Alright, my blank t5577 cards arrived (same chip as the xEM and NExT). I was able to clone a Kantech ioProx card to a t5577 card with minimal difficulty. I have not been able to write the same information to my NExT with my original proxmark3 using the stock antenna. If I am able to roll my own cylindrical antenna, I’ll come back and update this thread. Here is the rundown of how to perform the operation using the base repo found on this page:
Install and configure proxmark3 software/drivers
I set everything up on an up-to-date Ubuntu installation using this guide.
Read ioProx card ID
Place the ioProx card on your proxmark antenna and run lf search
The output will look something like this Checking for known tags:
Save the information in parentheses (007859a0362ff523) for later
Provision t5577 as an ioProx card
You need to configure block 0 on the t5577 chip to make it act like an ioProx card. Here is the data you’re going to write to that block. 00147040
I retrieved that from the page linked in my earlier post. You can break it down if you want. I started to, but I’m lazy and we’re splitting bytes here.
Place your t5577 card on your proxmark antenna and run lf t55xx write b 0 d 00147040
Clone ioProx card ID to t5577
Now you can clone the ID information. Copy that bit in the parentheses from earlier and run lf io clone 007859a0362ff523
replace “007859a0362ff523” with your information
After that you’re done. I verified that it worked with the Kantech access control system at my work. The “security” on these things is atrocious. We pay like $8 for the damn ioProx cards, whereas I paid $1.25 for each of these blank t5577s.
Thanks for the write up @Satur9 !
I just picked up the Proxmark3 RDV4.01 at the post office (I already have Proxlf antenna by Dangerous Things) I did what you wrote and it seems to work, as my NeXT (125khz part) reads the same info as my work chip. Will be making another comment tomorrow to tell you if it actually works with the readers at my office.
@Satur9 do you happen to also know how I can get the t5577 back to it’s original state? There shouldn’t be a password on the chip, as I used the pm3 as previously stated.
AFAIK you would follow the instructions from step 3, but instead of lf t55xx write b 0 d 00147040
to provision the tag as ioProx you would use lf t55xx write b 0 d 00148041
to provision it as an EM410x (the way it’s shipped from DT)
I haven’t tried those specific numbers yet, so test it out on a blank t5577 card first. After that run an lf search
to verify it worked
proxmark3> lf t55xx write b 0 d 00148041
Writing page 0 block: 00 data: 0x00148041
proxmark3> lf search
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Got a chance to learn even more about this legacy technology (joy) turns out the ioProx system uses the wiegand protocol to communicate? The PIGPIO Python module has a nifty library for handling that. Here’s a mockup I made.
I can confirm this does not work. I can read P40, the syntax is lf io clone --vn --fc --cn
Thus was just to give my daughter. I recently moved to this townhome community, and being very helpful. Network and card readers alone, I need stop.
I bricked another one, I have confess T5577’s and magical 2k. I need help, I was locked in. Now locked out. I have raw data XSF. Blocks 0-7. Binary math seems to be needed. Odd I can’t find this anywhere else. I must be doing old or wrong.
Whoever I’ll send guft to ksec or here or whatever is allowed.
Hi. I’m new here. I’m a dangerous thing, accidentally.
I am not certain of your exact question, but please feel free to use the translation feature, It works pretty well and you might find it easier to read and write posts.
What is your native language? we have a few members that are bilingual / polyglots that also may be able to help
Step back, slow down and remember we don’t have any context…
So, what I can gather is that you have just moved into a townhome community and you are trying to clone a Kantech IoProx key fob so that you can give one to your daughter.
You have the correct command lf io clone --vn --fc --cn but you need to know the values for vn, fc and cn.
You should be able to put your working IoProx on the LF antenna of a proxmox and run the command lf io read and it should spit out all of the data you need.
Thanks, I do the lf io read, it returns XSF(01)c2:64030, Raw: 007870a03fa8f4d3
I don’t know what goes to what. I apologize, I am exhausted.
These are the options
clone a ioProx card with specified facility-code and card number
to a T55x7, Q5/T5555 or EM4305/4469 tag.
Tag must be on the antenna when issuing this command.
options:
-h, --help This help
–vn 8bit version
–fc 8bit facility code
–cn 16bit card number
–q5 optional - specify writing to Q5/T5555 tag
–em optional - specify writing to EM4305/4469 tag
version = id_str.split(’(’)[1].split(’)’)[0]
facility = id_str.split(’(’)[1].split(’)’)[1].split(’:’)[0]
code = id_str.split(’:’)[1]
version = int(version, 16) #is this hex? Have only seen 1 or 2 here
facility = int(facility, 16) #this is always hex
code = int(code, 10) #this is always decimal
joy 
) turns out the ioProx system uses the wiegand protocol to communicate? The PIGPIO Python module has a nifty library for handling that. Here’s a mockup I made.