Usbliter8: A Hardware Bug in Apple's SecureROM
A team of researchers has published a proof-of-concept exploit for a novel BootROM vulnerability affecting Apple A12, S4/S5, and A13 SoCs. The bug resides in the DWC2 USB controller's DMA implementation, allowing an attacker with physical USB access to overwrite SRAM and hijack the application processor's boot chain. The exploit, named Usbliter8, is detailed in a write-up with full technical analysis and working PoC.
The Bug: DMA Ring Buffer Underflow
The DWC2 controller stores up to three consecutive USB Setup packets in a DMA buffer. On receiving a fourth, it resets the DMA address by decrementing by 24 bytes (3 packets × 8 bytes). However, the controller also accepts packets smaller than 8 bytes, storing them in 4-byte chunks. The pointer increment does not match the fixed decrement, creating a buffer underflow in 12-byte steps. This allows writing data before the intended buffer.
Exploitation on A12: Direct PC Control
On A12, the DMA buffer is allocated on the heap adjacent to the USB task's stack. By overwriting the saved link register (LR) on the stack, the attacker gains PC control when the scheduler switches back to the USB task. No additional mitigations are present.
Exploitation on A13: Bypassing PAC and Heap Checksums
A13 introduces Pointer Authentication Codes (PAC) on stack-stored LRs, preventing direct stack corruption. The researchers developed a multi-step technique:
- Overwrite DART metadata: Using a limited write primitive from
dart_stop(), they zero out the global pointer to the DART allocation, preventing a panic during cleanup. - Disable panic reboot: A 0xF write primitive overwrites the global panic counter, causing the next panic to enter an infinite loop instead of rebooting.
- Avoid breaking USB task context: Timing DMA writes while the USB task is awake ensures correct LR/SP values overwrite corrupted ones.
- Trigger panic with IRQs enabled: Corrupting the critical-section depth field causes a panic with IRQs enabled, entering the infinite loop while allowing ISRs to run.
- Overwrite USB IRQ handler: With memory access, the attacker overwrites the USB IRQ handler pointer in BSS, gaining PC control when the next USB interrupt fires.
Post-Exploitation and Mitigation
The exploit achieves full boot-chain compromise. Since the vulnerability is in immutable SecureROM code, the only effective mitigation is migrating to newer hardware. A14 and later configure USB DART correctly, making the bug unexploitable. The researchers note that A11 is not vulnerable because its USB driver manually resets the DMA address after each packet.
Impact and Disclosure
The vulnerability affects a significant installed base of devices with A12/A13 chips, including iPhone XS, XR, 11, and 2020 SE, as well as Apple Watch Series 4/5. The PoC is publicly available, and the researchers emphasize that this class of hardware bugs remains relevant even in recent SecureROM generations.
Code Example: Triggering the DMA Underflow
// Simplified pseudo-code for triggering the bug
void send_setup_packet(uint8_t *data, size_t len) {
// Send a Setup packet with length < 8 bytes
// The controller stores it as 4-byte chunks
// After 3 packets, the DMA address decrements by 24
// But increments by len (rounded up to 4)
// Repeated sends create a buffer underflow
}
Why It Matters
This exploit demonstrates that hardware-level bugs in immutable boot ROMs remain a real threat even with modern mitigations like PAC. For developers, it underscores the importance of hardware-software co-design and the value of DART configuration in preventing DMA attacks. The write-up provides a detailed case study for security researchers working on embedded systems.
