It's been a while without any major exploits in the Wii U scene, so I present to you:

USB Descriptor Parsing Is Hard (UDPIH)​

An exploit for the Wii U's USB Host Stack. Pronounced like "mud pie" without the M.

The write-up can be found here!

What does this mean?​

Since the USB Stack is running before anything on the PPC side of the Wii U is booted, this allows unbricking things like CBHC bricks without any soldering!

Requirements​

• A Wii U
• One of the devices listed below
  Note: Any other linux device capable of USB device emulation should work as well.
  Prebuilt releases are only available for the Pico and Zero.
  I will add more devices below which are confirmed to work.

Supported devices:​

• A Raspberry Pi Pico or Zero
• A Nintendo Switch capable of running udpih_nxpayload

Instructions​

Pico​

• Download the latest udpih.uf2 from the releases page.
• Hold down the BOOTSEL button on the board and connect the Pico to your PC.
  Your PC will detect the Pi as a storage device.
• Copy the .uf2 file to the Pico. It will disconnect after a few seconds.

The Pico is now flashed and can be used for udpih. Continue with "Booting the recovery_menu" below.

Raspberry Pi Zero (Linux)​

• Install the required dependencies:
  

  sudo apt install build-essential raspberrypi-kernel-headers

• Clone the repo:

• git clone https://github.com/GaryOderNichts/udpih.git
  cd udpih

• Download the latest arm_kernel.bin.h from the releases page and copy it to the arm_kernel directory.
• Now build the kernel module:

• cd linux
  make

• You can now run sudo insmod udpih.ko to insert the kernel module into the kernel.

The Zero is now ready to be used for udpih.
Note that you'll need to insert the module again after rebooting the Zero. You will need 2 USB cables, one for powering the Zero and one which can be connected to the Wii U.

Continue with "Booting the recovery_menu" below.

Booting the recovery_menu​

Important notes for this to work:

• Make sure no other USB Devices are attached to the console.
• Only use USB ports on the front of the console, the back ports will not work.
• If your console has standby mode enabled, pull the power plug and turn it on from a full coldboot state.

• Copy the latest release of the recovery_menu to the root of your FAT32 formatted SD Card.
• Insert the SD Card into the console and power it on.
• As soon as you see the "Wii U" logo on the TV or Gamepad plug in your Zero/Pico.
  This timing is important. If you're already in the menu, the exploit won't work..
• After a few seconds you should be in the recovery menu.

So what's this recovery menu? The recovery menu allows you to fix several bricks:

Wii U Recovery Menu​

A simple recovery menu running on the IOSU for unbricking.

Options​

Set Coldboot Title
Allows changing the current title the console boots to.
Useful for unbricking CBHC bricks.
Possible options are:

• Wii U Menu (JPN) - 00050010-10040000
• Wii U Menu (USA) - 00050010-10040100
• Wii U Menu (EUR) - 00050010-10040200

On non-retail systems the following additional options are available:

• System Config Tool - 00050010-1F700500
• DEVMENU (pre-2.09) - 00050010-1F7001FF
• Kiosk Menu - 00050010-1FA81000

Dump Syslogs
Copies all system logs to a logs folder on the root of the SD Card.

Dump OTP + SEEPROM
Dumps the OTP and SEEPROM to otp.bin and seeprom.bin on the root of the SD Card.

Start wupserver
Starts wupserver which allows connecting to the console from a PC using wupclient.

Load Network Configuration
Loads a network configuration from the SD, and temporarily applies it to use wupserver.
The configurations will be loaded from a network.cfg file on the root of your SD.
For using the ethernet adapter, the file should look like this:

type=eth

For using wifi:

type=wifi
ssid=ssidhere
key=wifikeyhere
key_type=WPA2_PSK_AES

Pair Gamepad
Displays the Gamepad Pin and allows pairing a Gamepad to the system. Also bypasses any region checks while pairing.
The numeric values represent the following symbols: ♠ = 0, ♥ = 1, ♦ = 2, ♣ = 3.
Note that rebooting the system might be required to use the newly paired gamepad.

Install WUP
Installs a valid signed WUP from the install folder on the root of your SD Card.
Don't place the WUP into any subfolders.

Edit Parental Controls
Displays the current Parental Controls pin configuration.
Allows disabling Parental Controls.

Debug System Region
Fixes bricks caused by setting productArea and/or gameRegion to an invalid value. Symptoms include being unable to launch System Settings or other in-region titles.

System Information
Displays info about several parts of the system.
Including serial number, manufacturing date, console type, regions, memory devices...

Credits​

• @Maschell for the network configuration types
• @dimok789 for mocha
• @hexkyz for hexFW
• @rw-r-r-0644 for the lolserial code

Special thanks to Maschell, rw-r-r-0644, QuarkTheAwesome, vgmoose, exjam, dimok789, and everyone else who contributed to the Wii U scene!

 

[GaryOderNichts]

recovery_menu version 0.2​

Changelog:

• Added "Edit Parental Controls" options
• Support Windows (CRLF) line endings in network.cfg
• Added experimental display controller initialization build

Some Wii U's don't show any TV output, if it hasn't been configured properly before.
If that's the case download the recovery_menu_dc_init file and rename it to recovery_menu.
This build does display controller initialization and might fix the issue.
Note that this build only outputs 480p and has no GamePad output!

 

[Young_Thugs_Cup_of_Water]

You sould make it so that you can plug a usbc cable into a android phone (might have to be rooted tho) and unbrick with that you can even make it a Terminal app if you use the Termux Terminal.

 

[V10lator]

You sould make it so that you can plug a usbc cable into a android phone (might have to be rooted tho) and unbrick with that

If your phone is able to handle that it should work, see:

Note: Any other linux device capable of USB device emulation should work as well.

(Android is just a heavily modified Linux)

 

[christianacqua]

it would be nice to add an option to the recovery mode that allows you to restore a nand backup (mlc and slc)

 

[Young_Thugs_Cup_of_Water]

If your phone is able to handle that it should work, see:

(Android is just a heavily modified Linux)

How would i build it for Android, Termux would probably be the best way to run it. is there a way to just build a terminal Executable for aarch64?

 

[V10lator]

How would i build it for Android

Contact your phone manufacturer and ask for kernel sources (or look on the website. The Linux kernels license says they must give the sources). Then compile the kernel module like any other kernel module.

is there a way to just build a terminal Executable for aarch64?

No. It needs low-level hardware access and this is doable from kernel space only.

//EDIT: In case you're not deeply experienced with Linux buying a RPI zero/pico is the most userfriendly way. As told above: This can't be made more userfriendly cause of the low-level hardware access needed. @GaryOderNichts compiling this for every phone model on the planet isn't realistic... You want to have it for your specific hardware? Then you're on your own.

 

[Young_Thugs_Cup_of_Water]

Contact your phone manufacturer and ask for kernel sources (or look on the website. The Linux kernels license says they must give the sources). Then compile the kernel module like any other kernel module.

No. It needs low-level hardware access and this is doable from kernel space only.

//EDIT: In case you're not deeply experienced with Linux buying a RPI zero/pico is the most userfriendly way. As told above: This can't be made more userfriendly cause of the low-level hardware access needed.

Well I'm on Lineage OS so the Kernel is open source and I would be able to download the Kernel, I can use the SU command to get Root access. would this requiter you to get the Kernel and build it every time with that different Kernel ever time your phone updated the Kernel? and if so then its probly not a good thing since the amount of people that have a Rooted Android phone with a diffrent rom and are running Linux on the Desktop and know how to build programs and have a bricked WiiU is very low.

 

[V10lator]

@Young_Thugs_Cup_of_Water Yes, it would need to get updated every time they update the kernel. You start to get a feeling why there are no precompiled builds from @GaryOderNichts available. You could ask LineageOS devs to include this through. Still keep in mind that even when you have the module it's unsure if this will work as the hardware (USB chip inside of the phone) itself has to support it, too.

 

[Young_Thugs_Cup_of_Water]

@Young_Thugs_Cup_of_Water Yes, it would need to get updated every time they update the kernel. You start to get a feeling why there are no precompiled builds from @GaryOderNichts available. You could ask LineageOS devs to include this through. Still keep in mind that even when you have the module it's unsure if this will work as the hardware (USB chip inside of the phone) itself has to support it, too.

I don't think The Lineage OS devs would add a kernel module for this but maybe you could build this into a Magisk module but i doubt there is a guy who knows how to make Magisk modules and likes the WiiU (I don't know how to do this and its not worth it to even do)

 

[V10lator]

I know how to make Magisk modules and I'm sure there are more people in this forum... Still this is more something the OS should support, not something you should hack in with Magisk (even if it could work it still would mean to update it with every LineageOS kernel update and stuff).

 

[PABLO_CUNHA]

Hello Gary! Installing WUP doesn't work for me, I enter the menu normally but the option to install wup only gives failed, I put the wup home menu in none under the folder in SD/INSTALL .

 

[Blavla]

It's been a while without any major exploits in the Wii U scene, so I present to you:

USB Descriptor Parsing Is Hard (UDPIH)​

An exploit for the Wii U's USB Host Stack. Pronounced like "mud pie" without the M.

The write-up can be found here!

What does this mean?​

Since the USB Stack is running before anything on the PPC side of the Wii U is booted, this allows unbricking things like CBHC bricks without any soldering!

Requirements​

• A Wii U
• One of the devices listed below
  Note: Any other linux device capable of USB device emulation should work as well.
  Prebuilt releases are only available for the Pico and Zero.
  I will add more devices below which are confirmed to work.

Supported devices:​

• A Raspberry Pi Pico or Zero
• A Nintendo Switch capable of running udpih_nxpayload

Instructions​

Pico​

• Download the latest udpih.uf2 from the releases page.
• Hold down the BOOTSEL button on the board and connect the Pico to your PC.
  Your PC will detect the Pi as a storage device.
• Copy the .uf2 file to the Pico. It will disconnect after a few seconds.

The Pico is now flashed and can be used for udpih. Continue with "Booting the recovery_menu" below.

Raspberry Pi Zero (Linux)​

• Install the required dependencies:
  

  sudo apt install build-essential raspberrypi-kernel-headers

• Clone the repo:

• git clone https://github.com/GaryOderNichts/udpih.git
  cd udpih

• Download the latest arm_kernel.bin.h from the releases page and copy it to the arm_kernel directory.
• Now build the kernel module:

• cd linux
  make

• You can now run sudo insmod udpih.ko to insert the kernel module into the kernel.

The Zero is now ready to be used for udpih.
Note that you'll need to insert the module again after rebooting the Zero. You will need 2 USB cables, one for powering the Zero and one which can be connected to the Wii U.

Continue with "Booting the recovery_menu" below.

Booting the recovery_menu​

• Copy the latest release of the recovery_menu to the root of your FAT32 formatted SD Card.
• Insert the SD Card into the console and power it on.
• As soon as you see the "Wii U" logo on the TV or Gamepad plug in your Zero/Pico.
  This timing is important. If you're already in the menu, the exploit won't work..
• After a few seconds you should be in the recovery menu.

So what's this recovery menu? The recovery menu allows you to fix several bricks:

Wii U Recovery Menu​

A simple recovery menu running on the IOSU for unbricking.

Options​

Set Coldboot Title​

Allows changing the current title the console boots to.
Useful for unbricking CBHC bricks.
Possible options are:

• Wii U Menu (JPN) - 00050010-10040000
• Wii U Menu (USA) - 00050010-10040100
• Wii U Menu (EUR) - 00050010-10040200

Dump Syslogs​

Copies all system logs to a logs folder on the root of the SD Card.

Dump OTP + SEEPROM​

Dumps the OTP and SEEPROM to otp.bin and seeprom.bin on the root of the SD Card.

Start wupserver​

Starts wupserver which allows connecting to the console from a PC using wupclient.

Load Network Configuration​

Loads a network configuration from the SD, and temporarily applies it to use wupserver.
The configurations will be loaded from a network.cfg file on the root of your SD.
For using the ethernet adapter, the file should look like this:

type=eth

For using wifi:

type=wifi
ssid=ssidhere
key=wifikeyhere
key_type=WPA2_PSK_AES

Displays DRC Pin​

Displays the Gamepad Pin used for pairing the gamepad.
The numeric values represent the following symbols: ♠ = 0, ♥ = 1, ♦ = 2, ♣ = 3.

Install WUP​

Installs a valid signed WUP from the install folder on the root of your SD Card.
Don't place the WUP into any subfolders.

Credits​

• @Maschell for the network configuration types
• @dimok789 for mocha
• @hexkyz for hexFW
• @rw-r-r-0644 for the lolserial code

Special thanks to Maschell, rw-r-r-0644, QuarkTheAwesome, vgmoose, exjam, dimok789, and everyone else who contributed to the Wii U scene!

Can it unlock the 4 digit parental PIN where the Account has an unknown password?

 

[BaamAlex]

Can it unlock the 4 digit parental PIN where the Account has an unknown password?

The pin from the console and the account password are two different things i guess. I would say it can't.

 

[GaryOderNichts]

Can it unlock the 4 digit parental PIN where the Account has an unknown password?

The recovery menu has an option to display the 4 digit parental controls pin and disable parental controls.

 

[Fabioperez]

Hi Gary, thanks for this new tool to save the wii u. my wii u has the following error, try to transfer the data from my wii to my wii u the process stayed and never finished, turn off the wii u, start it and the process does not finish, after time I deleted the ninintendo account, my question is if in the future it will be possible to include in the recovery menu an option to restart or format the wii u or how could I do to recover my wii u, thank you very much

 

[marmaliser]

The recovery menu has an option to display the 4 digit parental controls pin and disable parental controls.

Amazing work. I jut got a wii u that needs Nintendo password to logon but wont create a new user without parental code and there is no forgot pin option to use other methods. Got a Pi Pico at work so tomorrow I will give it a try. Do you have a donation link? - Found it

 

[hauntedmound]

It's been a while without any major exploits in the Wii U scene, so I present to you:

USB Descriptor Parsing Is Hard (UDPIH)​

An exploit for the Wii U's USB Host Stack. Pronounced like "mud pie" without the M.

The write-up can be found here!

What does this mean?​

Since the USB Stack is running before anything on the PPC side of the Wii U is booted, this allows unbricking things like CBHC bricks without any soldering!

Requirements​

• A Wii U
• One of the devices listed below
  Note: Any other linux device capable of USB device emulation should work as well.
  Prebuilt releases are only available for the Pico and Zero.
  I will add more devices below which are confirmed to work.

Supported devices:​

• A Raspberry Pi Pico or Zero
• A Nintendo Switch capable of running udpih_nxpayload

Instructions​

Pico​

• Download the latest udpih.uf2 from the releases page.
• Hold down the BOOTSEL button on the board and connect the Pico to your PC.
  Your PC will detect the Pi as a storage device.
• Copy the .uf2 file to the Pico. It will disconnect after a few seconds.

The Pico is now flashed and can be used for udpih. Continue with "Booting the recovery_menu" below.

Raspberry Pi Zero (Linux)​

• Install the required dependencies:
  

  sudo apt install build-essential raspberrypi-kernel-headers

• Clone the repo:

• git clone https://github.com/GaryOderNichts/udpih.git
  cd udpih

• Download the latest arm_kernel.bin.h from the releases page and copy it to the arm_kernel directory.
• Now build the kernel module:

• cd linux
  make

• You can now run sudo insmod udpih.ko to insert the kernel module into the kernel.

The Zero is now ready to be used for udpih.
Note that you'll need to insert the module again after rebooting the Zero. You will need 2 USB cables, one for powering the Zero and one which can be connected to the Wii U.

Continue with "Booting the recovery_menu" below.

Booting the recovery_menu​

• Copy the latest release of the recovery_menu to the root of your FAT32 formatted SD Card.
• Insert the SD Card into the console and power it on.
• As soon as you see the "Wii U" logo on the TV or Gamepad plug in your Zero/Pico.
  This timing is important. If you're already in the menu, the exploit won't work..
• After a few seconds you should be in the recovery menu.

So what's this recovery menu? The recovery menu allows you to fix several bricks:

Wii U Recovery Menu​

A simple recovery menu running on the IOSU for unbricking.

Options​

Set Coldboot Title​

Allows changing the current title the console boots to.
Useful for unbricking CBHC bricks.
Possible options are:

• Wii U Menu (JPN) - 00050010-10040000
• Wii U Menu (USA) - 00050010-10040100
• Wii U Menu (EUR) - 00050010-10040200

Dump Syslogs​

Copies all system logs to a logs folder on the root of the SD Card.

Dump OTP + SEEPROM​

Dumps the OTP and SEEPROM to otp.bin and seeprom.bin on the root of the SD Card.

Start wupserver​

Starts wupserver which allows connecting to the console from a PC using wupclient.

Load Network Configuration​

Loads a network configuration from the SD, and temporarily applies it to use wupserver.
The configurations will be loaded from a network.cfg file on the root of your SD.
For using the ethernet adapter, the file should look like this:

type=eth

For using wifi:

type=wifi
ssid=ssidhere
key=wifikeyhere
key_type=WPA2_PSK_AES

Displays DRC Pin​

Displays the Gamepad Pin used for pairing the gamepad.
The numeric values represent the following symbols: ♠ = 0, ♥ = 1, ♦ = 2, ♣ = 3.

Install WUP​

Installs a valid signed WUP from the install folder on the root of your SD Card.
Don't place the WUP into any subfolders.

Credits​

• @Maschell for the network configuration types
• @dimok789 for mocha
• @hexkyz for hexFW
• @rw-r-r-0644 for the lolserial code

Special thanks to Maschell, rw-r-r-0644, QuarkTheAwesome, vgmoose, exjam, dimok789, and everyone else who contributed to the Wii U scene!

is it possible that you can add a factory reset feature....

 

[marmaliser]

Remove parental lock feature worked perfectly

 

[NinaHack]

Can you ever make it so that you can overwrite the NAND that you copied recently?

 

[Shanez1215]

Hey Gary, apparently there's some Wii U's that do not output picture due to their video settings being set incorrectly. Would it be possible to have UDPIE write the gamepad pin to the SD card?

It'd be nice to know if the image isn't displaying due to a hardware or software issue.