It's been a while without any major exploits in the Wii U scene, so I present to you:

USB Descriptor Parsing Is Hard (UDPIH)​

An exploit for the Wii U's USB Host Stack. Pronounced like "mud pie" without the M.

The write-up can be found here!

What does this mean?​

Since the USB Stack is running before anything on the PPC side of the Wii U is booted, this allows unbricking things like CBHC bricks without any soldering!

Requirements​

• A Wii U
• One of the devices listed below
  Note: Any other linux device capable of USB device emulation should work as well.
  Prebuilt releases are only available for the Pico and Zero.
  I will add more devices below which are confirmed to work.

Supported devices:​

• A Raspberry Pi Pico or Zero
• A Nintendo Switch capable of running udpih_nxpayload

Instructions​

Pico​

• Download the latest udpih.uf2 from the releases page.
• Hold down the BOOTSEL button on the board and connect the Pico to your PC.
  Your PC will detect the Pi as a storage device.
• Copy the .uf2 file to the Pico. It will disconnect after a few seconds.

The Pico is now flashed and can be used for udpih. Continue with "Booting the recovery_menu" below.

Raspberry Pi Zero (Linux)​

• Install the required dependencies:
  

  sudo apt install build-essential raspberrypi-kernel-headers

• Clone the repo:

• git clone https://github.com/GaryOderNichts/udpih.git
  cd udpih

• Download the latest arm_kernel.bin.h from the releases page and copy it to the arm_kernel directory.
• Now build the kernel module:

• cd linux
  make

• You can now run sudo insmod udpih.ko to insert the kernel module into the kernel.

The Zero is now ready to be used for udpih.
Note that you'll need to insert the module again after rebooting the Zero. You will need 2 USB cables, one for powering the Zero and one which can be connected to the Wii U.

Continue with "Booting the recovery_menu" below.

Booting the recovery_menu​

Important notes for this to work:

• Make sure no other USB Devices are attached to the console.
• Only use USB ports on the front of the console, the back ports will not work.
• If your console has standby mode enabled, pull the power plug and turn it on from a full coldboot state.

• Copy the latest release of the recovery_menu to the root of your FAT32 formatted SD Card.
• Insert the SD Card into the console and power it on.
• As soon as you see the "Wii U" logo on the TV or Gamepad plug in your Zero/Pico.
  This timing is important. If you're already in the menu, the exploit won't work..
• After a few seconds you should be in the recovery menu.

So what's this recovery menu? The recovery menu allows you to fix several bricks:

Wii U Recovery Menu​

A simple recovery menu running on the IOSU for unbricking.

Options​

Set Coldboot Title
Allows changing the current title the console boots to.
Useful for unbricking CBHC bricks.
Possible options are:

• Wii U Menu (JPN) - 00050010-10040000
• Wii U Menu (USA) - 00050010-10040100
• Wii U Menu (EUR) - 00050010-10040200

On non-retail systems the following additional options are available:

• System Config Tool - 00050010-1F700500
• DEVMENU (pre-2.09) - 00050010-1F7001FF
• Kiosk Menu - 00050010-1FA81000

Dump Syslogs
Copies all system logs to a logs folder on the root of the SD Card.

Dump OTP + SEEPROM
Dumps the OTP and SEEPROM to otp.bin and seeprom.bin on the root of the SD Card.

Start wupserver
Starts wupserver which allows connecting to the console from a PC using wupclient.

Load Network Configuration
Loads a network configuration from the SD, and temporarily applies it to use wupserver.
The configurations will be loaded from a network.cfg file on the root of your SD.
For using the ethernet adapter, the file should look like this:

type=eth

For using wifi:

type=wifi
ssid=ssidhere
key=wifikeyhere
key_type=WPA2_PSK_AES

Pair Gamepad
Displays the Gamepad Pin and allows pairing a Gamepad to the system. Also bypasses any region checks while pairing.
The numeric values represent the following symbols: ♠ = 0, ♥ = 1, ♦ = 2, ♣ = 3.
Note that rebooting the system might be required to use the newly paired gamepad.

Install WUP
Installs a valid signed WUP from the install folder on the root of your SD Card.
Don't place the WUP into any subfolders.

Edit Parental Controls
Displays the current Parental Controls pin configuration.
Allows disabling Parental Controls.

Debug System Region
Fixes bricks caused by setting productArea and/or gameRegion to an invalid value. Symptoms include being unable to launch System Settings or other in-region titles.

System Information
Displays info about several parts of the system.
Including serial number, manufacturing date, console type, regions, memory devices...

Credits​

• @Maschell for the network configuration types
• @dimok789 for mocha
• @hexkyz for hexFW
• @rw-r-r-0644 for the lolserial code

Special thanks to Maschell, rw-r-r-0644, QuarkTheAwesome, vgmoose, exjam, dimok789, and everyone else who contributed to the Wii U scene!

 

[MrPeach2]

My WiiU is crashing before it displays anything. Is there any hope for it?

 

[SDIO]

My WiiU is crashing before it displays anything. Is there any hope for it?

Thats probably a case for defuse https://gbatemp.net/threads/ultimat...reset-black-screen-after-stuck-update.642339/

 

[Dreamcasters]

As far as I understand, the recovery menu is not displayed due to corrupted font files (like in my case). Is it possible that it doesn't use internal fonts but its own? However, the minute menu is displayed correctly which probably uses different fonts?

 

[SDIO]

The recovery menu runs on top of IOSU.
Minute is it's own thing and runs in place of IOSU.
That's why the recovery menu needs the system fonts but minute doesn't

 

[DGP_Maluco]

Hey guys, I’m trying to follow this tutorial on a 32GB model, I’ve got a pi zero 2 w and installed raspbian os on it. Followed the tutorial and loaded the module over ssh. Now when the console shows the Wii U logo I plug it in and sometimes I get the error code 160-2215 or 160-0103 but I never get into the udpih. Am I doing something wrong? Haven’t open up the Wii u to check what memory I have. The console had the exploit CBHC and was years in storage

 

[SDIO]

What firmware does it show on the error screen? When using UDPIH look for the LED turning purple, not the TV output

 

[DGP_Maluco]

What firmware does it show on the error screen? When using UDPIH look for the LED turning purple, not the TV output

On the error screen 160-0103 it shows
1 -.-.- 2—————- 3 ———-4 XXXX-02X0-2375 sometimes 3375

On 160-2701 1 -.-.- 2—————- 3 ———- 4 HASJ-0210-2375

And right now not getting the 106-2215 one but the led is never purple always only blue

 

[SDIO]

Try UDPIH a little earlier, while the Disc drive makes it's sound. If that doesn't help, you probably have to defuse.

 

[DGP_Maluco]

Try UDPIH a little earlier, while the Disc drive makes it's sound. If that doesn't help, you probably have to defuse.

On 160-0103 I get

1 5.5.4 E 2 WUP101(03) 3 FEH101337265 4 XXXX-02X0-3375

So it doesn’t seem to work. Will look into what and how defuse works

 

[SDIO]

Then UDPIH should worke. 5.5.3 is new enough and since you see that error message the console also boots far enough for it to work

 

[DGP_Maluco]

Then UDPIH should worke. 5.5.3 is new enough and since you see that error message the console also boots far enough for it to work

Ok over the weekend I’ll give it a try again. Could I be doing something wrong? Is it correct to use the zero with raspbian?

 

[SDIO]

I never used the zero for that, always used the pico. Could be that you are doing something wrong but hard to tell without knowing what you are doing

 

[DGP_Maluco]

I never used the zero for that, always used the pico. Could be that you are doing something wrong but hard to tell without knowing what you are doing

I’ve ordered a pico it should arrive tomorrow I’ll test with the pico as well! Thanks for your help.

Edit: thanks! I’ve got in with the pico. Probably doing something wrong with the zero or maybe it’s not supposed to be run on raspbian

 

[skawo]

Hm you could solder a pico to the debug pads to get the syslog that way. Would be the same like defuse but you only need the debug ones (and GND) and not the other connectens that defuse would need (I think).

Else I don't have another id rn.

I have now tried this, and, sadly, doesn't work that way. You don't get a log unless TP176 and TP101 are connected.
All I got with them connected was error 00/C3.

i don't really understand the steps provided at the de_fuse release page for a full defuse, because they tell you to flash an image to an SD card and also to put files on the root of one...?

 

[SDIO]

That can probably be removed from the pico firmware, but I am not sure when I can do it, probably not today.

And for the SD: you flash the image, then reinsert it that the new partition table gets read and then you format the partition you see to FAT32 and place the files there

 

[skawo]

O h

Well, I guess ping me if you do.

 

[DGP_Maluco]

I never used the zero for that, always used the pico. Could be that you are doing something wrong but hard to tell without knowing what you are doing

So I set the title to EUR again but it didn't help.
Exporting the logs it shows on some log files DATA CORRUPTION but on SLC. Does this still mean I should proceed with the NAND-AID solution?

 

[SDIO]

There is a good chance the problem isn't even the MLC, so you might not need the NAND-AID.
First I would recommend to install ISFShax, to have a way in in case things get worse.
Then please send me the whole logs folder.
Did you check what manufacturer your eMMC is?
Also run the SLC checker, after you installed ISFShax

 

[DGP_Maluco]

There is a good chance the problem isn't even the MLC, so you might not need the NAND-AID.
First I would recommend to install ISFShax, to have a way in in case things get worse.
Then please send me the whole logs folder.
Did you check what manufacturer your eMMC is?
Also run the SLC checker, after you installed ISFShax

Yes it is HYNIX.
here are all the logs. will look into ISFShax

https://mega.nz/file/DFZVwDKI#E5ksSaSmg9xZh3K6KJ1qOEk1cMyURFCD9HYPBT2ltGE

 

[SDIO]

Yeah the only problem right now seems to be the scfm.img. Lets wait for the result of the slc checker to see what state the SLC is in.
After you installed redNAND you can also do a format redNAND in minute and look how many errors get reported durcing the SLC and the MLC dumping, That would also give us an idea what state the eMMC is in and if it makes sense to replace it.

Do you have any data on the console you want to recover? The most trouble free route would probably be to just delete scfm, erase mlc and then rebuild the MLC. But for that we also need ISFShax