It's been a while without any major exploits in the Wii U scene, so I present to you:

USB Descriptor Parsing Is Hard (UDPIH)​

An exploit for the Wii U's USB Host Stack. Pronounced like "mud pie" without the M.

The write-up can be found here!

What does this mean?​

Since the USB Stack is running before anything on the PPC side of the Wii U is booted, this allows unbricking things like CBHC bricks without any soldering!

Supported devices:​

• Raspberry Pi Pico (W) / Pico 2 (W)
• Raspberry Pi Zero (W) / A / A+ / Zero 2 W / 4 / 5
• Steam Deck
• Espressif ESP32 S2 / S3
• Nintendo Switch capable of running udpih_nxpayload

Instructions​

Device Setup​

Follow the setup guide for the device you want to use below:

• Raspberry Pi Pico / Pico 2
• Raspberry Pi Zero (W) / A / A+ / Zero 2 W / 4 / 5
• Steam Deck
• Espressif ESP32 S2 / S3
• Nintendo Switch

Booting the recovery_menu​

Important notes for this to work:

• Make sure no other USB devices are attached to the console.
• Only use USB ports on the front of the console, the back ports will not work.
• If your console has standby mode enabled, pull the power plug and turn it on from a full coldboot state.

• Copy the latest release of the recovery_menu to the root of your FAT32 formatted SD Card.
• Insert the SD Card into the console and power it on.
• As soon as you see the "Wii U" logo on the TV or Gamepad plug in your prepared UDPIH device.
  This timing is important. If you're already in the menu, the exploit won't work.
  Depending on the device, you might have to plug it in sooner or later. This might take several attempts.
  If you get no video output or a distorted screen, your timing was most likely wrong.
• After a few seconds you should be in the recovery menu.

So what's this recovery menu? The recovery menu allows you to fix several bricks:

Wii U Recovery Menu​

A simple recovery menu running on the IOSU for unbricking.

Options​

Set Coldboot Title
Allows changing the current title the console boots to.
Useful for unbricking CBHC bricks.
Possible options are:

• Wii U Menu (JPN) - 00050010-10040000
• Wii U Menu (USA) - 00050010-10040100
• Wii U Menu (EUR) - 00050010-10040200

On non-retail systems the following additional options are available:

• System Config Tool - 00050010-1F700500
• DEVMENU (pre-2.09) - 00050010-1F7001FF
• Kiosk Menu - 00050010-1FA81000

Dump Syslogs
Copies all system logs to a logs folder on the root of the SD Card.

Dump OTP + SEEPROM
Dumps the OTP and SEEPROM to otp.bin and seeprom.bin on the root of the SD Card.

Start wupserver
Starts wupserver which allows connecting to the console from a PC using wupclient.

Load Network Configuration
Loads a network configuration from the SD, and temporarily applies it to use wupserver.
The configurations will be loaded from a network.cfg file on the root of your SD.
For using the ethernet adapter, the file should look like this:

type=eth

For using wifi:

type=wifi
ssid=ssidhere
key=wifikeyhere
key_type=WPA2_PSK_AES

Pair Gamepad
Displays the Gamepad Pin and allows pairing a Gamepad to the system. Also bypasses any region checks while pairing.
The numeric values represent the following symbols: ♠ = 0, ♥ = 1, ♦ = 2, ♣ = 3.
Note that rebooting the system might be required to use the newly paired gamepad.

Install WUP
Installs a valid signed WUP from the install folder on the root of your SD Card.
Don't place the WUP into any subfolders.

Edit Parental Controls
Displays the current Parental Controls pin configuration.
Allows disabling Parental Controls.

Debug System Region
Fixes bricks caused by setting productArea and/or gameRegion to an invalid value. Symptoms include being unable to launch System Settings or other in-region titles.

System Information
Displays info about several parts of the system.
Including serial number, manufacturing date, console type, regions, memory devices...

Load BOOT1 payload
Loads a payload from the root of the SD Card named boot1.img and executes it from within boot1.
If the file is named boot1now.img it gets loaded automatically when starting the recovery_menu after a 5 second timeout.

Credits​

• @Maschell for the network configuration types
• @dimok789 for mocha
• @hexkyz for hexFW
• @rw-r-r-0644 for the lolserial code

Special thanks to Maschell, rw-r-r-0644, QuarkTheAwesome, vgmoose, exjam, dimok789, and everyone else who contributed to the Wii U scene!

 

[SDIO]

That means it can't read the recovery_menu from the SD. Make sure you setup the SD correctly

 

[Keylogger]

That means it can't read the recovery_menu from the SD. Make sure you setup the SD correctly

I have attached a small video of how it goes

It seems to boot into the recovery menu (purple led) but after the console led is blinking in orange

 

[SDIO]

Can you try another SD? It seems the boot1 can't read the fw.img from the SD. Also make sure the SD card is FAT32 and not FAT16

 

[Keylogger]

Can you try another SD? It seems the boot1 can't read the fw.img from the SD. Also make sure the SD card is FAT32 and not FAT16

It's a FAT32 SD card
I have tried with 5 diffents cards and all cards are working with my others Wii U

I have also tried to rename the boot1now.img to boot1.img and tried to load it manually (I have no screen but with recovery menu 0.6 by pressing 11x EJECT + 1x POWER) and it went to that blinking orange led too so yeah it seems it can't read the boot1.img file but i don't understand why, I have tried with SANDISK and SAMSUNG SD cards and micro SD cards with adapters too

If the SD CARD is detected for the recovery menu, why it's not for the boot1 image??

 

[SDIO]

Rename the ios.img to boot1now.img. that will skip the boot1 and minute, but you won't see anything. The LED should be blinking blue. And then just follow the instructions for the ISFShax installer (skipping the minute menu)

 

[Keylogger]

Rename the ios.img to boot1now.img. that will skip the boot1 and minute, but you won't see anything. The LED should be blinking blue. And then just follow the instructions for the ISFShax installer (skipping the minute menu)

Very smart
Thanks now I think I am at the isfhax installer (blinking blue led and black screen on TV)
So I pressed 3x eject, 1x power and 3x eject slowly but it does nothing, the blue led still continue blinking

Is it the correct buttons combo ?

 

[SDIO]

Did you leave enough time between the presses? The installer takes a few seconds to load.

 

[Keylogger]

Did you leave enough time between the presses? The installer takes a few seconds to load.

I waited 30sec/40sec between each button press

 

[SDIO]

Then try to rename the fw.img to boot1now.img. That should make it load into the minute menu skipping the boot1 and see if that shows up.

 

[Keylogger]

Then try to rename the fw.img to boot1now.img. That should make it load into the minute menu skipping the boot1 and see if that shows up.

My Wii U must have another big problem because whatever I boot IOS.img renamed to boot1now.img OR fw.img renamed to boot1now.img, I only have a blinking blue LED but never have display after Wii U logo and even by pressing eject/power buttons it does absolutly nothing (staying on the blinking bleu led)

Tried to rename ios.img to boot1now.img
It booted to ISFHAX installer (i guess) because I have blinking blue LED after the purple LED shows for 5 sec
Tried then to 3x Eject, 1x Power, 3x Eject but it does nothing and i have the same blinking blue led

Tried to rename fw.img to boot1now.img
It booted to minute menu (i guess) because I have blinking blue LED after the purple LED shows for 5 sec
Tried then to 6x Power, 1x Eject but it does nothing and i have the same blinking blue led


It must be something else, I guess my console isn't fixable

 

[SDIO]

It not showing the Wii u logo is normal when doing UDPIH.

try this renamed to boot1now.img. This should always try to turn on the display

 

[Keylogger]

It not showing the Wii u logo is normal when doing UDPIH.

try this renamed to boot1now.img. This should always try to turn on the display

Finally I got the display ! Thanks
Where did you found this one ?

Now I know why it doesn’t work
I have an error when I boot iOS.img from minute

Post automatically merged: Jun 15, 2025

I also have an error to setup rednand

 

[SDIO]

Where did you found this one ?

I just made it, but the older minute versions which always inited the screen should do the same.

It looks like it reads garbage from the SD. But interestingly it seems it wa sable to rea dthe rednand.ini and the header of the ancast images also seems to be correct else it would have complained about that. So maybe it fails only on multi sector reads or something like that. I hope it's not bad dram.

Please don't try to setup rednand until we have ISFShax installed else that might things worse. Also do NOT have the setup plugin in the ios_plugins for now, we don't want to accidentally mess up the system more until we have ISFShax.

Could you try the "Patch ISFShax and boot IOS (slc)". That doesn't load anything from SD and should just boot normal again. If that works then minute has a problem reading the sdcard correctly but f that fails in a similar way too, then something else is wrong.

Post automatically merged: Jun 15, 2025

I made a minute version which forces the fallback mod efor multi block sd access. See if that works better.

EDIT: just updated the zip to also reinit the display

 

[Keylogger]

I just made it, but the older minute versions which always inited the screen should do the same.

It looks like it reads garbage from the SD. But interestingly it seems it wa sable to rea dthe rednand.ini and the header of the ancast images also seems to be correct else it would have complained about that. So maybe it fails only on multi sector reads or something like that. I hope it's not bad dram.

Please don't try to setup rednand until we have ISFShax installed else that might things worse. Also do NOT have the setup plugin in the ios_plugins for now, we don't want to accidentally mess up the system more until we have ISFShax.

Could you try the "Patch ISFShax and boot IOS (slc)". That doesn't load anything from SD and should just boot normal again. If that works then minute has a problem reading the sdcard correctly but f that fails in a similar way too, then something else is wrong.

Post automatically merged: Jun 15, 2025

I made a minute version which forces the fallback mod efor multi block sd access. See if that works better.

EDIT: just updated the zip to also reinit the display

Thank you very much for your help
I finally managed to boot the ISFhax installer using the fw.img_multiple_fallback

I will be able to continue with redNAND setup now
Thanks

 

[SDIO]

And ISFShax works and loads minute now automatically when you turn it on?
Does the normal minute now work for you?

 

[Keylogger]

And ISFShax works and loads minute now automatically when you turn it on?
Does the normal minute now work for you?

Yes minute now loads automatically
But not the normal minute, it works if I use the one you sent me

So now I have a full Wii U system running from SD Card.
Just wondering if I can backup my redNAND and restore it to the real NAND? Because it's slower from the SD card

 

[SDIO]

That's strange, since ISFShax uses the same code as minute to load minute from the SD. So if ISFShax can load minute then the normal minute should also be able to use the SD correctly

 

[Keylogger]

That's strange, since ISFShax uses the same code as minute to load minute from the SD. So if ISFShax can load minute then the normal minute should also be able to use the SD correctly

Sorry
Yeah it works with normal minute
I had wrong fw.img file on my SD card since I have installed aroma too on my redNAND
After cleaning files and put normal minute on SD card, it just auto boot to it normally

 

[Jan_Niek]

I wanted to fix my Wii U that crashes with code 160-0103 during setup when it tries to open Mii Maker after I've selected the nintendo network option. I used my switch, but it keeps getting stuck at stage 1 connecting after stage 0. ONE TIME it got stuck on stage 2 connecting instead, but it has never completed in the ~25 times I've tried. What to do?

 

[SDIO]

why would you use UDPIH, if it just crashes on the Mii Maker? If the Browser still works you can just use the browser exploit for installing ISFShax.