It's been a while without any major exploits in the Wii U scene, so I present to you:

USB Descriptor Parsing Is Hard (UDPIH)​

An exploit for the Wii U's USB Host Stack. Pronounced like "mud pie" without the M.

The write-up can be found here!

What does this mean?​

Since the USB Stack is running before anything on the PPC side of the Wii U is booted, this allows unbricking things like CBHC bricks without any soldering!

Supported devices:​

• Raspberry Pi Pico (W) / Pico 2 (W)
• Raspberry Pi Zero (W) / A / A+ / Zero 2 W / 4 / 5
• Steam Deck
• Espressif ESP32 S2 / S3
• Nintendo Switch capable of running udpih_nxpayload

Instructions​

Device Setup​

Follow the setup guide for the device you want to use below:

• Raspberry Pi Pico / Pico 2
• Raspberry Pi Zero (W) / A / A+ / Zero 2 W / 4 / 5
• Steam Deck
• Espressif ESP32 S2 / S3
• Nintendo Switch

Booting the recovery_menu​

Important notes for this to work:

• Make sure no other USB devices are attached to the console.
• Only use USB ports on the front of the console, the back ports will not work.
• If your console has standby mode enabled, pull the power plug and turn it on from a full coldboot state.

• Copy the latest release of the recovery_menu to the root of your FAT32 formatted SD Card.
• Insert the SD Card into the console and power it on.
• As soon as you see the "Wii U" logo on the TV or Gamepad plug in your prepared UDPIH device.
  This timing is important. If you're already in the menu, the exploit won't work.
  Depending on the device, you might have to plug it in sooner or later. This might take several attempts.
  If you get no video output or a distorted screen, your timing was most likely wrong.
• After a few seconds you should be in the recovery menu.

So what's this recovery menu? The recovery menu allows you to fix several bricks:

Wii U Recovery Menu​

A simple recovery menu running on the IOSU for unbricking.

Options​

Set Coldboot Title
Allows changing the current title the console boots to.
Useful for unbricking CBHC bricks.
Possible options are:

• Wii U Menu (JPN) - 00050010-10040000
• Wii U Menu (USA) - 00050010-10040100
• Wii U Menu (EUR) - 00050010-10040200

On non-retail systems the following additional options are available:

• System Config Tool - 00050010-1F700500
• DEVMENU (pre-2.09) - 00050010-1F7001FF
• Kiosk Menu - 00050010-1FA81000

Dump Syslogs
Copies all system logs to a logs folder on the root of the SD Card.

Dump OTP + SEEPROM
Dumps the OTP and SEEPROM to otp.bin and seeprom.bin on the root of the SD Card.

Start wupserver
Starts wupserver which allows connecting to the console from a PC using wupclient.

Load Network Configuration
Loads a network configuration from the SD, and temporarily applies it to use wupserver.
The configurations will be loaded from a network.cfg file on the root of your SD.
For using the ethernet adapter, the file should look like this:

type=eth

For using wifi:

type=wifi
ssid=ssidhere
key=wifikeyhere
key_type=WPA2_PSK_AES

Pair Gamepad
Displays the Gamepad Pin and allows pairing a Gamepad to the system. Also bypasses any region checks while pairing.
The numeric values represent the following symbols: ♠ = 0, ♥ = 1, ♦ = 2, ♣ = 3.
Note that rebooting the system might be required to use the newly paired gamepad.

Install WUP
Installs a valid signed WUP from the install folder on the root of your SD Card.
Don't place the WUP into any subfolders.

Edit Parental Controls
Displays the current Parental Controls pin configuration.
Allows disabling Parental Controls.

Debug System Region
Fixes bricks caused by setting productArea and/or gameRegion to an invalid value. Symptoms include being unable to launch System Settings or other in-region titles.

System Information
Displays info about several parts of the system.
Including serial number, manufacturing date, console type, regions, memory devices...

Load BOOT1 payload
Loads a payload from the root of the SD Card named boot1.img and executes it from within boot1.
If the file is named boot1now.img it gets loaded automatically when starting the recovery_menu after a 5 second timeout.

Credits​

• @Maschell for the network configuration types
• @dimok789 for mocha
• @hexkyz for hexFW
• @rw-r-r-0644 for the lolserial code

Special thanks to Maschell, rw-r-r-0644, QuarkTheAwesome, vgmoose, exjam, dimok789, and everyone else who contributed to the Wii U scene!

 

[DGP_Maluco]

orange LED is probably the ISFShax not finding your SD card

That is weird then, what should I do? this is how the SD Card looks like:

and it has two partitions now

 

[SDIO]

You need to put the fw.img back on. You formatted it for redNAND which deleted everything and created the other partitions.

 

[DGP_Maluco]

You need to put the fw.img back on. You formatted it for redNAND which deleted everything and created the other partitions.

Ok only with fw.img it was giving me a purple led and no image. I copied the boot1.img as well and now I'm back into minute.
Was that correct?
What should I do know? I a little confused to what I should be achiving now?

 

[SDIO]

no, the boot1.img isn't needed. It seems more like your SD isn't making good contact.

Create a minute folder with the rednand.ini in it and then boot the redNAND option in minute and see what happens

 

[DGP_Maluco]

no, the boot1.img isn't needed. It seems more like your SD isn't making good contact.

Create a minute folder with the rednand.ini in it and then boot the redNAND option in minute and see what happens

Not seeing a boot redNAND option

 

[SDIO]

it's the second one

 

[DGP_Maluco]

it's the second one

All the files that I’ve downloaded for the installation are now gone. Should I have added them again?

 

[SDIO]

you need to have the wafel_core.ipx and the wafel_isfshax_patch.ipx in the ios_plugins folder

 

[DGP_Maluco]

you need to have the wafel_core.ipx and the wafel_isfshax_patch.ipx in the ios_plugins folder

It booted, started restoring the Wii u, then rebooted into minute. Is that the expected behaviour?

 

[SDIO]

What do you mean by restoring?
Try booting again

 

[DGP_Maluco]

What do you mean by restoring?
Try booting again

Ok it’s asking to sync the gamepad and set the language. Should this mean it will work now?

 

[SDIO]

Ok that means there isn't anything interesting on it, because it was factory reset.

Then I would suggest you go into minute, delete scfm.img, erase the mlc and follow the instructions on how to rebuild the mlc with the wafel_install. Then you have a 100% clean system. Also get the SLC titles, since your firmware is a little bit outdated.

You might want to restore slccmpt. Maybe you are lucky and it has WiiWare on it (it was erased by the Factory reset you saw when you booted the redNAND.)

 

[DGP_Maluco]

Ok that means there isn't anything interesting on it, because it was factory reset.

Then I would suggest you go into minute, delete scfm.img, erase the mlc and follow the instructions on how to rebuild the mlc with the wafel_install. Then you have a 100% clean system. Also get the SLC titles, since your firmware is a little bit outdated.

You might want to restore slccmpt. Maybe you are lucky and it has WiiWare on it (it was erased by the Factory reset you saw when you booted the redNAND.)

Ok I will have to proceed tomorrow and I will get back to you on it. Thank you very much!

Post automatically merged: Jan 15, 2024

Ok that means there isn't anything interesting on it, because it was factory reset.

Then I would suggest you go into minute, delete scfm.img, erase the mlc and follow the instructions on how to rebuild the mlc with the wafel_install. Then you have a 100% clean system. Also get the SLC titles, since your firmware is a little bit outdated.

You might want to restore slccmpt. Maybe you are lucky and it has WiiWare on it (it was erased by the Factory reset you saw when you booted the redNAND.)

Hey there, so next step is to follow this correct?

https://gbatemp.net/threads/fixing-...-soldering-using-rednand-with-isfshax.642268/

EDIT 2:

Post automatically merged: Jan 15, 2024

After running trough the process and deleting wafel_setup_mlc.ipx the Wii u freezes in the mii avatar setup process

Post automatically merged: Jan 15, 2024

Ok redid most of the steps and now I'm the main menu! is there something I should consider doing? I'm not understanding the part where "Booting without sd" where do I find FTPiiU?

 

[SDIO]

https://gbatemp.net/threads/fixing-...-soldering-using-rednand-with-isfshax.642268/

No that sets up a redNAND. You don't need that, you just want to reinstall to the eMMC.
After deleting scfm.img and erasing the mlc, just follow the rebuilding steps here: https://gbatemp.net/threads/how-to-upgrading-rebuilding-wii-u-internal-memory-mlc.636309/ don't select any redNAND option while rebuilding.

You don't need to install the files to the slc for SD less boot, if you plan to remove ISFShax again after rebuilding. But before removing ISFShax, make really sure the sysnand is working.

 

[DGP_Maluco]

So I will keep it this way. Everything seems to be working. I was able to go trough the whole setup process and even got Tiramisu exploit working. Event found out how to install FTPiiU. I will still have to test a game but for now I'm quite happy with the result

 

[SDIO]

But now it is running from the SD card. Your internal memory is fine, you can just do the setup again, but this time to the internal memory

 

[DGP_Maluco]

But now it is running from the SD card. Your internal memory is fine, you can just do the setup again, but this time to the internal memory

You mean after deleting scfm.img and erasing the mlc I should reinstall the mlc and slc titles but instead of choosing sd rednand I should choose sd .. slc? That way it installs to slc and not the SD?

 

[SDIO]

Exactly it would install to your real SLC and real mlc

 

[DGP_Maluco]

Thanks I will try that!

 

[km_feih2rohv]

hello, I was bricked by the unofficial wii u menu korean language patch.
so I tried a wii u recovery menu, but I failed to unbrick it.
I tried to enter 'Load Network Configuration', Then It doesn't works.
It says just "FAILED TO OPEN NETWORK.CFG: fffcffe9"
So, I tried to dump syslogs, OTP + SEEPROM, dang.. It doesn't works either..
FAILED TO CREATE DIRECTORY : fffcffbe
FAILED TO CREATE OTP.BIN : fffcffbe
how can I solve this problem? I just use the wupserver to remove korean language patch, and insert japanese language..
is there anyone can help?