Cloning a Kantech ioProx?

Has someone in here succesfully cloned a “Kantech ioProx - Keyfob” to the xEM/NeXT chip?

If so, could you kindly write a “how to”?

i found this through a quick google search: Proxmark3 vs Kantech ioProx | Pentura Labs's Blog
Is it really “that easy”?

Thank’s in advance!

I think the Kantech ioProx cards use Frequency-Shift Keying. We use them at my work and I wasn’t able to figure it out. I don’t think the T5577 (LF chip inside the xEM & NExT) can emulate that, but I’m not sure.

Let’s get @bepiswriter in here, he probably knows.

1 Like

I did a bit of research on this and to be honest I’m not sure. Correct me if I’m wrong but I believe the T5577 chip can do FSK, you just have to program it to do so. I mostly have my experience in the HID ecosystem. All I know is if it was cloneable, you would need to clone it to the LF side. I did stumble across this thread in the Proxmark forums, it may help: Kantech ioProx / Questions and Requests / Proxmark3 community

1 Like

Just looked and the ATA5577 datasheet says it supports FSK modulation. My proxmark game is weak, but I’ll play around this week and let you know what I find out. Now that I know it’s a possibility, I would really like to configure my NExT to be compatible with my work access control system.

3 Likes

Oh yeah, @Defenderboy67

I forgot to ask, do you have a Proxmark? I’m figuring it out using one of those. You might be able to pull it off with another piece of hardware that’s less expensive, but I’m going to be writing my instructions from that perspective =/

@Satur9
I don’t have a Proxmark as of yet.
But i’m planning on getting one soon.
I appriciate you doing this btw and i might not be the only one wondering about this.

1 Like

So I couldn’t get the stock antenna on my OG Proxmark3 to perform write operations on x-series tags (unsurprising) and I only had blank EM4107 cards lying around so I couldn’t test for sure. I’m going to try and order some blank T5577 cards and test it on those. Then there’s the whole antenna thing to figure out…Maybe I can roll my own

This page lists the block 0 configuration to get a T5577 to act like an ioProx card. Can’t open it in a mobile browser for some reason (◔_◔) once the card is configured correctly, the

lf io clone [data]

Command should work. I’ll keep you posted as things progress.

3 Likes

Alright, my blank t5577 cards arrived (same chip as the xEM and NExT). I was able to clone a Kantech ioProx card to a t5577 card with minimal difficulty. I have not been able to write the same information to my NExT with my original proxmark3 using the stock antenna. If I am able to roll my own cylindrical antenna, I’ll come back and update this thread. Here is the rundown of how to perform the operation using the base repo found on this page:

  1. Install and configure proxmark3 software/drivers
    I set everything up on an up-to-date Ubuntu installation using this guide.

  2. Read ioProx card ID
    Place the ioProx card on your proxmark antenna and run
    lf search
    The output will look something like this
    Checking for known tags:

    00000000 0
    11110000 1
    01100110 1 facility
    00000001 1 version
    01100010 1 code1
    11111110 1 code2
    01001000 11 checksum
    IO Prox XSF(01)66:25342 (007859a0362ff523) [48 crc ok]

    Valid IO Prox ID Found!

    Save the information in parentheses (007859a0362ff523) for later

  3. Provision t5577 as an ioProx card
    You need to configure block 0 on the t5577 chip to make it act like an ioProx card. Here is the data you’re going to write to that block.
    00147040
    I retrieved that from the page linked in my earlier post. You can break it down if you want. I started to, but I’m lazy and we’re splitting bytes here.

    Place your t5577 card on your proxmark antenna and run
    lf t55xx write b 0 d 00147040

  4. Clone ioProx card ID to t5577
    Now you can clone the ID information. Copy that bit in the parentheses from earlier and run
    lf io clone 007859a0362ff523
    replace “007859a0362ff523” with your information


After that you’re done. I verified that it worked with the Kantech access control system at my work. The “security” on these things is atrocious. We pay like $8 for the damn ioProx cards, whereas I paid $1.25 for each of these blank t5577s.

6 Likes

Thanks for the write up @Satur9 !
I just picked up the Proxmark3 RDV4.01 at the post office (I already have Proxlf antenna by Dangerous Things) I did what you wrote and it seems to work, as my NeXT (125khz part) reads the same info as my work chip. Will be making another comment tomorrow to tell you if it actually works with the readers at my office.

4 Likes

I can confirm that it worked at my office, as I tested it today! Thank’s again for the write up @Satur9

2 Likes

No problem. I got it working at my office too. I’ve introduced a few people to the concept of biohacking as a result.

4 Likes

@Satur9 do you happen to also know how I can get the t5577 back to it’s original state? There shouldn’t be a password on the chip, as I used the pm3 as previously stated.

See this post from TomHarkness

1 Like

How do i go forward with this whitin the cmd?
Like commands

AFAIK you would follow the instructions from step 3, but instead of
lf t55xx write b 0 d 00147040
to provision the tag as ioProx you would use
lf t55xx write b 0 d 00148041
to provision it as an EM410x (the way it’s shipped from DT)

I haven’t tried those specific numbers yet, so test it out on a blank t5577 card first. After that run an
lf search
to verify it worked

1 Like

proxmark3> lf t55xx write b 0 d 00148041
Writing page 0 block: 00 data: 0x00148041
proxmark3> lf search
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible

Checking for known tags:

No Known Tags Found!

Got a chance to learn even more about this legacy technology (:tada: joy :confetti_ball:) turns out the ioProx system uses the wiegand protocol to communicate? The PIGPIO Python module has a nifty library for handling that. Here’s a mockup I made.
Access_Control

5 Likes

I can confirm this does not work. I can read P40, the syntax is lf io clone --vn --fc --cn

Thus was just to give my daughter. I recently moved to this townhome community, and being very helpful. Network and card readers alone, I need stop.

I bricked another one, I have confess T5577’s and magical 2k. I need help, I was locked in. Now locked out. I have raw data XSF. Blocks 0-7. Binary math seems to be needed. Odd I can’t find this anywhere else. I must be doing old or wrong.

Whoever I’ll send guft to ksec or here or whatever is allowed.

Hi. I’m new here. I’m a dangerous thing, accidentally.

Hey buddy,

I am not certain of your exact question, but please feel free to use the translation feature, It works pretty well and you might find it easier to read and write posts.

What is your native language? we have a few members that are bilingual / polyglots that also may be able to help

English, the American kind.
I thought found a python script to convert RAW or xsf ioprox output from reading the key fob.

It converts id_string

Let me get on the computer.

I need to lf io clone --vn --fc --cn

This version doesn’t allow lf clone raw data