Related
Hi
I've search the forums but apart from finding several people with the same issue, i didn't find anything useful.
I'm running LOS14.1 on a OP3 with latest Magisk. Safetynet passes but the MS Intune company portal seems to be detecting that the device is rooted. Turning off root however is not fixing this. Any idea on how it detects this or are there solutions via Magisk for dealing with this (or other solutions off course).
Regards
Mrhubris
mrhubris said:
Hi
I've search the forums but apart from finding several people with the same issue, i didn't find anything useful.
I'm running LOS14.1 on a OP3 with latest Magisk. Safetynet passes but the MS Intune company portal seems to be detecting that the device is rooted. Turning off root however is not fixing this. Any idea on how it detects this or are there solutions via Magisk for dealing with this (or other solutions off course).
Regards
Mrhubris
Click to expand...
Click to collapse
I am on stock Lollipop rooted using Magisk 11.6. Outlook wouldn't start for me even though magisk hide was enabled and safetynet passed. I used the Tasker app to get around the root check with the with the following tasks:
Launch App (Outlook)
Run Shell command:
su
chmod 0754 /data/magisk
sleep 25
chmod 0755 /data/magisk
This launches the outlook app and changes the permissions of the magisk folder for 25 seconds so that when it does the root check after I input my pin everything checks out. After 25 seconds it restores the permissions to what they were, and root continues to work. I exported this as an app (long hold on task, click menu in upper right and export as app) and it seems to work like a charm.
I tried changing permissions on the individual files in the /system/data/magisk folder, but that didn't work. changing the permissions on the whole /system/data/magisk directory to 0754 seems to do the trick.
You can also use a root file manager to change the permissions, but you have to be careful because if the file browser loses its root privilege before changing the permissions back, you will lose your root capabilities until rebooting into TWRP recovery to do a chmod 0755 on the magisk folder. It's more inconvenient than having tasker do it, but it works.
Hope this helps somewhat.
The only issue I'm having is that tasker seems to be a paid app. I'm not willing to pay money if I'm not sure it works.
This is why asked the question. In the other threads I read it was clear that this is not always working so I asked the question in here specifically for magisk.
Regards
Mrhubris
mrhubris said:
The only issue I'm having is that tasker seems to be a paid app. I'm not willing to pay money if I'm not sure it works.
This is why asked the question. In the other threads I read it was clear that this is not always working so I asked the question in here specifically for magisk.
Regards
Mrhubris
Click to expand...
Click to collapse
Tasker is definitely worth it! If you're worried you can try by doing the chmod manually first.
@dizzybrow
Thank you! Purchased Tasker just to do this and it worked!
dizzybrow said:
I am on stock Lollipop rooted using Magisk 11.6. Outlook wouldn't start for me even though magisk hide was enabled and safetynet passed. I used the Tasker app to get around the root check with the with the following tasks:
Launch App (Outlook)
Run Shell command:
su
chmod 0754 /data/magisk
sleep 25
chmod 0755 /data/magisk
This launches the outlook app and changes the permissions of the magisk folder for 25 seconds so that when it does the root check after I input my pin everything checks out. After 25 seconds it restores the permissions to what they were, and root continues to work. I exported this as an app (long hold on task, click menu in upper right and export as app) and it seems to work like a charm.
I tried changing permissions on the individual files in the /system/data/magisk folder, but that didn't work. changing the permissions on the whole /system/data/magisk directory to 0754 seems to do the trick.
You can also use a root file manager to change the permissions, but you have to be careful because if the file browser loses its root privilege before changing the permissions back, you will lose your root capabilities until rebooting into TWRP recovery to do a chmod 0755 on the magisk folder. It's more inconvenient than having tasker do it, but it works.
Hope this helps somewhat.
Click to expand...
Click to collapse
I can use Outlook app without Magisk Hide, I don't understand why you need do that.
Deic said:
I can use Outlook app without Magisk Hide, I don't understand why you need do that.
Click to expand...
Click to collapse
Each company has different policies. Also some don't use intune (maybe that's you).
Time for another update.
The problem is not necessarly the oulook app. It's the Intune Company Portal that's closing everything up. Is there a way around this?
From my experience it even trips on unsigned custom roms. Currently Paranoid Android is the only one not giving me problems.
as far as i can tell it detects:
- signed / Un-signed
- root (the binaries itself). Disabling root results in the exact same error notification
If magisk.hide is enabled for the app, there is no way it will detect the root binaries.
Detection could be due to the build props .. ones such as
ro.build.tags=release-keys
ro.build.type=user
Have you tried setting the above build.prop properties to the value mentioned above. These are not set like this for custom roms.
You may try the attached magisk module to set these.
Changing these build props is not working.
Root beer sample is still detecting dangerous props and safetynet is also triggering.
mrhubris said:
Changing these build props is not working.
Root beer sample is still detecting dangerous props and safetynet is also triggering.
Click to expand...
Click to collapse
Then you have some other issue. Both, root bear and safteynet should pass easily with magisk on custom roms.
candiesdoodle said:
Then you have some other issue. Both, root bear and safteynet should pass easily with magisk on custom roms.
Click to expand...
Click to collapse
Intune is just detecting specific aspects and the company i work for says that in those cases no configuration (of email for example) is allowed to happen.
But i've got no clue as to what it is detecting.
If i run Paranoid Android as a ROM it is possible. If i switch to LineageOS or Resurrection it's not.
Somehow the setup of these ROM's differs in a way to MS Intune trips or not. Is it possible to figure this out in some way?
I having same problems too but with onedrive, atm at work we are testing intune and now it would not let me use onedrive as the intune app detects root...
It could be detecting apps that require root as a secondary check, do you have anything like root explorer , Titanium backup etc ?
Sent from my ONEPLUS A5000 using Tapatalk
For me, It's detecting something in sbin even though magisk unmounts it. If I remove read or execute permissions from sbin then Company Portal and all associated apps launch just fine. Of course nothing that needs root works anymore since without those permissions nothing can access su or anything else needed for root.
Sent from my Nexus 6 using Tapatalk
i found out @dizzybrow fix works in magisk 11.6 but not 13 (didn't try 12). i'm staying on 11.6 just for this reason.
Any better ways to fix this problem?
illwafer said:
i found out @dizzybrow fix works in magisk 11.6 but not 13 (didn't try 12). i'm staying on 11.6 just for this reason.
Click to expand...
Click to collapse
So you are using Magisk Hide on 11.6 and Intune is not detecting root? I tried that and it didn't work for me.
Anyone else have any ideas?
Are you using Tasker with the variables provided by dizzybrow? If so, it should work with 11.6 (safetynet still fails).
illwafer said:
Are you using Tasker with the variables provided by dizzybrow? If so, it should work with 11.6 (safetynet still fails).
Click to expand...
Click to collapse
I am trying to, but I am not all that familiar with Tasker, so apparently I am doing something wrong. I would appreciate any assistance as far as setting it up correctly.
suhide-lite is an experimental (and officially unsupported) mod for SuperSU that can selectively hide root (the su binary) from other applications. It can also toggle visibility of packages (such as SuperSU).
SafetyNet verified passing on 2017.08.10.
This is ultimately a losing game (see the next post). suhide may stop working at any time.
Requirements
- SuperSU v2.82 SR2 or newer (link)
- SuperSU installed in SBIN mode (default on O+)
- Android 6.0 or newer
- TWRP (3.0.2 or newer with access to /data), FlashFire is not (yet) supported.
Xposed
Not supported.
CyanogenMod/LineageOS
Not currently tested or supported. Might work, might not.
Custom kernels/ROMs
If they changed build props, they will probably fail SafetyNet check (for now).
Installation
First make sure you are using SuperSU in SBIN mode on Android 6.x and 7.x
- Boot into TWRP
--- adb shell: echo "BINDSBIN=true">/data/.supersu
--- OR: flash SuperSU Config and select Systemless SBIN mode
- Reflash SuperSU v2.82 SR2 or newer
- Reboot into Android at least once
With SuperSU in SBIN mode
- Flash the suhide ZIP in TWRP
- Reboot into Android
If your TWRP does not fully decrypt /data, reflashing the SuperSU ZIP and immediately flashing the suhide ZIP without rebooting in between may sometimes allow suhide to be installed as well where it would otherwise throw an error.
Usage
The suhide GUI available from your app drawer should be fairly self-explanatory. The About tab lists further instructions.
Advanced usage
You can manually add/remove/list entries to suhide's blacklist by using these commands:
/sbin/supersu/suhide/add UID-or-processname
/sbin/supersu/suhide/rm UID-or-processname
/sbin/supersu/suhide/list
App package names are usually the same as the process name, but not always. Using the UID is safer. You can find the UID by running 'ps -n' (6.x/7.x) or 'ps -An' (8.x). The UID is the first column, and is a 5-digit number starting with 10: 10xxx.
Uninstall
Remove /data/adb/su/suhide folder in TWRP's file manager. You can uninstall the suhide app through Android's settings.
Download
UPDATE-suhide-v1.09-20171001222116.zip
In case that bootloops, try the old v1.00 version, and let me know your device and firmware:
UPDATE-suhide-v1.00-20170809130405.zip
Sauce @ https://github.com/Chainfire/suhide-lite
Hiding root: a losing game - rant du jour
Quoting myself from the OP of the old suhide thread:
Chainfire said:
Most apps that detect root fall into the payment, banking/investing, corporate security, or (anit cheating) gaming category.
While a lot of apps have their custom root detection routines, with the introduction of SafetyNet the situation for power users has become worse, as developers of those apps can now use a single API to check if the device is not obviously compromised.
SafetyNet is of course developed by Google, which means they can do some tricks that others may not be able to easily do, as they have better platform access and control. In its current incarnation, ultimately the detection routines still run as an unprivileged user and do not yet use information from expected-to-be-secure components such as the bootloader or TPM. In other words, even though they have slightly more access than a 3rd party app, they still have less access than a root app does.
Following from this is that as long as there is someone who is willing to put in the time and effort - and this can become very complex and time consuming very quickly - and SafetyNet keeps their detection routines in the same class, there will in theory always be a way to beat these detections.
While reading that may initially make some of you rejoice, this is in truth a bad thing. As an Android security engineer in Google's employ has stated, they need to "make sure that Android Pay is running on a device that has a well documented set of API’s and a well understood security model".
The problem is that with a rooted device, it is ultimately not possible to guarantee said security model with the current class of SafetyNet tamper detection routines. The cat and mouse game currently being played out - SafetyNet detecting root, someone bypassing it, SafetyNet detecting it again, repeat - only serves to emphasize this point. The more we push this, the more obvious this becomes to all players involved, and the quicker SafetyNet (and similar solutions) will grow beyond their current limitations.
Ultimately, information will be provided and verified by bootloaders/TrustZone/SecureBoot/TIMA/TEE/TPM etc. (Samsung is already doing this with their KNOX/TIMA solutions). Parts of the device we cannot easily reach or patch, and thus there will come a time when these detection bypasses may no longer viable. This will happen regardless of our efforts, as you can be sure malware authors are working on this as well. What we power-users do may well influence the time-frame, however. If a bypass attains critical mass, it will be patched quickly.
More security requires more locking down. Ultimately these security features are about money - unbelievably large amounts of money. This while our precious unlocked bootloaders and root solutions are more of a developer and enthusiast thing. While we're all generally fond of shaking our fists at the likes of Google, Samsung, HTC, etc, it should be noted that there are people in all these companies actively lobbying to keep unlocked/unlockable devices available for us to play with, with the only limitation being that some financial/corporate stuff may not work if we play too hard.
It would be much easier (and safer from their perspective) for all these parties to simply plug that hole and fully lock down the platform (beyond 3rd party apps using only the normal APIs). Bypassing root checks en masse is nothing less than poking the bear.
Nevertheless, users want to hide their roots (so do malware authors...) and at least this implementation of suhide is a simple one. I still think it's a bad idea to do it. Then again, I think it's a bad idea to do anything financial related on Android smartphone that isn't completely clean, but that's just me.
Note that I have intentionally left out any debate on whether SafetyNet/AndroidPay/etc need to be this perfectly secure (most people do their banking on virus ridden Windows installations after all), who should get to decide which risk is worth taking, or even if Google and cohorts would be able to design the systems more robustly so the main app processor would not need to be trusted at all. (the latter could be done for Android Pay, but wouldn't necessarily solve anything for Random Banking App). While those are very interesting discussion points, ultimately it is Google who decides how they want this system to work, regardless of our opinions on the matter - and they want to secure it.
Click to expand...
Click to collapse
I still stand behind this statement I made a year ago.
I will add to this another concern that I've posted before: on the A/B layout devices such as the Google Pixel (XL), it is possible to detect the device is rooted with a handful of lines of code, and I do not see any way to beat this detection aside from custom kernels. As soon as this detection is added to SafetyNet, it is pretty much game over. Frankly I'm surprised it hasn't been added yet.
The new suhide-lite vs the old suhide
The old suhide was completely different under the hood. It proxied zygote and created two different process trees for the real zygote and descendants (apps), one with root and one without, and multiplexed app instantiation calls between them. The new suhide-lite uses a completely different mechanism to achieve a similar outcome (some apps with and some apps without root).
One thing the old suhide had and the new suhide-lite version does not, is full binder interception. It could listen to and change most API calls and responses between apps and the Android system dynamically. While this may not sound like a big deal to some, from a malware-perspective this is almost a holy-grail class hack. suhide only used it to hide application packages (such as SuperSU) from apps selectively, so for example the launcher could still find it, but to some games it was completely invisible.
The binder interception code was the part that really interested me and the desire to get that working was the driving force behind the old suhide implementation. The security measures in Android's November 2016 security update blocked the old mechanism and with it the binder interceptor. Of course, I have actually written the code to bypass those (naive) protections in turn, but since that implementation of suhide was possible to detect in other ways, I kept that patch private. It may still prove useful in other projects, so it didn't make any sense to burn those work-arounds.
It may be possible to port the interceptor to the new mechanism, but it would be a lot of work and I don't think I'll be doing it any time soon, if ever. The lack of this intercepter is what makes the new suhide lite. The new suhide is able to hide packages such as SuperSU from other apps and games, but it does so via a toggle mechanism (3x alternating volup/voldown) that hides and unhides them, rather than handling the whole thing transparently.
Changelogs
2017.10.01 - v1.09
- Remove ODM and OEM mounts
- Setpropex: set multiple properties
- Cleanup: remove /boot
2017.08.15 - v1.08
- Fix a process freeze issue
- Fix framework restart survival (stop && start)
- Fix double free crash
2017.08.11 - v1.07
- Startup: Fix parallelism
2017.08.10 - v1.06
- Startup: Disable parallelism (temporary?), causes things to break sometimes
2017.08.10 - v1.05
- GUI: Synchronize changing items with the same UID
- GUI: Hide system apps (UID < 10000)
- GUI: Fix UID / package display line to ellipsize instead of wrap
- Properties: Adjust various build, adb, debug and security properties
- Startup: Improve performance by running operations in parallel
- ZIP: Allow flashing directly after SuperSU switch from image to SBIN mode, without reboot in between
2017.08.09 - v1.00
- Initial release of new code
- For old code, see https://forum.xda-developers.com/apps/supersu/suhide-t3450396
FIRST! new suhide yay. My 6p is currently running N 7.1.2. STOCK ANDROID, NO customisation whatsoever. Will 2.82 SR2 automatically update the root to sbin mode? If yes is the echo command still needed then?
Sent from my Nexus 6P with Tapatalk
Ch3vr0n said:
FIRST! new suhide yay. My 6p is currently running N 7.1.2. will 2.82 SR2 automatically update the root to sbin mode? If yes is the echo command still needed then?
Sent from my Nexus 6P with Tapatalk
Click to expand...
Click to collapse
Sbin mode is only activated by default on O (as per OP). Everything else requires the echo command.
Cool. I was avoiding using Magisk so far and was without root to be able to use certain apps like Netflix. I have a Pixel XL. Will SuperSU 2.82 SR2 alongwith suhide-lite work on my phone? Will I have to give the commands in TWRP as given in op? I intend to flash August security patch and try this during that update process. Currently I am stock (no root) with ElementalX kernel which I intend to continue using to be able to hide bootloader unlocked status.
Wow.. this works!
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Shamusent
@Chainfire
hi,
maybe you can do something about this :crying:
i'm on nougat 7.1.2 (July security patch) been trying for long time to get this to work on citrix secure hub (by zenprise- formally known as worx)
attaching my logs and pics.
this is what i found from the logs attached:
Code:
"com.citrix.work.MAM.PolicyCheck:Found an APK requiring rooted device: eu.chainfire.supersu"
"com.citrix.work.MAM.PolicyCheck:BuildTag Test advisory ----- > is probably rooted"
SuperUser APKs Test advisory ---- > is probably rooted
the only one thing it didnt find:
Code:
D/"SecureHub"(16939): su In Path Test --- > is NOT rooted
i manged to pass safety net as you can see.
please if you can help.
Hi all and Chainfire. Thank you for this app! I tested it with a search if the Netflix app in the Playstore, but it wasn't found. I hided Playstore app in the list. Is there something I have overseen?
Otherwise I am also passing Safety Net. Thank you Chainfire!
rocky78 said:
@Chainfire
hi,
maybe you can do something about this :crying:
i'm on nougat 7.1.2 (July security patch) been trying for long time to get this to work on citrix secure hub (by zenprise- formally known as worx)
attaching my logs and pics.
this is what i found from the logs attached:
Code:
"com.citrix.work.MAM.PolicyCheck:Found an APK requiring rooted device: eu.chainfire.supersu"
"com.citrix.work.MAM.PolicyCheck:BuildTag Test advisory ----- > is probably rooted"
SuperUser APKs Test advisory ---- > is probably rooted
the only one thing it didnt find:
Code:
D/"SecureHub"(16939): su In Path Test --- > is NOT rooted
i manged to pass safety net as you can see.
please if you can help.
Click to expand...
Click to collapse
Does citrix secure hub run constantly in the background, or do you just need it now and then ?
Have you read the instructions in the About screen as stated ?
Have you tried hiding the SuperSU GUI ? (3x volup/voldown alternate) Because that is what it's detecting.
It's not detecting the su binary, I assume you already hid root from the hub ?
TR2N said:
Hi all and Chainfire. Thank you for this app! I tested it with a search if the Netflix app in the Playstore, but it wasn't found. I hided Playstore app in the list. Is there something I have overseen?
Otherwise I am also passing Safety Net. Thank you Chainfire!
Click to expand...
Click to collapse
Try clear Google Play Store and Google Play Services app data.
Netflix shows for me on a freshly installed device.
Chainfire said:
Does citrix secure hub run constantly in the background, or do you just need it now and then ?
Have you read the instructions in the About screen as stated ?
Have you tried hiding the SuperSU GUI ? (3x volup/voldown alternate) Because that is what it's detecting.
It's not detecting the su binary, I assume you already hid root from the hub ?
Click to expand...
Click to collapse
1. i can use it how ever i want (background or now and then). this is an email from my company.
2. yes. tried that.
3. yes i did. i attached a pic for you to see in the previous replay.
rocky78 said:
1. i can use it how ever i want (background or now and then). this is an email from my company.
2. yes. tried that.
3. yes i did. i attached a pic for you to see in the previous replay.
Click to expand...
Click to collapse
But is SuperSU still available from the app drawer? Did you actually press the volume button as instructed? The screenshot does not (can cannot) show that.
Chainfire said:
But is SuperSU still available from the app drawer? Did you actually press the volume button as instructed? The screenshot does not (can cannot) show that.
Click to expand...
Click to collapse
no.
When im pressing in the right order its hidden from app drawer. Also some other apps gets hidden.
p.s.
from the log i uploaded before it looks like "they" are running a search of supersu.apk in my device and mannage to find that.
is there a way to hide/stop that?
rocky78 said:
no.
When im pressing in the right order its hidden from app drawer. Also some other apps gets hidden.
p.s.
from the log i uploaded before it looks like "they" are running a search of supersu.apk in my device and mannage to find that.
is there a way to hide/stop that?
Click to expand...
Click to collapse
In that case I don't know what's going on. They shouldn't be able to iterate over APKs either. But it's all just guess work on my end at this point.
EDIT: actually I do know of a way they could still detect this even when hidden... but really the only way around that is to uninstall the SuperSU APK.
TR2N said:
... I tested it with a search if the Netflix app in the Playstore, but it wasn't found....
Click to expand...
Click to collapse
I think Safetynet is a server side check.Wait till tomorrow with su hided and check again.
Chainfire said:
In that case I don't know what's going on. They shouldn't be able to iterate over APKs either. But it's all just guess work on my end at this point.
EDIT: actually I do know of a way they could still detect this even when hidden... but really the only way around that is to uninstall the SuperSU APK.
Click to expand...
Click to collapse
do you mean if i clean flash my rom (custom) without root i will be able to use it?
And if so... Wft? No way! The hell with them.
rocky78 said:
do you mean if i clean flash my rom (custom) without root i will be able to use it?
And if so... Wft? No way! The hell with them.
Click to expand...
Click to collapse
No, just uninstall the SuperSU app from Android settings. Your apps will still have root access, you just wont have any way to manage it.
Chainfire said:
No, just uninstall the SuperSU app from Android settings. Your apps will still have root access, you just wont have any way to manage it.
Click to expand...
Click to collapse
look at this....
Do you see in the log-pic? After hiding from app drawer took a log file and suhide worked.
Only one more thing left to hide.
wtf is build tag? is it related to ro.build.tags in props?
rocky78 said:
look at this....
Do you see in the log-pic? After hiding from app drawer took a log file and suhide worked.
Only one more thing left to hide.
wtf is build tag? is it related to ro.build.tags in props?
Click to expand...
Click to collapse
Only citrix knows
Code:
getprop | grep build
may show some obvious problems.
Apps that use liboemcrypto.so to play content protected by DRM, such as Netflix and My5, will fail when playback is attempted on a rooted device.
The symptoms displayed by affected devices vary by brand and Android version. Some devices may display an obscure error message when you attempt playback. Others may just appear stuck loading the requested content.
This Magisk module fixes the problem by masking liboemcrypto.so with a zero byte replacement. Whilst the same effect could be achieved by simply deleting or renaming liboemcrypto.so with a root-enabled file manager, this has the disadvantage of altering your /system partition by writing to the file-system. The advantage of the Magisk method is that no actual changes are made to the device. The problematic file is merely concealed from the apps that attempt to use it.
To use the module, flash it in the Modules section of Magisk Manager and then reboot your device.
The module works when the library in question is located at either /system/lib/liboemcrypto.so or /system/vendor/lib/liboemcrypto.so. If your library is located elsewhere (or missing), this module will have no effect (but it's harmless to try it).
The module has been verified working on a Samsung Galaxy S9+ (SM-G965F/DS) running Magisk 16.x/17.x/18.x on a variery of ROMs, on a Samsung Tab S3 (SM-T820) running stock Android 8.0 and Magisk 16.x/17.x, and on a Samsung Tab S4 (SM-T830) running stock Android 8.1 and Magisk 17.x/18.x. It was created because a similar module on XDA did not work on my devices. It is being released by popular request, because a number of other users contacted me with the same complaint.
The module was integrated into the official Magisk module repository on 2018-06-27, and can therefore be directly downloaded from within the Magisk Manager app.
Please note that a consequence of using this module is that Widevine DRM will fall back to using L3 instead of L1. This means that Netflix will play all content in SD quality, regardless of your subscription type. Of course, without this module, you won't be able to play anything on a rooted device, so beggars can't be choosers.
Change log:
2020-12-20: v1.5
Updated for Magisk v21 template format.
2019-03-29: v1.4
Updated for Magisk v19 template format.
Issue a warning if installed on an S10e (G970F), S10 (G973F) or S10+ (G975F).
2018-12-06: v1.3
Added support for devices that have the library under either /system/lib64 or /system/vendor/lib64.
Added support for devices that have the library in multiple locations.
2018-07-22: v1.2
Added logic to install in only the appropriate library directory, rather than in both.
2018-05-29: v1.1
Added support for devices that have the library under /system/vendor/lib instead of /system/lib.
2018-04-23: v1.0
Initial release.
Work on Note 8 perfectly thx mate check with netafix,showmax thx again mate
Wysłane z mojego SM-N950F przy użyciu Tapatalka
Version 1.1 has been released with support for devices that have the library under /system/vendor/lib instead.
Hi,
Could you try to make nc+ GO usefull for rooted devices ?
Thanks for the module @ianmacd, finaly Netflix working again on my rooted and Widevine L1 patched Oneplus5.
I noticed this module actually reverts your device back to Widevine L3 when module is active, is that correct?
an0therus3r said:
Thanks for the module @ianmacd, finaly Netflix working again on my rooted and Widevine L1 patched Oneplus5.
I noticed this module actually reverts your device back to Widevine L3 when module is active, is that correct?
Click to expand...
Click to collapse
Yes, this is an unfortunate side-effect of the module. The module fakes the erasure of the DRM library, which enables playback, but not in HD.
If HD is important to you, there are patched Netflix binaries floating around, but I believe they are quite an old version. I mainly use my tablet to cast to the television, so it's not a problem for me. I should add something about this to the documentation.
Why did I have my device manually updated by ONEPLUS in order to enjoy HD content thru YouTube, prime, Netflix etc.. if it is conflicting with Netflix, the one I use the most?? This is pretty weird. This model is a great work around, but now I'm back to L3 and the whole point was to enjoy L1. What do you mean with patched Netflix libraries? Can you maybe point me in the right direction? That'd be greatly appreciated
mshinni80 said:
Why did I have my device manually updated by ONEPLUS in order to enjoy HD content thru YouTube, prime, Netflix etc.. if it is conflicting with Netflix, the one I use the most?? This is pretty weird. This model is a great work around, but now I'm back to L3 and the whole point was to enjoy L1. What do you mean with patched Netflix libraries? Can you maybe point me in the right direction? That'd be greatly appreciated
Click to expand...
Click to collapse
This article contains an introduction to the problem. Basically, you either need to patch the APK or find one pre-patched by someone else.
Most, if not all people use apktool for this kind of work, but later versions of the Netflix APK can't currently be decompiled, so if you look around for a patched APK, you'll necessarily find an old version.
ianmacd said:
Version 1.1 has been released with support for devices that have the library under /system/vendor/lib instead.
Click to expand...
Click to collapse
I didnt fix my error -9 still getting same error sorry we couldn't get Netflix service error (-9) running on Note 4 with Magisk 16.4 on MM ROM
*edit* I went into /vendor/lib/ and delete (take a backup of it) the file liboemcrypto.so, reboot and it worked! I dont know if that the right way to fix it? this Module seems like didn't change anything
zfk110 said:
I didnt fix my error -9 still getting same error sorry we couldn't get Netflix service error (-9) running on Note 4 with Magisk 16.4 on MM ROM
*edit* I went into /vendor/lib/ and delete (take a backup of it) the file liboemcrypto.so, reboot and it worked! I dont know if that the right way to fix it? this Module seems like didn't change anything
Click to expand...
Click to collapse
Thank you for the report. I will investigate the matter.
The module should have worked with that path. I have a device myself that has liboemcrypto.so in that location, and the module works fine with it. I'll look into it.
ianmacd said:
Thank you for the report. I will investigate the matter.
The module should have worked with that path. I have a device myself that has liboemcrypto.so in that location, and the module works fine with it. I'll look into it.
Click to expand...
Click to collapse
this time I download the module direct from Magisk without using the your provided zip and then installing using from TWRP
this time it worked, now I can use Netflix without any issues I download and installed the module direct from Magisk
zfk110 said:
this time I download the module direct from Magisk without using the your provided zip and then installing using from TWRP
this time it worked, now I can use Netflix without any issues I download and installed the module direct from Magisk
Click to expand...
Click to collapse
That's weird, too, because it's the same version in both cases.
I assume you returned liboemcrypto.so to your device before installing the module. If not, there wouldn't have been anything for the module to do.
I don't know if this is related to the liboemcrypto.so library or something very different: I would like to screen cast (as in mirror my display to a Chromecast) protected content such as Prime Video. If I do so now then the result is sound + captions and a black screen. No video. This module sort of fixed my problem with Prime Video but not entirely so I wonder if you have insights into fully resolving this. I can't believe Google's own screen cast feature isn't trusted by Google's own Chromecast!
Thanks
Your work is perfect. You are a genius!
Has anyone actually managed to mask the device as L1 DRM? Just curious
Hi @ianmacd, I've installed this through Magisk Manager. I don't use Netflix or My5. I expect it to work with Saavn like apps with more Indian content (songs). Regards.
Massive thank you to the O.P been trying for a very long time to get all 4 to work on a rooted device with this module it WORKS!!! Thank you so much for the time you put into Roms and this Module!!
MetalIris said:
Massive thank you to the O.P been trying for a very long time to get all 4 to work on a rooted device with this module it WORKS!!! Thank you so much for the time you put into Roms and this Module!!
Click to expand...
Click to collapse
With all regards to @ianmacd efforts, this hack will enforce falling back to Widevine L3, hence make Netflix HD a no-go.
I am now trying to fix Widevine L1 on Exynos5420 stuff, and I found out that SELinux enforcing mode restricting access from untrusted apps to read "/", and "mount", as well as restricting "toybox" system() calls effectively make up-to-date Netflix happy while debugging the mediadrmserver with gdbserver using root Of course a small SELinux policy change is required to make gdbserver work but this is out of scope.
If there is a way to assign a custom seclabel to processes or files related to package by its name, this approach can help using SELinux as an umbrella for apps like NF.
ianmacd said:
Apps that use liboemcrypto.so to play content protected by DRM, such as Netflix and My5, will fail when playback is attempted on a rooted device.
The symptoms displayed by affected devices vary by brand and Android version. Some devices may display an obscure error message when you attempt playback. Others may just appear stuck loading the requested content.
This Magisk module fixes the problem by masking liboemcrypto.so with a zero byte replacement. Whilst the same effect could be achieved by simply deleting or renaming liboemcrypto.so with a root-enabled file manager, this has the disadvantage of altering your /system partition by writing to the file-system. The advantage of the Magisk method is that no actual changes are made to the device. The problematic file is merely concealed from the apps that attempt to use it.
To use the module, flash it in the Modules section of Magisk Manager and then reboot your device.
The module works when the library in question is located at either /system/lib/liboemcrypto.so or /system/vendor/lib/liboemcrypto.so. If your library is located elsewhere (or missing), this module will have no effect (but it's harmless to try it).
The module has been verified working on a Samsung Galaxy S9+ (SM-G965F/DS) running Magisk 16.x/17.x on a variery of ROMs, on a Samsung Tab S3 (SM-T820) running stock Android 8.0 and Magisk 16.x/17.x, and on a Samsung Tab S4 (SM-T830) running stock Android 8.1 and Magisk 17.x. It was created because a similar module on XDA did not work on my devices. It is being released by popular request, because a number of other users contacted me with the same complaint.
The module was integrated into the official Magisk module repository on 2018-06-27, and can therefore be directly downloaded from within the Magisk Manager app.
Please note that a consequence of using this module is that Widevine DRM will fall back to using L3 instead of L1. This means that Netflix will play all content in SD quality, regardless of your subscription type. Of course, without this module, you won't be able to play anything on a rooted device, so beggars can't be choosers.
Change log:
2018-07-22: v1.2
Added logic to install in only the appropriate library directory, rather than in both.
2018-05-29: v1.1
Add support for devices that have the library under /system/vendor/lib instead of /system/lib.
2018-04-23: v1.0
Initial release.
Click to expand...
Click to collapse
Ianmacd thank you 10 times for this and for the module that restores on Samsung note 9 previously paired bluetooth devices that were lost after reboot. You saved my life !! Hhh
So if I unroot my S8 will HDR and hd work?
Hi Guys!
Recently I hope to use Tasker to do something automatically when the phone is turned on, but I found that Tasker can't start when my phone is turned on but locked.
So I wrote an Android app that uses the shell to enter the password at boot time, but even if I used DirectBoot mode(developer.android.com/training/articles/direct-boot) it still doesn't work.
So I tried to write a module using Magisk, and automatically entered the password when I booted. This time I raised succeeded.
I think there may be other people who have the same needs as me, so I do a function that can customize the password for others to use.
At first we need install AutoInputBootPinManager(github.com/ZeroingIn/AutoInputBootPinManager) to configure your PIN. The application needs to grant root privileges.
Next we download and install this module(github.com/ZeroingIn/AutoInputBootPin) and reboot phone to enjoy it.
If you have any questions, please submit an issue.
Thank you all.
Interesting idea.
There are several modules available that use a shell script UI, run through a terminal emulator, to change settings for the module. App systemizer, Unified Hosts Adblock, MagiskHide Props Config, Energized Protection, etc. Take a look at them for inspiration.
A couple of things:
An explanation of the command in post-fs-data.sh might be a good idea.
Code:
supolicy --live "allow untrusted_app default_android_service service_manager find"
And, why are you setting this prop? As far as I can tell that's for the app Brevent...
Code:
log.tag.BreventServer=DEBUG
Didgeridoohan said:
Interesting idea.
There are several modules available that use a shell script UI, run through a terminal emulator, to change settings for the module. App systemizer, Unified Hosts Adblock, MagiskHide Props Config, Energized Protection, etc. Take a look at them for inspiration.
A couple of things:
An explanation of the command in post-fs-data.sh might be a good idea.
Code:
supolicy --live "allow untrusted_app default_android_service service_manager find"
And, why are you setting this prop? As far as I can tell that's for the app Brevent(play.google.com/store/apps/details?id=me.piebridge.brevent&hl=en)...
Code:
log.tag.BreventServer=DEBUG
Click to expand...
Click to collapse
Thank you very much for your advice, I will try it. Any progress, I will be posted in this post.
The setting of this prop is my mistake, and you have carefully discovered this bug that I have not noticed.
Because I was a beginner to make the Magisk module, I didn't see the Magisk Module Template(github.com/topjohnwu/magisk-module-template) at first, so I wrote it with reference to the Privileged Api Booter(github.com/Magisk-Modules-Repo/magisk-privileged-api-booter).I will fix this problem right away.
ZeroingIn said:
Thank you very much for your advice, I will try it. Any progress, I will be posted in this post.
The setting of this prop is my mistake, and you have carefully discovered this bug that I have not noticed.
Because I was a beginner to make the Magisk module, I didn't see the Magisk Module Template(github.com/topjohnwu/magisk-module-template) at first, so I wrote it with reference to the Privileged Api Booter(github.com/Magisk-Modules-Repo/magisk-privileged-api-booter).I will fix this problem right away.
Click to expand...
Click to collapse
In that case you have a couple of more things to rectify. The first part I mentioned, about the post-fs-data.sh script is also from that module. So, I'm going to assume you do not need it for your purpose. I'd suggest removing that as well... And after you've done that, you should also go in and edit config.sh and change PROPFILE and POSTFSDATA from true to false, because you're not using them anymore. From the looks of it you're only using service.sh, so only LATESTARTSERVICE needs to be active.
Didgeridoohan said:
In that case you have a couple of more things to rectify. The first part I mentioned, about the post-fs-data.sh script is also from that module. So, I'm going to assume you do not need it for your purpose. I'd suggest removing that as well... And after you've done that, you should also go in and edit config.sh and change PROPFILE and POSTFSDATA from true to false, because you're not using them anymore. From the looks of it you're only using service.sh, so only LATESTARTSERVICE needs to be active.
Click to expand...
Click to collapse
You are right, I modified it with reference to the template.Thanks a lot.
Are you going to.update this at all?
I have a bug if you are...
I only have 1 pin... But all 3 fire... Since there's no way to stop them without deleting it from the script
Hey everyone,
after some trial and error, I was able to pass Safety Net.
I just want to mention what I did in the process to get there. May have been a combination of things or just one...
1. I followed this guide, but make sure you notice that It's for the Pixel 5 not 5a. But the process is similar. This process didn't fix the issue. However, it's also a good how-to on how to root. I did also modify the props to the 3a.
How to Root the Pixel 5 & Still Pass SafetyNet — Full Guide for Beginners & Intermediate Users
The Pixel 5 is a great value proposition in this era of $1,500 phones. With its reasonable price tag, fully open-sourced software, and unlockable bootloader, it's also an ideal phone for rooting.
android.gadgethacks.com
2. When that didn't work, I followed this video, and hid all my banking apps besides the Google Play Services:
3. When that didn't work, I installed these both using Magisk from this post:
Magisk General Support / Discussion
This is the place for general support and discussion regarding "Public Releases", which includes both stable and beta releases. All information, including troubleshoot guides and notes, are in the Announcement Thread
forum.xda-developers.com
4. Cleared my data and cache with Google Play and GPay + any other banking apps.
That worked for me!
EDIT: IF GOOGLE MAPS reports the wrong location, its likely XPrivacy-LUA, Google Services. Uncheck some of them.
Oh man....the only thing holding me back is the safety net thing, and it looks like we have a work around tell someone has an actual method made for this phone. Not sure if I'm ready to actually mess with this yet...but thanks for the post, bro!
anubis2k3 said:
Oh man....the only thing holding me back is the safety net thing, and it looks like we have a work around tell someone has an actual method made for this phone. Not sure if I'm ready to actually mess with this yet...but thanks for the post, bro!
Click to expand...
Click to collapse
Didnt think it was that big of a deal to me. But it was fun with a new phone with nothing on it.
This was the Magisk module that worked to pass safety net for me. I didn't need any others.
Releases · kdrag0n/safetynet-fix
Google SafetyNet attestation workarounds for Magisk - kdrag0n/safetynet-fix
github.com
Google Pay "appears" to be working too. Haven't gone out and tried it yet though.
joemommasfat said:
Google Pay "appears" to be working too. Haven't gone out and tried it yet though.
Click to expand...
Click to collapse
That's the part that I use the most, and the reason I haven't rooted yet. Please let us know if it works. Much appreciated!
I can confirm that using google pay (newer GPay app) on my rooted 5a works at merchants. I've already used it several times over the last week or so with no problems.
Deadmau-five said:
3. When that didn't work, I installed these both using Magisk from this post:
Click to expand...
Click to collapse
Why? Isn't the shim version just for Samsungs? Either way, it's the same mod, just different versions.
Someone who actually knows what they're doing needs to write up a tutorial. Following instructions posted by people who have no idea what they're doing but "it works" for them is dangerous.
borxnx said:
Why? Isn't the shim version just for Samsungs? Either way, it's the same mod, just different versions.
Someone who actually knows what they're doing needs to write up a tutorial. Following instructions posted by people who have no idea what they're doing but "it works" for them is dangerous.
Click to expand...
Click to collapse
You're absolutely correct about the dangers in following instructions posted by who knows who. I'll go further and say when it comes to root and associated items stay away from anything posted on a site other than XDA. In many cases even if the instructions were correct at some point in time they may well be outdated now.
I haven't rooted yet for a few reasons yet but will, hopefully sometime very soon. In the meantime I can state the following:
They're is no need to modify props. Modifying props to identify as a different phone would only be required for custom ROMs that don't handle it themselves (or some non-certified Chinese phones, which doesn't apply here). If you're running stock just leave that portion alone. And, if I'm not mistaken (although not 100% certain) I think safetynet-fix takes care of that for you in any case.
You will definitely need kdragOn/safetynet-fix.
Hopefully that's all you need.
I'm not sure which version of Magisk you'll need. Unless you know what you're doing and how to get out of trouble I recommend staying away from the current alphas, they're extremely cutting edge and you can expect problems.
Best best is to check the following threads and see what's going on:
Actually see this post and the 2 posts immediately following
Magisk General Support / Discussion
This is the place for general support and discussion regarding "Public Releases", which includes both stable and beta releases. All information, including troubleshoot guides and notes, are in the Announcement Thread
forum.xda-developers.com
That should pretty much cover things for the moment. If nobody else (@hfam ?) has done it by the time I get around to rooting I'll write something up specific for the 5a.
I only mentioned what works for me since there was no step-by-step guide.
Dangerous how? Doing any mods to your phone is "dangerous". I fail to see how this is more so than others. Modifying your phone is risky.
If it didn't work I wouldn't have posted this guide. I only mentioned the steps that I took. It's not really a guide, just how I passed safety net.
But, my 5a has still been working great since then. GPay included.
jcmm11 said:
You're absolutely correct about the dangers in following instructions posted by who knows who. I'll go further and say when it comes to root and associated items stay away from anything posted on a site other than XDA. In many cases even if the instructions were correct at some point in time they may well be outdated now.
I haven't rooted yet for a few reasons yet but will, hopefully sometime very soon. In the meantime I can state the following:
They're is no need to modify props. Modifying props to identify as a different phone would only be required for custom ROMs that don't handle it themselves (or some non-certified Chinese phones, which doesn't apply here). If you're running stock just leave that portion alone. And, if I'm not mistaken (although not 100% certain) I think safetynet-fix takes care of that for you in any case.
You will definitely need kdragOn/safetynet-fix.
Hopefully that's all you need.
I'm not sure which version of Magisk you'll need. Unless you know what you're doing and how to get out of trouble I recommend staying away from the current alphas, they're extremely cutting edge and you can expect problems.
Best best is to check the following threads and see what's going on:
Actually see this post and the 2 posts immediately following
Magisk General Support / Discussion
This is the place for general support and discussion regarding "Public Releases", which includes both stable and beta releases. All information, including troubleshoot guides and notes, are in the Announcement Thread
forum.xda-developers.com
That should pretty much cover things for the moment. If nobody else (@hfam ?) has done it by the time I get around to rooting I'll write something up specific for the 5a.
Click to expand...
Click to collapse
Just a quick note to say I just finished with everything (new Pixel 5a 5G, rooted + Safety net, restored all my apps, etc) and it's a flawless victory, ALL banking apps work great, SafetyNet passes, no hiccups.
I'd be happy to craft up a step by step and post it if there's some interest. It's not often I get to give back to this outstanding community, so it's the least I can do jumping on the opportunity. UFC 266 Main card is just starting, so I'll get started right after the fight and post it here in this thread.
Great to see ya again @jcmm11! Coming back to root a new phone feels like a family reunion, so great to see many of you active folks still here helping out!!
hfam
Alright, as promised, here is my writeup for a step-by-step tutorial for rooting your new Pixel 5a and getting SafetyNet up and going. I know it looks like a book, but I wanted to put it into plain language and attempt to explain the process for everyone, even absolute first timers. I know when I first started I really appreciated when the person helping didn't presume I had any knowledge, so for those that may have some experience, sorry for the wordiness. I'll also include how I apply updates when a new Android security update is pushed out. I understand that there are now elegant ways to accept OTA updates, but that is out of the scope of this tutorial as I have always had issues with OTA, and have to catch up on how that works myself. I can attest to years of using this method though (using a full factory image) to perform the "monthly" security updates, and I have never had anything but full success, so I'll share that here below the rooting tutorial.
*Disclaimer and heads-up* this is for an UNLOCKED PIxel 5a purchased directly from Google Store. At the time of this writing that is the only place I'm aware of which currently offers the PIxel 5a. Once carriers like Verizon, etc, offer this device, there may be some changes to the process, so just know up front this is for the unlocked Pixel 5a*
*WARNING*! When you unlock the bootloader on your phone it WILL WIPE YOUR PHONE and reset it to factory. If you've already used your phone and set it up, you're going to lose that setup. If you can't bear it, then the rest of this isn't for you, as root cannot be achieved without unlocking the bootloader.
First, you'll need a few things
- https://developers.google.com/android/images
and download the latest FACTORY IMAGE for "barbet", which is the Pixel 5a. You want to download the SAME VERSION that is currently installed on your device. At the time of this writing, it's the September release.
From that same page, you will need the ADB+Fastboot platform tools which will allow you to perform the required tasks, download from this link:
- https://developer.android.com/studio/releases/platform-tools.html
I use Windows 10, and extract this tools download to a folder in the root of C: called "platform-tools". You will then need to add "c:\platform-tools" to your environment path.
On the Pixel 5a, you need to enable developer options. Go into Settings/About Phone/and tap "Build Number" 7 times. This enables developer options and it will let you know when you've unlocked this as you tap 7 times. Once developer options is unlocked, go back to Settings/System/Advanced, and you'll see Developer Options is now available.
Select Developer Options, and enable "USB Debugging" and also enable "OEM Unlocking".
(**NOTE** For now at least, until you decide how you want to proceed with handling updates in future (more on that later), I strongly recommend turning OFF "Automatic System Updates" as well, just a few items below "OEM Unlocking". This prevents any updates happening automatically on a phone reboot. You don't want to wake up and find an OTA update pushed out and removed root, or worse. You can always turn it back on later.)
Plug your phone into a USB port on your PC. Allow the PC to do it's thing. You can open up Computer Management on the PC (right click the windows menu button icon lower left of your toolbar and select "Computer Management". Select "Device Manager" on the left panel. You should see "Android ADB Device" appear at the top of the right pane list of devices. if not, then visit:
Install OEM USB drivers | Android Studio | Android Developers
Discover links to the web sites for several original equipment manufacturers (OEMs), where you can download the appropriate USB driver for your device.
developer.android.com
and download the appropriate USB driver for your system and retry the above directions.
First thing we have to do is unlock the bootloader.
On the PC, open a command prompt and change directory to "C:\platform-tools" as discussed above.
Now, type in "adb reboot bootloader". The phone will reboot into bootloader. (you may receive a dialog on the phone which says something to the effect of not recognizing the PC. Go ahead and allow it, check the box to allow it in the future, and proceed.
Phone is now at the bootloader, and shows you some info letting you know it's so, including that the bootloader is locked. Also, look at the Device Manager we opened earlier and confirm that you see Android ADB Device (or similar) which confirms your PC recognizes the phone and setup for ADB commands .
To unlock the bootloader, in the command prompt type:
fastboot flashing unlock
This will unlock the bootloader, you will likely see a warning that it's going to wipe the phone. Proceed and allow the unlock. The phone will then reboot and take you to your wiped phone just as you received it out of the box, except the bootloader is now unlocked and Developer Options are still available. Let the phone continue through it's first-time setup, and leave the phone plugged into the PC. If you unplugged no biggie, but we're going right back to the PC shortly and it will need to be plugged back in before the next step to accept the file we're going to push to it.
Now, you want to open a browser on the phone and go to (at the time of this writing, v23.0 is the current stable Magisk):
Release Magisk v23.0 · topjohnwu/Magisk
This release is focused on fixing regressions and bugs. Note: Magisk v22 is the last major version to support Jellybean and Kitkat. Magisk v23 only supports Android 5.0 and higher. Bug Fixes [App]...
github.com
Scroll down and under "Assets" select that Magisk 23.apk file, download and install it. Open Magisk if it doesn't open on install, and just let it sit, we're coming back to it shortly.
PATCHING THE BOOT.IMG FILE
On the PC, go back to the Factory Image you downloaded, and extract it to a temporary directory. You will see 6 files; a few "flash-all" files, a radio image, a bootloader image, and a ZIP file called "image-barbet-XXXXXXXXXXX.zip (the xxx's are whatever the version number is you've downloaded). Double click that ZIP file and you will see a dozen files. The one we need to root the device is "boot.img".
Copy (don't move!!) this file to c:\platform-tools. Now, go back to your command prompt (still pointing to c:\platform-tools) and type in:
adb push boot.img /sdcard/Download
Now back on the phone, within the Magisk app we left open, at the top where it says Magisk, choose to install. A dialog box will open, select Patch Boot File Image. Point the process to your /sdcard/Download, and select the boot.img file we just pushed there. Now allow it to patch the boot.img and Magisk will show you it's patching it, and in a moment tell you it was successful. Close the Magisk app, open "Files" and direct it to sdcard/Download. Note the name of the patched boot file, which is called "magisk_patched-XXXXX_xxxxx.img (the X's are the Magisk version, and the x's are 5 random chars). Feel free to leave it there as you go back to the PC...
Back on the PC, in the command prompt, now type:
adb pull /sdcard/Download/magisk_patched-XXXXX_xxxxx.img
make certain you get the name exact or it won't go, no worries, just get it correct. The file now resides in the "c:\platform-tools" directory along with the unpatched "boot.img" and your ADB+Fastboot tools.
Just about done rooting, here we go!
Now, in the command prompt type:
adb reboot bootloader
The phone reboots into bootloader. Now type:
fastboot flash boot magisk_patched-XXXXX_xxxxx.img (again, use the numbers and letters in YOUR patched file!)
Lastly, type:
fastboot reboot
Your phone reboots, and you should be rooted!! Unplug your phone from the PC, open up Magisk App and confirm, the Magisk entry at the top of the main Magisk App screen should now show you the version you installed, etc!
Time to get your banking apps (and any others that may detect unlocked bootloaders/root/etc) working!
In the Magisk App, on the bottom of the screen is a 4 item menu bar. Select the right-most icon, which is "Modules". At the top of the screen select "sorting order" and sort alphabetically. Scroll down to "riru" and select the module that is JUST "RIRU", (not any of the other "riru _______" modules). Choose to download it, then choose to install it. You'll be prompted to reboot the phone, so reboot the phone.
Next, we're going to install drag0n's Universal SafetyNet fix (at the time of this writing it's currently v 2.1.1) You will need to download this via a browser on your phone, so open a web browser and go to:
GitHub - kdrag0n/safetynet-fix: Google SafetyNet attestation workarounds for Magisk
Google SafetyNet attestation workarounds for Magisk - GitHub - kdrag0n/safetynet-fix: Google SafetyNet attestation workarounds for Magisk
github.com
On the right-hand side, you'll find "Releases", and v2.1.1 is the latest. Select that, then scroll down to "Assets" and download "safetynet-fix-v2.1.1.zip" By default this will download to sdcard/Download.
Go back into the Magisk App, select the "Modules" menu as above, and at the very top select the "Install from Storage" bar. Point to the file we just downloaded and install it (don't extract it, etc, it requires the zip exactly as downloaded and will do it's thing). Again, it will install the module and prompt you to reboot. Reboot.
Almost there!
At this point, if you havent installed your banking apps, do so. DON'T RUN THEM, just install them. I also have a Nintendo Switch Online app which failed because of root, so if you also have or want this app, install it now, again, do NOT run it yet, just install. Same with any other apps you are aware which have root/bootloader unlocked issues, get them installed, but don't run 'em.
Now, we're going to use MagiskHide to hide these apps and complete the process for passing SafetyNet and running apps which may not run due to root.
in the Magisk App, at that 4 item menu bar at the bottom, select the 2nd from left, or "MagiskHide". Select the MagiskHide item and it will open to a scan of all the apps on your system. By default I believe Magisk sets up to hide Google Play Services. You will see it selected, and all the other apps on your system unselected. Select each of the banking apps, the Nintendo Switch Online (if you have it), and any other apps that YOU ARE SURE will complain about unlocked bootloaders and/or root. Any onilne gaming that's popular are good choices, but again, it's easiest to NOT RUN them PRIOR to hiding them via MagiskHide. Pokemon GO comes to mind as one I've seen that needs hiding, etc, so make it easy on yourself and do a little research on any suspect apps prior to running them, then hide them if needed.
Anyhow, select your banking apps to hide them.
Now, we're going to check SafetyNet to make sure youll now pass.
On the Home menu in the Magisk App, select "Check SafetyNet". You will be prompted to download some proprietary SafetyNet shhhhhhhtuff....so let it download. Once done, SafetyNet check will open, and you should show a blue screen which says SUCCESS, and "basicintegrity" and "ctsProfile" will be checkmarked, evalType will show BASIC.
You're good to go, rooted, SafetyNet works perfect, and you can now open your banking apps and should open right up!!
If you find any specific issues about specific apps not working, or detecting root, etc, the best place to get help is in the Magisk General Discussion forum:
Magisk General Support / Discussion
This is the place for general support and discussion regarding "Public Releases", which includes both stable and beta releases. All information, including troubleshoot guides and notes, are in the Announcement Thread
forum.xda-developers.com
I owe those folks eternally for showing me what I know, and always having the answers for any issues I've ever had. Some of the nicest, smartest people Ive had the pleasure of knowing, they're always helpful, and even maintain fantastic sites for FAQ and chock full of great info about every aspect of Magisk.
BONUS ITEM: As I indicated above, I'd share the method I know, trust, and have used many many times, trouble free, to apply a system update to the phone without overwriting anything, and not hitting any issues many encounter using the OTA method (though I understand that's been vastly improved, I haven't educated myself as to that process and will likely continue to use this method).
Security Update (monthlies) Process using Full System Image
As above, download the newest Full Factory Image from the site. Extract this full image to a directory inside C:\platform-tools
In this directory, if you're on Windows, open the "flash-all.bat" file (don't run it, open it with Notepad or something similar, I really like Notepad++ as it's free, has a LOT of great functionality and, like the native Notepad, doesn't do any goofy formatting/fonting/etc when modifying and saving a file.)
In flash-all.bat, look for the "-w" entry in the fastboot command near the end of the file and REMOVE ONLY THE "-w", leaving the line correctly formatted (don't leave an extra space or something goofy), then save the file over the top of the original with the same name. This will remove the overwriting of your data when pushing the image, the "-w" tells the process to overwrite, so we remove it.
Open up a Windows Explorer and go to your c:\platform-tools directory. Delete (or move to another location) any "boot.img" files along with any "magisk_patched-XXXXX_xxxxx.img" files from previous operations. Also note and confirm that you have correctly extracted the latest Full System Image to it's own directory, residing in c:\platform-tools.
Now, connect your phone to the PC. Open your command prompt and point to "C:\platform-tools" again. Type: cd <name of Full system Image directory>
In command prompt, type:
adb reboot bootloader
The phone is now in bootloader. In command prompt, confirm you're pointing to "C:\platform-tools\<Full System Image extract dir>" Type:
flash-all
This will do a full factory image push to your phone, you'll see a couple quick writes and phone reboots, then begins writing the rest of the image to your phone, but since we removed the "-w" from "flash-all.bat", it's NOT overwriting your data, just the necessary system files to update it to the latest version!
Reboot your phone, let it do any optimizing and updating it needs to do, and don't run anything yet, we're not quite done, just let the phone settle in and finish booting and doing it's thing.
Now, go back and perform the steps above listed under "PATCHING THE BOOT.IMG FILE" to patch the newest boot.img from the Full System Image we just updated the phone with (push the boot.img to sdcard/Download, patch with Magisk App, pull magisk_patched-XXXXX_xxxxx.img to your PC, blast it back using fastboot), and you've now rerooted the phone.
Lemme just say again that I know this was a friggin' book, and I tried to make it as clear and plain language as I could to help even a first timer, so my apologies if it seems like an onerous process. It's really not, and once you've done this once or twice, it's a cakewalk and takes about 10 minutes of your time from start to finish to do the whole system update and reroot. Again, the newer methods to take OTA without losing root may be something you'd like to look into, i definitely will, but I'm very confident in sharing this method as I know it works like a champ and is foolproof if you take your time the first few times and make sure you do what's required (remove the "-w" from the flash-all.bat, etc)
Lastly, I've been using this method since the Pixel 2, and just performed it on my new 5a, it worked exactly as it has for years for me on the P2, so you can be confident moving forward that, if you follow instructions and take your time until it's all familiar, you'll be successful in rooting, passing SafetyNet, and applying system updates without screwing up the A/B slots or overwriting your data in the process.
I hope this helps even one person, and since I rarely find myself able to give back to the community in any real meaningful way (many of these folks are WAAAY beyond my modest skills and know so much!!), I hope that this provides some folks with a useful and meaningful tutorial, providing confidence that anyone can root their P5a (or about any Pixel it seems) without being a Magisk/Android prodigy.
@Didgeridoohan, @pndwal, @zgfg, @jcmm11, and so many others over the years have been so helpful, I couldn't have done any of this without their selfless help, so give those folks a big thanks also if this is any help to you.
Best of luck,
hfam
Thanks for the write-up @hfam, it's good to know that some of the steps that i tried aren't really necessary, like using props config or hiding the actual magisk app.
Appreciate you!
nsoult said:
Thanks for the write-up @hfam, it's good to know that some of the steps that i tried aren't really necessary, like using props config or hiding the actual magisk app.
Appreciate you!
Click to expand...
Click to collapse
Awww, thanks! Glad to do it and really hope it helps some folks tackle rooting their phones and passing SN!
Rooted with magisk v.23 - flashed zip as a module
So has anyone installed the October update yet?
GrandAdmiral said:
So has anyone installed the October update yet?
Click to expand...
Click to collapse
Yep, good to go. I used the same method I shared above.
Is this working with Android 12? Which Magisk version to use?
This method did not work for Android 12. I updated my rooted phone to android 12 OTA. It returned to stock. I followed the method above to patch the factory boot.img file with magisk. After flashing my phone in bootloader with the patched boot.img, my phone will not reboot. says:
failed to load/verify boot images
Any advice? My Magisk is v23. Do I need to use a beta version?
Poking around in this thread, it seems that android 12 root is a much more involved process, requiring factory wipe and additional steps.
[Guide] Flash Magisk on Android 12
Trying to root the Pixel 5 running Android 12 by flashing a magisk-patched boot image results in the phone only booting to fastboot mode ("failed to load/verify boot images") Some users have reported that booting (instead of flashing) the patched...
forum.xda-developers.com
tintn00+xda said:
This method did not work for Android 12. I updated my rooted phone to android 12 OTA. It returned to stock. I followed the method above to patch the factory boot.img file with magisk. After flashing my phone in bootloader with the patched boot.img, my phone will not reboot. says:
failed to load/verify boot images
Any advice? My Magisk is v23. Do I need to use a beta version?
Click to expand...
Click to collapse
As you stated, you are correct. You need to perform a full wipe or flash the factory image with a wipe and then root works fine and phone boots. Tried myself and works fine.