[Discussion] Google Pay Magisk Discussion Thread
- Thread starter Didgeridoohan
- Start date
-
- Tags
- google pay hide magisk magiskhide
@DineshValor does Privacy Space support android 10 with Lsposed? Also can share the link to download the module? I'm finding a old one which mentioned support for Android 9
It's supported upto android 13 and currently I'm using LSposed with android 12.
Here is the link:
GitHub - LSPosed/LSPosed: LSPosed Framework
LSPosed Framework. Contribute to LSPosed/LSPosed development by creating an account on GitHub.
github.com
Release 1.3.7 · Xposed-Modules-Repo/cn.geektang.privacyspace
1、修复在Android9上不生效的问题; 2、适配Pixel、一加手机的设置页面; 3、修复了一些已知bug。
github.com
following this guide, landed me into bootloop. Is there a brief guide - blog or video?
Sorry about that issue, but right now I'm busy in some other stuff, i will make sure to create a brief video as a demo, plz grant me some time.
Sure, take your time.. Can you cover Paytm Tap to pay setup in your guide.. That would be very helpful.
Hi everyone
I've had to factory reset my phone (Xiaomi Mi 9T) recently, and since then I am unable to verify my payment cards for contactless payment on Google Wallet, on any rom that I tried (even the ones that pass SafetyNet by default).
The weird thing is that I don't get any error messages or security warning, but the verification process simply goes in an infinite loop:
1) I add a card
2) The Wallet app says it needs to verify the card with the bank, it asks me how I want to verify
3) I chose "use the bank's app"
4) The bank's app opens, I verify the card, it says everything is good and the card can now be used for contactless payments
5) I go back to Wallet and... it asks me how do I want to verify the card again! (in other words: I'm back at step 2)
Has anyone here experienced something like this? I've been tinkering for hours now, switching roms, installing magisk and various combinations of modules, but to no avail. Any suggestions?
I've had to factory reset my phone (Xiaomi Mi 9T) recently, and since then I am unable to verify my payment cards for contactless payment on Google Wallet, on any rom that I tried (even the ones that pass SafetyNet by default).
The weird thing is that I don't get any error messages or security warning, but the verification process simply goes in an infinite loop:
1) I add a card
2) The Wallet app says it needs to verify the card with the bank, it asks me how I want to verify
3) I chose "use the bank's app"
4) The bank's app opens, I verify the card, it says everything is good and the card can now be used for contactless payments
5) I go back to Wallet and... it asks me how do I want to verify the card again! (in other words: I'm back at step 2)
Has anyone here experienced something like this? I've been tinkering for hours now, switching roms, installing magisk and various combinations of modules, but to no avail. Any suggestions?
Can't say I've had exactly that behaviour... My bank app doesn't get opened to verify...
However SafetyNet API is of course now deprecated, so are your ROMs up to date and passing new Play Integrity API's deviceIntegrity verdict?
Nb. If using Magisk, late official Universal SafetyNet Fix module is broken... You need @Displax's fork... PW
Thanks for the info, is there an app I can use to check the status of Play Integrity?
Of course. It has been described in this thread
Search for Play Integrity on the Play Store and you will find the PI API Checker
Or, Google Play Store app itself (Developer options) can be used
Thanks a lot for your help.
Indeed, the strong Integrity check is failing, only the basic and device ones are passing. I'll try to install magisk and the modded module and see if it helps. Should I use original magisk? I've seen the Delta version recommend elsewhere
Strong Integrity is not relevant and you will never be able to pass with the Bootloader unlockedThanks a lot for your help.
Indeed, the strong Integrity check is failing, only the basic and device ones are passing. I'll try to install magisk and the modded module and see if it helps. Should I use original magisk? I've seen the Delta version recommend elsewhere
Again, before posting/,asking, please read and be familiar with the common facts
Sorry, I've been reading about this stuff all day but a lot of the information out there is at times contradictory and I have yet to find a single case similar to mine (i.e: where no error occurs but the Wallet app simply refuses to advance to the next step of the verification wizard).
This is what I find strange, all apps (integrity checkers, my bank's app, etc.) report everything is ok but for some reason I just cannot complete the verification process
Can P7P users with GPay working please chime in with the following:
OTA version:
Magisk version:
Universal SafetyNet Fix version:
+any other relevant info
Thank you in advance!
OTA version:
Magisk version:
Universal SafetyNet Fix version:
+any other relevant info
Thank you in advance!
PWgpay / wallet working here on xiaomi mi9 / crDroid 9 with: magisk 26.1, safetynet 2.4.mod.1.1, shamiko 0.7.x
With the deny list enforcement disabled in Magisk manager, e.g. Revolut does not work. Therefore, when you are adding payment cards to Google Wallet, the "Enforce Denylist" option in Magisk manager must be disabled, and after adding your cards to the wallet, you can re-enable it for the Revolut application to work. A very simple trick ;-)
Denylist is not proper root hiding; it's a little of MagiskHide code repurposed for the purpose of reverting/preventing Magisk modifications in listed processes... This is no longer a function for the general modder, but for the Android developer, security researcher etc...
Anyway, there's no issue using denylist (or enforced) for hiding root from GPay/Wallet... I don't know why any think this...
It isn't enough to hide root from apps that do more than superficial checks for root, eg looking for Zygisk injection or memory leaks etc... For this we need proper root-hiding modules like Shamiko... These might use the denylist (hijack it) for convenience, but it is NO LONGER used as denylist... It no longer prevents Magisk modifications (Zygisk injection into an app's zygote for instance) so doesn't interfere with hiding modules ... Denylist is now actually a hide list (as long as DenyList is disabled, ie. not enforced) per old MagiskHide but much improved in the case of Shamiko...
So for those wanting proper root hiding, Denylist must necessarily be disabled and a suitable hiding module utilised... This mode works well for GPay/Wallet and much better to bypass detections in other bank apps etc.
Nb. Shamiko has already been updated to hide new Native Bridge Zygisk loading implementation currently being tested for Magisk 27.0 by making /proc/maps string memory anonymous... This coming change is not being detected by banks at present as far as I've tested, but it appears that Shamiko is already configured in anticipation of this event...
PW
Last edited:
Unfortunately Revolut Bank app says that it won't work on rooted phones when Enforce Denylist option is disabled. I must confess that I'm still using Magisk 25.2 with application name changed. Because some dumb apps find rooted phone based on an installed app called "Magisk". Also, is Magisk 26.1 fundamentally better than version 25.2?
Similar threads
Top Liked Posts
-
There are no posts matching your filters.
-
4
I believe GPay/Wallet would usually fail after some time unless you still pass Play Integrity deviceIntegrity verdict because ROM integrates SNF or it's own spoofs for this...
It's not surprising bank apps fail without denylist (they actively search for root) / Shamiko (proper hiding for traces of Zygisk etc)...
Having Play Services, specifically the droid guard/attestation process com.google.android.gms.unstable in active denylist breaks Zygisk based USNF builds (note, it will remove these from denylist on next boot for this reason) because DenyList reverts/prevents Magisk modifications in listed processes unlike old MagishHide. (It's really now a development tool, not a hiding tool.) In this case USNF injects code in gms to register a fake keystore to cause the fallback to basic attestation that's it's key function, so we can't hide root front gms using Denylist... Shamiko on the other hand is a proper hiding module and simply uses denylist (for convenience) as a hidelist, so it doesn't break USNF in this case...
Zy-USNF builds hide root from gsm processes itself, so they shouldn't be added in denylist anyway... This should be done to pass device integrity verdicts if you use pre-Android 8, devices with broken keymaster implementations or revoked keys, or when ROM integrates it's own SNF/spoofing, and USNF is not used/needed but never with Zy-USNF.
GPay/Wallet needs passing PI deviceIntegrity and you need to check this is passing with a Play Integrity checker app... You'll see this fail as soon as denylist is enforced...
Bank apps on the other hand often employ their own checks for traces of root and some don't check deviceIntegrity. Some only check deviceIntegrity and some do both...
Hope it helps your understanding of this.
PW3Just adding my experience to this thread, FWIW. On a OnePlus 9 Pro, rooted, Android 13 stock, and using the official Magisk 26.1. All I have installed is Shamiko 0.7 -- no Universal Safety Net Fix, no MagiskHide Props Config. In Magisk settings, Zygisk is enabled (as is required by Shamiko), but not Enforce Deny List. My Configure DenyList includes Google Wallet and Google Play Store, but not Google Play Services. With that configuration, Google Wallet has been working consistently. I can't speak to the various banking apps -- but I use Chase with this configuration (but the setup to get it working is not straight-forward, involving using an older apk version initially, and functionality for secure messages doesn't always work).
I did have a problem with opening Wallet after a reboot and getting a pop up warning that your device does not meet security requirements, but I could simply dismiss that and Wallet would still work (and "tap to pay setup" would show "Your phone meets security requirements" still). I think that may have been Magisk taking some time to load. I've gone into Battery settings for Magisk and enabled it both to run in the background and to autolaunch and that issue hasn't (yet) re-occurred.
Interestingly, with this configuration, using YASNAC (Yet Another SafetyNet Attestation Checker), my device would fail both Basic Integrity and CTS Profile Match, even with Google Wallet working. Once I added Universal Safety Net Fix 2.4, YASNAC would pass my device. So far, no ill effects from having both Shamiko and USNF installed and running. But Shamiko alone was sufficient for Google Wallet purposes.
YMMV.
P.S. I should add that once you have the Magisk/Module set up you want, you should clear cache (and, I believe but am not certain it's needed, data) for Google Play Store and Google Play Services and and Google Wallet and reboot.3Thanks to pndwal's suggestions, I confirm what rogerinnyc wrote above. On my S10e I'm using Ambassadii ROM 5.6 and Magisk 26.1 the Zygisk option is enabled. I set denials for GPay/Wallet, Google Play Services, banking applications and the Allegro application (a popular shopping platform in Poland, something like eBay). Also, I have the safetynet-fix-v2.4.0-MOD_1.2 module installed in Magisk. Without the Shamiko module installed in Magisk and without Enforce Deny List enabled, a strange thing happens. Namely, the GPay/Wallet application worked, but the banking applications detected the root. When Enforce Deny List was enabled, banking applications did not detect the root, but GPay/Wallet stopped working and showed that the device does not comply with security rules. Only the installation of the Shamiko module with the DISABLED Enforce Deny List in Magisk solved the problem. Both GPay/Wallet works and other banking apps don't see root. I did not tested removal of safetynet-fix-v2.4.0-MOD_1.2 module and leaving Shamiko module alone anymore. But my current combination of modules works for me. Thank you, Dear Friends, once more for your hints.3
It happens exactly as you said. So denylist enforcement in Magisk should be disabled. Shamiko module properly hides the root for all the rest bankig/shopping apps
2
I didn't know there were two different variants. I got it from kdrag0n's github. is there a new better one?
(I'll take a look in the meantime)
edit: it worked, omg thank you so much.
here's the thread with the other, working version of USNF, for convenience for anyone bumping into this post:
[MODULE] [MOD] Universal SafetyNet Fix
Universal SafetyNet Fix [MOD] Magisk module...
forum.xda-developers.com
-
62The new Google Play services update caused this.
Temporary workaround:
1. Disable Google Pay/Find My Device as Device Administrators in Settings > Security & location > Device Administrators.
2. Search "Google Play services" in the Settings search bar.
3. Press the three dots and press "Uninstall previous updates".
4. Download this update - https://www.apkmirror.com/apk/google-inc/google-play-services/google-play-services-14-7-99-release/
Pick your needed edition (arm or arm64, etc.), download it and install it.
5. Disable Background data access for Google Play Services and Google Play in their respective App Info pages.
6. Download Google Pay from the Play Store.
7. Set up your cards. Enjoy!
Never EVER update Google Play services manually, until a Magisk update is available that bypasses the upgraded SafetyNet. Note that Google Play services is responsible for adding/verifying the card, not the Google Pay app! Hence why there seems to be an overlay when adding a card/verifying an existing one.
Tested Google Pay versions:
2.79.x-2.83.235070858 - working
Tested Google Play services versions:
14.7.99, 16.0.86 - working with Magisk 18.1
14.8.49-16.x- working with Magisk 18.2 Canary32This thread is inspired by the PoGo Magisk discussion thread. It's meant to keep the clutter of "Google Pay doesn't work" posts out of the main Magisk threads.
Please use this to discuss issues with Google Pay and possible solutions.
There's a working solution here:
https://forum.xda-developers.com/t/magisk-module-universal-safetynet-fix-2-3-1.4217823/post-87198517
For general tips on first getting SafetyNet to pass fully, check here:
https://www.didgeridoohan.com/magisk/MagiskHide#hn_SafetyNet29Ok. I tried this and it worked on gms 17.1.22, allowing one to add cards and pay in store. Warning YMMV, but this is the process I did to get this working. One caveat is that Google pay does not register the "recent transactions" on the Google pay app. Another caveat is that I suspect users will have to reverse some step if gms is updated and then reapply, but this still needs to be confirmed
Without further ado, here is my process:
1) download a SQL database editor. I used
https://play.google.com/store/apps/details?id=com.tomminosoftware.sqliteeditor&hl=en_US
2) download a terminal emulator program. I used terminus but any terminal emulator should work.
3) make sure Google pay is forced close, if it is open.
4) open SQL editor. Navigate to /data/data/com.google.android.gms/databases
5) open dg.db
6) change any value that lists "attest" in the name (first column) to 0 in the third column. Mine was showing a value of 10 in the third column for each of these values. (Column c for sqlite databse editor I used)
7) open the terminal emulator.
8) get root access (su)
9) cd /data/data/com.google.android.gms/databases
10) type: chmod 440 dg.db
This makes dg.db read only (for owner and group, and no access for world.)
11) reboot
I suspect when gms is updated, one will have to go back to steps 10 and 11 and chmod 660 dg.db to allow new keys to be written to the database, and then go back and redo all these steps to reset the attestation values back to 0.
If there is still an error, verify in sqlite database editor that all attest release keys values in dg.db are 0 when dg.db is read only (owner and group).
Again, YMMV but this worked for me, so I give it back to the community now.
Edit: recent activities did show up soon afterwards for the payment method.
Cheers,
B.D.28The app is finally public! (thanks Google for taking a week to approve this
)
I made it beta testing since I haven't tested it on much devices. If you find any problem, please open an issue here and I'll take a look at them once I return from vacation.
Play Integrity API Checker - Apps on Google Play
Get info about your Device Integrity through...play.google.com
Source code:
GitHub - 1nikolas/play-integrity-checker-app: Get info about your Device Integrity through the Play Intergrity API
Get info about your Device Integrity through...
github.com
GitHub - 1nikolas/play-integrity-checker-server: Node-js server for the Play Inegrity API Checker app
Node-js server for the Play Inegrity API...
github.com
If you are curious, the possible outcomes I've seen are:
- 3 ticks (unrooted samsung)
- tick/tick/x (unrooted redmi note 4 with unlocked bootloader)
- x/tick/x (my rooted a11 op7t)
23UPDATE 1/8/2022
This app is officially discontinued in favor of a new app I published on Play Store. Read more here:
[Discussion] Google Pay Magisk Discussion Thread
This thread is inspired by the PoGo Magisk...
forum.xda-developers.com
====================
ORIGINAL MESSAGE:
I just made this simple app which tells you if your device passes the new Play Integrity API (which is presumably what Google Pay and Play Store use to detect root now). If you don't trust random apks from the internet feel free not to use this. I'll upload the source code at a later time since it's very junk now (probably on github).
You can use it to play around and see if you manage to get it to pass without having to mess with Google Pay. There are screenshots of the 2 possible outputs (pass screenshot is from an online emulator).
Also I didn't test it much since I don't have many devices that can pass. Hope it works fine
Hope this helps someone find a solution
EDIT:
Here is a quote from Google of what exactly "Does not meet device integrity" mean:
