{"id":276387,"date":"2026-06-19T14:37:00","date_gmt":"2026-06-19T18:37:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/06\/19\/unpatchable-usbliter8-exploit-breaks-apple-a12-and-a13-securerom-boot-chain\/"},"modified":"2026-06-19T17:05:16","modified_gmt":"2026-06-19T21:05:16","slug":"unpatchable-usbliter8-exploit-breaks-apple-a12-and-a13-securerom-boot-chain","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/06\/19\/unpatchable-usbliter8-exploit-breaks-apple-a12-and-a13-securerom-boot-chain\/","title":{"rendered":"Unpatchable &#8216;usbliter8&#8217; Exploit Breaks Apple A12 and A13 SecureROM Boot Chain"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/unpatchable-usbliter8-exploit-breaks.html\">Unpatchable &#8216;usbliter8&#8217; Exploit Breaks Apple A12 and A13 SecureROM Boot Chain<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/unpatchable-usbliter8-exploit-breaks.html\">https:\/\/thehackernews.com\/2026\/06\/unpatchable-usbliter8-exploit-breaks.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-06-19 14:37:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>Security researchers at\u00a0Paradigm Shift\u00a0have published a working exploit, dubbed\u00a0usbliter8, that achieves arbitrary code execution inside the SecureROM of Apple&#8217;s A12 and A13 chips.<\/p>\n<p>That code is burned into the silicon at manufacture. No software update can reach it. Affected devices will carry this flaw for as long as they stay in use.<\/p>\n<p>This is not a remote attack. It requires physical possession of the device, which must be in DFU mode and connected via USB to a dedicated RP2350-based microcontroller board. With that setup, the exploit finishes in under two seconds, before Apple&#8217;s signed boot chain loads.<\/p>\n<p>The full\u00a0technical write-up\u00a0and a working\u00a0proof of concept\u00a0went public on June 18, 2026, following coordinated disclosure with Apple Product Security.<\/p>\n<h2>Affected Devices<\/h2>\n<p>The public PoC supports A12, A13, S4, and S5 SoCs. A12X and A12Z support is described as theoretically possible but not yet implemented.<\/p>\n<p>Device families in that range include the iPhone XS, XS Max, and XR; the iPhone 11, 11 Pro, 11 Pro Max; the iPhone SE (2nd generation); the iPad Air 3rd gen, iPad mini 5th gen, and iPad 8th gen; Apple Watch Series 4 and 5; the first-generation Apple Watch SE; the HomePod mini; and other Apple products built on those chips. A11 is not affected. A14 and later appear to be out of reach for this exploit path.<\/p>\n<h2>The Bug<\/h2>\n<p>The root issue is a hardware flaw in the Synopsys DWC2 USB controller.<\/p>\n<p>The controller stores incoming USB Setup packets via DMA, buffers up to three, then resets its write pointer on the fourth by decrementing it by a fixed 24 bytes. It also accepts smaller-than-standard packets, incrementing the pointer only by the actual bytes written. That mismatch accumulates into a repeatable buffer underflow, stepping the write pointer backwards through memory 12 bytes at a time.<\/p>\n<p>What makes this exploitable on A12 and A13 is how Apple configures the USB DART (Device Address Resolution Table, the chip&#8217;s IOMMU) inside SecureROM. On affected devices,&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/unpatchable-usbliter8-exploit-breaks.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Unpatchable &#8216;usbliter8&#8217; Exploit Breaks Apple A12 and A13 SecureROM Boot Chain https:\/\/thehackernews.com\/2026\/06\/unpatchable-usbliter8-exploit-breaks.html Publish Date: 2026-06-19&#8230;<\/p>\n","protected":false},"author":1,"featured_media":276390,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgIM725Ni41-PBwM_6zXNdsydP1eZO7oSsWIlAqpwdOu9dOcZM6ZI1iaqwSsL3yZKT4lbFRM-eZVq3ARKDbLRnid1pJ0Us3XX135nD0tV71gb1lnADzig_vE9c6CAiJdlJ-Wco11InBKUyGX9V5nRFn9qZxuxeJKCzsCV4tQTfFIgU3F05Wnp2VfsxyTPs\/s1600\/apple-chip.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[31],"class_list":["post-276387","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-exploit"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/276387"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=276387"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/276387\/revisions"}],"predecessor-version":[{"id":276391,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/276387\/revisions\/276391"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/276390"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=276387"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=276387"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=276387"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}