[Discussion] Google Pay Magisk Discussion Thread

Search This thread

borisSweden

Senior Member
May 10, 2021
230
21
OnePlus 7T
I don't understand how would you 'ping' the other phone

Wallet (or any other 'banking' app) calls SafetyNet, now PlayIntegrity API from the Google Play Services running on that SAME phone. And that PI API inspects again the SAME (own) phone

Only if you would spoof the complete Google Play Services (GMS) to make it to 'ping' the other phone, to execute there the Hardware type CTS Profile attestation, to returm the result, that your spoofed GMS would send then to Google server (as its own CTS Profile Attestation), for the final verdict

Not sure if that would be possible without the modifications on that other phone (sitting 'at your home'.
But in that case, those modifications on that other phone would also require the unlocked Bootloader (to flash the modifications), hence that phone would no more run its stock firmware with the locked Bootloader, meaning that it would also not be able to pass the Strong Integrity (Hardware type CTS Profile attestation, ie, on the Trusted Execution Environment=TEE). Hence you're back on the square one
The unmodded phone will be on Android Pie which has the lax Android Pay requirements. Android enthusiast have several phones laying around and can find a use for them.
 

zgfg

Senior Member
Oct 10, 2016
8,199
5,831
Xiaomi Mi 11
Xiaomi Mi 11 Lite 5G
The unmodded phone will be on Android Pie which has the lax Android Pay requirements. Android enthusiast have several phones laying around and can find a use for them.
Fine. I have described the technical issues. Please be free to comment how would you solve/implement the details in question

Btw, that were only my comments (from the perspective how Google Play Services uses Play Integraty API for the attestation - in various threads here there were links to the official Google specification and comments from the users/'enthusiasts' from XDA)

Actually, I'm not interested specifically into the Wallet, and definitely, I can not participate in possible development, hence probably I will also not comment further here about.
There was another thread here on XDA about the game of mice and cat, with the similar ideas, wishes, and so
 
  • Like
Reactions: borisSweden

Zilla0617

Senior Member
So going through the thread I'm having an issue with Google Wallet that i haven't seen discussed. For some odd reason, Google Wallet is disabled but GPay (old version) works fine. When i go to open Wallet from the playstore it looks like its going to open but then quickly opens GPay instead. On my app homescreen its list GPay, Wallet is not listed, but when go to settings to see all my apps it lists Google Wallet not GPay. The quick setting for Wallet is disabled as well as the options to show wallet on my lockscreen. My device is rooted Pixel 6 Pro on stock October rom on stable Magisk 25.2 and Im located in the US. Magisk 25.2 is hidden and I named it settings.

Prior to this occurring about a week ago or so, Wallet worked in fine. In fact I had no apps hidden just the Universal safetynet 2.3.2 module installed. Cards are stored and I can add more if I wanted. Now with the same setup. Wallet is disabled, but GPay works fine. No other apps complains that of my device is rooted. Integrity check passes for the 1st 2 options

Steps I tried to alleviate the issue:
Deleted and reinstalled Wallet only for it revert to GPay when opened
Wiped data and cache for Wallet
Wiped data and cache for Google plays services, framework, and Google play store
Hid Wallet
Hid Google playstore
Installed Safetynet fix-MOD 2.3.1
Rebooted numerous times

Google store shows my device is certified. Something is preventing my device from using Wallet and is downgrading me to GPay. I rather not factory reset my phone. Something else I noticed when wiping data and cache for play services and framework the new app icon design for messages appeared, totaling 2 (contacts and messages) with the new app icon design. My phone app icon still shows the old icon

Thanks in advance.
 

pp085ster

Senior Member
Sep 5, 2010
352
101
Santa Cruz
Google Pixel 7
So going through the thread I'm having an issue with Google Wallet that i haven't seen discussed. For some odd reason, Google Wallet is disabled but GPay (old version) works fine. When i go to open Wallet from the playstore it looks like its going to open but then quickly opens GPay instead. On my app homescreen its list GPay, Wallet is not listed, but when go to settings to see all my apps it lists Google Wallet not GPay. The quick setting for Wallet is disabled as well as the options to show wallet on my lockscreen. My device is rooted Pixel 6 Pro on stock October rom on stable Magisk 25.2 and Im located in the US. Magisk 25.2 is hidden and I named it settings.

Prior to this occurring about a week ago or so, Wallet worked in fine. In fact I had no apps hidden just the Universal safetynet 2.3.2 module installed. Cards are stored and I can add more if I wanted. Now with the same setup. Wallet is disabled, but GPay works fine. No other apps complains that of my device is rooted. Integrity check passes for the 1st 2 options

Steps I tried to alleviate the issue:
Deleted and reinstalled Wallet only for it revert to GPay when opened
Wiped data and cache for Wallet
Wiped data and cache for Google plays services, framework, and Google play store
Hid Wallet
Hid Google playstore
Installed Safetynet fix-MOD 2.3.1
Rebooted numerous times

Google store shows my device is certified. Something is preventing my device from using Wallet and is downgrading me to GPay. I rather not factory reset my phone. Something else I noticed when wiping data and cache for play services and framework the new app icon design for messages appeared, totaling 2 (contacts and messages) with the new app icon design. My phone app icon still shows the old icon

Thanks in advance.
Having a similar issue. Are you able to go into your Google settings page (Settings -> Google)? For me this does nothing. If I try to update the OS (Settings -> System -> System update), it also does nothing when I click on it. Basically a bunch of Google apps/services stop working for me. Can you confirm the same?

I reported my issue here too
 

Zilla0617

Senior Member
Having a similar issue. Are you able to go into your Google settings page (Settings -> Google)? For me this does nothing. If I try to update the OS (Settings -> System -> System update), it also does nothing when I click on it. Basically a bunch of Google apps/services stop working for me. Can you confirm the same?

I reported my issue here too
No I do not have that issue. Updating to the November patched fixed my issue with wallet not being present. The quick setting feature is still disabled as well as the option to have wallet on the lock screen. Specifically, with your issue, do you happen to have any modules that changes system's font?
 

73sydney

Senior Member
So going through the thread I'm having an issue with Google Wallet that i haven't seen discussed. For some odd reason, Google Wallet is disabled but GPay (old version) works fine. When i go to open Wallet from the playstore it looks like its going to open but then quickly opens GPay instead. On my app homescreen its list GPay, Wallet is not listed, but when go to settings to see all my apps it lists Google Wallet not GPay. The quick setting for Wallet is disabled as well as the options to show wallet on my lockscreen. My device is rooted Pixel 6 Pro on stock October rom on stable Magisk 25.2 and Im located in the US. Magisk 25.2 is hidden and I named it settings.

Prior to this occurring about a week ago or so, Wallet worked in fine. In fact I had no apps hidden just the Universal safetynet 2.3.2 module installed. Cards are stored and I can add more if I wanted. Now with the same setup. Wallet is disabled, but GPay works fine. No other apps complains that of my device is rooted. Integrity check passes for the 1st 2 options

Steps I tried to alleviate the issue:
Deleted and reinstalled Wallet only for it revert to GPay when opened
Wiped data and cache for Wallet
Wiped data and cache for Google plays services, framework, and Google play store
Hid Wallet
Hid Google playstore
Installed Safetynet fix-MOD 2.3.1
Rebooted numerous times

Google store shows my device is certified. Something is preventing my device from using Wallet and is downgrading me to GPay. I rather not factory reset my phone. Something else I noticed when wiping data and cache for play services and framework the new app icon design for messages appeared, totaling 2 (contacts and messages) with the new app icon design. My phone app icon still shows the old icon

Thanks in advance.

Having a similar issue. Are you able to go into your Google settings page (Settings -> Google)? For me this does nothing. If I try to update the OS (Settings -> System -> System update), it also does nothing when I click on it. Basically a bunch of Google apps/services stop working for me. Can you confirm the same?

I reported my issue here too

No I do not have that issue. Updating to the November patched fixed my issue with wallet not being present. The quick setting feature is still disabled as well as the option to have wallet on the lock screen. Specifically, with your issue, do you happen to have any modules that changes system's font?


Some weird stuff there folks, sadly i cant comment as i departed Pixel after the 2XL because of the hardware issues post 2XL (i may be going back, somewhat reluctantly as i have been offered a 6 Pro at a good deal

Can you confirm if youre using shamiko and if the Enforce Deny List option is OFF in Magisk Manager's settings if you are....

Just for the record youre using the original Safetynet fix-MOD 2.3.1 right? have you tried uninstalling and using his later mod (MOD 2)?


Generally the only time i have seen Wallet -> Pay reversion is after clearing data for play services, and it takes some time (locking you out from opening it) as it "upgrades" back to Wallet...anecdotally this was noted by many during the period where people were scrambling when just plain old SafetyNet suddenly failed and Integrity Check was suddenly a thing and as Displax discovered the workaround...

Why its not automatically migrating to Wallet is puzzling....

And good call on font modules, people dont realise but even benign as they sound, they can give up the presence of root...

p.s. Just for an aside, as ive mentioned in here and main Magisk thread before, i havent even had Wallet (Pay before it) hidden for over 6 months (though most of the gang do)...so its not that on your end, its likely a services issue, but why....

wallet.jpg
 

pp085ster

Senior Member
Sep 5, 2010
352
101
Santa Cruz
Google Pixel 7
No I do not have that issue. Updating to the November patched fixed my issue with wallet not being present. The quick setting feature is still disabled as well as the option to have wallet on the lock screen. Specifically, with your issue, do you happen to have any modules that changes system's font?
I do have a custom font installed via CFI, but my issue happens once I flash the USNF 2.3.1 MOD 2.0. If I disable that in magisk then I can go back into settings -> Google but I don't pass the verification checks. If I enable it however, I pass 2/3 verification checks but I can't go into Google settings. It's weird. Any help is appreciated.

I don't have Shamiko installed, but I do have the "enforce denylist" option ON. Attached the options I have selected on there.
 

Attachments

  • Screenshot_20221108-084834.png
    Screenshot_20221108-084834.png
    191.9 KB · Views: 49
  • Like
Reactions: 73sydney

Zilla0617

Senior Member
Some weird stuff there folks, sadly i cant comment as i departed Pixel after the 2XL because of the hardware issues post 2XL (i may be going back, somewhat reluctantly as i have been offered a 6 Pro at a good deal

Can you confirm if youre using shamiko and if the Enforce Deny List option is OFF in Magisk Manager's settings if you are....

Just for the record youre using the original Safetynet fix-MOD 2.3.1 right? have you tried uninstalling and using his later mod (MOD 2)?


Generally the only time i have seen Wallet -> Pay reversion is after clearing data for play services, and it takes some time (locking you out from opening it) as it "upgrades" back to Wallet...anecdotally this was noted by many during the period where people were scrambling when just plain old SafetyNet suddenly failed and Integrity Check was suddenly a thing and as Displax discovered the workaround...

Why its not automatically migrating to Wallet is puzzling....

And good call on font modules, people dont realise but even benign as they sound, they can give up the presence of root...

p.s. Just for an aside, as ive mentioned in here and main Magisk thread before, i havent even had Wallet (Pay before it) hidden for over 6 months (though most of the gang do)...so its not that on your end, its likely a services issue, but why....

View attachment 5755703
I'm not using shamiko but I do not have Enforce Deny List off, should i? I am using Mod 2.0 of universal safetynet fix. When I updated to Nov Patch wallet came back (quick setting and lock screen still disabled) Unfortunately, my device was no longer certified in the play store so I deleted data and cache of play store and Google play services and it reverted back to the old GPay.

I hope you're right and wallet comes back after some time. I did this wipe before only to have GPay stick after Google play services settled. I read your advice back when you first mentioned it and have nothing hidden as well, I even deleted your GPay fix module and my transactions were working fine.

I'm currently using a module that changes font, but have no issues accessing Google menu, newer versions of it had the same issue of the inability to access Google menu within settings.
 
  • Like
Reactions: 73sydney

Zilla0617

Senior Member
I do have a custom font installed via CFI, but my issue happens once I flash the USNF 2.3.1 MOD 2.0. If I disable that in magisk then I can go back into settings -> Google but I don't pass the verification checks. If I enable it however, I pass 2/3 verification checks but I can't go into Google settings. It's weird. Any help is appreciated.

I don't have Shamiko installed, but I do have the "enforce denylist" option ON. Attached the options I have selected on there.
I couldn't tell based on your response, but have you tried removing the font module and seeing if the issue occurs?
 
  • Like
Reactions: pp085ster

pndwal

Senior Member
  • Like
Reactions: pp085ster and m0han

cadukmandi1337

New member
Sep 25, 2021
1
0
18
This module helps pass Libc and Syscall File Detection (in Ruru app) with Riru on Magisk Delta. Other detections remain, though. https://github.com/stylemessiah/AppDataIsolation/releases

Google Pay works.
doesn't work sir, installation failed, your system API of 29 is less than the minimum api of 30? what, any solution? Magisk 25.2, rog phone 2 stock rom android 10, coz i got detected on ruru, Libc and Syscall file detection, the HMA is detected, i already use HMA beta 3.0.5, plz helb
 

73sydney

Senior Member
doesn't work sir, installation failed, your system API of 29 is less than the minimum api of 30? what, any solution? Magisk 25.2, rog phone 2 stock rom android 10, coz i got detected on ruru, Libc and Syscall file detection, the HMA is detected, i already use HMA beta 3.0.5, plz helb

It does say Android 11+ API 30+ on the github page

The module cant modify a file that doesnt exist :)

Sorry but theres no equivalent function for Android -11

I am working on a Hide My Applist guide (with pictures) at the moment, that may help. Once i have that up, ill tag you and you can follow and see if you have it setup correctly and then also let us know what youre being detected on under those categories

For the majority of people Magisk 25.2 with Universal SafetyNet Fix (Mod/Mod2) by Displax, and Shamiko (Deny List NOT Force enabled) is enough to pass Integrity test (along with clearing data for Play Store and Play Services)
 

73sydney

Senior Member
doesn't work sir, installation failed, your system API of 29 is less than the minimum api of 30? what, any solution? Magisk 25.2, rog phone 2 stock rom android 10, coz i got detected on ruru, Libc and Syscall file detection, the HMA is detected, i already use HMA beta 3.0.5, plz helb

As promised, linking you to the newly completed HMA guide:

 

V0latyle

Forum Moderator
Staff member
For the majority of people Magisk 25.2 with Universal SafetyNet Fix (Mod/Mod2) by Displax, and Shamiko (Deny List NOT Force enabled) is enough to pass Integrity test (along with clearing data for Play Store and Play Services)
Shamiko isn't even required in most cases I believe. Play Integrity does not detect Zygisk and in fact has no way to do so.
 
Last edited:

V0latyle

Forum Moderator
Staff member
Sorry, i guess i quote it mostly as a solid base for everything after...
I could be wrong, but for most people, the "solid base" of Magisk modules (assuming stock ROM with root) is just USNF Displax mod. If other modules or modifications are installed then more elaborate hiding measures might be necessary but in general the modded USNF alone is sufficient to pass basic and device integrity.
 

Top Liked Posts

  • 1
    Not to 'toot my own horn' - I might be one of the lucky few that doesn't have any issues with GPay while running 2.4.0 on the OnePlus 8 OOS 11 while passing Basic and Device Integrity.
    OnePlus 8?... Doesn't Momo show 'Tee broken'?... (It's actually not, but Devs mean keymaster implementation is broken)...

    If so (IIRC), you don't even need main USNF functions!; neither fake keystore registration to trip fallback to Basic attestation nor prop changes to bypass hardware attestation based verdict enforcement as your broken keymaster already trips fallback to basic and Google don't enforce hardware attestation based verdict enforcement using your devices expected prop values as they know which OnePlus devices (and others) are broken...

    It seems that the recent failure relates to USNF's key fake keystore registration function/timing...

    You most likely only need root hiding for gms attestation (droidguard) process (com.google.android.gms.unstable) and resetting of some sensitive props to pass S/N or PI deviceIntegrity... USNF also performs these functions since we no longer have MagiskHide doing this...

    👀 PW
    1
    For me, too. Couple of days ago, Wallet complained that my device didn`t match security standards. Then, downgraded to USNF-MOD-2.1, rebooted, and Wallet is back to work! Xperia XZ2 running LineageOS 20.0. Magisk Delta Canary. Zygisk, Magiskhide and SuList are enabled.
    You will also need to make sure wipe out Google service cache just in case if any funky residue may back to you some time later..
  • 3
    No, it does not set by itself. I had problems enabling its driver, one thread on XDA was strongly suggesting to set SELinux to permissive. I did and it worked, so... 🤷‍♂️. However, now when I reverted it back to enforcing, Viper still works 😊
    I did not search for STRONG_INTEGRITY, my bad
    Good that V4A V2.7 works for you with Enforcing mode (as it should)

    Btw, there are two newer versions:

    1) Repackaged V4A - finding and patching audio drivers when they are scattered to other system folders (needed for some devices):

    2) (1) + Reverse engineered V4A alpha v0.2.0 support for 64-bit audio drivers (needed on some new devices that could not fall-back to 32-bit audio drivers):

    Both also don't require SE Linux Permissive. Might need AML v4.2 (recently updated):

    PS:
    And don't forget to enable Legacy mode (and of course, Master limiter)
    2
    Anything else I've missed?
    you missed play integrity check result. the other thing is that you have too many apps on deny list imo, this might result with the opposite result than expected, also you don't need magisk hide props when you use usnf mod by displax, and the last but not least - would be good to switch to ENFORCING SE LINUX if possible, i never tried to setup Gwallet on permissive tbh.

    cheers
    2
    OK.
    • Removed MHPC from magisk modules
    • Removed everything from denylist except Google Wallet
    • Set SELinux to enforcing - I set it to permissive earlier because of Viper4AndroidFX
    • Reboot
    Still PI checker shows red cross for MEETS_STRONG_INTEGRITY
    that's normal and gwallet should work
    2
    OK.
    • Removed MHPC from magisk modules
    • Removed everything from denylist except Google Wallet
    • Set SELinux to enforcing - I set it to permissive earlier because of Viper4AndroidFX
    • Reboot
    Still PI checker shows red cross for MEETS_STRONG_INTEGRITY
    Perfect!...

    I didn't say you need strongIntegrity... When Google/banks start enforcing that it'll be a sad day for modders... Also, customers using any device w/ A7 or less + many modern OnePlus etc w/ broken keymaster will be collateral damage... deviceIntegrity is what you need ATM as stated... PW
    2
    • Set SELinux to enforcing - I set it to permissive earlier because of Viper4AndroidFX
    If using V4A FX 2.7.2.1, it doesn't set SE Linux to Permissive and you should not need to force Permissive manually

    And no need for Strong Integrity was already answered by others (and for the mater of fact, the same was commented numerous times in this thread already)
  • 61
    The new Google Play services update caused this.

    Temporary workaround:

    1. Disable Google Pay/Find My Device as Device Administrators in Settings > Security & location > Device Administrators.

    2. Search "Google Play services" in the Settings search bar.

    3. Press the three dots and press "Uninstall previous updates".

    4. Download this update - https://www.apkmirror.com/apk/google-inc/google-play-services/google-play-services-14-7-99-release/
    Pick your needed edition (arm or arm64, etc.), download it and install it.

    5. Disable Background data access for Google Play Services and Google Play in their respective App Info pages.

    6. Download Google Pay from the Play Store.

    7. Set up your cards. Enjoy!

    Never EVER update Google Play services manually, until a Magisk update is available that bypasses the upgraded SafetyNet. Note that Google Play services is responsible for adding/verifying the card, not the Google Pay app! Hence why there seems to be an overlay when adding a card/verifying an existing one.

    Tested Google Pay versions:

    2.79.x-2.83.235070858 - working

    Tested Google Play services versions:

    14.7.99, 16.0.86 - working with Magisk 18.1

    14.8.49-16.x- working with Magisk 18.2 Canary
    32
    This thread is inspired by the PoGo Magisk discussion thread. It's meant to keep the clutter of "Google Pay doesn't work" posts out of the main Magisk threads.

    Please use this to discuss issues with Google Pay and possible solutions.


    There's a working solution here:
    https://forum.xda-developers.com/t/magisk-module-universal-safetynet-fix-2-3-1.4217823/post-87198517


    For general tips on first getting SafetyNet to pass fully, check here:
    https://www.didgeridoohan.com/magisk/MagiskHide#hn_SafetyNet
    29
    Ok. I tried this and it worked on gms 17.1.22, allowing one to add cards and pay in store. Warning YMMV, but this is the process I did to get this working. One caveat is that Google pay does not register the "recent transactions" on the Google pay app. Another caveat is that I suspect users will have to reverse some step if gms is updated and then reapply, but this still needs to be confirmed

    Without further ado, here is my process:

    1) download a SQL database editor. I used

    https://play.google.com/store/apps/details?id=com.tomminosoftware.sqliteeditor&hl=en_US

    2) download a terminal emulator program. I used terminus but any terminal emulator should work.

    3) make sure Google pay is forced close, if it is open.

    4) open SQL editor. Navigate to /data/data/com.google.android.gms/databases

    5) open dg.db

    6) change any value that lists "attest" in the name (first column) to 0 in the third column. Mine was showing a value of 10 in the third column for each of these values. (Column c for sqlite databse editor I used)

    7) open the terminal emulator.

    8) get root access (su)

    9) cd /data/data/com.google.android.gms/databases

    10) type: chmod 440 dg.db
    This makes dg.db read only (for owner and group, and no access for world.)

    11) reboot

    I suspect when gms is updated, one will have to go back to steps 10 and 11 and chmod 660 dg.db to allow new keys to be written to the database, and then go back and redo all these steps to reset the attestation values back to 0.

    If there is still an error, verify in sqlite database editor that all attest release keys values in dg.db are 0 when dg.db is read only (owner and group).

    Again, YMMV but this worked for me, so I give it back to the community now.

    Edit: recent activities did show up soon afterwards for the payment method.

    Cheers,
    B.D.
    27
    The app is finally public! (thanks Google for taking a week to approve this 🤦)
    I made it beta testing since I haven't tested it on much devices. If you find any problem, please open an issue here and I'll take a look at them once I return from vacation.


    Source code:

    If you are curious, the possible outcomes I've seen are:
    • 3 ticks (unrooted samsung)
    • tick/tick/x (unrooted redmi note 4 with unlocked bootloader)
    • x/tick/x (my rooted a11 op7t)
    23
    UPDATE 1/8/2022
    This app is officially discontinued in favor of a new app I published on Play Store. Read more here:

    ====================
    ORIGINAL MESSAGE:

    I just made this simple app which tells you if your device passes the new Play Integrity API (which is presumably what Google Pay and Play Store use to detect root now). If you don't trust random apks from the internet feel free not to use this. I'll upload the source code at a later time since it's very junk now (probably on github).
    You can use it to play around and see if you manage to get it to pass without having to mess with Google Pay. There are screenshots of the 2 possible outputs (pass screenshot is from an online emulator).
    Also I didn't test it much since I don't have many devices that can pass. Hope it works fine 🤞

    Hope this helps someone find a solution :)

    EDIT:
    Here is a quote from Google of what exactly "Does not meet device integrity" mean:
    The app is running on a device that has signs of attack (such as API hooking) or system compromise (such as being rooted), or the app is not running on a physical device (such as an emulator that does not pass Google Play integrity checks).
    ...
    If you are having problems with your testing device meeting device integrity, make sure the factory ROM is installed (for example, by resetting the device) and that the bootloader is locked.