This idea was inspired by this post topjohnwu/Magisk#509 (comment)
I got this working with CalyxOS 2.11.0 (Android 11) with full AVB Verity enabled and was able to lock the bootloader after flashing and still have su.
First, make sure you can build and sign a proper CalyxOS for your device. This is probably the hardest part.
Second, prepare a magisk directory outside your build directory as follows:
```
mkdir magisk
cd magisk
wget https://cdn.jsdelivr.net/gh/topjohnwu/magisk-files@55bdc45955e7ba1fe4d296b6fc06f926ebc9ddd1/app-debug.apk
unzip app-debug.apk
```
Replace the apk URL with whatever version is latest or works best for you. The URL for the latest version can be found in the Magisk files repo: https://github.com/topjohnwu/magisk-files
We then need a few helper scripts in the same directory.
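```
cat > root-img.sh <<'EOF'
#!/bin/bash
# Directory holding this script and the unpacked Magisk APK
SCRIPT_DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
# Put the helper scripts in this directory (dos2unix, getprop) on PATH
export PATH="$PATH:$SCRIPT_DIR"
export BOOTMODE=true
export KEEPVERITY=true
# magiskboot is executed by boot_patch.sh on the build machine, hence x86
cp "$SCRIPT_DIR/lib/x86/libmagiskboot.so" "$SCRIPT_DIR/assets/magiskboot"
cp "$SCRIPT_DIR/lib/arm64-v8a/libmagisk64.so" "$SCRIPT_DIR/assets/magisk64"
cp "$SCRIPT_DIR/lib/armeabi-v7a/libmagisk32.so" "$SCRIPT_DIR/assets/magisk32"
cp "$SCRIPT_DIR/lib/arm64-v8a/libmagiskinit.so" "$SCRIPT_DIR/assets/magiskinit"
# Source Magisk's patch script with the image path passed to this script
. "$SCRIPT_DIR/assets/boot_patch.sh" "$@"
EOF
chmod 755 root-img.sh
```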
Make sure magiskinit is correct for your target in root-img.sh.
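```
cat > dos2unix <<'EOF'
#!/bin/bash
# Stub: pass the input through unchanged
cat "$@"
EOF
chmod 755 dos2unix
```
```
cat > getprop <<'EOF'
#!/bin/bash
# Stub: echo the arguments instead of querying Android properties
echo "$*"
EOF
chmod 755 getprop
```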
That's all for preparing magisk.
Now we need to intercept avbtool to root the boot.img file just before it's hashed/signed.
In the last step of building the OS, the target files are zipped up and moved into a signing directory, along with the signing keys and binaries. In the bin directory, you should find avbtool which will be used during signing. We're going to replace it with a script that detects boot images, roots them and then continues with the real avbtool.
```
cd bin
mv avbtool avbtool.real
cat > avbtool <<'EOF'
#!/bin/bash
# change this to wherever you created the magisk directory:
MAGISK_DIR=/media/work/magisk
echo "%%%%%%%%%%" "$(date)" Running avbtool with "$*" >> "$MAGISK_DIR/avbtool-invokes.txt"
SCRIPT_DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
# Patch only when the boot image is about to get its hash footer
if [[ $1 == add_hash_footer ]] && [[ $7 == boot ]]; then
    IMG_NAME="$(realpath "$3")"
    echo "starting to root $3" >> "$MAGISK_DIR/rooting.txt"
    "$MAGISK_DIR/root-img.sh" "$IMG_NAME" >> "$MAGISK_DIR/rooting.txt"
    cp "$MAGISK_DIR/assets/new-boot.img" "$IMG_NAME"
fi
# Hand the original arguments to the real avbtool
"$SCRIPT_DIR/avbtool.real" "$@"
EOF
chmod 755 avbtool
```
Now, sign the target files again.
If all goes well, that should create a rooted boot.img with the correct signatures. You can check the avbtool-invokes.txt and rooting.txt files to see if everything went well.
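An added example, not part of the original post: the wrapper above recognises the boot image by argument position (`$1`, `$3`, `$7`), which only holds while the build calls avbtool with its flags in that exact order. The function below finds the same values by flag name instead; `boot_image_from_args` is a hypothetical helper name and the sample command line is constructed.

```bash
#!/bin/bash
# Added example, not the original post's code.
# boot_image_from_args is a hypothetical helper name.
#
# Prints the --image path and returns 0 only when the command line is
# "add_hash_footer" for the partition named exactly "boot".
# Accepts "--flag value" and "--flag=value" in any order.
boot_image_from_args() {
    [ "$#" -gt 0 ] && [ "$1" = add_hash_footer ] || return 1
    shift
    _image=
    _partition=
    while [ "$#" -gt 0 ]; do
        case "$1" in
            --image)
                [ "$#" -ge 2 ] || return 1   # flag given without a value
                _image=$2; shift ;;
            --image=*)
                _image=${1#--image=} ;;
            --partition_name)
                [ "$#" -ge 2 ] || return 1   # flag given without a value
                _partition=$2; shift ;;
            --partition_name=*)
                _partition=${1#--partition_name=} ;;
        esac
        shift
    done
    [ "$_partition" = boot ] && [ -n "$_image" ] || return 1
    printf '%s\n' "$_image"
}

# Constructed sample: the same kind of call the wrapper expects, but with
# the flags reordered, so "$3" and "$7" no longer hold image and partition.
boot_image_from_args add_hash_footer --partition_size 100663296 \
    --partition_name boot --image out/IMAGES/boot.img   # prints out/IMAGES/boot.img

# In the wrapper, the positional test would become:
#   if IMG_NAME=$(boot_image_from_args "$@"); then ... fi
```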
Alright, I have a signed Android 12 build with Magisk v24.1. Here are my findings:
During signing, there are errors dealing with the Magisk `.backup` folder:
This happens because Magisk currently makes a `.backup` folder inside the cpio archive that has `000` permissions - not even the owner can read or modify this folder. However, when it's extracted from the cpio, `.backup` is created with these permissions, so its subfolders and files cannot be created.
This results in `common.py` being unable to get the build properties. Granted - these errors do not seem to cause any problems. However, it would be ideal to make including Magisk as close to the official process as possible. Thankfully, patching the script causing this error to be aware of the `.backup` folder's permissions, thus allowing it to do its job, does not appear to be too complicated: https://android.googlesource.com/platform/build/+/refs/tags/android-12.0.0_r32/tools/releasetools/common.py#3830
Anyway, I tested my own CalyxOS build for a Pixel 6 Pro using this procedure, and I am happy to report: