Security researchers have disclosed a previously unknown iPhone BootROM vulnerability that allows attackers to compromise the boot chain on several Apple devices, including systems powered by A12 and A13 processors as well as Apple Watch S4 and S5 chipsets. The flaw, demonstrated through a proof-of-concept exploit dubbed “usbliter8,” combines a hardware weakness in a USB controller with a firmware configuration issue that affects BootROM security.
According to the researchers, the iPhone BootROM vulnerability impacts Apple A12, A13, and Apple Watch S4/S5 platforms. While support for A12X and A12Z chips may be technically feasible, those devices were not included in the released implementation. The team said successful testing across the affected hardware was sufficient to validate both the vulnerability and the exploitation method.
Because the flaw resides in immutable SecureROM code, software updates cannot fully eliminate the risk. Researchers noted that upgrading to newer hardware remains the most effective mitigation.
USB Controller Flaw Triggers iPhone BootROM vulnerability
The vulnerability originates in the Synopsys DesignWare USB 2 (DWC2) controller used in affected Apple devices. During USB communications, Setup transactions are transferred into memory using Direct Memory Access (DMA). Researchers discovered that the controller continuously updates the DMA address stored in the DOEPDMA register as data is received.
The issue emerges when the controller processes multiple Setup packets. While it can store three consecutive packets normally, a fourth packet causes the DMA pointer to reset. However, because the controller also accepts smaller packets while still processing data in four-byte chunks, a mismatch occurs between pointer increments and resets.
This design flaw creates a buffer underflow condition that enables controlled memory corruption in 12-byte increments. Researchers believe the weakness exists within the USB controller architecture itself rather than Apple’s software implementation.
Testing showed that A12 and A13 SecureROM code is vulnerable, whereas A11 devices are not. The difference stems from the A11 USB driver, which manually restores the DMA address after each packet. Researchers also found that USB DART operates in bypass mode on A12 and A13 devices, enabling arbitrary SRAM overwrites. Newer A14 and later platforms appear to configure DART correctly, making practical exploitation significantly harder.
SecureROM Code Execution Achieved Despite Protections
Exploitation methods differed between hardware generations. On A12 and Apple Watch S4/S5 devices, researchers achieved program counter control by overwriting a saved link register located near the USB DMA buffer. This allowed them to redirect execution and build a return-oriented programming (ROP) chain.
The A13 platform introduced Pointer Authentication Codes (PAC), making direct stack corruption ineffective. To overcome this protection, researchers developed a multi-stage attack involving heap corruption, interrupt handler manipulation, and controlled execution of function pointers stored in memory.
The team ultimately gained privileged EL1 execution within SecureROM code, enabling them to modify Device Firmware Update (DFU) mode, inject custom USB request handlers, and boot unsigned iBoot images.
To preserve their changes, the researchers copied BootROM code into SRAM, modified memory mappings through the MMU, and forced devices back into DFU mode after restarting SecureROM.
The researchers concluded that the iPhone BootROM vulnerability demonstrates how subtle hardware flaws can undermine modern security protections. Although newer Apple devices appear unaffected, vulnerable A12, A13, and Apple Watch models will remain exposed for their operational lifetime because the flaw exists within immutable BootROM and SecureROM code. The findings were disclosed to Apple’s Product Security team before publication.
