Unprintable ‘usbliter8’ Exploit Breaks Apple A12 and A13 SecureROM Boot Chain

Security researchers at Paradigm Shift have published a working exploit, called usbliter8which accomplishes arbitrary code execution within the SecureROM of Apple’s A12 and A13 chips.

That code is burned into the silicon at manufacturing. There is no software update we can access. Affected devices will carry this error as long as they are in use.

This is not a remote attack. It requires physical management of the device, which must be in DFU mode and connected via USB to a dedicated micro-board based on the RP2350. With that setup, the exploit lasts less than two seconds, before Apple’s signed boot chain is loaded.

The full technical documentation and working proof of concept appeared publicly on June 18, 2026, following a planned disclosure with Apple Product Security.

Affected Devices

The public PoC supports A12, A13, S4, and S5 SoCs. A12X and A12Z support is described as theoretically possible but not yet implemented.

Device families in that range include the iPhone XS, XS Max, and XR; iPhone 11, 11 Pro, 11 Pro Max; iPhone SE (second generation); iPad Air 3rd gen, iPad mini 5th gen, and iPad 8th gen; Apple Watch Series 4 and 5; first-generation Apple Watch SE; HomePod mini; and other Apple products built on those chips. A11 is not affected. A14 and later seem to be inaccessible to this exploit.

A bug

The root problem is a hardware error in the Synopsys DWC2 USB controller.

The controller stores incoming USB setup packets via DMA, buffers up to three buffers, and resets its write pointer to the fourth by decrementing it by a constant 24 bytes. It also accepts smaller packets than usual, increasing the pointer only by the actual bytes written. That mismatch accumulates in the overflow buffer, stepping the write pointer back in memory 12 bytes at a time.

What makes this useful on the A12 and A13 is how Apple configures the USB DART (Device Address Resolution Table, the chip’s IOMMU) within SecureROM. On affected devices, it operates in pass-through mode, so that the DMA pointer flows to access and overwrite the invalid SRAM.

The A11 is not affected because its USB driver manually resets the DMA address after each packet, so mismatches do not accumulate. A14 and later appear to configure DART correctly, which Paradigm Shift says makes the vulnerability exploitable on newer hardware.

Finding Code Execution

On the A12, the DMA buffer sits next to the USB work stack on the stack. Overwriting the saved link register gives the attacker program control over the next context switch.

A13 is difficult. Pointer Authentication (PAC) secures return addresses stored on the stack. The Paradigm Shift has gone through phases. Destructive mass properties associated with DART have generated limited initial documentation. Overwriting the shock depth counter caused the chip loop to error instead of restarting. Realizing the timing of DMA writes avoids merging the saved registers for the USB operation.

The last step is overwriting the USB interrupt handler pointer to the BSS. The next USB interception then uses the code provided by the attacker. Either method ends with the use of EL1, the chip’s privileged mode, within SecureROM.

What the Attacker Gets

After exploitation, usbliter8 injects a custom USB request handler and PWND stamps:[usbliter8] in the device’s USB string. From there, an attacker can temporarily bring down the SoC’s production mode or boot a raw, unsigned iBoot image without a signature check, going outside Apple’s chain of trust entirely.

Research shows no compromise of Secure Enclave’s security. Apple’s Secure Enclave is designed as a separate security perimeter, separated from the application processor. Paradigm Shift warns that controlling the level of BootROM may open up new avenues of attack.

No Software Patch

The immediate public precursor to checkm8, the 2019 SecureROM exploit permanently puts A5-through-A11 devices outside of Apple’s patch authorization.

Like checkm8, usbliter8 requires physical access and DFU mode and cannot be disabled with a firmware update. usbliter8 extends that status to the next chip generation.

As of June 19, 2026, no CVE score, CVSS, Apple security advisory, or CISA warning has been issued, and no wild exploit has been publicly reported.

For most users, the operational risk is low: an attacker needs a mobile device, the right cable, and the knowledge to force DFU mode. In more secure environments, this is now a hardware retirement and device maintenance issue.

If the device uses one of the affected chips, the virtual border is gone forever; security depends on controlling when and where a device can be connected. Inventory A12, A13, S4, and S5 hardware in critical roles, prioritize updating to A14 or newer, and avoid DFU mode over untrusted USB cables or hosts.

The code is public. That’s usually how exploit research stops being a demo and starts being someone else’s tool.