[Discussion] Magisk - The Age of Zygisk.

Search This thread

pndwal

Senior Member
Nice thanks
I have Xiaomi Redmi 9 (Android 10)
Magisk delta 25.1 (magisk hide enabled)
Zygisk disable, USFN riru, CTS profile match (pass)
App added to deny list
Seems I'm doing something wrong. .. I'll check with zygisk enabled and shamiko
Thanks😉
Should clear app data before each test in case caches previous detection result... PW
 

J.Michael

Recognized Contributor
Jan 20, 2018
1,253
1,194
Samsung Galaxy Tab A series

zgfg

Senior Member
Oct 10, 2016
7,587
4,988
no, it does not. It says "Fail". Should Google play services and google play be in denylist?
That must be covered by Universal SafetyNet Fix (USNF) module

What is exactly your Magisk version - please screenshot the Magisk app main window

Zygisk is enabled, DenyList not enforced - please screenshot

What version of USNF you run - please screenshot from Magisk Modules tab

Do you run a custom/not'certified ROM - in that case you might need to spoof fingerprints, but let's first clarify ay above
 

m0han

Senior Member
Apr 30, 2012
4,992
2,046

Attachments

  • Screenshot_20220707_150607.jpg
    Screenshot_20220707_150607.jpg
    200.8 KB · Views: 99
  • Screenshot_20220707_150235.jpg
    Screenshot_20220707_150235.jpg
    172.1 KB · Views: 99
  • Screenshot_20220707_150322.jpg
    Screenshot_20220707_150322.jpg
    200.8 KB · Views: 83
  • Screenshot_20220707_150443.jpg
    Screenshot_20220707_150443.jpg
    179.9 KB · Views: 101

zgfg

Senior Member
Oct 10, 2016
7,587
4,988
All and everything green on my side (with TJW Canary)

But very BASIC question - do you properly hide all those detected LSPosed modules from TB Checker by use of Hide My Apps

(Also, did you checkmark DenyList or Magisk hide, whichever you use, for that TB Checke)

Whenever you install a new checker or a 'banking' app, always do those two things (and reboot) before running that app. In most cases that should be ok (but if you don't do, then you can expect troubles)
 

Attachments

  • Screenshot_2022-07-07-12-03-38-098_krypton.tbsafetychecker.jpg
    Screenshot_2022-07-07-12-03-38-098_krypton.tbsafetychecker.jpg
    329.8 KB · Views: 56
  • Like
Reactions: ipdev and m0han

dohanin

Senior Member
Mar 26, 2011
225
126
Sony Xperia X Compact
Xiaomi Mi Pad 4

zgfg

Senior Member
Oct 10, 2016
7,587
4,988
Interesting. I just tried this app which can detect Magisk Random Package Name.

Tried with Magisk app disabled -> not detected; with Magisk app enabled -> random package name shown.

This aligns with some banking apps which detects root only when Magisk is not disabled. Maybe they have similar logic behind.
I don't hide Magisk app and I don't disable it. I use Hide My Apps to hide Magisk app from eg this TB Checker (and all banking apps and similar)

And it passes

As posted above, Hide My apps also successfully hides my four installed LSPosed modules (incl. the HMA itself) from TB Checker - and everything is green
 

dohanin

Senior Member
Mar 26, 2011
225
126
Sony Xperia X Compact
Xiaomi Mi Pad 4
I don't hide Magisk app and I don't disable it. I use Hide My Apps to hide Magisk app from eg this TB Checker (and all banking apps and similar)

And it passes

As posted above, Hide My apps also successfully hides my four installed LSPosed modules (incl. the HMA itself) from TB Checker - and everything is green
Yep, understood. HMA is a good method to hide Magisk app. I don't use it because I don't need the other LSPosed modules, so I simply disable the app when not in use.
 

m0han

Senior Member
Apr 30, 2012
4,992
2,046

Attachments

  • Screenshot_20220707_155825.jpg
    Screenshot_20220707_155825.jpg
    210.1 KB · Views: 62
  • Screenshot_20220707_155951.jpg
    Screenshot_20220707_155951.jpg
    174.1 KB · Views: 64

pndwal

Senior Member
no, it does not. It says "Fail". Should Google play services and google play be in denylist?
No!

You should never need Google Play, and won't need Play Services unless you are using Magisk with MagiskHide, ie. <23.0 if official (whence MagiskHide toggle will add one or two processes in Google Play Services automatically), or trying to pass S/N with Magisk 24.0+ using Universal SafetyNet Fix module 2.1.1 or earlier (possible on some devices) or w/o USNF (eg if running Android 7 or earlier; Nb. Latest USNF can be used w/ Android 7 however).

... But to put things simply, you should pass SafetyNet with nothing more than Zygisk Yes (Magisk App, Home screen), and Latest Universal SafetyNet Fix module active on a certified stock ROM as long as no modules (or possibly other mods) are breaking Safety net. (No need to put anything in denylist.)

If you are on an uncertified ROM (eg China region stock, some beta or preview builds or custom ROMs that don't manipulate props to bypass proper SafetyNet attestation), you will likely need to set the security patch prop date to match, and possibly set, a Google certified device fingerprint prop to spoof a certified ROM / device...

For this, the simplest method is to install and configure MagiskHide Props Config module using a terminal emulator to replace the current fingerprint prop with a known working one from the MHPC fingerprint list, which will also adjust the security patch prop date... Choose one matching your device as closely as possible if required...

🤠 PW
 
Last edited:

itt533

Member
Nov 12, 2020
43
4
chennai
That must be covered by Universal SafetyNet Fix (USNF) module

What is exactly your Magisk version - please screenshot the Magisk app main window

Zygisk is enabled, DenyList not enforced - please screenshot

What version of USNF you run - please screenshot from Magisk Modules tab

Do you run a custom/not'certified ROM - in that case you might need to spoof fingerprints, but let's first clarify ay above
magisk v. 25.1 (25100)
zygisk : yes (enabled in settings)
enforce denylist disabled
USNF v.2.3.1 by kdragOn
denylist Unmount v.0.4 by mywalkb
Rom: LOS 18.1 official (LG V20 h990) with swan kernel
 

etmatrix

Senior Member
Jan 6, 2015
92
28
So the one you mentioned detect zygisk ;) Can you tell the name of that app?
Sorry for the delay, be.keytradebank.phone bypass denylistunmount and shamiko.
I don't know if detect zygisk or use a good method for detect magisk.
This app uses a method which is also used in other apps, maybe a library.
Shared library is encrypted, I decrypted it with frida and fixed with sofix, but is not easy to decompile.
 

ipdev

Recognized Contributor
Feb 14, 2016
1,846
1
3,233
Google Nexus 10
Nexus 7 (2013)
Hi all. 🙂

Just to expand on what pndwal mentioned. 🙃
Clue: Official LOS will never integrate certified device fingerprint spoofing... PW
Custom roms use an official (normally the latest/last) certified build fingerprint.
LG V20 (Global) h990
LineageOS - [GitHub] - [android_device_lge_h990] - lineage_h990.mk

Starting with Android 8 [Might have been late Android 7 :unsure:].
The certified print requires the corresponding security patch (date).

Example.
Code:
ro.system.build.fingerprint=google/sargo/sargo:12/SP2A.220505.002/8353555:user/release-keys
ro.build.version.security_patch=2022-05-05

---

Lineage will not allow security patch spoofing.
Matching the security patch to the certified fingerprint used.​

Devices that still get monthly manufacture updates normally pass since lineage updates the build fingerprint to the current manufacture print.

Pixel 4 and newer do not need to be spoofed because the certified print is current (same security patch as the los build).
Starting in November (2022) Pixel 4 will be End-Of-Life and not get an update.​
November Lineage builds will be out of sync (ahead of the certified patch level).​
So you will need to adjust the security patch level back to October for Pixel 4.​

Cheers all. :cowboy:

PS.
Just for reference.​
Requirements for an official build.​
Lineage - [GitHub] - Charter
LineageOS - [Gerrit] - open - merged
 

Stillhard

Senior Member
Sep 25, 2016
138
109
Sorry for the delay, be.keytradebank.phone bypass denylistunmount and shamiko.
I don't know if detect zygisk or use a good method for detect magisk.
This app uses a method which is also used in other apps, maybe a library.
Shared library is encrypted, I decrypted it with frida and fixed with sofix, but is not easy to decompile.
No problem here, i managed to launch the app and go to markets, but other menu need to create a profile
Where's is the detection? Right after you launch it or after you created a profile?
 

itt533

Member
Nov 12, 2020
43
4
chennai
[ ... ]
For this, the simplest method is to install and configure MagiskHide Props Config module using a terminal emulator to replace the current fingerprint prop with one in the MHPC fingerprint list. (These are known working device fingerprints matched to security patch dates.) Choose one matching your device as closely as possible if required...

🤠 PW
yes with magiskHideProps and a stock fingerprint it worked.
 
  • Like
Reactions: ipdev and pndwal

Top Liked Posts

  • 2
    It kind of works now, but I have to choose if I want Zygisk on (=No Mobile Network) or Zygisk off (=Older version of Magisk).
    I did flash the recovery image to get Magisk onto the device to begin with, everything else is "direct install (recommended)".
    No A/B stuff..
    Very interesting...

    So can I assume 7T has recovery_a/_b partitions as I believe 8T does, and that you also patched either recovery_a or _b in Magisk App some time back?

    If this is correct, I'm guessing Zygisk-off somehow causes device to reboot to system via recovery, and you thus have old Magisk since you patched recovery image (which is also a boot image containing ramdisk of course) with that some time ago...

    Note: Magisk in recovery and customised protocol for reboot via recovery to system w/o special adapted recovery key combo was designed for A-only legacy SAR devices specifically as these require Magisk in recovery partition as they have no ramdisk in boot... You seem to have used it on your 2SI device and there is no reason it shouldn't work apart from the fact that Magisk in boot partion is far more desirable / convenient...

    If I'm correct about a/b partitioning in 7T, your modern 2SI boot type device will of course have ramdisk in 4 partitions, recovery_a and _b, also boot_a and _b... This is fairly unique as most 2SI devices use recovery in boot partition (w/ a hybrid ramdisk) and have no actual recovery partitions.

    Again, if I'm right you can test theory by booting from powered down state using recovery key combo with this adjustment: As soon as you press the key combo and the device vibrates with a splash screen, release all buttons to boot into Magisk. (If you wanted to boot into the actual recovery mode, you would long press volume up until you see the recovery screen.)
    https://topjohnwu.github.io/Magisk/install.html#magisk-in-recovery

    Please reply to confirm (or correct) this! 😛 PW
    1
    This is still intriguing me... I see this is OnePlus 7T, and it happens on rebooting...

    Just wondering if you have ever patched / flashed recovery image on this device?... Or is device swapping between A/B system slots somehow? (Do you have working systems on both?... Perhaps Magisk in boot_a and boot_b?)... PW
    It kind of works now, but I have to choose if I want Zygisk on (=No Mobile Network) or Zygisk off (=Older version of Magisk).
    I did flash the recovery image to get Magisk onto the device to begin with, everything else is "direct install (recommended)".
    No A/B stuff..
  • 6
    Latest Official TJW Canary (release) & Debug (debug) Magisk builds:

    Magisk (f42c089b) (25102)​

    • [MagiskInit] Fix a potential issue when stub cpio is used
    • [MagiskInit] Fix reboot to recovery when stub cpio is used
    • [General] Better data encryption detection
    • [General] Move the whole logging infrastructure into Rust

    Diffs to v25.1​

    • [MagiskInit] Fix a potential issue when stub cpio is used
    • [MagiskInit] Fix reboot to recovery when stub cpio is used
    • [General] Better data encryption detection
    • [General] Move the whole logging infrastructure into Rust
    https://github.com/topjohnwu/magisk-files/blob/8fce25209918072f18b5bb056c43f596f771324d/notes.md

    👍 PW
    5
    I just tried it on my phone (stock rom, Magisk 24.3, Shamiko 0.5.0, USNF).
    Without doing anything, it detects root.
    Adding it to denylist, still detects root.
    Freezing the Magisk app, goes through!
    It's now been reported a number of times that freezing the Magisk app helps thwart root detection in many cases.

    So ... I now believe that what we need to do is not talk about that publicly too much, so that the banking-and-other-kinds-of-app developers who might check these forums don't catch on to the fact the Magisk app itself doesn't actually provide any run-time Magisk functionality.

    This way, those developers will keep thinking that checking for the existence of a non-frozen Magisk app itself is sufficient.

    Given the intelligence level of some of the banking people who lamely think that it's important to block root access under Android in order to "protect" their provided banking functionality, this ruse might actually be quite effective in many cases.

    After all, anyone who accesses a bank via their desktop computer is doing so on a rooted machine, and those idiotic banking software designers don't even care about "protecting" us against that. And those same banks issue us debit cards that we carry in our stealable wallets, and they don't prohibit us from using those debit cards, either. They go crazy only over trying to protect people against rooted Android devices, which are no more insecure than desktop computers and wallet-borne debit cards.
    5
    Is it possible to find out what an app detects? I have Shamiko 0.5.1 installed and somehow a banking app still detects root. This is the app: https://play.google.com/store/apps/details?id=ro.raiffeisen.eToken&hl=ro&gl=US
    I just tried it on my phone (stock rom, Magisk 24.3, Shamiko 0.5.0, USNF).
    Without doing anything, it detects root.
    Adding it to denylist, still detects root.
    Freezing the Magisk app, goes through!
    5
    How should I hide apps?
    ... its just an addon script that (attempts, as best possible) to hide whatevers in the Deny List
    Just to avoid confusion/ be clear, Shamiko does not hide apps (in denylist or otherwise)...

    It's akin to old MagiskHide, and hides traces of root from apps in the list...
    ### Introduction
    Shamiko is a Zygisk module to hide Magisk root, Zygisk itself and Zygisk modules like riru hide.

    Shamiko read the denylist from Magisk for simplicity but it requires denylist enforcement to be disabled first.
    @appleman_wp
    If you wish to hide apps detected by banks etc, try the Hide My Applist LSPosed module...
    I don't think Shamiko has a "Settings". I think you use the Magisk Manager app's deny list. If you do not "Enforce Deny List" in Magisk, then Shamiko will use Magisk's Deny List to tell it what to hide [traces of root] from.
    (Edits mine.)

    Generally Shamiko is used without settings / extra configuration.
    ### Usage
    1. Install Shamiko and enable Zygisk and reboot
    1. Configure denylist to add processes for hiding
    1. *DO NOT* turn on denylist enforcement

    However it can actually be reconfigured (by those game / mavericks 😛) for whitelist mode usage. Note caveats:
    #### Whitelist
    - You can create an empty file `/data/adb/shamiko/whitelist` to turn on whitelist mode and it can be triggered without reboot
    - Whitelist has significant performance and memory consumption issue, please use it only for testing
    - Only apps that was previously granted root from Magisk can access root
    - If you need to grant a new app root access, disable whitelist first

    ... ts theoretically possible to... bootloop your device... At which point myself and the other senior members will pass around the chalice of your tears and drink heartily from it...
    Sadist! 😜 PW
    4
    I have a problem with shamiko. I tried many times to install it via magisk. Itinstalls itsuccessfully however the app is not showing in the app drawer. Could someone help why shamiko is not on my device?

    It doesnt get added to the app drawer, its a module...many/most modules do not include an app in them

    Look in your list of modules section (last menu item in bottom right) in Magisk Manager, you'll find it there
  • 120
    This is a discussion and help thread for the newer versions of Magisk.

    The main goal of this thread is to help users migrate to Magisk v24+
    • SafetyNet
      Basic integrity Pass
      CTS profile match Pass
    • Play Protect certification
      Device is certified

    Feel free to discuss or give links to other Magisk related issues.
    Fixes for gPay, banking apps and/or other apps and games that detect a 'compromised' Android system.
    Please try to restrain from discussing alternative (unofficial) Magisk builds that include changes that were removed or can not be included in the official Magisk builds. 🙃

    Please read John's State of Magisk (medium.com)

    Starting with the Magisk 23 (23010) canary builds.
    • MagiskHide is removed.
      MagiskHide masked the sensitive properties of the device to hide it from SafetyNet.
      Renaming (repackaging) the Magisk app is/was not part of MagiskHide.
      You still have the option to Hide the Magisk app under setting.​
    • Magisk Module online Repo is removed.
      The Magisk Module online Repo is still available and can be accessed outside of the Magisk app.​
    • Everything SafetyNet is removed.
      This includes the SafetyNet check that was incorporated into the Magisk app.​
    • Zygisk is introduced.
      Zygote + Magisk = Zygisk​
    • The Deny list replaces the Hide list.
      The Hide list (more or less) hid Magisk from the process on the list.
      The Deny list is similar but instead of hiding Magisk from the process, Magisk is unloaded so there is nothing to hide.​

    Starting with the Magisk 23 (23017) canary builds.
    • Magisk supports update channels per module.
      Each module can include it's own update link.​
    • Hide Magisk offline.
      You do not need internet connection to rename (repackage) the Magisk app.​

    What does this mean?
    Not much.
    It is just the next step in Magisk's development.
    Zygisk is a big step forward. ;)

    Even before these changes in Magisk, the xda family and the Android community have always been active and willing to share. :D

    Jump to Post


    This is post will be updated once Magisk v24 is released.
    63
    Magisk
    The Magic Mask for Android.

    Magisk Links:
    GitHub
    Release Notes

    Download Links:
    Stable and Beta releases.
    Canary
    • GitHub
      The notes.md file is the change log.
      The app-debug.apk is Magisk canary.
      Click on app-debug.apk and choose View Raw or click on the Download option.​

    Credits:
    topjohnwu
    All who contribute and support this project.
    57
    Modules

    MagiskHide Props Config
    This module allows you to add, change and adjust prop values systemlessly using Magisk.​

    MagiskHide Props Config Links:

    Download Links:

    Credits:
    Didgeridoohan
    All who contribute and support this project.


    Universal SafetyNet Fix
    It has been a year now since kdrag0n figured out how to 'trick' SafetyNet.
    This 'trick' has been implemented properly into quite a few custom roms.
    For custom roms that do not include it and/or stock roms, he turned it into a module.​

    Universal SafetyNet Fix Links:

    Download Links:

    Credits:
    kdrag0n
    All who contribute and support this project.
    52
    Apps

    Fox's Magisk Module Manager
    This app allows you to manage and install Magisk modules.
    Including from an online repo.​

    Fox's Magisk Module Manager Links:

    Download Links:

    Credits:
    Fox2Code
    All who contribute and support this project.

    Play Intergrity API Checker
    This app shows info about your device integrity as reported by Google Play Services.
    If any of this fails could mean your device is rooted or tampered in a way (for example you have an unlocked bootloader).​

    Development:

    Download Links:

    Credits:
    1nikolas
    All who contribute and support this project.

    YASNAC - Yet Another SafetyNet Attestation Checker
    YASNAC (short for Yet Another SafetyNet Attestation Checker) is an Android app that demonstrates SafetyNet Attestation API.​

    YASNAC Links:

    Download Links:

    Credits:
    RikkaW
    All who contribute and support this project.
    43
    Force Basic Attestation

    Newer devices are designed to support hardware attestation.
    Currently there is no way to hide the sensitive device properties when checked using hardware attestation.​

    To get around this, kdrag0n figured out how trick SafetyNet that the device does not support hardware attestation.
    SafetyNet will then fall back to check using basic attestation.

    Note:
    This method will work for devices that support hardware attestation and devices that do not.
    • Enable Zygisk.
    • Install the USNF module.
    • Reboot

    To keep posts short, the instructions are hid by spoiler tags.
    If you have not installed Magisk.
    Follow the installation link in the Magisk post.​

    Download the Universal SafetyNet Fix module.
    Download link is in the Modules post.​

    1. Enable Zygisk
      • Open the Magisk app.
      • Go to Settings.
      • Scroll down to the Magisk section.
      • Toggle Zygisk on.
      • Go back to the Magisk Home screen.
    2. Go to Modules.
      • Select Install from storage.
      • Navigate to the Universal SafetyNet Fix module zip file and select it.
    3. Reboot.

    The USNF module will adjust the sensitive props that are needed to pass SafetyNet.
    Depending on the device and system (ROM) configuration, you might need to adjust a few more.
    See the Adjust Prop values post.​