[Guide] Bypass Safetynet on MM with Custom ROM & Kernel

xJovs

(Please note that I am not responsible if your phone bricks etc. Please use at your own risk! Myself and others who have also tested this bypass have had no reported issues of this bypass causing some sort of brick etc., but I cannot guarantee anything.)

__________________________________​

*UPDATED*

Since October 2016, Google has (yet again) changed the way SafetyNet works, and they can now easily figure out if your phone is rooted or not. This caused many issues for rooted Android users who wanted to play games such as PKMNGO and use apps such as Snapchat. However, there are still ways to bypass SafetyNet.

Tested Devices:
- Samsung Galaxy S6
- Samsung Galaxy S5
- Samsung Galaxy S7

*Looking for people with other devices to try and see if it works for themselves so I can add the device to the list.*

__________________________________​

Requirements:
- Basic understanding of how to use a Custom Recovery, flashing zip files etc.
- Running on Android 6.0+/7.0+
- Phone has a custom recovery (I suggest TWRP) and on a Custom ROM. (Stock roms "should" work too.)
- Rom should have November 1st Security update or older updates. (Have not tested with roms with November 5th Security update and higher.)
- Magisk V11.1 & Magisk Manager 4.1
- SafetyNet Checker
- Phh Super User APK. PlayStore or 2.0 Beta
- Root File Explorer. I suggest Root Browser
- Kernel Adiutor
- Root Checker

(If you cannot bypass with Xposed, use Root Switch!)
Tutorial
**WARNING: BIG IMAGES** (Had no time to resize them, but will soon.)

Before we begin, I suggest that you make a Nandroid backup through your preferred Custom Recovery. I suggest you use TWRP however CWM "should" work, but I have not tried myself.

Step 1:
Clean Install

The first step 'is' optional, however it is recommended that you do a clean install. I will be using Alexis Rom 8.0 Beta 2 for my Galaxy S6, but any rom should work. (Other than certain GraceUX ports, but I am able to get it to work with other ported roms like CoreUi (a MIUI port) for the Galaxy S6.) You should also flash a kernel now as well. I used to personally use Arter97 as SuperSU is not installed in this kernel, however Arter97 is slowly starting to become unstable as it hasn't been updated and there are better kernels out there. For this tutorial, I will be using Twisted Kernel.

Step 2:
Removing SuperSU

This step is 'also' optional, but ONLY if your rom/kernel does not automatically install SuperSU for you. In my case, it is automatically installed.

What you will need to do is to go to the SuperSU app, go to settings.


Scroll down until you see "Full unroot" and click it.

A popup will come up and click "Continue", then followed by another popup and click "NO".


Once you click no, your phone will freeze and then reboot. You should then install Root Checker to verify if your phone is unrooted.


(If for some reason, you are unable to use the SuperSU app but you know SuperSU is installed, I'd suggest you download UPDATE-unSU-signed.zip and flash it as it will manually remove SuperSU.)

Step 3:
Installing required APKs.

You will now need to install MagiskManager 4.2.6, SafetyNet Helper Sample, PHH Super User APK, Root Browser and Kernel Adiutor.


Step 4:
Flashing MagiskV11.1

You will need to reboot into your custom recovery and flash "Magisk-v10.2.zip", followed by rebooting. If you receive ERROR: 1 in TWRP when it is trying to mount SU, I suggest reflashing a kernel (and re-remove SuperSU), uninstalling Magisk with MagiskUninstaller (in Magisk thread) and reinstall Magisk V11.1, or reinstalling your rom.

Once you have flashed the file, reboot into System and open Magisk Manager to verify you have installed Magisk. A little pop up will open to allow Magisk to have root. Make sure to click allow and set it so it has root for "Forever".



If it states that root isn't properly installed, manually flash PHH Super User V266-2. (Useless now as Magisk-V11+ has MagiskSU built into the main file and the Super User manager is built into Magisk Manager.)

Step 5:
Enabling Magisk Hide

In Magisk Manager, go to the side menu and go to "Settings." You will see an unchecked box that says "Enable Magisk Hide." Select it and reboot. Re-open Magisk Manager and verify that it is now check marked. If the App crashes when you select "Enable Magisk Hide", reboot your phone and retry.



Step 6:
Set Permissions

In Root Browser, go to the directory "/sys/fs/selinux" and find the file "enforce" and the file "policy". On the file "enforce", change the permissions of the file from "644" to "640", and for the file "policy", change the permissions of the file from "444" to "440". If MagiskSU pops up and asks for root access, click "Allow."



Once you are done, open up SafetyNet Helper Sample and it 'should' pass. If you are getting "Response Validation Failed" and the background is blue, uninstall Magisk by flashing Magisk Uninstaller, flash UPDATE-unSU-signed.zip, then reflash Magisk V11.1. Then, go back to Step 5 and enable Magisk Hide.


Step 7:
Use Kernel Adiutor to automatically set permissions in init.d

This last step is 'optional', however it automates the permission setting as every time you reboot your system, the file permissions will reset. Open up Kernel Adiutor, go to the sidebar and scroll down until you see 'Init.d'. Click it and make sure "Emulate Init.d" is enabled.
Then click the plus button, set the name to "Permissions" and then add the following script:

"chmod 640 /sys/fs/selinux/enforce" and "chmod 440 /sys/fs/selinux/policy" and save the files.

Also allow root access to Kernel Adiutor!




Step 8:
Reboot

Reboot your device, let Kernel Adiutor do its countdown (you will see in the notifications drop down) and once it says "Applying settings completed!", open up Safetynet and you should be passing!

If you're still not passing, try disabling USB Debugging in Developer Options!

Credits:

topjohnwu - Main developer of Magisk and Magisk Supported Phh Super User
This XDA thread - Helped me figure out how to do this bypass in the first place.
CoreUi Telegram Chat - Helped me test this bypass to see if it worked on different S6 models. Join here!

If I forgot to credit anyone, please tell me.

__________________________________​

If there are any mistakes I made, spelling, phrasing etc., please tell me so I can fix them. Thanks.
 
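For auditing a device for the change made in Steps 6 and 7, the following shell check is an added example, not part of the original post or of Magisk. It compares the modes of the two files against the values the guide gives as their starting state (644 and 444); the function names and the optional root-directory argument are assumptions for illustration, and it assumes a `stat` that supports `-c '%a'` (GNU coreutils or toybox).

```shell
#!/bin/sh
# Added example: report when the selinuxfs nodes named in Step 6 no longer
# carry the modes the guide lists as their starting state.

# check_mode FILE EXPECTED
# Prints one finding line. Returns 0 = expected mode, 1 = changed, 2 = cannot check.
check_mode() {
    file=$1
    expected=$2
    if [ ! -e "$file" ]; then
        echo "MISSING    $file"
        return 2
    fi
    # %a prints the permission bits in octal, e.g. 644
    actual=$(stat -c '%a' "$file" 2>/dev/null) || {
        echo "UNREADABLE $file"
        return 2
    }
    if [ "$actual" = "$expected" ]; then
        echo "OK         $file mode=$actual"
        return 0
    fi
    echo "CHANGED    $file mode=$actual expected=$expected"
    return 1
}

# audit_selinuxfs [ROOT]
# ROOT defaults to /sys/fs/selinux; passing another directory (hypothetical
# parameter) lets the check run against a constructed test tree.
# Returns the worst status seen across both files.
audit_selinuxfs() {
    root=${1:-/sys/fs/selinux}
    status=0
    for spec in enforce:644 policy:444; do
        name=${spec%%:*}
        mode=${spec##*:}
        rc=0
        check_mode "$root/$name" "$mode" || rc=$?
        if [ "$rc" -gt "$status" ]; then
            status=$rc
        fi
    done
    return "$status"
}
```

Source the file in a shell on the device and call `audit_selinuxfs`; a return status of 1 with `CHANGED` lines means the modes differ from the starting values quoted in Step 6.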

xJovs

Great tutorial by the looks of it! Will try tomorrow morning
Thanks. Been using this way to bypass for 2 months now and when I realized not a lot of people knew how to do it, I knew I needed to write a tutorial. It has only not worked with one ROM I tried but worked with a variety of other roms. XtreStoLite, Alexis, CoreUi, MIUI Port etc. Note, I did not originally "find" it but there is no real guide to follow it like how I have written it above.
 

Raphaeldu68

Worked well for me on Galaxy S7 SM-G930F with SuperMan-Rom 1.18.1
I'll try with Xposed later.
Thanks for sharing this great tutorial! :)

EDIT : This method with Magisk 10.2 + Xposed does NOT work
 

xJovs

Any luck?
Haven't really gone and tried it yet. However I don't think it is currently possible. Been busy recently etc etc.

Also, there 'is' supposedly a bug where settings would crash and that would cause issues. If that is the case, I suggest try flashing Magisk V9 as it worked for me as well before.
 

hamstrman

Hmmm... Twisted Kernel is only for G920F... what is F? Sorry for my ignorance. Tried googling it. Still unclear.

I have Sprint G920P. Anyone know if this would be devastating and irreversible to my phone if I tried it?

Every other method has failed for me and/or is incompatible with my Sprint phone. I'd love to try this and not brick my phone. Thanks!
 

r0fless

Thank you so much!
Works perfect on Nexus 6p and 5x running latest 7.1.1 stock with Elementalx kernel.

Just had some problems with changing permissions but it passes anyway. Danke!