How do i go forward with this whitin the cmd?
Like commands
AFAIK you would follow the instructions from step 3, but instead of
lf t55xx write b 0 d 00147040
to provision the tag as ioProx you would use
lf t55xx write b 0 d 00148041
to provision it as an EM410x (the way it’s shipped from DT)
I haven’t tried those specific numbers yet, so test it out on a blank t5577 card first. After that run an
lf search
to verify it worked
1 Like
proxmark3> lf t55xx write b 0 d 00148041
Writing page 0 block: 00 data: 0x00148041
proxmark3> lf search
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
No Known Tags Found!
Got a chance to learn even more about this legacy technology (
joy 
) turns out the ioProx system uses the wiegand protocol to communicate? The PIGPIO Python module has a nifty library for handling that. Here’s a mockup I made.
5 Likes
I can confirm this does not work. I can read P40, the syntax is lf io clone --vn --fc --cn
Thus was just to give my daughter. I recently moved to this townhome community, and being very helpful. Network and card readers alone, I need stop.
I bricked another one, I have confess T5577’s and magical 2k. I need help, I was locked in. Now locked out. I have raw data XSF. Blocks 0-7. Binary math seems to be needed. Odd I can’t find this anywhere else. I must be doing old or wrong.
Whoever I’ll send guft to ksec or here or whatever is allowed.
Hi. I’m new here. I’m a dangerous thing, accidentally.
Hey buddy,
I am not certain of your exact question, but please feel free to use the translation feature, It works pretty well and you might find it easier to read and write posts.
What is your native language? we have a few members that are bilingual / polyglots that also may be able to help
English, the American kind.
I thought found a python script to convert RAW or xsf ioprox output from reading the key fob.
It converts id_string
Let me get on the computer.
I need to lf io clone --vn --fc --cn
This version doesn’t allow lf clone raw data
Step back, slow down and remember we don’t have any context…
So, what I can gather is that you have just moved into a townhome community and you are trying to clone a Kantech IoProx key fob so that you can give one to your daughter.
You have the correct command
lf io clone --vn --fc --cn but you need to know the values for vn, fc and cn.
You should be able to put your working IoProx on the LF antenna of a proxmox and run the command lf io read and it should spit out all of the data you need.
1 Like
Thanks, I do the lf io read, it returns
XSF(01)c2:64030, Raw: 007870a03fa8f4d3
I don’t know what goes to what. I apologize, I am exhausted.
These are the options
clone a ioProx card with specified facility-code and card number
to a T55x7, Q5/T5555 or EM4305/4469 tag.
Tag must be on the antenna when issuing this command.
usage:
lf io clone [-h] --vn --fc --cn [–q5] [–em]
options:
-h, --help This help
–vn 8bit version
–fc 8bit facility code
–cn 16bit card number
–q5 optional - specify writing to Q5/T5555 tag
–em optional - specify writing to EM4305/4469 tag
XSF Version 01 facility code c2 card number 64030
All the information you needed.
Seriously? lol.
This is day 7 of 8, haha. Thank you kind sir. Good thing I have extra cards
c2 is not going over well.
Python script must be doing something
id_str = “XSF(01)c2:64030”
version = id_str.split(’(’)[1].split(’)’)[0]
facility = id_str.split(’(’)[1].split(’)’)[1].split(’:’)[0]
code = id_str.split(’:’)[1]version = int(version, 16) #is this hex? Have only seen 1 or 2 here
facility = int(facility, 16) #this is always hex
code = int(code, 10) #this is always decimalchecksum = 0xF0 + facility + version + (code >> 8) + (code & 0xff)
checksum = 0xFF ^ (checksum & 0xff)id_strbin = format(0, ‘08b’) + “0” +
… format(0xF0, ‘08b’) + “1” +
… format(facility, ‘08b’) + “1” +
… format(version, ‘08b’) + “1” +
… format(code >> 8, ‘08b’) + “1” +
… format(code & 0xff, ‘08b’) + “1” +
… format(checksum, ‘08b’) + “11”print(id_strbin)
0000000001111000011100001010000000111111101010001111010011010011id_int = int(id_strbin, 2)
id_strhex = format(id_int, ‘016x’)print(id_strhex)
007870a03fa8f4d3
I took the 8bits literal, closest yet. that c2 hex value to decimal
usb] pm3 → lf io clone --vn 01 --fc 194 --cn 64030
[+] IO raw bits:
[+] 0000000001111000011100001010000000111111101010001111010011010011
[=] Preparing to clone ioProx to T55x7 with Version: 1 FC: 194 (0xc2) CN: 64030
[+] Blk | Data
[+] ----±-----------
[+] 00 | 00147040
[+] 01 | 007870A0
[+] 02 | 3FA8F4D3
[+] Data written and verified
[+] Done
[?] Hint: try lf io reader to verify
[usb] pm3 →
[usb] pm3 →
[usb] pm3 →
[usb] pm3 → lf io reader
[+] IO Prox - XSF(01)c2:64030, Raw: 007870a03fa8f4d3 (ok)
C2 in decimal would be 194 not 08. Why are you putting them through some python code?
Here is what I get when I write that to a t5577 and read it afterwards.
[usb] pm3 --> lf io clone 01 c2 64030
[+] IO raw bits:
[+] 0000000001111000011100001010000000111111101010001111010011010011
[=] Preparing to clone IOProx to T55x7 with Version: 1 FC: 194, CN: 64030
[+] Blk | Data
[+] ----+------------
[+] 00 | 00147040
[+] 01 | 007870A0
[+] 02 | 3FA8F4D3
[+] Success writing to tag
[+] Done
[usb] pm3 --> lf io read
[+] IO Prox - XSF(01)c2:64030, Raw: 007870a03fa8f4d3 (ok)
[usb] pm3 -->
T5577 are not single write cards, so you should only need one to make one copy.
In this case I wrote this to a dual frequency ring. But any t5577 should work the same.
Help I’m stumped I have a io card when I read gives
XSF(01)ab:06240
When try to clone I get a error the facility code is ‘ab’
What do I do ?
ABh = 171d
Hex to Decimal conversion
2 Likes
Anyway I can get that list for emulation modes for t5577?
I tried to follow link and the link does not work…
thxs in advance.
I followed the link, it leads to the Proxmark3 forum login page.
I haven’t been on there in a while so I am not sure how active it is.
There is a Discord for RFID Hacking ( Same peeps ) which is quite active with a large helpful community ( Just make sure you do your research / search before asking questions )
Here’s an invite link
good luck
Hey thxs. I know it goes to the forum but the post is missing.
I’m looking for the table of emulation codes.
1 Like
My bad.
Do you have a proxmark?
lf help
Pretty sure It will popupate a list of T5577 modes
Is that what you are after?