It's been a while without any major exploits in the Wii U scene, so I present to you:

USB Descriptor Parsing Is Hard (UDPIH)​

An exploit for the Wii U's USB Host Stack. Pronounced like "mud pie" without the M.

The write-up can be found here!

What does this mean?​

Since the USB Stack is running before anything on the PPC side of the Wii U is booted, this allows unbricking things like CBHC bricks without any soldering!

Requirements​

• A Wii U
• One of the devices listed below
  Note: Any other linux device capable of USB device emulation should work as well.
  Prebuilt releases are only available for the Pico and Zero.
  I will add more devices below which are confirmed to work.

Supported devices:​

• A Raspberry Pi Pico or Zero
• A Nintendo Switch capable of running udpih_nxpayload

Instructions​

Pico​

• Download the latest udpih.uf2 from the releases page.
• Hold down the BOOTSEL button on the board and connect the Pico to your PC.
  Your PC will detect the Pi as a storage device.
• Copy the .uf2 file to the Pico. It will disconnect after a few seconds.

The Pico is now flashed and can be used for udpih. Continue with "Booting the recovery_menu" below.

Raspberry Pi Zero (Linux)​

• Install the required dependencies:
  

  sudo apt install build-essential raspberrypi-kernel-headers

• Clone the repo:

• git clone https://github.com/GaryOderNichts/udpih.git
  cd udpih

• Download the latest arm_kernel.bin.h from the releases page and copy it to the arm_kernel directory.
• Now build the kernel module:

• cd linux
  make

• You can now run sudo insmod udpih.ko to insert the kernel module into the kernel.

The Zero is now ready to be used for udpih.
Note that you'll need to insert the module again after rebooting the Zero. You will need 2 USB cables, one for powering the Zero and one which can be connected to the Wii U.

Continue with "Booting the recovery_menu" below.

Booting the recovery_menu​

Important notes for this to work:

• Make sure no other USB Devices are attached to the console.
• Only use USB ports on the front of the console, the back ports will not work.
• If your console has standby mode enabled, pull the power plug and turn it on from a full coldboot state.

• Copy the latest release of the recovery_menu to the root of your FAT32 formatted SD Card.
• Insert the SD Card into the console and power it on.
• As soon as you see the "Wii U" logo on the TV or Gamepad plug in your Zero/Pico.
  This timing is important. If you're already in the menu, the exploit won't work..
• After a few seconds you should be in the recovery menu.

So what's this recovery menu? The recovery menu allows you to fix several bricks:

Wii U Recovery Menu​

A simple recovery menu running on the IOSU for unbricking.

Options​

Set Coldboot Title
Allows changing the current title the console boots to.
Useful for unbricking CBHC bricks.
Possible options are:

• Wii U Menu (JPN) - 00050010-10040000
• Wii U Menu (USA) - 00050010-10040100
• Wii U Menu (EUR) - 00050010-10040200

On non-retail systems the following additional options are available:

• System Config Tool - 00050010-1F700500
• DEVMENU (pre-2.09) - 00050010-1F7001FF
• Kiosk Menu - 00050010-1FA81000

Dump Syslogs
Copies all system logs to a logs folder on the root of the SD Card.

Dump OTP + SEEPROM
Dumps the OTP and SEEPROM to otp.bin and seeprom.bin on the root of the SD Card.

Start wupserver
Starts wupserver which allows connecting to the console from a PC using wupclient.

Load Network Configuration
Loads a network configuration from the SD, and temporarily applies it to use wupserver.
The configurations will be loaded from a network.cfg file on the root of your SD.
For using the ethernet adapter, the file should look like this:

type=eth

For using wifi:

type=wifi
ssid=ssidhere
key=wifikeyhere
key_type=WPA2_PSK_AES

Pair Gamepad
Displays the Gamepad Pin and allows pairing a Gamepad to the system. Also bypasses any region checks while pairing.
The numeric values represent the following symbols: ♠ = 0, ♥ = 1, ♦ = 2, ♣ = 3.
Note that rebooting the system might be required to use the newly paired gamepad.

Install WUP
Installs a valid signed WUP from the install folder on the root of your SD Card.
Don't place the WUP into any subfolders.

Edit Parental Controls
Displays the current Parental Controls pin configuration.
Allows disabling Parental Controls.

Debug System Region
Fixes bricks caused by setting productArea and/or gameRegion to an invalid value. Symptoms include being unable to launch System Settings or other in-region titles.

System Information
Displays info about several parts of the system.
Including serial number, manufacturing date, console type, regions, memory devices...

Credits​

• @Maschell for the network configuration types
• @dimok789 for mocha
• @hexkyz for hexFW
• @rw-r-r-0644 for the lolserial code

Special thanks to Maschell, rw-r-r-0644, QuarkTheAwesome, vgmoose, exjam, dimok789, and everyone else who contributed to the Wii U scene!

 

[Portal2038]

Try installing the other title I gave you the ID of. (The system menu)

I tried.

1. java -jar JNUSTool.jar 0005001010040000 -dlEncrypted -> downloaded files (pic1) ~64.3Mb
2. put files to /install folder (pic2)
3. insert SD to WiiU, go to recovery mode (purple LED, no screen)
4. pressed on Eject 6 times, pressed on Power 1 time
5. waited for 10 minutes
6. reboot console

Nothing new for me

BTW, i have got otp.bin and seeprom.bin files (attached3). Can this help?

 

[SDIO]

Then I would suggest you try to get wupserver / wupclient working, then we can try the install via that and see if it fails

 

[V10lator]

Perhaps I pressed the buttons incorrectly because I was doing it blindly.

This nightly should help you in navigating blindly: https://github.com/GaryOderNichts/recovery_menu/actions/runs/6234668024 (you need a GitHub account to be able to download it)

The power LED on the console should turn off for a split second when you press a button, indicating that the button press worked, and it should blink red while installing (turning back to purple when finished). Also it should turn solid red in case of errors.

I'll try gary and jan-hofmeier recovery menu.

Note that the menu options on both are different, so the Install WUP option is at a different line for each.

I would suggest you try to get wupserver / wupclient working, then we can try the install via that and see if it fails

IIRC installing via wupclient didn't work for some reason when we tried that in the past.

 

[Portal2038]

then we can try the install via that and see if it fails

I connected to wupserver (pic1,pic2), but I don't know how to use it and install something with it Can you help me, please?

The power LED on the console should turn off for a split second when you press a button, indicating that the button press worked, and it should blink red while installing (turning back to purple when finished). Also it should turn solid red in case of errors.

Cool, thanks! It's much more convenient

Note that the menu options on both are different, so the Install WUP option is at a different line for each.

Yes, I thought about that, so I only used gary's recovery.

Also, now when I have new "nightly" recovery I tried to reinstall both 000500301001000A and 0005001010040000. There was blinked red LED and purple LED, so I guess I did everything right. But it doesn't help me.

UPD:
When I tried to change the language to English, there was also a JAP TO ENG folder (attached3) in the archive. Could this help with recovery in any way?

UPD2:
Today i tried this:

1. java -jar JNUSTool.jar 0005001010040000 and java -jar JNUSTool.jar 000500301001000A
2. connect to wupserver
3. exec this commands:

Spoiler: code

w.cd("sys/title/00050030/1001000a")
w.up("000500301001000A/meta/meta.xml", "meta/meta.xml")
w.up("000500301001000A/content/Common/Package/Hbm.pack", "content/Common/Package/Hbm.pack")

w.cd("sys/title/00050010/10040000")
w.up("0005001010040000/meta/meta.xml", "meta/meta.xml")
w.up("0005001010040000/content/JpJapanese/Message/AllMessage.szs", "content/JpJapanese/Message/AllMessage.szs")

These are some files I replaced before my console broke. By the way, there were no errors when I uploaded these files.
There haven't been any new logs.
And of course it didn't help me

 

[SDIO]

I assume you used ftp when you initially tried to change the language. Did you make sure you were in binary mode, before you uploaded the files?

For installing packages with the wupclient, you first need to adapt the wupclient a little bit: you need to replace

/vol/storage_sdcard/

with

/vol/storage_recovsd/

Then you can call the install_title function with the path to the install package on the SD.
For example if you copied the files directly to the install folde rit would be:

install_title('install')

If you have multiple titles there, each in it's subfolder, it would be for example:

install_title('install/tmp_000500301001000A')

Assuming the files in the zip are all correct, you could also try just uploading all of them with the wupserver. Just make sure to not upload these .DS_Store files.
I think the wupclient can only upload single files, so you would need a little scripting to upload all of them.

 

[Portal2038]

Thanks for the answer!

I assume you used ftp when you initially tried to change the language. Did you make sure you were in binary mode, before you uploaded the files?

Yes, I used cyberduck FTP-client. And I didn't make sure. I just drug and drop files from here (JAP TO Englis) to ftp://192.168.0.148/storage_mlc/sys/title
Also, I remember, that I have some problems.
1 - I made a mistake with the folder (/sys instead of /sys/title) (pic1)
2 - There were some errors (Don't remember what type of errors)
3 - success

/vol/storage_recovsd

/vol/storage_recovsd

I don't get it. Isn't this the same line?

 

[SDIO]

I don't get it. Isn't this the same line?

sorry, my mistake, I corrected it in the post

 

[Portal2038]

Installation using wupclient does not work for me.
1. Changed all string /vol/storage_sdcard -> /vol/storage_recovsd
2. Copy tmp_000500301001000A and tmp_0005001010040000 to SD /install
3.

install_title('install/tmp_0005001010040000')
install_title('install/tmp_000500301001000A')

Spoiler: errors

0x128044
install info : 0x0 ['0x50030', '0x1001000a', '0xb4d000', '0x40005', '0x101000', '0x400a']
install set target device : 0x0
install set target usb : 0x0
install : 0x0
0x0


0x129044
install info : 0x0 ['0x50010', '0x10040000', '0xe29000', '0x10005', '0x101000', '0x400a']
install set target device : 0x0
install set target usb : 0x0
install : 0x0
0x0

I'll try to re-upload all the files that I originally changed, one by one. I hope I don't make it worse.

By the way, are the files I got from java -jar JNUSTool.jar 0005001010040000 correct for re-uploading with wupclient?

 

[SDIO]

The installs worked, they returned a 0 error code, they seemingly just didn't fix you problem.

I would suggest you download the other titles of which you replaced files, and reinstall them too. You get the title ID by combining the names of the subfolders in /sys/title.
For example storage_mlc/sys/title/00050010/10040000/meta/meta.xml would be 0005001010040000

 

[Portal2038]

The installs worked, they returned a 0 error code, they seemingly just didn't fix you problem.

I would suggest you download the other titles of which you replaced files, and reinstall them too. You get the title ID by combining the names of the subfolders in /sys/title.
For example storage_mlc/sys/title/00050010/10040000/meta/meta.xml would be 0005001010040000

installed all titles. Still doesn't help

But I have new log file #68!

This error is repeated since 66.log:

Spoiler: error1

00:00:12:944: UHS0 Trace: DevFsm(OHCI-1:0/L1/P1/A01): Final teardown.
00:00:12:944: UHS0 Error: UhsFreeMem(pMem=0x102c0480) failed with error -4.
00:00:12:944: UHS0 Error: file uhs_device.c, function UhsDeviceHandleTeardown, line 432, status 0:-4, info 271320192(0x102c0480)
00:00:12:944: UHS0 Error: UhsFreeMem(pMem=0x102c0540) failed with error -4.
00:00:12:944: UHS0 Error: file uhs_device.c, function UhsDeviceHandleTeardown, line 432, status 0:-4, info 271320384(0x102c0540)
00:00:12:944: UHS0 Error: UhsFreeMem(pMem=0x102c0680) failed with error -4.
00:00:12:945: UHS0 Error: file uhs_device.c, function UhsDeviceHandleTeardown, line 432, status 0:-4, info 271320704(0x102c0680)

There is an error about installing 00050010-1004e00 (Health and Safety Information):

Spoiler: error2

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Installation Failure detected
 - Error value: -262178
 - Package:
   </vol/mcp_rawpkg/install/tmp_000500101004E000>
 - Title:       00050010-1004e000 (0x0081)
 - AppType:     90000020
 - Platform:    Cafe
 - Target dev:  mlcsys01
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Installation failure log will be stored with error code '162-0000'
00:03:01:689: MCP: life time number of fatal errors - 67

Spoiler: Error3

00:00:15:913: ODM odm_methods.c(779): failed with rval=-1049092, senseKey=0x88
00:00:15:982: ODM odm_methods.c(497): Error handler result: rval=-1049092, nextState=ODM_STATE_FATAL(12)
00:00:16:079: ODM odm_fsm.c(401): stop unit failed rval=-104909200:00:16:133: ODM odm_methods.c(779): failed with rval=-1049092, senseKey=0x00
00:00:16:202: ODM odm_methods.c(497): Error handler result: rval=-1049092, nextState=ODM_STATE_FATAL(12)
00:00:16:298: ODM odm_fsm.c(401): stop unit failed rval=-104909200:00:16:352: FSA: [uptime 16.352 s]: Attached volume to odd01 (raw)

Can it help somehow?

UPD:
after reboot got 69.log. Re-uploaded archive
UPD2:
try reinstall 00050010-1004e000 -> same problem as 68.log. Re-uploaded archive again

 

[SDIO]

The logs are probably just from when you run the recovery, there is nothing useful in them.
I am not sure why the install of the H&S app fails, but it isn't required for the console to boot. Just in case you can try to move it away:

w.mv('/vol/storage_mlc01/sys/title/00050010/1004e000', '/vol/storage_mlc01/sys/corrupted')

You can try to reinstall 0005001B10042400 (Fonts) and see if that fixes the recovery menu display output

 

[Portal2038]

Just in case you can try to move it away:

Unfortunately, Isn't work:

AttributeError: 'wupclient' object has no attribute 'mv'

(pic1)

I am not sure why the install of the H&S app fails, but it isn't required for the console to boot.

Isn't PayloadLoader launched through this application? https://wiiu.hacks.guide/#/tiramisu/installing-payloadloader
And maybe it couldn't be installed because I have extra files on my WiiU title.fst and title.tmd in 00050010/1004e000/code..

You can try to reinstall 0005001B10042400 (Fonts) and see if that fixes the recovery menu display output

Installed (pic2), but nothing new. Just WiiU logo. I use this recovery_menu: https://github.com/GaryOderNichts/recovery_menu/actions/runs/6234668024

 

[SDIO]

Which wupclient are you using? The one from @V10lator?

 

[Portal2038]

Which wupclient are you using? The one from @V10lator?

this one
UPD:
Oh. sorry. It's look like actually not this one

 

[SDIO]

Are you sure? Because that one has the mv.

Isn't PayloadLoader launched through this application?

Yes, but that isn't our problem right now. Since you changed the CB title back and reinstalled the Wi U Menu, it is not launched.

 

[Portal2038]

Thank you, reinstalled wupclient.
Tried this:

w.mv('/vol/storage_mlc01/sys/title/00050010/1004e000', '/vol/storage_mlc01/sys/corrupted')
install_title('install/tmp_000500101004E000')

In any case, an error occurred when trying to install (see logs). Do you have any idea what's going on?

 

[SDIO]

Then maybe the wup you downloaded is broken. You can try downloading it again.
Did the move give any error?

 

[Portal2038]

Did the move give any error?

0 error (pic1)

Then maybe the wup you downloaded is broken. You can try downloading it again.

Yes, after download, move and install again the problem with installation of H&S (00050010-1004E000) disappeared. Thank you! Btw this time I installed right after moved (without closing console): maybe this helped. Idk.

But this doesn't help with the WiiU. No new symptoms.

 

[SDIO]

I don't see what else could be broken, if you really just replaced these files. Or did you do something else too?

1. The options I see we have left are:
   Just reinstall all mlc system titles, not just the ones you replaced, in case you somehow messed up another one. For convinience you can download all of them with: https://github.com/Xpl0itU/MLCRestorerDownloader/releases
2. Use PRSHhax in my fork of the recovery to load minute and then boot stroopwafel with that, so we get a wupserver on a normally running system without recovery and can dump the current syslog of that, maybe that would give us a hint.
3. Trigger a factory reset, maybe you messed up something in usr
4. Install isfshax and then completely rebuild the mlc from scratch. We could also do a complete region change in the process

Post automatically merged: Sep 24, 2023

Oh I forgot, how do you turn off the console, after doing something in the recovery? Do you do flush_mlc() before?

 

[Portal2038]

1. The options I see we have left are:
   Just reinstall all mlc system titles, not just the ones you replaced, in case you somehow messed up another one. For convinience you can download all of them with: https://github.com/Xpl0itU/MLCRestorerDownloader/releases

That helped! You are a hero for me! Thank you!!

I wonder what I did wrong when I initially uploaded the files... And what application caused the brick?
Btw, I can finally see the recovery menu! Driving it blindly was a pain

> Oh I forgot, how do you turn off the console, after doing something in the recovery? Do you do flush_mlc() before?​

no, I just clicked CTRL+D. I didn't know about flush_mlc(), sorry