Paradigm Shift Publishes usbliter8 Exploit for Apple A12 and A13 BootROM Flaw
Updated · MacRumors · Jun 18
Summary
A working proof-of-concept called usbliter8 now publicly demonstrates code execution against Apple’s A12 and A13 BootROM, extending BootROM exploitation beyond 2019’s checkm8 to iPhone XS through iPhone 11 devices.
The flaw stems from the chips’ USB controller: a crafted stream of tiny startup packets can force an internal pointer backward through memory and write data into protected locations.
A12 devices are easier to compromise, while A13 chips required a longer bypass of Pointer Authentication Codes before researchers could seize processor control.
Once triggered, the exploit can survive a reboot, temporarily lower security settings, and boot unsigned software; Paradigm Shift said it disclosed the issue to Apple before releasing the code at ps.tc.
Because BootROM code is fused into the chip, A12 and A13 devices remain vulnerable for life, though the Secure Enclave is not directly broken and A11 and A14-or-later chips are not affected.