This is LineageOS built from official sources (cm14.1 branch), with two patches that allow for Signature Spoofing and Network Location providers to be used outside of /system. These two conditions allow for easy installation of microG and UnifiedNlp.
I also include a few other extras (see ROM Features below), and experiment with things every now and then. Suggestions are welcome!
What is microG and UnifiedNlp? microG is a free re-implementation of Google's proprietary apps and libraries. UnifiedNlp serves as a replacement to Google Location Services and helps your device find its location (more info).
Benefits of microG and UnifiedNlp:
FLOSS
Lightweight
Modular
Can run with relatively-limited permissions
Improved device performance and battery life
Lower data usage
Faster GPS locks and better location accuracy
Significantly more control over privacy
ROM Features:
Upstream up-to-date LineageOS builds (I build multiple times a week)
Location Providers can be installed outside of /system
Can toggle Signature Spoofing for applications that can use it
Steven Black's Unified Hosts File built-in (default extensions)
Latest Version:
2017/07/31
Older Versions:
Google Drive Archive
Instructions:
Can be found in the next post down or by clicking here
Changelog:
My Changes (at the bottom of the linked page)
LineageOS deb Changelog
Compatibility Notes:
This ROM with microG passes SafetyNet
LineageOS and the default kernel support F2FS, however, the unofficial TWRP projects that support F2FS for shamu currently don't support F2FS decryption. Unless you know what you're doing, I suggest using a custom kernel with forced-encryption disabled if you want to have Data and Cache partitions with F2FS (TODO: See if this is still relevant; LineageOS may not force encryption on deb/flo? Also see if F2FS can even work)
I have no idea if this works with flo (non-LTE/Wifi-only); reports about this are welcome
Other Notes:
This ROM should work fine with GApps, but I don't test them. If you choose not to use microG nor go GApp-less, I recommend using Open GApps
This ROM is signed with my key and the build type is userdebug
I (will) use this ROM daily with microG and primarily to play Pokemon GO and Ingress; I should be able to notice any SafetyNet, location, or other issues quickly but all reports are welcome!
The patches and my notes for compiling (below) should be easily adaptable for any device capable of running LineageOS, or any ROM theoretically (change the ASUS manifest for other non-ASUS devices or remove it and supply your own vendor blobs if applicable)
Modifications Done:
Signature Spoofing
Location Provider Outside /system
Steven Black's Unified Hosts File
Additional Support:
microG on xda-developers
UnifiedNlp on xda-developers
microG Website
microG Wiki
Other Resources:
How this ROM is built
My Nexus 7 (2013) configuration and other notes
Reddit guide for setting up microG + UnifiedNlp
Shadow53's notes on flashable zips for microG and Play Store, Google Cal/Contact sync, and other information
Shadow53's NO GAPPS initiative
XDA:DevDB Information
LineageOS for easy microG + UnifiedNlp, ROM for the Nexus 7 (2013)
Contributors
espionage724
ROM OS Version: 7.x Nougat
Based On: LineageOS
Version Information
Status: Nightly
Created 2017-07-26
Last Updated 2017-07-31
Initial Instructions:
Wipe device (TWRP -> Wipe all partitions and Format Data)
Flash ROM (copy the zip over to the Internal Storage of the N7 over USB)
Format Data and Cache to F2FS (optional; need a supporting TWRP (TODO: add link to 3rd-party TWRP if needed) and if used, a custom kernel; note the encryption compatibility note in the first post)
Flash GApps (optional; DO NOT do this if wanting to use microG)
Flash a custom Kernel (optional; the included kernel is default Lineage with forced encryption, I use (TODO: find a custom kernel to vouch for if needed))
Flash Magisk (optional)
Reboot to System
Update Instructions:
Boot to TWRP
Flash updated ROM zip
Flash custom kernel (optional; but if you've used a custom kernel before, it'll be replaced with the default LineageOS one when you update; I recommend using the same kernel or an updated version of it)
Flash Magisk (optional; but it may need re-flashed if you've flashed it previously and either update the ROM, or a custom kernel)
Reboot to System
microG Application Descriptions:
microG Services Core: Core services and UnifiedNlp (required)
microG Services Framework Proxy: Google Cloud Messaging support
microG DroidGuard Helper: SafetyNet support
UnifiedNlp Application Descriptions:
NominatimNlpBackend: Looks up location based on geo-data (required)
LocalGsmNlpBackend: Notes cellular towers you connect to and refers to a local database (created from online sources) to determine location
LocalWifiNlpBackend: Scans nearby WiFi APs, links them to GPS coordinates, and stores them in a local database to determine location
Apple UnifiedNlp: Scans nearby WiFi APs and uses Apple's database to determine location
MozillaNlpBackend: Scans nearby WiFi APs and uses Mozilla's database to determine location (less work to set-up than LocalGSM and LocalWifi)
microG + UnifiedNlp Instructions:
Install F-Droid
Enable Unstable Updates (F-Droid Settings -> Expert mode -> Unstable updates; it's currently required to install the latest unstable microG Services Core)
Add the microG repository (visit https://microg.org/download.html)
Install the following: microG Services Core, NominatimNlpBackend, location backend(s) of choice, and other microG applications of choice for additional features (see the above list)
Enable Signature Spoofing for microG Services Core (Settings -> Apps -> ⚙ -> App permissions -> Spoof package signature)
Grant all permissions available for microG Services Core and location backend(s) of choice Settings -> Apps -> (application) -> Permissions)
Open microG Settings and enable desired features (if using Google SafetyNet, you must do ⋮ -> Advanced -> Use official server)
Configure UnifiedNlp Settings (check Nominatim from address lookup backends, and check desired location backend(s) under location backends)
Verify Self-Check has confirmation on all checks (UnifiedNlp being registered in system may require a reboot to start working)
Recommended microG + UnifiedNlp Packages:
Install microG Services Core, microG Services Framework Proxy, microG DroidGuard Helper, NominatimNlpBackend, and MozillaNlpBackend
If you want to run location resolution locally, install LocalGsmNlpBackend and LocalWifiNlpBackend instead of MozillaNlpBackend, or alternatively, install all three and keep MozillaNlpBackend disabled until required
App Store Notes:
You'll likely either want Yalp Store and FakeStore, or legitimate Google Play Store
If you're trying to avoid Google services, Yalp Store + FakeStore is what you'll want
Play Store will likely be wanted if you want a higher chance at being able to use paid apps and IAP (no guarantees; untested)
Play Store needs to be installed as a privileged application to work properly, and also assigns itself high permissions
You can also choose to install Play Store and Yalp Store; note that FakeStore should not be installed at the same time as Play Store though
You can also use any other app store(s) instead of Play Store or Yalp Store or even choose to not install a store at all, but any apps you install that depend on Play Store will need FakeStore installed still
Yalp Store Application Descriptions:
FakeStore: Fakes the presence of Google Play Store for applications that require it
Yalp Store: Allows downloading and updating of apps from Google Play Store, serves as an alternative to official Google Play Store, and if signed-in with your real Google account, allows for paid-apps to be downloaded; apps that do license checks post-install will fail, and IAP isn't possible currently
Yalp Store Instructions:
Open F-Droid
Install FakeStore and Yalp Store
Enable Signature Spoofing for FakeStore (Settings -> Apps -> ⚙ -> App permissions -> Spoof package signature)
Configure Yalp Store (⋮ -> Settings -> Pretend to be a Nexus 7 2013 (TODO: Fix the name for this) ; this is potentially required to avoid this)
Download desired applications
Enable only updating of applications acquired through Yalp Store (optional; sometimes versions differ from Play Store and F-Droid; ⋮ -> Settings -> Change app white list -> (select apps), and also set the Black or white list of apps for update to Only the chosen apps will be checked for updates)
Play Store Application Description:
Phonesky.apk: This is the name of the Play Store apk; allows for traditional Play Store behavior; apps that do post-install license checks and IAP are personally untested (feedback from anyone who tests this would be awesome)
Play Store Instructions:
Download the latest open_gapps-arm-7.1-pico archive (GitHub or the main site)
Extract it somewhere temporary
Go into the Core folder and find vending-all.tar.lz
Extract its contents
Go into the vending-all/240-320-480/priv-app/Phonesky folder
Take Phonesky.apk and move it somewhere temporary or just note its location
Reboot your device to Recovery
Mount /system on the Android device and use adb push to copy Phonesky.apk from local storage to /system/priv-app/Phonesky.apk
Reboot to System
Reserved
New build (2017/07/27): https://drive.google.com/file/d/0B9CekGWwY1hja2QzOWRmTktHT2c/view?usp=sharing
Reverted 323 DPI (figured the default 320 DPI is close enough), and also resync with LineageOS sources.
New build (2017/07/31): https://drive.google.com/file/d/0B9CekGWwY1hjQndfOS1zMHRQY00/view?usp=sharing
ROM now includes basic telephony support. GSM calling doesn't work (at least for me with T-Mobile), but theoretically SIP calls can work. At the very least, you can seemingly use USSD codes to control/check things (since in/out calls don't work, I forward my number with a USSD code to a spare phone I have).
So I have the following Setup to monitor new apps for Data leakage and privacy violations.
Poco F1 MIUI Globalk 11,0,5 stable
Magisk Manager (renamed) 7.5.1
Magisk 20.4
Magisk Modules:
Always Trust User Certificates 0.4.1
Move Certificates 1.8
Riru Core 21.2
Riru Edxposed 0.4.6.1 YAHFA
Xposed Modules:
Exposed Manager 4.5.7
AFwall+ 3.4.0
to inspect traffic i use HTTPCanary.
Certain Apps like to pin their certificates, so i use justtrustme 0.4 to bypass the various pinning attempts.
Now the issue:
As long as i keep JTM disabled as a module, httpcanary can pickup various connection attempts, some with pinning errors.
If i enable the module and restart the device, the traffic picked up by HTTPCanary dies.
I would assume at least the same amount of connections as before , maybe with a few apps failing to be unpinned, but not such a reduction.
Is there anything obviously wrong with my unpinning setup?
Pixel 4a, SP1A_211105.002 (A12)
Magisk 23.0 stable
Systemless Hosts 1.0
Riru v 26.1.3.r513...
Universal Safetynet Fix v2.1.2
SafetyNet passed seamlessly
For the mods: I did not find a dedicated thread to post this. If a suitable one already exists, please feel free to merge this.
Thanks to all the developers/testers that made this possible.
Cheers,
R
I found a second way to pass SafetyNet. This method uses the new zygist feature in Magisk, which will eventually be the only way in the future. Reminder, enabling zygist will replace riru & disable the module (don't worry it's normal/intended).
-Magisk (zygist enabled)
-LSposed (zygist)
-Universal SafetyNet (zygist)
Screenshot:
Hello All, I have rooted and installed TWRP recovery. Successfully flashed Android 12 GSI. Passes "Basic Integrity" but fails "CTS profile match". Any ideas?
Date: July 6, 2022
Build: SQ3A.220705.003.A1
Security patch level: July 2022
Google Play Services: 21.24.23
Magisk 25.2 (25200) installed and working
Zygisk enabled
MagiskHide Props Config v6. 1.2-v137 installed and working
UniversalSafetynetFix v2.3.1 installed and working
Everything else including Play Store is working perfectly. No lag or any other performance issues compared to the stock ROM too. Really good battery management too.
helo i use magisk delta, how to hide magisk from banking apps? any module to hide ?
MAGISK MODULE ❯ Universal SafetyNet Fix 2.4.0
Universal SafetyNet Fix Magisk module Magisk module to work around Google's SafetyNet attestation. This module works around hardware attestation and recent updates to SafetyNet CTS profile checks. You must already be able to pass basic CTS...
forum.xda-developers.com