Introduction
Fix UNCERTIFIED status in Play Store for OP2/OP3/Note4 and maybe more.
Uncertified status may lead to some restrictions on specific apps (saying Netflix). It is not only judged by SafetyNet status but also some build props in your ROM. So this module does NOT may or may not help you to pass SafetyNet.
More specifically, to pass SafetyNet, if you are on a custom ROM/Kernel,
a patch in your kernel like this is REQUIRED (maybe optional because of MagiskHide?)
If you are on stock ROM or other ROMs that enabled dm-verity, never touch system part.
SELinux is always enforcing
Installation
Search for "Play Store Visa" in Magisk Manager or download at Github.
Support for New Devices
This module made it by injecting proper build fingerprint properties per device, most commonly ro.build.fingerprint. So device support is highly dependent on a working build fingerprint from a certified stock ROM. You can test and find a combination by your own and add to service.sh accordingly.
I used to find those fingerprints hard to search around. Although one fingerprint may work for all devices of a kind, but people barely shares it. Pull requests are very welcomed so we may help one another!
Define: a working fingerprint
For the time being, I test the prop edits working by:
clean data of Play Store
reboot for the module to apply (or invoke resetprop through adb)
open and check certification status in settings. (may have some delay)
search for Netflix in Play Store.
If you can see Netflix in search results after wiping store's data, then your props edits are good to go!
Enjoy
Q&A
Q:
Only for OP2/OP3/note4? Not support for other device?
A:
To support other device, we need the value of `ro.build.fingerprint` from a stock ROM. I don't own other devices so I may not have chance to extract it. Contributions are welcomed, and I may search for other useful ones in the future..
Q:
What's the difference between this module and this one?
A:
We both solved part of the problem, see my explanation below. I'm happy to contribution my parts, if necessary, to prevent reinventing the wheels.
XDA:DevDB Information
Play Store Visa, App for all devices (see above for details)
Contributors
ttimasdf
Source Code: https://github.com/Magisk-Modules-Repo/playstore_certification_bypass
Version Information
Status: Beta
Created 2018-03-26
Last Updated 2018-03-31
Only for OP2/OP3/note4?
Not support for other device?
What's the difference between this module and this one?
ttimasdf said:
More specifically, to pass SafetyNet, if you are on a custom ROM/Kernel,
a patch in your kernel like this is REQUIRED
If you are on stock ROM or other ROMs that enabled dm-verity, never touch system part.
SELinux is always enforcing
Click to expand...
Click to collapse
That patch you're talking about is unnecessary if you use Magisk. MagiskHide already changes ro.boot.verifiedbootstate to "green".
MagiskHide also hides a permissive SELinux, so keeping it enforcing isn't necessary to pass SafetyNet if you use Magisk. Although keeping SELinux enforcing is highly advisable...
I'm also curious as to what observations you've made about SafetyNet and a certified Play Store. From my own (very light) research I've found that it relies on SafetyNet. Not directly, but the CTS profile matching part. From the link to Google support in the OP:
If your device is uncertified, Google doesn’t have a record of the Android compatibility test results.
Click to expand...
Click to collapse
If your device hasn't passed the Android compatibility test, it won't be reported as certified in the Play Store, and it won't pass SafetyNet. On the other hand, if you pass SafetyNet, your device has passed the compatibility test, and then it'll also be certified in the Play Store.
Would love the hear your findings if you're up to sharing.
---------- Post added at 13:27 ---------- Previous post was at 13:25 ----------
abacate123 said:
What's the difference between this module and this one?
Click to expand...
Click to collapse
Quite similar in that we both change the device fingerprint. We go about it a bit different, and mine has a couple of other features as well.
My play store don't have "Device certification" tab :'(
zerlkung said:
My play store don't have "Device certification" tab :'(
Click to expand...
Click to collapse
Can you find and install Netflix? If so, your device is certified. If not, it's uncertified.
Was this created in response to Google blocking GApps on uncertified devices/roms? If so then that is great, I didn't expect a solution to come out so fast.
That being said, based on current reports it would not be hard to create a universal "coyote mode" by getting the existing ro.build.fingerprint and then modifying the build date portion so that it is before March 2018. Said mode would not make the device certified if it wasn't already but would allow GApps to run normally thus the term "coyote mode" (a coyote is a person who smuggles other people across the border).
nl3142 said:
Was this created in response to Google blocking GApps on uncertified devices/roms? If so then that is great, I didn't expect a solution to come out so fast.
Click to expand...
Click to collapse
Google is not blocking gapps for custom roms. At least not yet.
In fact, you can actually register an uncertified device using a custom rom (it says android id, but it'll accept the imei number) here: https://www.google.com/android/uncertified/
abacate123 said:
Google is not blocking gapps for custom roms. At least not yet.
In fact, you can actually register an uncertified device using a custom rom (it says android id, but it'll accept the imei number) here: https://www.google.com/android/uncertified/
Click to expand...
Click to collapse
Though since the Android ID is regenerated after either every factory reset (pre-Oreo) or even every boot (Oreo) it will be pretty easy to run into the 100 Android ID limit.
nl3142 said:
Though since the Android ID is regenerated after either every factory reset (pre-Oreo) or even every boot (Oreo) it will be pretty easy to run into the 100 Android ID limit.
Click to expand...
Click to collapse
IMEI fellow...
abacate123 said:
IMEI fellow...
Click to expand...
Click to collapse
Which wifi only devices like tablets don't have, so obviously that isn't going to work.
Cbk | Unknown said:
Only for OP2/OP3/note4?
Not support for other device?
Click to expand...
Click to collapse
As said above, to support other device, we need the value of `ro.build.fingerprint` from a stock ROM.
I don't own other devices so I may not have chance to extract it. So we only need some contributions
abacate123 said:
What's the difference between this module and this one?
Click to expand...
Click to collapse
Oh, I know that module but didn't read it's doc until you mentioned. In a word, the same solution for different questions.
My problems is, my ctsProfile is True for my phone but I cannot get Netflix from the store. But after some props edit it just works so I published my solution. Maybe I could make a PR into it
Didgeridoohan said:
That patch you're talking about is unnecessary if you use Magisk. MagiskHide already changes ro.boot.verifiedbootstate to "green".
MagiskHide also hides a permissive SELinux, so keeping it enforcing isn't necessary to pass SafetyNet if you use Magisk. Although keeping SELinux enforcing is highly advisable...
I'm also curious as to what observations you've made about SafetyNet and a certified Play Store. From my own (very light) research I've found that it relies on SafetyNet. Not directly, but the CTS profile matching part. From the link to Google support in the OP:
If your device hasn't passed the Android compatibility test, it won't be reported as certified in the Play Store, and it won't pass SafetyNet. On the other hand, if you pass SafetyNet, your device has passed the compatibility test, and then it'll also be certified in the Play Store.
Would love the hear your findings if you're up to sharing.
---------- Post added at 13:27 ---------- Previous post was at 13:25 ----------
Quite similar in that we both change the device fingerprint. We go about it a bit different, and mine has a couple of other features as well.
Click to expand...
Click to collapse
Your project goes a lot further than mine but I didn't notice it as a key to my problem :silly:
From my finding, SafetyNet ctsProfile seems to rely solely on ro.build.fingerprint and the "certified" status does the same. The rom I used on Note4 patched the fingerprint and passed SafetyNet from the very beginning.
But Play Store seems to have more verifications on other build props, in my case, ro.build.version.release, ro.build.version.incremental to match the ones in fingerprint. The patch I used for OP3 did not patched them (for I have no time to inspect) so I passed SN, get certified, but still cannot search for Netflix. I don't know it's a more strict policy enforced by Netflix or Google but it makes the certification imperfect. Maybe we shall look into this together
ttimasdf said:
Oh, I know that module but didn't read it's doc until you mentioned. In a word, the same solution for different questions.
My problems is, my ctsProfile is True for my phone but I cannot get Netflix from the store. But after some props edit it just works so I published my solution. Maybe I could make a PR into it
Your project goes a lot further than mine but I didn't notice it as a key to my problem :silly:
From my finding, SafetyNet ctsProfile seems to rely solely on ro.build.fingerprint and the "certified" status does the same. The rom I used on Note4 patched the fingerprint and passed SafetyNet from the very beginning.
But Play Store seems to have more verifications on other build props, in my case, ro.build.version.release, ro.build.version.incremental to match the ones in fingerprint. The patch I used for OP3 did not patched them (for I have no time to inspect) so I passed SN, get certified, but still cannot search for Netflix. I don't know it's a more strict policy enforced by Netflix or Google but it makes the certification imperfect. Maybe we shall look into this together
Click to expand...
Click to collapse
Hm... I'm wondering. From what I've tested and seen reported, all that is needed is to pass SafetyNet for your device to be certified. On that we're on the same page though.
I've also seen reported (and experienced) that even after getting your device certified in the Play Store, it can take several reboots and/or up to a whole day before the apps that rely on the certification status (Netflix, etc) to show up/install. Could it be that you were simply experiencing a delay when you couldn't install Netflix? It's possible that any other props are part of the new Gapps blocking on uncertified devices, but somehow I don't think so... I will do more research and report back.
And as a side note, about the CTS profile test:
Changing the device fingerprint is only one part of making a device pass. That causes the devices to be recognised as a certified device with trusted software, even if the manufacturer hasn't certified the device or if you've installed a custom ROM (both would normally cause ctsProfile to be false). It will also report false if your bootloader is unlocked or if you've rooted your device, but both of these will be taken care of by MagiskHide. Xposed will of course also cause issues, but for the ctsProfile check this can actually be fooled by the No Device Check Xposed module. It'll still cause a basic integrity failure though, and be detected in other ways.
I'll be back...
Didgeridoohan said:
Hm... I'm wondering. From what I've tested and seen reported, all that is needed is to pass SafetyNet for your device to be certified. On that we're on the same page though.
I've also seen reported (and experienced) that even after getting your device certified in the Play Store, it can take several reboots and/or up to a whole day before the apps that rely on the certification status (Netflix, etc) to show up/install. Could it be that you were simply experiencing a delay when you couldn't install Netflix? It's possible that any other props are part of the new Gapps blocking on uncertified devices, but somehow I don't think so... I will do more research and report back.
And as a side note, about the CTS profile test:
Changing the device fingerprint is only one part of making a device pass. That causes the devices to be recognised as a certified device with trusted software, even if the manufacturer hasn't certified the device or if you've installed a custom ROM (both would normally cause ctsProfile to be false). It will also report false if your bootloader is unlocked or if you've rooted your device, but both of these will be taken care of by MagiskHide. Xposed will of course also cause issues, but for the ctsProfile check this can actually be fooled by the No Device Check Xposed module. It'll still cause a basic integrity failure though, and be detected in other ways.
I'll be back...
Click to expand...
Click to collapse
Thanks for the hint. I do a few tests today. My module seems to be broken today but after added Play Store and `com.google.android.gsf` to MagiskHide list it works again.
And most interestingly, the fingerprint for my Note4 from the ROM seems to be blacklisted by Google.
I wiped data, disabled module, reboot. Device become uncertified and even cannot pass `basic integrity`. wipe-enable-reboot become certified and able to download again.
It's a cat and mouse game after all:angel:
Also I tested for the "delay" you mentioned. After a wiped reboot, tested 2 out of 3 times the Netflix shows in result. However, whether it can start download still depends on the certification status. If uncertified, download will say error after some time. With module enabled, the download succeeded normally. So Netflix is the most timely and accurate way to speak if your device is certified.
For I have not yet used any apps that check SafetyNet status at runtime, maybe I'll check it later.
Profound Thanks For You. Your Module Was Useful To Make A Specified One For My Phone. :good:
After installing this module, I get force close popup in most Google and non Google apps. FYI, I also have Youtube Vanced installed via Magisk module. I uninstalled the module but I still get the same popups. Also, the device remains certified. Is there any way to actually undo everything? From what I can understand, my device should remain uncertified for everything to work.
GeorgePr said:
After installing this module, I get force close popup in most Google and non Google apps. FYI, I also have Youtube Vanced installed via Magisk module. I uninstalled the module but I still get the same popups. Also, the device remains certified. Is there any way to actually undo everything? From what I can understand, my device should remain uncertified for everything to work.
Click to expand...
Click to collapse
This module merely changed some build props, if and only if your device is supported. Theoretically it should not mess other things around. Check your logcat if there's anything worth notice and clear app data if necessary
ttimasdf said:
As said above, to support other device, we need the value of `ro.build.fingerprint` from a stock ROM.
I don't own other devices so I may not have chance to extract it. So we only need some contributions
Click to expand...
Click to collapse
I made a screenshot from my Pixel 8.1 stock - april security patch
Maybe can help for pixel support :good:
Sent from my Google Pixel using XDA Labs
It is working on my Nexus 7 2013 WiFi tablet. Running Flo classic asop 8.1 r28 May 2018 version with Ground Zero Gapps. Did the clear data (clear cache alone didn't work) rebooted and open Playstore, my apps updates and installed tabs show zero item. A few hours later, check again and I get a Certified in Playstore settings.
Thank you, good job! :good:
Also trying on OnePlus One running AEX 8.1 v5.5. currently updates and installed tabs are also zero item. Going to let it be and see if it will populate over time. Under Playstore version build number, nothing under. Before installing Visa module, it say uncertified.
Library tabs on both show my history of apps.
Hello,
today my phone suddenly wrote to me that it is no longer possible to use google pay.
Phone Pixel 5. Stock firmware.
Google pay reports that the device is certified.
I use magical canary 23001. I have the safetynet fix module installed.
Google pay does not work. And magisk reports an error when verifying the safetynet.
Any help please?
Just to say that the same occurred to me on a Oneplus 8 pro: Google Pay says the phone is not safe and Safetynet fails with basicintegrity (-), ctsProfile (-) and evaltype = basic. The cause seems to have been a Google Pay update two days ago (or, more probably, Google Play Services or the like, since I had disabled Google Pay updates). I have universal safetynet fix and magiskhide props config installed. If anyone could help, I'd appreciate. Let me know if I have to post more information. Thanks
UPDATE - A guy on Reddit says he fixed it by uninstalling EdXposed. Actually, I had that module and removed it and now I seem to pass the safetynet test, although Google Pay still has some issues (I will try cleaning data and cache, and possibly do the same to Google Play Services, I am also trying to put Google Services Framework under Magiskhide...). He says LSPosed (instead of EdXposed) should be fine, which it apparently is.
andrearesti said:
UPDATE - A guy on Reddit says he fixed it by uninstalling EdXposed. Actually, I had that module and removed it and now I seem to pass the safetynet test, although Google Pay still has some issues (I will try cleaning data and cache, and possibly do the same to Google Play Services, I am also trying to put Google Services Framework under Magiskhide...). He says LSPosed (instead of EdXposed) should be fine, which it apparently is.
Click to expand...
Click to collapse
Thanks for this update. Was having the same issue on my OP6T. I had already eyed at switching to a different Xposed clone since this keeps occuring every few weeks. Maybe now is a good time as ever.
Great. Thanks you so much.
Hello,
my Oneplus 7+ is running stock Android 11. Magisk has been installed and since a month ago everything was working fine (even DKB TAN2go and other banking apps). Last month an update for Comdirects Photo TAN was released and it stopped working. Luckily I was not the only one to encounter it and the description from @ralphabt here solved the issue for me.
Since this morning Google Pay stopped working (of couse I only noticed when I tried to pay and had my wallet nearby). SafetyNet fails (basic and cts). If I disabled the modules that I installed for the PhotoTan fix, SafetyNet is working again.
I found the MagiskHide Props Config, which I don't have a problem installing and testing, but I was wondering if there anything else I can try before fixing an issues that is caused by a solution for another issue.
Thanks a lot!
If SafetyNet now triggers from the Riru/EdXposed stuff you'll likely have to wait for an update to those modules (or try the latest beta/alpha/canary releases). Or try LSPosed instead (seems like more people have success with that). It's a cat and mouse game...
Im still waiting for anyone to give me a valid reason to use Xposed of any sort....
I pulled it out recently after jettisoning Xposed back in Marshmallow days, and was completely unsurprised that in my attempts to avoid root detection when i was having bank app issues it just broke things harder
Your biggest issue is getting SafetyNet pass...
Getting Google Pay and banking apps is another level...
My current setup for working bank apps (my bank at least) and working Samsung Pay & Google Pay is, should you wish to have a crack:
Magisk Alpha - here (second most recent at time of posting) or here for latest:
Riru - here
Riru-Momohider - my own mod of that module attached to my post here (where i just added creation of the 4 optional config options to the installations script, to avoid manual jiggery pokery, touching 4 files in a terminal every ROM flash didnt seem like a fun thing after the 3 ROMS i tested that week i started using Riru-Momohider)
Im talking those are the only modules i use. Even a simple font replacement module will give up a system modification to most root detection apps. So no fonts, no emojis swapping, no fiddly shizz. Keep it simple.
You can get an idea of what may be setting things off via Magisk Detector here, or VD Infos here (apologies to Didge, as mentioning that may be a trigger )
And i now get to tell you that this only currently works on 2 ROM's for my device, all the others cough up the existence of root through modifications made by devs to build.prop etc
So even in the best circumstances, and with all the right magisk and riru modules, the ROM youre using can still betray you.
Isnt that fun?
Worth pointing out (so frequently am i pointing this out these days im thinking of removing the link to my GPay Magisk Module from my sig) that for like 6 months now its been unnecessary for a lot of people to
a) Use the Google Pay db fix originally sussed out by @BostonDan, or my Magisk Module that does the same thing
and
b) Enable MagiskHide for Google Pay...
Actually getting SafetyNet is rather easy - if I remove EdXposed and XPrivacyLua it is working again and Google Pay as well. I only installed (my only reason) it, as it was required to get that banking app running.
I am using different banking apps and it the past the one from german DKB was rather difficult, but with newest Magisk (23) and Magisk Hide it is working.
Hey, I did things like:
-Applied Magisk Hide
-Selected all in Push TAN
-Applied package rename of Magisk
And s push tan still detects fcking root/ magisk.
The only way it works is to freeze the magisk app with another app. But this solution is trashy and I dont want to every time freeze magisk if I need s push tan.
Are there some fixes? Or even APK edits which I can install?
#****ThoseBankingApps
You can rebuild the stub as described/discussed in this github issue:
https://github.com/topjohnwu/Magisk/issues/1084
Didgeridoohan said:
You can rebuild the stub as described/discussed in this github issue:
https://github.com/topjohnwu/Magisk/issues/1084
Click to expand...
Click to collapse
fck off dude. Where its "described" in your eyes? There is nothing usefull and not even links BRUH
Suakey said:
fck off dude. Where its "described" in your eyes? There is nothing usefull and not even links BRUH
Click to expand...
Click to collapse
It is, but you might have to scroll back quite a few posts (it'll be from August or September, IIRC).
And please be mindful of your language. I'll let it slip this one time, but before posting anything further I suggest you take a look at the forum rules.
Hello again. A small update with some background info I didn't have time to add earlier...
The reason it's almost impossible to hide the Magisk app, even with it repackaged with a random name, is Android's poor privacy. Up until now, any app could query any other app on your device... Now that should change though. From August 2021 all new apps and from November 2021 all app updates in the Play Store will be forced to target API 30 (Android 11). This means that they're forced to conform to new privacy changes that make it so that they no longer can query other apps on your device.
In other words: the real solution is to wait until S-Push TAN gets its next update or so and it should no longer be able to detect the Magisk app.
Didgeridoohan said:
Hello again. A small update with some background info I didn't have time to add earlier...
The reason it's almost impossible to hide the Magisk app, even with it repackaged with a random name, is Android's poor privacy. Up until now, any app could query any other app on your device... Now that should change though. From August 2021 all new apps and from November 2021 all app updates in the Play Store will be forced to target API 30 (Android 11). This means that they're forced to conform to new privacy changes that make it so that they no longer can query other apps on your device.
In other words: the real solution is to wait until S-Push TAN gets its next update or so and it should no longer be able to detect the Magisk app.
Click to expand...
Click to collapse
Thanks for this information.
But how can it be that the devs of Magisk cant block those requests of other apps? I mean then "magisk HIDE" is completely nonsene in my eyes.
Suakey said:
Thanks for this information.
But how can it be that the devs of Magisk cant block those requests of other apps? I mean then "magisk HIDE" is completely nonsene in my eyes.
Click to expand...
Click to collapse
MagiskHide (and from now on Deny) hides what Magisk (the actual service, not the app) changes. Because of the above mentioned privacy limitations in Android up until Android 10 it has been practically impossible to fully hide the app without Xposed style modules (of which there are a couple that also can do the job). Since Magisk isn't Xposed (or at least hasn't been up until now when Zygisk now is live) it's been impossible for Magisk to do this by itself. And now there's no longer any need once the A11 updates for the apps on the Play store goes live (hopefully).
Didgeridoohan said:
MagiskHide (and from now on Deny) hides what Magisk (the actual service, not the app) changes. Because of the above mentioned privacy limitations in Android up until Android 10 it has been practically impossible to fully hide the app without Xposed style modules (of which there are a couple that also can do the job). Since Magisk isn't Xposed (or at least hasn't been up until now when Zygisk now is live) it's been impossible for Magisk to do this by itself. And now there's no longer any need once the A11 updates for the apps on the Play store goes live (hopefully).
Click to expand...
Click to collapse
So that means actually that I have zero chance because im on Android 10? XD...
I am able to get my phone to pass safety net (checking with YASNAC) but Google Pay still won't let me add my card so something is missing here. Is YASNAC no longer sufficient to check if you're actually able to pass safety net anymore? I used Google Pay for everything before rooting so it's kind of sucking not being able to use it. I have magisk hidden along with everything pertaining to Google along with the safety net modules that allow me to pass YASNAC
yes get magisk module UNIVERSALSAFETYNEXT FIX
Right. Zygisk enabled, Google Play Store + Google Wallet on DenyList and Module "Universal SafetyNet Fix" by kdrag0n
RealZac said:
Right. Zygisk enabled, Google Play Store + Google Wallet on DenyList and Module "Universal SafetyNet Fix" by kdrag0n
Click to expand...
Click to collapse
This is exactly what I did and I passed safety net but it still told me I couldn't add my card with the typical message, also for some reason my fingerprint scanner stops working with l universal safety net fix module on top of not working with Google pay and that's my only module besides systemless hosts
Cengiz67 said:
yes get magisk module UNIVERSALSAFETYNEXT FIX
Click to expand...
Click to collapse
That's exactly what I was doing, I don't know what happened but turning the module back on and trying again worked but it broke my fingerprint reader. Luckily I found this fix and it worked just fine
https://forum.xda-developers.com/attachments/safetynet-fix-v2-3-1-test-zip.5735587/
jld2k6 said:
This is exactly what I did and I passed safety net but it still told me I couldn't add my card with the typical message, also for some reason my fingerprint scanner stops working with l universal safety net fix module on top of not working with Google pay and that's my only module besides systemless hosts
Click to expand...
Click to collapse
I found this safetynet module that fixes the fingerprint scanner! For some reason after multiple attempts of doing the same thing I got Google Pay working and this fixed my fingerprint scanner while still keeping safetytnet working
https://forum.xda-developers.com/attachments/safetynet-fix-v2-3-1-test-zip.5735587/