Database Develop

[2016.10.10] suhide v0.55 [CLOSED]

THIS IS CURRENTLY NOT WORKING
A newer version is available here: https://forum.xda-developers.com/apps/supersu/suhide-lite-t3653855
suhide is an experimental (and officially unsupported) mod for SuperSU that can selectively hide root (the su binary and package name) from other applications.
Pros
- Hides root on a per-app base, no need to globally disable root
- Doesn't need Xposed
- Even supports SuperSU's ancient app compatibility mode (BINDSYSTEMXBIN)
- Passes SafetyNet attestation by default on stock ROMs (last officially tested on 2016.10.07)
Cons
- Ultimately a losing game (see the next few posts)
- No GUI (at the moment) - Unofficial GUI by loserskater
Requirements
- SuperSU v2.78 SR1 or newer (link)
- SuperSU installed in systemless mode
- Android 6.0 or newer
- TWRP (3.0.2 or newer, with access to /data - link!) or FlashFire (link)
Xposed
Xposed is not currently officially supported, but if you want to use it directly, you must be using @topjohnwu 's systemless xposed v86.2 exactly (attached at the bottom). It seems to mostly work during my non-extensive testing, but there are still some performance issues (both boot-time and run-time). Proceed with caution, expect bootloop.
Alternatively, there are some reports that the latest Magisk version + the latest systemless xposed (for Magisk) also works. I have not personally tested this.
CyanogenMod
I've personally tested with CM13 on i9300 without issue, however, several users are reporting it doesn't work for them. Proceed with caution, expect bootloop. Also, aside from just flashing SuperSU, you need to make sure /system/bin/su and /system/xbin/su are removed, or CM's internal root will still be used.
Usage
Install/Upgrade
- Make sure you have the latest SuperSU version flashed in systemless mode
- Make sure you are using the latest TWRP or FlashFire version
- Remove any and all Xposed versions
- If you have been having issues, flash suhide-rm-vX.YY.zip first, and note that your blacklist has been lost.
- Flash the attached suhide-vX.YY.zip
- If you are upgrading from suhide v0.16 or older, reflash SuperSU ZIP, and note that your blacklist has been lost.
- Optionally, flash the Xposed version linked above, and pray
At first install SafetyNet is automatically blacklisted.
If you have just flashed a ROM, it is advised to let it fully boot at least once before installing suhide.
Uninstall
- Flash the attached suhide-rm-vX.YY.zip. The version may appear older, the uninstall script doesn't change very often.
Blacklisting an app
You need the UID (10000 to 99999, usually 10xxx) of the app, which can be tricky to find, or the process name. There may be a GUI for this at some point.
(Note that all commands below need to be executed from a root shell)
If you know the package name, ls -nld /data/data/packagename will show the UID - usually the 3rd column.
Similarly, for running apps, ps -n | grep packagename will also show the UID - usually the 1st column.
Note that the process name is often the same as the package name, but this is not always the case. UID is more reliable for identifying a specific app, and it is also faster than blocking based on process names.
When you know the UID or process name:
Add to blacklist: /su/suhide/add UID or /su/suhide/add processname
Remove from blacklist: /su/suhide/rm UID or /su/suhide/rm processname
List blacklist: /su/suhide/list
All running processes for that UID or process name need to be killed/restarted for su binary hiding. For SuperSU GUI hiding, the device needs to be restarted. I recommend just (soft-)rebooting your device after making any changes.
Please keep in mind that many apps store their rooted state, so you may need to clear their data (and then reboot).
Integration into SuperSU
This mod isn't stable, and probably will never be (see the next few posts). As SuperSU does aim to be stable, I don't think they're a good match. But who knows, it all depends on how things progress on the detection side.
Detections
This mod hides the su binary pretty well, and does a basic job of hiding the SuperSU GUI. The hiding is never perfect, and suhide itself is not undetectable either. This will never be a perfectly working solution.
Debugging bootloops
- Get your device in a booting state
- Make sure you have TWRP or a similar recovery
- Install LiveBoot (link)
- If you are not a LiveBoot Pro user, enable the Freeload option
- Enable the Save logs option
- Recreate the bootloop
- In TWRP, get /cache/liveboot.log , and ZIP+attach it to a post here.
Download
Attached below.
Any rm version should work to uninstall any suhide version.
There may be multiple versions of suhide attached, please look carefully which one you are downloading!
YOU ARE EXPLICITLY NOT ALLOWED TO REDISTRIBUTE THESE FILES
(pre-v0.51: 17410 downloads)

Hiding root: a losing game - rant du jour
Most apps that detect root fall into the payment, banking/investing, corporate security, or (anit cheating) gaming category.
While a lot of apps have their custom root detection routines, with the introduction of SafetyNet the situation for power users has become worse, as developers of those apps can now use a single API to check if the device is not obviously compromised.
SafetyNet is of course developed by Google, which means they can do some tricks that others may not be able to easily do, as they have better platform access and control. In its current incarnation, ultimately the detection routines still run as an unprivileged user and do not yet use information from expected-to-be-secure components such as the bootloader or TPM. In other words, even though they have slightly more access than a 3rd party app, they still have less access than a root app does.
Following from this is that as long as there is someone who is willing to put in the time and effort - and this can become very complex and time consuming very quickly - and SafetyNet keeps their detection routines in the same class, there will in theory always be a way to beat these detections.
While reading that may initially make some of you rejoice, this is in truth a bad thing. As an Android security engineer in Google's employ has stated, they need to "make sure that Android Pay is running on a device that has a well documented set of API’s and a well understood security model".
The problem is that with a rooted device, it is ultimately not possible to guarantee said security model with the current class of SafetyNet tamper detection routines. The cat and mouse game currently being played out - SafetyNet detecting root, someone bypassing it, SafetyNet detecting it again, repeat - only serves to emphasize this point. The more we push this, the more obvious this becomes to all players involved, and the quicker SafetyNet (and similar solutions) will grow beyond their current limitations.
Ultimately, information will be provided and verified by bootloaders/TrustZone/SecureBoot/TIMA/TEE/TPM etc. (Samsung is already doing this with their KNOX/TIMA solutions). Parts of the device we cannot easily reach or patch, and thus there will come a time when these detection bypasses may no longer viable. This will happen regardless of our efforts, as you can be sure malware authors are working on this as well. What we power-users do may well influence the time-frame, however. If a bypass attains critical mass, it will be patched quickly.
More security requires more locking down. Ultimately these security features are about money - unbelievably large amounts of money. This while our precious unlocked bootloaders and root solutions are more of a developer and enthusiast thing. While we're all generally fond of shaking our fists at the likes of Google, Samsung, HTC, etc, it should be noted that there are people in all these companies actively lobbying to keep unlocked/unlockable devices available for us to play with, with the only limitation being that some financial/corporate stuff may not work if we play too hard.
It would be much easier (and safer from their perspective) for all these parties to simply plug that hole and fully lock down the platform (beyond 3rd party apps using only the normal APIs). Bypassing root checks en masse is nothing less than poking the bear.
Nevertheless, users want to hide their roots (so do malware authors...) and at least this implementation of suhide is a simple one. I still think it's a bad idea to do it. Then again, I think it's a bad idea to do anything financial related on Android smartphone that isn't completely clean, but that's just me.
Note that I have intentionally left out any debate on whether SafetyNet/AndroidPay/etc need to be this perfectly secure (most people do their banking on virus ridden Windows installations after all), who should get to decide which risk is worth taking, or even if Google and cohorts would be able to design the systems more robustly so the main app processor would not need to be trusted at all. (the latter could be done for Android Pay, but wouldn't necessarily solve anything for Random Banking App). While those are very interesting discussion points, ultimately it is Google who decides how they want this system to work, regardless of our opinions on the matter - and they want to secure it.

--- reserved ---

Changelogs
2016.10.10 - v0.55 - RELEASE NOTES
- Some code cleanup
- Support for blocking based on process name
- Should fix some crashes (requires uninstall/reinstall to activate)
2016.10.07 - v0.54 - RELEASE NOTES
- Fix for latest SafetyNet update
2016.09.19 - v0.53 - RELEASE NOTES
- Haploid container (monoploid)
2016.09.18 - v0.52 - see v0.51 release notes below
- Fix root loss on some firmwares
2016.09.18 - v0.51 - RELEASE NOTES
- Complete redesign
- Zygote proxying (haploid)
- Binder hijacking (diploid)
- su.d instead of ramdisk modification
- Xposed supported (-ish)
2016.09.04 - v0.16 - RELEASE NOTES
- Fix some SELinux access errors
- Should now work on devices that ask for a password/pattern/pin immediately at boot - for real this time!
- Binderjacking improvements for Nougat
2016.08.31 - v0.12 - RELEASE NOTES
- Fix some issues with suhide-add/rm scripts
- Fix not working at all on 32-bit devices
- Should now work on devices that ask for a password/pattern/pin immediately at boot
- Rudimentary GUI hiding
- No longer limited to arm/arm64 devices: support for x86/x86_64/mips/mips64 devices added
2016.08.29 - v0.01
- Initial release

As always thank you Chainfire! I will try and edit this post.
Edit @Chainfire this seems to work for enabling Android Pay! I didn't get the chance to actually pay yet. But it did let me add my card and did not display the message about a failed authorization of Android check! Before I couldn't even get past that first screen.
Edit 2: @Chainfire It seems to of had an adverse effect on Snapchat. I cleared cache on the app, uninstalled and reinstalled and restarted. It kept Force closing after a photo no matter what. I used suhide-rm and it seems to have fixed the app from any issues. Thanks again and hopefully we'll get you some more reports. Either way your solution works!
Tested on stock rooted 7.0 Nexus 6p.

@Chainfire
What was your reason for doing this project?
Sent from my Nexus 6P using XDA-Developers mobile app

Ofthecats said:
What was your reason for doing this project?
Click to expand...
Click to collapse
For building it, curious if the method I came up with would work well. For releasing, if others are doing it, join them or be left behind.

I'm assuming with custom ROM android pay still won't work right?

HamsterHam said:
I'm assuming with custom ROM android pay still won't work right?
Click to expand...
Click to collapse
I'd just give it a try. It's spoofing the specific app, not the entire ROM that matters. It's fairly simple to try.

Installed on LG G4 w/ V20g-EUR-XX update and rerooted with TWRP 3.0.2-0 and SuperSU-v2.76-2016063161323. seems to be working fine, for the moment. Thank you for the update.

So far so good, I was able to add card to android pay. I would try using it during lunch and report back. Again, thanks for the continuous hard work.

djide said:
So far so good, I was able to add card to android pay. I would try using it during lunch and report back. Again, thanks for the continuous hard work.
Click to expand...
Click to collapse
What was the UID or process you found to blacklist it with?
Sent from my ONEPLUS A3000 using Tapatalk

how to install it? which file should I flash ? Both?

I can't see to add an app using terminal.
I'm typing in
/data/adb/suhide-add 10284
Says file not found. Can someone help, cheers.

Joshmccullough said:
What was the UID or process you found to blacklist it with?
Click to expand...
Click to collapse
Android Pay comes blacklisted out-of-the-box

HamsterHam said:
I can't see to add an app using terminal.
I'm typing in
/data/adb/suhide-add 10284
Says file not found. Can someone help, cheers.
Click to expand...
Click to collapse
Are you in Android or TWRP ?
ls -l /data/adb/

Chainfire said:
Android Pay comes blacklisted out-of-the-box
Click to expand...
Click to collapse
Derp. That's what I get for not reading the entire sentence under 'Install' in the OP......thanks!

PedroM.CostaAndrade said:
how to install it? which file should I flash ? Both?
Click to expand...
Click to collapse
Please don't quote a large post like that just to ask a single question.
Please read the first post, so you know what to do.

OnePlus 2 here, stock 6.0.1, systemless rooted with SuperSU Pro v2.76, flahed using Flashfire.
Passes SafetyNet check, does not pass my bank's root check, propably for the reasons the OP states above.

thdervenis said:
OnePlus 2 here, stock 6.0.1, systemless rooted with SuperSU Pro v2.76, flahed using Flashfire.
Passes SafetyNet check, does not pass my bank's root check, propably for the reasons the OP states above.
Click to expand...
Click to collapse
You need to blacklist the UID for your bank. Directions are in the OP.

[DEPRECATED] [2019.4.4] Magisk Manager for Recovery Mode (mm)

THIS PROJECT IS NO LONGER SUPPORTED.
# Magisk Manager for Recovery Mode (mm)
## LEGAL
Copyright (C) 2017-2019, VR25 @ xda-developers
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
## DISCLAIMER
Always read/reread this reference prior to installing/upgrading this software.
While no cats have been harmed, the author assumes no responsibility for anything that might break due to the use/misuse of it.
To prevent fraud, do NOT mirror any link associated with this project; do NOT share builds (zips)! Share official links instead.
## DESCRIPTION
- Manage your Magisk modules from recovery (e.g., TWRP) -- run "sh /sdcard/mm" on recovery terminal.
Features list
- Automatically fix magisk.img (e2fsck -fy)
- List installed modules
- Toggle
- Core only mode
- Magic mount
- Disable
- Remove
## PREREQUISITE
- Magisk 17-19
## SETUP
- Install
1. Flash live (e.g., from Magisk Manager) or from custom recovery (e.g., TWRP).
- Uninstall
- Use Magisk Manager app or mm itself (supports `uninstall.sh`, too).
## USAGE
- First time (right after installing/updating) - run `mm` or `sh /sdcard/mm` on recovery terminal.
- Next times (while in recovery) - no need to re-flash the zip; simply run `sh /sdcard/mm` on recovery terminal.
- Follow the instructions/wizard. Everything is interactive.
- Pro tip: lazy people can try running `*/mm` instead of `sh /sdcard/mm`.
## LINKS
- [Donate](https://paypal.me/vr25xda/)
- [Facebook page](https://facebook.com/VR25-at-xda-developers-258150974794782/)
- [Git repository](https://github.com/Magisk-Modules-Repo/mm)
- [Telegram channel](https://t.me/vr25_xda/)
- [Telegram profile](https://t.me/vr25xda/)
- [XDA thread](https://forum.xda-developers.com/apps/magisk/module-tool-magisk-manager-recovery-mode-t3693165)
## LATEST CHANGES
**2019.4.4 (201904040)**
- Complete redesign
- Magisk 17-19 support (including `uninstall.sh`)
- Toggle core only mode
- Updated information (copyright, documentation, and module description)
**2018.8.1 (201808010)**
- General optimizations
- New & simplified installer
- Striped down (removed unnecessary code & files)
- Updated documentation
**2018.7.24 (201807240)**
- Fixed modPath detection issue (Magisk 16.6).
- Updated documentation

Archive

Hey not sure whether this is right thread to ask, if not please redirect me.
I'm on AOKP, banking apps are detecting root and not allowing to access it, so I was asked to use Magisk.
Can you tell me how do I install it? Can I just download Magisk Manager and Magisk flash it via twrp? I'm noob to all rooting man

BackToAndroid said:
Hey not sure whether this is right thread to ask, if not please redirect me.
I'm on AOKP, banking apps are detecting root and not allowing to access it, so I was asked to use Magisk.
Can you tell me how do I install it? Can I just download Magisk Manager and Magisk flash it via twrp? I'm noob to all rooting man
Click to expand...
Click to collapse
Yeah... You took a serious wrong turn.
Start by reading these threads:
https://forum.xda-developers.com/apps/magisk/official-magisk-v7-universal-systemless-t3473445
https://forum.xda-developers.com/apps/magisk/guide-magisk-troubleshooting-t3641417
And if you need help, post here (with lots of details):
https://forum.xda-developers.com/apps/magisk/mod-magisk-v1-universal-systemless-t3432382

Sorry, maybe for my language, but I can not understand what this module is doing.
Enviado desde mi MI 5s Plus mediante Tapatalk

Hi,
Great idea! I'll check and comment. :good:
Please, add it to the official repository.
It includes one option to enable/disable Magisk Core Mode Only?
And one suggestion: provide a ZIP file for launch directly the "mm" command without opening the Terminal (or use Aroma Installer).

Nitram08 said:
Sorry, maybe for my language, but I can not understand what this module is doing.
Enviado desde mi MI 5s Plus mediante Tapatalk
Click to expand...
Click to collapse
You should at least have basic understanding of what Magisk is and how it operates before jumping onto this thread. If you don't know what I mean by "Magisk Manager for Recovery Mode," then you've been skipping steps. I can't help you before you help yourself.
manos78 said:
Hi,
Great idea! I'll check and comment. :good:
Please, add it to the official repository.
It includes one option to enable/disable Magisk Core Mode Only?
And one suggestion: provide a ZIP file for launch directly the "mm" command without opening the Terminal (or use Aroma Installer).
Click to expand...
Click to collapse
Currently limited to the features listed. New capabilities will be added over time. The ability to manage Magisk settings is already in the works. Repo submission status -- awaiting approval.

Firstly, thank you. I've used another mod that allows using terminal to get rid of modules but it's not as fluid in usage as this one. However, i have one question; While i was able to use it in recovery, I'm not sure I understand clearly about whether or not this can be used while the system is fully loaded. I tried accessing the app through the os terminal but it acts as if I'm entering the wrong command. In twrp i did as you said and typed "mm" and it pulled right up. Yet, when i try the instructions that follow afterward to access the module while in the os, it tells me it can't be found. Am i missing something or is this only available through recovery?

dodgyme said:
Firstly, thank you. I've used another mod that allows using terminal to get rid of modules but it's not as fluid in usage as this one. However, i have one question; While i was able to use it in recovery, I'm not sure I understand clearly about whether or not this can be used while the system is fully loaded. I tried accessing the app through the os terminal but it acts as if I'm entering the wrong command. In twrp i did as you said and typed "mm" and it pulled right up. Yet, when i try the instructions that follow afterward to access the module while in the os, it tells me it can't be found. Am i missing something or is this only available through recovery?
Click to expand...
Click to collapse
The "module" part is only meant for updating the tool through Magisk Manager.
So, you don't have to constantly check XDA/GitHub for newer versions.
@Nitram08, if that's what you meant, sorry about the first answer! Next time, PLEASE give more detail, or you might get very similar reactions.
A basic rule of thumb:
- Poor info = "nothing happened -- bad post".

Hmmmmm
So, just to clarify, it can only be used in twrp? If not, what's the exact command to use when I'm actually in the Android system using whatever terminal app I might be using...???
I ask because this part of your instructions confuses me:
"Else (after installing & rebooting) -- run `. /data/magisk/mm`."
My understanding suggests I can use it while in the actual system but when I use my terminal app it tells me it's not found...

dodgyme said:
So, just to clarify, it can only be used in twrp? If not, what's the exact command to use when I'm actually in the Android system using whatever terminal app I might be using...???
I ask because this part of your instructions confuses me:
"Else (after installing & rebooting) -- run `. /data/magisk/mm`."
My understanding suggests I can use it while in the actual system but when I use my terminal app it tells me it's not found...
Click to expand...
Click to collapse
Yeah... that line should be "after installing & rebooting into recovery". So, this is built for use in recovery mode only.
Instead of re-flashing every single time you need it, you simply run ". /data/magisk/mm" That is "dot space /magisk/mm".
In short
- First time (right after installing/updating) -- run "mm" (on recovery terminal)
- Next times (while in recovery) -- no need to re-flash the zip; simply run ". /data/magisk/mm" on terminal.

VR25 said:
Yeah... that line should be "after installing & rebooting into recovery". So, this is built for use in recovery mode only.
Instead of re-flashing every single time you need it, you simply run ". /data/magisk/mm" That is "dot space /magisk/mm".
In short
- First time (right after installing/updating) -- run "mm" (on recovery terminal)
- Next times (while in recovery) -- no need to re-flash the zip; simply run ". /magisk/mm" on terminal.
Click to expand...
Click to collapse
Understood, I appreciate your feedback and this little gem greatly. Thank you!

Type wrong, please ignore

I just want to thank Op for this. I can't tell you how many times I have gotten a bootloop from a faulty module making me have to delete magisk.img (always trying new things ). This makes it so much easier. Thanks much OP.

Thanks a bunch OP. This will be a life saver for those who don't take TWRP backups in TWRP before flashing a module, including me.
Sent from my Honor 8 Pro using XDA Labs

Magisk log: "e 432:569 sendfile failed with 2: No such file or directory"
Any Modules can not find after install this
New modules installs but not works and not shows on list of android magisk manager.
Very Poor soft! Need to repair system after that!
Unistall_magisk.zip not repair this error!
I lost my system???
Android AOSP (Aex) latest 7.1.2
Xiaomi redmi 4x

Amazing module, allows me to manage magisk in TWRP without issue. This is an essential module for every magisk user - if you can't boot after a module install, you can just remove the module and not worry about restoring a backup.
As an aside, also always have the Magisk uninstaller zip handy, it'll save your ass when your phone / tablet goes to **** when you're flashing modules like a meth addict.

Great module, but I found something weird on my phone...
Is there any reason why a removed/disabled moduled would appear as such in the current TWRP session or just after rebooting from TWRP to recovery, but reappear after powering off and then booting to recovery via bootloader?
This (strange) thing happened to me minutes ago and the only way to remove the module (and boot Android again) was uninstalling and then reinstalling Magisk...

Disable modules
I'm trying to disable a module but I don't entirely understand the commands. I start Magisk Manager and select "e" to enable/disable modules. Then it shows:
<Toggle Module ON/OFF>
Greenify4Magisk (ON)
aik-mobile (ON)
mm (ON)
Input a matching WORD/string at once
- Press RETURN when done (or to cancel)
-- CTRL+C to exit
What command do I have to use to disable Greenify4Magisk?

iqubik said:
Magisk log: "e 432:569 sendfile failed with 2: No such file or directory"
Any Modules can not find after install this
New modules installs but not works and not shows on list of android magisk manager.
Very Poor soft! Need to repair system after that!
Unistall_magisk.zip not repair this error!
I lost my system???
Android AOSP (Aex) latest 7.1.2
Xiaomi redmi 4x
Click to expand...
Click to collapse
Really good way of providing "useful" information...
You're dealing with different issues not related to this module in the first place. Could you describe exactly what you did and what actually happened afterwards?
njascgil said:
Great module, but I found something weird on my phone...
Is there any reason why a removed/disabled moduled would appear as such in the current TWRP session or just after rebooting from TWRP to recovery, but reappear after powering off and then booting to recovery via bootloader?
This (strange) thing happened to me minutes ago and the only way to remove the module (and boot Android again) was uninstalling and then reinstalling Magisk...
Click to expand...
Click to collapse
Odd...
Could you describe in details what you did to remove/disable the module in question?
beavis5706 said:
I'm trying to disable a module but I don't entirely understand the commands. I start Magisk Manager and select "e" to enable/disable modules. Then it shows:
<Toggle Module ON/OFF>
Greenify4Magisk (ON)
aik-mobile (ON)
mm (ON)
Input a matching WORD/string at once
- Press RETURN when done (or to cancel)
-- CTRL+C to exit
What command do I have to use to disable Greenify4Magisk?
Click to expand...
Click to collapse
You simply type a "matching WORD/string" and press ENTER. For example, to disable Greenify4Magisk, I would input "Green" or "4" or "Magisk" (whatever is unique to Greenify4Magisk).

PetNoire's SafetyNet Spoofer! (Universal SafetyNet Fix mod)

PetNoire's SafetyNet Spoofer
This module tries to pass SafetyNet on devices/roms that don't.
This started when i put LineageOS on my phone and couldn't play Pokemon GO anymore. much sadness was had.
i searched around for a fix and found universal-safetynet-fix. Awesome! it let me play pokemon again but it broke everything else root related while it was enabled.
So, i worked on updating it to be compatible with magisk 17. and i got it! (download at the bottom)
but, well.. there was a lot in that code that didn't need to be there anymore. (does anyone even use magisk 12?!)
and worse still, my phones stock image used a thumbprint, not a fingerprint. with it in usnf, it didnt even pass basic integrity!
so i got to work and PetNoire's SafetyNet Spoofer was born!
Disclaimer:
I am not responsible for bricked devices, dead SD cards,
thermonuclear war, or you getting fired because the alarm app failed.
I also do not support hacking/altering any other apps with your root powers.
i made this purely to legitimately play a game on a customized system.
Information
Features:
Resets system props to a factory state
spoofs the device fingerprint or thumbprint
has a friendly command tool to change finger/thumbprint settings
Use:
Flash it with TWRP or MM.
by default, it spoofs the same device that unsf did which is enough for most uses. Congrats, you're done!
you can also use the pnss command as root to change, reset, or disable the fingerprint spoofing.
run the 'pnss' command from terminal for usage information
example command:
Code:
su
pnss set thumb MyDeviceThumbprint/8.1/etc/etc
Requeriments
Magisk v17
Installation
Flash the .ZIP from TWRP or MM Module page
Reboot
Known issues
thumbprint mode is only passing BasicIntegrity, not CTS
Donations
If you feel I helped you, you can buy me a coffee here
Credits
@Deic - the original creator of universal-safetynet-fix here
@PetNoire - porting it to magisk 17, breaking it further, and adding thumbprint support
Download
Please DO NOT share the module itself or the download link, share the thread only.
vv

@PetNoire May I ask a favour (as I've done to other users that hav updated @Deic's module to the current template in the past)? If you're going to re-release the module with the current template, at least please fix it so that it no longer replaces Magisk's internal Busybox with it's own. Really bad practice and we never did get @Deic to fix that before he disappeared...
If you need a specific module Busybox, place it in the module folder instead and call the commands from there, or make sure that the users know that they have to install @osm0sis Busybox, or if you're really in a pinch just use the internal Magisk Busybox then, but at least don't replace it with one that have the possibility to mess up Magisk's internal functions.
Also, it would be a good idea if you gave @Deic a bit more credit than you're doing right now (a tiny, tiny link at the top of your post just isn't enough), no matter that he's MIA. All you've really done is to transfer his module to the current template and added a check for the current Magisk version and it's paths. I'd suggest you make that more apparent so you don't risk being accused of passing someone else's work off as your own.

Didgeridoohan said:
@PetNoire May I ask a favour (as I've done to other users that hav updated @Deic's module to the current template in the past)? If you're going to re-release the module with the current template, at least please fix it so that it no longer replaces Magisk's internal Busybox with it's own. Really bad practice and we never did get @Deic to fix that before he disappeared...
If you need a specific module Busybox, place it in the module folder instead and call the commands from there, or make sure that the users know that they have to install @osm0sis Busybox, or if you're really in a pinch just use the internal Magisk Busybox then, but at least don't replace it with one that have the possibility to mess up Magisk's internal functions.
Also, it would be a good idea if you gave @Deic a bit more credit than you're doing right now (a tiny, tiny link at the top of your post just isn't enough), no matter that he's MIA. All you've really done is to transfer his module to the current template and added a check for the current Magisk version and it's paths. I'd suggest you make that more apparent so you don't risk being accused of passing someone else's work off as your own.
Click to expand...
Click to collapse
Thanks for the tip on busybox. I thought it was pretty weird that it replaced it like that for 2 commands but was more concerned about getting it to work at all. I'll look into fixing that soon.
update: i think i almost have it working on magisk's busybox but still working out some bugs.
And I'll edit it to give him some more credit right away.

PetNoire said:
Thanks for the tip on busybox. I thought it was pretty weird that it replaced it like that for 2 commands but was more concerned about getting it to work at all. I'll look into fixing that soon.
Click to expand...
Click to collapse
That would be great.
I thought I'd give some insight into what the module actually does, for those that are wondering, since it might get lost in translation between the different updates to the module by others than @Deic.
The USNF module is made up of two parts. For one, it changes the device fingerprint to a certified one to pass the ctsProfile check (the in-built one is a Xiaomi print, but IIRC you can also use the device stock fingerprint if it's already certified). This is also something that can be done with a Magisk boot script (post-fs-data.d or service.d) and the resetprop tool:
Code:
resetprop ro.build.fingerprint <certified fingerprint value>
There are also Magisk modules available that do the same thing (apart from USNF).
Device Spoofing Tool by @Dreamer(3MF) is one (although it also changes a whole lot of other props to simulate a OnePlus 2).
And there's also my MagiskHide Props Config that changes the build fingerprint to one of your choice.
Or, if you don't care about the systemlessness, you can directly edit your build.prop file and change the current ro.build.fingerprint to a certified one.
So, for the device fingerprint and passing the ctsProfile there are a few options.
The second part of USNF is the custom MagiskHide (as described in the OP). The thing here though, is that for the majority of devices it is not necessary anymore, since (as it also says in the OP) @topjohnwu have fixed most of those issues. From what it seems, from user reports in different threads, this is only necessary on some MIUI releases (Xiaomi devices). The module actually started out as a "Xiaomi SafetyNet fix" (check the module id), but the build fingerprint part turned out to be useful for other devices, so @Deic changed the name to "Universal". All other devices should be good with only changing the device fingerprint.
So far, it doesn't seem like the custom MagiskHide from the module is interfering in any way with the real thing. But, considering that it hasn't been updated in over a year, who knows.
Class dismissed.

Is there any reason to keep the code for old magisk? Does anyone still use 12-14?

Seems to have helped on my S8 with KingROM
My Magisk updated to 17.1 and then GooglePay started getting upset that I had rooted, mucked around with various things including the 'MagiskHide Props Config' module which my S8 never seems happy with (random reboots when installed) but this seems to do the trick.
I installed via Magisk Manager but it seemed to kill the Magisk install when I rebooted, reinstalled Magisk and now all seems ok so a big thumbs up from me

I wonder how the magiskhide part (at least the "add", etc. scripts) can work, because you use the old outdated "/magisk"-folder, that is no longer supported since 16.3 (or so).

Oberth said:
My Magisk updated to 17.1 and then GooglePay started getting upset that I had rooted, mucked around with various things including the 'MagiskHide Props Config' module which my S8 never seems happy with (random reboots when installed) but this seems to do the trick.
I installed via Magisk Manager but it seemed to kill the Magisk install when I rebooted, reinstalled Magisk and now all seems ok so a big thumbs up from me
Click to expand...
Click to collapse
For some reason it doesn't always work the first time. Usually just rebooting fixes it.

jenslody said:
I wonder how the magiskhide part (at least the "add", etc. scripts) can work, because you use the old outdated "/magisk"-folder, that is no longer supported since 16.3 (or so).
Click to expand...
Click to collapse
I thought I changed it all. You sure there isnt some kind of version check? I'll look at it later
Again first goal was to get it working. Next goal is to make it awesome

Hmm.. this doesn't work with my phone (HTC one M8). After I flashed it, wiped cache (TWRP), it said "complete" on the log, then it will never boot to my OS, stuck on the HTC logo, no boot animation. I use TWRP

winzzzzz said:
Hmm.. this doesn't work with my phone (HTC one M8). After I flashed it, wiped cache (TWRP), it said "complete" on the log, then it will never boot to my OS, stuck on the HTC logo, no boot animation. I use TWRP
Click to expand...
Click to collapse
In-Case Of Facing A Bootloop/Bootscreen Issue Due To Flashing A Module, Download CoreOnlyMode4Magisk From This Thread https://forum.xda-developers.com/apps/magisk/module-core-mode-bootloop-solver-modules-t3817366 Then Flash It Thru TWRP Recovery.

winzzzzz said:
Hmm.. this doesn't work with my phone (HTC one M8). After I flashed it, wiped cache (TWRP), it said "complete" on the log, then it will never boot to my OS, stuck on the HTC logo, no boot animation. I use TWRP
Click to expand...
Click to collapse
Does it boot after disabling the module?
From twrp>advanced>terminal:
HTML:
Mount -o loop /data/adb/magisk.img /mnt
Touch /mnt/universal-safetynet-fix/disable
The reboot

so.. i kind of deleted the whole magiskhide clone from the module and just left the prop configs and its totally passing safetynet now. so i guess the normal magiskhide is enough and is just missing some prop resets.

@PetNoire I still failed to pass safetynet, When I flashed the module, my magisk was erased, but then I just saw from this thread that a reboot is needed. After reboot my magisk came back, but It' says "Requires Additional Setup" I ignore it and then checked if safetynet will pass, It failed.
I'm using stock CM FLARE S4 ROM android 5.1.
Sorry for my English.
Thankyou for the reviving this module. :good:
Godbless you.

PetNoire said:
so.. i kind of deleted the whole magiskhide clone from the module and just left the prop configs and its totally passing safetynet now. so i guess the normal magiskhide is enough and is just missing some prop resets.
Click to expand...
Click to collapse
That was kind of the point of my longish text above... All you need to pass on a device that doesn't fully pass SafetyNet (ctsProfile fails while basicIntegrity passes), is usually just to change ro.build.fingerprint to a certified fingerprint (and there are several ways to go about that, but the Magisk way always involves the resetprop tool somehow). Custom ROMs, developer versions of OEM firmwares (Oneplus 6 beta, for example), and otherwise uncertified devices can usually pass SafetyNet like this.

Didgeridoohan said:
That was kind of the point of my longish text above... All you need to pass on a device that doesn't fully pass SafetyNet (ctsProfile fails while basicIntegrity passes), is usually just to change ro.build.fingerprint to a certified fingerprint (and there are several ways to go about that, but the Magisk way always involves the resetprop tool somehow). Custom ROMs, developer versions of OEM firmwares (Oneplus 6 beta, for example), and otherwise uncertified devices can usually pass SafetyNet like this.
Click to expand...
Click to collapse
This was just the first one that gave me any success so I initially assumed it was because of the hiding. I wasn't even able to pass basic integrity without this one and most others didn't help either. I tries yours at one point with no success. Do you change all the "dangerous props" that this one does?

PetNoire said:
This was just the first one that gave me any success so I initially assumed it was because of the hiding. I wasn't even able to pass basic integrity without this one and most others didn't help either
Click to expand...
Click to collapse
Basic integrity passing has nothing to do with the device fingerprint or other props. With Magisk, that usually means that MagiskHide isn't working (for whatever reason, most of the times it just needs a restart) or you have something installed that MagiskHide can't hide (like Xposed, remnants of other kinds of root, etc).
Edit: Scroll down a little here for a table of examples of what will cause a true or false cts profile or basic integrity response.
https://developer.android.com/training/safetynet/attestation#compat-check-response

iamcurseal said:
@PetNoire I still failed to pass safetynet, When I flashed the module, my magisk was erased, but then I just saw from this thread that a reboot is needed. After reboot my magisk came back, but It' says "Requires Additional Setup" I ignore it and then checked if safetynet will pass, It failed.
I'm using stock CM FLARE S4 ROM android 5.1.
Sorry for my English.
Thankyou for the reviving this module. :good:
Godbless you.
Click to expand...
Click to collapse
I don't know what Tue additional setup does, but I always do it and its been working. Also your device may have thumbprint props instead of fingerprint.
Run this in a terminal and let me know what you get
Code:
getprop | grep print

PetNoire said:
I tries yours at one point with no success. Do you change all the "dangerous props" that this one does?
Click to expand...
Click to collapse
My module changes all the common fingerprint props, but as far as I know, it's only ro.build.fingerprint that is important for the ctsProfile check.

Didgeridoohan said:
Basic integrity passing has nothing to do with the device fingerprint or other props. With Magisk, that usually means that MagiskHide isn't working (for whatever reason, most of the times it just needs a restart) or you have something installed that MagiskHide can't hide (like Xposed, remnants of other kinds of root, etc).
Edit: Scroll down a little here for a table of examples of what will cause a true or false cts profile or basic integrity response.
https://developer.android.com/training/safetynet/attestation#compat-check-response
Click to expand...
Click to collapse
I wiped all partitions, installed lineage 15, installed magisk and enabled hide and it wouldn't pass basic at any point. Even still its never passed it without this module. It didn't even pass it on the clean install, before magisk

General System root + Passed Safety Net Pixel 5a

Hey everyone,
after some trial and error, I was able to pass Safety Net.
I just want to mention what I did in the process to get there. May have been a combination of things or just one...
1. I followed this guide, but make sure you notice that It's for the Pixel 5 not 5a. But the process is similar. This process didn't fix the issue. However, it's also a good how-to on how to root. I did also modify the props to the 3a.
How to Root the Pixel 5 & Still Pass SafetyNet — Full Guide for Beginners & Intermediate Users
The Pixel 5 is a great value proposition in this era of $1,500 phones. With its reasonable price tag, fully open-sourced software, and unlockable bootloader, it's also an ideal phone for rooting.
android.gadgethacks.com
2. When that didn't work, I followed this video, and hid all my banking apps besides the Google Play Services:
3. When that didn't work, I installed these both using Magisk from this post:
Magisk General Support / Discussion
This is the place for general support and discussion regarding "Public Releases", which includes both stable and beta releases. All information, including troubleshoot guides and notes, are in the Announcement Thread
forum.xda-developers.com
4. Cleared my data and cache with Google Play and GPay + any other banking apps.
That worked for me!
EDIT: IF GOOGLE MAPS reports the wrong location, its likely XPrivacy-LUA, Google Services. Uncheck some of them.

Oh man....the only thing holding me back is the safety net thing, and it looks like we have a work around tell someone has an actual method made for this phone. Not sure if I'm ready to actually mess with this yet...but thanks for the post, bro!

anubis2k3 said:
Oh man....the only thing holding me back is the safety net thing, and it looks like we have a work around tell someone has an actual method made for this phone. Not sure if I'm ready to actually mess with this yet...but thanks for the post, bro!
Click to expand...
Click to collapse
Didnt think it was that big of a deal to me. But it was fun with a new phone with nothing on it.

This was the Magisk module that worked to pass safety net for me. I didn't need any others.
Releases · kdrag0n/safetynet-fix
Google SafetyNet attestation workarounds for Magisk - kdrag0n/safetynet-fix
github.com
Google Pay "appears" to be working too. Haven't gone out and tried it yet though.

joemommasfat said:
Google Pay "appears" to be working too. Haven't gone out and tried it yet though.
Click to expand...
Click to collapse
That's the part that I use the most, and the reason I haven't rooted yet. Please let us know if it works. Much appreciated!

I can confirm that using google pay (newer GPay app) on my rooted 5a works at merchants. I've already used it several times over the last week or so with no problems.

Deadmau-five said:
3. When that didn't work, I installed these both using Magisk from this post:
Click to expand...
Click to collapse
Why? Isn't the shim version just for Samsungs? Either way, it's the same mod, just different versions.
Someone who actually knows what they're doing needs to write up a tutorial. Following instructions posted by people who have no idea what they're doing but "it works" for them is dangerous.

borxnx said:
Why? Isn't the shim version just for Samsungs? Either way, it's the same mod, just different versions.
Someone who actually knows what they're doing needs to write up a tutorial. Following instructions posted by people who have no idea what they're doing but "it works" for them is dangerous.
Click to expand...
Click to collapse
You're absolutely correct about the dangers in following instructions posted by who knows who. I'll go further and say when it comes to root and associated items stay away from anything posted on a site other than XDA. In many cases even if the instructions were correct at some point in time they may well be outdated now.
I haven't rooted yet for a few reasons yet but will, hopefully sometime very soon. In the meantime I can state the following:
They're is no need to modify props. Modifying props to identify as a different phone would only be required for custom ROMs that don't handle it themselves (or some non-certified Chinese phones, which doesn't apply here). If you're running stock just leave that portion alone. And, if I'm not mistaken (although not 100% certain) I think safetynet-fix takes care of that for you in any case.
You will definitely need kdragOn/safetynet-fix.
Hopefully that's all you need.
I'm not sure which version of Magisk you'll need. Unless you know what you're doing and how to get out of trouble I recommend staying away from the current alphas, they're extremely cutting edge and you can expect problems.
Best best is to check the following threads and see what's going on:
Actually see this post and the 2 posts immediately following
Magisk General Support / Discussion
This is the place for general support and discussion regarding "Public Releases", which includes both stable and beta releases. All information, including troubleshoot guides and notes, are in the Announcement Thread
forum.xda-developers.com
That should pretty much cover things for the moment. If nobody else (@hfam ?) has done it by the time I get around to rooting I'll write something up specific for the 5a.

I only mentioned what works for me since there was no step-by-step guide.
Dangerous how? Doing any mods to your phone is "dangerous". I fail to see how this is more so than others. Modifying your phone is risky.
If it didn't work I wouldn't have posted this guide. I only mentioned the steps that I took. It's not really a guide, just how I passed safety net.
But, my 5a has still been working great since then. GPay included.

jcmm11 said:
You're absolutely correct about the dangers in following instructions posted by who knows who. I'll go further and say when it comes to root and associated items stay away from anything posted on a site other than XDA. In many cases even if the instructions were correct at some point in time they may well be outdated now.
I haven't rooted yet for a few reasons yet but will, hopefully sometime very soon. In the meantime I can state the following:
They're is no need to modify props. Modifying props to identify as a different phone would only be required for custom ROMs that don't handle it themselves (or some non-certified Chinese phones, which doesn't apply here). If you're running stock just leave that portion alone. And, if I'm not mistaken (although not 100% certain) I think safetynet-fix takes care of that for you in any case.
You will definitely need kdragOn/safetynet-fix.
Hopefully that's all you need.
I'm not sure which version of Magisk you'll need. Unless you know what you're doing and how to get out of trouble I recommend staying away from the current alphas, they're extremely cutting edge and you can expect problems.
Best best is to check the following threads and see what's going on:
Actually see this post and the 2 posts immediately following
Magisk General Support / Discussion
This is the place for general support and discussion regarding "Public Releases", which includes both stable and beta releases. All information, including troubleshoot guides and notes, are in the Announcement Thread
forum.xda-developers.com
That should pretty much cover things for the moment. If nobody else (@hfam ?) has done it by the time I get around to rooting I'll write something up specific for the 5a.
Click to expand...
Click to collapse
Just a quick note to say I just finished with everything (new Pixel 5a 5G, rooted + Safety net, restored all my apps, etc) and it's a flawless victory, ALL banking apps work great, SafetyNet passes, no hiccups.
I'd be happy to craft up a step by step and post it if there's some interest. It's not often I get to give back to this outstanding community, so it's the least I can do jumping on the opportunity. UFC 266 Main card is just starting, so I'll get started right after the fight and post it here in this thread.
Great to see ya again @jcmm11! Coming back to root a new phone feels like a family reunion, so great to see many of you active folks still here helping out!!
hfam

Alright, as promised, here is my writeup for a step-by-step tutorial for rooting your new Pixel 5a and getting SafetyNet up and going. I know it looks like a book, but I wanted to put it into plain language and attempt to explain the process for everyone, even absolute first timers. I know when I first started I really appreciated when the person helping didn't presume I had any knowledge, so for those that may have some experience, sorry for the wordiness. I'll also include how I apply updates when a new Android security update is pushed out. I understand that there are now elegant ways to accept OTA updates, but that is out of the scope of this tutorial as I have always had issues with OTA, and have to catch up on how that works myself. I can attest to years of using this method though (using a full factory image) to perform the "monthly" security updates, and I have never had anything but full success, so I'll share that here below the rooting tutorial.
*Disclaimer and heads-up* this is for an UNLOCKED PIxel 5a purchased directly from Google Store. At the time of this writing that is the only place I'm aware of which currently offers the PIxel 5a. Once carriers like Verizon, etc, offer this device, there may be some changes to the process, so just know up front this is for the unlocked Pixel 5a*
*WARNING*! When you unlock the bootloader on your phone it WILL WIPE YOUR PHONE and reset it to factory. If you've already used your phone and set it up, you're going to lose that setup. If you can't bear it, then the rest of this isn't for you, as root cannot be achieved without unlocking the bootloader.
First, you'll need a few things
- https://developers.google.com/android/images
and download the latest FACTORY IMAGE for "barbet", which is the Pixel 5a. You want to download the SAME VERSION that is currently installed on your device. At the time of this writing, it's the September release.
From that same page, you will need the ADB+Fastboot platform tools which will allow you to perform the required tasks, download from this link:
- https://developer.android.com/studio/releases/platform-tools.html
I use Windows 10, and extract this tools download to a folder in the root of C: called "platform-tools". You will then need to add "c:\platform-tools" to your environment path.
On the Pixel 5a, you need to enable developer options. Go into Settings/About Phone/and tap "Build Number" 7 times. This enables developer options and it will let you know when you've unlocked this as you tap 7 times. Once developer options is unlocked, go back to Settings/System/Advanced, and you'll see Developer Options is now available.
Select Developer Options, and enable "USB Debugging" and also enable "OEM Unlocking".
(**NOTE** For now at least, until you decide how you want to proceed with handling updates in future (more on that later), I strongly recommend turning OFF "Automatic System Updates" as well, just a few items below "OEM Unlocking". This prevents any updates happening automatically on a phone reboot. You don't want to wake up and find an OTA update pushed out and removed root, or worse. You can always turn it back on later.)
Plug your phone into a USB port on your PC. Allow the PC to do it's thing. You can open up Computer Management on the PC (right click the windows menu button icon lower left of your toolbar and select "Computer Management". Select "Device Manager" on the left panel. You should see "Android ADB Device" appear at the top of the right pane list of devices. if not, then visit:
Install OEM USB drivers | Android Studio | Android Developers
Discover links to the web sites for several original equipment manufacturers (OEMs), where you can download the appropriate USB driver for your device.
developer.android.com
and download the appropriate USB driver for your system and retry the above directions.
First thing we have to do is unlock the bootloader.
On the PC, open a command prompt and change directory to "C:\platform-tools" as discussed above.
Now, type in "adb reboot bootloader". The phone will reboot into bootloader. (you may receive a dialog on the phone which says something to the effect of not recognizing the PC. Go ahead and allow it, check the box to allow it in the future, and proceed.
Phone is now at the bootloader, and shows you some info letting you know it's so, including that the bootloader is locked. Also, look at the Device Manager we opened earlier and confirm that you see Android ADB Device (or similar) which confirms your PC recognizes the phone and setup for ADB commands .
To unlock the bootloader, in the command prompt type:
fastboot flashing unlock
This will unlock the bootloader, you will likely see a warning that it's going to wipe the phone. Proceed and allow the unlock. The phone will then reboot and take you to your wiped phone just as you received it out of the box, except the bootloader is now unlocked and Developer Options are still available. Let the phone continue through it's first-time setup, and leave the phone plugged into the PC. If you unplugged no biggie, but we're going right back to the PC shortly and it will need to be plugged back in before the next step to accept the file we're going to push to it.
Now, you want to open a browser on the phone and go to (at the time of this writing, v23.0 is the current stable Magisk):
Release Magisk v23.0 · topjohnwu/Magisk
This release is focused on fixing regressions and bugs. Note: Magisk v22 is the last major version to support Jellybean and Kitkat. Magisk v23 only supports Android 5.0 and higher. Bug Fixes [App]...
github.com
Scroll down and under "Assets" select that Magisk 23.apk file, download and install it. Open Magisk if it doesn't open on install, and just let it sit, we're coming back to it shortly.
PATCHING THE BOOT.IMG FILE
On the PC, go back to the Factory Image you downloaded, and extract it to a temporary directory. You will see 6 files; a few "flash-all" files, a radio image, a bootloader image, and a ZIP file called "image-barbet-XXXXXXXXXXX.zip (the xxx's are whatever the version number is you've downloaded). Double click that ZIP file and you will see a dozen files. The one we need to root the device is "boot.img".
Copy (don't move!!) this file to c:\platform-tools. Now, go back to your command prompt (still pointing to c:\platform-tools) and type in:
adb push boot.img /sdcard/Download
Now back on the phone, within the Magisk app we left open, at the top where it says Magisk, choose to install. A dialog box will open, select Patch Boot File Image. Point the process to your /sdcard/Download, and select the boot.img file we just pushed there. Now allow it to patch the boot.img and Magisk will show you it's patching it, and in a moment tell you it was successful. Close the Magisk app, open "Files" and direct it to sdcard/Download. Note the name of the patched boot file, which is called "magisk_patched-XXXXX_xxxxx.img (the X's are the Magisk version, and the x's are 5 random chars). Feel free to leave it there as you go back to the PC...
Back on the PC, in the command prompt, now type:
adb pull /sdcard/Download/magisk_patched-XXXXX_xxxxx.img
make certain you get the name exact or it won't go, no worries, just get it correct. The file now resides in the "c:\platform-tools" directory along with the unpatched "boot.img" and your ADB+Fastboot tools.
Just about done rooting, here we go!
Now, in the command prompt type:
adb reboot bootloader
The phone reboots into bootloader. Now type:
fastboot flash boot magisk_patched-XXXXX_xxxxx.img (again, use the numbers and letters in YOUR patched file!)
Lastly, type:
fastboot reboot
Your phone reboots, and you should be rooted!! Unplug your phone from the PC, open up Magisk App and confirm, the Magisk entry at the top of the main Magisk App screen should now show you the version you installed, etc!
Time to get your banking apps (and any others that may detect unlocked bootloaders/root/etc) working!
In the Magisk App, on the bottom of the screen is a 4 item menu bar. Select the right-most icon, which is "Modules". At the top of the screen select "sorting order" and sort alphabetically. Scroll down to "riru" and select the module that is JUST "RIRU", (not any of the other "riru _______" modules). Choose to download it, then choose to install it. You'll be prompted to reboot the phone, so reboot the phone.
Next, we're going to install drag0n's Universal SafetyNet fix (at the time of this writing it's currently v 2.1.1) You will need to download this via a browser on your phone, so open a web browser and go to:
GitHub - kdrag0n/safetynet-fix: Google SafetyNet attestation workarounds for Magisk
Google SafetyNet attestation workarounds for Magisk - GitHub - kdrag0n/safetynet-fix: Google SafetyNet attestation workarounds for Magisk
github.com
On the right-hand side, you'll find "Releases", and v2.1.1 is the latest. Select that, then scroll down to "Assets" and download "safetynet-fix-v2.1.1.zip" By default this will download to sdcard/Download.
Go back into the Magisk App, select the "Modules" menu as above, and at the very top select the "Install from Storage" bar. Point to the file we just downloaded and install it (don't extract it, etc, it requires the zip exactly as downloaded and will do it's thing). Again, it will install the module and prompt you to reboot. Reboot.
Almost there!
At this point, if you havent installed your banking apps, do so. DON'T RUN THEM, just install them. I also have a Nintendo Switch Online app which failed because of root, so if you also have or want this app, install it now, again, do NOT run it yet, just install. Same with any other apps you are aware which have root/bootloader unlocked issues, get them installed, but don't run 'em.
Now, we're going to use MagiskHide to hide these apps and complete the process for passing SafetyNet and running apps which may not run due to root.
in the Magisk App, at that 4 item menu bar at the bottom, select the 2nd from left, or "MagiskHide". Select the MagiskHide item and it will open to a scan of all the apps on your system. By default I believe Magisk sets up to hide Google Play Services. You will see it selected, and all the other apps on your system unselected. Select each of the banking apps, the Nintendo Switch Online (if you have it), and any other apps that YOU ARE SURE will complain about unlocked bootloaders and/or root. Any onilne gaming that's popular are good choices, but again, it's easiest to NOT RUN them PRIOR to hiding them via MagiskHide. Pokemon GO comes to mind as one I've seen that needs hiding, etc, so make it easy on yourself and do a little research on any suspect apps prior to running them, then hide them if needed.
Anyhow, select your banking apps to hide them.
Now, we're going to check SafetyNet to make sure youll now pass.
On the Home menu in the Magisk App, select "Check SafetyNet". You will be prompted to download some proprietary SafetyNet shhhhhhhtuff....so let it download. Once done, SafetyNet check will open, and you should show a blue screen which says SUCCESS, and "basicintegrity" and "ctsProfile" will be checkmarked, evalType will show BASIC.
You're good to go, rooted, SafetyNet works perfect, and you can now open your banking apps and should open right up!!
If you find any specific issues about specific apps not working, or detecting root, etc, the best place to get help is in the Magisk General Discussion forum:
Magisk General Support / Discussion
This is the place for general support and discussion regarding "Public Releases", which includes both stable and beta releases. All information, including troubleshoot guides and notes, are in the Announcement Thread
forum.xda-developers.com
I owe those folks eternally for showing me what I know, and always having the answers for any issues I've ever had. Some of the nicest, smartest people Ive had the pleasure of knowing, they're always helpful, and even maintain fantastic sites for FAQ and chock full of great info about every aspect of Magisk.
BONUS ITEM: As I indicated above, I'd share the method I know, trust, and have used many many times, trouble free, to apply a system update to the phone without overwriting anything, and not hitting any issues many encounter using the OTA method (though I understand that's been vastly improved, I haven't educated myself as to that process and will likely continue to use this method).
Security Update (monthlies) Process using Full System Image
As above, download the newest Full Factory Image from the site. Extract this full image to a directory inside C:\platform-tools
In this directory, if you're on Windows, open the "flash-all.bat" file (don't run it, open it with Notepad or something similar, I really like Notepad++ as it's free, has a LOT of great functionality and, like the native Notepad, doesn't do any goofy formatting/fonting/etc when modifying and saving a file.)
In flash-all.bat, look for the "-w" entry in the fastboot command near the end of the file and REMOVE ONLY THE "-w", leaving the line correctly formatted (don't leave an extra space or something goofy), then save the file over the top of the original with the same name. This will remove the overwriting of your data when pushing the image, the "-w" tells the process to overwrite, so we remove it.
Open up a Windows Explorer and go to your c:\platform-tools directory. Delete (or move to another location) any "boot.img" files along with any "magisk_patched-XXXXX_xxxxx.img" files from previous operations. Also note and confirm that you have correctly extracted the latest Full System Image to it's own directory, residing in c:\platform-tools.
Now, connect your phone to the PC. Open your command prompt and point to "C:\platform-tools" again. Type: cd <name of Full system Image directory>
In command prompt, type:
adb reboot bootloader
The phone is now in bootloader. In command prompt, confirm you're pointing to "C:\platform-tools\<Full System Image extract dir>" Type:
flash-all
This will do a full factory image push to your phone, you'll see a couple quick writes and phone reboots, then begins writing the rest of the image to your phone, but since we removed the "-w" from "flash-all.bat", it's NOT overwriting your data, just the necessary system files to update it to the latest version!
Reboot your phone, let it do any optimizing and updating it needs to do, and don't run anything yet, we're not quite done, just let the phone settle in and finish booting and doing it's thing.
Now, go back and perform the steps above listed under "PATCHING THE BOOT.IMG FILE" to patch the newest boot.img from the Full System Image we just updated the phone with (push the boot.img to sdcard/Download, patch with Magisk App, pull magisk_patched-XXXXX_xxxxx.img to your PC, blast it back using fastboot), and you've now rerooted the phone.
Lemme just say again that I know this was a friggin' book, and I tried to make it as clear and plain language as I could to help even a first timer, so my apologies if it seems like an onerous process. It's really not, and once you've done this once or twice, it's a cakewalk and takes about 10 minutes of your time from start to finish to do the whole system update and reroot. Again, the newer methods to take OTA without losing root may be something you'd like to look into, i definitely will, but I'm very confident in sharing this method as I know it works like a champ and is foolproof if you take your time the first few times and make sure you do what's required (remove the "-w" from the flash-all.bat, etc)
Lastly, I've been using this method since the Pixel 2, and just performed it on my new 5a, it worked exactly as it has for years for me on the P2, so you can be confident moving forward that, if you follow instructions and take your time until it's all familiar, you'll be successful in rooting, passing SafetyNet, and applying system updates without screwing up the A/B slots or overwriting your data in the process.
I hope this helps even one person, and since I rarely find myself able to give back to the community in any real meaningful way (many of these folks are WAAAY beyond my modest skills and know so much!!), I hope that this provides some folks with a useful and meaningful tutorial, providing confidence that anyone can root their P5a (or about any Pixel it seems) without being a Magisk/Android prodigy.
@Didgeridoohan, @pndwal, @zgfg, @jcmm11, and so many others over the years have been so helpful, I couldn't have done any of this without their selfless help, so give those folks a big thanks also if this is any help to you.
Best of luck,
hfam

Thanks for the write-up @hfam, it's good to know that some of the steps that i tried aren't really necessary, like using props config or hiding the actual magisk app.
Appreciate you!

nsoult said:
Thanks for the write-up @hfam, it's good to know that some of the steps that i tried aren't really necessary, like using props config or hiding the actual magisk app.
Appreciate you!
Click to expand...
Click to collapse
Awww, thanks! Glad to do it and really hope it helps some folks tackle rooting their phones and passing SN!

Rooted with magisk v.23 - flashed zip as a module

So has anyone installed the October update yet?

GrandAdmiral said:
So has anyone installed the October update yet?
Click to expand...
Click to collapse
Yep, good to go. I used the same method I shared above.

Is this working with Android 12? Which Magisk version to use?

This method did not work for Android 12. I updated my rooted phone to android 12 OTA. It returned to stock. I followed the method above to patch the factory boot.img file with magisk. After flashing my phone in bootloader with the patched boot.img, my phone will not reboot. says:
failed to load/verify boot images
Any advice? My Magisk is v23. Do I need to use a beta version?

Poking around in this thread, it seems that android 12 root is a much more involved process, requiring factory wipe and additional steps.
[Guide] Flash Magisk on Android 12
Trying to root the Pixel 5 running Android 12 by flashing a magisk-patched boot image results in the phone only booting to fastboot mode ("failed to load/verify boot images") Some users have reported that booting (instead of flashing) the patched...
forum.xda-developers.com

tintn00+xda said:
This method did not work for Android 12. I updated my rooted phone to android 12 OTA. It returned to stock. I followed the method above to patch the factory boot.img file with magisk. After flashing my phone in bootloader with the patched boot.img, my phone will not reboot. says:
failed to load/verify boot images
Any advice? My Magisk is v23. Do I need to use a beta version?
Click to expand...
Click to collapse
As you stated, you are correct. You need to perform a full wipe or flash the factory image with a wipe and then root works fine and phone boots. Tried myself and works fine.

request rejected, no prompt to grant access

heeeeey!
old magisk user, it was working like a charm on my galaxy s20, but lately something broke!
I have installed Magisk version 97b72a59 (20419)
and magisk manager version 8.0.7 (4834)
When I open an app that requires root access, nothing happens, and after a while, i get the toast message that denied superuser rights.
11-16 21:36:12.620 5867 27034 D Magisk : su: request from pid=[27031], client=[9]
11-16 21:36:12.620 5867 27034 D Magisk : su: request from uid=[10452]
11-16 21:36:12.620 5867 27034 D Magisk : magiskdb: query magiskhide=[0]
11-16 21:36:12.620 5867 27034 D Magisk : magiskdb: query su_fingerprint=[0]
11-16 21:36:20.462 5867 25942 W Magisk : su: request rejected (10452)
11-16 21:36:20.462 5867 25942 E Magisk : write failed with 32: Broken pipe
Click to expand...
Click to collapse
i have seen that it happens a lot, but there isn't any solution on these threads!
any suggestions?
thank you in advance for your help!

Go to magisk manager and manually grant root permission to that app in question

miravision said:
Go to magisk manager and manually grant root permission to that app in question
Click to expand...
Click to collapse
thank you for your reply!
on this page, on magisk manager app, I get the message "no app has asked for superuser permission yet"!

Install root checker app and check if it prompts you for root access, else magisk is configured to always reject root access in magisk settings

miravision said:
Install root checker app and check if it prompts you for root access, else magisk is configured to always reject root access in magisk settings
Click to expand...
Click to collapse
As expected, root checker app reports "Sorry! Root access is not properly installed on this device."
On magisk manager settings, i have set "automatic response" to "grant" instead of "prompt" but nothing changed.
any other options?

Unroot and reinstall latest magisk

miravision said:
Unroot and reinstall latest magisk
Click to expand...
Click to collapse
that's my last resort.
I am trying to repair it, rather than uninstalling and installing it again...

@sakis_the_fraud You see that broken pipe in your log? That suggests you're seeing an issue that was present in builds around v21 and fixed in v21.4.
I suggest you update to a more recent Magisk release instead of trying to troubleshoot further...

Didgeridoohan said:
@sakis_the_fraud You see that broken pipe in your log? That suggests you're seeing an issue that was present in builds around v21 and fixed in v21.4.
I suggest you update to a more recent Magisk release instead of trying to troubleshoot further...
Click to expand...
Click to collapse
thank you for your reply!
The reality is that I'm trying not to mess a lot with these just to be safe!
OK so If I got it correctly, i should do these steps:
select uninstall from magisk manager app,
reboot
and then "Patch the boot (Kernel) image via Magisk" as described in Stage 6 of the link?
any precautions and measures that i should take in order to avoid or minimize failure?

sakis_the_fraud said:
thank you for your reply!
The reality is that I'm trying not to mess a lot with these just to be safe!
OK so If I got it correctly, i should do these steps:
select uninstall from magisk manager app,
reboot
and then "Patch the boot (Kernel) image via Magisk" as described in Stage 6 of the link?
any precautions and measures that i should take in order to avoid or minimize failure?
Click to expand...
Click to collapse
No matter how you choose to update, there's always a risk of failure. Only way to minimise any damages is to make sure you have a backup of any important data before updating.
You should be able to do a direct update in the Magisk app (but since you're jumping a few versions it's a very good idea to have that backup ready). Only thing to mind is that the update to v22+ requires you to not have the Magisk app repackaged with a random name, so make sure you've restored that before updating. This should be the easiest way of doing things...
If you're on the Canary channel (since you have a Canary release installed now), keep in mind that the current Canary (23014) has some major changes from previous Magisk versions. The Hide list has been replaced with a Deny list and there's now a new feature: Zygisk (it's very similar to Riru, if you know that that is). If you're not ready for those kind of changes yet, make sure to be on the stable update channel...
If you don't want to do a direct update the linked guide should work.

Didgeridoohan said:
No matter how you choose to update, there's always a risk of failure. Only way to minimise any damages is to make sure you have a backup of any important data before updating.
You should be able to do a direct update in the Magisk app (but since you're jumping a few versions it's a very good idea to have that backup ready). Only thing to mind is that the update to v22+ requires you to not have the Magisk app repackaged with a random name, so make sure you've restored that before updating. This should be the easiest way of doing things...
If you're on the Canary channel (since you have a Canary release installed now), keep in mind that the current Canary (23014) has some major changes from previous Magisk versions. The Hide list has been replaced with a Deny list and there's now a new feature: Zygisk (it's very similar to Riru, if you know that that is). If you're not ready for those kind of changes yet, make sure to be on the stable update channel...
If you don't want to do a direct update the linked guide should work.
Click to expand...
Click to collapse
Ohhhh I see!
There are major changes listed on the changelog...
I found the "magisk_patched.tar" that I have used on my initial installation, do you believe that if i could flash it will solve this problem?
It's clear that I don't want the latest, i want the one working with minimal risk because I found out that i haven't installed TWRP at all

sakis_the_fraud said:
Ohhhh I see!
There are major changes listed on the changelog...
I found the "magisk_patched.tar" that I have used on my initial installation, do you believe that if i could flash it will solve this problem?
It's clear that I don't want the latest, i want the one working with minimal risk because I found out that i haven't installed TWRP at all
Click to expand...
Click to collapse
If that patched file is from an earlier release of Magisk, and you want to use that version, it's probably best to uninstall Magisk and flash that.
If you want a newer release you can either just choose the stable update channel and do a direct update to v22.1 (you'll be able to update to v23 after that), or you can download the v21.4 zip from GitHub and install that zip from the module section of the Magisk app.
You've got many options. Only you can decide what's best for you...

Didgeridoohan said:
If that patched file is from an earlier release of Magisk, and you want to use that version, it's probably best to uninstall Magisk and flash that.
If you want a newer release you can either just choose the stable update channel and do a direct update to v22.1 (you'll be able to update to v23 after that), or you can download the v21.4 zip from GitHub and install that zip from the module section of the Magisk app.
Click to expand...
Click to collapse
thank you for your help so far!
When i select uninstall i get two options "restore images" and "complete uninstall" what should i choose in order to keep my data?
If i go with the direct update to v22.1, then will i have to flash something? this is "safer"?

sakis_the_fraud said:
thank you for your help so far!
When i select uninstall i get two options "restore images" and "complete uninstall" what should i choose in order to keep my data?
If i go with the direct update to v22.1, then will i have to flash something? this is "safer"?
Click to expand...
Click to collapse
No worries.
To avoid incompatibilities between different Magisk versions you'd have to do a complete uninstall. If you do the direct update you don't have to do anything else then pick "Update" in the Magisk app and then "Direct install".
To say if one or the other is safer is hard to say since there quite a few variables that come into play. Doing an uninstall might cause issues if you've previously disabled encryption, as an example. On the other hand there might also be issues when doing a direct install.
Personally I would go for a direct install, but make sure that I have my firmware's/ROM's unpatched boot image at hand so I can install that and get my device up and running again without any further damage (hopefully). Magisk only alerts the boot image (or in some cases recovery image), which makes it very safe and easy to revert if there are problems. You rarely end up with an irreparable loss unless you start trying to fix stuff without actually knowing what you're doing.

Didgeridoohan said:
Personally I would go for a direct install, but make sure that I have my firmware's/ROM's unpatched boot image at hand so I can install that and get my device up and running again without any further damage (hopefully). Magisk only alerts the boot image (or in some cases recovery image), which makes it very safe and easy to revert if there are problems. You rarely end up with an irreparable loss unless you start trying to fix stuff without actually knowing what you're doing.
Click to expand...
Click to collapse
I made it!
I finally went with direct install as it appears to be less disruptive, first it updated the app, then I selected "direct install (recommended)". Afterwards it started to patch ramdisk, repacked and flashed the image. One reboot later and the root status is back! I really missed my adblock!!!
thank you for your help!