To those who have rooted already: did you trip dm-verity? - OnePlus 5T Questions & Answers

Hi all,
It's surprisingly hard to find a current state of affairs on this.
Well the title says it all really. I understand that this verifies the block device using a hash tree. Obviously, flashing a different kernel or recovery should make it trip. If that trips, I expect the phone no longer to pass safetynet which is a problem.
So for those who have rooted, did you trip dm-verity?

How can I tell if I tripped it?
I flashed Magisk, and my device still works, and still passes safetynet, but I've not really encountered dm-verity before?

I do have a warning at boot due to unlocking bootloader but still passing safetynet without issue.
Stock Kernel, BlueSpark TWRP

Blu Spark twrp and SimpleGX kernel and it passes safetynet.
Was reading the twrp website earlier and it said as soon as you swipe to allow modification in TWRP that unless you format data and decrypt that it will fail to boot, yet I've never formatted data and my phone has never not booted due to this.

Lum_UK said:
How can I tell if I tripped it?
I flashed Magisk, and my device still works, and still passes safetynet, but I've not really encountered dm-verity before?
If you pass safetynet, you're good to go I believe. It seems the root apps are taking care of this then. Anyway, it should display some kind of warning if it is tripped.
https://source.android.com/security/verifiedboot/verified-boot

I wanted to double check this--if you flash something and re-lock the bootloader, I think you've tripped dm-verity if you still have a boot message saying that the OS has changed. I'm having this issue after flashing Magisk (15.3). Can anyone confirm or deny that it is possible to flash Magisk and retain dm-verity?
Edit: After some Google searching it *seems* like it's not possible to have a green verified boot if you're applying Magisk, unless you have the OEM key.
https://source.android.com/security/verifiedboot/verified-boot

I have never tripped dm verity on my 5t and I never will. There is a no verity zip. Always flash that zip last when flashing roms and you will be fine.

Magisk automatically disables DM verity. I think it is not possible to root without tripping it, but I never tried. DM verity doesn't interest me as long as SafetyNet is fine.
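
One way to answer the "How can I tell if I tripped it?" question from this thread, as an added example that is not part of any poster's reply: read the boot properties the bootloader hands to Android and summarise them. It assumes the device exposes the AOSP properties `ro.boot.verifiedbootstate`, `ro.boot.veritymode` and `ro.boot.flash.locked`; the sample dumps are constructed.

```shell
#!/bin/sh
# Added example: summarise verified-boot / dm-verity state from `getprop` output.
# Assumes the device exposes the AOSP boot properties below; not every build does.

# Constructed sample dumps in `adb shell getprop` format ("[key]: [value]").
SAMPLE_STOCK='[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [green]
[ro.boot.veritymode]: [enforcing]'
SAMPLE_UNLOCKED='[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.veritymode]: [disabled]'
SAMPLE_NO_PROPS='[ro.build.type]: [user]'

# prop DUMP KEY -> value of KEY, or empty if the property is absent.
prop() {
    printf '%s\n' "$1" | tr -d '\r' | awk -v k="[$2]:" '
        $1 == k { v = $2; gsub(/^\[|\]$/, "", v); print v; exit }'
}

# verity_report DUMP -> one summary line with a verdict.
verity_report() {
    state=$(prop "$1" ro.boot.verifiedbootstate)
    mode=$(prop "$1" ro.boot.veritymode)
    locked=$(prop "$1" ro.boot.flash.locked)

    if [ -z "$state" ] && [ -z "$mode" ]; then
        verdict=unknown            # properties not exposed by this build
    elif [ "$state" = green ] && [ "$mode" = enforcing ] && [ "$locked" = 1 ]; then
        verdict=intact             # locked, OEM-key verified, verity enforced
    else
        verdict=modified           # unlocked, unverified, or verity not enforcing
    fi
    printf 'state=%s verity=%s locked=%s verdict=%s\n' \
        "${state:-n/a}" "${mode:-n/a}" "${locked:-n/a}" "$verdict"
}

# On a connected device: verity_report "$(adb shell getprop)"
for sample in "$SAMPLE_STOCK" "$SAMPLE_UNLOCKED" "$SAMPLE_NO_PROPS"; do
    verity_report "$sample"
done
```

These values are self-reported by the running system, so on a rooted device they are a local indication only and not an attestation.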

Related

Safety Net check a problem for rooted guys

Hello!
After moving on S288 and rooting my device, I realised that I no longer pass Safetynet. I'm currently rooted with Chainfire's SuperSU + Magisk, and with the Magisk Hide feature from Magisk I cannot bypass the safetynet checker. Also as I seem to realise, it is bypassed by an unlocked bootloader, which I'm wondering if we lock again if it will pass.
This safetynet thing doesn't allow me to log into Snapchat and doesn't allow me to use some apps to pay via NFC, which drives me nuts.
I'll try locking the bootloader again and then seeing if that fixes the issue.
Any suggestions are welcome!

Is it possible to pass new safetynet update with an unlocked bootloader?

I recently ran into a lot of problems due to the fact vr 12 of magisk and the new update to safetynet. I have read that the developer of magisk released a new version to pass checks. I need to pass as I am an Uber user and in default need Android pay.
I have since tried to go back to stock but ran into problems regarding unlocking my bootloader, currently I am completely stock although my bootloader is unlocked and I can't pass the safetynet check with the new parameters.
I NEED to pass safety net on this device, I don't know what to do, when I lock my bootloader I'm unable to sideload the ROM, with the device unlocked I fail safetynet, will the latest version of magisk work (v13b) with an unlocked bootloader, as my device was soft bricked for 3 days after I locked the bootloader.
Thank you in advance for any insight on this. Currently I am on stock recovery and unrooted but it seems with the unlocked bootloader I am unable to pass safety net thus unable to use Android pay and subsequently unable to book rides with Uber/Lyft.
Thanks in advance for your help
Sorry I forgot to say I'm running stock recovery and ROM only my bootloader is unlocked, I tried to lock it but adb would not sideload the stock ROM after locking the bootloader. Right now I am as stock as I can be ****
Without a locked bootloader, I don't care if my device is rooted or not I just want to pass the safety net check, I'm failing CTS mismatch, I don't know why after factory resetting my device, why google is doing this IDK I just need to get my device working 100 percent, rooted or not at this point I don't care.
Thank you for your future reply and thank you again if you have helped me before, this is a nightmare, why google is doing this Idk but I funny believe it's in anyone's best interest except possibly but business​.
Quick google search for magisk beta version 13. His newest beta passes safetynet, and I believe he claims it's easy to fix in the future as well
I believe you need a custom kernel that bypasses the Safety Net boot-loader check.
If you want to completely go back to stock (and pass safety net) follow this guide: https://forums.oneplus.net/threads/...-3-3t-and-go-back-completely-to-stock.456232/
Magisk 13 BETA or wait for stable.
I previously tried to go completely to stock but ran into problems after locking the bootloader,
https://forum.xda-developers.com/oneplus-3/help/tried-to-to-stock-adb-error-read-file-t3621902
As I would be fine with that, I prefer using magisk so I suppose I'll go with that,
What kernel is recommended? I was thinking blu-spark or franko as afaik they work?
After I lock my bootloader I ran into problems, adb would recognize my device along with fastboot although, it would not side load the ROM, so I guess my only option is magisk, I just need to find,
Correct kernel, best version of TWRP recovery (I used to have blu-spark, with franko kernel, this time I think I'm going to go buy with blu-spark)
I appreciate your help, although whatever works is what I'll do, IDK why I can't go back to stock, I've done it before so IDK what has changed, I just need to find the latest version 13 beta of magisk.
Currently I'm fully stock except for unlocked bootloader and I get the CTS mismatch error on safety net, (these safety net crap is annoying)
I am using Magisk v13 and it is completely free of bugs.

SafetyNet Fail with Stock Nougat (4.28.401.3)

Hi,
I'm currently running Android Nougat Stock (4.28.401.3), with the Bootloader unlocked, but without TWRP or Magisk. My device is currently failing the SafetyNet Check due to Basic Integrity and CTS profile mismatch (Image attached).
I also get the error "Security checking fail GT_CONNECT_FAIL" when booting into Bootloader Mode (Image attached, Source).
I updated several months ago from Marshmallow to Nougat, via OTA. When I had Marshmallow, I had TWRP and Magisk installed, but didn't reinstall them afterwards.
Now I would like to try and fix this error. Would installing Magisk (using MagiskHide) fix this issue? Does the Bootloader need to be re-locked now in order to pass the SafetyNet Check?
Any help appreciated.
I can only help you with safetynet since I haven't seen that Security checking fail GT_CONNECT_FAIL error before. For making sure everything is fine with the software of your phone I'd flash a RUU, nonetheless, if I were you. If the error gets caused by a hardware failure (e.g. the infamous nand death) then there's not much you can do for fixing it aside from sending it to HTC for a repair.
Safetynet fails as soon as you unlock the bootloader. You have two choices now. Either you re-lock the bootloader or you install magisk and activate magisk hide. If you choose the latter the bootloader can stay unlocked.
Flippy498 said:
I can only help you with safetynet since I haven't seen that Security checking fail GT_CONNECT_FAIL error before. For making sure everything is fine with the software of your phone I'd flash a RUU, nonetheless, if I were you. If the error gets caused by a hardware failure (e.g. the infamous nand death) then there's not much you can do for fixing it aside from sending it to HTC for a repair.
Safetynet fails as soon as you unlock the bootloader. You have two choices now. Either you re-lock the bootloader or you install magisk and activate magisk hide. If you choose the latter the bootloader can stay unlocked.
It looks like the Security checking fail GT_CONNECT_FAIL error is unrelated to the phone not passing the SafetyNet Check. Installing Magisk solved that problem (Though the Security checking fail GT_CONNECT_FAIL error still pops up).
Did the SafetyNet Check get updated or changed? My phone used to pass this check when on the Stock ROM.
Google constantly updates safetynet since they try to make magisk hide useless (aka make apps that rely on safetynet more secure). It's a cat and mouse game.
An unlocked bootloader results in a safetynet fail for quite some time, now, even if you use the stock rom.

ctsProfile: false - Although not rooted

Hi there,
It might be a dumb question, but I'm kinda clueless.
I have my device not rooted and the SafetyNet-Check of Magisk says ctsProfile: false.
My bootloader is unlocked since the beginning. Could that be the reason for it? And if so how could I avoid it? Rooting or Relocking the bootloader?
Background:
Because I experience problems with a couple of banking apps that they don't start/crash on startup and one of them saying it might be of having my device rooted.
So that's why I thought maybe SafetyNet Check is not good and checked it and figured out one check is not passing.
wsjoke said:
Some kernels lack the feature needed to pass cts without magisk installed you can either
1. install magisk to pass CTS
2. Use a kernel that has the patch (loki and my own kernel "chunchunmaru" should have it but both are for Q only as of now)
First, in what rom you are? Why u install magisk manager if u don't have root? What apps don't open? We aren't magicians or clairvoyants, please always mention more details
wsjoke said:
Hi there,
It might be a dumb question, but I'm kinda clueless.
I have my device not rooted and the SafetyNet-Check of Magisk says ctsProfile: false.
My bootloader is unlocked since the beginning. Could that be the reason for it? And if so how could I avoid it? Rooting or Relocking the bootloader?
Background:
Because I experience problems with a couple of banking apps that they don't start/crash on startup and one of them saying it might be of having my device rooted.
So that's why I thought maybe SafetyNet Check is not good and checked it and figured out one check is not passing.
I assume that you are from stock. It is the problem from Mi A2 Lite's device fingerprint that somehow it is not certified. Probably for reasons:
1. Magisk manager is present
2. Unlocked bootloader
3. Usually, it will pass when fingerprint has the same value from 10.0.1.0. After that, it fails for no reason. One theory suggests it might have to do with vulnerabilities present from our device (the System Toolkit app, when you dial *#*#64663#*#*), thus revoking certification from Play Store.
If you're on custom ROM, that would be it, except from POSP that has passed CTS. Also it could be the GApps you are using.
Os_Herdz said:
First, in what rom you are? Why u install magisk manager if u don't have root? What apps don't open? We aren't magicians or clairvoyants, please always mention more details
Stock rom, I previously had my phone rooted, that's why I still have installed magisk.
Various Banking Apps don't work as intended. For example https://play.google.com/store/apps/details?id=de.commerzbanking.mobil&hl=de can't unlock with fingerprint anymore. https://play.google.com/store/apps/details?id=com.starfinanz.mobile.android.dkbpushtan&hl=de doesn't open at all and opens a website which says a rooted phone could cause this issue.

[XT1676] Has anyone managed to flash a 64-bit ROM and still passed SafetyNet?

Hey everyone,
So with pokemon GO dropping support for 32-bit devices soon (and Motorola decided to give us a 32-bit OS on 64-bit hardware....), I was wondering if there was any way I could flash a 64-bit ROM and still pass the SafetyNet CTS check? I guess I'd have to flash something without built in root, and then re-lock the bootloader, has anyone done this before?
Currently running stock ROM on my XT1676.
Thanks in advance,
J.e.v.a
Jimmy_The_Squid said:
Hey everyone,
So with pokemon GO dropping support for 32-bit devices soon (and Motorola decided to give us a 32-bit OS on 64-bit hardware....), I was wondering if there was any way I could flash a 64-bit ROM and still pass the SafetyNet CTS check? I guess I'd have to flash something without built in root, and then re-lock the bootloader, has anyone done this before?
Currently running stock ROM on my XT1676.
Thanks in advance,
J.e.v.a
Why would you want to re-lock the bootloader? You couldn't do that anyway without flashing a stock unmodified firmware image and even then it's not advisable because if something happens in the future you may not be able to reflash firmware as the bootloader is locked
Anyway to answer your question - most 64bit roms pass safetynet by default (lineage 17.1 & AOSP for example) as they contain a hack that changes the device fingerprint (you will get a message on boot about contacting the manufacturer due to the mismatch of fingerprints but this can be ignored)
If you want root flash magisk and then hide pokemon go in magisk hide assuming magisk still supports hiding of root as I haven't tested it for a while
Also no roms should be rooted by default - you need to root it yourself if you want to
Jimmy_The_Squid said:
Hey everyone,
So with pokemon GO dropping support for 32-bit devices soon (and Motorola decided to give us a 32-bit OS on 64-bit hardware....), I was wondering if there was any way I could flash a 64-bit ROM and still pass the SafetyNet CTS check? I guess I'd have to flash something without built in root, and then re-lock the bootloader, has anyone done this before?
Currently running stock ROM on my XT1676.
Thanks in advance,
J.e.v.a
Just use MintOS with Magisk
It will work out of the box
Thanks for the advice both, I wanted to relock the bootloader as I believe the CTS check fails if it is detected as being unlocked. I'll have a go with one of the recommended ROMs and let you know how it turns out. I don't have any need for Root.
J.e.v.a.
Jimmy_The_Squid said:
Thanks for the advice both, I wanted to relock the bootloader as I believe the CTS check fails if it is detected as being unlocked. I'll have a go with one of the recommended ROMs and let you know how it turns out. I don't have any need for Root.
J.e.v.a.
The bootloader tripping CTS does not work on this phone, it's too old
And you ironically need Magisk to pass SafetyNet! Magisk Hide hides Custom ROM things too that will trap SafetyNet.
nift4 said:
The bootloader tripping CTS does not work on this phone, it's too old
And you ironically need Magisk to pass SafetyNet! Magisk Hide hides Custom ROM things too that will trap SafetyNet.
Ah good to hear having an old phone works in my favour sometimes.
I'm in same boat : wanted to flash the Lineage OS 64 bit version on the G5.
I don't understand why we need to use Magisk, I used to do the same last year on a Samsung J3 and flash a Lineage 14.1 (32bits and without root).
And it passes Safetynet checks without Magisk, is Magisk really required on the G5 if we don't root the phone ?
Thanks
foosee said:
I'm in same boat : wanted to flash the Lineage OS 64 bit version on the G5.
I don't understand why we need to use Magisk, I used to do the same last year on a Samsung J3 and flash a Lineage 14.1 (32bits and without root).
And it passes Safetynet checks without Magisk, is Magisk really required on the G5 if we don't root the phone ?
Thanks
It depends if the rom passes safetynet by default
If it doesn't you need magisk to either flash a safetynet module or change device fingerprint in order to pass cts
You also need it to hide the fact you're rooted from apps using magisk hide
So to clarify - if the rom passes basic integrity & cts there shouldn't be a need to root
If it doesn't you need to use magisk to help you pass these things and to hide root
foosee said:
I'm in same boat : wanted to flash the Lineage OS 64 bit version on the G5.
I don't understand why we need to use Magisk, I used to do the same last year on a Samsung J3 and flash a Lineage 14.1 (32bits and without root).
And it passes Safetynet checks without Magisk, is Magisk really required on the G5 if we don't root the phone ?
Thanks
Try it. You can unroot and root your phone with the zips.
