Develop Bugs

Root & Rom Advice from the Ground Up

I need some help and I've looked all over but the information is fragmented and there is too many unfamiliar acronyms used which make it incredibly difficult for some like myself to catch up. So for the benefit of others who may be new I wanted to get some additional guidance.
I got the Pixel XL Google Version
Objectives:
1. Root with the ability to hide root so other apps will work
2. Native Mobile Hotspot
3. The ability to easily receive android updates without having to reflash etc..
4. Stay close to stock if possible, but willing to explore other options as long as security is trusted, and has good
compatibility.
5. Security is a concern, I tried a rom in the past with a Galaxy S4 and swear it had a backdoor installed in the rom.
What do you guys recommend? And how do I go about doing it?
Thank you!

If security is truly a concern you will not unlock your bootloader and root your phone.
Otherwise it all depends on which version phone you have, Verizon or Google?

1. You need magisk root for that.
3. No updates when you are rooted
4.5. Never heard of any custom rom with a backdoor. That's absolutely bull****. More likely it was an app you installed.
Unlocked bootloader is a security issue, so better to stay on full stock.
Root is a big security issue so better stay on full stock.
Jokes aside the only security issue is your phone gets stolen or you install apps outside playstore.
If you stay encrypted and use a hard pattern with fingerprint you are fine and there is always the way to delete your phone when it gets stolen.

mikaole said:
1. You need magisk root for that.
3. No updates when you are rooted
4.5. Never heard of any custom rom with a backdoor. That's absolutely bull****. More likely it was an app you installed.
Unlocked bootloader is a security issue, so better to stay on full stock.
Root is a big security issue so better stay on full stock.
I have the Pixel XL - Google Version
Jokes aside the only security issue is your phone gets stolen or you install apps outside playstore.
If you stay encrypted and use a hard pattern with fingerprint you are fine and there is always the way to delete your phone when it gets stolen.
Click to expand...
Click to collapse
My point about security really was that it's quite possible a ROM could have a backdoor. That a side..
Root is not a big security issue for me as long as the rom is trusted etc..
Shouldn't I be able to turn root off then be able to update and turn it back on again?

jadensmith said:
1. Root with the ability to hide root so other apps will work
Click to expand...
Click to collapse
It's possible to root to one slot with SuperSU while the other slot remains unrooted, and then the phone can be switched between slots with TWRP or fastboot commands. Kernels have been posted with safetynet patches, to hide that the bootloader is unlocked, but I'm not sure if any are available with the software version on my phone's current slot. As noted, Magisk can also hide root and that the bootloader is unlocked, so it's probably less hassle than trying to root and hide using SuperSU.
3. The ability to easily receive android updates without having to reflash etc.
Click to expand...
Click to collapse
FlashFire can use the OTA to update and stay rooted with SuperSU. The past couple months I've used FlashFire to update my phone, and it seems quicker and easier than the sideloading and reinstalling process I had been using. I'm not aware of anything similar to FlashFire for Magisk users, so to me it seems like you would have to decide if 1 or 3 is more personally important.
jadensmith said:
Shouldn't I be able to turn root off then be able to update and turn it back on again?
Click to expand...
Click to collapse
While reading I got the impression that I might be able to uninstall SuperSU and use the OTA update, but that didn't work with SuperSU the times I tried it, so I presume something SuperSU changed or something I did with root must have caused the update to fail. I haven't read the Magisk threads as much, yet I've seen that other SuperSU users also indicate that OTA updates no longer worked for them after rooting the phone.

alluringreality said:
It's possible to root to one slot with SuperSU while the other slot remains unrooted, and then the phone can be switched between slots with TWRP or fastboot commands. Kernels have been posted with safetynet patches, to hide that the bootloader is unlocked, but I'm not sure if any are available with the software version on my phone's current slot. As noted, Magisk can also hide root and that the bootloader is unlocked, so it's probably less hassle than trying to root and hide using SuperSU.
FlashFire can use the OTA to update and stay rooted with SuperSU. The past couple months I've used FlashFire to update my phone, and it seems quicker and easier than the sideloading and reinstalling process I had been using. I'm not aware of anything similar to FlashFire for Magisk users, so to me it seems like you would have to decide if 1 or 3 is more personally important.
That didn't work with SuperSU the times I tried it, so I presumed that something I did with root must have caused the update to fail to install.
Click to expand...
Click to collapse
Wow thanks for the great reply! It's so refreshing!
What do you mean by root one slot?

The phone has two "slots" for Android. The basic idea is that you have two copies of Android on the phone that share the same user data. On a stock phone it's intended to allow for less noticeable updates, and it also can allow the phone to fall back to the previous software version if something goes wrong with an update. On the May update my phone did automatically switch between slots, due to what is discussed in the second link below. The first link below gives some information and additional links to discussion about the slots on these phones.
http://www.androidpolice.com/2016/1...-partition-changes-and-new-fastboot-commands/
https://forum.xda-developers.com/an...signing-boot-images-android-verified-t3600606

Is it possible to keep stock or near stock and just have root with the ability to hide root, and hotspot?
That's all I really need. What would be the best way to to do this?

Unlock, Root, Xposed and then relock

Hi, my Mix2 arrived few days ago and I find MiUI quite nice, yet lacking few things. Those are easily available via xposed, hence I need to root. I'm also not so lucky in these matters so before I start to tinker with it I'd like to learn few things.
What are least dangerous ways to unlock and root phone? (heard sth about magisk, its quite new for me, haven't been rooting phones for couple years now) Is it good?
Suppose I succeed unlocking, rooting and flashing xposed, can I relock bootloader? I want that because ie AndroidPay needs that to work, and I haven't found any working rootcloack or similar (at least on Note2)
How reliable is 'the most official tool' for xiaomi flashing (from eu.xiaomi.com ?)? I mean can it bring back the dead or revert phone back to where I started, without any trace of tinkering?
As a new xiaomi owner are there any critical things I need to know?
Thanks!

If you flash magisk, which is the best thing ever btw, you won't have to relock bootloader to get Android pay working.

yeyeoke said:
If you flash magisk, which is the best thing ever btw, you won't have to relock bootloader to get Android pay working.
Click to expand...
Click to collapse
Thanks, I read about that and intend to use it. Though, there might be some issues with magisk and different versions. What features does it have?
So far, need to wait 3 days to unlock bootloader.

Mighty_Ahti said:
Thanks, I read about that and intend to use it. Though, there might be some issues with magisk and different versions.
So far, need to wait 3 days to unlock bootloader.
Click to expand...
Click to collapse
I've been using magisk on my Note 3 Pro since release and I've never had an issue. Yes, I got my mix 2 today and I'm also waiting for 3 days..

Mighty_Ahti said:
Hi, my Mix2 arrived few days ago and I find MiUI quite nice, yet lacking few things. Those are easily available via xposed, hence I need to root. I'm also not so lucky in these matters so before I start to tinker with it I'd like to learn few things.
What are least dangerous ways to unlock and root phone? (heard sth about magisk, its quite new for me, haven't been rooting phones for couple years now) Is it good?
Suppose I succeed unlocking, rooting and flashing xposed, can I relock bootloader? I want that because ie AndroidPay needs that to work, and I haven't found any working rootcloack or similar (at least on Note2)
How reliable is 'the most official tool' for xiaomi flashing (from eu.xiaomi.com ?)? I mean can it bring back the dead or revert phone back to where I started, without any trace of tinkering?
As a new xiaomi owner are there any critical things I need to know?
Thanks!
Click to expand...
Click to collapse
It's generally considered to be dangerous to relock a bootloader with anything other than perfectly stock/factory firmware installed. It may be ok to do this technically but it sort of "ties your hands" in some ways after making an unofficial modification and makes it a bit harder to recover from a botched situation.
You can have an unlocked bootloader and still use Android Pay. This can be achieved either with a ROM that is built to accomplish this (Epic ROM is an example of this) or by using Magisk, which allows root without any sort of SafetyNet trip in many cases. I don't believe there's *any* way to install Xposed and also use Android Pay or any other SafetyNet apps...the best alternative if you really want Xposed is to use Magisk and then install the Xposed Magisk module...you still can't pass SafetyNet with this setup but Magisk allows you to disable Xposed if you're willing to uncheck it in the Magisk Manager app and reboot the phone, after which time SafetyNet should pass ok...at least with this setup you'll be able to kind of have your cake and eat it too, though it's not ideal as you'll have to reboot if you want to change the status of Xposed.
https://forum.xda-developers.com/xposed/unofficial-systemless-xposed-t3388268

Thank you for detailed answer. I didn't know that.
flyer_andy said:
the best alternative if you really want Xposed is to use Magisk and then install the Xposed Magisk module...you still can't pass SafetyNet with this setup but Magisk allows you to disable Xposed
Click to expand...
Click to collapse
I tried AndroidPay few times past few days and it didn't work at all. Perhaps terminals were not compatibile. So lets say I gave up on AndroidPay - can I use regular Xposed along with Magisk? Or does it have to be that module?

Mighty_Ahti said:
Thank you for detailed answer. I didn't know that.
I tried AndroidPay few times past few days and it didn't work at all. Perhaps terminals were not compatibile. So lets say I gave up on AndroidPay - can I use regular Xposed along with Magisk? Or does it have to be that module?
Click to expand...
Click to collapse
Oh! I think I may be able to help you with the Android Pay issue - my phone didn't work right with Android Pay until I made sure *all* Google apps' permissions were allowed via the Apps menu in Settings (along with "Autostart" via the security app)...and also toggled the NFC setting where it lets you select between "embedded secure element" and "HCE Wallet." It probably is on "HCE Wallet" but try toggling to "embedded secure element" and then back to "HCE Wallet" a couple of times. My Mix 2 would not make a terminal connection until I did this...it would just say "card read error." Seems like a firmware bug. Let me know if that helps!
But yeah if you don't want to use Android Pay then normal Xposed should be fine...you wouldn't need Magisk I don't think. Though, I'm not sure but I think the Magisk Xposed module probably functions the same as normal Xposed so I'm not sure there's an advantage in doing so. But of course it's all about personal preference!

Whoah, I'm still new to xiaomi/android7+ policies, where each app's permissions are reduced to bare minimum (messenger not being able to show notifications for example). I will definitely try this tomorrow.
So far I just managed to unlock BL, flash recovery and install magisk. SafetyNet checks ok. Will try xposed tomorrow after some payments ;D Thanks!

HCE wallet worked for me (I had it set to SIM wallet).
If I understand correctly here is the possible solution to xposed+magisk+androidPay.
I'd need phh's su binaries for that and keep crossing fingers for it to work on 7.1
I need to learn more about that stuff before I break something

So as I was expecting I experience troubles in installing Xposed.
I followed official way as in here And got bootloop.
I removed magisk stuff in recovery and fixed bootloop, then installed v89.0 (not .1) and also bootloop.
Im using SDK25, and miui 9 - 7.1.1 so it should be ok I think

Mighty_Ahti said:
So as I was expecting I experience troubles in installing Xposed.
I followed official way as in here And got bootloop.
I removed magisk stuff in recovery and fixed bootloop, then installed v89.0 (not .1) and also bootloop.
Im using SDK25, and miui 9 - 7.1.1 so it should be ok I think
Click to expand...
Click to collapse
Disable hooks from the xposed apps settings before flashing xposed

What hooks? I dont have any modules yet

Mighty_Ahti said:
What hooks? I dont have any modules yet
Click to expand...
Click to collapse
It's a toggle in the settings under experimental, disable resource hooks

Boot took longer but it works. Thanks! Do I have to keep it on all the time ?

Mighty_Ahti said:
Boot took longer but it works. Thanks! Do I have to keep it on all the time ?
Click to expand...
Click to collapse
Yeah, phone won't boot with it on. Don't think it makes much difference anyway

Hi @Mighty_Ahti, how much time was "longer"? it's been loading for over 5 minutes already. Thanks

Certainly below 5 minutes.

ctsProfile: false - Allthough not rooted

Hi there,
It might be a dumb question, but im kinda clueless.
I have my device not rooted and the SavetyNet-Check of Magisk says ctsProfile: false.
My bootloader is unlocked since the beginning. Could that be the reason for it? And if so how could I avoid it? Rooting or Relocking the bootloader?
Background:
Because I experience problems with a couple of banking apps that they dont start/crash on startup and one of them saying it might be of having my device rooted.
So thats why I thought maybe SafetyNet Check is not good and checked it and figured out one check is not passing.

wsjoke said:
Some kernels lack the feature needed to pass cts without magisk installed you can either
1. install magisk to pass CTS
2. Use a kernel that has the patch (loki and my own kernel "chunchunmaru" should have it but both are for Q only as off now)
Click to expand...
Click to collapse

First, in what rom you are? Why u install magisk manager if u don't have root? What apps don't open? We aren't magicians or clairvoyants, please always mention more details

wsjoke said:
Hi there,
It might be a dumb question, but im kinda clueless.
I have my device not rooted and the SavetyNet-Check of Magisk says ctsProfile: false.
My bootloader is unlocked since the beginning. Could that be the reason for it? And if so how could I avoid it? Rooting or Relocking the bootloader?
Background:
Because I experience problems with a couple of banking apps that they dont start/crash on startup and one of them saying it might be of having my device rooted.
So thats why I thought maybe SafetyNet Check is not good and checked it and figured out one check is not passing.
Click to expand...
Click to collapse
I assume that you are from stock. It is the problem from Mi A2 Lite's device fingerprint that somehow it is not certified. Probably for reasons:
1. Magisk manager is present
2. Unlocked bootloader
3. Usually, it will pass when fingerprint has the same value from 10.0.1.0. After that, it fails for no reason. One theory suggests it might have to do with vulnerabilities present from our device (the System Toolkit app, when you dial *#*#64663#*#*), thus revoking certification from Play Store.
If you're on custom ROM, that would be it, except from POSP that has passed CTS. Also it could be the GApps you are using.

Os_Herdz said:
First, in what rom you are? Why u install magisk manager if u don't have root? What apps don't open? We aren't magicians or clairvoyants, please always mention more details
Click to expand...
Click to collapse
Stock rom, I previously had my phone rooted, thats why I still have installed magisk.
Various Banking Apps doesnt work as intended. For example https://play.google.com/store/apps/details?id=de.commerzbanking.mobil&hl=de cant unlock with fingerprint anymore. https://play.google.com/store/apps/details?id=com.starfinanz.mobile.android.dkbpushtan&hl=de doesnt open at all and opens a website which says a rooted phone could cause this issue.

Oneplus 5t security updates vs custom ROM newbie

Hi I've never wanted to root or custom ROM. I read the instructions and they are pages deep and the issues that come up and are discussed in threads have such confusing back and forth discussions using lingo and abbreviations that make my head spin.
However... Oneplus did their last update on my 5t my fourth oneplus phone... With an already old security update.
Is the only way to not throw away a perfectly working, phone with good Ram and a fairly new battery I paid to have installed just months ago?
If I'm wanting to hold on another year or 2 use the only option custom ROMs that contain security updates?
Is there a way to add security updates without a ROM? Or maybe at least just learn to root and then add just updates or is it only in ROMs?
I could probably happily use my phone as is but worried what effect no security updates really is to my use.
I really tried videos on doing so this myself I'm not comfortable if problems happen. Not very techy.
Any help appreciated

Unfortunately you can no longer get security updates once your device is deemed as old.
Your options will be to get an antivirus app on your phone, install a custom ROM (like LOS or pixel exp), or you can get a new phone.
Since you're new to this stuff I highly recommend you just get a new phone or simply install an antivirus.
Not sure which anti virus is better than which. But I'm confident in Avira, McAfee, and Norton. You may want to purchase their plan though.
Hope I helped.

Thanks alot for the reply. I'll start with an antivirus.

Hello,
I have similar issue, since I would need security patch update to keep running company mails and apps.
I have 2 doubts:
- if I root and install Android 11 custom ROM, security patches will be updated too?
- after this, would I be able to unroot and install company mail apps ( if rooted they will not work) ?
Thanks

Personally I think that your company has put an unfair burden on you to run company mail and apps on your personal phone while expecting you to have an updated phone at the same time. An updated phone should have been "given" to you.
That being said, you can actually flash and run a custom rom without root. Root is optional.
Process is as follows: (you'll need a PC for this)
1. Backup ALL your data
2. Unlock the bootloader
3. Install custom recovery and reboot to recovery
4. Wipe cache & system and format internal memory
5. Copy custom rom & gapps to internal memory
6. Flash custom rom & gapps and reboot system

miloinodense said:
Hello,
I have similar issue, since I would need security patch update to keep running company mails and apps.
I have 2 doubts:
- if I root and install Android 11 custom ROM, security patches will be updated too?
- after this, would I be able to unroot and install company mail apps ( if rooted they will not work) ?
Thanks
Click to expand...
Click to collapse
Yes if you install custom ROM you'll have security updates. It doesn't have to be Android 11 and you don't need root to install a custom ROM.
Also make sure to follow a precise guide about it so you don't encounter any issues. Always make a backup even if you're 100% sure you won't need it.
As far as I know mail apps don't check the integrity or do a SafetyNet check, so even if you root or don't it will work fine.
If you mean banking apps then you can install some modules to bypass the check or just completely remove root. Assuming that you rooted the device.

It shows my lack of knowledge never ever did I think you could Flash a ROM without being rooted.
Thanks

I successfully installed custom ROM w/o root.
But regarding company mail apps, I would need to hide bootloader unlocked status.
maybe it's impossible, if someone has a good idea...

miloinodense said:
I successfully installed custom ROM w/o root.
But regarding company mail apps, I would need to hide bootloader unlocked status.
maybe it's impossible, if someone has a good idea...
Click to expand...
Click to collapse
My banking apps working fine without root with crdroid 7.3 and flamegapps. Might work for your company mail app too.
Some roms readily hide bootloader status

Thanks for the hint, but these company mails apps are checking security patch date too. Last available for oneplus 5t are September 2020, and no further support from oneplus.

miloinodense said:
Thanks for the hint, but these company mails apps are checking security patch date too. Last available for oneplus 5t are September 2020, and no further support from oneplus.
Click to expand...
Click to collapse
Hence that's why the burden should be on the company to provide the "up to date" phone

miloinodense said:
Thanks for the hint, but these company mails apps are checking security patch date too. Last available for oneplus 5t are September 2020, and no further support from oneplus.
Click to expand...
Click to collapse
And that's why the burden should be on the company to provide the "up to date" phone

miloinodense said:
Thanks for the hint, but these company mails apps are checking security patch date too. Last available for oneplus 5t are September 2020, and no further support from oneplus.
Click to expand...
Click to collapse
I think if you change build.prop to some other phone with recent security patches you can bypass this.

XDHx86 said:
I think if you change build.prop to some other phone with recent security patches you can bypass this.
Click to expand...
Click to collapse
Today, I was thinking that this could be good way.
Root, change build.prop, and then unroot.
If you have a link for a good tutorial on change bulid.prop would be nice, thanks.

miloinodense said:
Today, I was thinking that this could be good way.
Root, change build.prop, and then unroot.
If you have a link for a good tutorial on change bulid.prop would be nice, thanks.
Click to expand...
Click to collapse
Just for update:
I tried to Root a stock ROM, edit build.prop (security patch date), unroot, and then lock bootloader.
But even if it was a stock ROM, OP5T was not booting.
Booloader was stopping boot since it was detecting a non-stock ROM.
Indeed, I had to unbrick OP5T since I was not possible to unlock bootloader.
So, still not solved

miloinodense said:
Just for update:
I tried to Root a stock ROM, edit build.prop (security patch date), unroot, and then lock bootloader.
But even if it was a stock ROM, OP5T was not booting.
Booloader was stopping boot since it was detecting a non-stock ROM.
Indeed, I had to unbrick OP5T since I was not possible to unlock bootloader.
So, still not solved
Click to expand...
Click to collapse
Just edit build.prop and use magisk hide module from magisk manager.

XDHx86 said:
Just edit build.prop and use magisk hide module from magisk manager.
Click to expand...
Click to collapse
Edit build.prop w/o root and unlock bootloader is not possible...
Moreover, hiding root will not work with more recent android updates and for sure it will not hide unlock bootloader.

miloinodense said:
Edit build.prop w/o root and unlock bootloader is not possible...
Moreover, hiding root will not work with more recent android updates and for sure it will not hide unlock bootloader.
Click to expand...
Click to collapse
Yeah I assumed you would know that you should root first. But seeing you even attempted to lock bootloader after modifying the device, seems I assumed wrong.
Magisk hide is working fine on later android versions like 8+. And for the bootloader it only trips CTS if your bootloader is using hardware backed key - Which is the case with OP5 - as CTS check also has hardware attestation. But it is possible to bypass said check by using SafetyNet Fix module, of course you will also install that from magisk manager.

How To Guide Gain L1 on OnePlus 9 Pro T-Mobile (Widevine)

Hi guys,
Just made a breakthrough discovery!
To gain Widevine:
Crossflash EU firmware to your device with craznazn's MSM here https://androidfilehost.com/?fid=14943124697586337355, unlock bootloader but DO NOT update yet! Then, you want to flash magisk, reboot and turn on Zygisk and do whatever you need to pass SafetyNet.
Afterwards, you can upgrade, it should be a FULL system upgrade, not an incremental. It should detect root and download ~3000 MB. Install the update and reboot, you should get L1 now!

razercortex said:
Hi guys,
Just made a breakthrough discovery!
To gain Widevine:
Crossflash EU firmware to your device with craznazn's MSM here https://androidfilehost.com/?fid=14943124697586337355, unlock bootloader but DO NOT update yet! Then, you want to flash magisk, reboot and turn on Zygisk and do whatever you need to pass SafetyNet.
Afterwards, you can upgrade, it should be a FULL system upgrade, not an incremental. It should detect root and download ~3000 MB. Install the update and reboot, you should get L1 now!
Click to expand...
Click to collapse
Nice find! Too bad I used the Indian MSM on my T-Mobile variant so I can't cross-flash anymore.

It also seems to survive MSM flashing, updates, custom ROMs, and bootloader locking/relocking

razercortex said:
It also seems to survive MSM flashing, updates, custom ROMs, and bootloader locking/relocking
Click to expand...
Click to collapse
Do you think it'll work for me when though I use the OP9 Indian MSM?

Not sure. You'd have to unlock bootloader first, then do a full system upgrade to check.

razercortex said:
Not sure. You'd have to unlock bootloader first, then do a full system upgrade to check
Click to expand...
Click to collapse
I'm already unlocked. It doesn't really matter though since I haven't given a yit about L1 since, ever. Just didn't know if you knew or not.

Thanks! Worked!
razercortex said:
Hi guys,
Just made a breakthrough discovery!
To gain Widevine:
Crossflash EU firmware to your device with craznazn's MSM here https://androidfilehost.com/?fid=14943124697586337355, unlock bootloader but DO NOT update yet! Then, you want to flash magisk, reboot and turn on Zygisk and do whatever you need to pass SafetyNet.
Afterwards, you can upgrade, it should be a FULL system upgrade, not an incremental. It should detect root and download ~3000 MB. Install the update and reboot, you should get L1 now!
Click to expand...
Click to collapse
Worked!
Thanks

I didn't use your method to get to c.63 (a12) for my TMobile OnePlus 9 pro. i dont know i can back to tmobile stock. Now I currently rooted and using magisk. All video apps work but I can't get L1 widedine. Is there another way?

Thanks for this. I have a 9 pro coming.
Edited
Thanks

I've had success using this method to keep L1 up to A12, but any attempt to upgrade to A13 downgrades Widevine to L3.

What is l1? What is widevine?

immortalwon said:
What is l1? What is widevine?
Click to expand...
Click to collapse
It is the security level of the firmware. It effects the certain apps like banking apps etc...

immortalwon said:
What is l1? What is widevine?
Click to expand...
Click to collapse
L1 is a drm (digital rights content management) state. L1 means the content is being digitally decoded or decrypted in a trusted environment. (I believe some of these are done in hardware with hardware verification only). It is the highest protection level.
In short, some apps will not work or will not play HD content without L1 state of drm. For us, when we lose L1, we go to L3. This could mean apps won't work at all, or they could be reduced in functionality.
Netflix for example, with L3, is limited to 480p video (however some bypass this with casting and get to 720p resolution).
Typically, when you unlock the bootloader of a phone, it will drop drm to L3 as it's considered a not-trusted environment.
This behavior is mixed by device, firmware versions and sometimes region (I have read some devices have shipped without Widevine keys to certain areas). This is bypass-able in some devices. For example, my 9P on oos11 is L1 with bootloader unlocked and rooted, using the standard magisk modules for Safetynet and clearing system cache.
Some phones will not regain L1 with unlocked bootloader (and maybe some versions of firmware also). They will be stuck with L3 Widevine until they relock the bootloader or unroot. And some firmwares are broken and will not have L1 because they implemented drm wrong.
On my 10T, netflix would not launch with unlocked bootloader. That may have been resolved by now but I was limited to L3 in drm checker (play store app) anyway.
For my 9P, I lost L1 (to L3) when I flashed Eu conversion to 11.2.2.2 - someone said that was an issue with early OnePlus firmwares where they implemented drm wrong or the key was problematic somehow. Whether that's true or not, I regained L1 when I temporarily unrooted and took the OTA.
This is likely going to be an increasing problem going forward as more devices go to hardware (only) attestation for everything. I suspect we will eventually see a magisk method of patching these apps and running them as modded apks. There used to be some patched netflix apks around. I think forced updates and signature checking made these obsolete. We may eventually see someone modify the individual apks, perhaps injecting a software mechanism for drm. Like taking the entire process of decoding, from an older device, into the apk itself. That might be overkill for the situation but eventually these bypasses we have currently, will not work anymore. We will be relying on some form of device spoofing, patching apks, standalone or redirected drm decoding, or a combination of all of those things.
That's assuming someone with that much skill is interested in doing all or any of that work.
Perhaps we will reach a point where unlocked bootloader or rooting breaks regular use so much that it's no longer worth the headache. It seems that's what they're going for. 'They' being app developers and phone manufacturers.
Here's a link to drm checker (DRM info) in play store if you'd like to find your current state: https://play.google.com/store/apps/details?id=com.androidfung.drminfo

Appreciative said:
L1 is a drm (digital rights content management) state. L1 means the content is being digitally decoded or decrypted in a trusted environment. (I believe some of these are done in hardware with hardware verification only). It is the highest protection level.
In short, some apps will not work or will not play HD content without L1 state of drm. For us, when we lose L1, we go to L3. This could mean apps won't work at all, or they could be reduced in functionality.
Netflix for example, with L3, is limited to 480p video (however some bypass this with casting and get to 720p resolution).
Typically, when you unlock the bootloader of a phone, it will drop drm to L3 as it's considered a not-trusted environment.
This behavior is mixed by device, firmware versions and sometimes region (I have read some devices have shipped without Widevine keys to certain areas). This is bypass-able in some devices. For example, my 9P on oos11 is L1 with bootloader unlocked and rooted, using the standard magisk modules for Safetynet and clearing system cache.
Some phones will not regain L1 with unlocked bootloader (and maybe some versions of firmware also). They will be stuck with L3 Widevine until they relock the bootloader or unroot. And some firmwares are broken and will not have L1 because they implemented drm wrong.
On my 10T, netflix would not launch with unlocked bootloader. That may have been resolved by now but I was limited to L3 in drm checker (play store app) anyway.
For my 9P, I lost L1 (to L3) when I flashed Eu conversion to 11.2.2.2 - someone said that was an issue with early OnePlus firmwares where they implemented drm wrong or the key was problematic somehow. Whether that's true or not, I regained L1 when I temporarily unrooted and took the OTA.
This is likely going to be an increasing problem going forward as more devices go to hardware (only) attestation for everything. I suspect we will eventually see a magisk method of patching these apps and running them as modded apks. There used to be some patched netflix apks around. I think forced updates and signature checking made these obsolete. We may eventually see someone modify the individual apks, perhaps injecting a software mechanism for drm. Like taking the entire process of decoding, from an older device, into the apk itself. That might be overkill for the situation but eventually these bypasses we have currently, will not work anymore. We will be relying on some form of device spoofing, patching apks, standalone or redirected drm decoding, or a combination of all of those things.
That's assuming someone with that much skill is interested in doing all or any of that work.
Perhaps we will reach a point where unlocked bootloader or rooting breaks regular use so much that it's no longer worth the headache. It seems that's what they're going for. 'They' being app developers and phone manufacturers.
Here's a link to drm checker (DRM info) in play store if you'd like to find your current state: https://play.google.com/store/apps/details?id=com.androidfung.drminfo
Click to expand...
Click to collapse
Excellent summary of Widevine! I've tested extensively using every method I could find on XDA, and I've come to the conclusion that it isn't possible to attain L1 status in A13 with an unlocked bootloader on my OP 9 Pro.

Reznor7 said:
Excellent summary of Widevine! I've tested extensively using every method I could find on XDA, and I've come to the conclusion that it isn't possible to attain L1 status in A13 with an unlocked bootloader on my OP 9 Pro.
Click to expand...
Click to collapse
Have you surveyed others on a13 to see their Widevine state? I have heard some users on custom roms (In crDroid group) using 13, claiming they're L1. I haven't verified that first hand, just saw it in threads and telegram groups.
If it's true that I can't retain or regain L1 in regular stock oos13, I will never make the move to 13

1. https://github.com/Displax/safetynet-fix/releases/tag/v2.3.1-MOD_2.0
2. https://github.com/LSPosed/LSPosed.github.io/releases/tag/shamiko-126
3. In Magisk, hide Magisk, enable Zygisk, Configure DenyList (make sure all Google apps and Netflix are selected) and DO NOT enforce DenyList (for Shamiko to work). The Mount Namespace Mode should be Isolated Namespace.
4. Google Play Services, Google Play Store, and Netflix, clear storage. Restart your phone and give it some time. You should be able to search and find Netflix in Google Play Store (may need to try few times to force Google to check your phone), the Netflix should pass L1 too.
5. DO NOT use MagiskHide Props Config, it's not working at all.

yanggame said:
1. https://github.com/Displax/safetynet-fix/releases/tag/v2.3.1-MOD_2.0
2. https://github.com/LSPosed/LSPosed.github.io/releases/tag/shamiko-126
3. In Magisk, hide Magisk, enable Zygisk, Configure DenyList (make sure all Google apps and Netflix are selected) and DO NOT enforce DenyList (for Shamiko to work). The Mount Namespace Mode should be Isolated Namespace.
4. Google Play Services, Google Play Store, and Netflix, clear storage. Restart your phone and give it some time. You should be able to search and find Netflix in Google Play Store (may need to try few times to force Google to check your phone), the Netflix should pass L1 too.
5. DO NOT use MagiskHide Props Config, it's not working at all.
Click to expand...
Click to collapse
I'm on stock A13 unlocked and rooted with Magisk. I did all of this exactly as listed and am still stuck at L3.

Reznor7 said:
I'm on stock A13 unlocked and rooted with Magisk. I did all of this exactly as listed and am still stuck at L3.
Click to expand...
Click to collapse
You can try to reset you phone and finish all steps without login your account first. See if there is any difference. But it's probably will not work.
The best solution is to go back to stock OOS11 and flash Omega or Arter97 kernel since the leak is probably kernel side and only custom kernels can hide it.

yanggame said:
You can try to reset you phone and finish all steps without login your account first. See if there is any difference. But it's probably will not work.
The best solution is to go back to stock OOS11 and flash Omega or Arter97 kernel since the leak is probably kernel side and only custom kernels can hide it.
Click to expand...
Click to collapse
I've done enough flashing for a while. I'll leave it to someone else to try.

I got L1 with unlocked bootloader and Magisk.
I have LE2110. I used MSM tool (Global) to get back to OOS 11. It locked the bootloader; it always does. So I set up the phone offline (without connecting to WiFi or Mobile Data). Then I upgraded to OOS 11.2.10.10 version through local upgrade. Then opened Developer Options for OEM Unlocking. The option was greyed out and it asked to connect to internet. So I connected my WiFi for a minute or two until that OEM Unlocking was available. I enabled it, and disconnected WiFI. I DID NOT login to my Google account or opened Play Store. I rebooted to fastboot, and unlocked bootloader. Then rebooted. Then did the initial setup again (without connecting to WiFi or Mobile Data). Then I turned off and got the boot.img through MSM tool's readback option. (I was on slot_b so I got boot_b from MSM). Patched this boot.img with Magisk. Booted it temporarily and then through Magisk app, gainded permanent root by Direct Install. Rebooted. Enabled Zygisk from Magisk and Enforce Denylist, and rebooted again. Installed Universal SafetyNet Fix through Magisk and rebooted again. Opened Magisk and hid the Magisk app (just named it Settings; it installed and then showed root lost, but I just closed the app, and reopened new hidden Magisk again). Rebooted. Then I went ahead and connected to WiFi, logged in to my Google account and stuff. Checked from YASNAC and DRM Info and found that Safety Net passed as well as got L1.
I did not put any Google related app to Denylist.