diff --git a/bootloader/config/config.c b/bootloader/config/config.c
index 23dd8d6..850eca3 100644
--- a/bootloader/config/config.c
+++ b/bootloader/config/config.c
@@ -280,7 +280,7 @@ void config_autoboot()
 ments[1].type = MENT_CHGLINE;
- ments[2].type = MENT_CHOICE;
+ ments[2].type = MENT_DATA;
 if (!h_cfg.autoboot)
 ments[2].caption = "*Disable";
 else
@@ -395,7 +395,7 @@ void config_bootdelay()
 ments[1].type = MENT_CHGLINE;
- ments[2].type = MENT_CHOICE;
+ ments[2].type = MENT_DATA;
 if (h_cfg.bootwait)
 ments[2].caption = " 0 seconds (Bootlogo disabled)";
 else
@@ -412,7 +412,7 @@ void config_bootdelay()
 delay_text[i * 32 + 1] = i + '0';
 memcpy(delay_text + i * 32 + 2, " seconds", 9);
- ments[i + 2].type = MENT_CHOICE;
+ ments[i + 2].type = MENT_DATA;
 ments[i + 2].caption = delay_text + i * 32;
 ments[i + 2].data = &delay_values[i];
 }
@@ -455,7 +455,7 @@ void config_customlogo()
 for (u32 j = 0; j < 2; j++)
 {
 cb_values[j] = j;
- ments[j + 2].type = MENT_CHOICE;
+ ments[j + 2].type = MENT_DATA;
 ments[j + 2].data = &cb_values[j];
 }
@@ -514,7 +514,7 @@ void config_verification()
 for (u32 j = 0; j < 3; j++)
 {
 vr_values[j] = j;
- ments[j + 2].type = MENT_CHOICE;
+ ments[j + 2].type = MENT_DATA;
 ments[j + 2].data = &vr_values[j];
 }
@@ -604,7 +604,7 @@ void config_backlight()
 else
 memcpy(bri_text + i * 32 + 1, "100%", 5);
- ments[i + 1].type = MENT_CHOICE;
+ ments[i + 1].type = MENT_DATA;
 ments[i + 1].caption = bri_text + i * 32;
 ments[i + 1].data = &bri_values[i];
 }
diff --git a/bootloader/config/config.h b/bootloader/config/config.h
index 74fd646..45b7778 100644
--- a/bootloader/config/config.h
+++ b/bootloader/config/config.h
@@ -21,16 +21,17 @@
 typedef struct _hekate_config
 {
+ // Non-volatile config.
 u32 autoboot;
 u32 autoboot_list;
 u32 bootwait;
 u32 customlogo;
 u32 verification;
+ u32 backlight;
+ u32 errors;
 // Global temporary config.
 int se_keygen_done;
 u32 sbar_time_keeping;
- u32 backlight;
- u32 errors;
 } hekate_config;
 typedef enum
diff --git a/bootloader/gfx/tui.c b/bootloader/gfx/tui.c
index 1e7a238..2ab3ec1 100644
--- a/bootloader/gfx/tui.c
+++ b/bootloader/gfx/tui.c
@@ -177,11 +177,17 @@ void *tui_do_menu(gfx_con_t *con, menu_t *menu)
 if (btn & BTN_VOL_DOWN && idx < (cnt - 1))
 idx++;
 else if (btn & BTN_VOL_DOWN && idx == (cnt - 1))
+ {
 idx = 0;
+ prev_idx = -1;
+ }
 if (btn & BTN_VOL_UP && idx > 0)
 idx--;
 else if (btn & BTN_VOL_UP && idx == 0)
+ {
 idx = cnt - 1;
+ prev_idx = cnt;
+ }
 if (btn & BTN_POWER)
 {
 ment_t *ent = &menu->ents[idx];
@@ -193,7 +199,7 @@ void *tui_do_menu(gfx_con_t *con, menu_t *menu)
 case MENT_MENU:
 return tui_do_menu(con, ent->menu);
 break;
- case MENT_CHOICE:
+ case MENT_DATA:
 return ent->data;
 break;
 case MENT_BACK:
diff --git a/bootloader/gfx/tui.h b/bootloader/gfx/tui.h
index 40eff42..3148ba3 100644
--- a/bootloader/gfx/tui.h
+++ b/bootloader/gfx/tui.h
@@ -24,7 +24,7 @@
 #define MENT_END 0
 #define MENT_HANDLER 1
 #define MENT_MENU 2
-#define MENT_CHOICE 3
+#define MENT_DATA 3
 #define MENT_BACK 4
 #define MENT_CAPTION 5
 #define MENT_CHGLINE 6
diff --git a/bootloader/hos/hos.c b/bootloader/hos/hos.c
index bd5bd39..3e29593 100644
--- a/bootloader/hos/hos.c
+++ b/bootloader/hos/hos.c
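Review bot: In tui_do_menu (bootloader/gfx/tui.c) the two wrap-around branches now set `prev_idx = -1` and `prev_idx = cnt`, both outside the valid entry range 0..cnt-1, and the hunk does not show how prev_idx is declared or consumed. If code outside the hunk indexes `menu->ents[prev_idx]` or derives a draw position from it, these values reach past either end of the array, and -1 wraps if prev_idx is unsigned; that has to be checked in the rest of the function, which starts and ends outside this hunk. If the values are only sentinels that force a redraw after wrapping, state it on the assignments, e.g. `// Out of range on purpose: forces a redraw after wrap-around.`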
@@ -149,6 +149,36 @@ static void _se_lock()
 gfx_hexdump(&gfx_con, SE_BASE, (void *)SE_BASE, 0x400);*/
 }
+void _pmc_scratch_lock(u32 kb)
+{
+ switch (kb)
+ {
+ case KB_FIRMWARE_VERSION_100_200:
+ case KB_FIRMWARE_VERSION_300:
+ case KB_FIRMWARE_VERSION_301:
+ PMC(APBDEV_PMC_SEC_DISABLE) = 0x7FFFF3;
+ PMC(APBDEV_PMC_SEC_DISABLE2) = 0xFFFFFFFF;
+ PMC(APBDEV_PMC_SEC_DISABLE3) = 0xFFAFFFFF;
+ PMC(APBDEV_PMC_SEC_DISABLE4) = 0xFFFFFFFF;
+ PMC(APBDEV_PMC_SEC_DISABLE5) = 0xFFFFFFFF;
+ PMC(APBDEV_PMC_SEC_DISABLE6) = 0xFFFFFFFF;
+ PMC(APBDEV_PMC_SEC_DISABLE7) = 0xFFFFFFFF;
+ PMC(APBDEV_PMC_SEC_DISABLE8) = 0xFFAAFFFF;
+ break;
+ case KB_FIRMWARE_VERSION_400:
+ case KB_FIRMWARE_VERSION_500:
+ case KB_FIRMWARE_VERSION_600:
+ default:
+ PMC(APBDEV_PMC_SEC_DISABLE2) |= 0x3FCFFFF;
+ PMC(APBDEV_PMC_SEC_DISABLE4) |= 0x3F3FFFFF;
+ PMC(APBDEV_PMC_SEC_DISABLE5) = 0xFFFFFFFF;
+ PMC(APBDEV_PMC_SEC_DISABLE6) |= 0xF3FFC00F;
+ PMC(APBDEV_PMC_SEC_DISABLE7) |= 0x3FFFFF;
+ PMC(APBDEV_PMC_SEC_DISABLE8) |= 0xFF;
+ break;
+ }
+}
+
 int keygen(u8 *keyblob, u32 kb, void *tsec_fw)
 {
 u8 tmp[0x10];
@@ -604,9 +634,9 @@ int hos_launch(ini_sec_t *cfg)
 case KB_FIRMWARE_VERSION_300:
 case KB_FIRMWARE_VERSION_301:
 if (ctxt.pkg1_id->kb == KB_FIRMWARE_VERSION_300)
- PMC(APBDEV_PMC_SECURE_SCRATCH32) = 0xE3; // Warmboot 3.0.0 security check.
+ PMC(APBDEV_PMC_SECURE_SCRATCH32) = 0xE3; // Warmboot 3.0.0 PA address id.
 else if (ctxt.pkg1_id->kb == KB_FIRMWARE_VERSION_301)
- PMC(APBDEV_PMC_SECURE_SCRATCH32) = 0x104; // Warmboot 3.0.1/.2 security check.
+ PMC(APBDEV_PMC_SECURE_SCRATCH32) = 0x104; // Warmboot 3.0.1/.2 PA address id.
 se_key_acc_ctrl(12, 0xFF);
 se_key_acc_ctrl(13, 0xFF);
 bootStateDramPkg2 = 2;
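Review bot: `_pmc_scratch_lock` in bootloader/hos/hos.c is defined without `static`, unlike `_se_lock` directly above it, so an underscore-prefixed file-local helper gets external linkage; `static void _pmc_scratch_lock(u32 kb)` would match its neighbour. Its only call in this commit, in the hos_launch hunk at -664, is commented out, so the PMC secure-scratch locks are still not applied on any firmware path and the function is dead code for now. The write masks are bare hex values and the default branch mixes `|=` with a plain `=` for APBDEV_PMC_SEC_DISABLE5; a short comment per branch naming which scratch registers are deliberately left unlocked (the cleared bits in 0x7FFFF3, 0xFFAFFFFF and 0xFFAAFFFF) and why the newer branch ORs into the existing value would let the masks be checked against the pkg1.1 behaviour the TODO refers to.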
@@ -664,6 +694,9 @@ int hos_launch(ini_sec_t *cfg)
 mc_config_carveout_finalize();
 _se_lock();
+ //TODO: pkg1.1 locks PMC scratches, we can do that too at some point. For <4.0.0 after secmon?
+ //_pmc_scratch_lock(ctxt.pkg1_id->kb);
+
 // < 4.0.0 Signals - 0: Nothing ready, 1: BCT ready, 2: DRAM and pkg2 ready, 3: Continue boot.
 // >= 4.0.0 Signals - 0: Nothing ready, 1: BCT ready, 2: DRAM ready, 4: pkg2 ready and continue boot.
 vu32 *mb_in = (vu32 *)0x40002EF8;
@@ -682,16 +715,6 @@ int hos_launch(ini_sec_t *cfg)
 while (!*mb_out)
 usleep(1); // This only works when in IRAM or with a trained DRAM.
- //TODO: pkg1.1 locks PMC scratches, we can do that too at some point.
- /*PMC(0x4) = 0x7FFFF3;
- PMC(0x2C4) = 0xFFFFFFFF;
- PMC(0x2D8) = 0xFFAFFFFF;
- PMC(0x5B0) = 0xFFFFFFFF;
- PMC(0x5B4) = 0xFFFFFFFF;
- PMC(0x5B8) = 0xFFFFFFFF;
- PMC(0x5BC) = 0xFFFFFFFF;
- PMC(0x5C0) = 0xFFAAFFFF;*/
-
 // Signal pkg2 ready and continue boot.
 *mb_in = bootStatePkg2Continue;
diff --git a/bootloader/main.c b/bootloader/main.c
index c3cdb4f..4edb02f 100644
--- a/bootloader/main.c
+++ b/bootloader/main.c
@@ -476,8 +476,9 @@ void reconfig_hw_workaround(bool extra_reconfig, u32 magic)
 {
 CLOCK(CLK_RST_CONTROLLER_CLK_OUT_ENB_L) |= (1 << 22);
 sdmmc_init(&sd_sdmmc, SDMMC_1, SDMMC_POWER_3_3, SDMMC_BUS_WIDTH_1, 5, 0);
+ clock_disable_cl_dvfs();
- msleep(500);
+ msleep(200);
 }
 }
@@ -1236,7 +1237,7 @@ int dump_emmc_part(char *sd_path, sdmmc_storage_t *storage, emmc_part_t *part)
 {
 gfx_con.fntsz = 16;
 WPRINTF("\n\nThe backup was cancelled!");
- EPRINTF("\nPress any key and try again...\n");
+ EPRINTF("\nPress any key...\n");
 msleep(1500);
 free(buf);
@@ -1891,7 +1892,11 @@ int launch_payload(char *path, bool update)
 *(vu32 *)BOOTLOADER_UPDATED_MAGIC_ADDR = BOOTLOADER_UPDATED_MAGIC;
 }
 else
+ {
+ free(update_ft);
 return 1;
+ }
+ free(update_ft);
 }
 sd_unmount();
@@ -2503,6 +2508,8 @@ void toggle_autorcm(bool enable)
 sdmmc_storage_t storage;
 sdmmc_t sdmmc;
+ u8 randomXor = 0;
+
 gfx_clear_partial_grey(&gfx_ctxt, 0x1B, 0, 1256);
 gfx_con_setpos(&gfx_con, 0, 0);
@@ -2520,8 +2527,16 @@ void toggle_autorcm(bool enable)
 {
 sect = (0x200 + (0x4000 * i)) / NX_EMMC_BLOCKSIZE;
 sdmmc_storage_read(&storage, sect, 1, tempbuf);
+
 if (enable)
- tempbuf[0x10] ^= get_tmr_us() & 0xFF; // Bricmii style of bricking.
+ {
+ do
+ {
+ randomXor = get_tmr_us() & 0xFF; // Bricmii style of bricking.
+ } while (!randomXor); // Avoid the lottery.
+ tempbuf[0x10] ^= randomXor;
+ }
 else
 tempbuf[0x10] = 0xF7;
 sdmmc_storage_write(&storage, sect, 1, tempbuf);
@@ -3003,6 +3018,8 @@ void bootrom_ipatches_info()
 {
 gfx_clear_partial_grey(&gfx_ctxt, 0x1B, 0, 1256);
 gfx_con_setpos(&gfx_con, 0, 0);
+
+ static const u32 BOOTROM_SIZE = 0x18000;
 u32 res = fuse_read_ipatch(ipatch_process);
 if (res != 0)
diff --git a/bootloader/soc/pmc.h b/bootloader/soc/pmc.h
index a8ae8a9..f319287 100644
--- a/bootloader/soc/pmc.h
+++ b/bootloader/soc/pmc.h
@@ -19,6 +19,7 @@
 #define _PMC_H_
 /*! PMC registers. */
+#define APBDEV_PMC_SEC_DISABLE 0x4
 #define APBDEV_PMC_PWRGATE_TOGGLE 0x30
 #define APBDEV_PMC_PWRGATE_STATUS 0x38
 #define APBDEV_PMC_NO_IOPOWER 0x44
@@ -35,8 +36,10 @@
 #define APBDEV_PMC_VDDP_SEL 0x1CC
 #define APBDEV_PMC_SCRATCH49 0x244
 #define APBDEV_PMC_TSC_MULT 0x2B4
-#define APBDEV_PMC_REG_SHORT 0x2CC
+#define APBDEV_PMC_SEC_DISABLE2 0x2C4
 #define APBDEV_PMC_WEAK_BIAS 0x2C8
+#define APBDEV_PMC_REG_SHORT 0x2CC
+#define APBDEV_PMC_SEC_DISABLE3 0x2D8
 #define APBDEV_PMC_SECURE_SCRATCH21 0x334
 #define APBDEV_PMC_SECURE_SCRATCH32 0x360
 #define APBDEV_PMC_SECURE_SCRATCH49 0x3A4
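Review bot: In toggle_autorcm (bootloader/main.c, hunk at -2520) the new do/while only rejects a zero XOR value, so it guarantees the byte at 0x10 changes but not that the result differs from 0xF7, the value the else branch writes back. If the byte was already altered by an earlier enable, a non-zero randomXor equal to `tempbuf[0x10] ^ 0xF7` restores 0xF7, so a 1-in-255 lottery remains for that case, assuming 0xF7 is the valid byte as the else branch suggests. Extending the condition closes it: `} while (!randomXor || (u8)(tempbuf[0x10] ^ randomXor) == 0xF7); // Avoid the lottery.` Separately, the results of `sdmmc_storage_read` and `sdmmc_storage_write` are not checked in this loop, so after a failed read whatever tempbuf holds is modified and written to the boot sector; the write should be skipped when the read fails. The function body starts and ends outside the hunk.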
@@ -45,6 +48,11 @@
 #define APBDEV_PMC_UTMIP_PAD_CFG1 0x4C4
 #define APBDEV_PMC_UTMIP_PAD_CFG3 0x4CC
 #define APBDEV_PMC_DDR_CNTRL 0x4E4
+#define APBDEV_PMC_SEC_DISABLE4 0x5B0
+#define APBDEV_PMC_SEC_DISABLE5 0x5B4
+#define APBDEV_PMC_SEC_DISABLE6 0x5B8
+#define APBDEV_PMC_SEC_DISABLE7 0x5BC
+#define APBDEV_PMC_SEC_DISABLE8 0x5C0
 #define APBDEV_PMC_SCRATCH188 0x810
 #define APBDEV_PMC_SCRATCH190 0x818
 #define APBDEV_PMC_SCRATCH200 0x840
diff --git a/bootloader/soc/t210.h b/bootloader/soc/t210.h
index 5c45907..fe662cf 100644
--- a/bootloader/soc/t210.h
+++ b/bootloader/soc/t210.h
@@ -19,7 +19,6 @@
 #include "../utils/types.h"
-#define BOOTROM_SIZE 0x18000
 #define BOOTROM_BASE 0x100000
 #define HOST1X_BASE 0x50000000
 #define BPMP_CACHE_BASE 0x50040000