Related
Certified Device/SafetyNet "CTS profile mismatch" with LineageOS 14.1 and Magisk 12.0
Edit: My motivation is that I want use apps which checks Google Certified Device status and existing root. For example Netflix or Banking Apps (just examples for apps that are performing those kind of checks).
I have a Samsung Galaxy Tab 10.1 WiFi (SM-T520, picassowifi, n2awifi).
I have LineageOS 14.1 (lineage-14.1-20170518-nightly-n2awifi-signed.zip) in combination with OpenGApps (open_gapps-arm-7.1-nano-20170525.zip) and Magisk (v12) installed on the tablet.
In the Magisk settings I have...
BusyBox: disabled
Magisk Core Only Mode: disabled
Magisk Hide: Enabled
Systemless host file: Enabled
SuperUser Access: Apps and ADB
WIth "Magisk Hide" I have activate every app that Magisk Hide shows me with the app selection.
I have restartet my tablet.
I have startet Magisk Manager app and run the SafetyNet check... it shows up the error: "CTS profile mismatch".
I have startet Google Play store app and within Play store app settings the "Device Certification" status is "Not certified".
Using the very same installation procedure from my tablet, my smartphone (OnePlus 3T) showed me a green "SafetyNet passed" status. I had to install a Magisk module dedicated for my OP3T to "fix" the Google Play store certification check.
The current situation leads to two questions:
How to pass SafetyNet check?
How to "fix" Google Play store device certification check?
Edit: "Developer Mode/Tools" and ADB are disabled.
It may not help you too much but I was able to get Super Mario Run, an app notorious for not working if safety net isn't working correctly, to work by uninstalling all interations of supersu completely and then installing the latest v13 beta of Magisk. I still get the "CTS Profile Mismatch" but when using the hide option, Mario Run started working again when it wouldn't even load before. Make a TWRP backup before you change anything though.
My company is now enforcing and managing BYOD with AirWatch. I'm trying to enrol my Magisk-rooted Pixel 2 XL. I've searched around XDA and other sites and I was able to enrol the phone when I use Magisk Hide to hide from the AirWatch agent, aka now the Intelligent Hub. It creates a Work profile and installed several work related apps. The only other app aside from Intelligent Hub I've tested so far is Boxer and it works for the few minutes during my test.
When I say Boxer works for a few minutes, that is because next I attempted to open Workspace One. As it loads, I'm guessing it checks other details about the phone, then it would popup a message saying Work apps and profile removing because the device is "compromised" and uninstall the work apps and Word profile.
I would like to use Magisk Hide and hide from Workspace One app, but Magisk Hide doesn't even list that and other apps in the Work profile. An admin at work checked the AirWatch server and it shows the device compromised detection with the status "Malicious file found - Check files in system or exec folder".
So my question is, outside of troubleshooting step by step from wiping phone and setting up each thing from scratch, anyone else have an insight on what else I can check?
FYI, these are the following setup I have on my phone
- Pixel 2 XL
- Rooted with latest version of Magisk and Manager
- Latest Pie 9.0 Aug 2019 Update
- Magisk Modules Installs: Busybox, Viper4Android
- Apps with Root Access: AdAway, BetterBatteryStats, Franco Kernel Manager, Material Terminal, Titanium Backup
s0l1dsn8k3 said:
My company is now enforcing and managing BYOD with AirWatch. I'm trying to enrol my Magisk-rooted Pixel 2 XL. I've searched around XDA and other sites and I was able to enrol the phone when I use Magisk Hide to hide from the AirWatch agent, aka now the Intelligent Hub. It creates a Work profile and installed several work related apps. The only other app aside from Intelligent Hub I've tested so far is Boxer and it works for the few minutes during my test.
When I say Boxer works for a few minutes, that is because next I attempted to open Workspace One. As it loads, I'm guessing it checks other details about the phone, then it would popup a message saying Work apps and profile removing because the device is "compromised" and uninstall the work apps and Word profile.
I would like to use Magisk Hide and hide from Workspace One app, but Magisk Hide doesn't even list that and other apps in the Work profile. An admin at work checked the AirWatch server and it shows the device compromised detection with the status "Malicious file found - Check files in system or exec folder".
So my question is, outside of troubleshooting step by step from wiping phone and setting up each thing from scratch, anyone else have an insight on what else I can check?
FYI, these are the following setup I have on my phone
- Pixel 2 XL
- Rooted with latest version of Magisk and Manager
- Latest Pie 9.0 Aug 2019 Update
- Magisk Modules Installs: Busybox, Viper4Android
- Apps with Root Access: AdAway, BetterBatteryStats, Franco Kernel Manager, Material Terminal, Titanium Backup
Click to expand...
Click to collapse
The following works but I am not sure if all the steps are crucial and which ones may be superfluous. Those instructions in (parentheses) may be not necessary).
I am not a programmer (Basic on a C-64 doesn't count, I take it), don't know anything about computer architectures etc., just able to follow instructions and wrap my mind around them to tweak my devices.
The main part is to "Hide Magisk Manager" after Boxer is installed (but before it is opened/setup) as that also creates another Magisk app (instance?) with the new name for the work profile where Boxer etc. show up and can be hidden with Magisk Hide.
The other (first) part is to hide anything that would alert and conflict with Hub before or during setting up the work profile - I pretty much hid everything under Magisk Hide...
I don't know BYOD nor Workspace One, so the solution below may not work.
- uninstall Hub (that's the only app remaining after the auto-uninstall, right?)
- if Magisk Manager is already hidden: go to Settings\Restore Magisk Manager "with original package and app names" - that seems to be important, as hiding it later and with another name will then also create a Work Profile where one can see and click and hide the work profile apps such as Boxer (not sure if it works the other way around, i.e. starting off hidden with a different name and then later restoring to original will create a Magisk work profile)
- Magisk Hide: click almost every system app, not just the Google ones, but almost everything, camera, calendar, contacts etc. and your phone maker's versions as well (not sure what is necessary, but only Google system apps didn't seem to do it...), also all root and SU related apps like BusyBox etc. (not sure what Hub looks for)
(- System\Apps > clear storage data for Google Play Store and other Play Apps, also make sure Hub is really uninstalled. If not or having problems at least clear data storage as well)
- reboot (can also go into TWRP and wipe cache/Dalvik, not sure if necessary)
- install Hub, don't open it
- open Magisk, go to Magisk Hide: click Hub
(- close Magisk)
(- reboot)
- open Hub, let setup run its course creating the work profile
- if there are conflicts showing in Hub (and/or on your employer's MDM website for your device), e.g. root certificate not installed, don't install any apps yet such as Boxer etc. and reboot instead
- Are those conflicts resolved after reboot?
- install Boxer and other apps (trough Hub itself, MDM website push (or Google Play)) but don't open/start them
(- reboot)
- open Magisk, go to Settings\Hide Magisk Manager and click on it, pick a name and confirm: this will then change the name of Magisk AND create a another Magisk app (with the new name) for the work profile.
- open that new Magisk work profile and go to Magisk Hide: click Boxer (and other apps controlled by Hub); Hub itself and everything already hidden in the private (= non-work) profile Magisk app should show up here as already hidden. Double and triple check.
(- reboot)
- open Boxer and start set-up
That's it. Stable, even after another reboot.
Did this solution work for you @s0l1dsn8k3?
I am in a similar boat. @s0l1dsn8k3 please let me know if you found an alternate solution.
I am in a similar boat. @s0l1dsn8k3 please let me know if you found an alternate solution.
Hello,
I have installed OP 12 (C44) stock rom (BA version), then apply root with magisk v24.1.
In magisk zygisk & denylist turned on.
Now everything is fine I have root but google pay doesn't work so...
I'm installing https://github.com/kdrag0n/safetynet-fix, after that my dialer broke.
1) I see "no sim card" in two slots
2) Could not open settings -> mobile network (phone has no reaction, but sometimes it says "com.android.phone" stop working
Turning off safetynet-fix / zygisk doesn't help.
Only when I flash whole rom again - it work, but I lost all SMS & phones.
The plus point is that safetynet test has a green light, but I could not phone by phone ))
What do I badly?
Update:
I see some logs from ADB:
Spoiler: code
Failed to open database '/data/user_de/0/com.android.providers.telephony/databases/carrierIdentification.db'.
android.database.sqlite.SQLiteCantOpenDatabaseException: Cannot open database '/data/user_de/0/com.android.providers.telephony/databases/carrierIdentification.db': Directory /data/user_de/0/com.android.providers.telephony/databases doesn't exist
you probably didn't do anything badly, i have never used any safetynet fixes as i never needed them, so i probably don't know much stuff either. Worst than that is having magisk literally destroying baseband from a32 4g that even a reflash and repartition wouldn't work
Hello can u help me.
I am currently using POCO F3, there is an APP called SHOPEE PH. and i am banned in using that app.
i want to use the app again without Reset / install new custom rom.
i tried using apps like device changer, etc that mask device info but i am still banned. is there a way to mask the device info that will look like a new fresh one.
what modules in LPosed should i check for it to work on shopee. i already did some research
I suppose it is not device banned but root prevention. You use magisk and you should in the newest version :
- hide magisk by renaming it
- activate zygisk
- activate enforce denylist
- add your app to denylist
- install universal safety net fix
- install hidepropsconf , restart and set correct fingerprint in termux
- remove cache and data of your app (and for playstore and google play services)
- restart smartfon
You should have playstore certified and your app working.
Tomek0000 said:
I suppose it is not device banned but root prevention. You use magisk and you should in the newest version :
- hide magisk by renaming it
- activate zygisk
- activate enforce denylist
- add your app to denylist
- install universal safety net fix
- install hidepropsconf , restart and set correct fingerprint in termux
- remove cache and data of your app (and for playstore and google play services)
- restart smartfon
You should have playstore certified and your app working.
Click to expand...
Click to collapse
it is really device banned https://prnt.sc/vl8iY8qU8WwT
Try using any android device ID change app, probably will work as long as you have root permission
Hi,
I installed microG Lineage 20 on my Moto G 5G Plus. Everything works fine except that one (banking) app that complains that "Google Play Services are not Installed".
I assume that means SafetyNet?
I tried to get it to work using the path depicted here: https://forum.xda-developers.com/t/safetynet-on-lineageos-20-microg.4558065/, but no luck on this phone.
Is there anyway to get safety net to pass, ideally without rooting the phone/using magisk?
EDIT: there's a switch in the microG settings "Allow Device Attestation" but it's greyed out ...
Best,
N
Ok, first of all, you have to enable "Device Registration" in the microG settings. Didn't know that.
That way, I got to the point where I can check for device attestation, and get the notorious "CTS Profile Doesn't Match" error.
I've tried using Magisk and Zygisk, and the Univesal SafetyNet fix, but to no avail, still not passing.
EDIT: tried the modded universal safety net fix by displax, not the check says "integrity check failed" ... not sure whether I sould count that as progress or not
Hi,
I had the same problem, but I found the solution and now I successfully pass safetynet with LOS 20 microG.
You have to do 3 steps:
Enable zygisk in Magisk and configure denylist to hide root from 'microG Services Core'
Enable 'Device Registration' and 'Google SafetyNet' at microG settings
Install Magisk module MagiskHidePropsConf, reboot, then configure it in any Terminal Emulator as follows:
su (start root shell)
props (run props command line tool)
1 (edit device fingerprint)
f (choose from the list)
select any fingerprint you like, then proceed and reboot
This third step solves CTS profile mismatch error by changing the device's fingerprint to one trusted by Google.
It should work.
Edit: I did not use any 'Universal SafetyNet fix' module.
Hmm ok, I have read about it but never tried, as the page states is a deprecated project ... That'd probably mean I'd have to install an older version of Magisk, right ?
Hmm... I haven't noticed yet. Good to know.
It's working fine for me with the latest Magisk version.