diff --git a/source/emunand.c b/source/emunand.c
index 56e2260..c0fadca 100644
--- a/source/emunand.c
+++ b/source/emunand.c
@@ -184,12 +184,12 @@ static inline u32 patchMpu(u8 *pos, u32 size)
     return ret;
 }
 
-u32 patchEmuNand(u8 *arm9Section, u32 arm9SectionSize, u8 *process9Offset, u32 process9Size, u32 emuHeader, u8 *kernel9Address)
+u32 patchEmuNand(u8 *arm9Section, u32 kernel9Size, u8 *process9Offset, u32 process9Size, u32 emuHeader, u8 *kernel9Address)
 {
     u32 ret = 0;
 
     u8 *freeK9Space;
-    ret += getFreeK9Space(arm9Section, arm9SectionSize, &freeK9Space);
+    ret += getFreeK9Space(arm9Section, kernel9Size, &freeK9Space);
 
     if(!ret)
     {
@@ -213,7 +213,7 @@ u32 patchEmuNand(u8 *arm9Section, u32 arm9SectionSize, u8 *process9Offset, u32 p
         ret += patchNandRw(process9Offset, process9Size, branchOffset);
 
         //Set MPU
-        ret += patchMpu(arm9Section, arm9SectionSize);
+        ret += patchMpu(arm9Section, kernel9Size);
     }
 
     return ret;
diff --git a/source/emunand.h b/source/emunand.h
index bf1480a..f978d51 100644
--- a/source/emunand.h
+++ b/source/emunand.h
@@ -27,4 +27,4 @@
 #define ROUND_TO_4MB(a) (((a) + 0x2000 - 1) & (~(0x2000 - 1)))
 
 void locateEmuNand(u32 *emuHeader, FirmwareSource *nandType);
-u32 patchEmuNand(u8 *arm9Section, u32 arm9SectionSize, u8 *process9Offset, u32 process9Size, u32 emuHeader, u8 *kernel9Address);
\ No newline at end of file
+u32 patchEmuNand(u8 *arm9Section, u32 kernel9Size, u8 *process9Offset, u32 process9Size, u32 emuHeader, u8 *kernel9Address);
\ No newline at end of file
diff --git a/source/firm.c b/source/firm.c
index 3aeeea6..7728e31 100755
--- a/source/firm.c
+++ b/source/firm.c
@@ -134,13 +134,14 @@ u32 patchNativeFirm(u32 firmVersion, FirmwareSource nandType, u32 emuHeader, boo
         *arm11ExceptionsPage,
         *arm11SvcTable = getKernel11Info(arm11Section1, firm->section[1].size, &baseK11VA, &freeK11Space, &arm11SvcHandler, &arm11ExceptionsPage);
 
-    u32 ret = 0;
+    u32 kernel9Size = firm->section[2].size - (process9Size + sizeof(Cxi) + 0x200),
+        ret = 0;
 
     //Apply signature patches
     ret += patchSignatureChecks(process9Offset, process9Size);
 
     //Apply EmuNAND patches
-    if(nandType != FIRMWARE_SYSNAND) ret += patchEmuNand(arm9Section, firm->section[2].size, process9Offset, process9Size, emuHeader, firm->section[2].address);
+    if(nandType != FIRMWARE_SYSNAND) ret += patchEmuNand(arm9Section, kernel9Size, process9Offset, process9Size, emuHeader, firm->section[2].address);
 
     //Apply FIRM0/1 writes patches on sysNAND to protect A9LH
     else if(isA9lhInstalled) ret += patchFirmWrites(process9Offset, process9Size);
@@ -161,7 +162,7 @@ u32 patchNativeFirm(u32 firmVersion, FirmwareSource nandType, u32 emuHeader, boo
     ret += implementSvcGetCFWInfo(arm11Section1, arm11SvcTable, baseK11VA, &freeK11Space);
 
     //Apply UNITINFO patch
-    if(devMode == 2) ret += patchUnitInfoValueSet(arm9Section, firm->section[2].size);
+    if(devMode == 2) ret += patchUnitInfoValueSet(arm9Section, kernel9Size);
 
     if(devMode != 0 && isA9lhInstalled)
     {
@@ -173,9 +174,9 @@ u32 patchNativeFirm(u32 firmVersion, FirmwareSource nandType, u32 emuHeader, boo
         ret += patchKernel11Panic(arm11Section1, firm->section[1].size);
 
         //ARM9 exception handlers
-        ret += patchArm9ExceptionHandlersInstall(arm9Section, firm->section[2].size);
-        ret += patchSvcBreak9(arm9Section, firm->section[2].size, (u32)firm->section[2].address);
-        ret += patchKernel9Panic(arm9Section, firm->section[2].size);
+        ret += patchArm9ExceptionHandlersInstall(arm9Section, kernel9Size);
+        ret += patchSvcBreak9(arm9Section, kernel9Size, (u32)firm->section[2].address);
+        ret += patchKernel9Panic(arm9Section, kernel9Size);
     }
 
     if(CONFIG(PATCHACCESS))
diff --git a/source/patches.c b/source/patches.c
index 03b38e2..995e459 100644
--- a/source/patches.c
+++ b/source/patches.c
@@ -506,7 +506,7 @@ u32 patchK11ModuleChecks(u8 *pos, u32 size, u8 **freeK11Space)
 u32 patchUnitInfoValueSet(u8 *pos, u32 size)
 {
     //Look for UNITINFO value being set during kernel sync
-    const u8 pattern[] = {0xA0, 0x13, 0x01, 0x10};
+    const u8 pattern[] = {0x01, 0x10, 0xA0, 0x13};
     u32 ret;
 
     u8 *off = memsearch(pos, pattern, size, sizeof(pattern));
@@ -514,8 +514,6 @@ u32 patchUnitInfoValueSet(u8 *pos, u32 size)
     if(off == NULL) ret = 1;
     else
     {
-        off -= 2;
-
         off[0] = ISDEVUNIT ? 0 : 1;
         off[3] = 0xE3;