Safetynet can be easily bypassed by :
step 1 : hide magisk
step 2 : turn on zygisk and enforce deny list
step 3 : open configure deny list & apply deny list on google apps | eg: google play services and playstore, etc.., (don't forget to clear cache & data)
step 4 : install riru module
step 5 : restart your phone
step 6 : install universal safety net fix module
step 7 : restart your phone
in newer version of magisk manager, magisk hide functionality is replaced by deny list
download modules from links given below or you can directly download it via files i attached
riru module link : (https://github.com/RikkaApps/Riru/releases)
universal safetynet-fix module link : (https://github.com/kdrag0n/safetynet-fix/releases)
Small clarification:
The deny list is currently (as of writing this) only available on unofficial Magisk releases. Any official Magisk release after build 23001 will have the deny list rather than MagiskHide.
Didgeridoohan said:
Small clarification:
The deny list is currently (as of writing this) only available on unofficial Magisk releases. Any official Magisk release after build 23001 will have the deny list rather than MagiskHide.
Click to expand...
Click to collapse
Yes, rooting this device via stable version is causing bootloop for now but alpha version(706a4922-alpha) is working fine that's why i mentioned deny list
Safety net stops working after few days then i have to flash riru and safety net again and it works 1,2 days then again it stops working, do you have any solution for this?
I cant get get the step 1 : hide magisk option to work.
When I click that option, it asks me for a new package name and it creates a new icon in the app drawer with that name, but it doesn't do anything. the original magisk icon still opens the app.
When i check safetynet in the app, it still says failed.
Any idea what I'm doing wrong?
Thanks for the guide. Currently running Derpfest 12 on a OP5T and Magisk 24.
Riru is suspended with zygote activated, whilst SafetyNet fix is suspended when it is not enabled.
In my case GPay works with zygote disabled, thus USNF working.
This is a discussion and help thread for the newer versions of Magisk.
The main goal of this thread is to help users migrate to Magisk v24+
SafetyNet
Basic integrity Pass
CTS profile match Pass
Play Protect certification
Device is certified
Feel free to discuss or give links to other Magisk related issues.
Fixes for gPay, banking apps and/or other apps and games that detect a 'compromised' Android system.
Please try to restrain from discussing alternative (unofficial) Magisk builds that include changes that were removed or can not be included in the official Magisk builds.
Please read John's State of Magisk (medium.com)
State of Magisk: 2021
State of Magisk: 2020
Starting with the Magisk 23 (23010) canary builds.
MagiskHide is removed.
MagiskHide masked the sensitive properties of the device to hide it from SafetyNet.
Renaming (repackaging) the Magisk app is/was not part of MagiskHide.
You still have the option to Hide the Magisk app under setting.
Magisk Module online Repo is removed.
The Magisk Module online Repo is still available and can be accessed outside of the Magisk app.
Everything SafetyNet is removed.
This includes the SafetyNet check that was incorporated into the Magisk app.
Zygisk is introduced.
Zygote + Magisk = Zygisk
The Deny list replaces the Hide list.
The Hide list (more or less) hid Magisk from the process on the list.
The Deny list is similar but instead of hiding Magisk from the process, Magisk is unloaded so there is nothing to hide.
Starting with the Magisk 23 (23017) canary builds.
Magisk supports update channels per module.
Each module can include it's own update link.
Hide Magisk offline.
You do not need internet connection to rename (repackage) the Magisk app.
What does this mean?
Not much.
It is just the next step in Magisk's development.
Zygisk is a big step forward.
Even before these changes in Magisk, the xda family and the Android community have always been active and willing to share.
Jump to PostMagisk - Modules - Apps - Force Basic Attestation - Basic Attestation - Adjust Prop values - Notes - Points of Interest
This is post will be updated once Magisk v24 is released.
MagiskThe Magic Mask for Android.
Magisk Links:
GitHub
Installation Instruction
Frequently Asked Questions
Magisk Documentation
Magisk Troubleshoot Wiki (by Didgeridoohan)
Release Notes
Download Links:
Stable and Beta releases.
GitHub
Canary
GitHub
The notes.md file is the change log.
The app-debug.apk is Magisk canary.
Click on app-debug.apk and choose View Raw or click on the Download option.
Credits:
topjohnwu
All who contribute and support this project.
Modules
MagiskHide Props Config
This module allows you to add, change and adjust prop values systemlessly using Magisk.
MagiskHide Props Config Links:
GitHub
xdaThread
Download Links:
GitHub
Credits:
Didgeridoohan
All who contribute and support this project.
Universal SafetyNet Fix
It has been a year now since kdrag0n figured out how to 'trick' SafetyNet.
This 'trick' has been implemented properly into quite a few custom roms.
For custom roms that do not include it and/or stock roms, he turned it into a module.
Universal SafetyNet Fix Links:
GitHub
xdaThread
Download Links:
GitHub
Credits:
kdrag0n
All who contribute and support this project.
Apps
Fox's Magisk Module Manager
This app allows you to manage and install Magisk modules.
Including from an online repo.
Fox's Magisk Module Manager Links:
GitHub
Download Links:
GitHub
Credits:
Fox2Code
All who contribute and support this project.
Play Intergrity API Checker
This app shows info about your device integrity as reported by Google Play Services.
If any of this fails could mean your device is rooted or tampered in a way (for example you have an unlocked bootloader).
Development:
GitHub
Download Links:
PlayStore
Credits:
1nikolas
All who contribute and support this project.
YASNAC - Yet Another SafetyNet Attestation Checker
YASNAC (short for Yet Another SafetyNet Attestation Checker) is an Android app that demonstrates SafetyNet Attestation API.
YASNAC Links:
GitHub
PlayStore
Download Links:
GitHub
PlayStore
Credits:
RikkaW
All who contribute and support this project.
Force Basic Attestation
Newer devices are designed to support hardware attestation.
Currently there is no way to hide the sensitive device properties when checked using hardware attestation.
To get around this, kdrag0n figured out how trick SafetyNet that the device does not support hardware attestation.
SafetyNet will then fall back to check using basic attestation.
Note:
This method will work for devices that support hardware attestation and devices that do not.
Enable Zygisk.
Install the USNF module.
Reboot
To keep posts short, the instructions are hid by spoiler tags.
Spoiler: Instructions
If you have not installed Magisk.
Follow the installation link in the Magisk post.
Download the Universal SafetyNet Fix module.
Download link is in the Modules post.
Enable Zygisk
Open the Magisk app.
Go to Settings.
Scroll down to the Magisk section.
Toggle Zygisk on.
Go back to the Magisk Home screen.
Go to Modules.
Select Install from storage.
Navigate to the Universal SafetyNet Fix module zip file and select it.
Reboot.
The USNF module will adjust the sensitive props that are needed to pass SafetyNet.
Depending on the device and system (ROM) configuration, you might need to adjust a few more.
See the Adjust Prop values post.
Basic Attestation<Reserve>
Older devices that can not support hardware attestation there are other options.
Enable Zygisk.
Enable Denylist.
Add com.google.android.gms.unstable to the Denylist.
Add com.google.android.gms to the Denylist if needed.
Reset the sensitive prop values for the device.
Click to expand...
Click to collapse
Due to other modules and methods that require DenyList to be inactive, this method is more for reference.
For ease of use and compatibility, I would recommend using the USNF module instead.
See the Force Basic Attestation post.
This post will be updated in a few days.
Adjust Prop values<Reserve>
Reset sensitive prop values.
Spoiler: Instructions
Download the MagiskHide Props Config module.
Open the Magisk app and select the Modules option.
Select Install from storage option.
Navigate to where you saved the MHPC module and select it.
When the install is done, reboot.
Open a terminal app (or adb shell) and type props in the command line.
Make sure to grant root access
Select the Edit MagiskHide props (active) option.
(Currently option number 4)
It will show you the sensitive props that need to be adjusted.
If they all show (active) no changes needed.
If there is a prop value that shows as (enabled, not active) then you need to activate it by selecting it or a for all.
You will be prompted to set MagiskHide sensitive props?
Enter y(es), n(o) or e(xit):
If you are using a custom rom, you might also have to adjust the build fingerprint and security date.
From the MHPC main menu select Edit device fingerprint option.
(Currently option number 1)
Select Pick a certified fingerprint option.
(Currently option f)
Select the latest certified print for your device.
If your device is not listed, choose a device that is close to yours.
This post will be updated soon.
NotesandCommon Issues<Reserve>
Spoiler: SafetyNet
<Reserve>
Spoiler: Play Protect certification
<Reserve>
Spoiler: PlayStore App Purchases and Updates
<Reserve>
Points of Interest.
LSPosed
Zygisk releases are now included.
Download Links:
GitHub - Releases
Shamiko
Download Links:
GitHub - Releases
Denylist Unmount
Download Links:
GitHub - Releases
Yay! I get post no. 10!
Good to see this thread up Doc! ... How are you linking / promoting it?
Want mentions in Magisk General Discussion thread, or not for now?...
I note that this thread has the advantage of having an active OP...
So what? - Means I can post rubbish and it will be cleaned! ... Love a clean house... Hope you're a good housekeeper @ipdev! PW
zputnyq said:
Hi all,
I'm on TJW's canary 23019.
Does anyone know/could explain what is/are the difference(s) with enforce denylist activated and not activated ?
Click to expand...
Click to collapse
denylist (which preserves some of MagiskHide infrastructure) is active, or not active...
Nb. For Zy-Shamiko hiding module solution to work, this needs to be deactivated for Shamiko to do the hiding itself; Shamiko just uses the same list for convenience / simplicity... PW
Edit: Lets kickstart things here!
pndwal said:
denylist (which preserves some of MagiskHide infrastructure) is active, or not active...
Nb. For Zy-Shamiko hiding module solution to work, this needs to be deactivated for Shamiko to do the hiding itself; Shamiko just uses the same list for convenience / simplicity... PW
Edit: Lets kickstart things here!
Click to expand...
Click to collapse
Ok, I get it. Thank you.
I was confused since I use an old device which doesn't really need this part to do the hiding & on v23017 John made that part work along with the configure denylist, I mean configure denylist is greyed out when denylist part isn't active.
zputnyq said:
Ok, I get it. Thank you.
I was confused since I use an old device which doesn't really need this part to do the hiding & on v23017 John made that part work along with the configure denylist, I mean configure denylist is greyed out when denylist part isn't active.
Click to expand...
Click to collapse
You could do worse than read the first 5 posts here! PW
Thanks @ipdev
I tried to put a short help for probably the most frequent posts/questions soon to expect.
(Sorry for cross-posting, I first put to the old and cluttered General Magisk thread but this is now better place)
===
Please carefully read Magisk Changelog and OP posts in this thread
Study the Magisk documentation from the official Magisk Github page - particularly about installing Magisk (if not familiar with patching the image in Magisk app and flashing the patched img from Fastboot- different from the old school about flashing Magisk zip through TWRP)
a) No more MagiskHide. New technology instead (for more or less the same - to help hiding root): Zygisk+DenyList
b) No more built in SafetyNet checker. Install from PlayStore e g: YASNAC to check your SN
c) Modules window does no more connect to the old Modules repository.
You must download module zip files manually and "Install from local storage".
Or search for and install Fox Magisk Module Manager (Fox Mmm) app - it will connect to the new, alternative repository and the old 'official' repo, allowing you to install from both
---
0) If upgrading Magisk and if you previously did "Hide Magisk app/Mngr" from Magisk app/mngr - always "Restore Magisk app/Mngr" before upgrading Magisk
1) Make sure that both Magisk app and Magisk are installed and updated to the new version v24 version. Inspect version numbers on the main Magisk window/page
2) Make sure to uninstall all Riru modules (Riru is not compatible with Zygisk that comes with Magisk v24)
3) Settings, Enable Zygisk and reboot.
Then check on the main window does it show Zygisk Yes
4) Settings, enable Enforce DenyList.
Configure DenyList, enable filters to Show OS and System apps.
Find Google Play Services and check-in only the two processes ending with gms and gms.unstable.
You will have to check in all your banking apps and so as you used with MagiskHide.
Always reboot upon reconfiguring DenyList
5) If SafetyNet does not pass, install USNF 2.2.1 and test again.
Always reboot upon installing a module, also if/when you enable Systemless Hosts
Note: Once you install/enable USNF 2.2.1, it will remove Google Play Services from your DenyList - but don't worry, USNF takes care of GMS
6) If you are on non-certified custom ROM and you still don't pass SN - then you will need Magisk Hide Props Config module - check for and consult the MHCP thread
---
If you want to hide Zygisk, then instal Shamiko module - and you must disable Enforce DenyList (although DenyList must stay configured).
But Shamiko is really not essential (might help for some banking apps but it's irrelevant for SafetyNet)
---
Banking apps - out of scope for this post (also, this thread is about the Magisk v24 itself, not abkut the particular banking apps)
Go to Magisk Github documentation, read Wiki, there is a section with tips you should try first
If putting your banking app to DenyList (now, instead of the old Magisk Hide) and hiding Magisk app does not help, and the other tips from Wiki do not help (like renaming TWRP folder and so), search in this thread how to use Hide My Applist (Zygisk-LSPosed module)
Every time you apply another tip to your troublesome banking app - go to Settings, Apps, and delete Cache and Data for that banking app before you try to open it again (some apps will cache that they previously found the phone was rooted)
Even with HMA, there are certain banking apps that cannot be tricked (on some phones like Xiami, etc)
---
Momo - absolutely not essential for your life
When you pass SN, Momo might still detect that your Bootloader is unlocked - you cannot hide it from Momo on e.g. Xiaomi phones
Generally, treat Momo as 'banking' apps (add to DenyList and reboot)
Momo does not look for apps (Magisk app, LSPosed mngr, LSPosed modules), hence for Momo you don't need to bother with HMA
Basic tips for Momo: Remove/rename TWRP folder, disable USB Debugging - for the rest, search for Momo posts in this thread - but still, there will be findings you could not hide from Momo (not encrypted Data, custom ROM, etc)
===
PS: Magisk Alpha v24.1 (vvb2060 and her team) has departed their way (different package name, revival of MagiskHide?), hence this post is now (mainly) for the official TJW Magisk Stable and Canary v24
(Some parts do apply also to Alpha but use Alpha on your own risk and ask the other Alpha users about the Alpha status and practices)
===
Last but not the list - there night be specifics for certain phones (like flashing with Odin for Samsung, end so on)
This post is generic, for your specific practices read/search through this thread and also on your phone/model subforuns on XDA
Hello - sorry if obvious but I'm having issues getting some apps checking for root to pass. I think the issue might well be the statement related to "Google Play Services and check-in only the two processes ending with gms and gms.unstable."
Regardless of whether I tick just these two, or if I tick the whole of Google Play Services, once I reboot and if I go back into Magisk the app reports that these services are no longer hidden.
This is Pixel6Pro Stock, January update, Magisk canary (but 24001 that synced with the public build) + Zygisk + USNF 2.2.1
Thank you
Chris
@ipdev
Thread was pinned. Thx for your effort
Nice. Will we be able to run a module like fakegapps without riru/LSPosed?
crypticc said:
Hello - sorry if obvious but I'm having issues getting some apps checking for root to pass. I think the issue might well be the statement related to "Google Play Services and check-in only the two processes ending with gms and gms.unstable."
Regardless of whether I tick just these two, or if I tick the whole of Google Play Services, once I reboot and if I go back into Magisk the app reports that these services are no longer hidden.
This is Pixel6Pro Stock, January update, Magisk canary (but 24001 that synced with the public build) + Zygisk + USNF 2.2.1
Thank you
Chris
Click to expand...
Click to collapse
No, you don't need to add Play Services processes w/ Zy-USNF as I explained here:
https://forum.xda-developers.com/t/magisk-general-support-discussion.3432382/post-86321879
Download YASNAC and check if you pass SafetyNet, then that you have Play Protect Device is certified in Play Store settings... If you have these, Bank app is using its own custom detection methods... PW
kurtn said:
Nice. Will we be able to run a module like fakegapps without riru/LSPosed?
Click to expand...
Click to collapse
Yes, Use Zygisk-LSPosed. PW
pndwal said:
No, you don't need to add Play Services processes w/ Zy-USNF as I explained here:
https://forum.xda-developers.com/t/magisk-general-support-discussion.3432382/post-86321879
Download YASNAC and check if you pass SafetyNet, then that you have Play Protect Device is certified in Play Store settings... If you have these, Bank app is using its own custom detection methods... PW
Click to expand...
Click to collapse
Yes I appreciate that. I guess my question was if it is correct that after reboot USNF deselects the gms and gms.unstable
Thanks for the explanation.
FYI found what was triggering the app and got it working. Before I had just renamed Magisk (I renamed to MagicApp if that matters) but that didn't work. Also "pausing" the app wasn't enough.
I needed to actually uninstall the Magisk Manager app itself.
So the mechanism being used by the other app wasn't looking for Magisk/SU, but the app iself.
The App failing doesn't have any local file permissions so must've been something else.
Actually I found two apps failing root check and both were resolved by uninstalling the (renamed) Magisk APK.
So I wondered if the app was simply listening to debug messages.
So I reinstalled and then reproduced the failure looking into ADB logcat.
I could see during opening and just before the protection was triggered logcat events against the ".Magisk" app related to denying access. Uninstalling Magisk app stopped those messages and then the app was able to start.
Should Magisk "hiding" the magisk manager app by renaming it from ".Magisk" also have relabelled all of the messages and such related to the app?
If your Tab S8, S8+, or S8U is failing safetynet, thus preventing you from using apps like Netflix, then this is the guide to follow. I made this same post in another how-to guide for the Tab S8, but I decided to make a dedicated thread for it.
(FYI: I did the following steps on my rooted Tab S7+, but these instructions should also work for the Tab S8, S8+, and S8 Ultra.)
Prerequisites:
- Rooted Tab S8 device
- Unlocked bootloader
- Latest version of Magisk
Step 1. Enable Zygisk in Magisk settings, then reboot.
Step 2. Enable Enforce DenyList in Magisk settings, then go to Configure DenyList.
Step 3. Enable show system apps with the menu on the top-right, then search "google play services".
Step 4. Enable DenyList for com.google.android.gms & com.google.android.gms.unstable, then reboot.
Step 5. Install YASNAC and open it to run safetynet attestation, you should be passing basic integrity but failing cts profile match. (If at this point you're passing both, skip to step 8)
Step 6. Download and install the latest version of the safetynet fix for zygisk module, then reboot.
Step 7. Check YASNAC again, you should now be passing basic integrity and cts profile match.
Step 8. Go to settings > apps, find google play service & google play store, clear data for both of them, reboot.
Step 9. Go to the play store > settings, play protect certification should now say "device is certified".
Step 10. Open Magisk > Configure DenyList, search for Netflix (enable show system apps if you need to), enable DenyList for everything, reboot.
Step 11. Update Netflix if it's not up to date. If the play store is allowing you to update Netflix at all, then you're good to go.
If everything working, you're now passing safetynet and can use Netflix on your rooted Tab S8 device!
Added to my Root Guide post here - https://forum.xda-developers.com/t/root-guide-for-galaxy-tab-s8-s8-s8ultra.4423095/post-86658899
I was writing it up after I had already rooted and had mine passing SafetyNet, so please let me know if I missed anything.
com.google.android.gms & com.google.android.gms.unstable will be auto removed from denylist after reboot. I have tried multiple time. Same issue is reported here:
https://www.reddit.com/r/Magisk/comments/v41m31
oooooooor, you create a separate user profile (non-admin) and put all those root-sensitive apps there. Since root applies only to the main user you avoid all the fuss with trying to fool safety net.
I never understood why this advice isn't seen more often. Everyone seems locked in to having just one user profile.
Hello,
I've rooted my p7, how am i supposed to pass safety net?
I've used pixelflasher to root, install magisk and update.
In magisk, I've tried many times to set the "Google Play service" in the exclusion list, it always get uncheck.
I've installed the safety net fix in magisk.
Be sure to check play service, wallet... And empty their cache, all that in airplane mode and reboot.
But still... Play service become uncheck on exclude list and Google Play direct certified my device... Bank apps didn't work ...
What is different with the p7 than the p5?
My p5 is easy to do all that, i can flash the modified boot from magisk easily, which can't be done in cmd with the p7, only pixelflasher have been able to
Hide Magisk, use Zygisk denylist and Displax's universal safetynet fix.
https://forum.xda-developers.com/t/...nlock-bootloader-pass-safetynet-more.4505353/
1. Install displax's safetynetfix
2. Hide Magisk
3. Enable Zygisk
4. Enforce DenyList
5. Configure DenyList and check all your required apps (clear storage for apps already installed)
6. Install AirFrozen
7. Freeze Magisk in AirFrozen and now your banking apps should work fine
dewri21 said:
1. Install displax's safetynetfix
2. Hide Magisk
3. Enable Zygisk
4. Enforce DenyList
5. Configure DenyList and check all your required apps (clear storage for apps already installed)
6. Install AirFrozen
7. Freeze Magisk in AirFrozen and now your banking apps should work fine
Click to expand...
Click to collapse
I did like this but didn't use AirFrozen. I hid Magisk from within Magisk and my banking apps work fine and I'm device certified. Also, when using DenyList I expanded all the Google Play apps and made sure all the subcomponents were selected rather than just the one's picked by default. Accepted my choices with the arrow at the top of the screen rather than the nav button which seemed sometimes to not save my choices. YMMV.
Releases · Displax/safetynet-fix
Google SafetyNet attestation workarounds for Magisk - Displax/safetynet-fix
github.com
v2.3.1-mod_2.0 is required. Older version won't pass device integrity.
Hid magisk, enabled zygisk and denylist, but didn't need to deny any google apps. No shamiko either.
Use https://play.google.com/store/apps/details?id=gr.nikolasspyr.integritycheck to confirm you pass both device and basic integrity.
Still have L1 too
ktdt00 said:
I did like this but didn't use AirFrozen. I hid Magisk from within Magisk and my banking apps work fine and I'm device certified. Also, when using DenyList I expanded all the Google Play apps and made sure all the subcomponents were selected rather than just the one's picked by default. Accepted my choices with the arrow at the top of the screen rather than the nav button which seemed sometimes to not save my choices. YMMV.
Click to expand...
Click to collapse
I had to use AirFrozen for two of my banking apps. Rest were fine. So in case any banking app doesn't work, you know what to do.
Prevent Root Detection in all apps inc banking - fully functioning work profile - MS Teams - Outlook etcI have seen some crazy guides floating around in order to prevent root detection and just wanted to share how I achieved it.
After smashing the screens of 6 pro, followed by 6a, I now have a pixel 7 as of yesterday woohoo.
(i'll order screens from china for the other two pixels as the local price in UK is ridiculous)
Pixel 7 (Panther) - Android 13 May 23 security patch - TQ2A.230505.002
Magisk Canary Official 26102 - Unlocked bootloader, flashed magisk patched init_boot.img from fw named above
Enabled Zygisk
Hide the Magisk app (I reinstalled as "SettingsMA")
Configure DenyList (all work profile apps) ie. company portal / teams / outlook - I simply searched for "Microsoft" "Azure" & then "Office" , oh and personally I also hide google wallet
Do not enforce DenyList
Cleared storage of teams and outlook apps
LSPosed-v1.8.6-6712-zygisk-release.zip reboot
LSPosed v 1.8.6 6901 zygisk release.zip reboot
safetynet-fix-v2.4.0-MOD_1.2.zip Displax Mod reboot
Shamiko-v0.7.3-174-release.zip reboot
IAmNotADeveloper 1.0.2 - Installed apk and enabled in LSPosed against company portal / office 365 / authenticator and then within lsposed, select this app and choose install to work profile, ignore the warning, lsposed now has a work profile tab to load it against all of the apps
Other module(s) installed without a direct impact
AOSPMods-253.zip Canary - update to canary from within app/updates section of standard release AOSP mods
Substratum and Liv Dark theme from playstore
All working like a dream, no longer detecting root on anything
the key to the above working is simply Shamiko - the same guide without shamiko and instead enforcing DenyList does not work
Thanks to all of the developers of the above tools, mods, apps!
Update 06/06/23: LSPosed version initially posted still caused work profile to intermittently detect root, using 6901 instead, resolves this issue.