diff --git a/loader/linker.ld b/loader/linker.ld
index 0d9ae60..a3a699a 100644
--- a/loader/linker.ld
+++ b/loader/linker.ld
@@ -4,7 +4,7 @@ OUTPUT_ARCH(arm)
 ENTRY(_start)
 SECTIONS
 {
-    . = 0x24FFFE00;
+    . = 0x27FFE000;
 
     .text   : ALIGN(4) { *(.text.start) *(.text*); . = ALIGN(4); }
     .rodata : ALIGN(4) { *(.rodata*); . = ALIGN(4); }
diff --git a/loader/source/start.s b/loader/source/start.s
index 8dd5747..4dd90e5 100644
--- a/loader/source/start.s
+++ b/loader/source/start.s
@@ -22,6 +22,7 @@
 .align 4
 .global _start
 _start:
+    ldr sp, =0x27ffe000
     b main
 
 .global payloadSize
diff --git a/source/crypto.c b/source/crypto.c
index 08a1526..b0bd86d 100755
--- a/source/crypto.c
+++ b/source/crypto.c
@@ -484,21 +484,26 @@ void kernel9Loader(Arm9Bin *arm9Section)
 {
     //Determine the kernel9loader version
     u32 k9lVersion;
-    switch(arm9Section->magic[3])
+    if(arm9Section == NULL)
+        k9lVersion = 2;
+    else
     {
-        case 0xFF:
-            k9lVersion = 0;
-            break;
-        case '1':
-            k9lVersion = 1;
-            break;
-        default:
-            k9lVersion = 2;
-            break;
+        switch(arm9Section->magic[3])
+        {
+            case 0xFF:
+                k9lVersion = 0;
+                break;
+            case '1':
+                k9lVersion = 1;
+                break;
+            default:
+                k9lVersion = 2;
+                break;
+        }
     }
 
     u32 *startOfArm9Bin = (u32 *)((u8 *)arm9Section + 0x800);
-    bool needToDecrypt = *startOfArm9Bin != 0x47704770 && *startOfArm9Bin != 0xB0862000;
+    bool needToDecrypt = arm9Section != NULL && *startOfArm9Bin != 0x47704770 && *startOfArm9Bin != 0xB0862000;
 
     //Set 0x11 keyslot
     __attribute__((aligned(4))) const u8 key1s[2][AES_BLOCK_SIZE] = {
@@ -564,10 +569,6 @@ void kernel9Loader(Arm9Bin *arm9Section)
         aes_setkey(slot, decKey, AES_KEYX, AES_INPUT_BE | AES_INPUT_NORMAL);
     }
 
-    if(!ISSIGHAX) return;
-
-    twlConsoleInfoInit();
-
     if(k9lVersion == 2)
     {
         aes_setkey(0x11, key1s[ISDEVUNIT ? 1 : 0], AES_KEYNORMAL, AES_INPUT_BE | AES_INPUT_NORMAL);
@@ -575,6 +576,9 @@ void kernel9Loader(Arm9Bin *arm9Section)
         aes(decKey, keyBlocks[0], 1, NULL, AES_ECB_DECRYPT_MODE, 0);
         aes_setkey(0x18, decKey, AES_KEYX, AES_INPUT_BE | AES_INPUT_NORMAL);
     }
+
+    if(ISSIGHAX)
+        twlConsoleInfoInit();
 }
 
 void computePinHash(u8 *outbuf, const u8 *inbuf)
diff --git a/source/firm.c b/source/firm.c
index 310b7ed..d8b01b8 100755
--- a/source/firm.c
+++ b/source/firm.c
@@ -128,6 +128,9 @@ u32 patchNativeFirm(u32 firmVersion, FirmwareSource nandType, u32 emuHeader, boo
     //Sets the 7.x NCCH KeyX and the 6.x gamecard save data KeyY on >= 6.0 O3DS FIRMs, if not using A9LH
     else if(!ISA9LH && !ISFIRMLAUNCH && firmVersion >= 0x29) set6x7xKeys();
 
+    if(!ISN3DS)
+        kernel9Loader(NULL); //Just set the N3DS 9.6+ keys even on O3DS
+    
     //Find the Process9 .code location, size and memory address
     u32 process9Size,
         process9MemAddr;
@@ -227,6 +230,8 @@ u32 patchTwlFirm(u32 firmVersion, bool doUnitinfoPatch)
         kernel9Loader((Arm9Bin *)arm9Section);
         firm->arm9Entry = (u8 *)0x801301C;
     }
+    else
+        kernel9Loader(NULL); //Just set the keys
 
     //Find the Process9 .code location, size and memory address
     u32 process9Size,
@@ -260,6 +265,8 @@ u32 patchAgbFirm(bool doUnitinfoPatch)
         kernel9Loader((Arm9Bin *)arm9Section);
         firm->arm9Entry = (u8 *)0x801301C;
     }
+    else
+        kernel9Loader(NULL); //Just set the keys
 
     //Find the Process9 .code location, size and memory address
     u32 process9Size,
@@ -288,6 +295,8 @@ u32 patch1x2xNativeAndSafeFirm(bool enableExceptionHandlers)
         kernel9Loader((Arm9Bin *)arm9Section);
         firm->arm9Entry = (u8 *)0x801B01C;
     }
+    else
+        kernel9Loader(NULL); //Just set the keys
 
     //Find the Process9 .code location, size and memory address
     u32 process9Size,
@@ -381,17 +390,13 @@ void launchFirm(FirmwareType firmType, bool loadFromStorage)
     for(; sectionNum < 4 && firm->section[sectionNum].size != 0; sectionNum++)
         memcpy(firm->section[sectionNum].address, (u8 *)firm + firm->section[sectionNum].offset, firm->section[sectionNum].size);
 
-    //Determine the ARM11 entry to use
-    vu32 *arm11;
-    if(ISFIRMLAUNCH) arm11 = (vu32 *)0x1FFFFFFC;
-    else
-    {
-        deinitScreens();
-        arm11 = (vu32 *)BRAHMA_ARM11_ENTRY;
-    }
-
+    if(!ISFIRMLAUNCH) deinitScreens();
+    
     //Set ARM11 kernel entrypoint
-    *arm11 = (u32)firm->arm11Entry;
+    if(ISFIRMLAUNCH | ISSIGHAX)
+        ARM11_CORE0_MAILBOX_ENTRYPOINT = (u32)firm->arm11Entry;
+    else
+        BRAHMA_ARM11_ENTRYPOINT = (u32)firm->arm11Entry;
 
     //Ensure that all memory transfers have completed and that the caches have been flushed
     flushEntireDCache();
diff --git a/source/fs.c b/source/fs.c
index 2dd6fd8..8e4eceb 100644
--- a/source/fs.c
+++ b/source/fs.c
@@ -119,7 +119,7 @@ void fileDelete(const char *path)
 void loadPayload(u32 pressed, const char *payloadPath)
 {
     u32 *loaderAddress = (u32 *)0x24FFFE00;
-    u8 *payloadAddress = (u8 *)0x24F00000;
+    u8 *payloadAddress = (u8 *)0x27FFE000;
     u32 payloadSize = 0,
         maxPayloadSize = (u32)((u8 *)loaderAddress - payloadAddress);
 
diff --git a/source/main.c b/source/main.c
index a5514e1..1c0d3e6 100644
--- a/source/main.c
+++ b/source/main.c
@@ -164,7 +164,11 @@ void main(void)
         pressed = HID_PAD;
     }
     else if(((pressed & SINGLE_PAYLOAD_BUTTONS) && !(pressed & (BUTTON_L1 | BUTTON_R1 | BUTTON_A))) ||
-            ((pressed & L_PAYLOAD_BUTTONS) && (pressed & BUTTON_L1))) loadPayload(pressed, NULL);
+            ((pressed & L_PAYLOAD_BUTTONS) && (pressed & BUTTON_L1)))
+    {
+        kernel9Loader(NULL);
+        loadPayload(pressed, NULL);
+    }
 
     if(splashMode == 2) loadSplash();
 
diff --git a/source/screen.c b/source/screen.c
index 2537297..69e5d07 100644
--- a/source/screen.c
+++ b/source/screen.c
@@ -42,7 +42,8 @@
 #include "i2c.h"
 #include "utils.h"
 
-vu32 *arm11Entry = (vu32 *)BRAHMA_ARM11_ENTRY;
+static vu32 *arm11Entry;
+
 static const u32 brightness[4] = {0x5F, 0x4C, 0x39, 0x26};
 
 void  __attribute__((naked)) arm11Stub(void)
@@ -56,6 +57,7 @@ static void invokeArm11Function(void (*func)())
 
     if(!hasCopiedStub)
     {
+        arm11Entry = (vu32 *)((ISFIRMLAUNCH | ISSIGHAX) ? 0x1FFFFFFC : 0x1FFFFFF8);
         memcpy((void *)ARM11_STUB_ADDRESS, arm11Stub, 0x2C);
         hasCopiedStub = true;
     }
diff --git a/source/types.h b/source/types.h
index 5173104..9f636a8 100644
--- a/source/types.h
+++ b/source/types.h
@@ -47,7 +47,8 @@ typedef volatile s64 vs64;
 
 #include "3dsheaders.h"
 
-#define BRAHMA_ARM11_ENTRY 0x1FFFFFF8
+#define BRAHMA_ARM11_ENTRYPOINT         *(vu32 *)0x1FFFFFF8
+#define ARM11_CORE0_MAILBOX_ENTRYPOINT  *(vu32 *)0x1FFFFFFC
 
 #define CFG_SYSPROT9        (*(vu8  *)0x10000000)
 #define CFG_BOOTENV         (*(vu32 *)0x10010000)
@@ -61,7 +62,7 @@ typedef volatile s64 vs64;
 #define ISN3DS       (PDN_MPCORE_CFG == 7)
 #define ISDEVUNIT    (CFG_UNITINFO != 0)
 #define ISA9LH       (!PDN_SPI_CNT)
-#define ISSIGHAX     (!(CFG_SYSPROT9 & 2))
+#define ISSIGHAX     (!PDN_SPI_CNT && !(CFG_SYSPROT9 & 2))
 #define ISFIRMLAUNCH (launchedFirmTidLow[5] != 0)
 
 typedef struct __attribute__((packed))