2017-07-17 SafetyNet update (Bypass PoC attached) #291

Closed
coderobe opened this issue Jul 16, 2017 · 56 comments

@coderobe

coderobe commented Jul 16, 2017

What?

Google silently pushed an update to their SafetyNet procedures, breaking both basicIntegrity and ctsProfile.

How?

The updated procedures appear to be looking for a few buildprop values, including (but probably not limited to):

  • init.svc.magisk_pfs
  • init.svc.magisk_pfsd
  • init.svc.magisk_service
  • persist.magisk.hide
  • ro.magisk.disable

Suggestions

init.* can and probably should be reset after Magisk leaves the system routine;
persist.magisk.hide and similar settings could be stored in a settings file (JSON; XML; SQLite; \n delimited plain text?) instead of the buildprop, that would require an updated interface in Magisk and Magisk-Manager - either simply rerouting those calls to a new settings getter, or by patching getprop to fall back to the settings store.
ro.magisk.disable is only set when magisk is set to core-only mode, again - using a custom key/value store would fix this

Because init.* doesn't appear to be used beyond initialization and persist.magisk.hide currently falls back to true anyways, deleting said props after initialization is a (currently) viable option to pass SafetyNet until the next reboot.

PoC

#!/system/bin/sh
su -c "resetprop --delete init.svc.magisk_pfs; \
resetprop --delete init.svc.magisk_pfsd; \
resetprop --delete init.svc.magisk_service; \
resetprop --delete persist.magisk.hide; \
resetprop --delete ro.magisk.disable"

@gudenau

gudenau commented Jul 17, 2017

The entire point of SafetyNet is for it to get silent updates sadly.

Works for me, so that is good at least. Keep up the good work!

@SemperNattramnar

Works <3

@ghost

ghost commented Jul 17, 2017

Nice! Good catch, man.
Excellent work.

@sou7611

sou7611 commented Jul 17, 2017

I can confirm this bypasses the new changes as well

@etnperlong

It works on my LeEco Pro 3 (Paranoid Android 7.2.0). Thank you!!!

@dan-saba

Can we block silent updates to SafetyNet to avoid stuff like this taking us by surprise in the future? Is anyone working on a module for this?

@SubhrajyotiSen

Really nice catch. Works on Tipsy v6.5

@Jiikuy

Jiikuy commented Jul 17, 2017

You can't disable SafetyNet updates, it's a web based service.

@NinjaBoyLao

This actually isn't working for me right now, so i must be failing SafetyNet for a different reason

@wernnie

wernnie commented Jul 17, 2017

Hi, how can I use this on my phone to pass safetynet again?

@devz3r0

devz3r0 commented Jul 17, 2017

I can confirm this workaround too.

@batbloss

Can anyone tell me What should i do with this code

@devz3r0

devz3r0 commented Jul 17, 2017

open a terminal application and insert that, or use tasker if you have that. (then without the shebangline and su as you enable that in the task)

@Jean85

Jean85 commented Jul 17, 2017

Can confirm it works on a Nexus 5X with Lineage OS

@viper1987234

all i got was errors never used console before so i dunno if i did it wrong :(

@viper1987234

Code:
getprop | grep magisk | cut -d'[' -f2 | cut -d']' -f1 | xargs -n1 resetprop --delete

this worked for me

@hegyak

hegyak commented Jul 17, 2017

The POC worked for me.

@sou7611

sou7611 commented Jul 17, 2017

For those who want an easier adb-less way to do this, load this task into Tasker and run it :

https://www.dropbox.com/s/e5b58aenm66ohwj/Remove_Build.Prop_Magisk_Entries.tsk.xml?dl=0

You can also attach it to a profile set to execute at boot, if you want.

@NinjaBoyLao

@viper1987234 that worked for me where the proof of concept did not, what does your command do differently? I am not fluent in linux so i don't know a hundred percent sure myself just from reading it

@viper1987234

its not my command bro just one i found that worked and shared bro :D happy to help

@viper1987234

save that command as u need it every time u restart your phone

@NinjaBoyLao

I see, do you know who came up with that? Trying to find out what i just did so i at least understand it a little better

@viper1987234

let me check history on pc 2 secs

@viper1987234

https://forum.xda-developers.com/showpost.php?p=73056617&postcount=65

there u go bud

@sou7611

sou7611 commented Jul 17, 2017 via email

@coderobe
Author

That might have unintended side-effects. I'm not sure if magisk stores any other props which might be required for proper functionality. You should instead print the filtered list, and manually delete other keys one by one and figure out the culprit that way - then you could even post the result and i'll add it to the list of filtered prop keys in the original post.

@sou7611

sou7611 commented Jul 17, 2017 via email

@sovanyio

I had to delete more props (persist.magisk.busybox, magisk.version, and ro.magisk.disable) to get past safetynet on a pixel with v12

@stuartpb

I was going to say it'd be better to at least narrow the grep by (init\.svc|persist)\.magisk than to just blanket-remove every property with magisk in it, but going by reports like this, it sounds like SafetyNet might be doing a straight-up search for any properties with "magisk" in them, in which case passing the output from grep magisk straight to resetprop would actually be the right workaround.

I don't know if Magisk et al includes Bash (or a shell with compatible printf/brace expansion), but if it does, a shorter version of the PoC in the initial comment would be:

printf '%s\n' init.svc.magisk_{pfs,pfsd,service} persist.magisk.hide | xargs -n1 su -c resetprop --delete

@stuartpb

stuartpb commented Jul 17, 2017

Another idea: is SafetyNet using getprop to read these, and if so, would it be possible for Magisk Hide to just hand SafetyNet its own version of getprop that filters out all magisk properties? That'd probably be easier than introducing a whole alternative property store.

@viper1987234

i just found one that worked and i could play pokemon go after rooting my phone so i can still go out with the kiddo

@coderobe
Author

@stuartpb i've still got several prop values containing magisk, and SafetyNet passes - i don't think it's doing a blanket search

@NinjaBoyLao

@coderobe running your proof-of-concept did not pass safetynet for me, while the more blanket approach did. android 6.0 on moto x pure, never used anything other than magisk, stock ROM. currently attempting to figure out how to do what you asked so i can add more culprits to your list

@coderobe
Author

@NinjaBoyLao right, people have reported additional properties safetynet may be looking for, but because everyone is blindly running the blanket removal i can't pinpoint it

@sou7611

sou7611 commented Jul 17, 2017

those of you having issues with additional props causing failure need to do the following after a fresh reboot (before deleting any props):

su -c "getprop | grep magisk | cut -d'[' -f2 | cut -d']' -f1"

and report the results.

FWIW, I was able to pass with just the 4 in the OP, removed via tasker task at boot. Stock Moto X Pure on 6.0, with a barebones Magisk (no modules).
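
The comments above disagree on whether the check uses a fixed list of property names or a blanket search for "magisk". As an added example (not part of the thread, and not SafetyNet's or Magisk's code), here is a defender-side sketch of both matching strategies run over constructed `getprop` output. How SafetyNet actually matches is not established by this thread; the function names and the sample data are assumptions.

```shell
#!/bin/sh
# Added example: compare two property-matching strategies on getprop output.

# Property names listed in the first post of this thread.
KNOWN_PROPS="init.svc.magisk_pfs init.svc.magisk_pfsd init.svc.magisk_service persist.magisk.hide ro.magisk.disable"

# Constructed sample of `getprop` output (not captured from a real device).
sample_props() {
    cat <<'EOF'
[init.svc.magisk_pfs]: [stopped]
[persist.magisk.hide]: [1]
[persist.magisk.root]: [3]
[ro.build.type]: [user]
[ro.product.model]: [Constructed Device]
EOF
}

# Read "[key]: [value]" lines on stdin, print one key per line.
prop_keys() {
    sed -n 's/^\[\([^]]*\)]: \[.*$/\1/p'
}

# Strategy 1: flag only keys that appear in the fixed list.
match_exact() {
    prop_keys | awk -v known="$KNOWN_PROPS" '
        BEGIN { n = split(known, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($0 in want) { print }'
}

# Strategy 2: flag every key containing "magisk", case-insensitively.
match_substring() {
    prop_keys | awk 'index(tolower($0), "magisk") { print }'
}

# Keys the substring match catches that the fixed list does not know about.
unlisted_matches() {
    prop_keys | awk -v known="$KNOWN_PROPS" '
        BEGIN { n = split(known, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        index(tolower($0), "magisk") && !($0 in want) { print }'
}

echo "fixed-list hits:"; sample_props | match_exact
echo "substring hits:";  sample_props | match_substring
echo "missed by list:";  sample_props | unlisted_matches
```
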

@NinjaBoyLao

@sou7611 run that, report what comes out, and then what do i run to start removing things? the individual commands shown in the main issue report up there courtesy of @coderobe ?

@sou7611

sou7611 commented Jul 17, 2017

I'd do a series of individual delete lines (easiest way is to use my tasker task, and just add additional steps), starting with the OP/POC list of 4 props, and try one by one until you find the additional culprits.

Wouldn't hurt for those having issues to post the prop list results here, too, so others can see if they have the same props.

@coderobe
Author

coderobe commented Jul 17, 2017

First you report the ones you've got left over after running my command in the original post, i'll take a look and tell you what can be removed safely

@coderobe
Author

The best thing would be removing one, checking, readding it, removing a different one, etc etc - to figure out if it's just one of many causing the issue - that will narrow things down

@NinjaBoyLao

working on it now, waiting for reboot to finish up

@davex2012

Safety net pass works but none of the modules work. If a module is activated, safety net pass fails.

@coderobe
Author

@davex2012 that's out of scope. this github issue is only targeting the safetynet update from 2017-07-17, it's not a general magisk support thread.

@NinjaBoyLao

after running the command, i get
"init.svc.magisk_pfs; init.svc.magisk_pfsd; init.svc.magisk_service; persist.magisk.hide; ro.magisk.disable

these appear listed out with each entry on a newline, no semicolons. i added those for readability.

@coderobe
Author

Well the first problem is that you didn't run my PoC fix. Do that, re-check SafetyNet - if it's still failing try again.

@NinjaBoyLao

i was about to say that after running your PoC, safetynet still fails, and by adding the last entry in my list, it passes.

i'm aware i didn't run your commands, i was trying to separate my reported list to be compared with others from the report on what causes safetynet to pass

@sou7611

sou7611 commented Jul 17, 2017

Have you tried a fresh/clean magisk install? to me, it seems like you have leftover props from earlier versions.

On mine, which I fresh-installed mid-june, the only prop I have after removing the 4 in the OP is:

persist.magisk.root (which is set to "3")

@NinjaBoyLao

NinjaBoyLao commented Jul 17, 2017

yes, i have. the prop i have left after the PoC is the one responsible for keeping magisk in core only mode

ro.magisk.disable

before i ran the blanket fix earlier, im pretty sure i had the magisk.version prop @sovanyio mentioned removing on a pixel, i remember seeing it and cant find it now. removing ro.magisk.disable fixes it for me.

i believe you have that particular prop due to remaining on magisk v12 @sou7611

@coderobe
Author

coderobe commented Jul 17, 2017

removing ro.magisk.disable might mess with state if core only mode is enabled still. disabling the core only mode would fix that, i'll add it to the OP though

@crian

crian commented Jul 18, 2017

Good job at this one

@ingbrzy

ingbrzy commented Jul 18, 2017

@topjohnwu
Magisk uninstaller should remove also file /data/property/persist.magisk.hide
That one is still left on device with current one..
Thank you

@coderobe
Author

@ingbrzy out of scope. open a separate issue

@ingbrzy

ingbrzy commented Jul 18, 2017

@coderobe actually not.. that leftover file was causing my SafetyNet check fail since 17-07-2017.. Even Magisk was uninstalled...

@jordialfb

jordialfb commented Jul 18, 2017

@sou7611 can you explain how to do it with tasker? open file? read file?? Thank you!

@devz3r0

devz3r0 commented Jul 18, 2017

After 13.3 update that issue is fixed for my oneplus2.

@coderobe
Author

9c1005f fixes this issue.

@jordialfb

solved using magisk 13.3!

https://www.youtube.com/watch?v=CsF32cPIo5U&lc=z132sfeqvsmvxlzn123ket04qt3qixrjb04.1500416000667779 here is a very useful tutorial.
