New Google Integrity API update breaks universal safetynet fix

Describe the bug Google Play device is certified. YASNAC safety net passes. Google Pay is now Google Wallet which detects device as rooted regardless of safetynet pass status.

To reproduce Steps to reproduce the behavior:

1. Go to play store
2. Update to Google Wallet
3. Attempt to add payment method
4. See error

Expected behavior To be able to add payment method credit or debit card to new Google Wallet.

Screenshots

Device info Device model: Samsung Galaxy S22 Ultra SM-S908E Snapdragon Android version: 12 ROM name/version: Stock rom with Magisk and TWRP

I know Samsung is heavily skinned. Hope we can still get some help, and have sent a few beers if that helps.

Enabling the fix breaks 3rd party apps from using fingerprint sensor. Two things I noticed:

1. after enabling the fix, one of those apps complained about "fingerprints have changed, please enroll again" or something to that effect

2. system.prop in the fix's zip sets ro.boot.veritymode=enforcing and ro.boot.vbmeta.device_state=locked. However, if the fix is not enabled, getprop returns empty for those properties. Are these needed? What would happen if I tried to remove those lines from system.prop?

Any other idea of what I could test?

The "C.20" update for OnePlus 8 Pro based on Android 12 and the OxygenOS 12.1 overlay in correlation with "SafetyNet-Fix v2.2.1" completely blocks the fingerprint scanner. Uninstalling this module from "Magisk" restores the operation of the fingerprint scanner.

In addition, the "CTS Profile Matched" check grid is not passed.

After turning off "Safetynet-Fix v2.2.1" it completely breaks down:

• CTS Profile Matched,
• Basic Integrity,
• Advice: Restore to factory ROM Lock Bootloader. Consequently, contactless payments do not work, GooglePlay has the status of uncertified.

The fingerprint scanner seems to work fine after loading "Safetynet-fix v2.3.0". The only thing that fails is the safety net for "CTS Profile Matched"

This method is more portable, does not require a different executable for each Android version, and avoids breaking ROMs with heavy keystore customizations. It works by injecting a shared library into the keystore service and wrapping the Binder transaction handler in the generated AIDL interface.

Because the actual attestKey implementation is statically linked into the keystore service executable, we can't hijack it directly without messy and error-prone code patching. Instead, we check each Binder transaction handled by the AIDL stub and hijack transactions with the TRANSACTION_attestKey code.

In order to keep key attestation working for apps, we only block Google Play Services by checking the command line of the calling process through Binder. This is not infallible and can be spoofed, but it's much easier to do in C++ than looking up the calling UID's package name through PackageManagerService. There are no negative security implications as the only difference is a denied operation.

We can't set LD_PRELOAD for the keystore service because Magisk modules start too late to modify its init.rc, so we inject the shim library as a dependency instead using patchelf and build it with the DF_1_GLOBAL ELF flag to make the dynamic linker prioritize it in symbol resolution.

TRANSACTION_attestKey values and AIDL stub names by Android version:

Android 10 - 11     (SDK 29-30): TX# 28, android::security::keystore::BnKeystoreService
Android 9           (SDK 28   ): TX# 35, android::security::BnKeystoreService
Android 7.0 - 8.1.0 (SDK 24-27): TX# 36, android::BnKeystoreService

This needs testing in many different scenarios before it can be considered stable.

Fixes #32.

Blocked by #33.

Scenarios and issues to test

• 32-bit ARM devices
• Heavy OEM skins
• Samsung One UI
• MIUI
• Broken biometric authentication in apps
• Unstable system (i.e. rebooting and/or crashing)

Bypass PIA (for now?) by changing fingerprint to old "marlin" 7.1.2 (does not required to apply other security patch level). This kills two rabbits: • fix old SN CTS profile check on some weird Custom ROMs • bypass Integrity (MEETS_DEVICE_INTEGRITY) for now.

Other commit fix OnePlus OOS 12 problems ( thanks to @HuskyDG )

Hi,

I tried both 2.0.0 and 2.1.0 (preview) versions of safetynet-fix -- I still can't pass ctsProfile. Using XPrivacyLua works, so I expect the problem is on safetynet-fix side.

After successfully installing latest module in magisk these are the output of SafetyNet test Safety Net Request success Response signature validation success Basic Integrity success CTS profile match fail

Describe the bug Oxygen os 12 FOD issue is present. Whenever flashing module the safety net fixes but FOD disappear

To reproduce Steps to reproduce the behavior:

1. Go to 'Magisk flash safety net fix module,after that reboot,then try to add fingerprint it'll not work'
2. Click on 'fingerprint enrollment..'
3. Scroll down to '.fingerprint enrollment.'
4. See error

Expected behavior Fingerprint should work after flashing module

Screenshots If applicable, add screenshots to help explain your problem.

Device info Device model: Oneplus 8T kb2005 Android version:12 ROM name/version: Oxygen OS 12 Stable build

Logs Connect your phone to a computer and run adb logcat > issue.log. Attach the log file to this issue.

Additional context Add any other context about the problem here.

Checklist

• [ ] All information is present
• [ ] Logs are attached
• [ ] I have tried installing and configuring [MagiskHide Props Config]https://github.com/Magisk-Modules-Repo/MagiskHidePropsConf)

Installing the latest release of safetynet-fix "breaks" the fingerprint sensor on the OnePlus 8T. After installing the finger print sensor will say hardware unavailable. Removing the module and rebooting will make the sensor function again. At first I thought it was just a coincidence, however I did get confirmation of this behavior on the 8T on the telegram group as well. Please let me know what other information I can supply that maybe helpful, it diagnosing this issue. I'll be happy to help.

Just a heads-up really.

While Riru and Zygisk (as well as USNF 2.x.x) were working nicely together in vvb2060 Alpha Magisk before todays builds, Riru is now is broken with Zygisk w/ latest TJW commits in both Alpha and TJW's new Canary Magisk.

John has just provided documentation for "Develping Zygisk Modules"

"The Zygisk API and sample module is online! Start developing and testing Zygisk modules with the latest canary release 😀" https://github.com/topjohnwu/zygisk-module-sample

Hope it helps. PW

Phones I know of it doing it are 3a, 3a xl and 4a all running stock roms. It'll mostly happen when you plug the phone in to charge, but it'll also happen seemingly at random. I thought I was the one one having this issue until I decided to ask @Skittles9823 if he had any idea why WiFi would cause a lockup as it seemed to stop if you killed WiFi and or mobile data together

After finding out he had the same issue I was having I decided to ask in another group and found out they were having the same problem. So I started testing, I disabled the pixel launcher like I said in the picture and it didn't lockup for a few days, then last night it did. Well I had scoop running to try and grab the crash and I wasn't able to get a log of the issue. Well it didn't catch the lockup as the entire system locked up. I was able to grab some logs after it rebooted by dumb luck, I got WiFi off apparently mid crash and it grabbed all the logs and then locked up for a few seconds but then came out of it. These are those logs.

gps.zip

When I opened the log to read it to see if I could find whats causing it, they were all complaining about the keystore. So I asked the people I knew having the issue if they had your fix installed and they all did. One of them was using 2.0 instead of 1.1

I figured having the logs might be helpful

hi kdrag0n, just a request.. you can put your repo to this compiled magisk modules repo here https://github.com/Magisk-Modules-Repo/submission

so that more people can make use of this repo and easy to search.

Hello sir is there a way to fix CTS profile mismatch using twrp and not magisk module as i can't root the phone cuz of the many problems related to bank apps and magisk etc .. . . .

can i do something like editing build.prop or somethng else

Thanks

Makes bank apps and Google Pay happy, since even if the prop is otherwise spotless, those apps still wouldn't work because this prop is set to 1.

Was the only thing that I had to do to get my bank app to allow biometric unlock, and Google Pay to let me add my payment cards

Describe the bug It is breaking microG components, when microG is installed as Magisk Module. Though the microG GmsCore resides in actual system and rest of the files as module for obvious reasons. The case is reverted, when installation of microG is done into system or USNF is uninstalled. Here i am explaining in reference to microG Installer containing microG GmsCore & additional components.

To reproduce A simple installation of USNF is enough to reproduce this issue.

1. Go to 'microG Settings'
2. Click on 'Cloud Messaging'
3. Click on 'Location Modules'
4. See error

Expected behavior There must be name of App in microG Settings rather name of App process, can be seen in below screenshot.

Screenshots

Device info Device model: Redmi Note 10 Pro (sweetin) Android version: 11.0.0 ROM name/version: LineageOS 18.1

Additional context I haven't seen this error previously, as i have already done systemless installation plenty of times. Below list of installed modules.

Checklist

• [X] All information is present
• [ ] Logs are attached
• [ ] I have tried installing and configuring MagiskHide Props Config

Describe the bug A clear and concise description of what the bug is.

After having Root enabled by TWRP OR Flashing Magisk_modified_boot.img, there is no problem with Root on this device. But after installing the module and reboot, the phone keeps rebooting into the Recovery MUIU 5.0 (NON-TWRP) after a couple reboots (10min later) the phone boots into the phone normally and disable this module V.2.3.1 in Magisk, and reboots, there is NO problem with booting into the phone. This only happens when enable/installing the module and reboots.

This also happens with TWRP being installed. The phone keeps booting into the TWRP recovery, after a couple reboots the phone boots into the phone normally. Once I been boot normally into the phone and give the phone a normall reboot, it keeps booting into the Recovery TWRP OR Recovery MUIU 5.0 with NON-TWRP

I can reproduce this problem.

To reproduce Steps to reproduce the behavior:

1. Having the phone Xiaomi Mi 11 Pro - MIUI 13 - 13.0.7.0 Stable - EEA (Europe) Xiaomi SKAEUXM
2. Getting Root by installing Magisk.zip by TWRP OR patch the Boot.img of the current ROM to get the Magisk_moddified_boot.img and patch this by ADB.
3. Once Magisk is being installed (Version 25.2 - 25200), install only this module V.2.3.1 (latest at this moment)
4. Give the phone a reboot when this module is being installed, then the phone boots into the recovery. Stock it boot into the MUIU Recovery 5.0 It keeps restarting automaticly, after 10min a reboots cycle further the phone will boot normally. But if you reboot your phone or shutdown, it will be booting automaticly into the recovery.

TWRP installed, it will boot into the TWRP recovery. Give manually a reboot a couple times. then the phone will boot normally.

Device info Device model: Xiaomi Mi 11 Pro Chinese - Flashed EEA (europe) Xiaomi ROM - MIUI Global 13.0.7 Stable - 13.0.7.0 (SKAEUXM) Android version: Android 12 - 12 SKQ1.211006.001 ROM name/version: star_eea_global_images_V13.0.7.0.SKAEUXM_20220507.0000.00_12.0_eea_dffd02e396

Logs Connect your phone to a computer and run adb logcat > issue.log. Attach the log file to this issue.

• Enable this Module, by enable Zygisk in the settings, otherwise the module is not active.
• Reboot
• Phone gets boot into the Recovery / TWRP automaticly.
• Give this phone another reboot, phone boots again into the recovery / TWRP
• In TWRP - Advanced - Copy Log - Check, Include Logcat, Include Kernal Log, - Swipe
• Add 3 log files to this case: dmesg.log, logcat.txt, recovery.log Additional context I always hide my Magisk with Magisk Hide Props Config - SU - Props fingerprint - Xiaomi 11 (china) - This process gets me passing Safetynet.

So basicly I need these 2 modules to pass my Safetynet coming anything different then the official stockROM.

That being said, there more people / users having this issue: https://forum.xda-developers.com/t/mi-11-ultra-reboots-to-recovery-mode-several-time-before-rebooting-to-miui.4477991/ dmesg.log logcat.txt recovery.log

Then I suddenly install ONLY this module, fresh, stock after flashing ROM, then the phone booting into the recovery so the cause is this module.

For the record; I can be a tester if there is a new module available, just let me know.

Checklist

• [x] All information is present
• [x] Logs are attached
• [x] I have tried installing and configuring MagiskHide Props Config