diff --git a/chips/a523_a527_t527.c b/chips/a523_a527_t527.c
index 6537612..daff596 100644
--- a/chips/a523_a527_t527.c
+++ b/chips/a523_a527_t527.c
@@ -43,6 +43,52 @@ static void payload_write32(struct xfel_ctx_t * ctx, uint32_t addr, uint32_t val fel_exec(ctx, ctx->version.scratchpad); } +static void payload_jmp_to_arm64(struct xfel_ctx_t * ctx, uint32_t addr) +{ + static const uint8_t payload[] = { + 0x00, 0x00, 0xa0, 0xe3, 0x17, 0x0f, 0x08, 0xee, 0x15, 0x0f, 0x07, 0xee, + 0xd5, 0x0f, 0x07, 0xee, 0x9a, 0x0f, 0x07, 0xee, 0x95, 0x0f, 0x07, 0xee, + 0x00, 0x00, 0x00, 0xea, 0x00, 0x00, 0x00, 0x40, 0x5c, 0x00, 0x9f, 0xe5, + 0x00, 0xd0, 0x80, 0xe5, 0x04, 0xe0, 0x80, 0xe5, 0x00, 0xe0, 0x0f, 0xe1, + 0x08, 0xe0, 0x80, 0xe5, 0x10, 0xef, 0x11, 0xee, 0x0c, 0xe0, 0x80, 0xe5, + 0x10, 0xef, 0x1c, 0xee, 0x10, 0xe0, 0x80, 0xe5, 0x10, 0xef, 0x11, 0xee, + 0x14, 0xe0, 0x80, 0xe5, 0x38, 0x00, 0x1f, 0xe5, 0x0c, 0x00, 0x00, 0xeb, + 0x28, 0x00, 0x9f, 0xe5, 0x00, 0xd0, 0x90, 0xe5, 0x04, 0xe0, 0x90, 0xe5, + 0x14, 0x10, 0x90, 0xe5, 0x10, 0x1f, 0x01, 0xee, 0x10, 0x10, 0x90, 0xe5, + 0x10, 0x1f, 0x0c, 0xee, 0x0c, 0x10, 0x90, 0xe5, 0x10, 0x1f, 0x01, 0xee, + 0x08, 0x10, 0x90, 0xe5, 0x01, 0xf0, 0x29, 0xe1, 0x1e, 0xff, 0x2f, 0xe1, + 0xe0, 0x7f, 0x04, 0x00, 0x02, 0x23, 0xa0, 0xe3, 0x00, 0x10, 0xa0, 0xe3, + 0x40, 0x00, 0x82, 0xe5, 0x44, 0x10, 0x82, 0xe5, 0x50, 0x2f, 0x1c, 0xee, + 0x03, 0x20, 0x82, 0xe3, 0x4f, 0xf0, 0x7f, 0xf5, 0x50, 0x2f, 0x0c, 0xee, + 0x6f, 0xf0, 0x7f, 0xf5, 0x03, 0xf0, 0x20, 0xe3, 0xfd, 0xff, 0xff, 0xea, + 0x04, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, + 0x47, 0x4e, 0x55, 0x00, 0xec, 0x31, 0xc0, 0x4b, 0x42, 0x7a, 0x23, 0x57, + 0x32, 0xfa, 0xfc, 0xe1, 0x02, 0xe3, 0xc1, 0x18, 0x42, 0x45, 0x69, 0x4c, + 0x2f, 0x6c, 0x69, 0x62, 0x2f, 0x6c, 0x64, 0x2d, 0x6c, 0x69, 0x6e, 0x75, + 0x78, 0x2d, 0x61, 0x72, 0x6d, 0x68, 0x66, 0x2e, 0x73, 0x6f, 0x2e, 0x33, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xf5, 0xfe, 0xff, 0x6f, 0x08, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x04, 0x01, 0x02, 0x00, 0x06, 0x00, 0x00, 0x00, 0xf4, 0x00, 0x02, 0x00, + 0x0a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, + 0x10, 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x1e, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0xfb, 0xff, 0xff, 0x6f, + 0x01, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x20, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00 + }; + uint32_t adr = cpu_to_le32(addr); + + fel_write(ctx, ctx->version.scratchpad, (void *)payload, sizeof(payload)); + fel_write(ctx, ctx->version.scratchpad + 0x1c, (void *)&adr, sizeof(adr)); + fel_exec(ctx, ctx->version.scratchpad); +} + static int chip_reset(struct xfel_ctx_t * ctx) { return 0; @@ -2911,6 +2957,20 @@ static int chip_extra(struct xfel_ctx_t * ctx, int argc, char * argv[]) printf("The device does not enabled the security boot.\r\n"); return 1; } + else if(!strcmp(argv[0], "exec")) + { + argc -= 1; + argv += 1; + if(argc > 0) + { + if(!strcmp(argv[0], "arm64") && (argc == 2)) + { + uint32_t addr = strtoul(argv[1], NULL, 0); + payload_jmp_to_arm64(ctx, addr); + return 1; + } + } + } } printf("usage:\r\n"); printf(" xfel extra efuse dump - Dump all of the efuse information\r\n"); @@ -2918,6 +2978,7 @@ static int chip_extra(struct xfel_ctx_t * ctx, int argc, char * argv[]) printf(" xfel extra efuse write32 - Write 32-bits value to efuse\r\n"); printf(" xfel extra efuse write - Write file to efuse\r\n"); printf(" xfel extra checksboot - Check whether security boot is enabled on the device\r\n"); + printf(" xfel extra exec arm64
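Review bot: The embedded payload blob carries ELF dynamic-linking residue — a GNU build-id note (`47 4e 55 00` preceded by namesz 4, descsz 0x14, type 3), the interpreter string `/lib/ld-linux-armhf.so.3`, and dynamic tags such as `0x6ffffef5` (DT_GNU_HASH) and `0x6ffffffb` (DT_FLAGS_1 with the DF_1_PIE bit set) — which indicates the jmp-arm64 ELF was linked as a PIE with `.interp`/`.dynamic` kept, roughly doubling what is written to the scratchpad; linking with `LDFLAGS := -T link.ld -nostdlib -static` in the new Makefile (and dropping `*(.note.gnu.build-id)` from the `.text` section of link.ld) should strip it. The word at blob offset 0x1c is `0x40000000` here while start.S declares `_adr: .word 0x11223344`, so the blob may not have been regenerated from the committed source — harmless because the host patches that slot, but worth a rebuild. The function also has no header comment; I would add `/* Load the jmp-arm64 payload into the scratchpad, patch its _adr slot (offset 0x1c) with the target address and execute it. */` above `static void payload_jmp_to_arm64`.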
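Review bot: `uint32_t addr = strtoul(argv[1], NULL, 0);` accepts anything: a mistyped or non-numeric argument parses as 0, an out-of-range one is silently truncated to 32 bits on an LP64 host, and the payload is then executed with that address with no error reported. Parse with an end pointer and a range check, and fall through to the usage text when the argument is not a valid 32-bit address; this needs `<errno.h>` if the file does not already include it. chip_extra begins before this hunk.
```c
				if(!strcmp(argv[0], "arm64") && (argc == 2))
				{
					char * end = NULL;
					unsigned long v;

					errno = 0;
					v = strtoul(argv[1], &end, 0);
					/* reject empty input, trailing junk, ERANGE and values that do not fit 32 bits */
					if((end != argv[1]) && (*end == '\0') && (errno != ERANGE) && (v <= UINT32_MAX))
					{
						payload_jmp_to_arm64(ctx, (uint32_t)v);
						return 1;
					}
					/* otherwise fall through to the usage text below */
				}
```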
- Boot arm64 and jump to address\r\n"); return 0; } diff --git a/payloads/a523_a527_t527/jmp-arm64/.gitignore b/payloads/a523_a527_t527/jmp-arm64/.gitignore new file mode 100644 index 0000000..88f9697 --- /dev/null +++ b/payloads/a523_a527_t527/jmp-arm64/.gitignore @@ -0,0 +1,10 @@ +# +# Normal rules +# +*~ + +# +# Generated files +# +/.obj +/output diff --git a/payloads/a523_a527_t527/jmp-arm64/Makefile b/payloads/a523_a527_t527/jmp-arm64/Makefile new file mode 100644 index 0000000..704ccb0 --- /dev/null +++ b/payloads/a523_a527_t527/jmp-arm64/Makefile 
@@ -0,0 +1,120 @@ +# +# Top makefile +# + +CROSS ?= arm-linux-gnueabihf- +NAME := jmp-arm64 + +# +# System environment variable. +# +ifeq ($(OS), Windows_NT) + HOSTOS := windows +else + ifneq (,$(findstring Linux, $(shell uname -a))) + HOSTOS := linux + endif +endif + +# +# Load default variables. +# +ASFLAGS := -g -ggdb -Wall -O3 +CFLAGS := -g -ggdb -Wall -O3 +CXXFLAGS := -g -ggdb -Wall -O3 +LDFLAGS := -T link.ld -nostdlib +ARFLAGS := -rcs +OCFLAGS := -v -O binary +ODFLAGS := +MCFLAGS := -march=armv7-a -mtune=cortex-a7 -mfpu=vfpv4 -mfloat-abi=hard -marm -mno-thumb-interwork -mno-unaligned-access -fno-stack-protector + +LIBDIRS := +LIBS := +INCDIRS := +SRCDIRS := + +# +# Add external library +# +INCDIRS += include \ + include/external +SRCDIRS += source \ + source/external + +# +# You shouldn't need to change anything below this point. +# +AS := $(CROSS)gcc -x assembler-with-cpp +CC := $(CROSS)gcc +CXX := $(CROSS)g++ +LD := $(CROSS)ld +AR := $(CROSS)ar +OC := $(CROSS)objcopy +OD := $(CROSS)objdump +MKDIR := mkdir -p +CP := cp -af +RM := rm -fr +CD := cd +FIND := find + +# +# X variables +# +X_ASFLAGS := $(MCFLAGS) $(ASFLAGS) +X_CFLAGS := $(MCFLAGS) $(CFLAGS) +X_CXXFLAGS := $(MCFLAGS) $(CXXFLAGS) +X_LDFLAGS := $(LDFLAGS) +X_OCFLAGS := $(OCFLAGS) +X_LIBDIRS := $(LIBDIRS) +X_LIBS := $(LIBS) -lgcc + +X_OUT := output +X_NAME := $(patsubst %, $(X_OUT)/%, $(NAME)) +X_INCDIRS := $(patsubst %, -I %, $(INCDIRS)) +X_SRCDIRS := $(patsubst %, %, $(SRCDIRS)) +X_OBJDIRS := $(patsubst %, .obj/%, $(X_SRCDIRS)) + +X_SFILES := $(foreach dir, $(X_SRCDIRS), $(wildcard $(dir)/*.S)) +X_CFILES := $(foreach dir, $(X_SRCDIRS), $(wildcard $(dir)/*.c)) +X_CPPFILES := $(foreach dir, $(X_SRCDIRS), $(wildcard $(dir)/*.cpp)) + +X_SDEPS := $(patsubst %, .obj/%, $(X_SFILES:.S=.o.d)) +X_CDEPS := $(patsubst %, .obj/%, $(X_CFILES:.c=.o.d)) +X_CPPDEPS := $(patsubst %, .obj/%, $(X_CPPFILES:.cpp=.o.d)) +X_DEPS := $(X_SDEPS) $(X_CDEPS) $(X_CPPDEPS) + +X_SOBJS := $(patsubst %, .obj/%, $(X_SFILES:.S=.o)) 
+X_COBJS := $(patsubst %, .obj/%, $(X_CFILES:.c=.o)) +X_CPPOBJS := $(patsubst %, .obj/%, $(X_CPPFILES:.cpp=.o)) +X_OBJS := $(X_SOBJS) $(X_COBJS) $(X_CPPOBJS) + +VPATH := $(X_OBJDIRS) + +.PHONY: all clean +all : $(X_NAME) + +$(X_NAME) : $(X_OBJS) + @echo [LD] Linking $@.elf + @$(CC) $(X_LDFLAGS) $(X_LIBDIRS) -Wl,--cref,-Map=$@.map $^ -o $@.elf $(X_LIBS) + @echo [OC] Objcopying $@.bin + @$(OC) $(X_OCFLAGS) $@.elf $@.bin + +$(X_SOBJS) : .obj/%.o : %.S + @echo [AS] $< + @$(AS) $(X_ASFLAGS) -MD -MP -MF $@.d $(X_INCDIRS) -c $< -o $@ + +$(X_COBJS) : .obj/%.o : %.c + @echo [CC] $< + @$(CC) $(X_CFLAGS) -MD -MP -MF $@.d $(X_INCDIRS) -c $< -o $@ + +$(X_CPPOBJS) : .obj/%.o : %.cpp + @echo [CXX] $< + @$(CXX) $(X_CXXFLAGS) -MD -MP -MF $@.d $(X_INCDIRS) -c $< -o $@ + +clean: + @$(RM) .obj $(X_OUT) + +# +# Include the dependency files, should be place the last of makefile +# +sinclude $(shell $(MKDIR) $(X_OBJDIRS) $(X_OUT)) $(X_DEPS) diff --git a/payloads/a523_a527_t527/jmp-arm64/include/byteorder.h b/payloads/a523_a527_t527/jmp-arm64/include/byteorder.h new file mode 100644 index 0000000..f1fcf7a --- /dev/null +++ b/payloads/a523_a527_t527/jmp-arm64/include/byteorder.h 
@@ -0,0 +1,83 @@ +#ifndef __BYTEORDER_H__ +#define __BYTEORDER_H__ + +#ifdef __cplusplus +extern "C" { +#endif + +#include + +static inline u16_t __swab16(u16_t x) +{ + return ( (x<<8) | (x>>8) ); +} + +static inline u32_t __swab32(u32_t x) +{ + return ( (x<<24) | (x>>24) | \ + ((x & (u32_t)0x0000ff00UL)<<8) | \ + ((x & (u32_t)0x00ff0000UL)>>8) ); +} + +static inline u64_t __swab64(u64_t x) +{ + return ( (x<<56) | (x>>56) | \ + ((x & (u64_t)0x000000000000ff00ULL)<<40) | \ + ((x & (u64_t)0x0000000000ff0000ULL)<<24) | \ + ((x & (u64_t)0x00000000ff000000ULL)<< 8) | \ + ((x & (u64_t)0x000000ff00000000ULL)>> 8) | \ + ((x & (u64_t)0x0000ff0000000000ULL)>>24) | \ + ((x & (u64_t)0x00ff000000000000ULL)>>40) ); +} + +/* + * swap bytes bizarrely. + * swahw32 - swap 16-bit half-words in a 32-bit word + */ +static inline u32_t __swahw32(u32_t x) +{ + return ( ((x & (u32_t)0x0000ffffUL)<<16) | ((x & (u32_t)0xffff0000UL)>>16) ); +} + +/* + * swap bytes bizarrely. + * swahb32 - swap 8-bit halves of each 16-bit half-word in a 32-bit word + */ +static inline u32_t __swahb32(u32_t x) +{ + return ( ((x & (u32_t)0x00ff00ffUL)<<8) | ((x & (u32_t)0xff00ff00UL)>>8) ); +} + +#if (BYTE_ORDER == BIG_ENDIAN) +#define cpu_to_le64(x) (__swab64((u64_t)(x))) +#define le64_to_cpu(x) (__swab64((u64_t)(x))) +#define cpu_to_le32(x) (__swab32((u32_t)(x))) +#define le32_to_cpu(x) (__swab32((u32_t)(x))) +#define cpu_to_le16(x) (__swab16((u16_t)(x))) +#define le16_to_cpu(x) (__swab16((u16_t)(x))) +#define cpu_to_be64(x) ((u64_t)(x)) +#define be64_to_cpu(x) ((u64_t)(x)) +#define cpu_to_be32(x) ((u32_t)(x)) +#define be32_to_cpu(x) ((u32_t)(x)) +#define cpu_to_be16(x) ((u16_t)(x)) +#define be16_to_cpu(x) ((u16_t)(x)) +#else +#define cpu_to_le64(x) ((u64_t)(x)) +#define le64_to_cpu(x) ((u64_t)(x)) +#define cpu_to_le32(x) ((u32_t)(x)) +#define le32_to_cpu(x) ((u32_t)(x)) +#define cpu_to_le16(x) ((u16_t)(x)) +#define le16_to_cpu(x) ((u16_t)(x)) +#define cpu_to_be64(x) (__swab64((u64_t)(x))) +#define 
be64_to_cpu(x) (__swab64((u64_t)(x))) +#define cpu_to_be32(x) (__swab32((u32_t)(x))) +#define be32_to_cpu(x) (__swab32((u32_t)(x))) +#define cpu_to_be16(x) (__swab16((u16_t)(x))) +#define be16_to_cpu(x) (__swab16((u16_t)(x))) +#endif + +#ifdef __cplusplus +} +#endif + +#endif /* __BYTEORDER_H__ */ diff --git a/payloads/a523_a527_t527/jmp-arm64/include/endian.h b/payloads/a523_a527_t527/jmp-arm64/include/endian.h new file mode 100644 index 0000000..7e74f43 --- /dev/null +++ b/payloads/a523_a527_t527/jmp-arm64/include/endian.h @@ -0,0 +1,27 @@ +#ifndef __ARM32_ENDIAN_H__ +#define __ARM32_ENDIAN_H__ + +#ifdef __cplusplus +extern "C" { +#endif + +#define LITTLE_ENDIAN (0x1234) +#define BIG_ENDIAN (0x4321) + +#if ( !defined(__LITTLE_ENDIAN) && !defined(__BIG_ENDIAN) ) +#define __LITTLE_ENDIAN +#endif + +#if defined(__LITTLE_ENDIAN) +#define BYTE_ORDER LITTLE_ENDIAN +#elif defined(__BIG_ENDIAN) +#define BYTE_ORDER BIG_ENDIAN +#else +#error "Unknown byte order!" +#endif + +#ifdef __cplusplus +} +#endif + +#endif /* __ARM32_ENDIAN_H__ */ diff --git a/payloads/a523_a527_t527/jmp-arm64/include/io.h b/payloads/a523_a527_t527/jmp-arm64/include/io.h new file mode 100644 index 0000000..fbf2562 --- /dev/null +++ b/payloads/a523_a527_t527/jmp-arm64/include/io.h 
@@ -0,0 +1,54 @@ +#ifndef __IO_H__ +#define __IO_H__ + +#ifdef __cplusplus +extern "C" { +#endif + +#include + +static inline u8_t read8(virtual_addr_t addr) +{ + return( *((volatile u8_t *)(addr)) ); +} + +static inline u16_t read16(virtual_addr_t addr) +{ + return( *((volatile u16_t *)(addr)) ); +} + +static inline u32_t read32(virtual_addr_t addr) +{ + return( *((volatile u32_t *)(addr)) ); +} + +static inline u64_t read64(virtual_addr_t addr) +{ + return( *((volatile u64_t *)(addr)) ); +} + +static inline void write8(virtual_addr_t addr, u8_t value) +{ + *((volatile u8_t *)(addr)) = value; +} + +static inline void write16(virtual_addr_t addr, u16_t value) +{ + *((volatile u16_t *)(addr)) = value; +} + +static inline void write32(virtual_addr_t addr, u32_t value) +{ + *((volatile u32_t *)(addr)) = value; +} + +static inline void write64(virtual_addr_t addr, u64_t value) +{ + *((volatile u64_t *)(addr)) = value; +} + +#ifdef __cplusplus +} +#endif + +#endif /* __IO_H__ */ diff --git a/payloads/a523_a527_t527/jmp-arm64/include/stdarg.h b/payloads/a523_a527_t527/jmp-arm64/include/stdarg.h new file mode 100644 index 0000000..074c489 --- /dev/null +++ b/payloads/a523_a527_t527/jmp-arm64/include/stdarg.h @@ -0,0 +1,34 @@ +#ifndef __STDARG_H__ +#define __STDARG_H__ + +#ifdef __cplusplus +extern "C" { +#endif + +typedef __builtin_va_list va_list; + +/* + * prepare to access variable args + */ +#define va_start(v, l) __builtin_va_start(v, l) + +/* + * the caller will get the value of current argument + */ +#define va_arg(v, l) __builtin_va_arg(v, l) + +/* + * end for variable args + */ +#define va_end(v) __builtin_va_end(v) + +/* + * copy variable args + */ +#define va_copy(d, s) __builtin_va_copy(d, s) + +#ifdef __cplusplus +} +#endif + +#endif /* __STDARG_H__ */ diff --git a/payloads/a523_a527_t527/jmp-arm64/include/stddef.h b/payloads/a523_a527_t527/jmp-arm64/include/stddef.h new file mode 100644 index 0000000..ca3874c --- /dev/null 
+++ b/payloads/a523_a527_t527/jmp-arm64/include/stddef.h @@ -0,0 +1,49 @@ +#ifndef __STDDEF_H__ +#define __STDDEF_H__ + +#ifdef __cplusplus +extern "C" { +#endif + +#if defined(__cplusplus) +#define NULL (0) +#else +#define NULL ((void *)0) +#endif + +#if (defined(__GNUC__) && (__GNUC__ >= 4)) +#define offsetof(type, member) __builtin_offsetof(type, member) +#else +#define offsetof(type, field) ((size_t)(&((type *)0)->field)) +#endif +#define container_of(ptr, type, member) ({const typeof(((type *)0)->member) *__mptr = (ptr); (type *)((char *)__mptr - offsetof(type,member));}) + +#if (defined(__GNUC__) && (__GNUC__ >= 3)) +#define likely(expr) (__builtin_expect(!!(expr), 1)) +#define unlikely(expr) (__builtin_expect(!!(expr), 0)) +#else +#define likely(expr) (!!(expr)) +#define unlikely(expr) (!!(expr)) +#endif + +#define min(a, b) ({typeof(a) _amin = (a); typeof(b) _bmin = (b); (void)(&_amin == &_bmin); _amin < _bmin ? _amin : _bmin;}) +#define max(a, b) ({typeof(a) _amax = (a); typeof(b) _bmax = (b); (void)(&_amax == &_bmax); _amax > _bmax ? _amax : _bmax;}) +#define clamp(v, a, b) min(max(a, v), b) + +#define ifloor(x) ((x) > 0 ? (int)(x) : (int)((x) - 0.9999999999)) +#define iround(x) ((x) > 0 ? (int)((x) + 0.5) : (int)((x) - 0.5)) +#define iceil(x) ((x) > 0 ? (int)((x) + 0.9999999999) : (int)(x)) +#define idiv255(x) ((((int)(x) + 1) * 257) >> 16) + +#define X(...) ("" #__VA_ARGS__ "") + +enum { + FALSE = 0, + TRUE = 1, +}; + +#ifdef __cplusplus +} +#endif + +#endif /* __STDDEF_H__ */ diff --git a/payloads/a523_a527_t527/jmp-arm64/include/stdint.h b/payloads/a523_a527_t527/jmp-arm64/include/stdint.h new file mode 100644 index 0000000..41c8de3 --- /dev/null +++ b/payloads/a523_a527_t527/jmp-arm64/include/stdint.h 
@@ -0,0 +1,31 @@ +#ifndef __STDINT_H__ +#define __STDINT_H__ + +#ifdef __cplusplus +extern "C" { +#endif + +#include + +typedef s8_t int8_t; +typedef u8_t uint8_t; + +typedef s16_t int16_t; +typedef u16_t uint16_t; + +typedef s32_t int32_t; +typedef u32_t uint32_t; + +typedef s64_t int64_t; +typedef u64_t uint64_t; + +#define UINT8_MAX (0xff) +#define UINT16_MAX (0xffff) +#define UINT32_MAX (0xffffffff) +#define UINT64_MAX (0xffffffffffffffffULL) + +#ifdef __cplusplus +} +#endif + +#endif /* __STDINT_H__ */ diff --git a/payloads/a523_a527_t527/jmp-arm64/include/string.h b/payloads/a523_a527_t527/jmp-arm64/include/string.h new file mode 100644 index 0000000..126d16e --- /dev/null +++ b/payloads/a523_a527_t527/jmp-arm64/include/string.h @@ -0,0 +1,17 @@ +#ifndef __STRING_H__ +#define __STRING_H__ + +#ifdef __cplusplus +extern "C" { +#endif + +#include + +void * memset(void * s, int c, size_t n); +void * memcpy(void * dest, const void * src, size_t len); + +#ifdef __cplusplus +} +#endif + +#endif /* __STRING_H__ */ diff --git a/payloads/a523_a527_t527/jmp-arm64/include/t527/reg-ccu.h b/payloads/a523_a527_t527/jmp-arm64/include/t527/reg-ccu.h new file mode 100644 index 0000000..9e7c634 --- /dev/null +++ b/payloads/a523_a527_t527/jmp-arm64/include/t527/reg-ccu.h @@ -0,0 +1,6 @@ +#ifndef __T527_REG_CCU_H__ +#define __T527_REG_CCU_H__ + +#define T527_CCU_BASE (0x02001000) + +#endif /* __T527_REG_CCU_H__ */ diff --git a/payloads/a523_a527_t527/jmp-arm64/include/types.h b/payloads/a523_a527_t527/jmp-arm64/include/types.h new file mode 100644 index 0000000..599979d --- /dev/null +++ b/payloads/a523_a527_t527/jmp-arm64/include/types.h 
@@ -0,0 +1,53 @@ +#ifndef __ARM32_TYPES_H__ +#define __ARM32_TYPES_H__ + +#ifdef __cplusplus +extern "C" { +#endif + +typedef signed char s8_t; +typedef unsigned char u8_t; + +typedef signed short s16_t; +typedef unsigned short u16_t; + +typedef signed int s32_t; +typedef unsigned int u32_t; + +typedef signed long long s64_t; +typedef unsigned long long u64_t; + +typedef signed long long intmax_t; +typedef unsigned long long uintmax_t; + +typedef signed int ptrdiff_t; +typedef signed int intptr_t; +typedef unsigned int uintptr_t; + +typedef unsigned int size_t; +typedef signed int ssize_t; + +typedef signed int off_t; +typedef signed long long loff_t; + +typedef signed int bool_t; +typedef unsigned int irq_flags_t; + +typedef unsigned int virtual_addr_t; +typedef unsigned int virtual_size_t; +typedef unsigned int physical_addr_t; +typedef unsigned int physical_size_t; + +typedef struct { + volatile int counter; +} atomic_t; + +typedef struct { + volatile int lock; +} spinlock_t; + +#ifdef __cplusplus +} +#endif + +#endif /* __ARM32_TYPES_H__ */ diff --git a/payloads/a523_a527_t527/jmp-arm64/include/xboot.h b/payloads/a523_a527_t527/jmp-arm64/include/xboot.h new file mode 100644 index 0000000..d95c352 --- /dev/null +++ b/payloads/a523_a527_t527/jmp-arm64/include/xboot.h @@ -0,0 +1,21 @@ +#ifndef __XBOOT_H__ +#define __XBOOT_H__ + +#ifdef __cplusplus +extern "C" { +#endif + +#include +#include +#include +#include +#include +#include +#include +#include + +#ifdef __cplusplus +} +#endif + +#endif /* __XBOOT_H__ */ diff --git a/payloads/a523_a527_t527/jmp-arm64/link.ld b/payloads/a523_a527_t527/jmp-arm64/link.ld new file mode 100644 index 0000000..25ae342 --- /dev/null +++ b/payloads/a523_a527_t527/jmp-arm64/link.ld 
@@ -0,0 +1,122 @@ +OUTPUT_FORMAT("elf32-littlearm", "elf32-bigarm", "elf32-littlearm") +OUTPUT_ARCH(arm) +ENTRY(_start) + +STACK_UND_SIZE = 0x010; +STACK_ABT_SIZE = 0x010; +STACK_IRQ_SIZE = 0x010; +STACK_FIQ_SIZE = 0x010; +STACK_SRV_SIZE = 0x400; + +MEMORY +{ + ram : org = 0x00020000, len = 0x00002000 /* 8 KB */ +} + +SECTIONS +{ + .text : + { + PROVIDE(__image_start = .); + PROVIDE(__text_start = .); + .obj/source/start.o (.text) + .obj/source/sys-jmp-arm64.o (.text*) + *(.text*) + *(.glue*) + *(.note.gnu.build-id) + PROVIDE(__text_end = .); + } > ram + + .ARM.exidx ALIGN(8) : + { + PROVIDE (__exidx_start = .); + *(.ARM.exidx*) + PROVIDE (__exidx_end = .); + } > ram + + .ARM.extab ALIGN(8) : + { + PROVIDE (__extab_start = .); + *(.ARM.extab*) + PROVIDE (__extab_end = .); + } > ram + + .ksymtab ALIGN(16) : + { + PROVIDE(__ksymtab_start = .); + KEEP(*(.ksymtab.text)) + PROVIDE(__ksymtab_end = .); + } > ram + + .romdisk ALIGN(8) : + { + PROVIDE(__romdisk_start = .); + KEEP(*(.romdisk)) + PROVIDE(__romdisk_end = .); + } > ram + + .rodata ALIGN(8) : + { + PROVIDE(__rodata_start = .); + *(SORT_BY_ALIGNMENT(SORT_BY_NAME(.rodata*))) + PROVIDE(__rodata_end = .); + } > ram + + .data ALIGN(8) : + { + PROVIDE(__data_start = .); + *(.data*) + . = ALIGN(8); + PROVIDE(__data_end = .); + PROVIDE(__image_end = .); + } > ram + + .bss ALIGN(8) (NOLOAD) : + { + PROVIDE(__bss_start = .); + *(.bss*) + *(.sbss*) + *(COMMON) + . = ALIGN(8); + PROVIDE(__bss_end = .); + } > ram + + .stack ALIGN(8) (NOLOAD) : + { + PROVIDE(__stack_start = .); + PROVIDE(__stack_und_start = .); + . += STACK_UND_SIZE; + PROVIDE(__stack_und_end = .); + . = ALIGN(8); + PROVIDE(__stack_abt_start = .); + . += STACK_ABT_SIZE; + PROVIDE(__stack_abt_end = .); + . = ALIGN(8); + PROVIDE(__stack_irq_start = .); + . += STACK_IRQ_SIZE; + PROVIDE(__stack_irq_end = .); + . = ALIGN(8); + PROVIDE(__stack_fiq_start = .); + . += STACK_FIQ_SIZE; + PROVIDE(__stack_fiq_end = .); + . 
= ALIGN(8); + PROVIDE(__stack_srv_start = .); + . += STACK_SRV_SIZE; + PROVIDE(__stack_srv_end = .); + . = ALIGN(8); + PROVIDE(__stack_end = .); + } > ram + + .stab 0 : { *(.stab) } + .stabstr 0 : { *(.stabstr) } + .stab.excl 0 : { *(.stab.excl) } + .stab.exclstr 0 : { *(.stab.exclstr) } + .stab.index 0 : { *(.stab.index) } + .stab.indexstr 0 : { *(.stab.indexstr) } + .comment 0 : { *(.comment) } + .debug_abbrev 0 : { *(.debug_abbrev) } + .debug_info 0 : { *(.debug_info) } + .debug_line 0 : { *(.debug_line) } + .debug_pubnames 0 : { *(.debug_pubnames) } + .debug_aranges 0 : { *(.debug_aranges) } +} diff --git a/payloads/a523_a527_t527/jmp-arm64/source/start.S b/payloads/a523_a527_t527/jmp-arm64/source/start.S new file mode 100644 index 0000000..fa83516 --- /dev/null +++ b/payloads/a523_a527_t527/jmp-arm64/source/start.S 
@@ -0,0 +1,69 @@ +/* + * start.S + * + * Copyright(c) 2007-2021 Jianjun Jiang <8192542@qq.com> + * Official site: http://xboot.org + * Mobile phone: +86-18665388956 + * QQ: 8192542 + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ * + */ + + .global _start +_start: + mov r0, #0 + mcr p15, 0, r0, c8, c7, 0 + mcr p15, 0, r0, c7, c5, 0 + mcr p15, 0, r0, c7, c5, 6 + mcr p15, 0, r0, c7, c10, 4 + mcr p15, 0, r0, c7, c5, 4 + b reset + +_adr: + .word 0x11223344 + +reset: + ldr r0, =0x00047fe0 + str sp, [r0, #0] + str lr, [r0, #4] + mrs lr, cpsr + str lr, [r0, #8] + mrc p15, 0, lr, c1, c0, 0 + str lr, [r0, #12] + mrc p15, 0, lr, c12, c0, 0 + str lr, [r0, #16] + mrc p15, 0, lr, c1, c0, 0 + str lr, [r0, #20] + + ldr r0, _adr + bl sys_jmp_to_arm64 + + ldr r0, =0x00047fe0 + ldr sp, [r0, #0] + ldr lr, [r0, #4] + ldr r1, [r0, #20] + mcr p15, 0, r1, c1, c0, 0 + ldr r1, [r0, #16] + mcr p15, 0, r1, c12, c0, 0 + ldr r1, [r0, #12] + mcr p15, 0, r1, c1, c0, 0 + ldr r1, [r0, #8] + msr cpsr, r1 + bx lr diff --git a/payloads/a523_a527_t527/jmp-arm64/source/sys-jmp-arm64.c b/payloads/a523_a527_t527/jmp-arm64/source/sys-jmp-arm64.c new file mode 100644 index 0000000..af0a7d0 --- /dev/null +++ b/payloads/a523_a527_t527/jmp-arm64/source/sys-jmp-arm64.c 
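Review bot: The restore sequence after `bl sys_jmp_to_arm64` (reloading sp and lr and the c1/c12 system registers from 0x00047fe0, then `bx lr`) is unreachable as committed: sys_jmp_to_arm64 in sys-jmp-arm64.c ends in a `wfi` loop and never returns, so either this code is dead or it documents an intent the C side does not implement, and a comment should say which. The `_adr: .word 0x11223344` slot also deserves a comment stating that the host overwrites it through `fel_write(ctx, ctx->version.scratchpad + 0x1c, ...)`, e.g. `@ patched by xfel with the AArch64 entry address (payload offset 0x1c)`, since nothing else ties the two sides together. The save area at `0x00047fe0` is a bare magic number and should be named with a `.equ` or commented.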
@@ -0,0 +1,47 @@
+/*
+ * sys-uart.c
+ *
+ * Copyright(c) 2007-2021 Jianjun Jiang <8192542@qq.com>
+ * Official site: http://xboot.org
+ * Mobile phone: +86-18665388956
+ * QQ: 8192542
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ *
+ */
+
+#include 
+
+void sys_jmp_to_arm64(uint32_t val)
+{
+ virtual_addr_t addr = 0x08000000;
+
+ write32(addr + 0x40, val);
+ write32(addr + 0x44, 0x0);
+
+ __asm__ __volatile__("mrc p15, 0, r2, c12, c0, 2");
+ __asm__ __volatile__("orr r2, r2, #(0x3 << 0)");
+ __asm__ __volatile__("dsb");
+ __asm__ __volatile__("mcr p15, 0, r2, c12, c0, 2");
+ __asm__ __volatile__("isb");
+
+_loop:
+ __asm__ __volatile__("wfi");
+ goto _loop;
+}
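Review bot: The five separate `__asm__ __volatile__` statements read and modify `r2` without naming it in a clobber list, so the compiler (this is built with -O3 per the new Makefile) is free to keep a live value in r2 across them; the sequence should be one asm statement with a scratch output operand instead of a hard-coded register. The header comment still reads `sys-uart.c` and should be `sys-jmp-arm64.c`, and the constants `0x08000000 + 0x40/0x44` and the `c12, c0, 2` system register (which looks like the AArch32 RMR, which would explain the endless `wfi` afterwards — confirm) each want a one-line comment saying what they are. I would write the register access as:
```c
	uint32_t rmr;

	/* … unchanged: write32() of the entry address … */

	__asm__ __volatile__(
		"mrc p15, 0, %0, c12, c0, 2\n\t"
		"orr %0, %0, #(0x3 << 0)\n\t"
		"dsb\n\t"
		"mcr p15, 0, %0, c12, c0, 2\n\t"
		"isb"
		: "=r"(rmr) : : "memory");
```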