Apple A12 and A13 chips face a newly disclosed unpatchable BootROM vulnerability called usbliter8 that exploits a USB controller flaw to bypass Apple secure boot chain with no firmware fix possible on affected hardware.

Imagine that your old iPhone which still seems secure hiding a secret that even Apple itself cannot fix with software. This is not a story about a normal bug. This is a story about a vulnerability buried deep within the silicon that can directly compromise the hardware within the first second of boot. Security researchers have discovered a new hardware-level flaw called usbliter8 and this flaw directly targets Apple chain of trust.

iPhone BootROM Exploit Chain Explained

The issue begins with the Synopsys DWC2 USB controller which was installed in Apple A12 S4 S5 and A13 chips. When handling USB setup packets and this controller uses a ring buffer system in which three packets are stored in memory and then the DMA base address is reset to its starting position.

This is where a small but dangerous error occurs. The DOEPDMA register is incremented by a variable size every time data is written but it is always decremented by a fixed 24 bytes when reset. This difference gradually creates a buffer underflow that moves in 12 byte steps to a part of the memory where the attacker should not be working.

The real issue gets even more serious from here. In the A12 and A13 chips, the USB DART a type of address protection layer was left in bypass mode within SecureROM. This means that the IOMMU barrier that prevents DMA writes was not present there. Researchers suggest that this DART is correctly configured in the A14 and subsequent chips and making newer iPhones immune to this attack.

Exploitation on A12 and S4 S5 is relatively easy because the DMA buffer is located very close to the USB task stack. The attacker corrupts the saved Link Register gains control of the program counter, and then creates a short ROP chain to send DMA writes to the boot trampoline and after which their shellcode is executed via the SecureROM EL1 transition routine.

Apple has implemented Pointer Authentication (PAC) in the A13 chip which makes Direct Link Register corruption difficult. But researchers have developed a multi-step technique in which the DART heap metadata is overwritten by controlling and the panic counter overwritten with a special 0xF write to prevent reboot.

The most interesting thing is that only the IB key was enabled in the firmware due to which the PAC protection was bypassed through a gadget. After this entire process, the attacker achieves EL1 level code execution which is considered to be the worst security failure for any mobile chip.

Affected Apple Devices and Permanent Security Risk

The devices currently confirmed to be at risk include the iPhone XS iPhone XR 2018 iPad Pro, Apple Watch Series 4 and Series 5 and the iPhone 11 series. All of these run on the A12, S4, S5 or A13 chip. The real problem is that once the BootROM code is embedded in the chip, it can never be changed through a software update. This means that any device already at risk will always remain at risk.

Apple Secure Enclave processor still exists as a separate protection layer but researchers say that USBite8 can also be used to indirectly target the Secure Enclave. This practically means that even the screen lock or encryption on older iPhones may not be as secure as before.

Using a custom handler an attacker can perform SoC demotion and load unsigned iBoot images, which directly bypasses Apple entire secure boot system. This could be of greatest benefit to the jailbreaking community and forensic tools but it could also fall into the wrong hands.

Paradigm Shift researchers previously reported the issue to Apple Product Security via coordinated disclosure and the proof-of-concept exploit is now public in their research repository. However the issue is at the silicon level Apple has only one recourse. If someone is using an older affected device, the fastest and safest way is to migrate to A14 or later hardware.

This story is not just about a technical bug. Its a reminder that no chip is ever completely secure and that true power is always hidden in the layer we tend to hide the most from our sight.