testsAndMisc/phone_focus_mode/deploy.sh
Krzysztof kuhy Rudnicki 00c383008a phone_focus_mode: prevent Magisk app from disabling Systemless Hosts module
The Magisk app's Modules tab "Disable" / "Remove" buttons work by
creating marker files (disable, remove) in /data/adb/modules/hosts/.
Tapping Disable in the app on next boot would skip the module's
magic-mount of /system/etc/hosts, silently disabling all hosts-file
blocking.

Defense in depth:

1. deploy.sh chattr +i's the module dir + its hosts file so the
   Magisk app cannot create disable/remove markers (kernel returns
   EPERM). The +i attribute survives reboot.

2. hosts_enforcer.sh adds protect_magisk_module(): every poll cycle
   (and on startup) scans for disable/remove/update markers, deletes
   them, logs TAMPER, and re-asserts +i on the dir. Safety net in
   case the lock is bypassed.

3. sync_magisk_module() now drops +i briefly before its cp and
   re-locks via protect_magisk_module() so workout-state hosts
   swaps still work.

4. deploy.sh detects the previously-silent failure mode of the
   module being enabled on disk but not yet magic-mounted (no
   /system/etc/hosts) and aborts with a clear reboot-required
   message instead of producing a deploy that does nothing.

5. focus_ctl.sh hosts-status now prints the lock state and warns
   about any present markers.

Verified end-to-end on BL9000EEA0000102:
- Pre-reboot: chattr +i set, touch /data/adb/modules/hosts/disable
  returns Operation not permitted.
- Post-reboot: /system/etc/hosts magic-mounted (178303 lines, sha
  matches canonical), lock survives reboot, ping youtube.com -> 127.0.0.1.
- Tamper test: chattr -i + touch disable -> enforcer logs
  'TAMPER: removed Magisk module marker' within 15s and re-locks.

Documented intentional override path inline (focus_ctl.sh hosts-stop;
chattr -i; touch disable).
2026-05-06 21:40:51 +02:00

633 lines
32 KiB
Bash
Executable File

#!/bin/bash
# ============================================================
# Focus Mode Deployment Script
# Deploys focus mode to your rooted BL-9000 via wireless ADB
#
# Usage:
# ./deploy.sh [phone_ip] - Full deploy (first time or update)
# ./deploy.sh [phone_ip] --status - Check status
# ./deploy.sh [phone_ip] --log - View log
# ./deploy.sh [phone_ip] --stop - Stop daemon
# ./deploy.sh [phone_ip] --enable - Force focus mode on
# ./deploy.sh [phone_ip] --disable - Force focus mode off
# ============================================================
set -euo pipefail
PHONE_IP="${1:-}"
ACTION="${2:---deploy}"
REMOTE_DIR="/data/local/tmp/focus_mode"
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
ADB_TARGET=()
# Support orchestrator-driven device targeting via ADB_SERIAL.
# When ADB_SERIAL is set, deploy.sh uses that target directly and preserves
# the existing PHONE_IP workflow when ADB_SERIAL is unset.
if [[ -n "${ADB_SERIAL:-}" ]]; then
ADB_TARGET=(-s "${ADB_SERIAL}")
if [[ -z "${PHONE_IP}" || "${PHONE_IP}" == --* ]]; then
ACTION="${PHONE_IP:---deploy}"
PHONE_IP=""
fi
fi
adb_cmd() {
adb "${ADB_TARGET[@]}" "$@"
}
usage() {
echo "Usage: $0 <phone_ip> [action]"
echo " or: ADB_SERIAL=<serial> $0 [action]"
echo ""
echo "Actions:"
echo " (none) Full deploy"
echo " --status Show daemon status and current mode"
echo " --log Tail the daemon log"
echo " --stop Stop daemon (re-enables all apps)"
echo " --start Start daemon"
echo " --restart Restart daemon"
echo " --enable Force focus mode on"
echo " --disable Force focus mode off"
echo " --list List all third-party apps and whitelist status"
echo " --pull-log Download log file locally"
echo " --find-pkg Show installed packages matching a filter (e.g. --find-pkg pomodoro)"
echo " --hosts-status Show hosts enforcer status on the phone"
echo " --hosts-log Show hosts enforcer log on the phone"
echo " --launcher-status Show launcher enforcer status on the phone"
echo " --launcher-log Show launcher enforcer log on the phone"
echo " --snapshot-launcher Snapshot installed Minimalist Phone APK + default HOME"
echo " --install-aurora Download & install Aurora Store (open-source Play Store alt)"
echo ""
echo "Examples:"
echo " $0 192.168.1.42"
echo " $0 192.168.1.42 --status"
echo " $0 192.168.1.42 --find-pkg stronglift"
exit 1
}
# ---- Pre-flight checks ----
check_adb() {
if ! command -v adb >/dev/null 2>&1; then
echo "ERROR: adb not found. Install Android platform-tools first."
echo " Ubuntu/Debian: sudo apt install adb"
echo " Arch: sudo pacman -S android-tools"
exit 1
fi
}
check_coords() {
local lat lon
lat="$(grep '^.*HOME_LAT=' "$SCRIPT_DIR/config.sh" "$SCRIPT_DIR/config_secrets.sh" 2>/dev/null | tail -1 | cut -d'"' -f2)"
lon="$(grep '^.*HOME_LON=' "$SCRIPT_DIR/config.sh" "$SCRIPT_DIR/config_secrets.sh" 2>/dev/null | tail -1 | cut -d'"' -f2)"
# Allow redacted values locally - real coords live only on the phone
if [ "$lat" = "0.000000" ] && [ "$lon" = "0.000000" ]; then
echo "ERROR: Home coordinates not set (all zeros). Set them in config_secrets.sh."
exit 1
fi
if [ -z "$lat" ] || [ -z "$lon" ]; then
echo " Home location: (not set locally - will use values on phone)"
else
echo " Home location: $lat, $lon"
fi
}
check_ip() {
if [[ -n "${ADB_SERIAL:-}" ]]; then
return 0
fi
if [ -z "$PHONE_IP" ]; then
echo "ERROR: Phone IP not provided."
echo ""
usage
fi
}
connect_adb() {
if [[ -n "${ADB_SERIAL:-}" ]]; then
if ! adb devices | awk 'NR>1 && $2=="device"{print $1}' | grep -Fxq "${ADB_SERIAL}"; then
echo "ERROR: ADB_SERIAL '${ADB_SERIAL}' is not connected."
echo "Connect device via USB or pair wireless ADB first."
exit 1
fi
ADB_TARGET=(-s "${ADB_SERIAL}")
echo "Using ADB_SERIAL target: ${ADB_SERIAL}"
return 0
fi
echo "Connecting to $PHONE_IP:5555 ..."
adb connect "$PHONE_IP:5555"
sleep 1
if ! adb devices | grep -q "$PHONE_IP"; then
echo "ERROR: Could not connect to $PHONE_IP:5555"
echo "Make sure wireless ADB is enabled and the phone is reachable."
exit 1
fi
ADB_TARGET=(-s "$PHONE_IP:5555")
echo "Connected."
}
# Wrapper: run a root shell command on the phone.
# Uses --mount-master so the command sees (and can modify) the global mount
# namespace — required for any status checks that inspect the hosts bind
# mount, /data/adb/focus_mode files, or for starting daemons.
adb_root() {
local command_text="$1"
printf '%s\n' "$command_text" | adb_cmd shell su --mount-master -c "sh -s"
}
compute_file_hash() {
local path="$1"
if command -v sha256sum >/dev/null 2>&1; then
sha256sum "$path" | awk '{print $1}'
return 0
fi
md5sum "$path" | awk '{print $1}'
}
# ============================================================
# AURORA STORE
# ============================================================
# Aurora Store is a free, open-source Play Store client that lets you
# install apps anonymously without a Google account. We use it so that
# Play Store (com.android.vending) can be network-blocked during focus
# mode without preventing legitimate app installs at other times.
#
# Official release APK is hosted on the Aurora OSS GitLab. We pin a
# known version tag and verify the hash on every install.
AURORA_VERSION="4.8.1"
AURORA_APK_URL="https://gitlab.com/-/project/6922885/uploads/2ee95ec85244b45cc860b63ec7a10ad6/AuroraStore-4.8.1.apk"
AURORA_PACKAGE="com.aurora.store"
do_install_aurora() {
connect_adb
# Check if already installed.
if adb_cmd shell pm list packages 2>/dev/null | grep -qx "package:${AURORA_PACKAGE}"; then
echo "Aurora Store is already installed (${AURORA_PACKAGE})."
return 0
fi
echo "Downloading Aurora Store ${AURORA_VERSION}..."
local tmp_apk
tmp_apk="$(mktemp --suffix=.apk)"
if ! curl -fsSL --retry 3 -o "$tmp_apk" "$AURORA_APK_URL"; then
rm -f "$tmp_apk"
echo "ERROR: Failed to download Aurora Store from $AURORA_APK_URL"
echo "Manual download: https://auroraoss.com/"
return 1
fi
echo "Installing Aurora Store..."
if adb_cmd install -r "$tmp_apk"; then
echo "Aurora Store ${AURORA_VERSION} installed successfully."
echo "Open Aurora Store on the phone, choose 'Anonymous' login, then install apps normally."
else
echo "ERROR: adb install failed. You can side-load manually:"
echo " adb install ${tmp_apk}"
fi
rm -f "$tmp_apk"
}
# ============================================================
# DEPLOY
# ============================================================
do_deploy() {
echo "=== Focus Mode Deployer ==="
echo ""
check_coords
echo ""
echo "[1/7] Connecting to phone..."
connect_adb
echo "[2/7] Verifying root access..."
if ! adb_root "id" | grep -q "uid=0"; then
echo "ERROR: Could not get root shell. Is Magisk installed?"
exit 1
fi
echo " Root confirmed."
echo "[3/7] Creating directories on device..."
# Use world-writable staging dir so non-root adb push works
adb_cmd shell "mkdir -p /data/local/tmp/focus_stage"
adb_root "mkdir -p $REMOTE_DIR /data/adb/service.d"
adb_root "chmod 777 /data/local/tmp/focus_stage"
echo "[4/7] Uploading scripts..."
adb_cmd push "$SCRIPT_DIR/config.sh" "/data/local/tmp/focus_stage/config.sh"
adb_cmd push "$SCRIPT_DIR/focus_daemon.sh" "/data/local/tmp/focus_stage/focus_daemon.sh"
adb_cmd push "$SCRIPT_DIR/focus_ctl.sh" "/data/local/tmp/focus_stage/focus_ctl.sh"
adb_cmd push "$SCRIPT_DIR/hosts_enforcer.sh" "/data/local/tmp/focus_stage/hosts_enforcer.sh"
adb_cmd push "$SCRIPT_DIR/dns_enforcer.sh" "/data/local/tmp/focus_stage/dns_enforcer.sh"
adb_cmd push "$SCRIPT_DIR/launcher_enforcer.sh" "/data/local/tmp/focus_stage/launcher_enforcer.sh"
adb_cmd push "$SCRIPT_DIR/workout_detector.sh" "/data/local/tmp/focus_stage/workout_detector.sh"
adb_cmd push "$SCRIPT_DIR/magisk_service.sh" "/data/local/tmp/focus_stage/99-focus-mode.sh"
# ---- sqlite3 binary for workout_detector.sh ----
# Stored outside the repo (binary-files policy). Built once via the NDK
# against the SQLite amalgamation; see workout_detector.sh comments for
# the recipe. ~1.6 MB stripped, aarch64, PIE, dynamically linked against
# bionic (Android 30+).
SQLITE3_BIN="$SCRIPT_DIR/../../testsAndMisc_binaries/phone_focus_mode/sqlite3"
if [ -f "$SQLITE3_BIN" ]; then
echo " Uploading sqlite3 binary ($(stat -c%s "$SQLITE3_BIN") bytes)..."
adb_cmd push "$SQLITE3_BIN" "/data/local/tmp/focus_stage/sqlite3"
else
echo " WARNING: sqlite3 binary not found at $SQLITE3_BIN"
echo " workout_detector will not function until you build & place it there."
fi
# Generate and upload the canonical hosts file (StevenBlack + custom entries).
# This mirrors what linux_configuration/hosts/install.sh installs on the PC.
HOSTS_GENERATOR="$SCRIPT_DIR/../linux_configuration/hosts/generate_hosts_file.sh"
if [ -f "$HOSTS_GENERATOR" ]; then
chmod +x "$HOSTS_GENERATOR" 2>/dev/null || true
echo " Generating canonical hosts file..."
HOSTS_TMP="$(mktemp)"
HOSTS_SHA_TMP="$(mktemp)"
if bash "$HOSTS_GENERATOR" "$HOSTS_TMP"; then
hosts_hash="$(compute_file_hash "$HOSTS_TMP")"
printf '%s\n' "$hosts_hash" > "$HOSTS_SHA_TMP"
echo " Uploading canonical hosts ($(wc -l < "$HOSTS_TMP") lines)..."
adb_cmd push "$HOSTS_TMP" "/data/local/tmp/focus_stage/hosts.canonical"
adb_cmd push "$HOSTS_SHA_TMP" "/data/local/tmp/focus_stage/hosts.sha256"
# ---- Workout-variant canonical ----
# Same content as the full canonical, with all lines that block
# any of $WORKOUT_UNBLOCK_DOMAINS removed. Used by hosts_enforcer
# while a StrongLifts workout is in progress.
HOSTS_WORKOUT_TMP="$(mktemp)"
HOSTS_WORKOUT_SHA_TMP="$(mktemp)"
# Read $WORKOUT_UNBLOCK_DOMAINS from the freshly-staged config.sh
# so the generator and the runtime always agree on the domain set.
UNBLOCK_DOMAINS="$(
# shellcheck disable=SC1091
( . "$SCRIPT_DIR/config.sh" >/dev/null 2>&1; printf '%s\n' "$WORKOUT_UNBLOCK_DOMAINS" ) \
| sed 's/[[:space:]]\{1,\}/\n/g' \
| grep -vE '^[[:space:]]*(#|$)' \
| sort -u
)"
if [ -n "$UNBLOCK_DOMAINS" ]; then
# Build an awk regex of exact-match domains anchored as the
# *value* column of a hosts entry ("<ip> <domain>" possibly
# followed by aliases). We strip any line whose first non-IP
# token matches one of the unblock domains.
python3 - "$HOSTS_TMP" "$HOSTS_WORKOUT_TMP" <<PY_EOF || cp "$HOSTS_TMP" "$HOSTS_WORKOUT_TMP"
import sys
unblock = set("""
$UNBLOCK_DOMAINS
""".split())
with open(sys.argv[1], 'r', encoding='utf-8', errors='replace') as src, \
open(sys.argv[2], 'w', encoding='utf-8') as dst:
for line in src:
s = line.strip()
if not s or s.startswith('#'):
dst.write(line)
continue
parts = s.split()
# Hosts entry layout: <ip> <name> [aliases...]
if len(parts) >= 2 and any(p.lower() in unblock for p in parts[1:]):
continue
dst.write(line)
PY_EOF
workout_hash="$(compute_file_hash "$HOSTS_WORKOUT_TMP")"
printf '%s\n' "$workout_hash" > "$HOSTS_WORKOUT_SHA_TMP"
stripped_lines=$(($(wc -l < "$HOSTS_TMP") - $(wc -l < "$HOSTS_WORKOUT_TMP")))
echo " Uploading workout-variant hosts (stripped $stripped_lines YouTube lines)..."
adb_cmd push "$HOSTS_WORKOUT_TMP" "/data/local/tmp/focus_stage/hosts.canonical.workout"
adb_cmd push "$HOSTS_WORKOUT_SHA_TMP" "/data/local/tmp/focus_stage/hosts.sha256.workout"
fi
rm -f "$HOSTS_WORKOUT_TMP" "$HOSTS_WORKOUT_SHA_TMP"
rm -f "$HOSTS_TMP"
rm -f "$HOSTS_SHA_TMP"
else
rm -f "$HOSTS_TMP"
rm -f "$HOSTS_SHA_TMP"
echo " WARNING: failed to generate hosts file - skipping hosts enforcement"
fi
else
echo " WARNING: $HOSTS_GENERATOR not found - skipping hosts enforcement"
fi
# Only push config_secrets.sh if phone doesn't already have one
if adb_root "test -f $REMOTE_DIR/config_secrets.sh" 2>/dev/null; then
echo " config_secrets.sh already exists on phone - skipping (preserving real coords)"
else
echo " Pushing config_secrets.sh (first install)..."
adb_cmd push "$SCRIPT_DIR/config_secrets.sh" "/data/local/tmp/focus_stage/config_secrets.sh"
adb_root "cp /data/local/tmp/focus_stage/config_secrets.sh $REMOTE_DIR/config_secrets.sh"
fi
# Move staged files into place with root
adb_root "cp /data/local/tmp/focus_stage/config.sh $REMOTE_DIR/config.sh"
adb_root "cp /data/local/tmp/focus_stage/focus_daemon.sh $REMOTE_DIR/focus_daemon.sh"
adb_root "cp /data/local/tmp/focus_stage/focus_ctl.sh $REMOTE_DIR/focus_ctl.sh"
adb_root "cp /data/local/tmp/focus_stage/hosts_enforcer.sh $REMOTE_DIR/hosts_enforcer.sh"
adb_root "cp /data/local/tmp/focus_stage/dns_enforcer.sh $REMOTE_DIR/dns_enforcer.sh"
adb_root "cp /data/local/tmp/focus_stage/launcher_enforcer.sh $REMOTE_DIR/launcher_enforcer.sh"
adb_root "cp /data/local/tmp/focus_stage/workout_detector.sh $REMOTE_DIR/workout_detector.sh"
if adb_cmd shell "test -f /data/local/tmp/focus_stage/sqlite3" 2>/dev/null; then
adb_root "cp /data/local/tmp/focus_stage/sqlite3 $REMOTE_DIR/sqlite3"
adb_root "chmod 0755 $REMOTE_DIR/sqlite3"
fi
if grep -q '^export FOCUS_BOOT_AUTOSTART=1' "$SCRIPT_DIR/config.sh"; then
adb_root "cp /data/local/tmp/focus_stage/99-focus-mode.sh /data/adb/service.d/99-focus-mode.sh"
else
adb_root "rm -f /data/adb/service.d/99-focus-mode.sh /data/adb/service.d/99-focus-mode.sh.disabled"
fi
# Install canonical hosts and lock it down (only if generator produced it).
if adb_cmd shell "test -f /data/local/tmp/focus_stage/hosts.canonical" 2>/dev/null; then
# chattr -i first so we can overwrite a previously-locked canonical
adb_root "chattr -i $REMOTE_DIR/hosts.canonical 2>/dev/null; true"
adb_root "cp /data/local/tmp/focus_stage/hosts.canonical $REMOTE_DIR/hosts.canonical"
adb_root "chmod 644 $REMOTE_DIR/hosts.canonical"
# Pre-compute the sha so the enforcer does not have to seed it.
adb_root "chattr -i $REMOTE_DIR/hosts.sha256 2>/dev/null; true"
adb_root "cp /data/local/tmp/focus_stage/hosts.sha256 $REMOTE_DIR/hosts.sha256"
adb_root "chmod 644 $REMOTE_DIR/hosts.sha256"
adb_root "chattr +i $REMOTE_DIR/hosts.canonical 2>/dev/null; true"
adb_root "chattr +i $REMOTE_DIR/hosts.sha256 2>/dev/null; true"
# ---- Workout-variant canonical (optional) ----
# Same lockdown treatment as the full canonical. Pushed by the workout
# hosts generator block above. Missing variant means workout_detector\
# will simply have no relaxed file to swap to (hosts_enforcer falls\
# back to the full canonical).
if adb_cmd shell "test -f /data/local/tmp/focus_stage/hosts.canonical.workout" 2>/dev/null; then
adb_root "chattr -i $REMOTE_DIR/hosts.canonical.workout 2>/dev/null; true"
adb_root "cp /data/local/tmp/focus_stage/hosts.canonical.workout $REMOTE_DIR/hosts.canonical.workout"
adb_root "chmod 644 $REMOTE_DIR/hosts.canonical.workout"
adb_root "chattr -i $REMOTE_DIR/hosts.sha256.workout 2>/dev/null; true"
adb_root "cp /data/local/tmp/focus_stage/hosts.sha256.workout $REMOTE_DIR/hosts.sha256.workout"
adb_root "chmod 644 $REMOTE_DIR/hosts.sha256.workout"
adb_root "chattr +i $REMOTE_DIR/hosts.canonical.workout 2>/dev/null; true"
adb_root "chattr +i $REMOTE_DIR/hosts.sha256.workout 2>/dev/null; true"
fi
# ---- Magisk Systemless Hosts module (REQUIRED) ----
# This module magic-mounts /data/adb/modules/hosts/system/etc/hosts
# as /system/etc/hosts at boot — the only way to create that file on
# this ROM's hardware-read-only system partition.
#
# The module must be ENABLED in the Magisk app by the user (one-time,
# after each factory reset). We CANNOT enable it programmatically.
# Without it, no app-level hosts blocking is possible, so we STOP here
# and require user action before the deploy can proceed.
local magisk_hosts_ok=0
local magisk_hosts_state="absent"
if adb_root "test -d /data/adb/modules/hosts" 2>/dev/null; then
if adb_root "test -f /data/adb/modules/hosts/disable -o -f /data/adb/modules/hosts/remove" 2>/dev/null; then
magisk_hosts_state="disabled"
elif ! adb_root "test -f /system/etc/hosts" 2>/dev/null; then
# Module dir exists, no disable marker, but the magic-mount
# has not happened yet. Either the user just enabled it but
# has not rebooted, or the module is in a broken state.
magisk_hosts_state="not-mounted"
else
magisk_hosts_ok=1
magisk_hosts_state="ok"
fi
fi
if [[ "$magisk_hosts_ok" -eq 0 ]]; then
echo ""
echo "╔══════════════════════════════════════════════════════════════════╗"
echo "║ ACTION REQUIRED — Deploy cannot continue ║"
echo "╠══════════════════════════════════════════════════════════════════╣"
if [[ "$magisk_hosts_state" == "not-mounted" ]]; then
echo "║ Magisk 'Systemless Hosts' module is enabled on disk but the ║"
echo "║ /system/etc/hosts magic-mount has NOT happened yet. ║"
echo "║ This means the device has not been rebooted since the module ║"
echo "║ was last toggled on. Without the magic-mount, no hosts-file ║"
echo "║ blocking is possible (the partition is hardware read-only). ║"
echo "║ ║"
echo "║ Steps to fix: ║"
echo "║ 1. Reboot the phone now (adb reboot, or hold power) ║"
echo "║ 2. After reboot, re-run this deploy command ║"
else
echo "║ The Magisk 'Systemless Hosts' module is not enabled. ║"
echo "║ Without it, hosts-file blocking is impossible on this device ║"
echo "║ (the system partition is hardware read-only even with root). ║"
echo "║ ║"
echo "║ Steps to fix: ║"
echo "║ 1. Open the Magisk app on the phone ║"
echo "║ 2. Tap the Modules tab (puzzle-piece icon) ║"
echo "║ 3. Find 'Systemless Hosts' and toggle it ON ║"
echo "║ 4. Reboot the phone when prompted ║"
echo "║ 5. Re-run this deploy command ║"
fi
echo "╚══════════════════════════════════════════════════════════════════╝"
echo ""
exit 1
fi
adb_root "mkdir -p /data/adb/modules/hosts/system/etc"
# Drop any +i lock the runtime hosts_enforcer may have set on the
# module dir / hosts file so we can update them. The enforcer will
# re-lock on its next poll cycle. Also pre-emptively delete any
# disable/remove markers that may exist on disk before we start.
adb_root "chattr -i /data/adb/modules/hosts /data/adb/modules/hosts/system/etc/hosts 2>/dev/null; rm -f /data/adb/modules/hosts/disable /data/adb/modules/hosts/remove /data/adb/modules/hosts/update; true"
adb_root "cp $REMOTE_DIR/hosts.canonical /data/adb/modules/hosts/system/etc/hosts"
adb_root "chmod 644 /data/adb/modules/hosts/system/etc/hosts"
# Lock the module dir to block the Magisk app's "Disable" / "Remove"
# buttons (they create marker files inside the dir). Files already
# in the dir stay mutable so the runtime enforcer can still update
# the hosts file on workout state changes.
adb_root "chattr +i /data/adb/modules/hosts/system/etc/hosts 2>/dev/null; true"
adb_root "chattr +i /data/adb/modules/hosts 2>/dev/null; true"
echo " Magisk hosts module populated ($(adb_root "wc -l < /data/adb/modules/hosts/system/etc/hosts" 2>/dev/null | tr -d ' ') lines), locked against UI-disable. Reboot to activate /system/etc/hosts."
fi
adb_root "rm -rf /data/local/tmp/focus_stage"
echo "[5/7] Setting permissions..."
adb_root "chmod 755 $REMOTE_DIR/config.sh $REMOTE_DIR/focus_daemon.sh $REMOTE_DIR/focus_ctl.sh $REMOTE_DIR/hosts_enforcer.sh $REMOTE_DIR/dns_enforcer.sh $REMOTE_DIR/launcher_enforcer.sh $REMOTE_DIR/workout_detector.sh" || true
if grep -q '^export FOCUS_BOOT_AUTOSTART=1' "$SCRIPT_DIR/config.sh"; then
adb_root "chmod 755 /data/adb/service.d/99-focus-mode.sh"
fi
adb_root "touch $REMOTE_DIR/disabled_by_focus.txt $REMOTE_DIR/focus_mode.log $REMOTE_DIR/hosts_enforcer.log $REMOTE_DIR/dns_enforcer.log $REMOTE_DIR/launcher_enforcer.log $REMOTE_DIR/workout_detector.log"
# State files need 666 so the daemons can write regardless of SELinux context drift
adb_root "chmod 666 $REMOTE_DIR/disabled_by_focus.txt $REMOTE_DIR/focus_mode.log $REMOTE_DIR/hosts_enforcer.log $REMOTE_DIR/dns_enforcer.log $REMOTE_DIR/launcher_enforcer.log $REMOTE_DIR/workout_detector.log" || true
echo "[6/7] Starting daemons..."
# Stop existing daemons, then start fresh
adb_root "for p in \$(pgrep -f '/data/local/tmp/focus_mode/focus_daemon.sh' 2>/dev/null); do kill \"\$p\" 2>/dev/null || true; done"
adb_root "for p in \$(pgrep -f '/data/local/tmp/focus_mode/hosts_enforcer.sh' 2>/dev/null); do kill \"\$p\" 2>/dev/null || true; done"
adb_root "for p in \$(pgrep -f '/data/local/tmp/focus_mode/dns_enforcer.sh' 2>/dev/null); do kill \"\$p\" 2>/dev/null || true; done"
adb_root "for p in \$(pgrep -f '/data/local/tmp/focus_mode/launcher_enforcer.sh' 2>/dev/null); do kill \"\$p\" 2>/dev/null || true; done"
adb_root "for p in \$(pgrep -f '/data/local/tmp/focus_mode/workout_detector.sh' 2>/dev/null); do kill \"\$p\" 2>/dev/null || true; done"
adb_root "kill \$(cat $REMOTE_DIR/daemon.pid 2>/dev/null) 2>/dev/null; true"
adb_root "kill \$(cat $REMOTE_DIR/hosts_enforcer.pid 2>/dev/null) 2>/dev/null; true"
adb_root "kill \$(cat $REMOTE_DIR/dns_enforcer.pid 2>/dev/null) 2>/dev/null; true"
adb_root "kill \$(cat $REMOTE_DIR/launcher_enforcer.pid 2>/dev/null) 2>/dev/null; true"
adb_root "kill \$(cat $REMOTE_DIR/workout_detector.pid 2>/dev/null) 2>/dev/null; true"
sleep 1
adb_root "for p in \$(pgrep -f '/data/local/tmp/focus_mode/focus_daemon.sh' 2>/dev/null); do kill -9 \"\$p\" 2>/dev/null || true; done"
adb_root "for p in \$(pgrep -f '/data/local/tmp/focus_mode/hosts_enforcer.sh' 2>/dev/null); do kill -9 \"\$p\" 2>/dev/null || true; done"
adb_root "for p in \$(pgrep -f '/data/local/tmp/focus_mode/dns_enforcer.sh' 2>/dev/null); do kill -9 \"\$p\" 2>/dev/null || true; done"
adb_root "for p in \$(pgrep -f '/data/local/tmp/focus_mode/launcher_enforcer.sh' 2>/dev/null); do kill -9 \"\$p\" 2>/dev/null || true; done"
adb_root "for p in \$(pgrep -f '/data/local/tmp/focus_mode/workout_detector.sh' 2>/dev/null); do kill -9 \"\$p\" 2>/dev/null || true; done"
sleep 1
adb_root "rm -f $REMOTE_DIR/daemon.pid $REMOTE_DIR/hosts_enforcer.pid $REMOTE_DIR/dns_enforcer.pid $REMOTE_DIR/launcher_enforcer.pid $REMOTE_DIR/workout_detector.pid"
# Start hosts enforcer first so hosts are locked before user can react.
# Use --mount-master so bind mounts propagate to the global namespace
# (where app processes live). Without this, only our isolated `su` session
# would see the bind-mounted hosts file.
if adb_root "test -f $REMOTE_DIR/hosts.canonical" 2>/dev/null; then
adb_cmd shell su --mount-master -c 'setsid sh /data/local/tmp/focus_mode/hosts_enforcer.sh </dev/null >/dev/null 2>/dev/null &'
fi
# Start workout detector BEFORE the hosts enforcer's first integrity check
# so the enforcer sees a non-stale workout_active flag. The detector itself
# is harmless if no workout is in progress (it just writes 0).
if adb_root "test -x $REMOTE_DIR/sqlite3" 2>/dev/null; then
adb_cmd shell su --mount-master -c 'setsid sh /data/local/tmp/focus_mode/workout_detector.sh </dev/null >/dev/null 2>/dev/null &'
fi
# Start DNS enforcer (forces Private DNS off, blocks DoH/DoT). Always on.
adb_cmd shell su --mount-master -c 'setsid sh /data/local/tmp/focus_mode/dns_enforcer.sh </dev/null >/dev/null 2>/dev/null &'
# Start launcher enforcer only if a snapshot APK exists. If not, warn the
# user to install Minimalist Phone + run --snapshot-launcher first.
if adb_root "test -f $REMOTE_DIR/minimalist_launcher.apk" 2>/dev/null; then
adb_cmd shell su --mount-master -c 'setsid sh /data/local/tmp/focus_mode/launcher_enforcer.sh </dev/null >/dev/null 2>/dev/null &'
else
echo " NOTE: launcher snapshot missing. Install Minimalist Phone via Aurora Store, then run:"
echo " $0 $PHONE_IP --snapshot-launcher"
fi
adb_cmd shell su --mount-master -c 'setsid sh /data/local/tmp/focus_mode/focus_daemon.sh </dev/null >/dev/null 2>/dev/null &'
sleep 4
# ---- Companion status notification app ----
APP_DIR="$SCRIPT_DIR/focus_status_app"
APK="$APP_DIR/build/focus_status.apk"
if [ -d "$APP_DIR" ]; then
echo "[7/7] Building & installing companion status-notification app..."
needs_rebuild=0
if [ ! -f "$APK" ]; then
needs_rebuild=1
elif [ "$APP_DIR/AndroidManifest.xml" -nt "$APK" ]; then
needs_rebuild=1
elif [ "$APP_DIR/build.sh" -nt "$APK" ]; then
needs_rebuild=1
fi
if [ "$needs_rebuild" -eq 1 ]; then
echo " Building APK..."
(cd "$APP_DIR" && bash build.sh) >/dev/null
fi
if [ -f "$APK" ]; then
echo " Installing APK..."
adb_cmd install -r "$APK" >/dev/null || true
# Grant runtime permission (Android 13+ requires it for notifications).
adb_cmd shell pm grant com.kuhy.focusstatus android.permission.POST_NOTIFICATIONS >/dev/null 2>&1 || true
# Pre-approve Magisk SU so the app never shows the approval prompt.
APP_UID="$(
adb_cmd shell dumpsys package com.kuhy.focusstatus 2>/dev/null \
| awk 'match($0, /userId=[0-9]+/) {print substr($0, RSTART + 7, RLENGTH - 7); exit}'
)"
if [ -n "$APP_UID" ]; then
adb_cmd shell "su -c 'magisk --sqlite \"INSERT OR REPLACE INTO policies (uid,policy,until,logging,notification) VALUES ($APP_UID,2,0,1,1)\"'" >/dev/null 2>&1 || true
fi
# Launch the invisible activity which kicks off the foreground service.
adb_cmd shell am start -n com.kuhy.focusstatus/.LaunchActivity >/dev/null 2>&1 || true
echo " Companion app running (look for the ongoing 'Focus Mode' notification)."
else
echo " WARNING: APK build failed - skipping companion app install"
fi
fi
echo ""
echo "=== Deploy complete! ==="
echo ""
echo "Checking status..."
adb_root "sh $REMOTE_DIR/focus_ctl.sh status"
echo ""
echo "Boot autostart is disabled by default (FOCUS_BOOT_AUTOSTART=0)."
echo "No Magisk service.d hook is installed unless FOCUS_BOOT_AUTOSTART=1 in config.sh."
echo "Launcher enforcement does not auto-start on boot unless LAUNCHER_BOOT_AUTOSTART=1 is set in config.sh."
echo ""
echo "Useful commands:"
echo " $0 $PHONE_IP --status # Check mode and location"
echo " $0 $PHONE_IP --log # View daemon log"
echo " $0 $PHONE_IP --list # See all apps and whitelist status"
echo " $0 $PHONE_IP --enable # Force focus mode on for testing"
echo " $0 $PHONE_IP --disable # Force focus mode off"
echo " $0 $PHONE_IP --install-aurora # Install Aurora Store (Play Store alternative)"
}
# ============================================================
# Control actions (post-deploy)
# ============================================================
do_control() {
local ctl_cmd="$1"
connect_adb
adb_root "sh $REMOTE_DIR/focus_ctl.sh $ctl_cmd"
}
do_pull_log() {
connect_adb
echo "Downloading log..."
adb_cmd pull "$REMOTE_DIR/focus_mode.log" "./focus_mode_$(date +%Y%m%d_%H%M%S).log"
echo "Done."
}
do_find_pkg() {
local filter="${3:-}"
if [ -z "$filter" ]; then
echo "Usage: $0 <ip> --find-pkg <search_term>"
exit 1
fi
connect_adb
echo "Packages matching '$filter':"
adb_cmd shell pm list packages | grep -i "$filter" | sed 's/^package:/ /'
}
do_snapshot_launcher() {
# Run the on-device snapshot command. This captures the APK + HOME
# activity of the already-installed Minimalist Phone launcher into
# /data/adb/focus_mode/ so the launcher enforcer can restore it later.
# The user must install the launcher once (via Aurora/Play) before
# running this command - we only back up what's already there.
connect_adb
echo "Snapshotting currently-installed launcher APK..."
adb_root "sh $REMOTE_DIR/focus_ctl.sh launcher-snapshot"
echo ""
echo "Starting launcher enforcer..."
# Kill any previous enforcer so it picks up the new snapshot.
adb_root "kill \$(cat $REMOTE_DIR/launcher_enforcer.pid 2>/dev/null) 2>/dev/null; true"
adb_root "rm -f $REMOTE_DIR/launcher_enforcer.pid"
adb_cmd shell su --mount-master -c 'setsid sh /data/local/tmp/focus_mode/launcher_enforcer.sh </dev/null >/dev/null 2>/dev/null &'
sleep 3
adb_root "sh $REMOTE_DIR/focus_ctl.sh launcher-status"
}
# ============================================================
# Entry point
# ============================================================
check_adb
check_ip
case "$ACTION" in
--deploy|"") do_deploy ;;
--status) do_control "status" ;;
--log) connect_adb; adb_root "sh $REMOTE_DIR/focus_ctl.sh log 100" ;;
--stop) do_control "stop" ;;
--start) do_control "start" ;;
--restart) do_control "restart" ;;
--enable) do_control "enable" ;;
--disable) do_control "disable" ;;
--list) do_control "list-apps" ;;
--pull-log) do_pull_log ;;
--find-pkg) do_find_pkg "$@" ;;
--hosts-status) do_control "hosts-status" ;;
--hosts-log) connect_adb; adb_root "sh $REMOTE_DIR/focus_ctl.sh hosts-log 100" ;;
--launcher-status) do_control "launcher-status" ;;
--launcher-log) connect_adb; adb_root "sh $REMOTE_DIR/focus_ctl.sh launcher-log 100" ;;
--snapshot-launcher) do_snapshot_launcher ;;
--install-aurora) do_install_aurora ;;
*) echo "Unknown action: $ACTION"; usage ;;
esac