Apple A12/A13 SecureROM Exploit Persists as Unpatchable Hardware Flaw

What just happened and why it matters

Security researchers have released a working exploit named usbliter8 that runs unsigned code inside the SecureROM of Apple A12 and A13 chips. SecureROM is the immutable boot code burned into the processor during manufacturing, so no iOS, iPadOS, watchOS or tvOS update can patch it. The only way to remove the flaw is to replace the chip or discard the device. Affected owners will carry this vulnerability for the life of the hardware.

The exploit is not remote; it requires physical possession of the device, which must be in DFU mode and connected via USB to a dedicated RP2350-based microcontroller board. Once triggered, the attack completes in under two seconds, before Apple’s signed boot chain loads. The public proof-of-concept and full technical write-up were published on June 18, 2026, following coordinated disclosure with Apple Product Security.

Which devices are affected and which are not

The public PoC targets A12, A13, S4, and S5 SoCs. Support for A12X and A12Z is described as theoretically possible but not yet implemented. Device families that fall into this range include the iPhone XS, XS Max, and XR; the iPhone 11, 11 Pro, and 11 Pro Max; the iPhone SE (2nd generation); the iPad Air (3rd generation), iPad mini (5th generation), and iPad (8th generation); Apple Watch Series 4 and 5; the first-generation Apple Watch SE; the HomePod mini; and other Apple products built on those chips. A11 devices are not affected. A14 and later chips appear to be out of reach for this exploit path.

How the exploit works: a buffer underflow in USB DMA

The controller stores incoming USB Setup packets via DMA, buffering up to three packets. On the fourth packet it resets its write pointer by decrementing it by a fixed 24 bytes. It also accepts smaller-than-standard packets, incrementing the pointer only by the actual bytes written. That mismatch accumulates into a repeatable buffer underflow that steps the write pointer backward through memory 12 bytes at a time.

What makes this exploitable on A12 and A13 is how Apple configures the USB DART (Device Address Resolution Table, the chip’s IOMMU) inside SecureROM. On affected devices, DART runs in bypass mode, so the underflowing DMA pointer can reach and overwrite arbitrary SRAM. A11 is not affected because its USB driver manually resets the DMA address after every packet, preventing the mismatch from accumulating. A14 and later appear to configure DART correctly, which researchers say makes the vulnerability unexploitable on newer hardware.

Memory layout differences between A12 and A13

On A12, the DMA buffer sits adjacent to the USB task’s stack on the heap. Overwriting a saved link register gives the attacker program-counter control on the next context switch. A13 is harder to exploit because it enables Pointer Authentication, a hardware feature that cryptographically signs return addresses and other pointers. Even so, the researchers found a way to defeat Pointer Authentication on A13 and regain control of execution.

What an attacker can do once inside SecureROM

Running code inside SecureROM grants the highest privilege level on the device. An attacker can bypass Secure Boot, install persistent malware in the boot chain, unlock the device for passcode brute-forcing, extract cryptographic keys, or disable hardware-based security features such as the Secure Enclave Processor’s anti-replay protections. Because the code runs before iOS loads, it is invisible to the operating system and cannot be removed by factory resets.

Why this is unpatchable and what owners can do

SecureROM resides in on-chip mask ROM and cannot be updated or replaced by software. Apple would need a new chip revision to close the flaw, which means affected devices will carry the vulnerability for as long as they remain in use. Owners can reduce risk by keeping devices updated to the latest iOS, iPadOS, watchOS, and tvOS versions, but those updates cannot remove the underlying flaw. Practically, owners should:

• Avoid lending devices to untrusted parties or leaving them unattended in public places. • Use strong passcodes and avoid storing sensitive data on devices that cannot be upgraded. • Consider replacing A12/A13 devices with A14 or later models if the security posture is critical. • Monitor device behavior for signs of tampering, such as unexpected reboots or prolonged DFU mode.

Supply-chain and secondhand market implications

Devices that change hands—especially refurbished iPhones, iPads, and Apple Watches from the affected generations—now carry a latent hardware-level risk. Buyers should assume any secondhand A12/A13 device could be compromised and may require professional inspection or replacement. Enterprises that issue these devices to employees should review their asset lifecycle policies and budget for replacements where security is a priority.

microcontroller board connected to laptop

Apple’s response and future hardware defenses

Apple was notified prior to public disclosure and has not issued a software patch because the flaw is in hardware. The company is likely evaluating chip revisions and may introduce stricter DART configurations or additional Pointer Authentication enhancements in future SoCs. In the meantime, Apple’s security updates will continue to harden the software stack above SecureROM, but they cannot eliminate the risk introduced by usbliter8.

What to watch next

Researchers have indicated that A12X/A12Z support is theoretically possible and may appear in future PoCs, expanding the affected device list. On the defensive side, expect new hardware-based mitigations in upcoming Apple silicon revisions, such as stricter DART defaults, randomized memory layouts, or hardware-enforced pointer signing. For now, the most immediate action for users is to assess exposure and plan hardware refreshes where necessary.

Bottom line

usbliter8 turns SecureROM on A12 and A13 into a persistent backdoor that cannot be closed by software. The only reliable mitigations are physical control of devices and hardware replacement. Affected users should treat these devices as untrusted and plan upgrades to A14 or later chips to restore full hardware-level security.