Unpatchable ‘usbliter8’ Exploit Breaks Apple A12 and A13 SecureROM Permanently

atadmin
By
atadmin
3 Min Read

Security researchers at Paradigm Shift have published a working exploit, dubbed usbliter8, that achieves arbitrary code execution inside the SecureROM of Apple’s A12 and A13 chips. SecureROM code is burned into the silicon at manufacture — no software update can ever reach it. Affected devices will carry this flaw for as long as they remain in use.

This is not a remote attack vector. It requires physical possession of the device in DFU mode, connected via USB to a dedicated RP2350-based microcontroller board. With that setup, the exploit completes in under two seconds, before Apple’s signed boot chain loads.

Affected Devices

The public proof-of-concept supports A12, A13, S4, and S5 SoCs. Device families in that range include:

  • iPhone XS, XS Max, XR
  • iPhone 11, 11 Pro, 11 Pro Max
  • iPhone SE (2nd generation)
  • iPad Air (3rd gen), iPad mini (5th gen), iPad (8th gen)
  • Apple Watch Series 4, Series 5, and first-gen SE
  • HomePod mini

A14 and later chips are not vulnerable for this specific exploit path. A11 is also not affected.

The Technical Breakdown

The root issue is a hardware flaw in the Synopsys DWC2 USB controller. The controller stores incoming USB Setup packets via DMA, buffers up to three, then resets its write pointer on the fourth — but also accepts smaller-than-standard packets. The mismatch accumulates into a repeatable buffer underflow, stepping the write pointer backwards through memory.

What makes this exploitable on A12 and A13 specifically is how Apple configures the USB DART (IOMMU) inside SecureROM: it runs in bypass mode, so the underflowing DMA pointer can reach and overwrite arbitrary SRAM. Post-exploitation, the attacker can boot unsigned iBoot images with no signature checks, stepping entirely outside Apple’s chain of trust.

Practical Risk

For most users the practical risk is low — an attacker needs physical possession, the right cable, and DFU mode access. But for high-security environments, this is now a hardware-retirement problem. Any A12/A13 device in a sensitive role should be inventoried and prioritized for replacement with A14 or newer hardware. No CVE, CVSS score, or CISA alert has been issued for this vulnerability as of publication.

Source: The Hacker News → | Technical Write-up →

Share This Article
Leave a Comment

Leave a Reply

Your email address will not be published. Required fields are marked *