Related
Tab S4 stock cleanup actions
phablet guide fest continues V30->Note9->6T->Mi9->S10->7T->Tab S6->Tab S4, time to provide some thoughts, easy to click links and guides. Goal is to have a clean device after each update, and have a helper script running at boot or on demand. This is a tablet, we want to achieve flat battery graphs when it is unused (picture attached), hopefully charge once a week with slight usage.
Debloat
What the script does:
* choose 8 categories of app removal, in the beginning of the file
for each say 0=skip 1=remove 2=revert back
* use more switch to disable some questionable/helpful stuff
* disable up to 80 apps with possibility to revert back
* remove usage access for google (do manually)
* remove device admin backdoor "Find My Mobile", you won't recover stolen device this way lol, it doesn't work with Secure Startup! it's useful for Govt.
* remove proca (which was slowing down tablet after rooting), if it doesn't work from your shell, edit the file as below
Tested ok on March stock Pie firmware. Samsung has too much bloatware installed, and requires shocking permissions to run some basic services. We will further need to reclaim privacy. As for debloat list, i've cooked the list based on knowledge of each process, its current presence in the Pie firmware, and what would fit the tablet usage. In this case, i'm leaving Samsung account, Galaxy shop and few pen apps and we assume XPrivacy is sending these snitch services bogus personal details.
Download: (file attached)
Installation:
- run in su terminal once or add to any startup script (3C\Device mgr\Scheduler can assign scripts from /storage/emulated/0/Android/data/ccc71.at/scripts), or to magisk
Rooting
We want encryption. There are no ROMs, and TWRP can be used for many other tasks without access to your files.
OEM unlock in dev settings
when turned off and rather plugged it to your PC with drivers installed, hold Power & Vol+ & Vol- til you see download screen, confirm with Vol+
in ODIN, slap TWRP into AP while "Auto reboot" is unchecked
hold Power & Vol- to exit download mode, then Power & Vol+ to enter recovery
in TWRP, slap kernel and Magisk into tablet from SD card or USB (can be usb flash, can be other mobile, can be adb)
in TWRP, say boot to system and wait 5min
check Magisk app status, enable USB debugging in dev settings
kernel: WETA recovery: TWRP 3.3.1 for PIE SM-T83x
watch kernel log for 20sec
Code:
dmesg -Tw|grep proca
if proca messages appear open /vendor/etc/init/pa_daemon_qsee.rc and comment the lines
You should enable "Secure startup" in "Biometrics and security" settings. Recovery should fail reading encrypted drive sda27 because of its crypto flags and logical mapping.
Which plugins to use
Similarly to Mi9, collecting what i think is useful to keep on stock rooted firmware.
Magisk plugins:
* Riru - Core, Riru - Ed Exposed -- brings XPosed to Pie. Need also installer. Make a choice SandHook/Yahfa bipolar release, i never found out which one is better.
* libsecure_storage companion -- helps us keep the bluetooth pairings
* (optional) YouTube Vanced black themed -- brings usable YouTube experience. Unfortunately it's now a horror to install (v15), but v14 from Magisk still works.
* (optional) Move certificates -- perhaps
* (impossible) QuickSwitch -- there's no pill but Samsung custom recents... oh how glad i am for it now! Android10 cancelled this fantastic Pie pill already and you can scroll apps in OneUI!
XPosed plugins:
* Xposed Edge Pro -- a must have and best plugin
* XPrivacy -- Screw the big brother. Must have of the century. Disabling analytics, tracking, telephony, network, identification for all visible apps and all Google and Samsung apps with some exceptions.
* Firefds kit -- so this is our main customization app irrelevant here: ..and enables the very important call recording, which is beutifully integrated into call history. Bye bye external apps. Also for Samsungs it forces Restart "recovery"
* (optional) Xposed Dex -- some tweaks
* (optional) afWall -- Problems with this firewall and some VPN clients for years. Using AdGuard now and happy. It can even control DNS, no need one of those paid lausy apps. This plugin should by disabled in Xposed.
* (optional) Exi for Swiftkey -- you can make Swiftkey great again, GBoard is still the best, Samsung keyboard is very good, but too tall and leaves gap in fullscreen mode
Root apps:
* TitaniumBackup -- a must since Android was born
* Adaway -- a must but with AdGuard not so.. but i use both
* AdGuard -- can filter more and can amend requests.. that's a game changer. You can have a efficient proxy when rooted.
* 3C toolbox -- too helpful not to pay for the biggest package
* (optional) Root Essentials -- a multitool, have a look
* (optional) MiXplorer -- best file manager, replaces spyware ES File explorer you had before. Edits root files comfortably even when other editors don't
* (optional) FolderSync -- best sync tool
Battery
Battery saving:
- tablet should not be neccessarily always connected, receive notifications, so why not keep it dead when the screen is off
- the key is to disable background network activity:
disable it overall by Medium Power Saving mode
disable background network for individual apps (there's "Allow background data usage" and also nice "Allow background activity" checkbox)
force it with 3C (Device Mgr\Profiler) or Adguard (App Management)
- can't see wifi switch.. to turn wifi off when screen off. no wifi scanning drainer or other "intelligent" bs functions there either. just "Hotspot 2" - turn off.
- nearby scanning should be off, what a useless function of finding unknown devices - once you pair the known, what's the sense? or you keep connection 10 new bt devices each week? just a drain and endless beacon
- location can be off, and again it can be scripted by turning on only when screen is on by 3C
- not installing {LSpeed, Naptime, Servicely, FDE, LKT, Universal GMS Doze, Sysconfig patcher} here
- no signifficant doze functions here {AOD, fp icon, dt2wake, raise2wake} to speak off
- we want battery to remain flat when screen off, last tablet i had could do -1% per week! let's do it here
Other
- i like tender boot screen indicating knox off status, no need to flash boot logos
- no boot keys needed like on Tab s6
- not using multidisabler as i'm on stock and i do want encryption on every device ever
- how to launch camera quickly?? still dind't find out
- don't be afraid to use another device (mobile) as USB drive.. this way you can restore your apps directly via TitaniumBackup without copying it first! also Smart Switch can be used from non-Samsung phones, but it is as weak as Google backup ever was - no data restore
What do you do to run this exactly?
copy the file to storage. open su terminal. Get any root terminal app (ConnectBot, 3C Toolbox, or adb shell) and run as root. I run this script as autostart on each of my devices.
wifi_standby_test: first battery standby test: 37 hours to 91%, i've 'charging protection' so approx 93% that give us 0.19%/hr drain with wifi and bluetooth on. 10x less then a mobile (S10). Good start, nice 3 weeks of standby potential, but let's try medium power saving mode to squeeze it to over month of standby.
Will i loose my data while rooting? Im on Build number PPR1.180610.011.T835DDS4BSL2
doggydog2 said:
Tab S4 stock cleanup actions
phablet guide fest continues V30->Note9->6T->Mi9->S10->7T->Tab S6->Tab S4, time to provide some thoughts, easy to click links and guides. Goal is to have a clean device after each update, and have a helper script running at boot or on demand. This is a tablet, we want to achieve flat battery graphs when it is unused (picture attached), hopefully charge once a week with slight usage.
Debloat
What the script does:
* choose 8 categories of app removal, in the beginning of the file
for each say 0=skip 1=remove 2=revert back
* use more switch to disable some questionable/helpful stuff
* disable up to 80 apps with possibility to revert back
* remove usage access for google (do manually)
* remove device admin backdoor "Find My Mobile", you won't recover stolen device this way lol, it doesn't work with Secure Startup! it's useful for Govt.
* remove proca (which was slowing down tablet after rooting), if it doesn't work from your shell, edit the file as below
Tested ok on March stock Pie firmware. Samsung has too much bloatware installed, and requires shocking permissions to run some basic services. We will further need to reclaim privacy. As for debloat list, i've cooked the list based on knowledge of each process, its current presence in the Pie firmware, and what would fit the tablet usage. In this case, i'm leaving Samsung account, Galaxy shop and few pen apps and we assume XPrivacy is sending these snitch services bogus personal details.
Download: (file attached)
Installation:
- run in su terminal once or add to any startup script (3C\Device mgr\Scheduler can assign scripts from /storage/emulated/0/Android/data/ccc71.at/scripts), or to magisk
Rooting
We want encryption. There are no ROMs, and TWRP can be used for many other tasks without access to your files.
OEM unlock in dev settings
when turned off and rather plugged it to your PC with drivers installed, hold Power & Vol+ & Vol- til you see download screen, confirm with Vol+
in ODIN, slap TWRP into AP while "Auto reboot" is unchecked
hold Power & Vol- to exit download mode, then Power & Vol+ to enter recovery
in TWRP, slap kernel and Magisk into tablet from SD card or USB (can be usb flash, can be other mobile, can be adb)
in TWRP, say boot to system and wait 5min
check Magisk app status, enable USB debugging in dev settings
kernel: WETA recovery: TWRP 3.3.1 for PIE SM-T83x
watch kernel log for 20sec
Code:
dmesg -Tw|grep proca
if proca messages appear open /vendor/etc/init/pa_daemon_qsee.rc and comment the lines
You should enable "Secure startup" in "Biometrics and security" settings. Recovery should fail reading encrypted drive sda27 because of its crypto flags and logical mapping.
Which plugins to use
Similarly to Mi9, collecting what i think is useful to keep on stock rooted firmware.
Magisk plugins:
* Riru - Core, Riru - Ed Exposed -- brings XPosed to Pie. Need also installer. Make a choice SandHook/Yahfa bipolar release, i never found out which one is better.
* libsecure_storage companion -- helps us keep the bluetooth pairings
* (optional) YouTube Vanced black themed -- brings usable YouTube experience. Unfortunately it's now a horror to install (v15), but v14 from Magisk still works.
* (optional) Move certificates -- perhaps
* (impossible) QuickSwitch -- there's no pill but Samsung custom recents... oh how glad i am for it now! Android10 cancelled this fantastic Pie pill already and you can scroll apps in OneUI!
XPosed plugins:
* Xposed Edge Pro -- a must have and best plugin
* XPrivacy -- Screw the big brother. Must have of the century. Disabling analytics, tracking, telephony, network, identification for all visible apps and all Google and Samsung apps with some exceptions.
* Firefds kit -- so this is our main customization app irrelevant here: ..and enables the very important call recording, which is beutifully integrated into call history. Bye bye external apps. Also for Samsungs it forces Restart "recovery"
* (optional) Xposed Dex -- some tweaks
* (optional) afWall -- Problems with this firewall and some VPN clients for years. Using AdGuard now and happy. It can even control DNS, no need one of those paid lausy apps. This plugin should by disabled in Xposed.
* (optional) Exi for Swiftkey -- you can make Swiftkey great again, GBoard is still the best, Samsung keyboard is very good, but too tall and leaves gap in fullscreen mode
Root apps:
* TitaniumBackup -- a must since Android was born
* Adaway -- a must but with AdGuard not so.. but i use both
* AdGuard -- can filter more and can amend requests.. that's a game changer. You can have a efficient proxy when rooted.
* 3C toolbox -- too helpful not to pay for the biggest package
* (optional) Root Essentials -- a multitool, have a look
* (optional) MiXplorer -- best file manager, replaces spyware ES File explorer you had before. Edits root files comfortably even when other editors don't
* (optional) FolderSync -- best sync tool
Battery
Battery saving:
- tablet should not be neccessarily always connected, receive notifications, so why not keep it dead when the screen is off
- the key is to disable background network activity:
disable it overall by Medium Power Saving mode
disable background network for individual apps (there's "Allow background data usage" and also nice "Allow background activity" checkbox)
force it with 3C (Device Mgr\Profiler) or Adguard (App Management)
- can't see wifi switch.. to turn wifi off when screen off. no wifi scanning drainer or other "intelligent" bs functions there either. just "Hotspot 2" - turn off.
- nearby scanning should be off, what a useless function of finding unknown devices - once you pair the known, what's the sense? or you keep connection 10 new bt devices each week? just a drain and endless beacon
- location can be off, and again it can be scripted by turning on only when screen is on by 3C
- not installing {LSpeed, Naptime, Servicely, FDE, LKT, Universal GMS Doze, Sysconfig patcher} here
- no signifficant doze functions here {AOD, fp icon, dt2wake, raise2wake} to speak off
- we want battery to remain flat when screen off, last tablet i had could do -1% per week! let's do it here
Other
- i like tender boot screen indicating knox off status, no need to flash boot logos
- no boot keys needed like on Tab s6
- not using multidisabler as i'm on stock and i do want encryption on every device ever
- how to launch camera quickly?? still dind't find out
- don't be afraid to use another device (mobile) as USB drive.. this way you can restore your apps directly via TitaniumBackup without copying it first! also Smart Switch can be used from non-Samsung phones, but it is as weak as Google backup ever was - no data restore
Click to expand...
Click to collapse
Bro. Is it possible to do this without losing data?
mayank_nigam said:
Will i loose my data while rooting? Im on Build number PPR1.180610.011.T835DDS4BSL2
Click to expand...
Click to collapse
backup, try and let us know the reason why usual root methods wipe data is to remove encryption, we don't need that.
doggydog2 said:
backup, try and let us know the reason why usual root methods wipe data is to remove encryption, we don't need that.
Click to expand...
Click to collapse
So if we do it without turning oem unlock, will it work?
---------- Post added at 04:41 PM ---------- Previous post was at 04:26 PM ----------
doggydog2 said:
backup, try and let us know the reason why usual root methods wipe data is to remove encryption, we don't need that.
Click to expand...
Click to collapse
Any suggestions on backup method?
mayank_nigam said:
So if we do it without turning oem unlock, will it work?
Click to expand...
Click to collapse
ah i see... you need this checkbox unlocked to flash. this device will wipe itself if you just toggle the checkbox. so in the end, data will be wiped in transition from unrooted state.
and regarding backup, just conventional methods like google backup or deeper cable backup by Helium which can partially substitute TitaniumBackup on unrooted device.
How did you get Weta running on the March firmware when it isn't supported?
NM, I see you just used the kernel part.
Running this script did very little for me - no options were given, just a few packages disabled before it errored out
Thank you for the script! It made a great difference on my tab s4, I was able to enable back Chrome and Google.
My device was lagging before... Thanks again for the write up...
Any suggestions on installing apps to sd card? The option under dev options, to force install apps to sd card is not really good.
I just purchased a refurb Tab S4, it should be arriving over the weekend. The seller notes that the S4 is on Oreo.
I noticed references to Pie here. Should boot and I let the tablet update to the latest release from Samsung, and then root / debloat as described in this thread after the Pie update?
¿GotJazz? said:
I just purchased a refurb Tab S4, it should be arriving over the weekend. The seller notes that the S4 is on Oreo.
I noticed references to Pie here. Should boot and I let the tablet update to the latest release from Samsung, and then root / debloat as described in this thread after the Pie update?
Click to expand...
Click to collapse
My Tab S4 arrived today. Should I allow any updates from Samsung be installed before I run through the rooting process described here, or should I do the rooting before getting the Samsung updates?
¿GotJazz? said:
My Tab S4 arrived today. Should I allow any updates from Samsung be installed before I run through the rooting process described here, or should I do the rooting before getting the Samsung updates?
Click to expand...
Click to collapse
yes..why rooting an old version.. no OTAs later so you'd have to update manually again.
doggydog2 said:
yes..why rooting an old version.. no OTAs later so you'd have to update manually again.
Click to expand...
Click to collapse
Thanks!
But, as it turns out ... I won't be able to root or debloat anyways. I purchased a refurb Tab S4 that appears to be in excellent like-new shape, but it was also mislabeled on Amazon.
Instead of getting a SM-T830, I received a SM-T837T (T-Mobile version). I plan on getting it unlocked so that I can use it on AT&T, but from what I understand, it's unrootable.
Thanks, tho!
¿GJ?
doggydog2 said:
yes..why rooting an old version.. no OTAs later so you'd have to update manually again.
Click to expand...
Click to collapse
I was wondering about this. So there is no way to update once rooted, other than a full clean flash and start again?
ghoulie said:
I was wondering about this. So there is no way to update once rooted, other than a full clean flash and start again?
Click to expand...
Click to collapse
later use Frija to get new firmware and update. cleaning is only on first root as we can't avoid it when switching the OEM lock.
This thread is really one of the best thread for tab S4
Thanks for that
Sent from my SM-T830 using Tapatalk
Question, now that 10 is out will you update the OP, some things change.
I am not sure things like exposed can be update? Tried and get some reboot.
Proca not present and other things.
Thank you for your work
Sent from my SM-T830 using Tapatalk
Looks like it is not working anymore on Android 10:
https://forum.xda-developers.com/galaxy-tab-s4/development/rom-t4137013
Is there some way to get back MagiskHide functionality now that it's not supported in core?
I have 23016 installed (for latest p6xl)
Fry-kun said:
Is there some way to get back MagiskHide functionality now that it's not supported in core?
I have 23016 installed (for latest p6xl)
Click to expand...
Click to collapse
It's unnecessary as zygisk works fine to hide apps.
Ooh, I will try that!
Fry-kun said:
Is there some way to get back MagiskHide functionality now that it's not supported in core?
I have 23016 installed (for latest p6xl)
Click to expand...
Click to collapse
In addition to what @jlokos said about using the deny list, the Alpha version of Magisk by vvb2060 still has the Magisk Hide function I believe. Just another option...
Lughnasadh said:
In addition to what @jlokos said about using the deny list, the Alpha version of Magisk by vvb2060 still has the Magisk Hide function I believe. Just another option...
Click to expand...
Click to collapse
I have SafetyNet fix & Zygisk denylist, and it's working for Play store.
It looks like some apps are not happy with Zygisk, though, namely amazon app store (appears to detect root)
Will try vvb2060's, is this it?
Further fix `oplus.fstab` support · vvb2060/[email protected]
A Magic Mask to Alter Android System Systemless-ly - Further fix `oplus.fstab` support · vvb2060/[email protected]
github.com
Hmm not quite, not sure if it includes that yet this one doesn't but the code is in master, looking around
Fry-kun said:
I have SafetyNet fix & Zygisk denylist, and it's working for Play store.
It looks like some apps are not happy with Zygisk, though, namely amazon app store (appears to detect root)
Will try vvb2060's, is this it?
Further fix `oplus.fstab` support · vvb2060/[email protected]
A Magic Mask to Alter Android System Systemless-ly - Further fix `oplus.fstab` support · vvb2060/[email protected]
github.com
Hmm not quite, not sure if it includes that yet this one doesn't but the code is in master, looking around
Click to expand...
Click to collapse
This is the latest (from Telegram group). Join the Telegram group to keep up with latest. Can't give a link b/c it's not allowed.
Latest seems to include the MagiskHide cleanup, and amazon appstore is detecting root
Did you clear data and cache of the ama appstore?
stroke55 said:
Did you clear data and cache of the ama appstore?
Click to expand...
Click to collapse
Yup
Edit: and there are no extra settings for MagiskHide, how is this supposed to be different?
I installed Jeff's crappy appstore, selected it in Magisk Alpha's 23016 hiding list, was able to start it without any root-detection-message and uninstalled it instantly thereafter So it should work. What do mean by extra settings for Magisk hide? I just selected it in the hiding list.
To clarify, the app store starts but hides some apps if it detects root.
Play store does the same if it detects root (currently doesn't, thanks to safety net fix). For instance, Netflix, Pokemon Go, etc..
Also noticed Netflix & such are unable to start with "Sign in ... with your saved password" flashing like crazy & unable to actually sign in.
logcat says
12-16 21:31:18.375 1505 3393 W InputManager-JNI: Input channel object 'aeeda26 com.google.android.gms/com.google.android.gms.auth.api.credentials.assistedsignin.ui.AssistedSignInActivity (client)' was disposed without first being removed with the input manager!
This is very likely a different issue... but present with 23016 canary.
Maybe I should try to reflash & try fresh
Fry-kun said:
Is there some way to get back MagiskHide functionality now that it's not supported in core?
I have 23016 installed (for latest p6xl)
Click to expand...
Click to collapse
Hmm ... you must have done something wrong ... hiding works fine for me. I would suggest to:
- remove all magisk modules (and reboot)
- re-patch boot.img and download to PC
- in the Magisk app, click 'Magisk deinstall
- reboot (no root now)
- reboot to bootloader
- flash patched boot.img
- reboot
- re-install Magisk app, 'hide' the app in settings
- enable zygisk
- configure denylist, make sure that when you select an app you also select ALL services underneath it for hiding
- install USNF 2.2.0
Now check your root detection apps, they should work.
Netflix should also work (clear cache for Play Store and Google Play-services)
All is working fine for me.
I just factory reset, reinstalled magisk, added a plain account (no copy apps from old phone), enabled zygisk, added USNF, hid magisk.
Installed YASNAC (passed), reset storage for Play Store (device is now certified), installed Netflix.
Added Netflix to denylist, reset Netflix storage.
Opening Netflix -- still infinite loop of gray "Sign in ... with your saved password" at the bottom.
Pixel 6 Pro, sq1d firmware. Magisk canary (23016)
Aside, adding Google Play-services to denylist doesn't survive a reboot. There are "denylist rm" entries in the log after safetynet-fix, maybe it removes those..?
Fry-kun said:
I just factory reset, reinstalled magisk, added a plain account (no copy apps from old phone), enabled zygisk, added USNF, hid magisk.
Installed YASNAC (passed), reset storage for Play Store (device is now certified), installed Netflix.
Added Netflix to denylist, reset Netflix storage.
Opening Netflix -- still infinite loop of gray "Sign in ... with your saved password" at the bottom.
Pixel 6 Pro, sq1d firmware. Magisk canary (23016)
Aside, adding Google Play-services to denylist doesn't survive a reboot. There are "denylist rm" entries in the log after safetynet-fix, maybe it removes those..?
Click to expand...
Click to collapse
You should not add Google play services to denylist !
Then clear Netflix cache again, reboot ... try again ...
foobar66 said:
You should not add Google play services to denylist !
Then clear Netflix cache again, reboot ... try again ...
Click to expand...
Click to collapse
I tried it with no Play Services, and clearing Netflix storage, same thing.
This is happening specifically when my google account is on the phone and it has a saved Netflix login info.
Also tried with SD1A fw from Nov., same thing.
I tried removing the saved pw - everything is fine, Netflix works.
Re-saved the pw after logging in, logged out & opened Netflix again -- same issue (see attached)
In other words, it's not really Netflix that's the problem...
Fry-kun said:
I tried it with no Play Services, and clearing Netflix storage, same thing.
This is happening specifically when my google account is on the phone and it has a saved Netflix login info.
Also tried with SD1A fw from Nov., same thing.
I tried removing the saved pw - everything is fine, Netflix works.
Re-saved the pw after logging in, logged out & opened Netflix again -- same issue (see attached)
In other words, it's not really Netflix that's the problem...
Click to expand...
Click to collapse
When you log out of Netflix (from within the app; click profile icon upper right; then 'log out') do you then get the app's login screen? If yes, can you log in properly on that screen?
Only other suggestion which I have is: log out of Netflix from a browser/web. Remove your Netflix password from your Google account (also on the web). Login on Netflix (browser), save password again in your Google account. Then try again on Android/phone.
Will try..
Meanwhile, apparenly Amazon app may just be garbage: https://www.theverge.com/2021/12/1/22811710/amazon-android-12-appstore-drm-issues
Fry-kun said:
Will try..
Meanwhile, apparenly Amazon app may just be garbage: https://www.theverge.com/2021/12/1/22811710/amazon-android-12-appstore-drm-issues
Click to expand...
Click to collapse
Amazon app works for me, just ordered Spigen cover, screen protector and lense protector all from Spigen on Amazon.
My banking app dont even like developer settings enabled or root or root hiding at all, can even see i have bootloader unlocked, so i am forced to live with no root through.
Fry-kun said:
Will try..
Meanwhile, apparenly Amazon app may just be garbage: https://www.theverge.com/2021/12/1/22811710/amazon-android-12-appstore-drm-issues
Click to expand...
Click to collapse
I had a heck of a time with the Amazon app but it didn't have anything to do with root. Was adaway. Had to run the log and white list a few things now it's good to go.
UnifiedNlp enabler for stock ROM (Magisk module)What's this and what does it do?
It's a Magisk module. You need to have Magisk working to use it. This thread can help with that.
It installs UnfiedNlp 1.6.8 as a system app and also does the magic that allows it to work as a location provider alongside Google Apps (aka GApps).
I've only tested it on the stock Sony ROM (firmware 62.0.A.3.163 to be more exact). Reports of whether it works on other versions are welcome.
It can in theory work on other ROMs but it depends a lot on the ROM. ROM variations is actually what makes it so fiddly and why such a deceptively simple module is so hard to find for your device. I don't intend to install other ROMs to test it but again reports are welcome. Please see below for explanations about how it works if you want to tackle it.
No but seriously, what's UnifiedNlp and why do I care?Your location provider (on a stock ROM from an established vendor like Sony) is Google. Elephant in the room, Google spies on you. They watch your location 24/7 and they learn things about you: where you work, where you live, where you shop, where you go to school, where you go in your spare time. They use this information to serve you ads. All vendors that want to be able to carry the Android trademark and be friends with Google are forced to put Google's location provider on their phone.
But Android actually has the ability to install multiple location providers, and switch them on and off at will. Except most stock ROMs come with this ability deactivated.
UnifiedNlp is an open source location provider with very cool features. It uses modules which let you use more privacy-oriented location services when you're online, and also let you determine your location offline, which gives you better privacy and also is very useful when you don't have a data connection. This Magisk module installs UnifiedNlp and tells the stock Sony ROM to let you use it.
But GPS already works fine on my phoneThis isn't about GPS. Every phone/ROM has built-in GPS as a basic location provider. GPS doesn't depend on Google or anything else. You either get direct visibility to 4+ GPS satellites or you don't, and the AGPS (Assisted GPS) data that speeds up GPS fix is freely available online.
This is about being able to use WiFi spots and mobile cell towers for location. This works faster than GPS and also works indoors.
In order to use something to determine your location you need to know its position. The positions of GPS satellites are well known, but the positions of wifi spots and cell towers isn't. To get those positions you need to go to someone who has walked all around your street and has used GPS to determine the exact position of the spots and towers.
Google has cars that go everywhere in the world doing that, but every time you ask Google for this information they also use your location to track you. This module will give you access to that information from sources other than Google.
How do I use this?
Install UnifiedNlp:
Download the attached ZIP on your phone (preferably under Download/).
Open Magisk, go to the modules tab, hit "install from storage" and pick the ZIP, then reboot.
After reboot you should have a UnifiedNlp system app installed. Some launchers will show it in their app drawer or even put it directly on the home screen for you, but regardless you can always open it from Settings > Location > Advanced >UnifiedNlp Settings. If it's not in the settings something is wrong.
Open UnifiedNlp settings and hit "Self Check".This gives you a screen with several checkmarks that should be on so everthing will work fine:
Permissions check: most of this will have been taken care of by the Magisk module, but you still need to tap it at least once. Grant location access if prompted.
Android version supported: will most likely never be checked, but like it says it doesn't mean much.
System supports this location provider: must be already checked. If it isn't, reboot once more after you've granted the location permission.
UnifiedNlp is registered in system: same as above, must be already checked. If it isn't, try a reboot. If this and the above check still don't enable something is wrong and this module doesn't seem to work on your ROM. See below for possible tinkering solutions.
Location backends set up: this will only become enabled after you install some modules. It's ok if it's off for now.
Network based location enabled: if this isn't checked, go to Settings > Location > Advanced > Google Location Accuracy and turn it on. In spite of the name it has nothing to do with Google, this enables/disables the use of wifi and mobile cells for location.
The last two checks ("has known location" and "provides location updates") may or may not show a check, but it doesn't matter, the real test will be getting your apps to work.
Install some modules. UnifiedNlp won't do anything without them. If you have F-Droid installed you can get these modules from it, otherwise you can grab the APKs from the F-Droid website.
NominatimNlpBackend: this is a must-have. It's an address backend, not a location backend. It matches a position to a postal address (city, street, number, that sort of thing).
MozillaNlpBackend or Apple UnifiedNlp Backend: at least one of these must be installed. These are the main location providers, equivalent to Google's. They need a data connection. They send information about nearby wifi spots and cell towers to Mozilla or Apple, and they get back an exact position. Both work equally well. Apple's has slightly higher precision, but Mozilla's privacy policy is better.
Modules below this point are optional. If you just wanted UnifiedNlp to be functional you can skip them, but they can be very useful when you don't have a data connection.
Deja Vu: when you have a GPS fix, this module saves/updates the position of nearby wifi spots and cell towers. When you don't have a GPS fix, it uses previously saved spot/tower positions to give you an approximate location. Doesn't need a data connection, doesn't need you to do anything, and it never needs any external service.
GSM Location Service: this module will offer to download a database of cell tower locations for your area. Then it will use it to determine your location based on cell towers detected nearby. Only needs data connection for the initial database download or for updates, after that it works offline.
WiFi Location Service: same as above, but for wifi spots.
After you install a module you must activate it in the UnifiedNlp settings, under "Configure location backends" or "Configure address backends".
Some of them may have additional settings available in there (gear icon). The GSM and WiFi location modules will need you to indicate your area and download a database.
If you can't enable location modules you've most likely missed a step (Network based location enabled) in Self-check.
If you're using XPrivacyLua you may want to either extempt these modules from restrictions or allow them location access.
Remember to grant Internet access in your firewall, if you have one, to the modules that need a data connection.
Verify that UnifiedNlp works:
Some app suggestions:
The NLP Test app lets you explicitly use "LM" (network-location like wifi/cells) or "GMS" (GPS) and also shows you lots of useful information, accuracy, different map markers for high/low precision etc.
The Gmaps WV app is a lightweight alternative to the Google Maps app (it uses the Google Maps website wrapped in a webview).
The OsmAnd app is a feature-rich map and navigation app that uses open map data from sources completely independent from Google.
The GPS Test app by Chartcross is very good for checking whether you're getting a GPS signal or not.
For testing that network-based location works you want to be indoors and you want GPS positioning to not work.
Disable all location modules in UnifiedNlp and check that NLP Test can't determine "LM" location.
Enable only one module, Mozilla or Apple, and check that NLP Test can get a "LM" location and also what accuracy you get.
The following tests are optional and results will also vary depending on your area and what cell/wifi coverage you get.
Enable only one module in turn between the GSM or WiFi service and see if you can get a "LM" fix with it.
Activate Mozilla or Apple module and Deja Vu, get a GPS fix, wait a minute or two, go indoors, check that you no longer get a GPS fix, disable Mozilla/Apple, and see if you get a "LM" fix in NLP Test with just the Deja Vu module activated.
I don't like it, how do I uninstall and go back to Google location?
Uninstall the module in Magisk and reboot. That's it.
Optionally you can uninstall the UnifiedNlp modules. They don't do anything without UnifiedNlp. Consider keeping them in case you change your mind and reinstall UnifiedNlp later. If you uninstall the modules you also lose the databases that they've created and you'll have to re-download them or let them recreate them (in Deja Vu's case).
How does this work (and how can I make it work on other ROMs)?There are three things needed to make this work:
The UnifiedNlp app needs to be installed as a system app in /system/priv-app/UnifiedNlp/UnifiedNlp.apk. You want the version with GAPPS. Can get it from F-Droid or GitHub.
UnifiedNlp (org.microg.nlp) needs a bunch of system-level permissions. They can be granted manually, but the more elegant method is to put them in /system/etc/permissions/org.microg.nlp.xml.
Overwrite several location provider-related settings in framework-res.apk by using Runtime Resource Overlays (RROs), to allow UnifiedNlp to act as location provider.
Which packages are allowed to act as a location provider is set inside framework-res.apk in the config_locationProviderPackageNames array. This array typically only lists Google packages and org.microg.nlp needs to be added in there. There's also some string settings that indicate the "master" location provider which need to be set to org.microg.nlp.
In the olden days the only way to do this was to unpack framework-res.apk, modify the values, repack it with a custom signature, put it back on the ROM and hope for the best. Often this would fail if the ROM was checking that the apk was not tampered with.
At some point a better method came along: RROs. These are APKs that overwrite values in framework-res.apk. Sounds pretty simple, but it's complicated by the fact that different ROMs have different rules about what overlays can overwrite what settings. The Xperia 10 III (XQ-BT52) /system/build.prop gives the following priority order for RRO locations: odm,vendor,product,system_ext,system. Therefore this module installs the /system/product/overlays/UnifiedNlpOverlay/UnifiedNlpOverlay.apk RRO.
You will need to accomplish all three things above to make this work on another ROM. The 3rd one is the tricky one because there are multiple places where a RRO can go and not all of them work. Some custom ROMs already take care of step 3 for you. Otherwise, check the documentation I linked. You may want to try other dirs instead of /system/product (alternatives are listed in the docs). Or you may need to change the overlay XML files, in which case it gets more complicated, and you'll also need apktool to unpack and repack the overlay.
Credits
The microg project for making UnifiedNlp.
TontyTon for the overlay.
Misaka4e21 for the Magisk module and the permissions XML.
I added the UnifiedNlp.apk to the module and figured out where the overlay needs to be placed on the stock Sony ROM to make it work.
Doesn't seem to install in Magisk. But I'm very interested in this module though ideally I'd want stock rom with microg.
lufei said:
Doesn't seem to install in Magisk. But I'm very interested in this module though ideally I'd want stock rom with microg.
Click to expand...
Click to collapse
What version of Magisk are you using? I'm on v24. Are you getting any errors, or are you just not seeing the zip in the Magisk installer?
wirespot said:
What version of Magisk are you using? I'm on v24. Are you getting any errors, or are you just not seeing the zip in the Magisk installer?
Click to expand...
Click to collapse
When trying to install the zip in Magisk I just get "copying zip to temp directory ! Unzip error" installing other modules work and I use Magisk 24.2
Can you also check that the zip was downloaded correctly? You can do this with md5sum from a terminal or adb shell, it should have checksum a54c4de46ecdbb228c496c59bc2cf275.
You can also try to install the zip from the command line like this: magisk --install-module filename.zip
Found the problem, I was putting the files inside another directory instead of putting them directly in the root of the zip. I've swapped the attachment in the first post with a correct file. Added a MD5 in the filename too, just in case. Thanks @lufei !
wirespot said:
Found the problem, I was putting the files inside another directory instead of putting them directly in the root of the zip. I've swapped the attachment in the first post with a correct file. Added a MD5 in the filename too, just in case. Thanks @lufei !
Click to expand...
Click to collapse
Now it installs and I was able to get all boxes checked, let's see how it works!
Thank you for the detailed explanation.
The topic of finding a location provider other than Google had interested me for a long time.
Until now, however, I had not yet dealt with it.
With this excellent tutorial I am now not only wiser, but can also confirm that everything as described also runs with the LOS18.1 GSI Rom and latest Sony Firmware.
Don't know if it's the GSI lineageOS or because I flashed the OpenGapps via Magisk, but I had trouble getting the current location in certain apps via both "LM" and "GMS".
The error was exactly as described here:
No GPS fix for most apps
With the solution described there, the problem could then be solved:
Code:
adb shell pm grant com.google.android.gms android.permission.ACCESS_COARSE_LOCATION
adb shell pm grant com.google.android.gms android.permission.ACCESS_FINE_LOCATION
Do you still get a LM fix if you disable all location modules in UnifiedNlp, or if you disable this Magisk module? Because I suspect you're actually using the Google location provider.
This Magisk module relies on the assumption that the UnifiedOverlay.apk file is placed in a location that will override the values provided by /system/framework/framework-res.apk. For the stock ROM it seems to work with /system/product but if that's not true for Lineage you may want to try modifying the zip and also copying system/product/overlay as system/vendor/overlay, system/oem/overlay, system/odm/overlay, system/system_ext/overlay and system/overlay.
wirespot said:
Do you still get a LM fix if you disable all location modules in UnifiedNlp
Click to expand...
Click to collapse
No, if I disable the location modules LM fix is not possible anymore.
psychofaktory said:
No, if I disable the location modules LM fix is not possible anymore.
Click to expand...
Click to collapse
Ah that's cool then. It's interesting that it requires .gms to also have location rights even if it's not using it. I guess as long as it's installed and listed as an official location provider it needs to have the permissions that go with it too.
@wirespot
Is there anything against using this Magisk module on a device other than the Xperia 10 III?
It won't break anything, it just won't work if the folders aren't good. UnifiedNlp settings will complain that the service could not be registered.
See post #10 for a list of folders. If it doesn't work as is, duplicate the system/product folder with all those other names, repack the zip, and try with that.
What ROM are you planning to try it on?
wirespot said:
What ROM are you planning to try it on?
Click to expand...
Click to collapse
Offical LineageOS 18.1 von Sony Xperia XA2 an unofficial LineageOS 18.1 on Xiomi Mi 9 lite.
On LineageOS you don't need the overlays (so none of the /system/*/overlay/* files or dirs) because its framework-res.apk already allows you to use UnifiedNlp (it lists org.microg.nlp as an approved location provider). This actually solves a major headache.
You can still use a Magisk module to install the UnifiedNlp apk to /system/priv-app and the permissions file to /etc/permissions/ systemlessly if you want (as opposed to actually mounting the root partition read-write and copying them there). This makes it easier for these modifications to survive LineageOS updates. (If you need to install them physically you will either need to copy them again after every update, or you can use a script that protects them during updates as described here.)
Please note that the actual apk you need to install depends on whether you install with Gapps or without. My module is made for a stock Sony ROM with Google Apps so of course there's already a location provider from Google (com.google.android.gms), so I need to use the UnifiedNlp.apk, package name org.microg.nlp, which is designed to work alongside Gapps. If you plan on installing Gapps on LineageOS then you need to do the same so you can use my module with just the */overlay/* stuff removed.
If you plan to use LineageOS without Gapps then you need to get the NetworkLocation.apk version of UnifiedNlp, which has package name same as the original Google package (com.google.android.gms). You will need to replace /system/priv-app/UnifiedNlp/UnifiedNlp.apk with /system/priv-app/UnifiedNLP/NetworkLocation.apk in the module zip, and also edit /system/etc/permissions/org.microg.nlp.xml and change the package name from "org.microg.nlp" to "com.google.android.gms". (The actual file name of the .xml doesn't matter, the system loads all the .xml files in that dir anyway, but you can change that too if you want to be tidy.)
Thank you very much for your answer.
Whenever possible, I prefer the systemless variant.
Therefore, your Magisk module would be a good way.
For all LineageOS installations I have installed the OpenGApps.
That means I simply remove the system\product\overlay\ folder and its contents from the zip file and can then flash the module directly with Magisk?
Is it enough to adjust the values in the module.prop to change the display name of the module, or is there anything else that needs to be considered here?
Tried with the steps I described in my post above.
Everything worked so far.
Except UnifiedNlp didn't register in system.
What's wrong with my setup?
Does it say "system supports location provider" in UnifiedNlp self-check?
Two common gotchas:
In the Self-check list, tap "permission to access location" at least once. It may be needed to grant additional location permission.
Make sure that using network-based location is enabled in the settings. I don't know what it's called on Lineage. On stock ROM it's called "Google location accuracy" which of course isn't useful.
Reboot once after doing all of the above.
Wait a couple of minutes after restart before you do Self-check, sometimes it takes a bit longer.
If none of this works try copying system/product/overlay as system/vendor/overlay, system/oem/overlay, system/odm/overlay, system/system_ext/overlay and system/overlay, in the zip, reinstall the module and reboot.
Self-check says that system supports location provider. Permissions are set and every mark is checked.
Network-based location is also active.
Phone was rebootet several times and I waited bevore testing with NLP TEST app.
I have created and installed a new ZIP file based on your recommendation. That seemed to did the trick.
Got a location wie LM NLP test. But far from my actually position.
But then I figured out, that the problem came from somewhere else:
Mozilla NLP gave me wrong Informations about my position. So I disabled it and enabled Apple NLP instead.
Since then everything works find.
If I see this correctly, the newly created Magisk module should then work on all LineageOS roms with GApps installed. Regardless of the device type.
Am I correct here?
Hello can u help me.
I am currently using POCO F3, there is an APP called SHOPEE PH. and i am banned in using that app.
i want to use the app again without Reset / install new custom rom.
i tried using apps like device changer, etc that mask device info but i am still banned. is there a way to mask the device info that will look like a new fresh one.
what modules in LPosed should i check for it to work on shopee. i already did some research
I suppose it is not device banned but root prevention. You use magisk and you should in the newest version :
- hide magisk by renaming it
- activate zygisk
- activate enforce denylist
- add your app to denylist
- install universal safety net fix
- install hidepropsconf , restart and set correct fingerprint in termux
- remove cache and data of your app (and for playstore and google play services)
- restart smartfon
You should have playstore certified and your app working.
Tomek0000 said:
I suppose it is not device banned but root prevention. You use magisk and you should in the newest version :
- hide magisk by renaming it
- activate zygisk
- activate enforce denylist
- add your app to denylist
- install universal safety net fix
- install hidepropsconf , restart and set correct fingerprint in termux
- remove cache and data of your app (and for playstore and google play services)
- restart smartfon
You should have playstore certified and your app working.
Click to expand...
Click to collapse
it is really device banned https://prnt.sc/vl8iY8qU8WwT
Try using any android device ID change app, probably will work as long as you have root permission
HI all. Keep in mind that I did my first root and install of Magisk this week for some gaming desires. I am a bit of a noob, but I had a blast learning about rooting. I was also encouraged because everything went pretty well and only took me around an hour.
Then I ran into a wall.
I use my Pixel 6 Pro to attend work meetings and track work form home or in my car. I had really grown to need this feature so I was a bit worried that I would have to reverse the root. So for the last 2-3 days I have been using trial and error and guides on how to hide banking apps. I saw so many threads that never resolved the teams issue or missed steps that I thought I would write up a detailed guide for what worked for me.
Keep in mind this is for Android 13 and a Google Pixel 6 Pro. This assumes you Rooted your phone and have latest Magisk installed as well.
Prep:
1. Go to Google Play Store settings and turn off automatic updating. I'm sure most people who use magisk do this anyway.
2. Go here https://en.uptodown.com/android/browsing and download older versions of Teams and Company portal. Not too old. You want something from just 2-3 months ago. If it is too old the phone won't let you install it but will put files on your phone that already know you're rooted.
3. Make sure you have the latest Universal Safty fix. You can run a scan to show if you meet the safety fix standard. Again I think the problem isn't safty fix so much as Company portal looks for an unlocked boot loader.
4. install Mgiskhide Props Config module and Android terminal from the play store. (You do this to put a legit looking device ID, or non unlocked bootloader ID - just encase your phone doesn't work, or has been previously detected). Its a simple process where you input some number options through android terminal to set the ID. Just follow the steps. AND MAKE SURE YOU DELETE TERMINAL AFTER YOU'RE DONE. They look for that.
GitHub - Magisk-Modules-Repo/MagiskHidePropsConf: This tool is now dead...
This tool is now dead... Contribute to Magisk-Modules-Repo/MagiskHidePropsConf development by creating an account on GitHub.
github.com
5. Use Magisk hide and rename Magisk to MYJOBSUCKS
Action:
1. install Shamiko https://github.com/LSPosed/LSPosed.github.io/releases/tag/shamiko-120
2. Reboot.
3. Make sure Zygisk is enabled.
4. Make sure Enforce Denylist is OFF (This seems nonsensical but Shamiko handles the enforcement now that it's installed. The Zygisk enforcement is a conflict.)
5. Go back and install Company portal and Teams. Don't do anything in either. Don't sign in. Don't configure. Don't open the apps.
6. Go back to Zygisk and open Configure Denylist. This, I feel, is the MOST important step that makes or breaks this process. Do the following in Denylist:
MAKE SURE YOU TOGGLE EVERYTHING not just the default hides. Each hide has a submenu and for sub processes to hide.
This is everything I had to deny to make it work:
Authenticator.
Carrier OMADM
Carrier provision service
Carrier services
Certificate installer
Com.andorid.angle
Companion device manager
device health service adaptor
device policy
Gpay
OemDMTrigger
Permission controller
TEAMS
Work setup
Company portal
Google play protect services
Google Play Store
*** I Believes the bottom 5 are the main ones - the rest I just guessed and may or may not impact things 100% *****
7. Sign into Teams.
8. This will force you to sign into Company portal. If it works - not much will happen because it will look like a legit non-rooted phone.
If it fails you'll have to setup your profile in Company portal and it always fails after a 5 step process and says DEVICE NOT HEALTHY) This means you didn't deny something or you didn't reboot or something. You also need to go into your google accounts and look for your work profile and delete it and uninstall teams and company portal - I think company portal leaves files that you want off so you have to start from scratch)
9. You should be able to join your work meetings and use teams.
Ongoing:
Make sure you never update teams or Company Portal.
I don't know if this works for other MS mobile apps because I don't check my mail on my phone - but I assume just adding them to the deny list would be the only step extra you need to take.
Thanks!!
For me it works without props config and with the latest version of MS Teams and the Intune portal app. Use Shamiko (latest), configure denylist but don't enable denylist in Magisk. Magisk is hidden (some banking app which I use checks the Magisk package name).
Guzzlor said:
HI all. Keep in mind that I did my first root and install of Magisk this week for some gaming desires. I am a bit of a noob, but I had a blast learning about rooting. I was also encouraged because everything went pretty well and only took me around an hour.
Then I ran into a wall.
I use my Pixel 6 Pro to attend work meetings and track work form home or in my car. I had really grown to need this feature so I was a bit worried that I would have to reverse the root. So for the last 2-3 days I have been using trial and error and guides on how to hide banking apps. I saw so many threads that never resolved the teams issue or missed steps that I thought I would write up a detailed guide for what worked for me.
Keep in mind this is for Android 13 and a Google Pixel 6 Pro. This assumes you Rooted your phone and have latest Magisk installed as well.
Prep:
1. Go to Google Play Store settings and turn off automatic updating. I'm sure most people who use magisk do this anyway.
2. Go here https://en.uptodown.com/android/browsing and download older versions of Teams and Company portal. Not too old. You want something from just 2-3 months ago. If it is too old the phone won't let you install it but will put files on your phone that already know you're rooted.
3. Make sure you have the latest Universal Safty fix. You can run a scan to show if you meet the safety fix standard. Again I think the problem isn't safty fix so much as Company portal looks for an unlocked boot loader.
4. install Mgiskhide Props Config module and Android terminal from the play store. (You do this to put a legit looking device ID, or non unlocked bootloader ID - just encase your phone doesn't work, or has been previously detected). Its a simple process where you input some number options through android terminal to set the ID. Just follow the steps. AND MAKE SURE YOU DELETE TERMINAL AFTER YOU'RE DONE. They look for that.
GitHub - Magisk-Modules-Repo/MagiskHidePropsConf: This tool is now dead...
This tool is now dead... Contribute to Magisk-Modules-Repo/MagiskHidePropsConf development by creating an account on GitHub.
github.com
5. Use Magisk hide and rename Magisk to MYJOBSUCKS
Action:
1. install Shamiko https://github.com/LSPosed/LSPosed.github.io/releases/tag/shamiko-120
2. Reboot.
3. Make sure Zygisk is enabled.
4. Make sure Enforce Denylist is OFF (This seems nonsensical but Shamiko handles the enforcement now that it's installed. The Zygisk enforcement is a conflict.)
5. Go back and install Company portal and Teams. Don't do anything in either. Don't sign in. Don't configure. Don't open the apps.
6. Go back to Zygisk and open Configure Denylist. This, I feel, is the MOST important step that makes or breaks this process. Do the following in Denylist:
MAKE SURE YOU TOGGLE EVERYTHING not just the default hides. Each hide has a submenu and for sub processes to hide.
This is everything I had to deny to make it work:
Authenticator.
Carrier OMADM
Carrier provision service
Carrier services
Certificate installer
Com.andorid.angle
Companion device manager
device health service adaptor
device policy
Gpay
OemDMTrigger
Permission controller
TEAMS
Work setup
Company portal
Google play protect services
Google Play Store
*** I Believes the bottom 5 are the main ones - the rest I just guessed and may or may not impact things 100% *****
7. Sign into Teams.
8. This will force you to sign into Company portal. If it works - not much will happen because it will look like a legit non-rooted phone.
If it fails you'll have to setup your profile in Company portal and it always fails after a 5 step process and says DEVICE NOT HEALTHY) This means you didn't deny something or you didn't reboot or something. You also need to go into your google accounts and look for your work profile and delete it and uninstall teams and company portal - I think company portal leaves files that you want off so you have to start from scratch)
9. You should be able to join your work meetings and use teams.
Ongoing:
Make sure you never update teams or Company Portal.
I don't know if this works for other MS mobile apps because I don't check my mail on my phone - but I assume just adding them to the deny list would be the only step extra you need to take.
Thanks!!
Click to expand...
Click to collapse
This solve my problem with my bank app thank you so much...!!!
foobar66 said:
For me it works without props config and with the latest version of MS Teams and the Intune portal app. Use Shamiko (latest), configure denylist but don't enable denylist in Magisk. Magisk is hidden (some banking app which I use checks the Magisk package name).
Click to expand...
Click to collapse
I'm not sure what was wrong but simply doing those steps did not work for me. I had to start from scratch and that's why I wrote all this up.
Guzzlor said:
HI all. Keep in mind that I did my first root and install of Magisk this week for some gaming desires. I am a bit of a noob, but I had a blast learning about rooting. I was also encouraged because everything went pretty well and only took me around an hour.
Then I ran into a wall.
I use my Pixel 6 Pro to attend work meetings and track work form home or in my car. I had really grown to need this feature so I was a bit worried that I would have to reverse the root. So for the last 2-3 days I have been using trial and error and guides on how to hide banking apps. I saw so many threads that never resolved the teams issue or missed steps that I thought I would write up a detailed guide for what worked for me.
Keep in mind this is for Android 13 and a Google Pixel 6 Pro. This assumes you Rooted your phone and have latest Magisk installed as well.
Prep:
1. Go to Google Play Store settings and turn off automatic updating. I'm sure most people who use magisk do this anyway.
2. Go here https://en.uptodown.com/android/browsing and download older versions of Teams and Company portal. Not too old. You want something from just 2-3 months ago. If it is too old the phone won't let you install it but will put files on your phone that already know you're rooted.
3. Make sure you have the latest Universal Safty fix. You can run a scan to show if you meet the safety fix standard. Again I think the problem isn't safty fix so much as Company portal looks for an unlocked boot loader.
4. install Mgiskhide Props Config module and Android terminal from the play store. (You do this to put a legit looking device ID, or non unlocked bootloader ID - just encase your phone doesn't work, or has been previously detected). Its a simple process where you input some number options through android terminal to set the ID. Just follow the steps. AND MAKE SURE YOU DELETE TERMINAL AFTER YOU'RE DONE. They look for that.
GitHub - Magisk-Modules-Repo/MagiskHidePropsConf: This tool is now dead...
This tool is now dead... Contribute to Magisk-Modules-Repo/MagiskHidePropsConf development by creating an account on GitHub.
github.com
5. Use Magisk hide and rename Magisk to MYJOBSUCKS
Action:
1. install Shamiko https://github.com/LSPosed/LSPosed.github.io/releases/tag/shamiko-120
2. Reboot.
3. Make sure Zygisk is enabled.
4. Make sure Enforce Denylist is OFF (This seems nonsensical but Shamiko handles the enforcement now that it's installed. The Zygisk enforcement is a conflict.)
5. Go back and install Company portal and Teams. Don't do anything in either. Don't sign in. Don't configure. Don't open the apps.
6. Go back to Zygisk and open Configure Denylist. This, I feel, is the MOST important step that makes or breaks this process. Do the following in Denylist:
MAKE SURE YOU TOGGLE EVERYTHING not just the default hides. Each hide has a submenu and for sub processes to hide.
This is everything I had to deny to make it work:
Authenticator.
Carrier OMADM
Carrier provision service
Carrier services
Certificate installer
Com.andorid.angle
Companion device manager
device health service adaptor
device policy
Gpay
OemDMTrigger
Permission controller
TEAMS
Work setup
Company portal
Google play protect services
Google Play Store
*** I Believes the bottom 5 are the main ones - the rest I just guessed and may or may not impact things 100% *****
7. Sign into Teams.
8. This will force you to sign into Company portal. If it works - not much will happen because it will look like a legit non-rooted phone.
If it fails you'll have to setup your profile in Company portal and it always fails after a 5 step process and says DEVICE NOT HEALTHY) This means you didn't deny something or you didn't reboot or something. You also need to go into your google accounts and look for your work profile and delete it and uninstall teams and company portal - I think company portal leaves files that you want off so you have to start from scratch)
9. You should be able to join your work meetings and use teams.
Ongoing:
Make sure you never update teams or Company Portal.
I don't know if this works for other MS mobile apps because I don't check my mail on my phone - but I assume just adding them to the deny list would be the only step extra you need to take.
Thanks!!
Click to expand...
Click to collapse
Awesome! This is the only method that worked for me after hours of struggling. Thank you!
Method is not working for me. Followed all steps
Not worked for me. Intune still detecting the root
Harshatxda said:
Not worked for me. Intune still detecting the root
Click to expand...
Click to collapse
Harshatxda said:
Method is not working for me. Followed all steps
Click to expand...
Click to collapse
This seems to be an ongoing evolving issue; especially in light of recent updates/events. There are many threads on the site here discussing it, although I've seen some that have been successful (but in various different device forums). The thread (linked below) seems to be fairly up-to-date recently updated that looks most promising...
[Tutorial] [Root] How to configure 'Microsoft Intune' to make it work with 'Magisk' (Update: Q1/2023)
Update 04.01.2023: I've updated/added additional steps to make this tutorial work again. This question was asked many times and often all the answers did not work: How do I get Magisk to work with Microsoft Apps like Microsoft Teams, Microsoft...
forum.xda-developers.com
Rooted Pixel 6A, rooted and literally <24H out of box. All I did was:
1. Hide Magisk (obviously)
2. Enable Zygisk
3. Configure DenyList (every Microsoft app I saw)
4. Enforce DenyList
5. Reboot
Portal passes device health test, and Teams works like a charm. Both are installed straight from Play Store.