UDPIH: USB Host Stack exploit + Recovery Menu

It's been a while without any major exploits in the Wii U scene, so I present to you:

USB Descriptor Parsing Is Hard (UDPIH)

An exploit for the Wii U's USB Host Stack. Pronounced like "mud pie" without the M.

The write-up can be found here!

What does this mean?​

Since the USB Stack is running before anything on the PPC side of the Wii U is booted, this allows unbricking things like CBHC bricks without any soldering!


Requirements​

  • A Wii U
  • One of the devices listed below
    Note: Any other linux device capable of USB device emulation should work as well.
    Prebuilt releases are only available for the Pico and Zero.
    I will add more devices below which are confirmed to work.

Supported devices:​

  • A Raspberry Pi Pico or Zero
  • A Nintendo Switch capable of running udpih_nxpayload

Instructions​

Pico​

  • Download the latest udpih.uf2 from the releases page.
  • Hold down the BOOTSEL button on the board and connect the Pico to your PC.
    Your PC will detect the Pi as a storage device.
  • Copy the .uf2 file to the Pico. It will disconnect after a few seconds.
The Pico is now flashed and can be used for udpih. Continue with "Booting the recovery_menu" below.

Raspberry Pi Zero (Linux)​

  • Install the required dependencies:
    Bash:
    sudo apt install build-essential raspberrypi-kernel-headers
  • Clone the repo:
  • Bash:
    git clone https://github.com/GaryOderNichts/udpih.git
    cd udpih
  • Download the latest arm_kernel.bin.h from the releases page and copy it to the arm_kernel directory.
  • Now build the kernel module:
  • Bash:
    cd linux
    make
  • You can now run sudo insmod udpih.ko to insert the kernel module into the kernel.
The Zero is now ready to be used for udpih.
Note that you'll need to insert the module again after rebooting the Zero. You will need 2 USB cables, one for powering the Zero and one which can be connected to the Wii U.

Continue with "Booting the recovery_menu" below.

Booting the recovery_menu​

warning
Important notes for this to work:
  • Make sure no other USB Devices are attached to the console.
  • Only use USB ports on the front of the console, the back ports will not work.
  • If your console has standby mode enabled, pull the power plug and turn it on from a full coldboot state.
  • Copy the latest release of the recovery_menu to the root of your FAT32 formatted SD Card.
  • Insert the SD Card into the console and power it on.
  • As soon as you see the "Wii U" logo on the TV or Gamepad plug in your Zero/Pico.
    This timing is important. If you're already in the menu, the exploit won't work..
  • After a few seconds you should be in the recovery menu.
So what's this recovery menu? The recovery menu allows you to fix several bricks:
screenshot

Wii U Recovery Menu

A simple recovery menu running on the IOSU for unbricking.

Options​

Set Coldboot Title
Allows changing the current title the console boots to.
Useful for unbricking CBHC bricks.
Possible options are:
  • Wii U Menu (JPN) - 00050010-10040000
  • Wii U Menu (USA) - 00050010-10040100
  • Wii U Menu (EUR) - 00050010-10040200
On non-retail systems the following additional options are available:
  • System Config Tool - 00050010-1F700500
  • DEVMENU (pre-2.09) - 00050010-1F7001FF
  • Kiosk Menu - 00050010-1FA81000
Dump Syslogs
Copies all system logs to a logs folder on the root of the SD Card.

Dump OTP + SEEPROM
Dumps the OTP and SEEPROM to otp.bin and seeprom.bin on the root of the SD Card.

Start wupserver
Starts wupserver which allows connecting to the console from a PC using wupclient.

Load Network Configuration
Loads a network configuration from the SD, and temporarily applies it to use wupserver.
The configurations will be loaded from a network.cfg file on the root of your SD.
For using the ethernet adapter, the file should look like this:
Code:
type=eth

For using wifi:
Code:
type=wifi
ssid=ssidhere
key=wifikeyhere
key_type=WPA2_PSK_AES

Pair Gamepad
Displays the Gamepad Pin and allows pairing a Gamepad to the system. Also bypasses any region checks while pairing.
The numeric values represent the following symbols: ♠ = 0, ♥ = 1, ♦ = 2, ♣ = 3.
Note that rebooting the system might be required to use the newly paired gamepad.

Install WUP
Installs a valid signed WUP from the install folder on the root of your SD Card.
Don't place the WUP into any subfolders.

Edit Parental Controls
Displays the current Parental Controls pin configuration.
Allows disabling Parental Controls.

Debug System Region
Fixes bricks caused by setting productArea and/or gameRegion to an invalid value. Symptoms include being unable to launch System Settings or other in-region titles.

System Information
Displays info about several parts of the system.
Including serial number, manufacturing date, console type, regions, memory devices...

Credits​

Special thanks to Maschell, rw-r-r-0644, QuarkTheAwesome, vgmoose, exjam, dimok789, and everyone else who contributed to the Wii U scene!
 
Last edited by GaryOderNichts,

V10lator

Well-Known Member
Member
Joined
Apr 21, 2019
Messages
2,585
Trophies
1
Age
36
XP
5,366
Country
Germany

crazillo

Member
Newcomer
Joined
Jan 17, 2023
Messages
5
Trophies
0
Age
36
XP
23
Country
Germany
Do you have a NAND backup and some basic soldering skills? There is a mod to replace the eMMC with a simple SD card and it doesn't seem to be that hard to do (you don't even have to solder the eMMC out).

//EDIT: See LINK for more informations about this mod.
You mean the MLC? No, Unfortunately I don't think I have the NAND backup. Didn't know about the SD card solution though, that's actually slick...

What I find a bit surprising is that I didn't get any error codes on screen at all.

I really appreciate the attempt to help! But I guess I'll just have to go for a replacement unit then. Just sucks for the savefiles and activity logs mostly. A good friend always heavily criticized the way Nintendo handeled the account system on the Wii U, and I must say he was right in retrospect.
 
Last edited by crazillo,

GabCupim

Member
Newcomer
Joined
Sep 29, 2022
Messages
7
Trophies
0
Age
39
Location
Belo Horizonte
XP
82
Country
Brazil
Thanks. Now the bad news: There's definitely corruption on the MLC. Can't find a hint about a hardware defect through so this could just be filesystem corruption beyond repair. Normally I would suggest to flash back a NAND backup but

:(

Anyway, let's wait what others say about this.
Thank you anyway @V10lator! I'll just accept it's gone. It served me well! :bow:
 

Barracuda

Active Member
Newcomer
Joined
Jan 6, 2020
Messages
44
Trophies
0
Age
45
XP
731
Country
Spain
I have a problem with nintendo switch UDPIH not patched. In the last row they all give me 0x4 and I don't see the recovery menu.
 

viledisgorgement

New Member
Newbie
Joined
Nov 3, 2022
Messages
3
Trophies
0
Age
33
XP
45
Country
United States
I'm guessing my Wii U has some serious corruption since I can't get it to output video anywhere. I'm able to blindly load the recovery menu and was able to grab the logs. I tried setting the cold boot title a few times to no avail. It ends up just getting stuck infinitely on the Wii U logo on the gamepad. Tried a few SD cards, Raspberry Pi Pico and Hacked Switch. Anyone have any ideas based on these logs?
 

Attachments

  • logs.zip
    66.5 KB · Views: 20

Maschell

Well-Known Member
Member
Joined
Jun 14, 2008
Messages
1,090
Trophies
2
XP
4,634
Country
Germany
I'm guessing my Wii U has some serious corruption since I can't get it to output video anywhere. I'm able to blindly load the recovery menu and was able to grab the logs. I tried setting the cold boot title a few times to no avail. It ends up just getting stuck infinitely on the Wii U logo on the gamepad. Tried a few SD cards, Raspberry Pi Pico and Hacked Switch. Anyone have any ideas based on these logs?
Your NAND (HYNIX) is dead
0:00:05:188: mmc_core card err: idx=3, lba=55252992, blks=1024, xfer=0x1, ret=0x00200b40
00:00:05:228: mmc_core card err: idx=3, lba=55252992, blks=1024, xfer=0x1, ret=0x00200b40
00:00:05:228: mdblk: err=-131099, mid=0x90, prv=0x5c, pnm=[HYNIX ]
00:00:05:288: FSA: ### MEDIA ERROR ###, dev:mlc01, err:-2228230, cmd:11, pathnull)
00:00:05:288: failed to read file /vol/storage_mlc01/sys/title/0005001b/10042400/content/CafeCn.ttf, err -196673
00;00;05;168: ***LoadShared - WaitLoadComplete(8388608,4721996) failed with error -196673 on file "CafeCn.ttf".
00:00:05:618: NET: Change admin state (1 -> 2)(iface:0 link:2)
00:00:05:737: mmc_core card err: idx=3, lba=55283712, blks=1024, xfer=0x1, ret=0x00200b40
00:00:05:775: mmc_core card err: idx=3, lba=55283712, blks=1024, xfer=0x1, ret=0x00200b40
00:00:05:775: mdblk: err=-131099, mid=0x90, prv=0x5c, pnm=[HYNIX ]
00:00:05:808: mmc_core card err: idx=3, lba=55284736, blks=1024, xfer=0x1, ret=0x00200b40
00:00:05:846: mmc_core card err: idx=3, lba=55284736, blks=1024, xfer=0x1, ret=0x00200b40
00:00:05:846: mdblk: err=-131099, mid=0x90, prv=0x5c, pnm=[HYNIX ]
00:00:06:126: FSA: ### MEDIA ERROR ###, dev:mlc01, err:-2228230, cmd:11, pathnull)
00:00:06:126: failed to read file /vol/storage_mlc01/sys/title/0005001b/10042400/content/CafeTw.ttf, err -196673
00;00;06;006: ***LoadShared - WaitLoadComplete(0,8229724) failed with error -196673 on file "CafeTw.ttf".
 
  • Like
Reactions: susi91

tryingtofixmywiiu

New Member
Newbie
Joined
Mar 26, 2023
Messages
2
Trophies
0
Age
29
XP
13
Country
Spain
Hey Gary, my Wii U is a black color model and the european region model (im in europe) and i copied the recovery menu into my sd card and plugged the sd card into the wii u, when i booted my wii u the recovery menu didn’t appear and it’s as if i never plugged an sd card. I have the error 0103 brick and the reason my wii u bricked is because back in my teen self thought it was a good idea to do haxchi coldboot without knowdlege and with a youtube tutorial because i was tired of launching homebrew through internet and not in a direct boot (dumb decision), when my wii u bricked i searched for solutions for years but nothing, yesterday i was looking into my old boxes and things then i found my wii u laying in one of my boxes, i tried to look again for a solution and came to this post but as i said the recovery menu did not appear in the wii u, it’s just the common wii u logo with the white background then the error displaying, do i need to put something else or something more in the sd card or is my wii u unfixable?? Also I don’t have the gamepad as i sold it years ago and neither a pico, but i do have a switch the issue is that it’s patched and its a 2017 model, i saw that you can interact with the recovery menu with the power and eject buttons so i hope i don’t need any pico or anything like that. what should i do?
 
Last edited by tryingtofixmywiiu,

V10lator

Well-Known Member
Member
Joined
Apr 21, 2019
Messages
2,585
Trophies
1
Age
36
XP
5,366
Country
Germany
can i use usb pendrive instead to do it?
No. UDPIH (the thing exploiting the Wii Us USB stack) is short for "USB Descriptor Parsing Is Hard" (cause Nintendo f***ed up USB descriptor parsing), so you need a device able to fake USB descriptors. Not only one of them but multiple in a row. A Pico can do this with ease, a unpatched Switch can do so, too. A RPI zero can do it also. A few other linux based SBCs can do so, too, and for all of them UDPIH is available.

//EDIT: Also the recovery menu needs to be on the SD card no matter what. UDPIH is just kind of a stage loader exploiting the Wii Us USB stack and loading the recovery menu from the SD card.
 
Last edited by V10lator,

dvdpenachio

New Member
Newbie
Joined
Mar 31, 2023
Messages
1
Trophies
0
Age
32
XP
13
Country
United States
Hoping to get some help.. I'm having a similar issue.. my Wii U is stuck on the "Delete and Erase All Content" screen after about 15secs. I was able to get logs, using the recovery_menu. If someone would be able to look at them it would be much appreciated!
 

Attachments

  • logs.zip
    5.9 KB · Views: 16
  • Like
Reactions: Augusta

Knot51

Member
Newcomer
Joined
Apr 2, 2023
Messages
9
Trophies
0
Age
36
XP
76
Country
Poland
Hello . i managed to enter the recovery menu with my switch . i have the error code 160-0101 , i did the coldboot title got a succes message restarted the console but it still goes to the error code 160-0101 , im attaching logs. before the brick console was on latest tiramisu, my sd card went corrupt so i used "deccafinator" app to restore my vWii and then it went into the error code above , i looked at the logs but couldnt find anything related "memory error" "corruption" etc


Edit: Sorry it was false alarm, the code showed because i had a WII game in the Drive . when i took out the game wiiu boots no problem

 

Attachments

  • logs.zip
    377.5 KB · Views: 14
Last edited by Knot51,

godreborn

Welcome to the Machine
Member
Joined
Oct 10, 2009
Messages
38,471
Trophies
3
XP
29,103
Country
United States

pankos

Member
Newcomer
Joined
Nov 29, 2022
Messages
15
Trophies
0
Age
41
XP
167
Country
Finland
you don't need to pair a gamepad with the recovery menu. it uses the controls on the system itself, eject and power iirc.
I can't understand you point. My wiiu doesn't have any tv output and it is not paired with any gamepad. Connecting gamepad would allow to play at least some games on it and maybe change tv output settings. Of course if console is still alive. I hope it is, as I am able to dump system logs navigating UDPIH blindly.
 

BaamAlex

UDE GA NARU ZE!
Member
Joined
Jul 23, 2018
Messages
6,010
Trophies
1
Age
28
Location
Lampukistan
Website
hmpg.net
XP
6,082
Country
Germany
I can't understand you point. My wiiu doesn't have any tv output and it is not paired with any gamepad. Connecting gamepad would allow to play at least some games on it and maybe change tv output settings. Of course if console is still alive. I hope it is, as I am able to dump system logs navigating UDPIH blindly.
He meant that you can use the recovery without the gamepad. For most of the games, a gamepad is required. That's right. But that's not the point here.
 

V10lator

Well-Known Member
Member
Joined
Apr 21, 2019
Messages
2,585
Trophies
1
Age
36
XP
5,366
Country
Germany
He meant that you can use the recovery without the gamepad. For most of the games, a gamepad is required.
The user in question said that HDMI isn't working, so impossible to pair a gamepad and as a result impossible to use the Wii U.

@pankos A version of the recovery menu which dumps the pairing code to the SD card is in the works. With this you should be able to pair the gamepad blindly.
 

pankos

Member
Newcomer
Joined
Nov 29, 2022
Messages
15
Trophies
0
Age
41
XP
167
Country
Finland
The user in question said that HDMI isn't working, so impossible to pair a gamepad and as a result impossible to use the Wii U.

@pankos A version of the recovery menu which dumps the pairing code to the SD card is in the works. With this you should be able to pair the gamepad blindly.

Exactly!
After reading commentary on GitHub I was only hoping that somebody here already compiled new version with ability to dump pairing pin to the SD card. Anyway looking forward to try a new version once it's released.
 

gorgyrip

Well-Known Member
Member
Joined
Aug 28, 2018
Messages
136
Trophies
0
XP
715
Country
Spain
I have a japanese console stuck in component video mode. I don't have the gamepad.
I'm using a pico and udpih isn't working on this console. (it works on many other consoles).
The drives makes 3 sounds: sound - pause - sound - pause - short sound. other consoles that i have and are working with udpih only make 2 sounds.
The usb port is working, because when i insert a usb stick, the console detects it.
The console has 2 users, one of them has an exclamation mark, i think it's something about internet.
There's no purple light and the console boots normally. I've tried different timings. What am I missing?
 
Last edited by gorgyrip,

Site & Scene News

Popular threads in this forum

General chit-chat
Help Users
  • No one is chatting at the moment.
    Xdqwerty @ Xdqwerty: Good night