MAGISK MODULE ❯ Universal SafetyNet Fix 2.3.1


eyalsa

Do you use @Displax/ USNF_mod solution for Play Integrity only?
yes
What if you just disable all LSPosed modules?... (If results change, try enabled modules one by one to determine which or if all modules trigger detection.)
I fail even if disabling all models
What is LSPosed version?
1.8.4 zygisk
Nb. Of course 2/3 is best case w/ root...

Nb 2. Shamiko generally won't help w/ Google attestation, but some have recently reported success reversing failed verdicts w/ Shamiko if gms (G Play Services) are in denylist...
The 1st thing I did was to put play services and frameworks to denylist.
 

GenRahul

So, here is my modification of USNF with Play Integrity API bypass.

It changes fingerprint to old 7.1.2 6.0 (LOL) and applies it only for GMS SafetyNet process (by Zygisk injection), so your original prints/security patch level does not change. This avoids many side effects/problems with global props changing.

Updated:
Drop fingerprint to lowest possible (6.0) to ensure that no one uses same Android version

Usage:
1. Delete/disable/reset MagiskHidePropsConfig (if installed).
2. Just install it over old Universal SafetyNet Fix and reboot device.

Many thanks to @1nikolas for integrity checker.

Source code: https://github.com/Displax/safetynet-fix/tree/integrity
Thanks man!
 

ykjae

I'm on oneplus 8t 5g android 12 and I pass safetynet and play integrity (other than hardware) without any additional modules.

Not even magisk props or usf kdrag0n/displax

I am using shamiko and have lsposed installed. It's strange to me.
 

pndwal

I'm on oneplus 8t 5g android 12 and I pass safetynet and play integrity (other than hardware) without any additional modules.

Not even magisk props or usf kdrag0n/displax

I am using shamiko and have lsposed installed. It's strange to me.
Nope no custom rom. Just OxygenOS 12.1, KB2003_11_C.35

Passed without shamiko also - but that was with denylist enabled.
Ok...

First, I'm assuming you have main (com.google.android.gms) and attestation (com.google.android.gms.unstable) Google Play Services processes in denylist (to hide 'root' from these)...

Many custom ROMs integrate @kdrag0n's SafetyNet Fix and a passing device fingerprint, but this doesn't apply...

OnePlus has notoriously produced devices with broken keymaster implementation (processes keystore values in TEE OS) incl. the 8T, so Attestation falls back to Basic Evaluation type (trigger is exception caused by broken keymaster) and Hardware attestation is not enforced (based on device model prop in S/N API and both model and fingerprint props and possibly security patch level in PI API) without the need for USNF fallbacks / bypasses...

Passing CTS Profile match still requires a passing device fingerprint (you have this on non China region stock ROM; custom ROMs may need to adjust props), and as long as no sensitive props are detected (NB. MHPC adjusts such detected props w/o any configuration if active so this is an alternative to running USNF, which also does this, where sensitive props are an issue), and it seems none are affecting your device - I believe it's more of a problem for legacy devices/older ROMs anyway -, and no other mods break device integrity, device security attestations will just pass!... 😋 PW
 

stathis

Very strange, today Google Play Store shows me again Netflix and some other apps which had been missing since July. I haven't changed anything on my phone. I have a Xiaomi Poco X3 NFC, Android 10, Magisk 23 with Magisk Hide com.google.android.gms.unstable and module Riru 26.1.3 and Universal SafetyNet Fix 2.1.1 by kdrag0n
 

dimm0k

having some really weird issues where GPay and my Pixel 6 Pro tells me that it doesn't meet the right requirements for pay, yet I can still make payments by tapping... this was using the unmodded USNF 2.2.0. if i remove that and install the modded version, I still get the same quirk except in Magisk I see this update icon for this module even after rebooting. anyone know how to fix the update issue, as well as the requirements message?
 


73sydney

having some really weird issues where GPay and my Pixel 6 Pro tells me that it doesn't meet the right requirements for pay, yet I can still make payments by tapping... this was using the unmodded USNF 2.2.0. if i remove that and install the modded version, I still get the same quirk except in Magisk I see this update icon for this module even after rebooting. anyone know how to fix the update issue, as well as the requirements message?

weird issues have been noted in the current times (even using the modded version), best is to not wonder why but bathe in the ability to still use thy contactless functions

ignore the Update icon.....
 

pndwal

having some really weird issues where GPay and my Pixel 6 Pro tells me that it doesn't meet the right requirements for pay, yet I can still make payments by tapping... this was using the unmodded USNF 2.2.0. if i remove that and install the modded version, I still get the same quirk except in Magisk I see this update icon for this module even after rebooting. anyone know how to fix the update issue,
There's no issue... Icon is greyed out so there's no update... That'll change when there is...
as well as the requirements message?
Check you now have deviceIntegrity passing in Play Integrity API Checker.

This had probably failed prior to installing @Displax USNF mod/fork but Google has been turning new Play Integrity hardware attestation evaluation type enforcement on and off spasmodically for different devices and at different times lately...

If passing now G Pay/Wallet error message may just go away after some days...

For immediate fixes:

Clear Google Play Services data.

Clear G Pay/Wallet data and reboot before starting app again (important to avoid issues like Activity list failing to populate)... Take any updates and set up cards again as needed...

If you can't see G Pay/Wallet in Play Store, clear Play Store data then check Play Protect says Device is certified in Play Store settings...

🤠 PW
 

pndwal

Very strange, today Google Play Store shows me again Netflix and some other apps which had been missing since July. I haven't changed anything on my phone. I have a Xiaomi Poco X3 NFC, Android 10, Magisk 23 with Magisk Hide com.google.android.gms.unstable and module Riru 26.1.3 and Universal SafetyNet Fix 2.1.1 by kdrag0n
Play Store now relies on Play Integrity API since SafetyNet is deprecated and will hide many apps in store if deviceIntegrity verdict fails...

As mentioned above, Google has been turning new Play Integrity hardware attestation evaluation type enforcement on and off spasmodically for different devices and at different times lately...

It seems Google has simply reverted this enforcement for your device recently, but you should probably apply a bypass fix as it's likely they'll restore enforcement when they've sorted out any regression issues for your device...

Clearly you cannot use @Displax modded USNF version with Play Integrity fix with pre-Zygisk magisk. You can try @huskydg's Riru compatible mod here however:
https://github.com/HuskyDG/safetynet-integrity-fix

👀 PW
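For app developers reading the post above: an added example (not from this thread or from Google's samples) of a backend policy check over a decoded Play Integrity verdict. It shows why a device that reports only the basic and device labels should not be treated as hardware-attested; the package name, nonce and payload values are constructed, and token decryption/verification is assumed to have happened already.

```python
import time

# Constructed sample of a decoded verdict payload (values are made up).
# Assumption: the integrity token was already decrypted and verified server-side.
SAMPLE_VERDICT = {
    "requestDetails": {
        "requestPackageName": "com.example.bank",  # hypothetical app
        "nonce": "c2FtcGxlLW5vbmNlLTAwMQ==",        # constructed nonce
        "timestampMillis": "1665000000000",
    },
    "appIntegrity": {
        "appRecognitionVerdict": "PLAY_RECOGNIZED",
        "packageName": "com.example.bank",
    },
    "deviceIntegrity": {
        # Basic and device labels present, strong (hardware-backed) label absent.
        "deviceRecognitionVerdict": [
            "MEETS_BASIC_INTEGRITY",
            "MEETS_DEVICE_INTEGRITY",
        ],
    },
}


def evaluate_verdict(verdict, expected_package, expected_nonce,
                     required_label="MEETS_STRONG_INTEGRITY",
                     max_age_s=120, now_ms=None):
    """Return (allowed, reasons) for one decoded verdict.

    Every check is evaluated so the caller can log all failure reasons,
    which is more useful for detection than stopping at the first one.
    """
    reasons = []
    req = verdict.get("requestDetails", {})

    # Bind the verdict to this app and to the nonce this server issued.
    if req.get("requestPackageName") != expected_package:
        reasons.append("package_mismatch")
    if req.get("nonce") != expected_nonce:
        reasons.append("nonce_mismatch")

    # Reject replayed or long-cached verdicts.
    try:
        issued_ms = int(req.get("timestampMillis", 0))
    except (TypeError, ValueError):
        issued_ms = 0
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    if abs(now_ms - issued_ms) > max_age_s * 1000:
        reasons.append("stale_verdict")

    # The app binary must be the one Play distributed.
    app = verdict.get("appIntegrity", {})
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("app_not_recognized")

    # Require the label the risk policy actually depends on. A missing
    # deviceIntegrity object or an empty label list fails closed.
    labels = set(verdict.get("deviceIntegrity", {})
                 .get("deviceRecognitionVerdict", []))
    if required_label not in labels:
        reasons.append("missing_" + required_label)

    return (not reasons, reasons)


if __name__ == "__main__":
    args = (SAMPLE_VERDICT, "com.example.bank", "c2FtcGxlLW5vbmNlLTAwMQ==")
    print(evaluate_verdict(*args, now_ms=1665000030000))
    print(evaluate_verdict(*args, required_label="MEETS_DEVICE_INTEGRITY",
                           now_ms=1665000030000))
```
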
 

stathis

Play Store now relies on Play Integrity API since SafetyNet is deprecated and will hide many apps in store if deviceIntegrity verdict fails...

As mentioned above, Google has been turning new Play Integrity hardware attestation evaluation type enforcement on and off spasmodically for different devices and at different times lately...

It seems Google has simply reverted this enforcement for your device recently, but you should probably apply a bypass fix as it's likely they'll restore enforcement when they've sorted out any regression issues for your device...

Clearly you cannot use @Displax modded USNF version with Play Integrity fix with pre-Zygisk magisk. You can try @huskydg's Riru compatible mod here however:
https://github.com/HuskyDG/safetynet-integrity-fix

👀 PW
Oh, I understand. I have read about this. For now I'm a little lucky, until it breaks again and I don't see the apps; so now I again see the apps that were hidden in Google Play from July until this post
 

YMatrix

Hey
So I have been using the modded safetynet fix by Displax without trouble... Till now.
I had a Google wallet update and suddenly it has stopped working.
Tried tinkering with all options, using shamiko, but without success.
I am using this on my s20fe 5g on a custom oneui rom
Any advice?
Change device fingerprint?
 

pndwal

Hey
So I have been using the modded safetynet fix by Displax without trouble... Till now.
I had a Google wallet update and suddenly it has stopped working.
Tried tinkering with all options, using shamiko, but without success.
I am using this on my s20fe 5g on a custom oneui rom
Any advice?
Change device fingerprint?
Probably only need some resets...

As mentioned above, Google has been turning new Play Integrity hardware attestation evaluation type enforcement on and off spasmodically for different devices and at different times lately...

Check deviceIntegrity first; see here:
https://forum.xda-developers.com/t/...agisk-discussion-thread.3906703/post-87481637
... Re. resets, scroll down and see 'Related Issues'... 👍 PW
 

Exokan

Hi, probably a dumb question... Pixel 6 on A13. Used USNF mod to get cards to work (works great!). However, I was previously also using MHPC to add a notethering prop. Can USNF and MHPC not work together because they're essentially both trying to modify the props and would conflict?
 

Top Liked Posts

  • 8
    Yes i can see device certified but app redirects to attach page. App added to denylist. But same issue.
    This is out of topic for the USNF module. USNF module is to pass SafetyNet, and the modded version, to pass Play Integrity API (Google's successor for SN)

    Various 'banking' apps use various additional techniques to detect 'root' - from relatively stupid things like looking for Magisk app, TWRP folder, USB debugging mode to more complicated like looking for LSPosed and its modules or even for Zygisk, etc

    If you know (of course, they don't tell you, you have to experiment), you can try to hide Magisk app (disable it or even uninstall it), to rename or delete TWRP folder, to use Hide My Apps module (to hide Magisk app and LSPosed modules apps) for LSPosed, etc.
    Certain custom ROMs (or just custom Kernels) are built in debug mode - and that can be just another way for a 'banking' app to find that you are not using the certified, stock ROM

    Sorry, I will not go into the details or guide how to use Hide My Apps, etc - there are really tens and tens of posts in the general XDA Magisk thread about all that

    There are posts with particular 'solutions' (users found by experimenting for this or that app which technique to use to hide 'root' from that app).
    One has to read there, search, study, experiment himself, etc

    However, and that has also been discussed in the Magisk General thread (with names/examples of those apps - you should look there, maybe your app is among them) there are now apps that look for Zygisk and unfortunately that cannot be hidden (by the out-dated Shamiko module)

    Apparently, one must not use this new 'official' Magisk with Zygisk and DenyList but the custom fork (it has its own thread on XDA) Magisk Delta, that uses the 'good' old MagiskHide (instead of Zygisk+DenyList) to 'hide root' from those apps

    ---

    All together, USNF module is not a module to hide 'root' from the x-y-z app, but to pass SN (and now its successor PI)

    SN/PI API is just one point on the checklist what 'banking' apps may use when they look for 'root' - for various techniques they use, one must apply various particular solutions to hide

    All that is out-of-topic for this thread, and too big and complex to be guided in one post.
    One has to look into the threads and posts (by searching, etc) where these things have been already and extensively discussed

    It's the game - today you hide, tomorrow they will discover new way to detect

    TJW works for Google and he had distanced himself from hiding the 'root,'
    To make things worse, it seems that there are now new sorts/versions of 'banking' apps that detect Zygisk, with no known solution to hide - except for going back from this new Zygisk+DenyList to the old MagiskHide (but again, you could not blame TJW, hiding from root is not his business anymore)
    4
    I'm very sorry, I uploaded the screenshots from my phone so as not to transfer them to the PC. I was planning to edit to add information, but I had a physical problem and couldn't use the PC. Now I've seen the notification and I know I did wrong; next time I won't upload the photos until I have the text

    thanks for the warning
    Please, this is English forum, use Translate if necessary to post in English
    4

    I think you missed the part where you ask an actual question, and provide details

    We don't troubleshoot from screenshots alone here....

    Also you seem to have missed reading from any of the last dozen or so pages which would tell you that it's no longer just about passing safetynet, and what the fix is...

    You should get into the habit of reading the last pages of any thread before posting a query, as generally if you're experiencing an issue (one that's usually a dramatic change) then others are too, therefore an answer probably has already been provided.

    Posting just a screenshot, no info and expecting people to jump to attention for you will not go well for you here...you're expected to do some work yourself..

    This will get you up to speed, but please, next time, don't be lazy...

    4
    I try to read everything here almost every day... I'm not a developer.... But I still need to ask:

    The reason why Magisk Delta would work for this app when Magisk stable wouldn't??? Please direct me to the appropriate reference that I can read which might/might not make sense to me. Thanks

    The very very, and i repeat, very simplistic 30 second answer is that Magisk Stable had all its hiding code removed (on purpose even), as TJW put it, to make Magisk get out of the way of itself, and to make it actually more powerful (for applications beyond hiding necessarily), whereas "legacy" Magisk forks, like Delta still include the code to hide processes.

    Magisk stable can actually have modules for hiding (such as Shamiko) run under zygisk, but it can be, as noted hit or miss, as there's no 100% way to hide zygisk, given how it operates in the way and at the level it does

    Some people get very territorial (and waaaay too emotional at times) over this or that fork, and TJW took 100% more flack than he should have making the change, but those folks need to know that neither fork is immune to or exempt from being made redundant

    I'm sure @pndwal will no doubt come down from his bell tower to provide more relevant material and links (he has ALL the links)

    Also probably worth mentioning, because it really isn't mentioned or highlighted enough, that there's more to Magisk than just hiding stuff, case in point i have about 14 self made modules, just 2 of them in any way rely on the hiding abilities provided by zygisk and shamiko
    4
    Banking app like HDFC has updated their app. Now when we start the app it checks for root check and immediately redirects to web browser with root alert. I think module or magisk needs to be updated to make work with such apps. Note: I have magisk in hidden mode as well as app is hidden and

    Universal SafetyNet Fix 2.3.1 module activated but app does not work.

    You just need to get play store certified. Safetynet fix is all you need. Turn on airplane mode and clear cache on play store and play services and gpay. Restart phone. Turn air plane mode off.
    Seems many are assuming Play Protect certification will fix detection for Netflix etc... And indeed Netflix suggests checking this themselves...

    However all such apps are migrating from deprecated SafetyNet to new Play Integrity API... Not sure, but I'm guessing Netflix will require this by now...

    Last time I checked, Play Protect was still using old S/N API, so it's possible to have 'Device is certified' while newly required PI deviceIntegrity is failing... A clue is when updates for affected apps no longer show up on Play Store which filters according to the attestation label used by hosted apps...

    So assuming official USNF is enough since 'Device is certified' is no longer good policy...

    Some users won't need to update to the @Displax modded USNF fork which solves this since further HKA enforcement bypasses aren't needed to pass deviceIntegrity on some devices, especially A10 stock and earlier. However I strongly suggest using Play Integrity API Checker app to ensure this verdict label passes. If not, install the Displax forked USNF w/ extra deviceIntegrity fix (essentially Universal deviceIntegrity PI fix now) as apps will often say 'root is detected' when deviceIntegrity is simply failing...

    Of course apps may also add their own new custom detections in addition, but don't make assumptions before at least passing deviceIntegrity, taking Hide the Magisk app Magisk option and adding app in denylist... I'd be substituting denylist for Shamiko (deny-->hide) also...

    🤠 PW
  • 282
    Universal SafetyNet Fix
    Magisk module

    Magisk module to work around Google's SafetyNet attestation.

    This module works around hardware attestation and recent updates to SafetyNet CTS profile checks. You must already be able to pass basic CTS profile attestation, which requires a valid combination of device and model names, build fingerprints, and security patch levels.

    If you still have trouble passing SafetyNet with this module, use MagiskHide Props Config to spoof a certified device profile. This is a common issue on old devices, custom ROMs, and stock ROMs without GMS certification (e.g. Chinese ROMs).

    Android versions up to 13 Beta 3 are supported, including OEM skins such as Samsung One UI and MIUI.

    How does it work?
    The way this workaround works is relatively low-level. An in-depth explanation, as well as source code and ROM changes, can be found on GitHub.

    Ideally, this workaround should be incorporated in ROMs instead of overriding part of the ROM in a Magisk module. The ROM changes for it are linked above for ROM developers to use.

    Downloads
    Downloads and changelogs can be found on GitHub. The topmost release is the latest.

    Latest release
    v2.3.1

    Highlights
    • Fixed fingerprint on OxygenOS/ColorOS 12 (@osm0sis)
    • Support for Magisk 24+ module updates (@benjibobs)
    • Restored support for Android 7
    Other changes
    • Spoofed OnePlus OEM unlock status for futureproofing (@osm0sis)
    • Minor code improvements
    This version only supports Zygisk (Magisk 24 and newer).

    Source code

    If this helped you, please consider donating to support development: recurring donation for sustainable support or buy me a coffee. Thank you for your support!
    173
    So, here is my modification of USNF with Play Integrity API bypass.

    It changes fingerprint to old 7.1.2 6.0 (LOL) and applies it only for GMS SafetyNet process (by Zygisk injection), so your original prints/security patch level does not change. This avoids many side effects/problems with global props changing.

    Updated 2.0:
    Bypassing DEVICE_INTEGRITY for devices that shipped with Android 13+ (Pixel 7's)

    Updated:
    Drop fingerprint to lowest possible (6.0) to ensure that no one uses same Android version

    Usage:
    1. Delete/disable/reset MagiskHidePropsConfig (if installed).
    2. Just install it over old Universal SafetyNet Fix and reboot device.
    3. You may need to wipe GMS data (not cache) if there is no result immediately.

    Many thanks to @1nikolas for integrity checker.

    Source code: https://github.com/Displax/safetynet-fix/tree/integrity
    31
    Folks, the SafetyNet API was deprecated last month with 'full turndown' slated for June 2024 and the introduction of the new Play Integrity API. It has also become clear that Google apps are simply the first to adopt the long foretold Play Integrity API; all responsible banks are bound to follow suit in short order, and at least before the June 2023 migration deadline.

    This means (assuming fully deployed Hardware Key Attestation doesn't come first 😬) that the need for a 'Universal Play Integrity Fix' has become quite urgent.

    We currently have workarounds involving using older fingerprint props by means of MHPC module (similar to fix needed for uncertified ROMs), but success/mileage varies per device and users of regular bank apps / gamers etc on stock devices will all soon be forced to experiment with MHPC prints also... This is hardly ideal.

    So I've made an issue report/request on USNF GitHub as follows. This information may be insightful to users here also...

    Please let me know here if I have missed anything important, or add any technically relevant details there...

    PLEASE DON'T spam that issue with unimportant details or queries... (The previous issue is already burgeoning w/ OT.) That's what this thread is for... 😛 :

    Please make 'Universal Play Integrity Fix' ... #204

    Fixes to expand 'Universal SafetyNet Fix' to become a 'Universal Play Integrity Fix' are needed.

    The SafetyNet Attestation API is deprecated and has been replaced by the Play Integrity API.
    https://developer.android.com/training/safetynet/deprecation-timeline

    New Play Integrity API is rolling out from June 2022, and evidently Google Play Store and Google Pay/Wallet are already using its verdict.

    June 2023 is the Migration Deadline for app developers. This will also allow their older app versions to continue working with SafetyNet API for a limited time.

    June 2024 is the End of life for SafetyNet API; its attestation will no longer work for any app version, and apps will receive an error.

    The new Integrity API has more strict requirements for passing attestation, and this seems to be enforced in Android 11+ particularly.

    Currently (evidently due to this), device security issues are detected by

    1. Google Pay/Wallet, which may state "You can't pay contactless with this device...(Your phone doesn't meet software standards)" on updating or attempting to add a card despite in-app Contactless setup stating "You're ready to pay contactless with your phone (Your phone meets security requirements)", and
    2. Google Play Store, which may no longer show apps like Netflix w/ Android 11+ (developers can 'exclude devices from their app's distribution based on their device integrity. Device exclusion is based on the latest device integrity verdict that the Play Store app receives from the Play Integrity API') despite in-app settings showing Play Protect 'Device is certified' result.
    I'm guessing that the 'passing' messages based on the old SafetyNet API are likely to be realigned soon.

    A workaround that evidently allows Play Integrity API attestation to pass (and solve Wallet / Play Store issues also) has been discovered. It involves spoofing an earlier certified ROM, generally by using MagiskHide Props Config module to change fingerprint prop to one for Android 10 or earlier.

    Undoubtedly other apps will begin to detect broken TEE etc / fail as they migrate or begin integrating the Play Integrity API.

    A 'Universal Play Integrity Fix' will evidently require more understanding / research into how the fingerprint prop is used, and possibly other new behaviours.

    Here's hoping... 🙃 PW
    28
    ok so there is a solution

    get the magisk module riru

    after you get riru get LSPosed

    after you get LSPosed get xprivacylua (in the LSPosed app)

    select play services in the xprivacylua settings IN the LSPosed app

    AND in the xprivacylua app itself after you've restarted.

    clear play service data

    check safetynet in magisk - enjoy?

    I would reboot between each step just to be safe but I know it's necessary to load the xprivacylua module

    s/o to saitama_96 for discovering it or so I'm led to believe
    26
    Some useless statistics:
    My MOD was downloaded over 2k times.
    1,5k from XDA
    800 from GitHub

    I'm glad i made 2000+ people happier :) Thank you!