Here’s a guide on how to “root” your DJI CrystalSky and gain full superuser (su) access to it, using a Windows PC.
All you need is 20 minutes and a Micro-USB cable to connect the PC to the side port of the CrystalSky.
Make sure your CS is fully charged before you begin.
Prerequisites and getting ready:
Step 1 - Make sure your CrystalSky is running firmware v02.06.06.00 (at the time of writing, this is the latest/current FW release).
Step 2 - Create a folder called adb on the root of your C: drive:
C:\adb\
Step 3 - Download the Opcodeffm/csroot tools from:
The csroot tool exploits a bug in the CrystalSky firmware and allows you to gain root access to the underlying Android operating system.
Extract the ZIP file to the top level of your C:\adb\ folder.
Step 4 - Download the win-bash tools from:
Extract the ZIP file to the top level of your C:\adb\ folder.
Step 5 - Download the Android SDK Platform Tools from:
Extract the ZIP file to the top level of your C:\adb\ folder.
This folder will look really messy now. Fear not, you can delete it completely when done.
Step 6 - Power up the CrystalSky and connect it to your PC using the Micro USB connector on the side.
Give Microsoft Windows a minute or two to install the various drivers it needs.
My Windows 7 PC couldn’t install the ADB Driver on its own, even after several minutes of it searching online, so I had to download the driver manually. I’ve mirrored a copy here in case your Windows installation has the same issue:
With the CrystalSky powered up and connected to your Windows PC via USB with no issues, you’re ready to start rooting!
Rooting the DJI CrystalSky:
Step 7 - Open a Command Prompt and cd to your C:\adb\ directory. Then type:
adb devices
Confirm that Windows can see the connected CrystalSky. If so, you’ll see something along the lines of:
C:\adb>adb devices
List of devices attached
2TSB4MOEP9 device
If not, you need to get that resolved before proceeding (start a new topic if you need help with that).
Step 8 - Start your bash shell.
To do this, in the same Command window simply type:
start_shell.bat
You’ll now see a bash prompt like so:
C:\adb>start_shell.bat
bash$
Step 9 - Copy the root exploit on to your CrystalSky.
To do this, in your bash shell, type:
./copy.sh
The script will check the CrystalSky is still connected, then it’ll copy the files over for you automatically.
Your bash shell will output something like:
bash$ ./copy.sh
checking if adb device is present
List of devices attached
2TSB4MOEP9 device
copying files to device
tmp\: 10 files pushed. 3.6 MB/s (8310310 bytes in 2.196s)
Step 10 - Open the ADB Shell.
To do this, from within your bash shell, type:
adb shell
Your command prompt will change from:
bash$
To:
shell@zs600b:/ $
Step 11 - Change directory to the /tmp/ folder.
To do this, in your adb shell, type:
cd data/local/tmp
Your command prompt will change from:
shell@zs600b:/ $
To:
shell@zs600b:/data/local/tmp $
Step 12 - Run the exploit script to gain temporary root access.
To do this, from within your adb shell, type:
./lordroot
The exploit script will begin to work its magic.
Be patient, this will only take a couple of minutes.
Your console output will look something like this:
sh: ./patch_script.sh: not found
max_:3 min:10 i_ret:0x20
F_SETPIPE_SZ 407
[+] Done target:dc0df1a0 overflowcheck:200000 map:12670 readv_error:0
[+] Done target:dc0df1a0 overflowcheck:deadbeef map:12735 readv_error:0
get_selinux_state -
- 0
shellcode_root_self i_pid:1408 ppid:1402 i_thread_info:de9ba000 i_task:db2c5e80 i_cred:dcbfb180 i_init_sid:0
fwrite is count 1 ./kok
shell@zs600b:/data/local/tmp $
You now have temporary root access to your CrystalSky.
Step 13 - Gain full root access!
To do this, from within your adb shell, type:
./mkdevsh
This script will install the su binary and the SuperSU.apk Android app.
Your console output will look something like this:
1|shell@zs600b:/data/local/tmp $ ./mkdevsh
2+0 records in
2+0 records out
2 bytes transferred in 0.001 secs (2000 bytes/sec)
4+0 records in
4+0 records out
4 bytes transferred in 0.001 secs (4000 bytes/sec)
12+0 records in
12+0 records out
12 bytes transferred in 0.001 secs (12000 bytes/sec)
Step 14 - Reboot the CrystalSky - you’re done
Once rebooted, go to the Applications screen on the CrystalSky.
In here you’ll see a new app called SuperSU.
Click on the SuperSU app to launch it.
If an app requests SU permissions then SuperSU will prompt you and give you the option to grant (or refuse). You can also use SuperSU to manage which apps have root privileges, and revoke those permissions at any time, if you desire.
Enjoy
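
The device check from Steps 7 and 9, as an added example that is not part of the original guide or of the csroot tools: a shell function that classifies the output of adb devices so a script can stop when the CrystalSky is missing, offline, unauthorized, or not the only device attached. The function names and the sample outputs (apart from the serial shown in Step 7) are constructed for illustration, and a POSIX shell with awk is assumed.

```shell
# Added example (not part of csroot): classify the text printed by `adb devices`.
# Prints one of: ready:<serial> | none | multiple | unauthorized | offline | unknown:<state>
classify_adb_devices() {
    # $1 = full stdout of `adb devices`; Windows adb emits CRLF, so strip \r first.
    printf '%s\n' "$1" | tr -d '\r' | awk '
        # Skip daemon notices ("* daemon started ..."), the header and blank lines.
        /^\*/ || /^List of devices attached/ || NF == 0 { next }
        { n++; serial = $1; state = $2 }
        END {
            if (n == 0) print "none"
            else if (n > 1) print "multiple"
            else if (state == "device") print "ready:" serial
            else if (state == "unauthorized" || state == "offline") print state
            else print "unknown:" state
        }'
}

# Hypothetical wrapper: call before ./copy.sh; returns 0 only when exactly
# one attached device is in the "device" state.
preflight() {
    result=$(classify_adb_devices "$(adb devices 2>/dev/null)")
    case "$result" in
        ready:*) echo "ready: ${result#ready:}"; return 0 ;;
        none) echo "no device listed: check the cable and the ADB driver" ;;
        multiple) echo "more than one device listed: unplug the others" ;;
        *) echo "device not usable yet (state: $result)" ;;
    esac
    return 1
}

# Constructed sample outputs (serial taken from the Step 7 listing).
SAMPLE_OK=$(printf 'List of devices attached\n2TSB4MOEP9\tdevice\n')
SAMPLE_NONE=$(printf '* daemon not running; starting now at tcp:5037\n* daemon started successfully\nList of devices attached\n\n')
SAMPLE_UNAUTH=$(printf 'List of devices attached\r\n2TSB4MOEP9\tunauthorized\r\n')
SAMPLE_TWO=$(printf 'List of devices attached\n2TSB4MOEP9\tdevice\nEXAMPLE0002\toffline\n')
```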