Say ByeBye👋 to the ETA feature in my WeChat miniprogram


Last year, I have released a WeChat miniprogram which is an alternative to the KMB 1933 APP.

Why I still spent my time making this mini-program? I have below pain points when using the KMB APP, the points were based on the KMB 1933 app version released around min-2019.

  1. The full-screen ads keep popping up on my iPhone.
  2. The app was so slow to open and crash occasionally.
  3. I just care about some buss routes and stops, don’t give me too much info I don’t need.

My solution

My miniprogram have these three key features to solve the pain points:

  1. Home screen: Show ETA of the bookmarked bus stops(Swipe left to delete the bookmark).
  2. Second screen: Show nearby stops ETA (Swipe left the row to bookmark the stop).
  3. Third screen: Search bus routes(Bus announces, schedules, and map views of the routes)
miniprogram screenshots

Welcome to have a trial, just scan this QRCode by WeChat:

The miniprogram QR Code

The ETA features

EAT(Estimated Arrival Time) is the key info of the app. There’re two ways we can try to get the ETA info:

  1. KMB official Web site:
  2. KMB 1933 APP

My miniprogram is using the KMB official Website as the data source.

KMB official website site ETA feature screenshoot.

KMB official Website ETA feature is a pure front-end function without any authentication. You can easily find out the JS source code to inspect the logic of how it integrated with the API. I can tell you there’s no fanny encryption stuff.

However, the KMB official website has tried many ways to protect the API endpoint from abuse. The recent key improvement is KMB introduced Google reCAPTCHA to protect the API.

The new captcha key for invoking the ETA API.

The captcha key will be generated when the user open the KMB website and bound with the KMB domain (I guess it will bind with the user IP as well). So I the captcha key one-off and can’t be reused.

I created a codesandbox demo to try the captcha.

The sandbox site is using my own Google reCAPTCHA. If you replace with KMB key 6LdiOd8ZAAAAACukKcCRmmf_Ll2hgSIVya22YR99, you will get the error of “ERROR for site owner: Invalid domain for site key”.

Possible solutions

Since the KMB website is a pure front-end app, one possible solution is we can simulate the browser in node.js runtime to get the google captcha token then invoke the ETA API. The headerless browser can be done by puppeteer or PhantomJS.

To run a browser will be a huge overhead or it may require some daemon service to accelerate performance, so some serverless env such lambda or cloud function maybe not suitable to host this kind of service. (My miniprogram API is hosted by WeChat Cloud Function).

Another solution is to hack the KMB 1933 APP. For example, using some proxy apps such as Charles to monitor the APP traffic with backend API, hopefully, you can get the dedicated or more well-organized API of how the APP gets the ETA data.

Usually, the APP will use HTTPS protocol to secure communication. The good news is that Charles can use man-in-the-middle HTTPS proxy so that you’re able to view in plain text the communication between web browser and SSL web server. The bad news is that if the APP enables the HTTP Public Key Pinning (HPKP) the Charles will be useless for the proxy.

Thank you for reading.




最近在随机地听李志的各张live专辑,随机到了这首歌: 普希金 – 李志x丁薇丨live 2015 动静







当然我还发现了一些来自普希金有趣的句子(以下是浮躁时代的快速阅读方式【谷歌关键字:普希金 名言】):

  1. 讀書和學習是在別人思想和知識的幫助下,建立起自己的思想和知識。 (多么好的勉励自己读书的理由)
  2. 读书是最好的学习,追随伟大人物的思想,是富有趣味的事情。(多么好的解析为什么读书的理由)
  3. 世界的設計創造應以人為中心,而不是以謀取金錢,人並非以金錢為對象而生活,人的對象往往是人。(多么好的指导产品设计的理由)(在各种IT新品发布会,引用这句话,格调马上上来了)
  4. 不管怎么说,不怀希望、不求报答的爱情肯定比一切工于心计的引诱更能打动一个女人的心。(多么好的打动女孩子的理由)
  5. 沒有幸福,只有自由和平靜。(多么好的让自己接受平庸平凡的理由)