[GUIDE] Pixel 4a "sunfish": Unlock Bootloader, Update, Root, Pass SafetyNet

Search This thread

V0latyle

Forum Moderator
Staff member
If you are looking for my guide on a different Pixel, find it here:
WARNING: YOU AND YOU ALONE ARE RESPONSIBLE FOR ANYTHING THAT HAPPENS TO YOUR DEVICE. THIS GUIDE IS WRITTEN WITH THE EXPRESS ASSUMPTION THAT YOU ARE FAMILIAR WITH ADB, MAGISK, ANDROID, AND ROOT. IT IS YOUR RESPONSIBILITY TO ENSURE YOU KNOW WHAT YOU ARE DOING.

Prerequisites:


Android Source - Setting up a device for development


  1. Follow these instructions to enable Developer Options and USB Debugging.
  2. Enable OEM Unlocking. If this option is grayed out, unlocking the bootloader is not possible.
  3. Connect your device to your PC, and open a command window in your Platform Tools folder.
  4. Ensure ADB sees your device:
    Code:
    adb devices
    If you don't see a device, make sure USB Debugging is enabled, reconnect the USB cable, or try a different USB cable.
    If you see "unauthorized", you need to authorize the connection on your device.
    If you see the device without "unauthorized", you're good to go.
  5. Reboot to bootloader:
    Code:
    adb reboot bootloader
  6. Unlock bootloader: THIS WILL WIPE YOUR DEVICE!
    Code:
    fastboot flashing unlock
    Select Continue on the device screen.

  1. Install Magisk on your device.
  2. Download the factory zip for your build.
  3. Inside the factory zip is the update zip: "device-image-buildnumber.zip". Open this, and extract boot.img
  4. Copy boot.img to your device.
  5. Patch boot.img with Magisk: "Install" > "Select and Patch a File"
  6. Copy the patched image back to your PC. It will be named "magisk_patched-23xxx_xxxxx.img". Rename this to "master root.img" and retain it for future updates.
  7. Reboot your device to bootloader.
  8. Flash the patched image:
    Code:
    fastboot flash boot <drag and drop master root.img here>
  9. Reboot to Android. Open Magisk to confirm root - under Magisk at the top, you should see "Installed: <Magisk build number>

  1. Before you download the OTA, open Magisk, tap Uninstall, then Restore Images. If you have any Magisk modules that modify system, uninstall them now.
  2. Take the OTA update when prompted. To check for updates manually, go to Settings > System > System Update > Check for Update
  3. Allow the update to download and install. DO NOT REBOOT WHEN PROMPTED. Open Magisk, tap Install at the top, then Install to inactive slot. Magisk will then reboot your device.
  4. You should now be updated with root.

  1. Download the OTA.
  2. Reboot to recovery and sideload the OTA:
    Code:
    adb reboot sideload
    Once in recovery:
    Code:
    adb sideload ota.zip
  3. When the OTA completes, you will be in recovery mode. Select "Reboot to system now".
  4. Allow system to boot and wait for the update to complete. You must let the system do this before proceeding.
  5. Reboot to bootloader.
  6. Boot the master root image (See note 1):
    Code:
    fastboot boot <drag and drop master root.img here>
    Note: If you prefer, you can download the factory zip and manually patch the new boot image, then flash it after the update. Do not flash an older boot image after updating.
  7. Your device should boot with root. Open Magisk, tap Install, and select Direct Install.
  8. Reboot your device. You should now be updated with root.
Note: You can use Payload Dumper to extract the contents of the OTA if you want to manually patch the new boot image. However, I will not cover that in this guide.

Please note that the factory update process expects an updated bootloader and radio. If these are not up to date, the update will fail.
  1. Download the factory zip and extract the contents.
  2. Reboot to bootloader.
  3. Compare bootloader versions between phone screen and bootloader.img build number
    Code:
    fastboot flash bootloader <drag and drop new bootloader.img here>
    If bootloader is updated, reboot to bootloader.
  4. Compare baseband versions between phone screen and radio.img build number
    Code:
    fastboot flash radio <drag and drop radio.img here>
    If radio is updated, reboot to bootloader.
  5. Apply update:
    Code:
    fastboot update --skip-reboot image-codename-buildnumber.zip
    When the update completes, the device will be in fastbootd. Reboot to bootloader.
  6. Boot the master root image (See note 1):
    Code:
    fastboot boot <drag and drop master root.img here>
    Note: If you prefer, you can manually patch the new boot image, then flash it after the update. Do not flash an older boot image after updating.
  7. Your device should boot with root. Open Magisk, tap Install, and select Direct Install.
  8. Reboot your device. You should now be updated with root.
Note: If you prefer, you can update using the flash-all script included in the factory zip. You will have to copy the script, bootloader image, radio image, and update zip into the Platform Tools folder; you will then have to edit the script to remove the -w option so it doesn't wipe your device.
The scripted commands should look like this:
Code:
fastboot flash bootloader <bootloader image name>
fastboot reboot bootloader
ping -n 5 127.0.0.1 > nul
fastboot flash radio <radio image name>
fastboot reboot bootloader
ping -n 5 127.0.0.1 > nul
fastboot update  --skip-reboot --slot=all <image-device-buildnumber.zip>
Once this completes, you can reboot to bootloader and either boot your master patched image, or if you patched the new image, flash it at this time.

PixelFlasher by @badabing2003 is an excellent tool that streamlines the update process - it even patches the boot image for you. Please note that root access is required to patch.
  1. Download PixelFlasher and the factory image. You do not need to extract the factory image.
  2. Open PixelFlasher. Point the Android Platform Tools directory (browse for your Platform Tools folder)
  3. Point the Factory Image directory to the factory image package you just downloaded.
  4. Connect your device via USB. Ensure it shows up under ADB Connected Devices.
  5. Click the button to the right of the factory image Browse button (looks like a meat grinder). This will extract the boot image from the factory package.
  6. When the boot image appears in the list, click on it and click Patch. A root request should pop up on your device; this is PixelFlasher requesting shell root access through ADB. Make sure you approve it.
  7. PixelFlasher will automatically copy the boot image to your device, patch it in Magisk, then copy it back to your PC. The patched image should now appear in the boot image list.
  8. Select the patched boot image, the desired flash mode (Keep Data), and click Flash Pixel Phone.
  9. Pixel Flasher will automatically update bootloader, radio, system, then finally flash the patched boot image.
  10. When your device boots, you should be updated with root.

  1. Follow the instructions on the Android Flash Tool to update your device. Make sure Lock Bootloader and Wipe Device are UNCHECKED.
  2. When the update completes, the device will be in fastbootd. Reboot to bootloader.
  3. Boot the master root image (See note 1):
    Code:
    fastboot boot <drag and drop master root.img here>
    Note: If you prefer, you can download the factory zip and manually patch the new boot image, then flash it after the update. Do not flash an older boot image after updating.
  4. Your device should boot with root. Open Magisk, tap Install, and select Direct Install.
  5. Reboot your device. You should now be updated with root.

This is my configuration that is passing Safety Net. I will not provide instructions on how to accomplish this. Attempt at your own risk.

Zygisk + DenyList enabled
All subcomponents of these apps hidden under DenyList:
  • Google Play Store
  • GPay
  • Any banking/financial apps
  • Any DRM media apps
Modules:
To check SafetyNet status:
I do not provide support for Magisk or modules. If you need help with Magisk, here is the Magisk General Support thread. For support specifically with Magisk v24+, see this thread.

Points of note:
  • The boot image is NOT the bootloader image. Do not confuse the two - YOU are expected to know the difference. Flashing the wrong image to bootloader could brick your device.
  • While the Magisk app is used for patching the boot image, the app and the patch are separate. This is what you should see in Magisk for functioning root:
    screenshot_20211218-194517-png.5486339
  • "Installed" shows the version of patch in the boot image. If this says N/A, you do not have root access - the boot image is not patched, or you have a problem with Magisk.
  • "App" simply shows the version of the app itself.
  • If you do not have a patched master boot image, you will need to download the factory zip if you haven't already, extract the system update inside it, then patch boot.img.
  • If you prefer updating with the factory image, you can also extract and manually patch the boot image if desired.
  • Some Magisk modules, especially those that modify read only partitions like /system, may cause a boot loop after updating. As a general rule, disable these modules before updating. You are responsible for knowing what you have installed, and what modules to disable.


Credits:
Thanks to @ipdev , @kdrag0n , @Didgeridoohan , and last but not least, @topjohnwu for all their hard work!
 
Last edited:

largeruk

Senior Member
Aug 4, 2011
102
6
@V0latyle and all you other helpful people

A few basic questions please. I intend to use your guide to unlock the bootloader and root a Pixel 4a (non-5g) which is currently on stock rom Android 12 SP2A.220405.003. (Auto system updates are currently off in Developer options).
  1. Should I update to the latest June version of Android 12 before doing anything?
  2. Which versions of Magisk and Magisk Manager should I use to root the device?
  3. Which elements of Magisk do I need to activate and which modules do I need to install to pass all SafetyNet checks so I can use UK banking apps?
  4. I've used older versions of Magisk when the repository was built in but am unfamiliar with more recent versions where apparently there is no repo. How does one install modules now?
Many thanks
 

V0latyle

Forum Moderator
Staff member
@V0latyle and all you other helpful people

A few basic questions please. I intend to use your guide to unlock the bootloader and root a Pixel 4a (non-5g) which is currently on stock rom Android 12 SP2A.220405.003. (Auto system updates are currently off in Developer options).
  1. Should I update to the latest June version of Android 12 before doing anything?
You can, but you don't have to. You'll be downloading the factory image so you can patch the boot image anyway, so you might as well take advantage of the newest security update.
  1. Which versions of Magisk and Magisk Manager should I use to root the device?
The two are the same. First, make sure you are only using the authentic Magisk from John Wu's Github, linked in the OP. Secondly, you can use almost any version of Magisk, but Android 12 support wasn't included until Canary 23010, meaning any version prior, including Stable v23.0 may not work properly. Since Public Beta 25.0 is out, just use that.
  1. Which elements of Magisk do I need to activate and which modules do I need to install to pass all SafetyNet checks so I can use UK banking apps?
Ensure Zygisk and DenyList are enabled. Enable DenyList on the Play Store and the apps you want to hide root from; it will not work on system processes. Install the Universal SafetyNet Fix module, linked in the OP. Installing USNF will likely also install MagiskHide Props Config.

Confirm SafetyNet is passing with YASNAC.
  1. I've used older versions of Magisk when the repository was built in but am unfamiliar with more recent versions where apparently there is no repo. How does one install modules now?
Again, the only legitimate source for Magisk is the Magisk Github. Do not use any other version from any other site. The repository continues to be alive and well. If you're talking about the module library, that is no longer included in Magisk, so you have to install the modules manually through Magisk. For more help with this, please see the Magisk help threads, also linked in the OP
 
  • Like
Reactions: largeruk

largeruk

Senior Member
Aug 4, 2011
102
6
Ensure Zygisk and DenyList are enabled. Enable DenyList on the Play Store and the apps you want to hide root from; it will not work on system processes. Install the Universal SafetyNet Fix module, linked in the OP. Installing USNF will likely also install MagiskHide Props Config.

Confirm SafetyNet is passing with YASNAC.
@ V0latyle Thanks very much for your incredibly helpful reply - much appreciated. Just some quick follow-ups for clarity please.
  • Zygisk - I assume that is enabled within Magisk somewhere?
  • DenyList - how exactly do I enable this 'on the Play Store'?
  • When you say DenyList will not work on system processes, I assume you mean things like Google Play Store etc? If so, is the mere installation of Magisk through the process you describe in the op now enough to hide Magisk and root from system processes?
Thanks again for your help and patience.
 

V0latyle

Forum Moderator
Staff member
@ V0latyle Thanks very much for your incredibly helpful reply - much appreciated. Just some quick follow-ups for clarity please.
  • Zygisk - I assume that is enabled within Magisk somewhere?
  • DenyList - how exactly do I enable this 'on the Play Store'?
  • When you say DenyList will not work on system processes, I assume you mean things like Google Play Store etc? If so, is the mere installation of Magisk through the process you describe in the op now enough to hide Magisk and root from system processes?
Thanks again for your help and patience.
Not to be rude but these are questions you should be asking in the Magisk support thread. Also, Google is your friend.

Here's how to get to the settings:
Screenshot_20220614-092537.png

Screenshot_20220614-092617.png

Screenshot_20220614-092646~2.png

Google Play Store is not a system process. Google Play Services on the other hand is, and blocking it in MagiskHide used to be pretty standard for passing SafetyNet attestation.

For further questions please use the Magisk support threads, linked in the OP under "Pass SafetyNet"
 

largeruk

Senior Member
Aug 4, 2011
102
6
Apologies for raising questions that, as you rightly point out, should have been posed in other threads. Lesson learnt.

A quick follow-up to my original set of questions. Given that I will be rooting with the latest (June) Magisk-patched factory image, will I need to update the bootloader and radio prior to flashing the patched stock img?

I've compared the versions between phone screen and those contained in the stock factory zip. Both versions appear to be older the current stock one:-
  • bootloader version on phone is c2f2-0.4-8048765 vs bootloader-sunfish-s5-0.4-8351029 on stock image
  • radio version on phone g8150-00123-220122-B-8106568 vs radio-sunfish-g7150-00090-220406-b-8411773.
Thanks again for all your advice. Much appreciated.
 

V0latyle

Forum Moderator
Staff member
Apologies for raising questions that, as you rightly point out, should have been posed in other threads. Lesson learnt.

A quick follow-up to my original set of questions. Given that I will be rooting with the latest (June) Magisk-patched factory image, will I need to update the bootloader and radio prior to flashing the patched stock img?

I've compared the versions between phone screen and those contained in the stock factory zip. Both versions appear to be older the current stock one:-
  • bootloader version on phone is c2f2-0.4-8048765 vs bootloader-sunfish-s5-0.4-8351029 on stock image
  • radio version on phone g8150-00123-220122-B-8106568 vs radio-sunfish-g7150-00090-220406-b-8411773.
Thanks again for all your advice. Much appreciated.
If the build numbers are different, you should update them. Don't worry about the numbers appearing "older"; as far as I can tell it doesn't seem like Google uses consecutive numbers for bootloader and radio.
 
  • Like
Reactions: largeruk

acspdx

Member
Dec 2, 2016
23
4
This morning, my rooted Pixel 4a informed me that there was a "Security update available," even though I have Automatic System Updates turned off in Developer Options. And because I changed the device's signature in order to pass SafetyNet, it says it's an update for a Nexus 6P.

Obviously I don't want this update to install — especially since it's for the wrong device! Will it go ahead and download/install the update the next time I restart? (Or did it already download it?!) How can I abort this process?

Screenshot_20220620-093720.png
 

V0latyle

Forum Moderator
Staff member
This morning, my rooted Pixel 4a informed me that there was a "Security update available," even though I have Automatic System Updates turned off in Developer Options. And because I changed the device's signature in order to pass SafetyNet, it says it's an update for a Nexus 6P.

Obviously I don't want this update to install — especially since it's for the wrong device! Will it go ahead and download/install the update the next time I restart? (Or did it already download it?!) How can I abort this process?

View attachment 5641937
I would recommend immediately changing the signature back to the 4a. Changing it should not be necessary to pass SafetyNet. Installing the Nexus software at the very least may fail to boot, and at the very worst may brick your device. The update has already unpacked to the alternate slot, so tapping Restart will attempt to reboot to that slot.
 

acspdx

Member
Dec 2, 2016
23
4
I would recommend immediately changing the signature back to the 4a. Changing it should not be necessary to pass SafetyNet.
When I first rooted it, I tried passing SafetyNet with an unmodified signature, but it didn't work; that's why I changed it. At any rate, I just reset things in MagiskHide Props Config, but I didn't reboot yet.

What to do about the already-downloaded update? Can I delete it somehow?
 

V0latyle

Forum Moderator
Staff member
When I first rooted it, I tried passing SafetyNet with an unmodified signature, but it didn't work; that's why I changed it. At any rate, I just reset things in MagiskHide Props Config, but I didn't reboot yet.

What to do about the already-downloaded update? Can I delete it somehow?
I don't know of a way to manually wipe the alternate slot. You could dirty flash the current factory image to both slots.

I am passing SafetyNet on my otherwise stock Pixel 5 using USNF + MHPC, no "under the hood" changes, although I have DenyList enabled on banking/DRM apps as well as Play Store.
 

acspdx

Member
Dec 2, 2016
23
4
OK, deep breaths... I think I can do this. It's OK that the "master root" file was created on the previous version, right?

Let me make sure I have all the steps correct:
  • Reboot to bootloader.
  • % fastboot flash bootloader bootloader-sunfish-s5-0.4-7758095.img
  • Reboot to bootloader.
  • % fastboot flash radio radio-sunfish-g7150-00078-211007-b-7801723.img
  • Reboot to bootloader.
  • % fastboot update --skip-reboot --slot=all image-sunfish-sq1a.220205.002.zip
  • [When the update completes, the device will be in fastbootd.]
  • Reboot to bootloader.
  • % fastboot boot master_root.img
Does that look right? There's no "fastboot flash boot" step?
 

V0latyle

Forum Moderator
Staff member
OK, deep breaths... I think I can do this. It's OK that the "master root" file was created on the previous version, right?

Let me make sure I have all the steps correct:
  • Reboot to bootloader.
  • % fastboot flash bootloader bootloader-sunfish-s5-0.4-7758095.img
  • Reboot to bootloader.
  • % fastboot flash radio radio-sunfish-g7150-00078-211007-b-7801723.img
  • Reboot to bootloader.
  • % fastboot update --skip-reboot --slot=all image-sunfish-sq1a.220205.002.zip
  • [When the update completes, the device will be in fastbootd.]
  • Reboot to bootloader.
  • % fastboot boot master_root.img
Does that look right? There's no "fastboot flash boot" step?
If you have a newer version of Magisk installed, you can just re-patch the new boot image.

And yes, you can choose to flash the boot image instead:
Code:
fastboot flash boot --slot=all <patched boot image>

However, this will prevent OTA updates as there will be no "original" boot image.

The reason why I suggested booting an older patched image is to save the trouble of re-patching the image every time there's an update. Any version of Magisk can use almost any patched image for root, which it can then use to patch the images that are in /boot.
 

acspdx

Member
Dec 2, 2016
23
4
OK, so doing the Magisk "direct install" or using adb tools to "flash boot" is an either/or thing? It sound like, if I have Magisk 24, that'll be easier.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 6
    If you are looking for my guide on a different Pixel, find it here:
    WARNING: YOU AND YOU ALONE ARE RESPONSIBLE FOR ANYTHING THAT HAPPENS TO YOUR DEVICE. THIS GUIDE IS WRITTEN WITH THE EXPRESS ASSUMPTION THAT YOU ARE FAMILIAR WITH ADB, MAGISK, ANDROID, AND ROOT. IT IS YOUR RESPONSIBILITY TO ENSURE YOU KNOW WHAT YOU ARE DOING.

    Prerequisites:


    Android Source - Setting up a device for development


    1. Follow these instructions to enable Developer Options and USB Debugging.
    2. Enable OEM Unlocking. If this option is grayed out, unlocking the bootloader is not possible.
    3. Connect your device to your PC, and open a command window in your Platform Tools folder.
    4. Ensure ADB sees your device:
      Code:
      adb devices
      If you don't see a device, make sure USB Debugging is enabled, reconnect the USB cable, or try a different USB cable.
      If you see "unauthorized", you need to authorize the connection on your device.
      If you see the device without "unauthorized", you're good to go.
    5. Reboot to bootloader:
      Code:
      adb reboot bootloader
    6. Unlock bootloader: THIS WILL WIPE YOUR DEVICE!
      Code:
      fastboot flashing unlock
      Select Continue on the device screen.

    1. Install Magisk on your device.
    2. Download the factory zip for your build.
    3. Inside the factory zip is the update zip: "device-image-buildnumber.zip". Open this, and extract boot.img
    4. Copy boot.img to your device.
    5. Patch boot.img with Magisk: "Install" > "Select and Patch a File"
    6. Copy the patched image back to your PC. It will be named "magisk_patched-23xxx_xxxxx.img". Rename this to "master root.img" and retain it for future updates.
    7. Reboot your device to bootloader.
    8. Flash the patched image:
      Code:
      fastboot flash boot <drag and drop master root.img here>
    9. Reboot to Android. Open Magisk to confirm root - under Magisk at the top, you should see "Installed: <Magisk build number>

    1. Before you download the OTA, open Magisk, tap Uninstall, then Restore Images. If you have any Magisk modules that modify system, uninstall them now.
    2. Take the OTA update when prompted. To check for updates manually, go to Settings > System > System Update > Check for Update
    3. Allow the update to download and install. DO NOT REBOOT WHEN PROMPTED. Open Magisk, tap Install at the top, then Install to inactive slot. Magisk will then reboot your device.
    4. You should now be updated with root.

    1. Download the OTA.
    2. Reboot to recovery and sideload the OTA:
      Code:
      adb reboot sideload
      Once in recovery:
      Code:
      adb sideload ota.zip
    3. When the OTA completes, you will be in recovery mode. Select "Reboot to system now".
    4. Allow system to boot and wait for the update to complete. You must let the system do this before proceeding.
    5. Reboot to bootloader.
    6. Boot the master root image (See note 1):
      Code:
      fastboot boot <drag and drop master root.img here>
      Note: If you prefer, you can download the factory zip and manually patch the new boot image, then flash it after the update. Do not flash an older boot image after updating.
    7. Your device should boot with root. Open Magisk, tap Install, and select Direct Install.
    8. Reboot your device. You should now be updated with root.
    Note: You can use Payload Dumper to extract the contents of the OTA if you want to manually patch the new boot image. However, I will not cover that in this guide.

    Please note that the factory update process expects an updated bootloader and radio. If these are not up to date, the update will fail.
    1. Download the factory zip and extract the contents.
    2. Reboot to bootloader.
    3. Compare bootloader versions between phone screen and bootloader.img build number
      Code:
      fastboot flash bootloader <drag and drop new bootloader.img here>
      If bootloader is updated, reboot to bootloader.
    4. Compare baseband versions between phone screen and radio.img build number
      Code:
      fastboot flash radio <drag and drop radio.img here>
      If radio is updated, reboot to bootloader.
    5. Apply update:
      Code:
      fastboot update --skip-reboot image-codename-buildnumber.zip
      When the update completes, the device will be in fastbootd. Reboot to bootloader.
    6. Boot the master root image (See note 1):
      Code:
      fastboot boot <drag and drop master root.img here>
      Note: If you prefer, you can manually patch the new boot image, then flash it after the update. Do not flash an older boot image after updating.
    7. Your device should boot with root. Open Magisk, tap Install, and select Direct Install.
    8. Reboot your device. You should now be updated with root.
    Note: If you prefer, you can update using the flash-all script included in the factory zip. You will have to copy the script, bootloader image, radio image, and update zip into the Platform Tools folder; you will then have to edit the script to remove the -w option so it doesn't wipe your device.
    The scripted commands should look like this:
    Code:
    fastboot flash bootloader <bootloader image name>
    fastboot reboot bootloader
    ping -n 5 127.0.0.1 > nul
    fastboot flash radio <radio image name>
    fastboot reboot bootloader
    ping -n 5 127.0.0.1 > nul
    fastboot update  --skip-reboot --slot=all <image-device-buildnumber.zip>
    Once this completes, you can reboot to bootloader and either boot your master patched image, or if you patched the new image, flash it at this time.

    PixelFlasher by @badabing2003 is an excellent tool that streamlines the update process - it even patches the boot image for you. Please note that root access is required to patch.
    1. Download PixelFlasher and the factory image. You do not need to extract the factory image.
    2. Open PixelFlasher. Point the Android Platform Tools directory (browse for your Platform Tools folder)
    3. Point the Factory Image directory to the factory image package you just downloaded.
    4. Connect your device via USB. Ensure it shows up under ADB Connected Devices.
    5. Click the button to the right of the factory image Browse button (looks like a meat grinder). This will extract the boot image from the factory package.
    6. When the boot image appears in the list, click on it and click Patch. A root request should pop up on your device; this is PixelFlasher requesting shell root access through ADB. Make sure you approve it.
    7. PixelFlasher will automatically copy the boot image to your device, patch it in Magisk, then copy it back to your PC. The patched image should now appear in the boot image list.
    8. Select the patched boot image, the desired flash mode (Keep Data), and click Flash Pixel Phone.
    9. Pixel Flasher will automatically update bootloader, radio, system, then finally flash the patched boot image.
    10. When your device boots, you should be updated with root.

    1. Follow the instructions on the Android Flash Tool to update your device. Make sure Lock Bootloader and Wipe Device are UNCHECKED.
    2. When the update completes, the device will be in fastbootd. Reboot to bootloader.
    3. Boot the master root image (See note 1):
      Code:
      fastboot boot <drag and drop master root.img here>
      Note: If you prefer, you can download the factory zip and manually patch the new boot image, then flash it after the update. Do not flash an older boot image after updating.
    4. Your device should boot with root. Open Magisk, tap Install, and select Direct Install.
    5. Reboot your device. You should now be updated with root.

    This is my configuration that is passing Safety Net. I will not provide instructions on how to accomplish this. Attempt at your own risk.

    Zygisk + DenyList enabled
    All subcomponents of these apps hidden under DenyList:
    • Google Play Store
    • GPay
    • Any banking/financial apps
    • Any DRM media apps
    Modules:
    To check SafetyNet status:
    I do not provide support for Magisk or modules. If you need help with Magisk, here is the Magisk General Support thread. For support specifically with Magisk v24+, see this thread.

    Points of note:
    • The boot image is NOT the bootloader image. Do not confuse the two - YOU are expected to know the difference. Flashing the wrong image to bootloader could brick your device.
    • While the Magisk app is used for patching the boot image, the app and the patch are separate. This is what you should see in Magisk for functioning root:
      screenshot_20211218-194517-png.5486339
    • "Installed" shows the version of patch in the boot image. If this says N/A, you do not have root access - the boot image is not patched, or you have a problem with Magisk.
    • "App" simply shows the version of the app itself.
    • If you do not have a patched master boot image, you will need to download the factory zip if you haven't already, extract the system update inside it, then patch boot.img.
    • If you prefer updating with the factory image, you can also extract and manually patch the boot image if desired.
    • Some Magisk modules, especially those that modify read only partitions like /system, may cause a boot loop after updating. As a general rule, disable these modules before updating. You are responsible for knowing what you have installed, and what modules to disable.


    Credits:
    Thanks to @ipdev , @kdrag0n , @Didgeridoohan , and last but not least, @topjohnwu for all their hard work!
    2
    @ V0latyle Thanks very much for your incredibly helpful reply - much appreciated. Just some quick follow-ups for clarity please.
    • Zygisk - I assume that is enabled within Magisk somewhere?
    • DenyList - how exactly do I enable this 'on the Play Store'?
    • When you say DenyList will not work on system processes, I assume you mean things like Google Play Store etc? If so, is the mere installation of Magisk through the process you describe in the op now enough to hide Magisk and root from system processes?
    Thanks again for your help and patience.
    Not to be rude but these are questions you should be asking in the Magisk support thread. Also, Google is your friend.

    Here's how to get to the settings:
    Screenshot_20220614-092537.png

    Screenshot_20220614-092617.png

    Screenshot_20220614-092646~2.png

    Google Play Store is not a system process. Google Play Services on the other hand is, and blocking it in MagiskHide used to be pretty standard for passing SafetyNet attestation.

    For further questions please use the Magisk support threads, linked in the OP under "Pass SafetyNet"
    1
    @V0latyle and all you other helpful people

    A few basic questions please. I intend to use your guide to unlock the bootloader and root a Pixel 4a (non-5g) which is currently on stock rom Android 12 SP2A.220405.003. (Auto system updates are currently off in Developer options).
    1. Should I update to the latest June version of Android 12 before doing anything?
    You can, but you don't have to. You'll be downloading the factory image so you can patch the boot image anyway, so you might as well take advantage of the newest security update.
    1. Which versions of Magisk and Magisk Manager should I use to root the device?
    The two are the same. First, make sure you are only using the authentic Magisk from John Wu's Github, linked in the OP. Secondly, you can use almost any version of Magisk, but Android 12 support wasn't included until Canary 23010, meaning any version prior, including Stable v23.0 may not work properly. Since Public Beta 25.0 is out, just use that.
    1. Which elements of Magisk do I need to activate and which modules do I need to install to pass all SafetyNet checks so I can use UK banking apps?
    Ensure Zygisk and DenyList are enabled. Enable DenyList on the Play Store and the apps you want to hide root from; it will not work on system processes. Install the Universal SafetyNet Fix module, linked in the OP. Installing USNF will likely also install MagiskHide Props Config.

    Confirm SafetyNet is passing with YASNAC.
    1. I've used older versions of Magisk when the repository was built in but am unfamiliar with more recent versions where apparently there is no repo. How does one install modules now?
    Again, the only legitimate source for Magisk is the Magisk Github. Do not use any other version from any other site. The repository continues to be alive and well. If you're talking about the module library, that is no longer included in Magisk, so you have to install the modules manually through Magisk. For more help with this, please see the Magisk help threads, also linked in the OP
    1
    Apologies for raising questions that, as you rightly point out, should have been posed in other threads. Lesson learnt.

    A quick follow-up to my original set of questions. Given that I will be rooting with the latest (June) Magisk-patched factory image, will I need to update the bootloader and radio prior to flashing the patched stock img?

    I've compared the versions between phone screen and those contained in the stock factory zip. Both versions appear to be older the current stock one:-
    • bootloader version on phone is c2f2-0.4-8048765 vs bootloader-sunfish-s5-0.4-8351029 on stock image
    • radio version on phone g8150-00123-220122-B-8106568 vs radio-sunfish-g7150-00090-220406-b-8411773.
    Thanks again for all your advice. Much appreciated.
    If the build numbers are different, you should update them. Don't worry about the numbers appearing "older"; as far as I can tell it doesn't seem like Google uses consecutive numbers for bootloader and radio.