Unpatchable Flaw in Apple Chips: A New Era for iPhone Jailbreaking

TL;DR
- Cybersecurity firm Paradigm Shift has disclosed an unpatchable BootROM vulnerability in Apple’s A12 and A13 chips, dubbed “usbliter8.”
- The exploit allows arbitrary code execution during the boot process, effectively enabling jailbreak-style access to older iPhones and other Apple devices.
- Because the flaw is etched into the silicon, it cannot be patched via software updates; the only definitive mitigation is upgrading to devices with A14 or newer chips.
A new hardware-level exploit has shaken the security landscape for older Apple devices, revealing a vulnerability that cannot be fixed by any software update. The flaw, uncovered by Barcelona-based offensive cybersecurity company Paradigm Shift, targets Apple’s A12 and A13 system‑on‑chips and opens the door to jailbreak-style access for anyone with physical control of a device during the boot sequence.
The vulnerability, named “usbliter8,” attacks SecureROM—the immutable BootROM code that runs first when an Apple device powers on. Because this code lives in read‑only memory baked into the silicon during manufacturing, even Apple cannot rewrite it on already‑distributed chips. That makes the flaw effectively unpatchable on affected hardware.
A BootROM Exploit With Real‑World Impact
SecureROM plays a critical role in Apple’s secure boot chain. It checks the authenticity of the next stage in the boot process, ensuring that only Apple‑signed software is allowed to load. If SecureROM is compromised, the entire chain of trust can be bypassed.
usbliter8 achieves this by targeting a USB controller integrated into the A12 and A13 chips. The controller, based on a Synopsys design, mishandles certain undersized USB Setup packets. By sending three such malformed packets, an attacker can cause a memory pointer to move backward into restricted areas of memory, allowing them to write data into regions that should be off‑limits.
When triggered during the boot sequence, this manipulation lets an attacker execute arbitrary code inside SecureROM. That means an unsigned operating system or custom software can be loaded before iOS starts, effectively circumventing Apple’s normal security checks.
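The defect class described above is a USB controller accepting a SETUP packet that is shorter than the format allows and then deriving an offset or pointer from the bytes that never arrived. The following is an added, hypothetical example written for this article, not code from Paradigm Shift, Synopsys or Apple, and it makes no claim about how SecureROM's actual handler is written. It parses the standard 8-byte USB control-transfer SETUP packet (bmRequestType, bRequest, wValue, wIndex, wLength) and shows the two checks a defensive handler performs before any buffer pointer is computed: the packet must be exactly 8 bytes, and the requested data-stage length must fit the staging buffer. The sample packet and the CTRL_BUF_LEN staging-buffer size are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* A USB control-transfer SETUP packet is always exactly 8 bytes (USB 2.0 spec, section 9.3). */
#define USB_SETUP_LEN 8
/* Hypothetical size of the staging buffer used for the data stage of a control transfer. */
#define CTRL_BUF_LEN 512

typedef struct {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;
} usb_setup_t;

/* Parse a SETUP packet defensively.
 * Returns 0 on success,
 *        -1 if the packet is not exactly USB_SETUP_LEN bytes (undersized or oversized),
 *        -2 if the requested data stage would not fit in the staging buffer. */
int parse_setup_packet(const uint8_t *pkt, size_t len, usb_setup_t *out)
{
    if (pkt == NULL || out == NULL) return -1;

    /* The check that closes the defect class in the article: never accept a short
     * SETUP packet and then compute offsets from bytes that were never received. */
    if (len != USB_SETUP_LEN) return -1;

    out->bmRequestType = pkt[0];
    out->bRequest      = pkt[1];
    out->wValue        = (uint16_t)(pkt[2] | (pkt[3] << 8));   /* little-endian fields */
    out->wIndex        = (uint16_t)(pkt[4] | (pkt[5] << 8));
    out->wLength       = (uint16_t)(pkt[6] | (pkt[7] << 8));

    /* Bound the data stage before any pointer into the staging buffer is derived from it. */
    if (out->wLength > CTRL_BUF_LEN) return -2;
    return 0;
}

/* Constructed sample: a standard GET_DESCRIPTOR(DEVICE) request asking for 18 bytes. */
static const uint8_t sample_get_descriptor[USB_SETUP_LEN] = {
    0x80, 0x06, 0x00, 0x01, 0x00, 0x00, 0x12, 0x00
};

int main(void)
{
    usb_setup_t s;
    int rc = parse_setup_packet(sample_get_descriptor, sizeof sample_get_descriptor, &s);
    printf("full packet:       rc=%d bRequest=0x%02x wLength=%u\n", rc, s.bRequest, s.wLength);

    /* Constructed undersized packet: only 5 of the 8 bytes delivered. */
    rc = parse_setup_packet(sample_get_descriptor, 5, &s);
    printf("undersized packet: rc=%d (rejected before any offset is computed)\n", rc);
    return 0;
}
```

The point of the example is ordering: both checks run before the parsed fields are used for anything, so a malformed packet is dropped at the boundary instead of influencing a pointer later in the handler. A handler that instead trusts the hardware to deliver complete packets, or that validates wLength only after using it, is the pattern the article's description points at.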
Devices Affected by usbliter8
The vulnerability affects all Apple devices powered by A12, A13, S4, and S5 chips. On the iPhone side, this includes:
- iPhone XS, XS Max, and XR
- iPhone 11, 11 Pro, and 11 Pro Max
- Second‑generation iPhone SE
Beyond iPhones, the flaw also impacts several iPads, Apple Watch Series 4 and 5, certain Apple TV models, and even the HomePod mini.
Because the exploit targets the USB controller used during the boot process, any of these devices can be vulnerable if an attacker can connect specialized hardware—such as a Raspberry Pi–like tool and a custom cable—to the device while it is booting.
Physical Access Required, But That’s Enough
The researchers emphasize that usbliter8 requires physical access to the target device. An attacker must be able to plug the device into a malicious USB gadget and trigger the exploit during the boot sequence, which rules out casual remote attacks at scale.
However, in high‑risk scenarios—such as border crossings, law‑enforcement extraction, or targeted corporate espionage—this limitation is far less reassuring. Once physical access is granted, the exploit can be used to load unsigned firmware, extract data, or install persistent malware that survives normal software updates.
Paradigm Shift has already published a working proof‑of‑concept that supports A12, A13, S4, and S5 chips, underscoring that the exploit is not merely theoretical but practically usable by skilled attackers.
Why This Vulnerability Can’t Be Patched
The core issue with usbliter8 is that it resides in the BootROM, which is designed to be immutable. Unlike regular firmware or operating‑system components, SecureROM cannot be overwritten or updated after a chip leaves the factory. Any attempt to “patch” it would require redesigning the chip and producing new silicon.
As a result, Apple cannot push a software fix to devices already in users’ hands. Security patches, iOS updates, and even future versions of the operating system will not remove the underlying hardware flaw. The only complete mitigation is to move affected users onto newer hardware that uses A14 or later chips, which appear to implement the SecureROM and USB controller protections differently.
For many users, especially those on older iPhone models, this means the long‑term security of their device is now permanently diminished.
What It Means for iPhone Jailbreaking and Security
usbliter8 is being compared to the famous checkm8 exploit, which similarly targeted BootROM vulnerabilities in earlier Apple chips. Like checkm8, usbliter8 opens the door to persistent jailbreaks that cannot be neutralized by software updates.
For hobbyists and developers, this may mean easier access to low‑level system functions, custom firmware, and alternative operating systems on older iPhones. For malicious actors, it represents a powerful tool for extracting sensitive data or installing stealthy implants.
From a privacy standpoint, the exploit raises serious concerns for anyone who might lose physical control of their device, even briefly. Forensic tools that once relied on complex workarounds to bypass Apple’s security model may now be able to leverage usbliter8 to achieve deeper access more reliably.
How Users Can Protect Themselves
Because the flaw cannot be patched, the security community is unanimous on one point: the most effective defense is hardware replacement. Users who are at higher risk—journalists, activists, corporate executives, or anyone handling sensitive information—should consider upgrading to devices powered by A14 or later chips.
For those who must continue using A12 or A13‑based devices, the following precautions are recommended:
- Avoid leaving your device unattended during boot, especially in untrusted environments.
- Be cautious about connecting your iPhone to unknown or untrusted USB accessories.
- Keep your device updated with the latest iOS version to mitigate any additional software‑level vulnerabilities that could be chained with usbliter8.
- Use strong passcodes and biometric authentication to make post‑exploit data extraction more difficult.
Apple has not yet issued an official security advisory or CVE for usbliter8 as of the latest reports, and there is no public indication of active in‑the‑wild exploitation. However, the publication of a working proof‑of‑concept significantly increases the likelihood that forensic and offensive tools will eventually incorporate the exploit.
A New Chapter in Apple’s Security Story
The disclosure of usbliter8 marks a sobering reminder that even the most tightly controlled ecosystems are only as secure as their lowest‑level components. By attacking the immutable BootROM, Paradigm Shift has demonstrated that certain vulnerabilities can outlive every software update Apple releases.
For Apple, the challenge now is to reinforce SecureROM and USB controller designs in future chips, while managing the long‑tail risk of millions of devices that will remain permanently vulnerable. For users, it underscores the importance of staying informed about hardware‑level flaws and, when possible, moving to newer platforms that benefit from lessons learned from exploits like usbliter8.
In the world of mobile security, “unpatchable” is a word that sends chills down the spine. With usbliter8, that word has just become a permanent part of the story for a generation of older iPhones and Apple devices.