This is a tutorial on how to set up your phone so that you can consistently pass SafetyNet. Note that all this is from my own experience, and if what works on one device blows up another, that's not my problem and I'm not responsible for that. I will attempt to keep this tutorial as clean and simple as possible, but if you have any further questions that are more specific you are welcome to ask.
In order to be as simple as possible to understand, this guide assumes the following:
- You have a PC. Windows, Mac, the almighty Linux, it makes no difference.
- You have the android platform tools on your PC
- Your device has an unlocked bootloader.
- Your device does not have support for signature spoofing.
- Your device does not have Google's official play services on it.
- You have a working brain.
If one or more of the above is incorrect, you'll have to make more use of the last item on the list.
If the last item on the list is incorrect, you're beyond hope.
Now, the guide:
Step 1: Get some magisk on your phone
Setting up magisk is incredibly simple, and I won't be going into detail here. I would recommend installing the regular magisk app and patching your boot image, as that is what I've done.
Note that you do not need the magisk manager app for this guide at all.
I've attached the magisk app I used to this post. You'll need to install the app and make use of the "install" section of the home page.
Once magisk is installed and set up, you'll need to enable zygisk in the magisk settings. Then reboot.
Step 2: Installing MicroG
I am not going to list through all the possible way you can install microG. Instead, have a link to microG's wiki:
index - MicroG
r/MicroG: Subreddit about microG, a free-as-in-freedom re-implementation of Google’s proprietary Android user space apps and libraries. This …
www.reddit.com
Now here comes the important bit:
From everything I have seen, it appears clear that google stores information about each device that registers with it, and that this in turn will affect SafetyNet.
Therefore, the best way to prevent this leading to SafetyNet failing is to prevent connection with google completely - till the phone is ready.
Before you install microG, make sure your phone has both wifi and data turned off. Leave these off till the setup is complete. Note that only the phone needs to be disconnected, nothing else matters.
In essence, this means that google sees nothing till your device is setup correctly, and then SafetyNet has nothing to complain about.
Now that you've read every word of the above paragraph, go ahead and install microG on your phone.
Make sure you've got all the different components: Core, GSF Framework, FakeStore, and DroidGuard helper. If your installation method does not handle all of this for you, then it sucks, and you shouldn't have used it. Regardless, you can find apks for all of these at https://microg.org/
Step 3: Don't touch
As I've already made clear above, do not change any microG settings at this point. Don't enable device registration (if it's disabled), don't enable safetynet, and just generally leave microG settings alone for now. Oh yeah, and don't turn on wifi or data.
Step 4: Tricking SafetyNet
Everything up till now has just been preparation for actually tricking SafetyNet. So now that we've got all that out the way, let's get down to details:
First, downloads:
Download the latest zip: https://themagisk.com/magiskhide-props-config/
Download the latest zygisk zip: https://themagisk.com/universal-safetynet-fix/
Move these over to your phone and install them both as magisk modules.
Once these modules are installed and you've rebooted, connect your phone to your pc.
Open a terminal/command prompt in your platform tools folder, and type "adb shell props". You may need to grant the superuser permission from your phone.
Then choose option 1.
You'll then need to choose a device from the list available.
The key here is that we need to spoof our device fingerprint, so google thinks the device is certified, even if it actually isn't.
If your device is approved by google, then simply select your device model.
If not, things get a bit more unclear. Not every fingerprint will work for every device - If your device is vastly different from the one you are trying to spoof things may not always work correctly. The best advice I can give here is to choose a device that matches yours as closely as possible. As an example: if your device is made by Xiaomi but is not approved by google, I would select a fingerprint belonging to a Xiaomi device.
Keep in mind that if you try a fingerprint that does not work, you cannot simply switch it to something else and try again, as the SafetyNet history for the device has to be clean.
Once you've spoofed your device fingerprint and rebooted, you're almost ready to test out SafetyNet and google sign in. But first:
Step 5: Do you need signature spoofing?
To ensure things work as smoothly as possible, it's important to make sure you have signature spoofing working before you test SafetyNet. If you've got your own solution to that great. If not:
The first thing I have to point out is that a lot of sigspoof methods on google nowadays are outdated and semi-functional at best, working for a handful of devices. As this guide is intended to be a universal solution regardless of your device, the only answer is lsposed and fakegapps.
Download the latest zygisk zip: https://themagisk.com/lsposed/
Transfer it to your phone and install it as a magisk module.
I've attached the full lsposed manager apk to this post, as the parasitic one sucks. Install it and the fakegapps apk which I've also attached to this post.
You'll now need to enable fakegapps, and turn it on for anything that might need access to spoofing. This includes the system framework, all the microG stuff, and any app that needs to be fooled by microg. Then reboot.
Step 6: Ready to test
Everything should now be set up correctly.
Check the microG settings to make sure signatures are correctly being spoofed.
Enable device registration (if disabled).
Enable SafetyNet attestation.
At this point your phone should still be completely disconnected from the internet.
If you're happy everything is set up correctly, turn on your wifi or data, and test SafetyNet attestation.
Step 7: Done.
Hopefully you now have working SafetyNet and google sign in. If this does work for you, it means that safetynet is now stable on your device, and you are free to install whatever you want on it.
If it didn't work, keep in mind that this hasn't been tested on every device in existence. All I know is that this consistently works for me.
If your phone doesn't turn on, you probably need to charge it.
If your phone has exploded, you probably have a Samsung.
Thanks everyone for reading my guide, I hope you enjoyed! (Maybe it even worked)
RESERVED FOR STUFF
Your guide is well made but I have some things I would change.
1) Since everything has to be done offline and adb is used in linux installation at least I would recommend adding an tip with adb push ~/Downloads/safetynet-tools.zip /storage/emulated/0/Downloads.
Furthermore cause of it I recommend attaching a single zip with
tools so they can be moved easily to the device.
2) there is missing Information: you said in the guide that safety net trips extremely easily. During the entire process the device cant be connected to the internet but what if you want to install another app. For example what if you want to install another app later lets say Netflix for example. I know for a fact it requires safetynet. It would be configured automatically will it? This would conclude to permanetley lock safety net till its reinstalled.
hypethetime said:
Your guide is well made but I have some things I would change.
1) Since everything has to be done offline and adb is used in linux installation at least I would recommend adding an tip with adb push ~/Downloads/safetynet-tools.zip /storage/emulated/0/Downloads.
Furthermore cause of it I recommend attaching a single zip with
tools so they can be moved easily to the device.
Click to expand...
Click to collapse
Hi, I think you may have misunderstood slightly. Only the phone has to be offline, you can still connect it to a PC and download the files on the PC. The only important thing is that the device doesn't communicate with google till you are ready for it to.
hypethetime said:
2) there is missing Information: you said in the guide that safety net trips extremely easily. During the entire process the device cant be connected to the internet but what if you want to install another app. For example what if you want to install another app later lets say Netflix for example. I know for a fact it requires safetynet. It would be configured automatically will it? This would conclude to permanetley lock safety net till its reinstalled.
Click to expand...
Click to collapse
Once the process is complete, you can install whatever else you want and safetynet will not stop working. The main thing is that the process of setting up the device so that it can be approved is very easy to mess up, so that part has to be done carefully.
I'll edit the guide to make these points more clear.
Sense_101 said:
Hi, I think you may have misunderstood slightly. Only the phone has to be offline, you can still connect it to a PC and download the files on the PC. The only important thing is that the device doesn't communicate with google till you are ready for it to.
Click to expand...
Click to collapse
I knew you always were able to use pc and you miss understood me. I at least often had the problem with transferring files for some reseason and for this adb push is extremey helpful.
Regarding instaling more apps thank you for the answer and how quickly it came.
Sense_101 said:
This is a tutorial on how to set up your phone so that you can consistently pass SafetyNet. Note that all this is from my own experience, and if what works on one device blows up another, that's not my problem and I'm not responsible for that. I will attempt to keep this tutorial as clean and simple as possible, but if you have any further questions that are more specific you are welcome to ask.
In order to be as simple as possible to understand, this guide assumes the following:
- You have a PC. Windows, Mac, the almighty Linux, it makes no difference.
- You have the android platform tools on your PC
- Your device has an unlocked bootloader.
- Your device does not have support for signature spoofing.
- Your device does not have Google's official play services on it.
- You have a working brain.
If one or more of the above is incorrect, you'll have to make more use of the last item on the list.
If the last item on the list is incorrect, you're beyond hope.
Now, the guide:
Step 1: Get some magisk on your phone
Setting up magisk is incredibly simple, and I won't be going into detail here. I would recommend installing the regular magisk app and patching your boot image, as that is what I've done.
Note that you do not need the magisk manager app for this guide at all.
I've attached the magisk app I used to this post. You'll need to install the app and make use of the "install" section of the home page.
Once magisk is installed and set up, you'll need to enable zygisk in the magisk settings. Then reboot.
Step 2: Installing MicroG
I am not going to list through all the possible way you can install microG. Instead, have a link to microG's wiki:
index - MicroG
r/MicroG: Subreddit about microG, a free-as-in-freedom re-implementation of Google’s proprietary Android user space apps and libraries. This …
www.reddit.com
Now here comes the important bit:
From everything I have seen, it appears clear that google stores information about each device that registers with it, and that this in turn will affect SafetyNet.
Therefore, the best way to prevent this leading to SafetyNet failing is to prevent connection with google completely - till the phone is ready.
Before you install microG, make sure your phone has both wifi and data turned off. Leave these off till the setup is complete. Note that only the phone needs to be disconnected, nothing else matters.
In essence, this means that google sees nothing till your device is setup correctly, and then SafetyNet has nothing to complain about.
Now that you've read every word of the above paragraph, go ahead and install microG on your phone.
Make sure you've got all the different components: Core, GSF Framework, FakeStore, and DroidGuard helper. If your installation method does not handle all of this for you, then it sucks, and you shouldn't have used it. Regardless, you can find apks for all of these at https://microg.org/
Step 3: Don't touch
As I've already made clear above, do not change any microG settings at this point. Don't enable device registration (if it's disabled), don't enable safetynet, and just generally leave microG settings alone for now. Oh yeah, and don't turn on wifi or data.
Step 4: Tricking SafetyNet
Everything up till now has just been preparation for actually tricking SafetyNet. So now that we've got all that out the way, let's get down to details:
First, downloads:
Download the latest zip: https://themagisk.com/magiskhide-props-config/
Download the latest zygisk zip: https://themagisk.com/universal-safetynet-fix/
Move these over to your phone and install them both as magisk modules.
Once these modules are installed and you've rebooted, connect your phone to your pc.
Open a terminal/command prompt in your platform tools folder, and type "adb shell props". You may need to grant the superuser permission from your phone.
Then choose option 1.
You'll then need to choose a device from the list available.
The key here is that we need to spoof our device fingerprint, so google thinks the device is certified, even if it actually isn't.
If your device is approved by google, then simply select your device model.
If not, things get a bit more unclear. Not every fingerprint will work for every device - If your device is vastly different from the one you are trying to spoof things may not always work correctly. The best advice I can give here is to choose a device that matches yours as closely as possible. As an example: if your device is made by Xiaomi but is not approved by google, I would select a fingerprint belonging to a Xiaomi device.
Keep in mind that if you try a fingerprint that does not work, you cannot simply switch it to something else and try again, as the SafetyNet history for the device has to be clean.
Once you've spoofed your device fingerprint and rebooted, you're almost ready to test out SafetyNet and google sign in. But first:
Step 5: Do you need signature spoofing?
To ensure things work as smoothly as possible, it's important to make sure you have signature spoofing working before you test SafetyNet. If you've got your own solution to that great. If not:
The first thing I have to point out is that a lot of sigspoof methods on google nowadays are outdated and semi-functional at best, working for a handful of devices. As this guide is intended to be a universal solution regardless of your device, the only answer is lsposed and fakegapps.
Download the latest zygisk zip: https://themagisk.com/lsposed/
Transfer it to your phone and install it as a magisk module.
I've attached the full lsposed manager apk to this post, as the parasitic one sucks. Install it and the fakegapps apk which I've also attached to this post.
You'll now need to enable fakegapps, and turn it on for anything that might need access to spoofing. This includes the system framework, all the microG stuff, and any app that needs to be fooled by microg. Then reboot.
Step 6: Ready to test
Everything should now be set up correctly.
Check the microG settings to make sure signatures are correctly being spoofed.
Enable device registration (if disabled).
Enable SafetyNet attestation.
At this point your phone should still be completely disconnected from the internet.
If you're happy everything is set up correctly, turn on your wifi or data, and test SafetyNet attestation.
Step 7: Done.
Hopefully you now have working SafetyNet and google sign in. If this does work for you, it means that safetynet is now stable on your device, and you are free to install whatever you want on it.
If it didn't work, keep in mind that this hasn't been tested on every device in existence. All I know is that this consistently works for me.
If your phone doesn't turn on, you probably need to charge it.
If your phone has exploded, you probably have a Samsung.
Thanks everyone for reading my guide, I hope you enjoyed! (Maybe it even worked)
Click to expand...
Click to collapse
I have a Samsung galaxy note 10 plus running LineageOS 19.1. I'ts unlocked, and rooted with Magisk. Is there something about Samsung phones that are more likely to "explode" trying to install MicroG?
WheelingPigeon said:
I have a Samsung galaxy note 10 plus running LineageOS 19.1. I'ts unlocked, and rooted with Magisk. Is there something about Samsung phones that are more likely to "explode" trying to install MicroG?
Click to expand...
Click to collapse
Yeah, that's a joke
WheelingPigeon said:
I have a Samsung galaxy note 10 plus running LineageOS 19.1. I'ts unlocked, and rooted with Magisk. Is there something about Samsung phones that are more likely to "explode" trying to install MicroG?
Click to expand...
Click to collapse
Samsung phones have a history of "blowing" up. First they were actually dangerous in very few cases but now they can expand and pop of the back of your phone. As long as you switch the battery then your safe to use it.
AOSP Rom (signature spoofing unsupported, without MicroG installer)
After Root install patch for spoofing via NanoDroid Patcher
Open Magisk settings -> Enable Zygisk + Enforce DenyList, install module MagiskHide Props Config -> reboot
Open Termux or ADB, type su to set root permission then type props (option 1)
Install MicroG via APK or offical F-Droid app, grant Signature spoofing permission
If you want using play store, install patched version (F-Droid add repo NanoDroid)
Open MicroG Settings -> Self-Check -> make sure all box checked
Turn on Google device registration, Google SafetyNet, if CTS fail then install Universal SafetyNet Fix
Install magisk module App Systemizer, Busybox for Android NDK to change MicroG to system app
Related
"Can't load Android system" and "Factory data reset" tried and does not work
Hi all,
I bought a Pixel 3a, unlocked the bootloader, upgraded it to Android 10, and then tried to root it with Magisk. I must somehow have missed a step because now the phone only boots to:
Android Recovery
google/sargo/sargo
9/PQ3B.190801.002/5674421
user/release-keys
Use volume up/down and power.
Can't load Android system. Your data may be corrupt. If you continue to get this message, you may need to perform a factory data reset and erase all user data stored on this device.
Try again
Factory data reset
If I "Try again" I end up in the same place after a long time with the Google logo and a reboot. If I "Factory data reset" I also end up in the same place.
My desktop has adb and fastboot, and was able to access the phone until the failed attempt at rooting. Now it does not detect the phone despite the system "bleeping" as if it has found a new device:
>adb devices
* daemon not running; starting now at tcp:5037
* daemon started successfully
List of devices attached
>adb devices
List of devices attached
Is there a way out of this mess?
FD
You're still on P by what recovery says. 0801 image. PQ3B is P. You want QP1A. Please try downloading the recent Q image and follow the official instructions from Google in the link and try again.
https://developers.google.com/android/images
Uzephi said:
You're still on P by what recovery says. 0801 image. PQ3B is P. You want QP1A. Please try downloading the recent Q image and follow the official instructions from Google in the link and try again.
https://developers.google.com/android/images
Click to expand...
Click to collapse
Thank you very much! Using the flash-all script I have managed to get my phone back. I have flashed the original Android 9 the phone came with.
Now, one further question, are there some good (as in unlikely to brick my phone again) instructions on how to root my Pixel 3a? I believe that Android 9 is preferred when using Magisk to Android 10, and I do not mind staying with Android 9, but I would like some instructions on how to root it without bricking it again.
Again, thanks for your prompt reply.
Yours,
FD
Frederick Davies said:
Thank you very much! Using the flash-all script I have managed to get my phone back. I have flashed the original Android 9 the phone came with.
Now, one further question, are there some good (as in unlikely to brick my phone again) instructions on how to root my Pixel 3a? I believe that Android 9 is preferred when using Magisk to Android 10, and I do not mind staying with Android 9, but I would like some instructions on how to root it without bricking it again.
Again, thanks for your prompt reply.
Yours,
FD
Click to expand...
Click to collapse
I followed this guide. it's for a pixel 3 but it's exactly the same for a 3a. There is no TWRP for 10 so doing it this way is the only way for now.
https://android.gadgethacks.com/how-to/root-your-pixel-3-android-10-0200295/
Just use magisk to patch Android 10 boot IMG and Flash it and your rooted on Android 10
Frederick Davies said:
Now, one further question, are there some good (as in unlikely to brick my phone again) instructions on how to root my Pixel 3a? I believe that Android 9 is preferred when using Magisk to Android 10, and I do not mind staying with Android 9, but I would like some instructions on how to root it without bricking it again.
Again, thanks for your prompt reply.
Yours,
FD
Click to expand...
Click to collapse
I have created a (IMHO) very thorough quide on how to root your Pixel 3a. It walks you through rooting with both Android Pie and Android 10 with very clear and precise steps. If you have any questions about it, feel free to post in that thread or reach out to me via a direct message.
There is no limitation on using Magisk or rooting under Android 10. The only thing you cannot do with Android 10 is use TWRP, but that isn't a deal breaker. TWRP is good for making backups of your OS, but as you have found you can still recover from just about any situation using the Google factory images, so while a backup might be beneficial at times, it isn't a necessity. Personally I would definitely recommend using Android 10 because Pie isn't being updated by Google anymore, so you are going to be behind on security updates, etc if you stick with Pie.
Watch this video and you shouldn't have any problems
sic0048 said:
I have created a (IMHO) very thorough quide on how to root your Pixel 3a. It walks you through rooting with both Android Pie and Android 10 with very clear and precise steps. If you have any questions about it, feel free to post in that thread or reach out to me via a direct message.
Click to expand...
Click to collapse
Very detailed indeed, but I still have a question: in your instructions you seem to boot into TWRP to install Magisk, but you do NOT install TWRP itself, just boot it for the installation of Magisk. Is that correct? Why?
sic0048 said:
There is no limitation on using Magisk or rooting under Android 10. The only thing you cannot do with Android 10 is use TWRP, but that isn't a deal breaker. TWRP is good for making backups of your OS, but as you have found you can still recover from just about any situation using the Google factory images, so while a backup might be beneficial at times, it isn't a necessity. Personally I would definitely recommend using Android 10 because Pie isn't being updated by Google anymore, so you are going to be behind on security updates, etc if you stick with Pie.
Click to expand...
Click to collapse
I am going through all this rigmarole to be able to install XPrivacyLua through the Xposed Framework, but the instructions for Xposed (https://www.xda-developers.com/xposed-framework-hub/) seem to indicate you need TWRP as a requisite, hence I think am stuck with Android P (9.0).
On the other hand, I get conflicting information as to whether Xposed for Magisk does (https://www.xda-developers.com/xposed-framework-hub/) or does not (https://forum.xda-developers.com/xposed/unofficial-systemless-xposed-t3388268) pass SafetyNet. Most confusing...
FD
Frederick Davies said:
Very detailed indeed, but I still have a question: in your instructions you seem to boot into TWRP to install Magisk, but you do NOT install TWRP itself, just boot it for the installation of Magisk. Is that correct? Why?
FD
Click to expand...
Click to collapse
There is no need to install or boot into TWRP (btw. there is even no working TWRP for Android 10 yet) to install Magisk. It's sufficents to install Magisk Manager on your phone and patch the boot.img extracted from the factory image. Just follow the instructions which have been quoted here in the thread already.
AndDiSa said:
There is no need to install or boot into TWRP (btw. there is even no working TWRP for Android 10 yet) to install Magisk. It's sufficents to install Magisk Manager on your phone and patch the boot.img extracted from the factory image. Just follow the instructions which have been quoted here in the thread already.
Click to expand...
Click to collapse
Dear AndDisa,
As I said, I am rooting my Pixel 3a because I want to install XPrivacyLua, which requires the Xposed Framework; and to install Xposed with Magisk, it lists TWRP as a pre-requisite (see "Method 2: Magisk" in https://www.xda-developers.com/xposed-framework-hub/). Since it seems there is some kind of reluctance to use/install TWRP in this thread, I am asking why that is so. I understand it is possible to install Magisk without TWRP, I am just asking "why?"
Again, thank you all for your help.
FD
TWRP doesn't work on Android 10 at this point so you can't flash it.
Frederick Davies said:
Dear AndDisa,
As I said, I am rooting my Pixel 3a because I want to install XPrivacyLua, which requires the Xposed Framework; and to install Xposed with Magisk, it lists TWRP as a pre-requisite (see "Method 2: Magisk" in https://www.xda-developers.com/xposed-framework-hub/). Since it seems there is some kind of reluctance to use/install TWRP in this thread, I am asking why that is so. I understand it is possible to install Magisk without TWRP, I am just asking "why?"
Again, thank you all for your help.
FD
Click to expand...
Click to collapse
If you read closely in the guide sic linked, he does state the TWRP method is only for P because you can't use TWRP on 10. It is the way partitions are handled in 10 where you really can't read your internal storage and it would have to require a code rework. Until that's done, no TWRP.
Edit: quote from twrp developer about it. https://twrp.me/site/update/2019/10/23/twrp-and-android-10.html
https://github.com/ElderDrivers/EdXposed/pull/354
https://github.com/ElderDrivers/EdXposedManager/releases
You can flash xposed without TWRP. Just install edxposed by downloading and installing through magisk and install the edxposed manager. You don't need TWRP
Frederick Davies said:
Very detailed indeed, but I still have a question: in your instructions you seem to boot into TWRP to install Magisk, but you do NOT install TWRP itself, just boot it for the installation of Magisk. Is that correct? Why?
FD
Click to expand...
Click to collapse
As other have noted, TWRP does not work with Android 10. However, I also wanted to answer your question because it is valid.....
With Android Pie (9), you cannot permanently install TWRP unless you first flash a custom kernel that supports LZMA compression. Using the stock kernel, you can load TWRP using ADB and use it just like normal, but when you reboot the phone TWRP will not be loaded anymore. My instructions are about rooting the phone and not about installing TWRP permanently on the phone and therefore I provided the simplest method to accomplish that goal.
Most custom kernels have been updated with LZMA support, but you should really read the TWRP thread for more information on how to permanently install TWRP on Android Pie
Dear All,
Thank you for all your help and explanations concerning my questions.
I have now rooted my Pixel 3a running Android 9 following the instructions supplied (no TWRP installation), and It seems that Magisk is installed and happy (at least it thinks it is and FX has root access), but I am afraid that EdXposed and XPrivacyLua are not working as expected.
After Magisk, I installed the "Riru - Core" and "Riru - EdXposed (YAHFA)" modules. I then installed the "EdXposed Framework (YAHFA)" (giving the EdXposed Installer superuser privileges; EdExposed reports it is installed and active), and the XprivacyLua module inside it. But now Magisk complains that the SafetyNet checks are failing (this coincides with installing XPrivacyLua, but it is the only module I have in EdXposed), and XPrivacyLua is not actually blocking anything at all (that is, even when I supposedly block access to some functions, the apps just go ahead and use them).
Why do I get the impression Google does not want people to root their phones?
Yours,
FD
Frederick Davies said:
Dear All,
Thank you for all your help and explanations concerning my questions.
I have now rooted my Pixel 3a running Android 9 following the instructions supplied (no TWRP installation), and It seems that Magisk is installed and happy (at least it thinks it is and FX has root access), but I am afraid that EdXposed and XPrivacyLua are not working as expected.
After Magisk, I installed the "Riru - Core" and "Riru - EdXposed (YAHFA)" modules. I then installed the "EdXposed Framework (YAHFA)" (giving the EdXposed Installer superuser privileges; EdExposed reports it is installed and active), and the XprivacyLua module inside it. But now Magisk complains that the SafetyNet checks are failing (this coincides with installing XPrivacyLua, but it is the only module I have in EdXposed), and XPrivacyLua is not actually blocking anything at all (that is, even when I supposedly block access to some functions, the apps just go ahead and use them).
Why do I get the impression Google does not want people to root their phones?
Yours,
FD
Click to expand...
Click to collapse
It is most certainly the things you have installed that are breaking the SafetyNet check. I don't know anything about XprivacyLua, but I would assume there is a support thread here on XDA for it. I would read that support thread and see if there is a solution to the Safetynet issue.
Dear All,
OK, I have now rooted my Pixel 3a: I am running Android 9, and I flashed Magisk (Magisk Manager version 7.4.0; Magisk version 20.1) without installing TWRP as per the instructions. Then I installed the Riru - Core (version 10) and Riru - Ed Exposed (version 0.2.8_beta) modules, which allowed me to install EdXposedInstaller (version 2.2.5). I am currently running Xposed Framework (version 90.0-0.2.8) with XPrivacyLua (version 1.25).
The result is that XPrivacyLua is working with a few caveats: the SafetyNet Check fails both the ctsProfile and basicIntegrity checks (this is triggered by XPrivacyLua, not (Ed)Xposed), and when I limit access of WhatsApp to the Contacts list, there are constant errors whenever WhatsApp tries to read it (though it seems to work as expected). Also, the Contacts list keeps disappearing from the Contacts app itself, despite WhatsApp actually seeing those contacts in there (go figure).
Other apps that require root (like FX) are working as expected.
In the end, I have decided that since I am not interested in using my mobile for Google Pay, I will have to live with it as it is now, but I have a couple of points for others that may want to follow in my footsteps (this is not necessarily related to the method of rooting; those who helped me here are certainly not at fault for the following):
1. XPrivacyLua is in no way as capable and easy to use as XPrivacy was (XPrivacy is the main reason why I am rooting my phone). If I could install Android 4 on my Pixel 3a, I would do so and go back to XPrivacy (my venerable Nexus 5's second battery is shot, so I had to get new hardware). There is nothing in Android 9 that I actually need that was not there in Android 4.
2. We really need a Nexus Toot Toolkit for Pixel phones. The multitude of versions and steps required in rooting them successfully is too much for those like me who will root their phone for one or two apps and then leave it as it is. I know that these forums are really for tinkerers who want to extract the maximum from their hardware, and hence my point of view is not representative here, but I just want a mobile that will not spy on me, the rest is irrelevant to me.
I guess I will have to open a thread in the XPrivacyLua forums to see if I can sort out my problems, but I would like to thank you all for your help in getting me here and answering my questions (no matter how pointless they may have seemed).
Yours,
FD
Frederick Davies said:
Dear All,
OK, I have now rooted my Pixel 3a: I am running Android 9, and I flashed Magisk (Magisk Manager version 7.4.0; Magisk version 20.1) without installing TWRP as per the instructions. Then I installed the Riru - Core (version 10) and Riru - Ed Exposed (version 0.2.8_beta) modules, which allowed me to install EdXposedInstaller (version 2.2.5). I am currently running Xposed Framework (version 90.0-0.2.8) with XPrivacyLua (version 1.25).
The result is that XPrivacyLua is working with a few caveats: the SafetyNet Check fails both the ctsProfile and basicIntegrity checks (this is triggered by XPrivacyLua, not (Ed)Xposed), and when I limit access of WhatsApp to the Contacts list, there are constant errors whenever WhatsApp tries to read it (though it seems to work as expected). Also, the Contacts list keeps disappearing from the Contacts app itself, despite WhatsApp actually seeing those contacts in there (go figure).
Other apps that require root (like FX) are working as expected.
In the end, I have decided that since I am not interested in using my mobile for Google Pay, I will have to live with it as it is now, but I have a couple of points for others that may want to follow in my footsteps (this is not necessarily related to the method of rooting; those who helped me here are certainly not at fault for the following):
1. XPrivacyLua is in no way as capable and easy to use as XPrivacy was (XPrivacy is the main reason why I am rooting my phone). If I could install Android 4 on my Pixel 3a, I would do so and go back to XPrivacy (my venerable Nexus 5's second battery is shot, so I had to get new hardware). There is nothing in Android 9 that I actually need that was not there in Android 4.
2. We really need a Nexus Toot Toolkit for Pixel phones. The multitude of versions and steps required in rooting them successfully is too much for those like me who will root their phone for one or two apps and then leave it as it is. I know that these forums are really for tinkerers who want to extract the maximum from their hardware, and hence my point of view is not representative here, but I just want a mobile that will not spy on me, the rest is irrelevant to me.
I guess I will have to open a thread in the XPrivacyLua forums to see if I can sort out my problems, but I would like to thank you all for your help in getting me here and answering my questions (no matter how pointless they may have seemed).
Yours,
FD
Click to expand...
Click to collapse
Cool story bro
My daughter got a new phone, after struggling with bootloops and magisk issues. Finally got everything working correctly.
But,
I got root to go fine, only thing is she has had location issues. Google maps, other GPS or location services did not work.
So I uninstalled xprivacylua and seems like services came back, looks like I wasn't hiding anything on it anyways. Or I don't remember what it was.
So instead of reinstalling xprivacylua I decided to look for different answers .
Maybe some other solutions.
Here is a list of apps and modules that are installed. I think some of them overlapped and are kind of messed up. To many that my head is spinning.
Magisk
23.0 (23000)
Magiskhide Props Config.
Riru
Riru LS exposed (Tried switching back and forth to edxposed)
Systemless Hosts
Universal Safetynet fix 1.1.2. (Tried different versions)
LS Esposed one module,
Hiddencore module (enabled Google services Framework and google play services)
Also cleared Data and Cache on google play store.
Rebooted every time
Always safety net failure.
I know its a lot to take in , and do appreciate any feedback or help on this issue.
Is it an 8T? Are you running stock OOS with magisk?
In that case all you need to pass safteynet should be Magisk 23 with magisk hide activated. No need to bother with Magisk hide propconfig, or edexposed or anything.
If you are running a custom rom it is a different matter
I have magisk 23 and magisk hide is active on all google play services, but it still fails.
Its 8t with stock rom.
I think this is why its a little confusing since on my stock 7 pro I have google play services and only android.gms, and android gms unstable hidden and it works fine.
There is not a custom recovery on either of these phones.
Magisk and magisk hide works fine for me, so don't know what to say.
Perhaps try to uninstall Riru and exposed to make sure that they aren't triggering safety net?
You have to get termux. Get su superuser permissions then type props a menu will load press 2 then select yes to change device name then y again to reboot then it should pass safety net
Screens of magisk hide props config
scottlam1 said:
You have to get termux. Get su superuser permissions then type props a menu will load press 2 then select yes to change device name then y again to reboot then it should pass safety net
Click to expand...
Click to collapse
Nope.. Terminal Emulator is actually recommended. With Termux, you are required to use root access for props to work.
with Terminal Emulator, you can just type:
props
and then it'll load. no "su" necessary. That's termux. I've had some issues that these people are talking about with my OnePlus 8T (KB2005, unlocked completely).. I'll try Termux just to rule this out, but this is highly doubtful as to whether or not safetynet passes based on this--it's attempting to modify the same values. Anyway, when I unlocked that bootloader on a stock rom, CTS Profile started showing as false. So I did get the stock on there correctly and it initially passed with a LOCKED bootloader. There's an alpha TWRP that you can actually flash if you want. There's a couple others where you can only boot it.. there's a lot of "only's" here.. and I couldn't get it going with any of the apps mentioned, including ditching EdXposed and deciding to try LSPosed, but that + XPrivacyLau didnt seem to help me. Maybe I'm doing something wrong. From what I can tell I've done everything right and I've got quite a bit of experience attempting/doing this. Sometimes Device SImulation and forced BASIC ATTESTATION can be a lifesaver.
On my OnePlus 6T, I don't have this problem.. then again it's on Android 10. I can't even get a proper root explorer for Android 11. I seriously can't stand what they did to Android 11.. it's so ridiculous how many apps are now incompatible. Root Explorer Pro was possibly the best Root File Manager I've ever used and I've used it since day 1.
Anyway, I'm gonna give all of this a shot in different order.. and this time I'll see if Magisk can do the trick (last time it was on some different firmware and i just now was able to get it going by flashing via Fastboot in Linux). It's the manual way (payload dumper) as opposed to MSMDownloadTool -- which could be used via a VM.. and maybe even better than using Windows tools where you literally have no idea what you're actually doing. I'm just saying. Android is a linux distro, technically.. and we're trying to use just basic root apps for Android 11, and they don't seem to work.. it's insane. They did something with the partitions and it's apparently having issues even mounting R/W even with Magisk giving it root permissions. Btw, Magisk Canary is now outdated, as far as I can tell? Or it's just nowhere to be found when it comes to versions. Either way, I have tried multiple. So I'll try again in a different order.
Sorry for the long post. I've just had it. I've been working on this for a WEEK non stop.. 5-6 days and this is the first sign of progress (reverting via fastboot via Linux, which is the same thing as the MSMDownloadTool ultimately... without the hassle of finding it)
Let me know if there's anything else.. cause I've tried just about everything out there. Remember, for me, so far... unlocked bootloader = CTS Profile failure.. but locked bootloader + stock rom? Passed. I don't know. Before it wasn't passing with a stock rom that came with it so that drove me nuts and made no sense, hence me saying "progress" ... heh. Anyway.. Please let me know if you guys do find anything that works for it. I'm at my wits end. There's basically almost zero support for the 8T but plenty for the 8 and 8 Pro. So that also gets on my nerves. Sorry, once again, for this really long post. Some of it is just venting and I'll update if I get somewhere with it.
.. and now this morning after installing magisk, by just booting twrp (not flashing, but booting) and then using LSPosed/XPrivacyLua (I installed MagiskProps too but I barely did anything aside from pick a fingerprint) --- and it passed? WHAT?
I'm gonna look into this, but I'm not complaining. Let's see if I can find good Android 11 apps for actually browsing the system and being able to r/w any elusive partitions -- wasn't working well with Android 11 before. Not sure if that's around with a simple design anymore. Root Explorer Pro was king of that. Then Android 11 stepped in. I still have to install Lucky Patcher, if it will even work as a module for LSPosed. (Yes, I'm one of those idiots) -- I fully expect it to fail with that but I might be pleasantly surprised. Who knows. So, we'll just call this mixed results. For now -- Passing somehow. I don't understand aside from LSPosed and XPrivLua.. maybe magiskprops. Not sure which one did what first to cause this to go the right direction.
All I can say is all I have is magisk props not the other 2 modules you speak of
Well this is super weird. I didnt see my daughter for 2 days and she said everything is working fine.
I did tons of reboots and other installs/uninstalls and nothing worked.
But now I do safety net check and it works fine.
I dont get it.
If I do have issues again I will post here and follow instructions.
Thank you for your time and help
eracet said:
Well this is super weird. I didnt see my daughter for 2 days and she said everything is working fine.
I did tons of reboots and other installs/uninstalls and nothing worked.
But now I do safety net check and it works fine.
I dont get it.
If I do have issues again I will post here and follow instructions.
Thank you for your time and help
Click to expand...
Click to collapse
Ok asked her what she did. Mentioned updated YouTube vanced. And not sure of anything else.
Saw on reddit that some people have issues with google pay, since the new update added some new checks. So here is what you do:
- Update Magisk to 25.2, Update magisk app to 25.2 as well
- Rename Magisk app if you havent already
- [ OPTIONAL ] Add all google apps on deny list (good practice in case google wants to detect root throught their other apps)
- install these modules: https://github.com/Magisk-Modules-Repo/MagiskHidePropsConf and https://github.com/kdrag0n/safetynet-fix
- then:
step 1.) Download any terminal (I use termux)
step 2.) type SU
step 3.) type props
step 4.) edit device fingerprint
step 5.) follow the onscreen promt
step 6.) once successfully changed, reboot device
optional (i didnt have to but you can try) reset google play, play services and google wallet appdata.
step 7.) enjoy working google wallet.
- Reboot
NOTE: Remeber to clear google wallet just in case.
ANOTHER NOTE: If your device is not on this list: https://github.com/Magisk-Modules-Repo/MagiskHidePropsConf/blob/master/common/prints.sh
then you'll have to manually obtain an old fingerprint for your device, its all on here how to do:
MagiskHidePropsConf/README.md at master · Magisk-Modules-Repo/MagiskHidePropsConf
This tool is now dead... Contribute to Magisk-Modules-Repo/MagiskHidePropsConf development by creating an account on GitHub.
github.com
Enjoy.
EDIT: Alternatively try this:
https://github.com/Displax/safetynet-fix/releases/
it wont work for all from what I know but it was successful for some.
I only had to update magisk then add Wallet to the deny list.... Haven't tested an actual payment yet, but it stopped complaining about root when I open it.
I probably already had some of those modules installed from before. Some of the names look familiar.
Tried it at McDonald's... Didn't work. I guess the app stops complaining after a few goes of starting it up... Need to check in the "contactless setup" part of the Wallet app to be sure. Has a warning there if your device is "unsafe".
I'll try the full list of steps above tonight and confirm tomorrow if I can pay with it.
ahhh, it was not only with me... going to install to see if it passes...
None of the above works. If you try to pay contactless it will fail. If you try to add card it will fail also. I think that the new google wallet can detect if bootloader is unlocked. I don't see any workaround on this.
covar said:
None of the above works. If you try to pay contactless it will fail. If you try to add card it will fail also. I think that the new google wallet can detect if bootloader is unlocked. I don't see any workaround on this.
Click to expand...
Click to collapse
Yeah I removed Magisk and I still failed. It seems bootloader related I think.
covar said:
None of the above works. If you try to pay contactless it will fail. If you try to add card it will fail also. I think that the new google wallet can detect if bootloader is unlocked. I don't see any workaround on this.
Click to expand...
Click to collapse
works fine for me, I added something you should try as well in case it didnt work for you.
Danishblunt said:
works fine for me, I added something you should try as well in case it didnt work for you.
Click to expand...
Click to collapse
Still nothing. Have you try to make payment????
covar said:
Still nothing. Have you try to make payment????
Click to expand...
Click to collapse
I made 4 payments after the fix, latest being 12 minutes prior to this reply. it works fine.
I suggest starting from my post 1point by point. If it still doesnt work then you may have an app that somehow triggers the root detection that I don't have on my phone.
You should probably mention that picking correct CTS fingerprint is crucial. Sometimes its one version down for your device, but other times you have to use entirely different (but probably related somehow?) device FP, either because prior version doesn't exist, or Google simply doesn't accept it. The Google Pay thread has a scattered reports of working combos somebody should probably make a nicer list of.
I think some steps are not necessary. Like hiding all Google apps and SQ Lite
Also, momo-hider is depreciated. Use shamiko.
Lastly, I just installed magisk hide props (and configured it) and now it works.
Thanks its work✓ !! Is it permanent? Or someday its gonna pop out because some updates?
Magisk user
Paulo_1307_ said:
I think some steps are not necessary. Like hiding all Google apps and SQ Lite
Also, momo-hider is depreciated. Use shamiko.
Lastly, I just installed magisk hide props (and configured it) and now it works.
Click to expand...
Click to collapse
You are correct. The only thing to do is to configure props. I personally change the fingerprint and now works fine.
Paulo_1307_ said:
I think some steps are not necessary. Like hiding all Google apps and SQ Lite
Also, momo-hider is depreciated. Use shamiko.
Lastly, I just installed magisk hide props (and configured it) and now it works.
Click to expand...
Click to collapse
You're right, just listed old modules i gathered over time just in case without testing if they are needed anymore. Tested if they were needed and indeed, they arent.
Hiding the google apps is a good idea regardless if its needed or not.
Fixed the original post to reflect the changes.
Danishblunt said:
Saw on reddit that some people have issues with google pay, since the new update added some new checks. So here is what you do:
- Update Magisk to 25.2, Update magisk app to 25.2 as well
- Rename Magisk app if you havent already
- [ OPTIONAL ] Add all google apps on deny list (good practice in case google wants to detect root throught their other apps)
- install these modules: https://github.com/Magisk-Modules-Repo/MagiskHidePropsConf and https://github.com/kdrag0n/safetynet-fix
- then:
step 1.) Download any terminal (I use termux)
step 2.) type SU
step 3.) type props
step 4.) edit device fingerprint
step 5.) follow the onscreen promt
step 6.) once successfully changed, reboot device
optional (i didnt have to but you can try) reset google play, play services and google wallet appdata.
step 7.) enjoy working google wallet.
- Reboot
NOTE: Remeber to clear google wallet just in case.
ANOTHER NOTE: If your device is not on this list: https://github.com/Magisk-Modules-Repo/MagiskHidePropsConf/blob/master/common/prints.sh
then you'll have to manually obtain an old fingerprint for your device, its all on here how to do:
MagiskHidePropsConf/README.md at master · Magisk-Modules-Repo/MagiskHidePropsConf
This tool is now dead... Contribute to Magisk-Modules-Repo/MagiskHidePropsConf development by creating an account on GitHub.
github.com
Enjoy.
Click to expand...
Click to collapse
hi may I ask what does step 5 mean? Thanks!
darkhunter9 said:
hi may I ask what does step 5 mean? Thanks!
Click to expand...
Click to collapse
baisically just means follow instructions on your screen.
Paulo_1307_ said:
I think some steps are not necessary. Like hiding all Google apps and SQ Lite
Also, momo-hider is depreciated. Use shamiko.
Lastly, I just installed magisk hide props (and configured it) and now it works.
Click to expand...
Click to collapse
Can confirm this works
I had both GPay and Wallet installed on my Pixel 5; yesterday I got the "security requirements" notification.
I've now removed both apps. When I tap on the GPay tile in Quick Settings, it says "Hold to reader", but when I tap Show All, it says "Not set up". I'll test it later today.
Does anyone know how to clear cache for embedded GPay?
V0latyle said:
I had both GPay and Wallet installed on my Pixel 5; yesterday I got the "security requirements" notification.
I've now removed both apps. When I tap on the GPay tile in Quick Settings, it says "Hold to reader", but when I tap Show All, it says "Not set up". I'll test it later today.
Does anyone know how to clear cache for embedded GPay?
Click to expand...
Click to collapse
It will show an error when you try to do a transaction if you havent done the above. Minr also showed that it was reafy but when trying to pay it would throw error.
Danishblunt said:
It will show an error when you try to do a transaction if you havent done the above. Minr also showed that it was reafy but when trying to pay it would throw error.
Click to expand...
Click to collapse
I just went to Dollar General and successfully used tap to pay. I do not have either of the discrete apps installed, just embedded GPay.
Danishblunt said:
Saw on reddit that some people have issues with google pay, since the new update added some new checks. So here is what you do:
- Update Magisk to 25.2, Update magisk app to 25.2 as well
- Rename Magisk app if you havent already
- [ OPTIONAL ] Add all google apps on deny list (good practice in case google wants to detect root throught their other apps)
- install these modules: https://github.com/Magisk-Modules-Repo/MagiskHidePropsConf and https://github.com/kdrag0n/safetynet-fix
- then:
step 1.) Download any terminal (I use termux)
step 2.) type SU
step 3.) type props
step 4.) edit device fingerprint
step 5.) follow the onscreen promt
step 6.) once successfully changed, reboot device
optional (i didnt have to but you can try) reset google play, play services and google wallet appdata.
step 7.) enjoy working google wallet.
- Reboot
NOTE: Remeber to clear google wallet just in case.
ANOTHER NOTE: If your device is not on this list: https://github.com/Magisk-Modules-Repo/MagiskHidePropsConf/blob/master/common/prints.sh
then you'll have to manually obtain an old fingerprint for your device, its all on here how to do:
MagiskHidePropsConf/README.md at master · Magisk-Modules-Repo/MagiskHidePropsConf
This tool is now dead... Contribute to Magisk-Modules-Repo/MagiskHidePropsConf development by creating an account on GitHub.
github.com
Enjoy.
Click to expand...
Click to collapse
Even tho Xiaomi Mi 11 Lite 5g (European version) is not on either list, I got Google Wallet to play nicely (ie work! ) using this guide. In effect the Xiaomi Mi 11 Lite Indonesia Xiaomi:M2101K9AG must have similar coding to Xiaomi M2102K9G. I am now on 13.0.6 SKIEUXM MIUI version. I was worried in the termux app re warnings about ensuring device fingerprint is compatible etc, but when I got the sae warning in adb shell command within minimal adb & fastboot command, I decided to see what happens and it all worked for me. Have carried 2 transactions within Google wallet over yesterday & today with complete success. My device was already certified within Play protect part of Google Play Store.
So I have rooted phone with Magisk 25.2 version, zygisk and deny list set up ; magisk hidden (Hide) then froze Magisk Hide within SD Maid so my fully rooted phone runs Ad Away, no ads & all my banking apps eg Santander & Halifax work fine, so root is hidden from them. Given up trying to get Chase banking app tho
I have zero interest in rooting my phone, but because 5G/VoLTE/VoWiFi are not supported in my country (Slovakia) I had to root it. After successful root, passing SafetyNet and pretty much make everything to work as expected, my Company Portal is detecting root when running Teams and Outlook provisioned by my Company Portal despite having them in DenyList. Is there anyone who managed to pass this?
Thank you.
Happened to me as well. I used Shamiko magisk module and it's all good now.
@chaos193, did you use Riru along?
Or maybe even better question if you don't mind - what modules are you using to successfully pass SafetyNet and hide root?
Can you list them one by one, please?
Either use Shamiko or MagiskHidePropsConf to mask additional properties. I can confirm that InTune Company Portal works fine with SafetyNetFix + Shamiko
p4ra said:
@chaos193, did you use Riru along?
Or maybe even better question if you don't mind - what modules are you using to successfully pass SafetyNet and hide root?
Can you list them one by one, please?
Click to expand...
Click to collapse
It's pretty much what @craigacgomez said. I used Shamiko 0.6 alongside LSposed zygisk release. I'm pretty sure LSposed is not needed but I have it just in case.
chaos193 said:
It's pretty much what @craigacgomez said. I used Shamiko 0.6 alongside LSposed zygisk release. I'm pretty sure LSposed is not needed but I have it just in case.
Click to expand...
Click to collapse
Quick question @chaos193 - I haven't updated Shamiko to 0.6 as the update states that it requires Magisk 25205+. Reckon that would be magisk canary? Or as you using 0.6 with Magisk stable?
WhoIsJohnGalt1979 said:
Quick question @chaos193 - I haven't updated Shamiko to 0.6 as the update states that it requires Magisk 25205+. Reckon that would be magisk canary? Or as you using 0.6 with Magisk stable?
Click to expand...
Click to collapse
I used it with magisk stable 25.2. I think we are all using magisk stable to root our phone right?
I have tried your suggestions, but still does not seem to work. Adding screenshots.
Can you help me, please? What is wrong with my setup?
Following steps work 100% - I had the same issue.
1. Use magisk canary.
2. Install universal safetynet fix MOD 2.0 from displax (Google for "displax github")
3. Use latest shamiko module
4. Activate zygisk
5. Don't enforce denylist
6. Go to denylist and chose all Microsoft apps and tick ALL options for each app.
7. Hide magisk app
I had issue with a specific banking app which detects root by most of the methods. I made it working by using shamiko + airfrozen which i was not really liking.
Now i wnded up with a forked project of magisk bu Husky called magisk delta which brought back magisk hide along with zygisk. With this i don't need shamiko, magiskpropshide, airfrozen or any modules for hiding the root from apps. Yes for safetynet you can use the modded veraion by D. Below is the link. If you are interested have a look at Magisk Delta by HuskyDG... I use the magisk delta canary builds...
I have made it work with first approach. I did a restart of the phone and it worked.
What I am wondering though is the following - I have used the VoLTE/VoWiFi/5G Magisk module, but I don't see the "HD" icon during the call, even though I can browse the internet (when I am not on WiFi). And despite 5G coverage of my current carrier in my area, I don't see 5G icon.
Is there any other module I am missing for this last piece of puzzle?
And last but not least. What scares me the most is that next OTA will completely screw me over after setting everything up. I wish there was a clear tutorial on how to OTA and keep the root without wiping everything out.
p4ra said:
I have made it work with first approach. I did a restart of the phone and it worked.
What I am wondering though is the following - I have used the VoLTE/VoWiFi/5G Magisk module, but I don't see the "HD" icon during the call, even though I can browse the internet (when I am not on WiFi). And despite 5G coverage of my current carrier in my area, I don't see 5G icon.
Is there any other module I am missing for this last piece of puzzle?
And last but not least. What scares me the most is that next OTA will completely screw me over after setting everything up. I wish there was a clear tutorial on how to OTA and keep the root without wiping everything out.
Click to expand...
Click to collapse
I'm not quite sure which VoLTE/VoWiFi/5G Magisk module you are referring to, but I believe enabling 5G requires modified mbn files specific to your country/region.
Regarding OTAs, there are two "How To" guides here with all the details you need.
Blaze1001 said:
Following steps work 100% - I had the same issue.
1. Use magisk canary.
2. Install universal safetynet fix MOD 2.0 from displax (Google for "displax github")
3. Use latest shamiko module
4. Activate zygisk
5. Don't enforce denylist
6. Go to denylist and chose all Microsoft apps and tick ALL options for each app.
7. Hide magisk app
Click to expand...
Click to collapse
I have done exactly this but it still detects
Oneplus 7 pro
LineageOS 19.1 Nov 27th nightly build
This should be all that's needed to pass the compliance checks for Intune
1. Magisk (Zygisk mode)
2. SafetyNet v2.3.1-MOD_2.0
3. Shamiko v0.5.1 (or higher)
4. Magisk deny-list for the following apps (without Enforce deny-list)
a. Company Portal (Intune)b. Microsoft Authenticator (if you use it)c. Microsoft Defender (if you use it)5. Make sure you clear app data for the apps in the deny list after adding them to the deny list
Don't know about this specific app, but in the past I had issues with detection of an "unsecure" device, that was related to ADB debugging being enabled in developer settings...
craigacgomez said:
This should be all that's needed to pass the compliance checks for Intune
1. Magisk (Zygisk mode)
2. SafetyNet v2.3.1-MOD_2.0
3. Shamiko v0.5.1 (or higher)
4. Magisk deny-list for the following apps (without Enforce deny-list)
a. Company Portal (Intune)b. Microsoft Authenticator (if you use it)c. Microsoft Defender (if you use it)5. Make sure you clear app data for the apps in the deny list after adding them to the deny list
Click to expand...
Click to collapse
s3axel said:
Don't know about this specific app, but in the past I had issues with detection of an "unsecure" device, that was related to ADB debugging being enabled in developer settings...
Click to expand...
Click to collapse
Still doesn't work. Its weird because it worked for one night and the next morning it stopped.
UPDATE: its LSPosed I think. But this is the only way to force dark mode on some apps....
UPDATE 2: I disabled forced dark mode on all Microsoft apps in LSPosed plugin and its looking good so far...
UPDATE 3: Had a full day with not a single root detection notification. Looks solid!
s3axel said:
Don't know about this specific app, but in the past I had issues with detection of an "unsecure" device, that was related to ADB debugging being enabled in developer settings...
Click to expand...
Click to collapse
one of the worse parts of it, if not the worst, is that nobody knows what it detects and there's no guide that applies to each and every device,
I tried in 3 devices, the exact same steps and files, etc, it worked on the 1st one, but on the other two.. no!
For all those who still got issues as another idea: Does Google Wallet work ? Is the device play protect certified ?
I ask because to get Wallet to work (and presumably other apps that rely on Safetynet and/or Play Protect certification) the additional step after #5 in the list above is: clear data for Google Play Services and Google Play Store, then reboot (your device will ask for Google backup configuration again).....
I got the same issue with an App called "SwissID". It recognizes magisk for some reason. All other Apps work (like banking, google wallet etc.)
chaos193 said:
It's pretty much what @craigacgomez said. I used Shamiko 0.6 alongside LSposed zygisk release. I'm pretty sure LSposed is not needed but I have it just in case.
Click to expand...
Click to collapse
Its work to me!!! Thanks
So a year ago i rooted my OnePlus 8t and i still have oos 13 anyway I'm trying to bypass postfinance root check but anything seems to work (zygisk block , shamiko , securitynet tried) on yasnac it runs the check perfectly and i tried to cancel the cache and the memory many times but anything...
There are any other options or i must deroot the phone?
NewNoSignal said:
So a year ago i rooted my OnePlus 8t and i still have oos 13 anyway I'm trying to bypass postfinance root check but anything seems to work (zygisk block , shamiko , securitynet tried) on yasnac it runs the check perfectly and i tried to cancel the cache and the memory many times but anything...
There are any other options or i must deroot the phone?
Click to expand...
Click to collapse
So I know nothing of OnePlus (I've only experience in Samsung & Pixels), so I don't know if any of the following suggestions work on your phone.....
First of all, safetynet is becoming depreciated and will become completely depreciated by '24; what many apps now use for "safety" detection is Play Integrity API -- in which using the Play Integrity API Checker app or more comprehensive root checker TB Checker is a better way to see how your device passes established safety checks more than YASNAC and passing them (or certain checks) may be required to get your app running with root.
Among Zygisk DenyList and Shamiko as viable root hiding methods, there is also
Magisk Delta [Magisk fork] (which returns Magisk Hide),
UniversalSafetyNetFix [Magisk module] (if main branch isn't successful, Displax's fork often times is more successful),
HideMyApplist (HMA) [LSPosed module],
Bootloader Spoofer [Xposed module] (to spoof locked bootloader) {this method is new}.
Also, hopefully you are employing Shamiko correctly where you configure the Zygisk DenyList but do not enable/Enforce it -- if that interferes, apparently there is a "whitelist" mode for Shamiko.
P.S. Also, I hope you've also made sure to Hide Magisk (essentially renaming the app manager name) in settings -- you never mentioned doing this in the OP...
I've read these other methods have fairly good success particularly on banking apps where Zygisk DenyList and Shamiko don't...
sometimes you have to try/work them in different combinations with each other to get it passed....
Again, I do not know if any of these work with your device, so I suggest going through their respective threads (if they have one in your device's subforum, that would be best) to see if/how they work with your device and/or you could post & inquire if/how they do/might....
simplepinoi177 said:
So I know nothing of OnePlus (I've only experience in Samsung & Pixels), so I don't know if any of the following suggestions work on your phone.....
First of all, safetynet is becoming depreciated and will become completely depreciated by '24; what many apps now use for "safety" detection is Play Integrity API -- in which using the Play Integrity API Checker app or more comprehensive root checker TB Checker is a better way to see how your device passes established safety checks more than YASNAC and passing them (or certain checks) may be required to get your app running with root.
Among Zygisk DenyList and Shamiko as viable root hiding methods, there is also
Magisk Delta [Magisk fork] (which returns Magisk Hide),
UniversalSafetyNetFix [Magisk module] (if main branch isn't successful, Displax's fork often times is more successful),
HideMyApplist (HMA) [LSPosed module],
Bootloader Spoofer [Xposed module] (to spoof locked bootloader) {this method is new}.
Also, hopefully you are employing Shamiko correctly where you configure the Zygisk DenyList but do not enable/Enforce it -- if that interferes, apparently there is a "whitelist" mode for Shamiko.
P.S. Also, I hope you've also made sure to Hide Magisk (essentially renaming the app manager name) in settings -- you never mentioned doing this in the OP...
I've read these other methods have fairly good success particularly on banking apps where Zygisk DenyList and Shamiko don't...
sometimes you have to try/work them in different combinations with each other to get it passed....
Again, I do not know if any of these work with your device, so I suggest going through their respective threads (if they have one in your device's subforum, that would be best) to see if/how they work with your device and/or you could post & inquire if/how they do/might....
Click to expand...
Click to collapse
Ah yes i renamed it too now I'm going home and try all you just wrote i hope it works
Thanks for the help anyway
I don't install any of those apps.
Couldn't you simply login to the banking site using your browser?
blackhawk said:
I don't install any of those apps.
Couldn't you simply login to the banking site using your browser?
Click to expand...
Click to collapse
well in nnot that easy i have to scan a qr code from the app to somehow activate my account? i dont'know for sure i don't know german too well XD anyway is not that easy
NewNoSignal said:
well in nnot that easy i have to scan a qr code from the app to somehow activate my account? i dont'know for sure i don't know german too well XD anyway is not that easy
Click to expand...
Click to collapse
I just use passwords, the KISS principle.
I use a secure browser like Brave.
No issues in over 7 years. Login takes seconds.
simplepinoi177 said:
So I know nothing of OnePlus (I've only experience in Samsung & Pixels), so I don't know if any of the following suggestions work on your phone.....
First of all, safetynet is becoming depreciated and will become completely depreciated by '24; what many apps now use for "safety" detection is Play Integrity API -- in which using the Play Integrity API Checker app or more comprehensive root checker TB Checker is a better way to see how your device passes established safety checks more than YASNAC and passing them (or certain checks) may be required to get your app running with root.
Among Zygisk DenyList and Shamiko as viable root hiding methods, there is also
Magisk Delta [Magisk fork] (which returns Magisk Hide),
UniversalSafetyNetFix [Magisk module] (if main branch isn't successful, Displax's fork often times is more successful),
HideMyApplist (HMA) [LSPosed module],
Bootloader Spoofer [Xposed module] (to spoof locked bootloader) {this method is new}.
Also, hopefully you are employing Shamiko correctly where you configure the Zygisk DenyList but do not enable/Enforce it -- if that interferes, apparently there is a "whitelist" mode for Shamiko.
P.S. Also, I hope you've also made sure to Hide Magisk (essentially renaming the app manager name) in settings -- you never mentioned doing this in the OP...
I've read these other methods have fairly good success particularly on banking apps where Zygisk DenyList and Shamiko don't...
sometimes you have to try/work them in different combinations with each other to get it passed....
Again, I do not know if any of these work with your device, so I suggest going through their respective threads (if they have one in your device's subforum, that would be best) to see if/how they work with your device and/or you could post & inquire if/how they do/might....
Click to expand...
Click to collapse
I MADE IT was suficient to swap magisk and install universalsafetynetfix (i installed directly the displax's one)
thank you very very much
NewNoSignal said:
I MADE IT was suficient to swap magisk and install universalsafetynetfix (i installed directly the displax's one)
thank you very very much
Click to expand...
Click to collapse
GREAT!
Glad I helped you get there! I know how much of a relief it is to not need to unroot and/or relock the bootloader and have the phone be wiped (at least that's how it is on Samsung & Pixels)
Nice to know that USNF and Magisk Delta (I assume that's what you meant with "swap magisk") work well enough on OnePlus...