Box of Secrets: Discreetly modding an apartment intercom to work with Apple Home

When a friend's apartment complex failed to renew the cellular service for its Doorking 1834-080 intercom, guests were locked out. Two visiting hackers, Hazel and the author, were asked to find a fix. Their investigation began with the system's external voice box, which was unlocked. Inside, they found an AT&T Wi-Fi/cellular router with the default admin password printed on it, granting initial access. However, the router's locked-down interface and a custom serial protocol to the main controller proved to be dead ends. A second attempt to spoof phone line commands via the 'PH LINE' terminals was also abandoned due to complex DTMF signaling and limited debugging tools.

The breakthrough came from shifting strategy from 'top-down' control to 'bottom-up' subversion. Examining the junction box between the voice unit and the main controller revealed an unexpected, unsecured serial cable carrying the gate unlock signal. The team built a custom 'man-in-the-middle' device using a Raspberry Pi Zero 2 W ($35) and a USB-to-serial adapter. They wrote a Python script to listen on the serial line, detect the specific DTMF tone ('9') that unlocked the gate, and then spoof it on command. This hardware was discreetly installed in the existing junction box. The final software stack uses Home Assistant with an Apple Home integration, allowing the friend to unlock the gate remotely via Siri, the Home app, or automations, fully restoring functionality the landlord had neglected.