How to Use SDR as a Signal Jammer with Jerry Olla

Jerry Olla explains what he did differently with his HackRF.


Keith Parsons:
At WLPC in Phoenix, we had a couple of hands-on sessions. One of the maker sessions was HackRF and the other one was ODROID and it was fantastic, loved it! You’ve done something else with your HackRF and I saw it. I thought it would be a great episode for the podcast. But first of all, tell us what you did with the HackRF and what do we have here in front of us now?

Jerry Olla:
I took the HackRF apart, that’s the first thing geeks like to do with new electronics. I did a little research and ultimately I was trying to accomplish creating a portable way of using the HackRF without needing to connect it to my laptop, mainly for the sake of using it as a demoing device for spectrum analysis and being able to show the spectrum utilization when the HackRF was transmitting on certain frequencies to a signal generator.

Also, to be able to demonstrate the spectrum analysis capabilities like in Ekahau and other tools where they can show channel utilization and how it affects transmissions and the receiving side.

Keith Parsons:
So, one of the HackRF exercises we did at WLPC was to turn the HackRF into listening to FM radio, we listened to a variety of things. The other thing we did was Bluetooth, so we could transmit a Bluetooth BLE signal and you’re saying what you’ve done with HackRF is you loaded the software on it that will allow it to generate a jammer?

Jerry Olla:
Yeah, essentially. It’s kind of a custom firmware that has a few capabilities. One of those is being a signal generator or a jammer.

Keith Parsons:
Yes, a signal generator. We don’t want to use the jammer word; that sounds bad.

Jerry Olla:
Yeah, that’s a bad word. We’ll call it a signal generator and you can generate signals on frequencies. The HackRF is capable of generating signals which are 10 megahertz all the way up to 6 gigahertz, I believe.

Keith Parsons:
So there’s a company up in Seattle called Nuts About Nets. They take a regular Wi-Fi chip and they turn it into a signal generator that generates a Wi-Fi look. You can see either a CCK curve or OFDM curve, but it kind of breaks the way Wi-Fi works and it just transmits the straight curve, and then on a spectrum analyzer you can see it. So they made that as a signal generator to test your spectrum analyzer.

What you’re saying here is you made a signal generator with HackRF to test, like, the Ekahau spectrum analyzer, so you can see it there. What I see in front of me here is it looks like you have a little box; that box came with the PortaPack.

Jerry Olla:
That’s the accessory there that adds the screen, the buttons, and everything.

Keith Parsons:
Yeah, it looks like a really big iPod with the little thumb wheel. Did it come with a little video screen as well?

Jerry Olla:
Yep! Touchscreen too!

Keith Parsons:
Then, you strapped a battery to the bottom of it so now it’s a very portable little device.

Jerry Olla:
Same battery that we used for the Odroid maker session.

Keith Parsons:
Good combination. Right now you have it set up in this jammer mode and we’ll add this. So tell me what this does now? You show a sweep ten looks like 10 kilohertz, it’s a preset and a hop time and a range. What are those?

Jerry Olla:
You’ve got a few options on here. The type of signal generation or jamming that you’re doing here has three different modes: FSK, tone, sweep. It generates different signatures and is essentially what we see on the spectrum analysis using those different types.

But then you can configure the settings between the speed of the signal that’s being generated as well as the presets. You can define specific different presets. Maybe WLAN frequencies that you’re wanting to show on a spectrum analyzer or monitoring your spectrum analyzer.

Keith Parsons:
Is this software like some pack you downloaded specifically for the HackRF?

Jerry Olla:
The custom firmware that I use, there’s a specific one for the PortaPack, but this one kind of builds upon that and is called the HAVOC firmware. That custom firmware for the PortaPack works specifically with the PortaPack in the HackRF.

Keith Parsons:
You bought the additional PortaPack to go with your HackRF and then you downloaded an extra image and pushed it down to the HackRF to run this? Does it have a little antenna on top? That’s a 2 for an antenna?

Jerry Olla:
Yeah, exactly! This is a pretty low gain one; obviously you could amplify that signal a little more with a larger antenna.

Keith Parsons:
Or directional perhaps? That’s what you want to do?

Jerry Olla:
So pretty versatile that way.

Keith Parsons:
You set this up and configured it using this HAVOC firmware. Now when you use it, if you had a spectrum analyzer running that you could push on this, what is the shape that shows on the spectrum analyzer?

Jerry Olla:
It’s pretty unique! It’s not something that I’ve seen in there. It’s essentially using the HackRF’s capability of what kind of chunks it is. I’m not really familiar with the technology as far as what its limitations and capabilities are.

But in the spectrum analysis, you can see that right. You can see it’s transmitting on a certain section of frequency at a time and then continue moving to sweep across that range.

Keith Parsons:
What can I do? some sample? Does it show if let’s say we’re in either Metageek or Ekahau spectrum analyzer and we set it down to the five-second range? What is the last 5 seconds worth of data it shows?

Jerry Olla:
If you’re looking at a specific channel, since it’s constantly sweeping across those subcarriers in that channel, it’ll show utilization at about 60% or so from what I’ve seen.

But as far as decoding transmissions and stuff like that, it’s preventing it. Like Ekahau for example, the beacons will stop being received by Ekahau because of the jamming across the entire channel.

Keith Parsons:
Must that signal be above energy detect level in order to stop the Wi-Fi? Can you tell how loud it is to transmit? What is its transmit power?

Jerry Olla:
That’s a good question. No, there’s no setting on that. It just must be transmitting at full power.

Keith Parsons:
But on your specifications end, at what level does it show if this is sitting at the same table?

Jerry Olla:
Yes. It obviously depends on the proximity of it, but when I’ve transmitted within like a few feet away from the spectrum analyzer, showing we could pull it up here and see.

I think it’s more around like the 10 to 20 dB kind of range. It’s really loud. It depends on the antenna that’s connected. This is a lower gain antenna so probably not as loud but I think you’re gonna see it.

Keith Parsons:
So, when you say you can have this sweep across the 2 for 2 to 5 region, there’s basically a knock of all the Wi-Fi along the way?

Jerry Olla:
Yeah!

Keith Parsons:
Quite useful to have at a certain time.

Jerry Olla:
For demonstration purposes, of course.

Keith Parsons:
Good. Can we get the URL? How long did it take you to go through the process of getting this prepared and ready for?

Jerry Olla:
Pretty straightforward, there’s no soldering required. You take a couple of screws out of the HackRF to remove it from its casing. There’s this bolt-on module thing where it just has the connections that are made and are very seamless.

Then, you put a couple of screws in its case and the time-consuming part is getting the firmware downloaded and flashed on to the HackRF board.

Keith Parsons:
Would you have any instructions on how to do that?

Jerry Olla:
Yeah, we’ll link to all of that. So, I can give you the link to the PortaPack into the HackRF firmware, the HAVOC firmware.

Keith Parsons:
Great! Well, any other new projects you’re working on? We took your Odroid and turned it into a Maker session. We had the HackRF. You’ve now turned the HackRF into a nice signal generator that can wreak havoc basically on Wi-Fi.

What’s next for you on your hacking journey?

Jerry Olla:
You’ll never know. I mean there are all sorts of gadgets out there. I try to keep my eye out on what options are available. Nothing on the radar right now, but I’m sure something will pop up soon enough. I’ll get really focused on that for a while and then move on to something else.

Keith Parsons:
Well, I got a PortaPack and so now I just have to put it together and make it work. Looks like a great additional tool to have in a Wireless LAN Professional’s toolkit. Thanks for your time, Jerry!

Jerry Olla:
Thanks, Keith! Thanks for having me on.


Jerry Olla is a product manager at Ekahau. If you have more questions or feedback, connect with Jerry via Twitter.

