From dcedcb38eac739b270abecce20f92e4fa02840db Mon Sep 17 00:00:00 2001
From: fgsfds <pvt.fgsfds@gmail.com>
Date: Sat, 4 Aug 2018 04:03:42 +0300
Subject: [PATCH 01/35] enable nogc by default; slightly better way to filter
 nogc out

---
 src/firmware.c   |  8 +++++++-
 src/kippatches.c | 45 ++++++++++++++++++++-------------------------
 2 files changed, 27 insertions(+), 26 deletions(-)

diff --git a/src/firmware.c b/src/firmware.c
index 7ca3470..22b4523 100644
--- a/src/firmware.c
+++ b/src/firmware.c
@@ -159,7 +159,13 @@ void patch(pk11_offs *pk11, pkg2_hdr_t *pkg2, link_t *kips) {
     }
 
     u8 kipHash[0x20];
-    char *patchFilter[] = { "nogc", "nosigchk", "nocmac", NULL };
+    char *patchFilter[] = { "nosigchk", "nocmac", "nogc", NULL };
+
+    // disable nogc if there's a file called "disable_nogc" in /ReiNX/
+    if (fopen("/ReiNX/disable_nogc", "rb")) {
+        patchFilter[2] = NULL;
+        fclose();
+    }
 
     //Patch FS module (truly not my proudest code TODO cleanup)
     LIST_FOREACH_ENTRY(pkg2_kip1_info_t, ki, kips, link) {        
diff --git a/src/kippatches.c b/src/kippatches.c
index 46de8e4..724fd06 100644
--- a/src/kippatches.c
+++ b/src/kippatches.c
@@ -24,25 +24,25 @@
 // TODO: get full hashes somewhere and not just the first 16 bytes
 // every second one is the exfat version
 kippatchset_t kip_patches[] = {
-  { "FS", "\xde\x9f\xdd\xa4\x08\x5d\xd5\xfe\x68\xdc\xb2\x0b\x41\x09\x5b\xb4", fs_kip_patches_100 },
-  { "FS", "\xfc\x3e\x80\x99\x1d\xca\x17\x96\x4a\x12\x1f\x04\xb6\x1b\x17\x5e", fs_kip_patches_100 },
-  { "FS", "\xcd\x7b\xbe\x18\xd6\x13\x0b\x28\xf6\x2f\x19\xfa\x79\x45\x53\x5b", fs_kip_patches_200 },
-  { "FS", "\xe7\x66\x92\xdf\xaa\x04\x20\xe9\xfd\xd6\x8e\x43\x63\x16\x18\x18", fs_kip_patches_200 },
-  { "FS", "\x0d\x70\x05\x62\x7b\x07\x76\x7c\x0b\x96\x3f\x9a\xff\xdd\xe5\x66", fs_kip_patches_210 },
-  { "FS", "\xdb\xd8\x5f\xca\xcc\x19\x3d\xa8\x30\x51\xc6\x64\xe6\x45\x2d\x32", fs_kip_patches_210 },
-  { "FS", "\xa8\x6d\xa5\xe8\x7e\xf1\x09\x7b\x23\xda\xb5\xb4\xdb\xba\xef\xe7", fs_kip_patches_300 },
-  { "FS", "\x98\x1c\x57\xe7\xf0\x2f\x70\xf7\xbc\xde\x75\x31\x81\xd9\x01\xa6", fs_kip_patches_300 },
-  { "FS", "\x57\x39\x7c\x06\x3f\x10\xb6\x31\x3f\x4d\x83\x76\x53\xcc\xc3\x71", fs_kip_patches_301 },
-  { "FS", "\x07\x30\x99\xd7\xc6\xad\x7d\x89\x83\xbc\x7a\xdd\x93\x2b\xe3\xd1", fs_kip_patches_301 },
-  { "FS", "\x06\xe9\x07\x19\x59\x5a\x01\x0c\x62\x46\xff\x70\x94\x6f\x10\xfb", fs_kip_patches_401 },
-  { "FS", "\x54\x9b\x0f\x8d\x6f\x72\xc4\xe9\xf3\xfd\x1f\x19\xea\xce\x4a\x5a", fs_kip_patches_401 },
-  { "FS", "\x80\x96\xaf\x7c\x6a\x35\xaa\x82\x71\xf3\x91\x69\x95\x41\x3b\x0b", fs_kip_patches_410 },
-  { "FS", "\x02\xd5\xab\xaa\xfd\x20\xc8\xb0\x63\x3a\xa0\xdb\xae\xe0\x37\x7e", fs_kip_patches_410 },
-  { "FS", "\xa6\xf2\x7a\xd9\xac\x7c\x73\xad\x41\x9b\x63\xb2\x3e\x78\x5a\x0c", fs_kip_patches_500 },
-  { "FS", "\xce\x3e\xcb\xa2\xf2\xf0\x62\xf5\x75\xf8\xf3\x60\x84\x2b\x32\xb4", fs_kip_patches_500 },
-  { "FS", "\x76\xf8\x74\x02\xc9\x38\x7c\x0f\x0a\x2f\xab\x1b\x45\xce\xbb\x93", fs_kip_patches_510 },
-  { "FS", "\x10\xb2\xd8\x16\x05\x48\x85\x99\xdf\x22\x42\xcb\x6b\xac\x2d\xf1", fs_kip_patches_510 },
-  { NULL, NULL, NULL },
+    { "FS", "\xde\x9f\xdd\xa4\x08\x5d\xd5\xfe\x68\xdc\xb2\x0b\x41\x09\x5b\xb4", fs_kip_patches_100 },
+    { "FS", "\xfc\x3e\x80\x99\x1d\xca\x17\x96\x4a\x12\x1f\x04\xb6\x1b\x17\x5e", fs_kip_patches_100 },
+    { "FS", "\xcd\x7b\xbe\x18\xd6\x13\x0b\x28\xf6\x2f\x19\xfa\x79\x45\x53\x5b", fs_kip_patches_200 },
+    { "FS", "\xe7\x66\x92\xdf\xaa\x04\x20\xe9\xfd\xd6\x8e\x43\x63\x16\x18\x18", fs_kip_patches_200 },
+    { "FS", "\x0d\x70\x05\x62\x7b\x07\x76\x7c\x0b\x96\x3f\x9a\xff\xdd\xe5\x66", fs_kip_patches_210 },
+    { "FS", "\xdb\xd8\x5f\xca\xcc\x19\x3d\xa8\x30\x51\xc6\x64\xe6\x45\x2d\x32", fs_kip_patches_210 },
+    { "FS", "\xa8\x6d\xa5\xe8\x7e\xf1\x09\x7b\x23\xda\xb5\xb4\xdb\xba\xef\xe7", fs_kip_patches_300 },
+    { "FS", "\x98\x1c\x57\xe7\xf0\x2f\x70\xf7\xbc\xde\x75\x31\x81\xd9\x01\xa6", fs_kip_patches_300 },
+    { "FS", "\x57\x39\x7c\x06\x3f\x10\xb6\x31\x3f\x4d\x83\x76\x53\xcc\xc3\x71", fs_kip_patches_301 },
+    { "FS", "\x07\x30\x99\xd7\xc6\xad\x7d\x89\x83\xbc\x7a\xdd\x93\x2b\xe3\xd1", fs_kip_patches_301 },
+    { "FS", "\x06\xe9\x07\x19\x59\x5a\x01\x0c\x62\x46\xff\x70\x94\x6f\x10\xfb", fs_kip_patches_401 },
+    { "FS", "\x54\x9b\x0f\x8d\x6f\x72\xc4\xe9\xf3\xfd\x1f\x19\xea\xce\x4a\x5a", fs_kip_patches_401 },
+    { "FS", "\x80\x96\xaf\x7c\x6a\x35\xaa\x82\x71\xf3\x91\x69\x95\x41\x3b\x0b", fs_kip_patches_410 },
+    { "FS", "\x02\xd5\xab\xaa\xfd\x20\xc8\xb0\x63\x3a\xa0\xdb\xae\xe0\x37\x7e", fs_kip_patches_410 },
+    { "FS", "\xa6\xf2\x7a\xd9\xac\x7c\x73\xad\x41\x9b\x63\xb2\x3e\x78\x5a\x0c", fs_kip_patches_500 },
+    { "FS", "\xce\x3e\xcb\xa2\xf2\xf0\x62\xf5\x75\xf8\xf3\x60\x84\x2b\x32\xb4", fs_kip_patches_500 },
+    { "FS", "\x76\xf8\x74\x02\xc9\x38\x7c\x0f\x0a\x2f\xab\x1b\x45\xce\xbb\x93", fs_kip_patches_510 },
+    { "FS", "\x10\xb2\xd8\x16\x05\x48\x85\x99\xdf\x22\x42\xcb\x6b\xac\x2d\xf1", fs_kip_patches_510 },
+    { NULL, NULL, NULL },
 };
 
 int kippatch_apply(u8 *kipdata, u64 kipdata_len, kippatch_t *patch) {
@@ -70,12 +70,7 @@ int kippatch_apply_set(u8 *kipdata, u64 kipdata_len, kippatchset_t *patchset, ch
                 break;
             }
         }
-        if (!strcmp(p->name, "nogc")){
-            if(!fopen("/ReiNX/nogc", "rb")) {
-                fclose();
-                continue;
-            }
-        }
+
         if (filter && !found) continue;
 
         int r = kippatch_apply(kipdata, kipdata_len, p);

From ca5deee16a30ff41f64a150a085e0028224bedb3 Mon Sep 17 00:00:00 2001
From: Rei <asterma@yahoo.com>
Date: Fri, 3 Aug 2018 22:47:54 -0400
Subject: [PATCH 02/35] screw the 1%!

---
 src/firmware.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/firmware.c b/src/firmware.c
index 22b4523..26ab77d 100644
--- a/src/firmware.c
+++ b/src/firmware.c
@@ -161,8 +161,9 @@ void patch(pk11_offs *pk11, pkg2_hdr_t *pkg2, link_t *kips) {
     u8 kipHash[0x20];
     char *patchFilter[] = { "nosigchk", "nocmac", "nogc", NULL };
 
-    // disable nogc if there's a file called "disable_nogc" in /ReiNX/
-    if (fopen("/ReiNX/disable_nogc", "rb")) {
+    // enable nogc if there's a file called "nogc" in /ReiNX/ 
+    //(I expect the 1% of people this effects can read the guide)
+    if (!fopen("/ReiNX/nogc", "rb")) {
         patchFilter[2] = NULL;
         fclose();
     }

From 58e3867d0b70dc745fba013f46c04d54c01ae5b9 Mon Sep 17 00:00:00 2001
From: Rei <asterma@yahoo.com>
Date: Sun, 5 Aug 2018 13:25:12 -0400
Subject: [PATCH 03/35] Update sysmod link to support hid override

---
 NX_Sysmodules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/NX_Sysmodules b/NX_Sysmodules
index 27a2632..cbdf1f2 160000
--- a/NX_Sysmodules
+++ b/NX_Sysmodules
@@ -1 +1 @@
-Subproject commit 27a263272d3c44e6521046737dce90e29eca00ae
+Subproject commit cbdf1f263166aa54235dc46abbc2d3cb270b4a07

From a8c6525f8c00a7ab553aa0e459b6cee84dc5a73e Mon Sep 17 00:00:00 2001
From: Seddigirl <creeperlwd@gmail.com>
Date: Sun, 5 Aug 2018 23:52:34 +0200
Subject: [PATCH 04/35] shoutouts to simpleflips

---
 src/kippatches/fs.inc | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/kippatches/fs.inc b/src/kippatches/fs.inc
index db34fc5..af17442 100644
--- a/src/kippatches/fs.inc
+++ b/src/kippatches/fs.inc
@@ -89,13 +89,13 @@ static kipdiff_t fs_diffs_401_nocmac[6] = {
 
 static kipdiff_t fs_diffs_401_nogc[3] = {
   { 0xA3458, 4, "\x14\x40\x80\x72", "\x14\x80\x80\x72" },
-  { 0xAAC98, 8, "\x80\x02\xA0\x52\x40\x40\x91\x72", "\xE0\x03\x1F\x2A\x1F\x20\x03\xD5" },
+  { 0xAAB44, 8, "\xF4\x4F\xBE\xA9\xFD\x7B\x01\xA9", "\xE0\x03\x1F\x2A\xC0\x03\x5F\xD6" },
   { 0, 0, NULL, NULL },
 };
 
 static kipdiff_t fs_diffs_410_nogc[3] = {
   { 0xA34BC, 4, "\x14\x40\x80\x72", "\x14\x80\x80\x72" },
-  { 0xAACFC, 8, "\x80\x02\xA0\x52\x40\x40\x91\x72", "\xE0\x03\x1F\x2A\x1F\x20\x03\xD5" },
+  { 0xAABA8, 8, "\xF4\x4F\xBE\xA9\xFD\x7B\x01\xA9", "\xE0\x03\x1F\x2A\xC0\x03\x5F\xD6" },
   { 0, 0, NULL, NULL },
 };
 
@@ -118,7 +118,7 @@ static kipdiff_t fs_diffs_500_nocmac[8] = {
 
 static kipdiff_t fs_diffs_500_nogc[3] = {
   { 0xCF3C4, 4, "\x14\x40\x80\x52", "\x14\x80\x80\x52" },
-  { 0xD74FC, 8, "\x40\x40\x91\x52\x80\x02\xA0\x72", "\xE0\x03\x1F\x2A\x1F\x20\x03\xD5" },
+  { 0xD73A0, 8, "\xF4\x4F\xBE\xA9\xFD\x7B\x01\xA9", "\xE0\x03\x1F\x2A\xC0\x03\x5F\xD6" },
   { 0, 0, NULL, NULL },
 };
 
@@ -141,7 +141,7 @@ static kipdiff_t fs_diffs_510_nocmac[8] = {
 
 static kipdiff_t fs_diffs_510_nogc[3] = {
   { 0xCF794, 4, "\x14\x40\x80\x52", "\x14\x80\x80\x52" },
-  { 0xD78CC, 8, "\x40\x40\x91\x52\x80\x02\xA0\x72", "\xE0\x03\x1F\x2A\x1F\x20\x03\xD5" },
+  { 0xD7770, 8, "\xF4\x4F\xBE\xA9\xFD\x7B\x01\xA9", "\xE0\x03\x1F\x2A\xC0\x03\x5F\xD6" },
   { 0, 0, NULL, NULL },
 };
 

From d1b86168a5ed7e23d85353d2f0ee012d084eb1a0 Mon Sep 17 00:00:00 2001
From: Ave <ave@ave.zone>
Date: Tue, 7 Aug 2018 13:51:22 +0300
Subject: [PATCH 05/35] Bump up version displayed on bootloader to right one

---
 src/firmware.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/firmware.c b/src/firmware.c
index 26ab77d..7578040 100644
--- a/src/firmware.c
+++ b/src/firmware.c
@@ -25,7 +25,7 @@
 #include "firmware.h"
 #include "kippatches.h"
 
-#define VERSION "v0.1"
+#define VERSION "v1.0"
 
 static pk11_offs *pk11Offs = NULL;
 

From b00ff79fec93b38a90461733832686dcb6e528f8 Mon Sep 17 00:00:00 2001
From: calypso <li5up6@gmail.com>
Date: Thu, 9 Aug 2018 20:02:15 -0400
Subject: [PATCH 06/35] Calypso: added nca/nsp FS patches all firmwares

---
 src/kippatches.c | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/src/kippatches.c b/src/kippatches.c
index 724fd06..45d810b 100644
--- a/src/kippatches.c
+++ b/src/kippatches.c
@@ -17,10 +17,14 @@
 #include <string.h>
 
 #include "hwinit/types.h"
+#include "hwinit/util.h"
 #include "kippatches.h"
 #include "fs.h"
 #include "kippatches/fs.inc"
 
+#define NOP 0xD503201F
+
+
 // TODO: get full hashes somewhere and not just the first 16 bytes
 // every second one is the exfat version
 kippatchset_t kip_patches[] = {
@@ -61,6 +65,25 @@ int kippatch_apply(u8 *kipdata, u64 kipdata_len, kippatch_t *patch) {
     return 0;
 }
 
+
+int nca_patch(u8 * kipdata, u64 kipdata_len) {
+	char pattern[8] = {0xE5, 0x07, 0x00, 0x32, 0xE0, 0x03, 0x16, 0xAA};
+	char buf[0x10];
+	memcpy(buf, kipdata+0x1C450, 0x10);
+	u32 * addr = memsearch(kipdata, kipdata_len, pattern, sizeof(pattern));
+	int ret=0;
+	int max_dist = 0x10;
+	for(int i=0; i<max_dist; i++) {
+		u32 op = addr[i];
+		if((op & 0xFC000000)==0x94000000) { //is a BL op
+			addr[i] = NOP;
+			ret=1;
+			break;
+		}
+	}
+	return ret;
+}
+
 int kippatch_apply_set(u8 *kipdata, u64 kipdata_len, kippatchset_t *patchset, char **filter) {
     for (kippatch_t *p = patchset->patches; p && p->name; ++p) {
         int found = 0;
@@ -76,7 +99,8 @@ int kippatch_apply_set(u8 *kipdata, u64 kipdata_len, kippatchset_t *patchset, ch
         int r = kippatch_apply(kipdata, kipdata_len, p);
         if (r) return r;
     }
-
+	if(!strncmp("FS", patchset->kip_name, 2))
+		nca_patch(kipdata, kipdata_len);
     return 0;
 }
 

From 16d834d7652890c55c1a2be35fcaab23880e9041 Mon Sep 17 00:00:00 2001
From: Rei <asterma@yahoo.com>
Date: Fri, 10 Aug 2018 18:47:04 -0400
Subject: [PATCH 07/35] file cleanup

---
 src/bootloader.c |  2 +-
 src/firmware.c   | 22 +++-------------------
 src/firmware.h   | 45 ++++++++++++++++++++++++++++++++++++++++++++-
 src/fs.c         |  1 -
 src/fs.h         | 16 ++++++++++++++++
 src/hwinit.h     | 18 +-----------------
 src/package.h    | 16 ++++++++++++++++
 7 files changed, 81 insertions(+), 39 deletions(-)

diff --git a/src/bootloader.c b/src/bootloader.c
index 8a16e90..8afa02e 100644
--- a/src/bootloader.c
+++ b/src/bootloader.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2018 Reisyukaku
+* Copyright (c) 2018 Reisyukaku, naehrwert
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms and conditions of the GNU General Public License,
diff --git a/src/firmware.c b/src/firmware.c
index 7578040..4ff48cc 100644
--- a/src/firmware.c
+++ b/src/firmware.c
@@ -29,18 +29,6 @@
 
 static pk11_offs *pk11Offs = NULL;
 
-// TODO: Maybe find these with memsearch
-static const pk11_offs _pk11_offs[] = {
-    //{ "20161121183008", 0, 0x1900, 0x3FE0, { 2, 1, 0 }, 0x4002B020, 0x8000D000, 1 }, //TODO: relocator patch for 1.0.0
-    { "20161121183008", 0, 0x1900, 0x3FE0, { 2, 1, 0 }, 0x40014020, 0x8000D000, 1 }, //1.0.0
-    { "20170210155124", 0, 0x1900, 0x3FE0, { 0, 1, 2 }, 0x4002D000, 0x8000D000, 1 }, //2.0.0 - 2.3.0
-    { "20170519101410", 1, 0x1A00, 0x3FE0, { 0, 1, 2 }, 0x4002D000, 0x8000D000, 1 }, //3.0.0
-    { "20170710161758", 2, 0x1A00, 0x3FE0, { 0, 1, 2 }, 0x4002D000, 0x8000D000, 1 }, //3.0.1 - 3.0.2
-    { "20170921172629", 3, 0x1800, 0x3FE0, { 1, 2, 0 }, 0x4002B000, 0x4003B000, 0 }, //4.0.0 - 4.1.0
-    { "20180220163747", 4, 0x1900, 0x3FE0, { 1, 2, 0 }, 0x4002B000, 0x4003B000, 0 }, //5.0.0 - 5.0.2
-    { NULL, 0, 0, 0, 0 } // End.
-};
-
 static void SE_lock() {
     for (u32 i = 0; i < 16; i++)
         se_key_acc_ctrl(i, 0x15);
@@ -173,13 +161,9 @@ void patch(pk11_offs *pk11, pkg2_hdr_t *pkg2, link_t *kips) {
         //Patch FS
         if(ki->kip1->tid == 0x0100000000000000) {
             print("Patching FS\n");
-
-            // calc hash of source kip
-            se_calc_sha256(kipHash, ki->kip1, ki->size);
-            // HACK: for some reason it doesn't always compute correct hash the first time,
-            //       but seems to always do it correctly on the second try. maybe there's some
-            //       init code missing to make this work? I don't even
-            se_calc_sha256(kipHash, ki->kip1, ki->size);
+            
+            se_calc_sha256(&kipHash, ki->kip1, ki->size);
+            se_calc_sha256(&kipHash, ki->kip1, ki->size);
 
             //Create header
             size_t sizeDiff = ki->kip1->sections[0].size_decomp - ki->kip1->sections[0].size_comp;
diff --git a/src/firmware.h b/src/firmware.h
index 8535f38..a40e0fd 100644
--- a/src/firmware.h
+++ b/src/firmware.h
@@ -1,3 +1,18 @@
+/*
+* Copyright (c) 2018 Reisyukaku, naehrwert
+*
+* This program is free software; you can redistribute it and/or modify it
+* under the terms and conditions of the GNU General Public License,
+* version 2, as published by the Free Software Foundation.
+*
+* This program is distributed in the hope it will be useful, but WITHOUT
+* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+* FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+* more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
 #pragma once
 
 #include "hwinit/types.h"
@@ -15,4 +30,32 @@
 #define NOP 0xD503201F
 #define ADRP(r, o) 0x90000000 | ((((o) >> 12) & 0x3) << 29) | ((((o) >> 12) & 0x1FFFFC) << 3) | ((r) & 0x1F)
 
-void firmware();
+// TODO: Maybe find these with memsearch
+static const pk11_offs _pk11_offs[] = {
+    //{ "20161121183008", 0, 0x1900, 0x3FE0, { 2, 1, 0 }, 0x4002B020, 0x8000D000, 1 }, //TODO: relocator patch for 1.0.0
+    { "20161121183008", 0, 0x1900, 0x3FE0, { 2, 1, 0 }, 0x40014020, 0x8000D000, 1 }, //1.0.0
+    { "20170210155124", 0, 0x1900, 0x3FE0, { 0, 1, 2 }, 0x4002D000, 0x8000D000, 1 }, //2.0.0 - 2.3.0
+    { "20170519101410", 1, 0x1A00, 0x3FE0, { 0, 1, 2 }, 0x4002D000, 0x8000D000, 1 }, //3.0.0
+    { "20170710161758", 2, 0x1A00, 0x3FE0, { 0, 1, 2 }, 0x4002D000, 0x8000D000, 1 }, //3.0.1 - 3.0.2
+    { "20170921172629", 3, 0x1800, 0x3FE0, { 1, 2, 0 }, 0x4002B000, 0x4003B000, 0 }, //4.0.0 - 4.1.0
+    { "20180220163747", 4, 0x1900, 0x3FE0, { 1, 2, 0 }, 0x4002B000, 0x4003B000, 0 }, //5.0.0 - 5.0.2
+    { NULL, 0, 0, 0, 0 } // End.
+};
+
+#define NUM_KEYBLOB_KEYS 5
+static const u8 keyblob_keyseeds[NUM_KEYBLOB_KEYS][0x10] = {
+    { 0xDF, 0x20, 0x6F, 0x59, 0x44, 0x54, 0xEF, 0xDC, 0x70, 0x74, 0x48, 0x3B, 0x0D, 0xED, 0x9F, 0xD3 }, //1.0.0
+    { 0x0C, 0x25, 0x61, 0x5D, 0x68, 0x4C, 0xEB, 0x42, 0x1C, 0x23, 0x79, 0xEA, 0x82, 0x25, 0x12, 0xAC }, //3.0.0
+    { 0x33, 0x76, 0x85, 0xEE, 0x88, 0x4A, 0xAE, 0x0A, 0xC2, 0x8A, 0xFD, 0x7D, 0x63, 0xC0, 0x43, 0x3B }, //3.0.1
+    { 0x2D, 0x1F, 0x48, 0x80, 0xED, 0xEC, 0xED, 0x3E, 0x3C, 0xF2, 0x48, 0xB5, 0x65, 0x7D, 0xF7, 0xBE }, //4.0.0
+    { 0xBB, 0x5A, 0x01, 0xF9, 0x88, 0xAF, 0xF5, 0xFC, 0x6C, 0xFF, 0x07, 0x9E, 0x13, 0x3C, 0x39, 0x80 }  //5.0.0
+};
+
+static const u8 cmac_keyseed[0x10] = { 0x59, 0xC7, 0xFB, 0x6F, 0xBE, 0x9B, 0xBE, 0x87, 0x65, 0x6B, 0x15, 0xC0, 0x53, 0x73, 0x36, 0xA5 };
+static const u8 master_keyseed_retail[0x10] = { 0xD8, 0xA2, 0x41, 0x0A, 0xC6, 0xC5, 0x90, 0x01, 0xC6, 0x1D, 0x6A, 0x26, 0x7C, 0x51, 0x3F, 0x3C };
+static const u8 console_keyseed[0x10] = { 0x4F, 0x02, 0x5F, 0x0E, 0xB6, 0x6D, 0x11, 0x0E, 0xDC, 0x32, 0x7D, 0x41, 0x86, 0xC2, 0xF4, 0x78 };
+static const u8 key8_keyseed[] = { 0xFB, 0x8B, 0x6A, 0x9C, 0x79, 0x00, 0xC8, 0x49, 0xEF, 0xD2, 0x4D, 0x85, 0x4D, 0x30, 0xA0, 0xC7 };
+static const u8 master_keyseed_4xx[0x10] = { 0x2D, 0xC1, 0xF4, 0x8D, 0xF3, 0x5B, 0x69, 0x33, 0x42, 0x10, 0xAC, 0x65, 0xDA, 0x90, 0x46, 0x66 };
+static const u8 console_keyseed_4xx[0x10] = { 0x0C, 0x91, 0x09, 0xDB, 0x93, 0x93, 0x07, 0x81, 0x07, 0x3C, 0xC4, 0x16, 0x22, 0x7C, 0x6C, 0x28 };
+
+void firmware();
\ No newline at end of file
diff --git a/src/fs.c b/src/fs.c
index 9abacf9..24f588d 100644
--- a/src/fs.c
+++ b/src/fs.c
@@ -1,5 +1,4 @@
 /*
-* Copyright (c) 2018 naehrwert
 * Copyright (c) 2018 Reisyukaku
 *
 * This program is free software; you can redistribute it and/or modify it
diff --git a/src/fs.h b/src/fs.h
index d3f9681..8b4f394 100644
--- a/src/fs.h
+++ b/src/fs.h
@@ -1,3 +1,19 @@
+/*
+* Copyright (c) 2018 Reisyukaku
+*
+* This program is free software; you can redistribute it and/or modify it
+* under the terms and conditions of the GNU General Public License,
+* version 2, as published by the Free Software Foundation.
+*
+* This program is distributed in the hope it will be useful, but WITHOUT
+* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+* FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+* more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
 #pragma once
 
 u32 sd_mount();
diff --git a/src/hwinit.h b/src/hwinit.h
index f30cf30..ce641ca 100644
--- a/src/hwinit.h
+++ b/src/hwinit.h
@@ -41,20 +41,4 @@
 #include "hwinit/nx_emmc.h"
 #include "hwinit/se.h"
 #include "hwinit/se_t210.h"
-#include "hwinit/mmc.h"
-
-#define NUM_KEYBLOB_KEYS 5
-static const u8 keyblob_keyseeds[NUM_KEYBLOB_KEYS][0x10] = {
-    { 0xDF, 0x20, 0x6F, 0x59, 0x44, 0x54, 0xEF, 0xDC, 0x70, 0x74, 0x48, 0x3B, 0x0D, 0xED, 0x9F, 0xD3 }, //1.0.0
-    { 0x0C, 0x25, 0x61, 0x5D, 0x68, 0x4C, 0xEB, 0x42, 0x1C, 0x23, 0x79, 0xEA, 0x82, 0x25, 0x12, 0xAC }, //3.0.0
-    { 0x33, 0x76, 0x85, 0xEE, 0x88, 0x4A, 0xAE, 0x0A, 0xC2, 0x8A, 0xFD, 0x7D, 0x63, 0xC0, 0x43, 0x3B }, //3.0.1
-    { 0x2D, 0x1F, 0x48, 0x80, 0xED, 0xEC, 0xED, 0x3E, 0x3C, 0xF2, 0x48, 0xB5, 0x65, 0x7D, 0xF7, 0xBE }, //4.0.0
-    { 0xBB, 0x5A, 0x01, 0xF9, 0x88, 0xAF, 0xF5, 0xFC, 0x6C, 0xFF, 0x07, 0x9E, 0x13, 0x3C, 0x39, 0x80 }  //5.0.0
-};
-
-static const u8 cmac_keyseed[0x10] = { 0x59, 0xC7, 0xFB, 0x6F, 0xBE, 0x9B, 0xBE, 0x87, 0x65, 0x6B, 0x15, 0xC0, 0x53, 0x73, 0x36, 0xA5 };
-static const u8 master_keyseed_retail[0x10] = { 0xD8, 0xA2, 0x41, 0x0A, 0xC6, 0xC5, 0x90, 0x01, 0xC6, 0x1D, 0x6A, 0x26, 0x7C, 0x51, 0x3F, 0x3C };
-static const u8 console_keyseed[0x10] = { 0x4F, 0x02, 0x5F, 0x0E, 0xB6, 0x6D, 0x11, 0x0E, 0xDC, 0x32, 0x7D, 0x41, 0x86, 0xC2, 0xF4, 0x78 };
-static const u8 key8_keyseed[] = { 0xFB, 0x8B, 0x6A, 0x9C, 0x79, 0x00, 0xC8, 0x49, 0xEF, 0xD2, 0x4D, 0x85, 0x4D, 0x30, 0xA0, 0xC7 };
-static const u8 master_keyseed_4xx[0x10] = { 0x2D, 0xC1, 0xF4, 0x8D, 0xF3, 0x5B, 0x69, 0x33, 0x42, 0x10, 0xAC, 0x65, 0xDA, 0x90, 0x46, 0x66 };
-static const u8 console_keyseed_4xx[0x10] = { 0x0C, 0x91, 0x09, 0xDB, 0x93, 0x93, 0x07, 0x81, 0x07, 0x3C, 0xC4, 0x16, 0x22, 0x7C, 0x6C, 0x28 };
\ No newline at end of file
+#include "hwinit/mmc.h"
\ No newline at end of file
diff --git a/src/package.h b/src/package.h
index 211f3e3..22a4ca9 100644
--- a/src/package.h
+++ b/src/package.h
@@ -1,3 +1,19 @@
+/*
+* Copyright (c) 2018 naehrwert, CTCaer, Reisyukaku
+*
+* This program is free software; you can redistribute it and/or modify it
+* under the terms and conditions of the GNU General Public License,
+* version 2, as published by the Free Software Foundation.
+*
+* This program is distributed in the hope it will be useful, but WITHOUT
+* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+* FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+* more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
 #pragma once
 #include "hwinit.h"
 #include "hwinit/arm64.h"

From d4703254b40eeb5f0be23cdf1db544683eef856c Mon Sep 17 00:00:00 2001
From: Rei <asterma@yahoo.com>
Date: Fri, 10 Aug 2018 19:41:33 -0400
Subject: [PATCH 08/35] update sysmods

---
 NX_Sysmodules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/NX_Sysmodules b/NX_Sysmodules
index cbdf1f2..503a419 160000
--- a/NX_Sysmodules
+++ b/NX_Sysmodules
@@ -1 +1 @@
-Subproject commit cbdf1f263166aa54235dc46abbc2d3cb270b4a07
+Subproject commit 503a419f68e984af07670d0fac0af8c8a15d2d9c

From d334a38ab4061be4324c5aeaa1bcebf68b099fd3 Mon Sep 17 00:00:00 2001
From: Rasmus Moorats <me@neonsea.uk>
Date: Tue, 14 Aug 2018 14:21:12 +0300
Subject: [PATCH 09/35] Fix hang when SD card fails to init

---
 src/firmware.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/firmware.c b/src/firmware.c
index 4ff48cc..dd9864b 100644
--- a/src/firmware.c
+++ b/src/firmware.c
@@ -400,7 +400,9 @@ void firmware() {
 
     if (!sd_mount()) {
         error("Failed to init SD card!\n");
-        return;
+        print("Press any key to power off\n");
+        btn_wait();
+        i2c_send_byte(I2C_5, 0x3C, MAX77620_REG_ONOFFCNFG1, MAX77620_ONOFFCNFG1_PWR_OFF);
     }
 
     print("Welcome to ReiNX %s!\n", VERSION);

From 611ef44fad273a4d0e75cb4841622954804218df Mon Sep 17 00:00:00 2001
From: Rasmus Moorats <me@neonsea.uk>
Date: Tue, 14 Aug 2018 16:30:21 +0300
Subject: [PATCH 10/35] Added choice to instantly retry SD init or power off

Furthermore, fix invalid usage of strcat() in error.c
---
 src/error.c    | 2 +-
 src/firmware.c | 7 ++++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/error.c b/src/error.c
index 6debbe8..669bab4 100644
--- a/src/error.c
+++ b/src/error.c
@@ -31,6 +31,6 @@ void panic() {
 
 void error(char *errStr) {
     gfx_con_setcol(&gfx_con, RED, 0, 0);
-    print(strcat("Error: ", errStr));
+    print("Error: %s", errStr);
     gfx_con_setcol(&gfx_con, ORANGE, 0, 0);
 }
\ No newline at end of file
diff --git a/src/firmware.c b/src/firmware.c
index dd9864b..109e4ff 100644
--- a/src/firmware.c
+++ b/src/firmware.c
@@ -398,11 +398,12 @@ void firmware() {
     gfx_con_init(&gfx_con, &gfx_ctxt);
     gfx_con_setcol(&gfx_con, ORANGE, 0, 0);
 
-    if (!sd_mount()) {
+    while (!sd_mount()) {
         error("Failed to init SD card!\n");
-        print("Press any key to power off\n");
+        print("Press POWER to power off, any other key to retry\n");
+        if (btn_wait() & BTN_POWER)
+            i2c_send_byte(I2C_5, 0x3C, MAX77620_REG_ONOFFCNFG1, MAX77620_ONOFFCNFG1_PWR_OFF);
         btn_wait();
-        i2c_send_byte(I2C_5, 0x3C, MAX77620_REG_ONOFFCNFG1, MAX77620_ONOFFCNFG1_PWR_OFF);
     }
 
     print("Welcome to ReiNX %s!\n", VERSION);

From c05a5f196e36307f298a9e81795eb4457e301d5b Mon Sep 17 00:00:00 2001
From: elephantp <elephantp@elephantp.blog>
Date: Wed, 15 Aug 2018 14:09:42 +0800
Subject: [PATCH 11/35] rewrite docker script

fix
---
 Dockerfile      | 13 +++++++++----
 README.md       | 10 +++++-----
 docker-build.sh | 31 ++++++++++++++++++-------------
 3 files changed, 32 insertions(+), 22 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 1304e77..19c003b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,11 @@
-FROM devkitpro/devkitarm:latest
-MAINTAINER jski "jski185@gmail.com"
+FROM devkitpro/devkita64
+MAINTAINER elelphatp "elephantp@elephantp.blog"
 
-ADD . /
+RUN dkp-pacman -Syyu --noconfirm devkitARM && \
+    dkp-pacman -Scc --noconfirm
 
-ENTRYPOINT ["make"]
\ No newline at end of file
+ENV DEVKITARM=${DEVKITPRO}/devkitARM
+
+WORKDIR /developer
+
+ENTRYPOINT ["make"]
diff --git a/README.md b/README.md
index f51ecc6..9ec7326 100644
--- a/README.md
+++ b/README.md
@@ -11,7 +11,7 @@ Put `ReiNX` folder on the root of your switch's SD card and run `ReiNX.bin` with
 
 You'll need devkitpro with devkitARM and run `make`
 
-To compile with Docker, `chmod +x docker-build.sh` and run the shell script `./docker-build.sh`. This will compile without requiring installation of DevKit* dependencies.
+To compile with Docker, `chmod +x docker-build.sh` and run the shell script `./docker-build.sh`. After that, just check `out` dir. This will compile without requiring installation of DevKit* dependencies.
 
 
 **Features:**
@@ -29,11 +29,11 @@ To compile with Docker, `chmod +x docker-build.sh` and run the shell script `./d
 [HERE](https://gbatemp.net/threads/official-reinx-thread.512203/)
 
 **Credits:**
- 
+
  Naehrwert for hardware init code and generally being helpful!
- 
+
  CTCaer and st4rk for their contribution to the hardware code aswell!
- 
+
  SciresM for sysmodules!
- 
+
  The community for your support!
diff --git a/docker-build.sh b/docker-build.sh
index baeb3c6..0695d86 100755
--- a/docker-build.sh
+++ b/docker-build.sh
@@ -1,16 +1,21 @@
 #!/usr/bin/env bash
-ECHO ""
-ECHO "Emptying out /build and /out folders..."
-ECHO ""
-rm -rf ./build
-rm -rf ./out
+echo "Checking reinx-builder image..."
 
-ECHO ""
-ECHO "Building docker image locally..."
-ECHO ""
-docker build . -t reinx-builder:latest
+IMAGE=`docker image ls|grep reinx-builder -c`
+if [[ "$IMAGE" == 1 ]]; then
+  echo "Reinx-builder image is exist"
+else
+  echo ""
+  echo "Building docker image locally..."
+  echo ""
+  docker build . -t reinx-builder
+fi
 
-ECHO ""
-ECHO "Running image and generating build..."
-ECHO ""
-docker run -v $(pwd)/build:/build -v $(pwd)/out:/out reinx-builder:latest
\ No newline at end of file
+echo "Checking container...."
+CONTAINER=`docker ps -a|grep reinx-builder -c`
+echo "Building..."
+if [[ "$CONTAINER" == 1 ]]; then
+  docker start -a reinx-builder
+else
+  docker run -a stdout -a stderr --name reinx-builder -v $(pwd):/developer reinx-builder
+fi

From ab5803c3cd88ba5006e54f89d7fe2a361c5aa385 Mon Sep 17 00:00:00 2001
From: Rei <asterma@yahoo.com>
Date: Thu, 16 Aug 2018 23:07:14 -0400
Subject: [PATCH 12/35] cleaned up linker; update sysmod [anti-telemetry]

---
 NX_Sysmodules |  2 +-
 src/reloc.s   | 34 ----------------------------------
 src/start.s   | 33 ++++++++++++---------------------
 3 files changed, 13 insertions(+), 56 deletions(-)
 delete mode 100644 src/reloc.s

diff --git a/NX_Sysmodules b/NX_Sysmodules
index 503a419..480f55a 160000
--- a/NX_Sysmodules
+++ b/NX_Sysmodules
@@ -1 +1 @@
-Subproject commit 503a419f68e984af07670d0fac0af8c8a15d2d9c
+Subproject commit 480f55a76df942587813b78f9faa969cde74515a
diff --git a/src/reloc.s b/src/reloc.s
deleted file mode 100644
index d89a414..0000000
--- a/src/reloc.s
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
-* Copyright (c) 2018 naehrwert
-*
-* This program is free software; you can redistribute it and/or modify it
-* under the terms and conditions of the GNU General Public License,
-* version 2, as published by the Free Software Foundation.
-*
-* This program is distributed in the hope it will be useful, but WITHOUT
-* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-* FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
-* more details.
-*
-* You should have received a copy of the GNU General Public License
-* along with this program.  If not, see <http://www.gnu.org/licenses/>.
-*/
-
-/*
-* TODO: the placement of the relocator is a bit fragile atm, maybe we 
-*       should include it in start.S and copy it to some known good 
-*       place in IRAM instead. Basically we want it as far back atm 
-*       as it might be overwritten during relocation.
-*/
-
-.section .text.reloc
-.arm
-
-.globl _reloc_ipl
-.type _reloc_ipl, %function
-_reloc_ipl:
-	LDMIA R0!, {R4-R7}
-	STMIA R1!, {R4-R7}
-	SUBS R2, #0x10
-	BNE _reloc_ipl
-	BX R3
diff --git a/src/start.s b/src/start.s
index 006f818..f04811a 100644
--- a/src/start.s
+++ b/src/start.s
@@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2018 naehrwert
+* Copyright (c) 2018 naehrwert, Reisyukaku
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms and conditions of the GNU General Public License,
@@ -17,14 +17,20 @@
 .section .text.start
 .arm
 
-.extern _reloc_ipl
-.type _reloc_ipl, %function
-
 .extern memset
 .type memset, %function
 
-.extern ipl_main
-.type ipl_main, %function
+.extern heap_init
+.type heap_init, %function
+
+.extern bootrom
+.type bootrom, %function
+
+.extern bootloader
+.type bootloader, %function
+
+.extern firmware
+.type firmware, %function
 
 .globl _start
 .type _start, %function
@@ -73,18 +79,3 @@ _real_start:
 	BL bootloader
 	BL firmware
 	B .
-
-.globl rebootRCM
-.type rebootRCM, %function
-rebootRCM:
-	MOVS    R3, #2
-	LDR     R2, =0x7000E450
-	LDR     R1, [R2]
-	ORRS    R3, R1
-	STR     R3, [R2]
-	MOVS    R3, #0x10
-	LDR     R2, =0x7000E400
-	LDR     R1, [R2]
-	ORRS    R3, R1
-	MOVS    R0, #0
-	STR     R3, [R2]

From 0a3f3054439ab1053e93ee89b7ee822c8294ab60 Mon Sep 17 00:00:00 2001
From: Rei <asterma@yahoo.com>
Date: Sat, 25 Aug 2018 19:32:21 -0400
Subject: [PATCH 13/35] fs_mitm not in by default

---
 Makefile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/Makefile b/Makefile
index c2282d7..705882c 100644
--- a/Makefile
+++ b/Makefile
@@ -53,7 +53,6 @@ $(dir_out)/$(name).bin: $(dir_build)/$(name).elf
 	@mkdir -p "$(dir_out)/ReiNX/patches"
 	@cp $(dir_sysmod)/loader/loader.kip $(dir_out)/ReiNX/sysmodules/
 	@cp $(dir_sysmod)/sm/sm.kip $(dir_out)/ReiNX/sysmodules/
-	@cp $(dir_sysmod)/fs_mitm/fs_mitm.kip $(dir_out)/ReiNX/sysmodules/
 	@cp -R $(dir_data)/*.bin $(dir_out)/ReiNX/
 	@cp -R $(dir_data)/*.rxp $(dir_out)/ReiNX/patches
 	$(OBJCOPY) -S -O binary $< $@

From 1cf800308e672fd4894e37a12d9cc82976028412 Mon Sep 17 00:00:00 2001
From: Rei <asterma@yahoo.com>
Date: Tue, 28 Aug 2018 22:22:11 -0400
Subject: [PATCH 14/35] added self chainloading

---
 src/bootrom.c  |  2 +-
 src/firmware.c | 15 +++++++++++++--
 src/firmware.h |  2 ++
 src/fs.c       |  9 ++++++++-
 src/fs.h       |  3 ++-
 5 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/src/bootrom.c b/src/bootrom.c
index 7f6b760..7e6b109 100644
--- a/src/bootrom.c
+++ b/src/bootrom.c
@@ -36,5 +36,5 @@ void bootrom(void) {
     // Clear the boot reason to avoid problems later
     PMC(APBDEV_PMC_SCRATCH200) = 0x0;
     PMC(APBDEV_PMC_RST_STATUS_0) = 0x0;
-    PMC(APBDEV_PMC_SCRATCH49_0) = 0x0;
+    //PMC(APBDEV_PMC_SCRATCH49_0) = 0x0;
 }
\ No newline at end of file
diff --git a/src/firmware.c b/src/firmware.c
index 109e4ff..6c46115 100644
--- a/src/firmware.c
+++ b/src/firmware.c
@@ -398,14 +398,25 @@ void firmware() {
     gfx_con_init(&gfx_con, &gfx_ctxt);
     gfx_con_setcol(&gfx_con, ORANGE, 0, 0);
 
-    while (!sd_mount()) {
+    while (!sdMount()) {
         error("Failed to init SD card!\n");
         print("Press POWER to power off, any other key to retry\n");
         if (btn_wait() & BTN_POWER)
             i2c_send_byte(I2C_5, 0x3C, MAX77620_REG_ONOFFCNFG1, MAX77620_ONOFFCNFG1_PWR_OFF);
         btn_wait();
     }
-
+    
+    if(PMC(APBDEV_PMC_SCRATCH49_0) != 69 && fopen("/ReiNX.bin", "rb")) {
+        fread((void*)PAYLOAD_ADDR, fsize(), 1);
+        fclose();
+        sdUnmount();
+        display_end();
+        CLOCK(CLK_RST_CONTROLLER_CLK_OUT_ENB_V) |= 0x400; // Enable AHUB clock.
+        CLOCK(CLK_RST_CONTROLLER_CLK_OUT_ENB_Y) |= 0x40;  // Enable APE clock.
+        PMC(APBDEV_PMC_SCRATCH49_0) = 69;
+        ((void (*)())PAYLOAD_ADDR)();
+    }
+    
     print("Welcome to ReiNX %s!\n", VERSION);
     loadFirm();
     drawSplash();
diff --git a/src/firmware.h b/src/firmware.h
index a40e0fd..525e142 100644
--- a/src/firmware.h
+++ b/src/firmware.h
@@ -26,6 +26,8 @@
 #define BOOT_PKG2_LOADED_4X 3
 #define BOOT_DONE_4X 4
 
+#define PAYLOAD_ADDR 0xCFF00000
+
 //Instructions
 #define NOP 0xD503201F
 #define ADRP(r, o) 0x90000000 | ((((o) >> 12) & 0x3) << 29) | ((((o) >> 12) & 0x1FFFFC) << 3) | ((r) & 0x1F)
diff --git a/src/fs.c b/src/fs.c
index 24f588d..3e762c3 100644
--- a/src/fs.c
+++ b/src/fs.c
@@ -28,7 +28,7 @@ FATFS sd_fs;
 int sd_mounted;
 FIL fp;
 
-u32 sd_mount() {
+u32 sdMount() {
     if (sd_mounted) return 1;
 
     if (sdmmc_storage_init_sd(&sd_storage, &sd_sdmmc, SDMMC_1, SDMMC_BUS_WIDTH_4, 11) && f_mount(&sd_fs, "", 1) == FR_OK) {
@@ -39,6 +39,13 @@ u32 sd_mount() {
     return 0;
 }
 
+void sdUnmount() {
+    f_mount(NULL, "", 1);
+    sdmmc_storage_end(&sd_storage);
+    sd_mounted = 0;
+
+}
+
 u32 fopen(const char *path, const char *mode) {
     u32 m = (mode[0] == 0x77 ? (FA_WRITE|FA_CREATE_NEW) : FA_READ);
     if (f_open(&fp, path, m) != FR_OK) 
diff --git a/src/fs.h b/src/fs.h
index 8b4f394..9135c76 100644
--- a/src/fs.h
+++ b/src/fs.h
@@ -16,7 +16,8 @@
 
 #pragma once
 
-u32 sd_mount();
+u32 sdMount();
+void sdUnmount();
 u32 fopen(const char *path, const char *mode);
 u32 fread(void *buf, size_t size, size_t ntimes);
 u32 fwrite(void *buf, size_t size, size_t ntimes);

From cab780de8adcd9151b4d3f952b06cc4a6a795b4e Mon Sep 17 00:00:00 2001
From: br4z0rf <br4z0rf>
Date: Sun, 2 Sep 2018 04:30:39 +0200
Subject: [PATCH 15/35] add ES patches for 6.0.0.

---
 data/es_patch.rxp | Bin 208 -> 228 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/data/es_patch.rxp b/data/es_patch.rxp
index 4e23aaba4d974b3fb6129e7842315a7e3b05a7a6..76e540a383f58aa1d76f461bcc1aaf54539997d4 100644
GIT binary patch
delta 41
rcmcb>_=J%sC?dd^0Sp*9Ch{B+;ox9oIKaqYB0quAkdJ{u1VjS>t)mB6

delta 20
YcmaFDc!7~8C?dd^0Sp+~C-NKt05mEDSpWb4


From 017e620dc6d317e550f0da38728249b63aa6dda3 Mon Sep 17 00:00:00 2001
From: Rei <asterma@yahoo.com>
Date: Sun, 2 Sep 2018 02:20:16 -0400
Subject: [PATCH 16/35] massive refactor; partial 6.0 support

---
 Makefile              |   3 +-
 link.ld               |   6 +-
 src/bootloader.c      |  26 +++++++-
 src/bootrom.c         |   1 -
 src/error.c           |   2 +-
 src/error.h           |   1 -
 src/firmware.c        | 115 +++++++++++++----------------------
 src/firmware.h        |  11 ++--
 src/fs.c              |   3 +-
 src/fuse.c            |  47 ---------------
 src/fuse.h            |  21 -------
 src/hwinit.h          |   5 +-
 src/hwinit/pmc.h      |   2 +-
 src/hwinit/types.h    |   1 +
 src/hwinit/util.c     |  13 ++++
 src/hwinit/util.h     |   1 +
 src/kippatches.c      | 112 ----------------------------------
 src/kippatches.h      |  31 ----------
 src/kippatches/fs.inc |  61 +++++++++++++++++++
 src/package.c         | 136 +++++++++++++++++++++++++++++++++++++++++-
 src/package.h         |  60 +++++++++++++++++++
 src/start.s           |  12 ++--
 22 files changed, 358 insertions(+), 312 deletions(-)
 delete mode 100644 src/fuse.c
 delete mode 100644 src/fuse.h
 delete mode 100644 src/kippatches.c
 delete mode 100644 src/kippatches.h

diff --git a/Makefile b/Makefile
index 705882c..853f98c 100644
--- a/Makefile
+++ b/Makefile
@@ -9,6 +9,7 @@ LD = $(DEVKITARM)/bin/arm-none-eabi-ld
 OBJCOPY = $(DEVKITARM)/bin/arm-none-eabi-objcopy
 
 name := ReiNX
+ver  := 1.6
 
 dir_source := src
 dir_data := data
@@ -17,7 +18,7 @@ dir_out := out
 dir_sysmod := NX_Sysmodules
 
 ARCH := -march=armv4t -mtune=arm7tdmi -mthumb -mthumb-interwork
-CFLAGS = $(ARCH) -Os -nostdlib -ffunction-sections -fdata-sections -fomit-frame-pointer -fno-inline -fno-builtin -std=gnu11# -Wall
+CFLAGS = $(ARCH) -DVERSION='"$(ver)"' -Os -nostdlib -ffunction-sections -fdata-sections -fomit-frame-pointer -fno-inline -fno-builtin -std=gnu11# -Wall
 LDFLAGS = $(ARCH) -nostartfiles -lgcc -Wl,--nmagic,--gc-sections
 
 objects =	$(patsubst $(dir_source)/%.s, $(dir_build)/%.o, \
diff --git a/link.ld b/link.ld
index 10f17ee..e49cdc7 100644
--- a/link.ld
+++ b/link.ld
@@ -2,8 +2,8 @@ ENTRY(_start)
 
 SECTIONS 
 {
-	PROVIDE(__ipl_start = 0x40003000);
-	. = __ipl_start;
+	PROVIDE(payload_start = 0x40003000);
+	. = payload_start;
 	.text.start : 
 	{ 
 		*(.text.start)
@@ -18,7 +18,7 @@ SECTIONS
 		*(.rodata*);
 	}
 	. = ALIGN(0x10);
-	__ipl_end = .;
+	payload_end = .;
 	.bss : 
 	{
 		__bss_start = .;
diff --git a/src/bootloader.c b/src/bootloader.c
index 8afa02e..afb8ad8 100644
--- a/src/bootloader.c
+++ b/src/bootloader.c
@@ -15,7 +15,6 @@
 */
 
 #include "hwinit.h"
-#include "fuse.h"
 #include "error.h"
 #include "bootloader.h"
 
@@ -24,6 +23,31 @@ void check_sku() {
         panic();
 }
 
+u32 get_unknown_config() {
+    u32 res = 0;
+    u32 deviceInfo = FUSE(FUSE_RESERVED_ODMX(4));
+    u32 config = ((deviceInfo & 4u) >> 2) | 2 * ((deviceInfo & 0x100u) >> 8);
+    
+    if(config == 1)
+        return 0;
+    if(config == 2)
+        return 1;
+    if(config || (res = FUSE(FUSE_SPARE_BIT_5)) != 0)
+        res = 3;
+    return res;
+}
+
+u32 get_unit_type() {
+    u32 deviceInfo = FUSE(FUSE_RESERVED_ODMX(4));
+    u32 deviceType = deviceInfo & 3 | 4 * ((deviceInfo & 0x200u) >> 9);
+    
+    if(deviceType == 3)
+        return 0;
+    if(deviceType == 4)
+        return 1;
+    return 2;
+}
+
 void check_config_fuses() {
     u32 config = get_unknown_config();
     u32 unitType = get_unit_type();
diff --git a/src/bootrom.c b/src/bootrom.c
index 7e6b109..01d4c07 100644
--- a/src/bootrom.c
+++ b/src/bootrom.c
@@ -36,5 +36,4 @@ void bootrom(void) {
     // Clear the boot reason to avoid problems later
     PMC(APBDEV_PMC_SCRATCH200) = 0x0;
     PMC(APBDEV_PMC_RST_STATUS_0) = 0x0;
-    //PMC(APBDEV_PMC_SCRATCH49_0) = 0x0;
 }
\ No newline at end of file
diff --git a/src/error.c b/src/error.c
index 669bab4..6dcd62b 100644
--- a/src/error.c
+++ b/src/error.c
@@ -32,5 +32,5 @@ void panic() {
 void error(char *errStr) {
     gfx_con_setcol(&gfx_con, RED, 0, 0);
     print("Error: %s", errStr);
-    gfx_con_setcol(&gfx_con, ORANGE, 0, 0);
+    gfx_con_setcol(&gfx_con, DEFAULT_TEXT_COL, 0, 0);
 }
\ No newline at end of file
diff --git a/src/error.h b/src/error.h
index 63fabe5..297d55d 100644
--- a/src/error.h
+++ b/src/error.h
@@ -17,7 +17,6 @@
 #pragma once
 
 #include "hwinit/types.h"
-#include "hwinit/gfx.h"
 
 void panic();
 void error(char *errStr);
\ No newline at end of file
diff --git a/src/firmware.c b/src/firmware.c
index 6c46115..0bb3acc 100644
--- a/src/firmware.c
+++ b/src/firmware.c
@@ -17,31 +17,13 @@
 #include <string.h>
 #include <stddef.h>
 #include "hwinit.h"
-#include "hwinit/gfx.h"
 #include "fs.h"
-#include "fuse.h"
 #include "package.h"
 #include "error.h"
 #include "firmware.h"
-#include "kippatches.h"
-
-#define VERSION "v1.0"
 
 static pk11_offs *pk11Offs = NULL;
 
-static void SE_lock() {
-    for (u32 i = 0; i < 16; i++)
-        se_key_acc_ctrl(i, 0x15);
-
-    for (u32 i = 0; i < 2; i++)
-        se_rsa_acc_ctrl(i, 1);
-
-    SE(0x4) = 0; // Make this reg secure only.
-    SE(SE_KEY_TABLE_ACCESS_LOCK_OFFSET) = 0; // Make all key access regs secure only.
-    SE(SE_RSA_KEYTABLE_ACCESS_LOCK_OFFSET) = 0; // Make all rsa access regs secure only.
-    SE(SE_SECURITY_0) &= 0xFFFFFFFB; // Make access lock regs secure only.
-}
-
 void drawSplash() {
     // Draw splashscreen to framebuffer.
     if(fopen("/ReiNX/splash.bin", "rb") != 0) {
@@ -68,7 +50,6 @@ void patch(pk11_offs *pk11, pkg2_hdr_t *pkg2, link_t *kips) {
         uPtr *sha2_ptr = NULL;
         switch(pk11->kb) {
             case KB_FIRMWARE_VERSION_100_200: {
-                //u8 rlcPattern[] = {0xE0, 0xFF, 0x1D, 0xF0, 0x00, 0x00, 0x00, 0x91}; //TODO: relocator patch for 1.0.0
                 u8 verPattern[] = {0x19, 0x00, 0x36, 0xE0, 0x03, 0x08, 0x91};
                 u8 hdrSigPattern[] = {0xFF, 0x97, 0xC0, 0x00, 0x00, 0x34, 0xA1, 0xFF, 0xFF};
                 u8 sha2Pattern[] = {0xE0, 0x03, 0x08, 0x91, 0xE1, 0x03, 0x13, 0xAA};
@@ -103,7 +84,7 @@ void patch(pk11_offs *pk11, pkg2_hdr_t *pkg2, link_t *kips) {
                 sha2_ptr = (uPtr*)memsearch((void *)pk11->secmon_base, 0x10000, sha2Pattern, sizeof(sha2Pattern));
                 break;
             }
-            default: {
+            case KB_FIRMWARE_VERSION_500: {
                 u8 verPattern[] = {0x00, 0x01, 0x00, 0x36, 0xFD, 0x7B, 0x41, 0xA9};
                 u8 hdrSigPattern[] = {0x86, 0xFE, 0xFF, 0x97, 0x80, 0x00, 0x00, 0x36};
                 u8 sha2Pattern[] = {0xF2, 0xFB, 0xFF, 0x97, 0xE0, 0x03};
@@ -111,13 +92,22 @@ void patch(pk11_offs *pk11, pkg2_hdr_t *pkg2, link_t *kips) {
                 ver_ptr = (uPtr*)memsearch((void *)pk11->secmon_base, 0x10000, verPattern, sizeof(verPattern));
                 pk21_ptr = (uPtr*)((u32)ver_ptr - 0xC);
                 hdrsig_ptr = (uPtr*)(memsearch((void *)pk11->secmon_base, 0x10000, hdrSigPattern, sizeof(hdrSigPattern)) + 0x4);
-                sha2_ptr = (uPtr*)memsearch((void *)pk11->secmon_base, 0x10000, sha2Pattern, sizeof(sha2Pattern));
+                sha2_ptr = (uPtr*)(memsearch((void *)pk11->secmon_base, 0x10000, sha2Pattern, sizeof(sha2Pattern)));
+                break;
+            }
+            default: {
+                u8 verPattern[] = {0x00, 0x01, 0x00, 0x36, 0xFD, 0x7B, 0x41, 0xA9};
+                u8 hdrSigPattern[] = { 0x9A, 0xFF, 0xFF, 0x97, 0x80, 0x00, 0x00, 0x36};
+                u8 sha2Pattern[] = {0x81, 0x00, 0x80, 0x72, 0xB5, 0xFB, 0xFF, 0x97};
+
+                ver_ptr = (uPtr*)memsearch((void *)pk11->secmon_base, 0x10000, verPattern, sizeof(verPattern));
+                pk21_ptr = (uPtr*)((u32)ver_ptr - 0xC);
+                hdrsig_ptr = (uPtr*)(memsearch((void *)pk11->secmon_base, 0x10000, hdrSigPattern, sizeof(hdrSigPattern)) + 0x4);
+                sha2_ptr = (uPtr*)(memsearch((void *)pk11->secmon_base, 0x10000, sha2Pattern, sizeof(sha2Pattern)) + 0x4);
                 break;
             }
         }
-        /*if (pre2x) { //TODO: relocator patch for 1.0.0
-            *rlc_ptr = ADRP(0, 0x3BFE8020);
-        };*/
+        
         if (pk11->kb != KB_FIRMWARE_VERSION_100_200) {
             *pk21_ptr = NOP;
         };
@@ -147,15 +137,7 @@ void patch(pk11_offs *pk11, pkg2_hdr_t *pkg2, link_t *kips) {
     }
 
     u8 kipHash[0x20];
-    char *patchFilter[] = { "nosigchk", "nocmac", "nogc", NULL };
-
-    // enable nogc if there's a file called "nogc" in /ReiNX/ 
-    //(I expect the 1% of people this effects can read the guide)
-    if (!fopen("/ReiNX/nogc", "rb")) {
-        patchFilter[2] = NULL;
-        fclose();
-    }
-
+    
     //Patch FS module (truly not my proudest code TODO cleanup)
     LIST_FOREACH_ENTRY(pkg2_kip1_info_t, ki, kips, link) {        
         //Patch FS
@@ -180,12 +162,8 @@ void patch(pk11_offs *pk11, pkg2_hdr_t *pkg2, link_t *kips) {
                     if (!pset) {
                       print("  could not find patchset with matching hash\n");
                     } else {
-                      int res = kippatch_apply_set(kipDecompText, moddedKip->sections[i].size_decomp, pset, patchFilter);
-                      if (res) {
-                          gfx_con_setcol(&gfx_con, RED, 0, 0);
-                          print("Error: kippatch_apply_set() returned %d\n", res);
-                          gfx_con_setcol(&gfx_con, ORANGE, 0, 0);
-                      }
+                      int res = kippatch_apply_set(kipDecompText, moddedKip->sections[i].size_decomp, pset);
+                      if (res) error("kippatch_apply_set() failed\n");
                     }
 
                     moddedKip->flags &= ~1;
@@ -255,6 +233,7 @@ int keygen(u8 *keyblob, u32 fwVer, void *tsec_fw) {
         break;
 
         case KB_FIRMWARE_VERSION_500:
+        case KB_FIRMWARE_VERSION_600:
         default:
             se_aes_unwrap_key(0x0A, 0x0F, console_keyseed_4xx);
             se_aes_unwrap_key(0x0F, 0x0F, console_keyseed);
@@ -271,15 +250,13 @@ int keygen(u8 *keyblob, u32 fwVer, void *tsec_fw) {
 u8 loadFirm() {
     sdmmc_storage_t storage;
     sdmmc_t sdmmc;
-    u32 ret = 0;
 
+    //Init nand
     sdmmc_storage_init_mmc(&storage, &sdmmc, SDMMC_4, SDMMC_BUS_WIDTH_8, 4);
     sdmmc_storage_set_mmc_partition(&storage, 1);
 
     // Read package1.
-    print("Reading Package1...\n");
-    u8 *package1 = (u8 *)malloc(0x40000);
-    sdmmc_storage_read(&storage, 0x100000 / NX_EMMC_BLOCKSIZE, 0x40000 / NX_EMMC_BLOCKSIZE, package1);
+    u8 *package1 = ReadPackage1(&storage);
 
     // Setup firmware specific data.
     pk11Offs = pkg11_offsentify(package1);
@@ -297,33 +274,8 @@ u8 loadFirm() {
     PMC(APBDEV_PMC_SCRATCH1) = pk11Offs->warmboot_base;
     free(package1);
 
-    // Read GPT partition.
-    LIST_INIT(gpt);
-    sdmmc_storage_set_mmc_partition(&storage, 0);
-    print("Parsing GPT...\n");
-    nx_emmc_gpt_parse(&gpt, &storage);
-    emmc_part_t *pkg2_part = nx_emmc_part_find(&gpt, "BCPKG2-1-Normal-Main");
-    nx_emmc_gpt_free(&gpt);
-    if (!pkg2_part) {
-        error("Failed to read GPT!\n");
-        return 1;
-    }
-
-    // Read Package2.
-    u8 *tmp = (u8 *)malloc(NX_EMMC_BLOCKSIZE);
-    print("Reading Package2 size...\n");
-    nx_emmc_part_read(&storage, pkg2_part, 0x4000 / NX_EMMC_BLOCKSIZE, 1, tmp);
-    u32 *hdr = (u32 *)(tmp + 0x100);
-    u32 pkg2_size = hdr[0] ^ hdr[2] ^ hdr[3];
-    free(tmp);
-    u8 *pkg2 = malloc(ALIGN(pkg2_size, NX_EMMC_BLOCKSIZE));
-    print("Reading Package2...\n");
-    ret = nx_emmc_part_read(&storage, pkg2_part, 0x4000 / NX_EMMC_BLOCKSIZE, ALIGN(pkg2_size, NX_EMMC_BLOCKSIZE) / NX_EMMC_BLOCKSIZE, pkg2);
-    sdmmc_storage_end(&storage);
-    if (!ret) {
-        error("Failed to read Package2!\n");
-        return 1;
-    }
+    //Read package2
+    u8 *pkg2 = ReadPackage2(&storage);
 
     // Unpack Package2.
     print("Unpacking package2...\n");
@@ -339,7 +291,7 @@ u8 loadFirm() {
     char **sysmods = NULL;
     size_t cnt = enumerateDir(&sysmods, "/ReiNX/sysmodules", "*.kip");
     for (u32 i = 0; i < cnt ; i++) {
-        print("%kLoading %s\n%k", YELLOW, sysmods[i], ORANGE);
+        print("%kLoading %s\n%k", YELLOW, sysmods[i], DEFAULT_TEXT_COL);
         loadKip(&kip1_info, sysmods[i]);
         free(sysmods[i]);
     }
@@ -349,6 +301,19 @@ u8 loadFirm() {
     buildFirmwarePackage(dec_pkg2->data, dec_pkg2->sec_size[PKG2_SEC_KERNEL], &kip1_info);
 }
 
+static void SE_lock() {
+    for (u32 i = 0; i < 16; i++)
+        se_key_acc_ctrl(i, 0x15);
+
+    for (u32 i = 0; i < 2; i++)
+        se_rsa_acc_ctrl(i, 1);
+
+    SE(0x4) = 0; // Make this reg secure only.
+    SE(SE_KEY_TABLE_ACCESS_LOCK_OFFSET) = 0; // Make all key access regs secure only.
+    SE(SE_RSA_KEYTABLE_ACCESS_LOCK_OFFSET) = 0; // Make all rsa access regs secure only.
+    SE(SE_SECURITY_0) &= 0xFFFFFFFB; // Make access lock regs secure only.
+}
+
 void launch() {
     u8 pre4x = pk11Offs->kb < KB_FIRMWARE_VERSION_400;
 
@@ -396,7 +361,7 @@ void firmware() {
     gfx_init_ctxt(&gfx_ctxt, display_init_framebuffer(), 720, 1280, 768);
     gfx_clear_color(&gfx_ctxt, 0xFF000000);
     gfx_con_init(&gfx_con, &gfx_ctxt);
-    gfx_con_setcol(&gfx_con, ORANGE, 0, 0);
+    gfx_con_setcol(&gfx_con, DEFAULT_TEXT_COL, 0, 0);
 
     while (!sdMount()) {
         error("Failed to init SD card!\n");
@@ -406,16 +371,18 @@ void firmware() {
         btn_wait();
     }
     
-    if(PMC(APBDEV_PMC_SCRATCH49_0) != 69 && fopen("/ReiNX.bin", "rb")) {
+    if(PMC(APBDEV_PMC_SCRATCH49) != 69 && fopen("/ReiNX.bin", "rb")) {
         fread((void*)PAYLOAD_ADDR, fsize(), 1);
         fclose();
         sdUnmount();
         display_end();
         CLOCK(CLK_RST_CONTROLLER_CLK_OUT_ENB_V) |= 0x400; // Enable AHUB clock.
         CLOCK(CLK_RST_CONTROLLER_CLK_OUT_ENB_Y) |= 0x40;  // Enable APE clock.
-        PMC(APBDEV_PMC_SCRATCH49_0) = 69;
+        PMC(APBDEV_PMC_SCRATCH49) = 69;
         ((void (*)())PAYLOAD_ADDR)();
     }
+    SYSREG(AHB_AHB_SPARE_REG) = (volatile vu32)0xFFFFFF9F;
+	PMC(APBDEV_PMC_SCRATCH49) = 0;
     
     print("Welcome to ReiNX %s!\n", VERSION);
     loadFirm();
diff --git a/src/firmware.h b/src/firmware.h
index 525e142..3ca6143 100644
--- a/src/firmware.h
+++ b/src/firmware.h
@@ -28,10 +28,6 @@
 
 #define PAYLOAD_ADDR 0xCFF00000
 
-//Instructions
-#define NOP 0xD503201F
-#define ADRP(r, o) 0x90000000 | ((((o) >> 12) & 0x3) << 29) | ((((o) >> 12) & 0x1FFFFC) << 3) | ((r) & 0x1F)
-
 // TODO: Maybe find these with memsearch
 static const pk11_offs _pk11_offs[] = {
     //{ "20161121183008", 0, 0x1900, 0x3FE0, { 2, 1, 0 }, 0x4002B020, 0x8000D000, 1 }, //TODO: relocator patch for 1.0.0
@@ -41,16 +37,17 @@ static const pk11_offs _pk11_offs[] = {
     { "20170710161758", 2, 0x1A00, 0x3FE0, { 0, 1, 2 }, 0x4002D000, 0x8000D000, 1 }, //3.0.1 - 3.0.2
     { "20170921172629", 3, 0x1800, 0x3FE0, { 1, 2, 0 }, 0x4002B000, 0x4003B000, 0 }, //4.0.0 - 4.1.0
     { "20180220163747", 4, 0x1900, 0x3FE0, { 1, 2, 0 }, 0x4002B000, 0x4003B000, 0 }, //5.0.0 - 5.0.2
+    { "20180802162753", 5, 0x1900, 0x3FE0, { 1, 2, 0 }, 0x4002B000, 0x4003D800, 0 }, //6.0.0
     { NULL, 0, 0, 0, 0 } // End.
 };
 
-#define NUM_KEYBLOB_KEYS 5
-static const u8 keyblob_keyseeds[NUM_KEYBLOB_KEYS][0x10] = {
+static const u8 keyblob_keyseeds[][0x10] = {
     { 0xDF, 0x20, 0x6F, 0x59, 0x44, 0x54, 0xEF, 0xDC, 0x70, 0x74, 0x48, 0x3B, 0x0D, 0xED, 0x9F, 0xD3 }, //1.0.0
     { 0x0C, 0x25, 0x61, 0x5D, 0x68, 0x4C, 0xEB, 0x42, 0x1C, 0x23, 0x79, 0xEA, 0x82, 0x25, 0x12, 0xAC }, //3.0.0
     { 0x33, 0x76, 0x85, 0xEE, 0x88, 0x4A, 0xAE, 0x0A, 0xC2, 0x8A, 0xFD, 0x7D, 0x63, 0xC0, 0x43, 0x3B }, //3.0.1
     { 0x2D, 0x1F, 0x48, 0x80, 0xED, 0xEC, 0xED, 0x3E, 0x3C, 0xF2, 0x48, 0xB5, 0x65, 0x7D, 0xF7, 0xBE }, //4.0.0
-    { 0xBB, 0x5A, 0x01, 0xF9, 0x88, 0xAF, 0xF5, 0xFC, 0x6C, 0xFF, 0x07, 0x9E, 0x13, 0x3C, 0x39, 0x80 }  //5.0.0
+    { 0xBB, 0x5A, 0x01, 0xF9, 0x88, 0xAF, 0xF5, 0xFC, 0x6C, 0xFF, 0x07, 0x9E, 0x13, 0x3C, 0x39, 0x80 }, //5.0.0
+    { 0xD8, 0xCC, 0xE1, 0x26, 0x6A, 0x35, 0x3F, 0xCC, 0x20, 0xF3, 0x2D, 0x3B, 0x51, 0x7D, 0xE9, 0xC0 }  //6.0.0
 };
 
 static const u8 cmac_keyseed[0x10] = { 0x59, 0xC7, 0xFB, 0x6F, 0xBE, 0x9B, 0xBE, 0x87, 0x65, 0x6B, 0x15, 0xC0, 0x53, 0x73, 0x36, 0xA5 };
diff --git a/src/fs.c b/src/fs.c
index 3e762c3..112e2ec 100644
--- a/src/fs.c
+++ b/src/fs.c
@@ -17,7 +17,6 @@
 #include <stddef.h>
 #include <string.h>
 #include "hwinit.h"
-#include "hwinit/gfx.h"
 #include "hwinit/ff.h"
 #include "error.h"
 #include "fs.h"
@@ -40,10 +39,10 @@ u32 sdMount() {
 }
 
 void sdUnmount() {
+    if (!sd_mounted) return;
     f_mount(NULL, "", 1);
     sdmmc_storage_end(&sd_storage);
     sd_mounted = 0;
-
 }
 
 u32 fopen(const char *path, const char *mode) {
diff --git a/src/fuse.c b/src/fuse.c
deleted file mode 100644
index 0239048..0000000
--- a/src/fuse.c
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
-* Copyright (c) 2018 Reisyukaku
-*
-* This program is free software; you can redistribute it and/or modify it
-* under the terms and conditions of the GNU General Public License,
-* version 2, as published by the Free Software Foundation.
-*
-* This program is distributed in the hope it will be useful, but WITHOUT
-* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-* FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
-* more details.
-*
-* You should have received a copy of the GNU General Public License
-* along with this program.  If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "hwinit/t210.h"
-#include "fuse.h"
-
-u32 get_unknown_config() {
-    u32 res = 0;
-    u32 deviceInfo = FUSE(FUSE_RESERVED_ODMX(4));
-    u32 config = ((deviceInfo & 4u) >> 2) | 2 * ((deviceInfo & 0x100u) >> 8);
-    
-    if(config == 1)
-        return 0;
-    if(config == 2)
-        return 1;
-    if(config || (res = FUSE(FUSE_SPARE_BIT_5)) != 0)
-        res = 3;
-    return res;
-}
-
-u32 get_unit_type() {
-    u32 deviceInfo = FUSE(FUSE_RESERVED_ODMX(4));
-    u32 deviceType = deviceInfo & 3 | 4 * ((deviceInfo & 0x200u) >> 9);
-    
-    if(deviceType == 3)
-        return 0;
-    if(deviceType == 4)
-        return 1;
-    return 2;
-}
-
-u32 master_key_ver() {
-    return FUSE(FUSE_SPARE_BIT_5) & 1;
-}
\ No newline at end of file
diff --git a/src/fuse.h b/src/fuse.h
deleted file mode 100644
index 0d3640e..0000000
--- a/src/fuse.h
+++ /dev/null
@@ -1,21 +0,0 @@
-/*
-* Copyright (c) 2018 Reisyukaku
-*
-* This program is free software; you can redistribute it and/or modify it
-* under the terms and conditions of the GNU General Public License,
-* version 2, as published by the Free Software Foundation.
-*
-* This program is distributed in the hope it will be useful, but WITHOUT
-* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-* FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
-* more details.
-*
-* You should have received a copy of the GNU General Public License
-* along with this program.  If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#pragma once
-
-u32 get_unknown_config();
-u32 get_unit_type();
-u32 master_key_ver();
\ No newline at end of file
diff --git a/src/hwinit.h b/src/hwinit.h
index ce641ca..b4d1ef7 100644
--- a/src/hwinit.h
+++ b/src/hwinit.h
@@ -41,4 +41,7 @@
 #include "hwinit/nx_emmc.h"
 #include "hwinit/se.h"
 #include "hwinit/se_t210.h"
-#include "hwinit/mmc.h"
\ No newline at end of file
+#include "hwinit/mmc.h"
+#include "hwinit/gfx.h"
+
+#define DEFAULT_TEXT_COL ORANGE
\ No newline at end of file
diff --git a/src/hwinit/pmc.h b/src/hwinit/pmc.h
index 1c62f5e..de4deb8 100644
--- a/src/hwinit/pmc.h
+++ b/src/hwinit/pmc.h
@@ -45,6 +45,6 @@
 #define APBDEV_PMC_SCRATCH200 0x840
 #define APBDEV_PMC_RST_STATUS_0 0x1B4
 #define APBDEV_PMC_SECURE_SCRATCH49_0 0x3A4
-#define APBDEV_PMC_SCRATCH49_0 0x244
+#define APBDEV_PMC_SCRATCH49 0x244
 
 #endif
diff --git a/src/hwinit/types.h b/src/hwinit/types.h
index 6282cbe..bde691c 100644
--- a/src/hwinit/types.h
+++ b/src/hwinit/types.h
@@ -52,6 +52,7 @@ enum KB_FIRMWARE_VERSION {
 	KB_FIRMWARE_VERSION_301 = 2,
 	KB_FIRMWARE_VERSION_400 = 3,
 	KB_FIRMWARE_VERSION_500 = 4,
+    KB_FIRMWARE_VERSION_600 = 5,
 	KB_FIRMWARE_VERSION_MAX
 };
 
diff --git a/src/hwinit/util.c b/src/hwinit/util.c
index 2bcd12a..0c5003c 100644
--- a/src/hwinit/util.c
+++ b/src/hwinit/util.c
@@ -64,6 +64,19 @@ uPtr memsearch(const u8 *startPos, u32 searchSize, const void *pattern, u32 patt
     return 0;
 }
 
+//probably could be more optimized :<
+uPtr getFreeSpace(void *start, size_t space, size_t searchSize) {
+    for(int i = 0; i < searchSize; i++) {
+        if(*(u8*)(start+i) == 0) {
+            for(int j=0;j<space;j++) {
+                if(*(u8*)(start+i+j) != 0) break;
+                if(j==space-1) return (uintptr_t)(start+i);
+            }
+        }
+    }
+    return 0;
+}
+
 #define CRC32C_POLY 0x82F63B78
 u32 crc32c(const void *buf, u32 len)
 {
diff --git a/src/hwinit/util.h b/src/hwinit/util.h
index a7b333c..36d2cc0 100644
--- a/src/hwinit/util.h
+++ b/src/hwinit/util.h
@@ -35,6 +35,7 @@ void musleep(u32 milliseconds);
 void usleep(u32 microseconds);
 void exec_cfg(u32 *base, const cfg_op_t *ops, u32 num_ops);
 uPtr memsearch(const u8 *startPos, u32 searchSize, const void *pattern, u32 patternSize);
+uPtr getFreeSpace(void *start, size_t space, size_t searchSize);
 u32 crc32c(const void *buf, u32 len);
 
 #endif
\ No newline at end of file
diff --git a/src/kippatches.c b/src/kippatches.c
deleted file mode 100644
index 45d810b..0000000
--- a/src/kippatches.c
+++ /dev/null
@@ -1,112 +0,0 @@
-/*
-* Copyright (c) 2018 Reisyukaku
-*
-* This program is free software; you can redistribute it and/or modify it
-* under the terms and conditions of the GNU General Public License,
-* version 2, as published by the Free Software Foundation.
-*
-* This program is distributed in the hope it will be useful, but WITHOUT
-* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-* FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
-* more details.
-*
-* You should have received a copy of the GNU General Public License
-* along with this program.  If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include <string.h>
-
-#include "hwinit/types.h"
-#include "hwinit/util.h"
-#include "kippatches.h"
-#include "fs.h"
-#include "kippatches/fs.inc"
-
-#define NOP 0xD503201F
-
-
-// TODO: get full hashes somewhere and not just the first 16 bytes
-// every second one is the exfat version
-kippatchset_t kip_patches[] = {
-    { "FS", "\xde\x9f\xdd\xa4\x08\x5d\xd5\xfe\x68\xdc\xb2\x0b\x41\x09\x5b\xb4", fs_kip_patches_100 },
-    { "FS", "\xfc\x3e\x80\x99\x1d\xca\x17\x96\x4a\x12\x1f\x04\xb6\x1b\x17\x5e", fs_kip_patches_100 },
-    { "FS", "\xcd\x7b\xbe\x18\xd6\x13\x0b\x28\xf6\x2f\x19\xfa\x79\x45\x53\x5b", fs_kip_patches_200 },
-    { "FS", "\xe7\x66\x92\xdf\xaa\x04\x20\xe9\xfd\xd6\x8e\x43\x63\x16\x18\x18", fs_kip_patches_200 },
-    { "FS", "\x0d\x70\x05\x62\x7b\x07\x76\x7c\x0b\x96\x3f\x9a\xff\xdd\xe5\x66", fs_kip_patches_210 },
-    { "FS", "\xdb\xd8\x5f\xca\xcc\x19\x3d\xa8\x30\x51\xc6\x64\xe6\x45\x2d\x32", fs_kip_patches_210 },
-    { "FS", "\xa8\x6d\xa5\xe8\x7e\xf1\x09\x7b\x23\xda\xb5\xb4\xdb\xba\xef\xe7", fs_kip_patches_300 },
-    { "FS", "\x98\x1c\x57\xe7\xf0\x2f\x70\xf7\xbc\xde\x75\x31\x81\xd9\x01\xa6", fs_kip_patches_300 },
-    { "FS", "\x57\x39\x7c\x06\x3f\x10\xb6\x31\x3f\x4d\x83\x76\x53\xcc\xc3\x71", fs_kip_patches_301 },
-    { "FS", "\x07\x30\x99\xd7\xc6\xad\x7d\x89\x83\xbc\x7a\xdd\x93\x2b\xe3\xd1", fs_kip_patches_301 },
-    { "FS", "\x06\xe9\x07\x19\x59\x5a\x01\x0c\x62\x46\xff\x70\x94\x6f\x10\xfb", fs_kip_patches_401 },
-    { "FS", "\x54\x9b\x0f\x8d\x6f\x72\xc4\xe9\xf3\xfd\x1f\x19\xea\xce\x4a\x5a", fs_kip_patches_401 },
-    { "FS", "\x80\x96\xaf\x7c\x6a\x35\xaa\x82\x71\xf3\x91\x69\x95\x41\x3b\x0b", fs_kip_patches_410 },
-    { "FS", "\x02\xd5\xab\xaa\xfd\x20\xc8\xb0\x63\x3a\xa0\xdb\xae\xe0\x37\x7e", fs_kip_patches_410 },
-    { "FS", "\xa6\xf2\x7a\xd9\xac\x7c\x73\xad\x41\x9b\x63\xb2\x3e\x78\x5a\x0c", fs_kip_patches_500 },
-    { "FS", "\xce\x3e\xcb\xa2\xf2\xf0\x62\xf5\x75\xf8\xf3\x60\x84\x2b\x32\xb4", fs_kip_patches_500 },
-    { "FS", "\x76\xf8\x74\x02\xc9\x38\x7c\x0f\x0a\x2f\xab\x1b\x45\xce\xbb\x93", fs_kip_patches_510 },
-    { "FS", "\x10\xb2\xd8\x16\x05\x48\x85\x99\xdf\x22\x42\xcb\x6b\xac\x2d\xf1", fs_kip_patches_510 },
-    { NULL, NULL, NULL },
-};
-
-int kippatch_apply(u8 *kipdata, u64 kipdata_len, kippatch_t *patch) {
-    if (!patch || !patch->diffs) return -1;
-
-    for (kipdiff_t *diff = patch->diffs; diff->len; ++diff) {
-        if (!diff->len || diff->offset + diff->len > kipdata_len)
-            return 1 + (int)(diff - patch->diffs);
-        u8 *start = kipdata + diff->offset;
-        if (memcmp(start, diff->orig_bytes, diff->len))
-            return 1 + (int)(diff - patch->diffs);
-        // TODO: maybe start copying after every diff has been verified?
-        memcpy(start, diff->patch_bytes, diff->len);
-    }
-
-    return 0;
-}
-
-
-int nca_patch(u8 * kipdata, u64 kipdata_len) {
-	char pattern[8] = {0xE5, 0x07, 0x00, 0x32, 0xE0, 0x03, 0x16, 0xAA};
-	char buf[0x10];
-	memcpy(buf, kipdata+0x1C450, 0x10);
-	u32 * addr = memsearch(kipdata, kipdata_len, pattern, sizeof(pattern));
-	int ret=0;
-	int max_dist = 0x10;
-	for(int i=0; i<max_dist; i++) {
-		u32 op = addr[i];
-		if((op & 0xFC000000)==0x94000000) { //is a BL op
-			addr[i] = NOP;
-			ret=1;
-			break;
-		}
-	}
-	return ret;
-}
-
-int kippatch_apply_set(u8 *kipdata, u64 kipdata_len, kippatchset_t *patchset, char **filter) {
-    for (kippatch_t *p = patchset->patches; p && p->name; ++p) {
-        int found = 0;
-        for (char **filtname = filter; filtname && *filtname; ++filtname) {
-            if (!strcmp(p->name, *filtname)) {
-                found = 1;
-                break;
-            }
-        }
-
-        if (filter && !found) continue;
-
-        int r = kippatch_apply(kipdata, kipdata_len, p);
-        if (r) return r;
-    }
-	if(!strncmp("FS", patchset->kip_name, 2))
-		nca_patch(kipdata, kipdata_len);
-    return 0;
-}
-
-kippatchset_t *kippatch_find_set(u8 *kiphash, kippatchset_t *patchsets) {
-    for (kippatchset_t *ps = patchsets; ps && ps->kip_name; ++ps) {
-        if (!memcmp(kiphash, ps->kip_hash, 0x10)) return ps;
-    }
-    return NULL;
-}
diff --git a/src/kippatches.h b/src/kippatches.h
deleted file mode 100644
index 277f93b..0000000
--- a/src/kippatches.h
+++ /dev/null
@@ -1,31 +0,0 @@
-#pragma once
-
-#include "hwinit/types.h"
-
-typedef struct kipdiff_s {
-  u64 offset;              // offset from start of kip's .text segment
-  u32 len;                 // length of below strings, NULL signifies end of patch
-  const char *orig_bytes;  // original byte string (this must match exactly)
-  const char *patch_bytes; // replacement byte string (same length)
-} kipdiff_t;
-
-// a single patch for a particular kip version
-typedef struct kippatch_s {
-  const char *name;        // name/id of the patch, NULL signifies end of patchset
-  kipdiff_t *diffs;        // array of kipdiff_t's to apply
-} kippatch_t;
-
-// a group of patches that patch several different things in a particular kip version
-typedef struct kippatchset_s {
-  const char *kip_name;    // name/id of the kip, NULL signifies end of patchset list
-  const char *kip_hash;    // sha256 of the right version of the kip
-  kippatch_t *patches;     // set of patches for this version of the kip
-} kippatchset_t;
-
-// fs
-
-extern kippatchset_t kip_patches[];
-
-int kippatch_apply(u8 *kipdata, u64 kipdata_len, kippatch_t *patch);
-int kippatch_apply_set(u8 *kipdata, u64 kipdata_len, kippatchset_t *patchset, char **filter);
-kippatchset_t *kippatch_find_set(u8 *kiphash, kippatchset_t *patchsets);
diff --git a/src/kippatches/fs.inc b/src/kippatches/fs.inc
index af17442..1128c51 100644
--- a/src/kippatches/fs.inc
+++ b/src/kippatches/fs.inc
@@ -139,12 +139,59 @@ static kipdiff_t fs_diffs_510_nocmac[8] = {
   { 0, 0, NULL, NULL },
 };
 
+static kipdiff_t fs_diffs_600_exfat_nocmac[8] = {
+  { 0x10B7F4, 4, "\x20\x0A\x00\x36", "\x1F\x20\x03\xD5" },
+  { 0x10BCF8, 4, "\xA0\x03\x00\x36", "\x1F\x20\x03\xD5" },
+  { 0x113934, 4, "\x60\x14\x00\x36", "\x1F\x20\x03\xD5" },
+  { 0x11429C, 4, "\x60\x06\x00\x36", "\x1F\x20\x03\xD5" },
+  { 0x1143DC, 4, "\x20\x07\x00\x36", "\x1F\x20\x03\xD5" },
+  { 0x11B128, 4, "\xC0\x05\x00\x36", "\x1F\x20\x03\xD5" },
+  { 0x11B254, 4, "\xC0\x06\x00\x36", "\x1F\x20\x03\xD5" },
+  { 0, 0, NULL, NULL },
+};
+
+//exfat offsets are simply shifted by + 0xB700
+static kipdiff_t fs_diffs_600_nocmac[8] = {
+  { 0x1000F4, 4, "\x20\x0A\x00\x36", "\x1F\x20\x03\xD5" },
+  { 0x1005F8, 4, "\xA0\x03\x00\x36", "\x1F\x20\x03\xD5" },
+  { 0x108234, 4, "\x60\x14\x00\x36", "\x1F\x20\x03\xD5" },
+  { 0x108B9C, 4, "\x60\x06\x00\x36", "\x1F\x20\x03\xD5" },
+  { 0x108CDC, 4, "\x20\x07\x00\x36", "\x1F\x20\x03\xD5" },
+  { 0x10FA28, 4, "\xC0\x05\x00\x36", "\x1F\x20\x03\xD5" },
+  { 0x10FB54, 4, "\xC0\x06\x00\x36", "\x1F\x20\x03\xD5" },
+  { 0, 0, NULL, NULL },
+};
+
 static kipdiff_t fs_diffs_510_nogc[3] = {
   { 0xCF794, 4, "\x14\x40\x80\x52", "\x14\x80\x80\x52" },
   { 0xD7770, 8, "\xF4\x4F\xBE\xA9\xFD\x7B\x01\xA9", "\xE0\x03\x1F\x2A\xC0\x03\x5F\xD6" },
   { 0, 0, NULL, NULL },
 };
 
+static kipdiff_t fs_diffs_600_exfat_nogc[3] = {
+  { 0x15EFF4, 4, "\x14\x40\x80\x52", "\x14\x80\x80\x52" },
+  { 0x138320, 8, "\xF4\x4F\xBE\xA9\xFD\x7B\x01\xA9", "\xE0\x03\x1F\x2A\xC0\x03\x5F\xD6" },
+  { 0, 0, NULL, NULL },
+};
+
+static kipdiff_t fs_diffs_600_nogc[3] = {
+  { 0x1538F4, 4, "\x14\x40\x80\x52", "\x14\x80\x80\x52" },
+  { 0x12CC20, 8, "\xF4\x4F\xBE\xA9\xFD\x7B\x01\xA9", "\xE0\x03\x1F\x2A\xC0\x03\x5F\xD6" },
+  { 0, 0, NULL, NULL },
+};
+
+static kipdiff_t fs_diffs_600_exfat_nosigchk[3] = {
+  { 0x7C9A8, 4, "\x8E\x3E\x00\x94", "\xE0\x03\x1F\x2A" },
+  { 0xF678C, 4, "\xC0\x03\x00\x36", "\x1F\x20\x03\xD5" },
+  { 0, 0, NULL, NULL },
+};
+
+static kipdiff_t fs_diffs_600_nosigchk[3] = {
+  { 0x712A8, 4, "\x8E\x3E\x00\x94", "\xE0\x03\x1F\x2A" },
+  { 0xEB08C, 4, "\xC0\x03\x00\x36", "\x1F\x20\x03\xD5" },
+  { 0, 0, NULL, NULL },
+};
+
 /* patches */
 
 static kippatch_t fs_kip_patches_100[] = {
@@ -204,3 +251,17 @@ static kippatch_t fs_kip_patches_510[] = {
   { "nogc", fs_diffs_510_nogc },
   { NULL, NULL }
 };
+
+static kippatch_t fs_kip_patches_600[] = {
+  { "nosigchk", fs_diffs_600_nosigchk },
+  { "nocmac", fs_diffs_600_nocmac },
+  { "nogc", fs_diffs_600_nogc },
+  { NULL, NULL }
+};
+
+static kippatch_t fs_kip_patches_600_exfat[] = {
+  { "nosigchk", fs_diffs_600_exfat_nosigchk },
+  { "nocmac", fs_diffs_600_exfat_nocmac },
+  { "nogc", fs_diffs_600_exfat_nogc },
+  { NULL, NULL }
+};
\ No newline at end of file
diff --git a/src/package.c b/src/package.c
index 61b4972..02ccd61 100644
--- a/src/package.c
+++ b/src/package.c
@@ -14,11 +14,48 @@
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-#include "hwinit/gfx.h"
-#include "hwinit/list.h"
+#include "hwinit.h"
 #include "error.h"
 #include "fs.h"
 #include "package.h"
+#include "kippatches/fs.inc"
+
+u8 *ReadPackage1(sdmmc_storage_t *storage) {
+    u8 *pk11 = malloc(0x40000);
+    sdmmc_storage_read(storage, 0x100000 / NX_EMMC_BLOCKSIZE, 0x40000 / NX_EMMC_BLOCKSIZE, pk11);
+    return pk11;
+}
+
+u8 *ReadPackage2(sdmmc_storage_t *storage) {
+    // Read GPT partition.
+    LIST_INIT(gpt);
+    sdmmc_storage_set_mmc_partition(storage, 0);
+    print("Parsing GPT...\n");
+    nx_emmc_gpt_parse(&gpt, storage);
+    emmc_part_t *pkg2_part = nx_emmc_part_find(&gpt, "BCPKG2-1-Normal-Main");
+    nx_emmc_gpt_free(&gpt);
+    if (!pkg2_part) {
+        error("Failed to read GPT!\n");
+        return 0;
+    }
+
+    // Read Package2.
+    u8 *tmp = (u8 *)malloc(NX_EMMC_BLOCKSIZE);
+    print("Reading Package2 size...\n");
+    nx_emmc_part_read(storage, pkg2_part, 0x4000 / NX_EMMC_BLOCKSIZE, 1, tmp);
+    u32 *hdr = (u32 *)(tmp + 0x100);
+    u32 pkg2_size = hdr[0] ^ hdr[2] ^ hdr[3];
+    free(tmp);
+    u8 *pkg2 = malloc(ALIGN(pkg2_size, NX_EMMC_BLOCKSIZE));
+    print("Reading Package2...\n");
+    u32 ret = nx_emmc_part_read(storage, pkg2_part, 0x4000 / NX_EMMC_BLOCKSIZE, ALIGN(pkg2_size, NX_EMMC_BLOCKSIZE) / NX_EMMC_BLOCKSIZE, pkg2);
+    sdmmc_storage_end(storage);
+    if (!ret) {
+        error("Failed to read Package2!\n");
+        return 0;
+    }
+    return pkg2;
+}
 
 pkg2_hdr_t *unpackFirmwarePackage(u8 *data) {
     print("Unpacking firmware...\n");
@@ -189,4 +226,99 @@ void loadKip(link_t *info, char *path) {
     ki->kip1 = ckip;
     ki->size = calcKipSize(ckip);
     list_append(info, &ki->link);
+}
+
+// TODO: get full hashes somewhere and not just the first 16 bytes
+// every second one is the exfat version
+kippatchset_t kip_patches[] = {
+    { "FS", "\xde\x9f\xdd\xa4\x08\x5d\xd5\xfe\x68\xdc\xb2\x0b\x41\x09\x5b\xb4", fs_kip_patches_100 },
+    { "FS", "\xfc\x3e\x80\x99\x1d\xca\x17\x96\x4a\x12\x1f\x04\xb6\x1b\x17\x5e", fs_kip_patches_100 },
+    { "FS", "\xcd\x7b\xbe\x18\xd6\x13\x0b\x28\xf6\x2f\x19\xfa\x79\x45\x53\x5b", fs_kip_patches_200 },
+    { "FS", "\xe7\x66\x92\xdf\xaa\x04\x20\xe9\xfd\xd6\x8e\x43\x63\x16\x18\x18", fs_kip_patches_200 },
+    { "FS", "\x0d\x70\x05\x62\x7b\x07\x76\x7c\x0b\x96\x3f\x9a\xff\xdd\xe5\x66", fs_kip_patches_210 },
+    { "FS", "\xdb\xd8\x5f\xca\xcc\x19\x3d\xa8\x30\x51\xc6\x64\xe6\x45\x2d\x32", fs_kip_patches_210 },
+    { "FS", "\xa8\x6d\xa5\xe8\x7e\xf1\x09\x7b\x23\xda\xb5\xb4\xdb\xba\xef\xe7", fs_kip_patches_300 },
+    { "FS", "\x98\x1c\x57\xe7\xf0\x2f\x70\xf7\xbc\xde\x75\x31\x81\xd9\x01\xa6", fs_kip_patches_300 },
+    { "FS", "\x57\x39\x7c\x06\x3f\x10\xb6\x31\x3f\x4d\x83\x76\x53\xcc\xc3\x71", fs_kip_patches_301 },
+    { "FS", "\x07\x30\x99\xd7\xc6\xad\x7d\x89\x83\xbc\x7a\xdd\x93\x2b\xe3\xd1", fs_kip_patches_301 },
+    { "FS", "\x06\xe9\x07\x19\x59\x5a\x01\x0c\x62\x46\xff\x70\x94\x6f\x10\xfb", fs_kip_patches_401 },
+    { "FS", "\x54\x9b\x0f\x8d\x6f\x72\xc4\xe9\xf3\xfd\x1f\x19\xea\xce\x4a\x5a", fs_kip_patches_401 },
+    { "FS", "\x80\x96\xaf\x7c\x6a\x35\xaa\x82\x71\xf3\x91\x69\x95\x41\x3b\x0b", fs_kip_patches_410 },
+    { "FS", "\x02\xd5\xab\xaa\xfd\x20\xc8\xb0\x63\x3a\xa0\xdb\xae\xe0\x37\x7e", fs_kip_patches_410 },
+    { "FS", "\xa6\xf2\x7a\xd9\xac\x7c\x73\xad\x41\x9b\x63\xb2\x3e\x78\x5a\x0c", fs_kip_patches_500 },
+    { "FS", "\xce\x3e\xcb\xa2\xf2\xf0\x62\xf5\x75\xf8\xf3\x60\x84\x2b\x32\xb4", fs_kip_patches_500 },
+    { "FS", "\x76\xf8\x74\x02\xc9\x38\x7c\x0f\x0a\x2f\xab\x1b\x45\xce\xbb\x93", fs_kip_patches_510 },
+    { "FS", "\x10\xb2\xd8\x16\x05\x48\x85\x99\xdf\x22\x42\xcb\x6b\xac\x2d\xf1", fs_kip_patches_510 },
+    { "FS", "\x1b\x82\xcb\x22\x18\x67\xcb\x52\xc4\x4a\x86\x9e\xa9\x1a\x1a\xdd", fs_kip_patches_600 },
+    { "FS", "\x96\x6a\xdd\x3d\x20\xb6\x27\x13\x2c\x5a\x8d\xa4\x9a\xc9\xd8\xdd", fs_kip_patches_600_exfat },
+    { NULL, NULL, NULL },
+};
+
+int kippatch_apply(u8 *kipdata, u64 kipdata_len, kippatch_t *patch) {
+    if (!patch || !patch->diffs) return -1;
+
+    for (kipdiff_t *diff = patch->diffs; diff->len; ++diff) {
+        if (!diff->len || diff->offset + diff->len > kipdata_len)
+            return 1 + (int)(diff - patch->diffs);
+        u8 *start = kipdata + diff->offset;
+        if (memcmp(start, diff->orig_bytes, diff->len))
+            continue;
+        // TODO: maybe start copying after every diff has been verified?
+        memcpy(start, diff->patch_bytes, diff->len);
+    }
+
+    return 0;
+}
+
+
+int nca_patch(u8 * kipdata, u64 kipdata_len) {
+	char pattern[8] = {0xE5, 0x07, 0x00, 0x32, 0xE0, 0x03, 0x16, 0xAA};
+	char buf[0x10];
+	memcpy(buf, kipdata+0x1C450, 0x10);
+	u32 * addr = memsearch(kipdata, kipdata_len, pattern, sizeof(pattern));
+	int ret=0;
+	int max_dist = 0x10;
+	for(int i=0; i<max_dist; i++) {
+		u32 op = addr[i];
+		if((op & 0xFC000000)==0x94000000) { //is a BL op
+			addr[i] = NOP;
+			ret=1;
+			break;
+		}
+	}
+	return ret;
+}
+
+int kippatch_apply_set(u8 *kipdata, u64 kipdata_len, kippatchset_t *patchset) {
+    char *patchFilter[] = { "nosigchk", "nocmac", "nogc", NULL };
+    
+    if (!fopen("/ReiNX/nogc", "rb")) {
+        patchFilter[2] = NULL;
+        fclose();
+    }
+    
+    for (kippatch_t *p = patchset->patches; p && p->name; ++p) {
+        int found = 0;
+        for (char **filtname = patchFilter; filtname && *filtname; ++filtname) {
+            if (!strcmp(p->name, *filtname)) {
+                found = 1;
+                break;
+            }
+        }
+
+        if (patchFilter && !found) continue;
+
+        int r = kippatch_apply(kipdata, kipdata_len, p);
+        if (r) return r;
+    }
+	if(!strncmp("FS", patchset->kip_name, 2))
+		nca_patch(kipdata, kipdata_len);
+    return 0;
+}
+
+kippatchset_t *kippatch_find_set(u8 *kiphash, kippatchset_t *patchsets) {
+    for (kippatchset_t *ps = patchsets; ps && ps->kip_name; ++ps) {
+        if (!memcmp(kiphash, ps->kip_hash, 0x10)) return ps;
+    }
+    return NULL;
 }
\ No newline at end of file
diff --git a/src/package.h b/src/package.h
index 22a4ca9..18f3137 100644
--- a/src/package.h
+++ b/src/package.h
@@ -31,6 +31,7 @@
 #define FREE_CODE_OFF_1ST_302 0x494BC
 #define FREE_CODE_OFF_1ST_400 0x52890
 #define FREE_CODE_OFF_1ST_500 0x5C020
+#define FREE_CODE_OFF_1ST_600 0x5EE00
 
 #define ID_SND_OFF_100 0x23CC0
 #define ID_SND_OFF_200 0x3F134
@@ -38,6 +39,7 @@
 #define ID_SND_OFF_302 0x26080
 #define ID_SND_OFF_400 0x2AF64
 #define ID_SND_OFF_500 0x2AD34
+#define ID_SND_OFF_600 0x2BB88
 
 #define ID_RCV_OFF_100 0x219F0
 #define ID_RCV_OFF_200 0x3D1A8
@@ -45,7 +47,10 @@
 #define ID_RCV_OFF_302 0x240F0
 #define ID_RCV_OFF_400 0x28F6C
 #define ID_RCV_OFF_500 0x28DAC
+#define ID_RCV_OFF_600 0x29B6C
 
+#define NOP 0xD503201F
+#define ADRP(r, o) 0x90000000 | ((((o) >> 12) & 0x3) << 29) | ((((o) >> 12) & 0x1FFFFC) << 3) | ((r) & 0x1F)
 
 static u8 customSecmon = 0;
 static u8 customWarmboot = 0;
@@ -225,6 +230,18 @@ static u32 PRC_ID_RCV_500[] =
 	0xD2FFFFC9, 0xEB09015F, 0x54000040, 0xF9415B08, 0xF9406FEA
 };
 
+static u32 PRC_ID_SND_600[] =
+{
+	0x2A1703EA, 0xD37EF54A, 0xF86A6B6A, 0x92FFFFE9, 0x8A090148, 0xD2FFFFE9, 0x8A09014A, 0xD2FFFFC9,
+	0xEB09015F, 0x54000060, 0xF94043EA, 0xF9415948, 0xF94043EA
+};
+#define FREE_CODE_OFF_2ND_600 (FREE_CODE_OFF_1ST_600 + sizeof(PRC_ID_SND_600) + 4)
+static u32 PRC_ID_RCV_600[] =
+{
+	0xF9403BED, 0x2A1503EA, 0xD37EF54A, 0xF86A69AA, 0x92FFFFE9, 0x8A090148, 0xD2FFFFE9, 0x8A09014A,
+	0xD2FFFFC9, 0xEB09015F, 0x54000040, 0xF9415B08, 0xF9406FEA
+};
+
 
 static kernel_patch_t kern1[] = {
 	{ SVC_VERIFY_DS, 0x3764C, _NOP(), NULL },          // Disable SVC verifications
@@ -313,6 +330,21 @@ static kernel_patch_t kern5[] = {
 	{0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, (u32*)0xFFFFFFFF}
 };
 
+static kernel_patch_t kern6[] = {
+	{ SVC_VERIFY_DS, 0x47E98, _NOP(), NULL },          // Disable SVC verifications
+	{ DEBUG_MODE_EN, 0x52D40, _MOVZX(8, 1, 0), NULL }, // Enable Debug Patch
+	// Atmosphère kernel patches.
+	{ ATM_GEN_PATCH, ID_SND_OFF_600, _B(ID_SND_OFF_600, FREE_CODE_OFF_1ST_600), NULL},    // Send process id branch.
+	{ ATM_ARR_PATCH, FREE_CODE_OFF_1ST_600, sizeof(PRC_ID_SND_600) >> 2, PRC_ID_SND_600}, // Send process id code.
+	{ ATM_GEN_PATCH, FREE_CODE_OFF_1ST_600 + sizeof(PRC_ID_SND_600),                      // Branch back and skip 2 instructions.
+		_B(FREE_CODE_OFF_1ST_600 + sizeof(PRC_ID_SND_600), ID_SND_OFF_600 + 8), NULL},
+	{ ATM_GEN_PATCH, ID_RCV_OFF_600, _B(ID_RCV_OFF_600, FREE_CODE_OFF_2ND_600), NULL},    // Receive process id branch.
+	{ ATM_ARR_PATCH, FREE_CODE_OFF_2ND_600, sizeof(PRC_ID_RCV_600) >> 2, PRC_ID_RCV_600}, // Receive process id code.
+	{ ATM_GEN_PATCH, FREE_CODE_OFF_2ND_600 + sizeof(PRC_ID_RCV_600),                      // Branch back and skip 2 instructions.
+		_B(FREE_CODE_OFF_2ND_600 + sizeof(PRC_ID_RCV_600), ID_RCV_OFF_600 + 8), NULL},
+	{0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, (u32*)0xFFFFFFFF}
+};
+
 static const pkg2_kernel_id_t _pkg2_kernel_ids[] =
 {
 	{ 0x427f2647, kern1 },   //1.0.0
@@ -321,9 +353,37 @@ static const pkg2_kernel_id_t _pkg2_kernel_ids[] =
 	{ 0xe0e8cdc4, kern302 }, //3.0.2
 	{ 0x485d0157, kern4 },   //4.0.0 - 4.1.0
 	{ 0xf3c363f2, kern5 },   //5.0.0 - 5.1.0
+    { 0x64ce1a44, kern6 },   //6.0.0
 	{ 0, 0 }                              //End.
 };
 
+typedef struct kipdiff_s {
+  u64 offset;              // offset from start of kip's .text segment
+  u32 len;                 // length of below strings, NULL signifies end of patch
+  const char *orig_bytes;  // original byte string (this must match exactly)
+  const char *patch_bytes; // replacement byte string (same length)
+} kipdiff_t;
+
+// a single patch for a particular kip version
+typedef struct kippatch_s {
+  const char *name;        // name/id of the patch, NULL signifies end of patchset
+  kipdiff_t *diffs;        // array of kipdiff_t's to apply
+} kippatch_t;
+
+// a group of patches that patch several different things in a particular kip version
+typedef struct kippatchset_s {
+  const char *kip_name;    // name/id of the kip, NULL signifies end of patchset list
+  const char *kip_hash;    // sha256 of the right version of the kip
+  kippatch_t *patches;     // set of patches for this version of the kip
+} kippatchset_t;
+
+
+extern kippatchset_t kip_patches[];
+u8 *ReadPackage1(sdmmc_storage_t *storage);
+u8 *ReadPackage2(sdmmc_storage_t *storage);
+int kippatch_apply(u8 *kipdata, u64 kipdata_len, kippatch_t *patch);
+int kippatch_apply_set(u8 *kipdata, u64 kipdata_len, kippatchset_t *patchset);
+kippatchset_t *kippatch_find_set(u8 *kiphash, kippatchset_t *patchsets);
 pkg2_hdr_t *unpackFirmwarePackage(u8 *data);
 void pkg1_unpack(pk11_offs *offs, u8 *pkg1);
 void buildFirmwarePackage(u8 *kernel, u32 kernel_size, link_t *kips_info);
diff --git a/src/start.s b/src/start.s
index f04811a..30786b1 100644
--- a/src/start.s
+++ b/src/start.s
@@ -36,14 +36,14 @@
 .type _start, %function
 _start:
 	ADR R0, _start
-	LDR R1, =__ipl_start
+	LDR R1, =payload_start
 	CMP R0, R1
 	BEQ _real_start
 
 	/* If we are not in the right location already, copy a relocator to upper IRAM. */
-	ADR R2, _reloc_ipl
+	ADR R2, reloc_payload
 	LDR R3, =0x4003FF00
-	MOV R4, #(_real_start - _reloc_ipl)
+	MOV R4, #(_real_start - reloc_payload)
 _copy_loop:
 	LDMIA R2!, {R5}
 	STMIA R3!, {R5}
@@ -51,17 +51,17 @@ _copy_loop:
 	BNE _copy_loop
 
 	/* Use the relocator to copy ourselves into the right place. */
-	LDR R2, =__ipl_end
+	LDR R2, =payload_end
 	SUB R2, R2, R1
 	LDR R3, =_real_start
 	LDR R4, =0x4003FF00
 	BX R4
 
-_reloc_ipl:
+reloc_payload:
 	LDMIA R0!, {R4-R7}
 	STMIA R1!, {R4-R7}
 	SUBS R2, #0x10
-	BNE _reloc_ipl
+	BNE reloc_payload
 	/* Jump to the relocated entry. */
 	BX R3
 

From 45d3dc865f9a7fd954bcfbec7b2fd0d1fed2bef9 Mon Sep 17 00:00:00 2001
From: Rei <asterma@yahoo.com>
Date: Sun, 2 Sep 2018 14:09:17 -0400
Subject: [PATCH 17/35] Update READMEs

---
 NX_Sysmodules | 2 +-
 README.md     | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/NX_Sysmodules b/NX_Sysmodules
index 185057c..98aa1c7 160000
--- a/NX_Sysmodules
+++ b/NX_Sysmodules
@@ -1 +1 @@
-Subproject commit 185057cd0e6ac5bc85dd1c6ce938fed5254b8499
+Subproject commit 98aa1c76fca699c4120dce244a241882e3523edf
diff --git a/README.md b/README.md
index 9ec7326..e1bdab3 100644
--- a/README.md
+++ b/README.md
@@ -15,6 +15,7 @@ To compile with Docker, `chmod +x docker-build.sh` and run the shell script `./d
 
 
 **Features:**
+* Modularity (doesnt rely on or require any SD files to run; customize SD files to your liking)
 
 * Loads all KIPs from `/ReiNX/sysmodules/` directory
 
@@ -22,7 +23,9 @@ To compile with Docker, `chmod +x docker-build.sh` and run the shell script `./d
 
 * FS patches on the fly (NCA verify/cmac and optional nogc)
 
-* Exclusive ReiNX sysmodules with built in ES patches
+* Exclusive ReiNX sysmodules
+
+* ES patch in RXP patch format (used with custom loader.kip)
 
 **Official thread:**
 

From 71e9ae4bbc1bc64e9cdd64ae1f76eb17f8e5f140 Mon Sep 17 00:00:00 2001
From: Arthur <avaleeva52@gmail.com>
Date: Sun, 2 Sep 2018 23:51:57 -0400
Subject: [PATCH 18/35] added an apostrophe to 'doesnt'

REI PLEASE ACCEPT THIS PR SO I CAN HAVE MY NAME IN THIS
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index e1bdab3..bcb4191 100644
--- a/README.md
+++ b/README.md
@@ -15,7 +15,7 @@ To compile with Docker, `chmod +x docker-build.sh` and run the shell script `./d
 
 
 **Features:**
-* Modularity (doesnt rely on or require any SD files to run; customize SD files to your liking)
+* Modularity (doesn't rely on or require any SD files to run; customize SD files to your liking)
 
 * Loads all KIPs from `/ReiNX/sysmodules/` directory
 

From 14101dca2784cb85c8b88808a3366c0e863e3e23 Mon Sep 17 00:00:00 2001
From: Rei <asterma@yahoo.com>
Date: Mon, 3 Sep 2018 18:05:30 -0400
Subject: [PATCH 19/35] 'fix' 6.0; update sysmods; refactor

---
 NX_Sysmodules     | 2 +-
 src/hwinit/util.c | 6 +++---
 src/package.h     | 8 ++++----
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/NX_Sysmodules b/NX_Sysmodules
index 98aa1c7..ed82a52 160000
--- a/NX_Sysmodules
+++ b/NX_Sysmodules
@@ -1 +1 @@
-Subproject commit 98aa1c76fca699c4120dce244a241882e3523edf
+Subproject commit ed82a52ccff9d7b04a111e0510de73cc9f003e43
diff --git a/src/hwinit/util.c b/src/hwinit/util.c
index 0c5003c..016a7c9 100644
--- a/src/hwinit/util.c
+++ b/src/hwinit/util.c
@@ -56,9 +56,9 @@ void exec_cfg(u32 *base, const cfg_op_t *ops, u32 num_ops)
 		base[ops[i].off] = ops[i].val;
 }
 
-uPtr memsearch(const u8 *startPos, u32 searchSize, const void *pattern, u32 patternSize) {
+uPtr memsearch(void *startPos, size_t searchSize, void *pattern, size_t patternSize) {
     if(!searchSize) return 0;
-    for (u8 *pos = (u8 *)startPos; pos <= startPos + searchSize - patternSize; pos++) {
+    for (u8 *pos = (u8*)startPos; pos <= (u8*)startPos + searchSize - patternSize; pos++) {
         if (memcmp(pos, pattern, patternSize) == 0) return (uPtr)pos;
     }
     return 0;
@@ -70,7 +70,7 @@ uPtr getFreeSpace(void *start, size_t space, size_t searchSize) {
         if(*(u8*)(start+i) == 0) {
             for(int j=0;j<space;j++) {
                 if(*(u8*)(start+i+j) != 0) break;
-                if(j==space-1) return (uintptr_t)(start+i);
+                if(j==space-1) return (uPtr)(start+i);
             }
         }
     }
diff --git a/src/package.h b/src/package.h
index 18f3137..f944970 100644
--- a/src/package.h
+++ b/src/package.h
@@ -331,17 +331,17 @@ static kernel_patch_t kern5[] = {
 };
 
 static kernel_patch_t kern6[] = {
-	{ SVC_VERIFY_DS, 0x47E98, _NOP(), NULL },          // Disable SVC verifications
-	{ DEBUG_MODE_EN, 0x52D40, _MOVZX(8, 1, 0), NULL }, // Enable Debug Patch
+	{ SVC_VERIFY_DS, 0x47EA0, _NOP(), NULL },          // Disable SVC verifications
+	{ DEBUG_MODE_EN, 0x57548, _MOVZX(8, 1, 0), NULL }, // Enable Debug Patch
 	// Atmosphère kernel patches.
-	{ ATM_GEN_PATCH, ID_SND_OFF_600, _B(ID_SND_OFF_600, FREE_CODE_OFF_1ST_600), NULL},    // Send process id branch.
+	/*{ ATM_GEN_PATCH, ID_SND_OFF_600, _B(ID_SND_OFF_600, FREE_CODE_OFF_1ST_600), NULL},    // Send process id branch.
 	{ ATM_ARR_PATCH, FREE_CODE_OFF_1ST_600, sizeof(PRC_ID_SND_600) >> 2, PRC_ID_SND_600}, // Send process id code.
 	{ ATM_GEN_PATCH, FREE_CODE_OFF_1ST_600 + sizeof(PRC_ID_SND_600),                      // Branch back and skip 2 instructions.
 		_B(FREE_CODE_OFF_1ST_600 + sizeof(PRC_ID_SND_600), ID_SND_OFF_600 + 8), NULL},
 	{ ATM_GEN_PATCH, ID_RCV_OFF_600, _B(ID_RCV_OFF_600, FREE_CODE_OFF_2ND_600), NULL},    // Receive process id branch.
 	{ ATM_ARR_PATCH, FREE_CODE_OFF_2ND_600, sizeof(PRC_ID_RCV_600) >> 2, PRC_ID_RCV_600}, // Receive process id code.
 	{ ATM_GEN_PATCH, FREE_CODE_OFF_2ND_600 + sizeof(PRC_ID_RCV_600),                      // Branch back and skip 2 instructions.
-		_B(FREE_CODE_OFF_2ND_600 + sizeof(PRC_ID_RCV_600), ID_RCV_OFF_600 + 8), NULL},
+		_B(FREE_CODE_OFF_2ND_600 + sizeof(PRC_ID_RCV_600), ID_RCV_OFF_600 + 8), NULL},*/
 	{0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, (u32*)0xFFFFFFFF}
 };
 

From 83b5794839d330840bc67493bf5d3dd364c98d9d Mon Sep 17 00:00:00 2001
From: Ave <ave@ave.zone>
Date: Tue, 4 Sep 2018 02:58:23 +0300
Subject: [PATCH 20/35] fix build issues

---
 src/hwinit/util.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/hwinit/util.h b/src/hwinit/util.h
index 36d2cc0..4717a2a 100644
--- a/src/hwinit/util.h
+++ b/src/hwinit/util.h
@@ -34,8 +34,8 @@ u32 get_tmr_us();
 void musleep(u32 milliseconds);
 void usleep(u32 microseconds);
 void exec_cfg(u32 *base, const cfg_op_t *ops, u32 num_ops);
-uPtr memsearch(const u8 *startPos, u32 searchSize, const void *pattern, u32 patternSize);
+uPtr memsearch(void *startPos, size_t searchSize, void *pattern, size_t patternSize);
 uPtr getFreeSpace(void *start, size_t space, size_t searchSize);
 u32 crc32c(const void *buf, u32 len);
 
-#endif
\ No newline at end of file
+#endif

From 42a4a5f9d5b0152099dba980c36b9560131db913 Mon Sep 17 00:00:00 2001
From: Rei <asterma@yahoo.com>
Date: Fri, 7 Sep 2018 21:33:24 -0400
Subject: [PATCH 21/35] more 6.0 memes, other

---
 NX_Sysmodules     |  2 +-
 src/bootloader.c  | 62 ++++++++++++++++++++++++++++++++++++++++++++++
 src/bootloader.h  | 18 ++++++++++++++
 src/bootrom.c     |  2 +-
 src/firmware.c    | 63 +----------------------------------------------
 src/firmware.h    | 15 -----------
 src/hwinit/util.h |  2 +-
 7 files changed, 84 insertions(+), 80 deletions(-)

diff --git a/NX_Sysmodules b/NX_Sysmodules
index ed82a52..281c052 160000
--- a/NX_Sysmodules
+++ b/NX_Sysmodules
@@ -1 +1 @@
-Subproject commit ed82a52ccff9d7b04a111e0510de73cc9f003e43
+Subproject commit 281c0521dd09ec6c5af6cfef75f505602dd0888c
diff --git a/src/bootloader.c b/src/bootloader.c
index afb8ad8..7e4da12 100644
--- a/src/bootloader.c
+++ b/src/bootloader.c
@@ -57,6 +57,68 @@ void check_config_fuses() {
         panic();
 }
 
+int keygen(u8 *keyblob, u32 fwVer, void *tsec_fw) {
+    u8 tmp[0x10];
+
+    se_key_acc_ctrl(0x0D, 0x15);
+    se_key_acc_ctrl(0x0E, 0x15);
+
+    // Get TSEC key.
+    if (tsec_query(tmp, 1, tsec_fw) < 0)
+        return 0;
+
+    se_aes_key_set(0x0D, tmp, 0x10);
+
+    // Derive keyblob keys from TSEC+SBK.
+    se_aes_crypt_block_ecb(0x0D, 0x00, tmp, keyblob_keyseeds[0]);
+    se_aes_unwrap_key(0x0F, 0x0E, tmp);
+    se_aes_crypt_block_ecb(0xD, 0x00, tmp, keyblob_keyseeds[fwVer]);
+    se_aes_unwrap_key(0x0D, 0x0E, tmp);
+
+    // Clear SBK
+    se_aes_key_clear(0x0E);
+
+    se_aes_crypt_block_ecb(0x0D, 0, tmp, cmac_keyseed);
+    se_aes_unwrap_key(0x0B, 0x0D, cmac_keyseed);
+
+    // Decrypt keyblob and set keyslots.
+    se_aes_crypt_ctr(0x0D, keyblob + 0x20, 0x90, keyblob + 0x20, 0x90, keyblob + 0x10);
+    se_aes_key_set(0x0B, keyblob + 0x20 + 0x80, 0x10); // Package1 key
+    se_aes_key_set(0x0C, keyblob + 0x20, 0x10);
+    se_aes_key_set(0x0D, keyblob + 0x20, 0x10);
+
+    se_aes_crypt_block_ecb(0x0C, 0, tmp, master_keyseed_retail);
+
+    switch (fwVer) {
+        case KB_FIRMWARE_VERSION_100_200:
+        case KB_FIRMWARE_VERSION_300:
+        case KB_FIRMWARE_VERSION_301:
+            se_aes_unwrap_key(0x0D, 0x0F, console_keyseed);
+            se_aes_unwrap_key(0x0C, 0x0C, master_keyseed_retail);
+        break;
+
+        case KB_FIRMWARE_VERSION_400:
+            se_aes_unwrap_key(0x0D, 0x0F, console_keyseed_4xx);
+            se_aes_unwrap_key(0x0F, 0x0F, console_keyseed);
+            se_aes_unwrap_key(0x0E, 0x0C, master_keyseed_4xx);
+            se_aes_unwrap_key(0x0C, 0x0C, master_keyseed_retail);
+        break;
+
+        case KB_FIRMWARE_VERSION_500:
+        case KB_FIRMWARE_VERSION_600:
+        default:
+            se_aes_unwrap_key(0x0A, 0x0F, console_keyseed_4xx);
+            se_aes_unwrap_key(0x0F, 0x0F, console_keyseed);
+            se_aes_unwrap_key(0x0E, 0x0C, master_keyseed_4xx);
+            se_aes_unwrap_key(0x0C, 0x0C, master_keyseed_retail);
+        break;
+    }
+
+    // Package2 key
+    se_key_acc_ctrl(0x08, 0x15);
+    se_aes_unwrap_key(0x08, 0x0C, key8_keyseed);
+}
+
 void mbist_workaround() {
     CLOCK(0x410) = (CLOCK(0x410) | 0x8000) & 0xFFFFBFFF;
     CLOCK(0xD0) |= 0x40800000u;
diff --git a/src/bootloader.h b/src/bootloader.h
index 7aafd4e..5fc050a 100644
--- a/src/bootloader.h
+++ b/src/bootloader.h
@@ -16,4 +16,22 @@
 
 #pragma once
 
+static const u8 keyblob_keyseeds[][0x10] = {
+    { 0xDF, 0x20, 0x6F, 0x59, 0x44, 0x54, 0xEF, 0xDC, 0x70, 0x74, 0x48, 0x3B, 0x0D, 0xED, 0x9F, 0xD3 }, //1.0.0
+    { 0x0C, 0x25, 0x61, 0x5D, 0x68, 0x4C, 0xEB, 0x42, 0x1C, 0x23, 0x79, 0xEA, 0x82, 0x25, 0x12, 0xAC }, //3.0.0
+    { 0x33, 0x76, 0x85, 0xEE, 0x88, 0x4A, 0xAE, 0x0A, 0xC2, 0x8A, 0xFD, 0x7D, 0x63, 0xC0, 0x43, 0x3B }, //3.0.1
+    { 0x2D, 0x1F, 0x48, 0x80, 0xED, 0xEC, 0xED, 0x3E, 0x3C, 0xF2, 0x48, 0xB5, 0x65, 0x7D, 0xF7, 0xBE }, //4.0.0
+    { 0xBB, 0x5A, 0x01, 0xF9, 0x88, 0xAF, 0xF5, 0xFC, 0x6C, 0xFF, 0x07, 0x9E, 0x13, 0x3C, 0x39, 0x80 }, //5.0.0
+    { 0xD8, 0xCC, 0xE1, 0x26, 0x6A, 0x35, 0x3F, 0xCC, 0x20, 0xF3, 0x2D, 0x3B, 0x51, 0x7D, 0xE9, 0xC0 }  //6.0.0
+};
+
+static const u8 cmac_keyseed[0x10] = { 0x59, 0xC7, 0xFB, 0x6F, 0xBE, 0x9B, 0xBE, 0x87, 0x65, 0x6B, 0x15, 0xC0, 0x53, 0x73, 0x36, 0xA5 };
+static const u8 master_keyseed_retail[0x10] = { 0xD8, 0xA2, 0x41, 0x0A, 0xC6, 0xC5, 0x90, 0x01, 0xC6, 0x1D, 0x6A, 0x26, 0x7C, 0x51, 0x3F, 0x3C };
+static const u8 console_keyseed[0x10] = { 0x4F, 0x02, 0x5F, 0x0E, 0xB6, 0x6D, 0x11, 0x0E, 0xDC, 0x32, 0x7D, 0x41, 0x86, 0xC2, 0xF4, 0x78 };
+static const u8 key8_keyseed[] = { 0xFB, 0x8B, 0x6A, 0x9C, 0x79, 0x00, 0xC8, 0x49, 0xEF, 0xD2, 0x4D, 0x85, 0x4D, 0x30, 0xA0, 0xC7 };
+static const u8 master_keyseed_4xx[0x10] = { 0x2D, 0xC1, 0xF4, 0x8D, 0xF3, 0x5B, 0x69, 0x33, 0x42, 0x10, 0xAC, 0x65, 0xDA, 0x90, 0x46, 0x66 };
+static const u8 console_keyseed_4xx[0x10] = { 0x0C, 0x91, 0x09, 0xDB, 0x93, 0x93, 0x07, 0x81, 0x07, 0x3C, 0xC4, 0x16, 0x22, 0x7C, 0x6C, 0x28 };
+
+
+int keygen(u8 *keyblob, u32 fwVer, void *tsec_fw);
 void bootloader();
\ No newline at end of file
diff --git a/src/bootrom.c b/src/bootrom.c
index 01d4c07..3f7013b 100644
--- a/src/bootrom.c
+++ b/src/bootrom.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2018 Reisyukaku
+* Copyright (c) 2018 Reisyukaku, naehrwert
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms and conditions of the GNU General Public License,
diff --git a/src/firmware.c b/src/firmware.c
index 0bb3acc..0a2eac1 100644
--- a/src/firmware.c
+++ b/src/firmware.c
@@ -20,6 +20,7 @@
 #include "fs.h"
 #include "package.h"
 #include "error.h"
+#include "bootloader.h"
 #include "firmware.h"
 
 static pk11_offs *pk11Offs = NULL;
@@ -185,68 +186,6 @@ void patch(pk11_offs *pk11, pkg2_hdr_t *pkg2, link_t *kips) {
     }
 }
 
-int keygen(u8 *keyblob, u32 fwVer, void *tsec_fw) {
-    u8 tmp[0x10];
-
-    se_key_acc_ctrl(0x0D, 0x15);
-    se_key_acc_ctrl(0x0E, 0x15);
-
-    // Get TSEC key.
-    if (tsec_query(tmp, 1, tsec_fw) < 0)
-        return 0;
-
-    se_aes_key_set(0x0D, tmp, 0x10);
-
-    // Derive keyblob keys from TSEC+SBK.
-    se_aes_crypt_block_ecb(0x0D, 0x00, tmp, keyblob_keyseeds[0]);
-    se_aes_unwrap_key(0x0F, 0x0E, tmp);
-    se_aes_crypt_block_ecb(0xD, 0x00, tmp, keyblob_keyseeds[fwVer]);
-    se_aes_unwrap_key(0x0D, 0x0E, tmp);
-
-    // Clear SBK
-    se_aes_key_clear(0x0E);
-
-    se_aes_crypt_block_ecb(0x0D, 0, tmp, cmac_keyseed);
-    se_aes_unwrap_key(0x0B, 0x0D, cmac_keyseed);
-
-    // Decrypt keyblob and set keyslots.
-    se_aes_crypt_ctr(0x0D, keyblob + 0x20, 0x90, keyblob + 0x20, 0x90, keyblob + 0x10);
-    se_aes_key_set(0x0B, keyblob + 0x20 + 0x80, 0x10); // Package1 key
-    se_aes_key_set(0x0C, keyblob + 0x20, 0x10);
-    se_aes_key_set(0x0D, keyblob + 0x20, 0x10);
-
-    se_aes_crypt_block_ecb(0x0C, 0, tmp, master_keyseed_retail);
-
-    switch (fwVer) {
-        case KB_FIRMWARE_VERSION_100_200:
-        case KB_FIRMWARE_VERSION_300:
-        case KB_FIRMWARE_VERSION_301:
-            se_aes_unwrap_key(0x0D, 0x0F, console_keyseed);
-            se_aes_unwrap_key(0x0C, 0x0C, master_keyseed_retail);
-        break;
-
-        case KB_FIRMWARE_VERSION_400:
-            se_aes_unwrap_key(0x0D, 0x0F, console_keyseed_4xx);
-            se_aes_unwrap_key(0x0F, 0x0F, console_keyseed);
-            se_aes_unwrap_key(0x0E, 0x0C, master_keyseed_4xx);
-            se_aes_unwrap_key(0x0C, 0x0C, master_keyseed_retail);
-        break;
-
-        case KB_FIRMWARE_VERSION_500:
-        case KB_FIRMWARE_VERSION_600:
-        default:
-            se_aes_unwrap_key(0x0A, 0x0F, console_keyseed_4xx);
-            se_aes_unwrap_key(0x0F, 0x0F, console_keyseed);
-            se_aes_unwrap_key(0x0E, 0x0C, master_keyseed_4xx);
-            se_aes_unwrap_key(0x0C, 0x0C, master_keyseed_retail);
-        break;
-    }
-
-    // Package2 key
-    se_key_acc_ctrl(0x08, 0x15);
-    se_aes_unwrap_key(0x08, 0x0C, key8_keyseed);
-}
-
 u8 loadFirm() {
     sdmmc_storage_t storage;
     sdmmc_t sdmmc;
diff --git a/src/firmware.h b/src/firmware.h
index 3ca6143..ab2d2ee 100644
--- a/src/firmware.h
+++ b/src/firmware.h
@@ -41,20 +41,5 @@ static const pk11_offs _pk11_offs[] = {
     { NULL, 0, 0, 0, 0 } // End.
 };
 
-static const u8 keyblob_keyseeds[][0x10] = {
-    { 0xDF, 0x20, 0x6F, 0x59, 0x44, 0x54, 0xEF, 0xDC, 0x70, 0x74, 0x48, 0x3B, 0x0D, 0xED, 0x9F, 0xD3 }, //1.0.0
-    { 0x0C, 0x25, 0x61, 0x5D, 0x68, 0x4C, 0xEB, 0x42, 0x1C, 0x23, 0x79, 0xEA, 0x82, 0x25, 0x12, 0xAC }, //3.0.0
-    { 0x33, 0x76, 0x85, 0xEE, 0x88, 0x4A, 0xAE, 0x0A, 0xC2, 0x8A, 0xFD, 0x7D, 0x63, 0xC0, 0x43, 0x3B }, //3.0.1
-    { 0x2D, 0x1F, 0x48, 0x80, 0xED, 0xEC, 0xED, 0x3E, 0x3C, 0xF2, 0x48, 0xB5, 0x65, 0x7D, 0xF7, 0xBE }, //4.0.0
-    { 0xBB, 0x5A, 0x01, 0xF9, 0x88, 0xAF, 0xF5, 0xFC, 0x6C, 0xFF, 0x07, 0x9E, 0x13, 0x3C, 0x39, 0x80 }, //5.0.0
-    { 0xD8, 0xCC, 0xE1, 0x26, 0x6A, 0x35, 0x3F, 0xCC, 0x20, 0xF3, 0x2D, 0x3B, 0x51, 0x7D, 0xE9, 0xC0 }  //6.0.0
-};
-
-static const u8 cmac_keyseed[0x10] = { 0x59, 0xC7, 0xFB, 0x6F, 0xBE, 0x9B, 0xBE, 0x87, 0x65, 0x6B, 0x15, 0xC0, 0x53, 0x73, 0x36, 0xA5 };
-static const u8 master_keyseed_retail[0x10] = { 0xD8, 0xA2, 0x41, 0x0A, 0xC6, 0xC5, 0x90, 0x01, 0xC6, 0x1D, 0x6A, 0x26, 0x7C, 0x51, 0x3F, 0x3C };
-static const u8 console_keyseed[0x10] = { 0x4F, 0x02, 0x5F, 0x0E, 0xB6, 0x6D, 0x11, 0x0E, 0xDC, 0x32, 0x7D, 0x41, 0x86, 0xC2, 0xF4, 0x78 };
-static const u8 key8_keyseed[] = { 0xFB, 0x8B, 0x6A, 0x9C, 0x79, 0x00, 0xC8, 0x49, 0xEF, 0xD2, 0x4D, 0x85, 0x4D, 0x30, 0xA0, 0xC7 };
-static const u8 master_keyseed_4xx[0x10] = { 0x2D, 0xC1, 0xF4, 0x8D, 0xF3, 0x5B, 0x69, 0x33, 0x42, 0x10, 0xAC, 0x65, 0xDA, 0x90, 0x46, 0x66 };
-static const u8 console_keyseed_4xx[0x10] = { 0x0C, 0x91, 0x09, 0xDB, 0x93, 0x93, 0x07, 0x81, 0x07, 0x3C, 0xC4, 0x16, 0x22, 0x7C, 0x6C, 0x28 };
 
 void firmware();
\ No newline at end of file
diff --git a/src/hwinit/util.h b/src/hwinit/util.h
index 36d2cc0..4e5b31f 100644
--- a/src/hwinit/util.h
+++ b/src/hwinit/util.h
@@ -34,7 +34,7 @@ u32 get_tmr_us();
 void musleep(u32 milliseconds);
 void usleep(u32 microseconds);
 void exec_cfg(u32 *base, const cfg_op_t *ops, u32 num_ops);
-uPtr memsearch(const u8 *startPos, u32 searchSize, const void *pattern, u32 patternSize);
+uPtr memsearch(void *startPos, size_t searchSize, void *pattern, size_t patternSize);
 uPtr getFreeSpace(void *start, size_t space, size_t searchSize);
 u32 crc32c(const void *buf, u32 len);
 

From 2cc51b5cfe3d85fbbee3b79ba9f5cf4bc660f40c Mon Sep 17 00:00:00 2001
From: Rasmus Moorats <me@neonsea.uk>
Date: Sat, 8 Sep 2018 14:08:25 +0300
Subject: [PATCH 22/35] Display splash before loading firmware

Removes 3 second delay for booting into Horizon, and mutes the console. Errors unmute.
---
 src/error.c    |  1 +
 src/firmware.c | 16 +++++++++++-----
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/src/error.c b/src/error.c
index 6dcd62b..e790cc6 100644
--- a/src/error.c
+++ b/src/error.c
@@ -30,6 +30,7 @@ void panic() {
 }
 
 void error(char *errStr) {
+    gfx_con.mute = 0;
     gfx_con_setcol(&gfx_con, RED, 0, 0);
     print("Error: %s", errStr);
     gfx_con_setcol(&gfx_con, DEFAULT_TEXT_COL, 0, 0);
diff --git a/src/firmware.c b/src/firmware.c
index 0a2eac1..f2f50ab 100644
--- a/src/firmware.c
+++ b/src/firmware.c
@@ -25,13 +25,14 @@
 
 static pk11_offs *pk11Offs = NULL;
 
-void drawSplash() {
+int drawSplash() {
     // Draw splashscreen to framebuffer.
     if(fopen("/ReiNX/splash.bin", "rb") != 0) {
         fread((void*)0xC0000000, fsize(), 1);
         fclose();
-        usleep(3000000);
+        return 1;
     }
+    return 0;
 }
 
 pk11_offs *pkg11_offsentify(u8 *pkg1) {
@@ -309,7 +310,7 @@ void firmware() {
             i2c_send_byte(I2C_5, 0x3C, MAX77620_REG_ONOFFCNFG1, MAX77620_ONOFFCNFG1_PWR_OFF);
         btn_wait();
     }
-    
+
     if(PMC(APBDEV_PMC_SCRATCH49) != 69 && fopen("/ReiNX.bin", "rb")) {
         fread((void*)PAYLOAD_ADDR, fsize(), 1);
         fclose();
@@ -322,9 +323,14 @@ void firmware() {
     }
     SYSREG(AHB_AHB_SPARE_REG) = (volatile vu32)0xFFFFFF9F;
 	PMC(APBDEV_PMC_SCRATCH49) = 0;
-    
+
+    if (btn_read() & BTN_VOL_DOWN) {
+        print("Booting verbosely\n");
+    } else if (drawSplash()) {
+        gfx_con.mute = 1;
+    }
+
     print("Welcome to ReiNX %s!\n", VERSION);
     loadFirm();
-    drawSplash();
     launch();
 }

From d5064a2135775e7030668dd8cbfaab68f8d7669c Mon Sep 17 00:00:00 2001
From: Rei <asterma@yahoo.com>
Date: Sat, 8 Sep 2018 19:02:42 -0400
Subject: [PATCH 23/35] memes

---
 NX_Sysmodules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/NX_Sysmodules b/NX_Sysmodules
index 281c052..3320a30 160000
--- a/NX_Sysmodules
+++ b/NX_Sysmodules
@@ -1 +1 @@
-Subproject commit 281c0521dd09ec6c5af6cfef75f505602dd0888c
+Subproject commit 3320a30dd28951f657635c51bcc6d3f7aafd1ed4

From 5eb0a07dacbb7f9a07dc28bddd99c75bff3f47d6 Mon Sep 17 00:00:00 2001
From: shchmue <shchmue@gmail.com>
Date: Sun, 9 Sep 2018 13:52:28 -0400
Subject: [PATCH 24/35] Fix build on Windows

---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 853f98c..e7a5d0e 100644
--- a/Makefile
+++ b/Makefile
@@ -4,7 +4,7 @@ ifeq ($(strip $(DEVKITARM)),)
 $(error "Please set DEVKITARM in your environment. export DEVKITARM=<path to>devkitARM")
 endif
 
-CC = $(DEVKITARM)/bin/arm-none-eabi-gcc
+include $(DEVKITARM)/base_tools
 LD = $(DEVKITARM)/bin/arm-none-eabi-ld
 OBJCOPY = $(DEVKITARM)/bin/arm-none-eabi-objcopy
 

From ac48b75f10b900532609cfbc3bab3d8370b80091 Mon Sep 17 00:00:00 2001
From: Rei <asterma@yahoo.com>
Date: Sun, 9 Sep 2018 14:49:57 -0400
Subject: [PATCH 25/35] sysmod update

---
 NX_Sysmodules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/NX_Sysmodules b/NX_Sysmodules
index 3320a30..7c92325 160000
--- a/NX_Sysmodules
+++ b/NX_Sysmodules
@@ -1 +1 @@
-Subproject commit 3320a30dd28951f657635c51bcc6d3f7aafd1ed4
+Subproject commit 7c9232535fb356a7f3d4afccab869f3608d44a68

From 8367cf2f2935ebb17f8c4c1870ef87ab3edc0546 Mon Sep 17 00:00:00 2001
From: Rei <asterma@yahoo.com>
Date: Sun, 9 Sep 2018 23:15:06 -0400
Subject: [PATCH 26/35] fix version string for 6.x

---
 NX_Sysmodules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/NX_Sysmodules b/NX_Sysmodules
index 7c92325..610cdd3 160000
--- a/NX_Sysmodules
+++ b/NX_Sysmodules
@@ -1 +1 @@
-Subproject commit 7c9232535fb356a7f3d4afccab869f3608d44a68
+Subproject commit 610cdd34c34ebd23797db54e8170a166c2f64d98

From c6234528213eb62fbbecca710d05f2abad40418b Mon Sep 17 00:00:00 2001
From: Rei <asterma@yahoo.com>
Date: Mon, 10 Sep 2018 21:19:54 -0400
Subject: [PATCH 27/35] fixed kern hooks to add full 6.0 support [thanks Mike
 ;^) ]

---
 src/package.h | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/src/package.h b/src/package.h
index f944970..2a1605f 100644
--- a/src/package.h
+++ b/src/package.h
@@ -39,7 +39,7 @@
 #define ID_SND_OFF_302 0x26080
 #define ID_SND_OFF_400 0x2AF64
 #define ID_SND_OFF_500 0x2AD34
-#define ID_SND_OFF_600 0x2BB88
+#define ID_SND_OFF_600 0x2BB8C
 
 #define ID_RCV_OFF_100 0x219F0
 #define ID_RCV_OFF_200 0x3D1A8
@@ -232,14 +232,12 @@ static u32 PRC_ID_RCV_500[] =
 
 static u32 PRC_ID_SND_600[] =
 {
-	0x2A1703EA, 0xD37EF54A, 0xF86A6B6A, 0x92FFFFE9, 0x8A090148, 0xD2FFFFE9, 0x8A09014A, 0xD2FFFFC9,
-	0xEB09015F, 0x54000060, 0xF94043EA, 0xF9415948, 0xF94043EA
+    0xA9BF2FEA, 0xF94037EB, 0x2A1503EA, 0xD37EF54A, 0xF86A696A, 0x92FFFFE9, 0x8A090148, 0xD2FFFFE9, 0x8A09014A, 0xD2FFFFC9, 0xEB09015F, 0x54000100, 0xA9BF27E8, 0xF9400308, 0xF9401D08, 0xAA1803E0, 0xD63F0100, 0xA8C127E8, 0xAA0003E8, 0xA8C12FEA, 0xAA0803E0
 };
 #define FREE_CODE_OFF_2ND_600 (FREE_CODE_OFF_1ST_600 + sizeof(PRC_ID_SND_600) + 4)
 static u32 PRC_ID_RCV_600[] =
 {
-	0xF9403BED, 0x2A1503EA, 0xD37EF54A, 0xF86A69AA, 0x92FFFFE9, 0x8A090148, 0xD2FFFFE9, 0x8A09014A,
-	0xD2FFFFC9, 0xEB09015F, 0x54000040, 0xF9415B08, 0xF9406FEA
+	0xA9BF2FEA, 0xF94043EB, 0x2A1503EA, 0xD37EF54A, 0xF86A696A, 0x92FFFFE9, 0x8A090148, 0xD2FFFFE9, 0x8A09014A, 0xD2FFFFC9, 0xEB09015F, 0x54000100, 0xA9BF27E8, 0xF9400308, 0xF9401D08, 0xAA1803E0, 0xD63F0100, 0xA8C127E8, 0xAA0003E8, 0xA8C12FEA, 0xAA0803E0
 };
 
 
@@ -334,14 +332,14 @@ static kernel_patch_t kern6[] = {
 	{ SVC_VERIFY_DS, 0x47EA0, _NOP(), NULL },          // Disable SVC verifications
 	{ DEBUG_MODE_EN, 0x57548, _MOVZX(8, 1, 0), NULL }, // Enable Debug Patch
 	// Atmosphère kernel patches.
-	/*{ ATM_GEN_PATCH, ID_SND_OFF_600, _B(ID_SND_OFF_600, FREE_CODE_OFF_1ST_600), NULL},    // Send process id branch.
+	{ ATM_GEN_PATCH, ID_SND_OFF_600, _B(ID_SND_OFF_600, FREE_CODE_OFF_1ST_600), NULL},    // Send process id branch.
 	{ ATM_ARR_PATCH, FREE_CODE_OFF_1ST_600, sizeof(PRC_ID_SND_600) >> 2, PRC_ID_SND_600}, // Send process id code.
 	{ ATM_GEN_PATCH, FREE_CODE_OFF_1ST_600 + sizeof(PRC_ID_SND_600),                      // Branch back and skip 2 instructions.
-		_B(FREE_CODE_OFF_1ST_600 + sizeof(PRC_ID_SND_600), ID_SND_OFF_600 + 8), NULL},
+		_B(FREE_CODE_OFF_1ST_600 + sizeof(PRC_ID_SND_600), ID_SND_OFF_600 + 0x10), NULL},
 	{ ATM_GEN_PATCH, ID_RCV_OFF_600, _B(ID_RCV_OFF_600, FREE_CODE_OFF_2ND_600), NULL},    // Receive process id branch.
 	{ ATM_ARR_PATCH, FREE_CODE_OFF_2ND_600, sizeof(PRC_ID_RCV_600) >> 2, PRC_ID_RCV_600}, // Receive process id code.
 	{ ATM_GEN_PATCH, FREE_CODE_OFF_2ND_600 + sizeof(PRC_ID_RCV_600),                      // Branch back and skip 2 instructions.
-		_B(FREE_CODE_OFF_2ND_600 + sizeof(PRC_ID_RCV_600), ID_RCV_OFF_600 + 8), NULL},*/
+		_B(FREE_CODE_OFF_2ND_600 + sizeof(PRC_ID_RCV_600), ID_RCV_OFF_600 + 0x10), NULL},
 	{0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, (u32*)0xFFFFFFFF}
 };
 

From a4f171dcd975a7cba296f51c77bc41ae87d36e98 Mon Sep 17 00:00:00 2001
From: Rei <asterma@yahoo.com>
Date: Wed, 19 Sep 2018 21:59:57 -0400
Subject: [PATCH 28/35] allow booting without SD; quick temp fix for sleepmode
 bug

---
 src/firmware.c | 4 ++--
 src/package.h  | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/firmware.c b/src/firmware.c
index f2f50ab..5af7833 100644
--- a/src/firmware.c
+++ b/src/firmware.c
@@ -303,9 +303,9 @@ void firmware() {
     gfx_con_init(&gfx_con, &gfx_ctxt);
     gfx_con_setcol(&gfx_con, DEFAULT_TEXT_COL, 0, 0);
 
-    while (!sdMount()) {
+    if (!sdMount()) {
         error("Failed to init SD card!\n");
-        print("Press POWER to power off, any other key to retry\n");
+        print("Press POWER to power off, or any other key to continue without SD.\n");
         if (btn_wait() & BTN_POWER)
             i2c_send_byte(I2C_5, 0x3C, MAX77620_REG_ONOFFCNFG1, MAX77620_ONOFFCNFG1_PWR_OFF);
         btn_wait();
diff --git a/src/package.h b/src/package.h
index 2a1605f..a5dce52 100644
--- a/src/package.h
+++ b/src/package.h
@@ -330,7 +330,7 @@ static kernel_patch_t kern5[] = {
 
 static kernel_patch_t kern6[] = {
 	{ SVC_VERIFY_DS, 0x47EA0, _NOP(), NULL },          // Disable SVC verifications
-	{ DEBUG_MODE_EN, 0x57548, _MOVZX(8, 1, 0), NULL }, // Enable Debug Patch
+	//{ DEBUG_MODE_EN, 0x57548, _MOVZX(8, 1, 0), NULL }, // Enable Debug Patch
 	// Atmosphère kernel patches.
 	{ ATM_GEN_PATCH, ID_SND_OFF_600, _B(ID_SND_OFF_600, FREE_CODE_OFF_1ST_600), NULL},    // Send process id branch.
 	{ ATM_ARR_PATCH, FREE_CODE_OFF_1ST_600, sizeof(PRC_ID_SND_600) >> 2, PRC_ID_SND_600}, // Send process id code.

From 76d77f6526ad4c637741f8ac9bf8f2cfb15aa531 Mon Sep 17 00:00:00 2001
From: The-4n <as.mail2007@gmail.com>
Date: Fri, 21 Sep 2018 12:51:57 +0430
Subject: [PATCH 29/35] Added FS hashes for 6.0.0-5.0

---
 src/kippatches/fs.inc | 18 ++++++++++++++++--
 src/package.c         |  6 ++++--
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/src/kippatches/fs.inc b/src/kippatches/fs.inc
index 1128c51..7a41e55 100644
--- a/src/kippatches/fs.inc
+++ b/src/kippatches/fs.inc
@@ -252,14 +252,28 @@ static kippatch_t fs_kip_patches_510[] = {
   { NULL, NULL }
 };
 
-static kippatch_t fs_kip_patches_600[] = {
+static kippatch_t fs_kip_patches_600_40[] = {
   { "nosigchk", fs_diffs_600_nosigchk },
   { "nocmac", fs_diffs_600_nocmac },
   { "nogc", fs_diffs_600_nogc },
   { NULL, NULL }
 };
 
-static kippatch_t fs_kip_patches_600_exfat[] = {
+static kippatch_t fs_kip_patches_600_40_exfat[] = {
+  { "nosigchk", fs_diffs_600_exfat_nosigchk },
+  { "nocmac", fs_diffs_600_exfat_nocmac },
+  { "nogc", fs_diffs_600_exfat_nogc },
+  { NULL, NULL }
+};
+
+static kippatch_t fs_kip_patches_600_50[] = {
+  { "nosigchk", fs_diffs_600_nosigchk },
+  { "nocmac", fs_diffs_600_nocmac },
+  { "nogc", fs_diffs_600_nogc },
+  { NULL, NULL }
+};
+
+static kippatch_t fs_kip_patches_600_50_exfat[] = {
   { "nosigchk", fs_diffs_600_exfat_nosigchk },
   { "nocmac", fs_diffs_600_exfat_nocmac },
   { "nogc", fs_diffs_600_exfat_nogc },
diff --git a/src/package.c b/src/package.c
index 02ccd61..2952c62 100644
--- a/src/package.c
+++ b/src/package.c
@@ -249,8 +249,10 @@ kippatchset_t kip_patches[] = {
     { "FS", "\xce\x3e\xcb\xa2\xf2\xf0\x62\xf5\x75\xf8\xf3\x60\x84\x2b\x32\xb4", fs_kip_patches_500 },
     { "FS", "\x76\xf8\x74\x02\xc9\x38\x7c\x0f\x0a\x2f\xab\x1b\x45\xce\xbb\x93", fs_kip_patches_510 },
     { "FS", "\x10\xb2\xd8\x16\x05\x48\x85\x99\xdf\x22\x42\xcb\x6b\xac\x2d\xf1", fs_kip_patches_510 },
-    { "FS", "\x1b\x82\xcb\x22\x18\x67\xcb\x52\xc4\x4a\x86\x9e\xa9\x1a\x1a\xdd", fs_kip_patches_600 },
-    { "FS", "\x96\x6a\xdd\x3d\x20\xb6\x27\x13\x2c\x5a\x8d\xa4\x9a\xc9\xd8\xdd", fs_kip_patches_600_exfat },
+    { "FS", "\x1b\x82\xcb\x22\x18\x67\xcb\x52\xc4\x4a\x86\x9e\xa9\x1a\x1a\xdd", fs_kip_patches_600_40 },
+    { "FS", "\x96\x6a\xdd\x3d\x20\xb6\x27\x13\x2c\x5a\x8d\xa4\x9a\xc9\xd8\xdd", fs_kip_patches_600_40_exfat },
+    { "FS", "\x3a\x57\x4d\x43\x61\x86\x19\x1d\x17\x88\xeb\x2c\x0f\x07\x6b\x11", fs_kip_patches_600_50 },
+    { "FS", "\x33\x05\x53\xf6\xb5\xfb\x55\xc4\xc2\xd7\xb7\x36\x24\x02\x76\xb3", fs_kip_patches_600_50_exfat },
     { NULL, NULL, NULL },
 };
 

From 315dfad74d8f9a77fd938da2566eb3d66f692387 Mon Sep 17 00:00:00 2001
From: Rei <asterma@yahoo.com>
Date: Fri, 21 Sep 2018 05:54:13 -0400
Subject: [PATCH 30/35] add default disabled kips :wheelchair:

---
 Makefile      | 3 +++
 NX_Sysmodules | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index e7a5d0e..6d632a8 100644
--- a/Makefile
+++ b/Makefile
@@ -51,9 +51,12 @@ $(dir_out)/sysmodules: $(dir_sysmod)
 $(dir_out)/$(name).bin: $(dir_build)/$(name).elf
 	@mkdir -p "$(@D)"
 	@mkdir -p "$(dir_out)/ReiNX/sysmodules"
+	@mkdir -p "$(dir_out)/ReiNX/sysmodules.dis"
 	@mkdir -p "$(dir_out)/ReiNX/patches"
 	@cp $(dir_sysmod)/loader/loader.kip $(dir_out)/ReiNX/sysmodules/
 	@cp $(dir_sysmod)/sm/sm.kip $(dir_out)/ReiNX/sysmodules/
+	@cp $(dir_sysmod)/pm/pm.kip $(dir_out)/ReiNX/sysmodules.dis/
+	@cp $(dir_sysmod)/fs_mitm/fs_mitm.kip $(dir_out)/ReiNX/sysmodules.dis/
 	@cp -R $(dir_data)/*.bin $(dir_out)/ReiNX/
 	@cp -R $(dir_data)/*.rxp $(dir_out)/ReiNX/patches
 	$(OBJCOPY) -S -O binary $< $@
diff --git a/NX_Sysmodules b/NX_Sysmodules
index 610cdd3..3c12add 160000
--- a/NX_Sysmodules
+++ b/NX_Sysmodules
@@ -1 +1 @@
-Subproject commit 610cdd34c34ebd23797db54e8170a166c2f64d98
+Subproject commit 3c12add04883b893698cfa04451c834e34bcbe66

From cefc17432c593e8f749342bfbe0708b562eb2051 Mon Sep 17 00:00:00 2001
From: Rei <asterma@yahoo.com>
Date: Sat, 22 Sep 2018 16:12:03 -0400
Subject: [PATCH 31/35] Rewrite kernel patching system

---
 README.md         |   2 +
 src/firmware.c    | 108 +++++++++++++++++++++++----
 src/hwinit/util.c |   2 +-
 src/package.c     |   8 --
 src/package.h     | 181 ++--------------------------------------------
 5 files changed, 104 insertions(+), 197 deletions(-)

diff --git a/README.md b/README.md
index bcb4191..cf43cbf 100644
--- a/README.md
+++ b/README.md
@@ -23,6 +23,8 @@ To compile with Docker, `chmod +x docker-build.sh` and run the shell script `./d
 
 * FS patches on the fly (NCA verify/cmac and optional nogc)
 
+* Kernel patches on the fly (optional debug mode)
+
 * Exclusive ReiNX sysmodules
 
 * ES patch in RXP patch format (used with custom loader.kip)
diff --git a/src/firmware.c b/src/firmware.c
index 5af7833..242dcf6 100644
--- a/src/firmware.c
+++ b/src/firmware.c
@@ -121,21 +121,99 @@ void patch(pk11_offs *pk11, pkg2_hdr_t *pkg2, link_t *kips) {
     //Patch Kernel
     if(!customKern) {
         u32 crc = crc32c(pkg2->data, pkg2->sec_size[PKG2_SEC_KERNEL]);
-		const pkg2_kernel_id_t * id = pkg2_identify(crc);
-		
-		kernel_patch_t * kpatch = id->kernel_patchset;
-		if(kpatch!=NULL) {
-			for(int i=0; kpatch[i].id!=-1; i++) {
-				if(kpatch[i].id != ATM_ARR_PATCH)
-					*(vu32 *)(pkg2->data + kpatch[i].off) = kpatch[i].val;
-				else {
-					u32 * temp = (u32 *)kpatch[i].ptr;
-					for(int j=0; j< kpatch[i].val; j++) {
-						*(vu32*)(pkg2->data + kpatch[i].off + j*4) = temp[j];
-					}
-				}
-			}
-		}
+        uPtr kern = (uPtr)&pkg2->data;
+        uPtr sendOff, recvOff, codeRcvOff, codeSndOff, svcVerifOff, svcDebugOff;
+        switch(crc){
+            case 0x427f2647:{
+                svcVerifOff = 0x3764C;
+                svcDebugOff = 0x44074;
+                sendOff = 0x23CC0;
+                recvOff = 0x219F0;
+                codeSndOff = 4;
+                codeRcvOff = 4;
+                break;
+            }
+            case 0xae19cf1b:{
+                svcVerifOff = 0x54834;
+                svcDebugOff = 0x6086C;
+                sendOff = 0x3F134;
+                recvOff = 0x3D1A8;
+                codeSndOff = 4;
+                codeRcvOff = 4;
+                break;
+            }
+            case 0x73c9e274:{
+                svcVerifOff = 0x3BD24;
+                svcDebugOff = 0x483FC;
+                sendOff = 0x26080;
+                recvOff = 0x240F0;
+                codeSndOff = 4;
+                codeRcvOff = 4;
+                break;
+            }
+            case 0xe0e8cdc4:{
+                svcVerifOff = 0x3BD24;
+                svcDebugOff = 0x48414;
+                sendOff = 0x26080;
+                recvOff = 0x240F0;
+                codeSndOff = 4;
+                codeRcvOff = 4;
+                break;
+            }
+            case 0x485d0157:{
+                svcVerifOff = 0x41EB4;
+                svcDebugOff = 0x4EBFC;
+                sendOff = 0x2AF64;
+                recvOff = 0x28F6C;
+                codeSndOff = 8;
+                codeRcvOff = 4;
+                break;
+            }
+            case 0xf3c363f2:{
+                svcVerifOff = 0x45E6C;
+                svcDebugOff = 0x5513C;
+                sendOff = 0x2AD34;
+                recvOff = 0x28DAC;
+                codeSndOff = 8;
+                codeRcvOff = 8;
+                break;
+            }
+            case 0x64ce1a44:{
+                svcVerifOff = 0x47EA0;
+                svcDebugOff = 0x57548;
+                sendOff = 0x2BB8C;
+                recvOff = 0x29B6C;
+                codeSndOff = 0x10;
+                codeRcvOff = 0x10;
+                break;
+            }
+            default:
+                error("Kernel not supported");
+                goto end;
+        }
+        
+        //ID Send
+		uPtr freeSpace = getFreeSpace((void*)pkg2->data, 0x200, pkg2->sec_size[PKG2_SEC_KERNEL]);      //Find area to write payload
+        size_t payloadSize = sizeof(PRC_ID_SND_600);
+        *(vu32*)(kern + sendOff) = _B(sendOff, freeSpace);                                             //write hook to payload
+        memcpy((void*)(kern + freeSpace), (void*)PRC_ID_SND_600, payloadSize);                         //Copy payload to free space
+        *(vu32*)(kern + freeSpace + payloadSize) = _B(freeSpace + payloadSize, sendOff + codeSndOff);  //Jump back skipping the hook
+        
+        //ID Receive
+        freeSpace += (payloadSize+4);
+        payloadSize = sizeof(PRC_ID_RCV_600);
+        *(vu32*)(kern + recvOff) = _B(recvOff, freeSpace);
+        memcpy((void*)(kern + freeSpace), (void*)PRC_ID_RCV_600, payloadSize);
+        *(vu32*)(kern + freeSpace + payloadSize) = _B(freeSpace + payloadSize, recvOff + codeRcvOff);
+        
+        //SVC patches
+        *(vu32*)(kern + svcVerifOff) = NOP;
+        if (fopen("/ReiNX/debug", "rb")) {
+            fclose();
+            *(vu32*)(kern + svcDebugOff) = _MOVZX(8, 1, 0);
+        }
+        
+        end:;
     }
 
     u8 kipHash[0x20];
diff --git a/src/hwinit/util.c b/src/hwinit/util.c
index 016a7c9..375f6e2 100644
--- a/src/hwinit/util.c
+++ b/src/hwinit/util.c
@@ -70,7 +70,7 @@ uPtr getFreeSpace(void *start, size_t space, size_t searchSize) {
         if(*(u8*)(start+i) == 0) {
             for(int j=0;j<space;j++) {
                 if(*(u8*)(start+i+j) != 0) break;
-                if(j==space-1) return (uPtr)(start+i);
+                if(j==space-1) return (uPtr)i;
             }
         }
     }
diff --git a/src/package.c b/src/package.c
index 2952c62..149c16b 100644
--- a/src/package.c
+++ b/src/package.c
@@ -124,14 +124,6 @@ void pkg1_unpack(pk11_offs *offs, u8 *pkg1) {
     }
 }
 
-const pkg2_kernel_id_t *pkg2_identify(u32 id)
-{
-	for (u32 i = 0; _pkg2_kernel_ids[i].crc32c_id; i++)
-		if (id == _pkg2_kernel_ids[i].crc32c_id)
-			return &_pkg2_kernel_ids[i];
-	return NULL;
-}
-
 void buildFirmwarePackage(u8 *kernel, u32 kernel_size, link_t *kips_info) {
     u8 *pdst = (u8 *)0xA9800000;
 
diff --git a/src/package.h b/src/package.h
index a5dce52..6179524 100644
--- a/src/package.h
+++ b/src/package.h
@@ -25,30 +25,6 @@
 
 #define INI1_MAGIC 0x31494E49
 
-#define FREE_CODE_OFF_1ST_100 0x4797C
-#define FREE_CODE_OFF_1ST_200 0x6486C
-#define FREE_CODE_OFF_1ST_300 0x494A4
-#define FREE_CODE_OFF_1ST_302 0x494BC
-#define FREE_CODE_OFF_1ST_400 0x52890
-#define FREE_CODE_OFF_1ST_500 0x5C020
-#define FREE_CODE_OFF_1ST_600 0x5EE00
-
-#define ID_SND_OFF_100 0x23CC0
-#define ID_SND_OFF_200 0x3F134
-#define ID_SND_OFF_300 0x26080
-#define ID_SND_OFF_302 0x26080
-#define ID_SND_OFF_400 0x2AF64
-#define ID_SND_OFF_500 0x2AD34
-#define ID_SND_OFF_600 0x2BB8C
-
-#define ID_RCV_OFF_100 0x219F0
-#define ID_RCV_OFF_200 0x3D1A8
-#define ID_RCV_OFF_300 0x240F0
-#define ID_RCV_OFF_302 0x240F0
-#define ID_RCV_OFF_400 0x28F6C
-#define ID_RCV_OFF_500 0x28DAC
-#define ID_RCV_OFF_600 0x29B6C
-
 #define NOP 0xD503201F
 #define ADRP(r, o) 0x90000000 | ((((o) >> 12) & 0x3) << 29) | ((((o) >> 12) & 0x1FFFFC) << 3) | ((r) & 0x1F)
 
@@ -133,37 +109,12 @@ typedef struct {
 	u32 sm_off;
 } pk11_header;
 
-enum
-{
-	// Generic instruction patches
-	SVC_VERIFY_DS = 0x10, // 0x0-0xF are RESERVED.
-	DEBUG_MODE_EN,
-	ATM_GEN_PATCH,
-	// >4 bytes patches. Value is a pointer of a u32 array.
-	ATM_ARR_PATCH,
-};
-
-typedef struct _kernel_patch_t
-{
-	u32 id;
-	u32 off;
-	u32 val;
-	u32 *ptr;
-} kernel_patch_t;
-
-typedef struct _pkg2_kernel_id_t
-{
-	u32 crc32c_id;
-	kernel_patch_t *kernel_patchset;
-} pkg2_kernel_id_t;
-
-
 static u32 PRC_ID_SND_100[] =
 {
 	0xA9BF2FEA, 0x2A0E03EB, 0xD37EF56B, 0xF86B6B8B, 0x92FFFFE9, 0x8A090168, 0xD2FFFFE9, 0x8A09016B,
 	0xD2FFFFC9, 0xEB09017F, 0x54000040, 0xF9412948,	0xA8C12FEA
 };
-#define FREE_CODE_OFF_2ND_100 (FREE_CODE_OFF_1ST_100 + sizeof(PRC_ID_SND_100) + 4)
+
 static u32 PRC_ID_RCV_100[] =
 {
 	0xA9BF2FEA, 0x2A1C03EA, 0xD37EF54A, 0xF86A69AA, 0x92FFFFE9, 0x8A090148, 0xD2FFFFE9, 0x8A09014A,
@@ -175,7 +126,7 @@ static u32 PRC_ID_SND_200[] =
 	0xA9BF2FEA, 0x2A1803EB, 0xD37EF56B, 0xF86B6B8B, 0x92FFFFE9, 0x8A090168, 0xD2FFFFE9, 0x8A09016B,
 	0xD2FFFFC9, 0xEB09017F, 0x54000040, 0xF9413148, 0xA8C12FEA
 };
-#define FREE_CODE_OFF_2ND_200 (FREE_CODE_OFF_1ST_200 + sizeof(PRC_ID_SND_200) + 4)
+
 static u32 PRC_ID_RCV_200[] =
 {
 	0xA9BF2FEA, 0x2A0F03EA, 0xD37EF54A, 0xF9405FEB, 0xF86A696A, 0xF9407BEB, 0x92FFFFE9, 0x8A090148,
@@ -187,7 +138,7 @@ static u32 PRC_ID_SND_300[] =
 	0xA9BF2FEA, 0x2A1803EB, 0xD37EF56B, 0xF86B6B8B, 0x92FFFFE9, 0x8A090168, 0xD2FFFFE9, 0x8A09016B,
 	0xD2FFFFC9, 0xEB09017F, 0x54000040, 0xF9415548, 0xA8C12FEA
 };
-#define FREE_CODE_OFF_2ND_300 (FREE_CODE_OFF_1ST_300 + sizeof(PRC_ID_SND_300) + 4)
+
 static u32 PRC_ID_RCV_300[] =
 {
 	0xA9BF2FEA, 0x2A0F03EA, 0xD37EF54A, 0xF9405FEB, 0xF86A696A, 0xF9407BEB, 0x92FFFFE9, 0x8A090148,
@@ -199,7 +150,7 @@ static u32 PRC_ID_SND_302[] =
 	0xA9BF2FEA, 0x2A1803EB, 0xD37EF56B, 0xF86B6B8B, 0x92FFFFE9, 0x8A090168, 0xD2FFFFE9, 0x8A09016B,
 	0xD2FFFFC9, 0xEB09017F, 0x54000040, 0xF9415548, 0xA8C12FEA
 };
-#define FREE_CODE_OFF_2ND_302 (FREE_CODE_OFF_1ST_302 + sizeof(PRC_ID_SND_302) + 4)
+
 static u32 PRC_ID_RCV_302[] =
 {
 	0xA9BF2FEA, 0x2A0F03EA, 0xD37EF54A, 0xF9405FEB, 0xF86A696A, 0xF9407BEB, 0x92FFFFE9, 0x8A090148,
@@ -211,7 +162,7 @@ static u32 PRC_ID_SND_400[] =
 	0x2A1703EA, 0xD37EF54A, 0xF86A6B8A, 0x92FFFFE9, 0x8A090148, 0xD2FFFFE9, 0x8A09014A, 0xD2FFFFC9,
 	0xEB09015F, 0x54000060, 0xF94053EA, 0xF9415948, 0xF94053EA
 };
-#define FREE_CODE_OFF_2ND_400 (FREE_CODE_OFF_1ST_400 + sizeof(PRC_ID_SND_400) + 4)
+
 static u32 PRC_ID_RCV_400[] =
 {
 	0xF9403BED, 0x2A0E03EA, 0xD37EF54A, 0xF86A69AA, 0x92FFFFE9, 0x8A090148, 0xD2FFFFE9, 0x8A09014A,
@@ -223,7 +174,7 @@ static u32 PRC_ID_SND_500[] =
 	0x2A1703EA, 0xD37EF54A, 0xF86A6B6A, 0x92FFFFE9, 0x8A090148, 0xD2FFFFE9, 0x8A09014A, 0xD2FFFFC9,
 	0xEB09015F, 0x54000060, 0xF94043EA, 0xF9415948, 0xF94043EA
 };
-#define FREE_CODE_OFF_2ND_500 (FREE_CODE_OFF_1ST_500 + sizeof(PRC_ID_SND_500) + 4)
+
 static u32 PRC_ID_RCV_500[] =
 {
 	0xF9403BED, 0x2A1503EA, 0xD37EF54A, 0xF86A69AA, 0x92FFFFE9, 0x8A090148, 0xD2FFFFE9, 0x8A09014A,
@@ -234,127 +185,12 @@ static u32 PRC_ID_SND_600[] =
 {
     0xA9BF2FEA, 0xF94037EB, 0x2A1503EA, 0xD37EF54A, 0xF86A696A, 0x92FFFFE9, 0x8A090148, 0xD2FFFFE9, 0x8A09014A, 0xD2FFFFC9, 0xEB09015F, 0x54000100, 0xA9BF27E8, 0xF9400308, 0xF9401D08, 0xAA1803E0, 0xD63F0100, 0xA8C127E8, 0xAA0003E8, 0xA8C12FEA, 0xAA0803E0
 };
-#define FREE_CODE_OFF_2ND_600 (FREE_CODE_OFF_1ST_600 + sizeof(PRC_ID_SND_600) + 4)
+
 static u32 PRC_ID_RCV_600[] =
 {
 	0xA9BF2FEA, 0xF94043EB, 0x2A1503EA, 0xD37EF54A, 0xF86A696A, 0x92FFFFE9, 0x8A090148, 0xD2FFFFE9, 0x8A09014A, 0xD2FFFFC9, 0xEB09015F, 0x54000100, 0xA9BF27E8, 0xF9400308, 0xF9401D08, 0xAA1803E0, 0xD63F0100, 0xA8C127E8, 0xAA0003E8, 0xA8C12FEA, 0xAA0803E0
 };
 
-
-static kernel_patch_t kern1[] = {
-	{ SVC_VERIFY_DS, 0x3764C, _NOP(), NULL },          // Disable SVC verifications
-	{ DEBUG_MODE_EN, 0x44074, _MOVZX(8, 1, 0), NULL }, // Enable Debug Patch
-	// Atmosphère kernel patches.
-	{ ATM_GEN_PATCH, ID_SND_OFF_100, _B(ID_SND_OFF_100, FREE_CODE_OFF_1ST_100), NULL},    // Send process id branch.
-	{ ATM_ARR_PATCH, FREE_CODE_OFF_1ST_100, sizeof(PRC_ID_SND_100) >> 2, PRC_ID_SND_100}, // Send process id code.
-	{ ATM_GEN_PATCH, FREE_CODE_OFF_1ST_100 + sizeof(PRC_ID_SND_100),                      // Branch back and skip 1 instruction.
-		_B(FREE_CODE_OFF_1ST_100 + sizeof(PRC_ID_SND_100), ID_SND_OFF_100 + 4), NULL},
-	{ ATM_GEN_PATCH, ID_RCV_OFF_100, _B(ID_RCV_OFF_100, FREE_CODE_OFF_2ND_100), NULL},    // Receive process id branch.
-	{ ATM_ARR_PATCH, FREE_CODE_OFF_2ND_100, sizeof(PRC_ID_RCV_100) >> 2, PRC_ID_RCV_100}, // Receive process id code.
-	{ ATM_GEN_PATCH, FREE_CODE_OFF_2ND_100 + sizeof(PRC_ID_RCV_100),                      // Branch back and skip 1 instruction.
-	_B(FREE_CODE_OFF_2ND_100 + sizeof(PRC_ID_RCV_100), ID_RCV_OFF_100 + 4), NULL},
-	{0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, (u32*)0xFFFFFFFF}
-};
-
-static kernel_patch_t kern2[] = {
-	{ SVC_VERIFY_DS, 0x54834, _NOP(), NULL },          // Disable SVC verifications
-	{ DEBUG_MODE_EN, 0x6086C, _MOVZX(8, 1, 0), NULL }, // Enable Debug Patch
-	// Atmosphère kernel patches.
-	{ ATM_GEN_PATCH, ID_SND_OFF_200, _B(ID_SND_OFF_200, FREE_CODE_OFF_1ST_200), NULL},    // Send process id branch.
-	{ ATM_ARR_PATCH, FREE_CODE_OFF_1ST_200, sizeof(PRC_ID_SND_200) >> 2, PRC_ID_SND_200}, // Send process id code.
-	{ ATM_GEN_PATCH, FREE_CODE_OFF_1ST_200 + sizeof(PRC_ID_SND_200),                      // Branch back and skip 1 instruction.
-		_B(FREE_CODE_OFF_1ST_200 + sizeof(PRC_ID_SND_200), ID_SND_OFF_200 + 4), NULL},
-	{ ATM_GEN_PATCH, ID_RCV_OFF_200, _B(ID_RCV_OFF_200, FREE_CODE_OFF_2ND_200), NULL},    // Receive process id branch.
-	{ ATM_ARR_PATCH, FREE_CODE_OFF_2ND_200, sizeof(PRC_ID_RCV_200) >> 2, PRC_ID_RCV_200}, // Receive process id code.
-	{ ATM_GEN_PATCH, FREE_CODE_OFF_2ND_200 + sizeof(PRC_ID_RCV_200),                      // Branch back and skip 1 instruction.
-		_B(FREE_CODE_OFF_2ND_200 + sizeof(PRC_ID_RCV_200), ID_RCV_OFF_200 + 4), NULL},
-	{0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, (u32*)0xFFFFFFFF}
-};
-static kernel_patch_t kern3[] = {
-	{ SVC_VERIFY_DS, 0x3BD24, _NOP(), NULL },          // Disable SVC verifications
-	{ DEBUG_MODE_EN, 0x483FC, _MOVZX(8, 1, 0), NULL }, // Enable Debug Patch
-	// Atmosphère kernel patches.
-	{ ATM_GEN_PATCH, ID_SND_OFF_300, _B(ID_SND_OFF_300, FREE_CODE_OFF_1ST_300), NULL},    // Send process id branch.
-	{ ATM_ARR_PATCH, FREE_CODE_OFF_1ST_300, sizeof(PRC_ID_SND_300) >> 2, PRC_ID_SND_300}, // Send process id code.
-	{ ATM_GEN_PATCH, FREE_CODE_OFF_1ST_300 + sizeof(PRC_ID_SND_300),                      // Branch back and skip 1 instruction.
-		_B(FREE_CODE_OFF_1ST_300 + sizeof(PRC_ID_SND_300), ID_SND_OFF_300 + 4), NULL},
-	{ ATM_GEN_PATCH, ID_RCV_OFF_300, _B(ID_RCV_OFF_300, FREE_CODE_OFF_2ND_300), NULL},    // Receive process id branch.
-	{ ATM_ARR_PATCH, FREE_CODE_OFF_2ND_300, sizeof(PRC_ID_RCV_300) >> 2, PRC_ID_RCV_300}, // Receive process id code.
-	{ ATM_GEN_PATCH, FREE_CODE_OFF_2ND_300 + sizeof(PRC_ID_RCV_300),                      // Branch back and skip 1 instruction.
-		_B(FREE_CODE_OFF_2ND_300 + sizeof(PRC_ID_RCV_300), ID_RCV_OFF_300 + 4), NULL},
-	{0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, (u32*)0xFFFFFFFF}
-};
-static kernel_patch_t kern302[] = {
-	{ SVC_VERIFY_DS, 0x3BD24, _NOP(), NULL },          // Disable SVC verifications
-	{ DEBUG_MODE_EN, 0x48414, _MOVZX(8, 1, 0), NULL }, // Enable Debug Patch
-	// Atmosphère kernel patches.
-	{ ATM_GEN_PATCH, ID_SND_OFF_302, _B(ID_SND_OFF_302, FREE_CODE_OFF_1ST_302), NULL},    // Send process id branch.
-	{ ATM_ARR_PATCH, FREE_CODE_OFF_1ST_302, sizeof(PRC_ID_SND_302) >> 2, PRC_ID_SND_302}, // Send process id code.
-	{ ATM_GEN_PATCH, FREE_CODE_OFF_1ST_302 + sizeof(PRC_ID_SND_302),                      // Branch back and skip 1 instruction.
-		_B(FREE_CODE_OFF_1ST_302 + sizeof(PRC_ID_SND_302), ID_SND_OFF_302 + 4), NULL},
-	{ ATM_GEN_PATCH, ID_RCV_OFF_302, _B(ID_RCV_OFF_302, FREE_CODE_OFF_2ND_302), NULL},    // Receive process id branch.
-	{ ATM_ARR_PATCH, FREE_CODE_OFF_2ND_302, sizeof(PRC_ID_RCV_302) >> 2, PRC_ID_RCV_302}, // Receive process id code.
-	{ ATM_GEN_PATCH, FREE_CODE_OFF_2ND_302 + sizeof(PRC_ID_RCV_302),                      // Branch back and skip 1 instruction.
-		_B(FREE_CODE_OFF_2ND_302 + sizeof(PRC_ID_RCV_302), ID_RCV_OFF_302 + 4), NULL},
-	{0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, (u32*)0xFFFFFFFF}
-};
-static kernel_patch_t kern4[] = {
-	{ SVC_VERIFY_DS, 0x41EB4, _NOP(), NULL },          // Disable SVC verifications
-	{ DEBUG_MODE_EN, 0x4EBFC, _MOVZX(8, 1, 0), NULL }, // Enable Debug Patch
-	// Atmosphère kernel patches.
-	{ ATM_GEN_PATCH, ID_SND_OFF_400, _B(ID_SND_OFF_400, FREE_CODE_OFF_1ST_400), NULL},    // Send process id branch.
-	{ ATM_ARR_PATCH, FREE_CODE_OFF_1ST_400, sizeof(PRC_ID_SND_400) >> 2, PRC_ID_SND_400}, // Send process id code.
-	{ ATM_GEN_PATCH, FREE_CODE_OFF_1ST_400 + sizeof(PRC_ID_SND_400),                      // Branch back and skip 2 instructions.
-		_B(FREE_CODE_OFF_1ST_400 + sizeof(PRC_ID_SND_400), ID_SND_OFF_400 + 8), NULL},
-	{ ATM_GEN_PATCH, ID_RCV_OFF_400, _B(ID_RCV_OFF_400, FREE_CODE_OFF_2ND_400), NULL},    // Receive process id branch.
-	{ ATM_ARR_PATCH, FREE_CODE_OFF_2ND_400, sizeof(PRC_ID_RCV_400) >> 2, PRC_ID_RCV_400}, // Receive process id code.
-	{ ATM_GEN_PATCH, FREE_CODE_OFF_2ND_400 + sizeof(PRC_ID_RCV_400),                      // Branch back and skip 1 instruction.
-		_B(FREE_CODE_OFF_2ND_400 + sizeof(PRC_ID_RCV_400), ID_RCV_OFF_400 + 4), NULL},
-	{0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, (u32*)0xFFFFFFFF}
-};
-
-static kernel_patch_t kern5[] = {
-	{ SVC_VERIFY_DS, 0x45E6C, _NOP(), NULL },          // Disable SVC verifications
-	{ DEBUG_MODE_EN, 0x5513C, _MOVZX(8, 1, 0), NULL }, // Enable Debug Patch
-	// Atmosphère kernel patches.
-	{ ATM_GEN_PATCH, ID_SND_OFF_500, _B(ID_SND_OFF_500, FREE_CODE_OFF_1ST_500), NULL},    // Send process id branch.
-	{ ATM_ARR_PATCH, FREE_CODE_OFF_1ST_500, sizeof(PRC_ID_SND_500) >> 2, PRC_ID_SND_500}, // Send process id code.
-	{ ATM_GEN_PATCH, FREE_CODE_OFF_1ST_500 + sizeof(PRC_ID_SND_500),                      // Branch back and skip 2 instructions.
-		_B(FREE_CODE_OFF_1ST_500 + sizeof(PRC_ID_SND_500), ID_SND_OFF_500 + 8), NULL},
-	{ ATM_GEN_PATCH, ID_RCV_OFF_500, _B(ID_RCV_OFF_500, FREE_CODE_OFF_2ND_500), NULL},    // Receive process id branch.
-	{ ATM_ARR_PATCH, FREE_CODE_OFF_2ND_500, sizeof(PRC_ID_RCV_500) >> 2, PRC_ID_RCV_500}, // Receive process id code.
-	{ ATM_GEN_PATCH, FREE_CODE_OFF_2ND_500 + sizeof(PRC_ID_RCV_500),                      // Branch back and skip 2 instructions.
-		_B(FREE_CODE_OFF_2ND_500 + sizeof(PRC_ID_RCV_500), ID_RCV_OFF_500 + 8), NULL},
-	{0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, (u32*)0xFFFFFFFF}
-};
-
-static kernel_patch_t kern6[] = {
-	{ SVC_VERIFY_DS, 0x47EA0, _NOP(), NULL },          // Disable SVC verifications
-	//{ DEBUG_MODE_EN, 0x57548, _MOVZX(8, 1, 0), NULL }, // Enable Debug Patch
-	// Atmosphère kernel patches.
-	{ ATM_GEN_PATCH, ID_SND_OFF_600, _B(ID_SND_OFF_600, FREE_CODE_OFF_1ST_600), NULL},    // Send process id branch.
-	{ ATM_ARR_PATCH, FREE_CODE_OFF_1ST_600, sizeof(PRC_ID_SND_600) >> 2, PRC_ID_SND_600}, // Send process id code.
-	{ ATM_GEN_PATCH, FREE_CODE_OFF_1ST_600 + sizeof(PRC_ID_SND_600),                      // Branch back and skip 2 instructions.
-		_B(FREE_CODE_OFF_1ST_600 + sizeof(PRC_ID_SND_600), ID_SND_OFF_600 + 0x10), NULL},
-	{ ATM_GEN_PATCH, ID_RCV_OFF_600, _B(ID_RCV_OFF_600, FREE_CODE_OFF_2ND_600), NULL},    // Receive process id branch.
-	{ ATM_ARR_PATCH, FREE_CODE_OFF_2ND_600, sizeof(PRC_ID_RCV_600) >> 2, PRC_ID_RCV_600}, // Receive process id code.
-	{ ATM_GEN_PATCH, FREE_CODE_OFF_2ND_600 + sizeof(PRC_ID_RCV_600),                      // Branch back and skip 2 instructions.
-		_B(FREE_CODE_OFF_2ND_600 + sizeof(PRC_ID_RCV_600), ID_RCV_OFF_600 + 0x10), NULL},
-	{0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, (u32*)0xFFFFFFFF}
-};
-
-static const pkg2_kernel_id_t _pkg2_kernel_ids[] =
-{
-	{ 0x427f2647, kern1 },   //1.0.0
-	{ 0xae19cf1b, kern2 },   //2.0.0 - 2.3.0
-	{ 0x73c9e274, kern3 },   //3.0.0 - 3.0.1
-	{ 0xe0e8cdc4, kern302 }, //3.0.2
-	{ 0x485d0157, kern4 },   //4.0.0 - 4.1.0
-	{ 0xf3c363f2, kern5 },   //5.0.0 - 5.1.0
-    { 0x64ce1a44, kern6 },   //6.0.0
-	{ 0, 0 }                              //End.
-};
-
 typedef struct kipdiff_s {
   u64 offset;              // offset from start of kip's .text segment
   u32 len;                 // length of below strings, NULL signifies end of patch
@@ -387,5 +223,4 @@ void pkg1_unpack(pk11_offs *offs, u8 *pkg1);
 void buildFirmwarePackage(u8 *kernel, u32 kernel_size, link_t *kips_info);
 size_t calcKipSize(pkg2_kip1_t *kip1);
 void pkg2_parse_kips(link_t *info, pkg2_hdr_t *pkg2);
-void loadKip(link_t *info, char *path);
-const pkg2_kernel_id_t *pkg2_identify(u32 id);
\ No newline at end of file
+void loadKip(link_t *info, char *path);
\ No newline at end of file

From 746fded2d0b423c02e8b8f5f17036828f4ac1c34 Mon Sep 17 00:00:00 2001
From: Rei <asterma@yahoo.com>
Date: Sat, 22 Sep 2018 18:50:27 -0400
Subject: [PATCH 32/35] fix last commit + TAB->SPACE

---
 src/firmware.c |  37 +++++++-----
 src/package.c  | 103 +++++++++++++++++++++++++++------
 src/package.h  | 152 +++++++++++++++++++++++++------------------------
 3 files changed, 186 insertions(+), 106 deletions(-)

diff --git a/src/firmware.c b/src/firmware.c
index 242dcf6..9d0f935 100644
--- a/src/firmware.c
+++ b/src/firmware.c
@@ -122,69 +122,76 @@ void patch(pk11_offs *pk11, pkg2_hdr_t *pkg2, link_t *kips) {
     if(!customKern) {
         u32 crc = crc32c(pkg2->data, pkg2->sec_size[PKG2_SEC_KERNEL]);
         uPtr kern = (uPtr)&pkg2->data;
-        uPtr sendOff, recvOff, codeRcvOff, codeSndOff, svcVerifOff, svcDebugOff;
+        uPtr sendOff, recvOff, codeRcvOff, codeSndOff, svcVerifOff, svcDebugOff, ver;
         switch(crc){
-            case 0x427f2647:{
+            case 0x427f2647:{   //1.0.0
                 svcVerifOff = 0x3764C;
                 svcDebugOff = 0x44074;
                 sendOff = 0x23CC0;
                 recvOff = 0x219F0;
                 codeSndOff = 4;
                 codeRcvOff = 4;
+                ver = 0;
                 break;
             }
-            case 0xae19cf1b:{
+            case 0xae19cf1b:{   //2.0.0
                 svcVerifOff = 0x54834;
                 svcDebugOff = 0x6086C;
                 sendOff = 0x3F134;
                 recvOff = 0x3D1A8;
                 codeSndOff = 4;
                 codeRcvOff = 4;
+                ver = 1;
                 break;
             }
-            case 0x73c9e274:{
+            case 0x73c9e274:{   //3.0.0
                 svcVerifOff = 0x3BD24;
                 svcDebugOff = 0x483FC;
                 sendOff = 0x26080;
                 recvOff = 0x240F0;
                 codeSndOff = 4;
                 codeRcvOff = 4;
+                ver = 2;
                 break;
             }
-            case 0xe0e8cdc4:{
+            case 0xe0e8cdc4:{   //3.0.2
                 svcVerifOff = 0x3BD24;
                 svcDebugOff = 0x48414;
                 sendOff = 0x26080;
                 recvOff = 0x240F0;
                 codeSndOff = 4;
                 codeRcvOff = 4;
+                ver = 3;
                 break;
             }
-            case 0x485d0157:{
+            case 0x485d0157:{   //4.0.0
                 svcVerifOff = 0x41EB4;
                 svcDebugOff = 0x4EBFC;
                 sendOff = 0x2AF64;
                 recvOff = 0x28F6C;
                 codeSndOff = 8;
                 codeRcvOff = 4;
+                ver = 4;
                 break;
             }
-            case 0xf3c363f2:{
+            case 0xf3c363f2:{   //5.0.0
                 svcVerifOff = 0x45E6C;
                 svcDebugOff = 0x5513C;
                 sendOff = 0x2AD34;
                 recvOff = 0x28DAC;
                 codeSndOff = 8;
                 codeRcvOff = 8;
+                ver = 5;
                 break;
             }
-            case 0x64ce1a44:{
+            case 0x64ce1a44:{   //6.0.0
                 svcVerifOff = 0x47EA0;
                 svcDebugOff = 0x57548;
                 sendOff = 0x2BB8C;
                 recvOff = 0x29B6C;
                 codeSndOff = 0x10;
                 codeRcvOff = 0x10;
+                ver = 6;
                 break;
             }
             default:
@@ -193,17 +200,19 @@ void patch(pk11_offs *pk11, pkg2_hdr_t *pkg2, link_t *kips) {
         }
         
         //ID Send
-		uPtr freeSpace = getFreeSpace((void*)pkg2->data, 0x200, pkg2->sec_size[PKG2_SEC_KERNEL]);      //Find area to write payload
-        size_t payloadSize = sizeof(PRC_ID_SND_600);
+        uPtr freeSpace = getFreeSpace((void*)(kern+0x45000), 0x200, 0x20000) + 0x45000;      //Find area to write payload
+        print("Kernel Freespace: 0x%08X\n", freeSpace);
+        size_t payloadSize;
+        u32 *sndPayload = getSndPayload(ver, &payloadSize);
         *(vu32*)(kern + sendOff) = _B(sendOff, freeSpace);                                             //write hook to payload
-        memcpy((void*)(kern + freeSpace), (void*)PRC_ID_SND_600, payloadSize);                         //Copy payload to free space
+        memcpy((void*)(kern + freeSpace), sndPayload, payloadSize);                             //Copy payload to free space
         *(vu32*)(kern + freeSpace + payloadSize) = _B(freeSpace + payloadSize, sendOff + codeSndOff);  //Jump back skipping the hook
         
         //ID Receive
         freeSpace += (payloadSize+4);
-        payloadSize = sizeof(PRC_ID_RCV_600);
+        u32 *rcvPayload = getRcvPayload(ver, &payloadSize);
         *(vu32*)(kern + recvOff) = _B(recvOff, freeSpace);
-        memcpy((void*)(kern + freeSpace), (void*)PRC_ID_RCV_600, payloadSize);
+        memcpy((void*)(kern + freeSpace), rcvPayload, payloadSize);
         *(vu32*)(kern + freeSpace + payloadSize) = _B(freeSpace + payloadSize, recvOff + codeRcvOff);
         
         //SVC patches
@@ -400,7 +409,7 @@ void firmware() {
         ((void (*)())PAYLOAD_ADDR)();
     }
     SYSREG(AHB_AHB_SPARE_REG) = (volatile vu32)0xFFFFFF9F;
-	PMC(APBDEV_PMC_SCRATCH49) = 0;
+    PMC(APBDEV_PMC_SCRATCH49) = 0;
 
     if (btn_read() & BTN_VOL_DOWN) {
         print("Booting verbosely\n");
diff --git a/src/package.c b/src/package.c
index 149c16b..7a1284e 100644
--- a/src/package.c
+++ b/src/package.c
@@ -264,23 +264,92 @@ int kippatch_apply(u8 *kipdata, u64 kipdata_len, kippatch_t *patch) {
     return 0;
 }
 
+u32 *getSndPayload(u32 id, size_t *size) {
+    u32 *ret;
+    switch(id){
+        case 0:
+            *size = sizeof(PRC_ID_SND_100);
+            ret = PRC_ID_SND_100;
+            break;
+        case 1:
+            *size = sizeof(PRC_ID_SND_200);
+            ret = PRC_ID_SND_200;
+            break;
+        case 2:
+            *size = sizeof(PRC_ID_SND_300);
+            ret = PRC_ID_SND_300;
+            break;
+        case 3:
+            *size = sizeof(PRC_ID_SND_302);
+            ret = PRC_ID_SND_302;
+            break;
+        case 4:
+            *size = sizeof(PRC_ID_SND_400);
+            ret = PRC_ID_SND_400;
+            break;
+        case 5:
+            *size = sizeof(PRC_ID_SND_500);
+            ret = PRC_ID_SND_500;
+            break;
+        case 6:
+            *size = sizeof(PRC_ID_SND_600);
+            ret = PRC_ID_SND_600;
+            break;
+    }
+    return ret;
+}
+
+u32 *getRcvPayload(u32 id, size_t *size) {
+    u32 *ret;
+    switch(id){
+        case 0:
+            *size = sizeof(PRC_ID_RCV_100);
+            ret = PRC_ID_RCV_100;
+            break;
+        case 1:
+            *size = sizeof(PRC_ID_RCV_200);
+            ret = PRC_ID_RCV_200;
+            break;
+        case 2:
+            *size = sizeof(PRC_ID_RCV_300);
+            ret = PRC_ID_RCV_300;
+            break;
+        case 3:
+            *size = sizeof(PRC_ID_RCV_302);
+            ret = PRC_ID_RCV_302;
+            break;
+        case 4:
+            *size = sizeof(PRC_ID_RCV_400);
+            ret = PRC_ID_RCV_400;
+            break;
+        case 5:
+            *size = sizeof(PRC_ID_RCV_500);
+            ret = PRC_ID_RCV_500;
+            break;
+        case 6:
+            *size = sizeof(PRC_ID_RCV_600);
+            ret = PRC_ID_RCV_600;
+            break;
+    }
+    return ret;
+}
 
 int nca_patch(u8 * kipdata, u64 kipdata_len) {
-	char pattern[8] = {0xE5, 0x07, 0x00, 0x32, 0xE0, 0x03, 0x16, 0xAA};
-	char buf[0x10];
-	memcpy(buf, kipdata+0x1C450, 0x10);
-	u32 * addr = memsearch(kipdata, kipdata_len, pattern, sizeof(pattern));
-	int ret=0;
-	int max_dist = 0x10;
-	for(int i=0; i<max_dist; i++) {
-		u32 op = addr[i];
-		if((op & 0xFC000000)==0x94000000) { //is a BL op
-			addr[i] = NOP;
-			ret=1;
-			break;
-		}
-	}
-	return ret;
+    char pattern[8] = {0xE5, 0x07, 0x00, 0x32, 0xE0, 0x03, 0x16, 0xAA};
+    char buf[0x10];
+    memcpy(buf, kipdata+0x1C450, 0x10);
+    u32 * addr = memsearch(kipdata, kipdata_len, pattern, sizeof(pattern));
+    int ret=0;
+    int max_dist = 0x10;
+    for(int i=0; i<max_dist; i++) {
+        u32 op = addr[i];
+        if((op & 0xFC000000)==0x94000000) { //is a BL op
+            addr[i] = NOP;
+            ret=1;
+            break;
+        }
+    }
+    return ret;
 }
 
 int kippatch_apply_set(u8 *kipdata, u64 kipdata_len, kippatchset_t *patchset) {
@@ -305,8 +374,8 @@ int kippatch_apply_set(u8 *kipdata, u64 kipdata_len, kippatchset_t *patchset) {
         int r = kippatch_apply(kipdata, kipdata_len, p);
         if (r) return r;
     }
-	if(!strncmp("FS", patchset->kip_name, 2))
-		nca_patch(kipdata, kipdata_len);
+    if(!strncmp("FS", patchset->kip_name, 2))
+        nca_patch(kipdata, kipdata_len);
     return 0;
 }
 
diff --git a/src/package.h b/src/package.h
index 6179524..c6f3bd0 100644
--- a/src/package.h
+++ b/src/package.h
@@ -34,151 +34,151 @@ static u8 customKern = 0;
 
 typedef struct _pkg2_hdr_t
 {
-	u8 ctr[0x10];
-	u8 sec_ctr[0x40];
-	u32 magic;
-	u32 base;
-	u32 pad0;
-	u16 version;
-	u16 pad1;
-	u32 sec_size[4];
-	u32 sec_off[4];
-	u8 sec_sha256[0x80];
-	u8 data[];
+    u8 ctr[0x10];
+    u8 sec_ctr[0x40];
+    u32 magic;
+    u32 base;
+    u32 pad0;
+    u16 version;
+    u16 pad1;
+    u32 sec_size[4];
+    u32 sec_off[4];
+    u8 sec_sha256[0x80];
+    u8 data[];
 } pkg2_hdr_t;
 
 typedef struct _pkg2_ini1_t
 {
-	u32 magic;
-	u32 size;
-	u32 num_procs;
-	u32 pad;
+    u32 magic;
+    u32 size;
+    u32 num_procs;
+    u32 pad;
 } pkg2_ini1_t;
 
 typedef struct _pkg2_kip1_sec_t
 {
-	u32 offset;
-	u32 size_decomp;
-	u32 size_comp;
-	u32 attrib;
+    u32 offset;
+    u32 size_decomp;
+    u32 size_comp;
+    u32 attrib;
 } pkg2_kip1_sec_t;
 
 #define KIP1_NUM_SECTIONS 6
 
 typedef struct _pkg2_kip1_t
 {
-	u32 magic;
-	char name[12];
-	u64 tid;
-	u32 proc_cat;
-	u8 main_thrd_prio;
-	u8 def_cpu_core;
-	u8 res;
-	u8 flags;
-	pkg2_kip1_sec_t sections[KIP1_NUM_SECTIONS];
-	u32 caps[0x20];
-	u8 data[];
+    u32 magic;
+    char name[12];
+    u64 tid;
+    u32 proc_cat;
+    u8 main_thrd_prio;
+    u8 def_cpu_core;
+    u8 res;
+    u8 flags;
+    pkg2_kip1_sec_t sections[KIP1_NUM_SECTIONS];
+    u32 caps[0x20];
+    u8 data[];
 } pkg2_kip1_t;
 
 typedef struct _pkg2_kip1_info_t
 {
-	pkg2_kip1_t *kip1;
-	u32 size;
-	link_t link;
+    pkg2_kip1_t *kip1;
+    u32 size;
+    link_t link;
 } pkg2_kip1_info_t;
 
 typedef struct {
-	const char *id;
-	u32 kb;
-	u32 tsec_off;
-	u32 pkg11_off;
-	u32 sec_map[3];
-	u32 secmon_base;
-	u32 warmboot_base;
-	int set_warmboot;
+    const char *id;
+    u32 kb;
+    u32 tsec_off;
+    u32 pkg11_off;
+    u32 sec_map[3];
+    u32 secmon_base;
+    u32 warmboot_base;
+    int set_warmboot;
 } pk11_offs;
 
 typedef struct {
-	u32 magic;
-	u32 wb_size;
-	u32 wb_off;
-	u32 pad;
-	u32 ldr_size;
-	u32 ldr_off;
-	u32 sm_size;
-	u32 sm_off;
+    u32 magic;
+    u32 wb_size;
+    u32 wb_off;
+    u32 pad;
+    u32 ldr_size;
+    u32 ldr_off;
+    u32 sm_size;
+    u32 sm_off;
 } pk11_header;
 
 static u32 PRC_ID_SND_100[] =
 {
-	0xA9BF2FEA, 0x2A0E03EB, 0xD37EF56B, 0xF86B6B8B, 0x92FFFFE9, 0x8A090168, 0xD2FFFFE9, 0x8A09016B,
-	0xD2FFFFC9, 0xEB09017F, 0x54000040, 0xF9412948,	0xA8C12FEA
+    0xA9BF2FEA, 0x2A0E03EB, 0xD37EF56B, 0xF86B6B8B, 0x92FFFFE9, 0x8A090168, 0xD2FFFFE9, 0x8A09016B,
+    0xD2FFFFC9, 0xEB09017F, 0x54000040, 0xF9412948, 0xA8C12FEA
 };
 
 static u32 PRC_ID_RCV_100[] =
 {
-	0xA9BF2FEA, 0x2A1C03EA, 0xD37EF54A, 0xF86A69AA, 0x92FFFFE9, 0x8A090148, 0xD2FFFFE9, 0x8A09014A,
-	0xD2FFFFC9, 0xEB09015F, 0x54000040, 0xF9412968, 0xA8C12FEA
+    0xA9BF2FEA, 0x2A1C03EA, 0xD37EF54A, 0xF86A69AA, 0x92FFFFE9, 0x8A090148, 0xD2FFFFE9, 0x8A09014A,
+    0xD2FFFFC9, 0xEB09015F, 0x54000040, 0xF9412968, 0xA8C12FEA
 };
 
 static u32 PRC_ID_SND_200[] =
 {
-	0xA9BF2FEA, 0x2A1803EB, 0xD37EF56B, 0xF86B6B8B, 0x92FFFFE9, 0x8A090168, 0xD2FFFFE9, 0x8A09016B,
-	0xD2FFFFC9, 0xEB09017F, 0x54000040, 0xF9413148, 0xA8C12FEA
+    0xA9BF2FEA, 0x2A1803EB, 0xD37EF56B, 0xF86B6B8B, 0x92FFFFE9, 0x8A090168, 0xD2FFFFE9, 0x8A09016B,
+    0xD2FFFFC9, 0xEB09017F, 0x54000040, 0xF9413148, 0xA8C12FEA
 };
 
 static u32 PRC_ID_RCV_200[] =
 {
-	0xA9BF2FEA, 0x2A0F03EA, 0xD37EF54A, 0xF9405FEB, 0xF86A696A, 0xF9407BEB, 0x92FFFFE9, 0x8A090148,
-	0xD2FFFFE9, 0x8A09014A, 0xD2FFFFC9, 0xEB09015F, 0x54000040, 0xF9413168, 0xA8C12FEA
+    0xA9BF2FEA, 0x2A0F03EA, 0xD37EF54A, 0xF9405FEB, 0xF86A696A, 0xF9407BEB, 0x92FFFFE9, 0x8A090148,
+    0xD2FFFFE9, 0x8A09014A, 0xD2FFFFC9, 0xEB09015F, 0x54000040, 0xF9413168, 0xA8C12FEA
 };
 
 static u32 PRC_ID_SND_300[] =
 {
-	0xA9BF2FEA, 0x2A1803EB, 0xD37EF56B, 0xF86B6B8B, 0x92FFFFE9, 0x8A090168, 0xD2FFFFE9, 0x8A09016B,
-	0xD2FFFFC9, 0xEB09017F, 0x54000040, 0xF9415548, 0xA8C12FEA
+    0xA9BF2FEA, 0x2A1803EB, 0xD37EF56B, 0xF86B6B8B, 0x92FFFFE9, 0x8A090168, 0xD2FFFFE9, 0x8A09016B,
+    0xD2FFFFC9, 0xEB09017F, 0x54000040, 0xF9415548, 0xA8C12FEA
 };
 
 static u32 PRC_ID_RCV_300[] =
 {
-	0xA9BF2FEA, 0x2A0F03EA, 0xD37EF54A, 0xF9405FEB, 0xF86A696A, 0xF9407BEB, 0x92FFFFE9, 0x8A090148,
-	0xD2FFFFE9, 0x8A09014A, 0xD2FFFFC9, 0xEB09015F, 0x54000040, 0xF9415568, 0xA8C12FEA
+    0xA9BF2FEA, 0x2A0F03EA, 0xD37EF54A, 0xF9405FEB, 0xF86A696A, 0xF9407BEB, 0x92FFFFE9, 0x8A090148,
+    0xD2FFFFE9, 0x8A09014A, 0xD2FFFFC9, 0xEB09015F, 0x54000040, 0xF9415568, 0xA8C12FEA
 };
 
 static u32 PRC_ID_SND_302[] =
 {
-	0xA9BF2FEA, 0x2A1803EB, 0xD37EF56B, 0xF86B6B8B, 0x92FFFFE9, 0x8A090168, 0xD2FFFFE9, 0x8A09016B,
-	0xD2FFFFC9, 0xEB09017F, 0x54000040, 0xF9415548, 0xA8C12FEA
+    0xA9BF2FEA, 0x2A1803EB, 0xD37EF56B, 0xF86B6B8B, 0x92FFFFE9, 0x8A090168, 0xD2FFFFE9, 0x8A09016B,
+    0xD2FFFFC9, 0xEB09017F, 0x54000040, 0xF9415548, 0xA8C12FEA
 };
 
 static u32 PRC_ID_RCV_302[] =
 {
-	0xA9BF2FEA, 0x2A0F03EA, 0xD37EF54A, 0xF9405FEB, 0xF86A696A, 0xF9407BEB, 0x92FFFFE9, 0x8A090148,
-	0xD2FFFFE9, 0x8A09014A, 0xD2FFFFC9, 0xEB09015F, 0x54000040, 0xF9415568, 0xA8C12FEA
+    0xA9BF2FEA, 0x2A0F03EA, 0xD37EF54A, 0xF9405FEB, 0xF86A696A, 0xF9407BEB, 0x92FFFFE9, 0x8A090148,
+    0xD2FFFFE9, 0x8A09014A, 0xD2FFFFC9, 0xEB09015F, 0x54000040, 0xF9415568, 0xA8C12FEA
 };
 
 static u32 PRC_ID_SND_400[] =
 {
-	0x2A1703EA, 0xD37EF54A, 0xF86A6B8A, 0x92FFFFE9, 0x8A090148, 0xD2FFFFE9, 0x8A09014A, 0xD2FFFFC9,
-	0xEB09015F, 0x54000060, 0xF94053EA, 0xF9415948, 0xF94053EA
+    0x2A1703EA, 0xD37EF54A, 0xF86A6B8A, 0x92FFFFE9, 0x8A090148, 0xD2FFFFE9, 0x8A09014A, 0xD2FFFFC9,
+    0xEB09015F, 0x54000060, 0xF94053EA, 0xF9415948, 0xF94053EA
 };
 
 static u32 PRC_ID_RCV_400[] =
 {
-	0xF9403BED, 0x2A0E03EA, 0xD37EF54A, 0xF86A69AA, 0x92FFFFE9, 0x8A090148, 0xD2FFFFE9, 0x8A09014A,
-	0xD2FFFFC9, 0xEB09015F, 0x54000040, 0xF9415B28, 0xD503201F
+    0xF9403BED, 0x2A0E03EA, 0xD37EF54A, 0xF86A69AA, 0x92FFFFE9, 0x8A090148, 0xD2FFFFE9, 0x8A09014A,
+    0xD2FFFFC9, 0xEB09015F, 0x54000040, 0xF9415B28, 0xD503201F
 };
 
 static u32 PRC_ID_SND_500[] =
 {
-	0x2A1703EA, 0xD37EF54A, 0xF86A6B6A, 0x92FFFFE9, 0x8A090148, 0xD2FFFFE9, 0x8A09014A, 0xD2FFFFC9,
-	0xEB09015F, 0x54000060, 0xF94043EA, 0xF9415948, 0xF94043EA
+    0x2A1703EA, 0xD37EF54A, 0xF86A6B6A, 0x92FFFFE9, 0x8A090148, 0xD2FFFFE9, 0x8A09014A, 0xD2FFFFC9,
+    0xEB09015F, 0x54000060, 0xF94043EA, 0xF9415948, 0xF94043EA
 };
 
 static u32 PRC_ID_RCV_500[] =
 {
-	0xF9403BED, 0x2A1503EA, 0xD37EF54A, 0xF86A69AA, 0x92FFFFE9, 0x8A090148, 0xD2FFFFE9, 0x8A09014A,
-	0xD2FFFFC9, 0xEB09015F, 0x54000040, 0xF9415B08, 0xF9406FEA
+    0xF9403BED, 0x2A1503EA, 0xD37EF54A, 0xF86A69AA, 0x92FFFFE9, 0x8A090148, 0xD2FFFFE9, 0x8A09014A,
+    0xD2FFFFC9, 0xEB09015F, 0x54000040, 0xF9415B08, 0xF9406FEA
 };
 
 static u32 PRC_ID_SND_600[] =
@@ -188,7 +188,7 @@ static u32 PRC_ID_SND_600[] =
 
 static u32 PRC_ID_RCV_600[] =
 {
-	0xA9BF2FEA, 0xF94043EB, 0x2A1503EA, 0xD37EF54A, 0xF86A696A, 0x92FFFFE9, 0x8A090148, 0xD2FFFFE9, 0x8A09014A, 0xD2FFFFC9, 0xEB09015F, 0x54000100, 0xA9BF27E8, 0xF9400308, 0xF9401D08, 0xAA1803E0, 0xD63F0100, 0xA8C127E8, 0xAA0003E8, 0xA8C12FEA, 0xAA0803E0
+    0xA9BF2FEA, 0xF94043EB, 0x2A1503EA, 0xD37EF54A, 0xF86A696A, 0x92FFFFE9, 0x8A090148, 0xD2FFFFE9, 0x8A09014A, 0xD2FFFFC9, 0xEB09015F, 0x54000100, 0xA9BF27E8, 0xF9400308, 0xF9401D08, 0xAA1803E0, 0xD63F0100, 0xA8C127E8, 0xAA0003E8, 0xA8C12FEA, 0xAA0803E0
 };
 
 typedef struct kipdiff_s {
@@ -223,4 +223,6 @@ void pkg1_unpack(pk11_offs *offs, u8 *pkg1);
 void buildFirmwarePackage(u8 *kernel, u32 kernel_size, link_t *kips_info);
 size_t calcKipSize(pkg2_kip1_t *kip1);
 void pkg2_parse_kips(link_t *info, pkg2_hdr_t *pkg2);
-void loadKip(link_t *info, char *path);
\ No newline at end of file
+void loadKip(link_t *info, char *path);
+u32 *getSndPayload(u32 id, size_t *size);
+u32 *getRcvPayload(u32 id, size_t *size);
\ No newline at end of file

From f88fe95e36c1f9abda8c7f782f7a96b25bcfaf53 Mon Sep 17 00:00:00 2001
From: Guillem Orellana Trullols <guillem.orellana@gmail.com>
Date: Thu, 27 Sep 2018 17:35:27 +0200
Subject: [PATCH 33/35] Clean up of FS module patch

---
 src/firmware.c | 103 +++++++++++++++++++++++++++----------------------
 1 file changed, 57 insertions(+), 46 deletions(-)

diff --git a/src/firmware.c b/src/firmware.c
index 9d0f935..2ccf664 100644
--- a/src/firmware.c
+++ b/src/firmware.c
@@ -42,6 +42,58 @@ pk11_offs *pkg11_offsentify(u8 *pkg1) {
     return NULL;
 }
 
+void patchFS(pkg2_kip1_info_t* ki) {
+    u8 kipHash[0x20];
+
+    print("Patching FS\n");
+          
+    se_calc_sha256(&kipHash, ki->kip1, ki->size);
+    se_calc_sha256(&kipHash, ki->kip1, ki->size);
+
+    //Create header
+    size_t sizeDiff = ki->kip1->sections[0].size_decomp - ki->kip1->sections[0].size_comp;
+    size_t newSize = ki->size + sizeDiff;
+    pkg2_kip1_t *moddedKip = malloc(newSize);
+    memcpy(moddedKip, ki->kip1, newSize);
+    u32 pos = 0;
+    for(int i = 0; i < KIP1_NUM_SECTIONS; i++) {
+        if(!i) {
+            //Get decomp .text segment
+            u8 *kipDecompText = blz_decompress(moddedKip->data, moddedKip->sections[i].size_comp);
+
+            kippatchset_t *pset = kippatch_find_set(kipHash, kip_patches);
+            if (!pset) {
+              print("  could not find patchset with matching hash\n");
+            } else {
+              int res = kippatch_apply_set(kipDecompText, moddedKip->sections[i].size_decomp, pset);
+              if (res) error("kippatch_apply_set() failed\n");
+            }
+
+            moddedKip->flags &= ~1;
+            memcpy((void*)moddedKip->data, kipDecompText, moddedKip->sections[i].size_decomp);
+            free(kipDecompText);
+            pos += moddedKip->sections[i].size_comp;
+            moddedKip->sections[i].size_comp = moddedKip->sections[i].size_decomp;
+        } else {
+            if(moddedKip->sections[i].offset == 0) continue;
+            memcpy((void*)moddedKip->data + pos + sizeDiff, (void*)ki->kip1->data + pos, moddedKip->sections[i].size_comp);
+            pos += moddedKip->sections[i].size_comp;
+        }
+    }
+    
+    free(ki->kip1);
+    ki->size = newSize;
+    ki->kip1 = moddedKip;
+}
+
+pkg2_kip1_info_t* find_by_tid(link_t* kip_list, u64 tid) {
+    LIST_FOREACH_ENTRY(pkg2_kip1_info_t, ki, kip_list, link) { 
+        if(ki->kip1->tid == 0x0100000000000000)
+            return ki;
+    }
+    return NULL;
+}
+
 void patch(pk11_offs *pk11, pkg2_hdr_t *pkg2, link_t *kips) {
     //Patch Secmon
     if(!customSecmon){
@@ -224,53 +276,12 @@ void patch(pk11_offs *pk11, pkg2_hdr_t *pkg2, link_t *kips) {
         
         end:;
     }
-
-    u8 kipHash[0x20];
     
-    //Patch FS module (truly not my proudest code TODO cleanup)
-    LIST_FOREACH_ENTRY(pkg2_kip1_info_t, ki, kips, link) {        
-        //Patch FS
-        if(ki->kip1->tid == 0x0100000000000000) {
-            print("Patching FS\n");
-            
-            se_calc_sha256(&kipHash, ki->kip1, ki->size);
-            se_calc_sha256(&kipHash, ki->kip1, ki->size);
-
-            //Create header
-            size_t sizeDiff = ki->kip1->sections[0].size_decomp - ki->kip1->sections[0].size_comp;
-            size_t newSize = ki->size + sizeDiff;
-            pkg2_kip1_t *moddedKip = malloc(newSize);
-            memcpy(moddedKip, ki->kip1, newSize);
-            u32 pos = 0;
-            for(int i = 0; i < KIP1_NUM_SECTIONS; i++) {
-                if(!i) {
-                    //Get decomp .text segment
-                    u8 *kipDecompText = blz_decompress(moddedKip->data, moddedKip->sections[i].size_comp);
-
-                    kippatchset_t *pset = kippatch_find_set(kipHash, kip_patches);
-                    if (!pset) {
-                      print("  could not find patchset with matching hash\n");
-                    } else {
-                      int res = kippatch_apply_set(kipDecompText, moddedKip->sections[i].size_decomp, pset);
-                      if (res) error("kippatch_apply_set() failed\n");
-                    }
-
-                    moddedKip->flags &= ~1;
-                    memcpy((void*)moddedKip->data, kipDecompText, moddedKip->sections[i].size_decomp);
-                    free(kipDecompText);
-                    pos += moddedKip->sections[i].size_comp;
-                    moddedKip->sections[i].size_comp = moddedKip->sections[i].size_decomp;
-                } else {
-                    if(moddedKip->sections[i].offset == 0) continue;
-                    memcpy((void*)moddedKip->data + pos + sizeDiff, (void*)ki->kip1->data + pos, moddedKip->sections[i].size_comp);
-                    pos += moddedKip->sections[i].size_comp;
-                }
-            }
-            
-            free(ki->kip1);
-            ki->size = newSize;
-            ki->kip1 = moddedKip;
-        }
+    pkg2_kip1_info_t* FS_module = find_by_tid(kips, 0x0100000000000000);
+    if(FS_module == NULL) {
+        error("Could not find FS Module.\n");
+    } else {
+        patchFS(FS_module);
     }
 }
 

From 6fae934ca7dbfea06c7c8e8381fe8640906828e6 Mon Sep 17 00:00:00 2001
From: Guillem Orellana <guillem.orellana@gmail.com>
Date: Thu, 27 Sep 2018 21:23:38 +0200
Subject: [PATCH 34/35] Delete useless if inside for loop

---
 src/firmware.c | 39 ++++++++++++++++++++-------------------
 1 file changed, 20 insertions(+), 19 deletions(-)

diff --git a/src/firmware.c b/src/firmware.c
index 2ccf664..b7ac7b2 100644
--- a/src/firmware.c
+++ b/src/firmware.c
@@ -52,30 +52,31 @@ void patchFS(pkg2_kip1_info_t* ki) {
 
     //Create header
     size_t sizeDiff = ki->kip1->sections[0].size_decomp - ki->kip1->sections[0].size_comp;
+
     size_t newSize = ki->size + sizeDiff;
     pkg2_kip1_t *moddedKip = malloc(newSize);
     memcpy(moddedKip, ki->kip1, newSize);
+
     u32 pos = 0;
-    for(int i = 0; i < KIP1_NUM_SECTIONS; i++) {
-        if(!i) {
-            //Get decomp .text segment
-            u8 *kipDecompText = blz_decompress(moddedKip->data, moddedKip->sections[i].size_comp);
-
-            kippatchset_t *pset = kippatch_find_set(kipHash, kip_patches);
-            if (!pset) {
-              print("  could not find patchset with matching hash\n");
-            } else {
-              int res = kippatch_apply_set(kipDecompText, moddedKip->sections[i].size_decomp, pset);
-              if (res) error("kippatch_apply_set() failed\n");
-            }
+    //Get decomp .text segment
+    u8 *kipDecompText = blz_decompress(moddedKip->data, moddedKip->sections[0].size_comp);
 
-            moddedKip->flags &= ~1;
-            memcpy((void*)moddedKip->data, kipDecompText, moddedKip->sections[i].size_decomp);
-            free(kipDecompText);
-            pos += moddedKip->sections[i].size_comp;
-            moddedKip->sections[i].size_comp = moddedKip->sections[i].size_decomp;
-        } else {
-            if(moddedKip->sections[i].offset == 0) continue;
+    kippatchset_t *pset = kippatch_find_set(kipHash, kip_patches);
+    if (!pset) {
+      print("  could not find patchset with matching hash\n");
+    } else {
+      int res = kippatch_apply_set(kipDecompText, moddedKip->sections[0].size_decomp, pset);
+      if (res) error("kippatch_apply_set() failed\n");
+    }
+
+    moddedKip->flags &= ~1;
+    memcpy((void*)moddedKip->data, kipDecompText, moddedKip->sections[0].size_decomp);
+    free(kipDecompText);
+    pos += moddedKip->sections[0].size_comp;
+    moddedKip->sections[0].size_comp = moddedKip->sections[0].size_decomp;
+
+    for(int i = 0; i < KIP1_NUM_SECTIONS; i++) {
+        if(moddedKip->sections[i].offset != 0) {
             memcpy((void*)moddedKip->data + pos + sizeDiff, (void*)ki->kip1->data + pos, moddedKip->sections[i].size_comp);
             pos += moddedKip->sections[i].size_comp;
         }

From c5850b2a5de77cf53feec8cdd0be12d1477db96b Mon Sep 17 00:00:00 2001
From: Guillem Orellana <guillem.orellana@gmail.com>
Date: Thu, 27 Sep 2018 21:25:20 +0200
Subject: [PATCH 35/35] Loop shoud start with i = 1 now

---
 src/firmware.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/firmware.c b/src/firmware.c
index b7ac7b2..fd9daff 100644
--- a/src/firmware.c
+++ b/src/firmware.c
@@ -75,7 +75,7 @@ void patchFS(pkg2_kip1_info_t* ki) {
     pos += moddedKip->sections[0].size_comp;
     moddedKip->sections[0].size_comp = moddedKip->sections[0].size_decomp;
 
-    for(int i = 0; i < KIP1_NUM_SECTIONS; i++) {
+    for(int i = 1; i < KIP1_NUM_SECTIONS; i++) {
         if(moddedKip->sections[i].offset != 0) {
             memcpy((void*)moddedKip->data + pos + sizeDiff, (void*)ki->kip1->data + pos, moddedKip->sections[i].size_comp);
             pos += moddedKip->sections[i].size_comp;