A newly discovered BootROM vulnerability, named usbliter8, has been identified in Apple devices using A12, S4/S5, and A13 System-on-Chips (SoCs). This exploit leverages a hardware bug within the Synopsys DWC2 USB controller, coupled with a firmware configuration flaw, allowing a complete compromise of the application processor’s boot chain. Due to the unchangeable nature of BootROM code, no software patch can rectify this issue.
Understanding the Vulnerability
Researchers from Paradigm Shift attribute the vulnerability to the handling of consecutive USB Setup packets by the DWC2 USB controller. The controller can store up to three Setup packets in memory before it resets the Direct Memory Access (DMA) base address, kept in the DOEPDMA register, to its initial position, thus functioning as a ring buffer.
The core issue arises because, after each data write, the controller advances DOEPDMA by the size of the data written, whereas the reset operation decreases it by a fixed 24 bytes. This discrepancy leads to a buffer underflow condition in 12-byte steps, enabling unauthorized writes to memory areas beyond the intended buffer.
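The pointer arithmetic described above, as an added software model that is not code from Paradigm Shift or Apple. The per-lap write sizes and the base address are constructed, and how a lap comes to write fewer than 24 bytes is not modelled; the block contrasts the fixed rewind with a rewind to the recorded base and a bounds check.

```c
#include <stdint.h>
#include <stdio.h>
#define REWIND_BYTES 24  /* fixed rewind amount given in the article */
#define PKTS_PER_LAP 3   /* Setup packets stored before the rewind */

/* Software model only: cursor stands in for DOEPDMA, base for the buffer start. */
struct ring { int64_t base, cursor; };
typedef void (*lap_fn)(struct ring *, const uint32_t *);
/* Constructed inputs: bytes written per packet in one lap. */
static const uint32_t FULL_LAP[PKTS_PER_LAP]  = { 8, 8, 8 }; /* sums to 24 */
static const uint32_t SHORT_LAP[PKTS_PER_LAP] = { 4, 4, 4 }; /* sums to 12 */

static void advance(struct ring *r, const uint32_t *sizes) {
    for (int i = 0; i < PKTS_PER_LAP; i++)
        r->cursor += sizes[i];          /* grows by what was actually written */
}

/* Behaviour as described: rewind by a constant, whatever was written. */
static void lap_fixed_rewind(struct ring *r, const uint32_t *sizes) {
    advance(r, sizes);
    r->cursor -= REWIND_BYTES;
}

/* Hardened form: rewind to the recorded base instead of subtracting. */
static void lap_absolute_rewind(struct ring *r, const uint32_t *sizes) {
    advance(r, sizes);
    r->cursor = r->base;
}

/* Bounds check: would an 8-byte write at the cursor stay inside the buffer? */
static int in_window(const struct ring *r) {
    return r->cursor >= r->base && r->cursor + 8 <= r->base + REWIND_BYTES;
}

/* Cursor offset from base after `laps` laps. */
int64_t drift_after(lap_fn lap, const uint32_t *sizes, int laps) {
    struct ring r = { 0x1000, 0x1000 };  /* constructed address */
    for (int i = 0; i < laps; i++) lap(&r, sizes);
    return r.cursor - r.base;
}

/* First lap (1-based) that leaves the cursor out of bounds, 0 if none does. */
int first_bad_lap(lap_fn lap, const uint32_t *sizes, int laps) {
    struct ring r = { 0x1000, 0x1000 };
    for (int i = 1; i <= laps; i++) { lap(&r, sizes); if (!in_window(&r)) return i; }
    return 0;
}
int main(void) {
    printf("full: %lld short: %lld first bad lap: %d\n", (long long)drift_after(lap_fixed_rewind, FULL_LAP, 3),
           (long long)drift_after(lap_fixed_rewind, SHORT_LAP, 3), first_bad_lap(lap_fixed_rewind, SHORT_LAP, 3));
}
```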
Exploitation Differences Across SoCs
On the A12 and A13 models, the USB DART (Device Address Resolution Table) is set to bypass mode within SecureROM, leaving no IOMMU barrier to prevent DMA from altering arbitrary SRAM data. While A14 and later models correctly configure DART, making them immune to this exploit, earlier models remain vulnerable.
Exploiting the A12 and S4/S5 is relatively simple, as the DMA buffer is adjacent to the USB task’s stack on the heap. By corrupting a saved Link Register (LR), attackers can gain control of the Program Counter during a scheduler context switch. A compact ROP chain then redirects DMA writes into the boot trampoline, enabling execution of attacker shellcode with full privileges.
A13 SoC Exploitation Complexity
The A13 SoC introduces Pointer Authentication (PAC), complicating direct LR corruption. To circumvent this, researchers employed a multi-step method that involves controlled overwrites of DART heap metadata, neutralizing heap checksum protections, and preventing reboots during panic situations by overwriting a global panic counter.
Execution is rerouted using a gadget that loads a function pointer from memory controlled by the attacker, bypassing PAC due to a firmware oversight. Once EL1 code execution is achieved, the exploit injects a custom USB request handler, patches the USB serial number, and restores heap allocations to ensure device stability.
Affected Devices and Mitigation Strategies
The vulnerable SoCs include the Apple A12 in devices like the iPhone XS, XR, and iPad Pro 2018, as well as the A13 in the iPhone 11 series, and the S4/S5 in Apple Watch Series 4/5. Given the immutable nature of BootROM vulnerabilities, no software update can resolve this issue. Upgrading to A14 or newer hardware is the only effective countermeasure.
While Apple’s Secure Enclave Processor (SEP) provides an additional layer of security, usbliter8 potentially opens new avenues for indirect attacks on the Secure Enclave. Paradigm Shift coordinated with Apple Product Security before publicly disclosing their findings, and the complete proof-of-concept is accessible in their research repository.
