Critical BootROM Vulnerability "usbliter8" Exposes Apple A12/A13 Devices to Unpatchable Exploits Researchers at Paradigm Shift have uncovered a severe BootROM vulnerability, dubbed usbliter8, affecting Apple devices powered by A12, S4/S5, and A13 system-on-chips (SoCs). The flaw stems from a hardware-level bug in the Synopsys DWC2 USB controller, combined with a firmware misconfiguration, enabling attackers to achieve full application processor boot-chain compromise. Due to the immutable nature of BootROM code, no software patch can address the issue. The vulnerability arises from a mismatch in how the DWC2 USB controller handles USB Setup packets. The controller stores up to three packets in memory before resetting the DMA base address (DOEPDMA register) to its starting position. However, while the controller increments the address by the size of written data after each operation, the reset always decrements it by a fixed 24 bytes. This discrepancy creates a buffer underflow, allowing controlled writes to unintended memory regions in 12-byte steps. Exploitation varies by SoC generation. On A12 and S4/S5 devices, the DMA buffer’s proximity to the USB task’s stack enables direct corruption of a saved Link Register (LR), granting attackers program counter (PC) control during a scheduler context switch. A return-oriented programming (ROP) chain then redirects DMA writes into the boot trampoline, bypassing write protections and executing shellcode with full privileges. The A13 SoC introduces additional hurdles, including Pointer Authentication (PAC), but researchers bypassed these protections through a multi-stage attack. By overwriting DART heap metadata, neutralizing checksum protections, and suppressing reboots via a panic counter overwrite, they achieved arbitrary code execution. The exploit leverages a firmware oversight only the IB key is enabled for PAC allowing attackers to load function pointers from controlled memory. Once EL1 execution is achieved, the exploit injects a custom USB request handler, patches the device’s serial number with a “PWND” identifier, and maintains stability by restoring corrupted heap allocations. On A13 devices, the attack’s memory corruption necessitates a full SecureROM restart. Researchers achieve this by copying the ROM into SRAM, remapping it via custom MMU tables, and hooking ROM page table entry generation to preserve address space consistency. The custom handler enables two privileged operations: SoC demotion (temporarily lowering production mode) and unsigned iBoot booting, effectively bypassing Apple’s Secure Boot chain. Affected Devices: - Apple A12 (iPhone XS, XR, iPad Pro 2018) - Apple S4/S5 (Apple Watch Series 4/5) - Apple A13 (iPhone 11 series) As the vulnerability resides in immutable silicon, the only mitigation is migrating to A14 or later hardware. While Apple’s Secure Enclave Processor (SEP) provides an additional security layer, usbliter8 expands potential attack vectors against it. Paradigm Shift coordinated disclosure with Apple Product Security, and the full proof-of-concept exploit is publicly available in their research repository.