mNo edit summary
Rudxain
m wanted: JS
 
(2 intermediate revisions by 2 users not shown)
Line 2: Line 2:
<noinclude>
<noinclude>
{{GuideNotice}}
{{GuideNotice}}
Bambu Connect is an [[Help:Electron|Electron]] app with [[security through obscurity]], which makes it inherently insecure. The purpose of this guide is to demonstrate the trivial process of extracting the "private keys" used for communicating with [[Bambu Lab|Bambu]] devices to examine, and challenge, the technical basis for Bambu Lab's security justification of Bambu Connect.
Bambu Connect is an [[Electron]] app with [[security through obscurity]], which makes it inherently insecure. The purpose of this guide is to demonstrate the trivial process of extracting the "private keys" used for communicating with [[Bambu Lab|Bambu]] devices to examine, and challenge, the technical basis for Bambu Lab's security justification of Bambu Connect.


'''Update (March 11, 2025)''': Bambu Connect v1.2.1-beta.5<ref>https://public-cdn.bblmw.com/upgrade/bambu-connect/updates/versions/1.2.1-beta.5/bambu-connect-v1.2.1-beta.5-win32-x64.exe - public-cdn.bblmw.com - accessed 2025-03-18</ref> obfuscated main.js with electron-vite's v8 bytecode plugin<ref>{{Cite web |title=electron-vite Source Code Protection |url=https://electron-vite.org/guide/source-code-protection#what-is-v8-bytecode |access-date=2025-03-18}}</ref>. The key can likely be obtained by dumping the process memory.
'''Update (March 11, 2025)''': Bambu Connect v1.2.1-beta.5<ref>https://public-cdn.bblmw.com/upgrade/bambu-connect/updates/versions/1.2.1-beta.5/bambu-connect-v1.2.1-beta.5-win32-x64.exe - public-cdn.bblmw.com - accessed 2025-03-18 ([http://web.archive.org/web/20250708192738/https://public-cdn.bblmw.com/upgrade/bambu-connect/updates/versions/1.2.1-beta.5/bambu-connect-v1.2.1-beta.5-win32-x64.exe Archived])</ref> obfuscated main.js with electron-vite's v8 bytecode plugin<ref>{{Cite web |title=electron-vite Source Code Protection |url=https://electron-vite.org/guide/source-code-protection#what-is-v8-bytecode |access-date=2025-03-18 |archive-url=http://web.archive.org/web/20250708192736/https://electron-vite.org/guide/source-code-protection |archive-date=8 Jul 2025}}</ref>. The key can likely be obtained by dumping the process memory.


'''Update (January 26, 2025)''': Bambu Connect v1.1.3<ref>https://public-cdn.bblmw.com/upgrade/bambu-connect/v1.1.3/bambu-connect-beta-darwin-arm64-v1.1.3_2c73d82.dmg - public-cdn.bblmw.com - accessed 2025-01-29</ref> is no longer obfuscated and can be directly extracted: <code>npx asar extract app.asar src</code>.
'''Update (January 26, 2025)''': Bambu Connect v1.1.3<ref>https://public-cdn.bblmw.com/upgrade/bambu-connect/v1.1.3/bambu-connect-beta-darwin-arm64-v1.1.3_2c73d82.dmg - public-cdn.bblmw.com - accessed 2025-01-29 ([http://web.archive.org/web/20250708192737/https://public-cdn.bblmw.com/upgrade/bambu-connect/v1.1.3/bambu-connect-beta-darwin-arm64-v1.1.3_2c73d82.dmg Archived])</ref> is no longer obfuscated and can be directly extracted: <code>npx asar extract app.asar src</code>.


To read <code>main.js</code> for further analysis or extracting the private key stored by Bambu in the app:
To read <code>main.js</code> for further analysis or extracting the private key stored by Bambu in the app:


#Use the MacOS .dmg file, not the .exe (finding the needed decryption code is easier in the .dmg).
#Use the MacOS .dmg file, not the .exe (finding the needed decryption code is easier in the .dmg).
#Extract <code>bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg</code>''.''<ref>https://public-cdn.bblmw.com/upgrade/bambu-connect/bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg - public-cdn.bblmw.com - accessed 2025-01-28</ref> In there you can find the files of the underlying Electron app in the <code>Bambu Connect (Beta).app/Contents/Resources</code> folder.
#Extract <code>bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg</code>''.''<ref>https://public-cdn.bblmw.com/upgrade/bambu-connect/bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg - public-cdn.bblmw.com - accessed 2025-01-28 ([http://web.archive.org/web/20250708192750/https://public-cdn.bblmw.com/upgrade/bambu-connect/bambu-connect-beta-darwin-arm64-v1.0.4_4bb9cf0.dmg Archived])</ref> In there you can find the files of the underlying Electron app in the <code>Bambu Connect (Beta).app/Contents/Resources</code> folder.
#The app uses asarmor to prevent easy reading. The key is stored in the mach-o binary located here: <code>/Bambu Connect (Beta).app/Contents/Resources/app.asar.unpacked/.vite/build/main.node</code> and can be extracted. Unpacking <code>app.asar</code> without fixing it first will result in an encrypted <code>main.js</code> file and 100 GB of decoy files generated. Don't try it.
#The app uses asarmor to prevent easy reading. The key is stored in the mach-o binary located here: <code>/Bambu Connect (Beta).app/Contents/Resources/app.asar.unpacked/.vite/build/main.node</code> and can be extracted. Unpacking <code>app.asar</code> without fixing it first will result in an encrypted <code>main.js</code> file and 100 GB of decoy files generated. Don't try it.
#Load <code>main.node</code> in Ghidra and Auto-Analyze it. Then search for the GetKey function, or press G and go to <code>0000b67e</code><ref>[https://archive.is/RnFTu "Bambu Firmware to impact use of OrchaSlicer"] - archive.is - archived 2025-01-21</ref>
#Load <code>main.node</code> in Ghidra and Auto-Analyze it. Then search for the GetKey function, or press G and go to <code>0000b67e</code><ref>[https://archive.is/RnFTu "Bambu Firmware to impact use of OrchaSlicer"] - archive.is - archived 2025-01-21</ref>
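Review bot: the citation style in this hunk is now inconsistent: the download-link refs (the v1.2.1-beta.5 .exe, the v1.1.3 .dmg and the v1.0.4 .dmg) get a hand-written "([http://web.archive.org/... Archived])" suffix appended to a bare URL, while the electron-vite ref gets proper |archive-url= and |archive-date= parameters inside {{Cite web}}. Suggest converting the bare-URL refs to {{Cite web |url=... |access-date=... |archive-url=... |archive-date=...}} as well, so the archive date is recorded in a field rather than only in the Wayback timestamp embedded in the URL. Also, the change from [[Help:Electron|Electron]] to [[Electron]] should be checked against an existing page title; if there is no article at [[Electron]], this replaces a working help link with a red link.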
Line 19: Line 19:
#Install the npm package <code>asarfix</code> and use it to fix the archive: <code>npx asarfix app.asar -k <KEY> -o fixed.asar</code>
#Install the npm package <code>asarfix</code> and use it to fix the archive: <code>npx asarfix app.asar -k <KEY> -o fixed.asar</code>
#Now you can extract it in cleartext with  <code>npx asar extract fixed.asar src</code>
#Now you can extract it in cleartext with  <code>npx asar extract fixed.asar src</code>
#<code>./src/.vite/build/main.js</code> is minified. Use any JavaScript beautifier (for example <code>prettier</code>) to make it better readable. Interesting user code (including the private key) is at the end of the file.
#<code>./src/.vite/build/main.js</code> is minified. Use any [[JavaScript]] beautifier (for example <code>prettier</code>) to make it better readable. Interesting user code (including the private key) is at the end of the file.


===Extracting certs and private key===
===Extracting certs and private key===
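Review bot: while the beautifier step is being touched to add the [[JavaScript]] link, fix "make it better readable" to "make it more readable" and the doubled space before <code>npx asar extract fixed.asar src</code> in the preceding step. The same step states that the private key is "at the end of the file", which applies to the v1.0.4 build the numbered procedure describes; since the January 26 and March 11 updates above say that v1.1.3 is no longer obfuscated and v1.2.1-beta.5 ships main.js as v8 bytecode, consider qualifying that sentence with the version it was verified against.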