[Discussion] Google Pay Magisk Discussion Thread

Search This thread

73sydney

Senior Member
Thanks - I will talk to the maintainer of the LOS version and see what we can figure out. I did however already try choosing a fingerprint of android 12, 11, 10 & 9 (I think I didn't go lower) with different devices tried for each version. None had an effect...

the worst ive ever had to do was one version lower, in safetynet only days, so the generation of print isnt your issue
 

pndwal

Senior Member
the worst ive ever had to do was one version lower, in safetynet only days, so the generation of print isnt your issue
mmm... But that's for passing CTS Profile match...

In the case of deviceIntegrity we need to do both that and also have a somewhat elusive print mismatch to trigger bypassing of hardware attestation enforcement for PI (even though fallback to Basic evaluation type has already been achieved)

@Displax said we need different SDK level for some (especially custom) ROMs, but very recent, although mismatched, prints have worked for a number of devices... PW
 
  • Like
Reactions: 73sydney

shisaya24

Senior Member
Mar 10, 2013
194
43
Redmi Note 9 Pro
mmm... But that's for passing CTS Profile match...

In the case of deviceIntegrity we need to do both that and also have a somewhat elusive print mismatch to trigger bypassing of hardware attestation enforcement for PI (even though fallback to Basic evaluation type has already been achieved)

@Displax said we need different SDK level for some (especially custom) ROMs, but very recent, although mismatched, prints have worked for a number of devices... PW
Which fingerprint is recommended for LineageOS 20 based on Android 13? Do you have any recommendations I could try...? Device integrity still not passing for me...
 

pndwal

Senior Member
Which fingerprint is recommended for LineageOS 20 based on Android 13? Do you have any recommendations I could try...? Device integrity still not passing for me...
Really I've told you all I know... We need mismatched print where CTS Profile match passes but deviceIntegrity doesn't and some custom ROMs require different SDK (Android) level while others can work with a slightly older print...

Anyway, if you've had no success after many print changes I wouldn't mind betting it's a ROM issue as I indicated... Also, I've seen very few cases where @ Displax mod, which uses a very old Android 6 print targeting gms, fails...

Does dev have a discussion forum?... Is this build device specific or a GSI?... PW
 

shisaya24

Senior Member
Mar 10, 2013
194
43
Redmi Note 9 Pro
Really I've told you all I know... We need mismatched print where CTS Profile match passes but deviceIntegrity doesn't and some custom ROMs require different SDK (Android) level while others can work with a slightly older print...

Anyway, if you've had no success after many print changes I wouldn't mind betting it's a ROM issue as I indicated...

Does dev have a discussion forum?... Is this build device specific or a GSI?... PW

The dev has a Telegram group - it's a device specific build. Dev is very motivated and responsive and seemingly fixed the issue rom sided by integrating the play integrity fix into the ROM. Waiting for the link so I can try myself. Maybe it was really a conflict between the rom sided fixes and the modules
 
  • Like
Reactions: pndwal

aNGERY

Senior Member
Aug 6, 2017
290
108
OnePlus 7 Pro
OnePlus 9 Pro
Screenshot_2022-10-09-09-18-17-15_c164fb607f41c6d3a88bed2bf1a99c07.jpg
 

Attachments

  • Screenshot_2022-10-09-09-02-57-70_b783bf344239542886fee7b48fa4b892.jpg
    Screenshot_2022-10-09-09-02-57-70_b783bf344239542886fee7b48fa4b892.jpg
    193.1 KB · Views: 95
  • Screenshot_2022-10-09-09-02-48-74_34583e9c971f506808bb8161313e190d.jpg
    Screenshot_2022-10-09-09-02-48-74_34583e9c971f506808bb8161313e190d.jpg
    188.1 KB · Views: 97

cescman

Senior Member
Nov 5, 2013
177
41
I attached a few pics. The Google Pay icon says Google Pay, it shows wallet in info.
I had the same problem before. You may try clearing data and cache of the app. If it still doesn't work, try installing an older version of Google pay and add some cards. If it works, you can update the app afterwards in the play store. I previously tried the January version of Google wallet when I got the error few months ago
 
  • Like
Reactions: aNGERY

aNGERY

Senior Member
Aug 6, 2017
290
108
OnePlus 7 Pro
OnePlus 9 Pro
Doubt you needed to roll back, but should have cleared Google Play Services data as well as G Pay/Wallet... See this:
https://forum.xda-developers.com/t/...agisk-discussion-thread.3906703/post-87481637

🙂 PW

I appreciate it.

So I switched to displax's usnf mod, cleared the cache and data, uninstalled updates and it started working.

I'm still failing, and will probably continue to fail secure device.

If it happens again, I just need to clear the data then?
 
  • Like
Reactions: pndwal

pndwal

Senior Member
I appreciate it.

So I switched to displax's usnf mod, cleared the cache and data, uninstalled updates and it started working.

I'm still failing, and will probably continue to fail secure device.
Do you mean strongIntegrity verdict here?
If it happens again, I just need to clear the data then?
For now my guide is working... No guarantees for future use in this game! 😜 PW
 
  • Like
  • Love
Reactions: 73sydney and aNGERY

Annil

Senior Member
Dec 6, 2012
53
20
Google Wallet stopped working now and detects root, too.
A13 with P6P and used the guide from @pndwal using also mod 2.0 patch from displax.
Not sure what else I could do now or what's wrong. It just started with that free week ago after some Google apps for updated...
 

pndwal

Senior Member
Google Wallet stopped working now and detects root, too.
A13 with P6P and used the guide from @pndwal using also mod 2.0 patch from displax.
Not sure what else I could do now or what's wrong. It just started with that free week ago after some Google apps for updated...
Mod 2.0 should be fixed again per
https://forum.xda-developers.com/t/magisk-module-universal-safetynet-fix-2-3-1.4217823/post-87579273
(Bad DOS endings)

Nb. Latest includes new prop mismatch needed for A13 launch version devices... Older mod version should be fine for P6 etc.

Also, see this:
https://forum.xda-developers.com/t/...agisk-discussion-thread.3906703/post-87481637
- Scroll to 'Related Issues'... PW
 
  • Like
Reactions: dr4go and 73sydney

borisSweden

Senior Member
May 10, 2021
230
21
OnePlus 7T
OK I have an idea, lets say you have one unmodded stock phone with Google approved status and a rooted phone. Why cant I just ping the home phone when I tap the card terminal NFC tag with my rooted phone?

For some Gpay and Samsung Pay isn't a option because "reason" and you dont want to fork out for a Fitbit, Garmin or a S-Gear until GNU Taler is ready. Because this constant struggle with Gapps, Integrity, Safety Net, Hide, DenyList can't go on forever.
 

zgfg

Senior Member
Oct 10, 2016
8,199
5,831
Xiaomi Mi 11
Xiaomi Mi 11 Lite 5G
OK I have an idea, lets say you have one unmodded stock phone with Google approved status and a rooted phone. Why cant I just ping the home phone when I tap the card terminal NFC tag with my rooted phone?

For some Gpay and Samsung Pay isn't a option because "reason" and you dont want to fork out for a Fitbit, Garmin or a S-Gear until GNU Taler is ready. Because this constant struggle with Gapps, Integrity, Safety Net, Hide, DenyList can't go on forever.
I don't understand how would you 'ping' the other phone

Wallet (or any other 'banking' app) calls SafetyNet, now PlayIntegrity API from the Google Play Services running on that SAME phone. And that PI API inspects again the SAME (own) phone

Only if you would spoof the complete Google Play Services (GMS) to make it to 'ping' the other phone, to execute there the Hardware type CTS Profile attestation, to returm the result, that your spoofed GMS would send then to Google server (as its own CTS Profile Attestation), for the final verdict

Not sure if that would be possible without the modifications on that other phone (sitting 'at your home'.
But in that case, those modifications on that other phone would also require the unlocked Bootloader (to flash the modifications), hence that phone would no more run its stock firmware with the locked Bootloader, meaning that it would also not be able to pass the Strong Integrity (Hardware type CTS Profile attestation, ie, on the Trusted Execution Environment=TEE). Hence you're back on the square one
 
Last edited:
  • Like
Reactions: zagreous and rodken

Top Liked Posts

  • 1
    Not to 'toot my own horn' - I might be one of the lucky few that doesn't have any issues with GPay while running 2.4.0 on the OnePlus 8 OOS 11 while passing Basic and Device Integrity.
    OnePlus 8?... Doesn't Momo show 'Tee broken'?... (It's actually not, but Devs mean keymaster implementation is broken)...

    If so (IIRC), you don't even need main USNF functions!; neither fake keystore registration to trip fallback to Basic attestation nor prop changes to bypass hardware attestation based verdict enforcement as your broken keymaster already trips fallback to basic and Google don't enforce hardware attestation based verdict enforcement using your devices expected prop values as they know which OnePlus devices (and others) are broken...

    It seems that the recent failure relates to USNF's key fake keystore registration function/timing...

    You most likely only need root hiding for gms attestation (droidguard) process (com.google.android.gms.unstable) and resetting of some sensitive props to pass S/N or PI deviceIntegrity... USNF also performs these functions since we no longer have MagiskHide doing this...

    👀 PW
    1
    For me, too. Couple of days ago, Wallet complained that my device didn`t match security standards. Then, downgraded to USNF-MOD-2.1, rebooted, and Wallet is back to work! Xperia XZ2 running LineageOS 20.0. Magisk Delta Canary. Zygisk, Magiskhide and SuList are enabled.
    You will also need to make sure wipe out Google service cache just in case if any funky residue may back to you some time later..
  • 3
    No, it does not set by itself. I had problems enabling its driver, one thread on XDA was strongly suggesting to set SELinux to permissive. I did and it worked, so... 🤷‍♂️. However, now when I reverted it back to enforcing, Viper still works 😊
    I did not search for STRONG_INTEGRITY, my bad
    Good that V4A V2.7 works for you with Enforcing mode (as it should)

    Btw, there are two newer versions:

    1) Repackaged V4A - finding and patching audio drivers when they are scattered to other system folders (needed for some devices):

    2) (1) + Reverse engineered V4A alpha v0.2.0 support for 64-bit audio drivers (needed on some new devices that could not fall-back to 32-bit audio drivers):

    Both also don't require SE Linux Permissive. Might need AML v4.2 (recently updated):

    PS:
    And don't forget to enable Legacy mode (and of course, Master limiter)
    2
    Anything else I've missed?
    you missed play integrity check result. the other thing is that you have too many apps on deny list imo, this might result with the opposite result than expected, also you don't need magisk hide props when you use usnf mod by displax, and the last but not least - would be good to switch to ENFORCING SE LINUX if possible, i never tried to setup Gwallet on permissive tbh.

    cheers
    2
    OK.
    • Removed MHPC from magisk modules
    • Removed everything from denylist except Google Wallet
    • Set SELinux to enforcing - I set it to permissive earlier because of Viper4AndroidFX
    • Reboot
    Still PI checker shows red cross for MEETS_STRONG_INTEGRITY
    that's normal and gwallet should work
    2
    OK.
    • Removed MHPC from magisk modules
    • Removed everything from denylist except Google Wallet
    • Set SELinux to enforcing - I set it to permissive earlier because of Viper4AndroidFX
    • Reboot
    Still PI checker shows red cross for MEETS_STRONG_INTEGRITY
    Perfect!...

    I didn't say you need strongIntegrity... When Google/banks start enforcing that it'll be a sad day for modders... Also, customers using any device w/ A7 or less + many modern OnePlus etc w/ broken keymaster will be collateral damage... deviceIntegrity is what you need ATM as stated... PW
    2
    • Set SELinux to enforcing - I set it to permissive earlier because of Viper4AndroidFX
    If using V4A FX 2.7.2.1, it doesn't set SE Linux to Permissive and you should not need to force Permissive manually

    And no need for Strong Integrity was already answered by others (and for the mater of fact, the same was commented numerous times in this thread already)
  • 61
    The new Google Play services update caused this.

    Temporary workaround:

    1. Disable Google Pay/Find My Device as Device Administrators in Settings > Security & location > Device Administrators.

    2. Search "Google Play services" in the Settings search bar.

    3. Press the three dots and press "Uninstall previous updates".

    4. Download this update - https://www.apkmirror.com/apk/google-inc/google-play-services/google-play-services-14-7-99-release/
    Pick your needed edition (arm or arm64, etc.), download it and install it.

    5. Disable Background data access for Google Play Services and Google Play in their respective App Info pages.

    6. Download Google Pay from the Play Store.

    7. Set up your cards. Enjoy!

    Never EVER update Google Play services manually, until a Magisk update is available that bypasses the upgraded SafetyNet. Note that Google Play services is responsible for adding/verifying the card, not the Google Pay app! Hence why there seems to be an overlay when adding a card/verifying an existing one.

    Tested Google Pay versions:

    2.79.x-2.83.235070858 - working

    Tested Google Play services versions:

    14.7.99, 16.0.86 - working with Magisk 18.1

    14.8.49-16.x- working with Magisk 18.2 Canary
    32
    This thread is inspired by the PoGo Magisk discussion thread. It's meant to keep the clutter of "Google Pay doesn't work" posts out of the main Magisk threads.

    Please use this to discuss issues with Google Pay and possible solutions.


    There's a working solution here:
    https://forum.xda-developers.com/t/magisk-module-universal-safetynet-fix-2-3-1.4217823/post-87198517


    For general tips on first getting SafetyNet to pass fully, check here:
    https://www.didgeridoohan.com/magisk/MagiskHide#hn_SafetyNet
    29
    Ok. I tried this and it worked on gms 17.1.22, allowing one to add cards and pay in store. Warning YMMV, but this is the process I did to get this working. One caveat is that Google pay does not register the "recent transactions" on the Google pay app. Another caveat is that I suspect users will have to reverse some step if gms is updated and then reapply, but this still needs to be confirmed

    Without further ado, here is my process:

    1) download a SQL database editor. I used

    https://play.google.com/store/apps/details?id=com.tomminosoftware.sqliteeditor&hl=en_US

    2) download a terminal emulator program. I used terminus but any terminal emulator should work.

    3) make sure Google pay is forced close, if it is open.

    4) open SQL editor. Navigate to /data/data/com.google.android.gms/databases

    5) open dg.db

    6) change any value that lists "attest" in the name (first column) to 0 in the third column. Mine was showing a value of 10 in the third column for each of these values. (Column c for sqlite databse editor I used)

    7) open the terminal emulator.

    8) get root access (su)

    9) cd /data/data/com.google.android.gms/databases

    10) type: chmod 440 dg.db
    This makes dg.db read only (for owner and group, and no access for world.)

    11) reboot

    I suspect when gms is updated, one will have to go back to steps 10 and 11 and chmod 660 dg.db to allow new keys to be written to the database, and then go back and redo all these steps to reset the attestation values back to 0.

    If there is still an error, verify in sqlite database editor that all attest release keys values in dg.db are 0 when dg.db is read only (owner and group).

    Again, YMMV but this worked for me, so I give it back to the community now.

    Edit: recent activities did show up soon afterwards for the payment method.

    Cheers,
    B.D.
    27
    The app is finally public! (thanks Google for taking a week to approve this 🤦)
    I made it beta testing since I haven't tested it on much devices. If you find any problem, please open an issue here and I'll take a look at them once I return from vacation.


    Source code:

    If you are curious, the possible outcomes I've seen are:
    • 3 ticks (unrooted samsung)
    • tick/tick/x (unrooted redmi note 4 with unlocked bootloader)
    • x/tick/x (my rooted a11 op7t)
    23
    UPDATE 1/8/2022
    This app is officially discontinued in favor of a new app I published on Play Store. Read more here:

    ====================
    ORIGINAL MESSAGE:

    I just made this simple app which tells you if your device passes the new Play Integrity API (which is presumably what Google Pay and Play Store use to detect root now). If you don't trust random apks from the internet feel free not to use this. I'll upload the source code at a later time since it's very junk now (probably on github).
    You can use it to play around and see if you manage to get it to pass without having to mess with Google Pay. There are screenshots of the 2 possible outputs (pass screenshot is from an online emulator).
    Also I didn't test it much since I don't have many devices that can pass. Hope it works fine 🤞

    Hope this helps someone find a solution :)

    EDIT:
    Here is a quote from Google of what exactly "Does not meet device integrity" mean:
    The app is running on a device that has signs of attack (such as API hooking) or system compromise (such as being rooted), or the app is not running on a physical device (such as an emulator that does not pass Google Play integrity checks).
    ...
    If you are having problems with your testing device meeting device integrity, make sure the factory ROM is installed (for example, by resetting the device) and that the bootloader is locked.