It's been a while without any major exploits in the Wii U scene, so I present to you:

USB Descriptor Parsing Is Hard (UDPIH)​

An exploit for the Wii U's USB Host Stack. Pronounced like "mud pie" without the M.

The write-up can be found here!

What does this mean?​

Since the USB Stack is running before anything on the PPC side of the Wii U is booted, this allows unbricking things like CBHC bricks without any soldering!

Requirements​

• A Wii U
• One of the devices listed below
  Note: Any other linux device capable of USB device emulation should work as well.
  Prebuilt releases are only available for the Pico and Zero.
  I will add more devices below which are confirmed to work.

Supported devices:​

• A Raspberry Pi Pico or Zero
• A Nintendo Switch capable of running udpih_nxpayload

Instructions​

Pico​

• Download the latest udpih.uf2 from the releases page.
• Hold down the BOOTSEL button on the board and connect the Pico to your PC.
  Your PC will detect the Pi as a storage device.
• Copy the .uf2 file to the Pico. It will disconnect after a few seconds.

The Pico is now flashed and can be used for udpih. Continue with "Booting the recovery_menu" below.

Raspberry Pi Zero (Linux)​

• Install the required dependencies:
  

  sudo apt install build-essential raspberrypi-kernel-headers

• Clone the repo:

• git clone https://github.com/GaryOderNichts/udpih.git
  cd udpih

• Download the latest arm_kernel.bin.h from the releases page and copy it to the arm_kernel directory.
• Now build the kernel module:

• cd linux
  make

• You can now run sudo insmod udpih.ko to insert the kernel module into the kernel.

The Zero is now ready to be used for udpih.
Note that you'll need to insert the module again after rebooting the Zero. You will need 2 USB cables, one for powering the Zero and one which can be connected to the Wii U.

Continue with "Booting the recovery_menu" below.

Booting the recovery_menu​

Important notes for this to work:

• Make sure no other USB Devices are attached to the console.
• Only use USB ports on the front of the console, the back ports will not work.
• If your console has standby mode enabled, pull the power plug and turn it on from a full coldboot state.

• Copy the latest release of the recovery_menu to the root of your FAT32 formatted SD Card.
• Insert the SD Card into the console and power it on.
• As soon as you see the "Wii U" logo on the TV or Gamepad plug in your Zero/Pico.
  This timing is important. If you're already in the menu, the exploit won't work..
• After a few seconds you should be in the recovery menu.

So what's this recovery menu? The recovery menu allows you to fix several bricks:

Wii U Recovery Menu​

A simple recovery menu running on the IOSU for unbricking.

Options​

Set Coldboot Title
Allows changing the current title the console boots to.
Useful for unbricking CBHC bricks.
Possible options are:

• Wii U Menu (JPN) - 00050010-10040000
• Wii U Menu (USA) - 00050010-10040100
• Wii U Menu (EUR) - 00050010-10040200

On non-retail systems the following additional options are available:

• System Config Tool - 00050010-1F700500
• DEVMENU (pre-2.09) - 00050010-1F7001FF
• Kiosk Menu - 00050010-1FA81000

Dump Syslogs
Copies all system logs to a logs folder on the root of the SD Card.

Dump OTP + SEEPROM
Dumps the OTP and SEEPROM to otp.bin and seeprom.bin on the root of the SD Card.

Start wupserver
Starts wupserver which allows connecting to the console from a PC using wupclient.

Load Network Configuration
Loads a network configuration from the SD, and temporarily applies it to use wupserver.
The configurations will be loaded from a network.cfg file on the root of your SD.
For using the ethernet adapter, the file should look like this:

type=eth

For using wifi:

type=wifi
ssid=ssidhere
key=wifikeyhere
key_type=WPA2_PSK_AES

Pair Gamepad
Displays the Gamepad Pin and allows pairing a Gamepad to the system. Also bypasses any region checks while pairing.
The numeric values represent the following symbols: ♠ = 0, ♥ = 1, ♦ = 2, ♣ = 3.
Note that rebooting the system might be required to use the newly paired gamepad.

Install WUP
Installs a valid signed WUP from the install folder on the root of your SD Card.
Don't place the WUP into any subfolders.

Edit Parental Controls
Displays the current Parental Controls pin configuration.
Allows disabling Parental Controls.

Debug System Region
Fixes bricks caused by setting productArea and/or gameRegion to an invalid value. Symptoms include being unable to launch System Settings or other in-region titles.

System Information
Displays info about several parts of the system.
Including serial number, manufacturing date, console type, regions, memory devices...

Credits​

• @Maschell for the network configuration types
• @dimok789 for mocha
• @hexkyz for hexFW
• @rw-r-r-0644 for the lolserial code

Special thanks to Maschell, rw-r-r-0644, QuarkTheAwesome, vgmoose, exjam, dimok789, and everyone else who contributed to the Wii U scene!

 

[SDIO]

Maybe there is a problem with the user settings app (because thats the one crashing), lets first try to reinstall that and see if that help.

You can download the package with JNUSTool:

java -jar JNUSTool.jar 0005001010049200 -dlEncrypted

For anyone else who has a similar looking problem, this is the title for a EU Wii U. A US or Japanese Wii U need a different title. Also you shouldn't just install this title without knowing the problem. This is very specific to this problem seen in the logs.

This should create a tmp_0005001010049200. Make sure there is no install folder on your SD card and then copy this folder to the SD and rename it to install.

Then run the install WUP option in the recovery menu.


--------------------
If that doesn't help, here are the instructions for aborting the factory reset.


Create the network configuration file on the SD card according to: https://github.com/GaryOderNichts/recovery_menu
On the Wii U you will then first load the network config and then start the wupserver. It should show the IP address of the Wii U.

Then you download the wupclient:

Spoiler

and change the ip address in the wupclient to the one shown in the Wii U.

Then you start the wupclient on the commandline with

python -i wupclient.py

. It should drop you to a shell.

>>>

There you can use the command

w.dl('/vol/system/proc/prefs/cafe.xml')

This downloads the file to your pc. Make a copy of that file and then edit it and change the inital launch value to 0.
When you are done editing you can upload it with

w.up('cafe.xml','/vol/system/proc/prefs/cafe.xml')

Then you shutdown and start again. It should now launch the inital setup

 

[Ysecond]

I see the crash in the logs, but I am not sure whats causing it. Did you have problems before or why are you doing a factory reset?

If no one else has a better Idea, I would suggest to use the wupclient to change inital_launch in /vol/system/proc/prefs/cafe.xml from 255 to 0, this will cancel the factory reset and launch the initial setup.

Can i change inital_launch from 0 to 255, to start factory reset?
the wiiu has so much more NNID, but we have no password. when we make a new id, it telling us "no more memory", so we want to reset the wiiu.

 

[Getuliooliveira]

@Getuliooliveira do you mean the internal memory, when you said SD? do you remember what you moved?

Sorry for the delay, I was travelling. No, when I speak I am referring to external memory, the sd card.

 

[SDIO]

Can i change inital_launch from 0 to 255, to start factory reset?
the wiiu has so much more NNID, but we have no password. when we make a new id, it telling us "no more memory", so we want to reset the wiiu.

Yes

Post automatically merged: Jun 14, 2023

Sorry for the delay, I was travelling. No, when I speak I am referring to external memory, the sd card.

That shouldn't brick anything. Maybe try reinstalling the system menu through the recovery. But take care to download the right version for firmware 5.5.1

 

[Getuliooliveira]

Yes

Post automatically merged: Jun 14, 2023

That shouldn't brick anything. Maybe try reinstalling the system menu through the recovery. But take care to download the right version for firmware 5.5.1

I reinstalled the menu and it gave a message that the menu was successfully installed, but it didn't solve the problem. How do I know which menu is correct for firmware 5.5.1? I thought I only needed to worry about the region. Thanks a lot for the help

Post automatically merged: Jun 16, 2023

@Nuser I suggest giving de_Fuse a try, it's easier to install and gives you more control on the console.

Post automatically merged: May 30, 2023

You might also want to try and make a MLC dump to see what's wrong, doesn't look like the situation is too bad. Can you still run the homebrew channel, via haxchi or the browser exploit?

Sorry, I didn't see that my answer was pending. The console turns on but I can't run anything on it, I even thought of doing that exploit of injecting the bomb via the web browser, but because of the console's settings it's not working, I can't configure a network to access the site.

 

[SDIO]

Try removing the SD card and USB devices before turning it on. If that doesn't help please post the latest logs, so we can see if something changed.
Best would be if you dump logs, save them to the PC, then trigger the freez, wait a bit, turn it off by holding power and then dump logs again. Then we could see if it even writes logs for that bug or if it just freezes without writing logs. Just to make sure we don't chase the wrong thing.

Post automatically merged: Jun 16, 2023

@Getuliooliveira I went through your logs again and discussed with @Lazr1026 we think your bluetooth module might be broken and that could stop the apps from wroking. It could be replaced without soldering. Or maybe you could try reseating it first, maybe it's just a bad connection

 

[Getuliooliveira]

Try removing the SD card and USB devices before turning it on. If that doesn't help please post the latest logs, so we can see if something changed.
Best would be if you dump logs, save them to the PC, then trigger the freez, wait a bit, turn it off by holding power and then dump logs again. Then we could see if it even writes logs for that bug or if it just freezes without writing logs. Just to make sure we don't chase the wrong thing.

Post automatically merged: Jun 16, 2023

@Getuliooliveira I went through your logs again and discussed with @Lazr1026 we think your bluetooth module might be broken and that could stop the apps from wroking. It could be replaced without soldering. Or maybe you could try reseating it first, maybe it's just a bad connection

Hmm...that might make sense, as I can't pair any Wiimote, the only thing that works is the gamepad. Anyway I generated the logs before and after the freeze. Do I dare to change the bluetooth module to see if this is really it?

 

[Lazr1026]

i have had a console that had the same symptoms as yours and the root cause was the bluetooth module.

 

[SDIO]

Do I dare to change the bluetooth module to see if this is really it?

Thats what I would suggest

 

[Augusta]

Maybe there is a problem with the user settings app (because thats the one crashing), lets first try to reinstall that and see if that help.

You can download the package with JNUSTool:

java -jar JNUSTool.jar 0005001010049200 -dlEncrypted

For anyone else who has a similar looking problem, this is the title for a EU Wii U. A US or Japanese Wii U need a different title. Also you shouldn't just install this title without knowing the problem. This is very specific to this problem seen in the logs.

This should create a tmp_0005001010049200. Make sure there is no install folder on your SD card and then copy this folder to the SD and rename it to install.

Then run the install WUP option in the recovery menu.


--------------------
If that doesn't help, here are the instructions for aborting the factory reset.


Create the network configuration file on the SD card according to: https://github.com/GaryOderNichts/recovery_menu
On the Wii U you will then first load the network config and then start the wupserver. It should show the IP address of the Wii U.

Then you download the wupclient:

Spoiler

and change the ip address in the wupclient to the one shown in the Wii U.

Then you start the wupclient on the commandline with

python -i wupclient.py

. It should drop you to a shell.

>>>

There you can use the command

w.dl('/vol/system/proc/prefs/cafe.xml')

This downloads the file to your pc. Make a copy of that file and then edit it and change the inital launch value to 0.
When you are done editing you can upload it with

w.up('cafe.xml','/vol/system/proc/prefs/cafe.xml')

Then you shutdown and start again. It should now launch the inital setup

This is incredible.
I won't have time to try this out for another week or so but looking forward to giving this a shot.

Thanks SDIO!

I won't ask for too much but just curious if you've put out a video by any chance going through this step by step?
I know there have been a few circulating already spoonfeeding which is wonderful, just curious?

Thanks for this!

 

[V10lator]

I won't ask for too much but just curious if you've put out a video by any chance going through this step by step?

That would mean to make a video for each case. If you re-read what SDIO wrote:

Also you shouldn't just install this title without knowing the problem. This is very specific to this problem seen in the logs.

See, what we tell the users to do isn't a universal fix but fine tuned to the problem this specific Wii U has, so a common guide won't work and as a result making video guides would be a nightmare.

 

[Augusta]

That would mean to make a video for each case. If you re-read what SDIO wrote:

See, what we tell the users to do isn't a universal fix but fine tuned to the problem this specific Wii U has, so a common guide won't work and as a result making video guides would be a nightmare.

Thanks for this @V10lator. Just wondering as well below:

SDIO:
For anyone else who has a similar looking problem, this is the title for a EU Wii U. A US or Japanese Wii U need a different title. Also you shouldn't just install this title without knowing the problem. This is very specific to this problem seen in the logs.

Where would one find the title for a US Wii U?

 

[V10lator]

Where would one find the title for a US Wii U?

http://wiiubrew.org/wiki/Title_database but do NOT install out of region system titles, this is a sure way to brick.

 

[Augusta]

http://wiiubrew.org/wiki/Title_database but do NOT install out of region system titles, this is a sure way to brick.

Huge.
Thank you both so much.
Will report back when I get around to this

 

[r4izuk0]

I tried to do this and noticed once I plug the USB, it always shuts the system down.Before this method, it would just freeze on the Wii U logo. It never went to any error messages? Any ideas?

 

[SDIO]

This means your SD isn't prepared right. Make sure it is fat32 and has the recovery_menu in the root

 

[Getuliooliveira]

Thats what I would suggest

I was researching how to change the bluetooth card, and then a doubt came to me: If the problem is in the bluetooth card on the motherboard, how is the Gamepad working? I'm thinking that the problem may not be the bluetooth card. Is there any way to analyze the logs I sent or debug to know exactly what the problem is? Thank you very much.

 

[GaryOderNichts]

I was researching how to change the bluetooth card, and then a doubt came to me: If the problem is in the bluetooth card on the motherboard, how is the Gamepad working? I'm thinking that the problem may not be the bluetooth card. Is there any way to analyze the logs I sent or debug to know exactly what the problem is? Thank you very much.

The gamepad does not use bluetooth. It's connected using a separate WiFi card.

 

[Getuliooliveira]

The gamepad does not use bluetooth. It's connected using a separate WiFi card.

Nice! I'll get the BT replaced and come back here to say if it worked! Thank you so much guys!

 

[scize]

Hi I have a Wii-U that is displaying error code 160-1710 and won't start. I've got udpih up and running and have been able to dump the slc and mlc. The log files mention a lot of errors but during the dumping process on screen it said there were 0 bad sectors. Any suggestions what I can do to recover it? Can I somehow load a fresh Wii-U 5.5.5E onto it?