Security researchers at Paradigm Shift have published a working exploit, dubbed usbliter8, that achieves arbitrary code execution inside the SecureROM of Apple’s A12 and A13 chips. SecureROM code is burned into the silicon at manufacture — no software update can ever reach it. Affected devices will carry this flaw for as long as they remain in use.
This is not a remote attack vector. It requires physical possession of the device in DFU mode, connected via USB to a dedicated RP2350-based microcontroller board. With that setup, the exploit completes in under two seconds, before Apple’s signed boot chain loads.
Affected Devices
The public proof-of-concept supports A12, A13, S4, and S5 SoCs. Device families in that range include:
- iPhone XS, XS Max, XR
- iPhone 11, 11 Pro, 11 Pro Max
- iPhone SE (2nd generation)
- iPad Air (3rd gen), iPad mini (5th gen), iPad (8th gen)
- Apple Watch Series 4, Series 5, and first-gen SE
- HomePod mini
A14 and later chips are not vulnerable for this specific exploit path. A11 is also not affected.
The Technical Breakdown
The root issue is a hardware flaw in the Synopsys DWC2 USB controller. The controller stores incoming USB Setup packets via DMA, buffers up to three, then resets its write pointer on the fourth — but also accepts smaller-than-standard packets. The mismatch accumulates into a repeatable buffer underflow, stepping the write pointer backwards through memory.
What makes this exploitable on A12 and A13 specifically is how Apple configures the USB DART (IOMMU) inside SecureROM: it runs in bypass mode, so the underflowing DMA pointer can reach and overwrite arbitrary SRAM. Post-exploitation, the attacker can boot unsigned iBoot images with no signature checks, stepping entirely outside Apple’s chain of trust.
Practical Risk
For most users the practical risk is low — an attacker needs physical possession, the right cable, and DFU mode access. But for high-security environments, this is now a hardware-retirement problem. Any A12/A13 device in a sensitive role should be inventoried and prioritized for replacement with A14 or newer hardware. No CVE, CVSS score, or CISA alert has been issued for this vulnerability as of publication.