How to root your DJI CrystalSky / Phantom GL300E monitor and gain SuperUser / SU access with some easy hacks

Here’s a guide on how to “root” your DJI CrystalSky and gain full super user / su access to it. using a Windows PC.

All you need is 20 minutes and a Micro-USB cable to connect the PC to the side port of the CrystalSky.

Make sure your CS is fully charged before you begin

Prerequisites and getting ready:

Step 1 - Make sure your CrystalSky is running firmware v02.06.06.00
— (at the time of writing, this is the latest/current FW release)

Step 2 - Create a folder called adb on the root of your C: Drive.

C:\adb\

Step 3 - Download the Opcodeffm/csroot tools from:

{DOWNLOAD FROM THE MEMBERS ONLY CATEGORY }

The csroot tool exploits a bug in the CrystalSky firmware and allows you to gain root access to the underlying Android operating system.

Extract the ZIP file to the top level of your C:\adb\ folder.

Step 4 - Download the win-bash tools from:

{DOWNLOAD FROM THE MEMBERS ONLY CATEGORY }

Extract the ZIP file to the top level of your C:\adb\ folder.

Step 5 - Download the Android SDK Platform Tools tools from:

{DOWNLOAD FROM THE MEMBERS ONLY CATEGORY }

Extract the ZIP file to the top level of your C:\adb\ folder.

This folder will look really messy now. Fear not, you can delete it completely when done.

Step 6 - Power up the CrystalSky and connect it to your PC using the Micro USB connector on the side.

Give Microsoft Windows a minute or two to install the various drivers it needs.

My Windows 7 PC couldn’t install the ADB Driver on it’s own, even after several minutes of it searching online, so I had to download the driver manually. I’ve mirrored a copy here in case your Windows installation has the same issue:

{DOWNLOAD FROM THE MEMBERS ONLY CATEGORY }

With the CrystalSky powered up and connected to your Windows PC via USB with no issues, you’re ready to start rooting!

Rooting the DJI CrystalSky:

Step 7 - Open a Command prompt and CD to your C:\adb\ directory. Then type:

adb devices

Confirm that Windows can see the connected CrystalSky. If so, you’ll see something along the lines of:

C:\adb>adb devices
List of devices attached
2TSB4MOEP9 device

If not, you need to get that resolved before proceeding (start a new topic if you need help with that).

Step 8 - Start your bash shell.

To do this, in the same Command window simply type:

start_shell.bat

You’ll now see a bash prompt like so:

C:\adb>start_shell.bat
bash$

Step 9 - Copy the root exploit on to your CrystalSky.

To do this, in your bash shell, type:

./copy.sh

The script will check the CrystalSky is still connected, then it’ll copy the files over for you automatically.

Your bash shell will output something like:

bash$ ./copy.sh
checking if adb device is present
List of devices attached
2TSB4MOEP9 device

copying files to device
tmp\: 10 files pushed. 3.6 MB/s (8310310 bytes in 2.196s)

Step 10 - Open the ADB Shell.

To do this, from within your bash shell, type:

adb shell

Your command prompt will change from:

bash$

To:

shell@zs600b:/ $

Step 11 - Change directory to the /tmp/ folder.

To do this, in your adb shell, type:

cd data/local/tmp

Your command prompt will change from:

shell@zs600b:/ $

To:

shell@zs600b:/data/local/tmp $

Step 12 - Run the exploit script to gain temporary root access.

To do this, from within your adb shell, type:

./lordroot

The exploit script will begin to work it’s magic.

Be patient, this will only take a couple of minutes.

Your console output will look something like this:

sh: ./patch_script.sh: not found
  max_:3 min:10 i_ret:0x20

  F_SETPIPE_SZ 407
    [+] Done target:dc0df1a0 overflowcheck:200000 map:12670 readv_error:0
    [+] Done target:dc0df1a0 overflowcheck:deadbeef map:12735 readv_error:0
  get_selinux_state -
  - 0
  shellcode_root_self i_pid:1408 ppid:1402 i_thread_info:de9ba000 i_task:db2c5e80 i_cred:dcbfb180 i_init_sid:0
  fwrite is count 1 ./kok
  shell@zs600b:/data/local/tmp $

You now have temporary root access to your CrystalSky

Step 13 - Gain full root access!

To do this, from within your adb shell, type:

./mkdevsh

This script will install the su binary and the SuperSU.apk Android app.

Your console output will look something like this:

1|shell@zs600b:/data/local/tmp $ ./mkdevsh
2+0 records in
2+0 records out
2 bytes transferred in 0.001 secs (2000 bytes/sec)
4+0 records in
4+0 records out
4 bytes transferred in 0.001 secs (4000 bytes/sec)
12+0 records in
12+0 records out
12 bytes transferred in 0.001 secs (12000 bytes/sec)

Step 14 - Reboot the CrystalSky - you’re done

Once rebooted, go to the Applications screen on the CrystalSky.

In here you’ll see a new app called SuperSU

Screenshot_2019-04-19-11-24-542048×1536 366 KB

Click on the SuperSU app to launch it.

Screenshot_2019-04-19-16-12-592048×1536 131 KB

If an app requests SU permissions then SuperSU will prompt you and give you the option to grant (or refuse). You can also use SuperSU to manage which apps have root privileges, and revoke those permissions at any time, if you desire.

Enjoy

Many thanks on this root tutorial. Will try that on my crystal sky 5inch ( when i get ability to download files, since now i can’t see any)
My goal is to get google account with google maps working, hope this will solve my problem

hi i would like to be able be able to download from the members section and it says i dont have access to do so ?

Hi Kyle / @drysdale … and welcome to GADC.

If you take a look at the Membership Levels section on our FAQ , you’ll see why you are (as yet) unable to access that area.

If you have a moment, pop over to #introductions and tell us a little about yourself …. that will also get you on your way to having access to #members-only area.

its all good i got it anyways from elswhere but thanks for the the info on the know how to do this

Does this also work with the remote control with the built-in Crystal Sky Monitor?

The DJI Smart Controller you mean?

I’ve not got one to try…

Let us know how you get on?

No, I mean this remote controler…

Okay, i try it and give a feedback

Ah, ok, I see.

Yeah, it’ll probably work on the P4 screen, it should run the same OS under the hood?

Let us know either way? Curious now

Yes, android also runs on it with the DJI GO app.

I hope to find time on the weekend

I am curious too

It worked
My GL300E is rooted
Version is V01.04.03.00

Thank you for the instructions !!

Now I have to get the NLD app on it.

Nice one - thanks for confirming too

I’ve updated the topic title here @Schenkelspalter to include the GL300E.

To do it in the GL300E, do you have to follow the same instructions?

I think so, but @Schenkelspalter will confirm

Yes. I follow exactly this instruction.

Sincerely Torsten

Mr SchenkelSpalter
You could do it by remote desktop Teamviewer for example?

I have tried but do not understand many concepts in the instructions.

I understand that I am solely responsible if it breaks down. No problem but I need to install two applications.
Thank you.

If you pay him $500 first, then he might consider doing it all for you remotely

First you have to bring your member level to level 2 in order to download the required files.

If there are flight apps (e.g. NLD GO or similar) that you want to install, then unfortunately I have to disappoint you.
Without going into too much detail, as long as the original DJI GO app is running, other flight apps cannot connect to the drone.

And believe me, I tried to bypass everything and grilled a remote control