How to sign Lineage for AVB? (Can't pass SafetyNet) - Google Pixel XL Questions & Answers

I upgraded to official Lineage 17.1 after holding out from Oreo for a while. Everything is working perfectly, except for passing SafetyNet. CTSprofile continues to return false. After reading about the new security enhancements put into SafetyNet, I searched for a method to sign ROMs so that they would pass dm-verity and be safe to lock the bootloader, but I can't find anyone who has done it for recent ROMs.
How does one sign a custom ROM so that they can pass the bootloader's checks?
Can a Verizon Pixel that's been unlocked with the workaround be unlocked after it has been locked on a custom ROM?
Is it possible to use further tweaks on a signed and locked ROM (e.g. Magisk, modules, etc.)?

It will not be possible.

Related

SafetyNet / Android Pay Failure

Hello, I am having an issue with my wife's Robin. The phone is completely stock other than an unlocked bootloader and unencrypted storage. System, boot, recovery, kernel, etc. are all stock and no root. I have even wiped the system partition and reflashed the system.img for good measure. The device is failing SafetyNet checks, however. This means Android Pay is not working and displays the following error. "Android Pay can't be used on this device. This may be because your device is rooted, has an unlocked bootloader, or is running a custom ROM. As a result, Google can't confirm that your device meets Android Pay's security standards." Does anyone else with ONLY an unlocked bootloader have the same issue? Could lack of encryption have anything to do with it? I am puzzled. I have an old Nexus 5 with an unlocked bootloader, rooted, with no encryption and I am still able to toggle root and pass SafetyNet checks. Anyone else have a similar issue? If this is the case, she might as well have root and the advantages (as well as the potential hazards) that come with it.
Your wife's Robin has an unlocked bootloader and you had to patch the kernel (boot.img) if she is still running stock OS.
This is enough to trigger SafetyNet. If you want to pass SafetyNet again I suggest you go back to full stock or you flash Magisk
( https://forum.xda-developers.com/apps/magisk ) and the phh supersu module. Then you could activate Magisk Hide in the settings and you will pass SafetyNet. That's what I am doing to play Pokemon Go.
flyfire04 said:
Your wife's Robin has an unlocked bootloader and you had to patch the kernel (boot.img) if she is still running stock OS.
This is enough to trigger SafetyNet. If you want to pass SafetyNet again I suggest you go back to full stock or you flash Magisk
( https://forum.xda-developers.com/apps/magisk ) and the phh supersu module. Then you could activate Magisk Hide in the settings and you will pass SafetyNet. That's what I am doing to play Pokemon Go.
Thanks for the response and link. I ran the OEM unlock command and have since flashed the boot.img from the official Nextbit factory images. So unless that boot.img is itself patched, then I should be stock (other than the unlocked bootloader of course). That is likely the issue, but I want to see if anyone else who is stock with an unlocked bootloader has the same issue.
Then read this: https://www.xda-developers.com/sult...otloader-check-on-latest-cm13-builds-for-op3/
Then you will understand that an unlocked bootloader by itself can trigger SafetyNet. Magisk removes the verified boot flag.
Another easy solution is to just lock the bootloader using the oem lock command. This will not wipe the device like unlocking does.
So to be clear, my choices to get SafetyNet to pass are to:
OEM lock thus returning to complete stock or
Flash a modified kernel to suppress the bootloader unlocked flag or
Flash Magisk and phh root and activate Magisk hide
If I do the last option, do I also need a modified kernel or will this hide the bootloader unlock status from SafetyNet with the stock kernel? Thanks for the feedback.

How can SafetyNet be passed with Oneplus3 and signed LineageOS

One benefit of signed and non-rooted LineageOS would be the ability to pass the SafetyNet test. But now my phone is still not passing the SafetyNet test. Some suggestions would be that the unlocked bootloader is the culprit that is making the test fail.
I want to ask:
1. How can SafetyNet be passed with Oneplus3 and signed LineageOS?
2. If locking the bootloader is inevitable, is it possible to lock the bootloader with TWRP recovery?
3. If stock recovery is needed for locking the bootloader, do LineageOS updates work with stock recovery?
Thanks in advance!
Hazuki Amamiya said:
One benefit of signed and non-rooted LineageOS would be the ability to pass the SafetyNet test. But now my phone is still not passing the SafetyNet test. Some suggestions would be that the unlocked bootloader is the culprit that is making the test fail.
I want to ask:
1. How can SafetyNet be passed with Oneplus3 and signed LineageOS?
2. If locking the bootloader is inevitable, is it possible to lock the bootloader with TWRP recovery?
3. If stock recovery is needed for locking the bootloader, do LineageOS updates work with stock recovery?
Thanks in advance!
Never needed to pass SafetyNet, but I think some of the custom kernels have a flag to mask the unlocked bootloader. Maybe Magisk would work, but that would root. And as far as I know, anytime you unlock your bootloader it would wipe data; that would get old flashing nightlies!
Nevermindthelabel said:
Never needed to pass SafetyNet, but I think some of the custom kernels have a flag to mask the unlocked bootloader. Maybe Magisk would work, but that would root. And as far as I know, anytime you unlock your bootloader it would wipe data; that would get old flashing nightlies!
Thanks for your reply. I have some bank apps that require the SafetyNet be passed so I need to find a way. I know Xposed/Magisk will work but I wish to find a way not requiring 3rd party (hacking) software.
I am aware that locking/unlocking the bootloader would wipe data, so I am thinking of locking the bootloader with the latest TWRP and never unlocking again. I am just not sure if it is possible to do so, and I am not sure whether, after the bootloader is locked, I can go back to TWRP for a LineageOS upgrade.
I have no spare phone for testing, so hopefully I can get answers from here before I do anything risky.

Safetynet

If I were to unlock my bootloader, flash unmodified 8.1 dev preview and relock the bootloader, would I be able to pass safetynet? Or does unlocking the bootloader mean I'll permanently need to find workarounds no matter what I do afterwards?
Magisk rooting hides that. I can confirm that it works all the way up to November security patch. Look at the developer forum for more information.
TheSt33v said:
If I were to unlock my bootloader, flash unmodified 8.1 dev preview and relock the bootloader, would I be able to pass safetynet?
Yes.
I have a related question. Is locking the bootloader even necessary? I thought having an unrooted rom on an unlocked bootloader phone passes safetynet?
Hobox10 said:
I have a related question. Is locking the bootloader even necessary? I thought having an unrooted rom on an unlocked bootloader phone passes safetynet?
Safetynet checks for Bootloader Status, unlocked doesn't pass.
Hobox10 said:
I have a related question. Is locking the bootloader even necessary? I thought having an unrooted rom on an unlocked bootloader phone passes safetynet?
Custom roms often make changes at the kernel level to block safetynet's ability to check the bootloader status, which makes it pass (for now). Magisk also hides bootloader unlock status from safetynet. So there are workarounds.

CTS fail right after flash-all

My Pixel 2 XL running on DP2 passed the CTS test with no problem. I could use Google Pay normally (with Magisk v16.4).
Today I updated to DP3 with the factory image (flash-all with wipe), but CTS profile match failed...
I tried to downgrade to Oreo Jun with the factory image (flash-all with wipe), and CTS profile match still failed...
No TWRP, no Magisk, no Xposed. Tested right after initial configuration (Google account, etc.). The only app installed is the CTS test app. Android Pay refused to add a credit card, complaining about the device being rooted.
My 2 XL is OEM unlocked (had always been since I got it months ago)...
Any idea?
Answering my own question:
I tried lock bootloader --> CTS pass
unlock bootloader --> CTS fail... (However, before, my bootloader was always unlocked and CTS passed)
It seems DP3 needs the bootloader to be locked to pass CTS profile... Anyone notice a similar issue?
lssong99 said:
Answering my own question:
I tried lock bootloader --> CTS pass
unlock bootloader --> CTS fail... (However, before, my bootloader was always unlocked and CTS passed)
It seems DP3 needs the bootloader to be locked to pass CTS profile... Anyone notice a similar issue?
You always need to have the bootloader locked, or install a custom kernel like Flash if the bootloader is unlocked, to pass SafetyNet.
ram4ufriends said:
You always need to have the bootloader locked, or install a custom kernel like Flash if the bootloader is unlocked, to pass SafetyNet.
But before DP2 (as well as Android 8 up to the May update) I always had the bootloader unlocked with Magisk and CTS profile passed (Stock, Magisked kernel)... Now CTS doesn't pass with or without Magisk...
Just a wild guess but since you wiped your device and installed from scratch did you enable Magisk Hide from the settings?
danielt021 said:
Just a wild guess but since you wiped your device and installed from scratch did you enable Magisk Hide from the settings?
Yes... I did everything that should be done....
Out of desperation, I still tried to set up a credit card in Google Pay, and the interesting thing is that although my system still failed CTS, I was able to add my credit card to Google Pay and make a payment! Really strange.....
Anyway as long as Google Pay works, really don't care about CTS status...
Thanks for all your replies...

Question Cannot lock bootloader

Hi,
I unlocked the bootloader of my OnePlus 9 Pro.
After finding out that I cannot use Google Pay anymore I wanted to lock the device again.
When using fastboot oem lock I get the message that my phone has been tampered with and it will not boot.
I tried flashing the stock ROM using payload_dumper and locking the bootloader afterward, but no success.
The only thing I can do at the moment is unlocking the bootloader and using the phone like this.
Does anyone have a solution?
Never mind, I found the solution:
-> flash the same OTA twice via local system upgrade
-> reboot into bootloader
-> fastboot oem lock
Glad you got it sorted!
That is the correct way to lock. But I am typing on a 9 Pro that has Magisk installed with GPay working flawlessly. Running 11.2.6.6
That is weird.
My GPay app would always say that my device was rooted or tampered with.
I followed the guide to install magisk.
After that I flashed a custom kernel.
Used magisk hide on gpay and my banking apps.
I even used the hide magisk app feature and I was still unable to get gpay working.
I removed magisk and still gpay would not work.
I wonder how you got it to work.
