MAGISK MODULE ❯ Universal SafetyNet Fix 2.4.0

Search This thread
By:
Advanced…
AnyNameYouWish

AnyNameYouWish

Senior Member
Feb 13, 2022
75
44
Amazon Fire TV
Samsung Galaxy Tab S2
So I don't pass device integrity , but I do pass basic integrity.


Screenshot_20230209-110239.png


I disabled all Magisk modules, and deleted XPL folder as mentionned in previous post.
Cleared cache and data from GPS / GMS / Wallet, and installed safety net-fix 2.3.1-MOD latest version.
Tried again with safetynet-fix 2.4.0.

Both fail to pass device integrity.

In Magisk's deny list I have GPS, Wallet and bank apps checked. I also check GMS after reboot to try and see.
Tried with both deny list enforced and shamiko without enforcement.

If that matters, I'm on Pixel 5 A13 january update.

What more could I try to pass both device and basic integrity?
 
AnyNameYouWish

AnyNameYouWish

Senior Member
Feb 13, 2022
75
44
Amazon Fire TV
Samsung Galaxy Tab S2
AnyNameYouWish said:
So I don't pass device integrity , but I do pass basic integrity.


View attachment 5831719

I disabled all Magisk modules, and deleted XPL folder as mentionned in previous post.
Cleared cache and data from GPS / GMS / Wallet, and installed safety net-fix 2.3.1-MOD latest version.
Tried again with safetynet-fix 2.4.0.

Both fail to pass device integrity.

In Magisk's deny list I have GPS, Wallet and bank apps checked. I also check GMS after reboot to try and see.
Tried with both deny list enforced and shamiko without enforcement.

If that matters, I'm on Pixel 5 A13 january update.

What more could I try to pass both device and basic integrity?
Click to expand...
Click to collapse
Oh nevermind, mod v3.0 do the trick.

Sorry and thanks!
 
Last edited:
C

crypticc

Senior Member
Aug 22, 2009
1,248
171
London
jknaggs said:
OK, have carried out a couple of transactions on Gipsy all went without a hitch. However on initial opening of Gpay I had device unsafe warning. Exited, ran YASNAC and passed. Reopened Gpay , no warning and payment successful.
Click to expand...
Click to collapse
Which region are you please? Trying to understand how you have Gpay. Even I look in apps there's only wallet and only see that if I manually install wallet from Play Store. (Though the shortcut for wallet in drop down menu even before then)

Correction.... Several reboot and clearing and freezing and rebooting I now have Gpay, but can't find to block in Magisk.


This is actually how it was when I was in India and was able to add my card. Now here cannot so will try adding via Gpay again. (Last time I did the it worked for a day or two)
 
Last edited:
M

Marcyvee

Senior Member
Oct 9, 2015
330
35
It there a way to pass safetynet with LSPosed zygisk 1.8.6?
Edit: sorry, I passed it.
 
Last edited:
jknaggs

jknaggs

Senior Member
Oct 3, 2010
138
51
Manchester UK
Google Pixel 6 Pro
crypticc said:
Which region are you please? Trying to understand how you have Gpay. Even I look in apps there's only wallet and only see that if I manually install wallet from Play Store. (Though the shortcut for wallet in drop down menu even before then)

Correction.... Several reboot and clearing and freezing and rebooting I now have Gpay, but can't find to block in Magisk
Click to expand...
Click to collapse
Apologies, it's Google wallet. All still working OK.
 
bigknowz

bigknowz

Senior Member
Jan 9, 2012
955
503
NYC
Google Pixel 7 Pro
bigknowz said:
Bear with me, can add cards, haven't tried to GPay yet.
Updated to Mod_3.0, cleared cache Wallet and GPS
reboot and failed Meets_device_integrity, Wallet sees root
In DenyList, unchecked Google Play Protect and for Wallet unchecked lifeboat
cleared cache wallet and GPS
Added cards
still failing Meets_device_integrity, Wallet not warning about root
will update post tomorrow morning after I try to get on the subway
Click to expand...
Click to collapse
giphy (3).gif
 
SchmilK

SchmilK

Senior Member
Nov 2, 2007
772
538
play.google.com
Google Pixel 6 Pro
Displax said:
So, here is my modification of USNF with Play Integrity API bypass.

It changes fingerprint to old 7.1.2 6.0 (LOL) and apply it only for GMS SafetyNet process (by Zygisk injection), so your original prints/security path level does not change. This avoids many side effects/problems with global props changing.

Updated 3.0:
No words needed, you understand everything yourself 😜
Click to expand...
Click to collapse
Attempted to get things working yesterday with google wallet tap to pay with no success. Saw this this morning from the Pixel 7 Pro thread, installed it over my existing version, rebooted, went to the Cafe at work and taped my way into an egg sandwich and a coffee!

THANK YOU!!!
 
  • Like
Reactions: Skysurfer77
_Raziel666

_Raziel666

Senior Member
Jun 15, 2011
727
209
Athens
So is there a way for non-Pixel phones (rooted or unrooted) for this to work or not?

I've tried following this thread the last couple of days but not sure where we are at the moment.
 
V0latyle

V0latyle

Forum Moderator
Staff member
Feb 20, 2011
6,000
1
9,510
The Heartland of America
Google Pixel 5
Google Pixel 5a
C

cognitivedissonance

Senior Member
Jan 11, 2012
661
208
This morning I just got a pop-up from Google Wallet warning me that my Tap To Pay would no longer be available due to not meeting security requirements. Sure enough when I checked in the Google Wallet app (Profile letter in the upper right > Tap To Pay setup) the first thing listed is the message "Phone doesn't meet security requirements."

I checked to see if safety net was still passing, and the CTS profile match failed. I'm on Magisk 25.2 stable, USNF 2.4.0, Shamiko 0.6 (Denylist not enforcing of course,) Systemless Hosts 1.0, and BusyBox 1.34.1. I've been running this for quite a while without issue.

I found this thread, and installed Displax's USNF 2.3.1 (MOD 3) overtop of USNF 2.4.0 and then rebooted. SafetyNet check now fully passes again including CTS profile match. The issue with Wallet remains though -- it still is showing "Phone doesn't meet security requirements." Is that expected, or are there further steps I can take?
 
V0latyle

V0latyle

Forum Moderator
Staff member
Feb 20, 2011
6,000
1
9,510
The Heartland of America
Google Pixel 5
Google Pixel 5a
cognitivedissonance said:
This morning I just got a pop-up from Google Wallet warning me that my Tap To Pay would no longer be available due to not meeting security requirements. Sure enough when I checked in the Google Wallet app (Profile letter in the upper right > Tap To Pay setup) the first thing listed is the message "Phone doesn't meet security requirements."

I checked to see if safety net was still passing, and the CTS profile match failed. I'm on Magisk 25.2 stable, USNF 2.4.0, Shamiko 0.6 (Denylist not enforcing of course,) Systemless Hosts 1.0, and BusyBox 1.34.1. I've been running this for quite a while without issue.

I found this thread, and installed Displax's USNF 2.3.1 (MOD 3) overtop of USNF 2.4.0 and then rebooted. SafetyNet check now fully passes again including CTS profile match. The issue with Wallet remains though -- it still is showing "Phone doesn't meet security requirements." Is that expected, or are there further steps I can take?
Click to expand...
Click to collapse
Clear data for Wallet and GPay, make sure both are in DenyList (include all subprocesses).

Stop checking for SafetyNet pass. You need to be checking Play Integrity.

_Raziel666 said:
For payments with Google Wallet!
Click to expand...
Click to collapse
All you have to do is read this thread. Others have asked your question, and it has been answered many times.
 
  • Like
Reactions: cognitivedissonance
You must log in or register to reply here.

Similar threads

Chainfire
[Android 2.1+][03.10.2011][v3.2] Chainfire3D [ROOT][OpenGL ES 2.0+]
Replies
3K
Views
3M
rignfool
rignfool
apb_axel
[ZIP] Synapse + Script => Universal Kernel Manager v3.8.1
Replies
3K
Views
766K
D
Dildoman
repey6
[6.0-12.0][Magisk]Dolby Digital Plus[upd.20211005]
Replies
2K
Views
737K
B
b4minee
Chainfire
[2014.05.01][ROOT] Mobile ODIN v4.20
Replies
5K
Views
3M
Zagnutty
Zagnutty
DooMLoRD
[04/Jan][ROOTING/UNROOTING] DooMLoRD's Easy Rooting Toolkit [v4.0](zergRush Exploit)
Replies
927
Views
3M
B
bishoy ashraf

Top Liked Posts

24 Hours 30 Days All time
  • There are no posts matching your filters.
  • 4
    P
    pndwal
    For those using Canary builds

    Please be aware that in 25207+ major refactoring (of selinux rule patching) has broken many modules etc... This is likely the cause of issues with hiding using recent builds as Shamiko is affected... Please see discussion in Magisk Discussion thread...

    You could revert to 25206 or wait for fixes hopefully in 25211... 👀 PW
    View
    3
    zgfg
    zgfg
    jasonbiggs said:
    so I'm on android 13, pixel 6a. Got Integrity ✅ and CTS match ✅ and also Play Store as Certified. Although, still no google pay or banks access. Any hints to get this working or it this fix not fully functional on 13 as of yet?

    Thanks!
    Click to expand...
    Click to collapse
    With Integrity and CTS do you refer to the deprecated SafetyNet or the 'new' Play Integrity API?

    Also, are you using USNF from this thread or the newer/better safetynet-fix-v2.4.0-MOD_1.2 from the other thread?

    Look into the other USNF thread from Displax and find more info in the thread about GPay

    Btw, banking apps do not rely only on PI API - they try many other detections od root, hence you might need (things vary from app to app) Shamiko, Hide My Applist or even the Magisk Delta fork

    The best would be to search through the Magisk related threads here on XDA, how the other user(s) solved the root detection from your particular banking or similar app
    View
    3
    jasonbiggs
    jasonbiggs
    zgfg said:
    With Integrity and CTS do you refer to the deprecated SafetyNet or the 'new' Play Integrity API?

    Also, are you using USNF from this thread or the newer/better safetynet-fix-v2.4.0-MOD_1.2 from the other thread?

    Look into the other USNF thread from Displax and find more info in the thread about GPay

    Btw, banking apps do not rely only on PI API - they try many other detections od root, hence you might need (things vary from app to app) Shamiko, Hide My Applist or even the Magisk Delta fork

    The best would be to search through the Magisk related threads here on XDA, how the other user(s) solved the root detection from your particular banking or similar app
    Click to expand...
    Click to collapse
    Yes! I was trying to find the link for that mod. This worked. Thanks!

    View
    2
    Nergal di Cuthah
    Nergal di Cuthah
    JigsawMobile said:
    If I understood at A12 and 13 we don't need Magiskhide Props Config?

    I have installed and Magiskhide Props Config but my bank application still recognizes that root is applied, and I can't do it by ByPass no way.

    another one question,
    Could we patch system without Magisk, is it possibly make zip and patch via twrp ?
    Click to expand...
    Click to collapse
    It may help for us to know the app to see if anyone successfully bypased it. Remember that this is a race between a variety of different banking app developers and usnf developers. Both are trying to catch up with eachother, so my second question is have you tried the current displax fork of usnf (2.4.0 mod 1.2)?

    As to your question alot of them are check for system changes, or even custom os,. But it depends on what you do with root. i use adaway which changes hosts and need systemless hosts and specifically use usnf for allowing netflix you do need magisk (or some root) for any SN or PI passing (such as usnf),i believe.
    View
    2
    P
    pndwal
    Nergal di Cuthah said:
    ... you do need magisk (or some root) for any SN or PI passing (such as usnf),i believe.
    Click to expand...
    Click to collapse
    ... Unless using a custom ROM that integrates SNF (or own prop/signal spoofing)... Many do this... Some like official LineageOS never will...

    While I prefer a 'clean' ROM like official LOS and to add-on Magisk and modules for integrity attestation fixes, integrated fixes in ROMs may actually be better when user doesn't intend to use Magisk/root (@kdragOn gives guides - two options - for Devs and develops SNF for native use in his Proton ROMs)... These ROMs have props and other spoofed signals set in /system and need no /system overlays (ie. Magisk mask) or code injection using hooking frameworks like Zygisk or Riru which present their own hiding challenges...

    The issue is really the priority maintaining Devs give to keeping up with ever changing Google integrity attestation API standards and server-end changes in measurements and algorithms used for verdicts... USNF has traditionally been quick to implement fixes, and independent Devs like @Displax have been able to pick up the slack when @kdrag0n has been otherwise occupied... Some ROM Devs are diligently watching these developments and update their native fixes soon after USNF builds overcome changes, but others are slow... There are still custom ROMs that integrate SNF for SafetyNet but haven't yet included fixes for PI deviceIntegrity...

    This means that when there is significant lag with updates for integrity attestations in a ROM, users may need to install Magisk & a USNF build... This can work depending on both ROM SNF and USNF Dev implementations, but can also lead to failure/conflicts as has been seen recently...

    If a user adds Magisk to ROMs having built in SNF and the fix is up to date and working, no USNF module should really be added... All that will be required is adding the attestation/droidguard gms process and for most A11+ devices the main gms process (ie. com.google.android.gms.unstable and com.google.android.gms in Google Play Services) in denylist to hide Magisk/root from Google Mobile Services as the ROM handles the rest...

    👀 PW
    View
  • 315
    kdrag0n
    kdrag0n
    Universal SafetyNet Fix
    Magisk module​

    Magisk module to work around Google's SafetyNet attestation.

    This module works around hardware attestation and recent updates to SafetyNet CTS profile checks. You must already be able to pass basic CTS profile attestation, which requires a valid combination of device and model names, build fingerprints, and security patch levels.

    If you still have trouble passing SafetyNet with this module, use MagiskHide Props Config to spoof a certified device profile. This is a common issue on old devices, custom ROMs, and stock ROMs without GMS certification (e.g. Chinese ROMs).

    Android versions up to 13 Beta 3 are supported, including OEM skins such as Samsung One UI and MIUI.

    How does it work?
    The way this workaround works is relatively low-level. An in-depth explanation, as well as source code and ROM changes, can be found on GitHub.

    Ideally, this workaround should be incorporated in custom ROMs instead of injecting code with a Magisk module. See the ProtonAOSP website for more information.

    Downloads
    Downloads and changelogs can be found on GitHub. The topmost release is the latest.

    Latest release
    v2.4.0
    Highlights
    • Play Integrity bypass without breaking device checks or causing other issues
    • Disabled use of hardware attestation on Pixel 7 and newer (@anirudhgupta109)
    Other changes
    • Updated instructions for newer Android and Magisk versions
    • Better debugging for future development
    This version only supports Zygisk (Magisk 24 and newer).

    It's taken a while to find a way to bypass Play Integrity that doesn't require spoofing the build fingerprint permanently, but I wanted to make sure this module doesn't cause any unnecessary breakage. Just like the original goal of Universal SafetyNet Fix, this minimizes adverse effects by spoofing dynamically at runtime only when necessary. Enjoy!

    If you found this helpful, please consider supporting development with a recurring donation for rewards such as early access to updates, exclusive behind-the-scenes development news, and priority support.
    Alternatively, you can also buy me a coffee. All support is appreciated ❤️

    Source code
    View
    215
    Displax
    Displax
    So, here is my modification of USNF with Play Integrity API bypass.

    It changes fingerprint to old 7.1.2 6.0 (LOL) and apply it only for GMS SafetyNet process (by Zygisk injection), so your original prints/security path level does not change. This avoids many side effects/problems with global props changing.

    Updated 3.0:
    No words needed, you understand everything yourself 😜

    Updated 2.1:
    Hide "Enable OEM Unlock" setting

    Updated 2.0:
    Bypassing DEVICE_INTEGRITY for devices that shipped with Android 13+ (Pixel`s 7 )

    Updated:
    Drop fingerprint to lowest possible (6.0) to ensure that no one use same Android version

    Usage:
    1. Delete/disable/reset MagiskHidePropsConfig (if installed).
    2. Just install it over old Universal SafetyNet Fix and reboot device.
    3. You may be needed to wipe GMS data (not cache) if there is no result immediately.

    Many thanks to @1nikolas for integrity checker.

    Source code: https://github.com/Displax/safetynet-fix/tree/integrity
    View
    58
    Displax
    Displax
    So, here is my new modification of USNF with Play Integrity API bypass.

    It is now based on top of original v2.4.0 codebase instead of v2.3.1, with adding new hiding algorithm for current realities and some code refreshing.

    Changelog:

    Version 1.2
    * Fix crash and endless tests loop/failing on Android < 9.0 (bug from original version 2.4.0).
    * Do not unpatch (revert) changes. To prevent possible tests failing after a while on some ROMs (cross conflicts).

    Version 1.1
    * Fix KeyStore hook desynchronization (tests randomly failing problem).


    Usage:
    1. Delete/disable/reset MagiskHidePropsConfig (if installed).
    2. Just install it over old Universal SafetyNet Fix and reboot device.
    3. You may be needed to wipe GMS data (not cache) if there is no result immediately.

    Source code: https://github.com/Displax/safetynet-fix/tree/dev
    View
    31
    P
    pndwal
    Folks, the SafetyNet API was depreciated last Month with 'full turndown' slated for June 2024 and the introduction of the new Play Integrity API. It has also become clear that Google apps are simply the first to adopt the long foretold Play Integrity API; all responsible banks are bound to follow suit in short order, and at least before the June 2023 migration deadline.

    This means (assuming fully deployed Hardware Key Attestation doesn't come first 😬) that the need for a 'Universal Play Integrity Fix' has become quite urgent.

    We currently have workarounds involving using older fingerprint props by means of MHPC module (similar to fix needed for uncertified ROMs), but success/mileage varies per device and users of regular bank apps / gamers etc on stock devices will all soon be forced to experiment with MHPC prints also... This is hardly ideal.

    So I've made an issue report/request on USNF GitHub as follows. This information may be insightful to users here also...

    Please let me know here if I have missed anything important, or add any technically relevant details there...

    PLEASE DON'T spam that issue with unimportant details or queries... (The previous issue is already burgeoning w/ OT.) That's what this thread is for... 😛 :

    Please make 'Universal Play Integrity Fix' ... #204

    Fixes to expand 'Universal SafetyNet Fix' to become a 'Universal Play Integrity Fix' are needed.

    The SafetyNet Attestation API is deprecated and has been replaced by the Play Integrity API.
    https://developer.android.com/training/safetynet/deprecation-timeline

    New Play Integrity API is rolling out from June 2022, and evidently Google Play Store and Google Pay/Wallet are already using its verdict.

    June 2023 is the Migration Deadline for app developers. This will also allow their older app versions to continue working with SafetyNet API for a limited time.

    June 2024 is the End of life for SafetyNet API; its attestation will no longer work for any app version, and apps will receive an error.

    The new Integrity API has more strict requirements for passing attestation, and this seems to be enforced in Android 11+ particularly.

    Currently (evidently due to this), device security issues are detected by

    1. Google Pay/Wallet, which may state "You can't pay contactless with this device...(Your phone doesn't meet software standards)" on updating or attempting to add a card despite in-app Contactless setup stating "You're ready to pay contactless with your phone (Your phone meets security requirements)", and
    2. Google Play Store, which may no longer show apps like Netflix w/ Android 11+ (developers can 'exclude devices from their app's distribution based on their device integrity . Device exclusion is based on the latest device integrity verdict that the Play Store app receives from the Play Integrity API') despite in-app settings showing Play Protect 'Device is certified' result.
    I'm guessing that the 'passing' messages based on the old SafetyNet API are likely to realigned soon.

    A workaround that evidently allows Play Integrity API attestation to pass (and solve Wallet / Play Store issues also) has been discovered. It involves spoofing an earlier certified ROM, generally by using MagiskHide Props Config module to change fingerprint prop to one for Android 10 or earlier.

    Undoubtedly other apps will begin to detect broken TEE etc / fail as they migrate or begin integrating the Play Integrity API.

    A 'Universal Play Integrity Fix' will evidently require more understanding / research into how the fingerprint prop is used, and possibly other new behaviours.
    Click to expand...
    Click to collapse

    Here's hoping... 🙃 PW
    View
    29
    Displax
    Displax
    So, created separate thread for my mod. Welcome)

    [MODULE] [MOD] Universal SafetyNet Fix

    Universal SafetyNet Fix [MOD] Magisk module...
    forum.xda-developers.com forum.xda-developers.com
    View

New posts