The IOSU kernel and the Cafe-Kernel exploits are still working, only the browser entrypoint got patched.
There is another userland entrypoint: haxchi, but it needs the ability to modify the "content" directory, inside an exploitable DS game installation directory, on the mass storage (MLC) NAND chip OR on the USB external hard disk. On 5.5.1 browserhax+kernel exploits made this job very easy, but now...
Theoretically, you can access the MLC/USB drive physically, decrypt it, change the content of the "content" directory (sorry for the joke
, encrypt the drive and use the hacked DS tile as an entrypoint equivalent to browserhax (and offline).
But guess what? The drives are encrypted with the keys inside the OTP and the SEEPROM memory! Dx And even if some of the keys are the same for every console, the one that we needs are generate different for every console...
I'm not sure, but maybe there is a way to recover your usb key, knowing how is generated...I've read some positive hints Online
More on Haxchi:
https://github.com/smealum/haxchi
https://github.com/FIX94/haxchi
More on the crypto:
http://wiiubrew.org/wiki/Hardware/SEEPROM
Discussion with useful links:
https://gbatemp.net/threads/dev-wii-u-file-system.454637/
https://github.com/yellows8/wiiu_wfsmount