Hello, I am having an issue with my wife's Robin. The phone is completely stock other than an unlocked bootloader and unencrypted storage. System, boot, recovery, kernel, etc. are all stock and no root. I have even wiped the system partition and reflashed the system.img for good measure. The device is failing SafetyNet checks, however. This means Android Pay is not working and displays the following error. "Android Pay can't be used on this device. This may be because your device is rooted, has an unlocked bootloader, or is running a custom ROM. As a result, Google can't confirm that your device meets Android Pay's security standards." Does anyone else with ONLY an unlocked bootloader have the same issue? Could lack of encryption have anything to do with it? I am puzzled. I have an old Nexus 5 with an unlocked bootloader, rooted, with no encryption and I am still able to toggle root and pass SafetyNet checks. Anyone else have a similar issue? If this is the case, she might as well have root and the advantages (as well as the potential hazards) that come with it.
Your wifes robin has an unlocked bootloader and you had to batch the kernel (boot.img) if she is still running stock os.
This is enough to trigger saftynet. If you want to pass saftynet again I suggest you go back to full stock or you flash magisk
( https://forum.xda-developers.com/apps/magisk ) and the phh supersu module. then you could activate magisk hide in the settings and you will pass saftynet. Thats what I am doing to play Pokemon Go
flyfire04 said:
Your wifes robin has an unlocked bootloader and you had to batch the kernel (boot.img) if she is still running stock os.
This is enough to trigger saftynet. If you want to pass saftynet again I suggest you go back to full stock or you flash magisk
( https://forum.xda-developers.com/apps/magisk ) and the phh supersu module. then you could activate magisk hide in the settings and you will pass saftynet. Thats what I am doing to play Pokemon Go
Click to expand...
Click to collapse
Thanks for the response and link. I ran the OEM unlock command and have since flashed the boot.img from the official Nextbit factory images. So unless that boot.img is itself patched, then I should be stock (other than the unlocked bootloader of course). That is likely the issue, but I want to see if anyone else who is stock with an unlocked bootloader has the same issue.
Then read this: https://www.xda-developers.com/sult...otloader-check-on-latest-cm13-builds-for-op3/
Then you will understand that an unlocked bootloader by itself can trigger saftynet. magisk removes the the verified boot flag.
Another easy solution is to just lock the bootloader using the oem lock command. This will not wipe the device like unlocking does.
So to be clear, my choices to get SafetyNet to pass are to:
OEM lock thus returning to complete stock or
Flash a modified kernel to suppress the bootloader unlocked flag or
Flash Magisk and phh root and activate Magisk hide
If I do the last option, do I also need a modified kernel or will this hide the bootloader unlock status from SafetyNet with the stock kernel? Thanks for the feedback.
Related
One benefit of signed and non-rooted LineageOS would be the ability of passing the SafetyNet test. But now my phone is still not passing the SafetyNet test. Some suggestions would be that the unlocked bootloader is the culprit that making the test fail.
I want to ask:
1. How can SafetyNet be passed with Oneplus3 and signed LineageOS?
2. If locking the bootloader is inevitable, is it possible to lock the bootloader with TWRP recovery?
3. If stock recovery is needed for locking the bootloader, is LineageOS updates work with stock recovery?
Thanks in advance!
Hazuki Amamiya said:
One benefit of signed and non-rooted LineageOS would be the ability of passing the SafetyNet test. But now my phone is still not passing the SafetyNet test. Some suggestions would be that the unlocked bootloader is the culprit that making the test fail.
I want to ask:
1. How can SafetyNet be passed with Oneplus3 and signed LineageOS?
2. If locking the bootloader is inevitable, is it possible to lock the bootloader with TWRP recovery?
3. If stock recovery is needed for locking the bootloader, is LineageOS updates work with stock recovery?
Thanks in advance!
Click to expand...
Click to collapse
Never needed to pass safteynet, but i think some of the custom kernels have a flag to mask the unlocked bootloader. Maybe magisk would work, but that would root. And as far as i know anytime you unlock your bootloader it would wipe data, that would get old flashing nightlies!
Nevermindthelabel said:
Never needed to pass safteynet, but i think some of the custom kernels have a flag to mask the unlocked bootloader. Maybe magisk would work, but that would root. And as far as i know anytime you unlock your bootloader it would wipe data, that would get old flashing nightlies!
Click to expand...
Click to collapse
Thanks for your reply. I have some bank apps that require the SafetyNet be passed so I need to find a way. I know Xposed/Magisk will work but I wish to find a way not requiring 3rd party (hacking) software.
I aware that locking/unlocking bootloader would wipe data, so I am thinking of locking the bootloader with latest TWRP and never unlocks again, just not sure if it is possible to do so, and I am not sure when after the bootloader is locked , I can go back to TWRP for LineageOS upgrade.
I have no spare phone for testing so hopefully I can get answers from here before I do anything risky
My Pixel 2 XL running on DP2 pass CTS test no problem. I could use Google Pay normally. (with Magisk v16.4)
Today I update to DP3 with factory image (flash-all with wipe), but CTS profile match failed...
I tried to downgrade to Oreo Jun with factory image (flash-all with wipe), CTS profile match still fail...
No TWRP, No Magisk, No Xposed. Tested right after initial configuration (Google account, etc.) The Only APP installed is CTS test APP. Android Pay refused to add credit card, complaining device being rooted.
My 2 XL is oem unlocked (had always been since I got it months ago)...
Any idea?
Answering my own question:
I tried lock bootloader-->CTS pass
unlock bootloader-->CTS fail... (However, before by bootloader is always unlocked and CTS pass)
It seems DP3 need bootloader to be locked to pass CTS profile... Anyone notice similar issue?
lssong99 said:
Answering my own question:
I tried lock bootloader-->CTS pass
unlock bootloader-->CTS fail... (However, before by bootloader is always unlocked and CTS pass)
It seems DP3 need bootloader to be locked to pass CTS profile... Anyone notice similar issue?
Click to expand...
Click to collapse
You always need to have bootloader locked or install custom kernel like Flash if bootloader is unlocked to pass safetynet
ram4ufriends said:
You always need to have bootloader locked or install custom kernel like Flash if bootloader is unlocked to pass safetynet
Click to expand...
Click to collapse
But before DP2 (as well as Android 8 up to May update) I always have bootloader unlocked with Magisk and CTS profile pass (Stock, Magisked kernel) ... Now CTS doesn't pass with or without Magisk...
Just a wild guess but since you wiped your device and installed from scratch did you enable Magisk Hide from the settings?
danielt021 said:
Just a wild guess but since you wiped your device and installed from scratch did you enable Magisk Hide from the settings?
Click to expand...
Click to collapse
Yes... I did everything that should be done....
Out of desperation, I still tried to set up a Credit card in Google Pay and interesting thing is that although my system still CTS failed, I was able to add my credit card to Google Pay and made a payment! Really strange.....
Anyway as long as Google Pay works, really don't care about CTS status...
Thanks for all your reply...
Would there be a way to do one-click-root on the Motorola Moto G5 (XT1672) or another way that is easy and does not do a factory reset? Thanks!
vanhead said:
Would there be a way to do one-click-root on the Motorola Moto G5 (XT1672) or another way that is easy and does not do a factory reset? Thanks!
Click to expand...
Click to collapse
I really don't know how this is going from root very well, but as I understand it, you need to unlock the bootloader of the device (which requires a factory reset). If you already have the bootloader unlocked, try KingRoot, The truth is the only root of a click that I know, I have not really tried it on this device, but on an old phone, and it worked fine. The only problem I have had and I do not know if it is the fault of the device or KingRoot, and is that when I try to uninstall an application which I gave it the root permissions, the phone restarts, to uninstall an application I had to deny it permissions and then I could uninstall it, I repeat, I do not know if it is a problem that only happens to me
Postdata: Sorry for my english
vanhead said:
Would there be a way to do one-click-root on the Motorola Moto G5 (XT1672) or another way that is easy and does not do a factory reset? Thanks!
Click to expand...
Click to collapse
Rooting the phone does not require a factory reset but unlocking the bootloader does
So if you haven't unlocked the bootloader you will have to factory reset it during the process
If the bootloader is already unlocked you do not need to factory reset your device again in order to root it
Magisk should be the only way you should root your device - do not use other methods like kingroot as this has bloat and is not systemless (meaning it alters the system partition)
You need to root with magisk in order to maintain the system partition in its original state in order to pass basic integrity & to be able to pass cts profile (may need a magisk module) and to hide the fact you are rooted from apps that will not work if your device is rooted
TheFixItMan said:
Rooting the phone does not require a factory reset but unlocking the bootloader does
So if you haven't unlocked the bootloader you will have to factory reset it during the process
If the bootloader is already unlocked you do not need to factory reset your device again in order to root it
Magisk should be the only way you should root your device - do not use other methods like kingroot as this has bloat and is not systemless (meaning it alters the system partition)
You need to root with magisk in order to maintain the system partition in its original state in order to pass basic integrity & to be able to pass cts profile (may need a magisk module) and to hide the fact you are rooted from apps that will not work if your device is rooted
Click to expand...
Click to collapse
Thank you for your help. I tried several One-click-root, none worked, so I researched, they only work on android 7.
Could you tell me if it is possible to Downgrade from Android 8.1 to 7 without unlocking the bootloader? All the videos I find, the bootloaders are already unlocked.
vanhead said:
Thank you for your help. I tried several One-click-root, none worked, so I researched, they only work on android 7.
Could you tell me if it is possible to Downgrade from Android 8.1 to 7 without unlocking the bootloader? All the videos I find, the bootloaders are already unlocked.
Click to expand...
Click to collapse
As mentioned before - you cannot root a device without unlocking the bootloader!
Why do you want a one click root? They are buggy & full of bloatware
Magisk should be the only method you should be using to root a device - either flashing through twrp or by patching the kernel and flashing the patched image through fastboot
What ever method you choose you need an unlocked bootloader to root!
Why would you want to downgrade? You can flash all parts of a firmware image except gpt & bootloader but again you might need an unlocked bootloader to do this but I don't see the point
TheFixItMan said:
As mentioned before - you cannot root a device without unlocking the bootloader!
Why do you want a one click root? They are buggy & full of bloatware
Magisk should be the only method you should be using to root a device - either flashing through twrp or by patching the kernel and flashing the patched image through fastboot
What ever method you choose you need an unlocked bootloader to root!
Why would you want to downgrade? You can flash all parts of a firmware image except gpt & bootloader but again you might need an unlocked bootloader to do this but I don't see the point
Click to expand...
Click to collapse
In fact, since i need to unlock the bootloader to root, for now, it wouldn't be a good option for me.
But there are apps that I really need and that don't work correctly on Android versions above Nougat, if I could get Downgrade without losing data, that would help me immensely for now.
Is there a possibility that I can downgrade to android 7 with the locked bootloader ? What can go wrong? Brick?
vanhead said:
In fact, since i need to unlock the bootloader to root, for now, it wouldn't be a good option for me.
But there are apps that I really need and that don't work correctly on Android versions above Nougat, if I could get Downgrade without losing data, that would help me immensely for now.
Is there a possibility that I can downgrade to android 7 with the locked bootloader ? What can go wrong? Brick?
Click to expand...
Click to collapse
You would have to format data - it would bootloop otherwise and I've already said. Flash all parts of firmware except gpt and bootloader however it may not flash as your bootloader is not unlocked
If the flashing goes wrong and your bootloader is not unlocked you will not be able to recover the device without taking it to a repair shop
My advice just don't bother - if you want to mod your phone unlock the bootloader!
And what app doesn't work above nougat?
I upgraded to official Lineage 17.1 after holding out from Oreo for a while. Everything is working perfectly, except for passing SafetyNet. CTSprofile continues to return false. After reading about the new security enhancements put into SafetyNet, I searched for a method to sign ROMs so that they would pass dm-verity and be safe to lock the bootloader, but I can't find anyone who has done it for recent ROMs.
How does one sign a custom ROM so that they can pass the bootloader's checks?
Can a Verizon Pixel that's been unlocked with the workaround be unlocked after it has been locked on a custom ROM?
Is it possible to use further tweaks on a signed and locked ROM (eg Magisk, modules, etc) ?
it will not be possible.
Hi,
I unlocked the bootloader of my oneplus 9 pro.
After finding out that I cannot use Google Pay anymore I wanted to lock the device again.
When using fastboot oem lock I get the message that my phone has been tampered with and it will not boot.
I tried flashing the stock rom using payload_dumper and locking the bootloader afterward, but no succes.
The only thing I can do at the moment is unlocking the bootloader and using the phone like this.
Does anyone have a solution?
Never mind I found the solution
-> flash the same OTA twice via local system upgrade
-> reboot into bootloader
-> fastboot oem lock
glad you got it sorted!
That is the correct way to lock. But I am typing on a 9 Pro that has Magisk installed with GPay working flawlessly. Running 11.2.6.6
That is weird.
My gpay app would always say that my device was rooted of tampered with.
I followed the guide to install magisk.
After that I flashed a custom kernel.
Used magisk hide on gpay and my banking apps.
I even used the hide magisk app feature and I was still unable to get gpay working.
I removed magisk and still gpay would not work.
I wonder how you got it to work.