
Why Does XPosed Always Trip SafetyNet?

By gudenau, Member on 2nd September 2017, 06:14 AM
10th September 2017, 05:37 PM |#11 by lover
Quote:
Originally Posted by aer0zer0

Maybe @topjohnwu can explain better here

he did: https://forum.xda-developers.com/sho...postcount=4200

Quote:

Systemless Xposed cannot pass SafetyNet!!! SN checks the running Zygote process, it is not as simple as unmounting the files to hide it!

10th September 2017, 05:46 PM |#12 by aer0zer0
Quote:
Originally Posted by lover

he did: https://forum.xda-developers.com/sho...postcount=4200

Lol, already saw that (it was in my earlier explanation). I think others in this thread want a more nuts-and-bolts answer.
10th September 2017, 05:52 PM |#13
Quote:
Originally Posted by aer0zer0

I think others in this thread want a more nuts and bolts answer.

That would actually be awesome.

Sent from my Moto G 2014 LTE using Tapatalk
11th September 2017, 02:57 AM |#14 by gudenau (OP)
Quote:
Originally Posted by aer0zer0

SafetyNet checks the Zygote, which Xposed modifies to work; that's why it trips, be it system or systemless. It didn't use to. SafetyNet has evolved.

Quote:
Originally Posted by lover

he did: https://forum.xda-developers.com/sho...postcount=4200

Sure it checks it, but what does it look for? I want to know exactly what it does, as I said in the first post.
12th September 2017, 05:46 AM |#15
Quote:
Originally Posted by gudenau

Sure it checks it, but what does it look for? I want to know exactly what it does, as I said in the first post.

I am not the right person to answer
13th September 2017, 03:32 AM |#16 by Jacte
Nice thread going on here. Hope someone could explain the anatomy of SafetyNet and how it checks Zygote.
10th January 2018, 12:37 AM |#17 by CosmicDan
Quote:
Originally Posted by gudenau

Sure it checks it, but what does it look for? I want to know exactly what it does, as I said in the first post.

I believe if anybody actually KNEW this answer, they'd be able to spoof it. It could be some kind of tamper-detection stuff on the level that serious hackers use (e.g. measuring execution time of an arbitrary method), or it could be specifically designed to detect Xposed (it is open source, after all).

This is one of those things where if you have to ask the question, the answer is probably beyond your expertise.
10th January 2018, 04:57 AM |#18 by Thaodan
I'm watching this talk from 34c3.
Maybe this would explain/help in understanding SafetyNet.
https://media.ccc.de/v/34c3-8725-ins...ck_and_defense
6th March 2018, 04:13 PM |#19 by lssong99
I think topjohnwu already explained it well enough. Since SN checks not the "file integrity" of Zygote but the integrity of the running Zygote process in memory, it makes the spoof very difficult.

Since Zygote is loaded very early during boot and is actually the base of all system and app processes (this is also why Xposed is so powerful by modifying Zygote), it's always running, and it's not so easy to spoof the memory contents (including code and data areas) of a running process from another process, so SN is always tripped.

However, since Zygote is modified by Xposed, maybe someone can modify the Zygotes in such a way that will pretend integrity and thus will not trip SafetyNet (like some rootkit for Windows), but how and if this can be done is entirely beyond my knowledge...
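To make lssong99's distinction between "file integrity" and the integrity of the running process concrete, here is an added illustration that is not from this thread and not SafetyNet's, Xposed's or Magisk's code: a parser for the Linux/Android `/proc/<pid>/maps` format, a page-wise comparison of a mapped executable region against the bytes of the file it was loaded from, and a flag for executable regions that have no file on disk at all. The sample maps text, the addresses and inodes, and the `libhook.so` name are constructed; the live `check_live_process` helper assumes a Linux-style `/proc` and is a generic in-memory versus on-disk check, not whatever SafetyNet actually does (which nobody in the thread claims to know).

```python
"""Compare a process's executable mappings with the files they were loaded from.

Added illustration for this thread, not SafetyNet's, Xposed's or Magisk's code:
once a code page has been modified in a running process it stays modified no
matter what later happens to the file on disk, so a check on the live process
is not defeated by unmounting. Assumes a Linux/Android-style /proc layout.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+\S+\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Constructed sample modelled on a zygote-like process (addresses, inodes and
# the libhook.so name are made up): one anonymous executable region and one
# executable region whose backing file was deleted after being mapped.
SAMPLE_MAPS = """\
5569d1b00000-5569d1b01000 r--p 00000000 08:01 1234567 /system/bin/app_process64
5569d1b01000-5569d1b05000 r-xp 00001000 08:01 1234567 /system/bin/app_process64
5569d1b05000-5569d1b06000 r--p 00005000 08:01 1234567 /system/bin/app_process64
7f1234000000-7f1234021000 rw-p 00000000 00:00 0 [heap]
7f12345f0000-7f12345f2000 r-xp 00000000 00:00 0
7f12345f2000-7f12345f3000 r-xp 00000000 08:01 7654321 /data/local/tmp/libhook.so (deleted)
"""


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    offset: int  # byte offset into the backing file
    path: str    # "" for anonymous memory

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_maps(text: str) -> List[Mapping]:
    """Parse /proc/<pid>/maps text; lines that do not match the format are skipped."""
    maps = []
    for line in text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if not m:
            continue
        maps.append(Mapping(int(m["start"], 16), int(m["end"], 16), m["perms"],
                            int(m["offset"], 16), m["path"].strip()))
    return maps


def unbacked_executable(maps: List[Mapping]) -> List[Mapping]:
    """Executable regions with nothing on disk to compare against: anonymous
    memory, or a file that was deleted after being mapped."""
    return [mp for mp in maps
            if "x" in mp.perms
            and (not mp.path.startswith("/") or mp.path.endswith("(deleted)"))]


def differing_pages(file_bytes: bytes, mem_bytes: bytes, page_size: int = 4096) -> List[int]:
    """Indexes of pages whose in-memory content differs from the file image.
    The kernel zero-fills a partial last page, so both sides are padded alike."""
    diffs = []
    total = max(len(file_bytes), len(mem_bytes))
    for idx in range((total + page_size - 1) // page_size):
        lo, hi = idx * page_size, (idx + 1) * page_size
        f_page = file_bytes[lo:hi].ljust(page_size, b"\0")
        m_page = mem_bytes[lo:hi].ljust(page_size, b"\0")
        if hashlib.sha256(f_page).digest() != hashlib.sha256(m_page).digest():
            diffs.append(idx)
    return diffs


def check_live_process(pid: Optional[int] = None) -> Dict[str, object]:
    """Inspect a live process (default: ourselves): list unbacked executable
    regions and file-backed ones whose pages no longer match the file.
    Reading another pid's /proc/<pid>/mem needs ptrace permission on it."""
    who = str(pid) if pid is not None else "self"
    with open(f"/proc/{who}/maps") as fh:
        maps = parse_maps(fh.read())
    unbacked = unbacked_executable(maps)
    modified: Dict[str, List[int]] = {}
    for mp in maps:
        if "x" not in mp.perms or mp in unbacked:
            continue
        try:
            with open(mp.path, "rb") as f:
                f.seek(mp.offset)
                file_bytes = f.read(mp.size)
            with open(f"/proc/{who}/mem", "rb") as memf:
                memf.seek(mp.start)
                mem_bytes = memf.read(mp.size)
        except OSError:
            continue  # unreadable region or file: skip rather than guess
        pages = differing_pages(file_bytes, mem_bytes)
        if pages:
            modified[mp.path] = pages
    return {"unbacked": [mp.path or "<anonymous>" for mp in unbacked],
            "modified": modified}


if __name__ == "__main__":
    sample = parse_maps(SAMPLE_MAPS)
    print("sample unbacked:", [mp.path or "<anonymous>" for mp in unbacked_executable(sample)])
    try:
        print("this process:", check_live_process())
    except OSError as exc:
        print("no /proc available here:", exc)
```

On the constructed sample the two unbacked regions are the anonymous `r-xp` page and the deleted `libhook.so` mapping; on a real ART process the "unbacked" list is noisy by design, because the JIT emits code into anonymous executable memory, so a practitioner would treat that signal as a prompt for closer inspection rather than a verdict, and would expect the file-backed comparison to be the stronger one. Old libraries built with text relocations are another legitimate source of file-versus-memory differences in code pages.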
23rd June 2018, 08:06 AM |#20 by CosmicDan
Quote:
Originally Posted by lssong99

I think topjohnwu already explained it well enough. Since SN checks not the "file integrity" of Zygote but the integrity of the running Zygote process in memory, it makes the spoof very difficult.

Since Zygote is loaded very early during boot and is actually the base of all system and app processes (this is also why Xposed is so powerful by modifying Zygote), it's always running, and it's not so easy to spoof the memory contents (including code and data areas) of a running process from another process, so SN is always tripped.

However, since Zygote is modified by Xposed, maybe someone can modify the Zygotes in such a way that will pretend integrity and thus will not trip SafetyNet (like some rootkit for Windows), but how and if this can be done is entirely beyond my knowledge...

I'd like to discover some technical details too. I wonder if it's possible to compile a ROM with modified zygote binary that chain-loads Xposed stuff or something like that. But I'd need to first find out what exactly Xposed Zygote does differently, and go through trial and error with modifying zygote sources to find what actually trips it.
27th June 2018, 09:23 AM |#21 by Rom
Quote:
Originally Posted by CosmicDan

I'd like to discover some technical details too. I wonder if it's possible to compile a ROM with modified zygote binary that chain-loads Xposed stuff or something like that. But I'd need to first find out what exactly Xposed Zygote does differently, and go through trial and error with modifying zygote sources to find what actually trips it.

Zygote is a fundamental tool in Android; to make it short, when Xposed is installed, a process related to Xposed runs in the background in Zygote. This is what SafetyNet detects.