Tuesday, February 28, 2017

Exploiting Android S-Boot: Getting Arbitrary Code Exec in the Samsung Bootloader (1/2)


Nitay Artenstein (@nitayart) and Gilad Goldman (@gnull00)



Samsung's Secure Bootloader (S-Boot) for Android lies at the heart of Samsung's chain of trust concept. An attacker who compromises S-Boot could potentially load an untrusted kernel and system image, therefore bypassing most of the phone's security mechanisms.


This is a well-known attack vector: It's often used by the Android rooting and modding community, but our guess is that it's way more popular with law enforcement and government agencies.

All the more interesting, then, that S-Boot on contains several memory corruption bugs, one of which could be used to reach full code execution within the bootloader.

We can currently confirm the existence of the vulnerability only on Exynos chipsets. It seems universal to approximately 90% of the Samsung Exynos ROMs running on S5, S6 and S7. The very newest ROMs for S7 (February 2017) appear to include a fix for this bug, but we'll confirm this in a few days.

There's a lot of ground to cover, so we'll break up this write-up into two posts. In this post we'll focus on some S-Boot internals, then explore the bootloader's attack surface and get basic debugging capabilities. We'll end the post with the discovery of an especially interesting attack surface. In the next post we'll disclose the actual vulnerability and how we exploited it to get code execution in S-Boot.

We won't go into much detail on the basics of reversing S-Boot, such as how to load it into IDA or find the base address. Fernand Lone Sang (@_kamino_) is about to publish a great article exactly about that and I'll put a link for it here when it's out. If you need any help beyond that, just DM me and I'd be glad to give you a hand if I can.


Understanding S-Boot

The boot stages on Samsung phones

The Android boot process on Samsung begins with code running in the Boot ROM, which verifies the integrity of the next-stage bootloader using the OEM public key, known on Samsung devices as the Samsung Secure Boot Key (SSBK). It then loads two separate processes into memory: One is S-Boot itself, and the other is the TrustZone TEE (Trusted Execution Environment), running in the so-called "Secure world".

The two processes work in tandem. The TEE OS, which in the Exynos case is Trustonic (formerly MobiCore), is called from S-Boot to verify that images are properly signed before they're loaded or flashed. Therefore, a compromise in either S-Boot or the TEE will mean a potential compromise of the whole system.


S-Boot itself is divided in two: The first stage bootloader, BL1, is called from the Boot ROM and initializes the low-level system primitives. BL2, which BL1 jumps into after verifying its signature, is already a minimal OS on its own, complete with driver support for USB, display and I/O.

Since we were interested in finding a bug that will let us subvert the boot process, we decided to look for it as close to the actual kernel booting as possible. That's because we knew we'd already have an initialized system at our disposal, making further operations such as disk I/O - which we'll need to do to flash our custom image - rather trivial. So we decided to jump into BL2 and ignore BL1 at this stage (although we're sure it'll be fascinating to reverse it at a later stage).

At this stage we didn't have any debugging capabilities at all, just the sboot.bin blob that comes together with the standard Samsung Exynos image. So we opened the blob in IDA and honed in on BL2.



A typical function in BL2. Notice the quantity of strings

This was pretty easy: knowing that BL1 is mainly responsible for low-level initialization, while BL2 is almost a full-featured OS, we concluded that functions belonging to BL2 will be necessarily bigger and with more debug strings and references to other functions. Once we determined where BL2 was, we used some old reversing tricks to determine the base address of the image in memory.

From a high level, BL2 has several interesting responsibilities, including but not limited to:

  1. Booting the kernel


  2. Flashing a new firmware image

  3. Displaying a basic user interface during firmware updates


  4. Debugging (if we're lucky)


On bootloaders, the mechanism to load a new firmware image is usually the best attack surface to start with, since it involves direct input from the attacker as well as fairly complicated logic. So that's where we set our sights first.



Odin, the Samsung flashing client. A 90s era beauty

Into Odin

Anyone who's had any research experience with Samsung's Android phones knows Odin, the venerable but somewhat clumsy piece of software which flashes firmware ROMs to the device's storage.

On the device side, flashing new firmware involves first switching the phone to Download Mode, which is implemented in S-Boot, by pushing a three-key combination, then connecting it via USB to the host which is running the Odin client. The Odin client then sends the selected firmware image to an Odin server running on the device. You can't just flash any image, of course, and on locked Samsungs the bootloader will reject firmware that is not signed by Samsung.

Download mode. Locked bootloaders reject unsigned images

On the bootloader side, Odin utilizes a fairly comprehensive protocol in the bootloader to receive and transfer data over USB. So that's where we first concentrated our efforts.


If you want to follow along with our analysis, the ROM version we're using here is G930FXXU1APF2. That's a Samsung Galaxy S7. Go ahead and download it from Sam Mobile

The key function in the Odin handler code, which handles almost all of the Odin protocol, is process_packet (at address 0x8F00A0A4). And we're immediately faced with a bug as soon as we read the function:

The beginning of process_packet

As you can see, the Odin protocol looks at the packet ID and chooses the relevant branch of the code. Packet ID 0x65 tells Odin that we're about to do an operation related to a PIT file (PITs contain partitioning information, read more about them at this XDA thread).


When the code runs into ID 0x65, it can either read out the current PIT file to a buffer or write a new one to the special partition which holds the PIT data. If the second byte of the packet is 1, Odin goes ahead and copies the current PIT to a buffer which will then be transferred to the Odin client. The client needs this to determine whether the new firmware fits within the current partitioning scheme.

But where does the buffer to which the PIT is copied (
xfer_data.pit_buf) get initialized? Apparently, it only gets allocated in this case:


The allocated of pit_buf

Meaning you have to first send an initialization packet (ID 0x64) before the buffer gets allocated. If you don't, the buffer just points to 0. And if you try to copy the PIT before the buffer gets allocated, the code just goes ahead and tries to copy to 0: a classic null-pointer dereference.

This bug is similar to many other bugs that we found in Odin, in that it crashes the bootloader but is probably not exploitable. In this case, since we're on an ARM64 architecture, the address 0 is just not mapped and any attempt to copy to it results in instant panic. Things aren't so bad on ARM32 architectures, since the address 0 could contain the Exception Vector Table (EVT) which could be overwritten. The problem with this is that we still don't control what we write, since we don't control the PIT data.

But this bug does give us something else. What do we get on the screen when we trigger the bug and crash the bootloader?


Inside Upload Mode


Dumping Memory

A quick look at the code reveals that the bootloader exception handler prints the above output to screen, then enters something that's referred to as "Upload Mode". That's an interesting development: Upload Mode is a semi-secret bootloader mode that's been puzzling the modding community for years. Some users report getting it after especially bad kernel panics; others say that it comes up because of PMIC issues. Now we also know that we enter it during bootloader exceptions.

Looking at the code, we see that Upload Mode is implemented as an inline function in usbd3_rdx_process (at address 0x8F028C1C). We've edited and simplified the code a bit for clarity.


mode_switch = p_board_info->mode_switch;

if ( mode_switch & UPLOAD_MODE )
{
  if ( !transaction_data.response_buffer )
  {
    transaction_data.response_buffer = (char *)malloc(0x80000);

    if ( !transaction_data.response_buffer )
    {
      printf("%s: buffer allocation failed.\n", "usbd3_rdx_process");
      goto INFINITE_LOOP;
    }
  }
  if ( !strcmp(packet_buf, "PoWeRdOwN") )
  {
    goto POWERDOWN;
  }
  if ( !strcmp(packet_buf, "PrEaMbLe") )
  {
    memcpy(transaction_data.response_buffer, "AcKnOwLeDgMeNt", 15);
    goto SEND_RESPONSE;
  }
  if ( !strcmp(packet_buf, "PrObE") )
  {
    memcpy(transaction_data.response_buffer, log_location_buf, log_location_buf_size);
    goto SEND_RESPONSE;
  }
  ...
  dump_start_addr = strtol(packet_buf, NULL, 16);
  dump_end_addr = strtol(packet_buf + 9, NULL, 16);
  ...
  (some length checks)
  ...
  memcpy(transaction_data.response_buffer, dump_start_addr,   dump_end_addr - dump_start_addr);
  goto SEND_RESPONSE;



This is a fairly basic protocol to dump memory from the device. After sending a sequence of initialization packets, you simply send a dump start address and a dump end address, and you get back the dump over USB.


This is extremely useful for debugging and reversing purposes, since we can dump a memory image after a crash, look at the registers and the stack and generally get an idea of what's going on. We can, of course, also dump the full range of memory to aid us with reversing. We'll see that this ability will become useful in the second part of this write-up.

Since we haven't been able to find a public tool which dumps RAM over Upload Mode, we've written up one of our own. Feel free to experiment with it.



Fuzzing Odin

At this stage we went back into the Odin protocol, hopefully to find an exploitable bug. One of the things we automatically do when diving into new attack surfaces is to write raw, basic fuzzers as we go along to help find some easy wins.

This proved a bit harder to do with S-Boot, because it uses a proprietary protocol over CDC ACM (a form of serial) and it's pretty hard and frustrating to get to work with correctly. The small details are hard to get right: For instance, you have to send in an empty packet after every standard packet, some packets need to be 1024 bytes even if they only contain only 4 bytes of real data, etc. Writing a packet fuzzer from scratch was too slow for our time limits.

That's where Benjamin Dobell's awesome Heimdall comes in. Heimdall is an open-source implementation of the Odin client protocol which takes care of all the annoying bits of talking to the Odin bootloader code, so we used this as a basis for a basic fuzzer and just extended it a bit.


We've added a command line option called "fuzz", which just takes a bunch of raw packets that you can pre-generate with some Python code, then sends them to the device in sequence while taking care of the low-level details. You can get it here.

We got some interesting crashes in Odin using this approach, but none that seemed exploitable at first glance. We were about to go deeper into Odin when we decided that we want to spend some time on extending our debugging capabilities. And this is when we made an interesting discovery.



The UART Console

Searching through the binary, we found a set of suggestive string pointers at 0x8F08BD78:


The possible command list


These looked like pairs of command names and descriptions, possibly some kind of terminal interface left open for diagnostic purposes - quite a common find in other embedded projects that we've done, but not one that we expected here.

Assuming that there's some sort of serial interface which will enable us to connect to this terminal, we found out that members of XDA have already been here before.

It turns out that Samsung have been leaving a UART terminal open via the bootloader, through which they have exposed some low level commands for service and diagnostics. Some of these commands enable you to boot the kernel with special parameters, write or read from storage and trigger various USB modes.

However, since the original XDA publication in 2012, there have been no public reports of anyone getting input to these terminals, leaving many researchers to assume that this interface has been cut off. This was an assumption we wanted to test.

After some further reading, and especially based on Michael Ossmann and Kyle Osborn's Black Hat presentation from 2013, we realized that Samsung phones, as well as all of Google's Nexus phones, feature a multiplexer IC (MUIC) that is placed between the USB connector and the USB controller. By detecting the resistance between the ID and ground pins on the USB connector, the multiplexer switches different connection paths on the device.

Two such paths that are openly documented are normal USB and USB OTG. Another mode, which isn't mentioned in any public documentation, is UART.

The Samsung Anyway
We then set to work on getting a connection to this undocumented UART terminal. Our first port of call was the Samsung Anyway Jig, a device that Samsung is pretty secretive about. It's used by Samsung engineers and it's rather hard to get one, although they do show up on eBay every once in a while.

Apparently, the Anyway does nothing more than set several predefined resistance levels to the ID pin and breaks out the D+/D- lines to a DSUB connector which can then be connected to a PC via a serial-to-USB adapter.

Getting a used Anyway on eBay, we tested various combinations of switches to try and get the MUIC to switch to UART terminal mode. This did work on older Samsung phones, but we only succeeded with getting input - we got logs from the bootloader and kernel, but we didn't actually get a terminal.

At this stage we decided to build our own makeshift UART cable, similar to what Joshua Drake did with the Nexus 4 UART cable
We collected various scraps of data from XDA regarding ID pin resistor values and corresponding manufacturer’s modes. We also got some hints from the kernel DTS files. This is what we came up with:




Our makeshift jig


Since we wanted control over a range of resistances, we used a variable resistor which we would set to the desired value (measured using a multimeter) and connect to the S7.

Our jig is quite simple: an RS232-to-USB has its TX/RX lines connected to the D+/D- USB lines of the micro USB connector and the ID pin is connected to the ground pin via the variable resistor.

It turned out that the correct resistance value is 619K ohm. When set to that resistance, we'd get some output when booting up the device. But that still didn't seem to do the trick, since the output would go silent after a few lines - and we still couldn't get a terminal.


The initial UART output. Logs went silent after ifconn_com_to_open
Digging deeper to find the source of the problem, we had a look at the function we labeled get_initial_uart_str (0x8F006ECC). It appeared that the UART console was only started if this function returned non-null:

get_initial_uart_str
From this, and especially from LABEL_9, we can see that the bootloader is expecting a sequence of at least four carriage returns before it enters console mode.

The way was now clear: By mashing the 'enter' key on startup while the jig is connected, as well as pushing the volume down and power button at the same time, we managed to clear both the ifconn_com_to_open check and the terminal check.

And, finally, we got our reward:





As you can see, the console already exposes some pretty interesting commands. But we're keeping the real fun for our next post. 


87 comments:

  1. Very impressive work, well done! waiting for your next post :)

    ReplyDelete
  2. Nice work. We've been doing similar experiments with Samsung Wave some years ago. Regarding the upload mode, we've done also tool for that. It can be found in Samsung Wave forum on XDA somewhere around 2011. With the bootloader we had, there were some special addresses you could ask for in upload mode that had special meaning. Did you look for similar behavior?

    ReplyDelete
    Replies
    1. Hi. Yeah, Upload Mode puts the log and some other diagnostic data in special addresses, and there's a command which gives back an index of those addresses. My focus was on understanding the firmware and developing an exploit, so once I got the ability to read an arbitrary memory address I didn't dig deeper. But I probably should. I looked around XDA for your code and couldn't find it, mind posting a link here or sending it over to me by DM?

      Delete
    2. Hi can you link me to your post on xda

      Delete
  3. Kamino's article is here:
    http://blog.quarkslab.com/reverse-engineering-samsung-s6-sboot-part-i.html

    ReplyDelete
  4. Great work.
    I tried to downgrade my sboot (dd if=sboot5.1 of=/dev/block/sdb) and phone is completely dead, pc does not recognize any device, not even exynos7420 serial device (first time that happen)
    I build uart before i saw your article, but i got only some tabs or space when i connect phone.
    ALso tried with my friend S4 but, can't enter sbl, i see only log in terminal.
    Is any chance for reviving my device? Maybe uart does not work, i don't know does tx works...
    Do you first plug uart or press volum - and power on device?
    Thanks for your work and sorry for my questions :)

    ReplyDelete
    Replies
    1. google Sd_card method, you short a testpoint to a resistor next to the screen cable, you then power up using power button and it alternately boots the scard.

      Delete
    2. Not sure it is possible because s6 edge does not have sd card. Also can't find backup of working G925A (AT&T), asked on many forums, but no one answered....
      Are you sure it can be done, with usb-otg?
      Thanks for reply :)

      Delete
  5. This comment has been removed by a blog administrator.

    ReplyDelete
  6. This comment has been removed by a blog administrator.

    ReplyDelete
  7. This comment has been removed by a blog administrator.

    ReplyDelete
  8. This comment has been removed by a blog administrator.

    ReplyDelete
  9. Wow! it's looking awesome but also this is so careful activity. it needs perfect guide to do it. Thanks for sharing this amazing guide. Really It's an awesome blog.
    #Mobile App Development in California

    ReplyDelete
  10. Great! I wonder to know if the jig you made can be used with Samsung S5/S6?

    ReplyDelete
  11. This is great! When will part two come out?

    ReplyDelete
  12. Great approach,looking for part 2

    ReplyDelete
  13. I thought haven’t read such distinctive material anywhere else on-line.www.sosav.co.uk

    ReplyDelete
  14. This comment has been removed by the author.

    ReplyDelete
  15. for Sharing....do you have any idea about where get UFS Sector/size ? for ufs erase_normal and ufs erase_boot.... example ufs_erase normal 316928 512

    ReplyDelete
  16. When is number 2 coming? Id like to see what can be done inside aboot!

    ReplyDelete


  17. In the last few months we've seen a lot of Health Care Reform rules and regulations being introduced by the Health and Human Services Department. Every time that happens, the media gets hold of it and all kinds of articles are written in the Wall Street Journal, the New York Times, and the TV network news programs talk about it. All the analysts start talking about the pros and cons, and what it means to businesses and individuals. Health is God

    ReplyDelete
  18. Free Download Samsung Mobile USB Drivers For Windows XP / 7 / 8 / 8.1 / VISTA / MAC https://www.yluvm.com/2018/10/download-samsung-usb-drivers.html

    ReplyDelete
  19. HealRun is a health news blog we provide the latest news about health, Drugs and latest Diseases and conditions. We update our users with health tips and health products reviews. If you want to know any information about health or health product (Side Effects & Benefits) Feel Free To ask HealRun Support Team.

    ReplyDelete
  20. Supplements For Fitness People with preexisting health problems who take thermogenic drugs may experience severe reactions such as seizures, heart attack, coma and even death.

    ReplyDelete
  21. Pilpedia is supplying 100 percent original and accurate information at each moment of time around our site and merchandise, and the intent is to improve the usage of good and pure health supplement. For More Info please visit Pilpedia online store.

    ReplyDelete
  22. Vital Keto : Je m'attends à ce que ça vous aide. Je ne peux pas croire que nous avons oublié cela plus tôt, mais votre perte de poids ne fait pas vraiment cela pour vous.

    Visitez-nous : Vital Keto

    Vous pouvez également visiter : bit.ly/2QNfWny

    ReplyDelete

  23. Renewal Derm: As a matter of fact, let's start. It was a troublesome pill to swallow. I thought it was a Skin care enigma. For starters, it'd be sensible if you had Skin care as a result of Maybe this has additional than one meaning. I conjointly sent an e-mail touching on Skin care. Apprentice saved my ass this afternoon. That isn't a vital part. These are the vital things you must be doing with Skin care.

    https://beautysecretanswers.com/renewal-derm-skin/

    ReplyDelete
  24. Genodrive : It's all the Testosterone booster insight that you wish. Male Enhancement provides an abstract solution to the easy downside of Male Enhancement. This is the truth of things. You'll be able to go from novice to professional quick. It's the inside track on Testosterone booster. The Male Enhancement path you choose will have a robust impact. It's typically required on behalf of me to outline things just a touch.

    BUY NOW HERE : https://www.nutrifitweb.com/genodrive/

    Read More : https://www.smore.com/q9b6t-viralis-rx

    ReplyDelete
  25. Nulante Cream :I am inclined typically to believe this because it considerations Skin care because the last four and half years of my life have been filled with chaos. I was instructed by many totally different experienced folks earlier. Skin care offers delight to everyone.

    https://beautysecretanswers.com/nulante-cream/

    ReplyDelete


  26. Thermofight X
    Weight lose has been accuracy tested. In weight loss formula terms, this is seen as an isolated context and I am giving voice to what you all feel with reference to weight lose. There were a jillion weight lose. I'm hip deep in weight loss. You and you alone are responsible for the way that your fat burner operates. How can wizards get one's hands on painless fat burner steps? I imagine that is incorrect for fat burner and I'm not the kind of person to use gimmicks. Permit me to lay that on the line. That is how to deal with worrying in respect to weight lose. This is urgent.
    http://supplementsbook.org/thermofight-x/

    ReplyDelete
  27. The 619K value could have been easily found on FSA9480 datasheet :D
    https://media.digikey.com/pdf/Data%20Sheets/Fairchild%20PDFs/FSA9480.pdf

    ReplyDelete
  28. Healthy GNC - In usa is a wide variety of health,wellness and Male health performance products.which has include protein,male health performance and weight Loss management supplements.This product is really made to help improve your health, whether you are at the beginning of your fitness. Healthy GNC,gnc,weightloss,bodybuilding,vitamins,energy,fitness,strength,healthfulness, stamina, Wellness.
    For more info - http://www.healthygnc.com/

    ReplyDelete
  29. BrainFX is the best nootropics pills available in the United States to enhance focus, memory, and concentration. It’s Neuro Fuel FX formula is truly very beneficial to boost your cognitive health. It is a advanced brain pill made with 100% pure and natural ingredients to speed up your memory. Visit On http://www.powerenrich.com/brainfx-best-nootropics-pills-to-enhance-focus-memory-and-concentration/

    ReplyDelete
  30. Keto Buzz is a weight loss supplement known for providing its ketogenic diet and keeping body healthy and in perfect shape without doing many efforts. Keto Buzz is totally safe for the user and there is no such side effect in using the keto buzz. It has been made up of the natural ingredients so using this would not give you any adverse effect.
    Kindly Visit on Keto Buzz


    ReplyDelete
  31. Nutrisystem is a commercial weight loss diet that involves eating the company’s prepackaged and delivered meals and snacks, along with some produce you shop for yourself. By outsourcing meal-management chores, you won’t have to think about portion control, meal prep, or meal timing, but you may tire of heat-and-eat meals and smallish portions. Nutrisystem is also built around the glycemic index, a measure of how various carbs affect your blood sugar. Kindly Visit on Nutrisystem- Lose Weight Faster

    ReplyDelete
  32. Rhino RX Advanced Muscle boosterr statements to be a weight training complement. As the name suggests Rhino RX is a advanced level muscle boosting complement. The complement statements to help you develop the muscle tissue faster and enhance your durability than you would do yourself with its combination of components. It is stated by the company that this method exempt from any dangerous substances, filler injections or binders because of which you can have guarantee about what you are placing in your whole body system. Visit On http://www.theapexme.com/rhino-rx-advanced-muscle-booster-pills-for-increased-stamina/

    ReplyDelete
  33. I am thankful to Dumpspass4sure for being a source of information for me during preparation of Checkpoint exam. I downloaded Pass4sure Checkpoint dumps from this site and started my preparation without any delay. I could not have passed my exam without a proper material like Pass4sure Checkpoint pdf dumps.

    ReplyDelete
  34. Ultra-Fast Keto Boost contains BHB which is called beta-hydroxybutyrate in the medical terms. To make it easy for you BHB is what that takes your body to the ketosis state. You might have heard about ketones which are good for your system. BHB is what produces different types of ketones which function to promote weight loss. There is no other best remedy that you can go for if it is having BHB you have everything. Visit on http://www.theapexhealth.com/ultra-fast-keto-boost-reviews-1-weight-loss-pills/

    ReplyDelete
  35. Insta Keto may be a natural dieting supplement that is designed in such a means that you will be in a position to attain ketosis process. It elevates the metabolic rate within the body by promoting healthy ketosis to manage carbs conversion into fats and build it utilised as energy boosters for the body.

    https://insta-keto.org/

    ReplyDelete
  36. The most precise targeting and premium inventory comes at a price: you invest significant time and resources to reap the finest fruits from the ad campaign tree. With this knowledge, best practices and little hustle, media buying can be an exciting and worthwhile discipline that generates real sales and supports marketing efforts from the bottom up. Research indicated that, while e-tailers provided an entire gamut of product services and information, e-shoppers invariably had to leave the website or use manual means to track their purchases. We can even incorporate the time of day you would like your ads to run, whether you want to target certain days of the week or even certain hours of the day. Their team helped with concept branding, digital advertising, script writing, web redesign, email outreach, SEO work, and more. A media buyer purchases advertising space in print, outdoor, broadcast, and online outlets, such as magazines, billboards, radio stations, television stations, and websites. Company will keep its business account information updated.

    Our Business Services are not intended for distribution to or use in any country where such distribution or use would violate local law. Media buyers tend to work primarily in an office environment, since a substantial part of their job can be managed through telephone and online communications. Ultimately, programmatic has shifted the focus of advertising from a media-centric approach to a user-centric approach, which was missing in traditional advertising. Incorporating an SEO strategy into your media buying and planning activities helps your landing pages show up in search results, getting your messaging in front of your ideal audiences. Social Pulse Marketing balances short-term analytic gains with long-term brand goals in order to help you and your team succeed. In fact, the Group is best placed to buy such media as will solve the marketing communication problems of its clients. Social Media forms a core strategy of marketing plan for most brands. For this reason, a relatively new (first available in Wyoming in 1977 and other states in the 1990s) business structure, a limited liability company (LLC) , is available; this structure combines the pass-through taxation benefits of a partnership with the limited-liability benefits of a corporation.

    However, if you want to take advantage of the new Adobe Admin Console for easier licence management or you want your users to access cloud-based storage or services, then you'll want to deploy the creative apps to named users using either Adobe IDs or Enterprise IDs. The cotton buds manufacturing business can be started with an investment of Rs 20,000-Rs 40,000. The program provides a deeper trust for clients who place their brand investment in the hands of their agency representatives. Track your benchmarks on a weekly basis and use a combination of reporting tools (e.g., Google Analytics, Facebook, Sprout, SEMRush, RivalIQ, Moz etc.) to gain insights that allow you to continually prioritize your audiences, ad placements and media buying budget. Many of the logo designers there keep it really simple for a basic sale (add a company name to a template), but offer extra services that can add $100 or more to an order. After you've taken a dive into your campaign, the historical data collected will be key to pivot your strategy to reach your goals. https://www.reviewengin.com/5-simple-media-buying-lessons-to-boost-your-business/

    ReplyDelete
  37. This is a fabulous post I seen because of offer it. It is really what I expected to see trust in future you will continue in sharing such a mind boggling post game apk download

    ReplyDelete
  38. This comment has been removed by the author.

    ReplyDelete
  39. Wow, cool post. I'd like to write like this too - taking time and real hard work to make a great article... but I put things off too much and never seem to get started. Thanks though. zcode discount

    ReplyDelete
  40. Wow i can say that this is another great article as expected of this blog.Bookmarked this site.. armed security guard

    ReplyDelete
  41. Forex Master Levels Review

    In marketing , customer lifetime value (CLV or often CLTV), lifetime customer value (LCV), or life-time value (LTV) is a prediction of the net profit attributed to the entire future relationship with a customer. A: You can trade whenever the Scientific Trading Machine alerts you to a signal, no matter the time day or night. Most new forex traders will fall victim to one of three fatal mistakes. Nonetheless the foregoing, cati may give the axe this correspondence at any time with a scripted notice to tradeology xxx (30) days earlier such final result. The great component concerning the system is that Nicola Delic does not release a lots of systems and revenue simply from it. Rather, he is trading real cash as well as most of the cash money is originating from trading, not from selling products.

    Multi-asset web-based trading platform with the fastest in the industry financial charts and advanced technical analysis tools. Many forex traders favor technical analysis Technical Analysis - A Beginner's GuideTechnical analysis is a form of investment valuation that analyses past prices to predict future price action. The guru put in 20 hour days in order to keep up with his various tasks in Forex trading and training. The Odin Forex Robot uses advanced grid calculations to find the best trades on your forex charts automatically.

    Working with a broker that offers multiple outlets for customer service is highly recommended for beginning traders. While a lot of foreign exchange is done for practical purposes, the vast majority of currency conversion is undertaken with the aim of earning a profit. I never thought it was that special until other traders started freaking out about my results. If you have a forex trading strategy with clear rules on when to buy and sell, it can be programmed into an expert advisor. These are both proprietary indicators that overlay on your MetaTrader 4 platform and provide precise signals on Forex currency pairs that you can trade.

    As a trader, you explore various foreign exchange products, systems, and services. Because there is no central location, you can trade forex 24 hours a day. The fact is, during well trending markets majority of Forex traders trade profitably and comfortably, but once a trend is over all kinds of problems arise: trend-following systems no longer work, frequency of false entry signals increases bringing additional losses which eat up earlier accumulated profits. You decide how much of your account you are going to risk in a trade. https://www.reviewengin.com/infinite-profit-system-review/

    ReplyDelete
  42. Great survey. I'm sure you're getting a great response. yoga studio

    ReplyDelete
  43. I think I have never seen such blogs ever before that has complete things with all details which I want. So kindly update this ever for us. Auto Detailing in Oakland Area

    ReplyDelete
  44. We are tied directly into the sate’s renewal database which allows us to process your request almost instantly. buy essays St. Louis wedding photographer

    ReplyDelete
  45. Well we really like to visit this site, many useful information we can get here. Alcohol delivery London

    ReplyDelete
  46. Nice post. I had a problem with Galaxy S6. Its charging rate was very slow. On the forum, I found the solution that I needed to flash my phone. Further, there was a problem with finding the official firmware, I spent a long time searching for a source where I could download what I needed. So I want to recommend you a site with excellent firmness and a large selection of firmware. https://sfirmware.com

    ReplyDelete
  47. I think it could be more general if you get a football sports activity עורך דין ביטוח לאומי

    ReplyDelete
  48. I’ve read some good stuff here. Definitely worth bookmarking for revisiting. I surprise how much effort you put to create such a great informative website. Hex To Decimal

    ReplyDelete
  49. It should be noted that whilst ordering papers for sale at paper writing service, you can get unkind attitude. In case you feel that the bureau is trying to cheat you, don't buy term paper from it. garden clogs

    ReplyDelete
  50. I think this is an informative post and it is very useful and knowledgeable. therefore, I would like to thank you for the efforts you have made in writing this article. detective privado madrid

    ReplyDelete
  51. I just couldn't leave your website before telling you that I truly enjoyed the top quality info you present to your visitors? Will be back again frequently to check up on new posts.
    private investigators Madrid

    ReplyDelete
  52. Very informative post ! There is a lot of information here that can help any business get started with a successful social networking campaign ! https://etcher.download/

    ReplyDelete
  53. It is perfect time to make some plans for the future and it is time to be happy. I've read this post and if I could I desire to suggest you some interesting things or suggestions. Perhaps you could write next articles referring to this article. I want to read more things about it! outdoor blinds

    ReplyDelete
  54. I would like to thank you for the efforts you have made in writing this article. I am hoping the same best work from you in the future as well. In fact your creative writing abilities has inspired me to start my own Blog Engine blog now. Really the blogging is spreading its wings rapidly. Your write up is a fine example of it. cmc triggers

    ReplyDelete
  55. I would also motivate just about every person to save this web page for any favorite assistance to assist posted the appearance. Renoveringsarbeten

    ReplyDelete
  56. Check the IMEI of your device https://imei.guru/
    Free download Samsung firmware https://sfirmware.com/

    ReplyDelete
  57. Through this post, I know that your good knowledge in playing with all the pieces was very helpful. I notify that this is the first place where I find issues I've been searching for. You have a clever yet attractive way of writing. tutor

    ReplyDelete
  58. Somebody to split sboot.bin in parts

    ReplyDelete
  59. The value of your investment will fluctuate over time, and you may gain or lose money. Any screenshots, charts, or company trading symbols mentioned are provided for illustrative purposes only and should not be considered an offer to sell, a solicitation of an offer to buy, or a recommendation for the security.

    If you’re ready to buy a new product at an Apple Store, you can bring your old device with you. If it’s eligible for trade-in, we’ll apply an instant credit at the time of purchase. Whether you’re making a purchase or not, we’ve made it easy to trade in an eligible device either in a store or online. Just answer a few questions regarding the brand, model, and condition of your device. We’ll provide an estimated trade-in value or a simple way to recycle it.

    We’ll give you a prepaid trade-in kit or shipping label to send it off. We’ll either give you instant credit toward the purchase of a new product or send your device on to our recyclers. Based on what you tell us, we’ll offer you a competitive trade-in estimate for an Apple Gift Card or instant credit at an Apple Store.1 Or you’ll have the option to recycle it for free. Boston Globe Patriots beat reporter Ben Volin also mentioned the Patriots’ financial situation as a reason why he doesn’t see Jones ending up in New England. Tracking Currency Manipulation Currency manipulation is one way countries can shift patterns of trade in their favor. But currency intervention by U.S. trading partners leads to job losses in parts of the U.S. economy, which is one reason why the United States has run persistent trade deficits. If Atlanta cuts the seven-time Pro Bowler before June 1, it will have more than $40 million in dead money on the books for next season.

    $0.00 commission applies to online U.S. equity trades, exchange-traded funds and options (+ $ 0.65 per contract fee) in a Fidelity retail account only for Fidelity Brokerage Services LLC retail clients. Sell orders are subject to an activity assessment fee (from $0.01 to $0.03 per $1,000 of principal). There is an Options Regulatory Fee (from $0.03 to $0.05 per contract,) which applies to both option buy and sell transactions.

    Join our Trading Strategy Desk® coaches to help build your knowledge on technical analysis, options, Active Trader Pro®, and more. Delve into trading and learn new strategies with timely insights and guided education to help you get to your next level. "As we've stated since the season ended, we are committed to Aaron in 2021 and beyond," Gutekunst told Schefter in April. "Aaron has been a vital part of our success, and we look forward to competing for another championship with him leading our team." The GM used the team's first-round pick last offseason to draft the Rodgers' eventual replacement in Jordan Love. U.S. Trade Representative Katherine Tai on Monday told European officials she wanted to develop "a more positive and productive" trade relationship with Europe, despite disputes over aircraft subsidies and digital services taxes, USTR said. China Beige Book CEO Leland Miller discusses Chinese pressure on U.S. companies and the chip shortage in the auto industry. https://www.reviewengin.com/trade-command-center-review/

    ReplyDelete
  60. This is a great post.I am going to write on this topic based on your writing.
    Would you please come to my blog and give me some advice? We look forward to your feedback
    gk quiz
    amazon quiz
    current affairs quiz
    general knowledge quiz
    english stories
    bedtime stories
    short stories
    short english stories
    short bedtime stories
    english bedtime stories
    short bedtime english stories

    ReplyDelete
  61. Easily, the article is actually the best topic on this registry related issue. I fit in with your conclusions and will eagerly look forward to your next updates. Oxford Liquor Store

    ReplyDelete
  62. This is a wonderful article, Given so much info in it, These type of articles keeps the users interest in the website, and keep on sharing more ... good luck the best forex system

    ReplyDelete
  63. My dear readers around the globe, it is a great privilege to tell you about this great man who helped me overcome the tragedy in my relationship, and how his herbal medicine helped me too. My relationship became so complicated to a stage that I was scared of losing my wife to another, lasting long in bed was a problem and I knew deep down in my that my wife was not happy about it. Sometimes when I asked for sex the way she would act before the sex I noticed it was because I was not satisfying her, when she needed it more I hard already come and it was not the best. So I needed to find solution that was how I came in contact with DR Andrew  he really changed my sex life and ever since then life has been fun because my wife now love me more than she used to, all thanks to DR Andrew  for this great thing he did for me.. If you ever need help with any kind of sickness like DIABETES.. HERPES.. you can visit DR Andrew  for a solution (doctorandrew08@gmail.com)  or what's app  (+2348166219279)...

    ReplyDelete
  64. This was really one of my favorite website. Please keep on posting. Affordable Local SEO

    ReplyDelete
  65. This is an excellent post I seen thanks to share it. It is really what I wanted to see hope in future you will continue for sharing such a excellent post. empleo

    ReplyDelete
  66. Great job for publishing such a beneficial web site. Your web log isn’t only useful but it is additionally really creative too. Private detectives in Madrid

    ReplyDelete
  67. Hey There. I found your blog using msn. This is a very well written article. I’ll be sure to bookmark it and come back to read more of your useful info. Thanks for the post. I’ll definitely return. Tito's Distilled

    ReplyDelete
  68. I’ve been searching for some decent stuff on the subject and haven't had any luck up until this point, You just got a new biggest fan!.. medical malpractice attorney

    ReplyDelete
  69. I wanted to leave a little comment to support you and wish you a good continuation. Wishing you the best of luck for all your blogging efforts. Tito's Distilled

    ReplyDelete
  70. I feel very grateful that I read this. It is very helpful and very informative and I really learned a lot from it. Harvey Insurance

    ReplyDelete
  71. Amazing knowledge and I like to share this kind of information with my friends and hope they like it they why I do Construction Jobs

    ReplyDelete
  72. There’s no reason why grocery stores cannot excel online, so if you make it niche-based by offering organic foods and drinks, your business could be quite successful. Because of all these events happening collectively, U.S food delivery and ordering services are expecting a massive growth of 79% by 2022. Therefore, starting an ecommerce business that is delivering food door-to-door is a promising one. So if you’re more into curating than creating, these types of easy online business ideas would be a solid fit.
    Make allergy sufferers happy by dedicating your online grocery to their specific product needs. Appeal to as many people within your target market as you can. Get your health products in front of them when they’re feeling zen. Make your customers happy and send them any nice-smelling product, from eye masks to cacao nibs.
    Starting an electronic or smart devices business with reliable technology and a great idea is a solid plan, especially if you can offer something that your competitors don’t. Therefore, it’s a great business option to consider if you have the necessary skills to create your own standout pieces or a great eye for spotting them. If you have a flair for creativity, an eye for fashion, or even just a geeky love for something in particular—like funny slogan t-shirts—starting a fashion business is a great option. Or Celia B, a Spanish brand selling high-quality garments with colorful textiles and patterns inspired by cultures around the world. Fashion is a hyper-competitive industry but since there are so many niches and unique personal styles, there’s also plenty of ways to start your own clothing line. There’s one mistake some sellers of this product make, and that is plastic packaging.
    You can design and manufacture a brand new product to meet pet owners’ pain points or turn your culinary skills to making delicious pet treats. If you don’t want to create your own product, you can source a curated range of electronic materials from all over the world or look into selling refurbished items. I love how everyone answers the same question from a slightly different perspective. So if you’re considering a new niche, taking all of this advice will not only put you on a more profitable path, you’ll also be growing more easily. Most of the advice seems geared towards ranking in Google.
    https://www.reviewengin.com/10-ecommerce-business-ideas-2022/

    ReplyDelete
  73. It’s how search bots estimate exactly how well a website or web page can give the searcher what they’re searching for. Poor for developing awareness in comparison with other media channels. Searchers already have to be familiar with a brand or service to find it. However, it offers the opportunity for less well-known brands to ‘punch above their weight' and to develop awareness following clickthrough. Visitors are searching for particular products or services so will often have a high intent to purchase – they are qualified visitors.
    Writing a meta description tag that has no relation to the content on the page. Letting your internal search result pages be crawled by Google. Users dislike clicking a search engine result only to land on another search result page on your site. Basic technical knowledge will help you optimize your site for search engines and establish credibility with developers. If search engines literally can't find you, none of the rest of your work matters. This chapter shows you how their robots crawl the Internet to find your site and add it to their indexes. https://www.reviewengin.com/category/seo/

    ReplyDelete
  74. Just the way I have expected. Your website really is interesting. Leftie Wine

    ReplyDelete
  75. Hey thanks for sharing such a nice blog I was looking for Detektei and found your blog. Keep it up.

    ReplyDelete
  76. Awesome information! Such a wonderful reference! Thanks for all the hard work you have obviously put into this!
    Private Investigation Agency Malaysia

    ReplyDelete