[Magisk][Module] Play Store Visa - Get your device certified with custom ROMs

Search This thread

ttimasdf

Member
Feb 20, 2016
11
2
Introduction

Fix UNCERTIFIED status in Play Store for OP2/OP3/Note4 and maybe more.

Uncertified status may lead to some restrictions on specific apps (saying Netflix). It is not only judged by SafetyNet status but also some build props in your ROM. So this module does NOT may or may not help you to pass SafetyNet.
More specifically, to pass SafetyNet, if you are on a custom ROM/Kernel,
  • a patch in your kernel like this is REQUIRED (maybe optional because of MagiskHide?)
  • If you are on stock ROM or other ROMs that enabled dm-verity, never touch system part.
  • SELinux is always enforcing

Installation

Search for "Play Store Visa" in Magisk Manager or download at Github.

Support for New Devices

This module made it by injecting proper build fingerprint properties per device, most commonly ro.build.fingerprint. So device support is highly dependent on a working build fingerprint from a certified stock ROM. You can test and find a combination by your own and add to service.sh accordingly.

I used to find those fingerprints hard to search around. Although one fingerprint may work for all devices of a kind, but people barely shares it. Pull requests are very welcomed so we may help one another! ;)

Define: a working fingerprint
For the time being, I test the prop edits working by:
  • clean data of Play Store
  • reboot for the module to apply (or invoke resetprop through adb)
  • open and check certification status in settings. (may have some delay)
  • search for Netflix in Play Store.
If you can see Netflix in search results after wiping store's data, then your props edits are good to go!

Enjoy;)

Q&A
Q:
Only for OP2/OP3/note4? Not support for other device?

A:
To support other device, we need the value of `ro.build.fingerprint` from a stock ROM. I don't own other devices so I may not have chance to extract it. Contributions are welcomed, and I may search for other useful ones in the future..

Q:
What's the difference between this module and this one?

A:
We both solved part of the problem, see my explanation below. I'm happy to contribution my parts, if necessary, to prevent reinventing the wheels.


XDA:DevDB Information
Play Store Visa, App for all devices (see above for details)

Contributors
ttimasdf
Source Code: https://github.com/Magisk-Modules-Repo/playstore_certification_bypass


Version Information
Status: Beta

Created 2018-03-26
Last Updated 2018-03-31
 
Last edited:

Didgeridoohan

Senior Moderator / Developer Relations
Staff member
May 31, 2012
11,546
12,023
Gothenburg
Google Nexus 4
Nexus 6
More specifically, to pass SafetyNet, if you are on a custom ROM/Kernel,
  • a patch in your kernel like this is REQUIRED
  • If you are on stock ROM or other ROMs that enabled dm-verity, never touch system part.
  • SELinux is always enforcing

That patch you're talking about is unnecessary if you use Magisk. MagiskHide already changes ro.boot.verifiedbootstate to "green".
MagiskHide also hides a permissive SELinux, so keeping it enforcing isn't necessary to pass SafetyNet if you use Magisk. Although keeping SELinux enforcing is highly advisable...

I'm also curious as to what observations you've made about SafetyNet and a certified Play Store. From my own (very light) research I've found that it relies on SafetyNet. Not directly, but the CTS profile matching part. From the link to Google support in the OP:
If your device is uncertified, Google doesn’t have a record of the Android compatibility test results.
If your device hasn't passed the Android compatibility test, it won't be reported as certified in the Play Store, and it won't pass SafetyNet. On the other hand, if you pass SafetyNet, your device has passed the compatibility test, and then it'll also be certified in the Play Store.

Would love the hear your findings if you're up to sharing.

---------- Post added at 13:27 ---------- Previous post was at 13:25 ----------

What's the difference between this module and this one?

Quite similar in that we both change the device fingerprint. We go about it a bit different, and mine has a couple of other features as well.
 

nl3142

Senior Member
Jun 11, 2011
167
23
Was this created in response to Google blocking GApps on uncertified devices/roms? If so then that is great, I didn't expect a solution to come out so fast.

That being said, based on current reports it would not be hard to create a universal "coyote mode" by getting the existing ro.build.fingerprint and then modifying the build date portion so that it is before March 2018. Said mode would not make the device certified if it wasn't already but would allow GApps to run normally thus the term "coyote mode" (a coyote is a person who smuggles other people across the border).
 

abacate123

Senior Member
Feb 22, 2015
1,266
1,801
Was this created in response to Google blocking GApps on uncertified devices/roms? If so then that is great, I didn't expect a solution to come out so fast.

Google is not blocking gapps for custom roms. At least not yet.

In fact, you can actually register an uncertified device using a custom rom (it says android id, but it'll accept the imei number) here: https://www.google.com/android/uncertified/
 
Last edited:

nl3142

Senior Member
Jun 11, 2011
167
23
Google is not blocking gapps for custom roms. At least not yet.

In fact, you can actually register an uncertified device using a custom rom (it says android id, but it'll accept the imei number) here: https://www.google.com/android/uncertified/

Though since the Android ID is regenerated after either every factory reset (pre-Oreo) or even every boot (Oreo) it will be pretty easy to run into the 100 Android ID limit.
 

ttimasdf

Member
Feb 20, 2016
11
2
What's the difference between this module and this one?

Oh, I know that module but didn't read it's doc until you mentioned. In a word, the same solution for different questions.

My problems is, my ctsProfile is True for my phone but I cannot get Netflix from the store. But after some props edit it just works :p so I published my solution. Maybe I could make a PR into it

That patch you're talking about is unnecessary if you use Magisk. MagiskHide already changes ro.boot.verifiedbootstate to "green".
MagiskHide also hides a permissive SELinux, so keeping it enforcing isn't necessary to pass SafetyNet if you use Magisk. Although keeping SELinux enforcing is highly advisable...

I'm also curious as to what observations you've made about SafetyNet and a certified Play Store. From my own (very light) research I've found that it relies on SafetyNet. Not directly, but the CTS profile matching part. From the link to Google support in the OP:

If your device hasn't passed the Android compatibility test, it won't be reported as certified in the Play Store, and it won't pass SafetyNet. On the other hand, if you pass SafetyNet, your device has passed the compatibility test, and then it'll also be certified in the Play Store.

Would love the hear your findings if you're up to sharing.

---------- Post added at 13:27 ---------- Previous post was at 13:25 ----------



Quite similar in that we both change the device fingerprint. We go about it a bit different, and mine has a couple of other features as well.

Your project goes a lot further than mine but I didn't notice it as a key to my problem :silly:

From my finding, SafetyNet ctsProfile seems to rely solely on ro.build.fingerprint and the "certified" status does the same. The rom I used on Note4 patched the fingerprint and passed SafetyNet from the very beginning.

But Play Store seems to have more verifications on other build props, in my case, ro.build.version.release, ro.build.version.incremental to match the ones in fingerprint. The patch I used for OP3 did not patched them (for I have no time to inspect) so I passed SN, get certified, but still cannot search for Netflix. I don't know it's a more strict policy enforced by Netflix or Google but it makes the certification imperfect. Maybe we shall look into this together :p
 
Last edited:

Didgeridoohan

Senior Moderator / Developer Relations
Staff member
May 31, 2012
11,546
12,023
Gothenburg
Google Nexus 4
Nexus 6
Oh, I know that module but didn't read it's doc until you mentioned. In a word, the same solution for different questions.

My problems is, my ctsProfile is True for my phone but I cannot get Netflix from the store. But after some props edit it just works :p so I published my solution. Maybe I could make a PR into it



Your project goes a lot further than mine but I didn't notice it as a key to my problem :silly:

From my finding, SafetyNet ctsProfile seems to rely solely on ro.build.fingerprint and the "certified" status does the same. The rom I used on Note4 patched the fingerprint and passed SafetyNet from the very beginning.

But Play Store seems to have more verifications on other build props, in my case, ro.build.version.release, ro.build.version.incremental to match the ones in fingerprint. The patch I used for OP3 did not patched them (for I have no time to inspect) so I passed SN, get certified, but still cannot search for Netflix. I don't know it's a more strict policy enforced by Netflix or Google but it makes the certification imperfect. Maybe we shall look into this together :p

Hm... I'm wondering. From what I've tested and seen reported, all that is needed is to pass SafetyNet for your device to be certified. On that we're on the same page though.

I've also seen reported (and experienced) that even after getting your device certified in the Play Store, it can take several reboots and/or up to a whole day before the apps that rely on the certification status (Netflix, etc) to show up/install. Could it be that you were simply experiencing a delay when you couldn't install Netflix? It's possible that any other props are part of the new Gapps blocking on uncertified devices, but somehow I don't think so... I will do more research and report back.

And as a side note, about the CTS profile test:
Changing the device fingerprint is only one part of making a device pass. That causes the devices to be recognised as a certified device with trusted software, even if the manufacturer hasn't certified the device or if you've installed a custom ROM (both would normally cause ctsProfile to be false). It will also report false if your bootloader is unlocked or if you've rooted your device, but both of these will be taken care of by MagiskHide. Xposed will of course also cause issues, but for the ctsProfile check this can actually be fooled by the No Device Check Xposed module. It'll still cause a basic integrity failure though, and be detected in other ways.

I'll be back...
 
  • Like
Reactions: braschlosan

ttimasdf

Member
Feb 20, 2016
11
2
Hm... I'm wondering. From what I've tested and seen reported, all that is needed is to pass SafetyNet for your device to be certified. On that we're on the same page though.

I've also seen reported (and experienced) that even after getting your device certified in the Play Store, it can take several reboots and/or up to a whole day before the apps that rely on the certification status (Netflix, etc) to show up/install. Could it be that you were simply experiencing a delay when you couldn't install Netflix? It's possible that any other props are part of the new Gapps blocking on uncertified devices, but somehow I don't think so... I will do more research and report back.

And as a side note, about the CTS profile test:
Changing the device fingerprint is only one part of making a device pass. That causes the devices to be recognised as a certified device with trusted software, even if the manufacturer hasn't certified the device or if you've installed a custom ROM (both would normally cause ctsProfile to be false). It will also report false if your bootloader is unlocked or if you've rooted your device, but both of these will be taken care of by MagiskHide. Xposed will of course also cause issues, but for the ctsProfile check this can actually be fooled by the No Device Check Xposed module. It'll still cause a basic integrity failure though, and be detected in other ways.

I'll be back...

Thanks for the hint. I do a few tests today. My module seems to be broken today but after added Play Store and `com.google.android.gsf` to MagiskHide list it works again.

And most interestingly, the fingerprint for my Note4 from the ROM seems to be blacklisted by Google.
I wiped data, disabled module, reboot. Device become uncertified and even cannot pass `basic integrity`. wipe-enable-reboot become certified and able to download again.

It's a cat and mouse game after all:angel:

Also I tested for the "delay" you mentioned. After a wiped reboot, tested 2 out of 3 times the Netflix shows in result. However, whether it can start download still depends on the certification status. If uncertified, download will say error after some time. With module enabled, the download succeeded normally. So Netflix is the most timely and accurate way to speak if your device is certified.;)

For I have not yet used any apps that check SafetyNet status at runtime, maybe I'll check it later.
 
After installing this module, I get force close popup in most Google and non Google apps. FYI, I also have Youtube Vanced installed via Magisk module. I uninstalled the module but I still get the same popups. Also, the device remains certified. Is there any way to actually undo everything? From what I can understand, my device should remain uncertified for everything to work.
 

ttimasdf

Member
Feb 20, 2016
11
2
After installing this module, I get force close popup in most Google and non Google apps. FYI, I also have Youtube Vanced installed via Magisk module. I uninstalled the module but I still get the same popups. Also, the device remains certified. Is there any way to actually undo everything? From what I can understand, my device should remain uncertified for everything to work.

This module merely changed some build props, if and only if your device is supported. Theoretically it should not mess other things around. Check your logcat if there's anything worth notice and clear app data if necessary:p
 

TENN3R

Senior Member
Dec 6, 2014
845
447
Trento
As said above, to support other device, we need the value of `ro.build.fingerprint` from a stock ROM.
I don't own other devices so I may not have chance to extract it. So we only need some contributions ;)


I made a screenshot from my Pixel 8.1 stock - april security patch
Maybe can help for pixel support :good:

Sent from my Google Pixel using XDA Labs
 

Attachments

  • Screenshot_20180417-160238.jpg
    Screenshot_20180417-160238.jpg
    199.5 KB · Views: 473

DCvan

Senior Member
Aug 4, 2017
89
54
Vancouver
It is working on my Nexus 7 2013 WiFi tablet. Running Flo classic asop 8.1 r28 May 2018 version with Ground Zero Gapps. Did the clear data (clear cache alone didn't work) rebooted and open Playstore, my apps updates and installed tabs show zero item. A few hours later, check again and I get a Certified in Playstore settings.
Thank you, good job! :good:

Also trying on OnePlus One running AEX 8.1 v5.5. currently updates and installed tabs are also zero item. Going to let it be and see if it will populate over time. Under Playstore version build number, nothing under. Before installing Visa module, it say uncertified.

Library tabs on both show my history of apps.
 
Last edited:

Top Liked Posts

  • There are no posts matching your filters.
  • 4
    After I installed my play store displays 'Certified' however play store shows this for Netflix.

    Is my device not compatible, or is this more likely due to xposed framework and not been able to pass safety net?

    Kindly Do The Following
    - Download ClearPlayStoreWithServicesData4Magisk From This Thread https://forum.xda-developers.com/apps/magisk/module-google-playstore-services-data-t3789498 & Flash It Thru Magisk Manager Then Reboot
    - Wait About 15-30 Min. Then Check PlayStore Device Certification Status & Netflix From PlayStore
    - If It Didnot Work, Did You Install BusyBox/Xposed? And If So, Disable/Uninstall BusyBox/Xposed --> Reboot
    - Check Again The SafetyNet, PlayStore Device Certification Status & Netflix From PlayStore
    - If It Didnot Work, Download SELinuxModeInverter4Magisk From This Thread https://forum.xda-developers.com/apps/magisk/selinux-mode-inverter-t3775271 & Flash It Thru Magisk Manager Then Reboot
    - Check Again The SafetyNet, PlayStore Device Certification Status & Netflix From PlayStore
    2
    Introduction

    Fix UNCERTIFIED status in Play Store for OP2/OP3/Note4 and maybe more.

    Uncertified status may lead to some restrictions on specific apps (saying Netflix). It is not only judged by SafetyNet status but also some build props in your ROM. So this module does NOT may or may not help you to pass SafetyNet.
    More specifically, to pass SafetyNet, if you are on a custom ROM/Kernel,
    • a patch in your kernel like this is REQUIRED (maybe optional because of MagiskHide?)
    • If you are on stock ROM or other ROMs that enabled dm-verity, never touch system part.
    • SELinux is always enforcing

    Installation

    Search for "Play Store Visa" in Magisk Manager or download at Github.

    Support for New Devices

    This module made it by injecting proper build fingerprint properties per device, most commonly ro.build.fingerprint. So device support is highly dependent on a working build fingerprint from a certified stock ROM. You can test and find a combination by your own and add to service.sh accordingly.

    I used to find those fingerprints hard to search around. Although one fingerprint may work for all devices of a kind, but people barely shares it. Pull requests are very welcomed so we may help one another! ;)

    Define: a working fingerprint
    For the time being, I test the prop edits working by:
    • clean data of Play Store
    • reboot for the module to apply (or invoke resetprop through adb)
    • open and check certification status in settings. (may have some delay)
    • search for Netflix in Play Store.
    If you can see Netflix in search results after wiping store's data, then your props edits are good to go!

    Enjoy;)

    Q&A
    Q:
    Only for OP2/OP3/note4? Not support for other device?

    A:
    To support other device, we need the value of `ro.build.fingerprint` from a stock ROM. I don't own other devices so I may not have chance to extract it. Contributions are welcomed, and I may search for other useful ones in the future..

    Q:
    What's the difference between this module and this one?

    A:
    We both solved part of the problem, see my explanation below. I'm happy to contribution my parts, if necessary, to prevent reinventing the wheels.


    XDA:DevDB Information
    Play Store Visa, App for all devices (see above for details)

    Contributors
    ttimasdf
    Source Code: https://github.com/Magisk-Modules-Repo/playstore_certification_bypass


    Version Information
    Status: Beta

    Created 2018-03-26
    Last Updated 2018-03-31
    2
    Have you found away to pass integrity while xposed us active?

    I've never been looking for it... Greater minds than mine have tried to find a way though, and deemed it impossible with how Xposed currently works.
    1
    Oh, I know that module but didn't read it's doc until you mentioned. In a word, the same solution for different questions.

    My problems is, my ctsProfile is True for my phone but I cannot get Netflix from the store. But after some props edit it just works :p so I published my solution. Maybe I could make a PR into it



    Your project goes a lot further than mine but I didn't notice it as a key to my problem :silly:

    From my finding, SafetyNet ctsProfile seems to rely solely on ro.build.fingerprint and the "certified" status does the same. The rom I used on Note4 patched the fingerprint and passed SafetyNet from the very beginning.

    But Play Store seems to have more verifications on other build props, in my case, ro.build.version.release, ro.build.version.incremental to match the ones in fingerprint. The patch I used for OP3 did not patched them (for I have no time to inspect) so I passed SN, get certified, but still cannot search for Netflix. I don't know it's a more strict policy enforced by Netflix or Google but it makes the certification imperfect. Maybe we shall look into this together :p

    Hm... I'm wondering. From what I've tested and seen reported, all that is needed is to pass SafetyNet for your device to be certified. On that we're on the same page though.

    I've also seen reported (and experienced) that even after getting your device certified in the Play Store, it can take several reboots and/or up to a whole day before the apps that rely on the certification status (Netflix, etc) to show up/install. Could it be that you were simply experiencing a delay when you couldn't install Netflix? It's possible that any other props are part of the new Gapps blocking on uncertified devices, but somehow I don't think so... I will do more research and report back.

    And as a side note, about the CTS profile test:
    Changing the device fingerprint is only one part of making a device pass. That causes the devices to be recognised as a certified device with trusted software, even if the manufacturer hasn't certified the device or if you've installed a custom ROM (both would normally cause ctsProfile to be false). It will also report false if your bootloader is unlocked or if you've rooted your device, but both of these will be taken care of by MagiskHide. Xposed will of course also cause issues, but for the ctsProfile check this can actually be fooled by the No Device Check Xposed module. It'll still cause a basic integrity failure though, and be detected in other ways.

    I'll be back...
Our Apps
Get our official app!
The best way to access XDA on your phone
Nav Gestures
Add swipe gestures to any Android
One Handed Mode
Eases uses one hand with your phone