Moderator Announcement: THREAD CLOSED on request of OP. If you're interested in the hardened LOS for the OnePlus 3 or 3T please follow this thread in the cross-device section in future: https://forum.xda-developers.com/oneplus-3/oneplus-3--3t-cross-device-development/rom-hardened-lineageos-16-0-oneplus-3t-t4034869
This thread is dedicated to provide hardened Lineage-OS 15.1 builds with microG included for the OnePlus 3/3T with current security patches.
This thread is discontinued, please visit the LineageOS 16.0 successor thread
Features of this ROM
Download here
Pre-installed microG and F-Droid same as the LineageOS for microG project
Pre-installed AuroraStore
[*]Pre-Installed pre-release of microG DroidGuard helper to have a working SafetyNet attestation (see comments below!)
Adapted LockClock app without wake-locks (fix of frozen weather widget after boot)
OTA Support
Additional security hardening features listed below
Access to /proc/net blocked for user apps
Bundled netmonitor app to allow network monitoring
Enhanced Privacy Guard: Switches for motion sensors, other sensors and certain background activities
Cloudflare as default DNS (instead of Google)
Privacy-preferred default settings
Optional blocking of Facebook- and Google-Tracking
Optional disabling of captive portal detection
Option to define own DNS
No submission of IMSI/phone number to Google/Sony when GPS is in use
Default hosts file with many blocked ad/tracking sites
Privacy-enhanced Bromite SystemWebView
Option to deny new USB connections
Additional restrictions for secondary users
Increased password length
Kernel kept up to date with ASB patches and Google kernel/common 'android-3.18' branch
Current release levels
Security string: 2020-01-05
AOSP tag: 8.1.0_r52
Bromite System Webview: M79
Source-code and build instructions
Kernel: https://github.com/lin15-microG/android_kernel_oneplus_msm8996/tree/lin-15.1-microG
Build manifest: https://github.com/lin15-microG/local_manifests/tree/lin-15.1-microG
Installation Instructions
YOU ARE RESPONSIBLE SOLELY YOURSELF FOR ANY ACTIONS YOU DO WITH YOUR DEVICE !!!
Please note - I won't explain any single aspect (e.g. how to install 'fastboot' on your PC or troubleshoot USB connectivity issues under Windows). Search the net and consult the search engine of your choice or look here in XDA, there is plenty of information available.
Pre-Requisites
Have fastboot and adb installed on your PC and make sure, you can connect via USB to your device in fastboot mode and via adb
Download the most current .ZIP file of the ROM and place it to your phone's internal memory
An unlocked bootloader (see e.g. LineageOS install instructions)
You need at least OxygenOS 5.0 firmware, otherwise you'll get error 7 when installing the zip. (Recommended 5.0.8 - DO NOT use 9.x firmware)
Install TWRP recovery
If you come from stock ROM and have just unlocked your boot loader, this is the next thing to do. I recommend to use the TWRP recovery for the OnePlus 3/3T. The following instructions are based on TWRP.
IMPORTANT NOTE - The official TWRP 3.2.3-1 is broken - DO NOT USE!
Please use the TWRP link in the official LineageOS install instructions instead.
To install TWRP, download the twrp-x.x.x-x-oneplus3.img file (Note: replace "x.x.x-x" in the following instructions with the respective values from the real file name) to your PC, connect the phone via USB to your PC, get it into 'fastboot mode' and enter the following command on your PC:
Code:
fastboot flash recovery twrp-x.x.x-x-oneplus3.img
Afterwards, directly boot into 'recovery mode' (enter fastboot reboot on your PC and hold Power and vol.down) - DO NOT boot into the phone's Android system after having flashed TWRP! Once TWRP has been launched, you may decide to reboot your phone and install the ROM at any time later. But the first boot after flashing TWRP must be TWRP in recovery mode.
Advanced Wipe
ONLY perform the steps described here, if you come from Stock ROM or a different Custom ROM!
Boot into recovery mode. In TWRP, choose "Wipe", "Advanced" and spefify "Dalvik", "System", "Cache" and "Data" to be wiped. Make sure NOT to wipe "Internal memory". Swipe to confirm the deletion and get back into the main menu.
DO NOT flash Gapps!
This ROM comes with pre-installed microG. So don't attempt to flash Gapps.
Install ROM
In the TWRP main menu, choose "Install". A file manager appears to let you navigate to your internal memory (path /sdcard). Choose the .ZIP file of our ROM and swipe to flash.
If you update from a previous version of our ROM, you don't need to perform a wipe. If you come from a different ROM (or stock firmware), make sure that you have performed the Wipe steps above.
When finished flashing, return to the main menu, choose "Reboot" and then "System", which will cause your phone to boot into our Lineage OS 15.1 - be patient, the first boot after flashing a new ROM takes quite long!
Dealing with signed builds
Please note, that this builds is signed with an own key. When you come from a different build, you cannot directly "dirty-flash" this build. You have to perform a "clean flash" (recommended), or - you do this on your own risk - you may try the below steps.
This happens at your own risk - make a backup with TWRP before!
Download and extract the file migration.sh from this archive
This file helps you to migrate from a build signed with the publicly available test keys (i.e. all builds around, which do not state that they are signed). If you come from another signed build (e.g. official LineageOS), you have to adapt the file accordingly (see below links).
boot into TWRP
push the migration.sh file to the directory /data/local on your device and mount the /system partition in TWRP (you can do so using the dedicated TWRP's menu entry)
launch the built-in terminal in TWRP, cd into /data/local, make migration.sh executable (chmod +x) and execute the command ./migration.sh official
(In case you receive an error, try sh ./migration.sh official instead)
flash the ROM .zip
wipe Cache and Dalvik/ART Cache
reboot system
More background information and the "theory behind" can be found in the LineageOS wiki and AOSP reference.
SafetyNet:
Google SafetyNet is a device certification system, ensuring that the device is properly secured and compatible with Android CTS. Some applications use SafetyNet for security reasons, to enforce DRM or as a prerequisite for tamper-protection. General information about SafetyNet can be found here or e.g. see LineageOS' statement about SN.
If you don't need SafetyNet (i.e. you don't use apps requiring it), I recommend to switch off SafetyNet in microG settings and in addition, go to Settings - apps, make system processes visible and disable the app 'microG DroidGuard Helper'
In that case, you can safely skip the below information. (If you access the play store with Yalp coming with this build, apps, which the original playstore app would hide because of failed SafetyNet, such as e.g. Netflix, are still listed, so you don't need SafetyNet for that specific purpose)
If you need SafetyNet, because you use an app requiring SafetyNet attestation to pass, switch SafetyNet on in microG settings and make sure the a.m. DroidGuard Helper app is active. Further, please consider below important information.
The typical use-case, for which SafetyNet has been developped and is e.g. used by Google, is e.g. "Google Pay".
Although it seems not to be the intention of Google to make SafetyNet part of "ordinary, average" apps - unfortunately - a certain tendency can be observed that more and more apps make use of it. Especially nosy and privacy intrusive apps seem to start using SafetyNet against Custom ROMs, because Custom ROMs usually allow to at least restrict uncontrolled data collection.
microG GmsCore contains a free implementation of SafetyNet, but the official server requires SafetyNet requests to be signed using the proprietary DroidGuard system. A sandboxed version of DroidGuard has been added to this microG build as a prebuilt “DroidGuard Helper” app to run the Google code in an isolated environment. The chosen approach in my build is proposed and discussed within the microG project, but not yet officially implemented by microG.
As of March 11th 2019, the microG build passes the SafetyNet attestation, when installed w/o root or Xposed.
So, if you need SafetyNet and you also need root, Magisk would be the way to go.
To avoid confusion: Magisk can hide itself from being detected by SafetyNet and thus help to pass SN, if the device would pass SN without having Magisk installed. Nothing more.
Currently not working, hence not bundled
There are apps available on the Play store to show, whether SafetyNet attestation is passed, for example 'SafetyNet Test' (org.freeandroidtools.safetynettest)
IMPORTANT
I cannot and I will not give any assurance that SafetyNet attestation is passed by this build!
The SafetyNet code, which is dynamically downloaded from Google servers and executed on the device as part of the defined functionality, is regularly maintained and further developped by Google. Although it currently works, it could stop working in the future, until the microG team finds again a solution.
(Interesting enough: Remote code execution is normally considered a severe vulnerability, but hey, it's Google and we all "trust" them 100%, don't we? - At least I, besides others, exactly for that reason, do not use Gapps!)
Further, I for my part refuse to use apps requiring SafetyNet, but that is of course everybody's own decision.
Bug reports:
If you have a problem, please create a post with these informations:
Original Kernel shipped with this rom:
Build Date:
And try to get log as described here
Please note that I can't and won't support issues with builds using a different kernel or Xposed.
In regards to microG, I will try my best to help when it is related to this ROM (I use it myself), but any questions of the type "the YXZ-app can't do <some sort of fancy xyz Google functionality> properly" are better asked in the respective microG forums.
Credits
AOSP project
LineageOS project
microG project
CopperheadOS project
csagan5 (Bromite)
Yeriomin (Yalp)
XDA:DevDB Information
[ROM][Unofficial][8.1.0][microG][signed]hardened LineageOS 15.1 for Oneplus 3T, ROM for the OnePlus 3T
Contributors
MSe1969
Source Code: https://github.com/lin15-microG/local_manifests/tree/lin-15.1-microG
ROM OS Version: 8.x Oreo
ROM Kernel: Linux 3.x
Based On: LineageOS
Version Information
Status: Stable
Stable Release Date: 2020-01-13
Created 2019-01-21
Last Updated 2020-04-30
Change Log
February 7th, 2020
Announcement to discontinue the LineageOS 15.1 builds - Please visit my LineageOS 16.0 thread, which continues with LineageOS 16.0 builds
January 14th, 2020
ASB Security string 2020-01-05
Bromite Webview on 79.0.3945.107
AuroraStore updated to 3.1.7
AuroraServices updated to 1.0.5
December 7th, 2019
ASB Security string 2019-12-05
Bromite Webview on 78.0.3904.119
AuroraStore updated to 3.1.5
November 10th, 2019
ASB Security string 2019-11-05
Bromite Webview on 78.0.3904.72
Updated microG GMS core 0.2.9.x
October 13th, 2019
ASB Security string 2019-10-06
AuroraStore updated to 3.1.3
Bromite Webview on 77.0.3865.104
September 10th, 2019
ASB Security string 2019-09-05
AuroraServices updated to 1.0.4
August 11th, 2019
ASB Security string 2019-08-05
Bromite Webview on 76.0.3809.100
Aurorastore 3.0.9 with AuroraServices install method
Updated microG GMS core 0.2.8.x
OTA Support
July 4th, 2019
ASB Security string 2019-07-05
Bromite Webview on 75.0.3770.109
June 12th, 2019
ASB Security string 2019-06-05
Kernel upstreamed to 3.18.140
Bromite Webview on 75.0.3770.86
Replaced Yalpstore with Aurorastore
Removed RemoteDroidGuard
Updated F-Droid & priv. extension
Updated microG GMS core 0.2.7.x
May 9th, 2019
ASB Security string 2019-05-05
SystemWebView: Bromite updated to 74.0.3729.106
Kernel: Upstreamed to 3.18.139
Backport of 'Deny new USB' feature
Option to set own DNS
Additional options for secondary users
Increased password length
April 8th, 2019
ASB Security string 2019-04-05
SystemWebView: Bromite updated to 73.0.3683.97
Kernel: Upstreamed to 3.18.138
Control switch in dev. settings for hosts file update
March 11th, 2019
ASB Security string 2019-03-05
SystemWebView: M73-Bromite (includes CVE-2019-5786)
Kernel: Upstreamed to 3.18.136
February 19th, 2019 - 2nd interim release
New upstreamed kernel (3.18.134) from here (yet w/o CAF tag LA.UM.6.5.r1-10600-8x96.0)
February 13th, 2019 - interim release
Reverted Kernel fixes, which seem to have caused crashes after wiping cache&dalvik
Prebuilt microG DroidGuard helper app to pass SafetyNet attestation
February 9th, 2019
ASB Security string 2019-02-05
SystemWebView: M72-Bromite
Kernel: CAF tag LA.UM.6.5.r1-10600-8x96.0
January 21st, 2019
Initial load
ASB Security string 2019-01-05
AOSP tag android-8.1.0_r52
SystemWebView: M71-Bromite
Initial feature list:
Pre-installed microG and F-Droid same as the LineageOS for microG project
Pre-installed YalpStore (Version 0.45)
Access to /proc/net blocked for user apps
Bundled netmonitor app to allow network monitoring
Enhanced Privacy Guard: Switches for motion sensors, other sensors and certain background activities
Cloudflare as default DNS (instead of Google)
Privacy-preferred default settings
Optional blocking of Facebook- and Google-Tracking
Optional disable captive portal detection
No submission of IMSI/IMEI to Google/Sony when GPS is in use
Default hosts file with many blocked ad/tracking sites
Privacy-enhanced Bromite SystemWebView
Security Hardening Features - Details
1. Pre-installed microG and F-Droid
same as the LineageOS for microG project
2. Pre-installed AuroraStore
works w/o having to enable the "unknown sources feature"
3. Restrict access to /proc/net for user apps
An adapted SELinux policy prevents user apps from accessing the /proc/net pseudo file system, which can be misused to monitor and track the phone's internet traffic. For technical backgrounds, see here. For the legitimate use case of the smart phone owner him/herself monitoring the network traffic to see, what the installed apps do, the app Privacy-Friendly Network Monitor has been bundled.
4. Enhanced Privacy Guard - Sensor permission switches and background control
An own sensor template to control access to motion sensors ('ask' mode) and all other sensors (allowed by default, but can be restricted) has been implemented into the Privacy Guard. Further, the following background activities can be restricted in Privacy guard:
Background Clipboad access (forbidden by default, can be allowed per app)
Background Location access (allowed by default, if location access as such is allowed, can be forbidden per app)
Background Audio recording (allowed by default, if microphone access as such is allowed, can be forbidden per app)
5. Cloudflare (instead of Google) default DNS
Cloudflare DNS has a better privacy policy than Google Public DNS and has DNS-over-TLS and DNS-over-HTTPS. In the deafult DNS settings (as fallback) and network diagnostics, the Cloudflare DNS adresses 1.1.1.1 and 1.0.0.1 are specified as defaults (instead of Google's 8.8.8.8 and 8.8.4.4)
6. Privacy-preferred default settings
When newly installed, the below settings are defaulted, different from standard LineageOS 15.1 (all settings can be changed at any time later):
Privacy Guard is enabled on install (proposal during Setup)
Anonymous LineageOS statistics disabled (proposal during Setup)
The standard browsing app does not get the location runtime permission automatically assigned
Sensitive information is hidden on the lock screen
Camera app: Location tagging disabled by default
Apps having the PACKAGE_USAGE_STATS permission appear by default as "not allowed" under Settings => Security & privacy => Apps with usage access (instead of opting out here, the user needs to explicitly opt-in in order to have the app collecting this data)
Further, when a lock screen protection is set (PIN, pattern, password), the Nfc, Hotspot and airplane mode tiles require authentication and cannot be set without
7. Optional blocking of Facebook- and Google-Tracking
Until April 2019 build: Settings => Network & Internet => Data usage => Menu => "Apply iptables block script"
Starting with May 2019 build: Settings => Network & Internet (scroll down)
When activated, all outgoing connection attempts to Facebook servers will be suppressed.
Same applies to Google, but certain apps on an internal exception list will still be able to connect (Yalpstore, microG, or e.g. NewPipe, if installed)
8. Optional disable captive portal detection
Until April 2019 build: Settings => Network & Internet => Data usage => Menu => "Disable Captive Portal"
Starting with May 2019 build: Settings => Network & Internet (scroll down)
When activated, the system will not ping a specific Google server any longer when establishing a WiFi connection to determine, whether a captive portal is being used.
9. No submission of IMSI or phone number to Google/Sony when GPS is in use
GPS also works fine, if no SIM card is present, so there obviously is no benefit for the phone holder (different from other involved parties ) to provide this data . . .
10. Default hosts file with many blocked ad/tracking sites
The system's hosts file redirects a comprehensive list of URLs known to be adware, tracking, etc. to 127.0.0.1 (ipv4) and ::1 (ipv6)
11. Privacy-enhanced Bromite SystemWebView
Instead of the default Chromium System Webview component, the Bromite SystemWebView is used offering more privacy, more ad blocking and less Google tracking.
12. Deny new USB option
Settings => Security & Privacy
Control, what happens, if a USB device is connected to the device: Allow, allow when unlocked or block.
13. Option to define an own DNS
Settings => Network & Internet (scroll down)
You can optionally define an own DNS, which is used instead of the default DNS of the ISP (uses iptables)
Note: If your ISP intercepts DNS queries to enforce their own ISP - e.g. to enforce surveillance/censorship - this option won't work . . .
14. Maximum password length increased to 64
15. Additional restriction options for secondary users
- Disallow app installation option
- Disallow audio recording option
Further tips & tricks
Root
The ROM does not come with root baked in. A couple of features in this ROM even reduces the usual need for root.
Nevertheless, if you need/want to grant root permissions to some of your apps, the most popular options are:
Official LineageOS su addon (use 'addonsu-15.1-arm64-signed.zip')
Magisk (please search XDA on your own)
SuperSU
Note that I cannot and will not support any issues related to Magisk and/or SuperSU
Weather Widget
LineageOS does currently not offer Weather provider apps for LineageOS 15.1 for download (only for LineageOS 14.1)
I have built an APK for OpenWeatherMap for download from the LineageOS sources here, which works well with LineageOS 15.1
microG initial configuration after 1st install
After the first installation of this ROM, you need to setup microG.
Please read the instructions given on the LineageOS for microG site, section "Post Install - UnifiedNlp"
Firmware
You need at least OxygenOS 5.0 firmware, latest firmware recommended. Firmware updates (or downgrades, if needed) as flashable ZIP can be obtained e.g. here or here.
Do not confuse OnePlus 3 and OnePLus 3T firmware or you will brick your device!
Oooh thanks. I'll be having that!
Do you expect to release the 9.0 version when LOS 16 for 3T is ready?
sysak said:
Oooh thanks. I'll be having that!
Do you expect to release the 9.0 version when LOS 16 for 3T is ready?
Click to expand...
Click to collapse
Eventually yes - but not immediately, as I need some time to investigate to port the features.
MSe1969 said:
Eventually yes - but not immediately, as I need some time to investigate to port the features.
Click to expand...
Click to collapse
Maybe you can work together with nvertigo67, he has a rock solid los16 build. In the past, he has also promoted Android without Google Apps.
His thread: https://forum.xda-developers.com/on...oss-device-development/rom-nlos-16-0-t3879405
phoberus said:
Maybe you can work together with nvertigo67, he has a rock solid los16 build. In the past, he has also promoted Android without Google Apps.
His thread: https://forum.xda-developers.com/on...oss-device-development/rom-nlos-16-0-t3879405
Click to expand...
Click to collapse
Thanks for the information. I am aware of his thread and also his very knowledgeable feedbacks in the 'official' OP3T thread and I think I'll definitely try to get in touch with him.
For the time being however, I would like to concentrate on the "stable" LineageOS 15.1 (building also for the 'amami' device from same sources) to be used as a daily driver rather than bringing up a device for a new android version (I am actually not that good in this area). So I am somehow a little bit more "conservative"
this is something new ?
I'm new to this so my question is google playstore included??
and how is the gaming performance
Playstore not included
vip57 said:
this is something new
I'm new to this so my question is google playstore included??
and how is the gaming performance
Click to expand...
Click to collapse
Google play store is not included, but it had Pre installed yalp store. About gaming performance I can't comment because I don't play games.
Incase you are Intrested more info regarding micro g can be found here. https://microg.org/
Can you provide some additional information on how each step was done?
I'm specifically curious about the changes to Privacy Guard, changing the default DNS, and not submitting IMEI/IMSI/phone number on GPS requests
Thank you!
MXIIA said:
Can you provide some additional information on how each step was done?
I'm specifically curious about the changes to Privacy Guard, changing the default DNS, and not submitting IMEI/IMSI/phone number on GPS requests
Thank you!
Click to expand...
Click to collapse
The source code is linked in the OP (the link leads to the local build manifest) - you will find the commits for the features you've asked for always in the 'lin-15.1-microG' branch of my frameworks/base fork, for the sensors in PG additionally in frameworks/native and to make the PG switches visible, obviously packages/apps/Settings, always the 'lin-15.1-microG' branch.
Location services doesn't seem to be working and trying to access the location settings just fc the settings app.
Ahki767 said:
Location services doesn't seem to be working and trying to access the location settings just fc the settings app.
Click to expand...
Click to collapse
I am using this build myself w/o issues. Do you have a log?
One general advice: After 1st install, you should enter the microG settings and perform the setup as described in the link "LineageOS for microG" in OP. (I'll add a line telling this to the installation instructions)
EDIT: In short, click on 'unified NLP' and configure the location providers. Afterwards go to 'Self test' and click on each "unchecked" item and follow the instructions.
Huge thanks for the extra effort you gave to this. I was so excited when I week ago found this thread and yesterday got my Oneplus 3T and installed this.
Few questions: When I activate Iptables block script it breaks Spotify. I know spotify tries to connect graph.facebook.com so is this the cause? And can I edit iptables script somehow? I am quite newb with this stuff. Or maybe just disable script and edit Hosts file to add graph.facebook.com (its not there)? Though I would like to use this script.
eightfiveseven said:
Huge thanks for the extra effort you gave to this. I was so excited when I week ago found this thread and yesterday got my Oneplus 3T and installed this.
Few questions: When I activate Iptables block script it breaks Spotify. I know spotify tries to connect graph.facebook.com so is this the cause? And can I edit iptables script somehow? I am quite newb with this stuff. Or maybe just disable script and edit Hosts file to add graph.facebook.com (its not there)? Though I would like to use this script.
Click to expand...
Click to collapse
graph.facebook.com is FB's track&spy server, so unless you use an "original" FB product like their spy app or one of their messengers, there is no reason to allow any connection to FB. (OK, some people also allow their Login services spying on them...)
The reason, why Spotify breaks, is that Spotify is hosted on Google servers. I may think about adding the Spotify app to the exception list for Google (from its permissions however, this app seems also quite invasive, so not sure yet) This would mean that this app would still send tracking data to the Google trackers Ads, Crashlytics and DoubleClick and others (Spotify uses 9 trackers, according to Exodus, which is a lot!)
Yes, you can edit the script, but for this you need a root shell (e.g. via adb) - the script file is /system/bin/z_iptables and you would need to add the line com.spotify.music into the list under list_apps()
Regards, M.
MSe1969 said:
graph.facebook.com is FB's track&spy server, so unless you use an "original" FB product like their spy app or one of their messengers, there is no reason to allow any connection to FB. (OK, some people also allow their Login services spying on them...)
The reason, why Spotify breaks, is that Spotify is hosted on Google servers. I may think about adding the Spotify app to the exception list for Google (from its permissions however, this app seems also quite invasive, so not sure yet) This would mean that this app would still send tracking data to the Google trackers Ads, Crashlytics and DoubleClick and others (Spotify uses 9 trackers, according to Exodus, which is a lot!)
Yes, you can edit the script, but for this you need a root shell (e.g. via adb) - the script file is /system/bin/z_iptables and you would need to add the line com.spotify.music into the list under list_apps()
Regards, M.
Click to expand...
Click to collapse
Thanks for the info! I edited z_iptables to bypass Spotify and now its working. I also added graph.facebook.com to hosts file and to the z_iptables (graph.facebook.com IP is 31.13.71.1 and it was missing from iptables) and now its blocked (dont know which one is blocking it). Btw what does the number after IP mean? Example 31.13.24.0/21
But I still get some calling to settings.crashlytics.com, app.adjust.com and clients3.google.com according to my Pi-hole (which are blocked in it).
Might have to add them too.
Though my adb pull command for the Hosts file stopped working... (freezes in 14%) Any ideas why? This is first time I am doing anything like this so I'm bit nervous.
eightfiveseven said:
Thanks for the info! I edited z_iptables to bypass Spotify and now its working. I also added graph.facebook.com to hosts file and to the z_iptables (graph.facebook.com IP is 31.13.71.1 and it was missing from iptables) and now its blocked (dont know which one is blocking it). Btw what does the number after IP mean? Example 31.13.24.0/21
But I still get some calling to settings.crashlytics.com, app.adjust.com and clients3.google.com according to my Pi-hole (which are blocked in it).
Might have to add them too.
Though my adb pull command for the Hosts file stopped working... (freezes in 14%) Any ideas why? This is first time I am doing anything like this so I'm bit nervous.
Click to expand...
Click to collapse
Be careful!
The "/21" in 31.12.24.0/21 means range 31.12.24.0 . . . 31.12.31.255 and the also specified blocking entry 31.13.64.0/18 means 31.13.64.0 . . . 31.13.127.255, which includes 31.13.71.1 - further explanation of the subnets can be found e.g. here
Therefore, if you could still reach graph.facebook.com resolving to 31.13.71.1, the iptables config may not be effective at all (the calls to adjust and goole indicate so)! Please open a browser on your device and simply enter 'facebook.com' as address - if you are redirected to FB for logon, the firewall-blocking is inactive - in that case, please try to deactivate and reactivate the iptables block script and try again. If it persists, open an adb root shell, cd to /system/bin and execute the command ./z_iptables set and watch out for error messages.
MSe1969 said:
Be careful!
The "/21" in 31.12.24.0/21 means range 31.12.24.0 . . . 31.12.31.255 and the also specified blocking entry 31.13.64.0/18 means 31.13.64.0 . . . 31.13.127.255, which includes 31.13.71.1 - further explanation of the subnets can be found e.g.
Therefore, if you could still reach graph.facebook.com resolving to 31.13.71.1, the iptables config may not be effective at all (the calls to adjust and goole indicate so)! Please open a browser on your device and simply enter 'facebook.com' as address - if you are redirected to FB for logon, the firewall-blocking is inactive - in that case, please try to deactivate and reactivate the iptables block script and try again. If it persists, open an adb root shell, cd to /system/bin and execute the command ./z_iptables set and watch out for error messages.
Click to expand...
Click to collapse
Yes you were correct. Script was inactive but after I removed the IP I added the script started working again. Thanks again!
Hi,
Thank you for your work! I just have two questions: do you spread updates via normal OTA or do we have to go to this thread to check for updates? I will definitely root it too with Magisk, would I need to redo this after every update?
Hello.
After updating the magisk module and magisk app, the safety net disappeared. What can I do to get my safetynet back and make mobile payments?
Root is working.
Google play - The device is certified.
All moduls installed.
1- Enable Zygisk (by enabling Zygisk, riru will be disabled)
2- Remove Universal Safetynet Fix
3- Enable "Enforce DenyList"
4- "Configure Denylist" > "Show system apps" > "Google Play Services" > enable gms and gms unstable
5- Reboot
6- Install Universal Safetynet Fix Zygisk version
7- Reboot
3zozHashim said:
1- Enable Zygisk (by enabling Zygisk, riru will be disabled)
2- Remove Universal Safetynet Fix
3- Enable "Enforce DenyList"
4- "Configure Denylist" > "Show system apps" > "Google Play Services" > enable gms and gms unstable
5- Reboot
6- Install Universal Safetynet Fix Zygisk version
Click to expand...
Click to collapse
Please download link to Safetynet Fix Zygisk version.
Thanks
Release v2.2.1 (Zygisk) · kdrag0n/safetynet-fix
Changes Fixed under-display fingerprint sensor on Realme devices (thanks @osm0sis, @byxiaorun, @Jowat97) Clarified definition of "basic attestation" in readme Add check to prevent installation on ...
github.com
Thank you.
I did everything according to your instructions, but I still can't see Safetynet.
After the reboot, the checked options in Google play services will disappear
Download an application called YASNAC to check safetynet.
Magisk no longer checks for safetynet
jkmaxfli said:
After the reboot, the checked options in Google play services will disappear
Click to expand...
Click to collapse
the same happens to me but even after reboots, safetynet passes
Is it right?
CTS profile match - FAIL
After second reboot pass
Thank you very much
jkmaxfli said:
Please download link to Safetynet Fix Zygisk version.
Thanks
Click to expand...
Click to collapse
It works! Thx alot
Hi! This method still works! Thanks for info! (MI11, Android 12, xiaomi.eu MIUI 13 stable ROM)
G.
3zozHashim said:
1- Enable Zygisk (by enabling Zygisk, riru will be disabled)
2- Remove Universal Safetynet Fix
3- Enable "Enforce DenyList"
4- "Configure Denylist" > "Show system apps" > "Google Play Services" > enable gms and gms unstable
5- Reboot
6- Install Universal Safetynet Fix Zygisk version
7- Reboot
Click to expand...
Click to collapse
I love you! this worked perfectly.