Bambu Labs have been in the news lately. Not because of the machines themselves, but because they are proposing a firmware change that many in our community find restricts their freedom to use their own devices.
What can be done? [Joshua Wise] gave a standout talk on the Design Lab stage at the 2024 Hackaday Superconference where he told the tale of his custom firmware for the Bambu X1 Carbon. He wasn’t alone here; the X1 Plus tale involves a community of hackers working on opening up the printer, but it’s also a tale that hasn’t ended yet. Bambu is striking back.
Classics of Getting Root
But first, the hacks. It took three and a half attacks to get the job done. The Bambu looks like a Linux machine, and it does everything over HTTPS, so that’s a difficult path. But the Bambu slicer software speaks to the printer over a custom API, and since the slicer can print, it must be able to send files to the printer.
Another hacker named [Doridian] had started working on getting in between the slicer and the printer, and the attack starts as every attack does – typing some keywords from the API into the Internet and finding the “confidential” documentation. Since you can download files using this API, you can start to get some binary files off the system. Bambu patched this one. [Doridian] then tried symlinks on an SD card, which worked for a little while, but Bambu patched this one too. Finally, they tried the old Johnny Droptables trick with a filename of a 3D model. This was also quickly patched.
Then [Joshua] got a message on Superbowl Sunday from a total stranger, [Balosh], who claimed he had a bootrom vulnerability that completely hosed the device because it’s baked into the firmware, and that’s an uncloseable door. [Fabian Masterbroek] wrote a kexec loadable module that lets you boot a second kernel from a running one, but it was written for the wrong platform. [Joshua] wrote the platform driver stuff to enable the swapover, shut everything down, and then reboot into a custom kernel.
What To Do When You Get In?
So [Joshua] was in. Now what to do? What features would you add to your own custom Bambu X1 Carbon firmware? Since it’s a Linux device, you might want a modern kernel, with better WiFi support and USB Ethernet. Maybe some security? An improved filesystem?
Here is a reverse-engineering nugget: The original UI is written in QML, which [Joshua] claims is horrible. He then uses Unicorn Engine, which is a spinoff of QEMU that emulates the CPU and lets him know where all the function calls go, and shows him the way to, for instance, turn on and off the backlight. Now he could write his own system.
Winning the Battle, Not Yet the War
Word of the hacks got out on the Internets and [Joshua] got in touch with folks at Bambu Labs. They worked to a compromise that allowed Bambu to save face – they would allow people to upload their own firmware to the printers: a great victory for hackers that lets us FTP into the devices and print our own files without going through the cloud. All’s well that ends well?
The talk ends with foreshadowing: a cautionary note from back in November 2024. [Joshua] calls it “unusual” that Bambu would simply say “OK, run your own code”. Vendors gotta be vendors, and he predicts that the cat and mouse games will continue. How right he was! But it looks like the game is, for now at least, back in the mouse’s corner.
Bambu Labs needs to tread more carefully. They are in a weird hobbyist marketplace. Unlike commonplace hardware like inkjets and laser printers, 3D printing is still not “mainstream enough”. A significant number of people who buy 3D printers are also capable of modding them.
There are enough independent and open 3D printer drivers and boards on the market already that it won’t take someone long to post instructions for retrofitting the printers with better systems, completely shutting them out of the loop.
Bambu probably did the right thing by allowing custom firmware. That said, none of it matters. They’ve broken their customers’ trust, and that’s not as easily repaired as a printer.
bambu is interesting specifically because they’re at the cusp of it being mainstream enough. they’re at the cusp of the hackers being an insignificant part of their userbase. or, they might be, anyways. they certainly seem closer than anyone that came before. they’re making choices from the perspective of serving the market they want to serve, instead of the one that everyone could see when they started r&d a few years ago.
so i don’t know what they should do but i wouldn’t say that they need to do the same things previous entrants needed to do. if i wanted to cobble together a reprap like the printer i started with a decade ago, it’s only gotten easier…bambu doesn’t hurt me at all if i go my own way, and i don’t think i hurt bambu if i do go my own way. but instead i went with a mass-produced printer this time around, and artillery3d sold me a printer for $169 shipped. and i just have a hard time believing that artillery3d really gained anything by me doing that.
i’m saying it’s hard for me to even believe in the market right now haha
but there sure is a different odor to it when they’re consciously thwarting the efforts of actual end users. it’s one thing to evolve your firmware in response to your goals, but another thing to do it in response to a desire to screw over specific existing users. security-through-obscurity really is good enough for this sort of thing. they get 99% of their benefit from pressuring the ordinary user to follow a certain path…there’s no profit to be made harming the people who just won’t conform to that goal.
but predictions that they’ll lose their revenue if they win this battle against their users seem premature to me.
There is no cuslp and there is a gigantic leap from the current market to mas adoption
They are nice, they are a less of a pain in the ass to use but there’s a gigantic leap to be made before it hits the ink jet type of people
bambu isnt chasing the 3d printer hobbyists money.
They are chasing the 3d printing hobbyists money.
They arent catering to the customer who wants to tweak and mod and pwn their printer. They are trying to provide the “it just works experience”.
I think you meant “3d printer hobbyists market” in the first sentence, but anyway what they’ve done is also piss the small to mid size print farm people off with this one who are they’re real target market. They we’re loved because they just work, but when you can’t run 10~20 of them together as easily someone else will soon be stepping back into this market to take the crown. Breaking the bigtreetech panda touch controller in particular seems like a big mistake for this reason.
On a seperate note may I suggest we collectively rename them bumboo labs as so many people seem to be butt hurt by these new “security” measures.
Your correction was incorrect. I meant “bambu isnt chasing the 3d printer hobbyists money.” like I wrote. And while we are playing pedantic editor of one another. Im pretty sure you meant to write “who are THEIR real target market. ”
While bambu enjoys the small to medium printfarm sales, just as they enjoy selling machines to the printer hobbyists who are whining about their increasing walled garden, Theyre really chasing a potentially larger broader audience of people who ARENT able, capable, nor interested in tinkering around with their printer, people who just want to reliably, and easily PRINT objects.
As for the panda touch controller, They could offer the same sort of upgrade, IF they thought it was worth it to their intended audience. You cant be everything to everyone. While THIS community is upset with their BIG MISTAKE,
There are a ton of options for anyone out there that wants an open source knockoff to tinker and toy with.
Bambu isnt catering to people who want to hack their printers. Theyre trying to become the epson of 3d. Theyre willing to lose a few narrow sales channels for what they see as a potentially much larger audience thats growing every day.
I don’t know why everything has to go through an internet server 🤦🏼♂️. It’s why I don’t print from my phone.
So they can see what you are printing.
Same reason everyone else making anything wants to track & monitor everything you do these days.
It’s worth noting that there “firmware R” option (downgrading the X1C firmware to a version without the root exploit patched) is still explicitly provided by Bambu Lab: https://bambulab.com/third-party-firmware/plan
Basically, if you want to run X1Plus the proposed API changes will not even affect you, as you will be running from an even older firmware revision than the current one.
The real question is:
Who are they selling the user data to?
There is no point in sheep herding users across their servers if there is no serious money in it. And by serious I mean at least the profit on the sale of a printer but every year, again and again.
It is most likely a first step on the way to some kind of subscription model which is what all tech companies want today. They like a continuous revenue model that doesn’t follow the irregular cycle of software and hardware releases. Personally I don’t need a printer that is locked to anyone’s particular ecosystem. Some won’t care but there are too many instance recently of companies changing terms and services post purchase. Trying to put purchased hardware into the realm of licensed software does not sit well with me. I was on the fence about my next printer buy and Bambu just made the decision for me.
exactly this, in their press release they worded it very carefully to make sure people knew that the printers would not be subscription, however they made certain not to mention the cloud services which they eventually want everything to go through. Kind of a catch 22 I believe as well in the future technically you will be able to buy their printer and it will not cost extra, but to actually use it because of “security” reasons you must connect to their servers and to do that you must pay a monthly fee. So a bit of a word salad from them to cover a certain part of their anatomy.
I also believe they are scraping data, there is big $$$ in that so whenever these creepy companies see another line of income they will grab it. And do not think for one second it is just what you are printing, they want to know all your demographics, when you are printing and if they can scrape any data from the camera they will do that as well.
It’s about turning into a printer company that looks just like the 2D document printer companies.
Nice work jwise
Impressive work on the reverse engineering, but I do wonder what kind of problems he has with QML.
I’ve found it actually pleasant to work with. Of course it has some quirks (what doesn’t?) and it takes a bit getting used to, at least if you don’t want to butcher the whole declarative part. After that it “just works”