https://consumerrights.wiki/api.php?action=feedcontributions&feedformat=atom&user=VaurConsumer Rights Wiki - User contributions [en]2026-04-30T15:45:36ZUser contributionsMediaWiki 1.44.0https://consumerrights.wiki/index.php?title=Reverse_engineering_Bambu_Connect&diff=2897Reverse engineering Bambu Connect2025-01-19T18:50:36Z<p>Vaur: fixed misspell in word principles</p>
<hr />
<div>Bambu Connect is an Electron App with Security through Obscurity principles, hence it is inherently insecure.<noinclude><br />
<br />
To read the main.js for further analysis or extracting the private key stored by Bambu in the app:<br />
<br />
# Use the MacOs .dmg file, not the exe. Finding the needed decryption code is easier in the .dmg<br />
# Extract ''bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg''<ref>https://public-cdn.bblmw.com/upgrade/bambu-connect/bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg</ref>, in there you can find the files of the underlying Electron app in ''Bambu Connect (Beta).app/Contents/Resources'' folder<br />
# The app uses asarmor to prevent easy reading, the key is stored in ./app.asar.unpacked/.vite/build/main.node and can be extracted. Unpacking app.asar without fixing it first will result in an encrypted main.js file and 100 GB of decoy files generated, don't try it.<br />
# Load main.node in Ghidra and Auto-Analyze it. Then search for the GetKey function, or press G and go to 0000b67e<ref>https://www.reddit.com/r/OrcaSlicer/comments/1i2t6l8/comment/m7tuf2i/</ref><br />
# Write down the hex key, for this build it's B0AE6995063C191D2B404637FBC193AE10DAB86A6BC1B1DE67B5AEE6E03018A2<br />
# Install the npm package asarfix and use it to fix the archive: <code>npx asarfix app.asar -k B0AE6995063C191D2B404637FBC193AE10DAB86A6BC1B1DE67B5AEE6E03018A2 -o fixed.asar</code><br />
# Now you can extract it in cleartext with <code>npx asar extract fixed.asar src</code><br />
# ./src/.vite/build/main.js is minified, use any JavaScript beautifier to make it better readable. Interesting user code including the private key is at the end of the file.<br />
<br />
=== Extracting certs and private key ===<br />
The private key and certs are further obfuscated, to get cleartext you need to do: Encrypted string from cy() -> ure(string, key) -> RC4 decryption -> decodeURIComponent() -> final string.<br />
<br />
Example Python reimplementation to extract the secrets, easy to run. Copy the content of t from function cy() in main.js and paste it here. After running, you have a private key from Bambu Lab.<br />
<br />
<pre><br />
import urllib.parse<br />
<br />
def cy():<br />
t = [<br />
# copy from main.js<br />
]<br />
return t<br />
<br />
def ure(t, e):<br />
# RC4 implementation<br />
r = list(range(256))<br />
n = 0<br />
s = ""<br />
<br />
# Key-scheduling algorithm (KSA)<br />
for o in range(256):<br />
n = (n + r[o] + ord(e[o % len(e)])) % 256<br />
r[o], r[n] = r[n], r[o]<br />
<br />
# Pseudo-random generation algorithm (PRGA)<br />
o = n = 0<br />
for byte in t:<br />
o = (o + 1) % 256<br />
n = (n + r[o]) % 256<br />
r[o], r[n] = r[n], r[o]<br />
k = r[(r[o] + r[n]) % 256]<br />
s += chr(byte ^ k)<br />
<br />
return s<br />
<br />
def lt(t, e):<br />
r = cy()<br />
n = t - 106<br />
s = r[n]<br />
s = ure(s, e)<br />
return urllib.parse.unquote(s)<br />
<br />
def extract_certs_and_key():<br />
try:<br />
result = {}<br />
result["Are"] = lt(106, "1o9B")<br />
result["fre"] = lt(107, "FT2A")<br />
result["private_key"] = lt(108, "Tlj0")<br />
result["cert"] = lt(109, "NPub")<br />
result["crl"] = lt(110, "x077")<br />
except Exception as e:<br />
print(f"Error extracting certs/key: {e}")<br />
<br />
for key, value in result.items():<br />
print(f"{key}:\n{value}\n")<br />
<br />
if __name__ == "__main__":<br />
extract_certs_and_key()<br />
</pre><br />
</noinclude></div>Vaur