usbliter8 Brings Unpatchable BootROM Exploit to Apple A12 and A13 Devices
June 22, 2026 
usbliter8 is an unpatchable BootROM exploit affecting A12/A13 devices, enabling code execution and extending checkm8-like risks to newer iPhones.
Security researchers at Paradigm Shift published a working exploit on June 18, 2026, called usbliter8, that achieves arbitrary code execution inside the SecureROM of Apple’s A12 and A13 chips. SecureROM is the first code that runs when an Apple device boots. It’s burned into the silicon at manufacture and cannot be modified or patched after the fact. Every device carrying these chips will carry this vulnerability for its entire operational life.
“The usbliter8 exploit demonstrates that even on more recent SecureROM generations, including those protected by Pointer Authentication, subtle hardware bugs can still be leveraged to achieve full code execution and break the chain of trust.” reads the report published by Paradigm Shift.
The attack is not remote. The experts pointed out that it requires physical access to the device, DFU mode, a USB connection, and a dedicated RP2350-based microcontroller board.
The researchers published a working proof of concept on June 18, following coordinated disclosure with Apple Product Security. No CVE and no Apple security advisory had been issued as of June 19.
The affected chip families include A12, A13, S4, and S5. In device terms, that means iPhone XS, XS Max, XR, iPhone 11 series, iPhone SE second generation, iPad Air third generation, iPad mini fifth generation, iPad eighth generation, Apple Watch Series 4 and 5, first-generation Apple Watch SE, and HomePod mini. A11 is not affected. A14 and later appear to be out of reach.
The experts described the A12X and A12Z support as theoretically possible but not yet implemented. That covers iPad Pro models from 2018 and 2020, meaning the vulnerability boundary may expand.
The root cause is a hardware flaw in the USB controller Synopsys DWC2 USB used by Apple in these chips. The controller stores incoming USB Setup packets via DMA, buffers up to three, then resets its write pointer on the fourth by decrementing it by a fixed 24 bytes. It also accepts smaller-than-standard packets and increments the pointer only by the actual bytes written. That mismatch accumulates into a repeatable buffer underflow, stepping the write pointer backwards through memory 12 bytes at a time.
“The DesignWare USB controller stores up to three consecutive Setup packets in memory. Upon receiving a fourth Setup transaction, the DMA base address gets reset to its starting position before writing, akin to a ring buffer mechanism.
After writing each received packet, the controller increments DOEPDMA by the size of data written. The reset operation is implemented by decrementing DOEPDMA by 24.” continues the report.
“The core issue arises because the controller also accepts smaller packets (though always stores in 4-byte chunks).”
What makes this dangerous on A12 and A13 specifically is how Apple configured the USB DART, the chip’s memory mapping unit, inside SecureROM. On these devices it runs in bypass mode, so the underflowing DMA pointer can reach and overwrite arbitrary SRAM. A11 avoids the problem because its USB driver manually resets the DMA address after every packet, preventing accumulation. A14 and later configure DART correctly, which Paradigm Shift says makes the same vulnerability unexploitable on newer hardware.
Getting to code execution differs between the two chips. On A12 devices, the DMA buffer is located next to the USB task stack in memory, allowing attackers to overwrite control data and gain code execution during a task switch.
A13 is harder because Pointer Authentication protects stack-stored return addresses. Paradigm Shift bypassed it in stages: corrupting DART-related heap structures to create limited write primitives, overwriting a panic depth counter to make the chip loop on errors instead of rebooting, and then overwriting the USB interrupt handler pointer in BSS so the next USB interrupt runs attacker-supplied code. Either path ends at EL1, the chip’s privileged execution mode, inside SecureROM.
Once there, usbliter8 injects a custom USB request handler and stamps PWND:[usbliter8] into the device’s USB serial string. From that position an attacker can temporarily demote the SoC’s production mode or boot a raw, unsigned iBoot image with no signature checks, stepping entirely outside Apple’s chain of trust. The Secure Enclave is not shown to be compromised in this research. Paradigm Shift warns that BootROM-level control may open new routes for attacking it, but that work hasn’t been demonstrated yet.
The newly disclosed usbliter8 exploit is being compared to checkm8, the landmark 2019 SecureROM vulnerability that permanently affected Apple A5–A11 devices and could not be patched through software updates. Like checkm8, usbliter8 requires physical access and DFU mode, but it extends the same unpatchable condition to newer A12 and A13 chips. Checkm8 enabled years of jailbreaking, forensic acquisition, and custom boot environments, and researchers believe usbliter8 could open similar possibilities for a new generation of Apple devices.
For most personal users the practical risk is limited: an attacker needs the physical device, the right cable, and the knowledge to force DFU mode, which is not a trivial barrier in everyday life. For enterprise security teams, government agencies, and anyone running sensitive operations on affected hardware, this is a different category of problem. Physical security boundaries that previously existed no longer do. Inventory every A12, A13, S4, and S5 device in sensitive roles, accelerate refresh cycles toward A14 or newer, establish strict policies around DFU mode and untrusted USB connections, and treat physical device custody as a security control rather than an administrative detail. The code is public, which is usually how a research demo becomes someone else’s operational tool.
“While newer generations have addressed the underlying issue, affected A12 and A13 devices will carry it for the remainder of their lifetime.” concludes the report. “For those who have followed the history of iPhone exploitation and jailbreaking, this research is a reminder that the BootROM still occasionally has a surprise left to give.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, usbliter8)
Stephan is the sports journalist for the Maple Grove Report.
