diff --git a/documentation/source/BootROM_8890/boot_chain.rst b/documentation/source/BootROM_8890/boot_chain.rst
index 88103f3..fbc0212 100644
--- a/documentation/source/BootROM_8890/boot_chain.rst
+++ b/documentation/source/BootROM_8890/boot_chain.rst
@@ -77,24 +77,71 @@ With a modified bl1 X21 : 0x0 | X22 : 0x0 | X23 : 0x0 | X24 : 0x0 | X25 : 0x0 | X26 : 0x0 | X27 : 0x1 | X28 : 0x0 | X29 : 0x2020f00 | LR/X30 : 0x20c0000 | SP/X31 : 0x2020ef0 +I relocated the debugger to ``0x20c0000`` to prevent overwriting it. + +.. code-block:: python + + self.cd.arch_dbg.state.auto_sync = False + self.cd.arch_dbg.state.auto_sync_special = False + self.cd.arch_dbg.state.print_ctx() + + def relocate_debugger(): + # Seems to be cleared upon cache clearing?? + debugger_reloc = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/reloc_debugger.bin", "rb").read() + self.cd.memwrite_region(0x020c0000, debugger_reloc) + self.usb_write(b"FLSH") # Flush cache + self.cd.restore_stack_and_jump(0x020c0000) + assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger" + self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000) + relocate_debugger() + + + + bl1 === +BL1 needs to be authenticated. Loads at address ``0x02024000`` and contains some form of header (ramdump). There seems to be a samsung header format, where the first 4 bytes define the entry point of the binary. In this case this entry is ``+0x10`` so we jump to ``0x02024010``. .. code-block:: python - fwbl1 = open("../S7/bl1.bin", "rb").read() - self.cd.memwrite_region(0x02024000, fwbl1) + # Try loading bl1 + bl1 = open("../S7/bl1.bin", "rb").read() + self.cd.memwrite_region(0x02021800, bl1) + # self.usb_write(b"FLSH") + AUTH_BL1 = 0x00012848 + def auth_bl1(lr=0x2069000): + # Load the firmware + self.cd.arch_dbg.state.W0 = 1 + self.cd.arch_dbg.state.X1 = 1 + self.cd.arch_dbg.state.LR = lr #jump back to debugger when finished + self.cd.restore_stack_and_jump(AUTH_BL1) + assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger" + assert self.cd.arch_dbg.state.X0 == 0, "auth_bl1 returned with error!" 
+
+    auth_bl1(0x020c0000)
-    def jump_fwbl1():
-        self.cd.arch_dbg.state.LR = 0x2069000
-        self.cd.restore_stack_and_jump(0x02024010)
+After authentication the bootROM jumps to it, we can execute this function with the debugger.
+
+.. code-block:: python
+
+    self.cd.memwrite_region(0x02020f60, p32(0x020c0000))
+    BOOT_BL1 = 0x00019310
+    def jump_bl1(lr):
+        self.cd.arch_dbg.state.LR = lr
+        self.cd.restore_stack_and_jump(BOOT_BL1)
+
+    jump_bl1(0x020c0000)
     jump_fwbl1()
-However, this does not result in a jump back to the debugger.
+BL1 is laoded at the download buffer and self copies to ``0x02024000`` and resumes execution there(``0x02024010``).
+
+However, this does not result in a jump back to the debugger. But the ROM still receives data from the host
+
+TODO TODO TODO
 The reason for this is the following code in bl1:
 .. code-block:: c
diff --git a/reven/SamsungS7_2024_08_12.gar b/reven/SamsungS7_2024_08_12.gar
new file mode 100644
index 0000000..b322ab4
Binary files /dev/null and b/reven/SamsungS7_2024_08_12.gar differ
diff --git a/source/exploit/.gitignore b/source/exploit/.gitignore
index a782873..3e64b67 100644
--- a/source/exploit/.gitignore
+++ b/source/exploit/.gitignore
@@ -1,4 +1,5 @@
 *.elf
 *.o
 *.bin
-venv/
\ No newline at end of file
+venv/
+dump/
diff --git a/source/exploit/exploit.py b/source/exploit/exploit.py
index dc7f979..3dbbae1 100644
--- a/source/exploit/exploit.py
+++ b/source/exploit/exploit.py
@@ -338,6 +338,15 @@ class ExynosDevice():
         self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000)
         relocate_debugger()
+        def memdump_imem():
+            dumped = b""
+            for block in range(0x2020000, 0x2070000, 0x200):
+                # print(hex(block))
+                dumped += self.cd.memdump_region(block, 0x200)
+            return dumped
+
+        # dump1 = memdump_imem()
+
         # Try loading bl1
         bl1 = open("../S7/bl1.bin", "rb").read()
         self.cd.memwrite_region(0x02021800, bl1)
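Review bot: `memdump_imem` builds the 0x50000-byte dump with `dumped +=` over 640 iterations, re-copying the growing buffer on every USB read; append each chunk to a list and finish with `return b"".join(chunks)`, which is linear and reads the same. The window and chunk size are also baked in while the surrounding code keeps firmware offsets as named constants (`AUTH_BL1`, `BOOT_BL1`); `def memdump_imem(start=0x2020000, end=0x2070000, chunk=0x200):` would let the same helper dump other regions for the `dump1`/`dump2` comparisons the commented-out calls hint at, and a one-line comment saying what the window covers (it spans the `0x02021800` download buffer and the `0x02024000` BL1 area named elsewhere in the patch, presumably the on-chip IMEM) would explain the name. The enclosing method starts before and continues after this hunk.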
@@ -350,19 +359,28 @@ class ExynosDevice(): self.cd.arch_dbg.state.LR = lr #jump back to debugger when finished self.cd.restore_stack_and_jump(AUTH_BL1) assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger" + assert self.cd.arch_dbg.state.X0 == 0, "auth_bl1 returned with error!" auth_bl1(0x020c0000) + # dump2 = memdump_imem() - # Works until here + # Works until here TODO hijack future control flow + # self.cd.memwrite_region(0x02020108, p32(0x020c0000)) # Hijack some weird function, original 0x00005790 + self.cd.memwrite_region(0x02020f60, p32(0x020c0000)) + BOOT_BL1 = 0x00019310 + def jump_bl1(lr): + self.cd.arch_dbg.state.LR = lr + self.cd.restore_stack_and_jump(BOOT_BL1) + jump_bl1(0x020c0000) pass # Overwrite jump back - self.cd.memwrite_region(0x02020108, p32(0x2069000)) self.cd.memwrite_region(0x020200e8, p32(0x2069000)) + def memdump_try(): self.cd.arch_dbg.state.LR = 0x020200e8 self.cd.restore_stack_and_jump(0x02021810) @@ -376,9 +394,7 @@ class ExynosDevice(): - def jump_bl1(): - self.cd.arch_dbg.state.LR = 0x2069000 - self.cd.restore_stack_and_jump(0x02024010) + # self.cd.restore_stack_and_jump(0x02021810) #000125b4
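Review bot: `jump_bl1` jumps to `BOOT_BL1` with LR pointed at the relocated debugger but, unlike `auth_bl1` a few lines above, never checks that control actually came back, so when BL1 does not return (the documentation hunk in this same commit says exactly that happens) the script silently continues into the `0x020200e8` overwrite and `memdump_try` against an unknown device state; add the same handshake right after the call, `assert self.usb_read(0x200) == b"GiAs", "BL1 did not return to debugger"`. The `p32(0x020c0000)` written at `0x02020f60` is only four bytes; on this AArch64 target the slot is presumably an 8-byte pointer, so the upper half is left as whatever was there before, and `p64(0x020c0000)` would state the intent and clear it explicitly. The neighbouring commented-out line documents what lives at `0x02020108` ("original 0x00005790") but the live write at `0x02020f60` has no such note; a comment naming the pointer being redirected, or at least its original value, would make the hijack reproducible. The enclosing method begins and ends outside the hunk.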