New iPhone BootROM Vulnerability Exposes Apple SoCs to Full Chain-of-Trust Compromise
A hardware-level BootROM vulnerability in Apple A12, S4/S5, and A13 SoCs allows attackers to achieve full boot-chain compromise, bypassing all signature verification and Secure Boot protections.

Researchers from Paradigm Shift have disclosed a critical BootROM vulnerability, dubbed usbliter8, that affects Apple devices powered by A12, S4/S5, and A13 SoCs. The flaw resides in the Synopsys DWC2 USB controller and, when combined with a misconfigured DART (Device Address Resolution Table, Apple's IOMMU) in SecureROM (Apple's name for the BootROM), enables full application processor boot-chain compromise. Exploitation goes through the BootROM's USB stack, so it requires a USB connection to the device while SecureROM is handling USB traffic. Because BootROM code is immutable in silicon, no software or firmware patch can remediate the issue; only migrating to A14 or later hardware mitigates the flaw.
The vulnerability originates in how the DWC2 USB controller's DMA engine handles consecutive USB Setup packets. The controller writes up to three packets into a buffer before resetting the DMA address (held in the DOEPDMA register) to the start of that buffer, so the buffer behaves like a ring. After each write the controller advances DOEPDMA by the number of bytes written, but the reset always subtracts a fixed 24 bytes, the size of three full 8-byte Setup packets. The controller also accepts shorter packets, which it stores in 4-byte chunks, and that is where the arithmetic breaks: three 4-byte packets advance the pointer by only 12 bytes, while the reset still rewinds it by 24, leaving DOEPDMA 12 bytes below the buffer base. Every further cycle repeats the mismatch between the variable increment and the fixed decrement, giving a buffer underflow primitive that walks backwards through memory in 12-byte steps and lets the attacker place controlled writes outside the intended buffer.
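As an added illustration (not the researchers' proof of concept and not Synopsys or Apple firmware), the following C model reproduces the pointer arithmetic described above. It assumes, as the article describes, a ring that holds three 8-byte Setup packets (24 bytes), a pointer that advances by the 4-byte-rounded size of each packet, and a fixed 24-byte rewind after every third packet. DOEPDMA is modelled as a signed offset from the buffer base so that an underflow shows up as a negative number rather than as undefined pointer arithmetic, and the packet bytes are constructed sample data. Nothing here touches hardware; the struct and function names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SETUP_PKT_LEN 8                               /* a full USB SETUP packet */
#define PKTS_PER_RING 3                               /* packets stored before the rewind */
#define RING_BYTES    (SETUP_PKT_LEN * PKTS_PER_RING) /* 24: the fixed decrement */
#define CHUNK         4                               /* short packets are stored in 4-byte chunks */

/* Hypothetical model state (example's own naming, not the controller's registers). */
struct dwc2_model {
    uint8_t  ring[RING_BYTES];   /* the DMA buffer the USB task allocated */
    long     doepdma;            /* DOEPDMA as a byte offset from ring[0]; negative = below the buffer */
    unsigned pkts_since_rewind;  /* packets written since the last fixed rewind */
    long     lowest_write;       /* lowest offset any packet landed at */
};

void model_init(struct dwc2_model *m)
{
    memset(m, 0, sizeof *m);
}

/* Deliver one Setup-stage packet of `len` bytes. Returns the offset it was written to. */
long model_recv(struct dwc2_model *m, const uint8_t *pkt, size_t len)
{
    long   off    = m->doepdma;
    size_t stored = (len + CHUNK - 1) / CHUNK * CHUNK;   /* round up to a 4-byte chunk */

    /* The real DMA engine performs no bounds check. The model copies only when the
     * target lies inside the buffer and records the offset in every case. */
    if (off >= 0 && (size_t)off + stored <= RING_BYTES)
        memcpy(&m->ring[off], pkt, len);
    if (off < m->lowest_write)
        m->lowest_write = off;

    m->doepdma += (long)stored;                 /* variable increment: bytes actually stored */
    if (++m->pkts_since_rewind == PKTS_PER_RING) {
        m->pkts_since_rewind = 0;
        m->doepdma -= RING_BYTES;               /* fixed decrement: always 24 bytes */
    }
    return off;
}

/* Feed `count` packets of `len` bytes (len <= 8) into a fresh model.
 * Leaves the final state in *out and returns the final DOEPDMA offset. */
long run_model(size_t len, unsigned count, struct dwc2_model *out)
{
    /* Constructed sample: a GET_DESCRIPTOR(device) Setup packet; only the first `len` bytes are sent. */
    const uint8_t pkt[SETUP_PKT_LEN] = {0x80, 0x06, 0x00, 0x01, 0x00, 0x00, 0x40, 0x00};
    model_init(out);
    for (unsigned i = 0; i < count; i++)
        model_recv(out, pkt, len);
    return out->doepdma;
}

/* DOEPDMA after `cycles` rounds of three 4-byte packets: each round nets -12 bytes. */
long underflow_after_cycles(unsigned cycles)
{
    struct dwc2_model m;
    return run_model(CHUNK, cycles * PKTS_PER_RING, &m);
}

int main(void)
{
    struct dwc2_model m;
    const uint8_t pkt[SETUP_PKT_LEN] = {0x80, 0x06, 0x00, 0x01, 0x00, 0x00, 0x40, 0x00};

    model_init(&m);
    printf("full 8-byte packets (pointer stays inside the 24-byte ring):\n");
    for (int i = 0; i < 6; i++) {
        long off = model_recv(&m, pkt, SETUP_PKT_LEN);
        printf("  write at %+ld, DOEPDMA now %+ld\n", off, m.doepdma);
    }

    model_init(&m);
    printf("short 4-byte packets (pointer drops 12 bytes per three packets):\n");
    for (int i = 0; i < 9; i++) {
        long off = model_recv(&m, pkt, CHUNK);
        printf("  write at %+ld, DOEPDMA now %+ld\n", off, m.doepdma);
    }
    return 0;
}
```

Running the model shows the two regimes side by side: with full-size packets the pointer returns to offset 0 after every third packet, while with 4-byte packets the third packet of each round leaves DOEPDMA 12 bytes lower than the round before, so the next three writes land at negative offsets, which in the real controller means below the DMA buffer on the heap.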
On A12 and S4/S5, exploitation is relatively straightforward. The DMA buffer sits on the heap adjacent to the USB task's stack, so the underflowing writes reach a saved Link Register (LR) on that stack; when the scheduler next switches context the corrupted LR is restored and the attacker gains PC control. A compact ROP chain then redirects DMA writes into the boot trampoline, a region that is normally not writable from EL0, before jumping into SecureROM's EL1 transition routine so that attacker shellcode executes with full privileges. A13 introduces Pointer Authentication (PAC), which complicates direct LR corruption because a forged return address fails authentication. The researchers instead developed a multi-step technique: controlled overwrites of DART heap metadata, neutralizing the heap checksum protections, and suppressing reboot-on-panic by overwriting a global panic counter via a 0xF write primitive. Execution is ultimately rerouted through a gadget that loads a function pointer from attacker-controlled memory, which bypasses PAC because only the IB key is enabled in the firmware, an oversight that proves fatal.
With EL1 code execution achieved, the exploit injects a custom USB request handler into unused boot trampoline space, patches the USB serial number string to include the "PWND" identifier, and restores the corrupted heap allocations to keep the device stable. On A13, the extent of memory corruption requires a full SecureROM restart: the researchers copy the ROM into SRAM, remap it via custom MMU translation tables, and hook the ROM's page-table-entry (PTE) generation so that the address space stays consistent across the restart. The custom handler supports two privileged operations: SoC demotion (temporarily lowering production mode) and unsigned iBoot booting (bypassing all signature verification on raw iBoot images), which together nullify Apple's Secure Boot chain on the affected SoCs.
Confirmed vulnerable SoCs: Apple A12 (iPhone XS, XR, iPad Pro 2018), Apple S4/S5 (Apple Watch Series 4/5), and Apple A13 (iPhone 11 series). Because the flaw lives in immutable BootROM silicon, no software or firmware update can fix it, and moving to A14 or later hardware remains the only effective mitigation. The researchers note that Apple's Secure Enclave Processor (SEP) is a separate security boundary that usbliter8 does not breach directly, though compromising the application processor's boot chain opens broader vectors for attacking the Secure Enclave indirectly.
Paradigm Shift coordinated disclosure with Apple Product Security prior to publication. The full proof-of-concept exploit is publicly available in their research repository. This discovery underscores the growing challenge of securing hardware-level trust chains, where a single silicon flaw can render even the most sophisticated software defenses powerless.