[Discussion] Google Pay Magisk Discussion Thread


zgfg

Is there a fix for this? I have Pixel 6 Pro and I have the same things checked. Can't pass MEETS_STRONG_INTEGRITY.
No. It's been extensively discussed.
Hints to search and read: TEE = Trusted Execution Environment.
Particularly, if you 'fix' that for the last Titan, you could ask for 250K - 1.5M $ reward from Google
 

pndwal


zgfg

I just updated to Android 13 final on my Pixel 5, and now Google Wallet won't work.
It was working fine on 13 Beta 4 though, and Safetynet passes.

Safety Net Request: success
Response signature validation: success
Basic integrity: success
CTS profile match: success
SafetyNet per se is not relevant for Wallet but Play Integrity.
And you need USNF 2.3.1-mod

If you are not up to the discussion here over the last month, please read the posts
 
SafetyNet per se is not relevant for Wallet but Play Integrity.
And you need USNF 2.3.1-mod

If you are not up to the discussion here over the last month, please read the posts
I already had the USNF 2.3.1 module. As I said - it was working yesterday, now no longer working.
Anyway, I resolved it, by clearing Google Services Framework, Google Wallet and Google Play Store data. Not sure which clearing made the difference.
 

zgfg

I already had the USNF 2.3.1 module. As I said - it was working yesterday, now no longer working.
Anyway, I resolved it, by clearing Google Services Framework, Google Wallet and Google Play Store data. Not sure which clearing made the difference.
Primarily Wallet. Maybe Services Framework. Less likely, Play Store - Play Services is relevant
 

pndwal

I already had the USNF 2.3.1 module. As I said - it was working yesterday, now no longer working.
Anyway, I resolved it, by clearing Google Services Framework, Google Wallet and Google Play Store data. Not sure which clearing made the difference.
Out of interest, can we assume you mean you do have @Displax USNF 2.3.1-mod (modified USNF), not official @Kdragon USNF 2.3.1 module?... It would be surprising if the latter fixes Play Integrity w/ Android 13... (I don't need the modded version w/ my Android 10 device however.)... PW
 
Out of interest, can we assume you mean you do have @Displax USNF 2.3.1-mod (modified USNF), not official @Kdragon USNF 2.3.1 module?... It would be surprising if the latter fixes Play Integrity w/ Android 13... (I don't need the modded version w/ my Android 10 device however.)... PW
OH. I am using the official one. (I thought you meant module)
 

rodken

Primarily Wallet. Maybe Services Framework. Less likely, Play Store - Play Services is relevant
I always thought that messing with GSF changes the primary ID by which Google knows the device. As far as the servers are concerned, said device was basically factory reset. There are many downstream effects of this, but a major one is that this invalidates the tokens used by any app that uses GCM

-- Which is nearly all the Google apps, and maybe loads of 3rd party apps.
-- Play store won't recognize said device for a few hours or days aside from the fact that logging out and logging in can fix.
-- Whether or not it can cause various Google services to not work is a YMMV issue.

N.B.: Besides the fact that it will not cause Nuclear Warfare - it has the chance of creating a load of nuisances on said device.
 

Entity 0

I already had the USNF 2.3.1 module. As I said - it was working yesterday, now no longer working.
Anyway, I resolved it, by clearing Google Services Framework, Google Wallet and Google Play Store data. Not sure which clearing made the difference.
Hoping push messaging is still working okay for your apps after clearing Google Services Framework, otherwise you'll need to wipe all the affected apps too.
 

niko26

Have you done/tried the following:

1) toggle magiskhide on

2) added com.google.android.gms.unstable to MagiskHide list (or Deny List in latest Magisk versions)

3) hide (rename) magisk app (from Settings menu)

4) Clear data of affected apps:
  • Toggle Airplane Mode on
  • Clear data and cache of:
    • Google Play
    • Google Play Services
    • Google Pay (Warning: this will remove any card and loyalty cards present - you can try without, but is recommended)
  • Usually this will be achieved by (exact steps and terminology may change per device or ROM):
    • Opening Settings
    • Going to Apps, choosing Show All Apps
    • Enabling Show System Apps via a menu option
    • Locating the app, tapping it and then finding Storage/Cache
    • Tapping Clear Data
  • Reboot and then Toggle Airplane Mode off
  • Open Google Play Store, wait 5 minutes, go to Settings and check Certification at bottom
5) Test Google Pay
Hm, I have tried this.. No luck this time. Any idea what I am missing? Google Play Store shows that the device is certified.

I have reset Play Store as well as Play Services multiple times. No luck :(

Almost everything related is hidden magisk...

Any idea?
 

Top Liked Posts

  • 1

    Nekromantik, SimpleStevie, OverlordBubbles, tom510, Goooober


    So everyone has this issue using @Displax USNF-mod module on Poco f3 w/ Crdroid 8.9?... Interesting...

    Did issue occur with an update, or just started occurring?

    If no update it's likely Google has strengthened prerequisites for deviceIntegrity on server end... Could be something peculiar to Crdroid Rom too... Eg. is selinux enforcing?... Some strange prop settings/manipulations?...

    Could ask Poco f3 Crdroid maintainer about possible incompatibility... An integrated mod may be causing issues when running Magisk USNF mod...

    Strangely this seems to be removed from tree:
    https://github.com/crdroidandroid/a...mmit/c24af39a3e66cf11bcff09fa150651dd60cfef16

    Also, seems 12.1 branch ROMs are built with A13 fingerprints now:
    - PixelPropsUtils: Update fingerprints to September 2022 release
    - PixelPropsUtils: Update fingerprints to Android 13 August 2022 release
    ... not sure of effect of this...

    ... Perhaps these don't mix well with Magisk module or these:
    - PixelPropsUtils: Limit SafetyNet workarounds to unstable GMS process
    - PixelPropsUtils: Only spoof GMS to Raven
    - Introduce PixelPropsUtils for safety net spoof
    ... or other commits... ???

    Could post info. here for @Displax / @kdrag0n:
    https://github.com/kdrag0n/safetynet-fix/pull/207

    🙃 PW
    1

    Nekromantik, SimpleStevie, OverlordBubbles,tom510, Goooober


    So everyone has this issue using @Displax USNF-mod module on Poco f3 w/ Crdroid 8.9?... Interesting...

    Did issue occur with an update, or just started occurring?

    If no update it's likely Google has strengthened prerequisites for deviceIntegrity on server end... Could be something peculiar to Crdroid Rom too... Eg. is selinux enforcing?... Some strange prop settings/manipulations?...

    Could ask Poco f3 Crdroid maintainer about possible incompatibility... An integrated mod may be causing issues when running Magisk USNF mod, eg:
    https://github.com/crdroidandroid/a...mmit/c24af39a3e66cf11bcff09fa150651dd60cfef16

    Perhaps it should look like this one(?):
    https://github.com/Spark-Rom/frameworks_base/commit/c75f9f540e6fd60f68164773d8545a662045893c
    or others linked from the issue below...

    Could post info. here for @Displax / @kdrag0n:
    https://github.com/kdrag0n/safetynet-fix/pull/207

    🙃 PW

    The issue just started spontaneously, no updates or anything. In the Play Store it still says the device is certified despite Wallet not meeting security requirements.
    1
    Stock MIUI?... Guess you had official USNF + some mismatched (earlier) fingerprint prop configured in MHPC...

    Does deviceIntegrity pass again for you if you disable MHPC and replace official USNF with @Displax's modded USNF?... PW
    Yes, stock MIUI. And official USNF until July. And then I had to use a prop with a lower Android version, hence the use of MHPC. If I am not mistaken the modded USNF works for latest Magisk and I have the v23 (not really willing for the moment to upgrade to break something). But if no other solution will be found I will also try this solution.
    1
    Yes, stock MIUI. And official USNF until July. And then I had to use a prop with a lower Android version, hence the use of MHPC. If I am not mistaken the modded USNF works for latest Magisk and I have the v23 (not really willing for the moment to upgrade to break something). But if no other solution will be found I will also try this solution.
    There was (two months or so ago) USNF 2.3.1-mod (with that "mod" in the name!), by Displax (hence again, not the 'official'), targeting exactly the Wallet / new Play integrity API

    With that, you should better test (first) without MHPC

    And USNF, for its full potential, requires Zygisk (hence the new Magisk)
    1
    The issue just started spontaneously, no updates or anything. In the Play Store it still says the device is certified despite Wallet not meeting security requirements.
    Yup, - I noticed months ago that Google seems to have only partially implemented PI API... Eg. G Pay/Wallet still seemed to be using S/N API for basic setup (incl. online purchases) but PI for Contactless setup of cards... the in-app contactless Security requirements dialog erroneously said "device meets security requirements" but card setup would fail in practice with a correct error message... Also, while Play Store began restricting app availability (eg Netflix) if PI deviceIntegrity failed, its Play Protect dialogue in Settings, About, still said "Device is certified"... (Of course clearing app data can affect results also.)

    Back to the issue; It seems evident that integrating signal spoofing in ROMs is complicated and fraught, and can involve many separate commits (some examples above), and further, these will need to be made to play well with additional magisk/root modules/solutions that attempt to do similar things...

    For me personally, I much prefer ROMs that are clean of such mods (ie. don't attempt to fix S/N & PI issues natively)... Using official LOS (will never manipulate expected signals due to policy) for example allows users to apply all such mods using Magisk and be far more aware of what changes are actually being applied as well as decreasing the potential for conflicts... At least introduced conflicts can be reversed by users instead of requiring dev intervention...

    Many have wondered why official LOS won't spoof signals but there is something to be said for this policy... In instances like this it has clear added advantages... Unless Devs can always get these manipulations (often requiring ability to juggle commits, a fantastic memory and much luck with outguessing Google mechanisms and changes) right... 🙃 PW
  • 10
    Mod Info:

    I have edited the first post of this thread.
    Indeed the linked solution is quite outdated, so an action was necessary.

    @CSX321 @73sydney
    Thx for bringing this up 👍🏼

    Cheers,
    your fav..riendly neighborhood mod 😉
    7
    @brambles1234, @Nekromantik, @cescman, others searching, here's a little Summary / Guide:

    Current fixes needed for Google Pay / Wallet


    These days we need passing deviceIntegrity in new Play Integrity API. (Don't worry about strong integrity; few if any apps will use this at present as that would exclude users/customers using any device launched with Android 7 or earlier even if on latest Android as well as a number of newer devices with broken keymaster implementations.) Nb. While Safety net API is already deprecated, its attestation must all be passing and Evaluation type showing BASIC for PI deviceIntegrity to pass since the same signals (plus more) are used by PI...

    To check these, use YASNAC (S/N) and Play Integrity API Checker (PI) from Play Store...

    Many devices passing S/N CTS Profile match, especially those running Android 11+, won't pass PI deviceIntegrity verdict with current official Universal SafetyNet Fix alone. @Displax's safetynet-fix-xxxx-MOD is the current solution:
    https://forum.xda-developers.com/t/magisk-module-universal-safetynet-fix-2-3-1.4217823/post-87198517
    - See my notes in post above for technical details, incl. why this solution also negates the need for setting a fingerprint in MagiskHide Props Config module for ROMs not passing CTS Profile match (China region, Beta, Developer, many custom ROMS)...
    - Also note Usage: Delete/disable/reset MHPC (if installed / spoofing fingerprint).
    - Note that Zygisk should be enabled and working, and only Google Pay/Wallet needs to be in denylist whether enforced or disabled with Shamiko etc active; no need for Play Store, Google Play Services processes etc when using any Zygisk-USNF builds...

    Once PI deviceIntegrity is restored / passing, Google Pay/Wallet security requirements may pass again after some days (could take a week!) if simply left... Clearing Google Play Services and Google Pay/Wallet data should fix this immediately but you will need to set up cards again... Nb. Be sure to reboot immediately after clearing Google Pay/Wallet data (before opening app) to avoid issues (eg. app works but Activity list fails to populate).

    Clearing Play Store data may be needed to restore Play Protect 'Device is certified' in Play Store Settings, About... This will affect whether Google Pay and other apps calling S/N or PI APIs appear in the Store...

    Related Issues:

    A number of users have experienced contactless payment failure with Google Pay / Wallet stating "Your phone does not meet the security requirements" irrespective of SafetyNet or Play Integrity status. (Several of us experienced this suddenly, and it predated both new Wallet upgrade and Play Integrity implementation.)...

    Further, in tackling this I experienced two issues restoring a working setup;
    - Issue where 'Google Pay/Wallet is currently updating' fails to complete, and
    - After restoring app, Activity list fails to populate.

    I put steps to fix these here:
    Initial fix:
    https://forum.xda-developers.com/t/...agisk-discussion-thread.3906703/post-86981221
    Resolved Activity list won't populate:
    https://forum.xda-developers.com/t/...agisk-discussion-thread.3906703/post-86991951
    Summary (scroll to 'In short...'):
    https://forum.xda-developers.com/t/...agisk-discussion-thread.3906703/post-86992241

    Hope this helps those concerned. 🤠 PW
    6
    Whenever I come to XDA and ask a question I normally receive a really unhelpful reply, along the lines of "if you search you will find your answer". This can be very annoying, especially after I have spent an hour looking and I still can't find the answer. Hence the reason I ask a question.

    The reason I say this is because I have got Google wallet working and I will share what I did.

    1. Uninstalled Google wallet
    2. Deleted both cache and data from play store
    3. Updated Xprivacy Lua
    4. Reinstalled USNF
    5. Changed fingerprint using su / props
    6. Restarted phone

    It is pertinent to say here that I fail all api integrity checks using the app on playstore. However Google wallet contactless payment works better than before.

    I will keep this updated if I have any issues.

    Please understand that someone asking the same question over and over (and often expecting to be spoonfed) can be taxing.

    And yes the search system can sometimes take a bit of learning to fully utilize properly....but really, here's the key.....if it's a recent issue, then the issue is very likely not just affecting you, and so the solution will often be found in the last 5-10 pages of a thread. People get really tired of people who rock up and create a new post at the end of the thread, when the answer is maybe 3 pages back, and they seem to think that's too much effort. Standard Operating Procedure on any thread should be to read the last 5-10 pages before creating a new post. That would earn the average person who thinks they're catching a tough break because they've touched a nerve that's been tugged at by 50 people before them a lot of respect....consider trying the last 5-10 pages of a thread method in future, it will often not only give you the solution, but the context, which can be just as important, and often you may be able to provide some input or insight no one else has, which everyone can benefit from. Also if people just rock up and expect an answer in 5 minutes every time (there's plenty do it, some people might have been registered for 3, sometimes many more, years and never post until they need something, happens all the time), then they don't learn anything, and they also don't contribute....

    As for your steps above:

    3. Updated Xprivacy Lua <- that's not required and is a personal choice, and has no real bearing on the issue

    Usually one would do:

    1. Install USNF Mod (the Mod is important as already stated)
    2. Integrity Test
    3. Test contactless menu in Wallet

    If contactless fails:
    4. Delete both cache and data from play store and reboot
    5. Test contactless menu in Wallet

    Note

    Step 4 has been known to take days to return a positive contactless setup, in some cases


    Note #2:

    5. Changed fingerprint using su / props <- this should be largely unnecessary except in the case of Chinese ROMs or other edge cases as far as I remember
    5
    Play Integrity API Checker updated to v1.0:

    Thanks @1nikolas
    5
    ... Note #2:

    5. Changed fingerprint using su / props <- this should be largely unnecessary except in the case of Chinese ROMs or other edge cases as far as I remember
    ... And with @Displax USNF_mod it is not needed even for ROMs not passing CTS Profile match (China region, Beta, Developer, many custom ROMS) in most cases. (There may rarely be exceptions where this modded module doesn't work.)

    Technical:

    This mod actually adjusts the fingerprint prop to achieve the mismatch needed along with device prop mismatch to trigger bypassing of hardware based attestation enforcement in Play Integrity (different from the actual Evaluation type fallback triggered by the exception caused when trying to use key attestation with an injected 'fake' keystore provider registered)...

    All these mods, official and unofficial, target the gms attestation process (one process within Google Play Services) only. The prop changes are not globally applied, so issues with OEM specific functions (eg Galaxy Store, special camera functions etc) caused by model prop changes and issues with Play Store (eg. YouTube not updating as expected) etc caused by fingerprint prop changes are successfully avoided...

    Issues with unmatched security patch prop dates are also avoided with this solution...

    The @Displax mod also kills a second bird (or rabbit 😜 ), ie. allowing ROMs not passing CTS Profile match to pass as mentioned above, simply because the fingerprint prop used for HA bypass trigger must also be properly certified for CTS...

    --> This makes this USNF build a true 'Universal' fix, encompassing both old S/N API and new PI API, as well as the whole range of certified stock and uncertified China region, Beta, Developer and custom ROMS...

    👀 PW
  • 61
    The new Google Play services update caused this.

    Temporary workaround:

    1. Disable Google Pay/Find My Device as Device Administrators in Settings > Security & location > Device Administrators.

    2. Search "Google Play services" in the Settings search bar.

    3. Press the three dots and press "Uninstall previous updates".

    4. Download this update - https://www.apkmirror.com/apk/google-inc/google-play-services/google-play-services-14-7-99-release/
    Pick your needed edition (arm or arm64, etc.), download it and install it.

    5. Disable Background data access for Google Play Services and Google Play in their respective App Info pages.

    6. Download Google Pay from the Play Store.

    7. Set up your cards. Enjoy!

    Never EVER update Google Play services manually, until a Magisk update is available that bypasses the upgraded SafetyNet. Note that Google Play services is responsible for adding/verifying the card, not the Google Pay app! Hence why there seems to be an overlay when adding a card/verifying an existing one.

    Tested Google Pay versions:

    2.79.x-2.83.235070858 - working

    Tested Google Play services versions:

    14.7.99, 16.0.86 - working with Magisk 18.1

    14.8.49-16.x- working with Magisk 18.2 Canary
    32
    This thread is inspired by the PoGo Magisk discussion thread. It's meant to keep the clutter of "Google Pay doesn't work" posts out of the main Magisk threads.

    Please use this to discuss issues with Google Pay and possible solutions.


    There's a working solution here:
    https://forum.xda-developers.com/t/magisk-module-universal-safetynet-fix-2-3-1.4217823/post-87198517


    For general tips on first getting SafetyNet to pass fully, check here:
    https://www.didgeridoohan.com/magisk/MagiskHide#hn_SafetyNet
    29
    Ok. I tried this and it worked on gms 17.1.22, allowing one to add cards and pay in store. Warning YMMV, but this is the process I did to get this working. One caveat is that Google pay does not register the "recent transactions" on the Google pay app. Another caveat is that I suspect users will have to reverse some step if gms is updated and then reapply, but this still needs to be confirmed

    Without further ado, here is my process:

    1) download a SQL database editor. I used

    https://play.google.com/store/apps/details?id=com.tomminosoftware.sqliteeditor&hl=en_US

    2) download a terminal emulator program. I used terminus but any terminal emulator should work.

    3) make sure Google pay is forced close, if it is open.

    4) open SQL editor. Navigate to /data/data/com.google.android.gms/databases

    5) open dg.db

    6) change any value that lists "attest" in the name (first column) to 0 in the third column. Mine was showing a value of 10 in the third column for each of these values. (Column c for sqlite database editor I used)

    7) open the terminal emulator.

    8) get root access (su)

    9) cd /data/data/com.google.android.gms/databases

    10) type: chmod 440 dg.db
    This makes dg.db read only (for owner and group, and no access for world.)

    11) reboot

    I suspect when gms is updated, one will have to go back to steps 10 and 11 and chmod 660 dg.db to allow new keys to be written to the database, and then go back and redo all these steps to reset the attestation values back to 0.

    If there is still an error, verify in sqlite database editor that all attest release keys values in dg.db are 0 when dg.db is read only (owner and group).

    Again, YMMV but this worked for me, so I give it back to the community now.

    Edit: recent activities did show up soon afterwards for the payment method.

    Cheers,
    B.D.
    26
    The app is finally public! (thanks Google for taking a week to approve this 🤦)
    I made it beta testing since I haven't tested it on many devices. If you find any problem, please open an issue here and I'll take a look at them once I return from vacation.


    Source code:

    If you are curious, the possible outcomes I've seen are:
    • 3 ticks (unrooted samsung)
    • tick/tick/x (unrooted redmi note 4 with unlocked bootloader)
    • x/tick/x (my rooted a11 op7t)
    23
    UPDATE 1/8/2022
    This app is officially discontinued in favor of a new app I published on Play Store. Read more here:

    ====================
    ORIGINAL MESSAGE:

    I just made this simple app which tells you if your device passes the new Play Integrity API (which is presumably what Google Pay and Play Store use to detect root now). If you don't trust random apks from the internet feel free not to use this. I'll upload the source code at a later time since it's very junk now (probably on github).
    You can use it to play around and see if you manage to get it to pass without having to mess with Google Pay. There are screenshots of the 2 possible outputs (pass screenshot is from an online emulator).
    Also I didn't test it much since I don't have many devices that can pass. Hope it works fine 🤞

    Hope this helps someone find a solution :)

    EDIT:
    Here is a quote from Google of what exactly "Does not meet device integrity" means:
    The app is running on a device that has signs of attack (such as API hooking) or system compromise (such as being rooted), or the app is not running on a physical device (such as an emulator that does not pass Google Play integrity checks).
    ...
    If you are having problems with your testing device meeting device integrity, make sure the factory ROM is installed (for example, by resetting the device) and that the bootloader is locked.
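
The thread's distinction between passing deviceIntegrity and passing MEETS_STRONG_INTEGRITY, seen from an app backend's side. This is an added example, not part of any post and not Google's or any app's own code. It assumes the integrity token has already been decrypted and verified server-side; the package name, freshness window and action tiers are hypothetical.

```python
"""Backend policy over a decoded Play Integrity verdict (added example)."""
import hmac
import time

# Assumptions of this example, not taken from the thread: the package name,
# the freshness window and the action tiers are hypothetical.
EXPECTED_PACKAGE = "com.example.wallet"
MAX_AGE_MS = 120_000

# Device labels from weakest to strongest. Treating them as ordered is this
# example's assumption; only the strongest rests on hardware-backed proof.
LABEL_RANK = {
    "MEETS_BASIC_INTEGRITY": 1,
    "MEETS_DEVICE_INTEGRITY": 2,
    "MEETS_STRONG_INTEGRITY": 3,
}

# Minimum label each (hypothetical) action tier demands.
TIER_REQUIREMENTS = {
    "browse": "MEETS_BASIC_INTEGRITY",
    "online_purchase": "MEETS_DEVICE_INTEGRITY",
    "contactless_provisioning": "MEETS_STRONG_INTEGRITY",
}


def evaluate(verdict, expected_nonce, action, now_ms=None):
    """Return (allowed, reasons) for one already-decrypted verdict payload."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    reasons = []
    req = verdict.get("requestDetails") or {}
    app = verdict.get("appIntegrity") or {}
    dev = verdict.get("deviceIntegrity") or {}

    # Bind the verdict to this request so a replayed token is rejected.
    nonce = str(req.get("nonce", "")).encode()
    if not hmac.compare_digest(nonce, expected_nonce.encode()):
        reasons.append("nonce mismatch")
    if req.get("requestPackageName") != EXPECTED_PACKAGE:
        reasons.append("wrong package")
    try:
        age = now_ms - int(req.get("timestampMillis"))
    except (TypeError, ValueError):
        age = -1
    if not 0 <= age <= MAX_AGE_MS:
        reasons.append("stale or invalid timestamp")

    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("app not recognized by Play")

    # An empty or missing label list means no device integrity at all.
    labels = dev.get("deviceRecognitionVerdict") or []
    best = max((LABEL_RANK.get(label, 0) for label in labels), default=0)
    required = TIER_REQUIREMENTS[action]
    if best < LABEL_RANK[required]:
        reasons.append("device lacks " + required)
    return (not reasons, reasons)


def sample_verdict(labels, nonce="bm9uY2UtMTIz", ts=1_700_000_000_000):
    """Constructed sample payload in the documented verdict shape."""
    return {
        "requestDetails": {"requestPackageName": EXPECTED_PACKAGE,
                           "nonce": nonce, "timestampMillis": str(ts)},
        "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
        "deviceIntegrity": {"deviceRecognitionVerdict": labels},
    }


if __name__ == "__main__":
    now = 1_700_000_030_000
    no_strong = sample_verdict(["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY"])
    for action in TIER_REQUIREMENTS:
        print(action, evaluate(no_strong, "bm9uY2UtMTIz", action, now))
```

A backend that gates its most sensitive action on the strongest label rejects a device that reports only the two weaker ones, at the cost of also rejecting the older devices mentioned in the thread that cannot produce it.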