kurtis/Jailarr
kurtis/Jailarr
1
0
Fork 0
Code Issues Pull requests Projects Releases 4 Packages Wiki Activity Actions
Page: JSON Endpoints
Pages
Home JSON Endpoints
3 JSON Endpoints
Kurtis Ward edited this page 2026-01-20 00:11:14 -05:00
Table of Contents

Background

To obtain the inmate information that Jailarr relies on, it emulates the official MyOCV mobile apps. MyOCV mobile apps do not themselves contain most of the information that they provide to the user. Instead, they query a URL that returns a JSON file that contains all of the agency's data, including the local jail roster and most of the other information you may find in the app. The JSON URL is not public, and each agency (municipality) has a unique URL that returns only that agency's data.

Finding the JSON Endpoint

Method 1: TLS Decryption

Requirements

  • Rooted Android phone

Steps

Capture a request

  1. Install PCAPdroid and use the documentation to enable TLS decryption.
  2. Install the MyOCV android app for the desired municipality.
  3. Start the PCAPdroid capture (don't forget to enable a decryption rule for the app).
  4. Open the MyOCV app, and tap on the inmate search feature.
  5. When you can see the inmate list in the app, end the PCAPdroid capture.

Review the capture

  1. Once the capture is completed, navigate to the "connections" tab in PCAPdroid. This is where you will be able to browse the decrypted traffic.
  2. Look at the decrypted responses to the HTTPS requests to blogapi.myocv.com. One of these responses will contain a JSON-formatted inmate list.
  3. Once you have found the response containing an inmate list, look for the "blogID" key. It should be present for each of the inmates. The value of that key is what we are looking for. It should look like https://cdn.myocv.com/ocvapps/{AGENCY_ID}/{RosterName}.json. This is the URL to use for the JSON_URLS environment variable.

Method 2: Brute Force

If you are not able to capture and decrypt the HTTPS traffic, you can try to deduce the URL. The URL is always in the same format: https://cdn.myocv.com/ocvapps/{AGENCY_ID}/{RosterName}.json, so the only things we need to find are the agency ID and the roster name.

Find the agency ID

Via Google Search

Every single MyOCV app has a landing page on apps.myocv.com. The landing page URL looks like https://apps.myocv.com/share/{agencyID} where the value after the last slash is the agency ID. It appears most of the landing pages have been indexed by Google. If the desired municipality has ever published a document using the MyOCV platform, that too may be indexed. Files are hosted on cdn.myocv.com. Using Google dorks like site:apps.myocv.com or site:cdn.myocv.com, you may get lucky and find the agency ID.

MyOCV account number + zipcode

Most of the agency IDs follow a specific format: {client#}{primaryzipcode}. For example, the agency ID for Houghton County, Michigan is a134149931. a1341 is the MyOCV client number, and 49931 is the primary zipcode for that jurisdiction. The client number can often be found in the app's package name. Here is the link for the Houghton County app: https://play.google.com/store/apps/details?id=com.ocv.a1341. The part at the end is the package name. Combine that with the local zip code, and you likely have the agency ID. You can try dropping it in the landing page URL template. For example, here is Houghton's: https://apps.myocv.com/share/a134149931 If it takes you to the correct landing page, then you have the correct agency ID!

Find the roster name

The default roster name is inmates, but many agencies have differing names. If inmates does not work, there is known way to blindly deduce the correct one.