Cracking open what makes Apple's Low-Latency WiFi so fast
Apple's Continuity features make up a big part of its walled garden. From AirDrop and Handoff to AirPlay, they all connect macOS and iOS devices wirelessly. In recent years, security researchers have opened up several of these features, showing that the Apple ecosystem is technically compatible with third-party devices.
In this talk, we present the internal workings of Low-Latency WiFi (LLW) – Apple's link-layer protocol for several real-time Continuity features like Continuity Camera and Sidecar Display. We talk about the concepts behind LLW, how it meets its low-latency requirement, and how we got there in the reverse engineering process.
We also present the tooling we built to enable more kernel-level tracing and logging on iOS through a reimplementation of cctool from macOS and the source code of trace, which was buried deep inside Apple’s open-source repository system_cmds. We build a log aggregator that combines various kernel- and user-space traces, log messages and pcap files from both iOS and macOS into a single file. Finally, we investigate the network stack on Apple platforms, which is implemented in both user space and kernel space. There we find interesting configuration values of LLW that make it the go-to link-layer protocol for Apple's proprietary real-time Continuity applications.