diff --git a/.gitignore b/.gitignore index 3707677..65bdbc0 100644 --- a/.gitignore +++ b/.gitignore @@ -1,13 +1,11 @@ -build.bat -data/firmware.bin out CakeHax CakeBrah -rnInstaller build *.bin *.3dsx *.smdh *.o *.d -*.elf \ No newline at end of file +*.elf +*.bat \ No newline at end of file diff --git a/README.md b/README.md index 8a82026..28c0c94 100644 --- a/README.md +++ b/README.md @@ -1,16 +1,14 @@ # ReiNand -The original open source N3DS CFW! +*The original open source N3DS CFW!* **Compiling:** -First you'll need the firmware file that I didnt include because reasons. Get that [HERE](https://www.dropbox.com/s/782eyz22lkmh434/firmware.bin?dl=0) - -Secondly, You'll need armips added to your Path. [HERE](https://www.dropbox.com/s/ceuv2qeqp38lpah/armips.exe?dl=0) is a pre-compiled version. +You'll need armips added to your Path. [HERE](https://www.dropbox.com/s/ceuv2qeqp38lpah/armips.exe?dl=0) is a pre-compiled version. Lastly, just run Make and everything should work! -Pre-compiled version can still be found on my [pastebin](http://pastebin.com/c5AW3TJp) +Copy everything in 'out' folder to SD root and run! **Features:** @@ -19,11 +17,9 @@ Pre-compiled version can still be found on my [pastebin](http://pastebin.com/c5A * Sig checks disabled -* screenshots (set for pokemon game offsets currently) [Select Button + X] +* RAM dump (edit RAM.txt with a base 10 number for offset) [Start Button + X] -* RAM dump (currently set for FCRAM) [Start Button + X] - -* emunand (with 'Rei' version string) +* Emunand (with 'Rei' version string) **Credits:** diff --git a/data/firmware.bin b/data/firmware.bin new file mode 100644 index 0000000..c478972 Binary files /dev/null and b/data/firmware.bin differ diff --git a/source/crypto.c b/source/crypto.c index 0168e4c..ec9b8b1 100644 --- a/source/crypto.c +++ b/source/crypto.c 
@@ -353,21 +353,32 @@ int rsa_verify(const void* data, u32 size, const void* sig, u32 mode)
     return memcmp(dataHash, decSig + (sigSize - SHA_256_HASH_SIZE), SHA_256_HASH_SIZE) == 0;
 }
 
+void xor(u8 *dest, u8 *data1, u8 *data2, u32 size){
+    int i; for(i = 0; i < size; i++) *(dest+i) = *(data1+i) ^ *(data2+i);
+}
+
 /****************************************************************
 * Nand/FIRM Crypto stuff
 ****************************************************************/
+const u8 memeKey[0x10] = {
+    0x52, 0x65, 0x69, 0x20, 0x69, 0x73, 0x20, 0x62, 0x65, 0x73, 0x74, 0x20, 0x67, 0x69, 0x72, 0x6C
+};
 
 //Emulates the Arm9loader process
-void arm9loader(void *armHdr){
-    //Set Nand key#2 here (decrypted from 0x12C10)
-    u8 key2[0x10] = {0x42, 0x3F, 0x81, 0x7A, 0x23, 0x52, 0x58, 0x31, 0x6E, 0x75, 0x8E, 0x3A, 0x39, 0x43, 0x2E, 0xD0};
-
+void arm9loader(void *armHdr){
+    //Nand key#2 (0x12C10)
+    u8 key2[0x10] = {
+        0x10, 0x5A, 0xE8, 0x5A, 0x4A, 0x21, 0x78, 0x53, 0x0B, 0x06, 0xFA, 0x1A, 0x5E, 0x2A, 0x5C, 0xBC
+    };
+
+    //Firm keys
     u8 keyX[0x10];
     u8 keyY[0x10];
     u8 CTR[0x10];
     u32 slot = 0x16;
 
-    //Setupkeys needed for arm9bin decryption
+    //Setup keys needed for arm9bin decryption
+    xor(key2, key2, memeKey, 0x10);
     memcpy((u8*)keyY, (void *)((uintptr_t)armHdr+0x10), 0x10);
     memcpy((u8*)CTR, (void *)((uintptr_t)armHdr+0x20), 0x10);
     u32 size = atoi((void *)((uintptr_t)armHdr+0x30));
diff --git a/source/crypto.h b/source/crypto.h
index 5a807f6..ce49bbe 100644
--- a/source/crypto.h
+++ b/source/crypto.h
@@ -129,8 +129,10 @@ void sha(void* res, const void* src, u32 size, u32 mode);
 void rsa_setkey(u32 keyslot, const void* mod, const void* exp, u32 mode);
 void rsa_use_keyslot(u32 keyslot);
 int rsa_verify(const void* data, u32 size, const void* sig, u32 mode);
+void xor(u8 *dest, u8 *data1, u8 *data2, u32 size);
 
 //NAND/FIRM stuff
+extern const u8 memeKey[0x10];
 void arm9loader(void *armHdr);
 
 #endif /*__CRYPTO_H*/
diff --git a/source/emunand.c b/source/emunand.c
index 9b62b13..81841a8 100644
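Review bot: The new helper's name `xor` is defined as a macro for `^` by `<iso646.h>` (and is an alternative token in C++), so any translation unit that includes that header, or any C++ consumer of crypto.h, will fail to compile on this definition and on the matching declaration in the crypto.h hunk below; a name such as `xor_buf` avoids that. In the body, `int i` is compared with `u32 size` (a signed/unsigned comparison) and `data1`/`data2` are only read, so the two lines would be clearer as `void xor_buf(u8 *dest, const u8 *data1, const u8 *data2, u32 size){` and `for(u32 i = 0; i < size; i++) dest[i] = data1[i] ^ data2[i];`. A comment on `memeKey` is also warranted: XORing `key2` with a constant linked into the same binary obscures the key bytes but does not protect them, and nothing in the hunk clears `key2` after it has been used. `arm9loader` continues past the end of the hunk.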
--- a/source/emunand.c
+++ b/source/emunand.c
@@ -21,10 +21,10 @@ void getEmunandSect(u32 *off, u32 *head){
     }
 }
 
-void getSDMMC(void *offset, u32 *off, u32 size){
+void getSDMMC(void *pos, u32 *off, u32 size){
     //Look for struct code
     unsigned char pattern[] = {0x01, 0x21, 0x20, 0x18, 0x20, 0x30};
-    *off = memsearch(offset, pattern, size, 6);
+    *off = memsearch(pos, pattern, size, 4);
 
     //Get DCD values
     unsigned char buf[4];
@@ -43,6 +43,14 @@ void getSDMMC(void *offset, u32 *off, u32 size){
 void getEmuRW(void *pos, u32 size, u32 *readOff, u32 *writeOff){
     //Look for read/write code
     unsigned char pattern[] = {0x04, 0x00, 0x0D, 0x00, 0x17, 0x00, 0x1E, 0x00, 0xC8, 0x05};
-    *writeOff = memsearch(pos, pattern, size, 10);
-    *readOff = *writeOff - 0x40; //TODO: Maybe make memsearch work properly for this.
+
+    *readOff = memsearch(pos, pattern, size, 4);
+    *writeOff = memsearch(readOff, pattern, 0x1000, 4);
+    //fileWrite(readOff, "/readoff.bin", 4);
+    *readOff = 0x240CEC40;
+    *writeOff = 0x240CEC80;
+}
+
+void getMPU(void *pos, u32 *off){
+    *off = 0x2407D7D4;
 }
\ No newline at end of file
diff --git a/source/emunand.h b/source/emunand.h
index 098fee1..0856046 100644
--- a/source/emunand.h
+++ b/source/emunand.h
@@ -12,7 +12,8 @@
 #define NCSD_MAGIC (0x4453434E)
 
 void getEmunandSect(u32 *off, u32 *head);
-void getSDMMC(void *offset, u32 *off, u32 size);
+void getSDMMC(void *pos, u32 *off, u32 size);
 void getEmuRW(void *pos, u32 size, u32 *readOff, u32 *writeOff);
+void getMPU(void *pos, u32 *off);
 
 #endif
\ No newline at end of file
diff --git a/source/firm.c b/source/firm.c
index 278697f..eef6c7c 100644
--- a/source/firm.c
+++ b/source/firm.c
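Review bot: The new `memsearch(pos, pattern, size, 4)` call in `getSDMMC` compares only the first four bytes of the six-byte `pattern` declared on the line above, so two bytes of the array are now dead and the match is looser than the previous six-byte one, which raises the chance of `*off` landing on an unrelated site. If the shorter prefix is intentional, shrink the array to four bytes; otherwise pass `sizeof(pattern)` so the array and the length cannot drift apart again. Either way a one-line comment on the call, such as `//4-byte prefix is enough to identify the SDMMC struct code`, would record the decision. The rest of `getSDMMC` is outside the hunk.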
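Review bot: In the new `getEmuRW` body the second search, `*writeOff = memsearch(readOff, pattern, 0x1000, 4);`, passes `readOff` — the address of the caller's output variable — as the region to scan rather than the location the first search found, and both results are then overwritten by the hard-coded `0x240CEC40`/`0x240CEC80`, so the two searches are dead code and the function silently works for exactly one firmware image. Either restore the search (second call as `*writeOff = memsearch((void*)*readOff, pattern, 0x1000, 4);`, then drop the constants) or remove the search code together with the commented-out `fileWrite` line and state that the offsets are pinned; the same applies to `getMPU`, which ignores `pos` entirely and returns a constant. At minimum a comment such as `//Offsets pinned to FIRM <version placeholder>; pattern search disabled` on each would make the assumption visible to whoever next updates the firmware blob. `size` becomes unused once the searches are gone, which the compiler will flag with `-Wunused-parameter`.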
@@ -18,14 +18,23 @@ u32 emuOffset = 0,
     emuRead = 0,
     emuWrite = 0,
     sdmmcOffset = 0,
-    firmSize = 0;
+    firmSize = 0,
+    mpuOffset = 0;
 
 //Load firm into FCRAM
 void loadFirm(void){
     //Read FIRM from SD card and write to FCRAM
-    const char firmPath[] = "/rei/firmware.bin";
-    firmSize = fileSize(firmPath);
+    const char firmPath[] = "/rei/firmware.bin";
+    firmSize = fileSize(firmPath);
     fileRead((u8*)firmLocation, firmPath, firmSize);
+
+    //Decrypt firmware blob
+    u8 firmIV[0x10] = {0};
+    aes_setkey(0x16, memeKey, AES_KEYNORMAL, AES_INPUT_BE | AES_INPUT_NORMAL);
+    aes_use_keyslot(0x16);
+    aes((u8*)firmLocation, (u8*)firmLocation, firmSize / AES_BLOCK_SIZE, firmIV, AES_CBC_DECRYPT_MODE, AES_INPUT_BE | AES_INPUT_NORMAL);
+
+    //Parse firmware
     section = firmLocation->section;
     arm9loader((u8*)firmLocation + section[2].offset);
 }
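Review bot: `firmSize / AES_BLOCK_SIZE` in the new `aes(...)` call truncates, so if `fileSize` returns a length that is not a multiple of 16 the tail of the image is left encrypted and then parsed as plain FIRM by the `section` lines that follow; a zero `firmSize` (missing file) is likewise never checked before `fileRead` or the decrypt. A guard such as `if(firmSize == 0 || firmSize % AES_BLOCK_SIZE) return;` before the decrypt (or whatever error path the caller expects) would make the failure explicit instead of silent. It is also worth a comment on the `//Decrypt firmware blob` block that CBC with a constant key linked into this binary and an all-zero IV gives no integrity: nothing here detects a corrupted or substituted `/rei/firmware.bin` before `arm9loader` runs on it, which is the same trust boundary as before this change but is now less obvious from reading the code.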
@@ -35,30 +44,32 @@ void loadEmu(void){
     //Read emunand code from SD
     u32 code = emuCode();
 
-    const char path[] = "/rei/emunand/emunand.bin";
-    u32 size = fileSize(path);
-    fileRead(code, path, size);
+    const char path[] = "/rei/emunand/emunand.bin";
+    u32 size = fileSize(path);
+    fileRead((u8*)code, path, size);
 
     //Find and patch emunand related offsets
-    u32 *pos_sdmmc = memsearch(code, "SDMC", size, 4);
+    u32 *pos_sdmmc = memsearch(code, "SDMC", size, 4);
     u32 *pos_offset = memsearch(code, "NAND", size, 4);
     u32 *pos_header = memsearch(code, "NCSD", size, 4);
-    getSDMMC(firmLocation, &sdmmcOffset, firmSize);
+    getSDMMC(firmLocation, &sdmmcOffset, firmSize);
     getEmunandSect(&emuOffset, &emuHeader);
     getEmuRW(firmLocation, firmSize, &emuRead, &emuWrite);
-    *pos_sdmmc = sdmmcOffset;
-    *pos_offset = emuOffset;
-    *pos_header = emuHeader;
-
+    getMPU(firmLocation, &mpuOffset);
+    *pos_sdmmc = sdmmcOffset;
+    *pos_offset = emuOffset;
+    *pos_header = emuHeader;
+
     //Add emunand hooks
     memcpy((u8*)emuRead, nandRedir, sizeof(nandRedir));
     memcpy((u8*)emuWrite, nandRedir, sizeof(nandRedir));
-    memcpy((u8*)mpuCode(), mpu, sizeof(mpu));
+
+    //Set MPU for emu code region
+    memcpy((u8*)mpuOffset, mpu, sizeof(mpu));
 }
 
 //Patches
 void patchFirm(){
-
     //Disable signature checks
     memcpy((u8*)sigPatch(1), sigPat1, sizeof(sigPat1));
     memcpy((u8*)sigPatch(2), sigPat2, sizeof(sigPat2));
diff --git a/source/patches.c b/source/patches.c
index d8e367d..f91cf33 100644
--- a/source/patches.c
+++ b/source/patches.c
@@ -56,11 +56,6 @@ u32 threadCode(void){
     return KERNEL9 + (0x08006070 - K9_ADDR);
 }
 
-//Area of MPU setting code
-u32 mpuCode(void){
-    return KERNEL9 + (0x0801B3D4 - K9_ADDR);
-}
-
 //Offsets to redirect to thread code
 u32 threadHook(u8 val){
     return val == 1 ?
diff --git a/thread/source/thread.c b/thread/source/thread.c
index 4e790ec..9a3616a 100644
--- a/thread/source/thread.c
+++ b/thread/source/thread.c
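Review bot: The three `memsearch` results (`pos_sdmmc`, `pos_offset`, `pos_header`) are written through, and `emuRead`, `emuWrite` and the new `mpuOffset` are used as `memcpy` destinations, without any check that the searches or the `get*` helpers succeeded; `memsearch`'s miss value is not visible from here, but whatever it returns on a miss becomes a write to an arbitrary address. Please validate before patching, e.g. `if(!pos_sdmmc || !pos_offset || !pos_header) return;` after the three searches (adjusted to `memsearch`'s actual miss sentinel) and an equivalent check on the three offsets before the `memcpy` calls. The `fileRead((u8*)code, path, size)` result is likewise unchecked, so a missing emunand.bin leaves `code` holding whatever was at `emuCode()` and the searches run over it. `loadEmu` starts and `patchFirm` ends outside the hunk.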
@@ -39,7 +39,7 @@ void patches(void){
     //Change version string
     for(int i = 0; i < 0x600000; i+=4){
         if(strcomp((void*)0x27B00000 - i, (void*)L"Ver.", 4)){
-            if(strcomp((void*)0x27B00000 - i + 0x0A, (void*)L"%d.%d.%d-%d", 11)) strcopy((void*)0x27B00000 - i, (void*)L"\uE024Rei", 4);
+            if(strcomp((void*)0x27B00000 - i + 0x28, (void*)"T_ver_00", 4)) strcopy((void*)0x27B00000 - i, (void*)L"\uE024Rei", 4);
         }
     }
 }
@@ -51,7 +51,7 @@ void thread(void){
         int loc = 0;
         fileReadWrite(buf, L"sdmc:/rei/RAM.txt", 0x20, READ);
         loc = atoi(buf);
-        memdump(L"sdmc:/RAMdmp.bin", (void*)loc, 0x500000);
+        memdump(L"sdmc:/RAMdmp.bin", (void*)loc, 0x10000);
     }
     patches();
 }
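Review bot: The new compare passes a narrow literal `"T_ver_00"` with a count of 4 directly after a wide compare of `L"Ver."` with the same count, so it is no longer clear from the call site whether `strcomp`'s last argument counts bytes or wide characters, and therefore how much of `T_ver_00` is actually compared. A one-line comment on the changed line stating the unit and why the tag sits at `+0x28` from `Ver.` (e.g. `//count is in bytes; "T_ver_00" follows the version string at +0x28`, corrected to whatever `strcomp` really does) would settle it for the next reader; `strcomp` itself is outside the hunk.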
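Review bot: `loc` comes from `atoi(buf)` on the contents of RAM.txt and is passed straight to `memdump` as a pointer; `atoi` returns 0 for an empty or unparseable file, so the dump then reads 0x10000 bytes from address 0, and a negative or otherwise out-of-range number is not rejected either. Guard the call, `if(loc > 0) memdump(L"sdmc:/RAMdmp.bin", (void*)loc, 0x10000);`, or parse with `strtol` and check `endptr` if the toolchain provides it. Whether `buf` is NUL-terminated after a 0x20-byte `fileReadWrite` is not visible here because its declaration is outside the hunk; if it is exactly 0x20 bytes, `atoi` can run past it.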