Rooting DJI CrystalSky in windows. v08 updated Apr 16 2019WARNING!
- “Note: DO NOT revert to an earlier firmware version after updating to v18.104.22.168. Otherwise, CrystalSky will malfunction and the user will be required to contact DJI After-Sales for support.” It has been reported, but not verified, that the current lord root does not work with v22.214.171.124.BIGGER WARNING!!!
- If you try to remove the factory GO Apps you stand a very good chance of rendering your CS inoperable. I've seen at least two occasions where the CS would not boot properly and users were unable to reflash the CS to factory settings. In both events the only fix was to send the CS back to DJI under warranty for repair.WARNING!
- If you have attempted to root your CS and install the play store using other methods STOP!!! Before you continue with this guide, do a factory reset and reinstall v02.06.06.00 firmware for your CS. I'm not responsible if you screw this up!
Howto: Rooting the DJI CrystalSky so you can install the google playstore and then any app you like.
This works on all versions up to and including V02.06.06.00
This guide and my rooting were done on Win7/64
The information in this howto was gathered through many sources on the internet.
No limit dronez http://www.nolimitdronez.com
<--- imagine that
DJI Retroroms Wiki https://dji.retroroms.info/
The good folks over at http://dji-rev.slack.com
Special thanks to Matioupi for all his help in rooting my CS!
Installing tools and gaining Root:
Make a directory/folder on your windows machine to work from(I used) C:\adb This is where you will put the android tools, win-bash, and the CS rooting scripts.
On a windows machine download all of the following tools and scripts to your C:\adb folder.
Download the Opcodeffm/csroot files.
Go to the github listed below and on the "Clone or Download" tab select download. (You may have to make a git hub account.)
Unzip the files to the folder you just made, in my example that is C:\adb folderhttps://github.com/Opcodeffm/csroot
Download and unzip win-bash to your C:\adb folder - select shell.w32-ix86.ziphttps://sourceforge.net/projects/win-bash/files/shell-complete/latest/
Download and unzip the Android Windows platfomtools to your C:\adb folder - select SDK Platform-Tools for Windowshttps://developer.android.com/studio/releases/platform-tools
Hook your CS to your PC with a USB cable. I used the side mico usb.
Start your bash terminal by running the start_shell.bat which is located in your C:\adb folder
This is a basic terminal and the prompt will look like bash$
Now it's time to start rooting the CrystalSky.
From your win-bash terminal, run the following commands. After each command I have listed what the output should look like. You will not see the ******** above and below the output. I just used those to separate the commands from the output.
(this triggers the script to connect to the CS and copy the exploit files)
checking if adb device is present
List of devices attached
copying files to device
tmp/: 11 files pushed. 6.8 MB/s (8348440 bytes in 1.173s)
(this will put in a command line on your CrystalSky)
(changes your working directory)
(runs the exploit to gain temporary root)
sh: ./patch_script.sh: not found
max_:3 min:10 i_ret:0x20
[+] Done target:dc0df1a0 overflowcheck:200000 map:12670 readv_error:0
[+] Done target:dc0df1a0 overflowcheck:deadbeef map:12735 readv_error:0
shellcode_root_self i_pid:1408 ppid:1402 i_thread_info:de9ba000 i_task:db2c5e80 i_cred:dcbfb180 i_init_sid:0
fwrite is count 1 ./kok
NOTE: it is possible that you will see error codes at the end of the " [+] Done " line. I've tested going on with the mkdevsh command and installing the play store and it works just fine.
(runs the script to install su binary and supersu.apk)
1|shell@zs600b:/data/local/tmp $ ./mkdevsh
2+0 records in
2+0 records out
2 bytes transferred in 0.001 secs (2000 bytes/sec)
4+0 records in
4+0 records out
4 bytes transferred in 0.001 secs (4000 bytes/sec)
12+0 records in
12+0 records out
12 bytes transferred in 0.001 secs (12000 bytes/sec)