Hacking Into Gated Communities
Originally posted here. For entertainment purposes only.
Section 1: The Introduction
Gated communities are one of the most annoying parts of the suburban landscape. They take a perfectly decent shortcut from point A to point B, and gate it up so only their residents can use it. At least, that’s what one gated community did to me here. While most people would have just gone around it, I didn’t. I grew up around that area, and they were gating up a piece of my history (one of my first joints was smoked in the woods where that gated community is now). So I set out to figure out how to bypass that problem, and go through whenever I liked. After figuring out how, I figured that I would share it with the rest of you so that you as well can do the same.
Section 2: How Those Gates Work
So you understand the system I’m going to first go over a basic layout. First the gates themselves. The devices beside the gates on either side are called gate operators. These are the devices that either open or close the gate.
There are two types of gate operators. The first is a slide gate operator, and the second is a swing gate operator. Naturally, slide gate operators are used to control gates that slide open, and swing gate operators are used to control gates that swing open.
Then there are the devices in front of the gate that visitors use to access the roads and everything else on the other side. The most commonly found for most gated communities are simple keypads. These are the boxes with just the keypad, and you punch in your entry code to open the gate. Then there are telephone entry systems. These are hooked up to the POTS lines, instead of just to the gate itself. These boxes have a number-pad, but will also have a speaker, a call button, and for many an LED screen as well. Though the primary purpose of these devices is to call up the landlord in order to have him/her open the gate for you, these devices can also be programmed to have entry codes so that visitors and residents can open the gates without disturbing the landlord.
The other devices, which aren’t commonly used in most gated communities, include biometric fingerprint readers and proximity card readers. However, again, due to the price of these devices you won’t commonly come across these around gated communities.
Section 3: Door King
Well now that I’m done explaining how the systems operate I’m going to get into how to reprogram them and/or figure out an existing entry code in order to access the land behind these gates. I’m going to start with Door King, since this was the manufacturer that the equipment for the gated community down the road came from. First off what you can do if you know that the residents use entry codes is try to guess one of the entry codes to get into. Doesn’t matter if the box is a digital keypad or a telephone entry system, because entry codes are entered into these devices the same. To put in the entry code on one of these devices you first hit # and then the entry code. None of these systems from my knowledge at least have a limit on how many times you can attempt to put in your entry code so you can use this in order to find an existing entry code. Just try these on for size…
#1111 #2222 #3333 #4444 #5555 #6666 #7777 #8888 #9999 #0000 #1234 #2580 #6969 #0420 #6669 #1337 #1112 #1122
…Et cetera, et cetera, you get the idea. Also there are 5-digit entry codes that are used sometimes so try something like #12345, #54321, #13795, etc. If all this sounds like too much work for you then you can always on the other hand just program your own entry code into the device.
First let’s start with programming in 4-digit entry codes. If the device you are targeting is a digital keypad (the number-pads without the call buttons and LED screen) then you would hit *2, followed by the master code. If you are targeting a telephone entry system then you would hit *02, followed by the master code. The default master code for these devices is 9999. So to test the default on a telephone entry system for instance you would hit *029999. If it is a success you will then hear the device beep. If it doesn’t beep then that means that the master code was changed, and from there you can try to guess the master code the same way you try to guess an entry code. If, however, the default master code works or you guessed the master code right, you can move on to the next step, programming in the code. On a digital keypad you would first hit *1, which the device will respond to with a beep to confirm it’s ready for a new entry code to be entered, and then punch in the desired 4-digit entry code. Then from there press *, and the device will yet again respond with a beep. Then from there just hit 0# to exit out of programming mode. If the device is a telephone entry system then you would simply punch in the desired entry code at this point, hit *, and then press 0# to exit out of programming mode.
If the target device uses 5-digit entry codes then the method is a little different, but relatively the same. When you’re programming a 5-digit entry code into a digital keypad you would hit *9 and then the master code, and with a telephone entry system you would hit *09 and then the master code. After that step the technique is still the same, except that you are programming in a 5-digit entry code instead of a 4-digit one.
Section 4: AAS
This manufacturer only makes digital keypads, but they do it right. AAS keypads, unlike Door King devices, have a lockout set in after 3 incorrect attempts at the entry code in a 3 minute interval. Meaning if you come across an AAS keypad, then your only option when it comes to trying to figure out an existing entry code is to try at the entry code twice every 3 minutes or so. If this is something you don’t mind though then you can try the same type of entry codes I listed in the Door King section, except that you don’t have to hit * or #, since the device already knows you’re putting in an entry code. You can do this as long as you follow the rule about only trying twice within a three minute or so interval. However, you’re more than likely not too keen on the idea of waiting out there for hours in between the time intervals to try to guess an entry code when you can just program one in yourself. To do this hit * and then put in the master code. The default master code for AAS keypads is 1251. After this type in the desired entry code, and hit #. As with the Door King, you will hear a nice beep to notify you if the entry code has been accepted.
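The lockout behaviour described in this section, written out from the defender's side as an added example (not code from the original post or from any manufacturer's firmware). The class and function names, the sample codes and the 180-second lockout duration are assumptions; the post only gives "3 incorrect attempts in a 3 minute interval".

```python
from collections import deque

class KeypadLockout:
    """Lock the keypad after max_failures wrong codes inside window_s seconds."""

    def __init__(self, valid_codes, max_failures=3, window_s=180, lockout_s=180):
        self.valid_codes = set(valid_codes)
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s   # assumed: the post gives no lockout duration
        self.failures = deque()      # timestamps of recent wrong entries
        self.locked_until = 0.0

    def try_code(self, code, now):
        """Return 'open', 'denied' or 'locked' for an entry at time now (seconds)."""
        if now < self.locked_until:
            return "locked"          # even a valid code is refused while locked
        # Forget wrong entries that have aged out of the sliding window.
        while self.failures and now - self.failures[0] >= self.window_s:
            self.failures.popleft()
        if code in self.valid_codes:
            # A keypad has no per-user identity, so a success does not
            # reset the failure count; failures only age out.
            return "open"
        self.failures.append(now)
        if len(self.failures) >= self.max_failures:
            self.locked_until = now + self.lockout_s
            self.failures.clear()
            return "locked"
        return "denied"

def hours_to_cover_keyspace(digits, max_failures=3, window_s=180):
    """Worst-case hours of guessing the lockout imposes on a full code space."""
    allowed_per_window = max_failures - 1    # entries that never trip the lockout
    return (10 ** digits / allowed_per_window) * window_s / 3600

def replay(keypad, events):
    """Feed (timestamp, code) pairs to the keypad and collect its answers."""
    return [keypad.try_code(code, t) for t, code in events]

# Constructed sample: three wrong codes in 20 seconds, then the valid code
# during the lockout, then the valid code again once the lockout has expired.
SAMPLE_EVENTS = [(0, "0001"), (10, "0002"), (20, "0003"), (30, "4821"), (200, "4821")]

if __name__ == "__main__":
    print(replay(KeypadLockout({"4821"}), SAMPLE_EVENTS))
    print(hours_to_cover_keyspace(4), hours_to_cover_keyspace(5))
```

With the 3-in-3-minutes rule, covering every 4-digit code takes 250 hours at the keypad and every 5-digit code 2500 hours, which is the cost a keypad without a lockout never imposes.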
Section 5: AeGIS
This manufacturer for the most part makes telephone entry systems, with the exception of the SK9 Satellite Keypad. Most of these systems have the capability for programmable entry codes with the exception of the 2500NC series. These systems, like the AAS keypads, use a 3 count lockout limit for failed entry codes. You just have to observe the same rule as you would with the AAS systems in order to try to find a good entry code. I think what it is is that manufacturers who concentrate their production solely on the production of this part of the system are more concentrated on the security for these devices than manufacturers like Door King that bulk production to include all products someone with a gated system would need/want. So yeah, if any of you reading this for some reason own a gated system like the kind used in gated communities then I’d suggest going with one of the manufacturers I just described. Anyways, to program your own entry code into the system you will hit 0 and # at the same time. This will drop the device into its programming mode. Then you punch in the master code, which by default for this device is 0000. If this isn’t the master code and you can pick the lock to open the panel then you can reset the device to the default master code by turning the power switch off/on, and then hit 0 and # at the same time. Anywho, once you have put in the master code you must choose which panel to put the entry code in. Each AeGIS device has 50 available panels for entering entry codes. If you hear the device beep two long beeps, then that means that the panel you tried to access already has an entry code set. Then you would hit * and the device will beep once. Then just try to choose another panel. Once you have an available panel you will punch in your desired 4-digit entry code, and then again hit *.
Then hit * yet again to exit the programming mode, and you will hear the device give off three quick beeps in order to acknowledge that it has exited the programming mode.
Section 6: Elite
Yup, I know, w00t. 17 15 73|-| 1337 5Y573|/|!!! Anywho, Elite doesn’t really do too many telephone entry systems, but there are a couple of exceptions. When they do them though, I’d have to say their capabilities are quite 1337, at least compared to other manufacturers. This has nothing to do with their security mind you, just the features that come with them. Anyways, to access programming mode on these devices you will naturally hit the “Program” button. After doing so you should try the default master code for these systems, which is 7777. Then hit “Enter”. Now from here you have to set the PROG MODE. Luckily for you if you get to PROG MODE you don’t have to guess the entry code. What? Get out! No way! Yup, that’s right, the entry codes are listed in the system. Told you these things have more features! =) From this menu go to (N)Names. Now from here you can just hit the up or down buttons to browse through the database on the system of every tenant in the gated community. This information includes the first and last name, phone number, and get this, their key code. Yup, that’s right, it’s all there for the picking. Got to love modern convenience! If that isn’t enough you can also grab the Utility key codes, used by certain utility companies like the telco, water, power, construction workers, etc. To access this list just select (U)Utility from PROG MODE. From this menu once again use the up and down buttons in order to browse the list of utility key codes. If that isn’t enough to make you want to jump on an Elite telephone entry system now I’ll put in one more treat. From PROG MODE select (G)Greeting, and you can edit the message that is displayed on the LED. After you have selected (G)Greeting, then punch in any message you want to display (like for example “Legalize Marijuana” or “Information Leak dot net pwnz you”), and hit “Enter”.
There you go, now you have all the access codes for the system, and your own custom message on the LED screen. Enjoy.
Section 7: Linear
There’s nothing really 1337 about this manufacturer. They mostly do keypads, and they’re pretty boring when it comes to features. Still, it’s pretty easy to program in your own entry codes, or figure out existing entry codes. To enter programming mode on one of these keypads just hit # 9 # and the master code, which by default is 123456. From here to program in your own entry code just hit 0 1 # desired code # reenter code # 3 #. The 3 in that command series is to instruct the device to use this entry code on both relays (both gates). That way the entry code works no matter which way you’re coming into the gated community. When you enter the code the yellow LED will flash while the device tries to store the entry code you entered, then it will turn green if the entry code was stored. If the entry code you entered is already in use then the LED will go red. From there you can either try to enter a new entry code, or use the one that is already in use. To exit programming mode just hit * * #. Just the same you can also figure out an existing entry code using the same method mentioned in the Door King section.
Section 8: Multicode
This manufacturer mostly does transmitters, and to be honest I think they should stick with transmitters. Their keypads are probably the lamest on the market. These keypads only support one access code, which by default is 1234. Even if the tenant changed this access code you can simply punch through different combinations until you hit the right one, because there is no lockout limit.
Section 9: Bonus Information
Many of these devices also have an option for erasing and adding phone numbers into the device. Though I haven’t tried this I have a suspicion that if you erased all current numbers, added in a number you want to call, and either lengthen or null the time limit for calls then you could use these devices to call out from the landlord’s line. That is at least on a telephone entry system. I’m not certain, because I haven’t tested this, but if a gated community providing you with a complimentary beige box seems to strike your interest then I’d suggest exploring the options in the programming menu in order to make this happen. There are manuals online that are available for download that you can use. They will be linked at the end of this tutorial, since I used them myself to do and write about all this.
knowledge is action.
A link to this post is being forwarded to the Palm Beach, Broward, and Miami-Dade Police, and the FBI.
Shut up Darius, how did you even find this?
Darius: Get a life, you asshole.