[Discussion] Magisk - The Age of Zygisk.

Search This thread

mingkee

Senior Member
Thanks @ipdev

I tried to put a short help for probably the most frequent posts/questions soon to expect.
(Sorry for cross-posting, I first put to the old and cluttered General Magisk thread but this is now better place)

===

Please carefully read Magisk Changelog and OP posts in this thread

Study the Magisk documentation from the official Magisk Github page - particularly about installing Magisk (if not familiar with patching the image in Magisk app and flashing the patched img from Fastboot- different from the old school about flashing Magisk zip through TWRP)

a) No more MagiskHide. New technology instead (for the same - to help hiding root): Zygisk+DenyList

b) No more built in SafetyNet checker. Install from PlayStore e g: YASNAC

c) Modules window does no more connect to the (now frozen) old Modules repository.
You must download module zip files manually and "Install from local storage".
Or search for and install Fox Magisk Module Manager (Fox Mmm) app - it will connect to the new, alternative repository

---

1) Make sure that both Magisk app and Magisk are installed and updated to the new version. Inspect version numbers on the main Magisk window/page

2) Make sure to uninstall all Riru modules (not compatible with Zygisk)

3) Settings, Enable Zygisk and reboot.
Then check on the main window does it show Zygisk Yes

4) Settings, enable Enforce DenyList.
Configure DenyList, enable filters to Show OS and System apps
Find Google Play Services and check-in only the two processes ending with gms and gms.unstable.
You will have to check in all your banking apps and so as you used with MagiskHide.
Always reboot upon reconfiguring DenyList

5) If SafetyNet does not pass, install USNF 2.2.1 and test again.
Always reboot upon installing a module, also if/when you enable Systemless Hosts

---

Intentionally, I didn't want to complicate with Shamiko for the new Magisk 24 users 👍
Then Magisk hide is replaced by Zygisk + Deny List?
Should I keep using Safetynet Fix and switch to Zygisk version?
 

nacos

Senior Member
Sep 27, 2007
537
246
Here & Now
Did you setup DenyList?
Check if SafetyNet passes.
You may need to use USNF 2.2.1 - read e g. post #14 in this thread

To hide Zygisk itself, use Shamiko - once installed, you need to disable Enforce DenyList since Shamiko will take over

Shamiko must be also downloaded from TG, but thanks to the new module auto-updating scheme (properly implemented for Shamiko but not for LSPosed), its URL can be obtained:
Something's not right. I'm no longer able to open the bank apps ++ (whereas I used to be able to run all these apps under Magisk 23 + Hide)

Samsung S8, Havoc OS (Android 10), MicroG.

1. I did configure Deny list and added all affected aps (as previously)
2. Zygisk shows yes on the main page
3. I did install USNF 2.2.1, however I don't pass SafetyNet. YASNAC reports "Google Play Services API error16: cancelled"
4. I also installed Shamiko and disabled Deny List in settings.
5. Self-check in MicroG confirms System does have signature spoofing (through LSPosed > FakeGaaps)

Any suggestions? Thanks!
 
Last edited:

V0latyle

Forum Moderator
Staff member
Can you guarantee that all apps that magiskhide hid root from will hide root with the deny list?
Nothing is ever a guarantee. If the risk of root detection is unacceptable to you, don't root. You are completely and absolutely at your own risk here. You and you alone are liable for any problems you may experience.

That being said, for the majority of people using Magisk + USNF + MHPC in the proper configuration have had success.
Why fix what wasn't broken? magiskhide has worked well for most people for years.
This was answered in the OP. Please read John Wu's 2021 blog post as it describes why Magisk transitioned to Zygote, as well as why MagiskHide has been discontinued.
 

zgfg

Senior Member
Oct 10, 2016
7,186
4,635
Can you guarantee that all apps that magiskhide hid root from will hide root with the deny list? Why fix what wasn't broken? magiskhide has worked well for most people for years.
Why should I guarantee you anything?!

Guys, please understand that there are VARIOUS (banking) apps that detect or guess about root by VARIOUS methods.
What works to hide root from one app, does not work for the other app - or will no more work for the first app upon they update the app

Did you take some time to read what was posted in this thread about PushTAN?
With the same settings root is successfully hidden for other users but not for any Xiaomi users

YOUR MILLEAGE MAY VARY

Sorry, being tired of answering to such posts, specially when people are lazy or what to first read something - sorry to being rude, but that's it
 

ldeveraux

Senior Member
Nov 20, 2008
2,523
914
Lenovo Thinkpad Tablet
Nexus Q
Why should I guarantee you anything?!

Guys, please understand that there are VARIOUS (banking) apps that detect or guess about root by VARIOUS methods.
What works to hide root from one app, does not work for the other app - or will no more work for the first app upon they update the app

Did you take some time to read what was posted in this thread about PushTAN?
With the same settings root is successfully hidden for other users but not for any Xiaomi users

YOUR MILLEAGE MAY VARY

Sorry, being tired of answering to such posts, specially when people are lazy or what to first read something - sorry to being rude, but that's it
It was a hypothetical question; one we all already know the answer too. The point is many people were upset when this transition was announced because something worked great for them and was changed. Sure I don't have to upgrade, and I won't because magiskhide works 100% for me, as it does for most people. We all know why TJW stopped development of magisk and it had nothing to do with the app. This just seems like a regression or at best a lateral tech shift.

ninjaedit: Why in the world is this still considered a version number upgrade from Magisk when they are essentially different apps? Why not just call it the Zygisk app or whatever you're calling it and offer it as a version 1.0 separate entity? Maybe that would confuse people less and you wouldn't have to answer the same question repeatedly.
 
Last edited:

nacos

Senior Member
Sep 27, 2007
537
246
Here & Now
Did you setup DenyList?
Check if SafetyNet passes.
You may need to use USNF 2.2.1 - read e g. post #14 in this thread

To hide Zygisk itself, use Shamiko - once installed, you need to disable Enforce DenyList since Shamiko will take over

Shamiko must be also downloaded from TG, but thanks to the new module auto-updating scheme (properly implemented for Shamiko but not for LSPosed), its URL can be obtained:
Could you please check my last post #85 (link below). I would appreciate any suggestions. Thanks!
 

zgfg

Senior Member
Oct 10, 2016
7,186
4,635
Something's not right. I'm no longer able to open the bank apps ++ (whereas I used to be able to run all these apps under Magisk 23 + Hide)

Samsung S8, Havoc OS (Android 10), MicroG.

1. I did configure Deny list and added all affected aps (as previously)
2. Zygisk shows yes on the main page
3. I did install USNF 2.2.1, however I don't pass SafetyNet. YASNAC reports "Google Play Services API error16: cancelled"
4. I also installed Shamiko and disabled Deny List in settings.
5. Self-check in MicroG confirms System does have signature spoofing (through LSPosed > FakeGaaps)

Any suggestions? Thanks!
SafetyNet uses Google Play Services (GMS). AFAIK, you cannot substitute GMS with MicroG

Maybe it was possible way ago, but not now - GMS communicates with the Google servers. Communication is authenticated by PKI. MicroG or nobody else could sign with the private key of Google Play Services, hence Google servers would immediately know they don't talk to GMS

API error actually means that SN communication is broken.. I doubt that MicroG even provides SN API (knowing that it cannot spoof Google's backend part for SN). Hence your API error probably means that SN checker cannot find GMS and its SN API
 
Last edited:

nacos

Senior Member
Sep 27, 2007
537
246
Here & Now
SafetyNet uses Google Play Services (GMS). AFAIK, you cannot substitute GMS with MicroG

Maybe it was possible way ago, but not now - GMS communicates with the Google servers. Communication is authenticated by PKI. MicroG or nobody else could sign with the private key of Google Play Services, hence Google servers would immediately know they don't talk to GMS

API error actually means that SN communication is broken.. I doubt that MicroG even provides SN API (knowing that it cannot spoof Google's backend part for SN). Hence API error probably means that SN checker cannot find GMS and its SN API
Makes sense. The interesting part is that under Magisk v.23, although clearly I also wasn't passing SafetyNet, I was able to use all banking apps that currently no longer run. This tells me that Magisk's previous built-in hiding mechanism worked, while Magisk's v.24.1 external hiding mechanism doesn't - unless it passes SafetyNet - which is likely the only hiding mechanism.

Anyways, I truly appreciate your help. Thanks a lot.
 
Last edited:
  • Like
Reactions: zgfg

tom1807

Senior Member
No idea what kind of sorcery this is, but I got yesterday my Pixel 6 and this Zygisk is pretty awesome.
Not only work now bank apps again, which still detected root, despite being properly rooted on my previous mobile and passing SafetyNet, but most amazing, DRM Info shows, that I am in Widevine CDM on security level L1.
Pretty amazing.

Cheers
Tom
 
  • Like
Reactions: pndwal and zgfg

mingkee

Senior Member
No idea what kind of sorcery this is, but I got yesterday my Pixel 6 and this Zygisk is pretty awesome.
Not only work now bank apps again, which still detected root, despite being properly rooted on my previous mobile and passing SafetyNet, but most amazing, DRM Info shows, that I am in Widevine CDM on security level L1.
Pretty amazing.

Cheers
Tom
How did you setup compared with 23?
 

bgsdeluxe

Senior Member
Feb 23, 2013
126
40
Anybody with Magisk v24 or v24.1 and safetynetfix 2.2.1 and Google Play Services added to hidelist could do me a favour and check, if Play Store is still present in this list after a reboot, please? (Yes, I ticked "show system apps" ;) )
Thanks, highly appreciated.
 
Last edited:

bgsdeluxe

Senior Member
Feb 23, 2013
126
40
Yep, still present

Cheers
Tom
Thank you! I meant to ask for Play Services, not Store.
Are you running A12 or an older build?
Another app (non-system app) I added is still in hidelist only Play Services isn't surviving reboot. That's due to Magisk Hide not enabled?
 
Last edited:

mkcs

Member
Feb 1, 2017
46
10
I received this error even though Zygisk is enabled and UNSF are installed

Screenshot_2022-01-29-11-17-54-435_rikka.safetynetchecker.jpg
 

Top Liked Posts

  • There are no posts matching your filters.
  • 9
    Where do you guys get Momo? I can't download from Telegram on PC and I don't want to create an account.
    I've attached it for you. :)
    8
    I am just curious why you don't want to install telegram. About a year ago, or so, I uninstalled telegram because I got tired of the juvenile, posts on an android app dev forum, lspeed. I feel now that telegram is better moderated, but that is mostly based on the magisk alpha, lsposed. etc that I am now on. Is there some other security issues with it that I am not aware? I have most notification in it turned off so it doesn't constantly annoy me.
    Nah just the childishness nonsense you mention. I was on a few Android groups at one point and they were all pretty obnoxious. That and when I tried having a public profile getting random "Hey are you THE osm0sis from xda? Cool! Just checking." roughly every couple days was ridiculous. Made me fairly certain I'm doing just fine with xda, Twitter, email, GitHub, Slack and TWRP's Zulip. 😜
    6
    But we can attach the file itself, can't we @pndwal ?
    5
    Seems not, but Canyie has fixed her GitHub link to Momo from MomoHider page https://github.com/canyie/Riru-MomoHider ('depreciation notice' introduces Shamiko - MomoHider may not be a 'thing' anymore...) however (Link to momo apk is dead #22 / Fix #22, 54d76a6), so at least we can link to that on XDA since we can't post TG links as file source...

    Momo is linked under 'Test':
    https://github.com/canyie/Riru-MomoHider#test

    👀 PW
    Sigh.. guess I'll secretly install Telegram just to download things. 🤷‍♂️🙄🥲
    5
    What do you'll think about this Xposed module?

    I can't find an app that doesn't work...momo still complains about broken tee.
    4.1.1 momo, 1.3.7 privacyspace, 0.5.0 shamiko and 1.8.3 lsposed
    Momo complains about broken TEE because of the way OnePlus implemented hardware key attestation. The same happens on my 8T.
    It's not something that can be fixed and it doesn't affect root detection or SafetyNet.
  • 114
    This is a discussion and help thread for the newer versions of Magisk.

    The main goal of this thread is to help users migrate to Magisk v24+
    • SafetyNet
      Basic integrity Pass
      CTS profile match Pass
    • Play Protect certification
      Device is certified

    Feel free to discuss or give links to other Magisk related issues.
    Fixes for gPay, banking apps and/or other apps and games that detect a 'compromised' Android system.
    Please try to restrain from discussing alternative (unofficial) Magisk builds that include changes that were removed or can not be included in the official Magisk builds. 🙃

    Please read John's State of Magisk (medium.com)

    Starting with the Magisk 23 (23010) canary builds.
    • MagiskHide is removed.
      MagiskHide masked the sensitive properties of the device to hide it from SafetyNet.
      Renaming (repackaging) the Magisk app is/was not part of MagiskHide.
      You still have the option to Hide the Magisk app under setting.​
    • Magisk Module online Repo is removed.
      The Magisk Module online Repo is still available and can be accessed outside of the Magisk app.​
    • Everything SafetyNet is removed.
      This includes the SafetyNet check that was incorporated into the Magisk app.​
    • Zygisk is introduced.
      Zygote + Magisk = Zygisk​
    • The Deny list replaces the Hide list.
      The Hide list (more or less) hid Magisk from the process on the list.
      The Deny list is similar but instead of hiding Magisk from the process, Magisk is unloaded so there is nothing to hide.​

    Starting with the Magisk 23 (23017) canary builds.
    • Magisk supports update channels per module.
      Each module can include it's own update link.​
    • Hide Magisk offline.
      You do not need internet connection to rename (repackage) the Magisk app.​

    What does this mean?
    Not much.
    It is just the next step in Magisk's development.
    Zygisk is a big step forward. ;)

    Even before these changes in Magisk, the xda family and the Android community have always been active and willing to share. :D

    Jump to Post


    This is post will be updated once Magisk v24 is released.
    61
    Magisk
    The Magic Mask for Android.

    Magisk Links:
    GitHub
    Release Notes

    Download Links:
    Stable and Beta releases.
    Canary
    • GitHub
      The notes.md file is the change log.
      The app-debug.apk is Magisk canary.
      Click on app-debug.apk and choose View Raw or click on the Download option.​

    Credits:
    topjohnwu
    All who contribute and support this project.
    55
    Modules

    MagiskHide Props Config
    This module allows you to add, change and adjust prop values systemlessly using Magisk.​

    MagiskHide Props Config Links:

    Download Links:

    Credits:
    Didgeridoohan
    All who contribute and support this project.


    Universal SafetyNet Fix
    It has been a year now since kdrag0n figured out how to 'trick' SafetyNet.
    This 'trick' has been implemented properly into quite a few custom roms.
    For custom roms that do not include it and/or stock roms, he turned it into a module.​

    Universal SafetyNet Fix Links:

    Download Links:

    Credits:
    kdrag0n
    All who contribute and support this project.
    51
    Apps

    Fox's Magisk Module Manager
    This app allows you to manage and install Magisk modules.
    Including from an online repo.​

    Fox's Magisk Module Manager Links:

    Download Links:

    Credits:
    Fox2Code
    All who contribute and support this project.


    YASNAC - Yet Another SafetyNet Attestation Checker
    YASNAC (short for Yet Another SafetyNet Attestation Checker) is an Android app that demonstrates SafetyNet Attestation API.​

    YASNAC Links:

    Download Links:

    Credits:
    RikkaW
    All who contribute and support this project.
    43
    Force Basic Attestation

    Newer devices are designed to support hardware attestation.
    Currently there is no way to hide the sensitive device properties when checked using hardware attestation.​

    To get around this, kdrag0n figured out how trick SafetyNet that the device does not support hardware attestation.
    SafetyNet will then fall back to check using basic attestation.

    Note:
    This method will work for devices that support hardware attestation and devices that do not.
    • Enable Zygisk.
    • Install the USNF module.
    • Reboot

    To keep posts short, the instructions are hid by spoiler tags.
    If you have not installed Magisk.
    Follow the installation link in the Magisk post.​

    Download the Universal SafetyNet Fix module.
    Download link is in the Modules post.​

    1. Enable Zygisk
      • Open the Magisk app.
      • Go to Settings.
      • Scroll down to the Magisk section.
      • Toggle Zygisk on.
      • Go back to the Magisk Home screen.
    2. Go to Modules.
      • Select Install from storage.
      • Navigate to the Universal SafetyNet Fix module zip file and select it.
    3. Reboot.

    The USNF module will adjust the sensitive props that are needed to pass SafetyNet.
    Depending on the device and system (ROM) configuration, you might need to adjust a few more.
    See the Adjust Prop values post.​