Kantech ioProx P40?

Hey there!

I currently have an xSLX NFC implant and I’m excited to delve a bit deeper into the capabilities of alternate implants!

I’m specifically looking for an implant that I could clone my door fob from work (Kantech ioProx P40) to, and I’m curious if anyone’s had experience working with the ioProx P40s in particular?


Have you searched and read this

Just came across this now and giving it a read! Thanks!


All good. Any questions, just come back and ask :+1:


Lmk if you hit any snags. I’m not familiar with the P40s, but it might not be the chip, just the physical form factor. Make sure you try it on a test card first. The xSLX probably won’t work, you’d need a NExT or an xEM.

or the easily forgotten (because it is new) FlexEM :+1:


Thanks so much! Not banking on my current one working with it at all - just doing some planning to figure out what implant I should go with next that will likely work with the secure doors at the office :slight_smile:
Thanks again!

Hello, this is a pretty old post, but I’m hoping you can help me with a problem I came across while trying to clone a Kantech ioProx tag. I’m currently using a Proxmark3 Easy to try to clone it using the instructions you gave in the other forum post. But I can’t seem to just write the raw data into the T5577; rather, I have to use a version, FC and card number to try to clone it:

lf io clone [-h] --vn --fc --cn [--q5] [--em]

-h, --help This help
--vn 8bit version
--fc 8bit facility code
--cn 16bit card number
--q5 optional - specify writing to Q5/T5555 tag
--em optional - specify writing to EM4305/4469 tag

Do you know how I might be able to bypass this or find out the version, fc, and card number?

Thanks in advance

Do you have the physical access control card? All these numbers should be written on it.

Is it the XSF 0295:49181 written on the tag?

Yeah mang, you gotta do the lf search first to get those numbers like in this post:

In new Proxmark revisions sometimes they change the syntax, but the idea is the same.

I know this was an old thread, but it comes up in searches so hopefully OK to drop this in to complete the thread if anyone else comes up with it - this is all ‘old news’ info but to consolidate it for poster:

The XSF tags have 3 relevant fields (the proxmark prints them in binary by default):

  • version (2 digits)
  • facility code (2 digits)
  • card number (5 digits, maybe more/less as decimal number)

The normal format is XSF(VERSION)FACILITY:CARD printed on them, but on your tag it looks like to save space they removed the brackets? It just breaks down then that the format of your card is:

  • version = 02
  • facility = 95
  • card number = 49181

The proxmark will print it in the expected format so you could confirm that as a string, XSF (02)95:49181. It will also print the “raw” code from the card, which is what was used in other tutorials to clone. If you need to convert “manually” to the raw code, the following Python code should do this (warning - very fragile, posted as gist):

I was provisioning new cards so needed the ability to insert new card ids, but my version didn’t seem to have the separate input options (I missed it was added until I saw it in this post even, by then I had the Python working…).

Thanks to the documentation on the forum & elsewhere for showing how these work, not sure why all their documentation claims ‘eXtra secure’ as it seems very clonable…


Don’t let the marketing people know :shushing_face:

Every time I see something spelled like this I giggle inside …

So much industrial stuff is the same as last week with a cap somewhere in it and twice the price …

iTs eXtRa sEcUrE!¡ :crazy_face:

they’re “time tested” :rofl:

“eXtra Secure Facility” isn’t that what XSF stands for? :roll_eyes:

Obviously I didn’t search too well. This is exactly what I need to get in. Unpacking gear now. Ty!!

Why is the syntax either clone raw. Or this seemingly odd call function. Python to the rescue.