microg / GmsCore

Free implementation of Play Services
https://microg.org
Apache License 2.0

SafetyNet started failing #482

Closed ArchangeGabriel closed 5 years ago

ArchangeGabriel commented 6 years ago

Somewhere around Friday morning, SafetyNet started failing (CTS Profile match: false, but Basic Integrity: true). I have not changed anything on my device (OP5T, OmniROM, no root or anything whatsoever) between the time it worked and the time it stopped working, and I’ve tested on my old phone (OPO) on which it does not work either (but I had to reinstall on OmniROM on it and it also has Basic Integrity: false).

Is anyone else confirming? If not, what should I look for? If yes, I suppose this is due to some DroidGuard update that now detects μG?

nyanpasu64 commented 6 years ago

I tried installing Droidguard from https://github.com/ThibG/android_packages_apps_RemoteDroidGuard/tree/aarch64 (the unmerged pull request).

Chiffon-Pudding commented 6 years ago

Hmm. Nexus5, lineage-14.1-20180920, Magisk-v17.1, Nanodroid-18.3.1.20180921 + microg core 0.2.6.13280, SafetyNet passed.

If GPS has been turned OFF, I could sign in to Pokemon GO. But if GPS has been turned ON, I could not do it (This device, OS, or software is not compatible with Pokemon GO.).

nyanpasu64 commented 6 years ago

I don't see how you could've possibly gotten it to work.


Moto g4 plus, lineage-microg 14.1.

So I got several "safetynet failed" results, decided to backup, wipe, and reflash. Now all I get are error 14/etc.

Removing /system/priv-app/droidguard.apk (I forgot to put in a subfolder) made no difference.

I tried installing Magisk Nanodroid (microG sub module) on top of Lineage-microG and uninstalling my user Droidguard, now microG crashes immediately with error:

    Process: com.google.android.gms.unstable, PID: 6480
    java.lang.NullPointerException: Attempt to invoke virtual method 'android.content.res.Configuration android.content.res.Resources.getConfiguration()' on a null object reference
        at android.app.ActivityThread.updateLocaleListFromAppContext(ActivityThread.java:5115)
        at android.app.ActivityThread.handleBindApplication(ActivityThread.java:5340)
        at android.app.ActivityThread.-wrap2(ActivityThread.java)
        at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1564)
        at android.os.Handler.dispatchMessage(Handler.java:102)
        at android.os.Looper.loop(Looper.java:154)
        at android.app.ActivityThread.main(ActivityThread.java:6186)
        at java.lang.reflect.Method.invoke(Native Method)
        at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:889)
        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:779)

Both nanodroid and 0.2.6.13280-dirty (git) have same error.


Edit: I got SafetyNet to pass Basic but not CTS Profile. Unfortunately MicroG failed to generate a Play ID.

Chiffon-Pudding commented 6 years ago

@jimbo1qaz I would like to confirm just in case: are you applying NanoDroid-patcher? It's needed for signature spoofing for microG. Also, is "Google SafetyNet" in microG Settings set to Enabled? It's necessary to use the SafetyNet API.

nyanpasu64 commented 6 years ago

Can you explain your exact setup? I'm guessing:

Where did you get microg core 0.2.6.13280 apk? Manually compile, or is there a CI build artifact repo with all .apk builds?

Chiffon-Pudding commented 6 years ago

@jimbo1qaz Nexus5 hammerhead (16GB)

Flash zip (TWRP 3.2.3-0):

  1. linageos-14.1-20180920-nighty-hammerhead-signed.zip (not "with microg")
  2. Magisk-v17.1.zip
  3. NanoDroid-setupwizard-18.3.1.20180921.zip (with microg, with Maps API v1)
  4. NanoDroid-18.3.1.20180921.zip
  5. NanoDroid-patcher-18.3.1.20180921.zip (TWRP App not installed)

After booting:

  6. Magisk update
  7. Swap /system/priv-app/GmsCore/GmsCore.apk (0.2.6.13280, use X-plore, backup and renaming)
  8. Reboot
  9. Enable Google SafetyNet
  10. Reboot
  11. SafetyNet API check (Passed)

Iolaum commented 5 years ago

I used the droidGuard helper apk suggested at this comment by @nanolx and enabled safetynet in microG settings. I then used the SafetyNet Test app from playstore, through Aurora store.

My results were:

  - SafetyNet request: Success
  - Response Signature Validation: Success
  - Basic Integrity: Success
  - CTS Profile match: Fail

I'm guessing this means that the PR works - because of the response signature success - but something else I did fails? Or maybe something else apart from droid guard helper needs fixing?

P.S. I am using this ROM for the Galaxy S5 Neo that I compiled through the L4mG docker ci/cd image through those steps. I didn't install/flash any extra system modifications (root, magisk, Xposed or anything else).

P.P.S. cc'ing @ArchangeGabriel because of this comment.

I probably missed something, as I'm still learning, but I hope the feedback can still be helpful.

Nanolx commented 5 years ago

CTS Profile is the extended check. If you're on a Galaxy device with unlocked Bootloader, that will trip KNOX and thus CTS Profile match fails as the device is seen as tinkered. So that is not an issue, but the correct result.

The only way around this is Magisk.

Iolaum commented 5 years ago

@Nanolx This comment on the LineageOS subreddit, saying that knox is not checked by SafetyNet, prompted me to check after I went back to official LineageOS and gapps and F-Droid on my S5Neo. When I reran the SafetyNet check, everything passed, including CTS Profile match. I'd guess this should rule out tripped knox as the reason why CTS Profile match failed, since now it is passing while I still have a custom ROM and recovery installed.

Unfortunately I no longer have LineageOS with microG installed on the phone to try to debug this (on top of that I wouldn't know where to begin). Just posting here to inform that this problem had to do with safetynet and not knox.

kYc0o commented 5 years ago

Well for me none of the proposed solutions work. I'm on LineageOS 14.1 unofficial for SM-A300FU. The logcat output also shows DroidHelper crashing and I have the ApiException[14] 14: with the SafetyNet Sample app.

The logcat output:

01-19 16:10:45.879  4845  4845 D SafetyNetHelperSAMPLE: SafetyNet start request
01-19 16:10:45.881  4845  4845 D SafetyNetHelper: apkCertificateDigests:[MZNsDhz8VAJMmFxPPso38ZRvZE6r7VIyzUqypkakG8E=]
01-19 16:10:45.881  4845  4845 V SafetyNetHelper: running SafetyNet.API Test
01-19 16:10:45.979  5113  5132 D NetworkSecurityConfig: No Network Security Config specified, using platform default
01-19 16:10:45.980  5113  5132 W System  : ClassLoader referenced unknown path: /system/framework/tcmclient.jar
01-19 16:10:46.010  5113  5132 D GmsDroidguardHelper: -- Request --
01-19 16:10:46.010  5113  5132 D GmsDroidguardHelper: DGRequest{usage=DGUsage{type=attest, packageName=com.google.android.gms}, info=[KeyValuePair{key=BOARD, val=MSM8916}, KeyValuePair{key=BOOTLOADER, val=A300FUXXU1CPH3}, KeyValuePair{key=BRAND, val=samsung}, KeyValuePair{key=CPU_ABI, val=armeabi-v7a}, KeyValuePair{key=CPU_ABI2, val=armeabi}, KeyValuePair{key=SUPPORTED_ABIS, val=armeabi-v7a,armeabi}, KeyValuePair{key=DEVICE, val=a3ulte}, KeyValuePair{key=DISPLAY, val=lineage_a3ltexx-userdebug 7.1.2 N2G47O e45ef2b5f5 test-keys}, KeyValuePair{key=FINGERPRINT, val=samsung/a3ltexx/a3ulte:7.1.2/N2G47O/e45ef2b5f5:user/release-keys}, KeyValuePair{key=HARDWARE, val=qcom}, KeyValuePair{key=HOST, val=winkarbik}, KeyValuePair{key=ID, val=N2G47O}, KeyValuePair{key=MANUFACTURER, val=samsung}, KeyValuePair{key=MODEL, val=SM-A300FU}, KeyValuePair{key=PRODUCT, val=a3ltexx}, KeyValuePair{key=RADIO, val=unknown}, KeyValuePair{key=SERIAL, val=a7405641}, KeyValuePair{key=TAGS, val=release-keys}, KeyValuePair{key=TIME, val=1495735494000}, KeyValuePair{key=TYPE, val=user}, KeyValuePair{key=USER, val=jenkins}, KeyValuePair{key=CODENAME, val=REL}, KeyValuePair{key=INCREMENTAL, val=e45ef2b5f5}, KeyValuePair{key=RELEASE, val=7.1.2}, KeyValuePair{key=SDK, val=25}, KeyValuePair{key=SDK_INT, val=25}], versionNamePrefix=13.2.80 (040300-{{cl}}), isGoogleCn=false, enableInlineVm=true, cached=[ByteString[size=20 md5=c7c36e1888f2d6fc56d4fcb1705c6b2e]], currentVersion=3, arch=armv7l}
01-19 16:10:46.338  5113  5132 D GmsDroidguardHelper: Using cached file from /data/user/0/org.microg.gms.droidguard/app_dg_cache/d24334ada8172475d4470af3fefe3d369f2698f5/the.apk
01-19 16:10:46.699  5113  5132 F art     : art/runtime/oat_quick_method_header.cc:55] Failed to find Dex offset for PC offset 0x8ca84c6b(PC 0x0, entry_point=0x7357b395 current entry_point=0x7357b395) in java.nio.charset.CharsetDecoder java.nio.charset.CharsetICU.newDecoder()
01-19 16:10:46.702  5113  5132 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x32627844 in tid 5132 (Thread-2)
01-19 16:10:46.703   263   263 W         : debuggerd: handling request: pid=5113 uid=10069 gid=10069 tid=5132
01-19 16:10:46.700  5136  5136 I debuggerd: type=1400 audit(0.0:730): avc: denied { read } for uid=0 name="the.apk" dev="mmcblk0p27" ino=41145 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=1
01-19 16:10:46.700  5136  5136 I debuggerd: type=1400 audit(0.0:730): avc: denied { open } for uid=0 path="/data/data/org.microg.gms.droidguard/app_dg_cache/d24334ada8172475d4470af3fefe3d369f2698f5/the.apk" dev="mmcblk0p27" ino=41145 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=1
01-19 16:10:46.700  5136  5136 W debuggerd: type=1300 audit(0.0:730): arch=40000028 syscall=322 per=800008 success=yes exit=9 a0=ffffff9c a1=b6ac1150 a2=20000 a3=0 items=0 ppid=263 ppcomm=debuggerd auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) exe="/system/bin/debuggerd" subj=u:r:debuggerd:s0 key=(null)
01-19 16:10:46.700   262   262 W auditd  : type=1320 audit(0.0:730): 
01-19 16:10:46.700  5136  5136 I debuggerd: type=1400 audit(0.0:731): avc: denied { getattr } for uid=0 path="/data/data/org.microg.gms.droidguard/app_dg_cache/d24334ada8172475d4470af3fefe3d369f2698f5/the.apk" dev="mmcblk0p27" ino=41145 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=1
01-19 16:10:46.700  5136  5136 W debuggerd: type=1300 audit(0.0:731): arch=40000028 syscall=197 per=800008 success=yes exit=0 a0=9 a1=bebaf7e0 a2=712048dd a3=0 items=0 ppid=263 ppcomm=debuggerd auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) exe="/system/bin/debuggerd" subj=u:r:debuggerd:s0 key=(null)
01-19 16:10:46.700   262   262 W auditd  : type=1320 audit(0.0:731): 
01-19 16:10:46.729  5136  5136 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
01-19 16:10:46.729  5136  5136 F DEBUG   : LineageOS Version: '14.1-20170525-UNOFFICIAL-a3ltexx'
01-19 16:10:46.729  5136  5136 F DEBUG   : Build fingerprint: 'samsung/a3ltexx/a3ulte:7.1.2/N2G47O/e45ef2b5f5:user/release-keys'
01-19 16:10:46.729  5136  5136 F DEBUG   : Revision: '1'
01-19 16:10:46.729  5136  5136 F DEBUG   : ABI: 'arm'
01-19 16:10:46.729  5136  5136 F DEBUG   : pid: 5113, tid: 5132, name: Thread-2  >>> com.google.android.gms.unstable <<<
01-19 16:10:46.729  5136  5136 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x32627844
01-19 16:10:46.733  5136  5136 F DEBUG   : Abort message: 'art/runtime/oat_quick_method_header.cc:55] Failed to find Dex offset for PC offset 0x8ca84c6b(PC 0x0, entry_point=0x7357b395 current entry_point=0x7357b395) in java.nio.charset.CharsetDecoder java.nio.charset.CharsetICU.newDecoder()'
01-19 16:10:46.733  5136  5136 F DEBUG   :     r0 30376562  r1 b426d140  r2 0001000a  r3 b2ce61cf
01-19 16:10:46.733  5136  5136 F DEBUG   :     r4 646c6568  r5 b2ce61c4  r6 00006953  r7 b426d140
01-19 16:10:46.733  5136  5136 F DEBUG   :     r8 b2b46328  r9 b3dc0497  sl b2ce61cf  fp 32627830
01-19 16:10:46.733  5136  5136 F DEBUG   :     ip b4178b40  sp b2ce6168  lr b3dc34f7  pc b3dfaea6  cpsr 000b0030
01-19 16:10:46.745  5136  5136 F DEBUG   : 
01-19 16:10:46.745  5136  5136 F DEBUG   : backtrace:
01-19 16:10:46.745  5136  5136 F DEBUG   :     #00 pc 000e8ea6  /system/lib/libart.so (_ZN3art11ClassLinker16FindOatMethodForEPNS_9ArtMethodEPb+349)
01-19 16:10:46.745  5136  5136 F DEBUG   :     #01 pc 000b14f3  /system/lib/libart.so (_ZN3art9ArtMethod23GetOatQuickMethodHeaderEj+158)
01-19 16:10:46.745  5136  5136 F DEBUG   :     #02 pc 00328ced  /system/lib/libart.so (_ZN3art12StackVisitor9WalkStackEb+120)
01-19 16:10:46.745  5136  5136 F DEBUG   :     #03 pc 0024d89f  /system/lib/libart.so (_ZN3art9JNIEnvExt19CheckNoHeldMonitorsEv+58)
01-19 16:10:46.745  5136  5136 F DEBUG   :     #04 pc 003f3a2f  /system/lib/libart.so (_ZN3art12JniMethodEndEjPNS_6ThreadE+42)
01-19 16:10:46.745  5136  5136 F DEBUG   :     #05 pc 0000d02f  /data/data/org.microg.gms.droidguard/app_dg_cache/d24334ada8172475d4470af3fefe3d369f2698f5/opt/the.dex (offset 0xc000)
01-19 16:10:47.070  5132  5132 W Thread-2: type=1701 audit(0.0:732): auid=4294967295 uid=10069 gid=10069 ses=4294967295 subj=u:r:priv_app:s0:c512,c768 reason="memory violation" sig=11
01-19 16:10:47.070  1435  1435 I android.ui: type=1400 audit(0.0:733): avc: denied { open } for uid=1000 path="/system/priv-app/DroidGuard/DroidGuard.apk" dev="mmcblk0p24" ino=94589 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file permissive=1
01-19 16:10:47.086  5136  5136 E         : debuggerd: failed to kill process 5113: No such process
01-19 16:10:47.088  1357  1462 I BootReceiver: Copying /data/tombstones/tombstone_02 to DropBox (SYSTEM_TOMBSTONE)
01-19 16:10:47.093   263   263 W         : debuggerd: resuming target 5113
01-19 16:10:47.070  1435  1435 W android.ui: type=1300 audit(0.0:733): arch=40000028 syscall=322 per=800008 success=yes exit=242 a0=ffffff9c a1=8ecfec10 a2=20000 a3=0 items=0 ppid=581 ppcomm=main auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=4294967295 tty=(none) exe="/system/bin/app_process32" subj=u:r:system_server:s0 key=(null)
01-19 16:10:47.070   262   262 W auditd  : type=1320 audit(0.0:733): 
01-19 16:10:47.128  1357  1895 I ActivityManager: Process com.google.android.gms.unstable (pid 5113) has died
01-19 16:10:47.128  1357  1895 D ActivityManager: cleanUpApplicationRecord -- 5113
01-19 16:10:47.129   581   581 I Zygote  : Process 5113 exited due to signal (11)
01-19 16:10:47.131  1357  1895 W ActivityManager: Scheduling restart of crashed service org.microg.gms.droidguard/.RemoteDroidGuardService in 1000ms
01-19 16:10:47.135  4845  4845 E SafetyNetHelperSAMPLE: ApiException[14] 14: 
01-19 16:10:47.149  1357  4891 I OpenGLRenderer: Initialized EGL, version 1.4
01-19 16:10:47.149  1357  4891 D OpenGLRenderer: Swap behavior 1
01-19 16:10:47.164  1357  4891 E linker  : readlink("/proc/self/fd/261") failed: Permission denied [fd=261]
01-19 16:10:47.164  1357  4891 E linker  : warning: unable to get realpath for the library "/system/lib/hw/gralloc.msm8916.so". Will use given path.
01-19 16:10:48.144  1357  1432 I ActivityManager: Start proc 5140:com.google.android.gms.unstable/u0a69 for service org.microg.gms.droidguard/.RemoteDroidGuardService
01-19 16:10:48.154   290   325 I Magisk  : proc_monitor: org.microg.gms.droidguard/.RemoteDroidGuardService PID=[5140] ns=[4026534892]
01-19 16:10:48.210  5140  5140 I main    : type=1400 audit(0.0:734): avc: denied { read } for uid=10069 name="u:object_r:spcomlib_prop:s0" dev="tmpfs" ino=2456 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:spcomlib_prop:s0 tclass=file permissive=1
01-19 16:10:48.210  5140  5140 W main    : type=1300 audit(0.0:734): arch=40000028 syscall=334 per=800008 success=yes exit=0 a0=ffffff9c a1=befddb8c a2=4 a3=0 items=0 ppid=581 ppcomm=main auid=4294967295 uid=10069 gid=10069 euid=10069 suid=10069 fsuid=10069 egid=10069 sgid=10069 fsgid=10069 ses=4294967295 tty=(none) exe="/system/bin/app_process32" subj=u:r:priv_app:s0:c512,c768 key=(null)
01-19 16:10:48.210   262   262 W auditd  : type=1320 audit(0.0:734): 
01-19 16:10:48.218  5140  5140 I art     : Late-enabling -Xcheck:jni
01-19 16:10:48.248  5140  5140 I art     : Starting a blocking GC AddRemoveAppImageSpace
01-19 16:10:48.249  5140  5140 W System  : ClassLoader referenced unknown path: /system/priv-app/DroidGuard/lib/arm

Also have Magisk v18.0 hiding DroidGuard as proposed by @Nanolx in https://github.com/microg/android_packages_apps_RemoteDroidGuard/pull/19#issuecomment-449368819
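Added example, not part of the original thread or of microG's code: a small Python triage script that links a client-side `ApiException` to a fatal signal in another process shortly before it, which is the correlation the logcat above shows by hand. The sample lines are constructed by abridging that logcat; the 2-second window and the placeholder year are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a few lines abridged from the logcat posted above.
SAMPLE = """\
01-19 16:10:45.879  4845  4845 D SafetyNetHelperSAMPLE: SafetyNet start request
01-19 16:10:46.702  5113  5132 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x32627844 in tid 5132 (Thread-2)
01-19 16:10:46.729  5136  5136 F DEBUG   : pid: 5113, tid: 5132, name: Thread-2  >>> com.google.android.gms.unstable <<<
01-19 16:10:47.128  1357  1895 I ActivityManager: Process com.google.android.gms.unstable (pid 5113) has died
01-19 16:10:47.135  4845  4845 E SafetyNetHelperSAMPLE: ApiException[14] 14:
01-19 16:10:48.218  5140  5140 I art     : Late-enabling -Xcheck:jni
"""

# logcat "threadtime" layout: date time pid tid priority tag: message
LINE = re.compile(
    r"^(\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+(\d+)\s+(\d+)\s+([VDIWEF])\s+(.*?)\s*:\s?(.*)$"
)
FATAL = re.compile(r"Fatal signal (\d+) \((\w+)\)")
DIED = re.compile(r"Process (\S+) \(pid (\d+)\) has died")
TOMB = re.compile(r"pid: (\d+), .*>>> (\S+) <<<")
API_ERR = re.compile(r"ApiException\[(\d+)\]")

def parse(text, year=2000):
    """Yield (time, pid, priority, tag, message); threadtime omits the year, so one is assumed."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip wrapped or truncated lines
        ts, pid, _tid, prio, tag, msg = m.groups()
        when = datetime.strptime(f"{year}-{ts}", "%Y-%m-%d %H:%M:%S.%f")
        yield when, int(pid), prio, tag, msg

def triage(text, window=timedelta(seconds=2)):
    """Pair each ApiException with fatal signals seen at most `window` before it."""
    crashes, names, errors = [], {}, []
    for when, pid, prio, tag, msg in parse(text):
        if prio == "F" and (m := FATAL.search(msg)):
            crashes.append((when, pid, m.group(2)))
        elif m := DIED.search(msg):
            names[int(m.group(2))] = m.group(1)
        elif m := TOMB.search(msg):
            names[int(m.group(1))] = m.group(2)
        elif m := API_ERR.search(msg):
            errors.append((when, tag, int(m.group(1))))
    findings = []
    for when, tag, code in errors:
        for crashed_at, pid, sig in crashes:
            gap = when - crashed_at
            if timedelta(0) <= gap <= window:
                findings.append({
                    "api_error": code,
                    "client_tag": tag,
                    "crashed_pid": pid,
                    "crashed_process": names.get(pid, "unknown"),
                    "signal": sig,
                    "gap_ms": gap // timedelta(milliseconds=1),
                })
    return findings
```

Run over the abridged sample, `triage(SAMPLE)` reports one finding: the SIGSEGV in `com.google.android.gms.unstable` (pid 5113) 433 ms before the sample app's `ApiException[14]`.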

Nanolx commented 5 years ago

Official DroidGuard Helper won't work, you need a build with this pull request here merged. Everything fine with that.

kYc0o commented 5 years ago

I have installed that one and the problem persists... I'll try a clean install and report back if that works.

kYc0o commented 5 years ago

After several tests my conclusion is: LineageOS 14.1 for A300FU doesn't pass SafetyNet under any of the conditions I tested so far:

So far, none of the combinations presented above led me to a successful SafetyNet check.

I then installed a modified version of the stock ROM and installed the nanodroid package with microg, then hid DroidGuard with Magisk, and the SafetyNet check passes now. The app I thought was affected by SafetyNet (the airfrance app) still doesn't work, though the SafetyNet checks are all green.

jansohn commented 5 years ago

@kYc0o it won't help you but I also never got SafetyNet working with LineageOS 14.1 either...

Iolaum commented 5 years ago

@kYc0o I think you need the following two things:

I have added both APKs in a fork of mine and I used them to build LineageOS+microG for s5neoltexx (Galaxy S5 neo). Instructions on how I did it, if needed, can be found here.

Hopefully that will help you. In my case it was Lineage 15.1 used as a base instead of 14.1 but I think they can also work for 14.1.

benwaffle commented 5 years ago

Using that updated droidguard apk and adding droidguard to MagiskHide gives me basicIntegrity: true and ctsProfile: false, which is enough for some apps

kYc0o commented 5 years ago

Thanks @Iolaum for your insight! Actually I also own an S5 neo, although I still prefer the A300FU.

Do you have the compiled APKs of those packages? I couldn't find them and I'd like to check if the md5 matches the versions I have currently installed.

I'll also test your build asap on my s5 neo.

Iolaum commented 5 years ago

@kYc0o I've already put those APKs in my repository, which is linked in my previous post.

You can also get those APKs with the following Linux shell commands:

    $ wget https://nanolx.org/fdroid/repo/GmsCore_23.apk
    ...
    $ md5sum GmsCore_23.apk
    0eb42417c1f95e8c954887558b214ff9  GmsCore_23.apk

    $ wget https://nanolx.org/fdroid/repo/DroidGuard_0.apk
    ...
    $ md5sum DroidGuard_0.apk
    ea538b995a7bd6143970101458852c94  DroidGuard_0.apk

That is where I got them from.

Update: It looks like there's a newer version GmsCore_23 of the GmsCore from Nanolx.

kYc0o commented 5 years ago

Well, it turns out that's the version I have:

    a3ulte:/ $ md5sum /system/priv-app/GmsCore/GmsCore.apk
    6400f03950b3f1d49a68a7ec10f50d04  /system/priv-app/GmsCore/GmsCore.apk
    a3ulte:/ $ md5sum /system/app/DroidGuard/DroidGuard.apk
    ea538b995a7bd6143970101458852c94  /system/app/DroidGuard/DroidGuard.apk

Actually in my current ROM (SEP 8.5) SafetyNet is all green, but my airfrance app doesn't log in. I guess that problem is related to other things and not to SafetyNet. In #691 I explain the issue in more detail.

Thanks a lot for your help!

Nanolx commented 5 years ago

@ale5000-git could you close this issue? It's about the old bug fixed by https://github.com/microg/android_packages_apps_RemoteDroidGuard/pull/19