Wednesday, March 16, 2022

Logic analyzers and Alarm System Jamming and RFID Security Decoding + Logic Analyzer and Wiegand


LOGIC ANALYZER AND PROBE + PULSEVIEW

I started logic analyzing a 16F916 chip in a wireless thermostat using PulseView (free software from Saleae) and a generic logic analyzer hooked up to the old Linux laptop.

It turns out PulseView has decoders for Wiegand...the protocols I was using while decoding and cloning RFID security dongles and door access cards! Remove the data analyzer and put on an antenna: sucking up all that Wiegand security info. Record and play it back.


Here is just the little logic probe pen (in case you've never seen one before). It just buzzes and squeals and lights up with up/down arrows, and that shows where the logic is going or coming from.







Here is the logic analyzer hooked up to the legs of the microchip; this shows the physical setup and the screen results (see the software settings below):







This is the 16F916 chip I was first playing with:








Below are the nice and easy settings I used in PulseView for the logic analyzer (the thing with the red wire clippy things, not the pen-shaped probe thingy which just buzzes and lights up). Saleae has a free download on their website, but since I was using the tiny old Linux laptop I added it via the Linux package manager.





Oh look, some Wiegand security info. Hmm... stream state and bit values. Sniff out the security signals and then see the binary values.
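Here is what those "bit values" actually mean once the decoder has pulled them off the two data lines. This is an added example, not code from the post or from PulseView/sigrok: it assumes the common 26-bit Wiegand format (leading even-parity bit, 8-bit facility code, 16-bit card number, trailing odd-parity bit) and the standard two-wire signalling where the reader pulses D0 low for a 0 and D1 low for a 1. The sample capture and the card values are constructed for the example. The point a defender should take from it is that the only integrity check in the frame is two parity bits; there is no secret and no authentication, which is why anything that can observe the lines can reproduce a valid frame, and why newer installs move reader-to-controller links to OSDP with its Secure Channel.

```python
"""Recover and decode a 26-bit Wiegand frame from a logic-analyzer style capture.

Added example (not from the original post). Assumes:
  * the 26-bit format: bit 0 = even parity over bits 1..12,
    bits 1..8 = facility code, bits 9..24 = card number,
    bit 25 = odd parity over bits 13..24
  * idle-high D0/D1 lines where a low pulse on D0 is a 0 and a low pulse on D1 is a 1
All sample data below is constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Wiegand26:
    facility_code: int
    card_number: int
    even_parity_ok: bool
    odd_parity_ok: bool

    @property
    def valid(self) -> bool:
        # Parity is the ONLY integrity check the frame carries.
        return self.even_parity_ok and self.odd_parity_ok


def bits_from_samples(d0: list[int], d1: list[int]) -> str:
    """Turn sampled D0/D1 channels into a bit string.

    Each falling edge on D0 contributes a '0', each falling edge on D1 a '1'.
    """
    if len(d0) != len(d1):
        raise ValueError("D0 and D1 captures must have the same number of samples")
    out: list[str] = []
    prev0, prev1 = 1, 1  # lines idle high
    for s0, s1 in zip(d0, d1):
        if prev0 == 1 and s0 == 0:
            out.append("0")
        if prev1 == 1 and s1 == 0:
            out.append("1")
        prev0, prev1 = s0, s1
    return "".join(out)


def decode_wiegand26(bits: str) -> Wiegand26:
    """Split a 26-character '0'/'1' string into its fields and verify both parity bits."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 26 characters of '0'/'1'")
    b = [int(c) for c in bits]
    even_ok = sum(b[0:13]) % 2 == 0   # leading bit + first 12 data bits: even weight
    odd_ok = sum(b[13:26]) % 2 == 1   # last 12 data bits + trailing bit: odd weight
    facility = int(bits[1:9], 2)      # 8-bit facility code
    card = int(bits[9:25], 2)         # 16-bit card number
    return Wiegand26(facility, card, even_ok, odd_ok)


def encode_wiegand26(facility_code: int, card_number: int) -> str:
    """Build a frame for the given fields; used here to produce test vectors."""
    if not 0 <= facility_code < 256 or not 0 <= card_number < 65536:
        raise ValueError("facility code is 8 bits, card number is 16 bits")
    data = f"{facility_code:08b}{card_number:016b}"
    even = str(data[:12].count("1") % 2)         # make the first 13 bits even weight
    odd = str((data[12:].count("1") + 1) % 2)    # make the last 13 bits odd weight
    return even + data + odd


def make_samples(bits: str, pulse: int = 2, gap: int = 6) -> tuple[list[int], list[int]]:
    """Constructed capture: idle-high D0/D1 with one short low pulse per bit."""
    d0, d1 = [1] * gap, [1] * gap
    for bit in bits:
        active, other = (d1, d0) if bit == "1" else (d0, d1)
        active.extend([0] * pulse + [1] * gap)
        other.extend([1] * (pulse + gap))
    return d0, d1


if __name__ == "__main__":
    frame = encode_wiegand26(123, 45678)          # constructed card: facility 123, card 45678
    d0, d1 = make_samples(frame)                  # what the analyzer would see on the two lines
    recovered = bits_from_samples(d0, d1)
    print(recovered, decode_wiegand26(recovered))
```

Run it as a script to see the constructed capture turned back into facility code and card number; feed `decode_wiegand26` the bit string PulseView's Wiegand decoder shows to get the same fields from a real capture. A frame whose parity fails is almost always a capture problem (missed edge, wrong channel) rather than a security feature doing its job.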





So what can you do with this setup? Alarm system sniffing, breaching and JAMMING!


For right now let's forget about the Wiegand stuff and focus on a simple 433 MHz / 866 MHz wireless alarm jammer and sniffer:





A Baofeng GT-5R radio can be used to jam home alarm systems. Many home alarms operate wirelessly (window, door, hallway sensors) on either 433 MHz or 866 MHz. This cheap, $25 radio can transmit on 433 MHz, and while doing so it also sends out a frequency at double that, which just happens to be 866 MHz.


You can see the little burbling waves of the background 433 MHz devices... and then see them all drowned out by the 5 W radio. Now, you have to remember that 5 W is way, way more powerful than what all the little infrared wall-mounted sensors and cameras are putting out, so the radio easily drowns out pretty much the entire alarm network (and all the neighbors too).


This radio receives 144 MHz to 148 MHz and FM broadcast radio, and it can also TRANSMIT on 420 MHz to 450 MHz.


This was tested on an installed alarm system and WORKED. Holding down the transmit button allows you to open doors/windows and walk past room/hallway sensors without setting off the alarm or even getting an interference warning from the alarm main box! The sniffer is an RTL-SDR dongle, hooked to a NooElec Ham It Up box running into a laptop (running Linux Mint, but it works on Windows). The antenna is a simple telescoping AM/FM type antenna, and the antenna on the transmitter is the cheapie one that came with it. The software to see all this awesomeness was CubicSDR with basically the default settings.

This post is like 8 different things smooshed into one: alarm jamming, Wiegand RFID keycard and dongle cloning (much more on that later), logic analyzers and probes, logic protocol decoding, PulseView, and cheap radio alarm jammers (more on that later too). I'll edit out some and try to separate this all... basically the little Linux laptop is now the center of a terrifying, portable electronics warfare setup. LOL!

My Q&A answer for someone using a cheap logic analyzer:

For Linux, go to the software package manager and install "PulseView", then install "sigrok-firmware-fx2lafw", which is the driver for this.

Start PulseView and this should show up.

If it doesn't, click the downward arrow at the top center edge of the screen, select "Connect to device", and select "fx2lafw", which will show the device as Saleae Logic. Click Run.

You need to have this hooked up to something. I used a wireless thermostat and hooked the ground wire to the spring holding in the AA battery powering it.

I hooked the CLK wire to a clock leg of a microchip inside the thermostat, randomly hooked some other wires to other legs, and clicked Run: awesome!

I am a complete novice with Linux and logic, lol!

M1K3 FR0M D3TR01T