CalyxOS with Magisk with working signed images and AVB Verity

Calyx-Magisk.md

CalyxOS with Magisk with working signed images and AVB Verity

This idea was inspired by this post topjohnwu/Magisk#509 (comment)

I got this working with CalyxOS 2.11.0 (Android 11) with full AVB Verity enabled and was able to lock the bootloader after flashing and still have su.

Create a working build

First, make sure you can build and sign a proper CalyxOS for your device. This is probably the hardest part.

Prepare Magisk files for rooting

Second, prepare a magisk directory outside your build directory as follows:

mkdir magisk
cd magisk
wget https://cdn.jsdelivr.net/gh/topjohnwu/magisk-files@55bdc45955e7ba1fe4d296b6fc06f926ebc9ddd1/app-debug.apk
unzip app-debug.apk

Replace the apk URL with whatever version is latest or works best for you. The URL for the latest version can be found in the Magisk files repo. https://github.com/topjohnwu/magisk-files

We then need a few helper scripts in the same directory. cat > root-img.sh

#!/bin/bash

SCRIPT_DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"

export PATH=$PATH:$SCRIPT_DIR

export BOOTMODE=true
export KEEPVERITY=true

cp $SCRIPT_DIR/lib/x86/libmagiskboot.so $SCRIPT_DIR/assets/magiskboot
cp $SCRIPT_DIR/lib/arm64-v8a/libmagisk64.so $SCRIPT_DIR/assets/magisk64
cp $SCRIPT_DIR/lib/armeabi-v7a/libmagisk32.so $SCRIPT_DIR/assets/magisk32
cp $SCRIPT_DIR/lib/arm64-v8a/libmagiskinit.so $SCRIPT_DIR/assets/magiskinit

. $SCRIPT_DIR/assets/boot_patch.sh $*

chmod 755 root-img.sh

Make sure magiskinit is correct for your target in root-img.sh.

cat > dos2unix

#!/bin/bash
cat $*

chmod 755 dos2unix

cat > getprop

#!/bin/bash
echo $*

chmod 755 getprop

That's all for preparing magisk.

Prepare signing step

Now we need to intercept avbtool to root the boot.img file just before it's hashed/signed.

In the last step of building the OS, the target files are zipped up and moved into a signing directory, along with the signing keys and binaries. In the bin directory, you should find avbtool which will be used during signing. We're going to replace it with a script that detects boot images, roots them and then continues with the real avbtool.

cd bin
mv avbtool avbtool.real

cat > avbtool

#!/bin/bash

# change this to whereever you created the magisk directory:
MAGISK_DIR=/media/work/magisk

echo "%%%%%%%%%%" `date` Running avbtool with "$*" >> $MAGISK_DIR/avbtool-invokes.txt

SCRIPT_DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
IMG_NAME=`realpath $3`

if [[ $1 == add_hash_footer ]] && [[ $7 == boot ]] ;
then
        echo starting to root $3 >> $MAGISK_DIR/rooting.txt
        $MAGISK_DIR/root-img.sh $IMG_NAME >> $MAGISK_DIR/rooting.txt
        cp $MAGISK_DIR/assets/new-boot.img $IMG_NAME
fi

$SCRIPT_DIR/avbtool.real $*

chmod 755 avbtool

Now, sign the target files again. If all goes well, that should create a rooted boot.img with the correct signatures. You can check the avbtool-invokes.txt and rooting.txt files to see if everything went well.

Ah ok thank you for the reply.

Total noob here. I'm getting Pixel 6 next week and want to flash CalyxOS with root privileges, but also with locked bootloader. I found your guide, but I'm a little lost.

I'm in the process of creating a build environment. Should I firstly try to build and sign without Magisk? To see if everything works correctly?

@Nextross yes, it's critical to be able to build with your own keys and be able to install and lock the bootloader. The build instructions for 12 might be a missing a couple of prerequisite steps. Last time I built 12, I had to do this:

 git clone https://github.com/anestisb/android-simg2img
 cd android-simg2img/
 make
 sudo make install
 cd ..
 git clone https://github.com/chirayudesai/qc_image_unpacker
 cd qc_image_unpacker/
 ./make.sh
 cp bin/qc_image_unpacker ~/bin

before running device.sh

@mohrezaei when running make, it shows this error:

g++ -std=gnu++17 -O2 -W -Wall -Werror -Wextra -D__STDC_FORMAT_MACROS -D__STDC_CONSTANT_MACROS -Iinclude -Iandroid-base/include -c backed_block.cpp -o backed_block.o g++ -std=gnu++17 -O2 -W -Wall -Werror -Wextra -D__STDC_FORMAT_MACROS -D__STDC_CONSTANT_MACROS -Iinclude -Iandroid-base/include -c output_file.cpp -o output_file.o output_file.cpp:30:10: fatal error: zlib.h: No such file or directory 30 | #include <zlib.h> | ^~~~~~~~ compilation terminated. make: *** [Makefile:97: output_file.o] Error 1

What should I do?

@Nextross Sorry, this is not the right forum for dealing with build issues. You should join the Calyx dev discord https://app.element.io/#/room/#calyxos-dev:matrix.org and ask there.

EDIT: False alarm. My issue had nothing to do with Magisk. I also add Lawnchair in my builds, and as it turns out, Lawnchair is not compatible with Android 12L, it leads to a bootloop. More info:

LawnchairLauncher/lawnchair#2517

Is anyone having issues with this as of CalyxOS 3.3.0, the 12L update?

This method was working perfectly fine for a while. Bootloader locked, OTA updates working perfectly, Magisk intact, etc.

But I just built 3.3.0 with Magisk, and the OTA update won't boot. It tries to boot, but crashes on the Google bootloader splash logo (and when it turns off, the screen has lines on it, as though it experienced an abrupt power cut). It tries again 2 more times, then gives up and reverts back to the last good boot slot. I've tried an incremental update and then a full OTA update, the result is the same.

I'm not sure if Magisk is causing this, but my phone doesn't even get to SystemUI before it crashes. I don't think Android even gets to start, so I can't think of anything else it could possibly be. And my updates were working fine before this, my signing keys are all good, etc.

I'll try and see if building without Magisk fixes this, but for now, is anyone here running CalyxOS 3.3.0 with Magisk working?

I'm going to do a 12L build in the coming week. I'll report back.

Thank you!

But, as it turns out, Magisk wasn't the cause of my issue. In addition to adding Magisk, I also replaced my launcher with Lawnchair, which is not compatible with Android 12L. See my edit above.

So, confirmation from me: Magisk 24.3 is working just fine with this method on Android 12L on my test device, a Pixel 3XL. I don't expect there to be any further issues once I make a build for my Pixel 6 Pro.

Just added a new gist for Android 12, with the addition of the toybox script. My build went well on my test device and the update was pretty smooth.

@YetAnotherRandomGuy Android 12 instructions are now in a separate gist . I have a locked bootloader, but admittedly, that was done with Android 11 (Calyx 2.x) and subsequently upgraded.

Are you sure you replaced the avbtool that's used during signing? Do you separate your signing dir from your build dir?

@mohrezaei actually... realized I screwed up completely during the signing - so embarassingly I will delete the post so no one else wonders "WTF did he do...". Thank you for the response, though. I'll walk it through with your updated gist once I fix my glitch.

Can anyone please let me know that how can I use this method with any other rom?
I'm building crDroid and can't these instructions to work with it.
Can't find avbtool in my build directory.

crDroid is based on LineageOS, which is not targeted at locking bootloaders post install. There is no point in following these instructions if you're not going to lock your bootloader. Just install crDroid, then follow Magisk install directions.
If you've gone through the arduous process of enabling locked bootloaders in LineageOS, you have to look at the build process and insert the magisk installations script right after the boot.img is created.

Thanks. but I just want to integrate Magisk in my builds. bootloader locking not required

…

On 11/27/2022 7:43 PM, Mohammad Rezaei wrote: Re: mohrezaei/Calyx-Magisk.md ***@***.**** commented on this gist. ------------------------------------------------------------------------ crDroid is based on LineageOS, which is not targeted at locking bootloaders post install. There is no point in following these instructions if you're not going to lock your bootloader. Just install crDroid, then follow Magisk install directions. If you've gone through the arduous process <https://www.reddit.com/r/LineageOS/comments/n7yo7u/a_discussion_about_bootloader_lockingunlocking/> of enabling locked bootloaders in LineageOS, you have to look at the build process and insert the magisk installations script right after the boot.img is created. — Reply to this email directly, view it on GitHub <https://gist.github.com/fe76ab2091e834b6edb2ab9f11e31c07#gistcomment-4382723> or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABQWBM4DMTSTFCE65PVN6STWKNUAJBFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFQKSXMYLMOVS2I5DSOVS2I3TBNVS3W5DIOJSWCZC7OBQXE5DJMNUXAYLOORPWCY3UNF3GS5DZVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVEYTCMZQGE3TEOJSU52HE2LHM5SXFJTDOJSWC5DF>. You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.