MAGISK MODULE ❯ Universal SafetyNet Fix 2.4.0

Search This thread

Essentrix

Senior Member
Apr 4, 2013
914
193
Samsung Galaxy A52 5G
I've seen it. Cause was permissive selinux; we can pass SafetyNet (basicIntegrity and ctsProfileMatch) with that but not PI basicIntegrity... This additional requirement would probably have come to S/N except that it's superseded by PI, so this API got the stricter basicIntegrity requirement...

I don't yet know of other reasons (enhanced requirements) however, but it's likely there are others.

Try this: disable all Magisk modules, reboot, clear Google Play Services data, enable only latest @Displax USNF, reboot and check again...

Also, check selinux (in terminal emulator type getenforce with su) and in Play integrity API Checker click <> at top and screenshot raw JSON response... PW
Thanks for the update. Made some progress...
 

Attachments

  • Screenshot_20230526_195428_Play Integrity API Checker.jpg
    Screenshot_20230526_195428_Play Integrity API Checker.jpg
    145 KB · Views: 99

immortalwon

Senior Member
Mar 11, 2017
256
117
Has anyone figured out how to bypass 8 ball pool & or KFC app usa root detection?



How the device is rooted:

Magisk Alpha 26.101
Shamiko latest --------> GP services, playstore, framework on deny list including KFC & 8 Ball pool.
Hidemyapp list

What could these 2 apps be detecting???
 

missionman

Member
Sep 18, 2012
22
2
Littleton Colorado
I updated module to V2.4.0 but im still getting CTS Profile Match Fail.
Pixel 7 Pro, Android 13. Rooted usinng Magisk 26.1
How do I get CTS Profile Match to pass?
I got a Pass on Device Certification, its just the CTS fail.
It also says HARDWARE_BACKED under Evaluation Type instead of BASIC like it should says if it passes.
 

zgfg

Senior Member
Oct 10, 2016
9,577
7,435
Redmi K20 / Xiaomi Mi 9T
Xiaomi Mi 11
I updated module to V2.4.0 but im still getting CTS Profile Match Fail.
Pixel 7 Pro, Android 13. Rooted usinng Magisk 26.1
How do I get CTS Profile Match to pass?
I got a Pass on Device Certification, its just the CTS fail.
It also says HARDWARE_BACKED under Evaluation Type instead of BASIC like it should says if it passes.
2.4 0 from this thread (wrong) or the proper 2.4.0-mod_1.2 from another thread

If needed, please spend 5 minutes to read last few pages here...
 
I know how difficult nowadays is to pass SafetyNet / Play Integration, but maybe there's still something obvious that I'm missing, so I'm looking for advice.

I pass verification at my OnePlus 7T with LineageOS 20 and below, pretty common as I guess, configuration:
- Magisk 26.1
- hidden Magisk app
- Zygisk enabled (without Enforce DenyList)
- DenyList configured for Google Play Service, Play Store, Applist Detector, TB Checker, YASNAC, hidden magisk app, banking apps etc.
- Shamiko 0.7.2
- Universal SafetyNet Fix 2.4.0
- Zygisk LSPosed 1.8.6
- Hide My Applist configured for the same apps as in Magisk DenyList, to hide LSPosed and all root apps

By passing verification I mean:
- SafetyNet Basic + CTS in YASNAC
- All tests in TB Checker (Play Integrity, Root Check, Xposed Check)
-- without SafetyNet Strong integrity and Virtual integrity
- All tests in Applist Detector

So that's great, right? However, if I left device for some time and re-run YASNAC CTS is failing. But If I'll run TB Checker and run tests there, everything is OK back again. After this even YASNAC once again shows passed CTS profile!

This random losing of CTS (until re-running TB Checker) confirms in daily usage, as some apps like banking one are randomly loosing ability to use fingerprint authentication or contactless payment. After running TB Checker and passing CTS once again I might add these payment features back to normal, so it's more like an annoyance than serious problem.

I've tried to reset Google Store/Services/Wallet data and adding some additional Magiks modules related to hidding props but this didn't change a thing, CTS is still failing from time to time, at random moments.

Do you have similar problems? Is there anything I might try to do, or maybe there're some ways to detect which activity at my phone is actually making CTS failing?

Edit: That might be useless post, I just discovered USNF v2.4.0-MOD_1.2... trying it out now.

Edit 2: Works perfectly lol :D
 
Last edited:
  • Haha
Reactions: pndwal

sakun-ice

Senior Member
Nov 10, 2012
323
59
Can somebody help me? I can't get past safety net. I have installed the xiaomi.eu rom on my xiaomi 13. I have Magisk 26.1 with Zygisk. I have installed the modules universal safetynet fix 2.4 mod 1.2 and lsposed. I have added to the deny list: google play services, google play and google play framework. I have deleted the data from those apps and from the bank apps. I have also tried to install the Alpha app instead of Magisk and to hide the magisk app from the settings. But nothing works.

The strange thing is that before installing the xiaomi.eu rom it worked.
 

zgfg

Senior Member
Oct 10, 2016
9,577
7,435
Redmi K20 / Xiaomi Mi 9T
Xiaomi Mi 11
Can somebody help me? I can't get past safety net. I have installed the xiaomi.eu rom on my xiaomi 13. I have Magisk 26.1 with Zygisk. I have installed the modules universal safetynet fix 2.4 mod 1.2 and lsposed. I have added to the deny list: google play services, google play and google play framework. I have deleted the data from those apps and from the bank apps. I have also tried to install the Alpha app instead of Magisk and to hide the magisk app from the settings. But nothing works.

The strange thing is that before installing the xiaomi.eu rom it worked.
Xiaomi.eu ROMs can pass Play Integrity (once again, PI is now of interest, SN is deprecated, and if you pass PI you will also pass SN) since they have the spoof built-in

Cannot guarantee for all Xiaomi.eunROMs

Hence, have you tried Play Integrity checker prior than you installed Magisk?

For PI, you should pass Basic and Device Integrity but you cannot pass Strong Integrity (with the unlocked Bootloader)

---

If you switch from Magisk official to Magisk Alpha or Delta, it is not enough (actually, it's then almost as if you did not switch) to install Alpha or Delta app, but after that you also have to install Magisk Alpha or Delta (like through the app, Install, patch and flash the boot img or Direct Install but after reboot you then also have to configure your Magisk Alpha or Delta)
 
  • Like
Reactions: ipdev and rodken

immortalwon

Senior Member
Mar 11, 2017
256
117
OOS 13.1 on Oneplus 9 fail every safetynet with USNF 2.4.0 mod 1_2. Tried denylist, zygisk and all I used before and worked now don't. Please help and suggest solutions.
Install latest shamiko module. Add google play store, google play services, google services framework to deny list. Clear all app data of above mentioned services and reboot and check again.
 
  • Wow
Reactions: pndwal

pndwal

Senior Member
OOS 13.1 on Oneplus 9 fail every safetynet with USNF 2.4.0 mod 1_2. Tried denylist, zygisk and all I used before and worked now don't. Please help and suggest solutions.
Disable all modules except USNF and try... Clear Google Play Services data too... If no dice, try older @Displax v2.3.1-MOD_3.0... 2.4.0 changes (part time spoofing etc) still cause issues on some devices and modded 2.3.1 works better for many... 👀 PW
 

immortalwon

Senior Member
Mar 11, 2017
256
117
View attachment 5925703
I notice that google framework auto uncheck everytime I open Magisk. Plus Google Play crashed when I clear data of G.Framework, so I restored it from my backup.
You have to restart after clearing the data (not cache, all data) of G.play services, g play services framework, and g play store. Make sure "enforce deny list" is not enabled. It should work and it's also normal for the framework to disable itself, I just do it for good measure. Try again and report results. Don't worry about the crashes, it should be normal after a reboot. Make sure not to accidently uninstall any app updates as that will break the device sometimes.
 

Nhatlienhoan

Senior Member
Jun 17, 2020
71
11
OnePlus 5T
OnePlus 9
You have to restart after clearing the data (not cache, all data) of G.play services, g play services framework, and g play store. Make sure "enforce deny list" is not enabled. It should work and it's also normal for the framework to disable itself, I just do it for good measure. Try again and report results. Don't worry about the crashes, it should be normal after a reboot. Make sure not to accidently uninstall any app updates as that will break the device sometimes.
I got "Error retrieving information from server. DF-DFERH-01" message in Play store after restart.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 3
    I have two devices, Pixel 7 Pro and Pixel tablet. Both are running stock A13 with root, USFN_1.3, Zygisk and Shamiko. Both devices pass Safetynet. Starting today, my corporate Outlook (and Slack, Onedrive, Teams) are detecting ROOT. I tried clearing cache and memory, but that didnt help. My P7P still lets me run corporate Outlook.

    I plan to do a full wipe next week with the next Android drop. In the meantime, are there any suggestions?
    EDIT: Rolling back Intune Company portal to 5.0.5926 allows me to prevent corporate apps from detecting ROOT.
    2
    Is there currently any way to fix TEE Broken? Device Xiaomi Mi A3
    No... Unless Momo is giving false positive, really TEE is not broken anyway... I mentioned to you:
    'Broken Tee' (actually it won't be; Tee OS for decoding DRM, fingerprint scanner etc is probably fine... Really just OEM keymaster implementation for AVB signals as used by droidguard etc is broken) on A3 is interesting too...

    So OEM's messed up and AVB chain of trust fixes generally don't even come with OEM updates...

    In such cases broken keystore etc will hopefully cause an exception that triggers on-device fallback to basic-only attestation and Google allows this verdict by not enforcing hardware backed evaluationType verdicts at server end, but generally devices affected will never pass strongIntegrity (unless a retrofit fix is applied by OEM.

    In other cases, like Asus ROG Phone 3 that used to pass strongIntegrity erroneously with bootloader unlocked, Google simply revokes keys for strongIntegrity verdict (blacklists device) as soon as the flawed OEM implementations are discovered.. 😕

    👀 PW
    3
    I'm using USNF mod 2.4.0 1.3
    moto edge (2020) all seems ok yet Androidacy shows update though Magisk does not. All seems to still be working well on Android 11. Should I still update?
    For you either @Displax Mod 1.3 or latest 2.0 should be fine, but 2.0 was experimental, does use a different (Pixel 2) fingerprint prop and it's Shipping level prop setting breaks the fix for devices launched with A13 like Pixel 7... The props set by either of these affecting your device are set to target GMS properly however...

    @chiteroman's newer PIF module (based on USNF but renamed) presumably sets shipping level for LV A13 devices to target GMS so should be better for Pixel 7 and other A13 launch version devices... @Displax Mod 1.3 sets it correctly to 32 but globally which breaks WiFi calling and possibly other features...

    Others reading this; Note that the official module (this thread) has been largely broken for some time...

    👀 PW
    1
    - Remove all data from GSF and GMS.
    - Completly uninstall Magisk and flash original boot.img (or init_boot.img) from bootloader.
    - Remove dalvik cache and caches.
    - "rm -rf *" in /data/adb directory (DON'T remove the directory)
    - Try to remove any custom *.rc file.
    - Check Play Integrity API, you should pass BASIC integrity.
    - Patch original boot.img (or init_boot.img) in Magisk app and flash it in bootloader.
    - Install PlayIntegrityFix or Displax safetynet-fix module.
    - Should pass BASIC & DEVICE.
    Very weird, but this happened:

    I restarted my phone and it went into bootloop but was saved by Magisk bootloop protector. Checked YASNAC and both passed... wtf. Google Wallet detects root so I'll need to still fix that but what the f is happening...
    2
    I don't pass the CTS profile match test. How can I fix?
    Motorola edge 30 fusion with Android 13
    First of all, if you are still on the old KDragon's USNF module - better please read just like two or three last pages and you will see that you had to move to the USNF fork from Displax or Play Integrity midule - they have their own threads with downloads

    If it won't help, then which Magisk version you have, which modules, and if you have LSPosed, which LSPosed modules you have installed- some modules may collide (like MHCP, XPrivacyLua, Lucky patcher and so)

    If you have custom ROM and if that ROM runs SELinux in Permissive mode - you're in troubles again

    Etc - just the question "not passing CTS" cannot be decisively answered

    Btw, SafetyNet is deprecated and you should download from Playstore and test Play Integrity API (Checker).
    There, you need to pass Device and Basic Integrity - don't ask or expect to pass Strong Integrity (for that, phone must run stock/official firmware with the locked Bootloader)
  • 333
    Universal SafetyNet Fix
    Magisk module​

    Magisk module to work around Google's SafetyNet attestation.

    This module works around hardware attestation and recent updates to SafetyNet CTS profile checks. You must already be able to pass basic CTS profile attestation, which requires a valid combination of device and model names, build fingerprints, and security patch levels.

    If you still have trouble passing SafetyNet with this module, use MagiskHide Props Config to spoof a certified device profile. This is a common issue on old devices, custom ROMs, and stock ROMs without GMS certification (e.g. Chinese ROMs).

    Android versions up to 13 Beta 3 are supported, including OEM skins such as Samsung One UI and MIUI.

    How does it work?
    The way this workaround works is relatively low-level. An in-depth explanation, as well as source code and ROM changes, can be found on GitHub.

    Ideally, this workaround should be incorporated in custom ROMs instead of injecting code with a Magisk module. See the ProtonAOSP website for more information.

    Downloads
    Downloads and changelogs can be found on GitHub. The topmost release is the latest.

    Latest release
    v2.4.0

    Highlights
    • Play Integrity bypass without breaking device checks or causing other issues
    • Disabled use of hardware attestation on Pixel 7 and newer (@anirudhgupta109)
    Other changes
    • Updated instructions for newer Android and Magisk versions
    • Better debugging for future development
    This version only supports Zygisk (Magisk 24 and newer).

    It's taken a while to find a way to bypass Play Integrity that doesn't require spoofing the build fingerprint permanently, but I wanted to make sure this module doesn't cause any unnecessary breakage. Just like the original goal of Universal SafetyNet Fix, this minimizes adverse effects by spoofing dynamically at runtime only when necessary. Enjoy!

    If you found this helpful, please consider supporting development with a recurring donation for rewards such as early access to updates, exclusive behind-the-scenes development news, and priority support.
    Alternatively, you can also buy me a coffee. All support is appreciated ❤️

    Source code
    223
    So, here is my modification of USNF with Play Integrity API bypass.

    It changes fingerprint to old 7.1.2 6.0 (LOL) and apply it only for GMS SafetyNet process (by Zygisk injection), so your original prints/security path level does not change. This avoids many side effects/problems with global props changing.

    Updated 3.0:
    No words needed, you understand everything yourself 😜

    Updated 2.1:
    Hide "Enable OEM Unlock" setting

    Updated 2.0:
    Bypassing DEVICE_INTEGRITY for devices that shipped with Android 13+ (Pixel`s 7 )

    Updated:
    Drop fingerprint to lowest possible (6.0) to ensure that no one use same Android version

    Usage:
    1. Delete/disable/reset MagiskHidePropsConfig (if installed).
    2. Just install it over old Universal SafetyNet Fix and reboot device.
    3. You may be needed to wipe GMS data (not cache) if there is no result immediately.

    Many thanks to @1nikolas for integrity checker.

    Source code: https://github.com/Displax/safetynet-fix/tree/integrity
    58
    So, here is my new modification of USNF with Play Integrity API bypass.

    It is now based on top of original v2.4.0 codebase instead of v2.3.1, with adding new hiding algorithm for current realities and some code refreshing.

    Changelog:

    Version 1.2
    * Fix crash and endless tests loop/failing on Android < 9.0 (bug from original version 2.4.0).
    * Do not unpatch (revert) changes. To prevent possible tests failing after a while on some ROMs (cross conflicts).

    Version 1.1
    * Fix KeyStore hook desynchronization (tests randomly failing problem).


    Usage:
    1. Delete/disable/reset MagiskHidePropsConfig (if installed).
    2. Just install it over old Universal SafetyNet Fix and reboot device.
    3. You may be needed to wipe GMS data (not cache) if there is no result immediately.

    Source code: https://github.com/Displax/safetynet-fix/tree/dev
    33
    So, created separate thread for my mod. Welcome)

    31
    Folks, the SafetyNet API was depreciated last Month with 'full turndown' slated for June 2024 and the introduction of the new Play Integrity API. It has also become clear that Google apps are simply the first to adopt the long foretold Play Integrity API; all responsible banks are bound to follow suit in short order, and at least before the June 2023 migration deadline.

    This means (assuming fully deployed Hardware Key Attestation doesn't come first 😬) that the need for a 'Universal Play Integrity Fix' has become quite urgent.

    We currently have workarounds involving using older fingerprint props by means of MHPC module (similar to fix needed for uncertified ROMs), but success/mileage varies per device and users of regular bank apps / gamers etc on stock devices will all soon be forced to experiment with MHPC prints also... This is hardly ideal.

    So I've made an issue report/request on USNF GitHub as follows. This information may be insightful to users here also...

    Please let me know here if I have missed anything important, or add any technically relevant details there...

    PLEASE DON'T spam that issue with unimportant details or queries... (The previous issue is already burgeoning w/ OT.) That's what this thread is for... 😛 :

    Please make 'Universal Play Integrity Fix' ... #204

    Fixes to expand 'Universal SafetyNet Fix' to become a 'Universal Play Integrity Fix' are needed.

    The SafetyNet Attestation API is deprecated and has been replaced by the Play Integrity API.
    https://developer.android.com/training/safetynet/deprecation-timeline

    New Play Integrity API is rolling out from June 2022, and evidently Google Play Store and Google Pay/Wallet are already using its verdict.

    June 2023 is the Migration Deadline for app developers. This will also allow their older app versions to continue working with SafetyNet API for a limited time.

    June 2024 is the End of life for SafetyNet API; its attestation will no longer work for any app version, and apps will receive an error.

    The new Integrity API has more strict requirements for passing attestation, and this seems to be enforced in Android 11+ particularly.

    Currently (evidently due to this), device security issues are detected by

    1. Google Pay/Wallet, which may state "You can't pay contactless with this device...(Your phone doesn't meet software standards)" on updating or attempting to add a card despite in-app Contactless setup stating "You're ready to pay contactless with your phone (Your phone meets security requirements)", and
    2. Google Play Store, which may no longer show apps like Netflix w/ Android 11+ (developers can 'exclude devices from their app's distribution based on their device integrity . Device exclusion is based on the latest device integrity verdict that the Play Store app receives from the Play Integrity API') despite in-app settings showing Play Protect 'Device is certified' result.
    I'm guessing that the 'passing' messages based on the old SafetyNet API are likely to realigned soon.

    A workaround that evidently allows Play Integrity API attestation to pass (and solve Wallet / Play Store issues also) has been discovered. It involves spoofing an earlier certified ROM, generally by using MagiskHide Props Config module to change fingerprint prop to one for Android 10 or earlier.

    Undoubtedly other apps will begin to detect broken TEE etc / fail as they migrate or begin integrating the Play Integrity API.

    A 'Universal Play Integrity Fix' will evidently require more understanding / research into how the fingerprint prop is used, and possibly other new behaviours.

    Here's hoping... 🙃 PW