MAGISK MODULE ❯ Universal SafetyNet Fix 2.4.0

Search This thread

wyt18

Senior Member
Hi all,

I'm on oneUI 2.5.
Safetynet is ok as fingerprint in bank apps.
But it brokes secure folder. Impossible to access it.
which version of safetynet fix are you using and on which device? i'm on stock s9 snapdragon oneui 2.5, magisk 21.2 and xposed (tried both taichi and edxposed/riru). haven't been able to get fingerprint in banking apps to work
 

23Xor

Member
Dec 27, 2020
6
1
Until three days ago it was passing having applied Magisk only. I am quite sure that Google changed to using hardware based SafetyNet checks also for the M5 and so it's failing with or without SafetyNet security fix.

I also found a strange thing that might cause CTS failure, but I am not sure: getprop ro.build.fingerprint is returning version "9.1.0.335" while having installed version "9.1.0.345" on the device. Probably I'll try to set the fingerprint manually to see whether that fixes the issue.

I haven't tested it these days.
OH DAMN IT
*open the Play Store*
*passed*
OH YES
*download Safetynet Check*
*CTS profile fails*
OH DAMN IT AGAIN
*flash this module*
*fully passes Safetynet Check*
OH YES

And in fact it's just a google safetynet check yes? I can just use Ourplay.
If Ourplay doesn't work... Well I don't need these apps so heavily and I can just choose root and abandon them.
So why am I shifting my emotions like this?:unsure:
Why am I so concerned everytime when I hear that google is making passing SafetyNet harder?:unsure:
Oh, there might be a switch on my back.:LOL:(and google is switching it)
 
Last edited:
  • Like
Reactions: isoladisegnata

Durete

Member
Dec 15, 2006
22
3
I was using 1.1.0 version and worked just fine, but after intensive testing I found some strange issues with my banking app and Amazon App (Safety Net pass and Gpay contactless OK).
My banking app ask to install a new CA certificate every time I open.
My Amazon app crashed always.

I tested version 1.1.1 Test 1 and all issues seems to be gone.
My banking app works perfect, Amazon App stopped to crash, Google Play shows Certified Device, SafetyNet pass OK and Gpay contactless seems to work fine.
I will report in case I found any new issue, but all apps seems to work perfect now.

Thank you for your work !
Seems to be I talked too much soon....
Tested version 1.1.1 Test1, 1.1.1 Test2 and official 1.1.1 Release from GitHub repo.
All versions works just fine to pass SafetyNet, Google Play Certificied device and Gpay including contactless.
But all versions broke some apps like my banking app, Amazon App after a few random minutes from reboot device. They work perfect as soon I reboot the device, but after lock screen or some minutes they do not work. My banking app ask always to install a new CA Certificate (Geotrust .....) and Amazon App crash with a message inside the app "Something is wrong"
Not sure, but seems to be related to GPS or location services.

Anyway, thanks for your work @kdrag0n
 

Attachments

  • photo_2021-01-16_11-46-29.jpg
    photo_2021-01-16_11-46-29.jpg
    34 KB · Views: 78
  • photo_2021-01-16_11-45-16.jpg
    photo_2021-01-16_11-45-16.jpg
    29.1 KB · Views: 77

Seehank

Senior Member
Apr 6, 2013
52
18
Bratislava
Clear Google Play Services cache and ensure PlayStore says device is certified for play Protect. Check Gpay is shown in PlayStore / is not listed as incompatible. If not showing/compatible, clear PlayStore Data.

Ensure G Pay is selected in MagiskHide list, clear it's Data and reboot. (You'll need to set up card(s) etc again from scratch in any case.) 👍 PW

This alone did not help, because my banks app was feeding Google Pay with card information, but after performing all you recommended + removed the card from Google Pay manually and than reenable it with my bank app it seems to be working, so thanx <3
 
  • Like
Reactions: pndwal

MoL_82

Senior Member
Aug 16, 2019
90
45
Tested official 1.1.1. Works just like the two test versions.
I am on a Samsung S9, A10, DevBase.

It still has the issue of biometrics not working on third party apps. It was suggested that had to do with Samsung Pass. I do not know if Samsung Pass is on DevBase-ROM. I see that one of the third party apps even removed the option of using biometrics to log in.
 

pndwal

Senior Member
Latest release
v1.1.1
@kdrag0n released this 4 hours ago

Changes
- Removed security patch fixup to fix CTS profile mismatches on some devices

Some devices will now need to use MagiskHide Props Config in addition to this module in order to pass CTS profile checks as part of basic attestation. Altering the CTS profile is no longer in scope for this module as it breaks more devices than it fixes

👍 PW
 

Tianhe

Senior Member
Mar 16, 2011
676
168
Latest release
v1.1.1
@kdrag0n released this 4 hours ago

Changes
- Removed security patch fixup to fix CTS profile mismatches on some devices

Some devices will now need to use MagiskHide Props Config in addition to this module in order to pass CTS profile checks as part of basic attestation. Altering the CTS profile is no longer in scope for this module as it breaks more devices than it fixes

👍 PW

I believe this is best to maintain compatibility across devices. I have been using MHPC(fingerprint) + V1.1.0 for sometime now and everything is smooth.

BTW, as you had predicted, I removed forced basic attestation from MHPC yet I still pass CTS. Added benefit - Now my about phone info shows my exact device model.

Thanks @kdrag0n
 

rewtnull

Senior Member
Aug 22, 2010
86
12
Just enable magisk hide on revolut. Just tried it and it worked for me. Tap the shield at bottom of magisk app. Select magisk hide, find revolut and tick the checkbox. Root hidden. I suggest doing this for all Google services as well.

Just to be very clear, are you using Revolut v7.31?
 
Last edited:
Latest release
v1.1.1
@kdrag0n released this 4 hours ago

Changes
- Removed security patch fixup to fix CTS profile mismatches on some devices

Some devices will now need to use MagiskHide Props Config in addition to this module in order to pass CTS profile checks as part of basic attestation. Altering the CTS profile is no longer in scope for this module as it breaks more devices than it fixes

👍 PW

As seen in the previous page:

Universal SafetyNet Fix v1.1.1 is now available.

Changes
  • Removed security patch fixup to fix CTS profile mismatches on some devices

Download

Some devices will now need to use MagiskHide Props Config in addition to this module in order to pass CTS profile checks as part of basic attestation. Altering the CTS profile is no longer in scope for this module as it breaks more devices than it fixes.

If this module helped you, please consider a recurring donation for sustainable support, or alternatively buy me a coffee. Everything helps, but a recurring donation is the best way to keep the project alive in the long term.

Issues on heavy OEM skins
This is a reminder that heavy OEM skins are not officially supported. They may happen to work depending on your luck and the particular ROM in question, but nothing is guaranteed. Please do not report problems on such ROMs. It's surprising that it works at all on them; I wouldn't expect everything to be fully working. I will not provide more support for issues related to heavy OEM skins.

The compatibility issue does not lie in the SafetyNet fix itself, but rather how the Magisk module is built. It's possible to make the Magisk module version of the fix slightly more portable, but I have no interest in supporting heavy OEM skins, nor do I have any devices running such ROMs.

You will always have the best luck with a ROM not too far from AOSP, e.g. most custom ROMs and Pixel stock ROMs.

So why not quote or link to it?
***
 
  • Like
Reactions: pndwal

rewtnull

Senior Member
Aug 22, 2010
86
12
I took some time to compare last working version 7.30.3 to the two newest ones 7.31/7.32. After taking some logs I noticed that:

1. 7.30.3 - no root detection implemented in the app

2. 7.31 & 7.32 - root detection built-in

So Revolut changed this just few days ago. You can compare the screenshots.

BUT hiding magisk manager seems to do the trick and the new version is working fine now. I've just tried it so I was wrong by saying that nothing could be done. Sorry for the misinformation guys.

Still can't get v7.31+ to work even by hiding Magisk Manager (something I had done already before but had used the default suggested name when hiding. Changing the name to something else didn't make any difference though,)
 

jurluk

Member
Jan 21, 2015
22
16
Works like a charm
v1.1.1, Galaxy A40

With MagiskHide and by hiding the Magisk Manager, Revolut is again working (after clearing app data)

edit:
And for the first time I have managed to successfully run McDonalds app :)
 

mamama07

Senior Member
Sep 7, 2014
76
12
PM me, I will try help you, because I have the same configuration but in my case everything works.

Thanks kdrag0n for your hard work ;-)

Feedback: With your fix, Magisk shows success when checking safetynet, but until now, the fix doesn't work for GPay in my case, neither with V1.1.0 nor with V1.1.1-test2 on Xiaomi Mi 9 with MIUI 12.

What I have done: I have cleared GPay's and PlayStore's cache and user data, uninstalled GPay, rebooted. Checked that PlayStore is checked in Magisk Hide and that Play Store indicates no problems in Play protect. Then I re-installed GPay, added it to MagiskHide and cleard GPlay's and GPay's cache and user data again. After this procedure, GPay did still know my credit card, but reported that the phone doesn't meet the security requirements. I have deleted the credit card, cleared cache and data, rebooted and added the card again, but GPay is still not working.
 
  • Like
Reactions: wonka92

innit

Senior Member
Still can't get v7.31+ to work even by hiding Magisk Manager (something I had done already before but had used the default suggested name when hiding. Changing the name to something else didn't make any difference though,)
Hmm, no idea why it's not working for you. All I did was to rename the magisk manager, safety net is passing, google play's status shows certified. I also use EdXposed and Revolut doesn't seem to care about it. But as soon as magisk manager is restored to it's original name the issue starts again. So magisk is tripping Revolut's root protection mechanism.

You have probably already tried the typical steps of clearing app's cache and data or reinstalling it all together, haven't you?
 
  • Like
Reactions: wonka92

rewtnull

Senior Member
Aug 22, 2010
86
12
Hmm, no idea why it's not working for you. All I did was to rename the magisk manager, safety net is passing, google play's status shows certified. I also use EdXposed and Revolut doesn't seem to care about it. But as soon as magisk manager is restored to it's original name the issue starts again. So magisk is tripping Revolut's root protection mechanism.

You have probably already tried the typical steps of clearing app's cache and data or reinstalling it all together, haven't you?

I had done all that, however I did forget to hide the Revolut app the second time around reinstalling it and rehiding the manager. Thank's again and sorry for the inconveniance. :)
 
  • Like
Reactions: wonka92

wonka92

New member
Apr 18, 2014
1
0
I can confirm everything is working as needed now.
Just need to add Revolut to the list of apps that are hidden by Magisk Hide.

That's it! Thanks a lot guys! ;)
 

Britch3s

Senior Member
Sep 10, 2016
97
15
34
Grayson
Not currently running force basic as an update broke it or something happened on my poco f2 pro, but gpay, Mario run, pokemon go all work tho I don't play these games, simply use to test functions of bypassing. But currently magisk says cts profile mismatch which wasn't the case last when I tested a month or so ago. Haven't flashed any roms, anything new in several months time. But google still sees device as certified. This was the module I used to bypass the issue of gpay, and certian games/apps not working. Again not using it now as it's vanished since the latest update, termu doesn't see it and do not have the option to set basic fingerprint currently selected as poco f2 global.

Notes to ANYONE stating this doesn't work, when you change finger print be SURE to add Google play, gpay, any game that checks etc in magisk hide, also CLEAR DATA OF GOOGLE PLAY AND PLAY SERVICES THEN REBOOT or it will never work!.
 

Essentrix

Senior Member
Apr 4, 2013
923
193
Samsung Galaxy A52 5G
Hi, been trying to get this working correctly for the last few days with partial success.
Have Galaxy S5e tab with rooted stock Android 10, user interface 2.5.
Magiskhide solves the basic pass.
Installed a number of recent builds including the latest to resolve cts profile fail.
Problem is I pass basic and cts and works fine as long as I don't set a screen lock. Once I put on a screen lock the tab reboots 5-6 times each time I reboot and and becomes unstable with occasional random reboots.
Have to set a lock due to organisation policy.
Any thoughts?
 

Top Liked Posts

  • There are no posts matching your filters.
  • 337
    Universal SafetyNet Fix
    Magisk module​

    Magisk module to work around Google's SafetyNet attestation.

    This module works around hardware attestation and recent updates to SafetyNet CTS profile checks. You must already be able to pass basic CTS profile attestation, which requires a valid combination of device and model names, build fingerprints, and security patch levels.

    If you still have trouble passing SafetyNet with this module, use MagiskHide Props Config to spoof a certified device profile. This is a common issue on old devices, custom ROMs, and stock ROMs without GMS certification (e.g. Chinese ROMs).

    Android versions up to 13 Beta 3 are supported, including OEM skins such as Samsung One UI and MIUI.

    How does it work?
    The way this workaround works is relatively low-level. An in-depth explanation, as well as source code and ROM changes, can be found on GitHub.

    Ideally, this workaround should be incorporated in custom ROMs instead of injecting code with a Magisk module. See the ProtonAOSP website for more information.

    Downloads
    Downloads and changelogs can be found on GitHub. The topmost release is the latest.

    Latest release
    v2.4.0

    Highlights
    • Play Integrity bypass without breaking device checks or causing other issues
    • Disabled use of hardware attestation on Pixel 7 and newer (@anirudhgupta109)
    Other changes
    • Updated instructions for newer Android and Magisk versions
    • Better debugging for future development
    This version only supports Zygisk (Magisk 24 and newer).

    It's taken a while to find a way to bypass Play Integrity that doesn't require spoofing the build fingerprint permanently, but I wanted to make sure this module doesn't cause any unnecessary breakage. Just like the original goal of Universal SafetyNet Fix, this minimizes adverse effects by spoofing dynamically at runtime only when necessary. Enjoy!

    If you found this helpful, please consider supporting development with a recurring donation for rewards such as early access to updates, exclusive behind-the-scenes development news, and priority support.
    Alternatively, you can also buy me a coffee. All support is appreciated ❤️

    Source code
    223
    So, here is my modification of USNF with Play Integrity API bypass.

    It changes fingerprint to old 7.1.2 6.0 (LOL) and apply it only for GMS SafetyNet process (by Zygisk injection), so your original prints/security path level does not change. This avoids many side effects/problems with global props changing.

    Updated 3.0:
    No words needed, you understand everything yourself 😜

    Updated 2.1:
    Hide "Enable OEM Unlock" setting

    Updated 2.0:
    Bypassing DEVICE_INTEGRITY for devices that shipped with Android 13+ (Pixel`s 7 )

    Updated:
    Drop fingerprint to lowest possible (6.0) to ensure that no one use same Android version

    Usage:
    1. Delete/disable/reset MagiskHidePropsConfig (if installed).
    2. Just install it over old Universal SafetyNet Fix and reboot device.
    3. You may be needed to wipe GMS data (not cache) if there is no result immediately.

    Many thanks to @1nikolas for integrity checker.

    Source code: https://github.com/Displax/safetynet-fix/tree/integrity
    58
    So, here is my new modification of USNF with Play Integrity API bypass.

    It is now based on top of original v2.4.0 codebase instead of v2.3.1, with adding new hiding algorithm for current realities and some code refreshing.

    Changelog:

    Version 1.2
    * Fix crash and endless tests loop/failing on Android < 9.0 (bug from original version 2.4.0).
    * Do not unpatch (revert) changes. To prevent possible tests failing after a while on some ROMs (cross conflicts).

    Version 1.1
    * Fix KeyStore hook desynchronization (tests randomly failing problem).


    Usage:
    1. Delete/disable/reset MagiskHidePropsConfig (if installed).
    2. Just install it over old Universal SafetyNet Fix and reboot device.
    3. You may be needed to wipe GMS data (not cache) if there is no result immediately.

    Source code: https://github.com/Displax/safetynet-fix/tree/dev
    33
    So, created separate thread for my mod. Welcome)

    32
    Folks, the SafetyNet API was depreciated last Month with 'full turndown' slated for June 2024 and the introduction of the new Play Integrity API. It has also become clear that Google apps are simply the first to adopt the long foretold Play Integrity API; all responsible banks are bound to follow suit in short order, and at least before the June 2023 migration deadline.

    This means (assuming fully deployed Hardware Key Attestation doesn't come first 😬) that the need for a 'Universal Play Integrity Fix' has become quite urgent.

    We currently have workarounds involving using older fingerprint props by means of MHPC module (similar to fix needed for uncertified ROMs), but success/mileage varies per device and users of regular bank apps / gamers etc on stock devices will all soon be forced to experiment with MHPC prints also... This is hardly ideal.

    So I've made an issue report/request on USNF GitHub as follows. This information may be insightful to users here also...

    Please let me know here if I have missed anything important, or add any technically relevant details there...

    PLEASE DON'T spam that issue with unimportant details or queries... (The previous issue is already burgeoning w/ OT.) That's what this thread is for... 😛 :

    Please make 'Universal Play Integrity Fix' ... #204

    Fixes to expand 'Universal SafetyNet Fix' to become a 'Universal Play Integrity Fix' are needed.

    The SafetyNet Attestation API is deprecated and has been replaced by the Play Integrity API.
    https://developer.android.com/training/safetynet/deprecation-timeline

    New Play Integrity API is rolling out from June 2022, and evidently Google Play Store and Google Pay/Wallet are already using its verdict.

    June 2023 is the Migration Deadline for app developers. This will also allow their older app versions to continue working with SafetyNet API for a limited time.

    June 2024 is the End of life for SafetyNet API; its attestation will no longer work for any app version, and apps will receive an error.

    The new Integrity API has more strict requirements for passing attestation, and this seems to be enforced in Android 11+ particularly.

    Currently (evidently due to this), device security issues are detected by

    1. Google Pay/Wallet, which may state "You can't pay contactless with this device...(Your phone doesn't meet software standards)" on updating or attempting to add a card despite in-app Contactless setup stating "You're ready to pay contactless with your phone (Your phone meets security requirements)", and
    2. Google Play Store, which may no longer show apps like Netflix w/ Android 11+ (developers can 'exclude devices from their app's distribution based on their device integrity . Device exclusion is based on the latest device integrity verdict that the Play Store app receives from the Play Integrity API') despite in-app settings showing Play Protect 'Device is certified' result.
    I'm guessing that the 'passing' messages based on the old SafetyNet API are likely to realigned soon.

    A workaround that evidently allows Play Integrity API attestation to pass (and solve Wallet / Play Store issues also) has been discovered. It involves spoofing an earlier certified ROM, generally by using MagiskHide Props Config module to change fingerprint prop to one for Android 10 or earlier.

    Undoubtedly other apps will begin to detect broken TEE etc / fail as they migrate or begin integrating the Play Integrity API.

    A 'Universal Play Integrity Fix' will evidently require more understanding / research into how the fingerprint prop is used, and possibly other new behaviours.

    Here's hoping... 🙃 PW