
Howto: Rooting DJI Crystal Sky

7 months ago
#5187
droni wrote:
To install unauthorized .apks not signed by DJI, you need to first patch their
annoying installd which checks for whitelisted set of apps, even when you try
to adb install via root adb shell you still have to call the system installd.
Otherwise you will get an ERR_UNAUTHORIZED_APK message in logcat.
I don't know if this step was necessary on previous versions since this is the first
time I got the CS and wanted to make all the work done on the latest firmware.

I will soon upload a patched installd once I verify it doesn't cause instability or other issues. This will also eliminate the need for various "flashers" that are not
open source and unmaintained. Just click any apk from explorer and install it.
I haven't tested it with open-gapps (Google Play services) but Litchi works fine
with Mapbox.
The idea was to prevent any data leaks to DJI servers and any other third party - and there are lots, much more than expected when I saw the traffic logs. This was prevented by a local firewall rule only allowing and nothing else.

Also I won't be testing any NLD apks, NFZs, signal boosts etc since they are not compatible with my model (Matrice 200).

As for the regulatory domain hack (5GHz) - you don't actually need root, all you need is to connect the drone to a WiFi AP which has the country flag set to
the area you want. Then the system will update the /data/property/ file with the corresponding code from the access point and open the bands allowed for that specific country. OpenWRT router firmware allows that for example:

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option country 'US'
        option path 'pci0000:00/0000:00:00.0'
        option htmode 'VHT80'
        option doth '0'
        option txpower '20'
        option txpower_max '20'
        option band '5G'
        option disabled '0'
        option org_htmode 'VHT80'
        option noscan '0'

but that's a whole different topic.

Is it not possible to install the play store using the method I described in this guide on the v3.x firmware?
7 months ago
#5188
Do you mean using FlashFire and SuperSU? I don't know, for me it looks like an additional unnecessary step:

First of all, we want to avoid persistent root as it can be detectable by apps.
I didn't notice any behavior of DJI Go 4.3.16 and Pilot 1.7.0 on a rooted device,
but I didn't give it a very deep look. Didn't even decompile the bytecode of the stock apps, just made sure they work as before.

There are other DJI daemons that run as root and can detect (persistently) rooted device with 99% probability if they wish to do so.
These methods involve looking up several system properties that can only be changed when the device is rooted. If the values don't match an unrooted device it'll flag it as rooted. (Super)su and Busybox binaries are often present on rooted devices, so a simple file system check can detect it as well.
Some root handlers mount the /system partition as read-write, another way etc.

Losing the warranty or bricking is only one reason why we want to avoid it.
So SuperSU and other things you probably wouldn't care about on
an emulator are extremely important here.
The guide should be focused on gaining a temp root, installing the stuff (Gapps, apks, firewall rules that you need), rebooting and going to a clean state.
By clean I mean system-wise unrooted, with your stuff installed and working.
This part is totally missing from your guide for now.
People who want persistent root can go all the way further and install the
unstable garbage like SuperSU, but it shouldn't be a default for all.

Also we want to make sure it's future proof for any next updates, as it will
be less trivial for DJI and other apps to check for device modifications,
we can safely sideload/update any userspace app without worries.

Back to the original question, no - that method will not work since the original installd will check for the following manifests:
> dji.pilot.pad, com.DeviceTest,

In the patched installd, this check is zeroed out with 'a's:
<, aaa.aaaaaaaaaa, aaaaaaaaaa.aaaaaaa.aaaa.aaaa

Here are both files -

To patch, just replace /system/bin/installd with the patched one.
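The checks the post lists (property values that only change on a rooted build, su/busybox files, /system mounted read-write) written out as runnable detection logic. This is an added example, not code from the thread or from DJI's daemons: the page does not say which properties DJI actually inspects, so EXPECTED_PROPS and SU_PATHS are assumptions, and the getprop and /proc/mounts samples are constructed rather than captured from a CrystalSky.

```python
"""Root-indicator checks of the kind described in the post, run over
constructed sample data. Added example, not from the thread or from DJI."""
import re

# Assumption: stock values of a few well-known build properties. The post does
# not say which properties DJI's daemons look at; these are common choices.
EXPECTED_PROPS = {
    "ro.secure": "1",
    "ro.debuggable": "0",
    "ro.build.type": "user",
    "ro.build.tags": "release-keys",
}

# Paths left behind by typical su managers and busybox installs (assumption).
SU_PATHS = (
    "/system/bin/su",
    "/system/xbin/su",
    "/sbin/su",
    "/system/xbin/daemonsu",
    "/system/xbin/busybox",
    "/system/bin/busybox",
    "/system/app/SuperSU/SuperSU.apk",
)

# `getprop` prints one "[key]: [value]" pair per line.
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_getprop(text):
    """Turn `getprop` output into a dict."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def check_props(props):
    """Flag properties whose value differs from the expected stock value."""
    return [
        f"prop {key}={props[key]} (expected {expected})"
        for key, expected in EXPECTED_PROPS.items()
        if key in props and props[key] != expected
    ]


def check_su_files(existing_paths):
    """Flag su/busybox artefacts present on the filesystem."""
    present = set(existing_paths)
    return [f"file {p}" for p in SU_PATHS if p in present]


def check_system_rw(mounts_text):
    """Flag /system if /proc/mounts shows it mounted read-write."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/system" and "rw" in fields[3].split(","):
            return ["/system mounted rw"]
    return []


def root_indicators(getprop_text, mounts_text, existing_paths):
    """All indicators found; an empty list means nothing was detected."""
    return (check_props(parse_getprop(getprop_text))
            + check_su_files(existing_paths)
            + check_system_rw(mounts_text))


# --- constructed sample input (not captured from a real CrystalSky) ---
STOCK_GETPROP = """\
[ro.secure]: [1]
[ro.debuggable]: [0]
[ro.build.type]: [user]
[ro.build.tags]: [release-keys]
"""
STOCK_MOUNTS = "/dev/block/bootdevice/by-name/system /system ext4 ro,seclabel,relatime 0 0\n"
STOCK_FILES = ["/system/bin/installd", "/system/bin/sh"]

ROOTED_GETPROP = STOCK_GETPROP.replace("[ro.debuggable]: [0]", "[ro.debuggable]: [1]")
ROOTED_MOUNTS = STOCK_MOUNTS.replace(" ro,", " rw,")
ROOTED_FILES = STOCK_FILES + ["/system/xbin/su", "/system/xbin/busybox"]


def demo():
    """Run the checks over both samples; returns (stock_findings, rooted_findings)."""
    return (root_indicators(STOCK_GETPROP, STOCK_MOUNTS, STOCK_FILES),
            root_indicators(ROOTED_GETPROP, ROOTED_MOUNTS, ROOTED_FILES))


if __name__ == "__main__":
    for label, findings in zip(("stock", "rooted"), demo()):
        print(label, findings or "no indicators")
```

The point the post makes follows directly from the output: a temp-root session that installs its payload and reboots leaves all three checks clean, while a persistent SuperSU install trips every one of them.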
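The same-length string overwrite the post describes for installd (package names turned into runs of 'a', dots kept, so the file size and every other offset stay the same), as an added example. This is not the patched installd from the thread: the whitelist on the page is garbled and incomplete, so WHITELIST_STRINGS holds only the two names that are legible and is an assumption about the real set, and SAMPLE_BLOB is a constructed stand-in for the binary's string table rather than a real ELF. Two caveats a practitioner wants: if the real check is not a plain string compare this does nothing useful, and the replacement file must be pushed with the original's mode bits and SELinux label, which a plain copy does not guarantee.

```python
"""Same-length string patching of the kind the post describes for installd.
Added example, not the patched binary from the thread."""
import shutil

# Package names the post says the original installd checks for. The list on
# the page is garbled/incomplete; these two are an assumption about the real set.
WHITELIST_STRINGS = ("dji.pilot.pad", "com.DeviceTest")


def find_whole(buf, target):
    """Offsets of every whole C-string occurrence of target: preceded by a NUL
    (or start of file) and followed by a NUL. A longer name that merely ends in
    target is not a hit."""
    needle = target.encode() + b"\x00"
    hits, start = [], 0
    while True:
        idx = buf.find(needle, start)
        if idx < 0:
            return hits
        if idx == 0 or buf[idx - 1] == 0:
            hits.append(idx)
        start = idx + len(needle)


def mask(target, filler=b"a"):
    """Same-length replacement: every byte except '.' becomes filler, matching
    the 'aaa.aaaaaaaaaa' strings shown in the post."""
    return bytes(c if c == ord(".") else filler[0] for c in target.encode())


def patch_strings(blob, targets):
    """Return (patched_bytes, spans). Size never changes, so ELF headers,
    relocations and the other strings keep their offsets."""
    buf = bytearray(blob)
    spans = []
    for target in targets:
        for off in find_whole(buf, target):
            buf[off:off + len(target)] = mask(target)
            spans.append((off, len(target)))
    return bytes(buf), spans


def verify(original, patched, spans, targets):
    """Pre-push checks: same size, no whole target left, and no byte outside
    the patched spans differs from the original."""
    if len(original) != len(patched):
        return False
    if any(find_whole(patched, t) for t in targets):
        return False
    touched = {i for off, n in spans for i in range(off, off + n)}
    return all(patched[i] == original[i]
               for i in range(len(original)) if i not in touched)


def patch_file(src, dst, targets=WHITELIST_STRINGS):
    """Write a patched copy of src to dst, keeping the mode bits; returns the
    number of strings overwritten. Raises if verification fails."""
    with open(src, "rb") as f:
        original = f.read()
    patched, spans = patch_strings(original, targets)
    if not verify(original, patched, spans, targets):
        raise RuntimeError("patch verification failed")
    with open(dst, "wb") as f:
        f.write(patched)
    shutil.copymode(src, dst)
    return len(spans)


# Constructed stand-in for the binary's string table (a real installd is an
# ELF file, but the byte-level operation is identical).
SAMPLE_BLOB = (
    b"\x7fELF" + b"\x00" * 12
    + b"dji.pilot.pad\x00"
    + b"com.DeviceTest\x00"
    + b"ERR_UNAUTHORIZED_APK\x00"
    + b"notdji.pilot.pad\x00"   # suffix match only: must survive untouched
    + b"dji.pilot.pad\x00"      # second whole occurrence: must be patched
)


def demo():
    """Patch the sample and return (patched, spans, verification_ok)."""
    patched, spans = patch_strings(SAMPLE_BLOB, WHITELIST_STRINGS)
    return patched, spans, verify(SAMPLE_BLOB, patched, spans, WHITELIST_STRINGS)


if __name__ == "__main__":
    patched, spans, ok = demo()
    print(len(spans), "strings patched, verified:", ok)
    print(patched)
```

Keeping the file length fixed is what makes a string-level patch safe on a stripped native binary: a shorter or longer replacement would shift every offset after it. Note that once the whitelist check is gone installd accepts any .apk, which is the intent here but also means nothing on the device checks who signed what you sideload.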
7 months ago
#5190
Then I would suggest you make a new thread dedicated to your method of rooting and patching the new firmware. I'd rather not field question about it here.

As far as the methods used in this guide they all work fine with no issues.
7 months ago
#5194
Got the root from under Windows10 on v3.0.2.0.
7 months ago
#5197
CantRepeat wrote:
Rooting DJI CrystalSky in Windows. v08 updated Apr 16 2019

WARNING! -  “Note: DO NOT revert to an earlier firmware version after updating to v3.0.2.0. Otherwise, CrystalSky will malfunction and the user will be required to contact DJI After-Sales for support.” It has been reported, but not verified, that the current lord root does not work with v3.0.2.0.

BIGGER WARNING!!! - If you try to remove the factory GO Apps you stand a very good chance of rendering your CS inoperable.  I've seen at least two occasions where the CS would not boot properly and users were unable to reflash the CS to factory settings. In both events the only fix was to send the CS back to DJI under warranty for repair.

WARNING! - If you have attempted to root your CS and install the play store using other methods STOP!!! Before you continue with this guide, do a factory reset and reinstall v02.06.06.00 firmware for your CS. I'm not responsible if you screw this up!

Howto: Rooting the DJI CrystalSky so you can install the google playstore and then any app you like.

This works on all versions up to and including V02.06.06.00

This guide and my rooting were done on Win7/64

The information in this howto was gathered through many sources on the internet.

No limit dronez  <--- imagine that
DJI Retroroms Wiki
The good folks over at - #crystalsky_rooting
Special thanks to Matioupi for all his help in rooting my CS!

Installing tools and gaining Root:
Make a directory/folder on your Windows machine to work from (I used C:\adb). This is where you will put the Android tools, win-bash, and the CS rooting scripts.

On a windows machine download all of the following tools and scripts to your C:\adb folder.

Download the Opcodeffm/csroot files.

Go to the GitHub repository listed below and on the "Clone or Download" tab select download. (You may have to make a GitHub account.)
Unzip the files to the folder you just made, in my example that is C:\adb folder

Download and unzip win-bash to your C:\adb folder - select

Download and unzip the Android Windows platform-tools to your C:\adb folder - select SDK Platform-Tools for Windows

Hook your CS to your PC with a USB cable. I used the side micro USB.

Start your bash terminal by running the start_shell.bat which is located in your C:\adb folder

This is a basic terminal and the prompt will look like bash$

Now it's time to start rooting the CrystalSky.

From your win-bash terminal, run the following commands. After each command I have listed what the output should look like. You will not see the ******** above and below the output. I just used those to separate the commands from the output.



  (this triggers the script to connect to the CS and copy the exploit files)
  bash$ ./
  checking if adb device is present
  List of devices attached
  1234567890  device

  copying files to device
  tmp/: 11 files pushed. 6.8 MB/s (8348440 bytes in 1.173s)


  adb shell

   (this will put in a command line on your CrystalSky)
   shell@zs600b:/ $

  cd data/local/tmp

  (changes your working directory)
  shell@zs600b:/data/local/tmp $



  (runs the exploit to gain temporary root)
  sh: ./ not found
  max_:3 min:10 i_ret:0x20

    [+] Done target:dc0df1a0 overflowcheck:200000 map:12670 readv_error:0
    [+] Done target:dc0df1a0 overflowcheck:deadbeef map:12735 readv_error:0
  get_selinux_state -
  - 0
  shellcode_root_self i_pid:1408 ppid:1402 i_thread_info:de9ba000 i_task:db2c5e80 i_cred:dcbfb180 i_init_sid:0
  fwrite is count 1 ./kok
  shell@zs600b:/data/local/tmp $

NOTE: it is possible that you will see error codes at the end of the " [+] Done " line. I've tested going on with the mkdevsh command and installing the play store and it works just fine.



  (runs the script to install su binary and supersu.apk)
  1|shell@zs600b:/data/local/tmp $ ./mkdevsh
  2+0 records in
  2+0 records out
  2 bytes transferred in 0.001 secs (2000 bytes/sec)
  4+0 records in
  4+0 records out
  4 bytes transferred in 0.001 secs (4000 bytes/sec)
  12+0 records in
  12+0 records out
  12 bytes transferred in 0.001 secs (12000 bytes/sec)
  root@zs600b:/data/local/tmp #
7 months ago
#5206
Denis wrote:
Got the root from under Windows10 on v3.00.02.00.

Hi there,

Managed to get root too from under Windows10 on v3.00.02.00.
Used the old files I downloaded to get root on the Crystalsky running v2.x

I do have a problem though with FlashFire v0.73 not willing to run.
When fired up, it will properly ask for root permission, then run some internal routines and force close somewhere on Checking for Pro...

Never had a FlashFire Pro version. Tried downloading again from other sites as well, but all keep force closing.

Has anybody any clue as to how to solve this issue?

***EDIT 1***
Managed to overcome the issue by downloading the light version from here:

Next problem I now face is that I cannot flash the newly downloaded Gapps ARM 5.1 pico for some reason. :(
Downloaded that package from official site:

And yes, I did download the correct version as I have Android v5.1.1 running.

This is kind of sad as it was the whole reason I tried to upgrade the old playstore v17.4.28-all because it apparently doesn't run under firmware v3.00.02.00 anymore. (Yeah, tried clearing cache and data from Play store app too)

***EDIT 2***
Seems the problem of not being able to flash Gapps resides with the FlashFire app I installed.

***EDIT 3***
Still trying.
Seems like the problem of Playstore not working anymore might be that after the firmware update, there is no device ID for Google servers to be found on the device as the directory /data/data/ is nowhere to be found...

I suppose that would get installed when flashing Gapps, but the flashing tool from Chainfire won't work any more...

Hope anyone else did manage and is willing to share howto.

It worked out.
Read 2 posts below :)

7 months ago
#5208
Yeah, figured as much.

Here's the thought. Don't install the new firmware if you want to root and install the google play store.
7 months ago
#5209
CantRepeat wrote:
Yeah, figured as much.

Here's the thought. Don't install the new firmware if you want to root and install the google play store.

Well here you go.

I managed to get Gapps and all working!

Finally a simple factory reset and reinstalling FlashFire and then flashing Gapps did the trick.

Now over to the second Crystalsky :D

7 months ago
#5210
My wrote:

Now over to the second Crystalsky :D


Hi y'all,

Second CS upgraded to firmware
Factory reset.
Rooted as per OP.
Installed FlashFire.
Flashed latest Gapps.

All working flawlessly.

6 months ago
#5229
Thank you so much for the guide.