 and +5 VDC (referenced from ground), sweeping the VCO RF output between 870 and 890 MHz.  Of course, in real life, the voltage-to-frequency mappings are not this precise.

The DC offset is provided via two multiturn potentiometers.  One provides a "coarse" tuning and the other, smaller value one provides the "fine" tuning.  The use of multiturn potentiometers is not a requirement, but is highly recommended for ease of tuning.

Noise Generator

The noise generator is just a standard 6.8 volt Zener diode with a small reverse current and a transistor buffer.  The (optional) National LM386-1 audio amplifier acts as a natural band-pass filter and small-signal amplifier.  The noise jamming signal is then mixed with the triangle wave input.  This will help in masking the jamming transmission, making it look like random "noise" to an outside observer.  Without the noise generator, the jamming signal is just a sweeping, unmodulated Continuous Wave (CW) RF carrier.

The LM386-based noise generator may break into oscillation or output a very low signal.  If it does this, adjust the Zener bias resistor (2 k) up or down a few hundred ohms while observing the signal (disconnected from the LM386) on an oscilloscope for the maximum noise signal.  Be sure that everything is grounded properly.  The LM386 will oscillate without a good grounding system or with poor power supply bypassing.

Any Zener diode above or equal to 6.2 volts will work in the noise generator, as these Zener diodes have an "avalanche" region which generates a tremendous amount of noise when properly biased.

Voltage Controlled Oscillator

The Voltage Controlled Oscillator (VCO) is arguably the most important component in a cellular phone jamming system.  It is a little four-terminal device (Power, Ground, RF Output, and Voltage Tune) which generates the required, low-level RF output signal with a minimum of fuss.  Unfortunately, they can be harder to find than a helpful Canadian.  Companies such as Mini-Circuits and Z-Communications are very helpful to amateur electronics enthusiasts, and will sell their VCO models in single quantities directly, or point you to a local distributor.

Ideally, the VCO you choose should cover the frequency range of the cellular base station's downlink frequencies (tower transmit) you wish to jam.  You always jam a receiver, so in this case, you'd jam the mobile station's (handset) receive frequencies - which are the cellular tower's transmit frequencies.

Here's a website which shows the U.S. cellular carrier-to-frequency mappings:

http://www.criterioncellular.com/tutorials/findfrequencies.html

Here's a little chart to help you choose the right cellular frequency ranges:

GSM / GPRS / HSCSD / EDGE  (TDMA formats)

Mainly used in Eurosavage-land, Asia, Latin America, and some parts of North America.

Description / Band          Mobile Station Frequencies (MHz)        Base Station Frequencies (MHz)

GSM 450 Band                450.4 - 457.6                           460.4 - 567.6
GSM 480 Band                478.8 - 486.0                           488.8 - 496.0
GSM 750 Band                777.0 - 792.0                           747.0 - 762.0
GSM 850 Band                824.0 - 849.0                           869.0 - 894.0
GSM 900 Band                890.0 - 915.0                           935.0 - 960.0
GSM 900 Extended Band       880.0 - 915.0                           925.0 - 960.0
GSM 900 Railway Band        876.0 - 915.0                           921.0 - 960.0
DCS 1800 Band               1710.0 - 1785.0                         1805.0 - 1880.0
PCS 1900 Band               1850.0 - 1910.0                         1930.0 - 1990.0



EIA-136 / EIA-95 / EIA-95A / EIA-95B / CDMA2000 / 1xEV-DO  (EIA-136 is TDMA, the rest are CDMA formats)

Mainly used in North America, some Latin America, Korea, some Asian countries, Japan.

Description / Band          Mobile Station Frequencies (MHz)        Base Station Frequencies (MHz)

800 MHz Systems (US, Korea) 824.0 - 849.0                           869.0 - 894.0
800 MHz Systems (Japan)     887.0 - 925.0                           832.0 - 870.0
1900 MHz Systems (US)       1850.0 - 1910.0                         1930.0 - 1990.0
1900 MHz Systems (Korea)    1750.0 - 1780.0                         1840.0 - 1870.0
NMT 450 Band                411.0 - 483.0                           421.0 - 493.0
NMT 2000 Band               1920.0 - 1980.0                         2110.0 - 2170.0



W-CDMA / TD-SCDMA  (Combination TDMA and CDMA formats)

Mainly used in North America, some Eurosavage countries, Korea, Japan, some Asian countries.

Description / Band          User Equipment Frequencies (MHz)        Base Station Frequencies (MHz)

IMT 2000 Band               1920.0 - 1980.0                         2110.0 - 2179.0
PCS 1900 / W-CDMA Band      1850.0 - 1910.0                         1930.0 - 1990.0
DCS 1800 Band               1710.0 - 1785.0                         1805.0 - 1880.0
W-CDMA Band                 1900.0 - 1920.0 (UE & BS)               1900.0 - 1920.0 (UE & BS)
W-CDMA Band                 1910.0 - 1930.0 (UE & BS)               1910.0 - 1930.0 (UE & BS)
W-CDMA Band                 2010.0 - 2025.0 MHz (UE & BS)           2010.0 - 2025.0 MHz (UE & BS)
TD-SCDMA Band               2010.0 - 2025.0 MHz for TD-SCDMA mode   2010.0 - 2025.0 MHz for TD-SCDMA mode
TD-SCDMA Band               GSM 900 and DCS 1800 for GSM mode       GSM 900 and DCS 1800 for GSM mode

RF Power Amplifiers

The second most important part of the RF chain is the RF power amplifier.  This is a device which may take a small RF signal, say at +10 dBm (10 milliwatts) and amplify it up to around +34 dBm (2.5 watts).  The cheapest and easiest source of these amplifiers is old cellular phones themselves.  Some cellular phones use broadband RF power "hybrid" modules, which help make their construction easier and smaller.  These RF module devices tend to be very widebanded, and will easily amplify RF signals outside of their intended range.  Increasing the module's bias, power control, or Vdd voltage can also milk a little more gain out of them.  The modules will need to be connected to a large, smooth heatsink and may also require a cooling fan.

This picture shows a Hitachi PF0030 820-850 MHz, 6 watt RF power amplifier module installed in an old Nokia/Radio Shack cellular phone.  This particular module will work up to over 900 MHz, with only a slight decrease in gain at those higher frequencies.  Running the Vdd voltage at +15 VDC also slightly increases the RF power output.  I've gotten them to hit 10 watts output, when properly laid out and constructed with a big heatsink.

This is an example picture of a Hitachi PF0031 880-915 MHz, 6 watt RF power amplifier module which is mounted in a portable jammer.  The PF0031 is intended for operation at slightly higher frequencies, so it gives a little better RF output and input SWR performance and will also run cooler than the PF0030.

Here is an even bigger RF power amplifier.  It's connected to an old Motorola Mostar 800 MHz trunked mobile radio.  Only the RF power amplifier is used.  RF output is over 30 watts into a homebrew Yagi antenna.

Most broadband RF power hybrid modules rarely need more than +13 dBm (20 mW) of RF input to work properly.  This is perfect for being driven directly from the VCO's RF output without the need for any additional MMIC amplification.  Increasing the RF input power only shortens the life of the power module, with little result in output gain.

Another useful device to place in the RF power amplifier chain is an isolator.  An isolator is a ferrite circulator with one of the ports connected to a pure 50 ohm resistive load.  Basically, from port 1 to port 2 (RF power amplifier to antenna), there is minimal insertion loss.  But, any RF power flowing back from port 2 into port 1 is "diverted" into port 3, the 50 ohm load.  What this means is that the RF power amplifier is always "seeing" a perfect 50 ohm load (perfect SWR), even if the antenna is removed!  These are very handy little devices, but are harder to find than $2600 Magazine's integrity.  Use 'em if you've got 'em.

Here is a picture of the RF power amplifier section on a four watt, 1.9 GHz PCS jammer.  The RF module's output is fed into an isolator (that big round thing).  RF input is on the left, the antenna connection is on the right, and the 50 ohm load is on the bottom.  The silver rectangle thing is a directional coupler.  This is a device which samples the module's RF output, then sends it to a diode detector/transistor buffer to control a "RF Output" LED.

Antenna / Feedline

The most important part of a radio system is the antenna.  Spend 90% of your money on the antenna system and coaxial cable, and you'll have no problems.  Use a coathanger and some alligator clips and you'll be emailing me 50 times a day saying it doesn't work.  Thankfully, you can also salvage the antenna from old cellular phones.  Those magnetic or trunk mount antennas work best.  Glass mount antennas or anything "stick-on" are crap.  Directional gain antennas can be used to increase the jammer's performance, but only in the direction the antenna is pointed.  High-gain, omni-directional antennas are the best.  For homebrew designs, you can scale down (or up) 900 MHz (33 cm) amateur radio band antennas.

For 1.8/1.9 GHz band antennas, you are pretty much stuck with using commercial designs.  Building antennas at such high frequencies is quite difficult and not worth the trouble.

Ramsey Electronics sells nice wideband Yagi antennas for everything between 400 MHz and 6 GHz.

Miscellaneous Notes

Other Countries

Additional notes:

The max VCO 2623 was sufficient to work over the frequency range of 700 MHz-1100 MHz.  We introduced a control for different sweep frequencies by varying the capacitance value of the 555 timer IC in its astable mode of operation.  The sweep best suited was 100 kHz and not 1 kHz.  The remaining part was the same; we used a PF08103B as the power amp instead of the PF0030.

Construction Overview of a Homebrew P2JBZ-style Cellular (GSM 900) Jammer

PCB Size: Top track to bottom track is 408 mm, left track to right track is 160 mm.  Double-sided FR-4, 1.6 mm thick.

Datasheets for the above jammer.

Commercial Cellular Phone Jammers

Can't build your own, dumbass?  Then buy one.
