It's been a while without any major exploits in the Wii U scene, so I present to you:

USB Descriptor Parsing Is Hard (UDPIH)​

An exploit for the Wii U's USB Host Stack. Pronounced like "mud pie" without the M.

The write-up can be found here!

What does this mean?​

Since the USB Stack is running before anything on the PPC side of the Wii U is booted, this allows unbricking things like CBHC bricks without any soldering!

Supported devices:​

• Raspberry Pi Pico (W) / Pico 2 (W)
• Raspberry Pi Zero (W) / A / A+ / Zero 2 W / 4 / 5
• Steam Deck
• Espressif ESP32 S2 / S3
• Nintendo Switch capable of running udpih_nxpayload

Instructions​

Device Setup​

Follow the setup guide for the device you want to use below:

• Raspberry Pi Pico / Pico 2
• Raspberry Pi Zero (W) / A / A+ / Zero 2 W / 4 / 5
• Steam Deck
• Espressif ESP32 S2 / S3
• Nintendo Switch

Booting the recovery_menu​

Important notes for this to work:

• Make sure no other USB devices are attached to the console.
• Only use USB ports on the front of the console, the back ports will not work.
• If your console has standby mode enabled, pull the power plug and turn it on from a full coldboot state.

• Copy the latest release of the recovery_menu to the root of your FAT32 formatted SD Card.
• Insert the SD Card into the console and power it on.
• As soon as you see the "Wii U" logo on the TV or Gamepad plug in your prepared UDPIH device.
  This timing is important. If you're already in the menu, the exploit won't work.
  Depending on the device, you might have to plug it in sooner or later. This might take several attempts.
  If you get no video output or a distorted screen, your timing was most likely wrong.
• After a few seconds you should be in the recovery menu.

So what's this recovery menu? The recovery menu allows you to fix several bricks:

Wii U Recovery Menu​

A simple recovery menu running on the IOSU for unbricking.

Options​

Set Coldboot Title
Allows changing the current title the console boots to.
Useful for unbricking CBHC bricks.
Possible options are:

• Wii U Menu (JPN) - 00050010-10040000
• Wii U Menu (USA) - 00050010-10040100
• Wii U Menu (EUR) - 00050010-10040200

On non-retail systems the following additional options are available:

• System Config Tool - 00050010-1F700500
• DEVMENU (pre-2.09) - 00050010-1F7001FF
• Kiosk Menu - 00050010-1FA81000

Dump Syslogs
Copies all system logs to a logs folder on the root of the SD Card.

Dump OTP + SEEPROM
Dumps the OTP and SEEPROM to otp.bin and seeprom.bin on the root of the SD Card.

Start wupserver
Starts wupserver which allows connecting to the console from a PC using wupclient.

Load Network Configuration
Loads a network configuration from the SD, and temporarily applies it to use wupserver.
The configurations will be loaded from a network.cfg file on the root of your SD.
For using the ethernet adapter, the file should look like this:

type=eth

For using wifi:

type=wifi
ssid=ssidhere
key=wifikeyhere
key_type=WPA2_PSK_AES

Pair Gamepad
Displays the Gamepad Pin and allows pairing a Gamepad to the system. Also bypasses any region checks while pairing.
The numeric values represent the following symbols: ♠ = 0, ♥ = 1, ♦ = 2, ♣ = 3.
Note that rebooting the system might be required to use the newly paired gamepad.

Install WUP
Installs a valid signed WUP from the install folder on the root of your SD Card.
Don't place the WUP into any subfolders.

Edit Parental Controls
Displays the current Parental Controls pin configuration.
Allows disabling Parental Controls.

Debug System Region
Fixes bricks caused by setting productArea and/or gameRegion to an invalid value. Symptoms include being unable to launch System Settings or other in-region titles.

System Information
Displays info about several parts of the system.
Including serial number, manufacturing date, console type, regions, memory devices...

Load BOOT1 payload
Loads a payload from the root of the SD Card named boot1.img and executes it from within boot1.
If the file is named boot1now.img it gets loaded automatically when starting the recovery_menu after a 5 second timeout.

Credits​

• @Maschell for the network configuration types
• @dimok789 for mocha
• @hexkyz for hexFW
• @rw-r-r-0644 for the lolserial code

Special thanks to Maschell, rw-r-r-0644, QuarkTheAwesome, vgmoose, exjam, dimok789, and everyone else who contributed to the Wii U scene!

 

[raxadian]

Can i paybass the wiiu gamepad
Usa gamepad
Japan gamepad
On (03) eruop console????

Can use picofly fly chip same raspierry pico????

Is a pain to use a different "tablet" unless you have a Japanese Wii U because Nintendo only sold spare tablets in Japan.

Now if you are asking how to hack the Wii U...

https://wiiu.hacks.guide/#/

That guide may be outdated, be warned.

 

[Danook28]

Is a pain to use a different "tablet" unless you have a Japanese Wii U because Nintendo only sold spare tablets in Japan.

Now if you are asking how to hack the Wii U...

https://wiiu.hacks.guide/#/

That guide may be outdated, be warned.

The console update is 5.5.3 E need eruop gamepad cant go on satting but only controlled with wiiu controll the gamepad i have only one region Japan and one is usa region.. The console i have is, wup 101 (03)

 

[HaseoArmahem]

The console update is 5.5.3 E need eruop gamepad cant go on satting but only controlled with wiiu controll the gamepad i have only one region Japan and one is usa region.. The console i have is, wup 101 (03)

You can add ignore the region for this tablet on this console via original old manual - https://lazr1026.github.io/regionchange/#/?id=removing-the-gamepad-update-nag - you need Pico. After this step the message about region missmatch disapear and you can use tablet as always. No need cfw at all. But if you re-pair gamepad again - you need to somplete the steps again(download file, change value, upload file).
If you use CFW - there is plagin for ignore gamepad region.

 

[Danook28]

You can add ignore the region for this tablet on this console via original old manual - https://lazr1026.github.io/regionchange/#/?id=removing-the-gamepad-update-nag - you need Pico. After this step the message about region missmatch disapear and you can use tablet as always. No need cfw at all. But if you re-pair gamepad again - you need to somplete the steps again(download file, change value, upload file).
If you use CFW - there is plagin for ignore gamepad region.

Yes bro i use picofly chip that mod nintendo switch to inter my console recovery menu i use int type file that use for wiiu not display on tv and yes it is working now i use my usa gamepad on wiiu and mod wiiu aroma cfw 5.5.5E and backup full nand clean... I need plagin link

 

[HaseoArmahem]

Yes bro i use picofly chip that mod nintendo switch to inter my console recovery menu i use int type file that use for wiiu not display on tv and yes it is working now i use my usa gamepad on wiiu and mod wiiu aroma cfw 5.5.5E and backup full nand clean... I need plagin link

https://github.com/wiiu-env/drc_region_free_plugin
sorry for very long reply

 

[Danook28]

https://github.com/wiiu-env/drc_region_free_plugin
sorry for very long reply

Thanks bro...

 

[GaryOderNichts]

UDPIH Release 3
Changelog:

• Linux:
  • Fixes compatibility with linux v5.19 (info).
  • Fixes compatibility with DWC3.
  • Fixes compatibility with devices reporting the ep0 max packet size as 0.
• Pico:
  • No pico specific changes
• Common:
  • Changed custom request to 0x50 to avoid issues with DWC3.
• Improved documentation.

→ The Steam Deck is now supported!

 

[buckchow]

UDPIH Release 3
Changelog:

It's great to see this project still getting some love and attention. By any chance is adding compatibility for older system software being considered at all? Thanks!

 

[XpertXP1]

I have a WiiU here that doesnt output any video at all, and lucky me, the gamepad is not synced. I tried recovery_menu_drcpin where it supposed to put a log file with the information to sync the gamepad but there is no log file on the SD card when i plug it back into my PC......is this wiiu bricked??

 

[bialasik]

It's great to see this project still getting some love and attention. By any chance is adding compatibility for older system software being considered at all? Thanks!

Same question from my side.
Or any tips how can I help? The mechanism of exploit will be same but with other memory addresses accordingly to the older OS?
If so, is it somehow possible to use a nand dump with CEMU and find the memory addresses from there?

 

[SDIO]

I have a WiiU here that doesnt output any video at all, and lucky me, the gamepad is not synced. I tried recovery_menu_drcpin where it supposed to put a log file with the information to sync the gamepad but there is no log file on the SD card when i plug it back into my PC......is this wiiu bricked??

Don't look at the screen, look at the LED: does it turn pruple? You might need a few tries. If you get the LED to turn pruple it's probably best to install ISFShax and then work from there.

Same question from my side.
Or any tips how can I help? The mechanism of exploit will be same but with other memory addresses accordingly to the older OS?
If so, is it somehow possible to use a nand dump with CEMU and find the memory addresses from there?

To my knowledge CEMU doesn't emulate the ARM side. You would probably use the Wii U Firmware Emulator which is better suited for that task.

 

[XpertXP1]

Don't look at the screen, look at the LED: does it turn pruple? You might need a few tries. If you get the LED to turn pruple it's probably best to install ISFShax and then work from there.

The WiiU LED stays Blue the entire time. no change. it does the single flash at startup, then just stays blue. I hear the drive being accessed as well.

how long would it take for the LED to go from blue to purple?

I also get no video output from the HDMI port or the analog out as well.

Post automatically merged: Jul 25, 2024

This is

Post automatically merged: Jul 25, 2024

I have also gotten the script to complete successfully, where at the end it says finished with no errors, but i still get nothing on the tv screen, and no log files generated. The front LED never turns purple, only stays Blue.

 

[GaryOderNichts]

recovery_menu version 0.6
Changelog:

• Added a new "Load BOOT1 payload" option.
  • Loads a payload from the root of the SD Card named boot1.img and executes it from within boot1.
  • If the file is named boot1now.img it gets loaded automatically when starting the recovery_menu after a 5 second timeout.
  • This allows booting minute_minute.
• Improved the "Install WUP" option.
  • Installing a WUP now needs to be confirmed.
  • Progress is shown while installing.
• The recovery_menu now shows button and error feedback over the LED (Thanks @V10lator).
• Moved "Load Network Configuration" above "Start wupserver", to allow loading a network configuration and starting wupserver without navigating over the entire menu again.

 

[jason05]

Wii U 领域已经有一段时间没有出现任何重大进展了，因此我向你介绍：

USB 描述符解析很难（UDPIH）​

Wii U USB 主机堆栈漏洞。发音类似“mud pie”，但不带 M。

您可以在这里找到该文章！

这意味着什么？​

由于 USB 堆栈在 Wii U 的 PPC 端启动之前就已经运行，因此无需任何焊接即可解开 CBHC 砖之类的东西！
[媒体=youtube]BcQdSugrKxI[/媒体]
[媒体=youtube]GHusV2eDnGQ[/媒体]

支持的设备：​

• 树莓派 Pico
• Raspberry Pi Zero (W) / A / A+ / Zero 2 W / 4 / 5
• 蒸汽甲板
• Nintendo Switch 能够运行udpih_nxpayload

指示​

设备设置​

请遵循以下您要使用的设备的设置指南：

• 树莓派 Pico
• Raspberry Pi Zero (W) / A / A+ / Zero 2 W / 4 / 5
• 蒸汽甲板
• 任天堂 Switch

启动恢复菜单​

• 将最新版本的recovery_menu复制到 FAT32 格式的 SD 卡的根目录。
• 将 SD 卡插入控制台并打开电源。
• 当你在电视或游戏手柄上看到“Wii U”标志时，立即插入你准备好的 UDPIH 设备。
  这个时机很重要。如果你已经在菜单中，漏洞将不起作用。
  根据设备的不同，你可能迟早要插入它。这可能需要多次尝试。
  如果你没有视频输出或屏幕扭曲，那么你的时机很可能是错误的。
• 几秒钟后您将进入恢复菜单。

那么这个恢复菜单是什么？恢复菜单允许您修复几个问题：

Wii U 恢复菜单​

在 IOSU 上运行的用于解砖的简单恢复菜单。

选项​

设置冷启动标题
允许更改控制台启动到的当前标题。
有助于拆除 CBHC 砖。
可能的选择有：

• Wii U 菜单 (日本) - 00050010-10040000
• Wii U 菜单（美国）- 00050010-10040100
• Wii U 菜单（欧元）- 00050010-10040200

在非零售系统上，有以下附加选项可用：

• 系统配置工具 - 00050010-1F700500
• DEVMENU (2.09 之前) - 00050010-1F7001FF
• 自助服务终端菜单 - 00050010-1FA81000

转储系统日志
将所有系统日志复制到 SD 卡根目录的日志文件夹中。

转储 OTP + SEEPROM
将 OTP 和 SEEPROM 转储到 SD 卡根目录下的 otp.bin 和 seeprom.bin。

启动 wupserver
启动 wupserver，它允许使用wupclient从 PC 连接到控制台。

加载网络配置
从 SD 加载网络配置，并临时应用于使用 wupserver。
配置将从 SD 根目录上的 network.cfg 文件加载。
要使用以太网适配器，该文件应如下所示：
[代码]type=eth[/代码]

使用 wifi 时：

类型=wifi
ssid=ssid此处
密钥=wifikeyhere
密钥类型=WPA2_PSK_AES

配对游戏手柄
显示游戏手柄 PIN 码并允许将游戏手柄与系统配对。配对时还可绕过任何区域检查。
数值代表以下符号：♠ = 0，♥ = 1，♦ = 2，♣ = 3。
请注意，可能需要重新启动系统才能使用新配对的游戏手柄。

安装 WUP
从 SD 卡根目录的安装文件夹中安装有效签名的 WUP。
不要将 WUP 放入任何子文件夹中。

编辑家长控制
显示当前家长控制密码配置。
允许禁用家长控制。

调试系统区域
修复了将 productArea 和/或 gameRegion 设置为无效值导致的崩溃。症状包括无法启动系统设置或其他区域内游戏。

系统信息
显示有关系统几个部分的信息。
包括序列号、制造日期、控制台类型、区域、存储设备……

加载 BOOT1 有效载荷
从 SD 卡的根目录加载名为 boot1.img 的有效负载并从 boot1 内部执行它。
如果文件名为 boot1now.img，则会在 5 秒超时后启动 recovery_menu 时自动加载。

致谢​

• @Maschell表示网络配置类型
• @dimok789为摩卡
• @hexkyz为hexFW
• @rw-rr-0644为 lolserial 代码

特别感谢 Maschell、rw-rr-0644、QuarkTheAwesome、vgmoose、exjam、dimok789 以及所有为 Wii U 场景做出贡献的人！

UDPIH doesn't work on verision 2.1.0J ?​

 

[SDIO]

UDPIH needs a 5.5.x IOSU

 

[jason05]

UDPIH needs a 5.5.x IOSU

so when my console is verision 2.1.0J ,what should i do ? i have tried the method of mkey generator ,it dosn't work too .(the key generated is wrong)

Post automatically merged: Sep 4, 2024

UDPIH needs a 5.5.x IOSU

I forgot to mention I'm trying to disable parental controls

 

[GaryOderNichts]

so when my console is verision 2.1.0J ,what should i do ? i have tried the method of mkey generator ,it dosn't work too .(the key generated is wrong)

Hmm interesting I wonder if early versions use a different key. Can you post the data you entered into the site here?

Edit: Nevermind the old algorithm should be supported.

Edit 2: The old v0 algorithm is supported, but has the wrong values for Wii U. I'll fix this in a bit. In the meanwhile can you join this discord server so we can figure out the correct keys for your console?

 

[jason05]

Hmm interesting I wonder if early versions use a different key. Can you post the data you entered into the site here?

Edit: Nevermind the old algorithm should be supported.

Edit 2: The old v0 algorithm is supported, but has the wrong values for Wii U. I'll fix this in a bit. In the meanwhile can you join this discord server so we can figure out the correct keys for your console?

the Inquiry number is 96815872, and i can set any time if needed such as 2024-09-5 . I have joined the discord server but not allow to sent message(kiidami is me)

 

[GaryOderNichts]

the Inquiry number is 96815872, and i can set any time if needed such as 2024-09-5 . I have joined the discord server but not allow to sent message(kiidami is me)

Turns out there was an issue with how the mkey was calculated for older Wii U versions. I've submitted a PR to https://mkey.nintendohomebrew.com/ (the other site seems to be no longer maintained) to fix this.
For you the correct master key should be 18145.

 

[jason05]

Turns out there was an issue with how the mkey was calculated for older Wii U versions. I've submitted a PR to https://mkey.nintendohomebrew.com/ (the other site seems to be no longer maintained) to fix this.
For you the correct master key should be 18145.

Great job. You were amazing. Thank you so much. I've successfully disabled the parental controls