Unpatchable BootROM Flaw Hits iPhone XS, XR, and iPhone 11 Models

Security firm Paradigm Shift has disclosed a new BootROM vulnerability affecting Apple's A12 and A13 processors. Dubbed usbliter8, the exploit chains a hardware bug in the USB controller with a firmware configuration flaw to achieve full application processor boot chain compromise—and Apple cannot fix it through software updates.

The affected devices include iPhone XS, XS Max, XR, and the entire iPhone 11 lineup, along with several iPad models and Apple Watch generations. Millions of devices will carry this vulnerability for their remaining operational lifetime.

How usbliter8 Works

The exploit targets devices in DFU (Device Firmware Update) mode, sending specially crafted USB data that confuses the Synopsys DWC2 USB controller. According to 9to5Mac's reporting, this causes the controller to write data to incorrect memory locations, giving attackers control over the startup process.

Once the boot chain is compromised, attackers can bypass signature verification and run unsigned code before iOS loads. This is the same class of vulnerability as checkm8, which affected A5 through A11 chips and spawned the checkra1n jailbreak.

BootROM code is burned into silicon during manufacturing. Unlike firmware that can be updated, the SecureROM is immutable—any flaw present when the chip leaves the factory remains present forever.

Affected Devices

A12 Bionic:

• iPhone XS, XS Max, XR
• iPad Air (3rd generation)
• iPad mini (5th generation)
• iPad (8th generation)
• Apple TV 4K (2nd generation)

A13 Bionic:

• iPhone 11, 11 Pro, 11 Pro Max
• iPhone SE (2nd generation)
• iPad (9th generation)
• Studio Display

S4/S5 (Apple Watch):

• Apple Watch Series 4 and 5
• Apple Watch SE (1st generation)
• HomePod mini

A12X and A12Z variants in iPad Pro (2018, 2020) models may also be vulnerable.

Limitations and Real-World Impact

The exploit requires physical USB access while the device is in DFU mode. Remote exploitation isn't possible. The Secure Enclave—which protects passcodes, Face ID data, and encryption keys—remains uncompromised. Attackers cannot directly access encrypted user data through usbliter8 alone.

That said, Paradigm Shift notes the exploit "opens up wider attack vectors to compromise the Secure Enclave" through chained exploits. Boot chain control is a powerful primitive.

For most users, the practical risk is limited. Physical access requirements mean targeted attacks against specific individuals rather than mass exploitation. However, high-value targets—executives, journalists, activists, government officials—should consider device refresh cycles.

The Bigger Picture

Apple's A11 and earlier chips remain vulnerable to checkm8. Now A12 and A13 join that list. Only A14 and newer generations appear unaffected, which means devices from 2020 onward (iPhone 12 series and later) are the safe bet for security-conscious users.

Organizations with compliance requirements should assess whether affected devices meet their risk tolerance. The jailbreak community views this as liberation; security teams see it as attack surface that persists until hardware retirement.

Unlike software vulnerabilities that vendors can patch, hardware flaws force difficult decisions about device lifecycle. Apple hasn't commented publicly on usbliter8, but no statement can change the underlying reality: these chips will remain exploitable.