New usbliter8 BootROM exploit affects older Apple A12 and A13 devices


Security researchers at Paradigm Shift have disclosed usbliter8, a new BootROM exploit affecting Apple devices using A12, S4/S5, and A13 chips. The vulnerability targets the earliest stage of the device boot process, which makes it unusually difficult to address on affected hardware.

The exploit matters because Apple’s secure boot chain starts from immutable Boot ROM code that acts as the hardware root of trust. Once researchers gain code execution at that level, they can undermine parts of the application processor boot chain before iOS or iPadOS fully loads.

However, this is not a remote iPhone hack. The public usbliter8 repository describes a tethered exploit that requires DFU mode and dedicated USB hardware, which means an attacker would need physical control of the device.

What usbliter8 does

A MacRumors report describes usbliter8 as a new unpatchable exploit for Apple A12 and A13 chips, extending public BootROM exploitation beyond the older checkm8 era. The affected generation includes devices such as the iPhone XS, iPhone XR, and iPhone 11 family.

The technical issue combines a hardware-level flaw in the Synopsys DWC2 USB controller with a firmware configuration weakness. According to the research write-up, the controller mishandles consecutive USB Setup packets, creating a buffer underflow primitive that can be used to overwrite memory outside the intended buffer.

On vulnerable Apple chips, the researchers say the USB DART is configured in bypass mode inside SecureROM. That removes an important memory protection barrier and allows the USB controller’s DMA behavior to corrupt SRAM data during the early boot process.

Affected chips and likely device families

The exploit currently supports Apple A12, S4/S5, and A13 SoCs. A consumer-facing summary from MacRumors notes that the vulnerability covers the iPhone XS through the iPhone 11 generation, although the exact practical impact depends on the device and implementation.

| Chip family | Examples of devices | Status in usbliter8 |
| --- | --- | --- |
| Apple A12 | iPhone XS, iPhone XS Max, iPhone XR | Supported by the public exploit |
| Apple S4/S5 | Apple Watch Series 4 and Series 5 families | Listed as supported SoCs |
| Apple A13 | iPhone 11, iPhone 11 Pro, iPhone 11 Pro Max, iPhone SE 2nd generation | Supported, but exploitation is more complex |
| Apple A12X/Z | Some iPad Pro models | Theoretically possible, but not currently implemented |
| Apple A14 and later | Newer iPhone and iPad generations | Researchers say the issue appears unexploitable |

Why BootROM bugs are so serious

Apple explains that when an iPhone or iPad turns on, the application processor immediately runs code from read-only memory. This Boot ROM code contains Apple’s root certificate authority public key and verifies that iBoot is signed by Apple before allowing it to load.

Because that code is placed into the chip during fabrication, Apple cannot replace it with a normal software update. That is why BootROM bugs can remain present for the lifetime of affected silicon, even when the operating system continues to receive security updates.

Apple’s Secure Enclave remains an important separate security boundary. Paradigm Shift says usbliter8 does not directly affect the Secure Enclave itself, although control over the application processor boot chain may create broader avenues for future research.

Why A13 exploitation is harder than A12

The A12 path is more direct because the DMA buffer sits near the USB task stack, allowing researchers to corrupt a saved link register and gain program counter control during a scheduler context switch.

A13 is harder because Apple introduced Pointer Authentication Codes, or PAC, which make simple stack link register corruption less useful. The researchers said they needed additional steps involving heap metadata, DART-related allocations, and other checks before gaining reliable control.

That distinction matters for real-world risk. The exploit shows a serious hardware flaw, but practical use still requires the right device, hands-on access, DFU mode, specialized hardware, and technical skill.

What users can do now

There is no normal iOS or iPadOS patch that can remove a BootROM flaw from affected chips. Still, Apple’s security releases remain important because updates continue to fix operating system, browser, kernel, and app-level vulnerabilities that attackers can use in other attack chains.

For most users, the main risk is device custody. A locked iPhone that never leaves your control faces a much lower risk from this class of exploit than a device handled by an attacker, an unknown repair shop, or an untrusted third party.

  • Keep iOS, iPadOS, and watchOS updated when updates are available.
  • Use a strong passcode instead of a short numeric code.
  • Do not leave older affected devices unattended in untrusted environments.
  • Avoid unknown repair services if the device contains sensitive data.
  • Move sensitive workloads to newer hardware if you rely on A12 or A13 devices.

Why newer hardware reduces exposure

The researchers say A14 and later generations appear to configure DART correctly in SecureROM, which makes the specific attack path unexploitable on those chips. That makes newer hardware the most effective mitigation for users who need stronger protection against physical-access attacks.

Apple’s software update guidance still applies to all supported users. Updates cannot rewrite vulnerable BootROM silicon, but they can reduce exposure to other bugs that may help attackers before or after physical access.

The Secure Enclave documentation also explains why sensitive data protection does not depend on only one component. Apple uses separate hardware protections, cryptographic checks, and secure boot mechanisms to protect user data even when other parts of the system face compromise.

Researchers also published proof-of-concept code

The public proof-of-concept repository confirms that usbliter8 is a tethered BootROM exploit for Apple A12, S4/S5, and A13 SoCs. It also notes that A12X/Z could theoretically be supported, but that support is not implemented in the released version.

Paradigm Shift says it coordinated disclosure with Apple Product Security before publication. The release now gives security researchers a new public example of how subtle hardware behavior can affect even modern SecureROM generations.

For everyday iPhone users, the practical advice is less dramatic than the technical achievement. Keep the device updated, protect physical access, and consider newer hardware if the device handles sensitive personal, business, or government data.

FAQ

What is usbliter8?

usbliter8 is a BootROM exploit disclosed by Paradigm Shift. It affects Apple devices using A12, S4/S5, and A13 chips and can compromise parts of the application processor boot chain under specific physical-access conditions.

Can Apple patch usbliter8 with an iOS update?

Apple cannot remove a BootROM flaw from affected silicon through a normal software update because Boot ROM code is placed into the chip during manufacturing. Users should still install software updates because they fix other important security issues.

Is usbliter8 a remote iPhone attack?

No. The public exploit is tethered and requires physical access, DFU mode, and special USB hardware. It is not a remote browser, message, or app-based attack.

Which Apple chips are affected by usbliter8?

The released exploit supports Apple A12, S4/S5, and A13 SoCs. A12X/Z support is described as theoretically possible but not currently implemented. A14 and newer chips appear protected against this specific attack path.

Does usbliter8 break the Secure Enclave?

Paradigm Shift says usbliter8 does not directly affect the Secure Enclave. However, compromising the application processor boot chain may create broader avenues for attacks that try to target nearby security boundaries.
