[Discussion] Google Pay Magisk Discussion Thread


SimpleStevie

Member
Dec 12, 2011
33
13
Xiaomi Poco F3
Like many people, Google Wallet is now broken for me. I've been using it without issue on my Poco F3 running Crdroid for a few months now using the latest Magisk, Zygisk and the SafetyNet Mod Fix by Displax but it no longer seems to work.

I've tried the usual clearing storage for Play Services, Play Store, Wallet App without success, I can't even add a card to the Wallet app now.

My YASNAC still passes but Google Play Integrity API Checker now fails on MEETS_DEVICE_INTEGRITY when it used to pass.

:(
Same phone, same rom, same issues
 

73sydney

Senior Member
not sure then
mine was same as yours until I changed to UNSF MOD

I've always been using the MOD version and everything was working just fine so I've no idea what I can do really as I can't bear the thought of going back to stock MIUI.

Just an aside, did you have a recent google play services update...I got one a few days (official, from the play store update, not a self inflicted beta mess from apkmirror like some nut bars on here do - hint: never do that) ago that when it installed itself wreaked havoc by seemingly clearing either database or data upon install which severed my Watch 4 connection (the most egregious thing as it's a total ballache to reset that backup from scratch thanks to Samsung's (non) backup) and killed Wallet. I had to uninstall the update, which reverted Wallet to Pay, which gave the usual Pay is updating so you can't open it nonsense, meaning wait 20 minutes, open it, set it back up and migrate to wallet shamozzle, at the end of which I was delighted to see contactless still working happily...only plus side of the events...
 
Jul 29, 2011
40
7
Why did I choose yesterday of all days to decide to install a rom on my Poco f3, Crdroid 8.9

I've just come from miui wanted a change, had custom ROMs on my previous devices and now just reading about these problems.
 

Nekromantik

Senior Member
Just an aside, did you have a recent google play services update...I got one a few days (official, from the play store update, not a self inflicted beta mess from apkmirror like some nut bars on here do - hint: never do that) ago that when it installed itself wreaked havoc by seemingly clearing either database or data upon install which severed my Watch 4 connection (the most egregious thing as it's a total ballache to reset that backup from scratch thanks to Samsung's (non) backup) and killed Wallet. I had to uninstall the update, which reverted Wallet to Pay, which gave the usual Pay is updating so you can't open it nonsense, meaning wait 20 minutes, open it, set it back up and migrate to wallet shamozzle, at the end of which I was delighted to see contactless still working happily...only plus side of the events...
Yes I had play services update but I already had Wallet instead of Pay even before the update few days ago
 

pndwal

Senior Member

Nekromantik, SimpleStevie, OverlordBubbles, tom510, Goooober


So everyone has this issue using @Displax USNF-mod module on Poco f3 w/ Crdroid 8.9?... Interesting...

Did issue occur with an update, or just started occurring?

If no update it's likely Google has strengthened prerequisites for deviceIntegrity on server end... Could be something peculiar to Crdroid Rom too... Eg. is selinux enforcing?... Some strange prop settings/manipulations?...

Could ask Poco f3 Crdroid maintainer about possible incompatibility... An integrated mod may be causing issues when running Magisk USNF mod...

Strangely this seems to be removed from tree:
https://github.com/crdroidandroid/a...mmit/c24af39a3e66cf11bcff09fa150651dd60cfef16

Also, seems 12.1 branch ROMs are built with A13 fingerprints now:
- PixelPropsUtils: Update fingerprints to September 2022 release
- PixelPropsUtils: Update fingerprints to Android 13 August 2022 release
... not sure of effect of this...

... Perhaps these don't mix well with Magisk module or these:
- PixelPropsUtils: Limit SafetyNet workarounds to unstable GMS process
- PixelPropsUtils: Only spoof GMS to Raven
- Introduce PixelPropsUtils for safety net spoof
... or other commits... ???

Could post info. here for @Displax / @kdrag0n:
https://github.com/kdrag0n/safetynet-fix/pull/207

🙃 PW
 

batboy00

New member
Nov 28, 2013
4
5
Hello. Same problem since 22/09. Xiaomi Redmi Note 10 5G with magisk v23 and Props Config modification since july. Suddenly, Google Wallet does not meet security requirements and device integrity does not pass anymore.
 

pndwal

Senior Member
Hello. Same problem since 22/09. Xiaomi Redmi Note 10 5G with magisk v23 and Props Config modification since july. Suddenly, Google Wallet does not meet security requirements and device integrity does not pass anymore.
Stock MIUI?... Guess you had official USNF + some mismatched (earlier) fingerprint prop configured in MHPC...

Does deviceIntegrity pass again for you if you disable MHPC and replace official USNF with @Displax's modded USNF?... PW
 

Goooober

Senior Member
Dec 22, 2011
212
22
Kent

Nekromantik, SimpleStevie, OverlordBubbles,tom510, Goooober


So everyone has this issue using @Displax USNF-mod module on Poco f3 w/ Crdroid 8.9?... Interesting...

Did issue occur with an update, or just started occurring?

If no update it's likely Google has strengthened prerequisites for deviceIntegrity on server end... Could be something peculiar to Crdroid Rom too... Eg. is selinux enforcing?... Some strange prop settings/manipulations?...

Could ask Poco f3 Crdroid maintainer about possible incompatibility... An integrated mod may be causing issues when running Magisk USNF mod, eg:
https://github.com/crdroidandroid/a...mmit/c24af39a3e66cf11bcff09fa150651dd60cfef16

Perhaps it should look like this one(?):
https://github.com/Spark-Rom/frameworks_base/commit/c75f9f540e6fd60f68164773d8545a662045893c
or others linked from the issue below...

Could post info. here for @Displax / @kdrag0n:
https://github.com/kdrag0n/safetynet-fix/pull/207

🙃 PW

The issue just started spontaneously, no updates or anything. In the Play Store it still says the device is certified despite Wallet not meeting security requirements.
 

batboy00

New member
Nov 28, 2013
4
5
Stock MIUI?... Guess you had official USNF + some mismatched (earlier) fingerprint prop configured in MHPC...

Does deviceIntegrity pass again for you if you disable MHPC and replace official USNF with @Displax's modded USNF?... PW
Yes, stock MIUI. And official USNF until July. And then I had to use a prop with a lower Android version, hence the use of MHPC. If I am not mistaken the modded USNF works for latest Magisk and I have the v23 (not really willing for the moment to upgrade to break something). But if no other solution will be found I will also try this solution.
 

zgfg

Senior Member
Oct 10, 2016
7,977
5,532
Yes, stock MIUI. And official USNF until July. And then I had to use a prop with a lower Android version, hence the use of MHPC. If I am not mistaken the modded USNF works for latest Magisk and I have the v23 (not really willing for the moment to upgrade to break something). But if no other solution will be found I will also try this solution.
There was (two months or so ago) USNF 2.3.1-mod (with that "mod" in the name!), by Displax (hence again, not the 'official'), targeting exactly the Wallet / new Play integrity API

With that, you should better test (first) without MHPC

And USNF, for its full potential, requires Zygisk (hence the new Magisk)
 

pndwal

Senior Member
Yes, stock MIUI. And official USNF until July. And then I had to use a prop with a lower Android version, hence the use of MHPC. If I am not mistaken the modded USNF works for latest Magisk and I have the v23 (not really willing for the moment to upgrade to break something). But if no other solution will be found I will also try this solution.
Ah... Explains why you kept MHPC globally spoofed earlier fingerprint... So guess you have official Riru USNF... And G Play Services com.google.android.gms.unstable and (assuming A11+) com.google.android.gms processes in hidelist...

If you don't want to move to Zygisk builds, you could test targeted spoofed old fingerprint solution using @huskydg's Riru/Zygisk - Play Integrity Fix:

(@huskydg, I see you made this improvement:
Only inject safetynet process
but readme.md still says "by injecting into com.google.android.gms and com.google.android.gms.unstable" 😜...)

Please say (if you try this) if deviceIntegrity passes again for you by disabling MHPC and replacing official USNF with @huskydg's modded USNF... 👍 PW
 

pndwal

Senior Member
The issue just started spontaneously, no updates or anything. In the Play Store it still says the device is certified despite Wallet not meeting security requirements.
Yup, - I noticed months ago that Google seems to have only partially implemented PI API... Eg. G Pay/Wallet still seemed to be using S/N API for basic setup (incl. online purchases) but PI for Contactless setup of cards... the in-app contactless Security requirements dialog erroneously said "device meets security requirements" but card setup would fail in practice with a correct error message... Also, while Play Store began restricting app availability (eg Netflix) if PI deviceIntegrity failed, its Play Protect dialogue in Settings, About, still said "Device is certified"... (Of course clearing app data can affect results also.)

Back to the issue; It seems evident that integrating signal spoofing in ROMs is complicated and fraught, and can involve many separate commits (some examples above), and further, these will need to be made to play well with additional magisk/root modules/solutions that attempt to do similar things...

For me personally, I much prefer ROMs that are clean of such mods (ie. don't attempt to fix S/N & PI issues natively)... Using official LOS (will never manipulate expected signals due to policy) for example allows users to apply all such mods using Magisk and be far more aware of what changes are actually being applied as well as decreasing the potential for conflicts... At least introduced conflicts can be reversed by users instead of requiring dev intervention...

Many have wondered why official LOS won't spoof signals but there is something to be said for this policy... In instances like this it has clear added advantages... Unless Devs can always get these manipulations (often requiring ability to juggle commits, a fantastic memory and much luck with outguessing Google mechanisms and changes) right... 🙃 PW
 

tom510

New member
Sep 24, 2022
2
1

Nekromantik, SimpleStevie, OverlordBubbles, tom510, Goooober


So everyone has this issue using @Displax USNF-mod module on Poco f3 w/ Crdroid 8.9?... Interesting...

Did issue occur with an update, or just started occurring?

If no update it's likely Google has strengthened prerequisites for deviceIntegrity on server end... Could be something peculiar to Crdroid Rom too... Eg. is selinux enforcing?... Some strange prop settings/manipulations?...

Could ask Poco f3 Crdroid maintainer about possible incompatibility... An integrated mod may be causing issues when running Magisk USNF mod...

Strangely this seems to be removed from tree:
https://github.com/crdroidandroid/a...mmit/c24af39a3e66cf11bcff09fa150651dd60cfef16

Also, seems 12.1 branch ROMs are built with A13 fingerprints now:
- PixelPropsUtils: Update fingerprints to September 2022 release
- PixelPropsUtils: Update fingerprints to Android 13 August 2022 release
... not sure of effect of this...

... Perhaps these don't mix well with Magisk module or these:
- PixelPropsUtils: Limit SafetyNet workarounds to unstable GMS process
- PixelPropsUtils: Only spoof GMS to Raven
- Introduce PixelPropsUtils for safety net spoof
... or other commits... ???

Could post info. here for @Displax / @kdrag0n:
https://github.com/kdrag0n/safetynet-fix/pull/207

🙃 PW
It started working for me despite not changing anything. Integrity device test started passing and after clearing cache+data from google play, play services and wallet it's working again.
 

sanguinesaintly

Senior Member
Apr 16, 2011
2,705
1,328
Redmi Note 9 Pro Max
It started working for me despite not changing anything. Integrity device test started passing and after clearing cache+data from google play, play services and wallet it's working again.
Same here. I'd cleared cache and data many times before with no result, but this time I cleared them, rebooted, and it added the card back in. Haven't tried it yet but looks promising. Maybe someone at Google had second thoughts!
 

Top Liked Posts

  • 9
    I could be wrong, but for most people, the "solid base" of Magisk modules (assuming stock ROM with root) is just USNF Displax mod. If other modules or modifications are installed then more elaborate hiding measures might be necessary but in general the modded USNF alone is sufficient to pass basic and device integrity.
    FWIW, USNF (now w/ @Displax' mods) is the de facto replacement for basic MagiskHide functions that provided an environment attestation API (SafetyNet) bypass...

    MagiskHide also provided proper 'root' hiding from apps but always remained basic as John has tired of / lost interest in bypassing apps' increasingly sophisticated custom root trace detection methods for some years now.

    This has meant that more sophisticated root hiding has been the province of solutions like 'Servicely' (to disable services with isolatedProcess enabled that can 'easily bypass MagiskHide'), vv's Unshare and later Canyie's MomoHider Magisk modules in combination with Magisk's own hidelist.

    XPosed modules like Hide My Applist were also added to the list of hiding solutions as Devs have found ways to (arguably) abuse ability to detect apps they deem indicators of execution environment compromise despite Google's efforts to limit this 'improper' use of permissions like QUERY_ALL_PACKAGES...

    With Zygisk-generation Magisk (24+), even basic root trace hiding has been 'sunsetted' in Magisk itself... As John said:
    • It's not a secret that specifically designed modules can indeed utilize the DenyList feature for "hiding" purposes
    • DenyList, however, is only meant to "revert all Magisk changes". It will not attempt to manipulate any other signals on the device
    • Since Magisk already provides root permissions, modules don't actually need to rely on DenyList for hiding. They can do everything themselves
    • There are already modules out there that directly manipulates root detecting processes / system services to workaround HW KA

    So newer efforts to provide root hiding have had to re-implement proper methods (not simply reverting Magisk modifications in processes which actually breaks much hiding). This means that solutions like Shamiko, while 'hijacking' denylist for convenience, are actually re-implementing denylist as a hidelist. In this sense at least Shamiko is now supplying the 'solid base' hiding once provided by MagiskHide (but it's not needed for passing SafetyNet or Play Integrity attestations as you said)...

    Of course other 'base' hiding is also supplied by Shamiko, eg xhook hiding for LSPosed and other modules was previously integrated in Riru as Riruhide but many were unaware of its existence. With 24+ Magisk there is no such integrated hiding but Shamiko is hiding (most?) traces of xhook/Zygisk now...

    Being a Canyie initiative, Shamiko adds the unshare (isolated process) and other hiding done by her MomoHider as well as tmp mount and more hiding for further traces now detected by banks... PW
    5
    Sorry, i guess i quote it mostly as a solid base for everything after...
    I could be wrong, but for most people, the "solid base" of Magisk modules (assuming stock ROM with root) is just USNF Displax mod. If other modules or modifications are installed then more elaborate hiding measures might be necessary but in general the modded USNF alone is sufficient to pass basic and device integrity.
    4
    For the majority of people Magisk 25.2 with Universal SafetyNet Fix (Mod/Mod2) by Displax, and Shamiko (Deny List NOT Force enabled) is enough to pass Integrity test (along with clearing data for Play Store and Play Services)
    Shamiko isn't even required in most cases I believe. Play Integrity does not detect Zygisk and in fact has no way to do so.
    4
    doesn't work sir, installation failed, your system API of 29 is less than the minimum api of 30? what, any solution? Magisk 25.2, rog phone 2 stock rom android 10, coz i got detected on ruru, Libc and Syscall file detection, the HMA is detected, i already use HMA beta 3.0.5, plz helb

    As promised, linking you to the newly completed HMA guide:

    4
    doesn't work sir, installation failed, your system API of 29 is less than the minimum api of 30? what, any solution? Magisk 25.2, rog phone 2 stock rom android 10, coz i got detected on ruru, Libc and Syscall file detection, the HMA is detected, i already use HMA beta 3.0.5, plz helb

    It does say Android 11+ API 30+ on the github page

    The module can't modify a file that doesn't exist :)

    Sorry but there's no equivalent function for Android -11

    I am working on a Hide My Applist guide (with pictures) at the moment, that may help. Once I have that up, I'll tag you and you can follow and see if you have it set up correctly and then also let us know what you're being detected on under those categories

    For the majority of people Magisk 25.2 with Universal SafetyNet Fix (Mod/Mod2) by Displax, and Shamiko (Deny List NOT Force enabled) is enough to pass Integrity test (along with clearing data for Play Store and Play Services)
  • 61
    The new Google Play services update caused this.

    Temporary workaround:

    1. Disable Google Pay/Find My Device as Device Administrators in Settings > Security & location > Device Administrators.

    2. Search "Google Play services" in the Settings search bar.

    3. Press the three dots and press "Uninstall previous updates".

    4. Download this update - https://www.apkmirror.com/apk/google-inc/google-play-services/google-play-services-14-7-99-release/
    Pick your needed edition (arm or arm64, etc.), download it and install it.

    5. Disable Background data access for Google Play Services and Google Play in their respective App Info pages.

    6. Download Google Pay from the Play Store.

    7. Set up your cards. Enjoy!

    Never EVER update Google Play services manually, until a Magisk update is available that bypasses the upgraded SafetyNet. Note that Google Play services is responsible for adding/verifying the card, not the Google Pay app! Hence why there seems to be an overlay when adding a card/verifying an existing one.

    Tested Google Pay versions:

    2.79.x-2.83.235070858 - working

    Tested Google Play services versions:

    14.7.99, 16.0.86 - working with Magisk 18.1

    14.8.49-16.x- working with Magisk 18.2 Canary
    32
    This thread is inspired by the PoGo Magisk discussion thread. It's meant to keep the clutter of "Google Pay doesn't work" posts out of the main Magisk threads.

    Please use this to discuss issues with Google Pay and possible solutions.


    There's a working solution here:
    https://forum.xda-developers.com/t/magisk-module-universal-safetynet-fix-2-3-1.4217823/post-87198517


    For general tips on first getting SafetyNet to pass fully, check here:
    https://www.didgeridoohan.com/magisk/MagiskHide#hn_SafetyNet
    29
    Ok. I tried this and it worked on gms 17.1.22, allowing one to add cards and pay in store. Warning YMMV, but this is the process I did to get this working. One caveat is that Google pay does not register the "recent transactions" on the Google pay app. Another caveat is that I suspect users will have to reverse some step if gms is updated and then reapply, but this still needs to be confirmed

    Without further ado, here is my process:

    1) download a SQL database editor. I used

    https://play.google.com/store/apps/details?id=com.tomminosoftware.sqliteeditor&hl=en_US

    2) download a terminal emulator program. I used terminus but any terminal emulator should work.

    3) make sure Google pay is forced close, if it is open.

    4) open SQL editor. Navigate to /data/data/com.google.android.gms/databases

    5) open dg.db

    6) change any value that lists "attest" in the name (first column) to 0 in the third column. Mine was showing a value of 10 in the third column for each of these values. (Column c for sqlite database editor I used)

    7) open the terminal emulator.

    8) get root access (su)

    9) cd /data/data/com.google.android.gms/databases

    10) type: chmod 440 dg.db
    This makes dg.db read only (for owner and group, and no access for world.)

    11) reboot

    I suspect when gms is updated, one will have to go back to steps 10 and 11 and chmod 660 dg.db to allow new keys to be written to the database, and then go back and redo all these steps to reset the attestation values back to 0.

    If there is still an error, verify in sqlite database editor that all attest release keys values in dg.db are 0 when dg.db is read only (owner and group).

    Again, YMMV but this worked for me, so I give it back to the community now.

    Edit: recent activities did show up soon afterwards for the payment method.

    Cheers,
    B.D.
    27
    The app is finally public! (thanks Google for taking a week to approve this 🤦)
    I made it beta testing since I haven't tested it on many devices. If you find any problem, please open an issue here and I'll take a look at them once I return from vacation.


    Source code:

    If you are curious, the possible outcomes I've seen are:
    • 3 ticks (unrooted samsung)
    • tick/tick/x (unrooted redmi note 4 with unlocked bootloader)
    • x/tick/x (my rooted a11 op7t)
    23
    UPDATE 1/8/2022
    This app is officially discontinued in favor of a new app I published on Play Store. Read more here:

    ====================
    ORIGINAL MESSAGE:

    I just made this simple app which tells you if your device passes the new Play Integrity API (which is presumably what Google Pay and Play Store use to detect root now). If you don't trust random apks from the internet feel free not to use this. I'll upload the source code at a later time since it's very junk now (probably on github).
    You can use it to play around and see if you manage to get it to pass without having to mess with Google Pay. There are screenshots of the 2 possible outputs (pass screenshot is from an online emulator).
    Also I didn't test it much since I don't have many devices that can pass. Hope it works fine 🤞

    Hope this helps someone find a solution :)

    EDIT:
    Here is a quote from Google of what exactly "Does not meet device integrity" means:
    The app is running on a device that has signs of attack (such as API hooking) or system compromise (such as being rooted), or the app is not running on a physical device (such as an emulator that does not pass Google Play integrity checks).
    ...
    If you are having problems with your testing device meeting device integrity, make sure the factory ROM is installed (for example, by resetting the device) and that the bootloader is locked.
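
Added example, not part of the thread or any poster's code: a sketch of how an app's backend could apply policy to the `deviceIntegrity` labels discussed above, so that a device returning only `MEETS_BASIC_INTEGRITY` is refused while request binding (package, nonce, freshness) is checked first. It assumes the verdict token has already been decrypted and verified; the package name, nonce, freshness window and sample payloads are constructed.

```python
import time

MAX_AGE_MS = 5 * 60 * 1000  # assumed freshness window for a verdict


def sample_payload(labels, ts_ms, nonce="bm9uY2UtMTIzNA", app="PLAY_RECOGNIZED"):
    """Constructed payload in the decoded Play Integrity verdict layout."""
    return {
        "requestDetails": {"requestPackageName": "com.example.pay",
                           "nonce": nonce, "timestampMillis": str(ts_ms)},
        "appIntegrity": {"appRecognitionVerdict": app,
                         "packageName": "com.example.pay"},
        # A device that fails every check comes back with no labels at all.
        "deviceIntegrity": {} if labels is None
        else {"deviceRecognitionVerdict": labels},
        "accountDetails": {"appLicensingVerdict": "LICENSED"},
    }


def evaluate_verdict(payload, expected_package, expected_nonce, now_ms=None,
                     required_label="MEETS_DEVICE_INTEGRITY"):
    """Return (allowed, reasons) for an already verified, decoded verdict."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    reasons = []

    # 1. Bind the verdict to this request: right app, our nonce, recent.
    req = payload.get("requestDetails") or {}
    if req.get("requestPackageName") != expected_package:
        reasons.append("request package mismatch")
    if req.get("nonce") != expected_nonce:
        reasons.append("nonce mismatch (possible replay)")
    try:
        ts = int(req.get("timestampMillis"))
    except (TypeError, ValueError):
        ts = None
    if ts is None or abs(now_ms - ts) > MAX_AGE_MS:
        reasons.append("stale or missing timestamp")

    # 2. The calling binary must be the one Play distributed.
    app = payload.get("appIntegrity") or {}
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("app not recognized by Play")

    # 3. Device labels: missing field and empty list both mean "no labels".
    device = payload.get("deviceIntegrity") or {}
    labels = set(device.get("deviceRecognitionVerdict") or [])
    if required_label not in labels:
        got = ", ".join(sorted(labels)) or "none"
        reasons.append(f"device verdict lacks {required_label} (got: {got})")

    return (not reasons, reasons)


if __name__ == "__main__":
    now = int(time.time() * 1000)
    cases = {
        "basic + device": ["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY"],
        "basic only": ["MEETS_BASIC_INTEGRITY"],
        "no labels": None,
    }
    for name, labels in cases.items():
        result = evaluate_verdict(sample_payload(labels, now),
                                  "com.example.pay", "bm9uY2UtMTIzNA", now_ms=now)
        print(name, "->", result)
```
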