Cyberwire Daily

Unpatchable BootROM Flaw Impacts Apple A12, A13 Chips

By Team-CWD, June 22, 2026


Researchers have discovered a novel iPhone BootROM vulnerability that gives attackers with physical access a route to compromise the boot chain on Apple A12, S4/S5 and Apple A13 systems-on-chip (SoCs).

Paradigm Shift's new analysis describes how the bug, which the firm dubbed usbliter8, can be exploited by combining a hardware vulnerability in the USB controller with a firmware configuration flaw in SecureROM.

The finding matters because BootROM code is immutable after manufacture. Unlike recent Apple software flaws, this class of issue cannot be fully corrected through an operating system update.

Exploitation is not remote. The proof-of-concept (PoC) shared by Paradigm Shift requires Device Firmware Update (DFU) mode and RP2350-based microcontroller hardware, limiting broad abuse but increasing the risk for seized, stolen or unattended devices.


How the USB Bug Reaches SecureROM

Paradigm Shift traced the issue to how the Synopsys DesignWare USB controller stores setup data. The controller can hold three setup packets, then resets its direct memory access (DMA) pointer by a fixed amount when a fourth transaction arrives.

The controller also accepts undersized packets and stores them in 4-byte chunks. Because the pointer advances by less than the fixed amount it is later rewound by, it can move backward past the start of the buffer, yielding an underflow primitive that can overwrite static random-access memory (SRAM) used by SecureROM.

On Apple A12 and Apple A13 SecureROMs, the researchers said the Data Address Resolution Table (DART) configuration allowed this DMA behavior to break the application processor boot chain. A11 is not affected in the same way because its USB driver resets the DMA address after each packet.
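
The pointer arithmetic described above, as a simplified model added here for illustration (it is not Paradigm Shift's code or Apple's driver). The 8-byte setup size, the 24-byte rewind and all names are assumptions; the article gives only the three-packet capacity and the 4-byte chunking. The reset_each flag models the A11 behaviour of resetting the DMA address after each packet.

```c
#include <stdio.h>

/* Assumed values for illustration; the article does not give them. */
#define SETUP_SIZE 8                         /* nominal USB SETUP packet length */
#define MAX_SETUPS 3                         /* setup packets the controller holds */
#define REWIND     (SETUP_SIZE * MAX_SETUPS) /* fixed rewind on the fourth packet */
#define CHUNK      4                         /* storage granularity in bytes */

struct ep0_model {
    long dma;        /* DMA write offset; 0 = start of the setup buffer */
    int  held;       /* setup packets stored since the last rewind */
    int  reset_each; /* 1 = driver re-arms the DMA address after every packet */
};

/* Store one setup packet of `len` bytes; return the offset it was written at. */
static long receive_setup(struct ep0_model *m, int len)
{
    if (m->held == MAX_SETUPS) {   /* fourth transaction: rewind by a constant */
        m->dma -= REWIND;
        m->held = 0;
    }
    long at = m->dma;
    m->dma += (len + CHUNK - 1) / CHUNK * CHUNK; /* advance by bytes actually stored */
    m->held++;
    if (m->reset_each) {           /* A11-style driver behaviour */
        m->dma = 0;
        m->held = 0;
    }
    return at;
}

/* Lowest offset written across n packets; negative means below the buffer. */
long lowest_write(int n, int len, int reset_each)
{
    struct ep0_model m = { 0, 0, reset_each };
    long low = 0;
    for (int i = 0; i < n; i++) {
        long at = receive_setup(&m, len);
        if (at < low) low = at;
    }
    return low;
}

int main(void)
{
    printf("full-size packets:      %ld\n", lowest_write(12, 8, 0));
    printf("undersized packets:     %ld\n", lowest_write(12, 4, 0));
    printf("undersized, reset each: %ld\n", lowest_write(12, 4, 1));
    return 0;
}
```

In this model, full-size packets keep every write inside the buffer, undersized packets walk the write offset steadily below it, and re-arming the address per packet removes the drift entirely.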

Why the Impact Varies by Chip

The path to code execution differs by generation. On A12 and S4/S5, where SecureROM does not use Pointer Authentication, the exploit gains code execution by corrupting the link register on the stack. The researchers then used that access to patch the boot process and return to DFU mode with a custom USB request handler.

Apple A13 required a more complex route because Pointer Authentication protects stack-stored return addresses. Paradigm Shift said it bypassed that constraint through heap manipulation, task-state tampering and an interrupt handler overwrite.

The proof of concept currently supports:

  • Apple A12 devices using the targeted SecureROM path
  • Apple S4/S5 systems covered by the same exploit strategy
  • Apple A13 devices after Pointer Authentication bypass work
  • DFU mode features including demotion and raw iBoot booting

A14 and later chips appear to configure DART correctly in SecureROM, making the same route unexploitable. Paradigm Shift said usbliter8 does not directly compromise the Secure Enclave, but warned that BootROM-level control can open wider attack paths.

The firm said affected A12 and A13 devices will carry the issue for their lifetime, making migration to newer hardware the most effective mitigation.


