04/08/2015

Exploring Qualcomm's TrustZone implementation

In this blog post, we'll be exploring Qualcomm's TrustZone implementation, as present on Snapdragon SoCs. If you haven't already, you might want to read the previous blog post, in which I go into some detail about TrustZone in general.

Where do we start?

First of all, since Qualcomm's TrustZone implementation is closed-source, and as far as I could tell, there are no public documents detailing its architecture or design, we will probably need to reverse-engineer the binary containing the TrustZone code, and analyse it.


Acquiring the TrustZone image

We can attempt to extract the image from two different locations; either from the device itself, or from a factory image of the device.

My personal Nexus 5 device was already rooted, so extracting the image from the device should be pretty straightforward. Since the image is stored on the eMMC chip, and the blocks and partitions of the eMMC chip are available under "/dev/block/platform/msm_sdcc.1", I could simply copy the relevant partition to my desktop (using "dd").

Moreover, the partitions have meaningfully named links to them under "/dev/block/platform/msm_sdcc.1/by-name":


As you can see, there are two partitions here, one named "tz" (short for TrustZone), and one named "tzb", which serves as a backup image to the "tz" image, and is identical to it.

However, having extracted the image this way, I was still rather unsatisfied, for two reasons:
  • Although the TrustZone image is stored on the eMMC chip, it could easily be made inaccessible to the "Normal World" (by requiring the AxPROT bit on the system bus to be set), or several parts of it could be missing.
  • Pulling the entire partition's data doesn't reveal information about the real (logical) boundary of the image, so it will require some extra work to determine where the image actually ends. (Actually, since the "tz" image is an ELF binary, its size is contained within the ELF header, but that's just a fluke on our part).
So, having extracted one image from the device, let's take a look at a factory image.

The Nexus 5's factory images are all available to download from Google. The factory image contains a ZIP with all the default images, and additionally contains the bootloader image.

After downloading the factory image and grepping for strings related to TrustZone, it quickly became apparent that the bootloader image contains the wanted code.

However, there was still a minor problem to solve here - the bootloader image was in an unknown format (although maybe some Google-fu could reveal the answers needed). Regardless, opening the file with a hex-editor and guessing at its structure revealed that the format is actually quite simple:

 

The bootloader file has the following structure:
  • Magic value ("BOOTLDR!") - 8 bytes
  • The number of images - 4 bytes
  • The offset from the beginning of the file to the beginning of the image's data - 4 bytes
  • The total size of the data contained in the images - 4 bytes
  • An array with a number of entries matching the "number of images" field, above. Each entry in the array has two fields:
    • The image name - 64 bytes (zero padded)
    • The image length - 4 bytes
As you can see in the image above, the bootloader image contains an image called "tz", which is the image we're after. In order to unpack this file, I've written a small python script (available here) which receives a bootloader image and unpacks all of the files contained within it.
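A minimal unpacker for the layout listed above, as an added example (it is not the author's script linked in the post). It assumes little-endian fields and that the images are stored back to back, in table order, starting at the data offset; the sample container is constructed inline.

```python
import struct

MAGIC = b"BOOTLDR!"
HEADER = struct.Struct("<8sIII")  # magic, image count, data offset, total data size
ENTRY = struct.Struct("<64sI")    # zero-padded image name, image length


def is_safe_name(name):
    # Names become file names when unpacking, so accept a conservative set only.
    return (bool(name) and not name.startswith(".")
            and all(c.isalnum() or c in "_-." for c in name))


def parse_bootloader(blob):
    """Split a bootloader container into an ordered {name: data} dict."""
    if len(blob) < HEADER.size:
        raise ValueError("file shorter than the fixed header")
    magic, count, data_off, total = HEADER.unpack_from(blob, 0)
    if magic != MAGIC:
        raise ValueError("bad magic, not a BOOTLDR! container")

    # Bound every header field by the real file size before trusting it.
    table_end = HEADER.size + count * ENTRY.size
    if table_end > len(blob):
        raise ValueError("image table runs past end of file")
    if data_off < table_end or data_off + total > len(blob):
        raise ValueError("data region is outside the file or overlaps the table")

    images = {}
    cursor = data_off
    for i in range(count):
        raw_name, length = ENTRY.unpack_from(blob, HEADER.size + i * ENTRY.size)
        name = raw_name.split(b"\0", 1)[0].decode("ascii")
        if not is_safe_name(name) or name in images:
            raise ValueError("unsafe or duplicate image name: %r" % name)
        if cursor + length > data_off + total:
            raise ValueError("image %r overruns the data region" % name)
        images[name] = blob[cursor:cursor + length]
        cursor += length
    if cursor != data_off + total:
        raise ValueError("image lengths do not add up to the total data size")
    return images


def build_sample():
    """Constructed two-image container used only to exercise the parser."""
    parts = [("sbl1", b"\xAA" * 8), ("tz", b"\x7fELF" + b"\x00" * 12)]
    table = b"".join(ENTRY.pack(n.encode(), len(d)) for n, d in parts)
    data = b"".join(d for _, d in parts)
    header = HEADER.pack(MAGIC, len(parts), HEADER.size + len(table), len(data))
    return header + table + data


if __name__ == "__main__":
    for name, data in parse_bootloader(build_sample()).items():
        print("%-8s %d bytes" % (name, len(data)))
```

The name check matters when the entries are written to disk: an image name is attacker-controlled input to whatever tool unpacks the file.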

After extracting the image, and comparing it to the one extracted previously from the device, I verified that they were indeed identical. So I guess this means we can now move on to examine the TrustZone image.

Fixing up the TrustZone image

First of all, examining the file reveals that it is in fact an ELF file, which is pretty good news! This means that the memory segments and their mapped addresses should be available to us.

After opening the file with IDA Pro and letting the auto-analysis run for a while, I wanted to start reversing the file. However, surprisingly, there seemed to be a lot of branches to unmapped addresses (or rather, addresses that weren't contained within the "tz" binary).

After taking a closer look, it seemed as though all the absolute branches that pointed to invalid addresses were within the first code segment of the file, and they were pointing into high addresses that weren't mapped. Also, there were no absolute branches to the address of that first code segment.

This seemed a little fishy... So how about we take a look at the ELF file's structure? Executing readelf reveals the following:


There's a NULL segment mapped to a higher address, which actually corresponds with the address range to which the invalid absolute branches were pointing! The guys over at Qualcomm are sneaky pandas :)

Anyway, I made a rather safe guess, which is that the first code segment is in fact mapped to the wrong address, and should actually be mapped to the higher address - 0xFE840000. So naturally, I wanted to rebase the segment using IDA's rebase feature, but lo and behold! This causes IDA to crash spectacularly:


I'm actually not sure if this was intended as an anti-reversing feature by Qualcomm, or if the NULL segment is just a result of their internal build process, but this can be easily bypassed by fixing the ELF file manually. All that's required is to move the NULL segment to an unused address (since it is ignored by IDA anyway), and to move the first code segment from its wrong address (0xFC86000) to the correct address (0xFE840000), like so:



Now, after loading the image in IDA, all the absolute branches are valid! This means we can move on to analyse the image.
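The manual fix-up described above can also be scripted. The following is an added example (not the author's tooling) that rewrites the program headers of a 32-bit little-endian ELF: it parks any NULL segment covering the target range and then moves the code segment. Updating both p_vaddr and p_paddr, the parking address 0xFFFF0000, and the constructed sample header (segment sizes, third segment) are assumptions; the two code-segment addresses are the ones given in the text.

```python
import struct

EHDR = struct.Struct("<16sHHIIIIIHHHHHH")  # Elf32_Ehdr
PHDR = struct.Struct("<8I")                # Elf32_Phdr
PT_NULL, PT_LOAD = 0, 1
KEYS = ("type", "offset", "vaddr", "paddr", "filesz", "memsz", "flags", "align")


def read_phdrs(blob):
    """Return (table offset, list of program headers as dicts)."""
    if len(blob) < EHDR.size or blob[:4] != b"\x7fELF" or blob[4:6] != b"\x01\x01":
        raise ValueError("expected a 32-bit little-endian ELF")
    fields = EHDR.unpack_from(blob, 0)
    phoff, phentsize, phnum = fields[5], fields[9], fields[10]
    if phentsize != PHDR.size or phoff + phnum * PHDR.size > len(blob):
        raise ValueError("program header table is malformed")
    return phoff, [dict(zip(KEYS, PHDR.unpack_from(blob, phoff + i * PHDR.size)))
                   for i in range(phnum)]


def overlaps(a, a_len, b, b_len):
    return a < b + b_len and b < a + a_len


def move_segment(blob, index, new_addr):
    """Rewrite p_vaddr/p_paddr of one segment; file contents are untouched."""
    phoff, phdrs = read_phdrs(blob)
    seg = phdrs[index]
    if new_addr + seg["memsz"] > 0x100000000:
        raise ValueError("target range does not fit in 32 bits")
    for i, other in enumerate(phdrs):
        if i != index and other["type"] == PT_LOAD and overlaps(
                new_addr, seg["memsz"], other["vaddr"], other["memsz"]):
            raise ValueError("target range collides with segment %d" % i)
    out = bytearray(blob)
    # p_vaddr and p_paddr are the third and fourth 32-bit fields (byte offset 8).
    struct.pack_into("<II", out, phoff + index * PHDR.size + 8, new_addr, new_addr)
    return bytes(out)


def fix_layout(blob, wrong_addr, right_addr, park_addr):
    """Park NULL segments covering the target, then move the code segment."""
    _, phdrs = read_phdrs(blob)
    code = [i for i, s in enumerate(phdrs)
            if s["type"] == PT_LOAD and s["vaddr"] == wrong_addr]
    if len(code) != 1:
        raise ValueError("expected exactly one PT_LOAD at the wrong address")
    size = phdrs[code[0]]["memsz"]
    for i, s in enumerate(phdrs):
        if s["type"] == PT_NULL and overlaps(s["vaddr"], s["memsz"], right_addr, size):
            blob = move_segment(blob, i, park_addr)
    return move_segment(blob, code[0], right_addr)


def build_sample():
    """Constructed header-only ELF mimicking the layout described in the post."""
    ident = b"\x7fELF\x01\x01\x01" + b"\x00" * 9
    segs = [
        (PT_NULL, 0, 0xFE840000, 0xFE840000, 0, 0x2000, 0, 0),
        (PT_LOAD, 0x1000, 0xFC86000, 0xFC86000, 0x2000, 0x2000, 5, 0x1000),
        (PT_LOAD, 0x3000, 0xFE810000, 0xFE810000, 0x1000, 0x10000, 7, 0x1000),
    ]
    ehdr = EHDR.pack(ident, 2, 40, 1, 0xFE810000, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(segs), 0, 0, 0)
    return ehdr + b"".join(PHDR.pack(*s) for s in segs)


if __name__ == "__main__":
    fixed = fix_layout(build_sample(), 0xFC86000, 0xFE840000, 0xFFFF0000)
    for seg in read_phdrs(fixed)[1]:
        print("type=%d vaddr=0x%08X memsz=0x%X" % (seg["type"], seg["vaddr"], seg["memsz"]))
```

Only the header fields change, so the output file has the same length and segment contents as the input and can be diffed against the original.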

Analysing the TrustZone image

First, it should be noted that the TrustZone image is a rather large (285.5 KB) binary file, with quite a small amount of strings, and with no public documentation. Moreover, the TrustZone system is comprised of a full kernel with capabilities such as executing applications, and much more. So... it's not clear where we should start, as reversing the whole binary would probably take far too long.

Since we would like to attack the TrustZone kernel from the application processor, the largest attack surface would probably be the secure monitor calls which enable the "Normal World" to interact with the "Secure World".

It should be noted, of course, that there are other vectors with which we can interact with the TrustZone, such as shared memory or maybe even interrupt handling, but since these pose a much smaller attack-surface, it is probably better to start by analysing the SMC calls.

So how do we find where the TrustZone kernel handles the SMC calls? First of all, let's recall that when executing an SMC call, similarly to the handling of SVC calls (that is, regular system calls in the "Normal World"), the "Secure World" must register the address of the vector to which the processor will jump when such an instruction is encountered.

The "Secure World"'s equivalent is the MVBAR (Monitor Vector Base Address Register), which provides the address of the vector containing the handling functions for the different events which are handled by the processor in "Secure World".

Accessing the MVBAR is done using the MRC/MCR opcodes, with the following operands:


So this means we can simply search for an MCR opcode with the following operands in the TrustZone image, and we should be able to find the "Monitor Vector". Indeed, searching for the opcode in IDA returns the following match:


As you can see, the address of the "start" symbol (which is, by the way, the only exported symbol), is loaded into the MVBAR.

According to the ARM documentation, the "Monitor Vector" has the following structure:


Which means that if we look at the "start" symbol mentioned earlier, we can assign the following names to the addresses in that table:


Now, we can analyse the SMC_VECTOR_HANDLER function. Actually, this function is responsible for quite a few tasks; first, it saves all the state registers and the return address in a predefined address (in the "Secure World"), then, it switches over the stack to a preallocated area (also in the "Secure World"). Finally, after performing the necessary preparations, it goes on to analyse the operation requested by the user and operate according to it.

Since the code to issue SMCs is present in Qualcomm's MSM branch of the Linux kernel, we can take a look at the format of commands which the "Normal World" can issue to the "Secure World".

SMC and SCM

Confusingly, Qualcomm chose to name the channel through which the "Normal World" interacts with the "Secure World" via SMC opcodes - SCM (Secure Channel Manager).

Anyway, as I've mentioned in the previous blog post, the "qseecom" driver is used to communicate with the "Secure World" using SCMs.

The documentation provided by Qualcomm in the relevant source files is quite extensive, and is enough to get quite a good grip on the format of SCM commands.

In short, SCM commands fall into one of two categories:

Regular SCM Call - These calls are used when there is information that needs to be passed from the "Normal World" to the "Secure World", which is needed in order to service the SCM call. The kernel populates the following structure:



And the TrustZone kernel, after servicing the SCM call, writes the response back to the "scm_response" structure:


In order to allocate and fill these structures, the kernel may call the wrapping function "scm_call", which receives pointers to kernel-space buffers containing the data to be sent, the location to which the data should be returned, and most importantly, the service identifier and command identifier.

Each SCM call has a "category", which determines which TrustZone kernel subsystem is responsible for handling that call. This is denoted by the service identifier. The command identifier is the code which specifies, within a given service, which command was requested.

After the "scm_call" function allocates and populates the "scm_command" and "scm_response" buffers, it calls an internal "__scm_call" function which flushes all the caches (inner and outer caches), and calls the "smc" function.

This last function actually executes the SMC opcode, transferring control to the TrustZone kernel, like so:


Note that R0 is set to 1, R1 is set to point to a local kernel stack address, which is used as a "context ID" for that call, and R2 is set to point to the physical address of the allocated "scm_command" structure.

This "magic" value set in R0 indicates that this is a regular SCM call, using the "scm_command" structure. However, for certain commands where less data is required, it would be rather wasteful to allocate all these data structures for no reason. In order to address this issue, another form of SCM calls was introduced.

Atomic SCM Call - For calls in which the number of arguments is quite low (up to four arguments), there exists an alternate way to request an SCM call.

There are four wrapper functions, "scm_call_atomic_[1-4]", which correspond to the number of arguments requested. These functions can be called in order to directly issue an SMC for an SCM call with the given service and command IDs, and the given arguments.

Here's the code for the "scm_call_atomic1" function:



Where SCM_ATOMIC is defined as:


Note that both the service ID and the command ID are encoded into R0, along with the number of arguments in the call (in this case, 1). This is instead of the previous "magic" value of 1 used for regular SCM calls.

This different value in R0 indicates to the TrustZone kernel that the following SCM call is an atomic call, which means that the arguments will be passed in using R2-R5 (and not using a structure pointed to by R2).

Analysing SCM calls

Now that we understand how SCM calls work, and we've found the handling function in the TrustZone kernel which is used to handle these SCM calls, we can begin disassembling the SCM calls to try and find a vulnerability in one of them.

I'll skip over most of the analysis of the SCM handling function, since most of it is boilerplate handling of user input, etc. However, after switching the stack over to the TrustZone area and saving the original registers with which the call was performed, the handling function goes on to process the service ID and the command ID in order to see which internal handling function should be called.

In order to easily map between the service and command IDs and the relevant handling function, a static list is compiled into the TrustZone image's data segment, and is referenced by the SCM handling function. Here is a short snippet from the list:




As you can see, the list has the following structure:
  • Pointer to the string containing the name of the SCM function
  • "Type" of call
  • Pointer to the handling function
  • Number of arguments
  • Size of each argument (one DWORD for each argument)
  • The Service ID and Command ID, concatenated into a single DWORD - For example, the "tz_blow_sw_fuse" function above, has the type 0x2002 which means it belongs to the service ID 0x20 and its command ID is 0x02.
Now all that's left is to start disassembling each of these functions, and hope to find an exploitable bug.

The Bug!

So after poring over all of the aforementioned SMC calls (all 69 of them), I finally arrived at the following function:



Normally, when an SCM command is called using the regular SCM call mechanism, R0 will contain the "result address" which points to the "scm_response" buffer which was allocated by the kernel, but which is also validated by the TrustZone kernel to make sure it is actually a physical address within an "allowed" range - that is, a physical address which corresponds to the Linux kernel's memory, and not, for example, a memory location within the TrustZone binary.

This check is performed using an internal function which I will cover in more detail in the next blog post (so keep posted!).

But what happens if we use an atomic SCM call to execute a function? In that case, the "result address" used is the first argument passed by the atomic call.

Now - can you see the bug in the function above?

As opposed to other SCM handling functions, this function fails to validate the value in R0, the "result address", so if we pass in:
  • R1 as a non-zero value (in order to pass the first branch)
  • The fourth argument (which is passed in at var_1C above) is non-zero
  • R0 as any physical address, including an address within the range of the TrustZone address space
The function will reach the left-most branch in the function above, and write a zero DWORD at the address contained in R0.


Responsible Disclosure

I'd like to point out that I responsibly disclosed this vulnerability to Qualcomm eleven months ago, and the issue has been fixed by them (amazingly fast!). I'll share a detailed timeline and explanation in the next blog post, but I'd like to point out that the people at Qualcomm have been very responsive and a pleasure to work with.

What's next?

In the next blog post I will share a detailed (and quite complex!) exploit for the vulnerability described above, which enables full code execution within the TrustZone kernel. I will also publish the full exploit code, so stay tuned!

Also, since this is only my second blog post, I'm really looking for some (any) input, specifically:
  • What should I write more (or less) about?
  • Blog design issues
  • Research ideas :)

114 comments:

  1. Really interesting, can't wait for more blog posts!

    Replies
    1. Thank you very much! The next post is already written and will be published within a day :)

  2. impressive work! well done

  3. Just wondering if var_1C should be non-zero (instead of zero) to reach the left most branch at CBZ RO, loc_FE84B372?

    Replies
    1. Thank you for noticing, you're absolutely right! My bad, I'll fix it right away.

    2. Thanks for your great job

      About tzbsp_es_is_activated, you say "The fourth argument [...] var_1C". But from what I gather tzbsp_es_is_activated does only take 2 arguments (*cmd, len), var_1C would be a local variable that is set by sub_FE814CE6 (passed by address in r3), some kind of boolean.

    3. Also to pass the first branch you need r0 != 0, not r1 != 0. The Z flag is set by MOVS r6, r0. (MOV without Z doesn't set the flag)

  4. Nice blog...waiting for the exploit..Loved the writing style too

  5. Very nice write up! Thanks for posting it.

    In trying to duplicate what you did with my own device, an S4, I dumped the tz image from its partition but it is definitely not an ELF image. I see trustzone type strings in the image so I know it's the right partition. Any thoughts on how to proceed with mapping code and data segments?

    thanks!

    David

    Replies
    1. Sure!

      I've done something similar with the Moto X's TZ image (which is within a binary called motoboot.img, also not an ELF file) some time ago.

      Generally the bootloader loads the TZ binary, which is why the TZ image can appear in a different format...

      But IIRC, the TZ image on the S4 is in the MBN file format, right? If so, there's an IDA plugin for MBN files here: https://github.com/daxgr/qcom-mbn-ida-loader, and the format of the file is explained here: http://forum.xda-developers.com/showthread.php?t=2641245

      Let me know if you need more help!

    2. Thanks for the info! Yes, the S4 is MBN. That helped a bunch.

      David

  6. Thank you for this nice article. It was very educational. Hope to read more from you in the future.

    Thank you.

  7. I need to know the frame format of TrustZone in Snapdragon. How does it work? Can you please give the details of how to compile and get the binary images and required apps in userspace?

  8. Seems my post a few minutes ago did not upload for some reason; this is my second attempt. First of all thank you for a detailed and useful blog. One suggestion I have is to perhaps try to connect the APIs, and code you refer to above to TZ functionality. That is, you mention SMC call above, and the cmd_id and svc_id. This leaves me wondering how one might leverage these commands in creating credentials for their application. How they can create hashes for instance, and how those hashes can be validated within the TZ. Is there a list of SMC command IDs and the associated numbers?

  10. Very very nice post!
    I think 'FE810000'(instead of FE810004) is the first address of Monitor Vector. In order to pass the first branch, 'MOVS R6, R0'(instead of MOV R5, R1) can modify the CPSR flag, so the first argument should be non-zero value.

    Replies
    1. You're right - I wrote this post a year after the original research, and made a few such mistakes in the post. Hopefully I will get around to fixing this when I get a little free time, but if not, my apologies!

  11. Hi, I came across your post while trying to evaluate security of hardware-backed key stores in Android.

    You describe extracting TZ image from eMMC. Is the internal state of the "Secure World" also commonly retained in eMMC? Given sufficient access to the device (e.g. JTAG), should it be possible to extract eMMC, attempt device unlock (e.g. guess PIN), then restore internal state (prior to unlock attempt) and try again?

    Replies
    1. Hi Nadav,

      I'm not 100% sure I understand what you mean; the eMMC only contains the code for the TrustZone image, not the actual state - that's stored in RAM. If you had full JTAG access you could halt the application processor in the TrustZone kernel, and try to perform a RAM dump (and restore it later). However - there are many reasons why I suspect this won't work - for one, there are physical XPUs on the SoC which prevent access to different memory locations, based on the processor requesting the access. Depending on which processor you get JTAG access to, you could read certain such parts. Then, even if you were able to restore the state, it is very highly dependent on the state of other subsystems on the SoC (such as the modem, etc.), so simply restoring a huge portion of memory will probably cause a lot of unpredictable behaviour.

    2. Thank you for answering,

      What I meant by internal-state was persistent state, i.e. any state written by the "Secure World" to persistent media during operation. Is all such state commonly persisted to eMMC, or should we assume additional and more elusive storage locations?

      To restate the original question: during incorrect device unlock attempt, what storage locations are generally affected?

    3. Oh I see what you mean -

      Generally, for information persisted by the TZ kernel, this could be a *lot* harder than you would initially assume. First of all, the eMMC is aware of the current world executing (via the AXPROT bus), and therefore disallows access to any location on the eMMC which is used by the secure world to store data. But not only that - there is a secure file-system which is encrypted using a crypto processor on the SoC. I think it uses a hardware key which is unique per-device, and shouldn't be readable in any way using software. This means that even if you de-solder the eMMC and access it fully, you still wouldn't be able to read the data. There's some information in a patent filed by Qualcomm (http://www.google.com/patents/US7921303), but I'm sure if you google SFS you can find out more.

      Ultimately, I would say this: reverse the code responsible for the unlocking attempt and just see where the state is saved. It could be that you're lucky and the data is simple to access, but I would guess otherwise.

    4. What I had in mind is a bit more straightforward:
      1) extract full eMMC, including all partitions — encrypted and otherwise, without attempting decryption
      2) boot the partially disassembled device and attempt a few PIN code guesses (assume device has a 4-digit PIN), stopping short of lockout
      3) restore previously extracted eMMC state via direct write
      4) repeat from step #2 until we guess the PIN code correctly

      Would you expect full read/write operations as stated above to succeed, provided we are able (hypothetically) to repeatedly de-solder and re-solder the eMMC with no damage?

    5. Oh I see what you mean - I assumed earlier you were trying to restore the state on a "live" device.

      I think if the eMMC remains fully intact between attempts, this should work. AFAIK, there is no chip on the SoC which has an internal memory\battery and is used to save the unlocking attempts done so far (like Apple's "Secure Enclave").

      However, IIRC the unlocking itself is designed to be computationally intensive, which means each attempt takes ~150 ms for the application processor to perform. This means that you would be limited to the search space * 150 ms. For small PINs (e.g., 4 digits) this is fast enough. For longer ones (passwords or unlock patterns), the search space could be much bigger and it would be infeasible to wait that amount of time.

  12. Cool post! But I don't really understand how to copy the image with the "dd" command, could you please show me the whole command?

    Replies
    1. If you don't know how to dd an img to your desired location then you are WAY over your head with this topic we're talking about. Not trying to be a dick, just don't want you bricking a device. Use some google-fu and you'll find out how to dd.

  13. Hi,

    I'm having an issue after exploiting the tz on my phone (MSM8916). I'm not able to read/access the modem RAM. It should be mapped somewhere at 0xC0XXXXXX, but when I attempt to read the region, simply everything hangs. Also, the display stops working when exploiting the tz. It's still unclear why. Everything else seems to work fine though; I can read tz RAM, kernel, etc.

    Replies
    1. Hi Raducu,

      You cannot freely read certain regions such as the modem's RAM, since they are protected by a hardware security mechanism (called an XPU). It may be possible to configure XPUs using TrustZone kernel code-execution, though I've never attempted this.

      All the best,
      Gal.

  14. Hi! I'm a vulnerability researcher who recently decided to break into the world of android (for fun, not work). First, I want to say amazing work! What I love most about this field is the clever and ingenious exploitation techniques used to get code exec. You did not disappoint! As I am waiting for my android device to be shipped, I have been reading your blog.

    In this article, you post a picture of what appears to be file-system listings as root. Were these taken from the phone? Is it possible to have a serial terminal with the phone via USB? Or is this some kind of app / software that allows you to access the phone like a linux terminal?

    Thank you and great job!

    Replies
    1. Hi Mizz,

      Thank you for the kind words! Yes, you can communicate with the phone over USB using the Android Debug Bridge (ADB). In certain configurations, you can also run the debug daemon under root.

      Gal.

  15. Hi! Great post!

    I'm trying to hack the bootloader of my device(which has snapDragon 820), and to make it load the linux kernel at Exception Level 2(that is, hypervisor/virtualization level). Do you have any idea how this can be done?

    I have disassembled the xbl.elf file, where I found lots of *_ELx codes, which is totally a mess. I would really appreciate it if you could give some comments.

    Replies
    1. Hi Zesen, sorry for the late response -- I haven't been checking the blog lately.

      First of all, you need to consider the fact that Qualcomm's Hypervisor is already running at EL2. However, if you'd like to run your own code in their hypervisor regardless, I suggest taking one of two routes:

      1. Find and exploit a vulnerability in the Hypervisor. For example, you could use the DMA attack that I covered on the Project Zero blog (https://googleprojectzero.blogspot.co.uk/2017/04/over-air-exploiting-broadcoms-wi-fi_11.html) in order to read/write directly into the Hypervisor (allowing you to freely inject code).

      2. You could look for a way to disable secure boot on the device so that you could provide your own unsigned (or self-signed) image for the hypervisor. Some devices don't have secure boot configured in the first place, though that should be quite rare. In other cases, blowing certain fuses could allow loading unsigned images.

      All the best!
      Gal.

  16. Hi Gal.

    Excellent work.

    Just one small question: you imply that for arguments with pointer to addresses passed by atomic SCM calls, the TZ kernel does not verify whether they are in the correct range (e.g., not in the TZ kernel). However, you mention for regular SCM calls, the TZ kernel does perform a verification. Is my understanding correct? If yes, why such an implementation?

    Thank you very much for the education you provide

  17. Hello there,
    Lg h820 at & t phone was dead boot.
    Tot file available, how do we fix this phone with this method?

  19. I am unable to extract keys from my Nexus 5 device. Can you please help me out??


    ReplyDelete
  41. www.hulu. com/activate – For hulu channel activation, just start with hulu login or starts with hulu activate guide to watch all your favorite movies, TV shows, news, and live sports just a click away at hulu.com/activate and enter hulu activation code.

    www.hulu. com/activate – hulu activate guide to watch all your favorite movies, TV shows, news, and live sports just a click away at hulu.com/activate and enter hulu activation code.

    www.hulu.com/activate – For hulu channel activation, just start with hulu login or starts with hulu activate guide to watch all your favorite movies, TV shows, news, and live sports just a click away at hulu.com/activate and enter hulu activation code.

    ReplyDelete
  42. I really happy found this website eventually. Really informative and inoperative, Thanks for the post and effort! Please keep sharing more such blog.

    norton.com/setup

    spectrum email login

    aolmail password recovery

    kaspersky antivirus download

    ReplyDelete
  43. https://crackedpcgame.com/
    Pc Games Free Download Full Version Is Here.

    ReplyDelete
  44. where can i download free pc games full version
    Saints Row Pc Download: is an action and adventure fighting pc game. Volition are the developers and THQ are the publishers of Saints Row Torrent. It is the first game in the Saint Rows Games series. The game features both single and multiplayer gameplay modes for the players.

    ReplyDelete
  45. I really happy found this website eventually. Really informative and inoperative, Thanks for the post and effort! Please keep sharing more such blog.

    norton.com/setup

    spectrum email login

    www.aolmail.com

    office.com/setup

    kaspersky activation

    ReplyDelete
  46. https://autocracked.org/save-wizard-torrent-crack/
    Save Wizard Crack is a complete, master copy and good slicker code. That is used in the play station store. The save wizard is discovered in 2017. Now it is play slickers in hundred of the games. For example, Max gold keys used for borderland 3.Save wizards for PS4 play about affairs for anyone.

    ReplyDelete
  47. https://approvedcrack.com/easeus-data-recovery-wizard-crack-torrent/
    EaseUS Data Recovery Wizard Crack is the beautiful software that retrieves the deleting data of any file. This software retrieves the website data those by chance loss. This software work for recovery reason. Is the best software for data recovery purpose. Retrieve the data of any location. Sometimes user deletes the file permanently in the computer and laptop, then installs the EASEUS Data Recovery software in the computer or android system and recovers the complete data.

    ReplyDelete
  48. https://chsofts.com/sidify-music-converter-crack-full/
    Sidify Music Converter Crack Free Download Here:- This software segregates DRM from Spotify songs and varied Spotify music into the mp3, AAC, WAV and FLAC arrangement at 5x speed. It brought serious improvement in Spotify music converter for window V1.2.7, invented by Sidify Inc. company. Sidify music converter is a kind of software which is used for windows and MACOS. It can change your Spotify music into DRM free translation, which is enjoyable everywhere.

    ReplyDelete
  49. https://crackedos.com/fl-studio-crack/
    FL Studio 20 Crack is software provided with proper tools for composing, arranging, mixing, editing and recording for the production of master or professional quality music. Its price varies according to required features unlocks. Its key feature is the digital piano roll.

    ReplyDelete
  50. https://rootcracks.org/wondershare-filmora-crack-plus-key-download/
    Wondershare Filmora 9.4.6.2 Crack is the most loyal software for producing new and editing old videos. It is ample of marvellous gadgets with producing and editing videos. And its new update is with the more reliable and wonderful tools. These support you to choose media lists and allows you to edit them. Next, you will begin to perceive. And the rate you will take from it will depend on the performance of your Pc.

    ReplyDelete
  51. https://hmzapc.com/wise-data-recovery-crack-full-serial-key/
    Wise Data Recovery Crack is a reliable data recovery software. That has the aptitude and skill to acts strong as its opponent’s software. And it has a pack of solitary qualities than the other related software. In this manner, it is unique to other recovery tools. This is miniature and minor in size software. You can use it to revive the data of any type. That erased haphazardly from your device. Further, you have several choices to do a retrieval scan by selecting the record. And the extra claims are to examine by the title of the file. And by the varying forms.

    ReplyDelete
  52. https://activatorpros.com/movavi-video-editor-crack-plus-activation-keys/
    Movavi Video Editor Crack is an easy-to-use Video Editor that permits basic enhancing and modifying of all picture stuff. It provides a complete collection of functions and tools, using the assistance which we’ll set sub-titles, impacts, fascinating tweaks around the movie or incorporate a documented voice for a soundtrack. It provides aid for keyframe cartoons of sub-titles or even overlay video clips. Certainly one of those choices is Movavi Video-Editor Activation Key, which attracts programs to generate demonstrations in moments.

    ReplyDelete
  53. https://crackpluskey.com/tenorshare-4ukey-full-registration-code/
    Tenorshare 4uKey Full Cracked is software that concedes you to unhitch your device iPhone if you misremember your key or code or you don’t understand your iPhone – iPad or other device key or password. This not matters if it’s a 4-numbers key or code, an 8-numbers code or key, a face key or a serial number. You will be capable to unlock every kind of key. Memorize important keys in moments with connection parts and figures.

    ReplyDelete
  54. world of warships download pc
    World of Warships Pc Download Free Full Game is a naval troops warfighting, and shooting video game. Wargaming Group Ltd developed it and published World Of Warships Torrent worldwide. Most importantly, both Single and multiplayer gameplay modes are available for those players who want to play the World Of Warships Free Download.

    ReplyDelete
  55. https://geeeksquaad.blogspot.com/

    ReplyDelete
  56. https://geeeksquaad.blogspot.com/

    ReplyDelete
  57. Activatehulu.com help you to activate your hulu. you can watch hulu shows online. enter your hulu activation code on hulu com activate or www.Hulu.com/Activate are related words for hulu activation.
    check out Hulu News for latest hulu activation news.

    ReplyDelete
  58. Activatehulu.com help you to activate your hulu. you can watch hulu shows online. enter your hulu activation code on hulu com activate or www.Hulu.com/Activate are related words for hulu activation.
    check out Hulu News for latest hulu activation news.

    ReplyDelete
  59. Activatehulu.com help you to activate your hulu. you can watch hulu shows online. enter your hulu activation code on hulu com activate or www.Hulu.com/Activate are related words for hulu activation.
    check out Hulu News for latest hulu activation news.

    ReplyDelete
  60. There are some steps to install norton antivirus and sign up on norton website.Go to sign up mail box click link. This is a activation keys for Norton Users. Renew your Norton antivirus with product key from fill and activate norton antivirus in system.

    norton.com/setup
    webroot.com/safe

    ReplyDelete

  61. Your membership starts when you enter the 25-character norton.com/setup key found on item card or request affirmation email norton.com/setup.


    Norton.com/setup

    ReplyDelete


  62. AVG antivirus is a prominent virus protection program among the world of software . As many hackers and data stealers are waiting for the user’s mistake, they can misuse of user’s identity and other data.
    www.avg.com/retail |
    avg.com/retail

    ReplyDelete
  63. NAGAQQ: AGEN BANDARQ BANDARQ ONLINE ADUQ ONLINE DOMINOQQ TERBAIK

    Yang Merupakan Agen Bandarq, Domino 99, Dan Bandar Poker Online Terpercaya di asia hadir untuk anda semua dengan permainan permainan menarik dan bonus menarik untuk anda semua

    Bonus yang diberikan NagaQQ :
    * Bonus rollingan 0.5%,setiap senin di bagikannya
    * Bonus Refferal 10% + 10%,seumur hidup
    * Bonus Jackpot, yang dapat anda dapatkan dengan mudah
    * Minimal Depo 15.000
    * Minimal WD 20.000

    Memegang Gelar atau title sebagai Agen BandarQ Terbaik di masanya

    Games Yang di Hadirkan NagaQQ :
    * Poker Online
    * BandarQ
    * Domino99
    * Bandar Poker
    * Bandar66
    * Sakong
    * Capsa Susun
    * AduQ
    * Perang Bacarrat (New Game)

    Tersedia Deposit Via pulsa :
    Telkomsel & XL

    Info Lebih lanjut Kunjungi :
    Website : NagaQQ
    Facebook : NagaQQ Official
    Kontakk : Info NagaQQ
    linktree : Agen Judi Online
    WHATSAPP : +855977509035
    Line : Cs_nagaQQ
    TELEGRAM : +855967014811


    BACA JUGA BLOGSPORT KAMI YANG LAIN:
    agen bandarq terbaik
    Winner NagaQQ
    Daftar NagaQQ
    Agen Poker Online

    ReplyDelete
  64. GOOD Day !

    We have USA fresh & Verified SSN Leads with best connectivity score
    All info checked & genuine

    Info in LEADS
    First Name | Last Name | SSN | Dob | DL Number |Address | State | City | Zip | Phone Number | Account Number | Bank NAME

    *Price for SSN lead $2
    *You can ask for sample before any deal
    *If anyone buy in bulk, we can negotiate
    *Sampling is just for serious buyers

    ==>ACTIVE & FRESH CC FULLZ ALSO AVAILABLE<==
    ->$5 PER EACH

    ->Hope for the long term deal
    ->Interested buyers will be welcome

    **Contact Information**
    Whatsapp > +923172721122
    Email > leads.sellers1212@gmail.com
    Telegram > @leadsupplier
    ICQ > 752822040

    ReplyDelete
  65. Download the Norton setup file by creating an account on www.norton.com/setup. Install the setup and activate it on norton.com/setup.

    ReplyDelete
  66. A very good and interesting article, Last week we went to Las Rozas, and looking for we found 2 Restaurante Chapoo ,2 food delivery ,we were very satisfied with the treatment and the food.
    if you need to print large posters on canvas the company,2 IMC Impresiones company dedicated to large format printing with a 24-hour emergency service so that you do not miss out on your roll up, painting, poster, canvas and much more.
    Looking for Charming Rural Houses I find 2 La Alquería del Hoyo , they are only 30 minutes from Cuenca in Cañada del Hoyo, an area with a footprint of millions of years, in the middle of Monte de los Palancares we can find the Torcas.
    I found the website if you need to celebrate a wedding, communion in Madrid you have website 2 Grupo Acadi, catering for events at2 Acadi Catering. If you are looking for a classy terrace visit2 Jardin de Acadi.all with more than 10 years of experience.

    ReplyDelete
  67. https://zsactivationkey.com/genymotion-crack/
    There’s always something to be thankful for. If you can’t pay your bills, you can be thankful you’re not one of your creditors.

    ReplyDelete
  68. https://zscrack.com/4k-video-downloader-crack/
    Thank you for always being there for me even when I’m being a pain in the rear.

    ReplyDelete
  69. https://chproductkey.com/aomei-partition-assistant-crack/
    I couldn’t find a card that expressed my gratitude the way I wanted. I need a card that gives you a big hug.

    ReplyDelete
  70. https://letcracks.com/hitman-pro-crack/
    We make a living by what we get, but we make a life by what we give.

    ReplyDelete
  71. https://cracksmad.com/driver-genius-professional-crack/
    Kind words can be short and easy to speak, but their echoes are truly endless.

    ReplyDelete
  72. https://shehrozpc.com/sound-forge-pro-crack/
    There is no better way to thank God for your sight than by giving a helping hand to someone in the dark.

    ReplyDelete
  73. https://cracksmod.com/avast-premier-license-keys-2020/
    It’s not about how much we give but how much love we put into giving.

    ReplyDelete
  74. I am genuinely glad to glance at this weblog posts which consists of lots of helpful data, thanks for providing such information. McAfee antivirus is the best in class security protection program for home and office users. The Mcafee antivirus comes with great protection programs by mcafee.com/activate. If you want to learn more about the McAfee application, please visit our website.

    ReplyDelete
  75. Canon printer is ubiquitous these days. You can find it in many homes and offices, providing very efficient printing services via canon.com/ijsetup or you can also visit the official website at ij.start.canon.

    ReplyDelete
  76. How To Norton Activate Card. Simply Follow The Below Mentioned 3 Simple Steps To get Your norton Antivirus Product Product Installed And Activated in your computer system.

    norton.com/setup

    ReplyDelete

  77. Visit office.com/setup, enter the unique product key, download and install Microsoft Office setup. For activation, go to office.com/setup.

    Office.com/setup

    ReplyDelete
  78. Roku device is the best service in the USA, Do you have an issue with your Roku Device? Get instant solution and support by Roku Helpline Number. We are dealing with a wide range of Roku streaming players and provide a complete solution for Roku devices.call +1-888-720-1310 visit here https://roku-helpnumber.com/
    https://roku-helpnumber.com/services/
    https://roku-helpnumber.com/roku-customer-service-phone-number/
    Roku Help Phone Number
    Change Roku Stick Factory Setting Without Remote
    How to Fix Common Roku Error Codes
    Roku Customer Service Phone Number
    Contact Roku Customer Service Number

    ReplyDelete