gum-graft

Purpose

gum-graft pre-patches Mach-O binaries so that Frida’s Interceptor can instrument them in environments where runtime code modification is blocked by strict code-signing enforcement.

Primary use case: Jailed Apple mobile devices (iOS/iPadOS) running an app without a debugger attached.

Prerequisites

• Target: Mach-O binary (Apple mobile platforms)
• Required Gadget configuration: set code_signing option to required in the Frida Gadget config
• Download gum-graft from: https://github.com/frida/frida/releases

When to Use

CLI Reference

Usage: gum-graft [OPTION?] BINARY - graft instrumentation into Mach-O binaries

Help Options

Application Options

Usage Notes

• -i / --instrument: Use when you know the exact offset(s) to instrument (e.g., a specific function address within the binary).
• -s / --ingest-function-starts: Instruments every function recorded in the LC_FUNCTION_STARTS Mach-O load command — broadest coverage, largest overhead.
• -m / --ingest-imports: Instruments all imported functions at the boundary, useful for tracing library calls.
• -z / --transform-lazy-binds: Converts lazily-bound imports to eagerly-bound; experimental — may affect startup behavior.

Workflow

1. Build and sign the target binary with Frida Gadget embedded.
2. Set Gadget code_signing to required in its JSON config.
3. Run gum-graft against the binary with the desired instrumentation options.
4. Re-sign the patched binary with your provisioning profile.
5. Deploy to the jailed device — Interceptor hooks will fire at the pre-patched sites.