Kaba access system

Hey guys, I was wondering if any of you have experience with kaba door systems and the standards they use. Are these types of keycards encrypted? My workplace uses this brand of access systems and I was wondering if I will be able to load my keycard onto my NeXT implant and if yes what kind if writer I will need. All i found online do far is that the keycards operate with Mifare or/and Legic.

I’ve seen them… don’t recall them being particularly secure or anything… if it’s LF (125kHz) then probably could clone to the T5577 in your NExT but if it’s HF then no… but you might be able to get them to add your UID to the system.

You’d need a proxmark3 (check the product page for cloning videos at the bottom)

1 Like

Thanks for you response amal!
I think I’m going to try the test card for figuring out if the use high or low frequency. These types of access systems seem to be widely used here in Switzerland, I guess because they are a swiss company. I will update this thread when I find out more if anybody else is interested. :slight_smile:

1 Like

Always interested.

A couple of other suggestions in the mean time,
Try your Diagnostic card :card_diagnostic_dt: on a reader and see if it is HF and / or LF

Use Taginfo or NFC tools on you phone and scan your access card


1 Like

I already tried this but the card doesn’t scan, probably meaning its low frequency.


I hope so for your sake, your chances of compatibility have just increased substantially…

1 Like

whoa whoa whoa, DormaKaba? @Marc.r22


if you figure this out, please message me. lol im having a hard time with it.

1 Like

I will but I’m not very experienced with this sort of stuff. What have you tried so far?


The readers look different to the ones from the link you sent but maybe they use the same standard. I can’t really make sense of the information from that link tho I’m quite new to this whole nfc/rfid stuff.

if you email this company and ask questions, they say their readers can not communicate with a key inside you body.

Wonderful customer service there. What they really mean is “we don’t support this and aren’t going to answer technical questions.”


I think at this point a good idea would be for you to use the proxmark3 to sniff comms between the kaba reader and your legit badge to see what it’s doing… is it looking for a signature? is it testing for backdoor cards? once we understand what the reader actually cares about we can narrow in on why the clone isn’t working.

@amal i don’t have access to a proxmark3 at the moment but i will get one to check it out. At least to read the badge. I don’t think i can just walk into work with a pc and proxmark connect to it without anyone from security getting suspicious :sweat_smile: they are pretty strict with this sort of stuff because the badges are also used to unlock safes as well. I figured out that they probably do use Hf because I tried reading the official card again with my phone but it says connection error.

iphone… classic… might be an ndef data container problem or possibly the card is mifare which is not NFC compliant and only works on certain phones with NXP reader chips inside with the proper license to read crypto1 used by mifare to secure memory… nxp also published their own pseudo-spec for “NFC Type Mifare” which is a laugh… the NFC Forum decides on NFC types and specs and there are currently NFC Type 1 through Type 5 … no official mifare support.

1 Like

actually research “headless mode” for proxmark3… it lets you set it up to operate without a host and you just init an action using the pushbutton… all you need is a proxmark3 and a power source like a usb battery pack or something.


Ok, thanks I’m going to look this up. It will probably be a few week until I can try this out but when I do I’m very keen on sharing what the results are :face_with_monocle:

Here is a quick starter diagram, for what Amal mentioned

that has caught out many people out in the past, I hope this helps you on a successful journey


1 Like