[Magisk][Module] Play Store Visa - Get your device certified with custom ROMs

[ttimasdf]

Introduction

Fix UNCERTIFIED status in Play Store for OP2/OP3/Note4 and maybe more.

Uncertified status may lead to some restrictions on specific apps (saying Netflix). It is not only judged by SafetyNet status but also some build props in your ROM. So this module does NOT may or may not help you to pass SafetyNet.

More specifically, to pass SafetyNet, if you are on a custom ROM/Kernel,

• a patch in your kernel like this is REQUIRED (maybe optional because of MagiskHide?)
• If you are on stock ROM or other ROMs that enabled dm-verity, never touch system part.
• SELinux is always enforcing

Installation

Search for "Play Store Visa" in Magisk Manager or download at Github.

Support for New Devices

This module made it by injecting proper build fingerprint properties per device, most commonly ro.build.fingerprint. So device support is highly dependent on a working build fingerprint from a certified stock ROM. You can test and find a combination by your own and add to service.sh accordingly.

I used to find those fingerprints hard to search around. Although one fingerprint may work for all devices of a kind, but people barely shares it. Pull requests are very welcomed so we may help one another!

Define: a working fingerprint
For the time being, I test the prop edits working by:

• clean data of Play Store
• reboot for the module to apply (or invoke resetprop through adb)
• open and check certification status in settings. (may have some delay)
• search for Netflix in Play Store.

If you can see Netflix in search results after wiping store's data, then your props edits are good to go!

Enjoy

Q&A
Q:
Only for OP2/OP3/note4? Not support for other device?

A:
To support other device, we need the value of `ro.build.fingerprint` from a stock ROM. I don't own other devices so I may not have chance to extract it. Contributions are welcomed, and I may search for other useful ones in the future..

Q:
What's the difference between this module and this one?

A:
We both solved part of the problem, see my explanation below. I'm happy to contribution my parts, if necessary, to prevent reinventing the wheels.


XDA:DevDB Information
Play Store Visa, App for all devices (see above for details)

Contributors
ttimasdf
Source Code: https://github.com/Magisk-Modules-Repo/playstore_certification_bypass


Version Information
Status: Beta

Created 2018-03-26
Last Updated 2018-03-31

 

[Cbk | Unknown]

Only for OP2/OP3/note4?
Not support for other device?

 

[abacate123]

What's the difference between this module and this one?

 

[Didgeridoohan]

More specifically, to pass SafetyNet, if you are on a custom ROM/Kernel,

• a patch in your kernel like this is REQUIRED
• If you are on stock ROM or other ROMs that enabled dm-verity, never touch system part.
• SELinux is always enforcing

That patch you're talking about is unnecessary if you use Magisk. MagiskHide already changes ro.boot.verifiedbootstate to "green".
MagiskHide also hides a permissive SELinux, so keeping it enforcing isn't necessary to pass SafetyNet if you use Magisk. Although keeping SELinux enforcing is highly advisable...

I'm also curious as to what observations you've made about SafetyNet and a certified Play Store. From my own (very light) research I've found that it relies on SafetyNet. Not directly, but the CTS profile matching part. From the link to Google support in the OP:

If your device is uncertified, Google doesn’t have a record of the Android compatibility test results.

If your device hasn't passed the Android compatibility test, it won't be reported as certified in the Play Store, and it won't pass SafetyNet. On the other hand, if you pass SafetyNet, your device has passed the compatibility test, and then it'll also be certified in the Play Store.

Would love the hear your findings if you're up to sharing.

---------- Post added at 13:27 ---------- Previous post was at 13:25 ----------

What's the difference between this module and this one?

Quite similar in that we both change the device fingerprint. We go about it a bit different, and mine has a couple of other features as well.

 

[zerlkung]

My play store don't have "Device certification" tab :'(

 

[Didgeridoohan]

My play store don't have "Device certification" tab :'(

Can you find and install Netflix? If so, your device is certified. If not, it's uncertified.

 

[nl3142]

Was this created in response to Google blocking GApps on uncertified devices/roms? If so then that is great, I didn't expect a solution to come out so fast.

That being said, based on current reports it would not be hard to create a universal "coyote mode" by getting the existing ro.build.fingerprint and then modifying the build date portion so that it is before March 2018. Said mode would not make the device certified if it wasn't already but would allow GApps to run normally thus the term "coyote mode" (a coyote is a person who smuggles other people across the border).

 

[abacate123]

Was this created in response to Google blocking GApps on uncertified devices/roms? If so then that is great, I didn't expect a solution to come out so fast.

Google is not blocking gapps for custom roms. At least not yet.

In fact, you can actually register an uncertified device using a custom rom (it says android id, but it'll accept the imei number) here: https://www.google.com/android/uncertified/

 

[nl3142]

Google is not blocking gapps for custom roms. At least not yet.

In fact, you can actually register an uncertified device using a custom rom (it says android id, but it'll accept the imei number) here: https://www.google.com/android/uncertified/

Though since the Android ID is regenerated after either every factory reset (pre-Oreo) or even every boot (Oreo) it will be pretty easy to run into the 100 Android ID limit.

 

[abacate123]

Though since the Android ID is regenerated after either every factory reset (pre-Oreo) or even every boot (Oreo) it will be pretty easy to run into the 100 Android ID limit.

IMEI fellow...

 

[nl3142]

IMEI fellow...

Which wifi only devices like tablets don't have, so obviously that isn't going to work.

 

[ttimasdf]

Only for OP2/OP3/note4?
Not support for other device?

As said above, to support other device, we need the value of `ro.build.fingerprint` from a stock ROM.
I don't own other devices so I may not have chance to extract it. So we only need some contributions

 

[ttimasdf]

What's the difference between this module and this one?

Oh, I know that module but didn't read it's doc until you mentioned. In a word, the same solution for different questions.

My problems is, my ctsProfile is True for my phone but I cannot get Netflix from the store. But after some props edit it just works so I published my solution. Maybe I could make a PR into it

That patch you're talking about is unnecessary if you use Magisk. MagiskHide already changes ro.boot.verifiedbootstate to "green".
MagiskHide also hides a permissive SELinux, so keeping it enforcing isn't necessary to pass SafetyNet if you use Magisk. Although keeping SELinux enforcing is highly advisable...

I'm also curious as to what observations you've made about SafetyNet and a certified Play Store. From my own (very light) research I've found that it relies on SafetyNet. Not directly, but the CTS profile matching part. From the link to Google support in the OP:

If your device hasn't passed the Android compatibility test, it won't be reported as certified in the Play Store, and it won't pass SafetyNet. On the other hand, if you pass SafetyNet, your device has passed the compatibility test, and then it'll also be certified in the Play Store.

Would love the hear your findings if you're up to sharing.

---------- Post added at 13:27 ---------- Previous post was at 13:25 ----------



Quite similar in that we both change the device fingerprint. We go about it a bit different, and mine has a couple of other features as well.

Your project goes a lot further than mine but I didn't notice it as a key to my problem :silly:

From my finding, SafetyNet ctsProfile seems to rely solely on ro.build.fingerprint and the "certified" status does the same. The rom I used on Note4 patched the fingerprint and passed SafetyNet from the very beginning.

But Play Store seems to have more verifications on other build props, in my case, ro.build.version.release, ro.build.version.incremental to match the ones in fingerprint. The patch I used for OP3 did not patched them (for I have no time to inspect) so I passed SN, get certified, but still cannot search for Netflix. I don't know it's a more strict policy enforced by Netflix or Google but it makes the certification imperfect. Maybe we shall look into this together

 

[Didgeridoohan]

Oh, I know that module but didn't read it's doc until you mentioned. In a word, the same solution for different questions.

My problems is, my ctsProfile is True for my phone but I cannot get Netflix from the store. But after some props edit it just works so I published my solution. Maybe I could make a PR into it



Your project goes a lot further than mine but I didn't notice it as a key to my problem :silly:

From my finding, SafetyNet ctsProfile seems to rely solely on ro.build.fingerprint and the "certified" status does the same. The rom I used on Note4 patched the fingerprint and passed SafetyNet from the very beginning.

But Play Store seems to have more verifications on other build props, in my case, ro.build.version.release, ro.build.version.incremental to match the ones in fingerprint. The patch I used for OP3 did not patched them (for I have no time to inspect) so I passed SN, get certified, but still cannot search for Netflix. I don't know it's a more strict policy enforced by Netflix or Google but it makes the certification imperfect. Maybe we shall look into this together

Hm... I'm wondering. From what I've tested and seen reported, all that is needed is to pass SafetyNet for your device to be certified. On that we're on the same page though.

I've also seen reported (and experienced) that even after getting your device certified in the Play Store, it can take several reboots and/or up to a whole day before the apps that rely on the certification status (Netflix, etc) to show up/install. Could it be that you were simply experiencing a delay when you couldn't install Netflix? It's possible that any other props are part of the new Gapps blocking on uncertified devices, but somehow I don't think so... I will do more research and report back.

And as a side note, about the CTS profile test:
Changing the device fingerprint is only one part of making a device pass. That causes the devices to be recognised as a certified device with trusted software, even if the manufacturer hasn't certified the device or if you've installed a custom ROM (both would normally cause ctsProfile to be false). It will also report false if your bootloader is unlocked or if you've rooted your device, but both of these will be taken care of by MagiskHide. Xposed will of course also cause issues, but for the ctsProfile check this can actually be fooled by the No Device Check Xposed module. It'll still cause a basic integrity failure though, and be detected in other ways.

I'll be back...

 

[ttimasdf]

Hm... I'm wondering. From what I've tested and seen reported, all that is needed is to pass SafetyNet for your device to be certified. On that we're on the same page though.

I've also seen reported (and experienced) that even after getting your device certified in the Play Store, it can take several reboots and/or up to a whole day before the apps that rely on the certification status (Netflix, etc) to show up/install. Could it be that you were simply experiencing a delay when you couldn't install Netflix? It's possible that any other props are part of the new Gapps blocking on uncertified devices, but somehow I don't think so... I will do more research and report back.

And as a side note, about the CTS profile test:
Changing the device fingerprint is only one part of making a device pass. That causes the devices to be recognised as a certified device with trusted software, even if the manufacturer hasn't certified the device or if you've installed a custom ROM (both would normally cause ctsProfile to be false). It will also report false if your bootloader is unlocked or if you've rooted your device, but both of these will be taken care of by MagiskHide. Xposed will of course also cause issues, but for the ctsProfile check this can actually be fooled by the No Device Check Xposed module. It'll still cause a basic integrity failure though, and be detected in other ways.

I'll be back...

Thanks for the hint. I do a few tests today. My module seems to be broken today but after added Play Store and `com.google.android.gsf` to MagiskHide list it works again.

And most interestingly, the fingerprint for my Note4 from the ROM seems to be blacklisted by Google.
I wiped data, disabled module, reboot. Device become uncertified and even cannot pass `basic integrity`. wipe-enable-reboot become certified and able to download again.

It's a cat and mouse game after all:angel:

Also I tested for the "delay" you mentioned. After a wiped reboot, tested 2 out of 3 times the Netflix shows in result. However, whether it can start download still depends on the certification status. If uncertified, download will say error after some time. With module enabled, the download succeeded normally. So Netflix is the most timely and accurate way to speak if your device is certified.

For I have not yet used any apps that check SafetyNet status at runtime, maybe I'll check it later.

 

[Dreamer(3MF)]

Profound Thanks For You. Your Module Was Useful To Make A Specified One For My Phone. :good:

 

[GeorgePr]

After installing this module, I get force close popup in most Google and non Google apps. FYI, I also have Youtube Vanced installed via Magisk module. I uninstalled the module but I still get the same popups. Also, the device remains certified. Is there any way to actually undo everything? From what I can understand, my device should remain uncertified for everything to work.

 

[ttimasdf]

After installing this module, I get force close popup in most Google and non Google apps. FYI, I also have Youtube Vanced installed via Magisk module. I uninstalled the module but I still get the same popups. Also, the device remains certified. Is there any way to actually undo everything? From what I can understand, my device should remain uncertified for everything to work.

This module merely changed some build props, if and only if your device is supported. Theoretically it should not mess other things around. Check your logcat if there's anything worth notice and clear app data if necessary

 

[TENN3R]

As said above, to support other device, we need the value of `ro.build.fingerprint` from a stock ROM.
I don't own other devices so I may not have chance to extract it. So we only need some contributions

I made a screenshot from my Pixel 8.1 stock - april security patch
Maybe can help for pixel support :good:

Sent from my Google Pixel using XDA Labs

 

[DCvan]

It is working on my Nexus 7 2013 WiFi tablet. Running Flo classic asop 8.1 r28 May 2018 version with Ground Zero Gapps. Did the clear data (clear cache alone didn't work) rebooted and open Playstore, my apps updates and installed tabs show zero item. A few hours later, check again and I get a Certified in Playstore settings.
Thank you, good job! :good:

Also trying on OnePlus One running AEX 8.1 v5.5. currently updates and installed tabs are also zero item. Going to let it be and see if it will populate over time. Under Playstore version build number, nothing under. Before installing Visa module, it say uncertified.

Library tabs on both show my history of apps.