Universal fix for Google SafetyNet on Android devices with hardware attestation and unlocked bootloaders.

Universal SafetyNet Fix

This is a universal fix for SafetyNet on devices with hardware-backed attestation and unlocked bootloaders (or custom verified boot keys). It defeats both hardware attestation and the SafetyNet CTS profile updates released in 2021. The only requirement is that you can pass basic attestation, which requires a valid combination of device and model names, build fingerprints, and security patch levels. MagiskHide is required as a result.

Passing basic attestation is out of scope for this module; this module is meant to defy hardware attestation, as well as reported "basic" attestation that actually uses hardware under the hood. Use MagiskHide Props Config to spoof your CTS profile if you have trouble passing basic attestation. This is a common issue on old devices and custom ROMs.

Android versions 7–12 are supported, including OEM skins such as Samsung One UI and MIUI. This module requires Zygisk (for Magisk Canary) or Riru (for stable Magisk).

Installation

The module must be installed using Magisk Manager, not TWRP or any other custom recovery.

Always make sure you have the latest version of the module installed before reporting any issues.

Zygisk

If you are using Magisk Canary, you need the Zygisk version of this module. Download and install the latest Zygisk version of this module from GitHub Releases.

Riru

If you are using stable Magisk, you need the Riru version of this module. Download and install the latest Riru version of this module from GitHub Releases. You will also need to install "Riru" through Magisk Manager.

How does it work?

Google Play Services opportunistically uses hardware-backed attestation to enforce SafetyNet security (since January 12, 2021), and enforces its usage based on the device model name (since September 2, 2021).

This module uses Riru to inject code into the Google Play Services process and then registers a fake keystore provider that overrides the real one. When Play Services attempts to use key attestation, the fake provider throws an exception and pretends that the device lacks support for key attestation. This causes SafetyNet to fall back to basic attestation, which is much weaker and can be bypassed with existing methods.

However, blocking key attestation alone does not suffice because basic attestation fails on devices that are known by Google to support hardware-backed attestation. This module bypasses the check by appending a space character to the device model name. This has minimal impact on UX when only applied to Google Play Services, but it's sufficient for bypassing enforcement of hardware-backed attestation.

Unlike many other approaches, this doesn't break other features because key attestation is only blocked for Google Play Services, and even within Play Services, it is only blocked for SafetyNet code. As a result, other attestation-based features (such as using the device as a security key) will still work.
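
How a relying party can tell the two evaluation modes apart, as an added example that is not part of this project's code: the SafetyNet Attestation API response payload carries an evaluationType field listing BASIC and/or HARDWARE_BACKED, so a server can require the hardware-backed measurement instead of trusting ctsProfileMatch alone. The tokens, nonce and clock value below are constructed, the five-minute freshness window is an assumption, and JWS signature and certificate-chain verification is assumed to have been done before this check runs.

```python
import base64
import json

MAX_AGE_MS = 5 * 60 * 1000  # assumed freshness window, not a Google-mandated value


def b64url_decode(segment):
    """Decode an unpadded base64url JWS segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_payload(jws):
    """Extract the JSON payload of a compact JWS (header.payload.signature).

    Assumption: the signature and certificate chain were verified beforehand;
    an unverified payload must never reach the policy check below.
    """
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def evaluate(payload, expected_nonce, now_ms, require_hardware=True):
    """Return a list of policy failures; an empty list means accept."""
    failures = []
    # The response echoes the request nonce, base64-encoded.
    if payload.get("nonce") != base64.b64encode(expected_nonce).decode():
        failures.append("nonce mismatch")
    ts = payload.get("timestampMs")
    if not isinstance(ts, int) or abs(now_ms - ts) > MAX_AGE_MS:
        failures.append("stale or missing timestamp")
    if payload.get("basicIntegrity") is not True:
        failures.append("basicIntegrity false")
    if payload.get("ctsProfileMatch") is not True:
        failures.append("ctsProfileMatch false")
    # evaluationType is a comma-separated list such as "BASIC,HARDWARE_BACKED".
    kinds = {k.strip() for k in str(payload.get("evaluationType", "")).split(",")}
    if require_hardware and "HARDWARE_BACKED" not in kinds:
        failures.append("no hardware-backed evaluation")
    return failures


def make_sample(evaluation_type, nonce, timestamp_ms):
    """Build a constructed, unsigned token for the demo (not a real response)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    payload = {
        "nonce": base64.b64encode(nonce).decode(),
        "timestampMs": timestamp_ms,
        "basicIntegrity": True,
        "ctsProfileMatch": True,
        "evaluationType": evaluation_type,
    }
    return ".".join([enc({"alg": "RS256"}), enc(payload), "constructed-signature"])


NONCE = b"constructed-nonce-0001"
NOW_MS = 1_700_000_000_000  # constructed clock value
SAMPLE_HW = make_sample("BASIC,HARDWARE_BACKED", NONCE, NOW_MS - 1000)
SAMPLE_BASIC = make_sample("BASIC", NONCE, NOW_MS - 1000)

if __name__ == "__main__":
    for name, token in (("hardware", SAMPLE_HW), ("basic-only", SAMPLE_BASIC)):
        print(name, evaluate(parse_payload(token), NONCE, NOW_MS) or "accept")
```

Requiring HARDWARE_BACKED also rejects devices that genuinely lack hardware attestation, so whether to enforce it is a policy decision for the relying party.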

ROM integration

Ideally, this workaround should be incorporated in custom ROMs instead of injecting code with a Magisk module. See the ProtonAOSP website for more information.

Support

If you found this module helpful, please consider supporting development with a recurring donation on Patreon for benefits such as exclusive behind-the-scenes development news, early access to updates, and priority support. Alternatively, you can also buy me a coffee. All support is appreciated.

Owner
Danny Lin
Android & full-stack web developer
Comments
  • Biometrics on Samsung (S10, android 10)

    I know Samsung is heavily skinned. Hope we can still get some help, and have sent a few beers if that helps.

    Enabling the fix breaks 3rd party apps from using fingerprint sensor. Two things I noticed:

    1. after enabling the fix, one of those apps complained about "fingerprints have changed, please enroll again" or something to that effect

    2. system.prop in the fix's zip sets ro.boot.veritymode=enforcing and ro.boot.vbmeta.device_state=locked. However, if the fix is not enabled, getprop returns empty for those properties. Are these needed? What would happen if I tried to remove those lines from system.prop?

    Any other idea of what I could test?

  • Shim the keystore service instead of replacing it

    This method is more portable, does not require a different executable for each Android version, and avoids breaking ROMs with heavy keystore customizations. It works by injecting a shared library into the keystore service and wrapping the Binder transaction handler in the generated AIDL interface.

    Because the actual attestKey implementation is statically linked into the keystore service executable, we can't hijack it directly without messy and error-prone code patching. Instead, we check each Binder transaction handled by the AIDL stub and hijack transactions with the TRANSACTION_attestKey code.

    In order to keep key attestation working for apps, we only block Google Play Services by checking the command line of the calling process through Binder. This is not infallible and can be spoofed, but it's much easier to do in C++ than looking up the calling UID's package name through PackageManagerService. There are no negative security implications as the only difference is a denied operation.

    We can't set LD_PRELOAD for the keystore service because Magisk modules start too late to modify its init.rc, so we inject the shim library as a dependency instead using patchelf and build it with the DF_1_GLOBAL ELF flag to make the dynamic linker prioritize it in symbol resolution.

    TRANSACTION_attestKey values and AIDL stub names by Android version:

    Android 10 - 11     (SDK 29-30): TX# 28, android::security::keystore::BnKeystoreService
    Android 9           (SDK 28   ): TX# 35, android::security::BnKeystoreService
    Android 7.0 - 8.1.0 (SDK 24-27): TX# 36, android::BnKeystoreService
    

    This needs testing in many different scenarios before it can be considered stable.

    Fixes #32.

    Blocked by #33.

    Scenarios and issues to test

    • 32-bit ARM devices
    • Heavy OEM skins
    • Samsung One UI
    • MIUI
    • Broken biometric authentication in apps
    • Unstable system (i.e. rebooting and/or crashing)
  • ctsProfile check failed

    Hi,

    I tried both 2.0.0 and 2.1.0 (preview) versions of safetynet-fix -- I still can't pass ctsProfile. Using XPrivacyLua works, so I expect the problem is on safetynet-fix side.

  • 2.1.0 Breaks Fingerprint Sensor - OP8T

    Installing the latest release of safetynet-fix "breaks" the fingerprint sensor on the OnePlus 8T. After installing, the fingerprint sensor will say hardware unavailable. Removing the module and rebooting will make the sensor function again. At first I thought it was just a coincidence, however I did get confirmation of this behavior on the 8T on the telegram group as well. Please let me know what other information I can supply that may be helpful in diagnosing this issue. I'll be happy to help.

  • Oneplus 8T oxygen os 12 FOD error

    Describe the bug Oxygen os 12 FOD issue is present. Whenever flashing module the safety net fixes but FOD disappear

    To reproduce Steps to reproduce the behavior:

    1. Go to 'Magisk flash safety net fix module,after that reboot,then try to add fingerprint it'll not work'
    2. Click on 'fingerprint enrollment..'
    3. Scroll down to '.fingerprint enrollment.'
    4. See error

    Expected behavior Fingerprint should work after flashing module

    Screenshots If applicable, add screenshots to help explain your problem.

    Device info Device model: Oneplus 8T kb2005 Android version:12 ROM name/version: Oxygen OS 12 Stable build

    Logs Connect your phone to a computer and run adb logcat > issue.log. Attach the log file to this issue.

    Additional context Add any other context about the problem here.

    Checklist

    • [ ] All information is present
    • [ ] Logs are attached
    • [ ] I have tried installing and configuring MagiskHide Props Config (https://github.com/Magisk-Modules-Repo/MagiskHidePropsConf)
  • Does not pass CTS profile match in android 12

    After successfully installing latest module in magisk these are the output of SafetyNet test: Safety Net Request: success; Response signature validation: success; Basic Integrity: success; CTS profile match: fail

  • Zygisk breaks Riru in new Canary Magisk

    Just a heads-up really.

    While Riru and Zygisk (as well as USNF 2.x.x) were working nicely together in vvb2060 Alpha Magisk before today's builds, Riru is now broken with Zygisk w/ latest TJW commits in both Alpha and TJW's new Canary Magisk.

    John has just provided documentation for "Developing Zygisk Modules"

    "The Zygisk API and sample module is online! Start developing and testing Zygisk modules with the latest canary release 😀" https://github.com/topjohnwu/zygisk-module-sample

    Hope it helps. PW

  • mod causing full phone lockup

    Phones I know of it doing it are 3a, 3a xl and 4a all running stock roms. It'll mostly happen when you plug the phone in to charge, but it'll also happen seemingly at random. I thought I was the only one having this issue until I decided to ask @Skittles9823 if he had any idea why WiFi would cause a lockup as it seemed to stop if you killed WiFi and or mobile data together.

    After finding out he had the same issue I was having I decided to ask in another group and found out they were having the same problem. So I started testing, I disabled the pixel launcher like I said in the picture and it didn't lockup for a few days, then last night it did. Well I had scoop running to try and grab the crash and I wasn't able to get a log of the issue. Well it didn't catch the lockup as the entire system locked up. I was able to grab some logs after it rebooted by dumb luck, I got WiFi off apparently mid crash and it grabbed all the logs and then locked up for a few seconds but then came out of it. These are those logs.

    gps.zip

    When I opened the log to read it to see if I could find what's causing it, they were all complaining about the keystore. So I asked the people I knew having the issue if they had your fix installed and they all did. One of them was using 2.0 instead of 1.1.

    I figured having the logs might be helpful

  • Please explain the networking calls in v2.1

    First I would like to say how grateful I am to the contributions made to the community by the awesomely smart people (such as kdrag0n) who work so hard to bring these fixes and work-arounds to us.

    The early access (paid) version of safetynet-fix v2.1 contains obfuscated network calls which appear to connect to a backend controlled by kdrag0n and upload/download encrypted data.

    As this is not present in v2.0, is undocumented and with the module running with root access on a user's phone, this raises significant security concerns. Eg, how can anyone know that this is not malware?

    Please could this be explained? Thank you

  • under-display fingerprint sensor does not work on Oneplus KB2000 devices

    Describe the bug under-display fingerprint sensor does not work

    To reproduce Steps to reproduce the behavior:

    1. open gpay
    2. press finger
    3. no response

    Expected behavior unlock by fingerprint

    Screenshots If applicable, add screenshots to help explain your problem.

    Device info Device model:Oneplus KB2000 Android version: 12 ROM name/version: Coloros 12.1

    Logs Connect your phone to a computer and run adb logcat > issue.log. Attach the log file to this issue.

    Additional context Add any other context about the problem here.

    Checklist

    • [x] All information is present
    • [ ] Logs are attached
    • [ ] I have tried installing and configuring MagiskHide Props Config (https://github.com/Magisk-Modules-Repo/MagiskHidePropsConf)
  • Safety net fix does not work lineage os 17.1 (cts profile)

    I have a Motorola edge and I have been trying to pass safety net. I have tried everything from spoofing device fingerprint to resetting gapps data and nothing works. Magisk hide is enabled for the google play store, google services framework, and google play services. I think it might be my other magisk modules, but none of them seem like possible issues.

  • Fingerprint not working

    I have a one plus 7 pro with lineage OS. I have recently rooted it with magisk however the fingerprint to unlock the lock screen and creating new fingerprints does not work. I have seen that there are fixes related to oxygen os / color os for the fingerprints with the safetynet-fix module however with this module as well as hide props config nothing works unfortunately. Would like some guidance thanks.

  • It's not working on magisk 25.2

    Describe the bug A clear and concise description of what the bug is.

    To reproduce Steps to reproduce the behavior:

    1. Go to '...'
    2. Click on '....'
    3. Scroll down to '....'
    4. See error

    Expected behavior A clear and concise description of what you expected to happen.

    Screenshots If applicable, add screenshots to help explain your problem.

    Device info Device model: Android version: ROM name/version:

    Logs Connect your phone to a computer and run adb logcat > issue.log. Attach the log file to this issue.

    Additional context Add any other context about the problem here.

    Checklist

    • [ ] All information is present
    • [ ] Logs are attached
    • [ ] I have tried installing and configuring MagiskHide Props Config
  • Android 13

    Please support android 13, when I upgrade to android 13 this module doesn't work anymore.

    mobile phone model redmi k50pro Android version 13 Mobile phone system ROM V13.1.22.8.25.DEV (development version)

  • Breaking microG Components

    Describe the bug It is breaking microG components, when microG is installed as Magisk Module. Though the microG GmsCore resides in actual system and rest of the files as module for obvious reasons. The case is reverted, when installation of microG is done into system or USNF is uninstalled. Here I am explaining in reference to microG Installer containing microG GmsCore & additional components.

    To reproduce A simple installation of USNF is enough to reproduce this issue.

    1. Go to 'microG Settings'
    2. Click on 'Cloud Messaging'
    3. Click on 'Location Modules'
    4. See error

    Expected behavior There must be name of App in microG Settings rather name of App process, can be seen in below screenshot.

    Screenshots microG

    Device info Device model: Redmi Note 10 Pro (sweetin) Android version: 11.0.0 ROM name/version: LineageOS 18.1

    Additional context I haven't seen this error previously, as I have already done systemless installation plenty of times. Below list of installed modules. modules

    Checklist

    • [X] All information is present
    • [ ] Logs are attached
    • [ ] I have tried installing and configuring MagiskHide Props Config
  • Xiaomi Mi 11 Pro - Installing this module boots into the recovery continuously

    Describe the bug A clear and concise description of what the bug is.

    After having Root enabled by TWRP OR Flashing Magisk_modified_boot.img, there is no problem with Root on this device. But after installing the module and reboot, the phone keeps rebooting into the Recovery MIUI 5.0 (NON-TWRP). After a couple reboots (10min later) the phone boots into the phone normally and disable this module V.2.3.1 in Magisk, and reboots, there is NO problem with booting into the phone. This only happens when enable/installing the module and reboots.

    This also happens with TWRP being installed. The phone keeps booting into the TWRP recovery, after a couple reboots the phone boots into the phone normally. Once I have booted normally into the phone and give the phone a normal reboot, it keeps booting into the Recovery TWRP OR Recovery MIUI 5.0 with NON-TWRP.

    I can reproduce this problem.

    To reproduce Steps to reproduce the behavior:

    1. Having the phone Xiaomi Mi 11 Pro - MIUI 13 - 13.0.7.0 Stable - EEA (Europe) Xiaomi SKAEUXM
    2. Getting Root by installing Magisk.zip by TWRP OR patch the Boot.img of the current ROM to get the Magisk_moddified_boot.img and patch this by ADB.
    3. Once Magisk is being installed (Version 25.2 - 25200), install only this module V.2.3.1 (latest at this moment)
    4. Give the phone a reboot when this module is being installed, then the phone boots into the recovery. Stock it boot into the MIUI Recovery 5.0. It keeps restarting automatically, after 10min a reboots cycle further the phone will boot normally. But if you reboot your phone or shutdown, it will be booting automatically into the recovery.

    TWRP installed, it will boot into the TWRP recovery. Give manually a reboot a couple times. then the phone will boot normally.

    Device info Device model: Xiaomi Mi 11 Pro Chinese - Flashed EEA (europe) Xiaomi ROM - MIUI Global 13.0.7 Stable - 13.0.7.0 (SKAEUXM) Android version: Android 12 - 12 SKQ1.211006.001 ROM name/version: star_eea_global_images_V13.0.7.0.SKAEUXM_20220507.0000.00_12.0_eea_dffd02e396

    Logs Connect your phone to a computer and run adb logcat > issue.log. Attach the log file to this issue.

    • Enable this Module, by enable Zygisk in the settings, otherwise the module is not active.
    • Reboot
    • Phone gets boot into the Recovery / TWRP automatically.
    • Give this phone another reboot, phone boots again into the recovery / TWRP
    • In TWRP - Advanced - Copy Log - Check, Include Logcat, Include Kernel Log, - Swipe
    • Add 3 log files to this case: dmesg.log, logcat.txt, recovery.log

    Additional context I always hide my Magisk with Magisk Hide Props Config - SU - Props fingerprint - Xiaomi 11 (china) - This process gets me passing Safetynet.

    So basically I need these 2 modules to pass my Safetynet coming anything different than the official stockROM.

    That being said, there more people / users having this issue: https://forum.xda-developers.com/t/mi-11-ultra-reboots-to-recovery-mode-several-time-before-rebooting-to-miui.4477991/ dmesg.log logcat.txt recovery.log

    Then I suddenly install ONLY this module, fresh, stock after flashing ROM, then the phone booting into the recovery so the cause is this module.

    For the record; I can be a tester if there is a new module available, just let me know.

    Checklist

    • [x] All information is present
    • [x] Logs are attached
    • [x] I have tried installing and configuring MagiskHide Props Config