If I were to unlock my bootloader, flash unmodified 8.1 dev preview and relock the bootloader, would I be able to pass safetynet? Or does unlocking the bootloader mean I'll permanently need to find workarounds no matter what I do afterwards?
Magisk rooting hides that. I can confirm that it works all the way up to November security patch. Look at the developer forum for more information.
TheSt33v said:
If I were to unlock my bootloader, flash unmodified 8.1 dev preview and relock the bootloader, would I be able to pass safetynet?
Click to expand...
Click to collapse
Yes.
I have a related question. Is locking the bootloader even necessary? I thought having an unrooted rom on an unlocked bootloader phone passes safetynet?
Hobox10 said:
I have a related question. Is locking the bootloader even necessary? I thought having an unrooted rom on an unlocked bootloader phone passes safetynet?
Click to expand...
Click to collapse
Safetynet checks for Bootloader Status, unlocked doesn't pass.
Hobox10 said:
I have a related question. Is locking the bootloader even necessary? I thought having an unrooted rom on an unlocked bootloader phone passes safetynet?
Click to expand...
Click to collapse
Custom roms often make changes at the kernel level to block safetynet's ability to check the bootloader status, which makes it pass (for now). Magisk also hides bootloader unlock status from safetynet. So there are workarounds.
Related
Hello, I am having an issue with my wife's Robin. The phone is completely stock other than an unlocked bootloader and unencrypted storage. System, boot, recovery, kernel, etc. are all stock and no root. I have even wiped the system partition and reflashed the system.img for good measure. The device is failing SafetyNet checks, however. This means Android Pay is not working and displays the following error. "Android Pay can't be used on this device. This may be because your device is rooted, has an unlocked bootloader, or is running a custom ROM. As a result, Google can't confirm that your device meets Android Pay's security standards." Does anyone else with ONLY an unlocked bootloader have the same issue? Could lack of encryption have anything to do with it? I am puzzled. I have an old Nexus 5 with an unlocked bootloader, rooted, with no encryption and I am still able to toggle root and pass SafetyNet checks. Anyone else have a similar issue? If this is the case, she might as well have root and the advantages (as well as the potential hazards) that come with it.
Your wifes robin has an unlocked bootloader and you had to batch the kernel (boot.img) if she is still running stock os.
This is enough to trigger saftynet. If you want to pass saftynet again I suggest you go back to full stock or you flash magisk
( https://forum.xda-developers.com/apps/magisk ) and the phh supersu module. then you could activate magisk hide in the settings and you will pass saftynet. Thats what I am doing to play Pokemon Go
flyfire04 said:
Your wifes robin has an unlocked bootloader and you had to batch the kernel (boot.img) if she is still running stock os.
This is enough to trigger saftynet. If you want to pass saftynet again I suggest you go back to full stock or you flash magisk
( https://forum.xda-developers.com/apps/magisk ) and the phh supersu module. then you could activate magisk hide in the settings and you will pass saftynet. Thats what I am doing to play Pokemon Go
Click to expand...
Click to collapse
Thanks for the response and link. I ran the OEM unlock command and have since flashed the boot.img from the official Nextbit factory images. So unless that boot.img is itself patched, then I should be stock (other than the unlocked bootloader of course). That is likely the issue, but I want to see if anyone else who is stock with an unlocked bootloader has the same issue.
Then read this: https://www.xda-developers.com/sult...otloader-check-on-latest-cm13-builds-for-op3/
Then you will understand that an unlocked bootloader by itself can trigger saftynet. magisk removes the the verified boot flag.
Another easy solution is to just lock the bootloader using the oem lock command. This will not wipe the device like unlocking does.
So to be clear, my choices to get SafetyNet to pass are to:
OEM lock thus returning to complete stock or
Flash a modified kernel to suppress the bootloader unlocked flag or
Flash Magisk and phh root and activate Magisk hide
If I do the last option, do I also need a modified kernel or will this hide the bootloader unlock status from SafetyNet with the stock kernel? Thanks for the feedback.
One benefit of signed and non-rooted LineageOS would be the ability of passing the SafetyNet test. But now my phone is still not passing the SafetyNet test. Some suggestions would be that the unlocked bootloader is the culprit that making the test fail.
I want to ask:
1. How can SafetyNet be passed with Oneplus3 and signed LineageOS?
2. If locking the bootloader is inevitable, is it possible to lock the bootloader with TWRP recovery?
3. If stock recovery is needed for locking the bootloader, is LineageOS updates work with stock recovery?
Thanks in advance!
Hazuki Amamiya said:
One benefit of signed and non-rooted LineageOS would be the ability of passing the SafetyNet test. But now my phone is still not passing the SafetyNet test. Some suggestions would be that the unlocked bootloader is the culprit that making the test fail.
I want to ask:
1. How can SafetyNet be passed with Oneplus3 and signed LineageOS?
2. If locking the bootloader is inevitable, is it possible to lock the bootloader with TWRP recovery?
3. If stock recovery is needed for locking the bootloader, is LineageOS updates work with stock recovery?
Thanks in advance!
Click to expand...
Click to collapse
Never needed to pass safteynet, but i think some of the custom kernels have a flag to mask the unlocked bootloader. Maybe magisk would work, but that would root. And as far as i know anytime you unlock your bootloader it would wipe data, that would get old flashing nightlies!
Nevermindthelabel said:
Never needed to pass safteynet, but i think some of the custom kernels have a flag to mask the unlocked bootloader. Maybe magisk would work, but that would root. And as far as i know anytime you unlock your bootloader it would wipe data, that would get old flashing nightlies!
Click to expand...
Click to collapse
Thanks for your reply. I have some bank apps that require the SafetyNet be passed so I need to find a way. I know Xposed/Magisk will work but I wish to find a way not requiring 3rd party (hacking) software.
I aware that locking/unlocking bootloader would wipe data, so I am thinking of locking the bootloader with latest TWRP and never unlocks again, just not sure if it is possible to do so, and I am not sure when after the bootloader is locked , I can go back to TWRP for LineageOS upgrade.
I have no spare phone for testing so hopefully I can get answers from here before I do anything risky
My Pixel 2 XL running on DP2 pass CTS test no problem. I could use Google Pay normally. (with Magisk v16.4)
Today I update to DP3 with factory image (flash-all with wipe), but CTS profile match failed...
I tried to downgrade to Oreo Jun with factory image (flash-all with wipe), CTS profile match still fail...
No TWRP, No Magisk, No Xposed. Tested right after initial configuration (Google account, etc.) The Only APP installed is CTS test APP. Android Pay refused to add credit card, complaining device being rooted.
My 2 XL is oem unlocked (had always been since I got it months ago)...
Any idea?
Answering my own question:
I tried lock bootloader-->CTS pass
unlock bootloader-->CTS fail... (However, before by bootloader is always unlocked and CTS pass)
It seems DP3 need bootloader to be locked to pass CTS profile... Anyone notice similar issue?
lssong99 said:
Answering my own question:
I tried lock bootloader-->CTS pass
unlock bootloader-->CTS fail... (However, before by bootloader is always unlocked and CTS pass)
It seems DP3 need bootloader to be locked to pass CTS profile... Anyone notice similar issue?
Click to expand...
Click to collapse
You always need to have bootloader locked or install custom kernel like Flash if bootloader is unlocked to pass safetynet
ram4ufriends said:
You always need to have bootloader locked or install custom kernel like Flash if bootloader is unlocked to pass safetynet
Click to expand...
Click to collapse
But before DP2 (as well as Android 8 up to May update) I always have bootloader unlocked with Magisk and CTS profile pass (Stock, Magisked kernel) ... Now CTS doesn't pass with or without Magisk...
Just a wild guess but since you wiped your device and installed from scratch did you enable Magisk Hide from the settings?
danielt021 said:
Just a wild guess but since you wiped your device and installed from scratch did you enable Magisk Hide from the settings?
Click to expand...
Click to collapse
Yes... I did everything that should be done....
Out of desperation, I still tried to set up a Credit card in Google Pay and interesting thing is that although my system still CTS failed, I was able to add my credit card to Google Pay and made a payment! Really strange.....
Anyway as long as Google Pay works, really don't care about CTS status...
Thanks for all your reply...
So I successfully rooted phone, with TWRP, and Magisk. The only problem I'm having is 1) still getting safety net API error,
and
2) I don't know which command to use to relock the Boot loader.
It is likely that one will fix the other, or at least I think as Google is detecting my unlocked bootloader. I want to be able to re-un-lock it (I've been seeing forums filled people who can't unlock their bootloaders after locking it.
RimWulf said:
So I successfully rooted phone, with TWRP, and Magisk. The only problem I'm having is 1) still getting safety net API error,
and
Click to expand...
Click to collapse
If your device is not 100% stock when you lock the bootloader it will not boot.
RimWulf said:
2) I don't know which command to use to relock the Boot loader.
Click to expand...
Click to collapse
[Guide]Un/locking Motorola Bootloader
UnLocking and ReLocking Motorola Bootloader https://motorola-global-portal.custhelp.com/app/standalone/bootloader/unlock-your-device-a Moto Bootloader Unlocking site Re-Locking see Post #4 More about bootloader UnLocking Post #2 Can my...
forum.xda-developers.com
RimWulf said:
It is likely that one will fix the other, or at least I think as Google is detecting my unlocked bootloader. I want to be able to re-un-lock it (I've been seeing forums filled people who can't unlock their bootloaders after locking it.
Click to expand...
Click to collapse
I have not seen this problem reported (much) as long as the device was full stock when relocked.
If your device is not 100% stock when you lock the bootloader it will not boot.
Click to expand...
Click to collapse
What do you mean? Can you clarify?
[Guide]Un/locking Motorola Bootloader
Click to expand...
Click to collapse
Thanks for that, So I managed to get it locked and got Google services and Pay working. With hide. (Small learning curve)
I have not seen this problem reported (much) as long as the device was full stock when relocked.
Click to expand...
Click to collapse
It seems to be a new problem. The the safety net check problem seems to be with magisk 22.1 (and 22.0 reportedly works but I'm too lazy to downgrade) as Hide works and I used alternative app to check safety net (SafetyNet Test) and it passed that. So everything is working as it should accept Magisk's internal safety net check tool.
Also, I finally learned how to add quotes, yay me!
sd_shadow said:
If your device is not 100% stock when you lock the bootloader it will not boot.
[Guide]Un/locking Motorola Bootloader
UnLocking and ReLocking Motorola Bootloader https://motorola-global-portal.custhelp.com/app/standalone/bootloader/unlock-your-device-a Moto Bootloader Unlocking site Re-Locking see Post #4 More about bootloader UnLocking Post #2 Can my...
forum.xda-developers.com
I have not seen this problem reported (much) as long as the device was full stock when relocked.
Click to expand...
Click to collapse
Turned out it WAS the magisk build 22.1 was fixed now FOSS works. Thanks with the help about MagiskHide. Now I need a terminal emulator that requests root permission. Any suggestions?
Anyway around this without rooting the phone?
jefffrom said:
Anyway around this without rooting the phone?
Click to expand...
Click to collapse
If your phone version is not Chinese, relock the bootloader.
Don't want to lock the bootloader you misunderstood my question
jefffrom said:
Don't want to lock the bootloader you misunderstood my question
Click to expand...
Click to collapse
That is to say that with so many details in your question, it is difficult to answer precisely but if your device is Chinese only root and magisk will allow this.
If available for your device install a https://xiaomi.eu/community/threads/22-7-6-7.66275/
Better than stock,certified play store with unlocked bootloader without root.
what's the point of an unlocked bootloader if you aren't going to root?
3zozHashim said:
what's the point of an unlocked bootloader if you aren't going to root?
Click to expand...
Click to collapse
downgrade or installing rom,No?
AFAIK no other way than to flash Magisk, enable Zygisk and use Module "SafetyNet-Fix".
If you don't use Root, in Magisk you can set to auto-deny all Root-requests.
So if I installed the EEA stock fastboot rom, I would not pass the Google Play store certification and safetynet if I leave the bootloader unlocked? Just to be sure.
This is the first I've read about this. I was thinking maybe go back to stock for a change.
Can I unlock the bootloader again in the future if I install the rom with clean all and lock?
Yes, simply unlocking the bootloader will fail SafetyNet.
Yes, you can unlock the Bootloader again, at any time.
yes you can unlock again, instantly, you wont need to wait 7 days