How to root your DJI CrystalSky / Phantom GL300E monitor and gain SuperUser / SU access with some easy hacks

Here’s a guide on how to “root” your DJI CrystalSky and gain full super user / su access to it. using a Windows PC.

All you need is 20 minutes and a Micro-USB cable to connect the PC to the side port of the CrystalSky.

Make sure your CS is fully charged before you begin :+1:t2:

Prerequisites and getting ready:

Step 1 - Make sure your CrystalSky is running firmware v02.06.06.00
(at the time of writing, this is the latest/current FW release)

Step 2 - Create a folder called adb on the root of your C: Drive.


Step 3 - Download the Opcodeffm/csroot tools from:


The csroot tool exploits a bug in the CrystalSky firmware and allows you to gain root access to the underlying Android operating system.

Extract the ZIP file to the top level of your C:\adb\ folder.

Step 4 - Download the win-bash tools from:


Extract the ZIP file to the top level of your C:\adb\ folder.

Step 5 - Download the Android SDK Platform Tools tools from:


Extract the ZIP file to the top level of your C:\adb\ folder.

This folder will look really messy now. Fear not, you can delete it completely when done.

Step 6 - Power up the CrystalSky and connect it to your PC using the Micro USB connector on the side.

Give Microsoft Windows a minute or two to install the various drivers it needs.

My Windows 7 PC couldn’t install the ADB Driver on it’s own, even after several minutes of it searching online, so I had to download the driver manually. I’ve mirrored a copy here in case your Windows installation has the same issue:


With the CrystalSky powered up and connected to your Windows PC via USB with no issues, you’re ready to start rooting!

Rooting the DJI CrystalSky:

Step 7 - Open a Command prompt and CD to your C:\adb\ directory. Then type:

adb devices

Confirm that Windows can see the connected CrystalSky. If so, you’ll see something along the lines of:

C:\adb>adb devices
List of devices attached
2TSB4MOEP9 device

If not, you need to get that resolved before proceeding (start a new topic if you need help with that).

Step 8 - Start your bash shell.

To do this, in the same Command window simply type:


You’ll now see a bash prompt like so:


Step 9 - Copy the root exploit on to your CrystalSky.

To do this, in your bash shell, type:


The script will check the CrystalSky is still connected, then it’ll copy the files over for you automatically.

Your bash shell will output something like:

bash$ ./
checking if adb device is present
List of devices attached
2TSB4MOEP9 device

copying files to device
tmp\: 10 files pushed. 3.6 MB/s (8310310 bytes in 2.196s)

Step 10 - Open the ADB Shell.

To do this, from within your bash shell, type:

adb shell

Your command prompt will change from:



shell@zs600b:/ $

Step 11 - Change directory to the /tmp/ folder.

To do this, in your adb shell, type:

cd data/local/tmp

Your command prompt will change from:

shell@zs600b:/ $


shell@zs600b:/data/local/tmp $

Step 12 - Run the exploit script to gain temporary root access.

To do this, from within your adb shell, type:


The exploit script will begin to work it’s magic.

Be patient, this will only take a couple of minutes.

Your console output will look something like this:

sh: ./ not found
  max_:3 min:10 i_ret:0x20

    [+] Done target:dc0df1a0 overflowcheck:200000 map:12670 readv_error:0
    [+] Done target:dc0df1a0 overflowcheck:deadbeef map:12735 readv_error:0
  get_selinux_state -
  - 0
  shellcode_root_self i_pid:1408 ppid:1402 i_thread_info:de9ba000 i_task:db2c5e80 i_cred:dcbfb180 i_init_sid:0
  fwrite is count 1 ./kok
  shell@zs600b:/data/local/tmp $

You now have temporary root access to your CrystalSky :+1:t2:

Step 13 - Gain full root access!

To do this, from within your adb shell, type:


This script will install the su binary and the SuperSU.apk Android app.

Your console output will look something like this:

1|shell@zs600b:/data/local/tmp $ ./mkdevsh
2+0 records in
2+0 records out
2 bytes transferred in 0.001 secs (2000 bytes/sec)
4+0 records in
4+0 records out
4 bytes transferred in 0.001 secs (4000 bytes/sec)
12+0 records in
12+0 records out
12 bytes transferred in 0.001 secs (12000 bytes/sec)

Step 14 - Reboot the CrystalSky - you’re done :bowing_man:

Once rebooted, go to the Applications screen on the CrystalSky.

In here you’ll see a new app called SuperSU

Click on the SuperSU app to launch it.

If an app requests SU permissions then SuperSU will prompt you and give you the option to grant (or refuse). You can also use SuperSU to manage which apps have root privileges, and revoke those permissions at any time, if you desire.

Enjoy :smiley:


Many thanks on this root tutorial. Will try that on my crystal sky 5inch ( when i get ability to download files, since now i can’t see any)
My goal is to get google account with google maps working, hope this will solve my problem :slight_smile:

hi i would like to be able be able to download from the members section and it says i dont have access to do so ?

1 Like

Hi Kyle / @drysdale … and welcome to GADC. :+1:

If you take a look at the Membership Levels section on our FAQ , you’ll see why you are (as yet) unable to access that area.

If you have a moment, pop over to #introductions and tell us a little about yourself …. that will also get you on your way to having access to #members-only area. :wink:


its all good i got it anyways from elswhere but thanks for the the info on the know how to do this :slight_smile:


Does this also work with the remote control with the built-in Crystal Sky Monitor?

The DJI Smart Controller you mean?

I’ve not got one to try…

Let us know how you get on?

No, I mean this remote controler…


Okay, i try it and give a feedback :+1::blush:

Ah, ok, I see.

Yeah, it’ll probably work on the P4 screen, it should run the same OS under the hood?

Let us know either way? Curious now :slight_smile:

Yes, android also runs on it with the DJI GO app.

I hope to find time on the weekend :face_with_monocle:

I am curious too :upside_down_face:

It worked :sunglasses:
My GL300E is rooted :+1:
Version is V01.04.03.00

Thank you for the instructions !!

Now I have to get the NLD app on it.


Nice one - thanks for confirming too :+1:t2:

1 Like

I’ve updated the topic title here @Schenkelspalter to include the GL300E.