Messages in crystalsky_rooting
[2017-08-08 12:03:54]
opcode :
@opcode has joined the channel
[2017-08-08 12:07:59]
opcode :
plug and play debug. thank you DJI. :slightly_smiling_face:
[2017-08-08 12:08:01]
opcode :
sh-3.2# adb devices
List of devices attached
1TSBXXXX device
sh-3.2# adb shell
shell@zs600b:/ $ ls
acct
bcm4329_cybertan.hcd
bcm4329_samsung.hcd
bcm4329_usi.hcd
cache
charger
config
d
data
default.prop
dev
drmboot.ko
etc
file_contexts
fstab.rk30board
fstab.rk30board.bootmode.emmc
fstab.rk30board.bootmode.unknown
init
init.connectivity.rc
init.environ.rc
init.rc
init.rk30board.bootmode.emmc.rc
init.rk30board.bootmode.unknown.rc
init.rk30board.environment.rc
init.rk30board.rc
init.rk30board.usb.rc
init.rockchip.rc
init.trace.rc
init.usb.rc
init.zygote32.rc
metadata
mnt
proc
property_contexts
res
rk30xxnand_ko.ko.3.10.0
root
sbin
sdcard
seapp_contexts
selinux_version
sepolicy
service_contexts
storage
sys
system
ueventd.rc
ueventd.rk30board.rc
vendor
shell@zs600b:/ $
[2017-08-08 12:11:05]
kilrah :
@kilrah has joined the channel
[2017-08-08 12:14:11]
opcode :
shell@zs600b:/ $ cd data
shell@zs600b:/data $ ls
opendir failed, Permission denied
255|shell@zs600b:/data $ cd app
shell@zs600b:/data/app $ ls
opendir failed, Permission denied
255|shell@zs600b:/data/app $
[2017-08-08 12:14:13]
opcode :
heh
[2017-08-08 12:19:27]
goof :
@goof has joined the channel
[2017-08-08 12:52:50]
bin4ry :
@bin4ry has joined the channel
[2017-08-08 12:53:01]
bin4ry :
Which android version?
[2017-08-08 12:56:08]
opcode :
upgrading right now, will tell you. .-)
[2017-08-08 12:56:10]
opcode :
:slightly_smiling_face:
[2017-08-08 12:57:37]
bin4ry :
You can try dirtycow if the age matches
[2017-08-08 12:57:53]
bin4ry :
<https://github.com/timwr/CVE-2016-5195?files=1>
[2017-08-08 13:03:17]
opcode :
nice, thanks. :slightly_smiling_face:
[2017-08-08 13:26:01]
nocommie :
@nocommie has joined the channel
[2017-08-08 15:30:12]
solution :
@solution has joined the channel
[2017-08-08 21:30:01]
opcode :
adb shell
shell@zs600b:/ $ su
root@zs600b:/ #
[2017-08-08 21:30:07]
opcode :
Step 1 :slightly_smiling_face:
[2017-08-08 21:46:02]
rolands888 :
@rolands888 has joined the channel
[2017-08-08 21:48:00]
rolands888 :
Looking forward to this
[2017-08-08 22:55:57]
blade-strike :
@blade-strike has joined the channel
[2017-08-08 23:57:42]
skywalk3r :
@skywalk3r has joined the channel
[2017-08-09 05:20:09]
kilrah :
haha yay :slightly_smiling_face:
[2017-08-09 07:47:26]
bin4ry :
Just like this? No exploit?
[2017-08-09 14:01:50]
opcode :
nah, exploit was needed. :slightly_smiling_face:
[2017-08-09 14:08:40]
bin4ry :
Dirtycow or which one?
[2017-08-09 15:27:23]
bin4ry :
upload it already so we can take it apart
[2017-08-09 15:27:49]
opcode :
i tell those bits and bytes to hurry :slightly_smiling_face:
[2017-08-09 15:28:55]
martinbogo :
@martinbogo has joined the channel
[2017-08-09 15:28:55]
freaky123 :
@freaky123 has joined the channel
[2017-08-09 15:28:55]
hostile :
@hostile has joined the channel
[2017-08-09 15:30:24]
opcode :
ff0f0000.rksdmmc/by-name/system of=/mnt/external_sd1/sys.img <
6291456+0 records in
6291456+0 records out
3221225472 bytes transferred in 466.181 secs (6909817 bytes/sec)
root@zs600b:/system/app #
[2017-08-09 15:37:54]
hostile :
you bastards gonna make me buy a Crystal Sky
[2017-08-09 15:38:23]
hostile :
def pull that Pilot.app beta off there for us =]
[2017-08-09 15:39:05]
hostile :
@opcode did you try "su" to see if you can become root
[2017-08-09 15:39:15]
hostile :
looks like the ADB property to run as root isn't set
[2017-08-09 15:39:25]
hostile :
can you type "getprop" for me on the ADB shell ?
[2017-08-09 15:39:44]
hostile :
NEVER mind! <https://dji-rev.slack.com/archives/C6K376JGZ/p1502227801425465>
[2017-08-09 15:39:47]
hostile :
I'm slow
[2017-08-09 15:40:14]
hostile :
@opcode can you type "getprop" for me... we can set that ADB shell to run as root by default
[2017-08-09 15:46:14]
opcode :
Heh
[2017-08-09 15:48:04]
opcode :
just to clarify, i still had to root it. su was not there. simple ADB running with shell.
[2017-08-09 15:48:51]
hostile :
[ro.dji.security_enable]: [false]
[2017-08-09 15:48:53]
hostile :
lol
[2017-08-09 15:49:01]
hostile :
hey @freaky123 there is that god damn Rock chip!
[2017-08-09 15:49:02]
hostile :
[ro.product.usbfactory]: [rockchip_usb]
[2017-08-09 15:49:24]
hostile :
does assistant see Crystal Sky at all when plugged in?
[2017-08-09 15:49:48]
opcode :
didnt try. was happy, that adb is enabled by default.:-)
[2017-08-09 15:50:06]
hostile :
I think sys.rkadb.root = 1 makes it run as root
[2017-08-09 15:51:10]
hostile :
stop adbd && setprop service.adb.root 0 && start adbd &
[2017-08-09 15:51:14]
hostile :
is the alternate I think
[2017-08-09 15:51:21]
hostile :
I forget if 1 or 0 is good setting
[2017-08-09 15:51:22]
hostile :
=]
[2017-08-09 15:51:36]
hostile :
setprop service.adb.root 0
[2017-08-09 15:51:37]
opcode :
root is not the problem, its more the android.packageinstaller is well protected by DJI. :slightly_smiling_face:
[2017-08-09 15:51:39]
hostile :
yeah that should make it root
[2017-08-09 15:51:51]
hostile :
well IF you want to adb pull files..
[2017-08-09 15:51:55]
hostile :
not running as root sucks
[2017-08-09 15:52:13]
hostile :
just a minor convenience thing
[2017-08-09 15:52:20]
opcode :
yap. but DJI spend me nice SD slots .... lol
[2017-08-09 15:52:38]
hostile :
semantics all of this of course =]
[2017-08-09 15:53:30]
freaky123 :
What is the goal with the crystalsky?
[2017-08-09 15:53:47]
hostile :
it replaces your phone basically
[2017-08-09 15:53:54]
hostile :
and has REAL nice display for outdoors
[2017-08-09 15:53:59]
hostile :
dedicated Go tablet basically
[2017-08-09 15:54:06]
freaky123 :
Ok nice
[2017-08-09 15:54:44]
freaky123 :
Can you cat /etc/cmdline @opcode ?
[2017-08-09 15:55:22]
freaky123 :
Is the one you have a pre-production or just a normal version? (Since adb is enabled)
[2017-08-09 15:56:09]
opcode :
shell@zs600b:/ $ cat /etc/cmdline
/system/bin/sh: cat: /etc/cmdline: No such file or directory
[2017-08-09 15:56:25]
opcode :
normal version, one of the first two my dealer got.
[2017-08-09 15:56:53]
freaky123 :
Aha because normally adb is only enabled on pre production devices
[2017-08-09 15:57:01]
freaky123 :
At least for their drones
[2017-08-09 15:57:24]
opcode :
yeah, i was wondering too. was enabled with simple shell.
[2017-08-09 15:58:34]
freaky123 :
Oh @opcode I meant /proc/cmdline
[2017-08-09 15:58:52]
freaky123 :
Btw don't forget to remove your private info from that response
[2017-08-09 15:59:02]
freaky123 :
Or send in private
[2017-08-09 15:59:39]
freaky123 :
Curious to see if that line says production and contains similar keys as the other dji devices
[2017-08-09 15:59:46]
opcode :
send DM
[2017-08-09 16:12:56]
bin4ry :
we can just modify the android packagemanager to remove the dji check
[2017-08-09 16:13:00]
bin4ry :
would not be a real problem
[2017-08-09 16:13:04]
bin4ry :
he has root already
[2017-08-09 16:13:05]
bin4ry :
:smile:
[2017-08-09 16:27:44]
hotelzululima :
@hotelzululima has joined the channel
[2017-08-09 17:36:03]
opcode :
<provider android:authorities="dji.go.v4.fileProvider" android:exported="false" android:grantUriPermissions="true" android:name="com.tencent.bugly.beta.utils.BuglyFileProvider">
<meta-data android:name="android.support.FILE_PROVIDER_PATHS" android:resource="@xml/provider_paths"/>
</provider>
<service android:exported="false" android:name="com.tencent.bugly.beta.tinker.TinkerResultService"/>
<service android:exported="false" android:name="com.tencent.tinker.lib.service.TinkerPatchService" android:process=":patch"/>
<service android:exported="false" android:name="com.tencent.tinker.lib.service.TinkerPatchService$InnerService" android:process=":patch"/>
<service android:exported="false" android:name="com.tencent.tinker.lib.service.DefaultTinkerResultService"/>
[2017-08-09 17:36:21]
opcode :
Tinker @ Crystalsky´s DJI GO
[2017-08-09 17:36:48]
hostile :
<https://dji-rev.slack.com/archives/C60LBFP9Q/p1502063578091554>
[2017-08-09 20:10:46]
hostile :
man the APK is small compared to the normal DJI go apk
[2017-08-09 20:20:22]
opcode :
Yeah. But it crashes constantly on my CS. It doesn't even start.
[2017-08-09 20:25:35]
hostile :
I don't think it is a complete apk
[2017-08-09 20:25:42]
hostile :
there are no .dex files in it
[2017-08-09 20:26:20]
bin4ry :
Haven't looked into the system yet. Is the ROM deodexed ?
[2017-08-09 20:29:06]
bin4ry :
If not you need to do it yourself
[2017-08-09 20:29:26]
bin4ry :
Late here already will take a look tomorrow myself :wink:
[2017-08-09 20:32:20]
bin4ry :
Bcs when you say there is no dex inside most likely the ROM is odexed which means every apk has an .odex too which optimized dex in it
[2017-08-09 20:33:49]
bin4ry :
Look if you see an arm folder with an odex file
[2017-08-09 20:35:01]
bin4ry :
This will be the optimized classes dex file basically speaking.
[2017-08-09 20:35:23]
bin4ry :
Ok have to go now, if you want to play yourself you have some info now :joy:
[2017-08-09 20:36:45]
opcode :
root@zs600b:/system/priv-app/djipilot # ls
arm
djipilot.apk
lib
[2017-08-09 20:36:57]
opcode :
arm should be the dex
[2017-08-09 20:38:37]
bin4ry :
Arm is a folder
[2017-08-09 20:38:39]
bin4ry :
Look inside
[2017-08-09 20:38:52]
bin4ry :
Will be a odex file
[2017-08-09 20:38:59]
opcode :
i know, djipilot.odex inside :slightly_smiling_face:
[2017-08-09 20:39:04]
bin4ry :
:wink:
[2017-08-09 20:39:07]
bin4ry :
Cu tomorrow
[2017-08-09 20:39:31]
opcode :
sleep well! and thanks for your help! :slightly_smiling_face:
[2017-08-09 20:50:34]
the_lord :
@the_lord has joined the channel
[2017-08-09 21:05:33]
hostile :
<https://www.youtube.com/watch?v=UeBnhZGB_30>
[2017-08-09 21:23:43]
the_lord :
<https://drive.google.com/open?id=0B3wIy_i8O8a2TjJQTFF1SHRLTmc>
DJIService.apk --^
[2017-08-09 21:58:25]
exculpo :
@exculpo has joined the channel
[2017-08-10 00:29:36]
digital1 :
@digital1 has joined the channel
[2017-08-10 07:18:10]
bin4ry :
@hostile --^ this is the deodexed version.
[2017-08-10 07:34:14]
bin4ry :
nice thing is
[2017-08-10 07:34:19]
bin4ry :
this is not obfuscated :smile:
[2017-08-10 09:03:49]
triangular :
@triangular has joined the channel
[2017-08-10 09:08:18]
ender :
@ender has joined the channel
[2017-08-10 09:10:04]
ender :
@bin4ry : did the pilot APK get special treatment from you ? (like FCC enabled) or is it “just” plain extracted & deodexed ?
[2017-08-10 09:10:23]
ender :
<--- being dumb, should there be an advantage compared to DJI GO ?!
[2017-08-10 09:10:57]
bin4ry :
no
[2017-08-10 09:10:59]
bin4ry :
just deodexed
[2017-08-10 09:11:08]
ender :
ok !
[2017-08-10 09:11:21]
bin4ry :
this djipilot has a shitload less of crapware
[2017-08-10 09:11:50]
ender :
now thats an advantage ! Probably also faster that way…
[2017-08-10 09:13:30]
bin4ry :
i think so
[2017-08-10 09:13:36]
bin4ry :
but did not try the app yet
[2017-08-10 09:13:37]
bin4ry :
just shared
[2017-08-10 09:14:11]
tom4711 :
@tom4711 has joined the channel
[2017-08-10 09:29:17]
freaky123 :
How does this thing get the map?
[2017-08-10 09:29:34]
freaky123 :
Does it have wifi or cellular inet?
[2017-08-10 09:31:29]
opcode :
wifi
[2017-08-10 12:35:40]
hostile :
"this djipilot has a shitload less of crapware" blade said that would be the case on RCG... someone mentioned a split pilot / social app
[2017-08-10 14:25:29]
bin4ry :
so to explain this
[2017-08-10 14:25:43]
bin4ry :
dji modded the installd so it only allowed 3 apps to install
[2017-08-10 14:26:01]
bin4ry :
i simply changed a few bits to skip the check
[2017-08-10 14:26:14]
bin4ry :
so after you rooted the device
[2017-08-10 14:26:24]
bin4ry :
you want to use this installd to be able to install google play
[2017-08-10 14:26:43]
bin4ry :
along with its needed framework
[2017-08-10 14:27:09]
bin4ry :
see here the tutorial for fire phone, this should work here too: <https://forum.xda-developers.com/fire-phone/general/fire-phone-how-to-install-google-play-t2977237/>
[2017-08-10 14:30:21]
bin4ry :
also allow unknown sources before you do that
[2017-08-10 14:30:22]
hostile :
LOLOLOLO nice work @bin4ry
[2017-08-10 14:30:25]
bin4ry :
# settings put global install_non_market_apps 1
[2017-08-10 14:31:47]
bin4ry :
well .. we should put this to wiki
[2017-08-10 14:31:51]
bin4ry :
before it is los
[2017-08-10 14:31:52]
bin4ry :
*t
[2017-08-10 14:41:44]
hostile :
damn @bin4ry that Go app on Crystal Sky is like night and day re: bloat ware....
[2017-08-10 14:44:01]
goof :
the pilot beta? or is the CS DJI Go app different to iOS/Android?
[2017-08-10 14:45:16]
bin4ry :
pilot beta
[2017-08-10 14:45:25]
bin4ry :
the other ones are the same on the CSky
[2017-08-10 14:50:21]
goof :
It'd be tempting if I didn't already have the iPad
[2017-08-10 14:51:33]
hostile :
DJI Pilot Beta: V 0.3.3
[2017-08-10 14:51:52]
hostile :
<http://dl.djicdn.com/downloads/CrystalSky/20170804/CrystalSky_Release_Notes_EN.pdf>
[2017-08-10 14:59:58]
the_lord :
upgraded the P4P+ to latest version and still there is no SU
[2017-08-10 15:02:18]
bin4ry :
SU ?
[2017-08-10 15:02:34]
the_lord :
for the RC built in screen
[2017-08-10 15:02:34]
hostile :
"su"
[2017-08-10 15:02:57]
bin4ry :
p4p+ the same as crystalsky ?
[2017-08-10 15:03:04]
bin4ry :
try some public exploit then
[2017-08-10 15:03:09]
bin4ry :
kingoroot or such
[2017-08-10 15:03:53]
bin4ry :
they implemented a wide range of exploits to test :wink:
[2017-08-10 15:18:33]
the_lord :
It's almost same as crystalsky
[2017-08-10 15:19:20]
the_lord :
I'll read about kingroot
[2017-08-10 15:19:44]
the_lord :
@opcode did you do anything special to su to root?
[2017-08-10 15:21:01]
opcode :
no, try kingoroot, not kingroot.
[2017-08-10 15:21:21]
opcode :
but be careful, the installer on your Windows Machine installs some spam soft.
[2017-08-10 15:24:39]
bin4ry :
@the_lord if you got root and cannot sideload the apks
[2017-08-10 15:24:46]
bin4ry :
you might try the same installd
[2017-08-10 15:25:09]
bin4ry :
i think they will use the same protection on similar devices
[2017-08-10 15:27:07]
the_lord :
I'll see what can I do
[2017-08-10 15:27:38]
the_lord :
I'm trying to gain root to enable FCC coz its range is very bad
[2017-08-10 15:28:13]
bin4ry :
i see
[2017-08-10 15:31:36]
the_lord :
This drone will be used in very restricted area and I will not be able to change anything once they take it
For that I'm trying to customize what ever i can before that
[2017-08-10 15:46:53]
bin4ry :
let me check it
[2017-08-10 15:47:15]
bin4ry :
yup
[2017-08-10 15:47:19]
bin4ry :
has the same bullshit
[2017-08-10 15:47:35]
the_lord :
so i can safely use your patched one
[2017-08-10 15:47:45]
bin4ry :
gimme a minute to check if it is the same file
[2017-08-10 15:47:51]
bin4ry :
if not i will patch yours too
[2017-08-10 15:49:21]
bin4ry :
@the_lord confirmed. you can use the patched version above
[2017-08-10 15:49:41]
the_lord :
thanks
[2017-08-10 15:53:18]
the_lord :
just to sum up
replace installd to be able to install kingoapp to be able to gain root
right?
[2017-08-10 15:53:29]
bin4ry :
no
[2017-08-10 15:53:38]
bin4ry :
kingoroot is to root
[2017-08-10 15:54:08]
bin4ry :
installd replacement can be done once you are root. this is needed if you want to install another apk (litchi f.e.)
[2017-08-10 15:54:24]
bin4ry :
because dji changed the installd to prevent all apk installations except 3 specified apps
[2017-08-10 15:54:30]
bin4ry :
i removed that check simply :wink:
[2017-08-10 15:56:00]
the_lord :
i understand why installd patched
but i think i can replace installd without root coz its owner is shell which i'm logged in with
[2017-08-10 15:56:34]
bin4ry :
but /system is ro normally
[2017-08-10 15:56:38]
bin4ry :
to remount you need root
[2017-08-10 15:57:14]
the_lord :
just tested it, you are correct
[2017-08-10 15:58:16]
bin4ry :
yah
[2017-08-10 15:58:28]
bin4ry :
make sure you set the correct file permissions if you overwrite it
[2017-08-10 15:59:55]
the_lord :
don't worry the p4 is still bricked because of chmod 755 :wink:
[2017-08-10 16:01:33]
bin4ry :
argh
[2017-08-10 16:01:59]
the_lord :
how kingoroot roots the device?
[2017-08-10 16:02:42]
bin4ry :
it is a multiroot, they just packed many rooting methods into the software and i don't think they tell you what they do on what device
[2017-08-10 16:03:42]
the_lord :
sorry for asking too much , but this drone is not mine and not covered by my work budget
so no big balls here :sweat_smile:
[2017-08-10 16:03:59]
bin4ry :
haha
[2017-08-10 16:04:39]
bin4ry :
kingoroot is basically a multiroot package someone did, it decides which exploit to use on its own. they install a ton of crap on your windowspc to make money on ads
[2017-08-10 16:05:04]
bin4ry :
apart from that i would think it is okay to use, but they do not tell you what they do to root
[2017-08-10 16:05:14]
bin4ry :
so, just run it and then you will get su :smile:
[2017-08-10 16:06:19]
hostile :
some of those tools are messy and install shit that fights for control of your phone
[2017-08-10 16:06:29]
hostile :
does dirtyc0w work on it?
[2017-08-10 16:06:53]
hostile :
<https://gist.github.com/Arinerron/0e99d69d70a778ca13a0087fa6fdfd80>
[2017-08-10 16:06:54]
bin4ry :
idk i did not try it myself so
[2017-08-10 16:07:04]
bin4ry :
posted the dirtyc0w link yesterday
[2017-08-10 16:07:24]
hostile :
<https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs>
[2017-08-10 16:07:45]
bin4ry :
worth a try to run this script
[2017-08-10 16:07:49]
bin4ry :
cannot hurt much
[2017-08-10 16:07:53]
bin4ry :
either it works or not
[2017-08-10 16:07:58]
bin4ry :
and you atleast know whats happening :smile:
[2017-08-10 16:10:16]
the_lord :
i don't feel comfort to use kingoroot
[2017-08-10 16:10:46]
bin4ry :
i can understand that
[2017-08-10 16:10:51]
bin4ry :
try the dirtyc0w then
[2017-08-10 16:15:07]
the_lord :
i saw @hostile mentioned it can be rooted with something related to getprop
[2017-08-10 16:15:36]
bin4ry :
try running adb root
[2017-08-10 16:15:41]
bin4ry :
see if it pops as root shell up
[2017-08-10 16:16:20]
the_lord :
adb root doesn't do anything
[2017-08-10 16:17:26]
bin4ry :
no error?
[2017-08-10 16:17:29]
bin4ry :
then run adb shell now
[2017-08-10 16:17:45]
the_lord :
still on shell and no su
[2017-08-10 16:18:02]
bin4ry :
you need to run adb root outside the adb shell
[2017-08-10 16:18:14]
the_lord :
C:\ADB>adb root
C:\ADB>adb shell
shell@gl300e:/ $ su
/system/bin/sh: su: not found
127|shell@gl300e:/ $
[2017-08-10 16:18:14]
bin4ry :
not when you are still on the shell
[2017-08-10 16:18:19]
bin4ry :
ok
[2017-08-10 16:18:20]
the_lord :
i know man
[2017-08-10 16:18:22]
bin4ry :
sorry :smile:
[2017-08-10 16:18:40]
bin4ry :
no if the prop is set you do not have "su" you just have #
[2017-08-10 16:18:45]
bin4ry :
after running adb root
[2017-08-10 16:21:00]
bin4ry :
so if this did not work
[2017-08-10 16:21:10]
bin4ry :
it has this not enabled by default
[2017-08-10 16:21:14]
bin4ry :
you need to run an exploit then
[2017-08-10 16:21:53]
kilrah :
hehe well done for the patch :sweat_smile:
[2017-08-10 16:22:37]
the_lord :
@bin4ry loud and clear
[2017-08-10 16:23:06]
bin4ry :
<https://github.com/timwr/CVE-2016-5195>
[2017-08-10 16:23:14]
bin4ry :
you can also try this dirtycow implementation
[2017-08-10 16:23:36]
bin4ry :
@kilrah thanks, was too easy to patch out, just invalidated the strings and set BNE.W instead BEQ.W
[2017-08-10 16:23:37]
bin4ry :
:stuck_out_tongue:
[2017-08-10 16:23:53]
kilrah :
:laughing:
[2017-08-10 16:24:10]
bin4ry :
made sure to invalidate the strings, so you can still install the 3 apps if you like :smile:
[2017-08-10 16:25:32]
kilrah :
haha a version without them invalidated would be funny to distribute - here you go, install anything you want EXCEPT that crap :stuck_out_tongue:
[2017-08-10 16:25:35]
bin4ry :
@the_lord or this one
[2017-08-10 16:25:35]
bin4ry :
<https://forum.xda-developers.com/android/software-hacking/root-tool-dirtycow-apk-adb-t3525120>
[2017-08-10 16:26:47]
bin4ry :
i think the c0w will do the job :wink:
[2017-08-10 16:26:59]
bin4ry :
depending on the implementation
[2017-08-10 16:27:07]
bin4ry :
you will need to copy over su and Superuser.apk yourself then
[2017-08-10 16:31:54]
opcode :
Thanks to @bin4ry for the installd help. :slightly_smiling_face:
[2017-08-10 16:38:31]
kilrah :
:heart:
[2017-08-10 16:38:50]
kilrah :
I start wanting one now, must not :sweat_smile:
[2017-08-10 16:39:27]
bin4ry :
i am waiting for updates from @the_lord :smile: :stuck_out_tongue:
[2017-08-10 16:39:43]
opcode :
its really a nice unit, the display is great. i dont get it, why DJI is blocking the installation of other flight apps.
[2017-08-10 16:39:45]
goof :
1000cd 7.85" is looking **very** tempting if rooted :S
[2017-08-10 16:40:38]
bin4ry :
yop
[2017-08-10 16:40:41]
bin4ry :
but still expensive
[2017-08-10 16:41:04]
the_lord :
i'm reading reading reading
i don't want to apply anything i don't understand
[2017-08-10 16:41:09]
bin4ry :
sure ok
[2017-08-10 16:41:14]
bin4ry :
just keep me in the loop
[2017-08-10 16:41:18]
bin4ry :
i am interested which exploit works
[2017-08-10 16:41:24]
bin4ry :
but my bet is on dirtyc0w
[2017-08-10 16:43:15]
opcode :
@the_lord i couldnt get along with dirtycow, tried for hours. so youre not alone. :smile:
[2017-08-10 16:43:46]
kilrah :
what did you root with?
[2017-08-10 16:43:56]
the_lord :
but at least you have root user
[2017-08-10 16:44:01]
opcode :
kingoroot
[2017-08-10 16:44:50]
the_lord :
i'm confused, why did you use kingoroot if you already have root shell?
[2017-08-10 16:48:57]
bin4ry :
he did not have a rootshell before
[2017-08-10 16:52:41]
the_lord :
<https://dji-rev.slack.com/archives/C6K376JGZ/p1502287310829985?thread_ts=1502227801.425465&cid=C6K376JGZ>
[2017-08-10 16:53:13]
the_lord :
i understood it as no exploit was needed
for that i upgraded to latest version
[2017-08-10 16:54:59]
bin4ry :
ok, simple misunderstanding then
[2017-08-10 16:56:58]
opcode :
cant someone with experience put this dirtycow stuff together for the_lord? would be the safest way.
[2017-08-10 16:57:21]
opcode :
as i said, kingoroot worked for me, but installed a lot of crap into my Windows VM:
[2017-08-10 16:57:37]
bin4ry :
he is able to do it himself, i am pretty sure of that, he just wants to understand what he does because that is his way of doing stuff :slightly_smiling_face:
[2017-08-10 16:58:12]
opcode :
great. so, im the noob here. :smile:
[2017-08-10 16:58:25]
bin4ry :
:wink: hehe
[2017-08-10 16:58:29]
bin4ry :
you said that
[2017-08-10 16:59:17]
opcode :
@bin4ry reading into that now <http://opengapps.org/>
[2017-08-10 16:59:22]
opcode :
looks promising
[2017-08-10 17:00:49]
bin4ry :
yes sure, but you need a recovery to install it the way they promote it, or you need to do it manually, which can be done too
[2017-08-10 17:01:34]
opcode :
cant i fire up adb recovery for that?
[2017-08-10 17:02:43]
kilrah :
this kind of stuff on phones needs custom recovery... but there's none for CS
[2017-08-10 17:03:06]
kilrah :
and the stock recovery on CS may be botched/"protected" in who knows what ways by DJI
[2017-08-10 17:03:26]
opcode :
yep, youre right.
[2017-08-10 17:05:13]
bin4ry :
DO NOT BOOT INTO RECOVERY
[2017-08-10 17:05:19]
bin4ry :
we bricked some devices by doing that
[2017-08-10 17:05:25]
bin4ry :
DO NEVER DO IT !!!!!!!!!!!!
[2017-08-10 17:05:47]
bin4ry :
offline for today
[2017-08-10 17:06:18]
opcode :
bye :slightly_smiling_face:
[2017-08-10 17:06:46]
digital1 :
Ohh root
[2017-08-10 17:22:11]
nocommie :
Damn good work guys! I have been holding off getting a CS but now that it is actually useful I may have to.
[2017-08-10 17:40:08]
knorren :
@knorren has joined the channel
[2017-08-10 18:51:10]
triangular :
Fucking awesome. Truly Original Gangsters here!
[2017-08-10 18:54:16]
martinbogo :
Gangsters my ass :slightly_smiling_face:
[2017-08-10 18:54:26]
martinbogo :
Gangsters extort people ... we set data free :slightly_smiling_face:
[2017-08-10 18:54:42]
triangular :
OG
[2017-08-10 19:02:09]
dpitman :
Robin Hood's merry men then ? :stuck_out_tongue:
>Gangsters my ass :slightly_smiling_face:
>Gangsters extort people ... we set data free :slightly_smiling_face:
[2017-08-10 19:02:52]
hostile :
depends on your definition of a gangster I suppose
[2017-08-10 19:03:05]
hostile :
you can be gangster in spirit and have morals as it were
[2017-08-10 19:03:16]
hostile :
sometimes you need to get hostile tho :wink:
[2017-08-10 19:04:08]
hostile :
simple representation of status... in this case
[2017-08-10 19:04:15]
hostile :
OG vs. BG....
[2017-08-10 19:04:20]
hostile :
and wannabes...
[2017-08-10 19:05:14]
hostile :
but lets be honest here... we represent the "black market" of all things DJI 0day related...
[2017-08-10 19:06:49]
triangular :
So is that pilot app something that can be run independently on a phone or tablet, in place of Go?
[2017-08-10 19:07:30]
hostile :
heh let me check...
[2017-08-10 19:07:30]
hostile :
$ adb install djipilot.apk
[ 93%] /data/local/tmp/djipilot.apk
[2017-08-10 19:07:43]
hostile :
djipilot.apk: 1 file pushed. 6.3 MB/s (47486996 bytes in 7.212s)
pkg: /data/local/tmp/djipilot.apk
Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES]
[2017-08-10 19:07:48]
hostile :
let me apk sign it
[2017-08-10 19:12:28]
triangular :
If it can be installed Id like to try it
[2017-08-10 19:14:03]
kilrah :
works here with @bin4ry 's apk, no need to sign
[2017-08-10 19:15:31]
kilrah :
scales very badly on my device's resolution
[2017-08-10 19:16:21]
kilrah :
and it seems pretty shitty... i.e not just DJI go without the editor/social crapware, but more like "noob pilot" version with a lot of aircraft/flight related stuff removed too
[2017-08-10 19:17:21]
triangular :
so the app that comes with CS is limited, less functional than the standard app?
[2017-08-10 19:17:42]
kilrah :
new map provider, mapbox
[2017-08-10 19:17:56]
kilrah :
@triangular it's an ADDITIONAL app, the normal ones are there too
[2017-08-10 19:18:30]
triangular :
oh ok. so the Pilot app is something that runs on top of Go?
[2017-08-10 19:18:46]
kilrah :
no it's just another app...
[2017-08-10 19:19:29]
kilrah :
strange they made yet one more, there's already the P4P+ one that's pretty good
[2017-08-10 19:19:51]
triangular :
whats the purpose of these additional apps, if Go is already there?
[2017-08-10 19:19:54]
dpitman :
they are hailing the Pilot app as the pro's app for control without the bloat.
[2017-08-10 19:20:15]
kilrah :
because lots of people are complaining about the useless crap in GO like editor etc
[2017-08-10 19:21:09]
dpitman :
That includes me. I want a single purpose racecar...errrr. control app. But you're saying the aircraft control is lacking?
[2017-08-10 19:21:30]
triangular :
but if its missing flight related stuff, that doesnt seem very pro to me. It makes sense to have an editor as a separate app, but the piloting app should be fully featured
[2017-08-10 19:25:40]
kilrah :
well it's obviously VERY beta
[2017-08-10 19:26:02]
kilrah :
lots of stuff missing but lots that don't apply to the connected aircraft too, so well
[2017-08-10 19:27:25]
kilrah :
don't think much can be said at this point
[2017-08-10 19:41:01]
digital1 :
It's a very basic app designed for purely flight, no logs, no flight modes no nothing other than video, basic telem and controls, it's what people were asking for
[2017-08-10 19:43:31]
kilrah :
if that's what they think they misunderstood what people want.
[2017-08-10 19:44:43]
kilrah :
what people want is GO4 with only the first "tab" at the bottom. No editor, no skypixel, no "Me" social/store stuff
[2017-08-10 19:45:11]
kilrah :
so flight with all features and logs.
[2017-08-10 19:47:31]
nocommie :
I was able to install the Pilot app on my tablet and run it. Seems ok but definitely still beta. Waypoint planning is disabled. I had to sign in with my DJI account. I imagine the existing patches for Go will not work with Pilot? (login bypass etc)
[2017-08-10 21:37:29]
digital1 :
Trying to copy installd to /system/bin getting message Text file busy ?
[2017-08-11 01:31:48]
fallengod :
Is the crystalsky app more stable than dji go?
[2017-08-11 01:52:16]
dpitman :
The crystalsky comes with 3 apps. Go, Go 4, Pilot. Which one are you referring to?
[2017-08-11 01:54:23]
fallengod :
The pilot one
[2017-08-11 01:54:34]
fallengod :
The one that is stripped down
[2017-08-11 04:03:18]
kilrah :
it's in a state that's so beta I'm even surprised they already include it...
[2017-08-11 04:04:03]
kilrah :
no idea about stability though, didn't fly... but that's because it's barely usable for flying at this point IMO
[2017-08-11 04:26:18]
gregw :
Just installed the DJIPilot.apk from @bin4ry on my Samsung S7... Needs to login, but unfortunately the app scales so badly that the interface buttons are basically blocking everything, so no chance to actually even try flying with it... 2nd @kilrah's comment that what we need is a lightweight app that just has the first tab in DJI Go 4... nothing else...
[2017-08-11 10:38:39]
ender :
@opcode, how do you do that without google play framework ?! At least last when i tried i couldnt make Litchi run on My Moverio BT-300 that also has no Playstore installed. Only hacked versions ran. Would you care to elaborate ?
[2017-08-11 10:39:02]
ender :
is CS also Android 4.4 based ? Or 5.x ?
[2017-08-11 10:42:20]
goof :
5.x IIRC
[2017-08-11 10:45:02]
digital1 :
How are you guys replacing the installd file as in rooted now
[2017-08-11 10:45:08]
goof :
I think the guys mentioned something about trying to get the play store + services on there, but I'm not sure if progress was made...
[2017-08-11 10:45:33]
goof :
I think they were rooting it with kingroot or something like that first
[2017-08-11 10:45:38]
goof :
not sure of the spelling
[2017-08-11 10:46:20]
goof :
have to do it in a VM though, kingroot installs a bunch of crapware onto windows :confused:
[2017-08-11 10:46:51]
goof :
kingoroot*
[2017-08-11 10:54:31]
bin4ry :
what do you mean? you just replace it in /system/bin and take care the file permissions remain the same as before
[2017-08-11 10:54:59]
bin4ry :
@goof yeah install kingoroot in a vm to use it or try dirtyc0w i am pretty sure dirtyc0w works
[2017-08-11 10:58:19]
kilrah :
He mentioned earlier he couldn't because file in use...
[2017-08-11 11:00:02]
bin4ry :
i see, should not be in use if you are not installing anything
[2017-08-11 11:00:43]
bin4ry :
@digital1 how you try to do it? cp installd /system/bin/installd should work :smile:
[2017-08-11 11:07:37]
bin4ry :
so you made it finally ?
[2017-08-11 11:07:40]
bin4ry :
or still not working ?
[2017-08-11 11:08:14]
digital1 :
@bin4ry no I gave up yesterday, will try again later
[2017-08-11 11:08:23]
goof :
`kill <pid> && cp installd /system/bin/installd`? or is that a bash thing....
[2017-08-11 11:08:28]
bin4ry :
do not forget to mount the system partition rw
[2017-08-11 11:08:38]
opcode :
@ender google play service is constantly crashing at the crystalsky at the moment. but i got it working so far, to log in. thats all that was needed to sideload the litchi apk and litchi could check the license. play store is still not working properly, working on it. CS is running Lollipop 5.1.1
[2017-08-11 11:09:07]
bin4ry :
@opcode still the odd could not login error msg? or a different now?
[2017-08-11 11:10:08]
opcode :
no, i could login once. but then the play services keep crashing again.
[2017-08-11 11:10:22]
bin4ry :
maybe post another logcat now
[2017-08-11 11:10:27]
bin4ry :
maybe the error is different now
[2017-08-11 11:10:28]
bin4ry :
:wink:
[2017-08-11 11:10:43]
opcode :
you get pm in a sec :wink:
[2017-08-11 11:15:35]
the_lord :
Unfortunately my HDD is RIP now
I'll be offline until i fix my PC or buy new one
[2017-08-11 11:16:19]
opcode :
:disappointed:
[2017-08-11 11:22:08]
kilrah :
damn
[2017-08-11 11:22:37]
kilrah :
also have a drive that just (logically) failed
[2017-08-11 11:22:47]
digital1 :
@bin4ry so just to confirm this should be it adb shell
su
mount -o rw,remount,rw /system
cp installd/system/bin/installd
[2017-08-11 11:25:38]
bin4ry :
yeah but a space after the first installd
[2017-08-11 11:25:46]
bin4ry :
also check file permission before and after
[2017-08-11 11:30:14]
digital1 :
@bin4ry sorry I'm not big on Linux how you doing that, heading off to google now to see too :face_with_rolling_eyes:,
[2017-08-11 11:30:24]
goof :
`ls -la`
[2017-08-11 11:31:48]
goof :
you want to look at the `root root rwxr----- ... installd` lines
could say something different on the actual device
[2017-08-11 11:32:26]
ender :
@opcode: strange, i did the same thing (installed the magic Google framework / login / service apk’s found in those FireTV & FireTablet threads on the BT-300 and thus got here maps to work as a first on BT-300 but Litchi still refuses. I am in contact with the Litchi guys complaining that people now need hacked versions on legit devices and they consider putting it up on Amazon App store as that works fine on many non-google-play devices… Could you detail which versions you installed ?
[2017-08-11 11:35:01]
ender :
These have been the magic ones for the Fire Tablet guys:
[2017-08-11 11:35:02]
ender :
- Google Services Framework, 4.4.4-1227136
- Google Play Services, 10.0.84 (036-13749526)
- Google Account Manager, 4.4.4-1227136
- Google Play Store, 7.2.13.J-all [0] [PR] 138561921
[2017-08-11 11:35:33]
ender :
using those i can login fine to google and after that i can transfer & use my bought apks but can not use play store or run Litchi…
[2017-08-11 11:35:53]
ender :
Well, maybe i have to retry, which build of Litchi do you run, maybe they changed licensing ?!
[2017-08-11 11:35:57]
opcode :
@ender framework, account manager, and play store are not so critical. play service is the thing. try to find here the right version depending on android version, architecture etc
[2017-08-11 11:36:05]
ender :
yup
[2017-08-11 11:36:05]
opcode :
<http://www.apkmirror.com/apk/google-inc/google-play-services/>
[2017-08-11 11:36:37]
ender :
i tried them all i guess :-) Many swear the others ARE important as well and the ORDER in which installing. So which version did you use ?
[2017-08-11 11:37:36]
bin4ry :
found this in the settings apk
[2017-08-11 11:37:49]
bin4ry :
so some of them might be different than on the device
[2017-08-11 11:37:56]
bin4ry :
and enable some features
[2017-08-11 11:46:08]
opcode :
@ender play service 8.4.89 (230), store 6.2.10.A-all, account 4.4.4-1227136, framework 4.4.4-1227136
[2017-08-11 11:46:35]
bin4ry :
this are set in the build.prop under /system
[2017-08-11 11:46:43]
bin4ry :
i mean the variables i found
[2017-08-11 11:46:56]
ender :
ooold, didnt think they run on lollipop…gotta try later, thx
[2017-08-11 11:47:41]
bin4ry :
@ender we try to get the settings open, you will need to go through the user account once
[2017-08-11 11:47:45]
bin4ry :
to let playstore work properly
[2017-08-11 11:47:49]
bin4ry :
i think that is the issue here
[2017-08-11 11:47:56]
bin4ry :
opcode tests the new build.prop
[2017-08-11 11:48:02]
bin4ry :
if it works i'll post it here too
[2017-08-11 11:48:17]
bin4ry :
but not so much changed, only the dji settings from false to ture :wink:
[2017-08-11 11:48:20]
bin4ry :
*true
[2017-08-11 11:52:32]
opcode :
works!
[2017-08-11 11:53:05]
bin4ry :
this is the build.prop you need
[2017-08-11 11:58:21]
bin4ry :
<http://dji.retroroms.info/howto/crystalsky>
[2017-08-11 11:58:34]
bin4ry :
please add more info
[2017-08-11 11:58:46]
bin4ry :
i just added some info there now to start off
[2017-08-11 12:24:17]
bin4ry :
what i think regarding google apps
[2017-08-11 12:24:29]
ender :
You probably all know but for other readers, be 100% about what you do with the build.prop (contents & file permissions & name) otherwise you can easily have a very expensive brick…
[2017-08-11 12:24:52]
bin4ry :
once rooted you should install <https://flashfire.chainfire.eu/>
[2017-08-11 12:25:10]
bin4ry :
with this you can install the Google App 5.0 Nano package from here: <http://opengapps.org/>
[2017-08-11 12:25:49]
bin4ry :
if the app asks anything about recovery DO NOT USE recovery, as you most likely don't have one we can use, we have DJI drones stuck in recovery, we don't want this here. So keep away from recovery
[2017-08-11 12:26:05]
bin4ry :
i think this GApps "flashing" will give you a fully working Gapps
[2017-08-11 12:26:25]
bin4ry :
@ender regarding the build.prop. You can edit the wiki too :wink:
[2017-08-11 12:26:36]
goof :
might pay to block network on the windows VM running kingoroot, in the past they've been stealing IMEIs and other info: <https://forum.xda-developers.com/general/general/kingo-root-steals-imei-t3268525>
[2017-08-11 12:27:28]
bin4ry :
please add this info to the wiki
[2017-08-11 12:27:29]
ender :
of course, but i have no real business in the CS, also dont have one and wouldn’t buy one unless threatened with a firearm :slightly_smiling_face: Was just drawn here by the pilot app and your Litchi news as i fight a similar fight on the Moverios :slightly_smiling_face:
[2017-08-11 12:27:51]
bin4ry :
@ender doesn't mean you cannot add crucial info to the wiki :stuck_out_tongue: :stuck_out_tongue:
[2017-08-11 12:28:15]
ender :
yeah, kingo & king root are always a last resort, only run it on my “designed to be deleted” VM :slightly_smiling_face:
[2017-08-11 12:28:25]
ender :
yes bin4ry :slightly_smiling_face:
[2017-08-11 12:28:27]
goof :
to be fair it could also be installing something on the android side to send it home..... we really need for someone with a CS to work out which exploit it uses and just use that
Kingoroot seems rather.... nefarious.... as hostile alluded to a day or two ago
[2017-08-11 12:28:37]
bin4ry :
yeah ...
[2017-08-11 12:28:41]
bin4ry :
send me one and i will do it
[2017-08-11 12:28:42]
bin4ry :
:smile:
[2017-08-11 12:28:43]
ender :
@goof: it DOES install crap on the Android side.
[2017-08-11 12:28:46]
goof :
xD
[2017-08-11 12:28:58]
ender :
So first step is always to replace with chainfire SU and got rid of the leftovers
[2017-08-11 12:29:04]
goof :
nice
[2017-08-11 12:29:06]
bin4ry :
yep
[2017-08-11 12:29:14]
bin4ry :
i am pretty sure dirtyc0w will work
[2017-08-11 12:29:30]
bin4ry :
but opcode had problems to follow it
[2017-08-11 12:29:34]
bin4ry :
and i don't have a device
[2017-08-11 12:29:51]
goof :
is there any way to run the CS OS in a VM and try this?
[2017-08-11 12:29:57]
ender :
Just as an advice: may look for the FireTV & FireTablet & FirePhone guys as they have similar troubles (google framework, build.prop, …)
[2017-08-11 12:30:09]
bin4ry :
nope sadly not
[2017-08-11 12:30:15]
bin4ry :
yes firetv guides may come in handy
[2017-08-11 12:30:31]
bin4ry :
but the fire-flash from chainfire should take care of the gapps install
[2017-08-11 12:30:41]
bin4ry :
so you can just "flash" openGapps for lollipop
[2017-08-11 12:30:42]
ender :
Is there no nandroid backup for CS ? Recovery is a nogo i heard but via ADB ?!
[2017-08-11 12:30:50]
bin4ry :
i have a system dump
[2017-08-11 12:30:55]
bin4ry :
done through dd
[2017-08-11 12:31:10]
bin4ry :
thats what i've been using to deodex
[2017-08-11 12:31:15]
bin4ry :
and stuff
[2017-08-11 12:31:16]
bin4ry :
:smile:
[2017-08-11 12:31:16]
bin4ry :
...
[2017-08-11 12:31:17]
ender :
dd is a reliable friend :slightly_smiling_face:
[2017-08-11 12:32:06]
ender :
But TWRP would’ve been luxury :slightly_smiling_face:
[2017-08-11 12:32:20]
bin4ry :
this is a rk device
[2017-08-11 12:32:28]
bin4ry :
so basically it should be possible to do that
[2017-08-11 12:32:33]
bin4ry :
but we don't know much about the device yet
[2017-08-11 12:32:52]
bin4ry :
i would need one to make the recovery and play with it
[2017-08-11 12:33:01]
bin4ry :
or someone else who is used to do such stuff
[2017-08-11 12:33:10]
bin4ry :
but for now
[2017-08-11 12:33:12]
ender :
rk is usually open as a cow fence but to risk the $$$ CS :slightly_smiling_face:
[2017-08-11 12:33:17]
bin4ry :
root and flashfire should be enough
[2017-08-11 12:33:34]
bin4ry :
rk is problematic crap tbh
[2017-08-11 12:33:36]
bin4ry :
:wink:
[2017-08-11 12:34:04]
ender :
yes, never kept a RK device long enough except the Tablets for the Kids :slightly_smiling_face:
[2017-08-11 12:34:21]
bin4ry :
i did some android bringup in rk devices before
[2017-08-11 12:34:39]
bin4ry :
professional = paid
[2017-08-11 12:34:44]
bin4ry :
hard to work with them
[2017-08-11 12:34:48]
goof :
more fun times with kingo: <https://forum.xda-developers.com/fire-tv/general/psa-kingoroot-exploit-users-major-t3502824>
may or may not be relevant today
[2017-08-11 12:34:48]
bin4ry :
they don't give you much to work with
[2017-08-11 12:35:22]
bin4ry :
@goof could you add this as a warning to the wiki page ?
[2017-08-11 12:35:40]
goof :
TL;DR something kingoroot related was using up his entire inode table, preventing new file creation
[2017-08-11 12:35:54]
goof :
I'll create an account and see what I can do
[2017-08-11 12:35:58]
bin4ry :
thx
[2017-08-11 12:37:30]
ender :
ouch, thx for sharing goof, more proof to go the chainfire way as soon as kingo /king opened the gate
[2017-08-11 12:37:56]
bin4ry :
chainfire way ?
[2017-08-11 12:38:04]
bin4ry :
what is a chainfire way ? :smile:
[2017-08-11 12:38:12]
bin4ry :
or do you mean chainfires su ?
[2017-08-11 12:38:22]
ender :
yes
[2017-08-11 12:38:24]
bin4ry :
ah ok
[2017-08-11 12:38:26]
bin4ry :
yeah
[2017-08-11 12:38:28]
goof :
haha several posts down in that thread: `"Never attribute to malice that which is adequately explained by stupidity" - Hanlon's razor`
hopefully applies to the current Tinker situation with DJI....
[2017-08-11 12:38:49]
ender :
lots of websites explain how to remove king(o) stuff and replace by cf su, of course changing with revisions
[2017-08-11 12:39:02]
bin4ry :
yeah i would love to get my hands on the crystalsky
[2017-08-11 12:39:09]
bin4ry :
and make a proper root
[2017-08-11 12:39:29]
bin4ry :
but maybe @the_lord will come up with a working way sooner or later
[2017-08-11 12:39:34]
bin4ry :
he has hands on
[2017-08-11 12:39:59]
ender :
you should do that on the BT-300, worth the trouble, not just a hilariously priced Rk Tablet with 3 times the LED power :slightly_smiling_face:
[2017-08-11 12:40:21]
bin4ry :
what is BT-300 ?
[2017-08-11 12:40:52]
ender :
EPSON Moverio BT-300: Goggles that solve the FPV vs. LOS Law that we have to obey…
[2017-08-11 12:40:58]
ender :
No root until now…
[2017-08-11 12:41:23]
ender :
Could send you mine for a week or two if you feel optimistic :slightly_smiling_face:
[2017-08-11 12:41:43]
kilrah :
BT300 are much more of a waste of money than a CS IMO :smile:
[2017-08-11 12:41:54]
ender :
thats called opinion :slightly_smiling_face:
[2017-08-11 12:42:00]
ender :
But i got the message & shutup
[2017-08-11 12:42:02]
bin4ry :
lol @ epson
[2017-08-11 12:42:05]
hostile :
@goof "hopefully applies to the current Tinker situation with DJI...." if they weren't Chinese... and if they weren't using other Tencent stuff (and if Wechat censorship wasn't a thing... I'd agree" but it LOOKS awful no matter how you slice it
[2017-08-11 12:42:12]
bin4ry :
The Moverio BT-300 contains the state-of-the-art, silicone ("Silikon") based OLED technology
[2017-08-11 12:42:20]
bin4ry :
Silikon?
[2017-08-11 12:42:30]
bin4ry :
maybe around it but not based on it
[2017-08-11 12:42:38]
ender :
Kraut !
[2017-08-11 12:42:40]
bin4ry :
sorry for german but could not translate this
[2017-08-11 12:42:42]
bin4ry :
:wink:
[2017-08-11 12:42:53]
ender :
silikon = 99% of Dolly Buster :wink:
[2017-08-11 12:42:58]
bin4ry :
:smile:
[2017-08-11 12:43:05]
bin4ry :
typical error
[2017-08-11 12:43:21]
hostile :
Dolly Parton? Silicone?
[2017-08-11 12:43:27]
bin4ry :
you can send it to me if you don't mind me bricking it, since there is the risk of that :smiley: so i would say maybe better not
[2017-08-11 12:43:31]
bin4ry :
yeah silicone
[2017-08-11 12:43:31]
ender :
same type different business :slightly_smiling_face:
[2017-08-11 12:43:37]
bin4ry :
they write
[2017-08-11 12:43:54]
bin4ry :
the Moverio BT-300 includes modern on silicone based OLED-technology
[2017-08-11 12:44:02]
ender :
in short there are two DLP Projectors producing a stereo HUD
[2017-08-11 12:44:05]
ender :
haha
[2017-08-11 12:44:08]
hostile :
^--- Dolly Parton
[2017-08-11 12:44:29]
kilrah :
lool
[2017-08-11 12:44:37]
ender :
<http://www.wz.de/polopoly_fs/1.84556.1289909325!/httpImage/onlineImage.jpg_gen/derivatives/landscape_550/onlineImage.jpg>
[2017-08-11 12:44:38]
hostile :
LOLOL
[2017-08-11 12:44:41]
ender :
Dolly the buster
[2017-08-11 12:44:42]
kilrah :
i still have a bt200 laying around somewhere, need to sell the thing
[2017-08-11 12:45:11]
ender :
Well dont build your BT-300 opinion on the BT-200, had the BT-200 for 2 days, still too long :slightly_smiling_face:
[2017-08-11 12:45:25]
goof :
100% agree, but a man can hope :stuck_out_tongue:
[2017-08-11 12:45:40]
bin4ry :
so the oled are basically based on dollys ?
[2017-08-11 12:45:43]
kilrah :
well same principle
[2017-08-11 12:45:45]
bin4ry :
:smiley:
[2017-08-11 12:46:03]
kilrah :
don't see anything I could make use of them for - especially not flying DJI things :slightly_smiling_face:
[2017-08-11 12:46:23]
ender :
More on topic, on contributing to the WiKi: i need a login, right ? (On another notice, its already pretty clear what to do not to f*ck up the build prop, would only add a severe warning)
[2017-08-11 12:46:39]
bin4ry :
yeah you need to register on the top right site
[2017-08-11 12:46:54]
bin4ry :
i only made a small writeup of the actual situation
[2017-08-11 12:46:59]
bin4ry :
there is much info missing
[2017-08-11 12:47:22]
ender :
@kilrah: bt-200 are too slow, couldnt even handle dobby 320x200 stream :slightly_smiling_face: BT-300 is a different story. I would buy a next version with larger FOV in a microsecond, only grief…
[2017-08-11 12:48:10]
goof :
@bin4ry added a wiki clause warning of kingoroot's past activities
[2017-08-11 12:48:32]
bin4ry :
thank you
[2017-08-11 12:50:00]
kilrah :
Yeah I just don't find that type of display appropriate for any existing application
[2017-08-11 12:50:41]
kilrah :
would be nice for AR stuff, but Epson are too stupid to put hardware in that can actually do that with any decency, so well
[2017-08-11 12:52:15]
ender :
Chipset isn’t too shabby but i agree they are half hearted. But as i like FPV and at least try to follow the law at times its the **only** goggles option.
[2017-08-11 12:53:45]
ender :
EPSON sent me $100 of free stuff after i published the here maps workaround for DJI go, so they are desperate to get into the market but they get no $$$ for Marketing. And no resources for developing killer apps themselves…
[2017-08-11 12:55:14]
bin4ry :
which here maps workaround?
[2017-08-11 12:55:23]
bin4ry :
here maps not working anymore?
[2017-08-11 12:56:44]
bin4ry :
btw, i think i accidentally found a way to make gmaps for self-signed apps
[2017-08-11 12:56:45]
ender :
here maps require google stuff to be installed. Wasnt there on the Moverio, hence my interest in the FireTV solutions to get Google Framework stuff running…
[2017-08-11 12:56:57]
bin4ry :
ah i see, cool
[2017-08-11 12:57:28]
bin4ry :
in the google framework you can disable the signature against apikey check of google maps
[2017-08-11 12:57:37]
bin4ry :
so "all" you need to do is crack the framework
[2017-08-11 12:57:37]
ender :
nice!
[2017-08-11 12:59:22]
bin4ry :
but how did one read so often
[2017-08-11 12:59:37]
bin4ry :
the implementation is to be done by the educated reader itself :smile:
[2017-08-11 12:59:39]
bin4ry :
or smth like this
[2017-08-11 12:59:40]
bin4ry :
lol
[2017-08-11 13:01:45]
ender :
…added some more warning about build.prop tinkering to the Wiki…
[2017-08-11 13:02:35]
bin4ry :
thx :smiley:
[2017-08-11 13:24:25]
triangular :
oh you guys talking about the BT-300. I have a set, its pretty nice.
[2017-08-11 13:26:16]
triangular :
only slightly more awkward than regular shades. solves the problem of bright sun on a screen display, and its the perfect hybrid between fpv and los vision.
[2017-08-11 13:28:34]
triangular :
Android 5.1 with no Play store or google services, but it has wifi and you can side load. the modded apk works fine. great display.
[2017-08-11 14:35:48]
kilrah :
display on the 200 doesn't work well for me either so I doubt the 300 would - my eyes are too close to each other, would literally have to cut them, remove 5mm of material, and glue again
[2017-08-11 14:41:05]
ender :
@kilrah: yes, the interpupillary distance is a problem, i only differ 2mm from Standard so its okay. People who differ more can get prismatic correctional lenses (either hilariously expensive from Rochester Optics OR you find an educated expert nearby and can get it below $100 locally) thats a grief…
[2017-08-11 14:41:51]
triangular :
@kilrah theres no interpupillary adjustment, thats true, but neither is there on the DJI Goggles. If you wear glasses there is a company Rochester Optical who makes custom prescription frames for the BT300 that include your pupillary measurement to correct for a perfect image. For me though, its fine. I think it is shifted only just slightly to the left, but I can still see the edges clearly through both eyes. Im impressed with the BT300, its a great display and takes external shades if you need them in brighter sunlight.
[2017-08-11 14:42:26]
kilrah :
There is on the DJI goggles... and they work perfect for me :slightly_smiling_face:
[2017-08-11 14:42:52]
ender :
only a very small FOV if you are used to fully immersive Goggles but thats okay for me…
[2017-08-11 14:43:43]
ender :
I agree that it makes no sense, but nevertheless its there :disappointed:
[2017-08-11 14:43:59]
triangular :
oh, my mistake then, i didnt think there was. Ive heard lots of complaints from people wearing glasses with the DJI Goggles. Anyway, the BT300 is more expensive but I think its a better deal for some. Its much smaller for sure, and I prefer it over having a completely isolated fpv vision. I like being able to see peripherally and keep environmental awareness with BT300.
[2017-08-11 14:45:15]
ender :
yup, like that as well, always used to shortly lift my Headplay goggles to peek at the real world and for takeoff & landing. Those times are over now…
[2017-08-11 14:45:39]
ender :
And you dont look like a freak anymore, ppl dont get nervous… :wink:
[2017-08-11 14:45:52]
triangular :
haha thats true
[2017-08-11 14:46:24]
ender :
Well enough of that from me regarding that topic, got carried away, its the CS_root channel :wink:
[2017-08-11 14:47:49]
kilrah :
unless you're also never flying your aircraft beyond 2-300m you're still an outlaw anyway, so...
[2017-08-11 15:49:07]
ender :
I know and i am… What i did once is to pretend that i see the drone When a guy asked me, holding back full throttle while talking to him until he was also able to see it :wink:
[2017-08-11 15:54:20]
bin4ry :
:slightly_smiling_face:
[2017-08-11 15:54:27]
bin4ry :
we made it :smile:
[2017-08-11 15:54:52]
ender :
very cool, what was the magic trick ?
[2017-08-11 15:55:25]
bin4ry :
we used opengapps
[2017-08-11 15:55:32]
bin4ry :
and fireflash to install it without recovery
[2017-08-11 15:55:43]
ender :
ah yes, you’re rooted which i am not on the BT-300, arghh
[2017-08-11 15:55:45]
bin4ry :
opcode will document it to the wiki
[2017-08-11 15:55:54]
hostile :
@bin4ry did you see this ? <https://dji-rev.slack.com/archives/C60LBFP9Q/p1502390853818992>
[2017-08-11 15:56:01]
hostile :
this could be useful for you
[2017-08-11 15:56:06]
bin4ry :
i saw thx @hostile
[2017-08-11 15:56:46]
kilrah :
@opcode is that the 1000 or 2000nit CS?
[2017-08-11 15:56:51]
opcode :
1000
[2017-08-11 15:57:10]
opcode :
2000 was never seen till now
[2017-08-11 15:57:18]
kilrah :
looks a little washed out like if they cheated a little on the gamma to get their rating
[2017-08-11 15:57:28]
opcode :
i ordered the 2000, but after 10 weeks of waiting i switched over to the 1000
[2017-08-11 15:57:34]
kilrah :
wow lol
[2017-08-11 15:57:40]
opcode :
no, pic taken with iphone 6
[2017-08-11 15:57:48]
opcode :
and downsized
[2017-08-11 15:58:16]
kilrah :
ok
[2017-08-11 15:58:30]
opcode :
its really top qulity display
[2017-08-11 15:58:36]
opcode :
*quality
[2017-08-11 15:59:35]
kilrah :
cool
[2017-08-11 16:08:39]
kilrah :
LOL, always have that in mind too
[2017-08-11 16:11:48]
triangular :
what is the resolution on the 2 CS models?
[2017-08-11 16:12:25]
kilrah :
written on the specs page
[2017-08-11 16:12:32]
triangular :
yeah... i guess so... haha ok
[2017-08-11 16:13:24]
opcode :
2048x1536, 320dpi, 60hz
[2017-08-11 16:13:42]
triangular :
thanks. This is all I needed, something else to be tempted to buy
[2017-08-11 16:13:44]
kilrah :
small one is 1920x1080
[2017-08-11 16:15:55]
goof :
if it proves to be more reliable + faster than the iPad I might have to get one
it's already brighter
[2017-08-11 16:16:00]
triangular :
small is only about as big as a phone. that is the perfect push to go for the 7.85"
[2017-08-11 16:16:20]
goof :
especially if litchi + mapsmadeeasy / pix4d work well on it
[2017-08-11 16:17:24]
triangular :
yeah the only thing still limiting to me is no hdmi or video input as an external monitor. I hear there is supposed to be a dongle adapter.
[2017-08-11 16:17:54]
opcode :
yes, 2 x sdi in, 2 x hdmi in adapter is in the making.
[2017-08-11 16:18:22]
kilrah :
yum
[2017-08-11 16:18:40]
triangular :
i wonder how well thats going to work. but rooting with google services is now beginning to look more worth the price
[2017-08-11 16:19:17]
triangular :
i look forward to seeing this process well documented in the wiki
[2017-08-11 16:58:49]
opcode :
CrystalSky Wiki updated
[2017-08-11 17:07:36]
digital1 :
Link ?
[2017-08-11 17:08:14]
opcode :
<http://dji.retroroms.info/howto/crystalsky>
[2017-08-11 17:24:24]
digital1 :
How can we figure out what root was used ?
[2017-08-11 17:26:48]
hostile :
@digital1 as I understand Kingroot... it checks your android version.. . then talks to its server... then gets a list of exploits to try, and then uses em
[2017-08-11 17:26:58]
hostile :
maybe sniff the exploit selection traffic
[2017-08-11 17:32:58]
digital1 :
Interesting <https://forum.xda-developers.com/general/general/kingo-root-steals-imei-t3268525>
[2017-08-11 17:33:17]
digital1 :
Info on finding what it's done, sniff USB traffic.
[2017-08-11 17:40:01]
hostile :
in good company with DJI Go App then :wink:
[2017-08-11 17:45:49]
kilrah :
LOL
[2017-08-11 17:46:26]
kilrah :
damn, hurts to think that the 3 wiring harnesses I've made today are worth more than a 7.8" CS... each :confused:
[2017-08-11 17:48:58]
digital1 :
Should have read first :face_with_rolling_eyes:
[2017-08-11 17:54:15]
opcode :
We need someone with knowledge check out DirtyCow to get a safer root solution.
[2017-08-11 18:53:19]
bin4ry :
<https://twitter.com/Bin4ryDigit/status/896081597421690880>
[2017-08-11 18:53:21]
bin4ry :
:smile:
[2017-08-11 19:02:47]
bin4ry :
someone savage enough to post this here: <https://forum.dji.com/thread-103078-1-1.html> :smile: :smile:
[2017-08-11 19:08:19]
hostile :
someone call for a savage?
[2017-08-11 19:10:20]
hostile :
<https://forum.dji.com/forum.php?mod=redirect&goto=findpost&ptid=103078&pid=908906&fromuid=23450>
[2017-08-11 19:11:20]
hostile :
@bin4ry run Litchi on it...
[2017-08-11 19:11:22]
hostile :
take screen shot
[2017-08-11 19:11:26]
hostile :
watch heads explode
[2017-08-11 19:11:50]
opcode :
Was thinking about posting my pics @ dji forum :smile:
[2017-08-11 19:14:25]
bin4ry :
Do it
[2017-08-11 19:17:57]
ender :
better post screenshots to wiki and i can post a link to it.
[2017-08-11 19:18:17]
ender :
looks much more harmless at first and when dji deletes the post people can still remember the link+
[2017-08-11 19:18:35]
ender :
i dont care zero fucks for dji forum, so why not
[2017-08-11 19:20:56]
hostile :
I posted pix above btw... on their forum
[2017-08-11 19:21:03]
opcode :
Haha
[2017-08-11 19:21:27]
ender :
haha
[2017-08-11 19:21:50]
ender :
its still valid what i said, the link is easier to remember when dji deletes stuff…
[2017-08-11 19:22:45]
opcode :
Mod the Falun Gong Logo in the CS Boot Logo and take video while booting? :thinking_face:
[2017-08-11 19:23:07]
ender :
added link :slightly_smiling_face:
[2017-08-11 19:23:25]
hostile :
LOLOLOLOLOL
[2017-08-11 19:24:03]
hostile :
I do think Falun Gong trolling of DJI is hilarious FWIW
[2017-08-11 19:24:41]
ender :
i wonder if they just delete the posts or also throw me out :slightly_smiling_face:
[2017-08-11 19:25:18]
ender :
(Me just being a naive “oh look its there” Minion, no OG like fans9c860586 :wink: )
[2017-08-11 19:26:55]
kilrah :
"yesss finally crystalsky becomes interesting" :smile:
[2017-08-11 19:27:35]
hostile :
=]
[2017-08-11 19:28:06]
opcode :
Amazing .... :smile:
[2017-08-11 19:29:20]
ender :
kilrah: why oh why ? Still amazingly overpriced and **now** catching up to functionality of outdated Lollipop Tablet :stuck_out_tongue:
[2017-08-11 19:29:29]
ender :
It IS amazing :stuck_out_tongue:
[2017-08-11 19:29:32]
ender :
haha
[2017-08-11 19:30:40]
ender :
Damn, need to put some resources into rooting my darn BT-300 (other reasons than DJI GO). But i am really afraid to brick it …
[2017-08-11 19:30:56]
ender :
@hostile : you are aware that that is MY posting, right ? :wink:
[2017-08-11 19:31:09]
hostile :
indeed
[2017-08-11 19:31:18]
hostile :
not everyone likes to click links and such
[2017-08-11 19:31:20]
ender :
haha, okay…
[2017-08-11 19:31:24]
hostile :
makes it easier to eyeball and chuckle =]
[2017-08-11 19:31:36]
ender :
Its slow, i would have expected 1 minute reaction time of either Users or admins
[2017-08-11 19:31:52]
ender :
Bad censorship, makes me sad :slightly_smiling_face:
[2017-08-11 19:32:45]
kilrah :
middle of the night there, and I doubt they'd trust anyone in other TZs with their forum :stuck_out_tongue:
[2017-08-11 19:33:07]
ender :
i would at least have a bot watching for strings like redherring, root, modder, retroroms, whatnot…
[2017-08-12 09:41:44]
bin4ry :
Goapp is exactly the same as you can download on play. So ...
[2017-08-12 09:43:56]
opcode :
what is /system/bin/fxload_dji ?
[2017-08-12 09:44:00]
opcode :
Usage: fxload [-v] [-V] [-t type] [-d vid:pid] [-p bus,addr] -i firmware
-i <path> -- Firmware to upload
-t <type> -- Target type: an21, fx, fx2, fx2lp, fx3
-d <vid:pid> -- Target device, as an USB VID:PID
-p <bus,addr> -- Target device, as a libusb bus number and device address path
-v -- Increase verbosity
-q -- Decrease verbosity (silent mode)
-V -- Print program version
[2017-08-12 09:44:02]
opcode :
any idea?
[2017-08-12 15:17:48]
the_lord :
@opcode fxload is used to upgrade non-Linux boards over USB
[2017-08-12 16:29:08]
opcode :
@the_lord thanks. wonder what thats doing on the Crystalsky.
[2017-08-12 16:30:14]
the_lord :
as you know DJI keep using their old code so it could be from other devices just like P4P+ code :wink:
[2017-08-12 17:39:36]
opcode :
Hehe, yes. Did you make progress on rooting your P4P+ ?
[2017-08-12 17:48:08]
the_lord :
i tried several methods including dirtycow run-as with no success
[2017-08-12 17:48:48]
the_lord :
i'm preparing NDK build environment to be able to compile several other dirtycow methods
[2017-08-12 18:35:06]
opcode :
Yeah, there are a lot of DirtyCow variants around. Wonder, where this kingoroot crap pulls the known exploits from.
[2017-08-12 19:26:10]
golumn69 :
Has anyone come up with a way of reinstalling a fw image ?
[2017-08-12 19:48:33]
opcode :
You mean reinstalling the whole rom? Not yet.
[2017-08-14 16:47:10]
kilrah :
nice
[2017-08-14 17:33:46]
golumn69 :
Any more info on the root method ?
[2017-08-14 17:38:52]
opcode :
@golumn69 <http://dji.retroroms.info/howto/crystalsky>
[2017-08-14 17:59:21]
the_lord :
i managed to use kingoroot without installing any crap by extracting the needed files from the installer and pulled the files kingo root used to root the screen
[2017-08-14 17:59:41]
the_lord :
now i'm trying to root it manually without kingoroot
[2017-08-14 18:14:14]
opcode :
@the_lord Great! Good Luck! A safe way for rooting CS is really needed.
[2017-08-14 18:15:31]
opcode :
There are also tools available to switch to SuperSU from Kingoroot. I linked it in the wiki.
[2017-08-14 19:08:53]
the_lord :
ok now i can root the P4P+ builtin screen anytime i want without using kingoroot :smile:
[2017-08-14 19:09:19]
the_lord :
the good thing is the root is not persistent and doesn't install anything to the screen
[2017-08-14 19:10:08]
hostile :
which exploit did it?
[2017-08-14 19:10:14]
hostile :
CVE #?
[2017-08-14 19:10:36]
the_lord :
kingoroot name it "rootkit_baka"
[2017-08-14 19:11:16]
the_lord :
of course kingoroot installs a lot of garbage files
[2017-08-14 19:19:06]
the_lord :
i'll make small script for rooting the P4P+ screen
[2017-08-14 21:17:10]
golumn69 :
Ohh any chance there can be an app that roots and removes the 3rd party limitation in one hit based on this , that would be cool.
[2017-08-14 21:17:28]
the_lord :
yes i'm working on it :wink:
[2017-08-14 21:17:45]
the_lord :
not an app but a script
[2017-08-14 21:18:19]
the_lord :
but i'm working on P4P+ screen not a CS
[2017-08-14 21:18:32]
the_lord :
i'm not sure if its exactly the same or not
[2017-08-14 21:22:22]
hostile :
" in one hit" lol these fucking one hit wonder dreams
[2017-08-14 21:22:37]
hostile :
the answer should be a **no** out of mere principle
[2017-08-14 21:23:00]
hostile :
if you have to ask that question... and can't code that "all in one"... welllllllll lol "NO"!
[2017-08-14 21:26:04]
golumn69 :
Ok then based on what you have posted about kingoroot one that is not going to steal all your data :wink:
[2017-08-14 21:27:02]
the_lord :
although i stripped kingoroot before using it, still after rooting the screen was not stable and keeps freezing
[2017-08-14 21:27:40]
the_lord :
BTW this screen is brand new and never been used LOL
[2017-08-14 21:29:46]
opcode :
@the_lord change from kingoroot to supersu?
[2017-08-14 21:30:34]
opcode :
<https://s3-us-west-2.amazonaws.com/supersu/download/zip/SuperSU-v2.79-20161205182033.apk>
[2017-08-14 21:30:49]
the_lord :
currently i'm able to root it manually without kingoroot windows application and i'll replace kingouser.apk with SuperSU.apk :wink:
[2017-08-14 21:31:16]
opcode :
Great. Is your screen android 5.1.1?
[2017-08-14 21:31:43]
the_lord :
yes
[2017-08-14 21:32:16]
opcode :
Hmm. Why is it not stable? Crashing apps?
[2017-08-14 21:33:43]
the_lord :
if rooting with kingoroot windows app and leave it until the screen saver starts, adb shell freezes and the screen itself doesn't respond till i turn it off/on
[2017-08-14 21:34:03]
the_lord :
i'm sure its because of the kingouser.apk
[2017-08-14 21:34:14]
digital1 :
@the_lord any idea what crap Kingoroot has installed on mine that I rooted with the of app :face_with_rolling_eyes:
[2017-08-14 21:35:16]
opcode :
Strange. Kingoroot never installed anything to my CS. Checked the whole system.
[2017-08-14 21:36:03]
the_lord :
maybe because i rooted mine 100 times :smile:
[2017-08-14 21:36:24]
opcode :
:smile:
[2017-08-14 21:36:59]
the_lord :
which better make script to root it temporary or make the root persistent ?
[2017-08-14 21:37:35]
opcode :
I think it wasn't able to install anything, until I changed the installd. Then I installed supersu as first mover.
[2017-08-14 21:38:15]
opcode :
Hmm. Why not permanent root?
[2017-08-14 21:38:31]
the_lord :
i didn't replace installd but it could install an application once
[2017-08-14 21:38:54]
the_lord :
i feel not permanent is more safe
[2017-08-14 21:38:54]
digital1 :
I still have not been able to do the installd, sorry was getting text file busy but don't fully understand how to check permissions :upside_down_face:
[2017-08-14 21:39:38]
opcode :
@digital1 use the ll command in the shell
[2017-08-14 21:39:57]
digital1 :
If you can change installd on script it don't need to be permanent imo
[2017-08-14 21:41:01]
the_lord :
this is what i'm thinking of
[2017-08-14 21:41:47]
opcode :
I think there are some differences in the ROMs of CS and P4P+
[2017-08-14 21:42:39]
digital1 :
@opcode sorry the problem is I don't fully understand what it means to check permissions and what to do, I'm still trying to understand this stuff, got to file swap then hit that wall with the busy error, I will try to mount again and transfer over installd in a minute but that's where I am lost sorry.
[2017-08-14 21:44:03]
opcode :
Be careful with installd swapping. This can brick your CS.
[2017-08-14 21:45:30]
digital1 :
This is why I stopped.
[2017-08-14 21:46:03]
opcode :
@digital1 <https://forum.xda-developers.com/galaxy-s2/general/guide-noob-guide-to-set-file-permissions-t1857648>
[2017-08-14 21:46:32]
digital1 :
@opcode :+1::+1::+1:
[2017-08-14 21:47:30]
opcode :
Correct file permissions are essential! :blush:
[2017-08-14 21:50:36]
digital1 :
Ok understand now, So to be sure, should check current permissions of installd, swap then set to same as original
[2017-08-14 21:51:51]
opcode :
Yep. Then reboot
[2017-08-14 21:55:35]
digital1 :
:+1:I think I'd like that a script lol too
[2017-08-14 21:57:21]
opcode :
Noooo. Help yourself and learn something. :blush:
[2017-08-15 00:43:10]
hostile :
@digital1 "hit that wall with the busy error" kill the running process first...
[2017-08-15 00:43:23]
hostile :
the file is busy, because the process is running still, and it is being used.
[2017-08-15 00:43:35]
hostile :
you can't delete / replace a binary that is actively running so to speak
[2017-08-15 13:57:26]
the_lord :
guys how could you replace the installd file? every time i kill its process it starts again
i even tried kill PID && cp installd /system/bin/installd && chmod 755 /system/bin/installd with no success
[2017-08-15 14:00:55]
hostile :
"stop installd"
[2017-08-21 16:09:39]
opcode :
New Version for CS 7.85 is available. If you like to play around : <http://mydjiflight.dji.com/file/links/ZSB90_20170817>
[2017-08-21 16:10:07]
opcode :
1. Added availability of battery usage status on the battery page of Quick Settings.
2. Optimized Quick Settings menu and some logos on the page.
3. Optimized compass calibration program.
4. Optimized Wi-Fi connection performance through Quick Settings.
5. Updated battery profile.
6. Fixed an issue where the system crashes when you press and hold down an image in the gallery.
7. Fixed an issue where the monitor displays a green screen for the first few seconds of a local cache video.
8. Optimized stability of both DJI GO and DJI GO 4 apps.
9. Updated DJI GO app to 3.1.10.
10. Updated DJI GO 4 app to 4.1.5.
11. Updated DJI Pilot Beta to 0.3.4.
[2017-08-24 07:30:48]
digital1 :
Anyone looked at the latest images? Was rooting method discovered in the end
[2017-08-24 13:25:03]
hostile :
I'll be able to play soon
[2017-08-24 13:25:08]
hostile :
CS enroute
[2017-08-24 13:27:28]
opcode :
Yes, the whole System gets flashed with any update they release. I didn't try, since I'm on a rooted CS. First I'll try the DirtyCow vulnerability test, to see if rooting with this is possible. Long time Goal should be to mod the OTA updates, to have all in one package (root, play store etc).
[2017-08-24 13:27:52]
opcode :
@hostile 7.85?
[2017-08-25 16:54:58]
hostile :
I'm in the game finally fellas
[2017-08-25 16:55:07]
hostile :
I'll take a bit to catch up.. yeah the 7.85 @opcode
[2017-08-25 17:05:07]
opcode :
Yeah! :smiley:
[2017-08-25 17:40:16]
hostile :
Settings->About Device -> Click System version 12 times does open the "Developer Options" menu as expected FWIW.
[2017-08-25 17:43:22]
opcode :
Yes, but ADB was enabled by default. Did you try?
[2017-08-25 17:43:34]
opcode :
And did you already update?
[2017-08-25 17:44:36]
hostile :
indeed, but the menu has other stuff in it
[2017-08-25 17:44:46]
hostile :
not just enable USB adb =]
[2017-08-25 17:46:43]
opcode :
Is dji_system_update already bothering you to update? :smile:
[2017-08-25 17:47:15]
hostile :
I've not connected it to my Wifi
[2017-08-25 17:47:17]
hostile :
<https://www.exploit-db.com/platform/?p=Android>
[2017-08-25 17:47:27]
hostile :
good place to cross reference exploits possibly
[2017-08-25 17:48:30]
hostile :
[ro.build.description]: [zs600b-user 5.1.1 v0.0.9.0-98a777ae eng.gl300.20170817.211933 release-keys]
[2017-08-25 17:48:39]
hostile :
$ busybox uname -a
Linux localhost 3.10.0 #1 SMP PREEMPT Thu Aug 17 21:04:00 CST 2017 armv7l GNU/Linux
[2017-08-25 17:49:25]
hostile :
Is it vuln to StageFright? <https://www.exploit-db.com/exploits/40436/>
[2017-08-25 18:03:12]
opcode :
Wouldn't it be easier to patch the OTA to gain root and throw out all unnecessary stuff?
[2017-08-25 19:03:11]
hostile :
for grabbing quick root?
[2017-08-25 19:03:32]
hostile :
<https://source.android.com/security/bulletin/2017-07-01> should also apply... <https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-7308/poc.c>
[2017-08-25 19:03:47]
hostile :
@opcode I thought folks were using kingroot and such to take root... feel free to point me to an OTA patcher...
[2017-08-25 19:27:14]
opcode :
@hostile That still has to be written. :wink:
[2017-08-25 19:27:35]
hostile :
ahh you were speaking theoretically
[2017-08-25 19:27:51]
hostile :
much easier for me to grab a sploit... compile and ./ it!
[2017-08-25 19:27:57]
opcode :
What i found so far : <https://github.com/cfig/Android_OTA_pkg_editor>
[2017-08-25 19:27:59]
hostile :
hence my pseudonym of "d0tslash"
[2017-08-25 19:28:07]
opcode :
hehe
[2017-08-25 19:28:23]
hostile :
OTA seems like fast path to a brick for me
[2017-08-25 19:28:29]
hostile :
gonna stay in my comfort zone
[2017-08-25 19:28:44]
hostile :
shell@zs600b:/ $ id
uid=0(root) gid=0(root) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)
[2017-08-25 19:28:47]
hostile :
so I'm good :wink:
[2017-08-25 19:29:09]
opcode :
great! which exploit did you use?
[2017-08-25 19:29:28]
hostile :
still checking its pedigree...
[2017-08-25 19:29:39]
hostile :
one from the auto tools that just hammer device till it pops
[2017-08-25 19:30:18]
hostile :
I think I have some rock chip notes laying around too...
[2017-08-25 19:30:19]
hostile :
system 922 173 721216 23628 ffffffff b6e91670 S android.rockchip.update.service
[2017-08-25 19:31:13]
opcode :
the thing is, as soon as youre rooted and mod the device to your needs you still will have the problem how to get updates on the device. bugfixes etc
[2017-08-25 19:31:29]
opcode :
thats why im thinking of modding the OTA
[2017-08-25 19:31:31]
hostile :
sounds like an artificial problem to me
[2017-08-25 19:31:32]
hostile :
=]
[2017-08-25 19:31:35]
opcode :
:slightly_smiling_face:
[2017-08-25 19:31:36]
hostile :
indeed
[2017-08-25 19:31:57]
hostile :
chattr +i does wonderful things fwiw
[2017-08-25 19:33:58]
opcode :
what i dont get, why DJI is pushing recovery.img and boot.img with the last updates. if the OTA would only wipe and update the /system then i would try to update
[2017-08-25 19:34:01]
opcode :
write_raw_image(package_extract_file("recovery.img"), "recovery");
show_progress(0.750000, 0);
format("ext4", "EMMC", "/dev/block/rknand_system", "0", "/system");
mount("ext4", "EMMC", "/dev/block/rknand_system", "/system", "max_batch_time=0,commit=1,data=ordered,barrier=1,errors=panic,nodelalloc");
package_extract_dir("system", "/system");
[2017-08-25 19:34:25]
opcode :
at the end:
[2017-08-25 19:34:27]
opcode :
write_raw_image(package_extract_file("boot.img"), "boot");
show_progress(0.200000, 10);
clear_misc_command();
unmount("/system");
[2017-08-25 19:35:36]
opcode :
i've read somewhere that it's fine to edit the update script, as long as you don't unpack and repack the .zip, which would harm the signing.
[2017-08-25 19:37:15]
hostile :
yeah we already had one OTA brick here. I won't be number two!
[2017-08-25 19:39:48]
opcode :
Yeah, I know. Just thinking out loud and trying to dig deeper. But rooted and without recovery no update.
[2017-08-25 19:48:20]
bin4ry :
The updater script is inside the zip. So it is impossible to change it without changing the zip and thus the signature. You can check if /etc/security/otacerts.zip contains testkey or real key. If testkey we can sign the zip again. On this device a recovery brick is totally unlikely since you have a real tablet here and with normal recovery partition. Please test if you have fastboot interface too. If yes then try to fastboot unlock, worth a try :joy: tell me all the results then :wink: next week we can play with this. I will have more time then, but I am really interested if they use testkey or real key here. On drones they used the testkey. Ahhh also please try keycombo to boot into recovery.
[2017-08-25 20:02:44]
opcode :
Thanks for the info @bin4ry :smiley: Will dig into that on Sunday.
[2017-08-25 20:07:04]
the_lord :
Adb reboot recovery will boot it in recovery but no volume buttons to navigate
[2017-08-25 20:10:32]
opcode :
Maybe the F Buttons?
[2017-08-25 20:17:50]
hostile :
does USB work in recovery?
[2017-08-25 20:22:11]
bin4ry :
Most important is: is there any fastboot interface you can boot into?
[2017-08-25 20:24:25]
bin4ry :
Or similar (rk bootloader interface or such)
[2017-08-25 20:25:17]
hostile :
pretty sure the rk bootloader stuff is built into Assistant Libraries FWIW
[2017-08-25 20:25:48]
bin4ry :
Might be true @ender did send me ota link some time ago
[2017-08-25 20:26:07]
bin4ry :
On Monday I will take a look there and I will tell you if we can use recovery to root safely
[2017-08-25 20:26:15]
bin4ry :
Should be much different here
[2017-08-25 20:26:20]
bin4ry :
:grinning:
[2017-08-25 20:26:28]
bin4ry :
I mean as on drones
[2017-08-25 20:26:41]
bin4ry :
But try adb reboot bootloader please
[2017-08-25 20:26:50]
bin4ry :
If you get fastboot you can try to unlock
[2017-08-25 20:27:17]
hostile :
USB keyboards work in SOME recovery menus IIRC
[2017-08-25 20:27:19]
bin4ry :
Who knows if they removed it (like they should on release or add oem unlock with key)
[2017-08-25 20:28:01]
bin4ry :
Make sure to have the keyboard and otg plugged before booting, sometimes they only work if already plugged during boot time
[2017-08-25 20:28:09]
bin4ry :
Have to go now for today
[2017-08-25 20:28:38]
bin4ry :
Hope to get some results to my questions from you soon :wink:
[2017-08-26 06:42:21]
opcode :
radical_update.x509.pem testkey.x509.pem
bash-3.2$
[2017-08-26 07:11:39]
opcode :
adb reboot bootloader gives me a black screen
[2017-08-26 07:12:15]
opcode :
adb reboot recovery works, but i dont have an usb keyboard handy
[2017-08-26 07:25:11]
bin4ry :
adb reboot bootloader: yes, it is intended to give you a black screen. Please look if you can see any USB devices, fastboot has no GUI.
[2017-08-26 07:27:38]
opcode :
nope, no devices.
[2017-08-26 07:28:12]
bin4ry :
About the otacerts.... This is the testkey from Google. Omg. Again? We can for sure exploit this very easy. If you can see the fastboot device the bricking chance is nearly 0
[2017-08-26 07:29:19]
opcode :
im not 100% sure if fastboot is working correctly on my OSX. but should be, installed adb/fastboot via google tools. does ADB and fastboot use the same driver?
[2017-08-26 07:34:30]
bin4ry :
Lsusb
[2017-08-26 07:34:40]
bin4ry :
Tell me if you see a device
[2017-08-26 07:34:58]
bin4ry :
If yes there is your fastboot and you only have a driver issue
[2017-08-26 07:35:31]
bin4ry :
Also please boot into recovery
[2017-08-26 07:35:59]
bin4ry :
And tell me if you get a device listing when you type "adb devices"
[2017-08-26 07:43:07]
opcode :
no lsusb on OSX :wink:
[2017-08-26 07:43:10]
opcode :
Composite Device:
Product ID: 0x320a
Vendor ID: 0x2207 (Fuzhou Rockchip Electronics Co., Ltd.)
Version: 1.00
Speed: Up to 480 Mb/sec
Location ID: 0x14300000 / 64
Current Available (mA): 500
Current Required (mA): 400
Extra Operating Current (mA): 0
[2017-08-26 07:43:17]
opcode :
there it is
[2017-08-26 07:43:41]
opcode :
bash-3.2$ adb devices
List of devices attached
bash-3.2$
[2017-08-26 07:44:01]
opcode :
bash-3.2$ fastboot devices
bash-3.2$
[2017-08-26 07:44:16]
opcode :
i'll reinstall fastboot
[2017-08-26 07:53:19]
opcode :
reinstalled, still cant see the device
[2017-08-26 07:54:11]
kilrah :
which port are you using on the CS
[2017-08-26 07:56:05]
bin4ry :
port?
[2017-08-26 07:57:23]
kilrah :
there's a micro usb on the side and an usb-c at the bottom... could only be active on the _other_
[2017-08-26 07:58:23]
bin4ry :
ahhh ok
[2017-08-26 07:58:29]
bin4ry :
but he sees the usb device
[2017-08-26 07:58:33]
opcode :
good idea. tried the micro only.
[2017-08-26 07:58:50]
bin4ry :
this is in fastboot mode or ? Composite Device:
Product ID: 0x320a
Vendor ID: 0x2207 (Fuzhou Rockchip Electronics Co., Ltd.)
Version: 1.00
Speed: Up to 480 Mb/sec
Location ID: 0x14300000 / 64
Current Available (mA): 500
Current Required (mA): 400
Extra Operating Current (mA): 0
[2017-08-26 07:59:27]
bin4ry :
but to be honest
[2017-08-26 07:59:32]
bin4ry :
you need windows anyway
[2017-08-26 07:59:44]
bin4ry :
if you want to flash the CWM / TWRP recovery
[2017-08-26 07:59:58]
bin4ry :
you need rockchips flashing tool
[2017-08-26 08:00:02]
kilrah :
yeah maybe the usb link goes up, but no service runs on that port
[2017-08-26 08:00:02]
bin4ry :
which is afaik windows only
[2017-08-26 08:04:43]
bin4ry :
it might be that the device does not boot fastboot but the RKLoader One
[2017-08-26 08:04:54]
bin4ry :
@opcode do you have any windows pc ready ?
[2017-08-26 08:05:01]
kilrah :
indeed
[2017-08-26 08:05:51]
bin4ry :
which resolution does this tablet have ?
[2017-08-26 08:06:39]
opcode :
there we go :
[2017-08-26 08:06:44]
opcode :
bash-3.2$ fastboot devices
0123456789 fastboot
bash-3.2$
[2017-08-26 08:07:04]
bin4ry :
yay
[2017-08-26 08:07:17]
opcode :
still micro usb, seems reinstalling fastboot helped
[2017-08-26 08:07:25]
bin4ry :
tell me the resolution
[2017-08-26 08:07:57]
opcode :
good, question. one sec ...
[2017-08-26 08:08:44]
bin4ry :
which display size is it ?
[2017-08-26 08:09:10]
opcode :
2048x1536
[2017-08-26 08:09:15]
opcode :
7.85
[2017-08-26 08:09:52]
bin4ry :
try
[2017-08-26 08:10:04]
kilrah :
heh
[2017-08-26 08:10:06]
opcode :
flash via fastboot?
[2017-08-26 08:10:06]
bin4ry :
fastboot boot TWRP_2048x1536_CrewRKTablets_v2.2.img
[2017-08-26 08:10:56]
bin4ry :
not flash yet
[2017-08-26 08:10:59]
bin4ry :
try to fastboot boot it
[2017-08-26 08:11:05]
opcode :
got it
[2017-08-26 08:11:08]
bin4ry :
works ?
[2017-08-26 08:11:10]
opcode :
one sec ...
[2017-08-26 08:11:18]
kilrah :
that way if it doesn't work you don't get a brick :smile:
[2017-08-26 08:11:41]
bin4ry :
exactly :smile:
[2017-08-26 08:11:53]
kilrah :
boot from ram = cool
[2017-08-26 08:12:03]
bin4ry :
yeah :smile:
[2017-08-26 08:12:06]
bin4ry :
and if it works
[2017-08-26 08:12:13]
bin4ry :
you can do everything
[2017-08-26 08:13:20]
bin4ry :
.... i am impatient :smile:
[2017-08-26 08:13:21]
bin4ry :
lol
[2017-08-26 08:13:31]
opcode :
hmm ...
[2017-08-26 08:13:47]
opcode :
command executed, but still black screen
[2017-08-26 08:13:59]
bin4ry :
ok, then this will not work
[2017-08-26 08:15:12]
opcode :
:disappointed:
[2017-08-26 08:16:30]
bin4ry :
do you have windows ?
[2017-08-26 08:16:39]
bin4ry :
we NEED windows to flash the recovery then
[2017-08-26 08:17:04]
opcode :
no. bricked my last VM. have to reinstall first
[2017-08-26 08:18:00]
opcode :
doesnt even respond to bash-3.2$ fastboot getprop unlocked
[2017-08-26 08:18:22]
bin4ry :
yes, might be no real interface
[2017-08-26 08:19:16]
opcode :
have to go shopping now. will install VM in the afternoon.
[2017-08-26 08:19:24]
bin4ry :
here i found this
[2017-08-26 08:19:25]
bin4ry :
<http://crewrktablets.arctablet.com/?wpfb_dl=2389>
[2017-08-26 08:19:34]
bin4ry :
1.) install driver
[2017-08-26 08:19:39]
bin4ry :
2.) start RKAndroid tool
[2017-08-26 08:19:52]
bin4ry :
select only recovery which fits your screen size
[2017-08-26 08:19:55]
bin4ry :
and then flash it
[2017-08-26 08:20:00]
bin4ry :
after that you have TWRP
[2017-08-26 08:20:14]
bin4ry :
this is exactly for rk3288 tablet
[2017-08-26 08:20:29]
opcode :
great, thanks.
[2017-08-26 08:20:40]
bin4ry :
this is not from me
[2017-08-26 08:20:46]
bin4ry :
but this guys made a good job as it seems
[2017-08-26 08:21:02]
kilrah :
i want a crystalsky :smile:
[2017-08-26 08:21:17]
opcode :
:smile:
[2017-08-26 08:21:32]
bin4ry :
it has also instructions
[2017-08-26 08:21:36]
bin4ry :
only flash the recovery
[2017-08-26 08:21:39]
bin4ry :
there are some other files
[2017-08-26 08:21:49]
bin4ry :
which are rooting etc, we don't need it and i did not check it
[2017-08-26 22:35:26]
hostile :
sooo... we may be able to use APKRenamer to get around the chicken / egg problem of installd restricting the apk names FWIW
[2017-08-26 22:35:59]
hostile :
re: <https://dji-rev.slack.com/archives/C6K376JGZ/p1502380464820537>
[2017-08-26 22:38:22]
hostile :
"dji.pilot.pad, com.DeviceTest, com.google.android.apps.maps" are those the three apps?
[2017-08-26 23:18:02]
hostile :
confirmed
[2017-08-26 23:19:14]
hostile :
I used a script called “rename-apk-namespace” <https://codeload.github.com/gist/8596303/zip/a428b503571bfcefff8b8650e2e9ead90e537b52>
[2017-08-26 23:19:48]
hostile :
./rename-apk-namespace ~/Downloads/TheAppIwanted.apk com.the.app.i.wanted.origina.namespace com.DeviceTest
[2017-08-26 23:19:59]
hostile :
Sign that… (because his tool is written poorly)
[2017-08-26 23:20:00]
hostile :
$ /Applications/dex2jar/d2j-apk-sign.sh debug.apk
sign debug.apk -> debug-signed.apk
[2017-08-26 23:20:11]
hostile :
$ adb install debug-signed.apk
debug-signed.apk: 1 file pushed. 2.6 MB/s (1139445 bytes in 0.413s)
pkg: /data/local/tmp/debug-signed.apk
Success
[2017-08-26 23:20:21]
hostile :
boom… no root required to install a different APK.
[2017-08-26 23:20:44]
hostile :
now you can install a local version of kingroot or **other** android rooting tools that deploy via apk
[2017-08-26 23:26:44]
hostile :
D/DefContainer( 1283): Copying /data/local/tmp/debug-signed.apk to base.apk
D/PackageManager( 493): Renaming /data/app/vmdl98333274.tmp to /data/app/com.DeviceTest-1
I/ActivityManagerService( 493): Force stopping com.DeviceTest appid=10040 user=-1: uninstall pkg
I/PackageManager( 493): Package com.DeviceTest codePath changed from /data/app/com.DeviceTest-2 to /data/app/com.DeviceTest-1; Retaining data and using new
I/PackageManager( 493): Running dexopt on: /data/app/com.DeviceTest-1/base.apk pkg=com.DeviceTest isa=arm vmSafeMode=false
I/dex2oat ( 1584): /system/bin/dex2oat --zip-fd=5 --zip-location=/data/app/com.DeviceTest-1/base.apk --oat-fd=6 --oat-location=/data/dalvik-cache/arm/data@app@com.DeviceTest-1@base.apk@classes.dex --instruction-set=arm --instruction-set-features=div --runtime-arg -Xms64m --runtime-arg -Xmx512m --swap-fd=7
I/dex2oat ( 1584): dex2oat took 1.119s (threads: 4) arena alloc=86KB java alloc=2MB native alloc=4MB free=656KB
W/PackageManager( 493): Code path for pkg : com.DeviceTest changing from /data/app/com.DeviceTest-2 to /data/app/com.DeviceTest-1
I/ActivityManagerService( 493): Force stopping com.DeviceTest appid=10040 user=-1: update pkg
W/PackageManager( 493): Resource path for pkg : com.DeviceTest changing from /data/app/com.DeviceTest-2 to /data/app/com.DeviceTest-1
D/JobSchedulerService( 493): Receieved: android.intent.action.PACKAGE_REMOVED
D/BackupManagerService( 493): Received broadcast Intent { act=android.intent.action.PACKAGE_REMOVED dat=package:com.DeviceTest flg=0x4000010 (has extras) }
D/InputMethodMana
[2017-08-26 23:26:53]
hostile :
@bin4ry --^
[2017-08-27 01:51:43]
hostile :
This ALMOST works…
[2017-08-27 01:57:39]
hostile :
Triggering some integrity check tho :)
[2017-08-27 02:06:56]
hostile :
@bin4ry also, as soon as you plug in an SD card… the DJIService kicks in and looks for an update.zip
[2017-08-27 02:06:57]
hostile :
D/ViewRootImpl( 652): 2048<<<<<< BACK FROM relayoutnull
D/MediaScannerService( 584): start scanning volume external: [/mnt/external_sd1]
D/DJIService assistant( 921): WorkHandler::handleMessage() : To perform 'COMMAND_CHECK_LOCAL_UPDATING'.
D/DJIService assistant( 921): getValidFirmwareImageFile() : Target image file path : /mnt/internal_sd/update.zip
D/DJIService assistant( 921): getValidFirmwareImageFile() : Target image file path : /data/media/0/update.zip
D/DJIService assistant( 921): getValidFirmwareImageFile() : Target image file path : /mnt/external_sd/update.zip
D/DJIService assistant( 921): getValidFirmwareImageFile() : Target image file path : /mnt/external_sd1/update.zip
D/DJIService assistant( 921): getValidFirmwareImageFile() : Target image file path : /mnt/usb_storage/update.zip
D/DJIService assistant( 921): getValidFirmwareImageFile() : Target image file path : /mnt/usb_storage/USB_DISK2/udisk0/update.zip
D/DJIService assistant( 921): djixxx check _big upfalse
D/MediaScannerService( 584): done scanning volume external
[2017-08-27 07:04:54]
bin4ry :
Yes this is rockchip update
[2017-08-27 07:05:26]
bin4ry :
Safest way is to root through exploit atm
[2017-08-27 07:05:54]
bin4ry :
Ota is not signed with testkey as far as I could see
[2017-08-27 07:06:12]
bin4ry :
But I did not have much time yet to dissect it
[2017-08-27 07:06:22]
bin4ry :
Will look further on monday
[2017-08-27 07:07:32]
bin4ry :
Good idea with the package rename, but you should overwrite installd anyway because if not you cannot use playstore :wink:
[2017-08-27 07:08:09]
bin4ry :
Once you have root please try to install the recovery from the package I posted
[2017-08-27 07:08:14]
bin4ry :
It should work
[2017-08-27 07:08:33]
bin4ry :
But you need rkandroid tool for Windows to flash this recovery through rockchip loader
[2017-08-27 07:08:58]
bin4ry :
No root system root needed then :joy:
[2017-08-27 07:11:56]
bin4ry :
Good thing is that we have the original recovery partition too
[2017-08-27 07:12:33]
bin4ry :
So if anything goes south with the twrp recovery we can still flash original recovery through the rkandroid tool :wink:
[2017-08-27 07:13:13]
kilrah :
IF you can still enter the loader, I thought nobody had found a key combo?
[2017-08-27 07:42:17]
bin4ry :
There are several known
[2017-08-27 07:42:35]
bin4ry :
Vol up and power is one of them
[2017-08-27 07:42:38]
bin4ry :
Another one is
[2017-08-27 07:42:55]
bin4ry :
Power for several seconds and while doing that hook the cable inside
[2017-08-27 07:43:25]
bin4ry :
You can see in rkandroid tool in which state the device is
[2017-08-27 07:43:37]
bin4ry :
It also can switch states fwiw
[2017-08-27 07:46:52]
kilrah :
yeah but yesterday someone said they didn't work on the CS which has no vol buttons?
[2017-08-27 07:49:42]
opcode :
Good Morning! Rkandroid description says, that you can switch state with the tool. Hopefully this is working, as CS has no volume buttons.
[2017-08-27 07:51:21]
opcode :
I need to obtain a fresh Windows VM, mine is totally broken. Till now couldn't find one that's halfway trustworthy.
[2017-08-27 07:52:54]
opcode :
@hostile in the update screen of CS you can even point it to where the update.zip is stored.
[2017-08-27 07:55:25]
kilrah :
install your own? W10 can be freely downloaded and will work, just with a nag
[2017-08-27 09:02:00]
opcode :
hah, just forgot about that you can install it freely. installing now. :slightly_smiling_face:
[2017-08-27 09:12:12]
bin4ry :
you don't need volume buttons
[2017-08-27 09:14:25]
bin4ry :
is there a reset pin ?
[2017-08-27 09:14:54]
bin4ry :
on some rockchips (the ones without volume buttons) you need to push the reset button instead
[2017-08-27 09:14:59]
bin4ry :
so the procedure would be
[2017-08-27 09:15:01]
bin4ry :
power off
[2017-08-27 09:15:14]
bin4ry :
push reset button and plug usb cable while keeping the reset button pushed
[2017-08-27 09:15:16]
opcode :
no reset pin/button
[2017-08-27 09:15:21]
bin4ry :
ok
[2017-08-27 09:15:39]
bin4ry :
then hold the power button (keep holding it) and plug the usb cable
[2017-08-27 09:15:40]
opcode :
prerequisites
a) best is to use a win7 PC; do not use USB3.0 ports
b) make sure you use the original USB cable
[2017-08-27 09:15:51]
bin4ry :
try this please:
[2017-08-27 09:15:52]
bin4ry :
then hold the power button (keep holding it) and plug the usb cable
[2017-08-27 09:15:57]
bin4ry :
instead of volume
[2017-08-27 09:15:57]
opcode :
great. im on win 10 and have only usb 3 ports. :smile:
[2017-08-27 09:15:59]
bin4ry :
while off
[2017-08-27 09:17:59]
bin4ry :
also if all is lost you can always pull pin6 on the nand against GND, i did flash some rockchips this way before in a project i was working :smile:
[2017-08-27 09:19:36]
bin4ry :
and ?
[2017-08-27 09:20:33]
opcode :
installing tool ATM
[2017-08-27 09:20:45]
bin4ry :
but what about the keycombo? did you test it?
[2017-08-27 09:20:51]
bin4ry :
you don't need the tool for that only lsusb :wink:
[2017-08-27 09:21:01]
bin4ry :
sorry i am impatient as usual
[2017-08-27 09:27:10]
bin4ry :
also
[2017-08-27 09:27:12]
bin4ry :
i just confirmed
[2017-08-27 09:27:31]
bin4ry :
i have the key they used to sign the OTA package of Crystalsky
[2017-08-27 09:29:17]
opcode :
long push with plug seems to work, but first have to fix that the CS gets routed to the win vm while in recovery
[2017-08-27 09:29:22]
opcode :
ah, great!
[2017-08-27 09:29:35]
bin4ry :
nice that the button combo works atleast :smile:
[2017-08-27 09:32:58]
bin4ry :
ehm
[2017-08-27 09:33:06]
bin4ry :
@opcode
[2017-08-27 09:33:10]
bin4ry :
you want to try something ?
[2017-08-27 09:33:31]
bin4ry :
which version of supersu have you currently installed ?
[2017-08-27 09:33:42]
bin4ry :
2.79 or ?
[2017-08-27 09:33:53]
opcode :
that doesn't work at all. can't route the CS to win while in recovery. could also be the usb 3 ports.
[2017-08-27 09:33:59]
bin4ry :
ok
[2017-08-27 09:34:01]
opcode :
let me check
[2017-08-27 09:34:04]
bin4ry :
thanks
[2017-08-27 09:34:47]
opcode :
yes, 2.79
[2017-08-27 09:35:03]
bin4ry :
i am uploading a update.zip
[2017-08-27 09:35:11]
bin4ry :
please put this update.zip on your sdcard
[2017-08-27 09:35:25]
bin4ry :
and then tell me what happens
[2017-08-27 09:35:56]
opcode :
yup, one sec
[2017-08-27 09:36:08]
opcode :
other idea to flash the recovery : flashfire?
[2017-08-27 09:36:12]
bin4ry :
no
[2017-08-27 09:36:17]
bin4ry :
please test this
[2017-08-27 09:37:13]
bin4ry :
make sure you really use an sdcard
[2017-08-27 09:37:15]
bin4ry :
i mean an external
[2017-08-27 09:37:17]
bin4ry :
put the file on it
[2017-08-27 09:37:19]
bin4ry :
and plug it in
[2017-08-27 09:40:36]
opcode :
nothing. let me retry with an empty sd
[2017-08-27 09:40:55]
bin4ry :
did you do the system update already ?
[2017-08-27 09:41:07]
opcode :
no
[2017-08-27 09:41:19]
bin4ry :
GOOD
[2017-08-27 09:45:49]
opcode :
ah. have to go through file explorer and hit the zip. "update package found, would you like to install?"
[2017-08-27 09:46:05]
bin4ry :
try it
[2017-08-27 09:46:08]
bin4ry :
yes
[2017-08-27 09:46:16]
opcode :
rebooting
[2017-08-27 09:46:38]
opcode :
installing system update
[2017-08-27 09:46:42]
opcode :
rebooting
[2017-08-27 09:46:46]
bin4ry :
:smile:
[2017-08-27 09:46:49]
bin4ry :
lets see
[2017-08-27 09:46:54]
bin4ry :
did he copy the supersu ?
[2017-08-27 09:46:58]
bin4ry :
did you read anything ?
[2017-08-27 09:47:22]
opcode :
nope. now he prompts me again that an update is found on sd card
[2017-08-27 09:47:35]
bin4ry :
aha so it may be triggered on boot
[2017-08-27 09:47:39]
opcode :
what should have happened? copy supersu to sd?
[2017-08-27 09:47:50]
bin4ry :
it was an rooting package
[2017-08-27 09:47:54]
bin4ry :
install supersu and su etc
[2017-08-27 09:48:00]
bin4ry :
so supersu should be on version 2.82 now
[2017-08-27 09:48:02]
bin4ry :
instead 2.79
[2017-08-27 09:48:24]
opcode :
still on 2.79
[2017-08-27 09:48:27]
bin4ry :
ok
[2017-08-27 09:48:44]
bin4ry :
i might know why
[2017-08-27 09:48:47]
opcode :
let me do it one more time to check if anything gets displayed
[2017-08-27 09:48:48]
bin4ry :
gimme a sec please
[2017-08-27 09:50:14]
opcode :
ah. installing system update. error!. then reboot
[2017-08-27 09:51:38]
bin4ry :
please try this package
[2017-08-27 09:53:26]
opcode :
yep
[2017-08-27 09:53:37]
opcode :
could you just explain in short terms, what we are doing here?
[2017-08-27 09:54:33]
bin4ry :
ok i forged the update.zip, i took the original ota, removed everything except the recovery.img, then i changed the recovery.img to a TWRP recovery.img , then i resigned it with the key
[2017-08-27 09:54:45]
bin4ry :
so it should now flash a TWRP recovery as the update
[2017-08-27 09:55:06]
opcode :
ahhh, very cool. logical, as you found the key. :slightly_smiling_face:
[2017-08-27 09:55:12]
bin4ry :
after the ota is applied you can try to reboot into recovery and should be greeted with a nice TWRP from the CrewRK tablet guys
[2017-08-27 09:57:07]
opcode :
error!
[2017-08-27 09:59:05]
bin4ry :
gm
[2017-08-27 09:59:09]
bin4ry :
any error message ?
[2017-08-27 09:59:20]
opcode :
just "error!"
[2017-08-27 10:02:25]
bin4ry :
please try to pull
[2017-08-27 10:02:30]
bin4ry :
/cache/recovery/log
[2017-08-27 10:02:40]
bin4ry :
or
[2017-08-27 10:02:46]
bin4ry :
/cache/recovery/last_log
[2017-08-27 10:03:32]
opcode :
yup
[2017-08-27 10:04:43]
bin4ry :
i think they added another verification apart from the android standard
[2017-08-27 10:04:50]
bin4ry :
just found a publicKey.bin in the recovery ramdisk
[2017-08-27 10:05:31]
bin4ry :
this is the "rockchip" security
[2017-08-27 10:05:32]
bin4ry :
:smile:
[2017-08-27 10:05:42]
opcode :
muhaha
[2017-08-27 10:06:40]
bin4ry :
any luck with the log ?
[2017-08-27 10:10:26]
bin4ry :
thx
[2017-08-27 10:10:57]
opcode :
have also last_install, last_kmsg, last_locale
[2017-08-27 10:13:09]
bin4ry :
not needed
[2017-08-27 10:13:11]
bin4ry :
found it
[2017-08-27 10:13:17]
bin4ry :
rk verify_file fails
[2017-08-27 10:13:25]
bin4ry :
this is a source to it i found online
[2017-08-27 10:13:44]
bin4ry :
so it adds another signature to the package
[2017-08-27 10:15:38]
opcode :
E/ [File] : bootable/recovery/install.cpp; [Line] : 392; [Func] : really_install_package; signature verification failed
[2017-08-27 10:17:51]
bin4ry :
cannot find the keys online
[2017-08-27 10:18:01]
bin4ry :
all rk3288 repos are android 5.1
[2017-08-27 10:18:09]
bin4ry :
and i think they introduced this at android 6
[2017-08-27 10:18:13]
bin4ry :
this new signing
[2017-08-27 10:18:48]
bin4ry :
if anyone can find rk3288 privateKey.bin and publicKey.bin along with the signing tools we can craft an own update.zip which doesn't get rejected
[2017-08-27 10:18:59]
opcode :
yeah, i was reading about a new package signing method somewhere, but i thought 5.1.1 was the last version with the old signing.
[2017-08-27 10:18:59]
bin4ry :
for now if you want to have TWRP
[2017-08-27 10:19:18]
bin4ry :
you can either install TWRP from the shell with dd
[2017-08-27 10:19:22]
bin4ry :
or through the RKAndroid tool
[2017-08-27 10:19:26]
bin4ry :
both will still work
[2017-08-27 10:19:56]
opcode :
yes, but it would be nice to have our own update.zip even for release to the public
[2017-08-27 10:20:07]
bin4ry :
well, not needed
[2017-08-27 10:20:11]
bin4ry :
rkAndroid tool works flawless
[2017-08-27 10:20:21]
bin4ry :
used it like 1 million times on rockchip devices
[2017-08-27 10:21:23]
opcode :
hmm. but how do i get the CS updates then?
[2017-08-27 10:21:37]
bin4ry :
easy
[2017-08-27 10:21:40]
bin4ry :
download the update
[2017-08-27 10:21:41]
opcode :
there are some bug fixes i would also like to have
[2017-08-27 10:21:47]
bin4ry :
remove recovery.img
[2017-08-27 10:21:57]
bin4ry :
from file and updater_script
[2017-08-27 10:22:00]
bin4ry :
and install it from twrp
[2017-08-27 10:22:09]
bin4ry :
since twrp gives a shit on the signature
[2017-08-27 10:22:09]
opcode :
ah, i get it.
[2017-08-27 10:22:40]
opcode :
is it also possible to edit the boot.img ? i would like to get rid of the dji booting logo.
[2017-08-27 10:22:45]
bin4ry :
if i remember right twrp had an option to "protect" itself from being overwritten
[2017-08-27 10:22:52]
bin4ry :
sure it is possible
[2017-08-27 10:23:26]
opcode :
great. then i will try to get the driver issue fixed to use rkandroid.
[2017-08-27 10:23:32]
bin4ry :
yes do that
[2017-08-27 10:23:39]
bin4ry :
or use a proper computer to do it :smile:
[2017-08-27 10:23:40]
bin4ry :
:open_mouth:
[2017-08-27 10:23:43]
bin4ry :
:stuck_out_tongue:
[2017-08-27 10:23:46]
opcode :
:disappointed:
[2017-08-27 10:23:50]
opcode :
i love my mac
[2017-08-27 10:23:59]
bin4ry :
throw it in the trashbin where it belongs
[2017-08-27 10:24:00]
bin4ry :
:wink:
[2017-08-27 10:24:01]
bin4ry :
haha
[2017-08-27 10:24:10]
opcode :
never ever :slightly_smiling_face:
[2017-08-27 10:24:37]
bin4ry :
if you really want
[2017-08-27 10:24:44]
bin4ry :
you can also install TWRP from adb shell
[2017-08-27 10:25:33]
opcode :
its possible to flash recovery over adb?
[2017-08-27 10:25:54]
bin4ry :
dd if=/sdcard/recovery.img of=/dev/block/platform/ff0f0000.rksdmmc/by-name/recovery
[2017-08-27 10:26:12]
bin4ry :
SHOULD work, but make sure the blockdevice exists i was just guessing here
[2017-08-27 10:26:48]
bin4ry :
as root this command will overwrite the current recovery image and install the new one
[2017-08-27 10:27:40]
bin4ry :
wait
[2017-08-27 10:27:42]
bin4ry :
even simpler
[2017-08-27 10:27:44]
bin4ry :
and better
[2017-08-27 10:27:47]
bin4ry :
gimme a second
[2017-08-27 10:27:55]
opcode :
:slightly_smiling_face:
[2017-08-27 10:30:08]
opcode :
root@zs600b:/dev/block/platform/ff0f0000.rksdmmc/by-name # ll
lrwxrwxrwx root root 2017-08-27 11:57 backup -> /dev/block/mmcblk0p7
lrwxrwxrwx root root 2017-08-27 11:57 boot -> /dev/block/mmcblk0p5
lrwxrwxrwx root root 2017-08-27 11:57 cache -> /dev/block/mmcblk0p8
lrwxrwxrwx root root 2017-08-27 11:57 kernel -> /dev/block/mmcblk0p4
lrwxrwxrwx root root 2017-08-27 11:57 kpanic -> /dev/block/mmcblk0p9
lrwxrwxrwx root root 2017-08-27 11:57 metadata -> /dev/block/mmcblk0p11
lrwxrwxrwx root root 2017-08-27 11:57 misc -> /dev/block/mmcblk0p2
lrwxrwxrwx root root 2017-08-27 11:57 radical_update -> /dev/block/mmcblk0p13
lrwxrwxrwx root root 2017-08-27 11:57 recovery -> /dev/block/mmcblk0p6
lrwxrwxrwx root root 2017-08-27 11:57 resource -> /dev/block/mmcblk0p3
lrwxrwxrwx root root 2017-08-27 11:57 system -> /dev/block/mmcblk0p10
lrwxrwxrwx root root 2017-08-27 11:57 uboot -> /dev/block/mmcblk0p1
lrwxrwxrwx root root 2017-08-27 11:57 user -> /dev/block/mmcblk0p14
lrwxrwxrwx root root 2017-08-27 11:57 userdata -> /dev/block/mmcblk0p12
[2017-08-27 10:30:22]
bin4ry :
please wait
[2017-08-27 10:30:30]
opcode :
yeah, just checked
[2017-08-27 10:32:12]
bin4ry :
extract this
[2017-08-27 10:32:20]
bin4ry :
chmod +x install_recovery.sh
[2017-08-27 10:32:29]
bin4ry :
then run it on your pc
[2017-08-27 10:32:45]
bin4ry :
it will transfer the recovery.img along with the flash_recovery bin from rockchip to your device
[2017-08-27 10:32:46]
bin4ry :
and run it
[2017-08-27 10:33:02]
bin4ry :
if it cannot work
[2017-08-27 10:33:13]
bin4ry :
then do it manually
[2017-08-27 10:33:17]
bin4ry :
but make sure you have root
[2017-08-27 10:33:26]
bin4ry :
you need root for this
[2017-08-27 10:33:31]
bin4ry :
ah
[2017-08-27 10:33:33]
bin4ry :
wait
[2017-08-27 10:34:40]
bin4ry :
here again
[2017-08-27 10:34:49]
bin4ry :
cannot work as a script as you don't have adb root
[2017-08-27 10:34:55]
bin4ry :
i included a txt file now
[2017-08-27 10:34:58]
bin4ry :
do what it says
[2017-08-27 10:35:12]
bin4ry :
and you should have TWRP then
[2017-08-27 10:35:46]
opcode :
holy cow, youre fast
[2017-08-27 10:35:59]
opcode :
will try in the afternoon and report back
[2017-08-27 10:36:16]
opcode :
thanks for your effort btw. :slightly_smiling_face:
[2017-08-27 10:36:29]
bin4ry :
ah ok
[2017-08-27 10:36:29]
bin4ry :
sure
[2017-08-27 10:36:44]
bin4ry :
then i don't have to wait for immediate feedback :smile:
[2017-08-27 10:36:47]
bin4ry :
thing is
[2017-08-27 10:36:57]
bin4ry :
the most easy way to root a rockchip device is
[2017-08-27 10:37:07]
bin4ry :
run RKAndroid tool in windows (make sure you have proper drivers)
[2017-08-27 10:37:12]
bin4ry :
then flash recovery from the tool
[2017-08-27 10:37:15]
bin4ry :
and tada you are done
[2017-08-27 10:37:16]
bin4ry :
:smile:
[2017-08-27 10:37:24]
bin4ry :
since you have root already
[2017-08-27 10:37:28]
bin4ry :
you can now install the TWRP
[2017-08-27 10:37:32]
bin4ry :
which is the other way around
[2017-08-27 10:37:47]
bin4ry :
@hostile ^--- read this when you wake up :smile:
[2017-08-27 10:37:51]
opcode :
yes, i will first try to use rkandroid.
[2017-08-27 10:37:58]
bin4ry :
yes
[2017-08-27 10:38:11]
bin4ry :
let's repost the link for hostile
[2017-08-27 10:38:23]
bin4ry :
you have it?
[2017-08-27 10:38:51]
bin4ry :
@hostile follow this: <http://crewrktablets.arctablet.com/?wpfb_dl=2389>
[2017-08-27 10:38:54]
opcode :
which one? rkandroid package?
[2017-08-27 10:38:59]
opcode :
ah, yes
[2017-08-27 13:08:22]
hostile :
@bin4ry "but you should overwrite installd anyway because if not you cannot use playstore " yeah ... this is to possibly help with the chicken / egg problem. We can push an .apk with modded name, that roots, and sets up a fort for us. =]
[2017-08-27 13:09:11]
bin4ry :
Just use rkandroid to flash a custom recovery :wink:
[2017-08-27 13:23:00]
hostile :
@bin4ry "if anyone can find rk3288 privateKey.bin and publicKey.bin" try @martinbogo ? <https://dji-rev.slack.com/archives/C6K376JGZ/p1503829071000029>
[2017-08-27 13:24:50]
hostile :
@bin4ry "the most easy way to root a rockchip device is then flash recovery from the tool" <https://dji-rev.slack.com/archives/C6K376JGZ/p1503830267000009>"
[2017-08-27 13:25:32]
hostile :
indeed... just looking at SUPER noob friendly routes (hence changing the APK name). I am looking at things we can chain together for ease of rooting / installd patching, etc. combo "one shot" as it were.
[2017-08-27 13:28:18]
bin4ry :
Yes, we would need an exploit for it
[2017-08-27 13:28:47]
bin4ry :
Someone with the device would need to root through kingo and dump the USB traffic
[2017-08-27 13:28:56]
bin4ry :
So we can extract the root they use
[2017-08-27 13:29:05]
bin4ry :
Or find another exploit
[2017-08-27 13:47:24]
hostile :
yeah that is what I am doing now.... @the_lord isolated one from kingroot external.... but I need to figure out exactly which it is
[2017-08-27 13:47:33]
hostile :
I ALMOST got dirtyc0w compiled / working correctly, but no dice
[2017-08-27 13:59:47]
bin4ry :
I see
[2017-08-27 16:30:25]
digital1 :
Wow you guys are moving fast, can you just explain the 3rd party app install with out root ?
[2017-08-27 16:59:10]
bin4ry :
Change the package name to one supported
[2017-08-27 17:32:23]
hostile :
@digital1 Just scroll up! <https://dji-rev.slack.com/archives/C6K376JGZ/p1503786926000051>
[2017-08-27 17:32:53]
hostile :
<https://dji-rev.slack.com/archives/C6K376JGZ/p1503787102000063>
[2017-08-27 17:32:54]
hostile :
<https://dji-rev.slack.com/archives/C6K376JGZ/p1503789588000008>
[2017-08-28 15:16:15]
opcode :
No luck with rkandroid so far. Thinking about setting up a dual boot. Also tried to find safer rooting methods, it always gets back to kingo, towel, supersu and flashing. Most elegant would be if we have the keys for OTA.
[2017-08-28 15:27:11]
bin4ry :
ah yes i forgot to ask martin for that one
[2017-08-28 15:27:19]
bin4ry :
but i cannot understand why you have problems with rkandroid
[2017-08-28 15:27:25]
bin4ry :
use a proper pc for once
[2017-08-28 15:27:25]
bin4ry :
lol
[2017-08-28 15:27:26]
bin4ry :
:smile:
[2017-08-28 15:29:12]
kilrah :
send me your CS, I have a proper PC :laughing:
[2017-08-28 15:45:54]
opcode :
proper and PC in one sentence? :grin:
[2017-08-28 15:47:25]
opcode :
I think, it's the way VM Ware hands over the USB to the VM. Works for ADB, but not fastboot.
[2017-08-28 15:51:31]
kilrah :
try virtualbox, got it to work with everything (including the finicky mavic rc)
[2017-08-29 15:11:36]
opcode :
so, you used the run-as test and it didnt work?
[2017-08-29 15:33:49]
hostile :
it said uid=0 on the output... but could not spawn a shell
[2017-08-29 15:42:05]
opcode :
Hmm. So you didnt see this: UID=0(root), your device is vulnerable!
[2017-08-29 15:47:31]
hostile :
Depends on exactly which exploit you use
[2017-08-29 15:49:00]
opcode :
CVE-2016-5195
[2017-08-29 15:49:20]
opcode :
<https://forum.xda-developers.com/z5-compact/general/dirtycow-vulnerability-test-suite-t3490411>
[2017-08-29 15:49:48]
hostile :
that is not one I tested... I'll check it
[2017-08-29 15:50:55]
opcode :
if this is working, it shouldnt be too hard to modify it to spawn root
[2017-08-29 16:07:43]
hostile :
@opcode cool... I was trying <https://github.com/timwr/CVE-2016-5195.git> previously
[2017-08-29 16:08:12]
hostile :
also
[2017-08-29 16:08:13]
hostile :
<https://github.com/hyln9/VIKIROOT.git>
[2017-08-29 16:08:51]
hostile :
and...
[2017-08-29 16:08:52]
hostile :
<https://github.com/timwr/CVE-2014-3153.git>
[2017-08-29 16:09:49]
opcode :
hmm. i just saw, that you can compile it with NDK for different instruction sets. did you try that? in CS case armeabi?
[2017-08-29 16:10:23]
hostile :
soon as my battery charges I'll try your example
[2017-08-29 16:11:02]
opcode :
i have my CS battery nonstop charging and discharging. :smile:
[2017-08-29 16:11:16]
opcode :
$ make root
ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_PLATFORM=android-16
make[1]: Entering directory '/home/user/dev/git/exploits/CVE-2016-5195'
[arm64-v8a] Install : dirtycow => libs/arm64-v8a/dirtycow
[arm64-v8a] Install : run-as => libs/arm64-v8a/run-as
[x86_64] Install : dirtycow => libs/x86_64/dirtycow
[x86_64] Install : run-as => libs/x86_64/run-as
[mips64] Install : dirtycow => libs/mips64/dirtycow
[mips64] Install : run-as => libs/mips64/run-as
[armeabi-v7a] Install : dirtycow => libs/armeabi-v7a/dirtycow
[armeabi-v7a] Install : run-as => libs/armeabi-v7a/run-as
[armeabi] Install : dirtycow => libs/armeabi/dirtycow
[armeabi] Install : run-as => libs/armeabi/run-as
[x86] Install : dirtycow => libs/x86/dirtycow
[x86] Install : run-as => libs/x86/run-as
[mips] Install : dirtycow => libs/mips/dirtycow
[mips] Install : run-as => libs/mips/run-as
make[1]: Leaving directory '/home/user/dev/git/exploits/CVE-2016-5195'
adb push libs/armeabi-v7a/dirtycow /data/local/tmp/dcow
[100%] /data/local/tmp/dcow
adb push libs/armeabi-v7a/run-as /data/local/tmp/run-as
[100%] /data/local/tmp/run-as
adb shell '/data/local/tmp/dcow /data/local/tmp/run-as /system/bin/run-as'
dcow /data/local/tmp/run-as /system/bin/run-as
warning: new file size (5544) and destination file size (17944) differ
[2017-08-29 16:12:11]
hostile :
let me know if you have any success
[2017-08-29 16:12:43]
opcode :
unsure if this will work, as im already root.
[2017-08-29 16:12:53]
hostile :
su - nobody?
[2017-08-29 16:12:54]
hostile :
lol
[2017-08-29 16:13:32]
opcode :
dirtycow should work, system info says security patch 2015-12-01.
[2017-08-29 16:15:48]
opcode :
@hostile forget my example. its for 64bit.
[2017-08-29 16:15:49]
opcode :
./testvuln.sh
dirtycow: 1 file pushed. 1.2 MB/s (10000 bytes in 0.008s)
run-as: 1 file pushed. 1.1 MB/s (5904 bytes in 0.005s)
Running exploit, may take some time
/system/bin/sh: /data/local/tmp/dirtycow: not executable: 64-bit ELF file
Usage: run-as <package-name> <command> [<args>]
[2017-08-29 16:16:14]
hostile :
yup... that was biggest issue I think I was hitting
[2017-08-29 16:16:20]
hostile :
we can recompile since they gave source tho
[2017-08-29 16:18:35]
opcode :
got one compiled
[2017-08-29 16:18:37]
opcode :
<https://build.nethunter.com/android-tools/dirtycow/armv7/>
[2017-08-29 16:19:48]
hostile :
I just compiled the source above...
[2017-08-29 16:20:07]
hostile :
cow/obj/local has all the arches
[2017-08-29 16:24:05]
opcode :
./testvuln.sh
dirtycow: 1 file pushed. 1.7 MB/s (13732 bytes in 0.008s)
run-as: 1 file pushed. 1.6 MB/s (13732 bytes in 0.008s)
Running exploit, may take some time
WARNING: linker: /data/local/tmp/dirtycow: unused DT entry: type 0x6ffffffe arg 0x5f8
WARNING: linker: /data/local/tmp/dirtycow: unused DT entry: type 0x6fffffff arg 0x1
WARNING: linker: /system/bin/run-as: unused DT entry: type 0x6ffffffe arg 0x51c
WARNING: linker: /system/bin/run-as: unused DT entry: type 0x6fffffff arg 0x1
UID=0(root), your device is vulnerable!
[2017-08-29 16:24:10]
opcode :
:slightly_smiling_face:
[2017-08-29 16:29:51]
hostile :
nice
[2017-08-29 16:30:01]
hostile :
did you replace with one of the binaries from the cow.tgz?
[2017-08-29 16:30:52]
opcode :
yap. armeabi and armeabi-v7a both work
[2017-08-29 16:31:43]
opcode :
so, who is rewriting the tool now? :smile:
[2017-08-29 16:32:41]
hostile :
I'll try to look at it tonight
[2017-08-29 16:32:59]
hostile :
we can combine with @the_lord 's detail from REing Kingroot
[2017-08-29 16:33:07]
hostile :
and make a package that we have full source code to
[2017-08-29 16:33:25]
opcode :
that would be great
[2017-08-29 17:11:31]
bin4ry :
Aha See. Dirtyc0w worked at the end. Nice one
[2017-08-29 17:21:48]
hostile :
yeh worked here too @opcode
[2017-08-29 17:21:50]
hostile :
$ ./testvuln.sh
dirtycow: 1 file pushed. 2.2 MB/s (47544 bytes in 0.021s)
run-as: 1 file pushed. 2.0 MB/s (44644 bytes in 0.021s)
Running exploit, may take some time
WARNING: linker: /data/local/tmp/dirtycow: unused DT entry: type 0x6ffffffe arg 0x5f8
WARNING: linker: /data/local/tmp/dirtycow: unused DT entry: type 0x6fffffff arg 0x1
WARNING: linker: /system/bin/run-as: unused DT entry: type 0x6ffffffe arg 0x51c
WARNING: linker: /system/bin/run-as: unused DT entry: type 0x6fffffff arg 0x1
UID=0(root), your device is vulnerable!
[2017-08-29 17:23:59]
hostile :
word... so this just overwrites a file basically
[2017-08-29 17:24:57]
hostile :
yeah it overwrote my run-as binary with
[2017-08-29 17:24:59]
hostile :
"int main(int argc, char **argv)
{
printf("%s\n", is_vulnerable() ? "UID=0(root), your device is vulnerable!" : "Your device is not vulnerable!");
}"
[2017-08-29 17:50:54]
the_lord :
i tested dirty cow before but it didn't work for me on P4P+ for some reason
[2017-08-29 18:53:04]
bin4ry :
Should I bundle it as an easy to run exploit to root and put my installd ? :grin:
[2017-08-29 19:09:00]
bin4ry :
And maybe PlayStore too :joy:
[2017-08-29 19:35:11]
hostile :
@bin4ry yes... that was the plan. LOL at PlayStore
[2017-08-29 19:35:13]
hostile :
that would be EPIC
[2017-08-29 19:35:39]
hostile :
OGCrystalSkyMod.zip is on the way !
[2017-08-29 19:40:57]
hostile :
@the_lord try this specific version... there are 32 vs 64 bit differences, and I found many of the example exploits did not work
[2017-08-29 19:41:08]
hostile :
I've been fucking with c0w for days now... this is first I saw it work
[2017-08-29 19:41:52]
hostile :
@the_lord where did the mkdevsh, SuperSU.apk, supolicy, installd, etc all come from in your package?
[2017-08-29 19:42:21]
hostile :
I know install-recovery.sh, debuggerd, su, supolicy, libsupol.so, etc are common in post rooting setups. I just wanted to know the specific pedigree of yours.
[2017-08-29 19:44:23]
hostile :
adb shell 'getprop ro.product.cpu.abilist' when you get a chance
[2017-08-29 21:17:14]
digital1 :
This is brilliant guys :+1::+1::+1::+1:
[2017-08-29 21:35:59]
the_lord :
@hostile
SuperSU.apk downloaded from <https://s3-us-west-2.amazonaws.com/supersu/download/zip/SuperSU-v2.79-20161205182033.apk>
installd patched by @bin4ry
and all others pulled from screen while kingoroot was patching
but the mkdevsh is modified by me
[2017-08-29 22:55:37]
hostile :
This is all documented in FastRoot.class for Kingroot FWIW . <https://forum.xda-developers.com/showpost.php?p=70801248&postcount=898>
[2017-08-30 01:21:15]
hostile :
$ ./LastSkyCry.sh
dirtycow: 1 file pushed. 2.3 MB/s (47568 bytes in 0.020s)
run-as: 1 file pushed. 2.2 MB/s (44800 bytes in 0.019s)
SlackOGCrystalSkyLove.sh: 1 file pushed. 0.1 MB/s (441 bytes in 0.004s)
Running exploit, may take some time
WARNING: linker: /data/local/tmp/dirtycow: unused DT entry: type 0x6ffffffe arg 0x5f8
WARNING: linker: /data/local/tmp/dirtycow: unused DT entry: type 0x6fffffff arg 0x1
WARNING: linker: /system/bin/run-as: unused DT entry: type 0x6ffffffe arg 0x558
WARNING: linker: /system/bin/run-as: unused DT entry: type 0x6fffffff arg 0x1
Trying to run: /data/local/tmp/SlackOGCrystalSkyLove.sh
uid=0(root) gid=0(root) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)
remounting /system
mount: Operation not permitted
Enjoy the rooted CrystalSky, brought to you by your friendly neighborhood OGs!
[2017-08-30 01:21:23]
hostile :
need to fix the mounting of /system problem...
[2017-08-30 01:30:51]
hostile :
<https://github.com/MAVProxyUser/OriginalGangsterCow>
[2017-08-30 01:30:56]
hostile :
if anyone wants to follow along
[2017-08-30 01:36:23]
hostile :
This guy talks about the unable to remount problem...
[2017-08-30 01:36:23]
hostile :
<http://wenhua-shi.blogspot.com/2017/01/>
[2017-08-30 04:59:19]
hostile :
@here those of you that replaced installd with a simple mount -o remount... what version of Crystal Sky software are you on? I am on V02.02.09.00 and can't remount the /system partition as I mentioned above.
[2017-08-30 07:19:46]
opcode :
Same on 02.02.08.01
[2017-08-30 07:20:05]
opcode :
shell@zs600b:/ $ mount -o remount,rw /system
mount: Operation not permitted
[2017-08-30 07:21:11]
opcode :
nice GangsterCow btw ... :smile:
[2017-08-30 07:31:37]
bin4ry :
yeah you should remount when being root not shell
[2017-08-30 07:31:39]
bin4ry :
:wink:
[2017-08-30 07:35:35]
opcode :
this was just a test, if mount is permitted at CS without su
[2017-08-30 07:36:29]
bin4ry :
remount would not be permitted afaik
[2017-08-30 07:37:16]
opcode :
Dirtycow allows you to write to files, even if you have no permission to do so. Unfortunately there is no binary on the system with the suid bit set, so I could not replace this binary. (Other attempts on other Android devices replaced the run-as binary. This is not possible here). Another problem was, that the modification only last for the current boot, so I could not just modify boot scripts. I had to find a binary, that is executed as root while the system is running, preferably on demand. This binary is ip. Every time one modifies the network settings in the Fire TV gui, ip is executed as root. Yay. With that in mind, I replaced ip with a shell script, that deploys the su binary.
[2017-08-30 07:37:16]
opcode :
Good idea :
[2017-08-30 07:37:36]
opcode :
this is for amazon fire stick
[2017-08-30 07:38:39]
bin4ry :
@hostile please check if SELinux is activated, also it COULD be that they blocked it kernel wise or it is just a simple fuck up, try "mount -o rw /dev/blaba.... /system", sometimes remount is broken. So this is another idea. IF ALL FAILS -> install the recovery from the link i send to with a "dd" to the blockdevice dd if=/....../recovery.img of=/dev/...... then reboot into the recovery, from there all is possible :stuck_out_tongue:
[2017-08-30 07:40:14]
bin4ry :
@opcode why would that help? if you have run-as you can just put the su in place on the /system/ partition, all of that is not needed here on this device IMHO, you would want to have a proper su / Superuser.apk environment to work with. not a permanent root. If you want a permanent root just 06755 to the sh binary and you will be done :smile:
[2017-08-30 07:44:32]
bin4ry :
@hostile now i re-read your picture. What you should do is this file: <https://dji-rev.slack.com/files/bin4ry/F6U8SJQQ2/rec-installer.zip> Just follow the "instructions" :wink: it will push the recovery to the recovery partition with that "insecure" recovery you can work further
[2017-08-30 07:45:05]
bin4ry :
@hostile your friend is right, there are some manufacturers blocking this at kernel level, thats why you usually go the recovery way :slightly_smiling_face:
[2017-08-30 08:00:05]
opcode :
sure, flashing recovery will work. i find the dirtycow method way more elegant. :wink:
[2017-08-30 08:02:12]
bin4ry :
you did not understand correct. you still need an insecure recovery if they have blocked remounting at kernel level. So you can only write to system while you are in recovery. Dirtyc0w or not. Dirtyc0w then only gives you root which enables you to flash recovery from the shell
[2017-08-30 08:02:54]
bin4ry :
and if that is the case
[2017-08-30 08:03:06]
bin4ry :
then we can just flash recovery from rkandroid directly anyway :smile:
[2017-08-30 08:03:36]
bin4ry :
but still you can flash recovery from a root shell with the zip file i shared. so you don't need any windows PC
[2017-08-30 08:04:10]
bin4ry :
there might be other ways around the remount issue... but if they stopped remounting at kernel level it gets more complicated
[2017-08-30 08:11:56]
bin4ry :
on your older firmware we did not need it, dirtyc0w instead of kingo will be fine, then you can stop installd and remount rw system and change the installd then you are done :smile:
[2017-08-30 08:12:06]
bin4ry :
but in his more recent it seems to be a problem
[2017-08-30 08:12:25]
bin4ry :
so you will again end with a insecure recovery :wink:
[2017-08-30 08:21:50]
opcode :
in the end, it should be the easiest way for the end user to open up the CS. The update policy for OTA updates DJI provides is also a little hardcore in my eyes. flash recovery, wipe /system, flash boot etc
[2017-08-30 08:49:48]
opcode :
@bin4ry root@zs600b:/ # dev/flash_image recovery /dev/recovery.img
failed with error: -1
[2017-08-30 08:50:29]
opcode :
-rwxr-xr-x root root 885236 2017-08-30 10:43 flash_image
[2017-08-30 08:50:47]
opcode :
-rwx------ root root 4551242 2017-08-30 10:43 recovery.img
[2017-08-30 09:26:20]
digital1 :
The real big interest for users is 3rd party app installation now if that's with or with out root does not matter to a point imo.
[2017-08-30 10:22:41]
bin4ry :
True. You can only install fake packages (change package name) or you need to switch installd, to do that you need root again and on latest firmware most likely a recovery
[2017-08-30 11:47:08]
hostile :
@bin4ry headed to an IEP meeting for my son... SELinux is set to False when I did a check for it
[2017-08-30 11:51:19]
hostile :
will be back in a bit to rest recovery shits
[2017-08-30 12:11:57]
bin4ry :
i have an idea
[2017-08-30 12:12:19]
bin4ry :
@opcode @hostile please both send me your current rk30xxnand_ko.ko.3.10.0
[2017-08-30 12:12:25]
bin4ry :
should be laying around in /
[2017-08-30 12:12:30]
bin4ry :
will be back in 1 h
[2017-08-30 13:04:43]
bin4ry :
ok
[2017-08-30 13:04:45]
bin4ry :
no files yet :smile:
[2017-08-30 13:04:49]
bin4ry :
let me tell you what i think
[2017-08-30 13:04:52]
bin4ry :
this is the nand driver
[2017-08-30 13:04:58]
bin4ry :
most likely it has the protection in it
[2017-08-30 13:05:14]
bin4ry :
so it might be the solution to force load the "old" version driver on @hostile 's device
[2017-08-30 13:08:38]
bin4ry :
@hostile did you read getenforce value? is it 0 ?
[2017-08-30 13:08:39]
bin4ry :
try
[2017-08-30 13:08:45]
bin4ry :
setenforce 0
mount -o rw,remount /system
[2017-08-30 13:46:38]
hostile :
getenforce value was "False"
[2017-08-30 13:50:11]
hostile :
remounting /system
mount: Operation not permitted
try remounting /system (again)
setenforce: SELinux is disabled
mount: Operation not permitted
[2017-08-30 13:51:00]
hostile :
@bin4ry here is the nand driver
[2017-08-30 13:54:24]
bin4ry :
thx
[2017-08-30 13:54:30]
bin4ry :
need the old file from @opcode
[2017-08-30 13:54:31]
bin4ry :
:smile:
[2017-08-30 14:00:44]
bin4ry :
sadly this driver is a blob
[2017-08-30 14:01:21]
hostile :
:confused:
[2017-08-30 14:01:57]
hostile :
I'll try the: "mount -o rw /dev/blaba.... /system" here in a bit
[2017-08-30 14:02:46]
hostile :
may alternately be able to mkdir /data/local/fuckery
[2017-08-30 14:02:52]
hostile :
and mount /dev/blahblah /data/local/fuckery
[2017-08-30 14:03:02]
the_lord :
@hostile the binary named lordroot gives you instant root and mount is working fine
[2017-08-30 14:03:21]
hostile :
I need to double check on crystal sky...
[2017-08-30 14:03:34]
hostile :
and I still have yet to identify what exploit that actually is
[2017-08-30 14:03:42]
hostile :
I have qualms about running a binary that I can't compile the source to
[2017-08-30 14:04:05]
hostile :
IF we can identify it.... we can compile our own. I didn't wanna just give the binary you used out, since you had efforts to collect it as well.
[2017-08-30 14:04:33]
hostile :
once my battery charges I will check if on this current firmware I can remount /system with your exploit variant
[2017-08-30 14:05:00]
bin4ry :
lordroot ?
[2017-08-30 14:05:02]
hostile :
yeh
[2017-08-30 14:05:43]
bin4ry :
is it the extracted kingo exploit
[2017-08-30 14:05:44]
bin4ry :
?
[2017-08-30 14:05:49]
hostile :
yes
[2017-08-30 14:05:56]
bin4ry :
i see, can i have it aswell?
[2017-08-30 14:05:59]
bin4ry :
@the_lord ?
[2017-08-30 14:06:05]
the_lord :
yes sure
[2017-08-30 14:06:09]
bin4ry :
thx
[2017-08-30 14:07:01]
bin4ry :
@hostile did you actually try the lordroot ? does it enable you to remount? maybe it is just the new firmware version where they added the kernel driver
[2017-08-30 14:08:00]
hostile :
did a quick test and got root a few days ago, but did not try to remount
[2017-08-30 14:08:09]
bin4ry :
thx
[2017-08-30 14:08:11]
bin4ry :
files match
[2017-08-30 14:08:19]
bin4ry :
so it is not this driver
[2017-08-30 15:29:26]
hostile :
@here this is the result using the exploit @the_lord has captured from Kingroot computer based exploitation over USB.: shell@zs600b:/data/local/tmp/theLordPwn $ ./lordroot
sh: ./patch_script.sh: not found
max_:3 min:10 i_ret:0x20
#
F_SETPIPE_SZ 407
[+] Done target:dbad2ae0 overflowcheck:200000 map:16493 readv_error:58
[+] Done target:dbad2ae0 overflowcheck:deadbeef map:6573 readv_error:0
get_selinux_state -
- 0
shellcode_root_self i_pid:1216 ppid:1208 i_thread_info:da270000 i_task:d9d3f8c0 i_cred:dda76800 i_init_sid:0
fwrite is count 1 ./kok
shell@zs600b:/data/local/tmp/theLordPwn $ id
uid=0(root) gid=0(root) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)
[2017-08-30 15:30:47]
hostile :
shell@zs600b:/data/local/tmp/theLordPwn $ mount -o remount,rw /system
[2017-08-30 15:30:53]
hostile :
works sans complaint
[2017-08-30 15:35:46]
hostile :
lol so weird
[2017-08-30 15:35:47]
opcode :
great @hostile ! :slightly_smiling_face:
[2017-08-30 15:35:48]
hostile :
$ adb shell
cal/tmp/dirtycow /system/bin/run-as /data/local/tmp/run-as <
WARNING: linker: /data/local/tmp/dirtycow: unused DT entry: type 0x6ffffffe arg 0x5f8
WARNING: linker: /data/local/tmp/dirtycow: unused DT entry: type 0x6fffffff arg 0x1
shell@zs600b:/ $ run-as
WARNING: linker: run-as: unused DT entry: type 0x6ffffffe arg 0x558
WARNING: linker: run-as: unused DT entry: type 0x6fffffff arg 0x1
Trying to run: /data/local/tmp/SlackOGCrystalSkyLove.sh
# id
uid=0(root) gid=0(root) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)
# mount -o remount,rw /system
mount: Operation not permitted
[2017-08-30 15:37:02]
hostile :
I did this before connecting in...
[2017-08-30 15:37:03]
hostile :
shell@zs600b:/data/local/tmp $ cat > SlackOGCrystalSkyLove.sh
busybox sh
[2017-08-30 15:37:17]
the_lord :
i told you cowroot didn't work for me
[2017-08-30 15:37:31]
hostile :
thats fine... we need to understand what aspects are not working
[2017-08-30 15:37:44]
the_lord :
for that i extracted kingoroot tools
[2017-08-30 15:37:49]
hostile :
and I am not going to use the kingroot binary until I can identify exactly what exploit it is and have an analog for source
[2017-08-30 15:38:03]
opcode :
understandable
[2017-08-30 15:38:27]
the_lord :
for that also i didn't publish it coz i don't know how it is rooting
[2017-08-30 15:38:37]
hostile :
so number one goal for me... determine which exploit kingroot is using
[2017-08-30 15:38:59]
the_lord :
i have another binary which also can root
[2017-08-30 15:40:09]
opcode :
sniffing usb while rooting with kingo?
[2017-08-30 15:40:10]
bin4ry :
very strange
[2017-08-30 15:40:20]
bin4ry :
what kingo does different is that they modify the SELinux
[2017-08-30 15:40:29]
bin4ry :
but enforce is 0
[2017-08-30 15:40:32]
bin4ry :
so again strange
[2017-08-30 15:41:09]
bin4ry :
hostile
[2017-08-30 15:41:13]
bin4ry :
did you run with a proper su shell
[2017-08-30 15:41:17]
bin4ry :
or with this runas shell ?
[2017-08-30 15:41:21]
hostile :
runas shell
[2017-08-30 15:41:24]
hostile :
not invoked su yet
[2017-08-30 15:41:45]
bin4ry :
run the su from /data/local/tmp
[2017-08-30 15:41:52]
bin4ry :
give it sticky bit
[2017-08-30 15:41:58]
bin4ry :
and go outside the runas again
[2017-08-30 15:42:04]
bin4ry :
and gain root with su
[2017-08-30 15:42:08]
bin4ry :
from tmp folder
[2017-08-30 15:42:12]
bin4ry :
to have a proper su shell
[2017-08-30 15:42:25]
hostile :
# ./su
root@zs600b:/data/local/tmp # mount -o remount,rw /
mount: Operation not permitted
[2017-08-30 15:42:33]
bin4ry :
ok
[2017-08-30 15:42:35]
bin4ry :
worth a try
[2017-08-30 15:42:36]
bin4ry :
:smile:
[2017-08-30 15:42:40]
hostile :
hang on
[2017-08-30 15:42:46]
hostile :
-rwsr-sr-x shell shell 75364 2017-08-15 16:59 su
[2017-08-30 15:42:56]
hostile :
root@zs600b:/data/local/tmp # chown root su
chown: su: Operation not permitted
[2017-08-30 15:42:59]
hostile :
lol wtf
[2017-08-30 15:43:20]
hostile :
root@zs600b:/data/local/tmp # ls -al file
-rw-rw-rw- root root 0 2013-01-21 23:13 file
root@zs600b:/data/local/tmp # touch file
root@zs600b:/data/local/tmp # ls -al file
-rw-rw-rw- root root 0 2013-01-21 23:13 file
[2017-08-30 15:43:25]
hostile :
I'm like **kinda** root
[2017-08-30 15:43:27]
hostile :
heh
[2017-08-30 15:43:44]
bin4ry :
yeah
[2017-08-30 15:43:45]
bin4ry :
hm
[2017-08-30 15:43:46]
bin4ry :
strange
[2017-08-30 15:43:48]
bin4ry :
only kinda
[2017-08-30 15:43:50]
bin4ry :
:smile:
[2017-08-30 15:43:51]
hostile :
root@zs600b:/data/local/tmp # chown root file
(no problem)
[2017-08-30 15:44:04]
bin4ry :
chmod 06755 it
[2017-08-30 15:44:44]
hostile :
root@zs600b:/data/local/tmp # chmod 06755 file
root@zs600b:/data/local/tmp # ls -al file
-rwsr-sr-x root root 0 2013-01-21 23:13 file
[2017-08-30 15:48:53]
bin4ry :
please try getenforce inside and outside the run-as
[2017-08-30 15:49:16]
hostile :
shell@zs600b:/ $ getenforce
Disabled
[2017-08-30 15:49:25]
bin4ry :
ok
[2017-08-30 15:49:25]
hostile :
root@zs600b:/data/local/tmp # getenforce
Disabled
[2017-08-30 15:49:28]
bin4ry :
ok
[2017-08-30 15:50:34]
the_lord :
bin4ry don't get confused, my mkdevsh is not cleaned
[2017-08-30 15:50:57]
bin4ry :
ok
[2017-08-30 15:51:06]
bin4ry :
does the settings screen also display selinux as disabled ?
[2017-08-30 15:51:15]
bin4ry :
Settings > More > About Device
[2017-08-30 15:51:37]
the_lord :
unfortunately i don't have the p4p+ to check
[2017-08-30 15:51:38]
bin4ry :
just asking because this sounds soooooo much like SELinux
[2017-08-30 15:52:49]
bin4ry :
ok
[2017-08-30 15:53:09]
bin4ry :
etc / sysconfig / selinux
[2017-08-30 15:53:11]
bin4ry :
what has it ?
[2017-08-30 15:53:23]
bin4ry :
because in the ramdisk there is the selinux config too
[2017-08-30 15:53:27]
bin4ry :
in the boot.img
[2017-08-30 15:56:15]
hostile :
# busybox find / -name sysconfig 2>/dev/null
#
[2017-08-30 15:56:31]
hostile :
# busybox find / -name selinux 2>/dev/null
#
[2017-08-30 15:58:38]
bin4ry :
okokokok
[2017-08-30 15:58:39]
bin4ry :
:stuck_out_tongue:
[2017-08-30 15:59:17]
bin4ry :
so all we can say is that this cowroot gives a broken root shell
[2017-08-30 16:02:01]
hostile :
there is a /sepolicy file
[2017-08-30 16:02:35]
bin4ry :
that is what i am saying, it is in /
[2017-08-30 16:02:41]
bin4ry :
i see the ramdisk here
[2017-08-30 16:03:56]
bin4ry :
cat /sys/fs/selinux/enforce
[2017-08-30 16:04:03]
bin4ry :
would be the android folder iirc
[2017-08-30 16:04:32]
bin4ry :
but should do the same as getenforce anyway
[2017-08-30 16:06:02]
hostile :
sh: cat: /sys/fs/selinux/enforce: No such file or directory
[2017-08-30 16:06:18]
bin4ry :
yeah good
[2017-08-30 16:06:23]
bin4ry :
then selinux is really not running
[2017-08-30 16:07:34]
hostile :
cat selinux_version
Android/zs600b/zs600b:5.1.1/v0.0.9.0-98a777ae/gl30008172109:user/release-keysroot@zs600b
[2017-08-30 16:08:22]
hostile :
"mount u:object_r:system_server_service:s0" IF by chance that means something
[2017-08-30 16:09:41]
hostile :
Possible details on dirtyc0w policy issues here.
[2017-08-30 16:09:42]
hostile :
<https://github.com/matteoserva/dirtycow-arm32>
[2017-08-30 16:10:06]
hostile :
"you can dirtycow the default /sepolicy and trigger a reload"
[2017-08-30 16:10:08]
hostile :
sneaky!
[2017-08-30 16:11:49]
bin4ry :
cool
[2017-08-30 16:11:59]
bin4ry :
well it might be similar to what the kingoroot does
[2017-08-30 16:12:20]
bin4ry :
also afterwards they make sure all is finished off for the next boot with the bunch of files
[2017-08-30 16:52:54]
hostile :
@bin4ry I noted this from the kingroot exploit
[2017-08-30 16:52:56]
hostile :
"get_selinux_state -
- 0
shellcode_root_self i_pid:1216 ppid:1208 i_thread_info:da270000 i_task:d9d3f8c0 i_cred:dda76800 i_init_sid:0"
[2017-08-30 16:53:12]
hostile :
I wonder what this root_self function is doing...
[2017-08-30 16:58:06]
bin4ry :
Well let's extract the shellcode
[2017-08-30 17:03:42]
hostile :
my suspicion... is they are using CVE-2015-3636
[2017-08-30 17:06:47]
hostile :
looks like it definitely is patching sepolicy too
[2017-08-30 17:06:49]
bin4ry :
Would not explain the shellcode function you say they run.
[2017-08-30 17:07:13]
bin4ry :
Ah maybe more than one exploit in the binary
[2017-08-30 17:07:16]
hostile :
no it wouldn't... but I still wanna know the exact exploit they are using too
[2017-08-30 17:07:53]
bin4ry :
And then hold a few in the bin and decide which one to use on the environment
[2017-08-30 21:20:41]
hostile :
@bin4ry I see this in dmesg when the lordroot exploit runs
[2017-08-30 21:20:43]
hostile :
<4>[ 58.083789] qtaguid: ctrl_cmd_tag(): User space forgot to open /dev/xt_qtaguid? pid=1197 tgid=1197 uid=2000
<11>[ 82.091135] init: untracked pid 1199 exited with status 1
[2017-08-30 21:20:49]
hostile :
may be a clue for us
[2017-08-30 21:24:45]
hostile :
In the exploit is also... /proc/%d/net/xt_qtaguid/ctrl
failed open
[2017-08-30 21:25:17]
hostile :
so I bet this is a kernel exploit for this functionality?
[2017-08-30 21:26:57]
hostile :
@bin4ry here we go...
[2017-08-30 21:27:03]
hostile :
"The driver also exposes a control interface, with which a user can query the current sockets and their tags, along with the user-ID and process-ID from which the socket has been opened. This control interface is facilitated by a world-accessible file, under /proc/net/xt_qtaguid/ctrl."
[2017-08-30 21:27:05]
hostile :
<http://bits-please.blogspot.com/2015/08/effectively-bypassing-kptrrestrict-on.html>
[2017-08-30 21:27:21]
hostile :
<http://powerofcommunity.net/poc2016/x82.pdf>
[2017-08-30 21:29:35]
hostile :
it was stated that this technique "improve the stability of CVE-2015-3636 exploit"
[2017-08-31 00:36:46]
hostile :
<https://source.android.com/security/bulletin/2015-09-01>
[2017-08-31 01:01:34]
hostile :
@bin4ry this looks like where the exploit does something that enables /system ?
[2017-08-31 01:02:05]
hostile :
note the /proc/mounts and the /system
[2017-08-31 01:03:02]
hostile :
I also see a reference to: pvR_timewQ
[2017-08-31 01:03:40]
hostile :
<https://github.com/hitmoon/android-root-misc/blob/master/cve3636/becomeRoot.cpp#L118>
[2017-08-31 01:08:49]
hostile :
I notice after hitting xt_qtaguid/ctrl the exploit does indeed check a socket tag too
[2017-08-31 01:08:51]
hostile :
"sock=%lx tag=0x%llx"
[2017-08-31 01:43:59]
hostile :
fuck I wanna ID this exploit 100% soooo bad.
[2017-08-31 04:07:05]
hostile :
so back to the qtaguid shit...
[2017-08-31 04:07:12]
hostile :
this explains why it would be an attractive route
[2017-08-31 04:07:15]
hostile :
"This means that if, for example, we have a vulnerability that allows us to overwrite a specific kernel address (like the vulnerability presented in the previous blog post), we could simply:
Open a socket and tag it with "qtaguid"
Look for the socket's address within /proc/net/xt_qtaguid/ctrl
Overwrite the pointer to the "socket" structure to an address within our address-space
Populate the overwritten address with a dummy "socket" structure containing fully controller function pointers
Perform any operation on the socket (like closing it), in order to cause the kernel to execute our own code"
[2017-08-31 04:25:50]
hostile :
<https://hitcon.org/2016/CMT/slide/day1-r1-c-1.pdf>
[2017-08-31 04:46:38]
hostile :
Now... I wonder if this is the sort of shit that stops my mount of /system
[2017-08-31 04:46:54]
hostile :
<http://www.modaco.com/forums/topic/362803-cannot-mount-system-as-rw-even-as-root/?do=findComment&comment=2127880>
[2017-08-31 04:58:50]
hostile :
also @bin4ry I noticed in the /init scripts.. even though the kernel says selinux=disabled, they have seclabel definitions
[2017-08-31 04:58:52]
hostile :
<https://events.linuxfoundation.org/sites/events/files/slides/abs2014_seforandroid_smalley.pdf>
[2017-08-31 05:19:25]
hostile :
heh fuckers
[2017-08-31 05:19:27]
hostile :
<https://github.com/timwr/CVE-2016-5195/issues/9#issuecomment-255938197>
[2017-08-31 05:19:55]
hostile :
<https://github.com/timwr/CVE-2016-5195/issues/9#issuecomment-255939351>
[2017-08-31 05:20:10]
hostile :
"You can disable selinux in selinux. The init context can enable (or disable) it.
So wherever init is. Over write it"
[2017-08-31 05:27:18]
hostile :
This shit is starting to make sense now
[2017-08-31 05:33:59]
hostile :
shell@zs600b:/system/bin $ ls -alZ | grep toolbox | grep -v ">"
-rwxr-xr-x root shell u:object_r:toolbox_exec:s0 toolbox
shell@zs600b:/system/bin $ ls -al | grep mount
lrwxrwxrwx root root 2017-08-19 16:44 mount -> toolbox
lrwxrwxrwx root root 2017-08-19 16:44 umount -> toolbox
[2017-08-31 05:34:45]
hostile :
$ ls -alZ /system/bin/run-as
-rwxr-x--- root shell u:object_r:runas_exec:s0 run-as
[2017-08-31 05:38:05]
hostile :
I think the libsepol.a in lordroot is for sepolicy injection...
[2017-08-31 05:38:10]
hostile :
<https://bitbucket.org/joshua_brindle/sepolicy-inject>
[2017-08-31 05:44:25]
hostile :
@bin4ry looks like we just need to maneuver around the /init selinux domain shit.... this does so in a fashion that triggers recovery like you are seeking to do. <https://github.com/jcadduono/android_external_dirtycow>
[2017-08-31 05:44:48]
hostile :
the various "contexts" these binaries run in are interesting
[2017-08-31 15:14:07]
opcode :
@hostile could you pls check, if fastboot sees your device on OSX? adb boot recovery followed by fastboot devices gives me no devices.
[2017-08-31 15:24:59]
hostile :
yeh... battery is dead atm
[2017-08-31 15:32:23]
opcode :
lol
[2017-08-31 19:04:59]
hostile :
I'm going to take a stab at replacing /system/bin/app_process32 next
[2017-08-31 19:36:02]
opcode :
I'm looking at the boot.img from the OTA at the moment. trying to build a custom update.zip to make update for rooted CS easy with already included Play Store while keeping root. Seems like custom adb is used, no policies found in init.rc / default.prop.
[2017-08-31 19:39:11]
opcode :
Already installed custom recovery @bin4ry provided via dd. But as long as I don't have working fastboot into recovery I will not experiment further. :smile:
[2017-08-31 19:58:13]
hostile :
LOL I overwrote app_process32... and shit cascaded in crashing all over the place
[2017-08-31 19:58:44]
hostile :
<https://github.com/timwr/CVE-2016-5195/issues/9#issuecomment-256373864>
[2017-08-31 19:59:05]
hostile :
same here... the Crystal Sky GUI just took a shit... and all I have is the boot logo sitting on the screen
[2017-08-31 19:59:14]
hostile :
(still have adb root access tho)
[2017-08-31 19:59:29]
hostile :
the recovery overwrite scares me!
[2017-08-31 19:59:33]
hostile :
avoiding it
[2017-08-31 20:27:35]
opcode :
Problem is, no custom recovery=no updates. The ota wipes the whole CS.
[2017-08-31 20:41:00]
hostile :
"recovery=no updates" not familiar with that one
[2017-08-31 20:45:15]
bin4ry :
Opcode did the DD overwrite work? Actually a custom recovery is the safest way
[2017-08-31 20:46:00]
opcode :
Yes, worked fine with dd. But still no fastboot devices present
[2017-08-31 20:46:37]
hostile :
@bin4ry we may be able to do a "Temporal root" too... I think we can use Dirtyc0w to replace /system/bin/installd
[2017-08-31 20:47:08]
bin4ry :
Yeah would be good
[2017-08-31 20:47:15]
hostile :
on reboot said installd will be replaced tho... (as shit does with dirtyc0w)
[2017-08-31 20:47:29]
bin4ry :
Opcode: Ok so you can also use the recover, yes?
[2017-08-31 20:47:34]
hostile :
APks we installed would be legit tho right?
[2017-08-31 20:47:53]
bin4ry :
If you replace installd you can install what you like
[2017-08-31 20:49:21]
opcode :
@bin4ry just to clarify: if I want to keep su and the other stuff, i need to mod the update.zip and to get the system accepting the unsigned zip i need custom recovery, right?
[2017-08-31 20:49:48]
bin4ry :
Correct, did you boot into the recovery yet?
[2017-08-31 20:49:58]
opcode :
It gives me the black screen again, no recovery menu
[2017-08-31 20:50:05]
bin4ry :
@hostile custom recovery is actually the safest way
[2017-08-31 20:50:11]
bin4ry :
I was fearing that
[2017-08-31 20:50:25]
bin4ry :
The chipset is the same but it may still be a bit different
[2017-08-31 20:50:43]
bin4ry :
I can try to pack one with the kernel I extracted from the recovery image
[2017-08-31 20:50:52]
bin4ry :
Then it will work :grin:
[2017-08-31 20:50:59]
opcode :
But I think I should be safe without menu as long as fastboot would be working and I would be able to flash unsigned stuff.
[2017-08-31 20:51:21]
bin4ry :
We need it working right
[2017-08-31 20:51:35]
hostile :
we also need to test USB keyboard
[2017-08-31 20:52:03]
opcode :
If you can point me to the correct twrp recovery it would be great.
[2017-08-31 20:52:25]
bin4ry :
You have it already
[2017-08-31 20:52:42]
bin4ry :
Only extract the ramdisk with rockchip tools
[2017-08-31 20:52:55]
bin4ry :
And repack it with kernel from original ramdisk
[2017-08-31 20:53:01]
hostile :
This installd from Auth 10th is the way to go, right?
[2017-08-31 20:53:04]
bin4ry :
Also make init scripts like in original
[2017-08-31 20:53:17]
bin4ry :
@hostile yes
[2017-08-31 20:53:25]
bin4ry :
That is the file I patches
[2017-08-31 20:53:29]
bin4ry :
Patched
[2017-08-31 20:53:43]
opcode :
Huh? Didn't you say the recovery menu should come up?
[2017-08-31 20:53:44]
bin4ry :
It will disable the package name limit
[2017-08-31 20:54:03]
bin4ry :
Yes it should. But you said it does not
[2017-08-31 20:54:45]
opcode :
Ok, then im on the right way. Will install dual boot Windows tomorrow and try fastboot with windows.
[2017-08-31 20:55:19]
bin4ry :
I am lost now. Fastboot != Recovery
[2017-08-31 20:55:36]
bin4ry :
If you have the recovery installed you should be able to boot into recovery with
[2017-08-31 20:55:43]
bin4ry :
Reboot recovery
[2017-08-31 20:55:46]
bin4ry :
From the shell
[2017-08-31 20:57:03]
opcode :
As I told you, I don't get the recovery menu. Maybe this is "normal" for the CS. When in recovery with fastboot devices i should see the CS, correct?
[2017-08-31 20:58:12]
bin4ry :
No
[2017-08-31 20:58:16]
bin4ry :
Only ADB
[2017-08-31 20:58:30]
bin4ry :
Fastboot is before recovery it is bootloader
[2017-08-31 20:58:36]
bin4ry :
And no you should see the menu
[2017-08-31 20:58:42]
bin4ry :
If not something is wrong
[2017-08-31 20:59:03]
opcode :
Ok to clarify : adb reboot recovery
[2017-08-31 20:59:12]
opcode :
Screen gets black
[2017-08-31 20:59:24]
opcode :
ADB devices : no devices
[2017-08-31 20:59:35]
opcode :
Fastboot devices : no devices
[2017-08-31 21:00:01]
opcode :
Several pushes to power button : device reboots normal
[2017-08-31 21:00:29]
bin4ry :
Something wrong then. ADB devices should show the recovery device
[2017-08-31 21:00:44]
bin4ry :
Prolly kernel incompatible in the recovery image
[2017-08-31 21:00:56]
bin4ry :
Will do one tomorrow
[2017-08-31 21:01:08]
bin4ry :
With Cs kernel
[2017-08-31 21:01:33]
opcode :
Great. Thanks.
[2017-08-31 21:01:39]
hostile :
<https://dji-rev.slack.com/archives/C6K376JGZ/p1504192447000180>
[2017-08-31 21:01:42]
hostile :
checking now
[2017-08-31 21:02:26]
bin4ry :
Gn8
[2017-08-31 21:02:26]
opcode :
Also check adb devices, as @bin4ry mentioned
[2017-08-31 21:02:44]
opcode :
Night! :sleeping:
[2017-08-31 21:03:09]
hostile :
I see nothing over USB
[2017-08-31 21:03:39]
opcode :
Same for me. And you have to Original recovery.img
[2017-08-31 21:04:19]
hostile :
LOLOLOL
[2017-08-31 21:04:21]
hostile :
guys...
[2017-08-31 21:04:26]
hostile :
the touch screen works in recovery
[2017-08-31 21:04:28]
hostile :
ya fucking nerds
[2017-08-31 21:04:31]
opcode :
???
[2017-08-31 21:04:44]
hostile :
you can navigate the menu with your fingers by swiping
[2017-08-31 21:04:46]
hostile :
up and down
[2017-08-31 21:04:57]
opcode :
Gimme a sec, I'll try
[2017-08-31 21:04:59]
opcode :
LOL
[2017-08-31 21:05:17]
kilrah :
BAHAHA
[2017-08-31 21:05:21]
hostile :
just sayin
[2017-08-31 21:05:25]
hostile :
LOLOLOLOLOLOLOLOL
[2017-08-31 21:05:38]
kilrah :
knew we needed more people trying things
[2017-08-31 21:05:51]
hostile :
#outsidetheboxthinker
[2017-08-31 21:07:13]
opcode :
Not working with the custom recovery
[2017-08-31 21:07:28]
opcode :
I'll Reflash original one
[2017-08-31 21:08:31]
bin4ry :
Cool. But still you need a recovery which allows unsigned zips. The original one does sadly not. Ok sleep now. Cu tomorrow
[2017-08-31 21:09:18]
opcode :
@hostile batt empty. Lol
[2017-08-31 21:09:30]
opcode :
Can you do a screenshot?
[2017-08-31 21:10:30]
hostile :
shell@zs600b:/data/local/tmp $ ./dirtycow /system/bin/installd ./installd
[2017-08-31 21:10:46]
hostile :
may have to wait... about to walk out the door and trying this installd overwrite first
[2017-08-31 21:10:52]
hostile :
what u need screenshotted?
[2017-08-31 21:11:05]
opcode :
The recovery menu
[2017-08-31 21:11:49]
hostile :
fuck yeah dirtyc0w on installd is gold
[2017-08-31 21:11:56]
opcode :
Heh
[2017-08-31 21:12:15]
hostile :
just used it to install the rowhammer example apk
[2017-08-31 21:12:16]
hostile :
$ adb install drammer.apk
drammer.apk: 1 file pushed. 4.1 MB/s (2336755 bytes in 0.537s)
pkg: /data/local/tmp/drammer.apk
Success
[2017-08-31 21:12:53]
opcode :
Yeah!
[2017-08-31 21:13:13]
hostile :
honestly
[2017-08-31 21:13:17]
hostile :
what else do we need?
[2017-08-31 21:13:24]
hostile :
if these apks stick after reboot
[2017-08-31 21:13:39]
kilrah :
not much really
[2017-08-31 21:13:40]
opcode :
Kick out the stock go
[2017-08-31 21:13:44]
hostile :
for **basics**... apart for more advanced peeps
[2017-08-31 21:13:55]
hostile :
opcode we can do that with patched installd now
[2017-08-31 21:13:59]
opcode :
Kick out dji_update
[2017-08-31 21:14:31]
opcode :
Sure? It all runs as system apps
[2017-08-31 21:14:40]
hostile :
ahh
[2017-08-31 21:15:44]
opcode :
i also Patched the stock CS Go App, it's a little bit different than the play store app
[2017-08-31 21:16:18]
hostile :
can you give me that .apk?
[2017-08-31 21:16:25]
hostile :
I wanna see if I can replace it
[2017-08-31 21:16:52]
hostile :
adb install -r -d your.apk outta do it
[2017-08-31 21:17:00]
opcode :
Sure, but you also have to kick out the odex stuff
[2017-08-31 21:18:30]
opcode :
Do a peek in /system/priv-app/
[2017-08-31 21:23:04]
hostile :
I just wanna see how installd handles it...
[2017-08-31 21:23:56]
opcode :
PM
[2017-08-31 21:27:38]
hostile :
ok so first round sans patch
[2017-08-31 21:27:39]
hostile :
$ adb install ./mod.apk
./mod.apk: 1 file pushed. 4.5 MB/s (133065030 bytes in 28.374s)
pkg: /data/local/tmp/mod.apk
Failure [INSTALL_FAILED_UPDATE_INCOMPATIBLE]
[2017-08-31 21:28:09]
opcode :
Maybe because it's 4.1.3 and you have a newer one installed
[2017-08-31 21:28:39]
hostile :
$ adb install -rd ./mod.apk
./mod.apk: 1 file pushed. 4.3 MB/s (133065030 bytes in 29.566s)
pkg: /data/local/tmp/mod.apk
Failure [INSTALL_FAILED_VERSION_DOWNGRADE]
[2017-08-31 21:28:40]
opcode :
Yeah sure, that's why it says "update"
[2017-08-31 21:29:48]
opcode :
Heh, it checks the keys also I think, mine is signed with test keys :wink:
[2017-08-31 21:30:30]
opcode :
You need to rm first the system go 4.
[2017-08-31 21:31:12]
hostile :
hang tight I haven't patched installd yet either
[2017-08-31 21:31:55]
opcode :
Adb hide?
[2017-08-31 21:32:01]
opcode :
<https://www.google.de/amp/s/amp.reddit.com/r/Android/comments/3eav7t/get_rid_of_unwanted_system_apps_adb_shell_pm_hide/>
[2017-08-31 21:33:37]
hostile :
which package is yours package:dji.pilot or package:dji.go.v4
[2017-08-31 21:33:50]
hostile :
package:com.dji.industry.pilot
[2017-08-31 21:34:27]
opcode :
Go.v4
[2017-08-31 21:34:39]
hostile :
$ adb uninstall dji.go.v4
Failure [DELETE_FAILED_INTERNAL_ERROR]
[2017-08-31 21:34:59]
hostile :
replace em with dirtycow ? lol
[2017-08-31 21:35:05]
opcode :
LOL
[2017-08-31 21:35:29]
opcode :
What is industry pilot?
[2017-08-31 21:35:32]
hostile :
no clue
[2017-08-31 21:35:48]
opcode :
There should be Go,go4,pilot
[2017-08-31 21:36:49]
opcode :
Could you list priv-app folder pls?
[2017-08-31 21:38:36]
hostile :
This has been updated to provide temporal installd patch... so you can install whatever
[2017-08-31 21:38:37]
hostile :
<https://github.com/MAVProxyUser/OriginalGangsterCow/blob/master/README.md>
[2017-08-31 21:38:41]
hostile :
until reboot
[2017-08-31 21:41:26]
opcode :
Ah. Dji Pilot=go3, industrypilot=the beta pilot app
[2017-08-31 21:42:50]
opcode :
One step further. :blush: have to sleep, gn8
[2017-09-01 01:11:03]
hostile :
I just tried to overwrite /init... phone reboots if you do it wrong. =]
[2017-09-01 01:11:09]
hostile :
details here:
[2017-09-01 01:11:10]
hostile :
<http://www.redtile.io/security/galaxy/>
[2017-09-01 05:36:49]
bin4ry :
@hostile you using my installd ? then install should work without a problem
[2017-09-01 05:38:53]
bin4ry :
@hostile nevermind just read through the backlog :stuck_out_tongue: But IF you update the modification to the System partition will be gone. i.e. they will overwrite again with their installd, that is why we need a custom recovery, so you can install your own updates and remove stuff you do not want :slightly_smiling_face: If you now install an OTA the original recovery will just overwrite any changes on the system partition IF there are the same files inside the update package, so for installd , it will be killed due to overwrite
[2017-09-01 06:04:59]
bin4ry :
@hostile @opcode found this: <https://github.com/linuxerwang/rkflashkit>
[2017-09-01 06:37:38]
bin4ry :
ok
[2017-09-01 06:37:42]
bin4ry :
i rebuild a recovery
[2017-09-01 06:37:43]
bin4ry :
:slightly_smiling_face:
[2017-09-01 06:38:44]
bin4ry :
i am pretty sure this will work, the CS seems to use another format (android standard) where rockchip devices before used a different img standard
[2017-09-01 06:39:09]
bin4ry :
so @opcode @hostile please try to dd this onto the recovery partition
[2017-09-01 06:45:47]
opcode :
One more coffee and I'll try :-)
[2017-09-01 06:46:00]
bin4ry :
cool thx
[2017-09-01 06:46:01]
bin4ry :
:smiley:
[2017-09-01 06:46:54]
bin4ry :
thing is the "old" rockchip format uses a completely different structure and the recovery from this CrewRK guys uses this "old" rockchip structure. i took a look into the recovery.img from the OTA and saw that it is the "normal" android structure, with kernel and ramdisk
[2017-09-01 06:47:15]
bin4ry :
also it has a second ramdisk-like part, with bootlogo but i did not touch this
[2017-09-01 06:47:40]
bin4ry :
so i did a mix of both, used the original recovery and changed the binaries and edited the scripts a little
[2017-09-01 06:48:40]
bin4ry :
i hope the binary works, but if not i can still do something different :wink: if this fails i do the "hardcore" way and give you just adb root in the unmodified recovery, since i don't have the device and i cannot this easy setup a good device tree without to debug and recompile the recovery binary all the time :smile:
[2017-09-01 06:55:29]
opcode :
ah! wondered where they were hiding the first bootlogo. shouldn't that be in the ramdisk of boot.img?
[2017-09-01 07:05:25]
bin4ry :
sure it is there
[2017-09-01 07:06:25]
bin4ry :
but in another part
[2017-09-01 07:06:33]
bin4ry :
like ramdisk 2 or something like this
[2017-09-01 07:06:34]
bin4ry :
:smile:
[2017-09-01 07:06:45]
opcode :
bash-3.2$ adb reboot recovery
bash-3.2$ adb devices
List of devices attached
bash-3.2$ fastboot devices
bash-3.2$
[2017-09-01 07:06:47]
opcode :
:disappointed:
[2017-09-01 07:06:56]
bin4ry :
no picture ?
[2017-09-01 07:06:59]
opcode :
nope
[2017-09-01 07:07:17]
bin4ry :
when you do the very same with the original recovery.img you see a picture on the screen?
[2017-09-01 07:07:49]
opcode :
ill try. hostile said, he could use the touchscreen.
[2017-09-01 07:08:08]
bin4ry :
yes, should be possible
[2017-09-01 07:08:15]
bin4ry :
new recoveries can be used through swiping
[2017-09-01 07:08:19]
bin4ry :
or hardware buttons
[2017-09-01 07:08:33]
bin4ry :
please make sure you are able to boot into the original recovery first
[2017-09-01 07:08:52]
opcode :
gimme a min
[2017-09-01 07:08:54]
bin4ry :
sure
[2017-09-01 07:13:23]
opcode :
works
[2017-09-01 07:13:26]
opcode :
i have the menu
[2017-09-01 07:14:43]
opcode :
but still cannot be seen by adb
[2017-09-01 07:14:46]
opcode :
bash-3.2$ adb devices
List of devices attached
bash-3.2$
[2017-09-01 07:15:06]
bin4ry :
yeah original has no adb
[2017-09-01 07:15:13]
bin4ry :
ok gimme some minutes i will try something
[2017-09-01 07:15:20]
opcode :
:slightly_smiling_face:
[2017-09-01 07:27:42]
bin4ry :
@opcode
[2017-09-01 07:28:10]
opcode :
rebooting right now ....
[2017-09-01 07:28:16]
bin4ry :
ah ok :smile:
[2017-09-01 07:28:28]
bin4ry :
if this works i will patch the original recover bin to skip the keycheck :smile:
[2017-09-01 07:28:42]
opcode :
nope
[2017-09-01 07:28:46]
opcode :
black screen
[2017-09-01 07:28:49]
bin4ry :
oh
[2017-09-01 07:28:52]
bin4ry :
ok
[2017-09-01 07:29:01]
bin4ry :
then the problem is in the re-building of the img
[2017-09-01 07:29:16]
opcode :
additional key check?
[2017-09-01 07:29:34]
bin4ry :
don't think so
[2017-09-01 07:29:53]
bin4ry :
fall back to your original for now
[2017-09-01 07:29:59]
opcode :
yap
[2017-09-01 07:30:07]
bin4ry :
problem is that i do not have this much time today :smile:
[2017-09-01 07:30:15]
bin4ry :
so i am not able to do another one
[2017-09-01 07:30:31]
opcode :
no worries :slightly_smiling_face:
[2017-09-01 07:33:19]
bin4ry :
:wink:
[2017-09-01 07:33:38]
bin4ry :
you are already equipped now with the installd and stuff, so you can be happy :smile:
[2017-09-01 07:35:07]
bin4ry :
@hostile reading through the backlog, your system image has odex files. this means the apk has the dex part split out. To install a new version of the same app you have to remove or deactivate the system-app first! Due to key-mismatch you cannot update from the original version. So what you need to do is remove the old version from /system/priv-app or deactivate it from Android's menu under settings -> apps -> AppName
[2017-09-01 07:35:17]
opcode :
yeah, but still updates missing. but i think the way for public is, as you said : flash recovery, mod update.zip to include root, playstore, modded go 4, disable those dji_services etc.
[2017-09-01 07:35:31]
bin4ry :
yeah, but why do you want to update anyway?
[2017-09-01 07:35:51]
bin4ry :
there is nothing different as far as i can tell except some dji bins
[2017-09-01 07:36:01]
opcode :
several compass problems got fixed etc
[2017-09-01 07:36:04]
bin4ry :
most likely they are only updating dji go
[2017-09-01 07:36:05]
bin4ry :
ah really?
[2017-09-01 07:36:09]
bin4ry :
then just update and re-root
[2017-09-01 07:36:10]
opcode :
jerky compass
[2017-09-01 07:36:18]
bin4ry :
you don't even need to re-root
[2017-09-01 07:36:25]
bin4ry :
you only need to re install installd
[2017-09-01 07:36:30]
bin4ry :
root should stay
[2017-09-01 07:36:50]
opcode :
no, i have such a nice setup right now. including modded hosts :wink:
[2017-09-01 07:37:09]
bin4ry :
hah, ok, do you have compass problems ?
[2017-09-01 07:37:23]
opcode :
it jerks around a little, not too much of a problem
[2017-09-01 07:37:49]
opcode :
<https://forum.dji.com/thread-109767-1-1.html>
[2017-09-01 07:38:00]
bin4ry :
maybe you should extract some files from the OTA and update them manually on your device
[2017-09-01 07:38:32]
opcode :
can i just rm and rewrite the stuff in priv-app?
[2017-09-01 07:38:50]
bin4ry :
in priv-app ? sure but what you want to do there ?
[2017-09-01 07:39:02]
opcode :
update pilot beta
[2017-09-01 07:39:25]
bin4ry :
ah, yes you can just overwrite it with the new files from the new package since they are odex too
[2017-09-01 07:40:12]
bin4ry :
also i would update the "firmware" folder maybe it fixes your compass problem
[2017-09-01 07:40:13]
bin4ry :
:wink:
[2017-09-01 07:40:14]
opcode :
ahhhh important: where in the android system can i find the script that starts apks with booting?
[2017-09-01 07:40:33]
bin4ry :
there is no script for that
[2017-09-01 07:40:33]
opcode :
is that in the boot.img?
[2017-09-01 07:41:48]
opcode :
djiupdate and system-upgrade get started with booting, want to kick them out.
[2017-09-01 07:42:39]
bin4ry :
they will receive the boot complete intent and start themselves then
[2017-09-01 07:42:49]
bin4ry :
just deactivate them from the android menu
[2017-09-01 07:43:10]
bin4ry :
settings -> apps -> find the app and click deactivate
[2017-09-01 07:43:57]
opcode :
yeah, that's the way i handle it now.
[2017-09-01 07:44:41]
bin4ry :
yep that is how you should do it
[2017-09-01 07:44:51]
bin4ry :
there is nothing like autostart scripts for UI apps on android
[2017-09-01 07:44:55]
bin4ry :
all works with intents etc
[2017-09-01 07:48:12]
opcode :
ok, thanks
[2017-09-01 13:23:34]
hostile :
@bin4ry "they will overwrite again with their installd, that is why we need a custom recovery" yes... BUT... with a Temporal installd... we can install any APK we want... and reboot and it is still there, no custom recovery needed, unless you want root with proper su access and non selinux limited contexts.
[2017-09-01 13:25:15]
bin4ry :
yes correct
[2017-09-01 13:38:06]
hostile :
I **THINK** this technique should work... <https://forum.xda-developers.com/android/software-hacking/root-tool-dirtycow-apk-adb-t3525120>
[2017-09-01 13:38:18]
hostile :
also looking at patching /init still... but that technique is fucked!
[2017-09-01 13:39:08]
hostile :
nonetheless still confused as to how the SELinux contexts are being enforced even though it is set to "off". Wondering if there are gradients of how enabled it is... the presence of the /se* files for example implies a policy DOES exist.
[2017-09-01 13:53:12]
hostile :
the SD card attack against vold should be reproducible
[2017-09-01 13:54:27]
hostile :
alternate details here on patching /init
[2017-09-01 14:33:24]
hostile :
more detail on SELinux stuff I **think** we are bumping into
[2017-09-01 14:33:25]
hostile :
<https://su.chainfire.eu/#selinux-detection>
[2017-09-01 15:44:57]
opcode :
just half-bricked my CS. played around with the pilot app, tried to install the newer version. now the launcher went nuts, crashing all the time. good time to pull the update over, reroot with kingoroot and sniff usb while rooting. :slightly_smiling_face:
[2017-09-01 15:48:13]
hostile :
lol
[2017-09-01 15:48:19]
hostile :
whoops
[2017-09-01 17:12:07]
johnhoving :
Newbie here. I am guessing that this process is for experienced people and not for the faint of heart. I was really interested in using my crystalsky with my Hoover and dobby drone apps. But maybe an easier method will come along at some point?
[2017-09-01 17:14:18]
kilrah :
the whole point of the discussion here is figuring out how to do it reliably so it can be packaged in an easier method…
[2017-09-01 17:16:06]
hostile :
@johnhoving we just released the easy method.... <https://twitter.com/d0tslash/status/903660280588247040>
[2017-09-01 17:16:32]
hostile :
@johnhoving run OriginalGangsterCow... then just install your dobby app via "adb install"
[2017-09-01 17:21:35]
opcode :
updated to 09.00, my installed apps are still there, google play not working, su gone.
[2017-09-01 17:22:51]
johnhoving :
Thanks for the information. Do I do this on an SD card? Is it stable? Would this void warranty or can unit be retired to factory settings?
[2017-09-01 17:23:11]
hostile :
no, sure, no, and yes
[2017-09-01 17:23:26]
hostile :
@opcode OGCow it and reinstall GooglePlay?
[2017-09-01 17:23:37]
hostile :
should be able to install apps until reboot
[2017-09-01 17:23:43]
hostile :
(when installd is replaced)
[2017-09-01 17:24:00]
johnhoving :
No to as card?
[2017-09-01 17:24:03]
opcode :
yes. last time i flashed the google stuff with opengapps
[2017-09-01 17:24:07]
johnhoving :
Sd
[2017-09-01 17:24:18]
hostile :
all questions answered in order asked
[2017-09-01 17:24:19]
hostile :
=]
[2017-09-01 17:24:24]
hostile :
No you do not run this from an sd card
[2017-09-01 17:24:36]
hostile :
you run it from your computer with CS connected via USB
[2017-09-01 17:24:40]
johnhoving :
From the unit itself?
[2017-09-01 17:24:47]
opcode :
@hostile i wrote down the versions that work, if you want to try: google account manager 5.1.1-2168912, google services framework 5.1.1-2168912, google play services 11.3.04 (238-161736131), google play store 8.1.27.S-all (0) (PR) 164542306
[2017-09-01 17:25:00]
hostile :
drop an apk here if you have em @opcode
[2017-09-01 17:25:10]
hostile :
or link me to em
[2017-09-01 17:25:12]
hostile :
I'll test
[2017-09-01 17:25:45]
johnhoving :
Ahhhh. can u do it with a Mac?
[2017-09-01 17:26:11]
hostile :
it was written on a Mac
[2017-09-01 17:26:19]
johnhoving :
Thanks man
[2017-09-01 17:26:32]
hostile :
just pull the repo
[2017-09-01 17:26:37]
hostile :
and run ./LastSkyCry.sh
[2017-09-01 17:26:40]
hostile :
and you should be rocking
[2017-09-01 17:27:08]
johnhoving :
That’s above my pay grade :flushed:
[2017-09-01 17:28:29]
hostile :
no it isn't
[2017-09-01 17:28:33]
hostile :
pull your skirt up!
[2017-09-01 17:28:45]
hostile :
you on your mac now?
[2017-09-01 17:28:51]
hostile :
do you have your CS now?
[2017-09-01 17:29:04]
johnhoving :
Give me a second
[2017-09-01 17:29:06]
hostile :
k
[2017-09-01 17:33:22]
johnhoving :
Ok both in front of me
[2017-09-01 17:39:42]
johnhoving :
I have cs plugged into macbook but don’t see it
[2017-09-01 17:46:28]
johnhoving :
I’m lost!
[2017-09-01 17:52:15]
johnhoving :
You still there?
[2017-09-01 17:52:21]
hostile :
sorry @johnhoving took a shower
[2017-09-01 17:52:28]
hostile :
power CS on...
[2017-09-01 17:52:31]
hostile :
unplug USB
[2017-09-01 17:52:33]
hostile :
plug it back in
[2017-09-01 17:52:37]
hostile :
type "adb devices"
[2017-09-01 17:53:05]
kilrah :
a step 0: install adb might be needed :slightly_smiling_face:
[2017-09-01 17:53:46]
hostile :
or "hit command space then type terminal and hit enter"
[2017-09-01 17:54:18]
hostile :
install brew? (if you are lazy)
[2017-09-01 17:54:23]
hostile :
/usr/bin/ruby -e "$(curl -fsSL <https://raw.githubusercontent.com/Homebrew/install/master/install>)"
[2017-09-01 17:54:29]
johnhoving :
When I power back on it just goes to the same home screen
[2017-09-01 17:54:36]
hostile :
that is fine...
[2017-09-01 17:54:41]
hostile :
we want it there
[2017-09-01 17:54:50]
hostile :
so do you have "adb" installed?
[2017-09-01 17:54:52]
hostile :
is the first question
[2017-09-01 17:55:05]
hostile :
open up terminal
[2017-09-01 17:55:11]
hostile :
and type "adb devices" on your Mac...
[2017-09-01 17:56:31]
johnhoving :
Not found
[2017-09-01 17:56:53]
hostile :
no devices found or adb command not found?
[2017-09-01 17:57:12]
johnhoving :
Command not found
[2017-09-01 17:57:19]
hostile :
lets try brew
[2017-09-01 17:57:26]
hostile :
type "brew"
[2017-09-01 17:57:58]
johnhoving :
Same command not found
[2017-09-01 17:58:04]
hostile :
lets do this
[2017-09-01 17:58:05]
johnhoving :
Oh boy
[2017-09-01 17:58:09]
hostile :
/usr/bin/ruby -e "$(curl -fsSL <https://raw.githubusercontent.com/Homebrew/install/master/install>)"
[2017-09-01 17:58:13]
hostile :
relax...
[2017-09-01 17:58:16]
hostile :
this is fine
[2017-09-01 17:59:33]
johnhoving :
Do I enter all that in terminal
[2017-09-01 18:02:50]
hostile :
yes
[2017-09-01 18:02:54]
hostile :
that whole command
[2017-09-01 18:03:32]
johnhoving :
Done
[2017-09-01 18:06:44]
hostile :
great
[2017-09-01 18:07:11]
hostile :
type:
[2017-09-01 18:07:20]
hostile :
brew install caskroom/cask/android-sdk
[2017-09-01 18:07:44]
hostile :
when done you should get the adb command
[2017-09-01 18:07:52]
hostile :
and "adb devices" should work
[2017-09-01 18:11:03]
johnhoving :
nothing seems to be happening after i typed that in
[2017-09-01 18:16:10]
opcode :
did something happen when you typed brew install caskroom/cask/android-sdk
[2017-09-01 18:16:12]
opcode :
?
[2017-09-01 18:16:23]
johnhoving :
nothing
[2017-09-01 18:17:02]
hostile :
"brew search android-sdk"
[2017-09-01 18:17:03]
johnhoving :
I tried to do it again closed terminal and reopened no joy
[2017-09-01 18:17:17]
hostile :
can you paste screen shots please?
[2017-09-01 18:17:21]
hostile :
or paste actual output
[2017-09-01 18:17:47]
opcode :
@hostile WARNING: linker: /data/local/tmp/dirtycow: unused DT entry: type 0x6ffffffe arg 0x5f8
WARNING: linker: /data/local/tmp/dirtycow: unused DT entry: type 0x6fffffff arg 0x1
./LastSkyCry.sh: line 8: unexpected EOF while looking for matching `"'
./LastSkyCry.sh: line 9: syntax error: unexpected end of file
[2017-09-01 18:17:59]
hostile :
bad "
[2017-09-01 18:18:00]
hostile :
one sec
[2017-09-01 18:18:01]
hostile :
...
[2017-09-01 18:18:06]
opcode :
mooohhh made my Cs reboohhhth :slightly_smiling_face:
[2017-09-01 18:19:03]
hostile :
git pull @opcode
[2017-09-01 18:20:52]
hostile :
wrong image I assume @johnhoving =]
[2017-09-01 18:21:15]
johnhoving :
whoops sorry
[2017-09-01 18:21:35]
hostile :
some how you missed a "
[2017-09-01 18:21:39]
hostile :
hit ctrl +c
[2017-09-01 18:21:43]
hostile :
your terminal is fucked up
[2017-09-01 18:21:49]
hostile :
or re-open it
[2017-09-01 18:21:57]
opcode :
bash-3.2$ ./LastSkyCry.sh
dirtycow: 1 file pushed. 1.9 MB/s (47568 bytes in 0.024s)
installd: 1 file pushed. 2.0 MB/s (38424 bytes in 0.018s)
Running exploit, may take some time
WARNING: linker: /data/local/tmp/dirtycow: unused DT entry: type 0x6ffffffe arg 0x5f8
WARNING: linker: /data/local/tmp/dirtycow: unused DT entry: type 0x6fffffff arg 0x1
Install what ever you want now via 'adb install'
bash-3.2$
[2017-09-01 18:22:01]
opcode :
:slightly_smiling_face:
[2017-09-01 18:22:25]
hostile :
when you ran the command to install brew... did it install @johnhoving ?
[2017-09-01 18:22:29]
hostile :
it should have looked like this
[2017-09-01 18:22:31]
hostile :
$ /usr/bin/ruby -e "$(curl -fsSL <https://raw.githubusercontent.com/Homebrew/install/master/install>)"
==> This script will install:
/usr/local/bin/brew
/usr/local/share/doc/homebrew
/usr/local/share/man/man1/brew.1
/usr/local/share/zsh/site-functions/_brew
/usr/local/etc/bash_completion.d/brew
/usr/local/Homebrew
Press RETURN to continue or any other key to abort
==> /usr/bin/sudo /bin/mkdir -p /Library/Caches/Homebrew
Password:
==> /usr/bin/sudo /bin/chmod g+rwx /Library/Caches/Homebrew
==> /usr/bin/sudo /usr/sbin/chown kfinisterre /Library/Caches/Homebrew
==> Downloading and installing Homebrew...
remote: Counting objects: 70, done.
remote: Compressing objects: 100% (34/34), done.
remote: Total 70 (delta 59), reused 42 (delta 34), pack-reused 0
Unpacking objects: 100% (70/70), done.
From <https://github.com/Homebrew/brew>
+ daa0ea4b...81877768 master -> origin/master (forced update)
HEAD is now at 81877768 Merge pull request #3112 from mistydemeo/search_online_failure
Updated 3 taps (caskroom/cask, homebrew/core, homebrew/science).
==> Cleaning up /Library/Caches/Homebrew...
==> Migrating /Library/Caches/Homebrew to /Users/kfinisterre/Library/Caches/Homebrew...
==> Deleting /Library/Caches/Homebrew...
==> New Formulae
erlang@17 homebrew/science/lrsim
[2017-09-01 18:22:32]
hostile :
...
[2017-09-01 18:22:49]
hostile :
did it look like that @johnhoving ?
[2017-09-01 18:23:03]
hostile :
@opcode does "adb install" rock out now for you?
[2017-09-01 18:23:46]
opcode :
yap. works! installing google stuff right now
[2017-09-01 18:24:14]
johnhoving :
nope!
[2017-09-01 18:25:04]
opcode :
whoops. google framework constantly crashing
[2017-09-01 18:25:40]
hostile :
ok @johnhoving that means you mispasted something on the brew install
[2017-09-01 18:25:41]
hostile :
one second
[2017-09-01 18:25:54]
hostile :
go here
[2017-09-01 18:25:55]
hostile :
<https://brew.sh>
[2017-09-01 18:26:12]
hostile :
this is where the command I told you to type came from
[2017-09-01 18:26:24]
hostile :
copy and paste it from this web page... and type into terminal as it says
[2017-09-01 18:28:34]
johnhoving :
ok its installing
[2017-09-01 18:28:47]
johnhoving :
==> Next steps:
- Run `brew help` to get started
- Further documentation:
<https://docs.brew.sh>
Hoving-MacBook-11:~ hoving13$
[2017-09-01 18:29:08]
johnhoving :
finished
[2017-09-01 18:30:09]
opcode :
@hostile dont try to install the google stuff! im caught in a crash loop of the google framework
[2017-09-01 18:32:01]
johnhoving :
If you meant "android-sdk" specifically:
It was migrated from homebrew/core to caskroom/cask.
You can access it again by running:
brew tap caskroom/cask
Hoving-MacBook-11:~ hoving13$
[2017-09-01 18:32:44]
opcode :
yeah, run it "brew tap caskroom/cask"
[2017-09-01 18:33:16]
opcode :
they moved the sdk from brew to cask, thats why you get that message
[2017-09-01 18:33:22]
johnhoving :
with quotes?
[2017-09-01 18:33:26]
opcode :
no, without
[2017-09-01 18:33:59]
johnhoving :
Tapping caskroom/cask
Cloning into '/usr/local/Homebrew/Library/Taps/caskroom/homebrew-cask'...
remote: Counting objects: 3822, done.
remote: Compressing objects: 100% (3803/3803), done.
remote: Total 3822 (delta 37), reused 505 (delta 15), pack-reused 0
Receiving objects: 100% (3822/3822), 1.30 MiB | 0 bytes/s, done.
Resolving deltas: 100% (37/37), done.
Tapped 0 formulae (3,831 files, 4.1MB)
Hoving-MacBook-11:~ hoving13$
[2017-09-01 18:34:24]
johnhoving :
now what?
[2017-09-01 18:34:59]
opcode :
brew cask install android-platform-tools
[2017-09-01 18:35:38]
hostile :
or
[2017-09-01 18:35:39]
hostile :
brew install caskroom/cask/android-sdk
[2017-09-01 18:36:06]
hostile :
after that you should have "adb devices" working
[2017-09-01 18:39:49]
johnhoving :
Hoving-MacBook-11:~ hoving13$ adb devices
List of devices attached
1TSB3HTYO2 device
Hoving-MacBook-11:~ hoving13$
[2017-09-01 18:40:12]
johnhoving :
i think it is being recognized now.
[2017-09-01 18:40:29]
johnhoving :
now I'm a little nervous on next steps
[2017-09-01 18:40:31]
hostile :
hoo ray!
[2017-09-01 18:40:34]
hostile :
man up
[2017-09-01 18:40:36]
hostile :
relax
[2017-09-01 18:40:39]
hostile :
we are teaching you to fish
[2017-09-01 18:40:46]
johnhoving :
thanks!
[2017-09-01 18:40:48]
hostile :
these fish are harmless... they don't bite too hard
[2017-09-01 18:40:57]
hostile :
ok so now... type "git"
[2017-09-01 18:41:14]
johnhoving :
ok
[2017-09-01 18:41:18]
hostile :
you are being hand trained by some of the best OGs right now... you are in good hands
[2017-09-01 18:41:52]
johnhoving :
I appreciate the time you're taking on this and not making fun of a newbie!
[2017-09-01 18:42:02]
hostile :
there is plenty of time to harass ya!
[2017-09-01 18:42:10]
hostile :
hence me telling you to pull your skirt up :wink:
[2017-09-01 18:42:16]
johnhoving :
got it
[2017-09-01 18:42:19]
johnhoving :
its up
[2017-09-01 18:42:22]
hostile :
we have a tough love around here to force people to be involved and pass some of their fears aside
[2017-09-01 18:42:36]
hostile :
type: "git clone <https://github.com/MAVProxyUser/OriginalGangsterCow.git>"
[2017-09-01 18:43:15]
johnhoving :
now to be clear i paste everything including the linl
[2017-09-01 18:43:20]
johnhoving :
link
[2017-09-01 18:43:22]
hostile :
yes sir
[2017-09-01 18:43:28]
hostile :
in terminal
[2017-09-01 18:43:32]
hostile :
at $ prompt
[2017-09-01 18:43:33]
hostile :
git clone <https://github.com/MAVProxyUser/OriginalGangsterCow.git>
[2017-09-01 18:44:03]
hostile :
it should look like this
[2017-09-01 18:44:04]
hostile :
$ git clone <https://github.com/MAVProxyUser/OriginalGangsterCow.git>
Cloning into 'OriginalGangsterCow'...
remote: Counting objects: 138, done.
remote: Compressing objects: 100% (109/109), done.
remote: Total 138 (delta 37), reused 121 (delta 27), pack-reused 0
Receiving objects: 100% (138/138), 222.71 KiB | 0 bytes/s, done.
Resolving deltas: 100% (37/37), done.
[2017-09-01 18:44:39]
johnhoving :
concept guides. See 'git help <command>' or 'git help <concept>'
to read about a specific subcommand or concept.
Hoving-MacBook-11:~ hoving13$ git clone <https://github.com/MAVProxyUser/OriginalGangsterCow.git>
Cloning into 'OriginalGangsterCow'...
remote: Counting objects: 138, done.
remote: Compressing objects: 100% (109/109), done.
remote: Total 138 (delta 37), reused 121 (delta 27), pack-reused 0
Receiving objects: 100% (138/138), 222.71 KiB | 0 bytes/s, done.
Resolving deltas: 100% (37/37), done.
Hoving-MacBook-11:~ hoving13$ git clone <https://github.com/MAVProxyUser/OriginalGangsterCow.git>
fatal: destination path 'OriginalGangsterCow' already exists and is not an empty directory.
Hoving-MacBook-11:~ hoving13$
[2017-09-01 18:45:14]
opcode :
grrrrrrrrrrrrrrr
[2017-09-01 18:45:15]
opcode :
shell@zs600b:/ $ pm uninstall com.google.android.gms
Failure [DELETE_FAILED_DEVICE_POLICY_MANAGER]
[2017-09-01 18:45:45]
hostile :
use adb uninstall
[2017-09-01 18:46:20]
johnhoving :
environment variables:
$ADB_TRACE
comma-separated list of debug info to log:
all,adb,sockets,packets,rwx,usb,sync,sysdeps,transport,jdwp
$ADB_VENDOR_KEYS colon-separated list of keys (files or directories)
$ANDROID_SERIAL serial number to connect to (see -s)
$ANDROID_LOG_TAGS tags to be used by logcat (see logcat --help)
Hoving-MacBook-11:~ hoving13$
[2017-09-01 18:46:49]
johnhoving :
what happened?
[2017-09-01 18:46:49]
hostile :
oh sorry jon that was for opcode
[2017-09-01 18:47:00]
hostile :
did your "git" command finish as mine did above?
[2017-09-01 18:47:00]
johnhoving :
oh no
[2017-09-01 18:47:22]
hostile :
I see now that it did
[2017-09-01 18:47:23]
hostile :
sorry
[2017-09-01 18:47:35]
johnhoving :
did i uninstall it
[2017-09-01 18:47:41]
hostile :
nope you good
[2017-09-01 18:47:44]
hostile :
type "cd OriginalGangsterCow"
[2017-09-01 18:48:08]
johnhoving :
Hoving-MacBook-11:OriginalGangsterCow hoving13$
[2017-09-01 18:48:10]
hostile :
then type ./LastSkyCry.sh
[2017-09-01 18:48:30]
johnhoving :
WARNING: linker: /data/local/tmp/dirtycow: unused DT entry: type 0x6ffffffe arg 0x5f8
WARNING: linker: /data/local/tmp/dirtycow: unused DT entry: type 0x6fffffff arg 0x1
[2017-09-01 18:48:39]
hostile :
this is good...
[2017-09-01 18:48:41]
hostile :
just wait for it
[2017-09-01 18:49:08]
johnhoving :
is it doing something behind the scenes
[2017-09-01 18:49:24]
johnhoving :
Install what ever you want now via 'adb install'
Hoving-MacBook-11:OriginalGangsterCow hoving13$
[2017-09-01 18:49:35]
hostile :
good
[2017-09-01 18:49:36]
hostile :
so
[2017-09-01 18:49:41]
hostile :
tell me about this program you want to install
[2017-09-01 18:49:47]
hostile :
cuz we can install it now
[2017-09-01 18:51:06]
johnhoving :
<https://gethover.com/support>
[2017-09-01 18:51:27]
opcode :
bash-3.2$ adb uninstall com.google.android.gms
Failure [DELETE_FAILED_DEVICE_POLICY_MANAGER]
[2017-09-01 18:51:29]
opcode :
shell@zs600b:/ $ pm disable com.google.android.gsf
Error: java.lang.SecurityException: Permission Denial: attempt to change component state from pid=3559, uid=2000, package uid=10051
[2017-09-01 18:51:31]
opcode :
great
[2017-09-01 18:52:24]
johnhoving :
and this one: <http://www.zerotech.com/en/softwaredown-en.html>
[2017-09-01 18:54:09]
hostile :
k one sec
[2017-09-01 18:54:20]
hostile :
did you already download the .apk?
[2017-09-01 18:54:43]
hostile :
the dobby download does not work
[2017-09-01 18:54:48]
johnhoving :
<https://play.google.com/store/apps/details?id=com.yuneec.android.flyingcamera>
[2017-09-01 18:55:05]
johnhoving :
and this one. let me get the hoover i think i have in downloads from the other day
[2017-09-01 18:55:08]
hostile :
so what you need to do... is download the apk you want from apkpure or similar
[2017-09-01 18:55:31]
hostile :
<https://apkpure.com/breeze-cam/com.yuneec.android.flyingcamera>
[2017-09-01 18:55:50]
hostile :
so from your computer
[2017-09-01 18:55:52]
hostile :
on the terminal
[2017-09-01 18:56:00]
hostile :
"adb install /path/to/that/apk"
[2017-09-01 18:56:10]
hostile :
you can drag the apk on to the terminal and the path will get typed out for you
[2017-09-01 18:56:18]
hostile :
sometimes the Crystal Sky falls asleep...
[2017-09-01 18:56:27]
hostile :
and you have to wake it back up and re plug in the USB
[2017-09-01 18:56:29]
johnhoving :
ok i will try
[2017-09-01 18:56:30]
hostile :
cuz the adb dies
[2017-09-01 18:57:28]
johnhoving :
Hoving-MacBook-11:OriginalGangsterCow hoving13$ adb install /path/to/that/apk
No APK file on command line
Hoving-MacBook-11:OriginalGangsterCow hoving13$
[2017-09-01 18:59:28]
hostile :
no no no
[2017-09-01 18:59:34]
hostile :
"/path/to/that/apk"
[2017-09-01 18:59:36]
johnhoving :
No APK file on command line
[2017-09-01 18:59:38]
hostile :
that is THE path to YOUR apk...
[2017-09-01 18:59:43]
hostile :
you need to know that path
[2017-09-01 18:59:54]
hostile :
OR as I said... you can drag the file from Finder... onto the terminal window
[2017-09-01 18:59:57]
hostile :
and it will type that path out for you
[2017-09-01 19:00:05]
johnhoving :
i did that
[2017-09-01 19:00:07]
hostile :
most likely /Users/yourname/Downloads/something.apk
[2017-09-01 19:00:21]
hostile :
or ~/Downloads/something.apk for the shorthand
[2017-09-01 19:00:27]
hostile :
where did you save the file?
[2017-09-01 19:00:38]
johnhoving :
desktop
[2017-09-01 19:01:04]
hostile :
so type "adb install ~/Desktop/HoverCamera-0.4.14-poiiewrq.apk"
[2017-09-01 19:01:31]
johnhoving :
nvironment variables:
$ADB_TRACE
comma-separated list of debug info to log:
all,adb,sockets,packets,rwx,usb,sync,sysdeps,transport,jdwp
$ADB_VENDOR_KEYS colon-separated list of keys (files or directories)
$ANDROID_SERIAL serial number to connect to (see -s)
$ANDROID_LOG_TAGS tags to be used by logcat (see logcat --help)
Hoving-MacBook-11:OriginalGangsterCow hoving13$
Hoving-MacBook-11:OriginalGangsterCow hoving13$
[2017-09-01 19:01:55]
hostile :
seems like you mispasted possibly
[2017-09-01 19:02:04]
johnhoving :
ok its installing
[2017-09-01 19:02:16]
johnhoving :
oving-MacBook-11:OriginalGangsterCow hoving13$ adb install ~/Desktop/HoverCamera-0.4.14-poiiewrq.apk
/Users/hoving13/Desktop/HoverCamera-0.4.14-poiiewrq.apk: 1 file pushed. 4.4 MB/s (51164689 bytes in 11.006s)
pkg: /data/local/tmp/HoverCamera-0.4.14-poiiewrq.apk
Success
Hoving-MacBook-11:OriginalGangsterCow hoving13$
[2017-09-01 19:02:21]
hostile :
there you go
[2017-09-01 19:02:31]
hostile :
you are now the first person in the world with HoverCam app on your Crystal Sky
[2017-09-01 19:02:48]
johnhoving :
wow!
[2017-09-01 19:03:15]
hostile :
it should be in your Applications folder now... (from the Home Screen)
[2017-09-01 19:03:30]
johnhoving :
roger that! can i try another?
[2017-09-01 19:03:56]
hostile :
sure
[2017-09-01 19:04:02]
hostile :
download... lather rinse repeat
[2017-09-01 19:04:11]
hostile :
just remember... IF you reboot... you have to run Gangster Cow again.
[2017-09-01 19:04:21]
hostile :
IF you wish to install more apps
[2017-09-01 19:05:05]
hostile :
You can use the "Settings -> Apps" menu to uninstall
[2017-09-01 19:05:19]
hostile :
OR use "adb uninstall com.app.packagename.goes.here"
[2017-09-01 19:05:50]
hostile :
if you don't know your app's package name and can't just use the settings menu and insist on using adb uninstall technique... you can get package names via
[2017-09-01 19:05:53]
hostile :
adb shell "pm list packages"
[2017-09-01 19:06:21]
johnhoving :
so the current terminal window that is open is not going to install another program
[2017-09-01 19:06:27]
hostile :
sure it will
[2017-09-01 19:06:32]
hostile :
as long as you don't reboot the CS
[2017-09-01 19:06:48]
hostile :
if it goes to sleep you need to wake it up and unplug / re plug the USB in...
[2017-09-01 19:06:53]
hostile :
but as long as it doesn't reboot...
[2017-09-01 19:06:59]
hostile :
you can use that window to install packages all day long if you want
[2017-09-01 19:08:07]
johnhoving :
how do i get the app from here: <https://play.google.com/store/apps/details?id=com.yuneec.android.flyingcamera&rdid=com.yuneec.android.flyingcamera>
[2017-09-01 19:08:21]
hostile :
apkpure...
[2017-09-01 19:08:33]
hostile :
<https://apkpure.com/breeze-cam/com.yuneec.android.flyingcamera>
[2017-09-01 19:10:01]
johnhoving :
[BACKUP_MESSAGE_ID: 4136812401112121772] This Google account is not yet associated with a device. Please access the Play Store app on your device before installing apps.
[2017-09-01 19:10:28]
johnhoving :
thanks!
[2017-09-01 19:10:59]
hostile :
that was when you tried to install the apk?
[2017-09-01 19:11:06]
hostile :
or when downloading from the apkpure?
[2017-09-01 19:11:31]
hostile :
@opcode may have to help you if that app has some weird tie to the play store for some odd reason
[2017-09-01 19:11:37]
hostile :
but we CAN work around this.
[2017-09-01 19:11:45]
johnhoving :
breeze installed
[2017-09-01 19:11:57]
hostile :
what was that error from?
[2017-09-01 19:12:27]
johnhoving :
when i was at the google play store
[2017-09-01 19:12:37]
hostile :
did you test the apps? they should work, but there is no telling how compatible they will be with the CS device. generally speaking they should work fine.
[2017-09-01 19:12:57]
johnhoving :
now i need the apkpure of dobby
[2017-09-01 19:13:02]
hostile :
nailed it
[2017-09-01 19:13:09]
hostile :
see... we have you catching your own fish now
[2017-09-01 19:13:10]
hostile :
:wink:
[2017-09-01 19:13:28]
hostile :
your next assignment is to teach a friend or peer with a Crystal Sky what you learned today
[2017-09-01 19:13:45]
hostile :
(share on a forum, or what ever)
[2017-09-01 19:13:45]
johnhoving :
got it
[2017-09-01 19:13:47]
hostile :
spread the love
[2017-09-01 19:14:11]
johnhoving :
and I will! I will test them next and let you know!
[2017-09-01 19:14:16]
johnhoving :
thank you so much!
[2017-09-01 19:14:19]
hostile :
for sure...
[2017-09-01 19:14:25]
hostile :
glad you didn't run away!
[2017-09-01 19:14:32]
hostile :
looks like you've upped your paygrade
[2017-09-01 19:14:34]
hostile :
=]
[2017-09-01 19:15:23]
pure3d :
@hostile which CS did you get?
[2017-09-01 19:15:33]
hostile :
the small one
[2017-09-01 19:15:58]
hostile :
CS785 model number
[2017-09-01 19:16:22]
pure3d :
ah, it's spendy even at $469, but based on reviews that I've seen, it's sticker shock but then when people started using it, they see the value in it
[2017-09-01 19:16:22]
johnhoving :
not getting the dobby in though, hold on let me try again
[2017-09-01 19:17:03]
hostile :
I'm pretty happy with it so far @pure3d
[2017-09-01 19:17:38]
johnhoving :
got it
[2017-09-01 19:18:04]
hostile :
now you are obligated to send a picture of your apps screen with these installed =]
[2017-09-01 19:18:13]
johnhoving :
i have small one as well. might get the larger now!
[2017-09-01 19:18:56]
johnhoving :
testing hoover now
[2017-09-01 19:20:00]
pure3d :
the small one is approx. the size of an iphone 6plus isn't it?
[2017-09-01 19:20:13]
johnhoving :
yep
[2017-09-01 19:20:34]
hostile :
how big is 6P screen?
[2017-09-01 19:20:40]
hostile :
this thing is a tank compared to iphone
[2017-09-01 19:20:44]
hostile :
even the big fuckers
[2017-09-01 19:21:20]
kilrah :
5.5"
[2017-09-01 19:21:22]
pure3d :
iphone6plus is 5.5" (1920 x 1080)
[2017-09-01 19:21:28]
kilrah :
CS is same
[2017-09-01 19:22:10]
hostile :
if I take a ruler... corner to corner... it is 7.85 inches screen
[2017-09-01 19:22:14]
pure3d :
5.5" is 16:9, 7.85" is 4:3
[2017-09-01 19:22:23]
hostile :
10inches corner to corner for the device
[2017-09-01 19:22:44]
kilrah :
which is why as much as I'd like a small CS to have a robust thing with HDMI out I feel i might be deceived as I'm used to my 6" mate 8
[2017-09-01 19:22:45]
pure3d :
CS785 is the 7.85" isn't it?
[2017-09-01 19:22:49]
hostile :
yes
[2017-09-01 19:23:12]
pure3d :
ah ok you said smaller one so I assumed 5.5"
[2017-09-01 19:23:18]
kilrah :
it's the big one then :smile:
[2017-09-01 19:23:28]
hostile :
oh didn't realize there was a 5.5
[2017-09-01 19:24:09]
hostile :
for some reason I thought it was 7.85 and a bigger one =]
[2017-09-01 19:24:14]
kilrah :
heh
[2017-09-01 19:24:31]
kilrah :
3rd one is 7.85 too but twice the brightness
[2017-09-01 19:24:41]
hostile :
ahh there we go
[2017-09-01 19:24:47]
hostile :
and the brightness is crazy as fuck already !
[2017-09-01 19:24:50]
pure3d :
a 10" screen would be $$$
[2017-09-01 19:24:52]
kilrah :
heh
[2017-09-01 19:25:22]
pure3d :
so even in direct sunlight, CS785 is as bright as a regular smartphone while indoors?
[2017-09-01 19:25:58]
hostile :
I was watching tv with wife in dimly lit room
[2017-09-01 19:26:06]
hostile :
and had to like shield my eyes
[2017-09-01 19:26:08]
hostile :
fucker was so bright
[2017-09-01 19:27:07]
pure3d :
with the 2000 nit version, you'd be temp blind? :stuck_out_tongue:
[2017-09-01 19:27:57]
hostile :
lol
[2017-09-01 19:27:59]
hostile :
truth!
[2017-09-01 19:28:37]
kilrah :
if we ever see one of them things, starting to lose hope lol
[2017-09-01 19:29:15]
hostile :
they on delay @kilrah ?
[2017-09-01 19:29:39]
kilrah :
massively yeah, not one been delivered yet and still no estimates
[2017-09-01 19:32:04]
pure3d :
how's the 4k video playback on it? one reviewer who received a pre-production model said it was choppy
[2017-09-01 19:37:02]
johnhoving :
so the hoover app opens, I can connect to the drone via wifi but once connected the app doesn't launch into the dashboard. i will try the dobby now
[2017-09-01 19:38:16]
hostile :
you can use "adb logcat" to maybe get info on **why**
[2017-09-01 19:58:37]
johnhoving :
dobby doesn't work either :disappointed:
[2017-09-01 19:59:00]
johnhoving :
software loads i can connect but thats as far as it will go
[2017-09-01 20:02:11]
hostile :
you'll have to "adb logcat" to learn why
[2017-09-01 20:04:53]
johnhoving :
its generating a lot of data
[2017-09-01 20:06:36]
johnhoving :
you're never going to want to see this!
[2017-09-01 20:07:01]
hostile :
paste it as a .txt snippet
[2017-09-01 20:07:10]
hostile :
using the + sign
[2017-09-01 20:07:19]
hostile :
trust me... we've been staring at shit like that for months
[2017-09-01 20:07:29]
johnhoving :
there's pages and pages!
[2017-09-01 20:07:54]
johnhoving :
and still going!
[2017-09-01 20:08:21]
johnhoving :
i can save it as a txt file when done
[2017-09-01 20:12:56]
johnhoving :
its never ending!
[2017-09-01 20:13:33]
johnhoving :
W/PackageManager( 486): Not granting permission android.permission.REAL_GET_TASKS to package com.zerozero.hover (protectionLevel=18 flags=0x48be44)
[2017-09-01 20:14:53]
kilrah :
it IS never ending :slightly_smiling_face: just gives you log output in realtime
[2017-09-01 20:15:13]
kilrah :
i.e. you run that, and while it's spitting out stuff you replicate the error, and catch it in the stream
[2017-09-01 20:15:59]
hostile :
That app may be too old for the version of android
[2017-09-01 20:16:00]
hostile :
<https://stackoverflow.com/questions/27974583/get-tasks-permission-deprecated>
[2017-09-01 20:16:45]
hostile :
try this
[2017-09-01 20:17:00]
hostile :
adb shell pm list packages
[2017-09-01 20:17:06]
hostile :
and find the package name for your app
[2017-09-01 20:17:07]
hostile :
then
[2017-09-01 20:17:19]
johnhoving :
how do i stop the output
[2017-09-01 20:17:22]
hostile :
adb shell pm grant com.appname.goes.here android.permission.REAL_GET_TASKS
[2017-09-01 20:17:27]
hostile :
control c
[2017-09-01 20:19:35]
johnhoving :
Hoving-MacBook-11:~ hoving13$ adb shell pm list packages
package:com.android.providers.telephony
package:com.android.providers.media
package:com.android.wallpapercropper
package:com.dji.industry.pilot
package:com.android.documentsui
package:com.android.galaxy4
package:com.android.externalstorage
package:com.android.htmlviewer
package:com.android.mms.service
package:com.android.providers.downloads
package:com.android.winstart
package:com.android.browser
package:com.android.defcontainer
package:com.android.providers.downloads.ui
package:com.android.pacprocessor
package:com.zerotech.cameratime
package:com.dji.gps.recoder
package:com.android.certinstaller
package:android.rockchip.update.service
package:android
package:com.android.backupconfirm
package:com.android.provision
package:com.android.wallpaper.holospiral
package:com.android.phasebeam
package:com.android.providers.settings
package:com.android.sharedstoragebackup
package:com.android.dreams.basic
package:dji.go.v4
package:dji.pilot
package:com.android.webview
package:com.android.rk
package:com.android.inputdevices
package:com.android.musicfx
package:com.android.onetimeinitializer
package:com.android.server.telecom
package:com.android.keychain
package:com.android.gallery3d
package:dji.system.upgrade
package:com.android.packageinstaller
package:com.svox.pico
package:com.android.proxyhandler
package:com.android.inputmethod.latin
package:com.android.musicvis
package:com.android.managedprovisioning
package:com.android.rk.mediafloat
package:com.android.dreams.phototable
package:dji.system.launcher
package:com.android.noisefield
package:com.android.wallpaper.livepicker
package:com.cghs.stresstest
package:jp.co.omronsoft.openwnn
package:com.android.settings
package:com.google.android.inputmethod.pinyin
package:com.yuneec.android.flyingcamera
package:com.google.android.apps.pdfviewer
package:com.android.wallpaper
package:com.android.vpndialogs
package:com.zerozero.hover
package:com.android.phone
package:com.android.shell
package:com.android.providers.userdictionary
package:com.android.location.fused
package:com.android.systemui
package:com.android.exchange
package:dji.system.setup
package:com.android.captiveportallogin
package:android.rk.RockVideoPlayer
Hoving-MacBook-11:~ hoving13$
[2017-09-01 20:20:32]
johnhoving :
like this? adb shell pm grant com.hover android.permission.REAL_GET_TASKS
control c
[2017-09-01 20:20:43]
hostile :
yup
[2017-09-01 20:20:53]
hostile :
the control c was just to stop the adb logcat
[2017-09-01 20:21:01]
hostile :
adb shell pm grant com.hover android.permission.REAL_GET_TASKS
[2017-09-01 20:21:06]
hostile :
should do it hopefully
[2017-09-01 20:25:38]
johnhoving :
how do i stop this data from streaming
[2017-09-01 20:25:46]
hostile :
hit control
[2017-09-01 20:25:48]
hostile :
press c
[2017-09-01 20:26:17]
hostile :
your picture doesn't show any data streaming btw..
[2017-09-01 20:26:20]
hostile :
I assume you mean from logcat
[2017-09-01 20:26:43]
johnhoving :
yes thanks
[2017-09-01 20:26:46]
hostile :
hold down button on keyboard labeled "control" often between function and opt
[2017-09-01 20:26:48]
hostile :
and press c
[2017-09-01 20:26:51]
hostile :
while holding it down
[2017-09-01 20:27:06]
hostile :
<https://en.wikipedia.org/wiki/Control-C>
[2017-09-01 20:28:26]
johnhoving :
there is the output file is extraordinarily long
[2017-09-01 20:28:43]
hostile :
only reason I needed it was to figure why your app was complaining
[2017-09-01 20:28:48]
hostile :
you found the line on your own
[2017-09-01 20:29:04]
hostile :
did you try the app after using the "grant" command above?
[2017-09-01 20:29:14]
hostile :
<https://dji-rev.slack.com/archives/C6K376JGZ/p1504297261000377>
[2017-09-01 20:32:51]
hostile :
you can just paste into the chat btw... no need to make into an RTF
[2017-09-01 20:33:03]
hostile :
click the plus sign... and choose "Code or snippet"
[2017-09-01 20:33:12]
hostile :
and you can paste the text buffer you are pasting into the .rtf files...
[2017-09-01 20:33:17]
hostile :
save yourself and me a step
[2017-09-01 20:33:18]
hostile :
=]
[2017-09-01 20:33:36]
hostile :
Bad argument: java.lang.IllegalArgumentException: Unknown package: com.hover
[2017-09-01 20:33:44]
hostile :
looks like we missed part of the package name some how
[2017-09-01 20:34:35]
johnhoving :
use this as name: com.hover
[2017-09-01 20:35:33]
hostile :
the error that came back said that is the wrong name for some reason
[2017-09-01 20:35:57]
hostile :
I gotta go make dinner
[2017-09-01 20:36:03]
hostile :
you gonna have to hang around ask other
[2017-09-01 20:36:08]
hostile :
folks teach yourself some more, etc
[2017-09-01 20:36:16]
hostile :
but seems like you are right on the cusp of things working for you
[2017-09-01 20:36:21]
hostile :
just some minor permissions issues
[2017-09-01 20:36:30]
hostile :
I'm sure someone else can maybe help you work forward
[2017-09-01 20:36:37]
johnhoving :
HoverCamera
[2017-09-01 20:37:06]
hostile :
no the android app name...
[2017-09-01 20:37:17]
johnhoving :
ok i appreciate your time
[2017-09-01 20:37:28]
hostile :
try com.zerozero.hover
[2017-09-01 20:37:49]
johnhoving :
HoverCamera-0.4.14-poiiewrq
[2017-09-01 20:38:02]
johnhoving :
that was the actual app name from download
[2017-09-01 20:38:08]
hostile :
you aren't understanding me
[2017-09-01 20:38:14]
hostile :
that is the friendly name..the human name...
[2017-09-01 20:38:20]
hostile :
android has a special package name
[2017-09-01 20:38:25]
hostile :
com.zerozero.hover I think is what it is for you
[2017-09-01 20:38:43]
hostile :
try: adb shell pm list packages | grep hover
[2017-09-01 20:38:49]
johnhoving :
those are two different apps there
[2017-09-01 20:39:03]
hostile :
ahh
[2017-09-01 20:39:20]
hostile :
well you'll need to find the internal name it seems com.hover is a bad name per the pm error you got
[2017-09-01 20:39:27]
hostile :
Bad argument: java.lang.IllegalArgumentException: Unknown package: com.hover
[2017-09-01 20:39:46]
hostile :
all that tells me is the second argument to: adb shell pm grant com.hover android.permission.REAL_GET_TASKS is wrong
[2017-09-01 20:39:58]
hostile :
it needs to be something other than "com.hover"
[2017-09-01 20:41:08]
hostile :
$ adb shell pm list packages | grep hover
package:com.zerozero.hover
[2017-09-01 20:41:10]
hostile :
yeah see
[2017-09-01 20:41:11]
hostile :
...
[2017-09-01 20:41:51]
hostile :
sadly for you
[2017-09-01 20:41:52]
hostile :
$ adb shell pm grant com.zerozero.hover android.permission.REAL_GET_TASKS
Operation not allowed: java.lang.SecurityException: Permission android.permission.REAL_GET_TASKS is not a changeable permission type
[2017-09-01 20:41:53]
hostile :
lol
[2017-09-01 20:42:42]
hostile :
which part of the app does not work for you?
[2017-09-01 20:42:51]
hostile :
I don't have one... but I am able to click around the main screen just fine
[2017-09-01 20:44:12]
johnhoving :
it won't launch the dashboard to fly the drone.
[2017-09-01 20:44:27]
johnhoving :
How does one uninstall these apps if they're not going to work?
[2017-09-01 20:44:44]
hostile :
scroll up to where I told you how earlier :wink:
[2017-09-01 20:45:06]
hostile :
<https://dji-rev.slack.com/archives/C6K376JGZ/p1504292705000403>
[2017-09-01 20:45:34]
hostile :
if shit got hairy.... you could probably patch the manifest to not request that permission
[2017-09-01 20:46:41]
johnhoving :
what is that?
[2017-09-01 20:47:07]
hostile :
the permissions that app requests to use... which is what it was telling you it was not allowed to use preventing the launch
[2017-09-01 20:47:16]
johnhoving :
ahh
[2017-09-01 20:47:22]
johnhoving :
oh well we tried!
[2017-09-01 20:47:25]
hostile :
<https://dji-rev.slack.com/archives/C6K376JGZ/p1504296813000266>
[2017-09-01 20:47:39]
hostile :
that is telling you why it can't launch... you can see said permission listed above
[2017-09-01 20:48:38]
hostile :
"This bug was introduced when google deployed a fix to the stagefright bug" <https://stackoverflow.com/questions/31948830/android-activity-manager-real-get-tasks-error>
[2017-09-01 20:48:53]
hostile :
lol a security fix is screwing you
[2017-09-01 20:48:59]
hostile :
because their app makes bad choices
[2017-09-01 20:49:10]
hostile :
that behavior could be patched out in theory
[2017-09-01 20:49:14]
hostile :
but I am outtie 5
[2017-09-01 20:49:22]
hostile :
and beyond my level of fucks for a drone I don't own!
[2017-09-01 20:50:29]
johnhoving :
Failure [DELETE_FAILED_INTERNAL_ERROR]
[2017-09-01 21:09:08]
johnhoving :
looks like yuneec breeze works though!
[2017-09-01 21:11:23]
hostile :
which delete method failed?
[2017-09-01 21:11:31]
hostile :
try using the settings applet
[2017-09-01 22:36:24]
johnhoving :
Got it! I wonder why those permissions are locked. Seemed easier to hack the Cs than the hover app. I guess there is no way to install the google play app so one could install other apps. I imagine this for the time being is the process to install.
[2017-09-01 22:59:37]
pure3d :
has anyone tried VLC player or another media player for viewing 4k content on a CS?
[2017-09-01 23:06:47]
hostile :
@johnhoving we've had Play on older versions... as you came in this morning we were working on Play for current version via OG cow
[2017-09-02 08:13:18]
kilrah :
@johnhoving The real problem is why the hover app is so broken it can't even be put on the Play Store and they don't seem to care to do their job correctly...
[2017-09-02 11:15:57]
jeff :
did anyone try yet to run a modified GO apk installed with OriginalGangsterCow?
[2017-09-02 12:50:46]
hostile :
should work fine @jeff did you have issues with it?
[2017-09-02 13:50:01]
opcode :
E/AndroidRuntime( 4545): FATAL EXCEPTION: main
E/AndroidRuntime( 4545): Process: com.google.process.gapps, PID: 4545
E/AndroidRuntime( 4545): java.lang.RuntimeException: Unable to get provider com.google.android.gsf.settings.GoogleSettingsProvider: java.lang.SecurityException: You need MANAGE_USERS permission to: get the profile parent
[2017-09-02 13:50:25]
opcode :
That was no good idea, to install Google Stuff via mooooooo.
[2017-09-02 13:51:36]
opcode :
It looks like the Google Components try to communicate with each other, try to read/write to folders etc and don't get permission from the system and everything gets screwed up.
[2017-09-02 13:52:24]
opcode :
Was caught in a crash loop of the Google Framework, constant message that framework has crashed, no chance to get to the uninstaller screen.
[2017-09-02 13:53:53]
opcode :
am kill and intent.action.delete saved my ass
[2017-09-02 14:03:35]
hostile :
Meh
[2017-09-02 14:03:48]
hostile :
Now we know !
[2017-09-02 14:38:45]
opcode :
bash-3.2$ adb shell
shell@zs600b:/ $ su
root@zs600b:/ #
[2017-09-02 14:39:08]
opcode :
Good news. Kingroot apk is working! So, no more need of Kingoroot! :slightly_smiling_face:
[2017-09-02 14:39:50]
opcode :
use the moooooo to adb install kingroot. kingroot gives you easy root.
[2017-09-02 14:42:10]
hostile :
I'm still trying to take apart their binary
[2017-09-02 14:42:20]
hostile :
and understand the method they used... so I can have a full source code release
[2017-09-02 14:42:51]
opcode :
dont confound Kingoroot with Kingroot!
[2017-09-02 14:42:59]
opcode :
Kingroot is safe AFAIK
[2017-09-02 14:42:59]
hostile :
I believed it is related to qtaquid exploitation.
[2017-09-02 14:43:00]
hostile :
<https://dji-rev.slack.com/archives/C6K376JGZ/p1504128041000366>
[2017-09-02 14:43:03]
hostile :
I just can't figure it out
[2017-09-02 14:43:16]
hostile :
type dmesg after your root....
[2017-09-02 18:23:13]
jeff :
@hostile no im thinking about buying a crystalsky but i wanna run modified GO apk for FCC etc. so thats one of my buying conditions :slightly_smiling_face:
[2017-09-02 19:30:12]
johnhoving :
Hover app is in play store. It has something to do with permissions. Same issue for the Dobby app. Yuneec breeze works though for some reason.
[2017-09-02 20:53:28]
kilrah :
With what device, and running what version of android? Isn't there here with mine.
[2017-09-02 20:56:50]
hostile :
Their SDK stopped at 4.1 iirc
[2017-09-02 20:56:58]
hostile :
CS is 5.1.1
[2017-09-02 21:01:15]
kilrah :
yeah that's my point, pretty sure it just isn't available in play store for anything decently recent
[2017-09-02 21:01:31]
kilrah :
he only gets it because he's on an old 4.x phone
[2017-09-02 23:20:11]
equipoa :
FCC in CS ??
[2017-09-03 13:09:39]
opcode :
@equipoa should be possible with modded GO 4.
[2017-09-04 14:13:14]
opcode :
Back to full stock on my CS. Kingroot works great, but is also some kind of annoying. always runs in background and hard to overwrite with SuperSU. We really need a rooting source code for the CS.
[2017-09-04 14:14:10]
the_lord :
you can do like what i did with kingOroot
[2017-09-04 14:17:06]
opcode :
im fine. its more the thing what method is safest to the public. didnt try @hostile your method?
[2017-09-04 14:18:39]
the_lord :
i mean you can replace kingroot with SuperSU the same way i did with kingOroot
[2017-09-04 14:20:56]
opcode :
oh, that you mean. yeah, the thing is i tried to find an easier method to root with kingroot not kingoroot. patch installd with mooooo, sideload kingroot apk and replace with SuperSU after rooting. But the Kingroot is really hard to remove without losing root.
[2017-09-04 14:22:04]
opcode :
and anyway, you need to flash Google Stuff, manual install messed my whole CS up. And without proper Google Stuff, no store and no maps on Litchi, Pix4D etc
[2017-09-04 14:26:17]
hostile :
<https://github.com/MAVProxyUser/OriginalGangsterCow/issues/1>
[2017-09-04 14:26:42]
hostile :
funny Lord... I am sitting here now trying to find the exploit used. =]
[2017-09-04 14:28:48]
hostile :
I was in the process of examining the output "max_:3 min:10 i_ret:0x20"
[2017-09-04 14:28:57]
hostile :
wondering if maybe iret exploit
[2017-09-04 14:29:05]
hostile :
<https://blogs.bromium.com/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/>
[2017-09-04 14:30:14]
hostile :
also reading... <http://conference.hitb.org/hitbsecconf2016ams/wp-content/uploads/2015/11/D1T2-Tim-Xia-Adaptive-Android-Kernel-Live-Patching.pdf>
[2017-09-04 14:30:30]
hostile :
as I wondered about CVE-2015-1805
[2017-09-04 14:30:48]
opcode :
could you extract something out of the usbcap i send you?
[2017-09-04 14:31:17]
hostile :
I did not on the initial pass... I need to look more
[2017-09-04 14:31:34]
hostile :
let me try to examine it more
[2017-09-04 14:32:17]
opcode :
its huge, i know. i think it downloaded the likely working exploits after examining the architecture of my device
[2017-09-04 14:32:37]
hostile :
I have a working package from theLord
[2017-09-04 14:32:46]
hostile :
slimmed down. I just can't extract the sploit from it
[2017-09-04 14:33:03]
hostile :
@the_lord does @opcode have your package lordroot?
[2017-09-04 14:33:10]
opcode :
yes
[2017-09-04 14:33:19]
hostile :
yeah so that is the one I am trying to RE
[2017-09-04 14:33:22]
hostile :
the answer is there
[2017-09-04 14:33:30]
opcode :
i see
[2017-09-04 14:33:30]
the_lord :
yes he gave it to you :wink:
[2017-09-04 14:33:34]
opcode :
heh
[2017-09-04 14:33:50]
hostile :
these papers I am posting also have the answer... just must read / and try techniques :confused:
[2017-09-04 14:35:40]
hostile :
I feel this is very important... <https://dji-rev.slack.com/archives/C6K376JGZ/p1504128043000098>
[2017-09-04 14:36:02]
hostile :
cuz many exploits use memory leaks after gaining root to then do full priv esc
[2017-09-04 14:36:48]
hostile :
we seek to be the creators of these untracked pids
[2017-09-04 14:37:50]
hostile :
this needs tested for example. <https://github.com/dosomder/iovyroot>
[2017-09-04 14:37:55]
hostile :
cuz we know kingroot uses it
[2017-09-04 14:38:04]
unusuario128 :
I don't own a CrystalSky, however, may I ask why is better to start building the home by the roof? The kernel exploit is a great and clean method for gaining root, but maybe is partially easier to look at the bootloader.
[2017-09-04 14:38:28]
hostile :
we can put it in recovery mode...
[2017-09-04 14:39:15]
unusuario128 :
No, I don't mean recovery mode, but the SBL.
[2017-09-04 14:39:32]
hostile :
risky++ =]
[2017-09-04 14:39:44]
unusuario128 :
The thing that manages the fastboot protocol (if implemented) and boots the kernel.
[2017-09-04 14:39:47]
hostile :
I'm going least likely to brick my shit route
[2017-09-04 14:39:53]
hostile :
we can't see it with fastboot
[2017-09-04 14:39:54]
hostile :
:confused:
[2017-09-04 14:40:14]
unusuario128 :
May I "read" a dump of the eMMC?
[2017-09-04 14:41:40]
unusuario128 :
`for partition in /dev/block/platform/*/by-name/*; do dd if="$partition" of="/sdcard/$(basename "$partition").img"; done`
[2017-09-04 14:41:58]
unusuario128 :
or something like that.
[2017-09-04 14:42:05]
opcode :
easiest way is still to make custom recovery as @bin4ry mentioned. from there flash Google Play, mod installd. later one simply mod the OTA that will surely be coming from DJI.
[2017-09-04 14:42:43]
bin4ry :
use the rkAndroidFlash tool
[2017-09-04 14:42:50]
bin4ry :
to recover
[2017-09-04 14:42:56]
bin4ry :
make sure you can flash stock packages through it
[2017-09-04 14:42:59]
bin4ry :
then you can play with it
[2017-09-04 14:43:09]
unusuario128 :
Is it rockchip?
[2017-09-04 14:43:10]
bin4ry :
i posted linux tools and windows tools to flash :wink:
[2017-09-04 14:43:14]
bin4ry :
it is rockchip ye
[2017-09-04 14:43:15]
bin4ry :
s
[2017-09-04 14:43:21]
bin4ry :
rk3288
[2017-09-04 14:45:57]
unusuario128 :
<https://github.com/rockchip-linux/rkbin/tree/master/tools>
[2017-09-04 14:46:22]
hostile :
buy one and go all in!
[2017-09-04 14:46:25]
hostile :
heh I don't have nuts for that
[2017-09-04 14:46:28]
bin4ry :
:smile:
[2017-09-04 14:46:32]
bin4ry :
i don't want one
[2017-09-04 14:46:37]
unusuario128 :
:grinning:
[2017-09-04 14:46:44]
bin4ry :
pretty useless device imho
[2017-09-04 14:47:58]
unusuario128 :
@hostile, however, could you `dd` all the non-user partitions and upload then to somewhere?
[2017-09-04 14:49:02]
opcode :
@bin4ry the rkandroid stuff didnt work for me. even dual boot windows didnt see the device, in the description was also mentioned that you should use USB 2.0
[2017-09-04 14:49:07]
opcode :
i only have 3.0
[2017-09-04 14:49:43]
bin4ry :
@unusuario128 we have the OTA it has recovery and boot partition
[2017-09-04 14:50:02]
bin4ry :
@opcode yeah rockchip's are pretty wonky :smile:
[2017-09-04 14:50:26]
unusuario128 :
@bin4ry: Do you mean the boot partition where Android saves the kernel and the initrd?
[2017-09-04 14:51:11]
unusuario128 :
That is not as interesting as can be to have the aboot- uboot- or lk-based SBL partition
[2017-09-04 14:51:28]
bin4ry :
we have an OTA. which has the update for boot.img and recovery.img. boot has kernel and initrd, recovery has kernel and recovery-initrd
[2017-09-04 14:51:29]
unusuario128 :
However, it looks great for post-kernel exploitation
[2017-09-04 14:52:07]
unusuario128 :
Can you bring me the recovery initial ramdisk?
[2017-09-04 14:52:21]
bin4ry :
mom i send you the link in PM
[2017-09-04 14:52:26]
unusuario128 :
Ok
[2017-09-04 14:55:54]
unusuario128 :
Don't bother in extracting the initrd, you can upload the bulk recovery.img
[2017-09-04 14:59:38]
opcode :
@unusuario128 Here you can dl the full OTA <http://mydjiflight.dji.com/file/links/ZSA90_20170817>
[2017-09-04 15:00:05]
unusuario128 :
@opcode: Thanks!
[2017-09-04 15:00:10]
opcode :
:slightly_smiling_face:
[2017-09-04 15:02:24]
opcode :
@bin4ry any more ideas regarding custom recovery? if you remember, i also dd the recovery you send me, but we ended up without menu and without fastboot. :disappointed:
[2017-09-04 15:05:44]
bin4ry :
nah, had no time yet to think about it
[2017-09-04 15:51:52]
opcode :
<https://dji.retroroms.info/howto/crystalsky>
[2017-09-04 15:52:01]
opcode :
Fast OriginalGangsterCow update
[2017-09-04 17:22:48]
unusuario128 :
Does the recovery mode allow ADB (unprivileged) access?
[2017-09-04 17:45:18]
bin4ry :
nope
[2017-09-04 17:45:20]
hostile :
that moment you run into old co-workers when trying to sort shit out. lol
[2017-09-04 17:45:21]
hostile :
<https://twitter.com/jduck/status/759174473710907392>
[2017-09-04 17:50:49]
hostile :
if anything I am learning lots about Android exploitation!
[2017-09-04 17:50:49]
hostile :
<http://burningcodes.net/android-privilege-escalation-step-by-step/>
[2017-09-04 17:53:36]
opcode :
Kingoroot, Kingroot, Hostileroot? :blush:
[2017-09-04 18:21:04]
unusuario128 :
Maybe this is an interesting read: <https://github.com/hqvv/rk3288_android5.1_sdk/blob/master/bootable/recovery>
[2017-09-04 18:34:58]
bin4ry :
Cs uses new rockchip images. Make sure this recovery is build for that
[2017-09-04 18:53:57]
unusuario128 :
Yes, it uses rockchip images (which have been somewhat "rebranded" to dji) in the recovery of the CS.
[2017-09-04 19:36:31]
bin4ry :
Ok. I only saw that this is somewhat more similar to the standard Android image format than old rockchip images i saw :slightly_smiling_face: that is what I meant
[2017-09-04 19:39:05]
unusuario128 :
I've stopped digging in the recovery because I feel like A3 now :wink:
[2017-09-04 19:40:17]
unusuario128 :
Just a question. What Android version and kernel does the CS use?
[2017-09-04 20:00:43]
dpitman :
@bin4ry I heard hostile pronounce your handle (username) as "binary". Is that correct? In my head, I pronounced it "bine-four-ree". Maybe it's a language thing? (sorry..been wondering :thinking_face:)
[2017-09-04 20:02:02]
kilrah :
@dpitman <https://en.wikipedia.org/wiki/Leet#Orthography>
[2017-09-04 20:02:31]
kilrah :
so yes, 4=A
[2017-09-04 20:04:42]
dpitman :
haha...thanks! there is just soooo much I don't know !!
[2017-09-04 20:05:43]
unusuario128 :
@dpitman: 7H3 0R161N4L 1N73N710N 0F 7H3 N4M3 W45 70 B3 5P3LL3D 45 "binary" :wink:
[2017-09-04 20:07:00]
dpitman :
looks like lots of choices for "A"
<https://qntm.org/l33t>
[2017-09-04 20:08:08]
kilrah :
011000100110100101101110011000010111001001111001 is just too annoying to type
[2017-09-04 20:10:07]
dpitman :
I see. <http://sticksandstones.kstrom.com/appen.html>
@unusuario128 still has me stumped though!
[2017-09-04 20:11:06]
kilrah :
don't concentrate on what the symbols usually are, just look at the basic shape - the faster you read it the more obvious it goes :wink:
[2017-09-04 20:13:08]
unusuario128 :
68 65 78 34 64 65 63 69 6d 61 6c :smile:
[2017-09-04 20:13:29]
unusuario128 :
All this should go to ~random to avoid polluting the thread.
[2017-09-04 20:13:39]
kilrah :
indeed :smile:
[2017-09-04 20:14:06]
dpitman :
kilrah's hint did it. Sorry for the o/t, my fault.
[2017-09-04 20:45:02]
opcode :
@unusuario128 CS runs Android 5.1.1 Lollipop and Kernel is 3. something :thinking_face:
[2017-09-05 01:16:08]
hostile :
funny going back and re-reading shit.. I keep running into old friends notes and papers. <https://dji-rev.slack.com/archives/C6K376JGZ/p1504128441000080>
[2017-09-05 01:16:34]
hostile :
I used to pay this x82 guy to write exploits for me over a decade ago.
[2017-09-05 01:37:24]
hostile :
I finally found an exploit example using the memory leak I suspect kingroot is using.
[2017-09-05 01:37:26]
hostile :
<https://github.com/hitmoon/android-root-misc/blob/master/iovyroot/jni/getroot.c#L69>
[2017-09-05 03:38:27]
hostile :
ok... well SOMETHING just went right for me
[2017-09-05 03:38:29]
hostile :
2|shell@zs600b:/ $ ls -al /system/xbin/su
-rwxr-xr-x root root 75364 2016-12-16 11:20 su
shell@zs600b:/ $ su
root@zs600b:/ # id
uid=0(root) gid=0(root)
root@zs600b:/ # mount -i remount,rw /system
[2017-09-05 04:04:15]
hostile :
ok... so this exploit works (it just shits all over your terminal, which I thought was a problem before)
[2017-09-05 04:05:26]
hostile :
After it runs, it mounts a new /system from an image it has on hand.
[2017-09-05 04:05:27]
hostile :
...........................................................................
# Type run-as -s1 to get a shell
# Type run-as -s2 to execute su daemon
shell@zs600b:/data/local/tmp $
shell@zs600b:/data/local/tmp $ ls -al /system/xbin/su
-rwxr-xr-x root root 75364 2016-12-16 11:20 su
shell@zs600b:/data/local/tmp $ mount | grep /system
/dev/block/platform/ff0f0000.rksdmmc/by-name/system /system ext4 ro,noatime,nodiratime,noauto_da_alloc,data=ordered 0 0
/dev/sutmp /system/xbin ext4 rw,relatime,data=ordered 0 0
[2017-09-05 04:05:51]
hostile :
technique is described here: <https://forum.xda-developers.com/showpost.php?p=70249601&postcount=7>
[2017-09-05 04:15:03]
hostile :
the second I remount /system the phone reboots though :confused:
[2017-09-05 04:15:22]
hostile :
this root is a bit different though, than where I have been previously hung up
[2017-09-06 01:45:30]
hostile :
this is another crazy read... <https://hackernoon.com/hacking-android-phone-how-deep-the-rabbit-hole-goes-18b62ad65727>
[2017-09-06 07:00:59]
opcode :
great read. very detailed.
[2017-09-06 15:08:00]
hostile :
the ole "ro.kernel.qemu=1" trick
[2017-09-06 15:18:30]
bin4ry :
no only to kitkat
[2017-09-06 15:19:06]
opcode :
:confused:
[2017-09-06 19:24:58]
hostile :
ok @bin4ry so quick sanity check post dirtyc0w r00t via su.img mount in /system/xbin: 'dd if=/dev/block/platform/ff0f0000.rksdmmc/by-name/boot of=/dev/block/platform/ff0f0000.rksdmmc/by-name/recovery' followed by "adb reboot recovery" works as expected. Right back into the OS. So now to try something more fun
[2017-09-06 19:37:25]
hostile :
ok just flashed the last recovery file you sent over @bin4ry .... and rebooting now
[2017-09-06 19:37:27]
hostile :
dd if=recovery.img of=/dev/block/platform/ff0f0000.rksdmmc/by-name/recovery
[2017-09-06 19:38:20]
hostile :
this <https://dji-rev.slack.com/files/bin4ry/F6XPSL5C6/recovery-bin4ry2.img> results in a black screen and nothing via fastboot, or adb devices.
[2017-09-06 19:38:53]
hostile :
so what ever that was == no dice
[2017-09-06 20:32:57]
hostile :
trying more fun things... dd if=TWRP_1920x1080_CrewRKTablets_v3.0.img of=/dev/block/platform/ff0f0000.rksdmmc/by-name/recovery
[2017-09-06 20:33:04]
hostile :
still only a black screen
[2017-09-06 20:33:05]
hostile :
:confused:
[2017-09-06 20:44:15]
hostile :
I can see it tho...
[2017-09-06 20:45:53]
hostile :
both via Android Tool... (kinda) and rkflashtool
[2017-09-06 20:47:19]
hostile :
$ rkflashtool v
rkflashtool: info: rkflashtool v6.1
rkflashtool: info: Detected RK3288...
rkflashtool: info: interface claimed
rkflashtool: info: chip version: 320A-2014.08.13-V200
$ rkflashtool n
rkflashtool: info: rkflashtool v6.1
rkflashtool: info: Detected RK3288...
rkflashtool: info: interface claimed
rkflashtool: info: Flash ID: 45 4d 4d 43 20
rkflashtool: info: Flash Info:
Manufacturer: Samsung (0)
Flash Size: 59640MB
Block Size: 512KB
Page Size: 2KB
ECC Bits: 0
Access Time: 40
Flash CS: <0>
$ rkflashtool p
rkflashtool: info: rkflashtool v6.1
rkflashtool: info: Detected RK3288...
rkflashtool: info: interface claimed
rkflashtool: info: reading parameters at offset 0x00000000
rkflashtool: info: size: 0x000005c0
FIRMWARE_VER:5.0.0
MACHINE_MODEL:rk3288
MACHINE_ID:007
MANUFACTURER:RK3288
MAGIC: 0x5041524B
ATAG: 0x60000800
MACHINE: 3288
CHECK_MASK: 0x80
PWR_HLD: 0,0,A,0,1
#KERNEL_IMG: 0x62008000
#FDT_NAME: rk-kernel.dtb
#RECOVER_KEY: 1,1,0,20,0
CMDLINE:console=ttyFIQ0 androidboot.selinux=disabled androidboot.hardware=rk30board androidboot.console=ttyFIQ0 init=/init initrd=0x62000000,0x00800000 mtdparts=rk29xxnand:0x00002000@0x00002000(uboot),0x00002000@0x00004000(misc),0x00008000@0x00006000(resource),0x00008000@0x0000e000(kernel),0x00010000@0x00016000(boot),0x00010000@0x00026000(recovery),0x0001a000@0x00036000(backup),0x00080000@0x00050000(cache),0x00002000@0x000D0000(kpanic),0x00600000@0x000D2000(system),0x00008000@0x006D2000(metadata),0x00600000@0x006DA000(userdata),0x00020000@0x00CDA000(radical_update),-@0x00CFA000(user)
# in section; per section 512(0x200) bytes
#CMDLINE:console=ttyFIQ0 androidboot.baseband=N/A androidboot.selinux=permissive androidboot.hardware=rk30board androidboot.console=ttyFIQ0 init=/init initrd=0x62000000,0x00800000 mtdparts=rk29xxnand:0x00002000@0x00002000(uboot),0x00002000@0x00004000(misc),0x00008000@0x00006000(resource),0x00008000@0x0000e000(kernel),0x00010000@0x00016000(boot),0x00010000@0x00026000(recovery),0x0001a000@0x00036000(backup),0x00040000@0x00050000(cache),0x00002000@0x00090000(kpanic),0x00100000@0x00092000(system),0x00008000@0x00192000(metadata),0x00020000@0x0039A000(radical_update),-@0x003BA000(userdata)
[2017-09-06 20:47:36]
hostile :
@bin4ry ...
[2017-09-06 21:07:54]
opcode :
Strange that it doesn't seem to "accept" those recoveries and we are left with a black screen ....
[2017-09-06 21:09:11]
hostile :
but good that you can see it with Rockchip tools when this occurs
[2017-09-06 21:09:26]
hostile :
note that we may be able to write to the kernel command line for example
[2017-09-06 21:11:42]
opcode :
Yeah, rockchip tools work. But why "no device" with fastboot? At least for me.
[2017-09-06 21:41:55]
hostile :
because they use DJI update
[2017-09-06 21:42:01]
hostile :
and give zero fucks about fastboot
[2017-09-06 21:42:07]
hostile :
what is the usecase for them to use it?
[2017-09-06 21:42:19]
hostile :
device gets bricked... it comes back... then rkflash it
[2017-09-06 22:05:26]
opcode :
You are right. One more reason to install custom recovery.
[2017-09-06 22:06:30]
opcode :
I hope @bin4ry will build something :blush:
[2017-09-06 22:12:00]
pure3d :
rockchip tools can always flash it back when bricked?
[2017-09-07 01:18:26]
hostile :
should be able to
[2017-09-07 02:52:44]
pure3d :
sweet!
[2017-09-07 11:53:13]
hostile :
semi related new bugs... BootStomp: On the Security of Bootloaders in Mobile Devices <https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-redini.pdf>
[2017-09-07 13:12:17]
bin4ry :
Will try to help out next week
[2017-09-07 13:12:29]
bin4ry :
i will be on the road on a small trip starting tomorrow
[2017-09-07 13:12:31]
hostile :
no stress!
[2017-09-07 13:12:34]
bin4ry :
first berlin then munich
[2017-09-07 13:12:39]
bin4ry :
some interviews etc :wink:
[2017-09-07 13:12:42]
hostile :
sitting here now trying to modify boot.img to mount rw /system
[2017-09-07 13:12:47]
hostile :
then will flash it to recovery partition
[2017-09-07 13:12:49]
bin4ry :
so i will be pretty busy, so only chatting no development :wink:
[2017-09-07 13:13:00]
bin4ry :
i guess till then you will have it already
[2017-09-07 13:13:07]
hostile :
eyeballing things with this now. <http://newandroidbook.com/tools/imgtool.html>
[2017-09-07 13:13:08]
bin4ry :
there are some tools to modify bootimg and recovermg
[2017-09-07 13:13:14]
bin4ry :
yeah exactly what i meant :smile:
[2017-09-07 13:13:16]
bin4ry :
lol
[2017-09-07 13:13:20]
bin4ry :
there are a bunch more
[2017-09-07 13:13:31]
bin4ry :
since some manufacturers try fucking with the image format
[2017-09-07 13:13:47]
bin4ry :
also you should checkout rockchip repos with full android trees
[2017-09-07 13:13:56]
bin4ry :
they MAY have the rockchip image tools :wink: or SHOULD have
[2017-09-07 13:13:58]
hostile :
Aye been doing so
[2017-09-07 13:14:21]
bin4ry :
since the img's are falling out at the end of the build process :wink:
[2017-09-07 13:15:16]
hostile :
imgRePackerRK_106 is the one I need to try
[2017-09-07 13:15:36]
bin4ry :
thats the one i created the images with you tried
[2017-09-07 13:15:45]
hostile :
then I'll skip that one! lol
[2017-09-07 13:15:48]
bin4ry :
:smile:
[2017-09-07 13:15:54]
bin4ry :
i THINK they changed the format
[2017-09-07 13:16:03]
bin4ry :
it looks more like standard android IMHO
[2017-09-07 13:19:20]
bin4ry :
i still have this in my bookmarks to check out @hostile : <http://rockchip.wikidot.com/linux-user-guide>
[2017-09-07 13:19:52]
hostile :
have you tried this one? <https://github.com/osm0sis/mkbootimg>
[2017-09-07 13:20:08]
bin4ry :
the mk-image.sh from this repo's should be the one we need to build the recovery
[2017-09-07 13:20:27]
bin4ry :
nah did not try the one you linked
[2017-09-07 13:20:36]
bin4ry :
if i were you, i would try the original scripts first :wink:
[2017-09-07 13:20:48]
bin4ry :
atleast to re-build it
[2017-09-07 13:21:20]
bin4ry :
the rkimagerepacker can give you the ramdisk and kernel, for the ramdisk you have to run it again on the file it yields
[2017-09-07 13:21:24]
bin4ry :
but rebuilding does not work
[2017-09-07 13:22:05]
hostile :
btw look up rk30board... hence firefly repos you pointed to
[2017-09-07 13:22:11]
hostile :
that is the devkit for this platform
[2017-09-07 13:22:17]
bin4ry :
yep
[2017-09-07 13:24:16]
hostile :
I'll try this one too <https://github.com/ggrandou/abootimg>
[2017-09-07 13:24:37]
bin4ry :
try them all :smile:
[2017-09-07 13:24:44]
bin4ry :
but go for the original build tools first :wink:
[2017-09-07 13:24:54]
bin4ry :
i think it will save you much time
[2017-09-07 13:24:55]
bin4ry :
:smile:
[2017-09-07 13:27:13]
hostile :
anyway this process seems pretty straight forward. <http://droidcore.blogspot.com/2012/12/how-to-edit-initrc-in-android.html>
[2017-09-07 13:28:12]
opcode :
@bin4ry come visit Frankfurt. Right in the middle between Berlin and Munich. :wink:
[2017-09-07 13:29:37]
bin4ry :
was driving past it last month :smile:
[2017-09-07 13:29:47]
opcode :
:smile:
[2017-09-07 13:30:20]
opcode :
<https://forum.xda-developers.com/showthread.php?p=32965365#post32965365>
[2017-09-07 13:32:03]
hostile :
I am looking at the boot image now... I see there is a reference to /property_contexts
/data/security/current/property_contexts
I have seen people drop their own files there to override selinux contexts.
[2017-09-07 13:33:07]
opcode :
ok. and then flash with a flashing tool?
[2017-09-07 13:33:11]
hostile :
<https://forum.xda-developers.com/showpost.php?p=70470509&postcount=55>
[2017-09-07 13:34:26]
hostile :
followed up here
[2017-09-07 13:34:27]
hostile :
<https://forum.xda-developers.com/android/software-hacking/root-tool-dirtycow-apk-adb-t3525120/page14>
[2017-09-07 13:34:53]
hostile :
this is why people were targeting app_process32 in some other exploits I think
[2017-09-07 13:35:07]
hostile :
man I've totally gotten a crash course (I didn't want) on Android security
[2017-09-07 13:35:43]
opcode :
ah. mooooo to have su and then patch supolicy
[2017-09-07 13:36:52]
opcode :
but after all, you would still need to flash google stuff to make i.e. litchi work.
[2017-09-07 13:41:22]
hostile :
**but**... point is gaining a shell where you can: remount -o remount,rw /system
[2017-09-07 13:41:29]
hostile :
cuz of differing contexts and such
[2017-09-07 13:41:59]
hostile :
cuz with cow variants I have two things happen: 1. NO access remount /system, OR access resulting in an instant reboot
[2017-09-07 13:42:31]
hostile :
if only my OCD would just let me use lordRoot without understanding what it does
[2017-09-07 13:42:32]
hostile :
lol
[2017-09-07 13:44:22]
opcode :
heh
[2017-09-07 13:44:52]
opcode :
yesterday i extracted the ramdisk of the original recovery.img
[2017-09-07 13:45:20]
hostile :
sitting here looking at both recovery and boot.img right now
[2017-09-07 13:45:32]
opcode :
on early-init
# Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
write /sys/fs/selinux/checkreqprot 0
[2017-09-07 13:45:32]
opcode :
ah
[2017-09-07 13:45:39]
hostile :
goal now is to take boot.img,,, change /system to rw, repack... and flash it to recovery partition
[2017-09-07 13:54:26]
opcode :
why dont we get adb in original recovery?
[2017-09-07 13:54:28]
opcode :
# Always start adbd on userdebug and eng builds
on property:ro.debuggable=1
write /sys/class/android_usb/android0/enable 0
write /sys/class/android_usb/android0/idVendor 2207
write /sys/class/android_usb/android0/idProduct 0006
write /sys/class/android_usb/android0/functions adb
write /sys/class/android_usb/android0/enable 1
write /sys/class/android_usb/android0/iManufacturer $ro.product.manufacturer
write /sys/class/android_usb/android0/iProduct $ro.product.model
write /sys/class/android_usb/android0/iSerial $ro.serialno
start console
start adbd
# Restart adbd so it can run as root
on property:service.adb.root=1
write /sys/class/android_usb/android0/enable 0
restart adbd
write /sys/class/android_usb/android0/enable 1
[2017-09-07 13:55:31]
hostile :
adbd binary missing?
[2017-09-07 13:55:43]
opcode :
let me check
[2017-09-07 13:57:01]
opcode :
no, present in sbin
[2017-09-07 14:07:15]
opcode :
service adbd /sbin/adbd --root_seclabel=u:r:su:s0 --device_banner=recovery
disabled
[2017-09-07 14:07:30]
opcode :
set it to enabled? :smirk:
[2017-09-07 14:08:00]
bin4ry :
no
[2017-09-07 14:08:05]
hostile :
do we have downgrade images for CS btw?
[2017-09-07 14:08:23]
bin4ry :
services not working like that, start it from an init script :wink:
[2017-09-07 14:08:27]
bin4ry :
set the ro.property correct
[2017-09-07 14:08:31]
bin4ry :
and it will start
[2017-09-07 14:09:15]
opcode :
yes, i have 8.1 and 9.0 as downloaded OTA
[2017-09-07 14:11:14]
hostile :
is that how the DJI updater updates tho?
[2017-09-07 14:11:27]
hostile :
downloads OTA?
[2017-09-07 14:11:37]
bin4ry :
i already tried to fuck with the OTA
[2017-09-07 14:11:43]
bin4ry :
you need the privateKey.bin
[2017-09-07 14:11:48]
hostile :
I don't wanna fuck with it... I just wanna revert
[2017-09-07 14:11:51]
bin4ry :
the rk signature :smile:
[2017-09-07 14:11:52]
bin4ry :
ok
[2017-09-07 14:11:52]
bin4ry :
:smiley:
[2017-09-07 14:12:07]
hostile :
and was curious if the standard DJI downloader would take an older update file if served one
[2017-09-07 14:12:28]
bin4ry :
ah
[2017-09-07 14:12:33]
bin4ry :
test it
[2017-09-07 14:12:35]
bin4ry :
could be
[2017-09-07 14:12:40]
hostile :
I need an image first lol
[2017-09-07 14:12:45]
hostile :
back to my original question...
[2017-09-07 14:12:51]
hostile :
does the dji updater download the ota?
[2017-09-07 14:12:51]
bin4ry :
opcode said he has it
[2017-09-07 14:12:58]
hostile :
or some other form of packaged update?
[2017-09-07 14:13:03]
bin4ry :
you can put the ota to cache
[2017-09-07 14:13:11]
bin4ry :
look in the DJIUpdater
[2017-09-07 14:13:18]
bin4ry :
it is mainly the rk updater packaged
[2017-09-07 14:13:18]
hostile :
hehe in due time
[2017-09-07 14:13:32]
hostile :
face in something else, so kinda thinking outloud
[2017-09-07 14:14:23]
opcode :
@hostile dl 8,1 <http://mydjiflight.dji.com/file/links/ZSA90_20170817>
[2017-09-07 14:15:11]
opcode :
@bin4ry i only have default.prop in the ramdisk
[2017-09-07 14:15:48]
bin4ry :
you have 2 prop files
[2017-09-07 14:15:51]
bin4ry :
one in ramdisk
[2017-09-07 14:15:54]
bin4ry :
one in system partition
[2017-09-07 14:16:03]
bin4ry :
if system boots the prop in system is also read
[2017-09-07 14:16:16]
bin4ry :
if only recovery boots the prop in recovery ramdisk is used
[2017-09-07 14:16:43]
bin4ry :
if normal boot you have critical stuff in boot.img ramdisk prop file (since not changeable) and not so much critical or relevant to system partition in system ramdisk
[2017-09-07 14:21:21]
opcode :
hmm. thanks for the info. to go one step further beside adb: what is needed to switch off signing check? mod prop in ramdisk enough?
[2017-09-07 14:21:43]
bin4ry :
what signing check do you mean?
[2017-09-07 14:22:05]
opcode :
flash modded ota zip via recovery
[2017-09-07 14:22:24]
bin4ry :
you would need another recovery binary for this
[2017-09-07 14:22:32]
bin4ry :
inside the recovery ramdisk
[2017-09-07 14:22:36]
bin4ry :
the binary runs it all
[2017-09-07 14:22:37]
bin4ry :
the whole show
[2017-09-07 14:22:54]
bin4ry :
OR you change the publicKey.bin inside the ramdisk
[2017-09-07 14:23:00]
bin4ry :
to something you know the privateKey.bin for
[2017-09-07 14:23:10]
hostile :
so to be clear... the ZSA90_20170817 is an OTA file... so the standard DJI update is just done via OTA
[2017-09-07 14:23:13]
bin4ry :
but doesnt matter, if you can change the ramdisk you can just do what you like
[2017-09-07 14:23:26]
opcode :
hostile, yes it wipes the whole CS
[2017-09-07 14:23:53]
opcode :
.... /system, recovery.img, boot.img
[2017-09-07 14:25:16]
opcode :
@bin4ry thats my goal. to make a working public solution, flash the recovery.img, then mod the update.zip with modded Go App, hosts, and play store. all in one.
[2017-09-07 14:25:44]
bin4ry :
yes, compile your own twrp / cwm or whatever
[2017-09-07 14:25:56]
bin4ry :
but for that you first need to be able to build the img structure at all
[2017-09-07 14:26:01]
bin4ry :
if you can build the image
[2017-09-07 14:26:05]
bin4ry :
the rest is easy
[2017-09-07 14:26:51]
opcode :
have to dig into that further, not so easy.
[2017-09-07 14:26:58]
opcode :
but hanks for your help again.
[2017-09-07 14:27:01]
opcode :
+t
[2017-09-07 14:28:20]
opcode :
@hostile place in CS to see the update.zip dl path /data/data/dji.system.upgrade/shared_prefs/dji.system.upgrade.xml
[2017-09-07 16:08:01]
hostile :
@bin4ry @opcode I wonder if we can change the keycodes for vol button some how?
[2017-09-07 16:08:03]
hostile :
"keycodes 114 115 116"
[2017-09-07 16:17:03]
hostile :
looks like /system/usr/keylayout has a pile of files (that we won't be able to edit of course)
[2017-09-07 16:18:59]
hostile :
cat rk29-keypad.kl <
key 59 MENU
key 102 HOME
key 114 VOLUME_DOWN
key 115 VOLUME_UP
key 116 POWER
key 142 SLEEP
key 143 WAKEUP
key 148 DJI_FUNC1
key 149 DJI_FUNC2
key 158 BACK
key 212 CAMERA
key 217 SEARCH
key 187 APP_SWITCH
key 202 3D_MODE
[2017-09-07 16:47:04]
hostile :
@opcode I don't have that dji.system.upgrade.xml file
[2017-09-07 16:53:11]
hostile :
did you guys notice the radical_update partition?
[2017-09-07 16:53:18]
hostile :
seems to be a rockchip specific thing
[2017-09-07 16:54:06]
hostile :
lol I wonder if we can run Ubuntu on Crystal SKy now... <http://bbs.t-firefly.com/forum.php?mod=viewthread&tid=263>
[2017-09-07 16:55:54]
hostile :
there ya go @bin4ry @opcode /system/app/DJIService/lib/arm/librockchip_update_jni.so
[2017-09-07 16:56:19]
hostile :
symlink to /system/lib/librockchip_update_jni.so
<https://github.com/msink/android_packages_apps_rkupdateservice/blob/master/jni/android_rockchip_update_UpdateService.cpp>
[2017-09-07 17:02:23]
hostile :
Firefly SDK... <https://drive.google.com/drive/folders/0B7HO8lbGgAqAblpqVFk4ZmZoSlE>
[2017-09-07 17:02:33]
hostile :
Firefly-RK3288 Android5.1 SDK release
[2017-09-07 17:02:41]
hostile :
firefly-rk3288_android5.1_git_20150910.tar
[2017-09-07 17:07:10]
opcode :
Maybe if you swap the numbers? But for what purpose?
[2017-09-07 17:08:08]
hostile :
just looking for a non root way to get into recovery for example
[2017-09-07 17:08:14]
hostile :
we have no vol up button remember =]
[2017-09-07 17:08:24]
hostile :
looks non viable
[2017-09-07 17:08:46]
opcode :
Huh? Did you ever update the CS? It should prompt you, that an update is available as soon as you go online. I think the xml gets generated while the system upgrade checks for updates.
[2017-09-07 17:10:01]
opcode :
Hmm. But as we have adb: adb reboot recovery
[2017-09-07 17:10:02]
hostile :
it is on 02.02.09.00 (and always was)
[2017-09-07 17:10:07]
hostile :
<https://github.com/msink/android_packages_apps_rkupdateservice/blob/master/src/android/rockchip/update/service/RecoverySystem.java>
[2017-09-07 17:10:20]
hostile :
this is the code the update service is using
[2017-09-07 17:11:13]
opcode :
Ah, then I think it gets generated as soon as it sees a new update. I'll send you the xml, then you can have a look.
[2017-09-07 17:13:08]
hostile :
noted
[2017-09-07 17:13:38]
hostile :
sometimes after recovering from a failed attempt, I don't feel like booting all the way back up and then doing that
[2017-09-07 17:13:46]
hostile :
was just looking for a key combo I could maybe use
[2017-09-07 17:13:55]
hostile :
or a way to enable it
[2017-09-07 17:17:58]
hostile :
"versionlist_in2_b_ZS":
[
{"date":"1490870074",
"release_note": {
"zh_cn":"Bcn",
"zh_tw":"ABtw",
"en":"Ben",
"ja":"Bja"
},
"version":"02.02.03.00",
"m1302": "0.0.0.0&0",
"packurl":"<http://mydjiflight.dji.com/file/links/ZS600B_v0030_20170401>",
"zssize": 946902456,
"ota_md5":"831e03d10c6d1b8198daaf951acb23fe",
"rom_updates":[
{
"version" :"0.0.0.0",
"packurl" :"<https://mydjiflight.dji.com/links/links/RC_ZSdiff1>",
"size": 45630881,
"ota_md5":"067d2fea6017bbcd4e96dae7b937361e"
},
{
"version" :"0.0.0.0",
"packurl" :"<https://mydjiflight.dji.com/links/links/RC_ZSdiff2>",
"size": 45634340,
"ota_md5":"9570ec037dc3c719bfb61ab1a8da4da8"
}
],
"priority":"0"
}
]
}
[2017-09-07 17:18:16]
hostile :
at the bottom of /mnt/internal_sd/Android/data/dji.go.v4/cache/list.json
[2017-09-07 17:21:37]
hostile :
2017-06-25 07:03:15 system.upgrade(87) e: DJIVersionChecker->checkNew result : CrystalSky,no RC chipM
[2017-09-07 17:21:42]
hostile :
heh I want one WITH an RC chip!
[2017-09-07 17:22:14]
hostile :
There is your CC settings ...
[2017-09-07 17:22:15]
hostile :
2017-06-25 07:03:15 system.upgrade(87) e: redirect,cnt=0M
2017-06-25 07:03:15 system.upgrade(87) i: [],[US],[],[],M
2017-06-25 07:03:15 system.upgrade(87) e: ccmanagerget onSuccess:cc=US,strategy=getFromBeWithMobileGpsM
2017-06-25 07:03:15 system.upgrade(87) e: ccmanagerset,Empty->return!!M
2017-06-25 07:03:15 system.upgrade(87) i: [],[US],[],[US],M
2017-06-25 07:03:15 system.upgrade(87) e: ccmanagerget onSuccess:cc=US,strategy=getFromBeWithoutGpsM
2017-06-25 07:03:15 system.upgrade(87) e: redirect,cnt=1M
2017-06-25 07:03:15 system.upgrade(87) e: ccmanagerset, countryCodeOfOs = USM
2017-06-25 07:03:15 system.upgrade(87) e: ccmanagerset,equals->return!!M
[2017-09-07 17:32:37]
hostile :
so risky AF... but I can mount the system.img I just made in linux
[2017-09-07 17:33:07]
hostile :
since it is a standard ext4 fs.
[2017-09-07 17:33:54]
opcode :
<string name="KEY_GPS">{&quot;date&quot;:&quot;Aug 14, 2017 5:27:32 PM&quot;,&quot;mLat&quot;:XX.07029833333333,&quot;mLng&quot;:XX.670037333333333,&quot;timeLong&quot;:1502724452617}</string>
[2017-09-07 17:34:32]
opcode :
oh man. why does DJI Update for CS again locate me via GPS?
[2017-09-07 17:37:55]
opcode :
honestly, wtf? dont tell me its only for pdate to decide between chinese and english update?
[2017-09-07 17:38:03]
opcode :
*update
[2017-09-07 17:38:30]
hostile :
see above... the CE settings
[2017-09-07 17:38:54]
hostile :
2017-06-25 07:03:15 system.upgrade(87) e: ccmanagerget onSuccess:cc=US,strategy=getFromBeWithoutGpsM
[2017-09-07 17:39:01]
opcode :
CE Settings for Crystalsky? huh?
[2017-09-07 17:39:07]
hostile :
--->>>> getFromBeWithoutGpsM
[2017-09-07 17:39:14]
hostile :
EVERYTHING with wifi in it has to comply bro
[2017-09-07 17:39:18]
hostile :
this is not anything new
[2017-09-07 17:39:26]
hostile :
FCC smack down
[2017-09-07 17:39:47]
opcode :
ok, i see. but still very uncomfortable to get located in that way.
[2017-09-07 17:39:50]
hostile :
<https://hackaday.com/2016/02/26/fcc-locks-down-router-firmware/>
[2017-09-07 17:39:54]
hostile :
result of this
[2017-09-07 17:40:08]
hostile :
welcome to the "Internet of Shit" bro! lol
[2017-09-07 17:40:12]
opcode :
lol
[2017-09-07 17:40:44]
hostile :
basically.. THIS... <http://wiki.prplfoundation.org/wiki/Complying_with_FCC_rules_on_Wifi#Linux_regulatory_system_overview>
[2017-09-07 18:01:38]
opcode :
what you could try: power down cs. unplug usb. push and hold power button until the screen goes black. plug usb in. maybe your flash tool sees the device? adb/fastboot doesnt see my device in that state.
[2017-09-07 19:42:14]
hostile :
something else to test... <https://yadi.sk/d/Js2JShWopHAkN>
[2017-09-08 01:20:21]
hostile :
OK @channel I've 100% confirmed that default "fastboot" for Crystal Sky goes into RockChip mode...
[2017-09-08 01:21:16]
hostile :
I left AndroidTool_Release_v2.3 open... and did an "adb reboot fastboot", and it immediately came up as "Found One ADB Device"
[2017-09-08 01:22:20]
hostile :
in my config.ini for AndroidTool I have "MSC_VID=0x2202" and "MSC_PID=0x320a"
[2017-09-08 01:23:21]
hostile :
annnnnnd wait for it
[2017-09-08 01:23:28]
hostile :
"fastboot devices" works.
[2017-09-08 01:24:18]
hostile :
I think you have to have the **exact** correct* drivers installed
[2017-09-08 01:24:44]
hostile :
on Windows I used some DriverAssistant_v4.1.1 Russian stuff to get it working
[2017-09-08 01:26:54]
hostile :
<http://chinagadgetsreviews.com/download-rockchip-driver-assistant-v4-3.html>
[2017-09-08 01:27:43]
hostile :
SOMEhow... this is now working on my OSX when it was not before
[2017-09-08 01:27:44]
hostile :
sh-3.2# fastboot devices
0123456789 fastboot
[2017-09-08 01:27:54]
hostile :
@bin4ry @hdnes !!!
[2017-09-08 01:29:56]
hostile :
damnit... commands just hang
[2017-09-08 01:33:21]
hostile :
on my windows device it **acted** like it responded to "fastboot oem unlock"
[2017-09-08 04:49:03]
hostile :
$ adb reboot recovery == Android Default Recovery
[2017-09-08 04:49:14]
hostile :
$ adb reboot bootloader == RockChip Bootloader
[2017-09-08 04:49:40]
hostile :
in "bootloader" mode things like rkflashtool work
[2017-09-08 04:49:41]
hostile :
$ rkflashtool v
rkflashtool: info: rkflashtool v6.1
rkflashtool: info: Detected RK3288...
rkflashtool: info: interface claimed
rkflashtool: info: chip version: 320A-2014.08.13-V200
[2017-09-08 04:51:39]
hostile :
when I do adb reboot bootloader on my Mac, I get "Found one MSC device" in the Android Tool window.
[2017-09-08 04:53:03]
hostile :
$ rkflashtool r recovery > recovery
rkflashtool: info: rkflashtool v6.1
rkflashtool: info: Detected RK3288...
rkflashtool: info: interface claimed
rkflashtool: info: working with partition: recovery
rkflashtool: info: size of parameter block: 1472
rkflashtool: info: found offset: 0x00026000
rkflashtool: info: found size: 0x00010000
rkflashtool: info: reading flash memory at offset 0x00035fe0... Done!
[2017-09-08 04:53:24]
hostile :
$ rkflashtool w recovery < recovery
rkflashtool: info: rkflashtool v6.1
rkflashtool: info: Detected RK3288...
rkflashtool: info: interface claimed
rkflashtool: info: working with partition: recovery
rkflashtool: info: size of parameter block: 1472
rkflashtool: info: found offset: 0x00026000
rkflashtool: info: found size: 0x00010000
rkflashtool: info: writing flash memory at offset 0x00035fe0... Done!
[2017-09-08 04:54:01]
hostile :
$ rkflashtool r system > system
rkflashtool: info: rkflashtool v6.1
rkflashtool: info: Detected RK3288...
rkflashtool: info: interface claimed
rkflashtool: info: working with partition: system
rkflashtool: info: size of parameter block: 1472
rkflashtool: info: found offset: 0x000d2000
rkflashtool: info: found size: 0x00600000
[2017-09-08 04:58:30]
hostile :
rkflashtool: info: reading flash memory at offset 0x006d1fe0... Done!
[2017-09-08 04:58:58]
hostile :
$ file system
system: Linux rev 1.0 ext4 filesystem data, UUID=57f8f4bc-abf4-655f-bf67-946fc0f9f25b (extents) (large files)
[2017-09-08 04:59:14]
hostile :
$ rkflashtool w system < system
rkflashtool: info: rkflashtool v6.1
rkflashtool: info: Detected RK3288...
rkflashtool: info: interface claimed
rkflashtool: info: working with partition: system
rkflashtool: info: size of parameter block: 1472
rkflashtool: info: found offset: 0x000d2000
rkflashtool: info: found size: 0x00600000
rkflashtool: info: writing flash memory at offset 0x006d1fe0... Done!
[2017-09-08 05:05:08]
hostile :
$ rkflashtool b
rkflashtool: info: rkflashtool v6.1
rkflashtool: info: Detected RK3288...
rkflashtool: info: interface claimed
rkflashtool: info: rebooting device...
[2017-09-08 05:08:32]
hostile :
also
[2017-09-08 05:08:57]
hostile :
simply renaming the downloaded ota zip files as "update.zip" and putting them on the SD card / rebooting is enough to install
[2017-09-08 05:10:15]
hostile :
I am not sure you can **downgrade**
[2017-09-08 05:10:31]
hostile :
I got an error 800 after it rebooted (from trying to install)
[2017-09-08 05:11:12]
hostile :
and time the SD card is inserted with "update.zip" on it, the popup occurs
[2017-09-08 05:22:31]
hostile :
$ adb reboot bootloader == RockChip Bootloader
so the **final** bit... on a **windows** box with "RockChip ADBDriver" installed, and "Minimal ADB & Fastboot", I was able to run the command "adb reboot fastboot" and the box came up in Fastboot mode, and responded to fastboot commands ONLY via the "Minimal ADB & Fastboot" shell, my OSX fastboot command refuses to speak to it, as did **updated / brand new** downloads of android-platform-tools version of fastboot. It is unclear exactly which version they are using. If you have AndroidTool open, you will see "Found ONE ADB Device".
[2017-09-08 05:34:27]
hostile :
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot devices
0123456789 fastboot
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot getvar product
product: fastboot
finished. total time: 0.022s
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot getvar version
version: 2017-04-07#2.19
finished. total time: 0.015s
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot getvar version-bootloader
version-bootloader: fastboot
finished. total time: 0.016s
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot getvar version-baseband
version-baseband: n/a
finished. total time: 0.016s
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot -w
wiping userdata...
Erase successful, but not automatically formatting.
File system type raw not supported.
wiping cache...
Erase successful, but not automatically formatting.
File system type raw not supported.
erasing 'userdata'...
OKAY [ 0.016s]
erasing 'cache'...
OKAY [ 0.003s]
finished. total time: 0.022s
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot erase recovery
erasing 'recovery'...
OKAY [ 0.002s]
finished. total time: 0.002s
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot flash recovery e:\current_recovery.img
target didn't report max-download-size
sending 'recovery' (32768 KB)...
FAILED (remote: device is locked)
finished. total time: 0.016s
[2017-09-08 05:35:41]
hostile :
update complained...
[2017-09-08 05:37:46]
hostile :
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot update e:\update.zip
W/ ( 192): Zip: 260 extraneous bytes at the end of the central directory
error: failed to open zip file 'e:\update.zip': Invalid file
[2017-09-08 06:21:24]
hostile :
for what ever reason the rkflashtool is not **actually** writing, but it is reading
[2017-09-08 06:21:31]
hostile :
perhaps the “locked” bootloader
[2017-09-08 07:18:16]
opcode :
fastboot getvar unlocked
[2017-09-08 07:18:31]
opcode :
fastboot getvar all
[2017-09-08 07:18:33]
opcode :
?
[2017-09-08 07:19:32]
hostile :
its a VERY limited fastboot implementation
[2017-09-08 07:19:38]
hostile :
'all' keyword does not work
[2017-09-08 07:19:46]
hostile :
I'm going to bed!
[2017-09-08 07:19:48]
hostile :
have fun
[2017-09-08 07:20:00]
opcode :
Sleep well
[2017-09-08 07:20:03]
opcode :
:-)
[2017-09-08 14:31:53]
opcode :
i still dont fully understand the correlation between locked bootloader and flashing stuff. does this only come in play when in fastboot?
[2017-09-08 14:33:15]
opcode :
my to do for the weekend:
[2017-09-08 14:33:18]
opcode :
<https://forum.xda-developers.com/android/software/guide-how-to-compile-twrp-source-step-t3404024>.
[2017-09-11 13:36:25]
opcode :
So, i dont get this stuff compiled. too complicated for me, also missing kernel and device tree stuff. :disappointed:
[2017-09-11 13:44:46]
hostile :
my desire to reverse engineer that lordRoot exploit is getting the best of me
[2017-09-11 13:44:51]
hostile :
*shakes his fist.*
[2017-09-11 13:45:04]
hostile :
I refuse to use a random binary I don't know the pedigree of in sharing root with others.
[2017-09-11 13:45:09]
hostile :
soooooo close
[2017-09-11 13:45:10]
hostile :
yet so far
[2017-09-11 13:52:03]
opcode :
maybe if @bin4ry finds some time, he could look into the recovery problem.
[2017-09-11 13:54:31]
bin4ry :
I most likely could build a device tree and kernel tree that is good enough for a recovery , this is what I did as a job before and what I did for Sony devices in the CyanogenMod team. But I have not much time and I don't have the device, so its even harder for me. Maybe Ill look into it once I have some time.
[2017-09-11 13:57:10]
bin4ry :
Also the kernel tree is not really needed, one could use the prebuild kernel and integrate this as a starter, still you need to setup the device in some Android tree. Start from publicity rk3288 repos it's easy from there
[2017-09-11 14:02:51]
opcode :
i tried all the crewrktablets stuff. no luck. next idea, was to compare original recovery with rk twrp recovery to get myself familiar with the stuff thats going on in there, but i cant even open the custom recoverys with split_bootimage, says no android magic found.
[2017-09-11 14:08:30]
bin4ry :
Yeah I wrote that like 1hundred times already. It is not stock Android image structure you need a proper rockchip tree along with its tools :wink:
[2017-09-11 14:48:39]
unusuario128 :
Just saying: Why not just asking for the right kernel to the right person? GPLv2 is great...
[2017-09-11 14:53:03]
bin4ry :
True that
[2017-09-11 14:58:57]
hostile :
We should bug the GPL team on it
[2017-09-11 14:59:05]
hostile :
they supposedly have one set up and all...
[2017-09-11 14:59:31]
hostile :
For questions or comments, please contact us at [opensource@dji.com](mailto:opensource@dji.com).
[2017-09-11 15:48:00]
unusuario128 :
@opcode: `dd if=TWRP_{resolution}_CrewRKTablets_{version} of=TWRP_{resolution}_CrewRKTablets_{version}.cpio bs=8 skip=1`
[2017-09-11 15:53:17]
opcode :
what does this do?
[2017-09-11 15:54:12]
unusuario128 :
Removes the first 8 bytes of the CrewRKTablets TWRP recovery images.
[2017-09-11 15:54:32]
unusuario128 :
The header is formed by two `uint32_t` fields. The first is ASCII `KRNL` and the second should be some sort of CRC32
[2017-09-11 15:55:02]
unusuario128 :
Followed by an CPIO archive
[2017-09-11 15:55:17]
opcode :
ahhh, then it should be able to open via imageasplit
[2017-09-11 15:55:21]
unusuario128 :
If you remove these first bytes, you can read the CPIO as usual.
[2017-09-11 15:56:09]
opcode :
great, thanks. will try that later. :slightly_smiling_face:
[2017-09-11 15:56:51]
unusuario128 :
Even if you feel the need of repacking, you can get some info here:
[2017-09-11 15:56:55]
unusuario128 :
You're welcome
[2017-09-11 15:58:35]
unusuario128 :
Also, maybe this is somewhat related to what you need:
[2017-09-11 16:37:44]
hostile :
generates black screen
[2017-09-11 16:42:58]
opcode :
@unusuario128 no love for the img file, when first 8 bytes removed. if you want to try :
[2017-09-11 16:47:05]
unusuario128 :
@opcode: You didn't remove the first 8 bytes. If you remove the first 8 bytes of the file attached above, you will get a pretty `.cpio.gz` file
[2017-09-11 16:50:00]
opcode :
hah, one second after you typed it i unzipped it. :slightly_smiling_face: thats the original i uploaded, not the one with 8 bytes removed.
[2017-09-11 16:52:11]
unusuario128 :
:smile:
[2017-09-11 17:36:33]
unusuario128 :
Even if it may be obvious: If when booting to TWRP the screen remains black, don't panic. Plug the device to the computer and try to `adb shell`. A problem of the screen driver generally won't keep you from using the TWRP ADB interface.
[2017-09-12 13:38:18]
hostile :
This may apply... <https://www.youtube.com/watch?v=Az-l90RCns8>
[2017-09-12 15:27:05]
opcode :
Interesting. Do we even have Bluetooth?
[2017-09-12 15:27:11]
opcode :
Android
All Android phones, tablets, and wearables (except those using only Bluetooth Low Energy) of all versions are affected by four vulnerabilities found in the Android operating system, two of which allow remote code execution (CVE-2017-0781 and CVE-2017-0782), one results in information leak (CVE-2017-0785) and the last allows an attacker to perform a Man-in-The-Middle attack (CVE-2017-0783).
[2017-09-13 14:30:11]
opcode :
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot devices
0123456789 fastboot
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot oem device-info
...
FAILED (remote: device is locked)
finished. total time: 0.500s
[2017-09-13 14:31:02]
opcode :
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot boot "C:\TWRP_2048x1536_CrewRKTablets_v2.2.img"
creating boot image...
creating boot image - 4554752 bytes
downloading 'boot.img'...
FAILED (remote: device is locked)
finished. total time: 0.031s
[2017-09-13 14:31:50]
opcode :
fastboot hangs on OSX for me, but works fine in Win10.
[2017-09-13 14:32:33]
opcode :
But Bootloader is locked, as you can see.
[2017-09-13 14:44:10]
hostile :
yeah there is a known bug on osx
[2017-09-13 14:44:14]
hostile :
it works in linux too
[2017-09-13 14:44:38]
hostile :
<https://dji-rev.slack.com/archives/C6K376JGZ/p1504848867000122>
[2017-09-13 14:45:06]
hostile :
<https://dji-rev.slack.com/archives/C6K376JGZ/p1504848151000064>
[2017-09-13 14:45:16]
opcode :
<http://opensource.rock-chips.com/wiki_Fastboot>
[2017-09-13 14:45:30]
hostile :
nice
[2017-09-13 14:45:57]
hostile :
"This VID is not in Google's original fastboot code. So every fastboot command have to use "-i" parameter to specify vid to fastboot."
[2017-09-13 14:45:59]
hostile :
those fuckers
[2017-09-13 14:46:00]
hostile :
lol
[2017-09-13 14:46:57]
hostile :
try this
[2017-09-13 14:47:25]
opcode :
Rockchip Vendor ID is 0x2207, and the product ID for different SoCs are different.
Rockusb product ID:
RK3288: 0x320a
RK3328: 0x320c
RK3399: 0x330c
[2017-09-13 14:47:34]
hostile :
very interesting
[2017-09-13 14:48:07]
hostile :
try oem unlock
[2017-09-13 14:49:07]
opcode :
unlocking bootloader wipes the device, afaik
[2017-09-13 14:51:59]
hostile :
well copy the partitions first. =]
[2017-09-13 14:52:11]
hostile :
I'll do it later
[2017-09-13 14:52:13]
hostile :
IDGAF
[2017-09-13 14:52:22]
hostile :
#Bricks4Jesus
[2017-09-13 14:54:40]
opcode :
lol
[2017-09-13 14:55:21]
opcode :
im wondering, if the bootloader is preventing to boot the TWRP recovery.
[2017-09-13 15:00:43]
hostile :
yes
[2017-09-13 15:00:44]
opcode :
i mean the one i tried to flash with dd.
[2017-09-13 15:01:00]
hostile :
yes being locked stops us from modifying critical partitions
[2017-09-13 15:01:02]
hostile :
boot and system
[2017-09-14 15:06:19]
opcode :
backup.img kernel.img misc.img resource.img user.img
boot.img kpanic.img radical_update.img system.img userdata.img
cache.img metadata.img recovery.img uboot.img
bash-3.2$
[2017-09-14 15:06:26]
opcode :
backup-o-manic
[2017-09-14 15:06:32]
opcode :
now lets brick it :slightly_smiling_face:
[2017-09-14 15:20:40]
opcode :
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot getvar unlocked
unlocked: no
finished. total time: 0.909s
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot oem unlock
...
OKAY [ 0.266s]
finished. total time: 1.599s
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot oem unlock_accept
...
OKAY [ 0.339s]
finished. total time: 1.420s
C:\Program Files (x86)\Minimal ADB and Fastboot>
[2017-09-14 15:30:07]
opcode :
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot devices
0123456789 fastboot
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot getvar unlocked
unlocked: yes
finished. total time: 0.000s
[2017-09-14 15:30:44]
opcode :
wiped all my apps, but basic system is working. :slightly_smiling_face:
[2017-09-14 15:32:29]
opcode :
C:\Program Files (x86)\Minimal ADB and Fastboot>adb devices
List of devices attached
1TSBXXX8B device
C:\Program Files (x86)\Minimal ADB and Fastboot>adb shell
shell@zs600b:/ $ su
root@zs600b:/
[2017-09-14 15:51:52]
hostile :
niiiice work dude
[2017-09-14 15:51:59]
hostile :
you officially had the cajones
[2017-09-14 15:52:13]
hostile :
well fucking done
[2017-09-14 16:12:45]
kilrah :
HAHA awesome
[2017-09-14 16:35:52]
opcode :
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot flash recovery twrp.img
target didn't report max-download-size
sending 'recovery' (4444 KB)...
OKAY [ 0.125s]
writing 'recovery'...
FAILED (remote: Write partition:recovery)
finished. total time: 0.141s
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot flash recovery recovery.img
target didn't report max-download-size
sending 'recovery' (24912 KB)...
OKAY [ 0.625s]
writing 'recovery'...
OKAY [ 1.329s]
finished. total time: 1.954s
[2017-09-14 16:36:16]
opcode :
it lets me flash the original recovery, but not the twrp one. hmmm.
[2017-09-14 16:37:27]
hostile :
I believe there is a secondary unlock command
[2017-09-14 16:37:36]
hostile :
for the critical partitions
[2017-09-14 16:37:37]
hostile :
I forget
[2017-09-14 16:37:55]
opcode :
but where. in the bootloader?
[2017-09-14 16:37:55]
hostile :
fastboot flashing unlock_critical
[2017-09-14 16:37:57]
hostile :
try that
[2017-09-14 16:38:46]
opcode :
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot flashing unlock_critical
...
FAILED (remote failure)
finished. total time: 0.016s
[2017-09-14 16:39:29]
hostile :
does it matter at this point?
[2017-09-14 16:39:36]
hostile :
can you remount,rw /system now?
[2017-09-14 16:41:14]
opcode :
C:\Program Files (x86)\Minimal ADB and Fastboot>adb shell
shell@zs600b:/ $ mount -o remount,rw /system
mount: Operation not permitted
255|shell@zs600b:/ $
[2017-09-14 16:41:19]
hostile :
su
[2017-09-14 16:41:22]
hostile :
gotta be root
[2017-09-14 16:41:35]
opcode :
sure i can, but i was root before.
[2017-09-14 16:41:49]
opcode :
i rooted via kingroot, remember?
[2017-09-14 16:41:56]
hostile :
as root previously... pre unlocked bootloader we can't in some cases
[2017-09-14 16:42:05]
hostile :
you are now fresh image
[2017-09-14 16:42:21]
hostile :
or did I confuse what you did post oem unlock
[2017-09-14 16:42:39]
opcode :
i think you confused it. my play store is also alive.
[2017-09-14 16:42:48]
opcode :
flashed it before.
[2017-09-14 16:42:54]
hostile :
ahh I thought it erased all you did
[2017-09-14 16:43:03]
hostile :
and you had su after oem unlock
[2017-09-14 16:43:10]
opcode :
yep.
[2017-09-14 16:43:28]
hostile :
(without doing anything extra)
[2017-09-14 16:43:29]
opcode :
su and google play survived somehow
[2017-09-14 16:43:35]
hostile :
got it
[2017-09-14 16:43:49]
opcode :
go apps and all apps i installed via play store got wiped
[2017-09-14 16:47:20]
opcode :
i guess the bootloader is fucked
[2017-09-14 18:33:54]
bin4ry :
su and google play are on system partition, only data partition gets wiped =))
[2017-09-15 12:05:18]
opcode :
as i can not flash the twrp recovery, it can only be the bootloader who prevents that. so, flash a new bootloader? seems risky in my eyes.
[2017-09-15 12:12:45]
bin4ry :
the fastboot flash can also fail if the img has the wrong format
[2017-09-15 12:12:48]
bin4ry :
that is what i think
[2017-09-15 12:12:54]
bin4ry :
did you try to flash one of my images ?
[2017-09-15 12:13:02]
bin4ry :
i did upload 2 custom images iirc
[2017-09-15 12:13:09]
bin4ry :
i tried to mimic the img format
[2017-09-15 12:13:34]
bin4ry :
on sony phones for example it is the same. if the img file does not match the structure fastboot will yield a "failed"
[2017-09-15 12:36:37]
opcode :
C:\Program Files (x86)\Minimal ADB and Fastboot>adb reboot fastboot
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot flash recovery bin1.img
target didn't report max-download-size
sending 'recovery' (25984 KB)...
OKAY [ 0.610s]
writing 'recovery'...
FAILED (remote: Write partition:recovery)
finished. total time: 0.625s
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot flash recovery bin2.img
target didn't report max-download-size
sending 'recovery' (24960 KB)...
OKAY [ 0.594s]
writing 'recovery'...
FAILED (remote: Write partition:recovery)
finished. total time: 0.609s
C:\Program Files (x86)\Minimal ADB and Fastboot>
[2017-09-15 12:36:56]
opcode :
these are the both images you gave me.
[2017-09-15 12:40:22]
opcode :
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot getvar version
version: 2017-06-16#2.19
finished. total time: 0.016s
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot getvar version-bootloader
version-bootloader: fastboot
finished. total time: 0.000s
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot getvar unlocked
unlocked: yes
finished. total time: 0.016s
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot getvar secure
secure: no
finished. total time: 0.016s
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot getvar partition-type:recovery
partition-type:recovery: raw
finished. total time: 0.016s
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot getvar partition-size:recovery
partition-size:recovery: 0x0000000000010000(blk)
finished. total time: -0.000s
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot getvar partition-offset:recovery
partition-offset:recovery: 0x00026000
finished. total time: 0.016s
[2017-09-16 11:29:33]
opcode :
Also notice : Flags: Kernel Image
[2017-09-16 11:34:51]
unusuario128 :
Could you send me the original recovery along with the TWRP you try to install?
[2017-09-16 11:34:52]
opcode :
the only reason i can think of, that twrp is not working, is the missing kernel
[2017-09-16 11:35:20]
bin4ry :
Yeah flashfire is most likely not able to recognize the special rockchip format
[2017-09-16 11:35:52]
opcode :
@unusuario128 sure, ill upload them here in a minute.
[2017-09-16 11:40:23]
unusuario128 :
@opcode: Can you also attach the original recovery?
[2017-09-16 11:40:36]
opcode :
uploading is slow .... :slightly_smiling_face:
[2017-09-16 11:40:43]
opcode :
just a min
[2017-09-16 11:41:50]
unusuario128 :
Thanks!
[2017-09-16 11:42:05]
opcode :
np. thats the original recovery from the latest OTA
[2017-09-16 11:42:05]
unusuario128 :
Digesting... :wink:
[2017-09-16 11:43:26]
opcode :
if they somehow built in some signing check in the secondary uboot, we are fucked.
[2017-09-16 11:44:25]
opcode :
as far as my reading goes, this has been done sometime from companies, but unlikely.
[2017-09-16 11:48:55]
unusuario128 :
What is the maximum (raw) size of the `recovery` partition?
[2017-09-16 11:51:11]
opcode :
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot getvar partition-size:recovery
partition-size:recovery: 0x0000000000010000(blk)
finished. total time: -0.000s
[2017-09-16 11:51:24]
unusuario128 :
512K blocks?
[2017-09-16 11:52:05]
opcode :
flashfire says 4096 block size
[2017-09-16 11:52:20]
unusuario128 :
Then, the partition is huge!
[2017-09-16 11:53:27]
opcode :
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot flash recovery bin1.img
target didn't report max-download-size
sending 'recovery' (25984 KB)...
OKAY [ 0.610s]
[2017-09-16 11:53:39]
opcode :
so, looks like no size limit
[2017-09-16 11:54:42]
opcode :
will try, just a min
[2017-09-16 11:56:07]
opcode :
file does not match any partitions
[2017-09-16 11:56:13]
opcode :
try via dd?
[2017-09-16 11:57:31]
unusuario128 :
Yes, or via fastboot, if you can.
[2017-09-16 11:58:09]
opcode :
ok, first try fastboot
[2017-09-16 12:00:36]
opcode :
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot flash recovery TWRPnew.img
target didn't report max-download-size
sending 'recovery' (27648 KB)...
OKAY [ 0.672s]
writing 'recovery'...
FAILED (remote: Write partition:recovery)
finished. total time: 0.688s
[2017-09-16 12:00:44]
unusuario128 :
Why?
[2017-09-16 12:01:04]
opcode :
good question :slightly_smiling_face:
[2017-09-16 12:01:26]
unusuario128 :
If you dd on it, you can flash later the original with fastboot?
[2017-09-16 12:01:35]
opcode :
yes
[2017-09-16 12:01:50]
unusuario128 :
Give it a try.
[2017-09-16 12:02:03]
unusuario128 :
And, md5sum check the flash success.
[2017-09-16 12:02:33]
opcode :
how?
[2017-09-16 12:02:42]
opcode :
command for that?
[2017-09-16 12:03:56]
unusuario128 :
Do you have busybox installed?
[2017-09-16 12:04:20]
opcode :
yep
[2017-09-16 12:04:49]
unusuario128 :
Can you post the output of `ls -l /dev/block/platform/*/by-name`?
[2017-09-16 12:06:56]
opcode :
root@zs600b:/ # ls -l /dev/block/platform/*/by-name
lrwxrwxrwx root root 2017-09-16 20:02 backup -> /dev/block/mmcblk0p7
lrwxrwxrwx root root 2017-09-16 20:02 boot -> /dev/block/mmcblk0p5
lrwxrwxrwx root root 2017-09-16 20:02 cache -> /dev/block/mmcblk0p8
lrwxrwxrwx root root 2017-09-16 20:02 kernel -> /dev/block/mmcblk0p4
lrwxrwxrwx root root 2017-09-16 20:02 kpanic -> /dev/block/mmcblk0p9
lrwxrwxrwx root root 2017-09-16 20:02 metadata -> /dev/block/mmcblk0p11
lrwxrwxrwx root root 2017-09-16 20:02 misc -> /dev/block/mmcblk0p2
lrwxrwxrwx root root 2017-09-16 20:02 radical_update -> /dev/block/mmcblk0p13
lrwxrwxrwx root root 2017-09-16 20:02 recovery -> /dev/block/mmcblk0p6
lrwxrwxrwx root root 2017-09-16 20:02 resource -> /dev/block/mmcblk0p3
lrwxrwxrwx root root 2017-09-16 20:02 system -> /dev/block/mmcblk0p10
lrwxrwxrwx root root 2017-09-16 20:02 uboot -> /dev/block/mmcblk0p1
lrwxrwxrwx root root 2017-09-16 20:02 user -> /dev/block/mmcblk0p14
lrwxrwxrwx root root 2017-09-16 20:02 userdata -> /dev/block/mmcblk0p12
[2017-09-16 12:07:56]
unusuario128 :
Then, run `md5sum TWRPnew.img`, and compare the output with `md5sum /dev/block/mmcblk0p6` after flashing.
[2017-09-16 12:13:30]
opcode :
root@zs600b:/ # busybox md5sum /mnt/external_sd1/TWRPnew.img
3620dc97cd7aa143eaf26edbcf21f7b8 /mnt/external_sd1/TWRPnew.img
root@zs600b:/ #
root@zs600b:/ #
g of=/dev/block/platform/ff0f0000.rksdmmc/by-name/recovery <
55296+0 records in
55296+0 records out
28311552 bytes transferred in 3.059 secs (9255165 bytes/sec)
root@zs600b:/ # busybox md5sum /dev/block/mmcblk0p6
ee61ae53bb87c774783002a09103bb7a /dev/block/mmcblk0p6
root@zs600b:/ #
[2017-09-16 12:13:37]
opcode :
doesnt match :disappointed:
[2017-09-16 12:17:45]
unusuario128 :
Oopsie... However, try to boot into recovery.
[2017-09-16 12:19:02]
opcode :
black screen, no adb.
[2017-09-16 12:20:32]
unusuario128 :
Does the default recovery expose (unprivileged) adb?
[2017-09-16 12:21:28]
opcode :
nope
[2017-09-16 12:21:43]
unusuario128 :
Let me try to do some things.
[2017-09-16 12:23:12]
opcode :
got only 15 min time left today.
[2017-09-16 12:23:40]
opcode :
maybe tomorrow in the afternoon, evening?
[2017-09-16 12:25:09]
unusuario128 :
Don't worry. What timezone?
[2017-09-16 12:25:21]
opcode :
same as you. CRE
[2017-09-16 12:25:25]
opcode :
CET
[2017-09-16 12:25:28]
opcode :
:slightly_smiling_face:
[2017-09-16 12:25:44]
unusuario128 :
I'm on CEST :wink:
[2017-09-16 12:25:50]
opcode :
lol
[2017-09-16 12:25:52]
opcode :
:wink:
[2017-09-16 12:26:34]
opcode :
thanks for your help mate, appreciated
[2017-09-16 12:27:07]
unusuario128 :
You're welcome. I'm uploading just now a tweaked default recovery with privileged ADB.
[2017-09-16 12:27:25]
unusuario128 :
When you can try it, please post the result.
[2017-09-16 12:27:37]
unusuario128 :
Ever try first to flash with fastboot, and then dd.
[2017-09-16 12:27:48]
opcode :
yes, i have some minutes left
[2017-09-16 12:28:23]
opcode :
goal for recovery should be to install unsigned update.zip. to have all the goodies flashed at once. :slightly_smiling_face:
[2017-09-16 12:28:31]
unusuario128 :
Tomorrow we will probably be able to talk relaxedly again after 18:00 or so. What moment is best for you?
[2017-09-16 12:29:26]
unusuario128 :
I've only modded the ADBD because with this starting point we can debug the TWRP boot and port it successfully.
[2017-09-16 12:31:11]
opcode :
18.00 is fine
[2017-09-16 12:31:16]
unusuario128 :
OK.
[2017-09-16 12:36:28]
opcode :
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot flash recovery ADB.img
target didn't report max-download-size
sending 'recovery' (24960 KB)...
OKAY [ 0.626s]
writing 'recovery'...
FAILED (remote: Write partition:recovery)
finished. total time: 0.626s
[2017-09-16 12:41:03]
opcode :
.../dev/block/platform/ff0f0000.rksdmmc/by-name/recovery <
49920+0 records in
49920+0 records out
25559040 bytes transferred in 2.282 secs (11200280 bytes/sec)
[2017-09-16 12:41:15]
opcode :
black screen, still no adb.
[2017-09-16 12:41:38]
unusuario128 :
So, I'll need to investigate a bit about the fastboot tricks.
[2017-09-16 12:41:43]
opcode :
i have an image of the bootloader. upload it here?
[2017-09-16 12:41:53]
unusuario128 :
Yes, may be a good idea.
[2017-09-16 12:42:13]
unusuario128 :
I'll need to pray to St. IDA... :wink:
[2017-09-16 12:42:22]
opcode :
lol
[2017-09-16 12:43:03]
unusuario128 :
Also, I'll start by checking if the image is pure AOSP or if it uses the custom headers for something ugly.
[2017-09-16 12:43:19]
opcode :
great, thanks. way over my head.
[2017-09-16 13:08:17]
unusuario128 :
@opcode: Do you know how useful can be 4MB of 0x00?
[2017-09-16 13:08:48]
unusuario128 :
Something didn't work when pulling the U-Boot image...
[2017-09-16 13:09:29]
unusuario128 :
Please double-check the U-Boot dump.
[2017-09-16 13:17:36]
unusuario128 :
_Habemus papam_
[2017-09-16 13:22:30]
opcode :
huh
[2017-09-16 13:22:46]
unusuario128 :
Annuntio vobis supplicium magnum:
HABEMUS SIGNATUREM!
Eminentissimum ac reverendissimum Dominum,
Dominum Unknownus DJI Cardinalem Tecnicus,
Qui sibi nomen imposuit Overkillium III.
[2017-09-16 13:23:06]
opcode :
hehe
[2017-09-16 13:23:10]
opcode :
check this one
[2017-09-16 13:23:45]
opcode :
have to leave now
[2017-09-16 13:23:49]
opcode :
cu
[2017-09-16 13:24:14]
unusuario128 :
Don't worry.
[2017-09-16 13:24:26]
unusuario128 :
It is zero-filled also.
[2017-09-16 13:24:33]
opcode :
what?
[2017-09-16 13:24:36]
opcode :
why that?
[2017-09-16 13:24:48]
unusuario128 :
Read-out protection?
[2017-09-16 13:24:51]
opcode :
i dd it
[2017-09-16 13:25:07]
unusuario128 :
Yes, but maybe there is something keeping you from reading it.
[2017-09-16 13:25:30]
unusuario128 :
After the _habemus signaturem_ from Overkillius III, I can expect anything.
[2017-09-16 13:28:16]
opcode :
lol
[2017-09-16 13:28:22]
opcode :
lets try tomorrow
[2017-09-16 13:28:30]
opcode :
thanks anyway and cu :slightly_smiling_face:
[2017-09-16 13:30:22]
unusuario128 :
Good bye!
[2017-09-16 14:14:43]
hostile :
nice work @opcode "TWRP gets recognized as recovery, but small size."
[2017-09-17 13:15:40]
opcode :
boot/secondary bootloader backup made via flashfire
[2017-09-17 13:16:17]
opcode :
surprisingly small? @unusuario128 can you take a look?
[2017-09-17 14:24:41]
unusuario128 :
Howdy!
[2017-09-17 14:28:32]
unusuario128 :
You've sent me two files full of zeros again. This is really funny, but... :wink:
[2017-09-17 14:31:46]
unusuario128 :
Seems like there is a piece of code in the kernel or in some bootloader that keeps you from reading the U-Boot zone.
[2017-09-17 14:32:20]
unusuario128 :
Is there any way of getting the contents of `/dev/block/mmcblk0p1` and `/dev/block/mmcblk0p5`?
[2017-09-17 14:34:31]
unusuario128 :
Maybe somebody here can try to dump the internal memory using the Rockchip Android Flash Tool...
[2017-09-17 14:34:59]
unusuario128 :
Would it be appropriate to ping the entire channel for that?
[2017-09-17 14:35:32]
unusuario128 :
However, I've never touched the Rockchip tool and I don't know if this is possible.
[2017-09-17 14:35:48]
unusuario128 :
@opcode: What do you think?
[2017-09-17 15:27:37]
unusuario128 :
<https://forum.xda-developers.com/showthread.php?t=2749082>
[2017-09-17 15:30:29]
opcode :
did it via androidtool with CS in bootloader mode
[2017-09-17 15:31:00]
unusuario128 :
Maybe my hex editor is wrong... but I see zeros again.
[2017-09-17 15:31:21]
unusuario128 :
Can you do a full dump of the internal memory?
[2017-09-17 15:32:02]
opcode :
hmm
[2017-09-17 15:32:05]
opcode :
let me check
[2017-09-17 15:33:15]
unusuario128 :
It would be something like `Export Image` from `0x00000000` to `0xEND_OF_THE_MEMORY_IN_BYTES_HEX`
[2017-09-17 15:34:19]
opcode :
Understanding NAND layout:
Your NAND chip is broken into "partitions" or parts if you will call it that.
Each one of these serves a purpose. Here are all the partitions of a RockChip ROM.
Loader.bin - this is low in NAND and special. You can flash it but cannot dump it.
parameter - this file tells the loader how NAND memory is split up into partitions.
misc.img - this is a special area that tells the recovery system what to do on boot.
boot.img - this is the boot section and basically is the ram disk the kernel uses to boot.
kernel.img - this is of course the kernel.
cache.img - this is an area APPs store information like Google Play for instance.
kpanic.img - this is a special area for use by the kernel.
metadata.img - this is a NEW area for KitKat only. It does not exist in pre-kitkat ROMs. It's used for Encryption.
recovery.img - this is like boot.img but boots the recovery menu system.
[2017-09-17 15:35:12]
opcode :
"Loader.bin - this is low in NAND and special. You can flash it but cannot dump it."
[2017-09-17 15:35:34]
opcode :
im afraid, its not possible to dump the loader
[2017-09-17 15:39:33]
opcode :
full backup wouldnt change a thing, as it still reads zeroes from the uboot partition.
[2017-09-17 15:49:12]
unusuario128 :
@opcode: Could you dump the "backup" partition and upload it?
[2017-09-17 15:50:10]
opcode :
sure
[2017-09-17 15:50:25]
unusuario128 :
`0x1a000` to `0x36000`
[2017-09-17 15:50:41]
opcode :
just to clarify, the uboot.img is completely zero?
[2017-09-17 15:52:01]
unusuario128 :
Nope, simply it keeps you from dumping it.
[2017-09-17 15:52:28]
unusuario128 :
It "lies" to you and returns all zeros, but the partition is not empty in the device memory.
[2017-09-17 15:52:59]
unusuario128 :
Also, I've found an entertaining read:
[2017-09-17 15:53:23]
opcode :
so, the bootloader itself is preventing the download.
[2017-09-17 15:53:28]
opcode :
interesting.
[2017-09-17 15:54:23]
unusuario128 :
The bootloader seems to verify the files against the ¿rockchip, dji? public key and keeps them from being flashed and/or booted (AFAIK).
[2017-09-17 15:54:36]
unusuario128 :
Also it keeps us from reading itself (the bootloader)
[2017-09-17 15:54:49]
unusuario128 :
Maybe I'm wrong.
[2017-09-17 15:55:37]
opcode :
thats what im guessing too. and it prevents the "unsigned" TWRP recovery to start.
[2017-09-17 15:56:22]
opcode :
Supported Rockchip's SoC
VID:PID description tested on
========= ========= =========
0bb4:2910 MSC device (USB debug off)
0bb4:0c02 MSC device (USB debug on)
2207:0000 MSC device (USB debug off)
2207:0010 MSC device (USB debug on)
2207:330A RK3368 Artway X6
2207:320C RK3328 A5X Plus mini
2207:320B RK3229 MXQ 4K
2207:320A RK3288 Jesurun T034
2207:310D RK3126 Proscan PLT9650G
2207:310C RK3128 CS918-rk3128
2207:310B RK3188 PIPO Max M9 Pro
2207:300B RK3168 Starmobile Engage7+
2207:300A RK3066 UG802
2207:292C RK3026/RK3028 ONYX BOOX C67SML COLUMBUS/?
2207:292A RK2928 Lexibook Tablet Master 2
2207:290A RK2906 TeXeT TB-138
[2017-09-17 15:56:45]
opcode :
Interesting: the CS comes up as 2207:320A
[2017-09-17 15:57:01]
opcode :
so, basically i have a TV-Stick. lol
[2017-09-17 15:59:57]
unusuario128 :
Along with a 1000+ cd/m2 TV :wink:
[2017-09-17 16:00:14]
opcode :
:smile:
[2017-09-17 16:04:38]
opcode :
Verification keys
Bootloader integrity is always verified using a hardware root of trust. For verifying boot and recovery partitions, the bootloader has a fixed OEM key available to it. It always attempts to verify the boot partition using the OEM key first and try other possible keys only if this verification fails.
In Class B implementations, it is possible for the user to flash software signed with other keys when the device is UNLOCKED. If the device is then LOCKED and verification using the OEM key fails, the bootloader tries verification using the certificate embedded in the partition signature. However, using a partition signed with anything other than the OEM key results in a notification or a warning, as described below.
[2017-09-17 16:04:50]
opcode :
<https://source.android.com/security/verifiedboot/verified-boot>
[2017-09-17 16:07:33]
unusuario128 :
Yes, however, the implementation of the chain of trust is not the official Android one. It is some sort of Rockchip-specific odd job.
[2017-09-17 16:09:57]
opcode :
So, if i put this all together, the bootloader is fucking with us.
[2017-09-17 16:10:05]
opcode :
prevents readout
[2017-09-17 16:10:14]
opcode :
prevents custom recovery
[2017-09-17 16:10:39]
opcode :
its possible to flash a different bootloader, but afaik its VERY risky
[2017-09-17 16:10:51]
opcode :
and we dont have a backup of the original one
[2017-09-17 16:13:52]
unusuario128 :
Seeing the price tag of the CS, I would not mess with the bootloader writing by now. :confused:
[2017-09-17 16:14:44]
unusuario128 :
Let me check the latest dump.
[2017-09-17 16:19:54]
unusuario128 :
RK3288 Boot Loader V2.19.10
[2017-09-17 16:20:22]
opcode :
extracted from the backup.img?
[2017-09-17 16:20:27]
unusuario128 :
Only for static analysis. Not intended to flash.
[2017-09-17 16:20:29]
unusuario128 :
Yes.
[2017-09-17 16:20:33]
opcode :
yeah
[2017-09-17 16:21:18]
opcode :
can you take a look at signing stuff in it?
[2017-09-17 16:21:34]
unusuario128 :
I'll try.
[2017-09-17 16:21:47]
unusuario128 :
Let's see if IDA can digest it...
[2017-09-17 16:22:19]
opcode :
then we would know, that the custom recovery gets fucked by the bootloader.
[2017-09-17 16:22:50]
opcode :
there is still a chance, to get custom recovery running. maybe we missed something.
[2017-09-17 16:24:59]
unusuario128 :
We missed many things, but the main obstacle was/is here: <https://dji-rev.slack.com/files/U6VMY3L90/F758SQC7R/diff_of_the_first_bytes_of_the_header.txt>
[2017-09-17 16:36:49]
opcode :
btw ... uboot is under GPL :slightly_smiling_face:
[2017-09-17 16:39:26]
opcode :
@hostile ask DJI for the source? :wink:
[2017-09-17 16:40:40]
unusuario128 :
Matrioshka-like firmware packaging... Yet more depth of packaging layers.
[2017-09-17 16:41:50]
opcode :
yep, seen this stuff with text editor
[2017-09-17 16:41:52]
opcode :
BOOTf á9%A023f 9 9Ø 9 9 3 2 _ L P D D R 2 _ 2 0 0 M H z _ L P J 0 9 r k 3 2 x x u s b p l u g J1 ° 9 F l a s h D a t a Já 0 9 F l a s h B o o t J <mÁ¿ë:´-^vÿ
[2017-09-17 16:47:41]
opcode :
i dont get it :smile:
[2017-09-17 16:49:19]
unusuario128 :
`0xBADC0DE` :slightly_smiling_face:
[2017-09-17 16:52:41]
opcode :
LOL
[2017-09-17 16:55:00]
unusuario128 :
It is worth digging on it.
[2017-09-17 16:57:36]
unusuario128 :
I need to search for crypto constants and figure out if it is possible to bypass the signed boot.
[2017-09-17 16:57:38]
opcode :
"SIGN"
[2017-09-17 16:58:21]
unusuario128 :
I'll leave it for the next spare time interval I'll have.
[2017-09-17 16:58:47]
unusuario128 :
This "SIGN" is the one on the recovery.img and boot.img first page. Do you remember?
[2017-09-17 16:59:05]
unusuario128 :
Having to leave now. See you later.
[2017-09-17 17:00:28]
opcode :
Great finding. :smiley: Sure, see you later.
[2017-09-17 17:13:55]
hostile :
@freaky123 you in here
[2017-09-17 18:09:38]
freaky123 :
Yeah
[2017-09-17 18:11:00]
freaky123 :
Whats the problem?
[2017-09-17 18:23:21]
freaky123 :
I didn't follow the full conversation
[2017-09-17 18:26:36]
freaky123 :
But if it uses the same LeadCore chip the bootloader is most likely signed
[2017-09-17 18:46:30]
unusuario128 :
The bootloader seems to be signed, indeed.
[2017-09-17 18:48:07]
freaky123 :
<https://github.com/fvantienen/dji_rev/blob/master/tools/check_uboot.py>
[2017-09-17 18:48:12]
freaky123 :
Try this...
[2017-09-17 19:03:49]
unusuario128 :
Anybody can run `fastboot oem ucmd printenv` and paste the result?
[2017-09-17 19:06:13]
unusuario128 :
@freaky123: Is your script intended to be run over the uboot.bin file?
[2017-09-17 19:43:08]
freaky123 :
Yeah.. but it is made for leadcore
[2017-09-17 19:54:09]
unusuario128 :
I suspect that there is a flaw here. Need to investigate the 0x3C14 function.
[2017-09-17 19:55:11]
unusuario128 :
So late now.
[2017-09-17 19:55:27]
hostile :
nice work
[2017-09-17 19:56:09]
opcode :
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot oem ucmd printenv
...
OKAY [ 0.047s]
finished. total time: 0.047s
C:\Program Files (x86)\Minimal ADB and Fastboot>
[2017-09-18 04:57:08]
pure3d :
another asshole not giving proper credit: <https://www.dirtyjdesigns.com/blogs/news/having-some-fun-hacking-and-unlocking-our-dji-crystalsky-monitor-today>
[2017-09-18 08:24:51]
opcode :
"A coder much brighter than ourselves had modified the file and we just needed to ADB into the crystalsky to write the modified file over the stock one. " @bin4ry that's for you :smiley:
[2017-09-18 08:25:44]
bin4ry :
:smile: lolz
[2017-09-18 09:39:27]
unusuario128 :
@opcode: Can you try to flash/boot the recovery named wontwork.img?
[2017-09-18 09:40:07]
unusuario128 :
Also, does UpgradeDllTool provide a way of unlocking the secure boot?
[2017-09-18 09:44:01]
opcode :
morning! yeah, sure. :slightly_smiling_face:
[2017-09-18 09:44:13]
opcode :
you mean the androidtool ?
[2017-09-18 09:44:48]
unusuario128 :
Nope.
[2017-09-18 09:45:01]
opcode :
i already unlocked the bootloader, not sure if this has something to do with secure boot?
[2017-09-18 09:45:08]
unusuario128 :
There is a tool to change IMEI and do that sort of low-level operations called UpgradeDllTool
[2017-09-18 09:45:21]
unusuario128 :
Nothing to do with secure boot.
[2017-09-18 09:45:30]
opcode :
k. ill check it out.
[2017-09-18 09:47:25]
unusuario128 :
The secure boot feature enforces the verification of all the code, forming an effective trust chain. For example: the mask rom checks whether the feature is enabled and checks the first NAND boot code against the Rockchip signature, and then that boot code calls the primary bootloader, verifying it also against the OEM signature... etc. until it verifies and boots the Linux kernel.
[2017-09-18 09:49:35]
opcode :
ah, thanks for the explanation. i was guessing, that it is some kind of secure handshake all the chain downwards.
[2017-09-18 09:49:44]
opcode :
any idea, where to download the tool?
[2017-09-18 09:50:20]
opcode :
<http://freaktab.com/forum/development-area/rom-hacks-and-mods-development/10509-rockchip-upgradedlltool-v1-26>
[2017-09-18 09:50:23]
opcode :
link is dead
[2017-09-18 09:55:06]
opcode :
found it
[2017-09-18 10:02:15]
unusuario128 :
<https://github.com/geekboxzone/lollipop_RKTools>
[2017-09-18 10:04:39]
opcode :
"switch device failed" i have also in androidtool. dont know what this means. its in bootloader mode.
[2017-09-18 10:05:40]
opcode :
will try the link you just gave me. newer version, 1.35
[2017-09-18 10:09:00]
opcode :
nope, same.
[2017-09-18 10:09:48]
unusuario128 :
Maybe it is some sort of silly issue... Does it have administrator rights?
[2017-09-18 10:10:06]
unusuario128 :
About the latest recovery? Did it work?
[2017-09-18 10:10:18]
opcode :
didnt flash till now.
[2017-09-18 10:10:22]
opcode :
gimme a min
[2017-09-18 10:13:55]
opcode :
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot flash recovery wontwork.img
target didn't report max-download-size
sending 'recovery' (24960 KB)...
OKAY [ 0.609s]
writing 'recovery'...
FAILED (remote: Write partition:recovery)
finished. total time: 1.016s
C:\Program Files (x86)\Minimal ADB and Fastboot>
[2017-09-18 10:14:00]
opcode :
now try dd
[2017-09-18 10:18:01]
opcode :
nope. black screen.
[2017-09-18 10:19:37]
unusuario128 :
Ok.
[2017-09-18 10:26:01]
unusuario128 :
Just a question: Does `fastboot oem log` output something meaningful?
[2017-09-18 10:26:25]
opcode :
let me check
[2017-09-18 10:27:40]
opcode :
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot oem log
...
OKAY [ 0.016s]
finished. total time: 0.016s
C:\Program Files (x86)\Minimal ADB and Fastboot>
[2017-09-18 10:28:22]
opcode :
just found a linux tool in this rockchip tools package
[2017-09-18 10:28:24]
opcode :
SecureBootConsole instructions
Instructions:
Create a key pair
Example: SecureBootConsole -k. \ Output \
Create a 1024bit key pair, save in the. \ Output directory
Signature Loader
Example: SecureBootConsole -sl publickey.bin loader.bin
Provide publickey.bin public key, signature on loader.bin
Signature Image
Example: SecureBootConsole -si privatekey.bin boot.img
Provide privatekey.bin private key to sign boot.img
Signature update.img Summary
Example: SecureBootConsole -sh privatekey.bin update.img
Provide the privatekey.bin private key to sign the update.img digest
Generate the signature of the update.img step
Signature loader
Signed boot.img and recovery.img
Package update.img
Signature update.img Summary
[2017-09-18 10:29:36]
opcode :
create key, write to loader, sign packages with the key?
[2017-09-18 10:30:34]
unusuario128 :
This is beautiful. The pity is that we don't have the private key that was used to sign the file? Or do we have it?
[2017-09-18 10:30:43]
opcode :
nope
[2017-09-18 10:30:59]
opcode :
its just from google translator, all chinese stuff
[2017-09-18 10:31:05]
unusuario128 :
Maybe we should ask for it in ~general, as there are some DJI technicians here :wink:
[2017-09-18 10:31:12]
opcode :
lol
[2017-09-18 10:31:59]
unusuario128 :
With the DLLTool we can know a bit more about the device, but the pity is that it doesn't work.
[2017-09-18 10:32:35]
opcode :
MAYBE its because i only have usb 3 ports and windows 10 VM.
[2017-09-18 10:33:03]
opcode :
read somewhere, that usb 2 is recommended for the tools
[2017-09-18 10:54:39]
unusuario128 :
Talking about @opcode, I'll be executing 0x90 for a while. :wink: See you later.
[2017-09-18 10:55:32]
unusuario128 :
Would be great if someone could run DllTool and ~~brick its device~~ post some screenshots.
[2017-09-18 10:55:40]
opcode :
lol
[2017-09-18 10:55:57]
opcode :
installing kali linux vm later and will try that
[2017-09-18 14:57:50]
unusuario128 :
Leaving now.
[2017-09-18 15:08:07]
unusuario128 :
@opcode: Attaching a file. Please flash it **via fastboot** and after receiving the `FAIL` message, try to issue another fastboot command. Let me know if you can issue more fastboot commands after trying to flash that file.
[2017-09-18 15:08:47]
unusuario128 :
`fastboot flash recovery kill-fastboot.img` and then run some `getvar` command to check if it works.
[2017-09-18 15:09:14]
unusuario128 :
See you later.
[2017-09-18 15:38:17]
opcode :
ok. switched to linux now, no difference. but will try your kill-fastboot.img
[2017-09-18 15:43:43]
opcode :
root@kali:~/rkflashkit/binaries# fastboot flash recovery '/root/Schreibtisch/kill-fastboot.img'
target didn't report max-download-size
sending 'recovery' (24960 KB)...
OKAY [ 1.866s]
writing 'recovery'...
FAILED (remote: Write partition:recovery)
finished. total time: 1.878s
root@kali:~/rkflashkit/binaries# fastboot getvar version
version: 2017-06-16#2.19
finished. total time: 0.010s
root@kali:~/rkflashkit/binaries# fastboot getvar unlocked
unlocked: yes
finished. total time: 0.008s
root@kali:~/rkflashkit/binaries# fastboot getvar secure
secure: no
finished. total time: 0.008s
root@kali:~/rkflashkit/binaries#
[2017-09-18 16:13:46]
unusuario128 :
Well, something went wrong...
[2017-09-18 16:16:42]
opcode :
it still looks like it simply doesnt even boot the recovery. signing check failed: no boot. my guess.
[2017-09-18 16:18:08]
opcode :
there are also 2 ways i can flash stuff: in fastboot mode with command line fastboot commands or via tools in bootloader mode
[2017-09-18 16:21:38]
unusuario128 :
Does "anything" happen if you issue `fastboot oem ucmd reset`?
[2017-09-18 16:22:27]
opcode :
let me check
[2017-09-18 16:22:33]
unusuario128 :
Well, the signing check should fail, indeed. However, the pity is that my edited recovery doesn't seem to touch the RAM as intended.
[2017-09-18 16:23:27]
opcode :
with rkflashkit you can even do a verify after the writing of the img, it compares the partition with the image. passed.
[2017-09-18 16:24:08]
unusuario128 :
As the SHA hash check seems to be performed **after** loading the memory into its place, knowing the uboot load address would allow us to temporarily live-patch the bootloader (AFAIK).
[2017-09-18 16:24:35]
unusuario128 :
The problem isn't with the flashing, but with the booting.
[2017-09-18 16:25:31]
unusuario128 :
However, seems like it isn't loaded low. Maybe anybody here knows where is loaded the U-Boot binary from the mask rom bootloader?
[2017-09-18 16:25:53]
opcode :
bash-3.2$ fastboot devices
0123456789 fastboot
bash-3.2$ fastboot oem ucmd reset
^C
bash-3.2$ fastboot reboot
^C
bash-3.2$
[2017-09-18 16:25:59]
opcode :
something has changed.
[2017-09-18 16:26:14]
opcode :
fastboot commands "hang" now in fastboot mode.
[2017-09-18 16:26:35]
unusuario128 :
Ok, reboot the device. You may need to hold the power button for a while.
[2017-09-18 16:26:56]
opcode :
yeah, but is this the effect you wanted to have?
[2017-09-18 16:27:23]
unusuario128 :
Exactly that. This means that `ucmd` works. I simply issued a CPU reset from U-Boot.
[2017-09-18 16:27:54]
opcode :
let me check without the ucmd command, just to be sure.
[2017-09-18 16:29:07]
opcode :
bash-3.2$ fastboot devices
0123456789 fastboot
bash-3.2$ fastboot getvar unlocked
^C
bash-3.2$ fastboot reboot
^C
bash-3.2$
[2017-09-18 16:29:11]
opcode :
nope, still hangs
[2017-09-18 16:29:14]
opcode :
hmmm
[2017-09-18 16:30:37]
unusuario128 :
Did you reset the device?
[2017-09-18 16:30:47]
opcode :
yeah, sure.
[2017-09-18 16:30:53]
opcode :
comes back to life normally
[2017-09-18 16:31:17]
unusuario128 :
And when did it "still hang"?
[2017-09-18 16:31:44]
opcode :
every fastboot command
[2017-09-18 16:31:54]
opcode :
didnt even accept "fastboot reboot"
[2017-09-18 16:32:19]
unusuario128 :
:thinking_face:
[2017-09-18 16:32:29]
opcode :
hmmmm
[2017-09-18 16:32:31]
opcode :
strange
[2017-09-18 16:33:18]
opcode :
root@kali:~/rkflashkit/binaries# fastboot getvar unlocked
unlocked: yes
finished. total time: 0.008s
[2017-09-18 16:33:28]
unusuario128 :
Run some "neutral" U-Boot command like `fastboot oem ucmd help`
[2017-09-18 16:33:29]
opcode :
my OSX adb is fucked up someway.
[2017-09-18 16:33:40]
opcode :
so, everything is fine on linux vm
[2017-09-18 16:33:45]
unusuario128 :
Well, then this is not an issue.
[2017-09-18 16:33:50]
opcode :
nope
[2017-09-18 16:34:15]
unusuario128 :
Does the "reset" effectively hang the device or otherwise reset it using Kali?
[2017-09-18 16:34:28]
unusuario128 :
`fastboot oem ucmd reset`
[2017-09-18 16:34:50]
opcode :
aahhhh, on linux the ucmd command reboots the device to normal state
[2017-09-18 16:34:58]
unusuario128 :
Ok. This is great.
[2017-09-18 16:35:24]
opcode :
root@kali:~/rkflashkit/binaries# fastboot oem ucmd reset
...
FAILED (status read failed (No such device))
finished. total time: 5.056s
[2017-09-18 16:35:32]
unusuario128 :
Ok
[2017-09-18 16:35:52]
opcode :
looks like a time out. anyway, it triggers a reboot to normal
[2017-09-18 16:38:04]
unusuario128 :
Can you flash the `ADB.img` that I've sent you some time ago to the recovery partition using fastboot?
[2017-09-18 16:38:55]
opcode :
yep. but i guess it will fail again with fastboot flash?
[2017-09-18 16:40:21]
opcode :
root@kali:~/rkflashkit/binaries# fastboot flash recovery '/root/Schreibtisch/ADB.img'
target didn't report max-download-size
sending 'recovery' (24960 KB)...
OKAY [ 1.873s]
writing 'recovery'...
FAILED (remote: Write partition:recovery)
finished. total time: 1.886s
[2017-09-18 16:41:06]
unusuario128 :
Yes, it will fail.
[2017-09-18 16:42:17]
unusuario128 :
`fastboot oem ucmd go 0x60408000`
[2017-09-18 16:42:31]
unusuario128 :
Try to run that command.
[2017-09-18 16:42:41]
opcode :
reboot after flashing?
[2017-09-18 16:42:45]
unusuario128 :
No
[2017-09-18 16:43:55]
opcode :
root@kali:~/rkflashkit/binaries# fastboot oem ucmd go 0x60408000
...
FAILED (status read failed (No such device))
finished. total time: 5.185s
[2017-09-18 16:44:04]
opcode :
boots back to normal
[2017-09-18 16:45:53]
unusuario128 :
What a pity. Seems like fastboot hangs after a failed upload.
[2017-09-18 17:07:04]
unusuario128 :
Can you issue `fastboot getvar:all`?
[2017-09-18 17:11:19]
opcode :
root@kali:~/rkflashkit/binaries# fastboot getvar all
all:
finished. total time: 0.013s
[2017-09-18 17:11:27]
opcode :
not talky at all :slightly_smiling_face:
[2017-09-18 17:16:45]
unusuario128 :
And `fastboot oem $'\x03\xC5\xDD'`?
[2017-09-18 17:18:08]
opcode :
root@kali:~/rkflashkit/binaries# fastboot oem $'\x03\xC5\xDD'
...
FAILED (remote: invalid command)
finished. total time: 0.008s
[2017-09-18 17:19:22]
unusuario128 :
Seems like the raw hex string was not transmitted correctly because of some bash parsing mistake. The bootloader has a condition for that case. Really strange.
[2017-09-18 17:21:13]
opcode :
fastboot seems very limited.
[2017-09-18 17:21:39]
unusuario128 :
Yes.
[2017-09-18 17:21:46]
hostile :
@opcode "my OSX adb is fucked up someway." yes this is a known thing...
[2017-09-18 17:22:33]
hostile :
fastboot oem ` `echo -e "\x03\xC5\xDD"` `
[2017-09-18 17:22:57]
hostile :
that will fix the bash parsing mistake
[2017-09-18 17:23:25]
unusuario128 :
Nope. `fastboot oem "$(printf "\x03\xC5\xDD")"` :wink:
[2017-09-18 17:23:38]
unusuario128 :
The backticks are deprecated, though widely used.
[2017-09-18 17:23:45]
hostile :
same thing, multiple ways to skin a cat
[2017-09-18 17:23:54]
hostile :
I've NEVER seen a bash shell that didn't accept backticks !
[2017-09-18 17:24:17]
unusuario128 :
It accepts backticks for backwards compatibility.
[2017-09-18 17:24:32]
hostile :
there will be a revolt if they ever pull that
[2017-09-18 17:24:33]
hostile :
lol
[2017-09-18 17:24:51]
opcode :
root@kali:~/rkflashkit/binaries# fastboot oem "$(printf "\x03\xC5\xDD")"
...
FAILED (remote: invalid command)
finished. total time: 0.010s
[2017-09-18 17:25:02]
unusuario128 :
@hostile: Just a question: do you know the position of the uboot bootloader into the RAM?
[2017-09-18 17:25:33]
unusuario128 :
The mask bootloader should load it low, but I don't know where it lies exactly.
[2017-09-18 17:26:29]
unusuario128 :
@opcode: I think that this command doesn't deserve more attention by now. However, it will be possible to transmit the exact sequence by building a custom fastboot with the command hardcoded.
[2017-09-18 17:26:53]
opcode :
okidoki
[2017-09-18 17:28:17]
opcode :
@hostile dont you have some old PC with usb 2 to check out if those androidtools work? theres still a little chance that my VM´s and USB 3 fuck up the communication.
[2017-09-18 17:30:53]
hostile :
@opcode yes... but I am deep in the middle of prepping for my talk friday. I am out of pocket largely.
[2017-09-18 17:31:18]
unusuario128 :
@hostile: Do you think that this can be possible?
[2017-09-18 17:31:33]
unusuario128 :
Leaving now. See you later.
[2017-09-18 17:31:39]
hostile :
this is why I asked if @freaky123 was still in here. =]
[2017-09-18 17:31:46]
hostile :
this is very much his turf
[2017-09-18 18:25:21]
unusuario128 :
Now we have some possible attack vectors:
[2017-09-18 18:27:20]
unusuario128 :
1. RAM overwritten by "malicious" `recovery.img` flashed with `fastboot` (after further investigation, seems to be impossible)
[2017-09-18 18:27:34]
unusuario128 :
2. `fastboot oem ucmd` raw U-Boot commands. (this can be the way to go)
[2017-09-18 18:28:58]
unusuario128 :
3. Efuse OTP value modification with some obscure Rockchip trick.
[2017-09-18 19:08:57]
unusuario128 :
4. Invasive methods like entering into the mask rom bootloader by shortcutting the NAND flash pins, soldering an UART adapter to the mainboard...
[2017-09-18 19:50:45]
unusuario128 :
The way to go may be between the points 2 and 3.
[2017-09-18 19:52:10]
unusuario128 :
We can achieve unlimited RAM contents overwriting using *2* and later deal with the memory-mapped efuse interface to clear the secure boot bit.
[2017-09-18 20:03:26]
unusuario128 :
Now the handicaps:
[2017-09-18 20:04:07]
unusuario128 :
1. We can't get the output from running `fastboot oem ucmd` raw U-Boot commands. Unless we solder some UART wires. So we're blind.
[2017-09-18 20:07:15]
unusuario128 :
2. The efuses are intended to behave as OTP. This means that there isn't any (officially documented) method to change the values intended to be one-time programmable. Hello, DllTool?
[2017-09-18 20:07:45]
opcode :
maybe we should first grep for all the special fastboot oem commands
[2017-09-18 20:08:14]
opcode :
could be some interesting stuff
[2017-09-18 20:08:55]
opcode :
soldering and hardware stuff is no way, for obvious reasons. :wink:
[2017-09-18 20:09:58]
hostile :
I'm considering opening mine up at some point
[2017-09-18 20:10:02]
hostile :
just been too fucking busy :confused:
[2017-09-18 20:10:29]
opcode :
but what should that help? only for understanding?
[2017-09-18 20:10:59]
hostile :
pretty much
[2017-09-18 20:11:25]
hostile :
hardware uart may spit out debug messages during the process you are trying
[2017-09-18 20:12:21]
opcode :
i see. im just the noob here. :smile:
[2017-09-18 20:12:55]
hostile :
@diff where the fuck are you hommie? you would be useful on this shit.
[2017-09-18 20:13:58]
opcode :
understandable. anyway, thank you very much @unusuario128! :slightly_smiling_face:
[2017-09-18 20:15:28]
unusuario128 :
@opcode: You're welcome! Don't doubt to contact (and/or mention) me for solving questions or helping a bit.
[2017-09-18 20:16:01]
opcode :
mille grazie! :wink:
[2017-09-18 20:17:31]
unusuario128 :
> mille grazie mio signore del favore dell'onore
[2017-09-18 20:17:35]
unusuario128 :
:wink:
[2017-09-18 20:17:59]
unusuario128 :
Sung that a few months ago.
[2017-09-18 20:18:27]
unusuario128 :
What a beautiful opera.
[2017-09-18 20:18:59]
opcode :
:blush:
[2017-09-18 21:17:56]
unusuario128 :
Off-topic: Great recording here:
[2017-09-18 21:17:58]
unusuario128 :
<https://www.youtube.com/watch?v=enEVv02f6bo>
[2017-09-18 21:24:34]
opcode :
Years ago, I've been to "Aida" in Arena di Verona. Beautiful.
[2017-09-19 08:24:40]
unusuario128 :
Also, having the private RSA key, it is possible to send a command via USB (raw USB, I mean) to ¿temporarily? disable the secure boot feature.
[2017-09-19 08:24:56]
unusuario128 :
Even if this won't happen, it is useful to document it.
[2017-09-19 08:30:58]
opcode :
But thats the thing. How to obtain the private key?
[2017-09-19 08:31:43]
unusuario128 :
len(e) = 2048...
[2017-09-19 08:32:13]
unusuario128 :
No way unless you have a quantum computer that implements the shor algorithm.
[2017-09-19 08:32:20]
opcode :
for me, the only reason installing custom recovery is to be able to make a nice selfmade OTA with all the goodies in it.
[2017-09-19 08:33:11]
unusuario128 :
The only way to get the key is to have it from DJI.
[2017-09-19 08:33:52]
opcode :
they wont give it out. :wink:
[2017-09-19 08:34:10]
unusuario128 :
The only viable (but difficult) method that I see, is to generate a new keypair and writing it to the memory.
[2017-09-19 08:34:39]
unusuario128 :
This would also imply updating the hash of the key, stored into the efuses.
[2017-09-19 08:57:12]
opcode :
<https://forum.xda-developers.com/apps/magisk/official-magisk-v7-universal-systemless-t3473445>
[2017-09-19 08:57:26]
opcode :
VERY interesting.
[2017-09-19 09:48:11]
opcode :
<https://github.com/topjohnwu/Magisk/blob/master/docs/applets.md#resetprop>
[2017-09-19 09:52:28]
unusuario128 :
> _Magisk modifies boot image_
[2017-09-19 09:52:49]
unusuario128 :
...and it is signed.
[2017-09-19 09:53:30]
opcode :
i know. its more "resetprop" and "magiskpolicy" what i find interesting
[2017-09-19 09:54:36]
opcode :
really great tool, even if its not directly useable for us.
[2017-09-19 10:42:34]
unusuario128 :
Yes, indeed.
[2017-09-20 12:30:57]
opcode :
New Version is out: 02.03.00.00
[2017-09-20 12:31:05]
opcode :
Download: <http://mydjiflight.dji.com/file/links/ZSA_100_20170920>
[2017-09-20 12:31:35]
opcode :
1. Added separate updating for DJI GO and DJI GO 4 apps.
2. Added support to DJI Spark.
3. Optimized screen flash due to unexpected shutdown.
4. Optimized both DJI GO and DJI GO 4 app editor interfaces and fixed some other issues.
5. Optimized both DJI GO and DJI GO 4 app loading times.
6. Optimized stability of both DJI GO and DJI GO 4 apps. Fixed an issue where system crashes.
7. Fixed an issue where compass cannot work properly when the screen is rotated 180 degrees.
8. Updated DJI GO app to 3.1.11.
9. Updated DJI GO 4 app to 4.1.6.
10. Updated DJI Pilot Beta to 0.3.6.
[2017-09-20 12:33:50]
opcode :
Just noticed the "ce" in downloaded filename. "ota_signed_v0.1.0.0-ce685212-release-20170920102830.zip"
[2017-09-20 12:34:25]
opcode :
Could someone from the US try to download it and see if he gets FCC? :slightly_smiling_face:
[2017-09-20 14:40:00]
opcode :
@hostile is there a separate update tab now ? "1.Added separate updating for DJI GO and DJI GO 4 apps."
[2017-09-20 14:43:46]
hostile :
nope
[2017-09-20 14:43:56]
hostile :
not that I can see
[2017-09-20 14:45:04]
opcode :
Hmm. maybe inside the go apps. strange.
[2017-09-20 14:45:31]
hostile :
[ro.build.characteristics]: [tablet]
[ro.build.date.utc]: [1505873850]
[ro.build.date]: [Wed Sep 20 10:17:30 CST 2017]
[ro.build.description]: [zs600b-user 5.1.1 v0.1.0.0-ce685212 eng.gl300.20170920.101228 release-keys]
[ro.build.display.id]: [v0.1.0.0-ce685212 release-keys]
[ro.build.fingerprint]: [Android/zs600b/zs600b:5.1.1/v0.1.0.0-ce685212/gl30009201017:user/release-keys]
[ro.build.flavor]: [zs600b-user]
[ro.build.host]: [djiand02-rd]
[ro.build.id]: [v0.1.0.0-ce685212]
[ro.build.product]: [zs600b]
[ro.build.tags]: [release-keys]
[ro.build.type]: [user]
[ro.build.user]: [gl300]
[ro.build.version.all_codenames]: [REL]
[ro.build.version.base_os]: []
[ro.build.version.codename]: [REL]
[ro.build.version.incremental]: [eng.gl300.20170920.101228]
[ro.build.version.release]: [5.1.1]
[ro.build.version.sdk]: [22]
[ro.build.version.security_patch]: [2015-12-01]
[2017-09-20 14:46:15]
hostile :
shell@zs600b:/ $ busybox uname -a
Linux localhost 3.10.0 #1 SMP PREEMPT Wed Sep 20 09:57:29 CST 2017 armv7l GNU/Linux
[2017-09-20 14:48:33]
hostile :
this is all I have from the old version
[2017-09-20 14:48:43]
hostile :
[ro.build.description]: [zs600b-user 5.1.1 v0.0.9.0-98a777ae eng.gl300.20170817.211933 release-keys]
$ busybox uname -a
Linux localhost 3.10.0 #1 SMP PREEMPT Thu Aug 17 21:04:00 CST 2017 armv7l GNU/Linux
[2017-09-20 14:49:16]
hostile :
Build dates a month newer in each
[2017-09-20 14:49:32]
hostile :
Wed Sep 20 10:17:30 CST 2017 vs. Thu Aug 17 21:04:00
[2017-09-20 14:49:35]
hostile :
and
[2017-09-20 14:50:04]
hostile :
eng.gl300.20170920.101228 vs. eng.gl300.20170817.211933
[2017-09-20 14:50:08]
hostile :
as expected
[2017-09-20 14:53:37]
hostile :
running Original GangsterCow now causes CrystalSky to reboot FWIW
[2017-09-20 14:53:59]
opcode :
ups
[2017-09-20 14:54:07]
opcode :
so they fixed it
[2017-09-20 14:57:13]
hostile :
so I think they didn’t patch the actual kernel bug tho
[2017-09-20 14:57:24]
hostile :
they may have added a check to make sure installd isn’t replaced
[2017-09-20 14:57:36]
hostile :
130|shell@zs600b:/data/local/tmp $ su
root@zs600b:/data/local/tmp # id
uid=0(root) gid=0(root)
[2017-09-20 14:57:38]
hostile :
lol
[2017-09-20 15:01:00]
hostile :
as soon as you remount system the device shuts off too
[2017-09-20 15:01:04]
hostile :
root@zs600b:/ # mount -o remount,rw /system
root@zs600b:/ #
[2017-09-20 15:05:22]
hostile :
I may have just figured out how lordroot gets a good root shell too
[2017-09-20 15:06:50]
hostile :
I just noticed they replace debuggerd
[2017-09-20 15:07:00]
hostile :
and I believe that has special SeLinux context
[2017-09-20 15:09:51]
hostile :
./lordroot <
sh: ./patch_script.sh: not found
max_:3 min:10 i_ret:0x20
#
F_SETPIPE_SZ 407
[+] Done target:dbd16ae0 overflowcheck:200000 map:5874 readv_error:78
[+] Done target:dbd16ae0 overflowcheck:deadbeef map:5729 readv_error:188
get_selinux_state -
- 0
shellcode_root_self i_pid:1536 ppid:1534 i_thread_info:da436000 i_task:dbddbf00 i_cred:d9c73100 i_init_sid:0
fwrite is count 1 ./kok
1|shell@zs600b:/data/local/tmp/theLORD_P4P+SCREEN_Rooting/tmp $
1|shell@zs600b:/data/local/tmp/theLORD_P4P+SCREEN_Rooting/tmp $ id
uid=0(root) gid=0(root) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)
shell@zs600b:/data/local/tmp/theLORD_P4P+SCREEN_Rooting/tmp $ su
/system/bin/sh: su: not found
127|shell@zs600b:/data/local/tmp/theLORD_P4P+SCREEN_Rooting/tmp $ ./su
ount -o remount,rw /system
[2017-09-20 15:09:55]
hostile :
yes this still works the same.
[2017-09-20 15:21:28]
opcode :
patch the sepolicy live?
[2017-09-20 15:21:47]
opcode :
<https://github.com/topjohnwu/Magisk/blob/master/docs/applets.md#magiskpolicy>
[2017-09-20 15:58:11]
hostile :
oh hey!
[2017-09-20 15:58:13]
hostile :
check this shit
[2017-09-20 15:58:15]
hostile :
/data/system/dropbox/SYSTEM_RECOVERY_LOG@1505917055800.txt.gz
/data/system/dropbox/SYSTEM_BOOT@1505917055807.txt
/data/system/dropbox/SYSTEM_LAST_KMSG@1505917055873.txt.gz
/data/system/dropbox/SYSTEM_RECOVERY_KMSG@1505917055937.txt.gz
/data/system/dropbox/SYSTEM_AUDIT@1505917056094.txt
/data/system/dropbox/SYSTEM_BOOT@1505919219290.txt
/data/system/dropbox/SYSTEM_LAST_KMSG@1505919219317.txt.gz
/data/system/dropbox/SYSTEM_AUDIT@1505919219323.txt
/data/system/dropbox/SYSTEM_BOOT@1505919766519.txt
/data/system/dropbox/SYSTEM_LAST_KMSG@1505919766638.txt.gz
/data/system/dropbox/SYSTEM_AUDIT@1505919766649.txt
/data/system/dropbox/SYSTEM_BOOT@1505922787810.txt
/data/system/dropbox/SYSTEM_LAST_KMSG@1505922787864.txt.gz
/data/system/dropbox/SYSTEM_AUDIT@1505922787877.txt
[2017-09-20 15:58:56]
hostile :
looks like we can debug our failed recovery attempts?
[2017-09-20 15:59:32]
hostile :
I/ [File] : bootable/recovery/verifier.cpp; [Line] : 515; [Func] : load_keys; read key e=3 hash=20
I/ [File] : bootable/recovery/install.cpp; [Line] : 383; [Func] : really_install_package; 2 key(s) loaded from /res/keys
Verifying update package...
E:rk verify mode.
E/ [File] : bootable/recovery/verifier.cpp; [Line] : 231; [Func] : verify_file; rk verify mode.
E:int rk_verify_file(unsigned char*, size_t) publickey len 2048
E/ [File] : bootable/recovery/verifier.cpp; [Line] : 171; [Func] : rk_verify_file; int rk_verify_file(unsigned char*, size_t) publickey len 2048
E:footer is signed
E/ [File] : bootable/recovery/verifier.cpp; [Line] : 183; [Func] : rk_verify_file; footer is signed
E:image size 806212799
E/ [File] : bootable/recovery/verifier.cpp; [Line] : 192; [Func] : rk_verify_file; image size 806212799
E:md5 value 18686865535a3cba7c55b6b8ace53c4d
E/ [File] : bootable/recovery/verifier.cpp; [Line] : 197; [Func] : rk_verify_file; md5 value 18686865535a3cba7c55b6b8ace53c4d
E:md5_decrypt 18686865535a3cba7c55b6b8ace53c4d
E/ [File] : bootable/recovery/verifier.cpp; [Line] : 209; [Func] : rk_verify_file; md5_decrypt 18686865535a3cba7c55b6b8ace53c4d
E:sign verify pass
[2017-09-20 16:10:37]
hostile :
root@zs600b:/data/local/tmp # ps | grep drm
drm 181 1 12020 3852 ffffffff b6f401e8 S /system/bin/drmserver
[2017-09-20 16:10:41]
hostile :
also noticed some sort of drm server
[2017-09-20 16:10:46]
hostile :
/data/drm
/data/drm/fwdlock
/data/drm/fwdlock/kek.dat
[2017-09-20 16:10:53]
hostile :
<https://android.googlesource.com/platform/frameworks/av/+/fdd65a0/drm>
[2017-09-20 16:18:00]
opcode :
yeah! :slightly_smiling_face:
[2017-09-21 16:57:27]
diff :
@hostile drm server is the norm drm server on android AFAIK
[2017-09-21 17:13:06]
hostile :
Word up! Thx @diff
[2017-09-21 17:40:14]
diff :
@the_lord @hostile my first gut instinct says, if you think it's dirtyc0w
[2017-09-21 17:40:22]
diff :
we should just compile it ourselves than use kingroots
[2017-09-21 17:41:07]
the_lord :
i tested many dirtyc0W codes but it didn't give me the same result KingoRoot did
[2017-09-21 17:41:38]
hostile :
I already have a working dirtyc0w…
[2017-09-21 17:41:47]
hostile :
<https://github.com/MAVProxyUser/OriginalGangsterCow>
[2017-09-21 17:41:52]
hostile :
but it handles differently than lord root
[2017-09-21 17:43:32]
hostile :
@diff scroll back to the past… <https://dji-rev.slack.com/archives/C6K376JGZ/p1504141729000129>
[2017-09-21 17:43:46]
hostile :
I suspect xt_qtaquid/crtl is being used to overwrite UID and SEcontexts…
[2017-09-21 17:46:10]
diff :
im a bit lost in context right now then
[2017-09-21 17:46:16]
diff :
so `lordroot` is not <https://github.com/MAVProxyUser/OriginalGangsterCow> ?
[2017-09-21 17:46:38]
diff :
and the issue is that `lordroot` is rebooting and we don't know what it is? or that dirtycow is rebooting?
[2017-09-21 17:47:26]
hostile :
correct
[2017-09-21 17:47:31]
hostile :
on the first count
[2017-09-21 17:47:42]
hostile :
and dirtycow causes reboot… lordroot does not
[2017-09-21 17:48:06]
hostile :
I was attempting to find a nonbinary hack we could distribute… OGCow was the stop gap… (using dirtycow) but it is limited… for some unknown reason.
[2017-09-21 17:48:27]
diff :
jcase said he's gunna look at it tonight
[2017-09-21 17:48:33]
hostile :
when lordroot runs… in dmesg you can see a xt_qtaquid message… making me suspect that is the technique they use
[2017-09-21 17:48:34]
diff :
his implementation of DC might be different than yours
[2017-09-21 17:48:34]
hostile :
word
[2017-09-21 17:48:41]
hostile :
tell him I said what up!?
[2017-09-21 17:48:46]
diff :
will do :slightly_smiling_face:
[2017-09-21 17:48:52]
diff :
they both /might/ be dc
[2017-09-21 17:48:59]
diff :
but the public DC didn't disable selinux via kernel
[2017-09-21 17:49:06]
hostile :
indeed. one with more tooling
[2017-09-21 17:49:07]
diff :
which, can cause reboots
[2017-09-21 17:49:12]
hostile :
**hat tip**
[2017-09-21 17:49:21]
diff :
i think he's got all the code necessary
[2017-09-21 17:49:30]
hostile :
either way I’d still be keen on the xt_qtaquid technique…
[2017-09-21 17:49:30]
diff :
i'll try to look at lordroot and see what it is
[2017-09-21 17:49:48]
hostile :
did not seem to see it documented in public code, just brief explanation of how it is done.
[2017-09-21 17:50:16]
hostile :
aka <http://powerofcommunity.net/poc2016/x82.pdf>
[2017-09-21 17:50:36]
hostile :
that shit should be in metasploit for future pwnage =]
[2017-09-21 17:50:51]
hostile :
also… Crystal Sky has a browser installed FWIW.
[2017-09-21 17:51:02]
diff :
interesting
[2017-09-21 17:51:07]
diff :
ftw is crystal sky anyway
[2017-09-21 17:51:25]
hostile :
I’m not current on $latest ($ last year ) browser sploits… but could be another route to enable the end users.
[2017-09-21 17:51:55]
hostile :
you asking what it is?
[2017-09-21 17:51:56]
hostile :
<https://www.dji.com/crystalsky>
[2017-09-21 17:52:13]
hostile :
really bright outdoor tablet dedicated to DJI GO App basically.
[2017-09-21 18:11:42]
diff :
ah ok
[2017-09-21 18:11:52]
diff :
this makes more sense :slightly_smiling_face:
[2017-09-21 21:42:48]
jcase :
wubbadubbatubba
[2017-09-21 21:42:53]
jcase :
So
[2017-09-21 21:43:09]
jcase :
does it have app_process32 app_process or what
[2017-09-21 21:43:11]
jcase :
in /system/bin
[2017-09-21 21:43:39]
jcase :
also not worth trying to jack kingroot exploits, rewrite easier
[2017-09-21 21:43:56]
hostile :
indeed… I am headed off to do dad duties… I will be back around 9pm EST… indeed that was the plan!
[2017-09-21 21:44:09]
hostile :
this is KF obviously if my avatar doesn’t give it away =]
[2017-09-21 21:44:28]
jcase :
ya
[2017-09-21 21:44:30]
jcase :
ok
[2017-09-21 21:44:39]
jcase :
ping me on twitter when you are back
[2017-09-21 21:44:42]
jcase :
and ill get on slack
[2017-09-21 21:44:58]
hostile :
word. a few of the other guys have Crystal Sky as well… so can help out.
[2017-09-21 21:45:06]
jcase :
i dont know what crystal sky is
[2017-09-21 21:45:14]
hostile :
the android device we are exploiting…
[2017-09-21 21:45:18]
jcase :
o ok
[2017-09-21 21:45:24]
jcase :
kernel src?
[2017-09-21 21:45:33]
jcase :
or not
[2017-09-21 21:45:35]
hostile :
<https://www.dji.com/crystalsky>
[2017-09-21 21:45:42]
jcase :
cool
[2017-09-21 21:45:47]
jcase :
@diff ping me when you are around
[2017-09-21 21:46:16]
diff :
yo
[2017-09-21 21:46:42]
jcase :
can you give me listing of /system/bin
[2017-09-21 21:46:47]
jcase :
and ill build my exploit
[2017-09-21 21:46:52]
jcase :
and you can test
[2017-09-21 21:48:04]
hostile :
I’ll charge my battery it is apparently dead =]
[2017-09-21 21:48:15]
jcase :
ill be back and forth
[2017-09-21 21:48:19]
jcase :
painter coming
[2017-09-21 21:48:24]
jcase :
to paint bee building
[2017-09-21 21:48:29]
hostile :
anyone @here hook @jcase up… it is in our best interests to use his time wisely.
[2017-09-21 21:48:31]
jcase :
i blew fuse in my generator doing it, said f it
[2017-09-21 21:48:32]
hostile :
thx
[2017-09-21 21:48:34]
hostile :
peace!
[2017-09-21 21:48:37]
jcase :
welcome
[2017-09-21 21:49:06]
diff :
you got a paint thrower then?
[2017-09-21 21:49:12]
jcase :
yeah i do
[2017-09-21 21:49:16]
diff :
took me a second to realize how you could blow a fuse painting
[2017-09-21 21:49:19]
jcase :
but cant power air compressor
[2017-09-21 21:49:24]
jcase :
on little generator
[2017-09-21 21:49:24]
diff :
but i'm too cheap to use anything but a brush
[2017-09-21 21:49:28]
jcase :
big one is too big
[2017-09-21 21:49:34]
jcase :
paint sprayer is $15
[2017-09-21 21:49:37]
jcase :
harbor freight
[2017-09-21 21:49:40]
jcase :
little shitty one but works
[2017-09-21 21:49:58]
jcase :
Carrie and I just got back from checking bees
[2017-09-21 21:50:22]
jcase :
15 more hives to go after painter leaves
[2017-09-21 21:56:54]
opcode :
hey @jcase thanks for joining and help. :slightly_smiling_face:
[2017-09-21 21:57:08]
opcode :
you can DL the whole /system here <http://mydjiflight.dji.com/file/links/ZSA_100_20170920>
[2017-09-21 21:58:53]
opcode :
its the most recent OTA for the Crystalsky, with everything you should need for testing
[2017-09-21 22:01:25]
opcode :
/system/bin
[2017-09-21 22:01:27]
opcode :
7za bmi dpm install_go.sh make_ext4fs pm schedtest toolbox
Vend_Ax.iic bootanimation drmserver installd mdnsd pppd screencap tune2fs
adb bu drmservice ip media pppoe screenrecord uiautomator
adbd_tcp.sh bugreport dumpstate ip6tables mediaserver pppoe-connect sdcard uncrypt
am busybox dumpsys iptables mke2fs pppoe-repay sensorservice update_startup.sh
app_process32 busybox1.11 fpsservice iso monkey pppoe-setup service usb_modeswitch
applypatch chat fsck_msdos istd8303 mtpd pppoe-sniff service_startup.sh usb_modeswitch.sh
appops clatd fxload_dji iw ndc pppoe-start servicemanager vdc
appwidget climax_hostSW getbootmode.sh iwconfig netcfg pppoe-status settings vold
assistant content gzip iwlist netd pppoe-stop sh wfd
athtestcmd dalvikvm32 hardware_monitor.sh keystore ntfs-3g preinstall_cleanup.sh sre whtest.sh
atrace debuggerd hostapd_qc linker oatdump racoon surfaceflinger wifi_ff_tx.sh
bcc dex2oat idmap lmkd patchoat reboot svc wm
blkid dhcpcd ime logcat pcba_core requestsync tc wpa_supplicant_qc
bmd displayd input logd ping rild tinycap
bmgr dnsmasq install-recovery.sh logwrapper ping6 run-as tinyplay
[2017-09-21 22:08:14]
jcase :
@opcode thanks jim, any chance on kernel src or not?
[2017-09-21 22:08:44]
hostile :
DJI has not shared the kernel source… I had to strong arm them into GPL requests…
[2017-09-21 22:08:48]
jcase :
wait
[2017-09-21 22:08:56]
jcase :
it has app_process32 bit not app_process?
[2017-09-21 22:08:58]
hostile :
do we have a **right** to it? if so I can start that process
[2017-09-21 22:09:14]
jcase :
i dont see why you dont have right to kernel src
[2017-09-21 22:09:38]
hostile :
I’m not familiar with Android licensing semantics. But I know we are working on **all** the GPL shit.
[2017-09-21 22:09:54]
jcase :
its linux kernel
[2017-09-21 22:09:59]
jcase :
android is on top of it
[2017-09-21 22:10:02]
hostile :
<http://www.dji.com/opensource>
[2017-09-21 22:10:04]
jcase :
same licensing kernel wise
[2017-09-21 22:10:11]
hostile :
is all we have not. Let me ping the guys I was harassing.
[2017-09-21 22:10:23]
hostile :
Bruce got involved from busybox… and got some shit rolling
[2017-09-21 22:10:46]
hostile :
I believe LeadCore is involved in the fuckery re: kernel source.
[2017-09-21 22:10:55]
hostile :
the android soc is LC1860 IIRC
[2017-09-21 22:11:03]
jcase :
so do we have /system/bin/app_process?
[2017-09-21 22:11:08]
jcase :
or just app_process32?
[2017-09-21 22:11:27]
jcase :
never heard of that soc
[2017-09-21 22:11:40]
jcase :
uboot?
[2017-09-21 22:12:01]
hostile :
yes
[2017-09-21 22:12:23]
hostile :
shit… excuse me.
[2017-09-21 22:12:30]
hostile :
I am mixing stuff up cuz I am in a rush
[2017-09-21 22:12:33]
hostile :
the drones are Leadcore
[2017-09-21 22:12:39]
hostile :
the Crystal Sky is RockChip
[2017-09-21 22:12:39]
jcase :
go do your thing with kiddo
[2017-09-21 22:12:41]
hostile :
forgive me
[2017-09-21 22:12:44]
jcase :
lolrockchip
[2017-09-21 22:13:09]
jcase :
wtf
[2017-09-21 22:13:13]
jcase :
$470 for a rockchip device
[2017-09-21 22:13:31]
jcase :
i figured it was like $70 when i you said rockchip, i was gunna roder one
[2017-09-21 22:13:34]
jcase :
order
[2017-09-21 22:14:13]
hostile :
just mailed our massive since May GPL thread with GPL legal… @freaky123 been trolling the fuck out of the whole thing for months
[2017-09-21 22:14:42]
hostile :
its basically rugged… and bright as fuck out doors and dedicated to DJI GO
[2017-09-21 22:15:02]
hostile :
and yeah likely over priced AF at its core
[2017-09-21 22:15:08]
hostile :
AFK++
[2017-09-21 22:16:43]
jcase :
grabbing OTA, when you or tim are back ill build a poc
[2017-09-21 22:17:56]
opcode :
Rockchip is rk3288 btw
[2017-09-21 22:18:17]
jcase :
@opcode do you have this device?
[2017-09-21 22:18:34]
opcode :
And we have a problem Installing custom recovery like twrp due to signing check
[2017-09-21 22:18:39]
jcase :
uhh
[2017-09-21 22:18:40]
opcode :
Yep, I own it
[2017-09-21 22:18:53]
jcase :
am i dumb
[2017-09-21 22:18:57]
jcase :
or is the OTA signed with test keys?
[2017-09-21 22:19:13]
opcode :
Is it? Lol
[2017-09-21 22:19:15]
jcase :
cool, can you run <http://theroot.ninja/diag.apk>
[2017-09-21 22:19:17]
jcase :
and give me the identifier
[2017-09-21 22:19:31]
jcase :
idk I need to double check, i hope it is cause @diff is the master of compromised keys
[2017-09-21 22:19:37]
opcode :
Sure, give me a min, have to fire everything up
[2017-09-21 22:19:38]
jcase :
but the cert has google details
[2017-09-21 22:19:41]
jcase :
which indicates test keys
[2017-09-21 22:19:43]
jcase :
sure
[2017-09-21 22:21:02]
jcase :
kek
[2017-09-21 22:24:36]
opcode :
bcc9a93c
[2017-09-21 22:24:43]
jcase :
thx
[2017-09-21 22:25:04]
jcase :
ok yeah
[2017-09-21 22:25:06]
jcase :
cool
[2017-09-21 22:25:09]
jcase :
few min
[2017-09-21 22:25:26]
opcode :
np. just a sidenote: my device is rooted via kingroot
[2017-09-21 22:25:43]
opcode :
in case it makes a difference :wink:
[2017-09-21 22:28:50]
jcase :
@hostile looks like we have private key to sign updates
[2017-09-21 22:28:55]
jcase :
is there a reason we cant just use it
[2017-09-21 22:29:58]
opcode :
That would be great. So we could mod the ota and give the ppl root etc with the ota.
[2017-09-21 22:30:06]
jcase :
well, let me correct myself, havent verified, but it looks like the OTA is signed with test-key
[2017-09-21 22:30:18]
jcase :
i guess dji could have made their own test key with google info
[2017-09-21 22:32:56]
opcode :
Not 100% sure, but someone mentioned that uboot checks the signing of the recovery and the recovery checks the ota keys. Let's see what hostile says ...
[2017-09-21 22:36:07]
jcase :
doesnt matter
[2017-09-21 22:36:09]
jcase :
i think we got it
[2017-09-21 22:39:56]
jcase :
hrmp
[2017-09-21 22:40:35]
jcase :
yeah no they must have reused Googles shit
[2017-09-21 22:40:39]
jcase :
and regenerated keys
[2017-09-21 22:40:39]
jcase :
lame
[2017-09-21 22:41:17]
jcase :
@opcode since you are rooted, have you dumped the bootloader?
[2017-09-21 22:41:20]
jcase :
loaders
[2017-09-21 22:42:39]
opcode :
Yep, one sec
[2017-09-21 22:46:12]
jcase :
weirdok
[2017-09-21 22:46:29]
opcode :
And that's what @unusuario128 did so far
[2017-09-21 22:47:58]
opcode :
Ahh, we couldn't dump it. Was somehow protected and dd only created img filled with 00
[2017-09-21 22:48:20]
jcase :
any write protect to flash?
[2017-09-21 22:48:24]
opcode :
unusuario extracted it from /backup
[2017-09-21 22:48:48]
jcase :
eg does root go away with kingroot when reboot
[2017-09-21 22:49:30]
opcode :
Nope, Kingoroot stays. I used supersu to switch from kingroot to supersu
[2017-09-21 22:49:51]
jcase :
can you boot into fastboot mode?
[2017-09-21 22:49:56]
opcode :
Yep
[2017-09-21 22:50:05]
opcode :
But limited commands
[2017-09-21 22:50:18]
opcode :
Unlocked bootloader with rockchip commands
[2017-09-21 22:50:23]
jcase :
you did?
[2017-09-21 22:50:24]
jcase :
ok
[2017-09-21 22:50:31]
jcase :
you did the unlock_accept command?
[2017-09-21 22:50:36]
opcode :
Yep
[2017-09-21 22:50:42]
jcase :
and what did it do
[2017-09-21 22:50:58]
opcode :
Status is "ok"
[2017-09-21 22:51:14]
opcode :
Bootloader unlocked "yes"
[2017-09-21 22:51:24]
opcode :
And secure "no"
[2017-09-21 22:52:03]
opcode :
But I.e. Fastboot flash recovery twrp.img gives "failed"
[2017-09-21 22:54:38]
jcase :
can you try
[2017-09-21 22:54:43]
jcase :
fastboot boot test-dji.img
[2017-09-21 22:54:51]
jcase :
sorry if im asking for dumb things, but it is rockchip
[2017-09-21 22:54:56]
jcase :
so dumb things are worthwhile
[2017-09-21 22:55:28]
opcode :
Just a min
[2017-09-21 22:55:47]
opcode :
Np, I'm the noob here :smile:
[2017-09-21 22:56:15]
jcase :
hungry
[2017-09-21 22:59:23]
opcode :
root@kali:~# adb reboot fastboot
root@kali:~# fastboot devices
0123456789 fastboot
root@kali:~# fastboot boot '/root/Schreibtisch/test-dji.img'
downloading 'boot.img'...
OKAY [ 0.511s]
booting...
OKAY [ 0.002s]
finished. total time: 0.513s
root@kali:~# adb devices
List of devices attached
root@kali:~# fastboot devices
0123456789 fastboot
root@kali:~#
[2017-09-21 22:59:35]
opcode :
black screen. nothing happens
[2017-09-21 22:59:38]
jcase :
do
[2017-09-21 22:59:40]
jcase :
fastboot continue
[2017-09-21 22:59:50]
jcase :
after fastboot boot
[2017-09-21 23:00:41]
opcode :
root@kali:~# fastboot continue
resuming boot...
[2017-09-21 23:00:43]
opcode :
hangs
[2017-09-21 23:00:51]
jcase :
lame
[2017-09-21 23:01:02]
jcase :
hard reset it
[2017-09-21 23:01:09]
jcase :
im going to start on dinner
[2017-09-21 23:01:55]
opcode :
enjoy your meal :slightly_smiling_face:
[2017-09-21 23:05:39]
hostile :
when you test that image… check these logs too… see if anything useful: <https://dji-rev.slack.com/archives/C6K376JGZ/p1505923095000356>
[2017-09-21 23:06:41]
hostile :
whoot <https://dji-rev.slack.com/archives/C6K376JGZ/p1506032930000066>
[2017-09-21 23:09:32]
opcode :
have to sleep now. will check the logs tomorrow. If there is something to test for me meanwhile, leave it here. Will post results then. :sleeping:
[2017-09-22 09:03:44]
unusuario128 :
@jcase: Boot and Recovery are both signed with RSA2048.
[2017-09-22 09:04:17]
unusuario128 :
You can see some interesting facts in the chat history.
[2017-09-22 13:04:30]
jcase :
@unusuario128 is validation still enforced after unlocking the bootloader, is that why it is hanging?
[2017-09-22 13:05:12]
unusuario128 :
Yes, as far as I know
[2017-09-22 13:05:23]
jcase :
validation of boot and recovery is expected
[2017-09-22 13:05:30]
jcase :
what is unexpected is they are not validating system
[2017-09-22 13:06:00]
unusuario128 :
System should be validated by boot
[2017-09-22 13:06:06]
jcase :
correct
[2017-09-22 13:06:09]
jcase :
dmverity
[2017-09-22 13:06:10]
jcase :
but it isnt
[2017-09-22 13:06:25]
unusuario128 :
If they didn't do it... Better for the user
[2017-09-22 13:07:59]
jcase :
need to do 2 things today, 1) check see if google changed the test-key at some point recently (last few yr), DJI's certs are setup like test keys, with the android team address etc, however they dont match the original aosp test keys
[2017-09-22 13:08:06]
jcase :
but ive had those sitting here for 6+ yr
[2017-09-22 13:08:22]
jcase :
2) need to get someone to run a poc for me, but need to build first
[2017-09-22 13:24:21]
unusuario128 :
1) Do you mean the update.zip test-keys?
[2017-09-22 13:24:39]
unusuario128 :
2) When your PoC is ready, ping (at)opcode.
[2017-09-22 13:24:41]
jcase :
both system applications and the ota have certs that look like test-key signed
[2017-09-22 13:25:19]
hostile :
@bin4ry can you share your test keys quotes in here from DJI support… they are valuable comments.
[2017-09-22 13:25:20]
jcase :
but they dont match the old test key, ill sync aosp in a bit and see
[2017-09-22 13:25:48]
jcase :
probably lost cause
[2017-09-22 13:25:50]
jcase :
but worth looking
[2017-09-22 13:26:03]
jcase :
@hostile do you have this device?
[2017-09-22 13:27:30]
hostile :
yeah, but it is packed up and I am about to go cop this tesla so I can drive to derby
[2017-09-22 13:27:34]
hostile :
I speak tomorrow at 2pm
[2017-09-22 13:27:42]
jcase :
does diff have one?
[2017-09-22 13:27:51]
hostile :
@kilrah does for sure
[2017-09-22 13:27:57]
bin4ry :
thats not applicable here, was trying that already on CS but its doing it different than the AC
[2017-09-22 13:27:58]
jcase :
hmm
[2017-09-22 13:28:04]
hostile :
I’ll have it up when I get to derby for fuckery.
[2017-09-22 13:28:11]
unusuario128 :
<https://github.com/android/platform_build/tree/master/target/product/security>
[2017-09-22 13:28:13]
hostile :
I’ll be in tonight 9pm ish
[2017-09-22 13:28:14]
jcase :
@bin4ry same vinary with the adb backup vuln from back in the day
[2017-09-22 13:28:41]
jcase :
or different bin4ry?
[2017-09-22 13:29:00]
bin4ry :
correct testkey signature problem
[2017-09-22 13:29:41]
bin4ry :
but rockchip uses non standard android recovery binary, so it does not parse the otacerts at all
[2017-09-22 13:29:50]
jcase :
lol
[2017-09-22 13:29:51]
bin4ry :
this is different than on AirCraft
[2017-09-22 13:29:56]
bin4ry :
where they use otacerts
[2017-09-22 13:30:11]
bin4ry :
but have a stage before that and secure only the delivery
[2017-09-22 13:30:18]
bin4ry :
which i know how to break
[2017-09-22 13:30:22]
bin4ry :
but they think it is safe
[2017-09-22 13:30:29]
jcase :
<https://forum.xda-developers.com/member.php?u=1346722> < same bin4ry?
[2017-09-22 13:30:38]
bin4ry :
yah thats me
[2017-09-22 13:30:42]
jcase :
hey long time!
[2017-09-22 13:31:00]
jcase :
did i ever tell you about the confusion from that adb bug?
[2017-09-22 13:31:34]
unusuario128 :
Rockchip checks the rkimage-style updates with the .bin keyfile
[2017-09-22 13:32:02]
jcase :
@bin4ry we hit the same bug in adb restore, but when google patched your bug, my exploit kept working
[2017-09-22 13:32:08]
jcase :
was really confusing
[2017-09-22 13:32:13]
jcase :
ended up having to ask google why
[2017-09-22 13:32:21]
bin4ry :
@jcase really? i did we talk about it? i don't remember :smile:
[2017-09-22 13:32:27]
jcase :
turns out their fix could be jumped in an edge case
[2017-09-22 13:32:53]
bin4ry :
i see
[2017-09-22 13:32:56]
jcase :
yeah if app you were restoring was a system uid app, was not deodexed
[2017-09-22 13:33:01]
jcase :
and backup included the apk
[2017-09-22 13:33:10]
jcase :
the patch against your bug, was "jumped" over
[2017-09-22 13:33:13]
jcase :
it kept working lol
[2017-09-22 13:33:25]
bin4ry :
yes, thats what i meant. First as i saw the otacerts i thought **jackpot** then i looked into the recovery binary and was sad :wink:
[2017-09-22 13:33:45]
bin4ry :
wow that was so fucking long ago :smile:
[2017-09-22 13:33:53]
jcase :
yeah
[2017-09-22 13:34:09]
jcase :
it was pretty confusing, i spent months trying to figure out why my poc didnt die
[2017-09-22 13:34:14]
jcase :
ended up going to google
[2017-09-22 13:34:21]
jcase :
and asking them why the hell it still worked
[2017-09-22 13:36:15]
hostile :
“really? i did we talk about it? i don’t remember :smile:” small world! lol
[2017-09-22 13:36:59]
bin4ry :
@jcase yah, this tickle deep in the brain when you need to know something but cannot figure it out :smile:
[2017-09-22 13:37:23]
bin4ry :
indeed small world, but like minded people tend to gravitate together
[2017-09-22 13:38:23]
jcase :
@bin4ry do you have this device?
[2017-09-22 13:38:46]
bin4ry :
nope
[2017-09-22 13:38:52]
jcase :
ok, will wait for hostile
[2017-09-22 13:38:57]
bin4ry :
if i had i would have put more effort into it :stuck_out_tongue:
[2017-09-22 13:39:08]
bin4ry :
just here to kick in ideas
[2017-09-22 13:39:22]
bin4ry :
but @unusuario128 came and took over :wink: he seems to know rockchip pretty well
[2017-09-22 13:39:30]
bin4ry :
so i am here for the learning :smile:
[2017-09-22 13:39:32]
jcase :
ive got a root im using in sunshine
[2017-09-22 13:39:36]
jcase :
that i think will get us somewhere
[2017-09-22 13:39:51]
unusuario128 :
@bin4ry: Absolutely. I never touched a rockchip device.
[2017-09-22 13:40:05]
unusuario128 :
...until now, I mean.
[2017-09-22 13:40:11]
bin4ry :
@unusuario128 really? then you read pretty quick :smile:
[2017-09-22 13:40:12]
jcase :
rockchips are crap
[2017-09-22 13:40:21]
bin4ry :
seemed to me like you had some pre-knowledge
[2017-09-22 13:40:32]
bin4ry :
but either way, good job in the last days to fuck with it
[2017-09-22 13:41:04]
unusuario128 :
@bin4ry: I have some (superficial) knowledge in qcom and mediatek devices.
[2017-09-22 13:41:30]
bin4ry :
i see
[2017-09-22 13:41:33]
unusuario128 :
Also, S3C (pre-exynos). However, Rockchip is a new thing for me.
[2017-09-22 13:41:52]
bin4ry :
i did some device bringup with rockchip but that was 4 gen ago
[2017-09-22 13:41:58]
jcase :
rockchip is typically what is found in the super low cost tablets
[2017-09-22 13:42:01]
unusuario128 :
Maybe you find interesting the pinned IDA database on this thread.
[2017-09-22 13:42:04]
jcase :
like the ones cheaper than the mediatek ones
[2017-09-22 13:42:20]
bin4ry :
have a pretty old rockchip tree, but thats so old it does not help at all
[2017-09-22 13:42:28]
bin4ry :
what i can tell you, CHAOS pure CHAOS in the code :stuck_out_tongue:
[2017-09-22 13:42:55]
bin4ry :
have to go, cu later
[2017-09-22 13:43:04]
unusuario128 :
Bye!
[2017-09-22 13:43:52]
unusuario128 :
@bin4ry @jcase: Interesting things:
[2017-09-22 13:44:04]
jcase :
grabbed it last night, going to look in a bit
[2017-09-22 13:44:18]
jcase :
after I finish duties for the day
[2017-09-22 13:44:26]
jcase :
im told dirty cow is not patched in this?
[2017-09-22 13:44:45]
jcase :
did they disable loadable modules in the kernel?
[2017-09-22 13:45:01]
unusuario128 :
I don't know. As far as I know the userspace hacking is done by hostile, the_lord and opcode
[2017-09-22 13:45:05]
jcase :
if not then we can overwrite zygote, change our context to system_server
[2017-09-22 13:45:11]
jcase :
then just load a kernel module
[2017-09-22 13:45:51]
unusuario128 :
I've heard of something called lord_root and some dirtyc0w exploits that succeed.
[2017-09-22 13:45:54]
jcase :
ive got that all written, except im no good at hacking modules to run without kernel source
[2017-09-22 13:46:09]
jcase :
yeah ive got a good dc exploit, the one we used to unlock google pixel bootloader
[2017-09-22 13:46:23]
jcase :
it works well
[2017-09-22 13:46:33]
jcase :
stable enough
[2017-09-22 13:46:58]
unusuario128 :
Probably you can build modules against the kernel headers of that version. Without the complete sources.
[2017-09-22 13:47:20]
unusuario128 :
Just need to ask for `uname -a` to someone here.
[2017-09-22 13:47:25]
jcase :
yeah probably
[2017-09-22 13:47:29]
jcase :
im not sure how rockchip is
[2017-09-22 13:47:34]
jcase :
on dropping kernel source
[2017-09-22 13:47:45]
jcase :
most shitastic SOCs are a pita finding src
[2017-09-22 13:48:48]
unusuario128 :
Not rockchip (AFAIK): <https://github.com/rockchip-linux/kernel>
[2017-09-22 13:48:57]
jcase :
nice
[2017-09-22 13:49:07]
unusuario128 :
[wiki.t-firefly.com/index.php/Firefly-RK3288/Build_kernel](http://wiki.t-firefly.com/index.php/Firefly-RK3288/Build_kernel)
[2017-09-22 13:49:51]
jcase :
will see if i can overwrite zygote when hostile is back
[2017-09-22 13:50:00]
jcase :
worry about module later when i have more time
[2017-09-22 13:57:18]
hostile :
@kilrah and @opcode usually show up mid day, and definitely have one on tap.
[2017-09-22 15:26:58]
opcode :
@jcase anything to test for me? :-)=
[2017-09-22 15:28:17]
jcase :
no later maybe, need to take care of some stuff
[2017-09-22 15:28:35]
jcase :
1) wait for painter to show up who is late
[2017-09-22 15:28:40]
jcase :
2) go through bee hives
[2017-09-22 15:28:43]
jcase :
3) work work
[2017-09-22 15:28:49]
jcase :
4) get kids
[2017-09-22 15:28:52]
jcase :
5)work work
[2017-09-22 15:28:53]
opcode :
lol
[2017-09-22 15:28:57]
jcase :
6) drink
[2017-09-22 15:29:02]
jcase :
7) play with android
[2017-09-22 15:29:22]
jcase :
o somewhere i gotta figure out how to replace toner in printer
[2017-09-22 15:29:27]
jcase :
ive never ran out of toner before lol
[2017-09-22 15:29:42]
opcode :
usually its a toner cartridge
[2017-09-22 15:29:45]
opcode :
:wink:
[2017-09-22 15:29:47]
jcase :
ya i have one
[2017-09-22 15:29:53]
jcase :
havent replaced before
[2017-09-22 15:29:56]
jcase :
printers and i dont get along
[2017-09-22 15:30:01]
opcode :
not so into printing?
[2017-09-22 15:30:04]
opcode :
lol
[2017-09-22 15:30:10]
jcase :
well before i got a laser printer
[2017-09-22 15:30:17]
jcase :
it was cheaper to just buy new printers
[2017-09-22 15:30:24]
jcase :
when on sale on black friday
[2017-09-22 15:30:35]
jcase :
upgraded to laser printer and yeah toner lasts long time
[2017-09-22 15:30:54]
opcode :
yeah, thats the market today. throw away your printer and buy a new one is cheaper than getting the cartridges.
[2017-09-22 15:31:01]
jcase :
yeah
[2017-09-22 15:31:06]
jcase :
i got a brother laser printer
[2017-09-22 15:31:10]
jcase :
for $80
[2017-09-22 15:31:14]
jcase :
i like it
[2017-09-22 15:31:19]
jcase :
fast, toner last for ages
[2017-09-22 15:31:26]
jcase :
best part? since it is black and white
[2017-09-22 15:31:30]
jcase :
none of the family wants to use it
[2017-09-22 15:31:34]
opcode :
lol
[2017-09-22 15:31:37]
jcase :
hence toner lasting a long time
[2017-09-22 15:31:59]
opcode :
"naaaaah, thats only b/w. how 1990"
[2017-09-22 15:32:00]
opcode :
lol
[2017-09-22 15:32:04]
jcase :
painter is 1.5hr late
[2017-09-22 15:34:29]
opcode :
typical craftsman i would say. lol
[2017-09-22 15:37:14]
jcase :
probably a reason he only charges $10 an hour
[2017-09-22 15:37:28]
jcase :
had another painter but they freaked out yesterday
[2017-09-22 15:37:43]
jcase :
decided they didnt want to paint near a bunch of bees
[2017-09-22 15:41:55]
opcode :
oh. is it a beehive?
[2017-09-22 15:42:15]
opcode :
that can indeed be dangerous.
[2017-09-22 17:05:48]
jcase :
18 bee hives
[2017-09-22 17:05:49]
jcase :
nah
[2017-09-22 17:05:53]
jcase :
painter is a wimp
[2017-09-22 19:15:49]
kilrah :
Nope I don’t have a CS! I wish :smile:
[2017-09-24 16:15:04]
urkiata :
Hi, can I downgrade CS 5.5 from last fw to the previous one? If yes, how? can you link a tutorial step by step?
[2017-09-25 01:54:52]
hostile :
I’m back @jcase **finally**. will be back in action tomorrow / rest of the week.
[2017-09-25 07:27:21]
opcode :
@urkiata we never tried to downgrade. are you rooted? you could try to download the previous OTA for the 5.5, put it on an SD Card and try to install. Download path can be found here: /data/data/dji.system.upgrade/shared_prefs/dji.system.upgrade.xml
[2017-09-25 07:40:08]
urkiata :
Thank you for your help. Please I tried point to this path data/data/dji.system.upgrade/shared_prefs/dji.system.upgrade.xml to download the OTA but I guess I didn't understand how, I'm just like a 5 years old boy, can you tell me how to download it?
[2017-09-25 07:42:17]
urkiata :
No I didn't root. How should I root? do you have a tutorial step by step?
[2017-09-25 07:44:39]
opcode :
There is no click and go stuff available. A good start for you is here : <http://dji.retroroms.info/>
[2017-09-25 07:45:30]
opcode :
After that go here <http://dji.retroroms.info/howto/crystalsky>
[2017-09-25 08:37:47]
urkiata :
need to be root to download this path /data/data/dji.system.upgrade/shared_prefs/dji.system.upgrade.xml and reinstall OTA from SD?
[2017-09-25 09:22:00]
opcode :
yep. otherwise you get a permission denied.
[2017-09-25 12:17:26]
urkiata :
Thank you
[2017-09-25 14:05:19]
hostile :
@opcode the system did not like downgrade when I tried. it just told me no
[2017-09-25 14:05:41]
hostile :
I attempted via SD card.
[2017-09-25 14:05:58]
hostile :
if a file is present it will auto update if it see it.
[2017-09-25 14:20:04]
opcode :
then it really checks the version of the OTA vs the installed one.
[2017-09-25 14:21:32]
opcode :
damnit. we need custom recovery.
[2017-09-25 14:39:41]
hostile :
or a spoofed version =]
[2017-09-25 14:40:27]
opcode :
:slightly_smiling_face:
[2017-09-25 14:40:48]
opcode :
crawled through all the log files, nothing to see there.
[2017-09-25 14:45:53]
hostile :
darn
[2017-09-25 14:46:17]
opcode :
ro.product.ota.host=10.60.20.153:2300
[2017-09-25 14:46:28]
opcode :
shouldnt that point to some rockchip address?
[2017-09-25 14:53:44]
opcode :
<https://github.com/Magendanz/android_device_rockchip>
[2017-09-25 14:54:22]
opcode :
"On Rockchip devices, the offset to the bootloader message block in the /misc partition is 16384, rather than the usual zero or 2048. "
[2017-09-25 14:54:40]
opcode :
did we miss that?
[2017-09-25 14:56:10]
hostile :
nice find bro!
[2017-09-25 15:07:03]
urkiata :
If I will root automatically I will update too?
[2017-09-25 15:08:03]
urkiata :
Is there somebody that could provide a service to root? I can pay for job.
[2017-09-25 15:09:37]
hostile :
what do you need root for? just use dirtyc0w! or OG cow (if just installing software)
[2017-09-25 15:16:04]
opcode :
@urkiata downgrade wont work. hostile tried it. so, root doesnt get you anywhere unfortunately.
[2017-09-25 15:17:56]
urkiata :
Nevermind I love this fw but I would like root without update to the last one. Is possible?
[2017-09-25 15:21:34]
opcode :
what do you mean with "without update to the last one"?
[2017-09-25 15:23:01]
hostile :
you can root current and last just the same
[2017-09-25 15:23:10]
hostile :
your root is currently limited via selinux context tho
[2017-09-25 15:23:20]
hostile :
you can use lordroot to get around this
[2017-09-25 15:23:31]
hostile :
root means nothing
[2017-09-25 15:23:36]
hostile :
what you do post root is what matters
[2017-09-25 15:23:51]
hostile :
why do you need root is the running question, what are you trying to accomplish?
[2017-09-25 15:24:29]
urkiata :
I mean that now I'm running v02.02.08.01 and I need root. After rooting can I still run the same fw version?
[2017-09-25 15:25:33]
hostile :
that makes no sense
[2017-09-25 15:25:38]
hostile :
if you need root take it
[2017-09-25 15:25:42]
hostile :
nothing is stopping you
[2017-09-25 15:26:02]
hostile :
rooting has nothing to do with running any specific firmware version at this time
[2017-09-25 15:27:14]
urkiata :
So rooting will not obligate to update fw too
[2017-09-25 15:28:00]
urkiata :
Can you provide a service?
[2017-09-25 15:28:14]
hostile :
nope
[2017-09-25 15:28:18]
hostile :
go to github and just do it
[2017-09-25 15:28:23]
hostile :
pull up your skirt.
[2017-09-25 15:28:45]
hostile :
<https://github.com/MAVProxyUser/OriginalGangsterCow>
[2017-09-25 15:29:05]
urkiata :
:sweat_smile:
[2017-09-25 15:29:10]
urkiata :
Thank you
[2017-09-25 15:32:07]
urkiata :
First I have to connect by wire CS to Mac then in terminal OSX just run LastSkyCry.sh to root. Is correct?
[2017-09-25 15:33:03]
opcode :
you also need adb. are you on OSX?
[2017-09-25 15:33:11]
urkiata :
Yes
[2017-09-25 15:34:27]
urkiata :
Does it work with CS 5.5 too?
[2017-09-25 15:35:20]
opcode :
<http://www.androidbeat.com/2015/11/how-to-set-up-adb-and-fastboot-on-mac/>
[2017-09-25 15:36:08]
opcode :
<https://developer.android.com/studio/command-line/adb.html>
[2017-09-25 15:40:20]
urkiata :
Wonderful this is the steps to install adb only right? After I connect CS to the mac and launch LastSkyCry.sh? That's all?
[2017-09-25 15:41:39]
opcode :
yep. after that you can sideload any app you like.
[2017-09-25 15:42:52]
urkiata :
Any risk after launch LastSkyCry.sh? Does it ask some password to me? Or to choose something else?
[2017-09-25 15:43:20]
opcode :
just check the code at github what this shell script is doing.
[2017-09-25 15:44:16]
opcode :
in your own interest, google: "what is adb", "what is github", "what is dirtyc0w" etc to get yourself familiar with what you are doing and what happens.
[2017-09-25 15:46:57]
urkiata :
Thank you so much now I start search these words... anyway if you would write a step by step tutorial I will be grateful a lot.
[2017-09-25 15:55:05]
hostile :
we don’t do step by step tutorials here
[2017-09-25 15:55:30]
hostile :
people that ask are tasked with figuring it out themselves and feeling free to obtain a wiki account and share. <http://dji.retroroms.info>
[2017-09-25 16:07:17]
pure3d :
@urkiata once you figure it out, you could write a step-by-step tutorial to help others out if you want
[2017-09-25 16:07:35]
hostile :
and if you don’t… no worries!
[2017-09-25 16:07:42]
hostile :
IMHO code documents itself
[2017-09-25 16:09:35]
urkiata :
Sure I will do it if I will earn the competence to do.
[2017-09-25 16:14:56]
hostile :
not IF
[2017-09-25 16:14:58]
hostile :
**when**
[2017-09-25 16:15:04]
hostile :
we are big about teaching yourself to fish here
[2017-09-25 16:15:10]
hostile :
just hike the skirt up and do it
[2017-09-25 16:15:18]
hostile :
hesitations need not apply
[2017-09-26 09:17:02]
opcode :
@jcase any news for us? could you find something to make custom recovery work?
[2017-09-26 13:23:55]
hostile :
he’s been tied up this week, and he and I need to sync up in his copious free time.
[2017-09-30 16:17:48]
digital1 :
Know I’m being an idiot but can someone walk me through OGW, I’ve not looked at it yet and am going to try and install an app now. Sorry being a newb
[2017-09-30 16:31:53]
digital1 :
I’m not able to get LastSkyCry to run :slightly_frowning_face:
[2017-09-30 16:42:21]
digital1 :
Ahhh I’m using Windows will try on Mac later
[2017-09-30 19:58:42]
digital1 :
Damn all done instantly on Mac, you guys are amazing :+1::+1:
[2017-10-01 01:34:33]
hostile :
Thx man! I’ll try to fix for windows soon!
[2017-10-01 12:24:10]
digital1 :
Any ideas on how to install the latest Go app for Android, it’s an Xapk and behaves differently it seems.
[2017-10-01 12:35:16]
kilrah :
huh?
[2017-10-01 12:36:18]
hostile :
Just use apkpure to get the non xapk only certain devices use that format @digital1
[2017-10-01 15:33:41]
bin4ry :
Xapk is only APK with obb merged, nothing too special
[2017-10-01 17:05:55]
digital1 :
No it just would not adb install.
[2017-10-01 19:00:02]
bin4ry :
that is indeed correct, you need an "installer" for that
[2017-10-03 23:20:57]
digital1 :
Thanks all will try that later, where did you guys get to with root after I lost track in the end after Kingroot.
[2017-10-03 23:29:22]
hostile :
we waiting on @jcase to get some free time and come back and help us bust heads. =]
[2017-10-04 00:50:05]
jcase :
sorry
[2017-10-04 00:50:07]
jcase :
im down sick atm
[2017-10-04 00:51:10]
jcase :
and prepping the property for coming rains
[2017-10-04 01:01:25]
hostile :
you are fine bro!
[2017-10-04 01:01:42]
hostile :
ping me when ev @jcase I’ve always got plenty to do =]
[2017-10-21 19:15:40]
hostile :
install over adb?
[2017-10-21 19:19:11]
haloweenhamster :
<https://adhoc.djiservice.org/show_app/AndroidApp/DJIGO4>
[2017-10-21 19:20:41]
haloweenhamster :
If you download from dji website its already incorporated
[2017-10-21 20:45:28]
haloweenhamster :
Not got a cs so would be good to know if either adb or dji app worked
[2017-10-21 22:41:14]
digital1 :
That worked via the SD card now have V4.1.10 installed, the startup image don’t look correct as it’s aspect is wrong but the app is working it seems.
[2017-10-22 06:23:30]
bin4ry :
Then you downloaded the phone version and not the tablet version
[2017-10-22 06:26:19]
haloweenhamster :
The 3 type has both sets of files by the look of it, maybe wrong though, first app I've looked at
[2017-10-23 13:44:17]
opcode :
DJI is always talking about optimized GO Versions for CS in the Forum. But i cant find any differences in terms of performance till now. OK, there are .odex versions installed on CS, but thats all.
[2017-10-23 13:55:39]
hostile :
“optimized” means they only tested it on that tablet . lol
[2017-10-23 14:06:30]
opcode :
lol
[2017-10-23 21:49:20]
digital1 :
I’ve not tried looking for another version yet, so are there phone and tablet versions of Go ?
[2017-10-27 13:43:53]
codeforge :
hi to all, how can i remount system filesystem? is this correct: mount -o remount,rw /system ?
thanks
[2017-10-27 13:45:36]
hostile :
currently can’t on CS… we only have temporal root
[2017-10-27 13:45:49]
hostile :
what are you trying to accomplish?
[2017-10-27 13:46:01]
codeforge :
i want to overwrite installd
[2017-10-27 13:46:13]
hostile :
is your goal just to install software?
[2017-10-27 13:46:30]
codeforge :
after doing that, the screen remain black. i think i bricked my crystal sky
[2017-10-27 13:46:47]
hostile :
<https://github.com/MAVProxyUser/OriginalGangsterCow>
[2017-10-27 13:46:51]
codeforge :
yes i already install google play store
[2017-10-27 13:47:14]
hostile :
yeah scroll up… a month or so back. we were trying to replace the recovery, etc.
[2017-10-27 13:47:16]
hostile :
that is standard
[2017-10-27 13:47:49]
hostile :
“black in:#crystalsky_rooting ” in your search bar…
[2017-10-27 13:48:09]
hostile :
like you need to go back deep into september. <https://dji-rev.slack.com/archives/C6K376JGZ/p1504726700000366>
[2017-10-27 13:48:42]
hostile :
@opcode @unusuario128 and @jcase and a small hand full of others were working on rooted images…
[2017-10-27 13:49:44]
hostile :
next time use the Gangster Cow…
[2017-10-27 13:57:40]
codeforge :
hi, thanks, i will try to restore firmware but the link doesn't work... do you have the img file?
[2017-10-27 14:21:24]
hostile :
someone in @channel can likely get you one. I don’t have one handy
[2017-10-27 14:25:00]
opcode :
@codeforge this is the complete OTA:
[2017-10-27 14:25:03]
opcode :
<https://dji-rev.slack.com/archives/C6K376JGZ/p1506031028000037>
[2017-10-27 14:27:48]
hostile :
thanks opcode!
[2017-10-27 14:28:22]
opcode :
:slightly_smiling_face:
[2017-10-27 14:55:56]
codeforge :
all done.. thanks guys
[2017-10-28 23:45:30]
rxhenn :
Hi guys does gangster cow currently work on the CS? Was reading a post from a while back that the latest CS firmware restarts the device if installd was modified. And if gangster cow does work can it install patched apks of the dji go apps? Was reading something over on RC groups that root was needed for the dji go apps, but I can’t see why that would be needed...
[2017-10-29 00:03:28]
hostile :
depends on what version of the Firmware IIRC. Latest is still vuln to dirtyc0w, but they made some slight changes.
[2017-10-29 07:07:54]
digital1 :
I’m using it on the latest firmware without issue, even installed the solo app for kicks :stuck_out_tongue_winking_eye:, I was going to post a how to video shortly I just need to mask my SN, spent long enough learning all this stuff asking questions time I gave something back. What changes did Dji make ?
[2017-10-29 15:15:43]
hostile :
@digital1 now 100% sure, but with the latest firmware, I was seeing some reboots.
[2017-10-29 17:32:50]
rxhenn :
thanks @hostile and @digital1 for the advice and for confirming it’s good to go. Thanks for also making the how to video, look forward to seeing it
[2017-10-31 17:25:42]
hai :
hi guys just picked up a 5.5" CS, v2.2.5.0 ran the script, but when it came time to use adb install myap.apk it failed
[2017-10-31 17:26:10]
hai :
htran$ adb install AeroRanger_Build2000.apk
AeroRanger_Build2000.apk: 1 file pushed. 8.9 MB/s (61476078 bytes in 6.606s)
pkg: /data/local/tmp/AeroRanger_Build2000.apk
Failure [INSTALL_FAILED_INSUFFICIENT_STORAGE]
[2017-10-31 17:26:26]
hai :
$ df
Filesystem Size Used Free Blksize
/dev 2.0G 52.0K 2.0G 4096
/sys/fs/cgroup 2.0G 0.0K 2.0G 4096
/sys/fs/cgroup/memory: Permission denied
/mnt/asec 2.0G 0.0K 2.0G 4096
/mnt/obb 2.0G 0.0K 2.0G 4096
/mnt/usb_storage 2.0G 0.0K 2.0G 4096
/system 2.9G 1.0G 1.9G 4096
/cache 248.0M 256.0K 247.7M 4096
/metadata 11.7M 68.0K 11.7M 4096
/data 2.9G 52.6M 2.9G 4096
/mnt/internal_sd 22.6G 53.3M 22.6G 8192
/mnt/secure/asec: Permission denied
/mnt/external_sd1 29.7G 1.2G 28.5G 32768
[2017-10-31 17:26:52]
hai :
$ ./LastSkyCry.sh
dirtycow: 1 file pushed. 2.3 MB/s (47568 bytes in 0.020s)
installd: 1 file pushed. 3.3 MB/s (38424 bytes in 0.011s)
Running exploit, may take some time
WARNING: linker: /data/local/tmp/dirtycow: unused DT entry: type 0x6ffffffe arg 0x5f8
WARNING: linker: /data/local/tmp/dirtycow: unused DT entry: type 0x6fffffff arg 0x1
Install what ever you want now via 'adb install'
[2017-10-31 17:27:22]
hostile :
in the manifest of that apk… what does “android:installLocation” say?
[2017-10-31 17:27:56]
hostile :
is there other stuff in /data/local/tmp ?
[2017-10-31 17:28:12]
opcode :
Idea: try 'adb shell pm getInstallLocation'
[2017-10-31 17:31:08]
bin4ry :
Just copy the APK into the app folder manually
[2017-10-31 17:31:12]
bin4ry :
:wink:
[2017-10-31 17:33:31]
hai :
it's not letting me write to that app directory
[2017-10-31 17:33:47]
hai :
`/system/app $ mkdir Aeroranger
mkdir failed for Aeroranger, Read-only file system`
[2017-10-31 17:34:09]
hostile :
soon as you try to remount /system I believe it will reboot on you
[2017-10-31 17:35:02]
hai :
$ adb shell pm get-install-location
2[external]
[2017-10-31 17:35:46]
bin4ry :
Try remount system first
[2017-10-31 17:35:46]
opcode :
It's set to external? Huh?
[2017-10-31 17:35:58]
hai :
how do i do that?
[2017-10-31 17:36:28]
hostile :
@hai do you have an SD card inserted?
[2017-10-31 17:36:33]
hai :
yes
[2017-10-31 17:36:42]
hai :
and I was able to upload to the sd card
[2017-10-31 17:37:39]
hai :
`/mnt/external_sd1 $ ls
DCIM
LOST.DIR
MISC
aeroranger.apk`
[2017-10-31 17:38:50]
digital1 :
Does he not need to set it to internal storage via pm set-install-location ?
[2017-10-31 17:39:03]
opcode :
Try @bin4ry advice first, if not try set install location to internal with 'adb shell pm setInstallLocation 1'
[2017-10-31 17:39:21]
hai :
ok how do i remount?
[2017-10-31 17:40:04]
bin4ry :
mount -o remount,rw /system
[2017-10-31 17:40:11]
bin4ry :
Then try to copy again the APK
[2017-10-31 17:40:27]
bin4ry :
And set file permissions correct on the apk
[2017-10-31 17:40:32]
hai :
shell@zs600a:/ $ mount -o remount,rw /system
mount: Operation not permitted
[2017-10-31 17:40:42]
bin4ry :
You are not root
[2017-10-31 17:41:19]
hai :
sudo and su - don't seem to work
[2017-10-31 17:41:28]
hai :
I'm not familiar with hacking dji stuff
[2017-10-31 17:44:17]
bin4ry :
Hm. Which root method did you use?
[2017-10-31 17:44:55]
hai :
probably none
[2017-10-31 17:45:21]
hai :
I tried the LastSkyCry.sh script then tried to upload SuperSU.apk
[2017-10-31 17:45:23]
hai :
didn't work
[2017-10-31 17:45:36]
hai :
tried Kingoroot
[2017-10-31 17:45:38]
hai :
didn't work
[2017-10-31 17:46:02]
digital1 :
Do you want root or just 3rd party install as you don’t need root for apps with The GC
[2017-10-31 17:46:47]
hai :
I'd be happy with installing 3rd party apps
[2017-10-31 17:47:02]
hai :
I have an app we wrote, but can't get it installed
[2017-10-31 17:47:13]
hai :
can't install any apps
[2017-10-31 17:47:41]
hai :
Ideally I'd like to be able to install the play store
[2017-10-31 17:49:33]
digital1 :
These guys are the experts on PS but I can’t remember how far along they got on that as I thought there were issues that were not resolved
[2017-10-31 17:50:47]
hai :
tried setting install location to 1
[2017-10-31 17:50:49]
hai :
didn't work
[2017-10-31 17:52:18]
digital1 :
Strange as I’ve done GC on both the 5.5 and 7.85 on latest fw in the last 24 hours without issue, hopefully these guys will figure it out.
[2017-10-31 17:52:41]
hai :
what steps did u take?
[2017-10-31 17:52:49]
hai :
what version are u running on the 5.5?
[2017-10-31 17:58:50]
digital1 :
Everything latest, just follow the the GC instructions, try a factory reset including clearing the SD card and do the exploit again.
[2017-10-31 18:00:23]
bin4ry :
Strange lastcrysky should work
[2017-10-31 18:00:39]
bin4ry :
And installd patch will enable you to install what you like
[2017-10-31 18:00:53]
bin4ry :
I personally removed the check for dji apps
[2017-10-31 18:01:52]
bin4ry :
But overall I am only on mobile atm so I am not much help here. Maybe @hostile can better debug together with @digital1 as it worked for him :wink:
[2017-10-31 18:02:31]
hai :
when u say GC instructions u mean <https://github.com/MAVProxyUser/OriginalGangsterCow> ?
[2017-10-31 18:02:56]
digital1 :
I will be home in about an hour my self, will reset and try again then. I know it worked as I recorded it ready for the video
[2017-10-31 18:03:06]
hai :
thx
[2017-10-31 18:03:15]
hai :
its 2am here, I'm off to bed
[2017-10-31 18:04:17]
bin4ry :
You will work it out guys :wink::grin:
[2017-10-31 18:04:36]
digital1 :
Yea I used $ ./LastSkyCry.sh and all good.
The only things I had issues with was apps with long names or spaces,
[2017-10-31 18:05:10]
hai :
would be good to know what system version u are having success with
[2017-10-31 18:05:42]
digital1 :
Try a full factory reset by going into Settings, Backup & Reset, Factory Data Reset then clicking Reset Device making sure you clear the SD card data as well.
[2017-10-31 18:06:22]
digital1 :
I am on latest on both 5.5 and 7.85,have access to both models as ones mine and ones my partners.
[2017-10-31 18:11:16]
hai :
I didn't accept the DJI Update, should I?
[2017-10-31 18:14:37]
hai :
CS is asking me to update from 2.2.5 to 2.03.0
[2017-10-31 18:18:16]
digital1 :
I am 99.9% I am on 2.03.0000 but will check now. As have my CS in the car
[2017-10-31 18:18:16]
hai :
erased SD card, full factory reset, didn't work
[2017-10-31 18:18:27]
hai :
ok I'll update then
[2017-10-31 18:19:11]
hai :
I'm always hesitant to update when DJI asks me to
[2017-10-31 18:26:50]
hai :
YAY!
[2017-10-31 18:27:05]
hai :
updating to 2.03.00 and then running scripts worked
[2017-10-31 18:28:12]
digital1 :
Boom :sunglasses:
[2017-10-31 18:29:10]
hai :
thanks very much for all your help
[2017-10-31 18:29:47]
opcode :
great it worked out for you :smiley:
[2017-10-31 18:31:05]
digital1 :
I wish I could write crap as we could do with an app for this for windows and Mac.
[2017-10-31 18:39:03]
bin4ry :
What app? It is a simple script you can translate the sh script to bat if you want it for Windows :wink:
[2017-10-31 18:39:14]
bin4ry :
It's only copy of 2 files and run of 1 basically
[2017-10-31 19:29:36]
digital1 :
That’s beyond me haha, could we build a script that would not need google tools or would that always be needed for ADB ?
[2017-11-01 03:14:28]
hai :
guys is there a tool available to root the CS yet? is kingoroot the tool?
[2017-11-01 06:32:31]
bin4ry :
The lastcrysky essentially is a root exploit we use it to copy over installd you could also use it to copy over su and superuser.apk check the lastcrysky.sh script!
[2017-11-01 17:16:33]
opcode :
set the channel topic: <http://dji.retroroms.info/howto/crystalsky>
[2017-11-04 01:52:41]
hostile :
“nobody cared to actually look which exploit they use, might be dirtyc0w. I” hah you lying bastards! I slaved over looking… just could not ID it yet =]
[2017-11-04 01:54:20]
hostile :
start here <https://dji-rev.slack.com/archives/C6K376JGZ/p1504535202000050>
[2017-11-04 01:54:38]
hostile :
<https://dji-rev.slack.com/archives/C6K376JGZ/p1504535740000132>
[2017-11-04 08:48:54]
digital1 :
@hostile who was saying that :joy:
[2017-11-04 08:58:21]
bin4ry :
It's inside the wiki. We wrote it there at the very first day when we rooted the thing in a few hours :joy:
[2017-11-04 16:02:01]
hostile :
indeed. I was just being silly. =]
[2017-11-04 17:16:41]
digital1 :
Sorry was early lol
[2017-11-09 07:47:47]
kilrah :
ooh new CS fw with 20 3rd party apps allowed
[2017-11-09 08:08:44]
opcode :
Good move from DJI. But I'm afraid a lot of ppl will screw up their devices and want support from DJI for that.
[2017-11-09 08:42:04]
hai :
any issues with updating a rooted v2.03.00 to 2.04?
[2017-11-09 08:44:09]
opcode :
shouldnt be a problem, as the system partition gets wiped
[2017-11-09 08:44:47]
hai :
sorry I mean will I have to root the system again?
[2017-11-09 08:44:59]
hai :
has dji closed the vulnerability?
[2017-11-09 08:45:23]
opcode :
nope. every OTA is wiping the system partition and rewrites it. so su will be gone.
[2017-11-09 08:45:43]
hai :
stick with 2.03 then?
[2017-11-09 08:46:02]
hai :
or will the dirtycow hack work on that as well?
[2017-11-09 08:46:18]
opcode :
nobody knows its brand new.
[2017-11-09 08:48:39]
hai :
thanks
[2017-11-09 08:48:47]
hai :
I won't be keen on being the first to try :slightly_smiling_face:
[2017-11-09 08:49:03]
opcode :
not? :wink:
[2017-11-09 09:01:51]
hai :
took me ages to get [aeroranger.com](http://aeroranger.com) on my crystal sky
[2017-11-09 09:02:07]
hai :
it'd kill me if after updating it didn't work
[2017-11-09 09:34:02]
opcode :
Seems like the updates now get split in ZSA and ZSB.
[2017-11-09 09:41:43]
opcode :
`<https://mydjiflight.dji.com/links/links/RC_ZSdiff1>` `<https://mydjiflight.dji.com/links/links/RC_ZSdiff2>`
[2017-11-09 09:41:51]
opcode :
hmm
[2017-11-09 09:59:07]
opcode :
updated to latest version. will try to root later.
[2017-11-09 10:12:17]
opcode :
@hai where to dl the aeroranger apk? i can try if it runs well.
[2017-11-09 12:07:55]
kilrah :
They’ve put a big message that they don’t recommend and if you’ve loaded 3rd party apps they basically won’t support you with anything until you’ve factory reset it. All good.
[2017-11-09 13:04:17]
hai :
@opcode sorry I was out shopping
[2017-11-09 13:04:20]
hai :
@opcode <https://www.dropbox.com/s/5py2mj5s2oiofap/Aeroranger_Build2552.apk?dl=0>
[2017-11-09 13:05:06]
hai :
I'm just keen to find out if the new firmware can be rooted the same way
[2017-11-09 13:26:23]
kilrah :
unknown yet, but do you actually need root now given the new permissions?
[2017-11-09 14:26:25]
opcode :
@kilrah you would still need root for play store dependent apps like litchi to flash play store.
[2017-11-09 15:35:06]
opcode :
successfully rooted 02.04.02.00
[2017-11-09 17:00:21]
hai :
@opcode nice!
[2017-11-09 17:00:28]
hai :
same method as for 2.03?
[2017-11-09 17:22:16]
opcode :
your aeroranger works without root. just sideload with adb install.
[2017-11-09 17:23:08]
opcode :
if you still want to root, check my repo
[2017-11-09 17:23:19]
opcode :
<https://github.com/Opcodeffm/csroot>
[2017-11-09 17:39:34]
hai :
aeroranger needs google play services for google maps etc tho
[2017-11-09 17:39:55]
hai :
@opcode thanks
[2017-11-09 23:41:41]
digital1 :
Do we know what DJI have done to remove the restriction ? Is it the installd has been disabled as any app will install it seems.
[2017-11-10 07:26:37]
kilrah :
most likely a different installd patch that uses a count instead of the hardcoded package names
[2017-11-10 08:45:24]
bin4ry :
a count?
[2017-11-10 08:45:30]
bin4ry :
how many are officially allowed to install ?
[2017-11-10 10:01:50]
kilrah :
20
[2017-11-10 10:02:56]
kilrah :
guess that's 20 simultaneously so that people don't complain about their thing not working when it's bloated with 100 apps
[2017-11-10 10:04:42]
bin4ry :
ok
[2017-11-10 10:04:57]
bin4ry :
i can remove that limit if you guys want it
[2017-11-10 10:05:05]
bin4ry :
if someone uploads the installd for me
[2017-11-10 10:38:32]
hai :
how does one install one of the 20 apps?
[2017-11-10 10:38:42]
hai :
i just updated my CS to 2.04.00
[2017-11-10 10:39:19]
hai :
it didn't wipe my app, but google play services stopped working, so I reset the device, but I don't see how to install the 20 apps
[2017-11-10 10:44:40]
hai :
looks like u can install apk files via adb without any hacks now
[2017-11-10 11:16:11]
hai :
kingo root didn
[2017-11-10 11:16:21]
hai :
didnt work on my 2.04 device
[2017-11-10 11:22:01]
hai :
@opcode your root scripts worked perfectly
[2017-11-10 11:49:54]
opcode :
good to hear :slightly_smiling_face:
[2017-11-10 12:30:31]
hai :
still had to use Flashfire to install Open Gapp as the play services apk doesn't work.
[2017-11-10 12:30:49]
hai :
once I installed Open Gapp, everything works sweet including installing apps via the Play store
[2017-11-10 14:19:17]
opcode :
yes, flashing is the only option to get play store to work properly.
[2017-11-10 14:38:21]
hai :
Was expecting a "dji store" with 20 apps they choose when I updated my CS firmware today
[2017-11-10 14:44:55]
opcode :
nope. you're dealing with DJI here. :wink:
[2017-11-10 14:45:09]
hai :
yeah they always half do it
[2017-11-10 16:26:44]
opcode :
Updated the wiki
[2017-11-10 16:26:45]
opcode :
<https://dji.retroroms.info/howto/crystalsky>
[2017-11-10 16:59:55]
kilrah :
"official" way is likely putting the APK on an SD card and installing from file browser
[2017-11-11 16:51:33]
digital1 :
Haha, so what’s the reason for no play do we know?
[2017-11-11 16:58:13]
opcode :
probably c64 datasette is too old. lol
[2017-11-11 17:10:29]
hostile :
“Up to 20 third-party applications are supported and can be removed from System Settings -> Apps” lol @kilrah <https://forum.dji.com/thread-119112-1-1.html>
[2017-11-12 19:23:30]
norcalcobra :
Anyone know if they will be doing the same on the pro4+ RC? Since its essentially crystalsky firmware.
[2017-11-12 20:11:34]
norcalcobra :
Oh. They did release a new one. However it only allows you to update djigo4 separately now. No sign of being able to install 3rd party apps.
[2017-11-12 21:48:25]
bin4ry :
Do you have a link?
[2017-11-13 22:01:34]
norcalcobra :
to the new firmware? No.. My RC downloaded it on its own.... Let me see if I can find it
[2017-11-13 22:04:30]
norcalcobra :
Not sure why it is dated a month ago. But here..
<http://mydjiflight.dji.com/file/links/GL300E_PACK_v1220_20170929>
[2017-11-15 13:36:17]
freaky123 :
how does the crystalsky update btw?
[2017-11-15 13:36:26]
freaky123 :
where does it get its updates from?
[2017-11-15 13:47:49]
freaky123 :
does someone @here know that?
[2017-11-15 13:49:41]
bin4ry :
OTA android update
[2017-11-15 13:50:29]
bin4ry :
i did not yet look into the updater service to look where it is asking for updates (which api)
[2017-11-15 14:33:45]
hostile :
@freaky123 you can update it via .zip on an SD card
[2017-11-15 15:14:36]
freaky123 :
yeah I was interested in the API which it comes from
[2017-11-18 02:43:27]
jcase :
still looking for a cheap used drone and tablet
[2017-11-18 02:43:31]
jcase :
doesnt have to be fully working
[2017-11-18 02:43:33]
jcase :
just booting
[2017-11-18 04:04:40]
hostile :
@jcase for DJI go app?
[2017-11-18 04:04:50]
hostile :
@jcase send me an address….
[2017-11-18 04:15:10]
jcase :
no for general fuckery
[2017-11-18 04:15:29]
jcase :
got important conference call next week
[2017-11-18 04:15:34]
jcase :
could be my infosec exit
[2017-11-18 04:19:56]
hostile :
send me an address…
[2017-11-18 04:20:08]
hostile :
I’ll send you an Nvidia Shield with a battery that was never replaced
[2017-11-18 04:20:18]
hostile :
(works fine)
[2017-11-18 04:20:51]
hostile :
someone in here had an old android phone to give away too… @nocommie was that you?
[2017-11-18 04:21:00]
hostile :
@jcase ping @nocommie I think
[2017-11-18 04:46:36]
jcase :
o no
[2017-11-18 04:46:48]
jcase :
i have 400 +/-20 android devices
[2017-11-18 04:46:52]
jcase :
looking for dji crap
[2017-11-18 04:47:06]
jcase :
but thanks
[2017-11-18 04:57:46]
hostile :
@jcase want a core board? with a lipo?
[2017-11-18 04:57:52]
hostile :
that is plenty to fuck with android
[2017-11-18 08:02:02]
kilrah :
got your shield protected against the kill?
[2017-11-18 18:14:01]
the_lord :
if anyone wants to use .DJI.configs file in CS or P4P+ CS you need to place it in the below location
CS:
/mnt/internal_sd/Android/data/dji.go.v4/files
P4P+:
/mnt/internal_sd/Android/data/dji.pilot.pad/files
BTW /sdcard = /mnt/internal_sd
[2017-11-18 18:14:44]
opcode :
@the_lord could you update the wiki pls? :slightly_smiling_face:
[2017-11-18 19:31:11]
digital1 :
Just looking at playstore what was the issue with google play services crashing without root?
[2017-11-18 19:43:13]
opcode :
The Google Framework is someway fragile in installing. That's why we flash it and for that root is needed.
[2017-11-18 19:55:01]
digital1 :
Ohh ok tried on adb and it just spat out.
[2017-11-21 15:55:31]
mingtao :
tried csroot on CS and
get copying files to device
error: insufficient permissions for device
error: insufficient permissions for device
error: insufficient permissions for device
error: insufficient permissions for device
[2017-11-21 15:56:20]
mingtao :
02.04.02.00
[2017-11-21 15:57:31]
mingtao :
List of devices attached
1TSB3JRRCM no permissions
[2017-11-21 16:08:35]
bin4ry :
you have not accepted the adb prompt on the device most likely. first time you connect a pc android shows a popup if you trust this pc
[2017-11-21 16:15:04]
mingtao :
so how i can do it ? if no any popup
[2017-11-21 16:17:42]
bin4ry :
i don't have a CS device, this was only an assumption since it is like this on other android devices. lets wait for someone with the device to tell you :wink:
[2017-11-21 16:21:16]
hostile :
where are you trying to copy files to @mingtao? what folder?
[2017-11-21 16:21:52]
hostile :
maybe try ADB from a different device if “adb shell” does not allow you to connect.
[2017-11-21 16:21:58]
bin4ry :
this actually shows that your adb daemon does not accept connections from your PC
[2017-11-21 16:22:18]
hostile :
is this a fresh install of Crystal Sky? maybe reset it?
[2017-11-21 16:22:31]
bin4ry :
on a normal android device you would see a popup asking for permission
[2017-11-21 16:22:37]
bin4ry :
maybe reboot your device and connect it again
[2017-11-21 16:23:05]
mingtao :
@hostile what you mean?
[2017-11-21 16:23:16]
hostile :
like software reset it.
[2017-11-21 16:23:30]
hostile :
oh make yourself root
[2017-11-21 16:23:40]
hostile :
sudo su
[2017-11-21 16:23:42]
hostile :
adb shell
[2017-11-21 16:34:02]
bin4ry :
i told you ...
[2017-11-21 16:34:15]
bin4ry :
the permission gets rejected on device side
[2017-11-21 16:48:06]
mingtao :
so is any way to accept ?
[2017-11-21 16:48:33]
mingtao :
on CS no any popup.. after reset same - no any popup...
[2017-11-21 16:53:27]
bin4ry :
try another pc
[2017-11-21 16:54:42]
kilrah :
disable/reenable usb debugging, revoke usb debug authorizations...
[2017-11-21 17:10:46]
opcode :
looks like usb debugging is not enabled on crystalsky?
[2017-11-22 09:55:56]
bin4ry :
new CS build.prop
[2017-11-22 09:56:17]
bin4ry :
this will also raise the count of apps you can install from 20 to 1000
[2017-11-22 09:56:26]
bin4ry :
they made the count a sys property
[2017-11-22 16:04:20]
mingtao :
@bin4ry how i can push this build.prop ..to CS
[2017-11-22 16:04:24]
mingtao :
?
[2017-11-22 16:04:32]
bin4ry :
like every other android
[2017-11-22 16:04:46]
mingtao :
i get SU on my CS already
[2017-11-22 16:11:11]
bin4ry :
then you should know how to push files to devices :wink:
[2017-11-22 16:12:58]
hostile :
@mingtao how are you so magical at Stm32 design, yet get hung up on some really goofy software stuff!
[2017-11-22 16:13:28]
mingtao :
))) no android in my life)
[2017-11-22 16:13:34]
mingtao :
Nokia 3310 forever)
[2017-11-22 16:13:46]
hostile :
how long you been messing with Stm32?
[2017-11-22 16:14:00]
hostile :
I was surprised to see one in some of your hardware NFZ bypass design
[2017-11-22 16:14:36]
mingtao :
stm -1 week
[2017-11-22 16:14:43]
hostile :
I forget what you used in the NFZ PH3… F405 was it?
[2017-11-22 16:15:16]
mingtao :
yep stm32f405rgt6
[2017-11-22 16:15:48]
hostile :
so you are a PCB wizard then? that is quick design for such short time with STM32
[2017-11-22 16:16:02]
mingtao :
i have huge plans on this chip ... but too much for NFZ
[2017-11-22 16:16:12]
hostile :
I recall you using a USB HUB chip connected to it
[2017-11-22 16:16:38]
hostile :
your board was autorouted, or you are specializing in PCB design too?
[2017-11-22 16:17:10]
mingtao :
autorouted for 80% ... 20% by hand and brain)
[2017-11-22 16:17:23]
mingtao :
Diptrace
[2017-11-22 16:17:27]
hostile :
makes sense. there seemed to be lots of Vias!
[2017-11-22 16:17:54]
hostile :
I thought you were a bastard for enabling the memory protection on the STm32 I was really looking forward to seeing your CANBUS frame technique in IDA pro
[2017-11-22 16:18:14]
hostile :
=]
[2017-11-22 16:18:45]
hostile :
nice job for an auto routed board and 1 week in stm32!! that is quite impressive, and I am sure you made a damn mint.
[2017-11-22 16:19:37]
mingtao :
thanks) it was a very fun time
[2017-11-22 16:20:38]
hostile :
I was kind of surprised to see you drop in here to be honest! I figured you’d be pissed at us as a group collectively
[2017-11-22 16:21:09]
hostile :
Your packer… also very annoying =]
[2017-11-22 16:21:48]
mingtao :
)
[2017-11-22 16:23:39]
mingtao :
if you are hackin something, then be ready that when someone hack you
[2017-11-22 16:24:00]
hostile :
always cat and mouse games!
[2017-11-22 16:24:13]
hostile :
glad you stopped by and there is more of a joint effort now
[2017-11-22 16:24:26]
mingtao :
so at now my mouse is a DJI
[2017-11-22 16:25:24]
mingtao :
but 405 still alive .. and may be will alive in new project - anti DJI AirScope
[2017-11-22 16:26:46]
hostile :
they got PISSED at me over my DroneID paper
[2017-11-22 17:00:22]
mingtao :
guys . is any way to uninstall dji go 4 on CS ? want to change for my (4.1.3)
[2017-11-22 17:09:46]
opcode :
throw out /system/priv-app/DJI-GO4/ and /data/data/dji.go.v4/
[2017-11-22 17:09:57]
opcode :
reboot and then install your go4 apk
[2017-11-22 17:56:22]
the_lord :
@mingtao i asked Gollandec to join us here but he is still improving his CosmoStreamer and his excuse was he doesn’t have drone to play with
[2017-11-22 17:58:22]
mingtao :
yes ..Sergey very busy with your Cosmostreamer .. like a child with balloon)
[2017-11-22 17:58:47]
the_lord :
But he did great job
[2017-11-22 17:59:11]
mingtao :
but the job will have future!
[2017-11-22 18:00:30]
mingtao :
anytime you need work a little bit faster than growing market .. or all you work die
[2017-11-22 18:01:16]
mingtao :
so he need a team)
[2017-11-22 18:01:24]
mingtao :
or fan support)
[2017-11-22 18:01:30]
mingtao :
or beer support)
[2017-11-22 18:03:00]
the_lord :
What you did with him on inspire 1 Dm368 external usb recording can b done easily on CS
[2017-11-22 18:04:16]
mingtao :
about CS .. i want to downgrade DJI go to 4.1.3
[2017-11-22 18:04:30]
mingtao :
for two RC supporting )
[2017-11-22 18:05:04]
mingtao :
because only two country don't have this feature... Russia and Israel )
[2017-11-22 18:05:36]
the_lord :
What do you mean two RC supporting?
[2017-11-22 18:05:46]
mingtao :
master and slave
[2017-11-22 18:05:58]
the_lord :
:flushed:
[2017-11-22 18:06:01]
mingtao :
throw out command not work on CS
[2017-11-22 18:06:17]
the_lord :
How come?
[2017-11-22 18:06:43]
mingtao :
DJI rules))
[2017-11-22 18:07:38]
the_lord :
With root you can install it
[2017-11-22 18:08:18]
mingtao :
i get SU on CS ..
[2017-11-22 18:08:36]
mingtao :
root same as SU ?
[2017-11-22 18:08:42]
the_lord :
Yes
[2017-11-22 18:09:04]
the_lord :
You can also install apk files during the rooting
[2017-11-22 18:09:33]
the_lord :
I didn’t check latest update which allows 20 apps
[2017-11-22 18:11:04]
mingtao :
i patch build.prop for 1000 apps
[2017-11-22 18:11:56]
the_lord :
You can install apk files using adb
[2017-11-22 18:12:02]
mingtao :
but how to remove ... it is enigma for me
[2017-11-22 18:12:24]
the_lord :
I don’t have CS now
[2017-11-22 18:12:28]
mingtao :
i tried ... no way .. 4.1.3 do not want install over adb and over another way
[2017-11-22 18:51:20]
opcode :
@mingtao throw out is no command :smile:
[2017-11-22 18:52:24]
opcode :
And did you rw remount /system ?
[2017-11-23 03:52:18]
mingtao :
yes ,i install ES explorer - and click mount /system rw
[2017-11-23 03:52:37]
mingtao :
but still can't delete DJI GO 4 from system (priv-app)
[2017-11-23 03:53:06]
mingtao :
1|shell@zs600b:/ $ mount
rootfs / rootfs ro 0 0
tmpfs /dev tmpfs rw,nosuid,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
none /sys/fs/cgroup tmpfs rw,relatime,mode=750,gid=1000 0 0
none /sys/fs/cgroup/memory cgroup rw,relatime,memory 0 0
tmpfs /mnt/asec tmpfs rw,relatime,mode=755,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,relatime,mode=755,gid=1000 0 0
none /dev/memcg cgroup rw,relatime,memory 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
none /dev/blkio cgroup rw,relatime,blkio 0 0
tmpfs /mnt/usb_storage tmpfs rw,relatime,mode=555,uid=1013,gid=1023 0 0
/dev/block/platform/ff0f0000.rksdmmc/by-name/system /system ext4 ro,noatime,nodiratime,noauto_da_alloc,data=ordered 0 0
/dev/block/platform/ff0f0000.rksdmmc/by-name/cache /cache ext4 rw,nosuid,nodev,noatime,nodiratime,discard,noauto_da_alloc,data=ordered 0 0
/dev/block/platform/ff0f0000.rksdmmc/by-name/metadata /metadata ext4 rw,nosuid,nodev,noatime,nodiratime,discard,noauto_da_alloc,data=ordered 0 0
/dev/block/platform/ff0f0000.rksdmmc/by-name/userdata /data ext4 rw,nosuid,nodev,noatime,nodiratime,discard,noauto_da_alloc,errors=panic,data=ordered 0 0
adb /dev/usb-ffs/adb functionfs rw,relatime 0 0
/sys/kernel/debug /sys/kernel/debug debugfs rw,relatime,mode=755 0 0
/dev/fuse /mnt/shell/emulated fuse rw,nosuid,nodev,noexec,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
/dev/block/vold/179:14 /mnt/internal_sd vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1000,gid=1015,fmask=0007,dmask=0007,allow_utime=0020,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/block/vold/179:14 /mnt/secure/asec vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1000,gid=1015,fmask=0007,dmask=0007,allow_utime=0020,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
[2017-11-23 07:47:57]
opcode :
@mingtao type "su" and hit enter. then type "id" and hit enter. post the result here.
[2017-11-23 08:05:06]
opcode :
great
[2017-11-23 08:05:09]
opcode :
now
[2017-11-23 08:05:11]
opcode :
mount -o remount,rw /system
[2017-11-23 08:19:30]
mingtao :
done) !!
[2017-11-23 08:19:46]
mingtao :
but still cant delete priv-app/DJI GO 4
[2017-11-23 08:28:03]
mingtao :
after my finish, will make faq for newbe..think help for anyone.
[2017-11-23 08:32:33]
opcode :
cd /system/priv-app
[2017-11-23 08:32:47]
opcode :
rm -r /DJI-GO4
[2017-11-23 08:36:43]
opcode :
youre still not root. see the "shell" in your prompt?
[2017-11-23 08:36:52]
opcode :
type su again
[2017-11-23 08:37:06]
opcode :
and you dont need to screenshot. just copy and paste the results.
[2017-11-23 08:37:26]
mingtao :
shell@zs600b:/system/priv-app $ su
root@zs600b:/system/priv-app # rm -r /DJI-GO4
rm: /DJI-GO4: No such file or directory
1|root@zs600b:/system/priv-app #
[2017-11-23 08:37:34]
opcode :
ll
[2017-11-23 08:38:43]
opcode :
type ll
[2017-11-23 08:39:18]
mingtao :
1|root@zs600b:/system/priv-app # ||
sh: syntax error: '||' unexpected
1|root@zs600b:/system/priv-app #
[2017-11-23 08:39:27]
opcode :
lol
[2017-11-23 08:39:42]
opcode :
instead of ls type ll
[2017-11-23 08:40:07]
opcode :
you really need to get yourself familiar with linux shell commands.
[2017-11-23 08:40:26]
opcode :
double L in small capitals ll
[2017-11-23 08:43:33]
mingtao :
)))
[2017-11-23 08:43:53]
mingtao :
1|root@zs600b:/system/priv-app # ll
drwxr-xr-x root root 2017-11-13 10:51 BackupRestoreConfirmation
drwxr-xr-x root root 2017-11-23 02:47 DJI-GO3
drwxr-xr-x root root 2017-11-23 02:46 DJI-GO4
drwxr-xr-x root root 2017-11-13 10:52 DefaultContainerService
drwxr-xr-x root root 2017-11-13 10:52 DownloadProvider
drwxr-xr-x root root 2017-11-13 10:52 ExternalStorageProvider
drwxr-xr-x root root 2017-11-13 10:52 FusedLocation
drwxr-xr-x root root 2017-11-13 10:52 GoogleInput
drwxr-xr-x root root 2017-11-13 10:52 Google_pdf_viewer
drwxr-xr-x root root 2017-11-13 10:52 InputDevices
drwxr-xr-x root root 2017-11-13 10:52 ManagedProvisioning
drwxr-xr-x root root 2017-11-13 10:52 MediaProvider
drwxr-xr-x root root 2017-11-13 10:52 MmsService
drwxr-xr-x root root 2017-11-13 10:52 MusicFX
drwxr-xr-x root root 2017-11-13 10:52 OneTimeInitializer
drwxr-xr-x root root 2017-11-13 10:52 ProxyHandler
drwxr-xr-x root root 2017-11-13 10:52 Settings
drwxr-xr-x root root 2017-11-13 10:52 SettingsProvider
drwxr-xr-x root root 2017-11-13 10:52 SharedStorageBackup
drwxr-xr-x root root 2017-11-13 10:52 Shell
drwxr-xr-x root root 2017-11-13 10:52 StressTest
drwxr-xr-x root root 2017-11-13 10:52 SystemUI
drwxr-xr-x root root 2017-11-13 10:52 TeleService
drwxr-xr-x root root 2017-11-13 10:52 Telecom
drwxr-xr-x root root 2017-11-13 10:52 TelephonyProvider
drwxr-xr-x root root 2017-11-13 10:52 VpnDialogs
drwxr-xr-x root root 2017-11-13 10:52 WallpaperCropper
drwxr-xr-x root root 2017-11-23 02:47 djipilot
[2017-11-23 08:44:10]
opcode :
rm -r DJI-GO4
[2017-11-23 08:44:55]
mingtao :
root@zs600b:/system/priv-app # rm -r DJI-GO4
override rwxr-xr-x root:root for 'DJI-GO4'?
root@zs600b:/system/priv-app # ll
drwxr-xr-x root root 2017-11-13 10:51 BackupRestoreConfirmation
drwxr-xr-x root root 2017-11-23 02:47 DJI-GO3
drwxr-xr-x root root 2017-11-23 02:46 DJI-GO4
drwxr-xr-x root root 2017-11-13 10:52 DefaultContainerService
drwxr-xr-x root root 2017-11-13 10:52 DownloadProvider
drwxr-xr-x root root 2017-11-13 10:52 ExternalStorageProvider
drwxr-xr-x root root 2017-11-13 10:52 FusedLocation
drwxr-xr-x root root 2017-11-13 10:52 GoogleInput
drwxr-xr-x root root 2017-11-13 10:52 Google_pdf_viewer
drwxr-xr-x root root 2017-11-13 10:52 InputDevices
drwxr-xr-x root root 2017-11-13 10:52 ManagedProvisioning
drwxr-xr-x root root 2017-11-13 10:52 MediaProvider
drwxr-xr-x root root 2017-11-13 10:52 MmsService
drwxr-xr-x root root 2017-11-13 10:52 MusicFX
drwxr-xr-x root root 2017-11-13 10:52 OneTimeInitializer
drwxr-xr-x root root 2017-11-13 10:52 ProxyHandler
drwxr-xr-x root root 2017-11-13 10:52 Settings
drwxr-xr-x root root 2017-11-13 10:52 SettingsProvider
drwxr-xr-x root root 2017-11-13 10:52 SharedStorageBackup
drwxr-xr-x root root 2017-11-13 10:52 Shell
drwxr-xr-x root root 2017-11-13 10:52 StressTest
drwxr-xr-x root root 2017-11-13 10:52 SystemUI
drwxr-xr-x root root 2017-11-13 10:52 TeleService
drwxr-xr-x root root 2017-11-13 10:52 Telecom
drwxr-xr-x root root 2017-11-13 10:52 TelephonyProvider
drwxr-xr-x root root 2017-11-13 10:52 VpnDialogs
drwxr-xr-x root root 2017-11-13 10:52 WallpaperCropper
drwxr-xr-x root root 2017-11-23 02:47 djipilot
root@zs600b:/system/priv-app
[2017-11-23 08:45:37]
opcode :
override rwxr-xr-x root:root for 'DJI-GO4'?
[2017-11-23 08:45:41]
opcode :
did you hit y ?
[2017-11-23 08:45:51]
mingtao :
yes
[2017-11-23 08:46:05]
opcode :
strange. let me check something.
[2017-11-23 08:46:34]
mingtao :
wait
[2017-11-23 08:47:37]
opcode :
mount -o remount,rw /system
[2017-11-23 08:47:50]
opcode :
rm -r DJI-GO4
[2017-11-23 08:48:24]
mingtao :
root@zs600b:/system/priv-app # rm -r DJI-GO4
override rwxr-xr-x root:root for 'DJI-GO4'? yes
override rwxr-xr-x root:root for 'DJI-GO4/arm'? yes
override rw-r--r-- root:root for 'DJI-GO4/arm/DJI-GO4.odex'? yes
rm: DJI-GO4/arm/DJI-GO4.odex: Read-only file system
rm: DJI-GO4/arm: Read-only file system
override rwxr-xr-x root:root for 'DJI-GO4/lib'? yes
override rwxr-xr-x root:root for 'DJI-GO4/lib/arm'? yes
override rw-r--r-- root:root for 'DJI-GO4/lib/arm/libBugly.so'? yes
rm: DJI-GO4/lib/arm/libBugly.so: Read-only file system
override rw-r--r-- root:root for 'DJI-GO4/lib/arm/libCertResourcesPkg.so'? yes
rm: DJI-GO4/lib/arm/libCertResourcesPkg.so: Read-only file system
override rw-r--r-- root:root for 'DJI-GO4/lib/arm/libChineseFontPkg.so'? yes
rm: DJI-GO4/lib/arm/libChineseFontPkg.so: Read-only file system
override rw-r--r-- root:root for 'DJI-GO4/lib/arm/libFREncrypt.so'? yes
rm: DJI-GO4/lib/arm/libFREncrypt.so: Read-only file system
override rw-r--r-- root:root for 'DJI-GO4/lib/arm/libFlyForbid.so'? yes
rm: DJI-GO4/lib/arm/libFlyForbid.so: Read-only file system
override rw-r--r-- root:root for 'DJI-GO4/lib/arm/libGroudStation.so'? yes
rm: DJI-GO4/lib/arm/libGroudStation.so: Read-only file system
override rw-r--r-- root:root for 'DJI-GO4/lib/arm/libLohitIndicFontPkg.so'? yes
rm: DJI-GO4/lib/arm/libLohitIndicFontPkg.so: Read-only file system
override rw-r--r-- root:root for 'DJI-GO4/lib/arm/libMAPSJNI.so'? yes
rm: DJI-GO4/lib/arm/libMAPSJNI.so: Read-only file system
override rw-r--r-- root:root for 'DJI-GO4/lib/arm/libMapsEngineResourcePkg.so'? yes
rm: DJI-GO4/lib/arm/libMapsEngineResourcePkg.so: Read-only file system
override rw-r--r-- root:root for 'DJI-GO4/lib/arm/libNanumGothicFontPkg.so'? yes
rm: DJI-GO4/lib/arm/libNanumGothicFontPkg.so: Read-only file system
override rw-r--r-- root:root for 'DJI-GO4/lib/arm/libNlpResourcePkg.so'? yes
rm: DJI-GO4/lib/arm/libNlpResourcePkg.so: Read-only file system
override rw-r--r-- root:root for 'DJI-GO4/lib/arm/libPositioningResourcePkg.so'? yes
rm: DJI-GO4/lib/arm/libPositioningResourcePkg.so: Read-only file system
override rw-r--r-- root:root for 'DJI-GO4/lib/arm/libSDKRelativeJNI.so'? yes
rm: DJI-GO4/lib/arm/libSDKRelativeJNI.so: Read-only file system
override rw-r--r-- root:root for 'DJI-GO4/lib/arm/libSdkResourcePkg.so'? yes
rm: DJI-GO4/lib/arm/libSdkResourcePkg.so: Read-only file system
override rw-r--r-- root:root for 'DJI-GO4/lib/arm/libUpgradeVerify.so'? yes
[2017-11-23 08:48:36]
mingtao :
1|root@zs600b:/system/priv-app # ll
drwxr-xr-x root root 2017-11-13 10:51 BackupRestoreConfirmation
drwxr-xr-x root root 2017-11-23 02:47 DJI-GO3
drwxr-xr-x root root 2017-11-23 02:46 DJI-GO4
drwxr-xr-x root root 2017-11-13 10:52 DefaultContainerService
drwxr-xr-x root root 2017-11-13 10:52 DownloadProvider
drwxr-xr-x root root 2017-11-13 10:52 ExternalStorageProvider
drwxr-xr-x root root 2017-11-13 10:52 FusedLocation
drwxr-xr-x root root 2017-11-13 10:52 GoogleInput
drwxr-xr-x root root 2017-11-13 10:52 Google_pdf_viewer
drwxr-xr-x root root 2017-11-13 10:52 InputDevices
drwxr-xr-x root root 2017-11-13 10:52 ManagedProvisioning
drwxr-xr-x root root 2017-11-13 10:52 MediaProvider
drwxr-xr-x root root 2017-11-13 10:52 MmsService
drwxr-xr-x root root 2017-11-13 10:52 MusicFX
drwxr-xr-x root root 2017-11-13 10:52 OneTimeInitializer
drwxr-xr-x root root 2017-11-13 10:52 ProxyHandler
drwxr-xr-x root root 2017-11-13 10:52 Settings
drwxr-xr-x root root 2017-11-13 10:52 SettingsProvider
drwxr-xr-x root root 2017-11-13 10:52 SharedStorageBackup
drwxr-xr-x root root 2017-11-13 10:52 Shell
drwxr-xr-x root root 2017-11-13 10:52 StressTest
drwxr-xr-x root root 2017-11-13 10:52 SystemUI
drwxr-xr-x root root 2017-11-13 10:52 TeleService
drwxr-xr-x root root 2017-11-13 10:52 Telecom
drwxr-xr-x root root 2017-11-13 10:52 TelephonyProvider
drwxr-xr-x root root 2017-11-13 10:52 VpnDialogs
drwxr-xr-x root root 2017-11-13 10:52 WallpaperCropper
drwxr-xr-x root root 2017-11-23 02:47 djipilot
root@zs600b:/system/priv-app #
[2017-11-23 08:49:05]
mingtao :
YAHOOO!!!)
[2017-11-23 08:49:13]
opcode :
you didnt remount it
[2017-11-23 08:49:50]
opcode :
to gain write access, you have to enable it first for /system, even as root with: mount -o remount,rw /system
[2017-11-23 08:50:01]
mingtao :
root@zs600b:/system/priv-app # ll
drwxr-xr-x root root 2017-11-13 10:51 BackupRestoreConfirmation
drwxr-xr-x root root 2017-11-23 02:47 DJI-GO3
drwxr-xr-x root root 2017-11-13 10:52 DefaultContainerService
drwxr-xr-x root root 2017-11-13 10:52 DownloadProvider
drwxr-xr-x root root 2017-11-13 10:52 ExternalStorageProvider
drwxr-xr-x root root 2017-11-13 10:52 FusedLocation
drwxr-xr-x root root 2017-11-13 10:52 GoogleInput
drwxr-xr-x root root 2017-11-13 10:52 Google_pdf_viewer
drwxr-xr-x root root 2017-11-13 10:52 InputDevices
drwxr-xr-x root root 2017-11-13 10:52 ManagedProvisioning
drwxr-xr-x root root 2017-11-13 10:52 MediaProvider
drwxr-xr-x root root 2017-11-13 10:52 MmsService
drwxr-xr-x root root 2017-11-13 10:52 MusicFX
drwxr-xr-x root root 2017-11-13 10:52 OneTimeInitializer
drwxr-xr-x root root 2017-11-13 10:52 ProxyHandler
drwxr-xr-x root root 2017-11-13 10:52 Settings
drwxr-xr-x root root 2017-11-13 10:52 SettingsProvider
drwxr-xr-x root root 2017-11-13 10:52 SharedStorageBackup
drwxr-xr-x root root 2017-11-13 10:52 Shell
drwxr-xr-x root root 2017-11-13 10:52 StressTest
drwxr-xr-x root root 2017-11-13 10:52 SystemUI
drwxr-xr-x root root 2017-11-13 10:52 TeleService
drwxr-xr-x root root 2017-11-13 10:52 Telecom
drwxr-xr-x root root 2017-11-13 10:52 TelephonyProvider
drwxr-xr-x root root 2017-11-13 10:52 VpnDialogs
drwxr-xr-x root root 2017-11-13 10:52 WallpaperCropper
drwxr-xr-x root root 2017-11-23 02:47 djipilot
root@zs600b:/system/priv-app
[2017-11-23 08:50:20]
mingtao :
DJI-GO 4 removed! ... done ) thanks @opcode
[2017-11-23 08:50:27]
opcode :
dont forget the other folder
[2017-11-23 08:51:21]
opcode :
/data/data/dji.go.v4/
[2017-11-23 08:51:36]
mingtao :
also rm -r ?
[2017-11-23 08:51:48]
opcode :
yep
[2017-11-23 08:51:55]
opcode :
cd /data/data/
[2017-11-23 08:52:03]
opcode :
rm -r dji.go.v4
[2017-11-23 08:52:56]
mingtao :
seems to be removed earlier
[2017-11-23 08:53:05]
opcode :
then reboot cs
[2017-11-23 08:53:11]
opcode :
then install go4 apk
[2017-11-23 08:54:06]
opcode :
and check the linux commands for the future, that you know what youre doing there
[2017-11-23 08:54:08]
opcode :
<https://www.liquidweb.com/kb/new-user-tutorial-basic-shell-commands/>
[2017-11-23 08:54:42]
mingtao :
thanks.. will read. asap
[2017-11-23 09:18:47]
mingtao :
tried to install DJI GO v4 4.1.3 .. and failed
[2017-11-23 10:03:03]
mingtao :
adb install f:/dji.apk
[100%] /data/local/tmp/dji.apk
pkg: /data/local/tmp/dji.apk
Failure [INSTALL_FAILED_UPDATE_INCOMPATIBLE]
[2017-11-23 10:09:35]
mingtao :
tested also 4.1.10... no way.
[2017-11-23 10:26:24]
opcode :
this usually means, there are some leftovers from the .14 go app. "update incompatible"
[2017-11-23 10:26:50]
opcode :
check /data/app/
[2017-11-23 10:27:12]
opcode :
check /data/app-private
[2017-11-23 10:27:38]
opcode :
check /data/data
[2017-11-23 11:36:49]
mingtao :
root@zs600b:/data/data # ls
android.rk.RockVideoPlayer
android.rockchip.update.service
com.android.backupconfirm
com.android.browser
com.android.captiveportallogin
com.android.certinstaller
com.android.defcontainer
com.android.documentsui
com.android.dreams.basic
com.android.dreams.phototable
com.android.exchange
com.android.externalstorage
com.android.galaxy4
com.android.gallery3d
com.android.htmlviewer
com.android.inputdevices
com.android.inputmethod.latin
com.android.keychain
com.android.location.fused
com.android.managedprovisioning
com.android.mms.service
com.android.musicfx
com.android.musicvis
com.android.noisefield
com.android.onetimeinitializer
com.android.packageinstaller
com.android.pacprocessor
com.android.phasebeam
com.android.phone
com.android.providers.downloads
com.android.providers.downloads.ui
com.android.providers.media
com.android.providers.settings
com.android.providers.telephony
com.android.providers.userdictionary
com.android.provision
com.android.proxyhandler
com.android.rk
com.android.rk.mediafloat
com.android.server.telecom
com.android.settings
com.android.sharedstoragebackup
com.android.shell
com.android.systemui
com.android.vpndialogs
com.android.wallpaper
com.android.wallpaper.holospiral
com.android.wallpaper.livepicker
com.android.wallpapercropper
com.android.webview
com.android.winstart
com.cghs.stresstest
com.dji.gps.recoder
com.google.android.apps.pdfviewer
com.google.android.inputmethod.pinyin
com.svox.pico
dji.system.launcher
dji.system.setup
dji.system.share
dji.system.upgrade
eu.chainfire.supersu
jp.co.omronsoft.openwnn
root@zs600b:/data/data
[2017-11-23 11:37:09]
mingtao :
seems to no any leftovers
[2017-11-24 01:19:06]
hostile :
INSTALL_FAILED_UPDATE_INCOMPATIBLE @mingtao add a “-r” to your adb statement
[2017-11-24 13:27:01]
hostile :
new shit eh!
[2017-11-24 13:27:10]
hostile :
did you share with @bin4ry? and the ~android_apk_patching guys?
[2017-11-24 15:10:38]
mingtao :
not yet
[2017-11-24 18:01:41]
mingtao :
anyone can share DJi GO 4 from CS ?
[2017-11-24 18:02:49]
mingtao :
tried to install DJI GO 4 from app store and all time failed .. but original DJIGO4 from CS .. installed ok .. ?what difference ?
[2017-11-24 18:12:44]
haloweenhamster :
would you need version 3 like what's off dji website? Not got a CS so only a guess
[2017-11-24 18:18:38]
kilrah :
did you try the phone or tablet version? need at least tablet one probably
[2017-11-24 18:19:02]
mingtao :
where i can find tablet version?
[2017-11-24 18:20:16]
mingtao :
just download from DJI site
[2017-11-24 19:44:23]
kilrah :
dji site should be universal
[2017-11-24 19:44:32]
kilrah :
apkmirror has the specific versions
[2017-11-24 20:18:59]
bin4ry :
Even the other versions work. We had experimented with them they will install ok but lack features. You NEED the go4 which came preinstalled due to some features the device requires, if you really want another one you would need to start debug and fix some of the stuff the CS device needs. Dji also states in their forums that they installed a special version to the CS, so our assumptions when we started to play with these devices were right. Dji also say in the forums that normal go4 versions are not going to work ok. BUT you should be able to install them like it was explained before.
[2017-11-25 15:27:15]
hostile :
lol <https://twitter.com/thedjiproblem/status/847849508318855168>
[2017-12-05 12:59:07]
mingtao :
Hi guys.. need help with CS .. i got update file and extract from him DJI-GO4.apk ..how i can install this apk manually - just copy
[2017-12-05 12:59:09]
mingtao :
?
[2017-12-05 12:59:32]
mingtao :
<http://dropmefiles.com/UUfLY>
[2017-12-05 13:32:48]
opcode :
which update is this? 02.04.02.00?
[2017-12-05 17:28:46]
bin4ry :
Adb install
[2017-12-05 17:28:52]
bin4ry :
First try it
[2017-12-05 17:29:02]
bin4ry :
If it fails tell us the error
[2017-12-06 14:07:40]
mingtao :
yes
[2017-12-08 00:40:15]
rxhenn :
does anyone have the apk for flashfire? Trying to get Google Play Store on my CS but the only option to download flashfire from their website is through the google play store which is a problem...and I don't have any android devices besides the CS
[2017-12-08 00:58:44]
rxhenn :
Er never mind found that there’s apkmirror site to download from. Sorry, all good here. And if another noob needs it here’s the link: <https://www.apkmirror.com/apk/chainfire/flashfire/flashfire-0-73-release/root-flashfire-0-73-android-apk-download/>
[2017-12-08 09:09:08]
opcode :
looks like they removed the direct download link. will update the wiki. thanks for the info.
[2017-12-08 13:09:38]
mathieu.peyrega :
Just following the retroroom for rooting and adding gapps to new CS. Rooting seems ok so far. I have a question about "Install (sideload) flashfire"
[2017-12-08 13:09:58]
mathieu.peyrega :
does it mean to load it from SD card or through some adb commands ?
[2017-12-08 13:10:50]
mathieu.peyrega :
(asking because I see a reboot sideload option in adb command list)
[2017-12-08 13:17:10]
rxhenn :
I installed using the command: adb install
[2017-12-08 13:21:12]
mathieu.peyrega :
thanks so it's just regular install of an apk
[2017-12-08 13:23:21]
rxhenn :
Yeah just a regular install and then when flashfire is run on the cs give it root access when the prompt appears on the screen
[2017-12-08 13:35:23]
mathieu.peyrega :
done... good :slightly_smiling_face:
[2017-12-08 13:35:43]
mathieu.peyrega :
just had a few "Play service stopped" already. Is this a known issue ?
[2017-12-08 13:35:55]
mathieu.peyrega :
or am i missing some config param ?
[2017-12-08 13:41:55]
rxhenn :
Haven’t seen that, have you opened the google play store app and logged in? I was having some issue where it would crash whenever I tried to install apps from the google play store. Rebooting the cs let me install from the store without crashing
[2017-12-08 13:42:38]
mathieu.peyrega :
seems stable now... don't know what happened...
[2017-12-08 13:43:03]
mathieu.peyrega :
I disabled the app auto update in playstore, is there an equivalent setting somewhere for the whole CS and firmware ?
[2017-12-08 13:49:28]
rxhenn :
Not sure about the whole cs and firmware. I might try installing noroot firewall to see if maybe I can block some of the update processes from checking for updates
[2017-12-08 15:00:48]
opcode :
Its always wise to reboot after you logged into google play at first start. then everything should work fine.
[2017-12-08 15:02:10]
opcode :
@rxhenn the dji update process checks from time to time if there is an update available. but there is no forced or automatic update. if you like, you can block it but its not necessary in my eyes.
[2017-12-08 15:31:42]
mathieu.peyrega :
@opcode thanks for the info about DJI Update...
[2017-12-08 17:31:10]
mathieu.peyrega :
I just added Nova instead of DJI launcher... but I have no status bar with clock or battery level icons. Does anyone know how to enable it ? (if this is possible)
[2017-12-08 20:26:47]
mathieu.peyrega :
is it possible to update supersu after rooting or should I avoid that ?
[2017-12-08 20:50:26]
opcode :
For what reason do you want to update supersu?
[2017-12-08 21:17:44]
mathieu.peyrega :
because it is asking for it (or google play is)
[2017-12-08 21:17:54]
mathieu.peyrega :
otherwise no reasons I guess
[2017-12-08 21:19:40]
opcode :
yeah, should be no problem. i dont remember updating my supersu. too long ago. :wink:
[2017-12-09 16:40:09]
mathieu.peyrega :
I did update Super SU and everything went smoothly
[2017-12-11 15:35:34]
hostile :
define “clone”
[2017-12-14 17:24:20]
jcase :
hey
[2017-12-14 17:24:28]
jcase :
what bootmodes
[2017-12-14 17:24:32]
jcase :
does crystalsky have
[2017-12-14 17:25:48]
jcase :
android recovery
[2017-12-14 17:25:50]
hostile :
I haven’t touched mine since I invited you here and you got busy
[2017-12-14 17:25:52]
jcase :
some bootloader or download mode?
[2017-12-14 17:25:58]
hostile :
its a rockchip iirc
[2017-12-14 17:26:05]
hostile :
I bet lots of the history is gone too
[2017-12-14 17:26:11]
hostile :
from the ~crystalsky_rooting room
[2017-12-14 17:26:29]
jcase :
can you run lsusb on a box, without it plugged in, then in each boot mode?
[2017-12-14 17:26:30]
jcase :
when you have time
[2017-12-14 17:26:35]
hostile :
I’m packing for a trip so am Semi AFK … but when I get back I can plug it all in
[2017-12-14 17:26:37]
jcase :
i have this memory
[2017-12-14 17:26:40]
hostile :
maybe honestly if you want
[2017-12-14 17:26:43]
hostile :
I can send it to you
[2017-12-14 17:26:45]
jcase :
about some odd rockchip boot mode
[2017-12-14 17:26:48]
hostile :
if you sent it back later
[2017-12-14 17:26:51]
jcase :
yeah
[2017-12-14 17:26:54]
jcase :
i cant promise lots of work on it
[2017-12-14 17:26:55]
jcase :
but sure
[2017-12-14 17:27:01]
hostile :
I don’t need any promises
[2017-12-14 17:27:02]
hostile :
=]
[2017-12-14 17:27:10]
hostile :
I may in a few months be like YOOO
[2017-12-14 17:27:12]
hostile :
send me that shit
[2017-12-14 17:27:26]
jcase :
i just have this memory about some usb interface
[2017-12-14 17:27:31]
jcase :
on rockchip
[2017-12-14 17:27:40]
jcase :
it might have been when poking that stupid nintendo classic
[2017-12-14 17:27:42]
jcase :
or some tablet
[2017-12-14 17:50:13]
jcase :
@all if anyone has a crystal sky and a linux box, please ping me
[2017-12-14 17:52:40]
opcode :
@jcase how can i help?
[2017-12-14 17:56:43]
jcase :
can you plug it in
[2017-12-14 17:56:47]
jcase :
in android
[2017-12-14 17:56:52]
jcase :
without usb debugging enabled
[2017-12-14 17:56:53]
jcase :
and run
[2017-12-14 17:56:54]
jcase :
lsusb
[2017-12-14 17:57:01]
jcase :
then do the same with usbdebugging enabled
[2017-12-14 17:57:14]
jcase :
then do it in recovery, then do it in bootloader or any other bootmode
[2017-12-14 17:58:41]
opcode :
uh, this wont work. im running VM Kali Linux
[2017-12-14 17:59:19]
mathieu.peyrega :
same, my true linux box is at home... only have a VM with me
[2017-12-14 17:59:33]
jcase :
can you not pass the interface
[2017-12-14 17:59:35]
jcase :
to kali
[2017-12-14 17:59:46]
jcase :
on mac or windows?
[2017-12-14 17:59:49]
jcase :
can do same thing on both
[2017-12-14 17:59:52]
jcase :
im not sure how on windows
[2017-12-14 18:00:09]
hostile :
you’d have to go into device manager
[2017-12-14 18:00:17]
hostile :
and get the VID / PID off the second tab
[2017-12-14 18:00:31]
jcase :
ioreg -p IOUSB
[2017-12-14 18:00:33]
jcase :
on mac
[2017-12-14 18:03:25]
opcode :
usbdebugging disabled completely gone
[2017-12-14 18:04:33]
jcase :
im thinking the interface was up in bootloader mode, if that is accessible
[2017-12-14 18:04:56]
opcode :
adb reboot recovery -> completely gone
[2017-12-14 18:06:22]
jcase :
Rockchip devices typically contain a hidden download mode
[2017-12-14 18:07:12]
jcase :
maybe not so hidden
[2017-12-14 18:07:21]
opcode :
i think its about 2 months ago, when hostile/bin4ry and i played around with this rockchip shit. unfortunately the history is gone here in this chat
[2017-12-14 18:07:44]
opcode :
ive seen somewhere in the OTA that adb is disabled for recovery
[2017-12-14 18:07:50]
jcase :
yeah normal
[2017-12-14 18:07:55]
jcase :
and pretty useless nowadays
[2017-12-14 18:08:01]
jcase :
it used to be if you enable it in recovery
[2017-12-14 18:08:06]
jcase :
it was a free root shell
[2017-12-14 18:08:17]
jcase :
but now its limited to shell user, with selinux enforcing
[2017-12-14 18:08:59]
opcode :
if you need, i have a complete OTA handy which includes everything.
[2017-12-14 18:09:01]
jcase :
yeah RK3066 has this mode
[2017-12-14 18:09:04]
jcase :
sure lets see it
[2017-12-14 18:09:18]
jcase :
it should be a completely unauthenticated download mode
[2017-12-14 18:10:59]
jcase :
possibly some interface like 0x2207 0x300A
[2017-12-14 18:11:11]
jcase :
in bootloader mode
[2017-12-14 18:12:55]
opcode :
we tried these rockchip tools, dont remember the name anymore. but didnt work.
[2017-12-14 18:13:15]
jcase :
right, not looking to try those tools, just see if any interfaces exist
[2017-12-14 18:14:07]
jcase :
mainly cause those tools are in python and i dont know python lol
[2017-12-14 18:14:14]
opcode :
i have to run now, dinner. gone for the evening. if you want me to try stuff leave it here or pm me. :slightly_smiling_face:
[2017-12-14 18:14:41]
jcase :
ok, i just want to know what interfaces are up
[2017-12-14 18:14:43]
jcase :
in bootloader mode
[2017-12-14 18:14:51]
opcode :
or mr @hostile has to grab his crystalsky :slightly_smiling_face:
[2017-12-14 18:15:20]
jcase :
he is mailing his here
[2017-12-14 18:15:37]
opcode :
i think the bootloader is included in the OTA, maybe you can take a look there.
[2017-12-14 18:15:56]
opcode :
ahhh, great. thanks for your help, appreciated. would be great to have custom recovery.
[2017-12-14 18:16:07]
jcase :
yeah i cant do a modern custom recovery
[2017-12-14 18:16:13]
jcase :
i could barely do CWR
[2017-12-14 18:16:25]
jcase :
but im sure we can get deestroy to help
[2017-12-14 18:16:44]
jcase :
i just want to poke at the download mode
[2017-12-14 18:16:46]
jcase :
if it exists
[2017-12-14 18:17:36]
jcase :
no bootloader in ota
[2017-12-14 18:35:04]
opcode :
damn. I’ll pull it off my cs tomorrow
[2017-12-14 22:10:32]
mathieu.peyrega :
cs tells me about new fw 02.04.06.00 does someone have release notes ?
[2017-12-14 22:11:19]
mathieu.peyrega :
will it be "safe" installing on a rooted gapps'd device ?
[2017-12-15 09:10:13]
opcode :
it will wipe your /system and root will be gone.
[2017-12-15 09:11:23]
mathieu.peyrega :
and not sure that the exploit to root will work on the new fw I guess ?
[2017-12-15 09:13:33]
opcode :
nope :wink:
[2017-12-15 09:15:31]
mathieu.peyrega :
so i'll wait until someone smarter than me tries...
[2017-12-15 14:24:07]
jcase :
morning
[2017-12-15 14:24:14]
jcase :
can someone tell me what usb interfaces are up in bootloader mode
[2017-12-16 03:01:14]
hostile :
@jcase should be able to play a bit more with you guys next week… I sent him my Crystal Sky
[2017-12-16 03:12:29]
jcase :
maybe
[2017-12-16 03:28:26]
hostile :
next **few** open time increments. Hereby defined as “next week”, but sans obligation, could be next month, or next year. :wink:
[2017-12-16 03:42:05]
jcase :
@opcode @hostile is fastboot up at all in bootloader
[2017-12-16 03:44:38]
hostile :
sadly I’ve forgotten everything I did…. and chat history is gone
[2017-12-16 03:44:41]
hostile :
:confused:
[2017-12-16 03:44:48]
hostile :
hence why I sent that beast to you
[2017-12-16 03:44:52]
hostile :
she’d been collecting dust
[2017-12-16 03:45:00]
jcase :
ok
[2017-12-16 06:49:37]
dbz :
hello i have permission denied
[2017-12-16 06:49:47]
dbz :
why?
[2017-12-16 06:50:15]
dbz :
i would root my crystalsky
[2017-12-16 06:50:26]
dbz :
but lordroot permission denied
[2017-12-16 08:53:12]
opcode :
@dbz pls post what you did exactly and the upcoming error message
[2017-12-16 08:56:04]
mathieu.peyrega :
when i did the rooting of my CS, i believe I had similar error when trying to run the script. manually pushing files and running command solved the issue...
[2017-12-16 08:56:32]
mathieu.peyrega :
I don't know why the script did not work... all chmod permission look ok...
[2017-12-16 09:53:11]
dbz :
thanks but for me adb shell chmod 755
[2017-12-16 09:53:21]
dbz :
work very well
[2017-12-16 10:41:24]
mathieu.peyrega :
which version of cs firmware are you rooting ?
[2017-12-16 11:10:06]
dbz :
work well with adb shell chmod 755
[2017-12-16 11:10:13]
dbz :
i have rooted fine
[2017-12-16 11:11:20]
dbz :
02.04.02.00
[2017-12-16 12:11:33]
opcode :
@mathieu.peyrega 02.04.06.00 is still rootable with csroot. checked by me.
[2017-12-16 12:46:04]
mathieu.peyrega :
thanks
[2017-12-16 13:31:50]
mathieu.peyrega :
confirmed csroot still works. I also had to reflash gapps
[2017-12-16 15:32:19]
jcase :
what is csroot
[2017-12-16 15:36:57]
opcode :
<https://github.com/Opcodeffm/csroot>
[2017-12-16 15:38:51]
jcase :
bah making me read code to figure out the vuln
[2017-12-16 15:39:15]
jcase :
o no
[2017-12-16 15:39:17]
jcase :
its not code
[2017-12-16 15:39:19]
jcase :
wtf is lord root
[2017-12-16 15:59:12]
bin4ry :
Lord root :wink: @the_lord extracted some root exploit from kingo (or such I am not sure) and put it in there. Iirc we also have a dirtycow working for some Cs firmware version. Regarding fastboot , it brings up the rockchip flash device and some rudimentary fastboot too. But I think the rkflash is the way to go to send a custom boot :wink:
[2017-12-16 16:02:21]
jcase :
ah
[2017-12-16 16:02:40]
jcase :
@bin4ry yeah the goal is to figure out the rkflash protocol
[2017-12-16 16:02:44]
jcase :
hostile sent me his CS
[2017-12-16 16:03:06]
jcase :
ive got a custom framework for usb exploit development, and i have a good usb analyzer (hw)
[2017-12-16 16:05:05]
bin4ry :
IIR it is rk3288
[2017-12-16 16:05:10]
bin4ry :
problem is i don't have the device
[2017-12-16 16:05:20]
jcase :
yeah
[2017-12-16 16:05:23]
jcase :
ill have one shortly
[2017-12-16 16:05:25]
bin4ry :
so i tried to reconstruct some boot.img and send it over slack here
[2017-12-16 16:05:28]
jcase :
@opcode that uboot.img you sent
[2017-12-16 16:05:32]
jcase :
its blank
[2017-12-16 16:05:34]
jcase :
its all 000000
[2017-12-16 16:05:38]
bin4ry :
but they failed to flash from recovery
[2017-12-16 16:05:44]
bin4ry :
it has another "layer" in recovery
[2017-12-16 16:05:59]
bin4ry :
they don't rely on normal keys but have an own key implemented
[2017-12-16 16:06:14]
bin4ry :
so i think the best way is to go through the rockchip flash interface directly
[2017-12-16 16:06:23]
jcase :
yeah that is the plan
[2017-12-16 16:06:24]
bin4ry :
like on all the other china tablets :stuck_out_tongue:
[2017-12-16 16:06:36]
jcase :
but i dont want to use their utility
[2017-12-16 16:06:41]
bin4ry :
i see
[2017-12-16 16:06:51]
bin4ry :
wasn't there some opensource utility for that ?
[2017-12-16 16:06:56]
jcase :
idk
[2017-12-16 16:06:57]
bin4ry :
let me check my files
[2017-12-16 16:07:03]
jcase :
do you have the bootloaders?
[2017-12-16 16:08:25]
bin4ry :
i only have this one on my hdd
[2017-12-16 16:08:31]
bin4ry :
but i am not sure that this is the one they used
[2017-12-16 16:09:20]
bin4ry :
this is one i found online along with some other stuff
[2017-12-16 16:09:45]
jcase :
encrypted?
[2017-12-16 16:10:10]
bin4ry :
this is the linux tool seems outdated but might kickstart you
[2017-12-16 16:10:11]
bin4ry :
<https://github.com/linuxerwang/rkflashkit>
[2017-12-16 16:10:27]
jcase :
please dont be pythoon
[2017-12-16 16:10:34]
jcase :
damn it
[2017-12-16 16:11:08]
jcase :
really i need to find a binary of the server for this interface
[2017-12-16 16:11:19]
jcase :
doesnt have to be from CS
[2017-12-16 16:11:22]
jcase :
i want to see if we can read data
[2017-12-16 16:11:27]
jcase :
so we can dump CS entirely
[2017-12-16 16:12:42]
jcase :
this looks simple enough
[2017-12-16 16:13:51]
bin4ry :
did not look at the uboot image at all
[2017-12-16 16:14:03]
bin4ry :
just searched for rk stuff on my hdd
[2017-12-16 16:14:04]
bin4ry :
:smile:
[2017-12-16 16:14:04]
jcase :
nice they have the crc worked out
[2017-12-16 16:14:33]
bin4ry :
the flasher repo i had in a txt file with "links to investigate" :wink:
[2017-12-16 16:14:38]
bin4ry :
kindof todo :wink:
[2017-12-16 16:14:49]
bin4ry :
most likely i thought this looks good :smile:
[2017-12-16 16:14:56]
jcase :
well
[2017-12-16 16:15:01]
jcase :
rockchip is like mediatek but worse
[2017-12-16 16:15:01]
jcase :
right
[2017-12-16 16:15:11]
jcase :
i found all kinds of crazy shit in mediatek's download mode
[2017-12-16 16:15:13]
jcase :
so
[2017-12-16 16:15:17]
jcase :
i have hopes
[2017-12-16 16:15:38]
bin4ry :
yeah the way of thinking at these companies is most likely the same
[2017-12-16 16:15:50]
jcase :
my goal is to figure out how to dump partitions
[2017-12-16 16:15:50]
bin4ry :
security by obscurity
[2017-12-16 16:15:55]
jcase :
then figure out
[2017-12-16 16:16:01]
jcase :
how lock/unlock works
[2017-12-16 16:16:04]
bin4ry :
i am pretty sure you will make it :wink:
[2017-12-16 16:16:07]
bin4ry :
if you do please let me know
[2017-12-16 16:16:10]
jcase :
well it depends on time
[2017-12-16 16:16:18]
bin4ry :
btw, on work somebody dragged in the android security internals book
[2017-12-16 16:16:27]
jcase :
thats a good book
[2017-12-16 16:16:29]
jcase :
out dated now
[2017-12-16 16:16:30]
bin4ry :
i read the foreword and found you wrote the foreword :wink:
[2017-12-16 16:16:36]
jcase :
:slightly_smiling_face:
[2017-12-16 16:16:48]
jcase :
check this out
[2017-12-16 16:16:50]
bin4ry :
and i chuckled as you also mentioned the old restore bug
[2017-12-16 16:16:51]
bin4ry :
:smile:
[2017-12-16 16:16:56]
jcase :
yeah dude
[2017-12-16 16:17:01]
jcase :
i was sad when you dropped that
[2017-12-16 16:17:02]
jcase :
so sad
[2017-12-16 16:17:10]
bin4ry :
sorry mate :wink:
[2017-12-16 16:17:14]
jcase :
then so confused when they patched it
[2017-12-16 16:17:16]
jcase :
and mine kept working
[2017-12-16 16:17:24]
bin4ry :
yah you said that
[2017-12-16 16:17:25]
jcase :
i thought it was the same
[2017-12-16 16:17:41]
jcase :
but my poc contains a system uid APK in the backup
[2017-12-16 16:17:42]
bin4ry :
i would have kept it for some while if someone asked me to
[2017-12-16 16:17:47]
jcase :
and that bypassed
[2017-12-16 16:17:48]
bin4ry :
did not know of you back then
[2017-12-16 16:17:50]
jcase :
the fix
[2017-12-16 16:17:52]
jcase :
nah no worries
[2017-12-16 16:17:54]
jcase :
it happens
[2017-12-16 16:17:58]
jcase :
first come first serve man
[2017-12-16 16:18:26]
bin4ry :
yah thats the deal, and i gave it even away for free :wink:
[2017-12-16 16:18:28]
jcase :
was just funny "include apk in backup, bypass fix"
[2017-12-16 16:18:52]
jcase :
and for most OEMs you could find a system signed apk lol
[2017-12-16 16:18:56]
jcase :
with dex in it
[2017-12-16 16:18:58]
jcase :
so it worked
[2017-12-16 16:19:12]
bin4ry :
:smile:
[2017-12-16 16:19:22]
bin4ry :
yeah
[2017-12-16 16:19:26]
bin4ry :
this was a so nice bug
[2017-12-16 16:19:30]
jcase :
ok yeah according to this repo
[2017-12-16 16:19:33]
bin4ry :
i love it, and it killed some devices
[2017-12-16 16:19:35]
jcase :
they have a dump command
[2017-12-16 16:19:39]
bin4ry :
"killed" -> worked on
[2017-12-16 16:19:40]
bin4ry :
sorry :wink:
[2017-12-16 16:19:51]
jcase :
it worked on ALL devices, with tweaks
[2017-12-16 16:20:04]
bin4ry :
yeah all current ones back then
[2017-12-16 16:20:15]
bin4ry :
we kept adding mods to my package to get it working on other devices
[2017-12-16 16:20:24]
bin4ry :
so this dump command
[2017-12-16 16:20:34]
jcase :
and it works in bulk mode, which is good cause i understand it
[2017-12-16 16:20:38]
bin4ry :
hehe
[2017-12-16 16:20:56]
bin4ry :
so you are kickstarted already then
[2017-12-16 16:21:04]
bin4ry :
have to go
[2017-12-16 16:21:08]
bin4ry :
some beer is waiting for me
[2017-12-16 16:21:12]
jcase :
0x80 0x000a1400
[2017-12-16 16:21:17]
jcase :
looks like dump partition
[2017-12-16 16:21:20]
jcase :
cmd
[2017-12-16 16:21:22]
jcase :
ok peace
[2017-12-16 16:21:26]
jcase :
im waiting on UPS from hostile
[2017-12-16 16:21:29]
bin4ry :
hehe
[2017-12-16 16:21:32]
jcase :
before i can do shit
[2017-12-16 16:21:36]
bin4ry :
i am really interested what you find out
[2017-12-16 16:21:44]
bin4ry :
i don't have enough "play money" for the device
[2017-12-16 16:21:56]
bin4ry :
and not enough time anyway
[2017-12-16 16:21:58]
bin4ry :
:wink:
[2017-12-16 16:22:00]
bin4ry :
ok cu mate
[2017-12-16 16:25:45]
jcase :
yeah im broke too
[2017-12-16 16:25:46]
jcase :
cya
[2017-12-16 16:26:02]
jcase :
im going through devices now looking for a rockchip device
[2017-12-16 16:33:34]
jcase :
this protocol, despite the program being in python that i dont understand
[2017-12-16 16:33:36]
jcase :
looks easy
[2017-12-16 16:33:50]
jcase :
idk if its little or big endian, will have to figure that out
[2017-12-16 16:34:13]
opcode :
@jcase ah shit. I remember this error that the img from uboot was empty when dumped. Don’t remember how to solve this ...
[2017-12-16 16:34:29]
jcase :
its ok i think i can dump it
[2017-12-16 16:35:41]
opcode :
As far as I remember it was nothing special, standard uboot. It’s really a pity that the chat history is gone here, it was all there. :confused:
[2017-12-16 16:36:18]
jcase :
well
[2017-12-16 16:36:24]
jcase :
i want to know where this interface is
[2017-12-16 16:36:25]
jcase :
im getting
[2017-12-16 16:36:29]
jcase :
its pbl / sbl
[2017-12-16 16:38:19]
opcode :
And we played with the Rockchip tool in bootloader mode. Could connect from Windows VM to the cs, tool connected but gave some errors.
[2017-12-16 16:38:20]
jcase :
if you get a chance later, lsusb -v
[2017-12-16 16:38:33]
jcase :
yeah idk
[2017-12-16 16:38:40]
jcase :
thats why i want the loader responsible
[2017-12-16 16:38:50]
jcase :
im not going to mess with some other tool
[2017-12-16 16:38:54]
jcase :
im going to go from scratch
[2017-12-16 16:39:08]
jcase :
endpoints should be 0x01 and 0x02
[2017-12-16 16:41:32]
opcode :
Tried also different twrp‘s for rockchip devices, flashed well. But I guess the bootloader prevented it from going into twrp recovery cause it checks the signing of the recovery.
[2017-12-16 16:48:43]
opcode :
this is in running mode
[2017-12-16 16:48:46]
jcase :
ugh
[2017-12-16 16:48:51]
jcase :
that might not be what we want
[2017-12-16 16:48:53]
jcase :
will have to see
[2017-12-16 16:48:53]
opcode :
in bootloader mode too?
[2017-12-16 16:48:59]
jcase :
ah yes please
[2017-12-16 16:49:01]
jcase :
bootloader lol
[2017-12-16 16:49:05]
opcode :
:slightly_smiling_face:
[2017-12-16 16:49:06]
jcase :
that is adb i think
[2017-12-16 16:55:55]
jcase :
hmm that doesnt look right either but we shall see
[2017-12-16 16:56:35]
opcode :
but thats the correct device. ID 2207:320a, i see it getting recognized by VM Ware.
[2017-12-16 16:58:04]
opcode :
2207:320A RK3288 Jesurun T034
[2017-12-16 16:59:18]
opcode :
<https://forum.xda-developers.com/showpost.php?p=56219933&postcount=2>
[2017-12-16 17:19:33]
hostile :
@bin4ry when @jcase is done you are welcome to timeshare my CrystalSky for a bit if you need
[2017-12-16 20:26:36]
jcase :
@hostile i got uboot src for RK3288, is that new?
[2017-12-16 20:40:01]
jcase :
so, IF they are using the standard unlock
[2017-12-16 20:40:10]
jcase :
and using flash_env
[2017-12-16 20:40:17]
jcase :
looks like we can just write 0x01
[2017-12-16 20:40:19]
jcase :
to an offset
[2017-12-16 20:40:23]
jcase :
and unlock the tablet
[2017-12-16 20:46:35]
mathieu.peyrega :
@jcase does "unlocking" mean installing something like lineage would be possible ?
[2017-12-16 20:49:03]
jcase :
@mathieu.peyrega depends on many factors
[2017-12-16 20:52:29]
mathieu.peyrega :
that would be great !
[2017-12-16 21:18:14]
jcase :
@opcode if by chance you have a partition list
[2017-12-16 21:43:28]
opcode :
@jcase
[2017-12-16 21:56:58]
opcode :
@mathieu.peyrega what kind of crystalsky you have? 7.85?
[2017-12-16 22:05:50]
jcase :
@opcode can you dump misc, and metadata
[2017-12-16 22:06:07]
jcase :
if i can find where uboot env is saved, we can probably unlock it
[2017-12-17 00:27:54]
jcase :
looks like
[2017-12-17 00:28:00]
jcase :
fastboot oem ucmd XXXXXXXX
[2017-12-17 00:28:07]
jcase :
will send command to uboot
[2017-12-17 09:14:15]
dbz :
hello what is the button to enter recovery mode, my crystalsky is blocked on the dji logo
[2017-12-17 09:18:10]
dbz :
build.prop corrupt
[2017-12-17 09:18:16]
dbz :
thanks in advance
[2017-12-17 09:29:31]
mathieu.peyrega :
@opcode 7.85 Ultra
[2017-12-17 09:33:38]
mathieu.peyrega :
@opcode at first, I wanted to setup my own device built on top of an odroid XU4 running 7.1.2 but I've not been able to find a bright touchscreen...
[2017-12-17 16:15:15]
jcase :
anyone here with a CS that could run a fastboot command and give me the output
[2017-12-17 17:21:35]
mathieu.peyrega :
@jcase: get "fastboot not found" (in normal and su modes) in which path is the binary supposed to be ,
[2017-12-17 17:21:38]
mathieu.peyrega :
?
[2017-12-17 17:35:37]
dbz :
hello, 7.85 ultra blocked on dji at startup because my build.prop is corrupt... adb and fastboot don't find my device
[2017-12-17 17:36:07]
dbz :
what is the method to resolve my problem, thanks in advance
[2017-12-17 18:30:15]
opcode :
@dbz what did you do? play around with build.prop? where does it stop? do you still see the DJI logo animation?
[2017-12-17 18:40:55]
dbz :
yes just dji logo animation
[2017-12-17 18:42:59]
dbz :
crystalsky is bootloop
[2017-12-17 19:30:17]
opcode :
When powering on, hold the power button till screen goes dark. Then check if device is present. fastboot devices. What OS are you on?
[2017-12-17 19:32:16]
dbz :
windows and fastboot don't show the device
[2017-12-17 19:37:43]
opcode :
Can you see it in win device manager?
[2017-12-17 19:41:10]
jcase :
@mathieu.peyrega you gotta install the binary
[2017-12-17 19:41:18]
jcase :
DBZ are you adding the vendor id?
[2017-12-17 19:41:22]
jcase :
fastboot -i 0xWhatever
[2017-12-17 20:09:54]
dbz :
no
[2017-12-17 20:14:54]
dbz :
how ?
[2017-12-17 20:39:44]
dbz :
it's not seen in win device manager
[2017-12-17 21:28:54]
opcode :
Are you sure? No 0x2207 device in device manager?
[2017-12-17 21:30:10]
opcode :
Without ADB or fastboot you’re screwed. Maybe ask DJI if theres a button combination to get into recovery.
[2017-12-18 08:21:08]
mathieu.peyrega :
@jcase seeing @dbz situation makes me a little nervous trying that... I really only have a (too) superficial understanding of those Android and bootloader stuffs...
[2017-12-18 16:35:39]
dbz :
yes no
[2017-12-18 17:00:08]
jcase :
@dbz if you cant fix it, i would love to take it apart and do a flash dump on it
[2017-12-18 17:00:24]
jcase :
i could possibly fix it in the process
[2017-12-18 17:01:07]
jcase :
or damage it beyond repair
[2017-12-18 17:36:48]
mathieu.peyrega :
if it gets to that end and if the display & touchscreen part are usable with HDMI & usb interfaces, i could be interested to try interfacing them with an odroid C2 or XU4 platforms...
[2017-12-18 17:37:13]
mathieu.peyrega :
(and if the touchscreen part vendor can be seen/retrieved, i'd be interested by the info too)
[2017-12-18 20:05:36]
dbz :
how to flash without usb connection
[2017-12-18 20:05:41]
dbz :
how to
[2017-12-18 20:29:58]
opcode :
@dbz
[2017-12-18 21:34:04]
dbz :
hello i have found recovery but please have you got firmware or install.zip to restore my build.prop, thanks in advance (version 2.4.2)
[2017-12-18 21:34:49]
dbz :
because no usb no device view on adb or fastboot
[2017-12-18 21:41:18]
opcode :
[mydjiflight.dji.com/file/links/ZSB_220_20171108](http://mydjiflight.dji.com/file/links/ZSB_220_20171108)
[2017-12-18 21:41:24]
opcode :
@dbz
[2017-12-19 17:04:06]
dbz :
thanks but in recovery i haven't install from zip or other it's normal
[2017-12-19 17:33:09]
opcode :
How did you get it in recovery? Button Combination?
[2017-12-19 17:47:02]
dbz :
power and button return
[2017-12-19 17:48:09]
dbz :
but usb connection is required
[2017-12-19 17:49:47]
opcode :
you could try to put the OTA on a sd card, put it in sd slot 1 and kick it in recovery. i remember seeing some additional options when it detects the OTA.
[2017-12-19 17:50:23]
dbz :
yes i put it on sdcard but nothing
[2017-12-19 17:55:38]
dbz :
your file?
[2017-12-19 18:04:46]
dbz :
i have rock usb device in my windows manager but fastboot not ok why
[2017-12-19 18:06:09]
opcode :
did you try the wipe data/factory reset option in recovery?
[2017-12-19 18:09:10]
dbz :
yes no work
[2017-12-19 18:33:38]
opcode :
then im out of ideas atm
[2017-12-19 18:59:21]
dbz :
what is rockchip cpu on crystal 7.85 ultimate
[2017-12-19 19:15:50]
dbz :
USB\VID_2207&PID_320A
[2017-12-19 19:16:00]
dbz :
there is adb driver
[2017-12-19 20:05:32]
opcode :
one more idea
[2017-12-19 20:05:56]
opcode :
as youre on 2.4.2, it may be that the recovery doesnt accept the OTA, cause its the same version.
[2017-12-19 20:06:11]
opcode :
pull the latest version here : <http://mydjiflight.dji.com/file/links/ZSB_260_20171214>
[2017-12-19 20:06:35]
opcode :
put it on an empty sdcard and kick the crystalsky in recovery
[2017-12-19 20:08:08]
dbz :
i think is adb driver for VID_2207&PID_320A missing . for why adb no detect device
[2017-12-19 20:10:11]
dbz :
ok i try it.. i m rename your package to update.zip or not
[2017-12-19 20:13:10]
opcode :
no, don’t touch it. Copy it to empty micro sd, put it in the upper sd card slot of the cs and kick the cs in recovery
[2017-12-19 20:17:10]
dbz :
ok
[2017-12-19 20:17:21]
dbz :
10min for downloading
[2017-12-19 20:34:43]
dbz :
no option zip install
[2017-12-19 20:36:12]
opcode :
Hmm. Was worth a try.
[2017-12-19 20:38:24]
dbz :
there is no flash rk for crystalsky
[2017-12-19 20:39:54]
opcode :
Sure there is. Rockchip flashtool. But you don’t have a complete system.img to flash. And god knows what DJI changed in there.
[2017-12-19 20:50:31]
dbz :
ok thanks
[2017-12-19 20:59:12]
dbz :
rockchip batch tool v1.8 work but i havent firmware
[2017-12-19 21:00:57]
mathieu.peyrega :
@dbz @opcode is it possible to dump full firmware from another CS ?
[2017-12-19 21:01:59]
dbz :
i don't know
[2017-12-19 21:04:18]
opcode :
@mathieu.peyrega dd of recovery etc was all filled with zeros. this stuff is protected too. you would need a signed system.img for DBZ, as he only has bootloader mode.
[2017-12-19 21:06:30]
opcode :
One more reason for custom recovery, we could easily do a nandroid backup.
[2017-12-19 21:07:32]
dbz :
yes but i haven't
[2017-12-19 21:54:09]
jcase :
well
[2017-12-19 21:54:14]
jcase :
IF this tool works out
[2017-12-19 21:54:18]
jcase :
we can probably fix his tablet
[2017-12-19 21:54:39]
jcase :
im still not 100% if possible
[2017-12-19 21:55:35]
jcase :
@dbz what modes can you boot into
[2017-12-19 22:28:01]
jcase :
@opcode now you said those flashing tools never worked
[2017-12-19 22:28:07]
jcase :
did you ever actually kick it into download mode
[2017-12-19 22:37:03]
opcode :
Yeah, but I don’t remember how. There was recovery, bootloader and let’s call it “Rockchip mode” in which the Rockchip tools partly connected to the crystalsky. But it threw errors and we didn’t go further with it.
[2017-12-19 22:38:39]
opcode :
Still have them at my Win VM
[2017-12-19 22:40:19]
opcode :
Wait. iirc, I kicked it into bootloader mode, connected with the Rockchip tool and put it into download mode with the tool.
[2017-12-19 22:42:54]
jcase :
cool
[2017-12-19 22:42:59]
jcase :
ok thanks
[2017-12-19 22:55:04]
opcode :
I’ll take a look tomorrow and send you the links of what i find.
[2017-12-19 23:03:00]
jcase :
ill be fine
[2017-12-19 23:03:04]
jcase :
ill hook up the usb analyzer
[2017-12-19 23:03:08]
jcase :
and get the command format
[2017-12-19 23:03:11]
jcase :
for kicking it into
[2017-12-19 23:03:14]
jcase :
that mode
[2017-12-19 23:03:16]
jcase :
and then we can play
[2017-12-20 01:55:09]
jcase :
@hostile i wonder if crystal sky just used standard rockchip uboot?
[2017-12-20 01:55:15]
jcase :
i wonder if its a reference device
[2017-12-20 01:55:19]
jcase :
like the config is there
[2017-12-20 06:09:08]
bin4ry :
@jcase I am pretty sure they just rebranded some ref device. Maybe another display and some extra buttons but they are lazy af from my experience with them :wink: so the uboot I sent you might be good as reference
[2017-12-20 07:42:18]
mathieu.peyrega :
this is really the item i'd like to know where it comes from (the screen)
[2017-12-20 09:52:41]
opcode :
@jcase @mathieu.peyrega we're now able to dump and flash every part of the crystalsky. we just need a "clean" dump, as mine is rooted etc
[2017-12-20 10:37:34]
mathieu.peyrega :
@opcode mine is rooted too
[2017-12-20 14:36:58]
opcode :
if everything goes well, i'll have an ultra bright with me tomorrow. i'm quite sure we could fix DBZ's device with a virgin system.img.
[2017-12-20 14:37:47]
opcode :
only thing im not quite sure, is if the device performs any checks if the flashed images are correctly signed.
[2017-12-20 14:56:03]
mathieu.peyrega :
nice ! I hope this will also allow us to make "backups" !
[2017-12-20 14:56:38]
opcode :
yeah, sure. i'll pull all partitions off the virgin cs to have a safe backup for us.
[2017-12-20 15:02:12]
mathieu.peyrega :
did you have to use some internal uart ?
[2017-12-20 16:36:15]
jcase :
@opcode stounf
[2017-12-20 16:36:18]
jcase :
around?
[2017-12-20 16:37:52]
opcode :
yep
[2017-12-20 16:39:39]
jcase :
ah lame did you get that download mode working
[2017-12-20 20:45:31]
jcase :
@hostile that brick arrived
[2017-12-20 20:45:43]
jcase :
brick as it wtf that is heavy for a tablet
[2017-12-20 20:53:31]
mathieu.peyrega :
@jcase but screen is bright
.. i'd like to know the vendor/model
[2017-12-20 20:54:18]
mathieu.peyrega :
(contrast not that good...)
[2017-12-20 20:56:43]
kilrah :
typical “rugged” heavy alu casing etc
[2017-12-20 20:58:46]
mathieu.peyrega :
Stands -15c when the drone only stands 0c
[2017-12-20 21:01:33]
jcase :
it really doesnt like my raspberry pi
[2017-12-20 21:01:35]
jcase :
that i use for usb work
[2017-12-20 21:03:58]
jcase :
root@fuzzypie:/home/jcase# fastboot -i 0x2207 devices
root@fuzzypie:/home/jcase# lsusb
Bus 001 Device 023: ID 2207:320a
[2017-12-20 21:04:02]
jcase :
am i being dumb
[2017-12-20 21:04:03]
jcase :
or something
[2017-12-20 21:04:40]
jcase :
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x02 EP 2 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
[2017-12-20 21:04:44]
jcase :
end points look like fast boot to me
[2017-12-21 01:11:51]
jcase :
@opcode ok man, im about to give up and get a windows box, i cant get linux or osx to pick up fastboot
[2017-12-21 01:12:09]
jcase :
which is odd
[2017-12-21 09:44:41]
opcode :
@jcase huh? and adb?
[2017-12-21 15:39:24]
jcase :
adb works
[2017-12-21 15:39:26]
jcase :
fastboot isnt
[2017-12-21 15:39:27]
jcase :
and i dont get it
[2017-12-21 16:12:47]
opcode :
i use standard kali linux in VM
[2017-12-21 16:12:57]
opcode :
adb/fastboot already included
[2017-12-21 16:13:10]
opcode :
i changed nothing, works
[2017-12-21 16:17:36]
jcase :
does it work on osx
[2017-12-21 16:17:38]
jcase :
for you
[2017-12-21 16:17:46]
jcase :
maybe i need to update fastboot on my raspberrypi
[2017-12-21 16:17:52]
opcode :
nope, fastboot is fucked on my osx
[2017-12-21 16:18:00]
jcase :
i use a pi for usb work, cause i cant get libusb working very well on mac
[2017-12-21 16:18:02]
jcase :
its buggy
[2017-12-21 16:18:10]
jcase :
and my linux box is in closet
[2017-12-21 16:20:11]
opcode :
root@kali:~# fastboot --version
fastboot version 1:7.0.0+r33-2
root@kali:~#
[2017-12-22 02:29:38]
jcase :
@opcode @hostile im going crazy here, I cant get a fastboot connection
[2017-12-22 02:29:42]
jcase :
3 PCs
[2017-12-22 02:29:52]
jcase :
fastboot -i 0x2207
[2017-12-22 02:30:16]
jcase :
fuck it, what is the proper windows driver for this piece of shit
[2017-12-22 02:31:14]
jcase :
imma update the tablet it self maybe
[2017-12-22 02:48:05]
jcase :
wtf @opcode that isnt google standard fastboot response, where wonder if that is some modified one
[2017-12-22 03:06:18]
jcase :
hmm
[2017-12-22 03:09:50]
jcase :
@opcode @hostile ok so its kicking into downloadmode lol, how do i get it into uboot?
[2017-12-22 03:13:35]
jcase :
LOL
[2017-12-22 03:13:38]
jcase :
updating this POS
[2017-12-22 03:13:43]
jcase :
swapped the touch panel
[2017-12-22 03:13:48]
jcase :
left side is the right side
[2017-12-22 03:15:32]
jcase :
<https://www.youtube.com/watch?v=kuiGPiEq35A>
[2017-12-22 03:26:06]
jcase :
ok in fastboot
[2017-12-22 04:16:20]
hostile :
@jcase maybe try fucking with /data/data/touchscreen.calibration/files/
[2017-12-22 04:16:40]
hostile :
lol adb install? <https://play.google.com/store/apps/details?id=redpi.apps.touchscreencalibration&hl=en>
[2017-12-22 06:34:24]
bin4ry :
@jcase this is dji fucking with you. Get used to it :joy:
[2017-12-22 15:41:16]
ben_lin :
is there a way to sideload modded DJI GO 4 App onto CS?
[2017-12-22 15:41:41]
ben_lin :
or does it use a different type of GO 4 that we can't mod yet?
[2017-12-22 15:47:09]
mathieu.peyrega :
you have to make a clone with a different package name and a few other twists, and apply a patch from the modded to allow running on CS
[2017-12-22 15:48:09]
ben_lin :
so it is indeed possible
[2017-12-22 15:48:39]
ben_lin :
the wiki doesnt indicate how to do that
[2017-12-22 15:48:45]
ben_lin :
could you pls enlighten me
[2017-12-22 17:04:12]
jcase :
@opcode so "adb reboot bootloader" seems to toss me into download mode, and "adb reboot fastboot" into fastboot, is this how you get into those modes?
[2017-12-22 17:44:22]
opcode :
@jcase correct.
[2017-12-22 17:46:55]
ben_lin :
can someone teach me how to install modded dji go 4 app on CS
[2017-12-22 17:47:01]
ben_lin :
I know how to root and stuff
[2017-12-22 17:47:05]
opcode :
what i still couldnt find out, is why my uboot dump is empty. maybe they played with the memory addresses
[2017-12-22 17:47:29]
ben_lin :
but it seems like cs is refusing to accept the new GO app
[2017-12-22 17:47:53]
opcode :
@ben_lin did you uninstall go 4 system app
[2017-12-22 17:48:13]
ben_lin :
I did not do that
[2017-12-22 17:48:37]
opcode :
you need to remove the system app residing in /system/priv-app/
[2017-12-22 17:48:56]
ben_lin :
and then install the new app correct?
[2017-12-22 17:49:10]
ben_lin :
I thought CS uses a different type of GO4...
[2017-12-22 17:49:12]
opcode :
to be specific /system/priv-app/DJI-GO4
[2017-12-22 17:49:29]
opcode :
yes, odex version. but you can install regular apk.
[2017-12-22 17:50:02]
opcode :
but it may be, that the installation is still blocked. we're working on a workaround.
[2017-12-22 17:50:28]
ben_lin :
so... no one tried this before?
[2017-12-22 17:50:39]
ben_lin :
when i was trying this with the P4P+ remote
[2017-12-22 17:50:52]
ben_lin :
it says "this app is not authorized by DJI"
[2017-12-22 17:51:10]
opcode :
sure, but there are changes in the crystalsky OS with every new release they bring
[2017-12-22 17:51:37]
opcode :
are we talking crystalsky or p4p+?
[2017-12-22 17:51:48]
ben_lin :
OK thanks.... I am just trying to get rid of the dynamic nfz update in the newest CS GO 4 app
[2017-12-22 17:51:52]
ben_lin :
mainly the cs
[2017-12-22 17:52:07]
ben_lin :
the p4p+ is pretty much ignored by this community by now....
[2017-12-22 17:53:27]
ben_lin :
If i recall correctly, you can disable NFZ by changing parameters with older FW, but then from GO 4 v4.1.0 they added the dynamic NFZ update, which overrides the parameter change
[2017-12-22 17:53:56]
ben_lin :
I wonder if GO 4 app released before the launch of CS would work?
[2017-12-22 17:54:37]
opcode :
sure, why not? in the end crystalsky is an android device with lollipop
[2017-12-22 17:55:06]
opcode :
but there may still be hooks from dji which stop you from installing other versions of go 4.
[2017-12-22 17:57:16]
ben_lin :
the catch here is that
[2017-12-22 17:57:30]
ben_lin :
on the initial start of GO4
[2017-12-22 17:57:37]
ben_lin :
u need to download the resource files
[2017-12-22 17:58:08]
ben_lin :
from DJI servers.... and they turned that function off for both cs and p4p+ remote
[2017-12-22 17:58:24]
ben_lin :
unless someone has the obb file...
[2017-12-22 17:58:25]
opcode :
use this version:
[2017-12-22 17:58:27]
opcode :
!apk
[2017-12-22 17:58:47]
ben_lin :
oh so this is the deejayeye mod version
[2017-12-22 17:58:59]
ben_lin :
it wont require that download? thanks a lot
[2017-12-22 17:59:47]
ben_lin :
I should attempt applying the go-offline patch for this and see if it works on either the p4p+ remote or cs
[2017-12-22 18:00:07]
ben_lin :
this would help those who wants the new app while disabled nfz
[2017-12-22 18:00:21]
opcode :
go ahead. and report back if it worked out for you on p4p+. should be.
[2017-12-22 18:00:39]
ben_lin :
need to make sure that it would even install...
[2017-12-22 18:00:55]
ben_lin :
the p4p+ remote is basically an android tablet
[2017-12-22 18:01:16]
ben_lin :
but then i cant detect it with my PC as an Android device
[2017-12-22 18:01:43]
ben_lin :
I am now flashing the p4p+ rc to lowest factory version
[2017-12-22 18:01:47]
ben_lin :
FU to DJI
[2017-12-22 18:04:28]
ben_lin :
!firmware
[2017-12-22 18:05:18]
jcase :
@opcode lol that was confusing as fuck but thanks
[2017-12-22 18:30:40]
opcode :
@jcase DJI stuff is always confusing :smile:
[2017-12-22 19:18:27]
ben_lin :
hmm
[2017-12-22 20:14:44]
ben_lin :
@opcode I cant even adb load the modded GO app onto p4p+ remote
[2017-12-22 20:14:57]
ben_lin :
how do you guys do it with CS?
[2017-12-22 20:15:37]
kilrah :
probably needs the installd patch?
[2017-12-22 20:15:45]
jcase :
@ben_lin give me logcat
[2017-12-22 20:15:52]
jcase :
after failed sideload
[2017-12-22 20:16:07]
jcase :
what is the p4p+ another android powered remote like cs
[2017-12-22 20:16:25]
ben_lin :
INSTALL_FAILED_ILLEGITIMATE_APK
[2017-12-22 20:16:40]
ben_lin :
yes, android 5.0 based tablet
[2017-12-22 20:17:01]
jcase :
give me the logcat output
[2017-12-22 20:17:03]
jcase :
not the error
[2017-12-22 20:17:16]
ben_lin :
the same thing happens if u try to install it directly on the p4p+ remote, a pop up shows saying "not authorized to do so"
[2017-12-22 20:17:29]
ben_lin :
I dont know how to do the logcat... I am stupid
[2017-12-22 20:17:43]
jcase :
adb install filename.apk then as soon as that errors do adb logcat >logcat.txt
[2017-12-22 20:17:47]
jcase :
wait a few seconds
[2017-12-22 20:17:49]
jcase :
then control x
[2017-12-22 20:17:50]
jcase :
err
[2017-12-22 20:17:53]
jcase :
control + C
[2017-12-22 20:18:08]
ben_lin :
ok give a minute
[2017-12-22 20:18:12]
ben_lin :
re-run
[2017-12-22 20:20:18]
ben_lin :
ee
[2017-12-22 20:20:21]
ben_lin :
nothing happened
[2017-12-22 20:20:38]
ben_lin :
after I do adb logcat>logcat.txt
[2017-12-22 20:20:44]
ben_lin :
wait, there is a space...
[2017-12-22 20:21:10]
jcase :
its creating a file called logcat.txt
[2017-12-22 20:21:12]
jcase :
control C
[2017-12-22 20:21:15]
jcase :
then upload file
[2017-12-22 20:21:48]
ben_lin :
hmm where is the file located
[2017-12-22 20:21:58]
ben_lin :
as ctrl v in here show nothing
[2017-12-22 20:22:51]
jcase :
wherever your current dir was
[2017-12-22 20:23:52]
ben_lin :
found it
[2017-12-22 20:25:17]
ben_lin :
alright
[2017-12-22 20:25:20]
ben_lin :
this is it
[2017-12-22 20:25:38]
ben_lin :
i am a total noob on this
[2017-12-22 20:26:14]
ben_lin :
but i guess if we root the p4p+remote, we can turn off "verify apps over usb" and solve this problem
[2017-12-22 20:26:24]
ben_lin :
but then who is going to root the remote...
[2017-12-22 20:26:29]
jcase :
was /data/local/tmp/mod-41.apk to base.apk the file
[2017-12-22 20:26:37]
jcase :
is the p4p+ not rooted?
[2017-12-22 20:26:44]
jcase :
give me spec sheet for it
[2017-12-22 20:27:07]
ben_lin :
as I know it is not rooted
[2017-12-22 20:27:25]
ben_lin :
not sure about the file directory
[2017-12-22 20:27:40]
ben_lin :
but mod-41.apk is the apk I am trying to adb load
[2017-12-22 20:27:47]
ben_lin :
let me go find the specs
[2017-12-22 20:28:53]
jcase :
i mean there is not root exploit for it yet?
[2017-12-22 20:29:07]
jcase :
cause i mean, that would make me happy to drop something on dji for christmas
[2017-12-22 20:29:19]
ben_lin :
nobody ever talked about it, like ever
[2017-12-22 20:29:27]
ben_lin :
what exact specs do you need
[2017-12-22 20:29:35]
jcase :
i want to know the SOC/CPU
[2017-12-22 20:29:39]
jcase :
and android version
[2017-12-22 20:29:54]
ben_lin :
Android 5.1.1
[2017-12-22 20:30:16]
opcode :
you can try csroot on it, just the exploit
[2017-12-22 20:30:18]
opcode :
<https://github.com/Opcodeffm/csroot>
[2017-12-22 20:30:25]
jcase :
E/installd( 160): package:dji.go.v4 is not allow install!
[2017-12-22 20:30:37]
jcase :
@opcode you are ruining my fun here
[2017-12-22 20:30:52]
jcase :
lol
[2017-12-22 20:30:53]
ben_lin :
i dont think that would work
[2017-12-22 20:31:00]
jcase :
@ben_lin what cpu/soc is it
[2017-12-22 20:31:11]
jcase :
ive got a stockpile of bugs for some
[2017-12-22 20:31:13]
jcase :
which is why im asking
[2017-12-22 20:31:18]
ben_lin :
uploading the about device section
[2017-12-22 20:31:19]
jcase :
but im guessing it is some obscure shit
[2017-12-22 20:31:41]
jcase :
@opcode do we have OTAs for this thing?
[2017-12-22 20:32:45]
opcode :
yeah, I think the product code is GL300E
[2017-12-22 20:32:59]
jcase :
where can i grab it
[2017-12-22 20:33:03]
opcode :
Im Home in 15 min, then I’ll check for download link
[2017-12-22 20:33:05]
ben_lin :
the cpu/soc is not stated on DJI's site, but i am uploading a screen shot of the "about device" section
[2017-12-22 20:33:07]
jcase :
thanks
[2017-12-22 20:33:15]
jcase :
@ben_lin adb shell getprop
[2017-12-22 20:33:18]
jcase :
then give me output
[2017-12-22 20:33:21]
jcase :
that should tell me
[2017-12-22 20:33:31]
ben_lin :
running now
[2017-12-22 20:34:12]
ben_lin :
[service.bootanim.exit]: [1]
[sf.power.control]: [2073600]
[sys.audio.agc.state]: [1]
[sys.audio.nsx.state]: [1]
[sys.boot_completed]: [1]
[sys.display.oritation]: [2]
[sys.ggralloc.version]: [1.0.2]
[sys.ggsurflgr.version]: [1.000]
[sys.ghwc.version]: [2.067-3288MID]
[sys.gmali.version]: [r6p0-02rel0-13-12@0]
[sys.grga.version]: [2.000]
[sys.hwc.compose_policy]: [6]
[sys.pms.finishscan]: [true]
[sys.resolution.changed]: [false]
[sys.rkadb.root]: [0]
[sys.status.hideStatusbar_enable]: [true]
[sys.status.hidebar_enable]: [true]
[sys.status.hidebar_poweron]: [true]
[sys.sysctl.extra_free_kbytes]: [24300]
[sys.usb.config]: [mass_storage,adb,acm]
[sys.usb.state]: [mass_storage,adb,acm]
[sys.usb.umsavailible]: [true]
[sys.vold.hasAsec]: [true]
[sys.wallpaper.rgb565]: [0]
[testing.mediascanner.skiplist]: [/mnt/internal_sd/Android/]
[vold.post_fs_data_done]: [1]
[wifi.interface]: [wlan0]
[wifi.supplicant_scan_interval]: [15]
[2017-12-22 20:35:41]
ben_lin :
FCC ID: SS3-GL300E1609
[2017-12-22 20:36:40]
jcase :
adb shell getprop > props.txt
[2017-12-22 20:36:42]
jcase :
send file
[2017-12-22 20:41:30]
jcase :
@ben_lin are you on windows or mac or linux
[2017-12-22 20:41:51]
ben_lin :
win10
[2017-12-22 20:41:57]
jcase :
@opcode is probably right, that exploit should work
[2017-12-22 20:42:09]
jcase :
if not, i can write something that will, but i cant write windows stuff
[2017-12-22 20:42:27]
ben_lin :
I can get access to a Mac
[2017-12-22 20:42:49]
ben_lin :
let me try the exploit..
[2017-12-22 20:42:54]
jcase :
ok
[2017-12-22 20:43:05]
jcase :
actually, looks like libusb works in windows
[2017-12-22 20:43:30]
ben_lin :
the platform name is rk3288
[2017-12-22 20:43:33]
ben_lin :
seems like
[2017-12-22 20:43:53]
jcase :
yep
[2017-12-22 20:44:11]
ben_lin :
indeed some obscure shit
[2017-12-22 20:44:24]
jcase :
well, obscure shit with some really shit software
[2017-12-22 20:44:26]
jcase :
easy root
[2017-12-22 20:44:29]
ben_lin :
I guess this is why the GO APP is so terrible on Android
[2017-12-22 20:44:32]
jcase :
ive got one now
[2017-12-22 20:44:39]
ben_lin :
oh wow
[2017-12-22 20:44:53]
jcase :
CS is same shit
[2017-12-22 20:44:57]
jcase :
its what ive been working on this morning
[2017-12-22 20:45:02]
ben_lin :
the same board??
[2017-12-22 20:45:13]
jcase :
its rockchip
[2017-12-22 20:45:22]
ben_lin :
AKA terrible
[2017-12-22 20:45:51]
ben_lin :
why would they even stay on lollipop
[2017-12-22 20:46:05]
jcase :
because it costs money to upgrade
[2017-12-22 20:46:28]
ben_lin :
wouldnt 8.0 be way more efficient and stable
[2017-12-22 20:46:47]
ben_lin :
the fking app crashed at least 30 times on my Oreo OP5T
[2017-12-22 20:46:56]
jcase :
not really
[2017-12-22 20:47:03]
jcase :
that board may not even have support for oreo
[2017-12-22 20:47:12]
ben_lin :
facepalm
[2017-12-22 20:47:44]
ben_lin :
so this board they using on cs and p4p+ is the reason they are holding back on normal Android app
[2017-12-22 20:47:57]
jcase :
well the normal android app
[2017-12-22 20:48:06]
jcase :
its going to be held back due to the packer they are using probably
[2017-12-22 20:48:09]
jcase :
it adds a lot of overhead
[2017-12-22 20:48:39]
ben_lin :
they got some bad programmers then...
[2017-12-22 20:50:01]
jcase :
lmk on that root
[2017-12-22 20:50:10]
jcase :
if it fails then ill have something in coming week
[2017-12-22 20:50:14]
jcase :
depending on when i get my desk cleaned off
[2017-12-22 20:50:26]
jcase :
gotta put back together all these phones
[2017-12-22 20:50:27]
jcase :
to do that
[2017-12-22 20:50:47]
ben_lin :
lol ok... I am reading the instruction to do cs root
[2017-12-22 20:51:01]
ben_lin :
just follow the wiki right?
[2017-12-22 20:52:38]
jcase :
nfi
[2017-12-22 20:53:01]
jcase :
id assume so
[2017-12-22 20:54:43]
ben_lin :
this link no longer works...
[2017-12-22 20:55:46]
jcase :
i wouldnt install that
[2017-12-22 20:55:55]
jcase :
see if that root works
[2017-12-22 20:56:01]
jcase :
then we can look at patching installd
[2017-12-22 20:56:45]
opcode :
@jcase not sure if this is the right dl for the p4p+ <http://mydjiflight.dji.com/file/links/GL300E_v1220_20170928>
[2017-12-22 20:57:10]
ben_lin :
that is a newer fw than I am using
[2017-12-22 20:57:14]
opcode :
@ben_lin dl my csroot, but manually upload only lordroot to /tmp
[2017-12-22 20:57:25]
jcase :
thx
[2017-12-22 20:57:43]
opcode :
execute lordroot on your cs with ./lordroot and show us the output
[2017-12-22 20:58:11]
ben_lin :
whats the command for pushing that file
[2017-12-22 20:58:14]
jcase :
adb push lordroot /data/local/tmp
[2017-12-22 20:58:15]
ben_lin :
sorry newbie here
[2017-12-22 20:58:20]
ben_lin :
ok thx
[2017-12-22 20:58:24]
jcase :
adb shell chmod 755 /data/local/tmp/lordroot
[2017-12-22 20:58:29]
jcase :
adb shell /data/local/tmp/lordroot
[2017-12-22 21:04:06]
ben_lin :
this is absurd
[2017-12-22 21:04:15]
ben_lin :
i pushed the file to p4p+
[2017-12-22 21:04:26]
ben_lin :
only figure out it doesnt have a file viewer
[2017-12-22 21:04:44]
opcode :
you dont need
[2017-12-22 21:04:49]
opcode :
adb shell pls
[2017-12-22 21:05:10]
ben_lin :
adb shell chmod 755 /data/local/tmp/lordroot
[2017-12-22 21:05:14]
ben_lin :
and then
[2017-12-22 21:05:21]
ben_lin :
adb shell /data/local/tmp/lordroot
[2017-12-22 21:05:24]
ben_lin :
right?
[2017-12-22 21:06:14]
opcode :
yeah, but just to be sure, type "adb shell"
[2017-12-22 21:06:17]
opcode :
and enter
[2017-12-22 21:06:33]
ben_lin :
the command just ran
[2017-12-22 21:06:45]
opcode :
cd /data/local/tmp
[2017-12-22 21:06:56]
jcase :
what output
[2017-12-22 21:07:23]
ben_lin :
sh: ./patch_script.sh: not found
max_:3 min:10 i_ret:0x20
#
F_SETPIPE_SZ 407
[+] Done target:d90fdfa0 overflowcheck:200000 map:5499 readv_error:10
sh: can't create ./tdexit: Read-only file system
[+] Done target:d90fdfa0 overflowcheck:200000 map:26338 readv_error:3749
sh: can't create ./tdexit: Read-only file system
sh: ./busybox: not found
sh: ./busybox: not found
sh: ./busybox: not found
get_selinux_state 0
shellcode_root_self i_pid:2509 ppid:2506 i_thread_info:dc7fc000 i_task:dbc6e3c0 i_cred:dc762400 i_init_sid:0
R write: Bad address
R write: Bad address
fopen: Read-only file system
[2017-12-22 21:07:25]
opcode :
@ben_lin yeah, pls copy/paste all output here
[2017-12-22 21:07:45]
ben_lin :
i havent ran cd /data/local/tmp
[2017-12-22 21:08:03]
ben_lin :
seems like it failed
[2017-12-22 21:08:10]
opcode :
stop
[2017-12-22 21:08:18]
ben_lin :
or I did something wrong..
[2017-12-22 21:08:20]
ben_lin :
ok
[2017-12-22 21:08:24]
opcode :
are you in a shell now?
[2017-12-22 21:09:00]
ben_lin :
the device is not...
[2017-12-22 21:09:18]
opcode :
back to start
[2017-12-22 21:09:30]
opcode :
"adb shell" and enter to connect to device
[2017-12-22 21:10:01]
ben_lin :
shell@gl300e:/ $
[2017-12-22 21:10:05]
ben_lin :
this is the output
[2017-12-22 21:10:15]
opcode :
cd /data/local/tmp
[2017-12-22 21:10:18]
opcode :
and enter
[2017-12-22 21:11:24]
ben_lin :
device not found
[2017-12-22 21:11:31]
ben_lin :
havent run cd/data
[2017-12-22 21:11:36]
ben_lin :
restart...
[2017-12-22 21:12:10]
opcode :
what? you mean it restarts by itself?
[2017-12-22 21:12:17]
ben_lin :
noo
[2017-12-22 21:12:37]
ben_lin :
i mean we should do something about this "device not found" output
[2017-12-22 21:12:54]
opcode :
you are still in the shell?
[2017-12-22 21:13:09]
ben_lin :
yes
[2017-12-22 21:13:12]
opcode :
ls
[2017-12-22 21:13:14]
opcode :
and enter
[2017-12-22 21:13:53]
ben_lin :
/system/bin/sh: Is: not found
127|shell@gl300e:/ $
[2017-12-22 21:14:23]
ben_lin :
the p4p+ remote is sitting there just fine, system and app running good
[2017-12-22 21:14:50]
ben_lin :
should I reconnect the remote?
[2017-12-22 21:16:06]
ben_lin :
...
[2017-12-22 21:16:33]
opcode :
reconnect? no. it is connected with an usb cable to your computer?
[2017-12-22 21:17:11]
ben_lin :
yes
[2017-12-22 21:17:17]
ben_lin :
micro usb cable...
[2017-12-22 21:17:33]
opcode :
ok
[2017-12-22 21:17:38]
opcode :
exit
[2017-12-22 21:17:40]
opcode :
and enter
[2017-12-22 21:17:48]
opcode :
then
[2017-12-22 21:17:51]
opcode :
adb devices
[2017-12-22 21:17:55]
opcode :
and enter
[2017-12-22 21:19:03]
ben_lin :
List of devices attached
1TSB3BQY0N device
[2017-12-22 21:19:27]
opcode :
ok
[2017-12-22 21:19:34]
opcode :
youre in the dir of csroot?
[2017-12-22 21:19:41]
ben_lin :
this matches the serial number of p4p+
[2017-12-22 21:19:47]
opcode :
on your win?
[2017-12-22 21:20:13]
ben_lin :
on my win, but I pulled cmd by WIN+R tho
[2017-12-22 21:20:32]
opcode :
you need to be in the /tmp dir of csroot
[2017-12-22 21:20:49]
ben_lin :
the csroot dir is in the same folder with adb tools..
[2017-12-22 21:20:51]
ben_lin :
ok
[2017-12-22 21:21:32]
ben_lin :
should i go add the /tmp dir to the path value
[2017-12-22 21:22:14]
opcode :
what path value? no. you just have to be in the /tmp dir of csroot.
[2017-12-22 21:22:24]
opcode :
then do a "dir" and show me the content
[2017-12-22 21:24:29]
ben_lin :
Directory of C:\ADB\platform-tools\csroot-master\tmp
12/23/2017 04:59 AM <DIR> .
12/23/2017 04:59 AM <DIR> ..
12/23/2017 04:56 AM 1,126,000 busybox
12/23/2017 04:56 AM 75,364 daemonsu
12/23/2017 04:56 AM 465 debuggerd
12/23/2017 04:56 AM 979 install-recovery.sh
12/23/2017 04:56 AM 170,232 libsupol.so
12/23/2017 04:56 AM 245,576 lordroot
12/23/2017 04:56 AM 4,487 mkdevsh
12/23/2017 04:56 AM 75,364 su
12/23/2017 04:56 AM 6,581,871 SuperSU.apk
12/23/2017 04:56 AM 29,972 supolicy
10 File(s) 8,310,310 bytes
2 Dir(s) 59,348,291,584 bytes free
[2017-12-22 21:25:20]
ben_lin :
Sorry for being a noob
[2017-12-22 21:25:28]
opcode :
adb push lordroot /data/local/tmp
[2017-12-22 21:25:39]
opcode :
np, im in a good mood today :smile:
[2017-12-22 21:26:06]
opcode :
and always show me the output after the commands
[2017-12-22 21:27:08]
ben_lin :
C:\Users\Lin Jinhan>adb push C:\ADB\platform-tools\csroot-master\tmp\lordroot /data/local/tmp
C:\ADB\platform-tools\csroot-master\tmp\lordroot: 1 file pushed. 3.8 MB/s (245576 bytes in 0.062s)
[2017-12-22 21:27:15]
ben_lin :
seems like it went through
[2017-12-22 21:27:35]
opcode :
adb shell chmod 755 /data/local/tmp/lordroot
[2017-12-22 21:28:11]
ben_lin :
no response
[2017-12-22 21:28:17]
ben_lin :
hit enter and, blank
[2017-12-22 21:28:52]
opcode :
adb shell /data/local/tmp/lordroot
[2017-12-22 21:29:29]
ben_lin :
C:\Users\Lin Jinhan>adb shell /data/local/tmp/lordroot
sh: ./patch_script.sh: not found
max_:3 min:10 i_ret:0x20
#
F_SETPIPE_SZ 407
[+] Done target:da8768a0 overflowcheck:200000 map:7096 readv_error:457
sh: can't create ./tdexit: Read-only file system
[+] Done target:da8768a0 overflowcheck:deadbeef map:15799 readv_error:8193
sh: can't create ./tdexit: Read-only file system
sh: ./busybox: not found
sh: ./busybox: not found
sh: ./busybox: not found
get_selinux_state 0
shellcode_root_self i_pid:4686 ppid:4683 i_thread_info:d8786000 i_task:db69f380 i_cred:db4b6180 i_init_sid:0
R write: Bad address
R write: Bad address
fopen: Read-only file system
[2017-12-22 21:30:00]
opcode :
hmmm
[2017-12-22 21:30:02]
opcode :
adb shell
[2017-12-22 21:30:40]
ben_lin :
C:\Users\Lin Jinhan>adb shell
shell@gl300e:/ $
[2017-12-22 21:30:43]
opcode :
id
[2017-12-22 21:31:05]
ben_lin :
shell@gl300e:/ $ id
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)
shell@gl300e:/ $
[2017-12-22 21:31:36]
opcode :
@jcase exploit doesnt work due to read-only i guess
[2017-12-22 21:31:46]
jcase :
ok
[2017-12-22 21:31:55]
ben_lin :
alright then
[2017-12-22 21:32:11]
ben_lin :
what info you guys need to root this
[2017-12-22 21:32:20]
ben_lin :
the hardware is on my hand so I can try to help
[2017-12-22 21:32:58]
jcase :
well
[2017-12-22 21:33:00]
jcase :
easiest route
[2017-12-22 21:33:03]
jcase :
probably dump system
[2017-12-22 21:33:08]
jcase :
via the rockchip backdoor
[2017-12-22 21:33:10]
jcase :
patch it
[2017-12-22 21:33:11]
jcase :
reflash
[2017-12-22 21:33:22]
jcase :
i mean, DJI gave yall a perm root
[2017-12-22 21:33:23]
jcase :
through that
[2017-12-22 21:33:34]
jcase :
i dont think they can disable it
[2017-12-22 21:34:05]
ben_lin :
is there a similar tutorial i can look up online
[2017-12-22 21:34:28]
ben_lin :
it sounds like all i need is the system firmware package from DJI
[2017-12-22 21:34:32]
ben_lin :
which i have
[2017-12-22 21:34:48]
opcode :
iirc, @the_lord rooted the P4P+ ^^^
[2017-12-22 21:34:50]
jcase :
nah need to dump raw one off device
[2017-12-22 21:35:13]
jcase :
imma try and clean my desk now
[2017-12-22 21:35:44]
ben_lin :
i mean if he did root it we should probably have something pinned or shared by now...
[2017-12-22 21:36:00]
ben_lin :
this thing isnt so popular so i guess people barely cared
[2017-12-22 21:36:30]
ben_lin :
now my mavic is gone to DJI for repairs I cant test the modded 4.1.14
[2017-12-22 21:36:48]
ben_lin :
but it is funny tho
[2017-12-22 21:37:25]
ben_lin :
"DJI TROLL USER" is your account name if you sign in with fake account on modded 4.114
[2017-12-22 21:43:05]
ben_lin :
@opcode @jcase thanks for the help though
[2017-12-22 21:44:13]
opcode :
np, maybe the_lord will drop in and knows more.
[2017-12-22 21:45:08]
ben_lin :
hope so
[2017-12-22 21:45:27]
ben_lin :
I've seen people adb loading apps into the p4p+
[2017-12-22 21:45:44]
ben_lin :
but then I cant get it to work as the apk is rejected everytime
[2017-12-22 21:45:49]
ben_lin :
fking dji
[2017-12-22 21:46:46]
jcase :
need to patch installd
[2017-12-22 21:47:41]
ben_lin :
wouldnt that require root
[2017-12-22 21:50:22]
jcase :
actually not on rock chip
[2017-12-22 21:50:22]
jcase :
lol
[2017-12-22 21:51:31]
ben_lin :
impressive
[2017-12-22 21:52:21]
ben_lin :
lmao I just googled it
[2017-12-22 21:52:45]
ben_lin :
"""""""You can always flash the MarsBoard, it never bricks (as the name :))"""""""
[2017-12-22 23:19:11]
jcase :
@opcode you know
[2017-12-22 23:19:31]
jcase :
looks like you can boot an image or even a second uboot build off sdcard
[2017-12-22 23:26:39]
opcode :
I think I read about this in the uboot documentation. Does the sdcard get mounted in bootloader mode?
[2017-12-22 23:32:30]
jcase :
im not sure how it works yet
[2017-12-22 23:39:24]
opcode :
Maybe we are able to execute direct uboot commands in fastboot mode:
[2017-12-22 23:39:29]
opcode :
To execute u-Boot command:
fastboot oem ucmd <UBOOT cmds>
[2017-12-22 23:39:42]
opcode :
<http://opensource.rock-chips.com/wiki_Fastboot>
[2017-12-22 23:41:13]
opcode :
fastboot boot <Image> didn’t work iirc
[2017-12-22 23:47:54]
jcase :
it appears you can
[2017-12-22 23:47:58]
jcase :
i havent gotten fastboot working yet
[2017-12-22 23:48:00]
jcase :
it hangs
[2017-12-22 23:48:19]
jcase :
im going to rewrite a fastboot client from scratch in a bit
[2017-12-22 23:48:31]
jcase :
there some things i want to see if i can pull off
[2017-12-22 23:48:36]
jcase :
looking at the uboot implementation
[2017-12-23 11:51:32]
ben_lin :
any new ideas on the p4p+ root
[2017-12-23 16:29:45]
jcase :
yeah
[2017-12-23 16:30:05]
jcase :
going to take time to implement a test tho
[2017-12-23 16:33:22]
ben_lin :
good luck dude
[2017-12-23 16:33:44]
ben_lin :
tell me If you need to run anything on the actual hardware
[2017-12-23 16:34:19]
jcase :
you should check with @the_lord to ensure he doesnt have a solution
[2017-12-23 16:34:30]
jcase :
my goal is a compromise
[2017-12-23 16:34:33]
jcase :
not a nice neat tool
[2017-12-23 16:35:57]
ben_lin :
OK
[2017-12-23 16:37:17]
the_lord :
@ben_lin actually when the guys were testing on CS i was doing the same on P4P+
[2017-12-23 16:37:44]
the_lord :
So the rooting tools we used are tested on the P+
[2017-12-23 16:38:37]
ben_lin :
are those tools publicly accessible ?
[2017-12-23 16:39:26]
the_lord :
Yes sure
[2017-12-23 16:40:17]
ben_lin :
I just need some initial directions to do this
[2017-12-23 16:41:04]
ben_lin :
we tried the cs root yesterday but it didn't work due to Read-only file systems
[2017-12-23 16:43:23]
the_lord :
If you need temporary root just execute ./lordroot
Which is enough to do anything you need
[2017-12-23 16:44:41]
jcase :
didnt work for him
[2017-12-23 16:44:47]
opcode :
@the_lord we tested that yesterday. didnt work. seems like read-only errors
[2017-12-23 16:45:00]
jcase :
@the_lord you guys see the shit like /dev/mem being owned by media?
[2017-12-23 16:45:07]
jcase :
so any of those countless mediaserver vulns that pop up
[2017-12-23 16:45:09]
jcase :
are kernel execution
[2017-12-23 16:45:13]
jcase :
on the CS?
[2017-12-23 16:45:21]
opcode :
lol, yeah. have seen your twitter post
[2017-12-23 16:46:30]
jcase :
thats like
[2017-12-23 16:46:33]
jcase :
unacceptably bad
[2017-12-23 16:46:42]
jcase :
1) selinux should be enabled blocking that
[2017-12-23 16:46:47]
jcase :
2 mem shouldnt exist
[2017-12-23 16:46:53]
jcase :
3 it shouldnt be owned by media
[2017-12-23 16:47:18]
ben_lin :
this is dji we talking about
[2017-12-23 16:47:21]
ben_lin :
lol
[2017-12-23 16:48:29]
mathieu.peyrega :
I really hope we will be able to have a lineage running on CS soon !
[2017-12-23 16:49:19]
mathieu.peyrega :
I know I already asked, but does anybody know the vendor/model of the CS touchscreen ?
[2017-12-23 16:49:26]
ben_lin :
I just wish there will be a 3rd party company that makes high brightness tablets
[2017-12-23 16:49:34]
the_lord :
@opcode I’m driving now
Did you try adb shell
Then cd to tmp then ./lordroot ?
[2017-12-23 16:49:52]
ben_lin :
we did
[2017-12-23 16:49:58]
ben_lin :
still failed
[2017-12-23 16:50:07]
mathieu.peyrega :
@ben_lin: with a nice HDMI touchscreen and a Odroid C2 (or XU4) you can make a nice setup
[2017-12-23 16:50:28]
the_lord :
I’ll test it when arrive to my repair shop
[2017-12-23 16:50:34]
mathieu.peyrega :
XU4 is more powerful but does not have OTG. C2 is only 1GB RAM
[2017-12-23 16:50:38]
ben_lin :
@mathieu.peyrega not convenient as cs tho
[2017-12-23 16:51:01]
mathieu.peyrega :
of course need a bit of packaging...
[2017-12-23 16:51:40]
mathieu.peyrega :
but the boards themselves are not much thicker than the CS (especially if you remove headers)
[2017-12-23 16:52:04]
ben_lin :
battery solutions?
[2017-12-23 16:52:30]
ben_lin :
maybe Apple will make next gen iPads ultra bright
[2017-12-23 16:54:04]
mathieu.peyrega :
that would at least be a reason for their prices...
[2017-12-23 16:54:18]
mathieu.peyrega :
I'm not sure if the CS features optical bonding or not
[2017-12-23 16:54:36]
mathieu.peyrega :
(should have, but they make no statements about it)
[2017-12-23 16:55:18]
ben_lin :
prob not
[2017-12-23 16:56:09]
mathieu.peyrega :
if they don't, this is a little "stupid" because they could have reduced the brightness quite a lot for the same result
[2017-12-23 16:57:14]
opcode :
@ben_lin just to be sure, pls try that again. fire up a shell "adb shell" then "cd /data/local/tmp" then "./lordroot" and show us the output
[2017-12-23 17:00:08]
ben_lin :
on my way home, gimme a few minutes
[2017-12-23 17:03:01]
jcase :
well
[2017-12-23 17:03:06]
jcase :
if anyone wants to build a custom uboot for CS
[2017-12-23 17:03:09]
jcase :
lol
[2017-12-23 17:03:09]
jcase :
i can boot it
[2017-12-23 17:03:21]
jcase :
not sure if i have the uboot experience to build one
[2017-12-23 17:03:39]
jcase :
but i can boot off any memory location, and i can write memory
[2017-12-23 17:06:52]
the_lord :
@ben_lin also which FW version ?
[2017-12-23 17:08:30]
opcode :
@jcase i would be the first to flash all the DJI shit out of the Crystalsky. But as long as i dont know how to backup the shitty uboot ....
[2017-12-23 17:12:05]
jcase :
wouldnt need to, should be able to boot from memory
[2017-12-23 17:12:14]
jcase :
non the less, we have execution in uboot now
[2017-12-23 17:15:20]
ben_lin :
@the_lord p4p+ remote fw v1.1.3.0
[2017-12-23 17:15:45]
ben_lin :
dji go 4 v4.0.4(3-dpad)
[2017-12-23 17:19:03]
ben_lin :
1|shell@gl300e:/ $ cd /data/local/tmp
shell@gl300e:/data/local/tmp $ ./lordroot
sh: ./patch_script.sh: not found
max_:3 min:10 i_ret:0x20
#
F_SETPIPE_SZ 407
[+] Done target:dbcd7aa0 overflowcheck:200000 map:5888 readv_error:38
[+] Done target:dbcd7aa0 overflowcheck:deadbeef map:5950 readv_error:78
sh: ./busybox: not found
sh: ./busybox: not found
sh: ./busybox: not found
get_selinux_state 0
shellcode_root_self i_pid:2099 ppid:2085 i_thread_info:d9984000 i_task:daa29a40 i_cred:dc1d9100 i_init_sid:0
fwrite is count 1 ./kok
[2017-12-23 17:19:23]
the_lord :
Did you copy all the files??
[2017-12-23 17:19:31]
the_lord :
And chmod 755 ?
[2017-12-23 17:19:47]
ben_lin :
chmod 755 we did yesterday
[2017-12-23 17:19:55]
ben_lin :
i only pushed lordroot
[2017-12-23 17:20:05]
the_lord :
It’s showing the busybox is missing too
[2017-12-23 17:20:55]
ben_lin :
well, last night they instructed me to push only lordroot
[2017-12-23 17:21:09]
ben_lin :
so i left the other files in /tmp
[2017-12-23 17:28:10]
the_lord :
@ben_lin what is the screen version
Currently i have 01.02.02.00
[2017-12-23 17:29:14]
ben_lin :
screen version is 1.1.3.0
[2017-12-23 17:29:27]
ben_lin :
thats what it shows on my settings page
[2017-12-23 17:31:45]
ben_lin :
yes it says 1.1.3.0
[2017-12-23 17:32:04]
ben_lin :
pad@0.1.3.0
[2017-12-23 17:32:26]
the_lord :
urs is too old and not updated
[2017-12-23 17:32:47]
the_lord :
my dji go 4 version 4.1.6
[2017-12-23 17:33:05]
the_lord :
i can't downgrade it
[2017-12-23 17:33:08]
ben_lin :
so newer fw allows rooting
[2017-12-23 17:33:17]
ben_lin :
i can send u the fw file to flash it
[2017-12-23 17:33:21]
the_lord :
IIRC even older version was rootable
[2017-12-23 17:33:35]
the_lord :
let me check maybe i have the old version
[2017-12-23 17:34:09]
ben_lin :
so your new version doesn't root...
[2017-12-23 17:34:30]
the_lord :
i only have
GL300E_v1200_20170609.bin
GL300E_v1220_20170927.bin
both are rootable
[2017-12-23 17:34:50]
ben_lin :
i can just flash fw and root then
[2017-12-23 17:35:10]
ben_lin :
I am trying to install the modded dji go 4.1.14 on the screen
[2017-12-23 17:35:13]
the_lord :
try to push all files then adb shell
cd /data/local/tmp
[2017-12-23 17:35:17]
ben_lin :
ok
[2017-12-23 17:35:18]
the_lord :
then ./lordroot
[2017-12-23 17:39:53]
ben_lin :
is there a way i can adb push a folder
[2017-12-23 17:39:58]
ben_lin :
i am too stupid
[2017-12-23 17:45:12]
the_lord :
are you on windows?
[2017-12-23 17:45:26]
ben_lin :
yes
[2017-12-23 17:46:06]
the_lord :
adb push tmp /data/local/
[2017-12-23 17:46:28]
the_lord :
then
adb shell chmod 755 /data/local/tmp/lordroot
adb shell chmod 755 /data/local/tmp/busybox
[2017-12-23 17:46:55]
the_lord :
then adb shell
cd /data/local/tmp
./lordroot
[2017-12-23 17:46:59]
mathieu.peyrega :
@the_lord: don't know why but i was not able either to push a full directory like that. I had to move file by file
[2017-12-23 17:47:27]
the_lord :
i'm on windows too and i'm always able to push folders
[2017-12-23 17:47:46]
the_lord :
you should be 1 directory before tmp
[2017-12-23 17:47:46]
ben_lin :
C:\tmp\: 10 files pushed. 5.8 MB/s (8310310 bytes in 1.361s)
[2017-12-23 17:48:08]
mathieu.peyrega :
which version of adb are you using ?
[2017-12-23 17:48:14]
mathieu.peyrega :
maybe I have a too old one
[2017-12-23 17:48:34]
the_lord :
Android Debug Bridge version 1.0.36
Revision af05c7354fe1-android
[2017-12-23 17:48:41]
the_lord :
i use the one came with assistant 2
[2017-12-23 17:48:52]
the_lord :
@ben_lin so
[2017-12-23 17:49:17]
ben_lin :
C:\Users\Lin Jinhan>adb shell chmod 755 /data/local/tmp/lordroot
C:\Users\Lin Jinhan>adb shell chmod 755 /data/local/tmp/busybox
C:\Users\Lin Jinhan>adb shell
shell@gl300e:/ $
[2017-12-23 17:49:19]
mathieu.peyrega :
i'll check that. I'm using 1.0.32 so not that old
[2017-12-23 17:49:34]
ben_lin :
this is where i am at
[2017-12-23 17:50:08]
ben_lin :
chmod 755 seems to respond with nothing
[2017-12-23 17:50:47]
the_lord :
then now cd /data/local/tmp
[2017-12-23 17:51:45]
ben_lin :
C:\Users\Lin Jinhan>adb shell
shell@gl300e:/ $ cd /data/local/tmp
shell@gl300e:/data/local/tmp $
[2017-12-23 17:51:57]
the_lord :
./lordroot
[2017-12-23 17:52:43]
ben_lin :
shell@gl300e:/data/local/tmp $ ./lordroot
sh: ./patch_script.sh: not found
max_:3 min:10 i_ret:0x20
#
F_SETPIPE_SZ 407
[+] Done target:dba896a0 overflowcheck:200000 map:7795 readv_error:4893
[+] Done target:dba896a0 overflowcheck:deadbeef map:7843 readv_error:197
get_selinux_state -
- 0
shellcode_root_self i_pid:4343 ppid:4321 i_thread_info:debc8000 i_task:da93cec0 i_cred:dafc5980 i_init_sid:0
fwrite is count 1 ./kok
[2017-12-23 17:52:53]
the_lord :
id
[2017-12-23 17:53:12]
ben_lin :
shell@gl300e:/data/local/tmp $ id
uid=0(root) gid=0(root) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)
shell@gl300e:/data/local/tmp $
[2017-12-23 17:53:16]
ben_lin :
seems like no root
[2017-12-23 17:53:28]
the_lord :
uid=0(root) gid=0(root)
[2017-12-23 17:53:31]
the_lord :
rooted
[2017-12-23 17:53:43]
the_lord :
but temporary root not permanent
[2017-12-23 17:53:53]
the_lord :
once you reboot it goes
[2017-12-23 17:54:02]
ben_lin :
so i can adb push the modded app now?
[2017-12-23 17:54:12]
ben_lin :
or just install it
[2017-12-23 17:54:23]
the_lord :
you need to uninstall the old one
[2017-12-23 17:54:35]
the_lord :
BTW once this adb session ends there is no root
[2017-12-23 17:54:49]
ben_lin :
ahhhhh
[2017-12-23 17:54:58]
ben_lin :
ok
[2017-12-23 17:55:25]
ben_lin :
so under the temp root
[2017-12-23 17:55:40]
mathieu.peyrega :
@the_lord is it ok to clean /data/local/tmp after rooting or better to keep the files ?
[2017-12-23 17:56:16]
the_lord :
yes you can clean it but usually i keep it coz i don't make permanent root
[2017-12-23 17:56:43]
mathieu.peyrega :
and is it possible to revert after making it permanent ?
[2017-12-23 17:59:32]
ben_lin :
@the_lord how do i uninstall the old one
[2017-12-23 18:00:00]
the_lord :
Yes sure
Read the mkdevsh script @mathieu.peyrega
[2017-12-23 18:00:05]
ben_lin :
the 3rd part app install is blocked on the screen
[2017-12-23 18:00:11]
ben_lin :
not sure if the root removed that
[2017-12-23 18:00:29]
mathieu.peyrega :
thanks i'll do that (i'm on patch stuff right now)
[2017-12-23 18:01:50]
the_lord :
most welcome
[2017-12-23 18:06:18]
ben_lin :
@the_lord still cant load 3rd party apps on there
[2017-12-23 18:06:49]
jcase :
got root?
[2017-12-23 18:06:55]
jcase :
if so, send me your installd
[2017-12-23 18:07:07]
the_lord :
@ben_lin you need patched installd file to install third party apps
[2017-12-23 18:07:24]
jcase :
@the_lord we know if the CS one works on p4p+?
[2017-12-23 18:07:36]
the_lord :
some versions yes
[2017-12-23 18:07:38]
ben_lin :
correct
[2017-12-23 18:07:55]
the_lord :
but latest CS firmware has different installd file
[2017-12-23 18:07:59]
jcase :
i would like a copy
[2017-12-23 18:08:03]
jcase :
of the non patched installd
[2017-12-23 18:08:09]
ben_lin :
well does the csroot files provide that installd file
[2017-12-23 18:08:29]
the_lord :
send us your current installd file
[2017-12-23 18:09:21]
ben_lin :
hmmm
[2017-12-23 18:09:27]
ben_lin :
how should I do that
[2017-12-23 18:09:41]
ben_lin :
:disappointed: I feel like I am asking too much but cant contribute
[2017-12-23 18:10:15]
ben_lin :
verbose logging maybe?
[2017-12-23 18:10:59]
jcase :
adb pull /system/bin/installd
[2017-12-23 18:11:31]
ben_lin :
do that in a shell or exit shell before doing?
[2017-12-23 18:14:03]
ben_lin :
got it
[2017-12-23 18:16:28]
bin4ry :
Old installd was patched by me
[2017-12-23 18:16:54]
bin4ry :
I just hard patched the check to jump to allow instead of checking at all :joy:
[2017-12-23 18:17:05]
bin4ry :
Should still work here too
[2017-12-23 18:17:12]
bin4ry :
They changed their check to before
[2017-12-23 18:17:36]
bin4ry :
But the old version should still be good I think
[2017-12-23 18:17:56]
bin4ry :
Ofc if @jcase has free time he can patch it himself
[2017-12-23 18:18:09]
bin4ry :
As I know dji it should be easy to do :wink:
[2017-12-23 18:18:34]
ben_lin :
hmmmm
[2017-12-23 18:18:57]
ben_lin :
wait
[2017-12-23 18:18:58]
jcase :
i just wanted to see
[2017-12-23 18:19:20]
bin4ry :
Just cracked it as anyone would :joy:
[2017-12-23 18:19:27]
jcase :
hmm
[2017-12-23 18:19:30]
jcase :
what was the error
[2017-12-23 18:19:30]
bin4ry :
Easy way out :wink:
[2017-12-23 18:19:47]
bin4ry :
What do you mean?
[2017-12-23 18:20:12]
bin4ry :
Before it rejected packages if you want to install from adb or package manager
[2017-12-23 18:20:18]
ben_lin :
yes
[2017-12-23 18:20:27]
bin4ry :
That check was done in installd
[2017-12-23 18:20:34]
bin4ry :
They looked for the package name
[2017-12-23 18:20:34]
jcase :
E/installd( 160): package:dji.go.v4 is not allow install!
[2017-12-23 18:20:46]
bin4ry :
Yep this kind of error
[2017-12-23 18:21:08]
bin4ry :
My patched installd just skips the check at all and reports back that all is fine
[2017-12-23 18:21:24]
ben_lin :
so all i need to do is to swap the installd file?
[2017-12-23 18:21:42]
jcase :
weird
[2017-12-23 18:21:53]
bin4ry :
Well I had the file uploaded a few months back when we first rooted the device
[2017-12-23 18:22:04]
jcase :
what is com.DeviceTest
[2017-12-23 18:22:04]
bin4ry :
It was on an earlier firmware
[2017-12-23 18:22:12]
bin4ry :
I have not checked if they changed something
[2017-12-23 18:22:26]
ben_lin :
I am on march fw
[2017-12-23 18:22:34]
jcase :
so they only allow install of dji.pilot.pad and com.DeviceTest
[2017-12-23 18:22:35]
jcase :
?
[2017-12-23 18:22:44]
bin4ry :
Yeah exactly jcase
[2017-12-23 18:22:59]
ben_lin :
btw the p4p+ screen app apk file is not easy to find
[2017-12-23 18:23:09]
bin4ry :
Compare the unpatched and patched installd
[2017-12-23 18:23:11]
ben_lin :
and you cant mod it with the deejayeye tool
[2017-12-23 18:23:23]
bin4ry :
You will see it is just one instruction I patched
[2017-12-23 18:23:40]
jcase :
what is ro.dji.app_install_cnt
[2017-12-23 18:23:46]
bin4ry :
Ofc not @ben_lin you need to make patches for each version.
[2017-12-23 18:23:57]
bin4ry :
That is the count @jcase
[2017-12-23 18:24:02]
jcase :
of what
[2017-12-23 18:24:13]
bin4ry :
They allow up to 20 apps to be sideloaded or so
[2017-12-23 18:24:20]
bin4ry :
Atleast that is what I read somewhere
[2017-12-23 18:24:21]
jcase :
lol
[2017-12-23 18:24:33]
ben_lin :
that limit was for cs iirc
[2017-12-23 18:24:39]
bin4ry :
But that was some firmware versions later than my patch
[2017-12-23 18:24:46]
bin4ry :
So I am not up to speed on that matter
[2017-12-23 18:25:07]
ben_lin :
what fw u running
[2017-12-23 18:25:20]
ben_lin :
i can just flash to that one and use ur installd file
[2017-12-23 18:25:22]
jcase :
i thought this only allowed dji.polet.pad and com.DeviceTest
[2017-12-23 18:25:24]
jcase :
to be installed
[2017-12-23 18:25:42]
jcase :
@ben_lin ill patch this for you if you want
[2017-12-23 18:26:26]
ben_lin :
Please do so if you got the time... Makes flying in china so much easier
[2017-12-23 18:26:39]
bin4ry :
@jcase i think we are mixing stuff here. Let me start over :smile:
[2017-12-23 18:27:26]
ben_lin :
Does swapping the installd file require root
[2017-12-23 18:27:48]
bin4ry :
On the OLD version of the firmware. It was like they only allowed certain package names to be installed, if the package name was not matching the whitelist in installd then it reported back the error you posted. On NEW firmware AFAIK they removed this whitelist but allowed 20 apps to be installed. the limit can easily be raised through the ro. property change
[2017-12-23 18:28:11]
bin4ry :
i think the whitelist should not be inside the installd of any new firmware
[2017-12-23 18:28:40]
ben_lin :
but since what fw did the 20 app started
[2017-12-23 18:28:50]
bin4ry :
p4p+ and cs share the same installd
[2017-12-23 18:28:57]
bin4ry :
i compared it some time ago
[2017-12-23 18:29:02]
ben_lin :
I get rejections on both march and september fw
[2017-12-23 18:29:02]
bin4ry :
and the patched worked on both devices
[2017-12-23 18:29:09]
ben_lin :
so maybe go to the newest
[2017-12-23 18:29:25]
bin4ry :
i am not sure which firmware version introduced the "new" limit
[2017-12-23 18:29:44]
bin4ry :
my patches was from august
[2017-12-23 18:30:47]
ben_lin :
on CS V02.04.02.00
[2017-12-23 18:30:55]
ben_lin :
the 20 app is allowed
[2017-12-23 18:31:09]
ben_lin :
release date Nov.09
[2017-12-23 18:31:23]
bin4ry :
aha
[2017-12-23 18:31:36]
bin4ry :
in THIS version then the installd should be already the new one
[2017-12-23 18:31:39]
bin4ry :
without whitelist
[2017-12-23 18:31:50]
bin4ry :
so my patch is deprecated anyway
[2017-12-23 18:31:51]
bin4ry :
:wink:
[2017-12-23 18:31:58]
bin4ry :
just root and raise the ro property
[2017-12-23 18:32:04]
bin4ry :
then you can install as many as you want
[2017-12-23 18:32:12]
bin4ry :
but i don't have this devices
[2017-12-23 18:32:19]
bin4ry :
i only worked through this slack channel
[2017-12-23 18:32:20]
bin4ry :
:smile:
[2017-12-23 18:32:50]
bin4ry :
keep nagging @jcase he has the device now and he knows what he is doing
[2017-12-23 18:33:07]
bin4ry :
just wanted to share some of my knowledge so you guys don't need to re-invent the wheel
[2017-12-23 18:33:33]
ben_lin :
cool.. not sure if the latest p4p+ screen fw matches with cs
[2017-12-23 18:34:18]
bin4ry :
dunno :smile:
[2017-12-23 18:34:23]
ben_lin :
v01.02.02.00 is latest for p4p+ screen, on Sept 30
[2017-12-23 18:34:34]
bin4ry :
it's dji everything is possible
[2017-12-23 18:34:47]
ben_lin :
this latest version is rootable tho
[2017-12-23 18:34:58]
bin4ry :
thats good then
[2017-12-23 18:35:02]
jcase :
so is the app install restriction
[2017-12-23 18:35:06]
jcase :
only if they have 20 apps installed
[2017-12-23 18:35:27]
bin4ry :
that could be true
[2017-12-23 18:35:30]
jcase :
or am i reading this wrong
[2017-12-23 18:35:35]
bin4ry :
that would explain the whitelist then
[2017-12-23 18:35:38]
jcase :
@ben_lin do you have a bunch of apps installed
[2017-12-23 18:35:42]
ben_lin :
no
[2017-12-23 18:35:46]
ben_lin :
just the stock apps
[2017-12-23 18:35:53]
ben_lin :
but I am not on newest fw
[2017-12-23 18:35:58]
jcase :
run
[2017-12-23 18:36:05]
jcase :
adb shell getprop ro.dji.app_install_cnt
[2017-12-23 18:36:06]
jcase :
for me
[2017-12-23 18:36:20]
ben_lin :
0
[2017-12-23 18:36:38]
bin4ry :
thats not much
[2017-12-23 18:36:38]
bin4ry :
^^
[2017-12-23 18:36:41]
ben_lin :
lol
[2017-12-23 18:39:44]
bin4ry :
paste your build.prop here please
[2017-12-23 18:41:06]
ben_lin :
whats the command for that
[2017-12-23 18:41:47]
bin4ry :
adb pull /system/build.prop
[2017-12-23 18:41:53]
bin4ry :
and post that file here
[2017-12-23 18:44:14]
bin4ry :
there are some interesting properties in there
[2017-12-23 18:44:27]
bin4ry :
ro.dji.app_install_cnt=0
this one you want to set higher
[2017-12-23 18:44:56]
bin4ry :
ro.dji.advanced_enable=false
--> what is this? maybe set it to true
[2017-12-23 18:45:02]
bin4ry :
and see what happens then :smile:
[2017-12-23 18:45:37]
ben_lin :
so edit it and send it back to the screen
[2017-12-23 18:45:51]
ben_lin :
whats the command for swapping it
[2017-12-23 18:46:05]
bin4ry :
well
[2017-12-23 18:46:19]
bin4ry :
first of all
[2017-12-23 18:46:26]
bin4ry :
change the values in this file on your computer
[2017-12-23 18:46:33]
bin4ry :
i hope you don't use windows
[2017-12-23 18:46:43]
jcase :
i can patch that out i guess
[2017-12-23 18:46:43]
ben_lin :
rip
[2017-12-23 18:46:47]
ben_lin :
i am on win10
[2017-12-23 18:46:53]
ben_lin :
no mac or linux access now
[2017-12-23 18:47:05]
bin4ry :
@jcase do it :slightly_smiling_face:
[2017-12-23 18:47:23]
ben_lin :
but can I do the swapping on windows tho
[2017-12-23 18:47:25]
bin4ry :
@ben_lin make sure that you use notepad++ or such software which keeps the lineendings
[2017-12-23 18:47:37]
jcase :
better if he did that change
[2017-12-23 18:47:37]
ben_lin :
got it
[2017-12-23 18:47:48]
bin4ry :
then remount /system with rw
[2017-12-23 18:47:51]
bin4ry :
adb shell
[2017-12-23 18:47:54]
bin4ry :
su
[2017-12-23 18:47:59]
bin4ry :
mount -o remount,rw /system
[2017-12-23 18:48:14]
bin4ry :
exit
[2017-12-23 18:48:17]
bin4ry :
exit
[2017-12-23 18:48:25]
bin4ry :
adb push build.prop /system/build.prop
[2017-12-23 18:48:28]
bin4ry :
adb shell
[2017-12-23 18:48:30]
bin4ry :
cd system
[2017-12-23 18:48:35]
bin4ry :
chmod 644 build.prop
[2017-12-23 18:48:40]
bin4ry :
after that
[2017-12-23 18:48:41]
bin4ry :
reboot
[2017-12-23 18:48:47]
bin4ry :
and pray that you did all correct
[2017-12-23 18:48:52]
ben_lin :
"remount /system with rw" is this the full command
[2017-12-23 18:49:01]
ben_lin :
noobs on the field lol
[2017-12-23 18:49:07]
bin4ry :
no
[2017-12-23 18:49:21]
bin4ry :
the commands start below that
[2017-12-23 18:49:35]
bin4ry :
you should reconsider to do that by yourself if you are too noob mate :wink:
[2017-12-23 18:49:50]
bin4ry :
@jcase i am not sure what is less risky, build prop or installd
[2017-12-23 18:50:01]
bin4ry :
so as we got an property for it why not use it ?
[2017-12-23 18:50:02]
bin4ry :
:smile:
[2017-12-23 18:50:19]
ben_lin :
well you guys are helping so the noob is fine i guess
[2017-12-23 18:50:30]
bin4ry :
start from the adb shell line
[2017-12-23 18:50:35]
bin4ry :
and put one command after the other
[2017-12-23 18:50:42]
bin4ry :
but make sure none has errors
[2017-12-23 18:50:53]
bin4ry :
and ofc you need to be rooted before you attempt to swap the file
[2017-12-23 18:51:04]
bin4ry :
yay
[2017-12-23 18:51:16]
bin4ry :
go for jcases installd
[2017-12-23 18:51:19]
jcase :
well
[2017-12-23 18:51:21]
jcase :
im not sure
[2017-12-23 18:51:22]
jcase :
lol
[2017-12-23 18:51:25]
bin4ry :
it will get rid of it for you :smile:
[2017-12-23 18:51:27]
bin4ry :
or do both
[2017-12-23 18:51:28]
bin4ry :
lol
[2017-12-23 18:51:29]
bin4ry :
^^
[2017-12-23 18:51:31]
jcase :
i may have branched to the wrong address
[2017-12-23 18:52:02]
bin4ry :
heh
[2017-12-23 18:52:20]
bin4ry :
make sure you use arm asm
[2017-12-23 18:52:43]
ben_lin :
so run the commands with jcase's file
[2017-12-23 18:53:05]
bin4ry :
you can decide which way you go
[2017-12-23 18:53:09]
bin4ry :
both are possible
[2017-12-23 18:53:13]
jcase :
dont
[2017-12-23 18:53:14]
bin4ry :
either swap the build.prop
[2017-12-23 18:53:15]
jcase :
i dont think this is right
[2017-12-23 18:53:19]
bin4ry :
ok
[2017-12-23 18:53:22]
bin4ry :
:smile:
[2017-12-23 18:53:22]
ben_lin :
ok
[2017-12-23 18:53:22]
bin4ry :
try the build.prop
[2017-12-23 18:53:58]
bin4ry :
i have to go now
[2017-12-23 18:54:00]
ben_lin :
C:\Users\Lin Jinhan>adb shell
shell@gl300e:/ $ su
/system/bin/sh: su: not found
127|shell@gl300e:/ $
[2017-12-23 18:54:07]
bin4ry :
you are not rooted
[2017-12-23 18:54:15]
bin4ry :
you need to be rooted before you can do that
[2017-12-23 18:54:29]
ben_lin :
somehow the temp root is gone
[2017-12-23 18:54:32]
ben_lin :
dang it
[2017-12-23 18:54:36]
bin4ry :
heh
[2017-12-23 18:54:37]
bin4ry :
anyway
[2017-12-23 18:54:39]
bin4ry :
i need to go
[2017-12-23 18:54:43]
bin4ry :
cu
[2017-12-23 18:54:45]
jcase :
i gotta run a bit too
[2017-12-23 18:54:48]
ben_lin :
ay mate, have a good one
[2017-12-23 18:54:56]
bin4ry :
evening here
[2017-12-23 18:55:04]
bin4ry :
movies night starting :wink:
[2017-12-23 18:55:08]
bin4ry :
cu mates
[2017-12-23 18:55:37]
ben_lin :
cya
[2017-12-23 19:00:01]
ben_lin :
ro.rk.install_non_market_apps=false
[2017-12-23 19:00:28]
ben_lin :
ro.adb.secure=0
[2017-12-23 19:04:48]
ben_lin :
2 lines that is, maybe worth u guys' attention?
[2017-12-23 19:05:28]
jcase :
bottom one isnt
[2017-12-23 20:43:56]
jcase :
who was it that determined something was still checking for signatures after unlocking?
[2017-12-23 20:43:58]
jcase :
got a question
[2017-12-23 21:18:12]
opcode :
you mean after unlocking bootloader? @jcase
[2017-12-23 21:20:36]
opcode :
we flashed a lot of different recovery’s, but no luck. Always black screen. So we suspected that the bootloader is doing a check for correct signing of the recovery.
[2017-12-23 21:22:09]
jcase :
ooo
[2017-12-23 21:22:12]
jcase :
so thats not verified however?
[2017-12-23 21:22:14]
jcase :
k
[2017-12-23 21:26:16]
jcase :
ah ok i see
[2017-12-23 21:26:22]
opcode :
nope. Just a guess.
[2017-12-23 21:37:07]
mathieu.peyrega :
is there a way to change the "app" partition size. the CS see a small partition for apps that i'd like to make bigger
[2017-12-23 21:41:49]
jcase :
app partition size?
[2017-12-23 21:41:52]
jcase :
there is no app partition
[2017-12-23 21:43:22]
mathieu.peyrega :
when going to storage it displays 2 partitions one about 3gb and one about 100gb (don't have cs with me)
[2017-12-23 21:43:42]
mathieu.peyrega :
the 3gb is where app goes
[2017-12-23 21:44:34]
jcase :
uh
[2017-12-23 21:44:36]
jcase :
shouldnt be
[2017-12-23 21:44:37]
jcase :
hold on
[2017-12-23 21:45:38]
jcase :
ah
[2017-12-23 21:45:55]
jcase :
so
[2017-12-23 21:47:47]
jcase :
interesting
[2017-12-24 05:58:38]
mathieu.peyrega :
it looks like this (there are colors but DJI screenshot system messes it up when taking snapshot)
[2017-12-24 05:59:51]
mathieu.peyrega :
this 2.91 "partition" (don't know how to call it) is getting saturated very quickly and it prevents installing new apps. Also the move to SD card button seems not to be working in application details (even for non system apps)
[2017-12-24 08:02:25]
ben_lin :
same thing with the move to sd on my end
[2017-12-24 08:03:47]
mathieu.peyrega :
and with the 3GB "app partition" ? do you also have it ?
[2017-12-24 08:06:58]
ben_lin :
let me Check
[2017-12-24 08:07:20]
ben_lin :
I have p4p+ screen not cs tho
[2017-12-24 08:08:12]
ben_lin :
nope it doesnt
[2017-12-24 08:11:23]
mathieu.peyrega :
thanks for checking. If other CS owner can give a check, that would be nice !
[2017-12-26 06:19:31]
ben_lin :
@mathieu.peyrega Just updated fw
[2017-12-26 06:19:40]
ben_lin :
and that portion is there
[2017-12-26 06:19:44]
ben_lin :
mine is 3gb
[2017-12-26 07:33:36]
mathieu.peyrega :
@ben_lin thanks for feedback. I hope there will be a way to get rid of it...
[2017-12-26 17:12:52]
jcase :
@mathieu.peyrega do "df"
[2017-12-26 17:12:53]
jcase :
and
[2017-12-26 17:12:55]
jcase :
"mount"
[2017-12-26 17:12:56]
jcase :
paste here
[2017-12-26 17:38:53]
mathieu.peyrega :
i don't know if there are 2 storage devices, but at least 2 partitions... one 2.9 GB in ext4 and the big one in vfat... (your 20 apps have to be 20 small apps... especially as the apps data get on the small partition ! )
[2017-12-26 17:39:58]
mathieu.peyrega :
(e.g. the /DJI/ directory happens to fall on this 2.9 GB partition when the here maps caching already eat a lot ! )
[2017-12-26 17:43:07]
ben_lin :
wait
[2017-12-26 17:43:23]
ben_lin :
so the offline map goes into the 3gb?
[2017-12-26 17:44:46]
mathieu.peyrega :
yes, and also the flight records...
[2017-12-26 17:51:19]
mathieu.peyrega :
maybe an easy fix for some of the stuff would be through symlinks...
[2017-12-26 17:51:33]
mathieu.peyrega :
i mean not "fix" but "workaround"
[2017-12-26 17:59:20]
ben_lin :
now I see why 20 apps
[2017-12-29 08:20:51]
ben_lin :
for the p4p+ screen
[2017-12-29 08:21:10]
ben_lin :
every time I exit the adb shell, the temporary root is gone
[2017-12-29 08:21:24]
ben_lin :
is there a way to make it permanent
[2017-12-29 08:21:50]
ben_lin :
@jcase @bin4ry
[2017-12-29 08:22:25]
ben_lin :
or I need to somehow be able to swap the build.prop file in the shell
[2017-12-29 08:57:39]
bin4ry :
i don't know which temp root you got. there are some methods, but once you got temp root just make system rw and pop the su binary and apk in there , set permissions right and you should be fine. should not be hard.
[2017-12-29 09:04:26]
ben_lin :
i did lordroot
[2017-12-29 09:04:28]
ben_lin :
su
[2:47]
mount -o remount,rw /system
[2:48]
exit
[2:48]
exit
[2:48]
adb push build.prop /system/build.prop
[2:48]
adb shell
[2:48]
cd system
[2:48]
chmod 644 build.prop
[2:48]
after that
[2:48]
reboot
[2017-12-29 09:04:43]
ben_lin :
and above was the command you gave me
[2017-12-29 09:04:55]
ben_lin :
the exit command killed the root
[2017-12-29 09:05:07]
ben_lin :
I think thats why it doesnt work
[2017-12-29 09:45:53]
bin4ry :
Ofc not
[2017-12-29 09:46:43]
bin4ry :
You need to get some basic knowledge of Unix systems. :wink:
[2017-12-29 09:48:03]
bin4ry :
While you are in the rootshell copy over your su binary and superuser APK to the system partition you just remounted rw. When you have done that make sure your file permissions on this 2 files are correct. If all is fine you wont need the lord root to get the rootshell but then you can simply type su
[2017-12-29 09:49:06]
bin4ry :
This thing with the build prop was a complete different thing . It was for the app install limit and not to make root stick
[2017-12-29 09:52:41]
ben_lin :
ok thanks... trying to figure this out lol
[2017-12-29 10:09:50]
ben_lin :
after rooting the device, i tried to "su" but it says su not found
[2017-12-29 10:09:58]
ben_lin :
it is rooted..
[2017-12-29 10:10:57]
bin4ry :
Ofc. Su has nothing to do with being rooted
[2017-12-29 10:11:46]
ben_lin :
I did get the temporary root with lordroot; root is required for swapping the build.props file
[2017-12-29 10:12:22]
bin4ry :
Imagine it as a helper to decide who gets root permission and who does not. On consumer phones and tablets this is mostly not present, so that is what I told you that you should install it manually. After you have installed su and superuser.apk to the system partition you can then gain root permissions without the exploit
[2017-12-29 10:13:06]
ben_lin :
so under the root shell, adb push superuser.apk and su
[2017-12-29 10:13:53]
bin4ry :
No
[2017-12-29 10:14:02]
bin4ry :
You cannot adb push under the root shell
[2017-12-29 10:14:14]
bin4ry :
Since to adb push you would need to leave the shell
[2017-12-29 10:15:20]
ben_lin :
leaving the shell kills the temporary root though
[2017-12-29 10:17:37]
bin4ry :
You should copy the files over to /data/local/tmp/ or similar to the device before (preparation step). Then temproot with lord root then remount system then copy su to /system/bin/su and superuser.apk to /system/app/superuser.apk. Also give the correct file permissions to su and superuser.apk. Please do some research how to do that and which are the right permissions on your own. I want to make sure that you understand what you are doing, that is why I leave this details and will not give a step by step. Please try to understand what you are doing first :wink:
[2017-12-29 10:18:25]
ben_lin :
:slightly_smiling_face: noobs training time
[2017-12-29 10:18:29]
ben_lin :
thanks
[2017-12-29 10:19:14]
bin4ry :
:grin:
[2017-12-29 10:19:21]
ben_lin :
***Goes to find tutorials***
[2017-12-29 10:19:21]
bin4ry :
This should get you pretty far already
[2017-12-29 10:19:58]
ben_lin :
I was trying to do what you said, but there must be some details that I got wrong
[2017-12-29 10:20:03]
ben_lin :
so I need to teach myself
[2017-12-29 10:20:05]
bin4ry :
Better try to find scripts and read them this will help you understand. Tutorials are bad, they lift the need of own thinking
[2017-12-29 10:20:29]
ben_lin :
true...
[2017-12-29 10:20:43]
ben_lin :
this is going all the way to the basics of Android
[2017-12-29 10:21:22]
bin4ry :
Linux basics
[2017-12-29 10:21:30]
bin4ry :
Not android specially
[2017-12-29 10:21:35]
bin4ry :
It is the same on all systems
[2017-12-29 10:21:57]
bin4ry :
Only on android you have the APK which is an userland app
[2017-12-29 10:22:05]
ben_lin :
you right
[2017-12-29 10:22:17]
bin4ry :
Have to go
[2017-12-29 10:22:22]
bin4ry :
Cu later
[2017-12-29 10:22:31]
ben_lin :
have a good one
[2017-12-29 10:52:26]
ben_lin :
@bin4ry is remounting the system to RW allowed under adb shell?
[2017-12-29 10:52:35]
ben_lin :
trying to find the command for that
[2017-12-29 10:57:55]
ben_lin :
cd to /system
[2017-12-29 11:01:37]
mathieu.peyrega :
should be something like "mount -o rw,remount,rw /system"
[2017-12-29 11:01:50]
mathieu.peyrega :
or maybe / instead of /system
[2017-12-29 11:02:11]
mathieu.peyrega :
and remount read only by replacing rw with ro after you're done
[2017-12-29 11:03:23]
ben_lin :
so under the shell i should "cd /"?
[2017-12-29 11:03:37]
ben_lin :
gonna start everything again see if it works
[2017-12-29 11:04:33]
ben_lin :
the process here is to temp root the device, remount under adb shell, copy SuperSU.apk and su to their correct directories, give them permission and reboob
[2017-12-29 11:04:39]
ben_lin :
reboot*
[2017-12-29 11:06:46]
ben_lin :
@mathieu.peyrega did you figure out the storage on cs
[2017-12-29 11:16:35]
ben_lin :
1|shell@gl300e:/ $ cp /data/local/tmp/su /system/bin
shell@gl300e:/ $ su
/system/bin/sh: su: can't execute: Permission denied
126|shell@gl300e:/ $ id
uid=0(root) gid=0(root) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)
shell@gl300e:/ $
[2017-12-29 11:17:02]
ben_lin :
@bin4ry @mathieu.peyrega can you guys check this?
[2017-12-29 11:17:19]
ben_lin :
the device is still rooted but su cant execute
[2017-12-29 11:31:54]
ben_lin :
wait
[2017-12-29 11:47:39]
ben_lin :
shouldn't the "$" be showing up as "#" if rooted?
[2017-12-29 11:47:49]
ben_lin :
or is this an issue with temp root
[2017-12-29 11:49:59]
mathieu.peyrega :
you should have the whoami command to display current user
[2017-12-29 11:50:56]
ben_lin :
i am still under the shell...
[2017-12-29 11:51:39]
ben_lin :
shell@gl300e:/ $ whoami
/system/bin/sh: whoami: not found
[2017-12-29 11:51:56]
ben_lin :
I feel like I am learning something but man this take some time
[2017-12-29 11:53:00]
ben_lin :
I havent assigned permissions with chmod 777 yet...
[2017-12-29 11:57:20]
ben_lin :
ok got it
[2017-12-29 11:57:32]
ben_lin :
chmod 777 and i have root operation
[2017-12-29 13:22:31]
ben_lin :
!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[2017-12-29 13:22:35]
ben_lin :
GOOD NEWS
[2017-12-29 13:23:06]
ben_lin :
I ROOTED P4P+ AND GOT 3RD PARTY APPS ON THERE!!!!
[2017-12-29 13:23:39]
ben_lin :
YOU GUYS TRAINED A NOOB TO DO THIS, YOU GUYS ARE FKING GREAT
[2017-12-29 13:23:58]
ben_lin :
@mathieu.peyrega @jcase @bin4ry
[2017-12-29 13:24:59]
mathieu.peyrega :
next step : install a modded version of GO4 :slightly_smiling_face:
[2017-12-29 13:25:23]
mathieu.peyrega :
(maybe flash gapps before... don't know if it's possible on the P4P+ device)
[2017-12-29 13:25:52]
ben_lin :
the p4p+ go app and regular go app has different package names
[2017-12-29 13:25:57]
ben_lin :
should be able to install both
[2017-12-29 13:26:33]
mathieu.peyrega :
ok. you still should apply the "CS" patch
[2017-12-29 13:26:40]
mathieu.peyrega :
whats the device name ?
[2017-12-29 13:27:10]
ben_lin :
device name?
[2017-12-29 13:27:19]
ben_lin :
GL300E is model number
[2017-12-29 13:27:43]
ben_lin :
I applied the cs patch to my modded apk already tho
[2017-12-29 13:28:04]
mathieu.peyrega :
then yes, the smali/dji/midware/data/config/a/a.smali contains reference to that model
[2017-12-29 13:28:32]
mathieu.peyrega :
the run_on_CrystalSky.patch change the name so that the device is treated as any regular device
[2017-12-29 13:28:43]
mathieu.peyrega :
(I admit this is a dirty fix...)
[2017-12-29 13:29:11]
mathieu.peyrega :
maybe it's not necessary for the GL300E but it was on the CS, i was not able to run the modded version on it without this patch
[2017-12-29 13:30:16]
ben_lin :
see if i can install the patched apk directly...
[2017-12-29 13:31:31]
ben_lin :
wait
[2017-12-29 13:31:45]
ben_lin :
do the 2 apps have complete separate files?
[2017-12-29 13:34:10]
mathieu.peyrega :
what the installed package name ?
[2017-12-29 13:35:00]
ben_lin :
dji.pilot.pad
[2017-12-29 13:35:14]
mathieu.peyrega :
the app uses the /DJI directory on "sdcard" and then the dji.go.v4 directory inside /DJI
[2017-12-29 13:35:35]
ben_lin :
the /DJI dir already exist
[2017-12-29 13:35:47]
ben_lin :
I can just remove the old app
[2017-12-29 13:35:53]
mathieu.peyrega :
I believe it's safe installing GO4 side to your other package
[2017-12-29 13:36:12]
ben_lin :
alright, hitting install now, see what goes
[2017-12-29 13:36:22]
mathieu.peyrega :
it's probably installed as a system app that you cannot easily remove
[2017-12-29 13:36:33]
ben_lin :
i have supersu on
[2017-12-29 13:37:17]
ben_lin :
interesting how after the root the system reminds me to update
[2017-12-29 13:37:25]
ben_lin :
even though i am already on newest fw
[2017-12-29 13:37:26]
ben_lin :
hmm
[2017-12-29 13:38:24]
ben_lin :
install complete
[2017-12-29 13:39:04]
ben_lin :
CONFIRMED
[2017-12-29 13:40:43]
ben_lin :
@channel on p4p+ v 1.2.2.0, you can root it like a cs and then have supersu, all other 3rd party apps on
[2017-12-29 13:41:33]
ben_lin :
and the secneo DJI GO 4 v4.1.14, after applying cs patch, can be directly installed with no issue, two apps exist side by side
[2017-12-29 13:42:14]
bin4ry :
You mean nosecneo?
[2017-12-29 13:42:20]
mathieu.peyrega :
your package name is still dji.go.v4 ? then HereMaps should still work too
[2017-12-29 13:42:22]
ben_lin :
ah yes
[2017-12-29 13:42:23]
bin4ry :
Secneo is the encrypted one
[2017-12-29 13:43:04]
ben_lin :
@mathieu.peyrega yes
[2017-12-29 13:43:13]
mathieu.peyrega :
HereMaps stop working as soon as you change package name from dji.go.v4
[2017-12-29 13:43:20]
ben_lin :
and on the patched app, it works like it should
[2017-12-29 13:43:24]
ben_lin :
oh really
[2017-12-29 13:43:29]
mathieu.peyrega :
could you extract the HereKey from the other package name ?
[2017-12-29 13:43:47]
mathieu.peyrega :
the dji.pilot.dpad
[2017-12-29 13:44:10]
mathieu.peyrega :
I'd like to give a try cloning GO 4 with this package name and setting the other key
[2017-12-29 13:44:28]
ben_lin :
give me instructions...
[2017-12-29 13:45:03]
mathieu.peyrega :
do you know how to use deejay-eye modder ?
[2017-12-29 13:45:09]
ben_lin :
yes
[2017-12-29 13:45:18]
mathieu.peyrega :
are you using it on windows or Linux ?
[2017-12-29 13:45:34]
ben_lin :
win
[2017-12-29 13:45:36]
ben_lin :
actually
[2017-12-29 13:45:38]
ben_lin :
i take that back
[2017-12-29 13:45:51]
ben_lin :
the drone is not being recognized by the patched app
[2017-12-29 13:45:59]
ben_lin :
but the app does run...
[2017-12-29 13:46:05]
ben_lin :
and i can fake login
[2017-12-29 13:46:11]
mathieu.peyrega :
check that the other app is fully stopped
[2017-12-29 13:46:25]
mathieu.peyrega :
go to settings apps and do "force stop"
[2017-12-29 13:46:30]
mathieu.peyrega :
on the stock app
[2017-12-29 13:47:49]
mathieu.peyrega :
@ben_lin: easiest is if you can use apk extractor to extract the apk of the original app and make it available
[2017-12-29 13:48:00]
ben_lin :
still nothing
[2017-12-29 13:48:04]
ben_lin :
ok
[2017-12-29 13:48:11]
mathieu.peyrega :
(then i'll get the HereMap key from its manifest)
[2017-12-29 13:49:22]
mathieu.peyrega :
try using the logcat command (from adb and see if there are error messages related to DJI GO4 not able to reach the drone)
[2017-12-29 13:49:36]
ben_lin :
one sec
[2017-12-29 13:52:08]
ben_lin :
no...
[2017-12-29 13:53:37]
ben_lin :
@mathieu.peyrega I can get the motor started but the app cant recognize
[2017-12-29 13:55:53]
ben_lin :
and logcat shows no error, from power on AC to connection
[2017-12-29 13:56:03]
ben_lin :
the app just cant recognize it
[2017-12-29 14:02:18]
mathieu.peyrega :
I have no idea how to help more with current information level
[2017-12-29 14:02:49]
ben_lin :
the worst is that the app cant even see the RC
[2017-12-29 14:03:01]
ben_lin :
trying to uninstall original
[2017-12-29 14:03:11]
ben_lin :
how did it work on CS?
[2017-12-29 14:03:37]
mathieu.peyrega :
worked as soon as I applied the run_on_CS patch
[2017-12-29 14:04:02]
mathieu.peyrega :
I searched within decrypted strings for occurrence of device name to see if it add special behaviour on it
[2017-12-29 14:04:20]
mathieu.peyrega :
I'll check if GL300E has other occurrences than the one I patched
[2017-12-29 14:06:04]
mathieu.peyrega :
smali/dji/midware/data/config/a/a.smali is the only file where it occurs...
[2017-12-29 14:07:14]
ben_lin :
a shit ton of logs pumped up as soon as I open original app
[2017-12-29 14:12:08]
ben_lin :
I didnt change that file, I guess?
[2017-12-29 14:12:25]
ben_lin :
a lot of permission denied showed up
[2017-12-29 14:12:42]
ben_lin :
Let me try to give the patched app access permission
[2017-12-29 15:29:05]
hostile :
congrats @ben_lin ! <https://dji-rev.slack.com/archives/C6K376JGZ/p1514553819000133> make sure to spread to your Chinese brethren =]
[2017-12-29 15:29:41]
ben_lin :
:disappointed: only partial success
[2017-12-29 15:29:56]
ben_lin :
the patched go4 cant recognize rc and ac on the p4p+
[2017-12-29 15:30:00]
ben_lin :
trying to figure it out
[2017-12-29 15:30:24]
hostile :
welcome to the game
[2017-12-29 15:30:33]
hostile :
we’ve all been living like this and not sleeping for 6+ months
[2017-12-29 15:30:35]
hostile :
=]
[2017-12-29 15:30:46]
hostile :
you are on the path to becoming a proper OG
[2017-12-29 15:31:10]
ben_lin :
lol i gotta learn unix and install linux on my pc first
[2017-12-29 15:31:25]
ben_lin :
i uploaded the specialized go app apk
[2017-12-29 15:31:34]
hostile :
best of luck bro
[2017-12-29 15:31:36]
ben_lin :
so if you guys are getting bored....can take a shot at it
[2017-12-29 15:31:48]
ben_lin :
I guess it has to do with permissions
[2017-12-29 15:39:47]
ben_lin :
let me see if moving modded go into system/app would work
[2017-12-29 15:40:01]
ben_lin :
as the d-pad version is a system app
[2017-12-29 15:42:05]
hostile :
logcat is your friend
[2017-12-29 15:44:35]
ben_lin :
i saw lots of permission denied when running the modded app
[2017-12-29 15:44:48]
ben_lin :
and then I went to chmod 777 the modded one
[2017-12-29 15:44:56]
ben_lin :
reboot, still nothing
[2017-12-29 15:45:04]
ben_lin :
so moving it might work
[2017-12-29 15:45:15]
ben_lin :
but the rc ran out of battery :disappointed:
[2017-12-29 15:52:34]
mathieu.peyrega :
is it filesystem permissions (file access issues) or Android permissions (like wifi access or stuff like that) ?
[2017-12-29 17:25:43]
mathieu.peyrega :
anyone would still have the 0.3 beta djipilot apk ?
[2017-12-29 17:55:03]
d95gas :
I have the djipilot from the very early days but cannot guarantee is 0.3 beta.... I can add it to dropbox if you want to try it?
[2017-12-29 17:55:24]
ben_lin :
@mathieu.peyrega
[2017-12-29 17:57:29]
mathieu.peyrega :
@d95gas: would be nice !
[2017-12-29 17:57:48]
d95gas :
2 mins and will post link to the 2 that I have
[2017-12-29 17:58:56]
d95gas :
1st one: <https://www.dropbox.com/s/08z8emn536lpm0a/djipilot.apk?dl=0>
[2017-12-31 08:27:54]
opcode :
@ben_lin ok, so no adb?
[2017-12-31 08:28:17]
ben_lin :
no adb, no nothing
[2017-12-31 08:28:28]
ben_lin :
the micro-usb port is dead
[2017-12-31 08:28:29]
opcode :
ok. newest FW?
[2017-12-31 08:28:33]
ben_lin :
yes
[2017-12-31 08:29:45]
opcode :
3 ways, all untested. :slightly_smiling_face: 1. put the most recent OTA on an micro SD and reboot. maybe it accepts it and goes into recovery.
[2017-12-31 08:30:32]
opcode :
2. flashing the system partition while in bootloader mode. are there any buttons which you could try to kick it in bootloader mode? or even recovery?
[2017-12-31 08:30:40]
ben_lin :
no.. the sd card has the newest fw
[2017-12-31 08:30:50]
ben_lin :
2 was the thing i am trying to figure
[2017-12-31 08:31:00]
ben_lin :
as I tried many button combos, no nothing
[2017-12-31 08:31:07]
ben_lin :
but there is a recovery
[2017-12-31 08:31:18]
ben_lin :
Not even DJI support knows how to get there
[2017-12-31 08:32:09]
opcode :
thats the dumb shit DJI has done to the crystalsky´s. an android with no explanation how to kick it in recovery. :face_with_rolling_eyes:
[2017-12-31 08:32:21]
opcode :
how far does it boot? does it even boot?
[2017-12-31 08:33:03]
ben_lin :
boot, stuck at DJI logo screen
[2017-12-31 08:33:08]
ben_lin :
RC button works
[2017-12-31 08:33:32]
opcode :
@bin4ry any idea how to mod an OTA, so the device thinks its a newer version?
[2017-12-31 08:34:11]
opcode :
youre on win, right?
[2017-12-31 08:34:18]
ben_lin :
yeah, the worst one
[2017-12-31 08:34:43]
opcode :
but you have buttons on the p4p screen like on crystalsky, right?
[2017-12-31 08:35:33]
ben_lin :
not exactly
[2017-12-31 08:35:38]
bin4ry :
If I had an idea I would have told already
[2017-12-31 08:35:43]
ben_lin :
on p4p screen there is only a power button
[2017-12-31 08:36:17]
bin4ry :
Afaik there is no button combo on cs
[2017-12-31 08:36:27]
bin4ry :
So might be similar to p4p
[2017-12-31 08:36:39]
bin4ry :
There was no mention anywhere for it
[2017-12-31 08:36:52]
bin4ry :
Only way to enter recovery is from android reboot
[2017-12-31 08:37:07]
ben_lin :
there is a button combo for rebinding , but not into recovery
[2017-12-31 08:37:09]
bin4ry :
However there should be anyway to enter download mode
[2017-12-31 08:37:21]
bin4ry :
Rockchip download mode
[2017-12-31 08:37:29]
bin4ry :
From where one can flash too
[2017-12-31 08:37:46]
bin4ry :
@jcase is working / was working on it for cs
[2017-12-31 08:38:07]
bin4ry :
Also it might be possible to boot to recovery from there
[2017-12-31 08:38:20]
ben_lin :
rockchip batch tool doesn't recognize the device
[2017-12-31 08:38:49]
opcode :
i flashed an sd-card while ago with an linux image for android devices, it recognized it but refused to boot. question is, if we could use that to kick it in bootloader mode.
[2017-12-31 08:39:25]
bin4ry :
It should , it is an rk3288 afaik
[2017-12-31 08:39:33]
bin4ry :
Make sure you install the correct drivers
[2017-12-31 08:39:36]
bin4ry :
Brb 1h
[2017-12-31 08:39:38]
opcode :
@ben_lin did you take a look into you usb devices/device manager if it even gets recognized?
[2017-12-31 08:39:58]
ben_lin :
recognized as usb3.1extensible
[2017-12-31 08:40:12]
ben_lin :
but not from the micro usb port
[2017-12-31 08:42:10]
opcode :
let me check some things, 15 min
[2017-12-31 08:52:13]
ben_lin :
just checked again, it doesnt recognize
[2017-12-31 08:52:19]
ben_lin :
from the micro usb port
[2017-12-31 08:53:17]
mathieu.peyrega :
maybe stupid question, but are you sure of your micro usb cable ? those cable often become shitty
[2017-12-31 08:53:57]
ben_lin :
it is the cable that came with the box
[2017-12-31 08:54:57]
opcode :
ok, good news. the flashed sd card with linux i made kicks the crystalsky into bootloader mode.
[2017-12-31 08:55:15]
opcode :
so from there you could flash a new system image.
[2017-12-31 08:56:19]
opcode :
but before we take this route, we need a fitting system.img
[2017-12-31 08:56:37]
ben_lin :
which I cant pull from the device
[2017-12-31 08:56:49]
ben_lin :
unless we can figure it out from the firmware files
[2017-12-31 08:57:16]
opcode :
we have the ota where, iirc, the whole /system gets flashed
[2017-12-31 08:57:21]
mathieu.peyrega :
there is the updated version : <http://mydjiflight.dji.com/file/links/ZSA_260_20171214>
[2017-12-31 08:57:39]
opcode :
nope, thats the one for small crystalsky
[2017-12-31 08:58:05]
opcode :
zsa: small crystalsky, zsb: big crystalsky, gl300e: p4p
[2017-12-31 08:58:15]
mathieu.peyrega :
i'm interested if you have the link for fl300e then
[2017-12-31 08:58:43]
opcode :
<http://mydjiflight.dji.com/file/links/GL300E_v1220_20170928>
[2017-12-31 09:00:03]
mathieu.peyrega :
thanks
[2017-12-31 09:03:24]
ben_lin :
I think the gl300e and cs have the same logic when it comes to storage
[2017-12-31 09:03:30]
ben_lin :
so this should work
[2017-12-31 09:03:36]
ben_lin :
anything I need to download?
[2017-12-31 09:08:06]
opcode :
this is for flashing image to sd card
[2017-12-31 09:09:52]
opcode :
<https://drive.google.com/file/d/0B99O3A0dDe67XzBhYTRKS1BqTnc/edit>
[2017-12-31 09:10:15]
opcode :
this is an ubuntu image for rockchip devices.
[2017-12-31 09:11:32]
opcode :
@ben_lin unpack the image, then flash it to an sd-card 8gb or larger.
[2017-12-31 09:11:48]
ben_lin :
ok
[2017-12-31 09:12:18]
opcode :
we dont want to boot it into linux, just kick it in bootloader. its quite large, but i dont have another image handy and thats the image that works for me.
[2017-12-31 09:13:05]
opcode :
if this is working, we can think about the system.img flashing.
[2017-12-31 09:14:12]
ben_lin :
downloading
[2017-12-31 09:21:49]
opcode :
does the screen have 2 sdcard slots?
[2017-12-31 09:22:04]
ben_lin :
1
[2017-12-31 09:22:15]
opcode :
ok
[2017-12-31 09:23:40]
opcode :
when you flashed the sdcard, power down the remote completely, put the sdcard in and power up. you should see a black screen only.
[2017-12-31 09:31:11]
ben_lin :
extracting the 7z file
[2017-12-31 09:31:43]
ben_lin :
guess I should format the sd card before flashing?
[2017-12-31 09:31:50]
opcode :
nope, not needed.
[2017-12-31 09:34:07]
ben_lin :
windisk32 tool for flashing...
[2017-12-31 09:37:46]
ben_lin :
write complete
[2017-12-31 09:38:58]
ben_lin :
@opcode as u said, put it in p4p+ and turn on, black screen
[2017-12-31 09:39:15]
opcode :
great
[2017-12-31 09:39:35]
opcode :
now connect to your pc and see if it gets recognized
[2017-12-31 09:40:37]
ben_lin :
USB Mass storage device
[2017-12-31 09:40:39]
ben_lin :
no adb
[2017-12-31 09:41:13]
opcode :
great, now fire up ROM_Dumper_Tool.exe i send you
[2017-12-31 09:42:53]
ben_lin :
found one loader device
[2017-12-31 09:42:57]
opcode :
yeah!
[2017-12-31 09:43:21]
opcode :
go to the advanced function tab
[2017-12-31 09:44:06]
opcode :
in "Start:" put "0", in "Count:" put "2" and click ExportImage
[2017-12-31 09:44:43]
ben_lin :
Export Image Success
[2017-12-31 09:45:16]
ben_lin :
the file is 1KB in size
[2017-12-31 09:45:30]
opcode :
In the dir where rom dumper tool is, there is an "Output" folder. there is the exported image. open it with text editor and post the output here
[2017-12-31 09:47:52]
ben_lin :
wth
[2017-12-31 09:47:54]
ben_lin :
wrong
[2017-12-31 09:47:58]
ben_lin :
one sec
[2017-12-31 09:48:56]
ben_lin :
somehow using word pad copy and paste doesnt work
[2017-12-31 09:49:00]
ben_lin :
so I uploaded it
[2017-12-31 09:52:06]
opcode :
hmm. no system partition
[2017-12-31 09:52:21]
opcode :
ah
[2017-12-31 09:52:23]
opcode :
fuck
[2017-12-31 09:52:51]
opcode :
thats the partitions of the linux image
[2017-12-31 09:52:54]
opcode :
lol
[2017-12-31 09:53:28]
ben_lin :
rip
[2017-12-31 09:53:44]
opcode :
no, that shows that we can kick it in bootloader mode
[2017-12-31 09:55:41]
opcode :
this is all experimental, so guess and try.
[2017-12-31 09:56:01]
ben_lin :
OK。。what now
[2017-12-31 09:56:48]
opcode :
need to do more research. but at last we got some steps forward.
[2017-12-31 09:56:55]
opcode :
you need it urgently fixed?
[2017-12-31 09:57:39]
ben_lin :
kind of...was planning to send it back to DJI today
[2017-12-31 09:57:47]
ben_lin :
got a spare mavic tho
[2017-12-31 09:59:59]
opcode :
ah, did you try fastboot devices?
[2017-12-31 10:00:58]
ben_lin :
having dinner now...gonna try in 15min
[2017-12-31 10:23:48]
ben_lin :
@opcode how do I get it into fastboot from the android tool
[2017-12-31 10:27:46]
ben_lin :
in the ROM flash tool it doesnt recognize the device
[2017-12-31 10:43:43]
opcode :
yeah, you should do just a check if fastboot is present with "fastboot devices". this has nothing to do with android tool.
[2017-12-31 10:47:46]
ben_lin :
ok...
[2017-12-31 10:48:51]
ben_lin :
in cmd it shows nothing...
[2017-12-31 11:02:48]
ben_lin :
sending this bad boi back to DJI... leaving for trip soon, just gonna bring my mavic
[2017-12-31 11:12:12]
opcode :
should be your best option. i can not guarantee you that we fix it in time, as this is all experimental.
[2017-12-31 11:13:15]
ben_lin :
curious how DJI would deal with it
[2018-01-01 20:15:36]
mathieu.peyrega :
is there a way to change the /mnt/internal_sd filesystem from vfat to ext4 or something that supports symbolic links ?
[2018-01-02 01:48:20]
moto234 :
Can you tell me the details of the crystalsky root in detail?
[2018-01-02 08:09:45]
mathieu.peyrega :
<https://dji.retroroms.info/howto/crystalsky>
[2018-01-04 14:27:15]
moto234 :
use linux os?
[2018-01-04 14:59:29]
jcase :
you dont need to use linux
[2018-01-04 14:59:35]
jcase :
you can just push the exploit to device
[2018-01-04 14:59:37]
jcase :
through adb
[2018-01-04 14:59:38]
jcase :
and run it
[2018-01-04 18:42:40]
nixuspix :
Hello to everyone here! How to install patched dgigo4 4.1.15 on crystalsky? I have 4.14 stock on it currently and patched is prevented from installation
[2018-01-04 18:59:36]
mathieu.peyrega :
to install on CS, you need to change a few things : the package name (must be different than the one of an app installed on the CS) in the manifest, you also need to have a different facebook...providerId. The new RunMeNG.sh scripts on the modder repo can take care of that. You also need to apply the patch runonCS because otherwise, the app is checking at run time that it's on a CS
[2018-01-04 19:00:32]
mathieu.peyrega :
In the process, you will need to generate a Google Map API key and you will lose Here Maps in profit of Google Maps.
[2018-01-04 19:01:02]
mathieu.peyrega :
The other way may be to delete the DJI GO 4 system App first (if this is possible)
[2018-01-04 19:01:59]
mathieu.peyrega :
If you are able to do so, you can use the dji.go.v4 package name, you will not lose HereMaps as the packagename vs. HereMap key in manifest is still valid, you still have to apply the runoncs patch
[2018-01-04 20:21:54]
nixuspix :
Thank You Matioupi for comprehensive answer. But for noobs, like me it generates more questions only, unfortunately. First, how to apply runoncs patch. I have downloaded from modder repo to my mac. Trying to delete looks easier for me, but i know that deleting may lead to unpredicted results as well. Will i be able to restore through factory reset, or i can brick my CS?
[2018-01-04 20:27:41]
nixuspix :
Looks i have to learn a lot of things first
[2018-01-04 20:29:55]
nixuspix :
I guess the modded djigo4 version i have is already patched for CS, as i can see on start the string " run on crystalsky..."
[2018-01-05 17:28:49]
opcode :
@channel Great news. I found a way, to kick the CrystalSky into Bootloader Mode with a button combination. Power down CS, press and hold power and back button for about 5 seconds. Voila, Bootloader Mode. :slightly_smiling_face:
[2018-01-05 17:30:14]
opcode :
As we can already backup and flash the system partition, this is a good way to get a backup and reflash if something goes mess in the system.
[2018-01-05 17:30:17]
jcase :
download or uboot
[2018-01-05 17:30:30]
jcase :
you can also use it for root
[2018-01-05 17:30:33]
jcase :
with pre rooted system image
[2018-01-05 17:31:26]
opcode :
It kicks it in "Loader" Mode, means it gets recognized by the Rockchip Android Flash Tool
[2018-01-05 17:32:16]
opcode :
yep, that was my goal. i should backup my clean system from my CS Ultra and try to flash it to my "normal" CS.
[2018-01-05 17:32:52]
codeforge :
great :+1: :+1: :+1:
[2018-01-05 17:33:40]
opcode :
Thats really great. We can make prebuild system images, with root and modded GO4 apk pre installed. :slightly_smiling_face:
[2018-01-05 17:33:50]
ben_lin :
I cry...
[2018-01-05 17:33:55]
opcode :
lol
[2018-01-05 17:34:12]
opcode :
but that wouldnt work with your p4p screen. no back button
[2018-01-05 17:34:16]
ben_lin :
I tried damn Hard to find button combo for p4p
[2018-01-05 17:34:18]
ben_lin :
ik
[2018-01-05 17:34:35]
opcode :
you only have power button, right?
[2018-01-05 17:34:40]
ben_lin :
yeah
[2018-01-05 17:34:51]
ben_lin :
which doesn't even turn off the remote
[2018-01-05 17:34:55]
ben_lin :
facepalm
[2018-01-05 17:35:22]
opcode :
tell dji to keep their crap and send you an CS instead.
[2018-01-05 17:35:53]
ben_lin :
I am cool with it as long as the app don't override my nfz parameter I Told DJI that and they say no
[2018-01-05 17:36:46]
ben_lin :
I was about to exchange remote with my friend
[2018-01-05 17:36:51]
jcase :
well i can no longer fly in apiary
[2018-01-05 17:36:52]
jcase :
updated
[2018-01-05 17:37:33]
ben_lin :
why
[2018-01-05 17:37:48]
jcase :
updated drone
[2018-01-05 17:38:03]
ben_lin :
p4p?
[2018-01-05 17:38:18]
jcase :
mavic
[2018-01-05 17:38:39]
ben_lin :
I don't see why... u can turn off nfz and stuff
[2018-01-05 17:39:08]
jcase :
i thought you couldnt
[2018-01-05 17:39:10]
jcase :
on the newest firmware?
[2018-01-05 17:39:26]
ben_lin :
yes u can
[2018-01-05 17:39:33]
ben_lin :
dude u enabled us to do so
[2018-01-05 17:39:51]
jcase :
no i enabled downgrade
[2018-01-05 17:40:28]
ben_lin :
downgrade to 700, open newest fw file with 7z, delete module 305 306, confirm and close window, then flash this modded fw
[2018-01-05 17:40:35]
ben_lin :
boom, u good
[2018-01-05 17:40:40]
jcase :
ah nah i want to stay stock now, research mode
[2018-01-05 17:41:01]
ben_lin :
ok...just sayin it is possible
[2018-01-05 17:41:38]
jcase :
thanks
[2018-01-05 17:41:52]
jcase :
my kids love this thing so much
[2018-01-05 17:41:58]
jcp711 :
You know that DJI is just worked up about a lot of nothing when the people that hack the drones don't actually care about flying them hacked. LOL
[2018-01-05 17:42:20]
jcp711 :
It's more about the thrill of the hack.
[2018-01-05 17:42:25]
ben_lin :
ikr
[2018-01-05 17:42:59]
ben_lin :
I spent more time trying to learn what the OGs did than actually flying in recent 2 months
[2018-01-05 17:44:37]
jcp711 :
I think I spent more time reading this slack group than actually flying. And I've not even hacked my drone yet. Just knowing I can though makes me feel good. LOL
[2018-01-05 17:45:14]
ben_lin :
SO TRUE
[2018-01-05 17:45:26]
ben_lin :
and watching DJI get rekt is also fun
[2018-01-05 17:45:41]
ben_lin :
especially knowing that there are DJI spies here
[2018-01-05 17:45:41]
hostile :
@jcp711 LOL yeah I am a total bench queen
[2018-01-05 17:46:08]
hostile :
@ben_lin some poor DJI employee gets paid to sit here and watch the company get destroyed every day, and take notes.
[2018-01-05 17:46:15]
hostile :
*waves at the poor employee now*
[2018-01-05 17:46:35]
hostile :
<https://twitter.com/d0tslash/status/949097951716134912>
[2018-01-05 17:47:10]
ben_lin :
***while bowing to the Chinese government***
[2018-01-05 17:49:04]
opcode :
@jcase the only thing that fucks me up, is this bootloader/uboot shit. did DJI reply to your remark about uboot GPL other then wanting you to sign NDA?
[2018-01-05 17:50:16]
ben_lin :
wait...GPL used and want ppl to sign NDA?
[2018-01-05 17:50:22]
ben_lin :
WTF are they doing
[2018-01-05 17:52:56]
opcode :
@ben_lin <https://twitter.com/jcase/status/944800130196152320>
[2018-01-05 17:53:54]
digital1 :
Well done all good news to have backup now
[2018-01-05 17:56:24]
ben_lin :
Well I smell NDA
[2018-01-05 17:56:33]
ben_lin :
And loads of bs
[2018-01-05 17:59:12]
jcase :
they never replied
[2018-01-05 17:59:56]
opcode :
what else :face_with_rolling_eyes:
[2018-01-05 18:22:10]
bin4ry :
You need to wait 2 weeks for them to respond :joy::joy::joy::joy:
[2018-01-05 20:33:46]
kilrah :
I think it's 2 weeks per keyboard letter pressed
[2018-01-06 18:46:30]
mathieu.peyrega :
Just reading that the bootloader mode can be reach with key combo. Does it mean we can reflash fresh image anytime if something goes wrong ?
[2018-01-06 18:47:23]
ben_lin :
Just got my p4p+ back
[2018-01-06 18:48:39]
mathieu.peyrega :
that was fast ! (compared to the key pressing rate described right above :slightly_smiling_face: )
[2018-01-06 18:49:52]
ben_lin :
Well their hw department is better i guess
[2018-01-06 18:50:13]
ben_lin :
prob the keyboard for emails are broken
[2018-01-06 19:22:15]
jcase :
@mathieu.peyrega yes CS is more or less non brickage from bad software
[2018-01-09 09:11:46]
opcode :
What a fuckery. I can backup the partitions, but flashing or erase doesnt work. I highly suspect the bootloader protecting everything, even i unlocked it.
[2018-01-09 15:30:41]
opcode :
@jcase any idea? ^^
[2018-01-09 15:44:11]
jcase :
no
[2018-01-09 15:44:18]
jcase :
hmm
[2018-01-09 15:49:47]
opcode :
root@kali:/# fastboot devices
0123456789 fastboot
root@kali:/# fastboot oem unlock
...
FAILED (remote: already unlocked)
finished. total time: 0.008s
root@kali:/# fastboot getvar secure
secure: no
finished. total time: 0.008s
root@kali:/#
[2018-01-09 15:57:14]
opcode :
I just noticed an interesting behaviour of the cs. if you kick it in fastboot or bootloader mode, the device connects, stays for some seconds, disconnects and comes back up. i have read somewhere, that this is the bootdelay from uboot to stop booting with a command and get into the uboot console.
[2018-01-09 16:08:39]
mathieu.peyrega :
I have some devices like that at work
[2018-01-09 16:09:07]
mathieu.peyrega :
but you need access through UART to stop the boot
[2018-01-09 16:38:36]
opcode :
ah, yes thats what i saw. wonder, if theres an serial over usb up in these 5 seconds on the cs.
[2018-01-10 14:39:40]
hostile :
yeah @opcode this is what I am recalling too. <https://dji-rev.slack.com/archives/C6K376JGZ/p1515489106000395>
[2018-01-10 14:40:18]
hostile :
<https://dji-rev.slack.com/archives/C6K376JGZ/p1515514147000661> when @jcase is done with my CS... I'll crack it open and find the UART
[2018-01-10 14:41:45]
jcase :
@hostile what are you using to do that?
[2018-01-10 14:41:59]
jcase :
I can ship it anytime
[2018-01-10 14:42:56]
hostile :
Saleae Logic
[2018-01-10 14:43:18]
hostile :
<https://www.saleae.com/originallogic>
[2018-01-10 14:44:22]
hostile :
I have both classic and $current logic 8 <https://www.adafruit.com/product/2313>
[2018-01-10 14:44:25]
jcase :
i have one
[2018-01-10 14:44:28]
jcase :
not sure how to use it
[2018-01-10 14:44:36]
jcase :
had a gig that had huge budget
[2018-01-10 14:44:39]
jcase :
i got a lot of stuff lol
[2018-01-10 14:44:48]
hostile :
just put one on ground... tap a fuck ton of pins
[2018-01-10 14:44:49]
hostile :
click start
[2018-01-10 14:44:55]
hostile :
done
[2018-01-10 14:44:58]
jcase :
how do i tell
[2018-01-10 14:45:01]
jcase :
what is uart
[2018-01-10 14:45:03]
jcase :
and isnt
[2018-01-10 14:45:08]
hostile :
go to samples window and choose analyzers like "Serial UART"
[2018-01-10 14:45:14]
jcase :
ah
[2018-01-10 14:45:18]
hostile :
and it either decodes, or it doesn't
[2018-01-10 14:45:24]
jcase :
shame you cant get data sheets or repair guides
[2018-01-10 14:45:27]
hostile :
after a while you'll recognize what serial data looks like
[2018-01-10 14:45:29]
jcase :
thats what i do for phones
[2018-01-10 14:45:42]
hostile :
lC1860 is what we need data sheet for
[2018-01-10 14:45:48]
hostile :
on the drone side
[2018-01-10 14:45:52]
jcase :
does the mavic have a usable serial port
[2018-01-10 14:46:16]
hostile :
yeah, but only @martinbogo knows about it... and there is some weird switching / router thing internally that we think has it disabled.
[2018-01-10 14:46:23]
hostile :
there is a available uart on the transmitter IIRC
[2018-01-12 10:03:33]
mathieu.peyrega :
nice ! do you have the screen vendor visible ?
[2018-01-12 10:04:19]
opcode :
nope, didnt disassemble the frontside. seems easy to break. but i found a lot of i/o stuff pins.
[2018-01-12 10:05:30]
mathieu.peyrega :
you mean like uart to get the boot console and stop at u-boot ?
[2018-01-12 10:05:58]
opcode :
yup
[2018-01-12 10:13:51]
mathieu.peyrega :
even labeled ! are you able to power on while they get exposed ?
[2018-01-12 10:14:17]
opcode :
yes, they are on the upside of the board. so its possible.
[2018-01-12 10:14:28]
opcode :
but i dont have any equipment to do that.
[2018-01-12 10:15:01]
mathieu.peyrega :
you mean the probes or to put on the other side ?
[2018-01-12 10:15:29]
mathieu.peyrega :
or check the voltage logic levels ?
[2018-01-12 10:16:11]
opcode :
you can access the probes, while everything is installed. only the battery slot could become a bit difficult but it could be done.
[2018-01-12 10:17:34]
mathieu.peyrega :
sure this require preparation to avoid shorting something that should not !
[2018-01-12 10:18:14]
opcode :
yup. in first place i was hunting for some reset switch to put it in maskrom mode, but nothing to find.
[2018-01-12 15:26:41]
hostile :
ohhh snap @opcode you cracked her open!
[2018-01-12 15:26:52]
hostile :
make sure those photos get in wiki
[2018-01-12 15:27:19]
hostile :
all you need is an FTDI USB adapter!
[2018-01-12 15:28:50]
mathieu.peyrega :
unless the voltage is 1.8V, would that work with FTDI ?
[2018-01-12 15:29:27]
mathieu.peyrega :
I mean FTDI is for 3.3V/5V levels only or can it also be used in case of lower levels
[2018-01-12 15:29:34]
mathieu.peyrega :
?
[2018-01-12 16:01:27]
opcode :
@hostile pretty easy to open. just be careful, when pulling off the backcover. :slightly_smiling_face:
[2018-01-12 16:03:18]
opcode :
@mathieu.peyrega already looking for documentation of the UART of RK3288.
[2018-01-12 16:27:16]
opcode :
wonder whats the difference between those 2 UARTs. RK3288 documentation is unclear about that. RK3288 all in all has 5 UART´s.
[2018-01-12 16:31:26]
hostile :
@opcode just connect to it bro
[2018-01-12 16:31:31]
hostile :
do you have a serial to uart adapter?
[2018-01-12 16:31:48]
hostile :
literally connect to tx, rx, and gnd with ANY ftdi adapter
[2018-01-12 16:32:30]
opcode :
first have to order one. :wink:
[2018-01-12 16:33:25]
hostile :
<https://www.amazon.com/FT232RL-Serial-Converter-Adapter-Arduino/dp/B06XDH2VK9/ref=sr_1_5?s=electronics&ie=UTF8&qid=1515774792&sr=1-5&keywords=ftdi+usb+to+serial>
[2018-01-12 16:33:50]
opcode :
thanks. any other way then soldering to connect?
[2018-01-12 16:34:06]
opcode :
those probes are tiny
[2018-01-12 16:46:07]
kilrah :
if levels are 1.8 you CAN fry something, best to measure first or at least add a series resistor
[2018-01-13 16:09:36]
hostile :
I've NEVER ever needed to do that in my whole life of embedded security work generally speaking
[2018-01-13 16:09:43]
hostile :
heard the wives tale... never seen it happen
[2018-01-13 16:22:25]
mathieu.peyrega :
I did fried an odroid XU4 which have 1.8 logics using a usua adapter without level shifting first
[2018-01-14 09:46:33]
opcode :
FTDI Adapter will arrive tomorrow. Time to pull the soldering iron out. :slightly_smiling_face:
[2018-01-16 15:22:06]
opcode :
its 3.3 volt luckily. have to get another soldering iron. mine is way too big.
[2018-01-16 16:47:53]
hostile :
good luck!
[2018-01-16 18:22:33]
opcode :
@hostile i cannot stop the booting with hitting enter. any idea?
[2018-01-16 18:24:58]
mathieu.peyrega :
is your terminal in CR or CR+LF mode ?
[2018-01-16 18:25:11]
opcode :
CR
[2018-01-16 18:25:20]
mathieu.peyrega :
i usually use teraterm for that stuff and sometimes you have to set up CR+LF
[2018-01-16 18:25:30]
mathieu.peyrega :
otherwise your keystrokes are not interpreted
[2018-01-16 18:25:42]
mathieu.peyrega :
in teraterm there is a setting for this
[2018-01-16 18:27:29]
mathieu.peyrega :
also the first thing you may have to do is to change the watchdog timer value, I don't have the command here (i'm at hotel). I'll have a look tomorrow at work with a device where I can get the info
[2018-01-16 18:28:07]
mathieu.peyrega :
I had a system where I could enter U-boot, but if I did not issue the watchdog timeout command fast enough, it would keep booting anyway
[2018-01-16 18:28:34]
opcode :
yeah, thats what i probably need.
[2018-01-16 18:30:22]
opcode :
may also be a bad soldering connection. its VERY hard to get something to stick to these tiny probes
[2018-01-16 18:34:57]
mathieu.peyrega :
you could try some of these : <https://www.adafruit.com/product/2430>
[2018-01-16 18:35:09]
mathieu.peyrega :
with a third hand-like tool
[2018-01-16 18:37:01]
mathieu.peyrega :
for the watchdog, you can try :
[2018-01-16 18:37:06]
mathieu.peyrega :
set watchdog-timeout=3600
[2018-01-16 18:38:02]
mathieu.peyrega :
saveenv
[2018-01-16 18:40:21]
mathieu.peyrega :
I found a log of u-boot from my device : the variable was watchdog_t
[2018-01-16 18:41:12]
mathieu.peyrega :
so maybe set watchdog_t 3600 (with or without = sign, I don't remember) and then saveenv
[2018-01-16 18:44:32]
opcode :
thanks. will try that
[2018-01-16 18:45:18]
mathieu.peyrega :
the u-boot I had also featured a tftp server
[2018-01-16 18:45:50]
mathieu.peyrega :
I had to issue a command like tftp 4000000 uNewRamDisk to update the firmware at some point
[2018-01-16 18:46:06]
mathieu.peyrega :
full sequence was
[2018-01-16 18:46:36]
mathieu.peyrega :
addresses would need to be changed probably
[2018-01-16 21:08:47]
hostile :
bro! congrats first off... big step forward. <https://dji-rev.slack.com/files/U60JWFFC3/F8T1BT672/-.txt>
[2018-01-16 21:09:21]
hostile :
yeah... may be a bad RX pad... <https://dji-rev.slack.com/archives/C6K376JGZ/p1516127422000668>
[2018-01-16 21:10:06]
hostile :
@opcode I usually sit mashing the keys over and over
[2018-01-16 21:10:27]
hostile :
if you don't hit enter to go into FIQ mode... does it drop to a # shell after the thing boots?
[2018-01-16 21:12:29]
hostile :
<http://developer.t-firefly.com/thread-10232-1-1.html>
[2018-01-16 21:29:15]
opcode :
resoldered it to be sure. for the first output of the console i posted, i used another software which didnt work correctly. output now with the "serial" app on osx works fine and looks like this
[2018-01-16 21:29:54]
hostile :
so once all that stops, and you press enter.
[2018-01-16 21:29:58]
hostile :
are you at a linux prompt?
[2018-01-16 21:30:04]
hostile :
or did they not spawn a shell
[2018-01-16 21:30:22]
opcode :
nothing. and it never stops. everything thats happening on the device gets to the serial console.
[2018-01-16 21:30:28]
opcode :
no shell
[2018-01-16 21:30:32]
opcode :
no prompt
[2018-01-16 21:30:59]
opcode :
somehow i need to hit enter at the right moment to get into that fiq debugger.
[2018-01-16 21:31:11]
hostile :
ahh so they just sent kernel messages there
[2018-01-16 21:31:24]
hostile :
you do have keyboard input though, right?
[2018-01-16 21:31:32]
hostile :
like it is working just hard to get timing right?
[2018-01-16 21:31:35]
opcode :
yep. maybe wrong UART? i have another one on the board
[2018-01-16 21:31:44]
hostile :
cuz interrupting the uboot is really what you wanna do
[2018-01-16 21:31:56]
hostile :
and you should be able to just keep mashing keys as it boots like as soon as you turn it on
[2018-01-16 21:32:03]
hostile :
and don't stop
[2018-01-16 21:32:25]
hostile :
I'd certainly test the other UART too
[2018-01-16 21:32:27]
opcode :
what do you recommend for serial stuff on osx? screen? minicom?
[2018-01-16 21:32:29]
hostile :
no reason not to =]
[2018-01-16 21:32:36]
hostile :
yeah I use screen /dev/port 115200
[2018-01-16 21:32:50]
opcode :
reason not to test: tiny soldering fuckery. :smile:
[2018-01-16 21:32:59]
hostile :
haha noted!
[2018-01-16 21:33:06]
hostile :
get you some 22gauge wires
[2018-01-16 21:33:17]
opcode :
i used screen -L /dev/port 115200 -L
[2018-01-16 21:33:22]
opcode :
but didnt echo any commands
[2018-01-16 21:33:33]
hostile :
yeah -L is nice to trap the logging
[2018-01-16 21:33:44]
hostile :
yeah it not echoing is why i was confirming it was actually accepting input
[2018-01-16 21:34:11]
hostile :
like the first one you pasted...
[2018-01-16 21:34:13]
hostile :
```Starting kernel ...
<hit enter to activate fiq debugger>
Welcome to fiq debugger mode
Enter ? to get command help
debug>
Welcome to fiq debugger mode
Enter ? to get command help
debug> @
Welcome to fiq debugger mode
Enter ? to get command help
debug> ```
[2018-01-16 21:34:17]
opcode :
im not 100% sure if the commands go through.
[2018-01-16 21:34:18]
hostile :
you clearly did break into the debugger
[2018-01-16 21:34:23]
hostile :
can you type help there?
[2018-01-16 21:34:44]
opcode :
yeah, that log was from the fucked terminal soft i first used. but this somehow triggered the fiq debugger
[2018-01-16 21:35:03]
hostile :
you must have been mashing the enter key repeatedly?
[2018-01-16 21:35:16]
hostile :
```The Android FIQ debugger is often shipped as part of Google’s Nexus products and is similar in concept to kdb debugger found in the mainline kernel. Both debuggers allow a developer connected via a serial port to use a simple interactive command interpreter to examine the state of the system. The FIQ debugger has a number of interesting features that did not exist within kdb, these are summarized in an article describing our early work on the FIQ debugger.
```
[2018-01-16 21:35:21]
hostile :
<https://www.linaro.org/blog/debugging-arm-kernels-using-nmifiq/>
[2018-01-16 21:35:25]
opcode :
no, it was sending strings unintentionally with no input, thats why i switched to another terminal soft
[2018-01-16 21:35:50]
hostile :
is your ground ok?
[2018-01-16 21:36:26]
opcode :
yup, tested
[2018-01-16 21:37:21]
opcode :
to clarify, if i use screen i simply connect and type in the window, even there is no echo of my commands?
[2018-01-16 21:38:08]
hostile :
test the other one, and lets go from there
[2018-01-16 21:38:32]
hostile :
@jcase you wanna drop mine in the mail bro?
[2018-01-16 21:39:14]
jcase :
shit yeah i will sorry
[2018-01-16 21:39:20]
jcase :
ive got sick kids right now
[2018-01-16 21:39:25]
jcase :
ill get my wife to do it
[2018-01-16 21:56:03]
hostile :
weird
[2018-01-16 21:57:29]
hostile :
sounds like we need to get you a better RX connection from your TX end!
[2018-01-16 21:57:42]
hostile :
or that you need to move faster with your button mashing =]
[2018-01-16 22:12:01]
opcode :
Emulation XTerm is correct?
[2018-01-16 22:16:41]
hostile :
try vt100
[2018-01-16 22:56:30]
opcode :
no chance. Tried putty and teraterm on win. cannot kick it in fiq debugger
[2018-01-16 23:25:49]
opcode :
Hmm. There is Tx3d which I’m connected to, Tx2d which gave the strange Ram output and I think I found another UART, U4rx.
[2018-01-16 23:26:10]
opcode :
But where is Tx1d ?
[2018-01-17 10:42:49]
opcode :
lol. pulled tx from crystalsky to ground, and boom in fiq debugger. jumper back to correct connection and everything works. :slightly_smiling_face:
[2018-01-17 15:31:28]
hostile :
haha nice
[2018-01-17 15:31:55]
hostile :
I think you can use the reboot command to shellout IIRC
[2018-01-17 15:35:47]
hostile :
<https://www.usenix.org/system/files/conference/woot17/woot17-paper-hay.pdf>
[2018-01-17 15:35:50]
hostile :
see here:
[2018-01-17 15:35:55]
hostile :
for an example
[2018-01-17 15:36:11]
hostile :
try "console"
[2018-01-17 15:37:44]
hostile :
also: <https://nvd.nist.gov/vuln/detail/CVE-2017-0510>
[2018-01-17 15:38:15]
hostile :
that is Nexus specific abuse tho. <https://www.securityfocus.com/bid/96800>
[2018-01-17 15:41:50]
hostile :
@opcode "when a certain voltage threshold on the MIC pin is reached, turns that channel into a UART debug interface" <https://www.usenix.org/system/files/conference/woot17/woot17-paper-hay.pdf>
[2018-01-17 15:41:59]
hostile :
sounds kinda like what you did.
[2018-01-17 16:51:42]
opcode :
ah, nice documentation.
[2018-01-17 16:53:21]
opcode :
unfortunately, most commands give me „command bus busy“ including reboot. Maybe it gets fucked up through this flooding while tx pulled to gnd. :confused:
[2018-01-18 02:09:04]
jcase :
try
[2018-01-18 02:09:06]
jcase :
reset?
[2018-01-18 02:09:10]
jcase :
reset
[2018-01-18 02:09:25]
jcase :
i think reset is the one i used to confirm it was working
[2018-01-18 09:44:51]
opcode :
nope. reset simply restarts the device
[2018-01-18 10:54:25]
opcode :
now its fully working. you can kick it into fiq debugger anytime while the cs is running with pulling the RX3D pad to gnd shortly.
[2018-01-18 11:12:13]
opcode :
Seems like CVE-2017-0510 is still active on cs, as i have a full fiq debugger menu. but the reboot oem-42 doesnt work. as this is a nexus 9 specific command, it likely doesnt work on cs.
[2018-01-18 11:12:54]
opcode :
maybe we can "scan" for hidden fastboot oem commands with <https://github.com/alephsecurity/abootool>
[2018-01-18 11:13:53]
opcode :
@hostile but i have no idea how to install the python-adb for that
[2018-01-18 14:31:55]
hostile :
pip install python-adb ?
[2018-01-18 16:45:21]
opcode :
no chance with pip. trying manually. i HATE this packet and dependencies shit!
[2018-01-18 18:08:01]
jcase :
CVE-2017-0510 shouldnt impact crystal sky
[2018-01-18 18:08:13]
jcase :
unless i read it wrong
[2018-01-18 18:08:32]
jcase :
We can ask Roee
[2018-01-18 18:08:37]
jcase :
he is a good guy
[2018-01-18 18:08:49]
jcase :
met him after I burned his pixel bugs (reported them hours before he did)
[2018-01-18 18:09:50]
jcase :
@opcode if you can get it booting a modified image with the cmd line, which there should be a cmd for it, then we can do it over ucmd probably without opening cs
[2018-01-18 18:45:04]
opcode :
@jcase Hmm. I already tried adb side load, flashing, sd card with different images and the help of @bin4ry. Nothing worked. Seems like the bootloader is protecting everything. I hope that the uboot source will help with flashing another bootloader.
[2018-01-18 18:46:08]
opcode :
I’m sure fiq debugger has also some undiscovered options beside oem fastboot commands.
[2018-01-18 18:46:43]
jcase :
right i mean
[2018-01-18 18:46:54]
jcase :
you should be able to boot from memory address
[2018-01-18 18:46:58]
jcase :
with uboot cmd line
[2018-01-18 18:47:04]
jcase :
probably bypasses whatever check
[2018-01-18 18:48:34]
opcode :
yeah, that’s why I wanted to use abootool, but it’s hard to get it to work.
[2018-01-18 18:48:56]
jcase :
im pretty sure i have all the fastboot oem cmds
[2018-01-18 18:48:57]
jcase :
mapped out
[2018-01-18 18:48:58]
jcase :
in it
[2018-01-18 18:49:23]
jcase :
you're going to want fastboot oem ucmd and fastboot download
[2018-01-18 18:49:28]
jcase :
download lets you put a blob into memory
[2018-01-18 18:49:32]
jcase :
ucmd does the uboot cmds
[2018-01-18 18:50:27]
opcode :
never did that kind of stuff. got something to read for me?
[2018-01-18 18:50:40]
jcase :
not really, im not familiar enough with uboot unfortunately
[2018-01-18 18:50:50]
jcase :
but from what i read, there is a command to boot from a memory address
[2018-01-18 18:51:06]
jcase :
i do know the download cmd (need custom fastboot client, i can write one ) will upload data
[2018-01-18 18:51:12]
jcase :
to a pre defined address
[2018-01-18 18:51:19]
jcase :
but need to pull that address out of the boot binary
[2018-01-18 18:53:01]
opcode :
ah, I get it. but I guess we are not in uboot mode atm, we are simply in the debugger. we have the boot.img btw, via the OTA.
[2018-01-18 18:53:34]
hostile :
did you try "console"
[2018-01-18 18:53:39]
hostile :
over that FIQ debugger btw
[2018-01-18 18:54:02]
hostile :
I was curious if it gave a proper shell
[2018-01-18 19:01:30]
opcode :
yeah, it starts a console, but no idea what commands work there @hostile
[2018-01-18 19:01:53]
hostile :
screen it?
[2018-01-18 19:01:56]
hostile :
'help'
[2018-01-18 19:01:57]
hostile :
?
[2018-01-18 19:01:58]
hostile :
ps
[2018-01-18 19:02:00]
hostile :
id
[2018-01-18 19:02:00]
hostile :
ls
[2018-01-18 19:02:02]
hostile :
whoami
[2018-01-18 19:02:03]
hostile :
lol
[2018-01-18 19:02:34]
opcode :
All tried, except lol :smile:
[2018-01-18 19:04:14]
hostile :
show me the prompt
[2018-01-18 19:04:22]
jcase :
$$$$$
[2018-01-18 19:04:26]
jcase :
thats the prompt from dji
[2018-01-18 19:04:33]
hostile :
LOL
[2018-01-18 19:04:40]
hostile :
nah DJI be like:
[2018-01-18 19:04:49]
hostile :
(o) <---- insert that above here
[2018-01-18 19:05:05]
hostile :
#bendingoverforus #R-U-N?
[2018-01-18 19:05:40]
opcode :
lol
[2018-01-18 19:09:56]
opcode :
?ebug> ?
FIQ Debugger commands:
pc PC status
regs Register dump
allregs Extended Register dump
bt Stack trace
reboot [<c>] Reboot with command <c>
reset [<c>] Hard reset with command <c>
irqs Interupt status
kmsg Kernel log
version Kernel version
last_kmsg Last kernel log
sleep Allow sleep while in FIQ
nosleep Disable sleep while in FIQ
console Switch terminal to console
cpu Current CPU
cpu <number> Switch to CPU<number>
ps Process list
sysrq sysrq options
sysrq <param> Execute sysrq with <param>
consoleconsole
console mode
[ 51.167524] init: untracked pid
[2018-01-18 19:11:50]
opcode :
in console mode the messages are back:
[2018-01-18 19:11:58]
opcode :
[ 51.167524] init: untracked pid 1737 killed by signal 9
[ 61.102003] max_speed=99,cur_speed=0,enabled=0,cpu_temp=28
[ 120.299366] max_speed=99,cur_speed=0,enabled=0,cpu_temp=28
[ 179.496821] max_speed=99,cur_speed=0,enabled=0,cpu_temp=29
[2018-01-18 19:12:45]
opcode :
its more like simply kicked out of debug
[2018-01-18 19:13:08]
opcode :
rx to gnd and back in debugger
[2018-01-18 19:22:42]
hostile :
What happens if you press enter or Ctrlc now
[2018-01-18 19:22:54]
opcode :
nothing
[2018-01-18 20:15:19]
hostile :
literal syslog console
[2018-01-18 20:16:34]
hostile :
heh
[2018-01-18 20:16:38]
hostile :
try "sysreq e"
[2018-01-18 20:18:03]
hostile :
also "sysreq p"
[2018-01-18 20:28:32]
opcode :
I’m on mobile now. yeah, very likely. will try that tomorrow.
[2018-01-19 06:06:09]
hotelzululima :
heh heh I fried a gigabyte motherboard in the same fashion switching it on from an arduino pin..
[2018-01-19 06:11:41]
hotelzululima :
i find in those circumstance that degreasing the contacts to be soldered first with 90%+ isopropyl alcohol and using a flux pen can help also using wire which has above average “wetting” characteristics.. my goto is 30gauge silver plated copper /kynex insulated wire wrap wire, also mil spec 30gauge silver conductor teflon insulated(latter is a bitch to strip however)…
[2018-01-19 09:29:59]
opcode :
Hehe, yeah. but i have only basic equipment. but its good now. :slightly_smiling_face:
[2018-01-19 14:47:16]
hostile :
@opcode you can actually try glitching the memory and it may still drop you to a prompt FWIW...
[2018-01-19 14:48:26]
hostile :
@opcode I bet the NAND glitching still works... <https://www.exploitee.rs/index.php/Wink_Hub%E2%80%8B%E2%80%8B#NAND_Glitch_Method_.28Works_on_any_Wink_Hub_FW.29>
[2018-01-19 14:48:40]
hostile :
"After U-Boot starts, as the kernel begins loading, hold a wire and run it from GND to the NAND I/O 0 pin (#29). The kernel image will fail to load, dropping the user back to a U-Boot shell."
[2018-01-19 14:48:43]
hostile :
that works on LOTS of shit
[2018-01-19 14:49:49]
jcase :
those guys are great
[2018-01-19 14:49:59]
hostile :
I used to work with Amir at Accuvant
[2018-01-19 14:50:01]
jcase :
they taught me all the flash shit i know
[2018-01-19 14:50:33]
jcase :
Sequim, WA Bee Package 4 Pound Carniola Queen $135.00 X 20 = $2700.00
----------------------------------------------------------------------
Product Total $2,700.00
Sales Tax $216.00
Coupon Discount ($216.00)
[2018-01-19 14:50:35]
jcase :
whelp
[2018-01-19 14:50:40]
jcase :
80lbs of bees bought
[2018-01-19 14:50:47]
hostile :
shipped to DJI?
[2018-01-19 14:50:47]
jcase :
we going full on this year
[2018-01-19 14:50:50]
hostile :
=]
[2018-01-19 14:50:52]
jcase :
lol fuck that
[2018-01-19 14:51:02]
jcase :
thats my kids college funds bro
[2018-01-19 14:51:05]
hostile :
oh I thought you found the africanized stash
[2018-01-19 14:51:12]
jcase :
who knows what these are
[2018-01-19 14:51:16]
jcase :
ill kill the queens in them
[2018-01-19 14:51:23]
jcase :
and replace with my queens
[2018-01-19 14:51:38]
jcase :
if there is any africanized genetics in them, it will only last a few weeks
[2018-01-19 14:51:55]
hostile :
yeh just bad jokes about sending killer bees to dji
[2018-01-19 14:51:59]
jcase :
lol o
[2018-01-19 14:52:01]
jcase :
sorry
[2018-01-19 14:52:05]
jcase :
people actually worry about that
[2018-01-19 14:52:13]
jcase :
AHB dont survive here
[2018-01-19 14:52:26]
jcase :
and if you replace the queens, the genetics filter out
[2018-01-19 14:52:26]
hostile :
I remember a documentary on the island where they did the original breeding that they escaped from
[2018-01-19 14:52:29]
hostile :
was cool shit
[2018-01-19 14:52:36]
jcase :
yeah, well the funny thing
[2018-01-19 14:52:39]
jcase :
its not the african honey bee
[2018-01-19 14:52:44]
jcase :
that makes them grumpy
[2018-01-19 14:52:56]
jcase :
its the crossing of the african subspecies with the european one
[2018-01-19 14:53:17]
jcase :
actual african honey bee isnt an asshole like the crosses
[2018-01-19 14:53:21]
hostile :
yeah I don't recall the minute detail but it was a cool retro documentary in that pseudo color
[2018-01-19 14:53:22]
hostile :
=]
[2018-01-19 14:53:30]
jcase :
the added genetics diversity
[2018-01-19 14:53:35]
jcase :
makes them more vigorous
[2018-01-19 14:53:45]
hostile :
hybrid vigor is understood
[2018-01-19 14:53:50]
jcase :
yes!
[2018-01-19 14:53:56]
hostile :
it manifests elsewhere
[2018-01-19 14:54:05]
jcase :
yeah
[2018-01-19 14:54:13]
jcase :
well in bees it can manifest in a couple ways
[2018-01-19 14:54:17]
jcase :
a hive that THRIVES
[2018-01-19 14:54:24]
jcase :
and makes massive amounts of bees and honey
[2018-01-19 14:54:27]
jcase :
oooorrr
[2018-01-19 14:54:30]
jcase :
an asshole hive
[2018-01-19 14:54:39]
jcase :
lol
[2018-01-19 14:55:32]
jcase :
so the "african ones" we have here are Apis mellifera scutellata X Apis mellifera ligustica,
[2018-01-19 14:55:40]
jcase :
ligustica is italian sub species
[2018-01-19 14:55:58]
jcase :
scutellata is central/west african
[2018-01-19 14:56:05]
jcase :
they make a really angry cross
[2018-01-19 14:56:56]
jcase :
now you cross ligustica with carnica, you get a hive that grows fast, and collects lots of nectar
[2018-01-19 14:57:01]
jcase :
really interesting
[2018-01-19 14:57:08]
jcase :
you can "hack" bees
[2018-01-19 14:58:38]
jcase :
my goal is to apply the same mindset in what we do, to bee farming
[2018-01-19 14:58:51]
jcase :
so far it is working very well
[2018-01-19 14:59:32]
jcase :
i want to talk to nostarch lol
[2018-01-19 14:59:36]
jcase :
about a hacking the hive book
[2018-01-19 15:03:57]
hostile :
sorry SCRUM
[2018-01-19 15:03:58]
hostile :
back in a bit
[2018-01-19 15:04:19]
hostile :
<https://dji-rev.slack.com/archives/C6K376JGZ/p1516373828000563>
[2018-01-19 15:04:22]
hostile :
Mendel
[2018-01-19 15:04:29]
hostile :
bee fuzzing
[2018-01-19 15:04:43]
hostile :
good name "hacking the hive"
[2018-01-19 15:04:57]
jcase :
mendel's model doesnt apply
[2018-01-19 15:05:01]
jcase :
bees are diploid
[2018-01-19 15:05:06]
jcase :
mendel couldnt figure out the bee
[2018-01-19 15:05:10]
jcase :
he was really confused on it
[2018-01-19 15:06:04]
hostile :
interesting
[2018-01-19 15:06:06]
hostile :
did not know that
[2018-01-19 15:06:09]
jcase :
it REALLY is
[2018-01-19 15:06:11]
jcase :
super interesting
[2018-01-19 15:06:18]
hostile :
crispr time!
[2018-01-19 15:06:18]
jcase :
the whole genetics model is fucking WEIRD
[2018-01-19 15:06:20]
jcase :
its why i like it
[2018-01-19 15:06:22]
jcase :
have fun
[2018-01-19 15:06:38]
hostile :
no I mean crispr bees!
[2018-01-19 15:06:52]
hostile :
I'm already in scrum. =] and half listening to the other scrumpdates
[2018-01-19 15:07:03]
jcase :
o, i dont know these terms you are using lol
[2018-01-19 15:07:10]
jcase :
i just learned scrum lol
[2018-01-19 15:07:21]
hostile :
scrumpdate == play on words SCRUM Update
[2018-01-19 15:07:38]
hostile :
aka my 5 minutes "this is what I am working on today, this is what I worked on yesterday, this is where I am blocked"
[2018-01-19 16:56:36]
opcode :
but not accessible on the cs
[2018-01-19 18:30:48]
jcase :
you have to desolder
[2018-01-19 18:30:49]
jcase :
to get that
[2018-01-19 18:38:50]
hostile :
you trace out all the test points and other shit case?
[2018-01-19 19:27:41]
jcase :
ive done it on phones
[2018-01-19 19:27:45]
jcase :
mavic someone in hardware did
[2018-01-19 19:28:00]
jcase :
im not good at reballing, so i dont want to do it unless i have to
[2018-01-20 10:43:20]
opcode :
nope. recovery is still there.
[2018-01-20 10:44:50]
opcode :
now even all the tools report that the device is in maskrom mode, i cant write to the device.
[2018-01-20 10:48:57]
opcode :
root@kali:~/Schreibtisch/rkflashtool-master# sudo ./rkflashtool
rkflashtool: info: rkflashtool v5.2
rkflashtool: fatal: usage:
rkflashtool b [flag] reboot device
rkflashtool l <file load DDR init (MASK ROM MODE)
rkflashtool L <file load USB loader (MASK ROM MODE)
rkflashtool v read chip version
rkflashtool n read NAND flash info
rkflashtool i offset nsectors >outfile read IDBlocks
rkflashtool j offset nsectors <infile write IDBlocks
rkflashtool m offset nbytes >outfile read SDRAM
rkflashtool M offset nbytes <infile write SDRAM
rkflashtool B krnl_addr parm_addr exec SDRAM
rkflashtool r partname >outfile read flash partition
rkflashtool w partname <infile write flash partition
rkflashtool r offset nsectors >outfile read flash
rkflashtool w offset nsectors <infile write flash
rkflashtool p >file fetch parameters
rkflashtool P <file write parameters
rkflashtool e partname erase flash (fill with 0xff)
rkflashtool e offset nsectors erase flash (fill with 0xff)
[2018-01-20 16:43:05]
hostile :
*flips a table for you*
[2018-01-20 16:51:09]
opcode :
I’m going to gnd the emmc pin tomorrow. Fuck it.
[2018-01-20 16:57:08]
opcode :
btw, the whole “behavior” of the cs is very strange compared to other rk3288 devices. Simply annoying, even for the regular customer. No chance to fix i.e. via recovery. For every shit you have to send it back to dji. Only reason I can think of: big brother dji wants to control everything.
[2018-01-20 16:57:16]
opcode :
rant over. :smile:
[2018-01-20 17:02:57]
hostile :
we need to do that serial XOR authentication to the CDC device
[2018-01-20 17:03:53]
opcode :
yeah, but no idea how.
[2018-01-21 14:33:37]
hostile :
damn!
[2018-01-21 14:33:40]
hostile :
the glitch no worky
[2018-01-21 14:33:43]
hostile :
mother fuckers
[2018-01-21 14:34:12]
hostile :
was that a continual hard short @opcode like you never let go?
[2018-01-21 14:34:27]
hostile :
if so try tapping it repeatedly to only temporarily glitch it
[2018-01-21 14:35:32]
hostile :
<https://www.youtube.com/watch?v=YoBP_6yD-lw>
[2018-01-21 14:59:38]
opcode :
yeah, that happens when you short it from the beginning. cant do anything.
[2018-01-21 15:00:06]
opcode :
but waiting 2-3 sec into booting you get that :
[2018-01-21 15:00:32]
opcode :
glitch doesnt work.
[2018-01-21 15:00:55]
opcode :
but we are able to write the parameters file!
[2018-01-21 15:03:25]
opcode :
i guess the stuff with # in front of it, are leftovers @hostile?
[2018-01-21 15:40:09]
hostile :
niiiice bro!
[2018-01-21 15:40:12]
hostile :
where is that stored?
[2018-01-21 15:40:26]
hostile :
people are lazy and comment shit out all the time
[2018-01-21 15:41:10]
hostile :
change it to say init=/bin/sh
[2018-01-21 15:41:14]
hostile :
should drop you a shell
[2018-01-21 16:08:35]
opcode :
yeah, already reading into that. will try later. :slightly_smiling_face:
[2018-01-21 16:08:38]
opcode :
another idea:
[2018-01-21 16:08:39]
opcode :
<http://linuxforengineers.blogspot.de/2012/12/modify-u-boot-configuration-in-linux.html>
[2018-01-21 16:09:01]
opcode :
but im too dumb to compile stuff. :confused:
[2018-01-21 16:09:38]
opcode :
idea would be to modify the uboot config, to give a big timeout on boot.
[2018-01-21 17:16:40]
hostile :
@opcode get all that into the wiki so we don’t lose it :)
[2018-01-21 17:16:43]
hostile :
Good job
[2018-01-21 17:49:10]
hostile :
That shell is good too... just not the uboot shell you wanted
[2018-01-21 17:49:35]
hostile :
We may be able to get there by setting different arguments (or invalid ones)
[2018-01-21 19:14:46]
opcode :
I’m going to do a wiki on my GitHub. :blush:
[2018-01-21 19:15:56]
opcode :
It’s a bit frustrating atm. My goal was a custom recovery for everyone. Never wanted to dive that deep in the cs.
[2018-01-21 19:29:48]
hostile :
@jcase did you write the tool to push code into memory for @opcode yesterday? re: bootm
[2018-01-21 19:32:15]
jcase :
no but i can
[2018-01-21 19:32:23]
jcase :
does he have an image to push?
[2018-01-21 19:32:41]
jcase :
look at the pyfastboot implementation, that might be the fastest way to get a tool up to do it
[2018-01-21 19:33:15]
jcase :
but i can soonish
[2018-01-21 19:33:23]
jcase :
its the download command
[2018-01-21 19:33:36]
jcase :
someone would need to look in src or binary and figure out the mem location it gets pushed to
[2018-01-21 19:46:47]
opcode :
The question is, even if we push an image to memory, can we boot it? Afaik, the bootloader does a signing check of the images, i.e. the recovery. Or is it the kernel?
[2018-01-21 19:47:12]
jcase :
well im guessing booting from memory might skip that, have you found the code that checks it?
[2018-01-21 19:49:33]
opcode :
nope. I’m very bad at looking at source codes. I’m not even sure if it’s uboot that does this checking. at last, I was able to erase the recovery partition with shorting the emmc clock.
[2018-01-21 19:50:26]
opcode :
What is protecting the uboot and kernel from readout? is uboot capable of this?
[2018-01-21 19:51:02]
jcase :
could be a few things, the emmc controller itself, or pbl/sbl
[2018-01-21 19:52:12]
opcode :
ok. and where is the signing check done for the recovery?
[2018-01-21 22:48:49]
jcase :
that i dont know
[2018-01-23 19:18:55]
martinbogo :
nope... code signing is enforced by the CPU
[2018-01-24 12:17:30]
paulpaws :
Hi what the latest cs version safe to go to. Without fear of being locked from hacks by dji?
[2018-01-24 13:42:39]
opcode :
@paulpaws What exactly do you want to be able to do on the crystalsky?
[2018-01-24 20:18:30]
paulpaws :
Run the modded go 4 app and to have the FCC mode
[2018-01-25 17:44:39]
urkiata :
hello, I rooted CS 5,5 and created the NLDGO4114.apk from nolimitdronez website but I don't know how to install it. Is there somebody that can tell me what I have to do? side load or add failed installation
[2018-01-25 17:45:58]
urkiata :
adb not add sorry
[2018-01-25 20:48:45]
mathieu.peyrega :
Sorry, I don't know the NLD version and/or if it applies the needed patches to run on the CS.
[2018-01-25 20:49:09]
mathieu.peyrega :
on the CS, the native DJI GO 4 is a system app, so I guess you would first need to remove it
[2018-01-25 20:49:50]
mathieu.peyrega :
then in DJI GO code, there are some special logics when running on the CS detected from the device name. You need to patch those in order to let the code consider the CS as any other devices
[2018-01-25 21:12:57]
urkiata :
Thank you for your answer. How can I remove first the native DJI GO 4? And how can I retrieve if necessary in the future?
[2018-01-26 13:46:03]
bin4ry :
Just use the real patcher at the github. To remove the system version use n root explorer or such to do so
[2018-01-26 14:26:31]
urkiata :
Is possible to restore the system version DJI go 4 removed using n root explorer if I find some issue with the new one?
[2018-01-26 14:34:14]
hostile :
@urkiata "adb install NLDGO4114.apk" with the device connected via USB, or move the APK to a sd card, and open with a file explorer...
[2018-01-26 14:34:37]
hostile :
if those fail... send us output of "adb logcat" while running the "adb install" @urkiata
[2018-01-26 14:34:48]
hostile :
make sure you remove your existing DJI go...
[2018-01-26 14:35:02]
hostile :
adb install -r perhaps?
[2018-01-26 15:15:05]
mathieu.peyrega :
I'll try to write a small howto for making a specific CS version. I have one that is working perfectly without needing to remove the system app. The idea is to use the cloning mechanism I added in the modding system to change the package name so you can use it aside the dji.go.v4 package
[2018-01-26 15:15:52]
mathieu.peyrega :
you'll lose HereMaps because the heremap key is valid for a given package name only, so this will revert you to google maps
[2018-01-26 15:16:53]
mathieu.peyrega :
There is a way to keep Here Maps working : you use a package name from another DJI application with a known Here Maps key (such as GO 3 or the package from the P4+ tablet)
[2018-01-26 15:17:36]
mathieu.peyrega :
There are a few tweaks with that because some logics in the app depends on the package name and you'll have to patch (I'll write a small how to for that asap)
[2018-01-26 15:18:28]
mathieu.peyrega :
To sum up, the easiest way is : make a clone with the cloning mechanism implemented in the modder : you'll be able to install aside the GO4 system app (but will lose Here Maps)
[2018-01-26 15:19:01]
mathieu.peyrega :
If you are confident it's working, you can then remove the official system app DJI GO 4 and regen with dji.go.v4 package name which will restore HereMaps
[2018-01-26 15:19:31]
mathieu.peyrega :
The harder way is to get a HereMap key from another app and make your custom manifest
[2018-01-26 18:28:30]
urkiata :
@hostile CS 5,5 is rooted. First I installed system app remover apk, and I removed Dji Go 4 system app. A prompt advised me that it was removed and I can reinstall from the bin. I didn't try to empty the bin, then I copied NLDGO4114.apk on my sd card from my computer, tried to install with root browser app, gave grant permission SU, after a few seconds I read App not installed. Then I tried via adb. From terminal I connected CS to the computer from small usb, I type adb install /Users/urkiata/Desktop/NLDGO4114.apk it starts push files... after a few seconds I read /Users/urkiata/Desktop/NLDGO4114.apk: ... 8.7 MB/s (188170837 bytes in 20.525s)
pkg: /data/local/tmp/NLDGO4114.apk
Failure [INSTALL_FAILED_UPDATE_INCOMPATIBLE]
[2018-01-26 18:28:58]
hostile :
try gangster cow?
[2018-01-26 18:29:03]
hostile :
I don't have my CS atm
[2018-01-26 18:29:54]
urkiata :
@hostile no I didn't. Can you explain me exactly what I have to type?
[2018-01-26 18:40:13]
urkiata :
@mathieu.peyrega Thank you I really appreciate if you can write a guide to clone DJI go 4. Doesn't matter for the maps. Anyway I tried extract DJI go 4 system app and create the .apk package to test if I could remove system app, and reinstall it by adb or side load. I saw I can't. First I extracted DJI GO 4 with apk extractor app and I moved .apk to my sd, this part seems to work correctly, then with system app remover I removed DJI go 4 system app. App said DJI go 4 successfully uninstalled but I didn't try to empty the bin. Later I tried to install djigo4.apk that I obtained from apk extractor again via adb or side load but installation failed. I guess that I should empty the bin of system app remover to really delete everything, but what if later I need to restore? any idea why I can't remove DJI go 4 system app?
[2018-01-26 18:49:54]
hostile :
We aren’t really “write a guide” kinda people
[2018-01-26 18:50:10]
hostile :
!wiki
[2018-01-26 18:50:33]
hostile :
If it ain’t there it’s on you to add it
[2018-01-26 19:05:31]
urkiata :
@hostile sorry hostile, nevermind you are not wiki, I can run gangster cow by myself. You are right. Just a question: if I push NLDGO4114.apk via adb gangster cow will I overwrite something on the native DJI GO 4 so that it could damage the native app even in case the NLDGO4114.apk fails installation?
[2018-01-26 19:07:49]
hostile :
I look at is as EVERYTHING is fixable
[2018-01-26 19:07:51]
hostile :
=]
[2018-01-26 19:09:28]
urkiata :
Can you suggest to me the right app or method to create a nandroid before trying gangster cow?
[2018-01-26 19:11:43]
hostile :
I've backed up my CS exactly 0 times
[2018-01-26 19:11:47]
hostile :
you have more worries than me
[2018-01-26 19:17:43]
urkiata :
@hostile this is why you know more than me on Android. Unfortunately I searched how to goal several days before asking here. After rooting CS how did you install a new version of DJI go 4? If you did?
[2018-01-26 21:05:51]
urkiata :
@hostile just tried OriginalGangsterCow, doesn't work, I broke and fixed already, but I'm still searching to install new DJI GO 4. This is what I see:
iMac:OriginalGangsterCow-master urkiata$ adb devices
List of devices attached
1TSB34KL5G device
iMac:OriginalGangsterCow-master urkiata$ adb install /Users/urkiata/Desktop/NLDGO4114.apk
/Users/urkiata/Desktop/NLDGO4114.apk: ... 8.5 MB/s (188170837 bytes in 21.004s)
pkg: /data/local/tmp/NLDGO4114.apk
Failure [INSTALL_FAILED_UPDATE_INCOMPATIBLE]
iMac:OriginalGangsterCow-master urkiata$ ls
LastSkyCry.sh README.md dirtycow installd src
iMac:OriginalGangsterCow-master urkiata$ ./LastSkyCry.sh
dirtycow: 1 file pushed. 5.0 MB/s (47568 bytes in 0.009s)
installd: 1 file pushed. 4.7 MB/s (38424 bytes in 0.008s)
Running exploit, may take some time
WARNING: linker: /data/local/tmp/dirtycow: unused DT entry: type 0x6ffffffe arg 0x5f8
WARNING: linker: /data/local/tmp/dirtycow: unused DT entry: type 0x6fffffff arg 0x1
Install what ever you want now via 'adb install'
iMac:OriginalGangsterCow-master urkiata$ adb install /Users/urkiata/Desktop/NLDGO4114.apk
/Users/urkiata/Desktop/NLDGO4114.apk: ... 9.0 MB/s (188170837 bytes in 20.038s)
pkg: /data/local/tmp/NLDGO4114.apk
Failure [INSTALL_FAILED_UPDATE_INCOMPATIBLE]
[2018-01-26 21:08:05]
djislack :
@urkiata Excuse me if this is a dumb question - but is the App that is usually on CS older than the newest DJI Go 4 ?
[2018-01-26 21:12:33]
hostile :
<https://stackoverflow.com/questions/11891848/install-failed-update-incompatible-when-i-try-to-install-compiled-apk-on-device>
[2018-01-26 21:13:09]
urkiata :
yes it is. On my CS I have 4.1.14 and if I update I can get 4.1.18 I guess, but on Play store Dji released 4.2.4.
[2018-01-26 21:46:34]
djislack :
I see
[2018-02-05 19:29:58]
dbz :
hello
[2018-02-05 19:30:25]
dbz :
is it possible to root with the last update or no
[2018-02-05 19:57:51]
mathieu.peyrega :
which version ? is there a new one today ?
[2018-02-06 00:47:07]
the_lord :
even the CS in Aeroscope is rooted :stuck_out_tongue:
[2018-02-06 01:14:32]
tjtyler :
Should I root the CS before running OriginalGangsterCow? Also, can you enlighten me on the purpose of uboot?
[2018-02-06 01:15:44]
tjtyler :
I've been trying to load the NLDGO4114 on the CS by sideloading and it will not install.
[2018-02-06 06:34:14]
bin4ry :
You need to roll your own app with the patcher and add the CS patch
[2018-02-06 06:51:10]
tjtyler :
Thanks bin4ry, are you referring to the NLD patcher, the deejayeye-modder, or another on github?
[2018-02-06 16:59:32]
bin4ry :
Ofc deejayeye-modder. There is no other way to roll your own :wink:
[2018-02-06 17:40:50]
tjtyler :
@bin4ry Thanks again for pointing me in the right direction... I'll give it a shot
[2018-02-06 17:48:28]
mathieu.peyrega :
For CS i really suggest that you use the RunMeNg.sh version with cloning because there is already a dji.go.v4 package installed as a system app that you may not want to remove
[2018-02-06 17:49:43]
mathieu.peyrega :
some user reported that there was an issue at login screen where the "enter" button was hidden with version 4.1.15 but I don't remember facing this issue... the patch was supposed to be pre-applied in the non secneo version for 4.1.15
[2018-02-06 17:52:43]
tjtyler :
@mathieu.peyrega Thanks, I remember you mentioning previously about cloning the app. You wouldn't have a link handy for the RunMeNg.sh?
[2018-02-06 17:54:18]
mathieu.peyrega :
its in the latest version of modder on github, but the RunMeNg.sh script will only run on Linux or OSX
[2018-02-06 17:54:41]
mathieu.peyrega :
you can type RunMeNg.sh --help to get the full syntax
[2018-02-06 17:55:03]
mathieu.peyrega :
basically you'll need to add -c true switch for cloning
[2018-02-06 17:55:24]
mathieu.peyrega :
-i true if you want to give a new color to the cloned app
[2018-02-06 17:56:01]
mathieu.peyrega :
read all the messages that may print, it will give you indications about the missing packages that you may have to install on your computer
[2018-02-06 17:56:14]
mathieu.peyrega :
(and howto get them)
[2018-02-06 17:57:41]
mathieu.peyrega :
if you're on Windows, set up a small Linux virtual machine with VirtualBox. There are tons of tutorials for that. if you go this way, I suggest you use Ubuntu Mate 16.04 or 17.10 as system (because this is what i'm using to develop the script and you'll maximize your chances of success :slightly_smiling_face: )
[2018-02-06 18:11:39]
tjtyler :
@mathieu.peyrega Thanks for all the info ... Looks like I've got some reading to do before I move forward. I had previously read a piece by Bruce Lovelace and he talked about installing Linux <http://brianlovelace.com/allow-3rd-party-apps-on-dji-phantom-4-pro-plus-tutorial/> .... I am using Windows7, have the Mavic Pro and running the stock DJIGo4 4.1.14 in airplane mode on the CS and hoping DJI doesn't screw me around ... right now my main concern is in keeping it from phoning home and forcing any updates. I'm much more inclined to go with your suggestions ... Thanks
[2018-02-06 18:16:13]
mathieu.peyrega :
the link seems a detailed step by step tutorial. I really suggest Ubuntu Mate instead of debian. You'll find the ISO you need to feed your VirtualMachine here : <https://ubuntu-mate.org/download/>
[2018-02-06 18:17:11]
mathieu.peyrega :
for a start and for app patching purposes you don't need to go through all that adb install and config stuff
[2018-02-06 18:23:54]
tjtyler :
I'll definitely give it a go and giving me the link. I'll report back if I hit a wall somewhere or if it went smooth sailing ... I truly appreciate all the help.
[2018-02-06 18:36:29]
tjtyler :
If all else fails then I will go with bin4ry's suggestion of deejayeye-modder
[2018-02-06 18:48:29]
bin4ry :
@tjtyler what @mathieu.peyrega mentioned IS the deejayeye-modder :wink: the runmeng.sh is part of the modder github
[2018-02-06 19:21:42]
tjtyler :
I just took a peek in there and saw it, thanks for setting me straight. I've always thought that learning Linux would be nice at any rate. I'm just about to the point that I feel like the DJIGo4 app on the CS is like an alien and I want to rid myself of it .. lol:alien: If I can side step it and leave it on there then that's great but if not then I don't mind dumping it regardless of any warranty issues with DJI.
[2018-02-07 04:34:38]
bin4ry :
You don't need to learn any Linux stuff. That's basically just a click and run thing, only for cmdline. If that is over your head you need to ask someone to do it for you and send you the file. We personally don't share any files and only work on the patcher. NLD and others just use this patcher too.
[2018-02-07 04:35:15]
bin4ry :
So if I were you I would just run a live Ubuntu and run the .sh script. That is nothing more as a click and run to be honest
[2018-02-07 06:53:08]
tjtyler :
@bin4ry I'll probably play around with Linux anyway at some point but for what I'm trying to do here, I'll just go with the instructions in deejayeye-modder and with the information that you and @mathieu.peyrega have offered me here and see what I can work out. If I don't feel comfortable with how things are going then I'll reach out for additional help. I had patched the DJIGo4 4.1.4.apk a few weeks ago with the NLD Mod Client apk patcher but the CS won't let it install with adb or sideloading and I could not find a way with the CS to uninstall their proprietary DJIGo4 version. I'm hoping that cloning it will allow me to either install the modded version of 4.1.4 along side the original or simply replace the installed version. I'll post something here and let you guys know how things work out. I want to thank you both again for all your assistance and concerns.
[2018-02-09 14:52:07]
mathieu.peyrega :
seems like csroot (<https://github.com/Opcodeffm/csroot>) does not work anymore on the 2.05.00.00 version of CS firmware....
[2018-02-09 14:56:23]
mathieu.peyrega :
wrong alert... works after rebooting after fw update...
[2018-02-09 14:56:43]
mathieu.peyrega :
but first try to re-root right after upgrading firmware failed
[2018-02-09 15:21:46]
mathieu.peyrega :
also had to reflash gapps
[2018-02-13 02:16:03]
hostile :
Just confirmed Crystal Sky is an ImgTec Malta... <http://imgtec.com>
[2018-02-13 02:16:59]
hostile :
MIPS® Malta™ Platform User’s Guide - <ftp://ftp.trace32.com/Education/CodeScape/Documentation/Simulators/IASim_3_1_0/MIPS/MD01089-2B-MALTA-USG-00.70.pdf>
[2018-02-13 02:54:56]
djislack :
wow! That is seriously helpful
[2018-02-13 02:55:39]
djislack :
interesting
[2018-02-13 02:55:43]
djislack :
it will work with a MIPS64
[2018-02-13 02:56:51]
djislack :
now I have something to read all night :smile:
[2018-02-19 07:32:02]
ben_lin :
Anybody checked the runoncs patch for 4.1.22 yet?
[2018-02-24 07:09:14]
ben_lin :
@tjtyler did the root method work for you
[2018-02-24 15:36:19]
tjtyler :
@ben_lin I did not root the CS. I was successful using ./RunMeNg.sh -c true -i true for both 4.1.3 and 4.1.14. Both clones installed on the CS without any issues ... opened the apps and looks to be working but I haven't had the chance to try them out in the field. The only reason I may root for now is to be able to use Litchi and get google services to work without the annoying popups that are generated.
[2018-02-24 15:54:24]
tjtyler :
I was my own worst enemy in getting it done. @mathieu.peyrega suggested using Virtual Box and Ubuntu Mate and I found just installing it and carefully reading the notes and installing the added installs that it asks for finally did the trick for me. I made the mistake of trying to install Java and that gave me problems but I realized that Ubuntu included Java JDK and I left it at that and it worked great. Same for installing the toolchain, you have to carefully read the notes and install what it says to install. After that just used @bin4ry deejayeye-modder to do all the work. Once again following all the instructions given. Do take any shortcuts it will screw you up.
[2018-02-24 15:56:19]
tjtyler :
Do "not" take any shortcuts
[2018-02-24 20:51:13]
tjtyler :
As it turns out 4.1.3 clone did not install correctly on the CS but 4.1.14 clone is ok
[2018-02-28 08:38:35]
ben_lin :
@mathieu.peyrega did you ever get around that CS system partition issue
[2018-02-28 08:48:29]
ben_lin :
so i rooted the cs and google maps works perfectly
[2018-02-28 08:48:35]
ben_lin :
after installing google services
[2018-03-01 12:50:48]
mathieu.peyrega :
No... I dont think there is any easy workaround...
[2018-03-03 23:36:35]
tjtyler :
@ben_lin Do you get any of the popups about "google services not working" after you rooted the CS?
[2018-03-03 23:41:31]
ben_lin :
nope
[2018-03-04 00:15:08]
tjtyler :
@ben_lin Thanks, that's what I wanted to hear. I think I'm going to follow your lead and give it a go when I get some time this week.
[2018-03-04 00:42:58]
ben_lin :
@tjtyler I followed methods on the wiki and worked like a champ
[2018-03-04 00:58:29]
binburra :
I'm a little behind on progress here so pardon the question if I'm off point. Has anyone managed to root the latest CS firmware?
[2018-03-04 01:06:57]
ben_lin :
@binburra root method on wiki for cs works on latest
[2018-03-04 01:07:05]
ben_lin :
I just rooted a week ago
[2018-03-04 01:22:49]
binburra :
I managed to root with a Linux terminal and lord root this time but haven't been able to successfully load the patched go4 apps. I could before but not since rooting the new CS version, I'm not sure what I've done wrong? Anyone got a clue?
[2018-03-04 01:30:01]
ben_lin :
You actually can’t load go4 patched as an update
[2018-03-04 01:30:29]
ben_lin :
@binburra you need to change the package name and install as separate version
[2018-03-04 01:42:56]
binburra :
I patched the apk file with NLD and accepted the default app name of NLDGO4, is that all I should need to do?
[2018-03-04 01:50:51]
ben_lin :
Did NLD offer function to change package name of apk?
[2018-03-04 02:01:45]
binburra :
no, nothing there to do that, just input file and output file options to browse to and the programme does the rest. It worked fine before I upgraded and rooted the second time round - -
[2018-03-04 02:06:52]
ben_lin :
Dji introduced apk verification for dji apps
[2018-03-04 02:07:03]
ben_lin :
In the newest fw for cs
[2018-03-04 02:07:25]
ben_lin :
So patched go4 apps can’t be installed without changing package name
[2018-03-04 02:07:58]
ben_lin :
You need to go through the clone process to create that separate apk
[2018-03-04 02:18:10]
binburra :
ok, so before the only way I could get the app loaded was to use an app cloner that worked great but now that isn't working. Would the update have killed that process? So is there any way I can clone the NLD apk or do I need to start from scratch- - thanks for your responses to date, it's very helpful- -
[2018-03-04 06:00:07]
bin4ry :
Use the repo and run the script on Linux. It has an option to do that built in
[2018-03-05 16:41:33]
jcase :
@ben_lin which kind of verification? They had it previously via some metadata tag, and i posted a patch to the app for that
[2018-03-05 16:41:34]
jcase :
in here
[2018-03-05 18:44:25]
ben_lin :
@jcase something to do with the signing key not matching, so u cant install as update.
[2018-03-05 18:44:30]
ben_lin :
I need to logcat it later
[2018-03-05 18:44:37]
jcase :
that's normal
[2018-03-05 18:44:44]
jcase :
that's basically android
[2018-03-05 18:44:48]
jcase :
you can overwrite something
[2018-03-05 18:44:54]
jcase :
with a different key
[2018-03-05 18:45:28]
ben_lin :
yeah. for most ppl it would be easier to just change package name and install them side by side
[2018-03-05 18:45:35]
ben_lin :
or just remove the original one
[2018-03-06 05:28:43]
paulpaws :
Hi what version cs is safe to go to for the side loading of patched go4 apps. I modded most of the go 4 app from 4.1.3 up to 4.1.22. Also do I need to do root in order to side load these modded apps. (Not sure what version my cs is on, will have to check) Thanks in advance.
[2018-03-07 14:23:10]
hostile :
Original Gangster cow @paulpaws or the other one by @opcode <https://github.com/Opcodeffm/csroot>
[2018-03-07 14:23:33]
hostile :
<https://github.com/MAVProxyUser/OriginalGangsterCow>
[2018-03-07 22:13:22]
paulpaws :
Thanks for that @hostile. But do I need to root in order to install the modded go apps. And what version of CS am I safe to go to before rooting if I need to. I just need an informed decision before I go and do this. Don’t wanna f something up. :)
[2018-03-07 22:15:17]
jakub :
damn... I would like already have root on my CS, but instead I got rected with power adapter (mavic pro user) lol...
[2018-03-07 22:15:45]
jakub :
!wiki
[2018-03-07 22:16:18]
jakub :
@paulpaws navigate to HowToHack -> CS
[2018-03-07 22:24:52]
paulpaws :
On the wiki page right ? I have read that info already. But want some answers regarding last version safe to do so. @jakub
[2018-03-07 22:25:54]
mathieu.peyrega :
it's ok with latest DJI public firmware for CS
[2018-03-07 22:26:41]
mathieu.peyrega :
2.05.0000
[2018-03-07 22:29:59]
paulpaws :
Thanks for that @mathieu.peyrega do I need to root in order to run the modded go apps or not needed.
[2018-03-07 22:30:15]
paulpaws :
If not needed is it best to root also ?
[2018-03-07 22:31:28]
mathieu.peyrega :
You don't need to depending what you want to do
[2018-03-07 22:32:09]
mathieu.peyrega :
You need (I think) clone to run on CS
[2018-03-07 22:33:08]
mathieu.peyrega :
if you clone without a matching HereMap API key vs package name (eg from another DJi app) then you probably want Google Maps
[2018-03-07 22:33:33]
mathieu.peyrega :
and for Google Maps you need Google Play services
[2018-03-07 22:33:45]
mathieu.peyrega :
then Gapps... then root
[2018-03-07 22:34:26]
mathieu.peyrega :
In the end... root will make your life easier anyway and it's really straightforward
[2018-03-07 22:35:28]
mathieu.peyrega :
I have a 2.05.000 7.85 in version rooted. Works well with 4.1.22
[2018-03-08 02:12:22]
paulpaws :
@mathieu.peyrega thanks for that. So I just follow all the info from the retro rom wiki and it should all be good to go! If I have problems you don’t mind me asking for help do you ?
[2018-03-08 20:43:18]
jakub :
stupid USB-C...
[2018-03-08 20:43:33]
jakub :
can I move csroot files via filemanager on CS itself?
[2018-03-08 20:43:49]
jakub :
or `/data/local` partition is not accessible on it?
[2018-03-08 20:46:26]
jakub :
nvm, found adapter :wink:
[2018-03-08 20:46:38]
jakub :
I'm amazed how much stuff I can find in my own stuff...
[2018-03-08 22:15:58]
jakub :
<http://dji.retroroms.info/howto/crystalsky>
```
You've found a Glitch!
You've found yourself in a weird place.
Probably not the place you were looking for. ¯\_(ツ)_/¯
```
for both modified installd and build.prop links.
Can someone link those ?
Thanks!
[2018-03-08 22:32:17]
jakub :
nvm, found out that `installd` is not working on new CS versions, though edited `build.prop` would be great :wink:
[2018-03-13 13:13:25]
hostile :
weird Len, that page works for me
[2018-03-13 13:51:38]
jakub :
@hostile wiki page is working, but links to `installd` and `build.prop` are broken
[2018-03-13 14:27:37]
hostile :
use the one in OG Cow? <https://github.com/MAVProxyUser/OriginalGangsterCow>
[2018-03-13 14:27:49]
hostile :
<https://github.com/MAVProxyUser/OriginalGangsterCow/blob/master/installd>
[2018-03-13 14:27:56]
hostile :
fix the wiki links if that works for you
[2018-03-13 14:33:03]
jakub :
@hostile <https://github.com/Opcodeffm/csroot/commit/113d86ee4040aecc48aa21c42d4161e3677ce7ab> looks like `installd` is not working on new CS fw
[2018-03-13 14:33:10]
jakub :
yeah I'll register and fix things in free time
[2018-03-13 14:33:39]
jakub :
but still no access to `build.prop` :wink: so if you'll find a sec please push your own, ofc if you're using wiki's one
[2018-03-14 00:13:54]
jcase :
<!here> did crystal sky get updated for air?
[2018-03-14 00:48:36]
ben_lin :
@jcase yes
[2018-03-14 00:48:43]
ben_lin :
4.2.6 on cs
[2018-03-14 00:51:32]
jcase :
is it secneo protected?
[2018-03-14 06:16:05]
mathieu.peyrega :
Yes
[2018-03-15 05:25:11]
tjtyler :
I used ./RunMeNg.sh in Linux Ubuntu from deejayeye-modder to clone 4.1.14 nosecneo and it is working great. Cleared the data and disabled the original DJI GO4 4.1.14 on the CS. Also have google maps and imagery working on it too. No root.
[2018-03-15 05:34:05]
tjtyler :
./RunMeNg.sh -c true -i true
[2018-03-15 14:31:34]
timopro :
I tried to Root the CS.. but when I launch the ./copy.sh it says no permission to the folder ../temp/..
[2018-03-15 23:51:49]
timopro :
<https://forum.xda-developers.com/android/software-hacking/replace-kingoroot-supersu-manually-t3573361>
[2018-03-15 23:53:20]
timopro :
I used it to root my CS 5.5 (with latest FW) and I was able to install the Google Play Store with the procedure found in <https://dji.retroroms.info/howto/crystalsky> .. because with the CS rooting procedure I was not able to do it...
[2018-03-25 12:12:22]
digital1 :
Any news on Google Play easy install for CS ?
[2018-03-25 12:47:14]
paulpaws :
Its all in the wiki
[2018-03-25 12:48:07]
paulpaws :
!wiki
[2018-04-09 22:06:44]
wetzel.timo :
APK installation blocked
DJI blocked apk installation, they do this through a modified installd. Bin4ry patched the installd to allow installations again, download it here: <https://dji-rev.slack.com/files/bin4ry/F6L7R9ZFT/installd> With root remount the system partition rw and then overwrite the original installd in /system/bin/installd. Make sure you keep the correct file permissions.
This will allow sideloading of APKs.
[2018-04-09 22:06:58]
wetzel.timo :
this link is offline :disappointed:
[2018-04-09 22:32:37]
jakub :
@wetzel.timo temporary <https://github.com/MAVProxyUser/OriginalGangsterCow>
[2018-04-09 22:32:43]
jakub :
or just <https://github.com/Opcodeffm/csroot>
[2018-04-09 22:33:09]
jakub :
csroot will provide you way to install apk's
[2018-04-09 22:51:41]
wetzel.timo :
thanks!
[2018-04-12 15:56:29]
mathieu.peyrega :
new fw versions available. The installed DJI GO 4.2.8 is with secneo
[2018-04-12 15:56:42]
mathieu.peyrega :
not installed and not tested if rooting still works
[2018-04-12 16:33:07]
mathieu.peyrega :
rooting still works with the new firmware version
[2018-04-12 17:29:48]
jakub :
anything else... worth updating?
[2018-04-12 17:30:55]
mathieu.peyrega :
not sure... i cannot install my special CS version anymore... even rooted strange
[2018-04-12 17:31:20]
mathieu.peyrega :
the install succeeds, but at the end, I cannot select "Open" only "Done" and then the app does not appear in the app list
[2018-04-12 17:31:22]
mathieu.peyrega :
fuck
[2018-04-12 17:32:38]
jakub :
:confused:
[2018-04-12 17:33:39]
jakub :
@channel for now don't upgrade CS
[2018-04-12 17:33:50]
jakub :
@mathieu.peyrega what about google apps?
[2018-04-12 17:33:59]
jakub :
maybe try installing other launcher, maybe they locked it within it?
[2018-04-12 17:36:03]
ben_lin :
Good luck with that
[2018-04-12 17:36:13]
ben_lin :
You can’t even set wallpapers
[2018-04-12 17:37:55]
jakub :
hmm.. sounds like launcher again, or settings or systemui packages
[2018-04-12 17:40:16]
jakub :
I'm still on v02.05.00.00, if you need anything let me know
[2018-04-12 17:42:04]
jakub :
```system ui - 5.1.1-eng.dji.20180209.144907
launcher 2.0.09.09
settings 5.1.1-eng.dji.20180209.144907
system setup 1.2.11.22``` those are for 02.05
[2018-04-12 17:43:27]
ben_lin :
I am perfectly happy with the update that brought 4.1.22
[2018-04-12 17:43:44]
ben_lin :
Not using MA so ain’t gonna update or complain lol
[2018-04-12 17:44:20]
jakub :
```Lin [7:36 PM]
Good luck with that
You can’t even set wallpapers``` how do you know about it, if you're still on old fw ? :wink:
[2018-04-12 17:44:23]
jakub :
brb dinner
[2018-04-12 17:44:36]
mathieu.peyrega :
just make a factory reset and it seems to solve stuff...
[2018-04-12 17:44:45]
mathieu.peyrega :
dinner times here... i'll keep informed !
[2018-04-12 17:44:55]
ben_lin :
Cuz on my older fw
[2018-04-12 17:45:12]
ben_lin :
I can’t set my wallpaper while running Nova
[2018-04-12 17:45:26]
ben_lin :
Even with the system settings app
[2018-04-12 18:25:04]
timopro :
@mathieu.peyrega Which FW ?
[2018-04-12 19:02:25]
mathieu.peyrega :
V2.06.03... I factory reset, which let me install my CS version, but I cannot get flashfire to work anymore... it's crashing at "enumerating properties stage"
[2018-04-12 19:02:53]
mathieu.peyrega :
it seems the device is in an "intermediate state"... is there a way to perform a full factory reset ?
[2018-04-12 19:28:59]
mathieu.peyrega :
help appreciated if android gurus around :slightly_smiling_face:
[2018-04-12 19:37:36]
jakub :
@mathieu.peyrega can you pull `build.prop` file ?
[2018-04-12 19:51:54]
mathieu.peyrega :
@mathieu.peyrega uploaded a file: [Sans titre](https://dji-rev.slack.com/files/U84HERNVC/FA70U7FFH/-.txt)
[2018-04-13 06:24:48]
mathieu.peyrega :
things seem solved right now, I had to use <https://www.google.com/android/uncertified/> to register the device as a custom ROM (seems a new Google Policy) and things seem to be all OK now !
[2018-04-13 07:15:39]
timopro :
:+1: :ok_hand:
[2018-04-13 10:17:20]
mathieu.peyrega :
seems very likely that they implemented a mechanism that is deleting "unofficial DJI apps" !
[2018-04-13 10:17:40]
mathieu.peyrega :
my special CS version disappeared now ! (all other stuff is ok)
[2018-04-13 11:08:32]
jakub :
ah right.. they mentioned about disabling support few days ago
[2018-04-13 11:14:35]
mathieu.peyrega :
disabling support for what ?
[2018-04-13 11:14:58]
mathieu.peyrega :
right now it seems they are "hiding" the patched dji app...
[2018-04-13 11:15:04]
jakub :
google - for unregistered devices
[2018-04-13 11:16:15]
mathieu.peyrega :
i'm not talking about google, i'm talking about the patched DJI GO 4 app for CS... I can install it and launch it, after a while, the app is not "there" anymore, but it's still in /data/app/
[2018-04-13 11:16:33]
mathieu.peyrega :
I can uninstall it via adb uninstall "package name"
[2018-04-13 11:21:22]
mathieu.peyrega :
reinstall and launch after adb uninstall
[2018-04-13 11:21:47]
mathieu.peyrega :
but the app "auto disappear" after a while... i'll try disabling a few services / startup services
[2018-04-13 11:23:03]
jakub :
@mathieu.peyrega asked before, did you try other launcher ?
[2018-04-13 11:23:10]
jakub :
or you can't get it working as well
[2018-04-13 11:23:33]
mathieu.peyrega :
i'm using nova
[2018-04-13 11:55:16]
mathieu.peyrega :
the app "disappears" when pressing the "settings" middle button on the CS at next boot after install...
[2018-04-13 12:25:05]
mathieu.peyrega :
app can be "unhidden" through adb : pm enable "package name" but this is quite nasty that the app is disabled all the time...
[2018-04-13 12:25:28]
mathieu.peyrega :
can this "hiding app" android feature be disabled at OS level ?
[2018-04-13 14:55:57]
bin4ry :
They may trigger a custom script to do that
[2018-04-13 14:56:17]
bin4ry :
Can you dump me the rom or give me a link to the OTA zip?
[2018-04-13 15:01:23]
mathieu.peyrega :
the OTA zip is on the english crystal sky page / download section
[2018-04-13 15:02:46]
mathieu.peyrega :
<http://mydjiflight.dji.com/file/links/ZSA_pack_2630_20180412>
[2018-04-13 15:02:56]
mathieu.peyrega :
<http://mydjiflight.dji.com/file/links/ZSB_pack_2630_20180412>
[2018-04-13 15:05:45]
bin4ry :
I'll take a look
[2018-04-13 15:06:40]
mathieu.peyrega :
does someone have the previous / full system images ? is it possible to downgrade in case ?
[2018-04-13 16:33:07]
ben_lin :
IIRC you can’t
[2018-04-13 16:33:26]
ben_lin :
You can’t choose to flash older zips anymore
[2018-04-13 16:33:41]
ben_lin :
Not sure after root though
[2018-04-13 16:36:15]
ben_lin :
I am still on previous version
[2018-04-13 17:21:37]
ben_lin :
dji really hates us
[2018-04-13 18:49:15]
mathieu.peyrega :
not sure it's DJI "on purpose" or some kind of side effect... anyway, I found a way to mitigate the issue so far...
[2018-04-14 08:53:42]
timopro :
@mathieu.peyrega Using PM unhide?
[2018-04-14 09:36:02]
mathieu.peyrega :
su;pm enable "package name"
[2018-04-14 09:41:05]
mathieu.peyrega :
or su -c "pm enable dji.package.patched"
[2018-04-14 09:41:20]
mathieu.peyrega :
which I added as an easy call script...
[2018-04-14 12:16:32]
jakub :
@mathieu.peyrega please pull all files from `/etc/init.d/` and upload them. If there's `/data/init.sh` this one as well
[2018-04-14 12:16:49]
jakub :
maybe they are running custom script at every boot hmm
[2018-04-14 13:23:25]
jakub :
@mathieu.peyrega <https://www.diffchecker.com/iEVty4Vc> build.prop diff
[2018-04-14 13:23:52]
jakub :
and `init*` files from `/` path on my CS
[2018-04-14 13:24:15]
jakub :
diff them, maybe there's something in there
[2018-04-14 13:24:37]
jakub :
if not, probably in some apk
[2018-04-14 13:25:07]
mathieu.peyrega :
maybe this line : ro.dji.dpad=true would trigger some behaviour...
[2018-04-14 13:25:37]
mathieu.peyrega :
I tried installing the app as a system app but this did not change behaviour...
[2018-04-14 13:25:44]
jakub :
check init files first
[2018-04-14 13:26:06]
jakub :
they are running scripts on boot
[2018-04-14 13:27:18]
jakub :
on cs: `mkdir /sdcard/tmp; cp /init* /sdcard/tmp/` on pc `adb pull /sdcard/tmp .`
[2018-04-14 13:27:26]
jakub :
I have to go out see you soon :slightly_smiling_face:
[2018-04-14 21:15:21]
jakub :
@mathieu.peyrega did you manage to compare files ?
[2018-04-15 08:11:06]
mathieu.peyrega :
Found another mitigation way... edit the /data/data/dji.system.launcher/shared_prefs/dji.system.launcher.xml and replace the preferred package name inside...
behaviour seems to be rather a side effect than a purpose behaviour by DJI...
(see how diplomatic I am not calling this a bug :slightly_smiling_face: )
[2018-04-16 07:07:29]
mathieu.peyrega :
<https://forum.dji.com/thread-144019-1-1.html>
seems a lot of side effects for Go3 with this version of firmware
[2018-04-20 18:50:18]
hostile :
nice I need to send mine back to get repaired
[2018-04-22 16:46:57]
mathieu.peyrega :
does someone have an idea how to prevent crystal sky using GPS for wifi regdom setting ? I've deleted all Wifi settings, turned Wlan off, did iw reg set US to go FCC, confirmed by iw reg get.
Upon reboot, iw reg get shows france again...
This is shitty with Spark because it prevents using 2.4 GHz... the time Wifi reboots, the regdom returns to "FR" and then the CS cannot pair with the RC AP which is on 5.8 now
[2018-04-22 16:59:43]
mathieu.peyrega :
does not even seem to be GPS related... with GPS off still the same
[2018-04-22 18:11:41]
mathieu.peyrega :
can someone with a CS in USA give me the content of its /data/property/persist.country.code file ?
[2018-04-22 18:12:38]
mathieu.peyrega :
mine is 80FA
[2018-04-23 10:46:57]
timopro :
Im in CH...
[2018-04-23 12:03:52]
mathieu.peyrega :
and what's the code you have in the file I gave ?
[2018-04-23 12:04:55]
mathieu.peyrega :
i'm struggling to find where this f...ing "FR" default regdom is stored on the device... Could it be set in some jar/odex file at installation time, IIRC, you have to provide your country name at this moment
[2018-04-23 13:17:16]
timopro :
Ill tell you this evening...now im at work..
[2018-04-23 14:20:10]
mathieu.peyrega :
I'd also be interested if you can disable Wifi, disable location, reboot and issue command iw reg get and see which default country code the tablet is on...
[2018-04-23 15:57:06]
timopro :
Persist.country.code on my CS is 817C
[2018-04-23 15:57:52]
timopro :
In in Switze&
[2018-04-23 15:59:54]
mathieu.peyrega :
ok, so that may actually be the code to change !
[2018-04-23 16:00:06]
mathieu.peyrega :
glad if someone can provide the "US" value
[2018-04-23 16:00:25]
mathieu.peyrega :
@timopro: thanks for testing
[2018-04-23 16:00:47]
mathieu.peyrega :
do you have "US" in the other persist that looks like country related
[2018-04-23 16:00:53]
mathieu.peyrega :
same directory
[2018-04-23 16:00:58]
mathieu.peyrega :
(don't remember the name)
[2018-04-23 16:03:51]
timopro :
On persist.local.country there is US
[2018-04-23 16:04:04]
mathieu.peyrega :
same as me !
[2018-04-23 16:04:16]
mathieu.peyrega :
nice !
[2018-04-23 16:04:46]
mathieu.peyrega :
I have hope the other value is a coded version of the regdom (but don't get the coding obvious).
[2018-04-23 16:05:24]
mathieu.peyrega :
FR is 80FA CH is 817C (do you have "CH" when doing a iw reg get call ?)
[2018-04-23 16:09:43]
timopro :
What is the exact command?
[2018-04-23 16:12:28]
mathieu.peyrega :
iw reg get
[2018-04-23 16:15:17]
mathieu.peyrega :
(right after boot without wifi or gps enabled)
[2018-04-23 16:18:51]
timopro :
I do not know why but I have IT (italy)
[2018-04-23 16:20:07]
mathieu.peyrega :
ok, so 80FA is FR and 817C is IT
[2018-04-23 16:20:24]
mathieu.peyrega :
(I guess)
[2018-04-23 16:24:17]
timopro :
On mine I still have the previous FW...not updated yet to the 02.06.03.00...
[2018-04-23 16:25:08]
mathieu.peyrega :
should not make difference
[2018-04-23 17:31:13]
mathieu.peyrega :
anyone with an idea of the coding can help me... maybe its obvious but I'm blind with this??? its not a direct ascii hexa coding, not a simple XOR...
[2018-04-23 18:59:51]
mathieu.peyrega :
mathieu@ZBook15G3:~/CS/_ZS600A_v2630_20180412.bin.extracted/system$ grep -r 'persist.country.code' .
Fichier binaire ./bin/assistant correspondant
Fichier binaire ./app/SystemSetup/arm/SystemSetup.odex correspondant
Fichier binaire ./app/SystemUpgrade/arm/SystemUpgrade.odex correspondant
Fichier binaire ./lib/libhardware_legacy.so correspondant
[2018-04-23 19:00:11]
mathieu.peyrega :
looks like this is indeed set at setup time... narrowing track...
[2018-04-23 19:21:11]
mathieu.peyrega :
mathieu@ZBook15G3:~/CS/_ZS600A_v2630_20180412.bin.extracted/system/app/SystemSetup/arm/SystemSetup$ adb shell
shell@zs600a:/ $ grep -r -I "80FA" .
./sdcard/DJI/dji.system.upgrade/LOG/CACHE/log-2018-04-13.txt:2018-04-13 16:26:42 system.upgrade(172) e: setCountry = 80FA
[2018-04-23 19:52:56]
mathieu.peyrega :
{
"AL" : "8008" , //ALBANIA
"DZ" : "800C" , //ALGERIA
"AR" : "8020" , //ARGENTINA
"AM" : "8033" , //ARMENIA
"AW" : "8215" , //ARUBA
"AU" : "8024" , //AUSTRALIA
"AT" : "8028" , //AUSTRIA
"AZ" : "801f" , //AZERBAIJAN
"BH" : "8030" , //BAHRAIN
"BD" : "8032" , //BANGLADESH
"BB" : "8034" , //BARBADOS
"BY" : "8070" , //BELARUS
"BE" : "8038" , //BELGIUM
"BZ" : "8054" , //BELIZE
"BO" : "8044" , //BOLVIA
"BA" : "8046" , //BOSNIA
"BR" : "804C" , //BRAZIL
"BN" : "8060" , //BRUNEI
"BG" : "8064" , //BULGARIA
"KH" : "8074" , //CAMBODIA
"CA" : "807C" , //CANADA
//"CA" : "9389" , //CANADA_AP
"CL" : "8098" , //CHILE
"CN" : "809C" , //CHINA
"CO" : "80AA" , //COLOMBIA
"CR" : "80BC" , //COSTA
"HR" : "80BF" , //CROATIA
"CY" : "80C4" , //CYPRUS
"CZ" : "80CB" , //CZECH
"DK" : "80D0" , //DENMARK
"DO" : "80D6" , //DOMINICAN
"EC" : "80DA" , //ECUADOR
"EG" : "8332" , //EGYPT
"SV" : "80DE" , //EL
"EE" : "80E9" , //ESTONIA
"FI" : "80F6" , //FINLAND
"FR" : "80FA" , //FRANCE
"F2" : "80FF" , //FRANCE2
"GE" : "810C" , //GEORGIA
"DE" : "8114" , //GERMANY
"GR" : "812C" , //GREECE
"GL" : "8130" , //GREENLAND
"GD" : "8134" , //GRENADA
"GU" : "813C" , //GUAM
"GT" : "8140" , //GUATEMALA
"HT" : "814C" , //HAITI
"HN" : "8154" , //HONDURAS
"HK" : "8158" , //HONG
"HU" : "815C" , //HUNGARY
"IS" : "8160" , //ICELAND
"IN" : "8164" , //INDIA
"ID" : "8168" , //INDONESIA
"IR" : "816C" , //IRAN
"IE" : "8174" , //IRELAND
"IL" : "8178" , //ISRAEL
"IT" : "817C" , //ITALY
"JM" : "8184" , //JAMAICA
"JP" : "8188" , //JAPAN
"JO" : "8190" , //JORDAN
"KZ" : "818E" , //KAZAKHSTAN
"KE" : "8194" , //KENYA
"KP" : "8198" , //NORTH
"KR" : "819A" , //KOREA_REPUBLIC
"K2" : "819B" , //KOREA
"K3" : "819C" , //KOREA
"KW" : "819E" , //KUWAIT
"LV" : "81AC" , //LATVIA
"LB" : "81A6" , //LEBANON
"LI" : "81B6" , //LIECHTENSTEIN
"LT" : "81B8" , //LITHUANIA
"LU" : "81BA" , //LUXEMBOURG
"MO" : "81BE" , //MACAU
"MK" : "8327" , //MACEDONIA
"MY" : "81CA" , //MALAYSIA
"MT" : "81D6" , //MALTA
"MX" : "81E4" , //MEXICO
"MC" : "81EC" , //MONACO
"MA" : "81F8" , //MOROCCO
"NP" : "820C" , //NEPAL
"NL" : "8210" , //NETHERLANDS
"AN" : "8212" , //NETHERLANDS_ANTILLES
"NZ" : "822A" , //NEW_ZEALAND
"NO" : "8242" , //NORWAY
"OM" : "8200" , //OMAN
"PK" : "824A" , //PAKISTAN
"PA" : "824F" , //PANAMA
"PE" : "825C" , //PERU
"PH" : "8260" , //PHILIPPINES
"PL" : "8268" , //POLAND
"PT" : "826C" , //PORTUGAL
"PR" : "8276" , //PUERTO_RICO
"QA" : "827A" , //QATAR
"RO" : "8282" , //ROMANIA
"RU" : "8283" , //RUSSIA
"RW" : "8286" , //RWANDA
"SA" : "82AA" , //SAUDIA
"ME" : "81F3" , //MONTENEGRO
"RS" : "82B0" , //SERBIA
"SG" : "82BE" , //SINGAPORE
"SK" : "82BF" , //SLOVAKIA
"SI" : "82C1" , //SLOVENIA
"ZA" : "82C6" , //SOUTH
"ES" : "82D4" , //SPAIN
"LK" : "8090" , //SRI
"SE" : "82F0" , //SWEDEN
"CH" : "82F4" , //SWITZERLAND
"SY" : "82F8" , //SYRIA
"TW" : "809E" , //TAIWAN
"TH" : "82FC" , //THAILAND
"TT" : "830C" , //TRINIDAD
"TN" : "8314" , //TUNISIA
"TR" : "8318" , //TURKEY
"UG" : "8320" , //UGANDA
"AE" : "8310" , //UNITED
"UA" : "8324" , //UKRAINE
"GB" : "833A" , //UNITED_KINGDOM
"US" : "8348" , //UNITED_STATES
//"US" : "8349" , //UNITED
"PS" : "834A" , //UNITED_STATES_PS
"UY" : "835A" , //URUGUAY
"UZ" : "835C" , //UZBEKISTAN
"VE" : "835E" , //VENEZUELA
"VN" : "82C0" , //VIETNAM
"YE" : "8377" , //YEMEN
"ZW" : "82CC" //ZIMBABWE
}
[2018-04-23 19:57:11]
mathieu.peyrega :
bingo, setting the /data/persist.country.code to 8348 make the boot time wifi setup to 8348, at least without GPS... I have to make some further tests...
[2018-04-24 05:16:59]
hostile :
nice
[2018-04-25 16:46:39]
mathieu.peyrega :
somehow the file that I set in 8348 came back in 80FA... I set it back and made the file read only... let's see if it holds...
[2018-04-25 17:25:50]
mathieu.peyrega :
even with file read-only, property is reset each time I connect to a WiFi network with a "FR" broadcasted CC
[2018-04-25 17:27:58]
mathieu.peyrega :
but not set back to 8348 when I connect to my Spark RC in FCC mode broadcasting "US"
[2018-04-25 17:28:18]
mathieu.peyrega :
so I guess they are using geocoding IP and it's only when the stuff get on the internet...
[2018-04-26 07:21:58]
mathieu.peyrega :
all this "mess" is driven by dji.system.upgrade service DJIUpServiceOsProtocol, disabling it and the tablet boots to "JP" regdom whatever the value of the persist.country.code file
[2018-04-26 07:23:59]
mathieu.peyrega :
I rebuild a patched SystemUpgrade.apk but need to remove the system app for installing...
[2018-04-26 10:31:41]
mathieu.peyrega :
Succeeded building a custom patched SystemUpgrade.apk / dji.system.upgrade package so that now it sets the file to 8348 anyway :slightly_smiling_face:
[2018-04-26 12:42:40]
jakub :
@mathieu.peyrega what you are working on btw ? :wink:
[2018-04-26 12:43:27]
jakub :
it's FCC for CS stock app ?
[2018-04-26 12:44:17]
mathieu.peyrega :
FCC for CS stock app is already on the special CS version that you have. I'm working on the FCC/CE on the CS itself
[2018-04-26 12:45:00]
mathieu.peyrega :
for the wifi part of the CS. This is mainly for Spark users because the RC to CS link is in Wifi with Spark
[2018-04-26 12:45:46]
mathieu.peyrega :
and the regulatory domains (regdom) in Europe as applied by the Android stack (wrong) prevent using the 5.8 GHz channels that DJI is using
[2018-04-26 12:46:46]
mathieu.peyrega :
this is why so many EU users are complaining about the Spark... With Android phones you can only use a 5.8 Ghz link between RC and Spark and 2.4 GHz between phone and RC
[2018-04-26 12:47:53]
mathieu.peyrega :
because the android regdom database is not up to date with the latest (2014) rules that apply in EU, or maybe because those rules are so stupid (ultra low power allowed) that they purposely did not add it to the DB so that users do not have to experience a bad link quality
[2018-04-26 12:48:50]
mathieu.peyrega :
Where it gets funny is that DJI themselves could have tuned the regdom DB so that EU Spark users can change the freq freely from 2.4 to 5.8 without even breaking any legal rules...
[2018-04-26 12:49:11]
mathieu.peyrega :
But they did not... Even with CS, EU Spark users are stuck.
[2018-04-26 12:49:33]
mathieu.peyrega :
The patch I made should solve this... (Unfortunately, I cannot test right now because I bricked my Spark :slightly_smiling_face: )
[2018-04-26 12:49:46]
mathieu.peyrega :
(but this is different story)
[2018-04-26 14:13:00]
jakub :
thanks for explaining @mathieu.peyrega:wink:
[2018-04-26 14:13:19]
jakub :
well done! (ofc not talking about bricked spark :stuck_out_tongue: )
[2018-04-26 19:45:28]
wetzel.timo :
Can I test it for you?
[2018-05-01 14:36:11]
paulpaws :
Any news on the CS version of go 4 app with all the nfz patches or can we just mod 4.1.22 with deejayeye with option -c true in order to run CS along side the original app which can't be removed. I would like the offline maps, but doing it this way also breaks it.
[2018-05-01 19:00:15]
ben_lin :
nope it wont
[2018-05-01 19:00:22]
ben_lin :
use google maps
[2018-05-01 19:00:27]
ben_lin :
nvm
[2018-05-02 02:34:19]
paulpaws :
Yes thanks Lin. But I don't want to use Google maps as CS has no data and I don't wanna wifi hotspot to phone in order to have maps. Rather use offline maps as it's more useful for me. Plus parts of Australia don't have phone coverage for data coverage.
[2018-05-02 03:27:33]
ben_lin :
I would suggest to read more about matioupi’s posts regarding this matter, if you haven’t already
[2018-05-02 03:27:51]
ben_lin :
Here maps in cloned app is definitely possible
[2018-05-02 12:23:43]
paulpaws :
Thanks again
[2018-05-03 06:19:11]
mathieu.peyrega :
does anyone have the previous firmware files (2.050.00.00 and 2.04.06.00 for both 5.5 and 7.85 versions) ?
[2018-05-03 06:24:18]
paulpaws :
thats the WAY Mat, need to make a repo for this LOL
[2018-05-03 22:13:10]
dan143 :
@dan143 has joined the channel
[2018-05-03 22:14:38]
dan143 :
woo!
[2018-05-03 22:14:47]
dan143 :
so i've rooted my crystalsky
[2018-05-03 22:14:52]
dan143 :
but i cant seem to get a modded apk to install correctly on it
[2018-05-03 22:15:47]
dan143 :
i've tried:
- adb install via cmdline from ubuntu workstation, i get errors and the installation doesnt complete
- installing from the filesystem, result is "app wasnt installed"
- installing from / "this package is broken"
- in installed es file explorer to help a bit with moving things around, still no luck
[2018-05-03 22:15:52]
dan143 :
i'm now out of ideas.
[2018-05-03 22:16:12]
dan143 :
i dont suppose its possible to manually delete stuff and then force install the modded apk?
[2018-05-03 22:20:45]
dan143 :
@dan143 uploaded a file: [image.png](https://dji-rev.slack.com/files/U79CJDH9S/FAHCX7SCQ/image.png)
[2018-05-03 22:34:56]
dan143 :
i installed chainfire, and im now installing gapps
[2018-05-03 22:38:46]
dan143 :
HAHAH!
[2018-05-03 22:38:56]
dan143 :
i get "this device is not certified by google" errors when trying to install gapps.
[2018-05-03 22:51:21]
jakub :
@dan143 <https://www.google.com/android/uncertified/>
[2018-05-03 22:52:46]
dan143 :
yeah i did that just now, it either takes a while or it didnt work, because its still giving me the same error
[2018-05-03 22:53:08]
dan143 :
ive tried rebooting it, when it comes back i'll try gapps one more time
[2018-05-03 22:54:16]
dan143 :
ah, the reboot seemed to fix the uncertified issue
[2018-05-03 22:56:01]
dan143 :
huh, i wonder what happens if I download the dji app from google play
[2018-05-03 22:58:37]
hotelzululima :
@dan143 ??
[2018-05-03 22:59:06]
hotelzululima :
whoops never mind
[2018-05-03 22:59:08]
dan143 :
?
[2018-05-03 22:59:16]
dan143 :
heh
[2018-05-03 22:59:16]
dan143 :
im having no luck here
[2018-05-03 23:05:28]
dan143 :
!apk
[2018-05-03 23:10:26]
jakub :
@dan143 what's your problem?
[2018-05-03 23:10:37]
jakub :
also on latest version of CS there was few issues...
[2018-05-03 23:10:45]
jakub :
@mathieu.peyrega was checking them lately
[2018-05-03 23:10:47]
dan143 :
i cant install the apk
[2018-05-03 23:10:55]
dan143 :
ive tried a bunch of different methods
[2018-05-03 23:10:58]
jakub :
mhm
[2018-05-03 23:11:00]
jakub :
any apk?
[2018-05-03 23:11:06]
jakub :
or just dji go?
[2018-05-03 23:11:12]
dan143 :
no, i can install other stuff, like es file explorer, chainfire supersu etc..
[2018-05-03 23:11:16]
jakub :
kk
[2018-05-03 23:11:17]
dan143 :
dji go 4, the modded apk
[2018-05-03 23:11:20]
dan143 :
refuses to install
[2018-05-03 23:11:24]
jakub :
give me a second...
[2018-05-03 23:11:38]
dan143 :
im trying 4.14 now, just to see
[2018-05-03 23:11:43]
dan143 :
its modding at the moment
[2018-05-03 23:12:53]
dan143 :
nup.
[2018-05-03 23:12:54]
dan143 :
@dan143 uploaded a file: [image.png](https://dji-rev.slack.com/files/U79CJDH9S/FAJ4LKJ90/image.png)
[2018-05-03 23:13:16]
jakub :
I think @mathieu.peyrega didn't pushed his correct cs patch to gh yet
[2018-05-03 23:13:33]
dan143 :
ah
[2018-05-03 23:47:30]
dan143 :
hah, so it started ONCE. it ran and i was able to get it to talk to the aircraft, but it wouldnt let me take off
[2018-05-03 23:47:49]
dan143 :
so i exited it, and i havent been able to get back in. when i hit the app on the desktop it says launcher is hung and wont load
[2018-05-03 23:48:04]
dan143 :
im guessing that trying to uninstall the 'system apps' version of dji go 4 was a bad idea
[2018-05-04 00:00:43]
paulpaws :
@dan143 did you run RunMe.sh -C true for cloning? as you can not delete the pre installed app on CS, you can not have 2 Go App 4 loaded at the same time unless you clone and rename the app via -C true
[2018-05-04 00:04:01]
dan143 :
i did not use -C
[2018-05-04 00:04:04]
dan143 :
lemme try that
[2018-05-04 00:04:05]
dan143 :
sec
[2018-05-04 00:04:31]
dan143 :
feh, adb shell isnt working anymore
[2018-05-04 00:06:32]
paulpaws :
-c true and give a different name like my.go.ap or whatever you like, the default i believe is dji.go.v4
[2018-05-04 00:07:41]
dan143 :
goddamit for some reason i cant get adb to talk to the damn thing
[2018-05-04 00:10:47]
paulpaws :
quickfix, just copy to sd card and side load it
[2018-05-04 00:12:08]
dan143 :
@dan143 uploaded a file: [image.png](https://dji-rev.slack.com/files/U79CJDH9S/FAJ96R6NR/image.png)
[2018-05-04 00:12:13]
dan143 :
:smile:
[2018-05-04 00:13:31]
dan143 :
:D
[2018-05-04 00:13:32]
dan143 :
there.
[2018-05-04 00:13:34]
dan143 :
turned emoji off.
[2018-05-04 00:13:52]
paulpaws :
so could re rename?
[2018-05-04 00:13:59]
dan143 :
im trying
[2018-05-04 00:14:09]
dan143 :
but for some reason i cant get the thing to show up under adb anymore, so i need to sort that out
[2018-05-04 00:15:42]
paulpaws :
just -c true and then when app name comes up type xxx.xxx.xxx , "XXX" what ever you like as long as its not dji.go.v4
[2018-05-04 00:16:23]
dan143 :
yeah ive done that, but now for some reason the device doesnt show up anymore when i plug it into my computer
[2018-05-04 00:16:26]
paulpaws :
you should be able in install along your original go app on your cs
[2018-05-04 00:16:28]
dan143 :
and adb shell whines there's no device
[2018-05-04 00:16:45]
dan143 :
so i need to figure out why suddenly cs doesnt want to talk over adb
[2018-05-04 00:16:55]
paulpaws :
you unlock developer mode
[2018-05-04 00:17:09]
dan143 :
where you go tap on the kernel version or the model version a bunch of times?
[2018-05-04 00:17:15]
dan143 :
it runs some ... stress test app?
[2018-05-04 00:17:19]
paulpaws :
yes
[2018-05-04 00:17:29]
paulpaws :
and turn on the usb option
[2018-05-04 00:17:42]
dan143 :
this is not like regular android tablets
[2018-05-04 00:17:52]
paulpaws :
yes i know
[2018-05-04 00:17:54]
paulpaws :
i have one
[2018-05-04 00:18:20]
dan143 :
i havent been able to find a usb debugging option
[2018-05-04 00:18:27]
dan143 :
im looking around in the stress test tool
[2018-05-04 00:18:47]
paulpaws :
in the same place as an android app
[2018-05-04 00:19:15]
dan143 :
ah shit i found it
[2018-05-04 00:19:18]
dan143 :
i wasnt scrolling far enough
[2018-05-04 00:20:05]
dan143 :
bah, still nothing.
[2018-05-04 00:20:29]
paulpaws :
in console you use adb devices
[2018-05-04 00:21:03]
dan143 :
yeah, im familar with it
[2018-05-04 00:21:07]
dan143 :
looks like its the cable.
[2018-05-04 00:21:15]
dan143 :
i took the usb cable out, turned it upside down, and suddenly now it works
[2018-05-04 00:21:20]
dan143 :
so i guess its a physical issue with the cable
[2018-05-04 00:21:26]
paulpaws :
anyway you can sort that out later
[2018-05-04 00:21:35]
paulpaws :
did you cloning work for you?
[2018-05-04 00:21:47]
dan143 :
i prepared a new app, im gonna copy it to the cs in a sec
[2018-05-04 00:22:03]
paulpaws :
o one other thing
[2018-05-04 00:22:22]
dan143 :
@dan143 uploaded a file: [image.png](https://dji-rev.slack.com/files/U79CJDH9S/FAK23J1FY/image.png)
[2018-05-04 00:22:26]
paulpaws :
if you want a different colour icon
[2018-05-04 00:23:26]
paulpaws :
use -i true also can you can change your icon colour
[2018-05-04 00:23:29]
dan143 :
heh
[2018-05-04 00:23:31]
dan143 :
thats good to know
[2018-05-04 00:23:40]
dan143 :
honestly i really only care about having a stable flight experience
[2018-05-04 00:23:44]
dan143 :
all that extra customization i may do later
[2018-05-04 00:23:56]
paulpaws :
yes same here,
[2018-05-04 00:23:59]
dan143 :
@dan143 uploaded a file: [image.png](https://dji-rev.slack.com/files/U79CJDH9S/FAHE68JUQ/image.png)
[2018-05-04 00:24:19]
paulpaws :
yes
[2018-05-04 00:24:26]
paulpaws :
in okay it
[2018-05-04 00:25:59]
paulpaws :
only reason you want different icon colour as you may mix up stock goapp from the modded app
[2018-05-04 00:26:27]
paulpaws :
also I see you named you app FAA VIOLATION GENERATOR
[2018-05-04 00:26:35]
dan143 :
:D
[2018-05-04 00:26:37]
dan143 :
hahaha
[2018-05-04 00:27:31]
paulpaws :
Nice , it all working for you now
[2018-05-04 00:28:23]
dan143 :
er
[2018-05-04 00:28:26]
dan143 :
not .. exactly
[2018-05-04 00:28:29]
dan143 :
i cant sign into the app
[2018-05-04 00:28:41]
dan143 :
once i start typing things, the sign in button disappears.
[2018-05-04 00:29:34]
paulpaws :
they need to fix that
[2018-05-04 00:29:49]
paulpaws :
they backing in and out a few times
[2018-05-04 00:29:59]
paulpaws :
you really anoying
[2018-05-04 00:31:59]
dan143 :
so just keep hitting back and trying to login over and over again?
[2018-05-04 00:32:09]
paulpaws :
yes
[2018-05-04 00:32:24]
paulpaws :
you have the 5.5" version
[2018-05-04 00:33:02]
dan143 :
yeah
[2018-05-04 00:33:05]
dan143 :
the small one
[2018-05-04 00:33:37]
paulpaws :
if you can Matioupi maybe able to help, hes is the king at this
[2018-05-04 00:34:06]
paulpaws :
hes has a special version i believe
[2018-05-04 00:34:16]
dan143 :
len sent me a special version that I installed
[2018-05-04 00:34:30]
dan143 :
but once i installed it, i couldnt run it again after initial installation.
[2018-05-04 00:34:34]
dan143 :
i guess it wasn't run with -c
[2018-05-04 00:34:38]
dan143 :
it doesnt appear in applications
[2018-05-04 00:35:08]
paulpaws :
no nothing to do with -c
[2018-05-04 00:35:16]
paulpaws :
if can install
[2018-05-04 00:35:30]
dan143 :
yeah it definitely installs, but i just cant see it anymore once it does get installed.
[2018-05-04 00:35:56]
paulpaws :
its been clone already i.e the app name has been changed
[2018-05-04 00:36:07]
paulpaws :
Hello, yes it should. If it does not work as expected, i can provide you with another (working) solution...
Please note that the latest CS firmware 2.06.03.00 has a bug and will "hide" the package named dji.pilot.pad each time you press the middle button to go to the setting/brightness/WLAN page
This is not intentional by DJI, the best workaround is to edit the file /data/data/dji.system.launcher/shard_prefs/dji.system.launcher.xml
and to replace inside the default package from dji.go.v4 to dji.pilot.pad (then the crappy behaviour of hiding the package will fall to the official go4 app)
Your CS needs to be rooted to do that.
[2018-05-04 00:36:24]
paulpaws :
that notes from Matioupi
[2018-05-04 00:36:26]
dan143 :
yeah its rooted
[2018-05-04 00:36:28]
dan143 :
lemme get in there
[2018-05-04 00:36:57]
paulpaws :
there is bug in CS firmware 2.06.03.00
[2018-05-04 00:39:53]
dan143 :
@dan143 uploaded a file: [image.png](https://dji-rev.slack.com/files/U79CJDH9S/FAK28DBF0/image.png)
[2018-05-04 00:40:06]
dan143 :
so I replaced that string in there, dji.go.v4 with dji.pilot.pad and overwrote the file
[2018-05-04 00:40:42]
dan143 :
this is weird.
[2018-05-04 00:40:47]
dan143 :
i put the new file in place and it changed itself?
[2018-05-04 00:40:50]
dan143 :
@dan143 uploaded a file: [image.png](https://dji-rev.slack.com/files/U79CJDH9S/FAK6UA4B1/image.png)
[2018-05-04 00:41:45]
paulpaws :
rooted?
[2018-05-04 00:41:48]
dan143 :
yup
[2018-05-04 00:41:58]
paulpaws :
try again
[2018-05-04 00:42:28]
paulpaws :
pull the file edit on computer and push back, maybe
[2018-05-04 00:42:41]
dan143 :
thats what i did
[2018-05-04 00:42:44]
dan143 :
theres no editor on the tablet
[2018-05-04 00:42:51]
dan143 :
i copypasted the text into vi, changed it, then adb pushed it back across
[2018-05-04 00:44:41]
dan143 :
@dan143 uploaded a file: [image.png](https://dji-rev.slack.com/files/U79CJDH9S/FAK29LZCN/image.png)
[2018-05-04 00:44:46]
paulpaws :
okay
[2018-05-04 00:45:11]
paulpaws :
LOL
[2018-05-04 00:45:33]
dan143 :
@dan143 uploaded a file: [image.png](https://dji-rev.slack.com/files/U79CJDH9S/FAK29TT38/image.png)
[2018-05-04 00:45:42]
dan143 :
so there, you can see the new file is in place
[2018-05-04 00:45:53]
paulpaws :
maybe put es explorer pro on it
[2018-05-04 00:46:18]
dan143 :
heh
[2018-05-04 00:46:18]
dan143 :
what i really wanna do is install a better keyboard
[2018-05-04 00:46:33]
dan143 :
i need to redo the device registration through google, i guess it gave itself a new device id number?
[2018-05-04 00:46:43]
dan143 :
i tried to open the play store again and google griped at me
[2018-05-04 00:47:03]
paulpaws :
you dont need too if you happy with the here map
[2018-05-04 00:47:10]
paulpaws :
and offline maps
[2018-05-04 00:47:52]
paulpaws :
the google map is only good if you have data for you cs via phone other wise useless
[2018-05-04 00:48:10]
dan143 :
yeah
[2018-05-04 00:48:22]
paulpaws :
where and when i fly i dont have 4g covage so offline maps are better for me
[2018-05-04 00:49:38]
paulpaws :
so anthing fix for you now?
[2018-05-04 00:49:55]
dan143 :
@dan143 uploaded a file: [image.png](https://dji-rev.slack.com/files/U79CJDH9S/FAHEDEW9W/image.png)
[2018-05-04 00:50:00]
dan143 :
i reboot and it changes the string text
[2018-05-04 00:50:02]
dan143 :
thats weird
[2018-05-04 00:50:08]
paulpaws :
if not Matioupi will help
[2018-05-04 00:51:46]
dan143 :
nope, its still refusing to behave
[2018-05-04 00:53:07]
paulpaws :
i dont have mine here, at work
[2018-05-04 00:53:36]
paulpaws :
looking at the setting in cs at launcher
[2018-05-04 00:53:48]
paulpaws :
you can see the default app
[2018-05-04 00:54:18]
paulpaws :
make sure both are set to the cs 4 and not the go 3 or pilot app
[2018-05-04 00:55:58]
dan143 :
i tried to change it to other things and it just keeps getting reset to whats in the screenshot
[2018-05-04 00:55:58]
paulpaws :
setting and then launcher settings
[2018-05-04 00:56:33]
paulpaws :
maybe ask Matioupi
[2018-05-04 00:57:20]
paulpaws :
looking at the setting in cs at launcher
you can see the default app
make sure both are set to the cs 4 and not the go 3 or pilot app
setting and then launcher settings
[2018-05-04 00:58:35]
dan143 :
the launcher settings only let me choose the official dji apps, i set them both to dji go 4
[2018-05-04 00:58:51]
dan143 :
but when i hit either icon, it just hangs and android tells me launcher has stopped and asks me if i want to wait or kill it
[2018-05-04 00:59:00]
dan143 :
i can go into apps and i can run the custom app
[2018-05-04 00:59:06]
dan143 :
but i cant sign into it at all
[2018-05-04 00:59:57]
paulpaws :
delete custom app for the time being as the signing bug problem
[2018-05-04 01:03:52]
paulpaws :
the app that Len gave you installed fine, but it has the hiding bug from CS, that whole note of editing the file /data/data/dji.system.launcher/shard_prefs/dji.system.launcher.xml
[2018-05-04 01:04:19]
paulpaws :
should fix it
[2018-05-04 01:04:29]
dan143 :
they're both installed
[2018-05-04 01:04:44]
dan143 :
im trying to install the app len gave me again by going through the patching process again and renaming it
[2018-05-04 01:05:13]
jakub :
@dan143 there's a lot of changed assets in there, for detail ask @mathieu.peyrega
[2018-05-04 01:05:22]
jakub :
though this version should work just fine
[2018-05-04 01:05:56]
paulpaws :
i would remove both app from cs and start from scratch
[2018-05-04 01:07:55]
paulpaws :
./RunMe.sh -k true -d false -c false -i false -r true -p false -w special_CS_build_NFZ_limit_mods -o CS_version.apk
[2018-05-04 01:08:11]
paulpaws :
that should work for you Viss
[2018-05-04 01:08:30]
dan143 :
on the one that len gave me? or a stock version?
[2018-05-04 01:08:55]
paulpaws :
after the -w "special_CS_build_NFZ_limit_mods" is your directory of the working files that Len/Matioupi gave you
[2018-05-04 01:09:10]
paulpaws :
the len gave you
[2018-05-04 01:10:00]
paulpaws :
no need to clone or patch, use that command and it should make apk for you already patch with green icon
[2018-05-04 01:10:23]
jakub :
@dan143 ah btw... I did defog on all files on this version :stuck_out_tongue: so keep in mind that you might have to patch things by hand
[2018-05-04 01:10:26]
dan143 :
@dan143 uploaded a file: [image.png](https://dji-rev.slack.com/files/U79CJDH9S/FAJ5N6KNE/image.png)
[2018-05-04 01:10:28]
jakub :
as all strings are defogged
[2018-05-04 01:10:50]
dan143 :
is there a guide for patching by hand?
[2018-05-04 01:11:11]
jakub :
I guess no...
[2018-05-04 01:11:16]
jakub :
what are you willing to patch btw?
[2018-05-04 01:12:22]
paulpaws :
I do know what Len did, so I cant help you, maybe he can help
[2018-05-04 01:13:03]
dan143 :
im willing to patch whatever
[2018-05-04 01:13:06]
dan143 :
i just want the thing to work :D
[2018-05-04 01:13:06]
dan143 :
heh
[2018-05-04 01:13:11]
jakub :
it's not working?
[2018-05-04 01:13:55]
dan143 :
it took some work the first time around, i got it to come to life once, i managed to get it to connect to the mavic, but it wouldnt let me take off
[2018-05-04 01:14:03]
dan143 :
so i exited the app, but then i wasnt able to get back into it
[2018-05-04 01:14:14]
jakub :
sounds like new fw "bug"
[2018-05-04 01:14:45]
jakub :
for me it's working out of the box..
[2018-05-04 01:14:56]
jakub :
sorry no idea, I guess you have to wait for Matioupi
[2018-05-04 01:15:10]
dan143 :
i tried to mess with some stuff to see if i could move the stock versions of the app out of the way
[2018-05-04 01:15:17]
dan143 :
i tried to uninstall them using es file explorer
[2018-05-04 01:15:20]
dan143 :
it said it was successful
[2018-05-04 22:16:08]
dan143 :
whoof okay
[2018-05-04 22:16:31]
dan143 :
so the charger came today, and i was able to charge the cs, and run the factory firmware install to wipe the thing completely clean.
[2018-05-04 22:17:06]
dan143 :
i did the csroot, then the originalgangstercow scripts, but now any time i try to install anything it complains that im out of space
[2018-05-04 22:17:13]
dan143 :
i adb shell into it and i see its got free space.
[2018-05-04 22:17:16]
dan143 :
wacky!
[2018-05-04 22:18:33]
dan143 :
it appears rooted, but i cant install supersu cuz it whines its out of space
[2018-05-04 22:18:43]
dan143 :
i even tried remounting / and /system as rw to see if that would help
[2018-05-04 22:24:41]
dan143 :
oh.
[2018-05-04 22:24:42]
dan143 :
okay
[2018-05-04 22:24:46]
dan143 :
i learned a new thing
[2018-05-04 22:25:20]
dan143 :
if you have cs plugged into your computer and you tell it to reboot, it doesnt actually reboot. You have to unplug it, select "power down" and fully power it down, then plug it back in. all the 'rebooting' it seems to do while plugged into a power source is ... fakery.
[2018-05-05 06:14:29]
mathieu.peyrega :
@dan143 : as for your space thing : I suggest you reflash the stock firmware with the SD card method : download the firmware file from dji website : <https://www.dji.com/fr/crystalsky/info#downloads>
then extract the .bin file inside the zip to a micro-sd card. Insert the card in slot 1, reboot
Then after csroot, you don't need the originalgangstercow script anymore with recent fw. It allows you to install app from scratch.
Still after rooting, you will probably want to flash gapps as explained on wiki : <https://dji.retroroms.info/howto/crystalsky>
There will be one additional step that is "self approving" the CS to google services : <https://www.google.com/android/uncertified/>
You'll find a sql command line on the link above to extract your device "id" from one of google db. Then register this id to the site. Wait a few minutes. Done
[2018-05-05 07:38:57]
dan143 :
@mathieu.peyrega thats exactly what I did. I rebooted the thing hard, and when it came back up it seemed to behave.
[2018-05-05 07:39:09]
dan143 :
it seems to have come to life, finally
[2018-05-07 12:53:05]
yihuasteven :
Hi, anyone here runs modded go 4 on flipped mode CS? Since CS is mounted upside and down on Mavic remote, the flipped option is turned on, however, in modded app, the indicator and map diagrams display in the opposite direction, it seems that it is running under flipped display mode but still takes the original direction. Anyone has the same problem here?
[2018-05-07 19:04:23]
mathieu.peyrega :
I have not noticed that (which does not mean its not a real thing :slightly_smiling_face: ). I'll check next time I fly
[2018-05-07 19:09:29]
jakub :
same here, didn't experienced that
[2018-05-08 01:19:38]
yihuasteven :
@mathieu.peyrega @jakub thx , it works correctly in the stock cs go4 app under flipped mode, but for me in the modded app. the indicator and map rotation diagram are all in opposite direction. I am guessing it may be a bug of the common version go4 to run on CS
[2018-05-08 04:47:21]
timopro :
I used the C$ with the Mat.upi special 4.1.22 on Spark I didnt notice that.....
[2018-05-08 04:47:41]
timopro :
Ill try also during the WE on the Mavic...
[2018-05-08 12:05:24]
timopro :
I checked the Mat-upi special CS 4.1.22 is ok... I installed a normal app build with run on CS (4.1.22) and the North reference is opposite as mentioned by Ivon..both on compass and on the maps...
[2018-05-08 12:17:37]
mathieu.peyrega :
So working ok with CS version ?
[2018-05-08 12:20:57]
yihuasteven :
@timopro Thanks a lot buddy, you have offered me a link of this version in a deejayeye-modder github issue, can I just use deejayeye-modder to add patches to it?
[2018-05-08 12:33:22]
mathieu.peyrega :
@yihuasteven: yes, the github patches should apply. Maybe it will not play directly from the runme.sh script (unless you edit the patches/version.txt to make it match your start point apk), but you also have the option to :
runme.sh -k true -d true -p false -r false -a source_apk.apk -w directory_name_you_choose
and in a second run
runme.sh -k true -d false -p true -r true -w directory_name_you_choose -o output_modded_apk_name.apk
[2018-05-08 12:34:16]
mathieu.peyrega :
the first step would decompile only (not patch nor rebuild)
the second step would let you apply the patches and rebuild
do not use the run_on_CS patch if you are using the special CS version
[2018-05-08 12:34:44]
jakub :
@mathieu.peyrega we really should create "patch" with assets etc :stuck_out_tongue:
[2018-05-08 12:37:35]
yihuasteven :
@mathieu.peyrega I will try that, Thank you ! :blush: I think I have got the version that had already been decompiled, what I need to do is to add patches and rebuild it by the second step, am I right?
[2018-05-09 15:41:11]
mathieu.peyrega :
@yihuasteven: right
[2018-05-09 16:15:14]
timopro :
Someone had modified the "DJI Home page" to allow other launcher? I need to put a widget on the home page but with Dji launcher I'm not able...
[2018-05-09 16:23:21]
timopro :
If I try to install any launcher I get the error code -501...
[2018-05-09 16:23:56]
mathieu.peyrega :
i'm using Nova Prime without issue (rooted CS + gapps)
[2018-05-09 16:29:51]
timopro :
I tried but I get always error code -501.. CS rooted + gapps..
[2018-05-09 16:30:10]
timopro :
I have still the 2.05 fw...
[2018-05-09 16:30:40]
mathieu.peyrega :
I use it since 2.04 or maybe even before
[2018-05-09 16:33:06]
timopro :
Ok...mmmm you installed it Using adb?
[2018-05-09 16:33:25]
timopro :
Or directly from Google store?
[2018-05-09 16:33:49]
mathieu.peyrega :
directly from playstore
[2018-05-09 16:34:39]
mathieu.peyrega :
googling around it seems other people are having this -501 error for various devices, did you have a look ? Do you have a recent playstore version ?
[2018-05-09 16:35:47]
mathieu.peyrega :
<https://updato.com/how-to/how-to-fix-google-play-store-error-501>
[2018-05-09 16:35:53]
mathieu.peyrega :
no idea if this will work...
[2018-05-09 16:36:51]
mathieu.peyrega :
always seems related to custom roms... maybe this new uncertified stuff... <https://www.google.com/android/uncertified/>
[2018-05-09 16:37:22]
mathieu.peyrega :
get your own framework id from the sqlite3 command given on the link above and self register your CS
[2018-05-09 16:46:05]
timopro :
I tried to install Using adb..and I test [Install failed illegitimate apk]
[2018-05-09 16:46:19]
timopro :
Thanks for support Mat
[2018-05-09 16:49:34]
mathieu.peyrega :
maybe as a last try you can try flashing a more recent version of gapps... (this for sure will require registering uncertified device)
[2018-05-09 16:49:52]
mathieu.peyrega :
you can also try to install from amazon appstore
[2018-05-09 16:50:18]
mathieu.peyrega :
i saw that litchi offer this option for "regular" non rooted non gappsed CS users
[2018-05-09 17:34:24]
timopro :
Done it...thanks...I installed a new Play Store..fine with that..It worked out..
[2018-05-09 17:34:43]
timopro :
I have now the nova prime
[2018-05-09 22:36:51]
rgluckman :
New here. Need some Help! I have a Crystal Sky and I’m having hell of a time trying to patch it.
[2018-05-09 23:17:07]
ben_lin :
@rgluckman u need to provide more details
[2018-05-11 14:01:52]
umbr4 :
did anyone "find" a source tree for the CS firmware
[2018-05-15 11:46:27]
mathieu.peyrega :
For 7.85 crystalsky owners...
this is method Ldji/midware/data/manager/a/c->i :
@ProtectMeVmpMethod private boolean i() {
    boolean v0 = true;
    if(b.getBoardVer() > 1 || !d.getInstance().isCrystalSky785()) {
        v0 = false;
    }
    return v0;
}
(the isCrystalSky785 is renamed by me... obfuscated in original code)
getBoardVer match the getprop persist.board.version property you can get from adb (even non root)
And the whole class is about Fans controlling logics, so DJI seems clearly aware that there is an overheating issue with 7.85 board rev 1...
[2018-05-15 11:46:54]
mathieu.peyrega :
hopefully for me :slightly_smiling_face:
[2018-05-15 11:54:10]
jakub :
@mathieu.peyrega hmm.. do you think we could gain more stability on other devices by masking board version? so DJI GO app will think it's running on CS instead any other device? It's just an idea... to verify part of code which is checking it, as there might be something "on purpose" ~
[2018-05-15 11:56:36]
mathieu.peyrega :
It should be possible to run the CS version on other devices by letting it believe it's running on a CS (this should really be possible)
The class Ldji/dji/midware/data/manager/a/d implements (class name renames - i'm using JEB) :
public boolean isNotRegularDevice() {
    boolean v0 = this.b != dji.midware.data.config.a.a.RegularDevice ? true : false;
    return v0;
}
public boolean isGL300E() {
    boolean v0 = this.b == dji.midware.data.config.a.a.GL300E ? true : false;
    return v0;
}
public boolean isACrystalSkyDevice() {
    boolean v0 = this.b == dji.midware.data.config.a.a.ZS600A || this.b == dji.midware.data.config.a.a.ZS600B ? true : false; // test crystalsky
    return v0;
}
public boolean isCrystalSky785() {
    boolean v0 = this.b == dji.midware.data.config.a.a.ZS600B ? true : false;
    return v0;
}
[2018-05-15 11:58:14]
mathieu.peyrega :
so basically, you need to force the Ldji/dji/midware/data/manager/a/d->b field to one of small or large CS from the enum in dji.midware.data.config.a :
static {
    a.RegularDevice = new a("None", 0, 0, "Unknown");
    a.GL300E = new a("Pomato", 1, 101, "GL300E");
    a.ZS600A = new a("CrystalSkyA", 2, 201, "ZS600A");
    a.ZS600B = new a("CrystalSkyB", 3, 202, "ZS600B");
    a.AG405 = new a("Mg1S", 4, 301, "AG405");
    a.h = new a[]{a.RegularDevice, a.GL300E, a.ZS600A, a.ZS600B, a.AG405};
}
[2018-05-15 11:58:58]
mathieu.peyrega :
and then you should be able to use the special CS version on any device (only the screen resolutions may need to match more or less I guess)
[2018-05-15 11:59:15]
mathieu.peyrega :
However, I don't know if this would add or remove stability...
[2018-05-15 11:59:46]
jan2642 :
Has anyone ever seen references to an ‘h2h protocol’ in DJI GO ?
[2018-05-15 12:02:22]
mathieu.peyrega :
I just grep check in 4.1.22 for h2h htoh h_to_h with or without capitals and no result
[2018-05-15 12:04:02]
jan2642 :
Ok, thanks. It’s referenced in the Spark & MA remotes as the protocol it uses to connect to a PC over USB.
[2018-05-15 12:06:35]
mathieu.peyrega :
maybe host 2 host ?
[2018-05-15 12:32:17]
jan2642 :
I guess so, yes.
[2018-05-15 12:33:40]
mathieu.peyrega :
nothing with that name... but quite a lot about usbhost things
[2018-05-15 12:46:25]
jakub :
@mathieu.peyrega was just curious, worth checking in future :slightly_smiling_face:
[2018-05-15 16:05:17]
mathieu.peyrega :
I just did the test and it's possible to mod the app to run a "CS" version on a nonCS device. There are very little things to change. I have no idea if this has any interest...
[2018-05-15 21:36:25]
chipmangini :
@mathieu.peyrega I have a set of Epson Moverio's that run Android v5.xxx and would love to be able to run the CS Firmware on them if possible. There are many other owners that would LOVE to be able to do that too, if possible! <https://tech.moverio.epson.com/en/bt-300/>
[2018-05-16 05:45:55]
mathieu.peyrega :
@chipmangini: what do you mean running CS firmware on it? like the full Android system or just the GO4 application? Why would the CS version application perform better than the regular go4 patched application on these?
[2018-05-16 05:46:56]
mathieu.peyrega :
I believe having the full CS stack running on this would be quite a great effort... Having a custom application should be simpler
[2018-05-16 08:19:58]
mathieu.peyrega :
I've been debug tracking the d-opt setting with special CS patched version. It's read and live changes are tracked, also, I'm really not sure this has an effect anyway...
[2018-05-16 08:42:09]
skyplay2018 :
How do I do CS routing in the Windows 10 operating system environment?
[2018-05-16 08:42:42]
mathieu.peyrega :
kept tracking d-opt... this is working ONLY in PAL video mode !
[2018-05-16 08:43:10]
mathieu.peyrega :
at least all the fps management stuff gets activated only if you turn your video in PAL
[2018-05-16 08:43:31]
skyplay2018 :
Allow debugging mode to CS
Connect CS to PC
Then I do not know how to use ADB.
[2018-05-16 12:59:00]
paulpaws :
it's all here <https://dji.retroroms.info/howto/crystalsky>
[2018-05-16 20:19:45]
chipmangini :
@mathieu.peyrega We don't have the Play Store on the Epson Moverio's because apparently its hardware description doesn't fit any of Google's parameters. It's not a tablet, phone, or chromebook, so it's not anything... Because of this, Litchi, etc don't work.
[2018-05-16 20:23:22]
mathieu.peyrega :
can you still install apk on it ?
[2018-05-16 20:29:55]
chipmangini :
Yes, you can sideload anything. I can get Google Maps running by installing google play services, and the play store, but the play store doesn't open, so you can't sign in, screwing up trying to load software you've already paid for.
[2018-05-16 20:31:27]
mathieu.peyrega :
did you try this : <https://www.google.com/android/uncertified/>
[2018-05-16 20:31:58]
mathieu.peyrega :
if this is some kind of custom ROM/custom Android, it may need it
[2018-05-16 20:35:54]
chipmangini :
I haven't, but will. I had no idea that Google offered this. Thank you @mathieu.peyrega!
[2018-05-16 20:38:55]
chipmangini :
From the ADB commands I see, wouldn't I need root to get this ID?
[2018-05-16 20:43:19]
mathieu.peyrega :
i'm not sure of that, you should not I guess...
[2018-05-16 20:43:38]
mathieu.peyrega :
there may even be some apps to get this Id
[2018-05-16 20:48:00]
chipmangini :
K thanks, I'll see when I get home and try. Thanks again!
[2018-05-16 22:01:35]
chipmangini :
Just got home, and no android ID. I installed a compatible Google Services Framework, rebooted, and still no ID...
[2018-05-16 22:07:56]
chipmangini :
I found 2 apps like you suggested, still nothing.....:stuck_out_tongue_winking_eye:
[2018-05-25 16:49:25]
mathieu.peyrega :
there is a new CS firmware.... but I did not find the download links yet... (5.5 and 7.85)
[2018-05-25 16:49:59]
mathieu.peyrega :
I did the test to upgrade and test if root stays for at least 2 or 3 versions and would appreciate if someone else go first :slightly_smiling_face:
[2018-05-25 16:50:16]
ben_lin :
Links to patch notes?
[2018-05-25 16:50:47]
mathieu.peyrega :
<https://forum.dji.com/forum.php?mod=viewthread&tid=149852&extra=page%3D1%26filter%3Dtypeid%26typeid%3D463%26typeid%3D463>
[2018-05-25 17:37:38]
mathieu.peyrega :
<http://mydjiflight.dji.com/file/links/ZSA_pack_2660_20180525>
<http://mydjiflight.dji.com/file/links/ZSB_pack_2660_20180525>
[2018-05-26 13:39:04]
mathieu.peyrega :
root still works etc... playstore seemed fucked so i made a factory reset + reupgrade + fresh install....
[2018-05-26 19:42:18]
jakub :
you're impatient @mathieu.peyrega :wink:
[2018-05-26 20:02:36]
mathieu.peyrega :
you think so ?
[2018-05-26 20:02:42]
mathieu.peyrega :
:slightly_smiling_face:
[2018-06-01 08:19:53]
ls7454 :
anyone know where i can find V02.04.02.00 for ZS600B CS? or any older versions for that matter :+1:
[2018-06-06 05:43:03]
mathieu.peyrega :
<http://mydjiflight.dji.com/file/links/ZSA_260_20171214>
<http://mydjiflight.dji.com/file/links/ZSB_260_20171214>
<http://mydjiflight.dji.com/file/links/ZSA_220_20171108>
<http://mydjiflight.dji.com/file/links/ZSB_220_20171108>
[2018-06-06 05:45:54]
mathieu.peyrega :
I did not take time to dig older versions, if you do and try forging the URL with respect to the release note dates and versions : <http://dl.djicdn.com/downloads/CrystalSky/20180416/CrystalSky_Release_Notes_EN_0412_1.pdf> please post them here
[2018-06-06 05:46:02]
mathieu.peyrega :
@ls7454
[2018-06-06 06:16:41]
paulpaws :
@mathieu.peyrega does the latest firmware of CS break anything? ie is root still possible? I'm not sure what version I'm on, need to check
[2018-06-06 06:21:55]
mathieu.peyrega :
the 2.06.06.00 is still ok to root and flash gapps
[2018-06-06 06:22:38]
mathieu.peyrega :
nothing broken as far as I can tell, seems they addressed some overheating issues (that I personally never faced)
[2018-06-06 06:22:58]
paulpaws :
okay cool, any problems with upgrading and downgrading of firmware? I'm going to download all of them just in case LOL
[2018-06-06 06:23:20]
mathieu.peyrega :
I've never tried to downgrade on the CS, I don't know if it's possible
[2018-06-06 06:23:30]
paulpaws :
okay thanks
[2018-06-06 06:58:12]
ls7454 :
Thanks Matioupi. You're a legend. Thanks for your help mate. :+1:
[2018-06-06 07:02:08]
ls7454 :
yes, downgrade cs works (only tried 2630 & 2660 so far). Local update from the sd card. Just about to try some older versions now. :+1:
[2018-06-06 07:17:09]
mathieu.peyrega :
@ls7454 : why do you want to downgrade in first place ?
[2018-06-06 07:23:44]
ls7454 :
want to tweak installd but also want to have a look. My obsessive compulsive drone dis-order i guess. :hugging_face:
[2018-06-10 23:14:47]
739461411 :
Excuse me, how to root crystalsky? Is there any teaching video?
[2018-06-12 11:41:06]
ls7454 :
the files you need are on github. Will also need "open gapps" (pico), and chainfire.
[2018-06-13 02:36:31]
paulpaws :
All the info is here <http://dji.retroroms.info/howto/crystalsky>
[2018-06-13 02:37:05]
paulpaws :
<https://github.com/Opcodeffm/csroot>
[2018-06-16 13:22:54]
timopro :
I update the CS 5.5" to the new fw but no success to root..any idea?
[2018-06-16 19:41:11]
timopro :
ok I found out... !
[2018-06-17 07:56:06]
timopro :
on the csroot-master the copy.sh file I had to modify, has anyone else found that or had to do it?
[2018-06-17 07:56:26]
timopro :
adb push tmp /data/local/tmp
adb shell chmod 755 /data/local/tmp/lordroot
adb shell chmod 755 /data/local/tmp/busybox
adb shell chmod 755 /data/local/tmp/mkdevsh
[2018-06-17 07:57:12]
timopro :
I had to add the "tmp" folder, as in the original file is not there !?
[2018-06-17 07:57:20]
timopro :
original copy.sh:
[2018-06-17 07:57:22]
timopro :
adb push tmp /data/local/
adb shell chmod 755 /data/local/tmp/lordroot
adb shell chmod 755 /data/local/tmp/busybox
adb shell chmod 755 /data/local/tmp/mkdevsh
[2018-06-17 07:57:42]
timopro :
After that the root was easy going...
[2018-06-22 14:33:23]
abdo054 :
Can anyone confirm if CS 02.06.06.00 is compatible? I've been trying to install a patched APK without any success for a while now.
[2018-06-22 15:37:11]
timopro :
Yes it is compatible, have a look here: <http://dji.retroroms.info/howto/crystalsky>
[2018-06-22 17:08:53]
abdo054 :
I checked and there are no mentions of this version being compatible .. Am i not understanding right?
[2018-06-22 18:34:47]
mathieu.peyrega :
@abdo054: please give more details about which apk, how you get/build it.
[2018-06-22 18:35:09]
mathieu.peyrega :
what is the package name (dji.go.v4 / dji.pilot.pad something else )
[2018-06-22 18:35:28]
mathieu.peyrega :
it's definitely possible to have a patched 4.1.22 running on the CS, need a few tweaks
[2018-06-22 18:35:38]
mathieu.peyrega :
NLD will very soon offer an easy to go solution
[2018-06-22 19:35:00]
abdo054 :
Thanks for the reply @mathieu.peyrega I used deejayeye-modder to patch a 4.1.22-3028592-noseceo. Package name is dji.go.v4 ( all patches were chosen)
The issue I'm facing is after installing the modded APK on the CS. After opening the app I can't go past the login page, whenever I try to type the username or password the login button underneath disappears.
CS is unrooted V02.06.06.00
[2018-06-22 22:29:57]
timopro :
The trick for the login button is to never release the finger.. and use copy and paste... then it works...
[2018-06-23 00:05:44]
abdo054 :
Thanks for the tip @timopro I'll sure try it and report back.
[2018-06-23 03:57:16]
abdo054 :
Thank you!! @timopro it worked.
[2018-06-23 04:14:57]
abdo054 :
Now one last thing @timopro How can I install offline maps other than for China?
Only Chinese cities is listed.
[2018-06-23 04:22:02]
paulpaws :
@abdo054 did you clone the app or are you using it along side the original default cs go 4 app
[2018-06-23 04:23:23]
abdo054 :
@paulpaws I'm using it alongside the original. Is there anything I should be aware of?
[2018-06-23 06:15:23]
timopro :
To have the maps you have to patch a nosecneo go4 apk, and select offline maps, which you can find here in slack..... you are using CS? The instruction you can find in the !wiki
[2018-06-23 06:19:12]
mathieu.peyrega :
@mathieu.peyrega uploaded a file: [bools.xml](https://dji-rev.slack.com/files/U84HERNVC/FBCMH7059/bools.xml)
[2018-06-23 06:19:37]
mathieu.peyrega :
@abdo054: try replacing the /res/values/bool.xml with this one before rebuilding the app.
[2018-06-23 06:20:14]
mathieu.peyrega :
not sure if it will be enough. There is a special CS version around, maybe someone can share it with you
[2018-06-23 06:20:33]
mathieu.peyrega :
the "standard" version app will have issues on CS like the one you described
[2018-06-23 15:53:17]
abdo054 :
Thanks @timopro @mathieu.peyrega
[2018-06-23 18:35:01]
abdo054 :
@timopro I don't see offline maps on the patches list. Are you referring to use-GoogleMap patch?
[2018-06-23 18:47:42]
mathieu.peyrega :
restore_MapsDownload.patch
[2018-06-23 18:48:45]
mathieu.peyrega :
@abdo054: do you have the CS version now ?
[2018-06-23 18:54:28]
abdo054 :
Yes sir
[2018-06-25 02:44:20]
dyokd :
@dyokd shared a file: [Untitled](https://dji-rev.slack.com/files/UBDSA3VJA/FBCKVTBK3/-)
[2018-06-25 08:07:35]
ben_lin :
Wrong
[2018-06-25 08:07:48]
ben_lin :
CS now allows 3rd party apps
[2018-06-25 08:07:58]
ben_lin :
But not patched GO
[2018-06-25 08:08:19]
ben_lin :
In order to solve this just use a different package name for the go app
[2018-06-25 08:08:37]
ben_lin :
That way you can have original go and patched go simultaneously
[2018-06-25 08:08:51]
ben_lin :
@dyokd
[2018-06-25 13:22:34]
timopro :
There is a special version of the 4.1.22 for CS which you can use... maybe someone can share it with you... if not you can patch a 4.1.22 nosecneo, use the -c command (clone) and change the name like dji.go.v5 but you have to struggle with the login...
[2018-06-25 17:28:15]
dyokd :
Thanks for the reply, I will give that a shot.
[2018-06-26 00:38:21]
dyokd :
I must be missing the obvious, I've changed the name using an apk editor and it still won't install. I will keep trying different things maybe I will get lucky, thanks again.
[2018-06-26 06:19:43]
mathieu.peyrega :
@dyokd: the name must be changed in many files, I guess the apk editor you use would miss most of them, especially when strings are fogged. I don't understand why you don't use the cloning facility of the modder. It's been designed for this particular purpose.
[2018-06-26 06:20:52]
mathieu.peyrega :
Also on recent firmwares of CS, there is an issue where some package name app, may be auto hidden when you press the middle button (one that brings WLAN/brightness settings) first time after each boot
[2018-06-26 06:21:27]
mathieu.peyrega :
a first quick workaround to show the app again is to issue the command su -c "pm enable your.package.name"
[2018-06-26 06:21:53]
mathieu.peyrega :
from adb. There is a permanent workaround once you get things working with this dirty quick one
[2018-06-26 06:47:53]
dyokd :
I wanted to use that but i'm having issues getting the libwebp installed, will spend some time tomorrow on that.
[2018-06-26 06:48:17]
mathieu.peyrega :
libwebp is not mandatory if you don't want to change color of icon
[2018-06-26 06:48:28]
mathieu.peyrega :
just comment the line that test if it's here in the script
[2018-06-26 06:48:33]
mathieu.peyrega :
and don't use -i true
[2018-06-26 06:48:55]
dyokd :
Great, I won't worry about that then. Thanks for the info!
[2018-06-26 19:46:24]
dyokd :
Just one more question, what linux distro do people generally use for modding GO app? I'm going to use an older laptop for a dedicated linux machine instead of using a virtual machine.
[2018-06-26 19:57:50]
mathieu.peyrega :
I'm using Ubuntu Mate (I was using 16.04 and upgraded to 18.04 a few days ago)
[2018-06-26 19:59:19]
mathieu.peyrega :
it is supposed to be a bit lighter than regular Ubuntu
[2018-06-26 20:36:12]
jakub :
@dyokd why like that? you can even use WSL and modding DJI GO app doesn't require you to use GUI at all
[2018-06-26 20:36:38]
jakub :
even using laptop, you can install ubuntu server and do everything from command line :stuck_out_tongue_winking_eye:
[2018-06-26 22:27:08]
dyokd :
I need a reason to use that machine, otherwise it probably would never power up:blush:
[2018-06-26 22:28:10]
dyokd :
Thanks for the replies, will give it a try.
[2018-06-26 23:10:00]
jakub :
make sense :slightly_smiling_face:
[2018-06-27 03:09:11]
dyokd :
Thanks for all the advice, patched up using Ubuntu and Bin4ry's files, props to him and everyone that makes this possible. Did a couple of flights today, worked a treat.:wink:
[2018-06-30 12:20:23]
chipmangini :
I just picked up a P4P+ RC (GL300E). Will the Crystal Sky exploit work on this controller. Any chance of getting a modded GO4 app on it?
[2018-06-30 14:13:14]
mathieu.peyrega :
it's certainly possible, but nobody among the active people here has one to do the work and test... so you're mostly on your own with this device model...
[2018-06-30 14:57:25]
ben_lin :
Remember my GL300E?
[2018-06-30 14:57:41]
ben_lin :
It was a mess @mathieu.peyrega
[2018-06-30 14:58:13]
mathieu.peyrega :
yes, testing debugging without having the device is no go for me now...
[2018-07-01 02:12:26]
ls7454 :
the crystal sky mods work fine on the GL300E but you need to use a 3rd party launcher and delete the original go4, otherwise it always runs in the background.
[2018-07-01 02:15:47]
ls7454 :
GL300E, will also have to delete something, like whats app, to make room on the drive, before flashing.
[2018-07-01 02:24:04]
ls7454 :
@ls7454 uploaded a file: [GL300E.jpg](https://dji-rev.slack.com/files/UB0PXD5AB/FBJ2DREVD/gl300e.jpg)
[2018-07-04 11:55:47]
mathieu.peyrega :
The strange thing is that it is of no use, because it is almost as easy as using Google Translate
[2018-07-05 05:31:13]
sebastian :
haha you got me
[2018-08-11 11:06:59]
739461411 :
the crystalsky have third party system os ?thanks.
[2018-08-11 11:07:07]
739461411 :
[2018-08-11 12:43:47]
739461411 :
I mean, can i install a different os?
[2018-08-11 17:14:16]
aciid :
@sami.keskinen
[2018-08-11 17:14:19]
sami.keskinen :
@sami.keskinen has joined the channel
[2018-08-13 03:25:24]
739461411 :
Does anybody know how to install a new os on crystalsky?thanks.
[2018-08-13 06:42:12]
aciid :
i wouldnt do it, it's a special device that requires a specific set of drivers and native setting screens to function properly
[2018-08-15 03:26:21]
739461411 :
The crystalsky how to install this system?
[2018-08-15 09:56:48]
timopro :
If you mean Google store and other app you need to root the CS...you can find the HOW to into the OG wiki.... I did on my unit 5.5" and it works fine...yours is the PH4 Display..I don t know if it the same..
[2018-08-15 11:33:16]
739461411 :
It seems like a new system,not the dji's os.
[2018-08-15 12:02:53]
jezzab :
Its Windows or skinned to look like windows (more likely)
[2018-08-15 13:24:14]
ls7454 :
its just a third party launcher which is required if you want your way with the 300e.
[2018-08-15 20:40:53]
chipmangini :
Do the Crystal Sky mods work on the GL300E controller that has the built in screen?
[2018-08-16 08:22:58]
ls7454 :
yes doc. But will need to delete some stuff to make room for the flash. Then there's a bit more work to make your flight programs run smoothly. Cloning the std app is also a good option.
[2018-08-16 10:16:05]
chipmangini :
@ls7454 Thanks for the info
[2018-08-21 01:07:46]
cantrepeat :
Is there a site that has Crystalsky firmwares archived for downloading?
[2018-08-21 09:13:50]
739461411 :
I also want to know
[2018-08-21 23:37:40]
cantrepeat :
btw: if you doing rooting from a windows PC you can use win bash as your shell and then follow the rooting guide.
[2018-08-22 01:51:34]
denkos73 :
I can not get root
[2018-08-22 01:54:39]
denkos73 :
[2018-08-22 02:01:38]
jezzab :
how did you run the `copy.sh` shell script in a Windows Command line? @denkos73
[2018-08-22 02:08:33]
denkos73 :
Is this from under linux?
[2018-08-22 02:13:01]
cantrepeat :
If you are on a windows based PC you can use win bash as your terminal. [www.win-bash.sourceforge.net](http://www.win-bash.sourceforge.net) - I also recommend just unzipping them in the same folder you put the android platform tools in. Use the start-bash.bat file to run the terminal and continue. However, I didn't use the scripts from howtos on this site. Rather I used the ones from here. <https://github.com/Opcodeffm/csroot> I was successful in getting root on 2.4.7.0 and am told it works all the way up to current release.
[2018-08-22 02:14:41]
jezzab :
or you could do it by hand from Windows Command
[2018-08-22 02:15:41]
jezzab :
make sure you have your adb working (which you show you have in the pic). And run from the windows commandline (with `tmp` being a sub directory of the dir you are in from the git repo):
`adb push tmp /data/local/`
`adb shell chmod 755 /data/local/tmp/lordroot`
`adb shell chmod 755 /data/local/tmp/busybox`
`adb shell chmod 755 /data/local/tmp/mkdevsh`
[2018-08-22 02:16:03]
jezzab :
then continue the rest of the guide
[2018-08-22 02:18:32]
jezzab :
(But WSL or bash would be nicer)
[2018-08-22 02:20:21]
denkos73 :
Ok
[2018-08-22 02:20:42]
cantrepeat :
This is all really great stuff and turning your crystalsky into a tablet is great too. I need to get flashfire and the google stuff installed tomorrow.
[2018-08-22 02:23:23]
cantrepeat :
Denis did you just open a normal windows cmd terminal? If so then, like jezzab asked, you probably didn't copy the needed files to your crystalsky and therefore won't be able to run them correctly. A normal, non bash windows terminal will not execute ./copy.sh
[2018-08-22 02:23:56]
jezzab :
hes run `adb shell`
[2018-08-22 02:24:00]
jezzab :
and thats where he has ended up
[2018-08-22 02:24:10]
jezzab :
the shell script has never been run
[2018-08-22 02:24:14]
jezzab :
how i see it anyway
[2018-08-22 02:24:30]
jezzab :
he would have gone `./copy.sh` and it would have done nothing in windows
[2018-08-22 02:24:36]
jezzab :
then hes continued on
[2018-08-22 02:24:38]
denkos73 :
Thanks already understood
[2018-08-22 02:24:43]
cantrepeat :
I agree
[2018-08-22 02:24:57]
cantrepeat :
OK good luck
[2018-08-22 02:52:38]
denkos73 :
[2018-08-22 02:52:58]
denkos73 :
What's wrong
[2018-08-22 02:58:50]
jezzab :
whats the problem
[2018-08-22 02:58:55]
jezzab :
just `adb shell` now
[2018-08-22 02:59:15]
jezzab :
and the files should be in `/data/local/tmp` on the device
[2018-08-22 03:00:06]
jezzab :
and continue with your guide
[2018-08-22 03:12:27]
jezzab :
Just follow the guide you posted a screen shot of. You are up to the point you stopped last time
[2018-08-22 04:10:15]
denkos73 :
[2018-08-22 04:11:34]
denkos73 :
Thank you all, everything turned out.
[2018-08-22 04:13:27]
denkos73 :
[2018-08-22 04:23:19]
jezzab :
:+1:
[2018-08-22 04:24:24]
denkos73 :
Through bash
[2018-08-22 05:59:59]
denkos73 :
:grin:
[2018-08-22 12:36:02]
denkos73 :
What else to correct?
[2018-08-22 12:42:02]
mathieu.peyrega :
you need a special version of App to run on CS, NLD has the option
[2018-08-22 12:46:20]
denkos73 :
I patch through deejayeye-modder
[2018-08-22 12:48:59]
mathieu.peyrega :
then you also need to clone, or delete the system app dji go 4 first
[2018-08-22 12:50:15]
denkos73 :
Deleted
[2018-08-22 12:51:57]
pingspike :
Not been here for a few months... you can delete the built in GO4?! (on a rooted cs only I guess?) I didn't know that :+1: Does that mean you can have your modded go4 on the main launcher homescreen page?
[2018-08-22 12:52:31]
denkos73 :
The "input" button disappears when registering 4.1.22
[2018-08-22 12:58:59]
denkos73 :
[2018-08-22 13:00:48]
denkos73 :
[2018-08-22 13:06:13]
denkos73 :
[2018-08-22 17:06:21]
cantrepeat :
I misspoke, I could not get the non patch GO4 4.1.22 to load. I had the wrong apk on my SD card. The patch version from NLD installed.
[2018-08-22 19:46:19]
timopro :
@denkos73 ok the trick for that is you have to copy your user name in another app, then paste it on the field on go4 without lifting your finger and moving it away... same for the pass, the button then doesn't disappear...
There is a special version of the go4 for the CS... that works without this issue...
[2018-08-23 00:33:29]
denkos73 :
:+1: :+1: :ok_hand:
[2018-08-23 09:27:43]
denkos73 :
Need a folder system from the firmware.
[2018-08-23 09:28:38]
mathieu.peyrega :
get the firmware file from dji website and binwalk it
[2018-08-23 09:29:44]
denkos73 :
I can not open it bin.
[2018-08-23 09:30:22]
mathieu.peyrega :
rename it to tar or zip, or better use binwalk to extract stuff from the bin
[2018-08-23 09:31:16]
mathieu.peyrega :
you can also reflash a full stock firmware by putting the .bin on the sd card in slot 1
[2018-08-23 09:31:21]
denkos73 :
:joy: :ok_hand: :+1:
[2018-08-23 09:32:49]
denkos73 :
In that continually, I removed the update application:joy:
[2018-08-23 09:33:14]
mathieu.peyrega :
maybe if you've been doing many "experiments" is better to restart from a fresh stat
[2018-08-23 09:33:41]
denkos73 :
Ok
[2018-08-23 09:36:10]
mathieu.peyrega :
first do a factory reset from system menu and then flash with sd card
[2018-08-23 09:41:43]
denkos73 :
:ok_hand:
[2018-08-23 09:45:05]
denkos73 :
I did not like CrystalSky, nor brightness nor functionality. My xiaomi mi mix is 100 times better
[2018-08-23 09:50:01]
denkos73 :
I liked only the presence of hdmi
[2018-08-23 12:12:57]
cantrepeat :
Has anyone uninstalled the default launcher on CS? FW 2.4.7
[2018-08-23 12:13:15]
cantrepeat :
Just wondering if it will just boot to apps screen or crash without it.
[2018-08-25 04:27:38]
denkos73 :
Need a firmware dump CrystalSky 5.5 :joy:
[2018-08-25 04:44:55]
denkos73 :
Can be done through: rkDumper
[2018-09-02 10:56:02]
cantrepeat :
has anyone tried or had luck changing the default CS launcher to point other apps, IE instead of default GO have it point to NLD 4.1.22 app?
[2018-09-02 10:58:03]
denkos73 :
Yes
[2018-09-02 10:59:32]
cantrepeat :
can you point in a direction @denkos73
[2018-09-02 11:30:04]
mathieu.peyrega :
[2018-09-02 11:59:22]
mathieu.peyrega :
@catalinaskirace: i'm using Nova Launcher "prime" on my CS without issues. Just follow guide above for rooting/installing gapps/installing the workaround to DJI bug and ask if you need more help
[2018-09-02 12:03:55]
mathieu.peyrega :
[2018-09-02 12:37:41]
mstalzer :
I followed guide for rooting and skipped adding google play store - the apk installed flawlessly (once I grabbed the right apk that is)
[2018-09-02 12:37:58]
mstalzer :
It’s very simple and straightforward
[2018-09-02 13:54:22]
cantrepeat :
I have it rooted and play store installed. @mathieu.peyrega I'm on 2.4.7 CS so I never thought that write applied to me. I've never heard of Nova Launcher as well. I'll check it out. tnx
[2018-09-02 14:46:27]
cantrepeat :
Nova Launcher is pretty sweet!
[2018-09-03 16:55:41]
cantrepeat :
@mathieu.peyrega what widget is that displaying date/mem/temp/battery
[2018-09-03 16:58:22]
mathieu.peyrega :
<https://play.google.com/store/apps/details?id=com.droid27.transparentclockweather.premium>
[2018-09-03 17:00:15]
cantrepeat :
awesome, do you have an app to record the screen? I tried screen recorder but doesn't seem to work in CS.
[2018-09-03 17:02:47]
mathieu.peyrega :
it works on mine (screenshots I mean). I never tried video recording, is CSsupposed to have one builtin ?
[2018-09-03 17:04:10]
mathieu.peyrega :
from an adb shell to the CS can you type : getprop persist.board.version
[2018-09-03 17:18:01]
cantrepeat :
I don't believe so, every search I've done on "recording CS screen" has come up with other people looking for an app to do so.
[2018-09-03 17:18:24]
cantrepeat :
yeah let me get the shell started
[2018-09-03 17:21:23]
cantrepeat :
board version 2 ??
[2018-09-03 17:23:51]
mathieu.peyrega :
same as mine. In DJI GO 4 code they are testing this board version and triggering special fan control for board rev 1 (I think they know they have some overheating issues with some board rev...)
[2018-09-03 17:27:48]
cantrepeat :
ah so version 2 doesn't have the overheating issues I read about? I saw in a fix for temp in V02.06.06.00
[2018-09-03 17:30:38]
mathieu.peyrega :
They say they add fix, but they don't say how or for which board rev... I'm in 2.06.06.00 and never had any issue...
[2018-09-03 17:33:28]
cantrepeat :
I'm on 2.4.7, didn't want to upgrade until I learned more about and which firmwares did what.
[2018-09-03 17:36:23]
cantrepeat :
I'll probably update and reconfig the CS sometime this week.
[2018-09-03 17:36:51]
cantrepeat :
I've learned a lot over the last couple of weeks so it should go easier this time.
[2018-09-04 02:05:57]
cantrepeat :
One thing is for sure, 02.06.06.00 runs a lot cooler!!
[2018-09-07 11:15:21]
ls7454 :
seems that you can run nld 4122 cs side by side with the std go app, without root, simply by cloning & renaming. Cant see any side effects other than having to copy some map files.
[2018-09-14 13:33:05]
cantrepeat :
Anyone with a CS install the new GO 4 app on it to see if it works with MP2 yet?
[2018-09-19 18:35:01]
martinbogo :
I can do that
[2018-09-19 18:40:15]
kilrah :
CS got updated by now :slightly_smiling_face:
[2018-09-19 18:45:28]
cantrepeat :
yeah
[2018-09-19 18:45:40]
cantrepeat :
both ios and apk are out
[2018-09-20 14:35:10]
martinbogo :
Looks like everything works as expected
[2018-09-20 14:35:13]
martinbogo :
No issues
[2018-09-22 16:14:52]
flyingkite :
Hello all, The 2 firmware bin files available for the crystalsky via DDD, are those for the 5.5 or 7.85 version for the crystalsky?
[2018-09-22 16:47:57]
cantrepeat :
@flyingkite The CS firmwares are not model dependent. They will work with either size.
[2018-09-22 16:48:10]
cantrepeat :
What firmware are you currently on?
[2018-09-22 20:10:26]
flyingkite :
@catalinaskirace The CS I recently purchased is on .300 firmware. The DJI site shows 2 versions of the latest fw, one for each CS. Wanted to check if those on DDD would work regardless of which CS you have in case I wanted to go back a version.
[2018-09-22 23:23:45]
cantrepeat :
I stand corrected, they do show different firmware. @cs2000 Can you make a change in the CrystalSky firmwares I uploaded. They are both for the 7.85"
[2018-09-22 23:26:34]
cantrepeat :
I sent CS2000 a message suggesting the name change.
[2018-09-23 01:25:20]
flyingkite :
I have the latest bin and also was able to obtain the previous version from DJI servers. Since those currently on DDD are for the CS 7.85, I'll send the 2 I have via DDD for the CS 5.5 version.
[2018-09-23 07:56:16]
cantrepeat :
I made the suggestion to cs2000 on name changes to the current 7.85s on DDD now to CrystalSky_ZS600B_7.85_v02.06.0600.bin
[2018-09-23 07:56:49]
cantrepeat :
and CrystalSky_ZS600B_7.85_v02.06.0300.bin
[2018-09-24 18:08:48]
jcase :
anyone have issue factory resetting crystal sky
[2018-09-24 18:10:14]
jcase :
lol
[2018-09-24 18:10:14]
jcase :
or anyone know what the volume buttons are
[2018-09-24 18:10:18]
jcase :
so i can control in recovery
[2018-09-24 18:53:20]
cantrepeat :
um, I'm not sure there is a hardware volume, and I'm not sure there isn't. But the software button for volume is on the homepage of the DJI factory launcher
[2018-09-24 18:58:22]
cantrepeat :
You can remap the F1 and F2 buttons in the home screen but neither can be mapped to volume in the app.
[2018-09-24 18:59:28]
kilrah :
that doesn't matter anyway, the point is in recovery mode
[2018-09-24 18:59:35]
kilrah :
software not running
[2018-09-24 18:59:42]
jcase :
yeah cant move the menu
[2018-09-24 18:59:48]
jcase :
and i cant get CS to fully reset it seems
[2018-09-24 18:59:53]
jcase :
it looks like a quick and dirty reset
[2018-09-24 18:59:54]
jcase :
lame
[2018-09-24 19:01:11]
cantrepeat :
factory data reset? I think it just removes all added software and reverts to factory defaults. At least when I ran it that's what it seemed to do. After the reset everything was gone except what was on it out of the box
[2018-09-24 19:01:23]
jcase :
it should be formatting userdata partition
[2018-09-24 19:01:24]
jcase :
it isnt
[2018-09-24 19:11:12]
cantrepeat :
possibly the lowest button/return?
[2018-09-24 19:12:05]
cantrepeat :
na, that didn't do anything
[2018-10-12 10:41:34]
cantrepeat :
If any of you get really, really bored today and want to proof my CS rooting howto - <https://nolimitdronez.com/boards/topic/39/howto-rooting-dji-crystal-sky#116>
[2018-10-16 11:28:48]
xela75 :
hey guys !
[2018-10-16 11:33:15]
xela75 :
I'm here thanks to CantRepeat
[2018-10-16 11:36:35]
xela75 :
I got a CS 5.5 and Go4.1.22 modded by deejayeyemodder
[2018-10-16 11:37:38]
xela75 :
And I have the [INSTALL_FAILED_UPDATE_INCOMPATIBLE] error when installing this apk
[2018-10-16 11:42:53]
xela75 :
It makes sense because when I installed the apk, it displays that it will update the existing dji go 4 already pre-installed on my CS...
[2018-10-16 11:43:06]
xela75 :
Any ideas ? thx
[2018-10-16 11:45:20]
xela75 :
I think I have to change some id in the apk to lure the OS
[2018-10-16 12:00:49]
cantrepeat :
Hey, I thought you were using the NLD CS GO APP 4.1.22? Didn't you ask questions on NLD forums?
[2018-10-16 12:04:03]
xela75 :
That's right. It's because you've made an (excellent) howto about this
[2018-10-16 12:04:36]
xela75 :
but I don't use NLD, I should...I know...
[2018-10-16 12:06:07]
cantrepeat :
Yeah, probably should have made that clear in your postings over there.
[2018-10-16 12:06:33]
cantrepeat :
I'm still working my way through deejayeye
[2018-10-16 12:08:04]
xela75 :
ok so i'm not dumb. Deejayeye is not equal to NLD. I was not sure of this.
[2018-10-16 12:08:53]
cantrepeat :
I would not call it equal but just two ways to do things
[2018-10-16 12:09:04]
cantrepeat :
NLD does have a few more features
[2018-10-16 12:09:23]
cantrepeat :
However, you should be able to get modder to work on your CS
[2018-10-16 12:10:52]
xela75 :
ok thx you. I got to go deeper in apk stuff
[2018-10-17 11:28:34]
xela75 :
2
[2018-10-18 13:09:48]
andik :
@xela75 I have the same problem but with any APK. Can you install any other APK?
[2018-10-18 14:07:28]
xela75 :
I can install whatever apks
[2018-10-18 14:08:04]
xela75 :
but not the djigo4.1.22 one
[2018-10-18 14:11:56]
xela75 :
once your cs rooted, you have to flash opengapps in order to have playstore
[2018-10-18 14:12:22]
xela75 :
but all you have to do is follow this <https://nolimitdronez.com/boards/topic/39/howto-rooting-dji-crystal-sky#116>
[2018-10-18 14:13:31]
cantrepeat :
Do you have superSU installed?
[2018-10-24 01:28:30]
denkos73 :
do somebody dump firmware 5.5
[2018-10-24 07:57:38]
cantrepeat :
@denkos73 what version?
[2018-10-24 07:59:44]
denkos73 :
Need a dump from the latest version 5.5
[2018-10-24 08:02:19]
cantrepeat :
ah, sorry, I don't have it.
[2018-10-24 08:50:43]
denkos73 :
can any
[2018-10-24 08:50:44]
denkos73 :
can any
[2018-10-24 12:31:12]
xela75 :
V02.06.0600 or is there a newer one ?
[2018-10-24 12:56:41]
cantrepeat :
That is the current FW version
[2018-10-24 13:09:31]
xela75 :
@denkos73 so you can DL it on DJI site :<https://www.dji.com/fr/crystalsky/info#downloads>
[2018-10-24 13:14:45]
cantrepeat :
CrystalSky Firmware (5.5'') v02.06.06.00 is the newest firmware
[2018-10-24 13:14:55]
cantrepeat :
you can download it with !DDD
[2018-10-24 13:22:27]
denkos73 :
I wrote that I need a firmware dump, that is, all its partitions, and not the firmware itself.
[2018-10-24 14:19:55]
xela75 :
Ok sorry. I can't help you
[2018-10-24 17:08:25]
jcase :
@mellowamoya what part of firmware
[2018-11-02 21:14:07]
wouter :
@denkos73 i'd be happy to create a firmware dump for you since i have the 7.85" on v02.06.06.00, i have adb ready to go, just tell me how :wink:
[2018-11-02 21:20:21]
jcase :
If you have root
[2018-11-02 21:20:32]
jcase :
Just dd the partitions
[2018-11-02 21:21:00]
wouter :
i need to root still :disappointed: working on that now
[2018-11-02 21:23:06]
jcase :
If someone reminds me, I'll do it when I get home next week
[2018-11-02 21:23:22]
wouter :
nice avatar
[2018-11-02 22:20:23]
wouter :
!apk
[2018-11-02 22:28:14]
cantrepeat :
rooting your CS -> <https://nolimitdronez.com/boards/topic/39/howto-rooting-dji-crystal-sky>
[2018-11-02 23:49:25]
wouter :
Thanks! I actually used the method described here: <https://github.com/Opcodeffm/csroot>
[2018-11-02 23:50:56]
wouter :
It worked I'm pretty sure because I was able to run supersu and update it. Had to run shortly after.
[2018-11-02 23:51:17]
wouter :
Next. Need to figure out how to get boost. working
[2018-12-12 11:57:30]
chipmangini :
Could someone tell me if the "Crystal Sky" rooting tutorial pertains to the Phantom 4 Plus controller with the built in screen? <https://dji.retroroms.info/howto/crystalsky>
[2018-12-12 12:17:56]
cantrepeat :
Doc it wasn't you pming me on NLD was it?
[2018-12-12 12:41:43]
chipmangini :
Not recently, why?
[2018-12-12 12:45:06]
chipmangini :
I just checked, and no....
[2018-12-12 13:15:52]
cantrepeat :
had someone pming me about this very topic.
[2018-12-12 13:16:22]
cantrepeat :
saying that my guide was used to get the NLD app onto a P4P+
[2018-12-12 13:16:40]
cantrepeat :
I don't have nor have I worked on a P4P+ controller
[2018-12-12 13:17:21]
cantrepeat :
I went and read all the posts again and couldn't find anything about the guide being used on P4P+
[2018-12-12 13:17:50]
cantrepeat :
there is one post by @cs2000 saying some users have gotten the app on to that controller but he doesn't know how.
[2018-12-12 13:19:14]
cantrepeat :
other than that I have no clue about the P4P+ controller, I guess it has a built in screen GL3000 something or other.
[2018-12-12 14:13:19]
cat.db :
wiki is down ?
[2018-12-12 14:13:26]
cat.db :
!wiki
[2018-12-12 14:27:38]
jcase :
p4p+ is easy, but its older firmware
[2018-12-12 14:27:53]
jcase :
you need to use the old method by the dirtycow/installd exploit
[2018-12-12 14:27:57]
jcase :
the dirty cow one
[2018-12-12 16:15:53]
cantrepeat :
Yeah, I've never used it or read about, mostly because I don't have a P4P+ ; was just being told my guide was used and I must know. But I don't. I freely give out any information I have, even when it's wrong; :smile: lol
[2018-12-12 17:08:29]
jcase :
p4p+ sucks
[2018-12-12 17:08:34]
jcase :
i could never get it to update to newer firmware
[2019-01-25 12:40:34]
dronepilot :
Hi guys i bricked my CS 5.5, everything worked well attempting rooting. But i deleted dji go 4 and dji launcher, had installed APEX launcher but now i can’t get everything back to normal, it stays only on the dji logo when powered on and does nothing else.
Which version of twrp can i upload via fastboot and where can i get the firmware in zip format?
Thanks
[2019-01-25 12:54:55]
denkos73 :
through adb, replace the modified files in the system folder
[2019-01-25 13:14:20]
cantrepeat :
google dji crystal sky firmware it's already in a zip format on DJIs site
[2019-01-25 13:15:53]
denkos73 :
bin in the archive
[2019-01-25 13:26:36]
dronepilot :
@denkos73 the big problem is that the bootloader is closed, i have access on adb.
[2019-01-25 13:29:27]
cantrepeat :
I haven't tried with a CS but on other android devices you can install the zip through fastboot.
[2019-01-25 13:43:19]
dronepilot :
Downloading the zip file on dji website.
[2019-01-25 13:44:05]
dronepilot :
[2019-01-26 01:16:35]
bagotfish :
Thanks for letting me join! Rod in Alaska checking in..
[2019-01-30 18:54:14]
marijus75 :
Hello. Rooted my CrystalSky 5.5", got Google Play working. Is it possible to remove Go 4 app, and install the latest android Go 4.3.11? I removed original CS Go 4.2.16 with Titanium Backup, but have no success installing from Google Play store. Go 4 downloads, installation begins, but after it completed, app is not installed. I can repeat this many times - the same story. What am I doing wrong? Other apps installed without any problems.
[2019-01-31 00:05:24]
wouter :
sold my CrystalSky, any tips on how to unroot this thing?
[2019-01-31 05:20:49]
timopro :
The CS Go 4 app is different, it's not possible to install through Play store....
[2019-01-31 08:29:48]
wouter :
figured it out, did a local install of the latest firmware from dji's site
[2019-02-01 05:52:05]
marijus75 :
What are the benefits from rooting regarding to dji go 4 applications?
[2019-02-01 12:01:14]
timopro :
Depending on the app you can use Google maps or here by modifying a file and able to activate altitude indication...for those you need root... other of course you can install Google store...
[2019-02-01 13:11:59]
cantrepeat :
You can install other software onto the CS including the NLD Go4app
[2019-02-01 13:13:50]
cantrepeat :
<https://nolimitdronez.com/boards/topic/39/howto-rooting-dji-crystal-sky>
[2019-02-01 14:29:52]
marijus75 :
I have Google Store. Why can't I install latest android Go 4 version 4.3.12 from Google Store?
[2019-02-01 14:31:16]
marijus75 :
Google Play Store
[2019-02-01 17:02:39]
cantrepeat :
because that version of the GO 4 app is not made for a CS
[2019-02-01 17:05:33]
bin4ry :
you would need to mod it, which is not possible
[2019-02-01 17:17:22]
cantrepeat :
nosec bad!!
[2019-02-01 17:44:27]
marijus75 :
NLD Go4app, OK. What other choices? Can I have 2 versions of GO4 (CS latest 4.3.4 and some other one)?
[2019-02-01 17:47:22]
marijus75 :
What does it mean "not made for a CS". Why do other apps installed from Play Store work in CS?
[2019-02-01 17:56:59]
bin4ry :
because dji don’t want it and they don’t deliver playstore
[2019-02-01 17:59:47]
bin4ry :
i am not sure if you can have both
[2019-02-01 17:59:54]
bin4ry :
someone with a cs should answer that
[2019-02-01 18:15:13]
cantrepeat :
You can have both the go 4 apps installed, that is the one that comes in the firmware and the NLD CS4.1.22 ap
[2019-02-01 18:15:23]
cantrepeat :
apk*
[2019-02-01 23:17:31]
marijus75 :
The only thing I want from NLD CS4.1.22 is force FCC. Can you advise me what is the latest Spark firmware which works properly with force FCC mode? My Spark has .600 version and RC .400 Is it worth to upgrade till Spark .1000 and RC .600 ?
[2019-02-02 03:31:31]
cantrepeat :
You can send a ticket to make sure but I believe the bird map is up to date <https://nolimitdronez.com/birdmap> . Ask over in ~nld
[2019-02-02 03:33:09]
cantrepeat :
looks like V01.00.1000
[2019-02-03 14:46:54]
007 :
Hi.
Before I buy one of the high/ultra crystalsky can someone tell me if it is worth buying the ultra 7.85 ?
[2019-02-03 14:54:03]
cantrepeat :
I have the non high brightness model and it works well in bright sun light. I'm not sure if the extra money is worth the ultra.
[2019-02-03 15:02:31]
007 :
Ok, Thanks.
[2019-02-04 13:03:52]
xela75 :
Hi. Does anyone know why it's not possible to install modded GO 4.1.22 on CS ?
[2019-02-04 13:04:51]
denkos73 :
can
[2019-02-04 13:06:51]
denkos73 :
[2019-02-04 13:08:31]
xela75 :
Is it NLD Go version ?
[2019-02-04 13:10:10]
xela75 :
or bin4ry version ?
[2019-02-04 13:10:14]
denkos73 :
Deeyayeye-Modder
[2019-02-04 13:10:41]
xela75 :
i can't install bin4ry or Deeyayeye-Modder version...
[2019-02-04 13:11:48]
xela75 :
I tried to clone the patched Go 4.1.22 because of already GO 4 pre-installed but no success...
[2019-02-04 13:12:29]
xela75 :
thx for the screenshots
[2019-02-04 13:12:55]
xela75 :
it seems that you also cloned the app before installing it ?
[2019-02-04 13:13:59]
xela75 :
I can install the cloned Go 4.1.22 app but it crashes when i play it...
[2019-02-04 13:17:06]
mathieu.peyrega :
[2019-02-04 13:21:57]
xela75 :
thx for your help but i think if you don't clone the app, you won't be able to install the modded app
[2019-02-04 13:22:38]
xela75 :
and it's not mentioned on help
[2019-02-04 13:26:22]
xela75 :
@denkos73 Did you have to uninstall existing dji go app ?
[2019-02-04 13:27:29]
denkos73 :
Yes
[2019-02-04 13:28:23]
xela75 :
ok and you cloned your Deeyayeye-Modder app to give it a new name ?
[2019-02-04 13:30:49]
denkos73 :
4.1.22 nosecneo
[2019-02-04 13:33:00]
xela75 :
ok i'm going to retry that with no dji name on the filename...
[2019-02-04 13:33:03]
xela75 :
thx
[2019-02-04 13:47:31]
xela75 :
@denkos73 Could you please send me your dji go 4 apk ?
[2019-02-04 13:53:22]
denkos73 :
I have a Russian translation and voice acting
[2019-02-04 13:54:06]
denkos73 :
redo give a link
[2019-02-04 13:55:55]
xela75 :
ok
[2019-02-05 14:25:19]
007 :
Hi.
I am going to purchase the crystalsky can someone give me the place with the best&easy guide ?
Thanks
[2019-02-05 15:13:03]
cantrepeat :
<https://nolimitdronez.com/boards/topic/39/howto-rooting-dji-crystal-sky>
[2019-02-05 15:15:44]
007 :
Thanks
[2019-02-06 11:22:52]
marijus75 :
Hi. I successfully installed NLDGO4.1.22CS to rooted CrystalSky. But this app is not good if using Spark with OTG. So I uninstalled it and tried to install NLDGO4.1.14 which is also compatible with CrystalSky according to [nolimitdronez.com](http://nolimitdronez.com), and works well with Spark OTG. But the installation was unsuccessful. I put app on microSD card and clicked on it in CS Explorer for installation. Maybe the installation procedure should be different?
[2019-02-08 16:22:13]
xela75 :
@catalinaskirace About showing battery percentage, do you install an apk for this ?
[2019-02-08 16:22:49]
xela75 :
because on CS, with nova launcher, i do not have battery percentage...
[2019-02-08 16:25:04]
cantrepeat :
let me double check that
[2019-02-08 16:26:50]
xela75 :
thx
[2019-02-08 16:34:16]
cantrepeat :
I think the batt percent might be part of the transparent clock and weather premium app
[2019-02-08 16:36:25]
cantrepeat :
yeah it's that app but I'm trying to find the location to turn it on/set it up
[2019-02-08 16:36:25]
xela75 :
ok that’s what I was thinking...
[2019-02-08 16:36:58]
xela75 :
you mean on nova ?
[2019-02-08 16:37:07]
cantrepeat :
no it's not in nova
[2019-02-08 16:37:23]
xela75 :
i looked for it in settings and nova but nothing
[2019-02-08 16:38:52]
cantrepeat :
it's in the transparent clock and weather app / settings > appearance settings > display system information
[2019-02-08 16:40:33]
xela75 :
ok i'm gonna install this thx
[2019-02-10 10:31:23]
007 :
Hi.
I read the instructions on the howto-rooting-dji-crystalsky.... and I didn't find exactly where should I start the root ?
Thanks
[2019-02-11 10:04:12]
007 :
Hi.
Can you give me more inf about how to download? I download the software and open the shell.bat from that moment I don't know how to continue with the command.
Thanks
[2019-02-11 12:08:40]
007 :
Hi.
I do not get along with making the root, I am trying with the NLD web and djiwiki, and still stuck.
Can you tell me what to to do in the first steps ?( with the command).
Thanks
[2019-02-13 07:46:18]
007 :
Hi.
After the rooting cs it's possible to download the modder dji go 4 ?
[2019-02-13 07:47:07]
denkos73 :
Yes
[2019-02-13 07:54:10]
007 :
How ?
[2019-02-13 07:55:18]
denkos73 :
[2019-02-13 07:56:43]
007 :
And ?
[2019-02-13 07:57:19]
007 :
There is dji go 4 on cs newer, I need to delete?
[2019-02-13 07:59:48]
denkos73 :
I have 4.1.22, new ones are not needed. mavic pro
[2019-02-13 08:04:16]
007 :
Ok, thanks
[2019-02-13 08:18:47]
007 :
Sorry Denis, where did you put the 4.1.22 file ?
[2019-02-13 08:20:12]
denkos73 :
Yes
[2019-02-13 08:20:19]
denkos73 :
Clone
[2019-02-13 08:20:44]
007 :
?
[2019-02-13 08:22:26]
007 :
On the ad?
[2019-02-13 08:22:30]
007 :
Sd
[2019-02-13 14:32:07]
007 :
I need to remove the dji go 4 that came with the cs ? And is that possible to install 2-3 app of dji, nld dji modded ?
[2019-02-13 14:33:05]
denkos73 :
Yes
[2019-02-13 14:34:00]
007 :
Something is not wrong?
[2019-02-13 14:35:19]
007 :
I can't install the dji go 4.1.22 and I can't see the nld app after the download
[2019-02-13 14:40:02]
denkos73 :
[2019-02-13 14:40:13]
007 :
Denis can you advice me
[2019-02-13 14:40:56]
007 :
V8 & v7 what are they ?
[2019-02-13 14:42:02]
007 :
Where can I find the apk file ? Google play
[2019-02-13 14:44:17]
flyingkite :
Is it possible to revert back a CS to stock after rooting?
[2019-02-13 14:52:37]
cantrepeat :
yes, just reflash the latest DJI firmware 2.06 something
[2019-02-13 14:54:12]
cantrepeat :
v02.06.06.00
[2019-02-13 15:05:25]
007 :
That firmware I have
[2019-02-13 16:25:30]
007 :
Hi.
In nld web, what is terminal cs ?
I can't see the nld app on screen.
Thanks
[2019-02-13 16:39:06]
timopro :
Step 1 :
Start your terminal window on your CS then issue the following command
su -c "pm enable dji.pilot.pad"
This will make the NLD app appear if it was hidden.
Step 2 :
From ES Explorer Pro, enable the root explorer mode (there is a small slider in app settings to do so) and navigate to the normally inaccessible file system section :
/data/data/dji.system.launcher/shared_prefs/
copy the file dji.system.launcher.xml to the local storage /Download/ full path is /mnt/sdcard/Download/
From there, open the file with a text editor (ES Explorer Pro has an embedded one) or quickedit pro and modify the file so it looks like :
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<int name="KEY_APP1_INDEX" value="1" />
<int name="KEY_APP2_INDEX" value="0" />
<string name="KEY_MUTEX_PREF_PKG">dji.pilot.pad</string>
<long name="KEY_BOOT_CNT" value="165" />
<int name="KEY_F1_INDEX" value="0" />
<string name="KEY_TRAFFIC_USED_TIMESTAMP">2018-06-14</string>
<int name="KEY_FREEZE_ROTATION" value="0" />
<long name="KEY_TRAFFIC_USED_TOTAL" value="7363457756" />
<int name="KEY_F2_INDEX" value="4" />
<long name="KEY_TRAFFIC_USED_TODAY" value="127043018" />
</map>
The line to add/modify is <string name="KEY_MUTEX_PREF_PKG">dji.pilot.pad</string>
it may be missing or be <string name="KEY_MUTEX_PREF_PKG">dji.go.v4</string>
Once again, add or change it to <string name="KEY_MUTEX_PREF_PKG">dji.pilot.pad</string>
Save the file.
Once the file is saved, copy it from /Download/ (in local storage) to the original place : /data/data/dji.system.launcher/shared_prefs/
and overwrite the original file.
Reboot CS. Should now never lose NLD app.
Sometimes the NLD app will continue to disappear. To fix this, edit the file on your Windows PC with Notepad++
On the CS
copy the /data/data/dji.system.launcher/shared_prefs/dji.system.launcher.xml to /mnt/sdcard/Download/
On your PC in an adb shell:
adb pull /mnt/sdcard/Download/dji.system.launcher.xml
this will download the file on PC.
Modify the file on PC side with a text editor (e.g. notepad++) to add the line
<string name="KEY_MUTEX_PREF_PKG">dji.pilot.pad</string>
or replace dji.go.v4 with dji.pilot.pad in it if already there.
Save the file on PC side.
Then upload it back to the CS, in an adb shell:
adb push dji.system.launcher.xml /mnt/sdcard/Download/
Use ES explorer pro copy / paste the xml file from /Download/ to /data/data/dji.system.launcher/shared_prefs/
(you should get asked to overwrite : say YES)
Reboot CS, try pressing middle button, NLD should still be there and stick now.
You might need to redo this if you later install or change the launcher to avoid the awful DJI one (e.g. Nova, Google Now Launcher, Windows Launcher)
[2019-02-13 17:29:45]
cantrepeat :
flash it and you'll be back to stock without root
[2019-02-13 19:54:01]
flyingkite :
Thanks!
[2019-02-13 23:38:13]
dronepilot :
Still no luck backing up CS 5.5, deleted dji launcher accidentally when rooted, now can’t install the original firmware.
[2019-02-14 10:12:02]
xela75 :
But you still have adb enabled ?
[2019-02-14 10:13:25]
denkos73 :
most likely there is no desire to understand
[2019-02-14 10:16:08]
cantrepeat :
Last he posted he could adb to the CS.
[2019-02-14 10:16:57]
cantrepeat :
terminal is a program you install on the CS
[2019-02-14 10:18:08]
007 :
Yes
[2019-02-14 10:21:07]
007 :
I mean it's on my cs but cannot see the nld app
[2019-02-14 10:29:19]
xela75 :
ok and when you start your CS, you have black screen ?
[2019-02-14 10:29:30]
xela75 :
do you try to install nova launcher ?
[2019-02-14 10:30:20]
cantrepeat :
I think he said it hangs at the DJI logo
[2019-02-14 10:32:32]
xela75 :
ouch too bad
[2019-02-14 10:33:24]
xela75 :
i think you deleted more than the launcher...
[2019-02-14 10:33:38]
dronepilot :
Correct, it does ADB, the loader shows closed. When powered on only shows dji start logo only.
[2019-02-14 10:34:17]
xela75 :
and what about adb install recovery ?
[2019-02-14 10:35:52]
dronepilot :
Didn’t see that yet, the install recovery.
[2019-02-14 10:36:43]
dronepilot :
I’m trying to launch the original firmware but the bootloader is closed.
[2019-02-14 10:41:46]
denkos73 :
[2019-02-14 10:43:03]
denkos73 :
I will change emmc
[2019-02-14 10:44:16]
denkos73 :
Samsung KLMBG2JENB-B041/32GB
[2019-02-14 10:47:08]
denkos73 :
[2019-02-14 10:48:17]
cantrepeat :
that is also explained in the guide
[2019-02-14 11:16:17]
007 :
Please help to understand what I am doing wrong?
[2019-02-14 11:17:38]
007 :
I am doing exactly the guide and still not see the nld app
[2019-02-14 11:18:48]
007 :
There something to uninstall after rooting ?
[2019-02-14 14:01:57]
xela75 :
@rgf8aerial I think, if you do not have ADB access, the only chance to fix your CS is to flash the emmc
[2019-02-14 14:02:45]
denkos73 :
:+1:
[2019-02-14 14:02:58]
xela75 :
But you need some tools...
[2019-02-14 14:04:23]
denkos73 :
InfinityBox
[2019-02-14 14:07:00]
denkos73 :
And dump
[2019-02-14 14:09:37]
xela75 :
I don't know Infinity Box
[2019-02-14 14:09:42]
xela75 :
how does it work ?
[2019-02-14 14:09:53]
xela75 :
I saw it's a dongle
[2019-02-14 14:10:06]
xela75 :
but do you have any box or cables ?
[2019-02-14 14:10:12]
xela75 :
with it
[2019-02-14 14:51:05]
xela75 :
ok it's Z3x box
[2019-02-14 16:49:39]
dronepilot :
Currently i have access through adb and fast boot, the problem is that doesn’t unblock the boot loader to run by rom.
How can I load the recovery through twrp and which version would it work with.
Thanks
[2019-02-14 16:53:34]
denkos73 :
fix the system folder and that's it
[2019-02-14 18:27:25]
dronepilot :
Didn’t understand Denis.
[2019-02-15 16:46:04]
007 :
Hi Denis.
Can you tell me were should I found the inside dji go 4 that came with the cs, that for uninstall to install at other dji go 4 ?
Thanks
[2019-02-15 16:58:09]
denkos73 :
you need apk dji go 4 of CS
[2019-02-15 16:59:01]
007 :
But I am trying to install and it's crash
[2019-02-15 17:00:04]
denkos73 :
what version of dji go 4
[2019-02-15 17:00:32]
007 :
I make one on 4.1.22 with mark the cs on the modder
[2019-02-15 17:01:09]
007 :
Sorry about my English
[2019-02-15 17:03:21]
denkos73 :
he is not mine either:grin:
[2019-02-15 17:04:00]
denkos73 :
Russian
[2019-02-15 17:04:22]
007 :
More info
[2019-02-15 17:05:26]
denkos73 :
mod do from under windows
[2019-02-15 17:06:00]
007 :
Ok I will try
[2019-02-15 17:06:15]
007 :
It's something on my win 10 ?
[2019-02-15 17:06:51]
007 :
I need to uninstall the launcher on cs ?
[2019-02-15 17:07:38]
denkos73 :
what for
[2019-02-15 17:08:11]
007 :
That not prevent from dji go 4 to install?
[2019-02-15 17:08:39]
denkos73 :
not
[2019-02-15 17:08:50]
007 :
I can't find the dji go 4 that came inside the cs
[2019-02-15 17:10:19]
denkos73 :
:thinking_face:
[2019-02-15 17:12:56]
007 :
I am looking in settings - app and not see
[2019-02-15 18:31:01]
dronepilot :
Any one could help me out to get the CS back to life?
[2019-02-17 18:33:18]
007 :
Hi.
summarizing the app on the screen and running. Inserting the commands exactly as specified has returned them and is no longer collapsing because on the nld site I did not mark the cs.
Thanks
[2019-02-18 02:36:19]
marko :
Is it possible to install normal version of Go4 on CS instead of stock one. have rooted device and when I try to update app I get error code 910!
[2019-02-18 09:05:33]
007 :
Yes me too
[2019-02-20 05:58:19]
007 :
Hello.
Does anyone know if there is a possibility to see the battery status of the crystalsky when flying on the Nova Launcher ?
[2019-02-20 12:47:06]
cantrepeat :
You can not install a non CS modded GO app on the crystal sky.
[2019-02-20 12:47:34]
cantrepeat :
I know of no way to display the CS battery level in the GO app while flying.
[2019-02-20 12:49:57]
007 :
Hi
Thanks
What ways ?
[2019-02-20 12:51:57]
007 :
I make by my self a cs modded go file but it's stuck when I download ?
[2019-02-20 13:11:35]
007 :
The same modded apk working fine on my Android.
[2019-02-20 13:11:38]
cantrepeat :
Well, clearly you have done something wrong
[2019-02-20 13:12:19]
cantrepeat :
a Crystal Sky and another Android device are not the same. Moreover, that is the exact issue. A normal android GO app will not install on a CS.
[2019-02-20 13:12:56]
cantrepeat :
if you are using the modder version of GO then there is a known issue with naming it to install on a CS but I do not know how to fix that.
[2019-02-20 13:13:43]
007 :
On the modded I mark all the options even the cs
[2019-02-20 13:14:44]
cantrepeat :
There is an issue with naming that does not allow it to install. I don't know how to fix that issue. Go buy NLD it works great on the CS.
[2019-02-20 13:16:20]
007 :
I already did this, but I want something that I made
[2019-02-20 13:17:56]
007 :
Which ways you can tell me about the battery level while I am flying?
[2019-02-20 13:26:27]
007 :
I am using at the nova launcher
[2019-02-20 13:31:14]
cantrepeat :
I can't, I know of no way to show CS battery level in the go app while you are flying.
[2019-02-20 13:33:02]
007 :
Ok thanks.
[2019-02-21 08:48:04]
xela75 :
@rgf8aerial have you tried this command : adb shell recovery
[2019-02-21 09:24:00]
xela75 :
@shacharmilo <https://dji-rev.slack.com/archives/C60LBFP9Q/p1549382292196100>
[2019-02-21 09:24:09]
xela75 :
follow this thread
[2019-02-21 09:24:58]
xela75 :
@shacharmilo You have to use Linux instead of Windows to run DJI GO4.1.22 modder
[2019-02-21 09:28:58]
007 :
Ok, Thanks.
[2019-02-21 10:18:45]
cantrepeat :
@xela75 were you able to make a modder apk that would install on a CS?
[2019-02-21 12:59:18]
xela75 :
I did not understand why my modded go4.1.22 did not work on my CS
[2019-02-21 13:00:08]
xela75 :
And the only reason why is that under Windows, cloning is not working.
[2019-02-21 13:00:35]
xela75 :
so the only thing to make it work is to run the modder under Linux
[2019-02-21 13:05:53]
xela75 :
but bin4ry could explain us better why
[2019-02-21 13:07:07]
cantrepeat :
no
[2019-02-21 13:08:10]
cantrepeat :
it has nothing really to do with win vs linux, it has to do with the package name. I've heard them talk about it. This is why NLD doesn't have the issue because they do that for you. modder does not. I just never really paid enough attention to it because I use NLD.
[2019-02-21 13:09:08]
cantrepeat :
I've made a modder in linux and it still has the same install issues.
[2019-02-21 13:10:35]
xela75 :
i know about package name because i made some test with the AppCloner application
[2019-02-21 13:11:49]
xela75 :
I changed the package name and the modded DJI Go4 has been installed correctly
[2019-02-21 13:11:51]
xela75 :
but
[2019-02-21 13:12:21]
xela75 :
when I ran it, it crashed
[2019-02-21 13:12:22]
xela75 :
...
[2019-02-21 13:13:18]
xela75 :
so bin4ry said to me that Linux version works better than Windows one
[2019-02-21 13:14:03]
cantrepeat :
yes that is true, because he wrote the linux and someone else wrote the win batch file and has not kept up with it in a while. He stated that in the link you gave.
[2019-02-21 13:14:08]
xela75 :
Because of version of tools...(see the link i provided above)
[2019-02-21 13:16:29]
xela75 :
Anyway what to remember is to use Linux to mod the dji GO 4 and only Linux for CS case
[2019-02-21 13:17:03]
denkos73 :
:100: :+1:
[2019-02-21 13:20:31]
xela75 :
and by the way, just be root for Dji Go 4 to work on CS
[2019-02-21 13:21:11]
xela75 :
Having playstore is just useful to install apks but not mandatory
[2019-02-21 14:03:21]
cantrepeat :
The only thing I've heard about a non CS GO app on a CS is that it crashes all the time.
[2019-04-03 08:53:03]
denkos73 :
the chat is dead .. was it possible to fix the synchronization in the "flight records" on the CS mode
[2019-04-03 09:50:42]
cantrepeat :
I'm not sure what you are asking.
[2019-04-03 09:54:50]
denkos73 :
The "flight recording" function does not work on the 4.1.22 crystals mode
[2019-04-03 09:55:37]
cantrepeat :
Works fine on mine
[2019-04-03 09:56:19]
cantrepeat :
are you using deejayeye modder 4.1.22?
[2019-04-03 09:56:35]
denkos73 :
Yes
[2019-04-03 09:56:52]
cantrepeat :
then it's not an issue with the Crystal Sky but with your app
[2019-04-03 09:57:02]
cantrepeat :
I use NLD CS app and it works fine.
[2019-04-03 09:58:19]
denkos73 :
I do not have NLD
[2019-04-03 09:58:54]
cantrepeat :
You should be asking this question in ~android_apk_patching
[2019-04-03 09:59:02]
cantrepeat :
this is not an issue with the crystal sky
[2019-04-03 09:59:18]
cantrepeat :
the crystal sky doesn't record anything
[2019-04-03 10:01:02]
denkos73 :
I know the problem is in mod 4.1.22
[2019-04-03 10:02:24]
cantrepeat :
ok this channel is crystal sky rooting, you'd probably get more attention on the apk patching channel
[2019-04-08 18:32:11]
nocommie :
Hey guys, I am ready to get a 7.85" Crystal Sky. But before I do, just to confirm, once rooted I can run the patched app and Litchi correct? Any caveats? Thanks
[2019-04-08 18:36:10]
cantrepeat :
I am running NLD 4.1.22 CS on my 7.85. However, I do not own Litchi so can't say for sure. I "believe" there are others that have installed and ran litchi
[2019-04-08 18:36:20]
nocommie :
awesome thanks dude
[2019-04-08 18:36:29]
nocommie :
you have the high or ultra bright?
[2019-04-08 18:37:05]
cantrepeat :
<https://nolimitdronez.com/boards/topic/39/howto-rooting-dji-crystal-sky>
[2019-04-08 18:37:15]
cantrepeat :
I have the standard non ultra model
[2019-04-08 18:37:50]
nocommie :
Hmmm. trying to decide between the high and ultra. Have you ever had an issue where it wasn't bright enough in direct sunlight?
[2019-04-08 18:38:02]
cantrepeat :
nope, never
[2019-04-08 18:38:37]
nocommie :
ok. I will prob go with the high then. Quite a difference in cost
[2019-04-08 18:38:41]
denkos73 :
[2019-04-08 18:38:51]
cantrepeat :
On a side note, I have heard about over heating issues with the ultra. I don't have one so cant say for sure.
[2019-04-08 18:39:25]
nocommie :
yeah I recall hearing that too
[2019-04-08 18:39:31]
nocommie :
and burned out backlights
[2019-04-08 18:39:36]
nocommie :
or pixels
[2019-04-08 18:40:10]
cantrepeat :
the latest version of the FW can be rooted so no issues there.
[2019-04-08 18:40:24]
nocommie :
sweet
[2019-04-08 18:40:37]
nocommie :
are you using the special mount?
[2019-04-08 18:40:45]
nocommie :
worth it?
[2019-04-08 18:40:58]
cantrepeat :
I have two different mounts, both are worth it.
[2019-04-08 18:41:55]
nocommie :
the specific dji crystal sky mount? Like in this bundle? <https://www.amazon.com/DJI-CrystalSky-Monitor-Bundle-High-Brightness/dp/B0748YWXKF/ref=sr_1_4?keywords=crystal+sky+7.85+high&qid=1554748755&s=gateway&sr=8-4>
[2019-04-08 18:42:46]
nocommie :
I will be using it on several platforms so probably dont want to buy 5 additional bottom mounts
[2019-04-08 18:43:10]
cantrepeat :
I have a mavmount and a flyhigh CS mount
[2019-04-08 18:43:34]
cantrepeat :
the flyhigh uses that mount in the amazon link but comes with a polymer mount
[2019-04-08 18:44:22]
nocommie :
cool. thanks for the info
[2019-04-08 18:44:47]
cantrepeat :
if you buy that link then you can just get the mount
[2019-04-08 18:44:50]
cantrepeat :
<https://flyhighusa.com/product/mavic-pro-crystal-sky-onyxcarbon-fiber-mounting-bracket/>
[2019-04-08 18:45:40]
cantrepeat :
I also got the sweet polar cloud CS protective cover
[2019-04-08 18:46:05]
cantrepeat :
<https://www.amazon.com/PolarPro-Screen-Cover-Crystalsky-7-85/dp/B078C8QKYQ>
[2019-04-08 18:47:22]
cantrepeat :
This thread shows the two mounts I have, not my post
[2019-04-08 18:47:23]
cantrepeat :
<https://forum.dji.com/thread-131102-1-1.html>
[2019-04-08 18:48:21]
nocommie :
cool, thanks
[2019-04-08 20:15:51]
nocommie :
Ordered the high brightness 7.85" :slightly_smiling_face:
[2019-04-09 07:56:04]
xela75 :
@catalinaskirace nice assembly ! And about antennas, how great is it ?
[2019-04-09 07:59:11]
cantrepeat :
The photo is not mine, just a photo that shows the two mounts I use. That said, I do not have the antenna shown in the photo. Sorry.
[2019-04-09 08:01:03]
xela75 :
aah ok...anyway it must be heavy.
[2019-04-09 08:21:10]
cantrepeat :
dunno, I did make a custom mount for the mavmount, I added a lanyard hook close to the bottom of the CS so the weight is pretty even on it now.
[2019-04-09 08:22:32]
xela75 :
Quad808 must know a lot about that.
[2019-04-09 08:26:10]
cantrepeat :
[2019-04-09 09:05:23]
xela75 :
it's yours ?
[2019-04-09 09:10:42]
cantrepeat :
Yes, that photo is of mine
[2019-04-09 11:29:24]
xela75 :
ok that sound perfect ! with grey style USB cable ! :+1:
[2019-04-09 17:28:14]
pingspike :
hi everyone, been a looong time since I was active here. Last year I was running a CrystalSky 02.04.02.00 with a custom GO4.1.22 but I suffered the backlight failure in the end :/
so now I have a CS running 02.06.03.00 and when I install my old GO app it simply vanishes.... what are my options here guys in order to get my old GO app going again?
[2019-04-09 17:31:07]
pingspike :
do I need to root and rollback? Or root and do something to unhide the app? The retroroms stuff for the CS looks quite out of date, any better / more recent rooting guides around? (Assuming this is my only option)
[2019-04-09 17:52:11]
cantrepeat :
<https://nolimitdronez.com/boards/topic/39/howto-rooting-dji-crystal-sky>
[2019-04-09 18:12:11]
pingspike :
Thanks mate! Do I need to install Google Play services? I have no need for it, I just want my old custom GO working again :) can I just root and then unhide the app using the method in your forum post? :thinking_face:
[2019-04-09 22:44:02]
cantrepeat :
Sorry, I don't know if you can or can't do that. I am only familiar with the method in the doc.
[2019-04-10 03:32:56]
timopro :
I rooted the CS in a different way, many months ago, but the best and elegant, is to use the OG way... and follow the instruction to unhide the CS-GO app, google play is not mandatory, but could be useful...on my CS now Im 100% rid off of all DJI sw.... works perfectly..
[2019-04-10 10:27:54]
cantrepeat :
Which OG way are you referring to?
[2019-04-10 15:28:52]
timopro :
That one which is also listed under NLD..
[2019-04-10 15:30:46]
timopro :
<https://dji.retroroms.info/howto/crystalsky>
[2019-04-10 15:31:10]
timopro :
Which is the same..way...
[2019-04-10 15:31:37]
timopro :
I used a different method..but use the NLD or OG way...
[2019-04-10 16:48:30]
cantrepeat :
Yeah, the wiki needs some updating when it comes to CS stuff. Maybe I'll work on it this weekend. The OG way still works but I'm not sure why they(read someone else) talk about the installd file not being available since it is contained in the dirty cow git hub.
[2019-04-10 16:51:41]
cantrepeat :
The Opcodeffm rooting is solid
[2019-04-10 19:34:14]
nocommie :
hey @catalinaskirace thanks for the great writeup on NLD for rooting the CS! I am about to give it a go. One question. It is new out of the box. Should I go through the initial setup and update the FW before the rooting process or should I root without any setup?
[2019-04-10 19:41:32]
cantrepeat :
You can update to the latest FW which has a heat update.
[2019-04-10 19:43:16]
nocommie :
ok, cool. I remember you said the latest FW was still rootable, just didnt know if it was best to go through the initial setup or not.
[2019-04-10 20:18:51]
nocommie :
So I got 10 files pushed instead of 11. Then in the next step got error 679, and error 243
[2019-04-10 20:36:17]
nocommie :
rebooted and ran again, seems ok. SuperSU installed
[2019-04-10 20:50:50]
cantrepeat :
what 10 instead of 11 files are you talking about
[2019-04-10 20:52:32]
cantrepeat :
oh from copy.sh command
[2019-04-10 20:56:53]
nocommie :
yeah, I looked and there were only 10 files to be copied in the folder.
[2019-04-10 20:57:21]
nocommie :
Anyway, I am up and running. Waiting on my device ID to register so I can sign into playstore.
[2019-04-10 21:10:27]
nocommie :
Hmm, which ID should I register? The "uncertified" page is asking for "Google Services Framework ID". I initially entered my "Android Device ID" as outlined in your tutorial but after approx 30 min, it still doesnt let me in so I just entered the framework ID and still cant get in. Maybe it hasn't been long enough.
[2019-04-10 21:19:09]
nocommie :
Not sure which one worked but I am in now
[2019-04-10 21:22:24]
nocommie :
So how can I uninstall Go4 that comes preinstalled?
[2019-04-10 21:37:12]
nocommie :
I am trying to install my patched app but it just keeps failing (app not installed)
[2019-04-10 21:37:44]
nocommie :
When I click to install it is seeing the original Go4 and treating the patched app as an update
[2019-04-10 21:49:00]
nocommie :
Well, I was able to uninstall Go4 using Titanium Backup, but patched app still does not install
[2019-04-10 22:53:04]
cantrepeat :
I never used modder but I know there is something to do with cloning and renaming the package to get installed. However, I’ve not looked further into it.
[2019-04-10 23:51:22]
nocommie :
ah ok. Figured it had something to do with the certificate. I am factory resetting and starting over and then will try a cloned go app.
[2019-04-11 00:46:14]
nocommie :
Can anyone share the stock APKs that come installed on the CS? I found the Go4 APK. Looking for Go3 and I think a couple others.
[2019-04-11 00:47:02]
denkos73 :
cloning does not interfere, everything works
[2019-04-11 00:48:14]
nocommie :
Cool. I tried installing my modded 4.1.22 and it wouldnt install so I tried uninstalling the stock DJI apps. That didnt work either. So I did a factory reset trying to get back to stock and it didnt install the factory apps.
[2019-04-11 00:48:24]
nocommie :
Trying to start over, or install the stock apps manually
[2019-04-11 00:48:32]
nocommie :
Then I will install a cloned Go4 modded
[2019-04-11 01:41:09]
nocommie :
well, looks like all I am missing now is Go3. Would appreciate it if someone could pull it off their CS
[2019-04-11 01:42:20]
denkos73 :
can be taken from the firmware
[2019-04-11 01:43:08]
nocommie :
Ah ok. I will look
[2019-04-11 01:46:58]
nocommie :
found it, thanks
[2019-04-11 01:49:20]
nocommie :
Hm. Wont install. Gives "App Not Installed"
[2019-04-11 05:19:36]
nocommie :
Well, completely frustrated. Got everything working except I can't get Go3 installed or a modded 4.1.22. Tried app cloner and it installs but crashes after launching. Going to bed. Will tackle it again tomorrow. Any suggestions appreciated.
[2019-04-11 07:26:49]
cantrepeat :
Well the quick answer is, I know it works with NLD Go4 App.
[2019-04-11 07:27:37]
cantrepeat :
The long answer is I might buy a 5.5 and work on that to document what needs to happen to successfully install the modder Go4 app.
[2019-04-11 07:28:03]
cantrepeat :
Maybe @denkos73 could add some information about what he did to get those installs done.
[2019-04-11 07:30:21]
cantrepeat :
@nocommie Did you clone by changing the Set name of clone application label in the Settings.xml file?
[2019-04-11 07:33:02]
cantrepeat :
Also the new package name?
[2019-04-11 07:33:33]
007 :
NLD works just fine.
Modder apk with win 10 and Linux not work on my rooted cs. :sob:
I change the name from setting.xml file but still not working.
[2019-04-11 07:34:42]
007 :
Denis Denis ????
[2019-04-11 07:41:24]
cantrepeat :
@shacharmilo what all did you change in the setting.xml?
[2019-04-11 07:42:26]
cantrepeat :
Did you change both the app name and label?
[2019-04-11 08:01:33]
007 :
Just the name
[2019-04-11 08:04:19]
007 :
The modder apk file works fine on my Android mobile but not on my cs.
[2019-04-11 08:12:40]
cantrepeat :
I would try changing the Activate Clone Step script option (-c true). -->
<newapplabel></newapplabel>
[2019-04-11 08:12:52]
cantrepeat :
see if that makes a difference on the CS
[2019-04-11 08:13:24]
cantrepeat :
<!-- Set name of clone application label (e.g. "IDJ OG 4.x mod").
[2019-04-11 08:15:25]
xela75 :
it's mandatory to clone the modded Go 4.1.22 with deejayeye_modder
[2019-04-11 08:15:53]
xela75 :
so you should use "-c true" option
[2019-04-11 08:16:09]
xela75 :
and exclusively on linux OS
[2019-04-11 08:16:36]
xela75 :
Windows OS deejayeye does not propose that option
[2019-04-11 08:19:58]
cantrepeat :
yes, set new package name and new package label in the settings.xml file and use the -c true
[2019-04-11 08:43:33]
007 :
What am I supposed to do with -c true ?
[2019-04-11 08:48:27]
xela75 :
-c true enables cloning function
[2019-04-11 08:50:38]
xela75 :
just do : ./Runme.sh -c true
[2019-04-11 08:50:47]
xela75 :
and nothing else
[2019-04-11 08:52:28]
xela75 :
I dont remember if you have to give a new name to the cloned app...But if so, imagine one...
[2019-04-11 08:53:17]
007 :
Thanks
[2019-04-11 10:48:35]
cantrepeat :
I'm working on a cloned modder for CS with new keys and DTM sub system patched
[2019-04-11 10:51:57]
cantrepeat :
I don't want to roll back my 7.8 to mess with it so probably going to buy a 5.5 today
[2019-04-11 10:58:33]
cantrepeat :
whelp, I just ordered a 5.5, hoping it gets here Sat. I'll do all the research on modder and get a CS version built and installed. Once done I'll update the NLD guide.
[2019-04-11 11:01:19]
denkos73 :
he is working fine
[2019-04-11 11:02:48]
cantrepeat :
who is working fine?
[2019-04-11 11:03:05]
cantrepeat :
and check that, I wont update the NLD guide with modder specific info but rather the wiki
[2019-04-11 11:03:34]
denkos73 :
modder
[2019-04-11 11:04:26]
cantrepeat :
modder is not a he so I assume you mean it is working fine. True, but the information to get it to work on a CS is not documented very well. Thus, many users are having issues
[2019-04-11 11:05:33]
denkos73 :
everything works for me ..
[2019-04-11 11:49:57]
cantrepeat :
@denkos73 yes, you've said that. But you have not said what you did to modder to get it to install on your CS.
[2019-04-11 12:53:05]
nocommie :
Thanks @catalinaskirace! Looking forward to what you find. Let me know if you need me to do any testing.
[2019-04-11 12:57:27]
nocommie :
I may give NLD a try in the mean time. I wonder, has anyone flashed the CS with Odin or TWRP? I would like to start over fresh but it wont re-flash the latest FW via wifi (says it has the latest) and just sits on 0% when trying to reflash it from local. At least I can get Go3 back on it.
[2019-04-11 12:59:18]
cantrepeat :
I believe you can get it back to stock FW by doing a factory reset.
[2019-04-11 12:59:46]
cantrepeat :
likewise, put the FW on an SD card and put it in SD slot1 and it should flash ok
[2019-04-11 13:01:38]
nocommie :
I tried a factory reset and when it rebooted it wasn't factory. Had a different setup process (like a generic phone/tablet). Like it mentioned a SIM and was still showing as unregistered google device. Playstore was still installed and it was still rooted. When I try locally with the FW on the SD card, it just sits at 0%. Even got a previous FW and tried a local update it did the same thing.
[2019-04-11 13:02:51]
nocommie :
Oh, and Go3 and Go4 were still missing
[2019-04-11 13:03:10]
nocommie :
tried twice
[2019-04-11 13:10:51]
cantrepeat :
where did you get the firmware? I believe !DDD has a couple versions
[2019-04-11 13:11:35]
nocommie :
here as a bin <https://www.dji.com/crystalsky/info>
[2019-04-11 13:12:11]
cantrepeat :
yeah the 0600 is the latest
[2019-04-11 13:12:30]
cantrepeat :
did you try the 0300 ?
[2019-04-11 13:13:06]
nocommie :
I think it was a version older. Let me check
[2019-04-11 13:13:22]
nocommie :
they both just sit at 0%. You can tell it isn't doing anything
[2019-04-11 13:13:39]
nocommie :
You can back out with no lag etc
[2019-04-11 13:14:01]
nocommie :
Tried 2.6.3.0 as well
[2019-04-11 13:14:21]
nocommie :
It cant be flashed via DDore can it?
[2019-04-11 13:15:00]
nocommie :
BTW, it came with 2.6.6.0 installed
[2019-04-11 13:15:46]
nocommie :
From what I have read, it can't be downgraded or "re-flashed" with the current FW
[2019-04-11 13:15:59]
nocommie :
but that was from a DJI post
[2019-04-11 13:18:36]
cantrepeat :
Pull the 0600 from dank and try that in an sd card
[2019-04-11 13:18:53]
nocommie :
will do
[2019-04-11 13:19:11]
cantrepeat :
Make sure you get the version for your size CS
[2019-04-11 13:19:51]
nocommie :
yep
[2019-04-11 15:04:11]
007 :
I will check later why I can't see the map ?
[2019-04-11 15:14:25]
xela75 :
np
[2019-04-11 15:15:10]
xela75 :
you should be able to see map but only here maps, not satellite or hybrid one
[2019-04-11 15:25:43]
007 :
I am flying right now the p4 not see the here map, maybe something with the key ?
[2019-04-11 15:26:14]
007 :
[2019-04-11 16:04:40]
xela75 :
Enjoy !
[2019-04-11 16:04:48]
xela75 :
Where are you flying ?
[2019-04-11 16:12:19]
007 :
In the M.E
[2019-04-11 16:17:23]
007 :
Change the icon color same command -c true on change app color.sh ?
[2019-04-11 16:52:57]
denkos73 :
:thinking_face:
[2019-04-11 17:59:51]
007 :
Hi Xela.
You can tell me were I need to put the google key ?
I have one key that I can put him on xml file or id and code and key from premium sdk key ?
[2019-04-12 04:02:55]
007 :
Hi.
I find that if I put -I true with the runme.sh I can to change the icon but not the name ?
Can I put the two code (-c true and -I true)
?
[2019-04-12 07:34:03]
xela75 :
normally, you don't have to put any api key
[2019-04-12 07:34:35]
xela75 :
I've never have to. So I can't help you
[2019-04-12 07:35:28]
xela75 :
M.E ?
[2019-04-12 07:37:23]
007 :
Middle East
[2019-04-12 07:39:12]
xela75 :
Ok
[2019-04-12 07:41:42]
007 :
Without key I will see the map ?
[2019-04-12 07:42:49]
denkos73 :
Middle East. a country?
[2019-04-12 07:46:09]
007 :
The Drones country
Denis good morning
[2019-04-12 07:47:49]
denkos73 :
we have lunch:grin:
[2019-04-12 08:04:07]
007 :
Yep
[2019-04-12 09:05:03]
xela75 :
yes there is already key in apk
[2019-04-12 09:15:08]
007 :
Thanks
[2019-04-12 17:11:47]
timopro :
Did you find it? I have one I can put somewhere ... when at home...
[2019-04-12 17:12:04]
timopro :
I have also a mod one for CS if you need...
[2019-04-13 15:11:25]
cantrepeat :
has anyone done any work on unlocking the bootloader on a CS?
[2019-04-13 15:23:16]
denkos73 :
No, but restored via Gtag
[2019-04-13 15:27:18]
denkos73 :
Recovery
[2019-04-13 16:54:34]
cantrepeat :
yeah, we can get into the bootloader but can't flash a bin in there.
[2019-04-13 17:11:24]
nocommie :
@denkos73 do you mean jtag? Can you explain how you did it? Any chance of being able to flash the stock FW bin using jtag?
[2019-04-13 17:13:37]
007 :
Hi Xela.
I tried several times to make an app with my Linux and I success, but all of them not success to see the map ? I tried with the modder key and my key but without success, maybe you know why ?
Thanks
[2019-04-13 17:14:58]
denkos73 :
can be restored much easier through the shell
[2019-04-13 17:17:49]
cantrepeat :
ok how?
[2019-04-13 17:20:45]
denkos73 :
rewrite system in mmcblk0p10 block
[2019-04-13 17:21:36]
denkos73 :
[2019-04-13 17:23:39]
denkos73 :
I have system.img for 5.5
[2019-04-13 17:26:22]
cantrepeat :
nocommie is working on a 7.85
[2019-04-13 17:30:28]
denkos73 :
5.5 and 7.8 only build.prop differ
[2019-04-13 17:34:34]
denkos73 :
adb shell su
adb shell dd if=/sdcard/system.img of=/dev/block/mmcblk0p10
[2019-04-13 17:49:47]
007 :
Hi.
I tried several times to make an app with my Linux and I success, but all of them not success to see the map ? I tried with the modder key and my key but without success, maybe you know why ?
Thanks
[2019-04-13 17:52:57]
denkos73 :
Maybe the key is not valid
[2019-04-13 17:53:17]
007 :
I have a new one
[2019-04-13 17:53:39]
007 :
Id code and key
[2019-04-13 18:11:04]
denkos73 :
[2019-04-13 18:13:14]
007 :
Which name I need to write the same on the inside the modder apk file ?
[2019-04-13 18:14:49]
denkos73 :
package name must be bound to keys
[2019-04-13 18:23:05]
007 :
Ok thanks
[2019-04-13 18:58:36]
nocommie :
Anyone have any idea why I keep getting errors when I run lordroot?
[2019-04-13 18:59:40]
nocommie :
I was able to root previously on stock 2.6.6.0 but it took a couple times until I didnt get errors.. Restored using local update and am trying again and continue to get errors
[2019-04-13 19:08:22]
nocommie :
FYI, it finally worked. Just kept trying lordroot with about 20 sec in between and finally worked
[2019-04-13 21:48:56]
nocommie :
FYI anyone have an issue installing gapps on the latest FW. It kept failing saying file not found when looking for the zip on the ext sd. I ended up copying the gapps zip to the internal storage/sdcard0/downloads and installed it from there with Flashfire and it worked great.
[2019-04-14 15:19:57]
nocommie :
Anyone know where the jtag is on the CS? I have it opened and have a couple possibilities but not certain
[2019-04-14 15:29:08]
denkos73 :
Why do you need this. You have that it does not load
[2019-04-14 15:29:25]
cantrepeat :
no root on his CS
[2019-04-14 15:46:12]
nocommie :
yeah, I have an image to reload. I can boot the CS and it boots into the standard android setup wizard (not DJIs) but I cant do anything with it because of persistent error message loops that take focus.
[2019-04-14 15:47:08]
nocommie :
I have the CS disassembled and am trying to locate the jtag in hopes of transferring my good image to it
[2019-04-14 15:48:59]
nocommie :
Nothing here seems to look like a standard jtag <https://fccid.io/SS3-CS785U1706/Internal-Photos/Int-Photos-3514573>
[2019-04-14 15:51:54]
cantrepeat :
and as a side note, DJI may have disabled jtag on the CS as it seems they did that on the mavic and phantom as well
[2019-04-14 15:52:20]
cantrepeat :
<https://forums.hak5.org/topic/39735-reversing-mavic-pro-firmware/>
[2019-04-14 15:53:55]
nocommie :
I thought @denkos73 said he has used it?
[2019-04-14 15:56:04]
cantrepeat :
dunno if I actually saw him say that. If he has that would be sweet
[2019-04-14 16:02:20]
cantrepeat :
looks like we're gonna need the bootloader unlocked after all
[2019-04-14 16:02:41]
cantrepeat :
need to get a twrp in fastboot and then flashing a fw should be pretty basic
[2019-04-14 20:06:57]
nocommie :
BOOM!!!!!!!! @catalinaskirace figured out how to resurrect my CS 7.85 from a soft brick, no jtag, no recovery/fastboot needed! He is writing up a howto now so we can spread the knowledge! Big thanks dude! We worked on this for 3 days!
[2019-04-14 20:11:36]
cantrepeat :
@denkos73 was a big help in here, pointed me in the right direction, had to do some more reading to get it understood and working.
[2019-04-14 20:12:19]
cantrepeat :
There will be a write up on the process on NLD for others who end up in this situation.
[2019-04-14 20:12:42]
cantrepeat :
protip, don't just remove the stock go apps unless you know what you are doing
[2019-04-14 20:12:49]
nocommie :
lol
[2019-04-14 20:12:49]
cantrepeat :
probably do a write up on that as well
[2019-04-14 20:13:20]
nocommie :
yeah, just use NLD for CS as opposed to trying to get a modded Go4 installed
[2019-04-14 20:13:34]
cantrepeat :
^^
[2019-04-14 20:14:01]
nocommie :
shoutout to @cs2000 as well!
[2019-04-14 20:14:50]
cantrepeat :
@cs2000 we're hoping you will host the two system.img files for the 8.75 and 5.5 CS
[2019-04-14 20:16:01]
cantrepeat :
I could burn them to dvd and snail mail them faster than I can upload them :smile:
[2019-04-14 20:19:57]
cs2000 :
If you need me to host something @catalinaskirace just say mate
[2019-04-14 20:26:17]
cantrepeat :
thanks man, gonna get with @nocommie and mail him a disc, my upload speed is too slow to send them through DDD
[2019-04-14 20:26:47]
cantrepeat :
I could walk to his house in the time it would take me to upload them and he's two states away!
[2019-04-14 20:30:58]
cs2000 :
:joy: no worries mate
[2019-04-14 20:46:45]
nocommie :
lol
[2019-04-15 08:59:50]
xela75 :
ls
[2019-04-15 09:01:09]
cantrepeat :
ls -l
[2019-04-15 09:05:04]
xela75 :
:grin: oups wrong focus
[2019-04-15 13:04:29]
cantrepeat :
I'm looking for a couple of testers, I think I figured out what was wrong with NLD icon not sticking in apps menu using the work around on crystal sky.
[2019-04-15 19:22:24]
007 :
Hi.
There is a way to use at same time on two command, -c true and -i true ?
If I choose -i I only change icon color, without the name and there can't install on cs, if I choose -c I change only name and not the icon color ?
Thanks
[2019-04-15 19:23:28]
cantrepeat :
try -c -i true
[2019-04-15 19:23:43]
007 :
Ok I will try
[2019-04-15 19:25:16]
cantrepeat :
it could also be -c true -i true
[2019-04-15 19:26:51]
cantrepeat :
no comma
[2019-04-15 19:27:05]
007 :
??
[2019-04-15 19:27:09]
007 :
Ok ?
[2019-04-15 19:34:20]
cantrepeat :
well that didn't work
[2019-04-15 19:34:47]
cantrepeat :
try the second one -c true -i true no comma
[2019-04-15 19:36:34]
cantrepeat :
you could also edit the RunMe.sh and put true in there
[2019-04-15 19:36:48]
cantrepeat :
# Default selected options for output APK creation
keep_temp="false"
decompile_step="true"
patch_step="true"
clone_step="false"
iconmod_step="false"
iconrep_step="false"
repack_step="true"
add_timestamp="false"
source_defog="false"
[2019-04-15 19:38:21]
007 :
-c true -i true works
[2019-04-15 19:38:54]
007 :
Thanks CantaRepeat
[2019-04-15 19:39:03]
cantrepeat :
no worries, glad you got it working
[2019-04-16 05:00:08]
007 :
Hi.
Another question, someone knows why when I start up the app modder on my mobile or cs at the time I see the map after the first start at the second I can't see the map ? I put the same key name on the package name and the same on the label name ?
[2019-04-16 17:16:37]
007 :
Hi
It's happened just on my mobile ?
[2019-04-17 04:13:59]
007 :
Hi.
Any suggestions for my issue with the map on Android mobile ?
[2019-04-17 15:12:37]
nocommie :
So @catalinaskirace and myself have been trying to figure out why the NLD app keeps getting hidden on the CS. Maybe it is related to the fact that there are no app icons for Go4, Go3 or Pilot. You can only access them via the DJI launcher. Maybe the launcher looks for "dji related" apps/icons and removes them? Possibly because NLD is close enough to the DJI name etc, it gets removed? Any ideas? @bin4ry any thoughts?
[2019-04-17 15:23:24]
nocommie :
Just to add, it usually disappears as soon as you bring up the DJI launcher or launch "quick settings" (middle button).
[2019-04-17 15:39:40]
bin4ry :
they just hide it on boot trigger etc. you can usually enable it with pm packageid enable (or similar i cannot remember the cmd from the top of my head)
[2019-04-17 16:15:26]
cantrepeat :
yeah su -c "pm enable dji.pilot.pad" will unhide it,
[2019-04-17 16:15:55]
cantrepeat :
it seems for most people moving the xml file rather than copying it to the pref folder is working.
[2019-04-17 16:56:14]
nocommie :
I have mixed results adding that to the xml but have it set to run at boot via a terminal. But, having it keep disappearing after boot if I use the middle button or quick settings is a PITA lol
[2019-04-17 16:57:53]
007 :
Hi CantRepeat.
I try several time to make apk modder from my Linux to my Android but without success to see the map, I try with my key and with the default key no success?
I put the right name in package.
What is my mistake?
[2019-04-17 17:28:10]
cantrepeat :
Sorry, 007 I'm not that knowledgeable about fixing maps in modder. I haven't tried to build a modder with new map keys and tested it so I don't think I can offer any help.
[2019-04-17 17:29:12]
007 :
Ok, Thanks
[2019-05-07 04:03:40]
abdo054 :
Anyone running both stock and NLD go app on CS?
[2019-05-07 04:04:44]
abdo054 :
Trying to update the stock app and worried if it would result in unwanted issues!
[2019-05-07 04:07:27]
abdo054 :
When I try to update the stock app through Play store I get this
[2019-05-07 04:07:58]
abdo054 :
[2019-05-07 04:09:15]
denkos73 :
There are no CS versions on Google Play
[2019-05-07 04:34:51]
abdo054 :
Oo that's right :joy: .. thanks!
[2019-05-07 04:49:21]
abdo054 :
Is there a way to update the cs stock app without causing anything to NLD?
[2019-05-07 17:11:07]
nocommie :
Yeah, just go into the app and update
[2019-05-07 17:11:33]
nocommie :
I updated my stock app and it didnt cause any issues with NLD
[2019-05-07 17:57:40]
abdo054 :
Thanks @nocommie
[2019-05-07 18:24:59]
cantrepeat :
Just remember that if you fly the stock app along side the NLD the stock GO WILL send all the data to !DJI that it normally sends. NLD does not block the communication between DJI and the stock GO app.
[2019-05-07 18:35:14]
abdo054 :
Thanks for the heads up
[2019-05-08 19:57:46]
nocommie :
anyone know how to reboot into recovery with the hard buttons?
[2019-05-22 03:08:49]
weddingjoe :
Anyone know the location of waypoints.db in CS?
[2019-05-22 19:26:04]
briljantst :
altered build.prop on rooted crystal sky
now only shows dji logo at boot
bricked?
[2019-05-22 20:49:50]
cantrepeat :
why did you alter the build.prop ?
[2019-05-22 21:41:30]
nocommie :
lol, sounds familiar. I did the same thing trying to get an app made for newer android to install. Had to send it back to DJI. What it comes down to is that there is no way to boot into recovery without it being able to connect via ADB. No hard-button way to boot directly into recovery.
[2019-05-23 00:48:44]
denkos73 :
now only the programmer can be fixed. need to shoot emmc
[2019-05-23 00:59:10]
cantrepeat :
the crystal sky part of the wiki needs a wicked update.
[2019-05-30 19:01:18]
prochoice :
crystal sky stuck android 5.1? or does updating firmware up android?
[2019-05-30 20:41:03]
cantrepeat :
no, the DJI firmware for the CS does not update the android OS
[2019-06-11 22:02:57]
cypresskb :
Successfully rooted CS but can't get GO4 patched using deejayeye-modder. Getting errors about apktool.jar and Could not find 'tools\bspatch.exe' Trying to follow this tutorial <https://dji.retroroms.info/howto/crystalsky#rooting>
[2019-06-12 09:05:02]
cantrepeat :
Patching the go app and rooting the CS are two very different things. I think you need to post over in ~android_apk_patching
[2019-06-12 12:37:48]
cypresskb :
:+1:
[2019-06-12 15:16:37]
bin4ry :
you need to run the tools download
[2019-06-12 15:16:51]
bin4ry :
this error means that you didn’t download all needed tools
[2019-06-12 15:17:51]
bin4ry :
number 2 in the reader
[2019-06-12 15:17:54]
bin4ry :
readme
[2019-06-12 15:20:14]
bin4ry :
the readme of deejayeye modder
[2019-06-12 15:26:04]
cypresskb :
ty. I did and it downloaded folder/files but not everything i guess. went NLD for patching. Trying to delete stock GO4 app + files now
[2019-07-05 15:28:49]
dronepilot :
Anyone here know how to write back a firmware to a crystalsky 5.5 monitor? I did root it back a few months, but did delete everything and now it doesn’t skip dji home screen.
[2019-07-05 16:50:56]
nocommie :
Not sure what you are asking. Are you wanting to restore it to factory? If so, just reflash the FW.
[2019-07-05 17:00:36]
quad808 :
put a front end on it
[2019-07-05 17:01:49]
quad808 :
like nova launcher
[2019-07-05 18:02:14]
dronepilot :
@quad808 but i doesn’t move from the dji logo screen, since the day i deleted the dji launcher.
I did connect to the pc and gives me that usb sound, i have tried to connect on dji assistant but nothing happens and dmld shows no connection.
Would be very helpful that a could unbrick the screen.
Thanks
[2019-07-05 18:16:17]
cantrepeat :
I assume your other CS is rooted so
[2019-07-05 18:16:19]
cantrepeat :
You need an adb shell to the CS. Start your shell and enter the command below.
adb shell
Now get root going.
su
I like to do these commands at the root so do this command.
cd /
The command to get all of the system files into a system.img file is this.
dd if=/dev/block/mmcblk0p10 of=/mnt/internal_sd/Download/system.img
You should see something like:
******************
root@zs600b:/ # dd if=/dev/block/mmcblk0p10 of=/mnt/internal_sd/Download/system.img
6291456+0 records in
6291456+0 records out
3221225472 bytes transferred in 68.097 secs (47303485 bytes/sec)
root@zs600b:/ #
*****************
[2019-07-05 18:17:05]
cantrepeat :
once you have the system image you can copy it over to your broken CS
[2019-07-05 18:46:08]
nocommie :
@rgf8aerial listen to @catalinaskirace He helped me un-brick my CS but I had to have a 2nd CS to get the needed files from
[2019-07-05 19:56:10]
dronepilot :
Nice i will give a try, thanks.
[2019-07-05 20:24:35]
cantrepeat :
@nocommie good times!!!
[2019-08-03 01:54:06]
jemo07 :
Hi, any how-to for rooting my CS?
[2019-08-03 09:49:22]
cantrepeat :
Have you already tried to root it?
[2019-08-03 09:50:04]
cantrepeat :
@jemo07 have you already attempted to root it?
[2019-08-03 12:57:18]
jemo07 :
No, just arrived so I thought I’d give it a go. :) I did find this <https://dji.retroroms.info/howto/crystalsky> so will give that a try.
[2019-08-03 15:13:07]
cantrepeat :
<https://pastebin.com/sY1PiRjH>
[2019-08-07 23:05:13]
dronepilot :
Is there anyway to get fcc on dji goggles re?
[2019-08-08 08:21:41]
cat.db :
Does anybody make a twm recovery for crystalsky ? Crystalsky is android 5.1.1, if we have recovery ,we can flash other bin file ,if it has .
[2019-08-08 09:41:44]
cantrepeat :
I've never seen one, but it would be nice to have it.
[2019-08-08 09:52:52]
dronepilot :
I have a brick 5.5 CS can i add another system to use since its android base?
[2019-08-08 10:53:44]
cantrepeat :
haven't we already discussed your bricked 5.5?
[2019-08-08 10:57:16]
denkos73 :
no, but can be cured
[2019-08-08 11:02:43]
cantrepeat :
@denkos73 I think it's bricked to the point of not being able to adb to it. So can't restore the system img
[2019-08-08 11:07:37]
denkos73 :
remove the memory and the programmer
[2019-08-08 11:37:11]
cantrepeat :
for most people it's probably easier and faster just to send it back to DJI
[2019-08-08 11:40:09]
denkos73 :
I tried, it didn’t work, I had to go my own way
[2019-08-08 12:26:17]
cantrepeat :
Then you should do a howto and post that up for others to use.
[2019-08-08 13:32:34]
dronepilot :
Yes it has been discussed, the question is since it’s brick can’t be used for another thing?
[2019-09-18 16:53:05]
007 :
Hi every 1.
I try to fly my p4p today with my root cs on Litchi app.
I am not success to change the 2.4 frequency to 5.8 GHz. (with the nld its working)
I press on button and saw the 2.4, 5.7 &5.8 GHz.
Thanks
[2019-11-07 22:43:04]
chipmangini :
Has anyone tried rooting CS 7.85 running v2.6? It's still on Android v5.1, so I would imagine so, but I would rather not brick it and have to send it to !dji
[2019-11-07 23:00:59]
cantrepeat :
You can use my howto on NLD, 2.6 works the same
[2019-11-07 23:07:23]
chipmangini :
@catalinaskirace, Thanks, your next hooker is on me! :stuck_out_tongue_winking_eye:
[2019-11-07 23:08:19]
chipmangini :
Oh, and an 8 Ball too!
[2019-11-07 23:12:52]
chipmangini :
@catalinaskirace Link? (maybe too much tequila...)
[2019-11-07 23:15:13]
chipmangini :
NVM, found it. Just needed more tequila...
[2019-11-07 23:15:55]
cantrepeat :
<https://nolimitdronez.com/boards/topic/39/howto-rooting-dji-crystal-sky>
[2019-11-07 23:16:06]
cantrepeat :
in case, there are a couple on there
[2019-11-07 23:17:39]
cantrepeat :
there's a link in that guide to making a backup of your system.img before you root. it lets you restore from a partial brick.
[2019-11-07 23:17:59]
cantrepeat :
well after you root actually
[2019-11-07 23:33:27]
chipmangini :
@catalinaskirace I've rooted every Android device I've owned since the OG Droid. Now on Pixel 4XL. Hell, I just unlocked the bootloader on my $25 Walmart TracPhone I got yesterday so I could fly my Tello. (the Tello app won't run on Android 10 :neutral_face:)
[2019-11-07 23:34:21]
chipmangini :
Thanks again, I'll put in a good word to the Oligarchs for you...
[2019-11-07 23:34:50]
cantrepeat :
bill for hookers and blow is in the mail!
[2019-11-07 23:37:29]
chipmangini :
@catalinaskirace You got it B A B Y !
[2019-11-08 00:22:49]
cantrepeat :
I’m gonna install NLD go app on my trucks android pie 10 stereo head unit!!
[2019-11-08 00:37:48]
chipmangini :
Here's my rooftop mount for my 4W amplified panel that sticks to my car's roof so I can fly when it's cold or hot outside:
[2019-11-08 01:49:44]
cantrepeat :
now that's some hardcore dedication to flying right there
[2019-11-17 20:30:43]
pingspike :
anyone successfully changed the DJI logo that's displayed while the CS is booting?
[2019-11-17 20:44:22]
cantrepeat :
If you scroll all the way back to some time in 2017 you will see someone was working on it, not sure if they got it done or not.
[2019-11-17 20:47:58]
pingspike :
*gets scrolling*
[2019-12-20 02:55:14]
fstephan1 :
New firmware update for Crystal Sky v3.0.2.0 - <https://www.kopter-support.de/viewtopic.php?p=3115#p3115>
[2019-12-20 09:09:08]
xela75 :
Interesting to see if root still works on that version...
[2019-12-20 11:32:27]
fstephan1 :
Unhappy CrystalSky customer, DJI don't care :disappointed: - <https://forum.dji.com/forum.php?mod=forumdisplay&fid=129&filter=typeid&typeid=690>
[2019-12-20 13:01:09]
xela75 :
Too bad! All these guys from DJI Forum have to root their CS to get it to work!
[2019-12-20 13:41:17]
nocommie :
"*Note:*
• DO NOT revert to an earlier firmware version after updating to v3.0.2.0. Otherwise, CrystalSky will malfunction and the user will be required to contact DJI After-Sales for support."
[2019-12-20 20:37:57]
cantrepeat :
Thanks @nocommie added to the wiki
[2019-12-20 20:38:25]
cantrepeat :
hopefully we can help prevent a rash of bricked CSs
[2019-12-20 20:38:59]
cantrepeat :
anyone brave enough to test the new firmware and see if the current root still works? #notit!
[2019-12-20 20:41:09]
cantrepeat :
according to some of the posts in the DJI forums the current root does not work with this new firmware.
[2019-12-20 21:02:22]
pingspike :
which reminds me, I followed your guide @catalinaskirace on taking a backup aaagggeeees ago
did you ever write a guide on how to restore? :thinking_face:
[2019-12-20 22:40:10]
cantrepeat :
I've got it done, @nocommie tested it for me so that's good. Just need to grammar it up and post it.
[2019-12-20 22:41:20]
nocommie :
Yep, still much appreciated @catalinaskirace! That was a marathon hacking week!
[2019-12-20 22:42:39]
cantrepeat :
good times had by all!
[2019-12-20 22:44:42]
cantrepeat :
added the warning Note to the NLD guide as well
[2019-12-21 14:17:12]
pingspike :
great work guys - very grateful :+1::skin-tone-2:
[2019-12-21 14:17:53]
pingspike :
was anyone brave enough to upgrade to v3.0.2.0 and test root? :scream:
[2019-12-21 14:18:23]
pingspike :
I don't think the upgrade offers us anything special
[2019-12-21 14:19:43]
pingspike :
so I'll probably stay put on v2.06.06.00
[2019-12-21 21:03:31]
cantrepeat :
Yeah, considering I run a 4.1.22 NLD GO app I see nothing in the new DJI CS firmware I need.
[2019-12-21 21:04:00]
cantrepeat :
To me, it just looks like they are trying to tighten up their product security is all.
[2019-12-24 01:55:17]
dronepilot :
@catalinaskirace don’t know if you remember i have a bricked cs 5.5 and i just received a new one today.
Any way to copy the system from the new one and install everything back on the bricked?
[2019-12-24 02:05:00]
cantrepeat :
not without having rooted ADB working on your bricked CS
[2019-12-24 02:07:28]
dronepilot :
The adb works but doesn’t open the port to load.
[2019-12-24 10:00:11]
fstephan1 :
Try to get warranty for the old one with the papers from the new one.
[2019-12-24 13:36:07]
dronepilot :
It’s an option
[2019-12-25 14:29:59]
dronepilot :
Any suggestion on which screen recorder to use on cs 5.5 that won’t give me lag.
[2019-12-25 16:51:48]
dronepilot :
Any way to install dji fly app on cs 5.5
[2019-12-25 23:03:31]
cantrepeat :
@rgf8aerial I never found a screen recorder that would not lag on a CS and I tried many of them. At least 5 different apps. The only thing that worked for me was an external screen capture hardware device.
[2019-12-25 23:04:26]
cantrepeat :
I used this with an external battery. <https://www.amazon.com/gp/product/B01IF3RH90/ref=ppx_yo_dt_b_search_asin_title?ie=UTF8&psc=1>
[2019-12-25 23:09:40]
dronepilot :
@catalinaskirace I downloaded a few screen recorders also. Like you said didn’t find any that doesn’t lag.
[2019-12-25 23:10:25]
dronepilot :
Any way to update dji go 4 past version 4.3.16 on the CS?
[2019-12-25 23:12:05]
cantrepeat :
Not that I know of.
[2019-12-25 23:13:07]
cantrepeat :
But, I've not really looked into it past the info on here. I use NLD 4.1.22 so I'm not concerned about other versions.
[2019-12-25 23:14:21]
nocommie :
The CS is old hardware and ancient android (5.5). Don't expect many new apps to work on it. I doubt you will find a screen recorder that won't lag.
[2019-12-25 23:14:26]
dronepilot :
Nice but NLD 4.1.22 doesn’t support M2 unfortunately.
[2019-12-25 23:15:14]
dronepilot :
@nocommie you’re correct. Would love to install dji fly
[2019-12-25 23:15:21]
nocommie :
I am using my CS with M2pro with the stock app and also have NLD installed. I am not on the latest FW either
[2019-12-25 23:15:48]
nocommie :
I use modded m2p with the stock Go on CS with no issues
[2019-12-25 23:16:37]
dronepilot :
Same here running on a M2 and MPP. Just wished it would work with the mini also.
[2019-12-25 23:18:59]
nocommie :
Fly app requires android 6 or higher so you are out of luck. I tried hacking the CS to trick apps that need a higher version of android to install and bricked it.
[2019-12-25 23:19:34]
nocommie :
I was looking for help to mod a generic android 7 to install but didn't get any takers
[2019-12-25 23:22:11]
nocommie :
I have even looked at using a Raspberry Pi to make my own high brightness android tablet but got stuck at finding a usb touchscreen digitizer that was plug and play with android.
[2019-12-25 23:26:37]
dronepilot :
@nocommie did you manage to bring back to life your bricked CS?
[2019-12-25 23:28:24]
nocommie :
Yep. @catalinaskirace helped me get it back. But, I still had adb access and another CS to pull the image from. Well, that was the first time. I bricked it again really good and had to send it back to DJI. Sure wish there was a custom recovery for it.
[2019-12-25 23:30:31]
nocommie :
So now I use a Note 8 for my Parrot anafi thermal, Skydio2 and anything else I can't run on the CS. It is the brightest tablet/phone you can get and with an antiglare film on it, it is pretty good.
[2019-12-25 23:34:47]
quad808 :
I wonder if Apowermirror would work...screen share an up to date android phone to the rooted CS
[2019-12-25 23:34:55]
dronepilot :
Yes CS is awesome. Wished @catalinaskirace would help me unbrick my cs, like i said did purchase a new cs just to get the image from the new one and unbrick the other.
[2019-12-25 23:35:12]
nocommie :
I thought you didn't have adb access?
[2019-12-25 23:36:44]
nocommie :
Probably would @quad808
[2019-12-25 23:37:20]
dronepilot :
I have access to adb the problem is the bootloader that’s closed.
[2019-12-25 23:37:58]
nocommie :
what do you mean? Can you get root access in adb?
[2019-12-25 23:39:50]
dronepilot :
adb has access, the only command that doesn’t work is the one to load the bootloader
[2019-12-26 01:25:34]
quad808 :
confirming connection from Samsung s9+ using tether wifi to CS monitor
[2019-12-26 01:27:40]
quad808 :
so, why would you do this? You could use this in order to use the CS as just a monitor, but be able to fly whatever device you have connected to your phone. The CS is mirroring the phone, but you can't control the phone with the CS. Both are running Apowermirror over the Samsung's wifi
[2019-12-26 01:28:26]
quad808 :
There is a slight lag, but if you are just using a camera drone, this would work great
[2019-12-26 01:30:36]
quad808 :
@nocommie check this out
[2019-12-26 01:36:37]
quad808 :
I had to side load ApowerMirror after I used APK Extractor to get the APK from the phone. Google play on the CS wouldn't let me download it.
[2019-12-26 01:37:45]
quad808 :
Also, I have a dedicated phone for flying, but no SIM, so on that phone, can't tether the wifi connection. Both need to be on the same wifi.
[2019-12-30 02:10:02]
dronepilot :
Does any fake gps work on CS?
[2019-12-30 17:31:22]
pingspike :
Never tried... the GPS receiver in the CS is bloody terrible :pensive:
[2019-12-30 17:31:52]
pingspike :
You could probably just shout at it and it'd change locations.
[2019-12-30 19:17:56]
quad808 :
bwahahahahaha
[2019-12-30 20:15:34]
cantrepeat :
**shouts** Beer Frig!!!!!
[2019-12-31 00:28:06]
dronepilot :
How to downgrade cs 5.5 firmware didn’t enjoy the latest.
[2019-12-31 00:32:25]
nocommie :
**Note:**
• DO NOT revert to an earlier firmware version after updating to v3.0.2.0. Otherwise, CrystalSky will malfunction and the user will be required to contact DJI After-Sales for support."
[2019-12-31 00:44:55]
dronepilot :
Any way to downgrade @nocommie ?
[2019-12-31 00:45:59]
dronepilot :
I did upgrade to 3.0.2.0 and now it’s very lag.
[2019-12-31 00:49:18]
nocommie :
Per the release notes (always good to read ahead of time BTW)
_*Note:*_
• _*DO NOT revert to an earlier firmware version after updating to v3.0.2.0. Otherwise, CrystalSky will malfunction and the user will be required to contact DJI After-Sales for support."*_
[2019-12-31 00:57:50]
dronepilot :
Oh boy got jammed in this firmware?
[2019-12-31 02:04:11]
cantrepeat :
Gezz the hell! Told everyone in here and posted it on both the NLD forums and the wiki
[2019-12-31 02:05:16]
cantrepeat :
Did you try rooting it?
[2019-12-31 02:06:02]
dronepilot :
Nope this is the brand new cs only the other that was rooted and now is bricked.
[2019-12-31 02:06:36]
cantrepeat :
The root didn't cause the brick
[2019-12-31 02:08:00]
cantrepeat :
did you root your new one and get a back up?
[2019-12-31 02:08:12]
cantrepeat :
before you updated the firmware?
[2019-12-31 02:09:25]
dronepilot :
Nope the root went perfect. The problem was that i deleted dji launcher from it. It was a brand new never used cs. And now i update another brand new and used today first time and I’m very disappointed.
[2019-12-31 02:10:44]
dronepilot :
Didn’t root the new one just hit the update button. I’m so pissed on me.
[2019-12-31 02:11:51]
cantrepeat :
It happens
[2019-12-31 02:13:47]
dronepilot :
Any fix all this mess?
[2019-12-31 02:21:40]
cantrepeat :
You'd need to root the new one and install a good system image from a good CS. Which is why you should have rooted it first and made the back up of the good system image.
[2019-12-31 02:38:15]
quad808 :
@catalinaskirace did you give ApowerMirror a try yet? works a treat
[2019-12-31 11:35:53]
cantrepeat :
No, hadn't looked at it yet.
[2019-12-31 16:30:07]
dronepilot :
@catalinaskirace next week will borrow a friend cs 5.5 same as mine to back up everything like you said above.
How can i proceed to get everything nice.
[2019-12-31 19:32:31]
cantrepeat :
Well, you'll need to root your new CS, I'm not sure if the lordroot will work on the new firmware but you can try it. The android OS should still be the same.
[2019-12-31 19:32:59]
cantrepeat :
if the root works and you can get adb on you can try putting the good system image on it.
[2019-12-31 19:43:52]
007 :
Happy New year for all helpers and hard workers.
[2019-12-31 21:51:22]
pingspike :
> I'm not sure if the lordroot will work on the new firmware
Nobody has been brave enough to test this one yet I guess?
[2019-12-31 22:14:43]
cantrepeat :
well, the issue is that no one other than Rubens has upgraded to the v3.0.2.0. firmware so no one has tried the root
[2019-12-31 22:15:07]
cantrepeat :
the reason no one other than Ruben has upgraded to the firmware is the fear of not being able to downgrade.
[2019-12-31 22:15:19]
cantrepeat :
so it's up to ruben to test the root
[2020-01-01 02:11:41]
dronepilot :
I will try CantRepeat can you help me on the process by giving me the steps?
[2020-01-01 08:09:38]
pingspike :
@rgf8aerial there’s a guide here <https://nolimitdronez.com/boards/topic/39/howto-rooting-dji-crystal-sky>
[2020-01-01 10:43:09]
fstephan1 :
The guide is very old. And no one knows if it is working on the v3.0.2.0 firmware.
[2020-01-01 11:59:01]
cantrepeat :
The guide is current and that's the point of Ruben testing the root on new firmware.
[2020-01-01 16:06:07]
dronepilot :
Thanks guys will be back shortly as soon my friend get back to town from his new year’s trip.
[2020-03-22 04:21:16]
denkos73 :
how to make DJI go4.1.22 patch work on crystalsky 3.0.2.0
[2020-03-26 12:44:15]
cantrepeat :
It has been confirmed, if you install firmware v03.00.02.00 (12/09/2019) you will not be able to install firechain and google play store as outlined on <https://dji.retroroms.info/howto/crystalsky#crystal_sky_rooting> or the nolimitdronez guide.
[2020-03-26 13:38:37]
denkos73 :
everything is normal to be put
[2020-03-26 13:40:28]
denkos73 :
[2020-03-26 13:41:04]
denkos73 :
Vvb
[2020-03-27 10:11:23]
cantrepeat :
@denkos73, so did you get the playstore and firechain to install on v03.00.02.00 ??
[2020-03-27 10:25:32]
denkos73 :
Yes
[2020-03-27 10:27:32]
denkos73 :
[2020-03-27 10:39:18]
denkos73 :
If someone has "bricks", I will restore them.
[2020-03-27 12:54:49]
cantrepeat :
What if any issues did you run into? I read that a reboot at a particular stage is now necessary. If I can get this figured out I'll update the guide and the wiki.
[2020-03-27 13:08:48]
cat.db :
can you share your dji go 4 app to me ?
[2020-03-27 21:38:55]
007 :
Hi
Maybe someday know why I get on my rooting cs that message?
I click ok and the cs works ok.
[2020-03-28 07:43:06]
bin4ry :
adb logcat
[2020-03-28 07:43:31]
bin4ry :
and read the log to see what is crashing
[2020-03-28 08:50:35]
007 :
How ?
[2020-03-28 09:00:44]
cantrepeat :
@hydrop75 How are you restoring them? I'd like to get that added to the wiki as well.
[2020-03-28 09:33:11]
007 :
I think I found from terminal on my cs I write logcat and get a long message, I make screenshot from the beginning when I can see something failure?
[2020-03-28 09:35:43]
007 :
[2020-03-29 16:48:24]
007 :
Hi
I going in side to Device-dev-blkiobg_non_interactive_tasks and I get a numbers, look at the photos.
You know what is the issue ?
Thanks
[2020-03-29 16:49:13]
007 :
[2020-03-29 16:49:35]
007 :
[2020-03-29 17:32:00]
bin4ry :
do a full logcat on console and save it
[2020-03-29 17:32:05]
bin4ry :
or export it from an app
[2020-03-29 17:32:16]
bin4ry :
only a full logcat can show the problem
[2020-03-29 17:32:25]
bin4ry :
not a screenshot, sorry
[2020-03-29 17:45:41]
007 :
how can i copy the file from the terminal ?
[2020-03-29 19:00:44]
bin4ry :
adb logcat > log.txt from a linux computer connected to it
[2020-03-29 19:01:04]
bin4ry :
but i guess there might be 100 programs to do that, just google a bit what suits you best
[2020-03-29 19:44:40]
007 :
Ok thanks I will upload it soon
[2020-03-30 17:08:38]
007 :
i hope that file is ok ?
[2020-03-31 13:27:45]
bin4ry :
yes you can read the file yourself too :wink: just search for crash and you will see many apps that crash, an app which is crashing all over the time is "clashofclans", so maybe that is your problem here ;)
[2020-03-31 13:53:20]
007 :
Thanks bin4ry, You're the expert.
[2020-03-31 15:44:35]
007 :
[2020-03-31 15:45:19]
007 :
I found that error, you recognize what is this ?
[2020-03-31 16:33:47]
bin4ry :
nope
[2020-03-31 17:31:57]
steventisseyre :
Is it possible to extract a complete image from a CrystalSky and reinstall it onto another one?
[2020-03-31 17:33:11]
denkos73 :
Yes
[2020-03-31 17:53:28]
steventisseyre :
Thank you @denkos73, what would be the method of doing this please? Any particular software / hardware required?
[2020-03-31 17:56:58]
denkos73 :
why do you need to completely rewrite it?.
[2020-03-31 18:26:44]
cantrepeat :
<https://nolimitdronez.com/boards/topic/266/howto-backing-up-your-dji-crystal-sky-system-image>
[2020-03-31 18:28:18]
cantrepeat :
The two CSs should be the same size.
[2020-03-31 18:30:23]
denkos73 :
And still in working order and have root:joy:
[2020-03-31 18:33:11]
cantrepeat :
Nice
[2020-03-31 18:33:24]
cantrepeat :
I have a 5.5 I might update to document it.
[2020-03-31 19:10:57]
steventisseyre :
Many thanks for the link, I shall give it a go :+1::skin-tone-3:
[2020-04-20 10:44:35]
steventisseyre :
Is anyone able to help and provide an upload of a clean 7.85” CS image please?
[2020-05-10 09:13:12]
steventisseyre :
:point_up: Anyone able to assist please?
[2020-08-17 13:07:40]
nocommie :
Considering selling one of my 7.85 CrystalSkys. It will come rooted with play services installed and ready for you to sign into your google account to install whatever you want that is compatible with android 5.5. US only and you must have been around here for awhile. Includes 2 batteries and charging hub (need your own power source) $700 shipped. DM me if interested.
[2020-08-17 14:09:36]
ben_lin :
so you have more than one:thinking_face:
[2020-08-17 14:09:56]
ben_lin :
That's some heavy investment right there
[2020-08-17 15:14:11]
nocommie :
lol, well, I bricked one and bought another to extract the rom to reinstall. All due to @catalinaskirace helping.
[2020-08-28 09:32:29]
cantrepeat :
Just to clarify, my help didn't brick his first one, @nocommie did that on his own. :smile: I just helped him unbrick it.
[2020-08-28 09:37:47]
denkos73 :
it was possible not to buy. I have all the dumps and have been recovering a long time ago
[2020-08-28 21:13:06]
cantrepeat :
Yes, if you had a good image you could restore from that but nocommie didn't have one.
[2020-08-28 21:36:50]
steventisseyre :
Does anyone have an image of a CS 7.85” that they are willing to share please for a recovery? It would be much appreciated.
[2020-09-04 16:06:49]
abdo054 :
I remember a while ago someone mentioned that he was able to find a tablet that is more up to date than the crystalsky and works great with DJI and Anafi. Would appreciate if the Amazon link could be shared again .. Thanks!
[2020-09-04 16:32:51]
pingspike :
a 2000nits tablet? :thinking_face:
[2020-09-04 16:43:19]
mel69hash :
It's a Feelworld 4K 2200 nit brightness
<http://www.feelworld.cn/ShowInfo.aspx?id=598>
[2020-09-04 16:43:38]
mel69hash :
Not a tablet though
[2020-09-04 17:11:04]
abdo054 :
If I recall correctly, yes
[2020-09-04 17:11:20]
abdo054 :
Thanks a lot
[2020-09-04 17:53:02]
quad808 :
this one? <https://dji-rev.slack.com/archives/C5ZR0QXUG/p1597342333097700>
[2020-09-04 18:33:58]
abdo054 :
Thank you
[2020-09-29 10:24:55]
fbi.airfield51 :
Hi, new to slack, I have a root crystalsky related question, has anyone tried running exposed on it? By using fireflas, or once SU is installed switch it over to Magisk?
Thanks
[2020-09-29 10:27:04]
denkos73 :
will not work
[2020-10-22 19:18:05]
hofmann_torsten :
Hello everybody.
Some time ago I rooted my GL300E remote control because I read on NLD that it was necessary to be able to install the NLD app.
That worked, too. Then I tried to install the PlayStore using the NLD instructions. But that was canceled due to insufficient memory.
In a German forum, a user wrote that you can use Titanium Backup to uninstall unnecessary apps.
I did that to make room (Facebook, Instagram, etc.). And carelessly, I've already deleted the original DJI GO app. So I had no more possibility to do anything on the device, because nothing else comes out except the DJI LOGO.
Does anyone have any ideas how I can get the remote control working again?
What I've tried so far ...
- The NLD GO $ 4 app installed via "adb install"
However, I didn't manage to start the app via "adb shell am start"
-Install the original DJI ROM via "adb sideload".
That didn't work either :-(
[2020-10-23 00:39:41]
fbi.airfield51 :
Yes, I did that, I followed NLD instructions and did the same thing, uninstalled the stock go 4 app and it booted the same way
[2020-10-23 00:40:17]
fbi.airfield51 :
On a crystal sky, not the remote, did you make dd backup?
[2020-10-23 00:44:40]
fbi.airfield51 :
I'm not sure you carelessly deleted it, to me it looked like an instruction, first uninstalled stock go 4 then install modded app. Rebooted stuck on logo
[2020-10-23 01:04:22]
fbi.airfield51 :
May have to do with firmware versions, I'm using the newest one that has been stated won't work, some users said it does. I can't flash gapps with flash fire, I'm tempted to try to downgrade but I'm afraid I'm gonna make a real brick instead of a fixable 1/2 brick.
[2020-10-23 05:25:28]
hofmann_torsten :
I used Titanium Backup to back up the original DJI Go app before deleting it. But without this app there is no interface via which the backup can be restored.
My next idea is to flash a TWRP recovery because the STOCK recovery has no option to install a ROM and you cannot boot it into the sideload mode.
But I don't know yet which TWRP version I can take :thinking_face:
The last resort is to send the remote control to DJI support before it is completely broken :neutral_face:
[2020-10-23 11:12:06]
fbi.airfield51 :
When you rooted, after you installed SU, before anything else, did you make a dd backup of your system?
[2020-10-23 11:13:43]
fbi.airfield51 :
Don't attempt anything else don't attempt to change your recovery stop here.
[2020-10-23 11:14:30]
fbi.airfield51 :
Right now you may have a chance if you did what I did, you make it any worse you may have a complete brick
[2020-10-23 11:17:46]
fbi.airfield51 :
I restored my DD backup from my own system, but I also read the backup doesn't have to be your own, it just has to be the same model (at least for crystal sky). I don't have a smart controller but I would assume this can be done the same way as a crystal sky, did the method you rooted with use lord root and install SU?
[2020-10-23 11:27:46]
fbi.airfield51 :
[2020-10-23 11:28:01]
fbi.airfield51 :
Oh just looked up , its a phantom controller, looks like you posted at a site that shows your remote next to a crystal sky, is this yours?
[2020-10-23 11:29:55]
fbi.airfield51 :
Those instructions are good for rooting but not fixing a problem, should have read NLD backup/restore, you need someone who followed the backup instructions and have them send you a copy to restore your remote
[2020-10-23 11:31:08]
fbi.airfield51 :
<https://nolimitdronez.com/boards/topic/266/howto-backing-up-your-dji-crystal-sky-system-image>
[2020-10-23 11:32:23]
fbi.airfield51 :
dd if=/dev/block/mmcblk0p10 of=/mnt/internal_sd/Download/system.img
[2020-10-23 11:33:25]
fbi.airfield51 :
mmcblk0p10 may differ on your remote but I have a feeling this is what you need to read to fix it
[2020-10-23 11:36:13]
fbi.airfield51 :
If you did that command, I got a good feeling your fix is as easy as this, and if you know someone with same remote that has a backup, or will root their device and back a backup and send you system.bin your fix is this command dd if=/mnt/external_sd1/system.img of=/dev/block/mmcblk0p10
[2020-10-23 21:19:19]
hofmann_torsten :
@fbi.airfield51
Yes, that's me at [greyarro.ws](http://greyarro.ws)
And no, I didn't do a DD backup. To be honest, I just had to see what a DD backup was.
I treated the Phantom Controller like a CrystalSky and rooted it with Lord Root and then installed SU.
The idea of having the DD backup from an identical controller is great !! :star-struck:
Now I just have to find someone who has made or would do such a backup :sweat_smile:
[2020-10-24 17:18:19]
pingspike :
that could be the hard part :grimacing:
could always ask in ~general as you never know...
[2020-10-31 18:14:54]
dnkeil :
Has anyone managed to get the CS NLD app working on the GL300E? I gave up when I couldn't see how to change the launcher program on it and the NLD app install failed.
[2020-10-31 18:38:14]
fbi.airfield51 :
Out of curiosity, you got your remote to boot cs firmware?
[2020-10-31 18:39:18]
fbi.airfield51 :
Oh the app, is it rooted?
[2020-10-31 18:40:52]
fbi.airfield51 :
I don't have that remote but I know it needs root, and launcher wise nova is nice
[2020-11-01 03:32:33]
dnkeil :
I'll check out nova launcher, thanks.
[2020-11-01 06:44:24]
hofmann_torsten :
Good Morning. I now have the image file and have already copied it to the SD card.
I know a bit about LINUX, but I'm not quite sure about the command line.
Can someone help me there?
[2020-11-01 13:24:45]
fbi.airfield51 :
You can use windows
[2020-11-01 13:25:25]
fbi.airfield51 :
Use the tools from nld
[2020-11-01 13:27:38]
fbi.airfield51 :
Make sure when you're in you SU and it shows Root as the user, first time I did restore it didn't work at first and realized I wasn't in as root
[2020-11-01 13:30:31]
fbi.airfield51 :
It'll look like this root@zs600b (zs600b) will be different in your case I think
[2020-11-01 13:34:23]
fbi.airfield51 :
<https://nolimitdronez.com/boards/topic/266/howto-backing-up-your-dji-crystal-sky-system-image> first link on "how to root" has all the tools, windows will not show progress during a dd, it'll look like it's stuck but it's not, wait till it's done, Linux does same but to make it not look stuck you can use - status=progress and it'll kinda show you it's transferring,
[2020-11-01 14:57:23]
steventisseyre :
Hi @hofmann_torsten, do you have an image for a 7.85” CrystalSky please, I’ve been trying to source one to reflash my unit.
[2020-11-01 14:58:52]
fbi.airfield51 :
I think he's just got a phantom 3 image, its what he's working on, I only have a 5.5 cs sorry
[2020-11-01 15:03:05]
fbi.airfield51 :
Did you remove go4 stock app too? You use the newest firmware? This may be a step that needs to be skipped on the new firmware, I just disabled it when I restored, I haven't tried to uninstall it again to see if it happens again
[2020-11-01 17:08:34]
hofmann_torsten :
@steventisseyre No, unfortunately not. I'm sorry !!
[2020-11-01 17:11:12]
hofmann_torsten :
Thanks for the hint :+1:
[2020-11-01 17:15:52]
hofmann_torsten :
Yes, I also uninstalled the GO4 Stock App.
A second time I will not make this mistake !!
[2020-11-01 18:27:17]
fbi.airfield51 :
I also have titanium backup on my CS its OK to disable it/freeze
[2020-11-01 18:45:53]
hofmann_torsten :
When I start the shell it shows:
shell @ gl300e: / $
When I enter "su", it does not display "root @ gl300e: / $", but rather "1 | shell @ gl300e: / $"
I am perplexed :thinking_face:
[2020-11-01 18:46:46]
fbi.airfield51 :
There is something u can get it I had the same problem at first but its get able
[2020-11-01 18:47:57]
fbi.airfield51 :
It was late at night I was tired didn't work noticed wasn't as root
[2020-11-01 18:48:40]
fbi.airfield51 :
Maybe I even tried rerooting there?
[2020-11-01 18:49:03]
fbi.airfield51 :
I may have rerun the ./lordroot
[2020-11-01 18:50:30]
fbi.airfield51 :
If you can't get it I'll try and uninstall the go4 app and go into a bootloop/brick mine and tell you, but try first if you don't get it let me know
[2020-11-01 18:53:10]
fbi.airfield51 :
Did you try running without root and restore and get errors?
[2020-11-01 19:22:38]
hofmann_torsten :
No, I didn't try without root.
But running ./lordroot again is a good idea.
I'll try that out tomorrow.
[2020-11-01 19:22:58]
hofmann_torsten :
Thanks and good night.
[2020-11-02 10:41:21]
hofmann_torsten :
That did not work. :disappointed_relieved: Now the display stays black and I no longer have access via adb :sob:
[2020-11-02 10:54:50]
hofmann_torsten :
[2020-11-02 10:55:13]
hofmann_torsten :
That was the output in the shell :neutral_face:
[2020-11-02 11:26:42]
hofmann_torsten :
Hopefully I haven't destroyed the remote now :cold_sweat:
[2020-11-02 20:52:06]
pingspike :
:pensive:
[2020-11-02 21:07:12]
fbi.airfield51 :
Were you supposed to unzip it first?
[2020-11-02 21:07:39]
fbi.airfield51 :
Isn't 7z a zip?
[2020-11-02 21:14:43]
fbi.airfield51 :
It may be compressed
[2020-11-02 21:14:53]
fbi.airfield51 :
Not sure about space
[2020-11-02 21:22:23]
fbi.airfield51 :
I never did a 7z but it may be like this example example: 7za x /mirror/backup-sda.7z -so | dd of=/dev/sda bs=1024
[2020-11-02 21:23:55]
fbi.airfield51 :
I used to do Raspberry Pi ssd disk I think there were compression options but I honestly can't remember it was so long ago
[2020-11-02 21:24:52]
fbi.airfield51 :
It opens like a zip, but I've never tried to open a backup image before, they all may
[2020-11-02 21:32:39]
hofmann_torsten :
There were various system files in the archive.
[2020-11-02 21:35:38]
hofmann_torsten :
I am completely at a loss :pensive:
[2020-11-02 21:36:27]
hofmann_torsten :
Mainly because ADB no longer works
[2020-11-02 21:37:17]
hofmann_torsten :
I'll call DJI tomorrow
[2020-11-02 21:38:22]
fbi.airfield51 :
How old is it?
[2020-11-02 22:12:14]
fbi.airfield51 :
Yes that was compressed with big files, a regular image isn't compressed, it's an exact copy, the size can't be bigger than the drive you're trying to restore, sorry, I have seen flashing done my phones, seen people with bricks have been able to recover drivers and scripts, use XDA? That may have some tools to look into
[2020-11-02 22:14:04]
fbi.airfield51 :
Some able to get black screens working again, its phones mainly but the idea may be the same.
[2020-11-02 22:26:44]
fbi.airfield51 :
Something like this, <https://phantompilots.com/threads/fixing-flash-programming-in-dm365-chip-within-gl300-remote-controller.144123/>
[2020-11-15 17:00:52]
hofmann_torsten :
Hello @fbi.airfield51
This weekend I finally had time to take a look at the link.
I do a lot myself and I have a lot of confidence in myself. But that is beyond my capabilities.
Nevertheless, thank you very much for your efforts!!
I will send the remote control to DJI now :pensive:
[2021-01-30 11:54:40]
bin4ry :
@channel who has the CS on latest firmware available to test something for me? (adb access needed!)
[2021-01-30 18:18:09]
mathieu.peyrega :
I left it on the previous rootable one but seeing how much I use it now, I can upgrade it.
[2021-01-30 18:18:48]
mathieu.peyrega :
related to CVE-2021-3156 ?
[2021-01-31 07:28:28]
bin4ry :
something different, will send pm
[2021-03-16 15:27:13]
djibot.5150 :
Have you tried making a custom ROM for CrystalSky? I know the bootloader is locked, but if I'm not mistaken an older Kindle (otter I believe) had a locked bootloader and was able to be flashed with new ROMs with fireflash
[2021-03-24 22:37:21]
mad_angler1 :
It would be fantastic to see some new life for CS somehow.
[2021-03-25 08:44:52]
pingspike :
being able to run a newer version of Android would be a life saver for the CS
[2021-03-25 08:45:10]
pingspike :
and it would save me having to buy a Tripltek
[2021-03-25 13:56:08]
djibot.5150 :
I mean, if you look on XDA they explain how to make / port roms
[2021-03-25 13:56:56]
djibot.5150 :
I think all you need is the hardware template if I'm not mistaken
[2021-03-25 14:38:47]
pingspike :
is that something that can be extracted from the CS? (I don't know anything about this)
[2021-03-25 14:39:02]
pingspike :
is there a bounty for this? I'd contribute :+1::skin-tone-2:
[2021-03-26 17:43:04]
djibot.5150 :
I honestly don't remember, I haven't looked at that in a long time, one of my old phones that I ran a custom ROM stopped updating, it's probably explained on lineage which is what I use now but I think the Templates with better wording on how to compile was in resurrected ROM, roms are bigger but also a little nicer for customizing, lineage is basic
[2021-08-15 23:06:52]
measo420 :
Has Smart Controller been rooted yet?
[2021-08-16 05:27:34]
pingspike :
not that I’ve seen
[2021-08-16 05:27:46]
pingspike :
would be interested to hear if anyone has though
[2021-10-28 18:10:06]
pixel :
pixel joined the channel.
[2021-10-29 16:57:43]
dronedavid :
dronedavid joined the channel.
[2021-10-30 12:17:21]
jj :
madmaqx joined the channel.
[2021-10-31 00:19:18]
will :
will joined the channel.
[2021-11-02 07:32:17]
fly2high213 :
fly2high213 joined the channel.
[2021-11-10 16:50:14]
aszeszo :
aszeszo joined the channel.
[2021-11-12 10:35:04]
cs2000 :
cs2000 joined the channel.
[2021-11-12 10:35:10]
cs2000 :
dji-rev-bot added to the channel by cs2000.
[2021-11-12 10:35:14]
cs2000 :
@cs2000 left the channel.
[2021-11-13 01:49:45]
dotysan :
dotysan joined the channel.
[2021-11-15 11:10:15]
ass :
ass joined the channel.
[2021-11-22 10:29:21]
cooker :
cooker joined the channel.
[2021-11-28 00:27:41]
tissy :
tissy joined the channel.
[2021-11-30 17:26:34]
dronepilot :
dronepilot joined the channel.
[2021-12-06 01:40:24]
dronepilot :
@dronepilot left the channel.
[2021-12-10 01:00:52]
aol :
aol joined the channel.
[2022-01-03 18:16:52]
droneuser :
biosblob joined the channel.
[2022-01-18 00:48:18]
il1oo0 :
il1oo0 joined the channel.
[2022-02-09 17:09:16]
djifans :
djifans joined the channel.
[2022-03-30 11:13:14]
windoze :
windoze joined the channel.
[2022-04-01 10:59:15]
kon :
kon joined the channel.
[2022-04-22 02:19:46]
diff :
@diff left the channel.
[2022-05-23 20:50:50]
jjbyrnes29 :
jjbyrnes29 joined the channel.
[2022-06-14 13:34:14]
albertoe :
albertoe joined the channel.
[2022-06-17 16:43:20]
droneuser :
@droneuser left the channel.
[2022-06-21 23:06:04]
deniss-i979 :
deniss-i979 joined the channel.
[2022-06-21 23:07:11]
deniss-i979 :
@deniss-i979 left the channel.
[2022-06-22 03:21:25]
kinev1337 :
kinev1337 joined the channel.
[2022-09-01 15:32:35]
anesta :
anesta joined the channel.
[2022-09-26 01:17:18]
jackmax :
jackmax joined the channel.
[2022-10-09 22:11:35]
jack117wb :
jack117wb joined the channel.
[2022-10-27 06:58:59]
crashing_bird :
crashing_bird joined the channel.
[2022-10-30 06:44:45]
bob.alki :
bob.alki joined the channel.
[2022-11-10 06:19:06]
areoc :
areoc joined the channel.
[2022-11-16 15:26:38]
sharptak :
sharptak joined the channel.
[2022-12-05 07:26:22]
prettymuchathrowaway69 :
prettymuchathrowaway69 joined the channel.
[2023-01-01 20:38:38]
fantom :
fantom joined the channel.
[2023-01-01 20:38:55]
fantom :
@fantom left the channel.
[2023-01-04 07:13:26]
creased :
creased joined the channel.
[2023-02-03 19:59:23]
lokidokister :
lokidokister joined the channel.
[2023-02-08 08:21:40]
accountfrompl :
accountfrompl joined the channel.
[2023-02-13 19:17:22]
sistor :
sistor joined the channel.
[2023-02-24 05:27:08]
ibndias :
ibndias joined the channel.
[2023-03-23 06:12:12]
chinanumberone :
chinanumberone joined the channel.
[2023-03-24 08:17:02]
retrocall :
retrocall joined the channel.
[2023-03-24 17:54:32]
efimato_re :
efimato_re joined the channel.
[2023-04-04 15:50:06]
brillio :
brillio joined the channel.
[2023-04-11 15:43:56]
blowfish448 :
blowfish448 joined the channel.
[2023-04-11 15:53:48]
urca87 :
urca87 joined the channel.
[2023-05-30 18:24:01]
qgig :
qgig joined the channel.
[2023-05-30 18:24:09]
qgig :
@qgig left the channel.
[2023-06-11 01:12:53]
milenovic :
milenovic joined the channel.
[2023-07-24 03:04:06]
dji-rev.concierge132 :
dji-rev.concierge132 joined the channel.
[2023-07-24 03:04:41]
dji-rev.concierge132 :
@dji-rev.concierge132 left the channel.
[2023-08-09 17:13:57]
negual :
negual joined the channel.
[2023-08-13 06:10:34]
deonisray :
deonisray joined the channel.
[2023-08-18 14:16:14]
pigeon :
nullp1 joined the channel.
[2023-08-18 14:16:22]
pigeon :
@nullp1 left the channel.
[2023-08-24 18:59:16]
bengutt :
bengutt joined the channel.
[2023-09-13 10:14:16]
molda :
molda joined the channel.
[2023-09-24 06:48:49]
madmikem16 :
madmikem16 joined the channel.
[2023-10-15 20:50:58]
dumldore_newbi :
dumldore_newbi joined the channel.
[2023-10-16 22:23:47]
dreamer :
dreamer joined the channel.
[2023-10-23 09:14:30]
jdan7387 :
jdan7387 joined the channel.
[2023-10-24 17:34:04]
caseygibson :
caseygibson joined the channel.
[2023-11-02 07:00:47]
dronedog :
dronedog joined the channel.
[2024-01-15 14:53:32]
shinoby :
shinoby joined the channel.
[2024-01-15 14:57:43]
shinoby :
@shinoby left the channel.
[2024-01-16 14:36:21]
zjm605186980 :
zjm605186980 joined the channel.
[2024-01-18 15:43:19]
basilius :
basilius joined the channel.
[2024-02-01 19:01:57]
joyz :
joyz joined the channel.
[2024-02-01 19:02:32]
joyz :
@joyz left the channel.
[2024-02-06 19:58:15]
ryantkasher :
ryantkasher joined the channel.
[2024-02-06 20:09:54]
ryantkasher :
@ryantkasher left the channel.
[2024-02-12 20:44:30]
lining-preps.0u :
lining-preps.0u joined the channel.
[2024-05-10 08:22:07]
dreamtree :
dreamtree joined the channel.
[2024-05-21 07:02:10]
wag-on :
wag-on joined the channel.
[2024-06-24 16:47:23]
devnull :
devnull joined the channel.
[2024-07-01 17:29:09]
mrsmith :
mrsmith joined the channel.
[2024-07-06 14:18:36]
chengcheng :
chengcheng joined the channel.
[2024-07-26 15:52:41]
ogini_ayotanom :
ogini_ayotanom joined the channel.
[2024-08-14 12:45:38]
symza :
symza joined the channel.
[2024-08-22 14:38:19]
swaggyc :
swaggyc joined the channel.
[2024-09-09 14:40:43]
ar2rgo :
ar2rgo joined the channel.
[2024-09-11 22:10:58]
fred73 :
fred73 joined the channel.
[2024-12-23 13:01:29]
osama-binladen :
osama-binladen joined the channel.