New iPhone BootROM Vulnerability Exposes Apple SoCs to Full Chain-of-Trust Compromise

A newly disclosed BootROM vulnerability, named ‘usbliter8’, affects Apple devices built on the A12, S4/S5 and A13 system-on-chips (SoCs). It chains a hardware flaw in the Synopsys DWC2 USB controller with a firmware configuration error, letting an attacker fully compromise the application processor’s boot chain. Because BootROM code is burned into mask ROM and cannot be changed after manufacture, the vulnerability cannot be fixed with a software update.

Technical Details of the Vulnerability

Researchers at Paradigm Shift traced the root cause of ‘usbliter8’ to the way the DWC2 controller handles consecutive USB Setup packets. The controller DMA-writes up to three Setup packets into a small buffer before resetting its DMA write pointer, held in the ‘DOEPDMA’ register, back to the start, so the buffer behaves as a ring.

The flaw is in the arithmetic of that wrap. After every write the controller advances ‘DOEPDMA’ by the number of bytes it has just written, but the reset does not restore the programmed base address; it unconditionally subtracts a fixed 24 bytes (three 8-byte Setup packets). Whenever fewer than 24 bytes have actually been written when the reset fires, the pointer lands below the start of the buffer, and the researchers report that it walks backward in 12-byte steps. Each further cycle therefore delivers attacker-controlled DMA writes deeper into whatever memory lies below the intended buffer.
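To make the pointer arithmetic concrete, here is a small C model of the behaviour described above. It is an added illustration written for this article, not code from Paradigm Shift or from the DWC2 controller, and it models only the two operations the article describes: advance the pointer by the bytes written, then wrap by a constant. The write sizes fed to it are constructed inputs; the article does not say which transfer pattern produces the reported mismatch, so the 12-byte cycle below is an assumption chosen to reproduce the 12-byte step the researchers report. A hardened wrap that restores the programmed base address is shown alongside the flawed one.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SETUP_PKT_LEN    8u                                /* a USB Setup packet is always 8 bytes */
#define SETUP_RING_PKTS  3u                                /* DWC2 buffers up to three of them */
#define SETUP_RING_LEN   (SETUP_PKT_LEN * SETUP_RING_PKTS) /* the fixed 24-byte wrap */

struct ep0_dma {
    uint32_t base;    /* address software programmed into DOEPDMA */
    uint32_t doepdma; /* live DOEPDMA value after the controller's updates */
};

/* The controller advances the pointer by however many bytes it just wrote. */
static void dma_write(struct ep0_dma *ep, uint32_t nbytes)
{
    ep->doepdma += nbytes;
}

/* Flawed wrap as described in the article: subtract a constant 24, never consult base. */
static void wrap_buggy(struct ep0_dma *ep)
{
    ep->doepdma -= SETUP_RING_LEN;
}

/* Hardened wrap: restore the programmed base, so the pointer can never end up
 * below the buffer regardless of how many bytes were written before the wrap. */
static void wrap_fixed(struct ep0_dma *ep)
{
    ep->doepdma = ep->base;
}

/* Drive `cycles` wrap cycles, each preceded by the writes in sizes[0..n).
 * Returns the signed offset of DOEPDMA from base after the last wrap; a
 * negative result means the next Setup packet is DMA'd below the buffer. */
int64_t doepdma_drift(const uint32_t *sizes, size_t n, unsigned cycles, int hardened)
{
    struct ep0_dma ep = { .base = 0x00180000u, .doepdma = 0x00180000u }; /* constructed base address */
    for (unsigned c = 0; c < cycles; c++) {
        for (size_t i = 0; i < n; i++)
            dma_write(&ep, sizes[i]);
        if (hardened) wrap_fixed(&ep); else wrap_buggy(&ep);
    }
    return (int64_t)ep.doepdma - (int64_t)ep.base;
}

/* Number of wrap cycles until the write pointer has descended at least
 * `target_below` bytes under the buffer; 0 if the pointer never descends. */
unsigned cycles_to_reach(int64_t per_cycle_drift, uint32_t target_below)
{
    if (per_cycle_drift >= 0) return 0;
    uint64_t step = (uint64_t)(-per_cycle_drift);
    return (unsigned)((target_below + step - 1) / step);
}

/* Constructed inputs (not captured from hardware). */
const uint32_t three_setup_packets[3] = { 8, 8, 8 }; /* the intended 3 x 8 = 24-byte cycle */
const uint32_t short_cycle[1]          = { 12 };      /* assumed: only 12 bytes written before the wrap fires */

int main(void)
{
    printf("normal cycle, buggy wrap:      %lld\n", (long long)doepdma_drift(three_setup_packets, 3, 1, 0));
    for (unsigned c = 1; c <= 4; c++)
        printf("short cycle x%u, buggy wrap:    %lld\n", c, (long long)doepdma_drift(short_cycle, 1, c, 0));
    printf("short cycle x4, hardened wrap: %lld\n", (long long)doepdma_drift(short_cycle, 1, 4, 1));
    printf("cycles to descend 96 bytes:    %u\n", cycles_to_reach(doepdma_drift(short_cycle, 1, 1, 0), 96));
    return 0;
}
```

With the intended three 8-byte packets the two wrap strategies are indistinguishable, which is why the defect survives normal traffic; only a cycle that writes less than 24 bytes separates them, and under the flawed wrap every such cycle moves the next DMA landing point another fixed step below the buffer.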

On A12 and A13 SoCs, the Device Address Resolution Table (DART) in front of the USB controller, Apple’s IOMMU, is left in bypass mode by SecureROM. With no IOMMU translation or bounds enforced, the mis-pointed DMA can overwrite arbitrary Static Random-Access Memory (SRAM) contents. On A14 and later the DART is configured correctly, so the out-of-bounds DMA cannot reach arbitrary memory and the bug is not exploitable on that hardware.

Exploitation Techniques: A12 vs. A13

Exploitation differs between the A12-generation parts (A12, S4/S5) and the A13:

  • A12 and S4/S5 SoCs: The DMA buffer sits on the heap adjacent to the USB task’s stack, so the backward-walking writes reach a saved Link Register (LR). Corrupting it yields Program Counter (PC) control the next time the scheduler switches back into the task. A compact Return-Oriented Programming (ROP) chain then re-targets the DMA engine at the boot trampoline, a region that is non-writable from Exception Level 0 (EL0) but which DMA reaches anyway because, with the DART bypassed, DMA writes are not subject to CPU page permissions. The attacker’s shellcode is planted there and runs with full privileges.
  • A13 SoCs: Pointer Authentication (PAC) protects the saved LR, so direct LR corruption no longer works. The researchers instead built a multi-step technique: controlled overwrites of DART heap metadata, neutralizing the heap’s checksum protection, and suppressing reboot-on-panic by overwriting a global panic counter so that a panic triggered along the way does not reset the device. Execution is finally redirected through a gadget that loads a function pointer from attacker-controlled memory and branches to it. This defeats PAC because of a firmware oversight: only the IB key (instruction key B) is enabled, and on ARMv8.3 an authentication instruction whose key is disabled leaves the pointer untouched, so authentication under the other three keys is a no-op.

Once it has Exception Level 1 (EL1) code execution, the exploit installs a custom USB request handler in unused space in the boot trampoline, patches the USB serial-number string to carry the “PWND” marker that advertises the compromised state to the host, and repairs the heap allocations it corrupted along the way so that the device remains stable.
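The PAC oversight is something a firmware reviewer can check mechanically: on ARMv8.3-A the four PAC keys are enabled individually through bits of SCTLR_EL1, and a PACxx/AUTxx instruction whose key is disabled leaves the pointer unchanged. The following C helper, added here as an illustration and not taken from the article or from Apple firmware, decodes a captured SCTLR_EL1 value and reports which keys are live. The two register values it is fed are constructed; the one with only EnIB set mirrors the configuration the article describes, and the non-key bits in both are arbitrary.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* SCTLR_EL1 PAuth key-enable bits (ARMv8.3-A). If a bit is clear, the
 * PACxx/AUTxx instructions for that key leave the pointer unmodified, so a
 * pointer signed with that key is never actually authenticated. */
#define SCTLR_EnIA (1ull << 31) /* instruction key A */
#define SCTLR_EnIB (1ull << 30) /* instruction key B */
#define SCTLR_EnDA (1ull << 27) /* data key A */
#define SCTLR_EnDB (1ull << 13) /* data key B */
#define SCTLR_PAC_KEYS (SCTLR_EnIA | SCTLR_EnIB | SCTLR_EnDA | SCTLR_EnDB)

/* Mask of keys that are enabled. */
uint64_t pac_enabled_keys(uint64_t sctlr_el1) { return sctlr_el1 & SCTLR_PAC_KEYS; }

/* Mask of keys that are disabled, i.e. whose authentication is a no-op. */
uint64_t pac_disabled_keys(uint64_t sctlr_el1) { return SCTLR_PAC_KEYS & ~sctlr_el1; }

/* The specific misconfiguration described above: IB on, every other key off. */
int pac_only_ib_enabled(uint64_t sctlr_el1) { return pac_enabled_keys(sctlr_el1) == SCTLR_EnIB; }

/* Number of the four keys that are disabled. */
int pac_disabled_count(uint64_t sctlr_el1)
{
    uint64_t m = pac_disabled_keys(sctlr_el1);
    int n = 0;
    while (m) { n += (int)(m & 1); m >>= 1; }
    return n;
}

/* Write a one-line audit of the four keys into buf (truncating if needed). */
void pac_audit(uint64_t sctlr_el1, char *buf, size_t buflen)
{
    static const struct { uint64_t bit; const char *name; } keys[] = {
        { SCTLR_EnIA, "IA" }, { SCTLR_EnIB, "IB" }, { SCTLR_EnDA, "DA" }, { SCTLR_EnDB, "DB" },
    };
    size_t off = (size_t)snprintf(buf, buflen, "SCTLR_EL1=0x%016llx:", (unsigned long long)sctlr_el1);
    for (size_t i = 0; i < 4 && off < buflen; i++)
        off += (size_t)snprintf(buf + off, buflen - off, " %s=%s",
                                keys[i].name, (sctlr_el1 & keys[i].bit) ? "on" : "OFF");
}

/* Constructed register values (not dumps from real firmware); 0x30d00800 is
 * just a plausible set of non-PAC bits so the keys stand out. */
const uint64_t SCTLR_ONLY_IB  = 0x30d00800ull | SCTLR_EnIB;     /* the oversight described above */
const uint64_t SCTLR_ALL_KEYS = 0x30d00800ull | SCTLR_PAC_KEYS; /* what a complete configuration looks like */

int main(void)
{
    char line[128];
    pac_audit(SCTLR_ONLY_IB, line, sizeof line);
    printf("%s  (%d keys disabled, only-IB=%d)\n", line, pac_disabled_count(SCTLR_ONLY_IB), pac_only_ib_enabled(SCTLR_ONLY_IB));
    pac_audit(SCTLR_ALL_KEYS, line, sizeof line);
    printf("%s  (%d keys disabled, only-IB=%d)\n", line, pac_disabled_count(SCTLR_ALL_KEYS), pac_only_ib_enabled(SCTLR_ALL_KEYS));
    return 0;
}
```

The practical use of such a check is during firmware review: a build that signs return addresses with IB but leaves IA, DA and DB disabled will pass a superficial "PAC is on" test while every pointer signed under the other keys is accepted unverified, which is exactly the gap the A13 technique exploits.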

Implications and Mitigation

The ‘usbliter8’ vulnerability lets an attacker bypass the entire Secure Boot chain on devices built around the A12, S4/S5 and A13 SoCs; A14 and later are not affected because their DART is correctly configured. Because the flawed code is in mask ROM, no software update can remove it. Two properties bound the practical exposure. First, the vulnerable USB stack is only reachable over a physical USB connection while the device is executing BootROM code, that is, in DFU mode; a phone that is running iOS and is plugged into an untrusted host or charger does not expose this code path. Second, since the ROM itself is never modified, nothing the attacker gains survives a reboot, and the exploit must be rerun from DFU each time. The realistic threat is therefore an attacker who has the device in hand. Users of affected devices should treat unattended physical access as a potential compromise of the boot chain and watch for Apple advisories on mitigations or device replacement.

This discovery underscores the critical importance of rigorous hardware and firmware security practices. As attackers increasingly target low-level system components, manufacturers must prioritize comprehensive security measures throughout the entire hardware and software stack to safeguard user devices against such sophisticated exploits.