Ваша корзина пуста.
15 сентября 2019 г. 12:59:22

Howto: Rooting DJI Crystal Sky

11 months ago
#116 Цитировать
Rooting DJI CrystalSky in windows. v08 updated Apr 16 2019



BIGGER WARNING!!! - If you try to remove the factory GO Apps you stand a very good chance of rendering your CS inoperable.  I've seen at least two occasions where the CS would not boot properly and users were unable to reflash the CS to factory settings. In both events the only fix was to send the CS back to DJI under warranty for repair.

WARNING! - If you have attempted to root your CS and install the play store using other methods STOP!!! Before you continue with this guide, do a factory reset and reinstall v02.06.06.00 firmware for your CS. I'm not responsible if you screw this up!

Howto: Rooting the DJI CrystalSky so you can install the google playstore and then any app you like.

This works on all versions up to and including V02.06.06.00

This guide and my rooting were done on Win7/64

The information in this howto was gathered through many sources on the internet.

No limit dronez http://www.nolimitdronez.com  <--- imagine that
DJI Retroroms Wiki https://dji.retroroms.info/
The good folks over at http://dji-rev.slack.com - #crystalsky_rooting
Special thanks to Matioupi for all his help in rooting my CS!



Installing tools and gaining Root:
----------------------------------
Make a directory/folder on your windows machine to work from(I used) C:\adb This is where you will put the android tools, win-bash, and the CS rooting scripts.

On a windows machine download all of the following tools and scripts to your C:\adb folder.

Download the Opcodeffm/csroot files.

Go to the github listed below and on the "Clone or Download" tab select download. (You may have to make a git hub account.)
Unzip the files to the folder you just made, in my example that is C:\adb folder

https://github.com/Opcodeffm/csroot

Download and unzip win-bash to your C:\adb folder - select shell.w32-ix86.zip

https://sourceforge.net/projects/win-bash/files/shell-complete/latest/

Download and unzip the Android Windows platfomtools to your C:\adb folder - select SDK Platform-Tools for Windows

https://developer.android.com/studio/releases/platform-tools



Hook your CS to your PC with a USB cable. I used the side mico usb.

Start your bash terminal by running the start_shell.bat which is located in your C:\adb folder

This is a basic terminal and the prompt will look like bash$



Now it's time to start rooting the CrystalSky.

From your win-bash terminal, run the following commands. After each command I have listed what the output should look like. You will not see the ******** above and below the output. I just used those to separate the commands from the output.

  

  ./copy.sh
  

  
  (this triggers the script to connect to the CS and copy the exploit files)
  ***********
  bash$ ./copy.sh
  checking if adb device is present
  List of devices attached
  1234567890  device

  copying files to device
  tmp/: 11 files pushed. 6.8 MB/s (8348440 bytes in 1.173s)
  bash$
  ***********

  

  adb shell
  

  
   (this will put in a command line on your CrystalSky)
   ***********
   shell@zs600b:/ $
   ***********
  
  

  cd data/local/tmp
  

  
  (changes your working directory)
  ***********
  shell@zs600b:/data/local/tmp $
  ***********

  

  ./lordroot
  

  
  (runs the exploit to gain temporary root)
  ***********
  sh: ./patch_script.sh: not found
  max_:3 min:10 i_ret:0x20

  F_SETPIPE_SZ 407
    [+] Done target:dc0df1a0 overflowcheck:200000 map:12670 readv_error:0
    [+] Done target:dc0df1a0 overflowcheck:deadbeef map:12735 readv_error:0
  get_selinux_state -
  - 0
  shellcode_root_self i_pid:1408 ppid:1402 i_thread_info:de9ba000 i_task:db2c5e80 i_cred:dcbfb180 i_init_sid:0
  fwrite is count 1 ./kok
  shell@zs600b:/data/local/tmp $
  ***********

NOTE: it is possible that you will see error codes at the end of the " [+] Done " line. I've tested going on with the mkdevsh command and installing the play store and it works just fine.

  

  ./mkdevsh
  

  
  (runs the script to install su binary and supersu.apk)
  **********
  1|shell@zs600b:/data/local/tmp $ ./mkdevsh
  2+0 records in
  2+0 records out
  2 bytes transferred in 0.001 secs (2000 bytes/sec)
  4+0 records in
  4+0 records out
  4 bytes transferred in 0.001 secs (4000 bytes/sec)
  12+0 records in
  12+0 records out
  12 bytes transferred in 0.001 secs (12000 bytes/sec)
  root@zs600b:/data/local/tmp #
  ***********
0
11 months ago
#117 Цитировать
continued -

Reboot your CS and once at the main DJI launcher continue

If you have not done so turn on your wifi and connect to the internet so SuperSU can update.

In the main apps on your CS you now have SuperSU (SU), run SU(double tap), this is where you'll give Super User access to your apps. Most times when an app needs root you will get a popup from SU. You can now close SU.

At the SuperSU menu select new user and when ask select normal method of update.

Now that you have root on your CS I want to make a very strong suggestion. Wait make that an order.

First things first! You now have root access on your CS so you need to make a back of the system by making a system.img file.  Go to the link below and just do it!!

https://nolimitdronez.com/boards/topic/266/howto-backing-up-your-dji-crystal-sky-system-image


Installing google play store and framework

Once root is gained from the previous steps, you need a flashing tool and the needed zip which contains the Play Store, Framework etc.


Download flashfire

Flashfire - there are newer versions of flashfire then the link below but this is what I used.

https://www.apkmirror.com/apk/chainfire/flashfire/flashfire-0-71-release/root-flashfire-0-71-android-apk-download/


Down load Google Playstore/framework(ARM) - pay very close attention to the version you download, if you get the wrong one you could brick your CS!!!******

Open this link and then read below this link to understand which package you are getting.

http://opengapps.org/


Look at the webpage, there are three columns named, PLATFORM, ANDROID, and VARIANT. Look below each column and select the correct choice. For CrystalSky it is the following. DON'T MESS THIS UP!!!

Choose
Platform: “ARM”
Android: “5.1”
Variant: “pico” (really take care choosing the right version)

Here is a pic of the correct selection!  

You should have file named open_gapps-arm-5.1-pico-xxxxxxx.zip   where the xxxxxxx is the date you downloaded the file. For me that was open_gapps-arm-5.1-pico-20180912.zip and yours will have a different date.

Now copy both eu.chainfire.flash_0.71-710_minAPI17(armeabi-v7a,x86)(nodpi)_apkmirror.com.apk AND open_gapps-arm-5.1-pico-20180912.zip to a micro sd card and put it in sd card1 slot on your CS.

Installing flashfire and playstore.


- From the main boot menu on the CS open the explorer and select SD Card 1
- Locate the chainfire file and open it.
- Give flashfire su, if asked (should be asked)
- In flashfire, tap the “+” sign on the right hand corner.
- Choose “Flash ZIP or OTA”
- Tap on top of the filebrowser to change to “Filesystem root”
- Navigate to “mnt/external_sd1”
- Choose your zip file
- Leave “Auto-mount” and “Mount/system read/write” unchecked
- Hit the checkmark and there you go

After several reboots, you will be greeted with the setup assistant. Step through it, make your desired settings and that should be it.


This has been tested on an CrystalSky 5.5 and 7.85, System Version up to 2.06.06.00

Once installed, you will be required to self register the CS as an uncertified Android device. This way you can install apps. You can do this by following the next set of steps below.


Retrieve your android device ID and register your device with Google:
----------------------------------

You need to get the android_id for your Crystalsky to register it with google so you can download and install apps from the playstore.

There are several ways to retrieve your android device ID. This is the method I prefer.

We are going to pull the gservers.db to your PC and then read the android device ID from it.

Open an bash terminal in your adb folder using start_shell.bat and then a root shell.


adb devices
adb shell
su
cd /
cp /data/data/com.google.android.gsf/databases/gservices.db /mnt/internal_sd/Download/gservicesNEW1.db
exit
exit
adb pull /mnt/internal_sd/Download/gservicesNEW1.db
sqlite3 gservicesNEW1.db
select * from main where name = 'android_id';


You'll get a line that looks this.

android_id|4410XXXXXX78871773XXX

Open this link in a web browser with your Google Account and logged in. Note: This doesn't have to happen on your CS.

https://www.google.com/android/uncertified/

Register your CS by typing or copy and paste your android_id and click the register button.

Wait a few minutes (this can take upwards of 10 minutes or longer if the servers are busy) for the device to be authorized on Google servers.
0
11 months ago
#118 Цитировать
continued -

Now you should be able to open the PlayStore on your CS and install any app you like from there.

I use apk installer to install the NLD GO4 app after I've patch it in the NLD program.

https://play.google.com/store/apps/details?id=com.apkinstaller.ApkInstaller&hl=en_US



If you are going to run NLD apk app on your CS here are some specifics for that.
--------------

With firmware 2.06.03.00 and 2.06.06.00 of crystal sky (5.5 and 7.85 versions) there is a bug in DJI Launcher that cause the following side effect :

Some times t he NLD app gets hidden. There is a fix for this.

Install both terminal window and ES file explorer if you have not already done so.

https://play.google.com/store/apps/details?id=com.estrongs.android.pop.pro


Step 1 :

Start your terminal window on your CS then issue the following command


su -c "pm enable dji.pilot.pad"


This will make the NLD app appear if it was hidden.


Step 2 :

From ES Explorer Pro, enable the root explorer mode and hidden files(there is a small slider in app settings to do so)

Start a winbash terminal window on your PC using the start_shell.bat batch file.

Start an adb shell and root with these commands in your bash terminal window and copy the file we need to modify.


adb shell
su
cd /
cp /data/data/dji.system.launcher/shared_prefs/dji.system.launcher.xml /mnt/internal_sd/Download/


The first time you run a root level adb shell you will get a popup on your CS asking you to grant root access to the shell.



Now in shell verify dji.system.launcher.xml has been copied to your sd card.


cd /mnt/internal_sd/Download
ls


You should now see the dji.system.launcher.xml listed.

Back in the shell, we are going to exit the shell and transfer the file to your PC enter these commands.


exit
exit
adb pull /mnt/internal_sd/Download/dji.system.launcher.xml


Verify the xml file is on your PC and exit the bash terminal by using exit one more time.

Edit dji.system.launcher.xml file with notepad++ on your PC

Add or edit this <string name="KEY_MUTEX_PREF_PKG">dji.pilot.pad</string>  as the 3rd line so your xml file looks something like this.

NOTE: if you have <string name="KEY_MUTEX_PREF_PKG">dji.go.v4</string> just edit dji.go.v4 to dji.pilot.pad

DO NOT copy and paste the text below, edit your file.

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <int name="KEY_APP1_INDEX" value="2" />
    <int name="KEY_APP2_INDEX" value="2" />
  <string name="KEY_MUTEX_PREF_PKG">dji.pilot.pad</string>
    <long name="KEY_BOOT_CNT" value="18" />
    <int name="KEY_F1_INDEX" value="0" />
    <string name="KEY_TRAFFIC_USED_TIMESTAMP">2019-04-14</string>
    <long name="KEY_TRAFFIC_USED_TOTAL" value="214388073" />
    <long name="KEY_TRAFFIC_USED_TODAY" value="26259130" />
    <int name="KEY_F2_INDEX" value="1" />
</map>

Save the file.

Now back on your CS start a terminal window and get root, use this command to unhide the NLD app


su

su -c "pm enable dji.pilot.pad"



Verify you can now see the NLD APP icon in applications.

Start a NEW bash terminal with start_shell.bat and transfer the edited file.


adb push dji.system.launcher.xml /mnt/internal_sd/Download/


Now open a root shell and move the xml file.


adb shell
su
cd /
mv -f /mnt/internal_sd/Download/dji.system.launcher.xml /data/data/dji.system.launcher/shared_prefs/



Reboot your CS and verify the NLD APP is still in the apps menu.

continued -
0
11 months ago
#119 Цитировать
continued -

--------------------------------

Software I recommend you install, I have no game in this, they are just suggestions.

In no particular order.

No Root Firewall - I use it to block all the factory DJI apps and IP numbers
Nova Launcher (Prime) - us it to replace the DJI launcher, I like it so I got the prime version
ES File Explorer (Pro) great all around file explorer (again pro if you like it) https://play.google.com/store/apps/details?id=com.estrongs.android.pop.pro
Terminal Emulator - used to further customize your CS and shell https://play.google.com/store/apps/details?id=jackpal.androidterm
Quick Edit (Pro) - great all around text editor, pro if you like it
Chrome to replace the CS internet browser
Sqlite (prime) - great tool for looking in DJI and other databases/gservices
Last but not least - check out no limit dronez www.nolimitdronz.com It's your bird, fly it how you want to, but be safe!

What your CS can look like with Nova Launcher -

No Root Firewall blocking DJI stuffs -
0
11 months ago
#135 Цитировать
Appreciate the write up mate!
0
10 months ago
#160 Цитировать
CantRepeat wrote:

After several reboots, you will be greeted with the setup assistant.

I've made it this far, but I'm not getting the setup assistant.
Any suggestions?
0
10 months ago
#164 Цитировать
Thomas wrote:

After several reboots, you will be greeted with the setup assistant.

I've made it this far, but I'm not getting the setup assistant.
Any suggestions?


So you installed the correct playstore zip file using flashfire?

----------------------------

Installing flashfire and playstore.


- From the main boot menu on the CS open the explorer and select SD Card 1
- Locate the chainfire file and open it.
- Give flashfire su, if asked (should be asked)
- In flashfire, tap the “+” sign on the right hand corner.
- Choose “Flash ZIP or OTA”
- Tap on top of the filebrowser to change to “Filesystem root”
- Navigate to “mnt/external_sd1”
- Choose your zip file
- Leave “Auto-mount” and “Mount/system read/write” unchecked
- Hit the checkmark and there you go
0
10 months ago
#166 Цитировать
CantRepeat wrote:


So you installed the correct playstore zip file using flashfire?

Yes, had trouble getting zip from gapps, used older one (same version) first, later whatever was up w/the web site let me down load latest version. So I skipped the older and flashed newest. Followed install instructions.
I gave CS several (many) reboots and reflashed several (many) times to give it another chance but just not seeing play store.

0
10 months ago
#167 Цитировать
Thomas wrote:


Yes, had trouble getting zip from gapps, used older one (same version) first, later whatever was up w/the web site let me down load latest version. So I skipped the older and flashed newest. Followed install instructions.
I gave CS several (many) reboots and reflashed several (many) times to give it another chance but just not seeing play store.



What do you mean older vs newer one?

0
10 months ago
#168 Цитировать
CantRepeat wrote:

What do you mean older vs newer one?
The gapps file is playstore and there is no newer or older one you can use. It must be the one outlined in the howto.


opengapps.org wasn't working, threw an error, so I went looking for other sources and found open_gapps-arm-5.1-pico-20161006.zip

Later when opengapps.org did allow me to dl I used open_gapps-arm-5.1-pico-20181023.zip
0