• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!
  • Fill out your device list and let everyone know which phones you have!    Edit Your Device Inventory

MAGISK MODULE ❯ Universal SafetyNet Fix 1.1.0

Search This thread

oldbear3

Member
Feb 4, 2011
36
3
Until the RQ3A.210605.005 update on my Pixel 3a, even with Safetynetfix 1.1.1 installed (and uninstalled and reinstalled) my CtsProfile remains false, so i don't get safetynet checked.
The evaltype is Basic with the module installed but it keeps on refusing the ctsProfile.
Do I miss something or does Google made new changes ?
 

pndwal

Senior Member
Until the RQ3A.210605.005 update on my Pixel 3a, even with Safetynetfix 1.1.1 installed (and uninstalled and reinstalled) my CtsProfile remains false, so i don't get safetynet checked.
The evaltype is Basic with the module installed but it keeps on refusing the ctsProfile.
Do I miss something or does Google made new changes ?
I don't know for sure.

Try disabling any modules other than this one to eliminate these...

Do are you on stock ROM? Do you run any mods to System? PW
 

ReK_

Member
Nov 8, 2010
5
0
GT-i9250
HTC Dragon
I'm having trouble with Google Pay. Magisk says SafetyNet passes with eval basic, however Google Pay won't enable contactless, saying "Your phone doesn't meet security requirements."
  • OnePlus 7 Pro GM1917
  • LineageOS 18.1 (20210606-nightly)
  • MindTheGapps 11.0.0
  • Magisk 23.0 (installed via boot.img, app renamed)
  • MagiskHide Props Config 5.4.0-v128
  • Universal SafetyNet Fix v1.1.1
I've renamed the Magisk app, turned on MagiskHide for all Google services, Google Pay and banking apps, and used the props config to emulate a Pixel 3a. This has gotten SafetyNet passing according to Magisk, and my related banking apps are working fine, but I still can't enable contactless payment in Google Pay. I've checked for the Play Protect certificate issue but it looks like the menus have changed in Google Play and I can't see anything that positively says it passes, but there's also no warning popup or anything that says it fails either.
 

ahecht

Senior Member
Oct 23, 2010
518
308
I'm having trouble with Google Pay. Magisk says SafetyNet passes with eval basic, however Google Pay won't enable contactless, saying "Your phone doesn't meet security requirements."
  • OnePlus 7 Pro GM1917
  • LineageOS 18.1 (20210606-nightly)
  • MindTheGapps 11.0.0
  • Magisk 23.0 (installed via boot.img, app renamed)
  • MagiskHide Props Config 5.4.0-v128
  • Universal SafetyNet Fix v1.1.1
I've renamed the Magisk app, turned on MagiskHide for all Google services, Google Pay and banking apps, and used the props config to emulate a Pixel 3a. This has gotten SafetyNet passing according to Magisk, and my related banking apps are working fine, but I still can't enable contactless payment in Google Pay. I've checked for the Play Protect certificate issue but it looks like the menus have changed in Google Play and I can't see anything that positively says it passes, but there's also no warning popup or anything that says it fails either.
 

ReK_

Member
Nov 8, 2010
5
0
GT-i9250
HTC Dragon
Thanks for that! I may not need the module: I had cleared data for Pay and Services before but not with the airplane mode and reboot trick. After doing it that way adding the card still said "something went wrong" but after clicking OK on the error everything looks good and it says it's ready to be used for contactless. I'll give it a try at a coffee shop tomorrow.
 

Attachments

  • Screenshot_20210613-001715_Google_Play_services.png
    Screenshot_20210613-001715_Google_Play_services.png
    141.2 KB · Views: 88

ju_one06

Member
May 11, 2011
20
2
mythnetworks.com
Hello,
Im have issue bypass safetynet, im install magisk by rename and install thru twrp as zip..then rename back to apk and install apk..
Phone : Redmi Note 9S
OS : Miui 12.0.2.0 Android 11
Im already try safetynet fix from 1.0 to 1.1.1 but still prob..did i miss step or do wrong?..
 
Jun 19, 2021
9
3
Hello,

I was wondering whether there is a way the module survives factory reset ? Or can it be modified to do so ? I am in a situation where I only need to bypass SafetyNet from the initial setup without being able to upgrade Magisk or access the developers options before the test.

Thanks for reading.
 

zgfg

Senior Member
Oct 10, 2016
5,438
2,766
Hello,

I was wondering whether there is a way the module survives factory reset ? Or can it be modified to do so ? I am in a situation where I only need to bypass SafetyNet from the initial setup without being able to upgrade Magisk or access the developers options before the test.

Thanks for reading.
No

Factory reset wipes Data partition

To the other side, Magisk database and all Magisk modules are installed to /data/adb folder - therefore, they will be all wiped by Factory reset
 
Jun 19, 2021
9
3
No

Factory reset wipes Data partition

To the other side, Magisk database and all Magisk modules are installed to /data/adb folder - therefore, they will be all wiped by Factory reset
I mean, there is a "way" to change the app in order to obtain this result. Like Magisk-Frida, the Frida agents survive the factory reset and don't need to be reinstalled by Magisk.
 

zgfg

Senior Member
Oct 10, 2016
5,438
2,766
I mean, there is a "way" to change the app in order to obtain this result. Like Magisk-Frida, the Frida agents survive the factory reset and don't need to be reinstalled by Magisk.
I told you how the nodule installs. Check your /data/adb/modules and consult Magisk documentation on Github (scroll to the Magisk modules chapter):

Otherwise, try Factory reset and report the result
 
Jun 19, 2021
9
3
I told you how the nodule installs. Check your /data/adb/modules and consult Magisk documentation on Github (scroll to the Magisk modules chapter):

Otherwise, try Factory reset and report the result
Thanks for the link. I think I have found a way to circumvent the problem. I could install the module manually from TWRP. I'm just stuck because Magisk doesn't seem to have the "full install" after the initial setup. (The Magisk icon is present after factory reset, but it needs to be installed by the user. I'm wondering whether it's possible to fully install Magisk from TWRP without having to do this)
 

pndwal

Senior Member
Thanks for the link. I think I have found a way to circumvent the problem. I could install the module manually from TWRP.
This module?

... Whole other can of worms. - Most got bootloops doing so.
I'm just stuck because Magisk doesn't seem to have the "full install" after the initial setup. (The Magisk icon is present after factory reset, but it needs to be installed by the user. I'm wondering whether it's possible to fully install Magisk from TWRP without having to do this)
I think mileage varies per device. Many do have App fully functional after Custom Recovery zip Installation.

A factory reset wipes all setup data as discussed. Normal App Uninstall doesn't, unlike other apps, due to separate app data location in /data/adb. PW
 
Last edited:
  • Like
Reactions: BattleRobot_HK47
Jun 19, 2021
9
3
This module?

... Whole other can of worms. - Most got bootloops doing so.

I think mileage varies per device. Many do have App fully functional after Custom Recovery zip Installation. But a factory reset wipes all setup data as discussed. PW
So okay it's risky... Now the biggest problem is finalizing the installation of Magisk without going through the GUI. (Here Fairphone 3) After that I would have the Magisk CLI to install the module. (The purpose is to obtain the module and Magisk fully installed before the inital setup. In this way, I could have a rooted device that bypasses a MDM activation for forensic analyzes)
 
  • Like
Reactions: pndwal
Jun 19, 2021
9
3
It is all good, I have managed to completely install Magisk by enabling USB debugging from TWRP and then adb install the APK before the initial setup. From that, we can install the module with the magisk CLI and the SafetyNet of the MDM is bypassed.
 
  • Like
Reactions: pndwal

Top Liked Posts

  • There are no posts matching your filters.
  • 7
    Thanks, by replacing the EXPosed with LSPOSED solved my problem :)
    By the way isn't there a way or why isn't possible block the safety net backend to be updated?
    You can write an e-mail to Google asking them to stop updating their backend parts on their servers, and explain that it really bothers you because of your issues with EdXposed and SafetyNet 🥸😂😍
    3
    No, like, in sure there's some code running in our devices and probably he is updated to became "better" otherwise how the hell he begin detect from nothing things that he didn't found before? I'm just curious about that... Well I would read a wiki to reply that then whatever
    Google for the official Google document (it has been attached or URL given in some early posts in this thread and/or in General Magisk thread also here on XDA), to read about the SafetyNet architecture and its components consisting of:
    - appilcation calling SN check
    - API part in Google Play Services
    - Google server (backend) side
    - Backend part of the application executing the SN check

    And think for which of those parts you (don't) have control on changes and updates (or you even know when they happen)

    Ofc that Google intents to harden the procedure and they will not ask you and me and zillion of other users for confirmation when they want to make updates to GMS (you could probably block updates of Google Play Services on your phone) or their server side (you have no control whatsoever and Google will not warn you with their Changlogs)

    Hence always be ready that without your awareness of any 'updates' on your phone, things start to behave differently

    And one more thing - you were asking for your problem (expecting that us, others spend our time to read your mail and answer you).
    But in parallel you were participating in this same thread where the same problem was already asked, answered and solution given (to replace EdExposed by LSposed) - but you didn't bother to read that discussion, to search about, etc.
    Think what if everybody would be lazy and ignorant to read other posts - who would anawer to questions from you or somebody else?!
    This is a Forum (and there are rules to read and search before asking!), not a Telegram channel where every soul lost in virtual world posts dozen of his cats every day and the same things are asked every hour (because, nobody could follow the whole noise of thousands of useless posts every day)

    Sorry, I didn't want to be arogant, but some things really bother
    3
    Galaxy S20 with Android 11 stock suddenly fails safetynet since two days ago, no change made to phone. Check type is still basic, not hardware. Has Google changed something and this doesn't work anymore?
    Samsung Galaxy J6 SM-J600FN Android 10 (crDroid unofficial): ctsProfile doesn't word :(
    sm-g9600 stock Rom. If I set SafetyNet Fix, getting random reboots..(sometimes it's just enough for someone to call). But all the checks pass and the Gpay works fine. If I remove this module via Magisk - I don't see any more reboots.
    Guys, if you have tried without EDXposed and still have issues with Universal SafetyNet Fix, try this experimental solution c/o OP @kdrag0n (thanks Danny! 👍👍👍 ), already working for many (Samsung especially) with 'heavily skinned' OS's like One UI (with non AOSP keystore implementation, etc):

    Shim the keystore service instead of replacing it #13​

    This method is more portable, does not require a different executable for each Android version, and avoids breaking ROMs with heavy keystore customizations. It works by injecting a shared library into the keystore service and wrapping the Binder transaction handler in the generated AIDL interface...

    Scenarios and issues to test​

    • 32-bit ARM devices
    • Heavy OEM skins
    • Samsung One UI
    • MIUI
    • Broken biometric authentication in apps
    • Unstable system (i.e. rebooting and/or crashing)
    https://github.com/kdrag0n/safetynet-fix/pull/13#issuecomment-767863635

    Nb. S9 and other users still report problems with this, but additional working module variations for several specific devices are found in the closed issues mentioned / linked from PR thread above. These solutions use Keystores from specific OneUI/other OS versions. You'll likely find a modified fix for your particular Sammy device in this post or elsewhere in this long issue thread:
    https://github.com/kdrag0n/safetynet-fix/issues/6#issuecomment-764129632

    Happy reading! PW
    2
    So what if there were no 'updates' on your EdXposed - G makes changes on their side (SafetyNet consists also of the backend part and you don't see their 'updates')

    Users clearly described that EdXposed (if using it) causes a problem now and must be replaced by LSposed
    Thanks for helping I made replace EdXposed by LSposed now work fine again thanks
    2
    Worked with the LSPosed, basic integrity and ctsProfile are ok, but my banking aplications still can't work due the phone being rooted (In the second screenshot says: Acces Denied For security measures, the app can't be used in devices which had obtained root privileges). Any suggestion on that situation?
    Check if Play Protect (PlayStore settings) says Device is certified, clear PlayStore and Play Services data if not.

    After that, hide root from bank app in MagiskHide list, toggle MagiskHide off and on again in Magisk settings, clear bank app data, reboot, try/set up bank app again.

    If still not working, bank employs custom measures in addition to checking SafetyNet API (as they are aware, like us, that SafetyNet is unreliable pre full hardware Tee activation 😜). Check measures to take here:
    https://www.didgeridoohan.com/magisk/MagiskHide#

    https://www.didgeridoohan.com/magisk/MagiskHide#

    Hope it helps... Thanks (like) button feels forgotten! 😀 PW
  • 188
    Universal SafetyNet Fix
    Magisk module​

    This is a universal fix for SafetyNet on devices with hardware attestation and unlocked bootloaders. It defeats both hardware attestation and the new SafetyNet CTS profile updates released on January 12, 2021. The only requirement is that you can pass basic attestation, which requires a valid combination of device and model names, build fingerprints, and security patch levels.

    Passing basic attestation is mostly out-of-scope for this module; this module is meant to defy hardware attestation, as well as reported "basic" attestation that actually uses hardware under-the-hood. Nonetheless, it features a few basic attempts at helping pass basic attestation on some devices, especially older devices and devices running stock ROMs.

    No device-specific features (such as the new Pixel-exclusive Google Assistant design or screen-off voice match) will be lost with this fix.

    Android versions 8–11 are supported. Heavy OEM skins are not officially supported, but they may work depending on your luck and the particular ROM in question. Please do not report problems on such ROMs.

    How does it work?
    The way this workaround works is relatively low-level. An in-depth explanation, as well as source code and ROM changes, can be found on GitHub.

    Ideally, this workaround should be incorporated in ROMs instead of overriding part of the ROM in a Magisk module. The ROM changes for it are linked above for ROM developers to use.

    Downloads
    Downloads and changelogs can be found on GitHub. The topmost release is the latest.

    Telegram group
    Source code

    If this helped you, please consider donating to support development: recurring donation for sustainable support or buy me a coffee. Thank you for your support!
    22
    I managed to fix the 3rd party app fingerprint issue on my Samsung w/ Android 10 (commented on this Github issue too). Basically the AOSP keystore is not fully compatible with the Samsung one so I decided to binary patch the one on my phone and ended up with this module. Now both fingerprint and SafetyNet works.
    Notes:
    - This disables key attestation for every app, idk if it breaks anything, nothing broke so far
    - Only change is the replaced system_sdk29/bin/keystore with the Samsung one (8 bytes modified)
    - Only works on Android 10
    - Might or might not work for you, use at your own risk.
    13
    Universal SafetyNet Fix v1.1.1 is now available.

    Changes
    • Removed security patch fixup to fix CTS profile mismatches on some devices

    Download

    Some devices will now need to use MagiskHide Props Config in addition to this module in order to pass CTS profile checks as part of basic attestation. Altering the CTS profile is no longer in scope for this module as it breaks more devices than it fixes.

    If this module helped you, please consider a recurring donation for sustainable support, or alternatively buy me a coffee. Everything helps, but a recurring donation is the best way to keep the project alive in the long term.

    Issues on heavy OEM skins
    This is a reminder that heavy OEM skins are not officially supported. They may happen to work depending on your luck and the particular ROM in question, but nothing is guaranteed. Please do not report problems on such ROMs. It's surprising that it works at all on them; I wouldn't expect everything to be fully working. I will not provide more support for issues related to heavy OEM skins.

    The compatibility issue does not lie in the SafetyNet fix itself, but rather how the Magisk module is built. It's possible to make the Magisk module version of the fix slightly more portable, but I have no interest in supporting heavy OEM skins, nor do I have any devices running such ROMs.

    You will always have the best luck with a ROM not too far from AOSP, e.g. most custom ROMs and Pixel stock ROMs.
    7
    Thanks, by replacing the EXPosed with LSPOSED solved my problem :)
    By the way isn't there a way or why isn't possible block the safety net backend to be updated?
    You can write an e-mail to Google asking them to stop updating their backend parts on their servers, and explain that it really bothers you because of your issues with EdXposed and SafetyNet 🥸😂😍
    6
    Everyone having issues passing basic attestation after installing the module, please try the attached versions.

    There have been quite a few reports of fingerprint unlocking in apps breaking on One UI. This is not something that is planned to be fixed, because One UI is a heavy OEM skin that is not officially supported. It's surprising that it works on One UI to begin with.