[Discussion] Magisk - The Age of Zygisk.

Search This thread

m0han

Senior Member
Apr 30, 2012
4,789
1,883
That 'rule' was previously insisted on by moderator @TNSMANI in September....
i once had to take up issue with him for removing one of my links
[commenting (sundry YT link removed)], but retaining a similar one in a post from another user with whom i was engaged in a 'conversation'. :D

his response: I agree that there are hundreds if not thousands of such posts spread all over the forum. But for 10 million users and hundreds of thousands of posts, there are hardly 50 Moderators. So I think that you will agree that it is like searching for a needle in a haystack.
 
Last edited:
  • Haha
Reactions: pndwal

heinhuiz

Senior Member
Nov 26, 2011
1,102
839
Xiaomi Mi A1
Redmi K20 / Xiaomi Mi 9T
After this, Magisk is gonna be a hard pass for me. John's gotta do what's in his best interests and I hope he is successful with Google.
I'll be sticking with Version 23 until another root solution comes along. I am having trouble after trying to update and then downgrading.
As for apps that check root status, if Magisk Hide can't defeat that, I'll delete them. Those services that I need can be accessed through any web browser, so I'll replace the app with a shortcut to the website. It's none of their business what I do with my own cell phone.
I might detail my issues another day. It's late and I'm too tired to work on the phone much. I tried Riru and some safety net fix, but uninstalled them when I downgraded to Magisk 23.
There is a very good reason I do not update anything on my phone unless absolutely necessary, and this is it. Again, I have no hard feelings. I've gotten a lot of miles outta Magisk and am thankful for that.
Seems like I'm in exactly the same boat with you. I'm not skilled enough to work out a solution for myself, but hopefully one day someone else will do that.

In my opinion, all these root checking methods should be forbidden by law. It's just spying behaviour without any obvious reason. Even if it's for fraud prevention. It should be illegal to deny someone a service just because that one has tools that *could be* used for illegal activities. Although it's technically much easier to prevent fraud than to actually detect it, these methods breach people's privacy rights.
 
  • Like
Reactions: shadow460 and lm089

heinhuiz

Senior Member
Nov 26, 2011
1,102
839
Xiaomi Mi A1
Redmi K20 / Xiaomi Mi 9T
i once had to take up issue with him for removing one of my links [commenting (sundry YT link removed)], but retaining a similar one in a post from another user with whom i was engaged in a 'conversation'. :D

his response: I agree that there are hundreds if not thousands of such posts spread all over the forum. But for 10 million users and hundreds of thousands of posts, there are hardly 50 Moderators. So I think that you will agree that it is like searching for a needle in a haystack.
Haha, those needles could be easily found if the search function actually worked 😂
 
  • Like
Reactions: zgfg and m0han
So had my banking app suddenly detect root a couple of weeks back after years of MagiskHide working fine.
Decided whilst trying to fix it that I may as well move to Magisk 24 and try and fix it at the same time.
Anyway, done everything necessary and got SafetyNet to pass.
However after hiding Magisk Manager and adding the banking app to the deny list, the app still detects root. So installed the Shamiko module and disabled the deny list, but still had no joy.
So searching around for more info on the Hide My Applist module I found this thread and specific post.

Gave it a try and it worked for me. Froze Magisk Manager, cleared data in the banking app and relaunched it and hey presto. No longer getting redirected to a root detected page, but the app fully launched successfully.

For those still having problems, give this a try.

For those that might be interested, the root detected landing page URL was a sub domain of the banks main site named app-shield, so I guess the bank app is using these guys for security
 
  • Like
Reactions: 1jkan and pndwal

pndwal

Senior Member
Seems like I'm in exactly the same boat with you. I'm not skilled enough to work out a solution for myself, but hopefully one day someone else will do that.

In my opinion, all these root checking methods should be forbidden by law. It's just spying behaviour without any obvious reason. Even if it's for fraud prevention. It should be illegal to deny someone a service just because that one has tools that *could be* used for illegal activities. Although it's technically much easier to prevent fraud than to actually detect it, these methods breach people's privacy rights.
In reality, hardware backed attestation to TEE is becoming the norm for allowing developers of apps requiring a high degree of security to have assurance that their code is, in fact, running in a Trusted Execution Environment. Even SOCs / processors for pC etc now have the hardware required, and it seems that soon even your PC will rely on these attestations rather than traditional malware detection etc...

Examples of such code include Google's own Google Pay.

The issue is quite simple; bank app devs / corporations who could be sued / banks who now are faced with replacing more and more of your funds obtained by fraud to maintain good faith with customers (eg GPay partner banks when a customer's phone is lost or stolen and thieves are able to unlock the phone & use your GPay because you loaded TWRP, decrypted, left USB debugging on etc etc) want to know the platform is secured (read 'is a TEE') as thieves basically cannot get you data / money in that case, but it is often a trivial matter otherwise.

However, since Google have been taking their time to implement HKA properly, the banks are simply covering themselves by investing in their own methods of detection; they already view IOS as the preferred mobile OS for security as it is basically impenetrable while Google has NOT delivered... 😬 Google can't afford to let that continue either!

While we can, Google is allowing us to 'subvert their security model' quite knowingly, but only because they view the Magisk / modding / custom development community as largely 'White Hat' rather than nefarious as they've said... But there are nefarious hackers etc out there, increasing in number by the minute...

So you are thinking only in terms of your privacy... What about your right to know stuff? What about the banks right to know their code is secure?... Really, by manipulating signals (spoofing CTS profile match etc) that legitimately attest to TEE, say to hide the fact that a chain of trust is broken (read device no longer has Verified Boot (AVB) ie. bootloader is unlocked), you are effectively misrepresenting these details (read lying)... You are verifying what has not been verified, attesting to the trustworthyness of what cannot be trusted...
What should really be illegal?...

Of course there'll be no litigation over this either way, but If they were forced to let you run their code in unsecure (non-Trusted Execution Environments) banks would simply stop viewing Android as a safe / viable platform for their apps and cease to produce them, so you'll loose the ability to bank unless you get an IPhone in any case, and Android would slowly become untenable...

It doesn't take a genius to work out which way this'll go... 😶 PW
 
Last edited:
  • Like
Reactions: BillGoss

heinhuiz

Senior Member
Nov 26, 2011
1,102
839
Xiaomi Mi A1
Redmi K20 / Xiaomi Mi 9T
In reality, hardware backed attestation to TEE is becoming the norm for allowing developers of apps requiring a high degree of security to have assurance that their code is, in fact, running in a Trusted Execution Environment. Even SOCs / processors for pC etc now have the hardware required, and it seems that soon even your PC will rely on these attestations rather than traditional malware detection etc...

Examples of such code include Google's own Google Pay.

The issue is quite simple; bank app devs / corporations who could be sued / banks who now are faced with replacing more and more of your funds obtained by fraud to maintain good faith with customers (eg GPay partner banks when a customer's phone is lost or stolen and thieves are able to unlock the phone & use your GPay because you loaded TWRP, decrypted, left USB debugging on etc etc) want to know the platform is secured (read 'is a TEE') as thieves basically cannot get you data / money in that case, but it is often a trivial matter otherwise.

However, since Google have been taking their time to implement HKA properly, the banks are simply covering themselves by investing in their own methods of detection; they already view IOS as the preferred mobile OS for security as it is basically impenetrable while Google has NOT delivered... 😬 Google can't afford to let that continue either!

While we can, Google is allowing us to 'subvert their security model' quite knowingly, but only because they view the Magisk / modding / custom development community as largely 'White Hat' rather than nefarious as they've said... But there are nefarious hackers etc out there, increasing in number by the minute...

So you are thinking only in terms of your privacy... What about your right to know stuff? What about the banks right to know their code is secure?... Really, by manipulating signals (spoofing CTS profile match etc) that legitimately attest to TEE, say to hide the fact that a chain of trust is broken (read device no longer has Verified Boot (AVB) ie. bootloader is unlocked), you are effectively misrepresenting these details (read lying)... You are verifying what has not been verified, attesting to the trustworthyness of what cannot be trusted...
What should really be illegal?...

Of course there'll be no litigation over this either way, but If they were forced to let you run their code in unsecure (non-Trusted Execution Environments) banks would simply stop viewing Android as a safe / viable platform for their apps and cease to produce them, so you'll loose the ability to bank unless you get an IPhone in any case, and Android would slowly become untenable...

It doesn't take a genius to work out which way this'll go... 😶 PW
The right to know stuff? That does not even exist. Nobody has any right to know what I do with my personal belongings, and that includes my bank and even the government. I am entitled to do whatever I want with my phone, as long as I don't break any laws.

This genius is already considering to buy a PinePhone and work from a browser.
 

lm089

Senior Member
Jun 26, 2011
612
196
Munich
Sorry for a silly remark / question: as I no longer have a repo in Magisk 24+ I guess it's a good idea to do one last d/l of TWRP A/B retention script module before upgrading? I made it a habit to simply delete the module after use then d/l it again after the next OTA. Anything else that changed in Magisk in regards to OTA behaviour for A/B devices?
 

lm089

Senior Member
Jun 26, 2011
612
196
Munich
The right to know stuff? That does not even exist. Nobody has any right to know what I do with my personal belongings, and that includes my bank and even the government. I am entitled to do whatever I want with my phone, as long as I don't break any laws.

This genius is already considering to buy a PinePhone and work from a browser.
Honestly I never liked the idea to have sensible stuff like a banking app on a device I'm carrying with me everyday, that I can lose, have it stolen or whatever. Esp. since banks started bringing all their services back into a single app after they found that using true 2FA was too expensive.
So I dedicated one of my older phones running LOS 17.1/A10 to be my sole banking device. It's unrooted now so no hassle with root detection etc. As long as the banking apps support A10 devices I'm more than happy with that solution
 

pndwal

Senior Member
The right to know stuff? That does not even exist.
Google believes app Devs have that right...
Nobody has any right to know what I do with my personal belongings, and that includes my bank and even the government.
The bank has the right to do what they want with their intellectual property (code), including offering it with conditions...

Or not at all.
I am entitled to do whatever I want with my phone, as long as I don't break any laws.
That's beside the point. 😜

But you'd like to see laws to limit what banks are entitled to do with their code. 😉
This genius is already considering to buy a PinePhone and work from a browser.
And you're quite entitled to do that too... 👍 PW
 
Last edited:
  • Like
Reactions: rhewins2268

jhedfors

Senior Member
Oct 16, 2009
1,469
757
St Paul, MN
Moto G6
OnePlus 6T
Sorry for a silly remark / question: as I no longer have a repo in Magisk 24+ I guess it's a good idea to do one last d/l of TWRP A/B retention script module before upgrading? I made it a habit to simply delete the module after use then d/l it again after the next OTA. Anything else that changed in Magisk in regards to OTA behaviour for A/B devices?
Fox's Magisk Module Manager in the OP (post #5 actually).
 
  • Like
Reactions: lm089

heinhuiz

Senior Member
Nov 26, 2011
1,102
839
Xiaomi Mi A1
Redmi K20 / Xiaomi Mi 9T
Google believes app Devs have that right...
There are more things Google (and Apple) consider their right while is is actually wrong.
The bank has the right to do what they want with their intellectual property (code), including offering it with conditions...
Up to where they start breaking the law. And I would really like to hear an expert's opinion on that. Especially a lawyer with knowledge of the European GDPR.
 

lm089

Senior Member
Jun 26, 2011
612
196
Munich
Fox's Magisk Module Manager in the OP (post #5 actually).
Yep, I've seen that. Guess I asked the wrong question ;): as far as I understand I can still load modules that are stored on my device, correct? Since the retention script is the only module I ever really used I hope I can get away without installing Fox that way. Or is that a wrong conclusion?
 

jhedfors

Senior Member
Oct 16, 2009
1,469
757
St Paul, MN
Moto G6
OnePlus 6T
Yep, I've seen that. Guess I asked the wrong question ;): as far as I understand I can still load modules that are stored on my device, correct? Since the retention script is the only module I ever really used I hope I can get away without installing Fox that way. Or is that a wrong conclusion?
Yes, you can install any module manually, by selecting "install from storage".
 
  • Like
Reactions: lm089

pndwal

Senior Member
There are more things Google (and Apple) consider their right while is is actually wrong.
The whole computing industry is going that way as I said... They all must be wrong, including all the soc / processor makers, and wasted a decade of r&d and $billions more in manufacturing chips w/ HKA support...
Up to where they start breaking the law. And I would really like to hear an expert's opinion on that. Especially a lawyer with knowledge of the European GDPR.
@ipdev?... PW
 

ldeveraux

Senior Member
Nov 20, 2008
2,523
914
Lenovo Thinkpad Tablet
Nexus Q
The whole computing industry is going that way as I said... They all must be wrong, including all the soc / processor makers, and wasted a decade of r&d and $billions more in manufacturing chips w/ HKA support...

@ipdev?... PW
Man, wake up and smell the coffee. Google and Apple assert their dominance as far as they possibly can without breaking the law. They also go over the line occasionally and have to pay for that. They only "go that way" because it's the direction that makes them the most money. Every other motive is ancillary.
 

heinhuiz

Senior Member
Nov 26, 2011
1,102
839
Xiaomi Mi A1
Redmi K20 / Xiaomi Mi 9T

_mysiak_

Senior Member
Apr 1, 2009
2,456
1,451
Xiaomi Mi 10T Lite
Anyone with Xiaomi phone who has been able to successfully pass Safetynet? I tried probably all the combinations (Magisk hide, Shamiko, Magisk hide props,..), but the best result I achieved is to switch from HW to basic Safetynet attestation and that's it. Everything fails, I can't even hide unlocked bootloader. I am using stock Xiaomi Mi 10T lite, had to rollback to Magisk v23, where everything works without any hiccups.
 

zgfg

Senior Member
Oct 10, 2016
7,153
4,609
Anyone with Xiaomi phone who has been able to successfully pass Safetynet? I tried probably all the combinations (Magisk hide, Shamiko, Magisk hide props,..), but the best result I achieved is to switch from HW to basic Safetynet attestation and that's it. Everything fails, I can't even hide unlocked bootloader. I am using stock Xiaomi Mi 10T lite, had to rollback to Magisk v23, where everything works without any hiccups.
Xiaomi Mi 9T, MIUI 12.5, A11 - passing always
 
  • Like
Reactions: J.Michael

_mysiak_

Senior Member
Apr 1, 2009
2,456
1,451
Xiaomi Mi 10T Lite
Xiaomi Mi 9T, MIUI 12.5, A11 - passing always
What combination of settings and modules do you use please? :)

I did these steps:
1. update magisk from 23 to 24
2. enable zygisk, enable magisk denylist, added gms + gms.unstable + gms.snet (+mamo and banking apps)
3. reboot, safetynet doesn't pass anything
4. install zygisk version of universal safetynet fix, reboot, HW attestation changed, but still not passing
5. install Shamiko, disable magisk denylist, reboot, no difference
6. install Magisk Hideprops, tried some random fingerprint, no difference

Mamo reports unlocked bootloader and detected magisk, zygisk,...
 

digger16309

Senior Member
Jul 17, 2014
441
155
OnePlus 5
Google Pixel 5
Questions on upgrading....I'd like to avoid bootloops and such...

Pixel 5, Android 11, Magisk Stable 23, running Riru and LSPosed. Magisk app NOT hidden. NO safetynet. EX Kernel.

Can I safely update to stable 24.1 in the app and then deal with the riru/zygisk changes thereafter? Do I need to re-patch the bootloader with the new version before applying the custom kernel or will my kernel remain unaffected?
 

Top Liked Posts

  • There are no posts matching your filters.
  • 10
    Bank apps are typically notorious in going out of way to detect root.

    Within Indian Banks' android app ecosystem, two most notorious ones are SBI Yono and Axis Bank.

    This post is for Axis Bank app which has been detecting root/jailbreak on my android phones since end of 2021. When I checked on internet, found that same issue was also reported by few users on github, reddit etc since mid 2021

    Thanks to initial post of user Drishal (Reddit) I got this tip which over the course of time have been testing/tweaking and using.

    My configuration to make Axis Bank app run without detecting root

    Firstly the usuals:
    Get Magisk - Zygisk mode, LSposed Zygisk, Universal Safety Net Fix, Shamiko,
    Axis Bank app should be selected in "Configure DenyList",
    "Enforce Denylist" to remain disabled, for Shamiko to work

    Try checking Axis Bank, post these steps.. for me it never worked and always greeted with "can't run on rooted phone"

    Also a parallel check with be using app like
    RootBeer Sample to check and be sure that root is hidden well till this step.

    Now comes specifics to make Axis Bank work
    Install Xprivacylua. Go to LSposed, select Axis Bank for Xprivacylua module
    In Xprivacylua app, go to Axis Bank app and tick following (super important):

    Determine activity,​
    Applications,​
    Sensors,​
    Identifiers,​
    Analytics, and​
    Tracking​

    And now we are good to go and use Axis Bank app. If here you face issues, erase app data once and you should have success.

    I tested this method for opening Axis Bank app on 4 phones and mileage varied across ROMs and version.

    Nokia 6 – 2018, with Rooted Stock ROM A9 – Solution works
    Redmi Note 7 Pro, with Custom ROM A11 – Solution works
    Redmi Note 9 Pro, with Custom ROM A11– Solution works
    Asus Zenfone Max Pro M1, with Custom ROM A10 – Solution doesn’t works. But then here even Rootbeer Sample detects busybox binary when it is not there. So seems to be a ROM issue

    Just before someone ask, I had tried HideMyApplist too, but it didn't help here at all.

    Hope this helps fellow users of Magisk and Axis Bank!

    indian bank axis bank magisk root detect not working crashing xda
    6
    But we can attach the file itself, can't we @pndwal ?
    4
    didn't quite get you, but check the screenshot. i'm running crDroid A12.1 rom on Poco X3. but, maybe the situation was the same on A11 rom too. i think i was the first to report(?) 'system.prop not found'.
    system.prop is present in the zip file for the latest stable Zygisk-LSPosed v1.8.2(6519) as just updated, but quickly looking to the customize.sh, seems that system.prop will be installed only for Pie and older - that's why you don't have when you install the module
    4
    Does anyone know why I am not play store certified and thus cannot install apps like netflix after passing both integrity check and CTS.

    I have lineage-18.1-20220425-nightly-cheeseburger-signed installed on my oneplus 5. I have rooted using magisk and used a combination of Universal safetynet fix together with changing the fingerprint of my device to pass the CTS.

    I also registered my device on the google certification site using the GSF ID.

    Any help would be highly appreciated.
    After passing SafetyNet, you need to clear cache and data for PlayStore and (not always) for PlayServices.
    This will clear data and updates.

    Then wait for them to update again.

    Play will scan your device again and mark it as certified.

    ---

    Registering your current install does not certify the device.

    You are telling Google that you are using a non-certified rom. ;)


    Cheers. :cowboy:
    3
    Is there a download link for Momo 4.1.0?
    But we can attach the file itself, can't we @pndwal ?
    For any wanting vvb2060 updates (MOMO, AlphaMagisk etc) in future -

    I can't find TG links on vvb2060's GitHub, but I just saw Canyie has fixed her MOMO link here (scroll down):
    https://github.com/canyie/Riru-MomoHider

    👀 PW
  • 110
    This is a discussion and help thread for the newer versions of Magisk.

    The main goal of this thread is to help users migrate to Magisk v24+
    • SafetyNet
      Basic integrity Pass
      CTS profile match Pass
    • Play Protect certification
      Device is certified

    Feel free to discuss or give links to other Magisk related issues.
    Fixes for gPay, banking apps and/or other apps and games that detect a 'compromised' Android system.
    Please try to restrain from discussing alternative (unofficial) Magisk builds that include changes that were removed or can not be included in the official Magisk builds. 🙃

    Please read John's State of Magisk (medium.com)

    Starting with the Magisk 23 (23010) canary builds.
    • MagiskHide is removed.
      MagiskHide masked the sensitive properties of the device to hide it from SafetyNet.
      Renaming (repackaging) the Magisk app is/was not part of MagiskHide.
      You still have the option to Hide the Magisk app under setting.​
    • Magisk Module online Repo is removed.
      The Magisk Module online Repo is still available and can be accessed outside of the Magisk app.​
    • Everything SafetyNet is removed.
      This includes the SafetyNet check that was incorporated into the Magisk app.​
    • Zygisk is introduced.
      Zygote + Magisk = Zygisk​
    • The Deny list replaces the Hide list.
      The Hide list (more or less) hid Magisk from the process on the list.
      The Deny list is similar but instead of hiding Magisk from the process, Magisk is unloaded so there is nothing to hide.​

    Starting with the Magisk 23 (23017) canary builds.
    • Magisk supports update channels per module.
      Each module can include it's own update link.​
    • Hide Magisk offline.
      You do not need internet connection to rename (repackage) the Magisk app.​

    What does this mean?
    Not much.
    It is just the next step in Magisk's development.
    Zygisk is a big step forward. ;)

    Even before these changes in Magisk, the xda family and the Android community have always been active and willing to share. :D

    Jump to Post


    This is post will be updated once Magisk v24 is released.
    61
    Magisk
    The Magic Mask for Android.

    Magisk Links:
    GitHub
    Release Notes

    Download Links:
    Stable and Beta releases.
    Canary
    • GitHub
      The notes.md file is the change log.
      The app-debug.apk is Magisk canary.
      Click on app-debug.apk and choose View Raw or click on the Download option.​

    Credits:
    topjohnwu
    All who contribute and support this project.
    55
    Modules

    MagiskHide Props Config
    This module allows you to add, change and adjust prop values systemlessly using Magisk.​

    MagiskHide Props Config Links:

    Download Links:

    Credits:
    Didgeridoohan
    All who contribute and support this project.


    Universal SafetyNet Fix
    It has been a year now since kdrag0n figured out how to 'trick' SafetyNet.
    This 'trick' has been implemented properly into quite a few custom roms.
    For custom roms that do not include it and/or stock roms, he turned it into a module.​

    Universal SafetyNet Fix Links:

    Download Links:

    Credits:
    kdrag0n
    All who contribute and support this project.
    51
    Apps

    Fox's Magisk Module Manager
    This app allows you to manage and install Magisk modules.
    Including from an online repo.​

    Fox's Magisk Module Manager Links:

    Download Links:

    Credits:
    Fox2Code
    All who contribute and support this project.


    YASNAC - Yet Another SafetyNet Attestation Checker
    YASNAC (short for Yet Another SafetyNet Attestation Checker) is an Android app that demonstrates SafetyNet Attestation API.​

    YASNAC Links:

    Download Links:

    Credits:
    RikkaW
    All who contribute and support this project.
    43
    Force Basic Attestation

    Newer devices are designed to support hardware attestation.
    Currently there is no way to hide the sensitive device properties when checked using hardware attestation.​

    To get around this, kdrag0n figured out how trick SafetyNet that the device does not support hardware attestation.
    SafetyNet will then fall back to check using basic attestation.

    Note:
    This method will work for devices that support hardware attestation and devices that do not.
    • Enable Zygisk.
    • Install the USNF module.
    • Reboot

    To keep posts short, the instructions are hid by spoiler tags.
    If you have not installed Magisk.
    Follow the installation link in the Magisk post.​

    Download the Universal SafetyNet Fix module.
    Download link is in the Modules post.​

    1. Enable Zygisk
      • Open the Magisk app.
      • Go to Settings.
      • Scroll down to the Magisk section.
      • Toggle Zygisk on.
      • Go back to the Magisk Home screen.
    2. Go to Modules.
      • Select Install from storage.
      • Navigate to the Universal SafetyNet Fix module zip file and select it.
    3. Reboot.

    The USNF module will adjust the sensitive props that are needed to pass SafetyNet.
    Depending on the device and system (ROM) configuration, you might need to adjust a few more.
    See the Adjust Prop values post.​