MAGISK MODULE ❯ Universal SafetyNet Fix 2.4.0

Search This thread

pndwal

Senior Member
Started problem today and made all procedures including v2.3.1-MOD_2.1 and no solution. CTS profile match fail. (Mi9 with EvoX 13)
Of course you also need Play Integrity deviceIntegrity pass since Safetyis deprecated...
Yup looks like there's gonna need to be an update 🙄. It's a damn good thing I don't need or use NFC hardly ever and just do this for fun otherwise I'd be very annoyed.
This:
https://forum.xda-developers.com/t/magisk-module-universal-safetynet-fix-2-4-0.4217823/post-88103103

🙃 😬 PW
 

pndwal

Senior Member
CTS profile match fail here also on P7pro Feb security update. Running latest USNF 2.4.

Device still certified in play store and all banking apps working.
Bank app are usually fine since they don't monitor environment for security compliance / device integrity full time...

Google does that for Pay/Wallet, so even if PI API's deviceIntegrity fails at boot-time only or momentarily later while Pay/Wallet is not in use, security requirements will fail for contactless payments on next use. Nb. This applies to removing and replacing screen lock pattern/password also...

👀 PW
 

ddrum2000

Senior Member
Feb 17, 2009
184
9
Google Nexus 10
LG Nexus 5X
I've needed to wipe data for Play Store , Wallet/Pay and Play Services at least but twice even that wasn't enough; removing all updates for Play Store , Wallet/Pay and Play Services also, rebooting (very important) and starting fresh fixed it... 😬 PW
I did all of that. Do you mind being a little more specific about the order? Also if CTS failing, this doesn't really matter at this point does it?
 

pndwal

Senior Member
I did all of that. Do you mind being a little more specific about the order? Also if CTS failing, this doesn't really matter at this point does it?
Can you be specific about why you are
... unable to add cards to gpay/wallet...
... Do you have
IMG_20230206_055816.jpg

screen that doesn't ever complete, or other?

👍 PW
 

ddrum2000

Senior Member
Feb 17, 2009
184
9
Google Nexus 10
LG Nexus 5X
Hi, I was having problems passing CTS Profile Match today.
Device: Pixel 7 Feb Update
Tried v2.4.0 and v2.3.1-MOD_2.1 without success.
This last module have worked for me, hope for your devices too!
This did not work for me. Which apps do you have "enabled" on the denylist. I currently have: Google Play Store, Wallet, GPay, Play Protect Service, and some other non-relevent apps.
 

pndwal

Senior Member
I did all of that. Do you mind being a little more specific about the order? Also if CTS failing, this doesn't really matter at this point does it?
Can you be specific about why you are

... Do you have
View attachment 5830511
screen that doesn't ever complete, or other?

👍 PW
No. I'm getting this Google pay error messageView attachment 5830525

And this fail from the security checker
View attachment 5830527
Ah... The issue most here have is old (deprecated) S/N ctsProfileMatch and new PI deviceIntegrity failing only sporadically; they generally have these passing...

Yes, you need to fix PI deviceIntegrity first, then clear data etc for G Pay/Wallet, G Play services etc to reset failed security checks... It may just reset itself after some days (even a week), but only if you have PI deviceIntegrity... 😜 PW
 

pndwal

Senior Member

osm0sis

Senior Recognized Developer / Contributor
Mar 14, 2012
15,430
34,970
Halifax
GT-i9250
Google Nexus 4

pndwal

Senior Member
This did not work for me. Which apps do you have "enabled" on the denylist. I currently have: Google Play Store, Wallet, GPay, Play Protect Service, and some other non-relevent apps.
Did you have this passing previously?... Is ROM stock?...

You don't need Play Store in denylist... Keep Play Protect Service... Other than that, only bank and detection apps + GPay/Wallet are normally added...

Try passing PI deviceIntegrity with all modules disabled other than one of @Displax's USNF Mod builds, denylist enforced and Zygisk = Yes appearing on Magisk App home screen... PW
 

pndwal

Senior Member
Brutal commit log... If it is real it looks fake/spam as hell. I wouldn't trust giving that thing zygote access on my device...

Better ping the member:
Hi, I was having problems passing CTS Profile Match today.
Device: Pixel 7 Feb Update
Tried v2.4.0 and v2.3.1-MOD_2.1 without success.
This last module have worked for me, hope for your devices too!
😶

... Did you see any especially suspect commits?... Just tooo many since Dec... Seems to be trying to do all kinds of root hiding (Shamiko's job) too...

But security is the big issue for sure... PW
 

osm0sis

Senior Recognized Developer / Contributor
Mar 14, 2012
15,430
34,970
Halifax
GT-i9250
Google Nexus 4
Last edited:
  • Like
Reactions: ipdev and pndwal

Bad Bimr

Senior Member
Dec 29, 2010
230
37
Been reading for about an hour and could not find a definitive answer.
Have Both Pixel 6A and 7
magisk stable 25.2 (25200)(33)
with modules:
Advanced Charging Controller (ACC) v2022.7.3.30
MagiskHide PropsConfig v6.1.2-v137
SystemlessHosts 1.0
Universal SafteyNet Fix v2.4.0

Lately I have been getting an error (Pixel 7) about root upon opening my wallet but it would still work. Today however it did not work. Running YASNAC - SafetyNet Checker it passes for the first few times but after a while CTS fails. Then later it may pass again. With the Pixel 6A it passes when you reboot but fails a few seconds after.
What is going on? Is there a fix?
Thanks in advance.
BB
 

pndwal

Senior Member
Been reading for about an hour and could not find a definitive answer.
Have Both Pixel 6A and 7
magisk stable 25.2 (25200)(33)
with modules:
Advanced Charging Controller (ACC) v2022.7.3.30
MagiskHide PropsConfig v6.1.2-v137
SystemlessHosts 1.0
Universal SafteyNet Fix v2.4.0

Lately I have been getting an error (Pixel 7) about root upon opening my wallet but it would still work. Today however it did not work. Running YASNAC - SafetyNet Checker it passes for the first few times but after a while CTS fails. Then later it may pass again. With the Pixel 6A it passes when you reboot but fails a few seconds after.
What is going on? Is there a fix?
Thanks in advance.
BB
There's plenty on it here if you read back...

Basically 2.4.0 failed to maintain deviceIntegrity from the getgo:
https://forum.xda-developers.com/t/magisk-module-universal-safetynet-fix-2-4-0.4217823/post-88052749

Now we have intermittent failures w/ @Displax modded USNF builds also:
https://forum.xda-developers.com/t/magisk-module-universal-safetynet-fix-2-4-0.4217823/post-88103103

And note what I posted just above:
Of course you also need Play Integrity deviceIntegrity pass since Safetyis deprecated...

This:
https://forum.xda-developers.com/t/magisk-module-universal-safetynet-fix-2-4-0.4217823/post-88103103

🙃 😬 PW

👀 PW
 
  • Like
Reactions: Bad Bimr

ddrum2000

Senior Member
Feb 17, 2009
184
9
Google Nexus 10
LG Nexus 5X
Did you have this passing previously?... Is ROM stock?...

You don't need Play Store in denylist... Keep Play Protect Service... Other than that, only bank and detection apps + GPay/Wallet are normally added...

Try passing PI deviceIntegrity with all modules disabled other than one of @Displax's USNF Mod builds, denylist enforced and Zygisk = Yes appearing on Magisk App home screen... PW
Ok so what am I missing here. I cleared the storage for gpay, wallet, and play services, then rebooted. Here's what I got...
Screenshot_20230207-233425.png

My enabled modules
Screenshot_20230207-233605.png


Then the denylist...
Screenshot_20230207-233511.png


Then I try to add a card in wallet
Screenshot_20230207-233638.png


What am I missing? Thanks for the help.
 

Fishawy

Senior Member
Mar 26, 2010
3,362
662
Melbourne
OnePlus 9 Pro
Google Pixel 7 Pro
Ok so what am I missing here. I cleared the storage for gpay, wallet, and play services, then rebooted. Here's what I got..

My enabled modules


Then the denylist...


Then I try to add a card in wallet


What am I missing? Thanks for the help.
Not sure about the USNF module you're using, as I'm using Displax's fork.

I can't see Google Play Services in your DenyList. I would say this needs to be added, then clear storage for all, reboot and test.
 

Top Liked Posts

  • 1
    I know how difficult nowadays is to pass SafetyNet / Play Integration, but maybe there's still something obvious that I'm missing, so I'm looking for advice.

    I pass verification at my OnePlus 7T with LineageOS 20 and below, pretty common as I guess, configuration:
    - Magisk 26.1
    - hidden Magisk app
    - Zygisk enabled (without Enforce DenyList)
    - DenyList configured for Google Play Service, Play Store, Applist Detector, TB Checker, YASNAC, hidden magisk app, banking apps etc.
    - Shamiko 0.7.2
    - Universal SafetyNet Fix 2.4.0
    - Zygisk LSPosed 1.8.6
    - Hide My Applist configured for the same apps as in Magisk DenyList, to hide LSPosed and all root apps

    By passing verification I mean:
    - SafetyNet Basic + CTS in YASNAC
    - All tests in TB Checker (Play Integrity, Root Check, Xposed Check)
    -- without SafetyNet Strong integrity and Virtual integrity
    - All tests in Applist Detector

    So that's great, right? However, if I left device for some time and re-run YASNAC CTS is failing. But If I'll run TB Checker and run tests there, everything is OK back again. After this even YASNAC once again shows passed CTS profile!

    This random losing of CTS (until re-running TB Checker) confirms in daily usage, as some apps like banking one are randomly loosing ability to use fingerprint authentication or contactless payment. After running TB Checker and passing CTS once again I might add these payment features back to normal, so it's more like an annoyance than serious problem.

    I've tried to reset Google Store/Services/Wallet data and adding some additional Magiks modules related to hidding props but this didn't change a thing, CTS is still failing from time to time, at random moments.

    Do you have similar problems? Is there anything I might try to do, or maybe there're some ways to detect which activity at my phone is actually making CTS failing?

    Edit: That might be useless post, I just discovered USNF v2.4.0-MOD_1.2... trying it out now.
  • 9
    New huge update for the Xposed module, also now the repo it's in LSPosed repo so it will appear in LSPosed app. You will want to install it :D

    Screenshot_2023-05-11-16-51-55-199_io.github.vvb2060.keyattestation.jpgScreenshot_2023-05-11-16-51-59-407_io.github.vvb2060.keyattestation.jpg

    As you can see, now the module will spoof a locked bootloader with a verified boot state in RootOfTrust. This should work in all devices that have a TEE or StrongBox. If someone crash tag me and I will try to fix it.

    Also I'm working in Magisk module (Zygisk), but it's difficult XD.
    5
    Screenshot_2023-05-11-18-19-07-241_com.CIB.Digital.MB.jpg

    With this module you can start the CIB Egypt Mobile Banking which is the only app I know they check if you have an unlocked bootloader. Enjoy 😎😎😎
    5
    This will """hide""" TEE presence, so apps can't check by hardware if the bootloader is unlocked. It's a LSPosed module, I need to study how can I implement this as Magisk (Zygisk) module.

    Source code: https://github.com/swer45/TEE-Hide

    Download: https://github.com/swer45/TEE-Hide/releases

    This will NOT help you to bypass Strong.
    I updated the Xposed module with better hooking method to don't affect another apps. This afternoon I will work in Zygisk module, I will try to do it.
    5
    That's why I hate Lineage, I don't understand that "rules"...
    'Hate' is a strong word!...

    Anyway, when the original CyanogenMod bundled all proprietary GApps for one thing, Google issued their infamous "Cease And Desist" order and Steve Kondik thought his baby was dead!...

    However Google were quick to clarify that although custom OS's could not legitimately bundle GApps (Nb. other ROMs still do), users are welcome to 'sideload' the same (as devices themselves are generally certified through CTS while custom ROMs are not)...

    So OpenGapps was formed to offer legitimised seperate packages, Steve continued with CM project, users continued to use vanilla CM (and later LOS) with proprietary Google Apps, and all in the custom mod world was sweet again...

    Of course Google must have realised they nearly shot themselves in the foot with that action, but they scrambled to offer a solution / compromise that wouldn't result in the death of CM or custom ROMs as we know them...

    I think the Lineage team simply see that Google is actually the custom modders benefactor and is (in reality) supportive of them and custom mods/ROMs in general if Devs play by the rules, and LOS is simply willing to do so...

    Also, they are in the best position to get their custom ROM approved/certified in future (see my post above) by being careful 'not to subvert Google's security model' by tampering expected signals... Note that Magisk now follows this same policy, and I think that's not just because John is a Googler now; it's also a sign of his maturity as a responsible dev...

    And ensuring that the main custom mods (ROM, root/overlay framework) comply in no way prevents "those passionate about hiding" from "doing their job"!... Both history and you are proving that.

    Personally I think LOS is great and follows a great tradition! 🙃 PW
  • 324
    Universal SafetyNet Fix
    Magisk module​

    Magisk module to work around Google's SafetyNet attestation.

    This module works around hardware attestation and recent updates to SafetyNet CTS profile checks. You must already be able to pass basic CTS profile attestation, which requires a valid combination of device and model names, build fingerprints, and security patch levels.

    If you still have trouble passing SafetyNet with this module, use MagiskHide Props Config to spoof a certified device profile. This is a common issue on old devices, custom ROMs, and stock ROMs without GMS certification (e.g. Chinese ROMs).

    Android versions up to 13 Beta 3 are supported, including OEM skins such as Samsung One UI and MIUI.

    How does it work?
    The way this workaround works is relatively low-level. An in-depth explanation, as well as source code and ROM changes, can be found on GitHub.

    Ideally, this workaround should be incorporated in custom ROMs instead of injecting code with a Magisk module. See the ProtonAOSP website for more information.

    Downloads
    Downloads and changelogs can be found on GitHub. The topmost release is the latest.

    Latest release
    v2.4.0

    Highlights
    • Play Integrity bypass without breaking device checks or causing other issues
    • Disabled use of hardware attestation on Pixel 7 and newer (@anirudhgupta109)
    Other changes
    • Updated instructions for newer Android and Magisk versions
    • Better debugging for future development
    This version only supports Zygisk (Magisk 24 and newer).

    It's taken a while to find a way to bypass Play Integrity that doesn't require spoofing the build fingerprint permanently, but I wanted to make sure this module doesn't cause any unnecessary breakage. Just like the original goal of Universal SafetyNet Fix, this minimizes adverse effects by spoofing dynamically at runtime only when necessary. Enjoy!

    If you found this helpful, please consider supporting development with a recurring donation for rewards such as early access to updates, exclusive behind-the-scenes development news, and priority support.
    Alternatively, you can also buy me a coffee. All support is appreciated ❤️

    Source code
    222
    So, here is my modification of USNF with Play Integrity API bypass.

    It changes fingerprint to old 7.1.2 6.0 (LOL) and apply it only for GMS SafetyNet process (by Zygisk injection), so your original prints/security path level does not change. This avoids many side effects/problems with global props changing.

    Updated 3.0:
    No words needed, you understand everything yourself 😜

    Updated 2.1:
    Hide "Enable OEM Unlock" setting

    Updated 2.0:
    Bypassing DEVICE_INTEGRITY for devices that shipped with Android 13+ (Pixel`s 7 )

    Updated:
    Drop fingerprint to lowest possible (6.0) to ensure that no one use same Android version

    Usage:
    1. Delete/disable/reset MagiskHidePropsConfig (if installed).
    2. Just install it over old Universal SafetyNet Fix and reboot device.
    3. You may be needed to wipe GMS data (not cache) if there is no result immediately.

    Many thanks to @1nikolas for integrity checker.

    Source code: https://github.com/Displax/safetynet-fix/tree/integrity
    58
    So, here is my new modification of USNF with Play Integrity API bypass.

    It is now based on top of original v2.4.0 codebase instead of v2.3.1, with adding new hiding algorithm for current realities and some code refreshing.

    Changelog:

    Version 1.2
    * Fix crash and endless tests loop/failing on Android < 9.0 (bug from original version 2.4.0).
    * Do not unpatch (revert) changes. To prevent possible tests failing after a while on some ROMs (cross conflicts).

    Version 1.1
    * Fix KeyStore hook desynchronization (tests randomly failing problem).


    Usage:
    1. Delete/disable/reset MagiskHidePropsConfig (if installed).
    2. Just install it over old Universal SafetyNet Fix and reboot device.
    3. You may be needed to wipe GMS data (not cache) if there is no result immediately.

    Source code: https://github.com/Displax/safetynet-fix/tree/dev
    33
    So, created separate thread for my mod. Welcome)

    31
    Folks, the SafetyNet API was depreciated last Month with 'full turndown' slated for June 2024 and the introduction of the new Play Integrity API. It has also become clear that Google apps are simply the first to adopt the long foretold Play Integrity API; all responsible banks are bound to follow suit in short order, and at least before the June 2023 migration deadline.

    This means (assuming fully deployed Hardware Key Attestation doesn't come first 😬) that the need for a 'Universal Play Integrity Fix' has become quite urgent.

    We currently have workarounds involving using older fingerprint props by means of MHPC module (similar to fix needed for uncertified ROMs), but success/mileage varies per device and users of regular bank apps / gamers etc on stock devices will all soon be forced to experiment with MHPC prints also... This is hardly ideal.

    So I've made an issue report/request on USNF GitHub as follows. This information may be insightful to users here also...

    Please let me know here if I have missed anything important, or add any technically relevant details there...

    PLEASE DON'T spam that issue with unimportant details or queries... (The previous issue is already burgeoning w/ OT.) That's what this thread is for... 😛 :

    Please make 'Universal Play Integrity Fix' ... #204

    Fixes to expand 'Universal SafetyNet Fix' to become a 'Universal Play Integrity Fix' are needed.

    The SafetyNet Attestation API is deprecated and has been replaced by the Play Integrity API.
    https://developer.android.com/training/safetynet/deprecation-timeline

    New Play Integrity API is rolling out from June 2022, and evidently Google Play Store and Google Pay/Wallet are already using its verdict.

    June 2023 is the Migration Deadline for app developers. This will also allow their older app versions to continue working with SafetyNet API for a limited time.

    June 2024 is the End of life for SafetyNet API; its attestation will no longer work for any app version, and apps will receive an error.

    The new Integrity API has more strict requirements for passing attestation, and this seems to be enforced in Android 11+ particularly.

    Currently (evidently due to this), device security issues are detected by

    1. Google Pay/Wallet, which may state "You can't pay contactless with this device...(Your phone doesn't meet software standards)" on updating or attempting to add a card despite in-app Contactless setup stating "You're ready to pay contactless with your phone (Your phone meets security requirements)", and
    2. Google Play Store, which may no longer show apps like Netflix w/ Android 11+ (developers can 'exclude devices from their app's distribution based on their device integrity . Device exclusion is based on the latest device integrity verdict that the Play Store app receives from the Play Integrity API') despite in-app settings showing Play Protect 'Device is certified' result.
    I'm guessing that the 'passing' messages based on the old SafetyNet API are likely to realigned soon.

    A workaround that evidently allows Play Integrity API attestation to pass (and solve Wallet / Play Store issues also) has been discovered. It involves spoofing an earlier certified ROM, generally by using MagiskHide Props Config module to change fingerprint prop to one for Android 10 or earlier.

    Undoubtedly other apps will begin to detect broken TEE etc / fail as they migrate or begin integrating the Play Integrity API.

    A 'Universal Play Integrity Fix' will evidently require more understanding / research into how the fingerprint prop is used, and possibly other new behaviours.

    Here's hoping... 🙃 PW