├── README.md
├── nrf_jammer
    └── nrf_jammer.ino
└── nrf_jammer_fritzing.fzz


/README.md:
--------------------------------------------------------------------------------
 1 | # Bluetooth Low Energy jammer
 2 | BLE (Bluetooth low energy) jammer using nRF24L01+ modules and a simple STM32 microtroller like the Maple Mini/ Bluepill
 3 | 
 4 | ## Brief overview
 5 | BLE uses 40 channels, 3 of which are used for advertising and the other 37 are used for data transmission.
 6 | Data transmission on the other 37 channels are usually done with adaptive frequency hopping to minimize interference.
 7 | 
 8 | <img src="https://www.rfwireless-world.com/images/BLE-frequency-channels.jpg" width="600">
 9 | 
10 | On the other hand, BLE discovery is made possible by 3 advertising channels (2402MHz, 2426MHz and 2480MHz).
11 | These 3 advertising channels transmit the characteristics and Mac Address of the device.
12 | On newer BLE devices, advertising uses all 3 channels, hence the need to generate noise on all
13 | 3 channels in order to achieve maximum effectiveness in jamming BLE discoverability.
14 | 
15 | This is far more feasible than jamming all 40 channels with a wideband jammer as it risks affecting other network such as WiFi.
16 | 
17 | <img src="https://user-images.githubusercontent.com/7874219/85138533-8295e200-b275-11ea-97c1-f21c1f8e7b08.png" width="600">
18 | 
19 | Based on the above spectrogram, we can see that all 3 channels (2402MHz, 2426MHz and 2480MHz) are
20 | clearly flooded (blue is silence, green and other colors represent a signal). This would prevent BLE
21 | scanners from reading other BLE advertising transmissions.
22 | 
23 | To reproduce the above outcome, we will use 3 nRF24L01+ modules and transmit a single character `"x"` repeatedly
24 | using `writeFast`. This ensures that the module transmits without **auto-acknowledgement** and **auto-retry** which are features of the chipset turned on.
25 | 
26 | `radio2.setAutoAck(false);` may not be needed with `writeFast`.
27 | 
28 | We also set the module's data rate to **2Mbps** so that it will utilize a wider band (2Mhz) instead of (1Mhz) to cover a larger bandwidth for jamming.
29 | 
30 | ```C++
31 | radio2.setDataRate(RF24_2MBPS);
32 | ```
33 | 
34 | ## Project components
35 | 1. 1x Maple Mini (STM32) or Arduino
36 | 2. 3x nRF24L01+
37 | 
38 | ## nRF24L01+
39 | The nRF24L01+ (by Nordic Semiconductor) is a highly integrated, 
40 | ultra low power (ULP) 2Mbps RF transceiver for the 2.4GHz ISM (Industrial, 
41 | Scientific and Medical) band. 
42 | 
43 | ### Features:
44 | * Power supply : 1.9~3.6V
45 | * ~520m Range at 2Mbit Data Rate
46 | * Auto Acknowledge
47 | * Auto Re-Transmit
48 | * Multiceiver - 6 Data Pipes
49 | * 32 Byte separate TX and RX FIFOs
50 | * Software selectable channel: 2400MHz to 2525MHz (125 Selectable channels)
51 | * Minimum number of external components
52 | * Pins broken out : VCC, CE, CSN, SCK, MOSI, MISO, IRQ, GND
53 | 
54 | nRF24L01+ is a narrowband tranceiver (~2MHz) but that works to our advantage as BLE is also narrowband by design (~2MHz).
55 | 
56 | ## Schematics
57 | 
58 | <img src="https://user-images.githubusercontent.com/7874219/96822323-5cb75e80-145c-11eb-900e-d730055d1591.png" width="600">
59 | 
60 | 
61 | > Disclaimer: This project is for educational purposes only. How you use this information is your own responsibility. I will not be held accountable for any illegal activities.
62 | 


--------------------------------------------------------------------------------
/nrf_jammer/nrf_jammer.ino:
--------------------------------------------------------------------------------
 1 | /*
 2 | * Arduino nRF24L01 Noise Gen
 3 | *                
 4 | * by Wilson
 5 | * 
 6 | * Library: TMRh20/RF24, https://github.com/tmrh20/RF24/
 7 | */
 8 | #include <SPI.h>
 9 | #include <nRF24L01.h>
10 | #include <RF24.h>
11 | 
12 | 
13 | RF24 radio(PA0, PA1); // CE, CSN
14 | RF24 radio2(PA2, PA3);
15 | RF24 radio3(PB0, PB1);
16 | 
17 | void setup() {
18 |   pinMode(PC13, OUTPUT);
19 |   radio.begin();
20 |   radio2.begin();
21 |   radio3.begin();
22 |   radio.powerDown();
23 |   radio2.powerDown();
24 |   radio3.powerDown();
25 |   delay(1000);
26 |   digitalWrite(PC13, LOW);
27 | 
28 |   radio.powerUp();
29 |   radio.setAutoAck(false);  // Very important setting
30 |   radio.setPALevel(RF24_PA_HIGH);
31 |   radio.setDataRate(RF24_2MBPS);
32 |   radio.stopListening();
33 |   radio.setChannel(80);
34 |   delay(1000);
35 | 
36 |   radio2.powerUp();
37 |   radio2.setAutoAck(false);
38 |   radio2.setPALevel(RF24_PA_HIGH);
39 |   radio2.setDataRate(RF24_2MBPS);
40 |   radio2.stopListening();
41 |   radio2.setChannel(26);
42 |   delay(1000);
43 | 
44 |   radio3.powerUp();
45 |   radio3.setAutoAck(false);
46 |   radio3.setPALevel(RF24_PA_HIGH);
47 |   radio3.setDataRate(RF24_2MBPS);
48 |   radio3.stopListening();
49 |   radio3.setChannel(2);
50 |   delay(1000);
51 | 
52 |   digitalWrite(PC13, HIGH);
53 | }
54 | 
55 | 
56 | void loop() {
57 |   byte text = 255; //just some random string
58 |   radio.writeFast(&text, sizeof(text));
59 |   radio3.writeFast(&text, sizeof(text));
60 |   radio2.writeFast(&text, sizeof(text));
61 | }
62 | 


--------------------------------------------------------------------------------
/nrf_jammer_fritzing.fzz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lws803/BLE-jammer/7fea999dd1d69c1c2e6774b06a0416380e9f7e2e/nrf_jammer_fritzing.fzz


--------------------------------------------------------------------------------