UDPIH: USB Host Stack exploit + Recovery Menu

It's been a while without any major exploits in the Wii U scene, so I present to you:

USB Descriptor Parsing Is Hard (UDPIH)

An exploit for the Wii U's USB Host Stack. Pronounced like "mud pie" without the M.

The write-up can be found here!

What does this mean?

Since the USB Stack is running before anything on the PPC side of the Wii U is booted, this allows unbricking things like CBHC bricks without any soldering!


Supported devices:

  • Raspberry Pi Pico (W) / Pico 2 (W)
  • Raspberry Pi Zero (W) / A / A+ / Zero 2 W / 4 / 5
  • Steam Deck
  • Espressif ESP32 S2 / S3
  • Nintendo Switch capable of running udpih_nxpayload

Instructions

Device Setup

Follow the setup guide for the device you want to use below:

Booting the recovery_menu

Important notes for this to work:
  • Make sure no other USB devices are attached to the console.
  • Only use USB ports on the front of the console, the back ports will not work.
  • If your console has standby mode enabled, pull the power plug and turn it on from a full coldboot state.
  • Copy the latest release of the recovery_menu to the root of your FAT32 formatted SD Card.
  • Insert the SD Card into the console and power it on.
  • As soon as you see the "Wii U" logo on the TV or Gamepad plug in your prepared UDPIH device.
    This timing is important. If you're already in the menu, the exploit won't work.
    Depending on the device, you might have to plug it in sooner or later. This might take several attempts.
    If you get no video output or a distorted screen, your timing was most likely wrong.
  • After a few seconds you should be in the recovery menu.
So what's this recovery menu? The recovery menu allows you to fix several bricks:

Wii U Recovery Menu

A simple recovery menu running on the IOSU for unbricking.

Options

Set Coldboot Title
Allows changing the current title the console boots to.
Useful for unbricking CBHC bricks.
Possible options are:
  • Wii U Menu (JPN) - 00050010-10040000
  • Wii U Menu (USA) - 00050010-10040100
  • Wii U Menu (EUR) - 00050010-10040200
On non-retail systems the following additional options are available:
  • System Config Tool - 00050010-1F700500
  • DEVMENU (pre-2.09) - 00050010-1F7001FF
  • Kiosk Menu - 00050010-1FA81000

Dump Syslogs
Copies all system logs to a logs folder on the root of the SD Card.

Dump OTP + SEEPROM
Dumps the OTP and SEEPROM to otp.bin and seeprom.bin on the root of the SD Card.

Start wupserver
Starts wupserver which allows connecting to the console from a PC using wupclient.

Load Network Configuration
Loads a network configuration from the SD, and temporarily applies it to use wupserver.
The configurations will be loaded from a network.cfg file on the root of your SD.
For using the ethernet adapter, the file should look like this:
Code:
type=eth

For using wifi:
Code:
type=wifi
ssid=ssidhere
key=wifikeyhere
key_type=WPA2_PSK_AES

Pair Gamepad
Displays the Gamepad Pin and allows pairing a Gamepad to the system. Also bypasses any region checks while pairing.
The numeric values represent the following symbols: ♠ = 0, ♥ = 1, ♦ = 2, ♣ = 3.
Note that rebooting the system might be required to use the newly paired gamepad.

Install WUP
Installs a valid signed WUP from the install folder on the root of your SD Card.
Don't place the WUP into any subfolders.

Edit Parental Controls
Displays the current Parental Controls pin configuration.
Allows disabling Parental Controls.

Debug System Region
Fixes bricks caused by setting productArea and/or gameRegion to an invalid value. Symptoms include being unable to launch System Settings or other in-region titles.

System Information
Displays info about several parts of the system.
Including serial number, manufacturing date, console type, regions, memory devices...

Load BOOT1 payload
Loads a payload from the root of the SD Card named boot1.img and executes it from within boot1.
If the file is named boot1now.img it gets loaded automatically when starting the recovery_menu after a 5 second timeout.

Credits

Special thanks to Maschell, rw-r-r-0644, QuarkTheAwesome, vgmoose, exjam, dimok789, and everyone else who contributed to the Wii U scene!
 
Last edited by GaryOderNichts,
Try a different SD. Make sure there is no dirt in the SD Card slot.
Thanks, trying a new SD card got me to at least the purple light, but seems to be having the same problem as a few others with no actual video. Tried renaming the DC_INIT file to no success. Trying to navigate blindly but no luck so far. Is there a video on the procedure and all the menus so I can try matching them up? I tried with the screenshots but seem to be missing a step.
 
Hey all. I tried searching through this thread before asking this question and found nothing. But I apologize in advance if it has already been discussed and I missed it.

My issue is, I ran the recovery menu and picked the USA menu and it worked. (awesome to those who made these tools BTW). But the issue I am having is I am presented with the Wii U System Settings screen and I have no way of syncing the gamepad to continue. It blindly let me sync a pro controller, but I can't use that to progress.

I also tried to get back into the recovery menu to try again but it just locks up and the power light turns solid purple.

I am not sure if there is something else wrong with this Wii U that is causing this issue (I'm not the owner and it was reset not knowing what mods were performed on it in the past)

So any tips that could help (or if I am missing something really stupid) let me know, thanks!
 
Last edited by flynnz,
is it showing on the gamepad? if not try using component/composite cables? swapping them around seemed to work for me and for whatever reason it just works through HDMI every time now.

what is the problem with your wii u? i could possibly give you blind steps to fix your problem
 
Last edited by uklee28,
Update....to myself :).
Just in case someone else runs into something similar, I was able to get back into the reset menu by plugging in the Pico way before the Wii U logo. Once in, I used the connect controller option and was able to get that synced and working. From there, I was able to go back into the official menu and have full control again.
 
does the led still turn purple? how soon after starting the wiiu did you plug it in?

i have run into a similar problem that you had and just can't get anything to show up
 
it's very finicky as to when you plug the device in. I think it's right when it says Nintendo on the gamepad, but before it says WiiU on the tv.
 
i don't have the gamepad synced to this unit so i only get the display on my tv. i don't even see the early screen that just says 'nintendo', tv comes on and it is already on the 'wiiu' screen so i am plugging the pico in blind
 
Thanks for your work on the utility GaryOderNichts.

I was able to at least get the menu up on my wii U that wouldn't boot. I checked the startup title and it was fine so I dumped the logs. I am not entirely sure what I am looking for in the logs but the only error I could find was this

00:00:07:073: MCP: Titles scanned (dev_state 0004) on device /dev/mlc01 (wfs) @ uptime 7.073 s.
00:00:07:087: FCA: ### DATA CORRUPTION ERROR ###, dev:mlc01, err:-1245211, cmd:11, path:(null)
00:00:07:098: FSA: ### DATA CORRUPTION ERROR ###, dev:mlc01, err:-1245211, cmd:11, path:(null)
00:00:07:109: FSA: ### DATA CORRUPTION ERROR ###, dev:mlc01, err:-1245211, cmd:11, path:(null)
00:00:07:154: FSA: ### DATA CORRUPTION ERROR ###, dev:mlc01, err:-1245211, cmd:25, path:/usr/title/0005000e/10144d00/code/app.xml
00:00:07:156: MCP: Titles scanned (dev_state 000c) on device /dev/mlc01 (wfs) @ uptime 7.156 s.

It looks like a corrupt file for Wii Sports Club, I don't know if that would stop the system from booting but couldn't find anything else. Just to try I downloaded the WUP for the game and tried to install it from the recovery menu but got an error when installing.

I attached my logs and I am wondering if anyone could take a look at them and see if there is something I missed.

Thanks.
 


@instanoodless Every single .log file you uploaded is a crash log containing error messages. Anyway, the latest 3 logs look like you tried to install something from the disc drive but that failed cause the disc itself is corrupted... The weird thing is that this failed install happens after just 16 seconds of uptime and there should be no way to install directly from a disc.

Do you have any disc inside of the drive? If so try to eject it. Else wait for someone who's better at reading these logs.

//EDIT: Also this Wii U crashing just 18 times in its whole lifetime is almost unbelievable.

//EDIT²: Checked the timestamps on the logs and the last one is from 2012... Did you really upload your whole log folder?
 
Last edited by V10lator,
No disc is in the drive and at least personally there has been no way to install anything from the disc. I got my hands on this machine because it bricked itself when the previous owner tried to factory reset it and right now it just sits at the Wii U splash screen. I did try to install the Wii Sports Club twice from the recovery menu and it was on the SD card. My guess on the log dates is the clock was reset when I removed the battery, log #10 has a 2021 date on it.

I'm going to go back and look closer at the logs if every one is a crash log, try to figure out what they mean.

Thanks.
 
@instanoodless A clock reset makes sense, thanks for the information.
Anyway, the issue in the latest log seems to be:
Code:
00:00:58:267: FSA: ### DATA CORRUPTION ERROR ###, dev:mlc01, err:-1245211, cmd:10, path:/usr/title/00050000/10144d00/content/System/Font/debug_font.gsh
Still no direct line of NAND corruption, I'm really unsure what's going on here. So let's wait for others to chime in. :)

//EDIT: @Maschell and @GaryOderNichts just another shoot into the blue but could it be that the Wii U tries to find a special disc, some kind of recovery disc, to fix the failed firmware update? So the ODM errors we see are just cause it can't find that special recovery disc?
 
Iirc, the 00050000 folder won't cause a brick. It's 00050010 and 00050030 that may, so if you have aroma or cbhc you have a safety net.
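
A way to triage dumped syslogs like the ones quoted in the posts above, as an added example that is not part of any post in this thread or of the recovery_menu project. The function names are hypothetical, the last sample line is constructed, and flagging 00050010/00050030 as brick-relevant follows the recollection in the reply above rather than a verified rule.

```python
import re
from collections import defaultdict

# Constructed sample: first four lines follow logs quoted in this thread, the last is invented.
SAMPLE = """\
00:00:07:073: MCP: Titles scanned (dev_state 0004) on device /dev/mlc01 (wfs) @ uptime 7.073 s.
00:00:07:087: FCA: ### DATA CORRUPTION ERROR ###, dev:mlc01, err:-1245211, cmd:11, path:(null)
00:00:07:154: FSA: ### DATA CORRUPTION ERROR ###, dev:mlc01, err:-1245211, cmd:25, path:/usr/title/0005000e/10144d00/code/app.xml
00:00:58:267: FSA: ### DATA CORRUPTION ERROR ###, dev:mlc01, err:-1245211, cmd:10, path:/usr/title/00050000/10144d00/content/System/Font/debug_font.gsh
00:01:02:010: FSA: ### DATA CORRUPTION ERROR ###, dev:mlc01, err:-1245211, cmd:10, path:/sys/title/00050010/10040100/code/app.xml
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}:\d{3}): (?P<src>\w+): ### DATA CORRUPTION ERROR ###, "
    r"dev:(?P<dev>\w+), err:(?P<err>-?\d+), cmd:(?P<cmd>\d+), path:(?P<path>.*)$"
)
TITLE_RE = re.compile(r"/title/(?P<hi>[0-9a-fA-F]{8})/(?P<lo>[0-9a-fA-F]{8})/")
# Assumption taken from a reply in this thread ("Iirc"): these title types may brick.
BRICK_RISK_HI = {"00050010", "00050030"}

def parse_corruption(text):
    """Return one dict per DATA CORRUPTION ERROR line; all other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["err"], ev["cmd"] = int(ev["err"]), int(ev["cmd"])
        t = TITLE_RE.search(ev["path"])  # path:(null) carries no title ID
        ev["title"] = f"{t['hi']}-{t['lo']}".lower() if t else None
        events.append(ev)
    return events

def summarize(events):
    """Group affected paths by title ID and flag the title types named above."""
    by_title = defaultdict(set)
    for ev in events:
        by_title[ev["title"]].add(ev["path"])
    return {
        title: {"paths": sorted(paths),
                "brick_risk": bool(title) and title[:8] in BRICK_RISK_HI}
        for title, paths in by_title.items()
    }

if __name__ == "__main__":
    for title, info in summarize(parse_corruption(SAMPLE)).items():
        flag = "SYSTEM" if info["brick_risk"] else "-"
        print(f"{title or 'no title path'}: {flag} {info['paths']}")
```
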
 
To initially get into the recovery menu, I had to plug it in right when I saw the Wii U logo. But to get back in after I reset it I had to plug in the PICO way BEFORE the Wii U logo displayed. Odd, but it worked.
 
Last edited by flynnz,
Please does anyone know why I can't install the menu in wup? I put wup in install in no subfolder and of course it still gives this error.
 

hi guys i was wondering how can you put files with wup client i want to put the font on the wiiu back into their place
path: /storage_mlc/sys/title/0005001b/10042400/content/
files: just search wiiu font
thanks and have a good day! (eur console)
 
Last edited by hauntedmound,
I can get to a purple light but the screen hangs on the wii u logo. I tried doing the second file but the screen instead hangs on a garbled image. My gamepad is not connected, and since I can't see the menu, I can't pair it.

I was able to dump the logs though. Is this fixable or is it dunzo?
 


Last edited by likethehat,
Got it to work after attempting for a few hours. I used the switch as the loader. I also used a formatted 4gb SD card to fat 32. I also misread that you have to fully power off the wii U. I tried a few times and, timing is key! I didn't have a gamepad set up with the switch. Going in blind was difficult. I waited for the disc drive to make 2 noises and then injected the payload and it worked! Don't wait for the wii U logo to show up, by then it's too late.
 
Hello,
I am having some issues with a Wiiu I have recently purchased. It was bricked, and stuck on wii U logo. I don't know if someone tried to hack it.
I was able to enter the recovery menu using udpih, but unfortunately I have no display. I do have the purple light and was able to dump the syslogs and the OTP.bin file by navigating blindly. I have tried to set the coldboot title, but the wii is still stuck on wii logo. I have also tried the recovery menu_dc_init with no success. The wii is trying to display something but the display is messed up.
Here are my logs. can anyone tell me what's wrong? Any help would be appreciated.
 
