Safety Net check a problem for rooted guys - Lenovo Vibe P1 Questions & Answers

Hello!
After moving on S288 and rooting my device, I realised that I no longer pass Safetynet. I, currently rooted with Chainfire's SuperSU + Magisk, with the feature from Magisk, Magisk Hide I cannot bypass the safetynet checker. Also as I seem to realise, it is bypassed by an unlocked bootloader, which I'm wondering if we lock again if it will pass.
This safetynet thing doesn't allow me to log into Snapchat and doesn't allow me to use some apps to pay via NFC, which drives me nuts.
I'll try locking the bootloader again and then seeing if that fixes the issue.
Any suggestions are welcome!

Related

To those who have rooted already: did you trip dm-verity?

Hi all,
It's surprisingly hard to find a current state of affairs on this.
Well the title says it all really. I understand that this verifies the block device using a hash tree. Obviously, flashing a different kernel or recovery should make it trip. If that trips, I expect the phone no longer to pass safetynet which is a problem.
So for those who have rooted, did you trip dm-verity?
How can I tell if I tripped it?
I flashed Magisk, and my device still works, and still passes safetynet, but I've not really encountered dm-verity before?
I do have a warning at boot due to unlocking bootloader but still passing safetynet without issue.
Stock Kernel, BlueSpark TWRP
Blu Spark twrp and SimpleGX kernel and it passes safetynet.
Was reading the twrp website earlier and it said as soon as you swipe to allow modification in TWRP that unless you format data and decrypt that it will fail to boot, yet I've never formatted data and my phone has never not booted due to this.
Lum_UK said:
How can I tell if I tripped it?
I flashed Magisk, and my device still works, and still passes safetynet, but I've not really encountered dm-verity before?
Click to expand...
Click to collapse
If you pass safetynet, you're good to go I believe. It seems the root apps are taking care of this then. Anyway, It should display some kind of warning if it is tripped.
https://source.android.com/security/verifiedboot/verified-boot
I wanted to double check this--if you flash something and re-lock the bootloader, I think you've tripped dm-verity if you still have a boot message saying that the OS has changed. I'm having this issue after flashing Magisk (15.3). Can anyone confirm or deny that it is possible to flash Magisk and retain dm-verity?
Edit: After some Google searching it *seems* like it's not possible to have a green verified boot if you're applying Magisk, unless you have the OEM key.
https://source.android.com/security/verifiedboot/verified-boot
I have never tripped dm verity on my 5t and I never will. There is a no verity zip. Always flash that zip Last when flashing roms and you will be fine.
Magisk automatically disables DM verity. I think it is not possible to root without tripping it, but I never tried. DM verity doesn't interest me as long as SafetyNet is fine.

ctsProfile: false - Allthough not rooted

Hi there,
It might be a dumb question, but im kinda clueless.
I have my device not rooted and the SavetyNet-Check of Magisk says ctsProfile: false.
My bootloader is unlocked since the beginning. Could that be the reason for it? And if so how could I avoid it? Rooting or Relocking the bootloader?
Background:
Because I experience problems with a couple of banking apps that they dont start/crash on startup and one of them saying it might be of having my device rooted.
So thats why I thought maybe SafetyNet Check is not good and checked it and figured out one check is not passing.
wsjoke said:
Some kernels lack the feature needed to pass cts without magisk installed you can either
1. install magisk to pass CTS
2. Use a kernel that has the patch (loki and my own kernel "chunchunmaru" should have it but both are for Q only as off now)
Click to expand...
Click to collapse
First, in what rom you are? Why u install magisk manager if u don't have root? What apps don't open? We aren't magicians or clairvoyants, please always mention more details
wsjoke said:
Hi there,
It might be a dumb question, but im kinda clueless.
I have my device not rooted and the SavetyNet-Check of Magisk says ctsProfile: false.
My bootloader is unlocked since the beginning. Could that be the reason for it? And if so how could I avoid it? Rooting or Relocking the bootloader?
Background:
Because I experience problems with a couple of banking apps that they dont start/crash on startup and one of them saying it might be of having my device rooted.
So thats why I thought maybe SafetyNet Check is not good and checked it and figured out one check is not passing.
Click to expand...
Click to collapse
I assume that you are from stock. It is the problem from Mi A2 Lite's device fingerprint that somehow it is not certified. Probably for reasons:
1. Magisk manager is present
2. Unlocked bootloader
3. Usually, it will pass when fingerprint has the same value from 10.0.1.0. After that, it fails for no reason. One theory suggests it might have to do with vulnerabilities present from our device (the System Toolkit app, when you dial *#*#64663#*#*), thus revoking certification from Play Store.
If you're on custom ROM, that would be it, except from POSP that has passed CTS. Also it could be the GApps you are using.
Os_Herdz said:
First, in what rom you are? Why u install magisk manager if u don't have root? What apps don't open? We aren't magicians or clairvoyants, please always mention more details
Click to expand...
Click to collapse
Stock rom, I previously had my phone rooted, thats why I still have installed magisk.
Various Banking Apps doesnt work as intended. For example https://play.google.com/store/apps/details?id=de.commerzbanking.mobil&hl=de cant unlock with fingerprint anymore. https://play.google.com/store/apps/details?id=com.starfinanz.mobile.android.dkbpushtan&hl=de doesnt open at all and opens a website which says a rooted phone could cause this issue.

Magisk suddenly not passing SafetyNet

I rooted my phone about 6 months ago using the custom OEM unlock fix files and guide by Dr. Ketan. I'm on Magisk 18.0 and Manager ver. 7.0.0, which is the version that came with the guide since I think it's made specifically for my device (SM-G960F). For some reason, it's no longer passing SafetyNet even though it was before.
It's no longer passing the ctsProfile or basicintegrity checks. I'm afraid to update Magisk through the manager, as I'm not sure it will work on my device since I had to use a unique method to root it in the first place. Can someone help me so that my phone can pass SafetyNet again? Thanks!

[XT1676] Has anyone managed to flash a 64-bit ROM and still passed SafetyNet?

Hey everyone,
So with pokemon GO dropping support for 32-bit devices soon (and Motorola decided to give us a 32-bit OS on 64-bit hardware....), I was wondering if there was any way I could flash a 64-bit ROM and still pass the SafetyNet CTS check? I guess I'd have to flash something without built in root, and then re-lock the bootloader, has anyone done this before?
Currently running stock ROM on my XT1676.
Thanks in advance,
J.e.v.a
Jimmy_The_Squid said:
Hey everyone,
So with pokemon GO dropping support for 32-bit devices soon (and Motorola decided to give us a 32-bit OS on 64-bit hardware....), I was wondering if there was any way I could flash a 64-bit ROM and still pass the SafetyNet CTS check? I guess I'd have to flash something without built in root, and then re-lock the bootloader, has anyone done this before?
Currently running stock ROM on my XT1676.
Thanks in advance,
J.e.v.a
Click to expand...
Click to collapse
Why would you want to re-lock the bootloader? You couldn't do that anyway without flashing a stock unmodified firmware image and even then its not advisable because if something happens in the future you may not be able to reflash firmware as the bootloader is locked
Anyway to answer your question - most 64bit roms pass safetynet by default (lineage 17.1 & AOSP for example) as they contain a hack that changes the device fingerprint (you will get a message on boot about contacting the manufacturer due to the mismatch of fingerprints but this can be ignored)
If you want root flash magisk and then hide pokemon go in magisk hide assuming magisk still supports hiding of root as I haven't tested it for a while
Also no roms should be rooted by default - you need to root it yourself if you want to
Jimmy_The_Squid said:
Hey everyone,
So with pokemon GO dropping support for 32-bit devices soon (and Motorola decided to give us a 32-bit OS on 64-bit hardware....), I was wondering if there was any way I could flash a 64-bit ROM and still pass the SafetyNet CTS check? I guess I'd have to flash something without built in root, and then re-lock the bootloader, has anyone done this before?
Currently running stock ROM on my XT1676.
Thanks in advance,
J.e.v.a
Click to expand...
Click to collapse
Just use MintOS with Magisk
It will work out of the box
Thanks for the advice both, I wanted to relock the bootloader as I believe the CTS check fails if it is detected as being unlocked. I'll have a go with one of the recommended ROMs and let you know how it turns out. I don't have any need for Root.
J.e.v.a.
Jimmy_The_Squid said:
Thanks for the advice both, I wanted to relock the bootloader as I believe the CTS check fails if it is detected as being unlocked. I'll have a go with one of the recommended ROMs and let you know how it turns out. I don't have any need for Root.
J.e.v.a.
Click to expand...
Click to collapse
The bootloader tripping CTS does not work on this phone, it's too old
And you ironically need Magisk to pass SafetyNet! Magisk Hide hides Custom ROM things too that will trap SafetyNet.
nift4 said:
The bootloader tripping CTS does not work on this phone, it's too old
And you ironically need Magisk to pass SafetyNet! Magisk Hide hides Custom ROM things too that will trap SafetyNet.
Click to expand...
Click to collapse
Ah good to hear having an old phone works in my favour sometimes.
I'm in same boat : wanted to flash the Lineage OS 64 bit version on the G5.
I don't understand why we need to use Magisk, I used to do the same last year on a Samsung J3 and flash a Lineage 14.1 (32bits and without root).
And it pass Safetynet checks wihout Magisk, is Magisks reaaly required on the G5 if we don't root the phone ?
Thanks
foosee said:
I'm in same boat : wanted to flash the Lineage OS 64 bit version on the G5.
I don't understand why we need to use Magisk, I used to do the same last year on a Samsung J3 and flash a Lineage 14.1 (32bits and without root).
And it pass Safetynet checks wihout Magisk, is Magisks reaaly required on the G5 if we don't root the phone ?
Thanks
Click to expand...
Click to collapse
It depends if the rom passes safetynet by default
If it doesn't you need magisk to either flash a safetynet module or change device fingerprint in order to pass cts
You also need it to hide the fact you're rooted from apps using magisk hide
So to clarify - if the rom passes basic integrity & cts there shouldn't be a need to root
If it doesn't you need to use magisk to help you pass these things and to hide root
foosee said:
I'm in same boat : wanted to flash the Lineage OS 64 bit version on the G5.
I don't understand why we need to use Magisk, I used to do the same last year on a Samsung J3 and flash a Lineage 14.1 (32bits and without root).
And it pass Safetynet checks wihout Magisk, is Magisks reaaly required on the G5 if we don't root the phone ?
Thanks
Click to expand...
Click to collapse
Try it. You can unroot and root your phone with the zips.

Question : widevine, mcdonalds, banking app and root?

Hello!
I will receive a oneplus 9 pro next week and wonder if i shall root it or not. I want to use titanium backup and a few other apps that need root permission, but i also dont want to loose widevine level 1 for netflix and amazon video in hd, want to use my banking app and mcdonalds app.
i havent followed the magisk/root discussion for maybe a year or two (used a unrooted stock phone), so i am not up to date how things are at the moment.
just to be clear, please can someone answer the following questions:
1.) is unlocking bootloader (no root afterwards) enough to loose widevine level 1? can level 1 be gained again when bootloader is locked again or is lost permanent (like triggering knox with samsung).
2.) any problems with mcdonalds app and magisk? google pay?
after reading to the internet on the subject totday, i get the impression that rooting nowadays causes more problems thn benefits, but maybe i get a wrong impression.
flotsch1 said:
Hello!
I will receive a oneplus 9 pro next week and wonder if i shall root it or not. I want to use titanium backup and a few other apps that need root permission, but i also dont want to loose widevine level 1 for netflix and amazon video in hd, want to use my banking app and mcdonalds app.
i havent followed the magisk/root discussion for maybe a year or two (used a unrooted stock phone), so i am not up to date how things are at the moment.
just to be clear, please can someone answer the following questions:
1.) is unlocking bootloader (no root afterwards) enough to loose widevine level 1? can level 1 be gained again when bootloader is locked again or is lost permanent (like triggering knox with samsung).
2.) any problems with mcdonalds app and magisk? google pay?
after reading to the internet on the subject totday, i get the impression that rooting nowadays causes more problems thn benefits, but maybe i get a wrong impression.
Click to expand...
Click to collapse
Use the canary builds of Magisk, enable MagiskHide, and toggle the apps in question, and you're golden. Also, just to be sure, toggle it on for Google stuff like the Google app, Google Play Store, Google Play Services, Google Services Framework, Netflix, McDonald's, GPay, and any other banking or streaming subscription apps. Might want to have Magisk hide its self by changing the app name and signature as well.
GuyInDogSuit said:
Use the canary builds of Magisk, enable MagiskHide, and toggle the apps in question, and you're golden. Also, just to be sure, toggle it on for Google stuff like the Google app, Google Play Store, Google Play Services, Google Services Framework, Netflix, McDonald's, GPay, and any other banking or streaming subscription apps. Might want to have Magisk hide its self by changing the app name and signature as well.
Click to expand...
Click to collapse
thank you for the information.
so i will definitely not loose widevine l1 with unlocking bootloader and root?
to hide magisk itself (change name and signature), i just need to turn this option on in magisk and not need to do this in a manual way?
flotsch1 said:
thank you for the information.
so i will definitely not loose widevine l1 with unlocking bootloader and root?
to hide magisk itself (change name and signature), i just need to turn this option on in magisk and not need to do this in a manual way?
Click to expand...
Click to collapse
Correct, by default it will change to a "default" app icon and rename itself to "Settings" but you can easily still tell it from the device's own system Settings app.
one last question.
following this root instruction https://forum.xda-developers.com/t/guide-magisk-unlock-root-keep-root-oos-11-2-7-7.4252373/ , do i have to use the provided boot images? i feel safer to download the full ota from oneplus official site and extract payload.bin and then use payload dumper to get a boot.img.
flotsch1 said:
one last question.
following this root instruction https://forum.xda-developers.com/t/guide-magisk-unlock-root-keep-root-oos-11-2-7-7.4252373/ , do i have to use the provided boot images? i feel safer to download the full ota from oneplus official site and extract payload.bin and then use payload dumper to get a boot.img.
Click to expand...
Click to collapse
If you are leery of using someone else's boot.img, feel free to do that if you'd like. But regardless, be sure to boot the image, don't flash it. Booting it not only gives you the temporary root access to install Magisk yourself, but also ensures that the patched boot.img is actually valid.
v23 has a fix for SafetyNet API. It looks like that supersedes anything from the last canary/debug builds, so it's probably safe to stick with that. Everything else is the same, though.
GuyInDogSuit said:
v23 has a fix for SafetyNet API. It looks like that supersedes anything from the last canary/debug builds, so it's probably safe to stick with that. Everything else is the same, though.
Click to expand...
Click to collapse
V23?
flotsch1 said:
V23?
Click to expand...
Click to collapse
Latest stable Magisk build. I'm saying you won't need to mess with canary/debug.
When you turn on hide then hide the app the in the settings then your allowed to do anything you like but also hide it in the menu of magisk then your all done don't flash to much crap and magisk hide module is not really finished yet for this device good luck
I rooted it the second i got it
And don't use canary builds of magisk only if you want to run your phone very unstable i recommend the stable version
thanks alot for the information.
i still hazzle to root. i had a oneplus 3 2 years ago and had magisk root/custom rom/twrp, but i also had issues on regular basis and spent alot of time on xda and with flashing. dont know if i want this again or just a phone that works.
and just to be sure:
in case i loose my widevine level 1 because of root or bootloader unlock: will it come back when locking bootloader again and/or unroot. or will it be level 3 forever?
Wildvine L1 is not always retained when unlocking the bootloader. If I unlock mine, I go to L3 every single time, but when I lock it back, I go back to L1. I've tested this 3 times and it happened all 3 times.
flotsch1 said:
thanks alot for the information.
i still hazzle to root. i had a oneplus 3 2 years ago and had magisk root/custom rom/twrp, but i also had issues on regular basis and spent alot of time on xda and with flashing. dont know if i want this again or just a phone that works.
and just to be sure:
in case i loose my widevine level 1 because of root or bootloader unlock: will it come back when locking bootloader again and/or unroot. or will it be level 3 forever?
Click to expand...
Click to collapse
Well to be honest I never had that problem and i need to have my binance hidden as well and everything works well but with some games like slime hunter i really need to hide magisk it self too from the settings but when you do they everything will be working okay. And so far I have seen with magisk hide module what you can download is that there are no keys yet for using in op9p (could be changed didn't check it for a while now)

Categories

Resources