"BootROM-level control may open new routes for attacking it," Paradigm Shift warned after publishing a working exploit that reaches Apple's SecureROM on A12- and A13-based chips.
Paradigm Shift: public PoC released June 18, 2026
Security researchers at Paradigm Shift published a full technical write-up and a working proof-of-concept (PoC) for an exploit named usbliter8 on June 18, 2026, following coordinated disclosure with Apple Product Security; the PoC went public the same day as the write-up. As of June 19, 2026, no CVE, CVSS score, Apple security advisory, or CISA alert had been issued, and no in-the-wild exploitation had been publicly reported.
How usbliter8 achieves SecureROM code execution
usbliter8 exploits a hardware flaw in the Synopsys DWC2 USB controller. The controller uses DMA to store incoming USB Setup packets, buffering up to three and then, on the fourth packet, rewinding its write pointer by a fixed 24 bytes (the size of three standard 8-byte Setup packets). The controller also accepts shorter-than-standard packets and advances the pointer only by the bytes actually written. Because the rewind is fixed but the advance is not, a cycle of short packets leaves the pointer behind where it started: with 4-byte packets, for instance, three packets advance it 12 bytes and the rewind pulls it back 24, a net 12 bytes. That repeatable underflow walks the write pointer backwards through memory 12 bytes at a time.
On affected A12 and A13 devices, SecureROM configures the USB DART (Device Address Resolution Table, the SoC's IOMMU) in bypass mode, so the controller's DMA writes are not confined to the buffer's mapped range. That bypass is what lets the underflowing pointer reach and overwrite arbitrary SRAM, the primitive the researchers used to gain code execution before Apple's signed boot chain loads.
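To make the pointer arithmetic and the role of the DART concrete, the following is a toy model written for this page. It is not Paradigm Shift's code and not the controller's logic: the constants (three buffered packets, a fixed 24-byte rewind, 8-byte standard Setup packets) are taken from the article, while the "DART window" check is an assumed stand-in for what a non-bypassed IOMMU would enforce on the controller's DMA.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Illustrative model of the Setup-packet write pointer as described in the
 * article. Written for this page; not Paradigm Shift's code and not DWC2 RTL.
 * Constants come from the article; the DART window check is an assumption
 * standing in for a non-bypassed IOMMU.
 */
#define SETUP_PKT_LEN      8                                 /* standard USB Setup packet */
#define SETUP_BUF_SLOTS    3                                 /* packets buffered before rewind */
#define SETUP_REWIND_BYTES (SETUP_BUF_SLOTS * SETUP_PKT_LEN) /* fixed 24-byte rewind */

typedef struct {
    long wr_off;       /* write offset from buffer start; negative means underflow */
    int  count;        /* packets received since the last rewind */
    bool dart_bypass;  /* true: DMA may land anywhere; false: confined to [0, window) */
    long dart_window;  /* bytes a non-bypassed DART would let the controller write */
    long faults;       /* writes a non-bypassed DART would have blocked */
} dma_model_t;

void dma_model_init(dma_model_t *m, bool dart_bypass, long dart_window)
{
    m->wr_off = 0;
    m->count = 0;
    m->dart_bypass = dart_bypass;
    m->dart_window = dart_window;
    m->faults = 0;
}

/*
 * Deliver one Setup packet of `len` bytes and return the offset its data lands
 * at (or would have landed at, had the DART blocked it). Two behaviours from the
 * article: the rewind on the fourth packet is a fixed 24 bytes regardless of how
 * much was written, and the pointer advances only by the bytes actually written.
 */
long dma_model_receive(dma_model_t *m, int len)
{
    if (m->count == SETUP_BUF_SLOTS) {
        m->wr_off -= SETUP_REWIND_BYTES;
        m->count = 0;
    }
    long target = m->wr_off;
    /* Assumed IOMMU behaviour: a DART not in bypass refuses writes outside its window. */
    if (!m->dart_bypass && (target < 0 || target + len > m->dart_window))
        m->faults++;
    m->wr_off += len;
    m->count++;
    return target;
}

/* Net pointer movement for one three-packet fill followed by the fixed rewind. */
long dma_model_drift_per_cycle(int len)
{
    return (long)SETUP_BUF_SLOTS * len - SETUP_REWIND_BYTES;
}

/* Lowest offset the pointer reaches after `npackets` packets of `len` bytes. */
long dma_model_lowest_offset(int npackets, int len, bool dart_bypass)
{
    dma_model_t m;
    dma_model_init(&m, dart_bypass, SETUP_REWIND_BYTES);
    long lowest = 0;
    for (int i = 0; i < npackets; i++) {
        long off = dma_model_receive(&m, len);
        if (off < lowest)
            lowest = off;
    }
    return lowest;
}

/* Number of the `npackets` writes a non-bypassed DART would have blocked. */
long dma_model_blocked_writes(int npackets, int len)
{
    dma_model_t m;
    dma_model_init(&m, false, SETUP_REWIND_BYTES);
    for (int i = 0; i < npackets; i++)
        dma_model_receive(&m, len);
    return m.faults;
}

int main(void)
{
    dma_model_t m;
    dma_model_init(&m, true, SETUP_REWIND_BYTES);
    printf("4-byte packets with DART bypassed: offset each packet lands at\n");
    for (int i = 0; i < 10; i++)
        printf("  pkt %2d -> %ld\n", i + 1, dma_model_receive(&m, 4));
    printf("drift per cycle: 8-byte packets %ld, 4-byte packets %ld\n",
           dma_model_drift_per_cycle(8), dma_model_drift_per_cycle(4));
    printf("writes a non-bypassed DART would block over 7 short packets: %ld\n",
           dma_model_blocked_writes(7, 4));
    return 0;
}
```

With standard 8-byte packets the rewind exactly cancels the three writes and the pointer never leaves the buffer; with 4-byte packets every fourth packet lands 12 bytes lower than the previous cycle's first packet. In the model, every one of those out-of-buffer writes is one a DART enforcing a window would have refused, which is why the bypass configuration, not the pointer bug alone, is what turns the underflow into an arbitrary SRAM write.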
The exploit path differs by chip generation. On A12 the DMA buffer sits next to the USB task's stack in the heap, so the underflow can overwrite a saved link register and take control of the program counter when that task is next resumed. A13 adds protections such as Pointer Authentication (PAC), so the researchers chained staged bypasses: corrupting DART-related heap structures to create limited write primitives, forcing the chip to loop on errors by overwriting a panic depth counter, and then overwriting the USB interrupt handler pointer in BSS so that a subsequent interrupt runs attacker-supplied code. Both paths end in code execution at EL1 inside SecureROM.
Devices built on A12, A13, S4 and S5: who is affected
Paradigm Shift's public PoC supports the A12, A13, S4, and S5 systems-on-chip. Device families in that range named by the researchers include the iPhone XS, XS Max, and XR; iPhone 11, 11 Pro, and 11 Pro Max; iPhone SE (2nd generation); iPad Air 3rd generation, iPad mini 5th generation, and iPad 8th generation; Apple Watch Series 4 and 5; the first-generation Apple Watch SE; the HomePod mini; and other Apple products built on those chips. A12X and A12Z support is described as theoretically possible but not implemented in the public code. A11 is not affected, and A14 and later appear to be out of reach for this exploit path.
Operational constraints, consequences, and mitigations
usbliter8 is not a remote, software-only attack. It requires physical possession of the target device, placing it into DFU (Device Firmware Update) mode, and connecting it over USB to a dedicated RP2350-based microcontroller board. With that setup, Paradigm Shift reports the exploit completes in under two seconds, before the signed boot chain runs. It cannot be closed with a firmware update because the vulnerable SecureROM code is burned into the silicon at manufacture.
Post-exploitation behavior demonstrated in the PoC includes injecting a custom USB request handler and stamping PWND:[usbliter8] into the device's USB serial string. From there an attacker can temporarily demote the SoC's production mode or boot a raw, unsigned iBoot image without signature checks, effectively stepping outside Apple's chain of trust. The research did not demonstrate a compromise of the Secure Enclave; Paradigm Shift notes the Secure Enclave is designed as a separate protection boundary but warns that BootROM-level control may open new routes for attacking it.
Because the vulnerability is hardware-rooted, the closest public precedent is checkm8, the 2019 SecureROM exploit, and the consequence is the same: a permanent inability to patch the flaw by software update. Paradigm Shift cautions that once code is public, exploit research often moves from demonstration to tool.
What this means for technologists, procurement leaders, and end users
- Technologists and security teams: Inventory hardware that uses A12, A13, S4, and S5 SoCs in sensitive roles. Treat device custody and physical access controls as the primary mitigation; avoid connecting such devices in DFU mode to untrusted USB hosts or cables.
- Procurement leaders and asset owners: Prioritize refreshes toward A14 or newer silicon where possible; devices built on affected chips carry this flaw for the remainder of their service life and cannot be fixed with a software update.
- End users and administrators of high-security environments: The practical risk to most users is low because physical access, DFU mode, and a specific microcontroller board are required. For affected chips, however, the guarantee that a physically present attacker cannot run unsigned code before iBoot is permanently gone; device custody and USB-connection policies now determine safety.
usbliter8 is a reminder that not all security problems can be patched from the outside. Where SecureROM is fixed at manufacture, the levers left to defenders are inventory, custody, and hardware refresh selection. The exploit is public; whether it remains a research milestone or becomes an operational tool depends now on who picks it up next.