Lost root after Cache wipe, and forever lost device certification - Magisk

I have a Nexus 6 stock and would like to share my recent experience with the community about what happened to me yesterday.
I installed Magisk 16.7 at the beginning of August and finally I was able to hide all apps from root, including Android Pay which said I was allowed to pay contactless. Hooray!!!
Yesterday something odd happened. I had troubles with my battery stats so -long story short- I chose to wipe the cache from stock recovery.
Upon reboot, Magisk lost root. I had a copy of the Magisk zip file handy so I booted TWRP and flashed the zip. Did not work.
So I spent my entire evening applying OTA N8I11F then flashing either Magisk zip or the patched boot image, but without success. Magisk was never enabled.
Only after wiping cache, reflashing OTA, deleting /data/su.img via TWRP, deleting the entire Magisk app with its settings and reflashing the patched boot image I was able to get Magisk to work again.
I am sure I didn't "dirt" the OS by running the steps above in their order in Flight Safe mode.
But now it looks like my phone is like doomed forever. Despite I applied MagiskHide to all apps except the ones I want to be root-enabled, Play Store reports my device as "not certified".
Android Pay does not start, demanding an update to Google Pay. But Pay is now incompatible with my device and won't download. (I think Google Pay is an upgrade to the Android Pay app)
At the moment I can still find Netflix, since Netflix won't appear on rooted devices for listing.
Today I was looking into SafetyNet and my attention was caught by:
Device Status Value of "ctsProfileMatch" Value of "basicIntegrity" Certified, genuine device that passes CTS true true Certified device with unlocked bootloader false true Genuine but uncertified device, such as when the manufacturer doesn't apply for certification false true Device with custom ROM (not rooted) false true Emulator false false No device (protocol emulator script) false false Signs of system integrity compromise, such as rooting false false Signs of other active attacks, such as API hooking false false
Click to expand...
Click to collapse
I don't know if this existed before and if Magisk Hide can hide the bootloader status to Play apps.
I am confused. Has something changed very recently? SafetyNet test reports failure despite it reported success in the past.
Anyone found this happening too? Any ideas on how to restore Pay?

Have you tried wiping data of pay, play store and play services?
Also, I think there's a magisk module for editing build props so eventually that could be used or modified for unlock status - yet that's just a speculation by me...
Gesendet von meinem Moto G (5) Plus mit Tapatalk

For Certifying The Device & Pass The SafetyNet, Check This Thread https://forum.xda-developers.com/apps/magisk/qa-want-to-install-modules-magisk-v13-3-t3800435.

gothicVI said:
Have you tried wiping data of pay, play store and play services?
Click to expand...
Click to collapse
Luck that worked. I didn't delete play services' data as I was afraid it would have deleted my accounts and SMSes.
Device is now certified. Android Pay does not demand me any update, asks me for adding cards.
Google Pay still unsupported. Not a problem.
Okay, problem solved.
Fiuuuuuuuuuuuuuuuuu

I have a similar problem too when I root from magisk The phone said me "Data partition corrupted" and I choose reset button but I was aiming root without data loss but my root hadn't gone to anywhere but my phone was unable to pass safetynet after a long time I tried to delete cache to accelerate my phone but when I opened my phone I got error messages from my root apps and when I tried to open magisk it stucks in magisk logo.I still can't pass safetynet too :crying:

igalhan said:
I have a similar problem too when I root from magisk The phone said me "Data partition corrupted" and I choose reset button
Click to expand...
Click to collapse
From what you are saying your problem seems to be with dm-verity/dm-verify, which MUST be disabled on devices that enforce it. In my experience with a Samsung phone I always got my system reset until I explicitly disabled dm-verify in the boot image. I didn't have to disable mandatory encryption, which is one of the security features I like the most in Android OS.
Regards.

djechelon said:
From what you are saying your problem seems to be with dm-verity/dm-verify, which MUST be disabled on devices that enforce it. In my experience with a Samsung phone I always got my system reset until I explicitly disabled dm-verify in the boot image. I didn't have to disable mandatory encryption, which is one of the security features I like the most in Android OS.
Regards.
Click to expand...
Click to collapse
Ok but I reseted my phone and it fixed could it be about forced encryption
---------- Post added at 05:16 PM ---------- Previous post was at 05:15 PM ----------
djechelon said:
From what you are saying your problem seems to be with dm-verity/dm-verify, which MUST be disabled on devices that enforce it. In my experience with a Samsung phone I always got my system reset until I explicitly disabled dm-verify in the boot image. I didn't have to disable mandatory encryption, which is one of the security features I like the most in Android OS.
Regards.
Click to expand...
Click to collapse
I didn't installed twrp it's from odin

Related

Samsung Pay and Magisk

Has anyone gotten Samsung Pay to work with Magisk? I've got it installed as a gear plugin and safetynet passes. However, somehow Samsung Pay still detects root, even though it's hidden in magisk hide.
Same. Then this droidx program protecting pay app
Sent from my SM-N910V using XDA-Developers Legacy app
Try the universal safteynet net module
Is your Knox tripped? Samsung Pay might check that independently of the root-status of your phone.
grymkmb said:
Is your Knox tripped? Samsung Pay might check that independently of the root-status of your phone.
Click to expand...
Click to collapse
I'm on an LG
I've got the same issue with galaxy tab 3
I got warranty bit warning was showing on the boot screen, so I'm pretty sure I triggered Knox. The reason I was using magisk was to prevent this issue, but I guess Google figured out how to detect its presence. I downloaded a fresh copy of the firmware, which will cause Knox to reset but it also factory resets the tablet. I will still use magisk on my new s8+ phone. I hope magisk will work more effectively to where I can use exposed and its modules. After jellybean, magisk wasn't able to allow exposed to be used because of the way Android sets up its environment to execute apps. Hopefully soon a work around will be accomplished especially since Oreo is coming to my two devices by the end of the year, I guess if not sooner.
Same problem here; Magisk works but Samsung pay won't work
Even tried freezing magisk. Though still no go must be detecting something.
hkbladelawhk said:
Has anyone gotten Samsung Pay to work with Magisk? I've got it installed as a gear plugin and safetynet passes. However, somehow Samsung Pay still detects root, even though it's hidden in magisk hide.
Click to expand...
Click to collapse
I tried the same thing but couldn't make it work. I think it is due to the fact that the "System Status" is custom (or modified) since magisk modifies the "boot" partition, and that you probably installed a custom recovery to install magisk. That's why OTA also don't work without first flashing back the original boot and recovery images. I don't have an LG to verify that the "System Status" appears on those.
If it does, what could be tried is to install xposed and a module that fakes the system status (if you've got marshmallow or before)
sevenday4 said:
I got warranty bit warning was showing on the boot screen, so I'm pretty sure I triggered Knox. The reason I was using magisk was to prevent this issue, but I guess Google figured out how to detect its presence. I downloaded a fresh copy of the firmware, which will cause Knox to reset but it also factory resets the tablet. I will still use magisk on my new s8+ phone. I hope magisk will work more effectively to where I can use exposed and its modules. After jellybean, magisk wasn't able to allow exposed to be used because of the way Android sets up its environment to execute apps. Hopefully soon a work around will be accomplished especially since Oreo is coming to my two devices by the end of the year, I guess if not sooner.
Click to expand...
Click to collapse
Sorry, once knox is tripped there is no going back. However, installing Magisk fools the phone into thinking knox is still untriggerred (0x0). By reflashing the original firmware, what you did is restore the "boot" partition that was modified by magisk. By doing that, your phone should get back its "official status", allowing OTA. However, Knox will stay tripped. Anyway, Knox does little... and is only used by samsung softwares.
There is nothing that we can do about it because Samsung Pay checks the tripped status on kernel level so it's impossible.
Iradj said:
There is nothing that we can do about it because Samsung Pay checks the tripped status on kernel level so it's impossible.
Click to expand...
Click to collapse
Booo!
someone please made an apps that can hide or fake the Knox status.
Iradj said:
There is nothing that we can do about it because Samsung Pay checks the tripped status on kernel level so it's impossible.
Click to expand...
Click to collapse
This is possible by disabling safetynet check at boot level before compiling the kernel
Iradj said:
There is nothing that we can do about it because Samsung Pay checks the tripped status on kernel level so it's impossible.
Click to expand...
Click to collapse
Does this apply for non-Samsung phones? I understand that Knox has a tripped flag, but on a non-Samsung phone, what exactly is "tripped"? As with everyone else, I'm pretty frustrated that I still can't use Samsung pay, even on a phone that passes safety checks and has MagiskHide.
gghose said:
Does this apply for non-Samsung phones? I understand that Knox has a tripped flag, but on a non-Samsung phone, what exactly is "tripped"? As with everyone else, I'm pretty frustrated that I still can't use Samsung pay, even on a phone that passes safety checks and has MagiskHide.
Click to expand...
Click to collapse
Works for me on a Samsung phone, after hide I just had to rename all busybox exe's.
Doesn't work for me on a OnePlus 3T, OOS 4.1.7, rooted with Magisk 14.0. This stopped working after the Samsung Pay (Gear version) was updated right around August 21st. Maybe I'm just missing one or more binaries or apps that still must be hidden. I don't have any busybox apps installed, though I previously did, and I removed the busybox binaries where I knew to find them. Maybe it's detecting Magisk's su install, or some other binary I still need to remove. SafetyNet passes just fine, and I can use AndroidPay and CapitalOneWallet on the phone, but I can't use the SPay tab in the Gear app without getting the "rooted phone" message.
Magisk hide 14
Hi Yeti47: I have a samsung galaxy s8 sm-g950f. It is rooted wit renovate ice and magisk 14. What modules I have to check in magisk hide to make samsung pay working? Please answer me in [email protected]. Thank you so much. Bye.
Finally solved it. Busybox can be installed in /data/local, apart from /system/xbin or /system/bin. Samsung Pay will find it there. After I removed it, I was able to get Samsung Pay (Gear Version) working again on my OnePlus 3T.
Spot on fella, just got it working on OP5 with lineage ROM.
dcbii said:
Finally solved it. Busybox can be installed in /data/local, apart from /system/xbin or /system/bin. Samsung Pay will find it there. After I removed it, I was able to get Samsung Pay (Gear Version) working again on my OnePlus 3T.
Click to expand...
Click to collapse
Root explorer won't let me remove it from xbin. How exactly did you do it?
Sent from my iPad using Tapatalk

Getting Safety Net to Pass Again After Uninstalling Xposed?

After installing Xposed I realized its current functionality isn't what it used to be so I uninstalled it to restore the ability to pass Safety Net, and it fails both the ctsProfile and basicIntegrity checks. What do I need to do to fix that?
I have Magisk 14.3 installed on a ZTE Axon 2017U, Android 7.1.1, if any of that is relevant.
Cyrus D. said:
After installing Xposed I realized its current functionality isn't what it used to be so I uninstalled it to restore the ability to pass Safety Net, and it fails both the ctsProfile and basicIntegrity checks. What do I need to do to fix that?
I have Magisk 14.3 installed on a ZTE Axon 2017U, Android 7.1.1, if any of that is relevant.
Click to expand...
Click to collapse
You shouldn't have to do anything else - I just tested, and just unchecking Xposed in my Magisk modules list and rebooting was all it took to get SafetyNet completely passing again. No other mods or alterations to /system that might have made it angry?
Xposed triggers SafetyNet, period. There's a Xposed module to pass the CTS profile check but you can't fully pass SafetyNet with Xposed active.
Jaitsu said:
You shouldn't have to do anything else - I just tested, and just unchecking Xposed in my Magisk modules list and rebooting was all it took to get SafetyNet completely passing again. No other mods or alterations to /system that might have made it angry?
Click to expand...
Click to collapse
I didn't have it installed as a module, I had it installed separately. I have it uninstalled now. I don't know what else I could have done to cause Safety Net's check to fail.
Didgeridoohan said:
Xposed triggers SafetyNet, period. There's a Xposed module to pass the CTS profile check but you can't fully pass SafetyNet with Xposed active.
Click to expand...
Click to collapse
I have it uninstalled completely. Any ideas what residual changes could cause this issue?
Cyrus D. said:
I didn't have it installed as a module, I had it installed separately. I have it uninstalled now. I don't know what else I could have done to cause Safety Net's check to fail.
I have it uninstalled completely. Any ideas what residual changes could cause this issue?
Click to expand...
Click to collapse
Ah... I didn't first understand you had uninstalled it in an attempt to pass SN.
Try a dirty flash of your ROM/factory image/firmware package.
Don't forget to uninstall the Xposed installer.
Just want to update that I got it working by running the uninstaller again from TWRP. Apparently the in-app "recovery" uninstallation didn't work properly despite reporting it did.
Edit: I just realized that Netflix was not updating because of it detecting Safety Net checks failed. That company is disgusting. It's locked to 720p outside of systems that have newer DRM, meaning on a PC you have to use Microsoft Edge, nothing else will work. And even then you can't get over 1080p unless it's attached to a certified DRM machine/qualified TV, and has a latest generation Intel chip for more built-in hardware DRM. I wish I was making this up, and I wish I knew that before I was paying for a "4K" account.
Cyrus D. said:
Just want to update that I got it working by running the uninstaller again from TWRP. Apparently the in-app "recovery" uninstallation didn't work properly despite reporting it did.
Edit: I just realized that Netflix was not updating because of it detecting Safety Net checks failed. That company is disgusting. It's locked to 720p outside of systems that have newer DRM, meaning on a PC you have to use Microsoft Edge, nothing else will work. And even then you can't get over 1080p unless it's attached to a certified DRM machine/qualified TV, and has a latest generation Intel chip for more built-in hardware DRM. I wish I was making this up, and I wish I knew that before I was paying for a "4K" account.
Click to expand...
Click to collapse
So actually you mean there was no SafetyNet pass after installing with Xposed uninstaller? Did you eventually fixed it? I guess it's a matter of deleting a few leftover files. Can you point out which files you've deleted (if any) and their storage path1? However, I think you can check these out by looking into the actual Xposed framework zip...
Sent from my Z2 Play using XDA Labs
The Analog Kid said:
So actually you mean there was no SafetyNet pass after installing with Xposed uninstaller? Did you eventually fixed it? I guess it's a matter of deleting a few leftover files. Can you point out which files you've deleted (if any) and their storage path1? However, I think you can check these out by looking into the actual Xposed framework zip...
Sent from my Z2 Play using XDA Labs
Click to expand...
Click to collapse
I actually don't remember much of anything, I switched to a Galaxy S9+ a long time ago and haven't looked back. I thought it'd be intolerable being on a locked device, but so far most functionality seems to work. With ADB commands most things more or less work, such as Greenify. Too bad I can't uninstall all the bloatware (using ADB commands to uninstall them just result in them being reinstalled on reboot).
This is kind of unfortunate for me because now I plan on sticking with Samsung devices, which are usually insanely priced and I have a real beef with Samsung. I got mine on a special promotion for getting $50 contract instead of a $40 one, + $25/m for 24 months for the phone. So $600 for the phone and an extra $120 which I wouldn't have paid otherwise (in Canadian dollars) but I do get some useful functionality out of it so whatever.

Apps refuse to start because phone being rooted but it isn't!

At least 2 of my Apps refuse to start. One is my banking app and they do not offer any other way of interaction.
The problem is that the phone in fact is not rooted! It's just "OEM unlocked" to be prepared for root (which I need for E.g. titanium backup, but only maybe once a month).
Please give me a way out of this vicious circle!
I cannot remove the OEM unlock because it requires full wipe every time. Or is there a way?
Or what can I possibly tell the App Provider to improved their Code so that Oneplus phone state is being recognized (more) correctly?
Any help would be greatly appreciated.
Use Magisk I guess? Use it to hide root from that app.
Reeb_Lam said:
Use Magisk I guess? Use it to hide root from that app.
Click to expand...
Click to collapse
In fact I already flashed an official image and still (with no zip installed via TWRP) I'm getting refusals from these apps.
So for sure some apps decide from something else then simply an installed "root" manager or the installed "su" binaries.
What else could they decide from? "OEM unlock" was my first guess (and it would also be the worst, because as far as I know it can't be "hidden" temporarily, or can it?), but maybe there are other settings. Does anybody know more?
ako673de said:
In fact I already flashed an official image and still (with no zip installed via TWRP) I'm getting refusals from these apps.
So for sure some apps decide from something else then simply an installed "root" manager or the installed "su" binaries.
What else could they decide from? "OEM unlock" was my first guess (and it would also be the worst, because as far as I know it can't be "hidden" temporarily, or can it?), but maybe there are other settings. Does anybody know more?
Click to expand...
Click to collapse
You need to do some reading about Safetynet. If you're OEM unlocked you fail Verified Boot checks. Most custom Kernels include a bypass for this. Magisk alone should also work. I think you missed one important step:
Open Play Store Settings. Scroll down. It says 'Uncertified' at the bottom, right? Now install and set up Magisk. Go to system App Settings and clear Data and Cache for Play Store. Return to the Play Store Settings and scroll down. Now it should say 'Certified'. It might not be immediate, but it will happen. Now your Banking Apps work.
If you don't want, or have no luck with Magisk, simply flash a Custom Kernel that bypasses Verified Boot, and works with OOS.
Simple.
Thank you. That was for sure a major part of the overall issue. Unfortunately it didn't yet fix it. I'm now certified in play store and magisk succeeds with both safety net checks (which however it also did before). And root is disabled in magisk. dm-verity does not show the warning during Boot and the Check itself should be disabled (I followed the recommendation in another Thread to Patch the Boot Image).
Anything else you can imagine?
ako673de said:
Thank you. That was for sure a major part of the overall issue. Unfortunately it didn't yet fix it. I'm now certified in play store and magisk succeeds with both safety net checks (which however it also did before). And root is disabled in magisk. dm-verity does not show the warning during Boot and the Check itself should be disabled (I followed the recommendation in another Thread to Patch the Boot Image).
Anything else you can imagine?
Click to expand...
Click to collapse
Link to other Thread?
I don't know Magisk but are you hiding Root from your Banking App? Have you cleared Data and Cache for the Banking App since getting Certified?
First my phone did not Boot any more after installing superSU. Fixed that by patching Boot.img (to disable dm-verity) according to this thread: https://forum.xda-developers.com/oneplus-3t/how-to/disable-dm-verity-force-encryption-op3t-t3688748
Now data and cache of all (now) 3 affected Apps has been cleared and Magisk is configured to be hidden for them, but still no change.
However, in Magisk there is the "extended" option "AVB 2.0/keep dm-verity", which is unticked. I'm not sure, should I try to set it?
Any other idea?
ako673de said:
Any other idea?
Click to expand...
Click to collapse
Nope. If Play Store says Certified you should be good to go. I can only imagine it's a Magisk issue. Post screenshots of your config and let the Magisk experts pick through them. Maybe there's something not set up correctly.
ako673de said:
First my phone did not Boot any more after installing superSU. Fixed that by patching Boot.img (to disable dm-verity) according to this thread: https://forum.xda-developers.com/oneplus-3t/how-to/disable-dm-verity-force-encryption-op3t-t3688748
Now data and cache of all (now) 3 affected Apps has been cleared and Magisk is configured to be hidden for them, but still no change.
However, in Magisk there is the "extended" option "AVB 2.0/keep dm-verity", which is unticked. I'm not sure, should I try to set it?
Any other idea?
Click to expand...
Click to collapse
Hide Magisk Manager. I had to do that to get my banking app to work.
Edit: you may need to reboot after hiding Magisk Manager and clear you banking app's data before it works.
Sent from my OnePlus3T using XDA Labs
Thank you, indeed that WORKED! Well, at least for 2 out of 3 Apps. I think I can tell which one: "HVB banking". Maybe could somebody cross-check this one on his/her phone?
After firmware update to OOS 5.0.5 I now have the problem that my PlayStore can no longer be convinced in any way to show that it's certified. But interestingly my banking Apps work (currently really no root app installed). I even waited for one day because earlier in this thread somebody mentioned that it might take awhile. Is there anything special I need to care about under the new OS version?
ako673de said:
After firmware update to OOS 5.0.5 I now have the problem that my PlayStore can no longer be convinced in any way to show that it's certified. But interestingly my banking Apps work (currently really no root app installed). I even waited for one day because earlier in this thread somebody mentioned that it might take awhile. Is there anything special I need to care about under the new OS version?
Click to expand...
Click to collapse
Did you reflash custom kernel after update?
I'm not using any. What I did right after the update is to disable dm-verity (with a patched boot.img), like I did last time. But magisk is not yet re-installed because I wanted to see at least once the HypoVereinsbank App working, which it in fact does (different to last time when the phone was not rooted as well, and the store not certified!).
ako673de said:
But magisk is not yet re-installed
Click to expand...
Click to collapse
That's why... You can't pass the ctsProfile check if your bootloader is unlocked, and if you can't pass the ctsProfile check the Play Store won't be certified. You need Magisk for that...
Now I'm getting confused. The initial mail of this thread explains the situation as it was when I opened this thread:
--> Original ROM, no root, and banking apps didn't work <--
The advice to clear data of the PlayStore immediately brought the PlayStore back to "certified".
This is clearly in contrast to what you're saying now.
I can imagine only one reason: Maybe the older PlayStore had a bug and therefore was able to "certify" even with unlocked bootloader?
Sidenote: My main intention to do the firmware upgrade was that the "safety net checks" in Magisk suddenly stopped working one day (with the error message "invalid response", most probably you know what I'm talking about, I've read some comments from you on this issue). Therefore it's maybe really not too unlikely that Google has changed something very basic. Could you please confirm?
Edit: Now magisk is back, version 16.7, and in fact PlayStore is back to "certified" AND now even the HypoVereinsbank App works. Just one thing remains: magisk safety net check still says "invalid response" (after it downloaded some "FOSS" code, which it didn't do last time, when it was still working).
ako673de said:
Edit: Now magisk is back, version 16.7, and in fact PlayStore is back to "certified" AND now even the HypoVereinsbank App works. Just one thing remains: magisk safety net check still says "invalid response" (after it downloaded some "FOSS" code, which it didn't do last time, when it was still working).
Click to expand...
Click to collapse
https://www.didgeridoohan.com/magisk/MagiskHide#hn_The_response_is_invalid
Sorry, now comes a probably often asked question: do I need the safetynet check option in magisk for something real? Or do the alternative apps fulfill all possible needs? What are these needs? Isn't that exactly what the PlayStore does to determine "certified"?
After quite some months of absolutely no "root" problems with any of my apps, since today o2banking again doesn't work.
I tried to update Magisk, but after update of the Magisk manager app to v7.1.1(203) it reports that Magisk is not installed at all, and any update of Magisk itself resulted in just the same. So I reverted back to v6.1.0(165) and everything seems to be okay, except that o2banking doesn't work. SafetyNet is clean, Magisk is hidden for o2banking and Magisk manager is repacked.
Does anybody know what the problem might be? Especially with that new version of the manager app, but also with Magisk v19.0 which cannot be installed from v6.1.0 (max. is v18.1). Any ideas welcome! I'm now on OOS 5.0.8 by the way.
SOLVED it myself: As mentioned somewhere in the update FAQ of Magisk there was a bug in manager v6.1.0 that causes the updated v7.1.1 to co-exist with the old version if the old version has been re-packed. If anybody encounters the same problem, the solution is at the bottom of this page: https://www.didgeridoohan.com/magisk/ManagerIssues.
o2banking will then still not work. Update to v19.0 is mandatory. But that is no problem then any more...
probably your banking app identified oxygen os as custom rom and have root. 1 out of 3 banking app in my phone doesn't work with lineageos even though i already hide magisk, but when running oxygen os with magisk hide, and also hide magisk manager (turn it on in magisk manager setting) all 3 banking app work just fine. maybe try sending a message to bank app developer to add oxygen os as exception.
Did you notice my edit? It was a problem with magisk manager update and magisk main version. Now everything is back up and running.

Play Store Protect Certification

After unlocking bootloader and flashing Magisk-patched boot.img, says "device is not certified". Would this cause any trouble in the future or even now? I can download apps so seems like it's nothing to worry about, just wanna make sure.
That's a standard message that comes up on any Android phone starting since Marshmellow I think? But no that screen is nothing to be concerned about, just showing that your bootloader has been unlocked.
ColdFyre33 said:
After unlocking bootloader and flashing Magisk-patched boot.img, says "device is not certified". Would this cause any trouble in the future or even now? I can download apps so seems like it's nothing to worry about, just wanna make sure.
Click to expand...
Click to collapse
Not much to worry about but if you wipe data and cache on pstore then reboot, it will usually certify
As previously already stated, just force close and delete app data + cache from the play store app, reboot, and it should show as certified (only if safetyNet previously already passes of course!). Keep in mind that after rooting, you need to enable the HideProps module in Magisk to force basic attestation by emulating an older device (e. g. a Pixel 3a). Otherwise safetyNet will fail and your device won't certify.

Can't get Android 12 + Magisk + SafetyNet, no matter what... All the guides seem outdated

So I'm trying to get Android 12 working with root and SafetyNet passing. I found that all the guides to be wrong or outdated. Problem with the latest Magisk canary is that it does not support MagiskHide. Problem with the latest stable Magisk (v23) is that it doesn't support Android 12. Here are the combinations I've tried:
Canary Magisk APK, Canary Magisk boot image, with Universal SafetyNet Fix v2.2.1 (Zygisk)
Result: No way to test if safety net passes within Magisk, but it doesn't seem to work.
Canary Magisk APK, Stable Magisk v23 boot image, with Universal SafetyNet Fix v2.1.3 (Riru)
Result: Does not work. MagiskHide automatically turns off after every reboot, probably because the canary boot image does not support it.
Stable Magisk v23 APK, Stable Magisk v23 boot image
Result: Device fails to boot. fast food indicates in an invalid signature. presumably happening because stable magisk v23 does not support Android 12.
Based on these test results these are my assumptions:
1. There is no way to run Magisk 23 on Android 12, and this article and its screenshot are fake:
https://www.droidwin.com/how-to-roo...k-on-android-12/#STEP_6_Boot_to_Fastboot_Mode
and this also does not work: https://krispitech.com/how-to-pass-safetynet-on-rooted-android-12/
OR
It was possible and Android 12 September 5th patch level but somehow not the latest December build?
There is no advantage to running mismatched Magisk APK and boot image versions
Both the Zygisk and Riru versions of the SafetyNet Fix do not work on the latest Android 12 builds.
The new DenyList system does nothing in allowing a SafetyNet bypass.
The ONLY working method That can possibly bypass safety net on Android 12 is using either of these 2 Magisk forks:
Custom Magisk by TheHitMan7 (Can’t find download link)
Alpha Magisk by vvb2060 (Can’t find download link)
Are these assumptions correct? Can someone please correct my misunderstandings?
You need Universal Safetynet Fix v2.2.0 or v2.2.1 which was just released 10 days ago.
To be honest, I haven't tried v2.2.1 yet, but I would imagine it will work. I'm on v2.2.0 right now.
Get it from here: https://github.com/kdrag0n/safetynet-fix
I have been using Magisk Canary 23016, USNF 2.2.0, and MagiskHide Props Config 6.1.2 on my Pixel 5 running the December Android 12 release. SafetyNet passes, GPay works.
I have DenyList blocking both GPay and Google Play Store..
Either you have something configured wrong, or you're having a unique issue. Others have been able to pass SafetyNet using a similar configuration.
No, Magisk Stable does not currently support Android 12. You MUST use Canary 23016; none of the previous builds properly handle the vbmeta flags in the boot image header.
I'm using the latest magisk canary, USNF 2.2.1 and no magisk hide props and am passing. I have Zygisk enabled, but that's about it. Install was flawless. Followed V0latyle's thread on going from A11 to A12 when the canary update dropped.
Thank you everyone, I got it working the way you said! I was super close.
-----------------------------------
V0latyle said:
I have been using Magisk Canary 23016, USNF 2.2.0, and MagiskHide Props Config 6.1.2 on my Pixel 5 running the December Android 12 release. SafetyNet passes, GPay works.
I have DenyList blocking both GPay and Google Play Store..
Either you have something configured wrong, or you're having a unique issue. Others have been able to pass SafetyNet using a similar configuration.
No, Magisk Stable does not currently support Android 12. You MUST use Canary 23016; none of the previous builds properly handle the vbmeta flags in the boot image header.
Click to expand...
Click to collapse
I only blocked play services with deny list and it worked.
One of the guides told me to flash stock vbmeta (idk what this is), and this bricked it until I re-flashed the ROM. But I guess that's not needed anymore.
flyoffacliff said:
Thank you everyone, I got it working the way you said! I was super close.
-----------------------------------
I only blocked play services with deny list and it worked.
One of the guides told me to flash stock vbmeta (idk what this is), and this bricked it until I re-flashed the ROM. But I guess that's not needed anymore.
Click to expand...
Click to collapse
Which guide?
V0latyle said:
Which guide?
Click to expand...
Click to collapse
How to Root Pixel Devices via Magisk on Android 12
In this comprehensive tutorial, we will show you detailed steps to root your Pixel device via Magisk running Android 12.
www.droidwin.com
On step 7. It says it's not necessary for some reason on newer devices but pixel 5 and older still require it. What does flashing this file actually do? Like what's the file made of?
flyoffacliff said:
How to Root Pixel Devices via Magisk on Android 12
In this comprehensive tutorial, we will show you detailed steps to root your Pixel device via Magisk running Android 12.
www.droidwin.com
On step 7. It says it's not necessary for some reason on newer devices but pixel 5 and older still require it. What does flashing this file actually do? Like what's the file made of?
Click to expand...
Click to collapse
Nothing needs to be done with vbmeta as long as you're using Magisk 23016.
I'll try to explain what it is and what it does as simply as I can but there isn't really a simple explanation...
Some components of Android system security, such as Verified Boot, incorporate a means by which the data being loaded from critical partitions is checked in real time as it is loaded. This is called "device-mapper verity". The raw data itself is read at the block device level and used to create a hash; this hash is then compared to a reference hash to determine the data has not been modified. The partition that contains this reference hash is vbmeta.
When the Android 12 beta was first released, Magisk had not yet been updated to properly handle Android 12 boot image headers. Verified Boot is disabled for the most part when the bootloader is unlocked; however some elements still remain to ensure you're booting a proper device boot image. Magisk did not preserve necessary information in the boot headers, so the device wouldn't boot; we would get a message in bootloader stating failed to load/verify boot images
We figured out a workaround for this: disable dm-verity and vbmeta verification altogether. This was done by flashing the vbmeta partition with those two options:
Code:
flash vbmeta vbmeta.img --disable-verity --disable-verification
The problem with this is it has some sort of safety interlock that prevents system from loading if verity/verification are disabled and /data isn't clean. So, rooting required wiping data. You probably discovered this during your "brick": you got a screen reading Cannot load Android system. Your data may be corrupt.
We also discovered that the vbmeta workaround had to be performed every time vbmeta was flashed - meaning no OTA updates, because if vbmeta was flashed without the disable options, we wouldn't be able to boot a patched boot image, and even if we re-disabled verity/verification, the device still wouldn't boot unless data was clean. The only way to update AND reroot AND keep data was to ensure that verity and verification were disabled every time the device was updated.
Fortunately, Magisk 23016 fixed all of this. We don't have to mess with vbmeta anymore. Magisk properly preserves the flags in the boot header, meaning that AVB recognizes it as a legitimate boot image, and the device is happy.
has anyone able to pass safety CTSprofile ?
Basic integrity is pass but CTSprofile Check isnt passed...
anybody able to pass in A12 (OnePlus Nord)
tried all effort but dint work, even Universal SafetyNet Fix v2.2.1 (Zygisk) isnt working..
its makes Basic Integrity Fail after Flash ( Universal SafetyNet Fix v2.2.1 (Zygisk).
I roll back to A11 then sadly....
shhahidxda said:
has anyone able to pass safety CTSprofile ?
Basic integrity is pass but CTSprofile Check isnt passed...
anybody able to pass in A12 (OnePlus Nord)
tried all effort but dint work, even Universal SafetyNet Fix v2.2.1 (Zygisk) isnt working..
its makes Basic Integrity Fail after Flash ( Universal SafetyNet Fix v2.2.1 (Zygisk).
I roll back to A11 then sadly....
Click to expand...
Click to collapse
You're doing something wrong. Don't overlook anything. I'm on Android 12.1 and pass safety net, Google pay works, Netflix works.
Have you configured the deny list in magisk?? If not do that then. I'd start fresh, don't connect to anything on first start. Hide everything about those Google apps. Then add your accounts etc etc. This is what worked for me no problem
thatsupnow said:
You're doing something wrong. Don't overlook anything. I'm on Android 12.1 and pass safety net, Google pay works, Netflix works.
Have you configured the deny list in magisk?? If not do that then. I'd start fresh, don't connect to anything on first start. Hide everything about those Google apps. Then add your accounts etc etc. This is what worked for me no problem
Click to expand...
Click to collapse
I would like to know, how you are able to pass? I mean It is passed using Universal safetynet fix by Kdragon?
or without fix?
as you mention in your screenshot that you have put all google services in denylist,
I've already done that..
anything else ? you done it? can you show screenshot of your safetynet pass??
shhahidxda said:
I would like to know, how you are able to pass? I mean It is passed using Universal safetynet fix by Kdragon?
or without fix?
as you mention in your screenshot that you have put all google services in denylist,
I've already done that..
anything else ? you done it? can you show screenshot of your safetynet pass??
Click to expand...
Click to collapse
I'm using the latest safetynet fix v2.2.1 Kdragon
thatsupnow said:
I'm using the latest safetynet fix v2.2.1 Kdragon
Click to expand...
Click to collapse
Yes, you are able to pass both .. but i am having issue with OnePlus Nord A12..
On A11 i was able to pass without Universal fix..
but as I applied OTA of A12...
I lose safetynet pass.
let me know do you have any workaround?
I've applied Universal fix by Kdragon.. but before flashing Universal fix of Zygisk I was able to pass Basic Integrity but as soon as I flash Kdragon Universal fix of Zygisk both CTS profile & Basic Integrity gets failed... !!!!
I am still looking for solution to fix this issue..!! if you have any work around.. let me know.. I will do my best.. may be i need to modify device fingerprints with Security patch.? what you say?
shhahidxda said:
Yes, you are able to pass both .. but i am having issue with OnePlus Nord A12..
On A11 i was able to pass without Universal
I've applied Universal fix by Kdragon.. but before flashing Universal fix of Zygisk I was able to pass Basic Integrity but as soon as I flash Kdragon Universal fix of Zygisk both CTS profile & Basic Integrity gets failed... !!!!
Click to expand...
Click to collapse
shhahidxda said:
Yes, you are able to pass both .. but i am having issue with OnePlus Nord A12..
On A11 i was able to pass without Universal fix..
but as I applied OTA of A12...
I lose safetynet pass.
let me know do you have any workaround?
I've applied Universal fix by Kdragon.. but before flashing Universal fix of Zygisk I was able to pass Basic Integrity but as soon as I flash Kdragon Universal fix of Zygisk both CTS profile & Basic Integrity gets failed... !!!!
I am still looking for solution to fix this issue..!! if you have any work around.. let me know.. I will do my best.. may be i need to modify device fingerprints with Security patch.? what you say?
Click to expand...
Click to collapse
You do realise that your posting on the pixel 5 forum right?? I'd maybe go checkout what they are doing on the OnePlus side of the tracks
thatsupnow said:
You do realise that your posting on the pixel 5 forum right?? I'd maybe go checkout what they are doing on the OnePlus side of the tracks
Click to expand...
Click to collapse
Yes, I knew i am posting in Pixel 5 and this topic isnt mention on Oneplus section..
I am looking for a solution of this issue.. but nobody has mention it till now.
Android 12.1 + Magisk 25.1 + Zygisk + Google Play services on enforced Denylist > Works charmingly
Note 1: Enforce Denylist for all the Google Play services modules on Magisk.
Note 2: After reboot, clear data of Google Play services and Play Store to make a fresh start.
pseudokawaii said:
Android 12.1 + Magisk 25.1 + Zygisk + Google Play services on enforced Denylist > Works charmingly
Note 1: Enforce Denylist for all the Google Play services modules on Magisk.
Note 2: After reboot, clear data of Google Play services and Play Store to make a fresh start.
Click to expand...
Click to collapse
I have the same running on a Galaxy S10, but every time I put Google Play Services on the enforce Denylist and reboot it no longer shows there. I'm trying to be able to use my banking app, it worked charmingly on magisk 24 but not anymore. Any advice?
El3ssar said:
I have the same running on a Galaxy S10, but every time I put Google Play Services on the enforce Denylist and reboot it no longer shows there. I'm trying to be able to use my banking app, it worked charmingly on magisk 24 but not anymore. Any advice?
Click to expand...
Click to collapse
What do you mean by "it no longer shows there"? Does the Google Play services disappear after putting on denylist? Did you enable the "Enforce Denylist" option? Did you do a retest of SafetyNet after reboot?
El3ssar said:
I have the same running on a Galaxy S10, but every time I put Google Play Services on the enforce Denylist and reboot it no longer shows there. I'm trying to be able to use my banking app, it worked charmingly on magisk 24 but not anymore. Any advice?
Click to expand...
Click to collapse
Yea and it won't stick I've tried that too. You don't need to add Google Play services to the deny list anyway
thatsupnow said:
Yea and it won't stick I've tried that too. You don't need to add Google Play services to the deny list anyway
Click to expand...
Click to collapse
If you're using Universal Safetynet Fix, Play Services is blocked out of the box. I had the same thing happen in one of the newer releases and thought it was an issue. It isn't. Play Services is blocked even though it doesn't show it.

Categories

Resources