[Discussion] Magisk - The Age of Zygisk.

Search This thread

mingkee

Senior Member
Thanks @ipdev

I tried to put a short help for probably the most frequent posts/questions soon to expect.
(Sorry for cross-posting, I first put to the old and cluttered General Magisk thread but this is now better place)

===

Please carefully read Magisk Changelog and OP posts in this thread

Study the Magisk documentation from the official Magisk Github page - particularly about installing Magisk (if not familiar with patching the image in Magisk app and flashing the patched img from Fastboot- different from the old school about flashing Magisk zip through TWRP)

a) No more MagiskHide. New technology instead (for the same - to help hiding root): Zygisk+DenyList

b) No more built in SafetyNet checker. Install from PlayStore e g: YASNAC

c) Modules window does no more connect to the (now frozen) old Modules repository.
You must download module zip files manually and "Install from local storage".
Or search for and install Fox Magisk Module Manager (Fox Mmm) app - it will connect to the new, alternative repository

---

1) Make sure that both Magisk app and Magisk are installed and updated to the new version. Inspect version numbers on the main Magisk window/page

2) Make sure to uninstall all Riru modules (not compatible with Zygisk)

3) Settings, Enable Zygisk and reboot.
Then check on the main window does it show Zygisk Yes

4) Settings, enable Enforce DenyList.
Configure DenyList, enable filters to Show OS and System apps
Find Google Play Services and check-in only the two processes ending with gms and gms.unstable.
You will have to check in all your banking apps and so as you used with MagiskHide.
Always reboot upon reconfiguring DenyList

5) If SafetyNet does not pass, install USNF 2.2.1 and test again.
Always reboot upon installing a module, also if/when you enable Systemless Hosts

---

Intentionally, I didn't want to complicate with Shamiko for the new Magisk 24 users 👍
Then Magisk hide is replaced by Zygisk + Deny List?
Should I keep using Safetynet Fix and switch to Zygisk version?
 

nacos

Senior Member
Sep 27, 2007
547
249
Here & Now
Did you setup DenyList?
Check if SafetyNet passes.
You may need to use USNF 2.2.1 - read e g. post #14 in this thread

To hide Zygisk itself, use Shamiko - once installed, you need to disable Enforce DenyList since Shamiko will take over

Shamiko must be also downloaded from TG, but thanks to the new module auto-updating scheme (properly implemented for Shamiko but not for LSPosed), its URL can be obtained:
Something's not right. I'm no longer able to open the bank apps ++ (whereas I used to be able to run all these apps under Magisk 23 + Hide)

Samsung S8, Havoc OS (Android 10), MicroG.

1. I did configure Deny list and added all affected aps (as previously)
2. Zygisk shows yes on the main page
3. I did install USNF 2.2.1, however I don't pass SafetyNet. YASNAC reports "Google Play Services API error16: cancelled"
4. I also installed Shamiko and disabled Deny List in settings.
5. Self-check in MicroG confirms System does have signature spoofing (through LSPosed > FakeGaaps)

Any suggestions? Thanks!
 
Last edited:

V0latyle

Forum Moderator
Staff member
Can you guarantee that all apps that magiskhide hid root from will hide root with the deny list?
Nothing is ever a guarantee. If the risk of root detection is unacceptable to you, don't root. You are completely and absolutely at your own risk here. You and you alone are liable for any problems you may experience.

That being said, for the majority of people using Magisk + USNF + MHPC in the proper configuration have had success.
Why fix what wasn't broken? magiskhide has worked well for most people for years.
This was answered in the OP. Please read John Wu's 2021 blog post as it describes why Magisk transitioned to Zygote, as well as why MagiskHide has been discontinued.
 

zgfg

Senior Member
Oct 10, 2016
7,385
4,778
Can you guarantee that all apps that magiskhide hid root from will hide root with the deny list? Why fix what wasn't broken? magiskhide has worked well for most people for years.
Why should I guarantee you anything?!

Guys, please understand that there are VARIOUS (banking) apps that detect or guess about root by VARIOUS methods.
What works to hide root from one app, does not work for the other app - or will no more work for the first app upon they update the app

Did you take some time to read what was posted in this thread about PushTAN?
With the same settings root is successfully hidden for other users but not for any Xiaomi users

YOUR MILLEAGE MAY VARY

Sorry, being tired of answering to such posts, specially when people are lazy or what to first read something - sorry to being rude, but that's it
 

ldeveraux

Senior Member
Nov 20, 2008
2,527
915
Lenovo Thinkpad Tablet
Nexus Q
Why should I guarantee you anything?!

Guys, please understand that there are VARIOUS (banking) apps that detect or guess about root by VARIOUS methods.
What works to hide root from one app, does not work for the other app - or will no more work for the first app upon they update the app

Did you take some time to read what was posted in this thread about PushTAN?
With the same settings root is successfully hidden for other users but not for any Xiaomi users

YOUR MILLEAGE MAY VARY

Sorry, being tired of answering to such posts, specially when people are lazy or what to first read something - sorry to being rude, but that's it
It was a hypothetical question; one we all already know the answer too. The point is many people were upset when this transition was announced because something worked great for them and was changed. Sure I don't have to upgrade, and I won't because magiskhide works 100% for me, as it does for most people. We all know why TJW stopped development of magisk and it had nothing to do with the app. This just seems like a regression or at best a lateral tech shift.

ninjaedit: Why in the world is this still considered a version number upgrade from Magisk when they are essentially different apps? Why not just call it the Zygisk app or whatever you're calling it and offer it as a version 1.0 separate entity? Maybe that would confuse people less and you wouldn't have to answer the same question repeatedly.
 
Last edited:

nacos

Senior Member
Sep 27, 2007
547
249
Here & Now
Did you setup DenyList?
Check if SafetyNet passes.
You may need to use USNF 2.2.1 - read e g. post #14 in this thread

To hide Zygisk itself, use Shamiko - once installed, you need to disable Enforce DenyList since Shamiko will take over

Shamiko must be also downloaded from TG, but thanks to the new module auto-updating scheme (properly implemented for Shamiko but not for LSPosed), its URL can be obtained:
Could you please check my last post #85 (link below). I would appreciate any suggestions. Thanks!
 

zgfg

Senior Member
Oct 10, 2016
7,385
4,778
Something's not right. I'm no longer able to open the bank apps ++ (whereas I used to be able to run all these apps under Magisk 23 + Hide)

Samsung S8, Havoc OS (Android 10), MicroG.

1. I did configure Deny list and added all affected aps (as previously)
2. Zygisk shows yes on the main page
3. I did install USNF 2.2.1, however I don't pass SafetyNet. YASNAC reports "Google Play Services API error16: cancelled"
4. I also installed Shamiko and disabled Deny List in settings.
5. Self-check in MicroG confirms System does have signature spoofing (through LSPosed > FakeGaaps)

Any suggestions? Thanks!
SafetyNet uses Google Play Services (GMS). AFAIK, you cannot substitute GMS with MicroG

Maybe it was possible way ago, but not now - GMS communicates with the Google servers. Communication is authenticated by PKI. MicroG or nobody else could sign with the private key of Google Play Services, hence Google servers would immediately know they don't talk to GMS

API error actually means that SN communication is broken.. I doubt that MicroG even provides SN API (knowing that it cannot spoof Google's backend part for SN). Hence your API error probably means that SN checker cannot find GMS and its SN API
 
Last edited:

nacos

Senior Member
Sep 27, 2007
547
249
Here & Now
SafetyNet uses Google Play Services (GMS). AFAIK, you cannot substitute GMS with MicroG

Maybe it was possible way ago, but not now - GMS communicates with the Google servers. Communication is authenticated by PKI. MicroG or nobody else could sign with the private key of Google Play Services, hence Google servers would immediately know they don't talk to GMS

API error actually means that SN communication is broken.. I doubt that MicroG even provides SN API (knowing that it cannot spoof Google's backend part for SN). Hence API error probably means that SN checker cannot find GMS and its SN API
Makes sense. The interesting part is that under Magisk v.23, although clearly I also wasn't passing SafetyNet, I was able to use all banking apps that currently no longer run. This tells me that Magisk's previous built-in hiding mechanism worked, while Magisk's v.24.1 external hiding mechanism doesn't - unless it passes SafetyNet - which is likely the only hiding mechanism.

Anyways, I truly appreciate your help. Thanks a lot.
 
Last edited:
  • Like
Reactions: zgfg

tom1807

Senior Member
No idea what kind of sorcery this is, but I got yesterday my Pixel 6 and this Zygisk is pretty awesome.
Not only work now bank apps again, which still detected root, despite being properly rooted on my previous mobile and passing SafetyNet, but most amazing, DRM Info shows, that I am in Widevine CDM on security level L1.
Pretty amazing.

Cheers
Tom
 
  • Like
Reactions: pndwal and zgfg

mingkee

Senior Member
No idea what kind of sorcery this is, but I got yesterday my Pixel 6 and this Zygisk is pretty awesome.
Not only work now bank apps again, which still detected root, despite being properly rooted on my previous mobile and passing SafetyNet, but most amazing, DRM Info shows, that I am in Widevine CDM on security level L1.
Pretty amazing.

Cheers
Tom
How did you setup compared with 23?
 

bgsdeluxe

Senior Member
Feb 23, 2013
132
40
Anybody with Magisk v24 or v24.1 and safetynetfix 2.2.1 and Google Play Services added to hidelist could do me a favour and check, if Play Store is still present in this list after a reboot, please? (Yes, I ticked "show system apps" ;) )
Thanks, highly appreciated.
 
Last edited:

bgsdeluxe

Senior Member
Feb 23, 2013
132
40
Yep, still present

Cheers
Tom
Thank you! I meant to ask for Play Services, not Store.
Are you running A12 or an older build?
Another app (non-system app) I added is still in hidelist only Play Services isn't surviving reboot. That's due to Magisk Hide not enabled?
 
Last edited:

mkcs

Member
Feb 1, 2017
46
10
I received this error even though Zygisk is enabled and UNSF are installed

Screenshot_2022-01-29-11-17-54-435_rikka.safetynetchecker.jpg
 

Top Liked Posts

  • 1
    Did you test with these apps, my lord?
    These app will beat your Shamiko and Momo detection ;)
    No time to test at the moment but, I will give them a try in the next few days. 🙃

    I will let you know my results sire. ;)

    Cheers. :cowboy:
    1
    I found out on latest update of "App cloner", I couldn't avoid it detecting root.. I updated from magisk TJW 23.0 official to fork magisk delta 25.1 if incase it will work but no way.. root still detected. Check attached snapshots.
    Zygisk disabled
    Magisk hide enabled
    App added on denylist
    This is warning from your system security app, not from the app itself
    1
    How to solve this? I use Xiaomi Redmi 9 android 10. Thanks 😊
    Are you asking about com.miui.securitycenter

    Did you add it to DenyList?
    See the screenshots

    You might need to enable Show System and Show OS apps to be able to see in the Magisk app, Configure DenyList

    Alternatively (if it won't show in Configure DenyList), DenyList can be managed through the Terminal:
    Code:
    su
    magisk --denylist ls
    magisk --denylist add com.miui.securitycenter
    magisk --denylist ls
    1
    Okay thanks. I'll try that and give feedback.
    But I see now that you started by asking about App Cloner

    I don't see App Cloner in the MIUI Security. If that App Cloner is a third party app, then adding Security to DenyList would have no effect/not help

    Then I don't know why somebody recommended you to add MIUI Security to DenyList - my previous post was exclusively about adding Security to DenyList (since I remember that with some MIUI version and/or some Magisk version, Security was not showing in DenyList or in MagiskHide and I needed to be added through CLI in Terminal)
  • 15
    @ipdev can you add https://github.com/mywalkb/DenylistUnmount to this post, as an open source alternative to Shamiko? Many users are posting positive results with this module.
    I bookmarked it the other day when I ran across the link in a different thread. 🙃
    I added Denylist Unmount to Points of Interest.

    Unfortunately my time has been short lately. 🙁
    Life and sidetracked by other projects.

    I have been meaning to update Post #9 for awhile now.
    Post #9 was to be a catch all post for additional links recommended in the threads.
    I have been trying to figure a good way to format/layout and categorize it.​

    This is my current WIP.
    Still needs to be formatted better. The secondary title needs to be reworded. Add/reword descriptions.
    Other cleanup and format/layout.

    Points of Interest.
    Apps, Links, Modules, Posts and Threads.
    Additional links recommended by the xda family.

    Apps

    Hide My Applist
    Hide apps or reject app list requests.
    Requires Xposed.​
    Download Links:
    GitHub | PlayStore

    Oprek Root Detector
    Check Devices Health​
    Download Links:
    PlayStore

    Magisk Modules

    Denylist Unmount
    Unmount the denylist processes​
    Download Links:
    GitHub

    LSPosed
    Systemless Xposed framework.
    Zygisk releases are now included.
    Releases
    Download Links:
    GitHub

    Shamiko
    Add description​
    Download Links:
    GitHub

    xda Posts

    xda Threads

    Other


    Note(s)
    • Xposed is a framework for modules that can change the behavior of the system and apps without touching any APKs.

    Cheers. :cowboy:
    9
    Anyone here have issue with latest version of Shamiko and some banking apps?
    My Starling app keeps closing itself when I have enabled Shamiko but if I disable it and revert to enforce denylist the app works fine but one of my other apps does not work without shamiko!
    Try using my build, turn off zygisk (optional) and enable MagiskHide.

    About Zygisk: Zygisk is still not perfect for hiding and zygisk leave very obvious traces for some apps such as Livin by Madiri (only work without zygisk). The problem is not "root is not hidden" but "Zygisk is not hidden". Riru has RiruHide to hide itself from scanning /proc/<pid/maps but Zygisk doesn't have hiding method and DenyList doesn't hide zygisk. If you are using LSPosed, recommended to use Riru for now.


    If you apps are still detecting root, try install Riru - MomoHider: https://github.com/HuskyDG/Riru-Momohider/releases/tag/0.0.8-all-configs
    8
    a new safetynet update has been released https://github.com/kdrag0n/safetynet-fix/releases
    thanks to kdrag0n and osm0sis and benjibobs
    8
    Points of Interest.

    LSPosed
    Zygisk releases are now included.
    Download Links:

    Shamiko
    Download Links:
    @ipdev can you add https://github.com/mywalkb/DenylistUnmount to this post, as an open source alternative to Shamiko? Many users are posting positive results with this module.
    5
    How Momo detect some traces:
  • 117
    This is a discussion and help thread for the newer versions of Magisk.

    The main goal of this thread is to help users migrate to Magisk v24+
    • SafetyNet
      Basic integrity Pass
      CTS profile match Pass
    • Play Protect certification
      Device is certified

    Feel free to discuss or give links to other Magisk related issues.
    Fixes for gPay, banking apps and/or other apps and games that detect a 'compromised' Android system.
    Please try to restrain from discussing alternative (unofficial) Magisk builds that include changes that were removed or can not be included in the official Magisk builds. 🙃

    Please read John's State of Magisk (medium.com)

    Starting with the Magisk 23 (23010) canary builds.
    • MagiskHide is removed.
      MagiskHide masked the sensitive properties of the device to hide it from SafetyNet.
      Renaming (repackaging) the Magisk app is/was not part of MagiskHide.
      You still have the option to Hide the Magisk app under setting.​
    • Magisk Module online Repo is removed.
      The Magisk Module online Repo is still available and can be accessed outside of the Magisk app.​
    • Everything SafetyNet is removed.
      This includes the SafetyNet check that was incorporated into the Magisk app.​
    • Zygisk is introduced.
      Zygote + Magisk = Zygisk​
    • The Deny list replaces the Hide list.
      The Hide list (more or less) hid Magisk from the process on the list.
      The Deny list is similar but instead of hiding Magisk from the process, Magisk is unloaded so there is nothing to hide.​

    Starting with the Magisk 23 (23017) canary builds.
    • Magisk supports update channels per module.
      Each module can include it's own update link.​
    • Hide Magisk offline.
      You do not need internet connection to rename (repackage) the Magisk app.​

    What does this mean?
    Not much.
    It is just the next step in Magisk's development.
    Zygisk is a big step forward. ;)

    Even before these changes in Magisk, the xda family and the Android community have always been active and willing to share. :D

    Jump to Post


    This is post will be updated once Magisk v24 is released.
    62
    Magisk
    The Magic Mask for Android.

    Magisk Links:
    GitHub
    Release Notes

    Download Links:
    Stable and Beta releases.
    Canary
    • GitHub
      The notes.md file is the change log.
      The app-debug.apk is Magisk canary.
      Click on app-debug.apk and choose View Raw or click on the Download option.​

    Credits:
    topjohnwu
    All who contribute and support this project.
    57
    Modules

    MagiskHide Props Config
    This module allows you to add, change and adjust prop values systemlessly using Magisk.​

    MagiskHide Props Config Links:

    Download Links:

    Credits:
    Didgeridoohan
    All who contribute and support this project.


    Universal SafetyNet Fix
    It has been a year now since kdrag0n figured out how to 'trick' SafetyNet.
    This 'trick' has been implemented properly into quite a few custom roms.
    For custom roms that do not include it and/or stock roms, he turned it into a module.​

    Universal SafetyNet Fix Links:

    Download Links:

    Credits:
    kdrag0n
    All who contribute and support this project.
    52
    Apps

    Fox's Magisk Module Manager
    This app allows you to manage and install Magisk modules.
    Including from an online repo.​

    Fox's Magisk Module Manager Links:

    Download Links:

    Credits:
    Fox2Code
    All who contribute and support this project.


    YASNAC - Yet Another SafetyNet Attestation Checker
    YASNAC (short for Yet Another SafetyNet Attestation Checker) is an Android app that demonstrates SafetyNet Attestation API.​

    YASNAC Links:

    Download Links:

    Credits:
    RikkaW
    All who contribute and support this project.
    43
    Force Basic Attestation

    Newer devices are designed to support hardware attestation.
    Currently there is no way to hide the sensitive device properties when checked using hardware attestation.​

    To get around this, kdrag0n figured out how trick SafetyNet that the device does not support hardware attestation.
    SafetyNet will then fall back to check using basic attestation.

    Note:
    This method will work for devices that support hardware attestation and devices that do not.
    • Enable Zygisk.
    • Install the USNF module.
    • Reboot

    To keep posts short, the instructions are hid by spoiler tags.
    If you have not installed Magisk.
    Follow the installation link in the Magisk post.​

    Download the Universal SafetyNet Fix module.
    Download link is in the Modules post.​

    1. Enable Zygisk
      • Open the Magisk app.
      • Go to Settings.
      • Scroll down to the Magisk section.
      • Toggle Zygisk on.
      • Go back to the Magisk Home screen.
    2. Go to Modules.
      • Select Install from storage.
      • Navigate to the Universal SafetyNet Fix module zip file and select it.
    3. Reboot.

    The USNF module will adjust the sensitive props that are needed to pass SafetyNet.
    Depending on the device and system (ROM) configuration, you might need to adjust a few more.
    See the Adjust Prop values post.​