June 18, 2026
Unpatchable BootROM Exploit 'usbliter8' Released for iPhone XS Through iPhone 11

Security research firm Paradigm Shift has disclosed an unpatchable BootROM vulnerability affecting Apple's A12 and A13 devices. The team released a working proof-of-concept exploit called "usbliter8." Because the vulnerability resides in immutable BootROM code burned into the chip during manufacturing, Apple cannot fully eliminate the flaw through a software update. Affected devices include the iPhone XS, XS Max, XR, second-generation iPhone SE, and the entire iPhone 11 lineup.

The discovery marks the first publicly documented BootROM flaw since 2019's "checkm8," which targeted iPhones up to the iPhone X. Paradigm Shift detailed the exploit in a technical write-up and also released the full proof-of-concept. The attack requires physical USB access to a device placed into Device Firmware Update (DFU) mode and is not a remote vulnerability.

The root cause lies in the Synopsys DWC2 USB controller integrated into Apple's SoCs. During startup, the controller stores up to three USB setup packets in a memory buffer. Researchers can send a carefully crafted sequence of unusually small packets to manipulate the controller's internal address pointer, walking backward through memory and writing data into protected regions that are normally off-limits. Paradigm Shift believes this is a hardware bug in the USB controller itself, not a firmware mistake by Apple.

The A11 chip manually resets the pointer after every packet, and A14 or newer chips correctly enable DART, a memory-protection feature, at the BootROM level. The A12 and A13 sit in a vulnerable middle ground. That means the attack works on the iPhone XS, XS Max, XR, iPhone 11, 11 Pro, 11 Pro Max, the second-generation iPhone SE, and several A12- and A13-powered iPads.

On A12 devices, gaining code execution is relatively straightforward: an attacker overwrites a saved return address on the stack and hijacks program flow. Apple's Pointer Authentication Codes (PAC) complicate the attack on A13 by signing stack-stored return addresses. Paradigm Shift had to develop a multi-step technique that manipulates heap metadata, overwrites a panic counter to prevent a reboot, times DMA writes to preserve the USB task's context, and finally overwrites the global interrupt handler pointer to seize control.

Once the exploit gains control, it patches DFU mode to add a custom USB request handler that remains active until the device is rebooted. The handler can temporarily lower the device's production security mode and boot unsigned iBoot images without signature verification, effectively bypassing Apple's normal boot-chain checks. It also injects the traditional "PWND" string into the USB serial number, a convention carried over from earlier BootROM exploits. The researchers describe the result as a compromise of the application processor's boot chain, allowing unsigned boot components to be loaded on affected devices. While usbliter8 does not directly compromise the Secure Enclave, the researchers note that BootROM access can provide additional avenues for security research targeting SEP.
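The two device-facing facts the article gives a defender are the affected SoC families (A12 and A13) and the "PWND" marker the exploit writes into the DFU USB serial number. The following is an added example, not code from Paradigm Shift or from this article, that turns those facts into a fleet-triage check: it parses a DFU serial string, maps the chip ID to a SoC family, and reports whether the device is exposed at the BootROM level and whether the current DFU session already carries the exploit marker. The KEY:VALUE serial layout, the CPID-to-SoC mapping (0x8020 for A12, 0x8030 for A13, taken from public DFU tooling conventions rather than from the page), and the sample serial strings are assumptions and constructed inputs.

```python
"""Defender-side DFU serial triage for the usbliter8 advisory.

Added example, not code from the article or the researchers.
Assumptions not stated on the page:
  * A DFU-mode serial string is a space-separated list of KEY:VALUE
    fields, with some values wrapped in square brackets.
  * CPID 0x8020 = A12, 0x8030 = A13, 0x8015 = A11, 0x8101 = A14
    (public chip-ID values used by DFU tooling).
  * The sample serial strings below are constructed for illustration;
    ECID and SRTG values are placeholders.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Chip ID -> SoC family (assumed from public DFU tooling conventions).
CPID_TO_SOC = {
    0x8015: "A11",
    0x8020: "A12",
    0x8030: "A13",
    0x8101: "A14",
}

# Families the article names as vulnerable at the BootROM level.
AFFECTED_SOCS = {"A12", "A13"}

# Matches KEY:VALUE where VALUE is either [bracketed] or a bare token.
_FIELD_RE = re.compile(r"([A-Z]+):(\[[^\]]*\]|\S+)")

# Constructed sample serials (not real devices).
SAMPLE_SERIALS = {
    "clean_a12": "CPID:8020 BDID:0C ECID:000000000000000 SRTG:[iBoot-PLACEHOLDER]",
    "pwned_a13": "CPID:8030 BDID:06 ECID:000000000000000 SRTG:[iBoot-PLACEHOLDER] PWND:[usbliter8]",
    "a14": "CPID:8101 BDID:04 ECID:000000000000000 SRTG:[iBoot-PLACEHOLDER]",
}


@dataclass
class DfuAssessment:
    cpid: Optional[int]       # parsed chip ID, None if absent or malformed
    soc: str                  # SoC family name or "unknown"
    affected: bool            # True if the family is A12/A13 per the advisory
    pwned: bool               # True if a PWND marker is present
    pwnd_tag: Optional[str]   # contents of the PWND field without brackets


def parse_dfu_serial(serial: str) -> Dict[str, str]:
    """Split a DFU serial string into a KEY -> raw VALUE dictionary."""
    return {key: value for key, value in _FIELD_RE.findall(serial)}


def assess_dfu_serial(serial: str) -> DfuAssessment:
    """Classify one DFU serial string against the advisory's affected set."""
    fields = parse_dfu_serial(serial)
    cpid_raw = fields.get("CPID")
    cpid = None
    if cpid_raw and re.fullmatch(r"[0-9A-Fa-f]+", cpid_raw):
        cpid = int(cpid_raw, 16)
    soc = CPID_TO_SOC.get(cpid, "unknown") if cpid is not None else "unknown"
    pwnd = fields.get("PWND")
    return DfuAssessment(
        cpid=cpid,
        soc=soc,
        affected=soc in AFFECTED_SOCS,
        pwned=pwnd is not None,
        pwnd_tag=pwnd.strip("[]") if pwnd else None,
    )


def triage(serial: str) -> str:
    """Human-readable one-line verdict for an inventory report."""
    a = assess_dfu_serial(serial)
    if a.cpid is None:
        return "unrecognised serial: no CPID field"
    parts = [f"SoC {a.soc} (CPID 0x{a.cpid:04x})"]
    if a.affected:
        # Per the advisory the flaw is in immutable BootROM code, so a
        # software update cannot remove the exposure on these families.
        parts.append("BootROM-level exposure: yes (not fixable by software update)")
    else:
        parts.append("BootROM-level exposure: no per advisory")
    if a.pwned:
        # The article states the patched DFU handler persists only until reboot.
        parts.append(f"DFU session already patched (tag '{a.pwnd_tag}'); cleared by reboot")
    else:
        parts.append("no PWND marker: DFU handler not patched in this session")
    return "; ".join(parts)


if __name__ == "__main__":
    for name, serial in SAMPLE_SERIALS.items():
        print(f"{name}: {triage(serial)}")
```

The check is inventory-only: it tells an operator which devices in a fleet can never be fully remediated by an update and which ones are currently sitting in a DFU session that the exploit has already patched, which, per the article, is reversed by a reboot.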

Although usbliter8 demonstrates low-level control over affected devices, Paradigm Shift has released it as a proof-of-concept exploit rather than a jailbreak. Historically, BootROM vulnerabilities such as checkm8 have served as the foundation for jailbreak development and security research, though Paradigm Shift has not released a jailbreak based on usbliter8.

Paradigm Shift reported its findings to Apple Product Security before publication and coordinated disclosure with the company. Because the vulnerability is rooted in hardware, affected A12 and A13 devices will remain vulnerable at the BootROM level for their entire lifespan. The researchers say newer hardware remains the most effective mitigation.
