In our previous article on anti-drone warfare, we discussed the topic of jamming. Based on observations from the Russian-Ukrainian war, jamming is not only a legitimate electronic warfare technique but also a highly effective one. One notable incident involved Ursula von der Leyen’s plane, which was reportedly affected by suspected Russian GPS jamming. Furthermore, there have been numerous instances where weapons made by either Russia or the U.S. missed their targets due to GPS jamming. To further explore this issue, I would like to introduce a tool that visualizes GPS/GNSS disruptions affecting aircraft worldwide – GPSJam.
What Is GPSJam?
GPSJam.org is a website that offers information about GPS interference experienced by aircraft around the world. It utilizes data from ADS-B Exchange, a crowd-sourced flight tracking platform, to create daily maps that show areas likely to experience GPS interference. These maps are based on aircraft reports regarding the accuracy of their navigation systems.
It’s worth mentioning that GPSJam focuses not solely on GPS but also on GNSS in general. GNSS, or Global Navigation Satellite System, is a broad term that refers to any satellite navigation system capable of providing global coverage. This category includes various satellite-based positioning systems. Examples of GNSS include GPS (Global Positioning System) from the United States, GLONASS from Russia, Galileo from the European Union, and BeiDou from China.
How Does It Work?
Most aircraft are typically equipped with a device known as ADS-B Out, which stands for “Automatic Dependent Surveillance-Broadcast.” This system allows a plane to share its location, speed, and altitude with air traffic control and other aircraft in the vicinity. Additionally, it serves as a vital navigation tool that assists planes in approaching for landing.
Flight professionals and enthusiasts use specialized equipment to receive this information and relay it to flight-tracking websites like ADS-B Exchange. These platforms then visualize the flight data on interactive maps.
When aircraft utilize ADS-B Out, they not only transmit their position but also indicate the accuracy of that position. According to the tool provider, “when there is interference with their GPS, the uncertainty goes up.” Therefore, greater interference leads to decreased accuracy. Conversely, when there is little or no interference, the accuracy improves. Essentially, ADS-B Exchange collects data on the accuracy of an aircraft’s position. The tool provider aggregates this information over a 24-hour period and organizes it into hexagon sections, assigning different colors to represent varying levels of accuracy.
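The aggregation described above, sketched as an added example (this is not GPSJam's own code): one day of per-aircraft accuracy reports is binned into map cells, and each cell is rated by the share of aircraft that reported degraded accuracy. The square lat/lon cells used in place of hexagons, the thresholds, the minimum-traffic cutoff and the sample reports are all assumptions made for illustration.

```python
import math
from collections import defaultdict

# Assumptions of this example, not values taken from GPSJam:
CELL_DEG = 1.0                       # square lat/lon cell standing in for a hexagon
MIN_AIRCRAFT = 3                     # traffic threshold: below this a cell is not rated
LOW_SHARE, HIGH_SHARE = 0.02, 0.10   # share of aircraft with degraded accuracy


def cell_of(lat, lon, size=CELL_DEG):
    """Map a position to the grid cell that contains it."""
    return (math.floor(lat / size), math.floor(lon / size))


def classify(reports, min_aircraft=MIN_AIRCRAFT):
    """reports: iterable of (aircraft_id, hour, lat, lon, accuracy_ok) for one day.

    Each aircraft counts once per cell, however many messages it sent, and is
    counted as degraded if any of its reports in that cell had poor accuracy.
    """
    seen, degraded = defaultdict(set), defaultdict(set)
    for aircraft, _hour, lat, lon, accuracy_ok in reports:
        cell = cell_of(lat, lon)
        seen[cell].add(aircraft)
        if not accuracy_ok:
            degraded[cell].add(aircraft)

    levels = {}
    for cell, aircraft in seen.items():
        if len(aircraft) < min_aircraft:
            levels[cell] = "no-data"   # one faulty receiver must not paint a cell red
            continue
        share = len(degraded[cell]) / len(aircraft)
        if share > HIGH_SHARE:
            levels[cell] = "high"
        elif share >= LOW_SHARE:
            levels[cell] = "medium"
        else:
            levels[cell] = "low"
    return levels


def flight(aircraft, lat, lon, ok_hours, bad_hours=()):
    """Build constructed sample reports for one aircraft at one position."""
    return ([(aircraft, h, lat, lon, True) for h in ok_hours] +
            [(aircraft, h, lat, lon, False) for h in bad_hours])


# Constructed sample day (not real ADS-B data)
REPORTS = []
for i in range(4):    # cell (10, 10): 2 of 4 aircraft lose accuracy
    REPORTS += flight(f"A{i:02d}", 10.5, 10.5, range(3), (5, 6) if i < 2 else ())
for i in range(20):   # cell (40, -4): 1 of 20 aircraft loses accuracy
    REPORTS += flight(f"B{i:02d}", 40.2, -3.7, range(2), (4,) if i == 0 else ())
for i in range(20):   # cell (60, 25): no degraded reports
    REPORTS += flight(f"C{i:02d}", 60.3, 25.1, range(2))
for i in range(2):    # cell (0, 0): both degraded, but too little traffic to rate
    REPORTS += flight(f"D{i:02d}", 0.5, 0.5, (), (1,))

if __name__ == "__main__":
    for cell, level in sorted(classify(REPORTS).items()):
        print(cell, level)
```

The "no-data" branch is what keeps a single aircraft with a hardware fault from marking a whole cell as interference.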
Get Started with GPSJam
To begin investigating where Russians or others conduct jamming, we should simply open https://gpsjam.org/ in our browser.
One of the most valuable functions is filtering by date. But keep in mind that historical data only goes back to 14 February 2022.
Additionally, there are further settings that enable filtering by location and traffic threshold.
GPSJam clearly demonstrates GPS/GNSS interference; however, it’s important to note that some output data on this website may not be solely due to jamming. GNSS interference could also result from hardware issues in aircraft, as well as from weather conditions.
Summary
Jamming represents the forefront of cyber warfare. Tools like GPSJam can help identify areas experiencing jamming without the need for additional hardware or security clearance.
If you are a dedicated OSINT investigator, consider exploring this tool, as it may enhance your work. Furthermore, if you’re new to the field of Open Source Intelligence, check out our OSINT training.
New technological developments in recent years have made it possible to build a private cellular network at very low cost. This can be useful to many organizations that place a premium on their privacy, such as firms engaged in research and development of intellectual property (IP) or law firms, to name but a few. You can read here how the Mexican drug cartels built their own private cellular network to evade snooping by both law enforcement and competitors.
This article was written by one of our most advanced students, Astra. Astra is an ardent supporter of Ukraine’s freedom and an advanced student of low cost cellular networks.
In this article, he will demonstrate how to build your own 4G LTE network!
LTE Networks
The concept of private LTE itself is not new. There are ready-made solutions that allow you to lease frequencies and deploy such a network at your enterprise. But, of course, all this equipment is not suitable for a one-time test, so we will launch a network based on SDR.
If, in the world of open-source stacks, GSM is ruled by Osmocom, then in 4G LTE the undoubted leader is srsRAN. This is completely open-source software that, with minimal configuration, allows us to launch this kind of network.
srsRAN can be built from source, but I recommend using DragonOS, already mentioned many times by OTW, which includes this software in the distribution.
There is also a similar project, LibreCellular, that uses slightly different hardware, but the key concept is the same as that of srsRAN.
How LTE works
Let’s understand how this network (RAN, Radio Access Network) works.
It is a network that utilizes frequencies more efficiently and provides much faster performance compared to GSM and 3G.
It consists of three key components:
EPC (Evolved Packet Core)
This is the operator’s core network. Its main component is the MME (Mobility Management Entity), through which all signaling traffic from UEs (User Equipment) passes. This node is responsible for service transfer, calling, authentication and many other operations. Its other parts are the billing service and gateways (service and packet), which provide data exchange between parts of the network and other networks. Connected to the core network is the HSS (Home Subscriber Server), a secure database where encryption keys and subscriber information are stored. In a GSM network, the role of this node is played by the home register (HLR).
eNBs (eNodeB).
These are the base stations. LTE operates in a wide range of frequencies, from 450 to 2600 MHz. Their use varies from country to country, as some of these frequencies are already reserved for something else. Like GSM, there are channel numbers here too – the E-UTRA Absolute Radio Frequency Channel Number (EARFCN).
The whole spectrum of frequencies is divided into broad sections (LTE bands), the choice of which differs from country to country.
UE (User Equipment).
These are the devices that connect to the network such as phones and modems.
What does it take to get your own LTE network up and running?
In order to reproduce everything that I will be describing below, you will require some specific hardware and specific configuration.
For this test you will need:
1) A Linux and a Windows machine.
2) A full-duplex SDR with proper antennas. B210, BladeRF, and LimeSDR are suitable.
3) A SIM card reader
4) Programmable LTE USIM cards
5) An Android smartphone
Let’s start
Boot into DragonOS and plug in the SDR.
Navigate to the /etc/srsran folder.
dragonos> cd /etc/srsran
You’ll find the configuration files there.
dragonos > ls -l
In the enb.conf file we will modify two parameters: MCC and MNC.
These parameters are identical to those used in GSM networks: they are the country code and the network code. Normally, we would use arbitrary values, but the problem is that most phones refuse to work when they see strange network values. That’s why we need to specify the MCC of the country you live in, or use 999, which is the value for private enterprise networks. As for the network code (MNC), make sure to set one that doesn’t belong to any operator working in your country.
[enb]
enb_id = 0x19B
mcc = 999
mnc = 01
mme_addr = 127.0.1.100
gtp_bind_addr = 127.0.1.1
s1c_bind_addr = 127.0.1.1
s1c_bind_port = 0
n_prb = 50
#tm = 4
#nof_ports = 2
Then, modify the epc.conf file in the same way:
[mme]
mme_code = 0x1a
mme_group = 0x0001
tac = 0x0007
mcc = 999
mnc = 01
mme_bind_addr = 127.0.1.100
apn = srsapn
dns_addr = 8.8.8.8
encryption_algo = EEA0
integrity_algo = EIA1
paging_timer = 2
request_imeisv = false
lac = 0x0006
full_net_name = astra00011
short_net_name = astra00011
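A consistency check for the two files edited above, as an added example (it is not part of srsRAN or of the original article): the eNB and the MME must agree on MCC and MNC, the eNB's mme_addr must point at the MME's bind address, and encryption_algo = EEA0 is flagged because EEA0 is the null ciphering algorithm. Reading the files with Python's configparser and the abridged copies embedded here are assumptions of the example.

```python
import configparser

# Abridged copies of the two files shown above, embedded so the check runs offline
ENB_CONF = """
[enb]
enb_id = 0x19B
mcc = 999
mnc = 01
mme_addr = 127.0.1.100
gtp_bind_addr = 127.0.1.1
s1c_bind_addr = 127.0.1.1
#tm = 4
"""

EPC_CONF = """
[mme]
mcc = 999
mnc = 01
mme_bind_addr = 127.0.1.100
encryption_algo = EEA0
integrity_algo = EIA1
"""


def section(text, name):
    """Parse INI-style text and return one section ('#' lines are comments)."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser[name]


def check(enb_text, epc_text):
    """Return a list of findings; an empty list means the files are consistent."""
    enb, mme = section(enb_text, "enb"), section(epc_text, "mme")
    findings = []
    for key in ("mcc", "mnc"):
        if enb.get(key) != mme.get(key):
            findings.append(f"{key} mismatch: eNB {enb.get(key)} vs MME {mme.get(key)}")
    mcc, mnc = enb.get("mcc", ""), enb.get("mnc", "")
    if not (mcc.isdigit() and len(mcc) == 3):
        findings.append("mcc must be exactly 3 digits")
    if not (mnc.isdigit() and len(mnc) in (2, 3)):
        findings.append("mnc must be 2 or 3 digits")
    if enb.get("mme_addr") != mme.get("mme_bind_addr"):
        findings.append("eNB mme_addr does not match MME mme_bind_addr")
    if mme.get("encryption_algo", "").upper() == "EEA0":
        findings.append("encryption_algo = EEA0: NAS signalling is not ciphered")
    if mme.get("integrity_algo", "").upper() == "EIA0":
        findings.append("integrity_algo = EIA0: NAS signalling is not integrity-protected")
    return findings


if __name__ == "__main__":
    for finding in check(ENB_CONF, EPC_CONF) or ["no findings"]:
        print(finding)
```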
Now in two separate terminals, run first sudo srsepc and then sudo srsenb.
Next, take your phone and search for networks manually. If we are lucky, we’ll see a network, depending on which values you set, starting with 99913. If we try to connect to this network, we will surely fail – the phone will try to connect for a moment and then show a sad “No service”.
It’s all about authentication. That is what we are going to deal with now.
Fire up a Windows machine and plug in the SIM card reader. Insert a blank SIM into the reader.
I am using non-open-source software to read and write SIMs. There are other options, such as pysim.
Once the SIM card is read, we can proceed to write the required parameters.
The key parameters required by srsRAN are the IMSI, KI and OPC.
The first field to fill in is the ICCID. The ICCID should be a unique 19-digit identifier for the SIM card itself. It should be composed of the following:
Field | Description | Example
Major Industry Identifier | Always set 89 for telecommunication purposes | 89
Country Code | 2 or 3 digit country code as defined by ITU-T recommendation E.164. |
Account identifier | Usually the same as the one in the ICCID but chopped here to stay in the 15 digit limit | 0000000001
The next step is to generate the KI value (subscriber key), which is known only to the subscriber and the network and is used to authenticate the device on the network. We also need to generate an OPC (derived operator code) value.
I used the following script to generate 128-bit values for both Ki and OPC:
Then fill in the last parameters, which consist of:
PLMNwAct: A user-managed list of preferred Public Land Mobile Networks (PLMNs) ranked by priority, along with the corresponding access technologies (2G/3G/4G/5G, etc.).
OPLMNwAct: An operator-controlled version of the user-preferred PLMN list mentioned above.
HPLMNwAct: The Home PLMN, including the specified access technology, identifies the network associated with the subscriber’s identity, represented as a combination of Mobile Country Code (MCC) and Mobile Network Code (MNC) with the access technology included.
EHPLMN: A list of Equivalent Home PLMNs. Networks in this list are treated as equivalent to the home network, meaning the device won’t consider itself roaming when connected to them. This field can be useful, for example, when operators merge, allowing each to include the other’s PLMN in this list (though the original source for this suggestion could not be verified).
FPLMN: A list of forbidden PLMNs that the device should not automatically attempt to register with. This can be used to avoid all specified local public mobile networks.
If everything was set up correctly, once you insert your programmed SIM card into your smartphone, you should be able to see something like this in the network parameters:
Notice that we still don’t have any mobile connection (top right corner icon)
Lastly, we need to choose the radio frequency for transmission and reception, which is conveniently represented by an EARFCN (E-UTRA Absolute Radio Frequency Channel Number). srsRAN supports exclusively FDD (Frequency Division Duplexing), where the mobile device’s downlink and uplink operate on separate frequencies. By specifying the downlink EARFCN, srsRAN can determine the corresponding downlink frequency. This can be done in the /etc/srsran configuration folder in the rr.conf file.
The final step to complete the configuration is to edit the user_data.csv file. This file holds the SIM card identity that we configured earlier and is used by the Home Subscriber Server (HSS), so the values programmed into the SIM cards are needed here.
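The provisioning values described above (ICCID, IMSI, Ki, OPC and the HSS subscriber row), generated in one place as an added example; this is not the author's script. It assumes that the ICCID ends in a Luhn check digit, a hypothetical two-digit issuer identifier and placeholder country code, MILENAGE authentication with the OPC programmed directly, and the row layout of srsRAN 4G's subscriber CSV (Name,Auth,IMSI,Key,OP_Type,OP/OPc,AMF,SQN,QCI,IP_alloc); the AMF, SQN and QCI defaults are constructed.

```python
import secrets


def luhn_check_digit(payload: str) -> str:
    """Check digit that makes payload + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # rightmost payload digit and every second one
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def make_iccid(country_code: str, issuer_id: str, account_id: str) -> str:
    """89 + country code + issuer + account, closed with a Luhn digit (19 digits)."""
    body = "89" + country_code + issuer_id + account_id
    if not body.isdigit() or len(body) != 18:
        raise ValueError("ICCID body must be exactly 18 digits before the check digit")
    return body + luhn_check_digit(body)


def make_imsi(mcc: str, mnc: str, account_id: str) -> str:
    """MCC + MNC + account identifier, trimmed on the left to fit 15 digits."""
    msin = account_id[-(15 - len(mcc) - len(mnc)):]
    imsi = mcc + mnc + msin
    if not imsi.isdigit() or len(imsi) != 15:
        raise ValueError("IMSI must be exactly 15 digits")
    return imsi


def new_key() -> str:
    """128-bit value from the OS CSPRNG, as 32 hex characters."""
    return secrets.token_hex(16)


def hss_row(name, imsi, ki, opc, amf="9001", sqn="000000000000", qci=9):
    """One subscriber line: Name,Auth,IMSI,Key,OP_Type,OP/OPc,AMF,SQN,QCI,IP_alloc."""
    return ",".join([name, "mil", imsi, ki, "opc", opc, amf, sqn, str(qci), "dynamic"])


def provision(name, mcc, mnc, country_code, issuer_id, account_id):
    """Values to write to the SIM plus the matching HSS row (same Ki and OPC)."""
    sim = {
        "iccid": make_iccid(country_code, issuer_id, account_id),
        "imsi": make_imsi(mcc, mnc, account_id),
        "ki": new_key(),
        "opc": new_key(),
    }
    return sim, hss_row(name, sim["imsi"], sim["ki"], sim["opc"])


if __name__ == "__main__":
    # Constructed inputs: MCC/MNC from the configuration above, the rest placeholders
    sim, row = provision("ue1", "999", "01", "999", "01", "00000000001")
    print(sim)
    print(row)
```

Ki and OPC are the long-term secrets of the subscription, so the generated values belong only on the SIM and in the HSS file.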
Keep in mind that srsRAN does not support calls and SMS, only internet connectivity. Calls are possible with VoLTE, but this involves additional components such as the IP Multimedia Subsystem (IMS) that srsRAN does not natively include.
Now’s the time to raise our 4G LTE network:
In two separate terminals type:
>sudo srsepc
followed by
sudo srsenb
Success! We have our own private 4G LTE network!
Summary
It is now possible to create your own 4G LTE network with low cost components and a bit of expertise! These networks can be invaluable to those who place a high priority upon privacy and confidentiality. This is key in an era where competitors or nation state actors may be inside your mobile carrier’s system.
In modern warfare, we’re dealing with a whole new battlefield—one that’s invisible to the naked eye but just as deadly as kinetic warfare. Drones, or unmanned aerial vehicles (UAVs), have completely changed the game. From small commercial quadcopters rigged with grenades to sophisticated military platforms conducting precision strikes, these aerial threats are everywhere on today’s battlefield.
But here’s the thing: they all depend on the electromagnetic spectrum to communicate, navigate, and operate. And that’s where Electronic Warfare (EW) comes in. Specifically, we’re talking about Electronic Countermeasures (ECM) designed to jam, disrupt, or even hijack these flying threats.
In this article, we’ll dive into how this invisible war is being fought. Let’s get rolling!
Understanding Radio-Electronic Warfare
Jamming UAVs falls under what’s called Radio-Electronic Warfare. The mission is simple in concept but complex in execution: disorganize the enemy’s command and control, wreck their reconnaissance efforts, and keep our own systems running smoothly.
Within this framework, we have COMJAM (suppression of radio communication channels). This is the bread and butter of counter-drone operations—disrupting the channels that control equipment and weapons, including those UAVs.
How Jamming Actually Works
Let’s get real about how this stuff actually works. It’s really just exploiting basic radio physics and the limitations of receiver systems.
Basic Jamming Principle
The Signal-to-Noise Game
All radio communication depends on what we call the signal-to-noise ratio (SNR). For a drone to receive its control commands or GPS signals, the legitimate signal must be stronger than the background electromagnetic noise.
This follows what’s known as the “jamming equation.” Here’s what matters:
Power output. A 30-watt personal jammer might protect just you and a small group of people, while a 200-watt system can throw up an electronic dome over a much bigger area. More watts equals more range and effectiveness.
Distance relationships. Think about it—the drone operator’s control signal has to travel several kilometers to reach the drone. But if we position our jammer between them or near the drone, we’ve got a much shorter transmission path.
Antenna gain. Directional antennas focus our jamming energy like a spotlight instead of a light bulb.
Frequency selectivity means we can target specific frequency bands used by drones while leaving other communications alone.
Types of Jamming Signals
Types of Jamming Techniques
Different situations call for different jamming techniques:
Noise jamming. We just send random radio frequency energy across the target frequencies, creating a “wall” of interference.
Tone jamming transmits continuous wave signals at specific frequencies. It’s more power-efficient for targeting narrow-band communications, but modern systems can filter this out more easily.
Pulse jamming uses intermittent bursts of energy. This can be devastating against receivers that use time-based processing, and it conserves our jammer’s power for longer operations.
Swept jamming rapidly changes frequencies across a band. If the enemy drone is frequency-hopping to avoid us, swept jamming ensures we’re hitting them somewhere, though with less power at any single frequency at any moment.
Barrage jamming simultaneously broadcasts across wide frequency ranges. It’s comprehensive coverage, but it requires serious power output.
Smart Jamming and Spoofing
The most basic jamming just drowns out signals with noise. But the most advanced systems go way beyond that, using what we call “smart jamming” or spoofing.
Smart jamming means analyzing the source signal in real-time, understanding how it works, and then replacing it with a more powerful, false signal that the target system will actually accept as legitimate.
In the context of UAV operations, this gets really sophisticated. Systems can manipulate GPS signals to provide false positioning data, making drones think they’re somewhere they’re not—that’s spoofing. Even more advanced are systems like the Shipovnik-АЕРО complex, which can actually penetrate the UAV’s onboard systems and potentially take control.
Shipovnik-АЕРО Complex
What Actually Happens When We Jam a Drone
When we successfully jam a drone, what happens depends on what we’re targeting and how the drone is programmed to respond:
Control link jamming cuts the command channel between the operator and the drone. Depending on its fail-safe programming, the drone might hover in place, automatically return to its launch point, attempt to land immediately, or continue its last programmed mission autonomously.
GPS/GNSS jamming denies the drone accurate position information. Without GPS, most commercial drones and many military ones can’t maintain stable flight or navigate to targets. Some will fall back on inertial navigation systems, but those accumulate errors over time. Others become completely disoriented and crash.
Video link jamming blinds FPV operators, forcing them to fly without visual reference. This is particularly effective against FPV kamikaze drones, which require continuous video feedback for precision targeting.
Combined jamming hits multiple systems simultaneously—control, navigation, and video—creating a comprehensive denial effect that overwhelms even drones with redundant systems.
The Arsenal of Counter-Drone Electronic Warfare Systems
The modern battlefield has an array of EW systems designed specifically for detecting and suppressing drones. These range from massive, brigade-level complexes that can throw up electronic domes over vast areas to small, portable units that individual soldiers can carry for personal protection.
Dedicated Counter-UAS (C-UAS) Systems
The AUDS (Anti-UAV Defence System) is an example of dedicated C-UAS tech. It suppresses communication channels between UAVs and their operators with suppression distances of 2-4 kilometers for small UAVs and up to 8 kilometers for medium-sized platforms. The variation in range reflects the different power levels and signal characteristics of various drone types.
AUDS
The M-LIDS (Mobile-Low, Slow, Small Unmanned Aircraft System Integrated Defeat System) takes a more comprehensive approach. This system doesn’t just jam—it combines an EW suite with a 30mm counter-drone cannon for kinetic kills and even deploys Coyote kamikaze UAVs. It’s literally using drones to fight drones.
M-LIDS
Russian Federation EW Complexes
Russian forces have invested heavily in electronic warfare, including numerous systems specifically designed for drone suppression.
The Leer-2 system offers suppression of UAV communication channels at 4 kilometers for small UAVs and up to 8 kilometers for medium platforms. The Silok system is basically a mobile variant mounted on a Kamaz chassis, with a suppression distance of 3-4 kilometers, giving tactical units mobile EW capabilities.
Leer-2
The Repellent-1 system specifically targets UAV communication channels and satellite navigation, operating in the 200-600 MHz frequency range with a suppression distance of up to 30 kilometers.
Repellent-1
Personal and Tactical-Level Counter-Drone Protection
Big systems are great for area defense, but the ubiquity of small drones has created massive demand for personal and small-unit protection. These portable devices focus on the most commonly used frequencies for commercial and modified commercial drones, providing immediate, localized protection.
The UNWAVE SHATRO represents cutting-edge personal counter-drone protection. Available in portable, wearable, and mobile versions, this system creates a protective bubble with a radius of 50-100 meters, specifically targeting guided munitions and UAVs operating in the 850-930 MHz range.
UNWAVE SHATRO
The UNWAVE BOOMBOX offers both directed protection (up to 500 meters) and omnidirectional coverage (100 meters), targeting multiple frequency bands critical to drone operations. By suppressing frequencies including 850-930 MHz, 1550-1620 MHz (GPS), 2400-2480 MHz (Wi-Fi/Control), and 5725-5850 MHz (Wi-Fi/Video), this system addresses the full spectrum of commercial drone communication and navigation systems.
UNWAVE BOOMBOX
Summary
This article examines the role of Electronic Warfare (EW) in combating unmanned aerial vehicles (UAVs), which rely on electromagnetic signals for operation. It discusses jamming techniques like noise, tone, and pulse jamming, along with advanced methods such as smart jamming and spoofing.
The invisible war for control of the electromagnetic spectrum may not capture headlines like kinetic combat, but make no mistake—it’s every bit as crucial to the outcome of modern conflicts.