This guide is for "ctsProfile: false" and "basicIntegrity: true".
First download "busybox for android ndk" and "magiskhide props cofig" from magisk repo
after reboot type to adb
adb shell-su-props-1-f-18-10-y-n
and finished, reboot your phone and now safety net is completely passed
CHANGEABLE THINGS:
for another device owners
adb shell-su-props-1-f-18-<avaible devices>-y-n then reboot
At least it worked for me
mihhut said:
This guide is for "ctsProfile: false" and "basicIntegrity: true".
First download "busybox for android ndk" and "magiskhide props cofig" from magisk repo
after reboot type to adb
adb shell-su-props-1-f-18-10-y-n
and finished, reboot your phone and now safety net is completely passed
CHANGEABLE THINGS:
for another device owners
adb shell-su-props-1-f-18-<avaible devices>-y-n then reboot
At least it worked for me
Click to expand...
Click to collapse
you can also just install the SafetyPatch module in Magisk
InfinityXDA said:
you can also just install the SafetyPatch module in Magisk
Click to expand...
Click to collapse
I tried that module but it didn't work.
Im having this problem now, ive tried changing fingerprint, cts and other one fail even with magisk safetynet.
Here's a guide to help you make the most out of your phone
Guides below can be followed by both rooted and unrooted users
Debloat list: https://paste.rs/OLC
Debloating guide:
1) Download Google platform-tools (ADB and fastboot) from here for the operating system you are using on your computer, I will be using Windows for this guide, and extract the zip file to the root directory of your drive in its own folder (For example, C:\platform-tools, inside of the platform-tools folder you should see ADB and fastboot executables as well as other files).
2) On Windows, download and install the Samsung USB Drivers from here, I don't believe other OSes have to do this.
3) On your phone, go to Settings > About phone > Software information and tap Build number 7 or 8 times until you get a pop-up notification saying "Developer options have been enabled."
4) Go back out to the main Settings menu where you will notice a new option called "Developer options". Tap it and scroll down a little bit until you find USB Debugging, turn this option on and keep your phone unlocked (don't turn off the screen).
5) Plug your phone into your computer and open Command Prompt or Terminal and type cd C:\platform-tools and press Enter (Command will differ for the OS you're using).
6) Type ADB devices, give it a few moments, and check your phone for an ADB connection authorization prompt, check the box that says "always allow..." so you don't have to do this every time you want to use ADB.
7) Type ADB shell, the prompt should change from "C:\platform-tools\>" to something like "<phoneserialnumber>:/"
8) Either highlight all of these commands and paste them into the Command Prompt by right-clicking or highlight one command at a time and paste them in one by one
*************************************
Apps:
1)Naptime(Better Battery Life)
2)Galaxy Max HZ(Helps you change the refresh rate of your phone's display)
------------------------------------------------------------------------------------------------------------------------------------------
For rooted/Unlocked Devices only:
Twrp for Exynos
Kernel for Exynos
Remove Bootloader Warning(Exynos only)
Twrp for Snapdragon
Kernel for Snapdragon
*************************************
Magisk Modules:
Nuked Script: This module includes some scripts that will disable some services on all the apps on your device in order to avoid substantial wake-lock battery drain because your apps send some useless usage and information to GOOGLE and this amazing module will stop that.
Download
SAMSUNG GENERAL PATCHER: This Lets you use most Samsung apps on rooted devices
Download
Universal GMS Doze: Optimizes Google Play services.
Download
Safetynet-fix: fixes the SafetyNet.Install riru and enable magisk hide before installing this module
Download
NFS-Injector: This module aims to improve kernel/ram management between efficiency and energy-aware. Using a complex algorithm, determine the most optimal settings between battery and performance for your device.
Download
Telegram Group link if you need help: http://t.me/S20FeModding
If you are on an AOSP based ROM like ArrowOS you may have noticed that with ReVanced Manager installed for primary and secondary user, installing YouTube on secondary user doesn't work.
I found a way to do this properly. There might be better ways, let me know in case:
Check ReVanced-Patches Github Repo under com.google.android.youtube expand Details and see which Target Version most patches are for (example: 17.49.37)
Download the YouTube apk with exactly this version (example: 17.49.37) from apkmirror onto your tablet
Download latest ReVanced MicroG apk onto your computer (for example to C:\Temp)
On your primary user-account, install and open ReVanced Manager and select the downloaded youtube apk to patch, then install
Since I couldn't find where ReVanced Manager stores the patched Revanced youtube apk temporarily, I copy it after it's installed, from the installed apps folder. To do this use MixPlorer or any other file explorer app that allows to copy installed apps, and copy the patched ReVanced Youtube apk to your tablets download folder, then copy it to your computer (for example to C:\Temp)
Uninstall revanced youtube from your tablet (also revanced microG shouldn't be installed)
Download and extract android platform-tools to for example C:\platform-tools\
Enable USB debugging in the 1st user's developer settings, connect the tablet to the PC
Switch to 2nd user
Open cmd/terminal, navigate to C:\platform-tools\ and enter: adb.exe devices No device will be listed, or your device will show unauthorized, that's normal
Switch to 1st user. enter again: adb.exe devices There will be a USB authorization dialog pop up on the tablet's screen. Select "always" authorize.
Switch to 2nd user. Run the command adb.exe install <drag n drop revanced youtube apk file here> for example: adb.exe install "C:\Temp\YouTube ReVanced_17.49.37.apk" and hit enter
Do the same with Vanced microG that you downloaded in step 3.: adb.exe install <drag n drop vanced microg apk file here> for example: adb.exe install "C:\Temp\microg.apk"
Now, the apps should be installed both in the 2nd user and 1st user account
If u don't want that app in 1st user, you can switch to the 1st user and uninstall it there. That app in 2nd user should remain untouched
Google Pixel Watch Root Guide using Magisk
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
ReadmeNote that this rooting process was performed with a special USB-C cradle provided by the Google Team. I would not recommend flashing the device without a stable connection to the pins under the wrist strap. I might attempt to make a 3D printed enclosure that uses pogo pins. Additionally, this process will wipe the device.
Rooting Process
Enable developer options on the watch by going to Settings > System > About > Versions > Tap Build number until you unlock developer mode
While here, note down the Build Number. It will look like RWD9.XXXXXX.XXX.XX.
Go into Developer options and enable ADB debugging
Install the latest version of ADB and Fastboot tools on a computer
https://developer.android.com/tools/releases/platform-tools
Connect watch to computer using USB and allow permanent ADB debugging access on the watch
Verify your access works by running
Code:
adb devices
Download the appropriate (LTE or Bluetooth/WIFI) firmware at the link below, making sure to download the version that matches the build number from Step 2.
Factory Images for Google Pixel Watch Devices | Google Play services | Google for Developers
developers.google.com
Verify the checksum of downloaded firmware using
Code:
sha256sum name-of-firmware.zip
Unzip the downloaded zip, then unzip the image-rXX zip inside the original zip. Then, transfer the boot.img file to the watch using
Code:
adb push boot.img /sdcard/Download
Install a file manager on the watch because it does not include one by default. We will need it to select the boot.img file the Magisk app. I used File Manager TV USB OTG Cloud from the Play Store. I recommend launching the app and granting Files and media permissions all the time like it asks you to do in the popup.
Install the latest version of the Magisk APK from the Github link below on the watch by running
Code:
adb install name-of-magisk.apk
Releases · topjohnwu/Magisk
The Magic Mask for Android. Contribute to topjohnwu/Magisk development by creating an account on GitHub.
github.com
Launch the Magisk app, click Install, choose Select and Patch a File, then browse to the downloaded boot.img file
Click Let's Go and the magisk-patched boot image will be created in the Download folder
Transfer the image back to your computer using
Code:
adb pull /sdcard/Download/name-of-patched-image
Run
Code:
adb reboot bootloader
to reboot the watch into Fastboot
Verify the device shows up by using
Code:
fastboot devices
Unlock the bootloader of the watch using
Code:
fastboot flashing unlock
Confirm the message on the watch to unlock and wipe the device
Flash and boot the newly created Magisk image using
Code:
adb flash boot name-of-patched-image.img
Select Start in Fastboot to start the watch
After waiting an extremely long time, the watch will hopefully start and will need to be setup again
Reinstall the Magisk app using
Code:
adb install name-of-magisk.apk
Launch the app and it might prompt that it needs to restart the watch
To prevent the broken Superuser request popup where the grant button is off the screen, I recommend changing the Automatic Response prompt setting in the Magisk app to Grant. To change the option, swipe up on the Prompt text
With the watch started and setup, start an adb shell by running
Code:
adb shell
Then, run su to escalate to root privilege. The shell should change symbols from $ to # and running
Code:
whoami
should result in root
Bypassing SafetyNet
Download the YASNAC - SafetyNet Checker APK from GitHub:
Releases · RikkaW/YASNAC
Yet Another SafetyNet Attestation Checker. Contribute to RikkaW/YASNAC development by creating an account on GitHub.
github.com
Install it on the watch using
Code:
adb install name-of-yasnac.apk
(Optional) Open the app and run the SafetyNet Attestation to verify your device fails
Download the SafetyNet Fix Magisk module from GitHub:
Releases · kdrag0n/safetynet-fix
Google SafetyNet attestation workarounds for Magisk - kdrag0n/safetynet-fix
github.com
Transfer it to watch using
Code:
adb push safetynet-fix-v2.4.0.zip /sdcard/Download
Start an adb shell with the watch using
Code:
adb shell
Elevate to root privileges with
Code:
su
Install the module with
Code:
magisk --install-module /sdcard/Download/safetynet-fix-v2.4.0.zip
Once installed, restart your watch
Now, run YASNAC SafetyNet Attestation again, and you should pass!
Interfacing with the USB PinsThe USB pins are under the watch band closest to the secondary button. From left to right, the pins are voltage, data+, data-, and ground. Google's VRP program provides the watch cradles by invitation only (still waiting for mine ). As such, a DIY solution needs to be created to make this process more accessible.
Picture courtesy of @ShinyQuagsireThe most reliable solution I can think of currently is using PCBite SP10 probes to connect to the USB pins. Once I get my PCBite, I will post a setup picture.
Another solution I'm going to try is inserting pogo pins into a replacement silicone watch band to connect to the USB pins.
Similarly, the pins have a 1.27mm spacing which you can find headers for online. That in combination with some helping hands could give a somewhat janky connection.
Troubleshooting
If booting the Magisk image results in a bootloop, you can unbrick the device by flashing the corresponding stock boot.img image using
Code:
adb flash boot boot.image
If Magisk doesn't see the file, try doing the following to your file browser app:
Settings > Apps & Notifications > App permissions > Files and media > AppName > Allow all the time
Tips
You can get into FastBoot mode by tapping on the top left and bottom right of the screen at the same time as the device is booting when the white "G" logo appears.
Wireless debugging allows you to do almost all of this guide except booting the patched boot.img file in Magisk. To enable wireless debugging, go to Settings > Developer options > Check Debug over Wi-Fi. Then, in developer options still, go to Wireless debugging and turn it on. From here, you can connect to your watch remotely from your PC using
Code:
adb connect watchip
ThanksHuge thanks to Asmita Jha (Twitter @aj_0x00) who was there during the first 2 days of the rooting attempts and helped troubleshoot throughout. Additionally, big thanks to Stack Smashing (Twitter @ghidraninja) for giving us the idea to patch the Magisk file on the watch itself, instead of patching the boot image on another device running Magisk. Additionally, thanks to the Google team who gave us access to device and the prototype cradles to interface with the watch reliably.
Future PlansTo make the process more accessible, a cheap interfacing solution needs to be created. Please reach out if have any questions, concerns, or information that would make the process easier. You can find me on Twitter @breaddisease
https://twitter.com/breaddisease
Thanks!
This is awesome!
Now we just need a way to source that craddle or design one.
Does Rooting it break the Google Pay functionality or SafetyNet (if it has one) ?
KineSight said:
Does Rooting it break the Google Pay functionality or SafetyNet (if it has one) ?
Click to expand...
Click to collapse
I'm unsure about this so far! Both of my phones don't work with the Google Pixel Watch app (degoogled OP7P and old S8+) so I can't setup my Google account with the watch to use Google Wallet. Additionally, I can't install a SafetyNet checker without the USB cradle I'll get back to you if I figure something out!
How did you get the file manager to show the .img file? I installed the same file manager, pushed the file via adb, but the file manager can't see any .img files. I tried renaming it to 'boot.jpg', pushed that, the file manager sees it, but then Magisk fails with unknown/unsupported image type.
ClarkIV said:
How did you get the file manager to show the .img file? I installed the same file manager, pushed the file via adb, but the file manager can't see any .img files. I tried renaming it to 'boot.jpg', pushed that, the file manager sees it, but then Magisk fails with unknown/unsupported image type.
Click to expand...
Click to collapse
You might need to allow the app Files and media permissions all the time, like this:
Settings > Apps & Notifications > App permissions > Files and media > AnExplorer > Allow all the time
KineSight said:
Does Rooting it break the Google Pay functionality or SafetyNet (if it has one) ?
Click to expand...
Click to collapse
I fail SafetyNet without the Universal SafetyNet Fix Magisk Module. However, I was able to install the SafetyNet Fix module with the following:
Code:
adb push safetynet-fix-v2.4.0.zip /sdcard/Download
adb shell
su
cd /sdcard/Download
magisk --install-module safetynet-fix-v2.4.0.zip
With this, I now pass SafetyNet! Still have to try Google Pay
breaddisease said:
Google Pixel Watch Root Guide using Magisk
ReadmeNote that this rooting process was performed with a special USB-C cradle provided by the Google Team. I would not recommend flashing the device without a stable connection to the pins under the wrist strap. I might attempt to make a 3D printed enclosure that uses pogo pins. Additionally, this process will wipe the device.
Rooting Process
Enable developer options on the watch by going to Settings > System > About > Versions > Tap Build number until you unlock developer mode
Go into Developer options and enable ADB debugging
Install the latest version of ADB and Fastboot tools on a computer
Connect watch to computer using USB and allow permanent ADB debugging access on the watch
Verify your access works by running
Code:
adb devices
Download the latest version of the appropriate (LTE or Bluetooth/WIFI) Google Pixel Watch OTA firmware at the link below. Note that the latest version is at the bottom of the list (thanks Google)
https://developers.google.com/android/ota-watch
Verify the checksum of downloaded firmware using
Code:
sha256sum name-of-firmware.zip
Unzip the downloaded zip, then transfer the boot.img file to the watch using
Code:
adb push boot.img /sdcard/Download
Install a file manager on the watch because it does not include one by default. We will need it to select the boot.img file the Magisk app. I used File Manager TV USB OTG Cloud from the Play Store
Install the latest version of the Magisk APK from the Github link below on the watch by running
Code:
adb install name-of-magisk.apk
Releases · topjohnwu/Magisk
The Magic Mask for Android. Contribute to topjohnwu/Magisk development by creating an account on GitHub.
github.com
Launch the Magisk app, click Install, choose Select and Patch a File, then browse to the downloaded boot.img file
Click Let's Go and the magisk-patched boot image will be created in the Download folder
Transfer the image back to your computer using
Code:
adb pull /sdcard/Download/name-of-patched-image
Run
Code:
adb reboot bootloader
to reboot the watch into Fastboot
Verify the device shows up by using
Code:
fastboot devices
Unlock the bootloader of the watch using
Code:
fastboot flashing unlock
View attachment 5925307
Confirm the message on the watch to unlock and wipe the device
Flash and boot the newly created Magisk image using
Code:
adb flash boot name-of-patched-image.img
Select Start in Fastboot to start the watch
After waiting an extremely long time, the watch will hopefully start and will need to be setup again
Reinstall the Magisk app using
Code:
adb install name-of-magisk.apk
Launch the app and it might prompt that it needs to restart the watch
With the watch started and setup, start an adb shell by running
Code:
adb shell
Then, run su to escalate to root privilege. The shell should change symbols from $ to # and running
Code:
whoami
should result in root
View attachment 5925313Bypassing SafetyNet
Download the YASNAC - SafetyNet Checker APK from GitHub:
Releases · RikkaW/YASNAC
Yet Another SafetyNet Attestation Checker. Contribute to RikkaW/YASNAC development by creating an account on GitHub.
github.com
Install it on the watch using
Code:
adb install name-of-yasnac.apk
(Optional) Open the app and run the SafetyNet Attestation to verify your device fails
Download the SafetyNet Fix Magisk module from GitHub:
Releases · kdrag0n/safetynet-fix
Google SafetyNet attestation workarounds for Magisk - kdrag0n/safetynet-fix
github.com
Transfer it to watch using
Code:
adb push safetynet-fix-v2.4.0.zip /sdcard/Download
Start an adb shell with the watch using
Code:
adb shell
Elevate to root privileges with
Code:
su
Install the module with
Code:
magisk --install-module /sdcard/Download/safetynet-fix-v2.4.0.zip
Once installed, restart your watch
Now, run YASNAC SafetyNet Attestation again, and you should pass!
Troubleshooting/Tips
If booting the Magisk image results in a bootloop, you can unbrick the device by flashing the corresponding stock boot.img image using
Code:
adb flash boot boot.image
Additionally, you can get into FastBoot mode by tapping on the top left and bottom right of the screen at the same time as the device is booting and the white "G" logo appears.
If Magisk doesn't see the file, try doing the following to your file browser app:
Settings > Apps & Notifications > App permissions > Files and media > AppName > Allow all the time
Wireless debugging allows you to do almost all of this guide except booting the patched boot.img file in Magisk. To enable wireless debugging, go to Settings > Developer options > Check Debug over Wi-Fi. Then, in developer options still, go to Wireless debugging and turn it on. From here, you can connect to your watch remotely from your PC using
Code:
adb connect watchip
ThanksHuge thanks to Asmita Jha (Twitter @aj_0x00) who was there during the first 2 days of the rooting attempts and helped troubleshoot throughout. Additionally, big thanks to Stack Smashing (Twitter @ghidraninja) for giving us the idea to patch the Magisk file on the watch itself, instead of patching the boot image on another device running Magisk. Additionally, this wouldn't be possible without the help of the Google team who gave us access to device and the prototype cradles to interface with the watch reliably. Huge thanks to everyone running Hardwear.io this year where this method was discovered during the Hardpwn hardware hacking contest.
Future PlansTo make the process more accessable, a cheap interfacing solution needs to be created. My idea is to 3D print an enclosure and use pogo pins. Please reach out if have any questions, concerns, or information that would make the process easier. You can find me on Twitter @breaddisease
https://twitter.com/breaddisease
Thanks!
Click to expand...
Click to collapse
Cool
breaddisease said:
You might need to allow the app Files and media permissions all the time, like this:
Settings > Apps & Notifications > App permissions > Files and media > AnExplorer > Allow all the time
Click to expand...
Click to collapse
Thanks! That was it. Now the computer just refuses to recognize it as a fastboot device. It recognizes it with the watch fully on, so I know my wiring and pins are correct.
ClarkIV said:
Thanks! That was it. Now the computer just refuses to recognize it as a fastboot device. It recognizes it with the watch fully on, so I know my wiring and pins are correct.
Click to expand...
Click to collapse
Nice, good to hear! What's the output of
Code:
sudo fastboot devices
Or, if you're on Windows, an elevated terminal with
Code:
fastboot devices
Y'all realize that we already managed to root the watch a long time ago? https://forum.xda-developers.com/t/pixel-watch-successfully-bootloader-unlocked.4508253/
A lot of questions are also answered there.
Yes, it breaks safetynet. You can install this magisk module to get it back.
KineSight said:
Does Rooting it break the Google Pay functionality or SafetyNet (if it has one) ?
Click to expand...
Click to collapse
Tiebe said:
Y'all realize that we already managed to root the watch a long time ago? https://forum.xda-developers.com/t/pixel-watch-successfully-bootloader-unlocked.4508253/
A lot of questions are also answered there.
Click to expand...
Click to collapse
I was not aware that it had been done already! Thanks for the info! I thought I was the first
breaddisease said:
I was not aware that it had been done already! Thanks for the info! I thought I was the first
Click to expand...
Click to collapse
Sadly, no.
Another small thing: You shouldn't download the OTA zip, but the factory images. The OTA zip doesn't always have full boot image, and only a patch image (boot.img.p), which is used in the updating process for patching the current boot image to the newer version. The factory images always have a full boot image.
Other than that: great guide!
Tiebe said:
Sadly, no.
Another small thing: You shouldn't download the OTA zip, but the factory images. The OTA zip doesn't always have full boot image, and only a patch image (boot.img.p), which is used in the updating process for patching the current boot image to the newer version. The factory images always have a full boot image.
Other than that: great guide!
Click to expand...
Click to collapse
Ok, thanks! I updated step 6 and 8 accordingly.
Would it be an issue if someone flashed an un-updated watch with the latest boot.img? Like should I recommend flashing the appropriate version's boot.img, or updating to the latest version before flashing the latest boot.img? Thanks!
breaddisease said:
Ok, thanks! I updated step 6 and 8 accordingly.
Would it be an issue if someone flashed an un-updated watch with the latest boot.img? Like should I recommend flashing the appropriate version's boot.img, or updating to the latest version before flashing the latest boot.img? Thanks!
Click to expand...
Click to collapse
Always flash the boot.img of the version that you're currently on. Happy to help!
@breaddisease
I've also noticed that the safetynet module patched by Displax seems to work better in most cases than the original one by kdrag0n. The one by Displax is just a fork of the one by kdrag0n, with some changes.
breaddisease said:
Nice, good to hear! What's the output of
Code:
sudo fastboot devices
Or, if you're on Windows, an elevated terminal with
Code:
fastboot devices
Click to expand...
Click to collapse
I'm on Linux and 'sudo fastboot devices' didn't list any device. I can communicate via ADB over USB so I know the cable is working. In fastboot mode, the device doesn't show up under 'lsusb' either. I have tried USB 2 and 3 ports.
ClarkIV said:
I'm on Linux and 'sudo fastboot devices' didn't list any device. I can communicate via ADB over USB so I know the cable is working. In fastboot mode, the device doesn't show up under 'lsusb' either. I have tried USB 2 and 3 ports.
Click to expand...
Click to collapse
Are you providing it power through the left pin? Maybe its required for fastboot
breaddisease said:
Are you providing it power through the left pin? Maybe its required for fastboot
Click to expand...
Click to collapse
Yes, I am powering it. Verified by the watch showing its charging when fully booted. Were you on Linux or Windows for this? If Linux what Distro?