[Discussion] Magisk - The Age of Zygisk.


pndwal

SafetyNet fix 2.3.1 Mod solved the problem 👍
I'd be very interested to know if you can still pass deviceIntegrity if you uninstall that and install MagiskHide Props Config module and reboot as I suggested above (no need to configure anything in a terminal emulator as we're just testing the Edit MagiskHide props function which is the only function enabled/active by default when module is enabled) to test if the actual issue is that some sensitive prop(s) needs setting to a 'safe' value, or if a fingerprint prop other than the one used in ROM build is needed, and report results...

Of course this is purely academic but would help to understand what changes are actually needed on pre-hardware key attestation (ie. pre-keymaster 3 Android 8 launch version) compliant devices...

Of course no version of USNF should actually be needed for Galaxy S7 Edge since Basic evaluationType attestation is used by default... Even if unconfigured MHPC (to fix sensitive props; nb. USNF does that too) isn't enough, using MHPC to configure a different fingerprint globally (enter 'props' in a terminal emulator and follow prompts... I'd also be interested to know if Galaxy S7 Edge fingerprint works or if a mismatched device fingerprint is needed) should do the trick...

🙂 PW
 

Spartacus500

@pndwal
I will write like this, my Rom NFE 9.0 Pie is on Bootloader and Baseband since the original last version 8.0 Oreo, the whole system is on 9.0 Pie, Rom 100% stock without any modifications, I made Magisk root myself. The fingerprint from S7 Edge to NFE 9.0 Pie doesn't pass SafetyNet, and I'll explain why, the latest S7 edge version is at 8.0 Oreo and the NFE system is at 9.0, so the fingerprint from 8.0 to 9.0 is wrong. For SafetyNet to be correct, the fingerprint can be from another Samsung (my S8 +), such as the S8 PLUS which has the latest version 9.0 Pie. The request that the fingerprint from another device passes SafetyNet correct must be from the same android version (eg 9.0) as on our 9.0 device, and the security date must match.
 

pndwal

@pndwal
I will write like this, my Rom NFE 9.0 Pie is on Bootloader and Baseband since the original last version 8.0 Oreo, the whole system is on 9.0 Pie, Rom 100% stock without any modifications,
But it's a custom ROM of course, not 'stock'...
I made Magisk root myself. The fingerprint from S7 Edge to NFE 9.0 Pie doesn't pass SafetyNet, and I'll explain why, the latest S7 edge version is at 8.0 Oreo and the NFE system is at 9.0, so the fingerprint from 8.0 to 9.0 is wrong. For SafetyNet to be correct, the fingerprint can be from another Samsung (my S8 +), such as the S8 PLUS which has the latest version 9.0 Pie. The request that the fingerprint from another device passes SafetyNet correct must be from the same android version (eg 9.0) as on our 9.0 device, and the security date must match.
Ah... Suspected you already used a different fingerprint to pass S/N... How are you applying the S8 print (it's not clear if NFE ROM builds this)?

Nb. If you apply any fingerprint via MHPC module's list the module also changes ro.build.version.security_patch to the matching date so experimenting is easy... Also, different API level (Android version) prints work fine for many devices... PW
 

ardiesel


pndwal

How about that sideloading the OTA update, will that break root?
Either approach will restore stock images, so root is lost and installing Magisk again will be needed after installation...

However it may be possible to install Full OTA ROMs for 'sideload' from system in the same way as incremental OTAs are installed, to the inactive slot... But I'm not a Pixel guy and I don't know if it is...

If that can be done and you're happy to swap slots instead of just restoring stock images on current slot, you should be able to preserve root by having the OTA installed to the inactive slot and having the Magisk app install Magisk onto this updated slot. Method here:
https://github.com/topjohnwu/Magisk/blob/master/docs/ota.md#ota-upgrade-guides

👀 PW
 

ardiesel

So I actually went ahead with the side load of the OTA, it worked fine I just had to reflash the boot img after and reroot. It wasn't so bad, you know. Eventually I'll be on a custom rom maybe that'll make things easier I don't know. I can't really find too many Android 13 roms that I really like yet or have the access to.
 

sahil2903


Unable to see google pay icon in Magisk hide app

I have installed safetynet and props config and entered my device via Termux but I cannot see google pay icon in the magisk hide the app menu, so I tried to hide wallet but no avail :(
Additionally I cannot see google pay icon in my home screen, it tends to come and go (weird behaviour)

- using lineageOS
- Oneplus 8T EU
 


mikelucky

Do not mix up Shamiko and HMA.
Did I mention HMA by any word in my previous response to you?!
You asked about Shamiko and how to reach its developer, I told you it's the same developer as for LSPosed and actually suggested you to reach the developer by e-mail you find from her GitHub

HMA is just a module for LSPosed, developed by totally different developer, and indeed it has nothing with their LSPosed TG channel, and their discussion there

Please do your own research (don't be a layman - your own words), google about HMA:

And by the way, HMA and Shamiko/DenyList do totally different things. One cannot substitute the other

DenyList and Shamiko serve to hide Magisk itself

Hide My Applist serves to hide one app from another. Eg, Magisk APPLICATION from your banking app.
You must distinguish Magisk (service, mask, whatever you call it) and Magisk app (previously it had 'better' name manager that better describes what it is - just a MANAGER to manage the Magisk).
Eg, you could uninstall Magisk app and your Magisk (root, modules, etc) will all continue to work (even after reboots).
And you could still manage your Magisk but by using its Command Line Interface (from Terminal), and by directly editing the Magisk database

Banking apps use different techniques to look if you have 'root'

On one side they look for the root itself, on the other some may also look for the Magisk app (reasoning: Why would somebody install Magisk app if he/she does not have Magisk).
But actually you can install Magisk app to the phone with the locked Bootloader, untouched stock firmware, hence no Magisk at all - and if your banking app, among other techniques, looks for the Magisk app, it would still 'complain'

Similarly, some look for the TWRP folder (reasoning: why would someone have TWRP folder if TWRP is not installed).
You simply delete TWRP folder (or just rename) and they no more find it and 'complain' (ofc, they don't tell you in plain they found Magisk, Magisk app, TWRP folder or what - they just refuse to work)

And eg, you can use HMA for other purposes (not related with banking apps and 'hiding' root).
Eg, you want to prevent PlayStore to know that you have certain app installed, and want to prevent it from automatically updating that app or bothering you that your version of that app is outdated.
Eg, I use it for hiding/detaching YouTube and Android Auto from Google Play, since I need to run the particular old versions of YT and AA (as I need them for Vanced YT root and some hacks for Android Auto that work only with those old versions of YT and AA)
Similarly, some look for the TWRP folder (reasoning: why would someone have TWRP folder if TWRP is not installed).
You simply delete TWRP folder (or just rename) and they no more find it and 'complain' (ofc, they don't tell you in plain they found Magisk, Magisk app, TWRP folder or what - they just refuse to work)

yes, it works, although it's an empty folder, some apps still think twrp installed...
 

rubnduardo

Hello guys. Thanks so much for all your hard work, it's awesome.

My problem:

I'm on P3XL pixeldust A13 magisk 25.2 + Zygisk + USNF
and
SN passed (YASNAC, both) // Play Integrity only STRONG failed

For dumb but nevertheless important reasons (spoiler: im in venezuela and depend on the wellsfargoapp LOL) i need the app to properly work but since out of stock rom it doesn't, just loads a webapp in a seamless way, which doesn't push notifications, among other less important stuff.

I'm currently doing research both in this thread and others. I've read there are several different ways apps blacklist devices and personally i think it's not the app but some Play Store security feature. I'll keep working on this.

Any advice or help to solve this is deeply cherished, and I thank you all in advance.
 

rubnduardo

So to update a bit, pixeldust a13 does not pass strong integrity and when i wiped everything and try it outofthebox wellsfargoapp worked as it should.

I tinkered yesterday the whole day, got in some troubles with twrp 3.7 recovery (restore is broken?) and ended up flashing stock via google online flashing (allbat did not work, i was SO F SCARED).

Today im setting my apps and stuff but nothing besides twrp. MOMO found twrp and magisk (which i dont have, nothing not even closely related), i changed TWRP folder name and MOMO doesn't find twrp nor magisk.

Wellsfargoapp is triggered by something related to my google account, i think. When i open my account from the browser i get the standard app, whereas from the android app im still getting the limited one.

I've read about wiping play store, gms, and gmsunsntable cache, which i think im gonna try but i dont want to go blind. Do anyone has some experience or pointers to fix this?

Thanks in advance.
 

AhmadOkda

did you try shamiko ?
 

rubnduardo

did you try shamiko ?
I have not. I was thinking about finding out the problem before root to avoid layering it.

Here are two photos of the exact same app. The one with the biometric option is what it should be. Pixeldust with TWRP, no further setup other than google account, got me the proper app. The difference now is that i set up my acc and stuff but no root, no nothing.

Before trying root + shamiko i was thinking of wiping data and cache (?) of playstore and gms (?), but i'm kind of blind.

Any suggestions? Or should i go with root right away and try shamiko? [USNF did not fix the problem when i tried it rooted, per my first post]

EDIT: the devices are diff but it's an example, as i got the one on the left when pixeldust outofthebox only google acc set (no sync, no nothing).
 


pndwal

So to update a bit, pixeldust a13 does not pass strong integrity
No devices I'm aware of other than Rog Phone 3 pass this w/ unlocked B/L... (But there may be others shipped w/ busted keymaster implementations that pass...) However no banks etc require more than deviceIntegrity yet AFAIK.
and when i wiped everything and try it outofthebox wellsfargoapp worked as it should.

I tinkered yesterday the whole day, got in some troubles with twrp 3.7 recovery (restore is broken?) and ended up flashing stock via google online flashing (allbat did not work, i was SO F SCARED).

Today im setting my apps and stuff but nothing besides twrp. MOMO found twrp and magisk (which i dont have, nothing not even closely related), i changed TWRP folder name and MOMO doesn't find twrp nor magisk.
Interesting... Thanks for reporting...
Wellsfargoapp is triggered by something related to my google account, i think. When i open my account from the browser i get the standard app, whereas from the android app im still getting the limited one.

I've read about wiping play store, gms, and gmsunsntable cache
... gmsunsntable cache (?)
, which i think im gonna try but i dont want to go blind. Do anyone has some experience or pointers to fix this?

Thanks in advance.
I haven't read that you put app in denylist... Did you?

If more hiding is needed you can substitute denylist for Shamiko (read Zygisk hiding(not perfect) + MagiskHide restorer (enhanced)).

You'll need to do this also before using other hiding methods that rely on injection into zygote... I'm thinking particularly of Hide My Applist LSPosed module. (It won't have desired effect w/ denylist active as that reverses / blocks all modifications to apps in list whereas Shamiko allows these like old MagiskHide.)

For basic hiding, wipes needed etc however, principles here:
https://forum.xda-developers.com/t/...agisk-discussion-thread.3906703/post-87481637

🤠 PW
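
The verdict levels discussed in the post above, seen from the relying app's server, as an added example that is not part of the original thread. The label and field names are those of the Play Integrity verdict payload; the function names, the three access tiers and the package name `com.example.bank` are hypothetical, and the payloads are constructed samples.

```python
from typing import Optional

# Device labels of the Play Integrity verdict, weakest to strongest.
LEVELS = [
    "MEETS_BASIC_INTEGRITY",
    "MEETS_DEVICE_INTEGRITY",
    "MEETS_STRONG_INTEGRITY",
]


def strongest_label(payload: dict) -> Optional[str]:
    """Return the strongest known device label in a decoded verdict, or None."""
    device = payload.get("deviceIntegrity") or {}
    labels = device.get("deviceRecognitionVerdict") or []
    known = [label for label in labels if label in LEVELS]
    if not known:
        return None  # empty verdict: the device met no integrity level
    return max(known, key=LEVELS.index)


def access_tier(payload: dict, expected_package: str,
                required: str = "MEETS_DEVICE_INTEGRITY") -> str:
    """Map a decoded verdict to a hypothetical tier: full, limited or blocked.

    Assumes the token was already decrypted and verified and that the
    requestDetails fields (nonce, timestamp) were checked upstream.
    """
    if required not in LEVELS:
        raise ValueError("unknown required level: %r" % required)
    app = payload.get("appIntegrity") or {}
    # A verdict issued for another package, or for a build Play does not
    # recognise, says nothing about this app, whatever the device labels are.
    if app.get("packageName") != expected_package:
        return "blocked"
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        return "blocked"
    best = strongest_label(payload)
    if best is None:
        return "blocked"
    if LEVELS.index(best) >= LEVELS.index(required):
        return "full"
    # Some integrity, but below the bar: degrade instead of refusing.
    return "limited"


def sample(labels, package="com.example.bank", recognized="PLAY_RECOGNIZED"):
    """Build a constructed verdict payload for the demonstration."""
    return {
        "appIntegrity": {
            "packageName": package,
            "appRecognitionVerdict": recognized,
        },
        "deviceIntegrity": {"deviceRecognitionVerdict": list(labels)},
    }


# Constructed sample: basic and device levels met, strong not met.
NO_STRONG = sample(["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY"])

if __name__ == "__main__":
    pkg = "com.example.bank"
    print("device required:", access_tier(NO_STRONG, pkg))
    print("strong required:",
          access_tier(NO_STRONG, pkg, required="MEETS_STRONG_INTEGRITY"))
    print("no labels:      ", access_tier(sample([]), pkg))
```

Raising `required` to the strong level changes the result for the same verdict from full to limited, which is the policy choice behind the remark that nothing yet asks for more than deviceIntegrity.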
 

darywira

Bring new good thing, this app can break hiding stuff
Dear Mr. Huskydg , is there anyway to hide magisk from this app ? thank you
 

knasiotis

I have a question, I used this applist detector and it detects magisk app as a gptekjgml.ah, the thing is i've done all steps, zygisk, universal safety net, changed magisk name via its option and the props config. Is there any way to hide magisk completely?
 

pndwal

I have a question, I used this applist detector and it detects magisk app as a gptekjgml.ah, the thing is i've done all steps, zygisk, universal safety net, changed magisk name via its option and the props config. Is there any way to hide magisk completely?

... Use Hide My Applist LSPosed module to properly hide Magisk / other apps... 👍 PW
 

Top Liked Posts

  • 2
    no shamiko for android 7 nougat?
    it says only android 8.1+?
    what can I do?

    edit: I would also need lsposed zygisk (also not supported :( )

    edit2: it seems I can't use lsposed, since it's 8.1+, so what should I do?
    ditch zygisk and use xposed as before? or use zygisk but then what about shamiko?
    Consider Magisk Delta - with Delta you don't need Shamiko (you will use Zygisk + MagiskHide)

    However, there may be other modules you may need, like LSPosed (same devs like Shamiko) that are also limited to the newer versions of Android
    1

    You should downgrade, if you use a 5years old Android version.

    For Android 7.x you should use Magisk not newer as 23.x (maybe even older)...

    samhhmobil
    1
    no, I didn't, it isn't available for 23 anyway I think
    I meant 'were you using' as in before you downgraded... Also I've added to last post... PW
  • 13
    Hide My AppList Guide i started in a post in this thread is now in its own thread here:

    7
    Hide My AppList Guide is now in its own thread here:

    5
    Perhaps someone with Magisk Delta could test this one?
    Work fine for me (tested with zygisk/riru+magiskhide)
    4
    Is this device or Android version dependent? On one of my Android 9 tablets with the latest, official, canary debug build, every time I install the latest test version of zygisk lsposed, a new, clean copy of system.prop file is created in the lsposed module folder. The latest version is 1.8.5-6656.
    With Zygisk - LSPosed v1.8.5 (6649), I don't have system.prop in my /data/adb/modules/zygisk_lsposed

    However, I see that there is a system.prop file in the installation archive Zygisk_-_LSPosed-v1.8.5(6649).zip, containing a single line:
    dalvik.vm.dex2oat-flags=--inline-max-code-units=0

    Also, the installation script customize.sh looks for the prop ro.maple.enable, if the prop exists with the value 1, it will be disabled by appending the system.prop:
    if [ "$(grep_prop ro.maple.enable)" == "1" ] && [ "$FLAVOR" == "zygisk" ]; then
    ui_print "- Add ro.maple.enable=0"
    echo "ro.maple.enable=0" >> "$MODPATH/system.prop"
    fi


    However, I don't see anything else in the scripts to control whether the system.prop file will be kept in the /data/adb/modules/zygisk_lsposed folder or not

    That must be controlled by the binary parts - to analyze the logic you would need to study the module's sources from GitHub - if available (frankly, I didn't search on GitHub, I automatically update the module when Magisk, Modules show that an Update is available)

    See also the post/answer #2548 about the dex2oat wrapper (you will find in the module's bin subfolder)

    Btw, you could check which of the two lines (or both) do you have in your system.prop:
    dalvik.vm.dex2oat-flags=--inline-max-code-units=0
    and/or
    ro.maple.enable=0

    The second line will be present only if you otherwise had
    ro.maple.enable=1, but the logic behind the need of the first one (probably dependent on the Android version and so) should be in the sources for the module's binaries
    4
    It's a pity.(

    Yes, I'm using the latest version of lsposed, and I can't find system.prop. It simply doesn't exist.
    In this topic, a person already wrote a similar problem. I have exactly the same.
    New versions of Zygisk-LSPosed do not use system.prop anymore, instead all the props handling is in the Zygisk native so

    You may try your luck with an older version of Zygisk-LSposed:

    You could download the zips, unzip and find an older version that contained the system.prop file
  • 130
    This is a discussion and help thread for the newer versions of Magisk.

    The main goal of this thread is to help users migrate to Magisk v24+
    • SafetyNet
      Basic integrity Pass
      CTS profile match Pass
    • Play Protect certification
      Device is certified

    Feel free to discuss or give links to other Magisk related issues.
    Fixes for gPay, banking apps and/or other apps and games that detect a 'compromised' Android system.
    Please try to refrain from discussing alternative (unofficial) Magisk builds that include changes that were removed or can not be included in the official Magisk builds. 🙃

    Please read John's State of Magisk (medium.com)

    Starting with the Magisk 23 (23010) canary builds.
    • MagiskHide is removed.
      MagiskHide masked the sensitive properties of the device to hide it from SafetyNet.
      Renaming (repackaging) the Magisk app is/was not part of MagiskHide.
      You still have the option to Hide the Magisk app under setting.
    • Magisk Module online Repo is removed.
      The Magisk Module online Repo is still available and can be accessed outside of the Magisk app.
    • Everything SafetyNet is removed.
      This includes the SafetyNet check that was incorporated into the Magisk app.
    • Zygisk is introduced.
      Zygote + Magisk = Zygisk
    • The Deny list replaces the Hide list.
      The Hide list (more or less) hid Magisk from the process on the list.
      The Deny list is similar but instead of hiding Magisk from the process, Magisk is unloaded so there is nothing to hide.

    Starting with the Magisk 23 (23017) canary builds.
    • Magisk supports update channels per module.
      Each module can include its own update link.
    • Hide Magisk offline.
      You do not need internet connection to rename (repackage) the Magisk app.

    What does this mean?
    Not much.
    It is just the next step in Magisk's development.
    Zygisk is a big step forward. ;)

    Even before these changes in Magisk, the xda family and the Android community have always been active and willing to share. :D



    This post will be updated once Magisk v24 is released.
    66
    Magisk
    The Magic Mask for Android.

    Magisk Links:
    GitHub
    Release Notes

    Download Links:
    Stable and Beta releases.
    Canary
    • GitHub
      The notes.md file is the change log.
      The app-debug.apk is Magisk canary.
      Click on app-debug.apk and choose View Raw or click on the Download option.

    Credits:
    topjohnwu
    All who contribute and support this project.
    59
    Modules

    MagiskHide Props Config
    This module allows you to add, change and adjust prop values systemlessly using Magisk.

    MagiskHide Props Config Links:

    Download Links:

    Credits:
    Didgeridoohan
    All who contribute and support this project.


    Universal SafetyNet Fix
    It has been a year now since kdrag0n figured out how to 'trick' SafetyNet.
    This 'trick' has been implemented properly into quite a few custom roms.
    For custom roms that do not include it and/or stock roms, he turned it into a module.

    Universal SafetyNet Fix Links:

    Download Links:

    Credits:
    kdrag0n
    All who contribute and support this project.
    55
    Apps

    Fox's Magisk Module Manager
    This app allows you to manage and install Magisk modules.
    Including from an online repo.

    Fox's Magisk Module Manager Links:

    Download Links:

    Credits:
    Fox2Code
    All who contribute and support this project.

    Play Integrity API Checker
    This app shows info about your device integrity as reported by Google Play Services.
    If any of this fails it could mean your device is rooted or tampered in a way (for example you have an unlocked bootloader).

    Development:

    Download Links:

    Credits:
    1nikolas
    All who contribute and support this project.

    YASNAC - Yet Another SafetyNet Attestation Checker
    YASNAC (short for Yet Another SafetyNet Attestation Checker) is an Android app that demonstrates SafetyNet Attestation API.

    YASNAC Links:

    Download Links:

    Credits:
    RikkaW
    All who contribute and support this project.
    46
    Force Basic Attestation

    Newer devices are designed to support hardware attestation.
    Currently there is no way to hide the sensitive device properties when checked using hardware attestation.

    To get around this, kdrag0n figured out how to trick SafetyNet that the device does not support hardware attestation.
    SafetyNet will then fall back to check using basic attestation.

    Note:
    This method will work for devices that support hardware attestation and devices that do not.
    • Enable Zygisk.
    • Install the USNF module.
    • Reboot

    To keep posts short, the instructions are hidden by spoiler tags.
    If you have not installed Magisk.
    Follow the installation link in the Magisk post.

    Download the Universal SafetyNet Fix module.
    Download link is in the Modules post.

    1. Enable Zygisk
      • Open the Magisk app.
      • Go to Settings.
      • Scroll down to the Magisk section.
      • Toggle Zygisk on.
      • Go back to the Magisk Home screen.
    2. Go to Modules.
      • Select Install from storage.
      • Navigate to the Universal SafetyNet Fix module zip file and select it.
    3. Reboot.

    The USNF module will adjust the sensitive props that are needed to pass SafetyNet.
    Depending on the device and system (ROM) configuration, you might need to adjust a few more.
    See the Adjust Prop values post.