
MAGISK MODULE ❯ Universal SafetyNet Fix 1.1.0


Pippolepippa

Member
Sep 16, 2010
7
7
Hi guys, Samsung S10 here with stock rom. Discard the below and sorry for the noise. After installing the (paid) 2.0.0 version from @kdrag0n, I now pass both basicIntegrity and ctsProfile (with evalType BASIC).


I have tried both the xprivacylua route and the safetynetfix route (I actually have both at the moment).

I'm passing basicintegrity, have evalType=Basic (yeah!) but I'm failing ctsProfile.
 

F308

Senior Member
Feb 25, 2013
384
61
EU
My LSPosed on Galaxy A41, Android 11, said it was not fully activated because it could not modify the SELinux configuration, and then xprivacylua did not work either.
BTW:
I observed the same behavior when I tried to change SELinux status from the terminal about 2 months ago, running the command as root of course.

Still seeking a solution, reading the XDA forum too.
 

pndwal

Senior Member
Hi guys, Samsung S10 here with stock rom. Discard the below and sorry for the noise. After installing the (paid) 2.0.0 version from @kdrag0n, I now pass both basicIntegrity and ctsProfile (with evalType BASIC).


I have tried both the xprivacylua route and the safetynetfix route (I actually have both at the moment).

I'm passing basicintegrity, have evalType=Basic (yeah!) but I'm failing ctsProfile.
Actually, I wondered if that may fix/help! Thanks for confirming.

I had seen the XDA Editor-in-Chief's response to John Wu here:
www.twitter.com/topjohnwu/status/1433496852054216738
but wasn't sure, and didn't get a response...

Worth $6 USD!... Love to know if this is a universal fix...

Link for any interested:
https://kdrag0n.dev/patreon/safetynet-fix/v2.0.0?utm_source=github PW
 

lordmd

Member
Dec 30, 2017
8
3
For my POCO X3 Pro (EEA latest stock rom update) the method with XPrivacyLua worked fine. Showed the device as certified again - in play store.

Only for the safetynet check in Magisk Manager I needed (which I forgot first and it threw me still the failure) to also force stop (to make it restart) the play services.

I only blocked the tracking in XPrivacyLua. Also Netflix showing in play store. (I think I did not even get to see Netflix there - usually not checking this since I do not use Netflix - before ... when weeks ago the safety net check still worked.)

Since I already used Riru and LSPosed for other stuff - this was no big deal for me to add/change ... at my phone. Let's see what Google is trying next. (My banking software though ... did not even check safetynet. Hiding in MagiskHide was enough. So I still have some leeway ... only used 1 other software that made problem. From my public health insurance some app to store personal data about the health. And data protection laws in my country are very strict forcing them to do a lot of checks lol.)
 

Courtrick

Senior Member
Dec 12, 2019
58
7
Samsung Galaxy A71
I'm on galaxy a71, magiskhide working until a few days ago but no longer works.

Tried downloading safetynet fix 2.0.0 but it didn't work

Currently passing basicIntegrity but not ctsProfile with eval type basic

does anyone have any idea on how to fix


fixed using device simulation
 

jumpers

Senior Member
Nov 11, 2010
274
46
31
Charleroi
Hi everyone,

I found nothing with the search function, but the search since XDA changed its board system is totally weird, so I'm asking.

I'm running an Exynos Galaxy S10+ with Android 11 (oneUI 3.0), and i'm getting soft-reboots something like everyday since i have the fix installed.
the fix seems working for "safetynet checking apps", but those reboots are a bit annoying. (notification loss, randomness of those reboots, etc.)

is this a known issue ? and is there a workaround ? (it seems something that 2.0.0 fixes, because it's supporting heavy modified systems, but i'm not sure it's related to my reboots)

have a nice day.
 

Lord Sithek

Senior Member
Dec 19, 2018
882
401
Xiaomi Redmi Note 4
Huawei Watch 2
Hi everyone,

I found nothing with the search function, but the search since XDA changed its board system is totally weird, so I'm asking.

I'm running an Exynos Galaxy S10+ with Android 11 (oneUI 3.0), and i'm getting soft-reboots something like everyday since i have the fix installed.
the fix seems working for "safetynet checking apps", but those reboots are a bit annoying. (notification loss, randomness of those reboots, etc.)

is this a known issue ? and is there a workaround ? (it seems something that 2.0.0 fixes, because it's supporting heavy modified systems, but i'm not sure it's related to my reboots)

have a nice day.
Most probably I was facing the same on my Tab S5e. You need the variant with shimming keystore: https://github.com/kdrag0n/safetynet-fix/pull/13#issuecomment-767863635
 

Philnicolls89

Senior Member
Jun 28, 2019
672
294
32
A.C.T
Samsung Galaxy S10+
Hi everyone,

I found nothing with the search function, but the search since XDA changed its board system is totally weird, so I'm asking.

I'm running an Exynos Galaxy S10+ with Android 11 (oneUI 3.0), and i'm getting soft-reboots something like everyday since i have the fix installed.
the fix seems working for "safetynet checking apps", but those reboots are a bit annoying. (notification loss, randomness of those reboots, etc.)

is this a known issue ? and is there a workaround ? (it seems something that 2.0.0 fixes, because it's supporting heavy modified systems, but i'm not sure it's related to my reboots)

have a nice day.
Here is the shim variant that I use for my s10+, is working fine with no random reboots or other issues.
 

Attachments

  • safetynet-fix-shim-MOD.zip
    96.6 KB · Views: 115

InsaneMF

Member
Jan 6, 2014
41
12
Gliwice
Redmi 9 Power
Redmi 9T (lime), Android 11, Miui 12.6 (xiaomi.eu 21.9.1)

Unfortunately, SafetyNet doesn't go through (API error).
Both the safetynet-fix-shim-MOD.zip method and the Telegram method do not work. The only thing that remains is waiting.
 

pndwal

Senior Member
Right, I forgot we need a modded version to pass SN right now
To be precise however, seems 'we' don't.

Some (like me; RN8T, & Mi Pad 4,) are still unaffected with previous measures only.

Those with the issue report a number of fixes incl XPrivacyLua method, latest 'early release' USNF module (weeks or so old now, and not created specifically for this Google change) and various methods of altering one or more of the several model props to cause the fallback to basic attestation (the modded USNF modules were simply created as a convenient single-fix solution for many, but old USNF still works when combined with old HardwareOff module, MHPC module configured to Force Basic attestation (seems that's actually what's needed despite it being "under-the-hood" use of Hardware attestation that occurs despite evalType = Basic) or for Device Simulation or simply set to 'delete' ro.product.model prop, or a simple boot script applied).

So really there's an arsenal of fixes aside from modded versions of this (USNF) module. 😜

Various alternatives (w/ links) here:
https://forum.xda-developers.com/t/magisk-general-support-discussion.3432382/post-85582201 🤠 PW
 

jumpers

Senior Member
Nov 11, 2010
274
46
31
Charleroi

InsaneMF

Member
Jan 6, 2014
41
12
Gliwice
Redmi 9 Power
That's not a fail...

If evalType = N/A, check your internet / network access, firewalls, adblocker etc. 😜 PW
I do not know what's wrong.

Installs a fresh ROM (clean install). I enable developer options and install Magisk. Nothing seems to be blocking.
Access to WiFi and GSM network is available, I do not use firewall and adblocker. Nothing else is installed on the system so far, even no configured accounts.

I will keep trying .... Thanks a lot for the response (y)
 

pndwal

Senior Member
I do not know what's wrong.

Installs a fresh ROM (clean install). I enable developer options and install Magisk. Nothing seems to be blocking.
Access to WiFi and GSM network is available, I do not use firewall and adblocker. Nothing else is installed on the system so far, even no configured accounts.

I will keep trying .... Thanks a lot for the response (y)
Have you tried w/ WiFi off to use mobile network data? (Could be a WiFi network setting.) PW
 

Phil21185

New member
Jun 10, 2018
2
1
Logged in from an ancient account to say that the paid version of kdrag0n's module worked fine for me, when other methods didn't (xprivacylua, etc.)

S10e, android 9, unlocked bootloader, magisk.

Edit: Scratch that - removed riru and xprivacylua and SN reverts to hardware and fails CTS. Funny how it wouldn't pass without USNF though.

EDIT edit: That's because I'm dumb and it needs riru to work. Facepalm...


Edit #3: now my Halifax app won't work. All other banking apps are fine, and this one was before I started, with MagiskHide active on the Halifax app, but Manager itself not hidden. I did update manager to the latest version though...?
 

Top Liked Posts

  • 5
    Sadly, I've now managed to install both the Riru module and Universal SafetyNet Fix module, and even with both working, my phone doesn't pass either stage of the SafetyNet test built into Magisk. So weird... I feel like I'm missing something really obvious here, but I've tried everything suggested so far, without luck.

    Interesting, that about Canary. Doesn't sound too enticing to me - I'm far too much of a non-techie user to be dwelling into a basically alpha program. Maybe if it turns out to be the only chance I have to pass SN, I could give it a try... But I'd much rather stay in regular Magisk for now, tbh.

    And yeah, I imagined it had something to do with Google updating SN or something like that. And yes, sadly, one of the main things I was reading up on is how the "root scene", or at least the root-hiding scene, is coming to an abrupt ending with these hardware verification methods, and now Magisk creator going over to the "dark side" and working with the enemy. Sad times, I guess.

    I know for a fact, though, that Magisk is working (or should be working) right now, and I'd love to use it as long as I possibly can...
    Must say I completely disagree with your assessment of John's current employer as 'the dark side' / 'the enemy'... His previous appointment was with Apple.... I suppose they're the light side / our friends in your book? 😝😜😬

    I could argue Google are our benefactors, building in easy unlocking / modifying ability (that only certain manufacturers circumvent), and even knowingly allowing modding community (which their reps even describe as 'White Hat') to 'subvert their security model' and bypass SafetyNet until now... (Does the competition do this?) but sure, patching this obvious 'hole' is clearly on the agenda (to thwart 'black Hat' crooks / hackers / thieves / scammers / swindlers / fraudsters...), only it seems because their corporate partners (many having their own requirements as GPay & Samsung Pay partners for example) are demanding it & G risks losing market share to their major competitor... and they have already...

    I've mentioned before that many government / security conscious entities already ban Android devices at work and often purchase / issue iPhones as a security measure... I think we just need to 'get real' here... I don't believe G will suddenly become anti-root anytime soon however...

    Android will likely remain the only competitive out-of-the-box mod-able platform for some time despite tightening attestation to TEE (which really only safeguards proprietary software / interests), and this is largely thanks to Google and the Open Handset Alliance they established having an inclusive vision re. custom mods incl many open source projects... They create all the major milestones that make Android what it is / keeps it innovative, usually in closed-shop builds for their own flagship devices before releasing AOSP code...

    Xiaomi then takes this vanilla experience and gives you Mocha MIUI which you loathe having developed Sudden Chocolate Taste Aversion, so you tip the mug out and fill it with a more pure AOSP experience again... courtesy of...
    ...
    GOOGLE!

    Want more detail? Here:
    https://forum.xda-developers.com/t/magisk-general-support-discussion.3432382/post-85140701
    and here:
    https://forum.xda-developers.com/t/magisk-general-support-discussion.3432382/post-85142363

    Sorry for the OT folks!

    Back to the subject, I missed that you run a custom ROM. This likely means you'll need Magisk Hide Props Config module w/ a certified fingerprint configured in addition to USNF as spoofing Compatibility Test Suite certified ROM is out of scope for USNF as mentioned in USNF GitHub instruction page.

    Further, please say what Magisk App Check SafetyNet says for evalType. Are you seeing Basic, N/A or other? (If this check is no longer working, you can alternatively use new YASNAC checker).

    Nb. Try toggling MagiskHide off then on again in settings to pass and then clear Google Play Services and Google Play Store data to get Play Protect (check in Play Store settings) device certification pass.

    Nb. Several modules (eg EDXposed) break SafetyNet, so ensure all but Riru and USNF 2.1.2 are disabled initially.

    If you still have issues, please give more details, eg what custom ROM? (Just remembered, some ROMs themselves, eg Pixel Experience, are themselves incompatible with new USNF solutions due to their manipulation of props in custom utils; swap to cleaner ROMs like LOS or petition ROM Dev to fix internally...)

    🤠 PW

    Edit:

    Bit further re. your inability to hide Magisk App and / or use Check SafetyNet; this would indicate that something may be borked in Magisk setup, or you may have network issues (I believe public builds still have use online stub APK). Do you use a firewall / adblocker etc, or similar on modem / router if using a hotspot? (Try with mobile data if previously using wifi).
  • 13
    Here I am, again. Some more cleaning of the thread was necessary.

    I'm only saying this once: do not start any drama in the thread.

    Users that do not want to or are not capable of paying what the pre-releases cost should just sit tight and wait. Until the pre-release becomes public (usually within a few weeks) whoever doesn't have/want access to it will have to use the currently publicly available releases. That might mean you need to use experimental releases of Magisk (of which there are a few), or the latest stable official Magisk release. Or you just suck it up and wait.

    That's it. It's that simple.

    No more drama or discussion of what is or isn't warez will be tolerated.

    Have a great day.
    10
    A friendly Announcement (Not)

    Okay, sadly for the second time in a few days I have been personally PM'd, asking for a copy of the latest
    Universal SafetyNet Fix

    Just now, by some newbie with a total of 3 posts, probably only signed up to try and grab a copy of it

    Here's the message I replied with, and anyone else considering badgering other members for paid content should read and absorb

    Why are you asking me?

    It's a paid version, which will be released freely in a week or so

    Asking for paid content for free is the same as asking for Warez, and is banned on here

    DO NOT ASK AGAIN


    For starters, I'm not a Patreon member of @kdrag0n's, I get my copy the same time as most people do when it's graciously released after early adopters have a crack at it, and even if I did get it early, I wouldn't share it

    So stop asking

    Any further PMs I get or hear of, asking for a copy of an early release, will be forwarded to admin same as if you asked for warez on here...simple

    Update:

    Seems the 2nd guy didn't get the message:

    Follow-up message: "Sorry, I come from a poor country and cannot pay, please share the module link, thanks"

    Reported to admin
    10
    Hi everyone. A general announcement requires your attention:

    Let me direct your attention to the forum rules, and in particular rule #6:
    If a piece of software requires you to pay to use it, then pay for it.

    There's currently a pre-release of USNF, available for @kdrag0n's Patreon supporters. It'll most likely eventually make its way to the general public, like all the previous releases, but until then it requires you to pay... It might take a week, it might take a month, but the important part is that if you can't/won't pay for the software you wait and use the releases that are currently available to you.

    End of story.

    If you have anything to add or any questions my inbox is always open.

    Best regards
    Didgeridoohan
    Senior Moderator/Developer Committee/Developer Relations
    7
    Latest kdrag0n
    Universal SafetyNet Fix Changelog:
    · v 2.2.0

    Changes since 2.1.1:

    • Ported module to Zygisk
    • Fixed screen-off Voice Match in Google Assistant
    • Fixed poor microphone quality with Voice Match enabled on Pixel 5
    • Fixed At a Glance weather display on Android 12
    • Fixed At a Glance settings on Android 12

    This version only supports Zygisk (latest Magisk Canary). See v2.1.2 for a Riru version.

    Download

    This version is currently only available to early access supporters. (Pledge now to get access or purchase one-time access.)

    https://kdrag0n.dev/patreon/safetynet-fix/v2.2.0

    👍😛 PW
    7
    When will the latest versions be released to GitHub?

    I thought 1 week of paid-only downloads was the standard.

    Dev Rule #1 :

    Never ask for an ETA
  • 228
    Universal SafetyNet Fix
    Magisk module

    This is a universal fix for SafetyNet on devices with hardware attestation and unlocked bootloaders. It defeats both hardware attestation and the new SafetyNet CTS profile updates released on January 12, 2021. The only requirement is that you can pass basic attestation, which requires a valid combination of device and model names, build fingerprints, and security patch levels.

    Passing basic attestation is mostly out-of-scope for this module; this module is meant to defy hardware attestation, as well as reported "basic" attestation that actually uses hardware under-the-hood. Nonetheless, it features a few basic attempts at helping pass basic attestation on some devices, especially older devices and devices running stock ROMs.

    No device-specific features (such as the new Pixel-exclusive Google Assistant design or screen-off voice match) will be lost with this fix.

    Android versions 8–11 are supported. Heavy OEM skins are not officially supported, but they may work depending on your luck and the particular ROM in question. Please do not report problems on such ROMs.

    How does it work?
    The way this workaround works is relatively low-level. An in-depth explanation, as well as source code and ROM changes, can be found on GitHub.

    Ideally, this workaround should be incorporated in ROMs instead of overriding part of the ROM in a Magisk module. The ROM changes for it are linked above for ROM developers to use.

    Downloads
    Downloads and changelogs can be found on GitHub. The topmost release is the latest.

    Telegram group
    Source code

    If this helped you, please consider donating to support development: recurring donation for sustainable support or buy me a coffee. Thank you for your support!
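
The relying party's side of the verdicts discussed in this thread (basicIntegrity, ctsProfile, evalType), as an added example that is not part of any post or of the module's code: a server-side policy check over the payload of a SafetyNet attestation response, showing that a verdict evaluated only as BASIC can be rejected by a backend that requires HARDWARE_BACKED. The package name, nonce, clock value and freshness window are hypothetical, the sample tokens are constructed, and verification of the JWS signature and certificate chain is assumed to have been done by the caller beforehand.

```python
import base64
import hmac
import json

MAX_AGE_MS = 5 * 60 * 1000  # assumed freshness window for a verdict


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def parse_payload(jws: str) -> dict:
    """Decode the middle segment of a compact JWS (signature NOT checked here)."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    seg = parts[1]
    payload = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    if not isinstance(payload, dict):
        raise ValueError("payload is not a JSON object")
    return payload


def evaluate(jws, nonce: bytes, package: str, now_ms: int, require_hardware=True):
    """Return (accepted, reasons) for an attestation whose signature and
    certificate chain were already verified by the caller."""
    try:
        p = parse_payload(jws)
    except ValueError as exc:  # covers bad base64, bad JSON, bad shape
        return False, [f"malformed token: {exc}"]
    reasons = []
    if p.get("basicIntegrity") is not True:
        reasons.append("basicIntegrity failed")
    if p.get("ctsProfileMatch") is not True:
        reasons.append("ctsProfileMatch failed")
    # The response echoes the request nonce as standard base64.
    sent = base64.b64encode(nonce)
    if not hmac.compare_digest(str(p.get("nonce", "")).encode(), sent):
        reasons.append("nonce mismatch")
    ts = p.get("timestampMs")
    if not isinstance(ts, int) or abs(now_ms - ts) > MAX_AGE_MS:
        reasons.append("stale or missing timestamp")
    if p.get("apkPackageName") != package:
        reasons.append("unexpected package")
    # evaluationType is a comma-separated list such as "BASIC,HARDWARE_BACKED".
    types = {t.strip() for t in str(p.get("evaluationType", "")).split(",")}
    if require_hardware and "HARDWARE_BACKED" not in types:
        reasons.append("evaluationType lacks HARDWARE_BACKED")
    return not reasons, reasons


def sample_token(**overrides) -> str:
    """Constructed token for the demo; the signature segment is a dummy."""
    payload = {"nonce": base64.b64encode(NONCE).decode(), "timestampMs": NOW_MS,
               "apkPackageName": PACKAGE, "ctsProfileMatch": True,
               "basicIntegrity": True, "evaluationType": "BASIC,HARDWARE_BACKED"}
    payload.update(overrides)
    header = _b64url(json.dumps({"alg": "RS256"}).encode())
    return ".".join([header, _b64url(json.dumps(payload).encode()), _b64url(b"dummy")])


NONCE = b"constructed-nonce-0123456789abcdef"  # constructed sample value
PACKAGE = "com.example.bank"                   # hypothetical app
NOW_MS = 1_631_000_000_000                     # fixed clock, deterministic demo

if __name__ == "__main__":
    for label, tok in [("hardware", sample_token()),
                       ("basic only", sample_token(evaluationType="BASIC")),
                       ("cts fail", sample_token(ctsProfileMatch=False))]:
        print(label, evaluate(tok, NONCE, PACKAGE, NOW_MS))
```
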
    28
    ok so there is a solution

    get the magisk module riru

    after you get riru get LSPosed

    after you get LSPosed get xprivacylua (in the LSPosed app)

    select play services in the xprivacylua settings IN the LSPosed app

    AND in the xprivacylua app itself after you've restarted.

    clear play service data

    check safetynet in magisk - enjoy?

    I would reboot between each step just to be safe but I know it's necessary to load the xprivacylua module

    s/o to saitama_96 for discovering it or so I'm led to believe
    22
    I managed to fix the 3rd party app fingerprint issue on my Samsung w/ Android 10 (commented on this Github issue too). Basically the AOSP keystore is not fully compatible with the Samsung one so I decided to binary patch the one on my phone and ended up with this module. Now both fingerprint and SafetyNet works.
    Notes:
    - This disables key attestation for every app, idk if it breaks anything, nothing broke so far
    - Only change is the replaced system_sdk29/bin/keystore with the Samsung one (8 bytes modified)
    - Only works on Android 10
    - Might or might not work for you, use at your own risk.
    21
    It's in progress.

    Worth noting when @kdrag0n does publish the new Zygisk rewrite of USNF then gms and unstable will actually need to be removed from the DenyList for the module to function correctly, not added like some people are doing now to get previous USNF versions working.
    18
    v2.1.0 is officially released and open sourced now, so everyone can stop being ****ing babies. 😏👍