A novel BootROM vulnerability, dubbed usbliter8, affects Apple devices powered by A12, S4/S5, and A13 SoCs. The exploit chains a hardware-level bug in the Synopsys DWC2 USB controller with a firmware configuration flaw, enabling full application processor boot-chain compromise with no software patch possible due to the immutable nature of BootROM code.
According to Paradigm Shift researchers, the vulnerability originates in how the DWC2 USB controller handles consecutive USB Setup packets.
The controller stores up to three Setup packets in memory before resetting the DMA base address (stored in the DOEPDMA register) to its starting position, functioning like a ring buffer.
The critical flaw: after each write, the controller increments DOEPDMA by the size of data written, but the reset operation always decrements it by a fixed 24 bytes.
Since the controller also accepts smaller packets stored in 4-byte chunks, the pointer arithmetic breaks down. The mismatch between the variable increment and the fixed decrement produces a buffer underflow primitive in 12-byte steps, allowing controlled writes to memory regions outside the intended buffer.
On A12 and A13, the USB DART (Device Address Resolution Table) is configured in bypass mode within SecureROM, meaning there is no IOMMU barrier to stop the DMA from overwriting arbitrary SRAM data. A14 and later generations configure DART correctly, rendering the vulnerability unexploitable on newer hardware.
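The pointer arithmetic and the missing DART barrier described above can be modelled in a few lines of C. This is an added illustration, not code from Paradigm Shift or from the controller: the struct, the function names, the base address and the 4-byte short-packet size are assumptions chosen to reproduce the 12-byte step.

```c
#include <stdint.h>

#define SETUP_SLOTS  3   /* packets stored before the rewind (from the article) */
#define REWIND_BYTES 24  /* fixed decrement applied at rewind (from the article) */
#define FULL_SETUP   8   /* size of a standard USB Setup packet */
#define SHORT_PKT    4   /* assumed short packet: one 4-byte chunk */

/* Simplified model of the endpoint DMA pointer, not the controller's logic. */
typedef struct {
    int64_t base;    /* start of the intended buffer */
    int64_t dma;     /* modelled DOEPDMA value */
    int     stored;  /* packets stored since the last rewind */
} ep_model;

/* Pattern described in the article: advance by bytes written, rewind by a constant. */
void store_relative_rewind(ep_model *ep, int64_t len) {
    ep->dma += len;
    if (++ep->stored == SETUP_SLOTS) {
        ep->dma -= REWIND_BYTES;
        ep->stored = 0;
    }
}

/* Safer pattern: rewind to the absolute base, so packet size cannot skew it. */
void store_absolute_rewind(ep_model *ep, int64_t len) {
    ep->dma += len;
    if (++ep->stored == SETUP_SLOTS) {
        ep->dma = ep->base;
        ep->stored = 0;
    }
}

/* Offset of the pointer from the buffer base after `rounds` rewind cycles. */
int64_t drift_after(void (*store)(ep_model *, int64_t), int64_t len, int rounds) {
    ep_model ep = { .base = 0x1000, .dma = 0x1000, .stored = 0 }; /* constructed base */
    for (int i = 0; i < rounds * SETUP_SLOTS; i++)
        store(&ep, len);
    return ep.dma - ep.base;
}

/* The bounds check a correctly configured IOMMU window applies to each DMA write. */
int dma_write_allowed(int64_t addr, int64_t len, int64_t win_base, int64_t win_size) {
    return addr >= win_base && addr + len <= win_base + win_size;
}
```

With full 8-byte packets the relative rewind stays balanced; with short packets it drifts below the base by 12 bytes per cycle, and only the window check stops the resulting write, which is the barrier that bypass mode removes.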
Exploitation Differences: A12 vs. A13
On A12 and S4/S5, exploitation is relatively straightforward. The DMA buffer sits adjacent to the USB task’s stack on the heap. Attackers corrupt a saved Link Register (LR), gaining PC control during a scheduler context switch.
A compact ROP chain then redirects DMA writes into the boot trampoline, which is normally non-writable from EL0, before jumping into SecureROM’s EL1 transition routine to execute attacker shellcode with full privileges.
A13 introduces Pointer Authentication (PAC), complicating direct LR corruption. Researchers developed a multi-step technique involving controlled overwrites of DART heap metadata, neutralizing heap checksum protections, and suppressing reboots on panic by overwriting a global panic counter with a 0xF write primitive.
Execution is ultimately rerouted through a gadget that loads a function pointer from attacker-controlled memory, bypassing PAC because only the IB key is enabled in the firmware, an oversight that proves fatal.
With EL1 code execution achieved, the exploit injects a custom USB request handler into unused boot trampoline space, patches the USB serial number to include the “PWND” identifier, and restores corrupted heap allocations to maintain device stability.

On A13, the extent of memory corruption requires a full SecureROM restart: researchers copy the ROM into SRAM, remap it via custom MMU translation tables, and hook ROM PTE generation to maintain address space consistency through the restart.
The custom handler supports two privileged operations: SoC demotion (temporarily lowering production mode) and unsigned iBoot booting (bypassing all signature verification on raw iBoot images), effectively nullifying Apple’s Secure Boot chain.
Affected Devices and Mitigations
Confirmed vulnerable SoCs include:
- Apple A12 (iPhone XS, XR, iPad Pro 2018)
- Apple S4/S5 (Apple Watch Series 4/5)
- Apple A13 (iPhone 11 series)
Because BootROM vulnerabilities reside in immutable silicon, no software or firmware update can remediate the issue. Migrating to A14 or later hardware remains the only effective mitigation. Researchers note that Apple’s Secure Enclave Processor (SEP) provides an additional security boundary, though usbliter8 opens broader vectors to attack the Secure Enclave indirectly.
Paradigm Shift coordinated disclosure with Apple Product Security prior to publication. The full proof-of-concept exploit is publicly available in their research repository.

