Technology · Jun 19, 2026 · 2 min read

iPhone XS, XS Max, XR and iPhone 11 have an unfixable security flaw

Paradigm Shift

Paradigm Shift has made public usbliter8, a vulnerability in the BootROM of the Apple A12 and A13 chips that cannot be corrected by a software update. The exploit affects the iPhone XS, XS Max, XR and iPhone 11, as well as several iPad models and the Apple Watch models built on the S4 and S5 chips. Because the BootROM is read-only code fixed in the silicon at manufacture, any defect in it cannot be patched, which leaves these devices permanently vulnerable.

The mechanism: a USB pointer that moves backward

The flaw resides in the Synopsys DWC2 USB controller integrated into the affected chips. During boot-up, the controller uses a memory buffer to receive incoming USB packets. Paradigm Shift discovered that by sending a sequence of unusually small packets, it is possible to manipulate an internal hardware pointer, causing it to move backward in memory and write data to locations that should never be reached. The complete mechanism is documented in Paradigm Shift's technical blog, and the proof-of-concept is available on GitHub, where it has already accumulated over 280 stars in a few hours.

The A11 (iPhone X) is not vulnerable because its USB driver explicitly resets the pointer after each received packet. A14 and later chips are safe because they correctly configure a memory protection feature at the BootROM level. usbliter8 therefore applies to a specific range of Apple chips: A12, S4, S5 and A13.

On A12 devices, achieving code execution is relatively straightforward. On A13 the complexity increases significantly: Apple introduced Pointer Authentication Codes (PAC) on that chip, and circumventing them required a multi-stage process that corrupts several memory structures in sequence before control of the processor is gained. Once control is established, the exploit installs a handler that persists across a reboot and allows the device's security settings to be temporarily lowered so that unsigned software can be launched.

Risk perimeter and mitigations

The exploit cannot be triggered remotely: it requires physical access to the device and a USB connection while the device is in DFU mode. The proof-of-concept uses microcontroller boards based on the Raspberry Pi RP2350 with modified Lightning cables, because the standard USB stacks of Mac and PC hosts cannot issue the low-level packet sequence the controller bug requires. usbliter8 does not directly compromise the Secure Enclave, so encrypted data and passcodes remain protected; however, a compromise at the BootROM level opens up broader attack vectors that could eventually target the Secure Enclave itself. Paradigm Shift carried out responsible disclosure with Apple Product Security before publication. As a signal of compromise, the exploit injects the string PWND into the USB serial number reported by the device, a convention inherited from checkm8.
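The PWND marker is the one observable the article gives a defender, so here is an added triage example (not code from Paradigm Shift or from the usbliter8 repository) that parses the DFU-mode USB serial string and reports whether a device is on an exploitable chip and whether it currently carries the marker. It assumes the checkm8-style serial format (space-separated KEY:VALUE fields, bracketed values for SRTG and PWND) and that usbliter8 reuses the PWND key as the article states; the CPID values for A11/A12/A13/A14 and all sample strings are assumptions constructed for the example, not captured device data, and the watch CPIDs for S4/S5 are deliberately left out because the page does not state them.

```python
import re

# Constructed sample serial strings in the checkm8-style DFU format (not captured
# from real devices). The ECID and iBoot version values are made up.
SAMPLES = {
    "clean_a12": "CPID:8020 CPRV:11 CPFM:03 SCEP:01 BDID:0E ECID:000012345678ABCD "
                 "IBFL:3C SRTG:[iBoot-3865.0.0.4.7]",
    "pwned_a13": "CPID:8030 CPRV:11 CPFM:03 SCEP:01 BDID:04 ECID:00001122334455AA "
                 "IBFL:3C SRTG:[iBoot-4479.0.0.100.4] PWND:[usbliter8]",
    "pwned_a11": "CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:0A ECID:0000AABBCCDD0011 "
                 "IBFL:3C SRTG:[iBoot-3332.0.0.1.23] PWND:[checkm8]",
    "clean_a14": "CPID:8101 CPRV:01 CPFM:03 SCEP:01 BDID:08 ECID:000000FFEEDDCC11 "
                 "IBFL:3C SRTG:[iBoot-6723.0.0.0.47]",
}

# Chip identifiers (CPID) as reported in the DFU string. These values are an
# assumption of this example; verify them against your own devices before relying
# on them. The S4/S5 watch chips are omitted because the article does not give them.
KNOWN_CPIDS = {0x8015: "A11", 0x8020: "A12", 0x8030: "A13", 0x8101: "A14"}

# BootROM exploit family affecting each CPID, per the article: checkm8 stops at A11,
# usbliter8 covers A12 and A13, A14 and later are not affected. Only A11 is listed
# for checkm8 here; the full A5-A11 list is omitted.
BOOTROM_EXPLOIT_BY_CPID = {0x8015: "checkm8", 0x8020: "usbliter8", 0x8030: "usbliter8"}

# KEY:VALUE tokens; a value is either a bracketed string ("[iBoot-...]", "[checkm8]")
# or a run of non-space characters.
FIELD_RE = re.compile(r"([A-Z]+):(\[[^\]]*\]|\S+)")


def parse_dfu_serial(serial: str) -> dict:
    """Split a DFU serial string into its fields, stripping brackets from values."""
    fields = {}
    for key, value in FIELD_RE.findall(serial):
        if value.startswith("[") and value.endswith("]"):
            value = value[1:-1]
        fields[key] = value
    return fields


def assess(serial: str) -> dict:
    """Classify one device: chip, whether a public BootROM exploit exists for it,
    and whether the serial string currently carries a PWND marker."""
    fields = parse_dfu_serial(serial)
    cpid = int(fields["CPID"], 16) if "CPID" in fields else None
    marker = fields.get("PWND")  # e.g. "usbliter8" or "checkm8"; None when absent
    return {
        "cpid": cpid,
        "chip": KNOWN_CPIDS.get(cpid, "unknown"),
        "bootrom_exploit": BOOTROM_EXPLOIT_BY_CPID.get(cpid),
        "currently_pwned": marker is not None,
        "pwned_marker": marker,
        "ecid": fields.get("ECID"),
    }


def triage(serials: dict) -> list:
    """Return (label, chip, exploit, currently_pwned) for every device that is
    either on an exploitable chip or already shows the PWND marker."""
    findings = []
    for label, serial in serials.items():
        result = assess(serial)
        if result["bootrom_exploit"] or result["currently_pwned"]:
            findings.append((label, result["chip"], result["bootrom_exploit"],
                             result["currently_pwned"]))
    return findings


if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(row)
```

In practice the string comes from the iSerialNumber descriptor of the device while it sits in DFU mode (for example via pyusb or `system_profiler SPUSBDataType` on macOS). Treat the result as an inventory aid, not an attestation: the marker is written by the exploit and only reflects what the device reports in its current DFU session, so its absence says nothing about code that may have run earlier, and a device on an exploitable chip stays exploitable whether or not the marker is present.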

checkm8, disclosed in 2019, covered the A5 through A11 chips, from the iPhone 4S to the iPhone X. Together with usbliter8, the two exploits leave every iPhone from the 4S to the 11 exposed to an unpatchable BootROM-level jailbreak. The relevance is tangible: the iPhone 11, based on the A13, is the oldest model that supports iOS 26 and is expected to remain supported in iOS 27. Because the attack needs physical access and a USB connection in DFU mode, controlling physical access to affected devices limits exposure, but the only definitive mitigation remains moving to hardware with an A14 chip or later.