MAGISK MODULE ❯ Universal SafetyNet Fix 2.4.0

Search This thread

crypticc

Senior Member
Aug 22, 2009
1,248
171
London
There actually seem to be 3 separate components.

Pixel firmware has some sort of built in GPay/Wallet functionality. There's also the standalone GPay app, as well as the standalone Wallet app. I have both on my Pixel 5, but if I uninstall both of them, I still have Wallet in my Quick Settings.

Try this:
  • Remove any previous versions of Universal SafetyNet Fix and MagiskHide Props Config from Magisk.
  • Reboot device.
  • Go into Magisk DenyList, and enable DenyList on all components of Play Store, Wallet, and GPay. Clear data for all 3 apps.
  • Download and install USNF 2.3.1 MOD 3.0
  • Reboot again
  • Check Play Integrity status, use Play Integrity API Checker
Thank you

The Gpay app seems to be the version left behind just for India UPI payments. Not available in my country but presumably I had some remnants from my trip to Goa a few weeks ago because last week when I first started getting device security errors it was bringing up gpay gui until I installed wallet from the PlayStore. This was all cleared yesterday so not related to permission issues today (now resolved)

Now I just have whatever is the skeletal wallet and then re-install Wallet app from PlayStore is what I finally added the card to after MOD3 and freezing more stuff.

Thanks again
 
  • Like
Reactions: V0latyle

V0latyle

Forum Moderator
Staff member
Deny list including :
  • Google Play Protect,
  • Google Play Services (I've tried both with and without this)
  • Google wallet
If you check DenyList again, I bet you'll see it's unchecked :)

Play Protect shouldn't be necessary, but better safe than sorry.

I personally have Wallet and Play Store blocked, but since the only thing you and I have in common is Wallet and we're both able to use it, I think that's all that is necessary:
  • USNF 2.3.1 MOD 3.0
  • DenyList:
    • Wallet
    • GPay
 
You're correct - Wallet only gives the one pop-up, but it still seems to be detecting an issue with Play Integrity, which is unsurprising because I currently am failing all 3 of the Play Integrity checks.

Have you checked your Play Integrity? And have you checked in the Wallet menus to see if it still shows the message I mentioned?
Hey, I checked out the wallet app and it's working fine. Everything is working as it was prior to the February release. I'm not having any issues whatsoever. When checking integrity, the only one that fails is Strong security. but that fails due to the bootloader being unlocked, not much you can do about that.
 

canibuz

Member
Jul 25, 2007
33
18
As above mine currently working.

full stock Android... TQ1A.221205.011

I originally had this config:
  1. Magisk latest app and root (25206)
  2. Running in Zygote,
  3. USNF Displax 2.3.1_MOD 3 (previously 2.1)
  4. Shamiko 0.6 (126)
  5. Enforce Deny list disabled (as per Shamiko instruction)

Deny list including :
  • Google Play Protect,
  • Google Play Services (I've tried both with and without this)
  • Google wallet

In addition I've added following into deny list as mentioned by others on this thread

  • Global actions Wallet API
  • Android setup that includes the lifeboat API mentioned by others
  • Device policy (also mentioned lifeboat so did this too)
  • Betterbug (mentioned by others here)
  • Hardware info, because why not?
  • Security hub
  • Settings service ( includes lifeboat as mentioned)

Banking and media apps

I've probably put more than u need in the deny list but something in that second list is, once mod3 installed, what finally also allowed me to add a card. Might be coincidental though as been clearing rebooting adding clearing etc all day

I replicated this exact setup and it is now working for me.

The one thing I had to do in addition is clear the storage for Google Wallet. I was able to add a card with no warnings after that.
 
  • Like
Reactions: cognitivedissonance

Jon8RFC

Senior Member
Apr 3, 2010
147
75
TX
Can someone help me make a mod like as
[safetynet-fix v2.3.1-MOD_3.0]
for riru user
THX :)
@huskydg does some stuff for riru users:


I thought they also maintained an updated magisk riru version for some reason. I must've confused it with their magisk delta project:
 
  • Love
Reactions: apong1984

Yeedatoy

Senior Member
Jul 18, 2018
368
156
38
Charlotte
AT&T HTC One X
Moto G6
So I don't pass device integrity , but I do pass basic integrity.


View attachment 5831719

I disabled all Magisk modules, and deleted XPL folder as mentionned in previous post.
Cleared cache and data from GPS / GMS / Wallet, and installed safety net-fix 2.3.1-MOD latest version.
Tried again with safetynet-fix 2.4.0.

Both fail to pass device integrity.

In Magisk's deny list I have GPS, Wallet and bank apps checked. I also check GMS after reboot to try and see.
Tried with both deny list enforced and shamiko without enforcement.

If that matters, I'm on Pixel 5 A13 january update.

What more could I try to pass both device and basic integrity?
You don't check gms in the deny list. That can cause issues
 

crypticc

Senior Member
Aug 22, 2009
1,248
171
London
I replicated this exact setup and it is now working for me.

The one thing I had to do in addition is clear the storage for Google Wallet. I was able to add a card with no warnings after that.
Yes. I was doing three obvious steps. Clearing data of the trinity of Play Services, Play Store, Wallet, and for good measure I also did Pay protect and then rebooted.
My play store and wallet both still says compliant couple of hours later. I'm not brave enough to try a reboot to see if they stick
 

cognitivedissonance

Senior Member
Jan 11, 2012
661
208
There actually seem to be 3 separate components.

Pixel firmware has some sort of built in GPay/Wallet functionality. There's also the standalone GPay app, as well as the standalone Wallet app. I have both on my Pixel 5, but if I uninstall both of them, I still have Wallet in my Quick Settings.

Try this:
  • Remove any previous versions of Universal SafetyNet Fix and MagiskHide Props Config from Magisk.
  • Reboot device.
  • Go into Magisk DenyList, and enable DenyList on all components of Play Store, Wallet, and GPay. Clear data for all 3 apps.
  • Download and install USNF 2.3.1 MOD 3.0
  • Reboot again
  • Check Play Integrity status, use Play Integrity API Checker

Shouldn't be hard to pass BASIC and DEVICE integrity. See my previous post

I don't think this would actually cause it, but it's possible.

As above mine currently working.

full stock Android... TQ1A.221205.011

I originally had this config:
  1. Magisk latest app and root (25206)
  2. Running in Zygote,
  3. USNF Displax 2.3.1_MOD 3 (previously 2.1)
  4. Shamiko 0.6 (126)
  5. Enforce Deny list disabled (as per Shamiko instruction)

Deny list including :
  • Google Play Protect,
  • Google Play Services (I've tried both with and without this)
  • Google wallet

In addition I've added following into deny list as mentioned by others on this thread

  • Global actions Wallet API
  • Android setup that includes the lifeboat API mentioned by others
  • Device policy (also mentioned lifeboat so did this too)
  • Betterbug (mentioned by others here)
  • Hardware info, because why not?
  • Security hub
  • Settings service ( includes lifeboat as mentioned)

Banking and media apps

I've probably put more than u need in the deny list but something in that second list is, once mod3 installed, what finally also allowed me to add a card. Might be coincidental though as been clearing rebooting adding clearing etc all day


To anyone scratching their head not knowing why they're getting Play Integrity API Checker showing you failing all 3 checks (Device Integrity, Basic Integrity, and Strong Integrity) the above may work for you, but if it does not, I have an additional couple suggestions.

1. Check that you don't have a modded Play Store installed. If you know you don't, then skip this step. Typically this would be something you'd have done using an app that isn't allowed to be named here. The cereal with the leprechaun mascot is _ _ _ _ _ _ _ _ _ _ _ and the app I'm talking about shares part of that name. Anyway, if you have that installed and also have the Magisk module it uses, I suggest you go into that app, make it uninstall its Magisk module, and then uncheck the first 'switch,' and then uninstall the app entirely.

2. Check the version of your Google Play Store app. It may be quite outdated (especially if you're in the situation mentioned above.) The easiest way to update it is to grab a Play Store apk from APK Mirror (or other reputable source) and install it. To do the install, you'll need to use Split Apk Installer (SAI) which is an app you can find on the Play Store (the developer is polychromaticfox.)



tl;dr - The way I got my setup to pass Device Integrity and Basic Integrity was to follow crypticc's instructions, then V0latyle's instructions, and finally steps 1 and 2 that I've listed, above.


Edit: For the record, Wallet still acts like I'll be able to Tap To Pay (by shimmering the NFC icon above my cards that I've entered) however i haven't tested it yet to be sure. Also, when I go to the Wallet Tap To Pay Setup menu, it still shows "Phone does not meet security requirements" but also has a check mark indicating that (1) NFC is on, (2) Google Pay is set as my default, (3l I've added a card, and (4) I've set a screen lock.

I'll provide an update if I test out Tap To Pay.
 
Last edited:

Iverol

Member
Nov 18, 2017
32
5
Chisinau
Google Pixel 4 XL
To anyone scratching their head not knowing why they're getting Play Integrity API Checker showing you failing all 3 checks (Device Integrity, Basic Integrity, and Strong Integrity) the above may work for you, but if it does not, I have an additional couple suggestions.

1. Check that you don't have a modded Play Store installed. If you know you don't, then skip this step. Typically this would be something you'd have done using an app that isn't allowed to be named here. The cereal with the leprechaun mascot is _ _ _ _ _ _ _ _ _ _ _ and the app I'm talking about shares part of that name. Anyway, if you have that installed and also have the Magisk module it uses, I suggest you go into that app, make it uninstall its Magisk module, and then uncheck the first 'switch,' and then uninstall the app entirely.

2. Check the version of your Google Play Store app. It may be quite outdated (especially if you're in the situation mentioned above.) The easiest way to update it is to grab a Play Store apk from APK Mirror (or other reputable source) and install it. To do the install, you'll need to use Split Apk Installer (SAI) which is an app you can find on the Play Store (the developer is polychromaticfox.)



tl;dr - The way I got my setup to pass Device Integrity and Basic Integrity was to follow crypticc's instructions, then V0latyle's instructions, and finally steps 1 and 2 that I've listed, above.


Edit: For the record, Wallet still acts like I'll be able to Tap To Pay (by shimmering the NFC icon above my cards that I've entered) however i haven't tested it yet to be sure. Also, when I go to the Wallet Tap To Pay Setup menu, it still shows "Phone does not meet security requirements" but also has a check mark indicating that (1) NFC is on, (2) Google Pay is set as my default, (3l I've added a card, and (4) I've set a screen lock.

I'll provide an update if I test out Tap To Pay.
If it still says it doesn't meet the requirements then it just won't work. checking YASNAC on my phone and it still fails CTS. Wallet still reports my phone as unsafe.
 

V0latyle

Forum Moderator
Staff member
If it still says it doesn't meet the requirements then it just won't work. checking YASNAC on my phone and it still fails CTS. Wallet still reports my phone as unsafe.
What have you tried thus far? Are you using the Magisk module and the DenyList settings described above? Did you clear data for Wallet after doing this? And why are you still using YASNAC when you should be using Play Integrity API Checker?
 
  • Like
Reactions: YLNdroid

Top Liked Posts

  • There are no posts matching your filters.
  • 9
    New huge update for the Xposed module, also now the repo it's in LSPosed repo so it will appear in LSPosed app. You will want to install it :D

    Screenshot_2023-05-11-16-51-55-199_io.github.vvb2060.keyattestation.jpgScreenshot_2023-05-11-16-51-59-407_io.github.vvb2060.keyattestation.jpg

    As you can see, now the module will spoof a locked bootloader with a verified boot state in RootOfTrust. This should work in all devices that have a TEE or StrongBox. If someone crash tag me and I will try to fix it.

    Also I'm working in Magisk module (Zygisk), but it's difficult XD.
    5
    Screenshot_2023-05-11-18-19-07-241_com.CIB.Digital.MB.jpg

    With this module you can start the CIB Egypt Mobile Banking which is the only app I know they check if you have an unlocked bootloader. Enjoy 😎😎😎
    5
    That's why I hate Lineage, I don't understand that "rules"...
    'Hate' is a strong word!...

    Anyway, when the original CyanogenMod bundled all proprietary GApps for one thing, Google issued their infamous "Cease And Desist" order and Steve Kondik thought his baby was dead!...

    However Google were quick to clarify that although custom OS's could not legitimately bundle GApps (Nb. other ROMs still do), users are welcome to 'sideload' the same (as devices themselves are generally certified through CTS while custom ROMs are not)...

    So OpenGapps was formed to offer legitimised seperate packages, Steve continued with CM project, users continued to use vanilla CM (and later LOS) with proprietary Google Apps, and all in the custom mod world was sweet again...

    Of course Google must have realised they nearly shot themselves in the foot with that action, but they scrambled to offer a solution / compromise that wouldn't result in the death of CM or custom ROMs as we know them...

    I think the Lineage team simply see that Google is actually the custom modders benefactor and is (in reality) supportive of them and custom mods/ROMs in general if Devs play by the rules, and LOS is simply willing to do so...

    Also, they are in the best position to get their custom ROM approved/certified in future (see my post above) by being careful 'not to subvert Google's security model' by tampering expected signals... Note that Magisk now follows this same policy, and I think that's not just because John is a Googler now; it's also a sign of his maturity as a responsible dev...

    And ensuring that the main custom mods (ROM, root/overlay framework) comply in no way prevents "those passionate about hiding" from "doing their job"!... Both history and you are proving that.

    Personally I think LOS is great and follows a great tradition! 🙃 PW
    4
    Screenshot_2023-05-06-13-05-02-825_io.github.vvb2060.magisk.jpg

    I found the way to move a file into process data dir so now I will inject an apk file with Pine and see if I can hook that Java methods.

    Safetynet-fix copy a classes.dex as byte array and send it through Zygisk socket to GMS process, I can't do that because DexClassLoader require a path to the file, so I need the apk is in target directory. After all operations the module will be detached from process (dlclose) and the apk should do the work.
    4
    Edit: I'll be man enough to apologise if @swer45 says he never made such an app available here in the first place. I will also ask the mods to remove my posts (if they don't do that themselves).
    The application I made before called "TEE Fvcker" was something quick for the user who asked me to try it. I do not recommend using it because the hook I used is quite insecure and can break the functionality of other applications. Besides the name is censored by the forum.
  • 324
    Universal SafetyNet Fix
    Magisk module​

    Magisk module to work around Google's SafetyNet attestation.

    This module works around hardware attestation and recent updates to SafetyNet CTS profile checks. You must already be able to pass basic CTS profile attestation, which requires a valid combination of device and model names, build fingerprints, and security patch levels.

    If you still have trouble passing SafetyNet with this module, use MagiskHide Props Config to spoof a certified device profile. This is a common issue on old devices, custom ROMs, and stock ROMs without GMS certification (e.g. Chinese ROMs).

    Android versions up to 13 Beta 3 are supported, including OEM skins such as Samsung One UI and MIUI.

    How does it work?
    The way this workaround works is relatively low-level. An in-depth explanation, as well as source code and ROM changes, can be found on GitHub.

    Ideally, this workaround should be incorporated in custom ROMs instead of injecting code with a Magisk module. See the ProtonAOSP website for more information.

    Downloads
    Downloads and changelogs can be found on GitHub. The topmost release is the latest.

    Latest release
    v2.4.0

    Highlights
    • Play Integrity bypass without breaking device checks or causing other issues
    • Disabled use of hardware attestation on Pixel 7 and newer (@anirudhgupta109)
    Other changes
    • Updated instructions for newer Android and Magisk versions
    • Better debugging for future development
    This version only supports Zygisk (Magisk 24 and newer).

    It's taken a while to find a way to bypass Play Integrity that doesn't require spoofing the build fingerprint permanently, but I wanted to make sure this module doesn't cause any unnecessary breakage. Just like the original goal of Universal SafetyNet Fix, this minimizes adverse effects by spoofing dynamically at runtime only when necessary. Enjoy!

    If you found this helpful, please consider supporting development with a recurring donation for rewards such as early access to updates, exclusive behind-the-scenes development news, and priority support.
    Alternatively, you can also buy me a coffee. All support is appreciated ❤️

    Source code
    222
    So, here is my modification of USNF with Play Integrity API bypass.

    It changes fingerprint to old 7.1.2 6.0 (LOL) and apply it only for GMS SafetyNet process (by Zygisk injection), so your original prints/security path level does not change. This avoids many side effects/problems with global props changing.

    Updated 3.0:
    No words needed, you understand everything yourself 😜

    Updated 2.1:
    Hide "Enable OEM Unlock" setting

    Updated 2.0:
    Bypassing DEVICE_INTEGRITY for devices that shipped with Android 13+ (Pixel`s 7 )

    Updated:
    Drop fingerprint to lowest possible (6.0) to ensure that no one use same Android version

    Usage:
    1. Delete/disable/reset MagiskHidePropsConfig (if installed).
    2. Just install it over old Universal SafetyNet Fix and reboot device.
    3. You may be needed to wipe GMS data (not cache) if there is no result immediately.

    Many thanks to @1nikolas for integrity checker.

    Source code: https://github.com/Displax/safetynet-fix/tree/integrity
    58
    So, here is my new modification of USNF with Play Integrity API bypass.

    It is now based on top of original v2.4.0 codebase instead of v2.3.1, with adding new hiding algorithm for current realities and some code refreshing.

    Changelog:

    Version 1.2
    * Fix crash and endless tests loop/failing on Android < 9.0 (bug from original version 2.4.0).
    * Do not unpatch (revert) changes. To prevent possible tests failing after a while on some ROMs (cross conflicts).

    Version 1.1
    * Fix KeyStore hook desynchronization (tests randomly failing problem).


    Usage:
    1. Delete/disable/reset MagiskHidePropsConfig (if installed).
    2. Just install it over old Universal SafetyNet Fix and reboot device.
    3. You may be needed to wipe GMS data (not cache) if there is no result immediately.

    Source code: https://github.com/Displax/safetynet-fix/tree/dev
    33
    So, created separate thread for my mod. Welcome)

    31
    Folks, the SafetyNet API was depreciated last Month with 'full turndown' slated for June 2024 and the introduction of the new Play Integrity API. It has also become clear that Google apps are simply the first to adopt the long foretold Play Integrity API; all responsible banks are bound to follow suit in short order, and at least before the June 2023 migration deadline.

    This means (assuming fully deployed Hardware Key Attestation doesn't come first 😬) that the need for a 'Universal Play Integrity Fix' has become quite urgent.

    We currently have workarounds involving using older fingerprint props by means of MHPC module (similar to fix needed for uncertified ROMs), but success/mileage varies per device and users of regular bank apps / gamers etc on stock devices will all soon be forced to experiment with MHPC prints also... This is hardly ideal.

    So I've made an issue report/request on USNF GitHub as follows. This information may be insightful to users here also...

    Please let me know here if I have missed anything important, or add any technically relevant details there...

    PLEASE DON'T spam that issue with unimportant details or queries... (The previous issue is already burgeoning w/ OT.) That's what this thread is for... 😛 :

    Please make 'Universal Play Integrity Fix' ... #204

    Fixes to expand 'Universal SafetyNet Fix' to become a 'Universal Play Integrity Fix' are needed.

    The SafetyNet Attestation API is deprecated and has been replaced by the Play Integrity API.
    https://developer.android.com/training/safetynet/deprecation-timeline

    New Play Integrity API is rolling out from June 2022, and evidently Google Play Store and Google Pay/Wallet are already using its verdict.

    June 2023 is the Migration Deadline for app developers. This will also allow their older app versions to continue working with SafetyNet API for a limited time.

    June 2024 is the End of life for SafetyNet API; its attestation will no longer work for any app version, and apps will receive an error.

    The new Integrity API has more strict requirements for passing attestation, and this seems to be enforced in Android 11+ particularly.

    Currently (evidently due to this), device security issues are detected by

    1. Google Pay/Wallet, which may state "You can't pay contactless with this device...(Your phone doesn't meet software standards)" on updating or attempting to add a card despite in-app Contactless setup stating "You're ready to pay contactless with your phone (Your phone meets security requirements)", and
    2. Google Play Store, which may no longer show apps like Netflix w/ Android 11+ (developers can 'exclude devices from their app's distribution based on their device integrity . Device exclusion is based on the latest device integrity verdict that the Play Store app receives from the Play Integrity API') despite in-app settings showing Play Protect 'Device is certified' result.
    I'm guessing that the 'passing' messages based on the old SafetyNet API are likely to realigned soon.

    A workaround that evidently allows Play Integrity API attestation to pass (and solve Wallet / Play Store issues also) has been discovered. It involves spoofing an earlier certified ROM, generally by using MagiskHide Props Config module to change fingerprint prop to one for Android 10 or earlier.

    Undoubtedly other apps will begin to detect broken TEE etc / fail as they migrate or begin integrating the Play Integrity API.

    A 'Universal Play Integrity Fix' will evidently require more understanding / research into how the fingerprint prop is used, and possibly other new behaviours.

    Here's hoping... 🙃 PW