Related
At least 2 of my Apps refuse to start. One is my banking app and they do not offer any other way of interaction.
The problem is that the phone in fact is not rooted! It's just "OEM unlocked" to be prepared for root (which I need for E.g. titanium backup, but only maybe once a month).
Please give me a way out of this vicious circle!
I cannot remove the OEM unlock because it requires full wipe every time. Or is there a way?
Or what can I possibly tell the App Provider to improved their Code so that Oneplus phone state is being recognized (more) correctly?
Any help would be greatly appreciated.
Use Magisk I guess? Use it to hide root from that app.
Reeb_Lam said:
Use Magisk I guess? Use it to hide root from that app.
Click to expand...
Click to collapse
In fact I already flashed an official image and still (with no zip installed via TWRP) I'm getting refusals from these apps.
So for sure some apps decide from something else then simply an installed "root" manager or the installed "su" binaries.
What else could they decide from? "OEM unlock" was my first guess (and it would also be the worst, because as far as I know it can't be "hidden" temporarily, or can it?), but maybe there are other settings. Does anybody know more?
ako673de said:
In fact I already flashed an official image and still (with no zip installed via TWRP) I'm getting refusals from these apps.
So for sure some apps decide from something else then simply an installed "root" manager or the installed "su" binaries.
What else could they decide from? "OEM unlock" was my first guess (and it would also be the worst, because as far as I know it can't be "hidden" temporarily, or can it?), but maybe there are other settings. Does anybody know more?
Click to expand...
Click to collapse
You need to do some reading about Safetynet. If you're OEM unlocked you fail Verified Boot checks. Most custom Kernels include a bypass for this. Magisk alone should also work. I think you missed one important step:
Open Play Store Settings. Scroll down. It says 'Uncertified' at the bottom, right? Now install and set up Magisk. Go to system App Settings and clear Data and Cache for Play Store. Return to the Play Store Settings and scroll down. Now it should say 'Certified'. It might not be immediate, but it will happen. Now your Banking Apps work.
If you don't want, or have no luck with Magisk, simply flash a Custom Kernel that bypasses Verified Boot, and works with OOS.
Simple.
Thank you. That was for sure a major part of the overall issue. Unfortunately it didn't yet fix it. I'm now certified in play store and magisk succeeds with both safety net checks (which however it also did before). And root is disabled in magisk. dm-verity does not show the warning during Boot and the Check itself should be disabled (I followed the recommendation in another Thread to Patch the Boot Image).
Anything else you can imagine?
ako673de said:
Thank you. That was for sure a major part of the overall issue. Unfortunately it didn't yet fix it. I'm now certified in play store and magisk succeeds with both safety net checks (which however it also did before). And root is disabled in magisk. dm-verity does not show the warning during Boot and the Check itself should be disabled (I followed the recommendation in another Thread to Patch the Boot Image).
Anything else you can imagine?
Click to expand...
Click to collapse
Link to other Thread?
I don't know Magisk but are you hiding Root from your Banking App? Have you cleared Data and Cache for the Banking App since getting Certified?
First my phone did not Boot any more after installing superSU. Fixed that by patching Boot.img (to disable dm-verity) according to this thread: https://forum.xda-developers.com/oneplus-3t/how-to/disable-dm-verity-force-encryption-op3t-t3688748
Now data and cache of all (now) 3 affected Apps has been cleared and Magisk is configured to be hidden for them, but still no change.
However, in Magisk there is the "extended" option "AVB 2.0/keep dm-verity", which is unticked. I'm not sure, should I try to set it?
Any other idea?
ako673de said:
Any other idea?
Click to expand...
Click to collapse
Nope. If Play Store says Certified you should be good to go. I can only imagine it's a Magisk issue. Post screenshots of your config and let the Magisk experts pick through them. Maybe there's something not set up correctly.
ako673de said:
First my phone did not Boot any more after installing superSU. Fixed that by patching Boot.img (to disable dm-verity) according to this thread: https://forum.xda-developers.com/oneplus-3t/how-to/disable-dm-verity-force-encryption-op3t-t3688748
Now data and cache of all (now) 3 affected Apps has been cleared and Magisk is configured to be hidden for them, but still no change.
However, in Magisk there is the "extended" option "AVB 2.0/keep dm-verity", which is unticked. I'm not sure, should I try to set it?
Any other idea?
Click to expand...
Click to collapse
Hide Magisk Manager. I had to do that to get my banking app to work.
Edit: you may need to reboot after hiding Magisk Manager and clear you banking app's data before it works.
Sent from my OnePlus3T using XDA Labs
Thank you, indeed that WORKED! Well, at least for 2 out of 3 Apps. I think I can tell which one: "HVB banking". Maybe could somebody cross-check this one on his/her phone?
After firmware update to OOS 5.0.5 I now have the problem that my PlayStore can no longer be convinced in any way to show that it's certified. But interestingly my banking Apps work (currently really no root app installed). I even waited for one day because earlier in this thread somebody mentioned that it might take awhile. Is there anything special I need to care about under the new OS version?
ako673de said:
After firmware update to OOS 5.0.5 I now have the problem that my PlayStore can no longer be convinced in any way to show that it's certified. But interestingly my banking Apps work (currently really no root app installed). I even waited for one day because earlier in this thread somebody mentioned that it might take awhile. Is there anything special I need to care about under the new OS version?
Click to expand...
Click to collapse
Did you reflash custom kernel after update?
I'm not using any. What I did right after the update is to disable dm-verity (with a patched boot.img), like I did last time. But magisk is not yet re-installed because I wanted to see at least once the HypoVereinsbank App working, which it in fact does (different to last time when the phone was not rooted as well, and the store not certified!).
ako673de said:
But magisk is not yet re-installed
Click to expand...
Click to collapse
That's why... You can't pass the ctsProfile check if your bootloader is unlocked, and if you can't pass the ctsProfile check the Play Store won't be certified. You need Magisk for that...
Now I'm getting confused. The initial mail of this thread explains the situation as it was when I opened this thread:
--> Original ROM, no root, and banking apps didn't work <--
The advice to clear data of the PlayStore immediately brought the PlayStore back to "certified".
This is clearly in contrast to what you're saying now.
I can imagine only one reason: Maybe the older PlayStore had a bug and therefore was able to "certify" even with unlocked bootloader?
Sidenote: My main intention to do the firmware upgrade was that the "safety net checks" in Magisk suddenly stopped working one day (with the error message "invalid response", most probably you know what I'm talking about, I've read some comments from you on this issue). Therefore it's maybe really not too unlikely that Google has changed something very basic. Could you please confirm?
Edit: Now magisk is back, version 16.7, and in fact PlayStore is back to "certified" AND now even the HypoVereinsbank App works. Just one thing remains: magisk safety net check still says "invalid response" (after it downloaded some "FOSS" code, which it didn't do last time, when it was still working).
ako673de said:
Edit: Now magisk is back, version 16.7, and in fact PlayStore is back to "certified" AND now even the HypoVereinsbank App works. Just one thing remains: magisk safety net check still says "invalid response" (after it downloaded some "FOSS" code, which it didn't do last time, when it was still working).
Click to expand...
Click to collapse
https://www.didgeridoohan.com/magisk/MagiskHide#hn_The_response_is_invalid
Sorry, now comes a probably often asked question: do I need the safetynet check option in magisk for something real? Or do the alternative apps fulfill all possible needs? What are these needs? Isn't that exactly what the PlayStore does to determine "certified"?
After quite some months of absolutely no "root" problems with any of my apps, since today o2banking again doesn't work.
I tried to update Magisk, but after update of the Magisk manager app to v7.1.1(203) it reports that Magisk is not installed at all, and any update of Magisk itself resulted in just the same. So I reverted back to v6.1.0(165) and everything seems to be okay, except that o2banking doesn't work. SafetyNet is clean, Magisk is hidden for o2banking and Magisk manager is repacked.
Does anybody know what the problem might be? Especially with that new version of the manager app, but also with Magisk v19.0 which cannot be installed from v6.1.0 (max. is v18.1). Any ideas welcome! I'm now on OOS 5.0.8 by the way.
SOLVED it myself: As mentioned somewhere in the update FAQ of Magisk there was a bug in manager v6.1.0 that causes the updated v7.1.1 to co-exist with the old version if the old version has been re-packed. If anybody encounters the same problem, the solution is at the bottom of this page: https://www.didgeridoohan.com/magisk/ManagerIssues.
o2banking will then still not work. Update to v19.0 is mandatory. But that is no problem then any more...
probably your banking app identified oxygen os as custom rom and have root. 1 out of 3 banking app in my phone doesn't work with lineageos even though i already hide magisk, but when running oxygen os with magisk hide, and also hide magisk manager (turn it on in magisk manager setting) all 3 banking app work just fine. maybe try sending a message to bank app developer to add oxygen os as exception.
Did you notice my edit? It was a problem with magisk manager update and magisk main version. Now everything is back up and running.
Hi guys
I recently decided to root my Exynos S21U, all fine to far but I'm fighting to get Google Pay to work properly - so far without success.
Has anybody here got a rooted S21U with working Gpay and could kindly share what you did to make it work?
Thanks,
Axel
U dont need root to have google pay.
Download apk from here and install it on your device:
https://apkpure.com/google-pay/com.google.android.apps.walletnfcrel
Beso said:
U dont need root to have google pay.
Download apk from here and install it on your device:
https://apkpure.com/google-pay/com.google.android.apps.walletnfcrel
Click to expand...
Click to collapse
I don't think he's rooting to get Google Pay.
He wants a rooted phone, but is dealing with the side effect that it renders GPay un-usable.
Correct me if I'm wrong @s3axel
BTW @s3axel , have you tried Magisk Hide?
Yes, my device is rooted and I want to get Gpay to work
What I tried so far, all without success (of course all With Magisk Hide enabled for at least Gpay, Google Play Services and Google Framework)
- Magisk Stable
- Magisk Canary
- Props Magisk module
- Safetynet Fix 1.1.1
Funny enough everything is working fine in my other phone (Mi11U) with Magisk Stable and Magisk Hide enabled, nothing else...
Thus I was curious for reports from people who use their S21U rooted and with Gpay to learn what I need to do.....
s3axel said:
Yes, my device is rooted and I want to get Gpay to work
What I tried so far, all without success (of course all With Magisk Hide enabled for at least Gpay, Google Play Services and Google Framework)
- Magisk Stable
- Magisk Canary
- Props Magisk module
- Safetynet Fix 1.1.1
Funny enough everything is working fine in my other phone (Mi11U) with Magisk Stable and Magisk Hide enabled, nothing else...
Thus I was curious for reports from people who use their S21U rooted and with Gpay to learn what I need to do.....
Click to expand...
Click to collapse
It's possible to make it work (I'm on S21 Ultra 5G, latest Magisk canary, AUC8).
Follow these instructions to the letter and you'll get going ;-)
Working: Magisk with Google Pay as of gms 17.1.22 on Pie
Ok. I tried this and it worked on gms 17.1.22, allowing one to add cards and pay in store. Warning YMMV, but this is the process I did to get this working. One caveat is that I suspect users will have to reverse some step if gms is updated and...
forum.xda-developers.com
By the way, once you succeed in make it work, I suggest you update the thread title with something like [SOLVED] or [WORKING], so other newcomers can benefit from it
rodrigofd said:
It's possible to make it work (I'm on S21 Ultra 5G, latest Magisk canary, AUC8).
Follow these instructions to the letter and you'll get going ;-)
Working: Magisk with Google Pay as of gms 17.1.22 on Pie
Ok. I tried this and it worked on gms 17.1.22, allowing one to add cards and pay in store. Warning YMMV, but this is the process I did to get this working. One caveat is that I suspect users will have to reverse some step if gms is updated and...
forum.xda-developers.com
By the way, once you succeed in make it work, I suggest you update the thread title with something like [SOLVED] or [WORKING], so other newcomers can benefit from it
Click to expand...
Click to collapse
Thanks, this worked fine once I found the correct Magisk module
Just for reference flashing this module did its magic and kept the fingerprint in 3rd party apps working...
Hi
I succeded in rooting this phone without TWRP following this guide and applied the SafetyNet Fix without success.
I have also a rooted Poco X3 NFC with stock MIUI 12.5 where SafetynetFix is working fine. I have not flashed TWRP on the POCO, but I just use TWRP to boot into recovery, when needed.
Anyone succeded in having the RN 10s rooted with GPay working?
Thanks
no success for me too
Yup google pay is working for me. Make sure safetynet passes. I followed this: Root then install magisk as an app with different name, enabled magisk hide, enable safetynet fix, reboot and then install google pay
abhinavprateek said:
Yup google pay is working for me. Make sure safetynet passes. I followed this: Root then install magisk as an app with different name, enabled magisk hide, enable safetynet fix, reboot and then install google pay
Click to expand...
Click to collapse
Safetynet unfortunately does not pass.
Which version of SafetyNet Fix did you use?
I will check again.
Thanks
This one: https://github.com/kdrag0n/safetynet-fix
You need to install magisk and riru for it to work
abhinavprateek said:
Yup google pay is working for me. Make sure safetynet passes. I followed this: Root then install magisk as an app with different name, enabled magisk hide, enable safetynet fix, reboot and then install google pay
Click to expand...
Click to collapse
When you say "install magisk as an app with different name" you mean that I have to install Magisk normally, then from the Magisk settings, reinstall with different name to hide it from other app.
Is it correct?
Thanks
THANKS @abhinavprateek
Finally it's working!!!
Probably the issue was the correct version of SafetyNet Fix that has to be the Riru one, version 2.1.2 actually (and Riru has to be installed in Magisk previously, as you wrote).
After installing Safetynet fix I cleared all data in those apps:
Google Pay
Play Store
Play Services
and rebooted
Then the safetynet check in Magisk was working ad also Google Pay
After searching the forum thoroughly, trying multiple found solutions and trying to find the answer on my own I decided to ask here. What is the right procedure to clean flash A12 AOSP-based roms and getting root?
Some time ago, after updating to A11 rom, I noticed I can't use Magisk the way I used to to root my device - 'no ramdisk' status made me forget about rooting for a while. Now I want it back at any cost. This is why I want you to answer some of my questions, including the one above:
1. Is 'ramdisk: no' status caused by A11 and above versions?
2. Is there a way to have ramdisk status 'yes' on A12 ROM to root the device without having to patch boot.img?
3. Magisk installation doc has totally different way of rooting in my situation. According to it, for ramdisk status 'no' the only solution is 'Magisk in Recovery'. However, every time I saw someone talk about no ramdisk magisk patching, they were patching the boot image - it works fine and is even suggested by Magisk app. Who is wrong here and which solution is the right one?
4. Is there a way to get SafetyNet to pass on patched boot.img? Is there a way to get it to pass on a rooted A12 rom?
5. Some time ago, I have accidentally flashed european vendor instead of chinese one (I own chinese K20 Pro). I had no problems with it so I ran it for a few months and then flashed it back to chinese. Might this be the source of ramdisk issue?
Big thank you to anyone who replies. I have no important data on my device so there is no need for a data-safe solution. I feel like existing flashing/rooting guides seem outdated as they mention A10 at best. After more than 2 years of owning this device I still love it and am not going to replace it anytime soon and I hope there are still people like me! Cheers!
deadw0lf said:
After searching the forum thoroughly, trying multiple found solutions and trying to find the answer on my own I decided to ask here. What is the right procedure to clean flash A12 AOSP-based roms and getting root?
Some time ago, after updating to A11 rom, I noticed I can't use Magisk the way I used to to root my device - 'no ramdisk' status made me forget about rooting for a while. Now I want it back at any cost. This is why I want you to answer some of my questions, including the one above:
1. Is 'ramdisk: no' status caused by A11 and above versions?
2. Is there a way to have ramdisk status 'yes' on A12 ROM to root the device without having to patch boot.img?
3. Magisk installation doc has totally different way of rooting in my situation. According to it, for ramdisk status 'no' the only solution is 'Magisk in Recovery'. However, every time I saw someone talk about no ramdisk magisk patching, they were patching the boot image - it works fine and is even suggested by Magisk app. Who is wrong here and which solution is the right one?
4. Is there a way to get SafetyNet to pass on patched boot.img? Is there a way to get it to pass on a rooted A12 rom?
5. Some time ago, I have accidentally flashed european vendor instead of chinese one (I own chinese K20 Pro). I had no problems with it so I ran it for a few months and then flashed it back to chinese. Might this be the source of ramdisk issue?
Big thank you to anyone who replies. I have no important data on my device so there is no need for a data-safe solution. I feel like existing flashing/rooting guides seem outdated as they mention A10 at best. After more than 2 years of owning this device I still love it and am not going to replace it anytime soon and I hope there are still people like me! Cheers!
Click to expand...
Click to collapse
Although Magisk official guide on Github is not clear about, for MIUI you should patch boot.img, not recovery, and do not pay attention to Ramdisk no.
However, when patching boot.img, watch to the log window and you will see it reports there that it found Ramdisk
And that procedure works fine on A11 as well - I have it (MIUI 12.5.2 on my side)
I suppose you have the official A11 and you installed over custom A12 ROM).
Old Magisk v23 was released before A12, hence you should IMO go for the new Canary or Alpha 23016
Btw, you will be IMO better askung in the Magisk General XDA thread
zgfg said:
Although Magisk official guide on Github is not clear about, for MIUI you should patch boot.img, not recovery, and do not pay attention to Ramdisk no (when patching boot.img, watch to the log window and you will see it reports that it found Ramdisk)
And that procedure works fine on A11 as well - I have it (I suppose you have the official A11 and you installed over custom A12 ROM)
However, old Magisk v23 was released before A12, hence you should IMO go for the new Canary or Alpha 23016
Btw, you will be IMO better askung in the Magisk General XDA thread
Click to expand...
Click to collapse
Thank you for replying.
I am aware of Magisk Canary, I used it to root my current A12 rom. Yes, I flashed it over the latest chinese MIUI firmware. Is there any way to pass SafetyNet with it though?
deadw0lf said:
Thank you for replying.
I am aware of Magisk Canary, I used it to root my current A12 rom. Yes, I flashed it over the latest chinese MIUI firmware. Is there any way to pass SafetyNet with it though?
Click to expand...
Click to collapse
If you are on Canary 23016 (latest), you must enable Zygisk, and reboot
Then enable Enforce DenyList and go to Configure DenyList, enable Show System and OS apps, find Google Play Services and checkmark com.google.android.gms and
com.google.android.gms.unstable, and reboot again
If you were on the official, certified ROM, that would be enough to pass SafetyNet (since new Magisk app has no more the built-in SN checker, use one from PlayStore like YASNAC)
With your custom ROM you would probably need Universal Safety Net Fix= USNF 2.2.1 (latest).
Maybe even Magisk Hide Props Config (if USNF not enough) to spoof your unofficial/not Google certified ROM fingerprints - you will need to figure out (pain in the ass with custom ROMs)
zgfg said:
If you are on Canary 23016 (latest), you must enable Zygisk, and reboot
Then enable Enforce DenyList and go to Configure DenyList, enable Show System and OS apps, find Google Play Services and checkmark com.google.android.gms and
com.google.android.gms.unstable, and reboot again
If you were on the official, certified ROM, that would be enough to pass SafetyNet (since new Magisk app has no more the built-in SN checker, use one from PlayStore like YASNAC)
With your custom ROM you would probably need Universal Safety Net Fix= USNF 2.2.1 (latest).
Maybe even Magisk Hide Props Config (if USNF not enough) to spoof your unofficial/not Google certified ROM fingerprints - you will need to figure out (pain in the ass with custom ROMs)
Click to expand...
Click to collapse
This is exactly what I needed, thank you!
I dont have this model phone but i faced the same problem, i just flashed ArrowOS S along with magisk but i didnt realised it has now ramdisk no, before i was using AICP and it has ramdisk yes, so i installed latest version of magisk and the system updated but i dont have root anymore, what can i do?
I use OrangeBox for flashing
Edit: also it does replace the custom recovery?
So I'm trying to get Android 12 working with root and SafetyNet passing. I found that all the guides to be wrong or outdated. Problem with the latest Magisk canary is that it does not support MagiskHide. Problem with the latest stable Magisk (v23) is that it doesn't support Android 12. Here are the combinations I've tried:
Canary Magisk APK, Canary Magisk boot image, with Universal SafetyNet Fix v2.2.1 (Zygisk)
Result: No way to test if safety net passes within Magisk, but it doesn't seem to work.
Canary Magisk APK, Stable Magisk v23 boot image, with Universal SafetyNet Fix v2.1.3 (Riru)
Result: Does not work. MagiskHide automatically turns off after every reboot, probably because the canary boot image does not support it.
Stable Magisk v23 APK, Stable Magisk v23 boot image
Result: Device fails to boot. fast food indicates in an invalid signature. presumably happening because stable magisk v23 does not support Android 12.
Based on these test results these are my assumptions:
1. There is no way to run Magisk 23 on Android 12, and this article and its screenshot are fake:
https://www.droidwin.com/how-to-roo...k-on-android-12/#STEP_6_Boot_to_Fastboot_Mode
and this also does not work: https://krispitech.com/how-to-pass-safetynet-on-rooted-android-12/
OR
It was possible and Android 12 September 5th patch level but somehow not the latest December build?
There is no advantage to running mismatched Magisk APK and boot image versions
Both the Zygisk and Riru versions of the SafetyNet Fix do not work on the latest Android 12 builds.
The new DenyList system does nothing in allowing a SafetyNet bypass.
The ONLY working method That can possibly bypass safety net on Android 12 is using either of these 2 Magisk forks:
Custom Magisk by TheHitMan7 (Can’t find download link)
Alpha Magisk by vvb2060 (Can’t find download link)
Are these assumptions correct? Can someone please correct my misunderstandings?
You need Universal Safetynet Fix v2.2.0 or v2.2.1 which was just released 10 days ago.
To be honest, I haven't tried v2.2.1 yet, but I would imagine it will work. I'm on v2.2.0 right now.
Get it from here: https://github.com/kdrag0n/safetynet-fix
I have been using Magisk Canary 23016, USNF 2.2.0, and MagiskHide Props Config 6.1.2 on my Pixel 5 running the December Android 12 release. SafetyNet passes, GPay works.
I have DenyList blocking both GPay and Google Play Store..
Either you have something configured wrong, or you're having a unique issue. Others have been able to pass SafetyNet using a similar configuration.
No, Magisk Stable does not currently support Android 12. You MUST use Canary 23016; none of the previous builds properly handle the vbmeta flags in the boot image header.
I'm using the latest magisk canary, USNF 2.2.1 and no magisk hide props and am passing. I have Zygisk enabled, but that's about it. Install was flawless. Followed V0latyle's thread on going from A11 to A12 when the canary update dropped.
Thank you everyone, I got it working the way you said! I was super close.
-----------------------------------
V0latyle said:
I have been using Magisk Canary 23016, USNF 2.2.0, and MagiskHide Props Config 6.1.2 on my Pixel 5 running the December Android 12 release. SafetyNet passes, GPay works.
I have DenyList blocking both GPay and Google Play Store..
Either you have something configured wrong, or you're having a unique issue. Others have been able to pass SafetyNet using a similar configuration.
No, Magisk Stable does not currently support Android 12. You MUST use Canary 23016; none of the previous builds properly handle the vbmeta flags in the boot image header.
Click to expand...
Click to collapse
I only blocked play services with deny list and it worked.
One of the guides told me to flash stock vbmeta (idk what this is), and this bricked it until I re-flashed the ROM. But I guess that's not needed anymore.
flyoffacliff said:
Thank you everyone, I got it working the way you said! I was super close.
-----------------------------------
I only blocked play services with deny list and it worked.
One of the guides told me to flash stock vbmeta (idk what this is), and this bricked it until I re-flashed the ROM. But I guess that's not needed anymore.
Click to expand...
Click to collapse
Which guide?
V0latyle said:
Which guide?
Click to expand...
Click to collapse
How to Root Pixel Devices via Magisk on Android 12
In this comprehensive tutorial, we will show you detailed steps to root your Pixel device via Magisk running Android 12.
www.droidwin.com
On step 7. It says it's not necessary for some reason on newer devices but pixel 5 and older still require it. What does flashing this file actually do? Like what's the file made of?
flyoffacliff said:
How to Root Pixel Devices via Magisk on Android 12
In this comprehensive tutorial, we will show you detailed steps to root your Pixel device via Magisk running Android 12.
www.droidwin.com
On step 7. It says it's not necessary for some reason on newer devices but pixel 5 and older still require it. What does flashing this file actually do? Like what's the file made of?
Click to expand...
Click to collapse
Nothing needs to be done with vbmeta as long as you're using Magisk 23016.
I'll try to explain what it is and what it does as simply as I can but there isn't really a simple explanation...
Some components of Android system security, such as Verified Boot, incorporate a means by which the data being loaded from critical partitions is checked in real time as it is loaded. This is called "device-mapper verity". The raw data itself is read at the block device level and used to create a hash; this hash is then compared to a reference hash to determine the data has not been modified. The partition that contains this reference hash is vbmeta.
When the Android 12 beta was first released, Magisk had not yet been updated to properly handle Android 12 boot image headers. Verified Boot is disabled for the most part when the bootloader is unlocked; however some elements still remain to ensure you're booting a proper device boot image. Magisk did not preserve necessary information in the boot headers, so the device wouldn't boot; we would get a message in bootloader stating failed to load/verify boot images
We figured out a workaround for this: disable dm-verity and vbmeta verification altogether. This was done by flashing the vbmeta partition with those two options:
Code:
flash vbmeta vbmeta.img --disable-verity --disable-verification
The problem with this is it has some sort of safety interlock that prevents system from loading if verity/verification are disabled and /data isn't clean. So, rooting required wiping data. You probably discovered this during your "brick": you got a screen reading Cannot load Android system. Your data may be corrupt.
We also discovered that the vbmeta workaround had to be performed every time vbmeta was flashed - meaning no OTA updates, because if vbmeta was flashed without the disable options, we wouldn't be able to boot a patched boot image, and even if we re-disabled verity/verification, the device still wouldn't boot unless data was clean. The only way to update AND reroot AND keep data was to ensure that verity and verification were disabled every time the device was updated.
Fortunately, Magisk 23016 fixed all of this. We don't have to mess with vbmeta anymore. Magisk properly preserves the flags in the boot header, meaning that AVB recognizes it as a legitimate boot image, and the device is happy.
has anyone able to pass safety CTSprofile ?
Basic integrity is pass but CTSprofile Check isnt passed...
anybody able to pass in A12 (OnePlus Nord)
tried all effort but dint work, even Universal SafetyNet Fix v2.2.1 (Zygisk) isnt working..
its makes Basic Integrity Fail after Flash ( Universal SafetyNet Fix v2.2.1 (Zygisk).
I roll back to A11 then sadly....
shhahidxda said:
has anyone able to pass safety CTSprofile ?
Basic integrity is pass but CTSprofile Check isnt passed...
anybody able to pass in A12 (OnePlus Nord)
tried all effort but dint work, even Universal SafetyNet Fix v2.2.1 (Zygisk) isnt working..
its makes Basic Integrity Fail after Flash ( Universal SafetyNet Fix v2.2.1 (Zygisk).
I roll back to A11 then sadly....
Click to expand...
Click to collapse
You're doing something wrong. Don't overlook anything. I'm on Android 12.1 and pass safety net, Google pay works, Netflix works.
Have you configured the deny list in magisk?? If not do that then. I'd start fresh, don't connect to anything on first start. Hide everything about those Google apps. Then add your accounts etc etc. This is what worked for me no problem
thatsupnow said:
You're doing something wrong. Don't overlook anything. I'm on Android 12.1 and pass safety net, Google pay works, Netflix works.
Have you configured the deny list in magisk?? If not do that then. I'd start fresh, don't connect to anything on first start. Hide everything about those Google apps. Then add your accounts etc etc. This is what worked for me no problem
Click to expand...
Click to collapse
I would like to know, how you are able to pass? I mean It is passed using Universal safetynet fix by Kdragon?
or without fix?
as you mention in your screenshot that you have put all google services in denylist,
I've already done that..
anything else ? you done it? can you show screenshot of your safetynet pass??
shhahidxda said:
I would like to know, how you are able to pass? I mean It is passed using Universal safetynet fix by Kdragon?
or without fix?
as you mention in your screenshot that you have put all google services in denylist,
I've already done that..
anything else ? you done it? can you show screenshot of your safetynet pass??
Click to expand...
Click to collapse
I'm using the latest safetynet fix v2.2.1 Kdragon
thatsupnow said:
I'm using the latest safetynet fix v2.2.1 Kdragon
Click to expand...
Click to collapse
Yes, you are able to pass both .. but i am having issue with OnePlus Nord A12..
On A11 i was able to pass without Universal fix..
but as I applied OTA of A12...
I lose safetynet pass.
let me know do you have any workaround?
I've applied Universal fix by Kdragon.. but before flashing Universal fix of Zygisk I was able to pass Basic Integrity but as soon as I flash Kdragon Universal fix of Zygisk both CTS profile & Basic Integrity gets failed... !!!!
I am still looking for solution to fix this issue..!! if you have any work around.. let me know.. I will do my best.. may be i need to modify device fingerprints with Security patch.? what you say?
shhahidxda said:
Yes, you are able to pass both .. but i am having issue with OnePlus Nord A12..
On A11 i was able to pass without Universal
I've applied Universal fix by Kdragon.. but before flashing Universal fix of Zygisk I was able to pass Basic Integrity but as soon as I flash Kdragon Universal fix of Zygisk both CTS profile & Basic Integrity gets failed... !!!!
Click to expand...
Click to collapse
shhahidxda said:
Yes, you are able to pass both .. but i am having issue with OnePlus Nord A12..
On A11 i was able to pass without Universal fix..
but as I applied OTA of A12...
I lose safetynet pass.
let me know do you have any workaround?
I've applied Universal fix by Kdragon.. but before flashing Universal fix of Zygisk I was able to pass Basic Integrity but as soon as I flash Kdragon Universal fix of Zygisk both CTS profile & Basic Integrity gets failed... !!!!
I am still looking for solution to fix this issue..!! if you have any work around.. let me know.. I will do my best.. may be i need to modify device fingerprints with Security patch.? what you say?
Click to expand...
Click to collapse
You do realise that your posting on the pixel 5 forum right?? I'd maybe go checkout what they are doing on the OnePlus side of the tracks
thatsupnow said:
You do realise that your posting on the pixel 5 forum right?? I'd maybe go checkout what they are doing on the OnePlus side of the tracks
Click to expand...
Click to collapse
Yes, I knew i am posting in Pixel 5 and this topic isnt mention on Oneplus section..
I am looking for a solution of this issue.. but nobody has mention it till now.
Android 12.1 + Magisk 25.1 + Zygisk + Google Play services on enforced Denylist > Works charmingly
Note 1: Enforce Denylist for all the Google Play services modules on Magisk.
Note 2: After reboot, clear data of Google Play services and Play Store to make a fresh start.
pseudokawaii said:
Android 12.1 + Magisk 25.1 + Zygisk + Google Play services on enforced Denylist > Works charmingly
Note 1: Enforce Denylist for all the Google Play services modules on Magisk.
Note 2: After reboot, clear data of Google Play services and Play Store to make a fresh start.
Click to expand...
Click to collapse
I have the same running on a Galaxy S10, but every time I put Google Play Services on the enforce Denylist and reboot it no longer shows there. I'm trying to be able to use my banking app, it worked charmingly on magisk 24 but not anymore. Any advice?
El3ssar said:
I have the same running on a Galaxy S10, but every time I put Google Play Services on the enforce Denylist and reboot it no longer shows there. I'm trying to be able to use my banking app, it worked charmingly on magisk 24 but not anymore. Any advice?
Click to expand...
Click to collapse
What do you mean by "it no longer shows there"? Does the Google Play services disappear after putting on denylist? Did you enable the "Enforce Denylist" option? Did you do a retest of SafetyNet after reboot?
El3ssar said:
I have the same running on a Galaxy S10, but every time I put Google Play Services on the enforce Denylist and reboot it no longer shows there. I'm trying to be able to use my banking app, it worked charmingly on magisk 24 but not anymore. Any advice?
Click to expand...
Click to collapse
Yea and it won't stick I've tried that too. You don't need to add Google Play services to the deny list anyway
thatsupnow said:
Yea and it won't stick I've tried that too. You don't need to add Google Play services to the deny list anyway
Click to expand...
Click to collapse
If you're using Universal Safetynet Fix, Play Services is blocked out of the box. I had the same thing happen in one of the newer releases and thought it was an issue. It isn't. Play Services is blocked even though it doesn't show it.