Debugging a Pi Zero 2W BadUSB with Claude Code: Fixing an 'Impossible' Bug

About 10 months ago, a developer built a Pi Zero 2W BadUSB toolkit but one feature — "fully resets between attacks" — never worked. Marked as WIP, it was abandoned. This week, they rebuilt the project end-to-end with Claude Code as a pair-programmer. The result: the "impossible" feature now works, and the session uncovered several subtle bugs.

What Claude Code Did

• Diagnosed root cause in one read: The listener watched /dev/hidg0 existence — true from boot — so it fired payloads on power-up regardless of host attachment. The correct signal is /sys/class/udc/<udc>/state == "configured".
• Empirically confirmed hardware limitation: When the first fix didn't fully work, Claude SSHed in, asked the dev to plug/unplug while it polled sysfs and the dwc2 debugfs regdump register. It found the GOTGCTL register freezes at 0x000d0000 regardless of cable state — the Pi Zero 2W has no VBUS sense wired to the SoC's OTG block. It pivoted to an active-unbind workaround with cooldown + rate-limit safeguard.
• Caught a silent Python bug: open(udc_path, "w").write("") doesn't invoke write(2) with zero bytes — CPython's TextIOWrapper elides the call. The unbind was a no-op for an hour of testing. Fixed to os.write(fd, b"\n") to force a syscall.
• Fixed forbidden-on-configfs teardown: rm -rf was failing because configfs forbids unlinking kernel-managed attribute files. Proper sequence is rmdir-only, leaf-to-root.
• Wrote a 34-test pytest suite against a mock HID engine, enabling parser testing on any host without a Pi.
• Updated AI memory: The developer uses Postgres as long-term memory for Claude — those bug entries are now referenced in similar configfs/USB-gadget projects.

The entire working session took about 4 hours, mostly waiting for physical plug/unplug. The PR had six well-scoped commits with proper co-author tags and a test plan. The project (Pi-Zero-2W-Bad-USB) is MIT licensed, with Ducky-Script-style payload language, variables, IF/WHILE, HOLD/RELEASE, INJECT MOD, RANDOM *, US/UK keymaps, optional RO mass-storage gadget, systemd integration, and idempotent installer.

For developers doing hardware-in-the-loop workflows with Claude Code, this is a compelling case study in AI-assisted debugging at the sysfs and register level.