Owners of Xiaomi, Redmi and POCO smartphones who experiment with superuser rights or custom firmware installation often face an unpleasant error: Google Play is notified that the device is not certified, and the system settings display the status of CTS Profile Match false. This means that your phoneβs software has not passed the integrity and compliance with Android compatibility standards.
The consequences of this status can be very tangible for everyday use of the gadget: banking applications such as Sberbank, Tinkoff or Mir Pay stop working, Google Pay services refuse to launch, and some streaming platforms reduce video quality to a minimum due to the lack of certification of the Widevine L1. Google Play Protect security marks the device as potentially vulnerable.
Fortunately, in most cases, this problem can be solved by software methods, returning the phone to the status of a certified device. You do not need to go back to the stock firmware and lock the bootloader if you want to save the Root rights. Below we will discuss in detail the verification mechanisms, causes of failures and current methods of correcting the situation for current versions of MIUI and HyperOS.
β οΈ Note: All manipulation of system files, bootloader and Root rights is at your own risk.Incorrect actions may lead to loss of warranty or inability to boot the system.
What is CTS Profile and Why Does It Become False?
CTS (Compatibility Test Suite) is a test set developed by Google to test devices for compliance with the requirements of the Android platform. When you see the inscription CTS Profile Match: false, it is a signal that the system has detected changes in critical memory areas or the software environment.
The main reason for resetting status on Xiaomi is often unlocked bootloader and superuser rights. Even if you just unlocked the bootloader to install global firmware, but did not get a Root right, Google may regard this as a violation of integrity. However, having Magisk installed or its counterparts almost guaranteed leads to a false flag, as it changes the system partition.
Another factor may be the installation of modified system applications or the use of specific modules that are embedded in the system. Google Play Services constantly scans the environment for known root managers and patches signatures. If there is interference with the system or vendor partitions, the check does not pass.
- π± Unlocked Bootloader is the primary trigger for running security checks.
- π Root (Magisk, KernelSU) rights without proper concealment settings.
- π Installation of custom recaveri (TWRP) or modified kernels.
- π¦ Using modules that change system files or imitate other devices.
It is important to understand that the status of the CTS Profile is directly related to SafetyNet (older versions of Android) or the Play Integrity API (newer ones). These are different but interrelated mechanisms. If one of them falls, the overall status of the device in the eyes of Google becomes questionable. On Xiaomi devices, the situation is aggravated by the presence of additional layers of MIUI protection, which can also conflict with attempts to circumvent checks.
Diagnosis: How to check the current status of the device
Before you start fixing, you need to determine exactly what checks your Xiaomi smartphone fails. Standard tools in the settings for this are not enough, so you will need to use specialized utilities, they will show a detailed report on the state of the security system.
The most popular and reliable tool is YASNAC (Yet Another SafetyNet Attestation Check), which is available on Google Play and allows you to quickly get a response from Google servers about the status of the device. Once you start the application, click Check SafetyNet Attestation. You will see two main parameters: Basic Integrity and CTS Profile Match.
If the CTS Profile Match is red and false, it means that the device has not passed the integrity check. Also, you should pay attention to the Basic Integrity item. If it is also false, then the situation is more serious, and many applications may not start at all. In new versions of Android (11, 12, 13, 14), the verification through the Play Integrity API, which can be seen in the Play Integrity API Checker application, is also relevant.
| Verification parameter | Norma status. | "Error" status. | Impact on work |
|---|---|---|---|
| CTS Profile Match | True (Green) | False (Red) | Blocking banks, NFC |
| Basic Integrity | True (Green) | False (Red) | The failure of Google Play |
| Hardware Backed | True | False | DRM quality reduction (HD/4K) |
| MEETS_DEVICE_INTEGRITY | True | False | Sharing access to Google services |
You can also use console commands via ADB (Android Debug Bridge) if you have drivers installed on your computer. the adb shell pm list packages will help you see the list of packages installed, but for a deep diagnosis SafetyNet better use graphical interfaces, which will avoid errors when reading logs.
π‘
Before you start any action, make a full backup of important data to your computer or the cloud. Resetting settings or firmware errors can lead to loss of information.
Using Magisk to bypass inspections
If your Xiaomi smartphone already has Root rights, it is likely that the Magisk manager is installed. This is the main tool for modifying the system without changing the systemless root.It is the built-in features of Magisk that hide the fact that the rights are from the verification applications. However, in the latest versions of Android and MIUI, standard inclusion of the Zygisk function may not be enough.
The first step is to activate Zygisk mode. Go to Magisk settings, find the Zygisk switch and turn it on. The phone needs to be rebooted. Zygisk allows you to embed Magisk code into the Zygote process, which is necessary for modern concealment modules to work. Without this step, further manipulation often makes no sense.
The second critical step is to set up the exception list. In Magisk settings (or through the module if you use the older version), find Configure DenyList. Click three dots in the corner and select Show System Apps. You need to find and tick all of the components of Google: Google Play Services, Google Play Store, Google Services Framework.
com.google.android.gms
com.android.vending
com.google.android.gsfAfter marking apps in DenyList, go back to the main settings menu of Magisk and turn on the Enforce DenyList option, which will cause Magisk to hide the Root and modifications from selected processes. In some cases, you also need to rename the Magisk application package through settings, since some banks detect the fact that the application is installed with the name "Magisk".
- π Enable Zygisk in Magisk settings and restart the device.
- π In DenyList, select all Google apps and banking services.
- π Activate Enforce DenyList switch to take effect.
- π Clear the data of the Google Play Services and Google Play Store.
β οΈ Note: Do not add the Magisk app itself to DenyList if you plan to manage it. Hide only targeted applications that require a clean environment.
Root: Shamiko Modules and Other Solutions
Magisk's standard tools are sometimes scarce, especially on Xiaomi devices with aggressive MIUI protection. Third-party modules come to the rescue. The most effective one at the moment is the Shamiko module. It is designed to enhance Zygisk's concealment features and allows you to bypass even complex detectors that standard DenyList does not see.
To install Shamiko download the current ZIP-The module file and install it through the Modules tab in the Magisk app. After installing and restarting, you will notice an important nuance: the Enforce DenyList switch in the Magisk settings should be turned off. Shamiko manages the exception list itself, but takes its configuration from the same DenyList. If you turn on Enforce DenyList in Magisk itself while Shamiko is active, the cover-up may stop working properly.
Another popular solution is the Universal SafetyNet Fix module (or its forks, since Matt Jongs' original project is no longer supported as it was), which replaces the device's prints with certified ones, giving your phone away after another, such as a tablet or a factory-certified phone, but using the props swapping on newer versions of Android (12+) can be risky and lead to conflicts.
What to do if Shamiko is not working?
There are also modules to hide specific applications, such as Momo Hide or various scripts for LSPosed. The LSPosed framework (replacement of Xposed) allows you to embed code into working applications. The Hide My Applist module allows you to hide the list of installed applications from suspicious programs. The banking application will not see the installed Magisk if you hide it from the list of visible programs.
Magisk + Zygisk + Shamiko + Hide My Applist is currently the gold standard for Xiaomi users. It provides maximum compatibility with banking software while maintaining all customization capabilities. However, remember that this is an arms race: detection methods are updated, and solutions must be up to date.
βοΈ Checklist of Root Hiding Settings
The problem of unlocked bootloader (Bootloader)
One of the main features of Xiaomiβs ecosystem is that it can officially unlock the bootloader. However, for Google, an unlocked bootloader is a sign that the integrity of the boot process is compromised. Even if you donβt get the Root right and use stock firmware, the status of the CTS Profile Match can remain false.
In Android 12 and later, Google has tightened the requirements. Now some applications may require not only a SafetyNet pass, but also a bootloader status check. If the device status is unlocked, access to the features may be limited. Unfortunately, software to "lock" the bootloader back without losing data and returning to the factory firmware is often impossible if you have already made changes.
There is a vbmeta (Android Verified Boot) patch technique that allows you to ignore signature verification when downloading, but this requires you to flash partitions through Fastboot.
fastboot --disable-verity --disable-verification flash vbmeta vbmeta.imgUsing such commands on Xiaomi requires extreme caution. vbmeta.img It can cause a cyclic bootloop, and it can also be used on global firmware versions. MIUI/HyperOS Unlocked bootloader can block camera operation (on some models) or functions NFC (Mi Pay, even if Google Pay works through workarounds.
- π Unlocking the bootloader changes the status of the device to "Unreliable".
- β οΈ Some banks can block the entrance on devices with unlocked bootloader.
- π Backup locking is only possible via the Mi Flash Tool with data clearing.
- π Quality of video streaming (Widevine) L1) may fall to L3 unlocked.
If you're not an advanced user, consider whether you need to unlock the bootloader if the main goal is to keep banking applications running smoothly. For most users, stock firmware without modifications is enough. But if modifications are needed, be prepared to configure workarounds all the time.
π‘
An unlocked bootloader is a fundamental change that Google sees as a security risk, and itβs extremely difficult to hide this fact completely without going back to the drain.
Alternative methods and work with KernalSU
With the development of Android, traditional Magisk (which works in user space) becomes less efficient. It is replaced by kernel-level solutions such as KernelSU. For Xiaomi owners, this is true if they use custom cores or custom cores. GSI-KernelSU provides better insulation and stealth, as it works in kernel space.
If you switched to KernelSU, the logic is similar to Magisk, but the tools are different: you need to install the Zygisk Next module (since there is no built-in Zygisk in KSU), and the SuList module allows you to choose which applications show the presence of Root and which ones hide it.
Another method that is sometimes used is to use GMS Flags or modify build.prop manually, but on modern versions of MIUI this practically does not work and can lead to instability. A more reliable way is to use modules for LSPosed, such as Shamiko (which is compatible with KSU) or specialized scripts to replace device fingerprints.
β οΈ Note: Using KernelSU requires kernel flashing or installation through Magisk (as a module), which carries risks. KSU, before installation.
Also worth mentioning is the possibility of using Island or Shelter, which are applications that create an isolated work profile, you can install banking applications in this profile, and since the work profile does not have access to the main Root rights by default, applications can work correctly. It's a crutch, but it often helps when other methods do not help.