MAGISK MODULE ❯ Universal SafetyNet Fix 2.4.0

Search This thread
By:
Advanced…
fkofilee

fkofilee

Senior Member
Aug 6, 2010
1,178
429
Crawley
Samsung Galaxy Tab S7 / S7 Plus
Google Pixel 5
pndwal said:
Wow, yes... We have a major problem Huston...

I Hadn't noticed this till two days ago... Google Wallet was working for contactless payments at lunch, but for coffee afterwards it failed with 'device doesn't meet security requirements'... 🙁 (FWIW, I may have rebooted phone during lunch...)

Checked and deviceIntegrity was good, but immediately after a reboot got failed verdict and minutes later all is good again...

FYI Google Pay/Wallet somehow monitors device security even while app is closed (likely Google gets telemetry if lockscreen pattern/password is removed, deviceIntegrity is lost, etc), and contactless fails on next use... This occurs after bad device integrity verdicts, or if a user disables lockscreen pin or pattern... even if this is restored before opening Google Pay/Wallet, bank cards may have already been removed... So even brief loss of deviceIntegrity at startup is catastrophic for G Pay / Wallet! 😬

To avoid intermittent Play Integrity failures I've reverted to @Displax modded USNF also; all seems good and can't reproduce failed verdict...

To fix G Wallet however, despite knowing it would likely just come right in about a week, I tried the immediate fix as it's worked for me in the past:

...Bit of a saga begins...

Uninstalled wallet, cleared Google Pay and Google Play Services data, rebooted, installed wallet again only to get the familiar "Google Pay is Currently Updating..." Screen that never goes away! .... No problem... I covered a fix for this in "Current fixes needed for Google Pay / Wallet" linked here:
Post in thread '[Discussion] Google Pay Magisk Discussion Thread' https://forum.xda-developers.com/t/...agisk-discussion-thread.3906703/post-87481637

... Tried both clearing data and rebooting as well as uninstalling/reinstalling and nothing worked this time!... Still stuck on updating screen!

Finally resolved after removing all Play Store and Play Services updates, clearing their caches only, uninstalling Google Pay (even latest version doesn't show as 'Wallet' until online 'App is updating...' completes), rebooting, re-installing Google 'Wallet' --> Finally G Pay opens and updates to Wallet successfully!... No more security issue for contactless payments since reverted to @Displax modded USNF... 🙂

...End of Saga...


But this part-time spoofing based on new hooks is only for fingerprint prop mismatch (for some devices on Google's list for HKA based verdict enforcement in PI API) AFAIK ... My device (Xiaomi RedMi Note 8T w/ stock MIUI A10) like many A8, 9 & 10 devices, actually needs none of the three prop based bypasses we now have to pass either S/N or PI deviceIntegrity; I do need the principal broken keystore based fallback to Basic attestation to pass these however...

Because of this, I think the issue is something other than temporary fingerprint prop spoofing... Could it be that the fake keystore is registered so late that I can run Play Integrity API Checker before it breaks HKA?...

Anyone else had G Pay/Wallet failing after installing USNF 2.4.0?...

👀 PW
Click to expand...
Click to collapse

Yes sir. Same here - Uninstalled GW, wiped Google Store and Play Services. Disabled 2.4.0, pulled the modded version from @Displax and installed then rebooted. Downloaded GW - Added cards and all good. For now...
 
  • Like
Reactions: pndwal
rafal.polska.b

rafal.polska.b

Senior Member
Mar 22, 2015
271
72
Gdynia
I wasn't able to add bank card to the Wallet.
Using Magisk Alpha which is hidden,
Google Play Services and Google Play Store added to DenyList,
Shamiko and Universal SafetyNet Fix 2.4.0 are installed,
Play Integrity API Checker says Device and Basic Integrity pass,
YASNAC says Basic integrity and CTS profile match both pass
I have clear data for Google Play Services, Google Play Store and for Wallet, phone rebooted but still getting: "Couldn't finish setup to pay in stores. This phone can't be used to pay in stores"

Then I have uninstalled USNF 2.4.0, reboot, installed safetynet-fix-v2.3.1-MOD_2.1.zip and finally bank card added to the Wallet.
 
  • Like
Reactions: ipdev
P

pndwal

Senior Member
Jun 23, 2016
5,903
6,504
Sydney
Redmi Note 8
Xiaomi Redmi Note 8 (2021)
DartGerion said:
Hey.
So with all modules (including USNF) the safetynet and PI Integrity shows "Not passed" (Duh).
The MOMO shows just that it found the SU folder and detected Magisk.
When everything excluding the @Displax modded USNF is turned off (and also Play Services data cleared) the results are on the screenshots below. Note: Deny list is enforced and only Google Wallet and some banking apps are added, nothing more.
YASNAC passes with flying colours. The device integrity in 2 apps fail to be checked and return UNEVALUATED results. Json is also attached.
What's baffling is that even now, the Google Wallet worked (I checked it now in the supermarket terminal).
Click to expand...
Click to collapse
Yes, I missed something in JSON... While Unevaluated results DO NOT apply to deviceIntegrity as I mentioned already (These are for appIntegrity - appRecognitionVerdict and accountDetails - appLicensingVerdict ... These are different signals from deviceIntegrity within the new Play integrity verdict), I'm no longer sure deviceIntegrity is actually supplying a proper response since while documentation says "device_recognition_verdict can have one of the following labels:
MEETS_DEVICE_INTEGRITY
No labels (a blank value)
MEETS_BASIC_INTEGRITY
MEETS_STRONG_INTEGRITY
MEETS_VIRTUAL_INTEGRITY"
the value"deviceRecognitionVerdict": generally appears before labels, and that is missing altogether...
https://developer.android.com/google/play/integrity/verdict#device-integrity-field

Of course a blank value is really No label as seen above, so
"deviceIntegrity": {},
may still be a properly evaluated response... I'm just not sure...

I'm still leaning towards the latter being the case, but I'm equally confused by working Wallet/contactless payments...

do JSON results change now modules are removed w/ a flush of Play Services data?

Nb. If deviceIntegrity correctly = blank/no label, this is what is indicated:
No labels (a blank value)

The app is running on a device that has signs of attack (such as API hooking) or system compromise (such as being rooted), or the app is not running on a physical device (such as an emulator that does not pass Google Play integrity checks).
Click to expand...
Click to collapse

and it is clearly a more sensitive detection than old basicIntegrity for S/N... and this is why I mentioned:

pndwal said:
Anyway, it seems something is now breaking PI's more sensitive basicIntegrity verdict... Again, please report check w/ all modules disabled except USNF... This user also had passing S/N but failing PI basicIntegrity due to modules on OnePlus 7 device w/ stock ROM:
https://forum.xda-developers.com/t/magisk-module-universal-safetynet-fix-2-4-0.4217823/post-87891641

Also, please check your selinux status is enforcing regardless of results disabling modules... (Are you a viper4android user?)... PW
Click to expand...
Click to collapse
Apart from permissive SELinux, you may break system partition/digest checks if you have ever run ANY system mods (even changing simple file permissions), eg twrp flashable mods etc, and even if you have fully reverted these, on current ROM... If you suspect this, flashing system again should fix...PW
 
  • Like
Reactions: ipdev
P

pndwal

Senior Member
Jun 23, 2016
5,903
6,504
Sydney
Redmi Note 8
Xiaomi Redmi Note 8 (2021)
rafal.polska.b said:
I wasn't able to add bank card to the Wallet.
Using Magisk Alpha which is hidden,
Google Play Services and Google Play Store added to DenyList,
Shamiko and Universal SafetyNet Fix 2.4.0 are installed,
Play Integrity API Checker says Device and Basic Integrity pass,
YASNAC says Basic integrity and CTS profile match both pass
I have clear data for Google Play Services, Google Play Store and for Wallet, phone rebooted but still getting: "Couldn't finish setup to pay in stores. This phone can't be used to pay in stores"

Then I have uninstalled USNF 2.4.0, reboot, installed safetynet-fix-v2.3.1-MOD_2.1.zip and finally bank card added to the Wallet.
Click to expand...
Click to collapse
Thanks for your experience/confirmation per recent discussion here!... My initial experience here:
https://forum.xda-developers.com/t/magisk-module-universal-safetynet-fix-2-4-0.4217823/post-88049087

👀 PW
 
  • Like
Reactions: ipdev
P

pndwal

Senior Member
Jun 23, 2016
5,903
6,504
Sydney
Redmi Note 8
Xiaomi Redmi Note 8 (2021)
Sasy969 said:
I have tried again and now i fail all three integrity check as can been seen in the screenshot below.
Current setup
OP9
Magisk installed
Custom ROM Evox
No USNF module installed
com.google.android.gms.unstable and com.google.android.gms added to the denylist
Click to expand...
Click to collapse
Ah, ... And that I suggested you add these slipped my mind when I responded:
pndwal said:
That's interesting... Did you add, or does ROM add?... And if you remove them, are the added again with reboot?

I ask because USNF removes these at boot if manually added as they'll cause conflicts w/ USNF if denylist is enforced... (There's no conflict if proper hiding using Shamiko etc is employed however.)

If they're added at boot by ROM, this may be the source of the conflict w/ USNF module... Simply allowing that to happen but using Shamiko (denylist NOT enforced) may possibly fix issue with USNF installed...
Click to expand...
Click to collapse
so please disregard that unless ROM is also pre-rooted as of course ROM won't/can't usually do that... It doesn't need to hide root from gms attestation/droidguard as superuser permission doesn't exist... Could still be an issue in case of pre-rooted ROM however....

Seems something is breaking PI deviceIntegrity spasmodically for you however... Please see my post to member above for clues...

ipdev said:
Adding gms processes to the denylist will do nothing unless you are enforcing the denylist or using another module that sources the denylist.
Click to expand...
Click to collapse
Yup, but member was passing like that:
Sasy969 said:
... I have just tried following you suggestions and I have eliminated USNF module.
com.google.android.gms.unstable and com.google.android.gms were already added to the denylist.
At least for now my device get MEETS _DEVICE_INTEGRITY and MEETS_BASIC_INTEGRITY.
I will try again during the day, for now I thank you for your help and apologize for my poor knowledge.
Click to expand...
Click to collapse
but when trying again later on same day it failed... I assume no configuration was charged...
ipdev said:
If your rom incudes integrity (SafteyNet) fix(s).
Click to expand...
Click to collapse
It does...
ipdev said:
Try enforcing the denylist in Magisk and see what happens.
Click to expand...
Click to collapse
Member did...
ipdev said:
Note:
Make sure to clear cache/data of PI checker before testing again.
Click to expand...
Click to collapse
I've never had this or most other checkers cache results... I may be wrong however...
ipdev said:
Might also have to clear cache/data of PlayStore/PlayServices and let them update again.
Click to expand...
Click to collapse
Good points...
ipdev said:
SafetyNet (com.google.android.gms.unstable) is required.
Main GMS (com.google.android.gms) is only required if Magisk is not in /sbin.
It can/will cause problems if GMS is added when not required.
Click to expand...
Click to collapse
I only suggested doing this, which has worked at least initially, w/ Magisk installed but NO USNF module...

This alone is generally needed for ROMs integrating SNF w/ Magisk installed since SNF is achieving needed fallback and enforcement bypasses as well as altering sensitive prop values, but not generally hiding root from gms attestation/droidguard process etc... I assume a pre-rooted ROM would need to do that itself also however if integrating SNF...

🤠 PW
 
T

thomas140

Senior Member
Jul 3, 2018
652
142
Johor
Xiaomi Poco F1
pndwal said:
All good for you now then re deviceIntegrity then... Expected results...

Is it Viper4AndroidFX?... I think you only have issues with Neon driver only when installing/changing to legacy mode... If you didn't reinstall V4A you shouldn't have the issue...

You just need to reset Neon driver when selecting legacy mode... When you reinstall in future or have driver = abnormal, just set legacy mode, disable the module, reboot, re-enable module and reboot again... driver should have reset and status should now be Normal...

I wasn't able to hide root/modified environment from this app with my setup... Sorry... PW
Click to expand...
Click to collapse
Hi again,
Just to update something here.
1. I manage to access the banking app with rooted poco f1 after so long.
I installed the Shamiko module and turned off the enforce denylist. Voila, all banking app issue resolved!!! 😁

2. I found that there is an app become forced closed if I root. When dirty flash back the same rom and become unroot, the app can be opened as per normal.

Do you face such kind of issue before?
Btw, the app is called TNG ewallet. It is a Malaysia app used by many Malaysian people here.
 
Last edited:
P

pndwal

Senior Member
Jun 23, 2016
5,903
6,504
Sydney
Redmi Note 8
Xiaomi Redmi Note 8 (2021)
thomas140 said:
Hi again,
Just to update something here.
1. I manage to access the banking app with rooted poco f1 after so long.
I installed the Shamiko module and turned off the enforce dentist. Voila, all banking app issue resolved!!! 😁

2. I found that there is an app become forced closed if I root. When dirty flash back the same rom and become unroot, the app can be opened as per normal.

Do you face such kind of issue before?
Btw, the app is called TNG ewallet. It is a Malaysia app used by many Malaysian people here.
Click to expand...
Click to collapse
1) Interesting...
thomas140 said:
The banking app that still detect root is Ocbc Digital- Mobile Banking app(Singapore version). You can try to download the app via link below...
https://ocbc-digital.nl.aptoide.com/app
Click to expand...
Click to collapse
I wasn't able to hide root on RN8T w/ Shamiko for this, however
2) Have no issues opening TNG eWallet using LSPosed and HMA module... See here:
https://forum.xda-developers.com/t/magisk-module-universal-safetynet-fix-2-4-0.4217823/post-87873291

🙃 PW
 
D

DartGerion

Member
Dec 8, 2018
37
6
32
OnePlus 7
Samsung Galaxy Tab S6
pndwal said:
Yes, I missed something in JSON... While Unevaluated results DO NOT apply to deviceIntegrity as I mentioned already (These are for appIntegrity - appRecognitionVerdict and accountDetails - appLicensingVerdict ... These are different signals from deviceIntegrity within the new Play integrity verdict), I'm no longer sure deviceIntegrity is actually supplying a proper response since while documentation says "device_recognition_verdict can have one of the following labels:
MEETS_DEVICE_INTEGRITY
No labels (a blank value)
MEETS_BASIC_INTEGRITY
MEETS_STRONG_INTEGRITY
MEETS_VIRTUAL_INTEGRITY"
the value"deviceRecognitionVerdict": generally appears before labels, and that is missing altogether...
https://developer.android.com/google/play/integrity/verdict#device-integrity-field

Of course a blank value is really No label as seen above, so
"deviceIntegrity": {},
may still be a properly evaluated response... I'm just not sure...

I'm still leaning towards the latter being the case, but I'm equally confused by working Wallet/contactless payments...

do JSON results change now modules are removed w/ a flush of Play Services data?

Nb. If deviceIntegrity correctly = blank/no label, this is what is indicated:


and it is clearly a more sensitive detection than old basicIntegrity for S/N... and this is why I mentioned:


Apart from permissive SELinux, you may break system partition/digest checks if you have ever run ANY system mods (even changing simple file permissions), eg twrp flashable mods etc, and even if you have fully reverted these, on current ROM... If you suspect this, flashing system again should fix...PW
Click to expand...
Click to collapse
Hey
Thank you for the reply. With all modules removed the JSON is same, only with "nonce" value changed.
I haven't installed the TWRP (No twrp for my phone), however i've used a Magisk module that tweaks some stock kernel issues. I've already deleted the module, but apparently the traces are what causing this issue.
I think i need to look into flashing the stock ROM, and trying again with Magisk and modded USNF.
 
T

thomas140

Senior Member
Jul 3, 2018
652
142
Johor
Xiaomi Poco F1
pndwal said:
1) Interesting...

I wasn't able to hide root on RN8T w/ Shamiko for this, however
2) Have no issues opening TNG eWallet using LSPosed and HMA module... See here:
https://forum.xda-developers.com/t/magisk-module-universal-safetynet-fix-2-4-0.4217823/post-87873291

🙃 PW
Click to expand...
Click to collapse
Under LSPosed, I have HMA and Greenify.

In HMA, I added Greenify, HMA & hidden magisk app named WWE 🤣. But TNG app still forced closed. (Can refer to screenshot)
Wonder where did I do wrong though.

As for the root, that's what I did:
Under Magisk
- turn off enforce denylist
- Shamiko 0.6
- the modded usnf you recommended.
- zygisk lsposed 1.8.6

You may refer my screenshot to check where is the missing one. I can access to banking app even though the applist detector showed as attached.🤔
 

Attachments

  • IMG_20230130_162706.jpg
    IMG_20230130_162706.jpg
    366 KB · Views: 70
  • IMG_20230130_162450.jpg
    IMG_20230130_162450.jpg
    198.3 KB · Views: 67
  • Screenshot_2023-01-30-16-23-39-020_com.tsng.hidemyapplist.jpg
    Screenshot_2023-01-30-16-23-39-020_com.tsng.hidemyapplist.jpg
    235.8 KB · Views: 60
  • Screenshot_2023-01-30-16-23-44-833_com.tsng.hidemyapplist.jpg
    Screenshot_2023-01-30-16-23-44-833_com.tsng.hidemyapplist.jpg
    258.2 KB · Views: 58
  • Screenshot_2023-01-30-16-38-31-676_com.android.shell.jpg
    Screenshot_2023-01-30-16-38-31-676_com.android.shell.jpg
    216.1 KB · Views: 57
  • Screenshot_2023-01-30-16-23-20-748_com.android.shell.jpg
    Screenshot_2023-01-30-16-23-20-748_com.android.shell.jpg
    158 KB · Views: 69
P

pndwal

Senior Member
Jun 23, 2016
5,903
6,504
Sydney
Redmi Note 8
Xiaomi Redmi Note 8 (2021)
thomas140 said:
Under LSPosed, I have HMA and Greenify.

In HMA, I added Greenify, HMA & hidden magisk app named WWE 🤣. But TNG app still forced closed. (Can refer to screenshot)
Wonder where did I do wrong though.

As for the root, that's what I did:
Under Magisk
- turn off enforce denylist
- Shamiko 0.6
- the modded usnf you recommended.
- zygisk lsposed 1.8.6

You may refer my screenshot to check where is the missing one. I can access to banking app even though the applist detector showed as attached.🤔
Click to expand...
Click to collapse
Detector should look like this:
IMG_20230130_232959.jpg


Greenify, HMA & hidden magisk app (named WWE) should be in a template used, in turn, for bank apps since you need to hide all these (especially Magisk) from banks! 🙃

You don't need them in App Manage list since there's no need to hide other apps from them... 😉 PW
 
T

thomas140

Senior Member
Jul 3, 2018
652
142
Johor
Xiaomi Poco F1
pndwal said:
Detector should look like this:
View attachment 5823555

Greenify, HMA & hidden magisk app (named WWE) should be in a template used, in turn, for bank apps since you need to hide all these (especially Magisk) from banks! 🙃

You don't need them in App Manage list since there's no need to hide other apps from them... 😉 PW
Click to expand...
Click to collapse
Well, I manage to use banking software with the applist detector incomplete result as shown in my screenshot earlier.

I tried your suggestion. Put magisk, hma, greenify in the blacklist template to be invisible, put TNG app into app manage.
Apparently, the issue still persists.
Also, I have put the application detector in the app manage as well. The result is thay it can't find all these 3 app, meaning that the hma module is working🤔
 

Attachments

  • Screenshot_2023-01-30-20-56-17-394_com.tsng.hidemyapplist.jpg
    Screenshot_2023-01-30-20-56-17-394_com.tsng.hidemyapplist.jpg
    121.3 KB · Views: 30
  • Screenshot_2023-01-30-20-56-08-059_com.tsng.hidemyapplist.jpg
    Screenshot_2023-01-30-20-56-08-059_com.tsng.hidemyapplist.jpg
    271.1 KB · Views: 30
Last edited:
P

pndwal

Senior Member
Jun 23, 2016
5,903
6,504
Sydney
Redmi Note 8
Xiaomi Redmi Note 8 (2021)
DartGerion said:
Hey
Thank you for the reply. With all modules removed the JSON is same, only with "nonce" value changed.
I haven't installed the TWRP (No twrp for my phone), however i've used a Magisk module that tweaks some stock kernel issues. I've already deleted the module, but apparently the traces are what causing this issue.
I think i need to look into flashing the stock ROM, and trying again with Magisk and modded USNF.
Click to expand...
Click to collapse
If you suspect any system changes (as opposed to systemless) changes/mods have been applied, even dirty flashing ROM may fix the issue... PW
 
  • Like
Reactions: DartGerion
B

Bxperiaz3

Senior Member
May 19, 2015
224
97
My pixel 7 pro is rooted since October. Always used this module without issue and then yesterday it blocked contact less Google pay, I used magisk to hide extra play services parts and cleared the play store cache. Was ok for a few taps and now I have the same issue again. Is there something else I can try?
 
Nergal di Cuthah

Nergal di Cuthah

Senior Member
Sep 20, 2013
2,028
1,086
Google Pixel 6 Pro
Bxperiaz3 said:
My pixel 7 pro is rooted since October. Always used this module without issue and then yesterday it blocked contact less Google pay, I used magisk to hide extra play services parts and cleared the play store cache. Was ok for a few taps and now I have the same issue again. Is there something else I can try?
Click to expand...
Click to collapse
Which version are you using, official or mod?
 
X

xabier-bo

Senior Member
Sep 17, 2014
150
29
It's not my intention to double post, but maybe it's more relevant here what I wrote in other thread

Couple of weeks ago I found strange "card rejected" messages while paying with gwallet. But immediately, after the first failing attempt it was accepted.

Then I read the posts here sharing new problems, while everything had been working fine until now.

So I checked the gwallet app (I never look at it), and discovered it was complaining with the "old" message: this device doesn't meet...

I wiped apps caché (google play and gwallet), rebooted, got a first complaint of not meeting requirements, but closing and reopening the app made it disappear.

So, I decided a more "conclusive" approach. I went to the supermarket and payed with the gwallet without any problem.

So, this is my situation: I've had to downgrade nothing, I've kept USFN v2.4.0 by kdrag0n, and I'm paying with gwallet.

Hope it's helpful for your "diagnosis"
 
P

pndwal

Senior Member
Jun 23, 2016
5,903
6,504
Sydney
Redmi Note 8
Xiaomi Redmi Note 8 (2021)
xabier-bo said:
It's not my intention to double post, but maybe it's more relevant here what I wrote in other thread

Couple of weeks ago I found strange "card rejected" messages while paying with gwallet. But immediately, after the first failing attempt it was accepted.

Then I read the posts here sharing new problems, while everything had been working fine until now.

So I checked the gwallet app (I never look at it), and discovered it was complaining with the "old" message: this device doesn't meet...

I wiped apps caché (google play and gwallet), rebooted, got a first complaint of not meeting requirements, but closing and reopening the app made it disappear.

So, I decided a more "conclusive" approach. I went to the supermarket and payed with the gwallet without any problem.

So, this is my situation: I've had to downgrade nothing, I've kept USFN v2.4.0 by kdrag0n, and I'm paying with gwallet.

Hope it's helpful for your "diagnosis"
Click to expand...
Click to collapse
The failures with 2.4.0 may be random, often occuring with a reboot...

Google monitors device security for G Pay/Wallet full time, so whether PI deviceIntegrity fails momentarily or user removes lockscreen pattern/password and immediately restores it, Pay/Wallet will likely lock out contactless payment use even while Pay/Wallet is not in use and either require resetting (clearing data for Pay/Wallet and/or Play Services) or will be restored after some time...

We need a fix for detections in official solution, but @Displax modded USNF builds are not failing this way and are working fine for most users ATM. PW
 
  • Like
Reactions: ipdev, wrongway213, xabier-bo and 2 others
You must log in or register to reply here.

Similar threads

Chainfire
[Android 2.1+][03.10.2011][v3.2] Chainfire3D [ROOT][OpenGL ES 2.0+]
Replies
3K
Views
3M
rignfool
rignfool
apb_axel
[ZIP] Synapse + Script => Universal Kernel Manager v3.8.1
Replies
3K
Views
766K
D
Dildoman
repey6
[6.0-12.0][Magisk]Dolby Digital Plus[upd.20211005]
Replies
2K
Views
737K
B
b4minee
Chainfire
[2014.05.01][ROOT] Mobile ODIN v4.20
Replies
5K
Views
3M
Zagnutty
Zagnutty
DooMLoRD
[04/Jan][ROOTING/UNROOTING] DooMLoRD's Easy Rooting Toolkit [v4.0](zergRush Exploit)
Replies
927
Views
3M
B
bishoy ashraf

Top Liked Posts

24 Hours 30 Days All time
  • There are no posts matching your filters.
  • 4
    P
    pndwal
    For those using Canary builds

    Please be aware that in 25207+ major refactoring (of selinux rule patching) has broken many modules etc... This is likely the cause of issues with hiding using recent builds as Shamiko is affected... Please see discussion in Magisk Discussion thread...

    You could revert to 25206 or wait for fixes hopefully in 25211... 👀 PW
    View
    3
    jasonbiggs
    jasonbiggs
    zgfg said:
    With Integrity and CTS do you refer to the deprecated SafetyNet or the 'new' Play Integrity API?

    Also, are you using USNF from this thread or the newer/better safetynet-fix-v2.4.0-MOD_1.2 from the other thread?

    Look into the other USNF thread from Displax and find more info in the thread about GPay

    Btw, banking apps do not rely only on PI API - they try many other detections od root, hence you might need (things vary from app to app) Shamiko, Hide My Applist or even the Magisk Delta fork

    The best would be to search through the Magisk related threads here on XDA, how the other user(s) solved the root detection from your particular banking or similar app
    Click to expand...
    Click to collapse
    Yes! I was trying to find the link for that mod. This worked. Thanks!

    View
    3
    P
    pndwal
    nate911 said:
    Yes. Device and basic passes.

    I use the phone for 2 hrs

    I run the checker again and device and basic integrity fails.

    Reboot. It then starts passing again

    Edit: restarting gms fixes it too.

    Thanks @pndwal
    Click to expand...
    Click to collapse
    Ok, so NOT intermittently passing only basicIntegrity verdict...

    Sounds like the same issues w/ official 2.4.0... Are you sure you actually have v2.4.0-MOD_1.2 @Displax build?

    If so, please say device/ROM... Also, suggest reverting to v2.3.1-MOD_3.0... There may possibly still be issues with 2.4.0 builds... Please report your mileage with that if you do... PW
    View
    3
    zgfg
    zgfg
    jasonbiggs said:
    so I'm on android 13, pixel 6a. Got Integrity ✅ and CTS match ✅ and also Play Store as Certified. Although, still no google pay or banks access. Any hints to get this working or it this fix not fully functional on 13 as of yet?

    Thanks!
    Click to expand...
    Click to collapse
    With Integrity and CTS do you refer to the deprecated SafetyNet or the 'new' Play Integrity API?

    Also, are you using USNF from this thread or the newer/better safetynet-fix-v2.4.0-MOD_1.2 from the other thread?

    Look into the other USNF thread from Displax and find more info in the thread about GPay

    Btw, banking apps do not rely only on PI API - they try many other detections od root, hence you might need (things vary from app to app) Shamiko, Hide My Applist or even the Magisk Delta fork

    The best would be to search through the Magisk related threads here on XDA, how the other user(s) solved the root detection from your particular banking or similar app
    View
    3
    osm0sis
    osm0sis
    I was on 2.3.1_MOD_3.0 on Android 12 and now 2.4.0_MOD_1.2 on Android 13 and all was now well in both setups.
    View
  • 315
    kdrag0n
    kdrag0n
    Universal SafetyNet Fix
    Magisk module​

    Magisk module to work around Google's SafetyNet attestation.

    This module works around hardware attestation and recent updates to SafetyNet CTS profile checks. You must already be able to pass basic CTS profile attestation, which requires a valid combination of device and model names, build fingerprints, and security patch levels.

    If you still have trouble passing SafetyNet with this module, use MagiskHide Props Config to spoof a certified device profile. This is a common issue on old devices, custom ROMs, and stock ROMs without GMS certification (e.g. Chinese ROMs).

    Android versions up to 13 Beta 3 are supported, including OEM skins such as Samsung One UI and MIUI.

    How does it work?
    The way this workaround works is relatively low-level. An in-depth explanation, as well as source code and ROM changes, can be found on GitHub.

    Ideally, this workaround should be incorporated in custom ROMs instead of injecting code with a Magisk module. See the ProtonAOSP website for more information.

    Downloads
    Downloads and changelogs can be found on GitHub. The topmost release is the latest.

    Latest release
    v2.4.0
    Highlights
    • Play Integrity bypass without breaking device checks or causing other issues
    • Disabled use of hardware attestation on Pixel 7 and newer (@anirudhgupta109)
    Other changes
    • Updated instructions for newer Android and Magisk versions
    • Better debugging for future development
    This version only supports Zygisk (Magisk 24 and newer).

    It's taken a while to find a way to bypass Play Integrity that doesn't require spoofing the build fingerprint permanently, but I wanted to make sure this module doesn't cause any unnecessary breakage. Just like the original goal of Universal SafetyNet Fix, this minimizes adverse effects by spoofing dynamically at runtime only when necessary. Enjoy!

    If you found this helpful, please consider supporting development with a recurring donation for rewards such as early access to updates, exclusive behind-the-scenes development news, and priority support.
    Alternatively, you can also buy me a coffee. All support is appreciated ❤️

    Source code
    View
    213
    Displax
    Displax
    So, here is my modification of USNF with Play Integrity API bypass.

    It changes fingerprint to old 7.1.2 6.0 (LOL) and apply it only for GMS SafetyNet process (by Zygisk injection), so your original prints/security path level does not change. This avoids many side effects/problems with global props changing.

    Updated 3.0:
    No words needed, you understand everything yourself 😜

    Updated 2.1:
    Hide "Enable OEM Unlock" setting

    Updated 2.0:
    Bypassing DEVICE_INTEGRITY for devices that shipped with Android 13+ (Pixel`s 7 )

    Updated:
    Drop fingerprint to lowest possible (6.0) to ensure that no one use same Android version

    Usage:
    1. Delete/disable/reset MagiskHidePropsConfig (if installed).
    2. Just install it over old Universal SafetyNet Fix and reboot device.
    3. You may be needed to wipe GMS data (not cache) if there is no result immediately.

    Many thanks to @1nikolas for integrity checker.

    Source code: https://github.com/Displax/safetynet-fix/tree/integrity
    View
    58
    Displax
    Displax
    So, here is my new modification of USNF with Play Integrity API bypass.

    It is now based on top of original v2.4.0 codebase instead of v2.3.1, with adding new hiding algorithm for current realities and some code refreshing.

    Changelog:

    Version 1.2
    * Fix crash and endless tests loop/failing on Android < 9.0 (bug from original version 2.4.0).
    * Do not unpatch (revert) changes. To prevent possible tests failing after a while on some ROMs (cross conflicts).

    Version 1.1
    * Fix KeyStore hook desynchronization (tests randomly failing problem).


    Usage:
    1. Delete/disable/reset MagiskHidePropsConfig (if installed).
    2. Just install it over old Universal SafetyNet Fix and reboot device.
    3. You may be needed to wipe GMS data (not cache) if there is no result immediately.

    Source code: https://github.com/Displax/safetynet-fix/tree/dev
    View
    31
    P
    pndwal
    Folks, the SafetyNet API was depreciated last Month with 'full turndown' slated for June 2024 and the introduction of the new Play Integrity API. It has also become clear that Google apps are simply the first to adopt the long foretold Play Integrity API; all responsible banks are bound to follow suit in short order, and at least before the June 2023 migration deadline.

    This means (assuming fully deployed Hardware Key Attestation doesn't come first 😬) that the need for a 'Universal Play Integrity Fix' has become quite urgent.

    We currently have workarounds involving using older fingerprint props by means of MHPC module (similar to fix needed for uncertified ROMs), but success/mileage varies per device and users of regular bank apps / gamers etc on stock devices will all soon be forced to experiment with MHPC prints also... This is hardly ideal.

    So I've made an issue report/request on USNF GitHub as follows. This information may be insightful to users here also...

    Please let me know here if I have missed anything important, or add any technically relevant details there...

    PLEASE DON'T spam that issue with unimportant details or queries... (The previous issue is already burgeoning w/ OT.) That's what this thread is for... 😛 :

    Please make 'Universal Play Integrity Fix' ... #204

    Fixes to expand 'Universal SafetyNet Fix' to become a 'Universal Play Integrity Fix' are needed.

    The SafetyNet Attestation API is deprecated and has been replaced by the Play Integrity API.
    https://developer.android.com/training/safetynet/deprecation-timeline

    New Play Integrity API is rolling out from June 2022, and evidently Google Play Store and Google Pay/Wallet are already using its verdict.

    June 2023 is the Migration Deadline for app developers. This will also allow their older app versions to continue working with SafetyNet API for a limited time.

    June 2024 is the End of life for SafetyNet API; its attestation will no longer work for any app version, and apps will receive an error.

    The new Integrity API has more strict requirements for passing attestation, and this seems to be enforced in Android 11+ particularly.

    Currently (evidently due to this), device security issues are detected by

    1. Google Pay/Wallet, which may state "You can't pay contactless with this device...(Your phone doesn't meet software standards)" on updating or attempting to add a card despite in-app Contactless setup stating "You're ready to pay contactless with your phone (Your phone meets security requirements)", and
    2. Google Play Store, which may no longer show apps like Netflix w/ Android 11+ (developers can 'exclude devices from their app's distribution based on their device integrity . Device exclusion is based on the latest device integrity verdict that the Play Store app receives from the Play Integrity API') despite in-app settings showing Play Protect 'Device is certified' result.
    I'm guessing that the 'passing' messages based on the old SafetyNet API are likely to realigned soon.

    A workaround that evidently allows Play Integrity API attestation to pass (and solve Wallet / Play Store issues also) has been discovered. It involves spoofing an earlier certified ROM, generally by using MagiskHide Props Config module to change fingerprint prop to one for Android 10 or earlier.

    Undoubtedly other apps will begin to detect broken TEE etc / fail as they migrate or begin integrating the Play Integrity API.

    A 'Universal Play Integrity Fix' will evidently require more understanding / research into how the fingerprint prop is used, and possibly other new behaviours.
    Click to expand...
    Click to collapse

    Here's hoping... 🙃 PW
    View
    29
    Displax
    Displax
    So, created separate thread for my mod. Welcome)

    [MODULE] [MOD] Universal SafetyNet Fix

    Universal SafetyNet Fix [MOD] Magisk module...
    forum.xda-developers.com forum.xda-developers.com
    View

New posts