It's been a while without any major exploits in the Wii U scene, so I present to you:

USB Descriptor Parsing Is Hard (UDPIH)​

An exploit for the Wii U's USB Host Stack. Pronounced like "mud pie" without the M.

The write-up can be found here!

What does this mean?​

Since the USB Stack is running before anything on the PPC side of the Wii U is booted, this allows unbricking things like CBHC bricks without any soldering!

Requirements​

• A Wii U
• One of the devices listed below
  Note: Any other linux device capable of USB device emulation should work as well.
  Prebuilt releases are only available for the Pico and Zero.
  I will add more devices below which are confirmed to work.

Supported devices:​

• A Raspberry Pi Pico or Zero
• A Nintendo Switch capable of running udpih_nxpayload

Instructions​

Pico​

• Download the latest udpih.uf2 from the releases page.
• Hold down the BOOTSEL button on the board and connect the Pico to your PC.
  Your PC will detect the Pi as a storage device.
• Copy the .uf2 file to the Pico. It will disconnect after a few seconds.

The Pico is now flashed and can be used for udpih. Continue with "Booting the recovery_menu" below.

Raspberry Pi Zero (Linux)​

• Install the required dependencies:
  

  sudo apt install build-essential raspberrypi-kernel-headers

• Clone the repo:

• git clone https://github.com/GaryOderNichts/udpih.git
  cd udpih

• Download the latest arm_kernel.bin.h from the releases page and copy it to the arm_kernel directory.
• Now build the kernel module:

• cd linux
  make

• You can now run sudo insmod udpih.ko to insert the kernel module into the kernel.

The Zero is now ready to be used for udpih.
Note that you'll need to insert the module again after rebooting the Zero. You will need 2 USB cables, one for powering the Zero and one which can be connected to the Wii U.

Continue with "Booting the recovery_menu" below.

Booting the recovery_menu​

Important notes for this to work:

• Make sure no other USB Devices are attached to the console.
• Only use USB ports on the front of the console, the back ports will not work.
• If your console has standby mode enabled, pull the power plug and turn it on from a full coldboot state.

• Copy the latest release of the recovery_menu to the root of your FAT32 formatted SD Card.
• Insert the SD Card into the console and power it on.
• As soon as you see the "Wii U" logo on the TV or Gamepad plug in your Zero/Pico.
  This timing is important. If you're already in the menu, the exploit won't work..
• After a few seconds you should be in the recovery menu.

So what's this recovery menu? The recovery menu allows you to fix several bricks:

Wii U Recovery Menu​

A simple recovery menu running on the IOSU for unbricking.

Options​

Set Coldboot Title
Allows changing the current title the console boots to.
Useful for unbricking CBHC bricks.
Possible options are:

• Wii U Menu (JPN) - 00050010-10040000
• Wii U Menu (USA) - 00050010-10040100
• Wii U Menu (EUR) - 00050010-10040200

On non-retail systems the following additional options are available:

• System Config Tool - 00050010-1F700500
• DEVMENU (pre-2.09) - 00050010-1F7001FF
• Kiosk Menu - 00050010-1FA81000

Dump Syslogs
Copies all system logs to a logs folder on the root of the SD Card.

Dump OTP + SEEPROM
Dumps the OTP and SEEPROM to otp.bin and seeprom.bin on the root of the SD Card.

Start wupserver
Starts wupserver which allows connecting to the console from a PC using wupclient.

Load Network Configuration
Loads a network configuration from the SD, and temporarily applies it to use wupserver.
The configurations will be loaded from a network.cfg file on the root of your SD.
For using the ethernet adapter, the file should look like this:

type=eth

For using wifi:

type=wifi
ssid=ssidhere
key=wifikeyhere
key_type=WPA2_PSK_AES

Pair Gamepad
Displays the Gamepad Pin and allows pairing a Gamepad to the system. Also bypasses any region checks while pairing.
The numeric values represent the following symbols: ♠ = 0, ♥ = 1, ♦ = 2, ♣ = 3.
Note that rebooting the system might be required to use the newly paired gamepad.

Install WUP
Installs a valid signed WUP from the install folder on the root of your SD Card.
Don't place the WUP into any subfolders.

Edit Parental Controls
Displays the current Parental Controls pin configuration.
Allows disabling Parental Controls.

Debug System Region
Fixes bricks caused by setting productArea and/or gameRegion to an invalid value. Symptoms include being unable to launch System Settings or other in-region titles.

System Information
Displays info about several parts of the system.
Including serial number, manufacturing date, console type, regions, memory devices...

Credits​

• @Maschell for the network configuration types
• @dimok789 for mocha
• @hexkyz for hexFW
• @rw-r-r-0644 for the lolserial code

Special thanks to Maschell, rw-r-r-0644, QuarkTheAwesome, vgmoose, exjam, dimok789, and everyone else who contributed to the Wii U scene!

 

[N3311]

Hi,
I also have a special issue with my WiiU. When I press Power the WiiU boots and is stuck on the WiiU-Screen. The Gamepad boots into the Fast-Start-Menu and is then also Stuck in the WiiU-Screen.
I tried to access the Recovery-Menu, but the screen stays the same. The Power LED goes purple but the Menu is not shown. I tried to "blind navigate" with Power and Eject but it seems not to work.
Does somebody know a solution to this Problem?

EDIT: I was able to blind navigate to the Log-File-Dump to the SD-Card. This worked but I don't understand the meaning of the errors.

 

[stormlord]

Hi, will there be a new version with the option to dump MLC (32GB nand)? My Wii U cannot load the internet browser and it is necessary to back up the memory.

Thanks for you job.

 

[BaamAlex]

Hi, will there be a new version with the option to dump MLC (32GB nand)? My Wii U cannot load the internet browser and it is necessary to back up the memory.

Thanks for you job.

Dumping the nand is not possible. But instead of the browser, you can use the bluubomb exploit.

 

[stormlord]

Dumping the nand is not possible. But instead of the browser, you can use the bluubomb exploit.

Interesting, I'm going to look for information about that, thank you very much.

 

[OhHiNick]

I was fooling round in the home button menu files and i accedentally bricked my wii u. IDK how to use recovery menu or wupserver. please help me.

 

[Larrikkin]

Hey, I have been trying to set this up on my Rpi Zero, but continue to get a usb_gadget_probe_driver error. I'm using the latest version of Raspian that I flashed with the official imager, and I've made sure to update packages and everything. I suspect there is a simple step I am failing to complete, or maybe this is an incompatible model of RPI?. Thanks.

 

[GaryOderNichts]

Hey, I have been trying to set this up on my Rpi Zero, but continue to get a usb_gadget_probe_driver error. I'm using the latest version of Raspian that I flashed with the official imager, and I've made sure to update packages and everything. I suspect there is a simple step I am failing to complete, or maybe this is an incompatible model of RPI?. Thanks.

Uh yeah they changed it to usb_gadget_register_driver in one of the newer linux releases.
Will push an update real quick.

 

[Prince ofhell]

how i can fix an 160-1402 error on my wii u witch the dvd drive died

 

[godreborn]

how i can fix an 160-1402 error on my wii u witch the dvd drive died

from what I've been told, a failed dvd drive doesn't affect games booting at least. it's not like sony systems in that regard.

 

[Prince ofhell]

The system doesn't boot it stuck on the boot screen with an error

Post automatically merged: May 4, 2023

This is a picture of the screen

 

[Toschwil]

how i can fix an 160-1402 error on my wii u witch the dvd drive died

Error 1402 will shown, if the flatcable of the drive is rotated (rotate the cable with the edge right). If you then got error 160-1400 then are mostly two small smd items near the driver connector bad (on the Wii U Pcb) and had to be replaced.

Post automatically merged: May 4, 2023

from what I've been told, a failed dvd drive doesn't affect games booting at least. it's not like sony systems in that regard.

That is only true for a defective laser. The drive electronic ist part of the security system.

 

[Prince ofhell]

logs file

Post automatically merged: May 4, 2023

Error 1402 will shown, if the flatcable of the drive is rotated (rotate the cable with the edge right). If you then got error 160-1400 then are mostly two small smd items near the driver connector bad (on the Wii U Pcb) and had to be replaced.

Post automatically merged: May 4, 2023

That is only true for a defective laser. The drive electronic ist part of the security system.

bro i know for sour that my drive is faulty i took it to a repair service and they told me i have a bad daughter board on the drive

the system was on 5.5.2 when they updated the system to 5.5.3 it gave that error and since then the wii u is breaked

 

[Toschwil]

logs file

I dont need a log. Error 160-1400 is an Hardware defect on the Console PCB. Please rotate the drive cable to verify that error 1402 will be 1400.

 

[Prince ofhell]

I dont need a log. Error 160-1400 is an Hardware defect on the Console PCB. Please rotate the drive cable to verify that error 1402 will be 1400.

ok bro i will disasimble the console tomorrow and will tell you whats will happed

 

[Toschwil]

logs file

Post automatically merged: May 4, 2023

bro i know for sour that my drive is faulty i took it to a repair service and they told me i have a bad daughter board on the drive

the system was on 5.5.2 when they updated the system to 5.5.3 it gave that error and since then the wii u is breaked

This is the same as with the PS3. If the connection to the DVD drive does not work 100% during a firmware update, the drive will not be checked, updated and this will end in this error message. With the PS3 I would have to look for the error message, I don't have it in my head and it wasn't anywhere at the time. With the Ps3, however, there is the possibility of marrying another PCB, which is not yet possible with the Wii U as far as I know. You have to check your Wii U PCB !

Post automatically merged: May 4, 2023

ok bro i will disasimble the console tomorrow and will tell you whats will happed

Ok, if you got 1400 error, you have to check the red area. Mostly the first two tiny smd parts a gone.

 

[Prince ofhell]

This is the same as with the PS3. If the connection to the DVD drive does not work 100% during a firmware update, the drive will not be checked, updated and this will end in this error message. With the PS3 I would have to look for the error message, I don't have it in my head and it wasn't anywhere at the time. With the Ps3, however, there is the possibility of marrying another PCB, which is not yet possible with the Wii U as far as I know. You have to check your Wii U PCB !

Post automatically merged: May 4, 2023

i found the original thread error and the issue for 2019

https://gbatemp.net/threads/driver-error.554306

i got the motherboard without the daughter board

 

[Toschwil]

If you dont have the original Driver Board you could not solve the problem. There is no way yet

 

[Prince ofhell]

If you dont have the original Driver Board you could not solve the problem. There is no way yet

so you advice my to sold it or keep it for another year

 

[Toschwil]

The pure console cost nothing. The price depends on your location. Here in Germany you can get an 32 GB with power Supply for only about 35€. If there are not important data on it, i will prefer a new one.

 

[calvotron13]

Hi all,

Looking to get some help with this Wii U I purchased. I do not know the history of this console, so I have no NAND backup of it. It displays a 160-0101 error, however when I use a pi pico to load the udpih + recovery menu, I cant seem to set the coldboot title back to my correct region. It gives me an error telling me to make sure title is installed correctly. Going into debug system region, its telling me that it could not find a Wii U menu title on this console.

Can this be fixed?