Build toolchain

Author: bjw-s

.github/workflows/build.yaml

@@ -9,7 +9,7 @@ on:
 
 concurrency:
   group: build-kobo-ssh
-  cancel-in-progress: true
+  cancel-in-progress: false
 
 jobs:
   filter-changes:
@@ -42,6 +42,8 @@ jobs:
     if: ${{ needs.filter-changes.outputs.toolchain_changed == 'true' }}
     name: Build toolchain image
     runs-on: ubuntu-latest
+    needs:
+      - filter-changes
     permissions:
       contents: read
       packages: write
@@ -83,38 +85,83 @@ jobs:
           cache-to: type=gha,mode=max
 
   build-koboroot:
-    if: ${{ needs.filter-changes.outputs.build_changed == 'true' }}
+    if: ${{ !cancelled() && !failure() && needs.filter-changes.outputs.build_changed == 'true' }}
     name: Build KoboRoot
     runs-on: ubuntu-latest
     needs:
       - filter-changes
       - build-toolchain-image
     permissions:
-      contents: read
+      contents: write
       packages: read
     env:
       TOOLCHAIN_IMAGE: ghcr.io/${{ github.repository_owner }}/kobo-ssh-toolchain:latest
-      DROPBEAR_TAG: DROPBEAR_2025.87
+      DROPBEAR_VERSION: "2025.87"
       OPENSSH_TAG: V_9_9_P2
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Grab toolchain image
+        run: |
+          docker pull "${{ env.TOOLCHAIN_IMAGE }}"
+
       - name: Clone dropbear sources
         run: |
-          git clone --depth 1 --branch "${{ env.DROPBEAR_TAG }}" https://github.com/mkj/dropbear.git external/dropbear
+          git clone --depth 1 --branch "DROPBEAR_${{ env.DROPBEAR_VERSION }}" https://github.com/mkj/dropbear.git external/dropbear
+
+      - name: Clone openssh-portable sources
+        run: |
+          git clone --depth 1 --branch "${{ env.OPENSSH_TAG }}" https://github.com/openssh/openssh-portable.git external/openssh-portable
+
+      - name: Set dropbear compilation options
+        run: |
+          cp build/dropbear/localoptions.h external/dropbear/localoptions.h
 
       - name: Build dropbear
-        uses: kohlerdominik/docker-run-action@v2
+        uses: kohlerdominik/docker-run-action@v2.0.0
         with:
           image: ${{ env.TOOLCHAIN_IMAGE }}
           volumes: |
-            ${{ github.workspace }}:/workspace
+            ${{ github.workspace }}/external/dropbear:/workspace
           workdir: /workspace
           run: |
             export PATH="/root/x-tools/arm-kobo-linux-gnueabihf/bin:$PATH"
             autoconf
             autoheader
             ./configure --host=arm-kobo-linux-gnueabihf --disable-zlib --disable-zlib CC="arm-kobo-linux-gnueabihf"-gcc LD="arm-kobo-linux-gnueabihf"-ld --disable-wtmp --disable-lastlog --disable-syslog --disable-utmpx --disable-utmp --disable-wtmpx --disable-loginfunc --disable-pututxline --disable-pututline --enable-bundled-libtom --disable-pam
             make clean
-            make PROGRAMS="dropbear dropbearkey" MULTI=1
+            make PROGRAMS="dropbear dropbearkey"
+
+      - name: Build sftp-server
+        uses: kohlerdominik/[email protected]
+        with:
+          image: ${{ env.TOOLCHAIN_IMAGE }}
+          volumes: |
+            ${{ github.workspace }}/external/openssh-portable:/workspace
+          workdir: /workspace
+          run: |
+            export PATH="/root/x-tools/arm-kobo-linux-gnueabihf/bin:$PATH"
+            autoconf
+            autoheader
+            ./configure --host=arm-kobo-linux-gnueabihf --without-openssl --without-zlib --without-pam --without-xauth CC="arm-kobo-linux-gnueabihf"-gcc LD="arm-kobo-linux-gnueabihf"-ld
+            make clean
+            make sftp-server
+
+      - name: Build KoboRoot.tgz artifact
+        run: |
+          mkdir -p KoboRoot/usr/bin
+          mv external/dropbear/dropbear KoboRoot/usr/bin/
+          mv external/dropbear/dropbearkey KoboRoot/usr/bin/
+          mv external/openssh-portable/sftp-server KoboRoot/usr/bin/
+
+          mkdir -p dist
+          tar -cvzf dist/KoboRoot.tgz -C KoboRoot .
+
+      - name: Release artifact
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: ${{ env.DROPBEAR_VERSION }}
+          body: |
+            Dropbear ${DROPBEAR_VERSION} for Kobo eReaders
+          files: dist/KoboRoot.tgz

.gitignore

@@ -1,6 +1,7 @@
 # Compiled binaries
-KoboRoot/usr/bin/dropbearmulti
-KoboRoot/usr/libexec/sftp-server
+KoboRoot/usr/bin/dropbear
+KoboRoot/usr/bin/dropbearkey
+KoboRoot/usr/bin/sftp-server
 
 # Remote sources
 external/

KoboRoot/usr/local/dropbear/on-boot.sh

@@ -2,7 +2,7 @@
 
 case "$(pidof dropbear | wc -w)" in
 # Add the desired dropbear options here
-0) dropbearmulti dropbear -R -F -K 15 -s &
+0) dropbear -R -F -K 15 &
    ;;
 *) ;;
 esac

README.md

@@ -1,4 +1,36 @@
 # kobo-ssh
-Build pipeline to compile Dropbear for Kobo
 
-Based on the work of https://github.com/obynio/kobopatch-ssh
+This repository contains the tools needed to compile [dropbear](https://matt.ucc.asn.au/dropbear/dropbear.html) and [sftp-server](https://github.com/openssh/openssh-portable) for the `arm-kobo-linux-gnueabihf` system (all recent [Kobo](https://www.kobo.com/) products).
+This binary is used for root shell access on Kobo devices which, in my case, is used to deploy and debug software on e-readers. As of now, these binaries have been tested on a Kobo Libra H2o and a Kobo Libra 2.
+
+### Features:
+- Recent Dropbear version
+- `scp` to the SSH server works
+- Host keys will be generated automatically as required.
+
+## Compiling locally
+
+This project can be compiled locally by building the [toolchain container image](toolchain/Dockerfile) and then running the `compile.sh` script.
+
+```sh
+docker buildx build --tag kobo-ssh-toolchain:latest ./toolchain --load
+./compile.sh
+```
+
+This will compile all the required binaries and generate a `dist/KoboRoot.tgz` file.
+
+## Prebuilt binaries
+
+A prebuilt KoboRoot.tgz can be found on the [releases page](https://github.com/bjw-s-labs/kobo-ssh/releases).
+
+## Kobo setup
+
+Once you have generated the `KoboRoot.tgz` file you can transfer this to your Kobo device by connecting the device to your computer and placing the file in the `.kobo` folder on the exposed drive.
+
+Finally, disconnect the device from your computer and wait for it to restart. Once the restart is complete you should have a working SSH server.
+
+## Credits
+
+Many thanks to the following for their original work on this subject:
+- https://github.com/Ewpratten/KoboSSH
+- https://github.com/obynio/kobopatch-ssh

build/dropbear/localoptions.h

@@ -0,0 +1,6 @@
+#define DROPBEAR_MLKEM768 0
+#define DSS_PRIV_FILENAME "/usr/local/dropbear/dss_host_key"
+#define RSA_PRIV_FILENAME "/usr/local/dropbear/rsa_host_key"
+#define ECDSA_PRIV_FILENAME "/usr/local/dropbear/ecdsa_host_key"
+#define ED25519_PRIV_FILENAME "/usr/local/dropbear/ed25519_host_key"
+#define SFTPSERVER_PATH "/usr/bin/sftp-server"

compile.sh

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -e
 
-TOOLCHAIN_IMAGE="ghcr.io/bjw-s-labs/kobo-ssh-toolchain:latest"
+TOOLCHAIN_IMAGE="kobo-ssh-toolchain:latest"
 DROPBEAR_TAG="DROPBEAR_2025.87"
 OPENSSH_TAG="V_9_9_P2"
 
@@ -15,30 +15,23 @@ rm -rf external/openssh-portable
 git clone --branch "${OPENSSH_TAG}" --depth 1 https://github.com/openssh/openssh-portable.git external/openssh-portable
 
 # Compile Dropbear
-cat > external/dropbear/localoptions.h<< EOF
-#define DROPBEAR_MLKEM768 0
-#define DSS_PRIV_FILENAME "/usr/local/dropbear/dss_host_key"
-#define RSA_PRIV_FILENAME "/usr/local/dropbear/rsa_host_key"
-#define ECDSA_PRIV_FILENAME "/usr/local/dropbear/ecdsa_host_key"
-#define ED25519_PRIV_FILENAME "/usr/local/dropbear/ed25519_host_key"
-EOF
-
-docker run --platform linux/amd64 -v "${PWD}/external/dropbear:/work" "${TOOLCHAIN_IMAGE}" /bin/bash -c 'cd /work; autoconf; autoheader'
-docker run --platform linux/amd64 -v "${PWD}/external/dropbear:/work" "${TOOLCHAIN_IMAGE}" /bin/bash -c 'export PATH="/root/x-tools/arm-kobo-linux-gnueabihf/bin:$PATH"; cd /work; ./configure --host=arm-kobo-linux-gnueabihf --disable-zlib --disable-zlib CC="arm-kobo-linux-gnueabihf"-gcc LD="arm-kobo-linux-gnueabihf"-ld --disable-wtmp --disable-lastlog --disable-syslog --disable-utmpx --disable-utmp --disable-wtmpx --disable-loginfunc --disable-pututxline --disable-pututline --enable-bundled-libtom --disable-pam'
-docker run --platform linux/amd64 -v "${PWD}/external/dropbear:/work" "${TOOLCHAIN_IMAGE}" /bin/bash -c 'export PATH="/root/x-tools/arm-kobo-linux-gnueabihf/bin:$PATH"; cd /work; make clean'
-docker run --platform linux/amd64 -v "${PWD}/external/dropbear:/work" "${TOOLCHAIN_IMAGE}" /bin/bash -c 'export PATH="/root/x-tools/arm-kobo-linux-gnueabihf/bin:$PATH"; cd /work; make PROGRAMS="dropbear dropbearkey" MULTI=1'
+cp build/dropbear/localoptions.h external/dropbear/localoptions.h
+docker run -v "${PWD}/external/dropbear:/work" "${TOOLCHAIN_IMAGE}" /bin/bash -c 'cd /work; autoconf; autoheader'
+docker run -v "${PWD}/external/dropbear:/work" "${TOOLCHAIN_IMAGE}" /bin/bash -c 'export PATH="/root/x-tools/arm-kobo-linux-gnueabihf/bin:$PATH"; cd /work; ./configure --host=arm-kobo-linux-gnueabihf --disable-zlib --disable-zlib CC="arm-kobo-linux-gnueabihf"-gcc LD="arm-kobo-linux-gnueabihf"-ld --disable-wtmp --disable-lastlog --disable-syslog --disable-utmpx --disable-utmp --disable-wtmpx --disable-loginfunc --disable-pututxline --disable-pututline --enable-bundled-libtom --disable-pam'
+docker run -v "${PWD}/external/dropbear:/work" "${TOOLCHAIN_IMAGE}" /bin/bash -c 'export PATH="/root/x-tools/arm-kobo-linux-gnueabihf/bin:$PATH"; cd /work; make clean'
+docker run -v "${PWD}/external/dropbear:/work" "${TOOLCHAIN_IMAGE}" /bin/bash -c 'export PATH="/root/x-tools/arm-kobo-linux-gnueabihf/bin:$PATH"; cd /work; make PROGRAMS="dropbear dropbearkey"'
 
 # Compile sftp-server
-docker run --platform linux/amd64 -v "${PWD}/external/openssh-portable:/work" "${TOOLCHAIN_IMAGE}" /bin/bash -c 'cd /work; autoconf; autoheader'
-docker run --platform linux/amd64 -v "${PWD}/external/openssh-portable:/work" "${TOOLCHAIN_IMAGE}" /bin/bash -c 'export PATH="/root/x-tools/arm-kobo-linux-gnueabihf/bin:$PATH"; cd /work; ./configure --host=arm-kobo-linux-gnueabihf --without-openssl --without-zlib --without-pam --without-xauth CC="arm-kobo-linux-gnueabihf"-gcc LD="arm-kobo-linux-gnueabihf"-ld'
-docker run --platform linux/amd64 -v "${PWD}/external/openssh-portable:/work" "${TOOLCHAIN_IMAGE}" /bin/bash -c 'export PATH="/root/x-tools/arm-kobo-linux-gnueabihf/bin:$PATH"; cd /work; make clean'
-docker run --platform linux/amd64 -v "${PWD}/external/openssh-portable:/work" "${TOOLCHAIN_IMAGE}" /bin/bash -c 'export PATH="/root/x-tools/arm-kobo-linux-gnueabihf/bin:$PATH"; cd /work; make sftp-server'
+docker run -v "${PWD}/external/openssh-portable:/work" "${TOOLCHAIN_IMAGE}" /bin/bash -c 'cd /work; autoconf; autoheader'
+docker run -v "${PWD}/external/openssh-portable:/work" "${TOOLCHAIN_IMAGE}" /bin/bash -c 'export PATH="/root/x-tools/arm-kobo-linux-gnueabihf/bin:$PATH"; cd /work; ./configure --host=arm-kobo-linux-gnueabihf --without-openssl --without-zlib --without-pam --without-xauth CC="arm-kobo-linux-gnueabihf"-gcc LD="arm-kobo-linux-gnueabihf"-ld'
+docker run -v "${PWD}/external/openssh-portable:/work" "${TOOLCHAIN_IMAGE}" /bin/bash -c 'export PATH="/root/x-tools/arm-kobo-linux-gnueabihf/bin:$PATH"; cd /work; make clean'
+docker run -v "${PWD}/external/openssh-portable:/work" "${TOOLCHAIN_IMAGE}" /bin/bash -c 'export PATH="/root/x-tools/arm-kobo-linux-gnueabihf/bin:$PATH"; cd /work; make sftp-server'
 
 # Build KoboRoot.tgz
 mkdir -p KoboRoot/usr/bin
-mv external/dropbear/dropbearmulti KoboRoot/usr/bin/dropbearmulti
-mkdir -p KoboRoot/usr/libexec
-mv external/openssh-portable/sftp-server KoboRoot/usr/libexec/sftp-server
+mv external/dropbear/dropbear KoboRoot/usr/bin/
+mv external/dropbear/dropbearkey KoboRoot/usr/bin/
+mv external/openssh-portable/sftp-server KoboRoot/usr/bin/
 
 mkdir -p dist
 tar -cvzf dist/KoboRoot.tgz --exclude='.DS_Store' -C KoboRoot .