Hot on the heels of Bambu Lab’s announcement that it would be locking down all network access to its X1-series 3D printers with new firmware, the X.509 certificate and private key from the Bambu Connect application have now been extracted by [hWuxH]. This application was intended to be the sole way for third-party software to send print jobs to Bambu Lab hardware as we previously reported.
The Bambu Connect app is a fairly low-effort Electron-based affair, with some attempt at obfuscation and encryption, but not enough to keep prying eyes out. The de-obfuscated main.js file can be found here (archived), with the certificate and private key clearly visible. These are used to encrypt HTTP traffic with the printer, and is the sole thing standing in the way of tools like OrcaSlicer talking with authentication-enabled Bambu Lab printers.
As for what will be the next steps by Bambu Lab, it’s now clear that security through obfuscation is not going to be very effective here. While playing whack-a-mole with (paying) users who are only interested in using their hardware in the way that they want is certainly an option, this might be a wake-up call for the company that being more forthcoming with their userbase would be in anyone’s best interest.
We await Bambu Lab’s response with bated breath.
So they tied access to a single, publicly distributed, private key and called it a ‘security’ feature?
That’s honestly repulsive. Just blatantly not bothering with authentication is a step above being both useless and controlling.
“publicly distributed private key”
I’m pretty sure there are two kinds of employees at Bambu: those who understand the oxymoron, and those with decision-making authority. The Venn diagram is two disjoint circles.
It’s only a security feature in terms of preventing pirates from accessing soon to be subscription only features :)
This was not a security update, it was a preemptive marketing move. When some “omg remote printer haxx” story blows up;
It was likely to target Bambu, because they are the hotness right now.
Now they can claim they locked their system down, and the hack is “insert marketing speak for please forget about it”
Not surprising it was a low effort affair.
Can they get back to making easy to use printers now, so I can get back to printing without futzing with the printer?
the omg printer haxx story blew up last year and this change absolutely addresses the mqtt security issues that the 2024 hack exposed.
Very much so! I was on the verge of buying one of their printers… I’ll go back to Prusa.
When these companies REQUIRE tethering of devices to the company’s cloud, bad things happen. For now, it’s Bamboo, but GloForge and Sonos are right on their heels. When will we learn that this is a bad practice with a huge amount of risk for the consumers?
Who would be foolish enough to buy anything from them after recent publicity? They effectively wrote themselves off the market. Their further statements and even reverting the vendor lock-in will not matter as nobody will trust them anymore. Bambulab is effectively a dead company now. And they deserved it.
They said the same about Microsoft after Windows 8 debacle.
Decades have passed and the Year Of Linux is still not there. In fact modern Linux is in many ways less usable than a humble Windows 98 😂
You obviously don’t know anything about linux.
Given that Linux’ market share keeps growing, this isn’t the ‘burn’ you might imagine. Your car likely runs Linux, most phones, steam decks, tens of millions of chromebooks, etc.
I hate to defend the argument but they did specify Linux Desktop, of which cars, Steamdecks and phones are bad examples since they’re mostly embedded devices not built to run a desktop experience, even Chromebooks are a stretch since they’re mostly about just bringing you Chrome
Its really the Desktop portion everyone complains about. The old “x11 server/client” architecture make it clunky and slow to program games for. Don’t get me started on the decade long sound driver issues. Its not that Desktop Linux isn’t posable its just itself AND the apps never got to a place to start maturing till now.
Even something like Steam is not making desktop slightly more viable not because its use but because people are slowly wanting to do more with it.
Just picture this. Can you imagine what would of happened if somone like Steve Jobs and his UI development team worked on X11 at the start back in the 60’s. Windows would of never been a thing.
I’ve been using Linux almost exclusively for 15 years or so, so arguably I know at least something about it. And as much as I hate Windows, on an almost daily basis I swear at Linux for something or other that old versions of Windows did better.
Disagreement with a settled opinion != lack of knowledge, experience, or wisdom.
I’ve been using Linux almost exclusively for 15 years or so, so arguably I know at least something about it. And as much as I hate Windows, on an almost daily basis I swear at Linux for something or other that old versions of Windows did better.
Disagreement with a settled opinion != lack of knowledge, experience, or wisdom.
What are you talking about? I can tell you know next to nothing by the way you talk about Linux lol.
Aside from the ridiculous statements about Linux (which is everywhere, and even steadily increasing in consumer hardware in bot aldulterated and purer forms), Windows and MS in general is a LOT more ubiquitous than Bambu and their printers are. Also, Bambulabs are actively using the work done by other 3DP pioneers. It would be the same if Windows had a tenth of the marketshare in the 90s, and was actually mostly Linux underneath. It’s not even close to comparable.
Look at that poor soul who bought bambu printer and trying to lie to himself it`s gonna be all right kek
As an owner of a Bambu printer I feel no need to defend them, I’ll keep using my current one in LAN mode without an update and stick with other vendors for future printers. It’s really not that hard to avoid the extra software
I highly recommend Creality K1 series. I have a K1 Max and it prints wonderfully. I mean, they give you root access right in the menu. The K2 is adding the multicolor support, and they are going to sell an upgrade kit for thr k1 series owners.
Ditto on K1. Switching from Creality’s shaved down version of Klipper firmware to the full open public release is a breeze, they make it easy, and you don’t lose support or your warranty for doing so. My K1C works just as well and is just as reliable with as few failed prints as a Bambu (cuz I know some Bambu owners). And I can tweak it to make it even better. And it’s cheaper.
The most popular OS in the world is powered by Linux, with nearly twice as many installs as Windows.
By “popular” you mean built into products, with back doors to Alphabet and various governments?
The same accusations apply to Microsoft.
That said, at least with Android we have other options (Calyxos, Lineage, and others). If you don’t like the terms of service, what other options are they for Windows?
Android is as much “operating system” as QNX running UI on a CNC machine control panel.
Can you use it to access LPT port directly? Yeah nah mate, not allowed by Google because “security”.
Just executing exes in the spoolfolder to install Stuxnet was a much smarter move, right?
So root your phone? Google doesnt deny anything, vendors sometimes do. Vote with your wallet. My pixel has root acces and can drive its lpt just fine, if it had one :p
So your analogy doesn’t quite work Im affraid.
Also, afaik you can do debian (etc) installs without root even (with reduced capabilities, because indeed, security:()
You can’t directly access hardware under WinNT or it’s derivatives either. You have to go through the HAL.
Ermm, how do you say “I don’t know anything about operating systems” without actually saying “I don’t know anything about operating systems”?
Your statements are ridiculous. Android and QNX are definitely operating systems. In fact they are way more of an operating system than Windows 9x (a veneer over MS-DOS with a poorly thought out security model and next to no multi-user capability).
And you biggest complain is accessing the parallel port under Android?… Thanks for the laugh.
MacOS us unix based, windows 11(yuck) has Windows Subsystem for Linux (WSL) which allows users to run Linux applications. It may have some Linuxifications and there will be more cross pollination.
There’s no competition in the desktop ecosystem and on top of that to change to the two out of a competitives give God to completely claw yourself out of a world garden and then claw yourself into a new one
Good thing that there is a a ton of different competitors within the printer market while they have clawed a dozen people into their wall garden no additional people are going to get back into it and if they’re considered a new printer they’re not going to consider anything additionally
Your right ;) . No competition. Linux is the cat’s meow. Not a windows machine in sight here. From desktops, to servers, to laptops, to SBCs … All happily running Linux. Those that use windows are just not with it :) :D .
The biggest thing holding back Linux on the desktop is Microsoft’s near monopoly over the space (desktop Linux isn’t exactly perfect but Windows isn’t exactly easy to use). Bambu doesn’t have a monopoly in the 3D printing space, their ecosystem features are somewhat thin and easy to work around and there’s plenty of strong competition in the space that is if anything more established. Bambu will surely keep selling printers but I’m willing to bet there will be a noticeable drop from this in a market where people already find their software frustrating even before adding more layers of nonsense
At some point I came to a realization that if I had a market share representation, it would be the equivalent of two stale cheetos and a wet fart. However, my wants are still wants.
The Linux desktop, and really any open source OS satisfies those wants. The market share is irrelevant to me, and anyone who has needs that have nothing to do with profit.
That’s what the ‘F’ in FOSS is for. Freedom. Sacrificing that freedom for someone else’s convenience, or… or some freakin’ market share is beyond ridiculous.
You don’t worry yourself about how ‘convenient’ my life is. I make it work. My year of the Linux Desktop is every year.
I do like a humble Windows 98. I think there are architectural hurdles to fix. But You said “98”, not “Windows 11”. Microsoft and its ‘market share’ isn’t coming to save you now.
Actually I stopped using Windows 98 and moved to Linux 20-odd years ago, ’cause it could record .wav files bigger than 4GB, among other things Win98 couldn’t do.
Ability to record 4 GB .wav was certainly crucial in an era where average hard disk was 100 MB.
You are such a laugh. Most people had 100+GB harddrives 20 years ago!
That Windows 8 debacle caused me to finally go to Apple as the final straw, think about that.
” Bambulab is effectively a dead company now. And they deserved it.” Really? They are one of the best printers on the market, and don’t gouge you with crazy prices if you need parts.
There are similar offering from other companies i.e. Creality with their line of XY printers that are open source and cheaper. I have a K1C and it worked out of the box and is extremely reliable. It was also about $100 cheaper than the Bambu offering. I considered Bambu but decided against it simply because it was a proprietary system and I could see the subscription model coming.
And the K1 SE is even cheaper at 280e and same base.
creality is nowhere near as reliable, though their newer models are getting much better
Had some prints made by my son on his enclosed Creality 3D Printer. Fast and does an excellent job as far as I can tell.
open source? creality – check again – they closed source all the bits they added to klipper – so they run a klipper fork and there is no way to run mainline that goes for the sonic pad (although that may be doable now via a long winded way) the ender KE and all the KX series.. – they havent released the source for their additions so there is no way to make their hardware work with mainline – that breaks the licensing… and therefore deems them not to be open source. Qidi and sovol do the same thing – but are a bit more tolerant to you putting mainline on the machines
False. Mainline Klipper works perfectly on the K1 series. And Creality has opened up their fork– where they just stripped things out to make it less confusing for beginners.
But they are obviously gearing up to gouge you with crazy prices on services (that are not needed or even wanted by many users). They are forcing all access to their printers to go through their cloud in the name of security (which is kind of a lie anyway, it seems), and the only reasonable explanation for that is that they plan to monetize access to their cloud and that hey now need to build a user base for that cloud. The real screw up is trying to do that build up with a pretty transparent, and terribly implemented, bait & switch. They should be off everyone’s purchase list: unless it’s the physically best printer by a couple few magnitudes, their lies and obvious new business plan are not worth dealing with.
The other explanation is that it is for security and they are going for the enterprise market and are working to fix gaps in whatever a security audit has shown are vulnerabilities.
I what “security” or “enterprise market” would ANYONE want something like a 3D printer connecting to the internet? Let me guess, HP nuking your inkjet printer if you install a printer cartridge other than “genuine HP” is a “security” and “enterprise market” desirable feature too?
They have already done this though, with the X1E. Promises improved security, though I won’t pretend to know what that entails
you really should wait until you understand the announcement to comment on the announcement.
Yeah, I don’t get this take either. I have one of their printers (X1C), it’s damn near perfect for what I need. I’m thinking about buying 3 more for my business so I can print faster.
The app kind of sucks, that’s an issue I suppose, but I can run it on my linux machine without any heartache and it just sort of… works? I appreciate that.
The taking the Uber approach when it comes to printer marketing sell the printer for a minimal or even a loss profit proceed to build up a massive market share pile on the subscription services extra fees bills lock it down controller replacement parts restrict filament control and ruin the service for people who refuse to pay additionally
Everyone has been chucked into the wall garden and congratulations you can’t leave you have been corned and now you’ve must pay
lmao
Nobody puts baby in the corn
It has the JUICE
I’m in the market for a new printer right now and honestly their products have such excellent value that it’s hard to ignore them, regardless of how much I hate proprietary stuff and closed ecosystems. BambuLab is the Apple of 3D printers, except unlike Apple, their products are vastly cheaper than the open ecosystem stuff. I would absolutely prefer having a Voron 2.4 or Trident over a X1C, but choosing the Voron means I have to pay significantly more for a product that not only requires more parts to be printed, but tens of hours of assembly.
I threw my toys out the pram at my current 3dp over Xmas, and was also considering a P1S. I’m hoping the Anycubic S1 reviews well, otherwise I’ll just have to swallow the Bambu pill.
We’re all different. I enjoyed building my 2.4, and I paid less for the Formbot kit plus PIF parts than I would have paid for a Bambu at the time.
Not that Bambu was ever an option because of the closed nature of it. But again, we all have different priorities and interests.
It is possible to use their printers “off-grid”. They have a micro-SD card and will print off that without connectitng to Wi-Fi. Their slicer is derived from Prusa’s slicer and is available as source code. Mechanically I find their printer (P1S) to be excellent; fast, well built and fantastic print quality, but wouldn’t trust their products in terms of privicy.
I agree that their connectivity attitude is awful and the product of a different culture to the majority of home 3D printing culture that grew out of RepRap. Firmware updates can be performed using the SD card, but few will trust firmware updates from them now.
Sovol SV08 is Voron 2.4-adjacent, and much cheaper than a Bambu and even cheaper than Reality K1 Max. Seems like a good value.
Hot air. This won’t be a visible blip on their sales data.
It wasn’t a good thing, mind. No matter what their goal, it seems the implementation was poor.
But the way posters here confidently and constantly proclaim mainstream users share the same thoughts as HAD readers is hilarious.
Won’t be a blip on their sales?
Louis Rossman just posted a video about this and it’s had 278K views in less than 24 hours.
Louis Rossman has been making videos about how bad Apple is since he’s been on the youtube platform.
If the product works, and is priced at its projected value point, Louis Rossmans video wont move the needle (much).
People like me and you will absolutely be put off Bambu, but this basically wont matter.
Apple is mainstream and caters to everyone under the sun.
Bambulabs caters to 3d printer users, who largely are involved in this information and base their decision making off it. I don’t think Apple is a good comparison here.
Businesses will that do not care about these things and just want a no hassle 3d print experience. More power to Bambu if that’s what they want. The crowd here should boycott them though. This type of subscription tied to hardware functionality is bogus.
The cricut market
haha all the other replies started arguing about what the generic user ought to do but you got right to it and answered the question. who would buy one of these things? and the answer isn’t hard if you ponder it for a second. lots of people don’t care, or actively appreciate the cloud integration.
Don’t be so obviously and publicly naive. People buy and will buy Bambu printers quite simply because they work and do what a 3d printer should do.
If your into endlessly fiddling with your printer and solving problems then buy one of the others, if you want to actually print things then buy a Bambu.
It’s that simple and that’s what will drive purchasing decisions, not concerns over security software that won’t affect the vast majority of users.
Yeup. The just became the new Bud Light in the 3D printer / maker world. They queered their good name forever with this latest face tatt. I am now considering the new CoreXY printer from Prusa to upgrade from my Chinese Ender 3 Pro…..JUST SAY NO TO CHINA-MADE STUFF.
I was completely unaware of these shenanigans – I was considering buying a Bambu printer once I’ve got some more free time to play with it, but I didn’t expect it to be locked down like that.
As a single owner/user of an A1 I am not worried about my future with Bambu. A future where I have to pay them a monthly fee? I don’t think so.
The link to the main.js is already gone. Waiting for the T-shirts with the key to emerge pretty soon.
QR-code, colors or base64 encoded? ;-)
I have a feeling that whoever reported that, haven’t heard of Streisand effect :) https://archive.ph/9HJd4
Thanks!
https://archive.ph/ has it.
Well, that didn’t take long.
Odd timing to leak the key if it gives Bambu time to fix the issue.
They should have learnt a trick from console hackers and delay any disclosure until it’s necessary.
Maybe I’m giving someone at Bambu too much credit; but this seems like a situation where the weakness would have been known from the moment the lockout system was designed: if you are reusing the same cert across all devices and distributing the key(not just using it so the printers can verify that they are talking to your servers rather than DNS trickery); that key is not going to stay private.
A lightly obfuscated Electron phone-in is a comparatively soft target; but when extracting a single private key gets you in to all devices even attacks that would otherwise probably not be worth the trouble(decapping and physical inspection of/tampering with smartcard or ‘secure element’ IC, say) are realistic concerns.
Not sure if they were just looking for a low-effort speedbump with none of the key management hassle associated with per-device certs; or if the hope is to get a legal hook that they can use to dissuade anyone who makes working around their locks too easy(the way that CSS on DVDs fell fairly quickly; but did ensure that DVD ripping never got the sort of ubiquitous commercial support that CD ripping did; since, while pitifully weak vs. people who just didn’t care, the DRM was just enough that outfits big enough to sue mostly didn’t want to touch it).
cert = public key being signed by an CA. that’s a completely normal thing to reuse. literally how every browser works.
the main false claim in the article is that this private key is used for “encrypting HTTP traffic” or in any way related to these certs
This reminds me a bit of Sony with the PS3 and when they removed the “OterOs” functionality, This resulted in a class action lawsuit, and a settlement of either USD 55 or USD65 for each affected user, depending to which website you look.
I have not bought Sony stuff ever since they started placing rootkits on CD’s don’t have a PS3 and am not familiar with further details.
Sony: I believe the only company that has a publishing arm (ie: Sony Pictures) and an electronics manufacturing arm – and they use it to push ‘standards’ onto everyone (eg: SPDIF) and sneak rootkits onto users computers without their knowledge.
Essentially another Apple: trying to create a closed ecosystem (which Apple has done, and continues to do).
Even though their stuff is usually good, I stopped buying Sony back in the early 90s. And I’m proud to say I’ve never bought an Apple product.
I agree with you that walled gardens are bad, but they come with benefits. I used to HATE Apple because they lock everything down, but I learned that I don’t need all that control back. I used to get angry because I had an IPhone and I could change the look of the interface. I went to android and quickly became overwhelmed at all the options. I then became overwhelmed at all the useless software that is half baked or broken. When a feature is implemented on Apple hardware, it’s typically fully fleshed out, the software experience is refined,.and only what I need is what I can use. I’m going back to IPhone this summer because I bought a Macbook Air and an IPad Pro, and loved how simple it is, and the software ecosystem has matured since 2009 when I left for Android. If you want that control, there will always be options. I just got tired of bugs, crap UI,.and useless features.
Can I haz bambu lab collorcoded key t-shirt?
Yes it’s been a while since the Perl DeCSS Dolphin t-shirt 🤣🐬
Waiting for the keys to be posted in a maker world print
The hastebin code is no longer public.
If anyone would link to a copy of the code, that would be nice
I mean… Why not just put a new brain in the bambu printers? The days of making money by making compelling products that people want to buy is drawing to a close. Now it’s rent-seeking and finding other clever and stupid ways of artificially increasing the cost of “ownership” see: countless other industries.
Replace the brain for what purpose? Why not just use the open source Bambu Slicer or the open source Orca Slicer?
Cory Doctorow rants often about this https://pluralistic.net/
There is project intending to do just that. Kind of a waste of a good controller board though… https://github.com/ChazLayyd/Bambu-Lab-Klipper-Conversion
That is an option but that is directly against the main reason people buy bambu lab printers, their ease of use. You are then just taking your printer and turning it into another klipper printer with everything that comes with that.
It may come to having to do that but avoiding that was why I bought a bambu lab printer in the first place.
Exactly, I’ve been seriously considering buying one of these for a bit now, and the reason is that I don’t have to set it up, I don’t have to fiddle with it, it Just Works.
Hacking things is fun, I get a lot of enjoyment out of it. But I want a 3D printer where I don’t spend more time trying to get it started and dealing with failures, than I do waiting for it to finish.
If I want to play around with OctoPrint, Marlin, Klipper, changing out controllers, or anything else, I’ve got two Sidewinder X1s in varying conditions. I’ve installed BL-Touches, played around with various cooling fans, installed LCDs, built Marlin over and over as I tweaked this or that, messed with the firmware on the fancy touchscreen, dealt with warped beds, experimented with Klipper. To my brain, this all fits well under “Hobbies”.
I want a 3D printer that is a tool, not a hobby. So I can print something without worrying about “the printer is in pieces because I ran out of spoons fixing it.” So I don’t have to spend an hour trying to deal with the latest bed adhesion issue every time I go to print something. A reliable tool I can use when the only energy I have is “I want to print this cool thing I found/designed.”
Adam Savage offers the advice “If you’re not sure a tool will be useful to you, buy the cheapest possible version of it, and if it IS useful to you, then buy the best version you can afford.”
I feel like the printer(s) I’ve got have done a good job of introducing me to 3D printers, and ensuring that I know I want one (and done a pretty good job of printing most of the things I’ve asked of them). But now I’m ready to move up to something that Just Works.
Not one single person has ever been forced to pay for the Bambu slicer or the mobile app. Nobody has ever had to subscribe to a pay-per-play service to use their printer. They don’t have to be networked, and they will take a file sliced by almost any other run of the mill slicer.
This is all snobbery and fear mongering from dorks who consider themselves protectors of the realm.
Meanwhile, those who just want to print, are printing on their P1s and enjoying not having to dig into code to make the damn printer work. I tossed all my old bed slinger POSs from Creality into the rubbish pile and have ever missed them, not even once.
It seems to me they are trying to push the X1 into the pro user realm by adding more security, but their heart is not in it – probably worried about the US TikToking them.
Found the Bambu owner moving the goalposts in order to reconcile his poor purchase decision.
it seems to me like the goalpost has always been trouble-free printing?
This am stupids. Unbelievably stupids. But funny because it’s one of many areas of life that doesn’t involve me. I very much enjoyed this article. Thank you!
I like my p1s and it got me back into printing after 7 years of fooling around with creality and anet printer issues. Dialing into settings to achieve a print that would fail 6 hours in was no longer fun so I put down my 3d printer dreams and gave up. Then Bambu came around and it reinvigorated me, suddenly I could actually spend time focusing on what I wanted printed vs. trying to configure my printer to print correctly. But I get it, I would be pissed if I bought into this ecosystem to make a print farm and then they locked down key features in the name of “security”.
definitely watching this as it develops. it seems to affect print farm work flow much more than it does individual users. but you’d think the print farms work flow would matter most, given that most print farms are purchasing/repairing 10-50 printers at a time, which is maximizing bambu’s time/effort per-product-per-user.
i was planning on a 3d printer within the next year as a shop tool upgrade, and had been planning on a bambu printer. but this paints a bad arc for a level of corporate control that i’m not comfortable with. i might need to consider alternatives if this continues poorly. they still have space to turn the disaster around though.
I just recently got back into printing. Went Bambu for the ease of use. But still like using orca for the ease of calibration. Hope I’m not out money if this soon turns into paywalled BS. I would love to see full steam ahead on the project for the custom hardware. 3rd party main boards and Bambu gets to sit and watch as their printers are transformed into something they can’t control.
Has been 10 years since buying my first 3D printer, Bambu X1C was the 8th purchase. Days (actually months) of fiddling around has ended using the Bambu. I no longer have to tweak, modify, recompile, adjust, readjust, level again any more. I’ll give Bambu some slack because I am getting great prints and ok with their schemes as long as they don’t screw it up or introduce a subscription model.
I’ve given BL a lot of slack, but they keep yanking on it.
Legit question by a total know-nothing: can I just buy one of the printers and use it in the garage hooked up to a laptop or something? And not be affected by this at all? Or would it require a cloud and internet and stuff? And authentication and logging in all the time?
I bought a meat thermometer that you needed to log in to an app and stuff. It’s annoying AF. No way would that fly for me with a printer too annoying.
They have a LAN mode and you can just use an SD card to print from but it’s unclear just now exactly what this new authentication process will involve. I would imagine it is just for anything that communicates with the printer wirelessly so just using the printers through their built in physical controls will probably be unaffected.
It may require the cloud for initial set up, I am unsure about this though as it has been a long time since I set mine up.
See https://www.reddit.com/media?url=https%3A%2F%2Fi.redd.it%2Fl7nt2xscnzde1.png
If i understand correctly, the major downside of using LAN is all the SD card manual transfer? Could an esp32(anything with wifi, really?) make a SD card interface to fake a SD card accessible by wifi? Add a webcam if supported and you have got a standalone board that you just plug into the BLX1?
You can print and send files to the printer over wifi in lan mode, just not browse files on the card, at least not through bambu slicer/the app. You can access the printer as an ftp server and move around files on the card that way. You can also view the camera if equipped, see filament status, print status, errors, etc in lan mode.
Not disagreeing but I would point out that the details are a little more awkward than your comments suggest – it’s not true ftp and there’s no command-line access to it with standard commands like you would get from the linux ftp command. Mostly the existing utilities to access it are gui-style which is no help to someone whose main machine is command-line only and who would rather automate backup and mirroring with a script anyway. I had to write python scripts to list the directory contents and fetch the files, and I hate writing python. So yes, one of those esp-based wireless uSD interfaces (eg BTT-TF) would probably be a solution if they were reliable in use… but my experience has been that the SD side works OK but in conjunction with the remote mounting side (which is the half-assed WebDav filing system on Windows) it’s somewhat unreliable. I guess while I’m here I should chip in on the Bambu discussion: I’ve been through this before with Cricut and other products that I will no longer buy. Now as long as I’m still at a beginner level of only printing other people’s designs that come from public sites I’m not too bothered but when I get to designing my own objects I won’t be too happy with them going offsite. It’s all well and good having a local mode but not if the local mode doesn’t have access to all the features that make these machines so easy to use. And I was not at all happy at the initial setup and installation procedure where it was impossible to set the machine up without running their software at least once. I had to buy a used $40 Windows portable off Woot to install it on and set up a walled-off wifi network for marginally more security :-( So to BambuLabs: be aware that you have customers who expect full local control of the machines and with all the facilities available that make them convenient to use. I didn’t sell my Cricut when they locked out third-party drivers but I’ve bought two vinyl cutters since and they have not been Cricuts. So I’ve no intentions of selling my Bambu just to make a point, but if the access becomes locked down I won’t be buying any more of them – if I had been aware of these issues before I bought this machine I would probably have opted for a Creality instead just in case.
Time for homebrew firmware again?
when do these businesses ever learn lol
Hackaday Supercon Pasadena folks — In light of these new Bambu shenanigans, we may need you to publish Joshua Wise’s Supercon talk from this year (design lab stage) to help rally the troops and put Bambu back in their place. I know this isn’t exactly what Joshua and his compatriots were working on, but they are the right people to change tack momentarily in order to lay the smackdown.
Your wish!
https://hackaday.com/2025/01/29/supercon-2024-joshua-wise-hacks-the-bambu-x1-carbon/
The provided link at the text “The de-obfuscated main.js file can be found here” has been removed as we at hastebin.skyra.pw do not want to be a host for content that violates the terms of service of third parties.
Sincerely,
Creator of hastebin.skyra.pw
If all that’s needed to communicate with the printer is the X.509 certificate and the private key which are embedded in the app, then there’s supposedly no cloud authentication involved. Because otherwise the private key would have been in the cloud and out of reach.
But there are other simple ways to protect the printer from malware… Let the user set a password on the printer and require some kind of authentication with a matching password for the client to be able to connect (OAuth? Even HTTP authentication would be better than nothing, I suppose). This could easily be supported by third parties and given that each printer has a different password, provide a much better protection from viruses than just leaving the API fully open.
Probably a management and marketing decision all of this. This does not take away anything from the excellent engineering of Bambu printers. Excellent price / performance ratio. This is my personal opinion, but I started with Creality ENder 3, Ender 5 Pro and now A1 from Bambu. Now i design and print and it works. 95% of the time i just print. On the case of the subscription service, nobody knows what will happen. We will see, then the user and market responds and when the number are not what they expect whing will change. Self-correcting. In the meantime I just print with my A1, and 99% of the time it is a perfect print.
junior level programmer mistake. They might benefit from googling “key distribution problem”, but it’s also pretty bad since it suggests the plaintext private key is also in their code repository.
I had been seriously considering a Bambu for several reasons but the attempts at a gated environment had me hesitating for a while and the filament ID feature just seemed very close to becoming one step away from being locked in to their filaments. This update made the final decision for me to look elsewhere.
There has been a response from Bambu Lab: https://blog.bambulab.com/updates-and-third-party-integration-with-bambu-connect/
Taking an actual look at the app, while there is a key pair embedded, it looks like it’s only used as additional signing for the cloud API’s print call and for retrieving updated key pairs. I doubt it’s passed through directly to the printer. The LAN printing still uses password protected MQTT and no additional signing. So using this key pair would let you post jobs to Bambu’s cloud service without going through the app, but you are still going through their cloud service.
What the private key is actually used for: signing a few MQTT messages (“critical operations”) that are sent from Bambu Connect to the printer. Happens for both LAN and cloud connections.
I’ll go with my sole rule of purchase as usual.
Never buy any device that needs cloud access to use fully.