MAGISK MODULE ❯ Universal SafetyNet Fix 2.3.1


okij

Please reference the attached for a laugh or two. Sorry I couldn't contribute more

Oh well as it's been said .... We all knew this was gonna happen sooner or later which kinda seems like now....

But SERIOUSLY: THE WEATHER NETWORK.... really???

Weather must be a bigger secret than all the other apps I continue to use successfully - as always really...
Just put the Weather Network app on Magisk's deny list and everything is fine. ;) I just checked it.
 
What can I do if one of my banking apps is not letting me pay in an online shop because they detected my device as rooted even though I put it in my denylist? My Play Store is certified though and one thing some apps are missing including Netflix
 

pndwal

What can I do if one of my banking apps is not letting me pay in an online shop because they detected my device as rooted even though I put it in my denylist? My Play Store is certified though and one thing some apps are missing including Netflix
Use @Displax modded USNF module posted here (unofficial) to fix new Play Integrity API deviceIntegrity verdict (S/N is now deprecated) now used by Play Store and many other apps... May need to clear app data as well as Google Play Services data... PW
 

Strephon Alkhalikoi

Use @Displax modded USNF module posted here (unofficial) to fix new Play Integrity API deviceIntegrity verdict (S/N is now deprecated) now used by Play Store and many other apps... May need to clear app data as well as Google Play Services data... PW
Just to point out that on almost unique occasions even clearing app data doesn't work. For example, I suddenly wasn't passing device integrity with the modded USNF in place, and even clearing data wasn't helping. I ended up having to uninstall the USNF, reboot, then reinstall it for everything to work properly again.
 

eyalsa

Just to point out that on almost unique occasions even clearing app data doesn't work. For example, I suddenly wasn't passing device integrity with the modded USNF in place, and even clearing data wasn't helping. I ended up having to uninstall the USNF, reboot, then reinstall it for everything to work properly again.
Did not work for me on Samsung S22u :confused:
 

pndwal

Just to point out that on almost unique occasions even clearing app data doesn't work. For example, I suddenly wasn't passing device integrity with the modded USNF in place, and even clearing data wasn't helping. I ended up having to uninstall the USNF, reboot, then reinstall it for everything to work properly again.
Interesting... So simply removing, rebooting, installing the same modded USNF and booting again restored deviceIntegrity for you?... Please say what device / ROM...

I'm guessing simply disabling module, rebooting, enabling and booting again should accomplish the same...

This seems to be occurring suddenly for specific use cases, notably on Poco f3 w/ Crdroid 8.9 per:
https://forum.xda-developers.com/t/...agisk-discussion-thread.3906703/post-87484949

@SimpleStevie, @OverlordBubbles, @tom510, @Goooober; anyone care to check if this method restores deviceIntegrity on Poco f3?... PW
 

Goooober

Interesting... So simply removing, rebooting, installing the same modded USNF and booting again restored deviceIntegrity for you?... Please say what device / ROM...

I'm guessing simply disabling module, rebooting, enabling and booting again should accomplish the same...

This seems to be occurring suddenly for specific use cases, notably on Poco f3 w/ Crdroid 8.9 per:
https://forum.xda-developers.com/t/...agisk-discussion-thread.3906703/post-87484949

@SimpleStevie, @OverlordBubbles, @tom510, @Goooober; anyone care to check if this method restores deviceIntegrity on Poco f3?... PW

I didn’t see the last few posts before I decided to flash a different ROM (I went with Evolution, an Android 13 ROM). The good news is that everything is working normally again after installing Magisk and USNF Mod fix. Whether or not the solution posted above would have worked when I was still on CrDroid I couldn’t say.
 
Interesting... So simply removing, rebooting, installing the same modded USNF and booting again restored deviceIntegrity for you?... Please say what device / ROM...

I'm guessing simply disabling module, rebooting, enabling and booting again should accomplish the same...

This seems to be occurring suddenly for specific use cases, notably on Poco f3 w/ Crdroid 8.9 per:
https://forum.xda-developers.com/t/...agisk-discussion-thread.3906703/post-87484949

@SimpleStevie, @OverlordBubbles, @tom510, @Goooober; anyone care to check if this method restores deviceIntegrity on Poco f3?... PW
This actually worked. For how long I don't know, but as of now I'm passing device integrity and able to add cards to wallet. Not tried to pay yet, but looks good.

Many thanks!
 


pndwal

@pndwal
Displa[x]'s module actually works, I can't do this in kdrag0n's module even though I clear data for all of them and reboot
Yup... This mod makes USNF more universal and fixes Play Integrity deviceIntegrity (not done by official release yet):
https://forum.xda-developers.com/t/...agisk-discussion-thread.3906703/post-87480375

Nb. This is just an added function... It's still @kdrag0n's solution, not @Displax's module!

...All fallbacks and bypasses for S/N are still needed for PI... This fork just adds @Displax's PI fix needed for some devices...

... Could be called UPIF soon! 😜

Notes, esp. for G Pay:
https://forum.xda-developers.com/t/...agisk-discussion-thread.3906703/post-87481637

Pending fix for official USNF:
https://github.com/kdrag0n/safetynet-fix/pull/207

🤠 PW
 

Rcedude

Hello. I have an up to date rooted A51, and I can't seem to pass Play Integrity. I previously used kdrag0n fix, I uninstalled it, rebooted the phone, installed Displax mod, rebooted.

The Play Integrity app tester posted there shows I can't pass any of the checks. TB Checker crashes on Play Integrity test. Basic SafetyNet is still OK.

What's wrong? Shamiko? Should I add / remove any app from deny list?

I used MHPC a while ago but I ended up uninstalling it. Could it be leftovers?
 

pndwal

Hello. I have an up to date rooted A51,
Stock ROM?
and I can't seem to pass Play Integrity. I previously used kdrag0n fix, I uninstalled it, rebooted the phone, installed Displax mod, rebooted.

The Play Integrity app tester posted there shows I can't pass any of the checks.
Not even basic integrity?
Basic SafetyNet is still OK.
ie. Basic Integrity only? Does Evaluation type show as BASIC?...
What's wrong? Shamiko? Should I add / remove any app from deny list?
You don't need anything in list for PI or S/N...

Try with all modules except USNF_mod disabled... Next, try disabling USNF_mod also, reboot, clear data for Google Play Services and enable USNF_mod again then reboot again...

Nb. Zygisk=Yes must appear on Magisk App home screen...
I used MHPC a while ago but I ended up uninstalling it. Could it be leftovers?
Not if module is removed or disabled; it should be removed, disabled or reset when using USNF... PW
 

Rcedude

Yes, it's stock ROM.

Not even basic integrity?
Nope: No MEET_DEVICE_INTEGRITY, no MEET_BASIC_INTEGRITY and obviously no MEET_STRONG_INTEGRITY.

ie. Basic Integrity only? Does Evaluation type show as BASIC?...
I meant that evaluation passes (basic and CTS) because Evaluation type is forcibly downgraded to BASIC by USNF.
TLDR: SafetyNet is OK.

NOTHING passes for Play Integrity.
I obviously enabled Zygisk since I use LSPosed Zygisk version and Shamiko Zygisk :)

MHPC has been disabled and uninstalled for a while now.

I tested all the methods you talked about, nothing changed.

TB Checker Play Integrity evaluation just crashes.

EDIT: deviceintegrity field from JSON is EMPTY, wtf it's shown as deviceintegrity {}
 

eyalsa

Hello. I have an up to date rooted A51, and I can't seem to pass Play Integrity. I previously used kdrag0n fix, I uninstalled it, rebooted the phone, installed Displax mod, rebooted.

The Play Integrity app tester posted there shows I can't pass any of the checks. TB Checker crashes on Play Integrity test. Basic SafetyNet is still OK.

What's wrong? Shamiko? Should I add / remove any app from deny list?

I used MHPC a while ago but I ended up uninstalling it. Could it be leftovers?
Same with my S22u. Seems like a Samsung issue. I can pass 2 out of 3 tests if I disable LSPosed, but if LSPosed is on I fail all 3 tests. Shamiko didn't help.
 

pndwal

Same with my S22u. Seems like a Samsung issue. I can pass 2 out of 3 tests if I disable LSPosed, but if LSPosed is on I fail all 3 tests. Shamiko didn't help.
Do you use @Displax/ USNF_mod solution for Play Integrity only?

What if you just disable all LSPosed modules?... (If results change, try enabled modules one by one to determine which or if all modules trigger detection.)

What is LSPosed version?

Nb. Of course 2/3 is best case w/ root...

Nb 2. Shamiko generally won't help w/ Google attestation, but some have recently reported success reversing failed verdicts w/ Shamiko if gms (G Play Services) are in denylist...

🤠 PW
 

pndwal

Yes, it's stock ROM.

Not even basic integrity?
Nope: No MEET_DEVICE_INTEGRITY, no MEET_BASIC_INTEGRITY and obviously no MEET_STRONG_INTEGRITY.

ie. Basic Integrity only? Does Evaluation type show as BASIC?...
I meant that evaluation passes (basic and CTS) because Evaluation type is forcibly downgraded to BASIC by USNF.
TLDR: SafetyNet is OK.
Ah... So by 'basic SafetyNet' you mean older S/N API, but it's fully passing w/ BASIC evalType...
NOTHING passes for Play Integrity.
I obviously enabled Zygisk since I use LSPosed Zygisk version and Shamiko Zygisk :)
Ok ... You hadn't mentioned LSPosed... Please see last two posts above...
MHPC has been disabled and uninstalled for a while now.

I tested all the methods you talked about, nothing changed.
So you did try with all modules (including LSPosed) except USNF_mod disabled, and clearing data for Google Play Services / reboots didn't help either...
TB Checker Play Integrity evaluation just crashes.

EDIT: deviceintegrity field from JSON is EMPTY, wtf it's shown as deviceintegrity {}
mmm
No labels (a blank value)

The app is running on a device that has signs of attack (such as API hooking) or system compromise (such as being rooted), or the app is not running on a physical device (such as an emulator that does not pass Google Play integrity checks).
https://developer.android.com/google/play/integrity/verdict#device-integrity-field

... Sorry I have no other clues at this point... PW
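
How an app's backend might interpret the verdict field discussed above, including the empty `deviceIntegrity {}` case, as an added example that is not part of any post in this thread. The field names and `MEETS_*` labels follow Google's verdict documentation linked above; the sample payloads, the `classify` policy and its decision strings are constructed for illustration, and the payload is assumed to have already been decrypted and verified.

```python
import json

# Labels Google documents for deviceIntegrity.deviceRecognitionVerdict.
KNOWN_LABELS = frozenset({
    "MEETS_BASIC_INTEGRITY",
    "MEETS_DEVICE_INTEGRITY",
    "MEETS_STRONG_INTEGRITY",
})


def device_labels(verdict):
    """Return the recognised labels found in a decoded verdict.

    A missing field, an empty object ({}) and an empty list all mean
    "no labels", so they collapse to an empty set instead of raising.
    """
    field = verdict.get("deviceIntegrity")
    if not isinstance(field, dict):
        return frozenset()
    labels = field.get("deviceRecognitionVerdict")
    if not isinstance(labels, list):
        return frozenset()
    return frozenset(
        label for label in labels
        if isinstance(label, str) and label in KNOWN_LABELS
    )


def classify(raw_json, required="MEETS_DEVICE_INTEGRITY"):
    """Map a decoded verdict payload (JSON text) to a policy decision.

    The decision strings are hypothetical; a real backend would also
    check the other verdict fields, which this sketch ignores.
    """
    try:
        verdict = json.loads(raw_json)
    except ValueError:
        return "reject:malformed"
    if not isinstance(verdict, dict):
        return "reject:malformed"
    labels = device_labels(verdict)
    if not labels:
        # The "No labels (a blank value)" case quoted from the documentation.
        return "reject:no_labels"
    if required not in labels:
        return "reject:missing_" + required
    return "accept"


# Constructed sample payloads, reduced to the deviceIntegrity field.
SAMPLES = {
    "blank": '{"deviceIntegrity": {}}',
    "absent": '{}',
    "basic_only": '{"deviceIntegrity": {"deviceRecognitionVerdict": '
                  '["MEETS_BASIC_INTEGRITY"]}}',
    "basic_and_device": '{"deviceIntegrity": {"deviceRecognitionVerdict": '
                        '["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY"]}}',
    "unknown_label": '{"deviceIntegrity": {"deviceRecognitionVerdict": '
                     '["SOMETHING_ELSE"]}}',
    "garbage": 'not json',
}


def run_samples():
    """Classify every constructed sample and return {name: decision}."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:18} -> {decision}")
```
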
 

Top Liked Posts

  • 8
    Yes i can see device certified but app redirects to attach page. App added to denylist. But same issue.
    This is out of topic for the USNF module. USNF module is to pass SafetyNet, and the modded version, to pass Play Integrity API (Google's successor for SN)

    Various 'banking' apps use various additional techniques to detect 'root' - from relatively stupid things like looking for Magisk app, TWRP folder, USB debugging mode to more complicated like looking for LSPosed and its modules or even for Zygisk, etc

    If you know (of course, they don't tell you, you have to experiment), you can try to hide Magisk app (disable it or even uninstall it), to rename or delete TWRP folder, to use Hide My Apps module (to hide Magisk app and LSPosed modules apps) for LSPosed, etc.
    Certain custom ROMs (or just custom Kernels) are built in debug mode - and that can be just another way for a 'banking' app to find that you are not using the certified, stock ROM

    Sorry, I will not go into the details or guide how to use Hide My Apps, etc - there are really tens and tens of posts in the general XDA Magisk thread about all that

    There are posts with particular 'solutions' (users found by experimenting for this or that app which technique to use to hide 'root' from that app).
    One has to read there, search, study, experiment himself, etc

    However, and that has also been discussed in the Magisk General thread (with names/examples of those apps - you should look there, maybe your app is among them) there are now apps that look for Zygisk and unfortunately that cannot be hidden (by the out-dated Shamiko module)

    Apparently, one must not use this new 'official' Magisk with Zygisk and DenyList but the custom fork (it has its own thread on XDA) Magisk Delta, that uses the 'good' old MagiskHide (instead of Zygisk+DenyList) to 'hide root' from those apps

    ---

    All together, USNF module is not a module to hide 'root' from the x-y-z app, but to pass SN (and now its successor PI)

    SN/PI API is just one point on the checklist that 'banking' apps may use when they look for 'root' - for various techniques they use, one must apply various particular solutions to hide

    All that is out-of-topic for this thread, and too big and complex to be guided in one post.
    One has to look into the threads and posts (by searching, etc) where these things have been already and extensively discussed

    It's the game - today you hide, tomorrow they will discover new way to detect

    TJW works for Google and he had distanced himself from hiding the 'root,'
    To make things worse, it seems that there are now new sorts/versions of 'banking' apps that detect Zygisk, with no known solution to hide - except for going back from this new Zygisk+DenyList to the old MagiskHide (but again, you could not blame TJW, hiding from root is not his business anymore)
    4
    I try to read everything here almost every day... I'm not a developer.... But I still need to ask:

    The reason why Magisk Delta would work for this app when Magisk stable wouldn't??? Please direct me to the appropriate reference that I can read which might/might not make sense to me. Thanks

    The very very, and I repeat, very simplistic 30 second answer is that Magisk Stable had all its hiding code removed (on purpose even), as TJW put it, to make Magisk get out of the way of itself, and to make it actually more powerful (for applications beyond hiding necessarily), whereas "legacy" Magisk forks, like Delta still include the code to hide processes.

    Magisk stable can actually have modules for hiding (such as Shamiko) run under Zygisk, but it can be, as noted, hit or miss, as there's no 100% way to hide Zygisk, given how it operates in the way and at the level it does

    Some people get very territorial (and waaaay too emotional at times) over this or that fork, and TJW took 100% more flak than he should have making the change, but those folks need to know that neither fork is immune to or exempt from being made redundant

    I'm sure @pndwal will no doubt come down from his bell tower to provide more relevant material and links (he has ALL the links)

    Also probably worth mentioning, because it really isn't mentioned or highlighted enough, that there's more to Magisk than just hiding stuff, case in point I have about 14 self-made modules, just 2 of them in any way rely on the hiding abilities provided by Zygisk and Shamiko
    4
    Banking app like HDFC has updated their app. Now when we start the app it checks for root check and immediately redirects to web browser with root alert. I think module or magisk needs to be updated to make work with such apps. Note: I have magisk in hidden mode as well as app is hidden and

    Universal SafetyNet Fix 2.3.1 module activated but app does not work.

    You just need to get play store certified. Safetynet fix is all you need. Turn on airplane mode and clear cache on play store and play services and gpay. Restart phone. Turn air plane mode off.
    Seems many are assuming Play Protect certification will fix detection for Netflix etc... And indeed Netflix suggests checking this themselves...

    However all such apps are migrating from deprecated SafetyNet to new Play Integrity API... Not sure, but I'm guessing Netflix will require this by now...

    Last time I checked, Play Protect was still using old S/N API, so it's possible to have 'Device is certified' while newly required PI deviceIntegrity is failing... A clue is when updates for affected apps no longer show up on Play Store which filters according to the attestation label used by hosted apps...

    So assuming official USNF is enough since 'Device is certified' is no longer good policy...

    Some users won't need to update to the @Displax modded USNF fork which solves this since further HKA enforcement bypasses aren't needed to pass deviceIntegrity on some devices, especially A10 stock and earlier. However I strongly suggest using Play Integrity API Checker app to ensure this verdict label passes. If not, install the Displax forked USNF w/ extra deviceIntegrity fix (essentially Universal deviceIntegrity PI fix now) as apps will often say 'root is detected' when deviceIntegrity is simply failing...

    Of course apps may also add their own new custom detections in addition, but don't make assumptions before at least passing deviceIntegrity, taking Hide the Magisk app Magisk option and adding app in denylist... I'd be substituting denylist for Shamiko (deny-->hide) also...

    🤠 PW
    4
    I'm very sorry, I uploaded the screenshots from my phone so I wouldn't have to transfer them to the PC. I was thinking of editing to add information, but I had a physical problem and couldn't use the PC. Now I've seen the notification and I know I did wrong; next time I won't upload the photos until I have the text

    Thanks for the warning
    Please, this is English forum, use Translate if necessary to post in English
    4

    I think you missed the part where you ask an actual question, and provide details

    We don't troubleshoot from screenshots alone here....

    Also you seem to have missed reading from any of the last dozen or so pages which would tell you that it's no longer just about passing SafetyNet, and what the fix is...

    You should get into the habit of reading the last pages of any thread before posting a query, as generally if you're experiencing an issue (one that's usually a dramatic change) then others are too, therefore an answer probably has already been provided.

    Posting just a screenshot, no info and expecting people to jump to attention for you will not go well for you here...you're expected to do some work yourself..

    This will get you up to speed, but please, next time, don't be lazy...

  • 282
    Universal SafetyNet Fix
    Magisk module

    Magisk module to work around Google's SafetyNet attestation.

    This module works around hardware attestation and recent updates to SafetyNet CTS profile checks. You must already be able to pass basic CTS profile attestation, which requires a valid combination of device and model names, build fingerprints, and security patch levels.

    If you still have trouble passing SafetyNet with this module, use MagiskHide Props Config to spoof a certified device profile. This is a common issue on old devices, custom ROMs, and stock ROMs without GMS certification (e.g. Chinese ROMs).

    Android versions up to 13 Beta 3 are supported, including OEM skins such as Samsung One UI and MIUI.

    How does it work?
    The way this workaround works is relatively low-level. An in-depth explanation, as well as source code and ROM changes, can be found on GitHub.

    Ideally, this workaround should be incorporated in ROMs instead of overriding part of the ROM in a Magisk module. The ROM changes for it are linked above for ROM developers to use.

    Downloads
    Downloads and changelogs can be found on GitHub. The topmost release is the latest.

    Latest release
    v2.3.1

    Highlights
    • Fixed fingerprint on OxygenOS/ColorOS 12 (@osm0sis)
    • Support for Magisk 24+ module updates (@benjibobs)
    • Restored support for Android 7
    Other changes
    • Spoofed OnePlus OEM unlock status for futureproofing (@osm0sis)
    • Minor code improvements
    This version only supports Zygisk (Magisk 24 and newer).

    Source code

    If this helped you, please consider donating to support development: recurring donation for sustainable support or buy me a coffee. Thank you for your support!
    173
    So, here is my modification of USNF with Play Integrity API bypass.

    It changes fingerprint to old 7.1.2 6.0 (LOL) and applies it only for GMS SafetyNet process (by Zygisk injection), so your original prints/security patch level does not change. This avoids many side effects/problems with global props changing.

    Updated 2.0:
    Bypassing DEVICE_INTEGRITY for devices that shipped with Android 13+ (Pixel`s 7 )

    Updated:
    Drop fingerprint to lowest possible (6.0) to ensure that no one uses the same Android version

    Usage:
    1. Delete/disable/reset MagiskHidePropsConfig (if installed).
    2. Just install it over old Universal SafetyNet Fix and reboot device.
    3. You may need to wipe GMS data (not cache) if there is no result immediately.

    Many thanks to @1nikolas for integrity checker.

    Source code: https://github.com/Displax/safetynet-fix/tree/integrity
    31
    Folks, the SafetyNet API was deprecated last month with 'full turndown' slated for June 2024 and the introduction of the new Play Integrity API. It has also become clear that Google apps are simply the first to adopt the long foretold Play Integrity API; all responsible banks are bound to follow suit in short order, and at least before the June 2023 migration deadline.

    This means (assuming fully deployed Hardware Key Attestation doesn't come first 😬) that the need for a 'Universal Play Integrity Fix' has become quite urgent.

    We currently have workarounds involving using older fingerprint props by means of MHPC module (similar to fix needed for uncertified ROMs), but success/mileage varies per device and users of regular bank apps / gamers etc on stock devices will all soon be forced to experiment with MHPC prints also... This is hardly ideal.

    So I've made an issue report/request on USNF GitHub as follows. This information may be insightful to users here also...

    Please let me know here if I have missed anything important, or add any technically relevant details there...

    PLEASE DON'T spam that issue with unimportant details or queries... (The previous issue is already burgeoning w/ OT.) That's what this thread is for... 😛 :

    Please make 'Universal Play Integrity Fix' ... #204

    Fixes to expand 'Universal SafetyNet Fix' to become a 'Universal Play Integrity Fix' are needed.

    The SafetyNet Attestation API is deprecated and has been replaced by the Play Integrity API.
    https://developer.android.com/training/safetynet/deprecation-timeline

    New Play Integrity API is rolling out from June 2022, and evidently Google Play Store and Google Pay/Wallet are already using its verdict.

    June 2023 is the Migration Deadline for app developers. This will also allow their older app versions to continue working with SafetyNet API for a limited time.

    June 2024 is the End of life for SafetyNet API; its attestation will no longer work for any app version, and apps will receive an error.

    The new Integrity API has more strict requirements for passing attestation, and this seems to be enforced in Android 11+ particularly.

    Currently (evidently due to this), device security issues are detected by

    1. Google Pay/Wallet, which may state "You can't pay contactless with this device...(Your phone doesn't meet software standards)" on updating or attempting to add a card despite in-app Contactless setup stating "You're ready to pay contactless with your phone (Your phone meets security requirements)", and
    2. Google Play Store, which may no longer show apps like Netflix w/ Android 11+ (developers can 'exclude devices from their app's distribution based on their device integrity. Device exclusion is based on the latest device integrity verdict that the Play Store app receives from the Play Integrity API') despite in-app settings showing Play Protect 'Device is certified' result.
    I'm guessing that the 'passing' messages based on the old SafetyNet API are likely to be realigned soon.

    A workaround that evidently allows Play Integrity API attestation to pass (and solve Wallet / Play Store issues also) has been discovered. It involves spoofing an earlier certified ROM, generally by using MagiskHide Props Config module to change fingerprint prop to one for Android 10 or earlier.

    Undoubtedly other apps will begin to detect broken TEE etc / fail as they migrate or begin integrating the Play Integrity API.

    A 'Universal Play Integrity Fix' will evidently require more understanding / research into how the fingerprint prop is used, and possibly other new behaviours.

    Here's hoping... 🙃 PW
    28
    ok so there is a solution

    get the magisk module riru

    after you get riru get LSPosed

    after you get LSPosed get xprivacylua (in the LSPosed app)

    select play services in the xprivacylua settings IN the LSPosed app

    AND in the xprivacylua app itself after you've restarted.

    clear play service data

    check safetynet in magisk - enjoy?

    I would reboot between each step just to be safe but I know it's necessary to load the xprivacylua module

    s/o to saitama_96 for discovering it or so I'm led to believe
    26
    Some useless statistics:
    My MOD was downloaded over 2k times.
    1,5k from XDA
    800 from GitHub

    I'm glad i made 2000+ people happier :) Thank you!