diff --git a/source/exploit/dwc3.elf b/source/exploit/dwc3.elf
index ddd1232..9fb9c66 100755
Binary files a/source/exploit/dwc3.elf and b/source/exploit/dwc3.elf differ
diff --git a/source/exploit/dwc3.o b/source/exploit/dwc3.o
index 83c6d7f..6ecab74 100644
Binary files a/source/exploit/dwc3.o and b/source/exploit/dwc3.o differ
diff --git a/source/exploit/exploit.py b/source/exploit/exploit.py
index e37507f..d6cbd79 100644
--- a/source/exploit/exploit.py
+++ b/source/exploit/exploit.py
@@ -277,9 +277,10 @@ def usb_debug():
     transferred = ctypes.c_int()
     # Send some data
+    count = 0
     def send_data():
         transferred.value = 0
-        p = b"\xaa" * 0x200
+        p = p32(count) + b"\xaa" * (0x200 - 4)
         res = libusb1.libusb_bulk_transfer(exynos.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, p, len(p), ctypes.byref(transferred), 100)
         assert res == 0, "Error sending data"
@@ -295,6 +296,7 @@ def usb_debug():
     while True:
         send_data()
         recv_data()
+        count += 1
         pass
     pass
diff --git a/source/exploit/test_dwc3.c b/source/exploit/test_dwc3.c
index 9488bb4..24acf4c 100644
--- a/source/exploit/test_dwc3.c
+++ b/source/exploit/test_dwc3.c
@@ -9,17 +9,18 @@ extern void sleep(int endpoint,uint32_t timeout);
 extern void usb_send(uint32_t address,uint32_t size);
 extern void rom_send();
-#define recv_buffer 0x02021800 + 0x2000
+#define recv_buffer 0x02021800 + 0x3000
 #define data_received 0x02021800 + 0x2004
 void recv_data_cb(uint32_t endpoint, uint32_t len){
-    void *rbuf;
-    void *dest_buf = (void *)recv_buffer;
+    // void *rbuf;
+    char *dest_buf = (char *)recv_buffer;
     volatile void *dref = (void *)data_received;
-    rbuf = get_endpoint_recv_buffer(endpoint);
+    void *rbuf = get_endpoint_recv_buffer(endpoint);
     for(int i= 0; i < len; i++){
-        *(char *)dest_buf = *(char *)(void *)((int)rbuf + i);
+        // *(char *)dest_buf = *(char *)(void *)((int)rbuf + i);
+        dest_buf[i] = *(char *)(void *)((int)rbuf + i);
     }
     *(uint8_t *)dref = 1; // Mark as ready
 }
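Review bot: The sequence word prepended on the `p = p32(count) + b"\xaa" * (0x200 - 4)` line is never checked on the way back, so it cannot yet distinguish a fresh echo from a stale buffer; recv_data (not shown in this hunk) should compare the first four bytes it receives against the counter and fail loudly, e.g. `assert data[:4] == p32(count), "stale or missing echo"`. The assert on the following line also only checks `res == 0`, not `transferred.value == len(p)`, so a short bulk write would pass unnoticed and the device would see a truncated packet. Since `count` is rebound in the enclosing usb_debug loop and only read inside send_data, the closure works without `nonlocal`, but a one-line comment such as `# count is read from the enclosing scope; it is advanced by the caller's loop` would spare the next reader the check. The send_data body is complete in the hunk; usb_debug itself continues outside it.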
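Review bot: The copy loop at `dest_buf[i] = *(char *)(void *)((int)rbuf + i);` now walks `len` bytes into a fixed buffer at `recv_buffer` with no upper bound, so a transfer larger than whatever is reserved at 0x02021800 + 0x3000 would overrun it; clamp before the loop, e.g. `if (len > 0x200) { len = 0x200; }`, 0x200 being the size the host sends and the size send_data later reads back. The `#define recv_buffer 0x02021800 + 0x3000` (and `data_received` beside it) is unparenthesized, so `(char *)recv_buffer` casts only 0x02021800 and then does pointer arithmetic on the result, which lands on the intended address only because the pointee is one byte wide; write it as `#define recv_buffer (0x02021800 + 0x3000)`. Finally, `*(uint8_t *)dref = 1` casts the `volatile` qualifier away, so the ready-flag store is an ordinary store; declaring `volatile uint8_t *dref = (volatile uint8_t *)data_received;` keeps the qualifier without the cast.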
@@ -43,8 +44,8 @@ void recv_data(){
 }
 void send_data_cb(uint32_t endpoint, uint32_t len){
-    void *rbuf;
-    void *dest_buf = (void *)recv_buffer;
+    // void *rbuf;
+    // void *dest_buf = (void *)recv_buffer;
     volatile void *dref = (void *)data_received;
     // rbuf = get_endpoint_buffer(endpoint);
@@ -54,13 +55,13 @@ void send_data_cb(uint32_t endpoint, uint32_t len){
     *(uint8_t *)dref = 1; // Mark as ready
 }
-void send_data(void *address, uint32_t size){
+void send_data(uint32_t address, uint32_t size){
     volatile void *dref = (void *)data_received;
     *(uint8_t *)dref = 0;
     uint32_t val = 0x0;
     maybe_usb_setup_read(0x1, send_data_cb, 0x200);
     uint32_t rbuf = get_endpoint_recv_buffer(1);
-    dwc3_ep0_start_trans(1, (uint32_t)0x0, 0x200);
+    dwc3_ep0_start_trans(1, address, 0x200);
     while(1){
         usb_event_handler();
         if(*(uint8_t *)dref == 1){
@@ -76,7 +77,7 @@ int main() {
     while(1){
         recv_data();
         // rom_send();
-        send_data(0x0, 0x200);
+        send_data(recv_buffer, 0x200);
     }
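Review bot: `send_data` still hard-codes 0x200 in `dwc3_ep0_start_trans(1, address, 0x200)` even though it now takes `size`, so the parameter is dead and a caller passing any other length would silently transmit 0x200 bytes from `address`; pass it through as `dwc3_ep0_start_trans(1, address, size);` (and, if the third argument of `maybe_usb_setup_read` is the same length, use `size` there too). `uint32_t val = 0x0;` and `uint32_t rbuf = get_endpoint_recv_buffer(1);` are assigned and never read in the visible lines and should be dropped. The poll `if(*(uint8_t *)dref == 1)` reads through a cast that discards `volatile`; it reloads only because `usb_event_handler()` is an opaque call between iterations, so `volatile uint8_t *dref` would make the intent explicit rather than incidental. send_data's body continues past the end of the hunk.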