Bypass iPhone with Pi Pico 2: The New usbliter8 Exploit Explained

The hardware hacking and jailbreak communities have been rocked by the release of usbliter8. Discovered and published by the offensive security firm Paradigm Shift, this is the first public, unpatchable hardware-level exploit since checkm8.

By chaining a silicon-level USB flaw with a configuration oversight, researchers have achieved arbitrary code execution directly inside Apple’s SecureROM (BootROM). Because this code is permanently burned into the processor during manufacturing, Apple cannot patch this flaw with a software update. Affected devices will carry this vulnerability for their entire operational lifespan.

Here is the complete guide to the usbliter8 exploit: the supported chips, every compatible device model, the methodology, and the required hardware.


📱 Supported Chips & Device Model List

The usbliter8 vulnerability explicitly targets Apple A12, A13, S4, and S5 Systems-on-Chip (SoCs). Devices powered by A11 or older are not vulnerable, while A14 and newer chips have correctly hardened hardware boundaries.

iPhones

  • iPhone XR (A12)
  • iPhone XS & XS Max (A12)
  • iPhone 11 (A13)
  • iPhone 11 Pro & 11 Pro Max (A13)
  • iPhone SE (2nd Generation, 2020) (A13)

iPads

  • iPad Air (3rd Generation)
  • iPad mini (5th Generation)
  • iPad (8th & 9th Generation)
  • iPad Pro 11-inch (1st & 2nd Gen – A12X/A12Z)
  • iPad Pro 12.9-inch (3rd & 4th Gen – A12X/A12Z)

Apple Watches & Wearables

  • Apple Watch Series 4 (S4)
  • Apple Watch Series 5 (S5)
  • Apple Watch SE (1st Generation) (S5)
  • HomePod mini (S5)

Additional Displays & Apple TV

  • Apple TV 4K (2nd Generation)
  • Apple Studio Display

🛠️ The Method: How It Works

Hardware requirements

The exploit abuses a very low-level bug in the USB controller. This means the default Mac/PC USB stack cannot normally reach it, so instead we use Raspberry Pi's RP2350-based microcontroller boards.

The board we use is the Raspberry Pi Pico 2/2W with a Lightning to USB-A cable, optionally with the R13 resistor removed.

Other RP2350-based boards can be used as well if you cut a Lightning cable and solder it directly to corresponding pins.

Wiring

Typically GPIO12 & 13 are used for D+ & D- signals respectively, but that’s configurable. Do NOT use USB-C cables, as those often have a very different pinout. And keep the remaining cable (with the Lightning end) relatively short.

Here is a list of the boards we tested the exploit on:

The RP2040 can theoretically be used as well, but this is currently NOT very stable, and the Apple A13 SoC does NOT work on it at all.

Flashing firmware

Compiled UF2 images for the boards mentioned above are available here (a zip file will be downloaded). They can be flashed either via the mass storage protocol of the RP2350 bootrom or via picotool.

Go to boards.

Select the untested or pipico 2 image.

If your board is not among the supported ones, you can create your own board configuration file (in the /boards folder) and refer to the building instructions that come later in this README.

Exploiting

  1. Enter DFU mode. Do this while the device is connected to your Mac/PC
    • Do NOT enter DFU by breaking LLB – this will not work
  2. Unplug it from the Mac/PC and replug it into your RP2350 board (the Pi Pico controller)
  3. In a few seconds, the exploit will finish

There are 2 ways you can watch the process:

  1. RP2350 appears as a virtual COM-port – the exploit logs will be printed there
  2. Via on-board LED

If LED is RGB:

  1. Blinking orange – RP2350 is booting (takes ~2 seconds)
  2. Steady orange – idle, ready to exploit
  3. Blue – exploit in progress
  4. Green – exploit succeeded!
  5. Red – exploit failed

If LED is single-color:

  1. Slow blinking (200 ms period) – RP2350 is booting (takes ~2 seconds)
  2. Breathing – idle, ready to exploit
  3. Rapid blinking (100 ms) – exploit in progress
  4. Steady – exploit succeeded!
  5. Off – exploit failed

The exploit takes 0.7 – 1.2 seconds to run. After either success or failure, you need to reboot the microcontroller board – via the on-board button, via picotool, or just by replugging power.

After exploiting

Replug the device back to your Mac/PC.

In the USB serial number you should see the PWND string at the end, for instance:

CPID:8020 CPRV:11 CPFM:03 SCEP:01 BDID:0E ECID:XXXXXXXXXXXXXXXX IBFL:3C SRTG:[iBoot-3865.0.0.4.7] PWND:[usbliter8]
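For triage on the defender's side, the DFU serial string above is the only artifact a host sees, so it is worth parsing it rather than eyeballing it: the CPID tells you whether the chip is in the affected set, and a trailing PWND field tells you the BootROM in the current DFU session reports itself as exploited. The following parser is an added example and is not code from the usbliter8 repository; the sample strings are constructed from the format shown above, CPID 8020 (A12) is the only identifier on the page, and the 8027 (A12X/A12Z) and 8030 (A13) entries are assumptions drawn from public SoC identifiers.

```python
"""Parse an Apple DFU USB serial string and flag usbliter8 markers.

Added example, not part of the usbliter8 project. CPID 8020 (A12) comes
from the post; 8027 and 8030 are assumed public SoC identifiers.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed samples following the format printed in the post (ECID masked).
SAMPLE_PWNED = ("CPID:8020 CPRV:11 CPFM:03 SCEP:01 BDID:0E "
                "ECID:XXXXXXXXXXXXXXXX IBFL:3C "
                "SRTG:[iBoot-3865.0.0.4.7] PWND:[usbliter8]")
SAMPLE_CLEAN = ("CPID:8030 CPRV:11 CPFM:03 SCEP:01 BDID:04 "
                "ECID:0000000000000000 IBFL:3C SRTG:[iBoot-3865.0.0.4.7]")

# CPID -> SoC family for the chips the post lists as affected.
AFFECTED_CPIDS = {
    "8020": "A12",          # on the page
    "8027": "A12X/A12Z",    # assumption, not stated by the post
    "8030": "A13",          # assumption, not stated by the post
}

# KEY:value pairs; bracketed values (SRTG, PWND) may contain spaces/dots.
FIELD_RE = re.compile(r"([A-Z]+):(\[[^\]]*\]|\S+)")


@dataclass
class DfuInfo:
    fields: Dict[str, str]
    cpid: str
    pwned_by: Optional[str]
    affected_family: Optional[str]

    @property
    def exploited(self) -> bool:
        # The BootROM only appends PWND after a successful run in this session.
        return self.pwned_by is not None


def parse_dfu_serial(serial: str) -> DfuInfo:
    """Split the serial string into fields and classify the device."""
    fields = {key: value.strip("[]") for key, value in FIELD_RE.findall(serial)}
    cpid = fields.get("CPID", "").upper()
    return DfuInfo(
        fields=fields,
        cpid=cpid,
        pwned_by=fields.get("PWND"),
        affected_family=AFFECTED_CPIDS.get(cpid),
    )


def triage(serial: str) -> str:
    """One-line verdict suitable for an inventory or incident note."""
    info = parse_dfu_serial(serial)
    chip = info.affected_family or f"CPID {info.cpid}"
    if info.exploited:
        return f"EXPLOITED: BootROM reports PWND:[{info.pwned_by}] on {chip}"
    if info.affected_family:
        return (f"AT RISK: {chip} (CPID {info.cpid}) is in the usbliter8-affected "
                f"set; no PWND marker in this DFU session")
    return f"NOT LISTED: CPID {info.cpid} is not in the affected set"


if __name__ == "__main__":
    for sample in (SAMPLE_PWNED, SAMPLE_CLEAN):
        print(triage(sample))
```

Because the SecureROM is read-only, nothing about the exploited state survives a reset: the PWND marker describes the current DFU session only, so a clean string on an affected chip means "not exploited right now", not "never exploited". Treat the AT RISK verdict as the durable finding.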

There is a Python control tool (usbliter8ctl) in the repo which allows you to demote production mode or boot raw iBoot (“raw” as in decrypted and free of any container).

The control tool depends on pyusb, which you can install from pip.

➜  usbliter8 git:(main) ✗ ./usbliter8ctl
usage: usbliter8ctl [-h] {boot,demote} ...

Love is Control

positional arguments:
  {boot,demote}
    boot         boot raw iBoot
    demote       demote production mode

options:
  -h, --help     show this help message and exit

The Architectural Difference (A12 vs. A13)

  • A12 Chipsets: The attack is straightforward. The memory corruption directly overwrites a saved link register on the stack to run custom payloads.
  • A13 Chipsets: Apple introduced Pointer Authentication Codes (PAC) on the A13 to prevent control-flow hijacking. Bypassing this requires a more complex, multi-stage layout to trick the hardware into executing unsigned iBoot images without triggering a PAC fault.

🍓 Why the Raspberry Pi Pico 2 (RP2350) is Required

You cannot run this exploit from a standard PC or standard microcontrollers like the ESP32 or STM32. Standard hardware USB engines have strict USB protocols burned directly into their physical layers, which automatically fix or block illegal packet structures.

The usbliter8 payload requires absolute, cycle-accurate control over the physical data lines to intentionally violate USB specifications.

The Raspberry Pi Pico 2, powered by the RP2350 chip, features unique Programmable I/O (PIO) blocks. These are ultra-fast, independent state machines that allow engineers to “bit-bang” their own software-defined communication engines. By bypassing rigid hardware USB limitations, the Pico 2 can fire off non-compliant, malformed data blocks at the exact microsecond intervals required to collapse the target SoC’s memory boundaries.

Once connected to a target device in DFU mode, the Pico 2 injects and successfully executes the payload in under two seconds.


🔐 What This Means for Security and Privacy

While usbliter8 completely breaks the early-stage boot chain of trust, it does not automatically grant access to user data.

User files, passcodes, and biometric profiles remain protected behind the physical security boundary of the Secure Enclave Processor (SEP), which runs on its own isolated hardware architecture and is unaffected by this exploit. However, because an investigator or researcher can now load custom kernels and disable low-level signatures, it dramatically opens up local attack surfaces to audit or reverse-engineer subsequent vulnerabilities.


🌐 Official Resources & Documentation

https://github.com/prdgmshift/usbliter8/blob/main/README.md
