SELinux issue (always set to permissive) - SafetyNet fail - OnePlus 5T Questions & Answers

Hello everybody, this is my first post on XDA!
I have a OnePlus 5T previously on OxygenOS (Pie). I wiped then flashed ResurrectionRemix 7 (also Pie). Almost everything work well, Magisk needed additionnal files to work but is now OK.
But the Lineage "Trust" menu tell me that SELinux is set to permissive. And the SafetyNet does not pass (CTS Profile false, basicIntegrity OK), so I can't use my phone to pay with Google Pay anymore.
So, after hours of searching and testing solutions, I created the file "08setperm" into /etc/init.d folder, with the command "setenforce 0".
It worked, "Trust" show that SELinux is enabled but the SafetyNet check were still the same. And my fingerprints were not recognized anymore (the pression is detected but does not match). Same after setting SELinux to permissive mode as it was since ResurrectionRemix were installed. I tried to delete the saved fingerprints. Then, I was not able to use the fingers that I use before, but with another finger it was OK. I resolved the problem by deleting the folder /data/system/users/fpdata and settings_fingerprint.xml.
I'm stuck on this point, if someone know where the problem is..
(My apologies for my approximate english, i'm french)
Thank you all for taking time to read and help me

Related

Problem with Rooted Stock Rom with AirWatch

My company is now enforcing and managing BYOD with AirWatch. I'm trying to enrol my Magisk-rooted Pixel 2 XL. I've searched around XDA and other sites and I was able to enrol the phone when I use Magisk Hide to hide from the AirWatch agent, aka now the Intelligent Hub. It creates a Work profile and installed several work related apps. The only other app aside from Intelligent Hub I've tested so far is Boxer and it works for the few minutes during my test.
When I say Boxer works for a few minutes, that is because next I attempted to open Workspace One. As it loads, I'm guessing it checks other details about the phone, then it would popup a message saying Work apps and profile removing because the device is "compromised" and uninstall the work apps and Word profile.
I would like to use Magisk Hide and hide from Workspace One app, but Magisk Hide doesn't even list that and other apps in the Work profile. An admin at work checked the AirWatch server and it shows the device compromised detection with the status "Malicious file found - Check files in system or exec folder".
So my question is, outside of troubleshooting step by step from wiping phone and setting up each thing from scratch, anyone else have an insight on what else I can check?
FYI, these are the following setup I have on my phone
- Pixel 2 XL
- Rooted with latest version of Magisk and Manager
- Latest Pie 9.0 Aug 2019 Update
- Magisk Modules Installs: Busybox, Viper4Android
- Apps with Root Access: AdAway, BetterBatteryStats, Franco Kernel Manager, Material Terminal, Titanium Backup
s0l1dsn8k3 said:
My company is now enforcing and managing BYOD with AirWatch. I'm trying to enrol my Magisk-rooted Pixel 2 XL. I've searched around XDA and other sites and I was able to enrol the phone when I use Magisk Hide to hide from the AirWatch agent, aka now the Intelligent Hub. It creates a Work profile and installed several work related apps. The only other app aside from Intelligent Hub I've tested so far is Boxer and it works for the few minutes during my test.
When I say Boxer works for a few minutes, that is because next I attempted to open Workspace One. As it loads, I'm guessing it checks other details about the phone, then it would popup a message saying Work apps and profile removing because the device is "compromised" and uninstall the work apps and Word profile.
I would like to use Magisk Hide and hide from Workspace One app, but Magisk Hide doesn't even list that and other apps in the Work profile. An admin at work checked the AirWatch server and it shows the device compromised detection with the status "Malicious file found - Check files in system or exec folder".
So my question is, outside of troubleshooting step by step from wiping phone and setting up each thing from scratch, anyone else have an insight on what else I can check?
FYI, these are the following setup I have on my phone
- Pixel 2 XL
- Rooted with latest version of Magisk and Manager
- Latest Pie 9.0 Aug 2019 Update
- Magisk Modules Installs: Busybox, Viper4Android
- Apps with Root Access: AdAway, BetterBatteryStats, Franco Kernel Manager, Material Terminal, Titanium Backup
Click to expand...
Click to collapse
The following works but I am not sure if all the steps are crucial and which ones may be superfluous. Those instructions in (parentheses) may be not necessary).
I am not a programmer (Basic on a C-64 doesn't count, I take it), don't know anything about computer architectures etc., just able to follow instructions and wrap my mind around them to tweak my devices.
The main part is to "Hide Magisk Manager" after Boxer is installed (but before it is opened/setup) as that also creates another Magisk app (instance?) with the new name for the work profile where Boxer etc. show up and can be hidden with Magisk Hide.
The other (first) part is to hide anything that would alert and conflict with Hub before or during setting up the work profile - I pretty much hid everything under Magisk Hide...
I don't know BYOD nor Workspace One, so the solution below may not work.
- uninstall Hub (that's the only app remaining after the auto-uninstall, right?)
- if Magisk Manager is already hidden: go to Settings\Restore Magisk Manager "with original package and app names" - that seems to be important, as hiding it later and with another name will then also create a Work Profile where one can see and click and hide the work profile apps such as Boxer (not sure if it works the other way around, i.e. starting off hidden with a different name and then later restoring to original will create a Magisk work profile)
- Magisk Hide: click almost every system app, not just the Google ones, but almost everything, camera, calendar, contacts etc. and your phone maker's versions as well (not sure what is necessary, but only Google system apps didn't seem to do it...), also all root and SU related apps like BusyBox etc. (not sure what Hub looks for)
(- System\Apps > clear storage data for Google Play Store and other Play Apps, also make sure Hub is really uninstalled. If not or having problems at least clear data storage as well)
- reboot (can also go into TWRP and wipe cache/Dalvik, not sure if necessary)
- install Hub, don't open it
- open Magisk, go to Magisk Hide: click Hub
(- close Magisk)
(- reboot)
- open Hub, let setup run its course creating the work profile
- if there are conflicts showing in Hub (and/or on your employer's MDM website for your device), e.g. root certificate not installed, don't install any apps yet such as Boxer etc. and reboot instead
- Are those conflicts resolved after reboot?
- install Boxer and other apps (trough Hub itself, MDM website push (or Google Play)) but don't open/start them
(- reboot)
- open Magisk, go to Settings\Hide Magisk Manager and click on it, pick a name and confirm: this will then change the name of Magisk AND create a another Magisk app (with the new name) for the work profile.
- open that new Magisk work profile and go to Magisk Hide: click Boxer (and other apps controlled by Hub); Hub itself and everything already hidden in the private (= non-work) profile Magisk app should show up here as already hidden. Double and triple check.
(- reboot)
- open Boxer and start set-up
That's it. Stable, even after another reboot.
Did this solution work for you @s0l1dsn8k3?
I am in a similar boat. @s0l1dsn8k3 please let me know if you found an alternate solution.
I am in a similar boat. @s0l1dsn8k3 please let me know if you found an alternate solution.

Question Magisk-safety net verification error / Google pay

I can't use a credit card via google pay. Google pay writes that I have a root device even though it is marked in magisk in exceptions.
Magisk show - safety net verification error.
Please help.
Thanks
jkmaxfli said:
I can't use a credit card via google pay. Google pay writes that I have a root device even though it is marked in magisk in exceptions.
Magisk show - safety net verification error.
Okrasné help.
Thanks
Click to expand...
Click to collapse
You have to hide it fully in magisk. And then reboot
Are you using stock rom? Or any other custom rom? If you can't pass safetynet, Magisk hide doesn't "hide", so we have to locate the error.
I using Stock Rom.
Fully hide, reboot And nothing change.
Flash magisk module and you will be ok
https://github.com/kdrag0n/safetynet-fix/releases/download/v1.1.1/safetynet-fix-v1.1.1.zip
In Google Play:
Certification play protect - the device is not certified.
what should I do with it now
hexisg said:
Flash magisk module and you will be ok
https://github.com/kdrag0n/safetynet-fix/releases/download/v1.1.1/safetynet-fix-v1.1.1.zip
Click to expand...
Click to collapse
Thanks ill try it
after flashing the module test your safetunet status.
after clear data of Goole Play Store , google Services and google Pay.And you should be good to use Google Pay.
Safety net is successful, Google play is also successful, but the payment card cannot be added - error:
request failed - transaction could not be performed. When adding a credit card.
Edit:
...the current credit card cannot be removed, it is said to be associated with some one payment method. I wanted to try removing it completely and signing in again. :-(
jkmaxfli said:
Safety net is successful, Google play is also successful, but the payment card cannot be added - error:
request failed - transaction could not be performed. When adding a credit card.
Edit:
...the current credit card cannot be removed, it is said to be associated with some one payment method. I wanted to try removing it completely and signing in again. :-(
Click to expand...
Click to collapse
Try deleting all data a of Google Play Services and Google Pay app, restart the phone, and try if you u can do it now
I tried that, unfortunately no change.
Try this:
Working: Magisk with Google Pay as of gms 17.1.22 on Pie
Ok. I tried this and it worked on gms 17.1.22, allowing one to add cards and pay in store. Warning YMMV, but this is the process I did to get this working. One caveat is that I suspect users will have to reverse some step if gms is updated and...
forum.xda-developers.com
Release GPay SQLite Fix v2.4 · stylemessiah/GPay-SQLite-Fix
Changes to service.sh: -Fixed broken/mangled pipes that left the log file blank - dont ask me why If you need logging (only useful if youre having an issue and want to troubleshoot) you can choose ...
github.com
UnderscoreKer said:
Try this:
Working: Magisk with Google Pay as of gms 17.1.22 on Pie
Ok. I tried this and it worked on gms 17.1.22, allowing one to add cards and pay in store. Warning YMMV, but this is the process I did to get this working. One caveat is that I suspect users will have to reverse some step if gms is updated and...
forum.xda-developers.com
Release GPay SQLite Fix v2.4 · stylemessiah/GPay-SQLite-Fix
Changes to service.sh: -Fixed broken/mangled pipes that left the log file blank - dont ask me why If you need logging (only useful if youre having an issue and want to troubleshoot) you can choose ...
github.com
Click to expand...
Click to collapse
Dont work :-(
So for now, to sum it up:
magisk safety net is pass-ok.
In magisk I have two fix modules (screenshots) and google pay adding a credit card still not working. Still error OR-TAPSH-08.
I also read on the net that it helped someone wait 1 day and then the payment card went to add.
Next:
when I run clean and select the security check, it turns out to me that there is a problem in the payment environment.(screenshots)
jkmaxfli said:
Dont work :-(
So for now, to sum it up:
magisk safety net is pass-ok.
In magisk I have two fix modules (screenshots) and google pay adding a credit card still not working. Still error OR-TAPSH-08.
I also read on the net that it helped someone wait 1 day and then the payment card went to add.
Next:
when I run clean and select the security check, it turns out to me that there is a problem in the payment environment.(screenshots)
Click to expand...
Click to collapse
Not trying to be mean or anything but, have you enabled magisk hide?
Uninstall universal safety net fix first and restart.
IMPORTANT: Make sure that you are running the latest version of magisk.
Make sure hide is on and you have selected all core Google services and gpay.
Then install magiskhide props config and restart.
Install an command terminal from the play store and type "props". You may have to enter "su" first.
Type "1" then “f”
Then follow the steps to select your phone model.
Then apply the fingerprint and restart.
If you cannot find your phone model, then ignore this step.
Go into magisk settings and click on the option to hide the magisk app. The app should reinstall itself under the "settings" name.
Restart again.
Then, turn data and WiFi off, go into settings and clear the storage/data of all Google apps and especially Google play services. Then just reflash the gpay fix (DON'T RESTART). Turn connection back on and try to add your cards as well as any nfc setup for those cards.
Then restart your phone.
Then go into Google play store, and into settings, and ensure that the device is certified.
This allowed me to get gpay working, however, I'm running a custom rom though.
You may want to carry your cards physically in case the phone doesn't work for the first month or so.
Hello.
I have a magisk hide.
For the item google services framework, if I check, after leaving and re-entering the already checked google services framework is not, the check mark does not hold.(screenshot)
jkmaxfli said:
Hello.
I have a magisk hide.
For the item google services framework, if I check, after leaving and re-entering the already checked google services framework is not, the check mark does not hold.(screenshots)
Click to expand...
Click to collapse
Hi, sorry, I had to edit my reply several times.
Just enable them all just in case. For the 2nd screenshot, enable the hide thing. I have it enabled so the option says to restore it.
For the services framework bugthing, ignore it. The gpay fix was the one that added it. Just expand it and ensure its on
I'll try it all, thank you. I'll get back to you today
I'm tangled in it, you wrote a lot. Please send me one more steps 1 to ..... Thank you very much
!!!!!!!!!!!!!!!!!!!!!!!!! Dude, you're really a giant, it all works !!!!!!!!!!!!!!!!!!!!!!!
Safety net in magisk PASS.
Google play store - device is certified.
Credit card added successfully.
Tomorrow I will try payment using a mobile phone and NFC and see if it is fully functional.
I'll let you know tomorrow if the payments are working.
BIG BIG thanks

Question [LOGS] NO SIM CARD after apply safetynet-fix

Hello,
I have installed OP 12 (C44) stock rom (BA version), then apply root with magisk v24.1.
In magisk zygisk & denylist turned on.
Now everything is fine I have root but google pay doesn't work so...
I'm installing https://github.com/kdrag0n/safetynet-fix, after that my dialer broke.
1) I see "no sim card" in two slots
2) Could not open settings -> mobile network (phone has no reaction, but sometimes it says "com.android.phone" stop working
Turning off safetynet-fix / zygisk doesn't help.
Only when I flash whole rom again - it work, but I lost all SMS & phones.
The plus point is that safetynet test has a green light, but I could not phone by phone ))
What do I badly?
Update:
I see some logs from ADB:
Spoiler: code
Failed to open database '/data/user_de/0/com.android.providers.telephony/databases/carrierIdentification.db'.
android.database.sqlite.SQLiteCantOpenDatabaseException: Cannot open database '/data/user_de/0/com.android.providers.telephony/databases/carrierIdentification.db': Directory /data/user_de/0/com.android.providers.telephony/databases doesn't exist
you probably didn't do anything badly, i have never used any safetynet fixes as i never needed them, so i probably don't know much stuff either. Worst than that is having magisk literally destroying baseband from a32 4g that even a reflash and repartition wouldn't work

Soft reboot after screen unlock PIN entry

A rooted FP4 running stock 11 is performing a soft reboot after entering the initial PIN for screen unlocking right after unlock the SIM. Logs are inconclusive apart from from a few Java exceptions (mostly NFC-related and one systemui-related (om.android.systemui.statusbar.phone.LockIcon.getIcon(LockIcon.java:174)).
This happens with both Nova Launcher and Quickstep.
Used Magisk mods:
Busybox for Android NDK,
Magiskhide Props Config,
SQLite3 Universal Binaries,
Riru,
Universal SafetyNet Fix.
The last two mods are disabled because of an enabled Zygisk feature.
Removing the SIM doesn’t make a difference. And neither did restarting the device in SafeMode (per the instructions at https://support.fairphone.com/hc/en-us/articles/360048843571-FP3-Safe-mode ).
Any hints even for further root cause analysis never mind solutions are highly appreciated. I can provide more info if required - just let me know. Please also let me know if this is not the right forum for posting such a thread is this may indicate a general Android issue.

MicroG Lineage 20 - Anyone managed to get SafetyNet passing ?

Hi,
I installed microG Lineage 20 on my Moto G 5G Plus. Everything works fine except that one (banking) app that complains that "Google Play Services are not Installed".
I assume that means SafetyNet?
I tried to get it to work using the path depicted here: https://forum.xda-developers.com/t/safetynet-on-lineageos-20-microg.4558065/, but no luck on this phone.
Is there anyway to get safety net to pass, ideally without rooting the phone/using magisk?
EDIT: there's a switch in the microG settings "Allow Device Attestation" but it's greyed out ...
Best,
N
Ok, first of all, you have to enable "Device Registration" in the microG settings. Didn't know that.
That way, I got to the point where I can check for device attestation, and get the notorious "CTS Profile Doesn't Match" error.
I've tried using Magisk and Zygisk, and the Univesal SafetyNet fix, but to no avail, still not passing.
EDIT: tried the modded universal safety net fix by displax, not the check says "integrity check failed" ... not sure whether I sould count that as progress or not
Hi,
I had the same problem, but I found the solution and now I successfully pass safetynet with LOS 20 microG.
You have to do 3 steps:
Enable zygisk in Magisk and configure denylist to hide root from 'microG Services Core'
Enable 'Device Registration' and 'Google SafetyNet' at microG settings
Install Magisk module MagiskHidePropsConf, reboot, then configure it in any Terminal Emulator as follows:
su (start root shell)
props (run props command line tool)
1 (edit device fingerprint)
f (choose from the list)
select any fingerprint you like, then proceed and reboot
This third step solves CTS profile mismatch error by changing the device's fingerprint to one trusted by Google.
It should work.
Edit: I did not use any 'Universal SafetyNet fix' module.
Hmm ok, I have read about it but never tried, as the page states is a deprecated project ... That'd probably mean I'd have to install an older version of Magisk, right ?
Hmm... I haven't noticed yet. Good to know.
It's working fine for me with the latest Magisk version.

Categories

Resources