Improved proxmark3 scanning of ioProx / Kantech fobs

I’ve been playing with my new proxmark3. It works great for HID cards, but ioProx code is still in its infancy. I made some improvements to it based on analysis by marshmellow:

  • Better accuracy: You no longer have to worry about centering your fob on the antenna or scan it repeatedly to get a “good” reading. Now you can just hold it in your fingers to scan. Before this update I was averaging 10 – 70% accuracy depending on how I held the fob. This version is pretty much 100% – I haven’t had a bad scan yet.
  • Correct decoding of human readable XSF number: Previous version had a bug that displayed the wrong unique code and the wrong facility IDs.


Download the binary firmware (including source code patch if you want to build it yourself) .

There is still more work to be done. For example, there appears to be CRC or checksum near the end – it’s still a mystery.

9 thoughts on “Improved proxmark3 scanning of ioProx / Kantech fobs”

  1. Thank you for doing the work on this to update the code for the Proxmark. I tried to correct the bad scans I was getting but given my somewhat deficient programming skills, failed miserably.

    I have downloaded your new code and will install it and give it a try. Just a quick question. I downloaded and updated the bootroom, Fpga and Os files from Ryccc that were dated 2014/04/01. Will it be necessary to update the bootroom. That always makes me nervous. As well I wonder if you have looked at the video from Bishop Fox at Defcon turning a card reader into a long range scanner for HID cards. Great work and a very interesting web site. Best regards, Terry

    1. I’m not sure. I can tell you I had trouble until I updated my bootrom. Now I tend to upgrade bootrom ahead of time just to make sure. I guess you could always just update the OS and hope for the best, but I find that too nerve racking as for a while you may be left with an unbootable device until you get the bootrom sorted out. I wish I had a better answer for you – I’m wondering what’s the safest way to do this myself.

  2. Hi Thomas thank you for your email. I am trying to follow the discussion on the forum between you and holiman regarding the Prox code for the HID XSF cards. Am I correct that the code you wrote and posted on this site has been or is being revised. I thought that a reading was being displayed even when a card was not on the antenna, but that may have been the result of holiman’s rewriting of the code. Not sure. What is the status of the review of the code. Can I just use your code and scan HID XSF cards and get good readings. Best regards

  3. Thomas: I appreciate that you took the time to respond given that you have another job that does not include writing code for the Proxmark. I flashed all of your code and it seemed to go well. What was strange is that when I did the hw ver command it gave me a response that the code installed was from Feb of 2014 instead of your code. I am wonder if the fact I am using the graphical interface for the Proxmark is the problem (Windows interface R844.) I was wondering what Windows or Linux interface you are using, I have can boot either. I was unable to get a reading on the IO prox card even with the command line. It just gave me a bunch of help commands. Best regards.

    1. I don’t have the proxmark here with me to verify, but the version is probably correct. I patched an older version but I never updated the date or version number.

      I tested it with windows CLI for sure. I didn’t even know there was a GUI, if there is I’m not surprised it’s not compatible as I changed the output format to be more readable. I recommend you try windows CLI

  4. Thanks Tomas, I appreciate your help and will certainly try not to bug you again. The info on date and version number clears up a mystery for me.

    best regards,

  5. Hello Tomas. I have been following your work on the proxmark3 in relation to the IO Prox xsf card format. I am new to Github and wonder if you could help point me in the right direction. I went to the Git download site and on the right hand side of the page downloaded the zip file that has the latest code for the my new proxmark. Here is the dumb question. When uncompressed, it has all of the usual file folders but no elf files that would permit me to load flash the proxmark. I don’t reall seeing a flasher file either . Do these need to be compiled in some way. Thanks for your help.

Leave a Reply

Your email address will not be published. Required fields are marked *