
Security researchers at Paradigm Shift have disclosed usbliter8, a new SecureROM exploit affecting Apple's A12 and A13 chipsets.
The proof-of-concept exploit achieves BootROM compromise through a combination of a USB controller hardware bug and a firmware configuration weakness, ultimately enabling code execution during the earliest stages of the device boot process.
According to Paradigm Shift researchers, the exploit impacts devices based on Apple's A12 and A13 system-on-chips, as well as S4 and S5 Apple Watch chips. Although support for A12X and A12Z processors is technically possible, it has not yet been implemented in their proof-of-concept exploit.
Paradigm Shift is a security research organization focused on low-level platform security and hardware exploitation. The group's work often examines trust boundaries in modern computing systems, including bootloaders, firmware, and silicon-level security protections.
At the center of the attack is a flaw in the Synopsys DesignWare USB 2.0 (DWC2) controller used by Apple. The researchers discovered that the controller's Direct Memory Access (DMA) mechanism mishandles certain USB Setup packets. While the controller is designed to store up to three Setup packets before resetting its DMA pointer, malformed packets of unexpected sizes can cause the DMA address to underflow. This creates a memory corruption primitive that allows attackers to overwrite sensitive data structures in memory.
The researchers found that exploitation depends heavily on how SecureROM configures the USB subsystem. On A12 and A13 devices, Apple's Device Address Resolution Table (DART) is configured in a bypass mode during SecureROM execution, allowing DMA writes to reach sensitive SRAM regions. Earlier A11 devices are not vulnerable because their USB driver manually resets DMA addresses after each packet, while newer A14 and later platforms appear to configure DART correctly, preventing practical exploitation.
Achieving code execution differs significantly between generations. On A12 devices, attackers can overwrite a saved link register in the USB task's stack and gain direct control of the program counter during a context switch. A13 devices present a greater challenge because of Pointer Authentication Code (PAC) protections, which cryptographically protect return addresses and other control-flow data.
To bypass these protections, Paradigm Shift developed a multi-stage attack chain involving corruption of DART-related heap structures, manipulation of panic-handling routines, carefully timed DMA writes, and eventual overwriting of interrupt-handler structures stored in memory. By replacing a USB interrupt handler pointer with attacker-controlled values, the exploit gains arbitrary code execution within SecureROM.

Once code execution is achieved, the researchers leverage SecureROM's transition from unprivileged EL0 to privileged EL1 to gain broader system control. On A12 devices, this involves a Return-Oriented Programming (ROP) chain that redirects execution into a boot trampoline. For A13 systems, the exploit uses authenticated branch instructions and a specially selected gadget that enables execution despite PAC protections.
After compromising SecureROM, usbliter8 modifies the Device Firmware Update (DFU) environment by installing a custom USB request handler. The handler introduces new capabilities, including:
- Temporarily lowering the SoC's production security mode
- Booting arbitrary iBoot images without signature verification
- Adding a “PWND” marker to USB device identifiers
- Maintaining persistence within the current DFU session

For A13 devices, researchers opted to restart SecureROM from SRAM after patching a copied version of the ROM. This allows the exploit's modifications to survive reinitialization while avoiding instability caused by widespread memory corruption during exploitation.
Although the attack compromises the application processor boot chain and undermines Apple's hardware root of trust, Paradigm Shift notes that the Secure Enclave Processor (SEP) remains a separate security boundary. However, gaining SecureROM-level access significantly expands the attack surface available to advanced attackers and researchers.
Because SecureROM code is permanently embedded in hardware, affected devices cannot be fully patched through software updates. Apple addressed the underlying conditions in later generations, but existing A12 and A13 hardware will remain vulnerable for the lifetime of the devices.
Paradigm Shift said it privately reported the findings to Apple Product Security before publication and coordinated disclosure with the company. For users concerned about long-term exposure to BootROM vulnerabilities, the researchers recommend migrating to newer hardware platforms unaffected by the flaw. Organizations should also restrict physical access to devices, as exploitation requires USB connectivity and direct interaction with DFU mode.
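
For teams that inventory devices found in DFU mode, the following added example (not code from Paradigm Shift or from this article) triages a USB serial string: it flags affected chip IDs and reports the "PWND" marker mentioned above. The serial strings are constructed samples; the `KEY:value` layout and the CPID values 0x8020 (A12) and 0x8030 (A13) are assumptions about Apple's DFU descriptor convention, and the marker is matched only as the substring `PWND` because the article does not give its exact format.

```python
import re

# Assumption: chip IDs as they appear in the CPID field of a DFU serial string.
# Only A12 and A13 are listed here; extend the table for other affected chips.
AFFECTED_CPIDS = {0x8020: "A12", 0x8030: "A13"}

# Constructed sample serial strings (not captured from real devices).
SAMPLES = [
    "CPID:8020 CPRV:11 CPFM:03 SCEP:01 BDID:0E ECID:001A2B3C4D5E6F70 "
    "IBFL:3C SRTG:[iBoot-0000.0.0]",
    "CPID:8030 CPRV:11 CPFM:03 SCEP:01 BDID:04 ECID:00AABBCCDDEEFF00 "
    "IBFL:3C SRTG:[iBoot-0000.0.0] PWND:[example]",
    "CPID:8101 CPRV:11 CPFM:03 SCEP:01 BDID:0C ECID:0011223344556677 "
    "IBFL:3C SRTG:[iBoot-0000.0.0]",
]

# Four-letter key, then either a bracketed value or a run of non-space characters.
FIELD_RE = re.compile(r"([A-Z]{4}):(\[[^\]]*\]|\S+)")


def parse_serial(serial):
    """Split a DFU serial string into a {key: value} dict, brackets stripped."""
    return {key: value.strip("[]") for key, value in FIELD_RE.findall(serial)}


def triage(serial):
    """Classify one serial string for an inventory or incident-response report."""
    fields = parse_serial(serial)
    try:
        cpid = int(fields.get("CPID", ""), 16)
    except ValueError:
        cpid = None  # missing or malformed CPID field
    chip = AFFECTED_CPIDS.get(cpid)
    pwned = "PWND" in serial.upper()  # marker may sit anywhere in the string
    if pwned:
        verdict = "modified-dfu"        # DFU environment has been altered
    elif chip:
        verdict = "affected-hardware"   # vulnerable silicon, no marker seen
    elif cpid is None:
        verdict = "unparsed"
    else:
        verdict = "not-listed"
    return {"cpid": cpid, "chip": chip, "ecid": fields.get("ECID"),
            "pwned": pwned, "verdict": verdict}


if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

A missing marker does not prove a device is untouched, since the marker is something the published handler chooses to add.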






