It's been a while without any major exploits in the Wii U scene, so I present to you:

USB Descriptor Parsing Is Hard (UDPIH)​

An exploit for the Wii U's USB Host Stack. Pronounced like "mud pie" without the M.

The write-up can be found here!

What does this mean?​

Since the USB Stack is running before anything on the PPC side of the Wii U is booted, this allows unbricking things like CBHC bricks without any soldering!

Requirements​

• A Wii U
• One of the devices listed below
  Note: Any other linux device capable of USB device emulation should work as well.
  Prebuilt releases are only available for the Pico and Zero.
  I will add more devices below which are confirmed to work.

Supported devices:​

• A Raspberry Pi Pico or Zero
• A Nintendo Switch capable of running udpih_nxpayload

Instructions​

Pico​

• Download the latest udpih.uf2 from the releases page.
• Hold down the BOOTSEL button on the board and connect the Pico to your PC.
  Your PC will detect the Pi as a storage device.
• Copy the .uf2 file to the Pico. It will disconnect after a few seconds.

The Pico is now flashed and can be used for udpih. Continue with "Booting the recovery_menu" below.

Raspberry Pi Zero (Linux)​

• Install the required dependencies:
  

  sudo apt install build-essential raspberrypi-kernel-headers

• Clone the repo:

• git clone https://github.com/GaryOderNichts/udpih.git
  cd udpih

• Download the latest arm_kernel.bin.h from the releases page and copy it to the arm_kernel directory.
• Now build the kernel module:

• cd linux
  make

• You can now run sudo insmod udpih.ko to insert the kernel module into the kernel.

The Zero is now ready to be used for udpih.
Note that you'll need to insert the module again after rebooting the Zero. You will need 2 USB cables, one for powering the Zero and one which can be connected to the Wii U.

Continue with "Booting the recovery_menu" below.

Booting the recovery_menu​

Important notes for this to work:

• Make sure no other USB Devices are attached to the console.
• Only use USB ports on the front of the console, the back ports will not work.
• If your console has standby mode enabled, pull the power plug and turn it on from a full coldboot state.

• Copy the latest release of the recovery_menu to the root of your FAT32 formatted SD Card.
• Insert the SD Card into the console and power it on.
• As soon as you see the "Wii U" logo on the TV or Gamepad plug in your Zero/Pico.
  This timing is important. If you're already in the menu, the exploit won't work..
• After a few seconds you should be in the recovery menu.

So what's this recovery menu? The recovery menu allows you to fix several bricks:

Wii U Recovery Menu​

A simple recovery menu running on the IOSU for unbricking.

Options​

Set Coldboot Title
Allows changing the current title the console boots to.
Useful for unbricking CBHC bricks.
Possible options are:

• Wii U Menu (JPN) - 00050010-10040000
• Wii U Menu (USA) - 00050010-10040100
• Wii U Menu (EUR) - 00050010-10040200

On non-retail systems the following additional options are available:

• System Config Tool - 00050010-1F700500
• DEVMENU (pre-2.09) - 00050010-1F7001FF
• Kiosk Menu - 00050010-1FA81000

Dump Syslogs
Copies all system logs to a logs folder on the root of the SD Card.

Dump OTP + SEEPROM
Dumps the OTP and SEEPROM to otp.bin and seeprom.bin on the root of the SD Card.

Start wupserver
Starts wupserver which allows connecting to the console from a PC using wupclient.

Load Network Configuration
Loads a network configuration from the SD, and temporarily applies it to use wupserver.
The configurations will be loaded from a network.cfg file on the root of your SD.
For using the ethernet adapter, the file should look like this:

type=eth

For using wifi:

type=wifi
ssid=ssidhere
key=wifikeyhere
key_type=WPA2_PSK_AES

Pair Gamepad
Displays the Gamepad Pin and allows pairing a Gamepad to the system. Also bypasses any region checks while pairing.
The numeric values represent the following symbols: ♠ = 0, ♥ = 1, ♦ = 2, ♣ = 3.
Note that rebooting the system might be required to use the newly paired gamepad.

Install WUP
Installs a valid signed WUP from the install folder on the root of your SD Card.
Don't place the WUP into any subfolders.

Edit Parental Controls
Displays the current Parental Controls pin configuration.
Allows disabling Parental Controls.

Debug System Region
Fixes bricks caused by setting productArea and/or gameRegion to an invalid value. Symptoms include being unable to launch System Settings or other in-region titles.

System Information
Displays info about several parts of the system.
Including serial number, manufacturing date, console type, regions, memory devices...

Credits​

• @Maschell for the network configuration types
• @dimok789 for mocha
• @hexkyz for hexFW
• @rw-r-r-0644 for the lolserial code

Special thanks to Maschell, rw-r-r-0644, QuarkTheAwesome, vgmoose, exjam, dimok789, and everyone else who contributed to the Wii U scene!

 

[Augusta]

I have one that does the same thing, but hangs quicker than that. However it doesn't create a log file that I can grab from Recovery Menu. Not sure if there's something I'm doing wrong but I thought it was odd.

Very odd.
Just experienced the same thing.

Able to boot into recovery menu and took into account @V10lator recent post to wait a few minutes but log folder remains empty.

Unable to retrieve logs.
Thanks @lolorlofl for your update.

Post automatically merged: Mar 15, 2023

Hey, dumb question. Flashed the file to the rasperry pico and put the recovery on the SD Card.
After starting the wii u and instantly inserting the rasperry to the wii u, the wii u turns off .
Any solutions?

Post automatically merged: Mar 14, 2023

Nevermind it worked! Thank you!

What was the solution here?

 

[BanjoKazooieFan]

Very odd.
Just experienced the same thing.

Able to boot into recovery menu and took into account @V10lator recent post to wait a few minutes but log folder remains empty.

Unable to retrieve logs.
Thanks @lolorlofl for your update.

Post automatically merged: Mar 15, 2023

What was the solution here?

Well, I plugged in the rasperry pico too early (at the nintendo logo). After plugging it in at the wii u logo it worked!

 

[abal1000x]

@GaryOderNichts
Do you know that Nintendo open developer now like Android
https://developer.nintendo.com
This is great if i could create application in wiiu using official ecosystem.

 

[GaryOderNichts]

@GaryOderNichts
Do you know that Nintendo open developer now like Android
https://developer.nintendo.com
This is great if i could create application in wiiu using official ecosystem.

Not sure what you're trying to say with that message, but I have zero interests in joining the official developer program.

 

[GabCupim]

Greetings! Great topic.

Managed to get a Pico, successfully loaded Recovery Menu, tried a few options including set Coldboot to USA, but still getting 160-0103 after the logo.

What else can I try from the Recovery Menu? (saw on youtube a guy pairing his gamepad, tried and it paired, but still goes to 160-0103 after the Wii U logo, now also on the gamepad )

 

[V10lator]

@GabCupim Dump the logs, then zip and upload them.

 

[GabCupim]

@GabCupim Dump the logs, then zip and upload them.

Done! Thanks in advance

Read in some other topic that it might be corrupted EMMC, which I don't have a backup (it was a stock non-hacked 32Gb black model)
Read about a guy who physically swapped the EMMC for a 32GB SD card. Amazing, truly, but too much for me I guess

Gone?

 

[abal1000x]

Not sure what you're trying to say with that message, but I have zero interests in joining the official developer program.

Theres a lot of resources in download section for wiiu, that i think it might be usefull.

 

[V10lator]

Done!

Thanks. Now the bad news: There's definitely corruption on the MLC. Can't find a hint about a hardware defect through so this could just be filesystem corruption beyond repair. Normally I would suggest to flash back a NAND backup but

I don't have a backup

Anyway, let's wait what others say about this.

 

[LinkPlay]

Does this work for consoles that are bricked because they have been unused too long?

I've bought a used Wii U and I can open the menu, but when I open System settings or Mii-Maker I get 160-0103 Error. From the activity logs, I can tell the console was last used in 2021 and appears unmodded to me.

Should I buy a Pico to give it a shot, or is there no hope?

 

[mrmagicm]

LinkPlay, I think the "bricked because they have been unused too long?" is just a myth....one of my 4 wiiu was under Haxchi and didn't use it for 3 years, I read this myth, it was in 5.3 , so I tried to renew the console before it was too late....Well I was thinking that​

I did manage to update it to tiramisu, but I must admit, it was "harder" , It was harder than I tought, I did have the error 160-0103 Error but It wasn't the main problem, the main problem was that the system of my wiiU wouldn't update because I think the wiiU didn't want to update anymore from bloody european nintendo site To system 5.5.4
I asked for help here but no one knew......The solution was to launch environnement loader from Homebrew launcher, then réinstall latest tiramisu exploit, then I was able to erase the system, then switch the loader to wiiU Menu, then then I was able to update., so it wasn't easy.

 

[CrazySquid]

Does this work for consoles that are bricked because they have been unused too long?

I've bought a used Wii U and I can open the menu, but when I open System settings or Mii-Maker I get 160-0103 Error. From the activity logs, I can tell the console was last used in 2021 and appears unmodded to me.

Should I buy a Pico to give it a shot, or is there no hope?

If you have access to homebrew, then you can reinstall those titles using NUSSpli and it should be fixed.
However, NANDs start losing content after they have surpassed their read-write limit, after that they can retain data for up to 1 year, so I think that NAND will start failing in a greater extend sooner rather than later.

 

[crazillo]

I posted on my unsuccessful attempt to start the recovery process a while ago. No display of the recovery menu, but I now found some time and managed to extract my logs blindly. As I'm really not an expert, I would appreciate feedback and help as to what's up with my Wii U. A friend set up Homebrew for me years ago (I think it’s an older exploit with with .elf boot file using HackMii) and I'm stuck on the eternal Wii U screen (no matter if with the SD card inserted or not). I have BlueDump files though.

 

[GaryOderNichts]

I posted on my unsuccessful attempt to start the recovery process a while ago. No display of the recovery menu, but I now found some time and managed to extract my logs blindly. As I'm really not an expert, I would appreciate feedback and help as to what's up with my Wii U. A friend set up Homebrew for me years ago (I think it’s an older exploit with with .elf boot file using HackMii) and I'm stuck on the eternal Wii U screen (no matter if with the SD card inserted or not). I have BlueDump files though.

00:00:29:083: mdblk: err=-131090, mid=0x90, prv=0x5c, pnm=[HYNIX ]
00:00:29:094: mdblk: err=-131090, mid=0x90, prv=0x5c, pnm=[HYNIX ]
00:00:29:095: FSA: ### MEDIA ERROR ###, dev:mlc01, err:-2228230, cmd:10, path:/usr/title/00050000/101b4300/meta/iconTex.tga
00:00:29:111: mdblk: err=-131090, mid=0x90, prv=0x5c, pnm=[HYNIX ]
00:00:29:111: FSA: ### MEDIA ERROR ###, dev:mlc01, err:-2228230, cmd:10, path:/usr/title/00050000/101b4300/meta/iconTex.tga
00;00;28;991: FS: OPEN_FILE      upid:[ 2] sts:[MEDIA_ERROR] hnd:[0xffffffff] path:[/vol/storage_mlc01/usr/title/00050000/101b4300/meta/iconTex.tga] mode:[r] perm:[0x660] flag:[0x0] append:[0]
00;00;28;993: SystemFatal(core1)

This is one of the bad hynix EMMCs.

 

[crazillo]

00:00:29:083: mdblk: err=-131090, mid=0x90, prv=0x5c, pnm=[HYNIX ]
00:00:29:094: mdblk: err=-131090, mid=0x90, prv=0x5c, pnm=[HYNIX ]
00:00:29:095: FSA: ### MEDIA ERROR ###, dev:mlc01, err:-2228230, cmd:10, path:/usr/title/00050000/101b4300/meta/iconTex.tga
00:00:29:111: mdblk: err=-131090, mid=0x90, prv=0x5c, pnm=[HYNIX ]
00:00:29:111: FSA: ### MEDIA ERROR ###, dev:mlc01, err:-2228230, cmd:10, path:/usr/title/00050000/101b4300/meta/iconTex.tga
00;00;28;991: FS: OPEN_FILE      upid:[ 2] sts:[MEDIA_ERROR] hnd:[0xffffffff] path:[/vol/storage_mlc01/usr/title/00050000/101b4300/meta/iconTex.tga] mode:[r] perm:[0x660] flag:[0x0] append:[0]
00;00;28;993: SystemFatal(core1)

This is one of the bad hynix EMMCs.

Sucks to read it. Did this happen because I didn‘t hook the system up for many years? So I suppose I‘m out of luck then. Might go for a replacement unit in any case, the Gamepad still works well and I have so many retail games.

 

[Brawl345]

Did this happen because I didn‘t hook the system up for many years?

No has nothing to do with it (this was wrongly reported in the media). It's a defect in a few Hynix eMMCs that happens regardless of usage.

 

[crazillo]

No has nothing to do with it (this was wrongly reported in the media). It's a defect in a few Hynix eMMCs that happens regardless of usage.

I did read that the Hynix units have a higher failure rate than the other two manufacturers. But good to know that media report wasn‘t accurate.

That being said, the Wii U really is archaic in so many ways. Transferring accounts, save game management - ugh. I‘ll just get a replacement then just to be able to play all of my discs, even if it sucks. I suppose there‘s nothing else to be done by someone like me, right?

 

[Scresho]

Couldn't get it to work with the zero, but with my switch it worked directly..

Buuuut I now changed the coldboot title but cannot start the WiiU, its just the same error.. :/
Guess its dead then? Can I maybe do something else?

Thanks for your great work!

 

[2tailedfox]

Sorry for the long wait. I finally had the time to go through all the logs today. Here you go:

</menu>00:00:23:836: "00:00:23:836: [ACP]ERROR:LoadMetaXmlFromPath:1179: Unsupported meta.xml. Failed to load meta.xml from /vol/storage_mlc01/sys/title/00050010/10040000/meta/meta.xml.
00:00:23:836: [ACP]ERROR:CreateSaveDirInternalEx:2077: Cannot load meta.xml

The meta.xml from your Wii U menu is corrupted, make sure to reinstall it or restore the original meta files.

00:00:14:060: mmc_core card err: idx=3, lba=30609920, blks=256, xfer=0x1, ret=0x00200b40
00:00:14:114: mmc_core card err: idx=3, lba=30609920, blks=256, xfer=0x1, ret=0x00200b40
00:00:14:114: mdblk: err=-131099, mid=0x90, prv=0x5c, pnm=[HYNIX ]
00:00:14:156: mmc_core card err: idx=3, lba=30609920, blks=256, xfer=0x1, ret=0x00200b40
00:00:14:204: mmc_core card err: idx=3, lba=30609920, blks=256, xfer=0x1, ret=0x00200b40
00:00:14:204: mdblk: err=-131099, mid=0x90, prv=0x5c, pnm=[HYNIX ]
00:00:14:204: FSA: ### MEDIA ERROR ###, dev:mlc01, err:-2228230, cmd:26, path:/usr/boss
00:00:14:205: [ACP]ERROR:FlushQuota:770: Failed to flush quota "/vol/storage_mlc01/usr/boss/" (status: -196673)

Unfortunately this looks like eMMC failure. Not much you can do there as of now.

Hmm don't see anything wrong here, what is the issue you were having? Also make sure that all the logs have been dumped.

00;00;11;633: [barista-Process] Product {:program=>37529, :message=>42751, :programProj=>38946, :root=>38946, :sead=>37528, :resource=>38945}
00;00;11;633: [barista-Process] Cafe OS SDK Version 2.12.11 Build 66642 Branch

00;00;11;721: WPAD: Application Init
00;00;12;069:
OSPanic in "D:/home/Cafe/Barista_SdkUpdate/Library/Sead/engine/library/modules/src/basis/cafe/seadAssertCafe.cpp" at line 23 o

Your Wii U menu is failing an assert. Did you do any modifications to the system before that?


Your logs also aren't complete. The only thing out of the ordinary would be this though:

00;00;10;149: Read SysConfig Error code: category:32,code:-21
00;00;10;149: TVEReadRawEDID fail returns -17

Did you modify any xml files on the SLC?

Hopefully 3rd time is the charm.
From my first post "
Bought a used wiiu and did a factory reset.
It booted and wanted me to login.
No matter if I try to use an existing account or create a new one it gets the 160-0103 error when it goes to the part about registering a Mii.
I did a workaround manual system update from older to 5.5.6 U (I'm in usa) and this didn't fix it.
I tried the stuff in this recovery tool and that didn't fix it either."

Attached are another try at the logs.
Last time there were 13 logs plus their dsc files and a meta. This time there are 15 plus dscs plus meta.
If you expect more, I imagine it is because after the factory reset they were erased and because it never actually booted into the normal menu not all logs you'd expect were created. I did wait quite a long time as recommended.

I am not sure how you concluded nothing is wrong when even in the old logs I recall reading errors coming up in one or 2 of then at least which seemed to start when it tried to generate the eula. Originally I suspected the mii maker was corrupted, because it goes to the 0103 error screen at the step where you make a mii, but the logs seem to indicate it is not that but the eula.

Please let me know if anyone can help.
I imagine it shouldn't be super hard to fix if it is just replacing one corrupted file, I just don't know what file or how especially with no main menu access.

I can solder, just not bga chips, if that helps.

Thanks in advance

 

[GaryOderNichts]

Hopefully 3rd time is the charm.
From my first post "
Bought a used wiiu and did a factory reset.
It booted and wanted me to login.
No matter if I try to use an existing account or create a new one it gets the 160-0103 error when it goes to the part about registering a Mii.
I did a workaround manual system update from older to 5.5.6 U (I'm in usa) and this didn't fix it.
I tried the stuff in this recovery tool and that didn't fix it either."

Attached are another try at the logs.
Last time there were 13 logs plus their dsc files and a meta. This time there are 15 plus dscs plus meta.
If you expect more, I imagine it is because after the factory reset they were erased and because it never actually booted into the normal menu not all logs you'd expect were created. I did wait quite a long time as recommended.

I am not sure how you concluded nothing is wrong when even in the old logs I recall reading errors coming up in one or 2 of then at least which seemed to start when it tried to generate the eula. Originally I suspected the mii maker was corrupted, because it goes to the 0103 error screen at the step where you make a mii, but the logs seem to indicate it is not that but the eula.

Please let me know if anyone can help.
I imagine it shouldn't be super hard to fix if it is just replacing one corrupted file, I just don't know what file or how especially with no main menu access.

I can solder, just not bga chips, if that helps.

Thanks in advance

I assume you mean the ErrEula errors in the logs?
ErrEula is the error library of the Wii U used to display non-fatal errors and has nothing to do with the fatal errors like 160-0103. In this case the error in the logs was 102-2613, which seems to be an older NNID related error in the logs.

Logs 13 and onward show the following errors causing a fatal error though:

00:00:45:156: FSA: ### DATA CORRUPTION ERROR ###, dev:mlc01, err:-1245211, cmd:11, path:(null)
00:00:45:215: FSA: ### DATA CORRUPTION ERROR ###, dev:mlc01, err:-1245211, cmd:11, path:(null)
00:00:45:275: FSA: ### DATA CORRUPTION ERROR ###, dev:mlc01, err:-1245211, cmd:11, path:(null)
00:00:45:333: FSA: ### DATA CORRUPTION ERROR ###, dev:mlc01, err:-1245211, cmd:11, path:(null)
00:00:45:393: FSA: ### DATA CORRUPTION ERROR ###, dev:mlc01, err:-1245211, cmd:11, path:(null)
00;00;45;274: FS: READ_FILE      upid:[15] sts:[DATA_CORRUPTED] hnd:[0x3b606bc] dst:[0x2253a980] size:[1] cnt:[1048576] pos:[0]

I don't see any additional details though, which I was hoping for in the new logs, so this could either be a bad EMMC or just random corruption of the MLC.
Logs also don't show which file it is trying to read.