[MODULE] [MOD] Universal SafetyNet Fix
- Thread starter Displax
- Start date
FYI, the most likely culprit is LP, and the modded play store. Once I ditched those, I was able to pass the first two integrity checks. To be fair, I haven't tried reinstalling LP now that I'm passing, so you could still give that a go.
Is working on all aosp roms based after flash this, but not when use original module, but miui doesn't have this problem (not miui: mean safety check fails 1 of 2)
Idk why the original module safety check fails in all aosp roms (even with safety passed out of the box) but not in miui, but before that, i doesn't have any problem with original module, maybe its Google?
Idk why the original module safety check fails in all aosp roms (even with safety passed out of the box) but not in miui, but before that, i doesn't have any problem with original module, maybe its Google?
, working even on miui (doesn't have any problem)For what it's worth, I've tried several times, but I'm unable to get it to work successfully with xiaomi.eu 14.0.1.0, installing magisk 25.2 and safetynetfix 2.4.0 mod 1.2. With Zygisk enabled, with or without enforcing.
YASNAC fails basic integrity and CTS profile match, and Integrity Checker fails device_integrity and basic_integrity.
YASNAC fails basic integrity and CTS profile match, and Integrity Checker fails device_integrity and basic_integrity.
david003
If you did all ok, lets go back to magisk and check app list in it. It is possible the google play services is not checked. If you do it , and restart phone, or only start magisk again, it can be unchecked again (and CTS will fail as result). It is not fixable.I replaced magisk to delta version and use SuList instead .
For me, safetynetfix is not enough, I have to use hideprops also and select a new fingerprint (that match the current Android version) to pass CTS profile.
Later USNF builds fro @Displax actually play better with custom ROMs that already integrate SNF (from @kdrag0n Proton project) or fixes from @Displax, but there can still be conflicts with custom ROMs that do this (eg XiaomiEU) and may also spoof additional prop values etc...
If the ROM's embedded SNF/spoofing is up to date and capable of passing PI deviceIntegrity w/o Magisk, when you install Magisk you should NOT install any USNF module... You only need to hide root from droidguard/attestation (com.google.android.gms.unstable) gms (Play Services) process by adding this in denylist (and main com.google.android.gms process for most A11+ devices)...
Otherwise you may need to upgrade ROM or wait for maintainer to update the integrated attestation... PW
USNF hides attestation/droidguard (com.google.android.gms.unstable) gms (Play Services) process itself since Denylist breaks USNF's key functions, especially the injection of code in gms to register a fake keystore and cause the fallback to basic attestation... That's why if you add this to denylist it will kill USNF (deviceIntegrity will be failing) if Denylist is enforced until next boot when USNF will actually remove it from denylist for you!...
With Zygisk based USNF, simply don't add any gms (Google Play Services) processes to Denylist... PW
Thanks. I tried this, reinstalling magisk without the USNF module and adding com.google.android.gms to the DenyList. It still failed, though. Hopefully things will get sorted out eventually. Until then I've been temporarily installing magisk to run backups and then uninstalling it.
Did you mean just com.google.android.gms process? Should be that + com.google.android.gms.unstable for most A11+ installations...And did you check S/N and PI results without Magisk?; That would indicate if inbuilt fixes are working... PW
I had added all of Google Play Services to the denylist, that includes com.google.android.gms and com.google.android.gms.unstable, and a lot of others. I tried again, and added just those 2 to the deny list, and it appears to have worked.
The integrity checks pass, both with unrooted xiaomi.eu, and with magisk with those 2 added to the deny list, without the USNF module.
My banking app still fails, though (it works with unrooted xiaomi.eu). But that's another issue. I suspect it's trying to check something else I haven't figured out, yet.
Thank you!
Attachments
You shouldn't deny most Google stuff... You may have unexpected issues... Only we only need those two gms services added... If you hide Chrome components for example, you may break webview for other apps depending on Android version...
Good to know XiaomiEU has current SNF...Certainly is... An no surprise...
Can you say app?
Welcome...
PWThe banking app is BDO.You shouldn't deny most Google stuff... You may have unexpected issues... Only we only need those two gms services added... If you hide Chrome components for example, you may break webview for other apps depending on Android version...
Certainly is... An no surprise...
Can you say app?
Welcome...
Attachments
Easy one:
My device:
Xiaomi RN8T stock A11 MIUI,
Magisk Canary 25209,
Magisk App hidden in stub,
Latest Shamiko public release (for proper root hiding),
LSPosed Hide My AppList module configured to hide all apps associated with root,*
OEM unlocking disabled,*
USB debugging disabled,*
Developer options disabled.*
* = confirmed not needed for your app.
I suspect just using proper root hiding (Shamiko or other) should get you going... And maybe you haven't taken Hide the Magisk app option in Magisk app?...
PW
Last edited:
Thank you for trying all that. I'm still not able to get it to work. Magisk was hidden already. I added Shamiko, but it still failed. I also added LSPosed and Hide My AppList, but it still failed even with those.Easy one:
View attachment 5874301
My device:
Xiaomi RN8T stock A11 MIUI,
Magisk Canary 25209,
Magisk App hidden in stub,
Latest Shamiko public release (for proper root hiding),
LSPosed Hide My AppList module configured to hide all apps associated with root,*
OEM unlocking disabled,*
USB debugging disabled,*
Developer options disabled.*
* = confirmed not needed for your app.
I suspect just using proper root hiding (Shamiko or other) should get you going... And maybe you haven't taken Hide the Magisk app option in Magisk app?...
Just checked and this app works for me w/o Shamiko hiding (ie with Denylist enforced)...
Please give device details; ROM, any custom recovery, any unusual mods...
Try with all modules other than USNF disabled (reboot and check still have PI deviceIntegrity)... And are you clearing app data before each test? App in denylist of course(?)...
Please show Momo and Ruru detector results... PW
You can disable this in LineageOS... I think you can in most ROMs, but apparently it doesn't show in some...
Wasn't needed for the app mentioned anyway... You can leave as is if it's not detected... PW
Similar threads
- Sticky
Top Liked Posts
-
There are no posts matching your filters.
-
8
The secret lies in the setup. Don't intend to sound like an expert, but this has been my due diligence since day 0 with Pixel 6 pro and now with Pixel 7 pro. Please do not forget to thank the kind people like @roirraW "edor" ehT @Homeboy76 @V0latyle whose posts I have been following for a couple of years now. Let's assume your use case and walk backwards before we move forward.
1. Disable and Remove all modules from magisk including USNF and Shamiko ( in case you already have and it's not working). Yes its a pain but I assure you its a one time thing. Disable Zygisk too. Reboot phone. So now essentially you have a rooted phone with stock/third party kernel and Zygisk No and No modules (your modules page would be blank). Follow this with uninstalling all the apps that you want to include in the Deny list and have them already installed (yes its a pain too). Please uninstall them correctly, Delete data, cache, force close and uninstall. Follow this with deleting data and cache from playstore and gms. Once all done, reboot your phone again. This will bring your phone to a state where you will get three red crosses in Play Integrity API checker app - Ground 0 state. This state is also similar to when you have made a clean flash to stock and just rooted your phone (in case you intended to do that, start from here). Now just install Wallet and Company Portal (for example). Do not install your other apps that you had uninstalled (banking etc) yet.
2. Now flash the latest Displax USNF and Shamiko one after another in Magisk, dont reboot phone.
3. If you have not hidden magisk yet, hide it from Magisk settings section..
4. Enable Zygisk - dont reboot phone even if you get prompted.
5. Do not check Enforce Deny List. Now enter Deny list and just check Wallet. Ensure that all subcomponents of wallet are also checked (its finicky, so manually do it if needed)
6. Now put your phone in Airplane Mode.
7. Delete data and cache for Wallet, Play Store and Play Service (GMS) from Apps. Once done immediately restart the phone. Disable Airplane Mode. Check Play Integrity API checker app and Wallet and the Devices tab in Google Security Section - All will be working as intended.
8. Now for the other applications, install in groups of 3, same, add them to deny list after installing, put the phone in airplane mode, delete data, cache and force close app and immediately reboot phone and disable airplane mode. Why 3, for some odd reason, while deleting data and cache for some for example 12 apps, one or two fall through the crack, dont ask me why, just saying. No interaction with playstore of gms is needed while doing this.
If you are an experienced user which you clearly are from your post count, you would probably be laughing your guts off reading my childish instructions. Good luck!
In the future if lets, say your Citi bank app gets updated and shows root, and when you go to deny list you see an additional subcomponent added to the Citi app, exit Magisk, delete cache, data, force close and uninstall app, "reboot phone", install citi app, add it to deny list (make sure all subcomponents are selected now), put the phone in airplane mode, delete cache data force close citi app, reboot phone, disable air plane phone and you are good to go.6Moving this here as info may benefit others.
Some disambiguation regarding hardware -backed verdict enforcement, fallback to basic attestation and other USNF workings.
No, if server resolves gms data as ctsProfileMatch=true then that's what's sent back with the original nonce and the same is true of basicIntegrity.
The SafetyNet Attestation API provides a cryptographically-signed attestation, assessing the device's integrity. In order to create the attestation, the API examines the device's software and hardware environment, looking for integrity issues, and comparing it with the reference data for approved Android devices. The generated attestation is bound to the nonce that the caller app provides.
https://developer.android.com/training/safetynet/attestation
This mechanism is much the same in new Play Integrity API also, except that there are additional criteria for passing verdicts... Eg basicIntegrity in S/N will pass with permissive selinux without changing signals for that, but PI API basicIntegrity will fail at the same time... We can pass that too with additional prop changes however.
Because without it keymaster 3+ (Android 8+) compliant devices are using hardware-backed security features including Key attestation for some of the measurements and reference data sent...Either way, and regardless of system configuration, I always get "Evaluation type" reported as "BASIC" when I run the SN test. Yet for whatever reason I still need Zygisk and USNF to get SafetyNet to pass properly. This confuses me as if the evaluation type is "BASIC" without USNF, why do I need USNF
?
Many are still confused about BASIC (only) evaluationType... This does NOT mean that device is not supplying such hardware -backed measurements/data, and the API will default to this data to compute response fields when it's available, so verdicts will be failing.
What evaluationType=BASIC DOES mean is that Google server-end hardware-backed verdict enforcement (prop based) has not been activated for your device or has been bypassed. If evaluationType=HARDWARE_BACKED, BASIC, hardware-backed measurements/data will be required where expected for keymaster 3+ devices so BASIC-only evaluations will necessarily fail.
Further, evaluationType may be 'BASIC' for S/N (and this can be easily seen) but 'HARDWARE_BACKED, BASIC' for PI purposes... See note on altered props used to bypass hardware-backed verdict enforcement for S/N and PI below*
So to get passing verdicts, keymaster 3+ compliant devices need USNF or similar solution to
1) produce the fallback to supply BASIC-only measurements/data. This is USNF's key function and is achieved simply by injecting code (using Zygisk) into gms to register a fake keystore, and in turn this produces an exception (error) that results in the fallback to BASIC-only measurements/data.
This works at device level and always required. And to
2) bypass hardware-backed verdict enforcement. This secondary function is achieved by ensuring that the props used to identify devices Google has flagged for enforcement of hardware-backed measurements/data never match expected valued. Ie, this bypass is purely based on simple prop mismatches. This works at server (backend) level since the data/measurements are processed by Google to generated attestations.
This is not always required; some or all props USNF handles may need altering per device.
* So far Devs have discovered that Google polls the following props for hardware-backed verdict enforcement, so USNF causes mismatches by using targeted spoofing (in gms only unlike MagiskHide Props Config module's global changes) to adjust their values:
- ro.product.model for both S/N and PI (not all devices require this at least for S/N but USNF always appends a space character to model value).
- ro.build.fingerprint for PI (mostly A11+ devices initially required this but USNF always uses passing (CTS certified) old Nexus 6P (angler) fingerprint prop.
- first_api_level for PI (A13 launch version devices require this, and shipping API level is set to 32 only for devices >=33)
Proton is the model for any wanting to integrate @kdrag0ns SNF approach in a ROM.
Since a Dev builds a ROM there isn't the obstacle of read only /system partition, and code can be baked in rather than overlaid.
It seems API hooking is used to target gms with prop changes as well as altered keystore data... I'm hazy on hooking usage and native code injection, so I may not be strictly correct about this...
The methods, including fake keystore registration are otherwise very similar and he has provided more details for Devs:
https://github.com/kdrag0n/safetynet-fix#rom-integration
The Proton info. discusses additional SNF functions like setting 'sensitive' props early. It also links a commit with this (old) info on bypassing opportunistic hardware-backed attestation:
Well again I'm hazy on this, but it seems source code isn't modified; calls for the attestation certificate chain from KeyStore are apparently just intercepted and fake data returned while prop values are also spoofed for gms at runtime, but yes, gms is targeted to fix both S/N and Play Integrity verdicts.
Specifically hardware key based attestation is effectively broken in the Droidguard/Attestation servicecom.google.android.gms.unstablein order to cause the fallback to basic attestation.
Nb This is what was formerly referred to as the 'SafetyNet' service, but I'm now properly calling it the Droidguard/Attestation service since S/N is depreciated and this process actually connects gms to the Droidguard VM engine that collects device integrity measurements securely.
Yes, it's easy to alter props globally like MHPC module does, but for the props dealt with for attestation purposes this can break stuff, eg device/OEM specific functions and apps like Galaxy store, backup utilities, proprietary camera features etc etc
Riru/Zygisk solutions mean that targeted spoofing (ie. only in gms) can be used so other processes see expected values...
Well while the method has changed from setting available flags for basic attestation to registering a fake keystore, evidently source code for gms is unchanged as mentioned.
Seems we need Zygisk (or Riru) hooking for targeted prop changes as well as to hook attestation calls and fake lack of hardware key attestation support.
PW5
safetynet-fix-v2.4.0-MOD_1.2.zip
It took it exactly 12 hours to fix itself. Enforce Deny List is off (must be)3
I use the latest module released by displax with shamiko and have only wallet in the deny list along with other banking and office applications like company Portal. Adding playstore and gsm and other google services always proved counterproductive to me as doing so made my pixel 7 pro show up as a pixel xl under devices in google - security tab.
You however have to delete data from gsm and playstore with airplane mode on and reboot, there are multiple posts to guide you through the procedure.3
USNF now does targeted (to gms processes only) fingerprint prop spoofing, so there's no point using (the more invasive and problematic) MHPC global fingerprint spoofing...
USNF also sets other props needed to bypass hardware-backed verdict enforcement by Google (server end) for some devices, so for practically all devices prop changes needed for passing Play Integrity deviceIntegrity verdict are handled properly by USNF, and this mod fork addresses several other issues with the new part-time hiding mechanism, timing etc...
You may want to use MHPC prop spoofing for other purposes, but disable any S/N or PI related prop changes unless USNF is simply not working...
PW -
118Universal SafetyNet Fix [MOD]Hello. This is my modification [FORK] of the original Universal SafetyNet Fix module from @kdrag0n.
Magisk module
Created for the (temporary?) restoration of working capacity in the conditions of constant change of verification algorithms from Google.
If you can`t wait for update original kdrag0n`s project - feel free to use my little "experimental sandbox"
Usage:
1. Delete/disable/reset MagiskHidePropsConfig (if installed).
2. Just install it over old Universal SafetyNet Fix (if present) and reboot device.
3. You may be needed to wipe GMS data (not cache) if there is no result immediately.
Changelog:
v2.4.0-MOD_1.2
* Fix crash and endless tests loop/failing on Android < 9.0 (bug from original version 2.4.0).
* Do not unpatch (revert) changes. To prevent possible tests failing after a while on some ROMs (cross conflicts).
v2.4.0-MOD_1.1
* Fix KeyStore hook desynchronization (tests randomly failing problem).
v2.4.0-MOD_1.0
* It is now based on top of original v2.4.0 codebase instead of v2.3.1, with adding new hiding algorithm for current realities and some code refreshing.
Downloads: at the bottom of this post or GitHub Releases
Source code: GitHub10
The original USNF (2.3.1) did not incorporate any fixes for Play Integrity, so @Displax forked it into this branch because he's had the time and energy to keep up with the changes to PI. @kdrag0n has been focused on other projects so while he eventually committed many of Displax's changes into 2.4.0, there have been several changes to PI since then.
So, for now, this fork is the most "up to date" regarding Play Integrity fixes, while Google continues to fiddle with things. Should there come a point when they finally stop messing with stuff we will probably see a lot of the changes committed to the original USNF10
I didn't change the update channel in the module on purpose so that everyone can upgrade to the new official version automatically without any problems.You should also consider updating update.json so updates can be seen by the Magisk app of one's choosing
8
The secret lies in the setup. Don't intend to sound like an expert, but this has been my due diligence since day 0 with Pixel 6 pro and now with Pixel 7 pro. Please do not forget to thank the kind people like @roirraW "edor" ehT @Homeboy76 @V0latyle whose posts I have been following for a couple of years now. Let's assume your use case and walk backwards before we move forward.
1. Disable and Remove all modules from magisk including USNF and Shamiko ( in case you already have and it's not working). Yes its a pain but I assure you its a one time thing. Disable Zygisk too. Reboot phone. So now essentially you have a rooted phone with stock/third party kernel and Zygisk No and No modules (your modules page would be blank). Follow this with uninstalling all the apps that you want to include in the Deny list and have them already installed (yes its a pain too). Please uninstall them correctly, Delete data, cache, force close and uninstall. Follow this with deleting data and cache from playstore and gms. Once all done, reboot your phone again. This will bring your phone to a state where you will get three red crosses in Play Integrity API checker app - Ground 0 state. This state is also similar to when you have made a clean flash to stock and just rooted your phone (in case you intended to do that, start from here). Now just install Wallet and Company Portal (for example). Do not install your other apps that you had uninstalled (banking etc) yet.
2. Now flash the latest Displax USNF and Shamiko one after another in Magisk, dont reboot phone.
3. If you have not hidden magisk yet, hide it from Magisk settings section..
4. Enable Zygisk - dont reboot phone even if you get prompted.
5. Do not check Enforce Deny List. Now enter Deny list and just check Wallet. Ensure that all subcomponents of wallet are also checked (its finicky, so manually do it if needed)
6. Now put your phone in Airplane Mode.
7. Delete data and cache for Wallet, Play Store and Play Service (GMS) from Apps. Once done immediately restart the phone. Disable Airplane Mode. Check Play Integrity API checker app and Wallet and the Devices tab in Google Security Section - All will be working as intended.
8. Now for the other applications, install in groups of 3, same, add them to deny list after installing, put the phone in airplane mode, delete data, cache and force close app and immediately reboot phone and disable airplane mode. Why 3, for some odd reason, while deleting data and cache for some for example 12 apps, one or two fall through the crack, dont ask me why, just saying. No interaction with playstore of gms is needed while doing this.
If you are an experienced user which you clearly are from your post count, you would probably be laughing your guts off reading my childish instructions. Good luck!
In the future if lets, say your Citi bank app gets updated and shows root, and when you go to deny list you see an additional subcomponent added to the Citi app, exit Magisk, delete cache, data, force close and uninstall app, "reboot phone", install citi app, add it to deny list (make sure all subcomponents are selected now), put the phone in airplane mode, delete cache data force close citi app, reboot phone, disable air plane phone and you are good to go.
