
Reverse Engineering Bambu Connect

https://wiki.rossmanngroup.com/wiki/Reverse_Engineering_Bambu_Connect
I am angry at the bait-and-switch Bambu is pulling. I bought one of their printers in the Black Friday sale on the understanding it was reasonably hackable and open. Now they're trying to lock it down so I can't print on my own printer without using their approved software and DRM chain. It's outrageous.

More info on the hacking (the first in what may be a long stupid fight): https://hackaday.com/2025/01/19/bambu-connects-authenticatio...

bait-and-switch? We, those who advocate for open source 3D printers, saw it coming from miles away. This has very very clearly been their plan all along, they themselves said as much (e.g. they are doing the "apple model"). They have been very transparent about this, yet people still fell for it.
I bought a printer. It had some stuff. I didn't want that stuff to be gone after I bought it. That's a bait-and-switch, because they didn't explicitly say "be aware, that stuff is going away on Jan 2025".
AFAIK, Apple has never retroactively removed functionality from devices people already purchased

Selling a walled garden is one thing, building walls around a garden you already bought is another thing entirely

Open source didn't compete on quality for price. I could pay 2k plus 40 hours of my time for a Voron or buy something that just works. I think Prusa only put out their CoreXY offering after they realized Bambu was eating their lunch. The Apple model works because people want to print rather than tinker.
Well Prusa was open and did compete.

But for 3D printers that worked out of the box under $1000, Prusa had no real competition itself.

The Mk3 came out in 2017 and I swear Prusa just sat on their laurels. I was a Mk3s+ owner (well, still am) and was pretty disappointed how little improved with the Mk4.

Bambu’s competition was Prusa and they clearly strived to improve over what Prusa had accomplished.

> Open source didn't compete on quality for price.

Well, Open Source did compete on one quality very well: being open, hackable and staying that way. With this being removed from Bambu lab printers it seems as if this is a very much valued aspect for many 3D printing enthusiasts, yet few people were willing to compromise for this aspect.

Apparently it is true, you don’t know how much you value something until you don’t have it anymore

I paid ~$750 for my 350mm Voron 2.4 kit (and, sure, 40 hours of my time. But look, you want to do 3D printing, 40 hours are just a small initial investment).
It really depends upon the target market. That's fine for hobbyists. But I use the Bambu X1 for small-scale prototyping in a company, and it has to be usable out of the box. We can't justify an entire week of labour for each printer we buy.

The Bambu has been ideal for that reason. Every material pretty much just works, and the quality is excellent. The cloud integration and janky LAN mode is the downside, and this current topic even moreso.

> But look, you want to do 3D printing, 40 hours are just a small initial investment

No. None of this crap. I want to 3D print. I don't want to service industrial machinery in my spare time. Why should 3D printing require spending weekends troubleshooting machines just to keep the thing working? I want to print models not play repair technician.

Vorons are fantastic printers and a fantastic kit if 3D printing itself is your hobby. 3D printing is a fantastic hobby. There's tons of fun to be had building up and dialing in a printer kit. A well tuned voron can be up with the best of the best 3D printers. If that's what you want to do go for it!

But for heaven's sake I want to print models, parts and other practical things. I have other things to do and problems to solve. My 3D printer is a tool. If I have to spend just as much time working on the machine as I do using to actually print things then I'm not interested.

Bambu is still the best game in town for a turn-key, just works printer. Prusa can deliver the same experience at double to triple the ticket price. A voron is not a replacement for a Bambu printer no matter how good the printers actually are.

>Why should 3D printing require spending weekends troubleshooting machines just to keep the thing working? I want to print models not play repair technician.

I’m sympathetic to your POV but the reason you should is that’s the price to keep things open.

Obviously many people don’t care about that. Fair enough. But then you should be prepared to deal with their shenanigans.

Prusa also does things like maintain and develop printables.com and PrusaSlicer (itself forked) which many of these closed printers fork with minimal changes.

People don’t care about this either. So again, get ready to deal with garbage when Prusa goes under.

I think it’s sad since the whole domestic 3D printer thing started as open source.

QIDIs might need a slight bit more tinkering with settings for new filaments but they’re pretty solid and offer more than Bambu does for the money

Comparing Bambu to Voron is an absurd comparison

because 3d printing is not there yet.

the whole process is basically cnc but with z hops and extruding instead of removing material.

we do not even have conical slicing yet.

Damn that's cheap! What vendor did you use?
Curious if anyone has tried the Core XY printers from Creality? I think they use open source software and are generally in the same ballpark as the Bambu printers price-wise. Also saw they have a similar AMS style system as well.
There's a middle ground between the Apple model and assembling everything yourself.
> The Apple model works because people want to print rather than tinker.

Entirely this. I bought my A1 mini over the Christmas holidays and couldn't be happier with it, it's my first 3D printer. Searching for models on Makerworld, adjusting tiny bits here and there if needed and print. It just works and I don't really care about anything else, much like my Brother printer.

it just works until it doesn't
"Fell for it" implies that everyone buying a Bambu printer expected some degree of openness. Maybe some customers actually want an "Apple model", where the device mostly looks after itself and "just works" as much as possible.
As someone who recently bought a bambu printer, I have to agree: I am not surprised. Still disappointed, but in no way surprised. The "apple experience" is why I went for a bambu device (along with the price, and some excellent recommendations from friends). I was even surprised that the "LAN Mode" actually works somewhat well. Should have got a prusa...
Come on even makerbot wasn’t that blatant. I believe a lot of us haven’t seen it coming.
You can print off an SD card without any special software or online services, the same as you can on Prusa printers. It's just the server/internet stuff that's locked down. Which I wish was open too, but it still has fully unrestricted local printing functionality.
> on the understanding it was reasonably hackable and open

Where did this understanding come from? I'm pretty happy with my Bambu printer, but I was never under any understanding that it was hackable, let alone open. Since the beginning I was slightly frustrated at the RFID filament spools not being open enough for others.

> on the understanding it was reasonably hackable and open

I, honestly, have no idea why you thought that. Bambulab has been under fire from the very beginning about not being open at all and not contributing back to the open source community they're built on.

I bought one of their printers during black friday too, it took me a long time to get over the fact that it isn't an open printer, and I never want to go back to tinkering for hours to get meh quality prints.

Is this a defect under the EU law?

If so one could get a refund :)

> standing it was reasonably hackable and open

Not sure where you got this idea from. Despite the hacking, print from SD Card remains an option, and the device does not need an internet connection for initial setup. Version 01.08.02.00 is the first firmware version that supports offline updating, even if it is also the latest version.

That makes as much sense as saying you bought an Apple laptop expecting it to be hackable
I was very against Bambu in the beginning for their lack of proper network (not cloud!) support. Then they added LAN mode and I actually considered getting one. Luckily I was lazy and never got around to it. What the fuck Bambu?? Security, really? Not even HP dares to make that excuse...
I wish Prusa weren't asleep at the wheel, then we would have bought a core one (that is, the hypothetical variant with large build volume and same quality as bambulab).

Instead, we bought a P1S, which is, technically speaking, a fantastic machine.

Not really asleep at the wheel. More like they invented the wheel, produced the open source slicer (a fork of the original slicer but vastly improved), which was then used by Bambu who could manufacture a printer for less in China rather than in the EU.

Prusa themselves run 600 printers. They are commercial grade. If I was using a printer for commercial design or prototyping I would go with Prusa. Not only because I would prefer my designs were not sent overseas by an always cloud connected printer.

I think ThouYS may have a point. It seems to me that Prusa were tempted to go after the prosumer/pro market and invested a lot of time and engineering horsepower into higher spec machines (Prusa XL, HT90) and resin printers (SL1S).

A lot of 3D printer companies have tried to go this route. It is not a strategy that tends to succeed.

I don't know their sales numbers, but I would be willing to bet that the ROI on those printers is nowhere near their bread-and-butter, high volume, mass market models.

I think their priority should have been to build something like the Core One (a P1S killer) rather than these expensive and risky forays into pro/prosumer land. The Core one is, realistically speaking, at least 24 months late to market. This was avoidable.

Everyone who operates a 3D printing farm, and who isn't a complete muppet, knows that closed down products like those of Bambu Labs are risky. Both because some 3D printer manufacturers kind of have a history of being dickish, and because the big boys are coming after Bambu labs with their patent lawsuits and whatnot. There are clear risks in dealing with companies like Bambu.

Dealing with Prusa involves significantly less risk. This reduced risk has value. You can charge a bit more for Prusa products due to the reputation of the company.

Most people I know who own 3D printers would rather have done business with Prusa. But Prusa only had the MK4 on offer and were burning cash on, let's be frank, irrelevant vanity projects.

Yes, Prusa were very much asleep at the wheel. Or at least, they had some strategic lapses in judgement. Let's hope they understand their customer base better now. I'd be happy to be a bit patient with them if it means we can get something that performs like Bambu printers, but from Prusa.

I'll even be willing to pay perhaps as much as 20% more just because I trust Prusa more than Bambu.

> which was then used by Bambu who could manufacture a printer for less in China rather than in the EU.

I'm not at all convinced that Prusa's main issue is the cost. Yes, cost is a huge part of it, but the other one is also just usability. When the X1C launched and later the A1, there was a huge difference in usability between what Prusa and Bambu had. Prusa is catching up and that is good. But they will have to do more on that front still, and the higher cost is less of a concern. It becomes a problem when the more expensive printer is worse too.

I got my first 3d printer, an MK3S+ a year ago. Pretty late in its lifecycle, but I wanted to spend more time printing than fixing issues.

And it definitely worked! I got the kit and built it within 10h or so (very enjoyable time actually, like building LEGO as a kid) and have printed lots of stuff ever since. During that entire year I only had a clogged extruder one time and had to take that apart a bit. Any other issues I've had were either due to bad filaments or my own errors (not taking long overhangs or low adhesion seriously while slicing).

And all this time I have been using it completely offline with OctoPrint on an RPi.

I'm kinda curious what this lockdown will do to the efforts to replace their controller and/or firmware with something more open. Something like [1]

It's nice to have a private key to their cloud authentication, but ultimately it's the printer's firmware that's the issue. While Bambu owns and updates that, they can change the keys basically anytime they decide that they have had enough of the alternative Bambu Connect servers that people will inevitably create with the current keys.

[1] https://github.com/ChazLayyd/Bambu-Lab-Klipper-Conversion

I've been following along with a lot of this, because having picked up one of their printers about a month ago, I was immediately very nonplussed with the security. It took some work to get it running isolated on an IoT VLAN, yet still usable from my main machine.

Thus, on first blush, I welcome security improvements from them, but I'm also anxious to see what they hold.

I do wonder where this is going with the keys, because I've seen a lot of "OH LOOK WE HAVE THE KEYS" but nothing about what the keys are used for or how they are useful. Or if they are even useful.

Hopefully there'll be more interesting news about this soon and some solid, technical info.

Bambu should be working on scaling their consumables and customer service, it takes weeks to resolve any tickets, 8 days to a first response has been normal for them.
I'm not surprised that 3D printers are turning out to be as hostile as 2D ones. As usual these days, "security" is the excuse.
There's so much open source software, firmware, and hardware out there for FDM 3D printers, I doubt they'll ever get as bad as regular printers. It's much more a tinkerers world than 2D printing ever would be.
With 3D printing out for a while now, there's zero good reason IMHO that there isn't a 2D-plotter retrofit which allows someone to attach one or more [colored] pencils or pens. I'm really shocked the overpriced ink monopolies weren't attacked in this manner, as a young child I distinctly remember a kiosk in a grocery store which 'printed' messages and images on blank cards using colored pencils, for customer order. None of this is remotely new.
> there's zero good reason IMHO that there isn't a 2D-plotter retrofit which allows someone to attach one or more [colored] pencils or pens

This is a thing. Obviously.

https://urish.medium.com/how-to-turn-your-3d-printer-into-a-...

Only a randomly selected tutorial.

> I'm really shocked the overpriced ink monopolies weren't attacked in this manner,

Inkjet and laser printers easily print whole page 300 DPI raster images in seconds. Plotters need vectorial data and their printing speed depends on how complicated what you are printing is. These things simply don’t serve the same use case. You can do nice art and heart warming cards with a plotter, but you can’t hit print on your boarding card / dhl label / word document and expect your plotter to give you what you see on your screen.

> None of this is remotely new.

I agree that none of this is remotely new. Plenty of people tinker with plotters for fun and profit. There are even pre-packaged consumer centric solutions where you pay the price of convenience with lack of freedoms. (See the similar debacle around the Cricut plotters.)

Admittedly, the printing system for 2D Printers is a nightmare. Windows Secured Core PCs, for example, disable all 3rd party printing drivers and only support open driverless standards for printing like Mopria. According to people who have looked at it, let’s just say CUPS in macOS and Linux is not very likely to be a paragon of security, having an RCE scare 3 months ago.

If the printing stacks within operating systems are trash, who knows what horrors your network-connected printer firmware has. (Locking down 3rd party ink cartridges in the name of security - what’s an ink cartridge going to do? Buffer overflow the data it sends to the printer? Oh wait, maybe the printer is that dumb and we’re overthinking this, and it’s more inexcusable than first glance suggests.)

If 3D printing isn't kept open source there's going to be laws about what you can and can't print that will kill innovation.
As a precaution, I've blocked my A1 mini from Internet access on the router, and will not apply any firmware updates anymore. I will also not update Bambu Studio anymore (or completely switch to Orcaslicer). I was already using LAN mode exclusively.

Kind of annoying, but I'm not desperately waiting for Firmware updates, everything works fine so far.

I've been on the fence about purchasing a Bambu. But given the amount of time I've spent over the past few years having to tweak my ender 3 V2 and CR-10- I was leaning towards finally splurging on a X1C.

Question to those more familiar with the bambu software ecosystem - do these recent changes to authentication require a constant online connection to print anything from a machine on the LAN? I'm assuming printing via microSD will still be possible?

I got an A1 mini about a month ago and so far it’s been decent as a beginner's printer. I transfer models to the printer via the microSD card and refused to install their networking software on my machine because I don’t trust it’s safe enough. I'm also very reluctant to get updates whenever they’re pushed. Maybe I'm spooked by past bricked devices so I keep all my devices dumb and offline as much as I can.
Does anyone know what this key is actually used for, and what it enables?
I have Bambu, Qidi and Creality printers. Qidi is a good compromise between open and 'print-quality-out-of-the-box'. My Q1 pro is easy to hack, but I have not done anything to it because it prints pretty much as well as Bambu.
RMS was right
> Bambu Lab is a Chinese tech company that designs and manufactures 3D printers

https://en.wikipedia.org/wiki/Bambu_Lab

They disrupted the 3d printer market with printers that just work out-of-the-box at price points where you typically only get enthusiast products that require a lot of tinkering.

A lot of their business model is seemingly based on making long-term sales from consumables. Their solution for multi-color printing is more convenient to use with filament sold by them because they embed information about the filament on proprietary RFID tags.

A couple days ago they announced locking down the API for their most expensive line of printers, locking most API calls to only their own software because of "security". Users are obviously upset.

Rumours for the reasons range from protecting themselves from user mods that replicate the RFID functionality on any filament by configuring the printer via API calls, to Bambu Labs wanting to launch some kind of subscription service for print farms.

Bambu Lab filament pricing is very similar to Sunlu pricing if you purchase the same minimum quantities as Sunlu, but Bambu Lab has a wider variety of filament that people actually want. The only thing that really helps them make more money is wasteful multi-color printing.
> Unpacking app.asar without fixing it first will result in an encrypted main.js file and 100 GB of decoy files generated, don't try it.

I know it's not exactly a zip bomb, but it's kinda close, and goddamn, that's obnoxious.

I'm interested what others think of their existing design and whether there are any fundamental security issues that will be resolved by their proposed change.

They are proposing requiring a secret signed certificate to carry out any actions beyond monitoring for both the cloud and local (on printer) MQTT servers. These certificates would be issued at the discretion of Bambu by their CSR, currently only for "Bambu Studio" their slicer, Bambu Handy (their mobile app) and "Bambu Connect" which will enable uploading G-Code generated by a third party slicer (a workaround for existing functionality being removed). This "secret" certificate has already been extracted from the Bambu Connect application as per the article, as their new security model requires embedding this certificate into desktop applications.

The current design:

https://github.com/Doridian/OpenBambuAPI/blob/main/mqtt.md

Connecting to their cloud MQTT requires a username and token already. These details are obtained via an HTTPS request to their login server using your bambu account (which requires a valid email & possibly captcha) to obtain a token. The cloud MQTT is TLS secured, although this is just to encrypt the traffic (aka HTTPS), it is not mutual authentication.

Connecting to the MQTT server hosted on the printer (aka LAN mode) requires a fixed username and a local access token (a random 8 digit number). This can be found via the physical display of the printer in a menu (or apparently cloud MQTT!?). This access token can be refreshed via a menu option again physically at the printer. To be clear, this token only allows you to connect directly to the local MQTT server running on the IP address of the printer, so in most environments this should only be the local network. This is also the password for the FTP server that can be used to upload/download sliced 3mf/gcode files.

Personally - this design seems ok to me? With an MQTT service properly configured to isolate user accounts from each other, this is a pattern widely deployed for embedded devices (Azure IoT, AWS IoT etc).

I don't see how the "DDOS" related issues they are claiming would be related to this specific design. If the issue is in the login server - well, that's prior to authentication anyway so nothing they are doing here will fix that.

If it's problems with your cloud MQTT service not being properly isolated - maybe fix that? If the DDOS is at L2, auth isn't going to help. You require logins tied to an email, you can block clients that misbehave once they are logged in.

Nobody is brute forcing the local MQTT server via XSS or something, because JS doesn't allow for raw TCP connections. Are they concerned about malicious software already on the network? Then rate limiting on the printer side or switch to a random length alphanum LAN token to increase keyspace.

I'm curious what more qualified people think, I cannot see any justifications for their proposed design improving security. So either;

a) They've decided they are incapable of properly securing their MQTT cloud stuff and instead of fixing that just want to assume every client connected to their cloud MQTT servers is fully trusted. I'm sure that'll work great. Doesn't justify adding this to the local MQTT servers on the printers - if anything that reduces security, as to roll certificates you now have a long tail of printer firmware updates.

b) It's not about security
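The comment above argues that an 8-digit numeric LAN token is a keyspace problem best addressed by printer-side rate limiting or a longer alphanumeric token, not by a client certificate. The code below is an added illustration written for this edit; it is not Bambu's firmware, not code from the wiki page, and not from the OpenBambuAPI repo. It computes token entropy for the two schemes discussed, then models a hypothetical verifier with constant-time comparison, a per-client failure budget and a lockout window, so you can see how many guesses actually get compared during a sustained guessing run. The lockout parameters, the client identifier (an IP string) and the deterministic clock are assumptions made for the example.

```python
import hmac
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits


def token_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random token of `length` symbols."""
    return length * math.log2(alphabet_size)


def expected_guess_time_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random token by exhaustive guessing
    (on average half the keyspace must be tried)."""
    return (2 ** bits) / 2 / guesses_per_second


def generate_lan_token(length: int = 16) -> str:
    """Alphanumeric token from a CSPRNG, the alternative the comment suggests."""
    return "".join(secrets.choice(ALNUM) for _ in range(length))


class ManualClock:
    """Deterministic clock so the lockout behaviour can be checked offline."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class RateLimitedVerifier:
    """Hypothetical printer-side token check (assumption, not Bambu's design):
    constant-time comparison, `max_failures` wrong guesses per client, then a
    lockout during which nothing is compared at all."""

    def __init__(self, token: str, max_failures: int = 5,
                 lockout_seconds: float = 60.0, clock=ManualClock()) -> None:
        self._token = token.encode()
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._clock = clock
        self._state = {}        # client -> (failure_count, locked_until)
        self.comparisons = 0    # how many guesses were actually compared

    def verify(self, client: str, presented: str) -> bool:
        now = self._clock()
        count, locked_until = self._state.get(client, (0, 0.0))
        if now < locked_until:
            return False        # locked out: reject without comparing
        self.comparisons += 1
        if hmac.compare_digest(self._token, presented.encode()):
            self._state.pop(client, None)
            return True
        count += 1
        if count >= self.max_failures:
            self._state[client] = (0, now + self.lockout_seconds)
        else:
            self._state[client] = (count, 0.0)
        return False


def guesses_compared_in(verifier: RateLimitedVerifier, client: str,
                        clock: ManualClock, window_seconds: int,
                        guesses_per_second: int) -> int:
    """Feed the verifier wrong guesses at a fixed rate for `window_seconds`
    and report how many were actually compared against the token."""
    before = verifier.comparisons
    for i in range(window_seconds * guesses_per_second):
        clock.now = i / guesses_per_second
        verifier.verify(client, "00000000")   # constructed wrong guess
    return verifier.comparisons - before


if __name__ == "__main__":
    for name, alphabet, length in (("8-digit numeric", 10, 8),
                                   ("16-char alphanumeric", 62, 16)):
        bits = token_bits(alphabet, length)
        secs = expected_guess_time_seconds(bits, 1000)
        print(f"{name}: {bits:.1f} bits, ~{secs:.3g} s at 1000 guesses/s")

    clock = ManualClock()
    v = RateLimitedVerifier(generate_lan_token(), clock=clock)
    compared = guesses_compared_in(v, "10.0.0.5", clock, 600, 100)
    print(f"60000 guesses attempted in 10 min, {compared} actually compared")
```

With the assumed budget of five failures and a 60 second lockout, a client sending 100 guesses per second for ten minutes gets only 50 of them compared, which is why the comment's "rate limiting on the printer side" suggestion does most of the work even before the token is lengthened; the entropy figures show what the longer token adds on top.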

You thought you would be able to print copies of commercial things in the comfort of your home? RIAA would like a word with you.
Bambu sent out a clarification in their blog, you should read it
I’m not familiar with the 3D printing space, but it seems like this reverse engineering was inspired by the company's move to clamp down on security of these devices. [1]

From what I understand, this new auth system would make third party integrations (ie, “OrcaSlicer”) obsolete and users would be limited to controlling the device via Bambu Connect. This update impacts users who control the device via HomeAssistant and “print farm management” users. I guess first party support for users with fleets of these printers is dogshit, thus the need for third party software.

Seems after 3 days of community feedback/outrage, the company is backtracking on the Bambu Connect only route. Instead offering a “Developer Mode” option in firmware which on the surface seems to be what the impacted users need. [2]

> In response, we’ve made the decision to implement an optional LAN mode feature, to provide advanced users with more control and flexibility.

> Standard Mode (Default): By default, LAN mode will include an authorization process that ensures robust security

> Developer Mode (Optional): For advanced users of the X1, P1, A1, and A1 Mini who prefer full control over their network security, an option will be available to leave the MQTT channel, live stream, and FTP open. This feature must be manually enabled on the printer, and users who select this option will assume full responsibility for securing their local network environment. Please note that Bambu Lab will not be able to provide customer support for this mode, as the communication protocols are not officially supported.

Seems this resolves the community concerns. Or am I missing something?

[1] https://blog.bambulab.com/firmware-update-introducing-new-au...

[2] https://blog.bambulab.com/updates-and-third-party-integratio...

This is all nonsense. I just got an A1, and it's my first 3d printer. I don't have any expertise. I've been able to use the Bambu App and Maker world and basically control+P. I've printed about 10 things so far in the first week. I don't see why people are mad. They made the apple of printers. It just works(tm). I don't need anything else. People just get so upset over nothing.
I'm so happy Bambu is getting what's coming to them after screwing us so badly <3
I personally think the outrage I've seen on this issue is generally not justified.

In general people are just scared of change and on top of that are playing telephone on the details of the change, assuming the worst intentions from Bambu like they're trying to be the next HP.

I have seen a lot of misinformation on this topic, and I think that in that sense it's a good idea to read the actual announcement details to get a better read on Bambu's intentions: https://blog.bambulab.com/firmware-update-introducing-new-au...

A voice in Bambu's defense on this issue would say:

1. The new firmware isn't out, it's still in beta, and the new connect software is also in beta. This stuff isn't done and nobody has been forced to use it or even had it presented as an OTA update yet. The problems highlighted in this wiki page are very possibly problems that Bambu is aware of and intends to fix before release.

2. Bambu in their blog article stated that they are working on integration code so that third party slicers like Orca Slicer can more directly interface with Bambu Connect (see the FAQ section)

3. There are multiple statements on this blog page where Bambu acknowledges the workflow disruption and emphasizes the things they intend to do and do not intend to do, such as "It’s important to note that this update is not intended to restrict third-party software use. In fact, we’ve actively collaborated with third-party print farm management software providers in the past and continue to support such partnerships. To further improve the user experience, we are introducing a new software solution that will address these limitations and enhance overall print farm management capabilities."

4. People who don't run huge print farms don't seem to be impacted by this. Remember that Bambu claims to be a consumer tech company, right there in the "About Us" section. They are trying to make printers that are easy to use and require minimal tinkering. For a normal person, sending a slice file from Orca Slicer to a separate app (adding literally one step) is not a big deal, you're doing that once per print in a world where typical prints take hours to complete. And with that in mind, Bambu is still saying they intend to provide an integration solution to Orca Slicer in the future to streamline that process.

Whether or not the software design is a good architecture is an entirely different issue, and as a beta product I'm not sure we can judge that quite yet. Perhaps they should have hardened their network API more rather than introducing a new app? Perhaps they shouldn't have announced this so publicly before they had a solution for third-party integrations ready?

I think people are making a big nothing burger out of this.

Bambu is patching a security issue. Personally I don't want any device or application to send any old G-code to my printer. Like say command the printer to basically destroy itself.

Could this lead to completely locking it down in the future? Yes. But they could do that anyways.

I think this is a way to stop getting their pants sued off.

If they really wanted to lock it down they could just make it so everything has to go through their servers and require files to be signed before being read from SD cards.

But instead we really have a half ass attempt.

Author could start with what this actually is. "An Electron App with Security through Obscurity principles" doesn't tell me much.