It's been a while without any major exploits in the Wii U scene, so I present to you:

USB Descriptor Parsing Is Hard (UDPIH)​

An exploit for the Wii U's USB Host Stack. Pronounced like "mud pie" without the M.

The write-up can be found here!

What does this mean?​

Since the USB Stack is running before anything on the PPC side of the Wii U is booted, this allows unbricking things like CBHC bricks without any soldering!

Requirements​

• A Wii U
• One of the devices listed below
  Note: Any other linux device capable of USB device emulation should work as well.
  Prebuilt releases are only available for the Pico and Zero.
  I will add more devices below which are confirmed to work.

Supported devices:​

• A Raspberry Pi Pico or Zero
• A Nintendo Switch capable of running udpih_nxpayload

Instructions​

Pico​

• Download the latest udpih.uf2 from the releases page.
• Hold down the BOOTSEL button on the board and connect the Pico to your PC.
  Your PC will detect the Pi as a storage device.
• Copy the .uf2 file to the Pico. It will disconnect after a few seconds.

The Pico is now flashed and can be used for udpih. Continue with "Booting the recovery_menu" below.

Raspberry Pi Zero (Linux)​

• Install the required dependencies:
  

  sudo apt install build-essential raspberrypi-kernel-headers

• Clone the repo:

• git clone https://github.com/GaryOderNichts/udpih.git
  cd udpih

• Download the latest arm_kernel.bin.h from the releases page and copy it to the arm_kernel directory.
• Now build the kernel module:

• cd linux
  make

• You can now run sudo insmod udpih.ko to insert the kernel module into the kernel.

The Zero is now ready to be used for udpih.
Note that you'll need to insert the module again after rebooting the Zero. You will need 2 USB cables, one for powering the Zero and one which can be connected to the Wii U.

Continue with "Booting the recovery_menu" below.

Booting the recovery_menu​

Important notes for this to work:

• Make sure no other USB Devices are attached to the console.
• Only use USB ports on the front of the console, the back ports will not work.
• If your console has standby mode enabled, pull the power plug and turn it on from a full coldboot state.

• Copy the latest release of the recovery_menu to the root of your FAT32 formatted SD Card.
• Insert the SD Card into the console and power it on.
• As soon as you see the "Wii U" logo on the TV or Gamepad plug in your Zero/Pico.
  This timing is important. If you're already in the menu, the exploit won't work..
• After a few seconds you should be in the recovery menu.

So what's this recovery menu? The recovery menu allows you to fix several bricks:

Wii U Recovery Menu​

A simple recovery menu running on the IOSU for unbricking.

Options​

Set Coldboot Title
Allows changing the current title the console boots to.
Useful for unbricking CBHC bricks.
Possible options are:

• Wii U Menu (JPN) - 00050010-10040000
• Wii U Menu (USA) - 00050010-10040100
• Wii U Menu (EUR) - 00050010-10040200

On non-retail systems the following additional options are available:

• System Config Tool - 00050010-1F700500
• DEVMENU (pre-2.09) - 00050010-1F7001FF
• Kiosk Menu - 00050010-1FA81000

Dump Syslogs
Copies all system logs to a logs folder on the root of the SD Card.

Dump OTP + SEEPROM
Dumps the OTP and SEEPROM to otp.bin and seeprom.bin on the root of the SD Card.

Start wupserver
Starts wupserver which allows connecting to the console from a PC using wupclient.

Load Network Configuration
Loads a network configuration from the SD, and temporarily applies it to use wupserver.
The configurations will be loaded from a network.cfg file on the root of your SD.
For using the ethernet adapter, the file should look like this:

type=eth

For using wifi:

type=wifi
ssid=ssidhere
key=wifikeyhere
key_type=WPA2_PSK_AES

Pair Gamepad
Displays the Gamepad Pin and allows pairing a Gamepad to the system. Also bypasses any region checks while pairing.
The numeric values represent the following symbols: ♠ = 0, ♥ = 1, ♦ = 2, ♣ = 3.
Note that rebooting the system might be required to use the newly paired gamepad.

Install WUP
Installs a valid signed WUP from the install folder on the root of your SD Card.
Don't place the WUP into any subfolders.

Edit Parental Controls
Displays the current Parental Controls pin configuration.
Allows disabling Parental Controls.

Debug System Region
Fixes bricks caused by setting productArea and/or gameRegion to an invalid value. Symptoms include being unable to launch System Settings or other in-region titles.

System Information
Displays info about several parts of the system.
Including serial number, manufacturing date, console type, regions, memory devices...

Credits​

• @Maschell for the network configuration types
• @dimok789 for mocha
• @hexkyz for hexFW
• @rw-r-r-0644 for the lolserial code

Special thanks to Maschell, rw-r-r-0644, QuarkTheAwesome, vgmoose, exjam, dimok789, and everyone else who contributed to the Wii U scene!

 

[SDIO]

I wonder which title it was.

 

[jacobsson]

The red wier GND????

No that'd be bad and would probably kill the SD card.
Maybe you've got your schematic mirrored? If I remember correctly it's Pin3 to GND and 4 to Vcc. Be careful

 

[Jehmyson]

My Wii U also won't boot, it freezes at the Wii U logo and crashes, I have to force the device to shut down every time. My RP Pico doesn't turn on any lights but it was programmed with the files correctly.

 

[Ysecond]

My Wii U also won't boot, it freezes at the Wii U logo and crashes, I have to force the device to shut down every time. My RP Pico doesn't turn on any lights but it was programmed with the files correctly.

What brand is MLC chip? Show some picture

 

[SDIO]

Does the led on the Wii U turn purple, when you try udpih?

 

[Jehmyson]

What brand is MLC chip? Show some picture

I don't know the model yet, I'd have to open the Wii U or make this method work. This week I'll open the device to be sure and post it here to get more information.

Post automatically merged: Oct 1, 2023

Does the led on the Wii U turn purple, when you try udpih?

It doesn't turn purple, just blue with the logo (Nintendo / Wii U) frozen and no buttons working (eject / power), just forcing the device to turn off.

 

[SDIO]

try aain with a different timings. If it doesn't turn purple (or the Wii U doesn't shut down, in case no SD is inserted) then the FW is probabyl too old for UDPIH and you would need to defuse

 

[some1ne]

I currently have a Wii U that's goes straight to the format screen after powering on, but never finishes formatting it. I tried using UDPIH a while ago, without luck in bringing the recovery menu up. LED stays blue. Screen still shows the format screen:

I also got another Wii U, this one without any hdmi or gamepad output. I tried following the same steps but used the dc_init version, without any luck either.

I'm using a 64gb SD card formatted as FAT32 with 32k cluster size and an RP2040 (the same ones used for modding the switch). I don't see any LEDs light up on the pico, is that ok?

I also tried using a switch instead of the rp2040, got the same results. This is the switch's screen:

 

[SDIO]

Then the firmware is probably too old. Your only option atm is defuse

 

[some1ne]

Then the firmware is probably too old. Your only option atm is defuse

Any guides, diagrams and other resources for defuse?

 

[SDIO]

For the wireing look here: https://github.com/jan-hofmeier/wii_u_modchip/blob/wiring-diagram/pico_defuse/README.md

For the instructions, files and everything else look here: https://github.com/shinyquagsire23/wii_u_modchip/releases/tag/v0.8

 

[some1ne]

For the wireing look here: https://github.com/jan-hofmeier/wii_u_modchip/blob/wiring-diagram/pico_defuse/README.md

For the instructions, files and everything else look here: https://github.com/shinyquagsire23/wii_u_modchip/releases/tag/v0.8

Thank you very much.

I have a few questions.

Can I use the 3V3 point on the RP2040 zero? On the wiring diagram, it says to use 3V3(OUT) for TP122, but I wanna make sure the 3V3 point on the RP2040 zero is the same as the one on the regular pico. I only have these boards with me right now.
Pinouts:

Spoiler: Pico

Spoiler: RP2040 Zero

After I get it up and running, what should I be looking for exactly? Can I do a NAND backup with it? Can I use the same recovery menu UDPIH uses or is the minute minute menu enough? Should I be following the equivalent to this guide after installing the modchip? https://gbatemp.net/threads/160-0103-error.636361/

 

[SDIO]

Don't connect up the 3V3, we don't need it as the pico is powered over USB anyway.

Once you have minute running, you need to dump otp via PRSHhax in the backup and restore menu

 

[fringle]

Thank you very much.

I have a few questions.

Can I use the 3V3 point on the RP2040 zero? On the wiring diagram, it says to use 3V3(OUT) for TP122, but I wanna make sure the 3V3 point on the RP2040 zero is the same as the one on the regular pico. I only have these boards with me right now.
Pinouts:

Spoiler: Pico

View attachment 397472

Spoiler: RP2040 Zero

View attachment 397468

After I get it up and running, what should I be looking for exactly? Can I do a NAND backup with it? Can I use the same recovery menu UDPIH uses or is the minute minute menu enough? Should I be following the equivalent to this guide after installing the modchip? https://gbatemp.net/threads/160-0103-error.636361/

Edit to remove unnecessary info. Was confusing GP#'s with pin numbers.

 

[V10lator]

other GND points

There is just one GND connection between the Pico and the Wii U, see https://github.com/shinyquagsire23/wii_u_modchip/tree/main/pico_defuse#wiring

RP2040 zero

I guess this has the same pinout than the tiny? If so havea look at https://github.com/shinyquagsire23/wii_u_modchip/pull/6 (note that you somehow have to define WAVESHARE_TINY so the changed pin layout gets used).

As SDIO said you don't need to connect the 3.3 V line but in case you decide to do it add a diode so current can flow from the Wii U to the zero board but not the other way around. Don't care about voltage drop, the RP2040 chip works between 1.8 and 3.3 V-

 

[fringle]

There is just one GND connection between the Pico and the Wii U, see https://github.com/shinyquagsire23/wii_u_modchip/tree/main/pico_defuse#wiring

I guess this has the same pinout than the tiny? If so havea look at https://github.com/shinyquagsire23/wii_u_modchip/pull/6 (note that you somehow have to define WAVESHARE_TINY so the changed pin layout gets used).

View attachment 397660
View attachment 397661

As SDIO said you don't need to connect the 3.3 V line but in case you decide to do it add a diode so current can flow from the Wii U to the zero board but not the other way around. Don't care about voltage drop, the RP2040 chip works between 1.8 and 3.3 V-

That makes sense. I was confusing gp#'s with pin numbers.

 

[Pyoro_]

does this work with a wii u that gets stuck on a black screen? (bricked from unplugging while doing the 2.0.0 update)

 

[SDIO]

does this work with a wii u that gets stuck on a black screen? (bricked from unplugging while doing the 2.0.0 update)

That should be fixable with defuse, but not udpih

 

[sirjman]

I have a console that is working, but it seems the HDMI output is dead. I can go blind and get it to dump the logs, but is there any way to get the Gamepad pin to be dumped? I'd like to be able to sync a pad to it and hopefully change to RCA output.

 

[YosMakii]

(Raspberry Pi pico) With Wupserver I did a process to restore the font Of the Console (My wii u got Brick Font) CafeStd.ttf and CafeKr.ttf
I follow this Steps Command

`python3 -i wupclient.py`


`w.ls("/vol/storage_mlc01/sys/title/0005001b/10042400/content/")`


`w.up("CafeKr.ttf" , "/vol/storage_mlc01/sys/title/0005001b/10042400/content/CafeKr.ttf")`

`ios_reset()`

but it keeps freezing in the pure title that the Wii u has, it barely loads the menu a little and I get a crash

Please Help