Automated tool to extract DJI Fly (drone app) credentials from an Android emulator's memory. These credentials enable access to DJI's cloud APIs for flight records, drone info, and account integration.
See also: DJI Home Credential Extractor — same technique for the DJI Home robot vacuum app.
The DJI Fly app stores authentication tokens in memory after login. This script:
- Sets up an Android emulator — installs Android SDK, creates a rooted AVD (if not already present)
- Installs DJI Fly — side-loads the APK into the emulator
- Waits for you to log in — you manually log in to your DJI account in the emulator
- Dumps process memory — reads
/proc/<pid>/memof the DJI Fly process via root access - Extracts credentials — parses the memory dump for tokens, user IDs, drone serial numbers
- Validates via API — tests the extracted token against DJI's cloud APIs (account info, devices, flight records)
| Field | Description |
|---|---|
DJI_USER_TOKEN |
Authentication token (US_...) — DJI SSO system |
DJI_USER_ID |
Numeric user ID |
DJI_USER_EMAIL |
Account email address |
DJI_DRONE_SN |
Drone serial number |
DJI_DRONE_MODEL |
Drone model name (e.g., DJI Mini 4 Pro) |
| API URLs | DJI cloud endpoints discovered in memory |
| Account/OpenAPI tokens | Additional tokens if present |
- macOS (uses Homebrew for dependencies)
- Android Studio (or Android SDK with Emulator) — download. The script will use your existing SDK or try to install command-line tools; if the emulator is missing, it will ask you to install Android Studio.
- DJI Fly APK (see download instructions below)
- Internet connection
- DJI account
Important: The DJI Fly APK is not included in this repo. You must download it yourself.
- Go to one of these sites:
- Download the APK — make sure you pick the arm64-v8a variant (~700 MB)
- Place it in the same directory as the script
- Rename it to
dji.go.v5.apk(or any name containingflyorgo.v5)
Note: DJI Fly is ~700 MB. Installation in the emulator takes longer than smaller apps.
- Verify the APK is in place:
dji-fly-credential-extractor/
dji_fly_credentials_extractor.py
dji.go.v5.apk <-- arm64-v8a variant, ~700 MB
- Run the extractor:
python3 dji_fly_credentials_extractor.py-
Follow the on-screen instructions:
- The script will install dependencies and start an Android emulator (first run takes ~10 min)
- When the emulator is ready, DJI Fly will open automatically
- Log in to your DJI account in the emulator
- Wait for the main screen to fully load
- Press ENTER in the terminal to start extraction
-
Credentials are saved to:
.env.dji_fly— environment variablesdji_fly_credentials.txt— human-readable summary
Test your token with curl:
# Account info
curl -H "x-member-token: $DJI_USER_TOKEN" \
https://active.dji.com/app/api/v1/member/info| Variable | Description |
|---|---|
DJI_USER_TOKEN |
API authentication token |
DJI_USER_ID |
Numeric user ID |
DJI_USER_EMAIL |
Account email |
DJI_DRONE_SN |
Drone serial number |
DJI_DRONE_MODEL |
Drone model name |
| Issue | Solution |
|---|---|
| Emulator won't start | Ensure you have enough disk space (~10GB) and RAM (~4GB free). Check emulator.log for details. |
| APK not found | Place the .apk file in the same directory as the script |
| Root access denied | Use a Google APIs system image (not Google Play) — the script does this by default |
| Token not found | Make sure you're fully logged in and on the main screen before pressing ENTER |
| API returns error | Token may have expired — re-run the extractor |
| "Broken AVD system path" | SDK components installed in wrong location — the script uses --sdk_root to fix this |
- Uses
google_apissystem image (rootable, unlikegoogle_playimages) - Memory dump reads 800MB starting at offset
0x12c00000(heap region) - Extracts strings matching the DJI SSO token format (
US_...) and native Java/Kotlin storage patterns - DJI Fly is a native Android app (Java/Kotlin), unlike DJI Home which is Flutter-based
This tool is intended for extracting credentials from your own DJI account to enable personal integrations. Use responsibly and only with devices you own.
MIT