Pass Safety Net on GSI - Nokia 6.1 (2018) Questions & Answers

Hey,
I was trying to pass SafetyNet on my Treble GSI and trying MagiskHide-Props-Config. It needs a signature, which requires someone with a non-messed-with phone doing adb getprop ro.build.fingerprint so we can add it to the database.

Related

Passing SafetyNet

Well, I have this Moto G5 with LineageOS 16, Magisk 19.3 and TWRP 3.2.3-2-cedric-arm64 and unlocked bootloader.
When I test SafetyNet with Magisk Manager it says to me:
SafetyNet check passed
ctsProfile: false
basicIntegrity: false
I have hidden Magisk Manager and changed the device fingerprint with the MagiskHide Props Config (I chose the Moto G5 7.0 fingerprint).
What should I do to get them both to true?
Sorry for bad English.
P.S. I'm having problems with Pokémon GO, this is why I'm doing this
If you flash the magisk uninstall zip and restart the device and run a safetynet check (use a 3rd party app from playstore) does basic integrity pass?
If so try an older version of magisk or try the canary build - if basic integrity still fails and you have tested it again after a clean flash then try a different rom
TheFixItMan said:
If you flash the magisk uninstall zip and restart the device and run a safetynet check (use a 3rd party app from playstore) does basic integrity pass?
If so try an older version of magisk or try the canary build - if basic integrity still fails and you have tested it again after a clean flash then try a different rom
I've uninstalled Magisk and checked safety net, it still gives both false.
So I should change rom?
OnionMaster03 said:
I've uninstalled Magisk and checked safety net, it still gives both false.
So I should change rom?
If it doesn't pass with a clean flash then yes
OnionMaster03 said:
I've uninstalled Magisk and checked safety net, it still gives both false.
So I should change rom?
LOS16 doesn't support SafetyNet on our device, you can use the Magisk SafetyNet module that fixes your problem.
OnionMaster03 said:
Well, I have this Moto G5 with LineageOS 16, Magisk 19.3 and TWRP 3.2.3-2-cedric-arm64 and unlocked bootloader.
When I test SafetyNet with Magisk Manager it says to me:
SafetyNet check passed
ctsProfile: false
basicIntegrity: false
I have hidden Magisk Manager and changed the device fingerprint with the MagiskHide Props Config (I chose the Moto G5 7.0 fingerprint).
What should I do to get them both to true?
Sorry for bad English.
P.S. I'm having problems with Pokémon GO, this is why I'm doing this
I had the same problem, the ONLY thing that worked was installing the Magisk module "SafetyNet Fix" (you can find it in the "Downloads" section of Magisk). The issue with that is that it creates a conflict with the "key" so you get an error message every time you start your phone, but you can ignore/clear it.
Tiki Thorsen said:
I had the same problem, the ONLY thing that worked was installing the Magisk module "SafetyNet Fix" (you can find it in the "Downloads" section of Magisk). The issue with that is that it creates a conflict with the "key" so you get an error message every time you start your phone, but you can ignore/clear it.
If you try copying the fingerprint key from the system build.prop into the vendor build.prop replacing the existing value it should solve that issue
Not tried it as don't own device
Tiki Thorsen said:
I had the same problem, the ONLY thing that worked was installing the Magisk module "SafetyNet Fix" (you can find it in the "Downloads" section of Magisk). The issue with that is that it creates a conflict with the "key" so you get an error message every time you start your phone, but you can ignore/clear it.
I have the same problem. When I install SafetyPatch, the phone hangs in a bootloop.
I chose the Pixel 2 XL fingerprint. It's working fine for me.

Build prop fingerprint for Pixel 3XL Android 10?

Hi,
I recently tried to change my phone's fingerprint with Magisk Hide Prop module through terminal emulator but now the Magisk SafetyNet Check is returning BOTH ctsProfile AND basicIntegrity as FALSE, when before basicIntegrity returned as TRUE.
How do I find the newest factory fingerprint so I can manually change it back to what it was or something that returns one OR both values as TRUE?
OK, so I just re-flashed back to factory image and re-rooted with Magisk and now the basicIntegrity is returning as TRUE but the ctsProfile is still returning as false.
However, I cannot enable in-store payment with Google Pay. Is there a way to circumvent this that doesn't involve Magisk Hide module, because when I tried that the end result was BOTH values returned as FALSE. Maybe like a module that hides root from certain app instead of completely changing the fingerprint?
EDIT: I renamed the package name and turned on Magisk Hide and checked the box next to Google Pay and it still won't let me setup in-store payments due to the phone being detected as rooted.
ALSO, now the basicIntegrity value is returning as FALSE, as well... WTF.
UPDATE: I attempted the solution found here: https://forum.xda-developers.com/apps/magisk/magisk-google-pay-gms-17-1-22-pie-t3929950 . Didn't work.
I did notice that when I typed the chmod command and pressed enter the terminal emulator didn't return any text back at all, it just started a new blank line. Maybe the chmod command didn't go through correctly?

Question How to install gapps after installing GSI rom?

I have installed Lineage 18.1 GSI and trying to install gapps. I have rooted and using franko to flash opengapps pico and get an error 70 that there is not enough space on /system. What is the way to get this done? Thanks in advance!
I would like to know that as well.
Tried to flash via stock recovery but that aborted because signature verification failed.
Apps like Flashify, Flash Gordon, Flashfire or Rashr didn't work either.
With MagiskGapps-basic-module from wacko1805 the playservice framework always crashed.
I think the easiest and best way would be to flash opengapps via TWRP.
@ada12 seems to have a TWRP build that still has some bugs, but can be used to flash unsigned zip files.
Maybe he can share this with us.
I feel like this should not be a colossal effort, but it has become one. I have spent the whole day trying to figure it out. I want to use Lineage OS 18.1 with gapps from Andyyan, not any other rom.
psychofaktory said:
I think the easiest and best way would be to flash opengapps via TWRP.
I suspect that Magisk should be able to do whatever TWRP is doing (which is just putting some files in certain places, for the most part). Have you tried to find a Magisk module with OpenGapps? Or you can try making your own (but be warned that lzip is not available by default on any Android or Linux).
Edit: nevermind, I see you found a LiteGapps Magisk module.
Thanks @wirespot
The hint with the linked script to create a custom Magisk module on the preferred OpenGapps bundle was worth gold!
Now I have another problem that comes from installing the OpenGapps via Magisk.
For passing SafetyNet I have to add com.google.android.gms and com.google.android.gms.unstable to the deny list.
But when restarting Magisk all modules are reloaded. So also the OpenGapps module.
As a result, the adjustments to the deny list for the Google Play services are discarded again with every restart and the SafetyNet check fails.
How can I prevent that the two entries are no longer removed from the deny list?
Or how can I ensure that the entries are automatically added to the deny list on restart?
Edit:
It seems that this is what Magisk intended and com.google.android.gms and ...gms.unstable are automatically added to the deny list.
But now I have the question, how can I pass the SafetyNet test?
wirespot said:
I suspect that Magisk should be able to do whatever TWRP is doing (which is just putting some files in certain places, for the most part). Have you tried to find a Magisk module with OpenGapps? Or you can try making your own (but be warned that lzip is not available by default on any Android or Linux).
Edit: nevermind, I see you found a LiteGapps Magisk module.
Yes, but there is an issue with litegapps, the google contacts sync is broken unfortunately...
psychofaktory said:
It seems that this is what Magisk intended and com.google.android.gms and ...gms.unstable are automatically added to the deny list.
But now I have the question, how can I pass the SafetyNet test?
The deny list only lets you pass Basic check. To also pass CTS you need the USNF module (Universal SafetyNet Fix) and possibly other modules too. More details in this thread (check the end of the post), but try with just deny list and USNF first.
Neither the basic integrity check, nor cts profile match are passed.
Besides the denial list, I tried the modules "Shamiko", "Universal SafetyNet Fix" and "MagiskHide Props Config".
With the latter I have also tried various combinations, unfortunately unsuccessful in each case.
It looks like the deny-list does not work.
I suspect here also a connection with the message together that Magisk displays with each call:
Code:
An "su" command that does no belong to Magisk is detected. Please remove the other unsupported su
I have already been able to disable Phh-su with these commands:
Code:
adb shell
phh-su
mount -o remount,rw /
mount -o remount,rw /system
remount
mount -o remount,rw /
mount -o remount,rw /system
/system/bin/phh-securize.sh system.img
But the message in Magisk still appears.
Yeah passing SafetyNet with a custom ROM may be tricky. Didgeridoohan has a few more tips on their website you can try.
OK, I am already a big step closer to the solution.
After installing Magisk regularly, I first installed the Franco Kernel Manager.
Through this I was then able to flash UnSu.zip, which completely removed phh-su.
This also removed the message "An "su" command that does no belong to Magisk is detected" from Magisk.
Magisk had to be set up again afterwards, since it was also cleaned up by the UnSu script.
YASNAC now already showed "Basic integrity -> Pass".
But now I have not found a way to pass the CTS-profile match.
Does anyone here know what settings to set via MagiskHideProps Config?
And could someone send me the fingerprint of the stock rom (62.0.A.9.11)?
Code:
getprop ro.build.fingerprint
After some tests I discovered a big disadvantage with the variant to flash OpenGapps via Magisk.
Push notifications do not seem to work.
I use too many services that rely on Google Push notifications, so I can't do without them.
Compared to the "normal" variant of flashing OpenGapps via recovery before the first boot, the Magisk variant seems to be missing important dependencies and permissions that are only set during the first boot of the rom.
Therefore, the only useful variant is to flash GApps via recovery.
I really hope that we will soon have the possibility to flash unsigned zip files here!
Another approach:
Opengapps-zip files cannot be flashed via the stock recovery because it fails signature verification.
The GSI roms can be flashed via the stock recovery. So they seem to be signed correctly.
Would it be possible to sign the Opengapps-Zip files with the same signature keys as the GSI-Roms to be able to flash them via the stock recovery?
Aren't GSI ROMs flashed through fastboot? Since they're partition images not zip installers like OpenGapps.
Of course. You are right.
Would it be possible to merge a GAPPS zip file into a GSI image and then flash the image with fastboot?

How To Guide Passing SafetyNet on Magisk>=24.0 [Poco F3, Mi 11x, Redmi K40]

All instructions that I was able to find on how to pass SafetyNet on a rooted phone with a custom ROM were for older versions of Magisk, so I figured I'd write a guide on how I did it on version 24.3. I'm running LineageOS 18.1 for microG (no gapps) but hopefully it works for other ROMs too (EDIT: it works on LineageOS 19 for microG too). Step 3 is probably not needed for phones using the stock ROM.
Prerequisites: POCO F3 rooted with Magisk>=24.0.
Steps:
1. Open Magisk and go to settings, enable both Zygisk and Enforce DenyList. Tap Configure DenyList and check all apps that need to pass SafetyNet, except for com.google.android.gms. Reboot.
2. Install the module Universal SafetyNet Fix. Make sure you install the latest Zygisk version and not the Riru one. Reboot. Note that after rebooting com.google.android.gms will not be in the DenyList anymore if you checked it during step 1, do not enable it again because you will not pass SafetyNet when it's in the DenyList.
3. Install module MagiskHide Props Config. Reboot. Open any terminal emulator. Type "su" (without the quotes) then hit enter, give root permission if requested. Type "props" then enter, type "1" then enter, type "f" then enter, type the number for POCO (should be 22) then enter, pick the version for your model, region and Android version then enter, answer yes to all questions including when asked to reboot.
I used this app to run a test after every step:
SafetyNet Helper Sample - Apps on Google Play
Sample app to check if your device passes the Google SafetyNet CTS test
play.google.com
I got a pass on basic integrity after step 2 and a pass on CTS profile match after step 3. I added the app to the DenyList, I'm not sure what the result would be if I didn't do that.
If some apps still complain about root try hiding the Magisk app from Magisk's settings.
Ludoboii said:
All instructions that I was able to find on how to pass SafetyNet on a rooted phone with a custom ROM were for older versions of Magisk, so I figured I'd write a guide on how I did it on version 24.3. I'm running LineageOS 18.1 for microG (no gapps) but hopefully it works for other ROMs too. Step 3 is probably not needed for phones using the stock ROM.
Prerequisites: POCO F3 rooted with Magisk>=24.0.
Steps:
1. Open Magisk and go to settings, enable both Zygisk and Enforce DenyList. Tap Configure DenyList and check all apps that need to pass SafetyNet. You should probably check all system apps by Google that are usually preinstalled in Android devices, except for com.google.android.gms. Reboot.
2. Install the module Universal SafetyNet Fix. Make sure you install the latest Zygisk version and not the Riru one. Reboot. Note that after rebooting com.google.android.gms will not be in the DenyList anymore if you checked it during step 1, do not enable it again because you will not pass SafetyNet when it's in the DenyList.
3. Install module MagiskHide Props Config. Reboot. Open any terminal emulator. Type "su" (without the quotes) then hit enter, give root permission if requested. Type "props" then enter, type "1" then enter, type "f" then enter, type the number for POCO (should be 22) then enter, pick the version for your model, region and Android version then enter, answer yes to all questions including when asked to reboot.
I used this app to run a test after every step:
SafetyNet Helper Sample - Apps on Google Play
Sample app to check if your device passes the Google SafetyNet CTS test
play.google.com
I got a pass on basic integrity after step 2 and a pass on CTS profile match after step 3. I added the app to the DenyList, I'm not sure what the result would be if I didn't do that.
If some apps still complain about root try hiding the Magisk app from Magisk's settings.
Although you put your thread in the right place, I miss the Poco F3 in the title of this Guide.
This is why I came across this in a general search and that's actually a shame. Maybe you can edit your title ???
The content of your guide is interesting!
Hi,
I run the Descendant 12 rom and had issues with my banking apps detecting root even after I renamed Magisk from within Magisk and added my banking apps to the DenyList. After much research on XDA I found users freezing Magisk to stop prying apps searching for it; the app is called SD MAID.
Thank you for the updated install instructions for Magisk/Zygisk.
Ludoboii said:
All instructions that I was able to find on how to pass SafetyNet on a rooted phone with a custom ROM were for older versions of Magisk, so I figured I'd write a guide on how I did it on version 24.3. I'm running LineageOS 18.1 for microG (no gapps) but hopefully it works for other ROMs too. Step 3 is probably not needed for phones using the stock ROM.
Prerequisites: POCO F3 rooted with Magisk>=24.0.
Steps:
1. Open Magisk and go to settings, enable both Zygisk and Enforce DenyList. Tap Configure DenyList and check all apps that need to pass SafetyNet. You should probably check all system apps by Google that are usually preinstalled in Android devices, except for com.google.android.gms. Reboot.
2. Install the module Universal SafetyNet Fix. Make sure you install the latest Zygisk version and not the Riru one. Reboot. Note that after rebooting com.google.android.gms will not be in the DenyList anymore if you checked it during step 1, do not enable it again because you will not pass SafetyNet when it's in the DenyList.
3. Install module MagiskHide Props Config. Reboot. Open any terminal emulator. Type "su" (without the quotes) then hit enter, give root permission if requested. Type "props" then enter, type "1" then enter, type "f" then enter, type the number for POCO (should be 22) then enter, pick the version for your model, region and Android version then enter, answer yes to all questions including when asked to reboot.
I used this app to run a test after every step:
SafetyNet Helper Sample - Apps on Google Play
Sample app to check if your device passes the Google SafetyNet CTS test
play.google.com
I got a pass on basic integrity after step 2 and a pass on CTS profile match after step 3. I added the app to the DenyList, I'm not sure what the result would be if I didn't do that.
If some apps still complain about root try hiding the Magisk app from Magisk's settings.
Hi,
I would like to understand better how to use the list in Magisk. If in this list I put a tick on an app, what does it mean?
Sorry for hijacking the post, here is a YouTube video from the amazing "Munchy". I found it very helpful; he has released loads of informative videos regarding Android and custom ROMs.
johnr64 said:
Hi,
I run the Descendant 12 rom and had issues with my banking apps detecting root even after I renamed Magisk from within Magisk and added my banking apps to the DenyList. After much research on XDA I found users freezing Magisk to stop prying apps searching for it; the app is called SD MAID.
Thank you for the updated install instructions for Magisk/Zygisk.
Freezing Magisk can help, some banking apps are stubborn... Also, SD Maid can freeze apps?
For me personally, I only had to flash the SafetyNet Fix Magisk Module. Using Xiaomi.eu Weekly Android 12.
Ludoboii said:
... added the app to the DenyList, I'm not sure what the result would be if I didn't do that.
...
Hi,
I have followed the procedure but checking with SafetyNet it tells me "SafetyNet request: success
Response signature validation: error".
I'm sorry but I didn't understand which app you are referring to that I have to put the flag in DenyList?
pegasoc said:
Hi,
I have followed the procedure but checking with SafetyNet it tells me "SafetyNet request: success
Response signature validation: error".
I'm sorry but I didn't understand which app you are referring to that I have to put the flag in DenyList?
I was referring to SafetyNet Helper Sample. I also get the same answer and apps that would previously complain about root have stopped doing it.
pegasoc said:
Hi,
I would like to understand better how to use the list in Magisk. If in this list I put a tick on an app, what does it mean?
It means the app will not be able to gain root access nor interact with Magisk in any way, and should not be able to detect Magisk. If you tap on the app name instead of the box you'll get the option to add its various services in the DenyList, I usually add all of them for apps that I want to put in the DenyList. You should also see some sort of progress bar above the app's name after ticking the box, it tells you how many services of that app are in the DenyList. In my case it's full for each app I ticked because I also ticked all its services.
I'm still not able to pass safetynet CTS profile, after all these steps :|
tegazinho said:
I'm still not able to pass safetynet CTS profile, after all these steps :|
I've been having issues with not passing CTS profile on a couple of ROMs even after following all tutorials, I wonder what the issue is? ArrowOS and crDroid both fail but PixelOS passes (all Android 12). Strange thing is it doesn't seem to stop any of my banking apps from working. Did you upgrade to MIUI 13 stock before unlocking bootloader? What app are you using to test SafetyNet? YASNAC?
SimpleStevie said:
I've been having issues with not passing CTS profile on a couple of ROMs even after following all tutorials, I wonder what the issue is? ArrowOS and crDroid both fail but PixelOS passes (all Android 12). Strange thing is it doesn't seem to stop any of my banking apps from working. Did you upgrade to MIUI 13 stock before unlocking bootloader? What app are you using to test SafetyNet? YASNAC?
No, my bootloader was unlocked back when I bought the phone with the android 11. I've had xiaomi.eu miui version though previously before getting back now to crDroid, which I tried everything in the guide plus a lot of more stuff, like matching the firmware version with the signature on props just, and nothing works.
As for the app, I tried them all, actually YASNAC is my favorite, but for the sake of following this guide I tried the OP suggested app too.
I must have clean flashed my phone 10 times and rebooted more than 100 times today for everything I've tried. I even went back to Magisk 23 to see if I got lucky, but since it is not fully supported on A12 it was just another miss.
EDIT: Also if PixelOS I can get the safety pass I will install it, I will trade less features for the safety passing, and anything is better than miui or miui look roms like xiaomi.eu (I really hate them).
It's super weird, I've been flashing roms on android phones for as long as I can remember and I've never had an issue that I couldn't fix up til now. I wonder if downgrading to one based on android 11 would work?
"Note that after rebooting com.google.android.gms will not be in the DenyList anymore if you checked it during step 1, do not enable it again because you will not pass SafetyNet when it's in the DenyList."
Thank you! That, I didn't know.
SimpleStevie said:
It's super weird, I've been flashing roms on android phones for as long as I can remember and I've never had an issue that I couldn't fix up til now. I wonder if downgrading to one based on android 11 would work?
Note that you may have to adjust the fingerprint of your device to make it appear like running a "legit" rom.
Ludoboii said:
All instructions that I was able to find on how to pass SafetyNet on a rooted phone with a custom ROM were for older versions of Magisk, so I figured I'd write a guide on how I did it on version 24.3. I'm running LineageOS 18.1 for microG (no gapps) but hopefully it works for other ROMs too. Step 3 is probably not needed for phones using the stock ROM.
Prerequisites: POCO F3 rooted with Magisk>=24.0.
Steps:
1. Open Magisk and go to settings, enable both Zygisk and Enforce DenyList. Tap Configure DenyList and check all apps that need to pass SafetyNet. You should probably check all system apps by Google that are usually preinstalled in Android devices, except for com.google.android.gms. Reboot.
2. Install the module Universal SafetyNet Fix. Make sure you install the latest Zygisk version and not the Riru one. Reboot. Note that after rebooting com.google.android.gms will not be in the DenyList anymore if you checked it during step 1, do not enable it again because you will not pass SafetyNet when it's in the DenyList.
3. Install module MagiskHide Props Config. Reboot. Open any terminal emulator. Type "su" (without the quotes) then hit enter, give root permission if requested. Type "props" then enter, type "1" then enter, type "f" then enter, type the number for POCO (should be 22) then enter, pick the version for your model, region and Android version then enter, answer yes to all questions including when asked to reboot.
I used this app to run a test after every step:
SafetyNet Helper Sample - Apps on Google Play
Sample app to check if your device passes the Google SafetyNet CTS test
play.google.com
I got a pass on basic integrity after step 2 and a pass on CTS profile match after step 3. I added the app to the DenyList, I'm not sure what the result would be if I didn't do that.
If some apps still complain about root try hiding the Magisk app from Magisk's settings.
The same problem with me, I used a MI 11 x Indian version, all apps including banking apps working fine but Jio SIM not working with error you used a rooted device. Any solution plz.
thanks. crdroid 8.5 mi 11x passed safetynet with step 1 and 2 only.
For LineageOS users, we have ih8sn. No need for Magisk/Root.
Odd. I just install magisk, activate zygisk, restart and compose my deny list. Hide magisk launcher. Clear all data for Play Services and Gpay. Restart.
Can use Gpay fine.
My banking apps work fine without Zygisk but Gpay doesn't.
On miui.eu

How To Guide Guide to Lock Bootloader while using Rooted GrapheneOS (Magisk Root)

This guide is intended to help people to achieve having a Pixel 6 Pro using GrapheneOS with Root (using Magisk) and a Locked Boot Loader
Though it should be possible to do this with any device that GrapheneOS officially supports.
Do not ever disable the OEM unlocking checkbox when using a locked bootloader with root. This is critically important. With root access, it is possible to corrupt the running system, for example by zeroing out the boot partition. In this scenario, if the checkbox is turned off, both the OS and recovery mode will be made unbootable and fastboot flashing unlock will not be allowed. This effectively renders the device hard bricked.
I am not responsible for any harm you may do to your device, follow at your own risk etc etc, Rooting your device can potentially introduce security flaws, I am not claiming this to be secure.
Simple method without building from source
Although I highly recommend building Graphene yourself, all you really need to do is patch the official OTA released by Graphene using AVBRoot.
Simply flash the official factory Graphene build, then your patched OTA, then flash the avb_pkmd.bin you created following the instructions for AVBRoot and you can lock the bootloader, with patched rooted Graphene.
You will need to patch each new OTA to update and sideload the update as explained HERE. Flash it to both slots.
Better method, but requires more time and a decent computer
Only recommended for people with experience building things from source
The first step is to build GrapheneOS from its sources or to use AVBRoot on official builds. I will include some of the information specific for Pixel 6 Pro to help with the build process
Part one, follow this guide to build GrapheneOS from source
You will want to build a Stable Release using the TAG_NAME
Code:
TP1A.221105.002.2022111000
this an EXAMPLE Tag for the Pixel 6 Pro
Find the Latest tag on the Releases page https://grapheneos.org/releases#raven-stable
Build the Kernel for Raviole (6th generation Pixels) and follow all the instructions there
When it comes to the step of "Extracting vendor files for Pixel devices"
The DEVICE is
Code:
raven
and an Example of the BUILD_ID is
Code:
tp1a.221105.002
Check the TAG_NAME for the Latest BUILD_ID
Continue to follow the guide until completion, creating your own Keys during the process
I do recommend testing to Lock the Boot Loader, Just to see if you are able to
In my experience if the pixel does not detect a valid signed boot etc, it will not allow you to lock the bootloader
So if it brings up the screen on your phone where you can confirm the locking of the bootloader
at this stage you can just select No / Do not lock
To build with a specific BUILD_NUMBER use the command
Code:
export BUILD_NUMBER=2022112500
Replacing the number with what matches the version you are attempting to build
Remove the encryption from keys/raven/avb.pem that was created for Graphene so that you can use it with AVBRoot
Use the script
Code:
script/decrypt_keys.sh
https://grapheneos.org/build#encrypting-keys
And set a copy of the key aside for the next steps.
Use the following process to create the correct keys for AVBRoot & GrapheneOS
Use the avb.pem you decrypted in the last step
Convert the avb.pem to avb.key with the following command
Code:
openssl rsa -outform der -in avb.pem -out avb.key
Then clone the avb.key and rename it to ota.key
as it says "The boot-related components are signed with an AVB key and OTA-related components are signed with an OTA key. They can be the same RSA keypair, though the following steps show how to generate two separate keys."
Convert the public key portion of the AVB signing key to the AVB public key metadata format. This is the format that the bootloader requires when setting the custom root of trust.
Code:
PATH/TO/avbroot/external/avb/avbtool.py extract_public_key --key avb.key --output avb_pkmd.bin
Generate a self-signed certificate for the OTA signing key. This is used by recovery for verifying OTA updates.
Code:
openssl req -new -x509 -sha256 -key ota.key -out ota.crt -days 10000 -subj '/CN=OTA/'
I also edit the "CN" to match what I used earlier when I generated the keys for Graphene
I am not entirely certain what other of the keys I should use instead, I think this is the best approach for now
as it creates all the keys it requires and this process works for me
Copy the OTA (raven-ota_update-*.zip) from the folder where you have your own Factory Graphene Build and use this with AVBRoot
Then you will have all the keys and files you need to continue the guide and use the AVBRoot script
Now it's time to follow the instructions Here https://github.com/chenxiaolong/avbroot
To create a full factory installer, install it and lock the bootloader.
When you are done with AVBRoot and you have the boot.img, vbmeta.img and vendor_boot.img
All patched and signed by AVBRoot, Take a factory image from your Graphene Build and Extract it anywhere
Open the image-raven-*.zip with an Archive manager
Delete the existing boot.img, vbmeta.img and vendor_boot.img files and replace them with the patched ones
also replace the avb_pkmd.bin with the one you have created in the previous steps for AVBRoot (might work without this step)
Finally, you are able to run the flash-all.sh and then lock the bootloader
Code:
./flash-all.sh
Code:
fastboot flashing lock
Updating is very simple, Once you use AVBRoot to create the Patched OTA.zip
you can reboot to recovery and flash the patched ota.zip with adb sideload
Code:
adb sideload raven-ota_update-*.zip.patched
https://grapheneos.org/usage#updates-sideloading
Creating the patched full factory installer is not required if you simply flash the avb custom key and the patched OTA zip before locking the bootloader, after flashing the unpatched full system install build
This for me allowed me after much struggle to achieve a Rooted, Locked Boot Loader using GrapheneOS and Magisk
Now though with this guide worked out, I think it should be quite easy for anyone with basic terminal knowledge to accomplish.
Something to note is that GrapheneOS does Not Pass the CTS Profile integrity check
and I do Not Pass the Play Integrity API Check currently, Neither the Basic or Strong check
But I can pass the Basic attestation Safety Net test when using the patched SafetyNet Fix
Further testing is needed and welcomed to try and pass SafetyNet and Play Integrity
To Be Clear, Although it already should be, This is NOT Modifying the official Graphene OS Sources, it is simply using them as a SOURCE for a GUIDE, You build it using unmodified grapheneOS source code so it is an unofficial build according to their website
Sources: GrapheneOS, AVBRoot, Magisk
I highly recommend using your own build that is signed with your own keys that you can keep secure!
I make no promises to provide any updates to this rom at this time
Here more as a proof of concept that it works and updates are possible
Latest builds moved to: Unofficial GrapheneOS, Magisk Patched for Pixel 6 / 6 Pro
This really is quite cool man. Maybe I'll try this on my new P7P. This way we have everything. Well Done!
How would you update the rom? Repeat the whole process?
Spl4tt said:
This really is quite cool man. Maybe I'll try this on my new P7P. This way we have everything. Well Done!
How would you update the rom? Repeat the whole process?
I haven't worked out updating yet but all it requires is patching an updated OTA with AVBRoot in theory
I have been quite busy irl and haven't had much time to play around with it, if you do figure it out then please let me know
Spl4tt said:
This really is quite cool man. Maybe I'll try this on my new P7P. This way we have everything. Well Done!
How would you update the rom? Repeat the whole process?
now that I have had time to do it, Updating was very easy
I have also updated and improved the process for getting and creating the correct keys used for signing
After updating it booted normally, still rooted, no apparent problems or issues
New Release 2022111000
Changes since the 2022110800 release:
remove TrustCor Certificate Authority due to malicious domain squatting and ties to entities involved in surveillance which should have very little impact on web compatibility due to this CA barely being used by anyone other than a specific dynamic DNS provider
ignore wireless alert channels being marked as always-on to prevent channel configuration overriding presidential alert toggle
GmsCompatConfig: change app label from "GmsCompat config" to "GmsCompatConfig"
GmsCompatConfig: disable TelecomTaskService to resolve sandboxed Google Play services crash caused by feature flag
kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a): update base kernel to Android 13 QPR1 Beta 3 to ship the December security update early
Vanadium: update Chromium base to 107.0.5304.105
Download Moved to https://forum.xda-developers.com/t/...magisk-patched-13-raven.4518953/post-87728629
Hey, thanks for the excellent guide, this is all about to be applicable to me
I have run into a small issue though, when generating the avb.key, openssl gives me an unsupported error
openssl rsa -outform der -in avb.pem -out avb.key
routines:ssl_store_handle_load_result:unsupported:crypto/store/store_result.c:151:
Unable to load certificate
I am wondering if since I didn't put a password on the keys if that caused an issue. I tried encrypted/decrypted, same issue. It's a fresh arch linux install, so packages are up to date.
Thanks!
Wouldn't rooting GrapheneOS decrease the security of the operating system, a key aspect that Graphene is designed to improve? Seems like that defeats the purpose of using it in the first place.
holofractal said:
Hey, thanks for the excellent guide, this is all about to be applicable to me
I have run into a small issue though, when generating the avb.key, openssl gives me an unsupported error
openssl rsa -outform der -in avb.pem -out avb.key
routines:ssl_store_handle_load_result:unsupported:crypto/store/store_result.c:151:
Unable to load certificate
I am wondering if since I didn't put a password on the keys if that caused an issue. I tried encrypted/decrypted, same issue. It's a fresh arch linux install, so packages are up to date.
Thanks!
Thank you, I am glad that it has been helpful for you, I have not encountered that error myself but I did use a password initially for the steps to create the keys for Graphene, I don't think this should matter though
If you don't mind and are able to, can you create another copy of the avb.pem, see if the problem still occurs and share it with me if it does, so I can test if I get the same error when I use your .pem
EonOfBlack said:
Wouldn't rooting GrapheneOS decrease the security of the operating system, a key aspect that Graphene is designed to improve? Seems like that defeats the purpose of using it in the first place.
I do clearly say in the first post
> Rooting your device can potentially introduce security flaws, I am not claiming this to be secure.
I don't believe just using magisk is really such an issue, you are able to deny root from any applications you don't want to use it
it is possible there are unknown security vulnerabilities in magisk, but that's the same with anything.
Even though it may introduce some potential security vulnerabilities that Graphene combats against
I believe it should be everyone's choice to use root and lock their boot loader if they choose to do so
holofractal said:
routines:ssl_store_handle_load_result:unsupported:crypto/store/store_result.c:151:
Unable to load certificate
This problem appears to be related to this https://github.com/openssl/openssl/issues/14100#issuecomment-847125920
A great and helpful guide!
Thank you, dear FireRattus
FireRattus said:
This problem appears to be related to this https://github.com/openssl/openssl/issues/14100#issuecomment-847125920
openssl x509 -outform der -in avb.pem -out avb.crt
It was this command
Code:
openssl x509 -outform der -in avb.pem -out avb.crt
Could not read cert etc. of certificate from avb.pem
4087C8C0777F0000:error:1608010C:STORE routines:ossl_store_handle_load_result:unsupported:crypto/store/store_result.c:151:
Following grapheneos's guide, that is generated with:
openssl genrsa 4096 | openssl pkcs8 -topk8 -scrypt -out avb.pem
I think the root of this issue is that the pkcs8 avb.pem is an RSA private key, and the command you specified is expecting a certificate.
At any point in time do you use the crt made by Copy the avb.pem and convert it to .crt with this command step?
So if I read over everything right, I believe the solution here would be to use
openssl req -new -x509 -sha256 -key avb.key -out avb.crt -days 10000 -subj '/CN=AVB/'
But since avb and ota can be the same key, then presumably avb.crt and ota.crt could be the same as well? I get my pixel 7 tonight. I'll try and report back.
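The key-versus-certificate mix-up diagnosed in the post above, together with the guide's step that derives ota.crt from ota.key, as an added example that is not part of the thread or of AVBRoot. The function names are hypothetical, the match check assumes a PEM key without a passphrase, and the demo keys are throwaway 2048-bit keys created only for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. File names follow the guide (ota.key, ota.crt).

# pem_kind FILE: classify a PEM file by its first "-----BEGIN <label>-----" line.
pem_kind() {
    label=$(sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1)
    case "$label" in
        CERTIFICATE)             echo certificate ;;
        "ENCRYPTED PRIVATE KEY") echo encrypted-pkcs8-key ;;
        "PRIVATE KEY")           echo pkcs8-key ;;
        "RSA PRIVATE KEY")       echo rsa-key ;;
        "")                      echo not-pem ;;
        *)                       echo other ;;
    esac
}

# x509_input_hint FILE: say whether "openssl x509 -in FILE" can work, and what
# to run instead when FILE is really a private key.
x509_input_hint() {
    case "$(pem_kind "$1")" in
        certificate) echo "ok: certificate" ;;
        *-key) echo "private key: use openssl req -new -x509 -key to make a certificate" ;;
        *) echo "unrecognised input" ;;
    esac
}

# cert_matches_key CERT KEY: succeed only if CERT is a certificate whose public
# key equals the public half of KEY (assumes KEY is PEM and not encrypted,
# otherwise openssl asks for the passphrase).
cert_matches_key() {
    [ "$(pem_kind "$1")" = certificate ] || return 1
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# make_demo_material DIR: throwaway 2048-bit keys plus a certificate for the
# first one, created with the same req command the guide uses.
make_demo_material() {
    openssl genrsa 2048 2>/dev/null | openssl pkcs8 -topk8 -nocrypt -out "$1/ota.key" &&
    openssl genrsa 2048 2>/dev/null | openssl pkcs8 -topk8 -nocrypt -out "$1/other.key" &&
    openssl req -new -x509 -sha256 -key "$1/ota.key" -out "$1/ota.crt" \
        -days 10000 -subj '/CN=OTA/' 2>/dev/null
}

if [ "${1:-}" = demo ]; then
    dir=$(mktemp -d) && make_demo_material "$dir" || exit 1
    x509_input_hint "$dir/ota.key"
    cert_matches_key "$dir/ota.crt" "$dir/ota.key" && echo "ota.crt matches ota.key"
    cert_matches_key "$dir/ota.crt" "$dir/other.key" || echo "ota.crt does not match other.key"
    rm -rf "$dir"
fi
```

Run with the argument `demo` to see the checks on freshly generated material; on real files, call `cert_matches_key ota.crt ota.key` before handing the pair to AVBRoot.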
I may have accidentally made a mistake like that in the guide, I am not able to test it at the moment but would love to know what works for you
FireRattus said:
I may have accidentally made a mistake like that in the guide, I am not able to test it at the moment but would love to know what works for you
So you don't even need that last section.
There are some small differences for the pixel 7 though, but it was easy enough.
I have to say, building grapheneos was the easiest time I've ever had building a ROM. Not once did I have to go on Google fishing for answers. Flashing the ROM and relocking the bootloader took less than 10m, even with root.
This is why I switched to a pixel. I am too old and don't have the time to sit here and fiddle with my phone for hours on end anymore. I need things to just work.
This is as close as you are going to get to first party level support with aftermarket software, but I still care about privacy.
I'll do a write up later so others don't have the same issues as me, but thanks for getting me started!
holofractal said:
So you don't even need that last section.
There are some small differences for the pixel 7 though, but it was easy enough.
I have to say, building grapheneos was the easiest time I've ever had building a ROM. Not once did I have to go on Google fishing for answers. Flashing the ROM and relocking the bootloader took less than 10m, even with root.
This is why I switched to a pixel. I am too old and don't have the time to sit here and fiddle with my phone for hours on end anymore. I need things to just work.
This is as close as you are going to get to first party level support with aftermarket software, but I still care about privacy.
I'll do a write up later so others don't have the same issues as me, but thanks for getting me started!
I am really glad that the process could be made so smooth and simple for you
I did spend a long time trying to get a rooted grapheneOS with a locked boot loader before I managed to finally work it out, thanks mostly to the developer of AVBRoot, their script is the essential part which has made this so easy
with my internet troubles as well it ended up taking me a few weeks from when I initially started trying to when I was able to lock the bootloader with root successfully
Now that I have it all worked out though, I can update and patch it in very little time
Although I did write this guide for the Pixel 6 I would be happy to include any additional information which could be helpful for people using other pixels, I am just not able to test and verify the information myself on other devices
and you don't need the last section? the part where I create a full patched installer ? I did think about this, just using the patched OTA to update the rom should also work to get you root with a locked bootloader if you first flash the full installer you built yourself
I think this is possibly a better way of doing it, but I like also having the patched full installer
I would like to hear people's opinions and what works best for them.
holofractal said:
I think the root of this issue is that the pkcs8 avb.pem is an RSA private key, and the command you specified is expecting a certificate.
At any point in time do you use the crt made by Copy the avb.pem and convert it to .crt with this command step?
So if I read over everything right, I believe the solution here would be to use
openssl req -new -x509 -sha256 -key avb.key -out avb.crt -days 10000 -subj '/CN=AVB/'
But since avb and ota can be the same key, then presumably avb.crt and ota.crt could be the same as well? I get my pixel 7 tonight. I'll try and report back.
I have tested it now and the last command I had to create the files was an unnecessary step I left in by mistake, I have updated and corrected the guide so that now people should be able to use those commands without error to create the required files for AVBRoot
there should be no need to have an avb.crt and if there is, then the ota.crt should suffice
I believe it was this change to AVBRoot which led to me making this mistake
Merge pull request #3 from tnagorran/master · chenxiaolong/[email protected]
Update README.md
github.com
FireRattus said:
I am really glad that the process could be made so smooth and simple for you
I did spend a long time trying to get a rooted grapheneOS with a locked boot loader before I managed to finally work it out, thanks mostly to the developer of AVBRoot, their script is the essential part which has made this so easy
with my internet troubles as well it ended up taking me a few weeks from when I initially started trying to when I was able to lock the bootloader with root successfully
Now that I have it all worked out though, I can update and patch it in very little time
Although I did write this guide for the Pixel 6 I would be happy to include any additional information which could be helpful for people using other pixels, I am just not able to test and verify the information myself on other devices
and you don't need the last section? the part where I create a full patched installer ? I did think about this, just using the patched OTA to update the rom should also work to get you root with a locked bootloader if you first flash the full installer you built yourself
I think this is possibly a better way of doing it, but I like also having the patched full installer
I would like to hear people's opinions and what works best for them.
Oh I meant the part about avb.crt.
As for differences, if you follow the pixel 7 section on grapheneos build guide, that will suffice. Also, instead of boot.img, you flash init_boot.img.
I did also make myself an OTA and flashed it through adb, and that worked great. I want to try making my own OTA server to do away with flashing via PC. I have other family on graphene now too, so it wouldn't be all that effort just for myself.
holofractal said:
Oh I meant the part about avb.crt.
As for differences, if you follow the pixel 7 section on grapheneos build guide, that will suffice. Also, instead of boot.img, you flash init_boot.img.
I did also make myself an OTA and flashed it through adb, and that worked great. I want to try making my own OTA server to do away with flashing via PC. I have other family on graphene now too, so it wouldn't be all that effort just for myself.
I did end up figuring out that is what you probably meant. since the differences for the pixel 7 are essentially in the graphene build guide, I don't think any changes are really necessary for the guide, I do recommend just following the official guide for that part, I just include some information to help make that process a bit easier for people's first time building the rom
for me, it wasn't very clear what the TAG_NAME and BUILD_ID were supposed to be as they didn't provide examples, but a little bit of trial and error helped me work it out
Although, since you flash init_boot, does that init_boot get patched by avbroot?
I would also like to setup an OTA server, although I don't really have the funds to do that at the moment
Guide has been updated with a much simpler method thanks to https://forum.xda-developers.com/m/boom15.11870611/
I haven't tested it myself but it was pointed out, that for those who want to
All you need to do is use AVBRoot to patch the official OTA's provided by Graphene following the instructions in the readme here https://github.com/chenxiaolong/avbroot
I did think this should be possible, but I still recommend building it from source yourself if you are able to
