elliotkillick / mido

The Secure Microsoft Windows Downloader

Home Page: https://elliotonsecurity.com

License: MIT License

Shell 100.00%
automation microsoft security windows windows-10 windows-11 windows-7 windows-8-1 windows-downloader windows-ltsc

mido's Introduction

Mido

The Secure Microsoft Windows Downloader

Mido is a secure and open source download client for Microsoft's (reverse engineered) proprietary downloading API! Downloads are sourced from official Microsoft servers and you only have to run one command to go from start to finish in no time!

Comes with advanced features like download resumption, SHA-256 checksum verification, and downloading many different Windows versions in a single command. Did I mention it's written in pure POSIX sh (w/ few coreutils) + curl so it will run anywhere (even on Windows with WSL or a Cygwin shell)? So robust, very minimalist!

It's very well-suited to full automation if you just want to set it and forget it too... ⭐ Start saving time today with Mido!

❌ Microsoft's Media Creation Tool (mediacreationtool.exe proprietary bloatware)

Bloated website: https://www.microsoft.com/en-us/software-download/windows11

  • Mido provides the exact same downloads as this website (it uses the same API)

✅ Mido (using the same official Microsoft servers; open source software)

Project demo GIF

Get Mido

Get Mido.sh by opening the link, right-clicking and then selecting "Save [Page] as..."

Mac & Linux

You're done! Just open a terminal, give the file execution permissions (chmod +x Mido.sh), and run the script (as seen in the above GIF) to start using Mido.

Windows

To run Mido on Windows, use WSL (Windows Subsystem for Linux). If you don't have it enabled already then search "Turn Windows features on or off" in the Start menu, open that, check the "Windows Subsystem for Linux" box, and click "OK". This is the best option.

Alternatively, install Cygwin or MSYS2 from their download pages, or in one command using WinGet:

winget install -e --id Cygwin.Cygwin
winget install -e --id MSYS2.MSYS2

Both are POSIX emulation environments for Windows and you can use either one.

How does Mido work??

It interacts with Microsoft's proprietary downloading API (reverse engineered thanks to Pete Batard, @pbatard) to grab the latest release of Windows and generate a fresh download link (valid for 24 hours). Then we grab that link and get the file over to you as quickly as possible!

What else can Mido do?

Other than the consumer versions of Windows like 11 and 10, it can also automatically download the latest Server (e.g. Windows Server 2022) and Enterprise editions of every Windows version all the way back to Windows 7 (or Server 2008 R2)!

Want a more secure and minimalist Windows installation out-of-the-box that's officially provided by Microsoft? Then download the LTSC version of Windows. It comes with way less bloat and supports Microsoft's "Security" telemetry mode (plus it comes with long-term support). Microsoft is yet to release an LTSC version of Windows 11 (so 10 only for now) but it is planned.

Want to save more time?

Check out the create-media.sh script in Qvm-Create-Windows-Qube! Now complete with Mido and an answer file to go with each provided download. With that you will be saving time in downloading Windows and installing it to a VM. This is all very well-tested and could easily save you many hours of time over doing it manually. I usually reinstall my Windows VMs quite often because they tend to get slow over time and so a refresh always helps.

How secure is it really?

Mido is reasonably secure software. Every chance to reduce attack surface is taken. Untrusted data is treated as such with proper validation steps. The highest possible version of TLS is always used (up to TLS 1.3). Easily verify security properties yourself in the transparent shell script.

No web browser (e.g. headless Chromium running JavaScript) reduces the attack surface by many orders of magnitude.

Microsoft download servers (e.g. download.microsoft.com) support insecure TLS versions 1.0 and 1.1? Force TLS 1.2 or TLS 1.3 (the latter when Microsoft servers support it).

The next Shellshock/Bashdoor? POSIX sh compatible.

  • Plus, automatically switches to a more secure shell (Dash) if available
  • For even greater security, one could use a POSIX-compliant Rust shell with Rust coreutils (e.g. uutils). This is not the default configuration.

Frequent Curl HTTP 2.0 & 3.0 bugs? Force HTTP/1.1.

  • Comes at zero cost to performance for downloading a single large file

Coreutil bugs? Only builtins are used for the most critical functionality.

Still bugs? Wrap it in bubble wrap:

bwrap --ro-bind /bin /bin --ro-bind /usr/bin /usr/bin \
  --ro-bind /lib /lib --ro-bind /usr/lib /usr/lib \
  --ro-bind /lib64 /lib64 --ro-bind /usr/lib64 /usr/lib64 \
  --ro-bind /usr/share /usr/share --ro-bind /etc /etc \
  --dev-bind /dev/null /dev/null \
  --bind "$PWD" "$PWD" --ro-bind "$PWD/Mido.sh" "$PWD/Mido.sh" \
  --unshare-all --share-net -- ./Mido.sh --help

  • This is the same sandbox used by Flatpak
  • Here, we have a fine-grained sandbox configuration tested to work on Debian and Fedora (likely others)
  • Compartmentalize further by running Mido in its own unprivileged user account or even its own disposable VM on Qubes OS

With sandbox/VM escape or privilege escalation bugs? GG, you win!!

Todo

  • Make a small GUI wrapper for people who don't like running a single command
    • Ideally something lightweight and cross-platform (a GTK app that runs an embedded script?)
    • Should have a download progress bar (likely read from curl stderr) and shows an error log if anything goes wrong
    • Contributions are very welcome

License

MIT License - Copyright (C) 2024 Elliot Killick [email protected]

mido's People

Contributors

c0rn3j, elliotkillick, eltociear, rmscode

mido's Issues

[ERROR] Failing HTTP status code on MacOS

Hi,
Great script, potentially very useful - but I've not got it working yet...

Steps -
I created local working folder, wget'd the .sh, chmod, etc. then ran -
./Mido.sh win11x64

Error produced each time I attempt -

[!] Microsoft servers returned failing HTTP status code!

[!] 1 attempted download(s) failed! Please re-run Mido with these arguments to try downloading again (any partial downloads will be resumed): win11x64

I can duplicate this across multiple networks, so I'm not sure it's a network issue per se.

Has this error been seen before?

Thanks!

SHA256SUMs for consumer editions of Windows can be gathered directly from the page of the ISO download link

Hello. I was working on options for downloading different windows ISOs in quickemu (which uses code from this project), and while trying to find where Microsoft publishes hashes, I discovered that they were located on the same page as the download link. Here's the code I used in order to gather the correct hash from the page (this must be run before reducing iso_download_link_html to the first 4096 characters).

HASH=$(echo "$iso_download_link_html" | sed 's/<tr><td>/\n<tr><td>/g' | grep "$LANGUAGE 64-bit" | grep -o -P '(?<=</td><td>).*(?=</td></tr>)')
This should work for windows 8, 10, and 11 consumer ISOs. From a quick check, the windows server pages do not appear to have checksums published, and the enterprise editions appear to only have them in a PDF format.
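
The same extraction with a validation step, as an added example that is not part of the original post and is not code from Mido or quickemu. The HTML sample is constructed, its row layout is assumed from the pipeline above, and `extract_sha256` is a hypothetical name; it uses only POSIX `sed`/`grep` (no `grep -P`) and rejects anything that is not exactly 64 hex digits, since the page is untrusted input.

```shell
#!/bin/sh
# Added example, not code from Mido or quickemu. The HTML below is constructed;
# its row layout is assumed from the sed/grep pipeline in the post above.
SAMPLE_HTML='<table><tr><th>Language</th><th>SHA256</th></tr><tr><td>English 64-bit</td><td>0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF</td></tr><tr><td>German 64-bit</td><td>deadbeef</td></tr></table>'

# Print the SHA-256 listed for "<language> 64-bit", lower-cased.
# Fails (status 1) unless the cell is exactly 64 hex digits, because the page
# is untrusted input and the value ends up compared against a local digest.
extract_sha256() {
    html=$1 language=$2
    hash=$(printf '%s\n' "$html" |
        sed 's/<tr>/\
<tr>/g' |
        grep -F -- "<td>$language 64-bit</td>" |
        sed -n 's/.*<\/td><td>\([^<]*\)<\/td><\/tr>.*/\1/p' |
        head -n 1 | tr 'A-F' 'a-f')
    case $hash in
        '' | *[!0-9a-f]*) return 1 ;;   # missing row or non-hex characters
    esac
    [ "${#hash}" -eq 64 ] || return 1   # wrong length (e.g. truncated cell)
    printf '%s\n' "$hash"
}

# Demo on the constructed sample.
extract_sha256 "$SAMPLE_HTML" English
```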

win7x64-ultimate iso redownloaded every time the script is run with 'all' argument

So far as I can tell mido already successfully downloaded the win7x64-ultimate.iso file on the first run. I'm re-running mido to complete a few remaining partial downloads of win2022-eval.iso and win11x64-enterprise-eval.iso.

Is the sha256 hash of each ISO checked for before making the decision to redownload a file or only afterwards?

Current hash of win7 iso

sha256sum win7x64-ultimate.iso
dec04cbd352b453e437b2fe9614b67f28f7c0b550d8351827bc1e9ef3f601389 win7x64-ultimate.iso

win7x64-ultimate.iso sha256 hash as found in the mido.sh script

dec04cbd352b453e437b2fe9614b67f28f7c0b550d8351827bc1e9ef3f601389

Here's a current directory listing:

total 52638916
-rwxr-xr-x 1 user user      38937 Aug  8 12:10 mido.sh
-rw-r--r-- 1 user user 5550497792 Aug  9 03:41 win10x64-enterprise-eval.iso
-rw-r--r-- 1 user user 4898582528 Aug  8 21:10 win10x64-enterprise-ltsc-eval.iso
-rw-r--r-- 1 user user 5088602112 Aug  8 20:38 win11x64-enterprise-eval.iso
-rw-r--r-- 1 user user 1001123840 Aug  9 03:47 win11x64-enterprise-eval.iso.PART
-rw-r--r-- 1 user user 3166840832 Aug  8 21:35 win2008r2.iso
-rw-r--r-- 1 user user 4542291968 Aug  8 22:17 win2012r2-eval.iso
-rw-r--r-- 1 user user 6972221440 Aug  8 23:10 win2016-eval.iso
-rw-r--r-- 1 user user 5652088832 Aug  8 23:43 win2019-eval.iso
-rw-r--r-- 1 user user 4778459128 Aug  9 00:12 win2022-eval.iso.PART
-rw-r--r-- 1 user user 5876357120 Aug  8 18:37 win7x64-ultimate.iso
-rw-r--r-- 1 user user 2413605000 Aug  9 09:05 win7x64-ultimate.iso.PART
-rw-r--r-- 1 user user 3961473024 Aug  9 03:09 win81x64-enterprise-eval.iso

Security Advisory: Unpatchable DoS vulnerability

Mido had an unpatchable DoS vulnerability since its release. The issue was that Microsoft servers could send us data forever until OOM or disk space fills up. I knew about this issue but just tried to limit the untrusted size after running curl, which was generally a good idea but didn't resolve the DoS issue.

I let the curl team know about the issue and they changed how --max-filesize works to make it fixable: curl/curl#11810

I released the fix in the latest commit: f06a128

To make sure the fix applies to you, please ensure your curl is at least version 8.4.0 (run curl --version).

Thanks,
Elliot
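
An added example, not part of the advisory and not Mido's own code, covering both the README's "How secure is it really?" list and the curl version requirement above: it gates on curl 8.4.0 before emitting the TLS 1.2 minimum, HTTP/1.1 and `--max-filesize` options. The function names, the byte cap, the sample version line and the extra `--proto =https` option are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Mido's code. Function names and the byte cap are assumptions.

# Pull the version number out of the first line of `curl --version` output.
curl_version_from() {
    printf '%s\n' "$1" | sed -n '1s/^curl \([0-9][0-9.]*\).*/\1/p'
}

# Succeed if dotted version $1 >= $2, comparing up to three numeric fields.
version_at_least() {
    have=$1 want=$2
    for field in 1 2 3; do
        h=${have%%.*} w=${want%%.*}
        h=${h%%[!0-9]*} w=${w%%[!0-9]*}   # drop suffixes such as "-DEV"
        h=${h:-0} w=${w:-0}
        if [ "$h" -gt "$w" ]; then return 0; fi
        if [ "$h" -lt "$w" ]; then return 1; fi
        case $have in *.*) have=${have#*.} ;; *) have=0 ;; esac
        case $want in *.*) want=${want#*.} ;; *) want=0 ;; esac
    done
    return 0
}

# Print one curl option per line: TLS 1.2 as the minimum, HTTP/1.1 only, and a
# size cap. Refuse (status 1) when curl is older than the 8.4.0 the advisory names.
hardened_curl_opts() {
    ver=$1 max_bytes=$2
    if ! version_at_least "$ver" 8.4.0; then
        echo "curl $ver is older than 8.4.0; upgrade before relying on --max-filesize" >&2
        return 1
    fi
    printf '%s\n' --proto =https   # HTTPS only (an addition, not named on the page)
    printf '%s\n' --tlsv1.2 --http1.1
    printf '%s\n' --max-filesize "$max_bytes"
}

# Constructed sample of a `curl --version` first line; 10 GiB cap is arbitrary.
SAMPLE='curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.11'
hardened_curl_opts "$(curl_version_from "$SAMPLE")" 10737418240
```

An unparseable version string compares as 0 and is refused, so a failed `curl --version` parse fails closed.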

[Feature request] Disable integrity check

It would be nice to have a commandline parameter to disable the integrity check, because it takes quite some time and for me personally it's not really necessary as the image is downloaded from a trusted source.

EDIT: An alternative would be to have a flag to let Mido just return the download url, and let me handle the download/processing myself.

[Bug] Windows 11 download returns error 403

For a while (a month) I haven't been able to download Windows 11 via Mido anymore. I can successfully download all other versions (8, 10, etc) but not 11. It always returns HTTP error 403.

At first I thought I just had been blocked, but I tried from many different IP addresses and they all result in error 403. So I am starting to think the problem is not on my end, but some change in the query parameter format for example.

Can someone please confirm whether Win11 download is still working for them?

[Suggestion] Speedup archive.org sources with torrent?

The only con then is that web.archive.org is a much slower download source than the Microsoft servers

archive.org sources can use massive speedup from using torrents.

The torrents have great amount of seeders, and webseeds from archive.org

Here's a discussion regarding the same thing.
dockur/windows#232

aria2 might also speed up HTTP downloads since it can download segments in parallel (if the server allows multiple connections)

feat: add Microsoft Office ISOs

Description

I've been using Mido for downloading various versions of Windows and appreciate its security features and minimalist design. It's incredibly useful for automating downloads and setting up virtual machines. However, I noticed that it currently supports downloading Windows OS versions only.

Suggestion

It would be great if Mido could also support downloading Microsoft Office ISOs. This feature would make Mido even more versatile and beneficial for users who need to download Office for their work or personal use.

Benefits

  • Consolidation: Users could manage both Windows and Office downloads from a single tool.
  • Convenience: It simplifies the process of setting up a new system with both Windows and Office installed.
  • Automation: Like Windows downloads, Office downloads could also be automated, saving time and effort.

Conclusion

Adding Microsoft Office ISOs to Mido would enhance its functionality and provide a comprehensive solution for downloading Microsoft products securely and efficiently. Thank you for considering this suggestion.

Updated Win11 23H2 SHA-256

Hello!

Absolutely love this tool, just discovered it when researching the absurdity that is MS's iso download process and it's already saved me a ton of sanity.

Thought I'd submit the current SHA-256 for Win11 23H2:

71a7ae6974866603d366a911b0c00eace476e0b49d12205d7529765cc50b4b39

Verified via my own downloads using Mido and: https://answers.microsoft.com/en-us/windows/forum/all/windows-11-23h2-multi-edition-iso-is-released-by/6aae0a33-fb9c-4e26-be2e-2fdeeb53b268

Thanks again for this!

Rewrite in Rust?

Hey! I just saw this project off of Reddit and saw there was a need for a GTK application. I was likewise wondering if there'd be interest in making this project work in Rust, which could provide some nice benefits compared to the current implementation:

  • This tool could be exposed as a library, allowing any Rust program to use its functionality in a clean manner
  • The CLI and GUI can both use the same codebase, with the only differences being the code to make the CLI/GUI work

I'm throwing this out to get some thoughts on whether it'd be a viable option or not. What do you think?

free(): invalid pointer error

Immediately aborts with the error:

*** glibc detected *** /bin/sh: free(): invalid pointer: 0x000cd0cc ***

Attempting to run it on an old nas with 'uname':
Linux Seagate-D2 3.10.72-svn18863 #1 Thu Jan 17 00:12:15 UTC 2019 armv7l GNU/Linux

Kernel & software is probably too deprecated?
