Cloning a Kantech ioProx?

Has someone in here successfully cloned a “Kantech ioProx - Keyfob” to the xEM/NExT chip?

If so, could you kindly write a “how to”?

I found this through a quick Google search: https://bit.ly/2P1P5Zp
Is it really “that easy”?

Thanks in advance!

I think the Kantech ioProx cards use Frequency-Shift Keying. We use them at my work and I wasn’t able to figure it out. I don’t think the T5577 (LF chip inside the xEM & NExT) can emulate that, but I’m not sure.

Let’s get @bepiswriter in here, he probably knows.

1 Like

I did a bit of research on this and to be honest I’m not sure. Correct me if I’m wrong but I believe the T5577 chip can do FSK, you just have to program it to do so. I mostly have my experience in the HID ecosystem. All I know is if it was cloneable, you would need to clone it to the LF side. I did stumble across this thread in the Proxmark forums, it may help: http://www.proxmark.org/forum/viewtopic.php?id=364

1 Like

Just looked and the ATA5577 datasheet says it supports FSK modulation. My proxmark game is weak, but I’ll play around this week and let you know what I find out. Now that I know it’s a possibility, I would really like to configure my NExT to be compatible with my work access control system.

2 Likes

Oh yeah, @Defenderboy67

I forgot to ask, do you have a Proxmark? I’m figuring it out using one of those. You might be able to pull it off with another piece of hardware that’s less expensive, but I’m going to be writing my instructions from that perspective =/

@Satur9
I don’t have a Proxmark as of yet.
But I’m planning on getting one soon.
I appreciate you doing this btw and I might not be the only one wondering about this.

So I couldn’t get the stock antenna on my OG Proxmark3 to perform write operations on x-series tags (unsurprising) and I only had blank EM4107 cards lying around so I couldn’t test for sure. I’m going to try and order some blank T5577 cards and test it on those. Then there’s the whole antenna thing to figure out…Maybe I can roll my own

This page lists the block 0 configuration to get a T5577 to act like an ioProx card. Can’t open it in a mobile browser for some reason (◔_◔). Once the card is configured correctly, the

lf io clone [data]

command should work. I’ll keep you posted as things progress.

2 Likes

Alright, my blank t5577 cards arrived (same chip as the xEM and NExT). I was able to clone a Kantech ioProx card to a t5577 card with minimal difficulty. I have not been able to write the same information to my NExT with my original proxmark3 using the stock antenna. If I am able to roll my own cylindrical antenna, I’ll come back and update this thread. Here is the rundown of how to perform the operation using the base repo found on this page:

  1. Install and configure proxmark3 software/drivers
    I set everything up on an up-to-date Ubuntu installation using this guide.

  2. Read ioProx card ID
    Place the ioProx card on your proxmark antenna and run
    lf search
    The output will look something like this
    Checking for known tags:

    00000000 0
    11110000 1
    01100110 1 facility
    00000001 1 version
    01100010 1 code1
    11111110 1 code2
    01001000 11 checksum
    IO Prox XSF(01)66:25342 (007859a0362ff523) [48 crc ok]

    Valid IO Prox ID Found!

    Save the information in parentheses (007859a0362ff523) for later

  3. Provision t5577 as an ioProx card
    You need to configure block 0 on the t5577 chip to make it act like an ioProx card. Here is the data you’re going to write to that block.
    00147040
    I retrieved that from the page linked in my earlier post. You can break it down if you want. I started to, but I’m lazy and we’re splitting bytes here.

    Place your t5577 card on your proxmark antenna and run
    lf t55xx write b 0 d 00147040

  4. Clone ioProx card ID to t5577
    Now you can clone the ID information. Copy that bit in the parentheses from earlier and run
    lf io clone 007859a0362ff523
    replace “007859a0362ff523” with your information


After that you’re done. I verified that it worked with the Kantech access control system at my work. The “security” on these things is atrocious. We pay like $8 for the damn ioProx cards, whereas I paid $1.25 for each of these blank t5577s.

5 Likes
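Added example, not part of the original post or the Proxmark code: a decoder for the 64-bit raw ID that `lf search` printed in step 2, showing that the whole credential is a facility code, a version, a 16-bit card number and an unkeyed checksum. The checksum rule (0xFF minus the low byte of the sum of the five preceding bytes) is an assumption based on the Proxmark client's behaviour; it reproduces the `48` shown in the output above.

```python
def decode_ioprox(raw_hex):
    """Split a 64-bit ioProx raw ID into its fields and check the checksum."""
    if len(raw_hex) != 16:
        raise ValueError("expected 16 hex digits (64 bits)")
    bits = format(int(raw_hex, 16), "064b")
    # Layout as printed by `lf search` in the post above:
    # 9 zero bits | 0xF0 1 | facility 1 | version 1 | code1 1 | code2 1 | checksum 11
    if bits[:9] != "0" * 9:
        raise ValueError("preamble is not nine zero bits")
    # Six 9-bit groups: 8 data bits followed by a '1' separator bit.
    groups = [bits[9 + 9 * i:18 + 9 * i] for i in range(6)]
    if any(g[8] != "1" for g in groups) or bits[63] != "1":
        raise ValueError("separator bits are not all 1")
    marker, facility, version, code1, code2, checksum = (
        int(g[:8], 2) for g in groups
    )
    if marker != 0xF0:
        raise ValueError("second byte is not 0xF0")
    # Assumed checksum rule: a plain byte sum, no key or secret involved.
    expected = 0xFF - ((marker + facility + version + code1 + code2) & 0xFF)
    return {
        "facility": facility,
        "version": version,
        "card_number": (code1 << 8) | code2,
        "checksum": checksum,
        "checksum_ok": checksum == expected,
    }


def describe(fields):
    """Render the fields the way the `lf search` summary line does."""
    return "XSF(%02d)%02x:%05d" % (
        fields["version"], fields["facility"], fields["card_number"]
    )


if __name__ == "__main__":
    sample = "007859a0362ff523"  # raw ID from the post above
    decoded = decode_ioprox(sample)
    print(describe(decoded), decoded)
```

Every field is readable by any LF reader and the checksum can be recomputed by anyone, which is why the card offers no protection against copying.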

Thanks for the write up @Satur9 !
I just picked up the Proxmark3 RDV4.01 at the post office (I already have the ProxLF antenna by Dangerous Things). I did what you wrote and it seems to work, as my NExT (125 kHz part) reads the same info as my work chip. Will be making another comment tomorrow to tell you if it actually works with the readers at my office.

3 Likes

I can confirm that it worked at my office, as I tested it today! Thanks again for the write up @Satur9

1 Like

No problem. I got it working at my office too. I’ve introduced a few people to the concept of biohacking as a result.

2 Likes

@Satur9 do you happen to also know how I can get the t5577 back to its original state? There shouldn’t be a password on the chip, as I used the pm3 as previously stated.

See this post from TomHarkness

How do I go forward with this within the cmd?
Like commands

AFAIK you would follow the instructions from step 3, but instead of
lf t55xx write b 0 d 00147040
to provision the tag as ioProx you would use
lf t55xx write b 0 d 00148041
to provision it as an EM410x (the way it’s shipped from DT)

I haven’t tried those specific numbers yet, so test it out on a blank t5577 card first. After that run an
lf search
to verify it worked
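Added example, not part of the thread or of the Proxmark code: the two block 0 words quoted above (00147040 for ioProx, 00148041 for EM410x) broken down into their configuration fields. The field positions and code tables are assumptions taken from the ATA5577 datasheet's basic (non-extended) mode layout, with bits numbered 1 to 32 from the most significant bit.

```python
BIT_RATES = ["RF/8", "RF/16", "RF/32", "RF/40", "RF/50", "RF/64", "RF/100", "RF/128"]
MODULATIONS = {
    0b00000: "direct", 0b00001: "PSK1", 0b00010: "PSK2", 0b00011: "PSK3",
    0b00100: "FSK1", 0b00101: "FSK2", 0b00110: "FSK1a", 0b00111: "FSK2a",
    0b01000: "Manchester", 0b10000: "Biphase",
}


def decode_block0(word_hex):
    """Decode a T5577 block 0 configuration word (basic mode, assumed layout)."""
    word = int(word_hex, 16)
    if not 0 <= word <= 0xFFFFFFFF:
        raise ValueError("block 0 is a 32-bit word")

    def field(first_bit, width):
        # Datasheet numbering: bit 1 is the MSB, bit 32 the LSB.
        shift = 32 - (first_bit + width - 1)
        return (word >> shift) & ((1 << width) - 1)

    return {
        "master_key": field(1, 4),
        "bit_rate": BIT_RATES[field(12, 3)],
        "modulation": MODULATIONS.get(field(16, 5), "other/reserved"),
        "psk_cf": field(21, 2),
        "answer_on_request": bool(field(23, 1)),
        "max_block": field(25, 3),       # data blocks sent in a loop
        "password": bool(field(28, 1)),
        "seq_terminator": bool(field(29, 1)),
        "init_delay": bool(field(32, 1)),
    }


def config_diff(a_hex, b_hex):
    """Return only the fields that differ between two block 0 words."""
    a, b = decode_block0(a_hex), decode_block0(b_hex)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


if __name__ == "__main__":
    for name, word in (("ioProx", "00147040"), ("EM410x", "00148041")):
        print(name, decode_block0(word))
    print("differences:", config_diff("00147040", "00148041"))
```

Both words select RF/64 and two data blocks (64 bits, the size of the ioProx raw ID); they differ in the modulation field (FSK2a versus Manchester) and in the last bit.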

proxmark3> lf t55xx write b 0 d 00148041
Writing page 0 block: 00 data: 0x00148041
proxmark3> lf search
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible

Checking for known tags:

No Known Tags Found!