MAGISK MODULE ❯ Universal SafetyNet Fix 2.4.0

4) If using Shamiko then must not be Enforce DenyList.
If not using Shamiko then must be Enforced.
That was many times debated in this thread and so.
Most of ppl use Shamiko, hence they have disabled Enforce
I know that and thank you as you informed. I read that Shamiko, HMA thing. I disabled DenyList of Magisk, Shamiko failed. I also tried Lsposed and enabled HMA (disabled DenyList of Magisk) that too failed. Just wanted to update you that out of 5 root detect apps including 2 banking apps, 4 apps worked and with Shamiko, HMA, Lsposed only one app could work, not the other 4. I think just for one banking app I should not screw all the 4 working apps.

Apps are:
HDFC Bank- Did not work
Axis bank - Works
RTO - Works
Medibuddy - Works
Rapido Captain - Works

I'm confident that if I use Shamiko, HMA, Lsposed I may get HDFC work but other 4 apps will not work. Just for one HDFC app I don't want to go installing other apps like Lsposed, Shamiko and their too many settings.
 
4) If using Shamiko then must not be Enforce DenyList.
If not using Shamiko then must be Enforced.
That was many times debated in this thread and so.
Most of ppl use Shamiko, hence they have disabled Enforce
I want to follow Shamiko properly so I need your help please. I'm sorry, I read the Shamiko thing and I did not understand.

My condition now: I have magisk (hide mode) with Enforce denylist enabled and those 5 root apps selected already. Only the HDFC is not working and still detecting root.

So do I need to do below steps? Please correct the steps if you feel they are wrong:
-I have to disable the enforce denylist in magisk
-Flash shamiko.zip
-Then open magisk and enforce denylist and select root detect apps right?
 

zgfg

Senior Member
I know that and thank you as you informed.
HMA is not substitute for DenyList.
Nobody ever said to disable DenyList when using HMA

Putting a 'banking' app in DenyList is the FIRST thing every user must do, before asking here for help.
Otherwise we really waste time of our lives repeating the same BASIC FACTS

There are many other posts in this and other threads and there are threads here on XDA with guides in the OP posts about Zygisk, DenyList, Shamiko, USNF, HMA and the techniques of hiding

There are eg good guides in the OP posts in the following threads:



I specially like Standard 73Sydney Disclaimer (about asking things instead of taking own time to search and read) - hence I will no more continue this debate
 

73sydney

Senior Member
@zgfg

73sydney

I found a work around (no Lsposed, HMA, shamiko needed, they did not work too).

So,
1. I have cleared data and uninstalled the RTO, Medibuddy app which were detecting root and were not working.
2. Uninstalled Magisk
3. Reboot phone
4. Installed Magisk latest 25.2 > Settings > Enabled 'Zygisk' and Checked 'Enforce DenyList'
5. Hide Magisk (need to do this before installing those root detect apps from PlayStore)
6. Reboot
7. Installed RTO and other root detect apps from PlayStore (did not open them yet).
8. Magisk > Settings > Configure DenyList > Checked RTO and other root detecting apps.
9. Went back to my phone's home screen.
10. Reboot.
11. Launched those RTO and other root detect apps and they worked!

I would say most root detecting apps would work with the above method however for me out of 5 Root detecting apps, 4 worked except HDFC bank app. It was working fine on Magisk Manager v23.0 with Magisk.zip v22.1.

Similar to this episode yesterday, where the root detection was ultimately being caused by the user's TWRP folder (always check, and umm, recheck the basics folks) :) where i disabled Shamiko to prove, along with @zgfg that it must be something the user overlooked as we were doing the least amount of work to get his problem app to hide...i dont disable Shamiko for most examples, but it was warranted in this case...because nothing was adding up, and it needed to be shown that he must be overlooking something :)

We dont ALWAYS suggest HMA and Shamiko etc, i usually point out that Shamiko is always enabled on my device when im replying to a post and testing stuff for people though. We all like to use the least amount of gear where possible :)
 

73sydney

Senior Member
I want to follow Shamiko properly so I need your help please. I'm sorry, I read the Shamiko thing and I did not understand.

My condition now: I have magisk (hide mode) with Enforce denylist enabled and those 5 root apps selected already. Only the HDFC is not working and still detecting root.

So do I need to do below steps? Please correct the steps if you feel they are wrong:
-I have to disable the enforce denylist in magisk
-Flash shamiko.zip
-Then open magisk and enforce denylist and select root detect apps right?


When using shamiko = DISABLE "Enforce Deny List"
When NOT using shamiko = ENABLE "Enforce Deny List"
 

73sydney

Senior Member
HMA is not substitute for DenyList.
Nobody ever said to disable DenyList when using HMA

Putting a 'banking' app in DenyList is the FIRST thing every user must do, before asking here for help.
Otherwise we really waste time of our lives repeating the same BASIC FACTS

There are many other posts in this and other threads and there are threads here on XDA with guides in the OP posts about Zygisk, DenyList, Shamiko, USNF, HMA and the techniques of hiding

There are eg good guides in the OP posts in the following threads:



I specially like Standard 73Sydney Disclaimer (about asking things instead of taking own time to search and read) - hence I will no more continue this debate

We really have to stop meeting up and tag teaming the same old points from people at 4am-5:00am my time (not sure what time it is where you are :) This is getting a bit much :)

Rehashing stuff where a search or even as im always saying "read the last 6-12 pages of a thread people, usually already answered" is getting exhausting....
 
Reactions: rodken
When using shamiko = DISABLE "Enforce Deny List"
When NOT using shamiko = ENABLE "Enforce Deny List"
Thank you very much. I can confirm that both did not make my HDFC bank app work. I literally invested hours on this and I think I have to live with it. All other 4 root detect apps working fine. Thank you and thank you @zgfg I cant imagine having phone without root though haha
 

73sydney

Senior Member
Thank you very much. I can confirm that both did not make my HDFC bank app work. I literally invested hours on this and I think I have to live with it. All other 4 root detect apps working fine. Thank you and thank you @zgfg I cant imagine having phone without root though haha

Im going to say this just like i did yesterday at 4am...only its now 6:38 Aussie time

at any point after changing anything in trying to defeat root detection and before opening the apps again, did you clear the data for the affected apps..

any time youre messing with root detected apps and you make a change in trying to defeat the app detecting root, you should clear the apps data

theres an outside chance if you didnt do this you may find it works

also like yesterday, did you try running a detection app like Ruru to see if you were failing anywhere?


and now i have to sleep


update:

Just before i headed to bed, i realised that that banking app rang a bell, because i only tested it weeks ago....we (a few of us) tested a few of them in a row, that was one of them, and it does work, using Hide My Applist....in fact when i just started up my Hide My Applist app, there it was still in the Effective App list...i installed it again from the play store just now, added it to the Deny List, and ran it....opened first go

 
Reactions: AusVGM and ipdev

pndwal

Senior Member
...
Just before i headed to bed, i realised that that banking app rang a bell, because i only tested it weeks ago....we (a few of us) tested a few of them in a row, that was one of them, and it does work, using Hide My Applist....in fact when i just started up my Hide My Applist app, there it was still in the Effective App list...i installed it again from the play store just now, added it to the Deny List, and ran it....opened first go

https://forum.xda-developers.com/t/discussion-magisk-the-age-of-zygisk.4393877/post-87714843
Wasn't able to pass on my MIUI device (RN8T, A10) however... Remember this:
https://forum.xda-developers.com/t/discussion-magisk-the-age-of-zygisk.4393877/post-87715143

... Think we're taking Redmi Note 9 Pro Max here(?)... Anyone had success on MIUI?... I'd love to know what extra leaks need hiding and how... 😃 PW
 
Reactions: ipdev and 73sydney
at any point after changing anything in trying to defeat root detection and before opening the apps again, did you clear the data for the affected apps..
Yes I did clear cache and data.
also like yesterday, did you try running a detection app like Ruru to see if you were failing anywhere?
Installed Ruru, not sure what to check there. Its too much of geek for me. I like what you said earlier like everybody likes to have few gears :)
Just before i headed to bed, i realised that that banking app rang a bell, because i only tested it weeks ago....we (a few of us) tested a few of them in a row, that was one of them, and it does work, using Hide My Applist....in fact when i just started up my Hide My Applist app, there it was still in the Effective App list...i installed it again from the play store just now, added it to the Deny List, and ran it....opened first go
That HDFC Banking app appears to work, but actually it does not. When you really enter the Customer ID and Password, it crashes and takes you to the browser picker. When I select Chrome, nothing happens. I have Titanium Backup and also checked with the previous version of the HDFC app. Still no success, so I will use the website instead of the app. I just don't want to install other apps (Lsposed, HMA) and configure so many settings just to make this ONE app work when that can fail the OTHER 4. I'm good with Magisk Enforce denylist. Refer to the attached screen recording.

https://drive.google.com/file/d/1IDDmPlHPgl59MeeksxzkI0vflO7Qj8zl/view?usp=drivesdk

If some dev take over Magisk/Zygisk then the enforce deny list/deny list can be improved.
 
Reactions: 73sydney

pndwal

Senior Member
If some dev take over Magisk/Zygisk then the enforce deny list/deny list can be improved.
There are already Devs/forks that do just that, allowing use of either hidelist or denylist as well as special tweaks (many experimental) for better Zygisk hiding etc etc...

Don't expect this happen in official Magisk however...

John has been following his own roadmap for Magisk and has said he has no plans to abandon it. In 2020 he said:
I don’t see myself stepping down from Magisk in the near future. Magisk is too important for me to abandon it.
https://topjohnwu.medium.com/state-of-magisk-2020-21de32721d65
And in 2021:
I will do my best to continue contribute to the Android modding community!
https://topjohnwu.medium.com/state-of-magisk-2021-fe29fdaee458

Also, while he won't now state it plainly, code injection (Zygisk project) was always about providing a better framework for 'proper ways to "hide" root and Magisk Manager/App'... See these comments back in 2020:
https://forum.xda-developers.com/t/magisk-general-support-discussion.3432382/post-84104161

He's said it's up to other Devs to 'step up' and 'start doing their job', ie making zygisk based hiding modules if they're passionate about that... He's also said he wishes people wouldn't fork Magisk for restoring MagiskHide however...

So the future of root hiding is very much in the hands of 3rd party Devs (John has stated as much for a while now too), and it must be said that this makes the whole exercise, including choosing individual hiding solutions, necessarily more complex and challenging than it used to be... but there are also many more options and more effective methods... Such is the modern cat and mouse game of root hiding... 🙃 PW
 

73sydney

Senior Member
Reactions: ipdev and pndwal

pndwal

Senior Member
FYI: Looks like we may finally be getting official Universal PI deviceIntegrity Fix in USNF!

It'll be nice to have a working fix linked from OP here again too...

... So seems @kdrag0n has found proper hooks to set and revert the fingerprint used for mismatch trigger for PI hardware based verdict enforcement bypass making this proposition less of a stop-gap fix with far less likelihood of breaking print prop related stuff... He'll also implement the additional @anirudhgupta109 shipping API level prop mismatch needed for Pixel 7 and other A13 LV devices (already adopted by @Displax in his forked USNF mods)... See here:
https://github.com/kdrag0n/safetynet-fix/pull/207#issuecomment-1340460803

Watch this space! 😛 ... And thanks for efforts @kdrag0n. 👍

👀PW
 
Does anyone know why it doesn't select all items in oo
@Atharkhan101 Are you running an ad-blocker at any level? For example, I've found that some of these "detect root" scenarios are actually AdAway blocking the sign-in domain as unsafe.
Yes I use Adaway and I'm confident that it is not cause any issue because I tried to freeze it in Titanium backup and additionally it used to work in 22.1 Version of magisk WITH Adaway ON.
 

zgfg

Senior Member
Does anyone know why it doesn't select all items in oo

Yes I use Adaway and I'm confident that it is not cause any issue because I tried to freeze it in Titanium backup and additionally it used to work in 22.1 Version of magisk WITH Adaway ON.
If you have Systemless hosts enabled and you freeze AdAway, /data/adb/modules/hosts/system/etc/hosts file will remain, and Magisk will still mount it (even upon reboot) to the /system/etc/hosts, ie blocking will be still in place

Only if you use AdAway in the non-root/VPN mode, then freezing will really stop blocking

Nevertheless, I don't understand why complicating
AdAway has Pause/Resume button. Just Pause, reboot and then you're sure that AdAway is no more blocking until you Resume and reboot again (reboots not needed if using AdAway in the VPN mode)
 

Reactions: ipdev
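
A way to confirm the point in the post above, as an added example that is not part of the original thread: the function below reports whether a hosts file still sinkholes a given domain, which is what remains in effect while the Systemless hosts module keeps /data/adb/modules/hosts/system/etc/hosts mounted over /system/etc/hosts. The function names, the sample entries and the `.example` domains are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a hosts file still
# redirects a domain to a sinkhole address, as an ad-blocker hosts list does.

# hosts_sinkhole_for FILE DOMAIN
# Prints the sinkhole address DOMAIN is mapped to and returns 0.
# Returns 1 if there is no blocking entry, 2 if FILE cannot be read.
hosts_sinkhole_for() {
    file=$1
    # Hostnames are case-insensitive, so compare in lower case.
    domain=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -r "$file" ] || return 2
    awk -v want="$domain" '
        {
            sub(/\r$/, "")     # tolerate CRLF line endings
            sub(/#.*/, "")     # drop comments, including trailing ones
        }
        NF < 2 { next }        # blank line or address without a name
        {
            addr = $1
            # Only addresses commonly used for blocking count as a sinkhole.
            if (addr != "0.0.0.0" && addr != "127.0.0.1" &&
                addr != "::" && addr != "::1") next
            # One line may carry several hostnames after the address.
            for (i = 2; i <= NF; i++) {
                if (tolower($i) == want) { print addr; found = 1; exit }
            }
        }
        END { exit found ? 0 : 1 }
    ' "$file"
}

# list_blocked FILE DOMAIN...
# Prints one line for every DOMAIN that FILE sinkholes.
list_blocked() {
    file=$1
    shift
    for d in "$@"; do
        if addr=$(hosts_sinkhole_for "$file" "$d"); then
            printf '%s blocked (-> %s)\n' "$d" "$addr"
        fi
    done
}

# Constructed sample input, used only to try the functions offline.
write_sample_hosts() {
    cat > "$1" <<'EOF'
127.0.0.1 localhost
::1 localhost
# 0.0.0.0 commented.example
0.0.0.0 signin.bank.example   # constructed blocking entry
127.0.0.1 ads.tracker.example metrics.tracker.example
192.0.2.10 api.bank.example
EOF
}

# Usage: sh check_hosts.sh /system/etc/hosts domain [domain...]
if [ "$#" -ge 2 ]; then
    hosts_file=$1
    shift
    list_blocked "$hosts_file" "$@"
fi
```

Run it against /system/etc/hosts after pausing or freezing the ad-blocker and rebooting; any domain it still lists is being blocked by the mounted file, not by the app.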
If you have Systemless hosts enabled and you freeze AdAway, /data/adb/modules/hosts/system/etc/hosts file will remain, and Magisk will still mount it (even upon reboot) to the /system/etc/hosts, ie blocking will be still in place

Only if you use AdAway in the non-root/VPN mode, then freezing will really stop blocking

Nevertheless, I don't understand why complicating
AdAway has Pause/Resume button. Just Pause, reboot and then you're sure that AdAway is no more blocking until you Resume and reboot again (reboots not needed if using AdAway in the VPN mode)
Already done all you said. Still nope!
 

m0han

Senior Member
... Putting a 'banking' app in DenyList is the FIRST thing every user must do, before...
... even running it for the first time, may I add?

... at any point after changing anything in trying to defeat root detection and before opening the apps again, did you clear the data for the affected apps....
I thought I read somewhere: Turn ON airplane mode, Clear cache and data of the apps, Reboot and Turn OFF airplane mode before running the apps again.

I want to follow Shamiko properly so I need your help please. I'm sorry, I read the Shamiko thing and I did not understand....
If the latest official Shamiko-v0.6-126-release.zip here does not work, you might like to try Shamiko-v0.6-130 (see screenshot). For more, see/use the Telegram channel.
 

Reactions: pndwal and ipdev

kamilchno

Senior Member
Which telegram channel?
 
Reactions: bombadier

Top Liked Posts

  • 4
    It's not my intention to double post, but maybe it's more relevant here what I wrote in other thread

    Couple of weeks ago I found strange "card rejected" messages while paying with gwallet. But immediately, after the first failing attempt it was accepted.

    Then I read the posts here sharing new problems, while everything had been working fine until now.

    So I checked the gwallet app (I never look at it), and discovered it was complaining with the "old" message: this device doesn't meet...

    I wiped apps cache (google play and gwallet), rebooted, got a first complaint of not meeting requirements, but closing and reopening the app made it disappear.

    So, I decided a more "conclusive" approach. I went to the supermarket and paid with the gwallet without any problem.

    So, this is my situation: I've had to downgrade nothing, I've kept USNF v2.4.0 by kdrag0n, and I'm paying with gwallet.

    Hope it's helpful for your "diagnosis"
    The failures with 2.4.0 may be random, often occurring with a reboot...

    Google monitors device security for G Pay/Wallet full time, so whether PI deviceIntegrity fails momentarily or user removes lockscreen pattern/password and immediately restores it, Pay/Wallet will likely lock out contactless payment use even while Pay/Wallet is not in use and either require resetting (clearing data for Pay/Wallet and/or Play Services) or will be restored after some time...

    We need a fix for detections in official solution, but @Displax modded USNF builds are not failing this way and are working fine for most users ATM. PW
    1
    Hey
    Thank you for the reply. With all modules removed the JSON is same, only with "nonce" value changed.
    I haven't installed the TWRP (No twrp for my phone), however i've used a Magisk module that tweaks some stock kernel issues. I've already deleted the module, but apparently the traces are what causing this issue.
    I think i need to look into flashing the stock ROM, and trying again with Magisk and modded USNF.
    If you suspect any system changes (as opposed to systemless) changes/mods have been applied, even dirty flashing ROM may fix the issue... PW
    1
    Of this module? Official. 2.4.0
    Read above some, 2.4.0 is randomly dropping protection for some.
  • 19
    While we are still waiting for the official public release of 2.4.0, I compiled this version myself from the latest source.
    So if you can't wait to try - you are welcome :)

    Public release is up. Use it instead.
    14
    Public release of v.2.4.0 now available.

    12
    OP and thread title have been updated in order to reflect the latest changes.
    Cheers
    10

    Latest Universal SafetyNet Fix (yup, no name change yet... by June? 😝) Release notes:


    v2.4.0 (early access)
    Pre-release

    Highlights

    • Play Integrity bypass without breaking device checks or causing other issues
    • Disabled use of hardware attestation on Pixel 7 and newer (@anirudhgupta109)

    Other changes

    • Updated instructions for newer Android and Magisk versions
    • Better debugging for future development
    It's taken a while to find way to bypass Play Integrity that doesn't require spoofing the build fingerprint permanently, but I wanted to make sure this module doesn't cause any unnecessary breakage. Just like the original goal of Universal SafetyNet Fix, this minimizes adverse effects by spoofing dynamically at runtime only when necessary. Enjoy!

    👍 PW
    7
    /me waits for the usual people asking the forum elders via PM for copies of the early access module....because its happened before

    hint: most of us wont/dont have it, so dont do it, any one asking will be reported and get a nice little holiday if not their account closed as this counts as requests for warez....just a tip

    everyone will get a copy free when kdrag0n feels like releasing it widely....no one will die if they dont have it right now
  • 291
    Universal SafetyNet Fix
    Magisk module

    Magisk module to work around Google's SafetyNet attestation.

    This module works around hardware attestation and recent updates to SafetyNet CTS profile checks. You must already be able to pass basic CTS profile attestation, which requires a valid combination of device and model names, build fingerprints, and security patch levels.

    If you still have trouble passing SafetyNet with this module, use MagiskHide Props Config to spoof a certified device profile. This is a common issue on old devices, custom ROMs, and stock ROMs without GMS certification (e.g. Chinese ROMs).

    Android versions up to 13 Beta 3 are supported, including OEM skins such as Samsung One UI and MIUI.

    How does it work?
    The way this workaround works is relatively low-level. An in-depth explanation, as well as source code and ROM changes, can be found on GitHub.

    Ideally, this workaround should be incorporated in custom ROMs instead of injecting code with a Magisk module. See the ProtonAOSP website for more information.

    Downloads
    Downloads and changelogs can be found on GitHub. The topmost release is the latest.

    Latest release
    v2.4.0

    Highlights
    • Play Integrity bypass without breaking device checks or causing other issues
    • Disabled use of hardware attestation on Pixel 7 and newer (@anirudhgupta109)
    Other changes
    • Updated instructions for newer Android and Magisk versions
    • Better debugging for future development
    This version only supports Zygisk (Magisk 24 and newer).

    It's taken a while to find a way to bypass Play Integrity that doesn't require spoofing the build fingerprint permanently, but I wanted to make sure this module doesn't cause any unnecessary breakage. Just like the original goal of Universal SafetyNet Fix, this minimizes adverse effects by spoofing dynamically at runtime only when necessary. Enjoy!

    If you found this helpful, please consider supporting development with a recurring donation for rewards such as early access to updates, exclusive behind-the-scenes development news, and priority support.
    Alternatively, you can also buy me a coffee. All support is appreciated ❤️

    Source code
    188
    So, here is my modification of USNF with Play Integrity API bypass.

    It changes fingerprint to old 7.1.2 6.0 (LOL) and applies it only for the GMS SafetyNet process (by Zygisk injection), so your original prints/security patch level does not change. This avoids many side effects/problems with global props changing.

    Updated 2.1:
    Hide "Enable OEM Unlock" setting

    Updated 2.0:
    Bypassing DEVICE_INTEGRITY for devices that shipped with Android 13+ (Pixel`s 7 )

    Updated:
    Drop fingerprint to lowest possible (6.0) to ensure that no one use same Android version

    Usage:
    1. Delete/disable/reset MagiskHidePropsConfig (if installed).
    2. Just install it over old Universal SafetyNet Fix and reboot device.
    3. You may need to wipe GMS data (not cache) if there is no result immediately.

    Many thanks to @1nikolas for integrity checker.

    Source code: https://github.com/Displax/safetynet-fix/tree/integrity
    31
    Folks, the SafetyNet API was deprecated last Month with 'full turndown' slated for June 2024 and the introduction of the new Play Integrity API. It has also become clear that Google apps are simply the first to adopt the long foretold Play Integrity API; all responsible banks are bound to follow suit in short order, and at least before the June 2023 migration deadline.

    This means (assuming fully deployed Hardware Key Attestation doesn't come first 😬) that the need for a 'Universal Play Integrity Fix' has become quite urgent.

    We currently have workarounds involving using older fingerprint props by means of MHPC module (similar to fix needed for uncertified ROMs), but success/mileage varies per device and users of regular bank apps / gamers etc on stock devices will all soon be forced to experiment with MHPC prints also... This is hardly ideal.

    So I've made an issue report/request on USNF GitHub as follows. This information may be insightful to users here also...

    Please let me know here if I have missed anything important, or add any technically relevant details there...

    PLEASE DON'T spam that issue with unimportant details or queries... (The previous issue is already burgeoning w/ OT.) That's what this thread is for... 😛 :

    Please make 'Universal Play Integrity Fix' ... #204

    Fixes to expand 'Universal SafetyNet Fix' to become a 'Universal Play Integrity Fix' are needed.

    The SafetyNet Attestation API is deprecated and has been replaced by the Play Integrity API.
    https://developer.android.com/training/safetynet/deprecation-timeline

    New Play Integrity API is rolling out from June 2022, and evidently Google Play Store and Google Pay/Wallet are already using its verdict.

    June 2023 is the Migration Deadline for app developers. This will also allow their older app versions to continue working with SafetyNet API for a limited time.

    June 2024 is the End of life for SafetyNet API; its attestation will no longer work for any app version, and apps will receive an error.

    The new Integrity API has more strict requirements for passing attestation, and this seems to be enforced in Android 11+ particularly.

    Currently (evidently due to this), device security issues are detected by

    1. Google Pay/Wallet, which may state "You can't pay contactless with this device...(Your phone doesn't meet software standards)" on updating or attempting to add a card despite in-app Contactless setup stating "You're ready to pay contactless with your phone (Your phone meets security requirements)", and
    2. Google Play Store, which may no longer show apps like Netflix w/ Android 11+ (developers can 'exclude devices from their app's distribution based on their device integrity . Device exclusion is based on the latest device integrity verdict that the Play Store app receives from the Play Integrity API') despite in-app settings showing Play Protect 'Device is certified' result.
    I'm guessing that the 'passing' messages based on the old SafetyNet API are likely to be realigned soon.

    A workaround that evidently allows Play Integrity API attestation to pass (and solve Wallet / Play Store issues also) has been discovered. It involves spoofing an earlier certified ROM, generally by using MagiskHide Props Config module to change fingerprint prop to one for Android 10 or earlier.

    Undoubtedly other apps will begin to detect broken TEE etc / fail as they migrate or begin integrating the Play Integrity API.

    A 'Universal Play Integrity Fix' will evidently require more understanding / research into how the fingerprint prop is used, and possibly other new behaviours.

    Here's hoping... 🙃 PW
    28
    ok so there is a solution

    get the magisk module riru

    after you get riru get LSPosed

    after you get LSPosed get xprivacylua (in the LSPosed app)

    select play services in the xprivacylua settings IN the LSPosed app

    AND in the xprivacylua app itself after you've restarted.

    clear play service data

    check safetynet in magisk - enjoy?

    I would reboot between each step just to be safe but I know it's necessary to load the xprivacylua module

    s/o to saitama_96 for discovering it or so I'm led to believe
    26
    Some useless statistics:
    My MOD was downloaded over 2k times.
    1,5k from XDA
    800 from GitHub

    I'm glad i made 2000+ people happier :) Thank you!