Hi,
I'm currently running Android Nougat Stock (4.28.401.3), with the Bootloader unlocked, but without TWRP or Magisk. My device is currently failing the SafetyNet Check due to Basic Integrity and CTS profile mismatch (Image attached).
I also get the error "Security checking fail GT_CONNECT_FAIL" when booting into Bootloader Mode (Image attached, Source).
I updated several months ago from Marshmallow to Nougat, via OTA. When I had Marshmallow, I had TWRP and Magisk installed, but didn't reinstall them afterwards.
Now I would like to try and fix this error. Would installing Magisk (using MagiskHide) fix this issue? Does the Bootloader need to be re-locked now in order to pass the SafetyNet Check?
Any help appreciated.
I can only help you with safetynet since I haven't seen that Security checking fail GT_CONNECT_FAIL error before. For making sure everything is fine with the software of your phone I'd flash a RUU, nonetheless, if I were you. If the error gets caused by a hardware failure (e.g. the infamous nand death) then there's not much you can do for fixing it aside from sending it to HTC for a repair.
Safetynet fails as soons as you unlock the bootloader. You have two choices now. Either you re-lock the bootloader or you install magisk and activate magisk hide. If you choose the latter the bootloader can stay unlocked.
Flippy498 said:
I can only help you with safetynet since I haven't seen that Security checking fail GT_CONNECT_FAIL error before. For making sure everything is fine with the software of your phone I'd flash a RUU, nonetheless, if I were you. If the error gets caused by a hardware failure (e.g. the infamous nand death) then there's not much you can do for fixing it aside from sending it to HTC for a repair.
Safetynet fails as soons as you unlock the bootloader. You have two choices now. Either you re-lock the bootloader or you install magisk and activate magisk hide. If you choose the latter the bootloader can stay unlocked.
Click to expand...
Click to collapse
It looks like the Security checking fail GT_CONNECT_FAIL error is unrelated to the phone not passing the SafetyNet Check. Installing Magisk solved that problem (Though the Security checking fail GT_CONNECT_FAIL error still pops up).
Did the SafetyNet Check get updated or changed? My phone used to pass this check when on the Stock ROM.
Google constantly updates safetynet since they try to make magisk hide useless (aka make apps that rely on safetynet more secure). It's a cat and mouse game.
An unlocked bootloader results in a safetynet fail for quite some time, now, even if you use the stock rom.
Sent from my HTC One M9 using XDA Labs
As the title implies, the universal safetynet fix 2.2.0 has been released for those that want root + Google Pay + Netflix + banking apps + etc
Release v2.2.0 (Zygisk) ยท kdrag0n/safetynet-fix
Changes Ported module to Zygisk Fixed screen-off Voice Match in Google Assistant Fixed poor microphone quality with Voice Match enabled on Pixel 5 Fixed At a Glance weather display on Android 12 F...
github.com
Yep thanks. Just uninstalled Alpha channel with Riru and USNF v2.1.1 and installed official Canary with Zygist and USNF v2.2. Passing all checks and all root detecting apps are working.
Just for info: root detection and SN are 2 different things ... all my banking apps work OK once they are in Magisk's DenyList, so they check for root (e.g. check su binary or check if com.topjohnwu.magisk exists) but don't check SN. Google pay (which I personally do not use) does not work (only works with SN). Netflix needs SNF for it to appear on the Play store but does not care about root. Of course just unlocking the BL means that you have tampered with the device and that will make SN fail (even when youy are still unrooted).
foobar66 said:
Just for info: root detection and SN are 2 different things ... all my banking apps work OK once they are in Magisk's DenyList, so they check for root (e.g. check su binary or check if com.topjohnwu.magisk exists) but don't check SN. Google pay (which I personally do not use) does not work (only works with SN). Netflix needs SNF for it to appear on the Play store but does not care about root. Of course just unlocking the BL means that you have tampered with the device and that will make SN fail (even when youy are still unrooted).
Click to expand...
Click to collapse
Just wondering before I install this and try it is it safe to use? I understand there is a risk just like anything linked to rooting. However based on this posted you make it sound like this isn't needed, so just making sure before I install it, bc I do use Gpay.
Also is it the same as:
Working SafetyNet with Pixel 6 Pro Android 12
This is no longer using an Unofficial Magisk app, it's the official Canary and USNF 2.2.0 1. Download the latest Magisk Canary build 2. Patch the boot.img from the Factory Images in Magisk, you'll also need the vbmeta.img if you aren't already...
forum.xda-developers.com
Some banking apps check for SN, other's don't. Most banking apps check for root nowadays ... Anyway does not "harm" if you install it (on the contrary). You will need it for GPay.
collegencmc said:
Just wondering before I install this and try it is it safe to use? I understand there is a risk just like anything linked to rooting. However based on this posted you make it sound like this isn't needed, so just making sure before I install it, bc I do use Gpay.
Also is it the same as:
Working SafetyNet with Pixel 6 Pro Android 12
This is no longer using an Unofficial Magisk app, it's the official Canary and USNF 2.2.0 1. Download the latest Magisk Canary build 2. Patch the boot.img from the Factory Images in Magisk, you'll also need the vbmeta.img if you aren't already...
forum.xda-developers.com
Click to expand...
Click to collapse
It is the same as this but is now free instead of behind the Patreon/one time paywall. I can confirm it works with LSposed and I'm passing Safetynet.
Great thanks for the info on this!
I have read about people getting widevine L1 on their rooted devices and custom roms, i tried it too with copying "a" partition to the "b" partition before flashing anything (recovery is a live boot) but the moment mu bootloader is unlocked i have widevine L3 no matter what (using "fastboot oem unlock " and "fastboot flashing unlock")... Even when i pass safetynet and such i never get back to L1
Is there anyone that knows how to do it?
safetynet fix?
financeledger said:
safetynet fix?
Click to expand...
Click to collapse
If you mean universal safetynet fix.zip then yes it was the first thing i installed after magisk
I have mine rooted, magisked, some audio-, Adblocker-, busybox- and the swift installer- modules. Its a global version from Switzerland and still L1.
I got L3 the first time. I re locked bl and started over. Got L1. I think it can be done
mac796 said:
I got L3 the first time. I re locked bl and started over. Got L1. I think it can be done
Click to expand...
Click to collapse
I tried it for about 4 hours locking and unlocking the bootloader but still got L3, so either my device doesn't like me or i'm really unlucky... What command did you use to unlock the bootloader? Did you install a custom rom?
VoidedKN0X said:
I tried it for about 4 hours locking and unlocking the bootloader but still got L3, so either my device doesn't like me or i'm really unlucky... What command did you use to unlock the bootloader? Did you install a custom rom?
Click to expand...
Click to collapse
No custom ROM just stock, rooted. I can't remember which command I used. I think I tried both. But first time I did get L3. I think I used msm then tried again. Got L1
Stock and rooted with Magisk.
I'm showing Widevine L1. I'm also passing safety net and able to use GPay (Oxygen OS 11.2.9.9)
Ok I will tell what helped me gaining L1 from L3,
1. First just flash oos 11 using msm tool, please do this step is a must.
2. Now update to the latest available firmware using OTA. (11.2.9.9 or above)
3. Now reboot to bootloader
4. Use this command only to unlock
"Fastboot flashing unlock" for this you need latest fastboot and adb older adb and fastboot fails for l1.
5. Now boot (your data will be wiped)
6. Do not install DRM info app at this point.
7. Now enable usb debugging enable adb and connect to pc
8. Remove 2 Netflix apps that are pre install either by pm uninstall command if you dont know donwload debloater from here and then remove:
[2022-07-03] [v0.5.1] Universal Android Debloater
Universal Android Debloater This is a complete rewrite in Rust of the UAD bash script. DISCLAIMER : Use this software at your own risk. I am not responsible for anything that could happen to your phone. Summary I try to maintain a...
forum.xda-developers.com
9. After removal of netflix reboot your phone.
10. Now install Drm info and check your phone should be L1.
11. Now root using magisk canary enable zygisk and enable deny list, select google play services (all from sublist), and install safetynet-fox 2.2.0 from here: "https://github.com/kdrag0n/safetynet-fix"
12. Clear data for google play services reboot.
13. Enjoy l1 and play store certified device...
VoidedKN0X said:
I have read about people getting widevine L1 on their rooted devices and custom roms, i tried it too with copying "a" partition to the "b" partition before flashing anything (recovery is a live boot) but the moment mu bootloader is unlocked i have widevine L3 no matter what (using "fastboot oem unlock " and "fastboot flashing unlock")... Even when i pass safetynet and such i never get back to L1
Is there anyone that knows how to do it?
Click to expand...
Click to collapse
Mine went to L3 after I unlocked. I gave up trying to fix it, but now it's L1. It might just take time.
I get L1 using newest canary branch of Magisk. I have systemless hosts and google services added to deny list in zygisk. Banking apps, gpay and McDonalds (I found it more sensitive than banking apps! ) work great.
l_mike said:
I get L1 using newest canary branch of Magisk. I have systemless hosts and google services added to deny list in zygisk. Banking apps, gpay and McDonalds (I found it more sensitive than banking apps! ) work great.
Click to expand...
Click to collapse
I tried with canady magisk too but no luck as it turned to L3 on bootloader unlock... Can you provide a link with the magisk version you used? And maybe a guide on how you rooted your phone? The tutorials i followed didn't work for L1
I have 23015 version. Installed via twrp (previous version) than updated by direct install with Magisk. Bootloader unlocked. Custom arter's kernel onboard.
Make sure you have all of these checked in Magisks deny list.
DevilRockr said:
Ok I will tell what helped me gaining L1 from L3,
1. First just flash oos 11 using msm tool, please do this step is a must.
2. Now update to the latest available firmware using OTA. (11.2.9.9 or above)
3. Now reboot to bootloader
4. Use this command only to unlock
"Fastboot flashing unlock" for this you need latest fastboot and adb older adb and fastboot fails for l1.
5. Now boot (your data will be wiped)
6. Do not install DRM info app at this point.
7. Now enable usb debugging enable adb and connect to pc
8. Remove 2 Netflix apps that are pre install either by pm uninstall command if you dont know donwload debloater from here and then remove:
[2022-07-03] [v0.5.1] Universal Android Debloater
Universal Android Debloater This is a complete rewrite in Rust of the UAD bash script. DISCLAIMER : Use this software at your own risk. I am not responsible for anything that could happen to your phone. Summary I try to maintain a...
forum.xda-developers.com
9. After removal of netflix reboot your phone.
10. Now install Drm info and check your phone should be L1.
11. Now root using magisk canary enable zygisk and enable deny list, select google play services (all from sublist), and install safetynet-fox 2.2.0 from here: "https://github.com/kdrag0n/safetynet-fix"
12. Clear data for google play services reboot.
13. Enjoy l1 and play store certified device...
Click to expand...
Click to collapse
Does this work on the c.63 build?
L1 with 8/31 nameless. Nameless is the only one I can get L1 on rooted/unlocked bl, etc. Only had L1 on stock once.
TheKnux said:
L1 with 8/31 nameless. Nameless is the only one I can get L1 on rooted/unlocked bl, etc. Only had L1 on stock once.
Click to expand...
Click to collapse
I'm good on TMO 11.2.9.9 with unlocked bootloader, total root, custom systemwide fonts and custom bootanimation!
Hi guys,
Just made a breakthrough discovery!
To gain Widevine:
Crossflash EU firmware to your device with craznazn's MSM here https://androidfilehost.com/?fid=14943124697586337355, unlock bootloader but DO NOT update yet! Then, you want to flash magisk, reboot and turn on Zygisk and do whatever you need to pass SafetyNet.
Afterwards, you can upgrade, it should be a FULL system upgrade, not an incremental. It should detect root and download ~3000 MB. Install the update and reboot, you should get L1 now!
razercortex said:
Hi guys,
Just made a breakthrough discovery!
To gain Widevine:
Crossflash EU firmware to your device with craznazn's MSM here https://androidfilehost.com/?fid=14943124697586337355, unlock bootloader but DO NOT update yet! Then, you want to flash magisk, reboot and turn on Zygisk and do whatever you need to pass SafetyNet.
Afterwards, you can upgrade, it should be a FULL system upgrade, not an incremental. It should detect root and download ~3000 MB. Install the update and reboot, you should get L1 now!
Click to expand...
Click to collapse
Nice find! Too bad I used the Indian MSM on my T-Mobile variant so I can't cross-flash anymore.
It also seems to survive MSM flashing, updates, custom ROMs, and bootloader locking/relocking
razercortex said:
It also seems to survive MSM flashing, updates, custom ROMs, and bootloader locking/relocking
Click to expand...
Click to collapse
Do you think it'll work for me when though I use the OP9 Indian MSM?
Not sure. You'd have to unlock bootloader first, then do a full system upgrade to check.
razercortex said:
Not sure. You'd have to unlock bootloader first, then do a full system upgrade to check
Click to expand...
Click to collapse
I'm already unlocked. It doesn't really matter though since I haven't given a yit about L1 since, ever. Just didn't know if you knew or not.
Thanks! Worked!
razercortex said:
Hi guys,
Just made a breakthrough discovery!
To gain Widevine:
Crossflash EU firmware to your device with craznazn's MSM here https://androidfilehost.com/?fid=14943124697586337355, unlock bootloader but DO NOT update yet! Then, you want to flash magisk, reboot and turn on Zygisk and do whatever you need to pass SafetyNet.
Afterwards, you can upgrade, it should be a FULL system upgrade, not an incremental. It should detect root and download ~3000 MB. Install the update and reboot, you should get L1 now!
Click to expand...
Click to collapse
Worked!
Thanks
I didn't use your method to get to c.63 (a12) for my TMobile OnePlus 9 pro. i dont know i can back to tmobile stock. Now I currently rooted and using magisk. All video apps work but I can't get L1 widedine. Is there another way?
Thanks for this. I have a 9 pro coming.
Edited
Thanks
I've had success using this method to keep L1 up to A12, but any attempt to upgrade to A13 downgrades Widevine to L3.
What is l1? What is widevine?
immortalwon said:
What is l1? What is widevine?
Click to expand...
Click to collapse
It is the security level of the firmware. It effects the certain apps like banking apps etc...
immortalwon said:
What is l1? What is widevine?
Click to expand...
Click to collapse
L1 is a drm (digital rights content management) state. L1 means the content is being digitally decoded or decrypted in a trusted environment. (I believe some of these are done in hardware with hardware verification only). It is the highest protection level.
In short, some apps will not work or will not play HD content without L1 state of drm. For us, when we lose L1, we go to L3. This could mean apps won't work at all, or they could be reduced in functionality.
Netflix for example, with L3, is limited to 480p video (however some bypass this with casting and get to 720p resolution).
Typically, when you unlock the bootloader of a phone, it will drop drm to L3 as it's considered a not-trusted environment.
This behavior is mixed by device, firmware versions and sometimes region (I have read some devices have shipped without Widevine keys to certain areas). This is bypass-able in some devices. For example, my 9P on oos11 is L1 with bootloader unlocked and rooted, using the standard magisk modules for Safetynet and clearing system cache.
Some phones will not regain L1 with unlocked bootloader (and maybe some versions of firmware also). They will be stuck with L3 Widevine until they relock the bootloader or unroot. And some firmwares are broken and will not have L1 because they implemented drm wrong.
On my 10T, netflix would not launch with unlocked bootloader. That may have been resolved by now but I was limited to L3 in drm checker (play store app) anyway.
For my 9P, I lost L1 (to L3) when I flashed Eu conversion to 11.2.2.2 - someone said that was an issue with early OnePlus firmwares where they implemented drm wrong or the key was problematic somehow. Whether that's true or not, I regained L1 when I temporarily unrooted and took the OTA.
This is likely going to be an increasing problem going forward as more devices go to hardware (only) attestation for everything. I suspect we will eventually see a magisk method of patching these apps and running them as modded apks. There used to be some patched netflix apks around. I think forced updates and signature checking made these obsolete. We may eventually see someone modify the individual apks, perhaps injecting a software mechanism for drm. Like taking the entire process of decoding, from an older device, into the apk itself. That might be overkill for the situation but eventually these bypasses we have currently, will not work anymore. We will be relying on some form of device spoofing, patching apks, standalone or redirected drm decoding, or a combination of all of those things.
That's assuming someone with that much skill is interested in doing all or any of that work.
Perhaps we will reach a point where unlocked bootloader or rooting breaks regular use so much that it's no longer worth the headache. It seems that's what they're going for. 'They' being app developers and phone manufacturers.
Here's a link to drm checker (DRM info) in play store if you'd like to find your current state: https://play.google.com/store/apps/details?id=com.androidfung.drminfo
Appreciative said:
L1 is a drm (digital rights content management) state. L1 means the content is being digitally decoded or decrypted in a trusted environment. (I believe some of these are done in hardware with hardware verification only). It is the highest protection level.
In short, some apps will not work or will not play HD content without L1 state of drm. For us, when we lose L1, we go to L3. This could mean apps won't work at all, or they could be reduced in functionality.
Netflix for example, with L3, is limited to 480p video (however some bypass this with casting and get to 720p resolution).
Typically, when you unlock the bootloader of a phone, it will drop drm to L3 as it's considered a not-trusted environment.
This behavior is mixed by device, firmware versions and sometimes region (I have read some devices have shipped without Widevine keys to certain areas). This is bypass-able in some devices. For example, my 9P on oos11 is L1 with bootloader unlocked and rooted, using the standard magisk modules for Safetynet and clearing system cache.
Some phones will not regain L1 with unlocked bootloader (and maybe some versions of firmware also). They will be stuck with L3 Widevine until they relock the bootloader or unroot. And some firmwares are broken and will not have L1 because they implemented drm wrong.
On my 10T, netflix would not launch with unlocked bootloader. That may have been resolved by now but I was limited to L3 in drm checker (play store app) anyway.
For my 9P, I lost L1 (to L3) when I flashed Eu conversion to 11.2.2.2 - someone said that was an issue with early OnePlus firmwares where they implemented drm wrong or the key was problematic somehow. Whether that's true or not, I regained L1 when I temporarily unrooted and took the OTA.
This is likely going to be an increasing problem going forward as more devices go to hardware (only) attestation for everything. I suspect we will eventually see a magisk method of patching these apps and running them as modded apks. There used to be some patched netflix apks around. I think forced updates and signature checking made these obsolete. We may eventually see someone modify the individual apks, perhaps injecting a software mechanism for drm. Like taking the entire process of decoding, from an older device, into the apk itself. That might be overkill for the situation but eventually these bypasses we have currently, will not work anymore. We will be relying on some form of device spoofing, patching apks, standalone or redirected drm decoding, or a combination of all of those things.
That's assuming someone with that much skill is interested in doing all or any of that work.
Perhaps we will reach a point where unlocked bootloader or rooting breaks regular use so much that it's no longer worth the headache. It seems that's what they're going for. 'They' being app developers and phone manufacturers.
Here's a link to drm checker (DRM info) in play store if you'd like to find your current state: https://play.google.com/store/apps/details?id=com.androidfung.drminfo
Click to expand...
Click to collapse
Excellent summary of Widevine! I've tested extensively using every method I could find on XDA, and I've come to the conclusion that it isn't possible to attain L1 status in A13 with an unlocked bootloader on my OP 9 Pro.
Reznor7 said:
Excellent summary of Widevine! I've tested extensively using every method I could find on XDA, and I've come to the conclusion that it isn't possible to attain L1 status in A13 with an unlocked bootloader on my OP 9 Pro.
Click to expand...
Click to collapse
Have you surveyed others on a13 to see their Widevine state? I have heard some users on custom roms (In crDroid group) using 13, claiming they're L1. I haven't verified that first hand, just saw it in threads and telegram groups.
If it's true that I can't retain or regain L1 in regular stock oos13, I will never make the move to 13
1. https://github.com/Displax/safetynet-fix/releases/tag/v2.3.1-MOD_2.0
2. https://github.com/LSPosed/LSPosed.github.io/releases/tag/shamiko-126
3. In Magisk, hide Magisk, enable Zygisk, Configure DenyList (make sure all Google apps and Netflix are selected) and DO NOT enforce DenyList (for Shamiko to work). The Mount Namespace Mode should be Isolated Namespace.
4. Google Play Services, Google Play Store, and Netflix, clear storage. Restart your phone and give it some time. You should be able to search and find Netflix in Google Play Store (may need to try few times to force Google to check your phone), the Netflix should pass L1 too.
5. DO NOT use MagiskHide Props Config, it's not working at all.
yanggame said:
1. https://github.com/Displax/safetynet-fix/releases/tag/v2.3.1-MOD_2.0
2. https://github.com/LSPosed/LSPosed.github.io/releases/tag/shamiko-126
3. In Magisk, hide Magisk, enable Zygisk, Configure DenyList (make sure all Google apps and Netflix are selected) and DO NOT enforce DenyList (for Shamiko to work). The Mount Namespace Mode should be Isolated Namespace.
4. Google Play Services, Google Play Store, and Netflix, clear storage. Restart your phone and give it some time. You should be able to search and find Netflix in Google Play Store (may need to try few times to force Google to check your phone), the Netflix should pass L1 too.
5. DO NOT use MagiskHide Props Config, it's not working at all.
Click to expand...
Click to collapse
I'm on stock A13 unlocked and rooted with Magisk. I did all of this exactly as listed and am still stuck at L3.
Reznor7 said:
I'm on stock A13 unlocked and rooted with Magisk. I did all of this exactly as listed and am still stuck at L3.
Click to expand...
Click to collapse
You can try to reset you phone and finish all steps without login your account first. See if there is any difference. But it's probably will not work.
The best solution is to go back to stock OOS11 and flash Omega or Arter97 kernel since the leak is probably kernel side and only custom kernels can hide it.
yanggame said:
You can try to reset you phone and finish all steps without login your account first. See if there is any difference. But it's probably will not work.
The best solution is to go back to stock OOS11 and flash Omega or Arter97 kernel since the leak is probably kernel side and only custom kernels can hide it.
Click to expand...
Click to collapse
I've done enough flashing for a while. I'll leave it to someone else to try.
I got L1 with unlocked bootloader and Magisk.
I have LE2110. I used MSM tool (Global) to get back to OOS 11. It locked the bootloader; it always does. So I set up the phone offline (without connecting to WiFi or Mobile Data). Then I upgraded to OOS 11.2.10.10 version through local upgrade. Then opened Developer Options for OEM Unlocking. The option was greyed out and it asked to connect to internet. So I connected my WiFi for a minute or two until that OEM Unlocking was available. I enabled it, and disconnected WiFI. I DID NOT login to my Google account or opened Play Store. I rebooted to fastboot, and unlocked bootloader. Then rebooted. Then did the initial setup again (without connecting to WiFi or Mobile Data). Then I turned off and got the boot.img through MSM tool's readback option. (I was on slot_b so I got boot_b from MSM). Patched this boot.img with Magisk. Booted it temporarily and then through Magisk app, gainded permanent root by Direct Install. Rebooted. Enabled Zygisk from Magisk and Enforce Denylist, and rebooted again. Installed Universal SafetyNet Fix through Magisk and rebooted again. Opened Magisk and hid the Magisk app (just named it Settings; it installed and then showed root lost, but I just closed the app, and reopened new hidden Magisk again). Rebooted. Then I went ahead and connected to WiFi, logged in to my Google account and stuff. Checked from YASNAC and DRM Info and found that Safety Net passed as well as got L1.
I did not put any Google related app to Denylist.