Reverse engineering Bambu Connect: Difference between revisions

Fooooo (talk | contribs)
no longer obfuscated
m Get references up to standard
Line 9: Line 9:


#Use the MacOS .dmg file, not the exe. Finding the needed decryption code is easier in the .dmg
#Use the MacOS .dmg file, not the exe. Finding the needed decryption code is easier in the .dmg
#Extract ''bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg''<ref>https://public-cdn.bblmw.com/upgrade/bambu-connect/bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg</ref>, in there you can find the files of the underlying Electron app in <code>Bambu Connect (Beta).app/Contents/Resources</code> folder.
#Extract ''bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg''<ref>https://public-cdn.bblmw.com/upgrade/bambu-connect/bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg - public-cdn.bblmw.com - accessed 2025-01-28</ref>, in there you can find the files of the underlying Electron app in <code>Bambu Connect (Beta).app/Contents/Resources</code> folder.
#The app uses asarmor to prevent easy reading, the key is stored in the mach-o binary located here: <code>/Bambu Connect (Beta).app/Contents/Resources/app.asar.unpacked/.vite/build/main.node</code> and can be extracted. Unpacking app.asar without fixing it first will result in an encrypted main.js file and 100 GB of decoy files generated, don't try it.
#The app uses asarmor to prevent easy reading, the key is stored in the mach-o binary located here: <code>/Bambu Connect (Beta).app/Contents/Resources/app.asar.unpacked/.vite/build/main.node</code> and can be extracted. Unpacking app.asar without fixing it first will result in an encrypted main.js file and 100 GB of decoy files generated, don't try it.
#Load main.node in Ghidra and Auto-Analyze it. Then search for the GetKey function, or press G and go to <code>0000b67e</code><ref>https://www.reddit.com/r/OrcaSlicer/comments/1i2t6l8/comment/m7tuf2i/</ref>
#Load main.node in Ghidra and Auto-Analyze it. Then search for the GetKey function, or press G and go to <code>0000b67e</code><ref>[https://archive.is/RnFTu "Bambu Firmware to impact use of OrchaSlicer"] - archive.is - archived 2025-01-21</ref>
#Write down the hex key. You will need to follow the previous steps to get the current key if the provided one does not work. As of 19 January 2025, they are:
#Write down the hex key. You will need to follow the previous steps to get the current key if the provided one does not work. As of 19 January 2025, they are:
##macOS: <code>B0AE6995063C191D2B404637FBC193AE10DAB86A6BC1B1DE67B5AEE6E03018A2</code>
##macOS: <code>B0AE6995063C191D2B404637FBC193AE10DAB86A6BC1B1DE67B5AEE6E03018A2</code>
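Review bot: the revised Ghidra-step reference drops the original reddit.com comment permalink in favour of the archive.is snapshot, whereas the .dmg reference in the same hunk keeps its public-cdn.bblmw.com URL and only adds the site name and access date; for a consistent citation style keep the reddit.com URL alongside the archived copy, and check the spelling "OrchaSlicer" in the quoted title against the snapshot, since the project is named OrcaSlicer in the original URL.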
Line 85: Line 85:
Bambu Lab's authorization control system that is meant to increase security is entirely built on the assumption that attackers do not have access to the private key and thus cannot create valid signatures.
Bambu Lab's authorization control system that is meant to increase security is entirely built on the assumption that attackers do not have access to the private key and thus cannot create valid signatures.


However, since the private key has already been leaked, third-party software can now send print jobs and G-code commands again, while risks or dangerous situations<ref>https://blog.bambulab.com/firmware-update-introducing-new-authorization-control-system-2/</ref> are still not addressed by Bambu Lab.
However, since the private key has already been leaked, third-party software can now send print jobs and G-code commands again, while risks or dangerous situations<ref>[https://archive.is/x7QjG "Firmware Update Introducing New Authorization Control System"] - archive.is - archived 2025-01-24</ref> are still not addressed by Bambu Lab.


===Purpose of the certificates===
===Purpose of the certificates===
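Review bot: the blog.bambulab.com URL for the "Firmware Update Introducing New Authorization Control System" post is removed entirely rather than supplemented, so the archive.is link becomes the only pointer to the source; keep the original URL next to the archived copy (original URL, then archive link with its archived date) so readers can reach the live post and verify the snapshot.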