Revision [853]

This is an old revision of MagiskHideSafetyNet made by didgeridoohan on 2020-05-25 13:03:29.

 


SafetyNet


Passing SafetyNet

If everything works out, SafetyNet should pass with no further input from the user, as long as your device fulfills the basic requirements. Nothing needs to be added to the Hide list. You can see in the Magisk Manager if it works by checking the SafetyNet status, or in the SafetyNet checker of your choice (just make sure that you use one that is properly updated to check the SafetyNet status). If SafetyNet doesn't pass after enabling Hide, try rebooting (also see “MagiskHide isn’t working”).

Google continuously updates SafetyNet. Currently, no versions prior to Magisk v13.3 will pass SafetyNet without major workarounds.

What triggers SafetyNet?

There are two parts to the SafetyNet check, CTS Profile and Basic Integrity.

Examples of when ctsProfileMatch will report as false (failed):
- Uncertified device (the manufacturer haven't applied for Google certification)
- Unlocked bootloader
- Custom ROM
- Signs of system integrity compromise (rooting, etc)
- Signs of other attacks (Xposed, EdXposed, etc)

Examples of when basicIntegrity will report as false (failed):
- Signs of system integrity compromise (rooting, etc)
- Signs of other attacks (Xposed, EdXposed, etc)

Several (but not all) of the things mentioned above can be hidden by Magisk. See what Magisk can and cannot hide under Basics.

Test MagiskHide

First thing to do is to make sure that MagiskHide is enabled (since Magisk v20.4 MagiskHide is disabled by default), or if it is on toggle MagiskHide off and on again. Sometimes MagiskHide stops working temporarily after an update of Magisk or the Manager. If SafetyNet still doesn't pass, make sure MagiskHide is actually working by using a root checker or a root app. Start by making sure the app can detect that your device is rooted. After that, add the app to the Hide list and see if it no longer can detect root. If that is the case, MagiskHide is working on your device. If you can't get it to work, see "MagiskHide Issues".

It can of course also be any other mod that you've done to your device outside of Magisk, so check those as well.

SafetyNet fails after an update

If SafetyNet starts failing after an update to either Magisk, the Manager or both it's usually fixed by toggling MagiskHide off and on (see ”Test MagiskHide above”). It might be necessary to reboot after toggling the setting off and on.

CTS profile mismatch vs Basic integrity

There are two parts to a SafetyNet check, CTS compatibility and Basic integrity. The CTS check is a server side checkup up that's difficult to spoof, while Basic integrity is done on the device side and is a lower level of security. Some apps only use the Basic integrity part of the SafetyNet API and thus can be used even if SafetyNet doesn't fully pass.

Both CTS profile and Basic integrity fails

MagiskHide needs to be enabled. Start there. If MagiskHide is enabled and working (see Test "MagiskHide" above), and both checks fail you might be successful if you clear cache for Google Play Services. If that doesn't help you should also make sure that you don't have a mod or module that is triggering SafetyNet (see "Check your modules and mods" below).

CTS profile fails but Basic integrity passes

MagiskHide needs to be enabled. Start there. If MagiskHide is enabled and working (see Test "MagiskHide" above), and you still can't pass the CTS profile check, but Basic integrity shows as true, that basically means Google doesn't trust your device for some reason (also see "Unlocked bootloader" and "SafetyNet incompatible devices and ROMs" below). You should be able to fix this by matching prop values with a ROM that passes SafetyNet (see "Matching official prop values to pass SafetyNet" and "Spoofing device fingerprint" below).

CTS profile passes but Basic integrity fails

This means that SafetyNet is actually failing and you are likely using a mod like the Xposed HiddenCore module that is trying to spoof the CTS profile check result.

Both CTS profile and Basic integrity passes

Everythings good. You can stop reading (at least this section of the guide).

Check your modules and mods

In March 2020 Google didn't just start using hardware key attestation (see "Unlocked bootloader" below), but they also tigthened down what kind of modifications SafetyNet detects. If you suddenly start failing both CTS and basic integrity, try disabling or uninstalling the last module you intalled, or try enabling Magisk's Core Only mode. If you can pass SafetyNet fully with that module disabled or Core Only Mode enabled you know it is that/one module that is causing the issue. If you do not know which module, disable Core Only Mode again and then disable each module individually until you find which one is the culprit.

Unlocked bootloader

In March 2020 Google flexed their muscles and showed us that they are ready to implement proper hardware key attestation in the SafetyNet check. By doing this they can easily detect if the bootloader is unlocked and as a result the CTS profile check will fail. This check is impossible to circumvent and as a result Magisk will no longer be able to make SafetyNet pass fully (basic integrity will still pass). This applies to all devices that have shipped with the proper hardware (any device that ships with Android 8+ is required to have it). Any device with this hardware will not be able to pass CTS, no matter which of the methods below are tested.

So far, Google have not implemented this fully, but it is just a matter of time.

Topjohnwu has written a faq that can be found here:
https://twitter.com/topjohnwu/status/1237830555523149824?s=20

SafetyNet incompatible devices and ROMs

There are devices/ROM’s that just won’t be able to pass SafetyNet. This might have to do with how the ROM is built, and if so there is nothing the user can do to change it.

But, fortunately, most of the time it is much simpler than that.

All custom ROMs are incompatible with SafetyNet out of the box (unless the ROM creator uses the described method below and uses a certified device fingerprint instead of the on that matches the ROM). This has to do with how Google certifies devices, CTS certification (Compatiblity Test Suite). If a device hasn’t passed the Google certification process, or if the ROM alters how the device is perceived by Google, it won’t be able to fully pass SafetyNet (CTS profile mismatch). You might be able to get basic integrity to report as true (see Checking if Basic integrity passes above) and this would mean that MagiskHide is working as it should and it's most likely a simple CTS certification issue.

You can match your ROM's ro.build.fingerprint (and possibly other props, like ro.build.version.security_patch) with an official ROM for your device, or any other device that is certified, to make it pass SafetyNet fully (see "Matching official prop values to pass SafetyNet" and "Spoofing device fingerprint" below).

Matching official prop values to pass SafetyNet

If you use an unofficial/developers ROM you might have to match an official/stable ROM's details (usually ro.build.fingerprint and possibly ro.build.version.security_patch) to pass the SafetyNet CTS profile check (also see "Spoofing device fingerprint" below).

coolguy_16 have made a guide for Moto G 2015 here. Thank you to diegopirate for the tip.

Spoofing device fingerprint

Try changing your device's ro.build.fingerprint to a device's/ROM's that is known to pass SafetyNet. The Magisk module MagiskHide Props Config can do this. This can also be done with a boot script (don't forget to set the proper permissions for the script to execute) and the resetprop tool (also see "Sensitive props").

To change the device fingerprint with a boot script, add the following to a file you place in /data/adb/service.d (and don't forget to set the proper permissions for the script to execute):
#!/system/bin/sh
resetprop ro.build.fingerprint <fingerprint value>

Depending on your ROM and/or device you might also have to edit ro.bootimage.build.fingerprint, ro.system.build.fingerprint, ro.vendor.build.fingerprint and ro.odm.build.fingerprint. It's not necessary for passing the CTS profile check, but if your ROM has one of these other props and you don't match them with the used fingerprint you may get a warning at boot about your device having an internal problem.

If the device fingerprint is from an Android build after March 16 2018 you'll also have to match that build's Android Security Patch date (ro.build.version.security_patch). This is automatically done by MagiskHide Props Config, but otherwise you can go about it the same way as described above.

The response is invalid

This basically means that your device can't get a proper response from the Google servers, for whatever reason. It says nothing about wether your device actually passes SafetyNet or not...

If you get an invalid response result when checking SafetyNet it might mean that the app you're using to check SafetyNet hasn't been updated to work with the latest version of the SafetyNet API.

This response might also mean that Google's servers are down at the moment.

Another thing to try is to force close Play Services, clearing it's data and/or rebooting the device.

You could also try using a different GAPPS package (if you're on a custom ROM) or update the Play Services manually by downloading the latest version from APKMirror.

Make sure that you have a proper working internet connection and that there's nothing interfering (firewalls, etc).

SafetyNet check never finishes

If the SafetyNet status check never finishes (make sure to wait a while), it might mean that your Google Play Services aren’t working properly or have crashed. Try force closing Play Services, clearing data and/or rebooting the device.

You could also try using a different GAPPS package (if you're on a custom ROM) or update the Play Services manually by downloading the latest version from APKMirror.

SafetyNet API error

This error is usually caused by the app you are using to check SafetyNet not having internet access or the snet.apk not downloading properly if you're using the Magisk Manager. If you're using the Magisk Manager, try clearing data for it and make sure that you have a working internet connection when starting the SafetyNet check. The Manager need to download the necessary files to be able to do the check and internet access is required to get a response from Google's servers.

Device uncertified in Play store/Netflix (and other apps) won't install or doesn't show up

If some apps won't install or doesn't show up in the Play store, check the Play store settings. At the bottom there might be a section called "Device certification". Some apps won't install if this shows "uncertified" (a couple of known apps are Netflix and Mario Run). It might even be that your device show "certified" and they don't show up. Even if there isn't a "Device certification" section in your version of the Play store, try the below if you have issues with apps like Netflix not installing or showing up.

The solution is to make sure your device passes SafetyNet and then clear data for the Play store and reboot. If you have multiple users on your device, you might have to clear data for all users. Next time you open up the Play store, "Device certification" should show "certified" and the apps should be able to install/show up again. You might have to wait a bit before the apps show up. Some users have reported having to wait mere minutes, others several hours up to a whole day.

Permissive SELinux

MagiskHide can usually mask a permissive SELinux and let you pass SafetyNet anyway. But, it has been reported that this is not successful on all devices. If you have SELinux set to permissive, try changing it to enforcing and check SafetyNet again.

Passing SafetyNet with EdXposed installed

Google can detect if you have EdXposed installed, but you can usually work around this by making sure you're using the latest release and using things like the EdXposed Managers Blacklist feature and enabling it for Google Play Services, Play Store and Services Framework.

I still can't pass SafetyNet

Start by clearing data for Play Services and the Play Store. There have been reports of this making SafetyNet passing. It's also a good idea to read through the rest of the guide. For example More hiding tips, MagiskHide Issues, Other things to try, Asking for help/reporting bugs and other parts.

Changing ROM or completely wiping your device and starting out clean might also be a good idea.
Valid XHTML :: Valid CSS: :: Powered by WikkaWiki