SafetyNet Fail with Stock Nougat (4.28.401.3) - One (M9) Q&A, Help & Troubleshooting

Hi,
I'm currently running Android Nougat Stock (4.28.401.3), with the Bootloader unlocked, but without TWRP or Magisk. My device is currently failing the SafetyNet Check due to Basic Integrity and CTS profile mismatch (Image attached).
I also get the error "Security checking fail GT_CONNECT_FAIL" when booting into Bootloader Mode (Image attached, Source).
I updated several months ago from Marshmallow to Nougat, via OTA. When I had Marshmallow, I had TWRP and Magisk installed, but didn't reinstall them afterwards.
Now I would like to try and fix this error. Would installing Magisk (using MagiskHide) fix this issue? Does the Bootloader need to be re-locked now in order to pass the SafetyNet Check?
Any help appreciated.

I can only help you with safetynet since I haven't seen that Security checking fail GT_CONNECT_FAIL error before. For making sure everything is fine with the software of your phone I'd flash a RUU, nonetheless, if I were you. If the error gets caused by a hardware failure (e.g. the infamous nand death) then there's not much you can do for fixing it aside from sending it to HTC for a repair.
Safetynet fails as soon as you unlock the bootloader. You have two choices now. Either you re-lock the bootloader or you install magisk and activate magisk hide. If you choose the latter the bootloader can stay unlocked.

Flippy498 said:
I can only help you with safetynet since I haven't seen that Security checking fail GT_CONNECT_FAIL error before. For making sure everything is fine with the software of your phone I'd flash a RUU, nonetheless, if I were you. If the error gets caused by a hardware failure (e.g. the infamous nand death) then there's not much you can do for fixing it aside from sending it to HTC for a repair.
Safetynet fails as soon as you unlock the bootloader. You have two choices now. Either you re-lock the bootloader or you install magisk and activate magisk hide. If you choose the latter the bootloader can stay unlocked.
It looks like the Security checking fail GT_CONNECT_FAIL error is unrelated to the phone not passing the SafetyNet Check. Installing Magisk solved that problem (Though the Security checking fail GT_CONNECT_FAIL error still pops up).
Did the SafetyNet Check get updated or changed? My phone used to pass this check when on the Stock ROM.

Google constantly updates safetynet since they try to make magisk hide useless (aka make apps that rely on safetynet more secure). It's a cat and mouse game.
An unlocked bootloader results in a safetynet fail for quite some time, now, even if you use the stock rom.
Sent from my HTC One M9 using XDA Labs

Related

Safety Net check a problem for rooted guys

Hello!
After moving on S288 and rooting my device, I realised that I no longer pass Safetynet. I'm currently rooted with Chainfire's SuperSU + Magisk, and with the Magisk Hide feature from Magisk I cannot bypass the safetynet checker. Also, as I seem to realise, it is bypassed by an unlocked bootloader, so I'm wondering whether it will pass if we lock it again.
This safetynet thing doesn't allow me to log into Snapchat and doesn't allow me to use some apps to pay via NFC, which drives me nuts.
I'll try locking the bootloader again and then seeing if that fixes the issue.
Any suggestions are welcome!

SafetyNet still tripped after RUU

I ran the latest RUU to update my US unlocked HTC 10 to 2.41.617.3. I was hoping that it would fix it so I could pass the SafetyNet but even right after a wipe, data format, clean install and no root, the safetycheck test still comes back with CTS profile match: false. Am I doing something wrong here?
ray985 said:
I ran the latest RUU to update my US unlocked HTC 10 to 2.41.617.3. I was hoping that it would fix it so I could pass the SafetyNet but even right after a wipe, data format, clean install and no root, the safetycheck test still comes back with CTS profile match: false. Am I doing something wrong here?
The only other thing I can think of that would trip it is an unlocked bootloader.
Other than that, SN would **** up.
My advice is to just install Magisk and enable Magisk hide to pass SafetyNet.
Ariac Konrel said:
The only other thing I can think of that would trip it is an unlocked bootloader.
Other than that, SN would **** up.
My advice is to just install Magisk and enable Magisk hide to pass SafetyNet.
Thanks. I tried using Magisk and Magisk hide but unfortunately they don't work at bypassing SafetyNet either for me.
ray985 said:
Thanks. I tried using Magisk and Magisk hide but unfortunately they don't work at bypassing SafetyNet either for me.
If your bootloader is unlocked, it will fail. Install any of the current custom kernels on the forum, they all have the bootloader fix to allow it to pass safetynet. You may even be able to relock your bootloader via sunshine.
ray985 said:
Thanks. I tried using Magisk and Magisk hide but unfortunately they don't work at bypassing SafetyNet either for me.
aer0zer0 said:
If your bootloader is unlocked, it will fail. Install any of the current custom kernels on the forum, they all have the bootloader fix to allow it to pass safetynet. You may even be able to relock your bootloader via sunshine.
That's what I did on my WWE variant. I bought and ran SunShine to set my device S-OFF/locked. Since then it passes SafetyNet on my end.
As its behaviour is the same as S-OFF/unlocked it even comes in handy as soon as one's going to sell it. In such case one could easily RUU back to stock and set the secureflag back to S-ON afterwards. Renders the device in a state that's looking like you never touched it at all.
Sent from my htc_pmeuhl using XDA Labs
5m4r7ph0n36uru said:
That's what I did on my WWE variant. I bought and ran SunShine to set my device S-OFF/locked. Since then it passes SafetyNet on my end.
As its behaviour is the same as S-OFF/unlocked it even comes in handy as soon as one's going to sell it. In such case one could easily RUU back to stock and set the secureflag back to S-ON afterwards. Renders the device in a state that's looking like you never touched it at all.
Sent from my htc_pmeuhl using XDA Labs
I was one of the first to mail in, so mine is set to unlocked on vzw by default. I haven't had any need to change it though.
aer0zer0 said:
If your bootloader is unlocked, it will fail. Install any of the current custom kernels on the forum, they all have the bootloader fix to allow it to pass safetynet. You may even be able to relock your bootloader via sunshine.
Thanks, I'll play around with some of the custom kernels and see if that fixes it.

Is it possible to pass new safetynet update with an unlocked bootloader?

I recently ran into a lot of problems due to version 12 of magisk and the new update to safetynet. I have read that the developer of magisk released a new version to pass checks. I need to pass as I am an Uber user and in default need Android pay.
I have since tried to go back to stock but ran into problems regarding unlocking my bootloader, currently I am completely stock although my bootloader is unlocked and I can't pass the safetynet check with the new parameters.
I NEED to pass safety net on this device, I don't know what to do, when I lock my bootloader I'm unable to sideload the ROM, with the device unlocked I fail safetynet, will the latest version of magisk work (v13b) with an unlocked bootloader, as my device was soft bricked for 3 days after I locked the bootloader.
Thank you in advance for any insight on this. Currently I am on stock recovery and unrooted but it seems with the unlocked bootloader I am unable to pass safety net thus unable to use Android pay and subsequently unable to book rides with Uber/Lyft.
Thanks in advance for your help
Sorry I forgot to say I'm running stock recovery and ROM, only my bootloader is unlocked. I tried to lock it but adb would not sideload the stock ROM after locking the bootloader. Right now I am as stock as I can be ****
Without a locked bootloader, I don't care if my device is rooted or not I just want to pass the safety net check, I'm failing CTS mismatch, I don't know why after factory resetting my device, why google is doing this IDK I just need to get my device working 100 percent, rooted or not at this point I don't care.
Thank you for your future reply and thank you again if you have helped me before, this is a nightmare, why google is doing this Idk but I funny believe it's in anyone's best interest except possibly but business​.
Quick google search for magisk beta version 13. His newest beta passes safetynet, and i believe he claims its easy to fix in the future as well
I believe you need a custom kernel that bypasses the Safety Net boot-loader check.
If you want to completely go back to stock (and pass safety net) follow this guide: https://forums.oneplus.net/threads/...-3-3t-and-go-back-completely-to-stock.456232/
Magisk 13 BETA or wait for stable.
I previously tried to go completely to stock but ran into problems after locking the bootloader,
https://forum.xda-developers.com/oneplus-3/help/tried-to-to-stock-adb-error-read-file-t3621902
As I would be fine with that, I prefer using magisk so I suppose I'll go with that,
What kernel is recommended? I was thinking blu-spark or franko as afaik they work?
After I lock my bootloader I ran into problems, adb would recognize my device along with fastboot although, it would not side load the ROM, so I guess my only option is magisk, I just need to find,
Correct kernel, best version of TWRP recovery (I used to have blu-spark, with franko kernel, this time I think I'm going to go buy with blu-spark)
I appreciate your help, although whatever works is what I'll do, IDK why I can't go back to stock, I've done it before so IDK what has changed, I just need to find the latest version 13 beta of magisk.
Currently I'm fully stock except for unlocked bootloader and I get the CTS mismatch error on safety net, (this safety net crap is annoying)
I am using Magisk v13 and it is completely free of bugs.
lebeatnik said:
I previously tried to go completely to stock but ran into problems after locking the bootloader,
https://forum.xda-developers.com/oneplus-3/help/tried-to-to-stock-adb-error-read-file-t3621902
As I would be fine with that, I prefer using magisk so I suppose I'll go with that,
What kernel is recommended? I was thinking blu-spark or franko as afaik they work?
After I lock my bootloader I ran into problems, adb would recognize my device along with fastboot although, it would not side load the ROM, so I guess my only option is magisk, I just need to find,
Correct kernel, best version of TWRP recovery (I used to have blu-spark, with franko kernel, this time I think I'm going to go buy with blu-spark)
I appreciate your help, although whatever works is what I'll do, IDK why I can't go back to stock, I've done it before so IDK what has changed, I just need to find the latest version 13 beta of magisk.
Currently I'm fully stock except for unlocked bootloader and I get the CTS mismatch error on safety net, (this safety net crap is annoying)

To those who have rooted already: did you trip dm-verity?

Hi all,
It's surprisingly hard to find a current state of affairs on this.
Well the title says it all really. I understand that this verifies the block device using a hash tree. Obviously, flashing a different kernel or recovery should make it trip. If that trips, I expect the phone no longer to pass safetynet which is a problem.
So for those who have rooted, did you trip dm-verity?
How can I tell if I tripped it?
I flashed Magisk, and my device still works, and still passes safetynet, but I've not really encountered dm-verity before?
I do have a warning at boot due to unlocking bootloader but still passing safetynet without issue.
Stock Kernel, BlueSpark TWRP
Blu Spark twrp and SimpleGX kernel and it passes safetynet.
Was reading the twrp website earlier and it said as soon as you swipe to allow modification in TWRP that unless you format data and decrypt that it will fail to boot, yet I've never formatted data and my phone has never not booted due to this.
Lum_UK said:
How can I tell if I tripped it?
I flashed Magisk, and my device still works, and still passes safetynet, but I've not really encountered dm-verity before?
If you pass safetynet, you're good to go I believe. It seems the root apps are taking care of this then. Anyway, It should display some kind of warning if it is tripped.
https://source.android.com/security/verifiedboot/verified-boot
I wanted to double check this--if you flash something and re-lock the bootloader, I think you've tripped dm-verity if you still have a boot message saying that the OS has changed. I'm having this issue after flashing Magisk (15.3). Can anyone confirm or deny that it is possible to flash Magisk and retain dm-verity?
Edit: After some Google searching it *seems* like it's not possible to have a green verified boot if you're applying Magisk, unless you have the OEM key.
https://source.android.com/security/verifiedboot/verified-boot
I have never tripped dm verity on my 5t and I never will. There is a no verity zip. Always flash that zip Last when flashing roms and you will be fine.
Magisk automatically disables DM verity. I think it is not possible to root without tripping it, but I never tried. DM verity doesn't interest me as long as SafetyNet is fine.
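
The hash-tree check mentioned in the opening post of this thread, as an added example that is not part of the original posts: a simplified Python model of a dm-verity style tree (4096-byte blocks, salted SHA-256). The image, salt and function names are constructed for illustration, and the layout is not on-disk compatible with real verity metadata.

```python
import hashlib

BLOCK = 4096               # data and hash block size modelled here
DIGEST = 32                # SHA-256 digest length
FANOUT = BLOCK // DIGEST   # 128 digests fit in one hash block

def h(salt, block):
    return hashlib.sha256(salt + block).digest()

def build_tree(blocks, salt):
    """Return (levels, root_hash); levels[0] covers the data blocks."""
    levels, current = [], blocks
    while True:
        digests = [h(salt, b) for b in current]
        packed = [b"".join(digests[i:i + FANOUT]).ljust(BLOCK, b"\0")
                  for i in range(0, len(digests), FANOUT)]
        levels.append(packed)
        if len(packed) == 1:
            return levels, h(salt, packed[0])
        current = packed

def verify_block(index, block, levels, root, salt):
    """Check one data block at read time, walking up to the trusted root."""
    digest = h(salt, block)
    for level in levels:
        hash_block = level[index // FANOUT]
        slot = (index % FANOUT) * DIGEST
        if hash_block[slot:slot + DIGEST] != digest:
            return False
        digest, index = h(salt, hash_block), index // FANOUT
    return digest == root

# Constructed sample: a 300-block "partition" and an all-zero salt.
SALT = bytes(32)
IMAGE = [i.to_bytes(4, "big") * (BLOCK // 4) for i in range(300)]
LEVELS, ROOT = build_tree(IMAGE, SALT)

def demo():
    ok = verify_block(42, IMAGE[42], LEVELS, ROOT, SALT)
    patched = bytearray(IMAGE[42])
    patched[0] ^= 1                      # one flipped bit in one block
    patched = bytes(patched)
    tampered = verify_block(42, patched, LEVELS, ROOT, SALT)
    # Recomputing the stored tree does not help: the trusted root differs.
    new_levels, new_root = build_tree(IMAGE[:42] + [patched] + IMAGE[43:], SALT)
    rebuilt = verify_block(42, patched, new_levels, ROOT, SALT)
    return ok, tampered, rebuilt, new_root != ROOT

print(demo())
```

The tree itself is stored alongside the data and is not trusted; only the root hash is, which is why it has to be covered by the boot chain's signature.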

ctsProfile: false - Although not rooted

Hi there,
It might be a dumb question, but I'm kinda clueless.
I have my device not rooted and the SafetyNet-Check of Magisk says ctsProfile: false.
My bootloader is unlocked since the beginning. Could that be the reason for it? And if so how could I avoid it? Rooting or Relocking the bootloader?
Background:
Because I experience problems with a couple of banking apps that they don't start/crash on startup and one of them saying it might be of having my device rooted.
So that's why I thought maybe SafetyNet Check is not good and checked it and figured out one check is not passing.
wsjoke said:
Some kernels lack the feature needed to pass cts without magisk installed you can either
1. install magisk to pass CTS
2. Use a kernel that has the patch (loki and my own kernel "chunchunmaru" should have it but both are for Q only as of now)
First, in what rom you are? Why u install magisk manager if u don't have root? What apps don't open? We aren't magicians or clairvoyants, please always mention more details
wsjoke said:
Hi there,
It might be a dumb question, but I'm kinda clueless.
I have my device not rooted and the SafetyNet-Check of Magisk says ctsProfile: false.
My bootloader is unlocked since the beginning. Could that be the reason for it? And if so how could I avoid it? Rooting or Relocking the bootloader?
Background:
Because I experience problems with a couple of banking apps that they don't start/crash on startup and one of them saying it might be of having my device rooted.
So that's why I thought maybe SafetyNet Check is not good and checked it and figured out one check is not passing.
I assume that you are from stock. It is the problem from Mi A2 Lite's device fingerprint that somehow it is not certified. Probably for reasons:
1. Magisk manager is present
2. Unlocked bootloader
3. Usually, it will pass when fingerprint has the same value from 10.0.1.0. After that, it fails for no reason. One theory suggests it might have to do with vulnerabilities present from our device (the System Toolkit app, when you dial *#*#64663#*#*), thus revoking certification from Play Store.
If you're on custom ROM, that would be it, except from POSP that has passed CTS. Also it could be the GApps you are using.
Os_Herdz said:
First, in what rom you are? Why u install magisk manager if u don't have root? What apps don't open? We aren't magicians or clairvoyants, please always mention more details
Stock rom, I previously had my phone rooted, that's why I still have installed magisk.
Various Banking Apps don't work as intended. For example https://play.google.com/store/apps/details?id=de.commerzbanking.mobil&hl=de can't unlock with fingerprint anymore. https://play.google.com/store/apps/details?id=com.starfinanz.mobile.android.dkbpushtan&hl=de doesn't open at all and opens a website which says a rooted phone could cause this issue.
