Magisk SafetyNet fail - Android 11 - Google Pixel 3a Questions & Answers

I've recently encountered a problem. I rooted My Pixel 3a when it had stock Android 10 and passed the SafetyNet checks.
I then upgraded to stock Android 11 (RP1A.201005.004, Oct 2020) and re-rooted. However, the Magisk SafetyNet check now reports as 'attestation failed'. basicIntegrity passes but ctsProfile now fails (evalType HARDWARE).
Can anyone help in identifying the problem and how to resolve it?

largeruk said:
I've recently encountered a problem. I rooted My Pixel 3a when it had stock Android 10 and passed the SafetyNet checks.
I then upgraded to stock Android 11 (RP1A.201005.004, Oct 2020) and re-rooted. However, the Magisk SafetyNet check now reports as 'attestation failed'. basicIntegrity passes but ctsProfile now fails (evalType HARDWARE).
Can anyone help in identifying the problem and how to resolve it?
Click to expand...
Click to collapse
Same, passed it about a week ago and failed it today - I've had the October update since release and it has been fine so something has changed in the last few days ?
Magisk 21005
Manager 311
Cananry update channel

captain sideways said:
Same, passed it about a week ago and failed it today - I've had the October update since release and it has been fine so something has changed in the last few days
Magisk 21005
Manager 311
Cananry update channel
Click to expand...
Click to collapse
You have to use magiskhide props module. See its XDA thread.

magjir said:
You have to use magiskhide props module. See its XDA thread.
Click to expand...
Click to collapse
Thanks very much for that - I did try that but it didn't work for me - went on a few searches and this module I found elsewhere on here did work.
I just flashed it and my cts profile passes - there some interesting posts round it as well:
https://forum.xda-developers.com/showpost.php?p=83028387&postcount=40655
Relevant: https://forum.xda-developers.com/showpost.php?p=83028387&postcount=40655

@largeruk @captain sideways
Hey, I hate to steal the thread, but I wanted to ask if either of you would please upload a copy of the Magisk patched boot image file that you used. The ones that I have been generating using MM 8.0.2 and the latest sargo factory boot image have consistently failed to boot for me and I would like an image that has been proven to work. I would greatly appreciate you help!
UPDATE
Thanks for the file! It worked for me.

captain sideways said:
Thanks very much for that - I did try that but it didn't work for me - went on a few searches and this module I found elsewhere on here did work.
I just flashed it and my cts profile passes - there some interesting posts round it as well:
https://forum.xda-developers.com/showpost.php?p=83028387&postcount=40655
Relevant: https://forum.xda-developers.com/showpost.php?p=83028387&postcount=40655
Click to expand...
Click to collapse
THANKS!!! I recently ran into this issue and have tried the modules and changes through terminal, unrooting, flashing complete stock, but the only thing that worked was locking the bootloader. Once I had my 3a wiped and back to stock, I kept experimenting and located your fix. Magisk (cts profile) still won't pass safety net, but GPay works again (at least I could re-add cards without an error message--haven't tried to use it at a pay terminal yet) which was the whole point. I hope it's long-lasting. I can't believe more people aren't running into this issue.

@largeruk @captain sideways
Just to clarify, this is not an Android 10 or 11 issue. Newer (starting around October 22) versions of Google Play Services changed how SafetyNet works and ctsProfile fails with evalType HARDWARE.

The "Hardware Off" module no longer fixes the ctsProfile failure. I have seen mention of a new module here, but I'm not sure I trust the source: https://droidholic.com/safetynet-cts-profile-failed-fix/
Anyone have updates on this issue with the latest February Android 11 release?

madmartian said:
The "Hardware Off" module no longer fixes the ctsProfile failure. I have seen mention of a new module here, but I'm not sure I trust the source: https://droidholic.com/safetynet-cts-profile-failed-fix/
Anyone have updates on this issue with the latest February Android 11 release?
Click to expand...
Click to collapse
https://forum.xda-developers.com/t/magisk-module-universal-safetynet-fix-1-1-0.4217823/ it does work.
Edit: there is also a link to the github in the thread so you can check the code if you wish.

Hi i flashed pixel experience on my moto g7 power and i cant get the cts profile match to not fail does anyone know how to do this

Related

Bootloader won't relock, and SafetyNet mayhem

Hi there
Two issues/problems here:
I rebranded my Oreo European MHA-L09 successfully to MHA-L29, everything went perfectly. Then I proceeded to flash RR. SafetyNet however is not helping : CTS mismatch doesn't seem to wanna go away. I tried everything I could find, Magisk does nothing, unrooting : same, can't relock bootloader (root is risk)... kindabummed as it even blocks Spotify from showing up in Play Store. After a week of proding, I'v given up.
So I go back to stock, and whaddayaknow, everything goes fine except... bootloader won't relock : root is risk. I tried reflashing using HWOTA, like, a billion times, couldn't get HiSuite to help either, can't really figure out how to use download mode - most tutorials I found were for P10 - sooooo... yeah.
Any ideas when it come to relocking bootloader (in a stock rom or nah) and passing SafetyNet when a GSI is flashed?
SomeRandomEngi said:
Hi there
Two issues/problems here:
I rebranded my Oreo European MHA-L09 successfully to MHA-L29, everything went perfectly. Then I proceeded to flash RR. SafetyNet however is not helping : CTS mismatch doesn't seem to wanna go away. I tried everything I could find, Magisk does nothing, unrooting : same, can't relock bootloader (root is risk)... kindabummed as it even blocks Spotify from showing up in Play Store. After a week of proding, I'v given up.
So I go back to stock, and whaddayaknow, everything goes fine except... bootloader won't relock : root is risk. I tried reflashing using HWOTA, like, a billion times, couldn't get HiSuite to help either, can't really figure out how to use download mode - most tutorials I found were for P10 - sooooo... yeah.
Any ideas when it come to relocking bootloader (in a stock rom or nah) and passing SafetyNet when a GSI is flashed?
Click to expand...
Click to collapse
So, bootloader relock won't happen if any of the stock images don't match exactly to what the system expects. (If it does, you brick.)
On any ROM, provided it passes the basicIntegrity check, Magisk, possibly with the universal props fix module, will get SN passing. (If it doesn't pass basicIntegrity in the first place, that's another thing, and Magisk can't fix that.)
irony_delerium said:
So, bootloader relock won't happen if any of the stock images don't match exactly to what the system expects. (If it does, you brick.)
On any ROM, provided it passes the basicIntegrity check, Magisk, possibly with the universal props fix module, will get SN passing. (If it doesn't pass basicIntegrity in the first place, that's another thing, and Magisk can't fix that.)
Click to expand...
Click to collapse
Thank you so much for your answer! I already tried installing huawei props fix but it doesn't want to flash - /data/magisk is not configure proprerly even after multiple reinstalls apparently - and when it comes to MagiskHide Props Config, I can't seem to find a fingerprint for the Mate 9. Would using the Mate 10's cause issues?
SomeRandomEngi said:
Thank you so much for your answer! I already tried installing huawei props fix but it doesn't want to flash - /data/magisk is not configure proprerly even after multiple reinstalls apparently - and when it comes to MagiskHide Props Config, I can't seem to find a fingerprint for the Mate 9. Would using the Mate 10's cause issues?
Click to expand...
Click to collapse
Near as I've been able to tell, the fingerprint only makes a difference to things like SafetyNet. You can add the fingerprint for the Mate 9 if you want, obviously, but you could just as easily use one swiped from anywhere else and it would work just the same.
How are you attempting to install Magisk? I've only ever done it, personally, through Magisk Manager, using "Patch boot image" or "Direct install". With the bugs that recently appeared (Magisk Manager 5.8, Magisk 16.6, saw lots of softbricks due to direct install or install via TWRP - it was unconditionally patching something it shouldn't have), I've been telling people to use Patch Boot Image in Magisk Manager always.
irony_delerium said:
Near as I've been able to tell, the fingerprint only makes a difference to things like SafetyNet. You can add the fingerprint for the Mate 9 if you want, obviously, but you could just as easily use one swiped from anywhere else and it would work just the same.
How are you attempting to install Magisk? I've only ever done it, personally, through Magisk Manager, using "Patch boot image" or "Direct install". With the bugs that recently appeared (Magisk Manager 5.8, Magisk 16.6, saw lots of softbricks due to direct install or install via TWRP - it was unconditionally patching something it shouldn't have), I've been telling people to use Patch Boot Image in Magisk Manager always.
Click to expand...
Click to collapse
Okay, thanks! Yeah, I installed it from TWRP. Gonna redo the install then.
Also, I just noticed that Bluetooth does not work - it doesn't even activate for some reason - so I'll probably restart from ,yet another, clean flash. Thank you so much for your help!

Failing safteynet without root, and with magisk hide while rooted

Hi. Recently my safteynet started failing. I don't remeber exactly what modifcations I did at the time to cause it. I flashed the latest OOS from OnePlus so I would have no root or mods, and safteynet continues to report failed.
I really don't feel like wiping my data. Does anyone have any suggestions?
The mods I have installed at some point via magisk are, edxposed, riru, and viper audio effects.
Thank You!
Nuzzlet said:
Hi. Recently my safteynet started failing. I don't remeber exactly what modifcations I did at the time to cause it. I flashed the latest OOS from OnePlus so I would have no root or mods, and safteynet continues to report failed.
I really don't feel like wiping my data. Does anyone have any suggestions?
The mods I have installed at some point via magisk are, edxposed, riru, and viper audio effects.
Thank You!
Click to expand...
Click to collapse
The safetynet fail during no root time is likely because of the still unlocked bootloader. Edxposed does no longer pass safetynet. Im currently running OOS 10.3.1 with magisk while passing safetynet
Having the same issue man.
Latest beta, with root, but failing safetynet.
not sure where to go from here. I remember having this same issue a while back but "safetypatcher" fixed me right up....but it's not on the magisk repo any more
Crom4rtie said:
The safetynet fail during no root time is likely because of the still unlocked bootloader. Edxposed does no longer pass safetynet. Im currently running OOS 10.3.1 with magisk while passing safetynet
Click to expand...
Click to collapse
How are you passing safteynet with root & unlocked bootloader?
turdbogls said:
Having the same issue man.
Latest beta, with root, but failing safetynet.
not sure where to go from here. I remember having this same issue a while back but "safetypatcher" fixed me right up....but it's not on the magisk repo any more
Click to expand...
Click to collapse
Just found this: https://github.com/kam821/safetypatch/releases/tag/v4.0.1
about to re root and flash with magisk hide. I'll update this thread. Might be worth a try for you as well.
Thanks for the idea!
Update. the SafteyPatcher above did not work. I am trying MagiskHidePropsConfig now, however I am failing BasicIntegrity and CTS, which I believe means theres probably something else going on. Not really sure what to do.
Edexposed does bypass safetynet I'm on oos 10.3.2
J0nhy said:
Edexposed does bypass safetynet I'm on oos 10.3.2
Click to expand...
Click to collapse
What did you do to make it pass? I already included GSF and Play Services from the blacklist.
All my problems resolved when i uninstall Magisk, and return to PIE....
is the manager hidden and play services in the hide list (should be by default)
also check that avb and preserve encryption are ticked on the front page. Normally these should allow you to pass.
If you are still failing then there is probably some mod/previous installation of root apps on the phone causing this to trip snet.

SafetyNet (CTS Profile) check fails on Poco F2

Hi everyone.
I have a rooted Poco F2 with magisk 21.2 and TWRP on stock MIUI rom 12.0.4.
I had passed SafetyNet by hiding magisk manager and enabling the magisk hide props module but literally one morning I woke up with a message from Google Pay saying the phone can't be used for transactions.
I checked SafetyNet again and it indeed failed. BasicIntegrity passed and evalType was set to BASIC but ctsProfile failed.
Since I've been trying to fix it by formatting the phone entirely, flashing the stock rom from scratch and re-applying everything but i still get the same issue. I've also tried several different fingerprints from the props module but ctsProfile check always fails.
Does anyone have any clue what might've happened? I didn't mess with any setting or allow any automatic updates when i got the fail message from Google Pay.
Thanks in advance!
moxalis said:
Hi everyone.
I have a rooted Poco F2 with magisk 21.2 and TWRP on stock MIUI rom 12.0.4.
I had passed SafetyNet by hiding magisk manager and enabling the magisk hide props module but literally one morning I woke up with a message from Google Pay saying the phone can't be used for transactions.
I checked SafetyNet again and it indeed failed. BasicIntegrity passed and evalType was set to BASIC but ctsProfile failed.
Since I've been trying to fix it by formatting the phone entirely, flashing the stock rom from scratch and re-applying everything but i still get the same issue. I've also tried several different fingerprints from the props module but ctsProfile check always fails.
Does anyone have any clue what might've happened? I didn't mess with any setting or allow any automatic updates when i got the fail message from Google Pay.
Thanks in advance!
Click to expand...
Click to collapse
That method doesn't work anymore.
try this https://github.com/kdrag0n/safetynet-fix/releases/tag/v1.1.0
Dadovvv said:
That method doesn't work anymore.
try this https://github.com/kdrag0n/safetynet-fix/releases/tag/v1.1.0
Click to expand...
Click to collapse
That seems to have fixed it! Thank you so much.
Is there a sub-forum somewhere where I could've been updated that the method I was using isn't working anymore?
[TUTORIAL] WORKING FIX FOR SAFETYNET / CTS PROFILE FAILED
Alright , here we go again . Steps to follow : 1. Open Magisk and select modules tab 2. Install Module for Android 11 - (https://t.me/XiaomiEUCloud/156) For Android 10 - (https://t.me/XiaomiEUCloud/158) from Storage 3. Reboot your Device Done . [emoji3544] UPDATE : NO NEED TO FLASH THIS ON...
xiaomi.eu

Question Solved - C.44 update won't install after magisk boot

Hi guys,
Sorry if I'm missing something very obvious but I can't install the latest update on my rooted oneplus 9
I have a LE2110 model, currently on 11.2.10.10..LE25BA. I'm rooted with magisk, confirmed with root checker.
I've downloaded the C44 update, went to updater, install from storage, then to magisk where I disable all my modules and select install to inactive slot, 'lets go' and 'reboot'.
The phone reboots and displays a message saying that the update did not install try again or try reapir.
Anyone know if I'm missing anything in the process? Any help would be appreciated.
Cheers everyone
Edit: Thanks for all the responses..using canary magisk instead has worked.
chinbags said:
Hi guys,
Sorry if I'm missing something very obvious but I can't install the latest update on my rooted oneplus 9
I have a LE2110 model, currently on 11.2.10.10..LE25BA. I'm rooted with magisk, confirmed with root checker.
I've downloaded the C44 update, went to updater, install from storage, then to magisk where I disable all my modules and select install to inactive slot, 'lets go' and 'reboot'.
The phone reboots and displays a message saying that the update did not install try again or try reapir.
Anyone know if I'm missing anything in the process? Any help would be appreciated.
Cheers everyone
Click to expand...
Click to collapse
You have to fastboot flash the stock untouched boot.img back. Magisk patched the boot partition to root. Therefore the partition is modified. Ota fails. Try uninstall Magisk and see if it restores stock boot image. Or get full build run payload him through payload extractor and nab boot.img there.
Thanks, so I basically need to unroot, restore to stock, update to C44, then reroot from scratch again?
chinbags said:
Thanks, so I basically need to unroot, restore to stock, update to C44, then reroot from scratch again?
Click to expand...
Click to collapse
Wrong magisk was used. You must use canary magisk.
MrSteelX said:
Wrong magisk was used. You must use canary magisk.
Click to expand...
Click to collapse
Wrong . I'm on stock A12 and it's rooted with 23.0. passing safety net,modules,Magisk hide all working
in order for magisk to work on A12 and booting to an inactive slot it has to be the alpha build ill post it but its also in the root guide for oos on 12 the table shows the only one that works on 12 is this build, same thing happened to me
chinbags said:
Thanks, so I basically need to unroot, restore to stock, update to C44, then reroot from scratch again?
Click to expand...
Click to collapse
no need for any of that
mattie_49 said:
Wrong . I'm on stock A12 and it's rooted with 23.0. passing safety net,modules,Magisk hide all working
Click to expand...
Click to collapse
yes it is true but you did the manual way. every one else wants the automatic way which requires canary or alpha.
MrSteelX said:
yes it is true but you did the manual way. every one else wants the automatic way which requires canary or alpha.
Click to expand...
Click to collapse
Everyone does want bleeding edge.
Thanks for all the info guys, sounds like a bit more reading needed on my end but all of the above should steer me in the right direction.
I was able to jump from rooted 11.10.10 to c44 using canary magisk.
Downloaded the 4gb c44 from oxygen updater, then local udpate and DONT reboot then install magisk in inactive slot.
Ok, this has worked, original posted uodated, thanks everyone.
One last question...and slightly unrelated. I can't find my list of hidden apps in magisk. I've hidden the app in settings and have the magisk hideprops config module enabled. My banking app is telling me I'm rooted...I'm pretty sure I added it to a list in the past. None of the options at the bottom bring me to it either..anyone have the same issue?
chinbags said:
One last question...and slightly unrelated. I can't find my list of hidden apps in magisk. I've hidden the app in settings and have the magisk hideprops config module enabled. My banking app is telling me I'm rooted...I'm pretty sure I added it to a list in the past. None of the options at the bottom bring me to it either..anyone have the same issue?
Click to expand...
Click to collapse
the alpha build doesnt have magisk hide built in. and he literally just posted the updated v24 stable build an hour ago and is supposed to fully support android 12. but he also announced that he removed Magisk hide all together and is no longer going to support it.
so its still early, not sure how to fix your problem , those are the only two builds i see for 12
jruizdesign said:
the alpha build doesnt have magisk hide built in. and he literally just posted the updated v24 stable build an hour ago and is supposed to fully support android 12. but he also announced that he removed Magisk hide all together and is no longer going to support it.
so its still early, not sure how to fix your problem , those are the only two builds i see for 12
Click to expand...
Click to collapse
Ok, thanks. Could a rollback to v23 APK work? Happy to give it a whirl unless you think it could bork my phone
chinbags said:
Ok, thanks. Could a rollback to v23 APK work? Happy to give it a whirl unless you think it could bork my phone
Click to expand...
Click to collapse
i would try and delete the version you have and install stable 23, dont repack the boot.img or anything only replace the app, that wont hurt you
jruizdesign said:
i would try and delete the version you have and install stable 23, dont repack the boot.img or anything only replace the app, that wont hurt you
Click to expand...
Click to collapse
No dice, v23 will install and the option is available in settings, I just still can't find where I add an app to the hidden list. Bank apps not loading.
Magisk is dropping support for hiding root access from apps
Magisk, the popular Android rooting tool, will continue to be developed by topjohnwu, but without its root hiding feature called MagiskHide.
www.xda-developers.com
Have you tried using USNF? https://forum.xda-developers.com/t/magisk-module-universal-safetynet-fix-1-1-0.4217823/
I'm also having troubles updating to c44 with magisk v23, but don't wanna lose the magisk hide option. While looking for alternatives, I came across this the USNF solution in here :
How to pass SafetyNet on Android after rooting or installing a custom ROM
It is possible to pass SafetyNet, even after extensive modding like rooting or installing a custom ROM. Check out how to do that here!
www.xda-developers.com
Didn't try it myself yet...
I can confirm USNF works for me, and I have some very strict apps detecting root access, DenyList hides the root from the apps, but it doesn't try to fix safetynet, with USNF I have no more problems even in apps that didn't work with DenyList only (remember to turn on Zygisk and Enforced DenyList).
If you are using permissive mode on SELinux you will also need SELinux switch to get back to enforcing mode for some apps, but that is an edge case
EDIT: It seems if you are on custom ROM MagiskHidePropsConf might help, not sure if USNF is enough but I can't test it

[solved] Safetynet doesn't pass until last update

Hello everyone,
I switched Magisk to c3b4678f (25204)(34) tonight, as I am on the Canary versions. But unfortunately, I notice while using Yasnac that my Pixel 3a does not pass SafetyNet anymore. The evaluation type remains Basic but Basic Integrity and CTS profile are both set to False. I uninstalled the safetynet fix from kdrag0n before reinstalling it (after rebooting each time) but nothing works! I even did a flash of the boot.img patched by Magisk but nothing to do. Do others have the same problem? What can I do?
During this night, Magisk developers pushed an update because of a deny list issue. They fixed it in the new version a468fd94 (25205)(34). And right after the update, Safetynet passes again !
I worried too quickly !

Categories

Resources