microg / GmsCore

Free implementation of Play Services
https://microg.org
Apache License 2.0

SafetyNet API #181

Closed seanrand closed 6 years ago

seanrand commented 7 years ago

As of version 0.37 Pokemon Go uses GMS's safetynet feature and I for one can't get past login. What is the implementation status on safetynet, is this out of scope for microg?

BedHead911 commented 7 years ago

Ok this is strange.... I tried it again a second time and it works. Ignore my last comment, my setup works perfectly. I can now play pokemon go with root + xposed and microg. Thanks for all your work mar-v-in. Btw I'm not a cheater.

pvase666 commented 7 years ago

My steps:
Delete google play services in system/priv-app
Install FakeGapps module and activate it.
Install MicroG gmscore and gsf.
Reboot.

Going to microG settings and choosing self check, it says: your rom has no native support for signature spoofing...
SN Helper: gg playservices is not available on this device
My device: 6.0.1, rooted, xposed working

Edit2: my fault. Gmscore working. But can't pass SN

SafetyNet request: success
Response validation: fail

Error Msg: Response payload validation failed

BedHead911 commented 7 years ago

@pvase666 what root app are u using? Because supersu does not work. You have to be using topjohnwu's magisk and with phh's superuser. Also for xposed, you also have to be using systemless xposed also by topjohnwu

You can find a guide on androidpolice

ghost commented 7 years ago

@mar-v-in i get safetynet request: fail. Googleplayservices outdated you are running outdated version:8.7.05.8705438 safetyNet requires minimum 7.3.27 7327000. did i miss something?

mar-v-in commented 7 years ago

@pvase666 did you install the DroidGuard helper?

@Real-Vivacity did you update to the 0.2.4-20 preview build? 0.2.4 stable does not work.

ghost commented 7 years ago

i think i didn't download the right version you're right. i'm not too familiar with the interface sorry, i will try 0.2.4-20 asap

papjul commented 7 years ago

Is it possible for your implementation to customize the answer sent from SafetyNet or return false when asked "is device root?"? Installing Magisk + Xposed looks like too much of a burden to me… In any case, thank you for your work!

mar-v-in commented 7 years ago

@papjul I use OmniROM 6.0 without Magisk or Xposed or whatever. microG SafetyNet implementation will not report any root tools to Google and as such always announces to be unrooted. If you already use microG and it is fully working, the update and installation of DroidGuard Helper will make SafetyNet return a valid result.

papjul commented 7 years ago

Great work then! However, I'm not able to login on Pokemon Go 0.39.1 (using latest experimental microG and DroidGuard), I will try to extract some logs later then.

pvase666 commented 7 years ago

@mar-v-in yes, I have installed it (apk file). Maybe it's because my device did not install magisk as @BedHead911 said. I can't install this one because my phone is unable to unlock the bootloader :( I think it's because of Xposed. Anyone passed SN with xposed installed?

Details:

ROM: Official Sony ROM Xperia Z3 Marshmallow.
Official regular Xposed v86.
Rooted with SYSTEM MODE.
Xposed modules: FakeGapps
microG Services Core 0.2.4-20-g63fd64f
microG DroidGuard Helper 0.1.0
microG Services Framework Proxy 0.1.0

mid-kid commented 7 years ago

@mar-v-in Are these the proper sizes of the downloaded files by DroidGuard helper?

24  ./app_dg_cache/[]/opt/the.dex
252 ./app_dg_cache/[]/lib/lib[].so
116 ./app_dg_cache/[]/the.apk
(Censored all the possibly private parts)

I cleared the app's data several times, but that didn't help. SafetyNet helper returns:

SafetNet request: success
Response validation: fail

Error Msg:
Response payload validation failed

Disabled all xposed modules except FakeGapps, same problem.

Details:

FoxP commented 7 years ago

Same for me, i have :

Since Pokemon Go 0.35 and GMaps are still working, i assume that microG is working. But yet i can't pass the SafetyNet check. I have "success" for the request, but "fail" for response validation.

What can i do to help?

papjul commented 7 years ago

Where do you see the success status? What I have in CatLog for DroidGuard Helper is:

09-25 12:01:32.493 D/GmsDroidguardHelper(4109): -- Request --
09-25 12:01:32.493 D/GmsDroidguardHelper(4109): DGRequest{usage=DGUsage{type=attest, packageName=com.google.android.gms}, info=[KeyValuePair{key=BUILD, val=unknown}, KeyValuePair{key=BOARD, val=MSM8960}, KeyValuePair{key=BOOTLOADER, val=unknown}, KeyValuePair{key=BRAND, val=Xiaomi}, KeyValuePair{key=CPU_ABI, val=armeabi-v7a}, KeyValuePair{key=CPU_ABI2, val=armeabi}, KeyValuePair{key=DEVICE, val=aries}, KeyValuePair{key=DISPLAY, val=LMY49J}, KeyValuePair{key=FINGERPRINT, val=Xiaomi/aries/aries:5.0.2/LRX22G/5.8.6:user/release-keys}, KeyValuePair{key=HARDWARE, val=qcom}, KeyValuePair{key=HOST, val=gh01.farm.blackbriar.pl}, KeyValuePair{key=ID, val=LMY49J}, KeyValuePair{key=MANUFACTURER, val=Xiaomi}, KeyValuePair{key=MODEL, val=MI 2S}, KeyValuePair{key=PRODUCT, val=aries}, KeyValuePair{key=RADIO, val=unknown}, KeyValuePair{key=SERIAL, val=230f1488}, KeyValuePair{key=TAGS, val=test-keys}, KeyValuePair{key=TIME, val=1474057988000}, KeyValuePair{key=TYPE, val=userdebug}, KeyValuePair{key=USER, val=bugi}, KeyValuePair{key=CODENAME, val=REL}, KeyValuePair{key=INCREMENTAL, val=20160916}, KeyValuePair{key=RELEASE, val=5.1.1}, KeyValuePair{key=SDK, val=22}, KeyValuePair{key=SDK_INT, val=22}], versionNamePrefix=9.6.83 (430-, isGoogleCn=false, enableInlineVm=true, cached=[ByteString[size=20 md5=4e7d7ab8b501da32f9f3c7f5ae202191]], currentVersion=3, arch=armv7l}
09-25 12:01:32.803 D/GmsDroidguardHelper(4109): Using cached file from /data/data/org.microg.gms.droidguard/app_dg_cache/b9658c9bde68e104dcaa9823f98493c3d5433c83/the.apk
09-25 12:01:36.376 D/GmsDroidguardHelper(4109): a: +Una8NT0WzRLjkMoWqwZwODUsa7Q6T6dlA4HcZ2B0Jxs4tzNxi62nFT0QpWj6JkqDrvBJ42YltJeyp18KAHV4w== -> 5=37103186715777b9baa79caf0a74669d1c465201
09-25 12:01:36.376 D/GmsDroidguardHelper(4109): 7=Qualcomm:Adreno (TM) 320
09-25 12:01:36.376 D/GmsDroidguardHelper(4109): 8=-3376461133125262840
09-25 12:01:36.376 D/GmsDroidguardHelper(4109): 9=-6409255726903303402
09-25 12:01:40.350 D/GmsDroidguardHelper(4109): a: 9PJA/OQ0rrvmsi7JfBfCJJI0g6NA/FIh6d9doqGP7GusCuOQEj40INXRb7fgZnMqprLNITfOOm2rxTG+7PAV1w== -> 5=37103186715777b9baa79caf0a74669d1c465201
09-25 12:01:40.350 D/GmsDroidguardHelper(4109): 7=Qualcomm:Adreno (TM) 320
09-25 12:01:40.350 D/GmsDroidguardHelper(4109): 8=-2520757749418560597
09-25 12:01:40.350 D/GmsDroidguardHelper(4109): 9=8350921899557405424
09-25 12:01:40.490 W/GmsDroidguardHelper(4109): java.lang.NoSuchFieldException: BUILD
09-25 12:01:40.490 W/GmsDroidguardHelper(4109):     at java.lang.Class.getField(Class.java:1082)
09-25 12:01:40.490 W/GmsDroidguardHelper(4109):     at org.microg.gms.droidguard.DroidguardHelper.createSystemInfoPair(DroidguardHelper.java:169)
09-25 12:01:40.490 W/GmsDroidguardHelper(4109):     at org.microg.gms.droidguard.DroidguardHelper.getSystemInfo(DroidguardHelper.java:117)
09-25 12:01:40.490 W/GmsDroidguardHelper(4109):     at org.microg.gms.droidguard.DroidguardHelper.guard(DroidguardHelper.java:64)
09-25 12:01:40.490 W/GmsDroidguardHelper(4109):     at org.microg.gms.droidguard.RemoteDroidGuardService$1$1.run(RemoteDroidGuardService.java:23)
09-25 12:01:40.490 W/GmsDroidguardHelper(4109):     at java.lang.Thread.run(Thread.java:818)
09-25 12:01:40.520 D/GmsDroidguardHelper(4109): a: PsgRuK87AAmF/iojl02RNSP0p0CPjLqGT5bp0Jbr14uSaMy6gsDih9rvRk8bXPkeEFcZ/KZLVuYNDoFWsuo8zw== -> 5=37103186715777b9baa79caf0a74669d1c465201
09-25 12:01:40.520 D/GmsDroidguardHelper(4109): 7=Qualcomm:Adreno (TM) 320
09-25 12:01:40.520 D/GmsDroidguardHelper(4109): 8=-1491689962834417504
09-25 12:01:40.520 D/GmsDroidguardHelper(4109): 9=-1547117109349413817
09-25 12:01:40.520 D/GmsDroidguardHelper(4109): b -> 3817030169708187029

mid-kid commented 7 years ago

Can confirm @papjul's error. Same thing here.

mar-v-in commented 7 years ago

Assuming the number is in KB, these look valid.

Also note that the censored numbers are not really private data, they should be mostly the same for all of us (different numbers for architecture and certain "level" of trust google assigned to your IP). The first long number should match the sha1 hash of the the.apk in that folder and the name of the lib file is static based on the apk file. You can also download the.apk from https://www.gstatic.com/droidguard/[uppercase-sha1]
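The cache layout described in the comment above (directory name equal to the SHA-1 of the.apk, reference copy under the gstatic URL), as an added example that is not part of the thread or of microG's code. It assumes the app_dg_cache directory has been copied to a local path; `check_dg_cache` and the result keys are hypothetical names.

```python
import hashlib
import sys
from pathlib import Path

# URL pattern quoted in the thread: .../droidguard/[uppercase-sha1]
GSTATIC_BASE = "https://www.gstatic.com/droidguard/"


def sha1_file(path, chunk=65536):
    """SHA-1 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_dg_cache(cache_root):
    """Compare every <cache_root>/<name>/the.apk with its directory name.

    Returns one dict per cache entry with a status of "ok", "mismatch"
    or "missing the.apk", plus the companion files found next to it.
    """
    results = []
    for entry in sorted(Path(cache_root).iterdir()):
        if not entry.is_dir():
            continue
        lib_dir = entry / "lib"
        info = {
            "dir": entry.name,
            # Where a reference copy for this directory name can be fetched.
            "reference_url": GSTATIC_BASE + entry.name.upper(),
            "has_dex": (entry / "opt" / "the.dex").is_file(),
            "libs": sorted(p.name for p in lib_dir.glob("*.so"))
            if lib_dir.is_dir() else [],
        }
        apk = entry / "the.apk"
        if not apk.is_file():
            info["status"] = "missing the.apk"
        else:
            info["sha1"] = sha1_file(apk)
            info["size_kb"] = -(-apk.stat().st_size // 1024)  # round up
            info["status"] = (
                "ok" if info["sha1"] == entry.name.lower() else "mismatch"
            )
        results.append(info)
    return results


if __name__ == "__main__" and len(sys.argv) == 2:
    # Usage: python check_dg_cache.py ./app_dg_cache   (local copy, assumed)
    for item in check_dg_cache(sys.argv[1]):
        print(item["status"], item["dir"], item.get("size_kb", "-"), "KB")
```

A "mismatch" entry means the cached file is not the one its directory name claims, so clearing the cache and letting the helper download it again is the first thing to try.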

mid-kid commented 7 years ago

Ah, yes, I can confirm it's a sha1sum of the.apk. Thanks for clarifying.

About the error, "BUILD" does not seem to be a valid field according to the documentation. The exception doesn't seem to be caught for some reason however.

mar-v-in commented 7 years ago

The "NoSuchFieldException: BUILD" should not cause any harm. I will remove it in a future version.

When using the SafetyNet test app, it reports some line containing "decodedJWTPayload" to logcat. If you have problems, please report this line here, if it does not exist in logcat there might be something not set up correctly on your device.

Please note that I did not analyze root methods and their possible influence on microG. I neither use magisk nor xposed nor root on my test devices. If you have problems on your device please consider testing a system without root/xposed/magisk.

mid-kid commented 7 years ago

09-25 12:14:37.446  7605  7605 D SafetyNetResponse: decodedJWTPayload json:{"nonce":"QwvMOOO4dU9M5haYOjsmebf524Zhak1hAWL5J17iapw=","timestampMs":1474798477686,"ctsProfileMatch":false,"extension":"CWNORUq0MZhl","apkCertificateDigestSha256":[],"basicIntegrity":false}
09-25 12:14:44.533  7605  7605 D SafetyNetResponse: decodedJWTPayload json:{"nonce":"hMmUAk7XiqYzpkWMY/rjprKDZNCATkU1vSu+XFF/e0M=","timestampMs":1474798484765,"ctsProfileMatch":false,"extension":"CcsXP+8eLXe6","apkCertificateDigestSha256":[],"basicIntegrity":false}
09-25 12:32:35.364  7605  7605 D SafetyNetResponse: decodedJWTPayload json:{"nonce":"HTlBOw0rkNXXW1qlT+0iY+ElvYw8mD8K73DQR4TVrvE=","timestampMs":1474799555597,"ctsProfileMatch":false,"extension":"CWNfAUqoM5Ga","apkCertificateDigestSha256":[],"basicIntegrity":false}
09-25 12:32:37.863  7605  7605 D SafetyNetResponse: decodedJWTPayload json:{"nonce":"5xYfvL9KS9REFvrTWF4u1XySYvb44nt68zLswifWXGU=","timestampMs":1474799558103,"ctsProfileMatch":false,"extension":"CbB59ZTiaM5K","apkCertificateDigestSha256":[],"basicIntegrity":false}

Will try using Needle instead of Xposed.

pvase666 commented 7 years ago

09-25 17:29:55.570  3462  4949 I Xposed  : FakeGApps: returning fake signature to org.microg.gms.droidguard
09-25 17:29:55.960 28150 28150 D SafetyNetResponse: decodedJWTPayload json:{"nonce":"Ahyl6LouoKTftfBZDuk0na5+XUy660nh4ilyb++hGvM=","timestampMs":1474799394964,"ctsProfileMatch":false,"extension":"CbH7iaOH4Z4i","apkCertificateDigestSha256":[],"basicIntegrity":false}
09-25 17:29:55.960 28150 28150 E SafetyNetHelper: invalid packageName, expected = "com.scottyab.safetynet.sample"
09-25 17:29:55.960 28150 28150 E SafetyNetHelper: invalid packageName, response = "null"
09-25 17:29:55.961 28150 28150 E SafetyNetHelperSAMPLE: Response payload validation failed

FoxP commented 7 years ago

Here is my catlog for SafetyNet test app :

09-25 12:37:25.283  1857  2917 I Xposed  : FakeGApps: returning fake signature to org.microg.gms.droidguard
09-25 12:37:25.784  5079  5079 D SafetyNetResponse: decodedJWTPayload json:{"nonce":"GQOhZU0GtbbGPltco2W5deWZGZHr0o65U0MzQrj8w3E=","timestampMs":1474799845723,"ctsProfileMatch":false,"extension":"CfXFHCT9AunW","apkCertificateDigestSha256":[],"basicIntegrity":false}
09-25 12:37:25.785  5079  5079 E SafetyNetHelper: invalid packageName, expected = "com.scottyab.safetynet.sample"
09-25 12:37:25.785  5079  5079 E SafetyNetHelper: invalid packageName, response = "null"
09-25 12:37:25.786  5079  5079 E SafetyNetHelperSAMPLE: Response payload validation failed

mar-v-in commented 7 years ago

@pvase666 @mid-kid @FoxP Seems basic integrity is failing for you. Can you report the contents of the file /proc/mounts?

mid-kid commented 7 years ago

shell@:/ $ cat /proc/mounts
rootfs / rootfs ro,seclabel 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,size=1877856k,nr_inodes=469464,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,seclabel,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
/sys/kernel/debug /sys/kernel/debug debugfs rw,seclabel,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
none /sys/fs/cgroup tmpfs rw,seclabel,relatime,size=1877856k,nr_inodes=469464,mode=750,gid=1000 0 0
tmpfs /mnt tmpfs rw,seclabel,relatime,size=1877856k,nr_inodes=469464,mode=755,gid=1000 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
none /dev/cpuset cgroup rw,relatime,cpuset,noprefix,release_agent=/sbin/cpuset_release_agent 0 0
pstore /sys/fs/pstore pstore rw,seclabel,relatime 0 0
none /sys/fs/cgroup/freezer cgroup rw,relatime,freezer 0 0
none /sys/fs/cgroup/bfqio cgroup rw,relatime,bfqio 0 0
/dev/block/bootdevice/by-name/system /system ext4 ro,seclabel,relatime,data=ordered 0 0
/dev/block/bootdevice/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,relatime,data=ordered 0 0
/dev/block/bootdevice/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,relatime,data=ordered 0 0
/dev/block/bootdevice/by-name/persist /persist ext4 rw,seclabel,nosuid,nodev,relatime,data=ordered 0 0
/dev/block/bootdevice/by-name/modem /firmware vfat ro,context=u:object_r:firmware_file:s0,relatime,uid=1000,gid=1000,fmask=0337,dmask=0227,codepage=437,iocharset=iso8859-1,shortname=lower,errors=remount-ro 0 0
/dev/block/bootdevice/by-name/bluetooth /bt_firmware vfat ro,context=u:object_r:bt_firmware_file:s0,relatime,uid=1002,gid=3002,fmask=0333,dmask=0222,codepage=437,iocharset=iso8859-1,shortname=lower,errors=remount-ro 0 0
adb /dev/usb-ffs/adb functionfs rw,relatime 0 0
tmpfs /storage tmpfs rw,seclabel,relatime,size=1877856k,nr_inodes=469464,mode=755,gid=1000 0 0
/dev/fuse /mnt/runtime/default/emulated fuse rw,nosuid,nodev,noexec,noatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
/dev/fuse /storage/emulated fuse rw,nosuid,nodev,noexec,noatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
/dev/fuse /mnt/runtime/read/emulated fuse rw,nosuid,nodev,noexec,noatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
/dev/fuse /mnt/runtime/write/emulated fuse rw,nosuid,nodev,noexec,noatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0

FoxP commented 7 years ago

Here is my /proc/mounts :

[removed for increased readability]

papjul commented 7 years ago

I have the same response = "null" log. Here is my /proc/mounts:

[removed for increased readability]

pvase666 commented 7 years ago

Mine

[removed for increased readability]

mar-v-in commented 7 years ago

Apparently Xposed is blocking out my system modifications. I guess I need to find a way to handle that or provide a custom Xposed module to do some work.

FoxP commented 7 years ago

Do not hesitate to request tests / logs here.

0x47 commented 7 years ago

For what it's worth: I don't use Xposed and get the same error:

09-25 12:59:42.020 14037 14037 D SafetyNetHelperSAMPLE: SafetyNet start request
09-25 12:59:42.021 14037 14037 D SafetyNetHelper: apkCertificateDigests:[MZNsDhz8VAJMmFxPPso38ZRvZE6r7VIyzUqypkakG8E=]
09-25 12:59:42.096 14037 14037 D SafetyNetHelper: apkDigest:4DxDh8CqEXxv7rxqsixmtrKq+1IxRmnP8XJ2lVFd26A=
09-25 12:59:42.105 13653 13666 D GmsSafetyNetClientSvc: bound by: GetServiceRequest{serviceId=SAFETY_NET_CLIENT, gmsVersion=9080000, packageName='com.scottyab.safetynet.sample', extras=Bundle[{}]}
09-25 12:59:42.112 14037 14037 V SafetyNetHelper: Google play services connected
09-25 12:59:42.112 14037 14037 V SafetyNetHelper: running SafetyNet.API Test
09-25 12:59:43.241 14037 14037 D SafetyNetResponse: decodedJWTPayload json:{"nonce":"FRpbqUpKhi+JpBmg0JOFhr/SrJZhteDJB2GAX9VmlZM=","timestampMs":1474801187447,"apkPackageName":"com.scottyab.safetynet.sample","apkDigestSha256":"4DxDh8CqEXxv7rxqsixmtrKq+1IxRmnP8XJ2lVFd26A=","ctsProfileMatch":false,"extension":"CYV14SqG11ze","apkCertificateDigestSha256":["MZNsDhz8VAJMmFxPPso38ZRvZE6r7VIyzUqypkakG8E="],"basicIntegrity":false}
09-25 12:59:43.541 14037 14037 D SafetyNetHelperSAMPLE: SafetyNet req success: ctsProfileMatch:false

/proc/mounts:

[removed for increased readability]

mar-v-in commented 7 years ago

@0x47 your problem is a different one: your device does not match a CTS profile. This can happen for example when your device never got the android version you are currently using on it. This is another issue that will be tackled through #90. Enforcing CTS is an optional part of SafetyNet, most apps decide to ignore it as it is unreliable.
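The two outcomes seen in the logs above (a payload the test app rejects because apkPackageName is missing, versus a well-formed payload whose integrity flags are false), as an added example that is not part of the thread or of SafetyNet Helper's code. The sample log is constructed, `com.example.attest` and the digest are placeholders, and `triage` / `triage_log` are hypothetical names; a real verifier must also check the JWS signature, which the logged payload no longer carries.

```python
import json
import re

# Matches the line the SafetyNet test app logs, in both logcat formats seen in
# the thread ("D SafetyNetResponse: ..." and "D/SafetyNetResponse( 5704): ...").
PAYLOAD_RE = re.compile(
    r"SafetyNetResponse\s*(?:\(\s*\d+\))?:\s*decodedJWTPayload json:(\{.*\})\s*$"
)

# Constructed sample log; values are placeholders, not taken from any device.
SAMPLE_LOG = """\
09-25 12:00:00.000  1111  1111 D SafetyNetResponse: decodedJWTPayload json:{"nonce":"Y29uc3RydWN0ZWQtMQ==","timestampMs":1474800000000,"ctsProfileMatch":false,"extension":"AAAA","apkCertificateDigestSha256":[],"basicIntegrity":false}
09-25 12:00:00.001  1111  1111 E SafetyNetHelper: invalid packageName, response = "null"
09-25 12:00:05.000  2222  2222 D SafetyNetResponse: decodedJWTPayload json:{"nonce":"Y29uc3RydWN0ZWQtMg==","timestampMs":1474800005000,"apkPackageName":"com.example.attest","ctsProfileMatch":false,"apkCertificateDigestSha256":["Q09OU1RSVUNURUQ="],"basicIntegrity":false}
D/SafetyNetResponse( 3333): decodedJWTPayload json:{"nonce":"Y29uc3RydWN0ZWQtMw==","timestampMs":1474800010000,"apkPackageName":"com.example.attest","ctsProfileMatch":true,"apkCertificateDigestSha256":["Q09OU1RSVUNURUQ="],"basicIntegrity":true}
"""


def extract_payloads(log_text):
    """Return the decoded attestation payloads found in a logcat dump."""
    payloads = []
    for line in log_text.splitlines():
        match = PAYLOAD_RE.search(line)
        if not match:
            continue
        try:
            payloads.append(json.loads(match.group(1)))
        except json.JSONDecodeError:
            continue  # line was truncated by logcat; nothing to triage
    return payloads


def triage(payload, expected_package, expected_cert_digests):
    """Return (status, findings) for one payload.

    The caller-binding fields are checked first: if they do not match the
    requesting app, the flags say nothing about that app, which is the
    "Response payload validation failed" case. Only then are the two
    integrity flags read.
    """
    findings = []
    package = payload.get("apkPackageName")
    if package != expected_package:
        findings.append(
            "apkPackageName=%r, expected %r" % (package, expected_package)
        )
    digests = sorted(payload.get("apkCertificateDigestSha256") or [])
    if digests != sorted(expected_cert_digests):
        findings.append("apkCertificateDigestSha256 does not match the app")
    if findings:
        return "payload_validation_failed", findings

    for flag in ("basicIntegrity", "ctsProfileMatch"):
        if payload.get(flag) is not True:
            findings.append("%s=%r" % (flag, payload.get(flag)))
    return ("attestation_failed" if findings else "ok"), findings


def triage_log(log_text, expected_package, expected_cert_digests):
    """Triage every payload in a log, in order of appearance."""
    return [
        triage(p, expected_package, expected_cert_digests)
        for p in extract_payloads(log_text)
    ]


if __name__ == "__main__":
    for status, notes in triage_log(
        SAMPLE_LOG, "com.example.attest", ["Q09OU1RSVUNURUQ="]
    ):
        print(status, "; ".join(notes))
```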

0x47 commented 7 years ago

@mar-v-in indeed, I am using a Nexus 4 with OmniROM (Android 6.0.1). Thanks for all the hard work you're putting into this. Waiting for #90 to be ready then (apparently Pokémon Go enforces CTS).

papjul commented 7 years ago

@mar-v-in Indeed, I have Xposed installed, however I don't have the fake signature module. My custom CyanogenMod rom has your signature spoofing patch. So maybe it comes from something else…

mar-v-in commented 7 years ago

@papjul it's not related to the signature spoofing patch but to a system modification caused by Xposed

Technical details: I use hooking based on ART optimizations to modify the system library. Xposed disables ART optimizations so it can do hooking more easily, because it does not need to care about ART optimizations. But then my hook based on the optimized code is not called anymore.

The solution is to either modify my hooking approach so that it is able to handle systems with disabled ART optimizations (= Xposed installed) or to just use the hooking feature of Xposed. The latter is probably easier to implement so I guess I will go this way.

BedHead911 commented 7 years ago

@FoxP i heard that CM13 has built in root in dev options so ur problem may be that the su files and folders are not removed. Also why not try magisk and phh superuser instead of supersu and suhide?

Root is not even necessary for microg if you use needle/tingle for signature spoofing. The only app I used root for is adaway and xposed installer.

FoxP commented 7 years ago

@BedHead911 Of course i deleted su files with TWRP (system partition mounted). Magisk does not work with my ROM because it does not simply patch boot.img, it just...replaces it. So GPS, bluetooth and internet are broken then. It's a poorly coded script. Plus, phh superuser is old. BTW, @mar-v-in how did you pass SafetyNet check without FakeGApps Xposed addon?

mid-kid commented 7 years ago

After a bunch of fucking around, I managed to deodex my rom and used Needle to patch framework.jar. Only to rip in pepperonies as the CTS profile doesn't match. I wonder why? This phone in particular comes stock with android 6.0.1. What is also checked of the ROM besides the android version?

mar-v-in commented 7 years ago

I just pushed DroidGuard Helper version 0.1.0-1 to the repo and this direct link.

I don't have a device with Xposed installed here, but I blindly added Xposed support. Once installed, Xposed should show you a module that has to be enabled for DroidGuard / SafetyNet to succeed on systems with Xposed. This is also version independent and could work even on devices running older versions of Android.

mid-kid commented 7 years ago

:T

mar-v-in commented 7 years ago

@mid-kid it probably won't fix your CTS issues. This will be a device-dependent issue for now.

seanrand commented 7 years ago

With DroidGuard Helper 0.1.0-1 and its Xposed module enabled, I get this when running a check in SafetyNet Helper:

F/art     ( 5692): art/runtime/indirect_reference_table.cc:113] JNI ERROR (app bug): local reference table overflow (max=512)
F/art     ( 5692): art/runtime/indirect_reference_table.cc:113] local reference table dump:
F/art     ( 5692): art/runtime/indirect_reference_table.cc:113]   Last 10 entries (of 512):
F/art     ( 5692): art/runtime/indirect_reference_table.cc:113]       511: 0x12f45230 java.util.TreeSet
F/art     ( 5692): art/runtime/indirect_reference_table.cc:113]       510: 0x12f45230 java.util.TreeSet
F/art     ( 5692): art/runtime/indirect_reference_table.cc:113]       509: 0x12f45220 java.util.TreeSet
F/art     ( 5692): art/runtime/indirect_reference_table.cc:113]       508: 0x12f45220 java.util.TreeSet
F/art     ( 5692): art/runtime/indirect_reference_table.cc:113]       507: 0x12f45210 java.util.TreeSet
F/art     ( 5692): art/runtime/indirect_reference_table.cc:113]       506: 0x12f45210 java.util.TreeSet
F/art     ( 5692): art/runtime/indirect_reference_table.cc:113]       505: 0x12f45200 java.util.TreeSet
F/art     ( 5692): art/runtime/indirect_reference_table.cc:113]       504: 0x12f45200 java.util.TreeSet
F/art     ( 5692): art/runtime/indirect_reference_table.cc:113]       503: 0x12f451f0 java.util.TreeSet
F/art     ( 5692): art/runtime/indirect_reference_table.cc:113]       502: 0x12f451f0 java.util.TreeSet
F/art     ( 5692): art/runtime/indirect_reference_table.cc:113]   Summary:
F/art     ( 5692): art/runtime/indirect_reference_table.cc:113]       512 of java.util.TreeSet (256 unique instances)
F/art     ( 5692): art/runtime/indirect_reference_table.cc:113]

mid-kid commented 7 years ago

Was just about to post that. Same problem here.

FoxP commented 7 years ago

I can confirm. Same problem.

[removed for increased readability]

mar-v-in commented 7 years ago

That's what I meant with totally untested :cat: , can you give 0.1.0-2 a try?

FoxP commented 7 years ago

Hehe, no problem. With 0.1.0-2 :

09-25 16:06:05.180  4743  4756 E AndroidRuntime: java.lang.NoClassDefFoundError: Failed resolution of: Lorg/microg/gms/droidguard/SysHook;
09-25 16:06:05.180  4743  4756 E AndroidRuntime:    at org.microg.gms.droidguard.DroidguardHelper.guard(DroidguardHelper.java:91)
09-25 16:06:05.180  4743  4756 E AndroidRuntime:    at org.microg.gms.droidguard.RemoteDroidGuardService$1$1.run(RemoteDroidGuardService.java:23)
09-25 16:06:05.180  4743  4756 E AndroidRuntime:    at java.lang.Thread.run(Thread.java:818)
09-25 16:06:05.180  4743  4756 E AndroidRuntime: Caused by: java.lang.ClassNotFoundException: Didn't find class "org.microg.gms.droidguard.SysHook" on path: DexPathList[[zip file "/data/app/org.microg.gms.droidguard-1/base.apk"],nativeLibraryDirectories=[/data/app/org.microg.gms.droidguard-1/lib/arm64, /data/app/org.microg.gms.droidguard-1/base.apk!/lib/arm64-v8a, /vendor/lib64, /system/lib64]]
09-25 16:06:05.180  4743  4756 E AndroidRuntime:    at dalvik.system.BaseDexClassLoader.findClass(BaseDexClassLoader.java:56)
09-25 16:06:05.180  4743  4756 E AndroidRuntime:    at java.lang.ClassLoader.loadClass(ClassLoader.java:511)
09-25 16:06:05.180  4743  4756 E AndroidRuntime:    at java.lang.ClassLoader.loadClass(ClassLoader.java:469)
09-25 16:06:05.180  4743  4756 E AndroidRuntime:    ... 3 more
09-25 16:06:05.180  4743  4756 E AndroidRuntime:    Suppressed: java.lang.NoClassDefFoundError: org.microg.gms.droidguard.SysHook
09-25 16:06:05.180  4743  4756 E AndroidRuntime:        at dalvik.system.DexFile.defineClassNative(Native Method)
09-25 16:06:05.180  4743  4756 E AndroidRuntime:        at dalvik.system.DexFile.defineClass(DexFile.java:226)
09-25 16:06:05.180  4743  4756 E AndroidRuntime:        at dalvik.system.DexFile.loadClassBinaryName(DexFile.java:219)
09-25 16:06:05.180  4743  4756 E AndroidRuntime:        at dalvik.system.DexPathList.findClass(DexPathList.java:338)
09-25 16:06:05.180  4743  4756 E AndroidRuntime:        at dalvik.system.BaseDexClassLoader.findClass(BaseDexClassLoader.java:54)
09-25 16:06:05.180  4743  4756 E AndroidRuntime:        ... 5 more
09-25 16:06:05.180  4743  4756 E AndroidRuntime:    Suppressed: java.lang.ClassNotFoundException: Didn't find class "org.microg.gms.droidguard.SysHook" on path: DexPathList[[dex file "/data/dalvik-cache/xposed_XResourcesSuperClass.dex"],nativeLibraryDirectories=[/vendor/lib64, /system/lib64]]
09-25 16:06:05.180  4743  4756 E AndroidRuntime:        at dalvik.system.BaseDexClassLoader.findClass(BaseDexClassLoader.java:56)
09-25 16:06:05.180  4743  4756 E AndroidRuntime:        at java.lang.ClassLoader.loadClass(ClassLoader.java:511)
09-25 16:06:05.180  4743  4756 E AndroidRuntime:        at java.lang.ClassLoader.loadClass(ClassLoader.java:504)
09-25 16:06:05.180  4743  4756 E AndroidRuntime:        ... 4 more
09-25 16:06:05.180  4743  4756 E AndroidRuntime:        Suppressed: java.lang.ClassNotFoundException: org.microg.gms.droidguard.SysHook
09-25 16:06:05.180  4743  4756 E AndroidRuntime:            at java.lang.Class.classForName(Native Method)
09-25 16:06:05.180  4743  4756 E AndroidRuntime:            at java.lang.BootClassLoader.findClass(ClassLoader.java:781)
09-25 16:06:05.180  4743  4756 E AndroidRuntime:            at java.lang.BootClassLoader.loadClass(ClassLoader.java:841)
09-25 16:06:05.180  4743  4756 E AndroidRuntime:            at java.lang.ClassLoader.loadClass(ClassLoader.java:504)
09-25 16:06:05.180  4743  4756 E AndroidRuntime:            ... 5 more
09-25 16:06:05.180  4743  4756 E AndroidRuntime:        Caused by: java.lang.NoClassDefFoundError: Class not found using the boot class loader; no stack trace available

mid-kid commented 7 years ago

I've been trying different ROMs and configurations. After having just installed a new ROM, I get:

SafetyNet request: fail

Error Msg:
No Google Device Verification ApiKey defined. Marking as failed.
SafetyNet CtsProfileMatch: false

What is this ApiKey, how do I get it? EDIT: Nevermind, just realized I compiled SafetyNet Helper myself and it's missing the SafetyNet API key.

mid-kid commented 7 years ago

Quick update on my findings: Apparently the CTS profile mismatch on my device was related to the fact that /system/bin/su and /system/xbin/su did exist. Considering DroidGuard is running in an isolated environment, how viable would it be to spoof the existence of those files? If you get Xposed working, would RootCloak work? A quick analysis of the downloaded files doesn't yield any hardcoded strings to 'su', not that I'd expect modification of the binaries would even work, as it probably runs a self-check.

seanrand commented 7 years ago

Odd, ever since I've downgraded from DroidGuard Helper 0.1.0-2 to 0.1.0 again, all I get is

D/SafetyNetHelperSAMPLE( 5704): SafetyNet start request
I/Xposed  ( 1592): FakeGApps: returning fake signature to com.scottyab.safetynet.sample
I/Xposed  ( 1592): FakeGApps: returning fake signature to com.scottyab.safetynet.sample
D/SafetyNetHelper( 5704): apkCertificateDigests:[MZNsDhz8VAJMmFxPPso38ZRvZE6r7VIyzUqypkakG8E=]
D/SafetyNetHelper( 5704): apkDigest:4DxDh8CqEXxv7rxqsixmtrKq+1IxRmnP8XJ2lVFd26A=
D/SafeParcel( 2039): Unknown field num 9 in com.google.android.gms.common.internal.GetServiceRequest, skipping.
D/GmsSafetyNetClientSvc( 2039): bound by: GetServiceRequest{serviceId=SAFETY_NET_CLIENT, gmsVersion=9080000, packageName='com.scottyab.safetynet.sample', extras=Bundle[{}]}
V/SafetyNetHelper( 5704): Google play services connected
V/SafetyNetHelper( 5704): running SafetyNet.API Test
W/ActivityManager( 1592): Unable to start service Intent { act=org.microg.gms.droidguard.REMOTE flg=0x10 pkg=org.microg.gms.droidguard } U=0: not found
E/SafetyNetHelperSAMPLE( 5704): SafetyNetApi.AttestationResult success == false or empty payload

Tried un/re-installing microg-core/gsf/droidguard several times, rebooted several times - still the same result every time. This doesn't make any sense.

/data/data/org.microg.gms.droidguard/ is also empty, no cached droidguard files etc.

Edit: Fixed, guess at some point I grabbed the wrong GmsCore version from F-Droid. Duh.

mar-v-in commented 7 years ago

@mid-kid you are not seeing any 'su' strings, because the binary is encrypted and decrypts itself as well as a dynamic blob from the internet into temporary memory.

It seems that DroidGuard has a specific detection for xposed integrated. But I was able to run through SafetyNet with valid CTS using Magisk v6 and Systemless Xposed v86.5 (no root) and microG DroidGuard helper v0.1.0 (please don't use -1 or -2 previews, they are broken)

mar-v-in commented 7 years ago

@seanrand uninstall droidguard and make sure that /data/data/org.microg.gms.droidguard is removed then reboot and re-install droidguard and try again...

0x47 commented 7 years ago

@mid-kid How did you figure out it was looking for /system/xbin/su? I have this file, too. Maybe I should check if Magisk makes it work for my Nexus 4.

EDIT: I'd rather not try though, it's such an overkill for just hiding root.

0x47 commented 7 years ago

After installing Chainfire's experimental suhide (much smaller footprint than Magisk) the error looks more like the Xposed one:

09-26 01:14:11.679  3673  3673 D SafetyNetHelperSAMPLE: SafetyNet start request
09-26 01:14:11.681  3673  3673 D SafetyNetHelper: apkCertificateDigests:[MZNsDhz8VAJMmFxPPso38ZRvZE6r7VIyzUqypkakG8E=]
09-26 01:14:11.740  3673  3673 D SafetyNetHelper: apkDigest:4DxDh8CqEXxv7rxqsixmtrKq+1IxRmnP8XJ2lVFd26A=
09-26 01:14:11.749  1457  1468 D GmsSafetyNetClientSvc: bound by: GetServiceRequest{serviceId=SAFETY_NET_CLIENT, gmsVersion=9080000, packageName='com.scottyab.safetynet.sample', extras=Bundle[{}]}
09-26 01:14:11.762  3673  3673 V SafetyNetHelper: Google play services connected
09-26 01:14:11.762  3673  3673 V SafetyNetHelper: running SafetyNet.API Test
09-26 01:14:12.864  3673  3673 D SafetyNetResponse: decodedJWTPayload json:{"nonce":"ySBXzJaKR+FO/icPQPmCb3DavTiNcKyXAd/xBQ1dZWk=","timestampMs":1474845253777,"ctsProfileMatch":false,"extension":"CdowSLDgZ5wz","apkCertificateDigestSha256":[],"basicIntegrity":false}
09-26 01:14:12.864  3673  3673 E SafetyNetHelper: invalid packageName, expected = "com.scottyab.safetynet.sample"
09-26 01:14:12.864  3673  3673 E SafetyNetHelper: invalid packageName, response = "null"
09-26 01:14:12.865  3673  3673 E SafetyNetHelperSAMPLE: Response payload validation failed

@mar-v-in Do you think this is still caused by the missing CTS profile? After all I still see "ctsProfileMatch":false in there. What about @mid-kid's findings regarding the su files? At least Chainfire states that suhide should work for SafetyNet (for the time being).