
Construction Notes of Cellular Phone Jammers

Overview

Device(s) to disrupt the reception of cellular phone system downlink frequencies. This will prevent a cellular phone user from sending or receiving cellular phone calls within the small jam radius. Advanced electronic and RF engineering technical skills will be required.

Square Wave Generator

The TL074 quad op-amp (U1) sweep generator of the cellular jammer exciter is based around a few simple op-amp building blocks.  First, op-amp U1a is configured as a relaxation oscillator, or square wave generator.  Basically, feedback resistor Rf charges capacitor C until it reaches a voltage level set by resistors R1 and R2.  The op-amp then discharges, resulting in a waveform which is a square wave.  The frequency of the square wave is determined via the following Perl equation:

# $FRQ is the oscillator's output frequency, in Hz

$Rf = 10000;        # resistor Rf, in ohms      (10k)
$C1 = 0.00000001;   # capacitor C1, in farads   (0.01 uF)
$R1 = 3300;         # resistor R1, in ohms      (3.3k)
$R2 = 22000;        # resistor R2, in ohms      (22k)

$FRQ = 1 / (2 * $Rf * $C1 * log(((2 * $R1) / ($R2) + 1)));

This equation is usually accurate only for a dual-supply op-amp configuration, (i.e. op-amps using both + and - voltages).  A single-supply configuration will often output at a slightly higher frequency - and I'm not really sure why.  It will help to experiment a bit.

The above values produce a frequency of approximately 19 kHz.  "Real world" testing, however, showed the frequency to vary between 17-18 kHz.  It reached 30 kHz when using a single-supply op-amp configuration.  The components' exact values aren't too critical in this application.  The feedback resistor (Rf) is the main determining factor of the oscillator's frequency.  Change it to a potentiometer (100k to 1M) to vary the output frequency.  The other resistors in the oscillator control the duty cycle of the square wave, and for the most part can be left alone.

Integrator / Buffer

A square wave is pretty useless in a jamming circuit.  Ideally, we want a "ramp" or "triangle" waveform.  When applied to the voltage tune pin on an external Voltage Controlled Oscillator (VCO), the resulting RF output will be "swept" across the entire tuning band.  This is what is needed for wideband jamming applications.

In this particular circuit, op-amp U1b is configured as an integrator, or triangle wave generator.  The resistor (R4) and capacitor (C2) in the integrator op-amp's feedback network form an RC time constant which is used to convert the incoming square wave into a triangle wave.  I actually found the best resulting output waveform by experimenting with different capacitor values in the feedback network (it will be frequency dependent).  The feedback resistor (R4) should be approximately 10 times the input resistor (R3).  A feedback capacitor value of 2200 pF was found to output the cleanest triangle waveform with minimum signal attenuation.

Mathematically, the integrator's components are found via the following Perl equations:

# $R4 is the integrator's feedback resistor, in ohms
# $C2 is the integrator's feedback capacitor, in farads
# $FRQ is the input square wave's frequency, in Hz

$R3 = 10000;        # resistor R3, in ohms      (10k)

$R4 = 10 * $R3;

$C2 = 1 / ($FRQ * $R4);

But, I'd trust what an oscilloscope has to say more...

Op-amp U1c is configured as a buffer (gain = 1).  This helps to isolate the oscillator network from the rest of the circuits.  The series 0.1 µF capacitors remove any DC bias voltage which may be present on the op-amp's outputs.  Low-leakage film capacitors will work the best.

Mixer / DC Offset

The final op-amp, U1d, is configured as a summing amplifier (gain = 1), otherwise known as a mixer.  The output of a summing amplifier is the sum of the input voltages.  The sum of these input voltages should not exceed the +9 VDC of the TL074's positive voltage rail.  The input to this mixer is a triangle wave and a random "noise" signal.  These signals are mixed to form a new, "noisy" triangle waveform.  When applied to the VCO, the resulting RF signal will "sweep" across the cellular downlink frequencies, and will be Frequency Modulated (FM) with the noise signal.  This noise modulation helps to increase the jammer's effectiveness.

Another thing this op-amp performs is to provide a DC offset for the VCO's voltage tune pin.  What this does is give the triangle wave a positive DC voltage offset to help "center" the triangle wave within the required frequency range.

Example:

(RF Output of a Particular VCO)

Voltage Tune (+ Volts DC)      Frequency Output (MHz)

0                              790
1                              810
2                              830
3                              850
4                              870
5                              890
6                              910

In our above example, a particular VCO is capable of tuning between 790 to 910 MHz with a voltage tune of 0 to +6 VDC.  This works out to about 20 MHz of tuning per volt.  So, if a person wanted to "jam" the frequencies between 870 and 890 MHz, they would need a +1 volt peak-to-peak triangle wave, with a DC offset of +4 volts.  This would result in voltage signal sweeping between +4 and +5 VDC (referenced from ground), sweeping the VCO RF output between 870 and 890 MHz.  Of course, in real life, the voltage-to-frequency mappings are not this precise.

The DC offset is provided via two multiturn potentiometers.  One provides a "coarse" tuning and the other, smaller value one provides the "fine" tuning.  The use of multiturn potentiometers is not a requirement, but is highly recommended for ease of tuning.

Noise Generator

The noise generator is just a standard 6.8 volt Zener diode with a small reverse current and a transistor buffer.  The (optional) National LM386-1 audio amplifier acts as a natural band-pass filter and small-signal amplifier.  The noise jamming signal is then mixed with the triangle wave input.  This will help in masking the jamming transmission, making it look like random "noise" to an outside observer.  Without the noise generator, the jamming signal is just a sweeping, unmodulated Continuous Wave (CW) RF carrier.

The LM386-based noise generator may break into oscillation or output a very low signal.  If it does this, adjust the Zener bias resistor (2 k) up or down a few hundred ohms while observing the signal (disconnected from the LM386) on an oscilloscope for the maximum noise signal.  Be sure that everything is grounded properly.  The LM386 will oscillate without a good grounding system and poor power supply bypassing.

Any Zener diode above or equal to 6.2 volts will work in the noise generator, as these Zener diodes have an "avalanche" region which generates a tremendous amount of noise when properly biased.

Voltage Controlled Oscillator

The Voltage Controlled Oscillator (VCO) is arguably the most important component in a cellular phone jamming system.  It is a little four-terminal device (Power, Ground, RF Output, and Voltage Tune) which generates the required, low-level RF output signal with a minimum of fuss.  Unfortunately, they can be harder to find than a helpful Canadian.  Companies such as Mini-Circuits and Z-Communications are very helpful to amateur electronics enthusiasts, and will sell their VCO models in single quantities directly, or point you to a local distributor.

Ideally, the VCO you choose should cover the frequency range of the cellular base station's downlink frequencies (tower transmit) you wish to jam.  You always jam a receiver, so in this case, you'd jam the mobile station's (handset) receive frequencies - which are the cellular tower's transmit frequencies.

Here's a website which shows the U.S. cellular carrier-to-frequency mappings:

http://www.criterioncellular.com/tutorials/findfrequencies.html

Here's a little chart to help you choose the right cellular frequency ranges:

GSM / GPRS / HSCSD / EDGE  (TDMA formats)

Mainly used in Eurosavage-land, Asia, Latin America, and some parts of North America.

Description / Band        Mobile Station Frequencies (MHz)    Base Station Frequencies (MHz)

GSM 450 Band              450.4 - 457.6                       460.4 - 567.6
GSM 480 Band              478.8 - 486.0                       488.8 - 496.0
GSM 750 Band              777.0 - 792.0                       747.0 - 762.0
GSM 850 Band              824.0 - 849.0                       869.0 - 894.0
GSM 900 Band              890.0 - 915.0                       935.0 - 960.0
GSM 900 Extended Band     880.0 - 915.0                       925.0 - 960.0
GSM 900 Railway Band      876.0 - 915.0                       921.0 - 960.0
DCS 1800 Band             1710.0 - 1785.0                     1805.0 - 1880.0
PCS 1900 Band             1850.0 - 1910.0                     1930.0 - 1990.0



EIA-136 / EIA-95 / EIA-95A / EIA-95B / CDMA2000 / 1xEV-DO  (EIA-136 is TDMA, the rest are CDMA formats)

Mainly used in North America, some Latin America, Korea, some Asian countries, Japan.

Description / Band              Mobile Station Frequencies (MHz)    Base Station Frequencies (MHz)

800 MHz Systems (US, Korea)     824.0 - 849.0                       869.0 - 894.0
800 MHz Systems (Japan)         887.0 - 925.0                       832.0 - 870.0
1900 MHz Systems (US)           1850.0 - 1910.0                     1930.0 - 1990.0
1900 MHz Systems (Korea)        1750.0 - 1780.0                     1840.0 - 1870.0
NMT 450 Band                    411.0 - 483.0                       421.0 - 493.0
NMT 2000 Band                   1920.0 - 1980.0                     2110.0 - 2170.0



W-CDMA / TD-SCDMA  (Combination TDMA and CDMA formats)

Mainly used in North America, some Eurosavage countries, Korea, Japan, some Asian countries.

Description / Band          User Equipment Frequencies (MHz)          Base Station Frequencies (MHz)

IMT 2000 Band               1920.0 - 1980.0                           2110.0 - 2179.0
PCS 1900 / W-CDMA Band      1850.0 - 1910.0                           1930.0 - 1990.0
DCS 1800 Band               1710.0 - 1785.0                           1805.0 - 1880.0
W-CDMA Band                 1900.0 - 1920.0 (UE & BS)                 1900.0 - 1920.0 (UE & BS)
W-CDMA Band                 1910.0 - 1930.0 (UE & BS)                 1910.0 - 1930.0 (UE & BS)
W-CDMA Band                 2010.0 - 2025.0 MHz (UE & BS)             2010.0 - 2025.0 MHz (UE & BS)
TD-SCDMA Band               2010.0 - 2025.0 MHz for TD-SCDMA mode     2010.0 - 2025.0 MHz for TD-SCDMA mode
TD-SCDMA Band               GSM 900 and DCS 1800 for GSM mode         GSM 900 and DCS 1800 for GSM mode

RF Power Amplifiers

The second most important part of the RF chain is the RF power amplifier.  This is a device which may take a small RF signal, say at +10 dBm (10 milliwatts) and amplify it up to around +34 dBm (2.5 watts).  The cheapest and easiest source of these amplifiers is old cellular phones themselves.  Some cellular phones will use broadband RF power "hybrid" modules which help make their construction easier and smaller.  These RF module devices tend to be very widebanded, and will easily amplify RF signals outside of their intended range.  Increasing the module's bias, power control, or Vdd voltage can also milk a little more gain out of them.  The modules will need to be connected to a large, smooth heatsink and may also require a cooling fan.

This picture shows a Hitachi PF0030 820-850 MHz, 6 watt RF power amplifier module installed in an old Nokia/Radio Shack cellular phone.  This particular module will work up to over 900 MHz, with only a slight decrease in gain at those higher frequencies.  Running the Vdd voltage at +15 VDC also slightly increases the RF power output.  I've gotten them to hit 10 watts output, when properly laid out and constructed with a big heatsink.

This is an example picture of a Hitachi PF0031 880-915 MHz, 6 watt RF power amplifier module which is mounted in a portable jammer.  The PF0031 is intended for operation at slightly higher frequencies, so it gives a little better RF output and input SWR performance and will also run cooler than the PF0030.

Here is an even bigger RF power amplifier.  It's connected to an old Motorola Mostar 800 MHz trunked mobile radio.  Only the RF power amplifier is used.  RF output is over 30 watts into a homebrew Yagi antenna.

Most broadband RF power hybrid modules rarely need more than +13 dBm (20 mW) of RF input to work properly.  This is perfect for being driven directly from the VCO's RF output without the need for any additional MMIC amplification.  Increasing the RF input power only shortens the life of the power module, with little result in output gain.

Another useful device to place in the RF power amplifier chain is an isolator.  An isolator is a ferrite circulator with one of the ports connected to a pure 50 ohm resistive load.  Basically, from port 1 to port 2, (RF power amplifier to antenna) there is minimal insertion loss.  But, any RF power flowing back from port 2 into port 1 is "diverted" into port 3, the 50 ohm load.  What this means is that the RF power amplifier is always "seeing" a perfect 50 ohm load (perfect SWR), even if the antenna is removed!  These are very handy little devices, but are harder to find than $2600 Magazine's integrity.  Use 'em if you've got 'em.

Here is a picture of the RF power amplifier section on a four watt, 1.9 GHz PCS jammer.  The RF module's output is fed into an isolator (that big round thing).  RF input is on the left, the antenna connection is on the right, and the 50 ohm load is on the bottom.  The silver rectangle thing is a directional coupler.  This is a device which samples the module's RF output, then sends it to a diode detector/transistor buffer to control a "RF Output" LED.

Antenna / Feedline

The most important part of a radio system is the antenna.  Spend 90% of your money on the antenna system and coaxial cable, and you'll have no problems.  Use a coathanger and some alligator clips and you'll be emailing me 50 times a day saying it doesn't work.  Thankfully, you can also salvage the antenna from old cellular phones.  Those magnetic or trunk mount antennas work best.  Glass mount antennas or anything "stick-on" are crap.  Directional gain antennas can be used to increase the jammer's performance, but only in the direction the antenna is pointed.  High-gain, omni-directional antennas are the best.  For homebrew designs, you can scale down (or up) 900 MHz (33 cm) band amateur radio band antennas.

For 1.8/1.9 GHz band antennas, you are pretty much stuck with using commercial designs.  Building antennas at frequencies that high is quite difficult and not worth the trouble.

Ramsey Electronics sells nice wideband Yagi antennas for everything between 400 MHz and 6 GHz.
