UDPIH: USB Host Stack exploit + Recovery Menu

It's been a while without any major exploits in the Wii U scene, so I present to you:

USB Descriptor Parsing Is Hard (UDPIH)

An exploit for the Wii U's USB Host Stack. Pronounced like "mud pie" without the M.

The write-up can be found here!

What does this mean?

Since the USB Stack is running before anything on the PPC side of the Wii U is booted, this allows unbricking things like CBHC bricks without any soldering!


Supported devices:

  • Raspberry Pi Pico (W) / Pico 2 (W)
  • Raspberry Pi Zero (W) / A / A+ / Zero 2 W / 4 / 5
  • Steam Deck
  • Espressif ESP32 S2 / S3
  • Nintendo Switch capable of running udpih_nxpayload

Instructions

Device Setup

Follow the setup guide for the device you want to use below:

Booting the recovery_menu

Important notes for this to work:
  • Make sure no other USB devices are attached to the console.
  • Only use USB ports on the front of the console; the back ports will not work.
  • If your console has standby mode enabled, pull the power plug and turn it on from a full coldboot state.

  • Copy the latest release of the recovery_menu to the root of your FAT32 formatted SD Card.
  • Insert the SD Card into the console and power it on.
  • As soon as you see the "Wii U" logo on the TV or Gamepad plug in your prepared UDPIH device.
    This timing is important. If you're already in the menu, the exploit won't work.
    Depending on the device, you might have to plug it in sooner or later. This might take several attempts.
    If you get no video output or a distorted screen, your timing was most likely wrong.
  • After a few seconds you should be in the recovery menu.
So what's this recovery menu? The recovery menu allows you to fix several bricks:

Wii U Recovery Menu

A simple recovery menu running on the IOSU for unbricking.

Options

Set Coldboot Title
Allows changing the current title the console boots to.
Useful for unbricking CBHC bricks.
Possible options are:
  • Wii U Menu (JPN) - 00050010-10040000
  • Wii U Menu (USA) - 00050010-10040100
  • Wii U Menu (EUR) - 00050010-10040200
On non-retail systems the following additional options are available:
  • System Config Tool - 00050010-1F700500
  • DEVMENU (pre-2.09) - 00050010-1F7001FF
  • Kiosk Menu - 00050010-1FA81000

Dump Syslogs
Copies all system logs to a logs folder on the root of the SD Card.

Dump OTP + SEEPROM
Dumps the OTP and SEEPROM to otp.bin and seeprom.bin on the root of the SD Card.

Start wupserver
Starts wupserver which allows connecting to the console from a PC using wupclient.

Load Network Configuration
Loads a network configuration from the SD, and temporarily applies it to use wupserver.
The configurations will be loaded from a network.cfg file on the root of your SD.
For using the ethernet adapter, the file should look like this:
Code:
type=eth

For using wifi:
Code:
type=wifi
ssid=ssidhere
key=wifikeyhere
key_type=WPA2_PSK_AES

Pair Gamepad
Displays the Gamepad Pin and allows pairing a Gamepad to the system. Also bypasses any region checks while pairing.
The numeric values represent the following symbols: ♠ = 0, ♥ = 1, ♦ = 2, ♣ = 3.
Note that rebooting the system might be required to use the newly paired gamepad.

Install WUP
Installs a valid signed WUP from the install folder on the root of your SD Card.
Don't place the WUP into any subfolders.

Edit Parental Controls
Displays the current Parental Controls pin configuration.
Allows disabling Parental Controls.

Debug System Region
Fixes bricks caused by setting productArea and/or gameRegion to an invalid value. Symptoms include being unable to launch System Settings or other in-region titles.

System Information
Displays info about several parts of the system.
Including serial number, manufacturing date, console type, regions, memory devices...

Load BOOT1 payload
Loads a payload from the root of the SD Card named boot1.img and executes it from within boot1.
If the file is named boot1now.img it gets loaded automatically when starting the recovery_menu after a 5 second timeout.

Credits

Special thanks to Maschell, rw-r-r-0644, QuarkTheAwesome, vgmoose, exjam, dimok789, and everyone else who contributed to the Wii U scene!
 
Last edited by GaryOderNichts,
The log files mention a lot of errors but during the dumping process on screen it said there were 0 bad sectors. Any suggestions what I can do to recover it? Can I somehow load a fresh Wii-U 5.5.5E onto it?
Can you upload the logs? If the errors were during the slc dump: that's expected and a problem of the dumper and not the slc.
 
Thanks for the replies :) I've done a lot more reading of forum posts and have dumped and extracted the mlc and have a list of all corrupted files. I've downloaded all the corrupted titles via JNUSTool so I can reinstall those but if I understood everything correctly I have a Hynix eMMC (mid 90) so I guess the way to go is replace it with an SD card and then repair the mlc after?

I'm a bit new to fixing bricked WiiUs so bear with me if I use incorrect terminology :)
 

Looks like a bad eMMC to me, even without the MEDIA ERRORs in the log. But the Read Errors during the MLC dump basically mean the same thing. I hope you didn't turn on the Wii U again after the dump, so that the dump is still consistent with the slc cache.
To fix that you need to replace the eMMC.
 
Thanks for confirming. Guess it wouldn't hurt to take an extra mlc dump just to be safe (I may have started it once more after taking the dump but it doesn't get past the 160-1710 error message so it's not like I can do anything with it at the moment anyway).
Do you perhaps know of any services for replacing the eMMC with an SD card? (or where I can purchase a NAND-AID kit so I can find someone who can install that?).
 
I sold through all the NAND-AIDs that I ordered, but you can get the NAND-AID PCBs made at any PCB service, like JLCPCB, PCBWay, elecrow, OSH Park. The smallest number you can order is usually 5. You can sell the excess PCBs to other users here who are looking for one, like @CMDreamer.

Even if the Wii U didn't boot up all the way, there could still be some write access to the mlc.
 
I decided to check out JLCPCB and was expecting the cost to be pretty high but less than 5 dollars for 5 pcb's is pretty damn good in my opinion so put in the order. They must be having some kind of promotion for new customers or something. Not exactly sure if I'll have a need for them yet but I feel they will be good to have kicking around just in case.

Edit:
Whoops, forgot to get them assembled but at least 5 microsd ports were also under 5 dollars on aliexpress. About 9 bucks and a little bit of soldering is still a pretty good deal. And it turns out I needed some capacitors. I should really learn to read things before jumping in. Didn't realize there was a parts list in the zip file. Ah well, live and learn.
 
Last edited by fringle,
How did you get it that cheap? Are you sure you selected the right options? I remember the castellated holes making it much more expensive.
 
Looking forward to trying this and seeing if I can restore one of my bricked WiiUs. I think they have corrupted eMMC having been left switched off for too long but you never know. Unfortunately they came to me like that so I have no backups and so no idea if they can be restored. They do boot to the WiiU logo.
 
> How did you get it that cheap? Are you sure you selected the right options? I remember the castellated holes making it much more expensive.

It doesn't look like I did. I'm new to ordering fabricated pcb's and didn't read about that until after the fact. What exactly does it mean if they are not castellated and will it still work with some modifications?

Think I can make it work without just a little more to it. Adding the castellated holes does drive the price up quite a bit.
 
Last edited by fringle,
@alexh If udpih works, it should be fixable. But you would need to replace the bad eMMC if that's really the problem. But if they go to the logo, it should be far enough for udpih to work. Probably corrupted fonts, which prevent the error message from showing.

> What exactly does it mean if they are not castellated and will it still work with some modifications?

The castellated holes or VIAs are these vias at the edge of the board, which got cut through so you can solder them to the Wii U MB. I am not sure what happens if you don't select it. Maybe I was wrong and it isn't really needed. I would have expected that they would reject your order. I think we have to see how they turn out.

> Adding the castellated holes does drive the price up quite a bit.

Yes that's what made me choose elecrow (but they had problems with the CLK on the eMMC side).
I used JLCPCB for other stuff, because it was cheaper there.
 
> How did you get it that cheap? Are you sure you selected the right options? I remember the castellated holes making it much more expensive.

I uploaded the "Wii-U NAND-AID EVAL V2" to OSH Park and selected the "2 oz copper, 0.8mm thickness" option. Price came to $5.05 per 3 boards. Hopefully that sounds about right? Also what Voltage should the 0805 10uF capacitor be?
 
I think you also need to select the castellated holes, but maybe wait to see how the ones from @fringle turn out. The cap needs to be able to handle 3,3V, so everything above that is fine.
 
I had to look up what that was (docs dot oshpark dot com / tips+tricks / castellation) but looking at where the drill holes are I'm guessing they will automatically be drilled. I already ordered them last night (12 in total) so hope they're ok :)
 
> @alexh If udpih works, it should be fixable. But you would need to replace the bad eMMC if that's really the problem. But if they go to the logo, it should be far enough for udpih to work. Probably corrupted fonts, which prevent the error message from showing.
>
> The castellated holes or VIAs are these vias at the edge of the board, which got cut through so you can solder them to the Wii U MB. I am not sure what happens if you don't select it. Maybe I was wrong and it isn't really needed. I would have expected that they would reject your order. I think we have to see how they turn out.
>
> Yes that's what made me choose elecrow (but they had problems with the CLK on the eMMC side).
> I used JLCPCB for other stuff, because it was cheaper there.

I think castellated holes just makes it so the connection to the solder points doesn't have to be as accurate. I feel like it should still work as long as the connection to the pad is good. From what I've read it's only really required with soldering a pcb on top of another pcb to more easily make the connection. If all else fails I'll run a small wire from the top side pad to the underside pad for each which I feel should work. Although I could be wrong. They were cheap so I don't mind a few experiments. The sd ports and capacitors may take a while to be delivered so it might be a month or so before I can get a chance to play with it.
 
> I think you also need to select the castellated holes, but maybe wait to see how the ones from @fringle turn out. The cap needs to be able to handle 3,3V, so everything above that is fine.

So these are what I got without specifying castellated holes from JLCPCB. They look fine to me and think I can make it work without any modification. Not too bad for 5 dollars for 5 of them. I also ordered 3 more from OSHPARK for 6 dollars just to see what the difference might be. They didn't have an option for castellated holes so will see what I get from them in a couple of weeks.

Won't have a chance to install one of these till I get my capacitors next week. They are the last of the items to arrive.
 

@fringle I'm not the one you requested an answer from but could you maybe try to get a sharper picture of this area?

(try with 2x zoom, this sometimes helps to get such small things sharper)

In case you can't that's fine, I think it's all good (might be a bit more hard to solder than with castellated holes but that's minor, just apply enough flux), but want to get really sure. :)

//EDIT: And in case it seems too hard to solder there's a small trick I stole from @Lazr1026 - Add a bit of copper wire, then cut off the excess:

(see the blank copper sticking out at the CLK connection? I know it's not the best picture, too, sry about that)
 
Last edited by V10lator,
Here's zoomed from a different angle. I was thinking the same thing with the copper wire.
 

@fringle Thanks for the new pictures. It would be really more clean with castellated holes but the copper goes completely from one side of the PCB to the other, so should give a good connection and be easy to solder. :)
 
