Front-page Hacking  Updated

UDPIH: USB Host Stack exploit + Recovery Menu

It's been a while without any major exploits in the Wii U scene, so I present to you:

USB Descriptor Parsing Is Hard (UDPIH)

An exploit for the Wii U's USB Host Stack. Pronounced like "mud pie" without the M.

The write-up can be found here!

What does this mean?​

Since the USB Stack is running before anything on the PPC side of the Wii U is booted, this allows unbricking things like CBHC bricks without any soldering!


Requirements​

  • A Wii U
  • One of the devices listed below
    Note: Any other linux device capable of USB device emulation should work as well.
    Prebuilt releases are only available for the Pico and Zero.
    I will add more devices below which are confirmed to work.

Supported devices:​

  • A Raspberry Pi Pico or Zero
  • A Nintendo Switch capable of running udpih_nxpayload

Instructions​

Pico​

  • Download the latest udpih.uf2 from the releases page.
  • Hold down the BOOTSEL button on the board and connect the Pico to your PC.
    Your PC will detect the Pi as a storage device.
  • Copy the .uf2 file to the Pico. It will disconnect after a few seconds.
The Pico is now flashed and can be used for udpih. Continue with "Booting the recovery_menu" below.

Raspberry Pi Zero (Linux)​

  • Install the required dependencies:
    Bash: 
    sudo apt install build-essential raspberrypi-kernel-headers
  • Clone the repo:
  • Bash: 
    git clone https://github.com/GaryOderNichts/udpih.git
cd udpih
  • Download the latest arm_kernel.bin.h from the releases page and copy it to the arm_kernel directory.
  • Now build the kernel module:
  • Bash: 
    cd linux
make
  • You can now run sudo insmod udpih.ko to insert the kernel module into the kernel.
The Zero is now ready to be used for udpih.
Note that you'll need to insert the module again after rebooting the Zero. You will need 2 USB cables, one for powering the Zero and one which can be connected to the Wii U.

Continue with "Booting the recovery_menu" below.

Booting the recovery_menu​

warning
Important notes for this to work:
  • Make sure no other USB Devices are attached to the console.
  • Only use USB ports on the front of the console, the back ports will not work.
  • If your console has standby mode enabled, pull the power plug and turn it on from a full coldboot state.
Click to expand...
  • Copy the latest release of the recovery_menu to the root of your FAT32 formatted SD Card.
  • Insert the SD Card into the console and power it on.
  • As soon as you see the "Wii U" logo on the TV or Gamepad plug in your Zero/Pico.
    This timing is important. If you're already in the menu, the exploit won't work..
  • After a few seconds you should be in the recovery menu.
So what's this recovery menu? The recovery menu allows you to fix several bricks:
screenshot

Wii U Recovery Menu

A simple recovery menu running on the IOSU for unbricking.

Options​

Set Coldboot Title
Allows changing the current title the console boots to.
Useful for unbricking CBHC bricks.
Possible options are:
  • Wii U Menu (JPN) - 00050010-10040000
  • Wii U Menu (USA) - 00050010-10040100
  • Wii U Menu (EUR) - 00050010-10040200
On non-retail systems the following additional options are available:
  • System Config Tool - 00050010-1F700500
  • DEVMENU (pre-2.09) - 00050010-1F7001FF
  • Kiosk Menu - 00050010-1FA81000
Dump Syslogs
Copies all system logs to a logs folder on the root of the SD Card.

Dump OTP + SEEPROM
Dumps the OTP and SEEPROM to otp.bin and seeprom.bin on the root of the SD Card.

Start wupserver
Starts wupserver which allows connecting to the console from a PC using wupclient.

Load Network Configuration
Loads a network configuration from the SD, and temporarily applies it to use wupserver.
The configurations will be loaded from a network.cfg file on the root of your SD.
For using the ethernet adapter, the file should look like this:
Code: 
type=eth

For using wifi:
Code: 
type=wifi
ssid=ssidhere
key=wifikeyhere
key_type=WPA2_PSK_AES

Pair Gamepad
Displays the Gamepad Pin and allows pairing a Gamepad to the system. Also bypasses any region checks while pairing.
The numeric values represent the following symbols: ♠ = 0, ♥ = 1, ♦ = 2, ♣ = 3.
Note that rebooting the system might be required to use the newly paired gamepad.

Install WUP
Installs a valid signed WUP from the install folder on the root of your SD Card.
Don't place the WUP into any subfolders.

Edit Parental Controls
Displays the current Parental Controls pin configuration.
Allows disabling Parental Controls.

Debug System Region
Fixes bricks caused by setting productArea and/or gameRegion to an invalid value. Symptoms include being unable to launch System Settings or other in-region titles.

System Information
Displays info about several parts of the system.
Including serial number, manufacturing date, console type, regions, memory devices...

Credits​

Special thanks to Maschell, rw-r-r-0644, QuarkTheAwesome, vgmoose, exjam, dimok789, and everyone else who contributed to the Wii U scene!
 
Last edited by GaryOderNichts,
  • Like
  • Love
  • Wow
Reactions: johsam, rommy667, 3EGaming and 173 others
Click to expand...
GaryOderNichts

GaryOderNichts

Well-Known Member
OP
Member
Level 16
Joined
Aug 9, 2018
Messages
792
Trophies
1
XP
5,487
Country
Germany
agiese394 said:
Hello,
I am having some issues with a Wiiu I have recently purchased. It was bricked, and stuck on wii U logo. I don(t know if someone tried to hack it.
I was able to enter the recovery menu using udpih, but unfortunately I have no display. I do have the purple light and was able to dump the syslogs and the OTP.bin file by navigating blindly. I have tried to set the coldboot title, but the wii is still stuck on wii logo. I have also tried the recovery menu_dc_init with no success. The wii is trying to display something but the display is messed up.
Here are my logs. can anyone tell me what's wrong? Any help would be appreciated.
Click to expand...
Code: 
00:00:08:288: FSA: ### DATA CORRUPTION ERROR ###, dev:mlc01, err:-1245211, cmd:11, path:(null)
00:00:08:288: failed to read file /vol/storage_mlc01/sys/title/0005001b/10042400/content/CafeCn.ttf, err -196635
00;00;08;174: ***LoadShared - WaitLoadComplete(8388608,4721996) failed with error -196635 on file "CafeCn.ttf".
00:00:08:421: FSA: ### DATA CORRUPTION ERROR ###, dev:mlc01, err:-1245211, cmd:11, path:(null)
00:00:08:421: failed to read file /vol/storage_mlc01/sys/title/0005001b/10042400/content/CafeKr.ttf, err -196635
00;00;08;301: ***LoadShared - WaitLoadComplete(0,2260660) failed with error -196635 on file "CafeKr.ttf".
Code: 
00:00:25:417: mmc_core card err: idx=3, lba=55083264, blks=256, xfer=0x1, ret=0x00200b40
00:00:25:471: mmc_core card err: idx=3, lba=55083264, blks=256, xfer=0x1, ret=0x00200b40
00:00:25:472: mdblk: err=-131099, mid=0x90, prv=0x5c, pnm=[HYNIX ]
00:00:25:535: mmc_core card err: idx=3, lba=55083520, blks=256, xfer=0x1, ret=0x00200b40
00:00:25:606: mmc_core card err: idx=3, lba=55083520, blks=256, xfer=0x1, ret=0x00200b40
00:00:25:606: mdblk: err=-131099, mid=0x90, prv=0x5c, pnm=[HYNIX ]
This unfortunately looks like a dead eMMC.
 
agiese394

agiese394

New Member
Newbie
Level 1
Joined
Nov 27, 2022
Messages
2
Trophies
0
Age
42
XP
22
Country
France
GaryOderNichts said:
Code: 
00:00:08:288: FSA: ### DATA CORRUPTION ERROR ###, dev:mlc01, err:-1245211, cmd:11, path:(null)
00:00:08:288: failed to read file /vol/storage_mlc01/sys/title/0005001b/10042400/content/CafeCn.ttf, err -196635
00;00;08;174: ***LoadShared - WaitLoadComplete(8388608,4721996) failed with error -196635 on file "CafeCn.ttf".
00:00:08:421: FSA: ### DATA CORRUPTION ERROR ###, dev:mlc01, err:-1245211, cmd:11, path:(null)
00:00:08:421: failed to read file /vol/storage_mlc01/sys/title/0005001b/10042400/content/CafeKr.ttf, err -196635
00;00;08;301: ***LoadShared - WaitLoadComplete(0,2260660) failed with error -196635 on file "CafeKr.ttf".
Code: 
00:00:25:417: mmc_core card err: idx=3, lba=55083264, blks=256, xfer=0x1, ret=0x00200b40
00:00:25:471: mmc_core card err: idx=3, lba=55083264, blks=256, xfer=0x1, ret=0x00200b40
00:00:25:472: mdblk: err=-131099, mid=0x90, prv=0x5c, pnm=[HYNIX ]
00:00:25:535: mmc_core card err: idx=3, lba=55083520, blks=256, xfer=0x1, ret=0x00200b40
00:00:25:606: mmc_core card err: idx=3, lba=55083520, blks=256, xfer=0x1, ret=0x00200b40
00:00:25:606: mdblk: err=-131099, mid=0x90, prv=0x5c, pnm=[HYNIX ]
This unfortunately looks like a dead eMMC.
Click to expand...
Thanks! It sounds like I am out of luck. Any hope in the future to fix this?
 
VinicimJF

VinicimJF

Member
Newcomer
Level 1
Joined
Dec 27, 2021
Messages
12
Trophies
0
Age
24
XP
85
Country
Brazil
CrazySquid said:
OMG, I MANAGED TO UNBRICK MY CONSOLE. After more than 1 month of trying... I did it.


...And I can't believe it, but the problem was on Mii Maker. The folder had the app, but the .rpx was gone, alongside the meta folder... which is pretty weird because NOT in my sane juice I would mess with it, this app is not useless like, say, Nintendo TVii. Plus I know that the app was used for HBL.


I honestly don't know what happened because I'm fairly sure I didn't mess with Mii Maker, and even if somehow I choose that folder instead of TVii or Wii U Chat, I would have deleted the whole thing without leaving any file behind.

If you ask how the heck I figured out the problem was on Mii Maker, it's because I had a NAND backup from 2018 and other from 2020. I dumped my current state NAND using wupserver (was a pain in the ass, the transfer speeds were terribly slow, also a lot of crashes), then I decrypted my backuped MLC, and finally I compared both my current NAND files and the old backup, using WinMerge to check files integrity. After installing Mii Maker again... bom, console booted again.

Man, I can't believe I finally have my console working again, I was a freaking month and half thinking on this that I even dreamed with my Wii U lmao.

Just a warning, I think this happened because I used WiiUFtpServer by Laf111, while I can't say for sure his app was the culprit or not, this NEVER happened to me before... which makes me believe it might had been.
I messed with FTP a lot of times, plus, I never touched Mii Maker on my own, I'm fairly sure I deleted the WHOLE TVii and Wii U Chat folders. Nothing more.
So yeah, at least on my side, I'm back to using FTPiiU and WinSCP, I have never got issues with those two aside from having to reconnect from time to time. Besides I'm trying Aroma and has a native FTPiiU plugin maintended by Maschell :)

Thanks a lot Gary for this app, my Wii U would be in the trash bin if it weren't by you and your recovery menu, really, thanks a lot!

Wish someday the Wii U scene to advance to the point of having a Wii-like brick protection, ala BootMii as boot2 where you could just restore your NAND and everything is dandy again.

That's my experience, hope it helps someone out there.
Click to expand...
Where you get miimaker files to reinstall?
I have tha same problem of you, but in my case is The wiiu menu files The problem.
 
C

CrazySquid

Well-Known Member
Member
Level 6
Joined
May 27, 2017
Messages
213
Trophies
0
XP
831
Country
GaryOderNichts said:
Code: 
00:00:08:288: FSA: ### DATA CORRUPTION ERROR ###, dev:mlc01, err:-1245211, cmd:11, path:(null)
00:00:08:288: failed to read file /vol/storage_mlc01/sys/title/0005001b/10042400/content/CafeCn.ttf, err -196635
00;00;08;174: ***LoadShared - WaitLoadComplete(8388608,4721996) failed with error -196635 on file "CafeCn.ttf".
00:00:08:421: FSA: ### DATA CORRUPTION ERROR ###, dev:mlc01, err:-1245211, cmd:11, path:(null)
00:00:08:421: failed to read file /vol/storage_mlc01/sys/title/0005001b/10042400/content/CafeKr.ttf, err -196635
00;00;08;301: ***LoadShared - WaitLoadComplete(0,2260660) failed with error -196635 on file "CafeKr.ttf".
Code: 
00:00:25:417: mmc_core card err: idx=3, lba=55083264, blks=256, xfer=0x1, ret=0x00200b40
00:00:25:471: mmc_core card err: idx=3, lba=55083264, blks=256, xfer=0x1, ret=0x00200b40
00:00:25:472: mdblk: err=-131099, mid=0x90, prv=0x5c, pnm=[HYNIX ]
00:00:25:535: mmc_core card err: idx=3, lba=55083520, blks=256, xfer=0x1, ret=0x00200b40
00:00:25:606: mmc_core card err: idx=3, lba=55083520, blks=256, xfer=0x1, ret=0x00200b40
00:00:25:606: mdblk: err=-131099, mid=0x90, prv=0x5c, pnm=[HYNIX ]
This unfortunately looks like a dead eMMC.
Click to expand...

All Hynix units, I wonder why the hell those are breaking up, didn't Nintendo at least tried to make those NAND's specs to match the other ones like Samsung or Toshiba units?
Also not sure if that could also happen by not powering them up in a very long time...

VinicimJF said:
Where you get miimaker files to reinstall?
I have tha same problem of you, but in my case is The wiiu menu files The problem.
Click to expand...
https://gbatemp.net/threads/relase-...tive-to-wii-u-usb-helper.621432/#post-9988710

Try that app, maybe you can try to get the files from there.
In my case I downloaded them using Cemu and WUPDownloader, but that was because I didn't figure out that other apps where available, without the need to use my weird combination to get the files.
 
xxMAGRAOxx

xxMAGRAOxx

Member
Newcomer
Level 2
Joined
Mar 23, 2019
Messages
11
Trophies
0
Age
36
XP
168
Country
Brazil
Awesome job. Please anyone help me if this work in my case. Stucks in 80% and the genius here shutdown while system 5.5.6 update. Now, when I turn it on, the gamepad doesn’t sync, the disc drive makes booting noises twice and there’s just a black screen.
 
kcmortis39

kcmortis39

New Member
Newbie
Level 1
Joined
Dec 5, 2022
Messages
1
Trophies
0
Age
42
XP
13
Country
United States
So i've tried the installing the pico at the right time, screen either gets stuck at wii u logo or wii u itself shuts off after i put the pico in the usb port. Any idea what i could be doing wrong?
 
xxMAGRAOxx

xxMAGRAOxx

Member
Newcomer
Level 2
Joined
Mar 23, 2019
Messages
11
Trophies
0
Age
36
XP
168
Country
Brazil
netsurf012 said:
I have fixed my Wii U today. I've updated both system.xml and sys_prod.xml for regionhax experiment. Stuck at Wii U logo. Loaded UDPIH but no recovery menu but the power LED turned purple. This signal meant the recovery menu thread was loaded. Tried following blind operation to enable WUP server based on the latest 0.4 recovery menu.

Copy recovery_menu and prepare your network config as described in this repo: https://github.com/GaryOderNichts/recovery_menu

- Press EJECT 4 times to go to Load Network Configuration menu.
- Press POWER to enter.
- Press EJECT to exit to main menu.
- Press EJECT 10 times to go to Start wupserver menu.
- Press POWER to enter.

Use wupclient.py to restore your original files or update system files.
Click to expand...
@netsurf012 help me with a little question. How manny seconds you wait to put the raspaberry in usb? I'm try many times here and nothing. Try in another wii u and successfully loaded.
 
T

tiger1234

Active Member
Newcomer
Level 1
Joined
Nov 30, 2022
Messages
29
Trophies
0
Age
32
XP
73
Country
India
can anyone help about this?? Will this unbricking method by recovery mode will work in wii u black screen of death???...(for those unknown to wii u black screen of death it happens when wii u is shut down manually during updates it corrupts os of wii u and system dosent boots after powering on due to missing or corrupt os files inspite led turns blue and fan also works . no screen comes on tv only black screen gamepad dosent sync as well...its obviously a software issue if somehow we can enter recovery menu in this scenario the console can be unbricked any suggesion or help will be highly appretiated regards
 
T

tiger1234

Active Member
Newcomer
Level 1
Joined
Nov 30, 2022
Messages
29
Trophies
0
Age
32
XP
73
Country
India
BaamAlex said:
Why the hell do you turn off the console during an update? Then it makes sense that you make a mess inside your wii u.
Click to expand...
@BaamAlex you are right but its not me who did it it was former owner i received the unit as broken for couple of dollars ..since nothing to lose i want to know if there is a way to enter recovery mode in wii u blacl screen of death scenario
 
xxMAGRAOxx

xxMAGRAOxx

Member
Newcomer
Level 2
Joined
Mar 23, 2019
Messages
11
Trophies
0
Age
36
XP
168
Country
Brazil
BaamAlex said:
Why the hell do you turn off the console during an update? Then it makes sense that you make a mess inside your wii u.
Click to expand...
Becouse the update stucks for HOURS without progress?? Or Maybe the power down of home? By the way. Thanks for your contribution :sleep:
 
T

tiger1234

Active Member
Newcomer
Level 1
Joined
Nov 30, 2022
Messages
29
Trophies
0
Age
32
XP
73
Country
India
xxMAGRAOxx said:
Becouse the update stucks for HOURS without progress?? Or Maybe the power down of home? By the way. Thanks for your contribution :sleep:
Click to expand...
i think its only software issue some files missing in os ...if these guys can guide to get into recovery mode its v much possible to unbrick the black screen of death issue in the wii u ...only access to recovery menu is required somehow like gary discovered the cbhc unbrick method


by the way buddy you got that lan adaptor have u tried ??? lan adaptor recovery? ??i tried but no success i doubt about the success of this process itself
 
xxMAGRAOxx

xxMAGRAOxx

Member
Newcomer
Level 2
Joined
Mar 23, 2019
Messages
11
Trophies
0
Age
36
XP
168
Country
Brazil
tiger1234 said:
by the way buddy you got that lan adaptor have u tried ??? lan adaptor recovery? ??i tried but no success i doubt about the success of this process itself
Click to expand...
I'm still waiting for. I have tried the method recovery menu, but without success. My idea is to upload by wupserver the "missing files OS". But i have no idea what i'm doing
 
omdenix

omdenix

New Member
Newbie
Level 1
Joined
Dec 14, 2022
Messages
4
Trophies
0
Age
24
XP
33
Country
Turkey
I have bricked wii u with 0103 error code(non moded 32 gb ver.) I am assuming that it is a hardware failiure. I used to be access to vWii but I changed setting in the account menu and cannot access to anything. It shows profile selection and then if I click to a profile, my system gives me a 160-0103 error. I am working everyday to come up with a fix. Its been a week now. I read every reply in here. It is quite exciting actually 😀. I am thinking about can we get a v0.5 update for with fixing corrupted system titles ( mii maker, system preferences, wii u menu..) like fixing coldboot title. Because I am trying to install those corrupted titles using WUP installer but I got theese errors. I know it could be hardware related. The voice inside of me still says it is going to be fixed somehow. So I am trying my best. I hope someone would reply to this. Rednand might be a hard thing to fix but I believe that there is a people out there waiting and hoping to be fixed. Also I am very excited about homebrew stuff in recovery on the next versions.
 

Attachments

  • FF2BC05F-6673-4D79-A8B5-0F95C423F02A.jpeg
    FF2BC05F-6673-4D79-A8B5-0F95C423F02A.jpeg
    1.4 MB · Views: 53
  • 6099C541-FFDA-4E03-AFB3-9D11489B1073.jpeg
    6099C541-FFDA-4E03-AFB3-9D11489B1073.jpeg
    1.3 MB · Views: 48
J

jedi23

Member
Newcomer
Level 2
Joined
Oct 15, 2020
Messages
22
Trophies
0
Age
39
XP
148
Country
Germany
I tried to run the recovery on a japanese Wii U to bypasses any region checks and pair my gamepad with it. However, I was not successful to get into the recovery menu. I tried different FAT32 formatted SD cards, I reflashed the pico again, changed my timing to plug in the pico many times, ... in all my attempts the console just boots normally...
Does this recovery menu also works with jap. consoles or what did I do wrong?
 

Site & Scene News

Go to forum More news

Popular threads in this forum

Hardware Tutorial  MLC2SD - A Wii U NAND (eMMC) Replacement Interposer

A really, REALLY old browser exploit (for 5.3.2)?

Gaming  Online services for the 3DS and Wii U have been shutdown. Here is how to get back online!

Wii U after try to change region has no video signal, and no game pad synced

Hacking Hardware  Wii U No Display (Logs dumped)

Simpson's Hit & Run Wiiu

Homebrew  Huevo's Vault | Wii U Themes

Watch videos on Wii U, offline, saved on SD?

General chit-chat
Help Users
  • No one is chatting at the moment.
    Psionic Roshambo @ Psionic Roshambo: https://www.youtube.com/@legolambs