Can anybody provide the latest stock ro.build.fingerprint value in the build.prop file for the E6653? I am trying to create a Magisk Module for passing safetynet on custom ROMs for the Xperia Z5. There is a module that already does this, but it changes your device to a Xaomi build and I'd like to retain my Z5 designation.
Devo7v said:
Can anybody provide the latest stock ro.build.fingerprint value in the build.prop file for the E6653? I am trying to create a Magisk Module for passing safetynet on custom ROMs for the Xperia Z5. There is a module that already does this, but it changes your device to a Xaomi build and I'd like to retain my Z5 designation.
Click to expand...
Click to collapse
I need this too. Have you found a working one yet?
Anyone with an Xperia Z5 on stock software can provide this by running the following command:
adb shell getprop ro.build.fingerprint
hey i just decrypted my phone and Safetynet isn't passing for me anything I can do to fix this?
AngryUserLG said:
hey i just decrypted my phone and Safetynet isn't passing for me anything I can do to fix this?
Click to expand...
Click to collapse
There were apparently some updates in the past (year or two?) that made it harder overall to pass SafetyNet using rooted phones and/or those using certain ROMs. There's a way around it, though.
Toggling "MagiskHide" in the Magisk settings should take care of passing basicIntegrity, but the real issue is passing ctsProfile. There are two methods:
Download SafetyNet Fix and install the module manually in Magisk, or
Spoof the device fingerprint:
Download and install the "MagiskHide Props Config" and "Busybox for Android NDK" modules in Magisk, then reboot.
Open a terminal emulator (eg. Termux) and:
type su and press [enter]
type props and press [enter]
Select "Edit device fingerprint" (probably option 1)
Select "Pick a certified fingerprint" (probably option "f")
Enter the number "Google" (it was 7 for me)
Enter the number for "Pixel 3" or "Pixel 3 XL" (options 18 and 19, respectively, for me)
Select your Android version (11 was option 3 for me)
You'll see the value for ro.build.fingerprint in pink, enter "y" for yes
Enter "y" for yes when asked to reboot
Both options worked for me (I tested them separately). I don't know if you have to run it again if you update the ROM because an update hasn't come out since I did it.
EDIT: oops, thought I was responding to a Google Pixel 3 XL thread. I'll leave this here in case it helps you, though!
How can an Android application detect that it is running on a rooted device that is running the Universal SafetyNet Fix with MagiskHide configured to hide from that application, props configured to a known good fingerprint, and magisk renamed to something else?
I have read that the Universal SafetyNet Fix module works by causing hardware attestation to fall back to basic when key attestation fails with the "not implemented" error. How can an app developer detect when this happens and require that true hardware attestation is used?
It's easy for any app to detect whether Android got tampered or not: No Magisk module can prevent this.
Only as example:
The Universal Safetynet Fix changes in system file named build.prop these properties
Code:
ro.boot.flash.locked
ro.boot.verifiedbootstate
ro.boot.veritymode
ro.boot.vbmeta.device_state
what in turn changes LastModifiedTime property of build.prop.
Hence it should be obvious - to see whether Android OS got tampered or not - the most easy method is comparing this timestamp with timestamp when Android OS was built.
IMO it's a misconception to believe that app developers are dumber than the developer of Magisk.
Update 04.01.2023: I've updated/added additional steps to make this tutorial work again.
This question was asked many times and often all the answers did not work:
How do I get Magisk to work with Microsoft Apps like Microsoft Teams, Microsoft Outlook etc (protected by Microsoft Intune)?
With Magisk 24.1 it is finally possible to bypass the protection of Microsoft Intune. Here are the instructions on how to proceed. The solution requires root!
- First of all you need the latest Magisk version (24.2 or higher).
After installation select:
- Settings -> Hide the Magisk app : Select a new name of your choice (I use 'MM' for 'Magisk Manager')
- After Magisk has been hidden open 'Settings' and enable 'Zygisk (Beta)'
- uncheck Force Denylist in Magisk settings
- Select 'Configure DenyList'
- Use the magnifying glass and search for "Microsoft". You will find "Company Portal" (also known as Microsoft Intune).
Important: Expand the view by clicking on the entry. You will see something like this:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
- Now, with the expaned view, click the entry. It will look like this:
- Repeat these step (first expand, then clicking the button) on each other Microsoft App - e.g. Microsoft Teams, Microsoft Outlook, ...
Important: If you do not expand the view it will not work!
Now, to make sure that this solution is really working ....
- Install YASNAC - Yet Another SafetyNet Attestation Checker from the Google Play Store.
- Run the SafetyNet Attestation on YASNAC
When it fails is shows something like this:
Fix Basic integrity
- To fix the Basic integrity you need to install the latest Universal SafetyNet Fix from Github.
- Download the ZIP and install it as a module in Magisk (24.1 or higher).
- Reboot again and restart the YASNAC - Yet Another SafetyNet Attestation Checker. It should now pass (at least) the Basic integration.
If this is not the case you might also need to fix your CTS profile match. You can resolve this by doing the following steps:
- Download and install the latest release of MagiskHide Props Config from Github in Magisk as a Module.
- Restart your Phone!
- Launch a Terminal of your choice (e.g. Termux, Android Terminal Emulator, ...).
- Type 'su' (enter) and agree to the root dialog.
- Now type 'props' (enter) ...
... select '1' for Edit device fingerprints
... select 'f' for Pick a certified fingerprint
... select a vendor of your phone (e.g. Xiaomi, Poco, Google, Samsung, Oneplus ...)
... select your phone (if available) or a phone which is next to your phone with your installed Android version (for example 9,10,11).
- After selecting the fingerprint for your device, and when the program ends, reboot your device
After reboot another check of YASNAC - Yet Another SafetyNet Attestation Checker should the look like this:
Update 04.01.2023:
- Install Shamiko and make sure that you uncheck Force Denylist in Magisk settings
Important:
Once YASNAC shows Pass on Basic integrity and CTS profile match you can use any Banking App (e.g. Google Pay, N26, DKB, Sparkasse, Revolut, bunq, <whatever>) by repeating the inital steps for each of these Apps and it should not detect root. You might need to clear the data before the app stops complaining about a rooted device (example Google Pay).
If you find this tutorial helpful please leave a like for this post - thanks in advance.
More Informations / Background / How does this work:
Magisk: The Age of Zygsik
[Discussion] Magisk - The Age of Zygisk.
This is a discussion and help thread for the newer versions of Magisk. The main goal of this thread is to help users migrate to Magisk v24+ SafetyNet Basic integrity Pass CTS profile match Pass Play Protect certification Device is certified...
forum.xda-developers.com
Magisk Hide Props Config - SafetyNet
[MODULE] [DEPRECATED] MagiskHide Props Config - SafetyNet, prop edits, and more - v6.1.2
MagiskHide Props Config v6.1.2 Note: This project is dead, and has been for some time. I have not been involved in the Android modding scene for some time and I no longer have the energy to take it up again. If anyone feels like taking over...
forum.xda-developers.com
Hi @GoodSoul nice method- same as my posting from back 2+ weeks ago
Thanks for the repost! It's a proven working method
Zygisk (Alpha channel) + Magisk Hide app stting + DenyList + (MagiskHide Props Config (add fingerprint) + Universal SafetyNet Fix)
Click to expand...
Click to collapse
skuppej said:
Hi @GoodSoul nice method- same as my posting from back 2+ weeks ago
Thanks for the repost! It's a proven working method
Click to expand...
Click to collapse
Hey skuppej, did not see your post, sorry. Was it also (mainly) about Microsoft Intune? Because Magisk Hide did work well in the past on Banking Apps and Google Pay but somehow not well on MS Intune.
Oh, this method is what you should use to hide root from anything
tldr:
Zygisk (Alpha channel) + Magisk Hide app stting + DenyList + (MagiskHide Props Config (add fingerprint) + Universal SafetyNet Fix)
Click to expand...
Click to collapse
Hi,
I've exactly followed the steps mentioned but InTune still detects root.
I've InTune v5.0.5421 installed and Magisk v24.1 installed.
The only difference from your screenshots is that you've evaluation type HARDWARE_BACKED, I've BASIC. The rest is same. My phone is S9 with Stock Android 10 installed.
Do you have any suggestion to check?
This did work, but for some reason as soon as I enable Enforce Deny list, I get extreme lag. Without that option enabled phone woks fine but intune detects root and blocks. I really wish there was a better solution, this never was an issue with MagiskHide
hmm. Update. For literally no reason with nothing changed it just stopped working...No idea why
elite-fusion said:
has anyone had luck with this lately?
I tried the 5067 version and it worked, but teams and outlook still stated that the intune is out of date, so still unusable.
Click to expand...
Click to collapse
persmash said:
Hi,
I've exactly followed the steps mentioned but InTune still detects root.
I've InTune v5.0.5421 installed and Magisk v24.1 installed.
The only difference from your screenshots is that you've evaluation type HARDWARE_BACKED, I've BASIC. The rest is same. My phone is S9 with Stock Android 10 installed.
Do you have any suggestion to check?
Click to expand...
Click to collapse
Make sure you guys clear data in your intune/teams apps, first. Also, delete any work accounts that might pre-exist, if you have them.
skuppej said:
Make sure you guys clear data in your intune/teams apps, first. Also, delete any work accounts that might pre-exist, if you have them.
Click to expand...
Click to collapse
Hi,
Thanks for your reply but InTune doesn't give an error related to rooting. It says the OS is modified and I think that is because of system status is "Custom". I'm searching for a way to make it "Official" again without loosing root but couldn't find anything.
I am on zygisk denylist + shamiko + ticking all processes in denylist
I have also installed universal safetynet but removed it as it doesnot make a difference and i donot have an issue to fail safetynet for now
I am passing intune and Outlook app only
However Onedrive , Office and Teams says i am having policy error and refuse to log in
I would appreciate any assistance as it is crucial for my work environment
Have people gotten this to work on the latest version of Intune (5.0.5421.0)? Root is still being detected on my Google Pixel 4a and 5. I read in the other thread to use an older version of Intune, but my company Intune policy will not allow it (get a Company portal out of date message).
My Intune is updated to 5.0.5421.0 and Teams is still working on all my devices (Oneplus 7, Samsung Tablet A6, Samsung Galaxy S8+ - all with LineageOS 18.1).
For those who have problems: What does 'adb logcat' says in the moment when you launch teams?
GoodSoul said:
My Intune is updated to 5.0.5421.0 and Teams is still working on all my devices (Oneplus 7, Samsung Tablet A6, Samsung Galaxy S8+ - all with LineageOS 18.1).
For those who have problems: What does 'adb logcat' says in the moment when you launch teams?
Click to expand...
Click to collapse
Hi,
I don't have that much technical knowledge. Could you please guide me how can I record the logs so that I can share it here?
Thanks.
persmash said:
I don't have that much technical knowledge. Could you please guide me how can I record the logs so that I can share it here?
Click to expand...
Click to collapse
Try one of these tutorials.
Hey,
I am still using Magisk 23.0 and recently also my Outlook and Teams started crying about my rooted devices. But I have a strange behavior: If I click away this message 2-3 times everything works fine ¯\_(ツ)_/¯.
Anybody else who notices this behavior?
@GoodSoul Is this meant to be work also within the Android Enterprise environment? I mean this thing which is encapsulated from the rest of the system like I would create another user.
tiga05 said:
@GoodSoul Is this meant to be work also within the Android Enterprise environment? I mean this thing which is encapsulated from the rest of the system like I would create another user.
Click to expand...
Click to collapse
I don't know why it should not.
GoodSoul said:
Try one of these tutorials.
Click to expand...
Click to collapse
I used Android Studio to get the logs. Please find them below. To be honest, I didn't undestand anything from them
Code:
2022-03-15 19:04:20.037 6529-6529/? E/[IndicatorGarden]Presenter: onGardenApplyWindowInsets() New DisplayCutout is NULL!!
2022-03-15 19:04:20.041 6203-7029/? E/WindowManager: win=Window{d677566 u0 com.microsoft.windowsintune.companyportal/com.microsoft.omadm.client.OMADMAwaitActivity} destroySurfaces: appStopped=true win.mWindowRemovalAllowed=false win.mRemoveOnExit=false win.mViewVisibility=8 caller=com.android.server.wm.AppWindowToken.destroySurfaces:1249 com.android.server.wm.AppWindowToken.destroySurfaces:1230 com.android.server.wm.AppWindowToken.notifyAppStopped:1285 com.android.server.wm.ActivityRecord.activityStoppedLocked:2776 com.android.server.wm.ActivityTaskManagerService.activityStopped:2512 android.app.IActivityTaskManager$Stub.onTransact:2280 android.os.Binder.execTransactInternal:1056
2022-03-15 19:04:20.061 6529-6529/? E/[IndicatorGarden]Presenter: onGardenApplyWindowInsets() New DisplayCutout is NULL!!
2022-03-15 19:04:20.064 6529-6529/? E/SystemUIImageView: set Image Drawable!!
2022-03-15 19:04:20.064 6529-6529/? E/SystemUIImageView: set Background Drawable!!
2022-03-15 19:04:20.070 6529-6529/? E/[IndicatorGarden]Presenter: onGardenApplyWindowInsets() New DisplayCutout is NULL!!
2022-03-15 19:04:20.495 6814-6814/? E/ApduServiceInfo: Not adding <aid-group> with empty or invalid AIDs
2022-03-15 19:04:20.607 526-1088/? E/BufferQueueProducer: [com.android.systemui.infinity.InfinityWallpaperBlue$_6721#0] disconnect: not connected (req=1)
2022-03-15 19:04:20.609 526-2814/? E/BufferQueueProducer: [com.microsoft.windowsintune.companyportal/com.microsoft.windowsintune.companyportal.views.EnrollmentActivity$_20093#0] disconnect: not connected (req=1)
2022-03-15 19:04:20.681 32192-32192/? E/Zygote: isWhitelistProcess - Process is Whitelisted
2022-03-15 19:04:20.681 32192-32192/? E/Zygote: accessInfo : 1
2022-03-15 19:04:20.683 6203-8084/? E/WindowManager: win=Window{7796f62 u0 com.microsoft.windowsintune.companyportal/com.microsoft.windowsintune.companyportal.views.EnrollmentActivity} destroySurfaces: appStopped=true win.mWindowRemovalAllowed=false win.mRemoveOnExit=false win.mViewVisibility=8 caller=com.android.server.wm.AppWindowToken.destroySurfaces:1249 com.android.server.wm.AppWindowToken.destroySurfaces:1230 com.android.server.wm.AppWindowToken.notifyAppStopped:1285 com.android.server.wm.ActivityRecord.activityStoppedLocked:2776 com.android.server.wm.ActivityTaskManagerService.activityStopped:2512 android.app.IActivityTaskManager$Stub.onTransact:2280 android.os.Binder.execTransactInternal:1056
2022-03-15 19:04:20.713 32192-32192/? E/nder:appservic: Not starting debugger since process cannot load the jdwp agent.
2022-03-15 19:04:22.298 7354-8693/? E/BtGatt.ContextMap: remove() - removed: 7
2022-03-15 19:04:22.341 7354-7521/? E/BtGatt.GattService: [GSIM LOG]: gsimLogHandler, msg: MESSAGE_SCAN_STOP, appName: android.uid.system, scannerId: 7, reportDelayMillis=0
2022-03-15 19:04:22.433 7354-7521/? E/BtGatt.GattService: [GSIM LOG]: gsimLogHandler, msg: MESSAGE_SCAN_START, appName: android.uid.system, scannerId: 7, reportDelayMillis=0
2022-03-15 19:04:22.582 2892-2913/? E/perfsdkserver: [Interface] BpPerfSDKService::connectionRequest()
2022-03-15 19:04:27.585 2892-2913/? E/perfsdkserver: [Interface] BpPerfSDKService::connectionRequest()
2022-03-15 19:04:28.568 6203-6233/? E/Watchdog: [email protected]: 772 heap: 95 / 96 [2022-03-15 19:04:28.567] sdogWay: softdog
2022-03-15 19:04:32.591 2892-2913/? E/perfsdkserver: [Interface] BpPerfSDKService::connectionRequest()
2022-03-15 19:04:37.597 2892-2913/? E/perfsdkserver: [Interface] BpPerfSDKService::connectionRequest()
2022-03-15 19:04:42.603 2892-2913/? E/perfsdkserver: [Interface] BpPerfSDKService::connectionRequest()
2022-03-15 19:04:47.585 32243-32243/? E/Zygote: isWhitelistProcess - Process is Whitelisted
2022-03-15 19:04:47.586 32243-32243/? E/Zygote: accessInfo : 1
Hi,
I followed the guide, but the second time I fire up YASNAC it still fails the SafteyNet fix. I tried everything, rebooted every time, no dice.
GoodSoul said:
My Intune is updated to 5.0.5421.0 and Teams is still working on all my devices (Oneplus 7, Samsung Tablet A6, Samsung Galaxy S8+ - all with LineageOS 18.1).
For those who have problems: What does 'adb logcat' says in the moment when you launch teams?
Click to expand...
Click to collapse
Any luck for you to check my logcat?