How to (maybe) bypass SafetyNet hardware attestation on devices with an unlocked bootloader

Over the last couple of years, bypassing SafetyNet Attestation has gone from a simple cat-and-mouse game between Google and the modding community to a battle full of obscure barriers. With the rise of hardware-backed attestation, it has become very difficult to get past the boot image integrity check and hide root access. Installing Magisk alone is no longer enough to circumvent the latest SafetyNet update, especially on newer devices. This is exactly where the Universal SafetyNet Fix Magisk module comes in.

Owners of legacy devices, as well as custom ROM users, often rely on modules like MagiskHide Props Config to spoof the device fingerprint so that the CTS profile check passes under basic attestation. As long as that method depends on a valid combination of device and model names, build fingerprint, and security patch level, though, there is no guarantee the root-hiding trick will keep working: Google Play Services is starting to use hardware attestation for CTS profile validation in many cases, even when basic attestation is selected.

In more technical terms, even when the SafetyNet Attestation API response from GMS reports that basic attestation was used, hardware attestation is still run regardless of the reported state in order to enforce integrity. The key attestation certificate records the device's verified boot state (the RootOfTrust fields deviceLocked and verifiedBootState) as seen by the TEE, so an unlocked bootloader shows up there no matter how the system properties have been spoofed, and SafetyNet Attestation fails.

If you have an Android device with an unlocked bootloader (or one locked with custom verified boot keys) that therefore does not pass hardware attestation, the Universal SafetyNet Fix Magisk module may fix that. Created by Danny Lin, AKA XDA Senior Member kdrag0n, the module takes advantage of the opportunistic nature of the hardware attestation routine. Quoting the developer:

… it (hardware attestation) falls back to basic attestation if key attestation fails to run — and prevent GMS from using key attestation at the framework level. This causes it to gracefully fall back to basic attestation and pass SafetyNet with an unlocked bootloader.

The “not implemented” error code from Keymaster is used to simulate the most realistic failure condition and evade detection: an old device that simply lacks support for key attestation. Keep in mind that the whole approach depends on GMS keeping that fallback to basic attestation; the "(maybe)" in the title is there because Google can remove it at any time, and the module would stop working the moment hardware attestation became mandatory.
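To make the two mechanisms above concrete (the RootOfTrust fields inside the key attestation record, and the fallback to basic attestation when key attestation reports "not implemented"), here is an added, stdlib-only Python model. It is example code written for this page, not code from the article, from GMS, or from the Universal SafetyNet Fix project. It builds a constructed attestation-v3 KeyDescription (the structure carried in the Android key attestation certificate extension, OID 1.3.6.1.4.1.11129.2.1.17), reads deviceLocked and verifiedBootState from the teeEnforced list, and models the verifier's decision. The pass policy in evaluate(), the AttestationUnimplemented exception, the placeholder keys and hashes, and the challenge value are all assumptions; Google's real server-side logic is not public.

```python
"""Stdlib-only model: parse the RootOfTrust inside an Android key attestation
KeyDescription, and fall back to basic attestation when key attestation is
'not implemented'. Every blob here is constructed, not captured from a device."""

BOOT_STATES = {0: "Verified", 1: "SelfSigned", 2: "Unverified", 3: "Failed"}
# [704] EXPLICIT rootOfTrust: context-specific, constructed, high tag number
# 704 encoded base-128 (0x85 0x40).
ROOT_OF_TRUST_TAG = b"\xbf\x85\x40"


# --- minimal DER encoder ---------------------------------------------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return tag + _der_len(len(body)) + body


def der_int(v):  # non-negative INTEGER, leading 0x00 when the high bit is set
    return tlv(b"\x02", v.to_bytes((v.bit_length() + 8) // 8, "big"))


def der_enum(v):
    return tlv(b"\x0a", bytes([v]))


def der_bool(v):
    return tlv(b"\x01", b"\xff" if v else b"\x00")


def der_octets(b):
    return tlv(b"\x04", b)


def der_seq(*items):
    return tlv(b"\x30", b"".join(items))


# --- minimal DER decoder ---------------------------------------------------
def read_tlv(buf, pos=0):
    """Return (identifier_octets, content, next_pos); handles high tag numbers
    and long-form lengths."""
    start = pos
    pos += 1
    if buf[start] & 0x1F == 0x1F:  # high tag number form
        while buf[pos] & 0x80:
            pos += 1
        pos += 1
    tag = buf[start:pos]
    length = buf[pos]
    pos += 1
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def read_seq(body):
    items, pos = [], 0
    while pos < len(body):
        tag, content, pos = read_tlv(body, pos)
        items.append((tag, content))
    return items


def build_key_description(device_locked, boot_state, challenge=b"nonce-from-server"):
    """Constructed attestation-v3 KeyDescription whose teeEnforced list carries
    RootOfTrust. Key and hash bytes are placeholders, not real device values."""
    root_of_trust = der_seq(
        der_octets(b"\x00" * 32),  # verifiedBootKey (placeholder)
        der_bool(device_locked),
        der_enum(boot_state),      # see BOOT_STATES
        der_octets(b"\x11" * 32),  # verifiedBootHash (placeholder)
    )
    return der_seq(
        der_int(3),                # attestationVersion
        der_enum(1),               # attestationSecurityLevel: TrustedEnvironment
        der_int(4),                # keymasterVersion
        der_enum(1),               # keymasterSecurityLevel: TrustedEnvironment
        der_octets(challenge),     # attestationChallenge
        der_octets(b""),           # uniqueId
        der_seq(),                 # softwareEnforced (empty)
        der_seq(tlv(ROOT_OF_TRUST_TAG, root_of_trust)),  # teeEnforced
    )


def parse_root_of_trust(key_description):
    """Return {'challenge', 'deviceLocked', 'verifiedBootState'} taken from the
    teeEnforced list, or None if no RootOfTrust is present."""
    _, body, _ = read_tlv(key_description)
    fields = read_seq(body)
    challenge = fields[4][1]
    for tag, content in read_seq(fields[7][1]):  # teeEnforced
        if tag == ROOT_OF_TRUST_TAG:
            _, rot_body, _ = read_tlv(content)  # unwrap the EXPLICIT tag
            rot = read_seq(rot_body)
            return {
                "challenge": challenge,
                "deviceLocked": rot[1][1] != b"\x00",
                "verifiedBootState": BOOT_STATES[rot[2][1][0]],
            }
    return None


class AttestationUnimplemented(Exception):
    """Stand-in for Keymaster's 'not implemented' error (assumption: the exact
    exception GMS observes is not modelled here)."""


def unimplemented_attest():
    """Simulates an old device without key attestation support."""
    raise AttestationUnimplemented("KM_ERROR_UNIMPLEMENTED")


def evaluate(attest_key, basic_ok=True, challenge=b"nonce-from-server"):
    """Assumed verifier policy, not GMS code: returns (evaluationType, passed).
    If key attestation cannot run, only the basic checks count; if it runs,
    the RootOfTrust decides and spoofed system properties do not matter."""
    try:
        kd = attest_key()
    except AttestationUnimplemented:
        return "BASIC", basic_ok
    rot = parse_root_of_trust(kd)
    passed = (rot is not None and rot["challenge"] == challenge
              and rot["deviceLocked"] and rot["verifiedBootState"] == "Verified")
    return "HARDWARE_BACKED", passed


if __name__ == "__main__":
    print("locked, verified    :", evaluate(lambda: build_key_description(True, 0)))
    print("unlocked, unverified:", evaluate(lambda: build_key_description(False, 2)))
    print("no key attestation  :", evaluate(unimplemented_attest))
```

Against a real device you would first verify the attestation certificate chain up to Google's hardware attestation root and then extract the extension from the leaf certificate before parsing it; both steps are left out here. The evaluationType strings mirror the BASIC and HARDWARE_BACKED values the SafetyNet response carries, which is why the reported type alone tells you nothing about whether RootOfTrust was consulted.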

The workaround already comes pre-integrated in the ProtonAOSP ROM from the same developer, which lets you pass SafetyNet without Magisk on fairly modern devices such as the Google Pixel 5. If you are a custom ROM maintainer and wish to integrate this method into your build, you can cherry-pick the necessary patches from this repository. Otherwise, the latest version of the ready-to-flash Magisk module can be found here. Note that MagiskHide is still required if the target device is rooted.

Universal SafetyNet Fix: XDA Thread ||| GitHub Repo

About author

Skanda Hazarika

DIY enthusiast (i.e. salvager of old PC parts). An avid user of Android since the Eclair days, Skanda also likes to follow the recent development trends in the world of single-board computing.