search

microg / GmsCore

Free implementation of Play Services
https://microg.org
Apache License 2.0
8.42k stars 1.71k forks source link

Test SafetyNet attestation fails: CTS profile does not match #1798

Closed cmonty14 closed 1 year ago

cmonty14 commented 2 years ago

Describe the bug Running test SafetyNet attestation fails with this error: Warning: CTS profile does not match

To Reproduce Steps to reproduce the behavior:

  1. Open 'microG Settings'
  2. Click on 'Google SafetyNet'
  3. Activate 'Allow device attestation'
  4. Click on 'Test SafetyNet attestation'

Expected behavior Running 'Test SafetyNet attestation' completes w/o error.

System Android Version: 12 Custom ROM: 19-20220823-microG-dumpling microG Services Core version: 0.2.24.214816

Screenshots Screenshot_20221002-144213_microG Services Core

defkev commented 2 years ago

CTS profile mismatch usually boils down to the fingerprint reported by your phone being unknown to Google:

Custom ROM: 19-20220823-microG-dumpling

so find a fingerprint matching your device Google has certified and use that in a custom profile:

 <data key="Build.FINGERPRINT" value="..." />

I never bothered to look into this with microG as all my apps insisting on device attestation work as long as i hide the unlocked bootloader and root.

Cheers

mjnck commented 2 years ago

You can use this to fake cts profile https://github.com/luk1337/ih8sn

defkev commented 2 years ago

I tried MagiskHide Props Config (https://github.com/Magisk-Modules-Repo/MagiskHidePropsConf) over the weekend:

  1. Flash zip
  2. Reboot
  3. Run props in elevated terminal and spoof fingerprint
  4. Reboot
  5. Done

Screenshot_20221010-095140_microG_Services_Core

cmonty14 commented 1 year ago

Thanks for sharing this instruction.

Could you please advise what should be entered here? Screenshot_20221014-164745_Terminalemulator

defkev commented 1 year ago

f then pick your device (e.g. OnePlus 5T) then your API (e.g. 31 for Android 12), save and reboot.

If there is no fingerprint matching your API just pick the latest available, imho the API isn't too important but the vendor is so you don't get offered grab for download incompatible with your device.

https://github.com/Magisk-Modules-Repo/MagiskHidePropsConf/blob/master/README.md#can-i-use-any-fingerprint

mar-v-in commented 1 year ago

There are several reasons for SafetyNet to not pass. Passing SafetyNet is an issue independent of microG and whatever is required to pass SafetyNet with original Google services on your device / OS applies for microG as well. Support for specific devices or OS are out of scope here.

Forage commented 8 months ago

If you are using Magisk, remove the Universal SafetyNet Fix module and reset plus remove the MagiskHide Props Config module and use PlayIntegrityFix instead. Worked for my OnePlus 6.

defkev commented 7 months ago

I can confirm that PlayIntegrityFix does indeed work in-place of Universal SafetyNet Fix w/ MagiskHide Props Config:

Screenshot_20240220-110526_microG_Services

This has the added benefit that its all in a single package, especially since neither Universal SafetyNet Fix nor MagiskHide Props Config seem to be maintained any more.