MAGISK MODULE ❯ Universal SafetyNet Fix 2.3.1


zgfg

Senior Member
Oct 10, 2016
7,801
5,209
> If update, system bootloop. Android 10 support last Magisk 20.4
Where do you see in Magisk Documentation on GitHub that Magisk v25 requires A11 or higher?

The other thing is if your particular (maybe custom) ROM has issues with newer Magisk (especially if it was released pre-rooted with some old version of Magisk - bad practice, and long ago TJW documented on GitHub that developers should not do that) or if you use some modules that are not compatible with Magisk v25 (you can always disable/uninstall modules before updating)

Anyway, old Magisk is deprecated and you can hardly expect that anybody will continue developing modules, etc for those versions

Btw, I even think that I saw a modded version for Riru (in that case it could work for you) but you will need to look in this thread or in GPay thread. No guarantee

Eg, in Magisk v24 support for A12 was added but it doesn't mean that it is limited to A12
 


hulyahulya

Senior Member
Feb 19, 2019
168
10
Sorry, my bad, I did something wrong. I installed the system, now Magisk 25.2 and safetynet-fix-v2.3.1. But I don't see the SafetyNet check button, hide Magisk and the hide-program part in Magisk.
 

hulyahulya

Senior Member
Feb 19, 2019
168
10

There is no SafetyNet check and no hide program for root. I downloaded a SafetyNet check app. It says it passed. Google Play says it has a certificate. But the bank app says it's rooted.
 

zgfg

Senior Member
Oct 10, 2016
7,801
5,209
There are a LOT OF changes since Magisk v24. Please read the CHANGELOG

And there is a new thread with very good OP posts covering the important changes and the needed know-how for new users in Magisk v24/v25.
Just search for Magisk Zygisk thread on XDA and please read
 

hulyahulya

Senior Member
Feb 19, 2019
168
10
I have a question. Right now I can pass SafetyNet in 2 different ways: Magisk 20.4 with safetyfix 1.2.0, and Magisk 25.2 with Zygisk and safetyfix 2.3.1. One is the old method, the other is the new method. For Android 10, which one is better?
Does the old version or the new version affect battery life?

@zgfg
 

zgfg

Senior Member
Oct 10, 2016
7,801
5,209
I've never seen a discussion about Magisk battery consumption and don't recall complaints about it

Google is switching from SafetyNet to Play Integrity and USNF 2.3.1-mod was developed to pass (testing app can be also found in this thread)

As of today, detection of the old MagiskHide (present in Magisk up to v23) has been made public (detection code and how-to description)

Hence you should better keep up with the new stuff
 

hulyahulya

Senior Member
Feb 19, 2019
168
10

I'm using Android 10 because of better battery life in my tests.
For system stability, old method or new method, maybe that was the better question. Because after safetyfix v1.1.1, for Android 11 and later. It still supports Android 10, but is anything still new in those updates?
 

zgfg

Senior Member
Oct 10, 2016
7,801
5,209
Don't understand your question or it is out-of-topic

I answered about Magisk v25 and new stuff like USNF 2.3.1-mod, etc

They all work with your Android 10 or newer Android versions

---

Usually, new Android versions eat more battery, and old devices may work more fluid with the original/older Android

But what is your device, how the new Android versions (stock or custom) would work and consume battery - sorry it is totally out-of-topic here, and you should better discuss on the (sub)forum for your device, with peers having the same phone who can better tell you their experience
 

hulyahulya

Senior Member
Feb 19, 2019
168
10
My English is not very good.
I guess I didn't explain exactly what I wanted. So let me ask you this briefly. Is there any system change in terms of using magisk 20.4-safetyfix v1.2.0 and magisk 2.5.2 safetyfix v2.3.1? Does it make a difference to the system no matter which one I use? Either way I pass SafetyNet
I have a Mi 10T, Android 10, MIUI 12.0.4
 

zgfg

Senior Member
Oct 10, 2016
7,801
5,209
Sorry, it goes nowhere

What is "safetyfix" - there is SafetyNet API and Universal SafetyNet Fix (USNF) module

Of course there is a substantial difference between the old USNF 1.2 and 2.3 - the new one utilizes Zygisk to target spoofed props exclusively to GMS=Google Play Services (the old one spoofed props for everybody and that way it might affect the other apps and services that rely on reading/knowing the correct/not spoofed props for your device and ROM)

And AGAIN, Google is switching from SafetyNet API to Play Integrity API (already used in eg Wallet), and to pass, you need USNF 2.3.1-mod (hence not even the 2.3.1 version from OP post)

Of course, if the old Magisk with the old USNF works fine for you and you don't see a reason to update, you can continue using the old - your choice

Good night
 

wugga3

Senior Member
Oct 15, 2014
109
35
Ontario
OnePlus 7T
USNF 2.3.1-mod seemed to get me Netflix back into the Google Play store finally... Either that or registering my device online restored device certification. Funny how I've 2 major bank accounts with zero past or current problems yet Netflix is the only one complaining about device compatibility????

Sent from my ONEPLUS 7T HD1900
Stock OOS11.0.9.1 global
Magisk/App 25.2

Thanks everyone for everything.... You're all the best
 

ipdev

Recognized Contributor
Feb 14, 2016
1,917
1
3,512
Google Nexus 10
Nexus 7 (2013)

What can I say ... I skip over your posts. 😜

Actually I did not see there was another page in the thread last night.
My two posts were added to the bottom of the screen and then xda went offline for maintenance.
Once xda was back up, I continued catching up in other threads.
I see I missed 8-9 posts last night. 🙃

Cheers. :cowboy:
 


ipdev

Recognized Contributor
Feb 14, 2016
1,917
1
3,512
Google Nexus 10
Nexus 7 (2013)
> latest magisk (zygisk)
>
> I have google play services 22.26.15
> playstore 31.7.27-21 (0) PR
>
> the safetynetfix (last 2.3.1) does not certify the playstore
> tried force stop, clear data, etc

Need a bit more information.

What is your device and setup?

Are you passing SafetyNet?

Did you force stop and clear cache and data for both Play Store and Play Services?

Cheers. :cowboy:
 

LedgendaryEpics

Senior Member
Jun 14, 2018
195
51
> (Google Play) SERVICES is not (Google Play) STORE
>
> Different words (!) and hence different things
>
> Store is an app (you need to buy/download apps and games from the Google store) but Services is the background service, with various Google APIs
>
> Store cannot work without Services, but Services do not need Store.
> Similarly, Maps need Services (but not vice versa), etc
>
> Again, Services are kind of a core for GApps, used by various other Google apps (but not limited to apps from Google, since open APIs can be called by any other app)
I got you now, before the edits your posts seemed kinda vague to me. I understand now, hopefully I will be able to use contactless payments again soon.
 

pndwal

Senior Member
> Interesting.. when did this start showing up after replying to a post when not in the last page of the thread? :unsure:
> I do not remember seeing that last night.
>
> Cheers. :cowboy:
Seen it for a while now... can be we see own post but not other new ones w/o refresh, and mileage varies between app and browser too... 😛 PW
 

hulyahulya

Senior Member
Feb 19, 2019
168
10
I have installed a new fresh system from TWRP. I have only WhatsApp, nothing else. First I installed the old Magisk and tested battery drain, and today I tried the latest Magisk. I'm 100% sure Magisk versions affect battery life. The latest version drains the battery faster
 

bishoy ashraf

Senior Member
Aug 30, 2015
123
6
> So, here is my modification of USNF with Play Integrity API bypass.
>
> It changes fingerprint to old 7.1.2 6.0 (LOL) and applies it only for GMS SafetyNet process (by Zygisk injection), so your original prints/security patch level does not change. This avoids many side effects/problems with global props changing.
>
> Updated:
> Drop fingerprint to lowest possible (6.0) to ensure that no one uses the same Android version
>
> Usage:
> 1. Delete/disable/reset MagiskHidePropsConfig (if installed).
> 2. Just install it over old Universal SafetyNet Fix and reboot device.
>
> Many thanks to @1nikolas for integrity checker.
>
> Source code: https://github.com/Displax/safetynet-fix/tree/integrity
shouldn't this bring back Netflix to google play🤔
 


Top Liked Posts

  • 5
    So 'a boring or unenterprising person' or a fan of "Casey Jones"?... You don't need to answer that! 😜
    "And you know that notion just crossed my mind." 🙃

    Had a quick look at mHide SafetyNet project though...
    Just from this:

    Magisk Module
    Module to help pass SafetyNet on devices that do not support hardware attestation...

    This module will
    • Generate a list of 'sensitive' properties on the device and set the values to the 'safe' setting(s) during boot.
    • Check and adjust some 'sensitive' properties during boot.
    • Set Magisk's Denylist to enforcing.
    • Add part of PlayServices to the DenyList.
    Requires Zygisk to be enabled in Magisk.
    ... I'm wondering:
    - Could this be made to be an ideal solution for older devices in the event that Zygisk fix in modded USNF cannot be activated for A7 and lower?
    That is the idea (attempt). 🙃

    Ie.
    • Do adjustments to sensitive props target only com.google.android.gms.unstable?
    • Can we not set Denylist to enforcing (for use with Shamiko etc)?
    • Can we do targeted hiding of root from com.google.android.gms.unstable process instead of adding this to denylist (like USNF)?
    (I'm assuming Magisk path is always in /sbin in legacy ramdisk booting devices; is this correct?)
    • Can we do com.google.android.gms.unstable targeted spoofing of the same old A6 fingerprint prop as @Displax's USNF mod uses to fix CTS Profile Match in uncertified ROMs? (Possibly this could be enabled as an option if there's any benefit leaving original fingerprint as is where ROM is stock... I'm not sure there is however...)

    At the time I started mHide SafetyNet, the only way to access the denylist was when enforcing.
    The only way to "hide" Magisk was to add SafetyNet and (if needed) GMS to the denylist.
    A lot has changed since then and part of the reason I shelved the project.
    mHideSN still works on newer devices that do not support 'Hardware attestation'.
    Plan to update and cleanup one more time before archiving the repo.

    ---

    As for merging parts of mhsn into USNF..

    The 'com.google.android.gms' part is only to "hide" Magisk from SafetyNet when enforcing the Denylist.
    Only added on Android 7.x and older with Magisk 24.x and newer.
    Adapted from the 'MagiskHide' code purge. Lines 230-231 | Lines 249-256
    Became the 'set_default_list' function.

    Since there are now other methods to "hide" Magisk..
    I currently only included a denylist check for Android 7.x and below.
    Not the part to enforce the denylist.

    Not sure if other methods like 'Shamiko' work on Android 7.x and below?

    When other methods of "hiding" Magisk started coming out.
    Most of them using the denylist (instead of creating their own list).
    I was not sure if any current or future, needed to add gms to the denylist list?
    - Part of the reason for commit.

    ---

    Setting the sensitive [secure] prop(s) to the safe value is only limited to what I and others have found.
    This part works across all Android versions.
    Using a system.prop file for some and the resetprop command in the service script for others.

    The 'system.prop' file is generated during the install.
    I tried to move them all into the service and/or post-fs script(s) to be more dynamic (check and adjust during boot) but ran into some issues.
    Some device/manufacturer props do not exist until very late after boot complete, if at all.
    So back to creating a system.prop file during the module install.

    If the following prop(s) exist, it is added to the system.prop file regardless of the current value.
    The prop is added with the safe value.
    I would prefer to only add insecure props with the safe value but this is a workaround in case the props are set by another module(s).
    These props will be set shortly after the post.fs stage.
    ro.adb.secure=1
    ro.boot.selinux=enforcing
    ro.boot.warranty_bit=0
    ro.build.tags=release-keys
    ro.build.type=user
    ro.debuggable=0
    ro.is_ever_orange=0
    ro.odm.build.tags=release-keys
    ro.odm.build.type=user
    ro.product.build.tags=release-keys
    ro.product.build.type=user
    ro.system.build.tags=release-keys
    ro.system.build.type=user
    ro.vendor.boot.warranty_bit=0
    ro.vendor.build.tags=release-keys
    ro.vendor.build.type=user
    ro.vendor.warranty_bit=0
    ro.warranty_bit=0
    Props that are checked and adjusted if need be in service script.
    If 'ro.boot.mode' is recovery, set to unknown
    If 'ro.bootmode' is recovery, set to unknown
    If 'vendor.boot.mode' is recovery, set to unknown

    If 'ro.boot.hwc' is CN, set to GLOBAL
    If 'ro.boot.hwcountry' is China, set to GLOBAL

    If 'ro.build.selinux' exists, delete (remove) it.
    I still question this one but, it was part of 'MagiskHide'.
    'ro.boot.flash.locked' if not 1, set to 1
    'ro.boot.vbmeta.device_state' if not locked, set to locked
    'ro.boot.verifiedbootstate' if not green, set to green
    'ro.boot.veritymode' if not enforcing, set to enforcing
    'ro.secure' if not 1, set to 1
    'sys.oem_unlock_allowed' if not 0, set to 0
    'vendor.boot.vbmeta.device_state' if not locked, set to locked
    'vendor.boot.verifiedbootstate' if not green, set to green

    Currently USNF includes a 'system.prop' file.
    By generating the 'system.prop' file during the install instead, we can check if the prop exists before adding it.
    This will help from adding non-native props to the device.
    Currently any one using USNF has the OnePlus and Samsung props set.
    No matter if it is a Google, LG, Motorola, Poco, ...., Xiaomi device.

    ---

    Without the Zygisk part of the module, You would have to set the fingerprint globally.
    The same as the MHPC module does.
    Set props early (post-fs) you will change it across the board.
    Set props late (service) you will set it after system has started.
    For an example of the difference between setting props early and late, see my question and flar2's response in the DevCheck thread - Post #258.

    ---

    Hope it helps explain more than confuse. 🙃

    Cheers. :cowboy:
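
The post above notes that a bundled system.prop puts OnePlus and Samsung props on every device and that, without Zygisk, the fingerprint has to be set globally. The following is an added example, not code from the thread or from any module it mentions, showing how a device-posture audit can use those two side effects as indicators in a `getprop` dump. The vendor attribution of the props, the fingerprint layout, the function names and both dumps are assumptions or constructed for this example.

```python
import re

_PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")
# Assumed layout: brand/product/device:release/build-id/incremental:type/tags
_FINGERPRINT = re.compile(r"^[^/]+/[^/]+/[^:]+:([^/]+)/[^/]+/[^:]+:([^/]+)/(.+)$")

# Assumption of this example: which vendor natively defines each prop.
VENDOR_PROPS = {
    "ro.is_ever_orange": "oneplus",
    "ro.boot.warranty_bit": "samsung",
    "ro.vendor.boot.warranty_bit": "samsung",
    "ro.vendor.warranty_bit": "samsung",
    "ro.warranty_bit": "samsung",
}

# Constructed dumps (not taken from a real device).
SPOOFED_DUMP = """\
[ro.product.manufacturer]: [Xiaomi]
[ro.build.version.release]: [10]
[ro.build.type]: [user]
[ro.build.tags]: [release-keys]
[ro.build.fingerprint]: [Example/sample/sample:6.0/ABC123/1:user/release-keys]
[ro.is_ever_orange]: [0]
[ro.warranty_bit]: [0]
"""
NATIVE_DUMP = """\
[ro.product.manufacturer]: [samsung]
[ro.build.version.release]: [12]
[ro.build.type]: [user]
[ro.build.tags]: [release-keys]
[ro.build.fingerprint]: [Example/sample/sample:12/ABC123/1:user/release-keys]
[ro.warranty_bit]: [0]
"""


def parse_getprop(dump):
    """Parse `getprop` lines of the form "[name]: [value]" into a dict."""
    props = {}
    for line in dump.splitlines():
        match = _PROP_LINE.match(line.strip())
        if match:
            props[match.group(1)] = match.group(2)
    return props


def audit_props(props):
    """Return (indicator, prop) pairs; an empty list means nothing was flagged."""
    findings = []
    maker = props.get("ro.product.manufacturer", "").lower()
    # Indicator 1: a vendor-specific prop present on another vendor's device.
    for name in sorted(VENDOR_PROPS):
        if name in props and VENDOR_PROPS[name] != maker:
            findings.append(("non-native-prop", name))
    # Indicator 2: fingerprint fields that disagree with the separate build props,
    # as happens when only the fingerprint is replaced globally.
    match = _FINGERPRINT.match(props.get("ro.build.fingerprint", ""))
    if match:
        related = ("ro.build.version.release", "ro.build.type", "ro.build.tags")
        for field, prop in zip(match.groups(), related):
            if prop in props and props[prop] != field:
                findings.append(("fingerprint-mismatch", prop))
    return findings


if __name__ == "__main__":
    for label, dump in (("spoofed", SPOOFED_DUMP), ("native", NATIVE_DUMP)):
        print(label, audit_props(parse_getprop(dump)))
```

These are heuristics over client-reported values; a process-targeted spoof of the kind described in this thread is not visible in a global dump.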
    5
    Strong integrity = hardware attestation, basically, so no, no way to fix AFAIK. OnePlus devices at least up to the OnePlus 9 Pro still shipped stock with broken hardware attestation, so there's no way at all of getting it working on those devices.
    4
    That's what I have... (But Xiaomi device w/ A10)...
    The 1st thing I did was to put play services and frameworks to denylist.
    ... Better remove everything from there except bank apps etc... PW
    4
    Hi all,

    Does anyone know if there is any fix for the "MEETS_STRONG_INTEGRITY" ?
    From what I've read, the "MEETS_DEVICE_INTEGRITY" and "MEETS_BASIC_INTEGRITY" are fixable using Displax's fix on the USNF (thank you so much for this).

    However, I didn't find anything related to the strong integrity.
    Is this correct, or have I missed some step?
    I'm facing this on a OnePlus 5 and a Nothing 1

    Thanks
    Yes; purchase an Asus ROG Phone 3!

    This is the only device I know of where the OEM has messed up the Keymaster implementation in such a way that it will pass MEETS_STRONG_INTEGRITY verdict w/ unlocked bootloader... Other devices may also...

    An app requiring new MEETS_STRONG_INTEGRITY is equivalent to requiring old CTS Profile Match using HARDWARE_BACKED evaluationType. As such, banks have not yet required either (although they could) as doing so would exclude users / customers with
    1) Many late devices (many OnePlus and others) with broken keymaster implementations.
    2) Devices launched with Android 7 and earlier, even if running late Android.

    🤠 PW
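
The trade-off described in the post above (requiring MEETS_STRONG_INTEGRITY excludes devices that still report MEETS_DEVICE_INTEGRITY) shows up in the server-side policy an app backend applies to a decoded verdict. The following is an added example, not code from the thread or from Google: it assumes the token has already been decrypted and signature-verified, uses the field names of the Play Integrity verdict payload, and the package name, nonce, timestamps and function names are constructed.

```python
import hmac

# Device labels named in this thread. The API returns a list of labels, so
# each is tested by membership rather than inferred from another label.
LABELS = ("MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY")


def evaluate_verdict(payload, package, nonce, required_label, now_ms, max_age_ms=120_000):
    """Return (allowed, reasons) for a decrypted, signature-verified verdict payload."""
    if required_label not in LABELS:
        raise ValueError(f"unknown label: {required_label}")
    reasons = []
    req = payload.get("requestDetails", {})
    if req.get("requestPackageName") != package:
        reasons.append("package mismatch")
    # The nonce binds the verdict to one server-issued challenge (anti-replay).
    if not hmac.compare_digest(str(req.get("nonce", "")).encode(), nonce.encode()):
        reasons.append("nonce mismatch")
    try:
        age_ms = now_ms - int(req.get("timestampMillis"))
    except (TypeError, ValueError):
        age_ms = None
    if age_ms is None or not 0 <= age_ms <= max_age_ms:
        reasons.append("stale or missing timestamp")
    if payload.get("appIntegrity", {}).get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("app not recognized")
    labels = payload.get("deviceIntegrity", {}).get("deviceRecognitionVerdict") or []
    if required_label not in labels:
        reasons.append(f"device lacks {required_label}")
    return (not reasons, reasons)


def sample_verdict(labels, nonce="Y29uc3RydWN0ZWQtbm9uY2U", ts_ms=1_660_000_000_000):
    """Constructed payload in the shape of a decoded verdict (not real data)."""
    return {
        "requestDetails": {
            "requestPackageName": "com.example.bank",
            "nonce": nonce,
            "timestampMillis": str(ts_ms),
        },
        "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
        "deviceIntegrity": {"deviceRecognitionVerdict": list(labels)},
    }


if __name__ == "__main__":
    now = 1_660_000_030_000
    device_only = sample_verdict(LABELS[:2])  # basic + device, no strong label
    for tier in LABELS[1:]:
        print(tier, evaluate_verdict(device_only, "com.example.bank",
                                     "Y29uc3RydWN0ZWQtbm9uY2U", tier, now))
```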
    3
    Guys, this is new. This app detected Shamiko

    Edit: Zygisk denylist fixed this. This is the first time I encounter Shamiko being the culprit
  • 276
    Universal SafetyNet Fix
    Magisk module

    Magisk module to work around Google's SafetyNet attestation.

    This module works around hardware attestation and recent updates to SafetyNet CTS profile checks. You must already be able to pass basic CTS profile attestation, which requires a valid combination of device and model names, build fingerprints, and security patch levels.

    If you still have trouble passing SafetyNet with this module, use MagiskHide Props Config to spoof a certified device profile. This is a common issue on old devices, custom ROMs, and stock ROMs without GMS certification (e.g. Chinese ROMs).

    Android versions up to 13 Beta 3 are supported, including OEM skins such as Samsung One UI and MIUI.

    How does it work?
    The way this workaround works is relatively low-level. An in-depth explanation, as well as source code and ROM changes, can be found on GitHub.

    Ideally, this workaround should be incorporated in ROMs instead of overriding part of the ROM in a Magisk module. The ROM changes for it are linked above for ROM developers to use.

    Downloads
    Downloads and changelogs can be found on GitHub. The topmost release is the latest.

    Latest release
    v2.3.1

    Highlights
    • Fixed fingerprint on OxygenOS/ColorOS 12 (@osm0sis)
    • Support for Magisk 24+ module updates (@benjibobs)
    • Restored support for Android 7
    Other changes
    • Spoofed OnePlus OEM unlock status for futureproofing (@osm0sis)
    • Minor code improvements
    This version only supports Zygisk (Magisk 24 and newer).

    Source code

    If this helped you, please consider donating to support development: recurring donation for sustainable support or buy me a coffee. Thank you for your support!
    131
    So, here is my modification of USNF with Play Integrity API bypass.

    It changes fingerprint to old 7.1.2 6.0 (LOL) and applies it only for GMS SafetyNet process (by Zygisk injection), so your original prints/security patch level does not change. This avoids many side effects/problems with global props changing.

    Updated:
    Drop fingerprint to lowest possible (6.0) to ensure that no one uses the same Android version

    Usage:
    1. Delete/disable/reset MagiskHidePropsConfig (if installed).
    2. Just install it over old Universal SafetyNet Fix and reboot device.

    Many thanks to @1nikolas for integrity checker.

    Source code: https://github.com/Displax/safetynet-fix/tree/integrity
    30
    Folks, the SafetyNet API was deprecated last month with 'full turndown' slated for June 2024 and the introduction of the new Play Integrity API. It has also become clear that Google apps are simply the first to adopt the long foretold Play Integrity API; all responsible banks are bound to follow suit in short order, and at least before the June 2023 migration deadline.

    This means (assuming fully deployed Hardware Key Attestation doesn't come first 😬) that the need for a 'Universal Play Integrity Fix' has become quite urgent.

    We currently have workarounds involving using older fingerprint props by means of MHPC module (similar to fix needed for uncertified ROMs), but success/mileage varies per device and users of regular bank apps / gamers etc on stock devices will all soon be forced to experiment with MHPC prints also... This is hardly ideal.

    So I've made an issue report/request on USNF GitHub as follows. This information may be insightful to users here also...

    Please let me know here if I have missed anything important, or add any technically relevant details there...

    PLEASE DON'T spam that issue with unimportant details or queries... (The previous issue is already burgeoning w/ OT.) That's what this thread is for... 😛 :

    Please make 'Universal Play Integrity Fix' ... #204

    Fixes to expand 'Universal SafetyNet Fix' to become a 'Universal Play Integrity Fix' are needed.

    The SafetyNet Attestation API is deprecated and has been replaced by the Play Integrity API.
    https://developer.android.com/training/safetynet/deprecation-timeline

    New Play Integrity API is rolling out from June 2022, and evidently Google Play Store and Google Pay/Wallet are already using its verdict.

    June 2023 is the Migration Deadline for app developers. This will also allow their older app versions to continue working with SafetyNet API for a limited time.

    June 2024 is the End of life for SafetyNet API; its attestation will no longer work for any app version, and apps will receive an error.

    The new Integrity API has more strict requirements for passing attestation, and this seems to be enforced in Android 11+ particularly.

    Currently (evidently due to this), device security issues are detected by

    1. Google Pay/Wallet, which may state "You can't pay contactless with this device...(Your phone doesn't meet software standards)" on updating or attempting to add a card despite in-app Contactless setup stating "You're ready to pay contactless with your phone (Your phone meets security requirements)", and
    2. Google Play Store, which may no longer show apps like Netflix w/ Android 11+ (developers can 'exclude devices from their app's distribution based on their device integrity. Device exclusion is based on the latest device integrity verdict that the Play Store app receives from the Play Integrity API') despite in-app settings showing Play Protect 'Device is certified' result.
    I'm guessing that the 'passing' messages based on the old SafetyNet API are likely to be realigned soon.

    A workaround that evidently allows Play Integrity API attestation to pass (and solve Wallet / Play Store issues also) has been discovered. It involves spoofing an earlier certified ROM, generally by using MagiskHide Props Config module to change fingerprint prop to one for Android 10 or earlier.

    Undoubtedly other apps will begin to detect broken TEE etc / fail as they migrate or begin integrating the Play Integrity API.

    A 'Universal Play Integrity Fix' will evidently require more understanding / research into how the fingerprint prop is used, and possibly other new behaviours.

    Here's hoping... 🙃 PW
    28
    ok so there is a solution

    get the magisk module riru

    after you get riru get LSPosed

    after you get LSPosed get xprivacylua (in the LSPosed app)

    select play services in the xprivacylua settings IN the LSPosed app

    AND in the xprivacylua app itself after you've restarted.

    clear play service data

    check safetynet in magisk - enjoy?

    I would reboot between each step just to be safe but I know it's necessary to load the xprivacylua module

    s/o to saitama_96 for discovering it or so I'm led to believe
    26
    Some useless statistics:
    My MOD was downloaded over 2k times.
    1,5k from XDA
    800 from GitHub

    I'm glad i made 2000+ people happier :) Thank you!