iPhone XS Through 11 Have Unfixable BootROM Vulnerability

What You Need to Know
- The usbliter8 exploit targets the BootROM of Apple's A12 and A13 chips, affecting the iPhone XS through the iPhone 11.
- Physical device access is required; the vulnerability cannot be patched because the BootROM is burned into the chip at manufacture.
- The exploit manipulates the USB controller's memory buffer by sending a specific sequence of packets during device startup.
- A11 chips are protected by a manual pointer reset; A14 and later chips have the memory protection feature configured correctly.
Physical access to a device is required for usbliter8 to work, which the source article mentions only in passing. That constraint shapes what this vulnerability actually means in practice.
Paradigm Shift, a security research firm, has published a working exploit called “usbliter8” targeting the BootROM of Apple’s A12 and A13 chips, covering iPhones from the XS through the 11 series. Because the BootROM is burned into the chip at manufacture, no software update can close the hole. Every affected device stays vulnerable permanently.
The exploit targets a bug in the USB controller hardware itself. When an iPhone receives USB data during startup, the controller uses a memory buffer for incoming packets. By sending a specific sequence of unusually small packets, the researchers manipulated an internal hardware pointer into walking backwards through memory, writing data to locations it should never reach.
Why A12 and A13 sit in an awkward middle
The A11 chip, used in the iPhone X, escapes because its USB driver manually resets the pointer after each packet. A14 and later chips configure a memory protection feature correctly at the BootROM level. The A12 and A13 fall between those two fixes, which is why they are the only chips affected.
Getting code execution on A13 devices is considerably harder than on A12 hardware. Apple introduced Pointer Authentication Codes (PAC) on the A13, which detects and blocks certain types of memory tampering. Paradigm Shift says bypassing PAC required a lengthy multi-step process before the researchers could take control of the processor.
Once the exploit runs, it installs a custom handler that survives a device restart, lowers security settings, and allows unsigned software to boot without verification checks. It also injects the string “PWND” into the device’s USB serial number, a convention carried over from checkm8 and earlier exploits. Paradigm Shift reported its findings to Apple Product Security before publication and worked with Apple on coordinated disclosure. The full proof-of-concept code is published at ps.tc.
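A defender-side check for the "PWND" marker described above, as an added example that is not part of the article or of Paradigm Shift's published code. It assumes the space-separated KEY:VALUE layout DFU mode reports in its USB serial string and a CPID-to-chip table; the sample serials are constructed.

```python
"""Flag the 'PWND' marker that checkm8-style BootROM exploits (usbliter8 too,
per the article) inject into a DFU-mode iPhone's USB serial number.
Added example, not Paradigm Shift's code. Assumed: the serial is DFU's
space-separated KEY:VALUE form (bracketed values allowed) and the CPID table
below; sample serials are constructed, not captured from real devices."""
import re

_TOKEN = re.compile(r"([A-Z]+):(\[[^\]]*\]|\S+)")
# Chip IDs as seen in the CPID field (assumed mapping, for illustration only).
CPID_TO_CHIP = {"8015": "A11", "8020": "A12", "8030": "A13", "8101": "A14"}
# Per the article, only the A12 and A13 BootROMs are affected by usbliter8.
AFFECTED_CHIPS = {"A12", "A13"}


def parse_serial(serial: str) -> dict:
    """Split 'CPID:8020 ... PWND:[usbliter8]' into a dict, stripping brackets."""
    fields = {}
    for key, value in _TOKEN.findall(serial):
        fields[key] = value[1:-1] if value.startswith("[") else value
    return fields


def assess_serial(serial: str) -> dict:
    """Summarise one DFU serial string from a defender's point of view."""
    fields = parse_serial(serial)
    chip = CPID_TO_CHIP.get(fields.get("CPID", ""), "unknown")
    pwnd_tag = fields.get("PWND")  # None when no marker is present
    if pwnd_tag is not None:
        verdict = "compromised"  # BootROM exploited: signed boot can't be trusted
    elif chip in AFFECTED_CHIPS:
        verdict = "at risk"  # unpatchable family, but no marker seen this boot
    else:
        verdict = "not in scope"
    return {"chip": chip, "affected_family": chip in AFFECTED_CHIPS,
            "pwnd_marker": pwnd_tag is not None, "exploit_tag": pwnd_tag,
            "verdict": verdict}


SAMPLES = [  # constructed serials, not from real devices
    "CPID:8020 CPRV:11 BDID:0E ECID:000000000000DEAD SRTG:[iBoot-0.0] PWND:[usbliter8]",
    "CPID:8030 CPRV:11 BDID:04 ECID:000000000000BEEF SRTG:[iBoot-0.0]",
    "CPID:8101 CPRV:11 BDID:08 ECID:000000000000CAFE SRTG:[iBoot-0.0]",
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = assess_serial(s)
        print(f"{r['chip']:>7}  {r['verdict']:<12}  tag={r['exploit_tag']}")
```

On a real device the serial string comes from the USB device descriptor of a phone sitting in DFU mode; the check is a point-in-time indicator, not proof that a device without the marker is clean.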