separate dependencies

Question

separate dependencies

Uj947nXmRqV2nRaWshKtHzTvckUUpD opened this issue 2 years ago · 10 comments

Uj947nXmRqV2nRaWshKtHzTvckUUpD commented 2 years ago

magisk and busybox should be downloaded locally and then pushed to avd.
in case of busybox, one can check the checksum and confirm the authenticity, rather than obfuscating busybox in the code. as an extra advantage, you make sure latest busybox is being used

For example:

download_dep.sh

#!/bin/sh

# DOWNLOAD MAGISK
username="topjohnwu"
repo="Magisk"

# latest stable
# magisk_URL=$(curl -s https://api.github.com/repos/$username/$repo/releases/latest | grep "browser_download_url" | grep -v stub | awk -F ['"'] '{print $4}')

# canary more compatible
magisk_URL="https://raw.githubusercontent.com/topjohnwu/magisk-files/canary/app-debug.apk"

echo "$magisk_URL"

curl -L -o magisk.apk "$magisk_URL"

# DOWNLOAD BUSYBOX

username="Magisk-Modules-Repo"
repo="busybox-ndk"

busybox_URL="https://github.com/$username/$repo/raw/master/busybox-x86_64-selinux"

curl -L -o busybox "$busybox_URL"

Answer 1 · 2023-01-24T07:08:10.000Z

Dear @fusionneur,
thank you for your request, which is not the first of this kind.
They are quite some conditions to meet to implement this. I am sure
you didn't consider all of them, If yes, I will do it as you please.

What is the Up-to-Date version of busybox?
What are the present versions of busybox in the script?
What tool in detail are you missing in the present busybox version? and why?
Does your code run in Linux/Mac/Windows?
Why exactly should Magisk be downloaded locally and then pushed to the avd?
Why exactly should busybox be downloaded locally and then pushed to the avd?
If you would move your code to be executed within the avd, does it also run with Android 7?
Or would you actually need busybox to get busybox?

Answer 2 · 2023-01-24T13:29:42.000Z

Hi and thank you for reply. I try to answer some of the questions. But before, I just want to mention that I just discovered the project yesterday, so I didn't really have time to look too deep into the code. I was more familiar with shakalaka's implementation which seems to not be updated anymore and had quite a lot of issues. Thank you a lot for this great tool !

What is the Up-to-Date version of busybox?
I suppose these binaries should be actually used https://www.busybox.net/downloads/binaries/

What are the present versions of busybox in the script?
If you refer to my snippet, they are taken from busybox-ndk magisk module (https://github.com/Magisk-Modules-Repo/busybox-ndk). But as I previously said, maybe the original binaries should be used.
If you refer to rootAVD's busybox version, I didn't look so deep into it yet and it seems quite obfuscated.

What tool in detail are you missing in the present busybox version? and why?
None, I believe. I tried rootAVD's yesterday with success on an android v 13 (API 33)

Does your code run in Linux/Mac/Windows?
curl and wget is nowadays on all major OSs. my snippet should be easily adapted in .bat form for windows

Why exactly should Magisk be downloaded locally and then pushed to the avd?
for eg. to preserve a copy that could be reused on other avd's, if the version already matches the latest.

Why exactly should busybox be downloaded locally and then pushed to the avd?
One reason is to prevent circular dependency, like you further specified - requiring busybox inside avd to download itself. Another reason and most important, and actually the reason for opening this issue, is to prevent obfuscating and adding unnecessary complexity in the code.
Also from security perspective, one could easily validate it's authenticity, being downloaded from original source without the possibility of being tampered (even magisk's internal busybox seems to be a different version than the original.. why?). Imo, It just feels more natural to have it already downloaded and just push it to AVD, than having to dump an embedded binary into a huge script every time it updates which makes it difficult to maintain. Also, same as previous question, you could reuse the already downloaded for rooting other AVD's.

If you would move your code to be executed within the avd, does it also run with Android 7?
Or would you actually need busybox to get busybox?
The snippet I wrote is supposed to run on host, and to be executed before the actual patching, rather than on the AVD.

Answer 3 · 2023-01-29T09:15:57.000Z

What tool in detail are you missing in the present busybox version? and why?
None, I believe. I tried rootAVD's yesterday with success on an android v 13 (API 33)

Thanks for your reply. So there is actually no practical reason nor a real benefit to change this.

Answer 4 · 2023-01-29T15:27:04.000Z

real benefit is having the code easily audited and trustable

Answer 5 · 2023-01-29T16:13:43.000Z

Dont use it if you dont trust it.
Easily audited for whom?

Answer 6 · 2023-01-29T16:14:19.000Z

by community.. ? isn't this the point of being open source? if not, then just upload one single obfuscated binary instead of the code

Answer 7 · 2023-01-29T16:35:05.000Z

It is just a script! If github is showing it not correctly, not my fault. Just dont use it, or fork it and rewrite it in your own style.

Answer 8 · 2023-01-29T16:40:28.000Z

i am not talking about how github doesn't show the script (that's because it is too long which is a consequence of having the busybox binary embedded in the script)

i am talking about this big chunk of binary inserted at the end of the script, that looks awful:

Answer 9 · 2023-01-29T19:17:31.000Z

Both are the same. The "chunk" is the start of one of the busybox binarys.

Answer 10 · 2023-01-29T19:23:52.000Z

my point is, code should contain code, not binaries. it's up to you what you do with this information