HackRF and Bluetooth jamming
A few years ago I bought a HackRF on eBay — long story short it arrived broken (thanks, Poste Calabria) — and so it sat in a drawer for years until I found it again while I was organizing that very drawer.
At the time it was a considerable expense for a student, so I told myself “okay, I’ll fix it.”
While I was at it I thought “let’s see what firmware updates have come out in the meantime,” and to my surprise the community underneath was still active!
Not wanting to admit to myself that I’d wasted money back then, I decided to finish the dream of past-me, the script-kiddie — except this time I actually knew how to think, and I ended up contributing to the firmware.
The original plan
Back then I bought it with a clear idea in mind: get rid of that deafening noise coming from the Bluetooth speakers that the maranza (the local loudmouth kids) blast in the parks.
But even with the new updates and after reading forums and replies given to anyone who asked similar questions, the answer was always the same: “You can’t jam Bluetooth.”
Quoting some replies taken from Reddit: “Theoretically, you could use a microwave oven” and “You can’t, the band isn’t wide enough to cover all the channels.”
Yet in the latest updates an application called “hopper” had appeared that is basically a jammer that hops from one frequency to another.
Customizing the Bluetooth hopping
Bluetooth does channel hopping up to 1600 times per second, but the hopper app allowed a hop every 10 ms — so 100 times per second. Considering there are 48 channels, at that speed the jammer wouldn’t create any interference.
So I wondered: what if I modified the firmware to support 1 ms? Or even 0?
The firmware is open source — I make the change, recompile it, reflash it (a very scary step).
With one millisecond nothing happened; with 0 the story is different, because everything crashes. While I was running this experiment and the HackRF was unresponsive, the cursor on my Bluetooth trackpad suddenly started to lag, and shortly after the music in my headphones cut out: it worked!
Small problem: with 0 milliseconds the Portapack UI becomes totally unresponsive, but a reboot fixes it.
That’s how I made my first two pull requests to the Mayhem firmware, amid the maintainers’ confusion.

Field testing
The HackRF has a problem: its transmit power is limited to 15 mW, while Bluetooth devices are allowed up to 100 mW; this means the jammer has to be very close to the device it wants to disrupt.
To do a field test I literally go out into a field, far from houses, and with a Bluetooth speaker and a friend with an iPhone I position myself between the speaker and the phone.
I try turning it on and nothing happens; I get closer to the speaker and still nothing; then suddenly, without anything visibly changing, the music starts to jitter.
The problem here is that with this transmission mode not only am I transmitting at low power (much lower than normal because of the HackRF’s technical limits), but I also have to be closer to the Bluetooth speaker than the phone is.
Rabbit holes
Unlike a Flipper Zero, the HackRF has an SMA port for the antenna, and that’s how my first AliExpress rabbit hole starts.
Apparently it’s full of active amplifiers for reception — which of course amplify noise as well — and it turns out there are transmit amplifiers too; even if they introduce some noise, that wouldn’t be a huge problem, after all it’s a jammer!
Now, if the maximum allowed Bluetooth transmit power is 100 mW, on AliExpress you can easily find amplifiers that claim to transmit up to 200 watts at 2.4 GHz (2000 times the legal power limit), attachable between the HackRF and an antenna. And here I ask myself: what if I also add a directional antenna? The story would be long, but I wouldn’t trust AliExpress antennas because the risk of frying the preamplifier is high, and the same goes for the amplifier itself — besides, I wonder why these products are freely sold when the legal limits on the 2.4 GHz bands in the European Union are only a fraction of what these devices claim.
So maybe it’s technically possible to build a very powerful jammer with a HackRF, but my goal was only to demonstrate that it’s possible to jam Bluetooth regardless of distance.
A real attacker could equip themselves with similar gear and would probably be able to knock out Bluetooth across a whole city — provided they spent thousands of euros on AliExpress.
The conclusion of this story is: don’t believe something is impossible just because people who, realistically, have never even read the firmware code tell you so.
Links: