It's been a while without any major exploits in the Wii U scene, so I present to you:

USB Descriptor Parsing Is Hard (UDPIH)​

An exploit for the Wii U's USB Host Stack. Pronounced like "mud pie" without the M.

The write-up can be found here!

What does this mean?​

Since the USB Stack is running before anything on the PPC side of the Wii U is booted, this allows unbricking things like CBHC bricks without any soldering!

Supported devices:​

• Raspberry Pi Pico (W) / Pico 2 (W)
• Raspberry Pi Zero (W) / A / A+ / Zero 2 W / 4 / 5
• Steam Deck
• Espressif ESP32 S2 / S3
• Nintendo Switch capable of running udpih_nxpayload

Instructions​

Device Setup​

Follow the setup guide for the device you want to use below:

• Raspberry Pi Pico / Pico 2
• Raspberry Pi Zero (W) / A / A+ / Zero 2 W / 4 / 5
• Steam Deck
• Espressif ESP32 S2 / S3
• Nintendo Switch

Booting the recovery_menu​

Important notes for this to work:

• Make sure no other USB devices are attached to the console.
• Only use USB ports on the front of the console, the back ports will not work.
• If your console has standby mode enabled, pull the power plug and turn it on from a full coldboot state.

• Copy the latest release of the recovery_menu to the root of your FAT32 formatted SD Card.
• Insert the SD Card into the console and power it on.
• As soon as you see the "Wii U" logo on the TV or Gamepad plug in your prepared UDPIH device.
  This timing is important. If you're already in the menu, the exploit won't work.
  Depending on the device, you might have to plug it in sooner or later. This might take several attempts.
  If you get no video output or a distorted screen, your timing was most likely wrong.
• After a few seconds you should be in the recovery menu.

So what's this recovery menu? The recovery menu allows you to fix several bricks:

Wii U Recovery Menu​

A simple recovery menu running on the IOSU for unbricking.

Options​

Set Coldboot Title
Allows changing the current title the console boots to.
Useful for unbricking CBHC bricks.
Possible options are:

• Wii U Menu (JPN) - 00050010-10040000
• Wii U Menu (USA) - 00050010-10040100
• Wii U Menu (EUR) - 00050010-10040200

On non-retail systems the following additional options are available:

• System Config Tool - 00050010-1F700500
• DEVMENU (pre-2.09) - 00050010-1F7001FF
• Kiosk Menu - 00050010-1FA81000

Dump Syslogs
Copies all system logs to a logs folder on the root of the SD Card.

Dump OTP + SEEPROM
Dumps the OTP and SEEPROM to otp.bin and seeprom.bin on the root of the SD Card.

Start wupserver
Starts wupserver which allows connecting to the console from a PC using wupclient.

Load Network Configuration
Loads a network configuration from the SD, and temporarily applies it to use wupserver.
The configurations will be loaded from a network.cfg file on the root of your SD.
For using the ethernet adapter, the file should look like this:

type=eth

For using wifi:

type=wifi
ssid=ssidhere
key=wifikeyhere
key_type=WPA2_PSK_AES

Pair Gamepad
Displays the Gamepad Pin and allows pairing a Gamepad to the system. Also bypasses any region checks while pairing.
The numeric values represent the following symbols: ♠ = 0, ♥ = 1, ♦ = 2, ♣ = 3.
Note that rebooting the system might be required to use the newly paired gamepad.

Install WUP
Installs a valid signed WUP from the install folder on the root of your SD Card.
Don't place the WUP into any subfolders.

Edit Parental Controls
Displays the current Parental Controls pin configuration.
Allows disabling Parental Controls.

Debug System Region
Fixes bricks caused by setting productArea and/or gameRegion to an invalid value. Symptoms include being unable to launch System Settings or other in-region titles.

System Information
Displays info about several parts of the system.
Including serial number, manufacturing date, console type, regions, memory devices...

Load BOOT1 payload
Loads a payload from the root of the SD Card named boot1.img and executes it from within boot1.
If the file is named boot1now.img it gets loaded automatically when starting the recovery_menu after a 5 second timeout.

Credits​

• @Maschell for the network configuration types
• @dimok789 for mocha
• @hexkyz for hexFW
• @rw-r-r-0644 for the lolserial code

Special thanks to Maschell, rw-r-r-0644, QuarkTheAwesome, vgmoose, exjam, dimok789, and everyone else who contributed to the Wii U scene!

 

[GaryOderNichts]

Hello,
I am having some issues with a Wiiu I have recently purchased. It was bricked, and stuck on wii U logo. I don(t know if someone tried to hack it.
I was able to enter the recovery menu using udpih, but unfortunately I have no display. I do have the purple light and was able to dump the syslogs and the OTP.bin file by navigating blindly. I have tried to set the coldboot title, but the wii is still stuck on wii logo. I have also tried the recovery menu_dc_init with no success. The wii is trying to display something but the display is messed up.
Here are my logs. can anyone tell me what's wrong? Any help would be appreciated.

00:00:08:288: FSA: ### DATA CORRUPTION ERROR ###, dev:mlc01, err:-1245211, cmd:11, path:(null)
00:00:08:288: failed to read file /vol/storage_mlc01/sys/title/0005001b/10042400/content/CafeCn.ttf, err -196635
00;00;08;174: ***LoadShared - WaitLoadComplete(8388608,4721996) failed with error -196635 on file "CafeCn.ttf".
00:00:08:421: FSA: ### DATA CORRUPTION ERROR ###, dev:mlc01, err:-1245211, cmd:11, path:(null)
00:00:08:421: failed to read file /vol/storage_mlc01/sys/title/0005001b/10042400/content/CafeKr.ttf, err -196635
00;00;08;301: ***LoadShared - WaitLoadComplete(0,2260660) failed with error -196635 on file "CafeKr.ttf".

00:00:25:417: mmc_core card err: idx=3, lba=55083264, blks=256, xfer=0x1, ret=0x00200b40
00:00:25:471: mmc_core card err: idx=3, lba=55083264, blks=256, xfer=0x1, ret=0x00200b40
00:00:25:472: mdblk: err=-131099, mid=0x90, prv=0x5c, pnm=[HYNIX ]
00:00:25:535: mmc_core card err: idx=3, lba=55083520, blks=256, xfer=0x1, ret=0x00200b40
00:00:25:606: mmc_core card err: idx=3, lba=55083520, blks=256, xfer=0x1, ret=0x00200b40
00:00:25:606: mdblk: err=-131099, mid=0x90, prv=0x5c, pnm=[HYNIX ]

This unfortunately looks like a dead eMMC.

 

[agiese394]

00:00:08:288: FSA: ### DATA CORRUPTION ERROR ###, dev:mlc01, err:-1245211, cmd:11, path:(null)
00:00:08:288: failed to read file /vol/storage_mlc01/sys/title/0005001b/10042400/content/CafeCn.ttf, err -196635
00;00;08;174: ***LoadShared - WaitLoadComplete(8388608,4721996) failed with error -196635 on file "CafeCn.ttf".
00:00:08:421: FSA: ### DATA CORRUPTION ERROR ###, dev:mlc01, err:-1245211, cmd:11, path:(null)
00:00:08:421: failed to read file /vol/storage_mlc01/sys/title/0005001b/10042400/content/CafeKr.ttf, err -196635
00;00;08;301: ***LoadShared - WaitLoadComplete(0,2260660) failed with error -196635 on file "CafeKr.ttf".

00:00:25:417: mmc_core card err: idx=3, lba=55083264, blks=256, xfer=0x1, ret=0x00200b40
00:00:25:471: mmc_core card err: idx=3, lba=55083264, blks=256, xfer=0x1, ret=0x00200b40
00:00:25:472: mdblk: err=-131099, mid=0x90, prv=0x5c, pnm=[HYNIX ]
00:00:25:535: mmc_core card err: idx=3, lba=55083520, blks=256, xfer=0x1, ret=0x00200b40
00:00:25:606: mmc_core card err: idx=3, lba=55083520, blks=256, xfer=0x1, ret=0x00200b40
00:00:25:606: mdblk: err=-131099, mid=0x90, prv=0x5c, pnm=[HYNIX ]

This unfortunately looks like a dead eMMC.

Thanks! It sounds like I am out of luck. Any hope in the future to fix this?

 

[GaryOderNichts]

Thanks! It sounds like I am out of luck. Any hope in the future to fix this?

If there is coldboot redNAND in the future, maybe.

 

[VinicimJF]

OMG, I MANAGED TO UNBRICK MY CONSOLE. After more than 1 month of trying... I did it.


...And I can't believe it, but the problem was on Mii Maker. The folder had the app, but the .rpx was gone, alongside the meta folder... which is pretty weird because NOT in my sane juice I would mess with it, this app is not useless like, say, Nintendo TVii. Plus I know that the app was used for HBL.


I honestly don't know what happened because I'm fairly sure I didn't mess with Mii Maker, and even if somehow I choose that folder instead of TVii or Wii U Chat, I would have deleted the whole thing without leaving any file behind.

If you ask how the heck I figured out the problem was on Mii Maker, it's because I had a NAND backup from 2018 and other from 2020. I dumped my current state NAND using wupserver (was a pain in the ass, the transfer speeds were terribly slow, also a lot of crashes), then I decrypted my backuped MLC, and finally I compared both my current NAND files and the old backup, using WinMerge to check files integrity. After installing Mii Maker again... bom, console booted again.

Man, I can't believe I finally have my console working again, I was a freaking month and half thinking on this that I even dreamed with my Wii U lmao.

Just a warning, I think this happened because I used WiiUFtpServer by Laf111, while I can't say for sure his app was the culprit or not, this NEVER happened to me before... which makes me believe it might had been.
I messed with FTP a lot of times, plus, I never touched Mii Maker on my own, I'm fairly sure I deleted the WHOLE TVii and Wii U Chat folders. Nothing more.
So yeah, at least on my side, I'm back to using FTPiiU and WinSCP, I have never got issues with those two aside from having to reconnect from time to time. Besides I'm trying Aroma and has a native FTPiiU plugin maintended by Maschell

Thanks a lot Gary for this app, my Wii U would be in the trash bin if it weren't by you and your recovery menu, really, thanks a lot!

Wish someday the Wii U scene to advance to the point of having a Wii-like brick protection, ala BootMii as boot2 where you could just restore your NAND and everything is dandy again.

That's my experience, hope it helps someone out there.

Where you get miimaker files to reinstall?
I have tha same problem of you, but in my case is The wiiu menu files The problem.

 

[CrazySquid]

00:00:08:288: FSA: ### DATA CORRUPTION ERROR ###, dev:mlc01, err:-1245211, cmd:11, path:(null)
00:00:08:288: failed to read file /vol/storage_mlc01/sys/title/0005001b/10042400/content/CafeCn.ttf, err -196635
00;00;08;174: ***LoadShared - WaitLoadComplete(8388608,4721996) failed with error -196635 on file "CafeCn.ttf".
00:00:08:421: FSA: ### DATA CORRUPTION ERROR ###, dev:mlc01, err:-1245211, cmd:11, path:(null)
00:00:08:421: failed to read file /vol/storage_mlc01/sys/title/0005001b/10042400/content/CafeKr.ttf, err -196635
00;00;08;301: ***LoadShared - WaitLoadComplete(0,2260660) failed with error -196635 on file "CafeKr.ttf".

00:00:25:417: mmc_core card err: idx=3, lba=55083264, blks=256, xfer=0x1, ret=0x00200b40
00:00:25:471: mmc_core card err: idx=3, lba=55083264, blks=256, xfer=0x1, ret=0x00200b40
00:00:25:472: mdblk: err=-131099, mid=0x90, prv=0x5c, pnm=[HYNIX ]
00:00:25:535: mmc_core card err: idx=3, lba=55083520, blks=256, xfer=0x1, ret=0x00200b40
00:00:25:606: mmc_core card err: idx=3, lba=55083520, blks=256, xfer=0x1, ret=0x00200b40
00:00:25:606: mdblk: err=-131099, mid=0x90, prv=0x5c, pnm=[HYNIX ]

This unfortunately looks like a dead eMMC.

All Hynix units, I wonder why the hell those are breaking up, didn't Nintendo at least tried to make those NAND's specs to match the other ones like Samsung or Toshiba units?
Also not sure if that could also happen by not powering them up in a very long time...

Where you get miimaker files to reinstall?
I have tha same problem of you, but in my case is The wiiu menu files The problem.

https://gbatemp.net/threads/relase-...tive-to-wii-u-usb-helper.621432/#post-9988710

Try that app, maybe you can try to get the files from there.
In my case I downloaded them using Cemu and WUPDownloader, but that was because I didn't figure out that other apps where available, without the need to use my weird combination to get the files.

 

[xxMAGRAOxx]

Awesome job. Please anyone help me if this work in my case. Stucks in 80% and the genius here shutdown while system 5.5.6 update. Now, when I turn it on, the gamepad doesn’t sync, the disc drive makes booting noises twice and there’s just a black screen.

 

[kcmortis39]

So i've tried the installing the pico at the right time, screen either gets stuck at wii u logo or wii u itself shuts off after i put the pico in the usb port. Any idea what i could be doing wrong?

 

[xxMAGRAOxx]

I have fixed my Wii U today. I've updated both system.xml and sys_prod.xml for regionhax experiment. Stuck at Wii U logo. Loaded UDPIH but no recovery menu but the power LED turned purple. This signal meant the recovery menu thread was loaded. Tried following blind operation to enable WUP server based on the latest 0.4 recovery menu.

Copy recovery_menu and prepare your network config as described in this repo: https://github.com/GaryOderNichts/recovery_menu

- Press EJECT 4 times to go to Load Network Configuration menu.
- Press POWER to enter.
- Press EJECT to exit to main menu.
- Press EJECT 10 times to go to Start wupserver menu.
- Press POWER to enter.

Use wupclient.py to restore your original files or update system files.

@netsurf012 help me with a little question. How manny seconds you wait to put the raspaberry in usb? I'm try many times here and nothing. Try in another wii u and successfully loaded.

 

[tiger1234]

can anyone help about this?? Will this unbricking method by recovery mode will work in wii u black screen of death???...(for those unknown to wii u black screen of death it happens when wii u is shut down manually during updates it corrupts os of wii u and system dosent boots after powering on due to missing or corrupt os files inspite led turns blue and fan also works . no screen comes on tv only black screen gamepad dosent sync as well...its obviously a software issue if somehow we can enter recovery menu in this scenario the console can be unbricked any suggesion or help will be highly appretiated regards

 

[BaamAlex]

when wii u is shut down manually during updates

Why the hell do you turn off the console during an update? Then it makes sense that you make a mess inside your wii u.

 

[tiger1234]

Why the hell do you turn off the console during an update? Then it makes sense that you make a mess inside your wii u.

@BaamAlex you are right but its not me who did it it was former owner i received the unit as broken for couple of dollars ..since nothing to lose i want to know if there is a way to enter recovery mode in wii u blacl screen of death scenario

 

[xxMAGRAOxx]

Why the hell do you turn off the console during an update? Then it makes sense that you make a mess inside your wii u.

Becouse the update stucks for HOURS without progress?? Or Maybe the power down of home? By the way. Thanks for your contribution

 

[tiger1234]

Becouse the update stucks for HOURS without progress?? Or Maybe the power down of home? By the way. Thanks for your contribution

i think its only software issue some files missing in os ...if these guys can guide to get into recovery mode its v much possible to unbrick the black screen of death issue in the wii u ...only access to recovery menu is required somehow like gary discovered the cbhc unbrick method


by the way buddy you got that lan adaptor have u tried ??? lan adaptor recovery? ??i tried but no success i doubt about the success of this process itself

 

[xxMAGRAOxx]

by the way buddy you got that lan adaptor have u tried ??? lan adaptor recovery? ??i tried but no success i doubt about the success of this process itself

I'm still waiting for. I have tried the method recovery menu, but without success. My idea is to upload by wupserver the "missing files OS". But i have no idea what i'm doing

 

[tiger1234]

I'm still waiting for. I have tried the method recovery menu, but without success. My idea is to upload by wupserver the "missing files OS". But i have no idea what i'm doing


okkk pls update if you get any breakthrough in this process of unbricking

 

[omdenix]

I have bricked wii u with 0103 error code(non moded 32 gb ver.) I am assuming that it is a hardware failiure. I used to be access to vWii but I changed setting in the account menu and cannot access to anything. It shows profile selection and then if I click to a profile, my system gives me a 160-0103 error. I am working everyday to come up with a fix. Its been a week now. I read every reply in here. It is quite exciting actually . I am thinking about can we get a v0.5 update for with fixing corrupted system titles ( mii maker, system preferences, wii u menu..) like fixing coldboot title. Because I am trying to install those corrupted titles using WUP installer but I got theese errors. I know it could be hardware related. The voice inside of me still says it is going to be fixed somehow. So I am trying my best. I hope someone would reply to this. Rednand might be a hard thing to fix but I believe that there is a people out there waiting and hoping to be fixed. Also I am very excited about homebrew stuff in recovery on the next versions.

 

[jedi23]

I tried to run the recovery on a japanese Wii U to bypasses any region checks and pair my gamepad with it. However, I was not successful to get into the recovery menu. I tried different FAT32 formatted SD cards, I reflashed the pico again, changed my timing to plug in the pico many times, ... in all my attempts the console just boots normally...
Does this recovery menu also works with jap. consoles or what did I do wrong?

 

[BaamAlex]

Does this recovery menu also works with jap. consoles or what did I do wrong?

Are your usb devices unplugged?

 

[jedi23]

Are your usb devices unplugged?

Yes, everything else is unplugged.

 

[BaamAlex]

Then it can be just your timing i would say. Here and here are videos for the "correct" timing. Maybe it helps you a bit. Both videos show the process with the pico and the switch.