BluUBomb - A primary Wii U entrypoint via Bluetooth


BluUBomb exploits the Wii U's Bluetooth stack to gain IOSU kernel access via Bluetooth.

Not to be confused with BlueBomb for the Wii and Wii Mini.

What does this mean?
This means you can get IOSU code execution by only pairing an emulated Wii Remote to the system.

This should be useful to fix a few softbricks on the Wii U side.
You don't need a working browser or Mii Maker.
If you've messed up with regionhax and can no longer access the browser, BluUBomb can fix this as well.

The BluUBomb repository contains a few different kernel binaries for different purposes:

loadrpx.bin
Launches a launch.rpx from the root of your SD card on the next application launch.

regionfree.bin
Applies IOSU patches to temporarily remove region restrictions.
This should be helpful if you've locked yourself out of your applications due to permanent region modifications.

wupserver.bin
Launches a wupserver instance directly after using bluubomb.
This gets you full system access remotely via wupclient (replace the IP in line 29 with the one of your Wii U).
This works without having to leave the controller pairing screen.

Check out the repository for additional instructions:
https://github.com/GaryOderNichts/bluubomb

The write-up and technical details can be found here:
https://github.com/GaryOderNichts/bluubomb/blob/master/WRITEUP.md

Credits
  • GaryOderNichts - bluUbomb
  • rnconrad for the WiimoteEmulator
  • dimok789 and everyone else who made mocha possible
 

banjo2

> cool I have a wiiu sitting in a draw somewhere that had a NNID and parental pin set and no wifi setup, so short of me trying 9999 pins it would be dead I assume this should be able to wipe the parental controls pin if such a homebrew app exists, I had pretty much given up on the console when I couldn't get my arduino pin brute forcer to work as a USB keyboard on the wii u

Couldn't you use a key generator? https://mkey.salthax.org/
 

gamesquest1

> Couldn't you use a key generator? https://mkey.salthax.org/

nope, that's what I originally thought when I was offered the console, but it's kinda locked in a state of either knowing the password on the NNID account or the parental pin to access the settings as I can't even get to the Home Screen or settings screen to do anything on the console
 

Vague Rant

> nope, that's what I originally thought when I was offered the console, but it's kinda locked in a state of either knowing the password on the NNID account or the parental pin to access the settings as I can't even get to the Home Screen or settings screen to do anything on the console

You know, Maschell was in this exact situation after purchasing a preowned Wii U which had parental controls enabled. Something that's worth considering is that a lot of people use birthdates for pin codes like this. Entering 10,000 different pins would obviously be a drag, but there's only 365/366 days in a year, so that's how many possible date-based pins there are.

I don't know what region you're in or what date format is standard there (day-first or month-first), so depending on what's right for you, you'd just enter like ...

Code:
 US   EU
0101 0101
0102 0201
0103 0301
...  ...
0129 2901
0130 3001
0131 3101
0201 0102
0202 0202
0203 0302
...  ...
...  ...
...  ...
1231 3112
Maschell got their Wii U unlocked in about 250 tries and 30 minutes using this approach.

EDIT: If you really want to push your chances, you could try months that have the highest birth rates in your country first. e.g. In most countries where Christmas and New Year's are celebrated, September has the highest volume of births. Also, anything that falls nine months after winter in your locale is a solid bet for increased birth rates, so in the northern hemisphere you'd want to try September/October/November first, and in the southern hemisphere you'd look at March/April/May (but still after September if your country widely celebrates Christmas; Christmas babies > winter babies).
 

gamesquest1

> You know, Maschell was in this exact situation after purchasing a preowned Wii U which had parental controls enabled. Something that's worth considering is that a lot of people use birthdates for pin codes like this. Entering 10,000 different pins would obviously be a drag, but there's only 365/366 days in a year, so that's how many possible date-based pins there are.
>
> I don't know what region you're in or what date format is standard there (day-first or month-first), so depending on what's right for you, you'd just enter like ...
>
> Code:
>  US   EU
> 0101 0101
> 0102 0201
> 0103 0301
> ...  ...
> 0129 2901
> 0130 3001
> 0131 3101
> 0201 0102
> 0202 0202
> 0203 0302
> ...  ...
> ...  ...
> ...  ...
> 1231 3112
> Maschell got their Wii U unlocked in about 250 tries and 30 minutes using this approach.

yeah I guess that might be worth a shot, but I would imagine that a solution using this exploit would be a great solution, I originally tried all the typical pins 1234,0000,1111 etc and years from 1950-2010, didn't think to try day/month, I was thinking to try get this setup on my raspberry pi and see if I can force launch the system setting rpx with it to bypass the parental controls lock, I guess I kinda want to just see if it's possible to bypass by simply using this exploit to launch directly into the system settings app or parental controls app bypassing the trigger for the pin, if not I would guess a dev could make a home-brew specifically designed to wipe the pin or force a factory reset, always hate seeing usable hardware made useless junk because of pin locks etc partly why I kept the "junk" console just in case I ever got really bored and felt like guessing pins or a new exploit was found :P
 

godreborn

we have some beta testers of aroma on the forums. the one I know of said he hasn't had any problems with it. I think aroma can be installed to anything, but they recommend the health and safety title, then you won't have to buy anything and you'll be using something no one uses. it can be coldbooted, I believe, so it will be like cbhc. it will still be on the mlc partition like a ds game, just most, if not all, things that cause a brick with cbhc will be removed. I'm assuming the system.xml will be changed just like cbhc to coldboot into health and safety directly, but I'm not a beta tester and only have a mild understanding of what it does.
 

zekro94

I also bought a used wii u with parental lock thinking: This will be easy. After a week of trying different combinations I finally found the pin but....the wii u couldn't add another user because it didn't have enough space and so it just took me back to the selecting account menu, unable to do anything. If I rename the homebrew launcher to launcher.rpx would I be able to launch it using bluubomb?
 

GaryOderNichts

> I also bought a used wii u with parental lock thinking: This will be easy. After a week of trying different combinations I finally found the pin but....the wii u couldn't add another user because it didn't have enough space and so it just took me back to the selecting account menu, unable to do anything. If I rename the homebrew launcher to launcher.rpx would I be able to launch it using bluubomb?

Hmm the issue is that the launch.rpx will only be launched on the next title change, which probably isn't possible to do on that screen since everything is part of the system menu.
Can't you open one of the accounts and free up some space?

I might be able to create a binary that fixes this at some point.
 

zekro94

> Hmm the issue is that the launch.rpx will only be launched on the next title change, which probably isn't possible to do on that screen since everything is part of the system menu.
> Can't you open one of the accounts and free up some space?
>
> I might be able to create a binary that fixes this at some point.

Unfortunately I can't since I bought it used, the guy told me he found it in the trash so I don't even know the password to any account linked to the console
 

gamesquest1

> Hmm the issue is that the launch.rpx will only be launched on the next title change, which probably isn't possible to do on that screen since everything is part of the system menu.
> Can't you open one of the accounts and free up some space?
>
> I might be able to create a binary that fixes this at some point.

well I have been having a play about with bluubomb today and while most of the screen is indeed all part of the system menu, there is one exception where you can launch into another app, and I have an inkling that it's actually better for the purposes of bypassing the pin if you try to sign into the NNID it will inform you that you have no internet connection and prompt you to set one up, this will then take you to system settings before requesting the parental pin, once it loads it requests the pin and when you enter it wrong a few times (or just hit back) it will kick you out of the app, but this gives you the opportunity to launch a fw.img file from the SD card the only one I could find to test with was rednand which basically said "rednand isn't setup, insert a SD with it or system will reboot in 60 seconds" but it shows it is possible to launch a CFW img on a completely locked down system

it's been a long time since I have done anything on Wii U consoles so I have forgotten what options exist as a fw.img but iirc a fw.img file has greater control over the actual system than an rpx file, so I wonder if it's possible for someone to create a parental pin bypass fw.img to allow these systems to be recovered
 

GaryOderNichts

> well I have been having a play about with bluubomb today and while most of the screen is indeed all part of the system menu, there is one exception where you can launch into another app, and I have an inkling that it's actually better for the purposes of bypassing the pin if you try to sign into the NNID it will inform you that you have no internet connection and prompt you to set one up, this will then take you to system settings before requesting the parental pin, once it loads it requests the pin and when you enter it wrong a few times (or just hit back) it will kick you out of the app, but this gives you the opportunity to launch a fw.img file from the SD card the only one I could find to test with was rednand which basically said "rednand isn't setup, insert a SD with it or system will reboot in 60 seconds" but it shows it is possible to launch a CFW img on a completely locked down system
>
> it's been a long time since I have done anything on Wii U consoles so I have forgotten what options exist as a fw.img but iirc a fw.img file has greater control over the actual system than an rpx file, so I wonder if it's possible for someone to create a parental pin bypass fw.img to allow these systems to be recovered

Oh that's useful.
You should also be able to use the system settings launch to boot the launch.rpx.
I attached a custom mocha version that should work with bluubomb. Just make sure to disable os relaunch and boot system menu.
Then you can launch something like ftpiiu everywhere.

Another option would be to build HexFW which can be a bit complicated though. HexFW will come as a fw.img.
It has the option to launch wupserver which allows you to modify system files as well.
 

Attachments

  • mocha.zip

gamesquest1

> Oh that's useful.
> You should also be able to use the system settings launch to boot the launch.rpx.
> I attached a custom mocha version that should work with bluubomb. Just make sure to disable os relaunch and boot system menu.
> Then you can launch something like ftpiiu everywhere.
>
> Another option would be to build HexFW which can be a bit complicated though. HexFW will come as a fw.img.
> It has the option to launch wupserver which allows you to modify system files as well.

yeah when I tried to boot launch.rpx via that method it would always hang on the loading screen but then I thought to try the FW payload instead as the wifi setup screen would be in the system settings app and that worked fine, idk maybe it needs a slightly different patch to load a rpx when booting an app from that prompt instead of the Home Screen, I'll give those a shot now and see if I can pull some files from the system, I'm guessing there is a file somewhere in there with the pin stored in it.
 

V10lator

> I'd like to read more about this but all the pages I'm finding are in German. Is there an english write-up somewhere or do I have to use google translate?

I'm a beta tester, so here's a bit from my end:
Maschell says Aroma is just a set of tools. So there's failST, the Wii U plugin system, some selected plugins and so on. In my eyes Aroma is a new CFW.
Anyway, I was experiencing a lot of crashes with Aroma but Maschell was like "nah, Aroma is pretty stable. Must be some other cause" so I did a blind test: A friend of mine has a Wii U, too, but no idea about the technical aspects (so he was afraid to brick his Wii U by installing Nintendont, for example). Now a few days ago I removed Haxchi from his console and installed Aroma instead. No more than 48 hours later I got these messages:

> Could you revert the changes you made?
> Had to reboot my Wii U 20 times today, that can't be real.
> Now I can't even play my old games...
> If I try to start a game the title screen and background music appears. At every game launch I have to hope that the console won't show that loading screen forever while playing the background music in an endless loop.
> It's one thing if such things happen with homebrews but these are legit games that worked without any issue before!
> And when it works I get network connection drops all the time... I'm the only one using the WiFi.
> Gaming isn't fun anymore.

What I try to say: Aroma is really nice but not ready for primetime. :(
 

gamesquest1

> Oh that's useful.
> You should also be able to use the system settings launch to boot the launch.rpx.
> I attached a custom mocha version that should work with bluubomb. Just make sure to disable os relaunch and boot system menu.
> Then you can launch something like ftpiiu everywhere.
>
> Another option would be to build HexFW which can be a bit complicated though. HexFW will come as a fw.img.
> It has the option to launch wupserver which allows you to modify system files as well.

sorry to pick your brain again, didn't have any luck finding a copy of hexfw on any of my old drives and it seems it wasn't relevant for long enough before mocha came out for people to build CFW packs including it, but I did find a copy of iosuhax that booted up and I assume enabled the normal wupserver but realised a flaw in my plan......I don't have a network connection to use wupserver etc, I guess a usb ethernet adaptor would get around this, but alas I don't have one and don't feel the urge to buy one

but out of curiosity how would I launch the mocha elf file you attached was that assuming launching HBL would work to load it from there, and do you think it's possible to adapt the rpx loader to work from the wifi setup system settings as currently it just hangs on the loading screen with the Wii U menu music playing, idk if maybe it would just need modifying to work when launched this way as opposed to launching an app from the homescreen, iirc there were a few developer tools that were leaked I would assume there would be something in there to perform a factory reset or wipe the parental pin if I was able to get them to launch

again, sorry for all the questions, and no worries if it's simply beyond the scope of what you were looking to achieve, I appreciate that you have made a cool new exploit regardless, I'm just hoping we can eliminate the issue of these systems not functioning due to the overzealous parental controls on the wiiu
 

gamesquest1

> Sadly the adapter isn't plug&play: You need to change from WiFi to LAN and for that you need to enter system settings.

ahhh, okay, so that's that option blown out the water, glad I didn't just rush to go buy one at least, I guess the only options then are getting the rpx loader to work with the wifi setup launch or a cfw img created specifically with the intention of bypassing the pin (or at least enabling the forced load of a rpx file)
 

GaryOderNichts

> but out of curiosity how would I launch the mocha elf file you attached was that assuming launching HBL would work to load it from there,

Ah yeah, that was just in case you got into the HBL somehow. Forgot to mention that.

If you can get to the wifi setup screen, can't you just set up a new connection?

I'll take a look at how an rpx could be loaded from there though.
 

godreborn

I actually still have wupserver on my pc. I remember it being unbelievably slow, but you could inject files while on the home menu without the homebrew launcher or ftpii u everywhere. for those who don't know, it used to be the way to install haxchi. as you can see, some haxchi files are still in there. I think it's also how to install a custom theme to the virtual wii based on the python scripts.:

upload_2021-5-27_13-2-54.png
 
