[GUIDE] Unlock/Root/Safetynet for Pixel 4a

Zackptg5

Recognized Developer
Sep 18, 2014
4,081
6,649
263
zackptg5.com
With the pixel 4a finally arriving for some (like me), figured I'd make a quick guide

Note that unlocking your bootloader breaks safetynet. There's a workaround in this guide but no guarantee that it won't get patched out in the future.

Also note that this only works with the unlocked carrier model. Cell providers typically lock you out from this unlock process.

Unlocking Bootloader (this is for the unlocked mode, can't speak for other models)
  • Go to system settings -> About phone -> tap on 'Build number' several times until Developer Options is enabled
  • Back out into settings and go to System -> Advanced -> Developer Options -> Enabled 'OEM Unlocking'
  • Unplug your phone if it's plugged into anything and power it off
  • Boot into fastboot by holding Power + Vol Down
  • Plug into pc -> open terminal/shell/whatever
  • Type 'fastboot flashing unlock' -> Follow prompt on device to unlock bootloader (Note that this will FACTORY RESET device)
  • The bootloader is now unlocked!

Rooting
  • Grab the boot img for your rom. If it's stock, get it from the official zip
  • Copy the boot.img to your device
  • Install Magisk manager (grab it from the release zip on github - it's in the common folder)
  • Open Magisk Manager -> select 'Beta'
  • Back on the main page of Magisk Manager, Select 'Install' -> 'Select and Patch File' -> select your boot.img file -> it'll output the patched boot img to your Downloads folder
  • Copy the magisk_patched.img to your pc
  • Reboot your device back into fastboot (see Unlock section above)
  • Open a terminal in the directory your patched boot img file is and type 'fastboot flash boot magisk_patched.img'
  • You're now rooted!
  • Disable "Automatic System Updates" in Developer Options so you aren't surprised with an OTA on boot and end up unrooted (see the OTA section below on proper way of updating)

Passing SafetyNet
As was discovered some time ago, google is switching to a hardware attestation method for safetynet. Fortunately, at the time of writing, there is a workaround thanks to @Didgeridoohan. As of January 2021, this fix no longer works. A new module by @kdrag0n now fixes the hardware attestation issue:
  • Enable MagiskHide in magisk manager
  • Download/Install his Safetynet-fix module from this xda thread
  • Reboot and verify you should hopefully pass safetynet!

Taking an OTA While Rooted

Note: Installing to Inactive slot has been disabled temporarily meaning that if you take an ota, you'll need to do the patch boot img method like you did initially. See here for more details.

Note that you can download the rom from google's site here and extra the boot img from there for patching.
TopJohnWu has a great guide on how to do this here along with some nice screen shots that complement this quick guide. I'll summarize the applicable stuff here:
  • When an OTA is available, ignore it at first
  • Open Magisk Manager and go to Uninstall -> Restore Images
  • Now go back to Settings -> System -> Advanced -> System Update and install the OTA but DO NOT REBOOT
  • Once the install is done (but before rebooting), go back into Magisk Manager -> Install -> Install to Inactive Slot
  • Once the install is done, choose the reboot option IN MAGISK MANAGER. It works some voodoo magic to switch to updated slot and skip post-ota verifications
Having issues?

Try magisk canary instead


Note that this isn't a support thread but just a guide. You're welcome to post your tips/experiences/questions here but don't expect me to answer or reply to them.

I'll try to keep this updated with other useful guides such as TWRP when/if it is released for this device :good:
 
Last edited:

digger16309

Senior Member
Jul 17, 2014
356
106
73
I followed these instructions, and also enabled Magisk Hide. I'm failing both items in SafetyNet. However, I'm also running EdXposed. I'm assuming that is the reason and that there is no workaround for that?
 

neph81

Senior Member
May 13, 2011
248
552
0
Thank you for this guide. I only needed root to restore old app settings with Swift Backup and this worked great. I just used fastboot to boot the modified image instead of flashing it and then used that session to run Swift Backup with root. When it rebooted, all was back to stock.
 

cmstlist

Senior Member
Jan 11, 2010
3,360
520
243
Toronto
Thank you for this guide. I only needed root to restore old app settings with Swift Backup and this worked great. I just used fastboot to boot the modified image instead of flashing it and then used that session to run Swift Backup with root. When it rebooted, all was back to stock.
I would think, in this case, you'll still fail SafetyNet b/c of the unlocked bootloader. Is this the case?
 

Zackptg5

Recognized Developer
Sep 18, 2014
4,081
6,649
263
zackptg5.com
I followed these instructions, and also enabled Magisk Hide. I'm failing both items in SafetyNet. However, I'm also running EdXposed. I'm assuming that is the reason and that there is no workaround for that?
Xposed can break safety net, I haven't tried it on this device. I have been able to pass safety net with it on some older devices though

I would think, in this case, you'll still fail SafetyNet b/c of the unlocked bootloader. Is this the case?
Yup but without Xposed, I was able to get safetynet to pass thanks to the module and magiskhide
 

neph81

Senior Member
May 13, 2011
248
552
0
I would think, in this case, you'll still fail SafetyNet b/c of the unlocked bootloader. Is this the case?
So, I reinstalled the magisk apk and confirmed that cts does fail. However, it does not appear to be affecting any apps. My games that normally trigger on root being available all work and Google Pay does not appear to be giving me any issues. This will bear some additional testing though anyone else goes that route.
 

CSX321

Senior Member
Aug 21, 2009
598
271
93
Southern IL USA
Is there a way to skip the initial setup so I can get to Developer Options?
Yes, but there are several different things you have to skip or back out of. Also, you have to have a Wi-Fi connection before it will enable the OEM unlocking setting in Developer options. You don't need to actually do any setup or enter an account or anything, though, before unlocking.
 

Zackptg5

Recognized Developer
Sep 18, 2014
4,081
6,649
263
zackptg5.com
it looks like there is now a pixel 4a fingerprint available in magiskhide props config
Ya but we don't want that (we have the 4a fingerprint by default). The point of the fingerprint hack is to change the fingerprint to a device that does not use hardware attestation so magiskhide will be enough to pass safety net (like the 3a)
 

MaxPower742

Member
Jun 17, 2015
32
6
28
Yes, but there are several different things you have to skip or back out of. Also, you have to have a Wi-Fi connection before it will enable the OEM unlocking setting in Developer options. You don't need to actually do any setup or enter an account or anything, though, before unlocking.
Awesome thanks for your help. Got it all going including the safetynet thing. Only stumbling block so far has been it didn't seem to recognize my sim card, even waiting till it prompted me to pop it in. I just had to disable wifi and it just became my phone, didn't even ask me to activate with VZ or anything. I just did it though so I guess something could come up later where I have to go through the portal or their support to switch off my old device and turn this one on like I had to do with my last one. Maybe they improved the process though, we'll see.

Should we turn off automatic updates in dev options? I've been on roms so long I don't remember how it works with stock rooted. I imagine it'd be fine as long as it's not an android version upgrade which would not be automatic anyway.
 

ReservedName

Member
Oct 29, 2014
17
11
23
Ya but we don't want that (we have the 4a fingerprint by default). The point of the fingerprint hack is to change the fingerprint to a device that does not use hardware attestation so magiskhide will be enough to pass safety net (like the 3a)
i don't think that's right there's no problem with using the pixel 4a fingerprint. personally tested. use the module to change the fingerprint and then the next option for basic key attestation. checked cts profile with magisk no problems.
 

MaxPower742

Member
Jun 17, 2015
32
6
28
Yeah I switched to the 4a fingerprint then actually did reset to default and still pass safetynet. Ampere thinks my phone is a 3a even after reinstall which is driving me ocd crazy but maybe it's just that app that needs to be updated.
 

digger16309

Senior Member
Jul 17, 2014
356
106
73
Ampere thinks my phone is a 3a even after reinstall which is driving me ocd crazy but maybe it's just that app that needs to be updated.
Same thing here. I couldn't stand to look at my car showing my phone as a 3a on the screen all the time so I changed it back.
 
Last edited:

MaxPower742

Member
Jun 17, 2015
32
6
28
Seems like with the magisk module for props config active, it'll continue to self identify as a 3a even if you tell it to reset the fingerprint to default. I assume that's why it keeps working, cause when I disabled it, Ampere did properly see it as a 4a, but safetynet failed.

I haven't been able to disable signature verification
 
Last edited: