usbliter8: New iPhone BootROM Vulnerability Exposes A12/A13 Apple SoCs to Full Chain-of-Trust Compromise

dark6 19 June 2026

Security researchers at Paradigm Shift have disclosed a critical hardware-level vulnerability, dubbed usbliter8, that affects Apple devices powered by A12, S4/S5, and A13 system-on-chips (SoCs). The flaw resides in the device’s immutable BootROM — the first code executed when an Apple device powers on — and enables a complete compromise of Apple’s chain-of-trust security architecture. Because BootROM code is permanently burned into silicon at the manufacturing stage, no software patch can address this vulnerability.

Understanding the BootROM and Why It Matters

The BootROM is the foundation of Apple’s Secure Boot chain. It is the first code that executes on an Apple SoC, and it is responsible for verifying the cryptographic signatures of every subsequent piece of software that loads during the boot process. If the BootROM is compromised, an attacker can bypass all of Apple’s downstream security protections — including signature verification for iOS, iBoot, and the Secure Enclave — effectively nullifying the entire security model of the device.

Previous notable BootROM exploits, such as checkm8 (affecting A5 through A11 SoCs), have been widely used in the jailbreaking community and demonstrated that hardware-level flaws can persist indefinitely once discovered.

The Technical Root Cause: A USB Controller Flaw

The usbliter8 vulnerability originates in how the Synopsys DWC2 USB controller handles consecutive USB Setup packets. The controller is designed to store up to three Setup packets in memory before resetting its DMA base address register (DOEPDMA) to its starting position, functioning as a ring buffer.

The critical flaw lies in the pointer arithmetic: after each write, the controller increments the DOEPDMA register by the size of data written — which can vary. However, the reset operation always decrements the pointer by a fixed 24 bytes. When smaller packets are involved (stored in 4-byte chunks), the mismatch between the variable increment and the fixed decrement produces a buffer underflow primitive in 12-byte steps, allowing controlled writes to memory regions outside the intended buffer.

On A12 and A13 devices, the USB DART (Device Address Resolution Table) is configured in bypass mode within SecureROM, meaning there is no IOMMU barrier to prevent DMA from overwriting arbitrary SRAM data. Apple corrected this misconfiguration on A14 and later SoCs, rendering those devices immune to this specific attack chain.
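The pointer arithmetic described above, as an added toy model in C (not Paradigm Shift's code and not part of the original article). It assumes a full Setup packet occupies 8 bytes, a short one 4, and that the rewind fires after every third packet; all function names are hypothetical, offsets are relative to the buffer base, and no hardware is touched.

```c
#include <stdio.h>
#include <stddef.h>

#define SETUP_SLOTS   3    /* page: up to three Setup packets are buffered */
#define FIXED_REWIND  24   /* page: the reset always subtracts 24 bytes */

/* Flawed rule: advance by the bytes actually written, rewind by a constant.
 * Returns the DMA offset (relative to the buffer base) after n writes. */
long drift_fixed_rewind(const unsigned *written, size_t n)
{
    long off = 0;
    for (size_t i = 0; i < n; i++) {
        off += written[i];
        if ((i + 1) % SETUP_SLOTS == 0)
            off -= FIXED_REWIND;
    }
    return off;
}

/* Corrected rule for comparison: rewind by exactly what this window wrote. */
long drift_tracked_rewind(const unsigned *written, size_t n)
{
    long off = 0, window = 0;
    for (size_t i = 0; i < n; i++) {
        off += written[i];
        window += written[i];
        if ((i + 1) % SETUP_SLOTS == 0) {
            off -= window;
            window = 0;
        }
    }
    return off;
}

/* Simplified stand-in for the range check an IOMMU mapping would impose. */
int dma_in_window(long off, long window_len)
{
    return off >= 0 && off < window_len;
}

int main(void)
{
    unsigned full[6]  = {8, 8, 8, 8, 8, 8};  /* constructed: full Setups */
    unsigned small[6] = {4, 4, 4, 4, 4, 4};  /* constructed: 4-byte chunks */
    printf("fixed rewind, full:    %ld\n", drift_fixed_rewind(full, 6));
    printf("fixed rewind, short:   %ld\n", drift_fixed_rewind(small, 6));
    printf("tracked rewind, short: %ld\n", drift_tracked_rewind(small, 6));
    return 0;
}
```

With full-size packets the fixed rewind is harmless; with 4-byte writes each three-packet cycle leaves the offset 12 bytes lower, which is the drift a DART mapping would have rejected and bypass mode lets through.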

Exploitation Differences Between A12 and A13

On A12 and S4/S5 devices, exploitation is relatively straightforward. The DMA buffer sits adjacent to the USB task’s stack on the heap. Attackers corrupt a saved Link Register (LR), gaining program counter (PC) control during a scheduler context switch. A compact ROP chain then redirects DMA writes into the boot trampoline, which is normally non-writable from EL0, before jumping into SecureROM’s EL1 transition routine to execute attacker shellcode with full privileges.

On A13, Apple introduced Pointer Authentication (PAC), complicating direct LR corruption. Researchers developed a multi-step technique involving:

  • Controlled overwrites of DART heap metadata
  • Neutralizing heap checksum protections
  • Suppressing reboots on panic by overwriting a global panic counter
  • Routing execution through a gadget that loads a function pointer from attacker-controlled memory, bypassing PAC due to only the IB key being enabled — an oversight that proves fatal

What Attackers Can Do With This Exploit

With EL1 code execution achieved, the exploit enables:

  • Injection of a custom USB request handler into unused boot trampoline space
  • Patching the USB serial number to include the “PWND” identifier (as seen in previous jailbreak tools)
  • SoC demotion (temporarily lowering production mode)
  • Unsigned iBoot booting — bypassing all cryptographic signature verification on raw iBoot images, effectively defeating Apple’s Secure Boot chain entirely

Affected Devices

The confirmed vulnerable hardware includes:

  • Apple A12: iPhone XS, iPhone XR, iPad Pro (2018)
  • Apple S4/S5: Apple Watch Series 4 and Series 5
  • Apple A13: iPhone 11, 11 Pro, and 11 Pro Max

Devices running A14 Bionic and newer (iPhone 12 and later) are not affected due to corrected DART configuration.

Mitigation: No Software Fix Available

Because BootROM vulnerabilities reside in immutable silicon, no software or firmware update can remediate the issue. The only effective mitigation is migrating to A14 or later hardware. Users who rely on affected devices for sensitive workloads — particularly in enterprise, government, or high-security contexts — should consider upgrading their hardware.

Paradigm Shift conducted coordinated disclosure with Apple Product Security prior to publication. The full proof-of-concept exploit has been made publicly available in their research repository.
