[Discussion] Magisk - The Age of Zygisk.

[pndwal]

Nice thanks
I have Xiaomi Redmi 9 (Android 10)
Magisk delta 25.1 (magisk hide enabled)
Zygisk disable, USFN riru, CTS profile match (pass)
App added to deny list
Seems I'm doing something wrong. .. I'll check with zygisk enabled and shamiko
Thanks

Should clear app data before each test in case caches previous detection result... PW

 

[Ace_Cole]

Should clear app data before each test in case caches previous detection result... PW

Now it works.
Updated to latest 2.14.7 from 2.14.5
App added to deny list.
Thanks

 

[J.Michael]

Nice thanks
I have Xiaomi Redmi 9 (Android 10)
Magisk delta 25.1 (magisk hide enabled)
Zygisk disable, USFN riru, CTS profile match (pass)
App added to deny list
Seems I'm doing something wrong. .. I'll check with zygisk enabled and shamiko
Thanks

Should clear app data before each test in case caches previous detection result... PW

Why no mention: @Ace_Cole using Magisk delta; @pndwal not?

 

[Ace_Cole]

Why no mention: @Ace_Cole using Magisk delta; @pndwal not?

I mentioned earlier having Magisk delta.. so nice

 

[itt533]

If YASNAC gives CTS profile match pass you should get Play Protect Device is certified if you clear Google Play Store and (sometimes) Google Play Services data... PW

no, it does not. It says "Fail". Should Google play services and google play be in denylist?

 

[zgfg]

no, it does not. It says "Fail". Should Google play services and google play be in denylist?

That must be covered by Universal SafetyNet Fix (USNF) module

What is exactly your Magisk version - please screenshot the Magisk app main window

Zygisk is enabled, DenyList not enforced - please screenshot

What version of USNF you run - please screenshot from Magisk Modules tab

Do you run a custom/not'certified ROM - in that case you might need to spoof fingerprints, but let's first clarify ay above

 

[m0han]

Tried an app that does various checks: https://play.google.com/store/apps/details?id=krypton.tbsafetychecker

 

[zgfg]

Tried an app that does various checks: https://play.google.com/store/apps/details?id=krypton.tbsafetychecker

All and everything green on my side (with TJW Canary)

But very BASIC question - do you properly hide all those detected LSPosed modules from TB Checker by use of Hide My Apps

(Also, did you checkmark DenyList or Magisk hide, whichever you use, for that TB Checke)

Whenever you install a new checker or a 'banking' app, always do those two things (and reboot) before running that app. In most cases that should be ok (but if you don't do, then you can expect troubles)

 

[dohanin]

Tried an app that does various checks: https://play.google.com/store/apps/details?id=krypton.tbsafetychecker

Interesting. I just tried this app which can detect Magisk Random Package Name.

Tried with Magisk app disabled -> not detected; with Magisk app enabled -> random package name shown.

This aligns with some banking apps which detects root only when Magisk is not disabled. Maybe they have similar logic behind.

 

[zgfg]

Interesting. I just tried this app which can detect Magisk Random Package Name.

Tried with Magisk app disabled -> not detected; with Magisk app enabled -> random package name shown.

This aligns with some banking apps which detects root only when Magisk is not disabled. Maybe they have similar logic behind.

I don't hide Magisk app and I don't disable it. I use Hide My Apps to hide Magisk app from eg this TB Checker (and all banking apps and similar)

And it passes

As posted above, Hide My apps also successfully hides my four installed LSPosed modules (incl. the HMA itself) from TB Checker - and everything is green

 

[dohanin]

I don't hide Magisk app and I don't disable it. I use Hide My Apps to hide Magisk app from eg this TB Checker (and all banking apps and similar)

And it passes

As posted above, Hide My apps also successfully hides my four installed LSPosed modules (incl. the HMA itself) from TB Checker - and everything is green

Yep, understood. HMA is a good method to hide Magisk app. I don't use it because I don't need the other LSPosed modules, so I simply disable the app when not in use.

 

[m0han]

All and everything green on my side (with TJW Canary)...

... Tried with Magisk app disabled -> not detected; with Magisk app enabled -> random package name shown...

All green now on Magisk Delta Canary c403c77 (25101). Magisk app not disabled » random package name not shown. (I'd forgotten to hide Magisk app from TB Checker.)

 

[pndwal]

no, it does not. It says "Fail". Should Google play services and google play be in denylist?

No!

You should never need Google Play, and won't need Play Services unless you are using Magisk with MagiskHide, ie. <23.0 if official (whence MagiskHide toggle will add one or two processes in Google Play Services automatically), or trying to pass S/N with Magisk 24.0+ using Universal SafetyNet Fix module 2.1.1 or earlier (possible on some devices) or w/o USNF (eg if running Android 7 or earlier; Nb. Latest USNF can be used w/ Android 7 however).

... But to put things simply, you should pass SafetyNet with nothing more than Zygisk Yes (Magisk App, Home screen), and Latest Universal SafetyNet Fix module active on a certified stock ROM as long as no modules (or possibly other mods) are breaking Safety net. (No need to put anything in denylist.)

If you are on an uncertified ROM (eg China region stock, some beta or preview builds or custom ROMs that don't manipulate props to bypass proper SafetyNet attestation), you will likely need to set the security patch prop date to match, and possibly set, a Google certified device fingerprint prop to spoof a certified ROM / device...

For this, the simplest method is to install and configure MagiskHide Props Config module using a terminal emulator to replace the current fingerprint prop with a known working one from the MHPC fingerprint list, which will also adjust the security patch prop date... Choose one matching your device as closely as possible if required...

PW

 

[itt533]

That must be covered by Universal SafetyNet Fix (USNF) module

What is exactly your Magisk version - please screenshot the Magisk app main window

Zygisk is enabled, DenyList not enforced - please screenshot

What version of USNF you run - please screenshot from Magisk Modules tab

Do you run a custom/not'certified ROM - in that case you might need to spoof fingerprints, but let's first clarify ay above

magisk v. 25.1 (25100)
zygisk : yes (enabled in settings)
enforce denylist disabled
USNF v.2.3.1 by kdragOn
denylist Unmount v.0.4 by mywalkb
Rom: LOS 18.1 official (LG V20 h990) with swan kernel

 

[zgfg]

magisk v. 25.1 (25100)
zygisk : yes (enabled in settings)
enforce denylist disabled
USNF v.2.3.1 by kdragOn
denylist Unmount v.0.4 by mywalkb
Rom: LOS 18.1 official (LG V20 h990) with swan kernel

See the detailed answer #1993 from pndwal

 

[etmatrix]

So the one you mentioned detect zygisk Can you tell the name of that app?

Sorry for the delay, be.keytradebank.phone bypass denylistunmount and shamiko.
I don't know if detect zygisk or use a good method for detect magisk.
This app uses a method which is also used in other apps, maybe a library.
Shared library is encrypted, I decrypted it with frida and fixed with sofix, but is not easy to decompile.

 

[pndwal]

magisk v. 25.1 (25100)
zygisk : yes (enabled in settings)
enforce denylist disabled
USNF v.2.3.1 by kdragOn
denylist Unmount v.0.4 by mywalkb
Rom: LOS 18.1 official (LG V20 h990) with swan kernel

Clue: Official LOS will never manipulate props to bypass SafetyNet... PW

 

[ipdev]

Hi all.

Just to expand on what pndwal mentioned.

Clue: Official LOS will never integrate certified device fingerprint spoofing... PW

Custom roms use an official (normally the latest/last) certified build fingerprint.
LG V20 (Global) h990

LineageOS - [GitHub] - [android_device_lge_h990] - lineage_h990.mk​

Starting with Android 8 [Might have been late Android 7 ].
The certified print requires the corresponding security patch (date).

Example.

Spoiler: Pixel 3a (Android 12)

ro.system.build.fingerprint=google/sargo/sargo:12/SP2A.220505.002/8353555:user/release-keys
ro.build.version.security_patch=2022-05-05

---

Lineage will not allow security patch spoofing.

Matching the security patch to the certified fingerprint used.​

Devices that still get monthly manufacture updates normally pass since lineage updates the build fingerprint to the current manufacture print.

Pixel 4 and newer do not need to be spoofed because the certified print is current (same security patch as the los build).

Starting in November (2022) Pixel 4 will be End-Of-Life and not get an update.​

November Lineage builds will be out of sync (ahead of the certified patch level).​

So you will need to adjust the security patch level back to October for Pixel 4.​

Cheers all.

PS.

Just for reference.​

Requirements for an official build.​

Lineage - [GitHub] - Charter​

​

LineageOS - [Gerrit] - open - merged​

 

[Stillhard]

Sorry for the delay, be.keytradebank.phone bypass denylistunmount and shamiko.
I don't know if detect zygisk or use a good method for detect magisk.
This app uses a method which is also used in other apps, maybe a library.
Shared library is encrypted, I decrypted it with frida and fixed with sofix, but is not easy to decompile.

No problem here, i managed to launch the app and go to markets, but other menu need to create a profile
Where's is the detection? Right after you launch it or after you created a profile?

 

[itt533]

No!

[ ... ]

For this, the simplest method is to install and configure MagiskHide Props Config module using a terminal emulator to replace the current fingerprint prop with one in the MHPC fingerprint list. (These are known working device fingerprints matched to security patch dates.) Choose one matching your device as closely as possible if required...

PW

yes with magiskHideProps and a stock fingerprint it worked.