Earlier this year I visited Thorpe Park, a popular theme park in the south of England. At the entrance were signs advertising a new iPhone app for the park, which (among other things) could give you up to date queue times for all the rides. I quickly downloaded the app, and used it to plan my day around the queues.
On the way home I started playing with the app again, and when I tried to check the queue times an error message appeared: “not available off-park”. Clearly the programmers of the app had used the iPhone’s built-in GPS to limit the availability of the queue times; a crude form of location-based security. Only people within a certain location are able to access the queue times; everyone else had to go without. I presume this restriction is meant to stop people from checking ahead and deciding not to go to the park if the queues were too long.
However, I was intrigued at how the queue data got onto the device in the first place, so I decided to do a little investigating. My iPhone is jailbroken, so finding an app that could fake your GPS location was easy enough; there are a few in Cydia, but I found that FakeLocation is very easy to use and does the job well (for a relatively low price). Once installed, I chose my “location” as the middle of the park and restarted the Thorpe Park app. Sure enough, the queue times were now working.
I connected my iPhone to my wireless network at home, and used Wireshark to sniff the network traffic going in and out of the device. When I used the Thorpe Park app to check queue times, a simple HTTP request is sent to http://www.merlincms.com/1.php, which returns a JSON data object containing all the queue time information. However, all the queue times are linked to reference numbers, not the actual names of rides. This was a problem, but as it turned out, it was easily solvable.
Since my iPhone was jailbroken, I decided to see if there were any clues to the references in the app files themselves. I used SSH to connect to my iPhone, and browsed the directory which stored all files relating to the Thorpe Park app. Inside the Documents folder, I found a file named “Thorpe.db”, which I thought might be interesting. I downloaded it and opened it in a database browser, and found practically all the information you’d ever need to create your own Thorpe Park app. Not only did it contain a table mapping references to ride names, but it stored all the opening times, locations of all shops and facilities, and a bunch of random facts about the park.
I was only interested in the reference mappings though, and so I extracted them from the database and used them to create a web page which generates the most up to date queue times for the park.
Thorpe Park Queue Times – Short URL: http://is.gd/thorpepark
The web page can be accessed from anywhere, and on any device that supports web browsing. As an added bonus, I found (via the same method above) that the Alton Towers app does the same thing, and so created a web page specifically for that theme park as well:
Alton Towers Queue Times – Short URL: http://is.gd/altontowersqueue
Now I’m not promising that these web pages will “accurately” display the current queue times of rides in the parks, but what I can promise is that they will display the same times as their respective iPhone app displays. The advantage here being that you can view them from anywhere (with an Internet connection).