diff --git a/lab5/src/lib/kernel/exception.c b/lab5/src/lib/kernel/exception.c
index 928ba84b9..3e5e6ad90 100644
--- a/lab5/src/lib/kernel/exception.c
+++ b/lab5/src/lib/kernel/exception.c
@@ -82,6 +82,7 @@ void irq_handler_c(trapframe_t *tf)
             schedule();
     }
 
+    // only do signal handler when return to user mode (0b0000)
     if ((tf->spsr_el1 & 0b1100) == 0) {
         check_signal(tf);
     }
@@ -147,15 +148,12 @@ void el0_sync_router(trapframe_t *tf)
         kill(tf, (int)tf->regs[0]);
         break;
     case 8:
-        // uart_printf("syscall_no: %d\n", syscall_no);
         signal_register(tf->regs[0], (void (*)())tf->regs[1]);
         break;
     case 9:
-        // uart_printf("syscall_no: %d\n", syscall_no);
         signal_kill(tf->regs[0], tf->regs[1]);
         break;
     case 50:
-        // uart_printf("syscall_no: %d\n", syscall_no);
         signal_return(tf);
         break;
     default:
@@ -188,6 +186,7 @@ void el0_irq_router(trapframe_t *tf)
             schedule();
     }
 
+    // only do signal handler when return to user mode (0b0000)
     if ((tf->spsr_el1 & 0b1100) == 0) {
         check_signal(tf);
     }
diff --git a/lab5/src/lib/kernel/sched.c b/lab5/src/lib/kernel/sched.c
index 68f8f4039..9c53b4f86 100644
--- a/lab5/src/lib/kernel/sched.c
+++ b/lab5/src/lib/kernel/sched.c
@@ -69,7 +69,7 @@ thread_t *thread_create(void *start, int priority)
     r->used = 1;
     r->ustack_ptr = (char *)kmalloc(USTACK_SIZE);
     r->kstack_ptr = (char *)kmalloc(KSTACK_SIZE);
-    r->cpu_context.lr = (unsigned long)start;
+    r->cpu_context.lr = (unsigned long)start; // current thread's return address
     r->cpu_context.sp = (unsigned long)(r->ustack_ptr + USTACK_SIZE);
     r->cpu_context.fp = (unsigned long)(r->ustack_ptr + USTACK_SIZE);
 
@@ -190,11 +190,13 @@ int exec_thread(char *data, unsigned int datasize)
 
 void run_user_process()
 {
-    asm("msr tpidr_el1, %0\n\t"
-        "msr elr_el1, %1\n\t"
-        "msr spsr_el1, xzr\n\t"
+    asm("msr tpidr_el1, %0\n\t" // Hold the "kernel(el1)" thread structure information
+        "msr elr_el1, %1\n\t"   // When el0 -> el1, store return address for el1 -> el0
+        "msr spsr_el1, xzr\n\t" // Enable interrupt in EL0 -> Used for thread scheduler
         "msr sp_el0, %2\n\t"
         "mov sp, %3\n\t"
         "eret\n\t" ::"r"(&current->cpu_context),
-        "r"((unsigned long)current->data), "r"(current->cpu_context.sp), "r"(current->kstack_ptr + KSTACK_SIZE));
+        "r"((unsigned long)current->data), "r"(current->cpu_context.sp),
+        "r"(current->kstack_ptr + KSTACK_SIZE)); // sp is reference for the same el process. For example, el2 cannot use
+                                                 // sp_el2, it has to use sp to find its own stack.
 }
\ No newline at end of file
diff --git a/lab5/src/lib/kernel/syscall.c b/lab5/src/lib/kernel/syscall.c
index a67580dc4..2f1a2527f 100644
--- a/lab5/src/lib/kernel/syscall.c
+++ b/lab5/src/lib/kernel/syscall.c
@@ -161,6 +161,7 @@ void signal_return(trapframe_t *tf)
 {
     unsigned long signal_ustack; // to get the start address of the user stack
     if (tf->sp_el0 % USTACK_SIZE != 0) {
+        // if the stack uses stack, return to the start of the stack
         signal_ustack = tf->sp_el0 - (tf->sp_el0 % USTACK_SIZE);
     }
     else {
diff --git a/lab6/.gitignore b/lab6/.gitignore
new file mode 100644
index 000000000..d558147b0
--- /dev/null
+++ b/lab6/.gitignore
@@ -0,0 +1,3 @@
+.vscode
+build/
+img/
\ No newline at end of file
diff --git a/lab6/Makefile b/lab6/Makefile
new file mode 100644
index 000000000..b64a14140
--- /dev/null
+++ b/lab6/Makefile
@@ -0,0 +1,57 @@
+CC = aarch64-linux-gnu
+CFLAGS = -Wall -nostdlib -nostartfiles -ffreestanding -Iinclude -mgeneral-regs-only
+
+SRC_DIR = src
+INCLUDE_DIR = include
+KERNEL_DIR = kernel
+LIB_DIR = lib
+BOOT_DIR = bootloader
+BUILD_DIR = build
+IMG_DIR = img
+
+OBJECTS = $(patsubst $(SRC_DIR)/%.c, $(BUILD_DIR)/%.o, $(wildcard $(SRC_DIR)/*.c))
+OBJECTS += $(patsubst $(SRC_DIR)/%.S, $(BUILD_DIR)/%_s.o, $(wildcard $(SRC_DIR)/*.S))
+
+HEADERS = $(wildcard $(INCLUDE_DIR)/*.h)
+
+ELF_NAME = kernel8.elf
+IMG_NAME = kernel8.img
+BOOT_ELF_NAME = bootloader.elf
+BOOT_IMG_NAME = bootloader.img
+CPIO_FILE = initramfs.cpio
+
+all: clean $(OBJECTS) $(HEADERS)
+	$(CC)-ld -T $(SRC_DIR)/linker.ld -o $(BUILD_DIR)/$(ELF_NAME) $(OBJECTS)
+	$(CC)-objcopy -O binary $(BUILD_DIR)/$(ELF_NAME) $(IMG_DIR)/$(IMG_NAME)
+
+$(BUILD_DIR)/%.o: $(SRC_DIR)/%.c
+	@mkdir -p $(BUILD_DIR)
+	@mkdir -p $(IMG_DIR)
+	$(CC)-gcc $(CFLAGS) -c $< -o $@
+
+$(BUILD_DIR)/%_s.o: $(SRC_DIR)/%.S
+	$(CC)-gcc $(CFLAGS) -c $< -o $@
+
+clean:
+	rm -rf $(BUILD_DIR) $(IMG_DIR)
+
+dump:
+	qemu-system-aarch64 -M raspi3b -kernel $(IMG_DIR)/$(IMG_NAME) -initrd $(CPIO_FILE) -display none -d in_asm -dtb bcm2710-rpi-3-b-plus.dtb
+
+run: all
+	qemu-system-aarch64 -M raspi3b -kernel $(IMG_DIR)/$(IMG_NAME) -initrd $(CPIO_FILE) -display none -serial null -serial stdio -s -dtb bcm2710-rpi-3-b-plus.dtb
+
+tty:
+	qemu-system-aarch64 -M raspi3b -kernel $(IMG_DIR)/$(BOOT_IMG_NAME) -initrd $(CPIO_FILE) -display none -serial null -serial pty
+
+upload:
+	sudo python3 upload.py
+
+cpio:
+	cd rootfs && find . | cpio -o -H newc > ../$(CPIO_FILE)
+
+screen:
+	sudo screen /dev/ttyUSB0 115200
+
+userprog:
+	cd user_program && make clean && make
diff --git a/lab6/bcm2710-rpi-3-b-plus.dtb b/lab6/bcm2710-rpi-3-b-plus.dtb
new file mode 100644
index 000000000..38395a23f
Binary files /dev/null and b/lab6/bcm2710-rpi-3-b-plus.dtb differ
diff --git a/lab6/bootloader/bcm2710-rpi-3-b-plus.dtb b/lab6/bootloader/bcm2710-rpi-3-b-plus.dtb
new file mode 100644
index 000000000..38395a23f
Binary files /dev/null and b/lab6/bootloader/bcm2710-rpi-3-b-plus.dtb differ
diff --git a/lab6/bootloader/bootloader.img b/lab6/bootloader/bootloader.img
new file mode 100755
index 000000000..714047f83
Binary files /dev/null and b/lab6/bootloader/bootloader.img differ
diff --git a/lab6/bootloader/config.txt b/lab6/bootloader/config.txt
new file mode 100644
index 000000000..15654a481
--- /dev/null
+++ b/lab6/bootloader/config.txt
@@ -0,0 +1,3 @@
+kernel=bootloader.img
+arm_64bit=1
+initramfs initramfs.cpio 0x8000000
diff --git a/lab6/bootloader/include/bcm2837/rpi_base.h b/lab6/bootloader/include/bcm2837/rpi_base.h
new file mode 100644
index 000000000..e3259e8de
--- /dev/null
+++ b/lab6/bootloader/include/bcm2837/rpi_base.h
@@ -0,0 +1,6 @@
+#ifndef	_RPI_BASE_H_
+#define	_RPI_BASE_H_
+
+#define PERIPHERAL_BASE 0x3F000000
+
+#endif  /*_RPI_BASE_H_ */
diff --git a/lab6/bootloader/include/bcm2837/rpi_gpio.h b/lab6/bootloader/include/bcm2837/rpi_gpio.h
new file mode 100644
index 000000000..e5133708a
--- /dev/null
+++ b/lab6/bootloader/include/bcm2837/rpi_gpio.h
@@ -0,0 +1,25 @@
+#ifndef _RPI_GPIO_H_
+#define _RPI_GPIO_H_
+
+#include "bcm2837/rpi_base.h"
+
+#define GPFSEL0         ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200000))
+#define GPFSEL1         ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200004))
+#define GPFSEL2         ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200008))
+#define GPFSEL3         ((volatile unsigned int*)(PERIPHERAL_BASE+0x0020000C))
+#define GPFSEL4         ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200010))
+#define GPFSEL5         ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200014))
+#define GPSET0          ((volatile unsigned int*)(PERIPHERAL_BASE+0x0020001C))
+#define GPSET1          ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200020))
+#define GPCLR0          ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200028))
+#define GPLEV0          ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200034))
+#define GPLEV1          ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200038))
+#define GPEDS0          ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200040))
+#define GPEDS1          ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200044))
+#define GPHEN0          ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200064))
+#define GPHEN1          ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200068))
+#define GPPUD           ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200094))
+#define GPPUDCLK0       ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200098))
+#define GPPUDCLK1       ((volatile unsigned int*)(PERIPHERAL_BASE+0x0020009C))
+
+#endif /*_RPI_GPIO_H_*/
diff --git a/lab6/bootloader/include/bcm2837/rpi_uart1.h b/lab6/bootloader/include/bcm2837/rpi_uart1.h
new file mode 100644
index 000000000..959130656
--- /dev/null
+++ b/lab6/bootloader/include/bcm2837/rpi_uart1.h
@@ -0,0 +1,19 @@
+#ifndef	_RPI_UART1_H_
+#define	_RPI_UART1_H_
+
+#include "bcm2837/rpi_base.h"
+
+#define AUX_ENABLES     ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215004))
+#define AUX_MU_IO_REG   ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215040))
+#define AUX_MU_IER_REG  ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215044))
+#define AUX_MU_IIR_REG  ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215048))
+#define AUX_MU_LCR_REG  ((volatile unsigned int*)(PERIPHERAL_BASE+0x0021504C))
+#define AUX_MU_MCR_REG  ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215050))
+#define AUX_MU_LSR_REG  ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215054))
+#define AUX_MU_MSR_REG  ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215058))
+#define AUX_MU_SCRATCH  ((volatile unsigned int*)(PERIPHERAL_BASE+0x0021505C))
+#define AUX_MU_CNTL_REG ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215060))
+#define AUX_MU_STAT_REG ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215064))
+#define AUX_MU_BAUD_REG ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215068))
+
+#endif  /*_RPI_UART1_H_ */
diff --git a/lab6/bootloader/include/power.h b/lab6/bootloader/include/power.h
new file mode 100644
index 000000000..baf990974
--- /dev/null
+++ b/lab6/bootloader/include/power.h
@@ -0,0 +1,8 @@
+#ifndef	_POWER_H_
+#define	_POWER_H_
+
+#define PM_PASSWORD 0x5a000000
+#define PM_RSTC     0x3F10001c
+#define PM_WDOG     0x3F100024
+
+#endif /*_POWER_H_*/
diff --git a/lab6/bootloader/include/shell.h b/lab6/bootloader/include/shell.h
new file mode 100644
index 000000000..702f5eb14
--- /dev/null
+++ b/lab6/bootloader/include/shell.h
@@ -0,0 +1,23 @@
+#ifndef _SHELL_H_
+#define _SHELL_H_
+
+#define CLI_MAX_CMD 3
+#define CMD_MAX_LEN 32
+#define MSG_MAX_LEN 128
+
+typedef struct CLI_CMDS
+{
+    char command[CMD_MAX_LEN];
+    char help[MSG_MAX_LEN];
+} CLI_CMDS;
+
+void cli_cmd_clear(char*, int);
+void cli_cmd_read(char*);
+void cli_cmd_exec(char*);
+void cli_print_banner();
+
+void do_cmd_help();
+void do_cmd_loadimg();
+void do_cmd_reboot();
+
+#endif /* _SHELL_H_ */
diff --git a/lab6/bootloader/include/uart1.h b/lab6/bootloader/include/uart1.h
new file mode 100644
index 000000000..329d25c81
--- /dev/null
+++ b/lab6/bootloader/include/uart1.h
@@ -0,0 +1,11 @@
+#ifndef	_UART1_H_
+#define	_UART1_H_
+
+void uart_init();
+char uart_getc();
+char uart_recv();
+void uart_send(unsigned int c);
+int  uart_puts(char* fmt, ...);
+void uart_2hex(unsigned int d);
+
+#endif /*_UART1_H_*/
diff --git a/lab6/bootloader/include/utils.h b/lab6/bootloader/include/utils.h
new file mode 100644
index 000000000..e65ece675
--- /dev/null
+++ b/lab6/bootloader/include/utils.h
@@ -0,0 +1,11 @@
+#ifndef _UTILS_H_
+#define _UTILS_H_
+
+#define VSPRINT_MAX_BUF_SIZE 128
+
+unsigned int sprintf(char *dst, char* fmt, ...);
+unsigned int vsprintf(char *dst,char* fmt, __builtin_va_list args);
+
+int  strcmp(const char*, const char*);
+
+#endif /* _UTILS_H_ */
diff --git a/lab6/bootloader/makefile b/lab6/bootloader/makefile
new file mode 100644
index 000000000..b81bad692
--- /dev/null
+++ b/lab6/bootloader/makefile
@@ -0,0 +1,42 @@
+ARMGNU ?= aarch64-linux-gnu
+
+CFLAGS = -Wall -nostdlib -nostartfiles -ffreestanding -Iinclude -mgeneral-regs-only
+ASMFLAGS = -Iinclude
+
+BUILD_DIR = build
+SRC_DIR = src
+#---------------------------------------------------------------------------------------
+
+C_FILES = $(wildcard $(SRC_DIR)/*.c)
+ASM_FILES = $(wildcard $(SRC_DIR)/*.S)
+OBJ_FILES = $(C_FILES:$(SRC_DIR)/%.c=$(BUILD_DIR)/%_c.o)
+OBJ_FILES += $(ASM_FILES:$(SRC_DIR)/%.S=$(BUILD_DIR)/%_s.o)
+
+DEP_FILES = $(OBJ_FILES:%.o=%.d)
+-include $(DEP_FILES)
+
+$(BUILD_DIR)/%_c.o: $(SRC_DIR)/%.c
+	@mkdir -p $(@D)
+	$(ARMGNU)-gcc $(CFLAGS) -MMD -c $< -o $@
+
+$(BUILD_DIR)/%_s.o: $(SRC_DIR)/%.S
+	$(ARMGNU)-gcc $(ASMFLAGS) -MMD -c $< -o $@
+
+bootloader.img: $(SRC_DIR)/link.ld $(OBJ_FILES)
+	$(ARMGNU)-ld -T $(SRC_DIR)/link.ld -o $(BUILD_DIR)/bootloader.elf  $(OBJ_FILES)
+	$(ARMGNU)-objcopy $(BUILD_DIR)/bootloader.elf -O binary bootloader.img
+
+all: bootloader.img
+
+clean:
+	rm -rf $(BUILD_DIR) *.img
+
+run_std:
+	qemu-system-aarch64 -M raspi3b -kernel bootloader.img -serial null -serial stdio -initrd initramfs.cpio -dtb bcm2710-rpi-3-b-plus.dtb
+
+run_pty:
+	qemu-system-aarch64 -M raspi3b -kernel bootloader.img -serial null -serial pty -initrd initramfs.cpio -dtb bcm2710-rpi-3-b-plus.dtb
+
+debug:
+	qemu-system-aarch64 -M raspi3b -kernel bootloader.img -display none -S -s
+
diff --git a/lab6/bootloader/src/boot.S b/lab6/bootloader/src/boot.S
new file mode 100644
index 000000000..c872f56a7
--- /dev/null
+++ b/lab6/bootloader/src/boot.S
@@ -0,0 +1,52 @@
+/* ARMv8 Assembly Instruction */
+/**
+
+mov x0, x1
+    sets: x0 = x1
+ldr x0, <addr>
+    load 32bits from <addr> to x0
+ldr w0, <addr>
+    load 64bits from <addr> to w0
+cbz x0, <label>
+    if x0 == 0, jump to <label>
+cbnz x0, <label>
+    if x0 != 0, jump to <label>
+str x0 [x1] #8
+    store x0 in addr<x1> then x1=x1+8
+b   <label>
+    jump to <label>
+bl  <label>
+    jump to <label> and copies bl's next instruction into link register
+wfe
+    Wait for event, core in low-power state (power on, clk off)
+
+**/
+
+// x0 is used for dtb physical address
+.section ".text.boot"
+
+.global _start
+
+_start:
+setup_stack:
+    ldr     x1, =_stack_top
+    mov     sp, x1
+
+setup_bss:
+    ldr     x1, =_bss_top
+    ldr     w2, =_bss_size
+
+init_bss:
+    cbz     w2, run_main
+    str     xzr, [x1], #8
+    sub     w2, w2, #1
+    cbnz    w2, init_bss
+
+run_main:
+    ldr     x1, =_dtb
+    str     x0, [x1], #8
+    bl      main
+
+proc_hang:
+    wfe
+    b       proc_hang
diff --git a/lab6/bootloader/src/link.ld b/lab6/bootloader/src/link.ld
new file mode 100644
index 000000000..a5a05ddaa
--- /dev/null
+++ b/lab6/bootloader/src/link.ld
@@ -0,0 +1,30 @@
+_heap_stack_size = 1M;  
+# heap_size 0x100000
+
+SECTIONS
+{
+    . = 0x80000;
+    _start = .;
+    .text : { *(.text.boot) *(.text) }
+    .rodata : { *(.rodata) }
+    .data : { *(.data) }
+    .bss : {
+        _bss_top = .;
+        *(.bss) 
+    }
+    _bss_size = SIZEOF(.bss) >> 3;
+    .heap : {
+        . = ALIGN(8);
+        _heap_top = .;
+    } 
+    . = . + _heap_stack_size;
+    .stack : {
+        . = ALIGN(8);
+        _stack_top = .;
+    }
+    _end = .;
+
+    . = 0x3000000;
+    _bootloader_relocated_addr = 0x3000000;
+}
+__code_size = (_end - _start);
diff --git a/lab6/bootloader/src/main.c b/lab6/bootloader/src/main.c
new file mode 100644
index 000000000..9681dcd7b
--- /dev/null
+++ b/lab6/bootloader/src/main.c
@@ -0,0 +1,46 @@
+#include "shell.h"
+#include "uart1.h"
+
+extern char *_bootloader_relocated_addr;
+extern unsigned long long __code_size;
+extern unsigned long long _start;
+char *_dtb;
+
+int relocated_flag = 1;
+
+/* Copies codeblock from _start to addr */
+void code_relocate(char *addr)
+{
+    unsigned long long size = (unsigned long long)&__code_size;
+    char *start = (char *)&_start;
+    for (unsigned long long i = 0; i < size; i++) {
+        addr[i] = start[i];
+    }
+
+    ((void (*)(char *))addr)(_dtb);
+}
+
+/* x0-x7 are argument registers.
+   x0 is now used for dtb */
+void main(char *arg)
+{
+    _dtb = arg;
+    char *relocated_ptr = (char *)&_bootloader_relocated_addr;
+
+    /* Relocate once only */
+    if (relocated_flag) {
+        relocated_flag = 0;
+        code_relocate(relocated_ptr);
+    }
+
+    char input_buffer[CMD_MAX_LEN];
+
+    uart_init();
+
+    while (1) {
+        cli_cmd_clear(input_buffer, CMD_MAX_LEN);
+        uart_puts("# ");
+        cli_cmd_read(input_buffer);
+        cli_cmd_exec(input_buffer);
+    }
+}
diff --git a/lab6/bootloader/src/shell.c b/lab6/bootloader/src/shell.c
new file mode 100644
index 000000000..b962e444c
--- /dev/null
+++ b/lab6/bootloader/src/shell.c
@@ -0,0 +1,101 @@
+#include "shell.h"
+#include "power.h"
+#include "uart1.h"
+#include "utils.h"
+
+#define SHIFT_ADDR 0x100000
+
+extern char *_dtb;
+extern char _start[];
+
+struct CLI_CMDS cmd_list[CLI_MAX_CMD] = {{.command = "load", .help = "load image via uart1"},
+                                         {.command = "help", .help = "print all available commands"},
+                                         {.command = "reboot", .help = "reboot the device"}};
+
+void cli_cmd_clear(char *buffer, int length)
+{
+    for (int i = 0; i < length; i++) {
+        buffer[i] = '\0';
+    }
+};
+
+void cli_cmd_read(char *buffer)
+{
+    char c = '\0';
+    int idx = 0;
+    while (1) {
+        if (idx >= CMD_MAX_LEN)
+            break;
+
+        c = uart_recv();
+        if (c == '\n') {
+            uart_puts("\r\n");
+            break;
+        }
+        if (c > 16 && c < 32)
+            continue;
+        if (c > 127)
+            continue;
+        buffer[idx++] = c;
+        uart_send(c);
+    }
+}
+
+void cli_cmd_exec(char *buffer)
+{
+    if (strcmp(buffer, "load") == 0) {
+        do_cmd_loadimg();
+    }
+    else if (strcmp(buffer, "help") == 0) {
+        do_cmd_help();
+    }
+    else if (strcmp(buffer, "reboot") == 0) {
+        do_cmd_reboot();
+    }
+    else if (*buffer) {
+        uart_puts(buffer);
+        uart_puts(": command not found\r\n");
+    }
+}
+
+void do_cmd_help()
+{
+    for (int i = 0; i < CLI_MAX_CMD; i++) {
+        uart_puts(cmd_list[i].command);
+        uart_puts("\t\t: ");
+        uart_puts(cmd_list[i].help);
+        uart_puts("\r\n");
+    }
+}
+
+/* Overwrite image file into _start,
+   Please make sure this current code has been relocated. */
+void do_cmd_loadimg()
+{
+    char *bak_dtb = _dtb;
+    char c;
+    unsigned long long kernel_size = 0;
+    char *kernel_start = (char *)(&_start);
+    uart_puts("Please upload the image file.\r\n");
+    for (int i = 0; i < 8; i++) {
+        c = uart_getc();
+        kernel_size += c << (i * 8);
+    }
+    for (int i = 0; i < kernel_size; i++) {
+        c = uart_getc();
+        kernel_start[i] = c;
+    }
+    uart_puts("Image file downloaded successfully.\r\n");
+    uart_puts("Point to new kernel ...\r\n");
+
+    ((void (*)(char *))kernel_start)(bak_dtb);
+}
+
+void do_cmd_reboot()
+{
+    uart_puts("Reboot in 5 seconds ...\r\n\r\n");
+    volatile unsigned int *rst_addr = (unsigned int *)PM_RSTC;
+    *rst_addr = PM_PASSWORD | 0x20;
+    volatile unsigned int *wdg_addr = (unsigned int *)PM_WDOG;
+    *wdg_addr = PM_PASSWORD | 5;
+}
diff --git a/lab6/bootloader/src/uart1.c b/lab6/bootloader/src/uart1.c
new file mode 100644
index 000000000..cf6dd9e85
--- /dev/null
+++ b/lab6/bootloader/src/uart1.c
@@ -0,0 +1,83 @@
+#include "bcm2837/rpi_gpio.h"
+#include "bcm2837/rpi_uart1.h"
+#include "uart1.h"
+#include "utils.h"
+
+void uart_init()
+{
+    register unsigned int r;
+
+    /* initialize UART */
+    *AUX_ENABLES     |= 1;       // enable UART1
+    *AUX_MU_CNTL_REG  = 0;       // disable TX/RX
+
+    /* configure UART */
+    *AUX_MU_IER_REG   = 0;       // disable interrupt
+    *AUX_MU_LCR_REG   = 3;       // 8 bit data size
+    *AUX_MU_MCR_REG   = 0;       // disable flow control
+    *AUX_MU_BAUD_REG  = 270;     // 115200 baud rate
+    *AUX_MU_IIR_REG   = 6;       // disable FIFO
+
+    /* map UART1 to GPIO pins */
+    r = *GPFSEL1;
+    r &= ~(7<<12);               // clean gpio14
+    r |= 2<<12;                  // set gpio14 to alt5
+    r &= ~(7<<15);               // clean gpio15
+    r |= 2<<15;                  // set gpio15 to alt5
+    *GPFSEL1 = r;
+
+    /* enable pin 14, 15 - ref: Page 101 */
+    *GPPUD = 0;
+    r=150; while(r--) { asm volatile("nop"); }
+    *GPPUDCLK0 = (1<<14)|(1<<15);
+    r=150; while(r--) { asm volatile("nop"); }
+    *GPPUDCLK0 = 0;
+
+    *AUX_MU_CNTL_REG = 3;      // enable TX/RX
+}
+
+char uart_getc() {
+    char r;
+    while(!(*AUX_MU_LSR_REG & 0x01)){};
+    r = (char)(*AUX_MU_IO_REG);
+    return r;
+}
+
+char uart_recv() {
+    char r;
+    while(!(*AUX_MU_LSR_REG & 0x01)){};
+    r = (char)(*AUX_MU_IO_REG);
+    return r=='\r'?'\n':r;
+}
+
+void uart_send(unsigned int c) {
+    while(!(*AUX_MU_LSR_REG & 0x20)){};
+    *AUX_MU_IO_REG = c;
+}
+
+int uart_puts(char *fmt, ...) {
+    __builtin_va_list args;
+    __builtin_va_start(args, fmt);
+    char buf[VSPRINT_MAX_BUF_SIZE];
+
+    char *str = (char*)buf;
+    int count = vsprintf(str,fmt,args);
+
+    while(*str) {
+        if(*str=='\n')
+            uart_send('\r');
+        uart_send(*str++);
+    }
+    __builtin_va_end(args);
+    return count;
+}
+
+void uart_2hex(unsigned int d) {
+    unsigned int n;
+    int c;
+    for(c=28;c>=0;c-=4) {
+        n=(d>>c)&0xF;
+        n+=n>9?0x37:0x30;
+        uart_send(n);
+    }
+}
diff --git a/lab6/bootloader/src/utils.c b/lab6/bootloader/src/utils.c
new file mode 100644
index 000000000..03c51dd96
--- /dev/null
+++ b/lab6/bootloader/src/utils.c
@@ -0,0 +1,133 @@
+#include "utils.h"
+
+unsigned int vsprintf(char *dst, char* fmt, __builtin_va_list args)
+{
+    long int arg;
+    int len, sign, i;
+    char *p, *orig=dst, tmpstr[19];
+
+    // failsafes
+    if(dst==(void*)0 || fmt==(void*)0) {
+        return 0;
+    }
+
+    // main loop
+    arg = 0;
+    while(*fmt) {
+        if(dst-orig > VSPRINT_MAX_BUF_SIZE-0x10)
+        {
+            return -1;
+        }
+        // argument access
+        if(*fmt=='%') {
+            fmt++;
+            // literal %
+            if(*fmt=='%') {
+                goto put;
+            }
+            len=0;
+            // size modifier
+            while(*fmt>='0' && *fmt<='9') {
+                len *= 10;
+                len += *fmt-'0';
+                fmt++;
+            }
+            // skip long modifier
+            if(*fmt=='l') {
+                fmt++;
+            }
+            // character
+            if(*fmt=='c') {
+                arg = __builtin_va_arg(args, int);
+                *dst++ = (char)arg;
+                fmt++;
+                continue;
+            } else
+            // decimal number
+            if(*fmt=='d') {
+                arg = __builtin_va_arg(args, int);
+                // check input
+                sign=0;
+                if((int)arg<0) {
+                    arg*=-1;
+                    sign++;
+                }
+                if(arg>99999999999999999L) {
+                    arg=99999999999999999L;
+                }
+                // convert to string
+                i=18;
+                tmpstr[i]=0;
+                do {
+                    tmpstr[--i]='0'+(arg%10);
+                    arg/=10;
+                } while(arg!=0 && i>0);
+                if(sign) {
+                    tmpstr[--i]='-';
+                }
+                if(len>0 && len<18) {
+                    while(i>18-len) {
+                        tmpstr[--i]=' ';
+                    }
+                }
+                p=&tmpstr[i];
+                goto copystring;
+            } else
+            if(*fmt=='x') {
+                arg = __builtin_va_arg(args, long int);
+                i=16;
+                tmpstr[i]=0;
+                do {
+                    char n=arg & 0xf;
+                    tmpstr[--i]=n+(n>9?0x37:0x30);
+                    arg>>=4;
+                } while(arg!=0 && i>0);
+                if(len>0 && len<=16) {
+                    while(i>16-len) {
+                        tmpstr[--i]='0';
+                    }
+                }
+                p=&tmpstr[i];
+                goto copystring;
+            } else
+            if(*fmt=='s') {
+                p = __builtin_va_arg(args, char*);
+copystring:     if(p==(void*)0) {
+                    p="(null)";
+                }
+                while(*p) {
+                    *dst++ = *p++;
+                }
+            }
+        } else {
+put:        *dst++ = *fmt;
+        }
+        fmt++;
+    }
+    *dst=0;
+    return dst-orig;
+}
+
+unsigned int sprintf(char *dst, char* fmt, ...)
+{
+    __builtin_va_list args;
+    __builtin_va_start(args, fmt);
+    unsigned int r = vsprintf(dst,fmt,args);
+    __builtin_va_end(args);
+    return r;
+}
+
+
+int strcmp(const char* p1, const char* p2)
+{
+    const unsigned char *s1 = (const unsigned char*) p1;
+    const unsigned char *s2 = (const unsigned char*) p2;
+    unsigned char c1, c2;
+
+    do {
+        c1 = (unsigned char) *s1++;
+        c2 = (unsigned char) *s2++;
+        if ( c1 == '\0' ) return c1 - c2;
+    } while ( c1 == c2 );
+    return c1 - c2;
+}
diff --git a/lab6/config.txt b/lab6/config.txt
new file mode 100644
index 000000000..96427bebe
--- /dev/null
+++ b/lab6/config.txt
@@ -0,0 +1,3 @@
+initramfs initramfs.cpio 0x20000000
+kernel=bootloader.img
+arm_64bit=1
\ No newline at end of file
diff --git a/lab6/include/bcm2837/rpi_base.h b/lab6/include/bcm2837/rpi_base.h
new file mode 100644
index 000000000..99b05f4fa
--- /dev/null
+++ b/lab6/include/bcm2837/rpi_base.h
@@ -0,0 +1,7 @@
+#ifndef	_RPI_BASE_H_
+#define	_RPI_BASE_H_
+
+#include "rpi_mmu.h"
+#define PERIPHERAL_BASE PHYS_TO_VIRT(0x3F000000)
+
+#endif  /*_RPI_BASE_H_ */
diff --git a/lab6/include/bcm2837/rpi_gpio.h b/lab6/include/bcm2837/rpi_gpio.h
new file mode 100644
index 000000000..e5133708a
--- /dev/null
+++ b/lab6/include/bcm2837/rpi_gpio.h
@@ -0,0 +1,25 @@
+#ifndef _RPI_GPIO_H_
+#define _RPI_GPIO_H_
+
+#include "bcm2837/rpi_base.h"
+
+#define GPFSEL0         ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200000))
+#define GPFSEL1         ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200004))
+#define GPFSEL2         ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200008))
+#define GPFSEL3         ((volatile unsigned int*)(PERIPHERAL_BASE+0x0020000C))
+#define GPFSEL4         ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200010))
+#define GPFSEL5         ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200014))
+#define GPSET0          ((volatile unsigned int*)(PERIPHERAL_BASE+0x0020001C))
+#define GPSET1          ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200020))
+#define GPCLR0          ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200028))
+#define GPLEV0          ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200034))
+#define GPLEV1          ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200038))
+#define GPEDS0          ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200040))
+#define GPEDS1          ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200044))
+#define GPHEN0          ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200064))
+#define GPHEN1          ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200068))
+#define GPPUD           ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200094))
+#define GPPUDCLK0       ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200098))
+#define GPPUDCLK1       ((volatile unsigned int*)(PERIPHERAL_BASE+0x0020009C))
+
+#endif /*_RPI_GPIO_H_*/
diff --git a/lab6/include/bcm2837/rpi_irq.h b/lab6/include/bcm2837/rpi_irq.h
new file mode 100644
index 000000000..8423dfea0
--- /dev/null
+++ b/lab6/include/bcm2837/rpi_irq.h
@@ -0,0 +1,24 @@
+#ifndef _RPI_IRQ_H_
+#define _RPI_IRQ_H_
+
+#include "bcm2837/rpi_base.h"
+
+/*
+The basic pending register shows which interrupt are pending. To speed up interrupts processing, a
+number of 'normal' interrupt status bits have been added to this register. This makes the 'IRQ
+pending base' register different from the other 'base' interrupt registers
+p112-115 https://cs140e.sergio.bz/docs/BCM2837-ARM-Peripherals.pdf
+*/
+
+#define IRQ_BASIC_PENDING	((volatile unsigned int*)(PERIPHERAL_BASE+0x0000B200))
+#define IRQ_PENDING_1		((volatile unsigned int*)(PERIPHERAL_BASE+0x0000B204))
+#define IRQ_PENDING_2		((volatile unsigned int*)(PERIPHERAL_BASE+0x0000B208))
+#define FIQ_CONTROL		((volatile unsigned int*)(PERIPHERAL_BASE+0x0000B20C))
+#define ENABLE_IRQS_1		((volatile unsigned int*)(PERIPHERAL_BASE+0x0000B210))
+#define ENABLE_IRQS_2		((volatile unsigned int*)(PERIPHERAL_BASE+0x0000B214))
+#define ENABLE_BASIC_IRQS	((volatile unsigned int*)(PERIPHERAL_BASE+0x0000B218))
+#define DISABLE_IRQS_1		((volatile unsigned int*)(PERIPHERAL_BASE+0x0000B21C))
+#define DISABLE_IRQS_2		((volatile unsigned int*)(PERIPHERAL_BASE+0x0000B220))
+#define DISABLE_BASIC_IRQS	((volatile unsigned int*)(PERIPHERAL_BASE+0x0000B224))
+
+#endif /*_RPI_IRQ_H_*/
diff --git a/lab6/include/bcm2837/rpi_mbox.h b/lab6/include/bcm2837/rpi_mbox.h
new file mode 100644
index 000000000..ba1001472
--- /dev/null
+++ b/lab6/include/bcm2837/rpi_mbox.h
@@ -0,0 +1,17 @@
+#ifndef _RPI_MBOX_H_
+#define _RPI_MBOX_H_
+
+#include "bcm2837/rpi_base.h"
+
+#define MBOX_BASE     (PERIPHERAL_BASE+0x0000B880)
+
+// The register access to a mailbox
+// https://jsandler18.github.io/extra/mailbox.html
+#define MBOX_READ     ((volatile unsigned int*)(MBOX_BASE+0x00))
+#define MBOX_POLL     ((volatile unsigned int*)(MBOX_BASE+0x10))
+#define MBOX_SENDER   ((volatile unsigned int*)(MBOX_BASE+0x14))
+#define MBOX_STATUS   ((volatile unsigned int*)(MBOX_BASE+0x18))
+#define MBOX_CONFIG   ((volatile unsigned int*)(MBOX_BASE+0x1C))
+#define MBOX_WRITE    ((volatile unsigned int*)(MBOX_BASE+0x20))
+
+#endif  /*_RPI_MBOX_H_ */
diff --git a/lab6/include/bcm2837/rpi_mmu.h b/lab6/include/bcm2837/rpi_mmu.h
new file mode 100644
index 000000000..0452ce6df
--- /dev/null
+++ b/lab6/include/bcm2837/rpi_mmu.h
@@ -0,0 +1,8 @@
+#ifndef	_RPI_MMU_H_
+#define	_RPI_MMU_H_
+
+#define PHYS_TO_VIRT(x)   (x + 0xffff000000000000)
+#define VIRT_TO_PHYS(x)   (x - 0xffff000000000000)
+#define ENTRY_ADDR_MASK   0xfffffffff000L
+
+#endif  /*_RPI_MMU_H_ */
diff --git a/lab6/include/bcm2837/rpi_uart1.h b/lab6/include/bcm2837/rpi_uart1.h
new file mode 100644
index 000000000..959130656
--- /dev/null
+++ b/lab6/include/bcm2837/rpi_uart1.h
@@ -0,0 +1,19 @@
+#ifndef	_RPI_UART1_H_
+#define	_RPI_UART1_H_
+
+#include "bcm2837/rpi_base.h"
+
+#define AUX_ENABLES     ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215004))
+#define AUX_MU_IO_REG   ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215040))
+#define AUX_MU_IER_REG  ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215044))
+#define AUX_MU_IIR_REG  ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215048))
+#define AUX_MU_LCR_REG  ((volatile unsigned int*)(PERIPHERAL_BASE+0x0021504C))
+#define AUX_MU_MCR_REG  ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215050))
+#define AUX_MU_LSR_REG  ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215054))
+#define AUX_MU_MSR_REG  ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215058))
+#define AUX_MU_SCRATCH  ((volatile unsigned int*)(PERIPHERAL_BASE+0x0021505C))
+#define AUX_MU_CNTL_REG ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215060))
+#define AUX_MU_STAT_REG ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215064))
+#define AUX_MU_BAUD_REG ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215068))
+
+#endif  /*_RPI_UART1_H_ */
diff --git a/lab6/include/cpio.h b/lab6/include/cpio.h
new file mode 100644
index 000000000..e662bee51
--- /dev/null
+++ b/lab6/include/cpio.h
@@ -0,0 +1,41 @@
+#ifndef _CPIO_H_
+#define _CPIO_H_
+
+/*
+    cpio format : https://manpages.ubuntu.com/manpages/bionic/en/man5/cpio.5.html
+    We are using "newc" format
+    header, file path, file data, header  ......
+    header + file path (padding 4 bytes)
+    file data (padding 4 bytes)  (max size 4gb)
+*/
+
+#define CPIO_NEWC_HEADER_MAGIC "070701"    // big endian constant, to check whether it is big endian or little endian
+
+extern void* CPIO_DEFAULT_START;
+extern void* CPIO_DEFAULT_END;
+
+// Using newc archive format
+struct cpio_newc_header
+{
+    char c_magic[6];            // fixed, "070701".
+    char c_ino[8];
+    char c_mode[8];
+    char c_uid[8];
+    char c_gid[8];
+    char c_nlink[8];
+    char c_mtime[8];
+    char c_filesize[8];
+    char c_devmajor[8];
+    char c_devminor[8];
+    char c_rdevmajor[8];
+    char c_rdevminor[8];
+    char c_namesize[8];
+    char c_check[8];
+};
+
+/* write pathname, data, next header into corresponding parameter*/
+int cpio_newc_parse_header(struct cpio_newc_header *this_header_pointer,
+        char **pathname, unsigned int *filesize, char **data,
+        struct cpio_newc_header **next_header_pointer);
+
+#endif /* _CPIO_H_ */
diff --git a/lab6/include/dtb.h b/lab6/include/dtb.h
new file mode 100644
index 000000000..eabc2fa86
--- /dev/null
+++ b/lab6/include/dtb.h
@@ -0,0 +1,28 @@
+#ifndef _DTB_H_
+#define _DTB_H_
+
+#define uint32_t unsigned int
+#define uint64_t unsigned long long
+
+// manipulate device tree with dtb file format
+// linux kernel fdt.h
+#define FDT_BEGIN_NODE 0x00000001
+#define FDT_END_NODE 0x00000002
+#define FDT_PROP 0x00000003
+#define FDT_NOP 0x00000004
+#define FDT_END 0x00000009
+
+extern char *dtb_ptr;
+
+typedef void (*dtb_callback)(uint32_t node_type, char *name, void *value, uint32_t name_size);
+
+uint32_t uint32_endian_big2lttle(uint32_t data);
+uint64_t uint64_endian_big2lttle(uint64_t data);
+
+void traverse_device_tree(void *base, dtb_callback callback); // traverse dtb tree
+void dtb_callback_show_tree(uint32_t node_type, char *name, void *value, uint32_t name_size);
+void dtb_callback_initramfs(uint32_t node_type, char *name, void *value, uint32_t name_size);
+
+void dtb_find_and_store_reserved_memory();
+
+#endif
diff --git a/lab6/include/exception.h b/lab6/include/exception.h
new file mode 100644
index 000000000..4b8daa629
--- /dev/null
+++ b/lab6/include/exception.h
@@ -0,0 +1,59 @@
+#ifndef _EXCEPTION_H_
+#define _EXCEPTION_H_
+
+#include "bcm2837/rpi_irq.h"
+
+#define CORE0_INTERRUPT_SOURCE ((volatile unsigned int *)(PHYS_TO_VIRT(0x40000060)))
+
+#define IRQ_PENDING_1_AUX_INT (1 << 29)
+#define INTERRUPT_SOURCE_GPU (1 << 8)
+#define INTERRUPT_SOURCE_CNTPNSIRQ (1 << 1)
+
+typedef struct trapframe {
+    unsigned long x0;
+    unsigned long x1;
+    unsigned long x2;
+    unsigned long x3;
+    unsigned long x4;
+    unsigned long x5;
+    unsigned long x6;
+    unsigned long x7;
+    unsigned long x8;
+    unsigned long x9;
+    unsigned long x10;
+    unsigned long x11;
+    unsigned long x12;
+    unsigned long x13;
+    unsigned long x14;
+    unsigned long x15;
+    unsigned long x16;
+    unsigned long x17;
+    unsigned long x18;
+    unsigned long x19;
+    unsigned long x20;
+    unsigned long x21;
+    unsigned long x22;
+    unsigned long x23;
+    unsigned long x24;
+    unsigned long x25;
+    unsigned long x26;
+    unsigned long x27;
+    unsigned long x28;
+    unsigned long x29;
+    unsigned long x30;
+    unsigned long spsr_el1;
+    unsigned long elr_el1;
+    unsigned long sp_el0;
+} trapframe_t;
+
+void sync_64_router(trapframe_t *tpf);
+void irq_router(trapframe_t *tpf);
+
+static inline void el1_interrupt_enable() { __asm__ __volatile__("msr daifclr, 0xf"); }
+
+static inline void el1_interrupt_disable() { __asm__ __volatile__("msr daifset, 0xf"); }
+
+void lock();
+void unlock();
+
+#endif /* _EXCEPTION_H_ */
diff --git a/lab6/include/irqtask.h b/lab6/include/irqtask.h
new file mode 100644
index 000000000..395bea0b7
--- /dev/null
+++ b/lab6/include/irqtask.h
@@ -0,0 +1,22 @@
+#ifndef _IRQTASK_H_
+#define _IRQTASK_H_
+
+#include "list.h"
+
+// smaller is more preemptive
+#define UART_IRQ_PRIORITY  1
+#define TIMER_IRQ_PRIORITY 0
+
+typedef struct irqtask
+{
+    struct list_head listhead;
+    unsigned long long priority;
+    void *task_function;
+} irqtask_t;
+
+void irqtask_add(void *task_function, unsigned long long priority);
+void irqtask_run(irqtask_t *the_task);
+void irqtask_run_preemptive();
+void irqtask_init_list();
+
+#endif
diff --git a/lab6/include/list.h b/lab6/include/list.h
new file mode 100644
index 000000000..5794e63c1
--- /dev/null
+++ b/lab6/include/list.h
@@ -0,0 +1,137 @@
+#ifndef LIST_H
+#define LIST_H
+
+/*
+ * Circular doubly linked list implementation.
+ *
+ * Some of the internal functions ("__xxx") are useful when
+ * manipulating whole lists rather than single entries, as
+ * sometimes we already know the next/prev entries and we can
+ * generate better code by using them directly rather than
+ * using the generic single-entry routines.
+ *
+ * https://github.com/torvalds/linux/blob/master/include/linux/list.h
+ * https://elixir.bootlin.com/linux/latest/source/scripts/kconfig/list.h#L24
+ */
+
+typedef struct list_head {
+	struct list_head *next, *prev;
+}list_head_t;
+
+#define LIST_HEAD_INIT(name) { &(name), &(name) }
+
+#define LIST_HEAD(name) \
+	struct list_head name = LIST_HEAD_INIT(name)
+
+/**
+ * INIT_LIST_HEAD - Initialize a list_head structure
+ * @list: list_head structure to be initialized.
+ *
+ * Initializes the list_head to point to itself.  If it is a list header,
+ * the result is an empty list.
+ */
+static inline void INIT_LIST_HEAD(struct list_head *list)
+{
+	list->next = list;
+	list->prev = list;
+}
+
+static inline void __list_add(struct list_head *new,
+			      struct list_head *prev,
+			      struct list_head *next)
+{
+	next->prev = new;
+	new->next = next;
+	new->prev = prev;
+	prev->next = new;
+}
+
+/**
+ * list_add - add a new entry
+ * @new: new entry to be added
+ * @head: list head to add it after
+ *
+ * Insert a new entry after the specified head.
+ * This is good for implementing stacks.
+ */
+static inline void list_add(struct list_head *new, struct list_head *head)
+{
+	__list_add(new, head, head->next);
+}
+
+/**
+ * list_add_tail - add a new entry
+ * @new: new entry to be added
+ * @head: list head to add it before
+ *
+ * Insert a new entry before the specified head.
+ * This is useful for implementing queues.
+ */
+static inline void list_add_tail(struct list_head *new, struct list_head *head)
+{
+	__list_add(new, head->prev, head);
+}
+
+/*
+ * Delete a list entry by making the prev/next entries
+ * point to each other.
+ *
+ * This is only for internal list manipulation where we know
+ * the prev/next entries already!
+ */
+static inline void __list_del(struct list_head * prev, struct list_head * next)
+{
+	next->prev = prev;
+	prev->next = next;
+}
+
+static inline void list_del_entry(struct list_head *entry)
+{
+	__list_del(entry->prev, entry->next);
+}
+
+
+/**
+ * list_is_head - tests whether @list is the list @head
+ * @list: the entry to test
+ * @head: the head of the list
+ */
+static inline int list_is_head(const struct list_head *list, const struct list_head *head)
+{
+	return list == head;
+}
+
+
+/**
+ * list_empty - tests whether a list is empty
+ * @head: the list to test.
+ */
+static inline int list_empty(const struct list_head *head)
+{
+	return head->next == head;
+}
+
+/**
+ * list_for_each	-	iterate over a list
+ * @pos:	the &struct list_head to use as a loop cursor.
+ * @head:	the head for your list.
+ */
+#define list_for_each(pos, head) \
+	for (pos = (head)->next; !list_is_head(pos, (head)); pos = pos->next)
+
+/**
+ * list_empty - tests whether a list is empty
+ * @head: the list to test.
+ */
+static inline int list_size(const struct list_head *head)
+{
+	list_head_t *pos;
+	int i= 0;
+	list_for_each(pos, head)
+	{
+		i++;
+	}
+	return i;
+}
+
+#endif
\ No newline at end of file
diff --git a/lab6/include/mbox.h b/lab6/include/mbox.h
new file mode 100644
index 000000000..78d2cb7f3
--- /dev/null
+++ b/lab6/include/mbox.h
@@ -0,0 +1,63 @@
+#ifndef _MBOX_H_
+#define _MBOX_H_
+
+extern volatile unsigned int pt[64];
+
+// Mailbox Register MMIO
+// https://jsandler18.github.io/extra/mailbox.html
+// include/bcm2837/rpi_mbox.h
+
+// Mailbox Channels
+// https://github.com/raspberrypi/firmware/wiki/Mailboxes
+typedef enum {
+    MBOX_POWER_MANAGEMENT = 0,
+    MBOX_FRAMEBUFFER,
+    MBOX_VIRTUAL_UART,
+    MBOX_VCHIQ,
+    MBOX_LEDS,
+    MBOX_BUTTONS,
+    MBOX_TOUCHSCREEN,
+    MBOX_UNUSED,
+    MBOX_TAGS_ARM_TO_VC,
+    MBOX_TAGS_VC_TO_ARM,
+} mbox_channel_type;
+
+// Status Code from Broadcom Videocode Driver
+// brcm_usrlib/dag/vmcsx/vcinclude/bcm2708_chip/arm_control.h
+enum mbox_status_reg_bits {
+    BCM_ARM_VC_MS_FULL  = 0x80000000,
+    BCM_ARM_VC_MS_EMPTY = 0x40000000,
+    BCM_ARM_VC_MS_LEVEL = 0x400000FF,
+};
+
+enum mbox_buffer_status_code {
+    MBOX_REQUEST_PROCESS = 0x00000000,
+    MBOX_REQUEST_SUCCEED = 0x80000000,
+    MBOX_REQUEST_FAILED  = 0x80000001,
+};
+
+// Tag
+// https://github.com/raspberrypi/firmware/wiki/Mailbox-property-interface
+// Included partition only
+typedef enum {
+    /* Videocore */
+    MBOX_TAG_GET_FIRMWARE_VERSION = 0x1,
+
+    /* Hardware */
+    MBOX_TAG_GET_BOARD_MODEL = 0x10001,
+    MBOX_TAG_GET_BOARD_REVISION,
+    MBOX_TAG_GET_BOARD_MAC_ADDRESS,
+    MBOX_TAG_GET_BOARD_SERIAL,
+    MBOX_TAG_GET_ARM_MEMORY,
+    MBOX_TAG_GET_VC_MEMORY,
+    MBOX_TAG_GET_CLOCKS,
+
+} mbox_tag_type;
+
+
+#define MBOX_TAG_REQUEST_CODE 0x00000000
+#define MBOX_TAG_LAST_BYTE    0x00000000
+
+int mbox_call(mbox_channel_type, unsigned int);
+
+#endif /*_MBOX_H_*/
diff --git a/lab6/include/memory.h b/lab6/include/memory.h
new file mode 100644
index 000000000..6d4539abe
--- /dev/null
+++ b/lab6/include/memory.h
@@ -0,0 +1,70 @@
+#ifndef _MEMORY_H_
+#define _MEMORY_H_
+
+#include "bcm2837/rpi_mmu.h"
+#include "list.h"
+
+/* Lab2 */
+void* s_allocator(unsigned int size);
+void  s_free(void* ptr);
+
+/* Lab4 */
+#define BUDDY_MEMORY_BASE       PHYS_TO_VIRT(0x0)     // 0x10000000 - 0x20000000 (SPEC) -> Advanced #3 for all memory region
+#define BUDDY_MEMORY_PAGE_COUNT 0x3C000 // let BUDDY_MEMORY use 0x0 ~ 0x3C000000 (SPEC)
+#define PAGESIZE    0x1000     // 4KB
+#define MAX_PAGES   0x10000    // 65536 (Entries), PAGESIZE * MAX_PAGES = 0x10000000 (SPEC)
+
+typedef enum {
+    FRAME_FREE = -2,
+    FRAME_ALLOCATED,
+    FRAME_IDX_0 = 0,      //  0x1000
+    FRAME_IDX_1,          //  0x2000
+    FRAME_IDX_2,          //  0x4000
+    FRAME_IDX_3,          //  0x8000
+    FRAME_IDX_4,          // 0x10000
+    FRAME_IDX_5,          // 0x20000
+    FRAME_IDX_FINAL = 6,  // 0x40000
+    FRAME_MAX_IDX = 7
+} frame_value_type;
+
+typedef enum {
+    CACHE_NONE = -1,     // Cache not used
+    CACHE_IDX_0 = 0,     //  0x20
+    CACHE_IDX_1,         //  0x40
+    CACHE_IDX_2,         //  0x80
+    CACHE_IDX_3,         // 0x100
+    CACHE_IDX_4,         // 0x200
+    CACHE_IDX_5,         // 0x400
+    CACHE_IDX_FINAL = 6, // 0x800
+    CACHE_MAX_IDX = 7
+} cache_value_type;
+
+typedef struct frame
+{
+    struct list_head listhead; // store freelist
+    int val;                   // store order
+    int used;
+    int cache_order;
+    unsigned int idx;
+} frame_t;
+
+void     init_allocator();
+frame_t *release_redundant(frame_t *frame);
+frame_t *get_buddy(frame_t *frame);
+frame_t *coalesce(frame_t *frame_ptr);
+
+void dump_page_info();
+void dump_cache_info();
+
+//buddy system
+void* page_malloc(unsigned int size);
+void  page_free(void *ptr);
+void  page2caches(int order);
+void* cache_malloc(unsigned int size);
+void  cache_free(void* ptr);
+
+void* kmalloc(unsigned int size);
+void  kfree(void *ptr);
+void  memory_reserve(unsigned long long start, unsigned long long end);
+
+#endif /* _MEMORY_H_ */
diff --git a/lab6/include/mmu.h b/lab6/include/mmu.h
new file mode 100644
index 000000000..6a605cbc5
--- /dev/null
+++ b/lab6/include/mmu.h
@@ -0,0 +1,45 @@
+#ifndef _MMU_H_
+#define _MMU_H_
+
+#include "stddef.h"
+
+#define TCR_CONFIG_REGION_48bit (((64 - 48) << 0) | ((64 - 48) << 16))
+#define TCR_CONFIG_4KB ((0b00 << 14) | (0b10 << 30))
+#define TCR_CONFIG_DEFAULT (TCR_CONFIG_REGION_48bit | TCR_CONFIG_4KB)
+
+#define MAIR_DEVICE_nGnRnE 0b00000000
+#define MAIR_NORMAL_NOCACHE 0b01000100
+#define MAIR_IDX_DEVICE_nGnRnE 0
+#define MAIR_IDX_NORMAL_NOCACHE 1
+
+#define PD_TABLE 0b11L
+#define PD_BLOCK 0b01L
+#define PD_UNX (1L << 54)
+#define PD_ACCESS (1L << 10)
+#define PD_UK_ACCESS (1L << 6)
+
+#define PERIPHERAL_START 0x3c000000L
+#define PERIPHERAL_END 0x3f000000L
+#define USER_KERNEL_BASE 0x00000000L
+#define USER_STACK_BASE 0xfffffffff000L
+
+#define MMU_PGD_BASE 0x1000L
+#define MMU_PGD_ADDR (MMU_PGD_BASE + 0x0000L)
+#define MMU_PUD_ADDR (MMU_PGD_BASE + 0x1000L)
+#define MMU_PTE_ADDR (MMU_PGD_BASE + 0x2000L)
+
+#define BOOT_PGD_ATTR (PD_TABLE)
+#define BOOT_PUD_ATTR (PD_TABLE + PD_ACCESS + (MAIR_IDX_NORMAL_NOCACHE << 2))
+#define BOOT_PTE_ATTR_nGnRnE (PD_BLOCK + PD_ACCESS + PD_UK_ACCESS + (MAIR_DEVICE_nGnRnE << 2))
+#define BOOT_PTE_ATTR_NOCACHE (PD_BLOCK + PD_ACCESS + (MAIR_NORMAL_NOCACHE << 2))
+
+#ifndef __ASSEMBLER__
+
+void *set_2M_kernel_mmu(void *x0);
+void map_one_page(size_t *pgd_p, size_t va, size_t pa);
+void mappages(size_t *pgd_p, size_t va, size_t size, size_t pa);
+void free_page_tables(size_t *page_table, int level);
+
+#endif //__ASSEMBLER__
+
+#endif /* _MMU_H_ */
diff --git a/lab6/include/power.h b/lab6/include/power.h
new file mode 100644
index 000000000..3c044f3e1
--- /dev/null
+++ b/lab6/include/power.h
@@ -0,0 +1,9 @@
+#ifndef _POWER_H_
+#define _POWER_H_
+
+#include "bcm2837/rpi_mmu.h"
+#define PM_PASSWORD 0x5a000000
+#define PM_RSTC PHYS_TO_VIRT(0x3F10001c)
+#define PM_WDOG PHYS_TO_VIRT(0x3F100024)
+
+#endif /*_POWER_H_*/
diff --git a/lab6/include/sched.h b/lab6/include/sched.h
new file mode 100644
index 000000000..4f2a199d7
--- /dev/null
+++ b/lab6/include/sched.h
@@ -0,0 +1,64 @@
+#ifndef _SCHED_H_
+#define _SCHED_H_
+
+#include "list.h"
+
+#define PIDMAX 32768
+#define USTACK_SIZE 0x4000
+#define KSTACK_SIZE 0x4000
+#define SIGNAL_MAX 64
+
+extern void switch_to(void *curr_context, void *next_context);
+extern void store_context(void *curr_context);
+extern void load_context(void *curr_context);
+extern void *get_current();
+
+typedef struct thread_context {
+    unsigned long x19;
+    unsigned long x20;
+    unsigned long x21;
+    unsigned long x22;
+    unsigned long x23;
+    unsigned long x24;
+    unsigned long x25;
+    unsigned long x26;
+    unsigned long x27;
+    unsigned long x28;
+    unsigned long fp;
+    unsigned long lr;
+    unsigned long sp;
+    void *pgd; // use for MMU mapping (user space)
+} thread_context_t;
+
+typedef struct thread {
+    list_head_t listhead;
+    thread_context_t context;
+    char *data;
+    unsigned int datasize;
+    int iszombie;
+    int pid;
+    int isused;
+    char *stack_alloced_ptr;
+    char *kernel_stack_alloced_ptr;
+    void (*signal_handler[SIGNAL_MAX + 1])();
+    int sigcount[SIGNAL_MAX + 1];
+    void (*curr_signal_handler)();
+    int signal_is_checking;
+    thread_context_t signal_saved_context;
+} thread_t;
+
+extern thread_t *curr_thread;
+extern list_head_t *run_queue;
+extern list_head_t *wait_queue;
+extern thread_t threads[PIDMAX + 1];
+
+void schedule_timer(char *notuse);
+void init_thread_sched();
+void idle();
+void schedule();
+void kill_zombies();
+void thread_exit();
+thread_t *thread_create(void *start, unsigned int filesize);
+int thread_exec(char *data, unsigned int filesize);
+
+#endif /* _SCHED_H_ */
diff --git a/lab6/include/shell.h b/lab6/include/shell.h
new file mode 100644
index 000000000..257bfbdc4
--- /dev/null
+++ b/lab6/include/shell.h
@@ -0,0 +1,28 @@
+#ifndef _SHELL_H_
+#define _SHELL_H_
+
+#define CMD_MAX_LEN 0x100
+#define MSG_MAX_LEN 0x100
+
+typedef struct CLI_CMDS {
+    char command[CMD_MAX_LEN];
+    char help[MSG_MAX_LEN];
+} CLI_CMDS;
+
+int cli_cmd_strcmp(const char *, const char *);
+void cli_cmd_clear(char *, int);
+void cli_cmd_read(char *);
+void cli_cmd_exec(char *);
+void cli_print_banner();
+
+void do_cmd_cat(char *);
+void do_cmd_dtb();
+void do_cmd_exec(char *);
+void do_cmd_help();
+void do_cmd_hello();
+void do_cmd_info();
+void do_cmd_ls(char *);
+void do_cmd_setTimeout(char *msg, char *sec);
+void do_cmd_reboot();
+
+#endif /* _SHELL_H_ */
diff --git a/lab6/include/signal.h b/lab6/include/signal.h
new file mode 100644
index 000000000..828b38387
--- /dev/null
+++ b/lab6/include/signal.h
@@ -0,0 +1,11 @@
+#ifndef _SIGNAL_H_
+#define _SIGNAL_H_
+
+#include "exception.h"
+
+void signal_default_handler();
+void check_signal(trapframe_t *tpf);
+void run_signal(trapframe_t *tpf, int signal);
+void signal_handler_wrapper();
+
+#endif /* _SIGNAL_H_ */
diff --git a/lab6/include/stddef.h b/lab6/include/stddef.h
new file mode 100644
index 000000000..6352d8d40
--- /dev/null
+++ b/lab6/include/stddef.h
@@ -0,0 +1,6 @@
+#ifndef STDDEF_H
+#define STDDEF_H
+
+#define size_t unsigned long
+
+#endif
diff --git a/lab6/include/string.h b/lab6/include/string.h
new file mode 100644
index 000000000..c70417adb
--- /dev/null
+++ b/lab6/include/string.h
@@ -0,0 +1,21 @@
+#ifndef _STRING_H_
+#define _STRING_H_
+
+#include "stddef.h"
+#define VSPRINT_MAX_BUF_SIZE 0x100
+
+unsigned int sprintf(char *dst, char *fmt, ...);
+unsigned int vsprintf(char *dst, char *fmt, __builtin_va_list args);
+
+unsigned long long strlen(const char *str);
+int strcmp(const char *, const char *);
+int strncmp(const char *, const char *, unsigned long long);
+char *memcpy(void *dest, const void *src, unsigned long long len);
+char *strcpy(char *dest, const char *src);
+void *memset(void *s, int c, size_t n);
+char *strchr(register const char *s, int c);
+
+char *str_SepbySpace(char *head);
+int atoi(char *str);
+
+#endif /* _STRING_H_ */
diff --git a/lab6/include/syscall.h b/lab6/include/syscall.h
new file mode 100644
index 000000000..ff537fc05
--- /dev/null
+++ b/lab6/include/syscall.h
@@ -0,0 +1,23 @@
+#ifndef _SYSCALL_H_
+#define _SYSCALL_H_
+
+#include "exception.h"
+#include "stddef.h"
+
+int getpid(trapframe_t *tpf);
+size_t uartread(trapframe_t *tpf, char buf[], size_t size);
+size_t uartwrite(trapframe_t *tpf, const char buf[], size_t size);
+int exec(trapframe_t *tpf, const char *name, char *const argv[]);
+int fork(trapframe_t *tpf);
+void exit(trapframe_t *tpf, int status);
+int syscall_mbox_call(trapframe_t *tpf, unsigned char ch, unsigned int *mbox);
+void kill(trapframe_t *tpf, int pid);
+
+void signal_register(int signal, void (*handler)());
+void signal_kill(int pid, int signal);
+void sigreturn(trapframe_t *tpf);
+
+unsigned int get_file_size(char *thefilepath);
+char *get_file_start(char *thefilepath);
+
+#endif /* _SYSCALL_H_*/
diff --git a/lab6/include/timer.h b/lab6/include/timer.h
new file mode 100644
index 000000000..fd9e86742
--- /dev/null
+++ b/lab6/include/timer.h
@@ -0,0 +1,28 @@
+#ifndef _TIMER_H_
+#define _TIMER_H_
+
+#include "list.h"
+// https://github.com/Tekki/raspberrypi-documentation/blob/master/hardware/raspberrypi/bcm2836/QA7_rev3.4.pdf p13
+#define CORE0_TIMER_IRQ_CTRL PHYS_TO_VIRT(0x40000040)
+
+typedef struct timer_event {
+    struct list_head listhead;
+    unsigned long long interrupt_time;
+    void *callback;
+    char *args;
+} timer_event_t;
+
+extern struct list_head *timer_event_list;
+
+void core_timer_enable();
+void core_timer_disable();
+void core_timer_handler();
+
+void add_timer(void *callback, unsigned long long timeout, char *args, int bytick);
+unsigned long long get_tick_plus_s(unsigned long long second);
+void set_core_timer_interrupt(unsigned long long expired_time);
+void set_core_timer_interrupt_by_tick(unsigned long long tick);
+void timer_list_init();
+int timer_list_get_size();
+
+#endif /* _TIMER_H_ */
diff --git a/lab6/include/uart1.h b/lab6/include/uart1.h
new file mode 100644
index 000000000..ccbc67fa9
--- /dev/null
+++ b/lab6/include/uart1.h
@@ -0,0 +1,18 @@
+#ifndef _UART1_H_
+#define _UART1_H_
+
+void uart_init();
+char uart_recv();
+void uart_send(char c);
+int uart_printf(char *fmt, ...);
+char uart_async_getc();
+void uart_async_putc(char c);
+int uart_puts(char *fmt, ...);
+void uart_2hex(unsigned int d);
+
+void uart_interrupt_enable();
+void uart_interrupt_disable();
+void uart_r_irq_handler();
+void uart_w_irq_handler();
+
+#endif /*_UART1_H_*/
diff --git a/lab6/initramfs.cpio b/lab6/initramfs.cpio
new file mode 100644
index 000000000..ec1d1f22b
Binary files /dev/null and b/lab6/initramfs.cpio differ
diff --git a/lab6/rootfs/file1.txt b/lab6/rootfs/file1.txt
new file mode 100644
index 000000000..b57711b8a
--- /dev/null
+++ b/lab6/rootfs/file1.txt
@@ -0,0 +1,38 @@
+/***                                                                          
+ *          .,:,,,                                        .::,,,::.          
+ *        .::::,,;;,                                  .,;;:,,....:i:         
+ *        :i,.::::,;i:.      ....,,:::::::::,....   .;i:,.  ......;i.        
+ *        :;..:::;::::i;,,:::;:,,,,,,,,,,..,.,,:::iri:. .,:irsr:,.;i.        
+ *        ;;..,::::;;;;ri,,,.                    ..,,:;s1s1ssrr;,.;r,        
+ *        :;. ,::;ii;:,     . ...................     .;iirri;;;,,;i,        
+ *        ,i. .;ri:.   ... ............................  .,,:;:,,,;i:        
+ *        :s,.;r:... ....................................... .::;::s;        
+ *        ,1r::. .............,,,.,,:,,........................,;iir;        
+ *        ,s;...........     ..::.,;:,,.          ...............,;1s        
+ *       :i,..,.              .,:,,::,.          .......... .......;1,       
+ *      ir,....:rrssr;:,       ,,.,::.     .r5S9989398G95hr;. ....,.:s,      
+ *     ;r,..,s9855513XHAG3i   .,,,,,,,.  ,S931,.,,.;s;s&BHHA8s.,..,..:r:     
+ *    :r;..rGGh,  :SAG;;G@BS:.,,,,,,,,,.r83:      hHH1sXMBHHHM3..,,,,.ir.    
+ *   ,si,.1GS,   sBMAAX&MBMB5,,,,,,:,,.:&8       3@HXHBMBHBBH#X,.,,,,,,rr    
+ *   ;1:,,SH:   .A@&&B#&8H#BS,,,,,,,,,.,5XS,     3@MHABM&59M#As..,,,,:,is,   
+ *  .rr,,,;9&1   hBHHBB&8AMGr,,,,,,,,,,,:h&&9s;   r9&BMHBHMB9:  . .,,,,;ri.  
+ *  :1:....:5&XSi;r8BMBHHA9r:,......,,,,:ii19GG88899XHHH&GSr.      ...,:rs.  
+ *  ;s.     .:sS8G8GG889hi.        ....,,:;:,.:irssrriii:,.        ...,,i1,  
+ *  ;1,         ..,....,,isssi;,        .,,.                      ....,.i1,  
+ *  ;h:               i9HHBMBBHAX9:         .                     ...,,,rs,  
+ *  ,1i..            :A#MBBBBMHB##s                             ....,,,;si.  
+ *  .r1,..        ,..;3BMBBBHBB#Bh.     ..                    ....,,,,,i1;   
+ *   :h;..       .,..;,1XBMMMMBXs,.,, .. :: ,.               ....,,,,,,ss.   
+ *    ih: ..    .;;;, ;;:s58A3i,..    ,. ,.:,,.             ...,,,,,:,s1,    
+ *    .s1,....   .,;sh,  ,iSAXs;.    ,.  ,,.i85            ...,,,,,,:i1;     
+ *     .rh: ...     rXG9XBBM#M#MHAX3hss13&&HHXr         .....,,,,,,,ih;      
+ *      .s5: .....    i598X&&A&AAAAAA&XG851r:       ........,,,,:,,sh;       
+ *      . ihr, ...  .         ..                    ........,,,,,;11:.       
+ *         ,s1i. ...  ..,,,..,,,.,,.,,.,..       ........,,.,,.;s5i.         
+ *          .:s1r,......................       ..............;shs,           
+ *          . .:shr:.  ....                 ..............,ishs.             
+ *              .,issr;,... ...........................,is1s;.               
+ *                 .,is1si;:,....................,:;ir1sr;,                  
+ *                    ..:isssssrrii;::::::;;iirsssssr;:..                    
+ *                         .,::iiirsssssssssrri;;:.                      
+ */						 
\ No newline at end of file
diff --git a/lab6/rootfs/file2.txt b/lab6/rootfs/file2.txt
new file mode 100644
index 000000000..041d661b5
--- /dev/null
+++ b/lab6/rootfs/file2.txt
@@ -0,0 +1 @@
+This is file 2.
\ No newline at end of file
diff --git a/lab6/rootfs/file3 b/lab6/rootfs/file3
new file mode 100644
index 000000000..5ba12d305
--- /dev/null
+++ b/lab6/rootfs/file3
@@ -0,0 +1 @@
+OS Capstone is fun
\ No newline at end of file
diff --git a/lab6/rootfs/userprog b/lab6/rootfs/userprog
new file mode 100755
index 000000000..1adf648a4
Binary files /dev/null and b/lab6/rootfs/userprog differ
diff --git a/lab6/rootfs/vm.img b/lab6/rootfs/vm.img
new file mode 100644
index 000000000..8ba674e6c
Binary files /dev/null and b/lab6/rootfs/vm.img differ
diff --git a/lab6/src/boot.S b/lab6/src/boot.S
new file mode 100644
index 000000000..e416eb7cb
--- /dev/null
+++ b/lab6/src/boot.S
@@ -0,0 +1,83 @@
+#include "mmu.h"
+
+.section ".text.boot"
+
+.global _start
+
+_start:
+    bl from_el2_to_el1
+
+set_mmu_configuration:
+    ldr x4, = TCR_CONFIG_DEFAULT
+    msr tcr_el1, x4
+
+    ldr x4, =( \
+        (MAIR_DEVICE_nGnRnE << (MAIR_IDX_DEVICE_nGnRnE * 8)) | \
+        (MAIR_NORMAL_NOCACHE << (MAIR_IDX_NORMAL_NOCACHE * 8)) \
+    )
+    msr mair_el1, x4
+
+    // set and enable MMU
+    mov x4, 0x1000  // PGD's address
+    mov x5, 0x2000  // PUD's address
+
+    ldr x6, = BOOT_PGD_ATTR
+    orr x6, x5, x6
+    str x6, [x4]
+
+    ldr x6, = BOOT_PUD_ATTR
+    mov x7, 0x0
+    orr x7, x6, x7
+    str x7, [x5]
+    mov x7, 0x40000000
+    orr x7, x6, x7
+    str x7, [x5, #8]
+
+    msr ttbr0_el1, x4
+    msr ttbr1_el1, x4
+
+    mov sp, 0x3c000000
+    bl set_2M_kernel_mmu
+
+    mrs x6, sctlr_el1
+    orr x6, x6, #1
+    msr sctlr_el1, x6
+
+    // indirect branch to the next instruction
+    ldr x6, = boot_rest
+    br x6
+
+boot_rest:
+    adr x1, exception_vector_table
+    msr vbar_el1, x1
+
+setup_stack:
+    ldr x3, =_stack_top
+    mov sp, x3
+
+setup_bss:
+    ldr     x1, =__bss_start
+    ldr     w2, =__bss_size
+
+init_bss:
+    cbz     w2, kernel_main
+    str     xzr, [x1], #8
+    sub     w2, w2, #1
+    cbnz    w2, init_bss
+
+kernel_main:
+    ldr     x1, =dtb_ptr
+    str     x0, [x1], #8
+    bl      main                   // branch and update lr with "main"
+
+proc_hang:
+    wfe                            // waiting in low-power state
+    b       proc_hang
+
+from_el2_to_el1:
+    mov x20, (1 << 31)       // EL1 uses aarch64
+    msr hcr_el2, x20         // move x0 to the HCR_EL2 register
+    mov x20, 0x3c5           // EL1h (SPSel = 1) with interrupt disabled
+    msr spsr_el2, x20        // move x0 to the SPSR_EL2 register
+    msr elr_el2, lr         // move the link register to the ELR_EL2 register
+    eret                    // return to EL1
\ No newline at end of file
diff --git a/lab6/src/cpio.c b/lab6/src/cpio.c
new file mode 100644
index 000000000..22b1619d6
--- /dev/null
+++ b/lab6/src/cpio.c
@@ -0,0 +1,50 @@
+#include "cpio.h"
+#include "dtb.h"
+#include "string.h"
+
+void *CPIO_DEFAULT_START;
+void *CPIO_DEFAULT_END;
+
+static unsigned int parse_hex_str(char *s, unsigned int max_len)
+{
+    unsigned int r = 0;
+    for (unsigned int i = 0; i < max_len; i++) {
+        r *= 16;
+        if (s[i] >= '0' && s[i] <= '9')
+            r += s[i] - '0';
+        else if (s[i] >= 'a' && s[i] <= 'f')
+            r += s[i] - 'a' + 10;
+        else if (s[i] >= 'A' && s[i] <= 'F')
+            r += s[i] - 'A' + 10;
+        else
+            return r;
+    }
+    return r;
+}
+
+int cpio_newc_parse_header(struct cpio_newc_header *this_header_pointer, char **pathname, unsigned int *filesize, char **data,
+                           struct cpio_newc_header **next_header_pointer)
+{
+    if (strncmp(this_header_pointer->c_magic, CPIO_NEWC_HEADER_MAGIC, sizeof(this_header_pointer->c_magic)) != 0)
+        return -1;
+
+    *filesize = parse_hex_str(this_header_pointer->c_filesize, 8);
+    *pathname = ((char *)this_header_pointer) + sizeof(struct cpio_newc_header);
+
+    unsigned int pathname_length = parse_hex_str(this_header_pointer->c_namesize, 8);
+    unsigned int offset = pathname_length + sizeof(struct cpio_newc_header);
+    offset = offset % 4 == 0 ? offset : (offset + 4 - offset % 4);
+    *data = (char *)this_header_pointer + offset;
+
+    if (*filesize == 0) {
+        *next_header_pointer = (struct cpio_newc_header *)*data;
+    }
+    else {
+        offset = *filesize;
+        *next_header_pointer = (struct cpio_newc_header *)(*data + (offset % 4 == 0 ? offset : (offset + 4 - offset % 4)));
+    }
+    if (strncmp(*pathname, "TRAILER!!!", sizeof("TRAILER!!!")) == 0)
+        *next_header_pointer = 0;
+
+    return 0;
+}
diff --git a/lab6/src/dtb.c b/lab6/src/dtb.c
new file mode 100644
index 000000000..ca4c601bd
--- /dev/null
+++ b/lab6/src/dtb.c
@@ -0,0 +1,150 @@
+#include "dtb.h"
+#include "bcm2837/rpi_mmu.h"
+#include "cpio.h"
+#include "memory.h"
+#include "string.h"
+#include "uart1.h"
+
+char *dtb_ptr;
+
+// stored as big endian
+struct fdt_header {
+    uint32_t magic;
+    uint32_t totalsize;
+    uint32_t off_dt_struct;
+    uint32_t off_dt_strings;
+    uint32_t off_mem_rsvmap;
+    uint32_t version;
+    uint32_t last_comp_version;
+    uint32_t boot_cpuid_phys;
+    uint32_t size_dt_strings;
+    uint32_t size_dt_struct;
+};
+
+// memory reservation block - https://zhuanlan.zhihu.com/p/144863497
+struct fdt_reserve_entry {
+    uint64_t address;
+    uint64_t size;
+};
+
+uint32_t uint32_endian_big2lttle(uint32_t data)
+{
+    char *r = (char *)&data;
+    return (r[3] << 0) | (r[2] << 8) | (r[1] << 16) | (r[0] << 24);
+}
+
+uint64_t uint64_endian_big2lttle(uint64_t data)
+{
+    char *r = (char *)&data;
+    return ((unsigned long long)r[7] << 0) | ((unsigned long long)r[6] << 8) | ((unsigned long long)r[5] << 16) | ((unsigned long long)r[4] << 24) |
+           ((unsigned long long)r[3] << 32) | ((unsigned long long)r[2] << 40) | ((unsigned long long)r[1] << 48) | ((unsigned long long)r[0] << 56);
+}
+
+void traverse_device_tree(void *dtb_ptr, dtb_callback callback)
+{
+    struct fdt_header *header = dtb_ptr;
+    if (uint32_endian_big2lttle(header->magic) != 0xD00DFEED) {
+        uart_puts("traverse_device_tree : wrong magic in traverse_device_tree");
+        return;
+    }
+    // https://abcamus.github.io/2016/12/28/uboot%E8%AE%BE%E5%A4%87%E6%A0%91-%E8%A7%A3%E6%9E%90%E8%BF%87%E7%A8%8B/
+    // https://blog.csdn.net/wangdapao12138/article/details/82934127
+    uint32_t struct_size = uint32_endian_big2lttle(header->size_dt_struct);
+    char *dt_struct_ptr = (char *)((char *)header + uint32_endian_big2lttle(header->off_dt_struct));
+    char *dt_strings_ptr = (char *)((char *)header + uint32_endian_big2lttle(header->off_dt_strings));
+
+    char *end = (char *)dt_struct_ptr + struct_size;
+    char *pointer = dt_struct_ptr;
+
+    while (pointer < end) {
+        uint32_t token_type = uint32_endian_big2lttle(*(uint32_t *)pointer);
+
+        pointer += 4;
+        if (token_type == FDT_BEGIN_NODE) {
+            callback(token_type, pointer, 0, 0);
+            pointer += strlen(pointer);
+            pointer += 4 - (unsigned long long)pointer % 4; // alignment 4 byte
+        }
+        else if (token_type == FDT_END_NODE) {
+            callback(token_type, 0, 0, 0);
+        }
+        else if (token_type == FDT_PROP) {
+            uint32_t len = uint32_endian_big2lttle(*(uint32_t *)pointer);
+            pointer += 4;
+            char *name = (char *)dt_strings_ptr + uint32_endian_big2lttle(*(uint32_t *)pointer);
+            pointer += 4;
+            callback(token_type, name, pointer, len);
+            pointer += len;
+            if ((unsigned long long)pointer % 4 != 0)
+                pointer += 4 - (unsigned long long)pointer % 4; // alignment 4 byte
+        }
+        else if (token_type == FDT_NOP) {
+            callback(token_type, 0, 0, 0);
+        }
+        else if (token_type == FDT_END) {
+            callback(token_type, 0, 0, 0);
+        }
+        else {
+            uart_puts("error type:%x\n", token_type);
+            return;
+        }
+    }
+}
+
+void dtb_callback_show_tree(uint32_t node_type, char *name, void *data, uint32_t name_size)
+{
+    static int level = 0;
+    if (node_type == FDT_BEGIN_NODE) {
+        for (int i = 0; i < level; i++)
+            uart_puts("   ");
+        uart_puts("%s{\n", name);
+        level++;
+    }
+    else if (node_type == FDT_END_NODE) {
+        level--;
+        for (int i = 0; i < level; i++)
+            uart_puts("   ");
+        uart_puts("}\n");
+    }
+    else if (node_type == FDT_PROP) {
+        for (int i = 0; i < level; i++)
+            uart_puts("   ");
+        uart_puts("%s\n", name);
+    }
+}
+
+void dtb_callback_initramfs(uint32_t node_type, char *name, void *value, uint32_t name_size)
+{
+    // https://github.com/stweil/raspberrypi-documentation/blob/master/configuration/device-tree.md
+    // linux,initrd-start will be assigned by start.elf based on config.txt
+    if (node_type == FDT_PROP && strcmp(name, "linux,initrd-start") == 0) {
+        CPIO_DEFAULT_START = (void *)(unsigned long long)PHYS_TO_VIRT(uint32_endian_big2lttle(*(uint32_t *)value));
+    }
+    if (node_type == FDT_PROP && strcmp(name, "linux,initrd-end") == 0) {
+        CPIO_DEFAULT_END = (void *)(unsigned long long)PHYS_TO_VIRT(uint32_endian_big2lttle(*(uint32_t *)value));
+    }
+}
+
+void dtb_find_and_store_reserved_memory()
+{
+    struct fdt_header *header = (struct fdt_header *)dtb_ptr;
+    if (uint32_endian_big2lttle(header->magic) != 0xD00DFEED) {
+        uart_puts("traverse_device_tree : wrong magic in traverse_device_tree");
+        return;
+    }
+
+    // off_mem_rsvmap stores all of reserve memory map with address and size
+    char *dt_mem_rsvmap_ptr = (char *)((char *)header + uint32_endian_big2lttle(header->off_mem_rsvmap));
+    struct fdt_reserve_entry *reverse_entry = (struct fdt_reserve_entry *)dt_mem_rsvmap_ptr;
+
+    // reserve memory which is defined by dtb
+    while (reverse_entry->address != 0 || reverse_entry->size != 0) {
+        unsigned long long start = PHYS_TO_VIRT(uint64_endian_big2lttle(reverse_entry->address));
+        unsigned long long end = uint64_endian_big2lttle(reverse_entry->size) + start;
+        memory_reserve(start, end);
+        reverse_entry++;
+    }
+
+    // reserve device tree itself
+    memory_reserve((unsigned long long)dtb_ptr, (unsigned long long)dtb_ptr + uint32_endian_big2lttle(header->totalsize));
+}
diff --git a/lab6/src/entry.S b/lab6/src/entry.S
new file mode 100644
index 000000000..1a39be150
--- /dev/null
+++ b/lab6/src/entry.S
@@ -0,0 +1,144 @@
+// save general registers to stack
+.macro save_all
+    sub sp, sp, 32 * 9
+    stp x0, x1, [sp ,16 * 0]
+    stp x2, x3, [sp ,16 * 1]
+    stp x4, x5, [sp ,16 * 2]
+    stp x6, x7, [sp ,16 * 3]
+    stp x8, x9, [sp ,16 * 4]
+    stp x10, x11, [sp ,16 * 5]
+    stp x12, x13, [sp ,16 * 6]
+    stp x14, x15, [sp ,16 * 7]
+    stp x16, x17, [sp ,16 * 8]
+    stp x18, x19, [sp ,16 * 9]
+    stp x20, x21, [sp ,16 * 10]
+    stp x22, x23, [sp ,16 * 11]
+    stp x24, x25, [sp ,16 * 12]
+    stp x26, x27, [sp ,16 * 13]
+    stp x28, x29, [sp ,16 * 14]
+    str x30, [sp, 16 * 15]
+
+/* 
+    // for nested interrupt
+    mrs x0, spsr_el1
+    str x0, [sp, 16 * 16]
+    mrs x0, elr_el1
+    str x0, [sp, 16 * 17]
+    ldp x0, x1, [sp, 16 * 0] // restore x0, x1
+*/
+
+    // for nested interrupt
+    mrs x0, spsr_el1
+    str x0, [sp, 16 * 15 + 8]
+    mrs x0, elr_el1
+    str x0, [sp, 16 * 16]
+    mrs x0, sp_el0
+    str x0, [sp, 16 * 16 + 8]
+    ldp x0, x1, [sp, 16 * 0] // restore x0, x1
+.endm
+
+// load general registers from stack
+.macro load_all
+    ldp x0, x1, [sp ,16 * 0]
+    ldp x2, x3, [sp ,16 * 1]
+    ldp x4, x5, [sp ,16 * 2]
+    ldp x6, x7, [sp ,16 * 3]
+    ldp x8, x9, [sp ,16 * 4]
+    ldp x10, x11, [sp ,16 * 5]
+    ldp x12, x13, [sp ,16 * 6]
+    ldp x14, x15, [sp ,16 * 7]
+    ldp x16, x17, [sp ,16 * 8]
+    ldp x18, x19, [sp ,16 * 9]
+    ldp x20, x21, [sp ,16 * 10]
+    ldp x22, x23, [sp ,16 * 11]
+    ldp x24, x25, [sp ,16 * 12]
+    ldp x26, x27, [sp ,16 * 13]
+    ldp x28, x29, [sp ,16 * 14]
+    ldr x30, [sp, 16 * 15]
+
+/* 
+    // for nested interrupt
+    ldr x0, [sp, 16 * 16]
+    msr spsr_el1, x0
+    ldr x0, [sp, 16 * 17]
+    msr elr_el1, x0
+    ldp x0, x1, [sp, 16 * 0] // restore x0, x1
+    add sp, sp, 32 * 9
+*/
+
+    // for nested interrupt
+    ldr x0, [sp, 16 * 15 + 8]
+    msr spsr_el1, x0
+    ldr x0, [sp, 16 * 16]
+    msr elr_el1, x0
+    ldr x0, [sp, 16 * 16 + 8]
+    msr sp_el0, x0
+    ldp x0, x1, [sp, 16 * 0] // restore x0, x1
+    add sp, sp, 32 * 9
+.endm
+
+.align 11         // vector table should be aligned to 0x800 (2^11)
+.global exception_vector_table
+exception_vector_table:
+    .align 7
+    b invalid_handler // branch to a handler function.
+    .align 7 // entry size is 0x80, .align will pad 0
+    b invalid_handler
+    .align 7
+    b invalid_handler
+    .align 7
+    b invalid_handler
+    .align 7
+
+    b invalid_handler
+    .align 7
+    b el1h_irq_handler
+    .align 7
+    b invalid_handler
+    .align 7
+    b invalid_handler
+    .align 7
+
+    b el0_sync_handler
+    .align 7
+    b el0_irq_handler
+    .align 7
+    b invalid_handler
+    .align 7
+    b invalid_handler
+    .align 7
+
+    b invalid_handler
+    .align 7
+    b invalid_handler
+    .align 7
+    b invalid_handler
+    .align 7
+    b invalid_handler
+
+
+invalid_handler:
+    save_all
+    load_all
+    eret
+
+el1h_irq_handler:
+    save_all
+    mov x0, sp
+    bl irq_router
+    load_all
+    eret
+
+el0_sync_handler:
+    save_all
+    mov x0, sp
+    bl sync_64_router
+    load_all
+    eret
+
+el0_irq_handler:
+    save_all
+    mov x0, sp
+    bl irq_router
+    load_all
+    eret
\ No newline at end of file
diff --git a/lab6/src/exception.c b/lab6/src/exception.c
new file mode 100644
index 000000000..1b653a27f
--- /dev/null
+++ b/lab6/src/exception.c
@@ -0,0 +1,95 @@
+#include "exception.h"
+#include "bcm2837/rpi_uart1.h"
+#include "irqtask.h"
+#include "sched.h"
+#include "signal.h"
+#include "syscall.h"
+#include "timer.h"
+#include "uart1.h"
+
+void sync_64_router(trapframe_t *tpf)
+{
+    el1_interrupt_enable();
+    unsigned long long syscall_no = tpf->x8;
+    switch (syscall_no) {
+    case 0:
+        getpid(tpf);
+        break;
+    case 1:
+        uartread(tpf, (char *)tpf->x0, tpf->x1);
+        break;
+    case 2:
+        uartwrite(tpf, (char *)tpf->x0, tpf->x1);
+        break;
+    case 3:
+        exec(tpf, (char *)tpf->x0, (char **)tpf->x1);
+        break;
+    case 4:
+        fork(tpf);
+        break;
+    case 5:
+        exit(tpf, tpf->x0);
+        break;
+    case 6:
+        syscall_mbox_call(tpf, (unsigned char)tpf->x0, (unsigned int *)tpf->x1);
+        break;
+    case 7:
+        kill(tpf, (int)tpf->x0);
+        break;
+    case 8:
+        signal_register(tpf->x0, (void (*)())tpf->x1);
+        break;
+    case 9:
+        signal_kill(tpf->x0, tpf->x1);
+        break;
+    case 50:
+        sigreturn(tpf);
+        break;
+    default:
+        break;
+    }
+}
+
+void irq_router(trapframe_t *tpf)
+{
+    if (*IRQ_PENDING_1 & IRQ_PENDING_1_AUX_INT && *CORE0_INTERRUPT_SOURCE & INTERRUPT_SOURCE_GPU) {
+        if (*AUX_MU_IIR_REG & (1 << 1)) // can write
+        {
+            *AUX_MU_IER_REG &= ~(2); // disable write interrupt
+            irqtask_add(uart_w_irq_handler, UART_IRQ_PRIORITY);
+            irqtask_run_preemptive();
+        }
+        else if (*AUX_MU_IIR_REG & (0b10 << 1)) // can read
+        {
+            *AUX_MU_IER_REG &= ~(1); // disable read interrupt
+            irqtask_add(uart_r_irq_handler, UART_IRQ_PRIORITY);
+            irqtask_run_preemptive();
+        }
+    }
+    else if (*CORE0_INTERRUPT_SOURCE & INTERRUPT_SOURCE_CNTPNSIRQ) {
+        core_timer_disable();
+        irqtask_add(core_timer_handler, TIMER_IRQ_PRIORITY);
+        irqtask_run_preemptive();
+        core_timer_enable();
+
+        if (run_queue->next->next != run_queue)
+            schedule();
+    }
+    if ((tpf->spsr_el1 & 0b1100) == 0) {
+        check_signal(tpf);
+    }
+}
+
+static unsigned long long lock_count = 0;
+void lock()
+{
+    el1_interrupt_disable();
+    lock_count++;
+}
+
+void unlock()
+{
+    lock_count--;
+    if (lock_count == 0)
+        el1_interrupt_enable();
+}
diff --git a/lab6/src/irqtask.c b/lab6/src/irqtask.c
new file mode 100644
index 000000000..fb78201e6
--- /dev/null
+++ b/lab6/src/irqtask.c
@@ -0,0 +1,65 @@
+#include "irqtask.h"
+#include "exception.h"
+#include "memory.h"
+#include "uart1.h"
+
+int curr_task_priority = 9999;
+struct list_head *task_list;
+
+void irqtask_init_list()
+{
+    task_list = kmalloc(sizeof(list_head_t));
+    INIT_LIST_HEAD(task_list);
+}
+
+void irqtask_add(void *task_function,unsigned long long priority){
+
+    irqtask_t *the_task = kmalloc(sizeof(irqtask_t)); //need to kfree by task runner
+    the_task->priority = priority;
+    the_task->task_function = task_function;
+
+    lock();
+    struct list_head *curr;
+    list_for_each(curr, task_list)
+    {
+        if (((irqtask_t *)curr)->priority > the_task->priority)
+        {
+            list_add(&the_task->listhead, curr->prev);
+            break;
+        }
+    }
+    if (list_is_head(curr, task_list)) list_add_tail(&(the_task->listhead), task_list); // for the time is the biggest
+    unlock();
+}
+
+void irqtask_run_preemptive(){
+    while (1)
+    {
+        lock();
+        if (list_empty(task_list))
+        {
+            unlock();
+            break;
+        }
+
+        irqtask_t *the_task = (irqtask_t *)task_list->next;
+        if (curr_task_priority <= the_task->priority)
+        {
+            unlock();
+            break;
+        }
+        list_del_entry((struct list_head *)the_task);
+        int prev_task_priority = curr_task_priority;
+        curr_task_priority = the_task->priority;
+
+        unlock();
+        irqtask_run(the_task);
+        curr_task_priority = prev_task_priority;
+        kfree(the_task);
+    }
+}
+
+void irqtask_run(irqtask_t *the_task)
+{
+    ((void (*)())the_task->task_function)();
+}
diff --git a/lab6/src/linker.ld b/lab6/src/linker.ld
new file mode 100644
index 000000000..ee5b2083e
--- /dev/null
+++ b/lab6/src/linker.ld
@@ -0,0 +1,27 @@
+SECTIONS
+{
+    . = 0xffff000000000000;
+    . += 0x80000;
+    _kernel_start = .;
+    .text : { KEEP(*(.text.boot)) *(.text .text.* .gnu.linkonce.t*) }
+    .rodata : { *(.rodata .rodata.* .gnu.linkonce.r*) }
+    PROVIDE(_data = .);
+    .data : { *(.data .data.* .gnu.linkonce.d*) }
+    .bss (NOLOAD) : {
+        . = ALIGN(16);
+        __bss_start = .;
+        *(.bss .bss.*)
+        *(COMMON)
+        __bss_end = .;
+    }
+    _kernel_end = .;
+    _heap_start = .;
+
+    . = 0xffff00002c000000;
+    _stack_end = .;
+    . = 0xffff00003c000000;
+    _stack_top = .;
+
+   /DISCARD/ : { *(.comment) *(.gnu*) *(.note*) *(.eh_frame*) }
+}
+__bss_size = (__bss_end - __bss_start) >> 3;
diff --git a/lab6/src/main.c b/lab6/src/main.c
new file mode 100644
index 000000000..2fb3efd03
--- /dev/null
+++ b/lab6/src/main.c
@@ -0,0 +1,41 @@
+#include "dtb.h"
+#include "shell.h"
+#include "uart1.h"
+
+#include "exception.h"
+#include "irqtask.h"
+#include "memory.h"
+#include "sched.h"
+#include "timer.h"
+
+void main(char *arg)
+{
+    char input_buffer[CMD_MAX_LEN];
+
+    dtb_ptr = PHYS_TO_VIRT(arg);
+    traverse_device_tree(dtb_ptr, dtb_callback_initramfs); // get initramfs location from dtb
+
+    init_allocator();
+
+    uart_init();
+    irqtask_init_list();
+    timer_list_init();
+
+    init_thread_sched();
+
+    uart_interrupt_enable();
+    el1_interrupt_enable(); // enable interrupt in EL1 -> EL1
+    core_timer_enable();
+
+#if DEBUG
+    cli_cmd_read(input_buffer); // Wait for input, Windows cannot attach to SERIAL from two processes.
+#endif
+
+    uart_puts("\n");
+    while (1) {
+        cli_cmd_clear(input_buffer, CMD_MAX_LEN);
+        uart_puts("# ");
+        cli_cmd_read(input_buffer);
+        cli_cmd_exec(input_buffer);
+    }
+}
diff --git a/lab6/src/mbox.c b/lab6/src/mbox.c
new file mode 100644
index 000000000..e59dee6ee
--- /dev/null
+++ b/lab6/src/mbox.c
@@ -0,0 +1,23 @@
+#include "bcm2837/rpi_mbox.h"
+#include "mbox.h"
+
+/* Aligned to 16-byte boundary while we have 28-bits for VC */
+volatile unsigned int  __attribute__((aligned(16))) pt[64];
+
+int mbox_call( mbox_channel_type channel, unsigned int value )
+{
+    // Add channel to lower 4 bit
+    value &= ~(0xF);
+    value |= channel;
+    while ( (*MBOX_STATUS & BCM_ARM_VC_MS_FULL) != 0 ) {}
+    // Write to Register
+    *MBOX_WRITE = value;
+    while(1) {
+        while ( *MBOX_STATUS & BCM_ARM_VC_MS_EMPTY ) {}
+        // Read from Register
+        if (value == *MBOX_READ)
+            return pt[1] == MBOX_REQUEST_SUCCEED;
+    }
+    return 0;
+}
+
diff --git a/lab6/src/memory.c b/lab6/src/memory.c
new file mode 100644
index 000000000..cd0677c81
--- /dev/null
+++ b/lab6/src/memory.c
@@ -0,0 +1,369 @@
+#include "memory.h"
+#include "cpio.h"
+#include "dtb.h"
+#include "exception.h"
+#include "list.h"
+#include "mmu.h"
+#include "uart1.h"
+
+extern char _heap_start;
+static char *htop_ptr = &_heap_start;
+
+extern char _kernel_start;
+extern char _kernel_end;
+extern char _stack_end;
+extern char _stack_top;
+
+#ifdef DEBUG
+#define memory_sendline(fmt, args...) uart_printf(fmt, ##args)
+#else
+#define memory_sendline(fmt, args...) (void)0
+#endif
+
+// ------ Lab2 ------
+void *s_allocator(unsigned int size)
+{
+    // -> htop_ptr
+    // htop_ptr + 0x02:  heap_block size
+    // htop_ptr + 0x10 ~ htop_ptr + 0x10 * k:
+    //            { heap_block }
+    // -> htop_ptr
+
+    // 0x10 for heap_block header
+    char *r = htop_ptr + 0x10;
+    // size paddling to multiple of 0x10
+    size = 0x10 + size - size % 0x10;
+    *(unsigned int *)(r - 0x8) = size;
+    htop_ptr += size;
+    return r;
+}
+
+void s_free(void *ptr)
+{
+    // TBD
+}
+
+// ------ Lab4 ------
+static frame_t *frame_array;                      // store memory's statement and page's corresponding index
+static list_head_t frame_freelist[FRAME_MAX_IDX]; // store available block for page
+static list_head_t cache_list[CACHE_MAX_IDX];     // store available block for cache
+
+void init_allocator()
+{
+    frame_array = s_allocator(BUDDY_MEMORY_PAGE_COUNT * sizeof(frame_t));
+
+    // init frame_array
+    for (int i = 0; i < BUDDY_MEMORY_PAGE_COUNT; i++) {
+        if (i % (1 << FRAME_IDX_FINAL) == 0) {
+            frame_array[i].val = FRAME_IDX_FINAL;
+            frame_array[i].used = FRAME_FREE;
+        }
+    }
+
+    // init frame freelist
+    for (int i = FRAME_IDX_0; i <= FRAME_IDX_FINAL; i++) {
+        INIT_LIST_HEAD(&frame_freelist[i]);
+    }
+
+    // init cache list
+    for (int i = CACHE_IDX_0; i <= CACHE_IDX_FINAL; i++) {
+        INIT_LIST_HEAD(&cache_list[i]);
+    }
+
+    for (int i = 0; i < BUDDY_MEMORY_PAGE_COUNT; i++) {
+        // init listhead for each frame
+        INIT_LIST_HEAD(&frame_array[i].listhead);
+        frame_array[i].idx = i;
+        frame_array[i].cache_order = CACHE_NONE;
+
+        // add init frame (FRAME_IDX_FINAL) into freelist
+        if (i % (1 << FRAME_IDX_FINAL) == 0) {
+            list_add(&frame_array[i].listhead, &frame_freelist[FRAME_IDX_FINAL]);
+        }
+    }
+
+    /* Startup reserving the following region:
+    Spin tables for multicore boot (0x0000 - 0x1000)
+    Devicetree (Optional, if you have implement it)
+    Kernel image in the physical memory
+    Your simple allocator (startup allocator) (Stack + Heap in my case)
+    Initramfs
+    */
+    memory_sendline("\r\n* Startup Allocation *\r\n");
+    memory_sendline("buddy system: usable memory region: 0x%x ~ 0x%x\n", BUDDY_MEMORY_BASE, BUDDY_MEMORY_BASE + BUDDY_MEMORY_PAGE_COUNT * PAGESIZE);
+    // dtb_find_and_store_reserved_memory(); // find spin tables in dtb
+    memory_reserve(PHYS_TO_VIRT(MMU_PGD_ADDR),
+                   PHYS_TO_VIRT(MMU_PTE_ADDR + 0x2000)); // // PGD's page frame at 0x1000 // PUD's page frame at 0x2000 PMD 0x3000-0x5000
+    memory_reserve((unsigned long long)&_kernel_start, (unsigned long long)&_kernel_end); // kernel
+    memory_reserve((unsigned long long)&_stack_end, (unsigned long long)&_stack_top);     // heap & stack -> simple allocator
+    memory_reserve((unsigned long long)CPIO_DEFAULT_START, (unsigned long long)CPIO_DEFAULT_END);
+}
+
+void *page_malloc(unsigned int size)
+{
+    memory_sendline("    [+] Allocate page - size : %d(0x%x)\r\n", size, size);
+    memory_sendline("        Before\r\n");
+    dump_page_info();
+    int val;
+    // turn size into minimum 4KB * 2**val
+    for (int i = FRAME_IDX_0; i <= FRAME_IDX_FINAL; i++) {
+
+        if (size <= (PAGESIZE << i)) {
+            val = i;
+            memory_sendline("        block size = 0x%x\n", PAGESIZE << i);
+            break;
+        }
+
+        if (i == FRAME_IDX_FINAL) {
+            memory_sendline("[!] request size exceeded for page_malloc!!!!\r\n");
+            return (void *)0;
+        }
+    }
+
+    // find the smallest larger frame in freelist
+    int target_val;
+    for (target_val = val; target_val <= FRAME_IDX_FINAL; target_val++) {
+        // freelist does not have 2**i order frame, going for next order
+        if (!list_empty(&frame_freelist[target_val]))
+            break;
+    }
+    if (target_val > FRAME_IDX_FINAL) {
+        memory_sendline("[!] No available frame in freelist, page_malloc ERROR!!!!\r\n");
+        return (void *)0;
+    }
+
+    // get the available frame from freelist
+    frame_t *target_frame_ptr = (frame_t *)frame_freelist[target_val].next;
+    list_del_entry((struct list_head *)target_frame_ptr);
+
+    // Release redundant memory block to separate into pieces
+    for (int j = target_val; j > val; j--) // ex: 10000 -> 01111
+    {
+        release_redundant(target_frame_ptr);
+    }
+
+    // Allocate it
+    target_frame_ptr->used = FRAME_ALLOCATED;
+    memory_sendline("        physical address : 0x%x\n", BUDDY_MEMORY_BASE + (PAGESIZE * (target_frame_ptr->idx)));
+    memory_sendline("        After\r\n");
+    dump_page_info();
+
+    return (void *)BUDDY_MEMORY_BASE + (PAGESIZE * (target_frame_ptr->idx));
+}
+
+void page_free(void *ptr)
+{
+    frame_t *target_frame_ptr =
+        &frame_array[((unsigned long long)ptr - BUDDY_MEMORY_BASE) >> 12]; // PAGESIZE * Available Region -> 0x1000 * 0x10000000 // SPEC #1, #2
+    memory_sendline("    [+] Free page: 0x%x, val = %d\r\n", ptr, target_frame_ptr->val);
+    memory_sendline("        Before\r\n");
+    dump_page_info();
+    target_frame_ptr->used = FRAME_FREE;
+    frame_t *temp;
+    while ((temp = coalesce(target_frame_ptr)) != (frame_t *)-1)
+        target_frame_ptr = temp;
+    list_add(&target_frame_ptr->listhead, &frame_freelist[target_frame_ptr->val]);
+    memory_sendline("        After\r\n");
+    dump_page_info();
+}
+
+frame_t *release_redundant(frame_t *frame)
+{
+    // order -1 -> add its buddy to free list (frame itself will be used in master function)
+    frame->val -= 1;
+    frame_t *buddyptr = get_buddy(frame);
+    buddyptr->val = frame->val;
+    list_add(&buddyptr->listhead, &frame_freelist[buddyptr->val]);
+    return frame;
+}
+
+frame_t *get_buddy(frame_t *frame)
+{
+    // XOR(idx, order)
+    return &frame_array[frame->idx ^ (1 << frame->val)];
+}
+
+frame_t *coalesce(frame_t *frame_ptr)
+{
+    frame_t *buddy = get_buddy(frame_ptr);
+    // frame is the boundary
+    if (frame_ptr->val == FRAME_IDX_FINAL)
+        return (frame_t *)-1;
+
+    // Order must be the same: 2**i + 2**i = 2**(i+1)
+    if (frame_ptr->val != buddy->val)
+        return (frame_t *)-1;
+
+    // buddy is in used
+    if (buddy->used == FRAME_ALLOCATED)
+        return (frame_t *)-1;
+
+    list_del_entry((struct list_head *)buddy);
+    frame_ptr->val += 1;
+    buddy->val += 1;
+    memory_sendline("    coalesce detected, merging 0x%x, 0x%x, -> val = %d\r\n", frame_ptr->idx, buddy->idx, frame_ptr->val);
+    return buddy < frame_ptr ? buddy : frame_ptr;
+}
+
+void dump_page_info()
+{
+    unsigned int exp2 = 1;
+    memory_sendline("        ----------------- [  Number of Available Page Blocks  ] -----------------\r\n        | ");
+    for (int i = FRAME_IDX_0; i <= FRAME_IDX_FINAL; i++) {
+        memory_sendline("%4dKB(%1d) ", 4 * exp2, i);
+        exp2 *= 2;
+    }
+    memory_sendline("|\r\n        | ");
+    for (int i = FRAME_IDX_0; i <= FRAME_IDX_FINAL; i++)
+        memory_sendline("     %4d ", list_size(&frame_freelist[i]));
+    memory_sendline("|\r\n");
+}
+
+void dump_cache_info()
+{
+    unsigned int exp2 = 1;
+    memory_sendline("    -- [  Number of Available Cache Blocks ] --\r\n    | ");
+    for (int i = CACHE_IDX_0; i <= CACHE_IDX_FINAL; i++) {
+        memory_sendline("%4dB(%1d) ", 32 * exp2, i);
+        exp2 *= 2;
+    }
+    memory_sendline("|\r\n    | ");
+    for (int i = CACHE_IDX_0; i <= CACHE_IDX_FINAL; i++)
+        memory_sendline("   %5d ", list_size(&cache_list[i]));
+    memory_sendline("|\r\n");
+}
+
+void page2caches(int order)
+{
+    // make caches from a smallest-size page
+    char *page = page_malloc(PAGESIZE);
+    frame_t *pageframe_ptr = &frame_array[((unsigned long long)page - BUDDY_MEMORY_BASE) >> 12];
+    pageframe_ptr->cache_order = order;
+
+    // split page into a lot of caches and push them into cache_list
+    int cachesize = (32 << order);
+    for (int i = 0; i < PAGESIZE; i += cachesize) {
+        list_head_t *c = (list_head_t *)(page + i);
+        list_add(c, &cache_list[order]);
+    }
+}
+
+void *cache_malloc(unsigned int size)
+{
+    memory_sendline("[+] Allocate cache - size : %d(0x%x)\r\n", size, size);
+    memory_sendline("    Before\r\n");
+    dump_cache_info();
+
+    // turn size into cache order: 32B * 2**order
+    int order;
+    for (int i = CACHE_IDX_0; i <= CACHE_IDX_FINAL; i++) {
+        if (size <= (32 << i)) {
+            order = i;
+            break;
+        }
+    }
+
+    // if no available cache in list, assign one page for it
+    if (list_empty(&cache_list[order])) {
+        page2caches(order);
+    }
+
+    list_head_t *r = cache_list[order].next;
+    list_del_entry(r);
+    memory_sendline("    physical address : 0x%x\n", r);
+    memory_sendline("    After\r\n");
+    dump_cache_info();
+    return r;
+}
+
+void cache_free(void *ptr)
+{
+    list_head_t *c = (list_head_t *)ptr;
+    frame_t *pageframe_ptr = &frame_array[((unsigned long long)ptr - BUDDY_MEMORY_BASE) >> 12];
+    memory_sendline("[+] Free cache: 0x%x, val = %d\r\n", ptr, pageframe_ptr->cache_order);
+    memory_sendline("    Before\r\n");
+    dump_cache_info();
+    list_add(c, &cache_list[pageframe_ptr->cache_order]);
+    memory_sendline("    After\r\n");
+    dump_cache_info();
+}
+
+void *kmalloc(unsigned int size)
+{
+    lock();
+    memory_sendline("\n\n");
+    memory_sendline("================================\r\n");
+    memory_sendline("[+] Request kmalloc size: %d\r\n", size);
+    memory_sendline("================================\r\n");
+    // if size is larger than cache size, go for page
+    if (size > (32 << CACHE_IDX_FINAL)) {
+        void *r = page_malloc(size);
+        unlock();
+        return r;
+    }
+    // go for cache
+    void *r = cache_malloc(size);
+    unlock();
+    return r;
+}
+
+void kfree(void *ptr)
+{
+    lock();
+    memory_sendline("\n\n");
+    memory_sendline("==========================\r\n");
+    memory_sendline("[+] Request kfree 0x%x\r\n", ptr);
+    memory_sendline("==========================\r\n");
+    // If no cache assigned, go for page
+    if ((unsigned long long)ptr % PAGESIZE == 0 && frame_array[((unsigned long long)ptr - BUDDY_MEMORY_BASE) >> 12].cache_order == CACHE_NONE) {
+        page_free(ptr);
+        unlock();
+        return;
+    }
+    // go for cache
+    cache_free(ptr);
+    unlock();
+}
+
+void memory_reserve(unsigned long long start, unsigned long long end)
+{
+    start -= start % PAGESIZE;                                      // floor (align 0x1000)
+    end = end % PAGESIZE ? end + PAGESIZE - (end % PAGESIZE) : end; // ceiling (align 0x1000)
+
+    uart_printf("Reserved Memory: ");
+    uart_printf("start 0x%x ~ ", start);
+    uart_printf("end 0x%x\r\n", end);
+
+    // delete page from free list
+    for (int order = FRAME_IDX_FINAL; order >= 0; order--) {
+        list_head_t *pos;
+        list_for_each(pos, &frame_freelist[order])
+        {
+            unsigned long long pagestart = ((frame_t *)pos)->idx * PAGESIZE + BUDDY_MEMORY_BASE;
+            unsigned long long pageend = pagestart + (PAGESIZE << order);
+
+            if (start <= pagestart && end >= pageend) // if page all in reserved memory -> delete it from freelist
+            {
+                ((frame_t *)pos)->used = FRAME_ALLOCATED;
+                memory_sendline("    [!] Reserved page in 0x%x - 0x%x\n", pagestart, pageend);
+                memory_sendline("        Before\n");
+                dump_page_info();
+                list_del_entry(pos);
+                memory_sendline("        Remove usable block for reserved memory: order %d\r\n", order);
+                memory_sendline("        After\n");
+                dump_page_info();
+            }
+            else if (start >= pageend || end <= pagestart) // no intersection
+            {
+                continue;
+            }
+            else // partial intersection, separate the page into smaller size.
+            {
+                list_del_entry(pos);
+                list_head_t *temppos = pos->prev;
+                list_add(&release_redundant((frame_t *)pos)->listhead, &frame_freelist[order - 1]);
+                pos = temppos;
+            }
+        }
+    }
+}
diff --git a/lab6/src/mmu.c b/lab6/src/mmu.c
new file mode 100644
index 000000000..8a03e02cc
--- /dev/null
+++ b/lab6/src/mmu.c
@@ -0,0 +1,77 @@
+#include "mmu.h"
+#include "bcm2837/rpi_mmu.h"
+#include "memory.h"
+#include "string.h"
+
+void *set_2M_kernel_mmu(void *x0)
+{
+    // Turn
+    //   Two-level Translation (1GB) - in boot.S
+    // to
+    //   Three-level Translation (2MB) - set PUD point to new table
+    unsigned long *pud_table = (unsigned long *)MMU_PUD_ADDR;
+
+    unsigned long *pud_table1 = (unsigned long *)MMU_PTE_ADDR;
+    unsigned long *pud_table2 = (unsigned long *)(MMU_PTE_ADDR + 0x1000L);
+    for (int i = 0; i < 512; i++) {
+        unsigned long addr = 0x200000L * i; // 2MB
+        if (addr >= PERIPHERAL_END) {
+            pud_table1[i] = (0x00000000 + addr) + BOOT_PTE_ATTR_nGnRnE;
+            continue;
+        }
+        pud_table1[i] = (0x00000000 + addr) + BOOT_PTE_ATTR_NOCACHE; //   0 * 2MB
+        pud_table2[i] = (0x40000000 + addr) + BOOT_PTE_ATTR_NOCACHE; // 512 * 2MB
+    }
+
+    // set PUD
+    pud_table[0] = (unsigned long)pud_table1 + BOOT_PUD_ATTR;
+    pud_table[1] = (unsigned long)pud_table2 + BOOT_PUD_ATTR;
+
+    return x0;
+}
+
+void map_one_page(size_t *virt_pgd_p, size_t va, size_t pa)
+{
+    size_t *table_p = virt_pgd_p;
+    for (int level = 0; level < 4; level++) {
+        unsigned int idx = (va >> (39 - level * 9)) & 0x1ff; // this is the index of the page table entry
+
+        if (level == 3) {
+            table_p[idx] = pa;
+            table_p[idx] |= PD_ACCESS | PD_TABLE | (MAIR_IDX_NORMAL_NOCACHE << 2) | PD_UK_ACCESS;
+            return;
+        }
+
+        if (!table_p[idx]) {
+            size_t *newtable_p = kmalloc(0x1000);
+            memset(newtable_p, 0, 0x1000);
+            table_p[idx] = VIRT_TO_PHYS((size_t)newtable_p); // set the table entry to the new table
+            table_p[idx] |= PD_ACCESS | PD_TABLE | (MAIR_IDX_NORMAL_NOCACHE << 2) | PD_UK_ACCESS;
+        }
+
+        table_p = (size_t *)PHYS_TO_VIRT((size_t)(table_p[idx] & ENTRY_ADDR_MASK));
+    }
+}
+
+void mappages(size_t *virt_pgd_p, size_t va, size_t size, size_t pa)
+{
+    for (size_t s = 0; s < size; s += 0x1000) {
+        map_one_page(virt_pgd_p, va + s, pa + s);
+    }
+}
+
+void free_page_tables(size_t *page_table, int level)
+{
+    size_t *table_virt = (size_t *)PHYS_TO_VIRT((char *)page_table);
+    for (int i = 0; i < 512; i++) {
+        if (table_virt[i] != 0) {
+            size_t *next_table = (size_t *)(table_virt[i] & ENTRY_ADDR_MASK);
+            if (table_virt[i] & PD_TABLE) { // check if the entry is a table
+                if (level != 2)
+                    free_page_tables(next_table, level + 1);
+                table_virt[i] = 0L;
+                kfree(PHYS_TO_VIRT((char *)next_table));
+            }
+        }
+    }
+}
diff --git a/lab6/src/sched.S b/lab6/src/sched.S
new file mode 100644
index 000000000..ac513ecaa
--- /dev/null
+++ b/lab6/src/sched.S
@@ -0,0 +1,59 @@
+.global switch_to
+switch_to:
+    stp x19, x20, [x0, 16 * 0]
+    stp x21, x22, [x0, 16 * 1]
+    stp x23, x24, [x0, 16 * 2]
+    stp x25, x26, [x0, 16 * 3]
+    stp x27, x28, [x0, 16 * 4]
+    stp fp, lr, [x0, 16 * 5]
+    mov x9, sp
+    str x9, [x0, 16 * 6]
+    //mrs x9, ttbr0_el1
+    //str x9, [x0, 16 * 6 + 8]
+
+    ldp x19, x20, [x1, 16 * 0]
+    ldp x21, x22, [x1, 16 * 1]
+    ldp x23, x24, [x1, 16 * 2]
+    ldp x25, x26, [x1, 16 * 3]
+    ldp x27, x28, [x1, 16 * 4]
+    ldp fp, lr, [x1, 16 * 5]
+    ldp x9, x0, [x1, 16 * 6]
+    mov sp,  x9
+
+    dsb ish           // ensure write has completed, lock for context switch
+    msr ttbr0_el1, x0 // switch translation based address.
+    tlbi vmalle1is    // invalidate all TLB entries in stage 1, el1 and inner shareable
+    dsb ish           // ensure completion of TLB invalidatation
+    isb               // clear pipeline
+
+    msr tpidr_el1, x1
+    ret
+
+.global store_context
+store_context:
+    stp x19, x20, [x0, 16 * 0]
+    stp x21, x22, [x0, 16 * 1]
+    stp x23, x24, [x0, 16 * 2]
+    stp x25, x26, [x0, 16 * 3]
+    stp x27, x28, [x0, 16 * 4]
+    stp fp, lr, [x0, 16 * 5]
+    mov x9, sp
+    str x9, [x0, 16 * 6]
+    ret
+
+.global load_context
+load_context:
+    ldp x19, x20, [x0, 16 * 0]
+    ldp x21, x22, [x0, 16 * 1]
+    ldp x23, x24, [x0, 16 * 2]
+    ldp x25, x26, [x0, 16 * 3]
+    ldp x27, x28, [x0, 16 * 4]
+    ldp fp, lr, [x0, 16 * 5]
+    ldr x9, [x0, 16 * 6]
+    mov sp,  x9
+    ret
+
+.global get_current
+get_current:
+    mrs x0, tpidr_el1
+    ret
diff --git a/lab6/src/sched.c b/lab6/src/sched.c
new file mode 100644
index 000000000..6bb04b900
--- /dev/null
+++ b/lab6/src/sched.c
@@ -0,0 +1,153 @@
+#include "sched.h"
+#include "exception.h"
+#include "memory.h"
+#include "mmu.h"
+#include "signal.h"
+#include "string.h"
+#include "timer.h"
+#include "uart1.h"
+
+thread_t *curr_thread;
+list_head_t *run_queue;
+thread_t threads[PIDMAX + 1];
+
+void init_thread_sched()
+{
+    lock();
+    run_queue = kmalloc(sizeof(list_head_t));
+    INIT_LIST_HEAD(run_queue);
+
+    // init pids
+    for (int i = 0; i <= PIDMAX; i++) {
+        threads[i].isused = 0;
+        threads[i].pid = i;
+        threads[i].iszombie = 0;
+    }
+
+    thread_t *idlethread = thread_create(idle, 0x1000);
+    curr_thread = idlethread;
+    asm volatile("msr tpidr_el1, %0" ::"r"(&idlethread->context));
+    unlock();
+}
+
+void idle()
+{
+    while (1) {
+        kill_zombies(); // reclaim threads marked as DEAD
+        schedule();     // switch to next thread in run queue
+    }
+}
+
+void schedule()
+{
+    lock();
+    do {
+        curr_thread = (thread_t *)curr_thread->listhead.next;
+    } while (list_is_head(&curr_thread->listhead, run_queue) || curr_thread->iszombie);
+    unlock();
+    switch_to(get_current(), &curr_thread->context);
+}
+
+void kill_zombies()
+{
+    lock();
+    list_head_t *curr;
+    list_for_each(curr, run_queue)
+    {
+        if (((thread_t *)curr)->iszombie) {
+            list_del_entry(curr);
+            kfree(((thread_t *)curr)->stack_alloced_ptr);        // free stack
+            kfree(((thread_t *)curr)->kernel_stack_alloced_ptr); // free stack
+            free_page_tables(((thread_t *)curr)->context.pgd, 0);
+            kfree(((thread_t *)curr)->data); // free data (don't free data because of fork)
+            ((thread_t *)curr)->iszombie = 0;
+            ((thread_t *)curr)->isused = 0;
+        }
+    }
+    unlock();
+}
+
+int thread_exec(char *data, unsigned int filesize)
+{
+    thread_t *t = thread_create(data, filesize);
+
+    mappages(t->context.pgd, USER_KERNEL_BASE, t->datasize, (size_t)VIRT_TO_PHYS(t->data));
+    mappages(t->context.pgd, USER_STACK_BASE - USTACK_SIZE, USTACK_SIZE, (size_t)VIRT_TO_PHYS(t->stack_alloced_ptr));
+    mappages(t->context.pgd, PERIPHERAL_START, PERIPHERAL_END - PERIPHERAL_START, PERIPHERAL_START);
+
+    t->context.pgd = VIRT_TO_PHYS(t->context.pgd);
+    t->context.sp = USER_STACK_BASE;
+    t->context.fp = USER_STACK_BASE;
+    t->context.lr = USER_KERNEL_BASE;
+
+    // copy file into data
+    for (int i = 0; i < filesize; i++) {
+        t->data[i] = data[i];
+    }
+
+    // disable echo when going to userspace
+    curr_thread = t;
+    add_timer(schedule_timer, 1, "", 0);
+    // eret to exception level 0
+    asm("msr tpidr_el1, %0\n\t"
+        "msr elr_el1, %1\n\t"
+        "msr spsr_el1, xzr\n\t" // enable interrupt in EL0. You can do it by setting spsr_el1 to 0 before returning to EL0.
+        "msr sp_el0, %2\n\t"
+        "mov sp, %3\n\t"
+        "msr ttbr0_el1, %4\n\t"
+        "eret\n\t" ::"r"(&t->context),
+        "r"(t->context.lr), "r"(t->context.sp), "r"(t->kernel_stack_alloced_ptr + KSTACK_SIZE), "r"(t->context.pgd));
+
+    return 0;
+}
+
+thread_t *thread_create(void *start, unsigned int filesize)
+{
+    lock();
+
+    thread_t *r;
+    for (int i = 0; i <= PIDMAX; i++) {
+        if (!threads[i].isused) {
+            r = &threads[i];
+            break;
+        }
+    }
+    r->iszombie = 0;
+    r->isused = 1;
+    r->context.lr = (unsigned long long)start;
+    r->stack_alloced_ptr = kmalloc(USTACK_SIZE);
+    r->kernel_stack_alloced_ptr = kmalloc(KSTACK_SIZE);
+    r->signal_is_checking = 0;
+    r->data = kmalloc(filesize);
+    r->datasize = filesize;
+    r->context.sp = (unsigned long long)r->kernel_stack_alloced_ptr + KSTACK_SIZE;
+    r->context.fp = r->context.sp;
+
+    r->context.pgd = kmalloc(0x1000);
+    memset(r->context.pgd, 0, 0x1000);
+
+    // initial signal handler with signal_default_handler (kill thread)
+    for (int i = 0; i < SIGNAL_MAX; i++) {
+        r->signal_handler[i] = signal_default_handler;
+        r->sigcount[i] = 0;
+    }
+
+    list_add(&r->listhead, run_queue);
+    unlock();
+    return r;
+}
+
+void thread_exit()
+{
+    lock();
+    curr_thread->iszombie = 1;
+    unlock();
+    schedule();
+}
+
+void schedule_timer(char *notuse)
+{
+    unsigned long long cntfrq_el0;
+    __asm__ __volatile__("mrs %0, cntfrq_el0\n\t" : "=r"(cntfrq_el0)); // tick frequency
+    add_timer(schedule_timer, cntfrq_el0 >> 5, "", 1);
+}
diff --git a/lab6/src/shell.c b/lab6/src/shell.c
new file mode 100644
index 000000000..ae3d3058f
--- /dev/null
+++ b/lab6/src/shell.c
@@ -0,0 +1,219 @@
+#include "shell.h"
+#include "cpio.h"
+#include "dtb.h"
+#include "mbox.h"
+#include "memory.h"
+#include "power.h"
+#include "sched.h"
+#include "string.h"
+#include "timer.h"
+#include "uart1.h"
+#include <stddef.h>
+
+#define CLI_MAX_CMD 10
+
+extern int uart_recv_echo_flag;
+extern char *dtb_ptr;
+extern void *CPIO_DEFAULT_START;
+
+struct CLI_CMDS cmd_list[CLI_MAX_CMD] = {{.command = "hello", .help = "print Hello World!"},
+                                         {.command = "cat", .help = "concatenate files and print on the standard output"},
+                                         {.command = "dtb", .help = "show device tree"},
+                                         {.command = "exec", .help = "execute a command, replacing current image with a new image"},
+                                         {.command = "help", .help = "print all available commands"},
+                                         {.command = "info", .help = "get device information via mailbox"},
+                                         {.command = "ls", .help = "list directory contents"},
+                                         {.command = "timeout", .help = "timeout [MESSAGE] [SECONDS]"},
+                                         {.command = "clear", .help = "clear the screen"},
+                                         {.command = "reboot", .help = "reboot the device"}};
+
+void cli_cmd_clear(char *buffer, int length)
+{
+    for (int i = 0; i < length; i++) {
+        buffer[i] = '\0';
+    }
+}
+
+void cli_cmd_read(char *buffer)
+{
+    char c = '\0';
+    int idx = 0;
+    while (1) {
+        if (idx >= CMD_MAX_LEN)
+            break;
+        c = uart_async_getc();
+        if (c == '\n')
+            break;
+        else if (c == 127) {
+            if (idx > 0) {
+                uart_send('\b');
+                uart_send(' ');
+                uart_send('\b');
+                idx--;
+            }
+        }
+        else
+            buffer[idx++] = c;
+    }
+}
+
+void cli_cmd_exec(char *buffer)
+{
+    if (!buffer)
+        return;
+
+    char *cmd = buffer;
+    char *argvs = str_SepbySpace(buffer);
+
+    if (strcmp(cmd, "cat") == 0) {
+        do_cmd_cat(argvs);
+    }
+    else if (strcmp(cmd, "clear") == 0) {
+        uart_puts("\033[2J\033[H");
+    }
+    else if (strcmp(cmd, "dtb") == 0) {
+        do_cmd_dtb();
+    }
+    else if (strcmp(cmd, "exec") == 0) {
+        do_cmd_exec(argvs);
+    }
+    else if (strcmp(cmd, "hello") == 0) {
+        do_cmd_hello();
+    }
+    else if (strcmp(cmd, "help") == 0) {
+        do_cmd_help();
+    }
+    else if (strcmp(cmd, "info") == 0) {
+        do_cmd_info();
+    }
+    else if (strcmp(cmd, "ls") == 0) {
+        do_cmd_ls(argvs);
+    }
+    else if (strcmp(cmd, "timeout") == 0) {
+        char *sec = str_SepbySpace(argvs);
+        do_cmd_setTimeout(argvs, sec);
+    }
+    else if (strcmp(cmd, "reboot") == 0) {
+        do_cmd_reboot();
+    }
+}
+
+void do_cmd_cat(char *filepath)
+{
+    char *c_filepath;
+    char *c_filedata;
+    unsigned int c_filesize;
+    struct cpio_newc_header *header_ptr = CPIO_DEFAULT_START;
+
+    while (header_ptr != 0) {
+        int error = cpio_newc_parse_header(header_ptr, &c_filepath, &c_filesize, &c_filedata, &header_ptr);
+        if (error)
+            break;
+        if (strcmp(c_filepath, filepath) == 0) {
+            uart_puts("%s", c_filedata);
+            break;
+        }
+        if (header_ptr == 0)
+            uart_puts("cat: %s: No such file or directory\n", filepath);
+    }
+}
+
+void do_cmd_dtb() { traverse_device_tree(dtb_ptr, dtb_callback_show_tree); }
+
+void do_cmd_help()
+{
+    for (int i = 0; i < CLI_MAX_CMD; i++) {
+        uart_puts(cmd_list[i].command);
+        uart_puts("\t\t: ");
+        uart_puts(cmd_list[i].help);
+        uart_puts("\r\n");
+    }
+}
+
+void do_cmd_exec(char *filepath)
+{
+    char *c_filepath;
+    char *c_filedata;
+    unsigned int c_filesize;
+    struct cpio_newc_header *header_ptr = CPIO_DEFAULT_START;
+
+    while (header_ptr != 0) {
+        int error = cpio_newc_parse_header(header_ptr, &c_filepath, &c_filesize, &c_filedata, &header_ptr);
+        if (error)
+            break;
+
+        if (strcmp(c_filepath, filepath) == 0) {
+            uart_recv_echo_flag = 0; // syscall.img has different mechanism on uart I/O.
+            thread_exec(c_filedata, c_filesize);
+        }
+        if (header_ptr == 0)
+            uart_puts("cat: %s: No such file or directory\n", filepath);
+    }
+}
+
+void do_cmd_hello() { uart_puts("Hello World!\r\n"); }
+
+void do_cmd_info()
+{
+    // print hw revision
+    pt[0] = 8 * 4;
+    pt[1] = MBOX_REQUEST_PROCESS;
+    pt[2] = MBOX_TAG_GET_BOARD_REVISION;
+    pt[3] = 4;
+    pt[4] = MBOX_TAG_REQUEST_CODE;
+    pt[5] = 0;
+    pt[6] = 0;
+    pt[7] = MBOX_TAG_LAST_BYTE;
+
+    if (mbox_call(MBOX_TAGS_ARM_TO_VC, (unsigned int)((unsigned long)&pt))) {
+        uart_puts("Hardware Revision\t: ");
+        uart_2hex(pt[6]);
+        uart_2hex(pt[5]);
+        uart_puts("\r\n");
+    }
+    // print arm memory
+    pt[0] = 8 * 4;
+    pt[1] = MBOX_REQUEST_PROCESS;
+    pt[2] = MBOX_TAG_GET_ARM_MEMORY;
+    pt[3] = 8;
+    pt[4] = MBOX_TAG_REQUEST_CODE;
+    pt[5] = 0;
+    pt[6] = 0;
+    pt[7] = MBOX_TAG_LAST_BYTE;
+
+    if (mbox_call(MBOX_TAGS_ARM_TO_VC, (unsigned int)((unsigned long)&pt))) {
+        uart_puts("ARM Memory Base Address\t: ");
+        uart_2hex(pt[5]);
+        uart_puts("\r\n");
+        uart_puts("ARM Memory Size\t\t: ");
+        uart_2hex(pt[6]);
+        uart_puts("\r\n");
+    }
+}
+
+void do_cmd_ls(char *workdir)
+{
+    char *c_filepath;
+    char *c_filedata;
+    unsigned int c_filesize;
+    struct cpio_newc_header *header_ptr = CPIO_DEFAULT_START;
+
+    while (header_ptr != 0) {
+        int error = cpio_newc_parse_header(header_ptr, &c_filepath, &c_filesize, &c_filedata, &header_ptr);
+        if (error)
+            break;
+        if (header_ptr != 0)
+            uart_puts("%s\n", c_filepath);
+    }
+}
+
+void do_cmd_setTimeout(char *msg, char *sec) { add_timer(uart_printf, atoi(sec), msg, 0); }
+
+void do_cmd_reboot()
+{
+    uart_puts("Reboot in 5 seconds ...\r\n\r\n");
+    volatile unsigned int *rst_addr = (unsigned int *)PM_RSTC;
+    *rst_addr = PM_PASSWORD | 0x20;
+    volatile unsigned int *wdg_addr = (unsigned int *)PM_WDOG;
+    *wdg_addr = PM_PASSWORD | 5;
+}
diff --git a/lab6/src/signal.c b/lab6/src/signal.c
new file mode 100644
index 000000000..52e36aefd
--- /dev/null
+++ b/lab6/src/signal.c
@@ -0,0 +1,65 @@
+#include "signal.h"
+#include "sched.h"
+#include "syscall.h"
+#include "memory.h"
+
+void check_signal(trapframe_t *tpf)
+{
+    lock();
+    if(curr_thread->signal_is_checking)
+    {
+        unlock();
+        return;
+    }
+    //prevent nested running signal handler
+    curr_thread->signal_is_checking = 1;
+    unlock();
+    for (int i = 0; i <= SIGNAL_MAX; i++)
+    {
+        store_context(&curr_thread->signal_saved_context);
+        if(curr_thread->sigcount[i]>0)
+        {
+            lock();
+            curr_thread->sigcount[i]--;
+            unlock();
+            run_signal(tpf,i);
+        }
+    }
+    lock();
+    curr_thread->signal_is_checking = 0;
+    unlock();
+}
+
+void run_signal(trapframe_t* tpf,int signal)
+{
+    curr_thread->curr_signal_handler = curr_thread->signal_handler[signal];
+
+    //run default handler in kernel
+    if (curr_thread->curr_signal_handler == signal_default_handler)
+    {
+        signal_default_handler();
+        return;
+    }
+
+    char *temp_signal_userstack = kmalloc(USTACK_SIZE);
+
+    asm("msr elr_el1, %0\n\t"
+        "msr sp_el0, %1\n\t"
+        "msr spsr_el1, %2\n\t"
+        "eret\n\t" ::"r"(signal_handler_wrapper),
+        "r"(temp_signal_userstack + USTACK_SIZE),
+        "r"(tpf->spsr_el1));
+}
+
+void signal_handler_wrapper()
+{
+    (curr_thread->curr_signal_handler)();
+    //system call sigreturn
+    asm("mov x8,50\n\t"
+        "svc 0\n\t");
+}
+
+void signal_default_handler()
+{
+    kill(0,curr_thread->pid);
+}
diff --git a/lab6/src/string.c b/lab6/src/string.c
new file mode 100644
index 000000000..225ac7e1b
--- /dev/null
+++ b/lab6/src/string.c
@@ -0,0 +1,252 @@
+#include "string.h"
+#include <stddef.h>
+
+unsigned int vsprintf(char *dst, char *fmt, __builtin_va_list args)
+{
+    long int arg;
+    int len, sign, i;
+    char *p, *orig = dst, tmpstr[19];
+
+    // failsafes
+    if (dst == (void *)0 || fmt == (void *)0) {
+        return 0;
+    }
+
+    // main loop
+    arg = 0;
+    while (*fmt) {
+        if (dst - orig > VSPRINT_MAX_BUF_SIZE - 0x10) {
+            return -1;
+        }
+        // argument access
+        if (*fmt == '%') {
+            fmt++;
+            // literal %
+            if (*fmt == '%') {
+                goto put;
+            }
+            len = 0;
+            // size modifier
+            while (*fmt >= '0' && *fmt <= '9') {
+                len *= 10;
+                len += *fmt - '0';
+                fmt++;
+            }
+            // skip long modifier
+            if (*fmt == 'l') {
+                fmt++;
+            }
+            // character
+            if (*fmt == 'c') {
+                arg = __builtin_va_arg(args, int);
+                *dst++ = (char)arg;
+                fmt++;
+                continue;
+            }
+            else
+                // decimal number
+                if (*fmt == 'd') {
+                    arg = __builtin_va_arg(args, int);
+                    // check input
+                    sign = 0;
+                    if ((int)arg < 0) {
+                        arg *= -1;
+                        sign++;
+                    }
+                    if (arg > 99999999999999999L) {
+                        arg = 99999999999999999L;
+                    }
+                    // convert to string
+                    i = 18;
+                    tmpstr[i] = 0;
+                    do {
+                        tmpstr[--i] = '0' + (arg % 10);
+                        arg /= 10;
+                    } while (arg != 0 && i > 0);
+                    if (sign) {
+                        tmpstr[--i] = '-';
+                    }
+                    if (len > 0 && len < 18) {
+                        while (i > 18 - len) {
+                            tmpstr[--i] = ' ';
+                        }
+                    }
+                    p = &tmpstr[i];
+                    goto copystring;
+                }
+                else if (*fmt == 'x') {
+                    arg = __builtin_va_arg(args, long int);
+                    i = 16;
+                    tmpstr[i] = 0;
+                    do {
+                        char n = arg & 0xf;
+                        tmpstr[--i] = n + (n > 9 ? 0x37 : 0x30);
+                        arg >>= 4;
+                    } while (arg != 0 && i > 0);
+                    if (len > 0 && len <= 16) {
+                        while (i > 16 - len) {
+                            tmpstr[--i] = '0';
+                        }
+                    }
+                    p = &tmpstr[i];
+                    goto copystring;
+                }
+                else if (*fmt == 's') {
+                    p = __builtin_va_arg(args, char *);
+                copystring:
+                    if (p == (void *)0) {
+                        p = "(null)";
+                    }
+                    while (*p) {
+                        *dst++ = *p++;
+                    }
+                }
+        }
+        else {
+        put:
+            *dst++ = *fmt;
+        }
+        fmt++;
+    }
+    *dst = 0;
+    return dst - orig;
+}
+
+unsigned int sprintf(char *dst, char *fmt, ...)
+{
+    __builtin_va_list args;
+    __builtin_va_start(args, fmt);
+    unsigned int r = vsprintf(dst, fmt, args);
+    __builtin_va_end(args);
+    return r;
+}
+
+unsigned long long strlen(const char *str)
+{
+    size_t count = 0;
+    while ((unsigned char)*str++)
+        count++;
+    return count;
+}
+
+int strcmp(const char *p1, const char *p2)
+{
+    const unsigned char *s1 = (const unsigned char *)p1;
+    const unsigned char *s2 = (const unsigned char *)p2;
+    unsigned char c1, c2;
+
+    do {
+        c1 = (unsigned char)*s1++;
+        c2 = (unsigned char)*s2++;
+        if (c1 == '\0')
+            return c1 - c2;
+    } while (c1 == c2);
+    return c1 - c2;
+}
+
+int strncmp(const char *s1, const char *s2, unsigned long long n)
+{
+    unsigned char c1 = '\0';
+    unsigned char c2 = '\0';
+    if (n >= 4) {
+        size_t n4 = n >> 2;
+        do {
+            c1 = (unsigned char)*s1++;
+            c2 = (unsigned char)*s2++;
+            if (c1 == '\0' || c1 != c2)
+                return c1 - c2;
+            c1 = (unsigned char)*s1++;
+            c2 = (unsigned char)*s2++;
+            if (c1 == '\0' || c1 != c2)
+                return c1 - c2;
+            c1 = (unsigned char)*s1++;
+            c2 = (unsigned char)*s2++;
+            if (c1 == '\0' || c1 != c2)
+                return c1 - c2;
+            c1 = (unsigned char)*s1++;
+            c2 = (unsigned char)*s2++;
+            if (c1 == '\0' || c1 != c2)
+                return c1 - c2;
+        } while (--n4 > 0);
+        n &= 3;
+    }
+    while (n > 0) {
+        c1 = (unsigned char)*s1++;
+        c2 = (unsigned char)*s2++;
+        if (c1 == '\0' || c1 != c2)
+            return c1 - c2;
+        n--;
+    }
+    return c1 - c2;
+}
+
+char *memcpy(void *dest, const void *src, unsigned long long len)
+{
+    char *d = dest;
+    const char *s = src;
+    while (len--)
+        *d++ = *s++;
+    return dest;
+}
+
+char *strcpy(char *dest, const char *src) { return memcpy(dest, src, strlen(src) + 1); }
+
+void *memset(void *s, int c, size_t n)
+{
+    char *start = s;
+    for (size_t i = 0; i < n; i++) {
+        start[i] = c;
+    }
+
+    return s;
+}
+
+char *strchr(register const char *s, int c)
+{
+    do {
+        if (*s == c) {
+            return (char *)s;
+        }
+    } while (*s++);
+    return (0);
+}
+
+char *str_SepbySpace(char *head)
+{
+    char *end;
+    while (1) {
+        if (*head == '\0') {
+            end = head;
+            break;
+        }
+        if (*head == ' ') {
+            *head = '\0';
+            end = head + 1;
+            break;
+        }
+        head++;
+    }
+    return end;
+}
+
+// A simple atoi() function
+int atoi(char *str)
+{
+    // Initialize result
+    int res = 0;
+
+    // Iterate through all characters
+    // of input string and update result
+    // take ASCII character of corresponding digit and
+    // subtract the code from '0' to get numerical
+    // value and multiply res by 10 to shuffle
+    // digits left to update running total
+    for (int i = 0; str[i] != '\0'; ++i) {
+        if (str[i] > '9' || str[i] < '0')
+            return res;
+        res = res * 10 + str[i] - '0';
+    }
+
+    // return result.
+    return res;
+}
diff --git a/lab6/src/syscall.c b/lab6/src/syscall.c
new file mode 100644
index 000000000..be42455a3
--- /dev/null
+++ b/lab6/src/syscall.c
@@ -0,0 +1,206 @@
+#include "syscall.h"
+#include "cpio.h"
+#include "exception.h"
+#include "mbox.h"
+#include "memory.h"
+#include "mmu.h"
+#include "sched.h"
+#include "signal.h"
+#include "stddef.h"
+#include "string.h"
+#include "uart1.h"
+
+int getpid(trapframe_t *tpf)
+{
+    tpf->x0 = curr_thread->pid;
+    return curr_thread->pid;
+}
+
+size_t uartread(trapframe_t *tpf, char buf[], size_t size)
+{
+    int i = 0;
+    for (int i = 0; i < size; i++) {
+        buf[i] = uart_async_getc();
+    }
+    tpf->x0 = i;
+    return i;
+}
+
+size_t uartwrite(trapframe_t *tpf, const char buf[], size_t size)
+{
+    int i = 0;
+    for (int i = 0; i < size; i++) {
+        uart_async_putc(buf[i]);
+    }
+    tpf->x0 = i;
+    return i;
+}
+
+// In this lab, you won’t have to deal with argument passing
+int exec(trapframe_t *tpf, const char *name, char *const argv[])
+{
+    kfree(curr_thread->data);
+    curr_thread->datasize = get_file_size((char *)name);
+    char *new_data = get_file_start((char *)name);
+    curr_thread->data = kmalloc(curr_thread->datasize);
+
+    for (unsigned int i = 0; i < curr_thread->datasize; i++) {
+        curr_thread->data[i] = new_data[i];
+    }
+
+    // clear signal handler
+    for (int i = 0; i <= SIGNAL_MAX; i++) {
+        curr_thread->signal_handler[i] = signal_default_handler;
+    }
+
+    tpf->elr_el1 = USER_KERNEL_BASE;
+    tpf->sp_el0 = USER_STACK_BASE;
+    tpf->x0 = 0;
+    return 0;
+}
+
+int fork(trapframe_t *tpf)
+{
+    lock();
+    thread_t *newt = thread_create(curr_thread->data, curr_thread->datasize);
+
+    // copy signal handler
+    for (int i = 0; i <= SIGNAL_MAX; i++) {
+        newt->signal_handler[i] = curr_thread->signal_handler[i];
+    }
+
+    // remap
+    mappages(newt->context.pgd, USER_KERNEL_BASE, newt->datasize, (size_t)VIRT_TO_PHYS(newt->data));
+    mappages(newt->context.pgd, USER_STACK_BASE - USTACK_SIZE, USTACK_SIZE, (size_t)VIRT_TO_PHYS(newt->stack_alloced_ptr));
+    mappages(newt->context.pgd, PERIPHERAL_START, PERIPHERAL_END - PERIPHERAL_START, PERIPHERAL_START);
+
+    int parent_pid = curr_thread->pid;
+
+    // copy data into new process
+    for (int i = 0; i < newt->datasize; i++) {
+        newt->data[i] = curr_thread->data[i];
+    }
+
+    // copy user stack into new process
+    for (int i = 0; i < USTACK_SIZE; i++) {
+        newt->stack_alloced_ptr[i] = curr_thread->stack_alloced_ptr[i];
+    }
+
+    // copy stack into new process
+    for (int i = 0; i < KSTACK_SIZE; i++) {
+        newt->kernel_stack_alloced_ptr[i] = curr_thread->kernel_stack_alloced_ptr[i];
+    }
+
+    store_context(get_current());
+
+    // for child
+    if (parent_pid != curr_thread->pid) {
+        goto child;
+    }
+
+    void *temp_pgd = newt->context.pgd;
+    newt->context = curr_thread->context;
+    newt->context.pgd = VIRT_TO_PHYS(temp_pgd);
+    newt->context.fp += newt->kernel_stack_alloced_ptr - curr_thread->kernel_stack_alloced_ptr; // move fp
+    newt->context.sp += newt->kernel_stack_alloced_ptr - curr_thread->kernel_stack_alloced_ptr; // move kernel sp
+
+    unlock();
+
+    tpf->x0 = newt->pid;
+    return newt->pid;
+
+child:
+    tpf->x0 = 0;
+    return 0;
+}
+
+void exit(trapframe_t *tpf, int status) { thread_exit(); }
+
+int syscall_mbox_call(trapframe_t *tpf, unsigned char ch, unsigned int *mbox_user)
+{
+    lock();
+
+    unsigned int size_of_mbox = mbox_user[0];
+    memcpy((char *)pt, mbox_user, size_of_mbox);
+    mbox_call(MBOX_TAGS_ARM_TO_VC, (unsigned int)((unsigned long)&pt));
+    memcpy(mbox_user, (char *)pt, size_of_mbox);
+
+    tpf->x0 = 8;
+    unlock();
+    return 0;
+}
+
+void kill(trapframe_t *tpf, int pid)
+{
+    lock();
+    if (pid >= PIDMAX || pid < 0 || !threads[pid].isused) {
+        unlock();
+        return;
+    }
+    threads[pid].iszombie = 1;
+    unlock();
+    schedule();
+}
+
+void signal_register(int signal, void (*handler)())
+{
+    if (signal > SIGNAL_MAX || signal < 0)
+        return;
+
+    curr_thread->signal_handler[signal] = handler;
+}
+
+void signal_kill(int pid, int signal)
+{
+    if (pid > PIDMAX || pid < 0 || !threads[pid].isused)
+        return;
+
+    lock();
+    threads[pid].sigcount[signal]++;
+    unlock();
+}
+
+void sigreturn(trapframe_t *tpf)
+{
+    unsigned long signal_ustack = tpf->sp_el0 % USTACK_SIZE == 0 ? tpf->sp_el0 - USTACK_SIZE : tpf->sp_el0 & (~(USTACK_SIZE - 1));
+    kfree((char *)signal_ustack);
+    load_context(&curr_thread->signal_saved_context);
+}
+
+char *get_file_start(char *thefilepath)
+{
+    char *filepath;
+    char *filedata;
+    unsigned int filesize;
+    struct cpio_newc_header *header_pointer = CPIO_DEFAULT_START;
+
+    while (header_pointer != 0) {
+        int error = cpio_newc_parse_header(header_pointer, &filepath, &filesize, &filedata, &header_pointer);
+        if (error)
+            break;
+        if (strcmp(thefilepath, filepath) == 0)
+            return filedata;
+        if (header_pointer == 0)
+            uart_puts("execfile: %s: No such file or directory\r\n", thefilepath);
+    }
+    return 0;
+}
+
+unsigned int get_file_size(char *thefilepath)
+{
+    char *filepath;
+    char *filedata;
+    unsigned int filesize;
+    struct cpio_newc_header *header_pointer = CPIO_DEFAULT_START;
+
+    while (header_pointer != 0) {
+        int error = cpio_newc_parse_header(header_pointer, &filepath, &filesize, &filedata, &header_pointer);
+        if (error)
+            break;
+        if (strcmp(thefilepath, filepath) == 0)
+            return filesize;
+        if (header_pointer == 0)
+            uart_puts("execfile: %s: No such file or directory\r\n", thefilepath);
+    }
+    return 0;
+}
diff --git a/lab6/src/timer.c b/lab6/src/timer.c
new file mode 100644
index 000000000..d5e369ff6
--- /dev/null
+++ b/lab6/src/timer.c
@@ -0,0 +1,163 @@
+#include "timer.h"
+#include "uart1.h"
+#include "memory.h"
+#include "string.h"
+#include "exception.h"
+
+#define STR(x) #x
+#define XSTR(s) STR(s)
+
+struct list_head *timer_event_list;
+
+void timer_list_init()
+{
+    unsigned long long tmp;
+    asm volatile("mrs %0, cntkctl_el1": "=r"(tmp));
+    tmp |= 1;
+    asm volatile("msr cntkctl_el1, %0":: "r"(tmp));
+
+    timer_event_list = kmalloc(sizeof(list_head_t));
+    INIT_LIST_HEAD(timer_event_list);
+}
+
+void core_timer_enable()
+{
+    __asm__ __volatile__(
+        "mov x1, 1\n\t"
+        "msr cntp_ctl_el0, x1\n\t" // enable
+
+        "mov x2, 2\n\t"
+        "ldr x1, =" XSTR(CORE0_TIMER_IRQ_CTRL) "\n\t"
+        "str w2, [x1]\n\t" // unmask timer interrupt
+    :::"x1","x2");
+}
+
+void core_timer_disable()
+{
+    __asm__ __volatile__(
+        "mov x2, 0\n\t"
+        "ldr x1, =" XSTR(CORE0_TIMER_IRQ_CTRL) "\n\t"
+        "str w2, [x1]\n\t" // unmask timer interrupt
+    :::"x1","x2");
+}
+
+void timer_event_callback(timer_event_t *timer_event)
+{
+    ((void (*)(char *))timer_event->callback)(timer_event->args); // call the callback store in event
+    list_del_entry((struct list_head *)timer_event);              // delete the event
+    kfree(timer_event->args); // kfree the arg space
+    kfree(timer_event);
+
+    //set interrupt to next time_event if existing
+    if (!list_empty(timer_event_list))
+    {
+        set_core_timer_interrupt_by_tick(((timer_event_t *)timer_event_list->next)->interrupt_time);
+    }
+    else
+    {
+        set_core_timer_interrupt(10000); // disable timer interrupt (set a very big value)
+    }
+}
+
+void core_timer_handler()
+{
+    lock();
+    //disable_interrupt();
+    if (list_empty(timer_event_list))
+    {
+        set_core_timer_interrupt(10000); // disable timer interrupt (set a very big value)
+        unlock();
+        return;
+    }
+
+    timer_event_callback((timer_event_t *)timer_event_list->next); // do callback and set new interrupt
+    unlock();
+}
+
+// give a string argument to callback   timeout after seconds
+void add_timer(void *callback, unsigned long long timeout, char *args, int bytick)
+{
+    timer_event_t *the_timer_event = kmalloc(sizeof(timer_event_t)); //need to kfree by event handler
+
+    // store argument string into timer_event
+    the_timer_event->args = kmalloc(strlen(args) + 1);
+    strcpy(the_timer_event->args, args);
+
+    if(bytick == 0)
+    {
+        the_timer_event->interrupt_time = get_tick_plus_s(timeout); // store interrupt time into timer_event
+    }else
+    {
+        the_timer_event->interrupt_time = get_tick_plus_s(0) + timeout;
+    }
+
+    the_timer_event->callback = callback;
+
+    // add the timer_event into timer_event_list (sorted)
+    struct list_head *curr;
+
+    lock();
+    list_for_each(curr, timer_event_list)
+    {
+        if (((timer_event_t *)curr)->interrupt_time > the_timer_event->interrupt_time)
+        {
+            list_add(&the_timer_event->listhead, curr->prev); // add this timer at the place just before the bigger one (sorted)
+            break;
+        }
+    }
+
+    if (list_is_head(curr, timer_event_list))
+    {
+        list_add_tail(&the_timer_event->listhead, timer_event_list); // for the time is the biggest
+    }
+
+
+    // set interrupt to first event
+    set_core_timer_interrupt_by_tick(((timer_event_t *)timer_event_list->next)->interrupt_time);
+    unlock();
+}
+
+
+// get cpu tick add some second
+unsigned long long get_tick_plus_s(unsigned long long second)
+{
+
+    unsigned long long cntpct_el0 = 0;
+    __asm__ __volatile__("mrs %0, cntpct_el0\n\t"
+                         : "=r"(cntpct_el0)); //tick now
+
+    unsigned long long cntfrq_el0 = 0;
+    __asm__ __volatile__("mrs %0, cntfrq_el0\n\t"
+                         : "=r"(cntfrq_el0)); //tick frequency
+
+    return (cntpct_el0 + cntfrq_el0 * second);
+}
+
+// set timer interrupt time to [expired_time] seconds after now (relatively)
+void set_core_timer_interrupt(unsigned long long expired_time)
+{
+    __asm__ __volatile__(
+        "mrs x1, cntfrq_el0\n\t" //cntfrq_el0 -> relative time
+        "mul x1, x1, %0\n\t"
+        "msr cntp_tval_el0, x1\n\t" // set expired time
+        :: "r"(expired_time):"x1");
+}
+
+// directly set timer interrupt time to a cpu tick  (directly)
+void set_core_timer_interrupt_by_tick(unsigned long long tick)
+{
+    __asm__ __volatile__(
+        "msr cntp_cval_el0, %0\n\t" //cntp_cval_el0 -> absolute time
+        :: "r"(tick));
+}
+
+int timer_list_get_size()
+{
+    int r = 0;
+    struct list_head *curr;
+    list_for_each(curr, timer_event_list)
+    {
+        r++;
+    }
+    return r;
+}
diff --git a/lab6/src/uart1.c b/lab6/src/uart1.c
new file mode 100644
index 000000000..4d9d7e425
--- /dev/null
+++ b/lab6/src/uart1.c
@@ -0,0 +1,194 @@
+#include "uart1.h"
+#include "bcm2837/rpi_gpio.h"
+#include "bcm2837/rpi_irq.h"
+#include "bcm2837/rpi_uart1.h"
+#include "exception.h"
+#include "string.h"
+
+// implement first in first out buffer with a read index and a write index
+char uart_tx_buffer[VSPRINT_MAX_BUF_SIZE] = {};
+unsigned int uart_tx_buffer_widx = 0; // write index
+unsigned int uart_tx_buffer_ridx = 0; // read index
+char uart_rx_buffer[VSPRINT_MAX_BUF_SIZE] = {};
+unsigned int uart_rx_buffer_widx = 0;
+unsigned int uart_rx_buffer_ridx = 0;
+
+int uart_recv_echo_flag = 1;
+
+void uart_init()
+{
+    register unsigned int r;
+
+    /* initialize UART */
+    *AUX_ENABLES |= 1;    // enable UART1
+    *AUX_MU_CNTL_REG = 0; // disable TX/RX
+
+    /* configure UART */
+    *AUX_MU_IER_REG = 0;    // disable interrupt
+    *AUX_MU_LCR_REG = 3;    // 8 bit data size
+    *AUX_MU_MCR_REG = 0;    // disable flow control
+    *AUX_MU_BAUD_REG = 270; // 115200 baud rate
+    *AUX_MU_IIR_REG = 0xC6; // disable FIFO
+
+    /* map UART1 to GPIO pins */
+    r = *GPFSEL1;
+    r &= ~(7 << 12); // clean gpio14
+    r |= 2 << 12;    // set gpio14 to alt5
+    r &= ~(7 << 15); // clean gpio15
+    r |= 2 << 15;    // set gpio15 to alt5
+    *GPFSEL1 = r;
+
+    /* enable pin 14, 15 - ref: Page 101 */
+    *GPPUD = 0;
+    r = 150;
+    while (r--) {
+        asm volatile("nop");
+    }
+    *GPPUDCLK0 = (1 << 14) | (1 << 15);
+    r = 150;
+    while (r--) {
+        asm volatile("nop");
+    }
+    *GPPUDCLK0 = 0;
+
+    *AUX_MU_CNTL_REG = 3; // enable TX/RX
+}
+
+char uart_recv()
+{
+    char r;
+    while (!(*AUX_MU_LSR_REG & 0x01)) {
+    };
+    r = (char)(*AUX_MU_IO_REG);
+    if (uart_recv_echo_flag) {
+        uart_send(r);
+        if (r == '\r') {
+            uart_send('\r');
+            uart_send('\n');
+        }
+    }
+    return r == '\r' ? '\n' : r;
+}
+
+void uart_send(char c)
+{
+    while (!(*AUX_MU_LSR_REG & 0x20)) {
+    };
+    *AUX_MU_IO_REG = c;
+}
+
+void uart_2hex(unsigned int d)
+{
+    unsigned int n;
+    int c;
+    for (c = 28; c >= 0; c -= 4) {
+        n = (d >> c) & 0xF;
+        n += n > 9 ? 0x37 : 0x30;
+        uart_send(n);
+    }
+}
+
+int uart_printf(char *fmt, ...)
+{
+    __builtin_va_list args;
+    __builtin_va_start(args, fmt);
+    char buf[VSPRINT_MAX_BUF_SIZE];
+
+    char *str = (char *)buf;
+    int count = vsprintf(str, fmt, args);
+
+    while (*str) {
+        if (*str == '\n')
+            uart_send('\r');
+        uart_send(*str++);
+    }
+    __builtin_va_end(args);
+    return count;
+}
+
+// uart_async_getc read from buffer
+// uart_r_irq_handler write to buffer then output
+char uart_async_getc()
+{
+    *AUX_MU_IER_REG |= 1; // enable read interrupt
+    // do while if buffer empty
+    while (uart_rx_buffer_ridx == uart_rx_buffer_widx)
+        *AUX_MU_IER_REG |= 1; // enable read interrupt
+    lock();
+    char r = uart_rx_buffer[uart_rx_buffer_ridx++];
+    if (uart_rx_buffer_ridx >= VSPRINT_MAX_BUF_SIZE)
+        uart_rx_buffer_ridx = 0;
+    unlock();
+    return r;
+}
+
+// uart_async_putc writes to buffer
+// uart_w_irq_handler read from buffer then output
+void uart_async_putc(char c)
+{
+    // if buffer full, wait for uart_w_irq_handler
+    while ((uart_tx_buffer_widx + 1) % VSPRINT_MAX_BUF_SIZE == uart_tx_buffer_ridx)
+        *AUX_MU_IER_REG |= 2; // enable write interrupt
+    lock();
+    uart_tx_buffer[uart_tx_buffer_widx++] = c;
+    if (uart_tx_buffer_widx >= VSPRINT_MAX_BUF_SIZE)
+        uart_tx_buffer_widx = 0; // cycle pointer
+    unlock();
+    *AUX_MU_IER_REG |= 2; // enable write interrupt
+}
+
+int uart_puts(char *fmt, ...)
+{
+    __builtin_va_list args;
+    __builtin_va_start(args, fmt);
+    char buf[VSPRINT_MAX_BUF_SIZE];
+
+    char *str = (char *)buf;
+    int count = vsprintf(str, fmt, args);
+
+    while (*str) {
+        if (*str == '\n')
+            uart_async_putc('\r');
+        uart_async_putc(*str++);
+    }
+    __builtin_va_end(args);
+    return count;
+}
+
+// AUX_MU_IER_REG -> BCM2837-ARM-Peripherals.pdf - Pg.12
+void uart_interrupt_enable()
+{
+    *AUX_MU_IER_REG |= 1;      // enable read interrupt
+    *AUX_MU_IER_REG |= 2;      // enable write interrupt
+    *ENABLE_IRQS_1 |= 1 << 29; // Pg.112
+}
+
+void uart_interrupt_disable()
+{
+    *AUX_MU_IER_REG &= ~(1); // disable read interrupt
+    *AUX_MU_IER_REG &= ~(2); // disable write interrupt
+}
+
+void uart_r_irq_handler()
+{
+    if ((uart_rx_buffer_widx + 1) % VSPRINT_MAX_BUF_SIZE == uart_rx_buffer_ridx) {
+        *AUX_MU_IER_REG &= ~(1); // disable read interrupt
+        return;
+    }
+    uart_rx_buffer[uart_rx_buffer_widx++] = uart_recv();
+    if (uart_rx_buffer_widx >= VSPRINT_MAX_BUF_SIZE)
+        uart_rx_buffer_widx = 0;
+    *AUX_MU_IER_REG |= 1;
+}
+
+void uart_w_irq_handler()
+{
+    if (uart_tx_buffer_ridx == uart_tx_buffer_widx) {
+        *AUX_MU_IER_REG &= ~(2); // disable write interrupt
+        return;                  // buffer empty
+    }
+    uart_send(uart_tx_buffer[uart_tx_buffer_ridx++]);
+    if (uart_tx_buffer_ridx >= VSPRINT_MAX_BUF_SIZE)
+        uart_tx_buffer_ridx = 0;
+    *AUX_MU_IER_REG |= 2; // enable write interrupt
+}
diff --git a/lab6/upload.py b/lab6/upload.py
new file mode 100644
index 000000000..03fb2dc11
--- /dev/null
+++ b/lab6/upload.py
@@ -0,0 +1,86 @@
+#!/usr/bin/env python3
+
+from serial import Serial
+from pwn import *
+import argparse
+from sys import platform
+
+if platform == "linux" or platform == "linux2":
+    parser = argparse.ArgumentParser(description="NYCU OSDI kernel sender")
+    parser.add_argument(
+        "--filename",
+        metavar="PATH",
+        default="img/kernel8.img",
+        type=str,
+        help="path to kernel8.img",
+    )
+    parser.add_argument(
+        "--device",
+        metavar="TTY",
+        default="/dev/ttyUSB0",
+        type=str,
+        help="path to UART device",
+    )
+    parser.add_argument(
+        "--baud", metavar="Hz", default=115200, type=int, help="baud rate"
+    )
+    args = parser.parse_args()
+
+    with open(args.filename, "rb") as fd:
+        with Serial(args.device, args.baud) as ser:
+
+            kernel_raw = fd.read()
+            length = len(kernel_raw)
+
+            print("Kernel image size : ", hex(length))
+            for i in range(8):
+                ser.write(p64(length)[i : i + 1])
+                ser.flush()
+
+            print("Start sending kernel image by uart1...")
+            for i in range(length):
+                # Use kernel_raw[i: i+1] is byte type. Instead of using kernel_raw[i] it will retrieve int type then cause error
+                ser.write(kernel_raw[i : i + 1])
+                ser.flush()
+                if i % 100 == 0:
+                    print("{:>6}/{:>6} bytes".format(i, length))
+            print("{:>6}/{:>6} bytes".format(length, length))
+            print("Transfer finished!")
+
+else:
+    parser = argparse.ArgumentParser(description="NYCU OSDI kernel sender")
+    parser.add_argument(
+        "--filename",
+        metavar="PATH",
+        default="kernel8.img",
+        type=str,
+        help="path to kernel8.img",
+    )
+    parser.add_argument(
+        "--device", metavar="COM", default="COM3", type=str, help="COM# to UART device"
+    )
+    parser.add_argument(
+        "--baud", metavar="Hz", default=115200, type=int, help="baud rate"
+    )
+    args = parser.parse_args()
+
+    with open(args.filename, "rb") as fd:
+        with Serial(args.device, args.baud) as ser:
+
+            kernel_raw = fd.read()
+            length = len(kernel_raw)
+
+            print("Kernel image size : ", hex(length))
+            for i in range(8):
+                ser.write(p64(length)[i : i + 1])
+                ser.flush()
+
+            print("Start sending kernel image by uart1...")
+            for i in range(length):
+                # Use kernel_raw[i: i+1] is byte type. Instead of using kernel_raw[i] it will retrieve int type then cause error
+                ser.write(kernel_raw[i : i + 1])
+                ser.flush()
+                if i % 100 == 0:
+                    print("{:>6}/{:>6} bytes".format(i, length))
+            print("{:>6}/{:>6} bytes".format(length, length))
+            print("Transfer finished!")
diff --git a/lab6/user_program/Makefile b/lab6/user_program/Makefile
new file mode 100644
index 000000000..3d1a93348
--- /dev/null
+++ b/lab6/user_program/Makefile
@@ -0,0 +1,24 @@
+CC = aarch64-linux-gnu
+CFLAGS = -ggdb -Wno-implicit -ffreestanding -nostdlib -nostartfiles -Iinclude
+
+BUILD_DIR = build
+ROOTFS_DIR = ../rootfs
+
+OBJECTS = $(patsubst %.S, $(BUILD_DIR)/%.o, $(wildcard *.S))
+
+USER_PROG = userprog
+
+all: $(OBJECTS)
+	$(CC)-ld -T linker.ld -o $(BUILD_DIR)/$(USER_PROG).elf $(OBJECTS)
+	$(CC)-objcopy -O binary $(BUILD_DIR)/$(USER_PROG).elf $(ROOTFS_DIR)/$(USER_PROG)
+
+$(BUILD_DIR)/%.o: %.S
+	@mkdir -p $(BUILD_DIR)
+	$(CC)-gcc $(CFLAGS) -c $< -o $@
+
+clean:
+	rm -rf $(BUILD_DIR)
+	rm -f $(ROOTFS_DIR)/$(USER_PROG)
+
+run:
+	qemu-system-aarch64 -M raspi3b -kernel $(ROOTFS_DIR)/$(USER_PROG) -display none -serial null -serial stdio -s
diff --git a/lab6/user_program/linker.ld b/lab6/user_program/linker.ld
new file mode 100644
index 000000000..783ebe038
--- /dev/null
+++ b/lab6/user_program/linker.ld
@@ -0,0 +1,5 @@
+SECTIONS
+{
+  . = 0x80000;
+  .text : { *(.text) }
+}
\ No newline at end of file
diff --git a/lab6/user_program/userprog.S b/lab6/user_program/userprog.S
new file mode 100644
index 000000000..838323763
--- /dev/null
+++ b/lab6/user_program/userprog.S
@@ -0,0 +1,11 @@
+.section ".text"
+.global _start
+_start:
+    mov x0, 0
+1:
+    add x0, x0, 1
+    svc 0
+    cmp x0, 5
+    blt 1b
+1:
+    b 1b
\ No newline at end of file
diff --git a/lab7/.gitignore b/lab7/.gitignore
new file mode 100644
index 000000000..d558147b0
--- /dev/null
+++ b/lab7/.gitignore
@@ -0,0 +1,3 @@
+.vscode
+build/
+img/
\ No newline at end of file
diff --git a/lab7/Makefile b/lab7/Makefile
new file mode 100644
index 000000000..b64a14140
--- /dev/null
+++ b/lab7/Makefile
@@ -0,0 +1,57 @@
+CC = aarch64-linux-gnu
+CFLAGS = -Wall -nostdlib -nostartfiles -ffreestanding -Iinclude -mgeneral-regs-only
+
+SRC_DIR = src
+INCLUDE_DIR = include
+KERNEL_DIR = kernel
+LIB_DIR = lib
+BOOT_DIR = bootloader
+BUILD_DIR = build
+IMG_DIR = img
+
+OBJECTS = $(patsubst $(SRC_DIR)/%.c, $(BUILD_DIR)/%.o, $(wildcard $(SRC_DIR)/*.c))
+OBJECTS += $(patsubst $(SRC_DIR)/%.S, $(BUILD_DIR)/%_s.o, $(wildcard $(SRC_DIR)/*.S))
+
+HEADERS = $(wildcard $(INCLUDE_DIR)/*.h)
+
+ELF_NAME = kernel8.elf
+IMG_NAME = kernel8.img
+BOOT_ELF_NAME = bootloader.elf
+BOOT_IMG_NAME = bootloader.img
+CPIO_FILE = initramfs.cpio
+
+all: clean $(OBJECTS) $(HEADERS)
+	$(CC)-ld -T $(SRC_DIR)/linker.ld -o $(BUILD_DIR)/$(ELF_NAME) $(OBJECTS)
+	$(CC)-objcopy -O binary $(BUILD_DIR)/$(ELF_NAME) $(IMG_DIR)/$(IMG_NAME)
+
+$(BUILD_DIR)/%.o: $(SRC_DIR)/%.c
+	@mkdir -p $(BUILD_DIR)
+	@mkdir -p $(IMG_DIR)
+	$(CC)-gcc $(CFLAGS) -c $< -o $@
+
+$(BUILD_DIR)/%_s.o: $(SRC_DIR)/%.S
+	$(CC)-gcc $(CFLAGS) -c $< -o $@
+
+clean:
+	rm -rf $(BUILD_DIR) $(IMG_DIR)
+
+dump:
+	qemu-system-aarch64 -M raspi3b -kernel $(IMG_DIR)/$(IMG_NAME) -initrd $(CPIO_FILE) -display none -d in_asm -dtb bcm2710-rpi-3-b-plus.dtb
+
+run: all
+	qemu-system-aarch64 -M raspi3b -kernel $(IMG_DIR)/$(IMG_NAME) -initrd $(CPIO_FILE) -display none -serial null -serial stdio -s -dtb bcm2710-rpi-3-b-plus.dtb
+
+tty:
+	qemu-system-aarch64 -M raspi3b -kernel $(IMG_DIR)/$(BOOT_IMG_NAME) -initrd $(CPIO_FILE) -display none -serial null -serial pty
+
+upload:
+	sudo python3 upload.py
+
+cpio:
+	cd rootfs && find . | cpio -o -H newc > ../$(CPIO_FILE)
+
+screen:
+	sudo screen /dev/ttyUSB0 115200
+
+userprog:
+	cd user_program && make clean && make
diff --git a/lab7/bcm2710-rpi-3-b-plus.dtb b/lab7/bcm2710-rpi-3-b-plus.dtb
new file mode 100644
index 000000000..38395a23f
Binary files /dev/null and b/lab7/bcm2710-rpi-3-b-plus.dtb differ
diff --git a/lab7/bootloader/bcm2710-rpi-3-b-plus.dtb b/lab7/bootloader/bcm2710-rpi-3-b-plus.dtb
new file mode 100644
index 000000000..38395a23f
Binary files /dev/null and b/lab7/bootloader/bcm2710-rpi-3-b-plus.dtb differ
diff --git a/lab7/bootloader/bootloader.img b/lab7/bootloader/bootloader.img
new file mode 100755
index 000000000..714047f83
Binary files /dev/null and b/lab7/bootloader/bootloader.img differ
diff --git a/lab7/bootloader/config.txt b/lab7/bootloader/config.txt
new file mode 100644
index 000000000..15654a481
--- /dev/null
+++ b/lab7/bootloader/config.txt
@@ -0,0 +1,3 @@
+kernel=bootloader.img
+arm_64bit=1
+initramfs initramfs.cpio 0x8000000
diff --git a/lab7/bootloader/include/bcm2837/rpi_base.h b/lab7/bootloader/include/bcm2837/rpi_base.h
new file mode 100644
index 000000000..e3259e8de
--- /dev/null
+++ b/lab7/bootloader/include/bcm2837/rpi_base.h
@@ -0,0 +1,6 @@
+#ifndef	_RPI_BASE_H_
+#define	_RPI_BASE_H_
+
+#define PERIPHERAL_BASE 0x3F000000
+
+#endif  /*_RPI_BASE_H_ */
diff --git a/lab7/bootloader/include/bcm2837/rpi_gpio.h b/lab7/bootloader/include/bcm2837/rpi_gpio.h
new file mode 100644
index 000000000..e5133708a
--- /dev/null
+++ b/lab7/bootloader/include/bcm2837/rpi_gpio.h
@@ -0,0 +1,25 @@
+#ifndef _RPI_GPIO_H_
+#define _RPI_GPIO_H_
+
+#include "bcm2837/rpi_base.h"
+
+#define GPFSEL0         ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200000))
+#define GPFSEL1         ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200004))
+#define GPFSEL2         ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200008))
+#define GPFSEL3         ((volatile unsigned int*)(PERIPHERAL_BASE+0x0020000C))
+#define GPFSEL4         ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200010))
+#define GPFSEL5         ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200014))
+#define GPSET0          ((volatile unsigned int*)(PERIPHERAL_BASE+0x0020001C))
+#define GPSET1          ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200020))
+#define GPCLR0          ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200028))
+#define GPLEV0          ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200034))
+#define GPLEV1          ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200038))
+#define GPEDS0          ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200040))
+#define GPEDS1          ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200044))
+#define GPHEN0          ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200064))
+#define GPHEN1          ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200068))
+#define GPPUD           ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200094))
+#define GPPUDCLK0       ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200098))
+#define GPPUDCLK1       ((volatile unsigned int*)(PERIPHERAL_BASE+0x0020009C))
+
+#endif /*_RPI_GPIO_H_*/
diff --git a/lab7/bootloader/include/bcm2837/rpi_uart1.h b/lab7/bootloader/include/bcm2837/rpi_uart1.h
new file mode 100644
index 000000000..959130656
--- /dev/null
+++ b/lab7/bootloader/include/bcm2837/rpi_uart1.h
@@ -0,0 +1,19 @@
+#ifndef	_RPI_UART1_H_
+#define	_RPI_UART1_H_
+
+#include "bcm2837/rpi_base.h"
+
+#define AUX_ENABLES     ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215004))
+#define AUX_MU_IO_REG   ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215040))
+#define AUX_MU_IER_REG  ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215044))
+#define AUX_MU_IIR_REG  ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215048))
+#define AUX_MU_LCR_REG  ((volatile unsigned int*)(PERIPHERAL_BASE+0x0021504C))
+#define AUX_MU_MCR_REG  ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215050))
+#define AUX_MU_LSR_REG  ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215054))
+#define AUX_MU_MSR_REG  ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215058))
+#define AUX_MU_SCRATCH  ((volatile unsigned int*)(PERIPHERAL_BASE+0x0021505C))
+#define AUX_MU_CNTL_REG ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215060))
+#define AUX_MU_STAT_REG ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215064))
+#define AUX_MU_BAUD_REG ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215068))
+
+#endif  /*_RPI_UART1_H_ */
diff --git a/lab7/bootloader/include/power.h b/lab7/bootloader/include/power.h
new file mode 100644
index 000000000..baf990974
--- /dev/null
+++ b/lab7/bootloader/include/power.h
@@ -0,0 +1,8 @@
+#ifndef	_POWER_H_
+#define	_POWER_H_
+
+#define PM_PASSWORD 0x5a000000
+#define PM_RSTC     0x3F10001c
+#define PM_WDOG     0x3F100024
+
+#endif /*_POWER_H_*/
diff --git a/lab7/bootloader/include/shell.h b/lab7/bootloader/include/shell.h
new file mode 100644
index 000000000..702f5eb14
--- /dev/null
+++ b/lab7/bootloader/include/shell.h
@@ -0,0 +1,23 @@
+#ifndef _SHELL_H_
+#define _SHELL_H_
+
+#define CLI_MAX_CMD 3
+#define CMD_MAX_LEN 32
+#define MSG_MAX_LEN 128
+
+typedef struct CLI_CMDS
+{
+    char command[CMD_MAX_LEN];
+    char help[MSG_MAX_LEN];
+} CLI_CMDS;
+
+void cli_cmd_clear(char*, int);
+void cli_cmd_read(char*);
+void cli_cmd_exec(char*);
+void cli_print_banner();
+
+void do_cmd_help();
+void do_cmd_loadimg();
+void do_cmd_reboot();
+
+#endif /* _SHELL_H_ */
diff --git a/lab7/bootloader/include/uart1.h b/lab7/bootloader/include/uart1.h
new file mode 100644
index 000000000..329d25c81
--- /dev/null
+++ b/lab7/bootloader/include/uart1.h
@@ -0,0 +1,11 @@
+#ifndef	_UART1_H_
+#define	_UART1_H_
+
+void uart_init();
+char uart_getc();
+char uart_recv();
+void uart_send(unsigned int c);
+int  uart_puts(char* fmt, ...);
+void uart_2hex(unsigned int d);
+
+#endif /*_UART1_H_*/
diff --git a/lab7/bootloader/include/utils.h b/lab7/bootloader/include/utils.h
new file mode 100644
index 000000000..e65ece675
--- /dev/null
+++ b/lab7/bootloader/include/utils.h
@@ -0,0 +1,11 @@
+#ifndef _UTILS_H_
+#define _UTILS_H_
+
+#define VSPRINT_MAX_BUF_SIZE 128
+
+unsigned int sprintf(char *dst, char* fmt, ...);
+unsigned int vsprintf(char *dst,char* fmt, __builtin_va_list args);
+
+int  strcmp(const char*, const char*);
+
+#endif /* _UTILS_H_ */
diff --git a/lab7/bootloader/makefile b/lab7/bootloader/makefile
new file mode 100644
index 000000000..b81bad692
--- /dev/null
+++ b/lab7/bootloader/makefile
@@ -0,0 +1,42 @@
+ARMGNU ?= aarch64-linux-gnu
+
+CFLAGS = -Wall -nostdlib -nostartfiles -ffreestanding -Iinclude -mgeneral-regs-only
+ASMFLAGS = -Iinclude
+
+BUILD_DIR = build
+SRC_DIR = src
+#---------------------------------------------------------------------------------------
+
+C_FILES = $(wildcard $(SRC_DIR)/*.c)
+ASM_FILES = $(wildcard $(SRC_DIR)/*.S)
+OBJ_FILES = $(C_FILES:$(SRC_DIR)/%.c=$(BUILD_DIR)/%_c.o)
+OBJ_FILES += $(ASM_FILES:$(SRC_DIR)/%.S=$(BUILD_DIR)/%_s.o)
+
+DEP_FILES = $(OBJ_FILES:%.o=%.d)
+-include $(DEP_FILES)
+
+$(BUILD_DIR)/%_c.o: $(SRC_DIR)/%.c
+	@mkdir -p $(@D)
+	$(ARMGNU)-gcc $(CFLAGS) -MMD -c $< -o $@
+
+$(BUILD_DIR)/%_s.o: $(SRC_DIR)/%.S
+	$(ARMGNU)-gcc $(ASMFLAGS) -MMD -c $< -o $@
+
+bootloader.img: $(SRC_DIR)/link.ld $(OBJ_FILES)
+	$(ARMGNU)-ld -T $(SRC_DIR)/link.ld -o $(BUILD_DIR)/bootloader.elf  $(OBJ_FILES)
+	$(ARMGNU)-objcopy $(BUILD_DIR)/bootloader.elf -O binary bootloader.img
+
+all: bootloader.img
+
+clean:
+	rm -rf $(BUILD_DIR) *.img
+
+run_std:
+	qemu-system-aarch64 -M raspi3b -kernel bootloader.img -serial null -serial stdio -initrd initramfs.cpio -dtb bcm2710-rpi-3-b-plus.dtb
+
+run_pty:
+	qemu-system-aarch64 -M raspi3b -kernel bootloader.img -serial null -serial pty -initrd initramfs.cpio -dtb bcm2710-rpi-3-b-plus.dtb
+
+debug:
+	qemu-system-aarch64 -M raspi3b -kernel bootloader.img -display none -S -s
+
diff --git a/lab7/bootloader/src/boot.S b/lab7/bootloader/src/boot.S
new file mode 100644
index 000000000..c872f56a7
--- /dev/null
+++ b/lab7/bootloader/src/boot.S
@@ -0,0 +1,52 @@
+/* ARMv8 Assembly Instruction */
+/**
+
+mov x0, x1
+    sets: x0 = x1
+ldr x0, <addr>
+    load 32bits from <addr> to x0
+ldr w0, <addr>
+    load 64bits from <addr> to w0
+cbz x0, <label>
+    if x0 == 0, jump to <label>
+cbnz x0, <label>
+    if x0 != 0, jump to <label>
+str x0 [x1] #8
+    store x0 in addr<x1> then x1=x1+8
+b   <label>
+    jump to <label>
+bl  <label>
+    jump to <label> and copies bl's next instruction into link register
+wfe
+    Wait for event, core in low-power state (power on, clk off)
+
+**/
+
+// x0 is used for dtb physical address
+.section ".text.boot"
+
+.global _start
+
+_start:
+setup_stack:
+    ldr     x1, =_stack_top
+    mov     sp, x1
+
+setup_bss:
+    ldr     x1, =_bss_top
+    ldr     w2, =_bss_size
+
+init_bss:
+    cbz     w2, run_main
+    str     xzr, [x1], #8
+    sub     w2, w2, #1
+    cbnz    w2, init_bss
+
+run_main:
+    ldr     x1, =_dtb
+    str     x0, [x1], #8
+    bl      main
+
+proc_hang:
+    wfe
+    b       proc_hang
diff --git a/lab7/bootloader/src/link.ld b/lab7/bootloader/src/link.ld
new file mode 100644
index 000000000..a5a05ddaa
--- /dev/null
+++ b/lab7/bootloader/src/link.ld
@@ -0,0 +1,30 @@
+_heap_stack_size = 1M;  
+# heap_size 0x100000
+
+SECTIONS
+{
+    . = 0x80000;
+    _start = .;
+    .text : { *(.text.boot) *(.text) }
+    .rodata : { *(.rodata) }
+    .data : { *(.data) }
+    .bss : {
+        _bss_top = .;
+        *(.bss) 
+    }
+    _bss_size = SIZEOF(.bss) >> 3;
+    .heap : {
+        . = ALIGN(8);
+        _heap_top = .;
+    } 
+    . = . + _heap_stack_size;
+    .stack : {
+        . = ALIGN(8);
+        _stack_top = .;
+    }
+    _end = .;
+
+    . = 0x3000000;
+    _bootloader_relocated_addr = 0x3000000;
+}
+__code_size = (_end - _start);
diff --git a/lab7/bootloader/src/main.c b/lab7/bootloader/src/main.c
new file mode 100644
index 000000000..9681dcd7b
--- /dev/null
+++ b/lab7/bootloader/src/main.c
@@ -0,0 +1,46 @@
+#include "shell.h"
+#include "uart1.h"
+
+extern char *_bootloader_relocated_addr;
+extern unsigned long long __code_size;
+extern unsigned long long _start;
+char *_dtb;
+
+int relocated_flag = 1;
+
+/* Copies codeblock from _start to addr */
+void code_relocate(char *addr)
+{
+    unsigned long long size = (unsigned long long)&__code_size;
+    char *start = (char *)&_start;
+    for (unsigned long long i = 0; i < size; i++) {
+        addr[i] = start[i];
+    }
+
+    ((void (*)(char *))addr)(_dtb);
+}
+
+/* x0-x7 are argument registers.
+   x0 is now used for dtb */
+void main(char *arg)
+{
+    _dtb = arg;
+    char *relocated_ptr = (char *)&_bootloader_relocated_addr;
+
+    /* Relocate once only */
+    if (relocated_flag) {
+        relocated_flag = 0;
+        code_relocate(relocated_ptr);
+    }
+
+    char input_buffer[CMD_MAX_LEN];
+
+    uart_init();
+
+    while (1) {
+        cli_cmd_clear(input_buffer, CMD_MAX_LEN);
+        uart_puts("# ");
+        cli_cmd_read(input_buffer);
+        cli_cmd_exec(input_buffer);
+    }
+}
diff --git a/lab7/bootloader/src/shell.c b/lab7/bootloader/src/shell.c
new file mode 100644
index 000000000..b962e444c
--- /dev/null
+++ b/lab7/bootloader/src/shell.c
@@ -0,0 +1,101 @@
+#include "shell.h"
+#include "power.h"
+#include "uart1.h"
+#include "utils.h"
+
+#define SHIFT_ADDR 0x100000
+
+extern char *_dtb;
+extern char _start[];
+
+struct CLI_CMDS cmd_list[CLI_MAX_CMD] = {{.command = "load", .help = "load image via uart1"},
+                                         {.command = "help", .help = "print all available commands"},
+                                         {.command = "reboot", .help = "reboot the device"}};
+
+void cli_cmd_clear(char *buffer, int length)
+{
+    for (int i = 0; i < length; i++) {
+        buffer[i] = '\0';
+    }
+};
+
+void cli_cmd_read(char *buffer)
+{
+    char c = '\0';
+    int idx = 0;
+    while (1) {
+        if (idx >= CMD_MAX_LEN)
+            break;
+
+        c = uart_recv();
+        if (c == '\n') {
+            uart_puts("\r\n");
+            break;
+        }
+        if (c > 16 && c < 32)
+            continue;
+        if (c > 127)
+            continue;
+        buffer[idx++] = c;
+        uart_send(c);
+    }
+}
+
+void cli_cmd_exec(char *buffer)
+{
+    if (strcmp(buffer, "load") == 0) {
+        do_cmd_loadimg();
+    }
+    else if (strcmp(buffer, "help") == 0) {
+        do_cmd_help();
+    }
+    else if (strcmp(buffer, "reboot") == 0) {
+        do_cmd_reboot();
+    }
+    else if (*buffer) {
+        uart_puts(buffer);
+        uart_puts(": command not found\r\n");
+    }
+}
+
+void do_cmd_help()
+{
+    for (int i = 0; i < CLI_MAX_CMD; i++) {
+        uart_puts(cmd_list[i].command);
+        uart_puts("\t\t: ");
+        uart_puts(cmd_list[i].help);
+        uart_puts("\r\n");
+    }
+}
+
+/* Overwrite image file into _start,
+   Please make sure this current code has been relocated. */
+void do_cmd_loadimg()
+{
+    char *bak_dtb = _dtb;
+    char c;
+    unsigned long long kernel_size = 0;
+    char *kernel_start = (char *)(&_start);
+    uart_puts("Please upload the image file.\r\n");
+    for (int i = 0; i < 8; i++) {
+        c = uart_getc();
+        kernel_size += c << (i * 8);
+    }
+    for (int i = 0; i < kernel_size; i++) {
+        c = uart_getc();
+        kernel_start[i] = c;
+    }
+    uart_puts("Image file downloaded successfully.\r\n");
+    uart_puts("Point to new kernel ...\r\n");
+
+    ((void (*)(char *))kernel_start)(bak_dtb);
+}
+
+void do_cmd_reboot()
+{
+    uart_puts("Reboot in 5 seconds ...\r\n\r\n");
+    volatile unsigned int *rst_addr = (unsigned int *)PM_RSTC;
+    *rst_addr = PM_PASSWORD | 0x20;
+    volatile unsigned int *wdg_addr = (unsigned int *)PM_WDOG;
+    *wdg_addr = PM_PASSWORD | 5;
+}
diff --git a/lab7/bootloader/src/uart1.c b/lab7/bootloader/src/uart1.c
new file mode 100644
index 000000000..cf6dd9e85
--- /dev/null
+++ b/lab7/bootloader/src/uart1.c
@@ -0,0 +1,83 @@
+#include "bcm2837/rpi_gpio.h"
+#include "bcm2837/rpi_uart1.h"
+#include "uart1.h"
+#include "utils.h"
+
+void uart_init()
+{
+    register unsigned int r;
+
+    /* initialize UART */
+    *AUX_ENABLES     |= 1;       // enable UART1
+    *AUX_MU_CNTL_REG  = 0;       // disable TX/RX
+
+    /* configure UART */
+    *AUX_MU_IER_REG   = 0;       // disable interrupt
+    *AUX_MU_LCR_REG   = 3;       // 8 bit data size
+    *AUX_MU_MCR_REG   = 0;       // disable flow control
+    *AUX_MU_BAUD_REG  = 270;     // 115200 baud rate
+    *AUX_MU_IIR_REG   = 6;       // disable FIFO
+
+    /* map UART1 to GPIO pins */
+    r = *GPFSEL1;
+    r &= ~(7<<12);               // clean gpio14
+    r |= 2<<12;                  // set gpio14 to alt5
+    r &= ~(7<<15);               // clean gpio15
+    r |= 2<<15;                  // set gpio15 to alt5
+    *GPFSEL1 = r;
+
+    /* enable pin 14, 15 - ref: Page 101 */
+    *GPPUD = 0;
+    r=150; while(r--) { asm volatile("nop"); }
+    *GPPUDCLK0 = (1<<14)|(1<<15);
+    r=150; while(r--) { asm volatile("nop"); }
+    *GPPUDCLK0 = 0;
+
+    *AUX_MU_CNTL_REG = 3;      // enable TX/RX
+}
+
+char uart_getc() {
+    char r;
+    while(!(*AUX_MU_LSR_REG & 0x01)){};
+    r = (char)(*AUX_MU_IO_REG);
+    return r;
+}
+
+char uart_recv() {
+    char r;
+    while(!(*AUX_MU_LSR_REG & 0x01)){};
+    r = (char)(*AUX_MU_IO_REG);
+    return r=='\r'?'\n':r;
+}
+
+void uart_send(unsigned int c) {
+    while(!(*AUX_MU_LSR_REG & 0x20)){};
+    *AUX_MU_IO_REG = c;
+}
+
+int uart_puts(char *fmt, ...) {
+    __builtin_va_list args;
+    __builtin_va_start(args, fmt);
+    char buf[VSPRINT_MAX_BUF_SIZE];
+
+    char *str = (char*)buf;
+    int count = vsprintf(str,fmt,args);
+
+    while(*str) {
+        if(*str=='\n')
+            uart_send('\r');
+        uart_send(*str++);
+    }
+    __builtin_va_end(args);
+    return count;
+}
+
+void uart_2hex(unsigned int d) {
+    unsigned int n;
+    int c;
+    for(c=28;c>=0;c-=4) {
+        n=(d>>c)&0xF;
+        n+=n>9?0x37:0x30;
+        uart_send(n);
+    }
+}
diff --git a/lab7/bootloader/src/utils.c b/lab7/bootloader/src/utils.c
new file mode 100644
index 000000000..03c51dd96
--- /dev/null
+++ b/lab7/bootloader/src/utils.c
@@ -0,0 +1,133 @@
+#include "utils.h"
+
+unsigned int vsprintf(char *dst, char* fmt, __builtin_va_list args)
+{
+    long int arg;
+    int len, sign, i;
+    char *p, *orig=dst, tmpstr[19];
+
+    // failsafes
+    if(dst==(void*)0 || fmt==(void*)0) {
+        return 0;
+    }
+
+    // main loop
+    arg = 0;
+    while(*fmt) {
+        if(dst-orig > VSPRINT_MAX_BUF_SIZE-0x10)
+        {
+            return -1;
+        }
+        // argument access
+        if(*fmt=='%') {
+            fmt++;
+            // literal %
+            if(*fmt=='%') {
+                goto put;
+            }
+            len=0;
+            // size modifier
+            while(*fmt>='0' && *fmt<='9') {
+                len *= 10;
+                len += *fmt-'0';
+                fmt++;
+            }
+            // skip long modifier
+            if(*fmt=='l') {
+                fmt++;
+            }
+            // character
+            if(*fmt=='c') {
+                arg = __builtin_va_arg(args, int);
+                *dst++ = (char)arg;
+                fmt++;
+                continue;
+            } else
+            // decimal number
+            if(*fmt=='d') {
+                arg = __builtin_va_arg(args, int);
+                // check input
+                sign=0;
+                if((int)arg<0) {
+                    arg*=-1;
+                    sign++;
+                }
+                if(arg>99999999999999999L) {
+                    arg=99999999999999999L;
+                }
+                // convert to string
+                i=18;
+                tmpstr[i]=0;
+                do {
+                    tmpstr[--i]='0'+(arg%10);
+                    arg/=10;
+                } while(arg!=0 && i>0);
+                if(sign) {
+                    tmpstr[--i]='-';
+                }
+                if(len>0 && len<18) {
+                    while(i>18-len) {
+                        tmpstr[--i]=' ';
+                    }
+                }
+                p=&tmpstr[i];
+                goto copystring;
+            } else
+            if(*fmt=='x') {
+                arg = __builtin_va_arg(args, long int);
+                i=16;
+                tmpstr[i]=0;
+                do {
+                    char n=arg & 0xf;
+                    tmpstr[--i]=n+(n>9?0x37:0x30);
+                    arg>>=4;
+                } while(arg!=0 && i>0);
+                if(len>0 && len<=16) {
+                    while(i>16-len) {
+                        tmpstr[--i]='0';
+                    }
+                }
+                p=&tmpstr[i];
+                goto copystring;
+            } else
+            if(*fmt=='s') {
+                p = __builtin_va_arg(args, char*);
+copystring:     if(p==(void*)0) {
+                    p="(null)";
+                }
+                while(*p) {
+                    *dst++ = *p++;
+                }
+            }
+        } else {
+put:        *dst++ = *fmt;
+        }
+        fmt++;
+    }
+    *dst=0;
+    return dst-orig;
+}
+
+unsigned int sprintf(char *dst, char* fmt, ...)
+{
+    __builtin_va_list args;
+    __builtin_va_start(args, fmt);
+    unsigned int r = vsprintf(dst,fmt,args);
+    __builtin_va_end(args);
+    return r;
+}
+
+
+int strcmp(const char* p1, const char* p2)
+{
+    const unsigned char *s1 = (const unsigned char*) p1;
+    const unsigned char *s2 = (const unsigned char*) p2;
+    unsigned char c1, c2;
+
+    do {
+        c1 = (unsigned char) *s1++;
+        c2 = (unsigned char) *s2++;
+        if ( c1 == '\0' ) return c1 - c2;
+    } while ( c1 == c2 );
+    return c1 - c2;
+}
diff --git a/lab7/config.txt b/lab7/config.txt
new file mode 100644
index 000000000..96427bebe
--- /dev/null
+++ b/lab7/config.txt
@@ -0,0 +1,3 @@
+initramfs initramfs.cpio 0x20000000
+kernel=bootloader.img
+arm_64bit=1
\ No newline at end of file
diff --git a/lab7/include/bcm2837/rpi_base.h b/lab7/include/bcm2837/rpi_base.h
new file mode 100644
index 000000000..99b05f4fa
--- /dev/null
+++ b/lab7/include/bcm2837/rpi_base.h
@@ -0,0 +1,7 @@
+#ifndef	_RPI_BASE_H_
+#define	_RPI_BASE_H_
+
+#include "rpi_mmu.h"
+#define PERIPHERAL_BASE PHYS_TO_VIRT(0x3F000000)
+
+#endif  /*_RPI_BASE_H_ */
diff --git a/lab7/include/bcm2837/rpi_gpio.h b/lab7/include/bcm2837/rpi_gpio.h
new file mode 100644
index 000000000..e5133708a
--- /dev/null
+++ b/lab7/include/bcm2837/rpi_gpio.h
@@ -0,0 +1,25 @@
+#ifndef _RPI_GPIO_H_
+#define _RPI_GPIO_H_
+
+#include "bcm2837/rpi_base.h"
+
+#define GPFSEL0         ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200000))
+#define GPFSEL1         ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200004))
+#define GPFSEL2         ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200008))
+#define GPFSEL3         ((volatile unsigned int*)(PERIPHERAL_BASE+0x0020000C))
+#define GPFSEL4         ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200010))
+#define GPFSEL5         ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200014))
+#define GPSET0          ((volatile unsigned int*)(PERIPHERAL_BASE+0x0020001C))
+#define GPSET1          ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200020))
+#define GPCLR0          ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200028))
+#define GPLEV0          ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200034))
+#define GPLEV1          ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200038))
+#define GPEDS0          ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200040))
+#define GPEDS1          ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200044))
+#define GPHEN0          ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200064))
+#define GPHEN1          ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200068))
+#define GPPUD           ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200094))
+#define GPPUDCLK0       ((volatile unsigned int*)(PERIPHERAL_BASE+0x00200098))
+#define GPPUDCLK1       ((volatile unsigned int*)(PERIPHERAL_BASE+0x0020009C))
+
+#endif /*_RPI_GPIO_H_*/
diff --git a/lab7/include/bcm2837/rpi_irq.h b/lab7/include/bcm2837/rpi_irq.h
new file mode 100644
index 000000000..8423dfea0
--- /dev/null
+++ b/lab7/include/bcm2837/rpi_irq.h
@@ -0,0 +1,24 @@
+#ifndef _RPI_IRQ_H_
+#define _RPI_IRQ_H_
+
+#include "bcm2837/rpi_base.h"
+
+/*
+The basic pending register shows which interrupt are pending. To speed up interrupts processing, a
+number of 'normal' interrupt status bits have been added to this register. This makes the 'IRQ
+pending base' register different from the other 'base' interrupt registers
+p112-115 https://cs140e.sergio.bz/docs/BCM2837-ARM-Peripherals.pdf
+*/
+
+#define IRQ_BASIC_PENDING	((volatile unsigned int*)(PERIPHERAL_BASE+0x0000B200))
+#define IRQ_PENDING_1		((volatile unsigned int*)(PERIPHERAL_BASE+0x0000B204))
+#define IRQ_PENDING_2		((volatile unsigned int*)(PERIPHERAL_BASE+0x0000B208))
+#define FIQ_CONTROL		((volatile unsigned int*)(PERIPHERAL_BASE+0x0000B20C))
+#define ENABLE_IRQS_1		((volatile unsigned int*)(PERIPHERAL_BASE+0x0000B210))
+#define ENABLE_IRQS_2		((volatile unsigned int*)(PERIPHERAL_BASE+0x0000B214))
+#define ENABLE_BASIC_IRQS	((volatile unsigned int*)(PERIPHERAL_BASE+0x0000B218))
+#define DISABLE_IRQS_1		((volatile unsigned int*)(PERIPHERAL_BASE+0x0000B21C))
+#define DISABLE_IRQS_2		((volatile unsigned int*)(PERIPHERAL_BASE+0x0000B220))
+#define DISABLE_BASIC_IRQS	((volatile unsigned int*)(PERIPHERAL_BASE+0x0000B224))
+
+#endif /*_RPI_IRQ_H_*/
diff --git a/lab7/include/bcm2837/rpi_mbox.h b/lab7/include/bcm2837/rpi_mbox.h
new file mode 100644
index 000000000..ba1001472
--- /dev/null
+++ b/lab7/include/bcm2837/rpi_mbox.h
@@ -0,0 +1,17 @@
+#ifndef _RPI_MBOX_H_
+#define _RPI_MBOX_H_
+
+#include "bcm2837/rpi_base.h"
+
+#define MBOX_BASE     (PERIPHERAL_BASE+0x0000B880)
+
+// The register access to a mailbox
+// https://jsandler18.github.io/extra/mailbox.html
+#define MBOX_READ     ((volatile unsigned int*)(MBOX_BASE+0x00))
+#define MBOX_POLL     ((volatile unsigned int*)(MBOX_BASE+0x10))
+#define MBOX_SENDER   ((volatile unsigned int*)(MBOX_BASE+0x14))
+#define MBOX_STATUS   ((volatile unsigned int*)(MBOX_BASE+0x18))
+#define MBOX_CONFIG   ((volatile unsigned int*)(MBOX_BASE+0x1C))
+#define MBOX_WRITE    ((volatile unsigned int*)(MBOX_BASE+0x20))
+
+#endif  /*_RPI_MBOX_H_ */
diff --git a/lab7/include/bcm2837/rpi_mmu.h b/lab7/include/bcm2837/rpi_mmu.h
new file mode 100644
index 000000000..0452ce6df
--- /dev/null
+++ b/lab7/include/bcm2837/rpi_mmu.h
@@ -0,0 +1,8 @@
+#ifndef	_RPI_MMU_H_
+#define	_RPI_MMU_H_
+
+#define PHYS_TO_VIRT(x)   (x + 0xffff000000000000)
+#define VIRT_TO_PHYS(x)   (x - 0xffff000000000000)
+#define ENTRY_ADDR_MASK   0xfffffffff000L
+
+#endif  /*_RPI_MMU_H_ */
diff --git a/lab7/include/bcm2837/rpi_uart1.h b/lab7/include/bcm2837/rpi_uart1.h
new file mode 100644
index 000000000..959130656
--- /dev/null
+++ b/lab7/include/bcm2837/rpi_uart1.h
@@ -0,0 +1,19 @@
+#ifndef	_RPI_UART1_H_
+#define	_RPI_UART1_H_
+
+#include "bcm2837/rpi_base.h"
+
+#define AUX_ENABLES     ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215004))
+#define AUX_MU_IO_REG   ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215040))
+#define AUX_MU_IER_REG  ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215044))
+#define AUX_MU_IIR_REG  ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215048))
+#define AUX_MU_LCR_REG  ((volatile unsigned int*)(PERIPHERAL_BASE+0x0021504C))
+#define AUX_MU_MCR_REG  ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215050))
+#define AUX_MU_LSR_REG  ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215054))
+#define AUX_MU_MSR_REG  ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215058))
+#define AUX_MU_SCRATCH  ((volatile unsigned int*)(PERIPHERAL_BASE+0x0021505C))
+#define AUX_MU_CNTL_REG ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215060))
+#define AUX_MU_STAT_REG ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215064))
+#define AUX_MU_BAUD_REG ((volatile unsigned int*)(PERIPHERAL_BASE+0x00215068))
+
+#endif  /*_RPI_UART1_H_ */
diff --git a/lab7/include/cpio.h b/lab7/include/cpio.h
new file mode 100644
index 000000000..e662bee51
--- /dev/null
+++ b/lab7/include/cpio.h
@@ -0,0 +1,41 @@
+#ifndef _CPIO_H_
+#define _CPIO_H_
+
+/*
+    cpio format : https://manpages.ubuntu.com/manpages/bionic/en/man5/cpio.5.html
+    We are using "newc" format
+    header, file path, file data, header  ......
+    header + file path (padding 4 bytes)
+    file data (padding 4 bytes)  (max size 4gb)
+*/
+
+#define CPIO_NEWC_HEADER_MAGIC "070701"    // big endian constant, to check whether it is big endian or little endian
+
+extern void* CPIO_DEFAULT_START;
+extern void* CPIO_DEFAULT_END;
+
+// Using newc archive format
+struct cpio_newc_header
+{
+    char c_magic[6];            // fixed, "070701".
+    char c_ino[8];
+    char c_mode[8];
+    char c_uid[8];
+    char c_gid[8];
+    char c_nlink[8];
+    char c_mtime[8];
+    char c_filesize[8];
+    char c_devmajor[8];
+    char c_devminor[8];
+    char c_rdevmajor[8];
+    char c_rdevminor[8];
+    char c_namesize[8];
+    char c_check[8];
+};
+
+/* write pathname, data, next header into corresponding parameter*/
+int cpio_newc_parse_header(struct cpio_newc_header *this_header_pointer,
+        char **pathname, unsigned int *filesize, char **data,
+        struct cpio_newc_header **next_header_pointer);
+
+#endif /* _CPIO_H_ */
diff --git a/lab7/include/dev_framebuffer.h b/lab7/include/dev_framebuffer.h
new file mode 100644
index 000000000..340bf94e2
--- /dev/null
+++ b/lab7/include/dev_framebuffer.h
@@ -0,0 +1,21 @@
+#ifndef _DEV_FRAMEBUFFER_H_
+#define _DEV_FRAMEBUFFER_H_
+
+#include "stddef.h"
+#include "vfs.h"
+
+struct framebuffer_info {
+    unsigned int width, height;
+    unsigned int pitch;
+    unsigned int isrgb;
+};
+
+int init_dev_framebuffer();
+
+int dev_framebuffer_write(struct file *file, const void *buf, size_t len);
+int dev_framebuffer_open(struct vnode *file_node, struct file **target);
+int dev_framebuffer_close(struct file *file);
+long dev_framebuffer_lseek64(struct file *file, long offset, int whence);
+int dev_framebuffer_op_deny();
+
+#endif
\ No newline at end of file
diff --git a/lab7/include/dev_uart.h b/lab7/include/dev_uart.h
new file mode 100644
index 000000000..c28fd735c
--- /dev/null
+++ b/lab7/include/dev_uart.h
@@ -0,0 +1,14 @@
+#ifndef _DEV_UART_H_
+#define _DEV_UART_H_
+
+#include "stddef.h"
+#include "vfs.h"
+
+int init_dev_uart();
+
+int dev_uart_write(struct file *file, const void *buf, size_t len);
+int dev_uart_read(struct file *file, void *buf, size_t len);
+int dev_uart_open(struct vnode *file_node, struct file **target);
+int dev_uart_close(struct file *file);
+int op_deny();
+#endif
\ No newline at end of file
diff --git a/lab7/include/dtb.h b/lab7/include/dtb.h
new file mode 100644
index 000000000..eabc2fa86
--- /dev/null
+++ b/lab7/include/dtb.h
@@ -0,0 +1,28 @@
+#ifndef _DTB_H_
+#define _DTB_H_
+
+#define uint32_t unsigned int
+#define uint64_t unsigned long long
+
+// manipulate device tree with dtb file format
+// linux kernel fdt.h
+#define FDT_BEGIN_NODE 0x00000001
+#define FDT_END_NODE 0x00000002
+#define FDT_PROP 0x00000003
+#define FDT_NOP 0x00000004
+#define FDT_END 0x00000009
+
+extern char *dtb_ptr;
+
+typedef void (*dtb_callback)(uint32_t node_type, char *name, void *value, uint32_t name_size);
+
+uint32_t uint32_endian_big2lttle(uint32_t data);
+uint64_t uint64_endian_big2lttle(uint64_t data);
+
+void traverse_device_tree(void *base, dtb_callback callback); // traverse dtb tree
+void dtb_callback_show_tree(uint32_t node_type, char *name, void *value, uint32_t name_size);
+void dtb_callback_initramfs(uint32_t node_type, char *name, void *value, uint32_t name_size);
+
+void dtb_find_and_store_reserved_memory();
+
+#endif
diff --git a/lab7/include/exception.h b/lab7/include/exception.h
new file mode 100644
index 000000000..4b8daa629
--- /dev/null
+++ b/lab7/include/exception.h
@@ -0,0 +1,59 @@
+#ifndef _EXCEPTION_H_
+#define _EXCEPTION_H_
+
+#include "bcm2837/rpi_irq.h"
+
+#define CORE0_INTERRUPT_SOURCE ((volatile unsigned int *)(PHYS_TO_VIRT(0x40000060)))
+
+#define IRQ_PENDING_1_AUX_INT (1 << 29)
+#define INTERRUPT_SOURCE_GPU (1 << 8)
+#define INTERRUPT_SOURCE_CNTPNSIRQ (1 << 1)
+
+typedef struct trapframe {
+    unsigned long x0;
+    unsigned long x1;
+    unsigned long x2;
+    unsigned long x3;
+    unsigned long x4;
+    unsigned long x5;
+    unsigned long x6;
+    unsigned long x7;
+    unsigned long x8;
+    unsigned long x9;
+    unsigned long x10;
+    unsigned long x11;
+    unsigned long x12;
+    unsigned long x13;
+    unsigned long x14;
+    unsigned long x15;
+    unsigned long x16;
+    unsigned long x17;
+    unsigned long x18;
+    unsigned long x19;
+    unsigned long x20;
+    unsigned long x21;
+    unsigned long x22;
+    unsigned long x23;
+    unsigned long x24;
+    unsigned long x25;
+    unsigned long x26;
+    unsigned long x27;
+    unsigned long x28;
+    unsigned long x29;
+    unsigned long x30;
+    unsigned long spsr_el1;
+    unsigned long elr_el1;
+    unsigned long sp_el0;
+} trapframe_t;
+
+void sync_64_router(trapframe_t *tpf);
+void irq_router(trapframe_t *tpf);
+
+static inline void el1_interrupt_enable() { __asm__ __volatile__("msr daifclr, 0xf"); }
+
+static inline void el1_interrupt_disable() { __asm__ __volatile__("msr daifset, 0xf"); }
+
+void lock();
+void unlock();
+
+#endif /* _EXCEPTION_H_ */
diff --git a/lab7/include/initramfs.h b/lab7/include/initramfs.h
new file mode 100644
index 000000000..c9583aab9
--- /dev/null
+++ b/lab7/include/initramfs.h
@@ -0,0 +1,33 @@
+#ifndef _INITRAMFS_H_
+#define _INITRAMFS_H_
+
+#include "stddef.h"
+#include "vfs.h"
+
+#define INITRAMFS_MAX_DIR_ENTRIES 100
+
+struct initramfs_inode {
+    enum fsnode_type type;
+    char *name;
+    struct vnode *entry[INITRAMFS_MAX_DIR_ENTRIES];
+    char *data;
+    size_t datasize;
+};
+
+int register_initramfs();
+int initramfs_setup_mount(struct filesystem *fs, struct mount *_mount);
+
+int initramfs_write(struct file *file, const void *buf, size_t len);
+int initramfs_read(struct file *file, void *buf, size_t len);
+int initramfs_open(struct vnode *file_node, struct file **target);
+int initramfs_close(struct file *file);
+long initramfs_lseek64(struct file *file, long offset, int whence);
+long initramfs_getsize(struct vnode *vd);
+
+int initramfs_lookup(struct vnode *dir_node, struct vnode **target, const char *component_name);
+int initramfs_create(struct vnode *dir_node, struct vnode **target, const char *component_name);
+int initramfs_mkdir(struct vnode *dir_node, struct vnode **target, const char *component_name);
+
+struct vnode *initramfs_create_vnode(struct mount *_mount, enum fsnode_type type);
+
+#endif
\ No newline at end of file
diff --git a/lab7/include/irqtask.h b/lab7/include/irqtask.h
new file mode 100644
index 000000000..395bea0b7
--- /dev/null
+++ b/lab7/include/irqtask.h
@@ -0,0 +1,22 @@
+#ifndef _IRQTASK_H_
+#define _IRQTASK_H_
+
+#include "list.h"
+
+// smaller is more preemptive
+#define UART_IRQ_PRIORITY  1
+#define TIMER_IRQ_PRIORITY 0
+
+typedef struct irqtask
+{
+    struct list_head listhead;
+    unsigned long long priority;
+    void *task_function;
+} irqtask_t;
+
+void irqtask_add(void *task_function, unsigned long long priority);
+void irqtask_run(irqtask_t *the_task);
+void irqtask_run_preemptive();
+void irqtask_init_list();
+
+#endif
diff --git a/lab7/include/list.h b/lab7/include/list.h
new file mode 100644
index 000000000..5794e63c1
--- /dev/null
+++ b/lab7/include/list.h
@@ -0,0 +1,137 @@
+#ifndef LIST_H
+#define LIST_H
+
+/*
+ * Circular doubly linked list implementation.
+ *
+ * Some of the internal functions ("__xxx") are useful when
+ * manipulating whole lists rather than single entries, as
+ * sometimes we already know the next/prev entries and we can
+ * generate better code by using them directly rather than
+ * using the generic single-entry routines.
+ *
+ * https://github.com/torvalds/linux/blob/master/include/linux/list.h
+ * https://elixir.bootlin.com/linux/latest/source/scripts/kconfig/list.h#L24
+ */
+
+typedef struct list_head {
+	struct list_head *next, *prev;
+}list_head_t;
+
+#define LIST_HEAD_INIT(name) { &(name), &(name) }
+
+#define LIST_HEAD(name) \
+	struct list_head name = LIST_HEAD_INIT(name)
+
+/**
+ * INIT_LIST_HEAD - Initialize a list_head structure
+ * @list: list_head structure to be initialized.
+ *
+ * Initializes the list_head to point to itself.  If it is a list header,
+ * the result is an empty list.
+ */
+static inline void INIT_LIST_HEAD(struct list_head *list)
+{
+	list->next = list;
+	list->prev = list;
+}
+
+static inline void __list_add(struct list_head *new,
+			      struct list_head *prev,
+			      struct list_head *next)
+{
+	next->prev = new;
+	new->next = next;
+	new->prev = prev;
+	prev->next = new;
+}
+
+/**
+ * list_add - add a new entry
+ * @new: new entry to be added
+ * @head: list head to add it after
+ *
+ * Insert a new entry after the specified head.
+ * This is good for implementing stacks.
+ */
+static inline void list_add(struct list_head *new, struct list_head *head)
+{
+	__list_add(new, head, head->next);
+}
+
+/**
+ * list_add_tail - add a new entry
+ * @new: new entry to be added
+ * @head: list head to add it before
+ *
+ * Insert a new entry before the specified head.
+ * This is useful for implementing queues.
+ */
+static inline void list_add_tail(struct list_head *new, struct list_head *head)
+{
+	__list_add(new, head->prev, head);
+}
+
+/*
+ * Delete a list entry by making the prev/next entries
+ * point to each other.
+ *
+ * This is only for internal list manipulation where we know
+ * the prev/next entries already!
+ */
+static inline void __list_del(struct list_head * prev, struct list_head * next)
+{
+	next->prev = prev;
+	prev->next = next;
+}
+
+static inline void list_del_entry(struct list_head *entry)
+{
+	__list_del(entry->prev, entry->next);
+}
+
+
+/**
+ * list_is_head - tests whether @list is the list @head
+ * @list: the entry to test
+ * @head: the head of the list
+ */
+static inline int list_is_head(const struct list_head *list, const struct list_head *head)
+{
+	return list == head;
+}
+
+
+/**
+ * list_empty - tests whether a list is empty
+ * @head: the list to test.
+ */
+static inline int list_empty(const struct list_head *head)
+{
+	return head->next == head;
+}
+
+/**
+ * list_for_each	-	iterate over a list
+ * @pos:	the &struct list_head to use as a loop cursor.
+ * @head:	the head for your list.
+ */
+#define list_for_each(pos, head) \
+	for (pos = (head)->next; !list_is_head(pos, (head)); pos = pos->next)
+
+/**
+ * list_empty - tests whether a list is empty
+ * @head: the list to test.
+ */
+static inline int list_size(const struct list_head *head)
+{
+	list_head_t *pos;
+	int i= 0;
+	list_for_each(pos, head)
+	{
+		i++;
+	}
+	return i;
+}
+
+#endif
\ No newline at end of file
diff --git a/lab7/include/mbox.h b/lab7/include/mbox.h
new file mode 100644
index 000000000..cc84953f2
--- /dev/null
+++ b/lab7/include/mbox.h
@@ -0,0 +1,62 @@
+#ifndef _MBOX_H_
+#define _MBOX_H_
+
+extern volatile unsigned int pt[36];
+
+// Mailbox Register MMIO
+// https://jsandler18.github.io/extra/mailbox.html
+// include/bcm2837/rpi_mbox.h
+
+// Mailbox Channels
+// https://github.com/raspberrypi/firmware/wiki/Mailboxes
+typedef enum {
+    MBOX_POWER_MANAGEMENT = 0,
+    MBOX_FRAMEBUFFER,
+    MBOX_VIRTUAL_UART,
+    MBOX_VCHIQ,
+    MBOX_LEDS,
+    MBOX_BUTTONS,
+    MBOX_TOUCHSCREEN,
+    MBOX_UNUSED,
+    MBOX_TAGS_ARM_TO_VC,
+    MBOX_TAGS_VC_TO_ARM,
+} mbox_channel_type;
+
+// Status Code from Broadcom Videocode Driver
+// brcm_usrlib/dag/vmcsx/vcinclude/bcm2708_chip/arm_control.h
+enum mbox_status_reg_bits {
+    BCM_ARM_VC_MS_FULL = 0x80000000,
+    BCM_ARM_VC_MS_EMPTY = 0x40000000,
+    BCM_ARM_VC_MS_LEVEL = 0x400000FF,
+};
+
+enum mbox_buffer_status_code {
+    MBOX_REQUEST_PROCESS = 0x00000000,
+    MBOX_REQUEST_SUCCEED = 0x80000000,
+    MBOX_REQUEST_FAILED = 0x80000001,
+};
+
+// Tag
+// https://github.com/raspberrypi/firmware/wiki/Mailbox-property-interface
+// Included partition only
+typedef enum {
+    /* Videocore */
+    MBOX_TAG_GET_FIRMWARE_VERSION = 0x1,
+
+    /* Hardware */
+    MBOX_TAG_GET_BOARD_MODEL = 0x10001,
+    MBOX_TAG_GET_BOARD_REVISION,
+    MBOX_TAG_GET_BOARD_MAC_ADDRESS,
+    MBOX_TAG_GET_BOARD_SERIAL,
+    MBOX_TAG_GET_ARM_MEMORY,
+    MBOX_TAG_GET_VC_MEMORY,
+    MBOX_TAG_GET_CLOCKS,
+
+} mbox_tag_type;
+
+#define MBOX_TAG_REQUEST_CODE 0x00000000
+#define MBOX_TAG_LAST_BYTE 0x00000000
+
+int mbox_call(mbox_channel_type, unsigned int);
+
+#endif /*_MBOX_H_*/
diff --git a/lab7/include/memory.h b/lab7/include/memory.h
new file mode 100644
index 000000000..6442635d3
--- /dev/null
+++ b/lab7/include/memory.h
@@ -0,0 +1,70 @@
+#ifndef _MEMORY_H_
+#define _MEMORY_H_
+
+#include "bcm2837/rpi_mmu.h"
+#include "list.h"
+
+/* Lab2 */
+void *s_allocator(unsigned int size);
+void s_free(void *ptr);
+
+/* Lab4 */
+#define BUDDY_MEMORY_BASE PHYS_TO_VIRT(0x0) // 0x10000000 - 0x20000000 (SPEC) -> Advanced #3 for all memory region
+#define BUDDY_MEMORY_PAGE_COUNT 0x3C000     // let BUDDY_MEMORY use 0x0 ~ 0x3C000000 (SPEC)
+#define PAGESIZE 0x1000                     // 4KB
+#define MAX_PAGES 0x10000                   // 65536 (Entries), PAGESIZE * MAX_PAGES = 0x10000000 (SPEC)
+
+typedef enum {
+    FRAME_FREE = -2,
+    FRAME_ALLOCATED,
+    FRAME_IDX_0 = 0,     //  0x1000
+    FRAME_IDX_1,         //  0x2000
+    FRAME_IDX_2,         //  0x4000
+    FRAME_IDX_3,         //  0x8000
+    FRAME_IDX_4,         // 0x10000
+    FRAME_IDX_5,         // 0x20000
+    FRAME_IDX_6,         // 0x40000
+    FRAME_IDX_FINAL = 7, // 0x80000
+    FRAME_MAX_IDX = 8
+} frame_value_type;
+
+typedef enum {
+    CACHE_NONE = -1,     // Cache not used
+    CACHE_IDX_0 = 0,     //  0x20
+    CACHE_IDX_1,         //  0x40
+    CACHE_IDX_2,         //  0x80
+    CACHE_IDX_3,         // 0x100
+    CACHE_IDX_4,         // 0x200
+    CACHE_IDX_5,         // 0x400
+    CACHE_IDX_FINAL = 6, // 0x800
+    CACHE_MAX_IDX = 7
+} cache_value_type;
+
+typedef struct frame {
+    struct list_head listhead; // store freelist
+    int val;                   // store order
+    int used;
+    int cache_order;
+    unsigned int idx;
+} frame_t;
+
+void init_allocator();
+frame_t *release_redundant(frame_t *frame);
+frame_t *get_buddy(frame_t *frame);
+frame_t *coalesce(frame_t *frame_ptr);
+
+void dump_page_info();
+void dump_cache_info();
+
+// buddy system
+void *page_malloc(unsigned int size);
+void page_free(void *ptr);
+void page2caches(int order);
+void *cache_malloc(unsigned int size);
+void cache_free(void *ptr);
+
+void *kmalloc(unsigned int size);
+void kfree(void *ptr);
+void memory_reserve(unsigned long long start, unsigned long long end);
+
+#endif /* _MEMORY_H_ */
diff --git a/lab7/include/mmu.h b/lab7/include/mmu.h
new file mode 100644
index 000000000..6a605cbc5
--- /dev/null
+++ b/lab7/include/mmu.h
@@ -0,0 +1,45 @@
+#ifndef _MMU_H_
+#define _MMU_H_
+
+#include "stddef.h"
+
+#define TCR_CONFIG_REGION_48bit (((64 - 48) << 0) | ((64 - 48) << 16))
+#define TCR_CONFIG_4KB ((0b00 << 14) | (0b10 << 30))
+#define TCR_CONFIG_DEFAULT (TCR_CONFIG_REGION_48bit | TCR_CONFIG_4KB)
+
+#define MAIR_DEVICE_nGnRnE 0b00000000
+#define MAIR_NORMAL_NOCACHE 0b01000100
+#define MAIR_IDX_DEVICE_nGnRnE 0
+#define MAIR_IDX_NORMAL_NOCACHE 1
+
+#define PD_TABLE 0b11L
+#define PD_BLOCK 0b01L
+#define PD_UNX (1L << 54)
+#define PD_ACCESS (1L << 10)
+#define PD_UK_ACCESS (1L << 6)
+
+#define PERIPHERAL_START 0x3c000000L
+#define PERIPHERAL_END 0x3f000000L
+#define USER_KERNEL_BASE 0x00000000L
+#define USER_STACK_BASE 0xfffffffff000L
+
+#define MMU_PGD_BASE 0x1000L
+#define MMU_PGD_ADDR (MMU_PGD_BASE + 0x0000L)
+#define MMU_PUD_ADDR (MMU_PGD_BASE + 0x1000L)
+#define MMU_PTE_ADDR (MMU_PGD_BASE + 0x2000L)
+
+#define BOOT_PGD_ATTR (PD_TABLE)
+#define BOOT_PUD_ATTR (PD_TABLE + PD_ACCESS + (MAIR_IDX_NORMAL_NOCACHE << 2))
+#define BOOT_PTE_ATTR_nGnRnE (PD_BLOCK + PD_ACCESS + PD_UK_ACCESS + (MAIR_DEVICE_nGnRnE << 2))
+#define BOOT_PTE_ATTR_NOCACHE (PD_BLOCK + PD_ACCESS + (MAIR_NORMAL_NOCACHE << 2))
+
+#ifndef __ASSEMBLER__
+
+void *set_2M_kernel_mmu(void *x0);
+void map_one_page(size_t *pgd_p, size_t va, size_t pa);
+void mappages(size_t *pgd_p, size_t va, size_t size, size_t pa);
+void free_page_tables(size_t *page_table, int level);
+
+#endif //__ASSEMBLER__
+
+#endif /* _MMU_H_ */
diff --git a/lab7/include/power.h b/lab7/include/power.h
new file mode 100644
index 000000000..3c044f3e1
--- /dev/null
+++ b/lab7/include/power.h
@@ -0,0 +1,9 @@
+#ifndef _POWER_H_
+#define _POWER_H_
+
+#include "bcm2837/rpi_mmu.h"
+#define PM_PASSWORD 0x5a000000
+#define PM_RSTC PHYS_TO_VIRT(0x3F10001c)
+#define PM_WDOG PHYS_TO_VIRT(0x3F100024)
+
+#endif /*_POWER_H_*/
diff --git a/lab7/include/sched.h b/lab7/include/sched.h
new file mode 100644
index 000000000..b75634aca
--- /dev/null
+++ b/lab7/include/sched.h
@@ -0,0 +1,72 @@
+#ifndef _SCHED_H_
+#define _SCHED_H_
+
+#include "list.h"
+#include "vfs.h"
+
+#define PIDMAX 32768
+#define USTACK_SIZE 0x4000
+#define KSTACK_SIZE 0x4000
+#define SIGNAL_MAX 64
+
+extern void switch_to(void *curr_context, void *next_context);
+extern void store_context(void *curr_context);
+extern void load_context(void *curr_context);
+extern void *get_current();
+
+typedef struct thread_context {
+    unsigned long x19;
+    unsigned long x20;
+    unsigned long x21;
+    unsigned long x22;
+    unsigned long x23;
+    unsigned long x24;
+    unsigned long x25;
+    unsigned long x26;
+    unsigned long x27;
+    unsigned long x28;
+    unsigned long fp;
+    unsigned long lr;
+    unsigned long sp;
+    void *pgd; // use for MMU mapping (user space)
+} thread_context_t;
+
+typedef struct thread {
+    list_head_t listhead;
+    thread_context_t context;
+    char *data;
+    unsigned int datasize;
+    int iszombie;
+    int pid;
+    int isused;
+
+    char *stack_alloced_ptr;
+    char *kernel_stack_alloced_ptr;
+
+    // signal
+    void (*signal_handler[SIGNAL_MAX + 1])();
+    int sigcount[SIGNAL_MAX + 1];
+    void (*curr_signal_handler)();
+    int signal_is_checking;
+    thread_context_t signal_saved_context;
+
+    // vfs
+    char cur_working_dir[MAX_PATH_NAME + 1];
+    struct file *FDT[MAX_FD + 1]; // file descriptor table
+} thread_t;
+
+extern thread_t *curr_thread;
+extern list_head_t *run_queue;
+extern list_head_t *wait_queue;
+extern thread_t threads[PIDMAX + 1];
+
+void schedule_timer(char *notuse);
+void init_thread_sched();
+void idle();
+void schedule();
+void kill_zombies();
+void thread_exit();
+thread_t *thread_create(void *start, unsigned int filesize);
+int thread_exec(char *data, unsigned int filesize);
+
+#endif /* _SCHED_H_ */
diff --git a/lab7/include/shell.h b/lab7/include/shell.h
new file mode 100644
index 000000000..257bfbdc4
--- /dev/null
+++ b/lab7/include/shell.h
@@ -0,0 +1,28 @@
+#ifndef _SHELL_H_
+#define _SHELL_H_
+
+#define CMD_MAX_LEN 0x100
+#define MSG_MAX_LEN 0x100
+
+typedef struct CLI_CMDS {
+    char command[CMD_MAX_LEN];
+    char help[MSG_MAX_LEN];
+} CLI_CMDS;
+
+int cli_cmd_strcmp(const char *, const char *);
+void cli_cmd_clear(char *, int);
+void cli_cmd_read(char *);
+void cli_cmd_exec(char *);
+void cli_print_banner();
+
+void do_cmd_cat(char *);
+void do_cmd_dtb();
+void do_cmd_exec(char *);
+void do_cmd_help();
+void do_cmd_hello();
+void do_cmd_info();
+void do_cmd_ls(char *);
+void do_cmd_setTimeout(char *msg, char *sec);
+void do_cmd_reboot();
+
+#endif /* _SHELL_H_ */
diff --git a/lab7/include/signal.h b/lab7/include/signal.h
new file mode 100644
index 000000000..828b38387
--- /dev/null
+++ b/lab7/include/signal.h
@@ -0,0 +1,11 @@
+#ifndef _SIGNAL_H_
+#define _SIGNAL_H_
+
+#include "exception.h"
+
+void signal_default_handler();
+void check_signal(trapframe_t *tpf);
+void run_signal(trapframe_t *tpf, int signal);
+void signal_handler_wrapper();
+
+#endif /* _SIGNAL_H_ */
diff --git a/lab7/include/stddef.h b/lab7/include/stddef.h
new file mode 100644
index 000000000..6352d8d40
--- /dev/null
+++ b/lab7/include/stddef.h
@@ -0,0 +1,6 @@
+#ifndef STDDEF_H
+#define STDDEF_H
+
+#define size_t unsigned long
+
+#endif
diff --git a/lab7/include/string.h b/lab7/include/string.h
new file mode 100644
index 000000000..c9ebd3305
--- /dev/null
+++ b/lab7/include/string.h
@@ -0,0 +1,23 @@
+#ifndef _STRING_H_
+#define _STRING_H_
+
+#include "stddef.h"
+#define VSPRINT_MAX_BUF_SIZE 0x100
+
+unsigned int sprintf(char *dst, char *fmt, ...);
+unsigned int vsprintf(char *dst, char *fmt, __builtin_va_list args);
+
+unsigned long long strlen(const char *str);
+int strcmp(const char *, const char *);
+int strncmp(const char *, const char *, unsigned long long);
+char *memcpy(void *dest, const void *src, unsigned long long len);
+char *strcpy(char *dest, const char *src);
+void *memset(void *s, int c, size_t n);
+char *strchr(register const char *s, int c);
+
+char *str_SepbySpace(char *head);
+int atoi(char *str);
+
+char *strcat(char *dest, const char *src);
+
+#endif /* _STRING_H_ */
diff --git a/lab7/include/syscall.h b/lab7/include/syscall.h
new file mode 100644
index 000000000..bb2574ea8
--- /dev/null
+++ b/lab7/include/syscall.h
@@ -0,0 +1,33 @@
+#ifndef _SYSCALL_H_
+#define _SYSCALL_H_
+
+#include "exception.h"
+#include "stddef.h"
+
+int getpid(trapframe_t *tpf);
+size_t uartread(trapframe_t *tpf, char buf[], size_t size);
+size_t uartwrite(trapframe_t *tpf, const char buf[], size_t size);
+int exec(trapframe_t *tpf, const char *name, char *const argv[]);
+int fork(trapframe_t *tpf);
+void exit(trapframe_t *tpf, int status);
+int syscall_mbox_call(trapframe_t *tpf, unsigned char ch, unsigned int *mbox);
+void kill(trapframe_t *tpf, int pid);
+
+void signal_register(int signal, void (*handler)());
+void signal_kill(int pid, int signal);
+void sigreturn(trapframe_t *tpf);
+
+int open(trapframe_t *tpf, const char *pathname, int flags);
+int close(trapframe_t *tpf, int fd);
+long write(trapframe_t *tpf, int fd, const void *buf, unsigned long count);
+long read(trapframe_t *tpf, int fd, void *buf, unsigned long count);
+int mkdir(trapframe_t *tpf, const char *pathname, unsigned mode);
+int mount(trapframe_t *tpf, const char *src, const char *target, const char *filesystem, unsigned long flags, const void *data);
+int chdir(trapframe_t *tpf, const char *path);
+long lseek64(trapframe_t *tpf, int fd, long offset, int whence);
+int ioctl(trapframe_t *tpd, int fd, unsigned long request, void *info);
+
+unsigned int get_file_size(char *thefilepath);
+char *get_file_start(char *thefilepath);
+
+#endif /* _SYSCALL_H_*/
diff --git a/lab7/include/timer.h b/lab7/include/timer.h
new file mode 100644
index 000000000..fd9e86742
--- /dev/null
+++ b/lab7/include/timer.h
@@ -0,0 +1,28 @@
+#ifndef _TIMER_H_
+#define _TIMER_H_
+
+#include "list.h"
+// https://github.com/Tekki/raspberrypi-documentation/blob/master/hardware/raspberrypi/bcm2836/QA7_rev3.4.pdf p13
+#define CORE0_TIMER_IRQ_CTRL PHYS_TO_VIRT(0x40000040)
+
+typedef struct timer_event {
+    struct list_head listhead;
+    unsigned long long interrupt_time;
+    void *callback;
+    char *args;
+} timer_event_t;
+
+extern struct list_head *timer_event_list;
+
+void core_timer_enable();
+void core_timer_disable();
+void core_timer_handler();
+
+void add_timer(void *callback, unsigned long long timeout, char *args, int bytick);
+unsigned long long get_tick_plus_s(unsigned long long second);
+void set_core_timer_interrupt(unsigned long long expired_time);
+void set_core_timer_interrupt_by_tick(unsigned long long tick);
+void timer_list_init();
+int timer_list_get_size();
+
+#endif /* _TIMER_H_ */
diff --git a/lab7/include/tmpfs.h b/lab7/include/tmpfs.h
new file mode 100644
index 000000000..7cb6eabdc
--- /dev/null
+++ b/lab7/include/tmpfs.h
@@ -0,0 +1,35 @@
+#ifndef _TMPFS_H_
+#define _TMPFS_H_
+
+#include "stddef.h"
+#include "vfs.h"
+
+#define FILE_NAME_MAX 16
+#define MAX_DIR_ENTRY 17
+#define MAX_FILE_SIZE 4096
+
+struct tmpfs_inode {
+    enum fsnode_type type;
+    char name[FILE_NAME_MAX];
+    struct vnode *entry[MAX_DIR_ENTRY];
+    char *data;
+    size_t datasize;
+};
+
+int register_tmpfs();
+int tmpfs_setup_mount(struct filesystem *fs, struct mount *_mount);
+
+int tmpfs_write(struct file *file, const void *buf, size_t len);
+int tmpfs_read(struct file *file, void *buf, size_t len);
+int tmpfs_open(struct vnode *file_node, struct file **target);
+int tmpfs_close(struct file *file);
+long tmpfs_lseek64(struct file *file, long offset, int whence);
+long tmpfs_getsize(struct vnode *vd);
+
+int tmpfs_lookup(struct vnode *dir_node, struct vnode **target, const char *component_name);
+int tmpfs_create(struct vnode *dir_node, struct vnode **target, const char *component_name);
+int tmpfs_mkdir(struct vnode *dir_node, struct vnode **target, const char *component_name);
+
+struct vnode *tmpfs_create_vnode(struct mount *_mount, enum fsnode_type type);
+
+#endif /* _TMPFS_H_ */
diff --git a/lab7/include/uart1.h b/lab7/include/uart1.h
new file mode 100644
index 000000000..ccbc67fa9
--- /dev/null
+++ b/lab7/include/uart1.h
@@ -0,0 +1,18 @@
+#ifndef _UART1_H_
+#define _UART1_H_
+
+void uart_init();
+char uart_recv();
+void uart_send(char c);
+int uart_printf(char *fmt, ...);
+char uart_async_getc();
+void uart_async_putc(char c);
+int uart_puts(char *fmt, ...);
+void uart_2hex(unsigned int d);
+
+void uart_interrupt_enable();
+void uart_interrupt_disable();
+void uart_r_irq_handler();
+void uart_w_irq_handler();
+
+#endif /*_UART1_H_*/
diff --git a/lab7/include/vfs.h b/lab7/include/vfs.h
new file mode 100644
index 000000000..a6ba599eb
--- /dev/null
+++ b/lab7/include/vfs.h
@@ -0,0 +1,73 @@
+#ifndef _VFS_H_
+#define _VFS_H_
+
+#include "stddef.h"
+
+#define O_CREAT 00000100
+#define SEEK_SET 0
+
+#define MAX_PATH_NAME 255
+#define MAX_FD 16
+#define MAX_FS_REG 0x50
+#define MAX_DEV_REG 0x10
+
+enum fsnode_type { TMPFS_DIR, TMPFS_FILE };
+
+struct vnode {
+    struct mount *mount;
+    struct vnode_operations *v_ops;
+    struct file_operations *f_ops;
+    void *internal;
+};
+
+// file handle
+struct file {
+    struct vnode *vnode;
+    size_t f_pos; // RW position of this file handle
+    struct file_operations *f_ops;
+    int flags;
+};
+
+struct mount {
+    struct vnode *root;
+    struct filesystem *fs;
+};
+
+struct filesystem {
+    const char *name;
+    int (*setup_mount)(struct filesystem *fs, struct mount *mount);
+};
+
+struct file_operations {
+    int (*write)(struct file *file, const void *buf, size_t len);
+    int (*read)(struct file *file, void *buf, size_t len);
+    int (*open)(struct vnode *file_node, struct file **target);
+    int (*close)(struct file *file);
+    long (*lseek64)(struct file *file, long offset, int whence);
+    long (*getsize)(struct vnode *vd);
+};
+
+struct vnode_operations {
+    int (*lookup)(struct vnode *dir_node, struct vnode **target, const char *component_name);
+    int (*create)(struct vnode *dir_node, struct vnode **target, const char *component_name);
+    int (*mkdir)(struct vnode *dir_node, struct vnode **target, const char *component_name);
+};
+
+int register_filesystem(struct filesystem *fs);
+struct filesystem *find_filesystem(const char *fs_name);
+int vfs_open(const char *pathname, int flags, struct file **target);
+int vfs_close(struct file *file);
+int vfs_write(struct file *file, const void *buf, size_t len);
+int vfs_read(struct file *file, void *buf, size_t len);
+int vfs_mkdir(const char *pathname);
+int vfs_mount(const char *target, const char *filesystem);
+int vfs_lookup(const char *pathname, struct vnode **target);
+
+void init_rootfs();
+char *get_abs_path(char *path, char *curr_working_dir);
+
+// bonus 1
+int register_dev(struct file_operations *f_ops);
+int vfs_mknod(char *pathname, int id);
+
+#endif /* _VFS_H_ */
diff --git a/lab7/initramfs.cpio b/lab7/initramfs.cpio
new file mode 100644
index 000000000..a1794b9a3
Binary files /dev/null and b/lab7/initramfs.cpio differ
diff --git a/lab7/kernel8.img b/lab7/kernel8.img
new file mode 100755
index 000000000..a68e3b4d3
Binary files /dev/null and b/lab7/kernel8.img differ
diff --git a/lab7/rootfs/file1.txt b/lab7/rootfs/file1.txt
new file mode 100644
index 000000000..b57711b8a
--- /dev/null
+++ b/lab7/rootfs/file1.txt
@@ -0,0 +1,38 @@
+/***                                                                          
+ *          .,:,,,                                        .::,,,::.          
+ *        .::::,,;;,                                  .,;;:,,....:i:         
+ *        :i,.::::,;i:.      ....,,:::::::::,....   .;i:,.  ......;i.        
+ *        :;..:::;::::i;,,:::;:,,,,,,,,,,..,.,,:::iri:. .,:irsr:,.;i.        
+ *        ;;..,::::;;;;ri,,,.                    ..,,:;s1s1ssrr;,.;r,        
+ *        :;. ,::;ii;:,     . ...................     .;iirri;;;,,;i,        
+ *        ,i. .;ri:.   ... ............................  .,,:;:,,,;i:        
+ *        :s,.;r:... ....................................... .::;::s;        
+ *        ,1r::. .............,,,.,,:,,........................,;iir;        
+ *        ,s;...........     ..::.,;:,,.          ...............,;1s        
+ *       :i,..,.              .,:,,::,.          .......... .......;1,       
+ *      ir,....:rrssr;:,       ,,.,::.     .r5S9989398G95hr;. ....,.:s,      
+ *     ;r,..,s9855513XHAG3i   .,,,,,,,.  ,S931,.,,.;s;s&BHHA8s.,..,..:r:     
+ *    :r;..rGGh,  :SAG;;G@BS:.,,,,,,,,,.r83:      hHH1sXMBHHHM3..,,,,.ir.    
+ *   ,si,.1GS,   sBMAAX&MBMB5,,,,,,:,,.:&8       3@HXHBMBHBBH#X,.,,,,,,rr    
+ *   ;1:,,SH:   .A@&&B#&8H#BS,,,,,,,,,.,5XS,     3@MHABM&59M#As..,,,,:,is,   
+ *  .rr,,,;9&1   hBHHBB&8AMGr,,,,,,,,,,,:h&&9s;   r9&BMHBHMB9:  . .,,,,;ri.  
+ *  :1:....:5&XSi;r8BMBHHA9r:,......,,,,:ii19GG88899XHHH&GSr.      ...,:rs.  
+ *  ;s.     .:sS8G8GG889hi.        ....,,:;:,.:irssrriii:,.        ...,,i1,  
+ *  ;1,         ..,....,,isssi;,        .,,.                      ....,.i1,  
+ *  ;h:               i9HHBMBBHAX9:         .                     ...,,,rs,  
+ *  ,1i..            :A#MBBBBMHB##s                             ....,,,;si.  
+ *  .r1,..        ,..;3BMBBBHBB#Bh.     ..                    ....,,,,,i1;   
+ *   :h;..       .,..;,1XBMMMMBXs,.,, .. :: ,.               ....,,,,,,ss.   
+ *    ih: ..    .;;;, ;;:s58A3i,..    ,. ,.:,,.             ...,,,,,:,s1,    
+ *    .s1,....   .,;sh,  ,iSAXs;.    ,.  ,,.i85            ...,,,,,,:i1;     
+ *     .rh: ...     rXG9XBBM#M#MHAX3hss13&&HHXr         .....,,,,,,,ih;      
+ *      .s5: .....    i598X&&A&AAAAAA&XG851r:       ........,,,,:,,sh;       
+ *      . ihr, ...  .         ..                    ........,,,,,;11:.       
+ *         ,s1i. ...  ..,,,..,,,.,,.,,.,..       ........,,.,,.;s5i.         
+ *          .:s1r,......................       ..............;shs,           
+ *          . .:shr:.  ....                 ..............,ishs.             
+ *              .,issr;,... ...........................,is1s;.               
+ *                 .,is1si;:,....................,:;ir1sr;,                  
+ *                    ..:isssssrrii;::::::;;iirsssssr;:..                    
+ *                         .,::iiirsssssssssrri;;:.                      
+ */						 
\ No newline at end of file
diff --git a/lab7/rootfs/file2.txt b/lab7/rootfs/file2.txt
new file mode 100644
index 000000000..041d661b5
--- /dev/null
+++ b/lab7/rootfs/file2.txt
@@ -0,0 +1 @@
+This is file 2.
\ No newline at end of file
diff --git a/lab7/rootfs/file3 b/lab7/rootfs/file3
new file mode 100644
index 000000000..5ba12d305
--- /dev/null
+++ b/lab7/rootfs/file3
@@ -0,0 +1 @@
+OS Capstone is fun
\ No newline at end of file
diff --git a/lab7/rootfs/userprog b/lab7/rootfs/userprog
new file mode 100755
index 000000000..1adf648a4
Binary files /dev/null and b/lab7/rootfs/userprog differ
diff --git a/lab7/rootfs/vfs1.img b/lab7/rootfs/vfs1.img
new file mode 100644
index 000000000..2c41bd71a
Binary files /dev/null and b/lab7/rootfs/vfs1.img differ
diff --git a/lab7/rootfs/vm.img b/lab7/rootfs/vm.img
new file mode 100644
index 000000000..8ba674e6c
Binary files /dev/null and b/lab7/rootfs/vm.img differ
diff --git a/lab7/src/boot.S b/lab7/src/boot.S
new file mode 100644
index 000000000..e416eb7cb
--- /dev/null
+++ b/lab7/src/boot.S
@@ -0,0 +1,83 @@
+#include "mmu.h"
+
+.section ".text.boot"
+
+.global _start
+
+_start:
+    bl from_el2_to_el1
+
+set_mmu_configuration:
+    ldr x4, = TCR_CONFIG_DEFAULT
+    msr tcr_el1, x4
+
+    ldr x4, =( \
+        (MAIR_DEVICE_nGnRnE << (MAIR_IDX_DEVICE_nGnRnE * 8)) | \
+        (MAIR_NORMAL_NOCACHE << (MAIR_IDX_NORMAL_NOCACHE * 8)) \
+    )
+    msr mair_el1, x4
+
+    // set and enable MMU
+    mov x4, 0x1000  // PGD's address
+    mov x5, 0x2000  // PUD's address
+
+    ldr x6, = BOOT_PGD_ATTR
+    orr x6, x5, x6
+    str x6, [x4]
+
+    ldr x6, = BOOT_PUD_ATTR
+    mov x7, 0x0
+    orr x7, x6, x7
+    str x7, [x5]
+    mov x7, 0x40000000
+    orr x7, x6, x7
+    str x7, [x5, #8]
+
+    msr ttbr0_el1, x4
+    msr ttbr1_el1, x4
+
+    mov sp, 0x3c000000
+    bl set_2M_kernel_mmu
+
+    mrs x6, sctlr_el1
+    orr x6, x6, #1
+    msr sctlr_el1, x6
+
+    // indirect branch to the next instruction
+    ldr x6, = boot_rest
+    br x6
+
+boot_rest:
+    adr x1, exception_vector_table
+    msr vbar_el1, x1
+
+setup_stack:
+    ldr x3, =_stack_top
+    mov sp, x3
+
+setup_bss:
+    ldr     x1, =__bss_start
+    ldr     w2, =__bss_size
+
+init_bss:
+    cbz     w2, kernel_main
+    str     xzr, [x1], #8
+    sub     w2, w2, #1
+    cbnz    w2, init_bss
+
+kernel_main:
+    ldr     x1, =dtb_ptr
+    str     x0, [x1], #8
+    bl      main                   // branch and update lr with "main"
+
+proc_hang:
+    wfe                            // waiting in low-power state
+    b       proc_hang
+
+from_el2_to_el1:
+    mov x20, (1 << 31)       // EL1 uses aarch64
+    msr hcr_el2, x20         // move x0 to the HCR_EL2 register
+    mov x20, 0x3c5           // EL1h (SPSel = 1) with interrupt disabled
+    msr spsr_el2, x20        // move x0 to the SPSR_EL2 register
+    msr elr_el2, lr         // move the link register to the ELR_EL2 register
+    eret                    // return to EL1
\ No newline at end of file
diff --git a/lab7/src/cpio.c b/lab7/src/cpio.c
new file mode 100644
index 000000000..22b1619d6
--- /dev/null
+++ b/lab7/src/cpio.c
@@ -0,0 +1,50 @@
+#include "cpio.h"
+#include "dtb.h"
+#include "string.h"
+
+void *CPIO_DEFAULT_START;
+void *CPIO_DEFAULT_END;
+
+static unsigned int parse_hex_str(char *s, unsigned int max_len)
+{
+    unsigned int r = 0;
+    for (unsigned int i = 0; i < max_len; i++) {
+        r *= 16;
+        if (s[i] >= '0' && s[i] <= '9')
+            r += s[i] - '0';
+        else if (s[i] >= 'a' && s[i] <= 'f')
+            r += s[i] - 'a' + 10;
+        else if (s[i] >= 'A' && s[i] <= 'F')
+            r += s[i] - 'A' + 10;
+        else
+            return r;
+    }
+    return r;
+}
+
+int cpio_newc_parse_header(struct cpio_newc_header *this_header_pointer, char **pathname, unsigned int *filesize, char **data,
+                           struct cpio_newc_header **next_header_pointer)
+{
+    if (strncmp(this_header_pointer->c_magic, CPIO_NEWC_HEADER_MAGIC, sizeof(this_header_pointer->c_magic)) != 0)
+        return -1;
+
+    *filesize = parse_hex_str(this_header_pointer->c_filesize, 8);
+    *pathname = ((char *)this_header_pointer) + sizeof(struct cpio_newc_header);
+
+    unsigned int pathname_length = parse_hex_str(this_header_pointer->c_namesize, 8);
+    unsigned int offset = pathname_length + sizeof(struct cpio_newc_header);
+    offset = offset % 4 == 0 ? offset : (offset + 4 - offset % 4);
+    *data = (char *)this_header_pointer + offset;
+
+    if (*filesize == 0) {
+        *next_header_pointer = (struct cpio_newc_header *)*data;
+    }
+    else {
+        offset = *filesize;
+        *next_header_pointer = (struct cpio_newc_header *)(*data + (offset % 4 == 0 ? offset : (offset + 4 - offset % 4)));
+    }
+    if (strncmp(*pathname, "TRAILER!!!", sizeof("TRAILER!!!")) == 0)
+        *next_header_pointer = 0;
+
+    return 0;
+}
diff --git a/lab7/src/dev_framebuffer.c b/lab7/src/dev_framebuffer.c
new file mode 100644
index 000000000..b418785b9
--- /dev/null
+++ b/lab7/src/dev_framebuffer.c
@@ -0,0 +1,123 @@
+#include "dev_framebuffer.h"
+#include "exception.h"
+#include "mbox.h"
+#include "memory.h"
+#include "string.h"
+#include "uart1.h"
+#include "vfs.h"
+
+#define MBOX_CH_PROP 8 // property channel
+
+unsigned int width, height, pitch, isrgb; // dimensions and channel order
+unsigned char *lfb;                       // raw framebuffer address
+
+struct file_operations dev_framebuffer_ops = {
+    .read = (void *)dev_framebuffer_op_deny,
+    .write = dev_framebuffer_write,
+    .open = dev_framebuffer_open,
+    .close = dev_framebuffer_close,
+    .lseek64 = dev_framebuffer_lseek64,
+    .getsize = (void *)dev_framebuffer_op_deny,
+};
+
+int init_dev_framebuffer()
+{
+    pt[0] = 35 * 4;
+    pt[1] = MBOX_TAG_REQUEST_CODE;
+
+    pt[2] = 0x48003; // set phy wh
+    pt[3] = 8;
+    pt[4] = 8;
+    pt[5] = 1024; // FrameBufferInfo.width
+    pt[6] = 768;  // FrameBufferInfo.height
+
+    pt[7] = 0x48004; // set virt wh
+    pt[8] = 8;
+    pt[9] = 8;
+    pt[10] = 1024; // FrameBufferInfo.virtual_width
+    pt[11] = 768;  // FrameBufferInfo.virtual_height
+
+    pt[12] = 0x48009; // set virt offset
+    pt[13] = 8;
+    pt[14] = 8;
+    pt[15] = 0; // FrameBufferInfo.x_offset
+    pt[16] = 0; // FrameBufferInfo.y.offset
+
+    pt[17] = 0x48005; // set depth
+    pt[18] = 4;
+    pt[19] = 4;
+    pt[20] = 32; // FrameBufferInfo.depth
+
+    pt[21] = 0x48006; // set pixel order
+    pt[22] = 4;
+    pt[23] = 4;
+    pt[24] = 1; // RGB, not BGR preferably
+
+    pt[25] = 0x40001; // get framebuffer, gets alignment on request
+    pt[26] = 8;
+    pt[27] = 8;
+    pt[28] = 4096; // FrameBufferInfo.pointer
+    pt[29] = 0;    // FrameBufferInfo.size
+
+    pt[30] = 0x40008; // get pitch
+    pt[31] = 4;
+    pt[32] = 4;
+    pt[33] = 0; // FrameBufferInfo.pitch
+
+    pt[34] = MBOX_TAG_LAST_BYTE;
+
+    // this might not return exactly what we asked for, could be
+    // the closest supported resolution instead
+    if (mbox_call(MBOX_TAGS_ARM_TO_VC, (unsigned int)((unsigned long)&pt)) && pt[20] == 32 && pt[28] != 0) {
+        pt[28] &= 0x3FFFFFFF;                                // convert GPU address to ARM address
+        width = pt[5];                                       // get actual physical width
+        height = pt[6];                                      // get actual physical height
+        pitch = pt[33];                                      // get number of bytes per line
+        isrgb = pt[24];                                      // get the actual channel order
+        lfb = PHYS_TO_VIRT((void *)((unsigned long)pt[28])); // raw frame buffer address
+    }
+    else {
+        uart_puts("Unable to set screen resolution to 1024x768x32\n");
+    }
+
+    return register_dev(&dev_framebuffer_ops);
+}
+
+int dev_framebuffer_write(struct file *file, const void *buf, size_t len)
+{
+    lock();
+    if (len + file->f_pos > pitch * height) {
+        len = pitch * height - file->f_pos;
+    }
+
+    memcpy(lfb + file->f_pos, buf, len);
+    file->f_pos += len;
+    unlock();
+    return len;
+}
+
+int dev_framebuffer_open(struct vnode *vn, struct file **f)
+{
+    (*f)->f_ops = 0;
+    (*f)->vnode = vn;
+    (*f)->f_pos = 0;
+    return 0;
+}
+
+long dev_framebuffer_lseek64(struct file *file, long offset, int whence)
+{
+    if (whence == SEEK_SET) {
+        file->f_pos = offset;
+        return file->f_pos;
+    }
+
+    return -1;
+}
+
+int dev_framebuffer_op_deny() { return -1; }
+
+int dev_framebuffer_close(struct file *file)
+{
+    kfree(file);
+    return 0;
+}
\ No newline at end of file
diff --git a/lab7/src/dev_uart.c b/lab7/src/dev_uart.c
new file mode 100644
index 000000000..7d14ebae3
--- /dev/null
+++ b/lab7/src/dev_uart.c
@@ -0,0 +1,50 @@
+#include "dev_uart.h"
+#include "memory.h"
+#include "uart1.h"
+#include "vfs.h"
+
+struct file_operations dev_file_ops = {
+    .open = dev_uart_open,
+    .close = dev_uart_close,
+    .read = dev_uart_read,
+    .write = dev_uart_write,
+    .lseek64 = (void *)op_deny,
+    .getsize = (void *)op_deny,
+};
+
+int init_dev_uart() { return register_dev(&dev_file_ops); }
+
+int dev_uart_write(struct file *file, const void *buf, size_t len)
+{
+    const char *cbuf = buf;
+    for (int i = 0; i < len; i++)
+        // uart_send(cbuf[i]);
+        uart_async_putc(cbuf[i]);
+
+    return len;
+}
+
+int dev_uart_read(struct file *file, void *buf, size_t len)
+{
+    char *cbuf = buf;
+    for (int i = 0; i < len; i++)
+        // cbuf[i] = uart_recv();
+        cbuf[i] = uart_async_getc();
+
+    return len;
+}
+
+int dev_uart_open(struct vnode *file_node, struct file **target)
+{
+    (*target)->vnode = file_node;
+    (*target)->f_ops = &dev_file_ops;
+    return 0;
+}
+
+int dev_uart_close(struct file *file)
+{
+    kfree(file);
+    return 0;
+}
+
+int op_deny() { return -1; }
\ No newline at end of file
diff --git a/lab7/src/dtb.c b/lab7/src/dtb.c
new file mode 100644
index 000000000..ca4c601bd
--- /dev/null
+++ b/lab7/src/dtb.c
@@ -0,0 +1,150 @@
+#include "dtb.h"
+#include "bcm2837/rpi_mmu.h"
+#include "cpio.h"
+#include "memory.h"
+#include "string.h"
+#include "uart1.h"
+
+char *dtb_ptr;
+
+// stored as big endian
+struct fdt_header {
+    uint32_t magic;
+    uint32_t totalsize;
+    uint32_t off_dt_struct;
+    uint32_t off_dt_strings;
+    uint32_t off_mem_rsvmap;
+    uint32_t version;
+    uint32_t last_comp_version;
+    uint32_t boot_cpuid_phys;
+    uint32_t size_dt_strings;
+    uint32_t size_dt_struct;
+};
+
+// memory reservation block - https://zhuanlan.zhihu.com/p/144863497
+struct fdt_reserve_entry {
+    uint64_t address;
+    uint64_t size;
+};
+
+uint32_t uint32_endian_big2lttle(uint32_t data)
+{
+    char *r = (char *)&data;
+    return (r[3] << 0) | (r[2] << 8) | (r[1] << 16) | (r[0] << 24);
+}
+
+uint64_t uint64_endian_big2lttle(uint64_t data)
+{
+    char *r = (char *)&data;
+    return ((unsigned long long)r[7] << 0) | ((unsigned long long)r[6] << 8) | ((unsigned long long)r[5] << 16) | ((unsigned long long)r[4] << 24) |
+           ((unsigned long long)r[3] << 32) | ((unsigned long long)r[2] << 40) | ((unsigned long long)r[1] << 48) | ((unsigned long long)r[0] << 56);
+}
+
+void traverse_device_tree(void *dtb_ptr, dtb_callback callback)
+{
+    struct fdt_header *header = dtb_ptr;
+    if (uint32_endian_big2lttle(header->magic) != 0xD00DFEED) {
+        uart_puts("traverse_device_tree : wrong magic in traverse_device_tree");
+        return;
+    }
+    // https://abcamus.github.io/2016/12/28/uboot%E8%AE%BE%E5%A4%87%E6%A0%91-%E8%A7%A3%E6%9E%90%E8%BF%87%E7%A8%8B/
+    // https://blog.csdn.net/wangdapao12138/article/details/82934127
+    uint32_t struct_size = uint32_endian_big2lttle(header->size_dt_struct);
+    char *dt_struct_ptr = (char *)((char *)header + uint32_endian_big2lttle(header->off_dt_struct));
+    char *dt_strings_ptr = (char *)((char *)header + uint32_endian_big2lttle(header->off_dt_strings));
+
+    char *end = (char *)dt_struct_ptr + struct_size;
+    char *pointer = dt_struct_ptr;
+
+    while (pointer < end) {
+        uint32_t token_type = uint32_endian_big2lttle(*(uint32_t *)pointer);
+
+        pointer += 4;
+        if (token_type == FDT_BEGIN_NODE) {
+            callback(token_type, pointer, 0, 0);
+            pointer += strlen(pointer);
+            pointer += 4 - (unsigned long long)pointer % 4; // alignment 4 byte
+        }
+        else if (token_type == FDT_END_NODE) {
+            callback(token_type, 0, 0, 0);
+        }
+        else if (token_type == FDT_PROP) {
+            uint32_t len = uint32_endian_big2lttle(*(uint32_t *)pointer);
+            pointer += 4;
+            char *name = (char *)dt_strings_ptr + uint32_endian_big2lttle(*(uint32_t *)pointer);
+            pointer += 4;
+            callback(token_type, name, pointer, len);
+            pointer += len;
+            if ((unsigned long long)pointer % 4 != 0)
+                pointer += 4 - (unsigned long long)pointer % 4; // alignment 4 byte
+        }
+        else if (token_type == FDT_NOP) {
+            callback(token_type, 0, 0, 0);
+        }
+        else if (token_type == FDT_END) {
+            callback(token_type, 0, 0, 0);
+        }
+        else {
+            uart_puts("error type:%x\n", token_type);
+            return;
+        }
+    }
+}
+
+void dtb_callback_show_tree(uint32_t node_type, char *name, void *data, uint32_t name_size)
+{
+    static int level = 0;
+    if (node_type == FDT_BEGIN_NODE) {
+        for (int i = 0; i < level; i++)
+            uart_puts("   ");
+        uart_puts("%s{\n", name);
+        level++;
+    }
+    else if (node_type == FDT_END_NODE) {
+        level--;
+        for (int i = 0; i < level; i++)
+            uart_puts("   ");
+        uart_puts("}\n");
+    }
+    else if (node_type == FDT_PROP) {
+        for (int i = 0; i < level; i++)
+            uart_puts("   ");
+        uart_puts("%s\n", name);
+    }
+}
+
+void dtb_callback_initramfs(uint32_t node_type, char *name, void *value, uint32_t name_size)
+{
+    // https://github.com/stweil/raspberrypi-documentation/blob/master/configuration/device-tree.md
+    // linux,initrd-start will be assigned by start.elf based on config.txt
+    if (node_type == FDT_PROP && strcmp(name, "linux,initrd-start") == 0) {
+        CPIO_DEFAULT_START = (void *)(unsigned long long)PHYS_TO_VIRT(uint32_endian_big2lttle(*(uint32_t *)value));
+    }
+    if (node_type == FDT_PROP && strcmp(name, "linux,initrd-end") == 0) {
+        CPIO_DEFAULT_END = (void *)(unsigned long long)PHYS_TO_VIRT(uint32_endian_big2lttle(*(uint32_t *)value));
+    }
+}
+
+void dtb_find_and_store_reserved_memory()
+{
+    struct fdt_header *header = (struct fdt_header *)dtb_ptr;
+    if (uint32_endian_big2lttle(header->magic) != 0xD00DFEED) {
+        uart_puts("traverse_device_tree : wrong magic in traverse_device_tree");
+        return;
+    }
+
+    // off_mem_rsvmap stores all of reserve memory map with address and size
+    char *dt_mem_rsvmap_ptr = (char *)((char *)header + uint32_endian_big2lttle(header->off_mem_rsvmap));
+    struct fdt_reserve_entry *reverse_entry = (struct fdt_reserve_entry *)dt_mem_rsvmap_ptr;
+
+    // reserve memory which is defined by dtb
+    while (reverse_entry->address != 0 || reverse_entry->size != 0) {
+        unsigned long long start = PHYS_TO_VIRT(uint64_endian_big2lttle(reverse_entry->address));
+        unsigned long long end = uint64_endian_big2lttle(reverse_entry->size) + start;
+        memory_reserve(start, end);
+        reverse_entry++;
+    }
+
+    // reserve device tree itself
+    memory_reserve((unsigned long long)dtb_ptr, (unsigned long long)dtb_ptr + uint32_endian_big2lttle(header->totalsize));
+}
diff --git a/lab7/src/entry.S b/lab7/src/entry.S
new file mode 100644
index 000000000..1a39be150
--- /dev/null
+++ b/lab7/src/entry.S
@@ -0,0 +1,144 @@
+// save general registers to stack
+.macro save_all
+    sub sp, sp, 32 * 9
+    stp x0, x1, [sp ,16 * 0]
+    stp x2, x3, [sp ,16 * 1]
+    stp x4, x5, [sp ,16 * 2]
+    stp x6, x7, [sp ,16 * 3]
+    stp x8, x9, [sp ,16 * 4]
+    stp x10, x11, [sp ,16 * 5]
+    stp x12, x13, [sp ,16 * 6]
+    stp x14, x15, [sp ,16 * 7]
+    stp x16, x17, [sp ,16 * 8]
+    stp x18, x19, [sp ,16 * 9]
+    stp x20, x21, [sp ,16 * 10]
+    stp x22, x23, [sp ,16 * 11]
+    stp x24, x25, [sp ,16 * 12]
+    stp x26, x27, [sp ,16 * 13]
+    stp x28, x29, [sp ,16 * 14]
+    str x30, [sp, 16 * 15]
+
+/* 
+    // for nested interrupt
+    mrs x0, spsr_el1
+    str x0, [sp, 16 * 16]
+    mrs x0, elr_el1
+    str x0, [sp, 16 * 17]
+    ldp x0, x1, [sp, 16 * 0] // restore x0, x1
+*/
+
+    // for nested interrupt
+    mrs x0, spsr_el1
+    str x0, [sp, 16 * 15 + 8]
+    mrs x0, elr_el1
+    str x0, [sp, 16 * 16]
+    mrs x0, sp_el0
+    str x0, [sp, 16 * 16 + 8]
+    ldp x0, x1, [sp, 16 * 0] // restore x0, x1
+.endm
+
+// load general registers from stack
+.macro load_all
+    ldp x0, x1, [sp ,16 * 0]
+    ldp x2, x3, [sp ,16 * 1]
+    ldp x4, x5, [sp ,16 * 2]
+    ldp x6, x7, [sp ,16 * 3]
+    ldp x8, x9, [sp ,16 * 4]
+    ldp x10, x11, [sp ,16 * 5]
+    ldp x12, x13, [sp ,16 * 6]
+    ldp x14, x15, [sp ,16 * 7]
+    ldp x16, x17, [sp ,16 * 8]
+    ldp x18, x19, [sp ,16 * 9]
+    ldp x20, x21, [sp ,16 * 10]
+    ldp x22, x23, [sp ,16 * 11]
+    ldp x24, x25, [sp ,16 * 12]
+    ldp x26, x27, [sp ,16 * 13]
+    ldp x28, x29, [sp ,16 * 14]
+    ldr x30, [sp, 16 * 15]
+
+/* 
+    // for nested interrupt
+    ldr x0, [sp, 16 * 16]
+    msr spsr_el1, x0
+    ldr x0, [sp, 16 * 17]
+    msr elr_el1, x0
+    ldp x0, x1, [sp, 16 * 0] // restore x0, x1
+    add sp, sp, 32 * 9
+*/
+
+    // for nested interrupt
+    ldr x0, [sp, 16 * 15 + 8]
+    msr spsr_el1, x0
+    ldr x0, [sp, 16 * 16]
+    msr elr_el1, x0
+    ldr x0, [sp, 16 * 16 + 8]
+    msr sp_el0, x0
+    ldp x0, x1, [sp, 16 * 0] // restore x0, x1
+    add sp, sp, 32 * 9
+.endm
+
+.align 11         // vector table should be aligned to 0x800 (2^11)
+.global exception_vector_table
+exception_vector_table:
+    .align 7
+    b invalid_handler // branch to a handler function.
+    .align 7 // entry size is 0x80, .align will pad 0
+    b invalid_handler
+    .align 7
+    b invalid_handler
+    .align 7
+    b invalid_handler
+    .align 7
+
+    b invalid_handler
+    .align 7
+    b el1h_irq_handler
+    .align 7
+    b invalid_handler
+    .align 7
+    b invalid_handler
+    .align 7
+
+    b el0_sync_handler
+    .align 7
+    b el0_irq_handler
+    .align 7
+    b invalid_handler
+    .align 7
+    b invalid_handler
+    .align 7
+
+    b invalid_handler
+    .align 7
+    b invalid_handler
+    .align 7
+    b invalid_handler
+    .align 7
+    b invalid_handler
+
+
+invalid_handler:
+    save_all
+    load_all
+    eret
+
+el1h_irq_handler:
+    save_all
+    mov x0, sp
+    bl irq_router
+    load_all
+    eret
+
+el0_sync_handler:
+    save_all
+    mov x0, sp
+    bl sync_64_router
+    load_all
+    eret
+
+el0_irq_handler:
+    save_all
+    mov x0, sp
+    bl irq_router
+    load_all
+    eret
\ No newline at end of file
diff --git a/lab7/src/exception.c b/lab7/src/exception.c
new file mode 100644
index 000000000..5c37e06c1
--- /dev/null
+++ b/lab7/src/exception.c
@@ -0,0 +1,127 @@
+#include "exception.h"
+#include "bcm2837/rpi_uart1.h"
+#include "dev_framebuffer.h"
+#include "irqtask.h"
+#include "sched.h"
+#include "signal.h"
+#include "syscall.h"
+#include "timer.h"
+#include "uart1.h"
+
+void sync_64_router(trapframe_t *tpf)
+{
+    el1_interrupt_enable();
+    unsigned long long syscall_no = tpf->x8;
+    switch (syscall_no) {
+    case 0:
+        getpid(tpf);
+        break;
+    case 1:
+        uartread(tpf, (char *)tpf->x0, tpf->x1);
+        break;
+    case 2:
+        uartwrite(tpf, (char *)tpf->x0, tpf->x1);
+        break;
+    case 3:
+        exec(tpf, (char *)tpf->x0, (char **)tpf->x1);
+        break;
+    case 4:
+        fork(tpf);
+        break;
+    case 5:
+        exit(tpf, tpf->x0);
+        break;
+    case 6:
+        syscall_mbox_call(tpf, (unsigned char)tpf->x0, (unsigned int *)tpf->x1);
+        break;
+    case 7:
+        kill(tpf, (int)tpf->x0);
+        break;
+    case 8:
+        signal_register(tpf->x0, (void (*)())tpf->x1);
+        break;
+    case 9:
+        signal_kill(tpf->x0, tpf->x1);
+        break;
+    case 11:
+        open(tpf, (char *)tpf->x0, tpf->x1);
+        break;
+    case 12:
+        close(tpf, tpf->x0);
+        break;
+    case 13:
+        write(tpf, tpf->x0, (void *)tpf->x1, tpf->x2);
+        break;
+    case 14:
+        read(tpf, tpf->x0, (void *)tpf->x1, tpf->x2);
+        break;
+    case 15:
+        mkdir(tpf, (char *)tpf->x0, tpf->x1);
+        break;
+    case 16:
+        mount(tpf, (char *)tpf->x0, (char *)tpf->x1, (char *)tpf->x2, tpf->x3, (void *)tpf->x4);
+        break;
+    case 17:
+        chdir(tpf, (char *)tpf->x0);
+        break;
+    case 18:
+        lseek64(tpf, tpf->x0, tpf->x1, tpf->x2);
+        break;
+    case 19:
+        ioctl(tpf, tpf->x0, tpf->x1, (void *)tpf->x2);
+        break;
+    case 50:
+        sigreturn(tpf);
+        break;
+    default:
+        break;
+    }
+}
+
+void irq_router(trapframe_t *tpf)
+{
+    if (*IRQ_PENDING_1 & IRQ_PENDING_1_AUX_INT && *CORE0_INTERRUPT_SOURCE & INTERRUPT_SOURCE_GPU) {
+        if (*AUX_MU_IIR_REG & (1 << 1)) // can write
+        {
+            *AUX_MU_IER_REG &= ~(2); // disable write interrupt
+            irqtask_add(uart_w_irq_handler, UART_IRQ_PRIORITY);
+            irqtask_run_preemptive();
+        }
+        else if (*AUX_MU_IIR_REG & (0b10 << 1)) // can read
+        {
+            *AUX_MU_IER_REG &= ~(1); // disable read interrupt
+            irqtask_add(uart_r_irq_handler, UART_IRQ_PRIORITY);
+            irqtask_run_preemptive();
+        }
+    }
+    else if (*CORE0_INTERRUPT_SOURCE & INTERRUPT_SOURCE_CNTPNSIRQ) {
+        core_timer_disable();
+        irqtask_add(core_timer_handler, TIMER_IRQ_PRIORITY);
+        irqtask_run_preemptive();
+        core_timer_enable();
+
+        el1_interrupt_disable();
+
+        if (run_queue->next->next != run_queue)
+            schedule();
+    }
+    if ((tpf->spsr_el1 & 0b1100) == 0) {
+        check_signal(tpf);
+    }
+
+    el1_interrupt_disable();
+}
+
+static unsigned long long lock_count = 0;
+void lock()
+{
+    el1_interrupt_disable();
+    lock_count++;
+}
+
+void unlock()
+{
+    lock_count--;
+    if (lock_count == 0)
+        el1_interrupt_enable();
+}
diff --git a/lab7/src/initramfs.c b/lab7/src/initramfs.c
new file mode 100644
index 000000000..71f22b72a
--- /dev/null
+++ b/lab7/src/initramfs.c
@@ -0,0 +1,143 @@
+#include "initramfs.h"
+#include "cpio.h"
+#include "memory.h"
+#include "string.h"
+#include "uart1.h"
+#include "vfs.h"
+
+struct file_operations initramfs_file_ops = {
+    .write = initramfs_write,
+    .read = initramfs_read,
+    .open = initramfs_open,
+    .close = initramfs_close,
+    .lseek64 = initramfs_lseek64,
+    .getsize = initramfs_getsize,
+};
+struct vnode_operations initramfs_vnode_ops = {
+    .lookup = initramfs_lookup,
+    .create = initramfs_create,
+    .mkdir = initramfs_mkdir,
+};
+
+int register_initramfs()
+{
+    struct filesystem fs;
+    fs.name = "initramfs";
+    fs.setup_mount = initramfs_setup_mount;
+    return register_filesystem(&fs);
+}
+
+int initramfs_setup_mount(struct filesystem *fs, struct mount *_mount)
+{
+    _mount->fs = fs;
+    _mount->root = initramfs_create_vnode(0, TMPFS_DIR);
+
+    struct initramfs_inode *ramdir_inode = _mount->root->internal; // root inode
+
+    // add all files in initramfs to the root directory
+    int idx = 0;
+    unsigned int filesize;
+    char *filepath, *filedata;
+    struct cpio_newc_header *header = CPIO_DEFAULT_START;
+
+    while (header != 0) {
+        int error = cpio_newc_parse_header(header, &filepath, &filesize, &filedata, &header);
+        if (error) {
+            uart_printf("Error parsing cpio header\n");
+            break;
+        }
+
+        if (header) {
+            struct vnode *f_vnode = initramfs_create_vnode(0, TMPFS_FILE);
+            struct initramfs_inode *f_inode = f_vnode->internal;
+
+            f_inode->name = filepath;
+            f_inode->data = filedata;
+            f_inode->datasize = filesize;
+            ramdir_inode->entry[idx++] = f_vnode; // add file to root directory
+        }
+    }
+
+    return 0;
+}
+
+struct vnode *initramfs_create_vnode(struct mount *_mount, enum fsnode_type type)
+{
+    struct vnode *v = kmalloc(sizeof(struct vnode));
+    v->f_ops = &initramfs_file_ops;
+    v->v_ops = &initramfs_vnode_ops;
+    v->mount = _mount;
+
+    struct initramfs_inode *inode = kmalloc(sizeof(struct initramfs_inode));
+    memset(inode, 0, sizeof(struct initramfs_inode));
+    inode->type = type;
+    inode->data = kmalloc(0x1000);
+
+    v->internal = inode;
+    return v;
+}
+
+int initramfs_write(struct file *file, const void *buf, size_t len) { return -1; }
+
+int initramfs_read(struct file *file, void *buf, size_t len)
+{
+    struct initramfs_inode *inode = file->vnode->internal;
+    if (len + file->f_pos > inode->datasize)
+        len = inode->datasize - file->f_pos;
+
+    memcpy(buf, inode->data + file->f_pos, len);
+    file->f_pos += len;
+    return len;
+}
+
+int initramfs_open(struct vnode *file_node, struct file **target)
+{
+    (*target)->vnode = file_node;
+    (*target)->f_ops = file_node->f_ops;
+    (*target)->f_pos = 0;
+    return 0;
+}
+
+int initramfs_close(struct file *file)
+{
+    kfree(file);
+    return 0;
+}
+
+long initramfs_lseek64(struct file *file, long offset, int whence)
+{
+    if (whence == SEEK_SET) {
+        file->f_pos = offset;
+        return file->f_pos;
+    }
+    return -1;
+}
+
+long initramfs_getsize(struct vnode *vd)
+{
+    struct initramfs_inode *inode = vd->internal;
+    return inode->datasize;
+}
+
+int initramfs_lookup(struct vnode *dir_node, struct vnode **target, const char *component_name)
+{
+    struct initramfs_inode *dir_inode = dir_node->internal;
+    int child_idx = 0;
+    for (; child_idx < INITRAMFS_MAX_DIR_ENTRIES; child_idx++) {
+        struct vnode *vnode = dir_inode->entry[child_idx];
+        if (!vnode)
+            break;
+
+        struct initramfs_inode *inode = vnode->internal;
+        if (strcmp(inode->name, component_name) == 0) {
+            *target = vnode;
+            return 0;
+        }
+    }
+
+    return -1;
+}
+
+int initramfs_create(struct vnode *dir_node, struct vnode **target, const char *component_name) { return -1; }
+
+int initramfs_mkdir(struct vnode *dir_node, struct vnode **target, const char *component_name) { return -1; }
diff --git a/lab7/src/irqtask.c b/lab7/src/irqtask.c
new file mode 100644
index 000000000..fb78201e6
--- /dev/null
+++ b/lab7/src/irqtask.c
@@ -0,0 +1,65 @@
+#include "irqtask.h"
+#include "exception.h"
+#include "memory.h"
+#include "uart1.h"
+
+int curr_task_priority = 9999;
+struct list_head *task_list;
+
+void irqtask_init_list()
+{
+    task_list = kmalloc(sizeof(list_head_t));
+    INIT_LIST_HEAD(task_list);
+}
+
+void irqtask_add(void *task_function,unsigned long long priority){
+
+    irqtask_t *the_task = kmalloc(sizeof(irqtask_t)); //need to kfree by task runner
+    the_task->priority = priority;
+    the_task->task_function = task_function;
+
+    lock();
+    struct list_head *curr;
+    list_for_each(curr, task_list)
+    {
+        if (((irqtask_t *)curr)->priority > the_task->priority)
+        {
+            list_add(&the_task->listhead, curr->prev);
+            break;
+        }
+    }
+    if (list_is_head(curr, task_list)) list_add_tail(&(the_task->listhead), task_list); // for the time is the biggest
+    unlock();
+}
+
+void irqtask_run_preemptive(){
+    while (1)
+    {
+        lock();
+        if (list_empty(task_list))
+        {
+            unlock();
+            break;
+        }
+
+        irqtask_t *the_task = (irqtask_t *)task_list->next;
+        if (curr_task_priority <= the_task->priority)
+        {
+            unlock();
+            break;
+        }
+        list_del_entry((struct list_head *)the_task);
+        int prev_task_priority = curr_task_priority;
+        curr_task_priority = the_task->priority;
+
+        unlock();
+        irqtask_run(the_task);
+        curr_task_priority = prev_task_priority;
+        kfree(the_task);
+    }
+}
+
+void irqtask_run(irqtask_t *the_task)
+{
+    ((void (*)())the_task->task_function)();
+}
diff --git a/lab7/src/linker.ld b/lab7/src/linker.ld
new file mode 100644
index 000000000..ee5b2083e
--- /dev/null
+++ b/lab7/src/linker.ld
@@ -0,0 +1,27 @@
+SECTIONS
+{
+    . = 0xffff000000000000;
+    . += 0x80000;
+    _kernel_start = .;
+    .text : { KEEP(*(.text.boot)) *(.text .text.* .gnu.linkonce.t*) }
+    .rodata : { *(.rodata .rodata.* .gnu.linkonce.r*) }
+    PROVIDE(_data = .);
+    .data : { *(.data .data.* .gnu.linkonce.d*) }
+    .bss (NOLOAD) : {
+        . = ALIGN(16);
+        __bss_start = .;
+        *(.bss .bss.*)
+        *(COMMON)
+        __bss_end = .;
+    }
+    _kernel_end = .;
+    _heap_start = .;
+
+    . = 0xffff00002c000000;
+    _stack_end = .;
+    . = 0xffff00003c000000;
+    _stack_top = .;
+
+   /DISCARD/ : { *(.comment) *(.gnu*) *(.note*) *(.eh_frame*) }
+}
+__bss_size = (__bss_end - __bss_start) >> 3;
diff --git a/lab7/src/main.c b/lab7/src/main.c
new file mode 100644
index 000000000..d170c09cd
--- /dev/null
+++ b/lab7/src/main.c
@@ -0,0 +1,40 @@
+#include "dtb.h"
+#include "exception.h"
+#include "irqtask.h"
+#include "memory.h"
+#include "sched.h"
+#include "shell.h"
+#include "timer.h"
+#include "uart1.h"
+#include "vfs.h"
+
+void main(char *arg)
+{
+    char input_buffer[CMD_MAX_LEN];
+
+    dtb_ptr = PHYS_TO_VIRT(arg);
+    traverse_device_tree(dtb_ptr, dtb_callback_initramfs); // get initramfs location from dtb
+
+    init_allocator();
+
+    uart_init();
+    irqtask_init_list();
+    timer_list_init();
+
+    init_thread_sched();
+
+    // Register filesystems
+    init_rootfs();
+
+    uart_interrupt_enable();
+    el1_interrupt_enable(); // enable interrupt in EL1 -> EL1
+    core_timer_enable();
+
+    uart_puts("\n");
+    while (1) {
+        cli_cmd_clear(input_buffer, CMD_MAX_LEN);
+        uart_puts("# ");
+        cli_cmd_read(input_buffer);
+        cli_cmd_exec(input_buffer);
+    }
+}
diff --git a/lab7/src/mbox.c b/lab7/src/mbox.c
new file mode 100644
index 000000000..148f36d3b
--- /dev/null
+++ b/lab7/src/mbox.c
@@ -0,0 +1,24 @@
+#include "mbox.h"
+#include "bcm2837/rpi_mbox.h"
+
+/* Aligned to 16-byte boundary while we have 28-bits for VC */
+volatile unsigned int __attribute__((aligned(16))) pt[36];
+
+int mbox_call(mbox_channel_type channel, unsigned int value)
+{
+    // Add channel to lower 4 bit
+    value &= ~(0xF);
+    value |= channel;
+    while ((*MBOX_STATUS & BCM_ARM_VC_MS_FULL) != 0) {
+    }
+    // Write to Register
+    *MBOX_WRITE = value;
+    while (1) {
+        while (*MBOX_STATUS & BCM_ARM_VC_MS_EMPTY) {
+        }
+        // Read from Register
+        if (value == *MBOX_READ)
+            return pt[1] == MBOX_REQUEST_SUCCEED;
+    }
+    return 0;
+}
diff --git a/lab7/src/memory.c b/lab7/src/memory.c
new file mode 100644
index 000000000..5e95de296
--- /dev/null
+++ b/lab7/src/memory.c
@@ -0,0 +1,369 @@
+#include "memory.h"
+#include "cpio.h"
+#include "dtb.h"
+#include "exception.h"
+#include "list.h"
+#include "mmu.h"
+#include "uart1.h"
+
+extern char _heap_start;
+static char *htop_ptr = &_heap_start;
+
+extern char _kernel_start;
+extern char _kernel_end;
+extern char _stack_end;
+extern char _stack_top;
+
+#ifdef DEBUG
+#define memory_sendline(fmt, args...) uart_printf(fmt, ##args)
+#else
+#define memory_sendline(fmt, args...) (void)0
+#endif
+
+// ------ Lab2 ------
+void *s_allocator(unsigned int size)
+{
+    // -> htop_ptr
+    // htop_ptr + 0x02:  heap_block size
+    // htop_ptr + 0x10 ~ htop_ptr + 0x10 * k:
+    //            { heap_block }
+    // -> htop_ptr
+
+    // 0x10 for heap_block header
+    char *r = htop_ptr + 0x10;
+    // size paddling to multiple of 0x10
+    size = 0x10 + size - size % 0x10;
+    *(unsigned int *)(r - 0x8) = size;
+    htop_ptr += size;
+    return r;
+}
+
+void s_free(void *ptr)
+{
+    // TBD
+}
+
+// ------ Lab4 ------
+static frame_t *frame_array;                      // store memory's statement and page's corresponding index
+static list_head_t frame_freelist[FRAME_MAX_IDX]; // store available block for page
+static list_head_t cache_list[CACHE_MAX_IDX];     // store available block for cache
+
+void init_allocator()
+{
+    frame_array = s_allocator(BUDDY_MEMORY_PAGE_COUNT * sizeof(frame_t));
+
+    // init frame_array
+    for (int i = 0; i < BUDDY_MEMORY_PAGE_COUNT; i++) {
+        if (i % (1 << FRAME_IDX_FINAL) == 0) {
+            frame_array[i].val = FRAME_IDX_FINAL;
+            frame_array[i].used = FRAME_FREE;
+        }
+    }
+
+    // init frame freelist
+    for (int i = FRAME_IDX_0; i <= FRAME_IDX_FINAL; i++) {
+        INIT_LIST_HEAD(&frame_freelist[i]);
+    }
+
+    // init cache list
+    for (int i = CACHE_IDX_0; i <= CACHE_IDX_FINAL; i++) {
+        INIT_LIST_HEAD(&cache_list[i]);
+    }
+
+    for (int i = 0; i < BUDDY_MEMORY_PAGE_COUNT; i++) {
+        // init listhead for each frame
+        INIT_LIST_HEAD(&frame_array[i].listhead);
+        frame_array[i].idx = i;
+        frame_array[i].cache_order = CACHE_NONE;
+
+        // add init frame (FRAME_IDX_FINAL) into freelist
+        if (i % (1 << FRAME_IDX_FINAL) == 0) {
+            list_add(&frame_array[i].listhead, &frame_freelist[FRAME_IDX_FINAL]);
+        }
+    }
+
+    /* Startup reserving the following region:
+    Spin tables for multicore boot (0x0000 - 0x1000)
+    Devicetree (Optional, if you have implement it)
+    Kernel image in the physical memory
+    Your simple allocator (startup allocator) (Stack + Heap in my case)
+    Initramfs
+    */
+    memory_sendline("\r\n* Startup Allocation *\r\n");
+    memory_sendline("buddy system: usable memory region: 0x%x ~ 0x%x\n", BUDDY_MEMORY_BASE, BUDDY_MEMORY_BASE + BUDDY_MEMORY_PAGE_COUNT * PAGESIZE);
+    dtb_find_and_store_reserved_memory(); // find spin tables in dtb
+    memory_reserve(PHYS_TO_VIRT(MMU_PGD_ADDR),
+                   PHYS_TO_VIRT(MMU_PTE_ADDR + 0x2000)); // // PGD's page frame at 0x1000 // PUD's page frame at 0x2000 PMD 0x3000-0x5000
+    memory_reserve((unsigned long long)&_kernel_start, (unsigned long long)&_kernel_end); // kernel
+    memory_reserve((unsigned long long)&_stack_end, (unsigned long long)&_stack_top);     // heap & stack -> simple allocator
+    memory_reserve((unsigned long long)CPIO_DEFAULT_START, (unsigned long long)CPIO_DEFAULT_END);
+}
+
+void *page_malloc(unsigned int size)
+{
+    memory_sendline("    [+] Allocate page - size : %d(0x%x)\r\n", size, size);
+    memory_sendline("        Before\r\n");
+    dump_page_info();
+    int val;
+    // turn size into minimum 4KB * 2**val
+    for (int i = FRAME_IDX_0; i <= FRAME_IDX_FINAL; i++) {
+
+        if (size <= (PAGESIZE << i)) {
+            val = i;
+            memory_sendline("        block size = 0x%x\n", PAGESIZE << i);
+            break;
+        }
+
+        if (i == FRAME_IDX_FINAL) {
+            memory_sendline("[!] request size exceeded for page_malloc!!!!\r\n");
+            return (void *)0;
+        }
+    }
+
+    // find the smallest larger frame in freelist
+    int target_val;
+    for (target_val = val; target_val <= FRAME_IDX_FINAL; target_val++) {
+        // freelist does not have 2**i order frame, going for next order
+        if (!list_empty(&frame_freelist[target_val]))
+            break;
+    }
+    if (target_val > FRAME_IDX_FINAL) {
+        memory_sendline("[!] No available frame in freelist, page_malloc ERROR!!!!\r\n");
+        return (void *)0;
+    }
+
+    // get the available frame from freelist
+    frame_t *target_frame_ptr = (frame_t *)frame_freelist[target_val].next;
+    list_del_entry((struct list_head *)target_frame_ptr);
+
+    // Release redundant memory block to separate into pieces
+    for (int j = target_val; j > val; j--) // ex: 10000 -> 01111
+    {
+        release_redundant(target_frame_ptr);
+    }
+
+    // Allocate it
+    target_frame_ptr->used = FRAME_ALLOCATED;
+    memory_sendline("        physical address : 0x%x\n", BUDDY_MEMORY_BASE + (PAGESIZE * (target_frame_ptr->idx)));
+    memory_sendline("        After\r\n");
+    dump_page_info();
+
+    return (void *)BUDDY_MEMORY_BASE + (PAGESIZE * (target_frame_ptr->idx));
+}
+
+void page_free(void *ptr)
+{
+    frame_t *target_frame_ptr =
+        &frame_array[((unsigned long long)ptr - BUDDY_MEMORY_BASE) >> 12]; // PAGESIZE * Available Region -> 0x1000 * 0x10000000 // SPEC #1, #2
+    memory_sendline("    [+] Free page: 0x%x, val = %d\r\n", ptr, target_frame_ptr->val);
+    memory_sendline("        Before\r\n");
+    dump_page_info();
+    target_frame_ptr->used = FRAME_FREE;
+    frame_t *temp;
+    while ((temp = coalesce(target_frame_ptr)) != (frame_t *)-1)
+        target_frame_ptr = temp;
+    list_add(&target_frame_ptr->listhead, &frame_freelist[target_frame_ptr->val]);
+    memory_sendline("        After\r\n");
+    dump_page_info();
+}
+
+frame_t *release_redundant(frame_t *frame)
+{
+    // order -1 -> add its buddy to free list (frame itself will be used in master function)
+    frame->val -= 1;
+    frame_t *buddyptr = get_buddy(frame);
+    buddyptr->val = frame->val;
+    list_add(&buddyptr->listhead, &frame_freelist[buddyptr->val]);
+    return frame;
+}
+
+frame_t *get_buddy(frame_t *frame)
+{
+    // XOR(idx, order)
+    return &frame_array[frame->idx ^ (1 << frame->val)];
+}
+
+frame_t *coalesce(frame_t *frame_ptr)
+{
+    frame_t *buddy = get_buddy(frame_ptr);
+    // frame is the boundary
+    if (frame_ptr->val == FRAME_IDX_FINAL)
+        return (frame_t *)-1;
+
+    // Order must be the same: 2**i + 2**i = 2**(i+1)
+    if (frame_ptr->val != buddy->val)
+        return (frame_t *)-1;
+
+    // buddy is in used
+    if (buddy->used == FRAME_ALLOCATED)
+        return (frame_t *)-1;
+
+    list_del_entry((struct list_head *)buddy);
+    frame_ptr->val += 1;
+    buddy->val += 1;
+    memory_sendline("    coalesce detected, merging 0x%x, 0x%x, -> val = %d\r\n", frame_ptr->idx, buddy->idx, frame_ptr->val);
+    return buddy < frame_ptr ? buddy : frame_ptr;
+}
+
+void dump_page_info()
+{
+    unsigned int exp2 = 1;
+    memory_sendline("        ----------------- [  Number of Available Page Blocks  ] -----------------\r\n        | ");
+    for (int i = FRAME_IDX_0; i <= FRAME_IDX_FINAL; i++) {
+        memory_sendline("%4dKB(%1d) ", 4 * exp2, i);
+        exp2 *= 2;
+    }
+    memory_sendline("|\r\n        | ");
+    for (int i = FRAME_IDX_0; i <= FRAME_IDX_FINAL; i++)
+        memory_sendline("     %4d ", list_size(&frame_freelist[i]));
+    memory_sendline("|\r\n");
+}
+
+void dump_cache_info()
+{
+    unsigned int exp2 = 1;
+    memory_sendline("    -- [  Number of Available Cache Blocks ] --\r\n    | ");
+    for (int i = CACHE_IDX_0; i <= CACHE_IDX_FINAL; i++) {
+        memory_sendline("%4dB(%1d) ", 32 * exp2, i);
+        exp2 *= 2;
+    }
+    memory_sendline("|\r\n    | ");
+    for (int i = CACHE_IDX_0; i <= CACHE_IDX_FINAL; i++)
+        memory_sendline("   %5d ", list_size(&cache_list[i]));
+    memory_sendline("|\r\n");
+}
+
+void page2caches(int order)
+{
+    // make caches from a smallest-size page
+    char *page = page_malloc(PAGESIZE);
+    frame_t *pageframe_ptr = &frame_array[((unsigned long long)page - BUDDY_MEMORY_BASE) >> 12];
+    pageframe_ptr->cache_order = order;
+
+    // split page into a lot of caches and push them into cache_list
+    int cachesize = (32 << order);
+    for (int i = 0; i < PAGESIZE; i += cachesize) {
+        list_head_t *c = (list_head_t *)(page + i);
+        list_add(c, &cache_list[order]);
+    }
+}
+
+void *cache_malloc(unsigned int size)
+{
+    memory_sendline("[+] Allocate cache - size : %d(0x%x)\r\n", size, size);
+    memory_sendline("    Before\r\n");
+    dump_cache_info();
+
+    // turn size into cache order: 32B * 2**order
+    int order;
+    for (int i = CACHE_IDX_0; i <= CACHE_IDX_FINAL; i++) {
+        if (size <= (32 << i)) {
+            order = i;
+            break;
+        }
+    }
+
+    // if no available cache in list, assign one page for it
+    if (list_empty(&cache_list[order])) {
+        page2caches(order);
+    }
+
+    list_head_t *r = cache_list[order].next;
+    list_del_entry(r);
+    memory_sendline("    physical address : 0x%x\n", r);
+    memory_sendline("    After\r\n");
+    dump_cache_info();
+    return r;
+}
+
+void cache_free(void *ptr)
+{
+    list_head_t *c = (list_head_t *)ptr;
+    frame_t *pageframe_ptr = &frame_array[((unsigned long long)ptr - BUDDY_MEMORY_BASE) >> 12];
+    memory_sendline("[+] Free cache: 0x%x, val = %d\r\n", ptr, pageframe_ptr->cache_order);
+    memory_sendline("    Before\r\n");
+    dump_cache_info();
+    list_add(c, &cache_list[pageframe_ptr->cache_order]);
+    memory_sendline("    After\r\n");
+    dump_cache_info();
+}
+
+void *kmalloc(unsigned int size)
+{
+    lock();
+    memory_sendline("\n\n");
+    memory_sendline("================================\r\n");
+    memory_sendline("[+] Request kmalloc size: %d\r\n", size);
+    memory_sendline("================================\r\n");
+    // if size is larger than cache size, go for page
+    if (size > (32 << CACHE_IDX_FINAL)) {
+        void *r = page_malloc(size);
+        unlock();
+        return r;
+    }
+    // go for cache
+    void *r = cache_malloc(size);
+    unlock();
+    return r;
+}
+
+void kfree(void *ptr)
+{
+    lock();
+    memory_sendline("\n\n");
+    memory_sendline("==========================\r\n");
+    memory_sendline("[+] Request kfree 0x%x\r\n", ptr);
+    memory_sendline("==========================\r\n");
+    // If no cache assigned, go for page
+    if ((unsigned long long)ptr % PAGESIZE == 0 && frame_array[((unsigned long long)ptr - BUDDY_MEMORY_BASE) >> 12].cache_order == CACHE_NONE) {
+        page_free(ptr);
+        unlock();
+        return;
+    }
+    // go for cache
+    cache_free(ptr);
+    unlock();
+}
+
+void memory_reserve(unsigned long long start, unsigned long long end)
+{
+    start -= start % PAGESIZE;                                      // floor (align 0x1000)
+    end = end % PAGESIZE ? end + PAGESIZE - (end % PAGESIZE) : end; // ceiling (align 0x1000)
+
+    uart_printf("Reserved Memory: ");
+    uart_printf("start 0x%x ~ ", start);
+    uart_printf("end 0x%x\r\n", end);
+
+    // delete page from free list
+    for (int order = FRAME_IDX_FINAL; order >= 0; order--) {
+        list_head_t *pos;
+        list_for_each(pos, &frame_freelist[order])
+        {
+            unsigned long long pagestart = ((frame_t *)pos)->idx * PAGESIZE + BUDDY_MEMORY_BASE;
+            unsigned long long pageend = pagestart + (PAGESIZE << order);
+
+            if (start <= pagestart && end >= pageend) // if page all in reserved memory -> delete it from freelist
+            {
+                ((frame_t *)pos)->used = FRAME_ALLOCATED;
+                memory_sendline("    [!] Reserved page in 0x%x - 0x%x\n", pagestart, pageend);
+                memory_sendline("        Before\n");
+                dump_page_info();
+                list_del_entry(pos);
+                memory_sendline("        Remove usable block for reserved memory: order %d\r\n", order);
+                memory_sendline("        After\n");
+                dump_page_info();
+            }
+            else if (start >= pageend || end <= pagestart) // no intersection
+            {
+                continue;
+            }
+            else // partial intersection, separate the page into smaller size.
+            {
+                list_del_entry(pos);
+                list_head_t *temppos = pos->prev;
+                list_add(&release_redundant((frame_t *)pos)->listhead, &frame_freelist[order - 1]);
+                pos = temppos;
+            }
+        }
+    }
+}
diff --git a/lab7/src/mmu.c b/lab7/src/mmu.c
new file mode 100644
index 000000000..1fe8440ff
--- /dev/null
+++ b/lab7/src/mmu.c
@@ -0,0 +1,77 @@
+#include "mmu.h"
+#include "bcm2837/rpi_mmu.h"
+#include "memory.h"
+#include "string.h"
+
+void *set_2M_kernel_mmu(void *x0)
+{
+    // Turn
+    //   Two-level Translation (1GB) - in boot.S
+    // to
+    //   Three-level Translation (2MB) - set PUD point to new table
+    unsigned long *pud_table = (unsigned long *)MMU_PUD_ADDR;
+
+    unsigned long *pud_table1 = (unsigned long *)MMU_PTE_ADDR;
+    unsigned long *pud_table2 = (unsigned long *)(MMU_PTE_ADDR + 0x1000L);
+    for (int i = 0; i < 512; i++) {
+        unsigned long addr = 0x200000L * i;
+        if (addr >= PERIPHERAL_END) {
+            pud_table1[i] = (0x00000000 + addr) + BOOT_PTE_ATTR_nGnRnE;
+            continue;
+        }
+        pud_table1[i] = (0x00000000 + addr) + BOOT_PTE_ATTR_NOCACHE; //   0 * 2MB
+        pud_table2[i] = (0x40000000 + addr) + BOOT_PTE_ATTR_NOCACHE; // 512 * 2MB
+    }
+
+    // set PUD
+    pud_table[0] = (unsigned long)pud_table1 + BOOT_PUD_ATTR;
+    pud_table[1] = (unsigned long)pud_table2 + BOOT_PUD_ATTR;
+
+    return x0;
+}
+
+void map_one_page(size_t *virt_pgd_p, size_t va, size_t pa)
+{
+    size_t *table_p = virt_pgd_p;
+    for (int level = 0; level < 4; level++) {
+        unsigned int idx = (va >> (39 - level * 9)) & 0x1ff;
+
+        if (level == 3) {
+            table_p[idx] = pa;
+            table_p[idx] |= PD_ACCESS | PD_TABLE | (MAIR_IDX_NORMAL_NOCACHE << 2) | (PD_UK_ACCESS);
+            return;
+        }
+
+        if (!table_p[idx]) {
+            size_t *newtable_p = kmalloc(0x1000);
+            memset(newtable_p, 0, 0x1000);
+            table_p[idx] = VIRT_TO_PHYS((size_t)newtable_p);
+            table_p[idx] |= PD_ACCESS | PD_TABLE | (MAIR_IDX_NORMAL_NOCACHE << 2) | PD_UK_ACCESS;
+        }
+
+        table_p = (size_t *)PHYS_TO_VIRT((size_t)(table_p[idx] & ENTRY_ADDR_MASK));
+    }
+}
+
+void mappages(size_t *virt_pgd_p, size_t va, size_t size, size_t pa)
+{
+    for (size_t s = 0; s < size; s += 0x1000) {
+        map_one_page(virt_pgd_p, va + s, pa + s);
+    }
+}
+
+void free_page_tables(size_t *page_table, int level)
+{
+    size_t *table_virt = (size_t *)PHYS_TO_VIRT((char *)page_table);
+    for (int i = 0; i < 512; i++) {
+        if (table_virt[i] != 0) {
+            size_t *next_table = (size_t *)(table_virt[i] & ENTRY_ADDR_MASK);
+            if (table_virt[i] & PD_TABLE) {
+                if (level != 2)
+                    free_page_tables(next_table, level + 1);
+                table_virt[i] = 0L;
+                kfree(PHYS_TO_VIRT((char *)next_table));
+            }
+        }
+    }
+}
diff --git a/lab7/src/sched.S b/lab7/src/sched.S
new file mode 100644
index 000000000..e3f75c565
--- /dev/null
+++ b/lab7/src/sched.S
@@ -0,0 +1,59 @@
+.global switch_to
+switch_to:
+    stp x19, x20, [x0, 16 * 0]
+    stp x21, x22, [x0, 16 * 1]
+    stp x23, x24, [x0, 16 * 2]
+    stp x25, x26, [x0, 16 * 3]
+    stp x27, x28, [x0, 16 * 4]
+    stp fp, lr, [x0, 16 * 5]
+    mov x9, sp
+    str x9, [x0, 16 * 6]
+    //mrs x9, ttbr0_el1
+    //str x9, [x0, 16 * 6 + 8]
+
+    ldp x19, x20, [x1, 16 * 0]
+    ldp x21, x22, [x1, 16 * 1]
+    ldp x23, x24, [x1, 16 * 2]
+    ldp x25, x26, [x1, 16 * 3]
+    ldp x27, x28, [x1, 16 * 4]
+    ldp fp, lr, [x1, 16 * 5]
+    ldp x9, x0, [x1, 16 * 6]
+    mov sp,  x9
+ 
+    dsb ish           // ensure write has completed, lock for context switch
+    msr ttbr0_el1, x0 // switch translation based address.
+    tlbi vmalle1is    // invalidate all TLB entries in stage 1, el1 and inner shareable
+    dsb ish           // ensure completion of TLB invalidatation
+    isb               // clear pipeline
+
+    msr tpidr_el1, x1
+    ret
+
+.global store_context
+store_context:
+    stp x19, x20, [x0, 16 * 0]
+    stp x21, x22, [x0, 16 * 1]
+    stp x23, x24, [x0, 16 * 2]
+    stp x25, x26, [x0, 16 * 3]
+    stp x27, x28, [x0, 16 * 4]
+    stp fp, lr, [x0, 16 * 5]
+    mov x9, sp
+    str x9, [x0, 16 * 6]
+    ret
+
+.global load_context
+load_context:
+    ldp x19, x20, [x0, 16 * 0]
+    ldp x21, x22, [x0, 16 * 1]
+    ldp x23, x24, [x0, 16 * 2]
+    ldp x25, x26, [x0, 16 * 3]
+    ldp x27, x28, [x0, 16 * 4]
+    ldp fp, lr, [x0, 16 * 5]
+    ldr x9, [x0, 16 * 6]
+    mov sp,  x9
+    ret
+
+.global get_current
+get_current:
+    mrs x0, tpidr_el1
+    ret
diff --git a/lab7/src/sched.c b/lab7/src/sched.c
new file mode 100644
index 000000000..8bbfd4874
--- /dev/null
+++ b/lab7/src/sched.c
@@ -0,0 +1,167 @@
+#include "sched.h"
+#include "exception.h"
+#include "memory.h"
+#include "mmu.h"
+#include "signal.h"
+#include "string.h"
+#include "timer.h"
+#include "uart1.h"
+
+thread_t *curr_thread;
+list_head_t *run_queue;
+thread_t threads[PIDMAX + 1];
+
+void init_thread_sched()
+{
+    lock();
+    run_queue = kmalloc(sizeof(list_head_t));
+    INIT_LIST_HEAD(run_queue);
+
+    // init pids
+    for (int i = 0; i <= PIDMAX; i++) {
+        threads[i].isused = 0;
+        threads[i].pid = i;
+        threads[i].iszombie = 0;
+    }
+
+    thread_t *idlethread = thread_create(idle, 0x1000);
+    curr_thread = idlethread;
+    asm volatile("msr tpidr_el1, %0" ::"r"(&idlethread->context));
+    unlock();
+}
+
+void idle()
+{
+    while (1) {
+        kill_zombies(); // reclaim threads marked as DEAD
+        schedule();     // switch to next thread in run queue
+    }
+}
+
+void schedule()
+{
+    lock();
+    do {
+        curr_thread = (thread_t *)curr_thread->listhead.next;
+    } while (list_is_head(&curr_thread->listhead, run_queue) || curr_thread->iszombie);
+    unlock();
+    switch_to(get_current(), &curr_thread->context);
+}
+
+void kill_zombies()
+{
+    lock();
+    list_head_t *curr;
+    list_for_each(curr, run_queue)
+    {
+        if (((thread_t *)curr)->iszombie) {
+            list_del_entry(curr);
+            kfree(((thread_t *)curr)->stack_alloced_ptr);        // free stack
+            kfree(((thread_t *)curr)->kernel_stack_alloced_ptr); // free stack
+            free_page_tables(((thread_t *)curr)->context.pgd, 0);
+            kfree(((thread_t *)curr)->data); // free data (don't free data because of fork)
+
+            for (int i = 0; i < MAX_FD; i++) {
+                if (((thread_t *)curr)->FDT[i]) {
+                    vfs_close(((thread_t *)curr)->FDT[i]);
+                }
+            }
+
+            ((thread_t *)curr)->iszombie = 0;
+            ((thread_t *)curr)->isused = 0;
+        }
+    }
+    unlock();
+}
+
+int thread_exec(char *data, unsigned int filesize)
+{
+    thread_t *t = thread_create(data, filesize);
+
+    mappages(t->context.pgd, USER_KERNEL_BASE, t->datasize, (size_t)VIRT_TO_PHYS(t->data));
+    mappages(t->context.pgd, USER_STACK_BASE - USTACK_SIZE, USTACK_SIZE, (size_t)VIRT_TO_PHYS(t->stack_alloced_ptr));
+    mappages(t->context.pgd, PERIPHERAL_START, PERIPHERAL_END - PERIPHERAL_START, PERIPHERAL_START);
+
+    t->context.pgd = VIRT_TO_PHYS(t->context.pgd);
+    t->context.sp = USER_STACK_BASE;
+    t->context.fp = USER_STACK_BASE;
+    t->context.lr = USER_KERNEL_BASE;
+
+    // copy file into data
+    for (int i = 0; i < filesize; i++) {
+        t->data[i] = data[i];
+    }
+
+    // disable echo when going to userspace
+    curr_thread = t;
+    add_timer(schedule_timer, 1, "", 0);
+
+    vfs_open("/dev/uart", 0, &curr_thread->FDT[0]);
+    vfs_open("/dev/uart", 0, &curr_thread->FDT[1]);
+    vfs_open("/dev/uart", 0, &curr_thread->FDT[2]);
+
+    // eret to exception level 0
+    asm("msr tpidr_el1, %0\n\t"
+        "msr elr_el1, %1\n\t"
+        "msr spsr_el1, xzr\n\t" // enable interrupt in EL0. You can do it by setting spsr_el1 to 0 before returning to EL0.
+        "msr sp_el0, %2\n\t"
+        "mov sp, %3\n\t"
+        "dsb ish\n\t"
+        "msr ttbr0_el1, %4\n\t"
+        "eret\n\t" ::"r"(&t->context),
+        "r"(t->context.lr), "r"(t->context.sp), "r"(t->kernel_stack_alloced_ptr + KSTACK_SIZE), "r"(t->context.pgd));
+
+    return 0;
+}
+
+thread_t *thread_create(void *start, unsigned int filesize)
+{
+    lock();
+
+    thread_t *r;
+    for (int i = 0; i <= PIDMAX; i++) {
+        if (!threads[i].isused) {
+            r = &threads[i];
+            break;
+        }
+    }
+    r->iszombie = 0;
+    r->isused = 1;
+    r->context.lr = (unsigned long long)start;
+    r->stack_alloced_ptr = kmalloc(USTACK_SIZE);
+    r->kernel_stack_alloced_ptr = kmalloc(KSTACK_SIZE);
+    r->signal_is_checking = 0;
+    r->data = kmalloc(filesize);
+    r->datasize = filesize;
+    r->context.sp = (unsigned long long)r->kernel_stack_alloced_ptr + KSTACK_SIZE;
+    r->context.fp = r->context.sp;
+    strcpy(r->cur_working_dir, "/");
+
+    r->context.pgd = kmalloc(0x1000);
+    memset(r->context.pgd, 0, 0x1000);
+
+    // initial signal handler with signal_default_handler (kill thread)
+    for (int i = 0; i < SIGNAL_MAX; i++) {
+        r->signal_handler[i] = signal_default_handler;
+        r->sigcount[i] = 0;
+    }
+
+    list_add(&r->listhead, run_queue);
+    unlock();
+    return r;
+}
+
+void thread_exit()
+{
+    lock();
+    curr_thread->iszombie = 1;
+    unlock();
+    schedule();
+}
+
+void schedule_timer(char *notuse)
+{
+    unsigned long long cntfrq_el0;
+    __asm__ __volatile__("mrs %0, cntfrq_el0\n\t" : "=r"(cntfrq_el0)); // tick frequency
+    add_timer(schedule_timer, cntfrq_el0 >> 5, "", 1);
+}
diff --git a/lab7/src/shell.c b/lab7/src/shell.c
new file mode 100644
index 000000000..ae3d3058f
--- /dev/null
+++ b/lab7/src/shell.c
@@ -0,0 +1,219 @@
+#include "shell.h"
+#include "cpio.h"
+#include "dtb.h"
+#include "mbox.h"
+#include "memory.h"
+#include "power.h"
+#include "sched.h"
+#include "string.h"
+#include "timer.h"
+#include "uart1.h"
+#include <stddef.h>
+
+#define CLI_MAX_CMD 10
+
+extern int uart_recv_echo_flag;
+extern char *dtb_ptr;
+extern void *CPIO_DEFAULT_START;
+
+struct CLI_CMDS cmd_list[CLI_MAX_CMD] = {{.command = "hello", .help = "print Hello World!"},
+                                         {.command = "cat", .help = "concatenate files and print on the standard output"},
+                                         {.command = "dtb", .help = "show device tree"},
+                                         {.command = "exec", .help = "execute a command, replacing current image with a new image"},
+                                         {.command = "help", .help = "print all available commands"},
+                                         {.command = "info", .help = "get device information via mailbox"},
+                                         {.command = "ls", .help = "list directory contents"},
+                                         {.command = "timeout", .help = "timeout [MESSAGE] [SECONDS]"},
+                                         {.command = "clear", .help = "clear the screen"},
+                                         {.command = "reboot", .help = "reboot the device"}};
+
+void cli_cmd_clear(char *buffer, int length)
+{
+    for (int i = 0; i < length; i++) {
+        buffer[i] = '\0';
+    }
+}
+
+void cli_cmd_read(char *buffer)
+{
+    char c = '\0';
+    int idx = 0;
+    while (1) {
+        if (idx >= CMD_MAX_LEN)
+            break;
+        c = uart_async_getc();
+        if (c == '\n')
+            break;
+        else if (c == 127) {
+            if (idx > 0) {
+                uart_send('\b');
+                uart_send(' ');
+                uart_send('\b');
+                idx--;
+            }
+        }
+        else
+            buffer[idx++] = c;
+    }
+}
+
+void cli_cmd_exec(char *buffer)
+{
+    if (!buffer)
+        return;
+
+    char *cmd = buffer;
+    char *argvs = str_SepbySpace(buffer);
+
+    if (strcmp(cmd, "cat") == 0) {
+        do_cmd_cat(argvs);
+    }
+    else if (strcmp(cmd, "clear") == 0) {
+        uart_puts("\033[2J\033[H");
+    }
+    else if (strcmp(cmd, "dtb") == 0) {
+        do_cmd_dtb();
+    }
+    else if (strcmp(cmd, "exec") == 0) {
+        do_cmd_exec(argvs);
+    }
+    else if (strcmp(cmd, "hello") == 0) {
+        do_cmd_hello();
+    }
+    else if (strcmp(cmd, "help") == 0) {
+        do_cmd_help();
+    }
+    else if (strcmp(cmd, "info") == 0) {
+        do_cmd_info();
+    }
+    else if (strcmp(cmd, "ls") == 0) {
+        do_cmd_ls(argvs);
+    }
+    else if (strcmp(cmd, "timeout") == 0) {
+        char *sec = str_SepbySpace(argvs);
+        do_cmd_setTimeout(argvs, sec);
+    }
+    else if (strcmp(cmd, "reboot") == 0) {
+        do_cmd_reboot();
+    }
+}
+
+void do_cmd_cat(char *filepath)
+{
+    char *c_filepath;
+    char *c_filedata;
+    unsigned int c_filesize;
+    struct cpio_newc_header *header_ptr = CPIO_DEFAULT_START;
+
+    while (header_ptr != 0) {
+        int error = cpio_newc_parse_header(header_ptr, &c_filepath, &c_filesize, &c_filedata, &header_ptr);
+        if (error)
+            break;
+        if (strcmp(c_filepath, filepath) == 0) {
+            uart_puts("%s", c_filedata);
+            break;
+        }
+        if (header_ptr == 0)
+            uart_puts("cat: %s: No such file or directory\n", filepath);
+    }
+}
+
+void do_cmd_dtb() { traverse_device_tree(dtb_ptr, dtb_callback_show_tree); }
+
+void do_cmd_help()
+{
+    for (int i = 0; i < CLI_MAX_CMD; i++) {
+        uart_puts(cmd_list[i].command);
+        uart_puts("\t\t: ");
+        uart_puts(cmd_list[i].help);
+        uart_puts("\r\n");
+    }
+}
+
+void do_cmd_exec(char *filepath)
+{
+    char *c_filepath;
+    char *c_filedata;
+    unsigned int c_filesize;
+    struct cpio_newc_header *header_ptr = CPIO_DEFAULT_START;
+
+    while (header_ptr != 0) {
+        int error = cpio_newc_parse_header(header_ptr, &c_filepath, &c_filesize, &c_filedata, &header_ptr);
+        if (error)
+            break;
+
+        if (strcmp(c_filepath, filepath) == 0) {
+            uart_recv_echo_flag = 0; // syscall.img has different mechanism on uart I/O.
+            thread_exec(c_filedata, c_filesize);
+        }
+        if (header_ptr == 0)
+            uart_puts("cat: %s: No such file or directory\n", filepath);
+    }
+}
+
+void do_cmd_hello() { uart_puts("Hello World!\r\n"); }
+
+void do_cmd_info()
+{
+    // print hw revision
+    pt[0] = 8 * 4;
+    pt[1] = MBOX_REQUEST_PROCESS;
+    pt[2] = MBOX_TAG_GET_BOARD_REVISION;
+    pt[3] = 4;
+    pt[4] = MBOX_TAG_REQUEST_CODE;
+    pt[5] = 0;
+    pt[6] = 0;
+    pt[7] = MBOX_TAG_LAST_BYTE;
+
+    if (mbox_call(MBOX_TAGS_ARM_TO_VC, (unsigned int)((unsigned long)&pt))) {
+        uart_puts("Hardware Revision\t: ");
+        uart_2hex(pt[6]);
+        uart_2hex(pt[5]);
+        uart_puts("\r\n");
+    }
+    // print arm memory
+    pt[0] = 8 * 4;
+    pt[1] = MBOX_REQUEST_PROCESS;
+    pt[2] = MBOX_TAG_GET_ARM_MEMORY;
+    pt[3] = 8;
+    pt[4] = MBOX_TAG_REQUEST_CODE;
+    pt[5] = 0;
+    pt[6] = 0;
+    pt[7] = MBOX_TAG_LAST_BYTE;
+
+    if (mbox_call(MBOX_TAGS_ARM_TO_VC, (unsigned int)((unsigned long)&pt))) {
+        uart_puts("ARM Memory Base Address\t: ");
+        uart_2hex(pt[5]);
+        uart_puts("\r\n");
+        uart_puts("ARM Memory Size\t\t: ");
+        uart_2hex(pt[6]);
+        uart_puts("\r\n");
+    }
+}
+
+void do_cmd_ls(char *workdir)
+{
+    char *c_filepath;
+    char *c_filedata;
+    unsigned int c_filesize;
+    struct cpio_newc_header *header_ptr = CPIO_DEFAULT_START;
+
+    while (header_ptr != 0) {
+        int error = cpio_newc_parse_header(header_ptr, &c_filepath, &c_filesize, &c_filedata, &header_ptr);
+        if (error)
+            break;
+        if (header_ptr != 0)
+            uart_puts("%s\n", c_filepath);
+    }
+}
+
+void do_cmd_setTimeout(char *msg, char *sec) { add_timer(uart_printf, atoi(sec), msg, 0); }
+
+void do_cmd_reboot()
+{
+    uart_puts("Reboot in 5 seconds ...\r\n\r\n");
+    volatile unsigned int *rst_addr = (unsigned int *)PM_RSTC;
+    *rst_addr = PM_PASSWORD | 0x20;
+    volatile unsigned int *wdg_addr = (unsigned int *)PM_WDOG;
+    *wdg_addr = PM_PASSWORD | 5;
+}
diff --git a/lab7/src/signal.c b/lab7/src/signal.c
new file mode 100644
index 000000000..52e36aefd
--- /dev/null
+++ b/lab7/src/signal.c
@@ -0,0 +1,65 @@
+#include "signal.h"
+#include "sched.h"
+#include "syscall.h"
+#include "memory.h"
+
+void check_signal(trapframe_t *tpf)
+{
+    lock();
+    if(curr_thread->signal_is_checking)
+    {
+        unlock();
+        return;
+    }
+    //prevent nested running signal handler
+    curr_thread->signal_is_checking = 1;
+    unlock();
+    for (int i = 0; i <= SIGNAL_MAX; i++)
+    {
+        store_context(&curr_thread->signal_saved_context);
+        if(curr_thread->sigcount[i]>0)
+        {
+            lock();
+            curr_thread->sigcount[i]--;
+            unlock();
+            run_signal(tpf,i);
+        }
+    }
+    lock();
+    curr_thread->signal_is_checking = 0;
+    unlock();
+}
+
+void run_signal(trapframe_t* tpf,int signal)
+{
+    curr_thread->curr_signal_handler = curr_thread->signal_handler[signal];
+
+    //run default handler in kernel
+    if (curr_thread->curr_signal_handler == signal_default_handler)
+    {
+        signal_default_handler();
+        return;
+    }
+
+    char *temp_signal_userstack = kmalloc(USTACK_SIZE);
+
+    asm("msr elr_el1, %0\n\t"
+        "msr sp_el0, %1\n\t"
+        "msr spsr_el1, %2\n\t"
+        "eret\n\t" ::"r"(signal_handler_wrapper),
+        "r"(temp_signal_userstack + USTACK_SIZE),
+        "r"(tpf->spsr_el1));
+}
+
+void signal_handler_wrapper()
+{
+    (curr_thread->curr_signal_handler)();
+    //system call sigreturn
+    asm("mov x8,50\n\t"
+        "svc 0\n\t");
+}
+
+void signal_default_handler()
+{
+    kill(0,curr_thread->pid);
+}
diff --git a/lab7/src/string.c b/lab7/src/string.c
new file mode 100644
index 000000000..3696e335b
--- /dev/null
+++ b/lab7/src/string.c
@@ -0,0 +1,258 @@
+#include "string.h"
+#include <stddef.h>
+
+unsigned int vsprintf(char *dst, char *fmt, __builtin_va_list args)
+{
+    long int arg;
+    int len, sign, i;
+    char *p, *orig = dst, tmpstr[19];
+
+    // failsafes
+    if (dst == (void *)0 || fmt == (void *)0) {
+        return 0;
+    }
+
+    // main loop
+    arg = 0;
+    while (*fmt) {
+        if (dst - orig > VSPRINT_MAX_BUF_SIZE - 0x10) {
+            return -1;
+        }
+        // argument access
+        if (*fmt == '%') {
+            fmt++;
+            // literal %
+            if (*fmt == '%') {
+                goto put;
+            }
+            len = 0;
+            // size modifier
+            while (*fmt >= '0' && *fmt <= '9') {
+                len *= 10;
+                len += *fmt - '0';
+                fmt++;
+            }
+            // skip long modifier
+            if (*fmt == 'l') {
+                fmt++;
+            }
+            // character
+            if (*fmt == 'c') {
+                arg = __builtin_va_arg(args, int);
+                *dst++ = (char)arg;
+                fmt++;
+                continue;
+            }
+            else
+                // decimal number
+                if (*fmt == 'd') {
+                    arg = __builtin_va_arg(args, int);
+                    // check input
+                    sign = 0;
+                    if ((int)arg < 0) {
+                        arg *= -1;
+                        sign++;
+                    }
+                    if (arg > 99999999999999999L) {
+                        arg = 99999999999999999L;
+                    }
+                    // convert to string
+                    i = 18;
+                    tmpstr[i] = 0;
+                    do {
+                        tmpstr[--i] = '0' + (arg % 10);
+                        arg /= 10;
+                    } while (arg != 0 && i > 0);
+                    if (sign) {
+                        tmpstr[--i] = '-';
+                    }
+                    if (len > 0 && len < 18) {
+                        while (i > 18 - len) {
+                            tmpstr[--i] = ' ';
+                        }
+                    }
+                    p = &tmpstr[i];
+                    goto copystring;
+                }
+                else if (*fmt == 'x') {
+                    arg = __builtin_va_arg(args, long int);
+                    i = 16;
+                    tmpstr[i] = 0;
+                    do {
+                        char n = arg & 0xf;
+                        tmpstr[--i] = n + (n > 9 ? 0x37 : 0x30);
+                        arg >>= 4;
+                    } while (arg != 0 && i > 0);
+                    if (len > 0 && len <= 16) {
+                        while (i > 16 - len) {
+                            tmpstr[--i] = '0';
+                        }
+                    }
+                    p = &tmpstr[i];
+                    goto copystring;
+                }
+                else if (*fmt == 's') {
+                    p = __builtin_va_arg(args, char *);
+                copystring:
+                    if (p == (void *)0) {
+                        p = "(null)";
+                    }
+                    while (*p) {
+                        *dst++ = *p++;
+                    }
+                }
+        }
+        else {
+        put:
+            *dst++ = *fmt;
+        }
+        fmt++;
+    }
+    *dst = 0;
+    return dst - orig;
+}
+
+unsigned int sprintf(char *dst, char *fmt, ...)
+{
+    __builtin_va_list args;
+    __builtin_va_start(args, fmt);
+    unsigned int r = vsprintf(dst, fmt, args);
+    __builtin_va_end(args);
+    return r;
+}
+
+unsigned long long strlen(const char *str)
+{
+    size_t count = 0;
+    while ((unsigned char)*str++)
+        count++;
+    return count;
+}
+
+int strcmp(const char *p1, const char *p2)
+{
+    const unsigned char *s1 = (const unsigned char *)p1;
+    const unsigned char *s2 = (const unsigned char *)p2;
+    unsigned char c1, c2;
+
+    do {
+        c1 = (unsigned char)*s1++;
+        c2 = (unsigned char)*s2++;
+        if (c1 == '\0')
+            return c1 - c2;
+    } while (c1 == c2);
+    return c1 - c2; // return 0 if equal
+}
+
+int strncmp(const char *s1, const char *s2, unsigned long long n)
+{
+    unsigned char c1 = '\0';
+    unsigned char c2 = '\0';
+    if (n >= 4) {
+        size_t n4 = n >> 2;
+        do {
+            c1 = (unsigned char)*s1++;
+            c2 = (unsigned char)*s2++;
+            if (c1 == '\0' || c1 != c2)
+                return c1 - c2;
+            c1 = (unsigned char)*s1++;
+            c2 = (unsigned char)*s2++;
+            if (c1 == '\0' || c1 != c2)
+                return c1 - c2;
+            c1 = (unsigned char)*s1++;
+            c2 = (unsigned char)*s2++;
+            if (c1 == '\0' || c1 != c2)
+                return c1 - c2;
+            c1 = (unsigned char)*s1++;
+            c2 = (unsigned char)*s2++;
+            if (c1 == '\0' || c1 != c2)
+                return c1 - c2;
+        } while (--n4 > 0);
+        n &= 3;
+    }
+    while (n > 0) {
+        c1 = (unsigned char)*s1++;
+        c2 = (unsigned char)*s2++;
+        if (c1 == '\0' || c1 != c2)
+            return c1 - c2;
+        n--;
+    }
+    return c1 - c2;
+}
+
+char *memcpy(void *dest, const void *src, unsigned long long len)
+{
+    char *d = dest;
+    const char *s = src;
+    while (len--)
+        *d++ = *s++;
+    return dest;
+}
+
+char *strcpy(char *dest, const char *src) { return memcpy(dest, src, strlen(src) + 1); }
+
+void *memset(void *s, int c, size_t n)
+{
+    char *start = s;
+    for (size_t i = 0; i < n; i++) {
+        start[i] = c;
+    }
+
+    return s;
+}
+
+char *strchr(register const char *s, int c)
+{
+    do {
+        if (*s == c) {
+            return (char *)s;
+        }
+    } while (*s++);
+    return (0);
+}
+
+char *str_SepbySpace(char *head)
+{
+    char *end;
+    while (1) {
+        if (*head == '\0') {
+            end = head;
+            break;
+        }
+        if (*head == ' ') {
+            *head = '\0';
+            end = head + 1;
+            break;
+        }
+        head++;
+    }
+    return end;
+}
+
+// A simple atoi() function
+int atoi(char *str)
+{
+    // Initialize result
+    int res = 0;
+
+    // Iterate through all characters
+    // of input string and update result
+    // take ASCII character of corresponding digit and
+    // subtract the code from '0' to get numerical
+    // value and multiply res by 10 to shuffle
+    // digits left to update running total
+    for (int i = 0; str[i] != '\0'; ++i) {
+        if (str[i] > '9' || str[i] < '0')
+            return res;
+        res = res * 10 + str[i] - '0';
+    }
+
+    // return result.
+    return res;
+}
+
+char *strcat(char *dest, const char *src)
+{
+    strcpy(dest + strlen(dest), src);
+    return dest;
+}
\ No newline at end of file
diff --git a/lab7/src/syscall.c b/lab7/src/syscall.c
new file mode 100644
index 000000000..15fe8ba63
--- /dev/null
+++ b/lab7/src/syscall.c
@@ -0,0 +1,328 @@
+#include "syscall.h"
+#include "cpio.h"
+#include "dev_framebuffer.h"
+#include "exception.h"
+#include "mbox.h"
+#include "memory.h"
+#include "mmu.h"
+#include "sched.h"
+#include "signal.h"
+#include "stddef.h"
+#include "string.h"
+#include "uart1.h"
+#include "vfs.h"
+
+int getpid(trapframe_t *tpf)
+{
+    tpf->x0 = curr_thread->pid;
+    return curr_thread->pid;
+}
+
+size_t uartread(trapframe_t *tpf, char buf[], size_t size)
+{
+    int i = 0;
+    for (int i = 0; i < size; i++) {
+        buf[i] = uart_async_getc();
+    }
+    tpf->x0 = i;
+    return i;
+}
+
+size_t uartwrite(trapframe_t *tpf, const char buf[], size_t size)
+{
+    int i = 0;
+    for (int i = 0; i < size; i++) {
+        uart_async_putc(buf[i]);
+    }
+    tpf->x0 = i;
+    return i;
+}
+
+// In this lab, you won’t have to deal with argument passing
+int exec(trapframe_t *tpf, const char *name, char *const argv[])
+{
+    kfree(curr_thread->data);
+
+    curr_thread->datasize = get_file_size((char *)name);
+    char *new_data = get_file_start((char *)name);
+    curr_thread->data = kmalloc(curr_thread->datasize);
+
+    for (unsigned int i = 0; i < curr_thread->datasize; i++) {
+        curr_thread->data[i] = new_data[i];
+    }
+
+    // clear signal handler
+    for (int i = 0; i <= SIGNAL_MAX; i++) {
+        curr_thread->signal_handler[i] = signal_default_handler;
+    }
+
+    tpf->elr_el1 = USER_KERNEL_BASE;
+    tpf->sp_el0 = USER_STACK_BASE;
+    tpf->x0 = 0;
+    return 0;
+}
+
+int fork(trapframe_t *tpf)
+{
+    lock();
+    thread_t *newt = thread_create(curr_thread->data, curr_thread->datasize);
+
+    // copy signal handler
+    for (int i = 0; i <= SIGNAL_MAX; i++) {
+        newt->signal_handler[i] = curr_thread->signal_handler[i];
+    }
+
+    // remap
+    mappages(newt->context.pgd, USER_KERNEL_BASE, newt->datasize, (size_t)VIRT_TO_PHYS(newt->data));
+    mappages(newt->context.pgd, USER_STACK_BASE - USTACK_SIZE, USTACK_SIZE, (size_t)VIRT_TO_PHYS(newt->stack_alloced_ptr));
+    mappages(newt->context.pgd, PERIPHERAL_START, PERIPHERAL_END - PERIPHERAL_START, PERIPHERAL_START);
+
+    int parent_pid = curr_thread->pid;
+
+    // copy data into new process
+    for (int i = 0; i < newt->datasize; i++) {
+        newt->data[i] = curr_thread->data[i];
+    }
+
+    // copy user stack into new process
+    for (int i = 0; i < USTACK_SIZE; i++) {
+        newt->stack_alloced_ptr[i] = curr_thread->stack_alloced_ptr[i];
+    }
+
+    // copy stack into new process
+    for (int i = 0; i < KSTACK_SIZE; i++) {
+        newt->kernel_stack_alloced_ptr[i] = curr_thread->kernel_stack_alloced_ptr[i];
+    }
+
+    store_context(get_current());
+
+    // for child
+    if (parent_pid != curr_thread->pid) {
+        goto child;
+    }
+
+    void *temp_pgd = newt->context.pgd;
+    newt->context = curr_thread->context;
+    newt->context.pgd = VIRT_TO_PHYS(temp_pgd);
+    newt->context.fp += newt->kernel_stack_alloced_ptr - curr_thread->kernel_stack_alloced_ptr; // move fp
+    newt->context.sp += newt->kernel_stack_alloced_ptr - curr_thread->kernel_stack_alloced_ptr; // move kernel sp
+
+    unlock();
+
+    tpf->x0 = newt->pid;
+    return newt->pid;
+
+child:
+    tpf->x0 = 0;
+    return 0;
+}
+
+void exit(trapframe_t *tpf, int status) { thread_exit(); }
+
+int syscall_mbox_call(trapframe_t *tpf, unsigned char ch, unsigned int *mbox_user)
+{
+    lock();
+
+    unsigned int size_of_mbox = mbox_user[0];
+    memcpy((char *)pt, mbox_user, size_of_mbox);
+    mbox_call(MBOX_TAGS_ARM_TO_VC, (unsigned int)((unsigned long)&pt));
+    memcpy(mbox_user, (char *)pt, size_of_mbox);
+
+    tpf->x0 = 8;
+    unlock();
+    return 0;
+}
+
+void kill(trapframe_t *tpf, int pid)
+{
+    lock();
+    if (pid >= PIDMAX || pid < 0 || !threads[pid].isused) {
+        unlock();
+        return;
+    }
+    threads[pid].iszombie = 1;
+    unlock();
+    schedule();
+}
+
+void signal_register(int signal, void (*handler)())
+{
+    if (signal > SIGNAL_MAX || signal < 0)
+        return;
+
+    curr_thread->signal_handler[signal] = handler;
+}
+
+void signal_kill(int pid, int signal)
+{
+    if (pid > PIDMAX || pid < 0 || !threads[pid].isused)
+        return;
+
+    lock();
+    threads[pid].sigcount[signal]++;
+    unlock();
+}
+
+void sigreturn(trapframe_t *tpf)
+{
+    unsigned long signal_ustack = tpf->sp_el0 % USTACK_SIZE == 0 ? tpf->sp_el0 - USTACK_SIZE : tpf->sp_el0 & (~(USTACK_SIZE - 1));
+    kfree((char *)signal_ustack);
+    load_context(&curr_thread->signal_saved_context);
+}
+
+char *get_file_start(char *thefilepath)
+{
+    char *filepath;
+    char *filedata;
+    unsigned int filesize;
+    struct cpio_newc_header *header_pointer = CPIO_DEFAULT_START;
+
+    while (header_pointer != 0) {
+        int error = cpio_newc_parse_header(header_pointer, &filepath, &filesize, &filedata, &header_pointer);
+        if (error)
+            break;
+        if (strcmp(thefilepath, filepath) == 0)
+            return filedata;
+        if (header_pointer == 0)
+            uart_puts("execfile: %s: No such file or directory\r\n", thefilepath);
+    }
+    return 0;
+}
+
+unsigned int get_file_size(char *thefilepath)
+{
+    char *filepath;
+    char *filedata;
+    unsigned int filesize;
+    struct cpio_newc_header *header_pointer = CPIO_DEFAULT_START;
+
+    while (header_pointer != 0) {
+        int error = cpio_newc_parse_header(header_pointer, &filepath, &filesize, &filedata, &header_pointer);
+        if (error)
+            break;
+        if (strcmp(thefilepath, filepath) == 0)
+            return filesize;
+        if (header_pointer == 0)
+            uart_puts("execfile: %s: No such file or directory\r\n", thefilepath);
+    }
+    return 0;
+}
+
+int open(trapframe_t *tpf, const char *pathname, int flags)
+{
+    char abs_path[MAX_PATH_NAME];
+    strcpy(abs_path, pathname);
+    get_abs_path(abs_path, curr_thread->cur_working_dir);
+    uart_printf("[SYSCALL OPEN absolute path]: '%s' + '%s' = '%s'\n", curr_thread->cur_working_dir, pathname, abs_path);
+
+    for (int i = 0; i < MAX_FD; i++) {
+        if (!curr_thread->FDT[i]) {
+            if (vfs_open(abs_path, flags, &curr_thread->FDT[i]) != 0)
+                break; // open failed
+
+            tpf->x0 = i;
+            return i;
+        }
+    }
+
+    tpf->x0 = -1;
+    return -1;
+}
+
+int close(trapframe_t *tpf, int fd)
+{
+    if (curr_thread->FDT[fd]) {
+        vfs_close(curr_thread->FDT[fd]);
+        curr_thread->FDT[fd] = 0;
+        tpf->x0 = 0;
+        return 0;
+    }
+
+    tpf->x0 = -1;
+    return -1; // fd not found
+}
+
+long write(trapframe_t *tpf, int fd, const void *buf, unsigned long count)
+{
+    if (curr_thread->FDT[fd]) {
+        tpf->x0 = vfs_write(curr_thread->FDT[fd], buf, count);
+        return tpf->x0;
+    }
+
+    tpf->x0 = -1;
+    return -1; // fd not found
+}
+
+long read(trapframe_t *tpf, int fd, void *buf, unsigned long count)
+{
+    if (curr_thread->FDT[fd]) {
+        tpf->x0 = vfs_read(curr_thread->FDT[fd], buf, count);
+        return tpf->x0;
+    }
+
+    tpf->x0 = -1;
+    return -1; // fd not found
+}
+
+int mkdir(trapframe_t *tpf, const char *pathname, unsigned mode)
+{
+    // get absolute path
+    char abs_path[MAX_PATH_NAME];
+    strcpy(abs_path, pathname);
+    get_abs_path(abs_path, curr_thread->cur_working_dir);
+
+    tpf->x0 = vfs_mkdir(abs_path);
+    return tpf->x0;
+}
+
+int mount(trapframe_t *tpf, const char *src, const char *target, const char *filesystem, unsigned long flags, const void *data)
+{
+    char abs_path[MAX_PATH_NAME];
+    strcpy(abs_path, target);
+    get_abs_path(abs_path, curr_thread->cur_working_dir);
+
+    tpf->x0 = vfs_mount(abs_path, filesystem);
+    return tpf->x0;
+}
+
+int chdir(trapframe_t *tpf, const char *path)
+{
+    char abs_path[MAX_PATH_NAME];
+    strcpy(abs_path, path);
+    get_abs_path(abs_path, curr_thread->cur_working_dir);
+    strcpy(curr_thread->cur_working_dir, abs_path);
+
+    // tpf->x0 = 0;
+    return 0;
+}
+
+long lseek64(trapframe_t *tpf, int fd, long offset, int whence)
+{
+    if (whence == SEEK_SET) {
+        curr_thread->FDT[fd]->f_pos = offset;
+        tpf->x0 = offset;
+    }
+    else {
+        tpf->x0 = -1;
+    }
+
+    return tpf->x0;
+}
+
+extern unsigned int height;
+extern unsigned int isrgb;
+extern unsigned int pitch;
+extern unsigned int width;
+int ioctl(trapframe_t *tpf, int fb, unsigned long request, void *info)
+{
+    if (request == 0) {
+        struct framebuffer_info *fb_info = info;
+        fb_info->height = height;
+        fb_info->isrgb = isrgb;
+        fb_info->pitch = pitch;
+        fb_info->width = width;
+    }
+
+    tpf->x0 = 0;
+    return tpf->x0;
+}
\ No newline at end of file
diff --git a/lab7/src/timer.c b/lab7/src/timer.c
new file mode 100644
index 000000000..d5e369ff6
--- /dev/null
+++ b/lab7/src/timer.c
@@ -0,0 +1,163 @@
+#include "timer.h"
+#include "uart1.h"
+#include "memory.h"
+#include "string.h"
+#include "exception.h"
+
+#define STR(x) #x
+#define XSTR(s) STR(s)
+
+struct list_head *timer_event_list;
+
+void timer_list_init()
+{
+    unsigned long long tmp;
+    asm volatile("mrs %0, cntkctl_el1": "=r"(tmp));
+    tmp |= 1;
+    asm volatile("msr cntkctl_el1, %0":: "r"(tmp));
+
+    timer_event_list = kmalloc(sizeof(list_head_t));
+    INIT_LIST_HEAD(timer_event_list);
+}
+
+void core_timer_enable()
+{
+    __asm__ __volatile__(
+        "mov x1, 1\n\t"
+        "msr cntp_ctl_el0, x1\n\t" // enable
+
+        "mov x2, 2\n\t"
+        "ldr x1, =" XSTR(CORE0_TIMER_IRQ_CTRL) "\n\t"
+        "str w2, [x1]\n\t" // unmask timer interrupt
+    :::"x1","x2");
+}
+
+void core_timer_disable()
+{
+    __asm__ __volatile__(
+        "mov x2, 0\n\t"
+        "ldr x1, =" XSTR(CORE0_TIMER_IRQ_CTRL) "\n\t"
+        "str w2, [x1]\n\t" // unmask timer interrupt
+    :::"x1","x2");
+}
+
+void timer_event_callback(timer_event_t *timer_event)
+{
+    ((void (*)(char *))timer_event->callback)(timer_event->args); // call the callback store in event
+    list_del_entry((struct list_head *)timer_event);              // delete the event
+    kfree(timer_event->args); // kfree the arg space
+    kfree(timer_event);
+
+    //set interrupt to next time_event if existing
+    if (!list_empty(timer_event_list))
+    {
+        set_core_timer_interrupt_by_tick(((timer_event_t *)timer_event_list->next)->interrupt_time);
+    }
+    else
+    {
+        set_core_timer_interrupt(10000); // disable timer interrupt (set a very big value)
+    }
+}
+
+void core_timer_handler()
+{
+    lock();
+    //disable_interrupt();
+    if (list_empty(timer_event_list))
+    {
+        set_core_timer_interrupt(10000); // disable timer interrupt (set a very big value)
+        unlock();
+        return;
+    }
+
+    timer_event_callback((timer_event_t *)timer_event_list->next); // do callback and set new interrupt
+    unlock();
+}
+
+// give a string argument to callback   timeout after seconds
+void add_timer(void *callback, unsigned long long timeout, char *args, int bytick)
+{
+    timer_event_t *the_timer_event = kmalloc(sizeof(timer_event_t)); //need to kfree by event handler
+
+    // store argument string into timer_event
+    the_timer_event->args = kmalloc(strlen(args) + 1);
+    strcpy(the_timer_event->args, args);
+
+    if(bytick == 0)
+    {
+        the_timer_event->interrupt_time = get_tick_plus_s(timeout); // store interrupt time into timer_event
+    }else
+    {
+        the_timer_event->interrupt_time = get_tick_plus_s(0) + timeout;
+    }
+
+    the_timer_event->callback = callback;
+
+    // add the timer_event into timer_event_list (sorted)
+    struct list_head *curr;
+
+    lock();
+    list_for_each(curr, timer_event_list)
+    {
+        if (((timer_event_t *)curr)->interrupt_time > the_timer_event->interrupt_time)
+        {
+            list_add(&the_timer_event->listhead, curr->prev); // add this timer at the place just before the bigger one (sorted)
+            break;
+        }
+    }
+
+    if (list_is_head(curr, timer_event_list))
+    {
+        list_add_tail(&the_timer_event->listhead, timer_event_list); // for the time is the biggest
+    }
+
+
+    // set interrupt to first event
+    set_core_timer_interrupt_by_tick(((timer_event_t *)timer_event_list->next)->interrupt_time);
+    unlock();
+}
+
+
+// get cpu tick add some second
+unsigned long long get_tick_plus_s(unsigned long long second)
+{
+
+    unsigned long long cntpct_el0 = 0;
+    __asm__ __volatile__("mrs %0, cntpct_el0\n\t"
+                         : "=r"(cntpct_el0)); //tick now
+
+    unsigned long long cntfrq_el0 = 0;
+    __asm__ __volatile__("mrs %0, cntfrq_el0\n\t"
+                         : "=r"(cntfrq_el0)); //tick frequency
+
+    return (cntpct_el0 + cntfrq_el0 * second);
+}
+
+// set timer interrupt time to [expired_time] seconds after now (relatively)
+void set_core_timer_interrupt(unsigned long long expired_time)
+{
+    __asm__ __volatile__(
+        "mrs x1, cntfrq_el0\n\t" //cntfrq_el0 -> relative time
+        "mul x1, x1, %0\n\t"
+        "msr cntp_tval_el0, x1\n\t" // set expired time
+        :: "r"(expired_time):"x1");
+}
+
+// directly set timer interrupt time to a cpu tick  (directly)
+void set_core_timer_interrupt_by_tick(unsigned long long tick)
+{
+    __asm__ __volatile__(
+        "msr cntp_cval_el0, %0\n\t" //cntp_cval_el0 -> absolute time
+        :: "r"(tick));
+}
+
+int timer_list_get_size()
+{
+    int r = 0;
+    struct list_head *curr;
+    list_for_each(curr, timer_event_list)
+    {
+        r++;
+    }
+    return r;
+}
diff --git a/lab7/src/tmpfs.c b/lab7/src/tmpfs.c
new file mode 100644
index 000000000..20f7fad8f
--- /dev/null
+++ b/lab7/src/tmpfs.c
@@ -0,0 +1,187 @@
+#include "tmpfs.h"
+#include "memory.h"
+#include "string.h"
+#include "uart1.h"
+#include "vfs.h"
+
+struct file_operations tmpfs_file_ops = {
+    .write = tmpfs_write,
+    .read = tmpfs_read,
+    .open = tmpfs_open,
+    .close = tmpfs_close,
+    .lseek64 = tmpfs_lseek64,
+    .getsize = tmpfs_getsize,
+};
+struct vnode_operations tmpfs_vnode_ops = {
+    .lookup = tmpfs_lookup,
+    .create = tmpfs_create,
+    .mkdir = tmpfs_mkdir,
+};
+
+int register_tmpfs()
+{
+    struct filesystem fs;
+    fs.name = "tmpfs";
+    fs.setup_mount = tmpfs_setup_mount;
+    return register_filesystem(&fs);
+}
+
+int tmpfs_setup_mount(struct filesystem *fs, struct mount *_mount)
+{
+    _mount->fs = fs;
+    _mount->root = tmpfs_create_vnode(0, TMPFS_DIR);
+    return 0;
+}
+
+struct vnode *tmpfs_create_vnode(struct mount *_mount, enum fsnode_type type)
+{
+    struct vnode *v = kmalloc(sizeof(struct vnode));
+    v->f_ops = &tmpfs_file_ops;
+    v->v_ops = &tmpfs_vnode_ops;
+    v->mount = 0; // tmpfs does not support multiple mount points
+
+    struct tmpfs_inode *inode = kmalloc(sizeof(struct tmpfs_inode));
+    memset(inode, 0, sizeof(struct tmpfs_inode));
+    inode->type = type;
+    inode->data = kmalloc(0x1000);
+
+    v->internal = inode;
+    return v;
+}
+
+int tmpfs_write(struct file *file, const void *buf, size_t len)
+{
+    struct tmpfs_inode *inode = file->vnode->internal;
+
+    memcpy(inode->data + file->f_pos, buf, len);
+    file->f_pos += len;
+
+    if (file->f_pos > inode->datasize) {
+        inode->datasize = file->f_pos;
+    }
+
+    return len;
+}
+
+int tmpfs_read(struct file *file, void *buf, size_t len)
+{
+    struct tmpfs_inode *inode = file->vnode->internal;
+
+    // when len + file->f_pos > inode->datasize, return the remaining data
+    if (len + file->f_pos > inode->datasize)
+        len = inode->datasize - file->f_pos;
+
+    memcpy(buf, inode->data + file->f_pos, len);
+    file->f_pos += len;
+    return len;
+}
+
+int tmpfs_open(struct vnode *file_node, struct file **target)
+{
+    (*target)->vnode = file_node;
+    (*target)->f_ops = file_node->f_ops;
+    (*target)->f_pos = 0;
+    return 0;
+}
+
+int tmpfs_close(struct file *file)
+{
+    kfree(file);
+    return 0;
+}
+
+long tmpfs_lseek64(struct file *file, long offset, int whence)
+{
+    if (whence == SEEK_SET) {
+        file->f_pos = offset;
+        return file->f_pos;
+    }
+    return -1; // if whence is not SEEK_SET
+}
+
+long tmpfs_getsize(struct vnode *vd)
+{
+    struct tmpfs_inode *inode = vd->internal;
+    return inode->datasize;
+}
+
+int tmpfs_lookup(struct vnode *dir_node, struct vnode **target, const char *component_name)
+{
+    struct tmpfs_inode *dir_inode = dir_node->internal;
+    int child_idx = 0;
+    for (; child_idx < MAX_DIR_ENTRY; child_idx++) {
+        struct vnode *vnode = dir_inode->entry[child_idx];
+        if (!vnode)
+            break;
+
+        struct tmpfs_inode *inode = vnode->internal;
+        if (strcmp(component_name, inode->name) == 0) {
+            *target = vnode;
+            return 0;
+        }
+    }
+
+    return -1;
+}
+
+int tmpfs_create(struct vnode *dir_node, struct vnode **target, const char *component_name)
+{
+    struct tmpfs_inode *inode = dir_node->internal;
+    if (inode->type != TMPFS_DIR)
+        return -1; // not a directory
+
+    int child_idx = 0;
+    for (; child_idx < MAX_DIR_ENTRY; child_idx++) {
+        if (!inode->entry[child_idx])
+            break; // found an empty slot
+
+        struct tmpfs_inode *child_inode = inode->entry[child_idx]->internal;
+        if (strcmp(child_inode->name, component_name) == 0) {
+            // uart_printf("tmpfs create file exists\n");
+            return -1; // file exists
+        }
+    }
+
+    if (child_idx == MAX_DIR_ENTRY)
+        return -1; // directory full
+
+    struct vnode *_vnode = tmpfs_create_vnode(0, TMPFS_FILE);
+    inode->entry[child_idx] = _vnode;
+
+    if (strlen(component_name) > FILE_NAME_MAX)
+        return -1; // name too long
+
+    struct tmpfs_inode *new_inode = _vnode->internal;
+    strcpy(new_inode->name, component_name);
+
+    *target = _vnode;
+    return 0;
+}
+
+int tmpfs_mkdir(struct vnode *dir_node, struct vnode **target, const char *component_name)
+{
+    struct tmpfs_inode *inode = dir_node->internal;
+    if (inode->type != TMPFS_DIR)
+        return -1; // not a directory
+
+    int child_idx = 0;
+    for (; child_idx < MAX_DIR_ENTRY; child_idx++) {
+        if (!inode->entry[child_idx])
+            break; // found an empty slot
+    }
+
+    if (child_idx == MAX_DIR_ENTRY)
+        return -1; // directory full
+
+    if (strlen(component_name) > FILE_NAME_MAX)
+        return -1; // name too long
+
+    struct vnode *_vnode = tmpfs_create_vnode(dir_node->mount, TMPFS_DIR);
+    inode->entry[child_idx] = _vnode;
+
+    struct tmpfs_inode *new_inode = _vnode->internal;
+    strcpy(new_inode->name, component_name);
+
+    *target = _vnode;
+    return 0;
+}
diff --git a/lab7/src/uart1.c b/lab7/src/uart1.c
new file mode 100644
index 000000000..4d9d7e425
--- /dev/null
+++ b/lab7/src/uart1.c
@@ -0,0 +1,194 @@
+#include "uart1.h"
+#include "bcm2837/rpi_gpio.h"
+#include "bcm2837/rpi_irq.h"
+#include "bcm2837/rpi_uart1.h"
+#include "exception.h"
+#include "string.h"
+
+// implement first in first out buffer with a read index and a write index
+char uart_tx_buffer[VSPRINT_MAX_BUF_SIZE] = {};
+unsigned int uart_tx_buffer_widx = 0; // write index
+unsigned int uart_tx_buffer_ridx = 0; // read index
+char uart_rx_buffer[VSPRINT_MAX_BUF_SIZE] = {};
+unsigned int uart_rx_buffer_widx = 0;
+unsigned int uart_rx_buffer_ridx = 0;
+
+int uart_recv_echo_flag = 1;
+
+void uart_init()
+{
+    register unsigned int r;
+
+    /* initialize UART */
+    *AUX_ENABLES |= 1;    // enable UART1
+    *AUX_MU_CNTL_REG = 0; // disable TX/RX
+
+    /* configure UART */
+    *AUX_MU_IER_REG = 0;    // disable interrupt
+    *AUX_MU_LCR_REG = 3;    // 8 bit data size
+    *AUX_MU_MCR_REG = 0;    // disable flow control
+    *AUX_MU_BAUD_REG = 270; // 115200 baud rate
+    *AUX_MU_IIR_REG = 0xC6; // disable FIFO
+
+    /* map UART1 to GPIO pins */
+    r = *GPFSEL1;
+    r &= ~(7 << 12); // clean gpio14
+    r |= 2 << 12;    // set gpio14 to alt5
+    r &= ~(7 << 15); // clean gpio15
+    r |= 2 << 15;    // set gpio15 to alt5
+    *GPFSEL1 = r;
+
+    /* enable pin 14, 15 - ref: Page 101 */
+    *GPPUD = 0;
+    r = 150;
+    while (r--) {
+        asm volatile("nop");
+    }
+    *GPPUDCLK0 = (1 << 14) | (1 << 15);
+    r = 150;
+    while (r--) {
+        asm volatile("nop");
+    }
+    *GPPUDCLK0 = 0;
+
+    *AUX_MU_CNTL_REG = 3; // enable TX/RX
+}
+
+char uart_recv()
+{
+    char r;
+    while (!(*AUX_MU_LSR_REG & 0x01)) {
+    };
+    r = (char)(*AUX_MU_IO_REG);
+    if (uart_recv_echo_flag) {
+        uart_send(r);
+        if (r == '\r') {
+            uart_send('\r');
+            uart_send('\n');
+        }
+    }
+    return r == '\r' ? '\n' : r;
+}
+
+void uart_send(char c)
+{
+    while (!(*AUX_MU_LSR_REG & 0x20)) {
+    };
+    *AUX_MU_IO_REG = c;
+}
+
+void uart_2hex(unsigned int d)
+{
+    unsigned int n;
+    int c;
+    for (c = 28; c >= 0; c -= 4) {
+        n = (d >> c) & 0xF;
+        n += n > 9 ? 0x37 : 0x30;
+        uart_send(n);
+    }
+}
+
+int uart_printf(char *fmt, ...)
+{
+    __builtin_va_list args;
+    __builtin_va_start(args, fmt);
+    char buf[VSPRINT_MAX_BUF_SIZE];
+
+    char *str = (char *)buf;
+    int count = vsprintf(str, fmt, args);
+
+    while (*str) {
+        if (*str == '\n')
+            uart_send('\r');
+        uart_send(*str++);
+    }
+    __builtin_va_end(args);
+    return count;
+}
+
+// uart_async_getc read from buffer
+// uart_r_irq_handler write to buffer then output
+char uart_async_getc()
+{
+    *AUX_MU_IER_REG |= 1; // enable read interrupt
+    // do while if buffer empty
+    while (uart_rx_buffer_ridx == uart_rx_buffer_widx)
+        *AUX_MU_IER_REG |= 1; // enable read interrupt
+    lock();
+    char r = uart_rx_buffer[uart_rx_buffer_ridx++];
+    if (uart_rx_buffer_ridx >= VSPRINT_MAX_BUF_SIZE)
+        uart_rx_buffer_ridx = 0;
+    unlock();
+    return r;
+}
+
+// uart_async_putc writes to buffer
+// uart_w_irq_handler read from buffer then output
+void uart_async_putc(char c)
+{
+    // if buffer full, wait for uart_w_irq_handler
+    while ((uart_tx_buffer_widx + 1) % VSPRINT_MAX_BUF_SIZE == uart_tx_buffer_ridx)
+        *AUX_MU_IER_REG |= 2; // enable write interrupt
+    lock();
+    uart_tx_buffer[uart_tx_buffer_widx++] = c;
+    if (uart_tx_buffer_widx >= VSPRINT_MAX_BUF_SIZE)
+        uart_tx_buffer_widx = 0; // cycle pointer
+    unlock();
+    *AUX_MU_IER_REG |= 2; // enable write interrupt
+}
+
+int uart_puts(char *fmt, ...)
+{
+    __builtin_va_list args;
+    __builtin_va_start(args, fmt);
+    char buf[VSPRINT_MAX_BUF_SIZE];
+
+    char *str = (char *)buf;
+    int count = vsprintf(str, fmt, args);
+
+    while (*str) {
+        if (*str == '\n')
+            uart_async_putc('\r');
+        uart_async_putc(*str++);
+    }
+    __builtin_va_end(args);
+    return count;
+}
+
+// AUX_MU_IER_REG -> BCM2837-ARM-Peripherals.pdf - Pg.12
+void uart_interrupt_enable()
+{
+    *AUX_MU_IER_REG |= 1;      // enable read interrupt
+    *AUX_MU_IER_REG |= 2;      // enable write interrupt
+    *ENABLE_IRQS_1 |= 1 << 29; // Pg.112
+}
+
+void uart_interrupt_disable()
+{
+    *AUX_MU_IER_REG &= ~(1); // disable read interrupt
+    *AUX_MU_IER_REG &= ~(2); // disable write interrupt
+}
+
+void uart_r_irq_handler()
+{
+    if ((uart_rx_buffer_widx + 1) % VSPRINT_MAX_BUF_SIZE == uart_rx_buffer_ridx) {
+        *AUX_MU_IER_REG &= ~(1); // disable read interrupt
+        return;
+    }
+    uart_rx_buffer[uart_rx_buffer_widx++] = uart_recv();
+    if (uart_rx_buffer_widx >= VSPRINT_MAX_BUF_SIZE)
+        uart_rx_buffer_widx = 0;
+    *AUX_MU_IER_REG |= 1;
+}
+
+void uart_w_irq_handler()
+{
+    if (uart_tx_buffer_ridx == uart_tx_buffer_widx) {
+        *AUX_MU_IER_REG &= ~(2); // disable write interrupt
+        return;                  // buffer empty
+    }
+    uart_send(uart_tx_buffer[uart_tx_buffer_ridx++]);
+    if (uart_tx_buffer_ridx >= VSPRINT_MAX_BUF_SIZE)
+        uart_tx_buffer_ridx = 0;
+    *AUX_MU_IER_REG |= 2; // enable write interrupt
+}
diff --git a/lab7/src/vfs.c b/lab7/src/vfs.c
new file mode 100644
index 000000000..9d08b59de
--- /dev/null
+++ b/lab7/src/vfs.c
@@ -0,0 +1,247 @@
+#include "vfs.h"
+#include "dev_framebuffer.h"
+#include "dev_uart.h"
+#include "initramfs.h"
+#include "memory.h"
+#include "string.h"
+#include "tmpfs.h"
+#include "uart1.h"
+
+struct mount *rootfs;
+struct filesystem fs_reg[MAX_FS_REG];
+struct file_operations reg_dev[MAX_DEV_REG];
+
+int register_filesystem(struct filesystem *fs)
+{
+    for (int i = 0; i < MAX_FS_REG; i++) {
+        if (!fs_reg[i].name) {
+            fs_reg[i].name = fs->name;
+            fs_reg[i].setup_mount = fs->setup_mount;
+            return i;
+        }
+    }
+    return -1;
+}
+
+struct filesystem *find_filesystem(const char *fs_name)
+{
+    for (int i = 0; i < MAX_FS_REG; i++) {
+        if (!strcmp(fs_reg[i].name, fs_name)) {
+            return &fs_reg[i];
+        }
+    }
+    return 0;
+}
+
+int vfs_open(const char *pathname, int flags, struct file **target)
+{
+    struct vnode *node;
+    // uart_printf("vfs_open: %s\n", pathname);
+    if (vfs_lookup(pathname, &node) != 0 && (flags & O_CREAT)) { // if not found and O_CREAT flag is set
+        // find parent dir
+        // uart_printf("vfs_open: %s\n", pathname);
+        int last_slash_idx = 0;
+        for (int i = 0; i < strlen(pathname); i++) {
+            if (pathname[i] == '/') {
+                last_slash_idx = i;
+            }
+        }
+
+        char dir_name[MAX_PATH_NAME + 1] = {};
+        strcpy(dir_name, pathname);
+        dir_name[last_slash_idx] = '\0';
+
+        if (vfs_lookup(dir_name, &node) != 0) {
+            // uart_printf("cannot ocreate \n");
+            return -1; // non-exist parent dir
+        }
+
+        node->v_ops->create(node, &node, pathname + last_slash_idx + 1);
+        *target = kmalloc(sizeof(struct file));
+        node->f_ops->open(node, target);
+        (*target)->flags = flags;
+        return 0;
+    }
+    else {
+        // uart_printf("vfs_open: %s\n", pathname);
+        *target = kmalloc(sizeof(struct file));
+        node->f_ops->open(node, target);
+        (*target)->flags = flags;
+        return 0;
+    }
+
+    return -1; // failed
+}
+
+int vfs_close(struct file *file)
+{
+    file->f_ops->close(file);
+    return 0;
+}
+
+int vfs_write(struct file *file, const void *buf, size_t len) { return file->f_ops->write(file, buf, len); }
+
+int vfs_read(struct file *file, void *buf, size_t len) { return file->f_ops->read(file, buf, len); }
+
+int vfs_mkdir(const char *pathname)
+{
+    char dir_name[MAX_PATH_NAME] = {};
+    char new_dir_name[MAX_PATH_NAME] = {};
+    int last_slash_idx = 0;
+
+    for (int i = 0; i < strlen(pathname); i++) {
+        if (pathname[i] == '/') {
+            last_slash_idx = i;
+        }
+    }
+
+    memcpy(dir_name, pathname, last_slash_idx);
+    strcpy(new_dir_name, pathname + last_slash_idx + 1);
+
+    struct vnode *node;
+    if (vfs_lookup(dir_name, &node) == 0) {
+        node->v_ops->mkdir(node, &node, new_dir_name);
+        return 0;
+    }
+
+    return -1;
+}
+
+int vfs_mount(const char *target, const char *filesystem)
+{
+    struct vnode *dirnode;
+    struct filesystem *fs = find_filesystem(filesystem);
+    if (fs == 0) {
+        return -1; // filesystem not found
+    }
+    if (vfs_lookup(target, &dirnode) == -1) {
+        return -1; // target not found
+    }
+
+    dirnode->mount = kmalloc(sizeof(struct mount));
+    fs->setup_mount(fs, dirnode->mount);
+
+    return 0;
+}
+
+int vfs_lookup(const char *pathname, struct vnode **target)
+{
+    // uart_printf("vfs_lookup: %s\n", pathname);
+    if (strlen(pathname) == 0) {
+        *target = rootfs->root;
+        return 0;
+    }
+
+    struct vnode *dirnode = rootfs->root;
+    char component_name[FILE_NAME_MAX + 1] = {};
+    int c_idx = 0;
+    for (int i = 1; i < strlen(pathname); i++) {
+        if (pathname[i] == '/') {
+            component_name[c_idx++] = 0;
+            c_idx = 0;
+
+            if (dirnode->v_ops->lookup(dirnode, &dirnode, component_name) != 0)
+                return -1;
+
+            // redirect to new mounted filesystem
+            while (dirnode->mount)
+                dirnode = dirnode->mount->root;
+        }
+        else {
+            component_name[c_idx++] = pathname[i];
+        }
+    }
+
+    // uart_printf("component_name: %s\n", component_name);
+    component_name[c_idx++] = 0;
+    if (dirnode->v_ops->lookup(dirnode, &dirnode, component_name) != 0)
+        return -1;
+
+    // redirect to new mounted filesystem
+    while (dirnode->mount)
+        dirnode = dirnode->mount->root;
+
+    *target = dirnode;
+    return 0;
+}
+
+void init_rootfs()
+{
+    // tmpfs
+    int idx = register_tmpfs();
+    rootfs = kmalloc(sizeof(struct mount));
+    fs_reg[idx].setup_mount(&fs_reg[idx], rootfs);
+
+    // initramfs
+    vfs_mkdir("/initramfs");
+    register_initramfs();
+    vfs_mount("/initramfs", "initramfs");
+
+    // dev
+    vfs_mkdir("/dev");
+    int uart_id = init_dev_uart();
+    vfs_mknod("/dev/uart", uart_id);
+
+    // framebuffer
+    int fb_id = init_dev_framebuffer();
+    vfs_mknod("/dev/framebuffer", fb_id);
+}
+
+char *get_abs_path(char *path, char *cur_working_dir)
+{
+    if (path[0] != '/') { // relative path
+        char tmp[MAX_PATH_NAME];
+        strcpy(tmp, cur_working_dir);
+        if (strcmp(cur_working_dir, "/") != 0)
+            strcat(tmp, "/");
+        strcat(tmp, path);
+        strcpy(path, tmp);
+    }
+
+    char abs_path[MAX_PATH_NAME + 1] = {};
+    int idx = 0;
+    for (int i = 0; i < strlen(path); i++) {
+        if (path[i] == '/' && path[i + 1] == '.' && path[i + 2] == '.') {
+            for (int j = idx; j >= 0; j--) {
+                if (abs_path[j] == '/') {
+                    abs_path[j] = 0;
+                    idx = j;
+                }
+            }
+            i += 2;
+            continue;
+        }
+
+        if (path[i] == '/' && path[i + 1] == '.') {
+            i++;
+            continue;
+        }
+
+        abs_path[idx++] = path[i];
+    }
+    abs_path[idx] = 0;
+    return strcpy(path, abs_path);
+}
+
+int register_dev(struct file_operations *f_ops)
+{
+    for (int i = 0; i < MAX_FS_REG; i++) {
+        if (!reg_dev[i].open) {
+            reg_dev[i] = *f_ops;
+            return i;
+        }
+    }
+
+    return -1;
+}
+
+int vfs_mknod(char *pathname, int id)
+{
+    // this function is used to create device file
+    struct file *f = kmalloc(sizeof(struct file));
+
+    vfs_open(pathname, O_CREAT, &f);
+    f->vnode->f_ops = &reg_dev[id];
+    vfs_close(f);
+    return 0;
+}
\ No newline at end of file
diff --git a/lab7/upload.py b/lab7/upload.py
new file mode 100644
index 000000000..03fb2dc11
--- /dev/null
+++ b/lab7/upload.py
@@ -0,0 +1,86 @@
+#!/usr/bin/env python3
+
+from serial import Serial
+from pwn import *
+import argparse
+from sys import platform
+
+if platform == "linux" or platform == "linux2":
+    parser = argparse.ArgumentParser(description="NYCU OSDI kernel sender")
+    parser.add_argument(
+        "--filename",
+        metavar="PATH",
+        default="img/kernel8.img",
+        type=str,
+        help="path to kernel8.img",
+    )
+    parser.add_argument(
+        "--device",
+        metavar="TTY",
+        default="/dev/ttyUSB0",
+        type=str,
+        help="path to UART device",
+    )
+    parser.add_argument(
+        "--baud", metavar="Hz", default=115200, type=int, help="baud rate"
+    )
+    args = parser.parse_args()
+
+    with open(args.filename, "rb") as fd:
+        with Serial(args.device, args.baud) as ser:
+
+            kernel_raw = fd.read()
+            length = len(kernel_raw)
+
+            print("Kernel image size : ", hex(length))
+            for i in range(8):
+                ser.write(p64(length)[i : i + 1])
+                ser.flush()
+
+            print("Start sending kernel image by uart1...")
+            for i in range(length):
+                # Use kernel_raw[i: i+1] is byte type. Instead of using kernel_raw[i] it will retrieve int type then cause error
+                ser.write(kernel_raw[i : i + 1])
+                ser.flush()
+                if i % 100 == 0:
+                    print("{:>6}/{:>6} bytes".format(i, length))
+            print("{:>6}/{:>6} bytes".format(length, length))
+            print("Transfer finished!")
+
+else:
+    parser = argparse.ArgumentParser(description="NYCU OSDI kernel sender")
+    parser.add_argument(
+        "--filename",
+        metavar="PATH",
+        default="kernel8.img",
+        type=str,
+        help="path to kernel8.img",
+    )
+    parser.add_argument(
+        "--device", metavar="COM", default="COM3", type=str, help="COM# to UART device"
+    )
+    parser.add_argument(
+        "--baud", metavar="Hz", default=115200, type=int, help="baud rate"
+    )
+    args = parser.parse_args()
+
+    with open(args.filename, "rb") as fd:
+        with Serial(args.device, args.baud) as ser:
+
+            kernel_raw = fd.read()
+            length = len(kernel_raw)
+
+            print("Kernel image size : ", hex(length))
+            for i in range(8):
+                ser.write(p64(length)[i : i + 1])
+                ser.flush()
+
+            print("Start sending kernel image by uart1...")
+            for i in range(length):
+                # Use kernel_raw[i: i+1] is byte type. Instead of using kernel_raw[i] it will retrieve int type then cause error
+                ser.write(kernel_raw[i : i + 1])
+                ser.flush()
+                if i % 100 == 0:
+                    print("{:>6}/{:>6} bytes".format(i, length))
+            print("{:>6}/{:>6} bytes".format(length, length))
+            print("Transfer finished!")
diff --git a/lab7/user_program/Makefile b/lab7/user_program/Makefile
new file mode 100644
index 000000000..3d1a93348
--- /dev/null
+++ b/lab7/user_program/Makefile
@@ -0,0 +1,24 @@
+CC = aarch64-linux-gnu
+CFLAGS = -ggdb -Wno-implicit -ffreestanding -nostdlib -nostartfiles -Iinclude
+
+BUILD_DIR = build
+ROOTFS_DIR = ../rootfs
+
+OBJECTS = $(patsubst %.S, $(BUILD_DIR)/%.o, $(wildcard *.S))
+
+USER_PROG = userprog
+
+all: $(OBJECTS)
+	$(CC)-ld -T linker.ld -o $(BUILD_DIR)/$(USER_PROG).elf $(OBJECTS)
+	$(CC)-objcopy -O binary $(BUILD_DIR)/$(USER_PROG).elf $(ROOTFS_DIR)/$(USER_PROG)
+
+$(BUILD_DIR)/%.o: %.S
+	@mkdir -p $(BUILD_DIR)
+	$(CC)-gcc $(CFLAGS) -c $< -o $@
+
+clean:
+	rm -rf $(BUILD_DIR)
+	rm -f $(ROOTFS_DIR)/$(USER_PROG)
+
+run:
+	qemu-system-aarch64 -M raspi3b -kernel $(ROOTFS_DIR)/$(USER_PROG) -display none -serial null -serial stdio -s
diff --git a/lab7/user_program/linker.ld b/lab7/user_program/linker.ld
new file mode 100644
index 000000000..783ebe038
--- /dev/null
+++ b/lab7/user_program/linker.ld
@@ -0,0 +1,5 @@
+SECTIONS
+{
+  . = 0x80000;
+  .text : { *(.text) }
+}
\ No newline at end of file
diff --git a/lab7/user_program/userprog.S b/lab7/user_program/userprog.S
new file mode 100644
index 000000000..838323763
--- /dev/null
+++ b/lab7/user_program/userprog.S
@@ -0,0 +1,11 @@
+.section ".text"
+.global _start
+_start:
+    mov x0, 0
+1:
+    add x0, x0, 1
+    svc 0
+    cmp x0, 5
+    blt 1b
+1:
+    b 1b
\ No newline at end of file