CalyxOS with Magisk with working signed images and AVB Verity

Calyx-Magisk.md

CalyxOS with Magisk with working signed images and AVB Verity

This idea was inspired by this post topjohnwu/Magisk#509 (comment)

I got this working with CalyxOS 2.11.0 (Android 11) with full AVB Verity enabled and was able to lock the bootloader after flashing and still have su.

Create a working build

First, make sure you can build and sign a proper CalyxOS for your device. This is probably the hardest part.

Prepare Magisk files for rooting

Second, prepare a magisk directory outside your build directory as follows:

mkdir magisk
cd magisk
wget https://cdn.jsdelivr.net/gh/topjohnwu/magisk-files@55bdc45955e7ba1fe4d296b6fc06f926ebc9ddd1/app-debug.apk
unzip app-debug.apk

Replace the apk URL with whatever version is latest or works best for you. The URL for the latest version can be found in the Magisk files repo. https://github.com/topjohnwu/magisk-files

We then need a few helper scripts in the same directory. cat > root-img.sh

#!/bin/bash

SCRIPT_DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"

export PATH=$PATH:$SCRIPT_DIR

export BOOTMODE=true
export KEEPVERITY=true

cp $SCRIPT_DIR/lib/x86/libmagiskboot.so $SCRIPT_DIR/assets/magiskboot
cp $SCRIPT_DIR/lib/arm64-v8a/libmagisk64.so $SCRIPT_DIR/assets/magisk64
cp $SCRIPT_DIR/lib/armeabi-v7a/libmagisk32.so $SCRIPT_DIR/assets/magisk32
cp $SCRIPT_DIR/lib/arm64-v8a/libmagiskinit.so $SCRIPT_DIR/assets/magiskinit

. $SCRIPT_DIR/assets/boot_patch.sh $*

chmod 755 root-img.sh

Make sure magiskinit is correct for your target in root-img.sh.

cat > dos2unix

#!/bin/bash
cat $*

chmod 755 dos2unix

cat > getprop

#!/bin/bash
echo $*

chmod 755 getprop

That's all for preparing magisk.

Prepare signing step

Now we need to intercept avbtool to root the boot.img file just before it's hashed/signed.

In the last step of building the OS, the target files are zipped up and moved into a signing directory, along with the signing keys and binaries. In the bin directory, you should find avbtool which will be used during signing. We're going to replace it with a script that detects boot images, roots them and then continues with the real avbtool.

cd bin
mv avbtool avbtool.real

cat > avbtool

#!/bin/bash

# change this to whereever you created the magisk directory:
MAGISK_DIR=/media/work/magisk

echo "%%%%%%%%%%" `date` Running avbtool with "$*" >> $MAGISK_DIR/avbtool-invokes.txt

SCRIPT_DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
IMG_NAME=`realpath $3`

if [[ $1 == add_hash_footer ]] && [[ $7 == boot ]] ;
then
        echo starting to root $3 >> $MAGISK_DIR/rooting.txt
        $MAGISK_DIR/root-img.sh $IMG_NAME >> $MAGISK_DIR/rooting.txt
        cp $MAGISK_DIR/assets/new-boot.img $IMG_NAME
fi

$SCRIPT_DIR/avbtool.real $*

chmod 755 avbtool

Now, sign the target files again. If all goes well, that should create a rooted boot.img with the correct signatures. You can check the avbtool-invokes.txt and rooting.txt files to see if everything went well.

Just added a new gist for Android 12, with the addition of the toybox script. My build went well on my test device and the update was pretty smooth.

@YetAnotherRandomGuy Android 12 instructions are now in a separate gist . I have a locked bootloader, but admittedly, that was done with Android 11 (Calyx 2.x) and subsequently upgraded.

Are you sure you replaced the avbtool that's used during signing? Do you separate your signing dir from your build dir?

@mohrezaei actually... realized I screwed up completely during the signing - so embarassingly I will delete the post so no one else wonders "WTF did he do...". Thank you for the response, though. I'll walk it through with your updated gist once I fix my glitch.

Can anyone please let me know that how can I use this method with any other rom?
I'm building crDroid and can't these instructions to work with it.
Can't find avbtool in my build directory.

crDroid is based on LineageOS, which is not targeted at locking bootloaders post install. There is no point in following these instructions if you're not going to lock your bootloader. Just install crDroid, then follow Magisk install directions.
If you've gone through the arduous process of enabling locked bootloaders in LineageOS, you have to look at the build process and insert the magisk installations script right after the boot.img is created.

Thanks. but I just want to integrate Magisk in my builds. bootloader locking not required

…

On 11/27/2022 7:43 PM, Mohammad Rezaei wrote: Re: mohrezaei/Calyx-Magisk.md ***@***.**** commented on this gist. ------------------------------------------------------------------------ crDroid is based on LineageOS, which is not targeted at locking bootloaders post install. There is no point in following these instructions if you're not going to lock your bootloader. Just install crDroid, then follow Magisk install directions. If you've gone through the arduous process <https://www.reddit.com/r/LineageOS/comments/n7yo7u/a_discussion_about_bootloader_lockingunlocking/> of enabling locked bootloaders in LineageOS, you have to look at the build process and insert the magisk installations script right after the boot.img is created. — Reply to this email directly, view it on GitHub <https://gist.github.com/fe76ab2091e834b6edb2ab9f11e31c07#gistcomment-4382723> or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABQWBM4DMTSTFCE65PVN6STWKNUAJBFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFQKSXMYLMOVS2I5DSOVS2I3TBNVS3W5DIOJSWCZC7OBQXE5DJMNUXAYLOORPWCY3UNF3GS5DZVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVEYTCMZQGE3TEOJSU52HE2LHM5SXFJTDOJSWC5DF>. You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.