This doc describes the way that the Osaifu-Keitai feature is disabled on non-Japanese Google Pixel SKUs and gives solutions on how to overcome this artificial limitation in order to enable it.
(TLDR: Need ROOT to modify MID/FeliCa configuration file or a system app.)
The only real limiting factor for Osaifu-Keitai support is a requirement for one of the following to be present on a device:
- Dedicated Mobile FeliCa chip or NFC SWP support for FeliCa SIM
FelicaRf
(original, old implementation); - Global Platform based Secure Element with FeliCa applet
FelicaGp
(new implementation).
Google Pixel series starting from 4 and 6 have the required FeliCa applet provisioned into the Secure Element (SE) from the factory regardless of target region. As for other models, they have to be verified separately.
To verify that your device is supported, download the Osaifu-Keitai app com.felicanetworks.mfm.main
and try opening it. If you're on a non-Japanese/unsupported model, you'll be met with one of the following errors:
This phone doesn't support Osaifu-Keitai function. Close this application
:
This error means that the Osaifu-Keitai configuration file has not been found in a system. In this case there is very little chance to enable support, as the device most probably lacks required hardware capabilities. The only extra thing to try in this case is installing JP ROM that may have the config, but it wouldn't help if an applet is missing too.This app contains configuration files for services in Japan and has no menu items
:
This is the error that should give you hope, as it means that your device has required applet and configuration files, but configuration informs the app that it should not allow you in.
After decompiling the APK and inspecting the code, we see that this app does following operations that lead to this error:
-
Upon start,
isFelicaSupported
method looks for a file at system paths:/product/etc/felica/common.cfg
;/vendor/etc/felica/common.cfg
;/system/etc/felica/common.cfg
.
If no file is found. App returns error 1):
-
If a file is found,
innerLoad
method reads all entries/keys inside of it and saves them into a hash map . We are interested in following entries:00000018
00000015
00000014
-
On UI initialization, application calls
isCheckInbound
method, which then does the following:
a) If key00000018
is available, it checks if its value is1
for success;
b) If keys00000015
and00000014
are missing too, returns success (thanks to @palBazzi for pointing this out);
c) Otherwise, it retrieves ContentProvider URL from key00000014
and column index00000015
. Application queries the provider, if it returns1
result is considered a success.
If any check returns a failure, app returns error 2).
- This is the moment Pixel users are being screwed.
The provider in case of Google Pixel has URL:
content://com.google.android.pixelnfc.provider.DeviceInfoContentProvider/isJapanSku
, which corresponds tocom.google.android.pixelnfc
application.
Inside the source code we see that this app retreives SKU from system build props and checks if it is in a whitelist using theisDeviceJapanSku
method, returning1
if it is and0
otherwise to the application that queries the provider.
In conclusion, this app actually makes your device worse. It's not responsible for proper NFC operation in any way, unlike what the name may lead people to think. Its only purpose is to tell Osaifu-Keitai app if it should or shouldn't let you in.
TLDR: no proven methods without ROOT.
No known working ROOT-less methods.
Following list is provided for reference and to give a possible starting point for people who might want to dig further:
- Manipulate
com.google.android.pixelnfc
:
(Failure) System apps are well-protected against manipulation.- Uninstall this app:
(Failure) It is a system application and thus cannot be uninstalled. - Install your own app with same provider URL:
(Failure) You cannot install a new application that declares a provider with conflicting URL until you uninstall an old one. - Decompile and patch the apk, adding your SKU to whitelist:
(Failure) Not possible as Android requires app overwrites/updates to have the same signature.
- Uninstall this app:
- Manipulate
com.felicanetworks.mfm.main
:
(Theory) This might be possible to do without root, but I did not attempt to finish it to the end as it proved to be too complex lacking any experience with Android development.
Thing is,com.felicanetworks.mfm.main
communicates with,com.felicanetworks.mfc
(Mobile FeliCa client),com.felicanetworks.mfs
(Mobile FeliCa settings),com.google.android.gms.pay.sidecar
(Google Play services for payments) which all do mutual signature verification, thus requiring you to patch ALL of those apps for them to work, replacing signatures and fixing API access due to signature changes.
As rootless solutions have led us to a dead end, we're gonna join the dark side.
TLDR: ROOT-based solutions work.
Warning
Following solutions should ONLY be attempted if you know what you are doing as it is possible to PERMANENTLY render your device unusable.
I assume no responsibility for your actions in case you go forward and encounter an issue.
Warning
This section consciously does not provide a detailed step-by-step guide to discourage people lacking enough understanding from trying and breaking their devices.
If someone creates a full-fledged tutorial, links and references to them will be added here.
Let's look at root-based solutions, some of which were tested and work:
-
(Success) It is possible to permamently modify the model ID (aka MID) of Google Pixel devices using custom recovery or Root+ Magisk so that they pass the check.
For more details, read this forum topic at XDA.
This solution has following upsides:- It does not require keeping ROOT, so no SafetyNet cat and mouse and you can get OTA;
- Easy to reproduce by following tips presented in source thread.
But there are also downsides:
- You get shutter sound and that some cellular bands used in your region might be disabled for JP.
- Modifying MID is not a safe operation, with an even increased risk of bricking a device if something goes wrong in comparison to ROOT;
- Currently available MID patcher script contains big binary data blobs (which are probably just blocks of model-specific configuration data) and pieces of undocumented code inside of
update-binary
file.
I lack required expertise to fully assess safety and correctness of that script, so the only assurance in this case is the high forum reputation of its creator.
There are no implications it's malicious, but if you're uncomfortable with this fact, it's advised to look at the other two solutions. (This is the reason why I did the other ones, personally).
-
(Success) Creating a magisk module that modifies FeliCa configuration file:
- (Success) With the
00000018
key set to1
, while keys00000015
and00000014
have to be removed fully; - (Theory) With keys
00000015
and00000014
pointing to the provider created by your own app. Harder than 1).
This solution has following upsides:
- Safer to try around;
- .1) can be done without programming experience.
And following downsides:
- Requires keeping ROOT for retaining access to the Osaifu-Keitai app. Need to play the SafetyNet survival horror game in order to keep access to Google Wallet.
- (Success) With the
-
(Success) By meddling with the
com.google.android.pixelnfc
application:- (Success) Via an Xposed module that patches
com.google.android.pixelnfc
, using a following piece of code (thanks to @yjwong for finding this out):private void hookPixelNFC(final LoadPackageParam lpparam) { findAndHookMethod( "com.google.android.pixelnfc.provider.DeviceInfoContentProvider", lpparam.classLoader, "isDeviceJapanSku", String.class, new XC_MethodReplacement() { @Override protected Object replaceHookedMethod(MethodHookParam param) throws Throwable { return true; } } ); }
- (Success) By removing the original
com.google.android.pixelnfc
apk and uploading a patched one that returns successful check on every request. As MSM does not check its signature (cause as of now there is no way for it to do so) everything works from the get go.
This is the way i've done it (proof in the GIFs at the beginning of this page). This solution has the same upsides and downsides as 2), although more complex to replicate.
- (Success) Via an Xposed module that patches
Both solution 2) and 3) were proven to work by many independent user reports. For links to concrete tools and testimonies, visit the tools section;
If you go with 2) or 3), you should know the following tips:
- If you want to initialize Osaifu-Keitai with Google Wallet, you have to install Universal SafetyNet Fix in order to pass SafetyNet. For me it did the job from the get go;
- To verify successful SafetyNet attestation, you can use the YASNAC. It should return PASS;
- To delete a system app, you can use De-Bloater. Reboot the system after removing the patch;
- To unpack and pack apk into modifiable SMALI form, use apktool;
- To verify that your SMALI modifications did not break the code, you can decompile the app into java source code using jadx and check that the modified code has no errors; Be aware that this decompilation is lossy and cannot be used for patching;
- To sideload required apps to your device in case they aren't available on Play Store, use APKMirror or APKPure. Beware most APK upload sites allow user contributions, so be careful when selecting which app to download as protections are not failproof.
Best alternative to those sites is Aurora Store, which allows to spoof any device/client/region in order to download required app directly from Google's servers. Beware that Google isn't really happy about it as it breaks their TOS, so you might encounter problems using it. Moreover, don't not use your personal account with it; - Some Osaifu-Keitai partner apps are geoblocked, I had to use multiple VPNs before it let me provision some services;
- Some apps detect root by trying to invoke Magisk. In this case you have to hide Magisk and add the problematic app into the denylist;
- If you plan on unrooting, DO NOT lock the bootloader before verifying that an unrooted install is bootable. You can use recovery if direct factory image flashing does not work;
- When following tutorials, watch/read the tutorial FIRST before going forward with its steps. Rewatch/Reread multiple times, and follow the tutorial closely in order not to skip an important step.
In order to enable Japanese Google Wallet UI, you have to install com.felicanetworks.mfc
and turn on Japanese VPN. After a couple of minutes the wallet app should go into "Updating" state, in a couple of minutes after that it will start up with a new Japanese UI.
Be aware that for Osaifu-Keitai functionality to work with Google Wallet, you have to install all following applications:
com.felicanetworks.mfm.main
com.felicanetworks.mfc
com.felicanetworks.mfs
com.google.android.gms.pay.sidecar
If you unroot/reinstall the system after provisioning the services, they'll continue to be available because the Osaifu-Keitai applet (Unlike CarKey applet and etc) is not cleared upon system reset. So the device will continue to act as a super-card with all provisioned services.
If you reinstall all applications related to Osaifu-Keitai after returning to stock, while the Osaifu-Keitai app itself won't work, other applications will continue to operate. This includes:
- Google Wallet;
- Pasmo, Suica;
- Rakuten, Nanaco, Waon.
I have not tested if the full functionality is available (topup/new service creation), but those apps at least open and allow to look at provisioned service info.
This section contains comments and thoughts that appeared when researching this topic:
-
This document was created in order to shed light on feature lock out and try to give some pointers to the people that want to try and overcome this limitation.
-
There is no way to be fully sure why Google decided to lock global users out of using this feature.
In my opinion, the following explanations, even with some overlap, could be valid:- Google does not want to commit enabling Osaifu-Keitai for global markets where this feature is not required, allowing them to switch up chip/hardware suppliers in the future models without actually "taking back" any functionality from users.
- Google may not want to promote "closed" Osaifu-Keitai solution, trying to push FeliCa networks into implementing/allowing support via Android Ready SE Alliance, which could be beneficial as it would give Google more control in terms of software and UX, similarly to the way it was done by Apple;
- Google did not pay licensing fees for non-Japanese models, even though all chips come preconfigured, so they are obliged by contractual obligations to attempt to lock unlicensed devices out;
- Lack of proper communication between development teams who are/were unaware of this capability in global models.
-
Android implementation is worse in comparison to the one Apple has:
- Google Wallet app wraps external apps instead of implementing all functionality on its own.
- System does not display active SE/FeliCa-related interactions in any meaningful way (animation, sound, vibration), some apps add a button for manual state refresh as the system does not guarantee state synchronization, and the only way to know that something had happened with your service is with a notification that comes after the transaction.
It is either a manifestation of barebones software implementation on the OS side, or a limitation imposed by a CRS/FeliCa-specific applet. - Provisioned "systems" share? same logical space, therefore having multiple services with overlapping service and system codes is not possible, user has to reconfigure 'move to/from mainland' on the applet each time he wants to enable one of the conflicting systems.
-
Japanese UI of google wallet is better than global one. Displaying payment cards vertically instead of in a horizontal carousel is not only more space-efficient, but also better in terms of UX as opening a credit card "tile" to pay with a particular card requires more intention from the end user, thus preventing payment with a wrong card due to accidental horizontal swipe.
-
During the tests i've found out that CarKey applet does not work on rooted system as it requires hardware-backed SafetyNet attestation before configuration, which cannot be achieved with root. It signals the end of time for SafetyNet bypass, as in the near future more devs will start mandating the hardware-based check in their apps, thus making root-based bypass irreversibly unusable.
- If you have any information to add, found an issue/typo, feel free to raise an Issue or create a PR;
- At this moment I'm unable to create a comprehensive step-by-step tutorial on how to reproduce my findings. I think that it's better not to publish one at all rather than doing an incomplete/untested/messed up one, thus luring regular users into a situation where their device may become inoperable due to a mistake made by me.
If a full-fledged text-based tutorial or video comes around, I'll surely add a link to it. Meanwhile, assume all info provided in this repository is intended for experienced users only; - In case you've been able to re-create the provided steps, feel free to report your success and findings through the proccess;
- Resources directory contains code snippets of the apps related to Osaifu-Keitai functionality lock-out.
Creator / Reporter | Method | Confirmed models | Tool or proof |
---|---|---|---|
(many) | 1) via Magisk | Pixel 6, Pixel 7 | https://xdaforums.com/t/converting-japanese-pixel-6-to-global-version.4365275/ |
@jjyao88 | 2) via Magisk | Pixel 4, Pixel 8 | https://github.com/jjyao88/unlock-felica-pixel |
@starks | 2) via Magisk | Pixel 7, Pixel 8 | https://github.com/starks/PixelFeliCaMod |
@yjwong | 3) via Xposed | Pixel 6 | #3 |
@Gliese129 | 3) via Manual | Pixel 6 | #2 |
@kormax | 3) via Manual | Pixel 7 | https://github.com/kormax/osaifu-keitai-google-pixel |
There's no indication that any of the methods shouldn't work any pixel model, but for safety they'll be added only if there's a direct confirmation for each model combo.
- Useful links:
- Converting Japanese Google Pixel to Global version - information from this thread can be used to do everything in reverse;
- Android Ready SE Alliance.
- Secure Element, FeliCa info:
- Tools or websites to download APK files with:
- Aurora Store - best solution for downloading fresh and secure APKs that are not allowed for your region and/or device model.
Violates Google's TOS, strongly advised not to use personal Google account with it, instead try anonymous mode or a throwaway account; - APKMirror;
- APKPure.
- Aurora Store - best solution for downloading fresh and secure APKs that are not allowed for your region and/or device model.
- Tools and applications:
- Analysed applications: