It's been a while without any major exploits in the Wii U scene, so I present to you:

USB Descriptor Parsing Is Hard (UDPIH)​

An exploit for the Wii U's USB Host Stack. Pronounced like "mud pie" without the M.

The write-up can be found here!

What does this mean?​

Since the USB Stack is running before anything on the PPC side of the Wii U is booted, this allows unbricking things like CBHC bricks without any soldering!

Requirements​

• A Wii U
• One of the devices listed below
  Note: Any other linux device capable of USB device emulation should work as well.
  Prebuilt releases are only available for the Pico and Zero.
  I will add more devices below which are confirmed to work.

Supported devices:​

• A Raspberry Pi Pico or Zero
• A Nintendo Switch capable of running udpih_nxpayload

Instructions​

Pico​

• Download the latest udpih.uf2 from the releases page.
• Hold down the BOOTSEL button on the board and connect the Pico to your PC.
  Your PC will detect the Pi as a storage device.
• Copy the .uf2 file to the Pico. It will disconnect after a few seconds.

The Pico is now flashed and can be used for udpih. Continue with "Booting the recovery_menu" below.

Raspberry Pi Zero (Linux)​

• Install the required dependencies:
  

  sudo apt install build-essential raspberrypi-kernel-headers

• Clone the repo:

• git clone https://github.com/GaryOderNichts/udpih.git
  cd udpih

• Download the latest arm_kernel.bin.h from the releases page and copy it to the arm_kernel directory.
• Now build the kernel module:

• cd linux
  make

• You can now run sudo insmod udpih.ko to insert the kernel module into the kernel.

The Zero is now ready to be used for udpih.
Note that you'll need to insert the module again after rebooting the Zero. You will need 2 USB cables, one for powering the Zero and one which can be connected to the Wii U.

Continue with "Booting the recovery_menu" below.

Booting the recovery_menu​

Important notes for this to work:

• Make sure no other USB Devices are attached to the console.
• Only use USB ports on the front of the console, the back ports will not work.
• If your console has standby mode enabled, pull the power plug and turn it on from a full coldboot state.

• Copy the latest release of the recovery_menu to the root of your FAT32 formatted SD Card.
• Insert the SD Card into the console and power it on.
• As soon as you see the "Wii U" logo on the TV or Gamepad plug in your Zero/Pico.
  This timing is important. If you're already in the menu, the exploit won't work..
• After a few seconds you should be in the recovery menu.

So what's this recovery menu? The recovery menu allows you to fix several bricks:

Wii U Recovery Menu​

A simple recovery menu running on the IOSU for unbricking.

Options​

Set Coldboot Title
Allows changing the current title the console boots to.
Useful for unbricking CBHC bricks.
Possible options are:

• Wii U Menu (JPN) - 00050010-10040000
• Wii U Menu (USA) - 00050010-10040100
• Wii U Menu (EUR) - 00050010-10040200

On non-retail systems the following additional options are available:

• System Config Tool - 00050010-1F700500
• DEVMENU (pre-2.09) - 00050010-1F7001FF
• Kiosk Menu - 00050010-1FA81000

Dump Syslogs
Copies all system logs to a logs folder on the root of the SD Card.

Dump OTP + SEEPROM
Dumps the OTP and SEEPROM to otp.bin and seeprom.bin on the root of the SD Card.

Start wupserver
Starts wupserver which allows connecting to the console from a PC using wupclient.

Load Network Configuration
Loads a network configuration from the SD, and temporarily applies it to use wupserver.
The configurations will be loaded from a network.cfg file on the root of your SD.
For using the ethernet adapter, the file should look like this:

type=eth

For using wifi:

type=wifi
ssid=ssidhere
key=wifikeyhere
key_type=WPA2_PSK_AES

Pair Gamepad
Displays the Gamepad Pin and allows pairing a Gamepad to the system. Also bypasses any region checks while pairing.
The numeric values represent the following symbols: ♠ = 0, ♥ = 1, ♦ = 2, ♣ = 3.
Note that rebooting the system might be required to use the newly paired gamepad.

Install WUP
Installs a valid signed WUP from the install folder on the root of your SD Card.
Don't place the WUP into any subfolders.

Edit Parental Controls
Displays the current Parental Controls pin configuration.
Allows disabling Parental Controls.

Debug System Region
Fixes bricks caused by setting productArea and/or gameRegion to an invalid value. Symptoms include being unable to launch System Settings or other in-region titles.

System Information
Displays info about several parts of the system.
Including serial number, manufacturing date, console type, regions, memory devices...

Credits​

• @Maschell for the network configuration types
• @dimok789 for mocha
• @hexkyz for hexFW
• @rw-r-r-0644 for the lolserial code

Special thanks to Maschell, rw-r-r-0644, QuarkTheAwesome, vgmoose, exjam, dimok789, and everyone else who contributed to the Wii U scene!

 

[SDIO]

yes, that works.
to make things easier for you, you can also flash the defuse boot1 to slccmpt, then you can use any sdcard with defuse.

Post automatically merged: Nov 11, 2023

You could probably also getting away by just having the important titles there and then run a system update afterwards should install the the missing titles, but I never tried that.

 

[Ylzen]

You can


When I looked todays at the message agin I noticed that it's not the save that is corrupted but the file in the title, that it wants t copy to the save. The easiest is to just reinstall the title (Wii U menu)

Thank you so much , is alive i upgrade and erase everything and working flawless now

 

[some1ne]

to make things easier for you, you can also flash the defuse boot1 to slccmpt, then you can use any sdcard with defuse.

How would that work? Do I try to restore the SLCCMPT with the boot1_slccmpt.img file and then I don't need to use the rp2040 while it's installed?

Post automatically merged: Nov 15, 2023

Managed to install the NAND-AID and tried swapping the SD cards before selecting "Patch and boot IOS".
Got an error about running the SD card at a lower speed:

sdhc_bus_power(0x300000)
sdhc_bus_clock(25000, 0)
sdhc_bus_width(1)
CID: F30014C7C00080473830555344530300
CID: mid=03 name='SDSU08G' prv=128.0 psn=00c0c714 mdt=3/2015
CSD: 40400A807F373B0000595B32000E4000
sdcard: sdhc mode, c_size=15159, card size = 7761920k
sdcard_select: resp=700
sdhc_bus_width(4)
sdcard: enabling highspeed 52MHz clock (32)
sdhc_bus_clock(52000, 1)
resetting due to error interrupt
timeout dump: error_intr: 0x0 intr: 0x2
sdcard: MMC_ALL_SEND_CID failed with 116
sdcard: could not enable highspeed clock for card, falling back to 48MHz highspeed?
sdhc_bus_clock(48000, 1)
resetting due to error interrupt
timeout dump: error_intr: 0x0 intr: 0x2
sdcard: MMC_ALL_SEND_CID failed with 116
sdcard: could not enable highspeed clock for card, falling back to 25MHz highspeed?
sdhc_bus_clock(25000, 1)

And then it stopped outputting at this part:

Power LED stays purple.

Should I try another SD card or replacing the slccmpt?

EDIT: Tried booting with OSv10 as stated in this post: https://gbatemp.net/threads/wii-u-blinking-blue-light-no-image.640588/post-10259653

Made some progress but got stuck at:

00:00:01:191: FSA fsa_core_ops.c(1511): failed to issue command to FS (-196640)

I attached the log file to this post.

EDIT 2:
Tried running wafel_destroy_mlc but got this error:

we in here MCP 0x5202008
calling mcp_entry in plugin: 27f77000
stroopwafel mcp_main done
IOS-PAD: Built 02/04/21 16:02:14, Image Utilization 58%.
IOS-CRYPTO: Built 02/04/21 16:02:14, Image Utilization 72%.
CRYPTO Open, clientPid=1 nodeId 00000000 titleId 0000000000000000 perm=0xffffffff
IOSC Initialize -- IOSC library build time 09/27/12 19:28:40
IOS-USB: Built 02/04/21 16:02:14, Image Utilization 62%.
00:00:00:237: MMC(0): initializing Controller 0, Slot 0 base 0x0D070000
00:00:00:239: MMC(3): initializing Controller 2, Slot 0 base 0x0D100000
00:00:00:241: MMC(4): initializing Controller 3, Slot 0 base 0x0D110000
IOS-NET: Built 02/04/21 16:02:14, Image Utilization 92%.
USB Trace: Activating root hubs @ uptime 0.303 s with options 0x40000.
00:00:00:305: USB Trace: Activating root hubs @ uptime 0.303 s with options 0x40000.
UHS0 Trace: DevFsm(EHCI-0/L0/P0): Creating device, speed=HIGH.
00:00:00:319: UHS0 Trace: DevFsm(EHCI-0/L0/P0): Creating device, speed=HIGH.
UHS0 Trace: DevFsm(OHCI-0:0/L0/P0): Creating device, speed=FULL.
00:00:00:324: UHS0 Trace: DevFsm(OHCI-0:0/L0/P0): Creating device, speed=FULL.
USB Info: UhsServerAddHc 0 OK.
00:00:00:327: USB Info: UhsServerAddHc 0 OK.
UHS0 Trace: DevFsm(EHCI-1/L0/P0): Creating device, speed=HIGH.
00:00:00:339: UHS0 Trace: DevFsm(EHCI-1/L0/P0): Creating device, speed=HIGH.
UHS0 Trace: DevFsm(OHCI-1:0/L0/P0): Creating device, speed=FULL.
00:00:00:344: UHS0 Trace: DevFsm(OHCI-1:0/L0/P0): Creating device, speed=FULL.
USB Info: UhsServerAddHc 1 OK.
00:00:00:347: USB Info: UhsServerAddHc 1 OK.
IOS-TEST: Built 02/04/21 16:02:14, Image Utilization 76%.
TEST Info: localProcessHeap OK.
TEST Info: crossProcessHeap OK.
00:00:00:355: TEST Info: crossProcessHeap OK.
IOS-AUXIL: Built 02/04/21 16:02:14, Image Utilization 57%.
AUXIL Info: localProcessHeap OK.
AUXIL Info: crossProcessHeap OK.
00:00:00:360: AUXIL Info: crossProcessHeap OK.
UHS0 Trace: Powering on root hub group 0.
00:00:00:363: UHS0 Trace: Powering on root hub group 0.
IOS-NSEC: Built 02/04/21 16:02:14, Image UtilIOS-FPD: Built 02/04/21 16:02:14, Image Utilization 74%.
UHS0 Trace: Powering on root hub group 1.
00:00:00:380: UHS0 Trace: Powering on root hub group 1.
00:00:00:382: AHCI_MGR Trace: Turning on drive power.
00:00:00:384: AHCI_MGR Trace: Turning on drive power.
ization 96%.
00:00:00:389: AHCI_MGR Trace: Initializing phy.
00:00:00:391: AHCI_MGR Trace: Initializing phy.
00:00:00:392: AHCI_DRV Trace: Initiating cold open.
00:00:00:394: AHCI_DRV Trace: Initiating cold open.
00:00:00:395: AHCI_DRV Trace: Resetting HBA.
00:00:00:396: AHCI_DRV Trace: Resetting HBA.
AUXIL Info: Net OK.
00:00:00:399: AUXIL Info: Net OK.
IOS-ACP: Built 02/04/21 16:02:14, Image Utilization 86%.
IOS-NIM-BOSS: Built 02/04/21 16:02:14, Image Utilization 90%.
act_main.cpp,Start,174CRYPTO Open, clientPid=5 nodeId 00000000 titleId 00000000100000f1 perm=0xffffffff
00:00:00:448: AHCI_DRV Trace: HBA Reset OK.
00:00:00:449: AHCI_DRV Trace: HBA Reset OK.
00:00:00:518: ISFS: FAT INFO (ch WUP): slot 38 / seq 62346 (Each FAT slot has been updated 974 times in avr)
00:00:00:521: ISFS: fs_fat.c(545)FAT INFO (ch WUP): slot 38 / seq 62346 (Each FAT slot has been updated 974 times in avr)
00:00:00:524: FSA: [uptime 0.524 s]: Attached volume to slc01 (isfs): Capacity 511 MB, 262016 logical blocks of size 2048 B.
00:00:00:613: ISFS: FAT INFO (ch RVL Compat): slot 12 / seq 14574 (Each FAT slot has been updated 910 times in avr)
00:00:00:616: ISFS: fs_fat.c(545)FAT INFO (ch RVL Compat): slot 12 / seq 14574 (Each FAT slot has been updated 910 times in avr)
00:00:00:619: FSA: [uptime 0.619 s]: Attached volume to slccmpt01 (isfs): Capacity 511 MB, 261632 logical blocks of size 2048 B.
00:00:00:628: SCFM:Start init. BUILD_TIME:[16:02:03]
00:00:00:633: SCFM:FSAInit
00:00:00:634: SCFM:AddClient
00:00:00:635: SCFM:scfmMountSlc
00:00:00:636: SCFM:scfmLoad
00:00:00:637: SCFM:Done init.
00:00:00:638: PCFS: Disabled because we are in PROD mode.
00:00:00:640: MCP: booting from NAND
00:00:00:641: MCP: Boot PM flags - PON_COLDBOOT
00:00:00:661: MCP: Cafe OS SDK Version 2.13.01 Build 69088 Branch sdk_2_13
00:00:00:663: MCP: Booting on Espresso (0x0000700100000201), Latte (0x25100028), RTC (0x01)
00:00:00:665: MCP: Platform - boardType(CF), boardRevision(11), devicePresence(0x00000000), sataDevice(3), consoleType(1)
00:00:00:670: ISFS: FAT block entries check start
00:00:00:672: ISFS: fs_ops.c(2215)FAT block entries check start
00:00:00:677: ISFS: FAT block entries check finished.
00:00:00:679: ISFS: fs_ops.c(2292)FAT block entries check finished.
00:00:00:692: FSA: [uptime 0.692 s]: Attached volume to mlc01 (raw): Capacity 5088 MB, 10420225 logical blocks of size 512 B.
00:00:00:698: FSA: [uptime 0.698 s]: Attached volume to ramdisk01 (raw): Capacity 125 MB, 129022 logical blocks of size 1024 B.
00:00:00:702: MCP: Formatting Device ramdisk to wfs
00:00:00:854: FSA: [uptime 0.854 s]: Attached volume to sdcard01 (fat): Capacity 60350 MB, 123596800 logical blocks of size 512 B.
00:00:00:862: FSA: [uptime 0.862 s]: Attached volume to ramdisk01 (wfs): Capacity 125 MB, 129022 logical blocks of size 1024 B.
00:00:00:866: MCP: Format Complete
00:00:00:875: MCP: Formatting Device mlc to wfs
00:00:01:078: FSA: [uptime 1.078 s]: Attached volume to mlc01 (wfs): Capacity 5088 MB, 10420225 logical blocks of size 512 B.
00:00:01:081: MCP: Format Complete
iosPanic(): MCP: failure in PM(788)...

EDIT 3: Good news! The Wii U is working again! I ran the setup plugin after running the destroy plugin (both with the OSv10 running through the 2nd option) and it installed all titles successfully! The Wii U booted up and is working just fine, even without defuse! It shut down and a red light started blinking, but I suppose it happened due to overheating because the Wii U was burning hot. I'll reassemble it and test everything again. Huge thanks for everything @SDIO

 

[grandosegood]

hey all, i keep getting a garbled image/white noise or an error that the connection is unstable on my gamepad. i have tried many times but it just doesn't take. running the latest wii u firmware, and an SD card formatted correctly with just the recovery_menu on it. any ideas? thanks.

 

[SDIO]

Does the LED turn purple when trying udpih?
You probably have corrupted fonts because of MLC corruption.

 

[grandosegood]

Does the LED turn purple when trying udpih?
You probably have corrupted fonts because of MLC corruption.

thanks for all your hard work in the community. in true fashion, once i redid everything and slowly re-read the instructions, it worked! i had a parental control locked wii u, now we have disabled parental control, reset it and it's going great. ty.

 

[SDIO]

Oh you got the garbled image only in recovery?
Thought you were getting them on boot

 

[grandosegood]

Oh you got the garbled image only in recovery?

that's correct, the wii u had a nnid account and a normal account, but also had parental controls on. the wii u didn't appear to have any hardware issues, just needed help getting through that one issue. the problems i faced were during the udpih recovery portion only.

 

[Barracuda]

I have a problem when Udpih starts on the switch, it says that it has been executed but there is no sign of it starting on the screen and the lights do not change color, it is still blue.

 

[SDIO]

Try a little earlier. Also the blue and the purple it's sometimes hard to distinguish. Are you sure it didn't change?

 

[Barracuda]

I don't know if it could be an SD problem, but I have tried several of them. I have also tried without SD inserted in the slot and Udpih tells me successful although the Wii U does not turn off and the color LED does not change either.

Inténtalo un poco antes. También el azul y el morado a veces resulta difícil distinguirlos. ¿Estás seguro de que no cambió?

 

[SDIO]

Then either the Wii U is crashing too early, you or timing is wrong or the FW is too old.
What does the Wii U do without udpih? Does it show an error?

 

[Barracuda]

Then either the Wii U is crashing too early, you or timing is wrong or the FW is too old.
What does the Wii U do without udpih? Does it show an error?

Most likely the fw is too old, I have tried every time. I also have rpi, I will have to take the motherboard with the rpi to a shop to have it soldered using the guide you provided. Thank you very much, you are a genius!!

 

[SDIO]

Does it have a hynix emmc?

 

[Barracuda]

Does it have a hynix emmc?

most likely. They are from the first black 32GB unit, Premium Pack.
Although I would like to ask you if the best option would be Nand-aid?

 

[SDIO]

If the emmC is then problem then yes. You can ask @V10lator for a NAND-AID, if you want one, I think he still hase some.

 

[Barracuda]

If the emmC is then problem then yes. You can ask @V10lator for a NAND-AID, if you want one, I think he still hase some.

I had no luck in acquiring Voultar's Nand-aid because orders do not arrive in Europe. I am in Spain and I think it will be difficult to find an engineer here in Spain.

 

[SDIO]

Just get one from @V10lator for a tenth of the price. He is from Germany, so no overseas shipping to Spain and no customs.

 

[skawo]

Got a WiiU which:
Black Screens on HDMI, No signal on Component/Composite
Launching UDPIH with Recovery Menu goes to Black Screen with purple LED
Launching UDPIH DC_INIT shows me a garbled screen over HDMI
Managed to pair a GamePad to it, and it turns on with the WiiU, but then shows "Could not connect to console"

I can wupserver into it; is there a way to switch the video output over to Component/Composite using it?

Attached are the logs; there seems to be no MEDIA ERROR/DATA CORRUPTION in them.

 

[Barracuda]

Simplemente obtenga uno de @V10lator por una décima parte del precio. Es de Alemania, por lo que no hay envíos al extranjero a España ni aduanas.

Muchas gracias, dejé un MP para comprar Nand-Aid, espero tener suerte.