Wiki source for MagiskHideSafetyNet



@@[[MagiskHide | -- To the top/main article --]]@@
=====**{{color text="SafetyNet" c="blue"}}**=====

===**Passing ""SafetyNet""**===
If everything works out, ""SafetyNet"" should pass with no further input from the user, as long as your device fulfills the [[https://didgeridoohan.com/magisk/MagiskHideBasics | basic requirements]]. Nothing needs to be added to the Hide list. You can see in the Magisk Manager if it works by checking the ""SafetyNet"" status, or in the ""SafetyNet"" checker of your choice (just make sure that you use one that is properly updated to check the ""SafetyNet"" status). If ""SafetyNet"" doesn't pass after enabling Hide, try rebooting //(also see [[https://www.didgeridoohan.com/magisk/MagiskHideMore | “MagiskHide isn’t working”]])//.

Google continuously updates ""SafetyNet"". Currently, no versions prior to Magisk v13.3 will pass ""SafetyNet"" without major workarounds.

===**What triggers ""SafetyNet""?**===
There are two parts to the ""SafetyNet"" check, CTS Profile and Basic Integrity.

Examples of when ctsProfileMatch will report as false (failed):
- Uncertified device (the manufacturer hasn't applied for Google certification)
- Unlocked bootloader
- Custom ROM
- Signs of system integrity compromise (rooting, etc)
- Signs of other attacks (Xposed, ""EdXposed"", etc)

Examples of when basicIntegrity will report as false (failed):
- Signs of system integrity compromise (rooting, etc)
- Signs of other attacks (Xposed, ""EdXposed"", etc)

Several (but not all) of the things mentioned above can be hidden by Magisk. See what Magisk can and cannot hide under //[[https://didgeridoohan.com/magisk/MagiskHideBasics | Basics]]//.

===**Test ""MagiskHide""**===
The first thing to do is to make sure that MagiskHide is enabled (since Magisk v20.4 MagiskHide is disabled by default) or, if it is already on, to toggle MagiskHide off and on again. Sometimes MagiskHide stops working temporarily after an update of Magisk or the Manager. If ""SafetyNet"" still doesn't pass, make sure MagiskHide is actually working by using a root checker or a root app. Start by making sure the app can detect that your device is rooted. After that, add the app to the Hide list and see if it can no longer detect root. If that is the case, MagiskHide is working on your device. If you can't get it to work, see [[MagiskHideIssues | "MagiskHide Issues"]].

It can of course also be any other mod that you've done to your device outside of Magisk, so check those as well.

===**Unlocked bootloader**===
In March 2020 Google flexed their muscles and showed us that they are ready to implement proper hardware key attestation in the ""SafetyNet"" check. By doing this they can easily detect if the bootloader is unlocked and as a result the CTS profile check will fail. This check is very likely impossible to circumvent and as a result Magisk will no longer be able to make ""SafetyNet"" pass fully (basic integrity will still pass). This applies to all devices that have shipped with the proper hardware (any device that ships with Android 8+ is required to have it). A device with this hardware will __not__ be able to pass CTS, no matter which of the methods below are tested.

In late June 2020 Google started rolling this out again. If you are failing CTS you can check if hardware attestation is being used by saving a logcat while doing a ""SafetyNet"" check and checking whether evaluationType contains HARDWARE_BACKED in the JWS responses. A much easier way would be to use the current Canary build (as of writing this) of the Magisk Manager, which will also report if BASIC or HARDWARE is being used when doing a ""SafetyNet"" check.

Topjohnwu has written an FAQ on hardware key attestation that can be found here:
https://twitter.com/topjohnwu/status/1237830555523149824?s=20
And XDA has a very good article on this as well:
https://www.xda-developers.com/safetynet-hardware-attestation-hide-root-magisk

Since this part of ""SafetyNet"" checks for an unlocked bootloader you might be tempted to simply lock the bootloader again. This is a bad idea... Most devices will be permanently bricked if you lock the bootloader on a modified device. There are some devices that you can lock the bootloader on even if it isn't stock, but this is __not__ recommended unless you know __exactly__ what you are doing. Be warned...

===**""SafetyNet"" fails after an update**===
If ""SafetyNet"" starts failing after an update to either Magisk, the Manager or both, it's usually fixed by toggling MagiskHide off and on //(see "Test ""MagiskHide""" above)//. It might be necessary to reboot after toggling the setting off and on.

===**CTS profile mismatch vs Basic integrity**===
There are two parts to a ""SafetyNet"" check, CTS compatibility and Basic integrity. The CTS check is a server-side check that's difficult to spoof, while Basic integrity is done on the device side and is a lower level of security. Some apps only use the Basic integrity part of the ""SafetyNet"" API and thus can be used even if ""SafetyNet"" doesn't fully pass.

===**Both CTS profile and Basic integrity fail**===
MagiskHide needs to be enabled. Start there. If MagiskHide is enabled and working //(see Test """MagiskHide""" above)//, and both checks fail you might be successful if you clear cache for Google Play Services. If that doesn't help you should also make sure that you don't have a mod or module that is triggering ""SafetyNet"" //(see "Check your modules and mods" below)//.

===**CTS profile fails but Basic integrity passes**===
MagiskHide needs to be enabled (yes, basic integrity can pass even if MagiskHide is disabled). Start there. If MagiskHide is enabled and working //(see Test """MagiskHide""" above)//, and you still can't pass the CTS profile check, but Basic integrity shows as true, that basically means Google doesn't trust your device for some reason //(also see "Unlocked bootloader" and """SafetyNet"" incompatible devices and ROMs" below)//. You should be able to fix this by matching prop values with a ROM that passes ""SafetyNet"" //(see "Matching official prop values to pass ""SafetyNet""" and "Spoofing device fingerprint" below)//.

===**CTS profile passes but Basic integrity fails**===
This means that ""SafetyNet"" is actually failing and you are likely using a mod like the Xposed HiddenCore module that is trying to spoof the CTS profile check result.

===**Both CTS profile and Basic integrity pass**===
Everything's good. You can stop reading (at least this section of the guide).
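
The verdict combinations in the sections above, together with the evaluationType check described under "Unlocked bootloader", can be read directly from the payload of the JWS response. The following Python sketch is an added example, not part of the original guide or of Magisk; the verdict labels and the sample token are constructed for illustration, and the code only decodes the payload without verifying the signature.

```python
import base64
import json


def decode_jws_payload(jws):
    """Return the JSON payload (middle segment) of a compact JWS. No signature check."""
    parts = jws.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    segment = parts[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def classify(payload):
    """Map the two verdict fields onto the four cases described in the guide."""
    cts = payload.get("ctsProfileMatch") is True
    basic = payload.get("basicIntegrity") is True
    raw = str(payload.get("evaluationType") or "")  # e.g. "BASIC,HARDWARE_BACKED"
    eval_types = [t.strip() for t in raw.split(",") if t.strip()]
    if cts and basic:
        verdict = "pass"           # both pass
    elif basic:
        verdict = "cts_mismatch"   # CTS profile fails, Basic integrity passes
    elif cts:
        verdict = "inconsistent"   # CTS "passes" while Basic integrity fails
    else:
        verdict = "fail"           # both fail
    return {"verdict": verdict,
            "hardware_backed": "HARDWARE_BACKED" in eval_types,
            "evaluation_types": eval_types}


def make_sample(payload):
    """Build a constructed, unsigned JWS-shaped string (demo input only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(payload), "c2lnbmF0dXJl"])


# Constructed sample: unlocked-bootloader case with hardware-backed evaluation.
SAMPLE = make_sample({"ctsProfileMatch": False, "basicIntegrity": True,
                      "evaluationType": "BASIC,HARDWARE_BACKED"})

if __name__ == "__main__":
    print(classify(decode_jws_payload(SAMPLE)))
```

A server relying on these fields must verify the JWS signature and certificate chain before trusting them; the "inconsistent" case is the one the guide attributes to a mod spoofing the CTS result.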

===**Check your modules and mods**===
In March 2020 Google didn't just start using hardware key attestation (see //"Unlocked bootloader"// above), but they also tightened down what kind of modifications ""SafetyNet"" detects. If you suddenly start failing both CTS and basic integrity, try disabling or uninstalling the last module you installed, or try enabling Magisk's Core Only mode. If you can pass ""SafetyNet"" fully with that module disabled or Core Only Mode enabled, you know that a module is causing the issue. If you do not know which module, disable Core Only Mode again and then disable each module individually until you find which one is the culprit.

===**""SafetyNet"" incompatible devices and ROMs**===
There are devices/ROMs that just won’t be able to pass ""SafetyNet"". This might have to do with how the ROM is built, and if so there is nothing the user can do to change it.

But, fortunately, most of the time it is much simpler than that.

All custom ROMs are incompatible with ""SafetyNet"" out of the box (unless the ROM creator uses the method described below and uses a certified device fingerprint instead of the one that matches the ROM). This has to do with how Google certifies devices, CTS certification (Compatibility Test Suite). If a device hasn’t passed the Google certification process, or if the ROM alters how the device is perceived by Google, it won’t be able to fully pass ""SafetyNet"" (CTS profile mismatch). You might be able to get basic integrity to report as true //(see Checking if Basic integrity passes above)// and this would mean that MagiskHide is working as it should and it's most likely a simple CTS certification issue.

You can match your ROM's ro.build.fingerprint (and possibly other props, like ro.build.version.security_patch) with an official ROM for your device, or any other device that is certified, to make it pass ""SafetyNet"" fully //(see "Matching official prop values to pass ""SafetyNet""" and "Spoofing device fingerprint" below)//.

===**Matching official prop values to pass ""SafetyNet""**===
If you use an unofficial/developers ROM you might have to match an official/stable ROM's details (usually ro.build.fingerprint and possibly ro.build.version.security_patch) to pass the ""SafetyNet"" CTS profile check //(also see "Spoofing device fingerprint" below)//.

[[https://forum.xda-developers.com/member.php?u=6217614 | coolguy_16]] has made a guide for Moto G 2015 [[https://forum.xda-developers.com/2015-moto-g/general/guide-pass-safetynet-custom-roms-t3603609 | here]]. Thank you to [[https://forum.xda-developers.com/member.php?u=6705717 | diegopirate]] for the tip.

===**Spoofing device fingerprint**===
Try changing your device's ro.build.fingerprint to a device's/ROM's that is known to pass ""SafetyNet"". The Magisk module [[https://forum.xda-developers.com/apps/magisk/module-magiskhide-props-config-t3789228 | MagiskHide Props Config]] can do this. This can also be done with a [[https://topjohnwu.github.io/Magisk/guides.html#boot-scripts | boot script]] (don't forget to set the proper permissions for the script to execute) and the resetprop tool //(also see [[MagiskHideMore | "Sensitive props"]])//.

To change the device fingerprint with a [[https://topjohnwu.github.io/Magisk/guides.html#boot-scripts | boot script]], add the following to a file you place in /data/adb/service.d (and don't forget to set the proper permissions for the script to execute):
%%
#!/system/bin/sh
# Replace the placeholder with the fingerprint string and keep it quoted
resetprop ro.build.fingerprint "<fingerprint value>"
%%
Depending on your ROM and/or device you might also have to edit ro.bootimage.build.fingerprint, ro.system.build.fingerprint, ro.vendor.build.fingerprint and ro.odm.build.fingerprint. It's not necessary for passing the CTS profile check, but if your ROM has one of these other props and you don't match them with the used fingerprint you may get a warning at boot about your device having an internal problem.

If the device fingerprint is from an Android build after March 16 2018 you'll also have to match that build's Android Security Patch date (ro.build.version.security_patch). This is automatically done by [[https://forum.xda-developers.com/apps/magisk/module-magiskhide-props-config-t3789228 | MagiskHide Props Config]], but otherwise you can go about it the same way as described above.

===**The response is invalid**===
This basically means that your device can't get a proper response from the Google servers, for whatever reason. It says nothing about whether your device actually passes ""SafetyNet"" or not...

If you get an invalid response result when checking ""SafetyNet"" it might mean that the app you're using to check ""SafetyNet"" hasn't been updated to work with the latest version of the ""SafetyNet"" API.

This response might also mean that Google's servers are down at the moment.

Another thing to try is to force close Play Services, clearing its data and/or rebooting the device.

You could also try using a different GAPPS package (if you're on a custom ROM) or update the Play Services manually by downloading the latest version from [[https://www.apkmirror.com/ | APKMirror]].

Make sure that you have a proper working internet connection and that there's nothing interfering (firewalls, etc).

===**""SafetyNet"" check never finishes**===
If the ""SafetyNet"" status check never finishes (make sure to wait a while), it might mean that your Google Play Services aren’t working properly or have crashed. Try force closing Play Services, clearing data and/or rebooting the device.

You could also try using a different GAPPS package (if you're on a custom ROM) or update the Play Services manually by downloading the latest version from [[https://www.apkmirror.com/ | APKMirror]].

===**""SafetyNet"" API error**===
This error is usually caused by the app you are using to check ""SafetyNet"" not having internet access or the snet.apk not downloading properly if you're using the Magisk Manager. If you're using the Magisk Manager, try clearing data for it and make sure that you have a working internet connection when starting the ""SafetyNet"" check. The Manager needs to download the necessary files to be able to do the check and internet access is required to get a response from Google's servers.

===**Device uncertified in Play store/Netflix (and other apps) won't install or doesn't show up**===
If some apps won't install or don't show up in the Play store, check the Play store settings. At the bottom there might be a section called "Device certification". Some apps won't install if this shows "uncertified" (a couple of known apps are Netflix and Mario Run). It might even be that your device shows "certified" and they still don't show up. Even if there isn't a "Device certification" section in your version of the Play store, try the below if you have issues with apps like Netflix not installing or showing up.

The solution is to make sure your device passes ""SafetyNet"" and then clear data for the Play store and reboot. If you have multiple users on your device, you might have to clear data for all users. Next time you open up the Play store, "Device certification" should show "certified" and the apps should be able to install/show up again. You might have to wait a bit before the apps show up. Some users have reported having to wait mere minutes, others several hours up to a whole day.

===**Permissive SELinux**===
MagiskHide can usually mask a permissive SELinux and let you pass ""SafetyNet"" anyway. But, it has been reported that this is not successful on all devices. If you have SELinux set to permissive, try changing it to enforcing and check ""SafetyNet"" again.

===**Passing ""SafetyNet"" with ""EdXposed"" installed**===
Google can detect if you have ""EdXposed"" installed, but you can usually work around this by making sure you're using the latest release and using things like the ""EdXposed"" Manager's Blacklist feature and enabling it for Google Play Services, Play Store and Services Framework.

===**I still can't pass ""SafetyNet""**===
Start by clearing data for Play Services and the Play Store. There have been reports of this making ""SafetyNet"" pass. It's also a good idea to read through the rest of the guide. For example [[MagiskHideMore | More hiding tips]], [[MagiskHideIssues | MagiskHide Issues]], [[MagiskOther | Other things to try]], [[MagiskHelp | Asking for help/reporting bugs]] and other parts.

Changing ROM or completely wiping your device and starting out clean might also be a good idea.