26/04/2016

Exploring Qualcomm's Secure Execution Environment

Welcome to a new series of blog posts!

In this series, we'll dive once more into the world of TrustZone, and explore a new chain of vulnerabilities and corresponding exploits which will allow us to elevate privileges from zero permissions to code execution in the TrustZone kernel.

This may sound familiar to those of you who have read the previous series - but let me reassure you; this series will be much more exciting!

First of all, this exploit chain features a privilege escalation which is universal across all Android versions and phones (and which requires zero permissions) and a TrustZone exploit which affects a very wide variety of devices. Secondly, we will dive deep into an as-of-yet unexplored operating system - QSEE - Qualcomm's Secure Execution Environment. Lastly, we'll see some interesting TrustZone payloads, such as directly extracting a real fingerprint from TrustZone's encrypted file-system.

In case you would like to follow along with the symbols and disassembled binaries, I will be using my own Nexus 6 throughout this series, with the following fingerprint:
    google/shamu/shamu:5.1.1/LMY48M/2167285:user/release-keys 

You can find the exact factory image here.

 

 

Oh say can QSEE


In this blog post, we'll explore Qualcomm's Secure Execution Environment (QSEE).

As we've previously discussed, one of the main reasons for the inclusion of TrustZone on devices is the ability to provide a "Trusted Execution Environment" (TEE) - an environment which should theoretically allow computation which cannot be interfered with from the regular operating system, and is therefore "trusted".

This is achieved by creating a small operating system which operates solely in the "Secure World" facilitated by TrustZone. This operating system provides a small number of services directly in the form of system calls which are handled by the TrustZone kernel (TZBSP) itself. However, in order to allow for an extensible model where "trusted" functionality can be added, the TrustZone kernel can also securely load and execute small programs called "Trustlets", which are meant to provide a secure service to the insecure ("Normal World") operating system (in our case, Android).




There are several such Trustlets commonly used on devices:
  • keymaster - Implements the key management API provided by the Android "keystore" daemon. It can securely generate and store cryptographic keys and allow the users to operate on data using these keys.
  • widevine - Implementation of Widevine DRM, which allows "secure" playback of media on the device.
In fact, there are many more DRM-related trustlets, depending on the OEM and the device, but these two trustlets are universally used.

Where do we start?


Naturally, one place to start would be to look at a trustlet of our choice, and to try and understand what makes it tick. Since the "widevine" module is one of the most ubiquitous, we'll focus on it.

Searching briefly for the widevine trustlet itself in the device's firmware reveals the following:


Apparently the trustlet is split into a few different files... Opening the files reveals a jumbled up mess - some files contain what looks like code, others contain ELF headers and metadata. In any case, before we can start disassembling the trustlet, we need to make some sense out of this format. We can either do this by opening each of the files and guessing the meaning of each blob, or by following the code-paths responsible for loading the trustlet - let's try a little of both.

Loading a Trustlet


In order to load a trustlet from the "Normal World", applications can use the libQSEECom.so shared object, which exports the function "QSEECom_start_app":


Unfortunately this library's source code is not available, so we'll have to reverse engineer the function's implementation to find out what it does. Doing so reveals that it performs the following operations:
  • Opens the /dev/qseecom device and calls some ioctls to configure it
  • Opens the ".mdt" file associated with the trustlet and reads the first 0x34 bytes from it
  • Calculates the number of ".bXX" files using the 0x34 bytes from the ".mdt"
  • Allocates a physically contiguous buffer (using "ion") and copies the ".mdt" and ".bXX" files into it
  • Finally, calls an ioctl to load the trustlet itself, using the allocated buffer
So, still no luck on exactly how the images are loaded, but we're getting there.

First of all, the number 0x34 might look familiar - this is the size of a (32 bit) ELF header. Opening the MDT file reveals that the first 0x34 bytes are indeed a valid ELF header:


Moreover, the "QSEECom_start_app" function we just had a look at used the word at offset 0x2C in order to calculate the number of ".bXX" files. As you can see above, this corresponds to the "e_phnum" field in the ELF header.

Since the "e_phnum" field is usually used to specify the number of program headers, this hints that perhaps each of the ".bXX" files contains a single segment of the trustlet. Indeed, opening each of the files reveals content that seems like it may be a segment of the program being loaded... But in order to make sure, we'll need to find the program headers themselves (and see if they match the ".bXX" files).

Looking further, the next few chunks in the ".mdt" file are in fact the program headers themselves, one for each of the ".bXX" files present.


And, confirming our earlier suspicion, their sizes match the sizes of the ".bXX" files exactly. Great!

Note that the first two program headers above look a little strange - they are both NULL-type headers, meaning they are "reserved" and should not be loaded into the resulting ELF image. Strangely, opening the corresponding ".bXX" files reveals that the first block contains the same ELF header and program headers present in the ".mdt", and the second block contains the rest of the ".mdt" file.

In any case, here's a short schematic summing up what we know so far:



Also, note that since the ELF header and the program headers are all present in the ".mdt", we can use "readelf" in order to quickly dump the information about program headers in the trustlet:




At this point we have all the information we need in order to create a complete and valid ELF file from the ".mdt" and ".bXX" files; we have the ELF header and the program headers, as well as each of the segments themselves. We just need to write a small script that will create an ELF file using this data.

I've written a small python script which does just that. You can find it here:

https://github.com/laginimaineb/unify_trustlet
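
The reassembly described above can be sketched as follows. This is an added example, not the author's unify_trustlet script: it parses the ELF header and program headers from the ".mdt" and places each ".bXX" blob at its p_offset. The sample trustlet returned by build_sample() is constructed for illustration, and the MAX_IMAGE limit is an assumption.

```python
import struct

EHDR = struct.Struct("<16sHHIIIIIHHHHHH")  # Elf32_Ehdr: 0x34 bytes
PHDR = struct.Struct("<8I")                # Elf32_Phdr: 0x20 bytes
PHDR_FIELDS = ("p_type", "p_offset", "p_vaddr", "p_paddr",
               "p_filesz", "p_memsz", "p_flags", "p_align")
MAX_IMAGE = 64 * 1024 * 1024               # assumed sanity limit on the output size


def parse_mdt(mdt):
    """Parse the ELF header and program headers at the start of a .mdt."""
    if len(mdt) < EHDR.size or mdt[:4] != b"\x7fELF":
        raise ValueError("no ELF header at offset 0")
    if mdt[4] != 1 or mdt[5] != 1:  # EI_CLASS=ELFCLASS32, EI_DATA=ELFDATA2LSB
        raise ValueError("expected a 32-bit little-endian ELF header")
    fields = EHDR.unpack_from(mdt)
    # e_phnum is the 16-bit word at offset 0x2C that the loader reads.
    e_phoff, e_phentsize, e_phnum = fields[5], fields[9], fields[10]
    if e_phentsize != PHDR.size or e_phnum == 0:
        raise ValueError("unexpected program header table")
    if e_phoff + e_phnum * PHDR.size > len(mdt):
        raise ValueError("program headers run past the end of the .mdt")
    return [dict(zip(PHDR_FIELDS, PHDR.unpack_from(mdt, e_phoff + i * PHDR.size)))
            for i in range(e_phnum)]


def unify(mdt, blocks):
    """Rebuild one ELF image; blocks[i] holds the bytes of the .b<i> file."""
    phdrs = parse_mdt(mdt)
    if len(blocks) != len(phdrs):
        raise ValueError("expected one .bXX file per program header")
    for i, (ph, blob) in enumerate(zip(phdrs, blocks)):
        if len(blob) != ph["p_filesz"]:
            raise ValueError(f".b{i:02d}: {len(blob)} bytes, "
                             f"header says {ph['p_filesz']}")
    size = max(ph["p_offset"] + ph["p_filesz"] for ph in phdrs)
    if size > MAX_IMAGE:
        raise ValueError("program headers describe an implausibly large image")
    image = bytearray(size)
    for ph, blob in zip(phdrs, blocks):
        image[ph["p_offset"]:ph["p_offset"] + len(blob)] = blob
    return bytes(image)


def build_sample():
    """Constructed stand-in for a trustlet (three segments, not real firmware)."""
    code = b"\x1e\xff\x2f\xe1" * 2       # two ARM "bx lr" instructions
    meta = b"HASHES+SIGNATURE+CERTS"     # placeholder for the metadata segment
    hdr_len = EHDR.size + 3 * PHDR.size
    ehdr = EHDR.pack(b"\x7fELF\x01\x01\x01" + bytes(9), 2, 40, 1, 0,
                     EHDR.size, 0, 0, EHDR.size, PHDR.size, 3, 0, 0, 0)
    phdrs = b"".join(PHDR.pack(*p) for p in (
        (0, 0x0000, 0, 0, hdr_len, 0, 0, 0),                 # PT_NULL -> .b00
        (0, 0x1000, 0, 0, len(meta), 0, 0, 0x1000),          # PT_NULL -> .b01
        (1, 0x2000, 0, 0, len(code), len(code), 5, 0x1000),  # PT_LOAD -> .b02
    ))
    mdt = ehdr + phdrs + meta
    # As on the page: .b00 repeats the headers, .b01 is the rest of the .mdt.
    return mdt, [mdt[:hdr_len], mdt[hdr_len:], code]


if __name__ == "__main__":
    sample_mdt, sample_blocks = build_sample()
    for idx, ph in enumerate(parse_mdt(sample_mdt)):
        print(f".b{idx:02d} type={ph['p_type']} offset={ph['p_offset']:#x} "
              f"filesz={ph['p_filesz']:#x}")
    print("unified image:", len(unify(sample_mdt, sample_blocks)), "bytes")
```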

Reflections on Trusting Trustlets

 

By now we have a basic understanding of how trustlets are assembled into an executable file, but we still don't know how they are verified. However, since we know the ".bXX" files contain only the segments to be loaded, the verification data must reside in the ".mdt" file.

So it's time for some guesswork - if we were to build a trusted loader, how would we do it?

One very common paradigm would be to use hash-and-sign (relying on a CRHF, a collision-resistant hash function, and a digital signature). Essentially, we calculate the hash of the data to be authenticated and sign it using a private key for which a corresponding public key is known to the loader.

If that were the case, we'd expect to find two things in the ".mdt":
  • A certificate chain
  • A signature blob
Let's start by looking for a certificate chain. There are way too many formats for certificates, but since the ".mdt" file only contains binary data, we can assume it'll probably be a binary format, the most common of which is DER.

There's a quick hack we can use to find DER encoded certificates - they almost always start with an "ASN.1 SEQUENCE" blob, which is encoded as: 0x30 0x82. So let's search for these two bytes in the ".mdt" and save each found blob into a file. Now, we can check if these blobs are well-formed certificates using "openssl":


Yup, we guessed correctly - those are certificates.
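
An added example (not the author's tooling) of the 0x30 0x82 search: it decodes the DER length that follows the tag to decide where each candidate ends, and keeps only blobs shaped like an X.509 Certificate (SEQUENCE, SEQUENCE, BIT STRING). The sample blob is constructed and only structurally resembles certificates; real candidates would still be checked with "openssl".

```python
def read_tlv(buf, off, end):
    """Decode one DER TLV header at off; return (tag, hdr_len, total_len) or None."""
    if off + 2 > end:
        return None
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                          # short form: length in one byte
        hdr, body = 2, first
    else:                                     # long form: next n bytes hold the length
        n = first & 0x7F
        if not 1 <= n <= 4 or off + 2 + n > end:
            return None
        body = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        if body < 0x80 or buf[off + 2] == 0:  # DER requires the minimal encoding
            return None
        hdr = 2 + n
    total = hdr + body
    return (tag, hdr, total) if off + total <= end else None


def certificate_len(buf, off):
    """Length of an X.509-shaped SEQUENCE at off, or None if the shape is wrong."""
    outer = read_tlv(buf, off, len(buf))
    if outer is None or outer[0] != 0x30:
        return None
    pos, end = off + outer[1], off + outer[2]
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE,
    #                            signatureAlgorithm SEQUENCE,
    #                            signatureValue BIT STRING }
    for expected_tag in (0x30, 0x30, 0x03):
        child = read_tlv(buf, pos, end)
        if child is None or child[0] != expected_tag:
            return None
        pos += child[2]
    return outer[2] if pos == end else None


def carve_certificates(blob):
    """Return [(offset, der_bytes)] for every certificate-shaped blob found."""
    found = []
    off = blob.find(b"\x30\x82")
    while off != -1:
        size = certificate_len(blob, off)
        if size is None:
            off = blob.find(b"\x30\x82", off + 1)   # false positive, keep scanning
        else:
            found.append((off, blob[off:off + size]))
            off = blob.find(b"\x30\x82", off + size)
    return found


def der(tag, body):
    """Minimal DER encoder, used only to build the constructed sample."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body


def build_sample_blob():
    """Constructed data: a decoy 30 82 pair, then three certificate-shaped blobs."""
    def fake_cert(tbs_len):
        return der(0x30, der(0x30, b"\xaa" * tbs_len)       # stand-in tbsCertificate
                   + der(0x30, b"\x06\x03\x2a\x03\x04")     # stand-in algorithm OID
                   + der(0x03, b"\x00" + b"\x55" * 256))    # stand-in signature bits
    decoy = b"\x30\x82\xff\xff" + bytes(12)   # claims more bytes than the file holds
    return bytes(0x40) + decoy + fake_cert(300) + fake_cert(400) + fake_cert(500) + bytes(32)


if __name__ == "__main__":
    for offset, cert in carve_certificates(build_sample_blob()):
        print(f"candidate certificate at {offset:#x}, {len(cert)} bytes")
```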

In fact, the trustlet contains three certificates, one after the other. Just for good measure, we might also want to check that these three certificates are in fact a certificate chain which forms a valid chain of trust. We can do this by dumping the certificates to a single "certificate chain" file and using "openssl" to verify each certificate using this chain:


As for the root of trust of this chain - looking at the root certificate in the chain reveals the same root certificate which is used to verify all other parts of the boot chain in Qualcomm's "Secure Boot" process. There has been some research about this mechanism, which has shown that the validation occurs by comparing the SHA256 of the root certificate to a special value called "OEM_PK_HASH", which is "fused" into the device's QFuses during the production process. Since this value should theoretically not be modifiable after the production of the device, this means that forging such a root certificate would essentially require a second pre-image attack against SHA256.

Now, let's get back to the ".mdt" - we've found the certificate chain, so now it's time to look for a signature. Normally, the private key is used to produce a signature and the public key can be used to recover the signed data. Since we have the public key of the top-most certificate in the chain, we can use it to go over the file and opportunistically try to "recover" each blob.

But how will we know when we've succeeded?

Recall that RSA is a trapdoor permutation family - every blob with the same number of bits as the public modulus N is mapped to another blob of the same size.

However, while the RSA public modulus in our case is 2048 bits long, most hashes are much shorter than that (160 bits for SHA1, 256 bits for SHA256). This means that if we try to "decrypt" a blob using our public key and it happens to end with a lot of "slack" space (for example, zero bytes), there's a very good chance that this is the signature we're looking for (for a completely random permutation, the chance of n consecutive zero bits is 2^-n - extremely small for even a moderate n).

In order to do so, I wrote a small program which loads the public key from the top-most certificate in the chain and tries to "recover" each blob in the ".mdt" (using rsa_public_decrypt with PKCS #1 v1.5 padding). If the "recovered" blob ends with a bunch of zero bytes, the program outputs it. So... Running it on our ".mdt":


We've found a signature! Great.
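
The scan described above, as an added example rather than the author's program: each window of the file is passed through the RSA public operation and kept only if the result carries PKCS #1 v1.5 signature padding, which is the check RSA_public_decrypt performs. It assumes a constructed toy key built from two Mersenne primes (unsuitable for real use) and a constructed blob, so the modulus here is 1128 bits rather than the 2048 bits used on the device.

```python
import hashlib

# Constructed toy key: two Mersenne primes, fine for a demo, never for real use.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, used only to build the sample
K = (N.bit_length() + 7) // 8       # modulus size in bytes (141 for this key)


def public_recover(block, n, e):
    """Apply s^e mod n and strip PKCS #1 v1.5 type-1 padding; None if malformed."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(block, "big")
    if len(block) != k or s >= n:
        return None
    em = pow(s, e, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":                     # block type 1 marks a signature
        return None
    sep = em.find(b"\x00", 2)                     # end of the 0xFF padding run
    if sep < 10 or em[2:sep] != b"\xff" * (sep - 2):
        return None                               # needs at least 8 bytes of 0xFF
    return em[sep + 1:]


def find_signatures(blob, n, e):
    """Slide a modulus-sized window over blob; return [(offset, recovered payload)]."""
    k = (n.bit_length() + 7) // 8
    hits = []
    for off in range(len(blob) - k + 1):
        payload = public_recover(blob[off:off + k], n, e)
        if payload is not None:
            hits.append((off, payload))
    return hits


def filler(seed, length):
    """Deterministic pseudo-random bytes standing in for unrelated file content."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def build_sample():
    """Constructed blob: one padded, signed SHA256 digest surrounded by filler."""
    digest = hashlib.sha256(b"constructed segment data").digest()
    em = b"\x00\x01" + b"\xff" * (K - 3 - len(digest)) + b"\x00" + digest
    sig = pow(int.from_bytes(em, "big"), D, N).to_bytes(K, "big")
    offset = 300
    return filler(b"head", offset) + sig + filler(b"tail", 200), offset, digest


if __name__ == "__main__":
    sample, _, _ = build_sample()
    for hit_off, payload in find_signatures(sample, N, E):
        print(f"signature at {hit_off:#x}, recovered {len(payload) * 8}-bit payload: "
              f"{payload.hex()}")
```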

What's more, this signature is 256 bits long, which implies that it may be a SHA256 hash... And if there's one SHA256 in the ".mdt", perhaps there are more?



Lucky once again!

As we can see, the SHA256 hashes for each of the ".bXX" files are also stored in the ".mdt", consecutively. We can also make an educated guess that this will be the data (or at least some of the data) that is signed to produce the signature we found earlier.

Note that the ".b01" file's hash is missing - why is that? Remember that the ".b01" file contains all the data in the ".mdt" other than the ELF header and program headers. Since this data also contains the signature above, and the signature is (possibly) produced over the hashes of the block files, this would cause a circular dependency (since changing the block file would change the hash, which would change the signature, which would again change the block file, etc.). So it makes sense that this block's hash wouldn't be present.

By now we've actually decoded all of the data in the ".mdt" file apart from a small structure which resides right after the program headers. However, after looking at it for a while, we can see that it simply contains pointers and lengths of the various parts of the ".mdt" that we've already decoded:


So finally, we've decoded all of the information in the ".mdt"... Phew.


Motorola's High Assurance Boot


Although the ".mdt" file format we've seen above is universal for all OEMs, Motorola decided to add a little twist.

Instead of supplying an RSA signature like the one we saw earlier, they leave the signature blob empty (the signature I showed you earlier was actually from a Nexus 5). Motorola's signature looks like this:


So how is the image verified?

This is done by using a mechanism which Motorola calls HAB ("High Assurance Boot"). This mechanism allows them to verify the ".mdt" file by appending a certificate chain and a signature over the whole ".mdt" to the end of the file, encoded using a proprietary format used by "HAB":


For more information about this mechanism, you can check out this great research by Tal Aloni. In short, the ".mdt" is hashed and signed using the top-most key in the certificate chain, while the root certificate in the chain is verified using a "Super Root Key", which is hard-coded in one of the bootloader's stages.

 

Life of a Trustlet

After the verification process we saw above, the TrustZone kernel loads the trustlet's segments into a secure memory region ("secapp-region") which is inaccessible from the "Normal World" and assigns an ID to it.

Then, the kernel switches into "Secure World" user-mode and executes the trustlet's entry function:



As you can see, the trustlet registers itself with the TrustZone kernel, along with a "handler function". After registering the trustlet, control is returned to the TrustZone kernel, and the loading process finishes.

Now, once the trustlet is loaded, the "Normal World" can send commands to the trustlet by issuing a special SCM call (called "QSEOS_CLIENT_SEND_DATA_COMMAND") containing the loaded trustlet's ID and the request and response buffers. Here's what it looks like:


The TrustZone kernel (TZBSP) receives the SCM call, maps it to QSEOS, which then finds the application with the given ID and calls the handler function which was registered earlier (from "Secure World" user-mode) in order to serve the request.




What's Next?


Now that we have some understanding of what trustlets are and how they are loaded, we can move on to the exploits! In the next blog post we'll find a vulnerability in a very popular trustlet and exploit it in order to execute code within QSEE.


251 comments:

  1. Great post as always!
    I'm waiting for the next post and in the meanwhile I hope you get some time to release the code for standalone version (without the kernel modification) of the older trustzone exploit :).

    As I understand from the post, trustlets execute in a separate usermode inside QSEE. Can exploiting a trustlet lead to a possible bootloader unlock? Since it's just a QSEE usermode application, they possibly don't have access to privileged instructions like blowing a qfuse, right?

    PS: can I know the hex editor you are using? :)

    Replies
    1. I have re-written his original zero-write exploit as a standalone kernel module here: https://github.com/ghassani/qc-tz-es-activated-exploit

    2. The hex-editor looks like 010 editor, probably running on linux.

    3. Hi Madushan,

      First of all, thank you! Glad you enjoyed the post.

      I totally forgot about the "standalone" version of the older TZ exploit. In any case, I just cleaned it up a little bit and put it up on github, here: https://github.com/laginimaineb/standalone_msm8974

      It relies on the previous kernel exploit (https://github.com/laginimaineb/cve-2014-4322/tree/master/Feud/jni) to get kernel code execution, and then dynamically finds the needed kernel symbols and does all the work without needing a kernel module.

      You should definitely check out Ghassan's version as well! I just found out about it, but looking at the code it looks very clean and easy to use.

      As for your second question - you are absolutely correct. QSEE does not have sufficient privileges in order to blow a QFuse, which means we'll need to go further than just exploiting QSEE - you'll see all the details in tomorrow's blog post :)

      Finally, as shuffle2 mentioned below - yes, I am using 010editor on Linux (which I highly recommend! It's a fantastic tool).

      Cheers,
      Gal.

    4. Ghassan -

      Just wanted to say thank you for wrapping the exploit in an LKM! Great work. The code is really clean and well-written. Kudos :)

      Gal.

    5. Great :D Thanks all you guys for all the help and sources. I'm waiting for the next post.

    6. Gal, thank you for that shout out. That means a lot! I love reading your articles, I learn so much from your explanations and examples. Glad that I am able to contribute something to you and your readers. Keep it up, I look forward to the next exploit :)

  2. Just wanted to drop a note and say: you have done some really great work here.

    I actually needed to implement some signing verification tools for Qualcomm's mdt/mbn format very recently. While I have a full set of docs from them it was actually reading through this article that got me most of the information I needed instead :)

    It is funny how reversers often know more about the nitty gritty details of a company's product than they themselves seem to.

    I have also been enjoying the follow up articles on exploitation immensely. Keep up the great work!

    Replies
    1. Thank you Eric, It means a lot to me!

      More posts coming soon :)

  3. Very good! Enjoyed reading it, looking forward to new posts.

    Cheers.

  4. Great post!
    Could this exploit be used on a snapdragon 820? Or is it only limited to the 800 and the 810?

  5. Hi, great post!
    I got lost in the signature recover phase. You wrote:

    "Normally, the private key is used to produce a signature and the public key can be used to recover the signed data"
    Please, could you explain to me how you recover the signed data with the public key? It's the first time I've heard about it.

    Later on you wrote:

    "This means that if we try to "decrypt" a blob using our public key[...]"
    What do you mean by "decrypt"? Again, it's the first time I've heard about using an RSA public key to decrypt data.

    I do not quite understand your process of looking for the signature; what does the trydec function do?
    Could you not try to do it by brute force? Sign-hash the blob files with several hash functions and the public key and then look for the result in the .mdt binary data?

    Maybe the problem is that I am a mathematician (...XD) trying to get your work.

    Thank you again and waiting for more post!

    Replies
    1. Thank you!

      As for your question - the main problem here is terminology regarding RSA.

      First, the mathematical definition of RSA is a trapdoor permutation family. Let's say we have the public exponent e, private exponent d and modulus N.

      Now, for each message m in Zn*, applying m' = (m^e) mod N is an onto one-to-one mapping into Zn*. Recall that we chose e,d such that e*d = 1 (mod phi(N)). This means that by applying the permutation (m' ^ d) mod N = ((m^e) ^ d) mod N = (m ^ (e*d mod phi (N))) mod N = m (mod N).

      So applying the reverse permutation allowed us to retrieve the original message m.

      Now - people often refer to RSA as an encryption scheme. It isn't (because it's not CPA-secure, as it's completely deterministic). But you *could* think of it as encryption in the sense that after permuting a message with the public exponent, it's hard to retrieve the message without knowing the private exponent.

      In that sense, we can say that the operation (m^e) mod N is public-encryption and (m^d) mod N is private-decryption.

      The inverse is also true (since RSA is symmetric with regards to e,d). So we could say that (m^d) mod N is private-encryption and (m^e) mod N is public-decryption.

      Next comes an important primitive that is often used with RSA - signing. Imagine you have a message and would like to guarantee it was produced *only* by someone who knows the private exponent. You could do this by applying the permutation using the private exponent - that is, for each message m, produce (m^d) mod N. We just called this operation "private-encryption" in the previous paragraph, but when using RSA as a signature scheme, we could call this operation "signing".

      So... how is this useful at all? Well, someone with the public exponent can apply "public-decryption" on the message, and by the commutativity of multiplication: (m' ^ d) mod N = ((m^d) ^ e) mod N = (m ^ (d*e mod phi (N))) mod N = (e*d mod phi (N))) mod N = m (mod N). So anyone with the public key can use this to retrieve the message m from the signature. We'll call this operation "verify".

      Finally, if we already have a signature block produced using the private exponent, and we know the signed message has some unique structure, we can scan each block and attempt to perform RSA-verification ("public-decryption") on every block. This will produce some message m' - if it matches the structure we know, it is (other than a negligible probability) our signature block.

      Cheers,
      Gal.

    2. Hi Gal,

      Thank you for your quick response. I know what RSA cryptography involves, part of my daily job is related to crypto issues. The thing was that this was the first time I read the concept of encryption when you want to refer to signing, but I agree it is just terminology.

      I know a forum is not the best place to write maths...jajaja but I suppose you wanted to write (the ' was left):

      (m^e) mod N = m' is public-encryption and (m'^d) mod N is private-decryption
      &&
      (m^d) mod N = m' is private-encryption and (m'^e) mod N is public-decryption

      Therefore, what I understand is that when you write "we try to "decrypt" a blob using our public key" what you are looking for is a hash value. Because what has been "encrypted/signed" should be a hash value. That's the way signing process works.

      Then, what is the output of your TryDecrypt function, the hash value of some of the blocks? How did you choose the m message along the .mdt binary to perform the "decryption"?

      Thank you
      Regards

    3. Hi Jota,

      Sorry, just wanted to write a full explanation just in case other people find it useful. Anyway, I agree, writing math in a blog post is pretty hard :)

      As for the actual value that is signed - it's actually a special version of HMAC-SHA256 (w/ a different i_pad and o_pad) over all the block files' data, concatenated. But you can outright ignore that and still find the signature block.

      Here are a couple of facts:
      1. The signature is 2048 bits long, while the HMAC-SHA256 is only 256 bits long.
      2. The signature uses PKCS#1 v1.5 padding

      If we simply use RSA-public-decrypt w/ the appropriate padding on each 2048-bit block, we'll get a 2048 bit result. For each randomly-chosen block, the resulting block's bits will be roughly uniformly distributed (since RSA is a trapdoor permutation). But we know that in the signature blob the first 2048-256 bits will be zero (remember this is after removing the padding). The chances of that happening in a uniformly distributed message are negligibly small: 2^(-1792).

      So all TryDecrypt does is iterate over each block, use "RSA public decrypt" w/ the appropriate padding, and check if the resulting block starts with a bunch of leading zeros.

    4. Hi Gal (my name is Jose, I use yours so I think it is fair for you to know mine),

      You do not have to apologize, you did not know it and, probably, some readers have learnt a little more about crypto ;)

      Perfect, everything clear now! Maybe you will find this article interesting: https://www.cs.cornell.edu/courses/cs5430/2015sp/notes/rsa_sign_vs_dec.php

      Looking for vulnerabilities in non-public things is quite exciting, but have you tried to check how good the implementation of public TEEs such as OP-TEE is?

      Will you participate at any security conference to talk about this?

      Thank you,
      Regards

    5. Hi Jose,

      Sorry for the late response! I missed your response.

      I didn't look at public TEEs yet, but I might get around to it (for example, Trusty TEE looks like it could be interesting...)

      Also, I haven't spoken in any conference yet (and have nothing planned up ahead). Mainly because the conferences happen to coincide with the exam period :)

      All the best,
      Gal.

  6. Awesome post!

    I am trying to follow your post and reverse the widevine trustlet (and if needed libQSEECom.so for the loading part).
    Is there an easy way to locate the entry function for the trustlet being loaded? Do I have to look at the libQSEECom.so?

    Thanks in advance

    Replies
    1. Thank you! I think the easiest way is to disassemble the first function (func_0) and look for the function that returns a function pointer. That function pointer points to the entry function. Alternately, you can just search for the Widevine commands (such as PRDiag*) and work backwards from there using XREFs.

  7. Cool post!

    "So let's search for these two bytes in the ".mdt" and save each found blob into a file."

    How could you know the length of these blobs?

    Replies
    1. I didn't, but you can save the blob from the match index until the end of the file, and asn1parse will stop at the end of the ASN1 data.

  8. Could you share the script to "decrypt" the 2048-bit signature blob?
    I searched the Internet but most of them work on certificates with certain formats, rather than raw-data parameters.

    Replies
    1. Hi CrazyGalaxy,

      I didn't do anything fancy - I simply used OpenSSL's RSA_public_decrypt (https://www.openssl.org/docs/man1.1.0/crypto/RSA_public_decrypt.html) for the "decryption".

      To get OpenSSL to load the public key, I did write a small PyCrypto script to define the public key from the parameters (e,N) using RSA.construct (https://www.dlitz.net/software/pycrypto/api/current/Crypto.PublicKey.RSA-module.html#construct), and then saved them to a PEM.

      All the best,
      Gal.

  9. How do you get to the trustlets in the first place? Using the link to the shamu firmware that you provide I find a system.img file in which I assume the widevine trustlet exists, but I cannot continue from here. How did you get to the actual file?

  10. hi
    when i use the QSEECom_start_app,return an error :QSEECom_start_app(.., '/firmware/image/', '***', 1048640) = 'Invalid argument'.
    please help me check
    tks


    How to Setup Brother Wireless Printer Call +44-121-286-4615
    https://www.brotherprintersupport.co.uk/2019/06/28/how-to-setup-brother-wireless-printer-call-44-121-286-4615/
    Brother Wireless Support or Call : +44-121-286-4615

    Brother Printer Support or Call : +44-121-286-4615

    Brother Printer Drivers Call: +44-121-286-4615

    https://www.brotherprintersupport.co.uk/2019/06/27/brother-printer-drivers-call-44-121-286-4615/


    Brother Printer Support Drivers or Call : +44-121-286-4615


    brother printer helpline
    brother printer support number
    brother printer technical support

    ReplyDelete
  39. norton.com/setup to Secure your All Windows, Mac & Android devices. Get norton setup and Run to Install Norton Anti Virus. for more information about norton antivirus, just visit www.norton.com/setup.

    mcafee.com/activate - Get the comprehensive internet security on your device with mcafee activate Antivirus. Get your McAfee installed and activated with easy steps. for more information just visit www.mcafee.com/activate.

    office.com/setup - To get started with Microsoft Office download & install office setup. Find the product key for activation at www.office.com/setup.

    ReplyDelete
  40. Learn how to download, install, activate, and uninstall Microsoft Office Setup on different devices and operating systems such as Mac and Windows. Activate your 25 character alphanumeric product key for Office 365, Office 2016, Office 2013, Office 2010, or Office 2007 at Office.com/setup.
    office.com/setup

    ReplyDelete