diff --git a/mshal/hal.go b/mshal/hal.go
index 9b84d7b..b209bbe 100644
--- a/mshal/hal.go
+++ b/mshal/hal.go
@@ -11,8 +11,9 @@ type HAL struct {
 	deviceTypeExtra int
 	eepromSize      int
 
-	patchAllocAddr int
-	patchCallAddrs []int
+	patchAllocAddr              int
+	patchCallAddrsExternalStart int
+	patchCallAddrs              []int
 
 	patchInstalled bool
 
@@ -27,6 +28,7 @@ type HALConfig struct {
 	PatchTryInstall         bool
 	PatchIgnoreUserFirmware bool
 	PatchProbeEEPROM        bool
+	PatchBlobs              []CodeBlob
 
 	LogFunc LogFunc
 }
diff --git a/mshal/hal_patch_call.go b/mshal/hal_patch_call.go
index 51d0f80..a42df08 100644
--- a/mshal/hal_patch_call.go
+++ b/mshal/hal_patch_call.go
@@ -17,7 +17,7 @@ func (h *HAL) patchExchangeReport(out [9]byte) ([9]byte, error) {
 		return in, err
 	}
 
-	timeout := time.Now().Add(time.Second)
+	timeout := time.Now().Add(3 * time.Second)
 
 	for time.Now().Before(timeout) {
 		_, err := h.dev.GetFeatureReport(in[:])
@@ -37,7 +37,7 @@ func (h *HAL) patchExchangeReport(out [9]byte) ([9]byte, error) {
 	return in, ErrorTimeout
 }
 
-type patchExecFuncResponse struct {
+type PatchExecFuncResponse struct {
 	A  byte
 	R2 byte
 	R3 byte
@@ -48,7 +48,7 @@ type patchExecFuncResponse struct {
 	C  bool
 }
 
-type patchExecFuncRequest struct {
+type PatchExecFuncRequest struct {
 	DPTR uint16
 	R3   byte
 	R4   byte
@@ -57,8 +57,8 @@ type patchExecFuncRequest struct {
 	R7_A byte
 }
 
-func (h *HAL) patchExecFunc(inIRQ bool, addr int, req patchExecFuncRequest) (patchExecFuncResponse, error) {
-	var response patchExecFuncResponse
+func (h *HAL) PatchExecFunc(inIRQ bool, addr int, req PatchExecFuncRequest) (PatchExecFuncResponse, error) {
+	var response PatchExecFuncResponse
 
 	if !h.patchInstalled {
 		return response, ErrorMissingFunction
@@ -101,3 +101,16 @@ func (h *HAL) patchExecFunc(inIRQ bool, addr int, req patchExecFuncRequest) (pat
 	response.C = in[1]&1 > 0
 	return response, nil
 }
+
+func (h *HAL) PatchCodeBlobGetAddress(index int) int {
+	if index < 0 {
+		return 0
+	}
+
+	index += h.patchCallAddrsExternalStart
+	if index >= len(h.patchCallAddrs) {
+		return 0
+	}
+
+	return h.patchCallAddrs[index]
+}
diff --git a/mshal/hal_patch_gpio.go b/mshal/hal_patch_gpio.go
index 5dd7e93..387d9b1 100644
--- a/mshal/hal_patch_gpio.go
+++ b/mshal/hal_patch_gpio.go
@@ -5,12 +5,12 @@ func (h *HAL) GPIOUpdate(stateSet byte, stateClear byte, outputSet byte, outputC
 		return 0, 0, ErrorMissingFunction
 	}
 
-	var req patchExecFuncRequest
+	var req PatchExecFuncRequest
 	req.R4 = stateSet
 	req.R5 = ^stateClear
 	req.R6 = outputClear
 	req.R7_A = ^outputSet
-	resp, err := h.patchExecFunc(true, h.patchCallAddrs[1], req)
+	resp, err := h.PatchExecFunc(true, h.patchCallAddrs[1], req)
 
 	return resp.R2, ^resp.R3, err
 }
diff --git a/mshal/hal_patch_i2c.go b/mshal/hal_patch_i2c.go
index 12763df..04f267e 100644
--- a/mshal/hal_patch_i2c.go
+++ b/mshal/hal_patch_i2c.go
@@ -6,7 +6,7 @@ func (h *HAL) patchI2CStart() error {
 		addr = 0x6a8c
 	}
 
-	_, err := h.patchExecFunc(true, addr, patchExecFuncRequest{})
+	_, err := h.PatchExecFunc(true, addr, PatchExecFuncRequest{})
 	return err
 }
 
@@ -15,7 +15,7 @@ func (h *HAL) patchI2CStop() error {
 	if h.deviceType == 2109 {
 		addr = 0x6aba
 	}
-	_, err := h.patchExecFunc(true, addr, patchExecFuncRequest{})
+	_, err := h.PatchExecFunc(true, addr, PatchExecFuncRequest{})
 	return err
 }
 
@@ -28,7 +28,7 @@ func (h *HAL) patchI2CRead(ack bool) (uint8, error) {
 	if ack {
 		r7 = 0
 	}
-	resp, err := h.patchExecFunc(true, addr, patchExecFuncRequest{R7_A: r7})
+	resp, err := h.PatchExecFunc(true, addr, PatchExecFuncRequest{R7_A: r7})
 	return resp.R7, err
 }
 
@@ -37,7 +37,7 @@ func (h *HAL) patchI2CWrite(value uint8) (bool, error) {
 	if h.deviceType == 2109 {
 		addr = 0x4648
 	}
-	resp, err := h.patchExecFunc(true, addr, patchExecFuncRequest{R7_A: value})
+	resp, err := h.PatchExecFunc(true, addr, PatchExecFuncRequest{R7_A: value})
 	if h.deviceType == 2109 {
 		return resp.C, err
 	}
diff --git a/mshal/hal_patch_install.go b/mshal/hal_patch_install.go
index 73bcdff..e0c0673 100644
--- a/mshal/hal_patch_install.go
+++ b/mshal/hal_patch_install.go
@@ -103,9 +103,9 @@ func (h *HAL) patchTrampolineInstall(ram MemoryRegion, replaceCode bool, addr in
 	return h.patchWriteWithRET(ram, addr, []byte{0x02, byte(trampolineAddr >> 8), byte(trampolineAddr)})
 }
 
-type blob struct {
-	data  []byte
-	reloc func(dataCopy []byte, addr int) (int, []byte)
+type CodeBlob struct {
+	Data     []byte
+	Relocate func(dataCopy []byte, addr int) (int, []byte)
 }
 
 //go:embed asm/hook_2106.bin
@@ -135,26 +135,26 @@ var codeMOVC []byte
 //go:embed asm/i2cRead2109.bin
 var codei2cRead []byte
 
-var installBlobs2106 = []blob{
+var installBlobs2106 = []CodeBlob{
 	{
-		data:  codeCallgate2106,
-		reloc: relocateCallgate,
+		Data:     codeCallgate2106,
+		Relocate: relocateCallgate,
 	}, {
-		data: codeGpio,
+		Data: codeGpio,
 	}, {
-		data: codeMOVC,
+		Data: codeMOVC,
 	}}
 
-var installBlobs2109 = []blob{
+var installBlobs2109 = []CodeBlob{
 	{
-		data:  codeCallgate2109,
-		reloc: relocateCallgate,
+		Data:     codeCallgate2109,
+		Relocate: relocateCallgate,
 	}, {
-		data: codeGpio,
+		Data: codeGpio,
 	}, {
-		data: codeMOVC,
+		Data: codeMOVC,
 	}, {
-		data: codei2cRead,
+		Data: codei2cRead,
 	},
 }
 
@@ -308,6 +308,9 @@ func (h *HAL) patchInstall() (bool, error) {
 		installBlobs = installBlobs2109
 	}
 
+	h.patchCallAddrsExternalStart = len(installBlobs)
+	installBlobs = append(installBlobs, h.config.PatchBlobs...)
+
 	ram := h.MemoryRegionGet(MemoryRegionRAM)
 	userConfig := h.MemoryRegionGet(MemoryRegionUserConfig)
 
@@ -316,7 +319,7 @@ func (h *HAL) patchInstall() (bool, error) {
 	/* Calculate checksum of blobs */
 	crc := crc32.New(crc32.IEEETable)
 	for _, m := range installBlobs {
-		crc.Write(m.data)
+		crc.Write(m.Data)
 	}
 	sum := crc.Sum(nil)
 
@@ -369,15 +372,15 @@ func (h *HAL) patchInstall() (bool, error) {
 
 	/* Install all blobs */
 	for i, m := range installBlobs {
-		data := m.data
+		data := m.Data
 
 		loadAddr := h.patchAlloc(len(data))
 		callAddr := loadAddr
 
-		if m.reloc != nil {
+		if m.Relocate != nil {
 			dataCopy := make([]byte, len(data))
 			copy(dataCopy, data)
-			callAddr, data = m.reloc(dataCopy, loadAddr)
+			callAddr, data = m.Relocate(dataCopy, loadAddr)
 		}
 
 		if h.config.LogFunc != nil {
diff --git a/mshal/hal_patch_movc.go b/mshal/hal_patch_movc.go
index 5310f04..46b76f8 100644
--- a/mshal/hal_patch_movc.go
+++ b/mshal/hal_patch_movc.go
@@ -1,7 +1,7 @@
 package mshal
 
 func (h *HAL) patchReadCode(addr int) (byte, error) {
-	resp, err := h.patchExecFunc(true, h.patchCallAddrs[2], patchExecFuncRequest{DPTR: uint16(addr)})
+	resp, err := h.PatchExecFunc(true, h.patchCallAddrs[2], PatchExecFuncRequest{DPTR: uint16(addr)})
 	if err != nil {
 		return 0, err
 	}