Dorking the DoorKing

by Cadet Crusher

If you live in a newer or renovated apartment building, chances are there is a telephone entry system that controls visitors' access to the building, and chances are it's of the DoorKing brand.

I have one of these devices controlling access to my building and it occurred to me one day shortly after moving in to investigate the security of such an access control system after one of my friends used it to enter my building.

What piqued my interest was the fact that the phone number of the DoorKing showed up on my Caller ID.  So I called it back.  Its response was merely a short beep followed by silence, indicating to me that it was awaiting instruction.

In order to confirm this assumption, I downloaded the operating manual, conveniently located at www.dkaccess.com/English/Telephone_Entry/1835-065-F-8-05.pdf, which covers models 1833, 1834, 1835, and 1837 (figuring out what model your building has is fairly trivial, just match your mental (or digital) picture of your building's model with one on the DoorKing website (www.doorking.com)).  Indeed it was awaiting command.

Basics of Programming DoorKing Telephone Entry Systems

Before we begin, a standard disclaimer is in order: I provide this information for educational purposes and am not responsible for what any individual may do with it.

The most important thing to note is that all of the following programming steps must be executed on the box's keypad.

Dial-in programming access is only supported via the DoorKing Remote Account Manager software (which I haven't had the opportunity to examine yet - more on that in the future).

Another point to note is that the box will give you feedback as you give it instructions, a short beep will be emitted after each successful program step, and a long beep (beeeeeeep, as the manual states) will signal end of programming.

Lastly, you will need the master code for the box.  Conveniently for us the factory code is: 9999

If the master code has been changed, I suggest trying: 1234, or 1111 - 8888

Or even try the building's address (I have a feeling you'll be in luck).  One more thing: when you see something like *07 in the steps below, that means press * , then 0, then 7 unless otherwise stated.

Good, now we can get to the fun stuff.

Setting Tone/Pulse Dialing

This is the easiest thing to make the box do (as well as quite humorous).  Just follow these steps:

1. Dial *07 then the master code.
2. Dial 0* for tone dialing or 1* for pulse dialing.
3. Press 0 and # together to end the programming cycle.

It's that easy!

Now you can watch everyone's befuddled looks as they wait for the box to dial using pulses.

Changing Tone Open Codes

Tone open codes are what the called party (the resident) must dial from his or her phone to unlock the door for the guest.  From the manual:

1. Dial *05 then the master code.
2. Dial 0*, 1*, or 2* to designate which relay you wish to program.  Most likely it is Relay 0 or 0*.  Each box can control three doors/gates, one per relay.
3. Dial the new tone open code.  This will be four digits.  If you want to make it one digit, like 9, then you would dial 9###.  Each # is a blank digit.  The defaults are Relay 0 = ####, Relay 1 = 9876, Relay 2 = 5432.
4. Press 0 and # together to end the programming cycle.

I should mention what Relays 0-2 are.

The box has three relays, one relay can control one door/gate.  We are most interested in Relay 0 as it is the primary relay and most likely the one controlling the door/gate we wish to command.  Now only you will know the proper tone open code, so everyone else will have to get up off the couch to let their visitors in.

Other Capabilities

Programming the box from the keypad allows for a plethora of mischief to be done.

Here are just a few things possible: changing four digit entry codes, setting the welcome message, setting the door open time (how long the relay will keep the door unlocked after access is granted), erasing the entire directory, and, by far the most unsettling, reverse lookups of directory codes to resident phone numbers.

All of these functions and more can found in the manual (refer to the URL above).  Please use discretion when exploring this system.

Don't disable any of the locks or do anything that would compromise the security of the building.  Remember we're here to learn.

Conclusion

Dorking a DoorKing entry system is astonishingly simple.

I was surprised to find that so much was programmable using the keypad interface and a measly four digit master code.  The above examples are harmless pranks, but the possibility for much more malicious actions does exist.

It does have an RS-232 port tucked away behind its locked face plate and most models have a 56k modem built in for programming via the Remote Account Management software, so I assume the ability to program it via the keypad is a failsafe in case no other programming methods are available.

Oh well, at least you can reset the system's welcome message to let everyone in your building know that you "pwnd this place d00d."