Android Marshmallow, systemless root, and Android Pay

UDATE 2-25-2016: Google had patched this method at the beginning of the month but another user had discovered another way to keep this working. I’ve updated the steps below to reflect what you need to do.

While I’m experienced with Android, rooting, and working with modifications, the addition of SafetyNet, Google’s security system to verify the integrity of Android, threw me a curve ball. SafetyNet is what protects things such as Android Pay. If SafetyNet fails, Android Pay will not work. I won’t try to pretend to know everything about SafetyNet, how it works, and what sets it off because I don’t. Rather, I want to provide what I have learned so far in getting root to work with some light modifications on my Nexus 6 running Marshmallow and still be able to use Android Pay.

First of all, what I know so far, is that SafetyNet is meant to disable certain services if it detects certain files or folders to have been tampered with in the operating system, or system partition. At first, I thought nothing in the system partition could be touched. A Redditor informed me that this is not true. Some portions of the system actually can be modified. This is important because it means adding some modifications are still possible. This matters to me because I enjoy Viper4Android too much to sacrifice for Android Pay.

The downside is that the files required to achieve root access in Android do set off SafetyNet to disable Android Pay. Chainfire, an Android developer behind the current standard for controlling and achieving root access in Android, released what he’s dubbed “systemless root” which achieves root access without modifying the system partition. The timing of the release of systemless root along with Android Pay is coincidental and not directly related, but the systemless root does mean that Android Pay and root can co-exist — at least on Marshmallow.

As of writing this article, Chainfire has built his SuperSU package, the package that installs and establishes root, in a way that auto-detects whether to root using the traditional method or the systemless method. If it uses the traditional method, Android Pay will not work. There is no obvious way to force the systemless root method, but Chainfire has provided some commands that can be run to force this. Below I will lay out the steps to force systemless root in a way that preserves Android Pay functionality and comment a little bit about the kinds of modifications I have done without breaking Android Pay.

January 22nd, 2016: Because the Systemless Root method is in beta and changing often, please refer to the original Systemless SuperSU thread below and notice the date to the left regarding the age of this information. It is very likely that what I present below will become outdated and I am not promising to keep it current.

Systemless root with SuperSU original forum/thread – http://forum.xda-developers.com/apps/supersu/wip-android-6-0-marshmellow-t3219344

Before we begin applying the systemless root method, be sure you are no longer rooted. Some phones offer an unroot method, but installing the factory images will ensure all changes that would conflict with SafetyNet and any root method is gone. The following steps assume you are using a completely stock phone or tablet, are not rooted, and have not installed or made any modifications. Some knowledge of rooting, flashing, and making modifications are also assumed.

  1. Unlock your bootloader if it is not already unlocked
  2. Boot into the bootloader (usually by pressing and holding power+vol down) and install a custom recovery if you do not already have one. I recommend TWRP
  3. Boot into recovery
  4. Using TWRP recovery, tap on Advanced
  5. Tap on Terminal Command
  6. Type the following to force systemless root when you flash SuperSu (NOTE: there is a period after data/ and before supersu)
    echo SYSTEMLESS=true>>/data/.supersu
  7. Type the following to remove root files from the system partition, enabling Android Pay to work (Please note that this may break some root apps) (NOTE: there is a period after data/ and before supersu)
    echo BINDSYSTEMXBIN=false>>/data/.supersu
  8. Press back until you are at the home screen of TWRP
  9. Tap Install
  10. Install the appropriate systemless SuperSU zip from the forum linked above
  11. Reboot into System (normal boot)
  12. Verify that you have root with either Root Checker or your favorite root app
  13. Using your favorite Root File Browser, navigate to the /su/ folder in the root directory
  14. Tap and hold or use whichever method your file browser uses to edit the permissions of the /bin/ folder (should be looking at /su/bin/)
  15. Change the permissions from 755 to 751
  16. Reboot your phone
  17. Verify that Android Pay works by attempting to add a card or making a purchase

If you open Android Pay, try to add a card, and it does not prompt you with an error, everything should work. If you do receive an error which then closes Android Pay, then something went wrong. Either the original root method didn’t get removed, a modification included in your current ROM is conflicting (if you didn’t revert to stock), or a step was not performed correctly causing root to be installed the traditional way rather than the systemless way. You may also need to remove the xbin folder in the root path /su/xbin. It is possible the commands in steps 6 and 7 may not be correct. I will attempt to monitor comments/email regarding this and update as I find errors in my steps.

Once you have verified root and Android Pay is working, you should be able to start installing or making some modifications. I suggest making 1 change at a time, then testing both root and Android Pay again so that you may identify what breaks either function. Always make a backup as well as it is much easier to revert to a backup than attempting to start over.

The modifications I installed/made are:

  • Removed Google Play Movies and TV Shows, Google+, and Google Play Newsstand from the System Partition, re-installed them from the Play Store as normal apps
    • I did this to make room in the System Partition to make additional modifications. Without freeing this space, Viper4Android failed to isntall, build.prop changes failed to save, and AdAway failed to update the hosts.
    • Note that removing system apps (aka Bloat) did not affect Android Pay
  •  Viper4Android
    • I flashed a zip package that installed Viper4Android as a system app as well as other files associated with the modification
    • Busybox was required to install the Viper4Android driver. I used Busybox on Rails to isntall Busybox, then the Viper4Android driver. However, Busybox broke Android Pay, so I had to remove it once the driver was installed for Viper4Android. A symlink might solve this problem if you need to keep Busybox for other purposes
  • Build.prop tweaks
  • AdAway ad blocking
    • I changed the targeting in preferences to /data/data/hosts to preserve Android Pay functionality. Without this change, Android Pay breaks

If you have any questions or want to correct my information as I will admit may be inaccurate as I am working from memory and personal experience, feel free to comment or contact me. I may not stay current with SuperSY and the systemless root because it can change quickly, unexpectedly, and may cause for a complete rewrite of this guide, but I will attempt to correct my mistakes here as they are discovered. Thank you.

Comments are closed.