diff --git a/src/drivers/xnu/xnu.c b/src/drivers/xnu/xnu.c
index eb78c7a0..b107964c 100644
--- a/src/drivers/xnu/xnu.c
+++ b/src/drivers/xnu/xnu.c
@@ -1127,7 +1127,6 @@ void xnu_boot(void)
     {
         panic("Cannot boot XNU with TZ0 unlocked");
     }*/
-    gBootArgs->topOfKernelData = gTopOfKernelData;
 }
 
 void xnu_init(void)
diff --git a/src/kernel/entry.c b/src/kernel/entry.c
index ea345473..b3361ec2 100644
--- a/src/kernel/entry.c
+++ b/src/kernel/entry.c
@@ -284,6 +284,8 @@ __attribute__((noinline)) void pongo_entry_cached(void)
         screen_fill_basecolor();
 }
 
+extern uint64_t gM1N1Base;
+
 /*
 
     Name: pongo_entry
@@ -309,25 +311,28 @@ _Noreturn void pongo_entry(uint64_t *kernel_args, void *entryp, void (*exit_to_e
     set_exception_stack_core0();
     gFramebuffer = (uint32_t*)gBootArgs->Video.v_baseAddr;
     lowlevel_cleanup();
+    gBootArgs->topOfKernelData = gTopOfKernelData;
 
     // Unused space above kernel static area
     void *boot_tramp = (void*)((gTopOfKernelData + 0x3fffULL) & ~0x3fffULL);
     if(gBootFlag == BOOT_FLAG_RAW || gBootFlag == BOOT_FLAG_M1N1)
     {
+        uint64_t entry;
         // We're in EL1 here, but we might need to go back to EL3
         if((__builtin_arm_rsr64("id_aa64pfr0_el1") & 0xf000) != 0)
         {
             __asm__ volatile("smc 0"); // elevate to EL3
         }
-        uint64_t entryOff = 0x800;
         if(gBootFlag == BOOT_FLAG_RAW)
         {
+            entry = (uint64_t)loader_xfer_recv_data - kCacheableView + 0x800000000;
             boot_tramp = NULL;
-            entryOff = 0;
         }
-        // XXX: We should really replace loader_xfer_recv_data with something dedicated here.
-        void *image = (void*)((uint64_t)loader_xfer_recv_data - kCacheableView + 0x800000000 + entryOff);
-        jump_to_image_extended(image, gBootArgs, boot_tramp, gEntryPoint);
+        else
+        {
+            entry = gM1N1Base + 0x800;
+        }
+        jump_to_image_extended((void*)entry, gBootArgs, boot_tramp, gEntryPoint);
     }
     else
     {
diff --git a/src/shell/main.c b/src/shell/main.c
index 9947cd4c..9c386015 100644
--- a/src/shell/main.c
+++ b/src/shell/main.c
@@ -46,6 +46,7 @@ void pongo_boot_raw(const char *cmd, char *args) {
     task_yield();
 }
 
+uint64_t gM1N1Base;
 extern char gFWVersion[256];
 void pongo_boot_m1n1(const char *cmd, char *args) {
     if (!loader_xfer_recv_count) {
@@ -53,10 +54,14 @@ void pongo_boot_m1n1(const char *cmd, char *args) {
         return;
     }
 
-    loader_xfer_recv_count = 0;
     char *fwversion = dt_get_prop("/chosen", "firmware-version", NULL);
     strlcpy(fwversion, gFWVersion, 256);
 
+    void *m1n1 = alloc_static(loader_xfer_recv_count);
+    memmove(m1n1, loader_xfer_recv_data, loader_xfer_recv_count);
+    loader_xfer_recv_count = 0;
+    gM1N1Base = vatophys_static(m1n1);
+
     gBootFlag = BOOT_FLAG_M1N1;
     task_yield();
 }