Square Wave Generator
The TL074 quad op-amp (U1) sweep generator of the cellular
jammer exciter is based around a few simple op-amp
building blocks. First, op-amp U1a is
configured as a relaxation oscillator, or square
wave generator. Basically, feedback resistor Rf
charges capacitor C until it reaches a voltage level set by
resistors R1 and R2. The
op-amp then discharges, resulting in a waveform which is a square wave. The
frequency of the square wave is determined via the following Perl equation:
# $FRQ is the oscillator's output frequency, in Hz
$Rf = 10000; # resistor Rf, in ohms (10k)
$C1 = 0.00000001; # capacitor C1, in farads (0.01 uF)
$R1 = 3300; # resistor R1, in ohms (3.3k)
$R2 = 22000; # resistor R2, in ohms (22k)
$FRQ = 1 / (2 * $Rf * $C1 * log(((2 * $R1) / ($R2) + 1)));
This equation is usually accurate only for a dual-supply op-amp
configuration (i.e., op-amps using both + and - voltages). A
single-supply configuration will often output at a slightly higher
frequency - and I'm not really sure why. It will help to experiment
a bit.
The above values produce a frequency of approximately 19 kHz. "Real
world" testing, however, showed the frequency to vary between 17-18 kHz. It
reached 30 kHz when using a single-supply op-amp configuration. The
components' exact values aren't too critical in this application. The
main feedback resistor (Rf) is the main determining
factor of the oscillator's frequency. Change it to a potentiometer
(100k to 1M) to vary the output frequency. The other resistors in
the oscillator control the duty cycle of the square wave, and for the
most part can be left alone.
Integrator / Buffer
A square wave is pretty useless in a jamming circuit. Ideally,
we want a "ramp" or "triangle" waveform. When
applied to the voltage tune pin on an external Voltage Controlled
Oscillator (VCO), the resulting RF output will be "swept" across the
entire tuning band. This is what is needed for wideband jamming
applications.
In this particular circuit, op-amp U1b is configured as an integrator,
or triangle
wave generator. The resistor (R4)
and capacitor (C2) in the integrator op-amp's
feedback network form an RC time constant which is used to convert the incoming
square wave into a triangle wave. I actually found the best
resulting output waveform by experimenting with different capacitor values in
the feedback network (it will be frequency dependent). The feedback
resistor (R4) should be approximately 10 times the
input resistor (R3). A feedback
capacitor value of 2200 pF was found to output the cleanest triangle waveform
with minimum signal attenuation.
Mathematically, the integrator's components are found via the following
Perl equations:
# $R4 is the integrator's feedback resistor, in ohms
# $C2 is the integrator's feedback capacitor, in farads
# $FRQ is the input square wave's frequency, in Hz
$R3 = 10000; # resistor R3, in ohms (10k)
$R4 = 10 * $R3;
$C2 = 1 / ($FRQ * $R4);
But, I'd trust what an oscilloscope has to say more...
Op-amp U1c is configured as a buffer (gain = 1). This
helps to isolate the oscillator network from the rest of the circuits. The
series 0.1 µF capacitors remove any DC bias voltage which may be present on
the op-amp's outputs. Low-leakage film capacitors will work the
best.
Mixer / DC Offset
The final op-amp, U1d, is configured as a summing
amplifier (gain = 1), otherwise known as a mixer. The output of
a summing amplifier is the sum of the input voltages. The sum of
these input voltages should not exceed the +9 VDC of the TL074's positive
voltage rail. The input to this mixer is a triangle wave and a
random "noise" signal. These signals are mixed to form a
new, "noisy" triangle waveform. When applied to the VCO,
the resulting RF signal will "sweep" across the cellular downlink
frequencies, and will be Frequency Modulated (FM) with the noise signal. This
noise modulation helps to increase the jammer's effectiveness.
Another thing this op-amp performs is to provide a DC offset for the
VCO's voltage tune pin. What this does is give the triangle wave a
positive DC voltage offset to help "center" the triangle wave within
the required frequency range.
Example:
(RF Output of a Particular VCO)
| Voltage Tune (+ Volts DC) | Frequency Output (MHz) |
|---|---|
| 0 | 790 |
| 1 | 810 |
| 2 | 830 |
| 3 | 850 |
| 4 | 870 |
| 5 | 890 |
| 6 | 910 |
In the above example, a particular VCO is capable of tuning between 790 and
910 MHz with a voltage tune of 0 to +6 VDC. This works out to about
20 MHz of tuning per volt. So, if a person wanted to
"jam" the frequencies between 870 and 890 MHz, they would need a +1
volt peak-to-peak triangle wave, with a DC offset of +4 volts. This
would result in voltage signal sweeping between +4 and +5 VDC (referenced from
ground), sweeping the VCO RF output between 870 and 890 MHz. Of
course, in real life, the voltage-to-frequency mappings are not this precise.
The DC offset is provided via two multiturn potentiometers. One
provides a "coarse" tuning and the other, smaller value one provides
the "fine" tuning. The use of multiturn potentiometers is
not a requirement, but is highly recommended for ease of tuning.
Noise Generator
The noise generator is just a standard 6.8 volt Zener diode with a small
reverse current and a transistor buffer. The (optional) National
LM386-1 audio amplifier acts as a natural band-pass filter and small-signal
amplifier. The noise jamming signal is then mixed with the triangle
wave input. This will help in masking the jamming transmission,
making it look like random "noise" to an outside observer. Without
the noise generator, the jamming signal is just a sweeping, unmodulated
Continuous Wave (CW) RF carrier.
The LM386-based noise generator may break into oscillation or output
a very low signal. If it does this, adjust the Zener bias resistor
(2 k) up or down a few hundred ohms while observing the signal (disconnected
from the LM386) on an oscilloscope for the maximum noise signal. Be
sure that everything is grounded properly. The LM386 will
oscillate without a good grounding system or with poor power supply bypassing.
Any Zener diode above or equal to 6.2 volts will work in the noise
generator, as these Zener diodes have an "avalanche" region which
generates a tremendous amount of noise when properly biased.
Voltage Controlled Oscillator
The Voltage Controlled Oscillator (VCO) is arguably the most important
component in a cellular phone jamming system. It is a little
four-terminal device (Power, Ground, RF Output, and Voltage Tune) which
generates the required, low-level RF output signal with a minimum of fuss. Unfortunately,
they can be harder to find than a black man in Canada. Companies
such as Mini-Circuits and Z-Communications
are very helpful to amateur electronics enthusiasts, and will sell their VCO
models in single quantities directly, or point you to a local distributor.
Ideally, the VCO you choose should cover the frequency range of the
cellular base station's downlink frequencies (tower transmit) you wish to jam. You
always jam a receiver, so in this case, you'd jam the mobile station's
(handset) receive frequencies - which are the cellular tower's transmit
frequencies.
Here's a website which shows the U.S. cellular carrier-to-frequency
mappings:
http://www.criterioncellular.com/tutorials/findfrequencies.html
Here's a little chart to help you choose the right cellular frequency
ranges:
GSM / GPRS / HSCSD / EDGE (TDMA formats)
Mainly used in Eurosavage-land, Asia, Latin America, and some parts of
North America.
| Description / Band | Mobile Station Frequencies (MHz) | Base Station Frequencies (MHz) |
|---|---|---|
| GSM 450 Band | 450.4 - 457.6 | 460.4 - 567.6 |
| GSM 480 Band | 478.8 - 486.0 | 488.8 - 496.0 |
| GSM 750 Band | 777.0 - 792.0 | 747.0 - 762.0 |
| GSM 850 Band | 824.0 - 849.0 | 869.0 - 894.0 |
| GSM 900 Band | 890.0 - 915.0 | 935.0 - 960.0 |
| GSM 900 Extended Band | 880.0 - 915.0 | 925.0 - 960.0 |
| GSM 900 Railway Band | 876.0 - 915.0 | 921.0 - 960.0 |
| DCS 1800 Band | 1710.0 - 1785.0 | 1805.0 - 1880.0 |
| PCS 1900 Band | 1850.0 - 1910.0 | 1930.0 - 1990.0 |
EIA-136 / EIA-95 / EIA-95A / EIA-95B / CDMA2000 / 1xEV-DO (EIA-136
is TDMA, the rest are CDMA formats)
Mainly used in North America, some Latin America, Korea, some Asian
countries, Japan.
| Description / Band | Mobile Station Frequencies (MHz) | Base Station Frequencies (MHz) |
|---|---|---|
| 800 MHz Systems (US, Korea) | 824.0 - 849.0 | 869.0 - 894.0 |
| 800 MHz Systems (Japan) | 887.0 - 925.0 | 832.0 - 870.0 |
| 1900 MHz Systems (US) | 1850.0 - 1910.0 | 1930.0 - 1990.0 |
| 1900 MHz Systems (Korea) | 1750.0 - 1780.0 | 1840.0 - 1870.0 |
| NMT 450 Band | 411.0 - 483.0 | 421.0 - 493.0 |
| NMT 2000 Band | 1920.0 - 1980.0 | 2110.0 - 2170.0 |
W-CDMA / TD-SCDMA (Combination TDMA and CDMA formats)
Mainly used in North America, some Eurosavage countries, Korea, Japan,
some Asian countries.
| Description / Band | User Equipment Frequencies (MHz) | Base Station Frequencies (MHz) |
|---|---|---|
| IMT 2000 Band | 1920.0 - 1980.0 | 2110.0 - 2179.0 |
| PCS 1900 / W-CDMA Band | 1850.0 - 1910.0 | 1930.0 - 1990.0 |
| DCS 1800 Band | 1710.0 - 1785.0 | 1805.0 - 1880.0 |
| W-CDMA Band | 1900.0 - 1920.0 (UE & BS) | 1900.0 - 1920.0 (UE & BS) |
| W-CDMA Band | 1910.0 - 1930.0 (UE & BS) | 1910.0 - 1930.0 (UE & BS) |
| W-CDMA Band | 2010.0 - 2025.0 MHz (UE & BS) | 2010.0 - 2025.0 MHz (UE & BS) |
| TD-SCDMA Band | 2010.0 - 2025.0 MHz for TD-SCDMA mode | 2010.0 - 2025.0 MHz for TD-SCDMA mode |
| TD-SCDMA Band | GSM 900 and DCS 1800 for GSM mode | GSM 900 and DCS 1800 for GSM mode |
RF Power Amplifiers
The second most important part of the RF chain is the RF power amplifier. This
is a device which may take a small RF signal, say at +10 dBm (10 milliwatts)
and amplify it up to around +34 dBm (2.5 watts). The cheapest and
easiest source of these amplifiers is old cellular phones themselves. Some
cellular phones will use broadband RF power "hybrid" modules which
help make their construction easier and smaller. These RF module
devices tend to be very widebanded, and will easily amplify RF signals outside
of their intended range. Increasing the module's bias, power
control, or Vdd voltage can also milk a little more gain
out of them. The modules will need to be connected to a
large, smooth heatsink and may also require a cooling fan.
This picture
shows a Hitachi PF0030 820-850 MHz, 6 watt RF power amplifier module installed
in an old Nokia/Radio Shack cellular phone. This particular module
will work up to over 900 MHz, with only a slight decrease in gain at those
higher frequencies. Running the Vdd voltage at
+15 VDC also slightly increases the RF power output. I've gotten
them to hit 10 watts output, when properly laid out and constructed with a
big heatsink.
This is an example
picture of a Hitachi PF0031 880-915 MHz, 6 watt RF power amplifier module
which is mounted in a portable jammer. The PF0031 is intended for
operation at slightly higher frequencies, so it gives a little better RF
output and input SWR performance and will also run cooler than the PF0030.
Here is an even bigger
RF power amplifier. It's connected to an old Motorola Mostar
800 MHz trunked mobile radio. Only the RF power amplifier is used. RF
output is over 30 watts into a homebrew Yagi antenna.
Most broadband RF power hybrid modules rarely need more than +13 dBm (20 mW)
of RF input to work properly. This is perfect for being driven
directly from the VCO's RF output without the need for any additional MMIC
amplification. Increasing the RF input power only shortens the life
of the power module, with little result in output gain.
Another useful device to place in the RF power amplifier chain is an isolator. An
isolator is a ferrite circulator with one of the ports connected to a pure 50
ohm resistive load. Basically, from port 1 to port 2, (RF power
amplifier to antenna) there is minimal insertion loss. But, any RF
power flowing back from port 2 into port 1 is "diverted" into
port 3, the 50 ohm load. What this means is that the RF power
amplifier is always "seeing" a perfect 50 ohm load (perfect SWR),
even if the antenna is removed! These are very handy little
devices, but are harder to find than $2600 Magazine's integrity. Use
'em if you've got 'em.
Here is a picture
of the RF power amplifier section on a four watt, 1.9 GHz PCS jammer. The
RF module's output is fed into an isolator (that big round thing). RF
input is on the left, the antenna connection is on the right, and the 50 ohm
load is on the bottom. The silver rectangle thing is a directional
coupler. This is a device which samples the module's RF output,
then sends it to a diode detector/transistor buffer to control an "RF
Output" LED.
Antenna / Feedline
The most important part of a radio system is the antenna. Spend
90% of your money on the antenna system and coaxial cable, and you'll have no
problems. Use a coathanger and some alligator clips and you'll be
emailing me 50 times a day saying it doesn't work. Thankfully, you
can also salvage the antenna from old cellular phones. Those
magnetic or trunk mount antennas work best. Glass mount antennas or
anything "stick-on" are crap. Directional gain antennas
can be used to increase the jammer's performance, but only in the direction
the antenna is pointed. High-gain, omni-directional antennas are
the best. For homebrew designs, you can scale down (or up) 900 MHz
(33 cm) band amateur radio band antennas.
For 1.8/1.9 GHz band antennas, you are pretty much stuck with using
commercial designs. Building antennas at frequencies that high
is quite difficult and not worth the trouble.
Ramsey
Electronics sells nice wideband Yagi antennas for everything between 400
MHz and 6 GHz.