diff --git a/x1/Makefile b/x1/Makefile
index 95abf93..df6af8b 100644
--- a/x1/Makefile
+++ b/x1/Makefile
@@ -7,7 +7,7 @@ all: return.bin mrc.bin c/main.bin
 
 .PHONY:
 clean:
-	@rm -f *.bin spray/*.bin c/*.bin
+	@rm -f *.bin spray/*.bin c/*.bin injector/*.bin injector/*.elf
 
 %.bin: %.S
 	@$(AS) $<
@@ -28,3 +28,14 @@ spray/main.bin:
 	@./extract.py -p a.out spray/bottom_reset.bin
 	@./append_nop.py spray/top.bin spray/bottom.bin spray/bottom_reset.bin spray/main.bin 112 113
 	@rm -f a.out
+
+injector/AppMain.bin:
+	@if [ "$(INJECTED_S)" = "" ]; then \
+		echo "Please specify INJECTED_S."; \
+		exit 1; \
+	fi
+	@$(AS) $(INJECTED_S) -o injector/injected.elf
+	@./extract.py -p injector/injected.elf injector/injected.bin
+	@$(AS) injector/disable_mmu.S -o injector/disable_mmu.elf
+	@./extract.py -p injector/disable_mmu.elf injector/disable_mmu.bin
+	@./injector/inject.py 0xf00000 0x700000 injector/disable_mmu.bin injector/injected.bin injector/AppMain.bin
diff --git a/x1/injector/disable_mmu.S b/x1/injector/disable_mmu.S
new file mode 100644
index 0000000..4ca82ad
--- /dev/null
+++ b/x1/injector/disable_mmu.S
@@ -0,0 +1,17 @@
+.text
+	.align 2
+	.global _start
+
+_start:
+	mov r9, #0
+	ldr r0, =0x67800000
+
+	mrc p15, 0, r10, c1, c0, 0
+	@bic r10, r10, #5 @ disable MMU and dcache
+	bic r10, r10, #1 @ disable MMU
+	@bic r10, r10, #4096 @ disable icache
+	mcr p15, 0, r10, c1, c0, 0 // write ctrl regs
+	#mcr p15, 0, r9, c7, c7, 0 // invalidate cache
+	#mcr p15, 0, r9, c8, c7, 0 // invalidate TLB
+	mov pc, r0
+
diff --git a/x1/injector/disable_mmu.elf b/x1/injector/disable_mmu.elf
new file mode 100644
index 0000000..e696f77
Binary files /dev/null and b/x1/injector/disable_mmu.elf differ
diff --git a/x1/injector/inject.py b/x1/injector/inject.py
new file mode 100755
index 0000000..7591b98
--- /dev/null
+++ b/x1/injector/inject.py
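Review bot: The new `injector/AppMain.bin` rule declares no prerequisites, so once the file exists make reports it up to date even after `injector/disable_mmu.S`, `injector/inject.py` or the file named by `INJECTED_S` change, and the image is only rebuilt after `make clean`. Listing the inputs, `injector/AppMain.bin: injector/disable_mmu.S injector/inject.py $(INJECTED_S)`, restores dependency tracking, and the empty-variable guard could then live at make level as `$(error Please specify INJECTED_S.)` under an `ifndef INJECTED_S` instead of a shell test that runs inside the recipe. The same commit adds `injector/disable_mmu.elf` and `injector/injected.elf`, which this rule regenerates and the updated `clean` deletes, so they appear to be build artifacts rather than sources and probably should not be tracked. The two literals `0xf00000 0x700000` on the inject.py line have no explanation here; a comment naming them as the `total` and `page_offset` arguments from inject.py's usage text would make the layout readable without opening the script.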
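Review bot: `mov r9, #0` at the top of `_start` is dead in the assembled output: r9 is only referenced by the two `#mcr ... c7` lines, and both are commented out, so either those invalidations are meant to be active or the `mov` should go. The file also mixes three comment markers (`@`, `//`, `#`); GNU as for ARM documents `@` as the comment character and `#` only at the start of a line, so the `//` comments presumably rely on the source being run through a C-preprocessing driver — if `$(AS)` is plain `as`, confirm they are really treated as comments. The branch target `ldr r0, =0x67800000` carries no explanation; a header comment such as `@ Clear bit 0 (MMU enable) of the c1 control register, then branch to the fixed address held in r0` would state the intent the existing inline comments only hint at.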
@@ -0,0 +1,34 @@
+#!/usr/bin/env python3
+
+import sys
+
+
+def main():
+    if len(sys.argv) < 6:
+        print(f"Usage: {sys.argv[0]} total page_offset disable_mmu.bin injected.bin out.bin")
+        sys.exit(1)
+
+    total, offset, dismmu, injected, out = sys.argv[1:6]
+    total = int(total, base=16 if total.startswith('0x') else 10)
+    offset = int(offset, base=16 if offset.startswith('0x') else 10)
+
+    if total % 4 != 0:
+        print(f'Total is not aligned', file=sys.stderr)
+        sys.exit(1)
+    elif offset % (1024 * 64) != 0:
+        print(f'Page offset is not aligned', file=sys.stderr)
+        sys.exit(1)
+
+    with open(dismmu, 'rb') as dmf, open(injected, 'rb') as injf, open(out, 'wb') as out:
+        nop = b'\x00\x00\xa0\xe1'
+        dm = dmf.read()
+        inj = injf.read()
+
+        out.write(dm)
+        out.write(nop * ((offset - len(dm)) // 4))
+        out.write(nop * ((1024 * 64 - len(inj)) // 4))
+        out.write(inj)
+        out.write(nop * ((total - offset - 1024 * 64) // 4))
+
+
+main()
diff --git a/x1/injector/injected.elf b/x1/injector/injected.elf
new file mode 100644
index 0000000..aab7ec5
Binary files /dev/null and b/x1/injector/injected.elf differ
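Review bot: The padding arithmetic inside the `with` block silently produces a malformed image when an input does not fit: `nop * ((offset - len(dm)) // 4)` is `b''` for a negative count, and the same holds for the 64 KiB slot (`1024 * 64 - len(inj)`) and the tail (`total - offset - 1024 * 64`), so an oversized `disable_mmu.bin` or `injected.bin`, or an `offset` too close to `total`, yields an output shorter than `total` with the injected blob at the wrong position and no error. Blob lengths that are not multiples of 4 are likewise floor-divided away, shifting everything written after them. The sizes should be validated before anything is written and the final length compared with `total`; the rewrite below does that, following the existing stderr-plus-`exit(1)` pattern for the new messages. Smaller points: `out` is rebound from the output path to the file object inside the `with`, the two alignment messages are f-strings without placeholders, the usage text goes to stdout while the errors go to stderr, `int(s, 0)` handles the `0x` prefix without the manual `base=` selection, and the bare `main()` call would conventionally sit under `if __name__ == "__main__":`.

```python
def main():
    # … unchanged: argument count check, total/offset parsing, alignment checks …
    page = 1024 * 64
    with open(dismmu, 'rb') as dmf, open(injected, 'rb') as injf:
        dm = dmf.read()
        inj = injf.read()

    # Reject layouts the padding arithmetic below cannot represent instead of
    # letting a negative repeat count collapse to b''.
    if len(dm) % 4 or len(inj) % 4:
        print('Input blobs must be 4-byte aligned', file=sys.stderr)
        sys.exit(1)
    if len(dm) > offset:
        print('disable_mmu.bin does not fit before page_offset', file=sys.stderr)
        sys.exit(1)
    if len(inj) > page:
        print('injected.bin does not fit in a 64 KiB page', file=sys.stderr)
        sys.exit(1)
    if offset + page > total:
        print('page_offset + 64 KiB exceeds total', file=sys.stderr)
        sys.exit(1)

    nop = b'\x00\x00\xa0\xe1'
    image = b''.join((
        dm,
        nop * ((offset - len(dm)) // 4),
        nop * ((page - len(inj)) // 4),
        inj,
        nop * ((total - offset - page) // 4),
    ))
    if len(image) != total:
        print(f'Internal error: built {len(image)} bytes, expected {total}', file=sys.stderr)
        sys.exit(1)
    with open(out, 'wb') as outf:
        outf.write(image)
```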