Overview
- Researchers at Paradigm Shift published a working proof-of-concept for usbliter8 on June 18 that achieves arbitrary code execution inside SecureROM on A12 and A13 silicon.
- The exploit abuses a hardware bug in the Synopsys DesignWare (DWC2) USB controller that creates a repeatable DMA buffer underflow and enables out-of-bounds writes into SecureROM SRAM.
- Exploitation requires physical possession, forcing a device into DFU mode and connecting a small microcontroller (for example a Pico-class RP2350) to send crafted USB setup packets.
- Once inside SecureROM the attacker can bypass Apple’s boot signature checks to load unsigned iBoot images or lower SoC production mode, though researchers have not demonstrated direct Secure Enclave compromise.
- Because BootROM is immutable, the recommended defenses are non-software: inventory and replace A12/A13/S4/S5 devices in sensitive roles, enforce strict custody and USB policies, and isolate vulnerable hardware until upgraded.