Proxmark3 community
Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Announcement
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
#151 2015-03-31 10:29:30
- Draik
- Member
- Registered: 2015-03-17
- Posts: 7
Re: Kantech ioProx
I made a few of them, to make sure I capture enough data.
http://www.mediafire.com/download/lims1sc8sszq0ga/My+Traces.zip
I'm running on Asper's pm3-bin-0.0.7
I'll look into compiling the latest source from GitHub.
Offline
#152 2015-03-31 10:44:52
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,538
- Website
Re: Kantech ioProx
I think Asper is about to release a new pre-comp binaries, based on sourcecode tagged as v2.0.
But I strongly recommend to use the latest source from GitHub.
Offline
#153 2015-03-31 13:32:28
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,538
- Website
Re: Kantech ioProx
I've looked at your traces, there seem to be a systomatic error in them. Making it hard to decode, looked like psk according to the new "lf search u". Can you try to make better sniff traces with a cleaner signal? (look at the "data plot" window" and you'll see when it becomes clear)
Offline
#154 2015-03-31 13:56:04
- marshmellow
- Contributor
- From: US
- Registered: 2013-06-10
- Posts: 2,302
Re: Kantech ioProx
Do not use the old amp command.
Offline
#155 2015-04-03 13:15:21
- Draik
- Member
- Registered: 2015-03-17
- Posts: 7
Re: Kantech ioProx
A few more traces.
I have high hopes for this one.
AMP command not used.
https://www.mediafire.com/?un0ealuvc7wrsy8
Let me know if this is any better.
Offline
#156 2016-04-06 21:59:28
- warriors
- Contributor
- Registered: 2015-06-18
- Posts: 17
Re: Kantech ioProx
I've looked at your traces, there seem to be a systomatic error in them. Making it hard to decode, looked like psk according to the new "lf search u". Can you try to make better sniff traces with a cleaner signal? (look at the "data plot" window" and you'll see when it becomes clear)
Hello,
I have Kantech XSF format card(39 bit from wiegand)
1) (01)07:53156 111000111111101111100000110000010110110
2) (01)F4:22975 111000111111100000101110100110010000000
3) (01)F4:22970 111000111111100000101110100110010001010
4) (01)07:53191 111000111111101111100000110000001110000
5) (01)07:53168 111000111111101111100000110000010011110
6) (01)07:53162 111000111111101111100000110000010101011
7) (01)07:53178 111000111111101111100000110000010001010
Can anyone help me finding the card code, facility code and parity bits.
Thanks,
warriors
Offline
#157 2016-04-06 22:09:13
- marshmellow
- Contributor
- From: US
- Registered: 2013-06-10
- Posts: 2,302
Re: Kantech ioProx
not sure where you got your binary, but it doesn't look like it is correct. you should get 64 or 32 bits off an xsf card. get a pm3. 
Offline
#158 2016-04-06 22:19:18
- warriors
- Contributor
- Registered: 2015-06-18
- Posts: 17
Re: Kantech ioProx
not sure where you got your binary, but it doesn't look like it is correct. you should get 64 or 32 bits off an xsf card. get a pm3.
I am using P225XSF reader. Kantech supports 39 bit XSF format.
http://www.kantech.com/Support/Docs/Kantech_ProductGuide_2010.pdf
Page 47 it says 39 bit XSF
warriors
Offline
#159 2016-04-07 00:01:58
- marshmellow
- Contributor
- From: US
- Registered: 2013-06-10
- Posts: 2,302
Re: Kantech ioProx
That is created (crypted) by the reader and sent to the controller to decipher. Sounds like you aren't using the correct controller with that reader. The raw card data is 64 bits as was considered in this thread.
Offline
#160 2016-04-07 04:40:32
- marshmellow
- Contributor
- From: US
- Registered: 2013-06-10
- Posts: 2,302
Re: Kantech ioProx
however lucky for you it is just inverted and not really crypted as their docs state.
invert the binary and cheers.
Offline
#161 2016-04-07 16:35:39
- warriors
- Contributor
- Registered: 2015-06-18
- Posts: 17
Re: Kantech ioProx
however lucky for you it is just inverted and not really crypted as their docs state.
invert the binary and cheers.
Thanks marshmallow you are right.
I am not using Kantech controller so I had to decipher the binary coming out from the reader.
1) (01)07:53156 489591693494
11100011111110 11111000 0011000001011011 0 == normal readout
00011100000001{00000111}{1100111110100100}{1} == 1 complement
FC Card code Parity
I could not figure out the parity.
warriors
Offline
#162 2016-05-16 20:42:16
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,538
- Website
Re: Kantech ioProx
Had some fun tonight and added the "version, facilitycode, cardnumber" options to
'lf io sim'
'lf io clone'
commands.
pm3 --> lf io sim
Enables simulation of IOProx card with specified facility-code and card number.
Simulation runs until the button is pressed or another USB command is issued.
Usage: lf io sim [h] <version> <facility-code> <card-number>
Options :
h : This help
<version> : 8bit version
<facility-code> : 8bit value facility code
<card number> : 16bit value card number
Samples
lf io sim 26 224 1337
pm3 --> lf io clone 1 7 53156
Preparing to clone IOProx to T55x7 with Version: 1 FC: 7, CN: 53156
Blk | Data
----+------------
00 | 0x00147040
01 | 0x007841e0
02 | 0x3cfd2653
#db# DONE!
pm3 --> lf se
Reading 30000 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
00000000 0
11110000 1
00000111 1 facility
00000001 1 version
11001111 1 code1
10100100 1 code2
10010100 11 checksum
IO Prox XSF(01)07:53156 (007841e03cfd2653) [94 crc ok]
Valid IO Prox ID Found!
pm3 -->Offline
#163 2017-03-24 13:35:22
- Omikron
- Contributor
- Registered: 2010-02-12
- Posts: 78
Re: Kantech ioProx
My apologies if I'm missing something obvious, but I'm running on no sleep at the moment and it's making the world fuzzy. Have we figured out a way to encode an ioProx tag using only the printed ID on the card, or only the other way around?
Offline
#164 2017-03-24 14:03:16
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,538
- Website
Re: Kantech ioProx
Dont remember anymore since this thread has been stale for a year or so, but it sure looks like I added it.
Offline
#165 2017-03-31 07:23:25
- Omikron
- Contributor
- Registered: 2010-02-12
- Posts: 78
Re: Kantech ioProx
Dont remember anymore since this thread has been stale for a year or so, but it sure looks like I added it.
Hmm, am I missing something? I've looked through the thread a couple times and all of the commands related to ioprox and haven't seen anyway to clone cards based only off of the XSF number.
Offline
#166 2017-03-31 09:20:40
- ntk
- Contributor
- Registered: 2015-05-24
- Posts: 701
Re: Kantech ioProx
iceman wrote:Dont remember anymore since this thread has been stale for a year or so, but it sure looks like I added it.
Hmm, am I missing something? I've looked through the thread a couple times and all of the commands related to ioprox and haven't seen anyway to clone cards based only off of the XSF number.
@Omikron You should look at post #162 and #163 (01)07:53156 if that is what you mean XSF number.
Usage: lf io sim
<version> <facility-code> <card-number>
Options :
h : This help
<version> : 8bit version
<facility-code> : 8bit value facility code
<card number> : 16bit value card number
Samples
lf io sim 26 224 1337
pm3 --> lf io clone 1 7 53156
Preparing to clone IOProx to T55x7 with Version: 1 FC: 7, CN: 53156
Offline
#167 2017-03-31 15:01:55
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,538
- Website
Re: Kantech ioProx
I think its in iceman fork, not PM3 master.
Offline
#168 2017-04-01 04:05:24
- Omikron
- Contributor
- Registered: 2010-02-12
- Posts: 78
Re: Kantech ioProx
Thank you, @ntk @iceman, I'll look into it. I'm not sure how I missed that.
Offline