Develop Bugs

LineageOS 16.0 (build 20190425) - Microg, sig spoofing with full SafetyNet

UPDATE 06 OCT 2019: I will be returning to the project next week...
Apologies for my long silence over the past few months. After the initial release of this ROM I started focusing on getting the fingerprint sensor to work, which after some struggle I got it working. I then began spending time on removing non-FLOSS apps, services and providers that comes with lineageOS and replacing them with even better FLOSS alternatives. I made some good progress on this and created an automated build script for this. I also wanted to make the installation of the ROM easier, so I even created a script that automates the entire flashing procedure for you....yip...it's pretty cool On the security side I also made some good progress: I've applied several recommended hardening patches to the base system, and also patched the flawed mac-address randomization implementation that still exists in android today.
As I got close to preparing for release, google decided to stop support for maps-api V1 which is used by migrog. This completely broke all map views in apps and even started crashing the mobile browser. Because of the complexity of the android build workflow and tool-chain, I initially thought I screwed something up, but it was only after a couple of days of pulling my hair out people started reporting it on github. I had to wait for the mapbox implementation of microg to be released, and it eventually came a few weeks later.
It was shortly after the release that my personal priorities changed. I've been occupied (visa related) with that ever since but I'm happy to report that I should be able to return back to the project next week. Obviously some time has passed, so I will have to get up to speed with the latest releases of all of the repos and get that merged with my local changes, but that should only take a day. Hopefully there won't be many breaking changes, and if that is the case then I should be in a position to release V2 in about two weeks!
Cheers,
fanix (git-repo here: https://github.com/FaN11X?tab=repositories). Once you see commits you'll know I've started.
New build is available apparently.... don't know if it's the same dev..
UPDATE 08 MAY 2019: I'm in the process of adding support for the in-display fingerprint sensor. Stay tuned.
This is a lineageos 16.0 build from source on 25 April using latest source. The ROM is has been prepatched for system lavel signature spoofing based on the MicroG Android Pie patch (url removed, sigh). I did however change the protection level from "Dangerous" to "Signature|Restricted". This is a more secure way of enable signature patching as it requires the app using signature spoofing to be privaliaged, in other words, it needs to be installed to /system/priv-app in order for it to be granted this permission. This means that you wont be at risk of downloading and installing apps that might abuse signature spoofing.
The ROM also passes FULL SafetyNet with microg installed. It uses a custom build from Nanadroid which contains all the latest code changes which you wont find in there official releases as its not yet been packaged as a release. This solved many issues for me, like safetyNet now passing which allows me to install and run banking applications (like Barclay's Mobile Banking) and also uber seems to work just fine using the UnifiedNLP backend providers.
This custom ROM has NO google related apps or code, and you have the ability to switch on google released integration services through the microg services menu.
WORKING
So far... everything I've tested. (except fingerprint)
NOT WORKING
On-display fingerprint.
Installation steps:
1. Restore to stock firmware. I recommend the following Fastboot ROM as thats the one I used. *url removed* (download file search google "equuleus global images V10.2.2.0.PECMIXM")
2. Put device in fastboot mode (adb reboot bootloader or Power Button + Vol Down)
3. Flash using MiFlash (Find it on google and be sure to select the "FLASH ALL.bat" option at the bottom and NOT the LOCK on, otherwise you will relock your device)
4. After flashing the stock ROM, let it boot up, then enable developer options and USB debugging.
5. Flash TWRP
* adb reboot bootloader
* fastboot erase recovery
* fastboot flash TWRP_equuleus_1102.img
* fastboot boot TWRP_equuleus_1102.img
6. Once in TWRP, goto WIPE and select DATA. Enter the word "yes" and once it is complete, go back to main menu, RESTART=>RECOVERY to reboot and automatically boot back into recovery.
7. Goto WIPE again, but this time WIPE DalvicCache, SYSTEM & Cache by selecting all 3 and wiping them (NO NOT RESTART AFTER THIS STEP
8. Once wipe is complete, push the content from the download folder provided below to the sdcard folder of the phone.
* adb push download_folder_containing_all_the_files /sdcard/
example: adb push /home/fanix/Downloads/lineageosrom /sdcard/
9. Once complete, you are now ready to flash lineage ROM. Select the lineageos zip file and flash it. (filename => lineage-16.0-20190425-UNOFFICIAL-equuleus.zip)
10. Once complete, you can then reboot to system to load lineage. After going through the lineage setup, you can then install microg (if you want)
Optional - Installing microg (from latest nanodroid) FULL SAFETYNET SUPPORTED
* Boot into TWRP (adb reboot recovery)
* Goto INSTALL, and select the following file: (NanoDroid-microG-20.7.92.20190424.zip).
* NOTE: This will install microg, including MsfProxy and UnifiedNLP with 4 backend providers. It will also install Aurora Store & Fake store.
* When install is complete, reboot and once in lineage, you can configure microg. You can log into google store using Aurora, either with your own account or their anonymised account. This allows you to download anything form the google app store, including apps that require verification, like mobile banking apps.
* If you want, you can test your SafetyNET using Magisk. You can find the magisk manager in the download folder. Install that and test SafetyNET. You do NOT need to root your phone to test this, you can simply install the manager. If you want to root your phone, simply boot back into TWRP and select the magisk 19.0 zip file and that will then also root your device.
Enjoy!
DOWNLOAD LINK:
https://drive.google.com/open?id=1aJ...bkaHPw86sgHYMj

I've contacted one of the mods and asked if thye could post the link. Hope they do, otherwise if someone has the ability to post links then message me and i'll PM you the download link which you can then share to the thread.
Cheers
fanix

Hi fanix-uk,
Thank you very much! Is 3D face recognition working or just the 2d with the front camera?

mateHD said:
Hi fanix-uk,
Thank you very much! Is 3D face recognition working or just the 2d with the front camera?
Click to expand...
Click to collapse
Not sure, I haven't tried it. To be honest I've never used that feature on this phone before.

fanix-uk said:
Not sure, I haven't tried it. To be honest I've never used that feature on this phone before.
Click to expand...
Click to collapse
I tried it. Face unlock works with google smartlock. It use IR sensor, not the front camera, but it isn't 3D. So it works without light, but less secure than the stock rom version.
Btw. the rom works perfectly. Thanks again.

Is possible to have the miui camera with this rom?

mateHD said:
I tried it. Face unlock works with google smartlock. It use IR sensor, not the front camera, but it isn't 3D. So it works without light, but less secure than the stock rom version.
Btw. the rom works perfectly. Thanks again.
Click to expand...
Click to collapse
You are most welcome! Thanks for testing it... I'm working on a new release with some really cool features, including
Updated, hardened kernel.
Wireguard kernel module built into kernel.
Removal of non-FOSS apps/providers/services and replace with FOSS alternatives
Weather provider integration with openweathermap.
In-display fingerprint

perillo95 said:
Is possible to have the miui camera with this rom?
Click to expand...
Click to collapse
I can try and grab the camera app and drivers from stock and package it for you, but won't be including proprietary software in this build. I'll keep you posted.

fanix-uk said:
You are most welcome! Thanks for testing it... I'm working on a new release with some really cool features, including
Updated, hardened kernel.
Wireguard kernel module built into kernel.
Removal of non-FOSS apps/providers/services and replace with FOSS alternatives
Weather provider integration with openweathermap.
In-display fingerprint
Click to expand...
Click to collapse
Looking forward to it. I will probably try the current version as soon as I'm allowed to unlock my bootloader.

fanix-uk said:
I can try and grab the camera app and drivers from stock and package it for you, but won't be including proprietary software in this build. I'll keep you posted.
Click to expand...
Click to collapse
With miui camera and the in-display fingerprint would be a perfect ROM, Great work

thanks a lot for LOS!
Q: do i need to install gapps after ROM?

eerastov said:
thanks a lot for LOS!
Q: do i need to install gapps after ROM?
Click to expand...
Click to collapse
Yes.
Whats up with the new version? Can i help somehow?

Thanks
Hi Fanix
I really appreciate what you have done for Mi8 Pro. If you did not share your work here, I think I nearly sell my phone, as the MIUI is pretty trash.
Also, thanks for your progress on adding in-display finger sensor, after you done it I feel you can create one link for donation. I really hope you can keep develop on this phone and make LOS Andorid Q available in the future.
Kind regards
One of Mi8 Pro users
---------- Post added at 07:51 AM ---------- Previous post was at 07:47 AM ----------
I flashed this rom on my phone, it works really well. And I flashed a Gapps on my phone, work well as well. I did not flash the Nanadroid on my phone, is it necessary? I just worry about it becasue you said something related to SafetyNet, ahaha. I do not know if I do not have it, is my phone still safe?
Thanks a lot again.

fanix-uk said:
UPDATE 08 MAY 2019: I'm in the process of adding support for the in-display fingerprint sensor. Stay tuned.
This is a lineageos 16.0 build from source on 25 April using latest source. The ROM is has been prepatched for system lavel signature spoofing based on the MicroG Android Pie patch (url removed, sigh). I did however change the protection level from "Dangerous" to "Signature|Restricted". This is a more secure way of enable signature patching as it requires the app using signature spoofing to be privaliaged, in other words, it needs to be installed to /system/priv-app in order for it to be granted this permission. This means that you wont be at risk of downloading and installing apps that might abuse signature spoofing.
The ROM also passes FULL SafetyNet with microg installed. It uses a custom build from Nanadroid which contains all the latest code changes which you wont find in there official releases as its not yet been packaged as a release. This solved many issues for me, like safetyNet now passing which allows me to install and run banking applications (like Barclay's Mobile Banking) and also uber seems to work just fine using the UnifiedNLP backend providers.
This custom ROM has NO google related apps or code, and you have the ability to switch on google released integration services through the microg services menu.
WORKING
So far... everything I've tested. (except fingerprint)
NOT WORKING
On-display fingerprint.
Installation steps:
1. Restore to stock firmware. I recommend the following Fastboot ROM as thats the one I used. *url removed* (download file search google "equuleus global images V10.2.2.0.PECMIXM")
2. Put device in fastboot mode (adb reboot bootloader or Power Button + Vol Down)
3. Flash using MiFlash (Find it on google and be sure to select the "FLASH ALL.bat" option at the bottom and NOT the LOCK on, otherwise you will relock your device)
4. After flashing the stock ROM, let it boot up, then enable developer options and USB debugging.
5. Flash TWRP
* adb reboot bootloader
* fastboot erase recovery
* fastboot flash TWRP_equuleus_1102.img
* fastboot boot TWRP_equuleus_1102.img
6. Once in TWRP, goto WIPE and select DATA. Enter the word "yes" and once it is complete, go back to main menu, RESTART=>RECOVERY to reboot and automatically boot back into recovery.
7. Goto WIPE again, but this time WIPE DalvicCache, SYSTEM & Cache by selecting all 3 and wiping them (NO NOT RESTART AFTER THIS STEP
8. Once wipe is complete, push the content from the download folder provided below to the sdcard folder of the phone.
* adb push download_folder_containing_all_the_files /sdcard/
example: adb push /home/fanix/Downloads/lineageosrom /sdcard/
9. Once complete, you are now ready to flash lineage ROM. Select the lineageos zip file and flash it. (filename => lineage-16.0-20190425-UNOFFICIAL-equuleus.zip)
10. Once complete, you can then reboot to system to load lineage. After going through the lineage setup, you can then install microg (if you want)
Optional - Installing microg (from latest nanodroid) FULL SAFETYNET SUPPORTED
* Boot into TWRP (adb reboot recovery)
* Goto INSTALL, and select the following file: (NanoDroid-microG-20.7.92.20190424.zip).
* NOTE: This will install microg, including MsfProxy and UnifiedNLP with 4 backend providers. It will also install Aurora Store & Fake store.
* When install is complete, reboot and once in lineage, you can configure microg. You can log into google store using Aurora, either with your own account or their anonymised account. This allows you to download anything form the google app store, including apps that require verification, like mobile banking apps.
* If you want, you can test your SafetyNET using Magisk. You can find the magisk manager in the download folder. Install that and test SafetyNET. You do NOT need to root your phone to test this, you can simply install the manager. If you want to root your phone, simply boot back into TWRP and select the magisk 19.0 zip file and that will then also root your device.
Enjoy!
DOWNLOAD LINK:
https://drive.google.com/open?id=1aJ...bkaHPw86sgHYMj
Click to expand...
Click to collapse
hello I have tried treble version but i got MusicFX Force Close i hope you can fix this
and maybe you can port Miui Camera on this ROM thanks for your work

I found a bug :
NFC is not found in Settings and NFC Icon on status bar is error
Edit :
sometimes when opening the camera, freeze and got pop-up cannot be connected to the camera
And for musicFX is working...

Thanks
fanix-uk said:
UPDATE 08 MAY 2019: I'm in the process of adding support for the in-display fingerprint sensor. Stay tuned.
This is a lineageos 16.0 build from source on 25 April using latest source. The ROM is has been prepatched for system lavel signature spoofing based on the MicroG Android Pie patch (url removed, sigh). I did however change the protection level from "Dangerous" to "Signature|Restricted". This is a more secure way of enable signature patching as it requires the app using signature spoofing to be privaliaged, in other words, it needs to be installed to /system/priv-app in order for it to be granted this permission. This means that you wont be at risk of downloading and installing apps that might abuse signature spoofing.
The ROM also passes FULL SafetyNet with microg installed. It uses a custom build from Nanadroid which contains all the latest code changes which you wont find in there official releases as its not yet been packaged as a release. This solved many issues for me, like safetyNet now passing which allows me to install and run banking applications (like Barclay's Mobile Banking) and also uber seems to work just fine using the UnifiedNLP backend providers.
This custom ROM has NO google related apps or code, and you have the ability to switch on google released integration services through the microg services menu.
WORKING
So far... everything I've tested. (except fingerprint)
NOT WORKING
On-display fingerprint.
Installation steps:
1. Restore to stock firmware. I recommend the following Fastboot ROM as thats the one I used. *url removed* (download file search google "equuleus global images V10.2.2.0.PECMIXM")
2. Put device in fastboot mode (adb reboot bootloader or Power Button + Vol Down)
3. Flash using MiFlash (Find it on google and be sure to select the "FLASH ALL.bat" option at the bottom and NOT the LOCK on, otherwise you will relock your device)
4. After flashing the stock ROM, let it boot up, then enable developer options and USB debugging.
5. Flash TWRP
* adb reboot bootloader
* fastboot erase recovery
* fastboot flash TWRP_equuleus_1102.img
* fastboot boot TWRP_equuleus_1102.img
6. Once in TWRP, goto WIPE and select DATA. Enter the word "yes" and once it is complete, go back to main menu, RESTART=>RECOVERY to reboot and automatically boot back into recovery.
7. Goto WIPE again, but this time WIPE DalvicCache, SYSTEM & Cache by selecting all 3 and wiping them (NO NOT RESTART AFTER THIS STEP
8. Once wipe is complete, push the content from the download folder provided below to the sdcard folder of the phone.
* adb push download_folder_containing_all_the_files /sdcard/
example: adb push /home/fanix/Downloads/lineageosrom /sdcard/
9. Once complete, you are now ready to flash lineage ROM. Select the lineageos zip file and flash it. (filename => lineage-16.0-20190425-UNOFFICIAL-equuleus.zip)
10. Once complete, you can then reboot to system to load lineage. After going through the lineage setup, you can then install microg (if you want)
Optional - Installing microg (from latest nanodroid) FULL SAFETYNET SUPPORTED
* Boot into TWRP (adb reboot recovery)
* Goto INSTALL, and select the following file: (NanoDroid-microG-20.7.92.20190424.zip).
* NOTE: This will install microg, including MsfProxy and UnifiedNLP with 4 backend providers. It will also install Aurora Store & Fake store.
* When install is complete, reboot and once in lineage, you can configure microg. You can log into google store using Aurora, either with your own account or their anonymised account. This allows you to download anything form the google app store, including apps that require verification, like mobile banking apps.
* If you want, you can test your SafetyNET using Magisk. You can find the magisk manager in the download folder. Install that and test SafetyNET. You do NOT need to root your phone to test this, you can simply install the manager. If you want to root your phone, simply boot back into TWRP and select the magisk 19.0 zip file and that will then also root your device.
Enjoy!
DOWNLOAD LINK:
https://drive.google.com/open?id=1aJ...bkaHPw86sgHYMj
Click to expand...
Click to collapse
Current anything is good ！
thanks a lot again

Any news plss

Any news?
Still others are maintaining this rom, looking forward to updating

I was willing to bring up the rest of the hardware and make this device official, but I don't have the device. Is there any interest in donating a device for such purpose?

bgcngm said:
I was willing to bring up the rest of the hardware and make this device official, but I don't have the device. Is there any interest in donating a device for such purpose?
Click to expand...
Click to collapse
Would love to be in a position to do that. However, I have just had my OnePlus 6T stolen, and now need my Mi 8 Pro as a daily driver. Would be happy to donate to get the fingerprint reader working on AOSP / GSI-Treble ROMs for the MI 8 Pro.

Passing SafetyNet

Well, I have this Moto G5 with LineageOS 16, Magisk 19.3 and TWRP 3.2.3-2-cedric-arm64 and unlocked bootloader.
When I test SafetyNet with Magisk Manager It says to me
SafetyNet check passed
ctsProfile: false
basicIntegrity: false
I have hidden Magisk Manager and changed the device fingerprint with the MagiskHide Props Config (I chosed the Moto G5 7.0 fingerprint)
What should do I do to get them both to true?
Srry for bad english
P.S. I'm having problems with Pokémon GO, this is why I'm doing this

If you flash the magisk uninstall zip and restart the device and run a safetynet check (use a 3rd party app from playstore) does basic integrity pass?
If so try an older version of magisk or try the canary build - if basic integrity still fails and you have tested it again after a clean flash then try a different rom

TheFixItMan said:
If you flash the magisk uninstall zip and restart the device and run a safetynet check (use a 3rd party app from playstore) does basic integrity pass?
If so try an older version of magisk or try the canary build - if basic integrity still fails and you have tested it again after a clean flash then try a different rom
Click to expand...
Click to collapse
I've uninstalled Magisk and checked safety net, it still gives both false.
So I should change rom?

OnionMaster03 said:
I've uninstalled Magisk and checked safety net, it still gives both false.
So I should change rom?
Click to expand...
Click to collapse
If it doesn't pass with a clean flash then yes

OnionMaster03 said:
I've uninstalled Magisk and checked safety net, it still gives both false.
So I should change rom?
Click to expand...
Click to collapse
Los16 doesn't support safetynet on our device, you can use the magisk safetynet Modul that fixed your problem.

OnionMaster03 said:
Well, I have this Moto G5 with LineageOS 16, Magisk 19.3 and TWRP 3.2.3-2-cedric-arm64 and unlocked bootloader.
When I test SafetyNet with Magisk Manager It says to me
SafetyNet check passed
ctsProfile: false
basicIntegrity: false
I have hidden Magisk Manager and changed the device fingerprint with the MagiskHide Props Config (I chosed the Moto G5 7.0 fingerprint)
What should do I do to get them both to true?
Srry for bad english
P.S. I'm having problems with Pokémon GO, this is why I'm doing this
Click to expand...
Click to collapse
I had the same problem, the ONLY thing that worked was installing the Magisk module "SafetyNet Fix" (you can find it the "Downloads" section of Magisk). The issue with that is that it creates a conflict with the "key" so you can an error message every time you start your phone, but you can ignore/clear it.

Tiki Thorsen said:
I had the same problem, the ONLY thing that worked was installing the Magisk module "SafetyNet Fix" (you can find it the "Downloads" section of Magisk). The issue with that is that it creates a conflict with the "key" so you can an error message every time you start your phone, but you can ignore/clear it.
Click to expand...
Click to collapse
If you try copying the fingerprint key from the system build.prop into the vendor build.prop replacing the existing value it should solve that issue
Not tried it as don't own device

Tiki Thorsen said:
I had the same problem, the ONLY thing that worked was installing the Magisk module "SafetyNet Fix" (you can find it the "Downloads" section of Magisk). The issue with that is that it creates a conflict with the "key" so you can an error message every time you start your phone, but you can ignore/clear it.
Click to expand...
Click to collapse
I have the same problem. When I install SafetyPatch, the phone hangs in an bootloop.

I choose pixel 2xl fingerprint. Its working fine for me

[Tutorial][How to] SafetyNet with root

My device: SM-M315F (M31), Android 11, OneUI3,1
SafetyNet can detect if you have rooted your device. If you don't pass the SafetyNet check, some secure apps (e.g. Google Pay) wont work!
Here's how I got around it (starting from stock):
Install TWRP and flash Magisk (root): https://forum.xda-developers.com/t/recovery-unofficial-3-5-2-twrp-for-galaxy-m31.4260181/
Make changes with Magisk to bypass SafetyNet: https://www.droidwin.com/pass-magisk-safetynet-android-11-root/
Make sure to also do Step #5 in the second link! Without that, my device failed the ctsProfile test.

M315FXXU2ATIC (Android 10) Magisk v23 stable. Google Pay.
Enabled Magisk hide, then installed modules - Riru v26.1.3 (from repo), LSPosed v1.6.5 (from repo), Universal SafetyNet Fix v2.1.2 (Riru version), then reboot. Now Google Pay accepted the card but still reported the device was not compliant. Clearing data (not cache) of Google Pay and Google Services helped.
PS: updated to M315FXXU2BUAD (Android 11) via ODIN and HOME_CSC, flashed Magisk again - all modules remained - Google Pay works.

How To Guide How to root and pass SafetyNet on XQ-BT52 62.0.A.3.163

How to root and pass SafetyNet on Sony Xperia 10 III (XQ-BT52)​Tested on firmware 62.0.A.3.163.
Disclaimer:
This guide assumes you're familiar with the concepts of rooting, Magisk, SafetyNet, fastboot, adb and so on. I will explain why things are done but if I explained everything it would become too long.
This guide is limited to getting root and apps working on the stock Sony ROM. It doesn't cover installing other ROMs.
You can mess up your phone if you don't know what you're doing. This is not a beginner's guide.
Before you do anything else, do these preparations:
Make sure your device is updated to the latest firmware. Getting updates after you unlock the bootloader will be more complicated.
Use XperiFirm to grab a copy of your current firmware (after you've updated it). It can run on Linux too, either via Mono or in a virtual machine. It's basically just a downloader, it doesn't need any fancy hardware access.
Screenshot everything under Settings > System.
Open the dialer and enter *#*#7378423#*#*. Screenshot everything in the service submenus.
Unlock developer options (tap Settings > About > Build number 7 times) then find it under Settings > System > Advanced. Activate USB debugging. Activate OEM unlocking.
Install the Android SDK Platform Tools. On Linux they're most likely in a package provided by your distro.
Copy the screenshots to your PC because the phone will be reset at some point.
Boot into fastboot by turning the phone off, then connect it to PC via USB, and press POWER and VOLUME UP together. The phone led will turn blue. On PC run fastboot devices and make sure it lists your phone and has the serial number you got from the service menu.
Unlocking the bootloader:
This is the point of no return as far as warranty is concerned!
This will factory reset the phone! Make sure you got everything you needed off it.
Obtain the unlock code (you will need the IMEI of the 1st SIM slot).
Boot into fastboot, check again that fastboot devices lists the phone.
Issue the unlock command using the code you got earlier: fastboot oem unlock 0x<unlock code here>
Reboot the phone (you can say fastboot reboot). It will say "can't check for corruption" and "erasing" a couple of times but will eventually boot up to the factory setup.
Enabling Magisk & root:
Download the latest Magisk apk to the phone and install it. Right now that means v24+.
Open boot_X-FLASH-ALL-8A63.sin from the original firmware with any archive manager (it's a tar.xz), 7zip will work fine.
Extract boot.000, rename it to boot.img and put it on the phone.
Open the Magisk app, next to "Magisk" tap "install", choose "Select and patch a file", pick the "boot.img" file.
Download the patched img to PC (will be next to boot.img called something like magisk_patched-24100_MKPRJ.img).
Boot into fastboot, check again that fastboot devices lists the phone.
Flash the patched boot image: fastboot flash boot magisk_patched-24100_MKPRJ.img
Must say OKAY. Can then reboot the phone (you can say fastboot reboot).
Open the Magisk app again, it should say "installed" now next to "Magisk". Also the Superuser and Modules buttons should now be enabled.
Go into Magisk settings and activate "Hide the Magisk app". This is NOT MagiskHide, it does not hide Magisk from other apps, it hides the Magisk Manager app from other apps. More on this later.
Go into Magisk settings and activate Zygisk. This is a built-in replacement for Riru going forward.
Reboot!
Install a root checker app and verify that you get a prompt from Magisk to give root and that the checker says it got root.
Important changes about Magisk:
Riru is now obsolete. It has been replaced by a feature built-into Magisk called Zygisk (which is essentially Riru running in Zygote). It is strongly recommended to go into Magisk settings and activate Zygisk (even if you don't use Riru modules). Do not install Riru anymore. All modules that needed Riru should have Zygisk versions by now unless they're abandoned.
Magisk no longer maintains a module repository, To find and install modules install Fox's Magisk Module Manager. It's a dedicated module management app that supports the old Magisk repo as well as new ones. Inside Magisk you can still enable/disable/remove/install manually and can also update if the module has an update URL, so you can do without Fox if you get your modules directly from their XDA or GitHub pages.
MagiskHide has been replaced by a new feature called Deny list (it's in Magisk settings). It's much more powerful because the apps & processes added to the deny list will be completely excluded from anything based on Magisk so it's impossible for them to detect leaks anymore. On the downside, excluded apps can't be affected by any Magisk or LSPosed modules (LSPosed will grey out such apps and say "it's on the deny list".) This feature should be used sparingly (see below) because Magisk still does a good job of evading detection.
Passing SafetyNet:
Install YASNAC to check your SafetyNet status. At this point you're probably not passing either Basic or CTS check.
Go into Magisk settings. Enable "Enforce deny list". Enter "Configure deny list", find Google Services, check it, expand it, and select only the process ending in .gms and the one ending in .gms.unstable.
Reboot. Check YASNAC. At this point you should be passing Basic check but probably not CTS.
Install Universal SafetyNet Fix (aka USNF) by kdrag0n in Magisk. (Some GIS ROMs already include what this module does, so if you install a GIS ROM you may not need it.) This module hijacks the CTS verification and drops an error which causes the Google service to fall back to Basic verification, which we already fixed in the previous step.
Reboot. Check YASNAC. At this point you should be passing both Basic and CTS. That's it!
You may need to clear storage & cache for Google Play & Services. Go to Settings > Apps & notifications > See all apps, select "All apps", find them in the list, clear storage/cache and reboot. After that try searching for a restricted app such as Netflix on the Play store, if it shows up in results you're all good.
Remember to also add to deny list other apps that try to detect if you're using root, like banking apps.
Other SafetyNet related fixes:
People using non-stock GIS ROMs will probably need module MagiskHide Props Config by Didgeridoohan. This will install a props command line util that you can use (as root) to force Basic attestation, apply extra Magisk hiding techniques, spoof device fingerprint, change the way fingerprinting is checked, or even impersonate another device altogether. Install, reboot, enter adb shell, type su to go root (will need to grant root to shell on the phone when prompted), then run props and follow the options.
People running extra-stubborn banking apps (or other apps that try to detect root extra-hard) that don't work even when added to the Magisk deny list can try module Shamiko by LSPosed. This module adds extra hiding techniques for the apps on the deny list. Please note that Shamiko will disable the Magisk "enforce deny list" option but that's ok, that's an extra feature, the deny list is in effect even without it.

Working apps and modules​Please note that this list is limited to stuff that I personally use. I can't and won't install other stuff to test it.
Root apps:
AFWall(+): Works, but configure it to use its own internal busybox and iptables. Applying rules fails occasionally and you need to retry.
Call Recorder by skvalex: Recording works out of the box, no fiddling required with either headset of mic recording.
JuiceSSH, Termux etc. and other terminal apps: No issues getting root with su.
Busybox: you can install zgfg's module which exposes Magisk's internal Busybox to the rest of the system (bonus: will be updated with Magisk); or you can install osm0sys's module which contains a standalone separate Busybox. As of now both of them provide Busybox 1.34.
MyBackup Pro: Works fine. Used it to transfer 15k+ SMS messages from Android 8.
Solid Explorer: Can access root partitions without issues.
Tasker: No issues.
Titanium Backup: Works but will hang when restoring APKs whose target API doesn't support the ROM's Android version (ie. APKs you can't install directly either).
OAndBackupX: Modern alternative to Titanium, works perfectly.
XPERI+: Version 6 works well and allows you to remap the assistant button and has another couple of features. Version 7 crashes.
Magisk modules:
AFWall Boot AntiLeak
Backup
Builtin BusyBox
Magisk Bootloop Protector
MagiskHide Props Config
Shamiko
SQLite for ARM aarch64 devices
Systemless Hosts (comes with Magisk, enable it in settings)
Universal SafetyNet Fix
Zygisk LSPosed
LSPosed modules:
App Settings Reborn: Works well. May require a couple of reboots before the targeted apps start showing the modifications.
Disable Flag Secure: com.varuns2002 is working, sort of. Please read the module's page. Apps got wise to rooted devices ignoring FLAG_SECURE so now they use hardware DRM or detect screenshots and show you something else (Netflix). So it works only in older versions of apps, or apps that haven't bothered to detect screenshots.
GravityBox [R]: Everything I tried works perfectly.
Physical Button Master Control: The module works as intended, the companion config app has some issues, hopefully they'll be solved soon.
XPrivacyLua: Works perfectly. No issues with SafetyNet.
Not working:
...

Other tested and working Root Apps:
AdAway
Fox's Magisk Module Manager
Franco Kernel Manager
Termux
Not testet yet:
Call Recorder
FolderSync
Total Commander
Vanced Manager
WireGuard
Other tested and working Magisk modules:
1Controller - 1 Module to support all Controllers
Call Recorder - SKVALEX
F-Droid Privileged Extension
Move Certificates (version by Androidacy)
Other tested and working LSPosed modules:
BubbleUPnP AudioCast

How To Guide Passing SafetyNet on Magisk>=24.0 [Poco F3, Mi 11x, Redmi K40]

All instructions that I was able to find on how to pass SafetyNet on a rooted phone with a custom ROM were for older version of Magisk, so I figured I'd write a guide on how I did it on version 24.3. I'm running LineageOS 18.1 for microG (no gapps) but hopefully it works for other ROMs too (EDIT: it works on LineageOS 19 for microG too). Step 3 is probably not needed for phones using the stock ROM.
Prerequisites: POCO F3 rooted with Magisk>=24.0.
Steps:
Open Magisk and go to settings, enable both Zygisk and Enforce DenyList. Tap Configure DenyList and check all apps that need to pass SafetyNet, except for com.google.android.gms. Reboot.
Install the module Universal SafetyNet Fix. Make sure you install the latest Zygisk version and not the Riru one. Reboot. Note that after rebooting com.google.android.gms will not be in the DenyList anymore if you checked it during step 1, do not enable it again because you will not pass SafetyNet when it's in the DenyList.
Install module MagiskHide Props Config. Reboot. Open any terminal emulator. Type "su" (without the quotes) then hit enter, give root permission if requested. Type "props" then enter, type "1" then enter, type "f" then enter, type the number for POCO (should be 22) then enter, pick the version for your model, region and Android version then enter, answer yes to all questions including when asked to reboot.
I used this app to run a test after every step:
SafetyNet Helper Sample - Apps on Google Play
Sample app to check if your device passes the Google SafetyNet CTS test
play.google.com
I got a pass on basic integrity after step 2 and a pass on CTS profile match after step 3. I added the app to the DenyList, I'm not sure what the result would be if I didn't do that.
If some apps still complain about root try hiding the Magisk app from Magisk's settings.

Ludoboii said:
All instructions that I was able to find on how to pass SafetyNet on a rooted phone with a custom ROM were for older version of Magisk, so I figured I'd write a guide on how I did it on version 24.3. I'm running LineageOS 18.1 for microG (no gapps) but hopefully it works for other ROMs too. Step 3 is probably not needed for phones using the stock ROM.
Prerequisites: POCO F3 rooted with Magisk>=24.0.
Steps:
Open Magisk and go to settings, enable both Zygisk and Enforce DenyList. Tap Configure DenyList and check all apps that need to pass SafetyNet. You should probably check all system apps by Google that are usually preinstalled in Android devices, except for com.google.android.gms. Reboot.
Install the module Universal SafetyNet Fix. Make sure you install the latest Zygisk version and not the Riru one. Reboot. Note that after rebooting com.google.android.gms will not be in the DenyList anymore if you checked it during step 1, do not enable it again because you will not pass SafetyNet when it's in the DenyList.
Install module MagiskHide Props Config. Reboot. Open any terminal emulator. Type "su" (without the quotes) then hit enter, give root permission if requested. Type "props" then enter, type "1" then enter, type "f" then enter, type the number for POCO (should be 22) then enter, pick the version for your model, region and Android version then enter, answer yes to all questions including when asked to reboot.
I used this app to run a test after every step:
SafetyNet Helper Sample - Apps on Google Play
Sample app to check if your device passes the Google SafetyNet CTS test
play.google.com
I got a pass on basic integrity after step 2 and a pass on CTS profile match after step 3. I added the app to the DenyList, I'm not sure what the result would be if I didn't do that.
If some apps still complain about root try hiding the Magisk app from Magisk's settings.
Click to expand...
Click to collapse
Although you put your thread in the right place, I miss the Poco F3 in the title of this Guide.
This is why I came across this in a general search and that's actually a shame. Maybe you can edit your title ???
The content of your guide is interesting!

Hi,
I run the Descendant 12 rom and had issues with my banking apps detecting root even after i renamed magisk from within Magisk and adding my banking apps to the DenyList, after much research on XDA i found users freezing magisk to stop prying apps searching for it, the app is called SD MAID
thank you for the updated install instruction for Magisk/Zygisk

Ludoboii said:
All instructions that I was able to find on how to pass SafetyNet on a rooted phone with a custom ROM were for older version of Magisk, so I figured I'd write a guide on how I did it on version 24.3. I'm running LineageOS 18.1 for microG (no gapps) but hopefully it works for other ROMs too. Step 3 is probably not needed for phones using the stock ROM.
Prerequisites: POCO F3 rooted with Magisk>=24.0.
Steps:
Open Magisk and go to settings, enable both Zygisk and Enforce DenyList. Tap Configure DenyList and check all apps that need to pass SafetyNet. You should probably check all system apps by Google that are usually preinstalled in Android devices, except for com.google.android.gms. Reboot.
Install the module Universal SafetyNet Fix. Make sure you install the latest Zygisk version and not the Riru one. Reboot. Note that after rebooting com.google.android.gms will not be in the DenyList anymore if you checked it during step 1, do not enable it again because you will not pass SafetyNet when it's in the DenyList.
Install module MagiskHide Props Config. Reboot. Open any terminal emulator. Type "su" (without the quotes) then hit enter, give root permission if requested. Type "props" then enter, type "1" then enter, type "f" then enter, type the number for POCO (should be 22) then enter, pick the version for your model, region and Android version then enter, answer yes to all questions including when asked to reboot.
I used this app to run a test after every step:
SafetyNet Helper Sample - Apps on Google Play
Sample app to check if your device passes the Google SafetyNet CTS test
play.google.com
I got a pass on basic integrity after step 2 and a pass on CTS profile match after step 3. I added the app to the DenyList, I'm not sure what the result would be if I didn't do that.
If some apps still complain about root try hiding the Magisk app from Magisk's settings.
Click to expand...
Click to collapse
Hi,
I would like to understand better how to use the list in Magisk, If in this list I put a tick on an app. what does it mean?

Sorry for hijacking the post, here is a Youtube video from,
the amazing "Munchy", i found it very helpfull, he has released loads of informative videos regarding android and custom roms.

johnr64 said:
Hi,
I run the Descendant 12 rom and had issues with my banking apps detecting root even after i renamed magisk from within Magisk and adding my banking apps to the DenyList, after much research on XDA i found users freezing magisk to stop prying apps searching for it, the app is called SD MAID
thank you for the updated install instruction for Magisk/Zygisk
Click to expand...
Click to collapse
Freezing Magisk can help, some banking apps are stubborn... Also, SD Maid can freeze apps?

For me personally, I only had to flash the SafetyNet Fix Magisk Module. Using Xiaomi.eu Weekly Android 12.

Ludoboii said:
... added the app to the DenyList, I'm not sure what the result would be if I didn't do that.
...
Click to expand...
Click to collapse
Hi,
I have followed the procedure but checking with SafetyNet it tells me "SafetyNet request: success
Response signature validation: error".
I'm sorry but I didn't understand which app you are referring to that I have to put the flag in DenyList?

pegasoc said:
Hi,
I have followed the procedure but checking with SafetyNet it tells me "SafetyNet request: success
Response signature validation: error".
I'm sorry but I didn't understand which app you are referring to that I have to put the flag in DenyList?
Click to expand...
Click to collapse
I was referring to SafetyNet Helper Sample. I also get the same answer and apps that would previously complain about root have stopped doing it.

pegasoc said:
Hi,
I would like to understand better how to use the list in Magisk, If in this list I put a tick on an app. what does it mean?
Click to expand...
Click to collapse
It means the app will not be able to gain root access nor interact with Magisk in any way, and should not be able to detect Magisk. If you tap on the app name instead of the box you'll get the option to add its various services in the DenyList, I usually add all of them for apps that I want to put in the DenyList. You should also see some sort of progress bar above the app's name after ticking the box, it tells you how many services of that app are in the DenyList. In my case it's full for each app I ticked because I also ticked all its services.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}

I'm still not able to pass safetynet CTS profile, after all these steps :|

tegazinho said:
I'm still not able to pass safetynet CTS profile, after all these steps :|
Click to expand...
Click to collapse
I've been having issues with not passing CTS profile on a couple of roms even after following all tutorials, I wonder what the issue is? Arrowos and crDroid both fail but PixelOS passes (all android 12). Strange this is it doesn't seem to stop any of my banking apps from working. Did you upgrade to Miui 13 stock before unlocking bootloader? What app are you using to test safetynet? YASNAC?

SimpleStevie said:
I've been having issues with not passing CTS profile on a couple of roms even after following all tutorials, I wonder what the issue is? Arrowos and crDroid both fail but PixelOS passes (all android 12). Strange this is it doesn't seem to stop any of my banking apps from working. Did you upgrade to Miui 13 stock before unlocking bootloader? What app are you working u using to test safetynet? YASNAC?
Click to expand...
Click to collapse
No, my bootloader was unlocked back when I bought the phone with the android 11. I've had xiaomi.eu miui version though previously before getting back now to crDroid, which I tried everything in the guide plus a lot of more stuff, like matching the firmware version with the signature on props just, and nothing works.
As for the app, I tried them all, actually YASNAC is my favorite, but for the sake of following this guide I tried the OP suggested app too.
I've must have clean flashed my phone 10 times and rebooted more than 100 times today for everything I've tried. I even went back to magisk 23 to see if I got lucky, but since is not fully supported on A12 was just another miss.
EDIT: Also if PixelOS I can get the safety pass I will install it, I will trade less features for the safety passing, and anything is better than miui or miui look roms like xiaomi.eu (I really hate them).

It's super weird, I've been flashing roms on android phones for as long as I can remember and I've never had an issue that I couldn't fix up til now. I wonder if downgrading to one based on android 11 would work?

"Note that after rebooting com.google.android.gms will not be in the DenyList anymore if you checked it during step 1, do not enable it again because you will not pass SafetyNet when it's in the DenyList."
Thank you! That, I didn't know.

SimpleStevie said:
It's super weird, I've been flashing roms on android phones for as long as I can remember and I've never had an issue that I couldn't fix up til now. I wonder if downgrading to one based on android 11 would work?
Click to expand...
Click to collapse
Note that you may have to adjust the fingerprint of your device to make it appear like running a "legit" rom.

Ludoboii said:
All instructions that I was able to find on how to pass SafetyNet on a rooted phone with a custom ROM were for older version of Magisk, so I figured I'd write a guide on how I did it on version 24.3. I'm running LineageOS 18.1 for microG (no gapps) but hopefully it works for other ROMs too. Step 3 is probably not needed for phones using the stock ROM.
Prerequisites: POCO F3 rooted with Magisk>=24.0.
Steps:
Open Magisk and go to settings, enable both Zygisk and Enforce DenyList. Tap Configure DenyList and check all apps that need to pass SafetyNet. You should probably check all system apps by Google that are usually preinstalled in Android devices, except for com.google.android.gms. Reboot.
Install the module Universal SafetyNet Fix. Make sure you install the latest Zygisk version and not the Riru one. Reboot. Note that after rebooting com.google.android.gms will not be in the DenyList anymore if you checked it during step 1, do not enable it again because you will not pass SafetyNet when it's in the DenyList.
Install module MagiskHide Props Config. Reboot. Open any terminal emulator. Type "su" (without the quotes) then hit enter, give root permission if requested. Type "props" then enter, type "1" then enter, type "f" then enter, type the number for POCO (should be 22) then enter, pick the version for your model, region and Android version then enter, answer yes to all questions including when asked to reboot.
I used this app to run a test after every step:
SafetyNet Helper Sample - Apps on Google Play
Sample app to check if your device passes the Google SafetyNet CTS test
play.google.com
I got a pass on basic integrity after step 2 and a pass on CTS profile match after step 3. I added the app to the DenyList, I'm not sure what the result would be if I didn't do that.
If some apps still complain about root try hiding the Magisk app from Magisk's settings.
Click to expand...
Click to collapse
The same problem with me, I used a MI 11 x indian veron, all apps including Banking apps working fine but Jio sim not working with error you used a rooted device. Any solution plz.

thanks. crdroid 8.5 mi 11x passed safetynet with step 1 and 2 only.

For LineageOS users, we have ih8sn. No need for Magisk/Root.

Odd. I just install magisk, activate zygisk, restart and compose my deny list. Hide magisk launcher. Clear all data for Play Services and Gpay. Restart.
Can use Gpay fine.
My banking apps work fine without Zygisk but Gpay doesn't.
On miui.eu