This idea was inspired by this post topjohnwu/Magisk#509 (comment)
I got this working with CalyxOS 2.11.0 (Android 11) with full AVB Verity enabled and was able to lock the bootloader after flashing and still have su.
First, make sure you can build and sign a proper CalyxOS for your device. This is probably the hardest part.
Second, prepare a magisk directory outside your build directory as follows:
mkdir magisk
cd magisk
wget https://cdn.jsdelivr.net/gh/topjohnwu/magisk-files@55bdc45955e7ba1fe4d296b6fc06f926ebc9ddd1/app-debug.apk
unzip app-debug.apk
Replace the apk URL with whatever version is latest or works best for you. The URL for the latest version can be found in the Magisk files repo. https://github.com/topjohnwu/magisk-files
We then need a few helper scripts in the same directory.
cat > root-img.sh
#!/bin/bash
SCRIPT_DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
export PATH=$PATH:$SCRIPT_DIR
export BOOTMODE=true
export KEEPVERITY=true
cp $SCRIPT_DIR/lib/x86/libmagiskboot.so $SCRIPT_DIR/assets/magiskboot
cp $SCRIPT_DIR/lib/arm64-v8a/libmagisk64.so $SCRIPT_DIR/assets/magisk64
cp $SCRIPT_DIR/lib/armeabi-v7a/libmagisk32.so $SCRIPT_DIR/assets/magisk32
cp $SCRIPT_DIR/lib/arm64-v8a/libmagiskinit.so $SCRIPT_DIR/assets/magiskinit
. $SCRIPT_DIR/assets/boot_patch.sh $*chmod 755 root-img.sh
Make sure magiskinit is correct for your target in root-img.sh.
cat > dos2unix
#!/bin/bash
cat $*chmod 755 dos2unix
cat > getprop
#!/bin/bash
echo $*chmod 755 getprop
That's all for preparing magisk.
Now we need to intercept avbtool to root the boot.img file just before it's hashed/signed.
In the last step of building the OS, the target files are zipped up and moved into a signing directory, along with the signing keys and binaries. In the bin directory, you should find avbtool which will be used during signing. We're going to replace it with a script that detects boot images, roots them and then continues with the real avbtool.
cd bin
mv avbtool avbtool.realcat > avbtool
#!/bin/bash
# change this to whereever you created the magisk directory:
MAGISK_DIR=/media/work/magisk
echo "%%%%%%%%%%" `date` Running avbtool with "$*" >> $MAGISK_DIR/avbtool-invokes.txt
SCRIPT_DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
IMG_NAME=`realpath $3`
if [[ $1 == add_hash_footer ]] && [[ $7 == boot ]] ;
then
echo starting to root $3 >> $MAGISK_DIR/rooting.txt
$MAGISK_DIR/root-img.sh $IMG_NAME >> $MAGISK_DIR/rooting.txt
cp $MAGISK_DIR/assets/new-boot.img $IMG_NAME
fi
$SCRIPT_DIR/avbtool.real $*chmod 755 avbtool
Now, sign the target files again.
If all goes well, that should create a rooted boot.img with the correct signatures. You can check the avbtool-invokes.txt and rooting.txt files to see if everything went well.
EDIT: False alarm. My issue had nothing to do with Magisk. I also add Lawnchair in my builds, and as it turns out, Lawnchair is not compatible with Android 12L, it leads to a bootloop. More info:
LawnchairLauncher/lawnchair#2517
Is anyone having issues with this as of CalyxOS 3.3.0, the 12L update?This method was working perfectly fine for a while. Bootloader locked, OTA updates working perfectly, Magisk intact, etc.But I just built 3.3.0 with Magisk, and the OTA update won't boot. It tries to boot, but crashes on the Google bootloader splash logo (and when it turns off, the screen has lines on it, as though it experienced an abrupt power cut). It tries again 2 more times, then gives up and reverts back to the last good boot slot. I've tried an incremental update and then a full OTA update, the result is the same.I'm not sure if Magisk is causing this, but my phone doesn't even get to SystemUI before it crashes. I don't think Android even gets to start, so I can't think of anything else it could possibly be. And my updates were working fine before this, my signing keys are all good, etc.I'll try and see if building without Magisk fixes this, but for now, is anyone here running CalyxOS 3.3.0 with Magisk working?