It's been a while without any major exploits in the Wii U scene, so I present to you:

USB Descriptor Parsing Is Hard (UDPIH)​

An exploit for the Wii U's USB Host Stack. Pronounced like "mud pie" without the M.

The write-up can be found here!

What does this mean?​

Since the USB Stack is running before anything on the PPC side of the Wii U is booted, this allows unbricking things like CBHC bricks without any soldering!

Requirements​

• A Wii U
• One of the devices listed below
  Note: Any other linux device capable of USB device emulation should work as well.
  Prebuilt releases are only available for the Pico and Zero.
  I will add more devices below which are confirmed to work.

Supported devices:​

• A Raspberry Pi Pico or Zero
• A Nintendo Switch capable of running udpih_nxpayload

Instructions​

Pico​

• Download the latest udpih.uf2 from the releases page.
• Hold down the BOOTSEL button on the board and connect the Pico to your PC.
  Your PC will detect the Pi as a storage device.
• Copy the .uf2 file to the Pico. It will disconnect after a few seconds.

The Pico is now flashed and can be used for udpih. Continue with "Booting the recovery_menu" below.

Raspberry Pi Zero (Linux)​

• Install the required dependencies:
  

  sudo apt install build-essential raspberrypi-kernel-headers

• Clone the repo:

• git clone https://github.com/GaryOderNichts/udpih.git
  cd udpih

• Download the latest arm_kernel.bin.h from the releases page and copy it to the arm_kernel directory.
• Now build the kernel module:

• cd linux
  make

• You can now run sudo insmod udpih.ko to insert the kernel module into the kernel.

The Zero is now ready to be used for udpih.
Note that you'll need to insert the module again after rebooting the Zero. You will need 2 USB cables, one for powering the Zero and one which can be connected to the Wii U.

Continue with "Booting the recovery_menu" below.

Booting the recovery_menu​

Important notes for this to work:

• Make sure no other USB Devices are attached to the console.
• Only use USB ports on the front of the console, the back ports will not work.
• If your console has standby mode enabled, pull the power plug and turn it on from a full coldboot state.

• Copy the latest release of the recovery_menu to the root of your FAT32 formatted SD Card.
• Insert the SD Card into the console and power it on.
• As soon as you see the "Wii U" logo on the TV or Gamepad plug in your Zero/Pico.
  This timing is important. If you're already in the menu, the exploit won't work..
• After a few seconds you should be in the recovery menu.

So what's this recovery menu? The recovery menu allows you to fix several bricks:

Wii U Recovery Menu​

A simple recovery menu running on the IOSU for unbricking.

Options​

Set Coldboot Title
Allows changing the current title the console boots to.
Useful for unbricking CBHC bricks.
Possible options are:

• Wii U Menu (JPN) - 00050010-10040000
• Wii U Menu (USA) - 00050010-10040100
• Wii U Menu (EUR) - 00050010-10040200

On non-retail systems the following additional options are available:

• System Config Tool - 00050010-1F700500
• DEVMENU (pre-2.09) - 00050010-1F7001FF
• Kiosk Menu - 00050010-1FA81000

Dump Syslogs
Copies all system logs to a logs folder on the root of the SD Card.

Dump OTP + SEEPROM
Dumps the OTP and SEEPROM to otp.bin and seeprom.bin on the root of the SD Card.

Start wupserver
Starts wupserver which allows connecting to the console from a PC using wupclient.

Load Network Configuration
Loads a network configuration from the SD, and temporarily applies it to use wupserver.
The configurations will be loaded from a network.cfg file on the root of your SD.
For using the ethernet adapter, the file should look like this:

type=eth

For using wifi:

type=wifi
ssid=ssidhere
key=wifikeyhere
key_type=WPA2_PSK_AES

Pair Gamepad
Displays the Gamepad Pin and allows pairing a Gamepad to the system. Also bypasses any region checks while pairing.
The numeric values represent the following symbols: ♠ = 0, ♥ = 1, ♦ = 2, ♣ = 3.
Note that rebooting the system might be required to use the newly paired gamepad.

Install WUP
Installs a valid signed WUP from the install folder on the root of your SD Card.
Don't place the WUP into any subfolders.

Edit Parental Controls
Displays the current Parental Controls pin configuration.
Allows disabling Parental Controls.

Debug System Region
Fixes bricks caused by setting productArea and/or gameRegion to an invalid value. Symptoms include being unable to launch System Settings or other in-region titles.

System Information
Displays info about several parts of the system.
Including serial number, manufacturing date, console type, regions, memory devices...

Credits​

• @Maschell for the network configuration types
• @dimok789 for mocha
• @hexkyz for hexFW
• @rw-r-r-0644 for the lolserial code

Special thanks to Maschell, rw-r-r-0644, QuarkTheAwesome, vgmoose, exjam, dimok789, and everyone else who contributed to the Wii U scene!

 

[noizer]

Yes exactly

the light is changing color to purple (red and blue open)
so I am guessing I am able to get into it just no display on tv and gamepad

I think I have a exactly same problem with you.

udpih works fine, but recovery menu doesn’t working.

My Wii U is Japanese, my problem is no fonts on “/storage_mlc/sys/title/0005001b/10042400/content”. So it’s bricked.
When Wii U turns on Gamepad Turns on same time but Pad doesn’t recognize Wii U console and monitor shows up no signal.

 

[fadafwet]

Yes I have almost the same behavior, exept the gamepad does not pop any error like yours
I don't know why I would of lost those font you are talking about, maybe they got corrupted

I was able to navigate in the menu blindly following other video and get a debug log on my sd card

I wondering if anyone can help me to understand those and if it can tell me what is wrong with my console. What file I should read or upload because there are many of those on the sd card.

thank you

 

[Sombersnow]

Directly after you see the Wii u logo. That worked for me the whole time.

EDIT: See this or this for the "correct" timing.

Your links don't work anymore, so I could not check it.

 

[fadafwet]

For me it is about a half second after the DVD drive makes it's second eject noise

 

[godreborn]

I think I have a exactly same problem with you.

udpih works fine, but recovery menu doesn’t working.

My Wii U is Japanese, my problem is no fonts on “/storage_mlc/sys/title/0005001b/10042400/content”. So it’s bricked.
When Wii U turns on Gamepad Turns on same time but Pad doesn’t recognize Wii U console and monitor shows up no signal.

garbled image usually means that the timing was slightly off. it's happened to me in the past as well. just keep trying.

 

[BaamAlex]

Your links don't work anymore, so I could not check it.

Now i uploaded them here. Have fun and good luck.

 

[Sombersnow]

Now i uploaded them here. Have fun and good luck.

thanks.

Post automatically merged: Mar 1, 2023

Here's the problem I'm encountering. Sorry for the bad video quality

 

[Kakeen]

Question, I managed to get into the recovery menu on a bricked wii u I got a hold of, I set the cold boot title to US and when I restart it I keep getting the same error (Error Code - 160-0101), I won't boot up. Is there another option I have to choose in order to get it to boot up?

My guess is this wii u was soft modded and reset without knowing what would happen. Any help would be greatly appreciated.
I did attach the logs.

 

[gaijinsmash]

Thanks in advance for any help / insight any of the experts here could provide.

Wii U purchased with unknown brick off ebay - no NAND backup available.

With configured SD inserted: System boots and displays WiiU screen, followed by white screen with particles (I believe its the background of the system menu), but the system menu never loads.

With no SD card inserted: System boots to "Failed to load sd:/wiiu/payload.elf Starting the console without any modifications."

I was able to get UDPIH working - Reset ColdBoot menu to correct one with no effect (debug indicated no issue). Copied logs and have attached them here.

Only thing that jumps out as obvious is:

00:00:12:819: UHS0 Error: file uhs_main.c, function UhsAllocLocalEvent, line 339, status 33:-57, info 5242988(0x0050006c) 00:00:12:824: DRH using runtime generated WLAN data 00:00:12:824: Setting DRH to Normal mode 00:00:12:825: setting DRH system time to 23:59:19 00:00:12:826: sending DRC WOWL wake 00:00:12:827: ccr_admin_wowl_wake_drc() returned -1893541 00:00:12:853: UHS0 Error: file uhs_main.c, function UhsAllocLocalEvent, line 339, status 33:-57, info 5242988(0x0050006c) 00:00:12:878: CDC_SIGNAL_STA_ASSOCIATED_NOTIFY 00:00:12:888: UHS0 Error: file uhs_main.c, function UhsAllocLocalEvent, line 339, status 33:-57, info 5242988(0x0050006c)

Is this my problem? Red herring? I can find no discussion of this on these boards - is there some approach someone could recommend as an attempt to resolve?

Thanks in advance for any help!

 

[Frege]

Thanks in advance for any help / insight any of the experts here could provide.

Wii U purchased with unknown brick off ebay - no NAND backup available.

With configured SD inserted: System boots and displays WiiU screen, followed by white screen with particles (I believe its the background of the system menu), but the system menu never loads.

With no SD card inserted: System boots to "Failed to load sd:/wiiu/payload.elf Starting the console without any modifications."

I am having the same problem. Looks like I was turning on and off my console way too much and the NAND became corrupted somehow; The console loads the Environment Loader and Tiramisu or Aroma, then the Wii U Logo, then it shows the "select user" screen, but if I select a user it gets stuck in an indefinite loop of background objects and pre-menu music until I turn off my Gamepad in which case the console freezes (alteratively, it automatically freezes if I select "add a new user" or to connect one to the Nintendo Network). I'm buying a raspberry pi pico just for the possibility this might unbrick my console.

 

[BaamAlex]

I am having the same problem. Looks like I was turning on and off my console way too much and the NAND became corrupted somehow; The console loads the Environment Loader and Tiramisu or Aroma, then the Wii U Logo, then it shows the "select user" screen, but if I select a user it gets stuck in an indefinite loop of background objects and pre-menu music until I turn off my Gamepad in which case the console freezes (alteratively, it automatically freezes if I select "add a new user" or to connect one to the Nintendo Network). I'm buying a raspberry pi pico just for the possibility this might unbrick my console.

When your chip is dying, then is there no workaround iirc. I don't want to say the chip is dying, but if that's the case, then you're out of luck.

 

[Danook28]

If the wii u gamepad show secreen menu and console not show any things but led blue Meaning it is bricked or some thing wrong on motherbord. It was mode by game ds from store.

Post automatically merged: Mar 11, 2023

If the wii u gamepad show secreen menu and console not show any things but led blue Meaning it is bricked or some thing wrong on motherbord. It was mode by game ds from store.

 

[BaamAlex]

If the wii u gamepad show secreen menu and console not show any things but led blue Meaning it is bricked or some thing wrong on motherbord. It was mode by game ds from store.

Post automatically merged: Mar 11, 2023

If the wii u gamepad show secreen menu and console not show any things but led blue Meaning it is bricked or some thing wrong on motherbord. It was mode by game ds from store.

Do you get a 160-0103 error Screen? Did you even have cbhc installed? Were the ds title deleted?

 

[Danook28]

Same you bro. What this meaning dead

thanks.

Post automatically merged: Mar 1, 2023

Here's the problem I'm encountering. Sorry for the bad video quality

Mmc?????

Post automatically merged: Mar 11, 2023

My friend go online on wii u and buy sonic game and update it. And i was add game on wii u by use usb and chose nand memory. Wiiu stock frist in lgo same to be try to go normal but still in logo.and sd i was change config txt for what mode boot frist... Wiiu get black secreen.

Do you get a 160-0103 error Screen? Did you even have cbhc installed? Were the ds title deleted?

No bro also i think game pad or console wifi chip need replace coz say to keep game pad neer console when synec them to gother msg say in photo. And.my friend format hardisk that have backup. And sd card he use it in other wiiu console so can have files from it if also not delet.

 

[Sombersnow]

Mmc?????

i have no idea

 

[2tailedfox]

Hello.
Bought a used wiiu and did a factory reset.
It booted and wanted me to login.
No matter if I try to use an existing account or create a new one it gets the 160-0103 error when it goes to the part about registering a Mii.
I did a workaround manual system update from older to 5.5.6 U (I'm in usa) and this didn't fix it.
I tried the stuff in this recovery tool and thay didn't fix it either.

While I haven't looked through the logs yet, I would bet that whatever Wup is launched to handle Miis (miiverse?) Is corrupted or was used for a hack before the format. Not really sure as it was used and didn't seem to be hacked or modded so far as I knew before the format (factory reset).

I even made a new account on a 2ds with a mii and all and same thing.

I have other wiiu including modded ones.
Is there a way to backup their mii wup and install it to this one with the wup installer in this tool or some other thing I could try?

Thanks in advance and if in the wrong place I am sorry.

 

[Danook28]

Is

Hello.
Bought a used wiiu and did a factory reset.
It booted and wanted me to login.
No matter if I try to use an existing account or create a new one it gets the 160-0103 error when it goes to the part about registering a Mii.
I did a workaround manual system update from older to 5.5.6 U (I'm in usa) and this didn't fix it.
I tried the stuff in this recovery tool and thay didn't fix it either.

While I haven't looked through the logs yet, I would bet that whatever Wup is launched to handle Miis (miiverse?) Is corrupted or was used for a hack before the format. Not really sure as it was used and didn't seem to be hacked or modded so far as I knew before the format (factory reset).

I even made a new account on a 2ds with a mii and all and same thing.

I have other wiiu including modded ones.
Is there a way to backup their mii wup and install it to this one with the wup installer in this tool or some other thing I could try?

Thanks in advance and if in the wrong place I am sorry.

your wiiu logo boot show in secreen or gamepad?

 

[2tailedfox]

Is

your wiiu logo boot show in secreen or gamepad?

Um. Yes. Both. Why?

 

[Danook28]

Use this https://gbatemp.net/threads/cbhc-unbrick-guide-without-soldering.613371/

Um. Yes. Both.

 

[2tailedfox]

If you had read what I wrote, you should have hopefully concluded that I already tried that and it did not fix the issue.

Use this https/gbatemp.net/threads/cbhc-unbrick-guide-without-soldering.613371/