
How to bypass SafetyNet Attestation if Bootloader is unlocked

Most of you probably know about rooting an Android smartphone. For those who don’t, rooting is the process that lets Android users gain privileged control over the software. Android is based on the Linux kernel, so rooting an Android device is the equivalent of obtaining superuser permissions on Linux or any other Linux-based operating system. Once you have rooted, you get access to a lot of functions. The catch is that once you root your device, SafetyNet will fail. Over the years, bypassing SafetyNet attestation has become an enormous task. It was super easy initially, but it is now a complicated one. The reason is hardware-backed attestation, which makes hiding root access a massive task. Earlier, installing Magisk would have solved the issue, but that is no longer the case.


The reason for this is the new hardware-backed attestation and the CTS profile updates introduced by Google. Without SafetyNet passing, your favorite apps won’t work. In this article, we will look at fixing this with the new Universal SafetyNet Fix. Recently, some developers used MagiskHide to spoof the result and pass the CTS profile check, but that will not keep working in the future; even the Google Play Store has started using hardware-backed attestation. The problem began in May 2020, when Google started verifying Android devices’ integrity using hardware-backed keys. The new method sends a device-specific Keystore certificate to the SafetyNet servers to confirm whether Verified Boot is enabled. Google later confirmed how the new attestation works. The tech world was in shock, because it had been years since such a drastic change came to SafetyNet validation.

Ways to bypass SafetyNet attestation

What did Magisk do all these years?

Magisk has been famous in the tech world since 2016, when it replaced the long-standing SuperSU. It passed the test by appearing to modify the system without actually changing anything. Custom ROM users worldwide used Magisk to root their smartphones while bypassing the CTS test: it creates a separate environment that hides the root and bootloader status. Since the attestation technique has changed, this no longer works. Magisk can hide the root status but not the bootloader status. The old method will keep working until Google rolls out the change everywhere; so far, Google has made only server-side changes.

The rollout of the new attestation technique depends on the Android version, region, and device brand. To check whether the attestation has changed on your device, open Magisk and tap the Check SafetyNet button. Once the results are out, you will see a new evalType field. It confirms that the new attestation technique has been activated on your device, and it can have either of the following two values.

  • BASIC: shown when only the typical signals and reference data are used for the evaluation.
  • HARDWARE: shown when the new hardware-backed key attestation has been used for the SafetyNet evaluation.

The new field tells you which parameters were used when testing ctsProfileMatch and basicIntegrity. If you see HARDWARE in Magisk, you can be a hundred percent sure that hardware attestation has been activated for your device. However, a developer has found a way to fix this.

How to pass the new hardware-backed attestation?

As we said, a developer has released the Universal SafetyNet Fix module, which helps you bypass the new attestation. Since Google changed the attestation technique, the result turns false when the TrustZone reports that it found an unlocked bootloader, i.e. TrustZone declares that Android Verified Boot is disabled.

The loophole is that when hardware attestation fails to run, SafetyNet switches back to the older attestation method. The Keystore then reports the error “not implemented”. The module takes advantage of this by blocking key attestation access for Google Mobile Services (GMS). However, it will not work on devices running below Android 8 Oreo.
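From the app developer’s side, the fallback described above means that a response which passed with evalType BASIC cannot tell a genuine device apart from one that has blocked hardware attestation. The following Python is an added example (not code from this article or from the Universal SafetyNet Fix project) of how a backend should read the attestation payload: it decodes the JWS, checks the nonce, package name and timestamp, and keeps a BASIC-only pass separate from a HARDWARE pass so the app can decide what to allow. Field names follow Google’s SafetyNet Attestation API response (the payload key is evaluationType, which Magisk displays as evalType); the payloads, nonce, package name and timestamps are constructed for the demo, and signature/x5c chain verification is left out.

```python
import base64
import json

# --- Constructed sample payloads (not real SafetyNet responses) -------------
# Field names follow Google's SafetyNet Attestation API payload; the payload
# key is "evaluationType", which Magisk displays as "evalType".
NONCE = "bm9uY2UtMTIz"          # constructed: base64 of "nonce-123"
PACKAGE = "com.example.bank"    # hypothetical calling app
NOW_MS = 1_600_000_000_000      # constructed "current time" for the demo

SAMPLE_HARDWARE = {             # locked bootloader, hardware-backed evaluation
    "nonce": NONCE,
    "timestampMs": NOW_MS - 2_000,
    "apkPackageName": PACKAGE,
    "ctsProfileMatch": True,
    "basicIntegrity": True,
    "evaluationType": "BASIC,HARDWARE",
}
SAMPLE_BASIC_ONLY = {           # what the software-path fallback yields
    **SAMPLE_HARDWARE,
    "evaluationType": "BASIC",
}
SAMPLE_FAILED = {               # unlocked bootloader reported by the hardware
    **SAMPLE_HARDWARE,
    "ctsProfileMatch": False,
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_jws(payload: dict) -> str:
    """Build an UNSIGNED JWS compact serialization for the demo only.
    Real responses carry an RS256 signature and an x5c certificate chain
    that must be validated before the payload is trusted."""
    header = b64url_encode(json.dumps({"alg": "RS256", "x5c": []}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


def decode_jws_payload(jws: str) -> dict:
    """Split a compact JWS and decode its payload. Signature verification is
    out of scope for this demo; a production verifier must not skip it."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def evaluate_attestation(payload: dict, expected_nonce: str,
                         expected_package: str, now_ms: int,
                         max_age_ms: int = 10 * 60 * 1000) -> dict:
    """Classify a decoded payload as 'reject', 'low_assurance' or 'trusted'.

    A BASIC-only pass is exactly what a device produces once hardware
    attestation is unavailable and SafetyNet falls back to the software
    path, so it is kept apart from a HARDWARE pass."""
    reasons = []
    if payload.get("nonce") != expected_nonce:
        reasons.append("nonce mismatch (replayed or foreign response)")
    if payload.get("apkPackageName") != expected_package:
        reasons.append("apkPackageName mismatch")
    age = now_ms - int(payload.get("timestampMs", 0))
    if age < 0 or age > max_age_ms:
        reasons.append("timestampMs outside the accepted window")
    if payload.get("basicIntegrity") is not True:
        reasons.append("basicIntegrity is not true")
    if payload.get("ctsProfileMatch") is not True:
        reasons.append("ctsProfileMatch is not true")

    # evaluationType is a comma-separated list, e.g. "BASIC,HARDWARE"
    eval_types = {t.strip() for t in payload.get("evaluationType", "").split(",")}
    eval_types.discard("")

    if reasons:
        verdict = "reject"
    elif "HARDWARE" in eval_types:
        verdict = "trusted"
    else:
        verdict = "low_assurance"   # passed, but only on the software path
    return {"verdict": verdict, "evaluationType": sorted(eval_types), "reasons": reasons}


def run_demo() -> dict:
    """Round-trip the three constructed payloads through JWS encode/decode
    and return their verdicts keyed by sample name."""
    samples = {"hardware": SAMPLE_HARDWARE,
               "basic_only": SAMPLE_BASIC_ONLY,
               "failed": SAMPLE_FAILED}
    return {
        name: evaluate_attestation(decode_jws_payload(make_sample_jws(p)),
                                   NONCE, PACKAGE, NOW_MS)["verdict"]
        for name, p in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:11s} -> {verdict}")
```

The three verdicts are deliberately distinct: a backend that only checks ctsProfileMatch and basicIntegrity treats the first two samples identically, while one that also reads evaluationType can reserve high-risk actions for HARDWARE results and apply extra checks to BASIC-only ones.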

Which devices are compatible with the new module?

The module has been tested on a dozen smartphones and is compatible with devices running Android 8 Oreo, Android 9 Pie, Android 10, and the latest Android 11. Here is the list of devices that have been tested to date.

  • Asus Zenfone Max Pro M1 (Android 9 Pie)
  • All Google Pixel devices starting from the Pixel 3 XL, followed by the Pixel 3a, Pixel 4 XL, Pixel 4a, Pixel 4a 5G, and Pixel 5.
  • Motorola Moto Z Play (Android 9 stock firmware)
  • OnePlus 8 (OOS 11.0.3.3 / Android 11)
  • OnePlus 8 Pro
  • Huawei Mediapad M5
  • Poco F1 (Android 11 – MIUI V12.0.3.0)
  • Poco F2 Pro (Android 11 – One OS ROM)
  • Poco X3 (MIUI V12.0.7.0)
  • Realme 6
  • Samsung Galaxy A20 
  • Samsung Galaxy A40
  • Samsung Galaxy S9 (Android 10)
  • Samsung Galaxy S10 (Android 10)
  • Samsung Galaxy S20+ (Android 11)
  • Samsung Galaxy S20 FE (Android 11)
  • Samsung Galaxy Tab A7 10.4 (Android 10)
  • Mi 9 (Android 11) 
  • Mi 9T Pro (Android 11)
  • Mi Mix 3 5G (Android 9 Pie)
  • Mi Note 10 Lite
  • Redmi Note 9 Pro (MIUI V12.0.3.0)
  • Redmi Note 9s

How to use the Universal SafetyNet Fix to bypass SafetyNet attestation on your device?

  • First, enable MagiskHide and make sure that your device will pass the necessary attestation.

To pass this test, you must hide Magisk. If you don’t know how, follow the steps below.

  1. First, press the cog icon at the top-right.
  2. This opens the Settings menu.
  3. From here, scroll down to the ‘Magisk’ section and turn on the toggle next to MagiskHide.
  4. Magisk is now hidden; from here, also make sure to hide it from all Google and banking apps.
  5. Then go back to the main menu and tap the Check SafetyNet button.
  6. Make sure that your device passes the basicIntegrity test.

  • Next, install the Universal SafetyNet Fix module on your device.

You can download the module from the following links. Then follow these steps to install it.

  1. Navigate to the Modules section (tap the last icon on the bottom navbar).
  2. Select the Install from Storage button, which opens the file selection window. Navigate to the device storage and tap the module file you downloaded.
  3. Once Magisk has installed the module, restart your device.
  4. Open Magisk again and tap the Check SafetyNet button. In 90% of cases it will pass the test: evalType shows BASIC and the other checks show Passed. If it did not pass, follow the steps below.

  • If needed, install MagiskHide Props Config to pass the CTS profile check.

  1. In some cases SafetyNet still will not pass, so you should use the MagiskHide Props Config module.
  2. Open the Magisk app and navigate to the Modules section.
  3. Search for MagiskHide Props Config.
  4. Download and install it, then reboot your device once the installation is done.
  5. Read the module’s thread to configure MagiskHide Props Config.
  6. Once configured, check whether SafetyNet passes by tapping the Check SafetyNet button.

Before ending this post, we want to thank Danny Lin, popularly known as kdrag0n on XDA-Developers and GitHub. So, this was our guide to bypassing SafetyNet attestation on your device. Do share the article with your friends who use custom ROMs, and comment if you have any doubts about the topic.