Reverse engineering Bambu Connect: Difference between revisions

(2 intermediate revisions by 2 users not shown)

Line 2:

Bambu Connect is an [[Electron]] app with [[security through obscurity]], which makes it inherently insecure. The purpose of this guide is to demonstrate the trivial process of extracting the "private keys" used for communicating with [[Bambu Lab|Bambu]] devices to examine, and challenge, the technical basis for Bambu Lab's security justification of Bambu Connect.

Bambu Connect is an [[wikipedia:Electron_(software_framework)|Electron]] app with [[security through obscurity]], which makes it inherently insecure. The purpose of this guide is to demonstrate the trivial process of extracting the "private keys" used for communicating with [[Bambu Lab|Bambu]] devices to examine, and challenge, the technical basis for Bambu Lab's security justification of Bambu Connect.

'''Update (March 11, 2025)''': Bambu Connect v1.2.1-beta.5<ref>https://public-cdn.bblmw.com/upgrade/bambu-connect/updates/versions/1.2.1-beta.5/bambu-connect-v1.2.1-beta.5-win32-x64.exe - public-cdn.bblmw.com - accessed 2025-03-18 ([http://web.archive.org/web/20250708192738/https://public-cdn.bblmw.com/upgrade/bambu-connect/updates/versions/1.2.1-beta.5/bambu-connect-v1.2.1-beta.5-win32-x64.exe Archived])</ref> obfuscated main.js with electron-vite's v8 bytecode plugin<ref>{{Cite web |title=electron-vite Source Code Protection |url=https://electron-vite.org/guide/source-code-protection#what-is-v8-bytecode |access-date=2025-03-18 |archive-url=http://web.archive.org/web/20250708192736/https://electron-vite.org/guide/source-code-protection |archive-date=8 Jul 2025}}</ref>. The key can likely be obtained by dumping the process memory.

Line 13:

#Extract <code>bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg</code>''.''<ref>https://public-cdn.bblmw.com/upgrade/bambu-connect/bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg - public-cdn.bblmw.com - accessed 2025-01-28 ([http://web.archive.org/web/20250708192750/https://public-cdn.bblmw.com/upgrade/bambu-connect/bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg Archived])</ref> In there you can find the files of the underlying Electron app in the <code>Bambu Connect (Beta).app/Contents/Resources</code> folder.

#The app uses asarmor to prevent easy reading. The key is stored in the mach-o binary located here: <code>/Bambu Connect (Beta).app/Contents/Resources/app.asar.unpacked/.vite/build/main.node</code> and can be extracted. Unpacking <code>app.asar</code> without fixing it first will result in an encrypted <code>main.js</code> file and 100 GB of decoy files generated. Don't try it.

#Load <code>main.node</code> in Ghidra and Auto-Analyze it. Then search for the GetKey function, or press G and go to <code>0000b67e</code><ref>[https://~~archive~~.is/~~RnFTu~~ "Bambu Firmware to impact use of OrchaSlicer"] - archive.~~is - archived 2025-01-21~~</ref>

#Load <code>main.node</code> in Ghidra and Auto-Analyze it. Then search for the GetKey function, or press G and go to <code>0000b67e</code><ref>[https://old.reddit.com/r/OrcaSlicer/comments/1i2t6l8/bambu_firmware_to_impact_use_of_orcaslicer/m7tuf2i/ "Bambu Firmware to impact use of OrchaSlicer"] - [https://web.archive.org/web/20250119182658/https://old.reddit.com/r/OrcaSlicer/comments/1i2t6l8/bambu_firmware_to_impact_use_of_orcaslicer/m7tuf2i/ Archived]</ref>

#Write down the hex key. You will need to follow the previous steps to get the current key if the provided one does not work. As of 19 January 2025, they are:

##macOS: <code>B0AE6995063C191D2B404637FBC193AE10DAB86A6BC1B1DE67B5AEE6E03018A2</code>

Line 19:

#Install the npm package <code>asarfix</code> and use it to fix the archive: <code>npx asarfix app.asar -k <KEY> -o fixed.asar</code>

#Now you can extract it in cleartext with <code>npx asar extract fixed.asar src</code>

#<code>./src/.vite/build/main.js</code> is minified. Use any JavaScript beautifier (for example <code>prettier</code>) to make it better readable. Interesting user code (including the private key) is at the end of the file.

#<code>./src/.vite/build/main.js</code> is minified. Use any [[JavaScript]] beautifier (for example <code>prettier</code>) to make it better readable. Interesting user code (including the private key) is at the end of the file.

===Extracting certs and private key===

@@ Line 2: / Line 2: @@
 <noinclude>
 {{GuideNotice}}
-Bambu Connect is an [[Electron]] app with [[security through obscurity]], which makes it inherently insecure. The purpose of this guide is to demonstrate the trivial process of extracting the "private keys" used for communicating with [[Bambu Lab|Bambu]] devices to examine, and challenge, the technical basis for Bambu Lab's security justification of Bambu Connect.
+Bambu Connect is an [[wikipedia:Electron_(software_framework)|Electron]] app with [[security through obscurity]], which makes it inherently insecure. The purpose of this guide is to demonstrate the trivial process of extracting the "private keys" used for communicating with [[Bambu Lab|Bambu]] devices to examine, and challenge, the technical basis for Bambu Lab's security justification of Bambu Connect.
 '''Update (March 11, 2025)''': Bambu Connect v1.2.1-beta.5<ref>https://public-cdn.bblmw.com/upgrade/bambu-connect/updates/versions/1.2.1-beta.5/bambu-connect-v1.2.1-beta.5-win32-x64.exe - public-cdn.bblmw.com - accessed 2025-03-18 ([http://web.archive.org/web/20250708192738/https://public-cdn.bblmw.com/upgrade/bambu-connect/updates/versions/1.2.1-beta.5/bambu-connect-v1.2.1-beta.5-win32-x64.exe Archived])</ref> obfuscated main.js with electron-vite's v8 bytecode plugin<ref>{{Cite web |title=electron-vite Source Code Protection |url=https://electron-vite.org/guide/source-code-protection#what-is-v8-bytecode |access-date=2025-03-18 |archive-url=http://web.archive.org/web/20250708192736/https://electron-vite.org/guide/source-code-protection |archive-date=8 Jul 2025}}</ref>. The key can likely be obtained by dumping the process memory.
@@ Line 13: / Line 13: @@
 #Extract <code>bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg</code>''.''<ref>https://public-cdn.bblmw.com/upgrade/bambu-connect/bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg - public-cdn.bblmw.com - accessed 2025-01-28 ([http://web.archive.org/web/20250708192750/https://public-cdn.bblmw.com/upgrade/bambu-connect/bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg Archived])</ref> In there you can find the files of the underlying Electron app in the <code>Bambu Connect (Beta).app/Contents/Resources</code> folder.
 #The app uses asarmor to prevent easy reading. The key is stored in the mach-o binary located here: <code>/Bambu Connect (Beta).app/Contents/Resources/app.asar.unpacked/.vite/build/main.node</code> and can be extracted. Unpacking <code>app.asar</code> without fixing it first will result in an encrypted <code>main.js</code> file and 100 GB of decoy files generated. Don't try it.
-#Load <code>main.node</code> in Ghidra and Auto-Analyze it. Then search for the GetKey function, or press G and go to <code>0000b67e</code><ref>[https://archive.is/RnFTu "Bambu Firmware to impact use of OrchaSlicer"] - archive.is - archived 2025-01-21</ref>
+#Load <code>main.node</code> in Ghidra and Auto-Analyze it. Then search for the GetKey function, or press G and go to <code>0000b67e</code><ref>[https://old.reddit.com/r/OrcaSlicer/comments/1i2t6l8/bambu_firmware_to_impact_use_of_orcaslicer/m7tuf2i/ "Bambu Firmware to impact use of OrchaSlicer"] - [https://web.archive.org/web/20250119182658/https://old.reddit.com/r/OrcaSlicer/comments/1i2t6l8/bambu_firmware_to_impact_use_of_orcaslicer/m7tuf2i/ Archived]</ref>
 #Write down the hex key. You will need to follow the previous steps to get the current key if the provided one does not work. As of 19 January 2025, they are:
 ##macOS: <code>B0AE6995063C191D2B404637FBC193AE10DAB86A6BC1B1DE67B5AEE6E03018A2</code>
@@ Line 19: / Line 19: @@
 #Install the npm package <code>asarfix</code> and use it to fix the archive: <code>npx asarfix app.asar -k <KEY> -o fixed.asar</code>
 #Now you can extract it in cleartext with  <code>npx asar extract fixed.asar src</code>
-#<code>./src/.vite/build/main.js</code> is minified. Use any JavaScript beautifier (for example <code>prettier</code>) to make it better readable. Interesting user code (including the private key) is at the end of the file.
+#<code>./src/.vite/build/main.js</code> is minified. Use any [[JavaScript]] beautifier (for example <code>prettier</code>) to make it better readable. Interesting user code (including the private key) is at the end of the file.
 ===Extracting certs and private key===