Consumer Rights Wiki

Reverse engineering Bambu Connect: Difference between revisions

← Older edit
VisualWikitext
Abc (talk | contribs)
25 edits
examples for what key cannot be used for
Rudxain (talk | contribs)
confirmed, superconfirmed
890 edits
m relink Electron
 
(7 intermediate revisions by 5 users not shown)
Line 1: Line 1:
<noinclude><div style="padding-left:1.6rem;margin-bottom:0.5rem;">''This is part of the [[Bambu Lab Authorization Control System]] article.''</div></noinclude>
<noinclude><div style="padding-left:1.6rem;margin-bottom:0.5rem;">''This is part of the [[Bambu Lab Authorization Control System]] article.''</div></noinclude>
Bambu Connect is an [[Help:Electron|Electron]] app with [[security through obscurity]], which makes it inherently insecure.<noinclude>
<noinclude>
{{GuideNotice}}
{{GuideNotice}}
The purpose of this guide is to demonstrate the trivial process of extracting the "private keys" used for communicating with [[Bambu Lab|Bambu]] devices to examine, and challenge, the technical basis for Bambu Lab's security justification of Bambu Connect.
Bambu Connect is an [[wikipedia:Electron_(software_framework)|Electron]] app with [[security through obscurity]], which makes it inherently insecure. The purpose of this guide is to demonstrate the trivial process of extracting the "private keys" used for communicating with [[Bambu Lab|Bambu]] devices to examine, and challenge, the technical basis for Bambu Lab's security justification of Bambu Connect.


'''Update (January 26, 2025)''': Bambu Connect v1.1.3<ref>https://public-cdn.bblmw.com/upgrade/bambu-connect/v1.1.3/bambu-connect-beta-darwin-arm64-v1.1.3_2c73d82.dmg - public-cdn.bblmw.com - accessed 2025-01-29</ref> is no longer obfuscated. You can skip all steps related to asarmor, <code>asarfix</code>, Ghidra, and string deobfuscation.
'''Update (March 11, 2025)''': Bambu Connect v1.2.1-beta.5<ref>https://public-cdn.bblmw.com/upgrade/bambu-connect/updates/versions/1.2.1-beta.5/bambu-connect-v1.2.1-beta.5-win32-x64.exe - public-cdn.bblmw.com - accessed 2025-03-18 ([http://web.archive.org/web/20250708192738/https://public-cdn.bblmw.com/upgrade/bambu-connect/updates/versions/1.2.1-beta.5/bambu-connect-v1.2.1-beta.5-win32-x64.exe Archived])</ref> obfuscated main.js with electron-vite's v8 bytecode plugin<ref>{{Cite web |title=electron-vite Source Code Protection |url=https://electron-vite.org/guide/source-code-protection#what-is-v8-bytecode |access-date=2025-03-18 |archive-url=http://web.archive.org/web/20250708192736/https://electron-vite.org/guide/source-code-protection |archive-date=8 Jul 2025}}</ref>. The key can likely be obtained by dumping the process memory.
 
'''Update (January 26, 2025)''': Bambu Connect v1.1.3<ref>https://public-cdn.bblmw.com/upgrade/bambu-connect/v1.1.3/bambu-connect-beta-darwin-arm64-v1.1.3_2c73d82.dmg - public-cdn.bblmw.com - accessed 2025-01-29 ([http://web.archive.org/web/20250708192737/https://public-cdn.bblmw.com/upgrade/bambu-connect/v1.1.3/bambu-connect-beta-darwin-arm64-v1.1.3_2c73d82.dmg Archived])</ref> is no longer obfuscated and can be directly extracted: <code>npx asar extract app.asar src</code>.


To read <code>main.js</code> for further analysis or extracting the private key stored by Bambu in the app:
To read <code>main.js</code> for further analysis or extracting the private key stored by Bambu in the app:


#Use the MacOS .dmg file, not the .exe (finding the needed decryption code is easier in the .dmg).
#Use the MacOS .dmg file, not the .exe (finding the needed decryption code is easier in the .dmg).
#Extract <code>bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg</code>''.''<ref>https://public-cdn.bblmw.com/upgrade/bambu-connect/bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg - public-cdn.bblmw.com - accessed 2025-01-28</ref> In there you can find the files of the underlying Electron app in the <code>Bambu Connect (Beta).app/Contents/Resources</code> folder.
#Extract <code>bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg</code>''.''<ref>https://public-cdn.bblmw.com/upgrade/bambu-connect/bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg - public-cdn.bblmw.com - accessed 2025-01-28 ([http://web.archive.org/web/20250708192750/https://public-cdn.bblmw.com/upgrade/bambu-connect/bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg Archived])</ref> In there you can find the files of the underlying Electron app in the <code>Bambu Connect (Beta).app/Contents/Resources</code> folder.
#The app uses asarmor to prevent easy reading. The key is stored in the mach-o binary located here: <code>/Bambu Connect (Beta).app/Contents/Resources/app.asar.unpacked/.vite/build/main.node</code> and can be extracted. Unpacking <code>app.asar</code> without fixing it first will result in an encrypted <code>main.js</code> file and 100 GB of decoy files generated. Don't try it.
#The app uses asarmor to prevent easy reading. The key is stored in the mach-o binary located here: <code>/Bambu Connect (Beta).app/Contents/Resources/app.asar.unpacked/.vite/build/main.node</code> and can be extracted. Unpacking <code>app.asar</code> without fixing it first will result in an encrypted <code>main.js</code> file and 100 GB of decoy files generated. Don't try it.
#Load <code>main.node</code> in Ghidra and Auto-Analyze it. Then search for the GetKey function, or press G and go to <code>0000b67e</code><ref>[https://archive.is/RnFTu "Bambu Firmware to impact use of OrchaSlicer"] - archive.is - archived 2025-01-21</ref>
#Load <code>main.node</code> in Ghidra and Auto-Analyze it. Then search for the GetKey function, or press G and go to <code>0000b67e</code><ref>[https://old.reddit.com/r/OrcaSlicer/comments/1i2t6l8/bambu_firmware_to_impact_use_of_orcaslicer/m7tuf2i/ "Bambu Firmware to impact use of OrchaSlicer"] - [https://web.archive.org/web/20250119182658/https://old.reddit.com/r/OrcaSlicer/comments/1i2t6l8/bambu_firmware_to_impact_use_of_orcaslicer/m7tuf2i/ Archived]</ref>
#Write down the hex key. You will need to follow the previous steps to get the current key if the provided one does not work. As of 19 January 2025, they are:
#Write down the hex key. You will need to follow the previous steps to get the current key if the provided one does not work. As of 19 January 2025, they are:
##macOS: <code>B0AE6995063C191D2B404637FBC193AE10DAB86A6BC1B1DE67B5AEE6E03018A2</code>
##macOS: <code>B0AE6995063C191D2B404637FBC193AE10DAB86A6BC1B1DE67B5AEE6E03018A2</code>
Line 17: Line 19:
#Install the npm package <code>asarfix</code> and use it to fix the archive: <code>npx asarfix app.asar -k <KEY> -o fixed.asar</code>
#Install the npm package <code>asarfix</code> and use it to fix the archive: <code>npx asarfix app.asar -k <KEY> -o fixed.asar</code>
#Now you can extract it in cleartext with  <code>npx asar extract fixed.asar src</code>
#Now you can extract it in cleartext with  <code>npx asar extract fixed.asar src</code>
#<code>./src/.vite/build/main.js</code> is minified. Use any JavaScript beautifier (for example <code>prettier</code>) to make it better readable. Interesting user code (including the private key) is at the end of the file.
#<code>./src/.vite/build/main.js</code> is minified. Use any [[JavaScript]] beautifier (for example <code>prettier</code>) to make it better readable. Interesting user code (including the private key) is at the end of the file.


===Extracting certs and private key===
===Extracting certs and private key===
Line 89: Line 91:
What the key '''cannot''' be used for, contrary to many false claims on the internet:
What the key '''cannot''' be used for, contrary to many false claims on the internet:


* Decrypting HTTPS traffic to the cloud
*Decrypting HTTPS traffic to the cloud
* Decrypting any MQTTS or FTPS or video feed traffic
*Decrypting any MQTTS or FTPS or video feed traffic
* Bypassing cloud user authentication
*Bypassing cloud user authentication
* Bypassing local authentication (LAN access code)
*Bypassing local authentication (LAN access code)
* Getting access to other printers
*Getting access to other printers
* Signing custom firmware
*Signing custom firmware
* Signing custom filament NFC tags
*Signing custom filament NFC tags
* Jailbreaking
*Jailbreaking


===Purpose of the certificates===
===Purpose of the certificates===
The private key corresponds to the public key contained in the app's certificate. This certificate is sent to the printer, allowing it to verify the authenticity of the digital signature using the public key.
The private key corresponds to the public key contained in the app's certificate. This certificate is sent to the printer, allowing it to verify the authenticity of the digital signature using the public key.


Bambu Connect continues to work after these certificates expire. Because of how these certificates are used, it is also unlikely that it<sup>[''what?'']</sup> causes the printer to get "bricked", but this needs to be proven through experiments or firmware analysis.
Bambu Connect continues to work after these certificates expire. Because of how these certificates are used, it is also unlikely that expiry causes the printer to get "bricked", but this needs to be proven through experiments or firmware analysis.


===Additional security measures===
===Additional security measures===
Retrieved from "https://consumerrights.wiki/w/Reverse_engineering_Bambu_Connect"