This is not a remote attack. It requires physical possession of the device, which must be in DFU mode and connected via USB to a dedicated RP2350-based microcontroller board. With that setup, the exploit finishes in under two seconds, before Apple's signed boot chain loads.
The problem in one line
Anyone with physical access to one of these devices, a USB cable, and a low-cost microcontroller board could, in under two seconds, execute their own code within the very first link of the secure boot chain. No prior jailbreak. No software exploits. No future update can ever reverse it.
That’s USBLiter8.
