M88youngling (talk | contribs) Initial page (don't want to lose my changes
M88youngling (talk | contribs) Added category 'software'
Latest revision as of 19:16, 29 May 2026
Patchwork is a security plugin independently developed by Zaprit and other community contributors. It was first designed to mitigate the risk of the force join exploit in LittleBigPlanet 1, 2 and 3. It is expected to eventually support PlayStation Vita as well as blocking malicious scripts from being loaded in the client.
History
Patchwork came from necessity following the discovery of several critical security vulnerabilities in the LittleBigPlanet client.
Discovery of LittleBigPlanet Client-side Exploits
On December 7, 2024, LBP Union published a security advisory detailing the risk of remote code execution (RCE) attacks when playing in LittleBigPlanet P2P lobbies. This resulted in LBP Union disabling Dive In features for Beacon to encourage players only to play with those that they trust.[1] However, LBP Union was concerned about the possibility of a malicious user forcibly joining another player's session as early as October 16, 2024, according to a discussion in a private Starguard Discord channel[2].
Later, on May 7, 2025, LBP Union received code from an undisclosed source that was purported to enable force joining another user by creating a forged LittleBigInvite link. Since the exploit was made possible by a vulnerability in the game client, nothing could be done on the server to mitigate the risk; no custom server software by itself could ever make online play safe. Both Minister of Technology Zaprit and Union Space Corps Director Fetetra determined that the code was credible, and advised that Beacon's services be terminated until a solution could be developed. This situation was explained in a security advisory published on May 10[3].
Seeking a Solution
The solutions proposed by LBP Union in this advisory were[3]:
- A game patch: the only lasting fix, but also the most challenging to achieve due to the closed source code of the game. A game patch would either mitigate force join, prevent malicious scripts from loading, or both.
- Custom RPCN network: would not fix the problem, but would allow LBP Union greater control over who could register an account. Would not help PS3 users.
- Additional client-side software: LBP Union proposed additional software that might be able to support LittleBigPlanet clients at runtime.
Zaprit pursued the final proposal independently, creating the Patchwork GitHub repository soon thereafter.
Developing Patchwork
On May 18, Zaprit merged the first nine commits to the repository. He was initially assisted by Jvyden, who made eight commits between May and June that year. Toastbrot236 would contribute commits in July[4]. By May 25, Zaprit reported to the LBP Union Protectors that he and Jackcaver had successfully deployed the Patchwork security plugin on all three main LittleBigPlanet games with the PS3's Homebrew Enabler (HEN). He proposed that UnionPatcher be discontinued in favor of Refresher as LBP Union's recommended patching software, as Refresher was much more user-friendly and implemented Patchwork when patching.[5]
Deploying Patchwork with Refresher
On May 26, maintainers of the Refresher patching software repository on GitHub merged a pull request that began the process of incorporating Patchwork into Refresher. However, this first change only affected PS3 users[6]. It wasn't until June 18 that Refresher would support patching RPCS3 with Patchwork[7]. LBP Union subsequently reopened Beacon on July 1, advising players to use Refresher to re-patch and install Patchwork[8].
Current Development
Patchwork is currently being developed to support PlayStation Vita as well as to block unrecognized scripts from being loaded by the game client. This effort is currently led by Zaprit and Fetetra. The last pull request to the Patchwork repository was merged on May 1, 2026[9].
Other Development
Attempts to Incorporate into LittleBigPatcher
Refresher was not the only patching software to attempt to incorporate Patchwork's objectives. LittleBigPatcher, developed by myegghead, attempts to provide the same client-side security methods that Patchwork does. The repository cites Patchwork for the concept of a join key:
Patchwork 1.0 Implementation of "join keys" is based of, as well as user agent convention[10]
LittleBigPatcher does not implement Patchwork, but it attempts to achieve the same results. Consequently, users of LittleBigPatcher will be behind on future Patchwork security updates. The implementation of these features is also not guaranteed to work in the same way. For these reasons, LBP Union only approves of using Refresher to patch clients to custom servers at this time, as other software may expose users to vulnerabilities.[11] myegghead has expressed willingness to port the official version of Patchwork to LittleBigPatcher. On July 17, 2025, they wrote[12]:
if anyone could help or know anyone who can let me know, i just need to port https://github.com/NotNite/SPRXPatcher to c then i can add Patchwork plugin support for LittleBigPatcher (which will be nice for futures)
However, the progress on this effort is unknown.
The Plugin
The repository describes Patchwork as follows:
Patchwork is an SPRX module that patches the LittleBigPlanet series of games to fix some of the many security vulnerabilities the games have.
As an SPRX module, Patchwork can run on a PlayStation 3 or RPCS3 without any additional hardware or software after the patching process is complete. Once patched, Patchwork will start as soon as the game is booted so long as the console has syscalls enabled.[citation needed]
Join Keys
The primary feature of Patchwork is the implementation of a 'join key' for the client, also known as a 'lobby password'. This password is selected when patching. After patching, only players with the same join key as you can connect to your P2P session in LittleBigPlanet. The join key can be changed at any time by re-patching with Refresher.
References

1. Security Advisory About LittleBigPlanet Online Play, LBP Union, December 7, 2024 (accessed May 29, 2026)
2. Spikel3t (October 16, 2024). Message posted in #starguard, on LBP Union Discord Server.
3. LittleBigPlanet Security Advisory: Force Join Exploit, LBP Union, May 10, 2025 (accessed May 29, 2026)
4. Patchwork Contributors Log, GitHub (accessed May 29, 2026)
5. Zaprit (May 25, 2025). Message posted in #protectors, on LBP Union Discord.
6. Refresher closed PR #84, GitHub, May 26, 2025 (accessed May 29, 2026)
7. Refresher closed PR #92, GitHub, June 18, 2025 (accessed May 29, 2026)
8. LBP Reconnected 2025 Contest: Beacon is Back!, LBP Union, July 1, 2025 (accessed May 29, 2026)
9. Patchwork closed PR #22 Toml Configurations, GitHub, May 1, 2026
10. README.md, LittleBigPatcher-for-Custom-Servers-PS3-Homebrew, GitHub (accessed May 29, 2026)
11. Beacon, LBP Union (accessed May 29, 2026)
12. myegghead (July 17, 2025). Message posted in #community-dev, on LBP Union Discord.