Tags: Enterprise · Objective-C++ · iOS Internals · Kernel · IOKit · Mach
iOS Jailbreak R&D Toolchain
Built at Handjoy Global Technology · 2017 – 2019
Built a dual-process injection system for iOS 10/11 that injects custom dylibs into backboardd and SpringBoard, enabling system-level touch simulation and controller input mapping.
Details
- Designed a dual-process injection architecture: BBPayload (injected into backboardd) for system-level touch event synthesis via IOHIDEventSystemClientDispatchEvent, and SBPayload (injected into SpringBoard) for app lifecycle monitoring and the controller UI overlay.
- Implemented low-level IOHIDEvent touch synthesis (Touch.mm) that creates multi-finger digitizer events with IOHIDEventCreateDigitizerFingerEventWithQuality, supporting simultaneous TOUCH_DOWN / TOUCH_MOVE / TOUCH_UP with UUID-based finger tracking.
- Built inter-process communication over TCP (GCDAsyncSocket) and UDP between BBPayload and SBPayload, with custom packet framing (<HEAD>length<CONTENT>data) for reliable bidirectional messaging.
- Implemented runtime method swizzling to hook SpringBoard's frontDisplayDidChange: and SBHomeHardwareButton's initialButtonUp: for detecting app foreground/background transitions and triggering controller mapping activation.
- Used jelbrekLib and qilin for kernel exploit primitives: kernel read/write via KernelRead_64bits/KernelWrite_64bits, ucred credential escalation (replacing the process ucred with the kernel/sysdiagnose ucred), trust cache injection via trustbin(), and dylib injection via inject_dylib().
- Supported both iOS 10 (MeridianJB-based) and iOS 11 (Electra-based) jailbreak environments, with multiple Electra variants (electra, electra1131) and a custom HandJoyS module.
- The toolchain directly powers the HJHelper SDK and the PTFakeTouch open-source library, enabling precise touch simulation for 60+ game titles.
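Added example, not code from the toolchain or from HandJoy: a receiver for the <HEAD>length<CONTENT>data framing written in C++ (the C++ side of the project's Objective-C++). It assumes the length is decimal ASCII and imposes a hypothetical 64 KiB cap, reassembling frames across TCP chunk boundaries and rejecting oversized or malformed lengths instead of allocating on a peer-supplied value.

```cpp
#include <cstddef>
#include <string>
#include <string_view>
#include <vector>
// Assumed layout (the page names only the markers): "<HEAD>" + decimal length + "<CONTENT>" + payload.
static constexpr std::string_view kHead = "<HEAD>";
static constexpr std::string_view kContent = "<CONTENT>";
static constexpr size_t kMaxPayload = 64 * 1024;  // hypothetical cap; a peer-supplied length is never trusted unbounded

enum class FrameStatus { Ok, Incomplete, Malformed };

// Match a literal marker at buf[pos]; Incomplete while buf is still a valid prefix of it.
static FrameStatus matchMarker(std::string_view buf, std::string_view marker, size_t& pos) {
    std::string_view rest = buf.substr(pos);
    size_t n = rest.size() < marker.size() ? rest.size() : marker.size();
    if (rest.substr(0, n) != marker.substr(0, n)) return FrameStatus::Malformed;
    if (n < marker.size()) return FrameStatus::Incomplete;
    pos += marker.size();
    return FrameStatus::Ok;
}

// Parse one frame from the front of buf. On Ok, payload holds the data and consumed the bytes used.
FrameStatus parseFrame(std::string_view buf, std::string& payload, size_t& consumed) {
    size_t pos = 0, len = 0, digits = 0;
    if (FrameStatus st = matchMarker(buf, kHead, pos); st != FrameStatus::Ok) return st;
    while (pos < buf.size() && buf[pos] >= '0' && buf[pos] <= '9') {
        len = len * 10 + static_cast<size_t>(buf[pos] - '0');
        if (len > kMaxPayload) return FrameStatus::Malformed;  // rejects oversized lengths before they can overflow
        ++pos; ++digits;
    }
    if (pos == buf.size()) return FrameStatus::Incomplete;  // more length digits may still arrive
    if (digits == 0) return FrameStatus::Malformed;         // "<HEAD><CONTENT>..." carries no length
    if (FrameStatus st = matchMarker(buf, kContent, pos); st != FrameStatus::Ok) return st;
    if (buf.size() - pos < len) return FrameStatus::Incomplete;
    payload.assign(buf.data() + pos, len);
    consumed = pos + len;
    return FrameStatus::Ok;
}

struct FrameDecoder {  // stream reassembler: feed socket chunks, collect complete frames, keep the remainder
    std::string pending;  // bytes received but not yet consumed
    // Returns false once the stream is malformed; the caller should close the connection.
    bool feed(std::string_view chunk, std::vector<std::string>& out) {
        pending.append(chunk.data(), chunk.size());
        for (;;) {
            std::string payload; size_t used = 0;
            FrameStatus st = parseFrame(pending, payload, used);
            if (st != FrameStatus::Ok) return st == FrameStatus::Incomplete;
            out.push_back(std::move(payload));
            pending.erase(0, used);
        }
    }
};
```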