Hi everyone. I just want to make it clear.
Rooting isn't bad if you know what you are doing.
First of all, there are attack methods for Android as well as for PCs.
Here's how to prevent them.
NON-ROOTED:
Make sure you clear cache and dalvik once every month (This is just for the sake of free storage).
If a third-party app you downloaded doesn't have a name in the package installer, don't install it. More likely delete even the apk.
Otherwise it will probably show random webpages by using default browser.
Download any kind of Anti-Virus like Avast, AVG, CM security etc...
Don't turn Play Protect off, if you don't have root, you probably don't have apps that can be recognised as a threat.
Don't download any file from anywhere with an unknown extension.
If your phone supports it without any issues, you can use Full Device Encryption in Security Settings. This will put the Normal mode lock to recovery, and even the phone can't be booted unless you type the password in. Also, in recovery, if the attacker deletes the entire system partition, your user data partition will still be encrypted, so your data is safe.
ROOTED:
First of all, to protect yourself from network-based attack vectors, install AFWall+ (Free on Play Store).
It requires root access because it's modifying the device's iptables rules to prevent specified apps or app kinds from reaching different sorts of networks; if you are paranoid you can even deny the entire system from reaching any sort of network.
Second, install a root-privileged anti-virus (I'm pretty sure such things exist).
Third, use Magisk rooting instead of SuperSU or phh's Superuser. Magisk has 2 very useful mods: one is Energized Protection, which blocks malware, adware etc., and the second one is Unified Hosts Adblock (I prefer this a bit more because it has a GUI where you can select what must be blocked).
Also, the Magisk rooting method doesn't corrupt your device's fingerprint, so it passes SafetyNet, so you can still use Snapchat and Super Mario Run even with a rooted device.
Fourth, you can still use Full Device Encryption. (Remember: if you forget your password or something doesn't work after the encryption, like the fingerprint sensor, you should consider going back to stock with NAND erase to get the data partition decrypted (causes full internal SD content loss); otherwise a factory reset won't do the job.)
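The per-app network blocking described in the post above rests on iptables rules that match the UID Android assigns to each app. The following is an added example, not part of the original post and not AFWall+ code: it audits an `iptables -S OUTPUT` listing and reports the interfaces on which an app can still send traffic. It assumes a flat OUTPUT chain; the listing, UIDs and interface names are constructed.

```python
import shlex

# Constructed `iptables -S OUTPUT` listing; UIDs and interface names are made up.
SAMPLE_RULES = """\
-P OUTPUT ACCEPT
-A OUTPUT -o wlan+ -m owner --uid-owner 10123 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o rmnet+ -m owner --uid-owner 10123 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o rmnet+ -m owner --uid-owner 10150 -j DROP
-A OUTPUT -m owner --uid-owner 10200 -j REJECT --reject-with icmp-port-unreachable
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_rules(listing):
    """Return (default_policy, rules) for the OUTPUT chain of an -S listing."""
    policy, rules = "ACCEPT", []
    for line in listing.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[:2] == ["-P", "OUTPUT"]:
            policy = tok[2]
            continue
        if tok[:2] != ["-A", "OUTPUT"]:
            continue  # other chains are out of scope for this example
        rule = {"iface": None, "uid": None, "target": None}
        i = 2
        while i < len(tok):
            opt = tok[i]
            if opt == "-o":
                rule["iface"] = tok[i + 1]
            elif opt == "-m" and tok[i + 1] == "owner":
                pass  # the owner module is the only match modelled here
            elif opt == "--uid-owner":
                rule["uid"] = int(tok[i + 1])
            elif opt == "-j":
                rule["target"] = tok[i + 1]
                break  # what follows are target options such as --reject-with
            else:
                # Refuse to guess about matches this example does not model.
                raise ValueError("unsupported option %r in: %s" % (opt, line))
            i += 2
        rules.append(rule)
    return policy, rules


def iface_matches(pattern, iface):
    """iptables interface match: a trailing '+' is a prefix wildcard."""
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface


def verdict(policy, rules, uid, iface):
    """First terminal rule matching (uid, iface) wins, else the chain policy."""
    for rule in rules:
        if rule["uid"] is not None and rule["uid"] != uid:
            continue
        if not iface_matches(rule["iface"], iface):
            continue
        if rule["target"] in TERMINAL:
            return rule["target"]
    return policy


def egress_gaps(listing, uid, ifaces=("wlan0", "rmnet_data0")):
    """Interfaces on which traffic from this app UID is still accepted."""
    policy, rules = parse_rules(listing)
    return [i for i in ifaces if verdict(policy, rules, uid, i) == "ACCEPT"]


if __name__ == "__main__":
    for uid in (10123, 10150, 10200, 10999):
        gaps = egress_gaps(SAMPLE_RULES, uid)
        print(uid, gaps or "blocked on all listed interfaces")
```

A rule set that blocks an app on mobile data only, like UID 10150 in the sample, shows up as a gap on `wlan0`.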
Thanks for sharing information.
I agree with you that rooting is not bad when you know what you are doing but also you should know WHAT APPS ARE DOING.
As a Cyber Security Expert, there are a lot of attacking tactics for Android phones too, as well as PCs. These days there are a lot of vulnerabilities in networking and the Android system.
1. WPA2/PSK wireless technology is not safe as it is vulnerable to the BlueBorne attack
2. Newly found vulnerability in LTE networks, allowing three types of attacking methods.
3. Adware is most common on rooted phones, and if it gets administrator permissions, it becomes evil.
4. MITM attack is always here
And there are a lot of other methods used these days to hijack devices.
bencetari said:
Hi everyone. I just want to make it clear.
Rooting isn't bad if you know what you are doing.
First of all, there are attack methods for Android as well as for PCs.
Here's how to prevent them.
NON-ROOTED:
Make sure you clear cache and dalvik once every month (This is just for the sake of free storage).
If a third-party app you downloaded doesn't have a name in the package installer, don't install it. More likely delete even the apk.
Otherwise it will probably show random webpages by using default browser.
Download any kind of Anti-Virus like Avast, AVG, CM security etc...
Don't turn Play Protect off, if you don't have root, you probably don't have apps that can be recognised as a threat.
Don't download any file from anywhere with an unknown extension.
If your phone supports it without any issues, you can use Full Device Encryption in Security Settings. This will put the Normal mode lock to recovery, and even the phone can't be booted unless you type the password in. Also, in recovery, if the attacker deletes the entire system partition, your user data partition will still be encrypted, so your data is safe.
ROOTED:
First of all, to protect yourself from network-based attack vectors, install AFWall+ (Free on Play Store).
It requires root access because it's modifying the device's iptables rules to prevent specified apps or app kinds from reaching different sorts of networks; if you are paranoid you can even deny the entire system from reaching any sort of network.
Second, install a root-privileged anti-virus (I'm pretty sure such things exist).
Third, use Magisk rooting instead of SuperSU or phh's Superuser. Magisk has 2 very useful mods: one is Energized Protection, which blocks malware, adware etc., and the second one is Unified Hosts Adblock (I prefer this a bit more because it has a GUI where you can select what must be blocked).
Also, the Magisk rooting method doesn't corrupt your device's fingerprint, so it passes SafetyNet, so you can still use Snapchat and Super Mario Run even with a rooted device.
Fourth, you can still use Full Device Encryption. (Remember: if you forget your password or something doesn't work after the encryption, like the fingerprint sensor, you should consider going back to stock with NAND erase to get the data partition decrypted (causes full internal SD content loss); otherwise a factory reset won't do the job.)
**rooted user**
What happens if I lose my phone and someone gets into the recovery and deletes the lockscreen security? How can I avoid that? Is running a custom ROM without a custom recovery safe, or is it even possible?
I'd like to add:
• Using a trusted VPN
• Possibly changing your DNS settings to use a provider that supports DNS over HTTPS
clonechill said:
**rooted user**
What happens if I lose my phone and someone gets into the recovery and deletes the lockscreen security? How can I avoid that? Is running a custom ROM without a custom recovery safe, or is it even possible?
Philz CWM recovery and some other custom TWRPs have a recovery lock. And with full device encryption, the data partition can't be reached without giving the unlock.
"Can't load Android system" and "Factory data reset" tried and does not work
Hi all,
I bought a Pixel 3a, unlocked the bootloader, upgraded it to Android 10, and then tried to root it with Magisk. I must somehow have missed a step because now the phone only boots to:
Android Recovery
google/sargo/sargo
9/PQ3B.190801.002/5674421
user/release-keys
Use volume up/down and power.
Can't load Android system. Your data may be corrupt. If you continue to get this message, you may need to perform a factory data reset and erase all user data stored on this device.
Try again
Factory data reset
If I "Try again" I end up in the same place after a long time with the Google logo and a reboot. If I "Factory data reset" I also end up in the same place.
My desktop has adb and fastboot, and was able to access the phone until the failed attempt at rooting. Now it does not detect the phone despite the system "bleeping" as if it has found a new device:
>adb devices
* daemon not running; starting now at tcp:5037
* daemon started successfully
List of devices attached
>adb devices
List of devices attached
Is there a way out of this mess?
FD
You're still on P by what recovery says. 0801 image. PQ3B is P. You want QP1A. Please try downloading the recent Q image and follow the official instructions from Google in the link and try again.
https://developers.google.com/android/images
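The reply above reads the installed release off the recovery header. The same check as an added example, not part of the thread: it parses the fingerprint lines recovery prints (or the one-line `ro.build.fingerprint` form) and compares them with the build ID of the factory image a boot.img was taken from. The image build ID `QP1A.000000.000` is a constructed placeholder, and the letter table covers only the P and Q families named in the thread.

```python
import re

# Constructed from the recovery screen quoted in the thread.
RECOVERY_SCREEN = """\
Android Recovery
google/sargo/sargo
9/PQ3B.190801.002/5674421
user/release-keys
Use volume up/down and power.
"""

# First letter of the build ID -> Android release, limited to the two
# release families named in the thread (P and Q).
RELEASE_BY_LETTER = {"P": "9", "Q": "10"}

BUILD_ID_RE = re.compile(r"^([A-Z])[A-Z0-9]{3}\.\d{6}\.\d{3}(\.[A-Z0-9]+)?$")


def parse_fingerprint(text):
    """Parse a build fingerprint from recovery output or a getprop string.

    Recovery prints brand/product/device, release/id/incremental and
    type/tags on separate lines; ro.build.fingerprint joins the same three
    groups with ':'. Both forms are accepted.
    """
    groups = []
    for line in text.splitlines():
        line = line.strip()
        # Fingerprint lines contain '/' and no spaces; this skips UI text
        # such as "Use volume up/down and power."
        if "/" in line and " " not in line:
            groups.extend(line.split(":"))
    if len(groups) != 3:
        raise ValueError("expected 3 fingerprint groups, found %d" % len(groups))
    ident, build, variant = (g.split("/") for g in groups)
    if len(ident) != 3 or len(build) != 3 or len(variant) != 2:
        raise ValueError("malformed fingerprint")
    return {
        "brand": ident[0], "product": ident[1], "device": ident[2],
        "release": build[0], "build_id": build[1], "incremental": build[2],
        "type": variant[0], "tags": variant[1],
    }


def android_release(build_id):
    """Map a build ID to its Android release via the leading letter."""
    match = BUILD_ID_RE.match(build_id.upper())
    if not match:
        raise ValueError("unrecognised build ID: %r" % build_id)
    return RELEASE_BY_LETTER.get(match.group(1))  # None if letter not listed


def check_before_flash(device_text, image_device, image_build_id):
    """Return a list of mismatches between the device and a factory image.

    An empty list means the image is for this device and for the build the
    device currently reports.
    """
    fp = parse_fingerprint(device_text)
    problems = []
    if image_device.lower() != fp["device"].lower():
        problems.append("image is for %s, device is %s"
                        % (image_device, fp["device"]))
    if image_build_id.upper() != fp["build_id"].upper():
        problems.append(
            "device runs %s (Android %s) but the image is %s (Android %s)"
            % (fp["build_id"], android_release(fp["build_id"]),
               image_build_id.upper(), android_release(image_build_id)))
    expected = android_release(fp["build_id"])
    if expected is not None and expected != fp["release"]:
        problems.append("release field %s disagrees with build ID %s"
                        % (fp["release"], fp["build_id"]))
    return problems


if __name__ == "__main__":
    # Placeholder build ID standing in for an Android 10 factory image.
    for problem in check_before_flash(RECOVERY_SCREEN, "sargo", "QP1A.000000.000"):
        print("MISMATCH:", problem)
```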
Uzephi said:
You're still on P by what recovery says. 0801 image. PQ3B is P. You want QP1A. Please try downloading the recent Q image and follow the official instructions from Google in the link and try again.
https://developers.google.com/android/images
Thank you very much! Using the flash-all script I have managed to get my phone back. I have flashed the original Android 9 the phone came with.
Now, one further question, are there some good (as in unlikely to brick my phone again) instructions on how to root my Pixel 3a? I believe that Android 9 is preferred when using Magisk to Android 10, and I do not mind staying with Android 9, but I would like some instructions on how to root it without bricking it again.
Again, thanks for your prompt reply.
Yours,
FD
Frederick Davies said:
Thank you very much! Using the flash-all script I have managed to get my phone back. I have flashed the original Android 9 the phone came with.
Now, one further question, are there some good (as in unlikely to brick my phone again) instructions on how to root my Pixel 3a? I believe that Android 9 is preferred when using Magisk to Android 10, and I do not mind staying with Android 9, but I would like some instructions on how to root it without bricking it again.
Again, thanks for your prompt reply.
Yours,
FD
I followed this guide. It's for a Pixel 3 but it's exactly the same for a 3a. There is no TWRP for 10 so doing it this way is the only way for now.
https://android.gadgethacks.com/how-to/root-your-pixel-3-android-10-0200295/
Just use Magisk to patch the Android 10 boot IMG and flash it, and you're rooted on Android 10
Frederick Davies said:
Now, one further question, are there some good (as in unlikely to brick my phone again) instructions on how to root my Pixel 3a? I believe that Android 9 is preferred when using Magisk to Android 10, and I do not mind staying with Android 9, but I would like some instructions on how to root it without bricking it again.
Again, thanks for your prompt reply.
Yours,
FD
I have created a (IMHO) very thorough guide on how to root your Pixel 3a. It walks you through rooting with both Android Pie and Android 10 with very clear and precise steps. If you have any questions about it, feel free to post in that thread or reach out to me via a direct message.
There is no limitation on using Magisk or rooting under Android 10. The only thing you cannot do with Android 10 is use TWRP, but that isn't a deal breaker. TWRP is good for making backups of your OS, but as you have found you can still recover from just about any situation using the Google factory images, so while a backup might be beneficial at times, it isn't a necessity. Personally I would definitely recommend using Android 10 because Pie isn't being updated by Google anymore, so you are going to be behind on security updates, etc if you stick with Pie.
Watch this video and you shouldn't have any problems
sic0048 said:
I have created a (IMHO) very thorough guide on how to root your Pixel 3a. It walks you through rooting with both Android Pie and Android 10 with very clear and precise steps. If you have any questions about it, feel free to post in that thread or reach out to me via a direct message.
Very detailed indeed, but I still have a question: in your instructions you seem to boot into TWRP to install Magisk, but you do NOT install TWRP itself, just boot it for the installation of Magisk. Is that correct? Why?
sic0048 said:
There is no limitation on using Magisk or rooting under Android 10. The only thing you cannot do with Android 10 is use TWRP, but that isn't a deal breaker. TWRP is good for making backups of your OS, but as you have found you can still recover from just about any situation using the Google factory images, so while a backup might be beneficial at times, it isn't a necessity. Personally I would definitely recommend using Android 10 because Pie isn't being updated by Google anymore, so you are going to be behind on security updates, etc if you stick with Pie.
I am going through all this rigmarole to be able to install XPrivacyLua through the Xposed Framework, but the instructions for Xposed (https://www.xda-developers.com/xposed-framework-hub/) seem to indicate you need TWRP as a requisite, hence I think I am stuck with Android P (9.0).
On the other hand, I get conflicting information as to whether Xposed for Magisk does (https://www.xda-developers.com/xposed-framework-hub/) or does not (https://forum.xda-developers.com/xposed/unofficial-systemless-xposed-t3388268) pass SafetyNet. Most confusing...
FD
Frederick Davies said:
Very detailed indeed, but I still have a question: in your instructions you seem to boot into TWRP to install Magisk, but you do NOT install TWRP itself, just boot it for the installation of Magisk. Is that correct? Why?
FD
There is no need to install or boot into TWRP (btw. there is even no working TWRP for Android 10 yet) to install Magisk. It's sufficient to install Magisk Manager on your phone and patch the boot.img extracted from the factory image. Just follow the instructions which have been quoted here in the thread already.
AndDiSa said:
There is no need to install or boot into TWRP (btw. there is even no working TWRP for Android 10 yet) to install Magisk. It's sufficient to install Magisk Manager on your phone and patch the boot.img extracted from the factory image. Just follow the instructions which have been quoted here in the thread already.
Dear AndDisa,
As I said, I am rooting my Pixel 3a because I want to install XPrivacyLua, which requires the Xposed Framework; and to install Xposed with Magisk, it lists TWRP as a pre-requisite (see "Method 2: Magisk" in https://www.xda-developers.com/xposed-framework-hub/). Since it seems there is some kind of reluctance to use/install TWRP in this thread, I am asking why that is so. I understand it is possible to install Magisk without TWRP, I am just asking "why?"
Again, thank you all for your help.
FD
TWRP doesn't work on Android 10 at this point so you can't flash it.
Frederick Davies said:
Dear AndDisa,
As I said, I am rooting my Pixel 3a because I want to install XPrivacyLua, which requires the Xposed Framework; and to install Xposed with Magisk, it lists TWRP as a pre-requisite (see "Method 2: Magisk" in https://www.xda-developers.com/xposed-framework-hub/). Since it seems there is some kind of reluctance to use/install TWRP in this thread, I am asking why that is so. I understand it is possible to install Magisk without TWRP, I am just asking "why?"
Again, thank you all for your help.
FD
If you read closely in the guide sic linked, he does state the TWRP method is only for P because you can't use TWRP on 10. It is the way partitions are handled in 10 where you really can't read your internal storage and it would have to require a code rework. Until that's done, no TWRP.
Edit: quote from twrp developer about it. https://twrp.me/site/update/2019/10/23/twrp-and-android-10.html
https://github.com/ElderDrivers/EdXposed/pull/354
https://github.com/ElderDrivers/EdXposedManager/releases
You can flash xposed without TWRP. Just install edxposed by downloading and installing through magisk and install the edxposed manager. You don't need TWRP
Frederick Davies said:
Very detailed indeed, but I still have a question: in your instructions you seem to boot into TWRP to install Magisk, but you do NOT install TWRP itself, just boot it for the installation of Magisk. Is that correct? Why?
FD
As others have noted, TWRP does not work with Android 10. However, I also wanted to answer your question because it is valid.....
With Android Pie (9), you cannot permanently install TWRP unless you first flash a custom kernel that supports LZMA compression. Using the stock kernel, you can load TWRP using ADB and use it just like normal, but when you reboot the phone TWRP will not be loaded anymore. My instructions are about rooting the phone and not about installing TWRP permanently on the phone and therefore I provided the simplest method to accomplish that goal.
Most custom kernels have been updated with LZMA support, but you should really read the TWRP thread for more information on how to permanently install TWRP on Android Pie
Dear All,
Thank you for all your help and explanations concerning my questions.
I have now rooted my Pixel 3a running Android 9 following the instructions supplied (no TWRP installation), and it seems that Magisk is installed and happy (at least it thinks it is and FX has root access), but I am afraid that EdXposed and XPrivacyLua are not working as expected.
After Magisk, I installed the "Riru - Core" and "Riru - EdXposed (YAHFA)" modules. I then installed the "EdXposed Framework (YAHFA)" (giving the EdXposed Installer superuser privileges; EdXposed reports it is installed and active), and the XPrivacyLua module inside it. But now Magisk complains that the SafetyNet checks are failing (this coincides with installing XPrivacyLua, but it is the only module I have in EdXposed), and XPrivacyLua is not actually blocking anything at all (that is, even when I supposedly block access to some functions, the apps just go ahead and use them).
Why do I get the impression Google does not want people to root their phones?
Yours,
FD
Frederick Davies said:
Dear All,
Thank you for all your help and explanations concerning my questions.
I have now rooted my Pixel 3a running Android 9 following the instructions supplied (no TWRP installation), and it seems that Magisk is installed and happy (at least it thinks it is and FX has root access), but I am afraid that EdXposed and XPrivacyLua are not working as expected.
After Magisk, I installed the "Riru - Core" and "Riru - EdXposed (YAHFA)" modules. I then installed the "EdXposed Framework (YAHFA)" (giving the EdXposed Installer superuser privileges; EdXposed reports it is installed and active), and the XPrivacyLua module inside it. But now Magisk complains that the SafetyNet checks are failing (this coincides with installing XPrivacyLua, but it is the only module I have in EdXposed), and XPrivacyLua is not actually blocking anything at all (that is, even when I supposedly block access to some functions, the apps just go ahead and use them).
Why do I get the impression Google does not want people to root their phones?
Yours,
FD
It is most certainly the things you have installed that are breaking the SafetyNet check. I don't know anything about XPrivacyLua, but I would assume there is a support thread here on XDA for it. I would read that support thread and see if there is a solution to the SafetyNet issue.
Dear All,
OK, I have now rooted my Pixel 3a: I am running Android 9, and I flashed Magisk (Magisk Manager version 7.4.0; Magisk version 20.1) without installing TWRP as per the instructions. Then I installed the Riru - Core (version 10) and Riru - Ed Exposed (version 0.2.8_beta) modules, which allowed me to install EdXposedInstaller (version 2.2.5). I am currently running Xposed Framework (version 90.0-0.2.8) with XPrivacyLua (version 1.25).
The result is that XPrivacyLua is working with a few caveats: the SafetyNet Check fails both the ctsProfile and basicIntegrity checks (this is triggered by XPrivacyLua, not (Ed)Xposed), and when I limit access of WhatsApp to the Contacts list, there are constant errors whenever WhatsApp tries to read it (though it seems to work as expected). Also, the Contacts list keeps disappearing from the Contacts app itself, despite WhatsApp actually seeing those contacts in there (go figure).
Other apps that require root (like FX) are working as expected.
In the end, I have decided that since I am not interested in using my mobile for Google Pay, I will have to live with it as it is now, but I have a couple of points for others that may want to follow in my footsteps (this is not necessarily related to the method of rooting; those who helped me here are certainly not at fault for the following):
1. XPrivacyLua is in no way as capable and easy to use as XPrivacy was (XPrivacy is the main reason why I am rooting my phone). If I could install Android 4 on my Pixel 3a, I would do so and go back to XPrivacy (my venerable Nexus 5's second battery is shot, so I had to get new hardware). There is nothing in Android 9 that I actually need that was not there in Android 4.
2. We really need a Nexus Root Toolkit for Pixel phones. The multitude of versions and steps required in rooting them successfully is too much for those like me who will root their phone for one or two apps and then leave it as it is. I know that these forums are really for tinkerers who want to extract the maximum from their hardware, and hence my point of view is not representative here, but I just want a mobile that will not spy on me, the rest is irrelevant to me.
I guess I will have to open a thread in the XPrivacyLua forums to see if I can sort out my problems, but I would like to thank you all for your help in getting me here and answering my questions (no matter how pointless they may have seemed).
Yours,
FD
Frederick Davies said:
Dear All,
OK, I have now rooted my Pixel 3a: I am running Android 9, and I flashed Magisk (Magisk Manager version 7.4.0; Magisk version 20.1) without installing TWRP as per the instructions. Then I installed the Riru - Core (version 10) and Riru - Ed Exposed (version 0.2.8_beta) modules, which allowed me to install EdXposedInstaller (version 2.2.5). I am currently running Xposed Framework (version 90.0-0.2.8) with XPrivacyLua (version 1.25).
The result is that XPrivacyLua is working with a few caveats: the SafetyNet Check fails both the ctsProfile and basicIntegrity checks (this is triggered by XPrivacyLua, not (Ed)Xposed), and when I limit access of WhatsApp to the Contacts list, there are constant errors whenever WhatsApp tries to read it (though it seems to work as expected). Also, the Contacts list keeps disappearing from the Contacts app itself, despite WhatsApp actually seeing those contacts in there (go figure).
Other apps that require root (like FX) are working as expected.
In the end, I have decided that since I am not interested in using my mobile for Google Pay, I will have to live with it as it is now, but I have a couple of points for others that may want to follow in my footsteps (this is not necessarily related to the method of rooting; those who helped me here are certainly not at fault for the following):
1. XPrivacyLua is in no way as capable and easy to use as XPrivacy was (XPrivacy is the main reason why I am rooting my phone). If I could install Android 4 on my Pixel 3a, I would do so and go back to XPrivacy (my venerable Nexus 5's second battery is shot, so I had to get new hardware). There is nothing in Android 9 that I actually need that was not there in Android 4.
2. We really need a Nexus Root Toolkit for Pixel phones. The multitude of versions and steps required in rooting them successfully is too much for those like me who will root their phone for one or two apps and then leave it as it is. I know that these forums are really for tinkerers who want to extract the maximum from their hardware, and hence my point of view is not representative here, but I just want a mobile that will not spy on me, the rest is irrelevant to me.
I guess I will have to open a thread in the XPrivacyLua forums to see if I can sort out my problems, but I would like to thank you all for your help in getting me here and answering my questions (no matter how pointless they may have seemed).
Yours,
FD
Cool story bro
Hi,
I have installed Pixel Experience Plus on starlte (galaxy9).
I need to install a work profile with MS Teams (that's said).
It requires MS Intune, which requires system encryption.
1. Is there any way to trick Intune about mobile encryption? (I don't want to encrypt my mobile.)
2. Even if I try to encrypt, the encryption process was taking more than 4 hours, so I stopped it and wiped in TWRP.
duo_pendulum said:
Hi,
I have installed Pixel Experience Plus on starlte (galaxy9).
I need to install a work profile with MS Teams (that's said).
It requires MS Intune, which requires system encryption.
1. Is there any way to trick Intune about mobile encryption? (I don't want to encrypt my mobile.)
2. Even if I try to encrypt, the encryption process was taking more than 4 hours, so I stopped it and wiped in TWRP.
I don't have any experience with any MS product and never will. Did you already check if this Magisk module could solve your problem?
[MODULE] Microsoft Intune Company Portal Hider (Intune Hider)
Introduction: Simple Module To Hide The Root From Microsoft Intune Company Portal. - After The Installation & 1st Reboot, It Hides The Rooting & Disables Itself [P.S. Disabling Itself For Some Versions] - Enabling This Module From Magisk Manager...
forum.xda-developers.com
Yes I have my galaxy9 rooted with Magisk. I flashed recovery to TWRP 3.6.0_9-0. Works perfect.
I think the problem is not related to MS Intune. It is more related to 'Settings -> Security -> Encrypt Phone' in my Pixel Experience Plus custom ROM.
If I want to encrypt directly from settings, the encryption progress bar is never ending (after 4 hours I rebooted).
I have ROM from here:
[ROM][11][S9/S9+] PixelExperience Plus [AOSP/UNOFFICIAL]
PixelExperience Plus for S9/S9+ [starlte/star2lte] What is this? PixelExperience Plus is an AOSP based ROM, with Google apps included and all Pixel goodies (launcher, wallpapers, icons, fonts, boot animation) it has some extra additions over...
forum.xda-developers.com
I know there is a fresher version of Pixel Experience Plus:
[ROM][10.0][NOTE 9] Pixel Experience Plus [AOSP/UNOFFICIAL][2020/12/12]
hi, I installed it, but when I rebooted the phone again I went to download mode, help me, thanks
forum.xda-developers.com
but the download link doesn't work :-(
I also flashed DisableForceEncryption.zip but it also didn't help.
Maybe because Android 11 uses File-Based Encryption (FBE) instead of FDE.
Oswald, in the link you attached there is something about Magisk Hidden. As far as I see now, it is a Magisk feature, and the application (MS Intune) didn't complain about "hey your phone is rooted" because Magisk is hidden.
BTW. Thx for answer
duo_pendulum said:
Oswald, in the link you attached there is something about Magisk Hidden. As far as I see now, it is a Magisk feature, and the application (MS Intune) didn't complain about "hey your phone is rooted" because Magisk is hidden.
BTW. Thx for answer
Hi, did you get your problem solved? I am facing the same issue.
This is a tutorial on how to set up your phone so that you can consistently pass SafetyNet. Note that all this is from my own experience, and if what works on one device blows up another, that's not my problem and I'm not responsible for that. I will attempt to keep this tutorial as clean and simple as possible, but if you have any further questions that are more specific you are welcome to ask.
In order to be as simple as possible to understand, this guide assumes the following:
- You have a PC. Windows, Mac, the almighty Linux, it makes no difference.
- You have the android platform tools on your PC
- Your device has an unlocked bootloader.
- Your device does not have support for signature spoofing.
- Your device does not have Google's official play services on it.
- You have a working brain.
If one or more of the above is incorrect, you'll have to make more use of the last item on the list.
If the last item on the list is incorrect, you're beyond hope.
Now, the guide:
Step 1: Get some magisk on your phone
Setting up magisk is incredibly simple, and I won't be going into detail here. I would recommend installing the regular magisk app and patching your boot image, as that is what I've done.
Note that you do not need the magisk manager app for this guide at all.
I've attached the magisk app I used to this post. You'll need to install the app and make use of the "install" section of the home page.
Once magisk is installed and set up, you'll need to enable zygisk in the magisk settings. Then reboot.
Step 2: Installing MicroG
I am not going to list through all the possible ways you can install microG. Instead, have a link to microG's wiki:
index - MicroG
r/MicroG: Subreddit about microG, a free-as-in-freedom re-implementation of Google’s proprietary Android user space apps and libraries. This …
www.reddit.com
Now here comes the important bit:
From everything I have seen, it appears clear that google stores information about each device that registers with it, and that this in turn will affect SafetyNet.
Therefore, the best way to prevent this leading to SafetyNet failing is to prevent connection with google completely - till the phone is ready.
Before you install microG, make sure your phone has both wifi and data turned off. Leave these off till the setup is complete. Note that only the phone needs to be disconnected, nothing else matters.
In essence, this means that google sees nothing till your device is setup correctly, and then SafetyNet has nothing to complain about.
Now that you've read every word of the above paragraph, go ahead and install microG on your phone.
Make sure you've got all the different components: Core, GSF Framework, FakeStore, and DroidGuard helper. If your installation method does not handle all of this for you, then it sucks, and you shouldn't have used it. Regardless, you can find apks for all of these at https://microg.org/
Step 3: Don't touch
As I've already made clear above, do not change any microG settings at this point. Don't enable device registration (if it's disabled), don't enable safetynet, and just generally leave microG settings alone for now. Oh yeah, and don't turn on wifi or data.
Step 4: Tricking SafetyNet
Everything up till now has just been preparation for actually tricking SafetyNet. So now that we've got all that out the way, let's get down to details:
First, downloads:
Download the latest zip: https://themagisk.com/magiskhide-props-config/
Download the latest zygisk zip: https://themagisk.com/universal-safetynet-fix/
Move these over to your phone and install them both as magisk modules.
Once these modules are installed and you've rebooted, connect your phone to your pc.
Open a terminal/command prompt in your platform tools folder, and type "adb shell props". You may need to grant the superuser permission from your phone.
Then choose option 1.
You'll then need to choose a device from the list available.
The key here is that we need to spoof our device fingerprint, so google thinks the device is certified, even if it actually isn't.
If your device is approved by google, then simply select your device model.
If not, things get a bit more unclear. Not every fingerprint will work for every device - If your device is vastly different from the one you are trying to spoof things may not always work correctly. The best advice I can give here is to choose a device that matches yours as closely as possible. As an example: if your device is made by Xiaomi but is not approved by google, I would select a fingerprint belonging to a Xiaomi device.
Keep in mind that if you try a fingerprint that does not work, you cannot simply switch it to something else and try again, as the SafetyNet history for the device has to be clean.
Once you've spoofed your device fingerprint and rebooted, you're almost ready to test out SafetyNet and google sign in. But first:
Step 5: Do you need signature spoofing?
To ensure things work as smoothly as possible, it's important to make sure you have signature spoofing working before you test SafetyNet. If you've got your own solution to that, great. If not:
The first thing I have to point out is that a lot of sigspoof methods on google nowadays are outdated and semi-functional at best, working for a handful of devices. As this guide is intended to be a universal solution regardless of your device, the only answer is lsposed and fakegapps.
Download the latest zygisk zip: https://themagisk.com/lsposed/
Transfer it to your phone and install it as a magisk module.
I've attached the full lsposed manager apk to this post, as the parasitic one sucks. Install it and the fakegapps apk which I've also attached to this post.
You'll now need to enable fakegapps, and turn it on for anything that might need access to spoofing. This includes the system framework, all the microG stuff, and any app that needs to be fooled by microg. Then reboot.
Step 6: Ready to test
Everything should now be set up correctly.
Check the microG settings to make sure signatures are correctly being spoofed.
Enable device registration (if disabled).
Enable SafetyNet attestation.
At this point your phone should still be completely disconnected from the internet.
If you're happy everything is set up correctly, turn on your wifi or data, and test SafetyNet attestation.
Step 7: Done.
Hopefully you now have working SafetyNet and google sign in. If this does work for you, it means that safetynet is now stable on your device, and you are free to install whatever you want on it.
If it didn't work, keep in mind that this hasn't been tested on every device in existence. All I know is that this consistently works for me.
If your phone doesn't turn on, you probably need to charge it.
If your phone has exploded, you probably have a Samsung.
Thanks everyone for reading my guide, I hope you enjoyed! (Maybe it even worked)
RESERVED FOR STUFF
Your guide is well made but I have some things I would change.
1) Since everything has to be done offline and adb is used in linux installation at least I would recommend adding a tip with adb push ~/Downloads/safetynet-tools.zip /storage/emulated/0/Downloads.
Furthermore, because of it I recommend attaching a single zip with tools so they can be moved easily to the device.
2) There is missing information: you said in the guide that SafetyNet trips extremely easily. During the entire process the device can't be connected to the internet, but what if you want to install another app? For example, what if you want to install another app later, let's say Netflix for example. I know for a fact it requires SafetyNet. It would be configured automatically, will it? This would conclude to permanently lock SafetyNet till it's reinstalled.
hypethetime said:
Your guide is well made but I have some things I would change.
1) Since everything has to be done offline and adb is used in linux installation at least I would recommend adding a tip with adb push ~/Downloads/safetynet-tools.zip /storage/emulated/0/Downloads.
Furthermore, because of it I recommend attaching a single zip with tools so they can be moved easily to the device.
Hi, I think you may have misunderstood slightly. Only the phone has to be offline, you can still connect it to a PC and download the files on the PC. The only important thing is that the device doesn't communicate with google till you are ready for it to.
hypethetime said:
2) There is missing information: you said in the guide that SafetyNet trips extremely easily. During the entire process the device can't be connected to the internet, but what if you want to install another app? For example, what if you want to install another app later, let's say Netflix for example. I know for a fact it requires SafetyNet. It would be configured automatically, will it? This would conclude to permanently lock SafetyNet till it's reinstalled.
Once the process is complete, you can install whatever else you want and safetynet will not stop working. The main thing is that the process of setting up the device so that it can be approved is very easy to mess up, so that part has to be done carefully.
I'll edit the guide to make these points more clear.
Sense_101 said:
Hi, I think you may have misunderstood slightly. Only the phone has to be offline, you can still connect it to a PC and download the files on the PC. The only important thing is that the device doesn't communicate with google till you are ready for it to.
I knew you always were able to use pc and you misunderstood me. I at least often had the problem with transferring files for some reason and for this adb push is extremely helpful.
Regarding installing more apps, thank you for the answer and how quickly it came.
Sense_101 said:
This is a tutorial on how to set up your phone so that you can consistently pass SafetyNet. Note that all this is from my own experience, and if what works on one device blows up another, that's not my problem and I'm not responsible for that. I will attempt to keep this tutorial as clean and simple as possible, but if you have any further questions that are more specific you are welcome to ask.
In order to be as simple as possible to understand, this guide assumes the following:
- You have a PC. Windows, Mac, the almighty Linux, it makes no difference.
- You have the android platform tools on your PC
- Your device has an unlocked bootloader.
- Your device does not have support for signature spoofing.
- Your device does not have Google's official play services on it.
- You have a working brain.
If one or more of the above is incorrect, you'll have to make more use of the last item on the list.
If the last item on the list is incorrect, you're beyond hope.
Now, the guide:
Step 1: Get some magisk on your phone
Setting up magisk is incredibly simple, and I won't be going into detail here. I would recommend installing the regular magisk app and patching your boot image, as that is what I've done.
Note that you do not need the magisk manager app for this guide at all.
I've attached the magisk app I used to this post. You'll need to install the app and make use of the "install" section of the home page.
Once magisk is installed and set up, you'll need to enable zygisk in the magisk settings. Then reboot.
Step 2: Installing MicroG
I am not going to list through all the possible way you can install microG. Instead, have a link to microG's wiki:
index - MicroG
r/MicroG: Subreddit about microG, a free-as-in-freedom re-implementation of Google’s proprietary Android user space apps and libraries. This …
www.reddit.com
Now here comes the important bit:
From everything I have seen, it appears clear that google stores information about each device that registers with it, and that this in turn will affect SafetyNet.
Therefore, the best way to prevent this leading to SafetyNet failing is to prevent connection with google completely - till the phone is ready.
Before you install microG, make sure your phone has both wifi and data turned off. Leave these off till the setup is complete. Note that only the phone needs to be disconnected, nothing else matters.
In essence, this means that google sees nothing till your device is setup correctly, and then SafetyNet has nothing to complain about.
Now that you've read every word of the above paragraph, go ahead and install microG on your phone.
Make sure you've got all the different components: Core, GSF Framework, FakeStore, and DroidGuard helper. If your installation method does not handle all of this for you, then it sucks, and you shouldn't have used it. Regardless, you can find apks for all of these at https://microg.org/
Step 3: Don't touch
As I've already made clear above, do not change any microG settings at this point. Don't enable device registration (if it's disabled), don't enable safetynet, and just generally leave microG settings alone for now. Oh yeah, and don't turn on wifi or data.
Step 4: Tricking SafetyNet
Everything up till now has just been preparation for actually tricking SafetyNet. So now that we've got all that out the way, let's get down to details:
First, downloads:
Download the latest zip: https://themagisk.com/magiskhide-props-config/
Download the latest zygisk zip: https://themagisk.com/universal-safetynet-fix/
Move these over to your phone and install them both as magisk modules.
Once these modules are installed and you've rebooted, connect your phone to your pc.
Open a terminal/command prompt in your platform tools folder, and type "adb shell props". You may need to grant the superuser permission from your phone.
Then choose option 1.
You'll then need to choose a device from the list available.
The key here is that we need to spoof our device fingerprint, so google thinks the device is certified, even if it actually isn't.
If your device is approved by google, then simply select your device model.
If not, things get a bit more unclear. Not every fingerprint will work for every device - If your device is vastly different from the one you are trying to spoof things may not always work correctly. The best advice I can give here is to choose a device that matches yours as closely as possible. As an example: if your device is made by Xiaomi but is not approved by google, I would select a fingerprint belonging to a Xiaomi device.
Keep in mind that if you try a fingerprint that does not work, you cannot simply switch it to something else and try again, as the SafetyNet history for the device has to be clean.
Once you've spoofed your device fingerprint and rebooted, you're almost ready to test out SafetyNet and google sign in. But first:
Step 5: Do you need signature spoofing?
To ensure things work as smoothly as possible, it's important to make sure you have signature spoofing working before you test SafetyNet. If you've got your own solution to that, great. If not:
The first thing I have to point out is that a lot of sigspoof methods on google nowadays are outdated and semi-functional at best, working for a handful of devices. As this guide is intended to be a universal solution regardless of your device, the only answer is lsposed and fakegapps.
Download the latest zygisk zip: https://themagisk.com/lsposed/
Transfer it to your phone and install it as a magisk module.
I've attached the full lsposed manager apk to this post, as the parasitic one sucks. Install it and the fakegapps apk which I've also attached to this post.
You'll now need to enable fakegapps, and turn it on for anything that might need access to spoofing. This includes the system framework, all the microG stuff, and any app that needs to be fooled by microg. Then reboot.
Step 6: Ready to test
Everything should now be set up correctly.
Check the microG settings to make sure signatures are correctly being spoofed.
Enable device registration (if disabled).
Enable SafetyNet attestation.
At this point your phone should still be completely disconnected from the internet.
If you're happy everything is set up correctly, turn on your wifi or data, and test SafetyNet attestation.
Step 7: Done.
Hopefully you now have working SafetyNet and google sign in. If this does work for you, it means that safetynet is now stable on your device, and you are free to install whatever you want on it.
If it didn't work, keep in mind that this hasn't been tested on every device in existence. All I know is that this consistently works for me.
If your phone doesn't turn on, you probably need to charge it.
If your phone has exploded, you probably have a Samsung.
Thanks everyone for reading my guide, I hope you enjoyed! (Maybe it even worked)
I have a Samsung galaxy note 10 plus running LineageOS 19.1. It's unlocked, and rooted with Magisk. Is there something about Samsung phones that are more likely to "explode" trying to install MicroG?
WheelingPigeon said:
I have a Samsung galaxy note 10 plus running LineageOS 19.1. It's unlocked, and rooted with Magisk. Is there something about Samsung phones that are more likely to "explode" trying to install MicroG?
Yeah, that's a joke
WheelingPigeon said:
I have a Samsung galaxy note 10 plus running LineageOS 19.1. It's unlocked, and rooted with Magisk. Is there something about Samsung phones that are more likely to "explode" trying to install MicroG?
Samsung phones have a history of "blowing" up. First they were actually dangerous in very few cases but now they can expand and pop off the back of your phone. As long as you switch the battery then you're safe to use it.
AOSP Rom (signature spoofing unsupported, without MicroG installer)
After Root install patch for spoofing via NanoDroid Patcher
Open Magisk settings -> Enable Zygisk + Enforce DenyList, install module MagiskHide Props Config -> reboot
Open Termux or ADB, type su to set root permission then type props (option 1)
Install MicroG via APK or official F-Droid app, grant Signature spoofing permission
If you want to use the Play Store, install the patched version (F-Droid add repo NanoDroid)
Open MicroG Settings -> Self-Check -> make sure all boxes are checked
Turn on Google device registration, Google SafetyNet, if CTS fails then install Universal SafetyNet Fix
Install magisk module App Systemizer, Busybox for Android NDK to change MicroG to system app
As we know, when a Samsung phone is rooted Knox is tripped, so multi user with a work profile isn't possible, with the error message... can't create work profile.
This is a how-to guide to bypass Knox security so Shelter works on it, after a lot of trial and error
My setup
- S20 magisk zygisk root android 13
- Magisk modules: lsposed, knoxpatch apk and enhancer (in lsposed), shamiko as blacklist mode, safetynet fix
- Shelter
Guide
- Root your samsung phone with zygisk magisk (25.2) and install those magisk modules. Reboot several times
- In Lsposed enable KnoxPatch module with suggested Recommended. Reboot
- In Magisk Settings change Multiuser Mode > Device Owner Managed (using in multi user profile)
- In Magisk Settings change Mount Namespace Mode > Inherit namespace. Reboot
- Install Shelter and create work profile following Setup Wizard
- Clone the needed apps to Work profile or install directly from Shelter Work Profile
- In Magisk configure DenyList with those apps in work profile
My rooted S20 works fine in Work Profile with my company apps Microsoft Authenticator, Company Portal, Outlook, Teams etc.
Hope it helps for you guys too.
Further steps are needed to make company apps work on a Work Profile created by Shelter/Island:
- Install Applist Detector to check root
- Install InitrcHider (zygisk version) in Magisk
- In Magisk configure DenyList with full denying for those company apps (ticks all processes)
- Uninstall Magisk from Settings/Apps, not directly from Magisk! Because if you do it from Magisk then you lose root
- Check root again with AppList Detector
- Delete company apps data and cache from Settings/ Apps then setup those apps again as new
gsmdb said:
As we know, when a Samsung phone is rooted Knox is tripped, so multi user with a work profile isn't possible, with the error message... can't create work profile.
This is a how-to guide to bypass Knox security so Shelter works on it, after a lot of trial and error
My setup
- S20 magisk zygisk root android 13
- Magisk modules: lsposed, knoxpatch apk and enhancer (in lsposed), shamiko as blacklist mode, safetynet fix
- Shelter
Guide
- Root your samsung phone with zygisk magisk (25.2) and install those magisk modules. Reboot several times
- In Lsposed enable KnoxPatch module with suggested Recommended. Reboot
- In Magisk Settings change Multiuser Mode > Device Owner Managed (using in multi user profile)
- In Magisk Settings change Mount Namespace Mode > Inherit namespace. Reboot
- Install Shelter and create work profile following Setup Wizard
- Clone the needed apps to Work profile or install directly from Shelter Work Profile
- In Magisk configure DenyList with those apps in work profile
My rooted S20 works fine in Work Profile with my company apps Microsoft Authenticator, Company Portal, Outlook, Teams etc.
Hope it helps for you guys too.
Do the above steps really work bro?
Please help me bro
Device Details:
Samsung S10
Custom ROM: One UI 5.1 android 13 by Ivan_meler
Issue: unable to use intune company portal and Island
Please guide me how to do it bro. The above instructions are not working for me bro
Did it work for you to install Island?
The scoop is how to make Shelter/ Island/ Insular work with rooted Samsung.
Further steps are needed to make company apps work on a Work Profile created by Shelter/Island:
- Install Applist Detector to check root
- Install InitrcHider (zygisk version)
- In Magisk configure DenyList with full denying for those company apps (ticks all processes)
- Uninstall Magisk from Settings/Apps, not directly from Magisk (important!) because if you do it from Magisk then you lose root
- Check root again with AppList Detector
- Delete company apps data and cache from Settings/ Apps then setup those apps again as new
Thanks for your reply bro
My first issue is that when i try to install shelter or island it starts, loads and restarts automatically bro
Rooted, installed above modules and followed the instruction bro.
Are you sure your Knox works? Samsung Health, Biometrics, Samsung Pass etc?
It looks like you've trouble with Knox.
You can try enable multi user (per default disabled in Samsung) either using Firefds Kit module in Lsposed or edit the build.prop with
#Multi user
fw.max_users=3
fw.show_multiuserui=1
I have attached the screenshots bro. Please check. Yeah, even I think Knox is not working, it is tripped and I'm using a custom ROM bro. If I use Intune on the main profile it says you need to enable encryption, and in the Island profile it is not even registering the profile. Samsung Pass doesn't work bro... other Samsung apps work properly when I use lsposed knox enhancer bro
My Knox is tripped too because of unlocking the bootloader.
I'm using stock ROM with custom kernel rooted with magisk. The phone is still encrypted.
Your case is using a decrypted ROM. You can search on XDA for flashing a custom ROM without decryption.
The official twrp doesn't decrypt the data partition, the biggest catch will be that you will not have the data partition in a twrp backup. But apart from that, twrp will still work for installs and updates and backups of the system and cache partitions.
Use Smart Switch to do the backup instead.
gsmdb said:
My Knox is tripped too because of unlocking the bootloader.
I'm using stock ROM with custom kernel rooted with magisk. The phone is still encrypted.
Your case is using a decrypted ROM. You can search on XDA for flashing a custom ROM without decryption
Can u suggest any rom bro?
My device is S10, and I don't want to use Pixel or a different ROM, want only a One UI ported ROM bro, android 13
gsmdb said:
My Knox is tripped too because of unlocking the bootloader.
I'm using stock ROM with custom kernel rooted with magisk. The phone is still encrypted.
Your case is using a decrypted ROM. You can search on XDA for flashing a custom ROM without decryption.
The official twrp doesn't decrypt the data partition, the biggest catch will be that you will not have the data partition in a twrp backup. But apart from that, twrp will still work for installs and updates and backups of the system and cache partitions.
Use Smart Switch to do the backup instead.
How to do it bro using smart switch
You can still use One UI5.1 ivan_meler custom ROM. Nothing wrong with it.
You must flash stock ROM first to get back encrypted. Set it up until your phone is working.
Flash twrp and get custom ROM on external SD card.
Follow your own process to flash custom ROM with twrp.
In twrp do wipe dalvik and cache as usual. DON'T format Data. Doing it will get your phone decrypted.
Install your custom ROM.
I did it as remembered back to the days with my old s10 with custom ROM android 10.
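The encryption point raised in this exchange (formatting Data in TWRP leaves the phone decrypted, and Intune then asks for encryption) can be checked from the PC over adb. This is an added example, not part of any post in the thread; it assumes the standard Android properties ro.crypto.state and ro.crypto.type, and the sample dumps in it are constructed.

```shell
#!/bin/sh
# Added example: report whether the data partition is encrypted, from the
# text that `getprop` prints. Real use, with the phone connected over USB:
#   adb shell getprop | data_encryption_verdict
# The function names and the sample dumps below are constructed for this
# example; ro.crypto.state and ro.crypto.type are standard Android properties.

# Print the value of property $1 from getprop text on stdin.
# getprop prints one "[name]: [value]" pair per line; adb may append a CR.
prop_value() {
    awk -v key="[$1]: [" '
        index($0, key) == 1 {
            val = substr($0, length(key) + 1)
            sub(/\][ \t\r]*$/, "", val)   # drop closing bracket and any CR
            print val
            exit
        }'
}

# Read a getprop dump on stdin and print a one-line verdict.
data_encryption_verdict() {
    dump=$(cat)
    state=$(printf '%s\n' "$dump" | prop_value ro.crypto.state)
    ctype=$(printf '%s\n' "$dump" | prop_value ro.crypto.type)
    case "$state" in
        encrypted)
            case "$ctype" in
                file)  echo "encrypted (file-based)" ;;
                block) echo "encrypted (full-disk)" ;;
                *)     echo "encrypted (type not reported)" ;;
            esac ;;
        unencrypted) echo "NOT encrypted" ;;
        unsupported) echo "encryption unsupported" ;;
        "")          echo "unknown (ro.crypto.state missing)" ;;
        *)           echo "unknown ($state)" ;;
    esac
}

# Constructed sample dumps: a phone that kept its encryption, and one whose
# data partition was formatted and left decrypted.
SAMPLE_ENCRYPTED='[ro.build.type]: [user]
[ro.crypto.state]: [encrypted]
[ro.crypto.type]: [file]'
SAMPLE_DECRYPTED='[ro.build.type]: [user]
[ro.crypto.state]: [unencrypted]'

printf 'kept encryption: %s\n' \
    "$(printf '%s\n' "$SAMPLE_ENCRYPTED" | data_encryption_verdict)"
printf 'after format:    %s\n' \
    "$(printf '%s\n' "$SAMPLE_DECRYPTED" | data_encryption_verdict)"
```

Running the check before and after flashing shows whether the ROM install kept the data partition encrypted.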
gsmdb said:
You can still use One UI5.1 ivan_meler custom ROM. Nothing wrong with it.
You must flash stock ROM first to get back encrypted. Set it up until your phone is working.
Flash twrp and get custom ROM on external SD card.
Follow your own process to flash custom ROM with twrp.
In twrp do wipe dalvik and cache as usual. DON'T format Data. Doing it will get your phone decrypted.
Install your custom ROM.
I did it as remembered back to the days with my old s10 with custom ROM android 10.
In the official TWRP My SD card shows only 117MB instead of 128GB bro. So i will try adb sideload bro
Probably your SD card is formatted with exFAT, which isn't visible in twrp.
Try FAT32 instead.
{the file is too large for destination} -b can't transfer a file of more than 4gb bro after formatting SD card to FAT32
Bro in island work profile, intune looks like this only bro, I did click in check device settings multiple time bro nothing happens bro but in the main profile I can install and register my device in intune bro and use my company mails and teams bro
You do know how to use island? You can only use one intune app either in main or work profile. Clone or install directly in work profile and uninstall from the main profile.
Did you check the root from work profile with Applist detector? Install Applist Detector in work profile and run.
In my work profile my device settings is registered as unknown, but ok because it does pass all checks from company apps.