#!/bin/sh # Copyright (C) 2024 Elliot Killick # Licensed under the MIT License. See LICENSE file for details. [ "$DEBUG" ] && set -x # Prefer Dash shell for greater security if available if [ "$BASH" ] && command -v dash > /dev/null; then exec dash "$0" "$@" fi # Test for 4-bit color (16 colors) # Operand "colors" is undefined by POSIX # If the operand doesn't exist, the terminal probably doesn't support color and the program will continue normally without it if [ "0$(tput colors 2> /dev/null)" -ge 16 ]; then RED='\033[0;31m' BLUE='\033[0;34m' GREEN='\033[0;32m' NC='\033[0m' fi # Avoid printing messages as potential terminal escape sequences echo_ok() { printf "%b%s%b" "${GREEN}[+]${NC} " "$1" "\n" >&2; } echo_info() { printf "%b%s%b" "${BLUE}[i]${NC} " "$1" "\n" >&2; } echo_err() { printf "%b%s%b" "${RED}[!]${NC} " "$1" "\n" >&2; } # https://pubs.opengroup.org/onlinepubs/9699919799/utilities/fold.html format() { fold -s; } word_count() { echo $#; } usage() { echo "Mido - The Secure Microsoft Windows Downloader" echo "" echo "Usage: $0 ..." echo "" echo "Download specified list of Windows media." echo "" echo "Specify \"all\", or one or more of the following Windows media:" echo " win7x64-ultimate" echo " win81x64" echo " win10x64" echo " win11x64" echo " win81x64-enterprise-eval" echo " win10x64-enterprise-eval" echo " win11x64-enterprise-eval" echo " win10x64-enterprise-ltsc-eval (most secure)" echo " win2008r2" echo " win2012r2-eval" echo " win2016-eval" echo " win2019-eval" echo " win2022-eval" echo "" echo "Each ISO download takes between 3 - 7 GiBs (average: 5 GiBs)." echo "" echo "Updates" echo "-------" echo "All the downloads provided here are the most up-to-date releases that Microsoft provides. This is ensured by programmatically checking Microsoft's official download pages to get the latest download link. In other cases, the Windows version in question is no longer supported by Microsoft meaning a direct download link (stored in Mido) will always point to the most up-to-date release." | format echo "" echo "Remember to update Windows to the latest patch level after installation." echo "" echo "Overuse" echo "-------" echo "Newer consumer versions of Windows including win81x64, win10x64, and win11x64 are downloaded through Microsoft's gated download web interface. Do not overuse this interface. Microsoft may be quick to do ~24 hour IP address bans after only a few download requests (especially if they are done in quick succession). Being temporarily banned from one of these downloads (e.g. win11x64) doesn't cause you to be banned from any of the other downloads provided through this interface." | format echo "" echo "Privacy Preserving Technologies" echo "-------------------------------" echo "The aforementioned Microsoft gated download web interface is currently blocking Tor (and similar technologies). They say this is to prevent people in restricted regions from downloading certain Windows media they shouldn't have access to. This is fine by most standards because Tor is too slow for large downloads anyway and we have checksum verification for security." | format echo "" echo "Language" echo "--------" echo "All the downloads provided here are for English (United States). This helps to great simplify maintenance and minimize the user's fingerprint. If another language is desired then that can easily be configured in Windows once it's installed." | format echo "" echo "Architecture" echo "------------" echo "All the downloads provided here are for x86-64 (x64). This is the only architecture Microsoft ships Windows Server in.$([ -d /run/qubes ] && echo ' Also, the only architecture Qubes OS supports.')" | format } # Media naming scheme info: # Windows Server has no architecture because Microsoft only supports amd64 for this version of Windows (the last version to support x86 was Windows Server 2008 without the R2) # "eval" is short for "evaluation", it's simply the license type included with the Windows installation (only exists on enterprise/server) and must be specified in the associated answer file # "win7x64" has the "ultimate" edition appended to it because it isn't "multi-edition" like the other Windows ISOs (for multi-edition ISOs the edition is specified in the associated answer file) readonly win7x64_ultimate="win7x64-ultimate.iso" readonly win81x64="win81x64.iso" readonly win10x64="win10x64.iso" readonly win11x64="win11x64.iso" readonly win81x64_enterprise_eval="win81x64-enterprise-eval.iso" readonly win10x64_enterprise_eval="win10x64-enterprise-eval.iso" readonly win11x64_enterprise_eval="win11x64-enterprise-eval.iso" readonly win10x64_enterprise_ltsc_eval="win10x64-enterprise-ltsc-eval.iso" readonly win2008r2="win2008r2.iso" readonly win2012r2_eval="win2012r2-eval.iso" readonly win2016_eval="win2016-eval.iso" readonly win2019_eval="win2019-eval.iso" readonly win2022_eval="win2022-eval.iso" parse_args() { for arg in "$@"; do if [ "$arg" = "-h" ] || [ "$arg" = "--help" ]; then usage exit fi done if [ $# -lt 1 ]; then usage >&2 exit 1 fi # Append to media_list so media is downloaded in the order they're passed in for arg in "$@"; do case "$arg" in win7x64-ultimate) media_list="$media_list $win7x64_ultimate" ;; win81x64) media_list="$media_list $win81x64" ;; win10x64) media_list="$media_list $win10x64" ;; win11x64) media_list="$media_list $win11x64" ;; win81x64-enterprise-eval) media_list="$media_list $win81x64_enterprise_eval" ;; win10x64-enterprise-eval) media_list="$media_list $win10x64_enterprise_eval" ;; win11x64-enterprise-eval) media_list="$media_list $win11x64_enterprise_eval" ;; win10x64-enterprise-ltsc-eval) media_list="$media_list $win10x64_enterprise_ltsc_eval" ;; win2008r2) media_list="$media_list $win2008r2" ;; win2012r2-eval) media_list="$media_list $win2012r2_eval" ;; win2016-eval) media_list="$media_list $win2016_eval" ;; win2019-eval) media_list="$media_list $win2019_eval" ;; win2022-eval) media_list="$media_list $win2022_eval" ;; all) media_list="$win7x64_ultimate $win81x64 $win10x64 $win11x64 $win81x64_enterprise_eval $win10x64_enterprise_eval $win11x64_enterprise_eval $win10x64_enterprise_ltsc_eval $win2008r2 $win2012r2_eval $win2016_eval $win2019_eval $win2022_eval" break ;; *) echo_err "Invalid Windows media specified: $arg" exit 1 ;; esac done } handle_curl_error() { error_code="$1" fatal_error_action=2 case "$error_code" in 6) echo_err "Failed to resolve Microsoft servers! Is there an Internet connection? Exiting..." return "$fatal_error_action" ;; 7) echo_err "Failed to contact Microsoft servers! Is there an Internet connection or is the server down?" ;; 8) echo_err "Microsoft servers returned a malformed HTTP response!" ;; 22) echo_err "Microsoft servers returned a failing HTTP status code!" ;; 23) echo_err "Failed at writing Windows media to disk! Out of disk space or permission error? Exiting..." return "$fatal_error_action" ;; 26) echo_err "Ran out of memory during download! Exiting..." return "$fatal_error_action" ;; 36) echo_err "Failed to continue earlier download!" ;; 63) echo_err "Microsoft servers returned an unexpectedly large response!" ;; # POSIX defines exit statuses 1-125 as usable by us # https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_08_02 $((error_code <= 125))) # Must be some other server or network error (possibly with this specific request/file) # This is when accounting for all possible errors in the curl manual assuming a correctly formed curl command and an HTTP(S) request, using only the curl features we're using, and a sane build echo_err "Miscellaneous server or network error!" ;; 126 | 127) echo_err "Curl command not found! Please install curl and try again. Exiting..." return "$fatal_error_action" ;; # Exit statuses are undefined by POSIX beyond this point *) case "$(kill -l "$error_code")" in # Signals defined to exist by POSIX: # https://pubs.opengroup.org/onlinepubs/009695399/basedefs/signal.h.html INT) echo_err "Curl was interrupted!" ;; # There could be other signals but these are most common SEGV | ABRT) echo_err "Curl crashed! Failed exploitation attempt? Please report any core dumps to curl developers. Exiting..." return "$fatal_error_action" ;; *) echo_err "Curl terminated due to a fatal signal!" ;; esac esac return 1 } part_ext=".PART" unverified_ext=".UNVERIFIED" scurl_file() { out_file="$1" tls_version="$2" url="$3" part_file="${out_file}${part_ext}" # --location: Microsoft likes to change which endpoint these downloads are stored on but is usually kind enough to add redirects # --fail: Return an error on server errors where the HTTP response code is 400 or greater curl --progress-bar --location --output "$part_file" --continue-at - --max-filesize 10G --fail --proto =https "--tlsv$tls_version" --http1.1 -- "$url" || { error_code=$? handle_curl_error "$error_code" error_action=$? # Clean up and make sure a future resume doesn't happen from a bad download resume file if [ -f "$out_file" ]; then # If file is empty, bad HTTP code, or bad download resume file if [ ! -s "$out_file" ] || [ "$error_code" = 22 ] || [ "$error_code" = 36 ]; then echo_info "Deleting failed download..." rm -f "$out_file" fi fi return "$error_action" } # Full downloaded succeeded, ready for verification check mv "$part_file" "${out_file}" } manual_verification() { media_verification_failed_list="$1" checksum_verification_failed_list="$2" echo_info "Manual verification instructions" echo " 1. Get checksum (may already be done for you):" >&2 echo " sha256sum " >&2 echo "" >&2 echo " 2. Verify media:" >&2 echo " Web search: https://duckduckgo.com/?q=%22CHECKSUM_HERE%22" >&2 echo " Onion search: https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/?q=%22CHECKSUM_HERE%22" >&2 echo " \"No results found\" or unexpected results indicates the media has been modified and should not be used." >&2 echo "" >&2 echo " 3. Remove the $unverified_ext extension from the file after performing or deciding to skip verification (not recommended):" >&2 echo " mv $unverified_ext " >&2 echo "" >&2 for media in $media_verification_failed_list; do # Read current checksum in list and then read remaining checksums back into the list (effectively running "shift" on the variable) # POSIX sh doesn't support indexing so do this instead to iterate both lists at once # POSIX sh doesn't support here-strings (<<<). We could also use the "cut" program but that's not a builtin IFS=' ' read -r checksum checksum_verification_failed_list << EOF $checksum_verification_failed_list EOF echo " ${media}${unverified_ext} = $checksum" >&2 echo " Web search: https://duckduckgo.com/?q=%22$checksum%22" >&2 echo " Onion search: https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/?q=%22$checksum%22" >&2 echo " mv ${media}${unverified_ext} $media" >&2 echo "" >&2 done echo " Theses searches can be performed in a web/Tor browser or more securely using" >&2 echo " ddgr (Debian/Fedora packages available) terminal search tool if preferred." >&2 echo " Once validated, consider updating the checksums in Mido by submitting a pull request on GitHub." >&2 # If you're looking for a single secondary source to cross-reference checksums then try here: https://files.rg-adguard.net/search # This site is recommended by the creator of Rufus in the Fido README and has worked well for me } consumer_download() { # Copyright (C) 2024 Elliot Killick # Licensed under the MIT License. See LICENSE file for details. # # This function is from the Mido project: # https://github.com/ElliotKillick/Mido # Download newer consumer Windows versions from behind gated Microsoft API out_file="$1" # Either 8, 10, or 11 windows_version="$2" url="https://www.microsoft.com/en-us/software-download/windows$windows_version" case "$windows_version" in 8 | 10) url="${url}ISO" ;; esac user_agent="Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0" # uuidgen: For MacOS (installed by default) and other systems (e.g. with no /proc) that don't have a kernel interface for generating random UUIDs session_id="$(cat /proc/sys/kernel/random/uuid 2> /dev/null || uuidgen --random)" # Get product edition ID for latest release of given Windows version # Product edition ID: This specifies both the Windows release (e.g. 22H2) and edition ("multi-edition" is default, either Home/Pro/Edu/etc., we select "Pro" in the answer files) in one number # This is a request we make that Fido doesn't. Fido manually maintains a list of all the Windows release/edition product edition IDs in its script (see: $WindowsVersions array). This is helpful for downloading older releases (e.g. Windows 10 1909, 21H1, etc.) but we always want to get the newest release which is why we get this value dynamically # Also, keeping a "$WindowsVersions" array like Fido does would be way too much of a maintenance burden # Remove "Accept" header that curl sends by default (match Fido requests) iso_download_page_html="$(curl -sS --user-agent "$user_agent" --header "Accept:" --max-filesize 1M --fail --proto =https --tlsv1.2 --http1.1 -- "$url")" || { handle_curl_error $? return $? } # tr: Filter for only numerics to prevent HTTP parameter injection # head -c was recently added to POSIX: https://austingroupbugs.net/view.php?id=407 product_edition_id="$(echo "$iso_download_page_html" | grep -Eo '