MAGISK MODULE ❯ Universal SafetyNet Fix 2.4.0

Search This thread


Senior Member
This version seems to be working great for me on my Pixel 7 Pro with Feb patch! CTS profile passes consistently now and I am meeting both basic and device integrity. I didn't clear data for anything, just installed this test version over the previous 3.0 mod and all seems good. Thanks a lot for your hard work!
  • Like
Reactions: ipdev and Displax


New member
Dec 22, 2015
Google Pixel 7


  • Screenshot_20230208-222653.png
    62.4 KB · Views: 47
  • Like
Reactions: ipdev


Senior Member
Jan 9, 2012
Google Pixel 7 Pro
Bear with me, can add cards, haven't tried to GPay yet.
Updated to Mod_3.0, cleared cache Wallet and GPS
reboot and failed Meets_device_integrity, Wallet sees root
In DenyList, unchecked Google Play Protect and for Wallet unchecked lifeboat
cleared cache wallet and GPS
Added cards
still failing Meets_device_integrity, Wallet not warning about root
will update post tomorrow morning after I try to get on the subway


Senior Member
Oct 24, 2010
Somewhere in Holland.
Updated to to "" on my pixel 6a with stock rom with magisk on it. 2 green checkmarks again! Adding a card to Google wallet works, haven't tested to actually pay with my phone.



Senior Member
Just an update on this, I've noticed that Google wallet occasionally says my device may be jailbroken or running uncertified software and tap to pay won't be available, however it still works and SafetyNet still passes (the pay contactless setup in wallet also says my phone meets security requirements). It didn't happen before on kdrag0n's USNF 2.4.0 (before the background GPS update too presumably) so I'm not sure why this is occurring. Always scares me to see that pop up haha but I suppose as long as tap to pay is still working and SafetyNet is still passing then it's fine.
  • Like
Reactions: cognitivedissonance
Mar 4, 2015
No luck for me, it still fails using the modded version provided by @Displax 🥲

Related info:
  • Poco F1 (Beryllium) - PixelOS (A13)
  • Magisk Delta (Zgisk enabled, also HideList)
  • Cleared both Google Play and Play Services data, restarted device couple times


  • Screenshot_20230209-012526_Tela de início do Pixel.png
    Screenshot_20230209-012526_Tela de início do Pixel.png
    68.5 KB · Views: 61
  • Screenshot_20230209-012650_Tela de início do Pixel.png
    Screenshot_20230209-012650_Tela de início do Pixel.png
    199.7 KB · Views: 62
  • Screenshot_20230209-012708_Tela de início do Pixel.png
    Screenshot_20230209-012708_Tela de início do Pixel.png
    207.6 KB · Views: 62


Senior Member
Jun 12, 2012
Google Pixel 7 Pro
@Displax Pixel 7 Pro with Feb stable and 3.0 and Shamiko works perfectly, normalcy is restored. I don't add play store in deny list when using your mods in deny list to circumvent my phone showing up as a Nexus 6p in the devices list in my Google account under security tab. Thank you once again.


Senior Member
Feb 17, 2009
Google Nexus 10
LG Nexus 5X
I'm passing the cts check as well as device integrity with the new 3.0 mod but I can't seem to add cards. Any thoughts?

Ignore me. I was able to add cards. We'll see about spending money tomorrow :)
Last edited:

Top Liked Posts

  • There are no posts matching your filters.
  • 5
    That's why I hate Lineage, I don't understand that "rules"...
    'Hate' is a strong word!...

    Anyway, when the original CyanogenMod bundled all proprietary GApps for one thing, Google issued their infamous "Cease And Desist" order and Steve Kondik thought his baby was dead!...

    However Google were quick to clarify that although custom OS's could not legitimately bundle GApps (Nb. other ROMs still do), users are welcome to 'sideload' the same (as devices themselves are generally certified through CTS while custom ROMs are not)...

    So OpenGapps was formed to offer legitimised seperate packages, Steve continued with CM project, users continued to use vanilla CM (and later LOS) with proprietary Google Apps, and all in the custom mod world was sweet again...

    Of course Google must have realised they nearly shot themselves in the foot with that action, but they scrambled to offer a solution / compromise that wouldn't result in the death of CM or custom ROMs as we know them...

    I think the Lineage team simply see that Google is actually the custom modders benefactor and is (in reality) supportive of them and custom mods/ROMs in general if Devs play by the rules, and LOS is simply willing to do so...

    Also, they are in the best position to get their custom ROM approved/certified in future (see my post above) by being careful 'not to subvert Google's security model' by tampering expected signals... Note that Magisk now follows this same policy, and I think that's not just because John is a Googler now; it's also a sign of his maturity as a responsible dev...

    And ensuring that the main custom mods (ROM, root/overlay framework) comply in no way prevents "those passionate about hiding" from "doing their job"!... Both history and you are proving that.

    Personally I think LOS is great and follows a great tradition! 🙃 PW

    With this module you can start the CIB Egypt Mobile Banking which is the only app I know they check if you have an unlocked bootloader. Enjoy 😎😎😎
    Tested with all my devices with different ROMs. PE, OctaviOS, AncientOS, EvolutionX and Bootleggers 😉
    Also, that roms already have a fix hardcoded. @kdrag0n said it's better:
    View attachment 5910631
    Yeah... Maybe most custom ROMs now integrate SNF (per Proton model) or other spoofing... But what about Stock ROM users... 😉

    Just to mention, official LineageOS builds are not allowed to include 'hacks' like this.

    LineageOS Charter - [Github] - SafetyNet
    "- All devices MUST NOT alter SafetyNet validation responses."

    Cheers. :cowboy:
    I can pass safelynet on YASNAC but not Play integrity API checker.
    Most bank apps work except one.
    Currently using Magisk 26.1, hidden, no enforce list, Shamiko, USNF 2 4.0 mod 1.2.
    Noticed you mentioned Magisk alpha. How is this different to Magisk 26.1 and can I go back to 26.1 afterwards if it makes no difference?
    I'm using rooted stock 13, no TWRP.
    Alpha works because after disabling Zygisk (which you need to do ATM) you have MagiskHide (old style) restored...

    You need to hide root from Starling but you cannot use Denylist or Shamiko as both require Zygisk, and even with native bridge loaded Zygisk (already implemented in Alpha, but still not fully hidable as is evident by Starling detections) injection/hooking is detected by memory scanning (or other means?)...
    Thanks a lot, it finally worked with Magisk alpha so, because it has worked this way, I tried to uninstall magisk alpha and normal magisk and reinstalling normal magisk and it is working as well without any module installed ... so I do not know what happened in the first place... could be that it just needed to make the initial bank app start without rooting and, after this first start, root the device and apply "denylist" in Magisk...
    Thanks all of you for your support :)
    Some have reported that Starling app gives you a week's grace from when it detects root until it fails to open... Just a guess on my part, but you may need a non-Zygisk hide solution again when/if that occurs.

    🤠 PW
    Can somebody help me? I can't get past safety net. I have installed the rom on my xiaomi 13. I have Magisk 26.1 with Zygisk. I have installed the modules universal safetynet fix 2.4 mod 1.2 and lsposed. I have added to the deny list: google play services, google play and google play framework. I have deleted the data from those apps and from the bank apps. I have also tried to install the Alpha app instead of Magisk and to hide the magisk app from the settings. But nothing works.

    The strange thing is that before installing the rom it worked. ROMs can pass Play Integrity (once again, PI is now of interest, SN is deprecated, and if you pass PI you will also pass SN) since they have the spoof built-in

    Cannot guarantee for all Xiaomi.eunROMs

    Hence, have you tried Play Integrity checker prior than you installed Magisk?

    For PI, you should pass Basic and Device Integrity but you cannot pass Strong Integrity (with the unlocked Bootloader)


    If you switch from Magisk official to Magisk Alpha or Delta, it is not enough (actually, it's then almost as if you did not switch) to install Alpha or Delta app, but after that you also have to install Magisk Alpha or Delta (like through the app, Install, patch and flash the boot img or Direct Install but after reboot you then also have to configure your Magisk Alpha or Delta)
  • 324
    Universal SafetyNet Fix
    Magisk module​

    Magisk module to work around Google's SafetyNet attestation.

    This module works around hardware attestation and recent updates to SafetyNet CTS profile checks. You must already be able to pass basic CTS profile attestation, which requires a valid combination of device and model names, build fingerprints, and security patch levels.

    If you still have trouble passing SafetyNet with this module, use MagiskHide Props Config to spoof a certified device profile. This is a common issue on old devices, custom ROMs, and stock ROMs without GMS certification (e.g. Chinese ROMs).

    Android versions up to 13 Beta 3 are supported, including OEM skins such as Samsung One UI and MIUI.

    How does it work?
    The way this workaround works is relatively low-level. An in-depth explanation, as well as source code and ROM changes, can be found on GitHub.

    Ideally, this workaround should be incorporated in custom ROMs instead of injecting code with a Magisk module. See the ProtonAOSP website for more information.

    Downloads and changelogs can be found on GitHub. The topmost release is the latest.

    Latest release

    • Play Integrity bypass without breaking device checks or causing other issues
    • Disabled use of hardware attestation on Pixel 7 and newer (@anirudhgupta109)
    Other changes
    • Updated instructions for newer Android and Magisk versions
    • Better debugging for future development
    This version only supports Zygisk (Magisk 24 and newer).

    It's taken a while to find a way to bypass Play Integrity that doesn't require spoofing the build fingerprint permanently, but I wanted to make sure this module doesn't cause any unnecessary breakage. Just like the original goal of Universal SafetyNet Fix, this minimizes adverse effects by spoofing dynamically at runtime only when necessary. Enjoy!

    If you found this helpful, please consider supporting development with a recurring donation for rewards such as early access to updates, exclusive behind-the-scenes development news, and priority support.
    Alternatively, you can also buy me a coffee. All support is appreciated ❤️

    Source code
    So, here is my modification of USNF with Play Integrity API bypass.

    It changes fingerprint to old 7.1.2 6.0 (LOL) and apply it only for GMS SafetyNet process (by Zygisk injection), so your original prints/security path level does not change. This avoids many side effects/problems with global props changing.

    Updated 3.0:
    No words needed, you understand everything yourself 😜

    Updated 2.1:
    Hide "Enable OEM Unlock" setting

    Updated 2.0:
    Bypassing DEVICE_INTEGRITY for devices that shipped with Android 13+ (Pixel`s 7 )

    Drop fingerprint to lowest possible (6.0) to ensure that no one use same Android version

    1. Delete/disable/reset MagiskHidePropsConfig (if installed).
    2. Just install it over old Universal SafetyNet Fix and reboot device.
    3. You may be needed to wipe GMS data (not cache) if there is no result immediately.

    Many thanks to @1nikolas for integrity checker.

    Source code:
    So, here is my new modification of USNF with Play Integrity API bypass.

    It is now based on top of original v2.4.0 codebase instead of v2.3.1, with adding new hiding algorithm for current realities and some code refreshing.


    Version 1.2
    * Fix crash and endless tests loop/failing on Android < 9.0 (bug from original version 2.4.0).
    * Do not unpatch (revert) changes. To prevent possible tests failing after a while on some ROMs (cross conflicts).

    Version 1.1
    * Fix KeyStore hook desynchronization (tests randomly failing problem).

    1. Delete/disable/reset MagiskHidePropsConfig (if installed).
    2. Just install it over old Universal SafetyNet Fix and reboot device.
    3. You may be needed to wipe GMS data (not cache) if there is no result immediately.

    Source code:
    So, created separate thread for my mod. Welcome)

    Folks, the SafetyNet API was depreciated last Month with 'full turndown' slated for June 2024 and the introduction of the new Play Integrity API. It has also become clear that Google apps are simply the first to adopt the long foretold Play Integrity API; all responsible banks are bound to follow suit in short order, and at least before the June 2023 migration deadline.

    This means (assuming fully deployed Hardware Key Attestation doesn't come first 😬) that the need for a 'Universal Play Integrity Fix' has become quite urgent.

    We currently have workarounds involving using older fingerprint props by means of MHPC module (similar to fix needed for uncertified ROMs), but success/mileage varies per device and users of regular bank apps / gamers etc on stock devices will all soon be forced to experiment with MHPC prints also... This is hardly ideal.

    So I've made an issue report/request on USNF GitHub as follows. This information may be insightful to users here also...

    Please let me know here if I have missed anything important, or add any technically relevant details there...

    PLEASE DON'T spam that issue with unimportant details or queries... (The previous issue is already burgeoning w/ OT.) That's what this thread is for... 😛 :

    Please make 'Universal Play Integrity Fix' ... #204

    Fixes to expand 'Universal SafetyNet Fix' to become a 'Universal Play Integrity Fix' are needed.

    The SafetyNet Attestation API is deprecated and has been replaced by the Play Integrity API.

    New Play Integrity API is rolling out from June 2022, and evidently Google Play Store and Google Pay/Wallet are already using its verdict.

    June 2023 is the Migration Deadline for app developers. This will also allow their older app versions to continue working with SafetyNet API for a limited time.

    June 2024 is the End of life for SafetyNet API; its attestation will no longer work for any app version, and apps will receive an error.

    The new Integrity API has more strict requirements for passing attestation, and this seems to be enforced in Android 11+ particularly.

    Currently (evidently due to this), device security issues are detected by

    1. Google Pay/Wallet, which may state "You can't pay contactless with this device...(Your phone doesn't meet software standards)" on updating or attempting to add a card despite in-app Contactless setup stating "You're ready to pay contactless with your phone (Your phone meets security requirements)", and
    2. Google Play Store, which may no longer show apps like Netflix w/ Android 11+ (developers can 'exclude devices from their app's distribution based on their device integrity . Device exclusion is based on the latest device integrity verdict that the Play Store app receives from the Play Integrity API') despite in-app settings showing Play Protect 'Device is certified' result.
    I'm guessing that the 'passing' messages based on the old SafetyNet API are likely to realigned soon.

    A workaround that evidently allows Play Integrity API attestation to pass (and solve Wallet / Play Store issues also) has been discovered. It involves spoofing an earlier certified ROM, generally by using MagiskHide Props Config module to change fingerprint prop to one for Android 10 or earlier.

    Undoubtedly other apps will begin to detect broken TEE etc / fail as they migrate or begin integrating the Play Integrity API.

    A 'Universal Play Integrity Fix' will evidently require more understanding / research into how the fingerprint prop is used, and possibly other new behaviours.

    Here's hoping... 🙃 PW