
Fix for matchless payloads not running



Hey all,

I found myself in the situation that any matchless payloads I wrote (e.g. payloads without a MATCH sequence) would not run on boot of the Key Croc. I tried many things, like setting ATTACKMODE HID with and without specific hardware properties, attaching a keyboard even though it should not be necessary etc. Nothing worked.

While debugging I found the matchless payload detection in the "croc_framework" file (/usr/local/croc/bin) to be badly implemented. The grep would not reliably detect non-match payloads and also did not take into account commented lines (#) or whitespace. This can be found in line 538 in the function execute_non_match_payloads() in the original 06/2020 firmware. The original line 538 is:

for p in $(find /root/udisk/payloads -type f | xargs grep -c 'MATCH'|grep 0$|cut -d':' -f1)

Replace it with:

for p in $(find /root/udisk/payloads -type f | xargs grep -cHP '^(?=[\s]*+[^#])[^#]*(MATCH)' | grep 0$ | cut -d':' -f1)

... and now find yourself with working matchless payloads! For me, these are really important and provide great use cases.


Best regards,
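
Added example, not part of the original post or the Key Croc firmware: a per-file check that avoids parsing `grep -c` output, run next to the original pipeline over constructed sample payloads. The function names, the temporary directory and the simplified pattern `^[^#]*MATCH` (MATCH with no `#` before it on the line) are assumptions of this example.

```shell
#!/bin/sh
# Select "matchless" payloads by testing each file, not by parsing grep -c counts.

# True when no line of file $1 has MATCH before a '#'
# (commented-out MATCH lines are ignored).
is_matchless() {
    ! grep -Eq '^[^#]*MATCH' "$1"
}

# Print every file under directory $1 accepted by is_matchless, one per line.
# read -r keeps file names with spaces intact.
list_matchless() {
    find "$1" -type f | sort | while IFS= read -r p; do
        if is_matchless "$p"; then printf '%s\n' "$p"; fi
    done
}

# The original firmware pipeline quoted above, with the directory as a parameter.
legacy_select() {
    find "$1" -type f | sort | xargs grep -c 'MATCH' | grep 0$ | cut -d':' -f1
}

# Constructed sample payloads (not taken from the firmware or the thread).
make_samples() {
    d=$(mktemp -d)
    printf 'QUACK DELAY 10000\nQUACK STRING test\n' > "$d/plain.txt"
    printf '# MATCH disabled\nQUACK STRING test\n' > "$d/commented.txt"
    printf 'MATCH hello\nQUACK STRING world\n' > "$d/match.txt"
    i=0; : > "$d/ten.txt"
    while [ "$i" -lt 10 ]; do echo "MATCH word$i" >> "$d/ten.txt"; i=$((i + 1)); done
    printf '%s\n' "$d"
}

dir=$(make_samples)
echo "per-file check selects:";  list_matchless "$dir"   # commented.txt, plain.txt
echo "legacy pipeline selects:"; legacy_select "$dir"    # plain.txt, ten.txt
rm -rf "$dir"
```

When the payload directory holds a single file, `grep -c` prints the count without a file name, so the original pipeline yields `0` instead of a path.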



Hey lartsch,

do you have a minimal working example for a payload and / or can provide your config.txt?

While indeed the payload.txt/sh is now being run (e.g. LED cmds work now - thank you!) I still have the problem that every `QUACK` or `Q` command does not get executed.

I've tried it even interactively like `QUACK STRING hello` and run `ATTACKMODE HID` before but there won't be any keys typed.

However it worked combined with `MATCH`.

Do you have the same problem or an idea in how to fix this?

Thank you very much!




Hey Konstantin,

I've found the following which may help you (provided you use the matchless fix):

  • For a matchless payload to run WITH a keyboard attached, OMIT the ATTACKMODE HID. Test it by writing a payload with only QUACK DELAY 10000 and QUACK STRING "test". Focus a text field, replug the Key Croc (with the keyboard attached) and (hopefully) see it working.
    • EDIT: THIS MIGHT NOT BE TRUE, as I just found that croc_framework runs the keyboard cloning init function AFTER starting matchless payload execution - since these run as background processes it's kind of a gamble if the cloning is done BEFORE the payload is actually run. I fixed it for me by initializing the keyboard cloning before running matchless and making the execute_non_match_payloads function run in foreground (key parser for match based payloads will start AFTER the matchless are finished, which is a behavior I prefer but probably not everybody)
  • For a matchless payload to run WITHOUT a keyboard attached, include the ATTACKMODE HID, either with or without specifying VID and PID. Test it by adding ATTACKMODE HID before the other 2 lines from the test above.
  • For match based payloads, since you always have a keyboard attached in this case, you can OMIT the ATTACKMODE HID if you want to use the cloned keyboard properties. Or overwrite them using the ATTACKMODE options.

General notes:

  • always eject the Key Croc in a secure way
  • add delays if something does not work as intended, might help

Hope it helps!


Best regards, Lartsch


43 minutes ago, Darren Kitchen said:

@lartsch thank you for the invaluable feedback, bug report, and fix. We're investigating this issue further and testing the patch you've provided as we continue work on the next firmware release.

Hi Darren,

you're welcome. I got quite some more framework fixes and would love to contribute if there was a public repository (at least for everything in /usr/local/croc and for the documentation).

For your fix, please see my edit in my last post here in the thread.

Best regards, lartsch


// ... and great to hear you guys are working on an update - any chance you can release a tool / information on how to modify the kernel?


Hi @lartsch,
I've only tried matchless without a keyboard but it works now - thank you very much 😉

@Darren Kitchen I would also love to see at least the /usr/local/croc/bin code available on e.g. GitHub. I've also changed some files in order to do things like a passive OS detection via DHCP or making it possible to mount custom images for the STORAGE gadget.



This topic is now archived and is closed to further replies.
