It's been a while without any major exploits in the Wii U scene, so I present to you:

USB Descriptor Parsing Is Hard (UDPIH)​

An exploit for the Wii U's USB Host Stack. Pronounced like "mud pie" without the M.

The write-up can be found here!

What does this mean?​

Since the USB Stack is running before anything on the PPC side of the Wii U is booted, this allows unbricking things like CBHC bricks without any soldering!

Supported devices:​

• Raspberry Pi Pico (W) / Pico 2 (W)
• Raspberry Pi Zero (W) / A / A+ / Zero 2 W / 4 / 5
• Steam Deck
• Espressif ESP32 S2 / S3
• Nintendo Switch capable of running udpih_nxpayload

Instructions​

Device Setup​

Follow the setup guide for the device you want to use below:

• Raspberry Pi Pico / Pico 2
• Raspberry Pi Zero (W) / A / A+ / Zero 2 W / 4 / 5
• Steam Deck
• Espressif ESP32 S2 / S3
• Nintendo Switch

Booting the recovery_menu​

Important notes for this to work:

• Make sure no other USB devices are attached to the console.
• Only use USB ports on the front of the console, the back ports will not work.
• If your console has standby mode enabled, pull the power plug and turn it on from a full coldboot state.

• Copy the latest release of the recovery_menu to the root of your FAT32 formatted SD Card.
• Insert the SD Card into the console and power it on.
• As soon as you see the "Wii U" logo on the TV or Gamepad plug in your prepared UDPIH device.
  This timing is important. If you're already in the menu, the exploit won't work.
  Depending on the device, you might have to plug it in sooner or later. This might take several attempts.
  If you get no video output or a distorted screen, your timing was most likely wrong.
• After a few seconds you should be in the recovery menu.

So what's this recovery menu? The recovery menu allows you to fix several bricks:

Wii U Recovery Menu​

A simple recovery menu running on the IOSU for unbricking.

Options​

Set Coldboot Title
Allows changing the current title the console boots to.
Useful for unbricking CBHC bricks.
Possible options are:

• Wii U Menu (JPN) - 00050010-10040000
• Wii U Menu (USA) - 00050010-10040100
• Wii U Menu (EUR) - 00050010-10040200

On non-retail systems the following additional options are available:

• System Config Tool - 00050010-1F700500
• DEVMENU (pre-2.09) - 00050010-1F7001FF
• Kiosk Menu - 00050010-1FA81000

Dump Syslogs
Copies all system logs to a logs folder on the root of the SD Card.

Dump OTP + SEEPROM
Dumps the OTP and SEEPROM to otp.bin and seeprom.bin on the root of the SD Card.

Start wupserver
Starts wupserver which allows connecting to the console from a PC using wupclient.

Load Network Configuration
Loads a network configuration from the SD, and temporarily applies it to use wupserver.
The configurations will be loaded from a network.cfg file on the root of your SD.
For using the ethernet adapter, the file should look like this:

type=eth

For using wifi:

type=wifi
ssid=ssidhere
key=wifikeyhere
key_type=WPA2_PSK_AES

Pair Gamepad
Displays the Gamepad Pin and allows pairing a Gamepad to the system. Also bypasses any region checks while pairing.
The numeric values represent the following symbols: ♠ = 0, ♥ = 1, ♦ = 2, ♣ = 3.
Note that rebooting the system might be required to use the newly paired gamepad.

Install WUP
Installs a valid signed WUP from the install folder on the root of your SD Card.
Don't place the WUP into any subfolders.

Edit Parental Controls
Displays the current Parental Controls pin configuration.
Allows disabling Parental Controls.

Debug System Region
Fixes bricks caused by setting productArea and/or gameRegion to an invalid value. Symptoms include being unable to launch System Settings or other in-region titles.

System Information
Displays info about several parts of the system.
Including serial number, manufacturing date, console type, regions, memory devices...

Load BOOT1 payload
Loads a payload from the root of the SD Card named boot1.img and executes it from within boot1.
If the file is named boot1now.img it gets loaded automatically when starting the recovery_menu after a 5 second timeout.

Credits​

• @Maschell for the network configuration types
• @dimok789 for mocha
• @hexkyz for hexFW
• @rw-r-r-0644 for the lolserial code

Special thanks to Maschell, rw-r-r-0644, QuarkTheAwesome, vgmoose, exjam, dimok789, and everyone else who contributed to the Wii U scene!

 

[SDIO]

I wonder which title it was.

 

[jacobsson]

The red wier GND????

No that'd be bad and would probably kill the SD card.
Maybe you've got your schematic mirrored? If I remember correctly it's Pin3 to GND and 4 to Vcc. Be careful

 

[Jehmyson]

My Wii U also won't boot, it freezes at the Wii U logo and crashes, I have to force the device to shut down every time. My RP Pico doesn't turn on any lights but it was programmed with the files correctly.

 

[Ysecond]

My Wii U also won't boot, it freezes at the Wii U logo and crashes, I have to force the device to shut down every time. My RP Pico doesn't turn on any lights but it was programmed with the files correctly.

What brand is MLC chip? Show some picture

 

[SDIO]

Does the led on the Wii U turn purple, when you try udpih?

 

[Jehmyson]

What brand is MLC chip? Show some picture

I don't know the model yet, I'd have to open the Wii U or make this method work. This week I'll open the device to be sure and post it here to get more information.

Post automatically merged: Oct 1, 2023

Does the led on the Wii U turn purple, when you try udpih?

It doesn't turn purple, just blue with the logo (Nintendo / Wii U) frozen and no buttons working (eject / power), just forcing the device to turn off.

 

[SDIO]

try aain with a different timings. If it doesn't turn purple (or the Wii U doesn't shut down, in case no SD is inserted) then the FW is probabyl too old for UDPIH and you would need to defuse

 

[some1ne]

I currently have a Wii U that's goes straight to the format screen after powering on, but never finishes formatting it. I tried using UDPIH a while ago, without luck in bringing the recovery menu up. LED stays blue. Screen still shows the format screen:

I also got another Wii U, this one without any hdmi or gamepad output. I tried following the same steps but used the dc_init version, without any luck either.

I'm using a 64gb SD card formatted as FAT32 with 32k cluster size and an RP2040 (the same ones used for modding the switch). I don't see any LEDs light up on the pico, is that ok?

I also tried using a switch instead of the rp2040, got the same results. This is the switch's screen:

 

[SDIO]

Then the firmware is probably too old. Your only option atm is defuse

 

[some1ne]

Then the firmware is probably too old. Your only option atm is defuse

Any guides, diagrams and other resources for defuse?

 

[SDIO]

For the wireing look here: https://github.com/jan-hofmeier/wii_u_modchip/blob/wiring-diagram/pico_defuse/README.md

For the instructions, files and everything else look here: https://github.com/shinyquagsire23/wii_u_modchip/releases/tag/v0.8

 

[some1ne]

For the wireing look here: https://github.com/jan-hofmeier/wii_u_modchip/blob/wiring-diagram/pico_defuse/README.md

For the instructions, files and everything else look here: https://github.com/shinyquagsire23/wii_u_modchip/releases/tag/v0.8

Thank you very much.

I have a few questions.

Can I use the 3V3 point on the RP2040 zero? On the wiring diagram, it says to use 3V3(OUT) for TP122, but I wanna make sure the 3V3 point on the RP2040 zero is the same as the one on the regular pico. I only have these boards with me right now.
Pinouts:

Spoiler: Pico

Spoiler: RP2040 Zero

After I get it up and running, what should I be looking for exactly? Can I do a NAND backup with it? Can I use the same recovery menu UDPIH uses or is the minute minute menu enough? Should I be following the equivalent to this guide after installing the modchip? https://gbatemp.net/threads/160-0103-error.636361/

 

[SDIO]

Don't connect up the 3V3, we don't need it as the pico is powered over USB anyway.

Once you have minute running, you need to dump otp via PRSHhax in the backup and restore menu

 

[fringle]

Thank you very much.

I have a few questions.

Can I use the 3V3 point on the RP2040 zero? On the wiring diagram, it says to use 3V3(OUT) for TP122, but I wanna make sure the 3V3 point on the RP2040 zero is the same as the one on the regular pico. I only have these boards with me right now.
Pinouts:

Spoiler: Pico

View attachment 397472

Spoiler: RP2040 Zero

View attachment 397468

After I get it up and running, what should I be looking for exactly? Can I do a NAND backup with it? Can I use the same recovery menu UDPIH uses or is the minute minute menu enough? Should I be following the equivalent to this guide after installing the modchip? https://gbatemp.net/threads/160-0103-error.636361/

Edit to remove unnecessary info. Was confusing GP#'s with pin numbers.

 

[V10lator]

other GND points

There is just one GND connection between the Pico and the Wii U, see https://github.com/shinyquagsire23/wii_u_modchip/tree/main/pico_defuse#wiring

RP2040 zero

I guess this has the same pinout than the tiny? If so havea look at https://github.com/shinyquagsire23/wii_u_modchip/pull/6 (note that you somehow have to define WAVESHARE_TINY so the changed pin layout gets used).

As SDIO said you don't need to connect the 3.3 V line but in case you decide to do it add a diode so current can flow from the Wii U to the zero board but not the other way around. Don't care about voltage drop, the RP2040 chip works between 1.8 and 3.3 V-

 

[fringle]

There is just one GND connection between the Pico and the Wii U, see https://github.com/shinyquagsire23/wii_u_modchip/tree/main/pico_defuse#wiring

I guess this has the same pinout than the tiny? If so havea look at https://github.com/shinyquagsire23/wii_u_modchip/pull/6 (note that you somehow have to define WAVESHARE_TINY so the changed pin layout gets used).

View attachment 397660
View attachment 397661

As SDIO said you don't need to connect the 3.3 V line but in case you decide to do it add a diode so current can flow from the Wii U to the zero board but not the other way around. Don't care about voltage drop, the RP2040 chip works between 1.8 and 3.3 V-

That makes sense. I was confusing gp#'s with pin numbers.

 

[Sukiyo]

does this work with a wii u that gets stuck on a black screen? (bricked from unplugging while doing the 2.0.0 update)

 

[SDIO]

does this work with a wii u that gets stuck on a black screen? (bricked from unplugging while doing the 2.0.0 update)

That should be fixable with defuse, but not udpih

 

[sirjman]

I have a console that is working, but it seems the HDMI output is dead. I can go blind and get it to dump the logs, but is there any way to get the Gamepad pin to be dumped? I'd like to be able to sync a pad to it and hopefully change to RCA output.

 

[YosMakii]

(Raspberry Pi pico) With Wupserver I did a process to restore the font Of the Console (My wii u got Brick Font) CafeStd.ttf and CafeKr.ttf
I follow this Steps Command

`python3 -i wupclient.py`


`w.ls("/vol/storage_mlc01/sys/title/0005001b/10042400/content/")`


`w.up("CafeKr.ttf" , "/vol/storage_mlc01/sys/title/0005001b/10042400/content/CafeKr.ttf")`

`ios_reset()`

but it keeps freezing in the pure title that the Wii u has, it barely loads the menu a little and I get a crash

Please Help