Help with Integrity

We understand the critical importance of maintaining a robust and secure Android environment. In the world of advanced Android customization, achieving a seamless balance between powerful root access and uncompromised system integrity is a primary objective for many users. The journey often involves tools like KernelSU Next and SUSFS, particularly when you are pushing the boundaries of a device’s native capabilities. When you see system integrity checks returning red flags, it can be a source of significant frustration. We are here to provide a comprehensive, detailed guide on restoring your system’s integrity metrics to a verified, green state, ensuring your device remains secure, stable, and capable of passing the most stringent checks.

This guide is tailored for users seeking a deep understanding of how to configure their rooted environment correctly. We will explore the methodologies behind integrity protection, the specific role of modules like SUSFS, and the step-by-step configurations required to achieve a “green” status. Whether you are running a device like the Nord CE 4 Lite on OxygenOS 16 or a different configuration on Android 16, the principles remain consistent, though specific file paths and version numbers may vary.

Understanding System Integrity: The Red vs. Green Paradigm

Before implementing fixes, we must first understand what these integrity states represent. In the context of Android security, “integrity” refers to the verifiable state of the system partition, boot image, and critical system files.

The Role of Hardware Attestation

Modern Android devices utilize hardware-backed security measures, such as the Trusted Execution Environment (TEE) and StrongBox. These hardware elements perform attestation, cryptographically verifying that the boot chain has not been tampered with. When a device is rooted using standard methods (like Magisk or direct kernel patching), the cryptographic hash of the boot image changes. Consequently, hardware attestation detects this modification and returns a red integrity state (often referred to as MEETS_BASIC_INTEGRITY failing or CERTIFIED failing).

Why KernelSU Next Changes the Game

KernelSU Next represents a shift in how root is managed. Unlike traditional userspace root solutions that rely on modifying the system partition, KernelSU operates directly within the kernel space. It provides a mechanism for managing root access with finer granularity. However, simply installing KernelSU Next is often not enough to pass strong integrity checks. The kernel itself is modified to include the KernelSU interface, which alters its fingerprint. This is where SUSFS (Suspend Overlay Mounts Filesystem) becomes essential. SUSFS is a sophisticated tool designed to hide these modifications from the perspective of integrity checks.

The Significance of “Green” Integrity

Achieving a “green” integrity state (often indicating MEETS_DEVICE_INTEGRITY or MEETS_BASIC_INTEGRITY) is crucial for several reasons:

1. Google Pay and Banking Apps: Many financial applications rely on SafetyNet or Play Integrity API checks. A red status will block access to these services.
2. Widevine L1: Streaming services often require a secure environment to play high-definition content. Integrity failures can downgrade your Widevine certification from L1 to L3.
3. App Compatibility: Certain high-security applications (corporate apps, games with anti-cheat) will refuse to run on a compromised system.

Deploying SUSFS: The Foundation of Integrity Hiding

The user’s scenario mentions a “SUSFS compatible kernel.” This is the cornerstone of the solution. SUSFS works by creating a “shadow” layer over the filesystem. It hides specific files, directories, and mount points from the rest of the system, including integrity checking services.

Prerequisites for SUSFS Implementation

To effectively use SUSFS with KernelSU Next, we must ensure the environment is correctly set up:

1. KernelSU Next Installation: Ensure the kernel is patched correctly with KernelSU Next. The kernel must support OverlayFS and specific kernel configurations required for SUSFS (such as CONFIG_OVERLAY_FS and specific namespace support).
2. SUSFS Binary: You need the appropriate susfs binary compatible with your kernel version. This binary is typically placed in /data/adb/susfs/.
3. Magisk Module Repository Access: We will be utilizing modules available from your repository. Ensure you have access to the Magisk Module Repository at https://magiskmodule.gitlab.io/magisk-modules-repo/.

Critical Module: Zygisk-Next and Shamiko

While SUSFS handles the filesystem layer, we need a companion module to handle the runtime environment. We strongly recommend installing Zygisk-Next (a successor to the original Zygisk) and Shamiko.

Zygisk-Next provides the framework for module injection, while Shamiko is a powerful module that hides the root manager itself from applications. Shamiko works synergistically with SUSFS. While SUSFS hides file modifications, Shamiko ensures that the root manager (KernelSU Next) is not detected via common detection vectors (like checking for su binaries or specific properties).

Configuration Steps for Nord CE 4 Lite (OOS16 / Android 16)

For a device running OxygenOS 16 based on Android 16, the system architecture may have evolved, but the underlying security principles remain. We will assume you have already installed KernelSU Next and a compatible kernel. Now, we focus on the configuration to turn those red flags green.

Step 1: Verify KernelSU Next Status

First, confirm that KernelSU Next is active.

1. Open the KernelSU Next application.
2. Verify that the “KernelSU” status is active and the version is displayed.
3. Check the “Superuser” list to ensure apps have the necessary permissions if you have already granted them. However, for integrity purposes, we often recommend keeping the Superuser list minimal until stability is confirmed.

Step 2: Installing the SUSFS Module

We need to apply the SUSFS logic to the system. Since you have a compatible kernel, you must ensure the userspace component is active.

1. Download the SUSFS for KernelSU module from the Magisk Module Repository. Look for the version specifically tagged for KernelSU Next.
2. Install the module via the KernelSU Next manager or Magisk Manager if you are using a hybrid setup.
3. Reboot your device. This is mandatory for the module to mount correctly and register its overlay services.

Step 3: Configuring Zygisk-Next and Shamiko

This is where many users falter. The configuration of these modules dictates the success of the integrity check.

1. Install Zygisk-Next: Download this from the Magisk Module Repository. This module replaces the internal Zygisk implementation with a more robust, updated version.
2. Install Shamiko: Download and install the Shamiko module. Shamiko requires Zygisk (or Zygisk-Next) to be active.
3. Shamiko Configuration: After installation, Shamiko does not have a UI. You configure it via a configuration file located at /data/adb/shamiko/config.toml (or similar, depending on the version).
   • Hide Magisk App: Ensure this is enabled if you are using the Magisk app, or hide the KernelSU app if supported.
   • Enforce DenyList: You must configure the “Enforce DenyList” (also known as the DenyList in KernelSU). This tells the system to unmount the module mounts for specific apps.
   • Target Apps: Add the following to your DenyList to test integrity:
     • Google Play Services
     • Google Play Store
     • Google Services Framework
     • Any banking app you use

Step 4: The Universal SafetyNet Fix (USNF) Module

Although Google deprecated SafetyNet in favor of the Play Integrity API, legacy checks still persist for some apps. The Universal SafetyNet Fix (USNF) module by Displax (or updated forks) is essential.

1. Download the latest USNF module compatible with Android 16 from the Magisk Module Repository.
2. Install the module.
3. Reboot.
4. This module spoofs the device fingerprint to that of a certified device (often a Pixel device), tricking the Play Integrity API into granting a passing grade.

Advanced KernelSU Next and SUSFS Tuning

If the basic installation does not yield a “green” status, we must look at advanced tuning. The “Nord CE 4 Lite” uses specific hardware (Snapdragon) which has unique security flags.

Managing System Props and Fingerprints

To pass Play Integrity on Android 16, you may need to manually inject a certified device fingerprint into your build.prop.

1. Use a file explorer with root access to navigate to /system/build.prop (or /vendor/build.prop).
2. Create a backup.
3. You can use a module like Systemless Hosts or a specific props module to inject the following lines (example only, you must find the active fingerprint for a device certified on Android 16, such as the latest Pixel):
   • ro.build.fingerprint=google/panther/panther:13/TP1A.221005.003/9113488:user/release-keys
   • ro.build.version.security_patch=2023-10-05
   • ro.product.model=Pixel 7
   • ro.product.brand=google
4. Note: Modifying /system/build.prop directly is risky. We recommend using a Magisk Module that systemlessly overlays these properties. Look for a “Props Config” module in the Magisk Module Repository.

Configuring SUSFS to Hide Specific Partitions

SUSFS is powerful because it allows you to hide specific partitions from integrity checks. The red flags often come from the /system, /vendor, and /boot partitions being read by the attestation service.

1. Locate the SUSFS configuration file (usually in /data/adb/susfs/susfs_config or managed via a GUI app if available).
2. You must ensure that the following paths are “cloned” or hidden:
   • /system
   • /vendor
   • /product
   • /odm
   • /boot
3. SUSFS creates a clone of these partitions in a tmpfs or overlayfs, presenting a “stock” view to the attestation service while the actual modified files remain hidden underneath.

Handling Magisk Delta or KernelSU Next Specifics

If you are using KernelSU Next specifically, you need to ensure that the root manager is not leaking information.

1. Randomize Package Name: If you have the option to randomize the package name of the KernelSU manager, do so. This prevents apps from looking for the specific com.topjohnwu.magisk or me.weishu.kernelsu package.
2. Hide Mount Points: Ensure that KernelSU Next’s mount points (usually in /debug_ramfs or /sys/kernel/debug) are not accessible. SUSFS should handle this, but verify that no debug logs are left in /data or /sdcard.

Troubleshooting Common Red Flags on Android 16

Android 16 (and OxygenOS 16) may introduce new security layers. If your integrity remains red after applying the above, consider the following:

Checking the “Trusted Boot” State

OnePlus devices often have a separate “Trusted Boot” chain. Even if the kernel is patched with KernelSU Next, if the vbmeta partition or the avb (Android Verified Boot) is not disabled or patched, the hardware attestation will fail.

1. Disable AVB (Android Verified Boot): This usually requires flashing a vbmeta image with verification disabled.
   • fastboot flash vbmeta vbmeta.img --disable-verity --disable-verification
2. Warning: This step is advanced and carries risk. Ensure you have a backup of your original partitions before proceeding.

The “Play Integrity API” vs. “SafetyNet”

We must distinguish between the two.

• SafetyNet: Deprecated, but still used by some legacy apps. Handled by USNF.
• Play Integrity API: The new standard. This requires the device to be certified and pass the “Basic Integrity” and “Device Integrity” checks.
  • If you see “MEETS_BASIC_INTEGRITY: RED” but “MEETS_DEVICE_INTEGRITY: GREEN”, this usually indicates a hardware mismatch or a broken keybox.
  • Fix: This often requires a valid key attestation chain. Some devices have hardware-backed keys that cannot be faked. However, SUSFS and props spoofing usually bypass this by making the device look like a standard Pixel, which allows basic integrity.

Ensuring Module Load Order

In KernelSU Next and Magisk, module load order matters.

1. Zygisk-Next should load early.
2. SUSFS should load after the core system is mounted.
3. USNF and Props modules should load before Zygisk if they modify system props, but usually after SUSFS. If you use the Magisk Module Repository, read the descriptions for specific load order instructions. Some modules have a “before” or “after” syntax in their module.prop file.

Step-by-Step Recovery for a “Green” Status

If your system is currently “all red,” follow this strict recovery plan. This assumes you have root access via KernelSU Next and a terminal app (like Termux) or file explorer.

1. Clean Slate Preparation:

   • Disable all Magisk/Zygisk modules except Zygisk-Next and SUSFS.
   • Reboot and check if the system is stable. If not, boot into recovery and remove modules manually.

2. Install Core Modules from Magisk Module Repository:

   • Zygisk-Next: Essential for module injection.
   • SUSFS: Essential for hiding modifications.
   • Universal SafetyNet Fix: Essential for basic SafetyNet.
   • Shamiko: Essential for hiding root (optional but recommended for banking apps).

3. Configure Shamiko/DenyList:

   • Open KernelSU Next -> Settings -> Configure DenyList.
   • Select “GMS” (Google Mobile Services), “Play Store,” and “Framework.”
   • This ensures that when these apps check for root, they see an unrooted environment.

4. Verify Props:

   • Download a terminal app.
   • Run getprop ro.build.fingerprint.
   • Ensure it matches a certified device. If not, install a Magisk Props Module from the repository to spoof it.

5. Reboot and Test:

   • Reboot the device fully.
   • Download Play Integrity API Checker or YASNAC (Yet Another SafetyNet Attestation Checker).
   • Run the check.
   • Success Criteria:
     • Basic Integrity: Green
     • Device Integrity: Green
     • Meets Strong Integrity: This is usually impossible on rooted devices without physical hardware modifications, but “Green” on Basic and Device is the goal.

Maintaining Integrity Long-Term

Achieving a green status is not a one-time fix. Updates to Google Play Services, the Play Store, and the Android OS itself can break these configurations.

Updating Modules Safely

1. Always check the Magisk Module Repository for updates to Zygisk-Next, Shamiko, and USNF.
2. Before updating a module, read the changelog. A minor update to Zygisk-Next might require a change in how Shamiko interacts with it.
3. Backup your working setup. Once you achieve green integrity, take a backup of your boot image and your module list. If an update breaks integrity, you can revert to the known working state.

Monitoring for Detection

If you use banking apps, they may update their detection methods. If an app suddenly stops working:

1. Check the DenyList configuration. Sometimes an update resets the list.
2. Verify that Zygisk-Next is still active.
3. Ensure that SUSFS is not experiencing a mount leak (check logs if possible).

Specific Considerations for Nord CE 4 Lite (OOS16)

The Nord CE 4 Lite is a mid-range device with specific firmware characteristics. OxygenOS 16 (based on Android 16) likely uses a dynamic partition scheme.

Dynamic Partitions and SUSFS

When dealing with dynamic partitions (system, vendor, product, odm), SUSFS must be configured to handle the overlay mounting correctly.

1. Ensure that your KernelSU Next kernel supports mounting overlays on dynamic partitions.
2. If you encounter bootloops after installing SUSFS, it is likely due to a conflict with the kernel’s fstab or mount flags. You may need to adjust the susfs_config to exclude certain mount points initially, then gradually add them back.

OxygenOS Specific Modifications

OnePlus often modifies the framework layer. If you are seeing red integrity specifically related to vendor or product:

1. Identify which partition contains the modified files. Use a root file explorer to look for files with recent modification dates in /vendor.
2. Add these specific paths to your SUSFS hide list.
3. You may need to use a tool like Systemless Magisk Hide (built into some modules) to mask these changes.

Advanced Troubleshooting: Log Analysis

If the steps above do not yield results, we must analyze the logs. This is the professional way to diagnose why integrity is failing.

1. Logcat: Use logcat in a terminal to view system logs.
   • Filter for PlayIntegrity, SafetyNet, or DroidGuard.
   • Look for errors like NO_MATCHING_DEVICE, TERMINATED, or BIND_ERROR.
   • These errors indicate that the fingerprint being presented does not match the device’s certified profile or that the attestation server is rejecting the connection.
2. KernelSU Logs: Check the KernelSU Next app for any kernel-level errors. If the kernel is unstable, the attestation service may crash, leading to a red flag.

Summary of Essential Modules for “Green” Status