How to install AICP (or other ROM), Magisk, and root with SafetyNet, Certified Device & Google Pay working

[mbecroft 82]

I just recently installed AICP on my Pro1 and, in another thread, I was asked how I went about getting root and Safetynet working, including Google Pay working. It was pretty straight-forward really, but I had to dig around a bit to figure it out. Here are the exact steps, as best I recollect them. This may not be the best or only way, but it worked for me. And thanks to a number of developers/contributors and forum posts which I consulted while figuring out this process.

- Wipe phone, fastboot flash Lineage recovery, then adb sideload AICP and NikGapps ZIPs. Checked phone boots into Android no problem.

- Install the Magisk app (apk) latest version 22.0.

- (In Magisk app, "Check SafetyNet" fails for ctsProfile at this point.)

- Go to Magisk github (https://github.com/topjohnwu/Magisk/releases) -> Releases, and download Magisk-v21.4.zip . The last version that is available as a zip.

- Reboot to recovery, adb sideload Magisk-v21.4.zip. Reboot back to Android. (Do not instead try to install from the app. It does not work.)

- In Magisk app, now use the option to install/update to version 22.

- In Magisk app, Install MagiskHide Props Config module. Now use it to spoof fingerprint:

- Reboot, open terminal or adb shell, become root (type su) then type props: follow the directions, option 1, f, then find Fxtec and The Pro1 in the list. Follow the instructions and exit. Reboot.

- Turn on airplane mode

- Clear Google Play and Google Play services data+cache. Reboot. Check that Play store Settings, scroll to bottom, "Play Protect Certification" should now read "Device is certified."

- (You now have root, SafetyNet passes, and App Store sees certified device - all good!)

- If you do not need Google Pay, or if you clear cache and data of Google App and/or Google Pay and it works, you can stop here. Otherwise continue for Google Pay-specific fix...

- In Magisk settings, turn on MagiskHide

- Install Magisk modules: Busybox for Android NDK; SQLite for ARM aarch64 devices (available here: https://forum.xda-developers.com/t/working-magisk-with-google-pay-as-of-gms-17-1-22-on-pie.3929950/page-9#post-79643248).

- I *think* the process was to clear cache+data, then run Google Pay, then exit and continue with the next step. I think a reboot may be needed here as well.

- Finally, install module: GPay SQLite Fix (from same URL above).

- You should now be able to add cards to Google Pay, without the message "your device has been altered...". After adding card, reboot. This is necessary for the GPay fix to work. UPDATE - although the forum post I was working from stated this step was necessary, everything worked fine for me without rebooting after adding a card.

I may have missed something in the above - everyone please feel free to add to/correct me on any of this! The key thing was flashing Magisk 21.4 ZIP first, then updating it from the Magisk app. Root works really well, and you can selectively hide Magisk from certain apps and so on, it is really flexible and seems to work perfectly in every way.

I am not sure what happens if you now alter the system partition - for instance to change the keymap files. I haven't tried this yet, but I hope with Magisk set up as above, it will not be a problem - will find out soon...

Cheers

-Mario

Edited March 16, 2021 by mbecroft
add new info

[ivoanjo 33]

This didn't quite work for me. I've had my Pro 1 on the stock firmware up until today, where I installed LineageOS 18.1 20210401.

I followed this guide, did the magisk hideprops config, and cleared the google play settings, but afterwards the safetynet would still not pass (even in magisk's own check).

I googled a bit, and installed https://github.com/kdrag0n/safetynet-fix (downloaded + installed via magisk), then hid magisk and did the clear data/cache/reboot dance again, and afterwards safetynet passes.

I also installed Google Pay and was able to set up NFC and everything seems to work fine (I didn't need the fix).

[mbecroft 82]

 

On 4/3/2021 at 5:40 AM, ivoanjo said:

This didn't quite work for me. I've had my Pro 1 on the stock firmware up until today, where I installed LineageOS 18.1 20210401.

I followed this guide, did the magisk hideprops config, and cleared the google play settings, but afterwards the safetynet would still not pass (even in magisk's own check).

I googled a bit, and installed https://github.com/kdrag0n/safetynet-fix (downloaded + installed via magisk), then hid magisk and did the clear data/cache/reboot dance again, and afterwards safetynet passes.

I also installed Google Pay and was able to set up NFC and everything seems to work fine (I didn't need the fix).

Agreed, after upgrading from AICP Q to Lineage R it seems to just work - the safetynet test in Magisk fails with API error, but testing with a separate Safetynet test app works, and Google Pay works.

It doesn't seem to affect Google Pay, but one problem I have is that MagiskHide does not survive a reboot. Have to manually disable and re-enable it after rebooting...but even then it does not affect Google pay, but some other apps warn that the device is rooted, if MagiskHide is not running.

[EskeRahn 5,399]

(moved this from "General Discussion" to the "HowTos")

[PokeParadox 62]

3 hours ago, mbecroft said:

 

Agreed, after upgrading from AICP Q to Lineage R it seems to just work - the safetynet test in Magisk fails with API error, but testing with a separate Safetynet test app works, and Google Pay works.

It doesn't seem to affect Google Pay, but one problem I have is that MagiskHide does not survive a reboot. Have to manually disable and re-enable it after rebooting...but even then it does not affect Google pay, but some other apps warn that the device is rooted, if MagiskHide is not running.

Thanks for that... I've been sat twiddling my thumbs waiting for the Magisk fix - didn't think about checking with a separate app. I can continue setting up the rest of my phone apps now! :P

[dreamflasher 120]

It used to work for me, but it stopped working a couple of weeks ago. I do the full offline, clear cache, reboot dance. But it looks like it's working for some of you with Lineage 18.1?

Ahhh I see the problem. There's the safetynet API error in magisk, but in Google Play it shows "certified". That's good to know that Magisk is currently broken.

 

Edited May 5, 2021 by dreamflasher

[PokeParadox 62]

I can also confirm I proceeded to downloaded a separate safety check app, which passed and then logged into my root sensitive apps mostly without a problem.

I setup my GooglePay without a hitch without having to follow the GooglePay specific part of the OP post.

One of my banking apps is still detecting root, however.

[PokeParadox 62]

Magisk has been updated (23.0), so the internal SafetyNet check should work again!

[ivoanjo 33]

On 5/6/2021 at 9:08 AM, PokeParadox said:

One of my banking apps is still detecting root, however.

Have you tried the magisk hide functionality? This did the trick for me for all aps that detected root -- I just add them to the hide list and problem solved.

[PokeParadox 62]

33 minutes ago, ivoanjo said:

Have you tried the magisk hide functionality? This did the trick for me for all aps that detected root -- I just add them to the hide list and problem solved.

Yes, sorry I should have been clearer. I'm using the hide list, but Halifax banking app is somehow still detecting root - other root-sensitive apps aren't. I'm not sure how.

[Rob. S. 1,634]

4 hours ago, PokeParadox said:

I'm using the hide list, but Halifax banking app is somehow still detecting root - other root-sensitive apps aren't. I'm not sure how.

Does the app explicitly complain about 'root', or does it say something more general like 'unsecure phone'? Only a few weeks ago one of my banking apps (Fidor) stopped working on my Pro¹, saying something like 'unsecure phone detected' or some such (can't remember the exact words), and the phone isn't even rooted.  The banking app, same as the 'Entrust Identity' app which generates login tokens for my employer's VPN, seems to already see a security issue if it simply finds an alternative ROM like Lineage or AICP.

That said, I've heard about the existence of an Xposed module that is supposed to deal with that problem. Cannot say more at this point, though, as I've not had the time to try out what this thread is about. It's still on my to do list.

Edited May 13, 2021 by Rob. S.

[Hook 2,907]

32 minutes ago, Rob. S. said:

Does the app explicitly complain about 'root', or does it say something more general like 'unsecure phone'? Only a few weeks ago one of my banking apps (Fidor) stopped working on my Pro¹, saying something like 'unsecure phone detected' or some such (can't remember the exact words), and the phone isn't even rooted.  The banking app, same as the 'Entrust Identity' app which generates login tokens for my employer's VPN, seems to already see a security issue if it simply finds an alternative ROM like Lineage or AICP.

That said, I've heard about the existence of an Xposed module that is supposed to deal with that problem. Cannot say more at this point, though, as I've not had the time to try out what this thread is about. It's still on my to do list.

Is it possible they are detecting the unlocked bootloader (you can't relock it on anything but stock)?  I don't know because my Bank app doesn't complain and I don't care about passing safety net so never studied this problem much, but the possibility occurred to me.

[Rob. S. 1,634]

3 hours ago, Hook said:

Is it possible they are detecting the unlocked bootloader (you can't relock it on anything but stock)?  I don't know because my Bank app doesn't complain and I don't care about passing safety net so never studied this problem much, but the possibility occurred to me.

I can't tell for the banking app, but I know that the identity token app specifically looks for alternative ROMs like Lineage. The message I get is a bit clearer there. 

[dreamflasher 120]

Insular works well for me, it creates a work profile and the apps run there, with this all the banking apps are happy that otherwise complain.

[Rob. S. 1,634]

Anyone able to download the latest Magisk?

Magisk.me links to https://bytestransfer.com/download/zelunlw6jjvqzq4hinulxpeey/, but the download button there just re-links to the same page, whether or not I disable my adblocker...?

Github is the only source where you can get official Magisk information and downloads.

Edited May 28, 2021 by Rob. S.

[Rob. S. 1,634]

Now that I finally did the plunge and moved to LineageOS 18.1 (without loss of data, from 17.1, which unfortunately became unsupported the moment 18.1 was out, but I guess that's a reasonable price to pay for the excellent options we get through those alternative ROMs), I thought I'd go the whole way and get root plus SafetyNet out of it, too, thanks to the instructions here. They seemed straightforward enough, and the adb USB connection from my old and trusted Thinkpad had already proven dependable. 

And it worked like a charm, too!

I'm not completely happy with the results, though, but that's not because anything went wrong, but because passing SafetyNet on a rooted device with an alternative ROM is not the be-all-and-end-all solution for running security-anxious apps anymore. These are the (prelimiary) results:

• (+) SafetyNet passed!
• (+) Google Pay seems to work! At least I could add my debit card and got the approval of my bank (ING), too. 
• (+) Apps like Netflix and Disney Plus appear in the Play Store!  

But:

• (–) My business bank's (Fidor) app doesn't work: "Due to our high security requirements, we currently do not support devices with modified software/firmware". What makes this even more tricky is the fact that this app needs to be on the phone with the SIM card and the phone number that's registered with the bank, and which can only be changed through a written statement signed by both managing partners, so before I move it to another phone (with another SIM card and phone number) I'd like to try everything to get it to work on my daily driver.
• (–) My employer's identity token app (Entrust Identity) for their VPN doesn't work, either: "activation is not supported on an unsecured device". I expected that, I knew they explicitly scan for alternative ROMs.

Now I'll see whether there might be Magisk modules which can help further before I give up and use my spare phone for those two things; I remember I did read something about an Xposed module that's tries to hide the fact that we're on an alternative ROM. I'll also look for something that would be capable of hiding an unlocked bootloader as @Hook suggested which still could be the technical basis in the case of the banking app.

Here are three details in which I deviated from @mbecroft's original instructions:

• Current Magisk version is 23. Since 22, there's no .zip file anymore to download and install through sideloading, but you can just rename the .apk file to .zip (just like .jar or other Java-related archive types, it is a .zip after all) and do the same thing, as described in the official instructions (last item, 'Custom Recovery', which seems to be what we have to use for our device even though there's a warning that it "is deprecated and is maintained with minimum effort"). 
• The device certification and everything else only worked (while, in the current version of the Play Store, I found no statement saying so) after enabling Magisk Hide and going to through the enable airplane mode, clear Google Play/Google Pay data, reboot step a second time.
• So far, it was not necessary to install Busybox for Android NDK, SQLite for ARM aarch64 devices or the GPay SQLite Fix to make Google Pay work. As they say on the originally linked page in a new statement, "you may not need to use this module" (while "no one is quite sure why this is, or how long it will last").

So that's the state of affairs for me, which already looks promising. Thanks to everyone who helped!

Edited May 29, 2021 by Rob. S.

[pebert 98]

On 5/29/2021 at 1:32 PM, Rob. S. said:

These are the (prelimiary) results:

• (+) SafetyNet passed!
• (+) Google Pay seems to work! At least I could add my debit card and got the approval of my bank (ING), too. 
• (+) Apps like Netflix and Disney Plus appear in the Play Store!  

But:

• (–) My business bank's (Fidor) app doesn't work: "Due to our high security requirements, we currently do not support devices with modified software/firmware". What makes this even more tricky is the fact that this app needs to be on the phone with the SIM card and the phone number that's registered with the bank, and which can only be changed through a written statement signed by both managing partners, so before I move it to another phone (with another SIM card and phone number) I'd like to try everything to get it to work on my daily driver.
• (–) My employer's identity token app (Entrust Identity) for their VPN doesn't work, either: "activation is not supported on an unsecured device". I expected that, I knew they explicitly scan for alternative ROMs.!

 

did the bank and vpn work on 17.1?

 

maybe this means thar I dare to upgrade as well... 

[Rob. S. 1,634]

4 minutes ago, pebert said:

 

did the bank and vpn work on 17.1?

maybe this means thar I dare to upgrade as well... 

No, they never worked on anything but stock Android (on my previous phone, as I never had stock on my Pro1)...

[pebert 98]

OK, great then I will upgrade as well.

 

btw, I never got that stuff to work with stock rom either. 

[Rob. S. 1,634]

On 5/29/2021 at 1:32 PM, Rob. S. said:

• (–) My employer's identity token app (Entrust Identity) for their VPN doesn't work, either: "activation is not supported on an unsecured device". I expected that, I knew they explicitly scan for alternative ROMs.

Ok, with the help of LSPosed and the "Entrust IdentityGuard Unblocker" Xposed module it seems that issue is solved, too! Just didn't get the Fidor Bank's banking app to run yet.

[Rob. S. 1,634]

Oh, and Fidor Bank just answered my support request, apologized for not supporting my phone and changed the account from pushTAN via app back to mTAN via SMS, even though this isn't officially available anymore. So while this isn't the best of all possible solutions and will only be supported, as they say, for a limited time, for the time being I can now do everything with the Pro1! And the Moto Z3 Play can finally go back into the drawer, as soon as my employer's fine tech support people will have bound my Pro1 to that VPN token account... 🙂 

Edited June 4, 2021 by Rob. S.

[agent008 238]

Thanks for the guide. 

In order to avoid having to install an "unofficial" Magisk module (Gpay SQlite fix) I simply used "props" command (from Magisk Hide Props Config module) to change my phone's signature to that of a Sony Xperia 10 II (Android 10).

This instantly allowed SafetyNet to pass and adding cards to GPay.

[Rob. S. 1,634]

1 hour ago, agent008 said:

I simply used "props" command (from Magisk Hide Props Config module) to change my phone's signature to that of a Sony Xperia 10 II (Android 10)

Yes, that did it for me, too; except that there actually is an Fxtec Pro1 signature, too, which is what I chose, and it worked as well 🙂  

[agent008 238]

The Fxtec signature didn't work for me. That's why I chose the Sony one.

EDIT: Well, of course, I ran the props command and it showed the current signature my device had. I compared it to the Pro1 key available from the list and found out they were the same. So I didn't confirm the changes and tried safetynet and Gpay, both failed.

Maybe if I had confirmed the props script (even though signatures were the same between current and new one), it would have worked? On the surface it seemed nothing was being changed, but maybe the script would still change something even if confirming with the same Pro1 key.

Edited June 25, 2021 by agent008

[Slion 1,200]

What if I don't need root but want to have a certified device on LOS 18.1?

I would need Netflix, Disney+, Bank apps and company login apps to work too.