After a bit of tinkering and some insight from Chainfire and imoseyon, I was finally able to get SuperSU working on AOSP ROMs without being permissive or having to use Chainfire's prebuilt sepolicy.
sepolicy patch is here: https://github.com/PureNexusProject...mmit/0f5072de4580a5db7348917e77e4c1c35d3e3c1a
Stickied.
Sorry to be that guy, but how does this affect the average Joe?
Does it mean there's going to be a new version of SuperSU with this, or does this mean that custom ROM makers can use this patch to make their ROMs not need the custom boot.img?
WarningHPB said:
> Sorry to be that guy, but how does this affect the average Joe?
It doesn't, this is for ROM devs only, they know what to do with this.
Chainfire said:
> It doesn't, this is for ROM devs only, they know what to do with this.
Welcome back! Hope you had a good break.
Chainfire said:
> Stickied.
Thanks. After including this in my AOSP builds I have noticed a few things: certain "root" apps still don't function and get SELinux denials. I originally noticed this with logcat extreme. I was getting read and write denials on logd, so I did an audit2allow on my sepolicy and came up with the following allow:
Code:
#============= logd ==============
allow logd init:fifo_file { read write };
I did a quick Google search on this and came up with https://gist.github.com/poliva/fc5b7402bde74be27518 which is apparently an sediff of your sepolicy, which is heavily modified beyond just what I had for SuperSU to work in enforcing for AOSP ROMs. So I guess my real question is: do us "AOSP" devs have to update our sepolicies with these 300+ additions to get all current root apps working, or is this something that you can overcome in an update to SuperSU?
Thanks in advance :good:
BeansTown106 said:
> Thanks. After including this in my AOSP builds I have noticed a few things: certain "root" apps still don't function and get SELinux denials. I originally noticed this with logcat extreme. I was getting read and write denials on logd, so I did an audit2allow on my sepolicy and came up with the following allow:
> Code:
> #============= logd ==============
> allow logd init:fifo_file { read write };
> I did a quick Google search on this and came up with https://gist.github.com/poliva/fc5b7402bde74be27518 which is apparently an sediff of your sepolicy, which is heavily modified beyond just what I had for SuperSU to work in enforcing for AOSP ROMs. So I guess my real question is: do us "AOSP" devs have to update our sepolicies with these 300+ additions to get all current root apps working, or is this something that you can overcome in an update to SuperSU?
> Thanks in advance :good:
There is no such thing now as "all current root apps working".
If SuperSU's daemon can be launched, and it can in turn launch the supolicy tool, most of the rules from the diff will be modified by SuperSU as needed.
What your patch needs to do (and you have already done) is make sure SuperSU can be launched in the right context, and can modify the sepolicy. You do not need to implement those 300+ additions - it will be done at boot automagically.
As for those additions themselves, they are primarily needed to:
- make sure SuperSU can work, internal communications between the different processes and such
- make processes running as the "init" context (where root apps run by default) as powerful as possible
- specifically "allow" a number of things that would otherwise still work, but would be logged (everything that starts with "allow init" or "allow recovery")
Now, even with the above, still not everything works out of the box. Everything that goes from "init" to "non-init" context should already work, but going from "non-init" context to "init" may not. In your example case, we go from "logd" to "init", which isn't specifically allowed. Often apps can be fixed to work around an issue such as this.
Generally speaking, the solution is not to fix the source sepolicy or the supolicy tool, the solution is for the "logcat extreme" app to run the following at launch (as documented in How-To SU):
Code:
supolicy --live "allow logd init fifo_file { read write }"
In this specific case, maybe it could be added to supolicy, it depends on what exactly generates the audit. If it's a simple logcat command, it's a candidate for inclusion. The problem might even be solved by switching contexts rather than modifying any SELinux policies. But that is something for the app developer to figure out.
In either case, it is not something you need to fix in the AOSP patches. Those already do what they need to do.
Since they started doing SELinux Enforcing though, the policies in AOSP have generally been a tad stricter than on retail devices (this was specifically the case during 4.4 days). This may lead to you sometimes having to add/remove a rule manually somewhere that was not added to SuperSU yet. It could happen, but it's unlikely, probably temporary, and it probably should not go into this AOSP patch.
A note on pof's sediff, I'm not sure it was done cleanly, as I see some modifications in there that are not done by supolicy. Either way, such a post is informative, not leading, as supolicy may do more or less modifications depending on various runtime variables (such as Android version). Additionally, due to context names and availabilities changing between Android versions, any rule modification referencing a context not available in the to-be-patched sepolicy will not be applied, and thus will not show up in an sediff.
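The step discussed in the post above, going from a logged denial to both the audit2allow-style rule and the supolicy --live statement an app would run, shown as an added example (not part of the original post and not SuperSU or audit2allow code). The function names and the sample log lines are constructed for illustration; the two output formats mirror the rule and the command quoted in the thread.

```python
import re
from collections import OrderedDict

# Constructed sample input in the kernel AVC audit format. The first two lines
# reproduce the logd -> init fifo_file case from the thread; values are made up.
SAMPLE_LOG = '''\
type=1400 audit(1450000000.101:5): avc: denied { read } for pid=312 comm="logd" path="pipe:[9001]" dev="pipefs" ino=9001 scontext=u:r:logd:s0 tcontext=u:r:init:s0 tclass=fifo_file permissive=0
type=1400 audit(1450000000.102:6): avc: denied { write } for pid=312 comm="logd" path="pipe:[9001]" dev="pipefs" ino=9001 scontext=u:r:logd:s0 tcontext=u:r:init:s0 tclass=fifo_file permissive=0
I/ActivityManager(  800): Start proc 4242:com.example.app/u0a99
type=1400 audit(1450000001.300:7): avc: denied { read } for pid=4242 comm="example.app" name="version" dev="proc" ino=4026 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=file permissive=1
'''

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
REQUIRED = ("scontext", "tcontext", "tclass")


def context_type(context):
    """Return the type field of a context like u:r:logd:s0, or None if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_denials(log_text):
    """Extract one record per 'avc: denied' line; other lines are ignored."""
    denials = []
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if not match:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group("rest"))}
        if not all(name in fields for name in REQUIRED):
            continue  # truncated audit record
        source = context_type(fields["scontext"])
        target = context_type(fields["tcontext"])
        if source is None or target is None:
            continue
        denials.append({
            "key": (source, target, fields["tclass"]),
            "perms": match.group("perms").split(),
            # permissive=1 means the access was logged but NOT blocked, which
            # is why a permissive kernel can hide a missing rule.
            "enforced": fields.get("permissive", "0") == "0",
        })
    return denials


def merge_rules(denials):
    """Group denials by (source, target, class) and union their permissions."""
    rules = OrderedDict()
    for denial in denials:
        entry = rules.setdefault(denial["key"], {"perms": set(), "enforced": False})
        entry["perms"].update(denial["perms"])
        entry["enforced"] = entry["enforced"] or denial["enforced"]
    return rules


def te_rule(key, perms):
    """Rule in source-policy (.te) syntax: target and class joined by ':'."""
    source, target, tclass = key
    return "allow %s %s:%s { %s };" % (source, target, tclass, " ".join(sorted(perms)))


def supolicy_command(key, perms):
    """Same rule in the space-separated form used by the supolicy command above."""
    source, target, tclass = key
    return 'supolicy --live "allow %s %s %s { %s }"' % (
        source, target, tclass, " ".join(sorted(perms)))


def rules_from_log(log_text):
    """Return (te_rule, supolicy_command, was_enforced) for each distinct rule."""
    merged = merge_rules(parse_denials(log_text))
    return [(te_rule(k, v["perms"]), supolicy_command(k, v["perms"]), v["enforced"])
            for k, v in merged.items()]


if __name__ == "__main__":
    for te, cmd, enforced in rules_from_log(SAMPLE_LOG):
        print("# blocked" if enforced else "# logged only (permissive)")
        print(te)
        print(cmd)
```

Each generated rule widens what the source domain may do, so read the list before applying any of it; the enforced flag separates accesses that were really blocked from ones that were only logged on a permissive kernel.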
@BeansTown106
Have you checked by any chance if this patch is enough to allow 2.61 (systemless) to work still?
Chainfire said:
> @BeansTown106
> Have you checked by any chance if this patch is enough to allow 2.61 (systemless) to work still?
Thanks for the description above, now I understand. I have never developed a root app so I had not read that part of How-To SU, but it makes perfect sense that the root apps would handle the denials live via your supolicy.
As for systemless root, I have not tried that yet but I will give it a shot tonight and report back. I know some people in my ROM thread have used systemless root, but I am not sure if you had packaged your sepolicy in the install script for 2.61+ and if it is overwriting mine in the kernel. If that is the case I will modify the installation to not patch the sepolicy and see if it works with my precompiled one based on the source above.
Starting 2.64, I think this addition to init.te is all that is needed:
Code:
allow init kernel:security load_policy;
Confirmation needed though. The original patch will also work with 2.64, and the ZIP installer should default to /system installation mode.
Of course, this also requires that /system isn't verified by dm-verity, and init reloads sepolicy from the standard /data/security/current location.
The link in the OP is no longer working...
Also in CM13 tree we have:
Code:
# Reload policy upon setprop selinux.reload_policy 1.
# Note: this requires the following allow rule
# allow init kernel:security load_policy;
and on my builds I have no problem with SuperSU systemless...
Chainfire said:
> Starting 2.64, I think this addition to init.te is all that is needed:
> Code:
> allow init kernel:security load_policy;
> Confirmation needed though. The original patch will also work with 2.64, and the ZIP installer should default to /system installation mode.
> Of course, this also requires that /system isn't verified by dm-verity, and init reloads sepolicy from the standard /data/security/current location.
Will build and test with only load policy enabled. Is this for system and systemless root?
danieldmm said:
> The link in the OP is no longer working...
> Also in CM13 tree we have:
> Code:
> # Reload policy upon setprop selinux.reload_policy 1.
> # Note: this requires the following allow rule
> # allow init kernel:security load_policy;
> and on my builds I have no problem with SuperSU systemless...
Updated link. So you're saying systemless SuperSU works with no SELinux modifications?
BeansTown106 said:
> Updated link. So you're saying systemless SuperSU works with no SELinux modifications?
On my builds yes, no issues at all in CM13, although my kernel is in permissive mode. Maybe that's why it works all good?
danieldmm said:
> On my builds yes, no issues at all in CM13, although my kernel is in permissive mode. Maybe that's why it works all good?
That is why. These patches are to allow you to run in enforcing.
I don't know if I should post this question here: is there any way to fix this problem with the ROM already installed?
Thanks
Garzla said:
> I don't know if I should post this question here: is there any way to fix this problem with the ROM already installed?
> Thanks
Try the following. It works for me when needed...
http://forum.xda-developers.com/showthread.php?t=3574688
Thank you for your work!
The link in the OP is no longer working...
Is there any actual guide on how to add SU directly to an AOSP build? I have found bits and pieces but those are mainly for 4.x releases.
I'm using the Android M release and struggling quite a lot to get it working.
I have tried to make SU default on AOSP 6.0 by using this guide.
http://forum.khadas.com/t/gapps-and-su-on-soc/118/3
I'm using a user build and enabled SELinux permissive on that.
I have also set ro.secure=0, ro.debuggable=1 and security.perf_harden=0 (not sure if needed).
I have also modified fs_config.c to change the su permissions.
I managed to get this to work so that when flashing the ROM, SuperSU asks to update the su binary and after that su works.
But I then cleaned the work area to verify the build by deleting the out dir and recompiled. No go anymore.
Why is it so hard to add su by default to an AOSP ROM? I would like to have it by default so I would not need to do any tricks every time I flash a new ROM.
It reminds me of Korean dramas ,
This thread/guide is now closed and will no longer be updated. It is only kept for posterity.
The new guide is stickied at the top of the Magisk forum, right here.
Installing Magisk and Modules
Installation
Where to start
It’s always a good idea to read through, at least, the release thread for information about what Magisk is and how to install it. Other useful information can be found in the Magisk All-In-One Wiki and the support thread.
Known issues
There may be issues with certain devices, ROMs and/or apps and Magisk. Check the release thread for information about currently known issues. While you're there, make sure to also take a look at the FAQ. When a new release is imminent, there will also be useful information in the beta thread.
Things to keep on your device
There are a couple of things that are good to keep on your device, making it easier to recover from any problems that might arise.
Magisk zip (release thread).
Magisk Manager apk (release thread) or GitHub.
Uninstall zip (release thread).
Mount Magisk zip (Collection of Magisk Modules v2 thread).
A copy of a clean boot image for your ROM (can be flashed in TWRP in case of problems).
Module zips.
Installation
Installing Magisk is straightforward. Follow the installation instructions in the release thread. After that you can install Magisk Modules through the Manager or via custom recovery (e.g. TWRP).
Moving from another systemless root solution to MagiskSU
If you want to install Magisk but already have a systemless root solution installed (SuperSU, phh's superuser) you'll have to first remove that.
With SuperSU, most of the time you can simply use the full unroot option in the SuperSU app and let it restore your stock boot image. Alternatively, use the full unroot option and then flash the stock boot image in recovery before installing Magisk.
Otherwise, and this applies to any other root solution as well, you can use @osm0sis unSU script (in recovery) and then flash the stock boot image before installing Magisk.
If your ROM is prerooted it's quite likely that you can still use the boot image from the ROM zip. Many ROMs simply flash a root zip at the end of the ROM installation. If this doesn't work you'll have to check with your ROM developer on how to find an unpatched boot image that works with your ROM. Also see "Boot image patched by other programs" below.
Updating
If there's an update to Magisk, you'll get a notification from the Magisk Manager (if you haven't turned it off, that is). You can update through the Manager or download the Magisk zip from the release thread and flash in recovery. Make sure to read the release notes and the changelog, both can be found in the release thread. Any modules you have installed may have to be updated to conform with possible changes to Magisk.
If you're having problems updating to a newer version, flash the uninstaller in recovery, restore your stock boot image and start over.
Note that with an update to Magisk, the Uninstall zip may also have been updated. Always keep the latest version on your device.
Boot image patched by other programs
If the installation (or uninstallation) through recovery fails with a message about the boot image being patched by other programs you need to follow the instructions given with the message. You most likely have some other systemless root solution (SuperSU, phh's superuser) or there's something else that has added its patches to the boot image that will interfere with Magisk and cause the installation/uninstallation to fail. If you're already rooted (not MagiskSU), first unroot (@osm0sis unSU script is good for this).
You'll have to restore a stock boot image without any other patches before installing/uninstalling Magisk. If you're using TWRP you can simply flash the boot.img file pretty much the same way you would with a zip.
The boot image can usually be found in your device's factory image/firmware file. If you're using a custom ROM it's found in the ROM zip.
If your ROM comes pre-rooted this can be tricky, depending on how the ROM roots your device. Usually the ROM just flashes root at the end of the ROM flash and you can simply open up the zip, unroot and flash the clean boot image from the ROM zip. If the ROM comes pre-patched from the start, ask for advice in your ROM thread or you could try a custom kernel that modifies the ramdisk.
Of course, you can also use a ROM that does not come pre-rooted (the preferred way).
After installation or update
After the first installation or an update, it may be necessary to perform a reboot or two for Magisk and/or any modules you have installed to start functioning properly.
Issues
Long boot time
If your device gets stuck on the splash screen for a minute or so, it might mean that the magisk daemon has crashed or that there is some SELinux issue. If it is the case that the magisk daemon crashed, the Magisk debug logging during boot will never finish, even after the device has booted. This will eventually cause the debug log to eat up all your storage space! Take a look in /data and see if the file magisk_debug.log is very large and growing. Save the log and report the issue. Try rebooting to see if this fixes things, otherwise you'll probably need to uninstall Magisk and wait for a fix. Also see "Nothing works!" below.
Bootloop
If you end up in a bootloop when installing Magisk, run the uninstaller script in recovery, flash a clean boot image (the uninstaller restores a copy of the untouched boot image, so this step is “just in case”) and start over. If the uninstaller fails, just flash your unmodified copy of the boot image and you should be good to go. There’ll probably be some leftover files and folders from Magisk laying around in /cache and /data, but these can be removed manually.
First make sure your system can boot up without Magisk.
Boot to recovery and install Magisk. Boot up your system without installing any modules. Also see "Module causing issues" below.
If your system bootloops again and you're using a custom kernel, try starting over without installing that kernel. If there's still a bootloop your system might just not be compatible. One possibility is to try finding another custom kernel that is compatible. Also see "Nothing works!" below.
Magisk Manager crashes
If you're having issues with the Magisk Manager force closing/crashing after an update, clear data for the Manager or uninstall it and install again.
The Manager crashing might also be caused by using a theme engine to theme the Manager (Substratum, etc). Disable it and reapply after an update.
If it still crashes, try reverting to an earlier version of the Manager (they're all on GitHub). But before you do, capture a logcat from the crash and post it in the support thread (with a detailed description of the problem).
There are no modules
If the list of modules under "Downloads" is empty, clear the repo cache (in settings) and/or reload the modules list (pull down).
Can't install modules
If there's an error installing a module, there's a couple of things to try.
If the error occurs when installing a module through the Downloads section of the Magisk Manager, then something is wrong. Capture a logcat and post in the support thread (with a detailed description of the problem).
If the error just states something along the lines "error when installing", try flashing the zip through recovery instead. It might also be that you're trying to flash a v4 template module on a Magisk version lower than v13.1. If you feel you need to stick with an outdated version of Magisk, check with the module developer if there is a v3 template module available.
If the error states that it's not a Magisk zip, or invalid zip in TWRP, something's gone wrong while packing the zip. Open up the zip and you'll probably see a folder (probably named something like <nameofmodule>-master). Take all the contents of that folder and repack it to the root of the zip and try flashing it again.
Module causing issues (Magisk functionality, bootloop, loss of root, etc)
If you have a working Magisk installation, but a module causes Magisk, the Magisk Manager or your device to not function properly (bootloop, loss of root, etc), here's a tip:
Boot to recovery and flash the Mount Magisk zip (see “Things to keep on your device” above). This mounts the Magisk image to /magisk and it can now be accessed as any other directory. You now have a couple of options to remove the module:
Simply delete the modules folder under /magisk and reboot.
Navigate to the modules directory under /magisk and rename the "module.prop" file to "remove".
In terminal you can type (without quotation marks) "touch /magisk/<module folder>/remove" (or “/magisk/<module folder>/disable”, depending on your preference).
If you create the "remove" or "disable" files, Magisk will take care of removing or disabling the module on the next reboot.
You can also keep a copy of the corresponding disable or remove files on your device and copy them to the module folder as needed.
If you get an error in recovery when flashing Mount Magisk it might mean your Magisk image has become corrupted. Check the recovery log for details. Easiest way to fix this is to run the uninstaller and start from the beginning. It might also be possible to use fsck in terminal in recovery or through ADB. Google it (and check the recovery log for details).
Since Magisk v12.0 and Magisk Manager 4.3.0 you can also use the "Magisk Core Only Mode" in Manager settings. This disables all modules and only keeps the core functions of Magisk active (MagiskSU, MagiskHide, systemless hosts and, for Magisk v12.0, Busybox).
Installing/disabling/uninstalling modules through the Manager or recovery
If you’re experiencing problems with installing, disabling or uninstalling a module through the Manager, simply try it through recovery instead. For disabling or uninstalling a module through recovery, see the described method above under “Module causing issues”.
Apps are force closing
If a bunch of apps suddenly start force closing after installing Magisk, your ROM might have issues with WebView. More precisely with the signatures for Chrome and Google WebView. You can take a logcat when one of the apps crashes and see if there's anything about WebView in there. The reason is that MagiskHide sets ro.build.type to "user" and this enables the signature check. Ask your ROM developer to fix the signature error... Meanwhile, you can fix it temporarily by disabling MagiskHide.
It's also possible that removing and reinstalling Chrome stable, Chrome Beta or Google WebView (or simply installing one of them if it's not already) will fix the issue.
Magisk isn't working
If you can boot up, but Magisk isn't working as expected (not detecting the Magisk installation, loss of root, etc), there's a few things you can try.
First, reboot. Sometimes this helps Magisk mount everything as it should.
Second, try removing any installed modules to see if it's a faulty module causing issues. If that seems to fix it, install the modules one at a time to find which one causes issues.
If nothing else works, try starting fresh with a new installation. Also see “Asking for help” and “Nothing works!” below.
Root issues
<insert app name here> can’t detect root
Since Magisk v11 and the included MagiskSU, some apps have started having troubles detecting root. Usually this means the app in question is looking for root in a specific location and needs to be updated to work with MagiskSU.
You can try symlinking the su binary to the location where the troublesome app is looking for it. Here’s an example on how to do this in terminal (If you don’t know about symlinking, Google it.):
Code:
ln -s /sbin/su /system/xbin/su
@laggardkernel has made a Magisk module that does this completely systemlessly. Which, of course, is preferable as we're using a systemless mask... :good: You'll find it here. Please note that doing this might have the effect of MagiskHide not being able to hide root.
Tasker and MagiskSU
Any version before Tasker v5.0 will have issues detecting MagiskSU. If you by any chance feel that you cannot update to v5+, you can use this Magisk module to enable Tasker root support. Reportedly, Secure Settings will also function with MagiskSU thanks to this module.
Another way is to use “Run Shell” in Tasker and use shell commands to do what you want, prefaced by “/sbin/su -c”. Example (copy a new host file to Magisk):
Code:
/sbin/su -c cp /sdcard/hosts /magisk/.core/hosts
If the command doesn’t work, try putting quotation marks around the command, like so:
Code:
/sbin/su -c "cp /sdcard/hosts /magisk/.core/hosts"
Randomly losing root
Some devices seem to have issues with memory management where the Magisk Manager will not be kept in memory and as a result root management is lost. This can sometimes be fixed by clearing the Manager from memory (swipe it away from recent apps list) and opening it again. Make sure the Manager is removed from any battery optimisation.
Magisk but no MagiskSU
There have been a few reports of devices/ROMs where Magisk gets installed properly, but MagiskSU fails to install. This might have to do with your device/ROM not letting Magisk symlink the required binaries and files to /sbin. See the release thread for known issues. If you know of a solution that's not listed, here or in the release thread, please let me know and I'll add it.
Other things to try
Starting fresh
If you've been trying a lot of things and can't get Magisk to work properly it can be a good idea to start fresh. Start by uninstalling Magisk, flashing a clean boot image and installing Magisk again. If that doesn't work you could try wiping your device and starting out completely clean.
Older versions of Magisk
It is possible that an older version of Magisk and MagiskHide may work if the latest does not. This is a last resort and should be considered unsupported. If the latest version of Magisk doesn’t work, but an earlier version does, please help fix the issue by reporting it with all the necessary details (see “Asking for help” and “Nothing works!” below).
Installation files back to Magisk v12 can be found in the release thread.
Please note that there’s no guarantee that an older version of Magisk will work with the current Magisk Manager. Compatible apk's can be found inside the Magisk zip.
Asking for help
If you can't fix the problem yourself, start by looking in the support thread where you might find that someone else has had this problem as well. Search for your device and/or problem. If you can't find anything (it's a big thread), provide as much information as possible (in the support thread). For example:
Detailed description of the issue and what you've tried so far.
Details about your device and ROM, custom kernel, mods, etc.
Current and previous root solution (and what you've done to remove it, if applicable)
Logs! And when providing logs, do NOT paste them into your post. Attach as a file or use a service like Pastebin.
Recovery log from installation (in TWRP, go to Advanced - Copy log).
Magisk log (from the Manager or in /cache through recovery if you don't have root access)
Logcat. Get it via ADB or an app.
If you have boot issues (stuck or long boot time), take a look in /data for a file called magisk_debug.log (access through recovery if necessary). If it's not there, try capturing a logcat through ADB during boot (see above).
Nothing works!
If nothing works and you just can't get Magisk to install/function properly on your device, check the troubleshooting section in the release thread for instructions on how to help topjohnwu fix any compatibility issues with your device. The best thing you can do if Magisk isn't compatible with your device is to open an issue on GitHub and upload logs (recovery log, Magisk log, logcat, whatever is applicable) and a copy of your boot image. No boot image, no fix.
If you're using an older release of Magisk, take a look at the Old and outdated tips and tricks for "Installing Magisk and Modules". There might be something in there that applies to you.
Beta releases
It's also possible that whatever problem you're facing has been fixed in code, but not yet released. For this you have two options. The official beta and the unofficial beta snapshot.
The official beta is for @topjohnwu to test the release before it goes out to the masses. Read the OP carefully and follow any directions given. When reporting things about the beta, provide the necessary details and logs for whatever issue you're facing. Please don't spam the thread with "useless" posts...
If you're feeling brave you can try the unofficial beta snapshot. It's built directly from source and can sometimes be unusable. Keep an eye on the thread for current issues.
Changelog
Installing Magisk and Modules - Changelog
2017-07-21
Tasker v5.0 is released. Update "Tasker and MagiskSU" to reflect this.
2017-07-19
Added some links to the Manager apk downloads on GitHub.
Updated and moved "Magisk Manager crashes".
Updated "Module causing issues".
Updated "Nothing works!".
2017-07-17
Slight update to "Boot image patched by other programs".
2017-07-14
Added a new section, "Moving from another systemless root solution to MagiskSU".
Added a new section, "Can't install modules".
Added a new section, "Apps are force closing".
2017-07-13
Added a note about using themes with the Manager under "Magisk Manager is crashing".
2017-07-12
Updated "Boot image patched by other programs".
Added a section about "Long boot time".
Added a section about "Magisk Manager crashes".
2017-07-11
Updated for Magisk v13.1
2017-06-19
Updated info about beta releases.
2017-06-18
Moved "Outdated tips and tricks" to its own post.
2017-05-25
Some clarifications for SuperSU pre-patched boot image.
2017-05-08
Added "Magisk but no MagiskSU"
Added a link to the solution for no MagiskSU on Sony devices by @[email protected].
2017-05-06
Added some clarifying headings.
Added an index in the OP.
2017-05-01
Slight clarification under "Asking for help".
2017-04-19
Added "Starting fresh".
2017-04-14
Added a link to a Magisk module for Tasker compatibility with MagiskSU.
2017-04-09
Updated "Losing root".
2017-04-04
Added "There are no modules".
2017-03-31
Updated for Magisk v12.
Moved old and outdated tips and tricks to the bottom.
2017-03-28
Minor clarification on Module issues.
Updated link to new Modules Collection thread.
2017-03-21
Added information about updating.
Slight restructuring.
2017-03-20
Updated for Magisk v11.6
2017-03-14
Added a link to the Beta snapshot thread.
2017-03-05
Added more ways to make Tasker recognise root with MagiskSU.
2017-03-02
Changelog started.
Refinements.
2017-02-23 - 2017-03-02
Various additions.
Refinements.
2017-02-23
Initial post.
Hiding root and passing Safety Net
MagiskHide works, IF your system is set up correctly and is compatible.
Basics
Requirements:
A Linux kernel version of at least 3.8 or a kernel that has the necessary features (mount namespace) backported.
MagiskHide hides:
Magisk and some modules (it depends on what the module does)
MagiskSU
Unlocked bootloader
Permissive SELinux
Things that may trigger SafetyNet and apps looking for root, and that can't be hidden by MagiskHide:
Magisk Manager - Some apps look specifically for the Magisk Manager and there is currently no simple way of fixing this. See "Detecting Magisk Manager or apps requiring root" below.
Other known root apps - Same as above.
Remnants of previous root method, including any root management apps (a good way to remove most remnants of root is osm0sis' unSU script).
Xposed (deactivate or uninstall). It doesn't matter if it's systemless, Magisk can't hide it.
USB/ADB Debugging (disable under Developer options). This isn't necessary on all devices/ROMs.
Make sure that your device conforms to the above requirements before continuing.
Known issues
There may be devices that have issues with MagiskHide. Check the release thread for information about currently known issues. While you're there, make sure to also take a look at the FAQ. When a new release is imminent, there will also be useful information in the beta thread.
Passing SafetyNet
If everything works out, SafetyNet should pass with no further input from the user. Nothing needs to be added to the Hide list. You'll see in the Magisk Manager if it works by checking the SafetyNet status. If SafetyNet doesn't pass after enabling Hide, try rebooting (also see “Hide isn’t working” and the sections about SafetyNet below).
Hiding root from apps
If you have other apps that you need to hide root from, open MagiskHide and select the app in question. Just remember there are apps out there with their own ways of detecting root that may circumvent MagiskHide (also see “More things to try” below).
MagiskHide isn't working
If you can’t get MagiskHide to work, either for SafetyNet or any other app detecting root, there are a few things you can try:
First make sure Hide is actually working by using a root checker. Start by making sure the root checker can detect that your device is rooted. After that, add the root checker to the Hide list and see if it no longer can detect root. If that is the case, MagiskHide is working on your device.
Check the logs
Take a look in the Magisk log. In there you should see something like this (just an example, YMMV):
Code:
--------- beginning of main
I( <numbers>: <numbers>) Magisk v13.3(1330) daemon started
I( <numbers>: <numbers>) ** post-fs mode running
--------- beginning of system
I( <numbers>: <numbers>) ** post-fs-data mode running
I( <numbers>: <numbers>) * Mounting /data/magisk.img
I( <numbers>: <numbers>) * Running post-fs-data.d scripts
<Here you'll see scripts that are installed to /magisk/.core/post-fs-data.d running>
I( <numbers>: <numbers>) post-fs-data.d: exec ************
I( <numbers>: <numbers>) * Loading modules
<Your installed modules will be loaded here.>
I( <numbers>: <numbers>) ***********: loading [system.prop]
I( <numbers>: <numbers>) ***********: constructing magic mount structure
I( <numbers>: <numbers>) * Mounting system/vendor mirrors
I( <numbers>: <numbers>) mount: /dev/block/bootdevice/by-name/system -> /dev/magisk/mirror/system
I( <numbers>: <numbers>) link: /dev/magisk/mirror/system/vendor -> /dev/magisk/mirror/vendor
<If you have modules that install files/folders to /system, you might see a lot of bind_mount entries.>
I( <numbers>: <numbers>) bind_mount: **************
I( <numbers>: <numbers>) * Running module post-fs-data scripts
<Here you'll see scripts that are installed in modules running.>
I( <numbers>: <numbers>) ************: exec [post-fs-data.sh]
I( <numbers>: <numbers>) * Enabling systemless hosts file support
I( <numbers>: <numbers>) bind_mount: /system/etc/hosts
I( <numbers>: <numbers>) * Starting MagiskHide
I( <numbers>: <numbers>) hide_utils: Hiding sensitive props
I( <numbers>: <numbers>) hide_list: [com.google.android.gms.unstable]
<Any other apps/processes added to the Hide list will be seen here.>
I( <numbers>: <numbers>) proc_monitor: init ns=mnt:[<numbers>]
I( <numbers>: <numbers>) ** late_start service mode running
I( <numbers>: <numbers>) * Running service.d scripts
<Here you'll see scripts that are installed to /magisk/.core/service.d running>
I( <numbers>: <numbers>) service.d: exec ***************
I( <numbers>: <numbers>) * Running module service scripts
<Here you'll see scripts that are installed in modules running.>
I( <numbers>: <numbers>) ************: exec [service.sh]
I( <numbers>: <numbers>) proc_monitor: zygote ns=mnt:[<numbers>] <possibly more zygotes and numbers>
I( <numbers>: <numbers>) proc_monitor: com.google.android.gms.unstable (PID=<numbers> ns=mnt:[<numbers>])
I( <numbers>: <numbers>) hide_utils: Re-linking /sbin
If there are no entries in the log about MagiskHide starting, take a look under "Restarting the MagiskHide daemon" and "Starting MagiskHide Manually" below.
Restarting the MagiskHide daemon
Sometimes the MagiskHide daemon needs to restart, or hasn't properly started on a reboot. Fix this by toggling MagiskHide off and then on again in settings. You can also try disabling MagiskHide, rebooting and then enabling it again.
If you previously have had MagiskHide functioning on your device, but suddenly it stops working, there's a good chance the MagiskHide daemon hasn't properly started on boot. Toggle off and on (and possibly reboot) and you should be good. If not, keep reading to the next section, "Starting MagiskHide manually".
Starting MagiskHide manually
If MagiskHide just won't start when toggling it in the Magisk Manager, try starting it manually. This can be done in a terminal emulator (as su) by executing the following command:
Code:
su
magiskhide --disable
magiskhide --enable
Systemless hosts
Some users have reported issues with MagiskHide if systemless hosts is enabled in Magisk Manager settings. Try disabling it and rebooting to see if it fixes your issue.
Kernel logcat support
If your device's kernel doesn't have logcat support, the MagiskHide process monitor won't be able to see when a process/package is started and therefore won't unmount the necessary folders to hide Magisk and its core features. You can test for this by running the following command in a terminal app:
Code:
logcat -b events -v raw -t 10
If you get an error you might have a logcat issue. Ask in your kernel/ROM thread for advice or try a different kernel.
There's also a possibility that your issue can be fixed by using a kernel managing app like Kernel Adiutor. It might be enough just to install it to enable logcat support. This is untested (by me at least) and just speculation on my part from what I've seen around the forums (please confirm if you have information about this or tested it).
A huge thank you to @tamer7 for teaching me about this.
Logger buffer size
If you have turned off Logger buffer size under Developer Options, MagiskHide won't be able to monitor when a process/package is started and won't unmount the necessary folders to hide Magisk and its core features.
Thank you to @Chaplan for the tip.
Mount namespace issues
If you see this line in the Magisk log: "proc_monitor: Your kernel doesn't support mount namespace", your device has a Linux kernel that is too old. The Linux kernel version has to be at least 3.8 (thank you @TheCech12), or otherwise have the necessary features backported. Ask in your ROM/kernel thread or try a different ROM and/or kernel.
SafetyNet
Google continuously updates SafetyNet. Currently, the only version of Magisk that will pass SafetyNet without workarounds is Magisk v13.3.
SafetyNet incompatible devices and ROMs
There are some devices/ROMs that just won’t be able to pass SafetyNet fully. This has to do with how Google certifies devices, CTS certification (Compatibility Test Suite). If a device hasn’t passed the Google certification process, or if the ROM alters how the device is perceived by Google, it won’t be able to fully pass SafetyNet (CTS profile mismatch). You might be able to get basic integrity to report as true (see Checking if Basic integrity passes below) and this means that MagiskHide is working as it should and it's most likely a CTS certification issue. If there is anything to be done about this it's most likely found in your device's forums. Go there and ask...
You can find out if your device/ROM has issues by checking SafetyNet with your current ROM without Magisk, any other root solution or mod (e.g. Xposed). You’ll also have to either relock your bootloader or flash a custom kernel that hides the bootloader state (disabled verified boot flag), set SELinux to enforcing (if it isn’t already) and possibly disable USB/ADB Debugging. If SafetyNet passes with a clean system, you’re good to go and can start troubleshooting MagiskHide. If it fails with a CTS profile mismatch you might be out of luck, but not necessarily. You can still give MagiskHide a go and see if you can get your device to pass, but if it doesn't it might be the ROM causing issues. If your device's stock ROM can pass SafetyNet, you could try finding a ROM that’s closer to stock and see if this helps.
It's also possible that you can match your ROM's ro.build.fingerprint and/or ro.build.description (or other props) with an official ROM for your device to make it pass SafetyNet fully. See Matching official prop values to pass SafetyNet below.
CTS profile mismatch vs Basic integrity
There are two parts to a SafetyNet check, CTS compatibility and Basic integrity. The CTS check is a server side check that's difficult to spoof, while Basic integrity is done on the device side and is a lower level of security. Some apps only use the Basic integrity part of the SafetyNet API and thus can be used even if SafetyNet doesn't fully pass.
Checking if Basic integrity passes
You can use a SafetyNet checker app (SafetyNet Helper and SafetyNet Playground are two good examples) to see if you at least pass Basic integrity. If you can't pass SafetyNet, but Basic integrity shows as true, that basically means Google doesn't trust your device for some reason (also see "SafetyNet incompatible devices and ROMs" above). You should be able to fix this by matching prop values with a ROM that passes SafetyNet (see below).
Matching official prop values to pass SafetyNet
If you use an unofficial/developers ROM you'll have to match an official/stable ROM's details (usually ro.build.fingerprint and possibly ro.build.description) to pass SafetyNet. Check your device's forum for details. Also, see the section about "Sensitive props" below.
@coolguy_16 has made a guide for Moto G 2015 here. Thank you to @diegopirate for the tip.
Spoofing device fingerprint
As a last resort you could try changing your device's ro.build.fingerprint to a device's/ROM's that is known to pass SafetyNet. This can be done with a Magisk module or with a boot script and the resetprop tool. See the section about "Sensitive props" below. Or you can use the Universal SafetyNet Fix module. Spoofing the device fingerprint is part of what it does.
SafetyNet check never finishes
If the SafetyNet status check never finishes (make sure to wait a while), it might mean that your Google Play Services aren’t working properly or have crashed. Try force closing Play Services, clearing data and/or rebooting the device.
You can also try updating to a newer version (take a look at APKMirror).
Device uncertified in Play store/Some apps won't install or don't show up
If some apps won't install or don't show up in the Play store, check the Play store settings. At the bottom there's a section called "Device certification". Some apps won't install if this shows "uncertified" (a couple of known apps are Netflix and Mario Run).
The solution is to make sure your device passes SafetyNet and then clear data for the Play store and reboot. If you have multiple users on your device, you might have to clear data for all users. Next time you open up the Play store, "Device certification" should show "certified" and the apps should be able to install/show up again. You might have to wait a bit before the apps show up. Some users have reported having to wait mere minutes, others several hours up to a whole day.
Some users have reported having to add the Play store to the MagiskHide list.
I still can't pass SafetyNet
First, keep reading and see if there's anything you can try below that you haven't already.
If you've tried everything and SafetyNet still doesn't pass, give the Universal SafetyNet Fix module by @Deic a try.
Other things to try
First make sure Hide is actually working by using a root checker. Start by making sure the root checker can detect that your device is rooted. After that, add the root checker to the Hide list and see if it no longer can detect root. If that is the case, MagiskHide is working on your device.
USB/ADB debugging
If you haven’t yet, try disabling USB/ADB debugging to see if this helps you use your root detecting app or pass SafetyNet.
Dependencies
There are some apps that require one or more other apps or processes being added to MagiskHide. For example, if an app is asking for extra permissions, try hiding the corresponding app/process as well. As an example: for a banking app asking for permissions to make phone calls it might be necessary to add the Phone app as well as the banking app to MagiskHide. Unfortunately it's not necessarily the case that the app or process used for finding root asks for permissions (also see "Figuring out if an app has dependencies, looks for 'sensitive props', Busybox, etc" below).
Sensitive props
Some apps trigger if they find "sensitive props". Also, on some devices SafetyNet triggers if certain props are not set to the expected values. A few props get set to "safe" values by MagiskHide by default. Currently these are ro.debuggable, ro.secure, ro.build.type, ro.build.tags and ro.build.selinux.
Some examples of props may include:
Code:
ro.build.selinux (careful, it might cause issues with SELinux)
ro.build.flavor
ro.build.description
ro.build.fingerprint
ro.bootimage.build.fingerprint
ro.build.oemfingerprint
etc...
Use the command "getprop" (without quotations) on the props in a terminal emulator to see what they're set to. Note that not all props used can be found in build.prop.
The props can be changed with a Magisk module or a boot script and the resetprop tool.
If you have a ROM (stock is usually a good bet) that can pass SafetyNet or use an app on without modifications, check for props on that ROM that you can change to on the ROM you're having trouble with (also see "Figuring out if an app has dependencies, looks for 'sensitive props', Busybox, etc" below).
Please note that changing prop values may have other consequences for your device than just being able to pass SafetyNet or hide root. If you're experiencing issues after changing prop values, revert them and see if that helps.
Developer options disappeared from settings
If Developer options suddenly disappeared from settings after installing Magisk, it's probably because MagiskHide changes ro.build.type from "userdebug" to "user" (known "safe" prop value). On some devices/ROMs this prop needs to be set to "userdebug" to show the Developer options. A solution is to temporarily disable MagiskHide and reboot if you need access to the Developer options.
Or, there's a much better solution... You can ask your ROM developer to add this commit: https://github.com/DirtyUnicorns/an...mmit/5a647d96432abcb1276fab695600c5233e88b8d3
Busybox
Some apps detect Busybox and see this as a sign of your device being compromised (rooted). Magisk should be able to hide any Busybox installed as a Magisk module.
Figuring out if an app has dependencies, looks for "sensitive props", Busybox, etc
It can be tricky figuring out if an app is dependent on another app or process for detecting root, expects certain prop values, doesn't like Busybox or whatever is triggering a root warning within the app. Apart from trying one thing/prop at a time, finding this out could mean you have to decompile the apk to look at the source code. Google it...
Detecting Magisk Manager or apps requiring root
There are apps that detect the Magisk Manager or known apps that require root and refuse to work properly or even start if that is the case. This can be worked around by uninstalling or possibly freezing the Manager or root app when you need to use these apps and reinstalling/unfreezing it afterwards. Cumbersome, but it might work. There are also some Xposed modules that can hide apps from other apps, but having Xposed installed might cause other issues with tampering detection...
Samsung...
Yeah... Samsung doesn't have the mod-friendliest devices out there. But anyway...
Parts of Magisk have had a history of breaking/not working on Samsung devices. This is constantly being worked on. Check the Known issues in the release thread, the support thread and other relevant threads in the Magisk forums for information. If you can't find anything about your issue, make sure you leave as detailed a report as possible when asking for help. See "Asking for help" below.
Lineage OS...
Yeah... Cyanogenmod had a history of breaking things for many mods and it seems like Lineage OS is continuing on this legacy.
Parts of Magisk have had a history of breaking/not working on devices with Lineage OS. Check the Known issues in the release thread, the support thread and other relevant threads in the Magisk forums for information. If you can't find anything about your issue, make sure you leave as detailed a report as possible when asking for help. See "Asking for help" below.
Magisk Core Only Mode
If you can't get MagiskHide to work, try enabling the Core Only Mode in Magisk Manager settings. No modules will be loaded and any conflicts as a result of that part of Magisk will be bypassed. Note: In Magisk v13.1 there seems to be a bug with Core Only Mode where it will disable MagiskHide and Systemless hosts. Toggle MagiskHide and Systemless hosts off and on in settings to fix this.
Starting fresh
If you've been trying a lot of things and can't pass SafetyNet it can be a good idea to start fresh. Start by uninstalling Magisk, flashing a clean boot image and installing Magisk again. If that doesn't work you could try wiping your device and starting out completely clean.
Older versions of Magisk
It is possible that an older version of Magisk and MagiskHide may work if the latest does not. This is a last resort and should be considered unsupported. If the latest version of Magisk doesn’t work, but an earlier version does, please help fixing the issue by reporting it with all the necessary details (see “Asking for help” and “Nothing works!” below)
Installation files back to Magisk v12 can be found in the release thread.
Please note that there’s no guarantee that an older version of Magisk will work with the current Magisk Manager. Compatible apk's can be found inside the Magisk zip.
Asking for help
If you can't fix the problem yourself, start by looking in the support thread where you might find that someone else has had this problem as well. Search for your device and/or problem. If you can't find anything (it's a big thread), provide as much information as possible (in the support thread).
Detailed description of the issue and what you've tried so far.
Details about your device and ROM, custom kernel, mods, etc.
Logs! And when providing logs, do NOT paste them into your post. Attach as a file or use a service like Pastebin.
Recovery log from installation (in TWRP, go to Advanced - Copy log).
Magisk log (from the Manager or in /cache through recovery if you don't have root access)
Logcat. Get it via ADB or an app.
If you have boot issues (stuck or long boot time), take a look in /data for a file called magisk_debug.log (access through recovery if necessary). If it's not there, try capturing a logcat through ADB during boot (see above).
Nothing works!
If MagiskHide does not work for you even though you've tried everything, check the troubleshooting section in the release thread for instructions on how to help topjohnwu fix any compatibility issues with your device. The best thing you can do if Magisk isn't compatible with your device is to open an issue on GitHub and upload logs (recovery log, Magisk log, logcat, whatever is applicable) and a copy of your boot image. No boot image, no fix. Just remember that there are some things @topjohnwu can't fix, like if your device's kernel doesn't have mount namespace support (you need a Linux kernel version of at least 3.8) or similar.
If you're using an older release of Magisk, take a look at the Old and outdated tips and tricks for "Hiding root and passing Safety Net". There might be something in there that applies to you.
And, if nothing else works you could try the Universal SafetyNet Fix module by @Deic.
Beta releases
It's also possible that whatever problem you're facing has been fixed in code, but not yet released. For this you have two options. The official beta and the unofficial beta snapshot.
The official beta is for @topjohnwu to test the release before it goes out to the masses. Read the OP carefully and follow any directions given.
If you're feeling brave you can try the unofficial beta snapshot. It's built directly from source and can sometimes be unusable. Keep an eye on the thread for current issues.
Changelog
Hiding root and passing SafetyNet - Changelog
2017-07-19
Updated "Check the logs".
Updated "Nothing works!".
2017-07-14
Added a link to a commit that fixes the disappearing Developer options issue on some ROMs with ro.build.type set to "user". Thank you @The Flash.
Moved "SafetyNet never finishes" to a more logical location.
2017-07-11
Updated for Magisk v13.1.
2017-07-06
Updated the section about "Magisk Manager" being detected. Renamed to "Detecting Magisk Manager or apps requiring root".
Removed duplicate information about SafetyNet being updated.
2017-06-27
Updated info about "Spoofing device fingerprint".
Small update to "Dangerous props".
2017-06-19
Updated info about beta releases.
2017-06-18
Updated info about the latest SafetyNet update and how to bypass it.
Updated info about the Universal SafetyNet fix module by @Deic.
Added section about "Spoofing ro.build.fingerprint".
Moved "Outdated tips and tricks" to its own post.
2017-06-16
Added notes about the update to SafetyNet and how to bypass it.
2017-06-01
Removed "Unlocked bootloader, permissive SELinux and Samsung KNOX".
Moved "Samsung KNOX".
Added "Magisk Manager".
2017-05-26
Some more clarifications on "Magisk Hide isn't unmounting...".
Added info about multiuser under "Device uncertified...".
2017-05-25
Added some info about setns support under "Magisk Hide isn't unmounting folders as it should".
2017-05-19
Added "some Moto device" to known devices that need official prop values added to custom ROMs to pass SafetyNet.
Added a link to the guide to pass SafetyNet on Moto G 2015 by @coolguy_16.
Some clarifications about Samsung KNOX.
Minor clarifications on Play store certification.
2017-05-14
Minor clarifications.
2017-05-09
Added a new section, "Magisk v12 can't hide root (but v11.6 could)".
2017-05-06
Added some more tips under "Magisk Hide isn't unmounting folder as it should" (Xiaomi devices).
Added some clarifying headings.
Added an index in the OP.
2017-05-03
Added a section about matching official ROM prop values to pass SafetyNet.
Added a link to Xiaomi SafetyNet fix module by @Deic.
2017-05-02
Slightly update information regarding SafetyNet incompatibility, CTS profile matching and Basic integrity.
Minor cosmetic changes, rearranging and typos.
2017-05-01
Another small clarification. This time under "Asking for help".
Slight clarification on issues with unmounting.
2017-04-28
Added a section about setting Logger buffer size to off breaking Magisk Hide.
2017-04-25
Added a command to test for kernel logcat support and a possible solution for a lack thereof.
2017-04-24
Moved info about busybox and systemless host issues to "Busybox conflict" and "Systemless hosts" under the section about Magisk hide not unmounting folders.
2017-04-20
Added a section about certification status in the Play store. "Some apps won't install or doesn't show up in the Play store".
Added "Check the logs".
Added "Magisk Hide isn't unmounting folders as it should". Again: thank you @tamer7.
More minor clarifications.
2017-04-19
Minor clarifications.
2017-04-16
Added a note about Core Only Mode.
2017-04-09
Added section about starting Magisk Hide manually.
Added section about Magisk built-in busybox or systemless hosts possibly causing SafetyNet to fail on some ROMs.
2017-04-07
Updated "Dangerous props".
Updated information about Samsung KNOX (Samsung pay probably won't work).
2017-03-31
Updated for Magisk v12.
Moved old and outdated tips and tricks to the bottom.
2017-03-22
Changing prop values may have undesired effect (duh).
Moved "Restarting Magisk Hide" to the beginning of the text and updated it. Might be a good thing to start with when troubleshooting.
2017-03-21
Added ro.build.flavor to "dangerous props".
Added information about what to try when a prop value isn't set properly.
More updates for Magisk v11.6 (resetprop added to PATH).
Clarifications.
2017-03-20
Updated for Magisk v11.6
Removed "ro.build.selinux" from "dangerous props" since it might cause issues with SELinux.
2017-03-15
Clarifications about finding out if you have "dangerous props" set to undesired values.
Added a new "dangerous prop" example (ro.build.selinux).
2017-03-14
Added a link to the Beta snapshot thread.
2017-03-10
Small update to the "Samsung..." section.
2017-03-06
Clarification about setting props and figuring out dependencies, etc.
2017-03-06
Added some info to "Dependencies".
Added section about how to figure out what an app is looking for to detect root.
2017-03-03
Added some information about "Dangerous props".
Updated information about SafetyNet CTS profile mismatch and Basic integrity.
2017-03-02
Changelog started.
Added Samsung SELinux tips.
Refinements.
2017-02-23 - 2017-03-02
Various additions.
Refinements.
2017-02-23
Initial post.
Old and outdated tips and tricks for "Installing Magisk and Modules"
Unmounting of folders is no longer shown in the Magisk log, since Magisk v13.1.
MagiskHide isn't unmounting folders as it should
If MagiskHide isn't unmounting as it should for the processes/packages added to the Hide list (there are no "hide_daemon: Unmounted" entries in the log or there are entries showing that the unmount failed ("hide_daemon: Unmount Failed")), see "MagiskHide isn't unmounting folders as it should" below.
If you don't see any entries in the Magisk log for "hide_daemon: Unmounted", MagiskHide isn't functioning as it should and can't hide Magisk from apps and processes that trigger if root is found. There are a few reasons as to why this might happen. See "Kernel logcat support", "Logger buffer size", and "Mount namespace issues" below. Of course, these might not be the only reasons. If you're lucky, one of the solutions below will work for your particular case.
If there are entries in the Magisk log showing that the unmount failed ("hide_daemon: Unmount Failed"), take a look at what folder it's failing for and disable the corresponding Magisk module. If you can't work out what module is causing the issue, disable them all and enable one by one until you find the culprit. If it is one of your installed modules causing the issue, ask for advice in the module's support thread.
It might be that you have to rely on manually starting MagiskHide to make it unmount folders properly (known: some Xiaomi devices/MIUI). See "Starting MagiskHide manually" above.
Busybox is no longer bundled with Magisk since v13.1.
Randomly losing root
Some devices and/or ROMs (known: Lineage OS) have issues with losing root when using MagiskSU. This can sometimes be fixed by disabling busybox in Magisk Manager settings. Some users have also reported success by disabling systemless hosts instead/as well.
Magisk v13+ is fully compatible with stock Sony ROMs.
Sony and MagiskSU
If you're using a Sony device and have the above issue with MagiskSU, you're probably running a stock boot image or otherwise haven't disabled Sony RIC. Don't worry, @[email protected] has got the fix for you here.
Old and outdated tips and tricks for "Hiding root and passing Safety Net"
The changed prop values have been reintroduced with Magisk v13.1.
Magisk v12 can't hide root (but v11.6 could)
If you have an app that you can hide root from with Magisk v11.5/v11.6 but not after upgrading to v12, you need to take a look at the "Dangerous props" section below. In Magisk v11.5 and v11.6, Magisk Hide would alter a few build.prop values, specifically a couple of the usual suspects mentioned in "Dangerous props". These are ro.build.tags and ro.build.type. This was reverted with Magisk v12 since it has the potential to cause issues and is better left to the user's discretion.
So, if you can fool an app with Magisk v11.5/v11.6, but not with v12, try changing ro.build.tags and/or ro.build.type to "safe" values. Again, see "Dangerous props" below.
Scripts are no longer used in Magisk v13.1.
If you have a device where you find you have to start Magisk Hide manually to pass SafetyNet, try editing the enable script (found in /magisk/.core/magiskhide) and change the last line to:
Code:
(su -c $BINPATH/magiskhide --daemon)
This might make Magisk Hide work properly on your device.
Busybox is no longer bundled with Magisk since v13.1.
Busybox conflict
If you already have busybox installed or your ROM comes with it built-in, enabling Magisk busybox may cause a conflict that breaks Magisk Hide. Either use and update the existing installation or remove it if you want to use Magisk busybox.
Magisk v13.1 does not have these issues.
Since beginning of June 2017, SafetyNet has been updated. Magisk v12 and lower versions can't pass. The solution is to enable Core Only Mode in Magisk Manager settings and you might also have to disable systemless hosts. In Magisk v13.0 beta, this has been fixed (but of course, there might be other issues present). Note that this guide is written for Magisk v12 and the tips in it may not be applicable for Magisk v13 beta. I'll update the guide for v13 when it is released from beta.
For users of Magisk v12 @Deic has made a Magisk module that might make SafetyNet pass with modules active. Note that this module will also change your device's fingerprint to match a Xiaomi Mi 6 (for devices/ROMs that have no CTS certification), also see "Spoofing ro.build.fingerprint" below. @yochananmarqos has made a version of the module that leaves out the fingerprint part, for users that could pass SafetyNet before the update. See the links for details.
Module link removed from the guide since it does so much more than just editing the fingerprint.
@Deic has updated his Xiaomi SafetyNet fix module to be a Universal SafetyNet fix module that does just this. It'll change your device's fingerprint to match an official one for Xiaomi Mi 6. It'll also make Magisk v12 pass SafetyNet with modules installed.
IMO it'd be best if you could use a fingerprint that more closely matches your device (you'll find it in the build.prop file). If you're on a custom ROM that doesn't pass SafetyNet and the stock ROM does, use the stock ROM's prop values, etc. To change the fingerprint set by the module, unzip it and open up the post-fs-data.sh file in a text editor that can handle Unix line endings (on Windows this means Sublime, Atom, Notepad++ etc). Change the following two lines to match your device's stock ROM:
Code:
$RESETPROP "ro.build.fingerprint" "Xiaomi/sagit/sagit:7.1.1/NMF26X/V8.2.17.0.NCACNEC:user/release-keys"
$RESETPROP "ro.bootimage.build.fingerprint" "Xiaomi/sagit/sagit:7.1.1/NMF26X/V8.2.17.0.NCACNEC:user/release-keys"
No longer applicable.
An app still detects the original prop value
If Magisk Hide doesn't start properly at boot, it can be started by toggling Hide off and on again in settings. But, when doing this, some of the prop values changed by Magisk Hide may not get set properly. Try rebooting your device and see if Hide starts up properly. If it doesn't it might be one of your modules causing issues.
If it's a prop value you're changing yourself with a Magisk module and you're using system.prop to set the value, try moving the script to post-fs-data.sh and use resetprop instead. See here for more resetprop syntax. Example:
Code:
system.prop code:
ro.build.tags=release-keys
post-fs-data.sh code:
resetprop ro.build.tags release-keys
Removed from the guide since the feature doesn't seem to work anyway.
Samsung KNOX
If you're having issues with Samsung KNOX, use a KNOX checker app from the Play store to see if it reports as triggered or not. Samsung pay and other Samsung apps/services that check KNOX have been reported to still see the KNOX counter as triggered, even though it gets masked by Magisk Hide.
The module has been updated to a universal SafetyNet fix.
Deic has made a Magisk module for Xiaomi devices that does the above, Xiaomi SafetyNet fix.
Since Magisk v11.5 resetprop is added to PATH and can be called directly through shell and apps.
Code:
/data/magisk/resetprop ro.build.tags release-keys
This part is no longer necessary since Magisk v11.5. It's changed by Magisk by default. Only do this if you're using an earlier release.
Some Samsung users with custom ROMs have reported that they have had to do some modifications to the permissions for a couple of files related to SELinux to pass SafetyNet. These files are "/sys/fs/selinux/enforce" and "/sys/fs/selinux/policy". The "enforce" file should have permission 640 (rw-r-----) and the "policy" file should have permission 440 (r--r-----). This can be easily automated with Magisk's General Purpose Boot Scripts (see here for details) or a Magisk module. The lines needed for the script are:
Code:
#!/system/bin/sh
chmod 640 /sys/fs/selinux/enforce
chmod 440 /sys/fs/selinux/policy
Magisk Hide uses a pseudo-enforcing SELinux state to mask a permissive kernel
Permissive SELinux
You can check if it’s SELinux causing problems by typing (without quotation marks) “getenforce” in a terminal emulator. If it reports permissive you can try temporarily setting it to enforcing by typing “setenforce 1” (this requires root access) and see if this makes SafetyNet pass. To make SELinux permissive again, use “setenforce 0” or reboot your device (if it’s permissive by default). If you want a more permanent solution it can be done with Magisk's General Purpose Boot Scripts. See here for details. The lines needed for the script to set SELinux to enforcing are:
Code:
#!/system/bin/sh
setenforce 1
Check the module support thread for update.
Update 20170228
Because of a small syntax error in the mounting script in Magisk v11.0-v11.1, mounting the link systemless-ly won't succeed. Hence we chose to copy rather than link the su binary for v11.0-v11.1. Don't worry, both methods are systemless.
==========
Great guide. :good:
Just made a simple module to try to solve the /sbin/su not detectable problem. This module will look for an existing su binary, and create a link as /magisk/su_xbin_bind/system/xbin/su pointing to the real su. The link will also be mounted as /system/xbin/su systemless-ly later.
Installation
Flash it in RECOVERY, then reboot. And you will find a link /system/xbin/su. All the work is done systemless-ly.
Uninstallation
Open Magisk Manager, go to Modules, disable or uninstall the module called "Su xbin_bind". Then it will disappear after reboot.
laggardkernel said:
Great guide. :good:
Just made a simple module to try to solve the /sbin/su not detectable problem. This module will look for an existing su binary, and create a link as /magisk/su_xbin_bind/system/xbin/su pointing to the real su. The link will also be mounted as /system/xbin/su systemless-ly later.
Installation
Flash it in recovery, then reboot. And you will find a link /system/xbin/su. All the work is done systemless-ly.
Uninstallation
Open Magisk Manager, go to Modules, disable or uninstall the module called "Su xbin_bind". Then it will disappear after reboot.
Nice! I added a mention of this in the guide. You should get this in the repo...
Great guide. Apparently this contains almost all the troubleshooting steps and known issues right from the original support thread of Magisk. However, it would be complete if you added the steps that users reported working on various custom ROMs that are known to not pass SafetyNet. One of the steps is below, for pre-rooted custom ROMs:
1. Go back to recovery.
2. Flash unSU.zip by osmosis
3. Flash magisk 10.2
4. Boot to system. Install Phh superuser. Update binary.
5. Update to latest Magisk from Magisk Manager. Reboot.
6. Check safetynet, it should work.
This is reported to be working for some users, and some others reported it didn't work. But still worth a try.
iubjaved said:
Great guide. Apparently this contains almost all the troubleshooting steps and known issues right from the original support thread of Magisk. However, it would be complete if you added the steps that users reported working on various custom ROMs that are known to not pass SafetyNet. One of the steps is below, for pre-rooted custom ROMs:
1. Go back to recovery.
2. Flash unSU.zip by osmosis
3. Flash magisk 10.2
4. Boot to system. Install Phh superuser. Update binary.
5. Update to latest Magisk from Magisk Manager. Reboot.
6. Check safetynet, it should work.
This is reported to be working for some users, and some others reported it didn't work. But still worth a try.
I hadn't seen that one before. Looks a little fishy (updating the phh's superuser binary?), but I'll do some research on that and see if I can work this into the guide somehow.
2 posts removed.
Do not discuss or post warez on XDA.
Thank you.
:good:
The Merovingian said:
2 posts removed.
Do not discuss or post warez on XDA.
Thank you.
:good:
Sorry
Didgeridoohan said:
I hadn't seen that one before. Looks a little fishy (updating the phh's superuser binary?), but I'll do some research on that and see if I can work this into the guide somehow.
These steps are from the Magisk thread. I could be wrong about the binary update (considering that when installing any superuser, you will get a prompt for updating the binary?), but the rest of the steps are exactly as mentioned there. I wish I could link you for reference, but I'd have to go through the whole thread again and search for these. You can post these steps on the Magisk support thread for clarification. Great work once again. Good luck!
laggardkernel said:
Great guide. :good:
Just made a simple module to try to solve the /sbin/su not detectable problem. This module will look for an existing su binary, and create a link as /magisk/su_xbin_bind/system/xbin/su pointing to the real su. The link will also be mounted as /system/xbin/su systemless-ly later.
Installation
Flash it in recovery, then reboot. And you will find a link /system/xbin/su. All the work is done systemless-ly.
Uninstallation
Open Magisk Manager, go to Modules, disable or uninstall the module called "Su xbin_bind". Then it will disappear after reboot.
Hey installed ur module, but still root checker detects no su file symlinks in xbin :crying:
Xennet said:
Hey installed ur module, but still root checker detects no su file symlinks in xbin :crying:
Did you reboot your phone after installation? And try to check its existence in /magisk/su_xbin_bind/system/xbin. If the su link exists here, where does it point to?
laggardkernel said:
Did you reboot your phone after installation? And try to check its existence in /magisk/su_xbin_bind/system/xbin. If the su link exists here, where does it point to?
Yes, rebooted. It is activated in Magisk. The su link exists in /magisk/su_xbin_bind/system/xbin/. Opening the link directs to su... But how do I check where it directs to?
Really, this is a great module to get the apps that look for the real root location xbin/su...
Please help
Xennet said:
Yes, rebooted. It is activated in Magisk. The su link exists in /magisk/su_xbin_bind/system/xbin/. Opening the link directs to su... But how do I check where it directs to?
Really, this is a great module to get the apps that look for the real root location xbin/su...
Please help
How about /magisk/su_xbin_bind/auto_mount, does it exist? If not, create an empty file and name it auto_mount.
laggardkernel said:
How about /magisk/su_xbin_bind/auto_mount, does it exist? If not, create an empty file and name it auto_mount.
auto_mount exists too
Xennet said:
auto_mount exists too
Now, I need more detail to figure it out.
1. Where does the su link point to? Does it exist in /system/xbin and /dev/magisk/dummy/system/xbin? Use an explorer to check su's position and the link's properties, or use a terminal
Code:
su
ls -al /magisk/su_xbin_bind/system/xbin/su
2. What is the version of your magisk? Upload your /cache/magisk.log and /sbin_orig/magisk_mask.sh for me, please.
3. Which ROM are you using and is there any root embedded?
I'm using an op3 with OOS 3.2.7, Magisk v11.1, and the su_xbin_bind module works well now. It seems you're using an op3 or op3t. So it's weird to me that the module doesn't work on your device.
Much obliged if you could tell me the package name of the root checker app in your picture.
AS OF 03/07/2018
Support and development of this module have been discontinued.
A replacement module can be found here : https://forum.xda-developers.com/apps/magisk/module-magisk-selinux-manager-t3760042
This is a very simple module that installs a post-fs-data.sh script which enables SELinux Permissive Mode. This is useful for certain audio mods and removes the need to understand Magisk's file system & boot logic. No need to create your own scripts, just flash and forget.
I have only tested this on my Verizon HTC 10, but this module is so simple and generic that it should work on any Android device with SELinux.
This module has been tested on and is compatible with Magisk v11.6-15.2.
Disclaimer & Recommendations: This module should be used as a last resort only if appropriate SELinux Permissions can not be generated and injected into the SELinux Policy using selinux-inject, supolicy or magiskpolicy. Putting your device into Permissive Mode will essentially disable all of the operating system level security built into Android and allow any app in any context to do whatever it wants. Actions requiring root access will still trigger your SU Manager App, but all apps have elevated privileges due to permissive and may be able to take malicious actions on your device without needing root access. If you find that this module fixes issues you are experiencing with an app I recommend contacting the app developer and trying to work with them to isolate the necessary SELinux Permissions and have them injected into the SELinux Policy at startup.
Here is a discussion of some of the concerns to consider when running your device in Permissive Mode : https://forum.xda-developers.com/general/general/discussion-root-selinux-risks-t3607295
Github Repo : https://github.com/Jman420/magisk-permissive-script
Change Log :
v1.0 - Initial Release
v1.1 - Update to Module Template v1400
v1.2 - Update to Module Template v1500
thank you brother!
LeEco LePro 3 Atmos can work finally!
huaiyue said:
thank you brother!
Can you tell me how to install LeEco LePro 3 Atmos ?
I have supersu systemless.
These two things are completely unrelated.
If you want to install something, you install it. There's not much more to that.
huaiyue said:
thank you brother!
Can you tell me how to install LeEco LePro 3 Atmos ?
I have supersu systemless.
In Magisk, go to the Modules section, and select the "+", and select the zip you downloaded.
Jman420 said:
This is a very simple module that installs a post-fs-data.sh script which enables SELinux Permissive Mode. This is useful for certain audio mods and removes the need to understand Magisk's file system & boot logic. No need to create your own scripts, just flash and forget.
I have only tested this on my Verizon HTC 10, but this module is so simple and generic that it should work on any Android device with SELinux.
Github Repo : https://github.com/Jman420/magisk-permissive-script
LeEco LePro 3 Atmos can work
however
xposed systemless failed.
---------- Post added at 01:32 ---------- Previous post was at 01:31 ----------
ahrion said:
These two things are completely unrelated.
If you want to install something, you install it. There's not much more to that.
http://imgur.com/a/Sbf9p
dolby fc.
---------- Post added at 01:36 ---------- Previous post was at 01:32 ----------
jhedfors said:
In Magisk, go to the Modules section, and select the "+", and select the zip you downloaded.
thank you brother!
Thanks a lot
huaiyue said:
thank you brother!
LeEco LePro 3 Atmos can work finally!
Regarding your other post mentioning Xposed (which I'm not quoting cause it's a mess). I'm running on Nougat so I can't use Xposed and haven't tested with it. If you give me more details I can try to determine what the issue is. Logs, error messages, symptoms would all be helpful.
Thor™ said:
Thanks a lot
I aim to please
I don't understand why this mod is useful. In the latest version of Magisk, there is a semi enforce/permissive Linux bypass. The system thinks it's enforced, but in reality is permissive. Or maybe I didn't fully understand it?
its working with s5neo?
I've just flashed this zip. This allows Viper4Android to run in enforcing mode:
https://www.dropbox.com/s/k9cnruw2e1t1d4t/ViPER4Android-supolicy.zip?dl=0
I forgot the source. Maybe Google it
matssa said:
I don't understand why this mod is useful. In the latest version of Magisk, there is a semi enforce/permissive Linux bypass. The system thinks it's enforced, but in reality is permissive. Or maybe I didn't fully understand it?
I agree that Magisk hides the actual SELinux Mode in such a way that if Magisk Hide is enabled the 'getenforce' command always returns 'Enforcing'. But if you do not run the 'setenforce 0' command the SELinux mode will still be set to 'Enforcing' rather than 'Permissive'. This script puts the SELinux mode into 'Permissive' at startup. Magisk Hide will still hide the fact that you are in Permissive Mode, which I believe is the 'pseudo permissive' mode that Magisk describes. But I can not find any settings or commands within Magisk that enable Permissive Mode.
htr5 said:
I've just flashed this zip. This allows Viper4Android to run in enforcing mode:
https://www.dropbox.com/s/k9cnruw2e1t1d4t/ViPER4Android-supolicy.zip?dl=0
I forgot the source. Maybe Google it
It's just a shell script, the source is in the zip file. This is really helpful and is the direction I want to take this project. Permissive Mode is great in that it gets the Apps/Mods that we want to run to work, but I consider it the equivalent of using a sledgehammer to hammer in a finishing nail. I would much rather be able to grant the specific permissions that each App needs rather than enable all permissions for all apps (which is what permissive mode does).
I plan on trying to develop an App which will assist in managing and generating a script which uses 'supolicy' to inject individual SELinux Policy Permissions. I had planned on using the Dolby Atmos LePro3 build as a guinea pig to try to isolate which permissions it needs and put together the supolicy command for them. I've hit a bit of a roadblock in verifying my supolicy command due to the format that the SELinux Policy is stored in on the device. I've found a project called sedump (https://ge0n0sis.github.io/posts/2015/12/exploring-androids-selinux-kernel-policy/) which claims to deserialize the Binary SELinux Policy to a readable format, but I can't seem to get it to work... the process seems to complete, but it generates an empty file... If anyone has experience with SELinux I'd really appreciate any feedback.
cosmin691 said:
its working with s5neo?
Dunno, I've only got an HTC 10 for testing. Give it a shot, if it doesn't work just uninstall the Magisk Package. Remember to disable Magisk Hide if you are testing to make sure it actually put your phone into Permissive Mode by using the 'getenforce' command.
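The approach described in the post above, granting only the permissions an app needs instead of switching the whole device to permissive mode, starts from the AVC denials in the kernel log. The following is an added example, not part of the original thread or of any project mentioned in it: it parses denial lines, merges them into audit2allow-style allow rules, and formats them as `--live` statements for magiskpolicy or supolicy. The sample log lines, SELinux type names and function names are constructed for illustration.

```python
"""Turn SELinux AVC denials into minimal allow rules (audit2allow-style)."""
import re
from collections import defaultdict

# Constructed sample in dmesg and logcat layouts; not captured from a device.
# permissive=1 means the access was logged but not blocked; the same rule is
# still needed once the device is back in enforcing mode.
SAMPLE_LOG = """\
[   12.345678] type=1400 audit(1488268800.123:5): avc: denied { read } for pid=312 comm="logd" path="pipe:[7342]" dev="pipefs" ino=7342 scontext=u:r:logd:s0 tcontext=u:r:init:s0 tclass=fifo_file permissive=0
[   12.345912] type=1400 audit(1488268800.124:6): avc: denied { write } for pid=312 comm="logd" path="pipe:[7342]" dev="pipefs" ino=7342 scontext=u:r:logd:s0 tcontext=u:r:init:s0 tclass=fifo_file permissive=0
03-01 10:00:02.500   410   410 W audioserver: type=1400 audit(0.0:41): avc: denied { read } for name="fx.conf" dev="dm-0" ino=5512 scontext=u:r:audioserver:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=1
03-01 10:00:02.900   410   410 W audioserver: type=1400 audit(0.0:42): avc: denied { open getattr } for name="fx.conf" dev="dm-0" ino=5512 scontext=u:r:audioserver:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=1
03-01 10:00:03.100   410   410 W audioserver: type=1400 audit(0.0:43): avc: denied { create } for scontext=u:r:audioserver:s0 tcontext=u:r:audioserver:s0 tclass=tcp_socket permissive=1
[   20.000001] init: starting service 'example'...
[   30.000000] avc: denied { write } for pid=77 comm="sh" scontext=u:r:shell:s0 tcon
"""

# Only the fields a rule needs; any prefix (timestamp, logcat tag) is ignored.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}"
    r".*?\bscontext=(?P<scon>\S+)"
    r"\s+tcontext=(?P<tcon>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """Extract the type from user:role:type:level[:categories]."""
    parts = context.split(":")
    if len(parts) < 4 or not parts[2]:
        raise ValueError(f"not a full SELinux context: {context!r}")
    return parts[2]


def parse_denials(log_text):
    """Return {(source_type, target_type, class): set(perms)}.

    Lines that are not denials, are truncated, or carry a malformed
    context are skipped rather than guessed at.
    """
    rules = defaultdict(set)
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if not match:
            continue
        perms = match["perms"].split()
        if not perms:
            continue
        try:
            key = (context_type(match["scon"]),
                   context_type(match["tcon"]),
                   match["tclass"])
        except ValueError:
            continue
        rules[key].update(perms)
    return dict(rules)


def te_rules(rules):
    """Format merged denials as policy-source (.te) allow rules."""
    lines = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt
        ordered = sorted(perms)
        perm_set = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        lines.append(f"allow {src} {target}:{tclass} {perm_set};")
    return lines


def live_statements(rules, tool="magiskpolicy"):
    """Format the same rules as `<tool> --live "<statement>"` command lines.

    Both magiskpolicy and supolicy take space-separated statements of the
    form: allow source target class { perms }. Real type names are used
    here instead of the `self` keyword.
    """
    cmds = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        perm_set = " ".join(sorted(perms))
        cmds.append(f'{tool} --live "allow {src} {tgt} {tclass} {{ {perm_set} }}"')
    return cmds


if __name__ == "__main__":
    merged = parse_denials(SAMPLE_LOG)
    print("\n".join(te_rules(merged)))
    print("\n".join(live_statements(merged)))
```

Review each generated rule before loading it: a denial records what a process attempted, not what it should be allowed to do.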
It works for oneplus 3t on freedom OS rom.
Jman420 said:
This is a very simple module that installs a post-fs-data.sh script which enables SELinux Permissive Mode. This is useful for certain audio mods and removes the need to understand Magisk's file system & boot logic. No need to create your own scripts, just flash and forget.
I have only tested this on my Verizon HTC 10, but this module is so simple and generic that it should work on any Android device with SELinux.
Github Repo : https://github.com/Jman420/magisk-permissive-script
This zip must be flashed using TWRP, right? Or will stock recovery also do fine? Because I tried many times to flash recovery for Samsung E5 5.1.1 but ended up with a boot loop. Now running all stock!!
X_GOD said:
This zip must be flashed using TWRP, right? Or will stock recovery also do fine? Because I tried many times to flash recovery for Samsung E5 5.1.1 but ended up with a boot loop. Now running all stock!!
Should be able to install it through Magisk Manager or TWRP. Let me know if you have problems.
matssa said:
I don't understand why this mod is useful. In the latest version of Magisk, there is a semi enforce/permissive Linux bypass. The system thinks it's enforced, but in reality is permissive. Or maybe I didn't fully understand it?
Now, I have Magisk 11.6 on EMUI Marshmallow. The V4A driver was abnormal because of enforcing SELinux. Same happened with SuperSU 2.79. When I changed to permissive mode using terminal emulator/Kernel Adiutor init.d script emulator/su.d SuperSU script, the V4A driver was normal and it was processing. I like Magisk a lot because of its Xposed-like modules. Now using jman420's permissive Magisk module.
Thor™ said:
Now, I have Magisk 11.6 on EMUI Marshmallow. The V4A driver was abnormal because of enforcing SELinux. Same happened with SuperSU 2.79. When I changed to permissive mode using terminal emulator/Kernel Adiutor init.d script emulator/su.d SuperSU script, the V4A driver was normal and it was processing. I like Magisk a lot because of its Xposed-like modules. Now using jman420's permissive Magisk module.
Without this module, ARISE is working fine, processing in 48000 on my side, so for V4A I don't think this is necessary, at least on my side.
matssa said:
Without this module, ARISE is working fine, processing in 48000 on my side, so for V4A I don't think this is necessary, at least on my side.
For ARISE I used to flash permissive script by osm0sis. Otherwise no luck with V4A, AM3D and Dolby.
Thor™ said:
For ARISE I used to flash permissive script by osm0sis. Otherwise no luck with V4A, AM3D and Dolby.
Strange... Did you enable magisk hide? If not, that is the reason.
matssa said:
Strange... Did you enable magisk hide? If not, that is the reason.
No, I was using SuperSU 2.79. Same happened with MagiskSU.
These modules are not meant for everyday use. They are intended for debugging and modification of a firmware. They significantly lower security of your device while active and even could softbrick it. You've been warned.
ADB Root
Magisk Module that allows you to run "adb root". adb root is not an ordinary root (su), it's adbd daemon running on your phone with root rights. adb root allows you to "adb push/pull" to system directories and run such commands as "adb remount" or "adb disable-verify".
Download v1.0: https://github.com/evdenis/adb_root/releases/download/v1.0/adb_root.zip
Source code: https://github.com/evdenis/adb_root
Support: Telegram
SELinux Permissive
This module switches SELinux to permissive mode during the boot process. This module intentionally lowers the security settings of your phone. Please don't use it if there is a better solution to your problem, e.g., magiskpolicy. The module will not work if your kernel is compiled with an always-enforcing config, e.g., stock Samsung kernels. It's not possible to enable permissive mode on such kernels.
Download v2.0: https://github.com/evdenis/selinux_permissive/releases/download/v2.0/selinux_permissive_v2.0.zip
Source code: https://github.com/evdenis/selinux_permissive
Support: Telegram
Enable Eng
This Magisk Module enables engineering build props. It allows to activate debugging parts of a firmware. Please, disable Magisk Hide for this module. If you don't know what you are doing, don't use this module. It can easily softbrick your device.
Troubleshooting
If your device doesn't boot then you need to reboot to TWRP recovery and
Code:
$ adb shell rm -fr /data/adb/modules/enable_eng
If ADB doesn't work, that means adbd in your firmware is built without ALLOW_ADBD_ROOT. You can fix adb autostart either by installing the "ADB Root" Magisk module or by disabling this module.
Download v1.0: https://github.com/evdenis/enable_eng/releases/download/v1.0/enable_eng.zip
Source code: https://github.com/evdenis/enable_eng
Support: Telegram
Kexec tools for Android
This module adds statically linked kexec binary to your system. Aarch64 only. Kexec is a system call that enables you to load and boot into another kernel from the currently running kernel. Your kernel should support kexec.
Download v1.0: https://github.com/evdenis/kexec/releases/download/v1.0/kexec.zip
Source code: https://github.com/evdenis/kexec
Support: Telegram
GDISK/Parted for Android
The module adds statically linked parted/sfdisk/fdisk/gdisk binaries to your system. Aarch64 only. These utils are standard Linux tools to edit the partition tables on disks.
Download v2.0: https://github.com/evdenis/disk/releases/download/v2.0/disk-v2.0.zip
Source code: https://github.com/evdenis/disk
Support: Telegram
Is also valid for One Plus 5 ?
tmviet said:
Is also valid for One Plus 5 ?
Hi, these magisk modules are device independent. Yes, you can use them on One Plus 5.
evdenis said:
Hi, these magisk modules are device independent. Yes, you can use them on One Plus 5.
Tks. A lot
Thanks @evdenis, this module is great! I haven't gotten the 100% desired behavior (getting adbd with actual root perms) because I'm running a 32-bit architecture (armeabi-v7a) and you've supplied only the 64-bit version of adbd, but I've been using your module to swap out 32-bit versions of different versions of adbd I have lying around (older devices). I'm a n00b when it comes to building adbd from scratch using the latest sources with your patch so I'm planning on using the adbd that came with the device and using a disassembler and a hexeditor to NOP out some calls, such as the call to minijail_enter() and see if I have any success. The original device version of adbd doesn't seem to have the functions in it that you built with the patch, but instead appears to use a bunch of minijail library functions. The device is a rooted android 8.1.0 OS, but it is only rooted systemlessly so many of the ro.* build properties affecting adb are changed well after the OS-essential portion boots rendering my efforts thus-far using the original adbd ineffective I'm guessing. I can now issue the "adb root" command from my machine, but adbd on the device is always being launched with the following command line arg "--root_seclabel=u:r:su:s0" and never gains root permissions by default (the behavior I'm trying to achieve). I can manually use "su" but this doesn't help me with push/pull requests to protected parts of the OS and chainfire's "ADB Insecure" patches adbd successfully, but I still don't get the root perms.
Do you know if the system is starting the process with reduced permissions (i.e. adbd will never be able to gain root access on its own no matter what I modify) and I should go a different route like modifying something else in the system rather than adbd? Again, I've already modified the ro.* properties affecting adbd so it does attempt to re-launch itself as root, it just doesn't end up getting the root perms. Manually launching adbd after killing it from within a shell on the device doesn't seem to affect the permissions it ultimately gets.
If you or anyone has any insight as to what I need to do so that adbd gains root permission, that would be much appreciated.
bpaxda said:
I'm planning on using the adbd that came with the device and using a disassembler and a hexeditor to NOP out some calls, such as the call to minijail_enter() and see if I have any success.
It was my initial attempt to gain "adb root" on samsung s10. And noping a couple of calls is not enough on the phone. adbd binary on your device could be compiled without "adb root" branch. This is the case on samsung s10. If "adb root" branch exists one need to force should_drop_privileges() function to return false (https://android.googlesource.com/platform/system/core/+/refs/heads/master/adb/daemon/main.cpp#65) in order to get into the "adb root" branch of code (https://android.googlesource.com/platform/system/core/+/refs/heads/master/adb/daemon/main.cpp#151).
bpaxda said:
ro.* build properties affecting adb are changed well after the OS-essential portion boots rendering my efforts thus-far using the original adbd ineffective I'm guessing.
You could try the enable_eng Magisk module (https://github.com/evdenis/enable_eng). The module changes ro.* props to engineering build props. Depending on the firmware this could help to get "adb root". However, there are no guarantees that the module will not softbrick your device. In case of a softbrick you will need to reboot to TWRP and delete the module; the instructions are in the README.md.
bpaxda said:
I can now issue the "adb root" command from my machine, but adbd on the device is always being launched with the following command line arg "--root_seclabel=u:r:su:s0" and never gains root permissions by default (the behavior I'm trying to achieve).
Try to disable SELinux either with the magisk module or with a script.
Thanks for your response.
I think you're right. Despite having adjusted the ro properties post-boot, there was nothing in ADB that would change the privileges as if it has been compiled out. By sheer luck, I managed to grab adbd from an identical device that had a recent forced firmware update, but the "improved adbd" actually let me get closer. The updated adbd had code changes to its adbd_main function so that it at least looks at the properties "ro.secure" and "service.adb.root" not to mention new calls to minijail_capbset_drop(), minijail_change_gid() and minijail_change_uid(). Using magisk to dynamically replace my original adbd binary with this updated one actually worked in getting adbd to start root shells without needing to invoke "su"!
However, it's a weird type of root that can't read certain files like /verity_key but I can see some things I should be able to see as root. I'm no SELinux expert, but my guess is that if everything is functioning correctly, I may be getting an SELinux "restricted" root. In this case, it might be the most I can expect from an SELinux enabled kernel launching adbd as root. Let me explain: since I'm using Magisk, post-boot systemlessly, (the system boots restricted and then I use the mtk_su exploit, to gain root and disable permissive SELinux mode), I'm getting permissive root on a session by session basis. I think the nature of this type of root means the kernel is probably still locked down and thus whatever daemon may be responsible for launching adbd remains locked down. Does this sound correct to you? If so, I can live with that
I'd love to get TWRP on this device, but I'm not sure it's possible since TWRP doesn't list my device as supported on their website nor can I get into fastboot mode (I didn't try that hard because I wanted to exhaust other options before flashing anything). Do you think enable_eng would work *after* the ACTION_BOOT_COMPLETE event is processed? I.e. my device is rooted after bootup by a script which runs the exploit, but it is well after the system is fully running and locked-down. Luckily Magisk has a utility to change ro properties, but some of those properties are not looked-at by the system this late in the boot stage. Do you think in this case "enable_eng" would work for me? Thanks again!
bpaxda said:
Let me explain: since I'm using Magisk, post-boot systemlessly, (the system boots restricted and then I use the mtk_su exploit, to gain root and disable permissive SELinux mode), I'm getting permissive root on a session by session basis.
I'm not sure that my modules will work with this rooting scenario. As far as I could understand, magisk by default replaces the init process, patches selinux policy before it is loaded and next, calls the original init binary. I don't think that it will be possible to alter selinux policy with different boot scenario for magisk.
bpaxda said:
Do you think enable_eng would work *after* the ACTION_BOOT_COMPLETE event is processed? I.e. my device is rooted after bootup by a script which runs the exploit, but it is well after the system is fully running and locked-down. Luckily Magisk has a utility to change ro properties, but some of those properties are not looked-at by the system this late in the boot stage. Do you think in this case "enable_eng" would work for me?
I'm not sure that enable_eng will work. The adbd daemon checks some properties such as ro.secure dynamically, but they could be cached after the boot. I don't know of a way to drop the cache and re-read these properties (altered with Magisk) after the boot. Here are the main properties the module changes: https://github.com/evdenis/enable_eng/blob/master/system.prop
Thanks for making this tool! I'm just wondering if I need to modify my adb to use the module - I run "adb root" normally and get "adbd cannot run as root in production builds" still
Anyone know why when i install SELinux Permissive version 2.0 of the module it still states version 1 in Magisk?
I flashed this in Magisk and rebooted. Now my phone is stuck in a boot loop. Any ideas? I'm using Sony Xperia XZ1 compact.
cheeklitched said:
I flashed this in Magisk and rebooted. Now my phone is stuck in a boot loop. Any ideas? I'm using Sony Xperia XZ1 compact.
If you have twrp installed just uninstall and reinstall magisk.
Otherwise,
Boot to bootloader and flash your boot.img file
Code:
fastboot flash boot boot.img
Then let phone boot. Reboot to bootloader again. Flash magisk_patched.img
Code:
fastboot flash boot magisk_patched.img
During startup, as soon as you get to the Google logo, hold the volume button down. This should start the phone in safe mode. See if it loads. If not, reboot phone, and execute this in terminal/command prompt:
Code:
adb wait-for-device shell magisk --remove-modules
This should allow the phone to start up all the way. Enable whatever modules you want. You may need to flash magisk_patched.img again.
This has fixed multiple problems for me. It's redundant, but it tends to work.
I installed the Magisk selinux script, but after installing it no longer shows in Magisk, so how do I disable/undo/uninstall the script? I installed a SELinux checker and it says it is on permissive, so the script must have installed, but I want to remove it. Is there an undo script, or can I manually delete the script in my root filesystem? THX
Hello guys
I used Redmi K20 pro with Eu rom 10.4, android 10.
I used the latest version of this module but my device was not found on the ADB system on my computer.
So what I do now? I tried to fix it but I cannot find anything about it.
Recently, setting SELinux to permissive is not advised. I had an issue with V4A setting my SELinux to permissive permanently, but editing the Magisk module to set SELinux to enforcing instead of permissive also works.
This is probs the only module that actually sets SElinux properly.
Here's the modded magisk module with the same credited creator, but just sets SElinux to Enforcing instead of permissive
OMFG I THINK THIS IS WHAT IVE BEEN LOOKING FOR. TEH HOLY GRAILLLLL OMGOMGOMG THANK YOU THANK YOU THANK YOUUUUU
Will ADB Root work for Android 8.1?
evdenis said:
These modules are not meant for everyday use. They are intended for debugging and modification of a firmware. They significantly lower security of your device while active and even could softbrick it. You've been warned.
ADB Root
Magisk Module that allows you to run "adb root". adb root is not an ordinary root (su), it's adbd daemon running on your phone with root rights. adb root allows you to "adb push/pull" to system directories and run such commands as "adb remount" or "adb disable-verify".
Download v1.0: https://github.com/evdenis/adb_root/releases/download/v1.0/adb_root.zip
Source code: https://github.com/evdenis/adb_root
Support: Telegram
SELinux Permissive
This module switches SELinux to permissive mode during boot process. This module intentionally lowers security settings of your phone. Please don't use it if there is a better solution to your problem, e.g., magiskpolicy. The module will not work if your kernel is compiled with always enforcing config, e.g., stock samsung kernels. It's not possible to enable permissive mode on such kernels.
Download v2.0: https://github.com/evdenis/selinux_permissive/releases/download/v2.0/selinux_permissive_v2.0.zip
Source code: https://github.com/evdenis/selinux_permissive
Support: Telegram
Enable Eng
This Magisk Module enables engineering build props. It allows you to activate debugging parts of a firmware. Please, disable Magisk Hide for this module. If you don't know what you are doing, don't use this module. It can easily softbrick your device.
Troubleshooting
If your device doesn't boot then you need to reboot to TWRP recovery and
Code:
$ adb shell rm -fr /data/adb/modules/enable_eng
If ADB doesn't work that means adbd in your firmware is built without ALLOW_ADBD_ROOT. You can fix adb autostart either by installing "ADB Root" magisk module or by disabling this module.
Download v1.0: https://github.com/evdenis/enable_eng/releases/download/v1.0/enable_eng.zip
Source code: https://github.com/evdenis/enable_eng
Support: Telegram
Kexec tools for Android
This module adds statically linked kexec binary to your system. Aarch64 only. Kexec is a system call that enables you to load and boot into another kernel from the currently running kernel. Your kernel should support kexec.
Download v1.0: https://github.com/evdenis/kexec/releases/download/v1.0/kexec.zip
Source code: https://github.com/evdenis/kexec
Support: Telegram
GDISK/Parted for Android
The module adds statically linked parted/sfdisk/fdisk/gdisk binaries to your system. Aarch64 only. These utils are standard linux tools to edit the partitions tables on disks.
Download v2.0: https://github.com/evdenis/disk/releases/download/v2.0/disk-v2.0.zip
Source code: https://github.com/evdenis/disk
Support: Telegram
how can i make permissive enforcing because in 2022 i heard that's a BIG security risk and my custom ROM (havoc os) is selinux permissive
Hey all,
Android 7.1.1, Magisk 20.4 (on Stable update channel), Magisk Manager is hidden (as "Manager", tried "MM" as well) and the updated Sony app was added to Magisk Hide list.
Data & Cache were cleared for the app as well.
https://play.google.com/store/apps/details?id=com.playstation.remoteplay
But on launch, it crashes with error 88001003, which seems to indicate root detection.
The previous version 3.0 has worked flawlessly on the same system with same settings.
Does anyone know a workaround, could the app now be checking the system for root-compatible apps and block from there ?
Any way to find out how the app detects root?
Any feedback is very welcome.
Full Manager obfuscation capabilities aren't available on Android versions lower than 9. Could be what's causing your issues...
For what it's worth I can start the app just fine on my Android 9 OP3T with Canary build 21004 and hidden Canary Manager 310.
Try uninstalling the Manager and see if that makes a difference.
Log Cat info :
Code:
[10-15 14:29:26.760 4218:4218 D/PRCNT_#RecentsModel#]
#createTaskStack# :: task=PS Remote Play, isTopRunningTask=false, isVisible=false, isLocked=false, isKnoxTask=false, isHideThumbnail=false, isLongLive=false
Didgeridoohan said:
Try uninstalling the Manager and see if that makes a difference.
Sadly no difference (and deleted app's data + cache of course). Would you have any other ideas?
Spartacus500 said:
Log Cat info :
Code:
[10-15 14:29:26.760 4218:4218 D/PRCNT_#RecentsModel#]
#createTaskStack# :: task=PS Remote Play, isTopRunningTask=false, isVisible=false, isLocked=false, isKnoxTask=false, isHideThumbnail=false, isLongLive=false
Thanks but I'm not sure how it's supposed to help?
Ps24u said:
Sadly no difference (and deleted app's data + cache of course). Would you have any other ideas?
Many things may trigger detection, not only Magisk:
https://www.didgeridoohan.com/magisk/MagiskHide#hn_Hiding_root_from_apps
Thanks Didgeridoohan, after many hours I found 2 culprits that triggered root detection on my system.
For the Sony Remote Play app mentioned in this thread: SELinux set to permissive was the culprit.
After disabling the Magisk module for SElinux, the app runs normally, no crash, all good.
But it's pretty annoying having to reboot to enable/disable SELinux just to run this app.
Would you know if there's a way to either toggle SElinux in realtime while the os is running or to have the Sony app always believe SElinux is set to enforcing ?
For the second app, it was dumb, it looked for "twrp" folder on internal storage. After I renamed the folder, the app launches and runs perfectly.
But again it's far from ideal to do it manually all the time. So for this case also, is there a way to hide the "twrp" folder from this app, either via magisk module, script or otherwise?
Thanks a lot for your tips and awesome site, probably the best resource for all things Magisk. :bow:
Ps24u said:
Would you know if there's a way to either toggle SElinux in realtime while the os is running or to have the Sony app always believe SElinux is set to enforcing ?
That's just a simple terminal command (which is exactly what the module uses and runs at boot). You can run that whenever and it'll change selinux to the state you want on the fly, no need for a reboot.
Permissive:
Code:
setenforce 0
Enforcing:
Code:
setenforce 1
Needs to be run as su, of course (you could add "su -c" in front of the command to make it easy).
You could either set up a script with an app like Tasker or use an app that's made for toggling selinux (if you look around there should be a few available).
Ps24u said:
For the second app, it was dumb, it looked for "twrp" folder on internal storage. After I renamed the folder, the app launches and runs perfectly.
But again it's far from ideal to do it manually all the time. So for this case also, is there a way to hide the "twrp" folder from this app, either via magisk module, script or otherwise?
To hide the TWRP directory you could use an isolation app to stop the app from detecting what you have on your device. When it comes to the internal storage, Storage isolation is the most powerful.
Another option could be to set up a Tasker task (or similar) that renames the folder and then launches the app. Another Tasker profile could then keep track of when the app is running and rename the folder again once it's closed. Or it might be more reliable to run a task manually when you're done with the app. I'm just mentioning this to show some options. It's nowhere near as elegant as using an isolation app...
Ps24u said:
Thanks a lot for your tips and awesome site, probably the best resource for all things Magisk. :bow:
No worries, I'm glad you found it useful and could get things figured out.
Didgeridoohan said:
That's just a simple terminal command (which is exactly what the module uses and runs at boot). You can run that whenever and it'll change selinux to the state you want on the fly, no need for a reboot.
Permissive:
Code:
setenforce 0
Enforcing:
Code:
setenforce 1
Needs to be run as su, of course (you could add "su -c" in front of the command to make it easy).
You could either set up a script with an app like Tasker or use an app that's made for toggling selinux (if you look around there should be a few available).
That strangely doesn't do the trick. If SElinux is set to permissive at boot via Magisk module, toggling to Enforcing afterwards doesn't allow the app to launch (crashes with same error 88001003, even after deleting data+cache).
It seems the app somehow knows if SElinux was set to permissive on boot and doesn't care if SElinux is switched to Enforcing afterwards.
Due to how my setup works I need Permissive at boot (mount cifs folders) so I'm in pinch.
I use selinux_permissive_v2.zip on Magisk 20.4.
I also tried to set SElinux to permissive via a script in /data/adb/service.d
Code:
#!/system/bin/sh
setenforce 0
But same results, toggling to Enforcing afterwards doesn't allow the app to launch.
I tried toggling with "su -c setenforce 1" in Termux, and with SELinux Toggler.
However, If the phone boots with Enforcing, and then I toggle to Permissive after boot and then back to Enforcing, the app launches without issues, strange!
There is a mystery going on here...
Didgeridoohan said:
To hide the TWRP directory you could use an isolation app to stop the app from detecting what you have on your device. When it comes to the internal storage, Storage isolation is the most powerful.
That worked straight away, awesome!
On my Samsung Galaxy S7 edge Custom Pie 9.0 Rom NFE root Magisk, this application does not work, keeps saying "something went wrong", I changed the twrp folder to aaaTWRPaaa but still the application won't work. I also changed selinux mode changer to permissive, but after this change also doesn't work, my antivirus screams selinux permissive is dangerous. Any ideas ?
Spartacus500 said:
On my Samsung Galaxy S7 edge Custom Pie 9.0 Rom NFE root Magisk, this application does not work, keeps saying "something went wrong", I changed the twrp folder to aaaTWRPaaa but still the application won't work. I also changed selinux mode changer to permissive, but after this change also doesn't work, my antivirus screams selinux permissive is dangerous. Any ideas ?
From my testing, PS Remote Play doesn't care about TWRP folder.
Spartacus, for now try to boot with SElinux to Enforced, and clear data/cache for the app.
I hope Didgeridoohan can help solve the SElinux permissive at boot mystery.
Ps24u said:
I hope Didgeridoohan can help solve the SElinux permissive at boot mystery.
Not really... I've no idea why the app would behave like that.
But I have a thought: how do you set up your cifs folders mounting? With a script? If so, could you temporarily set SELinux permissive only during that time? If you're lucky, it might be that's enough... I have no idea how cifs folder mounting works, so I'm just throwing ideas aimed at your head.
Ps24u said:
From my testing, PS Remote Play doesn't care about TWRP folder.
Spartacus, for now try to boot with SElinux to Enforced, and clear data/cache for the app.
I hope Didgeridoohan can help solve the SElinux permissive at boot mystery.
I did as you said, deleted the TWRP folder from internal storage, also deleted the Titanium backup folder, no result, Selinux I have enforcing, the application still shows an error on startup
I also have a question, is your audit error the same as mine? Maybe there is a bug here
audit (error)
Code:
type=1400 audit(1603135249.830:2343): avc: denied { read } for pid=7381 comm="zCloudWorkerThr" name="enforce" dev="selinuxfs" ino=4 scontext=u:r:untrusted_app:s0:c212,c259,c512,c768 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1 SEPF_SM-N935F_9_0001 audit_filtered
Code:
type=1400 audit(1603135249.830:2344): avc: denied { open } for pid=7381 comm="zCloudWorkerThr" path="/sys/fs/selinux/enforce" dev="selinuxfs" ino=4 scontext=u:r:untrusted_app:s0:c212,c259,c512,c768 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1 SEPF_SM-N935F_9_0001 audit_filtered
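An added example, not part of any post in this thread: a small Python parser for AVC audit lines like the two quoted above. It reports which process touched the selinuxfs `enforce` node and whether the denial was actually enforced (`permissive=0`) or only logged while the access went through (`permissive=1`). The third sample line and all function names are constructed for illustration.

```python
import re

# First two lines are the denials quoted in the post above; the third is a
# constructed enforcing-mode record added for contrast.
SAMPLE_LOG = """\
type=1400 audit(1603135249.830:2343): avc: denied { read } for pid=7381 comm="zCloudWorkerThr" name="enforce" dev="selinuxfs" ino=4 scontext=u:r:untrusted_app:s0:c212,c259,c512,c768 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1 SEPF_SM-N935F_9_0001 audit_filtered
type=1400 audit(1603135249.830:2344): avc: denied { open } for pid=7381 comm="zCloudWorkerThr" path="/sys/fs/selinux/enforce" dev="selinuxfs" ino=4 scontext=u:r:untrusted_app:s0:c212,c259,c512,c768 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1 SEPF_SM-N935F_9_0001 audit_filtered
type=1400 audit(1603135300.100:2401): avc: denied { read } for pid=9001 comm="example.app" name="enforce" dev="selinuxfs" ino=4 scontext=u:r:untrusted_app:s0:c10,c256,c512,c768 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    for key, val in KV_RE.findall(m.group(3)):
        rec[key] = val.strip('"')
    return rec

def is_enforce_probe(rec):
    """True when the target is the 'enforce' node on selinuxfs."""
    target = rec.get("path") or rec.get("name") or ""
    return rec.get("dev") == "selinuxfs" and target.rsplit("/", 1)[-1] == "enforce"

def summarize(log_text):
    """Group enforce-node probes by (pid, comm, source domain)."""
    out = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or not is_enforce_probe(rec):
            continue
        domain = rec["scontext"].split(":")[2]
        key = (int(rec["pid"]), rec["comm"], domain)
        entry = out.setdefault(key, {"perms": set(), "blocked": True})
        entry["perms"].update(rec["perms"])
        # permissive=1 means the kernel only logged the denial; the access succeeded.
        if rec.get("permissive") == "1" or rec["result"] == "granted":
            entry["blocked"] = False
    return out

if __name__ == "__main__":
    for (pid, comm, domain), e in summarize(SAMPLE_LOG).items():
        state = "blocked" if e["blocked"] else "logged only, access allowed"
        print(f"pid={pid} comm={comm} domain={domain} perms={sorted(e['perms'])} -> {state}")
```

To run it on a real device log, pass the text of a saved `logcat` or `dmesg` capture to `summarize()` instead of `SAMPLE_LOG`.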
Didgeridoohan said:
Not really... I've no idea why the app would behave like that.
But I have a thought: how do you set up your cifs folders mounting? With a script? If so, could you temporarily set SELinux permissive only during that time? If you're lucky, it might be that's enough... I have no idea how cifs folder mounting works, so I'm just throwing ideas aimed at your head.
In the context of Cifs, I need SELinux permissive during actual use, not only during the mounting phase, so it cannot be done unfortunately.
Spartacus500 said:
I did as you said, deleted the TWRP folder from internal storage, also deleted the Titanium backup folder, no result, Selinux I have enforcing, the application still shows an error on startup
I also have a question, is your audit error the same as mine? Maybe there is a bug here
audit (error)
I'm not sure what / how to "audit" ?
I'm back again, Samsung Galaxy S7 edge Custom Pie 9.0 Rom. Selinux enforcing, PS Remote Play 4.0.0 keeps crashing, I uninstalled Magisk root and PS Remote Play 4.0.0 app works fine on my S7, I reload Magisk root via TWRP and PS Remote Play 4.0.0 shows error again ...
You've added PS Remote Play to the "Magisk Hide" list already, right ?
If not, add it, then clear data/cache or Uninstall and reinstall the app but don't launch it, and reboot.
Ps24u said:
You've added PS Remote Play to the "Magisk Hide" list already, right ?
If not, add it, then clear data/cache or Uninstall and reinstall the app but don't launch it, and reboot.
Of course, right after installing Magisk I hid hide root for PS Remote Play 4.0.0 and also changed the name of Magisk manager to something else, cleaning the memory for this application does not help either, every time I open the application it says "something went wrong" and error code ... All I need to do is remove the Magisk root and the app works. I'm using Magisk 20400, tested 21000 and Canary 21005 version and on neither of these versions this app shows the same error
Sorry I can't help more. I'm on Magisk 20.4 and M.Manager 7.5.1, also on Android 7.1.1 official Sony rom.
I performed the test, removed the Magisk root, PS Remote Play 4.0.0 works, when I install only Magisk manager, then PS REMOTE PLAY 4.0.0 detects Magisk and shows an error, after removing Magisk manager, PS Remote Play 4.0.0 works again, but it's enough that I will upload root Magisk, hide root hide, remove Magisk manager then PS Remote Play 4.0.0 shows error ...
I've got the same issue, anyone find a workaround?
Same here. This app worked in the past, now it doesn't open. I don't know why Sony now doesn't let us use it because of root. It thinks that we will hack something. But if Sony continues to do this and **** the past generation with last updates I will leave consoles for a while.
I'm using Android 8.1