DESIGN AND IMPLEMENTATION OF A DUAL-BAND RF

JAMMING SYSTEM FOR WIRELESS COMMUNICATIONS

 1

Abstract

The purpose of this project is to design, implement, and test a cellular phone radio
frequency (RF) jamming system. This system consists of a noise signal generator
circuit, a series of low noise amplifiers (LNAs) to amplify the signal, two VCO's
and mixers to modulate the signal to the 900MHz and 1800MHz cellular phone
frequencies, and two antennas to transmit the jamming signal at the two considered
frequency bands.

The project consists of three parts: simulation of the design, hardware

implementation, and testing the jammer on operating cellular phones using two
different telecommunication operators in the kingdom. The simulations were
performed using Advanced Design System (ADS) software. Measurement based
models of the jammer components were used along with datasheet extracted
parameters to perform accurate system level simulation of the designed jammer.
The hardware implementation was done using off-the-shelf components. The noise
signal generated had a bandwidth of about 30MHz in both the 900MHz and
1800MHz bands.

The implemented design was able to jam both 2G and 3G signals inside our
department's building with a distance of 2-3 meters from the antenna to the jammed
mobile device.
 2

1 Introduction

Radio jamming devices are circuits that transmit noise at a certain frequency in
order to prevent radio frequency communication at that frequency, or degrade the
signal to cause a delay in transmission.

Armies all over the world have been using electronics in hopes of gaining
superiority over the enemy, and ever since electronics were used, attempts were
made to make these electronics less effective. One of those attempts led to the
creation of radio jammers: in World War II, the British used to jam German radio
communications [1],[2],[3].

Cellular phone jammers are devices that prevent signals coming from base stations
from reaching cellular phones. The need for cellular phone jammers rose as a result
of the increasing disruptions cellular phones introduced to everyday life. In our
community, we mostly need cellular phone jammers in mosques and schools [4].

The cellular phone jammer mainly consists of a noise generator, one or more
frequency up-conversion stages, an RF amplification stage, and an antenna to
transmit the noise signal. In most countries, it is illegal to own and operate a
cellular phone jammer [4].

This paper reports the design, implementation, and testing of a dual-band RF

jamming system. It will be discussed in details how to transmit noise with enough
power to completely mask any other signal that falls in the same frequency band.
This will be done first through system-level simulation as well as practically
through experiments. The communication link can be broken by jamming either the
uplink signal going from the mobile terminal to the base station of the downlink
signal transmitted from the base station to the mobile terminal. In the vicinity of the
mobile terminals where the designed jammer is intended to work, the intensity of
 3

the downlink signal is expected to be much lower than that of the uplink one.
Accordingly, the jammer will be designed to operate at the frequencies used for the
downlink in both the 900MHz and the 1800MHz frequency bands.

2 Methodology

2.1 White Noise

White noise is customarily used in communication systems because it is close to

the actual random noise in practice in addition to its properties and characteristics
that simplify calculations. White noise is a random process that theoretically covers
all frequencies and has the same power at each frequency. This results in a flat

infinite spectral density as shown in Figure 1 below, where is the power spectral
density of the white noise. The name White comes from the fact that white light
contains equal amounts of all frequencies within the visible band of
electromagnetic radiation [5]. White noise has infinite average power and infinite
bandwidth, which makes it a purely theoretical construction that cannot be
physically realized. However, some circuits can give an output signal that contains
approximately equal power within a certain bandwidth.

Sw (f)

Figure 1: Frequency spectrum for white noise

 4

2.2 System Architecture

In order to jam the cellular phone network, a sufficient amount of noise, 20dBm
or higher, has to lie in the frequency range of the cellular phones i.e. 900 MHz and
1800 MHz bands. Therefore, a noise signal has to be generated, amplified and up-
converted to the required bands. The details of the power level of the noise signal
after each stage will be discussed in detail in section 3.2.

Practically, the white noise generator will synthesize a wideband signal having
almost a 100 MHz bandwidth, as will be explained later. Connecting the noise
generator to the cascade of two high gain amplifiers, results in a baseband signal
with a sufficient amount of power to result in the required power level at the
jammer output. The mixer will up-convert the signal to 900MHz. This signal will
then be sent to two paths using a two-branch splitter. One part of the signal will be
further amplified before being transmitted to jam the cellular signal in the 900MHz
frequency band. The other part of the signal will be up-converted to the 1800MHz
frequency band after being amplified by two radio frequency amplifiers. This part
of the signal will be transmitted by the antenna designed to operate in the
1800MHz frequency band. The block diagram of the designed radio frequency
jamming system is shown in Figure 2.
 5

Figure 2: Block diagram of the dual-band jammer

3 Jamming System Design

This section will discuss the design of the noise circuit, the RF front end and the
antennas.

3.1 Noise Circuit

A lowcan
A low cost circuit costbecircuit can be implemented
implemented using Zener using
diode Zener
[1], asdiode
shown[6],
in as shown
Figure 3. in Figure 3.

+14 V

12 V Zener 470 pF
diode

30

Figure 3: Low cost noise generator circuit

 6

Very low power noise can be generated by the Zener diode when a high voltage,
that exceeds the breakdown voltage of the diode, is applied to the cathode side
which makes the diode operate in the reversed-biased region. The noise results
from the random fluctuation of the current across the zener diode which is under
breakdown voltage. This noise signal will be input to the RF front end and
processed for transmission in the considered frequency bands.

3.2 RF Front End

The various components used to build the RF front-end of the jammer are listed
below:

Low frequency amplifier (ZFL-500): Two low frequency amplifiers are

connected in cascade with the noise generator to amplify the signal up to
20dBm. This specific low frequency amplifier, ZFL-500, was chosen for its
features including its wide bandwidth ranging from 0.05 to 500MHz and its
high gain (20dB). This amplifier requires DC biasing of any value between
12V and 16V.
Mixer (ZFM-11+): Two frequency mixers are used for the jammer line-up.
This mixer covers a wide range of bandwidth from 1 to 2000MHz. Thus, it
can be used for both frequency bands. As the frequency increases, the
conversion loss will increase. However, the conversion loss will never
exceed 7.5dB, which is considered acceptable for our application.
Voltage controlled oscillator (ZX95-1015+): The two frequency mixers need
two voltage controlled oscillators to drive their LO ports. The voltage
controlled oscillator provides linear tuning of frequencies from 750 to
1010MHz. It has three inputs for DC supply, ground and tuning. It requires
 7

+5V for the DC supply. As for the tuning, by changing the tuning voltage
between 0V and 28V, the output frequency will change. This voltage
controlled oscillator can draw a maximum of 35mA.
High frequency amplifier (ZFL-1000LN+): This amplifier can be used after
the first mixer in the design. It has a wide bandwidth from 0.1 to 1000MHz.
It amplifies the signal by approximately 20dB. It requires DC biasing of any
value in the range of 12 to 16V. As the value of the DC biasing increases, the
gain will increase. The gain can reach up to 23.6dB.
Splitter (ZFSC-2-2500+): The splitter has a very wideband characteristic as it
can handle signals ranging anywhere from 10 to 2500MHz. It has an
insertion loss of only 3dB. Its only limitation is that the signal power input
should not exceed 1W (30dBm). However, this is not an issue in our design
since the power levels are not expected to reach 30dBm anywhere in the RF
front-end.

3.3 Antennas

An antenna is an electrical device used to transmit or receive radio frequencies.

Printed antenna, or micro-strip antenna, is one type of antennas that is commonly
used in microwave applications because of its simple shape and size. This antenna
is designed by etching the antenna element pattern in metal trace bonded to an
insulating dielectric substrate, such as a printed circuit board, with a continuous
metallic layer bonded to the opposite side of the substrate which forms a ground
plane. One of the types of printed antennas is called patch printed antenna because
it looks like a patch. The dimensions of the metal sheet and the dielectric in
addition to their characteristics are what determine the frequency at which the
antenna is tuned. This is done by applying the design equations and finding the
 8

exact value of each dimension [2]. For this project, two patch printed antennas
operating at the frequencies 900 MHz and 1800 MHz will be used These antennas
are shown in Figure 4.

Figure 4: Patch antennas tuned at 900 MHz and 1800 MHz[7]

The dimensions of the two antennas as determined according to the design

equations are reported in Table 1.

Table 1: 900 MHz and 1800 MHz path antennas parameters [7]

Antenna W Leff L L LG Lfeed WG F0

(MHz) (mm) (mm) (mm) (mm) (mm) (mm) (mm) (MHz)
900 103 93.2 7.7 78 128 40 113 900
1800 51 46 0.77 44 83 30 60 1800

where W: width of the patch

 9

L: length of the patch

Leff: effective length of the patch
WG: length of ground
LG: length of ground

F0: centre frequency

Both antennas were simulated on ADS[6], the results of the simulation are shown in
table (III)

Table 2: ADS simulations results [7]

Antenna Freq. S(1,1) Max Gain BW W L WG LG

(MHz) (MHz) (db) (db) (MHz) (mm) (mm) (mm) (mm)
900 921.1 -24.4 0.389 15.6 100 80 131 117
1800 1787 -36.1 2.82 38 47 41 70 82

where: S(1,1): Reflected Power

BW: bandwidth

A photograph of the complete dual-band jamming system prototype is shown in

Figure 5. This figure includes the noise circuit, the RF front-end as well as both
antennas. It is worth mentioning that the prototype can be made smaller by building
all the components within the same printed circuit board rather than connecting off-
the-shelve components.
 10

Figure 5: Photograph of the dual-band jammer prototype.

4 Results

There are three sets of results that are included in this paper. The first set is related
to the simulation of the circuit using the ADS software. The second set of results
presents the measurements performed using the circuit prototype implemented
using the hardware components and its measured output using the spectrum
analyzer. Finally, the ability of the designed system to jam phone calls and data
transmission is demonstrated.

4.1 ADS Modeling and Simulation Results

The schematic used to simulate the jamming system in ADS software is shown in
Figure 6. The simulation is built using models based on the measurements of the
components. The output at v1 represents the output of the noise signal circuit
cascaded with the two amplifiers. The power of the signal at this stage is 40dBm.
The mixer will modulate the baseband signal to be centered at 900MHz. The local
 11

oscillator introduces a conversion loss of +7dB. The two subsequent amplifiers,

each with a 20dB gain, will amplify the signal to 7dBm. The splitter will
introduce approximately 3dB loss.

Figure 6: Circuit design in ADS

The results obtained at the output of the schematic shown in Figure 6 are reported
in Figure 7. These correspond to the spectra, in dBm, of the jamming signals that
will be sent in each of the two frequency bands.

Figure 7: Simulated output of the jammer circuit in ADS

 12

The results shown in Figure 7 represent the final output of the circuit using the
ADS software. This frequency spectrum illustrates that the center frequency of the
output will be 900MHz and 1800MHz, respectively. Since the power level of the
downlink signal in the vicinity of the cellular phone is unlikely to exceed 20dBm,
according to previous measurements performed within our department's building,
this will be enough to reduce the signal to noise ratio of the received signal
sufficiently; resulting in jamming the cellular phone bands. For the sake of
simplicity, a sinusoidal input was used in the ADS design instead of the noise
circuit. The purpose of designing the circuit in ADS is to study the amplification
and modulation process and the power levels throughout the system.

4.2 Measurement Results

This section will show the results measured using the prototyped jammer. All of
these results were obtained using the spectrum analyzer. For a clearer display of the
plots, the data from the spectrum analyzer was transferred first to a PC using
'Engauge' software and then plotted using MATLAB software.

4.2.1 Output of the Noise Generator cascaded with two amplifiers

The output spectrum is shown in Figure 8. The center frequency of the signal is
around 100MHz, and the bandwidth is about 20 to 25MHz. This is less than the
expected value due to the simplicity of the circuit used to generate noise. The
maximum power of the signal achieved at this stage is 34dBm. The reason for
which the output before the two amplifiers was not displayed is that it was too low,
in terms of power, that the available spectrum analyzer could not distinguish
between the signal and the noise floor. The signal observed at 400MHz is due to
some interference and it is not intentionally generated by the jamming circuit.
Though, this is not a problem since the main objective of the designed system is to
transmitted unwanted signals that do not have any information content.
 13

Figure 8: Output of the noise circuit and the two subsequent amplifiers

4.2.2 Output of the first mixer

The output spectrum after the first mixer, centered at around 900 MHz, is shown in
Figure 9. Due to the +7dB power gain obtained from the up-conversion process, the
maximum output power level is now 26dBm.
 14

Figure 9: Signal spectrum at the output of the first mixer

4.2.3 Signal amplified after the first mixer

The output spectrum of the signal after connecting the first mixer with two
amplifiers is shown in Figure 10. The center frequency is the same as the stage
before. However, the power has significantly increased to about +11dBm.

Figure 10: Spectrum of the amplified signal after the first mixer
 15

4.2.4 Signal at the output of the second mixer

Using another mixer, with a local oscillator signal centered at 900MHz, will result
in modulating the signal to 1800MHz as shown in Figure 11. The spectrum
analyzer showed that the power of the signal at 1800MHz is 15dBm. Thus, the
noise signal generated at this frequency band has sufficient power to prevent
communication from being established and maintained in this band.

Figure 11: Signal spectrum at the output of the second mixer

4.3 Experimental Validation of the Jammer Prototype

4.3.1 Jamming the 900MHz frequency band

The patch antenna was directed at the cellular phone while the system was being
tested. The phone was forced to operate in the 900MHz frequency band. As
illustrated in Figure 12, the designed prototype was able to completely jam the
900MHz band. The network coverage bars dropped in the cellular phone after
turning the jamming system on. The maximum distance that the system was able to
jam is in the range from 2 to 3 meters. Also, using a feature available in some smart
 16

phones, one can measure the signal that is being received from the base station to
the mobile phone. When this measurement was done, an increase in the level of the
received signal was noticed before the signal gets completely jammed. An
explanation for that behavior is that when the base station senses that the signal to
noise ratio is very low, it automatically increases the power level of the signal that
is being sent. But, after a couple of seconds the base station cannot increase the
power level further to dominate the level of noise which causes the signal to
disappear eventually.

Figure 12: Jamming 2G signal

4.3.2 Jamming the 1800MHz frequency band

The 1800MHz band was completely jammed after turning the system on as show in
Figure 13. However, the distance that the system could jam is less than 2 meters.
Jamming the 1800MHz is not guaranteed with the current prototype. The reason
behind that is that, this frequency band has a width of 75MHz. Depending on the
provider; the channels that are used within this band may vary. Since the bandwidth
of the noise that is generated by our jammer prototype is only 25MHz, it is not able
to fully cover the 1800MHz frequency band. Figure 14 also shows jamming both
 17

the 900MHz and 1800MHz concurrently when both antennas are connected. In this
figure, jamming the 900MHz can be identified from the word searching and
jamming the 1800MHz used for data can be identified by the disappearance of the
3G sign that should appear when the 3G service is activated.

Figure 13: Jamming of the data transmission in the 1800MHz band.

Figure 14: Jamming both the 900MHz and 1800MHz concurrently.

 18

5 Conclusion and Recommendations

The designed system was simulated using harmonic balance analysis in ADS. This
was done to confirm that the design gives the right output at the antenna's input.
Once the system architecture was chosen based on satisfactory simulation results,
the hardware implementation was carried out. The prototype was intially test to
ensure its proper operation. Then the system ability to jam signals in the 900MHz
and the 1800MHz was tested. The jammer prototype was able to completely jam
both bands for all network providers (STC, Mobily, and Zain) inside our
department's building. For the 900MHz band, a noise with +8dBm and a bandwidth
of around 25 MHz was enough to cover the spectrum at 900MHz. The 1800MHz
signal was jammed with 15dBm noise signal with the same bandwidth.

Although the design in this project does not have a commercial advantage
compared to other jammers available in the market, it has the advantage of being
able to cover any frequency. Also, the fact that it is illegal to import jammers into
this country makes it worthwhile to build one from off-the-shelf components. This
knowledge can also be valuable for defense applications.

Although this project achieved its objective (jam the downlink connection), it is
important to note that this also involves blocking emergency calls. The system can
be improved by enabling emergency calls to pass through. France is finalizing a
technology that would let such calls pass through [8].
 19

6 References

1. "Radio Jamming", Wikipedia Foundation, Inc. 2012.

2. "Electronic Warfare", Wikipedia Foundation, Inc. 2012.
3. "Electronic Counter-Countermeasures", Wikipedia Foundation, Inc. 2012.
4. "Mobile Phone Jammers", Wikipedia Foundation, Inc. 2012.
5. Haykin, Simon. "Communication Systems". 4th. Wiley. 2000.
6. "Building a Low-Cost White-Noise Generator", MAXIM. 2005.
7. Al-Mansour, Abdulazziz, Rami Al-Safriah, and Abdullah Sindi. "Design and
Implementation of a Digitally Controlled RF Power Meter for Wireless
Coverage Measurements", King Fahd University. 2011.
8. Wollenhaupt, Gary. "How Cell Phone Jammers Work" 24 March 2005.
HowStuffWorks.com. <http://electronics.howstuffworks.com/cell-phone-
jammer.htm> 30 April 2012.