diff --git a/panda/include/panda/rr/rr_log.h b/panda/include/panda/rr/rr_log.h
index f82dd3a7cd2..5477cce8095 100644
--- a/panda/include/panda/rr/rr_log.h
+++ b/panda/include/panda/rr/rr_log.h
@@ -216,7 +216,7 @@ static inline uint64_t rr_num_instr_before_next_interrupt(void) {
 
 uint32_t rr_checksum_memory(void);
 uint32_t rr_checksum_regs(void);
-
+uint32_t rr_checksum_timers(int);
 bool rr_queue_empty(void);
 
 #endif
diff --git a/panda/scripts/diverge.py b/panda/scripts/diverge.py
index f9e684f9bd6..5d73a11289e 100755
--- a/panda/scripts/diverge.py
+++ b/panda/scripts/diverge.py
@@ -14,6 +14,7 @@
 from multiprocessing.pool import ThreadPool
 from os.path import join
 from subprocess import check_call, CalledProcessError
+from time import sleep
 
 from expect import Expect, TimeoutExpired
 from tempdir import TempDir
@@ -255,19 +256,19 @@ def display_commands(self):
     def ram_ptr(self):
         return self.get_value(
             "memory_region_find(" +
-                "get_system_memory(), 0x2000000, 1).mr->ram_block.host")
+                "get_system_memory(), 0x2000000, 1).mr->ram_block->host")
 
     def crc32_ram(self, low, size):
         step = 1 << 31 if size > (1 << 31) else size
         crc32s = 0
         for start in range(low, low + size, step):
-            crc32s ^= self.get_value("crc32(0, {} + {}, {})".format(
-                            hex(self.ram_ptr), hex(start), hex(step)))
+            crc32s ^= self.get_value("(unsigned long) crc32(0, {} +{}, {})".format(
+                        hex(self.ram_ptr), hex(start), hex(step)))
         return crc32s
 
     @cached_property
     def ram_size(self):
-        return self.get_value('ram_size')
+        return self.get_value('memory_region_find(get_system_memory(), 0x2000000, 1).mr->ram_block.used_length')
 
     @cached_property
     def reg_size(self):
@@ -670,11 +671,12 @@ def cleanup_error():
         self.both.gdb("set pagination off")
 
         check_call(['tmux', 'select-layout', 'even-horizontal'])
-
+        self.both.breakpoint("_start")
+        self.both.gdb("c")
+        sleep(1)
         self.both.breakpoint("rr_do_begin_record")
         self.both.breakpoint("rr_do_begin_replay")
         self.both.breakpoint("cpu_loop_exec_tb")
-
         try:
             self.both.breakpoint("debug_counter")
         except RuntimeError:
diff --git a/panda/src/rr/rr_log.c b/panda/src/rr/rr_log.c
index 47dfbf6c5c2..2ae49be3fa4 100644
--- a/panda/src/rr/rr_log.c
+++ b/panda/src/rr/rr_log.c
@@ -1951,6 +1951,14 @@ uint32_t rr_checksum_regs(void) {
 #endif
     return crc;
 }
+uint32_t rr_checksum_timers(int index) {
+    uint32_t crc = crc32(0, Z_NULL, 0);
+    #if defined(TARGET_ARM)
+    CPUARMState *env = (CPUArchState *)first_cpu->env_ptr;
+    crc = crc32(crc, (unsigned char *)&env->cp15.c14_timer[index], sizeof(env->cp15.c14_timer[index]));
+    #endif
+    return crc;
+}
 
 uint8_t rr_debug_readb(target_ulong addr);
 uint8_t rr_debug_readb(target_ulong addr) {
diff --git a/target/arm/helper.c b/target/arm/helper.c
index d5995257bf7..8da2a03b86c 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -15,6 +15,10 @@
 #include <zlib.h> /* For crc32 */
 #include "exec/semihost.h"
 #include "sysemu/kvm.h"
+#ifdef CONFIG_SOFTMMU
+#include "panda/rr/rr_log_all.h"
+#include "panda/rr/rr_log.h"
+#endif
 
 #define ARM_CPU_FREQ 1000000000 /* FIXME: 1 GHz, should be configurable */
 
@@ -1701,6 +1705,15 @@ static uint64_t gt_cnt_read(CPUARMState *env, const ARMCPRegInfo *ri)
 
 static uint64_t gt_virt_cnt_read(CPUARMState *env, const ARMCPRegInfo *ri)
 {
+        #ifdef CONFIG_SOFTMMU
+            uint64_t now;
+             RR_DO_RECORD_OR_REPLAY(
+                /*action*/ now = gt_get_countervalue(env) - env->cp15.cntvoff_el2,
+                /*record*/ rr_input_8(&now),
+                /*replay*/ rr_input_8(&now),
+                /*location*/RR_CALLSITE_READ_8);
+             return now;
+    #endif
     return gt_get_countervalue(env) - env->cp15.cntvoff_el2;
 }
 
@@ -1812,7 +1825,18 @@ static void gt_virt_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
 {
     gt_ctl_write(env, ri, GTIMER_VIRT, value);
 }
-
+static uint64_t gt_virt_ctl_read(CPUARMState *env, const ARMCPRegInfo *ri)
+{
+    uint64_t ctl;
+            #ifdef CONFIG_SOFTMMU
+             RR_DO_RECORD_OR_REPLAY(
+                /*action*/ ctl = env->cp15.c14_timer[GTIMER_VIRT].ctl,
+                /*record*/ rr_input_8(&ctl),
+                /*replay*/ rr_input_8(&ctl),
+                /*location*/RR_CALLSITE_READ_8);
+        #endif
+    return ctl;
+}
 static void gt_cntvoff_write(CPUARMState *env, const ARMCPRegInfo *ri,
                               uint64_t value)
 {
@@ -1961,6 +1985,7 @@ static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
       .accessfn = gt_vtimer_access,
       .fieldoffset = offsetoflow32(CPUARMState,
                                    cp15.c14_timer[GTIMER_VIRT].ctl),
+      .readfn = gt_virt_ctl_read,
       .writefn = gt_virt_ctl_write, .raw_writefn = raw_write,
     },
     { .name = "CNTV_CTL_EL0", .state = ARM_CP_STATE_AA64,
@@ -1969,6 +1994,7 @@ static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
       .accessfn = gt_vtimer_access,
       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_VIRT].ctl),
       .resetvalue = 0,
+      .readfn = gt_virt_ctl_read,
       .writefn = gt_virt_ctl_write, .raw_writefn = raw_write,
     },
     /* TimerValue views: a 32 bit downcounting view of the underlying state */