[Discussion] Magisk - The Age of Zygisk.


zgfg

Hi,

Don't know if this is the right place ... anyways ...


Firstly I don't have a clue why my github issue got closed by a bot.
If I remember correctly, you have to fill a template when reporting. And you have to confirm there that you use the latest Debug version.
Without all those formalities, the bot will immediately close your issue

But even if you pass the bot, your 'issue' will be sooner or later closed by developers because it's not their business if some banking app detects 'root'

Who knows how it detects. Maybe by looking for Magisk Application (configuration of DenyList has nothing to do with that)

Maybe the app guesses about 'root' by finding TWRP folder. Maybe the app recognizes that Bootloader is unlocked (like Momo app can find on some phones) and it guesses why would somebody unlock BL if not for rooting or installing a custom ROM

It's not about detecting the 'root' but detecting that you are not running the 'safe' (read the CERTIFIED) stock firmware

And TJW has clearly departed himself and his Magisk v24+ from those detections of 'root'. New DenyList is something totally different than previous MagiskHide. Even if somebody does not understand the differences in techniques, he should see a significant difference in their NAMES

I only don't understand why TJW still keeps Hide (repackage) Magisk App option. If he really wanted to be straight about differentiating from hiding the 'root', he should have removed that option - that option (putting aside that it can be circumvented by smarter 'banking' apps) has no other purpose than to hide Magisk app from the 'banking' apps who try to look for the Magisk ('service', 'mask', whatever you call) by looking instead for (an easier task) the Magisk app. Hence TJW still stands here on the 'wrong' side, but apparently his employer does not care much (meanwhile trying to impose that apps soon will no more be able to search for the installed apps, hence hiding the Magisk app would become irrelevant)

Ie, detecting and hiding root is a game. And AFAIK, Magisk GitHub does not accept reporting any 'issues' about

Edit:
Just checked, the template/instructions when reporting an Issue (Magisk GitHub) clearly say (among others):

  • **DO NOT** open issues regarding root detection.
  • Without following the rules above, your issue will be closed without explanation.
 

zgfg

I noticed it was because of Zygisk that even on Magisk Delta it was detecting root. So I now installed Magisk Delta without Zygisk enabled and Hide list On and it works. Is there any significant difference for Zygisk and no Zygisk?

I fail SafetyNet now
Of course there is a BIG difference. Not easy to describe in a few words (especially to a newbie regarding Zygisk). But take your time and search/read in this and Magisk general thread, you can find a lot about Zygisk, how and why it was introduced, about its still not mature status, about its name (process starting from Android Zygote!), etc

If you don't use Zygisk, and if you needed USNF (with Zygisk to pass SN), then now you need to go back to the lower version of USNF - new USNF is made for Zygisk.
Please read and find info in the USNF thread - for Delta without Zygisk, you should look for the USNF version as for the old, pre v24 Magisk

Or ask in the Delta thread - this thread here is for the official/new Magisk v24+ while Delta, with Zygisk disabled, acts (in some aspects) like Magisk v23-.
Actually, it's a specific mix of the old and new and should not be messed with the official Magisk v24/25
 

pndwal

so far i enabled app hiding feature in magisk, installed denylistunmount (and disabled "enforce denylist") and safetynetfix modules and put banking apps in denylist. Two banking apps seem to work, at least they don't complain. Not yet tried logging and everything... but gpay is showing a blank screen and seems to hang only. G-play says "device is not certified".
If YASNAC gives CTS profile match pass you should get Play Protect Device is certified if you clear Google Play Store and (sometimes) Google Play Services data... PW
 

pndwal

I noticed it was because of Zygisk that even on Magisk Delta it was detecting root. So I now installed Magisk Delta without Zygisk enabled and Hide list On and it works. Is there any significant difference for Zygisk and no Zygisk?
Zygisk is the new Riru, ie. XHook to inject into zygote in order to allow modules to run their codes in apps or the system server... One difference is that it's integrated in Magisk...
I fail SafetyNet now
You need Riru (framework module) and Universal SafetyNet Fix v2.1.3 (Riru) (module). PW
 

pndwal

I only don't understand why TJW still keeps Hide (repackage) Magisk App option. If he really wanted to be straight about differentiating from hiding the 'root', he should have removed that option - that option (putting aside that it can be circumvented by smarter 'banking' apps) has no other purpose than to hide Magisk app from the 'banking' apps who try to look for the Magisk ('service', 'mask', whatever you call) by looking instead for (an easier task) the Magisk app.
John may not be interested in the board-game (if you will) of Cat and Mouse any longer, but he has stated that he doesn't intend to stop others playing.

This means he's not resetting the board at this point... In fact he's even encouraged Devs 'still passionate about' the 'hiding' game to get more involved and 'start doing their job'...

The issue for him has clearly been the requirement (now that he's working with the big, if apparently lazy, cat) to take back moves where he's 'played dirty'...

This Take Back specifically means
Yes, MagiskHide will have to see its end of life... Magisk will not spoof/alter/manipulate any non-Magisk related signals or traces to circumvent any device state detection.
https://topjohnwu.medium.com/state-of-magisk-2021-fe29fdaee458

In other words, 'dirty' = a deliberate attempt to 'subvert Google's security model'.

However
It's worth noting that neither Google nor John seem to regard hiding (obfuscating) Magisk App as akin to attempts to "spoof/alter/manipulate any non-Magisk related signals or traces to circumvent any device state detection", now precluded in Magisk... Seems this is legitimate subterfuge as apps should not be employing such means of detection in any case... (Ie. Google has rules preventing both modder abuse, and proprietary app abuses)...

Hence TJW still stands here on the 'wrong' side,
Matter of perspective...

Yes, he may be hiding code the fat cats don't like, but the cat-who-counts hasn't given them clearance to enter and search!.... So who's playing dirty here?...
but apparently his employer does not care much (meanwhile trying to impose that apps soon will no more be able to search for the installed apps, hence hiding the Magisk app would become irrelevant)
Exactly... Google have rules for Banks and for users... Banks have been breaking the rules re obtaining applists and Google are (s l o w l y) addressing this abuse...
Some very interesting news re. apps that use the QUERY_ALL_PACKAGES permission (S PushTAN & many others) FINALLY being pulled into line by Google (from former XDA Editor in chief):
Mishaal Rahman, Apr 6
...
Apps that declare the QUERY_ALL_PACKAGES permission but haven't filled out the relevant permission declaration may be removed from Google Play starting June 1, 2022.
www.twitter.com/MishaalRahman/status/1511452117214679053

Reasons / excuses for the delay:
https://www.xda-developers.com/google-play-store-query-all-packages-rule/

What it means in practice:
My guess is that it will depend a lot on Google... Here's hoping... 🙃 PW
So Google clearly view deliberate subversion of API changes that prevent apps from obtaining applists as foul ('dirty') play, not efforts to hide apps from other apps...

Ie, detecting and hiding root is a game.
And the game continues... And boundaries (rules) are being defined more clearly... Thanks to John... And Google... 😝 😊 PW
 

zgfg

YASNAC and CTS, mean?
Both are really household terms in this thread (for anybody who here and there reads some posts). Please read OP posts on the first page

Screenshot from YASNAC app (Google Play) attached
 


Ace_Cole

But I see now that you started by asking about App Cloner

I don't see App Cloner in the MIUI Security. If that App Cloner is a third party app, then adding Security to DenyList would have no effect/not help

Then I don't know why somebody recommended you to add MIUI Security to DenyList - my previous post was exclusively about adding Security to DenyList (since I remember that with some MIUI version and/or some Magisk version, Security was not showing in DenyList or in MagiskHide and I needed to be added through CLI in Terminal)
Can there be a solution for this "App cloner" detecting root?
 

pndwal

😀 Is your device rooted?
Since new! 😜
If yes
Do you see a splash screen
With warning message "Root detected"?
Nope...
If No
Please I'd like to know how you got it to work without detecting root. Thanks
App cloner 2.14.7 (1 July 2022)
Xiaomi Redmi Note 8T, stock MIUI, Android 10.
Magisk 25101, Zygisk, USNF, Shamiko.
App in denylist


CTS profile match (SafetyNet) pass.
Play Protect Device is certified.

This one was easy...
👍 PW
 

Ace_Cole

Nice thanks
I have Xiaomi Redmi 9 (Android 10)
Magisk delta 25.1 (magisk hide enabled)
Zygisk disabled, USNF riru, CTS profile match (pass)
App added to deny list
Seems I'm doing something wrong... I'll check with zygisk enabled and shamiko
Thanks😉
 

Top Liked Posts

  • 1
    Hey guys, here's a challenge for you. I've not been able to hide root from this app: https://play.google.com/store/apps/details?id=de.volkswagen.carnet.eu.eremote

    It was working fine up until a couple of weeks ago when I guess an update happened that improved root detection.

    Fortunately, it can be tested easily, because it immediately warns about rooted device when opening it for the first time.

    My device is a Oneplus 5T running OxygenOS 10.

    I've installed Magisk 25.2 via twrp for root.

    Things I've tried to hide root:
    - Installed the app "Shelter" to isolate WeConnect into a work profile that does not have magisk in it.
    - used the Magisk setting to change its package name
    - activated zygisk and put both WeConnect processes on the list.
    - installed the safetyNet fix module
    - reinstalled WeConnect to check if it's a caching issue
    - deleted all magisk, twrp and rom zips from my device

    I was successful in hiding root from my banking apps this way.
    Now I'm at a loss what else to try and get it working.
    Any ideas?
    1
    Try without Shelter.
    Are you enforcing Deny list?
    Try Shamiko, stop enforcing Deny list.
    Try Hide-My-Apps. (more involved setup, I think you have to make a dingus specifying the things, like Magisk, and HMA itself, you want to hide. Then a different dingus listing the things to hide from, like the bank app; and some reference to the first list.)
    1
    Instead of the old 'official' USNF 2.3.1, try with USNF 2.3.1-mod.
    Look into the USNF thread and go through the posts during the last three weeks, posted by Displax

    No guarantee that it would solve your case, but simple thing to try first (that version of USNF solves the problem for Play Integrity, that is replacing now the old SafetyNet)

    That story about Wallet and Play Integrity is also about three weeks or so old, hence maybe coincides with your app and its new/improved detection
    1
    Shamiko worked! Thanks, dude. You rock!
  • 6
    Latest Official TJW Canary (release) & Debug (debug) Magisk builds:

    Magisk (f42c089b) (25102)

    • [MagiskInit] Fix a potential issue when stub cpio is used
    • [MagiskInit] Fix reboot to recovery when stub cpio is used
    • [General] Better data encryption detection
    • [General] Move the whole logging infrastructure into Rust

    Diffs to v25.1

    • [MagiskInit] Fix a potential issue when stub cpio is used
    • [MagiskInit] Fix reboot to recovery when stub cpio is used
    • [General] Better data encryption detection
    • [General] Move the whole logging infrastructure into Rust
    https://github.com/topjohnwu/magisk-files/blob/8fce25209918072f18b5bb056c43f596f771324d/notes.md

    👍 PW
    5
    How should I hide apps?
    ... it's just an addon script that (attempts, as best possible) to hide whatever's in the Deny List
    Just to avoid confusion/ be clear, Shamiko does not hide apps (in denylist or otherwise)...

    It's akin to old MagiskHide, and hides traces of root from apps in the list...
    ### Introduction
    Shamiko is a Zygisk module to hide Magisk root, Zygisk itself and Zygisk modules like riru hide.

    Shamiko read the denylist from Magisk for simplicity but it requires denylist enforcement to be disabled first.
    @appleman_wp
    If you wish to hide apps detected by banks etc, try the Hide My Applist LSPosed module...
    I don't think Shamiko has a "Settings". I think you use the Magisk Manager app's deny list. If you do not "Enforce Deny List" in Magisk, then Shamiko will use Magisk's Deny List to tell it what to hide [traces of root] from.
    (Edits mine.)

    Generally Shamiko is used without settings / extra configuration.
    ### Usage
    1. Install Shamiko and enable Zygisk and reboot
    1. Configure denylist to add processes for hiding
    1. *DO NOT* turn on denylist enforcement

    However it can actually be reconfigured (by those game / mavericks 😛) for whitelist mode usage. Note caveats:
    #### Whitelist
    - You can create an empty file `/data/adb/shamiko/whitelist` to turn on whitelist mode and it can be triggered without reboot
    - Whitelist has significant performance and memory consumption issue, please use it only for testing
    - Only apps that was previously granted root from Magisk can access root
    - If you need to grant a new app root access, disable whitelist first

    ... ts theoretically possible to... bootloop your device... At which point myself and the other senior members will pass around the chalice of your tears and drink heartily from it...
    Sadist! 😜 PW
    5
    :p
    uhh..it's been over a year since but I still haven't used the device yet, my back's turned hump now, hurts too coz been just bending over on the PC screen and flashing this and that and GSIs and ROMs then reflashing stock factory image then TWRP for the hundredth time now maybe lol but I've still not managed to get the bank app to run :cautious:. Will it even work with an unlocked bootloader on samsung? maybe one last good try then I'll give up and move to Net-Banking instead perhaps. Magisk is a great program though. Any pointers would be welcome. TIA

    No idea which device you have but as for Samsung, i run an S20+ 5G (bootloader unlocked etc) and have 0 issues with any banking app ive ever used. Just to give you hope. And giving hope goes against my central edicts....as does spoonfeeding :)

    As for tips :

    When in doubt, start with stock ROM....

    The next could have been harvested from the last 5-10 pages...you should practice reading the last few pages of a thread, its a good habit as XDA isnt your own personal helpdesk where you only post when you have a crisis - without reading the room, because often its not just you having the issue, and we collaborate to fix issues....

    You'll almost certainly need (along with reading the first page of this thread) this:


    Thats currently the best option to deal with the recent (as in last few weeks) change from SafetyNet to Integrity Check, and you should bookmark that thread for any future changes.

    And you'll want to check you can pass this (top 2 out of 3 green is good enough)


    And thus you have reached the extent of my pity....i now return you to the normal programming from me, which is pure unadulterated indifference to the plight of man as a whole. Enjoy.
    4
    Universal SafetyNet Fix?

    Check attestation with an app like YASNAC.

    I also remember having to pull my device ID hex value (I cant remember how), and registering the device with google on their certification website, so that my phone would be certified in google play.

    More recently, I had to use Magisk Build Prop editor to change the signature of my phone to an older (a11) firmware so that Google Pay would work.

    You can probably tell I'm no expert, so hopefully someone clever can come along and convert my garbage into something useful for you!

    Just a heads up that you should be able to revert the MagiskHide Props Config module fingerprint change (uninstall the module) and install this Universal SafetyNet Fix (modded) module to pass SafetyNet and have Google Pay working, seamlessly after doing so. This is currently the preferred way with least side effects per device. What it does, as explained in the post, is spoof an early Android version ONLY to Google Play SafetyNet, and otherwise retains your devices other props. Its a clever solution. Give @Displax a like if it works for you...

    4
    Hello friends.
    I have a Redmi 9 (Global), codename: Lancelot
    Installed magisk via custom recovery (twrp and shrp) and root is success, but zygisk doesn't work; when I enable it in settings and reboot, in magisk zygisk: no. I used official MIUI 11.0.4, 11.0.7, 11.0.9, 12.0.1, 12.0.4 Android 10 and zygisk still no success, although it worked on Lineage 18.1 Android 11 and Pixel Experience 12.1 Plus, but I want to use MIUI and I want it to be MIUI android 10 to be exact; because of some complexity of android 11 in Xiaomi devices I avoid android 11. Now back to MIUI 12.5.6 Android 11 to see if it works at all or not, then I'm gonna try EEA or Europe MIUI Roms. But before that I'm here to see if others have the same problem with their Xiaomi? If yes, any fixes yet?

    Edit: Fixed by flashing latest Global MIUI Rom; for almost a week I was looking for a way around Redmi 9 android 10 zygisk but was not successful. Switch to android 11 and it will work like a charm, but I lost TWRP decryption in Android 11; my internal storage is encrypted while in TWRP. Didn't try EEA roms.
    It's off-topic (TWRP and encryption) but:

    - Generally, when switching ROMs, it's required to Format Data.
    Don't know what exactly you did but you can try that

    - Sometimes it may also help to experiment by switching between pin, pattern and no Android unlock screen setting

    - Make sure you use the latest TWRP

    - TWRP.me does not support A12 encryption yet. However, there are SKKK TWRP versions (for various Xiaomi models) that do support (beta development stage):
  • 120
    This is a discussion and help thread for the newer versions of Magisk.

    The main goal of this thread is to help users migrate to Magisk v24+
    • SafetyNet
      Basic integrity Pass
      CTS profile match Pass
    • Play Protect certification
      Device is certified

    Feel free to discuss or give links to other Magisk related issues.
    Fixes for gPay, banking apps and/or other apps and games that detect a 'compromised' Android system.
    Please try to refrain from discussing alternative (unofficial) Magisk builds that include changes that were removed or can not be included in the official Magisk builds. 🙃

    Please read John's State of Magisk (medium.com)

    Starting with the Magisk 23 (23010) canary builds.
    • MagiskHide is removed.
      MagiskHide masked the sensitive properties of the device to hide it from SafetyNet.
      Renaming (repackaging) the Magisk app is/was not part of MagiskHide.
      You still have the option to Hide the Magisk app under setting.​
    • Magisk Module online Repo is removed.
      The Magisk Module online Repo is still available and can be accessed outside of the Magisk app.​
    • Everything SafetyNet is removed.
      This includes the SafetyNet check that was incorporated into the Magisk app.​
    • Zygisk is introduced.
      Zygote + Magisk = Zygisk​
    • The Deny list replaces the Hide list.
      The Hide list (more or less) hid Magisk from the process on the list.
      The Deny list is similar but instead of hiding Magisk from the process, Magisk is unloaded so there is nothing to hide.​

    Starting with the Magisk 23 (23017) canary builds.
    • Magisk supports update channels per module.
      Each module can include its own update link.
    • Hide Magisk offline.
      You do not need internet connection to rename (repackage) the Magisk app.​

    What does this mean?
    Not much.
    It is just the next step in Magisk's development.
    Zygisk is a big step forward. ;)

    Even before these changes in Magisk, the xda family and the Android community have always been active and willing to share. :D



    This post will be updated once Magisk v24 is released.
    63
    Magisk
    The Magic Mask for Android.

    Magisk Links:
    GitHub
    Release Notes

    Download Links:
    Stable and Beta releases.
    Canary
    • GitHub
      The notes.md file is the change log.
      The app-debug.apk is Magisk canary.
      Click on app-debug.apk and choose View Raw or click on the Download option.​

    Credits:
    topjohnwu
    All who contribute and support this project.
    57
    Modules

    MagiskHide Props Config
    This module allows you to add, change and adjust prop values systemlessly using Magisk.​

    MagiskHide Props Config Links:

    Download Links:

    Credits:
    Didgeridoohan
    All who contribute and support this project.


    Universal SafetyNet Fix
    It has been a year now since kdrag0n figured out how to 'trick' SafetyNet.
    This 'trick' has been implemented properly into quite a few custom roms.
    For custom roms that do not include it and/or stock roms, he turned it into a module.​

    Universal SafetyNet Fix Links:

    Download Links:

    Credits:
    kdrag0n
    All who contribute and support this project.
    53
    Apps

    Fox's Magisk Module Manager
    This app allows you to manage and install Magisk modules.
    Including from an online repo.​

    Fox's Magisk Module Manager Links:

    Download Links:

    Credits:
    Fox2Code
    All who contribute and support this project.

    Play Integrity API Checker
    This app shows info about your device integrity as reported by Google Play Services.
    If any of this fails, it could mean your device is rooted or tampered with in some way (for example you have an unlocked bootloader).

    Development:

    Download Links:

    Credits:
    1nikolas
    All who contribute and support this project.

    YASNAC - Yet Another SafetyNet Attestation Checker
    YASNAC (short for Yet Another SafetyNet Attestation Checker) is an Android app that demonstrates SafetyNet Attestation API.​

    YASNAC Links:

    Download Links:

    Credits:
    RikkaW
    All who contribute and support this project.
    44
    Force Basic Attestation

    Newer devices are designed to support hardware attestation.
    Currently there is no way to hide the sensitive device properties when checked using hardware attestation.​

    To get around this, kdrag0n figured out how to trick SafetyNet into believing that the device does not support hardware attestation.
    SafetyNet will then fall back to check using basic attestation.

    Note:
    This method will work for devices that support hardware attestation and devices that do not.
    • Enable Zygisk.
    • Install the USNF module.
    • Reboot

    To keep posts short, the instructions are hidden by spoiler tags.
    If you have not installed Magisk.
    Follow the installation link in the Magisk post.​

    Download the Universal SafetyNet Fix module.
    Download link is in the Modules post.​

    1. Enable Zygisk
      • Open the Magisk app.
      • Go to Settings.
      • Scroll down to the Magisk section.
      • Toggle Zygisk on.
      • Go back to the Magisk Home screen.
    2. Go to Modules.
      • Select Install from storage.
      • Navigate to the Universal SafetyNet Fix module zip file and select it.
    3. Reboot.

    The USNF module will adjust the sensitive props that are needed to pass SafetyNet.
    Depending on the device and system (ROM) configuration, you might need to adjust a few more.
    See the Adjust Prop values post.​
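
Added example (not part of the original post, and not code from Magisk, USNF or Google): how a relying service can tell a hardware-backed SafetyNet verdict from the basic-attestation fallback described above, by reading the `evaluationType` field of the attestation payload. Assumptions: the JWS signature and certificate chain were already verified upstream, the `nonce` field is standard base64, and the tokens, nonce and package name below are constructed for the demo.

```python
import base64
import json

# Constructed demo values; the package name is hypothetical.
NONCE = b"constructed-nonce-0001"
PACKAGE = "com.example.bank"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_constructed_token(payload: dict) -> str:
    """Build an UNSIGNED, JWS-shaped string for this demo only."""
    header = b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{b64url(json.dumps(payload).encode())}.constructed"


def decode_payload(token: str) -> dict:
    """Return the JSON payload (middle segment) of a compact JWS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWS segments")
    seg = parts[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def classify(token: str, expected_nonce: bytes, expected_package: str) -> str:
    """Map an (already signature-verified) attestation to a policy verdict."""
    p = decode_payload(token)

    # Bind the verdict to this request and this app before trusting it.
    nonce_field = p.get("nonce")
    try:
        nonce = (base64.b64decode(nonce_field, validate=True)
                 if isinstance(nonce_field, str) else None)
    except ValueError:  # binascii.Error is a ValueError subclass
        nonce = None
    if nonce != expected_nonce:
        return "reject:nonce"
    if p.get("apkPackageName") != expected_package:
        return "reject:package"

    if p.get("basicIntegrity") is not True or p.get("ctsProfileMatch") is not True:
        return "reject:integrity"

    # evaluationType is a comma-separated list such as "BASIC,HARDWARE_BACKED".
    # A passing verdict without HARDWARE_BACKED relied on software signals
    # only, so the service should treat it as lower assurance.
    kinds = {k.strip() for k in str(p.get("evaluationType", "")).split(",")}
    return "hardware_backed" if "HARDWARE_BACKED" in kinds else "basic_only"


def sample(**overrides) -> str:
    """Constructed attestation payload; overrides change individual fields."""
    payload = {
        "nonce": base64.b64encode(NONCE).decode(),
        "timestampMs": 1657100000000,
        "apkPackageName": PACKAGE,
        "ctsProfileMatch": True,
        "basicIntegrity": True,
        "evaluationType": "BASIC,HARDWARE_BACKED",
    }
    payload.update(overrides)
    return make_constructed_token(payload)


if __name__ == "__main__":
    for label, tok in [
        ("hardware-backed pass", sample()),
        ("basic fallback pass", sample(evaluationType="BASIC")),
        ("CTS mismatch", sample(ctsProfileMatch=False)),
    ]:
        print(f"{label:22s} -> {classify(tok, NONCE, PACKAGE)}")
```

A `basic_only` result is what a service sees when the check fell back to basic attestation; what to allow at that assurance level is a policy decision for the service.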