diff --git a/Filesystems/3.10 + 3.11 hybrid 2 attempt to fix 9000 series/VIDEO_TS/VIDEO_TS.IFO b/Filesystems/3.10 + 3.11 hybrid 2 attempt to fix 9000 series/VIDEO_TS/VIDEO_TS.IFO
new file mode 100644
index 0000000..20c44ca
Binary files /dev/null and b/Filesystems/3.10 + 3.11 hybrid 2 attempt to fix 9000 series/VIDEO_TS/VIDEO_TS.IFO differ
diff --git a/Filesystems/3.10 + 3.11 hybrid 2 attempt to fix 9000 series/VIDEO_TS/VTS_01_0.IFO b/Filesystems/3.10 + 3.11 hybrid 2 attempt to fix 9000 series/VIDEO_TS/VTS_01_0.IFO
new file mode 100644
index 0000000..0b6bed8
Binary files /dev/null and b/Filesystems/3.10 + 3.11 hybrid 2 attempt to fix 9000 series/VIDEO_TS/VTS_01_0.IFO differ
diff --git a/Filesystems/3.10 + 3.11 hybrid 2 attempt to fix 9000 series/VIDEO_TS/VTS_02_0.IFO b/Filesystems/3.10 + 3.11 hybrid 2 attempt to fix 9000 series/VIDEO_TS/VTS_02_0.IFO
new file mode 100644
index 0000000..d9f7983
Binary files /dev/null and b/Filesystems/3.10 + 3.11 hybrid 2 attempt to fix 9000 series/VIDEO_TS/VTS_02_0.IFO differ
diff --git a/PAYLOADS/PAYLOAD 3.10 + 3.11 hybrid - all slims/build.sh b/PAYLOADS/PAYLOAD 3.10 + 3.11 hybrid - all slims/build.sh
new file mode 100644
index 0000000..7351010
--- /dev/null
+++ b/PAYLOADS/PAYLOAD 3.10 + 3.11 hybrid - all slims/build.sh
@@ -0,0 +1,28 @@
+echo "Building payload"
+
+ee-gcc -Ttext=0x01FFF800 payload.c -o payload.elf -nostartfiles -nostdlib -ffreestanding -Os -Wl,-z,max-page-size=0x1 # 2048
+ee-objcopy -O binary payload.elf payload.bin -Wl,-z,max-page-size=0x1
+
+ENTRY=`ee-objdump -t payload.elf | grep " _start"`
+echo $ENTRY
+
+# Doesn't seem to work on MinGW toolchain, so set manually if you're using that:
+#ENTRY=0x`grep -o "^\S*" <<< $ENTRY`
+ENTRY=0x01fff99c
+
+echo $ENTRY
+
+echo "Building crt0 (3.10)"
+
+ee-gcc -Ttext=0x01500014 -DENTRY=$ENTRY -DGETBUFFERINTERNAL=0x2986a0 crt0.S -o crt0_3.10.elf -nostartfiles -nostdlib -ffreestanding -Wl,-z,max-page-size=0x1
+ee-objcopy -O binary crt0_3.10.elf crt0_3.10.bin -Wl,-z,max-page-size=0x1
+
+echo "Building crt0 (3.11)"
+
+ee-gcc -Ttext=0x01500014 -DENTRY=$ENTRY -DGETBUFFERINTERNAL=0x2952f0 crt0.S -o crt0_3.11.elf -nostartfiles -nostdlib -ffreestanding -Wl,-z,max-page-size=0x1
+ee-objcopy -O binary crt0_3.11.elf crt0_3.11.bin -Wl,-z,max-page-size=0x1
+
+echo "Done."
+echo "Insert crt0_3.10.bin into VIDEO_TS.IFO at offset 0x2bb4"
+echo "Insert crt0_3.11.bin into VIDEO_TS.IFO at offset 0x2954"
+echo "Insert payload.bin into VIDEO_TS.IFO at offset 0x3000"
diff --git a/PAYLOADS/PAYLOAD 3.10 + 3.11 hybrid - all slims/crt0.S b/PAYLOADS/PAYLOAD 3.10 + 3.11 hybrid - all slims/crt0.S
new file mode 100644
index 0000000..9235502
--- /dev/null
+++ b/PAYLOADS/PAYLOAD 3.10 + 3.11 hybrid - all slims/crt0.S
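Review bot: `ENTRY=0x01fff99c` overwrites the value extracted from `ee-objdump` two lines above, so both crt0 builds always jump to a fixed address even when payload.c changes and `_start` moves; the hard-coded line is described as a MinGW fallback but is in effect the only path. Replace the extraction with one that works on both toolchains, `ENTRY=0x$(ee-objdump -t payload.elf | awk '/ _start$/ {print $1}')`, fail early with `[ "$ENTRY" != 0x ] || { echo "_start not found"; exit 1; }`, and leave the manual assignment commented out for the case the comment describes. The `-Wl,-z,max-page-size=0x1` on the two `ee-objcopy` lines is a linker flag that is already applied in the ee-gcc invocations; objcopy is not the linker and presumably reads that `-W` as its own `--weaken-symbol` option, so the flag should be dropped there. The script also has no shebang and no `set -e`, so a failed ee-gcc is followed by objcopy on a stale .elf and a "Done." that is not true.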
@@ -0,0 +1,41 @@
+.set noreorder # If we're writing assembly, why would we want this?
+
+.section .text.startup
+
+.equ getBufferInternal, GETBUFFERINTERNAL
+.equ payload, (0x2000000 - 0x800) # End of RAM
+
+.global _start
+_start:
+ la $a0, load
+ la $a1, 0
+ la $a2, 0
+ la $a3, 0
+
+.global ExecPS2
+ExecPS2:
+ la $v1, 7
+ syscall 7 # ExecPS2
+
+load:
+ la $a0, 0
+ la $a1, 0 # 0 = VIDEO_TS.IFO, 1 = VTS_01_0.IFO
+ la $a2, 0x3000 / 0x800 # lba offset in file
+ la $a3, payload # Destination
+ la $t0, 0x800 / 0x800 # Count
+ la $t1, 0
+ la $v0, getBufferInternal
+ jalr $v0
+ nop
+
+boot:
+ la $v1, 0x64; la $a0, 0; syscall 0x64 # FlushCache data writeback
+ la $v1, 0x64; la $a0, 2; syscall 0x64 # FlushCache instruction invalidate
+
+ # Point stack to end of scratchpad RAM
+ la $sp, 0x70004000
+
+ # Execute from relocated place
+ la $v0, ENTRY
+ j $v0
+ nop
diff --git a/PAYLOADS/PAYLOAD 3.10 + 3.11 hybrid - all slims/crt0_3.10.bin b/PAYLOADS/PAYLOAD 3.10 + 3.11 hybrid - all slims/crt0_3.10.bin
new file mode 100644
index 0000000..45b7f72
Binary files /dev/null and b/PAYLOADS/PAYLOAD 3.10 + 3.11 hybrid - all slims/crt0_3.10.bin differ
diff --git a/PAYLOADS/PAYLOAD 3.10 + 3.11 hybrid - all slims/crt0_3.10.elf b/PAYLOADS/PAYLOAD 3.10 + 3.11 hybrid - all slims/crt0_3.10.elf
new file mode 100644
index 0000000..211703e
Binary files /dev/null and b/PAYLOADS/PAYLOAD 3.10 + 3.11 hybrid - all slims/crt0_3.10.elf differ
diff --git a/PAYLOADS/PAYLOAD 3.10 + 3.11 hybrid - all slims/crt0_3.11.bin b/PAYLOADS/PAYLOAD 3.10 + 3.11 hybrid - all slims/crt0_3.11.bin
new file mode 100644
index 0000000..5fb3eff
Binary files /dev/null and b/PAYLOADS/PAYLOAD 3.10 + 3.11 hybrid - all slims/crt0_3.11.bin differ
diff --git a/PAYLOADS/PAYLOAD 3.10 + 3.11 hybrid - all slims/crt0_3.11.elf b/PAYLOADS/PAYLOAD 3.10 + 3.11 hybrid - all slims/crt0_3.11.elf
new file mode 100644
index 0000000..c054ce1
Binary files /dev/null and b/PAYLOADS/PAYLOAD 3.10 + 3.11 hybrid - all slims/crt0_3.11.elf differ
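Review bot: The comment on `.set noreorder` records a question rather than the reason; with noreorder the assembler leaves branch delay slots alone, which is exactly why `jalr $v0` and `j $v0` below each carry an explicit `nop`, so the line should say so: `.set noreorder # delay slots are not filled by the assembler: keep the nop after jalr/j`. The fall-through from `_start` into `ExecPS2` is undocumented and `.global ExecPS2` makes it look like an independent entry; a line such as `# falls through: $a0 = load, so syscall 7 (ExecPS2) starts at load` above `.global ExecPS2` would make the intent plain. The values in `la $a2, 0x3000 / 0x800` and `la $t0, 0x800 / 0x800` duplicate the 0x3000 payload offset that build.sh echoes at the end, with nothing tying the two together; hoisting them to `.equ payload_lba, 0x3000 / 0x800` and `.equ payload_sectors, 0x800 / 0x800` beside the existing `.equ payload` (or passing them with `-D` like `GETBUFFERINTERNAL`) keeps a single definition.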
diff --git a/PAYLOADS/PAYLOAD 3.10 + 3.11 hybrid - all slims/payload.bin b/PAYLOADS/PAYLOAD 3.10 + 3.11 hybrid - all slims/payload.bin
new file mode 100644
index 0000000..adcaab8
Binary files /dev/null and b/PAYLOADS/PAYLOAD 3.10 + 3.11 hybrid - all slims/payload.bin differ
diff --git a/PAYLOADS/PAYLOAD 3.10 + 3.11 hybrid - all slims/payload.c b/PAYLOADS/PAYLOAD 3.10 + 3.11 hybrid - all slims/payload.c
new file mode 100644
index 0000000..40c32ac
--- /dev/null
+++ b/PAYLOADS/PAYLOAD 3.10 + 3.11 hybrid - all slims/payload.c
@@ -0,0 +1,165 @@
+#include 
+
+// Pick one
+#define LOAD_FROM_VTS_02_0_IFO
+//#define LOAD_FROM_SECTOR_RELATIVE_TO_VIDEO_TS_IFO (151 - 138 - 7)
+
+#define min(a, b) (((a) < (b)) ? (a) : (b))
+
+void (*pointToIFO)(unsigned int index, unsigned int lba, unsigned int offset);
+void (*getDiscData)(unsigned int s, void *d);
+
+int (*getBufferInternal)(void *filename, int type, int currentSector, void *dest, unsigned int sectorsRemaining, int curReadPos);
+
+int (*SifIopReset)(char *, int);
+int (*SifIopSync)(void);
+void (*SifInitRpc)(int);
+void (*SifExitRpc)(void);
+
+#define ELF_PT_LOAD 1
+
+typedef unsigned char u8;
+typedef unsigned short u16;
+typedef unsigned int u32;
+
+typedef struct {
+ u8 ident[16];
+ u16 type;
+ u16 machine;
+ u32 version;
+ u32 entry;
+ u32 phoff;
+ u32 shoff;
+ u32 flags;
+ u16 ehsize;
+ u16 phentsize;
+ u16 phnum;
+ u16 shentsize;
+ u16 shnum;
+ u16 shstrndx;
+} elf_header_t;
+
+typedef struct {
+ u32 type;
+ u32 offset;
+ void *vaddr;
+ u32 paddr;
+ u32 filesz;
+ u32 memsz;
+ u32 flags;
+ u32 align;
+} elf_pheader_t;
+
+__attribute__((noreturn)) void ExecPS2(void *entry, void *gp, int argc, char **argv) {
+ asm volatile("la $v1, 7; syscall 7");
+ //__builtin_unreachable();
+}
+
+static void *memcpy_(void *dest, void *src, size_t n) {
+ int i;
+ for(i = 0; i < n; i++) ((unsigned char *)dest)[i] = ((unsigned char *)src)[i];
+ return dest;
+}
+
+// Todo: maybe cache last sector to save 1 or 2 reads
+static void *memset(void *dest, int c, size_t n) {
+ int i;
+ for(i = 0; i < n; i++) ((unsigned char *)dest)[i] = c;
+ return dest;
+}
+
+static void readData(void *dest, unsigned int offset, size_t n) {
+ unsigned char buffer[0x800];
+
+ unsigned int copied = 0;
+ #define remaining (n - copied)
+
+ if(offset % 0x800) {
+ getBufferInternal("", 1, offset / 0x800, buffer, 1, 0);
+ memcpy_(dest, buffer + offset % 0x800, min(0x800 - (offset % 0x800), n));
+ copied += min(0x800 - (offset % 0x800), n);
+ }
+
+ if(remaining >= 0x800) {
+ getBufferInternal("", 1, (offset + copied) / 0x800, dest + copied, remaining / 0x800, 0);
+ copied += (remaining / 0x800) * 0x800;
+ }
+
+ if(remaining > 0) {
+ getBufferInternal("", 1, (offset + copied) / 0x800, buffer, 1, 0);
+ memcpy_(dest + copied, buffer, remaining);
+ }
+}
+
+__attribute__((noreturn)) void _start(void) {
+ int i;
+
+ // Identify version based on jump target location
+ if((*(void **)0x5f1f38) == (void *)0x1500014) {
+ // 3.10
+ pointToIFO = (void *)0x25c880;
+ getDiscData = (void *)0x25c9f0;
+
+ getBufferInternal = (void *)0x002986a0;
+
+ SifIopReset = (void *)0x84fe0;
+ SifIopSync = (void *)0x85110;
+ SifInitRpc = (void *)0x84180;
+ SifExitRpc = (void *)0x84310;
+ }
+ else if((*(void **)0x3EA438) == (void *)0x1500014) {
+ // 3.11
+ pointToIFO = (void *)0x258a28;
+ getDiscData = (void *) 0x258b98;
+
+ getBufferInternal = (void *)0x2952f0;
+
+ SifIopReset = (void *)0x20e7d8;
+ SifIopSync = (void *)0x20e958;
+ SifInitRpc = (void *)0x208d80;
+ SifExitRpc = (void *)0x208f20;
+ }
+
+ #ifdef LOAD_FROM_VTS_02_0_IFO
+ // point to VTS_02_0.IFO
+ pointToIFO(2, 0, 0);
+
+ // Force a read from VTS_02_0.IFO
+ char head[64];
+ getDiscData(64, &head);
+
+ #define RELATIVE_SECTOR 0
+ #else
+ #define RELATIVE_SECTOR LOAD_FROM_SECTOR_RELATIVE_TO_VIDEO_TS_IFO
+ #endif
+
+ // Based on https://github.com/AKuHAK/uLaunchELF/blob/master/loader/loader.c
+ elf_header_t eh;
+ readData(&eh, RELATIVE_SECTOR * 0x800, sizeof(elf_header_t));
+
+ elf_pheader_t eph[eh.phnum];
+ readData(&eph, RELATIVE_SECTOR * 0x800 + eh.phoff, sizeof(elf_pheader_t) * eh.phnum);
+
+ for (i = 0; i < eh.phnum; i++) {
+ if (eph[i].type != ELF_PT_LOAD)
+ continue;
+
+ readData(eph[i].vaddr, RELATIVE_SECTOR * 0x800 + eph[i].offset, eph[i].filesz);
+ if(eph[i].memsz > eph[i].filesz) memset(eph[i].vaddr + eph[i].filesz, 0, eph[i].memsz - eph[i].filesz);
+ }
+
+ asm volatile("la $v1, 0x64; la $a0, 0; syscall 0x64"); // FlushCache data writeback
+ asm volatile("la $v1, 0x64; la $a0, 2; syscall 0x64"); // FlushCache instruction invalidate
+
+ //while(!SifIopReset("", 0));
+ //while(!SifIopSync());
+
+ //while(!SifIopReset("rom0:UDNL rom0:EELOADCNF", 0));
+ SifIopReset("rom0:UDNL rom0:EELOADCNF", 0);
+ while(!SifIopSync());
+
+ SifInitRpc(0);
+ SifExitRpc();
+
+ ExecPS2((void *)eh.entry, 0, 0, 0);
+}
diff --git a/PAYLOADS/PAYLOAD 3.10 + 3.11 hybrid - all slims/payload.elf b/PAYLOADS/PAYLOAD 3.10 + 3.11 hybrid - all slims/payload.elf
new file mode 100644
index 0000000..ef57781
Binary files /dev/null and b/PAYLOADS/PAYLOAD 3.10 + 3.11 hybrid - all slims/payload.elf differ
diff --git a/test/hybrid 3.10 + 3.11 attempt to fix 9000 series.iso b/test/hybrid 3.10 + 3.11 attempt to fix 9000 series.iso
new file mode 100644
index 0000000..0c52ecf
Binary files /dev/null and b/test/hybrid 3.10 + 3.11 attempt to fix 9000 series.iso differ
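Review bot: The ELF header read into `eh` is trusted without any validation before `elf_pheader_t eph[eh.phnum]` sizes a stack VLA from it and the loop writes each segment to whatever `vaddr`, `filesz` and `memsz` say; readData discards getBufferInternal's return value, so after a failed read `eh` is uninitialised stack and the loader still jumps to `eh.entry`. The version probe has the same shape: if neither the 3.10 nor the 3.11 address matches, the function pointers are never assigned (and nothing visible in this raw-binary build zeroes .bss, so they are not reliably NULL either) and `pointToIFO(2, 0, 0)` calls through whatever they hold. The rewrite below stops in both cases instead of continuing: it checks the ELF magic and a non-zero phnum after the header read and adds the missing `else` to the probe. Separately, `memcpy_` and `memset` compare `int i` against `size_t n` (`-Wsign-compare`; make `i` a `size_t`), and the bare `#include` on the first line has lost its header name, presumably `<stddef.h>` for `size_t`, either in rendering or in the file itself.
```c
	// … unchanged: 3.10 / 3.11 address tables …
	}
	else {
		// Neither known firmware matched: the function pointers above were
		// never assigned, so stop here rather than call through them.
		for (;;) {}
	}

	// … unchanged: VTS_02_0.IFO selection and RELATIVE_SECTOR …

	elf_header_t eh;
	readData(&eh, RELATIVE_SECTOR * 0x800, sizeof(elf_header_t));
	// readData cannot report a short or failed read, so sanity-check the
	// header before phnum sizes the VLA and the segments are written.
	if (eh.ident[0] != 0x7f || eh.ident[1] != 'E' || eh.ident[2] != 'L' ||
	    eh.ident[3] != 'F' || eh.phnum == 0) {
		for (;;) {}
	}

	// … unchanged: program header read and PT_LOAD loop …
```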