This idea was inspired by this post topjohnwu/Magisk#509 (comment)
I got this working with CalyxOS 3.3.1 (Android 12) with full AVB Verity enabled and was able to lock the bootloader after flashing and still have su. The OTA update zip generated was also tested against the Calyx 2.11.0 version (with Magisk) and it works well.
First, make sure you can build and sign a proper CalyxOS for your device. This is probably the hardest part.
Second, prepare a magisk directory outside your build directory as follows:
mkdir magisk24304
cd magisk24304/
wget https://cdn.jsdelivr.net/gh/topjohnwu/magisk-files@a17271415ec0b3b34fbb5715d92893a1f8c529d0/app-debug.apk
unzip app-debug.apk
Replace the apk URL with whatever version is latest or works best for you. For Android 12, v24+ is a must. The URL for the latest version can be found in the Magisk files repo. https://github.com/topjohnwu/magisk-files
We then need a few helper scripts in the same directory.
cat > root-img.sh
#!/bin/bash
SCRIPT_DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
export PATH=$PATH:$SCRIPT_DIR
export BOOTMODE=true
export KEEPVERITY=true
cp $SCRIPT_DIR/lib/x86/libmagiskboot.so $SCRIPT_DIR/assets/magiskboot
cp $SCRIPT_DIR/lib/arm64-v8a/libmagisk64.so $SCRIPT_DIR/assets/magisk64
cp $SCRIPT_DIR/lib/armeabi-v7a/libmagisk32.so $SCRIPT_DIR/assets/magisk32
cp $SCRIPT_DIR/lib/arm64-v8a/libmagiskinit.so $SCRIPT_DIR/assets/magiskinit
. $SCRIPT_DIR/assets/boot_patch.sh $*chmod 755 root-img.sh
Make sure magiskinit is correct for your target in root-img.sh.
cat > dos2unix
#!/bin/bash
cat $*chmod 755 dos2unix
cat > getprop
#!/bin/bash
echo $*chmod 755 getprop
That's all for preparing magisk.
Now we need to intercept avbtool to root the boot.img file just before it's hashed/signed.
In the last step of building the OS, the target files are zipped up and moved into a signing directory, along with the signing keys and binaries. In the bin directory, you should find avbtool which will be used during signing. We're going to replace it with a script that detects boot images, roots them and then continues with the real avbtool.
cd bin
mv avbtool avbtool.realcat > avbtool
#!/bin/bash
# change this to whereever you created the magisk directory:
MAGISK_DIR=/media/work/magisk24304
echo "%%%%%%%%%%" `date` Running avbtool with "$*" >> $MAGISK_DIR/avbtool-invokes.txt
SCRIPT_DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
IMG_NAME=`realpath $3`
if [[ $1 == add_hash_footer ]] && [[ $7 == boot ]] ;
then
echo starting to root $3 >> $MAGISK_DIR/rooting.txt
$MAGISK_DIR/root-img.sh $IMG_NAME >> $MAGISK_DIR/rooting.txt 2>&1
cp $MAGISK_DIR/assets/new-boot.img $IMG_NAME
fi
$SCRIPT_DIR/avbtool.real $*chmod 755 avbtool
We'll do something similar for toybox to avoid an error in the build.
mv toybox toybox.real
cat > toybox
#!/bin/bash
SCRIPT_DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
echo "%%%%%%%%%%" `date` Running toybox with "$*" >> $SCRIPT_DIR/toybox-invokes.txt
if [[ $1 == cpio ]] && [[ $2 == -F ]] ;
then
echo ignoring toybox error >> $SCRIPT_DIR/toybox-invokes.txt
$SCRIPT_DIR/toybox.real $* >> $SCRIPT_DIR/toybox-invokes.txt 2>&1
exit 0
fi
$SCRIPT_DIR/toybox.real $*chmod 755 toybox
Now, sign the target files again.
If all goes well, that should create a rooted boot.img with the correct signatures. You can check the avbtool-invokes.txt and rooting.txt files to see if everything went well.
You can apply the factory image (which will wipe the phone), or the OTA update (no wipe) if you have a previous OS with the same keys.
For anyone using this method: Don't use the updater in the Magisk App. If you have OEM Unlocking disabled, this will brick your phone pretty badly (failing to boot, unable to reflash via fastboot due to locked bootloader, neither recovery, nor fastbootd working anymore). I had to learn the hard way. My advice is to always enable OEM Unlocking while tinkering with the bootloader.