usbliter8 DMA Underflow Achieves Permanent SecureROM Execution on A12/A13
A hardware DMA underflow in the Synopsys DWC2 controller combined with A12/A13 DART bypass grants unpatchable SecureROM control. Physical-access only, it permanently removes Apple's boot-chain authority on millions of devices. Parallels checkm8 but reaches newer silicon without touching the Secure Enclave.
The exploit requires physical possession, DFU mode, and an RP2350 microcontroller board. It completes in under two seconds by corrupting the DMA write pointer through repeated undersized Setup packets, bypassing the DART IOMMU that Apple left in bypass mode inside SecureROM on these chips. A11 avoids the issue through explicit DMA address resets after every packet; A14 and later configure DART correctly.
Affected devices span iPhone XS through SE (2nd gen), multiple iPads, Apple Watch Series 4/5, and HomePod mini. The public PoC already supports A12, A13, S4, and S5. Post-exploitation yields unsigned iBoot boot capability and production-mode demotion while leaving the Secure Enclave untouched so far.
This mirrors the 2019 checkm8 pattern but extends the hardware root-of-trust break two generations later. The DWC2 controller flaw itself is unfixable; only the IOMMU and driver configuration choices determined exploitability. No procurement or incident records indicate prior knowledge inside Apple supply-chain audits.
Future work will likely target remaining A12/A13 variants and probe secondary paths into the Secure Enclave. Affected devices will carry the permanent break for their operational lifetimes with no software remediation possible.
Paradigm Shift: Public bootrom jailbreak tools based on usbliter8 will appear within 120 days.
Sources (3)
- [1]Paradigm Shift usbliter8 Technical Report(https://paradigmshift.re/usbliter8)
- [2]checkm8 axi0mX Disclosure and Analysis(https://github.com/axi0mX/iboot)
- [3]Apple Security Updates Coordinated Disclosure Record(https://support.apple.com/en-us/HT201222)