diff --git a/source/crypto.c b/source/crypto.c
index 7d88376..f82f7a8 100755
--- a/source/crypto.c
+++ b/source/crypto.c
@@ -368,7 +368,7 @@ void arm9Loader(u8 *arm9Section, u32 mode)
 key2[0x10] = {0x42, 0x3F, 0x81, 0x7A, 0x23, 0x52, 0x58, 0x31, 0x6E, 0x75, 0x8E, 0x3A, 0x39, 0x43, 0x2E, 0xD0};
 u8 keyX[0x10];
- aes_setkey(0x11, mode == 1 ? key1 : key2, AES_KEYNORMAL, AES_INPUT_BE | AES_INPUT_NORMAL);
+ aes_setkey(0x11, mode == 1 ? key2 : key1, AES_KEYNORMAL, AES_INPUT_BE | AES_INPUT_NORMAL);
 aes_use_keyslot(0x11);
 aes(keyX, arm9Section + 0x60, 1, NULL, AES_ECB_DECRYPT_MODE, 0);
 aes_setkey(arm9BinSlot, keyX, AES_KEYX, AES_INPUT_BE | AES_INPUT_NORMAL);
@@ -382,7 +382,7 @@ void arm9Loader(u8 *arm9Section, u32 mode)
 aes(arm9Section + 0x800, arm9Section + 0x800, arm9BinSize / AES_BLOCK_SIZE, arm9BinCTR, AES_CTR_MODE, AES_INPUT_BE | AES_INPUT_NORMAL);
 //Set >=9.6 KeyXs
- if(mode == 2)
+ if(mode == 1)
 {
 u8 keyData[0x10] = {0xDD, 0xDA, 0xA4, 0xC6, 0x2C, 0xC4, 0x50, 0xE9, 0xDA, 0xB6, 0x9B, 0x0D, 0x9D, 0x2A, 0x21, 0x98},
 decKey[0x10];
diff --git a/source/firm.c b/source/firm.c
index b6bab08..49280b3 100755
--- a/source/firm.c
+++ b/source/firm.c
@@ -68,9 +68,8 @@ void main(void)
 updatedSys,
 needConfig,
 newConfig,
- emuHeader;
-
- u64 chronoStarted = 0;
+ emuHeader,
+ chronoStarted = 0;
 //Detect the console being used
 console = PDN_MPCORE_CFG == 7;
@@ -111,9 +110,9 @@ void main(void)
 //Zero the last booted FIRM flag
 CFG_BOOTENV = 0;
- chronoStarted = chrono();
- while(chrono() - chronoStarted < 2 * TICKS_PER_SEC); //Wait for 2s
 chronoStarted = 1;
+ chrono(0);
+ chrono(2);
 //Update pressed buttons
 pressed = HID_PAD;
@@ -196,7 +195,10 @@ void main(void)
 //If screens are inited or the corresponding option is set, load splash screen
 if((PDN_GPU_CNT != 1 || CONFIG(8)) && loadSplash())
- chronoStarted = chrono();
+ {
+ chronoStarted = 2;
+ chrono(0);
+ }
 //If R is pressed, boot the non-updated NAND with the FIRM of the opposite one
 if(pressed & BUTTON_R1)
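Review bot: The key choice in the aes_setkey line and the `if(mode == 1)` guard in the next hunk both hinge on the bare values 1 and 2, whose meaning this commit inverts at the same time in firm.c patchNativeFirm (the `case '1'`/default assignments and the `if(nativeFirmType == 1) reimplementSvcBackdoor();` guard), with nothing tying the two files' numbering together. The swapped ternary also changes what mode 0 selects, from key2 before to key1 now; harmless if arm9Loader is only ever called with 1 or 2, which this hunk cannot show. A shared set of named constants in a header both files include, one per FIRM type, used in place of the literals here and in firm.c, would stop the next renumbering from silently desynchronising them; short of that, a comment on arm9Loader spelling out each value (`//mode: 1 = <FIRM type>, 2 = <FIRM type>`) is the minimum. arm9Loader begins and ends outside these hunks.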
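Review bot: The `chrono(0); chrono(2);` pair replaces the removed `//Wait for 2s` comment with two calls whose intent is only recoverable from utils.c, where a zero argument records the start time and a non-zero one busy-waits until that many seconds have elapsed since it. Annotate the calls where they are made: `chrono(0); //Record the start time` and `chrono(2); //Wait for 2s`. The values 1 and 2 stored in chronoStarted here and in the splash-screen hunk (@@ -196) are later tested by `if(chronoStarted == 2) chrono(3);` (@@ -264), so the declaration merged into the list in @@ -68 should carry a comment naming each state — apparently 1 = initial wait already done, 2 = splash shown with a 3s wait still pending, to be confirmed against main. main starts and ends outside these hunks.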
@@ -264,7 +266,7 @@ void main(void)
 if(chronoStarted)
 {
- while(chronoStarted > 1 && chrono() - chronoStarted < 3 * TICKS_PER_SEC);
+ if(chronoStarted == 2) chrono(3);
 stopChrono();
 }
@@ -323,10 +325,10 @@ static inline void patchNativeFirm(u32 nandType, u32 emuHeader, u32 a9lhMode)
 nativeFirmType = 0;
 break;
 case '1':
- nativeFirmType = 1;
+ nativeFirmType = 2;
 break;
 default:
- nativeFirmType = 2;
+ nativeFirmType = 1;
 break;
 }
@@ -341,10 +343,9 @@ static inline void patchNativeFirm(u32 nandType, u32 emuHeader, u32 a9lhMode)
 nativeFirmType = memcmp(section[2].hash, firm90Hash, 0x10) != 0;
 }
+ //Find the Process9 .code location, size and memory address
 u32 process9Size, process9MemAddr;
-
- //Find the Process9 NCCH location
 u8 *process9Offset = getProcess9(arm9Section + 0x15000, section[2].size - 0x15000, &process9Size, &process9MemAddr);
 //Apply emuNAND patches
@@ -359,14 +360,13 @@ static inline void patchNativeFirm(u32 nandType, u32 emuHeader, u32 a9lhMode)
 //Apply signature checks patches
 u16 *sigOffset, *sigOffset2;
-
 getSigChecks(process9Offset, process9Size, &sigOffset, &sigOffset2);
 *sigOffset = sigPatch[0];
 sigOffset2[0] = sigPatch[0];
 sigOffset2[1] = sigPatch[1];
 //Does nothing if svcBackdoor is still there
- reimplementSvcBackdoor();
+ if(nativeFirmType == 1) reimplementSvcBackdoor();
 if(CONFIG(5))
 {
@@ -422,9 +422,8 @@ static inline void patchEmuNAND(u8 *arm9Section, u8 *process9Offset, u32 process
 static inline void patchReboots(u8 *process9Offset, u32 process9Size, u32 process9MemAddr)
 {
+ //Calculate offset for the firmlaunch code and fOpen
 u32 fOpenOffset;
-
- //Calculate offset for the firmlaunch code
 void *rebootOffset = getReboot(process9Offset, process9Size, process9MemAddr, &fOpenOffset);
 //Copy firmlaunch code
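Review bot: The comment `//Does nothing if svcBackdoor is still there` in the @@ -359 hunk now sits above a call that is additionally skipped for every nativeFirmType other than 1, so it no longer explains what the line does; why only type-1 FIRMs get the reimplementation is not visible in this hunk. Extend it so the guard is self-describing, e.g. `//Reimplement svcBackdoor only on <FIRM type 1> FIRMs (<reason>); the function is a no-op when the SVC is still present`, with the placeholders filled from the switch in @@ -323. patchNativeFirm starts and ends outside this hunk.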
@@ -440,13 +439,11 @@ static inline void reimplementSvcBackdoor(void)
 u8 *arm11Section1 = (u8 *)firm + section[1].offset;
 u32 *exceptionsPage;
-
 u32 *svcTable = getSvcAndExceptions(arm11Section1, section[1].size, &exceptionsPage);
 if(!svcTable[0x7B])
 {
 u32 *freeSpace;
-
 for(freeSpace = exceptionsPage; *freeSpace != 0xFFFFFFFF; freeSpace++);
 memcpy(freeSpace, svcBackdoor, 40);
@@ -458,6 +455,7 @@ static inline void reimplementSvcBackdoor(void)
 static inline void copySection0AndInjectLoader(void)
 {
 u8 *arm11Section0 = (u8 *)firm + section[0].offset;
+
 u32 loaderSize;
 u32 loaderOffset = getLoader(arm11Section0, &loaderSize);
diff --git a/source/patches.c b/source/patches.c
index 1efa708..b588490 100644
--- a/source/patches.c
+++ b/source/patches.c
@@ -114,7 +114,7 @@ u32 *getSvcAndExceptions(u8 *pos, u32 size, u32 **exceptionsPage)
 {
 const u8 pattern[] = {0x00, 0xB0, 0x9C, 0xE5}; //cpsid aif
- *exceptionsPage = (u32 *)(memsearch(pos, pattern, size, 4) - 0x2C);
+ *exceptionsPage = (u32 *)memsearch(pos, pattern, size, 4) - 0xB;
 u32 svcOffset = (-(((*exceptionsPage)[2] & 0xFFFFFF) << 2) & (0xFFFFFF << 2)) - 8; //Branch offset + 8 for prefetch
 u32 *svcTable = (u32 *)(pos + *(u32 *)(pos + 0xFFFF0008 - svcOffset - 0xFFF00000 + 8) - 0xFFF00000); //SVC handler address
diff --git a/source/utils.c b/source/utils.c
index 5d565c6..e62c8dc 100644
--- a/source/utils.c
+++ b/source/utils.c
@@ -40,7 +40,7 @@ void mcuReboot(void)
 }
 //TODO: add support for TIMER IRQ
-static void startChrono(u64 initialTicks)
+static inline void startChrono(u64 initialTicks)
 {
 //Based on a NATIVE_FIRM disassembly
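Review bot: In the patches.c hunk the memsearch result is used without a miss check: whatever memsearch returns when the pattern is absent (NULL, presumably) goes straight into the `- 0xB` arithmetic and is dereferenced as `(*exceptionsPage)[2]` on the next line, and the caller reimplementSvcBackdoor in firm.c indexes `svcTable[0x7B]` just as unconditionally. The rewrite is equivalent to the old `- 0x2C` only if memsearch returns a byte pointer, which this hunk does not show; a comment such as `//0xB words (0x2C bytes) before the pattern` would record that. If a miss is a possible outcome, guard before the arithmetic — `u8 *found = memsearch(pos, pattern, size, 4); if(!found) { *exceptionsPage = NULL; return NULL; }` — and have reimplementSvcBackdoor check the return before indexing. getSvcAndExceptions continues past the end of this hunk.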
@@ -53,21 +53,22 @@ static void startChrono(u64 initialTicks)
 for(u32 i = 1; i < 4; i++) *(vu16 *)(0x10003002 + 4 * i) = 0x84; //Count-up; enabled
 }
-u64 chrono(void)
+void chrono(u32 seconds)
 {
- static u32 chronoStarted = 0;
+ static u64 startingTicks = 0;
- if(!chronoStarted)
+ if(!startingTicks) startChrono(0);
+
+ u64 res;
+
+ do
 {
- startChrono(0);
- chronoStarted++;
+ res = 0;
+ for(u32 i = 0; i < 4; i++) res |= *(vu16 *)(0x10003000 + 4 * i) << (16 * i);
 }
+ while(res - startingTicks < seconds * TICKS_PER_SEC);
- u64 res = 0;
-
- for(u32 i = 0; i < 4; i++) res |= *(vu16 *)(0x10003000 + 4 * i) << (16 * i);
-
- return res;
+ if(!seconds) startingTicks = res;
 }
 void stopChrono(void)
diff --git a/source/utils.h b/source/utils.h
index b6c78ee..236b048 100644
--- a/source/utils.h
+++ b/source/utils.h
@@ -11,5 +11,5 @@ void mcuReboot(void);
 #define TICKS_PER_SEC 67027964ULL
-u64 chrono(void);
+void chrono(u32 seconds);
 void stopChrono(void);
\ No newline at end of file
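Review bot: The tick read inside the new do/while loop, `res |= *(vu16 *)(0x10003000 + 4 * i) << (16 * i)`, shifts a 16-bit value that has been promoted to int, so for i = 2 and 3 the shift count reaches or exceeds the width of the type (undefined behaviour) and in any case the upper 32 bits of res are never filled; the u64 accumulator only becomes meaningful with the operand widened first, `(u64)*(vu16 *)(0x10003000 + 4 * i) << (16 * i)`. The commit also folds the old started flag into startingTicks, but `if(!seconds) startingTicks = res;` can legitimately store 0 right after startChrono(0), so the next call restarts the timer instead of measuring from that mark; a separate started flag keeps the sentinel apart from the timestamp. The four halves are read non-atomically, so a carry between reads can yield a glitched value — presumably tolerable for a multi-second wait, but worth a comment.

```c
    static u64 startingTicks = 0;
    static u32 chronoRunning = 0;

    if(!chronoRunning)
    {
        startChrono(0);
        chronoRunning = 1;
    }

    // … unchanged: u64 res; do { res = 0; …
        for(u32 i = 0; i < 4; i++) res |= (u64)*(vu16 *)(0x10003000 + 4 * i) << (16 * i);
    // … unchanged: } while(…); if(!seconds) startingTicks = res; …
```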
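Review bot: The new prototype `void chrono(u32 seconds);` in utils.h gives no hint that a zero argument has a different meaning from a non-zero one, and the header is the only place a caller in firm.c will look. Document the contract next to the declaration: `//seconds == 0: record the current tick count as the start time; seconds > 0: busy-wait until that many seconds have elapsed since the recorded start`.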