15/06/2016

TrustZone Kernel Privilege Escalation (CVE-2016-2431)

In this blog post we'll continue our journey from zero permissions to code execution in the TrustZone kernel. Having previously elevated our privileges to QSEE, we are left with the task of exploiting the TrustZone kernel itself.

"Why?", I hear you ask.

Well... There are quite a few interesting things we can do solely from the context of the TrustZone kernel. To name a few:
  • We could hijack any QSEE application directly, thus exposing all of it's internal secrets. For example, we could directly extract the stored real-life fingerprint or various secret encryption keys (more on this in the next blog post!).
  • We could disable the hardware protections provided by the SoC's XPUs, allowing us to read and write directly to all of the DRAM. This includes the memory used by the peripherals on the board (such as the modem).
  • As we've previously seen, we could blow the QFuses responsible for various device features. In certain cases, this could allow us to unlock a locked bootloader (depending on how the lock is implemented).
So now that we've set the stage, let's start by surveying the attack surface!




 

Attack Surface


Qualcomm's Secure Environment Operating System (QSEOS), like most operating systems, provides services to the applications running under it by means of system-calls.

As you know, operating systems must take great care to protect themselves from malicious applications. In the case of system-calls, this means the operating system mustn't trust any information provided by an application and should always validate it. This forms a "trust-boundary" between the operating system itself and the running applications.

So... This sounds like a good place to start looking! Let's see if the TrustZone kernel does, in fact, cover all the bases.

In the "Secure World", just like the "Normal World", user-space applications can invoke system-calls by issuing the "SVC" instruction. All system-calls in QSEE are invoked via a single function, which I've dubbed "qsee_syscall":

As we can see, the function is a simple wrapper which does the following:
  • Stores the syscall number in R0
  • Stores the arguments for the syscall in R4-R9
  • Invokes the SVC instruction with the code 0x1400
  • Returns the syscall result via R0
So we know how syscalls are invoked, now let's look for the code in the TrustZone kernel which is used to handle SVC requests. Recall that when executing an SVC instruction in the "Secure World", similarly to the "Normal World", the "Secure World" must register the address of the vector to which the processor will jump when such an instruction is invoked.

Unlike SMC instructions (used to request "Secure World" services from the "Normal World"), which use the MVBAR (Monitor Vector Base Address Register) register to provide the vector's base address, SVC instructions simply use the "Secure" version of the VBAR (Vector Base Address Register).


Accessing the VBAR is done using the MRC/MCR opcodes, with the following operands:


So this means we can simply search for an MCR opcode with the following operands in the TrustZone kernel, and we should be able to find the address of secure copy of the VBAR. Indeed, searching for the opcode in the TrustZone image returns the following match:


According to the ARM documentation, the "Secure Vector" has the following structure:

At this point we can start tracing the execution from the SVC handler in the vector table.

The code initially does some boilerplate preparations, such as saving the passed arguments and context, and finally gets to the main entry point which is used to actually handle the requested system-call. Qualcomm have helpfully left a single logging string in this function containing it's original name "app_syscall_handler", so we'll use that name as well. Let's take a look at the function's high-level graph overview:

app_syscall_handler graph overview


...Okay... That's a lot of code.

However, on closer inspection, the graph seems very shallow, so while there are a lot of different code-paths, they are all relatively simple. In fact, the function is simply a large switch-case, which uses the syscall command-code supplied by the user (in R0) in order to select which syscall should be executed.


snippet from app_syscall_handler's switch-case

But something's obviously missing! Where are the validations on the arguments passed in by the user? app_syscall_handler does no such effort, so this means the validation can only possibly be in the syscalls themselves... Time to dig deeper once more!

As you can see in the screenshot above, most of the syscalls aren't directly invoked, but rather indirectly called by using a set of globally-stored pointers, each pointing to a different table of supported system-calls. I've taken to using the following (imaginative) names to describe them:


Cross-referencing these pointers reveals the locations of the actual system-call tables to which they point. The tables' structure is very simple - each entry contains a 32-bit number representing the syscall number within the table, followed by a pointer to the syscall handler function itself. Here is one such table:


As you can see, there is some logic behind the "grouping" of each set of syscalls. For example, the sixth table (above) contains only syscalls relating to memory management (although, admittedly, most tables are more loosely cobbled together).

Finally, let's take a look at a simple syscall which must perform validation in order to function correctly. A good candidate would be a syscall which receives a pointer as an argument, and subsequently writes data to that pointer. Obviously, this is incredibly dangerous, and would therefore require extra validation to make sure the pointer is strictly within the memory regions belonging to the QSEE application.

Digging through the widevine application, we find the following syscall:

This syscall receives four arguments:
  • A pointer to a "cipher" object, which has previously been initialized by calling "qsee_cipher_init"
  • The type of parameter which is going to be retrieved from the cipher object
  • The address to which the read parameter will be written
  • An unknown argument
Of course, QSEE applications always play nice and set the output pointer to a sensible address, but what's actually going on under the hood in the TrustZone kernel? Well, we now know enough to pop the literary hood and check out for ourselves. Going through app_syscall_handler's switch-case, we find the syscall table and offset of the kernel implementation of "qsee_cipher_get_param", leading us to the actual implementation of qsee_cipher_get_param:


This is our lucky day! Apparently the TrustZone kernel blindly trusts nearly all the parameters passed in by the user. Although the function does perform some sanity checks to make sure the given pointers are not NULL and the param_type is within the allowed range, it automatically trusts the user-supplied "output" argument. More importantly, we can see that if we use the parameter type 3, the function will write a single byte from our cipher to the supplied pointer!

Note that this was more than just a stroke of luck - taking a peek at the implementation of all the other syscalls reveals that the TrustZone kernel does not perform any validation on QSEE-supplied arguments (more specifically, it freely uses any given pointers), meaning that at the time all syscalls were vulnerable.

For the sake of our exploit, we'll stick to qsee_cipher_get_param, since we've already started reviewing it.

Full Read-Write


As always, before we start writing an exploit, let's try and improve our primitives. This is nearly always worth our while; the more time we spend on improving the primitives, the cleaner and more robust our exploit will be. We might even end up saving time in the long-run.

Right now we have an uncontrolled-write primitive - we can write some uncontrolled data from our cipher object to a controlled memory location. Of course, it would be much easier if we were able to control the written data as well.

Intuitively, since "qsee_cipher_get_param" is used to read a parameter from a cipher object, it stands to reason that there would be a matching function which is used to set the parameter. Indeed, searching for "qsee_cipher_set_param" in the widevine application confirms our suspicion:


Let's take a look at the implementation of this syscall:


Great!

It looks like we can set the parameter's value by using the same param_type value (3), and supplying a pointer to a controlled memory region within QSEE which will contain the byte we would later like to write. The TrustZone kernel will happily store the value we supplied in the cipher object, allowing us to later write that value to any address by calling qsee_cipher_get_param with our target pointer.

Putting this together, we now have relatively clean write-what-where primitive. Here's a run-down of our new primitive:
  • Initialize a cipher object using qsee_cipher_init
  • Allocate a buffer in QSEE
  • Write the wanted byte to our allocated QSEE buffer
  • Call qsee_cipher_set_param using our QSEE-allocated buffer as the param_value argument
  • Call qsee_cipher_get_param, but supply the target address as the output argument

You might have also noticed that we could use the inverse of this in order to get an arbitrary read primitive. All we would need to do is call qsee_cipher_set_param supplying the address we'd like to read as the param_value argument - this'll cause the TrustZone kernel to read the value at that address and store it in our cipher object. Then, we can simply retrieve that value by calling qsee_cipher_get_param.

Writing an Exploit


Using the primitives we just crafted, we finally have full read-write access to the TrustZone kernel. All that's left is to achieve code-execution within the TrustZone kernel in a controllable way.

The first obvious choice would be to write some shellcode into the TrustZone kernel's code segments and execute it. However, there's a tiny snag - the TrustZone kernel's code segments in newer devices are protected by special memory protection units (called XPUs), which prevent us for directly modifying the kernel's code (along with many different protected memory regions). We could still modify the kernel's code (more information in the next blog post!), but it would be much harder...

...However, we have already come across a piece of dynamically allocated code in the "Secure World" - the QSEE applications themselves!

So here's a plan - if we could ignore the access-protection bits on the code pages of the QSEE applications (since they are all marked as read-execute), we should be able to directly modify them from the context of the TrustZone kernel. Then, we could simply jump to the our newly-created code from the context of the kernel in order to execute any piece of code we'd like.

Luckily, ignoring the access-protection bits can actually be done without modifying the translation table at all, by using a convenient feature of the ARM MMU called "domains".

In the ARM translation table, each entry has a field which lists its permissions, as well as a 4-bit field denoting the "domain" to which the translation belongs.

Within the ARM MMU, there is a register called the DACR (Domain Access Control Register). This 32-bit register has 16 pairs of bits, one pair for each domain, which are used to specify whether faults for read access, write access, both, or neither, should be generated for translations of the given domain.


Whenever the processor attempts to access a given memory address, the MMU first checks if the access is possible using the access permissions of the given translation for that address. If the access is allowed, no fault is generated.

Otherwise, the MMU checks if the bits corresponding to the given domain in the DACR are set. If so, the fault is suppressed and the access is allowed.

This means that simply setting the DACR's value to 0xFFFFFFFF will cause the MMU to enable access to any mapped memory address, for both read and write access, without generating a fault (and more importantly, without having to modify the translation table).

Moreover, the TrustZone kernel already has a piece of code that is used to set the value of the DACR, which we can simply call using our own value (0xFFFFFFFF) in order to fully set the DACR.

TrustZone kernel function which sets the DACR

All that said and done, we're still missing a key component in our exploit! All we have right now is read/write access to the TrustZone kernel, we still need a way to execute arbitrary functions within the TrustZone kernel and restore execution. This would allow us to change the DACR using the gadget above and subsequently write and execute shellcode in the "Secure World".

Hijacking Syscalls


As we've seen, most QSEE system-calls are invoked indirectly by using a set of globally-stored pointers, each of which pointing to a corresponding system-call table.

While the system-call tables themselves are located in a memory region that is protected by an XPU, the pointers to these tables are not protected in any way! This is because they are only populated during runtime, and as such must reside in a modifiable memory region.

This little tidbit actually makes it much simpler for us to hijack code execution in the kernel in a controllable manner!

All we need to do is allocate our own "fake" system-call table. Our table would be identical to the real system-call table, apart from a single "poisoned" entry, which would point to a function of our choice (instead of pointing to the original syscall handler).

It should be noted that since we don't want to cause any adverse effects for other QSEE applications, it is important that we choose to modify an entry corresponding to an unused (or rarely used) system call.

Once we've crafted the "fake" syscall table, we can simply use our write primitive in order to modify the global syscall table pointer to point to our newly created "fake" table.

Then, whenever the "poisoned" system-call is invoked from QSEE, our function will be executed within the context of the TrustZone kernel! Not only that, but app_syscall_handler will also conveniently make sure the return value from our executed code will be returned to QSEE upon returning from the SVC call.



Putting it all together


By now we have all the pieces we need to write a simple exploit which writes a chunk of shellcode in the "Secure World", executes that shellcode in the context of the TrustZone kernel, and restores execution.

Here's what we need to do:
  • Allocate a "fake" syscall table in QSEE
  • Use the write primitive to overwrite the syscall table pointer to point to our crafted "fake" syscall table
  • Set the single "poison" syscall entry in the "fake" syscall table to point to the DACR-modifying function in the TrustZone kernel
  • Invoke the "poison" syscall in order to call the DACR-modifying function in the TrustZone kernel - thus setting the DACR to 0xFFFFFFFF
  • Use the write gadget to write our shellcode directly to a code page in QSEE belonging to our QSEE application
  • Invalidate the instruction cache (to avoid conflicts with the newly written code)
  • Set the single "poison" syscall entry in the "fake" syscall table to point to the written shellcode
  • Invoke the "poison" syscall in order to jump to our newly-written shellcode from the context of the TrustZone kernel!
Here's a small illustration detailing all of these steps:


Playing With The Code


As always, the full exploit source code is available here:

https://github.com/laginimaineb/cve-2016-2431

The exploit builds upon the previous QSEE exploit, in order to achieve QSEE code-execution. If you'd like to play around with it, you might want to use the following two useful functions:
  • tzbsp_execute_function - calls the given function with the given arguments within the context of the TrustZone kernel.

  • tzbsp_load_and_exec_file - Loads the shellcode from a given file and executes it within the context of the TrustZone kernel.

I've also included a small shell script called "build_shellcode.sh", which can be used to build the shellcode supplied in the file "shellcode.S" and write it into a binary blob (which can then be loaded and executed using the function above).

Have fun!

Timeline

 

  • 13.10.2015 - Vulnerability disclosed and minimal PoC sent
  • 15.10.2015 - Initial response from Google
  • 16.10.2015 - Full exploit sent to Google
  • 30.03.2016 - CVE assigned
  • 02.05.2016 - Issue patched and released in the Nexus public bulletin
As far as I know, this vulnerability has been present in all devices and all versions of QSEOS, until it was finally patched in 02.05.2016. This means that effectively up to that point, obtaining code-execution within QSEE was equivalent to having code-execution within the TrustZone kernel (i.e., fully controlling nearly every aspect of the device).

As there was no public research into QSEE up to that point, this issue wasn't discovered. Hopefully in the future further research into QSEE and TrustZone in general will help uncover similar issues and make the security boundary between QSEOS and QSEE stronger.

132 comments:

  1. great work as always laginimaineb...

    and could you explain a bit more please shellcode.S https://github.com/laginimaineb/cve-2016-2431/blob/master/jni/shellcode.S

    how can we supply it with normal shell commands like execv or chmod or setguid?

    thanx
    regards

    ReplyDelete
    Replies
    1. Hi Oğuzhan,

      Thank you for reading the post. As the the shellcode - it's executed in the TZ kernel, which isn't a POSIX OS, but rather a proprietary OS written by Qualcomm. This means you don't have any commands like "execv", etc. Instead, you can directly execute assembly code in the kernel.

      Just write the ARM assembly you want to execute under shellcode.S, run build_shellcode.sh, and execute the exploit with the generated payload.

      Delete
    2. Hi Laginimaineb

      Thanx for your reply

      for example 32 bit arm architecture simple hello world program:

      .global _start
      _start:
      MOV R7, #4
      MOV R0, #1
      MOV R2, #12
      LDR R1, =string
      SWI 0
      MOV R7, #1
      SWI 0
      .data
      string:
      .ascii "Hello Worldn"

      is there anything while we are adapting it into aarch64 architecture?

      and also the exploit only works on shamu right? how can we adapt to other devices? which parameters should be changed? i found only this device-spesific parameter/address https://github.com/laginimaineb/cve-2016-2431/blob/master/jni/symbols.h#L17

      thanx
      regards

      Delete
    3. Hi Oğuzhan,

      You're welcome!

      The code you posted would work when running an application *under the Linux Kernel*. In this case, we are executing shellcode directly in the TrustZone kernel - so no SWIs (because there are no syscalls to call - you're already in the kernel), also no public documentation available for whatever APIs are exposed in the TZ kernel.

      I did post some neat stuff you could do from that context, like reading/writing QFuses, and hijacking the "Normal World" OS (see previous posts). I'm going to upload another post soon about more interesting stuff you can do using the TZ kernel.

      As for the exploit - all the parameters that are device/version specific are under symbols.h (the file you linked). You'll have to follow the QSEE post closely to understand exactly which changes need to be made, but it's do-able :)

      Delete
  2. Hi laginimaineb. Sorry for spamming but I have decided to put my questions here as in most blog to be seen.
    The questions are:
    1) How did you define the values SECURE_APP_REGION_START, SECURE_APP_REGION_SIZE ? Are these value same for different families of the Qualcomm SoC's ?
    2) What is the memory management of the TZ kernel ? While scanning the secapp region, the trustlet is crushed, I suppose by the TZ kernel, in case if it tries to access not own memory region. What is the probability that TZ kernel will load the crashed trastlet in the same memory ?
    3) And stupid question... Does TZ kernel operate with the virtual addresses or with physical addresses through switching the modes by means of the special flags in the system register/s ?

    Thanks.

    ReplyDelete
    Replies
    1. No problem! Sorry if I missed your questions earlier.

      1. These values are constant per-device. They are also a part of the kernel dtb. In any case, you can find by looking the region by looking at dmesg when the device boots. You'll see something along the lines of:

      QSEECOM: qseecom_probe: qsee-ce-hw-instance=0x0QSEECOM: qseecom_probe: secure app region addr=0xd600000 size=0x500000

      2. That's a great question, but hard to answer. I've reversed some of the code responsible for loading applications in the secure region, but don't have a definitive answer... Sorry.

      3. The MMU is always present, so we're always working with virtual addresses. But - most TZ kernel contexts simply have a "flat" translation table - that is, every virtual address is mapped to the corresponding physical address. You could change the mappings and map in whatever you like, just like you would in a regular kernel.

      Delete
  3. It seems my last comment was lost. Strange.

    You replied "But - most TZ kernel contexts simply have a "flat" translation table - that is, every virtual address is mapped to the corresponding physical address."
    It was my doubt, thanks.
    Another interesting thing is to estimate the memory range allocation by the TZ kernel to find out whether the memory range from the secapp region will be reserved for the specific TA once it was run within a cycle from CPU's reset to reset. Another words, to find out whether the TZ kernel retains metadata to indentify the specific TA to load it in the predefined (where it was loaded at the first time) place. Run exploit at first time to find memory location. Modify the exploit so that to load another one TA after crashing the original TA and compare the result.
    ...and another bundle of questions of you don't mind
    1) When are the /persist/data/app_g/sfs/*.dat files decrypted ? Immediately after invoking the QSEE_sfs_open or before read/write operations ?
    2) Is it possible to load encrypted TA for security reason. Does Qualcomm's secure kernel support such feature ? It can be useful to prevent analyzing of the TA's. Did you ever face with the encrypted secure kernel which is decrypted on boot up by means of boot loader ? In my opinion it would decrease the number of 0-day vulnerabilities.
    3) I noticed that the data segment is used to allocate/deallocate the dynamic memory through the SVC directed to the TZ kernel. But how we can find the bottom of the stack and its size ? As I understand, it is possible to dump out whole current state of the TA if somehow read the data segment. Right ? Because she/he will dump the static and dynamic memory.
    4) The R9 register is used to point to the data segment and it is initialized by the sub_50() but I didn't find any reference to this function. When it is invoked and who it invokes ?

    ReplyDelete
    Replies
    1. For some reason blogger marked your comment as spam... I un-spammed it.

      About the allocation pattern - I'm pretty sure there's randomization involved. Booting the device up normally twice results in two different load addresses (deduced on an older MSM8974 device, on which I have TZ kernel code exec without going through QSEE).

      As for the questions:

      1. The SFS always remains encrypted on the flash, it's only decrypted on a per-block basis in QSEE's memory, never on-disk.

      2. This kind of model isn't used on QC devices, but you can find something rather similar in the Apple ecosystem. There's a Crypto Engine which has different GID keys accessible to each core, which are used to decrypt the firmware itself only on-chip. It might help, but one could argue that it's also doing some damage... On the one hand, it prevents researchers from looking for bugs. On the other hand, government agencies/people with access to the source code will be more likely to find bugs, since the code hasn't been audited by white-hats at all. Anyway, as far as I know, there's no support for such a feature.

      3. Once you have code-execution in QSEE, you can dump the whole data segment and, as you said, you'll get the full state of the application (stack, heap, globals).

      4. It's initialized by the TZ kernel when setting up the context for the QSEE application (before jumping in to the application's initialization function).

      Delete
    2. Thanks for the very informative reply!

      Delete
  4. Hi laginimaineb. What tz version did you disassemble ? I tried shamu-lmy48m and got such program header list:
    Program Headers:
    Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
    NULL 0x000000 0x00000000 0x00000000 0x00254 0x00000 0
    NULL 0x001000 0xfe840000 0xfe840000 0x01b48 0x02000 0x1000
    LOAD 0x003000 0x0fc86000 0x0fc86000 0x02000 0x03b98 RWE 0x1000
    LOAD 0x0050cc 0x0fc8d000 0x0fc8d000 0x3210c 0x3210c R E 0x100
    LOAD 0x037fcc 0xfe806000 0xfe806000 0x09fb0 0x09fb0 R E 0x1000
    LOAD 0x041f7c 0xfe810000 0xfe810000 0x08f58 0x08f58 R E 0x10000
    <...>
    Pay attention on the permission for the 3-rd program header. It contains code and has RWE permissions. Does it mean that this version of tz uses self-modified code ? Also it demands fixing the virtual address for 2-nd and 3-rd program headers.

    Can you also a bit explain the loading of the tz on boot up stage. For me, it should look like the boot loader parses the ELF header of the tz image, finds the entry point there and jumps at 0xfe810000. But I am confused with the vector table stored at 0xfe810000. Disassembler listing tells address of the symbol "start" is loaded in the secure vector base (VBAR)
    ldr r0, =start
    mcr p15, 0, r0, c12, c0,0

    but one of your blog (exploring-qualcomms-trustzone) claims that the address of the start symbol is loaded in the monitor vector base (MVBAR).
    What statement is correct ?

    Thanks.

    ReplyDelete
    Replies
    1. The segments that you pointed out refer to a special memory region which initially contains the TZ code, but only when the device is booting. Afterwards the TZ code isn't actually stored at that address but rather at the location of the special NULL segment you pointed out. I explained some of this in the very first TZ blog post, but in short you need to remove the dummy NULL segment from the ELF and relocate the third and fourth segments to their correct load address.

      Delete
    2. Oh and the MVBAR was a mistake in the older blog post, it's actually the secure MVBAR.

      Delete
    3. Hi laginimaineb,
      So in this scenario what is the correct address of third and four segment? How do I find it?

      I tried to give 0xfe840000 to the third segment with RWE permissions, 0xfe843c00 to the fourth segment and invalid address(0xfe890000) to Null segment . However, I see lot of un-referenced code. Could you please help me here?

      Delete
    4. Hi Karthik,

      When you change the load addresses does the binary load correctly in IDA? If so, which segment contains the unreferenced code? I would try and look for pointers to invalid memory locations in other segments and try and correlate those with the addresses in the incorrect segment.

      All the best,
      Gal.

      Delete
    5. Yes, it load correctly. Okay, I did that and it worked. Thank you

      Delete
  5. Did you ever try to change the pointer to the SMC handler from the monitor vector table from the secure world user mode context ? I mean whether is it possible to change the address space of the TZ kernel at address 0xfe80de28 (pointer to the smc handler) from the trustlet ?

    ReplyDelete
    Replies
    1. From what I recall by looking at the secure world user mode translation table, the only addresses there are mapped in are in the trustlet, so all the high TrustZone kernel addresses are in accessible. Also, you can map them in using qsee_register_xxx

      Delete
  6. Thanks for the information! Your posts are all really good!!
    I have a few doubts though.
    Can you make a post about how would it be possible to blow fuses and get keys from the qsee to then unlock the bootloader?
    Thanks :)

    ReplyDelete
    Replies
    1. Hi hytzname,

      Already done! You can check out the post about unlocking the Motorola bootloader.

      All the best,
      Gal.

      Delete
  7. "There are quite a few interesting things we can do solely from the context of the TrustZone kernel...To name a few:
    We could hijack any QSEE application directly, thus exposing all of it's internal secrets..."

    I guess this is not true...since in your next post (extracting qualcomm keys) you mention that one application cannot interact with another due to XPU constrains. Am i correct?

    Thanks once again for your excellent posts!

    ReplyDelete
    Replies
    1. Hi Chris,

      Thank you for reading!

      Trustlets can't interact with one another directly, but instead rely on the TrustZone kernel to do so. Therefore, as I wrote, the kernel can be used to hijack any trustlet. Read the next blog post in the series (breaking FDE) for more information.

      Gal.

      Delete
  8. I own an AT&T Galaxy S5 (MSM8974 SoC), so my bootloader is locked down tight. However, if we were to use this exploit to get full access to the TrustZone, wouldn't we be able to overwrite the public key use to verify firmware packages, and replace it with a key that has a publicly available private key? (Or better yet remove the verification step entirely, but that doesn't sound very possible).
    Let me know what your thoughts are, I'd be down to test anything you come up with! :)

    ReplyDelete
  9. How do i test on moto g4 play which command should i use

    ReplyDelete
  10. Access to computers and other control systems which might provide you with information about the way the world revolves around technology should be unlimited and total. All information should be free and accessible to all. That is why we at INTEGRATEDHACKS  have come come up with a team of highly motivated and dedicated hackers to help you get access to information you are being deprived of. Our services include and are not limited to hacking of social media accounts,email accounts, tracking of phones hacking of bank cards and many more.
     Have you ever been hacked? Need to recover your stolen account, Want to monitor your kids,spouse or partner, Change your school results track messages from an email or mobile number and many more, INTEGRATEDHACKS is the one for you. Hundreds of our clients have their phones, social media accounts, emails, servers, may bots and PCs hacked consistently and efficiently. Our professional hackers for hire team is highly qualified and can hack anything or device you desire without giving the target any form of notification which makes us one of the best.


     ★ Contact Us For Your Desired Hacking services via : integratedhacks@cyberservices.com and experience cyber hacking like never before.

    ReplyDelete
  11. 2016/01/android-privilege-escalation-to.html?showComment=1551712783247#c765619034436648644

    ReplyDelete
  12. Printer support Today in this world of technology, there are many companies which are booming up because of the software as well as hardware services which they offer. Browser Support This has become one of the leading forms of business as computers have entered every nook and corner in today’s world. The competition is also too high, that only those companies which excel in the service provided can survive.
    Garmin Connect Sign in
    Netgear Router Support Number
    Support for Quickbooks
    Pogo Game Support Number |
    garmin.com/express

    ReplyDelete
  13. We are the world best leading online newspaper portal. You all are the most welcome in our newspaper.If you want to get regular newslatter from our newspaper, please go home page business news and click the below subscribe button.

    World News :
    View FOX world news today for international news and videos from Europe, Asia, Africa, the Middle East and the Americas. Visit world news now for up-to-the-minute news, breaking news, video, audio and feature stories.

    Politics News :
    Politics at FOX has news, opinion and analysis of American and global politics Find news and video about elections, the White House, the U.N and much more. What You Need To Know About politics news today.

    Business News :
    The latest FOX Business News: breaking personal finance, company, View the latest business news for today about the world's top companies, and explore articles on global.

    Entertainment News :
    View entertainment news for today and videos for the latest movie, music, TV and celebrity headlines on worldfoxnews.com

    Technology News :
    Get the latest FOX technology news today : breaking news and analysis on computing, the web, blogs, games, gadgets, social media, broadband and more.

    Science News :
    Get the latest FOX science news latest and Environment News: breaking news, analysis and debate on science and nature in the UK and around the world.

    Health News :
    Get the latest FOX health news global: breaking health and medical news from the UK and around the world, with in-depth features on well-being and lifestyle.

    Daily Life :
    What You Need To Know About The daily life quotes? Get the latest lifestyle news with articles and videos on pets, parenting, fashion, beauty, food, travel, relationships and more on Fox news.

    ReplyDelete
  14. This is Very very nice article. Everyone should read. Thanks for sharing. Don't miss WORLD'S BEST TraindDrivingSimulatorFreeGames

    ReplyDelete
  15. Great post I would like to thank you for the efforts you have made in writing this interesting and knowledgeable article.

    www TrendMicro Bestbuypc
    webroot secureanywhere
    Norton com setup
    www mcafee activate
    avg product key

    ReplyDelete
  16. This is Very very nice article. Everyone should read. Thanks for sharing. Don't miss WORLD'S BEST CarGamesDownload

    ReplyDelete
  17. This is Very very nice article. Everyone should read. Thanks for sharing. Don't miss WORLD'S BEST Game

    ReplyDelete
  18. Great post I would like to thank you for the efforts you have made in writing this interesting and knowledgeable article.
    www trendmicro bestbuypc
    webroot safe
    avg product key
    www mcafee activate
    norton com/setup

    ReplyDelete
  19. AC Market APK is a free app that is dedicated to provide free cracked apps and games only for Android devices.
    https://acmarket.xyz/
    ac market
    AC Market APK
    ac market downloading
    ac market latest version

    ReplyDelete
  20. This is quite an extensive read. You've put a lot of work into crafting this. Your audience appreciates this.
    foxsportsgo.com/roku activate

    ReplyDelete
  21. PosLaju parcel tracker of the Malaysia & World. Add tracking number to track your PosLaju packages as well as obtain delivery status online.
    https://poslajutracking.xyz/
    poslaju tracking
    poslaju track and trace
    poslaju tracking number
    poslaju tracking express

    ReplyDelete
  22. This is one of the best bitcoin exchanger trusted platfrom where you can convert any cryptocurrency with paypal, moneygram, perfect money, bank account or any other account. This is best chance for you to get best services. Visit now for more details. https://www.bitcoinsxchanger.com

    ReplyDelete
  23. Vshare is a download manager which lets users download any app that is available in it.
    https://vshare.one
    https://www.vshare.one
    Vshare
    Vshare APK

    ReplyDelete
  24. You made such an interesting piece to read, giving every subject enlightenment for us to gain knowledge. Thanks for sharing the such information with us to read this... Where Is My Train

    ReplyDelete

  25. Thank you for sharing excellent information. Your website is so cool. I am impressed by the details that you have on this website. It reveals how nicely you understand this subject. Bookmarked this website page, will come back for extra articles. You, my friend, ROCK! I found simply the info I already searched everywhere and simply could not come across. What a great web site. Visit@: my sites :- office.com/setup »Norton.com/setup»McAfee.com/Activate

    ReplyDelete
  26. TutuApp iOS Free Download Latest Version 2019 Best Version Free! here And Also more...
    TutuApp
    TutuApp Download

    ReplyDelete
  27. I must say a nice article has been written by the author. Covering this topic in a single article was very difficult. The author has given very amazing facts and information on this interesting topic.
    Avast customer service

    ReplyDelete
  28. You could definitely see your skills in the article you write. The world hopes for even more passionate writers like you who aren’t afraid to say how they believe. All the time go after your heart.
    Dell c1760nw wireless setup

    ReplyDelete
  29. I really appreciate this wonderful post that you have provided for us. I assure this would be beneficial for most of the people.
    Dell update utility windows 10

    ReplyDelete
  30. This comment has been removed by the author.

    ReplyDelete
  31. If you are new user to sage 50 accounting software and looking for the sage 50 technical support.If yes than you have come to right place as we provide efficient technical support service to customers who show complete faith in us. With our efficient and highly qualified team ,we never disappoint our customers.You can reach us at 1844-871-6289 at any hour of the day. You can also visit our website at https://www.accountingadvice.co/ for the complete knowledge of the sage products and services.


    The Services we offered are following-

    Sage Support Phone Number

    Sage 50 Technical Support

    Sage Technical Support Phone Number

    Sage 100 support phone number

    Sage 100 contractor support

    Sage 50 live chat

    Sage Support Number

    Sage Customer Service Number

    Sage Support Phone Number

    ReplyDelete

  32. If you are new user to sage 50 accounting software and looking for the sage 50 technical support.If yes than you have come to right place as we provide efficient technical support service to customers who show complete faith in us. With our efficient and highly qualified team ,we never disappoint our customers.You can reach us at 1800-961-4623 at any hour of the day. You can also visit our website at https://www.helplinenumber.support/ for the complete knowledge of the sage products and services.

    The Services we offered are following-

    Sage 50 2019 has stopped working

    Sage 50 customer service number

    Sage 50 Technical support number

    Sage 100 Technical support phone number

    Sage 200c Tech support phone number

    Sage fixed assets support number

    Sage 50 customer service number

    Sage 50 support

    Sage 300 Tech Support Number

    ReplyDelete

  33. If you are new user to sage 50 accounting software and looking for the sage 50 technical support.If yes than you have come to right place as we provide efficient technical support service to customers who show complete faith in us. With our efficient and highly qualified team ,we never disappoint our customers.You can reach us at 1800-961-4623 at any hour of the day. You can also visit our website at https://www.helplinenumber.support/ for the complete knowledge of the sage products and services.

    The Services we offered are following-

    Sage 50 payroll support number

    Sage timeslips 2020

    Sage 50cloud hosting Support

    Sage 50 Technical Support Number United Kingdom

    Sage 50 Technical Support Ireland

    Sage 50 Technical Support South Africa

    Sage 50 Technical Support Phone Number Canada

    ReplyDelete

  34. If you are new user or exiting user of QuickBooks accounting software and looking for the QuickBooks technical support.If yes than you have come to right place as we provide efficient technical support service to customers who show complete faith in us. With our efficient and highly qualified team ,we never disappoint our customers.You can reach us at 1800-961-4623 at any hour of the day. You can also visit our website at https://www.quick.helplinenumber.support/ for the complete knowledge of the QuickBooks products and services.

    The Services we offered are following-

    QuickBooks Technical Support Phone Number
    QuickBooks Technical Support Number
    QuickBooks Tech Support Phone Number
    QuickBooks Tech Support Number
    QuickBooks Customer Support Phone Number
    QuickBooks Customer Support Number
    QuickBooks Desktop Support Number
    QuickBooks Enterprise Support Phone Number
    QuickBooks Premier Support Number
    QuickBooks Pro Support Phone Number
    QuickBooks Payroll Support Number
    QuickBooks Cloud Hosting Support Phone Number

    ReplyDelete
  35. The article has actually peaks my interest. I am going to bokmarks your web site and maintain checking for brand new information.
    Dell printers troubleshooting

    ReplyDelete




  36. Excellent Blog! I would like to thank for the efforts you have made in writing this post. I am hoping the same best work from you in the future as well. I wanted to thank you for this websites! Thanks for sharing. Great websites!

    https://apkfasak.com/


    https://apkmoto.com/


    ReplyDelete
  37. QuickBooks Support Phone Number has helped millions of QuickBooks Users all around the world. We have been recognized multiple times for our round the clock exceptional QuickBooks Support Services. Our QuickBooks Support Team comprises of highly skilled individuals who have went through extensive training regime and certifications. You can blindly trust the vast practical and theoretical knowledge of these QuickBooks ProAdvisors. QuickBooks works on a very intricate algorithm and follows a highly specific syntax. If the syntax is not followed, the Users might encounter errors on their screens. Sometimes, the third-party applications installed on computers start interfering with the QuickBooks processes which can put your business on a halt. We are pretty sure that no one wants to hamper their work efficiency and production due to an error or issue. That is where we come in, we are committed to provide high quality QuickBooks Tech Support Services round the clock.

    ReplyDelete
  38. QuickBooks Support Phone Number
    QuickBooks is one of the most sought-after financial accounting software in the marketplace. Due to its great variety of features, it has become extremely popular among its users. However, it can from time to time be plagued by certain technical hindrances. This where the QuickBooks Support Phone Number comes into play. Once you get in touch with the QuickBooks Support team, our expert technicians will provide you with the technical assistance that you require in order to get rid of whatever issues that might be bogging your system down.Apart from getting amazing quality services, you will get one single solution for all your critical problems through remote assistance. The certified professionals are best and well experienced and always available 24/7 to deliver services on-time or before time. So, if you want to contact the team then easily dial our toll-free number of QuickBooks customer support and get one stop solution for all your problems and build your business. Furthermore, we also provide technical assistance for QuickBooks Payroll Support in case you are in need of it.toll free number +1-888-422-3444.

    ReplyDelete
  39. If you need Quickbooks Proadvisor Support Phone Number then you can dial +1-833-781-7901​ for help and support. Our technical proadvisors always provides you the best help.

    ReplyDelete
  40. If we are working in an organization it is lots of situation that we have to go with. We must be adjustable to cope up with any kind of situation. We can call it as an illusion of control. Thank you for describing more on that here.Jogos 2019
    friv free online Games
    free online friv Games

    ReplyDelete
  41. For Quickbooks Pro Support Phone Number dial +1-800-901-6679 if you get instant solution. Our Quickbooks Pro technical support agents always provides you the suitable help.

    ReplyDelete
  42. We Provides Quickbooks For Mac Support Phone Number dial +1-800-901-6679 if you get instant solution for MAC. Our Quickbooks Mac technical support agents always provides you the suitable help.

    ReplyDelete
  43. Nice Article. We are authorised support partner in Quickbooks Payroll. If you required any help for Quickbooks Proadviser Support Phone Number 1-800-986-4591. if you are Expand your business to a new hike, with progressive approach. Seeking for the best accounting software? Then, get quickbooks installed in your system. The software proves to be more profitable to the business.

    ReplyDelete
  44. Nice Article. We are authorised support partner in Quickbooks Payroll. If you required any help for Quickbooks Support Phone Number 1-800-986-4591. if you are Expand your business to a new hike, with progressive approach. Seeking for the best accounting software? Then, get quickbooks installed in your system. The software proves to be more profitable to the business.

    ReplyDelete
  45. Nice Article. We are authorised support partner in Quickbooks Payroll. If you required any help for Quickbooks Support in USA 1-800-986-4591. if you are Expand your business to a new hike, with progressive approach. Seeking for the best accounting software? Then, get quickbooks installed in your system. The software proves to be more profitable to the business.

    ReplyDelete
  46. Nice Blog If you need Quickbooks Tech Support Phone Number then you can dial +1-800-986-4591 for help and support. Our technical support team always provides you the best technical help.

    ReplyDelete
  47. Thanks for the sharing such an useful information with me

    Website : Ask2bro

    ReplyDelete
  48. I found this post very amazing and knowledgeable. You have very smart mind, and your post seeks my attention. I have never seen such a post and I am very thankful and satisfied with this interesting post.
    How to reset netflix password

    ReplyDelete
  49. Doing this last step thoroughly can save you the trouble and expense of having to re-do all your printing again. Have a number of people review the leaflet design and text to ensure effectiveness and readability.
    top graphics training institute in delhi

    ReplyDelete
  50. It is a given fact that the data scientists are the ones who get higher paying jobs as compared to other engineers and people working on similar job profiles.
    data analyst training in delhi

    ReplyDelete
  51. Thank™ you for sharing excellent information. ✆ Your website is so cool. I am impressed by the details that you have on this website☞ It reveals how nicely you understand this subject. Bookmarked♠ this website page, will come back for extra articles. You, my friend, ROCK£ I found simply the info I already searched everywhere and simply could not come across. What a great website. Visit௹☞ Norton.com/setupoffice.com/setupTelstra supportPlumbers customer | office.com/setup.

    ReplyDelete
  52. Hello, I have browsed most of your posts. This post is probably where I got the most useful information for my research. Thanks for posting, we can see more on this. Are you aware of any other websites on this subject.
    Dell support assistant not responding

    ReplyDelete
  53. Thank for important information . I like your explanation of topic and ability to do work.I really found your post very interesting .
    Netflix Password Reset

    ReplyDelete

  54. It’s very easy to find out any matter on net as compared to textbooks, as I found this article at this site.
    How to connect brother hl-2270dw printer to wifi

    ReplyDelete
  55. When you are good to go to set up your organization, the most significant part is of the organization enrollment. For getting your organization enlisted, you need to pursue the approaches and techniques to frame the organization methodically. There are a couple of rules you ought to carefully stick to frame the organization.
    Private Limited Company Registration

    ReplyDelete
  56. This is the best platform which ever talk about the latest news and posts about the trending news like prizes in economics. You have described very well and really love your article.
    Reset Microsoft Account password

    ReplyDelete
  57. Thanks for the sharing this informative and interesting post with us, I really admire your post as its it's really very helpful.
    regards,
    factocert
    iso certification in iraq
    iso certification in jordan
    iso certification in lebanon
    iso certification in oman

    ReplyDelete
  58. It has been great to read this article it was quiet to be nice you every detail about the topic Thanks for sharing this article with us.
    Restore Computer

    ReplyDelete
  59. The article you have shared here very good. This is really interesting information for me. Thanks for sharing!
    regards
    iso certification in saudi arabia
    factocert

    ReplyDelete
  60. All the information given on your website is very accurate and true. Your website has a good ranking on Google. Thank you very much for giving this kind of information.
    We give a very 100% accurate prediction of the result of cricket match on our website. All our information, keeping in mind every little detail of every t20 match between the two teams. Cricket match prediction 100% sure . We are going to give 100% sure correct prediction of all MSL T20 matches and upcoming Bigbash League-- MSL T20 prediction --msl t20 predictor--MSL 2019 today match prediction--Cricket Betting Tips--today ball by ball win tips

    ReplyDelete
  61. I'm very thankful to you to give us this amazing information. I appreciate your intelligence and knowledge. And if you are not able to change the default password on Brother Printer then visit our website and solve this problem in no time by following the simple steps given by our printer experts.

    ReplyDelete
  62. Do you require HP printer setup for your mac operating system? Is your printer driver not suitable for macOS? Then visit the 123.hp.com/setup to get the software and driver for better functioning of your printer. You can also call our expert HP support team for services.

    ReplyDelete
  63. I take pleasure in introducing myself as an expert who could help you in the selection and activation of the best channels available. There are so many channels available today on television. There is every chance of you missing the best channel because of not being aware of it.

    visit my site : espn.com/activate

    ReplyDelete
  64. It is convenient to access Top Essay Writing from Online Essay Writer at some clicks on your personal computer from Best Writing Services.

    ReplyDelete
  65. It's not a tough job to install Kodak Verite 55 Plus Driver. If software CD is available with the package, insert it to the computer and start to extract the setup file to the required directory. Speak to our techies for more updates

    ReplyDelete
  66. Its really nice post.if you need any assistance on activating pbs channel on roku or if you have troubleshoot roku device please contact our toll-free number which is in our webpage pbs.org/activate

    ReplyDelete
  67. nice one.Thanks for the post .please visit @ tubi.tv/activate on roku please contact our technical support +1-844-525-1240 and resolve all your issues.

    ReplyDelete
  68. All our words are but crumbs that fall down from the feast of the mind. You should know the secret to express yourself through the words to be call as a Writer. I think I know that secret very well. Read my words in these blogs given below.

    My Words : pbs.org/activate | pbskids.org/activate

    ReplyDelete
  69. We support all types of HP printer troubleshooting and service. Just enter the model number of your printer in 123.hp.com/setup to identify the software and drivers your printer requires. Download and install it in your mac and 'Run' the file. The process is easy however if you have any doubts or queries regarding HP printers contact us.

    ReplyDelete

  70. I can learn a lot and could also be a reference
    I hope to read the next your article updates


    judi bola sbobet

    daftar sbobet

    ReplyDelete
  71. Bitdefender Login provides automatic upgradation and continuous protection to your device. It gives you all-round protection for your home, business and enterprises.
    Bitdefender login

    ReplyDelete
  72. Garmin is a leading champion of consumer and professional class products that integrates the cutting edge GPS technology. It offers an enormously wide range of products for aviation, automotive, marine, outdoor, fitness and sports activities. For eg. Satellite Navigation device, GPS based Wearable Devices, Cameras, Software Applications,




    Garmin Login

    ReplyDelete
  73. BT Mail integrates some of the most ingenious, resourceful and user friendly features to offer best in class, avant garde mailing service. Given below is a glimpse of some of it’s wonderful features:-

    BT Mail

    ReplyDelete
  74. My.avast.com extends it’s world class security and privacy without complicating your lives. This is made possible by simple and easy to use User Interface. It allows quick access to regularly used key features. Moreover, the homepage is customizable to suit your preferences. Consequently, it maintains an overall clean and uncluttered look for utmost convenience.

    my.avast.com

    ReplyDelete
  75. TomTom Home - Just Download and Install TomTom MyDrive Connect in order to do TomTom Update. Manage Your TomTom Devices Here
    .



    TomTom Home

    ReplyDelete
  76. Microsoft Office includes products for business, home, and enterprises. It offers various applications and services for example Word, Excel, Powerpoint, Access, Publisher, Outlook, etc. It is helpful in creating spreadsheets and presentations for both the Office and Home use. To use any product of Office, you need to install it on your device. Hence, for office.com/setup, follow the below-given guide.



    office.com/setup

    ReplyDelete
  77. Garmin Express is a comprehensive management console designed for the users of innovative Garmin devices. It is an intuitive one-stop application that facilitates hassle-free management and operations of state-of-the-art Garmin devices. It allows users to set up, register, manage and update all of their Garmin devices. Besides, it gives them the opportunity to personalize their device and unleash its full potential.


    Garmin Express

    ReplyDelete
  78. Camps.intuit.com is a customer account management portal for Quickbooks desktop. Therefore, with the help of this portal, you can manage your Quickbooks desktop account in one place. Hence, it is necessary to create an Intuit account to access any of Intuit’s products. Just after completing the Intuit login process, you can access Quickbooks.

    Camps.intuit.com

    ReplyDelete
  79. TurboTax Login - Sign in to Your MyTurboTax Account to Manage different Services like check the e-file, start, continue or amend a tax return and many more.



    turbotax login

    ReplyDelete
  80. Let us help you to execute canon.com/ijsetup. The device setup manual will have the necessary instructions. Switch on your printer to proceed to activate the network. If the wireless direct method is available, enable it to activate the connection automatically. Now update the software visiting the canon software download page. It’s time to use the toll-free number and speak to our techies for more guidance

    ReplyDelete
  81. It's not a tough job to start 123.hp.com/envy5055 setup. Select the model if you are expecting high-quality print outs. Wireless connection is best for good speed. Start your search to find if an auto wireless connect feature is available. If so you can enable it. It's the HP software and driver download page where you can find the software. Update it to carry on with the remaining step. Speak to our techies for assistance

    ReplyDelete
  82. If you are Kodak Verite 55 plus user and do not know how to update the software. Let us help you to execute the task. It’s the software download page you have to visit. The process is easy, navigate to the Kodak Verite 55 Plus Driver download page and provide the required data. For guidance speak to our techies right away

    ReplyDelete

  83. Jio Recharge MobileJio REchargeJio Recharge 399, Jio recharge 444, Jio REcharge 555, Jio Recharge 222

    ReplyDelete