Gmscore: Is SafetyNet still working without Xposed? What options now for people relying on Xposed signature spoofing?

Note: Magisk/SuperSU/systemless Xposed have been updated and pass SafetyNet again apparently (need to check that here), but my questions/concerns are still valid.

P.S.: OmniROM users, do you know why they aren’t anymore nightly build (https://dl.omnirom.org/) since August 30th?

OK, so I’ve followed http://forum.xda-developers.com/xposed/unofficial-systemless-xposed-t3388268 + http://forum.xda-developers.com/apps/supersu/2014-09-02-supersu-v2-05-t2868133 + http://forum.xda-developers.com/apps/supersu/suhide-t3450396 + http://forum.xda-developers.com/apps/magisk/official-magisk-v7-universal-systemless-t3473445, but it’s not working (I get a “Response validation: fail”).

1. Does any one have success with systemless Xposed + microG?
2. If not, @mar-v-in, could it be related to how su is currently hided by those setup (SuperSU=blacklisting app ID, which in our case might not be the correct one)?

did you try setups:

• without root
• with phh's superuser instead of SuperSU

did you block the uid of microg helper (package name org.microg.gms.droidguard, follow guide in thread) with suhide?

Note that the DroidGuard thing in microG is still at the very beginning, it's kind of expected that it might not work, especially on systems where it is intended to not work!

Setups I’ve tried:

• Without root: using Magisk v6 and systemless Xposed v86.5, it was working previously but not as of y-day. Apparently, from the systemless Xposed thread, root is now required for SafetyNet, which is funny… I can retry same device with v7 and v86.6 if needed, but that would have to wait tomorrow..
• With phh’s superuser: this was my setup on my main device (Magisk v6, phh’s superuser toggle off through Magisk Manager, Xposed v86.5). It was working to up to y-day, but not anymore.

Now that Magisk doesn’t provide root toggle anymore, the recommended way is to use phh’s suhide (which for now needs to be rebuild in order to add support for custom packages outside of SafetyNet — as com.google.android.gms.unstable) or SuperSU. Since I was expecting something like requiring to blacklist more things through suhide in our case, I went with SuperSU, but wasn’t knowing what to block. My setup at this point was Magisk v7 + systemless Xposed v86.6 + SuperSU + suhide, not passing SafetyNet.

So, I’ve just tried blocking org.microg.gms.droidguard, rebooted, but it still does not work (same error as before).

I obviously don’t expected it to work that easily, and indeed I’m reporting this here so you can improve it. ;) I’ll be glad to provide logs if needed, but I don’t even know how to get them to start with.

In the meantime, I might also look at other signature faking methods.

Hum, about blacklisting droidguard, it might in fact have helped, but apparently (from XDA threads but reddit too) SafetyNet (probably DroidGuard in fact, but people over there don’t do any difference) has already been updated again (around 1 hour ago) and now both phh’s hidesu and SuperSU suhide fail SafetyNet. So we can’t know whether that was the issue or not. Definitively going to look for other signature faking methods.

@ArchangeGabriel: Try without root (after patching for signature spoofing), without Magisk and without Xposed, so at least you can verify if microG still works.

That’s what I was going to do. But actually, that was one of my questions: does it still works for your guys without root and Xposed?

Yes, it's still working on my device (unrooted, no Xposed, OmniROM, Nexus 5x)

I can also confirm that it also stopped working for me as of yesterday.
I was using magisk v6 with phh superuser with systemless xposed. I updated Magisk to v7 and phh superuser to r259 and systemless xposed to 86.6 but safetynet still failed. I realized that the new magisk doesnt have a root toggle so that might've be the new problem.

I was using magisk to get around safetynet but the dev no longer supports this feature, which was the killer feature.

Is the only way to continue using microg is with tingle/needle if you want to pass safetynet?

This is ongoing research, we first have to find out all the things DroidGuard is doing to bypass SafetyNet, which is unfortunately not the easiest thing in the world :smile_cat:

OK, got it working after cleaning everything (removed every addition using their uninstaller, then flashed my CM ROM to be sure and restore /system/{x,}bin/su for Tingle), patched framework.jar using Tingle, and then removed /system/{x,}bin/su. SafetyNet is now working. Thanks @ale5000-git for Tingle, and thanks @mar-v-in for everything else.

Unfortunately on my phones I have never been able to get it working, can someone confirm it still works?

It still works on unrooted, no-Xposed, official OmniROM 6.0 releases.

I have removed su binary from a clean CyanogenMod 14.1 (with sig spoof patch) but it still fails, is there any particular thing that it needs to work?

Android 7 might be the problem, will check that.

Still working here too on CM13 without xposed and with su binary removed.

Can’t test on CM14.1 for now since I can’t use MicroG because the ROM is odexed thus not patchable for sig spoofing.

I’m closing this old thread (just stumbled upon it randomly). I might retry Magisk/XPosed some time in the future (haven’t been using them since switching to OmniROM and LOS4μG), but anyway for now μG as a whole does not pass SafetyNet.