Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#151 2015-03-31 10:29:30

Draik
Member
Registered: 2015-03-17
Posts: 7

Re: Kantech ioProx

I made a few of them, to make sure I capture enough data.

http://www.mediafire.com/download/lims1sc8sszq0ga/My+Traces.zip

I'm running on Asper's pm3-bin-0.0.7
I'll look into compiling the latest source from GitHub.

Offline

#152 2015-03-31 10:44:52

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Kantech ioProx

I think Asper is about to release a new pre-comp binaries,  based on sourcecode tagged as v2.0.
But I strongly recommend to use the latest source from GitHub.

Offline

#153 2015-03-31 13:32:28

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Kantech ioProx

I've looked at your traces,  there seem to be a systomatic error in them.  Making it hard to decode, looked like psk according to the new "lf search u".   Can you try to make better sniff traces with a cleaner signal?   (look at the  "data plot" window" and you'll see when it becomes clear)

Offline

#154 2015-03-31 13:56:04

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Kantech ioProx

Do not use the old amp command.

Offline

#155 2015-04-03 13:15:21

Draik
Member
Registered: 2015-03-17
Posts: 7

Re: Kantech ioProx

A few more traces.
I have high hopes for this one.
AMP command not used.

https://www.mediafire.com/?un0ealuvc7wrsy8

Let me know if this is any better.

Offline

#156 2016-04-06 21:59:28

warriors
Contributor
Registered: 2015-06-18
Posts: 17

Re: Kantech ioProx

iceman wrote:

I've looked at your traces,  there seem to be a systomatic error in them.  Making it hard to decode, looked like psk according to the new "lf search u".   Can you try to make better sniff traces with a cleaner signal?   (look at the  "data plot" window" and you'll see when it becomes clear)

Hello,

I have Kantech XSF format card(39 bit from wiegand)

1)    (01)07:53156     111000111111101111100000110000010110110
2)    (01)F4:22975     111000111111100000101110100110010000000
3)    (01)F4:22970     111000111111100000101110100110010001010
4)    (01)07:53191     111000111111101111100000110000001110000
5)    (01)07:53168     111000111111101111100000110000010011110
6)    (01)07:53162     111000111111101111100000110000010101011
7)    (01)07:53178     111000111111101111100000110000010001010

Can anyone help me finding the card code, facility code and parity bits.

Thanks,
warriors

Offline

#157 2016-04-06 22:09:13

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Kantech ioProx

not sure where you got your binary, but it doesn't look like it is correct.  you should get 64 or 32 bits off an xsf card.  get a pm3. wink

Offline

#158 2016-04-06 22:19:18

warriors
Contributor
Registered: 2015-06-18
Posts: 17

Re: Kantech ioProx

marshmellow wrote:

not sure where you got your binary, but it doesn't look like it is correct.  you should get 64 or 32 bits off an xsf card.  get a pm3. wink

I am using P225XSF reader. Kantech supports 39 bit XSF format.

http://www.kantech.com/Support/Docs/Kantech_ProductGuide_2010.pdf
Page 47 it says 39 bit XSF

warriors

Offline

#159 2016-04-07 00:01:58

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Kantech ioProx

That is created (crypted) by the reader and sent to the controller to decipher.  Sounds like you aren't using the correct controller with that reader.  The raw card data is 64 bits as was considered in this thread.

Offline

#160 2016-04-07 04:40:32

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Kantech ioProx

however lucky for you it is just inverted and not really crypted as their docs state.
invert the binary and cheers.

Offline

#161 2016-04-07 16:35:39

warriors
Contributor
Registered: 2015-06-18
Posts: 17

Re: Kantech ioProx

marshmellow wrote:

however lucky for you it is just inverted and not really crypted as their docs state.
invert the binary and cheers.

Thanks marshmallow you are right.
I am not using Kantech controller so I had to decipher the binary coming out from the reader.

1)    (01)07:53156     489591693494
11100011111110  11111000   0011000001011011    0   == normal readout
00011100000001{00000111}{1100111110100100}{1}   == 1 complement
                              FC              Card code           Parity

I could not figure out the parity.


warriors

Offline

#162 2016-05-16 20:42:16

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Kantech ioProx

Had some fun tonight and added the  "version, facilitycode, cardnumber"  options to
'lf io sim'
'lf io clone'
commands.

pm3 --> lf io sim
Enables simulation of IOProx card with specified facility-code and card number.
Simulation runs until the button is pressed or another USB command is issued.

Usage:  lf io sim [h] <version> <facility-code> <card-number>
Options :
                h :  This help
        <version> :  8bit version
  <facility-code> :  8bit value facility code
    <card number> :  16bit value card number

Samples
       lf io sim 26 224 1337
pm3 --> lf io clone 1 7 53156
Preparing to clone IOProx to T55x7 with Version: 1 FC: 7, CN: 53156
Blk | Data
----+------------
 00 | 0x00147040
 01 | 0x007841e0
 02 | 0x3cfd2653
#db# DONE!
pm3 --> lf se
Reading 30000 bytes from device memory

Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
  if it finds something that looks like a tag
False Positives ARE possible


Checking for known tags:

00000000 0
11110000 1
00000111 1 facility
00000001 1 version
11001111 1 code1
10100100 1 code2
10010100 11 checksum
IO Prox XSF(01)07:53156 (007841e03cfd2653) [94 crc ok]

Valid IO Prox ID Found!
pm3 -->

Offline

#163 2017-03-24 13:35:22

Omikron
Contributor
Registered: 2010-02-12
Posts: 78

Re: Kantech ioProx

My apologies if I'm missing something obvious, but I'm running on no sleep at the moment and it's making the world fuzzy.  Have we figured out a way to encode an ioProx tag using only the printed ID on the card, or only the other way around?

Offline

#164 2017-03-24 14:03:16

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Kantech ioProx

Dont remember anymore since this thread has been stale for a year or so,   but it sure looks like I added it.

Offline

#165 2017-03-31 07:23:25

Omikron
Contributor
Registered: 2010-02-12
Posts: 78

Re: Kantech ioProx

iceman wrote:

Dont remember anymore since this thread has been stale for a year or so,   but it sure looks like I added it.

Hmm, am I missing something?  I've looked through the thread a couple times and all of the commands related to ioprox and haven't seen anyway to clone cards based only off of the XSF number.

Offline

#166 2017-03-31 09:20:40

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: Kantech ioProx

Omikron wrote:
iceman wrote:

Dont remember anymore since this thread has been stale for a year or so,   but it sure looks like I added it.

Hmm, am I missing something?  I've looked through the thread a couple times and all of the commands related to ioprox and haven't seen anyway to clone cards based only off of the XSF number.

@Omikron You should look at post #162 and #163 (01)07:53156 if that is what you mean XSF number.

Usage:  lf io sim

<version> <facility-code> <card-number>

Options :
                h :  This help
        <version> :  8bit version
  <facility-code> :  8bit value facility code
    <card number> :  16bit value card number

Samples
       lf io sim 26 224 1337
pm3 --> lf io clone 1 7 53156
Preparing to clone IOProx to T55x7 with Version: 1 FC: 7, CN: 53156

Offline

#167 2017-03-31 15:01:55

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Kantech ioProx

I think its in iceman fork, not PM3 master.

Offline

#168 2017-04-01 04:05:24

Omikron
Contributor
Registered: 2010-02-12
Posts: 78

Re: Kantech ioProx

Thank you, @ntk @iceman, I'll look into it. I'm not sure how I missed that.

Offline

Board footer

Powered by FluxBB