Some modules will break basicIntegrity and/or deviceIntegrity/old ctsProfileMatch... I don't recall apps doing that, but things change... Please say what app.PW
MAGISK MODULE ❯ Universal SafetyNet Fix 2.4.0
- Thread starter kdrag0n
- Start date
Did not know that you can pass strong integrity with a unlocked bootloader. Last I heard, once you unlock the bootloader, strong integrity cannot be passed.Asus ROG Phone 3 can pass strongIntegrity verdict rooted and unlocked, so some members can!...
There are always exceptions.
PW
Generally that's correct.
... Unless the AVB root/chain of trust is messed up by the OEM!... Nb. ROG phone 3 always returns
- Verified boot state: Verified and
- Device locked: true ...
And this is not just broken keymaster implementation like on so many OnePlus devices ... Seems keymaster is fine so hardware-backed Device locked = true checks out!..
PWFolks, looks to me like Google is upping the anti for late-ish devices/OS's by somehow preventing ctsProfileMatch from passing with mismatched fingerprints now...Of course PI deviceIntegrity depends on this and thus fails also...
On the other hand, Google still seem to be flipping switches / experimenting, and there are a number of reports that even users of stock phones are having similar failures (Play Protect: Device not certified, G Pay/Wallet suddenly not meeting Security requirements etc) popping up recently on Reddit etc...
Seems for those modders affected, ctsProfileMatch still passes when matching fingerprint prop is used, but w/o the mismatch PI deviceIntegrity doesn't pass any longer...
The strategy for Google now seems to be to come up with ways to enforce hardware-backed verdicts on a per device basis that can't easily be bypassed...
I'm hoping someone will discover a new way to bypass PI API hardware-backed verdict enforcement for devices Google identifies as hardware-ready using fingerprint prop...
May need the best minds on this, and it may get difficult while the Google plays games we aren't expecting... but it wouldn't be the first time!...
Who wants to play
&
?
PW
On the other hand, Google still seem to be flipping switches / experimenting, and there are a number of reports that even users of stock phones are having similar failures (Play Protect: Device not certified, G Pay/Wallet suddenly not meeting Security requirements etc) popping up recently on Reddit etc...
Seems for those modders affected, ctsProfileMatch still passes when matching fingerprint prop is used, but w/o the mismatch PI deviceIntegrity doesn't pass any longer...
The strategy for Google now seems to be to come up with ways to enforce hardware-backed verdicts on a per device basis that can't easily be bypassed...
I'm hoping someone will discover a new way to bypass PI API hardware-backed verdict enforcement for devices Google identifies as hardware-ready using fingerprint prop...
May need the best minds on this, and it may get difficult while the Google plays games we aren't expecting... but it wouldn't be the first time!...
Who wants to play
&?PW
Last edited:
I not tried paying using my phone yet but on Pixel 7 Pro Stock Feb ROM using Magisk 25.02 with Disaplex USNF MOD 2 and unmount denylist I can add cards to Wallet without error I normally get to say device is not supported.
However I fail CTS check.
However I fail CTS check.
Same, I fail CTF check and MEETS_DEVICE_INTEGRITY and MEETS_STRONG_INTEGRITY and can still add cards and just paid with Google Wallet. Google doing Google things.
Pixel 7 here:
Pixel 7 user here, root with Magisk. No hideprops (device not spoofed), only Universal SafetyNet 2.4.0 and DenyList on Play Store, and i cant get the certified on play protect. Wallet is giving me the "unable to pay contactless on this device".
I use Denylist Unmount module and dont enforce denylist and also hide the magisk app.Pixel 7 here:
Pixel 7 user here, root with Magisk. No hideprops (device not spoofed), only Universal SafetyNet 2.4.0 and DenyList on Play Store, and i cant get the certified on play protect. Wallet is giving me the "unable to pay contactless on this device".
Could you please provide details? I pass basic integrity check, but not CTS. I can pass CTS as for this tutorial, but in minutes the denylist for Play Services unchecks itself and i'm back to failing CTS check.
I had been using contactless gpay with no issue till yesterday, did not even used denylist. I updated the module, still didn't work. I added gpay to denylist and voilà, it worked. CTS is not passed but it doesn't mean anything to me, not yet. Remember restarting after doing any changes.Pixel 7 here:
Pixel 7 user here, root with Magisk. No hideprops (device not spoofed), only Universal SafetyNet 2.4.0 and DenyList on Play Store, and i cant get the certified on play protect. Wallet is giving me the "unable to pay contactless on this device".
Same, I only get MEETS_BASIC_INTEGRITY, but I cannot add cards or pay with Wallet, because my device doesn't meet the safety requirements
Google Wallet (and Play Store) are not fooled by the Universal Safety Fix for me. It does not matter if i pass or not integrity tests, they just know
Must be device specific. I'm on p3xl.Google Wallet (and Play Store) are not fooled by the Universal Safety Fix for me. It does not matter if i pass or not integrity tests, they just know
I do not pass CTS check either but I can add cards to Wallet without issue. Its not related for me.
Ok so I
Ok so here's what I did:
- Changed to 2.3.1 mod 2.1
- Reboot
- Uninstalled/uninstall updates and clear storage for: gpay, wallet, play services, play protect, and play store
- Remove all of the above from the denylist
- Reboot
- reinstall/update: gpay, wallet, play services
- Run gpay and wallet to get them to "integrate" . Wallet app did not disappear like it had previously
- Have not added any of these back to denylist
- Fails cts, passes basic, fails device and Strong
I'm using safetynet fix 2.4.0 by anirudhgupta109 on my Pixel 7 on rooted Android 13. I've been on version 2.3.1 for months starting November and Google Wallet worked fine until today. I don't know what changed but I tried a lot of the suggestions on this thread (like using 2.3.1 mod 2.1, configuring the denyList etc) but nothing worked.
Is there a current fix to get google wallet/gpay working?
Is there a current fix to get google wallet/gpay working?
No new fix as of yet. I'm having the same issue as you. It started after updating to the February release on my Pixel 6 Pro. There were also a few Google app updates that may have contributed to it as well. I know there are some developers working on it already but who knows how long it will be before they figure something out. Guess I'll be using my debit card instead of tap and pay for a while.
Similar threads
Top Liked Posts
-
There are no posts matching your filters.
-
4For those using Canary builds
Please be aware that in 25207+ major refactoring (of selinux rule patching) has broken many modules etc... This is likely the cause of issues with hiding using recent builds as Shamiko is affected... Please see discussion in Magisk Discussion thread...
You could revert to 25206 or wait for fixes hopefully in 25211...
PW3[MODULE] [MOD] Universal SafetyNet Fix
Universal SafetyNet Fix [MOD] Magisk module...
forum.xda-developers.com
3
Ok, so NOT intermittently passing only basicIntegrity verdict...
Sounds like the same issues w/ official 2.4.0... Are you sure you actually have v2.4.0-MOD_1.2 @Displax build?
If so, please say device/ROM... Also, suggest reverting to v2.3.1-MOD_3.0... There may possibly still be issues with 2.4.0 builds... Please report your mileage with that if you do... PW3
This module has issues with builds that offer a fix for new Play Integrity deviceIntegrity...
As mentioned above, you need to pass that now as SafetyNet is depreciated, but you will need to be passing old ctsProfileMatch in order to pass deviceIntegrity...
@Displax posted links to his working (forked/fixed) builds in a new thread a couple of pages back here:
https://forum.xda-developers.com/t/magisk-module-universal-safetynet-fix-2-4-0.4217823/post-88149057
We're hoping that official USNF may get needed attention soon, but it appears @kdrag0n is busy with other matters...
PW3[MODULE] [MOD] Universal SafetyNet Fix
Universal SafetyNet Fix [MOD] Magisk module...
forum.xda-developers.com
-
311Universal SafetyNet Fix
Magisk module
Magisk module to work around Google's SafetyNet attestation.
This module works around hardware attestation and recent updates to SafetyNet CTS profile checks. You must already be able to pass basic CTS profile attestation, which requires a valid combination of device and model names, build fingerprints, and security patch levels.
If you still have trouble passing SafetyNet with this module, use MagiskHide Props Config to spoof a certified device profile. This is a common issue on old devices, custom ROMs, and stock ROMs without GMS certification (e.g. Chinese ROMs).
Android versions up to 13 Beta 3 are supported, including OEM skins such as Samsung One UI and MIUI.
How does it work?
The way this workaround works is relatively low-level. An in-depth explanation, as well as source code and ROM changes, can be found on GitHub.
Ideally, this workaround should be incorporated in custom ROMs instead of injecting code with a Magisk module. See the ProtonAOSP website for more information.
Downloads
Downloads and changelogs can be found on GitHub. The topmost release is the latest.
Latest release
v2.4.0
Highlights
- Play Integrity bypass without breaking device checks or causing other issues
- Disabled use of hardware attestation on Pixel 7 and newer (@anirudhgupta109)
- Updated instructions for newer Android and Magisk versions
- Better debugging for future development
It's taken a while to find a way to bypass Play Integrity that doesn't require spoofing the build fingerprint permanently, but I wanted to make sure this module doesn't cause any unnecessary breakage. Just like the original goal of Universal SafetyNet Fix, this minimizes adverse effects by spoofing dynamically at runtime only when necessary. Enjoy!
If you found this helpful, please consider supporting development with a recurring donation for rewards such as early access to updates, exclusive behind-the-scenes development news, and priority support.
Alternatively, you can also buy me a coffee. All support is appreciated
Source code213So, here is my modification of USNF with Play Integrity API bypass.
It changes fingerprint to old7.1.26.0 (LOL) and apply it only for GMS SafetyNet process (by Zygisk injection), so your original prints/security path level does not change. This avoids many side effects/problems with global props changing.
Updated 3.0:
No words needed, you understand everything yourself
Updated 2.1:
Hide "Enable OEM Unlock" setting
Updated 2.0:
Bypassing DEVICE_INTEGRITY for devices that shipped with Android 13+ (Pixel`s 7 )
Updated:
Drop fingerprint to lowest possible (6.0) to ensure that no one use same Android version
Usage:
1. Delete/disable/reset MagiskHidePropsConfig (if installed).
2. Just install it over old Universal SafetyNet Fix and reboot device.
3. You may be needed to wipe GMS data (not cache) if there is no result immediately.
Many thanks to @1nikolas for integrity checker.
Source code: https://github.com/Displax/safetynet-fix/tree/integrity58So, here is my new modification of USNF with Play Integrity API bypass.
It is now based on top of original v2.4.0 codebase instead of v2.3.1, with adding new hiding algorithm for current realities and some code refreshing.
Changelog:
Version 1.2
* Fix crash and endless tests loop/failing on Android < 9.0 (bug from original version 2.4.0).
* Do not unpatch (revert) changes. To prevent possible tests failing after a while on some ROMs (cross conflicts).
Version 1.1
* Fix KeyStore hook desynchronization (tests randomly failing problem).
Usage:
1. Delete/disable/reset MagiskHidePropsConfig (if installed).
2. Just install it over old Universal SafetyNet Fix and reboot device.
3. You may be needed to wipe GMS data (not cache) if there is no result immediately.
Source code: https://github.com/Displax/safetynet-fix/tree/dev31Folks, the SafetyNet API was depreciated last Month with 'full turndown' slated for June 2024 and the introduction of the new Play Integrity API. It has also become clear that Google apps are simply the first to adopt the long foretold Play Integrity API; all responsible banks are bound to follow suit in short order, and at least before the June 2023 migration deadline.
This means (assuming fully deployed Hardware Key Attestation doesn't come first
) that the need for a 'Universal Play Integrity Fix' has become quite urgent.
We currently have workarounds involving using older fingerprint props by means of MHPC module (similar to fix needed for uncertified ROMs), but success/mileage varies per device and users of regular bank apps / gamers etc on stock devices will all soon be forced to experiment with MHPC prints also... This is hardly ideal.
So I've made an issue report/request on USNF GitHub as follows. This information may be insightful to users here also...
Please let me know here if I have missed anything important, or add any technically relevant details there...
PLEASE DON'T spam that issue with unimportant details or queries... (The previous issue is already burgeoning w/ OT.) That's what this thread is for...
:
Here's hoping...
PW28ok so there is a solution
get the magisk module riru
after you get riru get LSPosed
after you get LSPosed get xprivacylua (in the LSPosed app)
select play services in the xprivacylua settings IN the LSPosed app
AND in the xprivacylua app itself after you've restarted.
clear play service data
check safetynet in magisk - enjoy?
I would reboot between each step just to be safe but I know it's necessary to load the xprivacylua module
s/o to saitama_96 for discovering it or so I'm led to believe
