Found area where 02035600 becomes unaccessible. Trying to patch it.

source/exploit/exploit.py

@@ -744,11 +744,13 @@ class ExynosDevice():
         # Modifies/disables setting up MMU (but is set up eventually) -> MMU says 0x0 instead of 0x1, but still little access (and proper USB recovyer boot!?)
         # self.cd.memwrite_region(0x020244e8, struct.pack('>I', 0x1f0c00f1)) # Change check to always false
 
-        # Write jump backs from BL31 at different levels
-        # self.cd.memwrite_region(0x02030a28, p64(DEBUGGER_ADDR))
-
         # Overwrite jump back at 0202f810
-        # self.cd.memwrite_region(0x0202f818, struct.pack('>I', 0xfa610091))
+        # self.cd.memwrite_region(0x020242a8, struct.pack('>I', 0x568f0094)) # Last succesful jump back to debugger, while still having access to 0x02035600
+
+        # self.cd.memwrite_region(0x02032008, struct.pack('>I', 0x1f2003d5)) # Overwrite MAIR to NOP
+        # self.cd.memwrite_region(0x0203203c, struct.pack('>I', 0xf1570094)) # Return to debugger. (not working, it continues booting..)
+
+        # self.cd.memwrite_region(0x0203200c, struct.pack('>I', 0xfd570094)) # -> X1=0x18800, X30=0x20241a0. Device crashes when writing here.
 
         # Jump into BL31 and execute it
         self.cd.restore_stack_and_jump(0x02024010)