GalaxySIIGTI9100G » History » Revision 63

« Previous | Revision 63/87 (diff) | Next »
Denis 'GNUtoo' Carikli, 04/03/2020 04:35 AM

Galaxy S II (GT-I9100G)

Device Galaxy S II (GT-I9100G)
Manufacturer Samsung
Release date ?
Codename i9100G ?
Status Not supported yet
Variants GSM: GT-I9100G
Latest images None


Long time ago, we had reports that the "Galaxy SII" had an unsigned bootloader, but we didn't manage to confirm to which exact model it applied to, or if people assumed that the bootloader of the GT-I9100 was unsigned because it uses Xloader which is GPLv2. Samsung also published the source code of various Xloader versions they used on the GT-I9100G for different Android versions. However until now we weren't able to confirm that any device were able to run unsigned bootloaders. Though we verified that at least the bootloader of the I9100G_CHN_CHN is signed.


  • Uses the samsung-ipc protocol
  • The modem probably uses MIPI, so it should be isolated
  • 1G of ram => it should be enough for Replicant 6 and 9

Wiki pages

Various IRC logs of research on it.

  • Read the log below and remove what is not relevant
  • Add what is relevant in various pages of the Replicant wiki or Wikidata and point to that if it's in another page that this one (or wikidata).

About OMAP and signed bootloaders

(03:25:36 AM) sensiblemn:
(03:26:58 AM) sensiblemn: "X-Loader can be signed by Texas Instruments IFT and installed to Nand flash to achieve Nand booting."
(07:17:23 PM) sensiblemn: [...] There's also this curious part... "download the MShield signing tool and use the commands below. Contact your TI representative to get access to this tool."

GT-I9100G bootloader related

(08:47:20 PM) sensiblemn: GNUtoo: i just got a report from a postmarketOS developer saying that booting works with that free software x-loader repo for the i9100G that I found. they had to make a one line commit to get it building, but it boots.
(08:48:24 PM) sensiblemn: so early reports suggest that we found a Galaxy S2 that has a free software bootloader. they said it doesn't even need to be signed with signGP.c.
(10:36:35 PM) hpagseddy[m]: So i have an i9100g and compiled this without any errors in case you guys are interested
(10:49:32 PM) freekurt: thanks for jumping in here hpagseddy. we have been trying for quite some time to find a way to liberate the first stage bootloader on Exynos4 SoC based i9100 and i9300 devices. this is great news that the i9100G seems to have a free software first stage bootloader.
(10:51:08 PM) hpagseddy[m]: Yep, also there is a thing that i9100g is based on TI OMAP

GT-I9100G general

(11:01:27 PM) hpagseddy[m]: Btw Droid 4 has mainline
(11:02:42 PM) hpagseddy[m]: i9100g uses same display and digitizer with i9100, has a broadcom wifi but sadly a PowerVR GPU

OMAP blaze reference platform related

(07:17:23 PM) sensiblemn: GNUtoo: ah, it seems like some OMAP devices are GP and others are HS, so the question is whether we can find smartphones and tablets that are GP. Looks like the Blaze Tablet released by TI is GP. [...]
(07:22:26 PM) sensiblemn: also this very odd looking OMAP Blaze cell phone seems to be GP rather than HS.
(07:23:30 PM) sensiblemn:
(07:24:04 PM) sensiblemn:

(10:58:08 PM) freekurt: 512 MB of RAM seems rough for AOSP 10, especially when we are trying to get it to work with 2D acceleration. 1GB should be much better.
=> TODO: check Android 10 requirements and add them to the wiki

To sort:

(11:10:26 PM) hpagseddy[m]: So you can check display will work
(11:10:48 PM) hpagseddy[m]: Since it uses same display and even same connectors
(11:11:06 PM) hpagseddy[m]: I know it because i am using i9100 display on my i9100g :)
(11:11:17 PM) hpagseddy[m]: Besides capacitive buttons, all functional
(11:11:48 PM) hpagseddy[m]: Even capacitive connector plugged in so if i do some kernel hacks i can get them working too
(11:11:50 PM) freekurt: we really appreciate your willingness to do testing if we decide to proceed with trying to mainline this device, which has yet to be determined.
(11:14:38 PM) freekurt: it seems as though this device would be quite attractive to other pmOS devs as well, now that the freedom of the bootloader appears to have been determined.
(11:15:19 PM) hpagseddy[m]: I hope so, i was the only maintainer over 2 years :)
(11:15:27 PM) hpagseddy[m]: Of this device
(11:15:37 PM) freekurt: :-) thanks for holding down the fort!
(11:15:52 PM) hpagseddy[m]: But if the device gets mainlined, things will definitely change
(11:16:27 PM) freekurt: do you know the precise name of the modem that it uses?
(11:16:39 PM) hpagseddy[m]: Sadly no
(11:16:58 PM) freekurt: i think there is a command you can run in android that will tell you
(11:17:16 PM) freekurt: but i forget what it is. i'll try to find it.
(11:17:29 PM) hpagseddy[m]: If you can provide it, i can tell the output
(11:23:17 PM) freekurt: hpagseddy: can you enter ServiceMode to determine what kind of modem it uses like was done here?
(11:27:59 PM) freekurt: i'm trying to figure out what the code is to enter the service menu.
(11:29:52 PM) sunilmohan [~quassel@swecha/sunilmohan] entered the room.
(11:31:36 PM) freekurt: looks like it is *#32489#
(11:32:06 PM) freekurt: based on the bottom of this random website
(11:34:02 PM) freekurt: i'm sorry, but i don't know how to navigate to the modem information, but it should look like this
(11:34:43 PM) freekurt: hpagseddy: ^
(11:35:53 PM) hpagseddy[m]: Sorry, i had electricity outage
(11:36:06 PM) hpagseddy[m]: Give me 10 minutes
(11:36:32 PM) freekurt: no rush at all! please take your time. sorry to hear that.
(11:39:09 PM) mmu_man left the room (quit: Ping timeout: 260 seconds).
(11:54:03 PM) testman left the room (quit: Quit: The Lounge -
(11:59:27 PM) testman [] entered the room.
(11:59:47 PM) sunilmohan left the room (quit: Ping timeout: 268 seconds).
(02/01/2020 12:06:23 AM) hpagseddy[m]: <freekurt "looks like it is *#32489#"> Didnt work
(12:07:44 AM) sunilmohan [] entered the room.
(12:07:45 AM) sunilmohan left the room (quit: Changing host).
(12:07:45 AM) sunilmohan [~quassel@swecha/sunilmohan] entered the room.
(12:12:20 AM) sunilmohan left the room (quit: Ping timeout: 265 seconds).
(12:14:06 AM) ggoes [~gregf@fsf/staff/ggoes] entered the room.
(12:16:46 AM) sunilmohan [] entered the room.
(12:16:46 AM) sunilmohan left the room (quit: Changing host).
(12:16:46 AM) sunilmohan [~quassel@swecha/sunilmohan] entered the room.
(12:23:11 AM) freekurt: thanks for reporting back. i don't have any more time right now to keep looking for the proper code. will likely ping you sometime later about it.
(12:24:20 AM) hpagseddy[m]: its ok i found the code
(12:24:38 AM) troulouliou_dev [~troulouli@unaffiliated/troulouliou-dev/x-4757952] entered the room.
(12:27:24 AM) freekurt: oh nice. if you are able to find the modem type please let us know.
(12:27:42 AM) hpagseddy[m]: So i am at the main menu
(12:27:57 AM) hpagseddy[m]: what kind of modem name am i searching for?
(12:29:48 AM) sensiblemn: XMM6262 is an example of an intel based cellular modem
(12:30:10 AM) sensiblemn: actually, i'm mistaken about that
(12:30:24 AM) sensiblemn: CMC221 is intel if i'm not mistaken
(12:30:31 AM) sensiblemn: MDM9615 is qualcomm
(12:30:51 AM) sensiblemn: i don't know if all cell modem names follow the same naming structure
(12:33:06 AM) sensiblemn: some other qualcomm modems start with IPQ, MSM, QCS, and SDM
(12:33:21 AM) sensiblemn: *i think*
(12:33:23 AM) hpagseddy[m]: SP6260?
(12:37:10 AM) freekurt: yeah, that might be it.
(12:37:25 AM) freekurt: looks like that page suggests that the i9300T has that modem
(12:37:44 AM) hpagseddy[m]: oh nice
(12:38:39 AM) hpagseddy[m]: it was really hard to navigate throught service mode without menu and back keys
(12:39:20 AM) hpagseddy[m]: So the fullname is like SP6260_T1_01.1300
(12:44:13 AM) hpagseddy[m]: What if itis "XMM6260"???
(12:44:19 AM) hpagseddy[m]: * What if it is "XMM6260"???
(12:44:59 AM) sensiblemn: are you seeing that in service mode?
(12:47:36 AM) hpagseddy[m]: no
(12:47:52 AM) hpagseddy[m]: i just saw SP6260_T1_01.1300
(12:48:22 AM) hpagseddy[m]: since the numbers match and XMM6260 used in S2
(12:48:31 AM) hpagseddy[m]: i made a conclusion like this
(12:51:03 AM) forkbomb: i'm pretty sure it would be XMM6260 or XMM6262, same as i9300
(12:51:21 AM) sensiblemn: oh, that sounds convenient!
(12:51:50 AM) hpagseddy[m]: Perfect
(12:51:55 AM) forkbomb: the i9300T is just a Telstra branded i9300 afaik
(12:52:15 AM) hpagseddy[m]: that device could be the true open source phone \o/
(12:52:17 AM) sensiblemn: forkbomb: we are wondering about the i9100G though
(12:52:49 AM) hpagseddy[m]: <freekurt "yeah, that might be it. https://"> i9300T has the same SP6260 naming as i9100g as this shows
(12:53:10 AM) sensiblemn: you're correct
(12:54:16 AM) sensiblemn: also, not sure if this is the correct defconfig, but this kernel from samsung suggests it is xmm6260 also
(12:55:09 AM) hpagseddy[m]: t1, thats correct
(12:55:18 AM) hpagseddy[m]: but the defconfig isnt
(12:55:48 AM) hpagseddy[m]:
(12:55:52 AM) hpagseddy[m]: this is for the device
(12:56:01 AM) forkbomb: hpagseddy[m]: ah, the i9100G is different i think
(12:56:06 AM) forkbomb: it's OMAP based
(12:56:10 AM) hpagseddy[m]: other one was for the development board??
(12:56:15 AM) hpagseddy[m]: Yes it is
(12:56:23 AM) hpagseddy[m]: TI OMAP4430, same as Droid 4
(12:56:58 AM) sensiblemn: actually, this looks like the correct defconfig for it, still says xmm6260
(12:57:38 AM) hpagseddy[m]: i think so
(12:57:48 AM) hpagseddy[m]: if it has t1 then it is i9100g
(12:58:17 AM) sensiblemn: dang, i messed that last link up. this is it. final answer.
(12:59:16 AM) hpagseddy[m]: ah yes
(12:59:34 AM) TheJollyRoger left the room (quit: Ping timeout: 240 seconds).
(12:59:50 AM) hpagseddy[m]: the other one is most likely development board or prototype configs
(01:00:57 AM) sensiblemn: forkbomb: did you hear that we seem to have found a free software first stage bootloader for the i9100G and that it doesn't seem to require any signature checks?
(01:01:27 AM) hpagseddy[m]: yes i compiled and ran it on my device with no problem
(01:01:59 AM) hpagseddy[m]: also fixed the old build a bit
(01:02:02 AM) hpagseddy[m]: >So i have an i9100g and compiled this without any errors in case you guys are interested
(01:05:55 AM) forkbomb: no, i didn't. very nice!
(01:06:35 AM) hpagseddy[m]: well i dont know how to use it so just compiled and flashed with odin
(01:06:45 AM) hpagseddy[m]: also one line fix hehe
(01:07:33 AM) hpagseddy[m]: it compiled with no problem on 4.6 gcc
(01:14:47 AM) sensiblemn: hpagseddy: it is my understanding that, since x-loader is EOL, and since Replicant wants to upstream as much code as we can, we would have to upstream what x-loader is doing into u-boot SPL, which i don't know how long it would take to do. the fact that very similar devices are already in upstream u-boot likely will help though, if we decide to pursue it.
(01:16:01 AM) hpagseddy[m]: Since it is open source, it is ok to keep it untill we have the device booted in my opinion
(01:16:17 AM) sensiblemn: yes, for sure.
(01:17:00 AM) hpagseddy[m]: but well last decision is yours since you guys are the replicant devs :)
(01:22:29 AM) sensiblemn: hpagseddy: have you tested LineageOS 13 on the device before?
(01:23:21 AM) hpagseddy[m]: yes it had several issues but performance was good
(01:23:33 AM) hpagseddy[m]: it had audio error which was so annoying
(01:23:41 AM) hpagseddy[m]: 12.1 was best
(01:24:22 AM) sensiblemn: what kind of audio error?
(01:25:51 AM) hpagseddy[m]: audio was some kind of disorted
(01:39:01 AM) sensiblemn: hpagseddy: did you notice any other issues?
(01:39:11 AM) sensiblemn: with 13?
(01:40:13 AM) hpagseddy[m]: Gps doesnt work
(01:40:18 AM) hpagseddy[m]: Night mode doesnt work
(01:16:15 AM) GNUtoo: do we have a git for u-boot or only a tarball?
(01:16:16 AM) hpagseddy[m]: sensiblemn:
(01:16:20 AM) hpagseddy[m]: i only know this page
(01:17:01 AM) hpagseddy[m]: search u-boot in the page for faster result
(01:17:19 AM) hpagseddy[m]: also this
(01:18:33 AM) hpagseddy[m]: so i know it uses u-boot but cant find a link either
(01:18:35 AM) GNUtoo: thanks
(01:18:56 AM) hpagseddy[m]: you're welcome
(01:19:56 AM) sensiblemn: GNUtoo: this looks like omap-usb-tool but it was recently updated
(01:21:37 AM) hpagseddy[m]: hmm, he forked this repo from
(01:22:03 AM) hpagseddy[m]: so he added sd card booting
(01:22:09 AM) hpagseddy[m]: and some fixed
(01:22:13 AM) hpagseddy[m]: fixes*
(01:22:25 AM) GNUtoo:
(01:22:29 AM) GNUtoo: but it seems down right nw
(01:22:32 AM) GNUtoo: *right now
(01:23:33 AM) GNUtoo: xloader from IRC logs:
(01:23:54 AM) GNUtoo: (thanks hpagseddy[m] )
(01:24:22 AM) hpagseddy[m]: you're welcome
(01:24:51 AM) hpagseddy[m]: i just fixed one line and decided to fork it
(01:26:17 AM) GNUtoo: Yes, I'll try to look into that a bit later, I'm just writing down the important infos in the wiki right now
(01:26:23 AM) GNUtoo: *look into the details
(01:26:59 AM) GNUtoo: And if you tested it on the device, then yours is known to work
01:56 <@GNUtoo> Did LineageOS or Cyanogenmod support it at some point?
01:57 < hpagseddy[m]> Cyanogenmod untill 13.0
01:57 < hpagseddy[m]> Omnirom 4.4 and 5.0.2
01:57 <@GNUtoo> ok, that explains why LineageOS has some stuff on it but nothing on the wiki
01:57 < hpagseddy[m]> thats all i remember and tested
01:58 < hpagseddy[m]> GNUtoo: yeah they just forked it and it just stays there
01:59 < hpagseddy[m]> but 12.1 is still cyanogen
02:00 < sensiblemn> there was an attempt made at 14.1 but it seems like it was unsuccessful because it wouldn't boot
02:00 < sensiblemn>
02:00 < hpagseddy[m]> also someone rebased cm11 to lineage 11


The PIT of the Galaxy SII (GT-I9100G) can be found in the GalaxySIII9100GPit page.

PIT Linux name mount point partition type block device Description
MLO Not visible on Linux First stage of bootloader
EFS mmcblk0p1 modem data partition
SBL1 mmcblk0p2
SBL2 Empty mmcblk0p3
PARAM mmcblk0p4
KERNEL None zImage mmcblk0p5 boot partition, See IsorecRecoveryIssue for more details
RECOVERY None mmcblk0p6 recovery partition, See IsorecRecoveryIssue for more details
CACHE mmcblk0p7 Android cache partition
MODEM mmcblk0p8 modem firmware partition
FACTORYFS mmcblk0p9 Android system partition
DATAFS mmcblk0p10 Android application data
UMS mmcblk0p11 user data (music, pictures, etc)
HIDDEN mmcblk0p12 contains some data, and Samsung APK

This was constructed from the PIT, TODO: check the partitions content


On a I9100G_CHN_CHN with Android 2.3.6 with the OMAP reported as being in HS mode we have:

--- Entry #0 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 1
Attributes: 0 (Read-Only)
Update Attributes: 0
Partition Block Size/Offset: 0
Partition Block Count: 0
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: X-loader
Flash Filename: MLO
FOTA Filename: 

This doesn't give any indication of where is MLO, but it's clearly visible with an hexadecimal editor like vbindiff.

Offset from mmcblk0 size comments
0x20000 (256k) 256k MLO + potentially other stuff
0x40000 (512k) 256k MLO + potentially less other stuff

Though SBL1 and SBL2 have location and size reported my the bootloader with heimdall print-pit:

--- Entry #2 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 2
Attributes: 0 (Read-Only)
Update Attributes: 0
Partition Block Size/Offset: 49152
Partition Block Count: 4096
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: SBL1
Flash Filename: Sbl.bin
FOTA Filename: 

--- Entry #3 ---
Binary Type: 0 (AP)
Device Type: 2 (MMC)
Identifier: 3
Attributes: 0 (Read-Only)
Update Attributes: 0
Partition Block Size/Offset: 53248
Partition Block Count: 4096
File Offset (Obsolete): 0
File Size (Obsolete): 0
Partition Name: SBL2
Flash Filename: 
FOTA Filename: 


The device is not supported by TWRP, but it was supported by cyanogenmod recoveries:

That recovery is a zImage. Note that this recovery may not be FSDG compliant, so the first step would be to make a Replicant recovery for this device/

CyanogenMod support and stock Android with the version that has a signed bootloader

According to the I9100G CyanogenMod installation instructions , "Users running Android 2.3 on their I9100G MUST first upgrade to stock Android 4.x before installing CyanogenMod, or the device won't boot into the system due to it relying on a newer bootloader. A 4.1 bootloader is recommended."

However this approach has several issues.

The update doesn't work anymore.

It also requires you to put a SIM card in the device, which results in privacy issues.

In addition to that, it requires you to give the device a network connection, knowing that the device is running a proprietary Android distribution.

Once you do that it still fails with "Processing failed".

Right before the failure you can see "Signup for a Samsung account" on the top of the window with "Terms and conditions".

So it probably tries to access some page like which doesn't exist anymore, and it probably does that to show terms and conditions which were probably unacceptable.

They might also have legally prevented you to work on some part of Replicant if you agreed to them, depending on the country you are located in or you intend to travel to.

This is most probably not an issue with the versions that don't have a signed bootloader as the first stage bootloader could simply be replaced by a free software xloader.


See GTI9100GBootloaderFreedom and GTI9100GBootloaderInterface


As far is we get from what we've seen on the motherboard itself, here are our guesses about chips and what they do:


Updated by Denis 'GNUtoo' Carikli over 4 years ago · 63 revisions

Also available in: PDF HTML TXT