Paradigm Shift, a security research group, has published working proof-of-concept code for the usbliter8 exploit, which achieves arbitrary code execution inside Apple’s SecureROM on A12 and A13 chips. The code is burned into silicon at manufacture. No software update can reach it. Affected devices will carry this vulnerability as long as they stay in service.
SecureROM is the first code a device runs at power-on. It verifies the chain of trust that leads to iOS loading. Compromise it, and an attacker can run unsigned code before iOS loads. Apple’s signature checks are bypassed, and that access persists through reboots and full restores. The usbliter8 exploit achieves exactly that on a broad range of iPhone, iPad and Apple Watch hardware still in active use.
Root Cause: A DWC2 USB Controller DMA Underflow
The flaw sits in the Synopsys DWC2 USB controller, a widely deployed component in embedded and mobile silicon. When a device enters DFU (Device Firmware Update) mode, the controller buffers incoming USB Setup packets in a DMA region. The bug is in how it manages that buffer.
The controller increments its DOEPDMA register dynamically based on incoming packet size. After four packets, it resets the buffer by decrementing the base address by a fixed 24 bytes. The decrement ignores how much data was actually written. Smaller packets, stored as four-byte chunks, trigger a 12-byte-step underflow. An attacker who controls packet timing can push DMA writes into adjacent SRAM.
On A12 and A13 silicon, Apple’s DART (Device Address Resolution Table) runs in bypass mode during SecureROM execution. No IOMMU stands between those DMA writes and physical memory. Apple corrected this on A14 and later. A11 and earlier chips handle pointer resets differently and avoid the underflow entirely.
Two Chips, Two Exploitation Paths
On A12 devices, the DMA buffer sits adjacent to the USB task’s stack. Overflowing into that region overwrites a saved link register. The next context switch passes program counter control to the attacker. A compact ROP chain then redirects execution to privileged boot trampoline code.
A13 is more complex. Apple added Pointer Authentication (PAC) to A13’s SecureROM, protecting stack return addresses against direct overwrites. Paradigm Shift’s technical write-up outlines the multi-stage bypass: first corrupt DART metadata on the heap before the DMA buffer, then weaponise cleanup routines as additional write primitives. Triggering panics with interrupts enabled exposes global IRQ handler pointers in the BSS section, which the exploit overwrites to seize execution.
A compiler quirk in A13’s SecureROM assists the attacker: the address validation check uses different registers than intended, leaving a bypass open. The exploit then copies SecureROM to high SRAM and remaps the MMU accordingly. This lets the code patch ROM content while keeping PC-relative addressing intact.
Affected Devices
The exploit covers every device whose SecureROM runs on A12, S4, S5 or A13 silicon. That list includes:
- A12: iPhone XR, iPhone XS and XS Max, iPad Air (3rd gen), iPad mini (5th gen), iPad (8th gen), Apple TV 4K (2nd gen)
- S4/S5: Apple Watch Series 4 and 5, Apple Watch SE (1st gen), HomePod mini
- A13: iPhone 11, 11 Pro and 11 Pro Max, iPhone SE (2nd gen), iPad (9th gen), Studio Display
A12X and A12Z devices, including iPad Pro models from 2018 and 2019, share the same core silicon. The exploit has not yet been implemented for them, but Paradigm Shift considers them theoretically reachable. A14 and later are not affected.
Capabilities and Limits
After gaining EL1 privilege, an attacker can boot unsigned iBoot images, demote production mode, and inject custom USB handlers. Like checkm8, which covered A11 and earlier chips, usbliter8 marks the device with a “PWND” USB serial number.
The Secure Enclave Processor is not directly compromised. Passcodes and encrypted user data remain protected. Paradigm Shift flags that compromising application processor trust opens broader attack paths toward the SEP, even without a direct breach.
Physical access is required throughout. The attack needs the device in DFU mode and a connection to an RP2350-based microcontroller. Execution completes in under two seconds. There is no remote exploitation path.
Disclosure and What Comes Next
Paradigm Shift coordinated with Apple Product Security before releasing the proof-of-concept. Apple’s team engaged throughout disclosure. No CVE has been assigned as of 19 June 2026, and no Apple advisory exists. The flaw is in silicon and cannot be patched through software.
Hardware replacement is the only fix. Security teams with A12 or A13 devices in high-trust environments should audit their inventory and prioritise replacement with A14 or newer. Physical access controls carry most of the weight here. Limit who can put a device into DFU mode, monitor USB connections, and treat unattended affected hardware as a potential vector.
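One concrete form the "monitor USB connections" advice can take is an inventory-side check that looks at every Apple device a managed host sees in DFU mode and reads its USB serial string, since the article notes usbliter8, like checkm8, leaves a "PWND" marker there. The script below is an added example, not Paradigm Shift's code or anything from the proof-of-concept. It assumes an agent can collect each USB device's vendor id, product id and serial (on Linux these are the idVendor, idProduct and serial files under /sys/bus/usb/devices); the sample records are constructed, the checkm8-style KEY:value serial layout is an assumption rather than a format the article gives, and the CPID-to-chip mapping uses public chip ids (8020 for A12, 8030 for A13) that the article does not list.

```python
"""Flag Apple devices in DFU mode whose USB serial carries a PWND marker.

Added example, not Paradigm Shift's code. Assumes an inventory agent can
read vendor id, product id and serial string for each USB device (Linux:
/sys/bus/usb/devices/*/idVendor, idProduct, serial). The sample records are
constructed; the serial layout mimics the checkm8-style pwned-DFU string and
is an assumption, not a format taken from the article.
"""
import re

APPLE_VENDOR_ID = 0x05AC
DFU_PRODUCT_ID = 0x1227      # Apple Mobile Device (DFU Mode)

# Assumption: public CPID values for the two SecureROM generations the
# article names. Anything else is reported as "unknown".
CPID_TO_CHIP = {"8020": "A12", "8030": "A13"}
AFFECTED_CHIPS = {"A12", "A13"}

# Constructed sample inventory records, not real bus captures.
SAMPLE_USB_DEVICES = [
    {"host": "lab-01", "vendor": 0x05AC, "product": 0x1227,
     "serial": "CPID:8020 CPRV:11 CPFM:03 SCEP:01 BDID:0E "
               "ECID:00000000EXAMPLE1 IBFL:3C SRTG:[iBoot-EXAMPLE] "
               "PWND:[usbliter8]"},
    {"host": "lab-02", "vendor": 0x05AC, "product": 0x1227,
     "serial": "CPID:8030 CPRV:11 CPFM:03 SCEP:01 BDID:04 "
               "ECID:00000000EXAMPLE2 IBFL:3C SRTG:[iBoot-EXAMPLE]"},
    {"host": "desk-07", "vendor": 0x05AC, "product": 0x12A8,
     "serial": "00008030-00000000EXAMPLE3"},      # iPhone in normal mode
    {"host": "desk-08", "vendor": 0x046D, "product": 0xC52B,
     "serial": ""},                               # unrelated peripheral
]

# KEY:value pairs; bracketed values (SRTG, PWND) may contain spaces/dashes.
_FIELD_RE = re.compile(r"([A-Z]+):(\[[^\]]*\]|\S+)")


def parse_dfu_serial(serial):
    """Split a DFU-mode serial string into its KEY:value fields.
    Bracketed values are returned without the brackets."""
    fields = {}
    for key, value in _FIELD_RE.findall(serial):
        fields[key] = value[1:-1] if value.startswith("[") else value
    return fields


def assess(device):
    """Classify one USB device record.

    'status' is one of 'not-apple', 'apple-normal', 'dfu-clean',
    'dfu-pwned'; 'chip' is derived from CPID when the device is in DFU
    mode; 'affected' is True for the chip families the article covers."""
    if device["vendor"] != APPLE_VENDOR_ID:
        return {"status": "not-apple", "chip": None, "affected": False}
    if device["product"] != DFU_PRODUCT_ID:
        return {"status": "apple-normal", "chip": None, "affected": False}
    fields = parse_dfu_serial(device["serial"])
    chip = CPID_TO_CHIP.get(fields.get("CPID", ""), "unknown")
    pwned = "PWND" in fields
    return {
        "status": "dfu-pwned" if pwned else "dfu-clean",
        "chip": chip,
        "affected": chip in AFFECTED_CHIPS,
        "pwnd_tag": fields.get("PWND"),
    }


def find_pwned(devices):
    """Return (host, chip, tag) for every device carrying a PWND marker."""
    hits = []
    for dev in devices:
        result = assess(dev)
        if result["status"] == "dfu-pwned":
            hits.append((dev["host"], result["chip"], result["pwnd_tag"]))
    return hits


def find_dfu_affected(devices):
    """Hosts with an A12/A13 device in DFU mode, pwned or not. DFU mode is
    the precondition the attack needs, so it is worth an alert on its own."""
    hosts = []
    for dev in devices:
        result = assess(dev)
        if result["status"].startswith("dfu") and result["affected"]:
            hosts.append(dev["host"])
    return hosts


if __name__ == "__main__":
    for host, chip, tag in find_pwned(SAMPLE_USB_DEVICES):
        print(f"{host}: {chip} device in pwned DFU mode (PWND:[{tag}])")
    for host in find_dfu_affected(SAMPLE_USB_DEVICES):
        print(f"{host}: affected-chip device currently in DFU mode")
```

The two reports answer different questions: find_pwned catches a device that has already been taken over, while find_dfu_affected surfaces any A12/A13 hardware sitting in DFU mode at all, which in a fleet with tight physical-access rules should be rare enough to review by hand.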
With the usbliter8 exploit code now public, adoption by the jailbreak community and mobile forensics vendors is certain. The more pressing question, for anyone managing a corporate or government device fleet, is how many iPhones and iPads from 2018 to 2020 are still active. Equally important: how well is their physical access controlled? That inventory is overdue.
