Reverse engineering Bambu Connect: Difference between revisions

Line 1:

<noinclude><div style="padding-left:1.6rem;margin-bottom:0.5rem;">''This is part of the [[Bambu Lab Authorization Control System]] article.''</div></noinclude>

Bambu Connect is an [[Help:Electron|Electron]] App with [[~~Security Through Obscurity~~]] ~~principles~~, ~~hence~~ it is inherently insecure.<noinclude>

Bambu Connect is an [[Help:Electron|Electron]] App with [[security through obscurity]], which makes it inherently insecure.<noinclude>

The purpose of this guide is to demonstrate the trivial process of extracting the ''"private keys"'' used for communicating with Bambu devices to examine, and challenge, the technical basis for Bambu Lab's security justification of Bambu Connect.

Line 6:

To read the main.js for further analysis or extracting the private key stored by Bambu in the app:

# Use the MacOS .dmg file, not the exe. Finding the needed decryption code is easier in the .dmg

#Use the MacOS .dmg file, not the exe. Finding the needed decryption code is easier in the .dmg

# Extract ''bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg''<ref>https://public-cdn.bblmw.com/upgrade/bambu-connect/bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg</ref>, in there you can find the files of the underlying Electron app in <code>Bambu Connect (Beta).app/Contents/Resources</code> folder.

#Extract ''bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg''<ref>https://public-cdn.bblmw.com/upgrade/bambu-connect/bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg</ref>, in there you can find the files of the underlying Electron app in <code>Bambu Connect (Beta).app/Contents/Resources</code> folder.

# The app uses asarmor to prevent easy reading, the key is stored in the mach-o binary located here: <code>/Bambu Connect (Beta).app/Contents/Resources/app.asar.unpacked/.vite/build/main.node</code> and can be extracted. Unpacking app.asar without fixing it first will result in an encrypted main.js file and 100 GB of decoy files generated, don't try it.

#The app uses asarmor to prevent easy reading, the key is stored in the mach-o binary located here: <code>/Bambu Connect (Beta).app/Contents/Resources/app.asar.unpacked/.vite/build/main.node</code> and can be extracted. Unpacking app.asar without fixing it first will result in an encrypted main.js file and 100 GB of decoy files generated, don't try it.

# Load main.node in Ghidra and Auto-Analyze it. Then search for the GetKey function, or press G and go to <code>0000b67e</code><ref>https://www.reddit.com/r/OrcaSlicer/comments/1i2t6l8/comment/m7tuf2i/</ref>

#Load main.node in Ghidra and Auto-Analyze it. Then search for the GetKey function, or press G and go to <code>0000b67e</code><ref>https://www.reddit.com/r/OrcaSlicer/comments/1i2t6l8/comment/m7tuf2i/</ref>

# Write down the hex key. You will need to follow the previous steps to get the current key if the provided one does not work. As of 19 January 2025, they are:

#Write down the hex key. You will need to follow the previous steps to get the current key if the provided one does not work. As of 19 January 2025, they are:

## macOS: <code>B0AE6995063C191D2B404637FBC193AE10DAB86A6BC1B1DE67B5AEE6E03018A2</code>

##macOS: <code>B0AE6995063C191D2B404637FBC193AE10DAB86A6BC1B1DE67B5AEE6E03018A2</code>

## Windows: <code>D8BCE831F1284E1993D98EE807101F10F27AFF4E30BD4B420E057D02B8E9BD1B</code>

##Windows: <code>D8BCE831F1284E1993D98EE807101F10F27AFF4E30BD4B420E057D02B8E9BD1B</code>

# Install the npm package <code>asarfix</code> and use it to fix the archive: <code>npx asarfix app.asar -k <KEY> -o fixed.asar</code>

#Install the npm package <code>asarfix</code> and use it to fix the archive: <code>npx asarfix app.asar -k <KEY> -o fixed.asar</code>

# Now you can extract it in cleartext with <code>npx asar extract fixed.asar src</code>

#Now you can extract it in cleartext with <code>npx asar extract fixed.asar src</code>

# <code>./src/.vite/build/main.js</code> is minified, use any JavaScript beautifier (for example <code>prettier</code>) to make it better readable. Interesting user code including the private key is at the end of the file.

#<code>./src/.vite/build/main.js</code> is minified, use any JavaScript beautifier (for example <code>prettier</code>) to make it better readable. Interesting user code including the private key is at the end of the file.

=== Extracting certs and private key ===

===Extracting certs and private key===

The private key and certs are further obfuscated, to get cleartext you need to do: Encrypted string from cy() -> ure(string, key) -> RC4 decryption -> decodeURIComponent() -> final string.

Line 78:

</pre>

== References ==

==References==

[[Category:Bambu Lab]]

</noinclude>

@@ Line 1: / Line 1: @@
 <noinclude><div style="padding-left:1.6rem;margin-bottom:0.5rem;">''This is part of the [[Bambu Lab Authorization Control System]] article.''</div></noinclude>
-Bambu Connect is an [[Help:Electron|Electron]] App with [[Security Through Obscurity]] principles, hence it is inherently insecure.<noinclude>
+Bambu Connect is an [[Help:Electron|Electron]] App with [[security through obscurity]], which makes it inherently insecure.<noinclude>
 {{GuideNotice}}
 The purpose of this guide is to demonstrate the trivial process of extracting the ''"private keys"'' used for communicating with Bambu devices to examine, and challenge, the technical basis for Bambu Lab's security justification of Bambu Connect.
@@ Line 6: / Line 6: @@
 To read the main.js for further analysis or extracting the private key stored by Bambu in the app:
-# Use the MacOS .dmg file, not the exe. Finding the needed decryption code is easier in the .dmg
+#Use the MacOS .dmg file, not the exe. Finding the needed decryption code is easier in the .dmg
-# Extract ''bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg''<ref>https://public-cdn.bblmw.com/upgrade/bambu-connect/bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg</ref>, in there you can find the files of the underlying Electron app in <code>Bambu Connect (Beta).app/Contents/Resources</code> folder.
+#Extract ''bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg''<ref>https://public-cdn.bblmw.com/upgrade/bambu-connect/bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg</ref>, in there you can find the files of the underlying Electron app in <code>Bambu Connect (Beta).app/Contents/Resources</code> folder.
-# The app uses asarmor to prevent easy reading, the key is stored in the mach-o binary located here: <code>/Bambu Connect (Beta).app/Contents/Resources/app.asar.unpacked/.vite/build/main.node</code> and can be extracted. Unpacking app.asar without fixing it first will result in an encrypted main.js file and 100 GB of decoy files generated, don't try it.
+#The app uses asarmor to prevent easy reading, the key is stored in the mach-o binary located here: <code>/Bambu Connect (Beta).app/Contents/Resources/app.asar.unpacked/.vite/build/main.node</code> and can be extracted. Unpacking app.asar without fixing it first will result in an encrypted main.js file and 100 GB of decoy files generated, don't try it.
-# Load main.node in Ghidra and Auto-Analyze it. Then search for the GetKey function, or press G and go to <code>0000b67e</code><ref>https://www.reddit.com/r/OrcaSlicer/comments/1i2t6l8/comment/m7tuf2i/</ref>
+#Load main.node in Ghidra and Auto-Analyze it. Then search for the GetKey function, or press G and go to <code>0000b67e</code><ref>https://www.reddit.com/r/OrcaSlicer/comments/1i2t6l8/comment/m7tuf2i/</ref>
-# Write down the hex key. You will need to follow the previous steps to get the current key if the provided one does not work. As of 19 January 2025, they are:
+#Write down the hex key. You will need to follow the previous steps to get the current key if the provided one does not work. As of 19 January 2025, they are:
-## macOS: <code>B0AE6995063C191D2B404637FBC193AE10DAB86A6BC1B1DE67B5AEE6E03018A2</code>
+##macOS: <code>B0AE6995063C191D2B404637FBC193AE10DAB86A6BC1B1DE67B5AEE6E03018A2</code>
-## Windows: <code>D8BCE831F1284E1993D98EE807101F10F27AFF4E30BD4B420E057D02B8E9BD1B</code>
+##Windows: <code>D8BCE831F1284E1993D98EE807101F10F27AFF4E30BD4B420E057D02B8E9BD1B</code>
-# Install the npm package <code>asarfix</code> and use it to fix the archive: <code>npx asarfix app.asar -k <KEY> -o fixed.asar</code>
+#Install the npm package <code>asarfix</code> and use it to fix the archive: <code>npx asarfix app.asar -k <KEY> -o fixed.asar</code>
-# Now you can extract it in cleartext with  <code>npx asar extract fixed.asar src</code>
+#Now you can extract it in cleartext with  <code>npx asar extract fixed.asar src</code>
-# <code>./src/.vite/build/main.js</code> is minified, use any JavaScript beautifier (for example <code>prettier</code>) to make it better readable. Interesting user code including the private key is at the end of the file.
+#<code>./src/.vite/build/main.js</code> is minified, use any JavaScript beautifier (for example <code>prettier</code>) to make it better readable. Interesting user code including the private key is at the end of the file.
-=== Extracting certs and private key ===
+===Extracting certs and private key===
 The private key and certs are further obfuscated, to get cleartext you need to do: Encrypted string from cy() -> ure(string, key) -> RC4 decryption ->  decodeURIComponent() -> final string.
@@ Line 78: / Line 78: @@
 </pre>
-== References ==
+==References==
 {{reflist}}
 [[Category:Bambu Lab]]
 </noinclude>