- Download QMat from here: http://revskills.de/pages/download.html

- Unpack QMat and check whether wine can start the .exe

- Insert card in cardreader or G1 phone

- open terminal (on G1 maybe "Better terminal") and execute:
	$ cat /sys/class/mmc_host/mmc1/mmc1:*/cid
	
- Reverse string in pairs, 1234567890 would become 9078563412. The following script might help:
	#!/bin/bash
	SERIAL="acbd18db4cc2f85cedef654fccc4a4d8"
	REVERT=""
	echo "normale:  "$SERIAL
	for (( CNT=30;CNT>=0;CNT=CNT-2 ))
	do
		      REVERT="$REVERT${SERIAL:$CNT:2}"
	done
	echo "revese: "$REVERT
- for the following lets assume your cardreader/G1 is /dev/sdb and you are root

- ensure that your partition type is WFAT32 (b)
	$ fdisk /dev/sdb
		p (shows partitions)
		t (changes partition, use b)
		w (write changes and exit)
	
- format card with FAT32. 
	$ mkdosfs -F 32 /dev/sdb1
	
- either go to http://revskills.de/pages/goldcard.html and generate your image (use reverse cid!) or

- start qmat (wine)
	-> hardware forensics
	-> choose HTC Dream
	-> enter reverse cid
	-> save to image
	
- now that you have your goldcard.img you must write it to the card
	$ dd if=goldcard.img of=/dev/sdb
	
- mount card
	$ mkdir foo
	$ mount /dev/sdb1 foo
	
- after that copy the image (old one with rootexploit) named DREAIMG.nbh to card
	$ cp DREAIMG.nbh foo/
	
- unmount card
	$ umount foo/
	
- put card in G1, press camera+power button, wait for menu to say "press power", flash