SafetyNet CTS profile match false

sakis_the_fraud · Oct 13, 2016

This thread is dedicated to understanding what is causing the SafetyNet to report the CTS profile match as false.

I tried unrooting and flashing a new kernel, but the error remains.

Anyone knows what does it check?

@Tesla
@xstahsie

emuandco · Oct 13, 2016 at 3:58 PM

What I can tell you, Busybox is not the problem in my case. Fully unrooted und un-busyboxed my Note3 (see sig) by modding the ROM I use pre-flash, wiped /system and put it on there with TWRP. Nope. I am close to think that there's some thing custom ROMs pass to Google by SafetyNet and are being detected as not official by that. The fingerprint (In my case "samsung/hero2ltexx/hero2lte:6.0.1/MMB29K/G935FXXU1APEK:user/release-keys") compared to H/W maybe...

_M4rc05_ · Oct 13, 2016

I have the same problem with a unroot cyanogenmod 13. Pokemon Go die.

xstahsie · Oct 13, 2016 at 4:12 PM

sakis_the_fraud said:
This thread is dedicated to understanding what is causing the SafetyNet to report the CTS profile match as false.

View attachment 3902690

I tried unrooting and flashing a new kernel, but the error remains.

Anyone knows what does it check?

@Tesla
@xstahsie

Assuming you have made a NANDROID backup via TWRP when the phone was unrooted, simply restore "boot" from your backup. If you don't have a copy, you'll need to reflash your ROM. And if you have to do that, just flash boot and system.

Sent from my Nexus 6P using Tapatalk

ccav2000 · Oct 13, 2016 at 4:14 PM

I'm on the same boat as you guys. Exact same error, CM13 with su removed, nothing else modified. No idea why CTS is now false.

sakis_the_fraud · Oct 13, 2016 at 5:15 PM

xstahsie said:
Assuming you have made a NANDROID backup via TWRP when the phone was unrooted, simply restore "boot" from your backup. If you don't have a copy, you'll need to reflash your ROM. And if you have to do that, just flash boot and system.

Sent from my Nexus 6P using Tapatalk

Phone was rooted on second boot.

I will try to flash a stock kernel when i return home, but i don't expect much.

Flashing stock system is definitely not an option, do you think dirtyflash will work?

Sent from my Xperia Z5 using Tapatalk

xstahsie · Oct 13, 2016 at 5:25 PM

sakis_the_fraud said:
Phone was rooted on second boot.

I will try to flash a stock kernel when i return home, but i don't expect much.

Flashing stock system is definitely not an option, do you think dirtyflash will work?

Sent from my Xperia Z5 using Tapatalk

I've dirty flash system on LG G3 many times without any issues. Just wipe cache afterward.

Sent from my Nexus 6P using Tapatalk

sakis_the_fraud · Oct 14, 2016 at 11:09 AM

@AbiDez , @Boosik , @asdone001 check here, we all have the same problem!

anyone here tried switching SELinux mode as phhuson suggested?

phhusson said:
For people for which SafetyNet fails, is /sys/fs/selinux/enforce or policy readable by an application?
On standard Android it's not readable, but perhaps that's the difference on your devices.

here is a guide:

koron393 said:
Code:

$ getenforce

This prints SELinux mode. (Permissive or Enforcing)

Code:

$ su # setenforce 1

This will set SELinux mode Enforcing.
or try

Code:

# setenforce Enforcing

my kernel is set to permissive and I can't switch it, i will try to flash stock and report back.

ccav2000 · Oct 14, 2016 at 11:17 AM

sakis_the_fraud said:
@AbiDez , @Boosik , @asdone001 check here, we all have the same problem!

anyone here tried switching SELinux mode as phhuson suggested?

my kernel is set to permissive and I can't switch it, i will try to flash stock and report back.

Already tried it, but not with those commands. I switched from an unofficial CM13 ROM with SElinux set to permissive to an official CM13 nightly with SElinux set to enforcing. I removed root and bam, Safety Net check passes all checks now.

Boosik · Oct 14, 2016

@sakis_the_fraud
My kernel is

.
On pure stock rom with stock recovery without root - SafetyNet is all green, PoGo works.
On stock rom with TWRP without root - SafetyNet is all green, PoGo works.
On stock rom with TWRP and superuser-r266-hidesu - SafetyNet is red (CTS profile match: false), PoGo doesn't work.

My superuser-r266-hidesu config is "eng noverity crypt hidesu".

But as phh asked "/sys/fs/selinux/enforce" is readable on my device, I can open it in SE File Explorer (contains 1). "/sys/fs/selinux/policy" gives me access denied.

---------- Post added at 01:38 PM ---------- Previous post was at 12:39 PM ----------

Fixed it by setting my superuser-r266-hidesu to verity (was using noverity to be able to mount /system as rw).

sakis_the_fraud · Oct 14, 2016 at 12:44 PM

Boosik said:
My superuser-r266-hidesu config is "eng noverity crypt hidesu".

Fixed it by setting my superuser-r266-hidesu to verity (was using noverity to be able to mount /system as rw).

great info, we are getting somewhere. :good:

could you tell me how to change this setting?

Also, you could try with "noverity setting" to use the "root switch" from shakalaca.
You can find the latest version here at post no: 263.

Boosik · Oct 14, 2016 at 12:55 PM

sakis_the_fraud said:
great info, we are getting somewhere. :good:

could you tell me how to change this setting?

Also, you could try with "noverity setting" to use the "root switch" from shakalaca.
You can find the latest version here at post no: 263.

Open the superuser-r266-hidesu.zip archive and there is config.txt file. Open it and there are some words "eng verity crypt hidesu" I had it set to "noverity" it has to be "verity". Also root switch app doesn't seem to work with phh's superuser.

sakis_the_fraud · Oct 14, 2016 at 1:19 PM

Boosik said:
Open the superuser-r266-hidesu.zip archive and there is config.txt file. Open it and there are some words "eng verity crypt hidesu" I had it set to "noverity" it has to be "verity". Also root switch app doesn't seem to work with phh's superuser.

thanks!

I see that the default option is verity, but it isn't passing the CTS profile match for me.

have you tried with chainfire's root and hidesu, maybe got some luck with that!

Boosik · Oct 14, 2016 at 1:29 PM

sakis_the_fraud said:
thanks!

I see that the default option is verity, but it isn't passing the CTS profile match for me.

have you tried with chainfire's root and hidesu, maybe got some luck with that!

Unfortunately chainfires su 2.78-SR1 has huge performance hit on my phone for some reason and makes it nearly unusable, so that is no option for me.

---------- Post added at 02:29 PM ---------- Previous post was at 02:27 PM ----------

Are you using Magisk?
I do not use it.
I have stock rom and flashed superuser-r266-hidesu.zip nothing else. Everything works fine now.

sakis_the_fraud · Oct 14, 2016 at 1:33 PM

Boosik said:
Unfortunately chainfires su 2.78-SR1 has huge performance hit on my phone for some reason and makes it nearly unusable, so that is no option for me.

i haven't tried it yet, reading about systemless install and the rest procedure.

what device are you using?

Boosik said:
Are you using Magisk?
I do not use it.
I have stock rom and flashed superuser-r266-hidesu.zip nothing else. Everything works fine now.

no.

here are the setups I have tried

Boosik · Oct 14, 2016

sakis_the_fraud said:
i haven't tried it yet, reading about systemless install and the rest procedure.

what device are you using?

no.

here are the setups I have tried

View attachment 3903539

My device is Huawei Mate 8 (NXT-L29C432)

AFAIK "dm verity" has to be on for CTS to pass.

---------- Post added at 02:39 PM ---------- Previous post was at 02:35 PM ----------

Is your current phone Sony Z5?

On the Magisk page, there is something about Sony kernels being unpatchable, maybe that is the problem why your phone does not boot while trying it with dm verity on?

Sony devices generally: Sony devices seems to use ELF kernel that is unpatchable, or some has two ramdisks (inner + outer), both requires different workarounds, if you know any addition quirks about Sony boot image modifications, please contact me

sakis_the_fraud · Oct 14, 2016 at 1:46 PM

Boosik said:
AFAIK "dm verity" has to be on for CTS to pass.

If yes, I'm screwed! I have no clue why it doesn't boot with that on!

Boosik said:
Is your current phone Sony Z5?

On the Magisk page, there is something about Sony kernels being unpatchable, maybe that is the problem why your phone does not boot while trying it with dm verity on?

yes, but there is a tool that can patch the kernel and edit those kind of things such as dm verity, sony ric, root, twrp etc.

also, magisk was working fine on my phone, i was using it before turning to phh's v266.

javaxcore · Aug 13, 2015 1 0 0

What does it mean if its says this and my phone is still vanilla.as in never been rooted or used thirdparty apps or that sort of stuff

Sent from my Elite 5 using Tapatalk

sakis_the_fraud · Oct 14, 2016 at 10:29 PM

javaxcore said:
What does it mean if its says this and my phone is still vanilla.as in never been rooted or used thirdparty apps or that sort of stuff

something is tipping cts, we are searching to find it.

sakis_the_fraud · Oct 15, 2016 at 12:50 PM

@Jayster06 check here

Something is tripping CTS, if it was on /system, why it isn't reported with stock kernel?

If you are rooted, the checker reports that the response validation failed, so it's not the root.

here are the configurations I have tried so far...

please report back if you found a solution.

SafetyNet CTS profile match false

Senior Member

Senior Member

Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

New member

Senior Member

Senior Member