I think the Kantech ioProx cards use Frequency-Shift Keying. We use them at my work and I wasn’t able to figure it out. I don’t think the T5577 (LF chip inside the xEM & NExT) can emulate that, but I’m not sure.
Let’s get @bepiswriter in here, he probably knows.
I did a bit of research on this and to be honest I’m not sure. Correct me if I’m wrong but I believe the T5577 chip can do FSK, you just have to program it to do so. I mostly have my experience in the HID ecosystem. All I know is if it was cloneable, you would need to clone it to the LF side. I did stumble across this thread in the Proxmark forums, it may help: Kantech ioProx / Questions and Requests / Proxmark3 community
Just looked and the ATA5577 datasheet says it supports FSK modulation. My proxmark game is weak, but I’ll play around this week and let you know what I find out. Now that I know it’s a possibility, I would really like to configure my NExT to be compatible with my work access control system.
I forgot to ask, do you have a Proxmark? I’m figuring it out using one of those. You might be able to pull it off with another piece of hardware that’s less expensive, but I’m going to be writing my instructions from that perspective =/
@Satur9
I don’t have a Proxmark as of yet.
But i’m planning on getting one soon.
I appriciate you doing this btw and i might not be the only one wondering about this.
So I couldn’t get the stock antenna on my OG Proxmark3 to perform write operations on x-series tags (unsurprising) and I only had blank EM4107 cards lying around so I couldn’t test for sure. I’m going to try and order some blank T5577 cards and test it on those. Then there’s the whole antenna thing to figure out…Maybe I can roll my own
This page lists the block 0 configuration to get a T5577 to act like an ioProx card. Can’t open it in a mobile browser for some reason (◔_◔) once the card is configured correctly, the
lf io clone [data]
Command should work. I’ll keep you posted as things progress.
Alright, my blank t5577 cards arrived (same chip as the xEM and NExT). I was able to clone a Kantech ioProx card to a t5577 card with minimal difficulty. I have not been able to write the same information to my NExT with my original proxmark3 using the stock antenna. If I am able to roll my own cylindrical antenna, I’ll come back and update this thread. Here is the rundown of how to perform the operation using the base repo found on this page:
Install and configure proxmark3 software/drivers
I set everything up on an up-to-date Ubuntu installation using this guide.
Read ioProx card ID
Place the ioProx card on your proxmark antenna and run lf search
The output will look something like this Checking for known tags:
Save the information in parentheses (007859a0362ff523) for later
Provision t5577 as an ioProx card
You need to configure block 0 on the t5577 chip to make it act like an ioProx card. Here is the data you’re going to write to that block. 00147040
I retrieved that from the page linked in my earlier post. You can break it down if you want. I started to, but I’m lazy and we’re splitting bytes here.
Place your t5577 card on your proxmark antenna and run lf t55xx write b 0 d 00147040
Clone ioProx card ID to t5577
Now you can clone the ID information. Copy that bit in the parentheses from earlier and run lf io clone 007859a0362ff523
replace “007859a0362ff523” with your information
After that you’re done. I verified that it worked with the Kantech access control system at my work. The “security” on these things is atrocious. We pay like $8 for the damn ioProx cards, whereas I paid $1.25 for each of these blank t5577s.
Thanks for the write up @Satur9 !
I just picked up the Proxmark3 RDV4.01 at the post office (I already have Proxlf antenna by Dangerous Things) I did what you wrote and it seems to work, as my NeXT (125khz part) reads the same info as my work chip. Will be making another comment tomorrow to tell you if it actually works with the readers at my office.
@Satur9 do you happen to also know how I can get the t5577 back to it’s original state? There shouldn’t be a password on the chip, as I used the pm3 as previously stated.
AFAIK you would follow the instructions from step 3, but instead of lf t55xx write b 0 d 00147040
to provision the tag as ioProx you would use lf t55xx write b 0 d 00148041
to provision it as an EM410x (the way it’s shipped from DT)
I haven’t tried those specific numbers yet, so test it out on a blank t5577 card first. After that run an lf search
to verify it worked
proxmark3> lf t55xx write b 0 d 00148041
Writing page 0 block: 00 data: 0x00148041 proxmark3> lf search
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Got a chance to learn even more about this legacy technology ( joy ) turns out the ioProx system uses the wiegand protocol to communicate? The PIGPIO Python module has a nifty library for handling that. Here’s a mockup I made.
I can confirm this does not work. I can read P40, the syntax is lf io clone --vn --fc --cn
Thus was just to give my daughter. I recently moved to this townhome community, and being very helpful. Network and card readers alone, I need stop.
I bricked another one, I have confess T5577’s and magical 2k. I need help, I was locked in. Now locked out. I have raw data XSF. Blocks 0-7. Binary math seems to be needed. Odd I can’t find this anywhere else. I must be doing old or wrong.
Whoever I’ll send guft to ksec or here or whatever is allowed.
Hi. I’m new here. I’m a dangerous thing, accidentally.
I am not certain of your exact question, but please feel free to use the translation feature, It works pretty well and you might find it easier to read and write posts.
What is your native language? we have a few members that are bilingual / polyglots that also may be able to help