Yeah the wii mote method is really unlikely.
I wanna try something like you described with the usb devices but unfortunately I don't know of any emulator for IOS.
I use dolphin for everything on the PPC side.
The only thing I can think of is using an existing IOS exploit to inject some kind of debugger into IOS in an unused memory region and hook the exception vectors.
Then at least you can get some kind of crash dump of it if you can actually find any usb crashes.
I haven't look at IOS at all so I'm not sure how hard static analysis is for it (fuck all the bctr instructions that the PPC side loves so much, they make static analysis annoying) but I hope it's as buggy as the rest of IOS
Unfortunately I have NO experience with ARM so I would both be learning ARM and doing blind injection with no debugger so I really just don't have the experience to pull anything like that off right now.
I have always been curious as to how Team Twizzers (now Fail0verflow) did this in the first place. How do you blindly exploit something like that?!?!
I can't imagine doing any of the work I have done without dolphin and its debugging stuff. And even then I had to add more debugging goodies (conditional breakpoints were a must for looping stuff) and it still took me months.
These guys pulled it off with such precision and in such a short amount of time it still amazes me.
As a side note no I'm not dead and I hope to have something new to show you guys soon.(TM)
ETA of maybe a week or so I nothing else goes wrong.