WoBike icon indicating copy to clipboard operation
WoBike copied to clipboard

Published 20 hours ago • verified publisher icon ubahnverleih

Lime juicer api

Open Mradmedamine opened this issue 6 years ago • 8 comments

Hello guys, Where is the juicer api ? there is only the rider's one. How could you intercept the requests. I tried to do this with several tools but I couldn't explore fully the requests it seems protected or sthg ..

The client failed to negotiate an SSL connection to web-production.lime.bike:443: Remote host closed connection during handshake

Does lime app have SSL pinning ? Please help !!

Mradmedamine avatar Jan 22 '19 11:01 Mradmedamine

Hi, Sorry this is a project focused on the positions of bikes/scooters. These APIs are collected by many volunteer contributers. So obviously until now no one of them was interested in reverse engineering the juicer API. We love to get issues with requests for new services or APIs to look at, but it does not help to spam other, completely unrelated issues. Begging for help with dozens of exclamation marks in different issues is not the best motivation for volunteers.

I guess one issue with this ist, that you need to have a special juicer account reverse engineer this API. I don't know how hard it is to get such an account.

ubahnverleih avatar Feb 03 '19 14:02 ubahnverleih

Where can i get the Lime rider API

johnnyh0826 avatar Sep 25 '19 01:09 johnnyh0826

@johnnyh0826 https://github.com/ubahnverleih/WoBike/blob/master/Lime.md

bransonf avatar Sep 25 '19 02:09 bransonf

The URL for finding juicable scooters is https://juicer.lime.bike/api/rider/v2/juicer/views/main

W1MMER avatar Sep 26 '20 23:09 W1MMER

The URL for finding juicable scooters is https://juicer.lime.bike/api/rider/v2/juicer/views/main

Hi, can I ask how you guys are reverse engineering the API? Lime appears to use HSTS, so any cert bypasses seem impossible.

EDIT: I have a juicer account, so I'd be happy to help to figure this out. EDIT 2: Nevermind, I see that mitim'ing in iOS is a lot easier. Fortunately I have an iPad and managed to sniff what I needed.

kltye avatar Nov 09 '20 00:11 kltye

Make sure that this is one of your Params:

Filter = %2A

Otherwise the API won't return any scooter locations.

EDIT: This is the link to the documentation for the Lime Juicer API HERE

W1MMER avatar Nov 09 '20 02:11 W1MMER

Make sure that this is one of your Params:

Filter = %2A

Otherwise the API won't return any scooter locations.

Thanks! I managed to sniff the traffic with mitmproxy. I was going down the Android path of injecting certs with frida, etc - not knowing that that isn't necessary with iOS devices.

kltye avatar Nov 09 '20 02:11 kltye

Make sure that this is one of your Params:

Filter = %2A

Otherwise the API won't return any scooter locations.

Thanks! I managed to sniff the traffic with mitmproxy. I was going down the Android path of injecting certs with frida, etc - not knowing that that isn't necessary with iOS devices.

That's fine! I'm an iOS user and had no idea that Lime implemented SSL Pinning on their Android App. I have SSL Kill Switch installed onto my old jailbroken iPhone 6, so I use that when an app has implemented SSL pinning.

W1MMER avatar Nov 09 '20 02:11 W1MMER