ctipilot.ch

usbliter8

tool · tool:usbliter8-securerom-exploit

usbliter8 — permanent unpatchable SecureROM boot-chain exploit for Apple A12/A13 silicon (checkm8 successor)

  • Coverage timeline: 2 appearances (first 2026-06-20 → last 2026-06-22)
  • Entries: 2 (2 distinct days)
  • Sources cited: 4 (4 hosts)
  • Sections touched: 2 (research, weekly-research)
  • Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-06-22 · weekly-research · Research: usbliter8 — an unpatchable SecureROM boot-chain exploit for Apple A12/A13 silicon
  2. 2026-06-20 · research · usbliter8 — a permanent SecureROM boot-chain exploit for Apple A12/A13 silicon

Where this entity is cited

  • research: 1
  • weekly-research: 1

Source distribution

  • 9to5mac.com: 1 (25%)
  • appleinsider.com: 1 (25%)
  • ps.tc: 1 (25%)
  • thehackernews.com: 1 (25%)

Entries about usbliter8 (2)

2026-06-22

Research: usbliter8 — an unpatchable SecureROM boot-chain exploit for Apple A12/A13 silicon

notable · research · discovered 2026-06-22 00:15 UTC

Paradigm Shift published usbliter8, a working SecureROM (burned-in, unpatchable boot code) exploit for Apple A12 and A13 SoCs via a hardware-level USB DMA buffer underflow combined with a firmware configuration flaw, achieving pre-boot arbitrary code execution in under two seconds (9to5Mac, 2026-06-18; daily 06-20). It requires physical possession in DFU mode with a dedicated RP2350 board; the Secure Enclave is not compromised, so passcodes and encrypted user data remain protected — the risk class is forensic/intelligence-collection on seized devices, not remote exploitation. For CH/EU public-sector MDM/BYOD fleets the operational consequence is a hardware-refresh planning input: affected devices (iPhone XR/XS/11 generations, several iPads, older Apple Watches and HomePod mini) cannot be patched, so high-sensitivity-role devices on A12/A13 silicon should be prioritised for replacement and protected with physical-custody controls.

mobile vulnerabilities no-patch global

2026-06-20

usbliter8 — a permanent SecureROM boot-chain exploit for Apple A12/A13 silicon

high · research · discovered 2026-06-20 05:12 UTC

Paradigm Shift Technology published usbliter8 on 2026-06-18 with a full technical write-up and a working RP2350-based proof-of-concept: a software-unpatchable bootrom exploit for Apple A12 and A13 (and S4/S5) SoCs, conceptually the successor to 2019's checkm8 (Paradigm Shift, 2026-06-18). The root cause is a buffer underflow in the Synopsys DWC2 USB controller's DMA path that Apple's DART IOMMU does not block while the device is in DFU mode, allowing arbitrary SRAM overwrites; on A13 the chain additionally bypasses Pointer Authentication via heap corruption before booting unsigned iBoot images and fully subverting the chain of trust (The Hacker News, 2026-06-19). Exploitation requires physical access to a device in DFU mode connected over USB to the attacker's microcontroller and completes in under two seconds. Affected hardware spans iPhone XS/XR through the iPhone 11 line, several iPad and Apple Watch generations and the HomePod mini; A14 and later are unaffected. Because the flaw is in mask-ROM, no OS update can remediate it (MITRE ATT&CK T1542.003 Pre-OS Boot: Bootkit).

Why it matters to us: This is a physical-access risk, not a network threat, but it defeats every OS-level control — including Secure Enclave credential protections — on affected hardware. For high-security estates the practical questions are MDM supervised-mode enforcement (which can detect unmanaged DFU connections), physical custody of devices, and retiring A12/A13 hardware where physical control cannot be guaranteed.

vulnerabilities poc-public mobile global