diff --git a/source/exploit/.vscode/launch.json b/source/exploit/.vscode/launch.json
index e8618b4..4a9b60a 100644
--- a/source/exploit/.vscode/launch.json
+++ b/source/exploit/.vscode/launch.json
@@ -37,7 +37,7 @@
 "program": "exploit.py",
 "console": "integratedTerminal",
 "justMyCode": false,
- "args": ["--debugger-boot", "--MIB3"], //, "--MIB3"
+ "args": ["--debugger-boot", "--target", "MIB3"], //, "--MIB3"
 },
 {
 "name": "Debug current file",
diff --git a/source/exploit/exploit.py b/source/exploit/exploit.py
index 6d42130..dfad5cc 100644
--- a/source/exploit/exploit.py
+++ b/source/exploit/exploit.py
@@ -98,7 +98,7 @@ class S7Exploit(ExynosDevice):
 bl31 = open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read()
 bl2 = open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read()
 bl33 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()
- if args.MIB3:
+ if args.target == "MIB3":
 bl1 = open("../mib3/boot_partitions/fwbl1_a.bin", "rb").read()
 bl31 = open("../mib3/boot_partitions/el3_mon_a.bin", "rb").read()
 bl2 = open("../mib3/boot_partitions/bl2_a.bin", "rb").read()
@@ -577,7 +577,7 @@ class S7Exploit(ExynosDevice):
 bl31 = open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read()
 bl2 = open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read()
 bl33 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read()
- if args.MIB3:
+ if args.target == "MIB3":
 bl1 = open("../mib3/boot_partitions/fwbl1_a.bin", "rb").read()
 bl1 = open("../mib3/modified_boot/fwbl1_mod.bin", "rb").read()
 bl31 = open("../mib3/boot_partitions/el3_mon_a.bin", "rb").read()
@@ -627,7 +627,7 @@ class S7Exploit(ExynosDevice):
 self.cd.memwrite_region(0x020200dc, p32(DEBUGGER_ADDR)) # hijack ROM_DOWNLOAD_USB for BL31
 BL1_POINTER = 0x02021880
- if args.MIB3:
+ if args.target == "MIB3":
 BL1_POINTER = 0x02021890
 self.cd.memwrite_region(BL1_POINTER, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR, branch_ins="br"))
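Review bot: The new `if args.target == "MIB3":` guard in the hunk at line 98 reads `args` as a module-level global (presumably the argparse namespace built under `__main__`) from inside a method of S7Exploit, and the same literal comparison is repeated at 577 and 627 here and at 680, 689, 708, 747 and 758 in the following hunks, so device selection is scattered over nine sites that all have to agree on the exact string `"MIB3"`. The method enclosing this hunk starts and ends outside it. Consider resolving the target once — e.g. `self.target = target` in S7Exploit's constructor, or at least `is_mib3 = args.target == "MIB3"` at the top of each method — and branching on that, so a typo in one literal cannot silently select the S7 image set. In the hunk at 577 the guarded block still assigns `bl1` twice in a row; the first `open("../mib3/boot_partitions/fwbl1_a.bin", "rb").read()` is dead and, like every other `open(...).read()` in these hunks, its file handle is never closed.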
@@ -680,7 +680,7 @@ class S7Exploit(ExynosDevice):
 # Modifies/disables setting up MMU (but is set up eventually) -> MMU says 0x0 instead of 0x1, but still little access (and proper USB recovyer boot!?)
 MMU_CHECK = 0x0202a314
- if not args.MIB3:
+ if not args.target == "MIB3":
 MMU_CHECK = 0x020244e8
 self.cd.memwrite_region(MMU_CHECK, struct.pack('>I', 0x1f0c00f1)) # Change check to always be false
@@ -689,7 +689,7 @@ class S7Exploit(ExynosDevice):
 # Jump into BL31 and execute it
 BL31_POINTER = 0x02024010
- if args.MIB3:
+ if args.target == "MIB3":
 BL31_POINTER = 0x0202a010
 self.cd.restore_stack_and_jump(BL31_POINTER) #BL31_RA_PTR
 else:
@@ -708,10 +708,10 @@ class S7Exploit(ExynosDevice):
 self.test_write_execute(0x11207010)
- #if args.MIB3:
+ #if args.target == "MIB3":
 # self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
- if args.MIB3:
+ if args.target == "MIB3":
 self.cd.memwrite_region(0x020553e4, b"\x1f\x50\x00\x71")
 self.cd.memwrite_region(0x020553f8, b"\x1f\x50\x00\x71")
@@ -747,7 +747,7 @@ class S7Exploit(ExynosDevice):
 self.usb_read(0x200) # Change bootmode on S7 to SDCARD (allow normal booting, if pressing volume up)
- if not args.MIB3:
+ if not args.target == "MIB3":
 self.cd.memwrite_region(0x8f01dbdc, struct.pack('>I', 0x03030035))
 self.cd.memwrite_region(0x8f01dbe0, struct.pack('>I', 0x80f9ff34))
@@ -758,7 +758,7 @@ class S7Exploit(ExynosDevice):
 # Jump into a different function that continues the boot flow (different than BL33_LR)
 BL33_AUTH = 0x02024e5c
- if args.MIB3:
+ if args.target == "MIB3":
 self.cd.memwrite_region(0xcf08aa59, b"\x4c\x44\x46\x58") #58 was 57 in INIT print
 self.cd.memwrite_region(0xcf026b94, struct.pack('>I', 0x210000b4)) # Change bootmode to GPT
 BL33_AUTH = 0x202ae18 # BL33_LR
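Review bot: `if not args.target == "MIB3":` in the hunk at line 680 negates an equality instead of stating the comparison directly; `if args.target != "MIB3":` says the same thing without the reader having to work out that `not` binds around the whole `==` expression. The same form appears in the hunk at 747. Both enclosing methods start and end outside their hunks.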
@@ -840,11 +840,14 @@ if __name__ == "__main__":
 arg.add_argument("--unsecure-boot", action="store_true", help="Unsecure boot", default=False)
 arg.add_argument("--debugger-boot", action="store_true", help="Unsecure boot", default=False)
 arg.add_argument("--load_ga", action="store_true", help="Load Gupje debugger", default=False)
- arg.add_argument("--MIB3", action="store_true", help="Whether boot is on a MIB3", default=False)
+ arg.add_argument("--target", type=str, help="Target device", default="s7", choices=["S7", "MIB3"])
 args = arg.parse_args()
 exynos = S7Exploit()
+ # Load json configs from config folder
+ # config = open(f"config/{args.target}.json", "r").read()
+
 if args.debug:
 shellcode = open("../dwc3_test/dwc3.bin", "rb").read()
 exynos.exploit(shellcode)
diff --git a/source/exploit/exynos.py b/source/exploit/exynos.py
index b02fa7b..bcbba5e 100644
--- a/source/exploit/exynos.py
+++ b/source/exploit/exynos.py
@@ -7,6 +7,9 @@ from ghidra_assistant.utils.debugger.debugger_archs.ga_arm64 import GA_arm64_deb
 from qiling.const import QL_ARCH
 import os, tqdm, datetime
+ENDPOINT_BULK_IN = 0x81
+ENDPOINT_BULK_OUT = 0x2
+
 def p32(x): return struct.pack("
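Review bot: `default="s7"` on the new `--target` argument is not one of its `choices=["S7", "MIB3"]`; argparse validates only values given on the command line, so running without `--target` leaves `args.target == "s7"`, which matches neither choice. Today every branch in exploit.py only tests `== "MIB3"`, so the mismatch silently falls through to the S7 path, but the commented-out `config/{args.target}.json` loader added here would look for `config/s7.json` by default and `config/S7.json` when `--target S7` is given explicitly. Change it to `default="S7"`, and when the config loader is enabled, open the file with `with open(...) as f:` so the handle is closed.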