Unpatchable ‘usbliter8’ Exploit Compromises Apple A12 and A13 SecureROM

Security researchers at Paradigm Shift have unveiled ‘usbliter8,’ an exploit that achieves arbitrary code execution inside the SecureROM of Apple’s A12 and A13 chips. SecureROM is burned into the silicon at manufacturing time and cannot be changed by a software update, so the flaw is permanent on every affected device.

The exploit requires physical access: the device must be placed in Device Firmware Update (DFU) mode and connected over USB to a dedicated RP2350-based microcontroller board. Under those conditions ‘usbliter8’ runs in under two seconds and takes control before Apple’s signed boot chain is loaded.

Affected Devices

The public proof of concept supports A12, A13, S4, and S5 System on Chips (SoCs). Devices utilizing these chips include:

  • iPhone XS, XS Max, XR
  • iPhone 11, 11 Pro, 11 Pro Max
  • iPhone SE (2nd generation)
  • iPad Air (3rd generation)
  • iPad mini (5th generation)
  • iPad (8th generation)
  • Apple Watch Series 4 and 5
  • Apple Watch SE (1st generation)
  • HomePod mini

Notably, A11 chips are unaffected, and A14 and later chips appear resistant to this exploit.

Technical Details

The vulnerability originates in the handling of USB SETUP packets by the Synopsys DWC2 USB controller. The controller writes incoming SETUP packets into a buffer via Direct Memory Access (DMA), buffering up to three packets; on receiving a fourth packet it rewinds its write pointer by decrementing it by 24 bytes. It also accepts SETUP packets shorter than the standard size and advances the pointer only by the number of bytes actually written. A standard SETUP packet is 8 bytes, so three full packets advance the pointer by exactly the 24 bytes the rewind subtracts; three shorter packets advance it by less, while the rewind still subtracts the full 24. The mismatch accumulates as a buffer underflow that walks the write pointer backward through memory, 12 bytes per cycle in the case described by the researchers.
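The pointer arithmetic above, as an added example that is not part of Paradigm Shift’s research nor any Apple or Synopsys code: a small C model of the DMA write pointer behaving the way the article describes it, with an A11-style “re-arm after every packet” mode for comparison. The three-packet buffering and the 24-byte rewind come from the article. The 512-byte arena standing in for SRAM, the position of the buffer inside it, the 4-byte packet length used to reproduce the 12-bytes-per-cycle drift, and the treatment of the A11 driver’s re-arm as resetting both the pointer and the slot count are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the DWC2 SETUP-packet DMA write pointer as the article
 * describes it. Illustration only: not controller, SecureROM or exploit code.
 * Memory layout and the A11 re-arm semantics below are assumptions. */

#define SETUP_PKT_LEN 8                              /* standard USB SETUP packet */
#define SETUP_SLOTS   3                              /* packets buffered before rewind */
#define REWIND_BYTES  (SETUP_SLOTS * SETUP_PKT_LEN)  /* 24-byte decrement on 4th packet */

#define ARENA_LEN     512                            /* assumed stand-in for SRAM */
#define BUF_OFFSET    256                            /* assumed: DMA buffer sits mid-arena */

typedef struct {
    uint8_t   arena[ARENA_LEN];  /* memory around the buffer, stands in for SRAM */
    ptrdiff_t wpos;              /* controller's write position, relative to arena start */
    unsigned  slot;              /* packets written since the last rewind */
    bool      reset_each_packet; /* A11-style driver: re-arm DMA address after every packet */
    size_t    bytes_below_buf;   /* bytes written below the buffer base (corruption) */
} dwc2_model;

void model_init(dwc2_model *m, bool reset_each_packet)
{
    memset(m, 0, sizeof *m);
    m->wpos = BUF_OFFSET;
    m->reset_each_packet = reset_each_packet;
}

/* Deliver one SETUP packet of `len` bytes (len <= 8; the controller accepts short
 * packets). Returns the offset from the buffer base at which it was written. */
ptrdiff_t model_deliver(dwc2_model *m, const uint8_t *pkt, size_t len)
{
    if (len > SETUP_PKT_LEN) len = SETUP_PKT_LEN;

    /* Fourth packet: rewind by a full 24 bytes regardless of how many bytes the
     * previous three packets actually carried. */
    if (m->slot == SETUP_SLOTS) {
        m->wpos -= REWIND_BYTES;
        m->slot = 0;
    }

    ptrdiff_t off = m->wpos - BUF_OFFSET;

    /* Only write while inside our arena; a real controller has no such check,
     * which is exactly the problem. */
    if (m->wpos >= 0 && m->wpos + (ptrdiff_t)len <= ARENA_LEN) {
        memcpy(m->arena + m->wpos, pkt, len);
        if (off < 0)
            m->bytes_below_buf += (size_t)(-off < (ptrdiff_t)len ? -off : (ptrdiff_t)len);
    }

    m->wpos += (ptrdiff_t)len;  /* advance by bytes actually written, not by 8 */
    m->slot++;

    if (m->reset_each_packet) { /* A11 driver behaviour: drift cannot accumulate */
        m->wpos = BUF_OFFSET;
        m->slot = 0;
    }
    return off;
}

/* Drive the model with `n` packets of `len` bytes; fills in the final state. */
static void run_model(dwc2_model *m, size_t len, unsigned n, bool reset, ptrdiff_t *lowest)
{
    /* Constructed filler with a GET_DESCRIPTOR-shaped prefix; content is irrelevant. */
    const uint8_t pkt[SETUP_PKT_LEN] = {0x80, 0x06, 0x00, 0x01, 0x00, 0x00, 0x40, 0x00};
    model_init(m, reset);
    *lowest = 0;
    for (unsigned i = 0; i < n; i++) {
        ptrdiff_t off = model_deliver(m, pkt, len);
        if (off < *lowest) *lowest = off;
    }
}

/* Lowest offset (relative to the buffer base) at which any packet landed. */
ptrdiff_t lowest_write_offset(size_t len, unsigned n, bool reset_each_packet)
{
    dwc2_model m; ptrdiff_t lowest;
    run_model(&m, len, n, reset_each_packet, &lowest);
    return lowest;
}

/* Total bytes written below the buffer base, i.e. into adjacent memory. */
size_t underflow_bytes(size_t len, unsigned n, bool reset_each_packet)
{
    dwc2_model m; ptrdiff_t lowest;
    run_model(&m, len, n, reset_each_packet, &lowest);
    return m.bytes_below_buf;
}

int main(void)
{
    printf("8-byte packets, no re-arm:     lowest offset after 12 packets = %ld\n",
           (long)lowest_write_offset(8, 12, false));
    printf("4-byte packets, no re-arm:     lowest offset after 12 packets = %ld\n",
           (long)lowest_write_offset(4, 12, false));
    printf("4-byte packets, A11-style re-arm: lowest offset after 12 packets = %ld\n",
           (long)lowest_write_offset(4, 12, true));
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run. With full 8-byte packets the pointer returns to the buffer base on every fourth packet; with 4-byte packets each three-packet cycle advances it 12 bytes and the rewind subtracts 24, so the write position drops 12 bytes per cycle and packets land progressively further below the buffer. With the pointer re-armed after every packet, as the article says A11 drivers do, no drift accumulates.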

Exploitation on A12 and A13 chips is possible because of how SecureROM configures the Device Address Resolution Table (DART), Apple’s Input-Output Memory Management Unit (IOMMU), for the USB controller. On these devices SecureROM leaves the USB DART in bypass mode, so the controller’s DMA writes are neither translated nor bounded, and the underflowing write pointer can overwrite arbitrary Static Random-Access Memory (SRAM).

A11 chips are unaffected because their USB driver re-arms the DMA address manually after every packet, so the mismatch never accumulates. A14 and later chips appear to configure DART correctly, which leaves the controller bug in place but makes it unexploitable on newer hardware.

Achieving Code Execution

On A12 chips, the DMA buffer sits on the heap adjacent to the USB task’s stack. Overwriting a saved link register in that stack gives the attacker control of the program counter at the next context switch.

Exploiting A13 chips is harder because Pointer Authentication (PAC) protects return addresses stored on the stack. Paradigm Shift worked around this in stages: corrupting DART-related heap structures to obtain limited write primitives, overwriting the panic depth counter so that faults produce error loops instead of reboots, and timing the DMA writes so they avoid the USB task’s saved registers. The final step overwrites the USB interrupt handler pointer in the Block Started by Symbol (BSS) segment, so the next USB interrupt executes attacker-supplied code. Both paths end with attacker code running at Exception Level 1 (EL1), the chip’s privileged mode, inside SecureROM.

Potential Impact

Post-exploitation, ‘usbliter8’ installs a custom USB request handler and changes the device’s USB serial string to mark it as compromised. From there an attacker can temporarily demote the SoC out of production mode or boot an unsigned iBoot image with signature checks skipped, bypassing Apple’s chain of trust for that boot.

The research does not demonstrate a compromise of the Secure Enclave, which Paradigm Shift notes is designed as a separate protection boundary isolated from the application processor. Arbitrary code execution inside SecureROM nonetheless remains a serious concern, since the application processor’s chain of trust is rooted there.

The discovery of ‘usbliter8’ underscores the persistent challenges of hardware security. Unlike software vulnerabilities, flaws fixed in silicon at manufacturing time are often unpatchable, leaving devices permanently exposed, and this exploit highlights the importance of rigorous hardware design and testing. Users of affected devices should keep in mind that the exploit requires physical access to a device in DFU mode and take appropriate measures to prevent unauthorized physical access.