Reverse engineering Bambu Connect

2025-01-29T01:12:05Z

Fooooo: no longer obfuscated

<noinclude><div style="padding-left:1.6rem;margin-bottom:0.5rem;">''This is part of the [[Bambu Lab Authorization Control System]] article.''</div></noinclude>
Bambu Connect is an [[Help:Electron|Electron]] App with [[security through obscurity]], which makes it inherently insecure.<noinclude>
{{GuideNotice}}
The purpose of this guide is to demonstrate the trivial process of extracting the ''"private keys"'' used for communicating with Bambu devices to examine, and challenge, the technical basis for Bambu Lab's security justification of Bambu Connect.

'''Update (January 29, 2024)''': Bambu Connect 1.1.3 is no longer obfuscated, you can skip all steps related to asarmor, asarfix, Ghidra and string deobfuscation.

To read the main.js for further analysis or extracting the private key stored by Bambu in the app:

#Use the MacOS .dmg file, not the exe. Finding the needed decryption code is easier in the .dmg
#Extract ''bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg''<ref>https://public-cdn.bblmw.com/upgrade/bambu-connect/bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg</ref>, in there you can find the files of the underlying Electron app in <code>Bambu Connect (Beta).app/Contents/Resources</code> folder.
#The app uses asarmor to prevent easy reading, the key is stored in the mach-o binary located here: <code>/Bambu Connect (Beta).app/Contents/Resources/app.asar.unpacked/.vite/build/main.node</code> and can be extracted. Unpacking app.asar without fixing it first will result in an encrypted main.js file and 100 GB of decoy files generated, don't try it.
#Load main.node in Ghidra and Auto-Analyze it. Then search for the GetKey function, or press G and go to <code>0000b67e</code><ref>https://www.reddit.com/r/OrcaSlicer/comments/1i2t6l8/comment/m7tuf2i/</ref>
#Write down the hex key. You will need to follow the previous steps to get the current key if the provided one does not work. As of 19 January 2025, they are:
##macOS: <code>B0AE6995063C191D2B404637FBC193AE10DAB86A6BC1B1DE67B5AEE6E03018A2</code>
##Windows: <code>D8BCE831F1284E1993D98EE807101F10F27AFF4E30BD4B420E057D02B8E9BD1B</code>
#Install the npm package <code>asarfix</code> and use it to fix the archive: <code>npx asarfix app.asar -k <KEY> -o fixed.asar</code>
#Now you can extract it in cleartext with <code>npx asar extract fixed.asar src</code>
#<code>./src/.vite/build/main.js</code> is minified, use any JavaScript beautifier (for example <code>prettier</code>) to make it better readable. Interesting user code including the private key is at the end of the file.

===Extracting certs and private key===
The private key and certs are further obfuscated, to get cleartext you need to do: Encrypted string from cy() -> ure(string, key) -> RC4 decryption -> decodeURIComponent() -> final string.

Example Python reimplementation to extract the secrets, easy to run. Copy the content of t from function cy() in main.js and paste it here. After running, you have a private key from Bambu Lab.

<pre>
import urllib.parse

def cy():
t = [
# copy from main.js
]
return t

def ure(t, e):
# RC4 implementation
r = list(range(256))
n = 0
s = ""

# Key-scheduling algorithm (KSA)
for o in range(256):
n = (n + r[o] + ord(e[o % len(e)])) % 256
r[o], r[n] = r[n], r[o]

# Pseudo-random generation algorithm (PRGA)
o = n = 0
for byte in t:
o = (o + 1) % 256
n = (n + r[o]) % 256
r[o], r[n] = r[n], r[o]
k = r[(r[o] + r[n]) % 256]
s += chr(byte ^ k)

return s

def lt(t, e):
r = cy()
n = t - 106
s = r[n]
s = ure(s, e)
return urllib.parse.unquote(s)

def extract_certs_and_key():
try:
result = {}
result["Are"] = lt(106, "1o9B")
result["fre"] = lt(107, "FT2A")
result["private_key"] = lt(108, "Tlj0")
result["cert"] = lt(109, "NPub")
result["crl"] = lt(110, "x077")
except Exception as e:
print(f"Error extracting certs/key: {e}")

for key, value in result.items():
print(f"{key}:\n{value}\n")

if __name__ == "__main__":
extract_certs_and_key()
</pre>

===Purpose of the private key===
The private key is used to digitally sign critical operations, such as print jobs and G-code commands. The printer can validate whether received MQTT commands are signed by Bambu Connect using the app's public key, rejecting any unsigned or improperly signed commands.

Bambu Lab's authorization control system that is meant to increase security is entirely built on the assumption that attackers do not have access to the private key and thus cannot create valid signatures.

However, since the private key has already been leaked, third-party software can now send print jobs and G-code commands again, while risks or dangerous situations<ref>https://blog.bambulab.com/firmware-update-introducing-new-authorization-control-system-2/</ref> are still not addressed by Bambu Lab.

===Purpose of the certificates===
The private key corresponds to the public key contained in the app's certificate. This certificate is sent to the printer, allowing it to verify the authenticity of the digital signature using the public key.

Bambu Connect continues to work after these certificates expire. Due to how they are used, it is also unlikely that it causes the printer to get "bricked", but this needs to be proven through experiments or firmware analysis.

===Additional security measures===
Bambu Connect also encrypts G-code commands and file paths of print operations using the printer's public key. This ensures that only the intended printer can decrypt the data, rather than all authenticated MQTT clients and the cloud, adding another layer of security.

However, the potential security benefits are diminished because both the encrypted and plain text strings are sent at the same time, likely due to negligence or the need for backwards compatibility.

Note that network traffic is encrypted via TLS regardless of this, ensuring that no middleman can decrypt it.

==References==
{{reflist}}

[[Category:Bambu Lab]]
</noinclude>

Consumer Rights Wiki - User contributions [en]

Reverse engineering Bambu Connect