Gmscore: SafetyNet started failing

Last I checked SafetyNet on my phone it passed. When I saw your issue posted, I tried again and I am now getting the same CTS profile match fail result as you. To the best of my knowledge, nothing on my phone that should affect SafetyNet has changed (same versions/builds of Android, microG, etc.) So I can confirm your issue.

OK, since I’ve seen no sign of such an issue on forum of Magisk users for instance, I suppose this is quite μG specific. So we will have to wait for @mar-v-in to take a look at it.

It isn't a problem with microG but more likely with the ROM.
I currently pass SafetyNet completely.

An official LineageOS ROM usually pass SafetyNet while an unofficial one may not pass it (for example because isn't signed).

But there may be additional problems:

• If you install root (even if disabled) your device may not pass SafetyNet, you may be able to hide it but an update to SafetyNet may break you
• If your device support verified boot (and if it fail because you have installed a custom ROM) your device may not pass SafetyNet (until you patch the ROM to simulate the missing support for it)
• If you install Xposed or Magisk your device may not pass SafetyNet (if it isn't hidden to SafetyNet); patching the ROM for signature spoofing can't be detected by SafetyNet

@ale5000-git - None of you points explains my situation: SafetyNet test passed a few weeks ago and doesn't pass now. No change in my ROM, microG, etc.

• I don't have root installed.
• Not sure if the phone supports verified boot or not, but it hasn't changed.
• I don't have Xposed, Magisk or other equivalent software installed.

@n76
Have you done any OTA update?
Have you flashed any ZIP?
I'm not sure but everything can possible break it.

I suggest to try a full wipe to be sure that it isn't a "casual" problem.

The problem may also depend on how you install microG.
My flashable zip also mimic the filenames of real GApps (in some parts), I don't think it matter but just in case.

@ale5000-git
I switched from installing microG into a "normal" distribution to using Lineage with microG. So the only ZIP I've been flashing is the one for my phone from the downloads page.

I do have F-Droid set up with the microG repository and assure that I've the latest versions from that installed. (Signature for microG is the same on the ROM and repository so there is no issue with updating from the repository.)

@ale5000-git It’s way worse than that, I had it working before going to sleep but not when waking up ~8 hours later. Absolutely nothing has changed between those two attempts, the only thing the phone did during this time is… nothing. It was in airplane mode, and that’s all. Not even used it for alarm.

As stated above, I have no root, no Magisk, no Xposed, nothing. Just using official OmniROM. I have two affected phones, a OnePlus One, on which I’m going to try a clean flash (OmniROM and then LineageOS4uG to check), and that does not support verified boot, and a OnePlus 5T, that does support verified boot but of course verified boot is currently disabled because OmniROM, but the important point is that is was working literally just before, so even if not everyone is affected, this is definitively a change in DroidGuard.

So, what we need to figure out is what are the condition for SafetyNet to be tripped, and how to solve it.

@ale5000-git @n76 What ROM are you using (and eventually device)?

SafetyNet fail also if you haven't an internet connection (maybe it fail also if it is inconstant).
Probably also if the firewall block it.

@ArchangeGabriel: Official LineageOS 14.1 on Galaxy S2 + microG unofficial installer.

I had an internet connection of course, I was just saying it was in airplane mode in the eight hours span during my two trials.

I’ll try the LineageOS4uG right now on my OPO.

Does not work either with LineageOS for uG on OPO:

02-07 14:57:52.050 10063 10063 D SafetyNetHelperSAMPLE: SafetyNet start request
02-07 14:57:52.054  4671  5210 D AudioService: Stream muted, skip playback
02-07 14:57:52.056 10063 10063 D SafetyNetHelper: apkCertificateDigests:[MZNsDhz8VAJMmFxPPso38ZRvZE6r7VIyzUqypkakG8E=]
02-07 14:57:52.101 10063 10063 D SafetyNetHelper: apkDigest:ETDTA7RlBujNlWPPrqXoNjm5jFhIzrCa/XwnUIWh6GM=
02-07 14:57:52.108  9034  9046 D SafeParcel: Unknown field num 9 in com.google.android.gms.common.internal.GetServiceRequest, skipping.
02-07 14:57:52.108  9034  9046 D GmsSafetyNetClientSvc: bound by: GetServiceRequest{serviceId=SAFETY_NET_CLIENT, gmsVersion=10084000, packageName='com.scottyab.safetynet.sample', extras=Bundle[{}]}
02-07 14:57:52.117 10063 10063 V SafetyNetHelper: Google play services connected
02-07 14:57:52.117 10063 10063 V SafetyNetHelper: running SafetyNet.API Test
02-07 14:57:52.163 10300 10337 W GmsDroidguardHelper: 
02-07 14:57:52.163 10300 10337 W GmsDroidguardHelper: java.lang.NoSuchFieldException: BUILD
02-07 14:57:52.163 10300 10337 W GmsDroidguardHelper:   at java.lang.Class.getField(Class.java:1549)
02-07 14:57:52.163 10300 10337 W GmsDroidguardHelper:   at org.microg.gms.droidguard.DroidguardHelper.createSystemInfoPair(DroidguardHelper.java:169)
02-07 14:57:52.163 10300 10337 W GmsDroidguardHelper:   at org.microg.gms.droidguard.DroidguardHelper.getSystemInfo(DroidguardHelper.java:117)
02-07 14:57:52.163 10300 10337 W GmsDroidguardHelper:   at org.microg.gms.droidguard.DroidguardHelper.guard(DroidguardHelper.java:64)
02-07 14:57:52.163 10300 10337 W GmsDroidguardHelper:   at org.microg.gms.droidguard.RemoteDroidGuardService$1$1.run(RemoteDroidGuardService.java:23)
02-07 14:57:52.163 10300 10337 W GmsDroidguardHelper:   at java.lang.Thread.run(Thread.java:761)
02-07 14:57:52.174 10300 10337 D GmsDroidguardHelper: -- Request --
02-07 14:57:52.174 10300 10337 D GmsDroidguardHelper: DGRequest{usage=DGUsage{type=attest, packageName=com.google.android.gms}, info=[KeyValuePair{key=BUILD, val=unknown}, KeyValuePair{key=BOARD, val=MSM8974}, KeyValuePair{key=BOOTLOADER, val=unknown}, KeyValuePair{key=BRAND, val=oneplus}, KeyValuePair{key=CPU_ABI, val=armeabi-v7a}, KeyValuePair{key=CPU_ABI2, val=armeabi}, KeyValuePair{key=DEVICE, val=A0001}, KeyValuePair{key=DISPLAY, val=bacon-userdebug 7.1.2 NJH47F 20180205 dev-keys}, KeyValuePair{key=FINGERPRINT, val=oneplus/bacon/A0001:6.0.1/MHC19Q/ZNH2KAS1KN:user/release-keys}, KeyValuePair{key=HARDWARE, val=bacon}, KeyValuePair{key=HOST, val=2d89f046753e}, KeyValuePair{key=ID, val=NJH47F}, KeyValuePair{key=MANUFACTURER, val=OnePlus}, KeyValuePair{key=MODEL, val=A0001}, KeyValuePair{key=PRODUCT, val=bacon}, KeyValuePair{key=RADIO, val=DI.3.0.c6-00241-M8974AAAAANAZM-1}, KeyValuePair{key=SERIAL, val=f9803a9}, KeyValuePair{key=TAGS, val=dev-keys}, KeyValuePair{key=TIME, val=1517798491000}, KeyValuePair{key=TYPE, val=user}, KeyValuePair{key=USER, val=root}, KeyValuePair{key=CODENAME, val=REL}, KeyValuePair{key=INCREMENTAL, val=216677e7a7}, KeyValuePair{key=RELEASE, val=7.1.2}, KeyValuePair{key=SDK, val=25}, KeyValuePair{key=SDK_INT, val=25}], versionNamePrefix=9.6.83 (430-, isGoogleCn=false, enableInlineVm=true, cached=[ByteString[size=20 md5=2b8833acccb8fe7894f463bbf3f7bebc]], currentVersion=3, arch=armv7l}
02-07 14:57:52.248 10300 10337 D GmsDroidguardHelper: Using cached file from /data/user/0/org.microg.gms.droidguard/app_dg_cache/2f2dbd0fd341afc7d36bd44feff6262c66a35639/the.apk
02-07 14:57:52.352 10337 10337 W Thread-3: type=1400 audit(0.0:38): avc: denied { read } for name="net" dev="sysfs" ino=7030 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0
02-07 14:57:52.478 10300 10337 D SysHook : Replaced TreeSet with specially designed version
02-07 14:57:52.489 10337 10337 W Thread-3: type=1400 audit(0.0:39): avc: denied { read } for name="/" dev="rootfs" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0
02-07 14:57:52.489 10337 10337 W Thread-3: type=1400 audit(0.0:40): avc: denied { read } for name="/" dev="rootfs" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0
02-07 14:57:52.492 10337 10337 W Thread-3: type=1400 audit(0.0:41): avc: denied { read } for name="/" dev="rootfs" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0
02-07 14:57:52.507 10300 10337 D GmsDroidguardHelper: b -> 0
02-07 14:57:52.549 10337 10337 W Thread-3: type=1400 audit(0.0:42): avc: denied { read } for name="/" dev="tmpfs" ino=6826 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:device:s0 tclass=dir permissive=0
02-07 14:57:52.555 10300 10337 D GmsDroidguardHelper: c -> com.google.android.gms
02-07 14:57:52.603 10063 10063 D SafetyNetResponse: decodedJWTPayload json:{"nonce":"XWXaPgdZ9jZ9CfhZ7PDafjdGqa3P3khg9RF6ilEKz/g=","timestampMs":1518011872587,"ctsProfileMatch":false,"apkCertificateDigestSha256":[],"basicIntegrity":false,"advice":"RESTORE_TO_FACTORY_ROM"}
02-07 14:57:52.603 10063 10063 D SafetyNetHelperSAMPLE: SafetyNet req success: ctsProfileMatch:false and basicIntegrity, false

@ale5000-git Could you post a working logcat for comparison? I’m wondering whether there is an issue with BUILD.

@ArchangeGabriel I am currently running lineage-14.1-20180117-microG-harpia.zip downloaded from https://download.lineage.microg.org/harpia/ on my Moto G4 Play (XT1607 RETUS). That particular build is no longer in that directory. It is probably time for me to upgrade to a February build to get the latest security updates. . .

@n76 February patches are not in yet. Anyway, we have both OmniROM and LineageOS-uG affected on three different devices, all of them without root and regarding my OnePlus One even with clean flashing.

[ 02-07 23:49:17.516 13759:13759 V/c        ]
running SafetyNet.API Test

[ 02-07 23:49:17.665  2359:12891 I/ActivityManager ]
Start proc 13799:com.google.android.gms.unstable/u0a33 for service org.microg.gms.droidguard/.RemoteDroidGuardService

[ 02-07 23:49:17.790 13799:13799 I/art      ]
Starting a blocking GC AddRemoveAppImageSpace

[ 02-07 23:49:17.791 13799:13799 W/System   ]
ClassLoader referenced unknown path: /system/priv-app/DroidGuard/lib/arm

[ 02-07 23:49:17.845 13799:13814 D/libEGL   ]
loaded /system/lib/egl/libEGL_mali.so

[ 02-07 23:49:17.862 13799:13814 D/libEGL   ]
loaded /system/lib/egl/libGLESv1_CM_mali.so

[ 02-07 23:49:17.907 13799:13815 D/NetworkSecurityConfig ]
No Network Security Config specified, using platform default

[ 02-07 23:49:17.910 13799:13815 W/System   ]
ClassLoader referenced unknown path: /system/framework/tcmclient.jar

[ 02-07 23:49:17.923 13799:13814 D/libEGL   ]
loaded /system/lib/egl/libGLESv2_mali.so

[ 02-07 23:49:17.948 13799:13815 D/GmsDroidguardHelper ]
-- Request --
DGRequest{usage=DGUsage{type=attest, packageName=com.google.android.gms}, info=[KeyValuePair{key=BOARD, val=smdk4210}, KeyValuePair{key=BOOTLOADER, val=unknown}, KeyValuePair{key=BRAND, val=Samsung}, KeyValuePair{key=CPU_ABI, val=armeabi-v7a}, KeyValuePair{key=CPU_ABI2, val=armeabi}, KeyValuePair{key=DEVICE, val=GT-I9100}, KeyValuePair{key=DISPLAY, val=lineage_i9100-userdebug 7.1.2 NJH47F d671ee8657}, KeyValuePair{key=FINGERPRINT, val=samsung/GT-I9100/GT-I9100:4.1.2/JZO54K/I9100XWMS2:user/release-keys}, KeyValuePair{key=HARDWARE, val=smdk4210}, KeyValuePair{key=HOST, val=agrippa.acc.umu.se}, KeyValuePair{key=ID, val=NJH47F}, KeyValuePair{key=MANUFACTURER, val=samsung}, KeyValuePair{key=MODEL, val=GT-I9100}, KeyValuePair{key=PRODUCT, val=GT-I9100}, KeyValuePair{key=RADIO, val=unknown}, KeyValuePair{key=SERIAL, val=000980d34f3d7f}, KeyValuePair{key=TAGS, val=release-keys}, KeyValuePair{key=TIME, val=1516797199000}, KeyValuePair{key=TYPE, val=user}, KeyValuePair{key=USER, val=jenkins}, KeyValuePair{key=CODENAME, val=REL}, KeyValuePair{key=INCREMENTAL, val=d671ee8657}, KeyValuePair{key=RELEASE, val=7.1.2}, KeyValuePair{key=SDK, val=25}, KeyValuePair{key=SDK_INT, val=25}], versionNamePrefix=10.0.84 (430-, isGoogleCn=false, enableInlineVm=true, cached=[ByteString[size=20 md5=cb4e88399f46561c5af157eef491ee0c], ByteString[size=20 md5=2b8833acccb8fe7894f463bbf3f7bebc]], currentVersion=3, arch=armv7l}

[ 02-07 23:49:19.641 13799:13815 D/GmsDroidguardHelper ]
Using provided response data for /data/user/0/org.microg.gms.droidguard/app_dg_cache/980ab1b823cbef217c920c908d508455788d5b2c.apk

[ 02-07 23:49:19.859 13822:13822 I/dex2oat  ]
/system/bin/dex2oat --dex-file=/data/user/0/org.microg.gms.droidguard/app_dg_cache/980ab1b823cbef217c920c908d508455788d5b2c/the.apk --oat-fd=37 --oat-location=/data/user/0/org.microg.gms.droidguard/app_dg_cache/980ab1b823cbef217c920c908d508455788d5b2c/opt/the.dex --compiler-filter=speed

[ 02-07 23:49:19.859 13822:13822 E/cutils-trace ]
Error opening trace file: No such file or directory (2)

[ 02-07 23:49:20.289 13822:13822 I/dex2oat  ]
dex2oat took 432.512ms (threads: 2) arena alloc=312KB (319600B) java alloc=70KB (72096B) native alloc=493KB (505616B) free=1554KB (1591536B)

[ 02-07 23:49:20.427  1987: 2063 D/Yamaha-MC1N2-Audio ]
yamaha_mc1n2_audio_output_stop()

[ 02-07 23:49:20.427  1987: 2063 D/Yamaha-MC1N2-Audio ]
yamaha_mc1n2_audio_route_start()

[ 02-07 23:49:20.577 13799:13815 D/GmsDroidguardHelper ]
c -> com.google.android.gms

[ 02-07 23:49:20.581 13799:13815 D/GmsDroidguardHelper ]
b -> 4136736405143157405

[ 02-07 23:49:20.593 13815:13815 W/Thread-2 ]
type=1400 audit(0.0:893): avc: denied { search } for name="1986" dev=proc ino=36092 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:zygote:s0 tclass=dir permissive=0

[ 02-07 23:49:20.868 13815:13815 W/Thread-2 ]
type=1400 audit(0.0:894): avc: denied { read } for name="/" dev=tmpfs ino=373 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:device:s0 tclass=dir permissive=0

[ 02-07 23:49:20.890 13799:13815 E/         ]
Device driver API match
Device driver API version: 29
User space API version: 29 

[ 02-07 23:49:20.890 13799:13815 E/         ]
mali: REVISION=Linux-r3p2-01rel3 BUILD_DATE=Tue Jul 22 19:59:34 KST 2014 

[ 02-07 23:49:20.941 13799:13815 D/GmsDroidguardHelper ]
a: [removed] -> [removed]
7=ARM:Mali-400 MP
8=[removed]
9=[removed]

[ 02-07 23:49:21.675 13759:13759 D/d        ]
decodedJWTPayload json:{"nonce":"[removed]","timestampMs":1518043762800,"apkPackageName":"org.freeandroidtools.safetynettest","apkDigestSha256":"[removed]","ctsProfileMatch":true,"apkCertificateDigestSha256":["[removed]"],"basicIntegrity":true}

You have scontext=u:r:untrusted_app:s0:c512,c768
instead I have scontext=u:r:priv_app:s0:c512,c768

Try to put both microG GmsCore and DroidGuard Helper in /system/priv-app to fix it.
Also in yours I see advice":"RESTORE_TO_FACTORY_ROM" probably for the same cause.

If it still do not work try the official LineageOS (without microG) and then a flashable microG zip.

@ale5000-git Seems you are correct. Doing the following for me gets SafetyNet to pass:

$ adb root
$ adb remount
$ adb push org.microg.gms.droidguard.apk /system/priv-app/
$ adb reboot

I guess I must have upgraded my Lineage with microG after my last successful SafetyNet test. Seems like Lineage with microG ought to install DroidGuard helper along with the other parts of microG.

OK, so this did it. Still, it means something changed on DroidGuard side and that it now requires additional rights, which is never good news.

However, I think that Lineage with uG should still not install DroidGuard Helper at all, it’s quite invasive and not needed by everyone.

And thank you @ale5000-git for figuring this out.

For me it never worked as user app, it is possible you was having DroidGuard Helper as both system and user app and it worked but the OTA update removed the system app.

For me it is fine to have it installed with Lineage with uG since microG GmsCore have it disabled by default, so having it installed doesn't mean anything.

No, I’m sure I wasn’t having it as system-app, and also I remind you that nothing happened on my phone between working and non-working state. It was definitively working as user-app, but not anymore. Even GmsCore is not system-app on my system.

That’s right, SafetyNet being disabled by default, having DroidGuard lying somewhere might not be an issue. @corna should have a look at it. ;)

On many ROMs you won't get location binding if GmsCore is not a system app.
Beside that being a system app will also reduce problems; if you wipe the phone and you don't remember to install GmsCore before other apps you will have a lot of not-working things.

I know, but I use OmniROM so I’m not affected by this first point AFAIK (though I admit having not tried network location with my OnePlus 5T yet, since the GPS works everywhere) and I don’t use GCM so I don’t really need GmsCore to be installed before anything else.

It seems that GmsCore must be installed as system-app for network location to work even under OmniROM apparently… Not sure if that is expected or an issue.

Anyway, this mean that every week I have to push back DroidGuard and GmsCore to /system/priv-app after OTA update… Is there a way to make a flashable zip just installing those two components? Because apparently OmniROM OTA can flash zips in a specific folder after update.

I built LineageOS with patches to allow location providers outside /system and signature spoofing. I installed microG and DroidGuard as normal apps (non-privileged). SafetyNet works enough to start Pokemon GO (Basic Integrity is true, CTS profile match is false).

When using the LineageOS for microG ROM, SafetyNet fails both checks and Pokemon GO fails to start. This started happening relatively recently. I haven't tried pushing DroidGuard to priv-app.

So it seems DroidGuard has to be installed with GmsCore in the same location (standard apps or privileged) in order to work now?

No, it must be installed in privileged app folder due to SELinux.
The position of GmsCore doesn't matter.

I’m surprised PoGO works for you with CTS false… Anyway, sometimes DroidGuard as normal app works, but every time it fails, pushing it to /system/priv-app made it work.

Less than 30 minutes ago, SafetyNet started failing again. Both LineageOS4μG and OmniROM, with DroidGuard in /system/priv-app. Anyone else confirming?

Logcat:

04-09 10:56:45.637  4254  4254 D SafetyNetHelperSAMPLE: SafetyNet start request
04-09 10:56:45.642  4254  4254 D SafetyNetHelper: apkCertificateDigests:[MZNsDhz8VAJMmFxPPso38ZRvZE6r7VIyzUqypkakG8E=]
04-09 10:56:45.687  4254  4254 D SafetyNetHelper: apkDigest:ETDTA7RlBujNlWPPrqXoNjm5jFhIzrCa/XwnUIWh6GM=
04-09 10:56:45.693  3407  4278 D SafeParcel: Unknown field num 9 in com.google.android.gms.common.internal.GetServiceRequest, skipping.
04-09 10:56:45.693  3407  4278 D GmsSafetyNetClientSvc: bound by: GetServiceRequest{serviceId=SAFETY_NET_CLIENT, gmsVersion=10084000, packageName='com.scottyab.safetynet.sample', extras=Bundle[{}]}
04-09 10:56:45.703  4254  4254 V SafetyNetHelper: Google play services connected
04-09 10:56:45.703  4254  4254 V SafetyNetHelper: running SafetyNet.API Test
04-09 10:56:45.761  4281  4328 D GmsDroidguardHelper: -- Request --
04-09 10:56:45.761  4281  4328 D GmsDroidguardHelper: DGRequest{usage=DGUsage{type=attest, packageName=com.google.android.gms}, info=[KeyValuePair{key=BOARD, val=MSM8974}, KeyValuePair{key=BOOTLOADER, val=unknown}, KeyValuePair{key=BRAND, val=oneplus}, KeyValuePair{key=CPU_ABI, val=armeabi-v7a}, KeyValuePair{key=CPU_ABI2, val=armeabi}, KeyValuePair{key=DEVICE, val=A0001}, KeyValuePair{key=DISPLAY, val=bacon-userdebug 7.1.2 NJH47F 20180404 dev-keys}, KeyValuePair{key=FINGERPRINT, val=oneplus/bacon/A0001:6.0.1/MHC19Q/ZNH2KAS1KN:user/release-keys}, KeyValuePair{key=HARDWARE, val=bacon}, KeyValuePair{key=HOST, val=14712d0abb5d}, KeyValuePair{key=ID, val=NJH47F}, KeyValuePair{key=MANUFACTURER, val=OnePlus}, KeyValuePair{key=MODEL, val=A0001}, KeyValuePair{key=PRODUCT, val=bacon}, KeyValuePair{key=RADIO, val=unknown}, KeyValuePair{key=SERIAL, val=f9803a9}, KeyValuePair{key=TAGS, val=dev-keys}, KeyValuePair{key=TIME, val=1522811665000}, KeyValuePair{key=TYPE, val=user}, KeyValuePair{key=USER, val=root}, KeyValuePair{key=CODENAME, val=REL}, KeyValuePair{key=INCREMENTAL, val=a85be089c9}, KeyValuePair{key=RELEASE, val=7.1.2}, KeyValuePair{key=SDK, val=25}, KeyValuePair{key=SDK_INT, val=25}], versionNamePrefix=10.0.84 (430-, isGoogleCn=false, enableInlineVm=true, cached=[ByteString[size=20 md5=bc68b97ff4517bc116cdea1d38e40cf0], ByteString[size=20 md5=fe52fda8d68281f7402a287161c26252], ByteString[size=20 md5=729de0272dc9b6287c1064d60ec83b97], ByteString[size=20 md5=69ddec86ff6b69c952aac03633b7ac85], ByteString[size=20 md5=fd0b06bdf688e65c3180145244166a95], ByteString[size=20 md5=7bc9230cd2666d7fd3db7830d8213021], ByteString[size=20 md5=555123379ef02f4811b4743c7923e7e1], ByteString[size=20 md5=b038b9114fde93b2a0bd3eeb33036834]], currentVersion=3, arch=armv7l}
04-09 10:56:46.071  4281  4328 D GmsDroidguardHelper: Using cached file from /data/user/0/org.microg.gms.droidguard/app_dg_cache/bbb07e2667c85f792643d6f33261226472f58c7f/the.apk
04-09 10:56:46.339  4281  4328 D GmsDroidguardHelper: b -> 0
04-09 10:56:46.378  4281  4328 D GmsDroidguardHelper: c -> com.google.android.gms
04-09 10:56:46.378  4328  4328 W Thread-3: type=1400 audit(0.0:15): avc: denied { read } for name="/" dev="tmpfs" ino=6842 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:device:s0 tclass=dir permissive=0
04-09 10:56:46.549  4254  4254 D SafetyNetResponse: decodedJWTPayload json:{"nonce":"2evYOeNcax/5lmAhQJYuFeMwpIQrPmcFYBnv0VW3Hbs=","timestampMs":1523264207077,"ctsProfileMatch":false,"apkCertificateDigestSha256":[],"basicIntegrity":false,"advice":"RESTORE_TO_FACTORY_ROM"}
04-09 10:56:46.550  4254  4254 D SafetyNetHelperSAMPLE: SafetyNet req success: ctsProfileMatch:false and basicIntegrity, false

I can confirm, just checked it, Android 7.1.2, shall get a logcat later...

Logcat during safetynet test with filter guard|safety:

<snipped>

Is that sufficient? (are there any personal details that I should scrub?)

Same here; something dramatic must have changed. I was using microG Core v0.2.4-22-gcb356d2 and Droidguard 0.1.0-4-g0ca6fb2 without problems. About 14 hours ago Safetynet startet to fail, although no changes were made on the phone.
After updating microG files to newer versions logcat-output for "SafetyNet Helper Sample 0.5" looks basically the same as ArchangeGabriel's (I only have other OS, phone, CPU, etc.).

Could this be a reason? Google Play Certification

I don't think so.
Another user replaced microG with a sort of gapps (here: https://github.com/microg/android_packages_apps_GmsCore/issues/510#issuecomment-379859128 ) and the phone worked. So his phone failed because of microG.

I'm not sure if i is a good idea to post all this in an old thread.

@JonnyTech This is not the reason, but it is deeply linked. As I said in #510, Google started enforcing certification y-day, and this certification relies on SafetyNet to pass. They have probably issued an update to DroidGuard or SafetyNet at the same time they started to enforce certification, which means that μG (as long as communication with Google Servers is involved) is currently OOO, including its SafetyNet implementation.

On my end I’ve installed LOS+Pico OpenGAPPS (and did not register any Google Account) on my old device for the only app I use that is affected while waiting for @mar-v-in to come with a solution.

Is it possible to install even less Gapps than in pico OpenGapps?
As far as I know Pico OpenGapps contains: Google system base, Google Android Shared Services, Google Play Store, Google Calendar Sync, Dialer Framework, Google Package Installer (replaces stock/AOSP Package Installer), Google Play services
I coudn't find any information about dependencies between these programs.
It looks like SafetyNet requires Google Play services (but I'm not even sure about this).

Yes, I think you can restrict to Google Play services only. I’ve disabled all other apps from my Pico installation and it works. But maybe disabled and not installed isn’t the same.

From my little understanding of things, DroidGuardHelper makes a POST request to https://www.googleapis.com/androidantiabuse/v1/x/create?alt=PROTO&key=AIzaSyBofcZsgLSS7BOnBjZPEkk4rYwzOIz-lTI with "User-Agent: DroidGuard/10084430".

Then it finds an URL in the response: https://www.gstatic.com/droidguard/00F8692B14190D1C406260EA096D996445DEA8D3

The response is a .jar java archive containing libd7EE82C0B4C66.so, which is a ELF 32 bits LSB shared object.

In the URL https://www.gstatic.com/droidguard/00F8692B14190D1C406260EA096D996445DEA8D3 we have 00F8692B14190D1C406260EA096D996445DEA8D3 that is a checksum of an APK. For example if we replace it with C4C74D1D1373D60A118D28109D7FFAECA7A892F4 (found on the net) we get another .jar containing ELF 64 bits LSB shared object "libd219EE8D6C12D.so".

My thoughts are that the URL https://www.googleapis.com/androidantiabuse/v1/x/create?alt=PROTO&key=AIzaSyBofcZsgLSS7BOnBjZPEkk4rYwzOIz-lTI combined with the user-agent DroidGuard/10084430 does not generate the right link and then we do not download the right .jar, leading to force close of DroidGuardHelper. If we modify the user-agent we also get the same wrong URL so maybe it's just that the user-agent is wrong or that there is some missing POST parameters...

@gabsoftware if the downloaded droidguard binary isn't the correct one, that is most likely because of the POST data being wrong, not the User-Agent.

For the record, on my Fairphone 2 running LineageOS, I get https://www.gstatic.com/droidguard/322D473B5C6076250D7A2CE450FEF526F05A89C4 which is 32-bit as expected, but gets bitten by SELinux, I'm not sure that should happen:

06-06 11:34:44.115 5161 5161 W Thread-2: type=1400 audit(0.0:42): avc: denied { read } for name="/" dev="tmpfs" ino=7035 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:device:s0 tclass=dir permissive=0

Assuming the served binary is not the correct one (as hinted by https://github.com/microg/android_packages_apps_RemoteDroidGuard/issues/18), I'll try to have a look at why that may be the case (keep in mind that I don't really know how SNet/DroidGuard works, so don't get your hopes up)

EDIT: getSystemInfo is missing SUPPORTED_ABIS, which might explain 32b binaries on 64b systems I guess? But adding it does not solve things for me (I have a 32b CPU anyway). There might also be some fields missing in DGRequest, but I'm not too sure about that. Also, maybe that the correct droidguard binary is downloaded and that the issue lies elsewhere…

My downloaded apk looks like this:

│   AndroidManifest.xml
│   classes.dex
│   libd0D41C1DE5D06.so
│   library.txt
│
└───META-INF
        CERT.RSA
        CERT.SF
        MANIFEST.MF

According to the current source code it will never extract the *.so file to the dgCache-lib folder as there is no lib folder in the apk.

Safetynet started failing again?
I was successful sign in for Pokemon GO yesterday, but now, it's failing.

nexus5 hammerhead (16gb)

• lineage-14.1-20180830-nightly-hammerhead-signed.zip
• microG-unofficial-installer-ale5000-v1.0.31-beta-signed.zip
• NanoDroid-patcher-17.9.20180818.zip
• NanoDroid-fdroid-17.9.20180818.zip
• Magisk-v17.1.zip

I'm sorry for my poor English.

Hi,

I'm fairly experienced at programming and want to investigate this issue. What kind of technical knowledge would I need to investigate how SafetyNet works, and why it fails? Do I need to test on an unmodified phone (maybe Lineage with OpenGapps would also pass SafetyNet)?

Somehow my older testbed phone has 64GB of space which can comfortably fit two dual-boot OSes.

The issue is fixed in https://github.com/microg/android_packages_apps_RemoteDroidGuard/pull/19 already.

@ArchangeGabriel for me it's not fixed. I'm testing SafetyNet with Magisk's SafetyNet Check (but maybe that never works?!).

Both core and helper are in priv-apps:

• com.google.android.gms-13280012.apk
• org.microg.gms.droidguard-14.apk

Just updated to latest version 14.1-20180926-falcon (Moto G 1st Gen). Magisk is also latest version v17.2.

Has anybody got this working with a LineageOS v14.1 image?

Does your org.microg.gms.droidguard-14.apk include the linked PR? Can you try with https://play.google.com/store/apps/details?id=com.scottyab.safetynet.sample?

Yes, it does. SafetyNet Helper Sample app fails for response validation with error message:

ApiException[14] 14:

I also get an app crash the first time I try it. Retries do not crash the app anymore.

OK, that’s an unknown issue to me, sorry.

Moto g4 plus, LineageMicroG 7.1.

I intermittently got error [14] versus a failed response, not sure what causes it to switch back and forth.

@jimbo1qaz you mean LineageOS for microG 14.1 (Android 7.1), right? I'm still curious if this is working for someone on LineageOS 14.1...

Fairphone 2 on LineageOS 14.1 (going to switch to 15.1 today) and it seems to work. The SafetyNey helper app returns CTS profile match: false, though, but that doesn't prevent me from playing Pokémon Go (the only other SafetyNet-using thing on my phone)

Le 29 septembre 2018 15:25:18 GMT+02:00, jansohn notifications@github.com a écrit :

@jimbo1qaz you mean LineageOS for microG 14.1 (Android 7.1), right? I'm
still curious if this is working for someone on LineageOS 14.1...

--
You are receiving this because you commented.
Reply to this email directly or view it on GitHub:
https://github.com/microg/android_packages_apps_GmsCore/issues/482#issuecomment-425645114

--
Envoyé de mon appareil Android avec Courriel K-9 Mail. Veuillez excuser ma brièveté.

Moto G4 Plus, LineageOS 14.1 microg edition.

I get "microg droidguard helper has stopped", with or without 0.1.0 as a system app (via my custom unreleased magisk module).

MicroG core is 0.2.6.14280-dirty from Git, with a few local hacks related to gmail.

2018-09-29 06:46:24.733 6846-6880/? E/AndroidRuntime: FATAL EXCEPTION: Thread-2
    Process: com.google.android.gms.unstable, PID: 6846
    java.lang.UnsatisfiedLinkError: dalvik.system.PathClassLoader[DexPathList[[zip file "/system/priv-app/microg-droidguard/org.microg.gms.droidguard-4.apk"],nativeLibraryDirectories=[/system/priv-app/microg-droidguard/lib/arm, /system/fake-libs, /system/priv-app/microg-droidguard/org.microg.gms.droidguard-4.apk!/lib/armeabi-v7a, /system/lib, /vendor/lib, /system/lib, /vendor/lib]]] couldn't find "libarthook_native.so"
        at java.lang.Runtime.loadLibrary0(Runtime.java:984)
        at java.lang.System.loadLibrary(System.java:1562)
        at de.larma.arthook.Native.<clinit>(Native.java:22)
        at de.larma.arthook.Native.is64Bit(Native.java:45)
        at de.larma.arthook.ArtHook.<clinit>(ArtHook.java:46)
        at de.larma.arthook.ArtHook.hook(ArtHook.java:75)
        at org.microg.gms.droidguard.SysHook.activate(SysHook.java:52)
        at org.microg.gms.droidguard.DroidguardHelper.guard(DroidguardHelper.java:91)
        at org.microg.gms.droidguard.RemoteDroidGuardService$1$1.run(RemoteDroidGuardService.java:23)
        at java.lang.Thread.run(Thread.java:761)

apparently my "my custom unreleased magisk module" didn't extract the libs right

I overrode the system droidguard app with 0.1.0-10-gf64bf69, it either spits out 14 immediately, spins for ~15 seconds, before spitting error 14, exactly once I got a failed response.

Sometimes microG itself crashes.

2018-09-29 07:04:49.986 9103-9120/? D/GmsDroidguardHelper: -- Request --
    DGRequest{usage=DGUsage{type=attest, packageName=com.google.android.gms}, info=[KeyValuePair{key=BOARD, val=MSM8952}, KeyValuePair{key=BOOTLOADER, val=0xB107}, KeyValuePair{key=BRAND, val=Motorola}, KeyValuePair{key=CPU_ABI, val=armeabi-v7a}, KeyValuePair{key=CPU_ABI2, val=armeabi}, KeyValuePair{key=DEVICE, val=athene_f}, KeyValuePair{key=DISPLAY, val=lineage_athene-userdebug 7.1.2 NJH47F 20180926 dev-keys}, KeyValuePair{key=FINGERPRINT, val=motorola/athene_f/athene_f:7.0/NPJ25.93-14/16:user/release-keys}, KeyValuePair{key=HARDWARE, val=qcom}, KeyValuePair{key=HOST, val=c8c1cb588aa5}, KeyValuePair{key=ID, val=NJH47F}, KeyValuePair{key=MANUFACTURER, val=Motorola}, KeyValuePair{key=MODEL, val=Moto G4 Plus}, KeyValuePair{key=PRODUCT, val=lineage_athene}, KeyValuePair{key=RADIO, val=unknown}, KeyValuePair{key=SERIAL, val=ZY223X6H5X}, KeyValuePair{key=TAGS, val=release-keys}, KeyValuePair{key=TIME, val=1537928018000}, KeyValuePair{key=TYPE, val=user}, KeyValuePair{key=USER, val=root}, KeyValuePair{key=CODENAME, val=REL}, KeyValuePair{key=INCREMENTAL, val=69b7b8da18}, KeyValuePair{key=RELEASE, val=7.1.2}, KeyValuePair{key=SDK, val=25}, KeyValuePair{key=SDK_INT, val=25}], versionNamePrefix=10.0.84 (430-, isGoogleCn=false, enableInlineVm=true, cached=[], currentVersion=3, arch=armv7l}
2018-09-29 07:04:49.989 468-468/? I/cnss-daemon: RTM_NEWROUTE Indication
2018-09-29 07:04:49.989 468-468/? I/cnss-daemon: ip type is ipv6
2018-09-29 07:04:50.363 9103-9120/? D/GmsDroidguardHelper: Using provided response data for /data/user/0/org.microg.gms.droidguard/app_dg_cache/261a4e4770eb25c279eacce4a0a58cc95056d1a4.apk
2018-09-29 07:04:50.435 9124-9124/? I/dex2oat: /system/bin/dex2oat -j2 --dex-file=/data/user/0/org.microg.gms.droidguard/app_dg_cache/261a4e4770eb25c279eacce4a0a58cc95056d1a4/the.apk --oat-fd=36 --oat-location=/data/user/0/org.microg.gms.droidguard/app_dg_cache/261a4e4770eb25c279eacce4a0a58cc95056d1a4/opt/the.dex --compiler-filter=speed
2018-09-29 07:04:50.591 9124-9124/? I/dex2oat: dex2oat took 156.341ms (threads: 2) arena alloc=196KB (201072B) java alloc=91KB (93520B) native alloc=508KB (520984B) free=1539KB (1576168B)
2018-09-29 07:04:50.852 9103-9120/? D/GmsDroidguardHelper: b -> 4522138061738393361
2018-09-29 07:04:50.858 9103-9120/? D/GmsDroidguardHelper: c -> com.google.android.gms
2018-09-29 07:04:51.087 957-3716/? I/ActivityManager: Process com.google.android.gms.unstable (pid 9103) has died
2018-09-29 07:04:51.088 957-3716/? D/ActivityManager: cleanUpApplicationRecord -- 9103
2018-09-29 07:04:51.088 445-445/? I/Zygote: Process 9103 exited due to signal (11)
2018-09-29 07:04:51.088 957-3716/? W/ActivityManager: Scheduling restart of crashed service org.microg.gms.droidguard/.RemoteDroidGuardService in 1000ms

2018-09-29 07:07:18.922 9128-9497/? A/art: art/runtime/oat_quick_method_header.cc:55] Failed to find Dex offset for PC offset 0x8beb07bb(PC 0x0, entry_point=0x7414f845 current entry_point=0x7414f845) in java.lang.Class java.lang.ClassLoader.loadClass(java.lang.String)

    --------- beginning of crash
2018-09-29 07:07:18.923 9128-9497/? A/libc: Fatal signal 11 (SIGSEGV), code 1, fault addr 0x7 in tid 9497 (Thread-2)
2018-09-29 07:07:19.005 9501-9501/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
2018-09-29 07:07:19.006 9501-9501/? A/DEBUG: LineageOS Version: '14.1-20180926-microG-athene'
2018-09-29 07:07:19.006 9501-9501/? A/DEBUG: Build fingerprint: 'motorola/athene_f/athene_f:7.0/NPJ25.93-14/16:user/release-keys'
2018-09-29 07:07:19.006 9501-9501/? A/DEBUG: Revision: '0'
2018-09-29 07:07:19.006 9501-9501/? A/DEBUG: ABI: 'arm'
2018-09-29 07:07:19.006 9501-9501/? A/DEBUG: pid: 9128, tid: 9497, name: Thread-2  >>> com.google.android.gms.unstable <<<
2018-09-29 07:07:19.006 9501-9501/? A/DEBUG: signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7
2018-09-29 07:07:19.011 9501-9501/? A/DEBUG: Abort message: 'art/runtime/oat_quick_method_header.cc:55] Failed to find Dex offset for PC offset 0x8beb07bb(PC 0x0, entry_point=0x7414f845 current entry_point=0x7414f845) in java.lang.Class java.lang.ClassLoader.loadClass(java.lang.String)'
2018-09-29 07:07:19.012 9501-9501/? A/DEBUG:     r0 00000003  r1 00080100  r2 00000000  r3 afff97bf
2018-09-29 07:07:19.012 9501-9501/? A/DEBUG:     r4 a9c85300  r5 00000001  r6 2ac29bd8  r7 a89d4220
2018-09-29 07:07:19.012 9501-9501/? A/DEBUG:     r8 2ac2d060  r9 a9c85300  sl 2ac31ac0  fp a89ba000
2018-09-29 07:07:19.012 9501-9501/? A/DEBUG:     ip a9c05a05  sp a317e3c0  lr a9c05a11  pc a9c05a54  cpsr 600b0030
2018-09-29 07:07:19.018 9501-9501/? A/DEBUG: backtrace:
2018-09-29 07:07:19.018 9501-9501/? A/DEBUG:     #00 pc 003f3a54  /system/lib/libart.so (_ZN3artL12GoToRunnableEPNS_6ThreadE+31)
2018-09-29 07:07:19.018 9501-9501/? A/DEBUG:     #01 pc 003f3a0d  /system/lib/libart.so (_ZN3art12JniMethodEndEjPNS_6ThreadE+8)
2018-09-29 07:07:19.018 9501-9501/? A/DEBUG:     #02 pc 00000b27  /data/data/org.microg.gms.droidguard/app_dg_cache/261a4e4770eb25c279eacce4a0a58cc95056d1a4/opt/the.dex (offset 0xc000)

2018-09-29 07:27:05.774 7852-7852/? D/SafetyNetHelperSAMPLE: SafetyNet start request
2018-09-29 07:27:05.775 7852-7852/? D/SafetyNetHelper: apkCertificateDigests:[MZNsDhz8VAJMmFxPPso38ZRvZE6r7VIyzUqypkakG8E=]
2018-09-29 07:27:05.775 7852-7852/? V/SafetyNetHelper: running SafetyNet.API Test
2018-09-29 07:27:05.816 7654-8012/? W/GmsDroidguardHelper: java.lang.NoSuchFieldException: BUILD
        at java.lang.Class.getField(Class.java:1549)
        at org.microg.gms.droidguard.DroidguardHelper.createSystemInfoPair(DroidguardHelper.java:169)
        at org.microg.gms.droidguard.DroidguardHelper.getSystemInfo(DroidguardHelper.java:117)
        at org.microg.gms.droidguard.DroidguardHelper.guard(DroidguardHelper.java:64)
        at org.microg.gms.droidguard.RemoteDroidGuardService$1$1.run(RemoteDroidGuardService.java:23)
        at java.lang.Thread.run(Thread.java:761)

EDIT: Lucky patcher or Xposed causes safetynet to fail after 1 second. Uninstalling both leads to the weird behavior above.

I tried installing Droidguard from https://github.com/ThibG/android_packages_apps_RemoteDroidGuard/tree/aarch64 (the unmerged pull request).

• I had to use Lucky Patcher, Toolbox, Patch to Android, "package manager" to overwrite the system APK with my own debug builds.
• I get basically the same issues as above (error 14, stalling, Failed to find Dex offset for PC offset 0x00000000 (i think)).
• I also get error 8 (maybe internet is down).
• Rebooting does not change behavior.

hmm.
Nexus5,lineage-14.1-20180920,Magisk-v17.1,Nanodroid-18.3.1.20180921+microg core 0.2.6.13280,
Safetynet Passed.

If GPS has been turn OFF, I could sign in for Pokemon GO.
But if GPS has been turn ON, I could not do it(This device, OS, or software is not compatible with Pokemon GO.).

i don't see how you could've possibly gotten it to work.

Moto g4 plus, lineage-microg 14.1.

So I got several "safetynet failed" results, decided to backup, wipe, and reflash. Now all I get are error 14/etc.

Removing /system/priv-app/droidguard.apk (I forgot to put in a subfolder) made no difference.

I tried installing Magisk Nanodroid (microG sub module) on top of Lineage-microG and uninstalling my user Droidguard, now microG crashes immediately with error:

    Process: com.google.android.gms.unstable, PID: 6480
    java.lang.NullPointerException: Attempt to invoke virtual method 'android.content.res.Configuration android.content.res.Resources.getConfiguration()' on a null object reference
        at android.app.ActivityThread.updateLocaleListFromAppContext(ActivityThread.java:5115)
        at android.app.ActivityThread.handleBindApplication(ActivityThread.java:5340)
        at android.app.ActivityThread.-wrap2(ActivityThread.java)
        at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1564)
        at android.os.Handler.dispatchMessage(Handler.java:102)
        at android.os.Looper.loop(Looper.java:154)
        at android.app.ActivityThread.main(ActivityThread.java:6186)
        at java.lang.reflect.Method.invoke(Native Method)
        at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:889)
        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:779)

Both nanodroid and 0.2.6.13280-dirty (git) have same error.

edit: i got safetynet to pass Basic but not CTS Profile. Unfortunately MicroG failed to generate a Play ID.

• remove Magisk nanoguard module
• disable all magisk modules, but don't enable Magisk Core
• microg:
  
  
  
  • Use lucky patcher to allow installing incompatible app signatures
  
  
  • keep system app microg, install microg from git/androidstudio/gradlew.
  
  
  • Clear dalvik cache to hide evidence of signature tampering
  
  
• droidguard:
  
  
  
  • do not add /priv-app/droidguard.apk, build and install droidguard from https://github.com/ThibG/android_packages_apps_RemoteDroidGuard/tree/aarch64
  
  

@jimbo1qaz
I would like to confirm just in case; are you applying NanoDroid-patcher?
it's needed by signature spoofing for microg.
Also, is "Google SafetyNet" that on microG Setting, set to Enabled?
it's necessary to use Safetynet API.

Can you explain your exact setup? I'm guessing:

• lineage-14.1-20180920 (not microG edition)?
• NanoDroid 18.3.1.20180921 (full or microg?)
• NanoDroid-patcher via twrp
• microg core 0.2.6.13280 (how did you bypass the signature mismatch? by installing microg as a user app before nanodroid added a system app?)

Where did you get microg core 0.2.6.13280 apk? Manually compile, or is there a CI build artifact repo with all .apk builds?

@jimbo1qaz
Nexus5 hammerhead (16GB)
Flash zip(TWRP 3.2.3-0):

1. linageos-14.1-20180920-nighty-hammerhead-signed.zip (not "with microg")
2. Magisk-v17.1.zip
3. NanoDroid-setupwizard-18.3.1.20180921.zip (with microg, with Maps API v1)
4. NanoDroid-18.3.1.20180921.zip
5. NanoDroid-patcher-18.3.1.20180921.zip
   (TWRP App not installed)
   After booting:
6. Magisk update
7. Swap /system/priv-app/GmsCore/GmsCore.apk (0.2.6.13280 ,use X-plore, backup and renaming)
8. Reboot
9. Enable Google SafetyNet
10. Reboot
11. SafetyNet API check (Passed)

I used the droidGuard helper apk suggested at this comment by @nanolx and enabled safetynet in microG settings. I then used the SafetyNet Test app from playstore, through Aurora store.

My results were
SafetyNet request: Success
Response Signature Validation: Success
Basic Integrity: Success
CTS Profile match: Fail

I 'm guessing this means that the PR works - because of the response signature success - but something else I did fails? Or maybe something else apart from droid guard helper needs fixing?

P.S. I am using this ROM for the Galaxy S5 Neo that I compiled through the L4mG docker ci/cd image through those steps. I didn't install/flash any extra system modifications (root, magisk, Xposed or anything else).

P.P.S. cc'ing @ArchangeGabriel because of this comment.

I probably missed something, as I 'm still learning but hope the feedback can still be helpful.

CTS Profile is the extended check. If you're on a Galaxy device with unlocked Bootloader, that will trip KNOX and thus CTS Profile match fails as the device is seen as tinkered. So that is not an issue, but the correct result.

The only way around this is Magisk.

@Nanolx This comment on the LineageOS subreddit, saying that knox is not checked by SafetyNet, prompted me to check after I went back to official LineageOs and gapps and frdoid on my S5Neo. When I rerun SafetyNet check everything passed, including CTS Profile match. I 'd guess this should rule out tripped knox as the reason why CTS Profile match failed since now it is passing while I still have a custom ROM and recovery installed.

Unfortunately I no longer have LinageOs with microg installed on the phone to try to debug this (on top of that I wouldn't know where to begin). Just posting here to inform that this problem had to do with safetynet and not knox.

Well for me none of the proposed solutions work. I'm on LineageOS 14.1 unofficial for SM-A300FU. The logcat output also shows DroidHelper crashing and I have the ApiException[14] 14: with the SafetyNet Sample app.

The logcat output:

01-19 16:10:45.879  4845  4845 D SafetyNetHelperSAMPLE: SafetyNet start request
01-19 16:10:45.881  4845  4845 D SafetyNetHelper: apkCertificateDigests:[MZNsDhz8VAJMmFxPPso38ZRvZE6r7VIyzUqypkakG8E=]
01-19 16:10:45.881  4845  4845 V SafetyNetHelper: running SafetyNet.API Test
01-19 16:10:45.979  5113  5132 D NetworkSecurityConfig: No Network Security Config specified, using platform default
01-19 16:10:45.980  5113  5132 W System  : ClassLoader referenced unknown path: /system/framework/tcmclient.jar
01-19 16:10:46.010  5113  5132 D GmsDroidguardHelper: -- Request --
01-19 16:10:46.010  5113  5132 D GmsDroidguardHelper: DGRequest{usage=DGUsage{type=attest, packageName=com.google.android.gms}, info=[KeyValuePair{key=BOARD, val=MSM8916}, KeyValuePair{key=BOOTLOADER, val=A300FUXXU1CPH3}, KeyValuePair{key=BRAND, val=samsung}, KeyValuePair{key=CPU_ABI, val=armeabi-v7a}, KeyValuePair{key=CPU_ABI2, val=armeabi}, KeyValuePair{key=SUPPORTED_ABIS, val=armeabi-v7a,armeabi}, KeyValuePair{key=DEVICE, val=a3ulte}, KeyValuePair{key=DISPLAY, val=lineage_a3ltexx-userdebug 7.1.2 N2G47O e45ef2b5f5 test-keys}, KeyValuePair{key=FINGERPRINT, val=samsung/a3ltexx/a3ulte:7.1.2/N2G47O/e45ef2b5f5:user/release-keys}, KeyValuePair{key=HARDWARE, val=qcom}, KeyValuePair{key=HOST, val=winkarbik}, KeyValuePair{key=ID, val=N2G47O}, KeyValuePair{key=MANUFACTURER, val=samsung}, KeyValuePair{key=MODEL, val=SM-A300FU}, KeyValuePair{key=PRODUCT, val=a3ltexx}, KeyValuePair{key=RADIO, val=unknown}, KeyValuePair{key=SERIAL, val=a7405641}, KeyValuePair{key=TAGS, val=release-keys}, KeyValuePair{key=TIME, val=1495735494000}, KeyValuePair{key=TYPE, val=user}, KeyValuePair{key=USER, val=jenkins}, KeyValuePair{key=CODENAME, val=REL}, KeyValuePair{key=INCREMENTAL, val=e45ef2b5f5}, KeyValuePair{key=RELEASE, val=7.1.2}, KeyValuePair{key=SDK, val=25}, KeyValuePair{key=SDK_INT, val=25}], versionNamePrefix=13.2.80 (040300-{{cl}}), isGoogleCn=false, enableInlineVm=true, cached=[ByteString[size=20 md5=c7c36e1888f2d6fc56d4fcb1705c6b2e]], currentVersion=3, arch=armv7l}
01-19 16:10:46.338  5113  5132 D GmsDroidguardHelper: Using cached file from /data/user/0/org.microg.gms.droidguard/app_dg_cache/d24334ada8172475d4470af3fefe3d369f2698f5/the.apk
01-19 16:10:46.699  5113  5132 F art     : art/runtime/oat_quick_method_header.cc:55] Failed to find Dex offset for PC offset 0x8ca84c6b(PC 0x0, entry_point=0x7357b395 current entry_point=0x7357b395) in java.nio.charset.CharsetDecoder java.nio.charset.CharsetICU.newDecoder()
01-19 16:10:46.702  5113  5132 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x32627844 in tid 5132 (Thread-2)
01-19 16:10:46.703   263   263 W         : debuggerd: handling request: pid=5113 uid=10069 gid=10069 tid=5132
01-19 16:10:46.700  5136  5136 I debuggerd: type=1400 audit(0.0:730): avc: denied { read } for uid=0 name="the.apk" dev="mmcblk0p27" ino=41145 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=1
01-19 16:10:46.700  5136  5136 I debuggerd: type=1400 audit(0.0:730): avc: denied { open } for uid=0 path="/data/data/org.microg.gms.droidguard/app_dg_cache/d24334ada8172475d4470af3fefe3d369f2698f5/the.apk" dev="mmcblk0p27" ino=41145 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=1
01-19 16:10:46.700  5136  5136 W debuggerd: type=1300 audit(0.0:730): arch=40000028 syscall=322 per=800008 success=yes exit=9 a0=ffffff9c a1=b6ac1150 a2=20000 a3=0 items=0 ppid=263 ppcomm=debuggerd auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) exe="/system/bin/debuggerd" subj=u:r:debuggerd:s0 key=(null)
01-19 16:10:46.700   262   262 W auditd  : type=1320 audit(0.0:730): 
01-19 16:10:46.700  5136  5136 I debuggerd: type=1400 audit(0.0:731): avc: denied { getattr } for uid=0 path="/data/data/org.microg.gms.droidguard/app_dg_cache/d24334ada8172475d4470af3fefe3d369f2698f5/the.apk" dev="mmcblk0p27" ino=41145 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=1
01-19 16:10:46.700  5136  5136 W debuggerd: type=1300 audit(0.0:731): arch=40000028 syscall=197 per=800008 success=yes exit=0 a0=9 a1=bebaf7e0 a2=712048dd a3=0 items=0 ppid=263 ppcomm=debuggerd auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) exe="/system/bin/debuggerd" subj=u:r:debuggerd:s0 key=(null)
01-19 16:10:46.700   262   262 W auditd  : type=1320 audit(0.0:731): 
01-19 16:10:46.729  5136  5136 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
01-19 16:10:46.729  5136  5136 F DEBUG   : LineageOS Version: '14.1-20170525-UNOFFICIAL-a3ltexx'
01-19 16:10:46.729  5136  5136 F DEBUG   : Build fingerprint: 'samsung/a3ltexx/a3ulte:7.1.2/N2G47O/e45ef2b5f5:user/release-keys'
01-19 16:10:46.729  5136  5136 F DEBUG   : Revision: '1'
01-19 16:10:46.729  5136  5136 F DEBUG   : ABI: 'arm'
01-19 16:10:46.729  5136  5136 F DEBUG   : pid: 5113, tid: 5132, name: Thread-2  >>> com.google.android.gms.unstable <<<
01-19 16:10:46.729  5136  5136 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x32627844
01-19 16:10:46.733  5136  5136 F DEBUG   : Abort message: 'art/runtime/oat_quick_method_header.cc:55] Failed to find Dex offset for PC offset 0x8ca84c6b(PC 0x0, entry_point=0x7357b395 current entry_point=0x7357b395) in java.nio.charset.CharsetDecoder java.nio.charset.CharsetICU.newDecoder()'
01-19 16:10:46.733  5136  5136 F DEBUG   :     r0 30376562  r1 b426d140  r2 0001000a  r3 b2ce61cf
01-19 16:10:46.733  5136  5136 F DEBUG   :     r4 646c6568  r5 b2ce61c4  r6 00006953  r7 b426d140
01-19 16:10:46.733  5136  5136 F DEBUG   :     r8 b2b46328  r9 b3dc0497  sl b2ce61cf  fp 32627830
01-19 16:10:46.733  5136  5136 F DEBUG   :     ip b4178b40  sp b2ce6168  lr b3dc34f7  pc b3dfaea6  cpsr 000b0030
01-19 16:10:46.745  5136  5136 F DEBUG   : 
01-19 16:10:46.745  5136  5136 F DEBUG   : backtrace:
01-19 16:10:46.745  5136  5136 F DEBUG   :     #00 pc 000e8ea6  /system/lib/libart.so (_ZN3art11ClassLinker16FindOatMethodForEPNS_9ArtMethodEPb+349)
01-19 16:10:46.745  5136  5136 F DEBUG   :     #01 pc 000b14f3  /system/lib/libart.so (_ZN3art9ArtMethod23GetOatQuickMethodHeaderEj+158)
01-19 16:10:46.745  5136  5136 F DEBUG   :     #02 pc 00328ced  /system/lib/libart.so (_ZN3art12StackVisitor9WalkStackEb+120)
01-19 16:10:46.745  5136  5136 F DEBUG   :     #03 pc 0024d89f  /system/lib/libart.so (_ZN3art9JNIEnvExt19CheckNoHeldMonitorsEv+58)
01-19 16:10:46.745  5136  5136 F DEBUG   :     #04 pc 003f3a2f  /system/lib/libart.so (_ZN3art12JniMethodEndEjPNS_6ThreadE+42)
01-19 16:10:46.745  5136  5136 F DEBUG   :     #05 pc 0000d02f  /data/data/org.microg.gms.droidguard/app_dg_cache/d24334ada8172475d4470af3fefe3d369f2698f5/opt/the.dex (offset 0xc000)
01-19 16:10:47.070  5132  5132 W Thread-2: type=1701 audit(0.0:732): auid=4294967295 uid=10069 gid=10069 ses=4294967295 subj=u:r:priv_app:s0:c512,c768 reason="memory violation" sig=11
01-19 16:10:47.070  1435  1435 I android.ui: type=1400 audit(0.0:733): avc: denied { open } for uid=1000 path="/system/priv-app/DroidGuard/DroidGuard.apk" dev="mmcblk0p24" ino=94589 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file permissive=1
01-19 16:10:47.086  5136  5136 E         : debuggerd: failed to kill process 5113: No such process
01-19 16:10:47.088  1357  1462 I BootReceiver: Copying /data/tombstones/tombstone_02 to DropBox (SYSTEM_TOMBSTONE)
01-19 16:10:47.093   263   263 W         : debuggerd: resuming target 5113
01-19 16:10:47.070  1435  1435 W android.ui: type=1300 audit(0.0:733): arch=40000028 syscall=322 per=800008 success=yes exit=242 a0=ffffff9c a1=8ecfec10 a2=20000 a3=0 items=0 ppid=581 ppcomm=main auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=4294967295 tty=(none) exe="/system/bin/app_process32" subj=u:r:system_server:s0 key=(null)
01-19 16:10:47.070   262   262 W auditd  : type=1320 audit(0.0:733): 
01-19 16:10:47.128  1357  1895 I ActivityManager: Process com.google.android.gms.unstable (pid 5113) has died
01-19 16:10:47.128  1357  1895 D ActivityManager: cleanUpApplicationRecord -- 5113
01-19 16:10:47.129   581   581 I Zygote  : Process 5113 exited due to signal (11)
01-19 16:10:47.131  1357  1895 W ActivityManager: Scheduling restart of crashed service org.microg.gms.droidguard/.RemoteDroidGuardService in 1000ms
01-19 16:10:47.135  4845  4845 E SafetyNetHelperSAMPLE: ApiException[14] 14: 
01-19 16:10:47.149  1357  4891 I OpenGLRenderer: Initialized EGL, version 1.4
01-19 16:10:47.149  1357  4891 D OpenGLRenderer: Swap behavior 1
01-19 16:10:47.164  1357  4891 E linker  : readlink("/proc/self/fd/261") failed: Permission denied [fd=261]
01-19 16:10:47.164  1357  4891 E linker  : warning: unable to get realpath for the library "/system/lib/hw/gralloc.msm8916.so". Will use given path.
01-19 16:10:48.144  1357  1432 I ActivityManager: Start proc 5140:com.google.android.gms.unstable/u0a69 for service org.microg.gms.droidguard/.RemoteDroidGuardService
01-19 16:10:48.154   290   325 I Magisk  : proc_monitor: org.microg.gms.droidguard/.RemoteDroidGuardService PID=[5140] ns=[4026534892]
01-19 16:10:48.210  5140  5140 I main    : type=1400 audit(0.0:734): avc: denied { read } for uid=10069 name="u:object_r:spcomlib_prop:s0" dev="tmpfs" ino=2456 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:spcomlib_prop:s0 tclass=file permissive=1
01-19 16:10:48.210  5140  5140 W main    : type=1300 audit(0.0:734): arch=40000028 syscall=334 per=800008 success=yes exit=0 a0=ffffff9c a1=befddb8c a2=4 a3=0 items=0 ppid=581 ppcomm=main auid=4294967295 uid=10069 gid=10069 euid=10069 suid=10069 fsuid=10069 egid=10069 sgid=10069 fsgid=10069 ses=4294967295 tty=(none) exe="/system/bin/app_process32" subj=u:r:priv_app:s0:c512,c768 key=(null)
01-19 16:10:48.210   262   262 W auditd  : type=1320 audit(0.0:734): 
01-19 16:10:48.218  5140  5140 I art     : Late-enabling -Xcheck:jni
01-19 16:10:48.248  5140  5140 I art     : Starting a blocking GC AddRemoveAppImageSpace
01-19 16:10:48.249  5140  5140 W System  : ClassLoader referenced unknown path: /system/priv-app/DroidGuard/lib/arm

Also have Magisk v18.0 hiding DroidGuard as proposed by @Nanolx in https://github.com/microg/android_packages_apps_RemoteDroidGuard/pull/19#issuecomment-449368819

Official DroidGuard Helper won't work, you need a build with this pull request here merged. Everything fine with that.

I have installed that one and the problem persists... I'll try a clean install and report back if that works.

After several tests my conclusion is: LineageOS 14.1 for A300FU doesn't pass SafetyNet under any of the conditions I tested so far:

• DroidGuard (NanoDroid md5 ea538b995a7bd6143970101458852c94) as user app
• DroidGuard in /system/priv-app/
• DroidGuard hidden by Magisk
• GmsCore (microg) as system app

So far, none of the combinations presented above led me to a successful SafetyNet check.

I installed then a modified version of the stock ROM and installed the nanodroid package with microg, then hide DroidGuard with magisk and SafetyNet check passes now. Though the concerned app I thought was affected by safetynet still doesn't work (airfrance app), but the SafetyNet checks are all green.

@kYc0o it won't help you but I also never got SafetyNet working with LineageOS 14.1 either...

@kYc0o I think you need the following two things:

• GmsCore with PRs that haven't been merged, see here from Nanolx. Nanolx has compiled a GmsCore version on his own fdroid repositoy.
• DroidGuard helper with a PR that also hasn't been merged. See here for details from Nanolx.

I have added both apk's in a fork of mine and I used them to build LineageOS+microG for s5neoltexx (Galaxy S5 neo). Instructions on how I did it, if needed can be found here.

Hopefully that will help you. In my case it was Lineage 15.1 used as a base instead of 14.1 but I _think_ they can also work for 14.1.

Using that updated droidguard apk and adding droidguard to MagiskHide gives me basicIntegrity: true and ctsProfile: false, which is enough for some apps

Thanks @Iolaum for your insight! Actually I also own a S5 neo, although I still prefer the A300FU.

Do you have the compiled apk's of those packages? I couldn't find them and I'd like to check if th md5 matches the versions I have currently installed.

I'll also test your build asap on my s5 neo.

@kYc0o I 've already put those apk in my repository which is linked on my previous post.

You can also get those apk's with the following Linux shell commands:

$ wget https://nanolx.org/fdroid/repo/GmsCore_23.apk
...
$ md5sum GmsCore_23.apk 
0eb42417c1f95e8c954887558b214ff9  GmsCore_23.apk

$ wget https://nanolx.org/fdroid/repo/DroidGuard_0.apk
...
$ md5sum DroidGuard_0.apk 
ea538b995a7bd6143970101458852c94  DroidGuard_0.apk

That is where I got them from.

Update: It looks like there's a newer version GmsCore_23 of the GmsCore from Nanolx.

Well, it turns that's the version I have:

a3ulte:/ $ md5sum /system/priv-app/GmsCore/GmsCore.apk                                                                                                                         
6400f03950b3f1d49a68a7ec10f50d04  /system/priv-app/GmsCore/GmsCore.apk
a3ulte:/ $ md5sum /system/app/DroidGuard/DroidGuard.apk                                                                                                                        
ea538b995a7bd6143970101458852c94  /system/app/DroidGuard/DroidGuard.apk

Actually in my current ROM (SEP 8.5) SafetyNet is all green, but my airfrance app doesn't log in. I guess that problem is related to other things and not to SafetyNet. In #691 I explain more in detail the issue.

Thanks a lot for your help!

@ale5000-git could you close this issue? It's about the old bug fixed by https://github.com/microg/android_packages_apps_RemoteDroidGuard/pull/19