Friday, April 16, 2010

How to create a goldcard with mac or linux for rooting HT-03a

It has been pointed out that many of the guides for rooting Android are Windows-centric. And they are. Because I've gotten tired of waiting for HTC release a build of Eclair (2.x), I've decided to go ahead and root this puppy, which would be a lot easier if two things didn't specifically apply to my HT-03a
  1. It wasn't already upgraded to Donut (1.6). Cupcake (1.5) had a nasty little vulnerability that would allow obtaining root access with one simple click. Unfortunately, this was fixed in Donut.
  2. The HT-03a has a "perfect" SPL (see section 1.4 here).
The first thing to do is getting around the perfect SPL by creating a goldcard, which TheUnlockr describes as "a special SD card that can bypass a phone's security checks."

Here is what we will need to do (If you already have a goldcard image file, skip to the portion about how to write it to the SD card:
  • Install the Android SDK and a Java Development Environment (INTEL MAC ONLY)
  • Create a goldcard image file
  • Write the goldcard image file to the SD card
Install the SDK and a Java Development Environment

Instructions for downloading and installing the SDK are on the Android developer's site and are pretty straight forward. Eclipse seems to be the recommended environment. I downloaded the 64-bit cocoa version because I am running 10.6 snow leopard. Once you've got this up and running, you will probably want to add the tools folder of the SDK to your path.

Open up and type the following

ls -a ~

If you don't see a file called ".bash_profile", then you will need to create one.  If you are not comfortable with vi, you can you Create a new text file (Format > Make Plain Text) and type in the following text, using of course the path to where ever you saved the SDK and the name of the SDK folder if it is different than the example below.

export PATH=${PATH}:/Users/softbanksucks/Documents/android-sdk-mac_x86-1.6_r1/tools

Now save the file as .bash_profile (the dot is important) and say OK to the warning about this creating a system file or something like that. Do not add the extension txt, though sometimes Mac OS will add it anyway so you need to verify the name of the file.

ls -a ~

If you see .bash_profile.txt, do the following.

mv .bash_profle.txt .bash_profile

Now you should be able to type in adb commands without having to switch to the tools directory.

Create a goldcard image file

This is pretty much the biggest pain in the butt, although it has gotten a lot easier.  Referencing TheUnlocker's How to: Create a Goldcard writeup, follow the first three steps: 1) put in an extra unused micro SD card (I used a 1 GB card), unmount and format it, and activate USB debugging.

Next for step 4, there is no need to switch directories since you added the tools folder to your path.  Check to see that your device is recognized

adb devices

and open an interactive shell. To exit the shell later, simply type "exit".

cat /sys/class/mmc_host/mmc1/mmc1:*/cid

Copy the output and continue with next steps stopping at number 9 when the guide calls for the installation of a windows-only hex editor.  There is a much more simple and easy way to proceed from here on a unix-like operating system.

Write the goldcard image file to the SD card

Next, mount the goldcard-to-be on your computer. You can simply leave it in the phone to do this. I pulled this information from here. Back in the Terminal type the following to figure out what your disk is called.

diskutil list

Your SD card will probably be disk1 (or sdb or something like that on linux)

0: FDisk_partition_scheme *1.0 GB disk1
1: Windows_FAT_32 NO NAME 1.0 GB disk1s1

Next you need to unmount the SD card

diskutil unmountDisk /dev/disk1

Finally, simply make the goldcard with one simple command.

sudo dd bs=512 if=~/Downloads/goldcard.img of=/dev/disk1

Enter your admin password and out should pop the following

0+1 records in
0+1 records out
384 bytes transferred in 0.004157 secs (92373 bytes/sec)

I have verified that the goldcard that I made works by dropping on a sappimg.nbh file and fastbooting. I haven't gone any farther yet because it is late in the day and I've spent way too much time on this already. I've also noticed what seem to be some apparent inconsistencies in TheUnlockr's howtos (like how to name the sappimg file), so I will wait to root until I've properly sorted out the next few steps.


  1. When I get to the "cat /sys/class/mmc_host/mmc1/mmc1:*/cid" step it says no such directory?

  2. You should run (from your_android_sdk/tools) :
    ./adb shell
    , then press enter. Another prompt opens, then type :
    cat /sys/class/mmc_host/mmc1/mmc1:*/cid

  3. Thanks. If the tools folder is not added to the path, then yes, cd to the tools directory and use ./

    But if the tools folder is added to the path like I described in the post, then you can use adb from any directory.

  4.  WOW! It's really helpful. I'm using Mac OS X 10.6. I download the latest version of Eclipse on May 15 2011. Since the file 'adb' in this package has been moved to platform-tools, you have to change the path in '.bash-profile'. Here is how I did it. First, open the 'android' in folder 'tools', then install something like 'ADK platform-tools revision 4'. There will be a folder named 'platform-tools' under SDK folder. Now, open terminal, type 'pico .bash-profile' to change the path of 'adb' from folder 'tools' to 'platform-tools'. control + X, then Y (yes), then Enter. Then, use './adb shell', and then copy the 'cat' command. Thanks for the help. :)