Reverse engineering Bambu Connect: Difference between revisions

Abc (talk | contribs)
purpose of private key and certificate
Abc (talk | contribs)
New obfuscation in bambu-connect-v1.2.1-beta.5
 
(19 intermediate revisions by 6 users not shown)
Line 1: Line 1:
<noinclude><div style="padding-left:1.6rem;margin-bottom:0.5rem;">''This is part of the [[Bambu Lab Authorization Control System]] article.''</div></noinclude>
<noinclude><div style="padding-left:1.6rem;margin-bottom:0.5rem;">''This is part of the [[Bambu Lab Authorization Control System]] article.''</div></noinclude>
Bambu Connect is an [[Help:Electron|Electron]] App with [[security through obscurity]], which makes it inherently insecure.<noinclude>
Bambu Connect is an [[Help:Electron|Electron]] app with [[security through obscurity]], which makes it inherently insecure.<noinclude>
{{GuideNotice}}
{{GuideNotice}}
The purpose of this guide is to demonstrate the trivial process of extracting the ''"private keys"'' used for communicating with Bambu devices to examine, and challenge, the technical basis for Bambu Lab's security justification of Bambu Connect.
The purpose of this guide is to demonstrate the trivial process of extracting the "private keys" used for communicating with [[Bambu Lab|Bambu]] devices to examine, and challenge, the technical basis for Bambu Lab's security justification of Bambu Connect.


To read the main.js for further analysis or extracting the private key stored by Bambu in the app:
'''Update (March 11, 2025)''': Bambu Connect v1.2.1-beta.5<ref>https://public-cdn.bblmw.com/upgrade/bambu-connect/updates/versions/1.2.1-beta.5/bambu-connect-v1.2.1-beta.5-win32-x64.exe - public-cdn.bblmw.com - accessed 2025-03-18</ref> obfuscated main.js with electron-vite's v8 bytecode plugin<ref>{{Cite web |title=electron-vite Source Code Protection |url=https://electron-vite.org/guide/source-code-protection#what-is-v8-bytecode |access-date=2025-03-18}}</ref>. The key can likely be obtained by dumping the process memory.


#Use the MacOS .dmg file, not the exe. Finding the needed decryption code is easier in the .dmg
'''Update (January 26, 2025)''': Bambu Connect v1.1.3<ref>https://public-cdn.bblmw.com/upgrade/bambu-connect/v1.1.3/bambu-connect-beta-darwin-arm64-v1.1.3_2c73d82.dmg - public-cdn.bblmw.com - accessed 2025-01-29</ref> is no longer obfuscated and can be directly extracted: <code>npx asar extract app.asar src</code>.
#Extract ''bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg''<ref>https://public-cdn.bblmw.com/upgrade/bambu-connect/bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg</ref>, in there you can find the files of the underlying Electron app in <code>Bambu Connect (Beta).app/Contents/Resources</code> folder.
 
#The app uses asarmor to prevent easy reading, the key is stored in the mach-o binary located here: <code>/Bambu Connect (Beta).app/Contents/Resources/app.asar.unpacked/.vite/build/main.node</code> and can be extracted. Unpacking app.asar without fixing it first will result in an encrypted main.js file and 100 GB of decoy files generated, don't try it.
To read <code>main.js</code> for further analysis or extracting the private key stored by Bambu in the app:
#Load main.node in Ghidra and Auto-Analyze it. Then search for the GetKey function, or press G and go to <code>0000b67e</code><ref>https://www.reddit.com/r/OrcaSlicer/comments/1i2t6l8/comment/m7tuf2i/</ref>
 
#Use the MacOS .dmg file, not the .exe (finding the needed decryption code is easier in the .dmg).
#Extract <code>bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg</code>''.''<ref>https://public-cdn.bblmw.com/upgrade/bambu-connect/bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg - public-cdn.bblmw.com - accessed 2025-01-28</ref> In there you can find the files of the underlying Electron app in the <code>Bambu Connect (Beta).app/Contents/Resources</code> folder.
#The app uses asarmor to prevent easy reading. The key is stored in the mach-o binary located here: <code>/Bambu Connect (Beta).app/Contents/Resources/app.asar.unpacked/.vite/build/main.node</code> and can be extracted. Unpacking <code>app.asar</code> without fixing it first will result in an encrypted <code>main.js</code> file and 100 GB of decoy files generated. Don't try it.
#Load <code>main.node</code> in Ghidra and Auto-Analyze it. Then search for the GetKey function, or press G and go to <code>0000b67e</code><ref>[https://archive.is/RnFTu "Bambu Firmware to impact use of OrchaSlicer"] - archive.is - archived 2025-01-21</ref>
#Write down the hex key. You will need to follow the previous steps to get the current key if the provided one does not work. As of 19 January 2025, they are:
#Write down the hex key. You will need to follow the previous steps to get the current key if the provided one does not work. As of 19 January 2025, they are:
##macOS: <code>B0AE6995063C191D2B404637FBC193AE10DAB86A6BC1B1DE67B5AEE6E03018A2</code>
##macOS: <code>B0AE6995063C191D2B404637FBC193AE10DAB86A6BC1B1DE67B5AEE6E03018A2</code>
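Review bot: the numbered steps still target bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg (asarmor, main.node, asarfix), while the two update notes placed above them say v1.1.3 extracts directly with <code>npx asar extract app.asar src</code> and v1.2.1-beta.5 ships main.js as V8 bytecode, so the list should open by stating which version range the asarmor steps apply to. The added sentence "The key can likely be obtained by dumping the process memory" is a guess with no reference behind it and should be labelled as unverified rather than read as a step. Also, "As of 19 January 2025, they are:" promises several keys but only the macOS value follows; list the others or drop the plural.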
Line 15: Line 19:
#Install the npm package <code>asarfix</code> and use it to fix the archive: <code>npx asarfix app.asar -k <KEY> -o fixed.asar</code>
#Install the npm package <code>asarfix</code> and use it to fix the archive: <code>npx asarfix app.asar -k <KEY> -o fixed.asar</code>
#Now you can extract it in cleartext with  <code>npx asar extract fixed.asar src</code>
#Now you can extract it in cleartext with  <code>npx asar extract fixed.asar src</code>
#<code>./src/.vite/build/main.js</code> is minified, use any JavaScript beautifier (for example <code>prettier</code>) to make it better readable. Interesting user code including the private key is at the end of the file.
#<code>./src/.vite/build/main.js</code> is minified. Use any JavaScript beautifier (for example <code>prettier</code>) to make it better readable. Interesting user code (including the private key) is at the end of the file.


===Extracting certs and private key===
===Extracting certs and private key===
The private key and certs are further obfuscated, to get cleartext you need to do: Encrypted string from cy() -> ure(string, key) -> RC4 decryption ->  decodeURIComponent() -> final string.
The private key and certs are further obfuscated. To get cleartext you need to do: Encrypted string from cy() -> ure(string, key) -> RC4 decryption ->  decodeURIComponent() -> final string.


Example Python reimplementation to extract the secrets, easy to run. Copy the content of t from function cy() in main.js and paste it here. After running, you have a private key from Bambu Lab.
Example Python reimplementation to extract the secrets, easy to run. Copy the content of t from function cy() in <code>main.js</code> and paste it here. After running, you have a private key from Bambu Lab.


<pre>
<pre>
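Review bot: in <code>npx asarfix app.asar -k <KEY> -o fixed.asar</code> the placeholder <KEY> is a raw angle-bracket tag inside wiki text, so MediaWiki is likely to treat it as markup and render the command without it; write it as <code>&lt;KEY&gt;</code> or wrap the command in <nowiki>…</nowiki>. The pipeline "Encrypted string from cy() -> ure(string, key) -> RC4 decryption -> decodeURIComponent() -> final string" never says where the RC4 key comes from or whether ure() is the RC4 step itself, which the reader needs to reproduce the reimplementation that follows; state the key's source next to the pipeline.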
Line 78: Line 82:
</pre>
</pre>


=== Purpose of the private key ===
===Purpose of the private key===
This private key is used for attaching a digital signature to critical operations, such as print jobs and G-code commands. The printer can validate if received MQTT commands are signed by Bambu Connect, and decide to reject them otherwise.
The private key is used to digitally sign critical operations, such as print jobs and G-code commands. The printer can validate whether received MQTT commands are signed by Bambu Connect using the app's public key, rejecting any unsigned or improperly signed commands.
 
Bambu Lab's authorization control system that is meant to increase security is entirely built on the assumption that others do not have access to the private key and thus cannot create valid signatures.
 
Since the private key has already been leaked, however, third-party software can now regain access to the lost functionality, and it is clear that the overall security characteristics have neither improved nor worsened compared to previous updates.
 
What the key '''cannot''' be used for, contrary to many false claims on the internet:
 
*Decrypting HTTPS traffic to the cloud
*Decrypting any MQTTS or FTPS or video feed traffic
*Bypassing cloud user authentication
*Bypassing local authentication (LAN access code)
*Getting access to other printers
*Signing custom firmware
*Signing custom filament NFC tags
*Jailbreaking
 
===Purpose of the certificates===
The private key corresponds to the public key contained in the app's certificate. This certificate is sent to the printer, allowing it to verify the authenticity of the digital signature using the public key.


Bambu Lab's thought is that third party software can not generate a valid signature because it does not possess this key. These practices are comparable to DRM and can almost always be bypassed due to Bambu Connect running on the user's PC.
Bambu Connect continues to work after these certificates expire. Because of how these certificates are used, it is also unlikely that expiry causes the printer to get "bricked", but this needs to be proven through experiments or firmware analysis.


The impact of this key being leaked is that third party software can now access critical operations again.
===Additional security measures===
Bambu Connect also encrypts G-code commands and file paths of print operations using the printer's public key. This ensures that only the intended printer can decrypt the data, rather than all authenticated MQTT clients and the cloud. This adds another layer of security.


=== Purpose of the certificates ===
The potential security benefits are diminished, however, because both the encrypted and plain-text strings are sent at the same time, likely because of negligence or the need for backwards compatibility.
The private key corresponds to the public key contained in the app's certificate. This certificate is sent to the printer, enabling it to validate the signature.


Bambu Connect additionally encrypts G-code commands and the file path of print operations using the printer's certificate. This appears to be an attempt of actually increasing security by ensuring that no other devices can decrypt it. However, the potential benefits are negated as the command still includes the plain text G-code command or file path, most likely due to negligence or backwards compatibility.
Note that network traffic is encrypted by TLS regardless of this, ensuring that no middleman can decrypt it.


==References==
==References==
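Review bot: the new text states that the overall security characteristics "have neither improved nor worsened" and, two sections later, that encrypting G-code with the printer's public key "adds another layer of security" before the next paragraph notes the plaintext is sent alongside it; qualify the "adds another layer" sentence with that caveat so both sections reach the same conclusion. The bullet list of what the key cannot do gives no reason per item; a sentence before the list tying it to the first paragraph (the key only produces the signature the printer checks) would make the claims verifiable. The certificate-expiry sentence is correctly hedged with "needs to be proven"; keep that hedge when the paragraph is edited again.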
Line 94: Line 116:


[[Category:Bambu Lab]]
[[Category:Bambu Lab]]
[[Category:User guides]]
</noinclude>
</noinclude>