I am angry at the bait-and-switch Bambu is pulling. I bought one of their printers in the Black Friday sale on the understanding it was reasonably hackable and open. Now they're trying to lock it down so I can't print on my own printer without using their approved software and DRM chain. It's outrageous.
bait-and-switch? We, those who advocate for open source 3D printers, saw it coming from miles away. This has very very clearly been their plan all along, they themselves said as much (e.g. they are doing the "apple model"). They have been very transparent about this, yet people still fell for it.
I don’t understand why you think it was hackable or open?
Since the launch of the X1, it’s been closed firmware and tightly controlled. That’s always been the compromise people make to get one.
I’d really like to understand what bait and switch you think has happened, and what you could do before with officially sanctioned methods that you can’t now?
You can print off an SD card without any special software or online services, the same as you can on Prusa printers. It's just the server/internet stuff that's locked down. Which I wish was open too, but it still has fully unrestricted local printing functionality.
What I don't get...BambuSlicer is open source. And, not only is it open source, it's a fork of PrusaSlicer, so Bambu doesn't have the ability to re-license it.
It's licensed under the Affero GPL which is very strict about the licensing of derived works. That license requires Bambu to include the source code to any additions they make, including all of the logic, keys, etc. that they're baking into any binary distributions. If they don't, they're violating the copyright rights of Prusa and many others.
So, either Bambu has to open source all of this, which defeats the purpose (given that it's already leaked, that's gonna happen anyway) or they have to route everything through a separate program for their own slicer.
I was very against Bambu in the beginning for their lack of proper network (not cloud!) support. Then they added LAN mode and I actually considered getting one. Luckily I was lazy and never got around to it. What the fuck Bambu?? Security, really? Not even HP dares to make that excuse...
Bambu Lab have been quite explicit about this. Their consumer-grade printers rely on a cloud service; for people who want or need printing over a private LAN, they offer the X1E.
I mean, I technically see why authentication may be something they want to consider, especially for the less technically inclined users that Bambu is very obviously targeting.
However, this can be easily achieved without bricking every single third-party integration. That should simply be a toggle in the settings that works entirely locally.
I wish Prusa weren't asleep at the wheel, then we would have bought a core one (that is, the hypothetical variant with large build volume and same quality as bambulab).
Instead, we bought a P1S, which is, technically speaking, a fantastic machine.
Not really asleep at the wheel. More like they invented the wheel, produced the open source slicer (a fork of the original slicer but vastly improved), which was then used by Bambu who could manufacture a printer for less in China rather than in the EU.
Prusa themselves run 600 printers. They are commercial grade. If I were using a printer for commercial design or prototyping I would go with Prusa. Not only because I would prefer my designs were not sent overseas by an always-cloud-connected printer.
I've been following along with a lot of this, because having picked up one of their printers about a month ago, I was immediately very nonplussed with the security. It took some work to get it running isolated on an IoT VLAN, yet still usable from my main machine.
Thus, on first blush, I welcome security improvements from them, but I'm also anxious to see what they hold.
I do wonder where this is going with the keys, because I've seen a lot of "OH LOOK WE HAVE THE KEYS" but nothing about what the keys are used for or how they are useful. Or if they are even useful.
Hopefully there'll be more interesting news about this soon and some solid, technical info.
My understanding is that if I want to print via LAN, I have to auth against Bambu's internet servers, which is most definitely something I don't want.
Actually for my use case this doesn't work at all -- my printers are region locked to China, but I'm not currently in China so I can't connect to those servers -- meaning (I think!) if I upgrade their firmware, I can't print via LAN on my own local network... which just leaves a bad taste in my mouth.
These are great printers, but there's no need for that.
It's vendor lock-in (or DRM), not security. Security would be a protocol based on a user specific secret that doesn't inherently require locking down anything to Bambu Lab only software (think username/password). Vendor lock-in is about locking the user into using Bambu Lab software, which is what we see here.
You would never allow your bank account to be secured with something akin to Bambu Lab's "security fix".
Honestly, the response is not that great. Right off the bat they're just going on the defensive, enumerating "false claims" that the printer will require a subscription etc. But the concern wasn't that Bambu _will_ do that, but that they _could_ do that, and generally that inserting Bambu's infrastructure as a mandatory step in the printing pipeline is _not great_.
Then, the first point in their `truth about the update` section:
> This is NOT about limiting third-party software. We're creating Bambu Connect specifically to ensure continued third-party integration while enhancing security. We're actively working with developers like Orca Slicer to implement this integration.
The `we're actively working` with Orca was already addressed by the OrcaSlicer developer [0]
> Bambu informed me of this change two days before their announcement.
and Bambu's idea of "working with" is helping to implement a redirect from Orca to their own software that would actually start the print. Seems like limiting third-party software to me.
> This is beta testing, not a forced update. The choice is yours.
This is bizarre; surely beta firmware is intended to be release firmware at some point? If anything, the community outrage proved the beta track to work as intended.
> About Panda Touch. We reached out to BTT as soon as we became aware of their product. We warned them that using exploited MQTT protocols...
Also addressed by BQ in [1]; tl;dr they tried to work with Bambu but didn't get much response, only a warning that the MQTT might stop working in a future update. So technically Bambu _reached out_, but only to say "don't improve our product". In the end, Bambu is screwing over their customers more than BQ.
Further down they still go and defend their decision
> When using third-party slicing software like Orca Slicer, the difference in users experience is not much.
and proceed to demonstrate that Orca Slicer will _easily_ open the new app which will be able to start the printing. Which is exactly what the community complained about, and doesn't address things like missing Linux support.
Finally, they're presenting a diagram showing what the new flow looks like. Except the diagram is missing any details about what the new software does — it doesn't show how, when and why the new software communicates with the cloud.
For someone with even a cursory understanding of security, the changes just don't make much sense, and Bambu is not doing much to explain the security protocols they're trying to implement. For all I know they just slapped a private certificate somewhere in the Bambu Connect app and started signing requests to the printer, which doesn't improve security at all if the private key is already public.
Bambu should be working on scaling their consumables and customer service, it takes weeks to resolve any tickets, 8 days to a first response has been normal for them.
I'm kinda curious what this lockdown will do to the efforts to replace their controller and/or firmware with something more open. Something like [1].
It's nice to have a private key to their cloud authentication, but ultimately it's the printer's firmware that's the issue. While Bambu owns and updates that, they can change the keys basically anytime they decide that they have had enough of the alternative Bambu Connect servers that people will inevitably create with the current keys.
I can't imagine the printers being open source or not mattering for that, nor can I see any reasonable government banning printing of specific things. If something is illegal to own or manufacture, that already applies to 3D printers just as much as it did to CNC machines or any other method.
I’m not familiar with the 3D printing space, but it seems like this reverse engineering was inspired by the company's move to clamp down on security of these devices. [1]
From what I understand, this new auth system would make third-party integrations (i.e., “OrcaSlicer”) obsolete and users would be limited to controlling the device via Bambu Connect. This update impacts users who control the device via HomeAssistant and “print farm management” users. I guess first-party support for users with fleets of these printers is dogshit, thus the need for third-party software.
Seems after 3 days of community feedback/outrage, the company is backtracking on the Bambu Connect-only route, instead offering a “Developer Mode” option in firmware which on the surface seems to be what the impacted users need. [2]
> In response, we’ve made the decision to implement an optional LAN mode feature, to provide advanced users with more control and flexibility.
> Standard Mode (Default): By default, LAN mode will include an authorization process that ensures robust security
> Developer Mode (Optional): For advanced users of the X1, P1, A1, and A1 Mini who prefer full control over their network security, an option will be available to leave the MQTT channel, live stream, and FTP open. This feature must be manually enabled on the printer, and users who select this option will assume full responsibility for securing their local network environment. Please note that Bambu Lab will not be able to provide customer support for this mode, as the communication protocols are not officially supported.
Seems this resolves the community concerns. Or am I missing something?
As a precaution, I've blocked my A1 mini from Internet access on the router, and will not apply any firmware updates anymore. I will also not update Bambu Studio anymore (or completely switch to Orcaslicer). I was already using LAN mode exclusively.
Kind of annoying, but I'm not desperately waiting for Firmware updates, everything works fine so far.
Maybe I'm the exception here, but I slice my files and then load them to an SD card and walk them over to my printer. It's not high tech, but since you can't clear the build plate without physically being there, I don't see much of a change. If I really wanted to monitor the build I suppose I could just point a webcam at it rather than use the existing one. But since it prints flawlessly most of the time it seems unnecessary.
I got an A1 mini about a month ago and so far it’s been decent as a beginner's printer. I transfer models to the printer via the microSD card and refused to install their networking software on my machine because I don’t trust it’s safe enough. I'm also very reluctant to get updates whenever they’re pushed. Maybe I'm spooked by past bricked devices, so I keep all my devices dumb and offline as much as I can.
I have Bambu, Qidi and Creality printers.
Qidi is a good compromise between open and 'print-quality-out-of-the-box'. My Q1 pro is easy to hack, but I have not done anything to it because it prints pretty much as well as Bambu.
They disrupted the 3D printer market with printers that just work out-of-the-box at price points where you typically only get enthusiast products that require a lot of tinkering.
A lot of their business model is seemingly based on making long-term sales from consumables. Their solution for multi-color printing is more convenient to use with filament sold by them because they embed information about the filament on proprietary RFID tags.
A couple days ago they announced locking down the API for their most expensive line of printers, locking most API calls to only their own software because of "security". Users are obviously upset.
Rumours for the reasons range from protecting themselves from user mods that replicate the RFID functionality on any filament by configuring the printer via API calls, to Bambu Labs wanting to launch some kind of subscription service for print farms.
NelsonMinar | 1 year ago
More info on the hacking (the first in what may be a long stupid fight): https://hackaday.com/2025/01/19/bambu-connects-authenticatio...
nialv7 | 1 year ago
dagmx | 1 year ago
Gigachad | 1 year ago
dlgeek | 1 year ago
whatsthatabout | 1 year ago
The current implementation (the Bambu network plugin thingy) isn't a part of it either, it's downloaded by the client when BambuStudio is opened.
franga2000 | 1 year ago
jdietrich | 1 year ago
https://store.bambulab.com/products/x1e
iamsaitam | 1 year ago
moooo99 | 1 year ago
ThouYS | 1 year ago
teruakohatu | 1 year ago
mikelovenotwar | 1 year ago
c0nsumer | 1 year ago
lvturner | 1 year ago
ipv6ipv4 | 1 year ago
hWuxH | 1 year ago
- what the firmware does: verify these operations, meaning it can reject MQTT messages with an invalid/missing signature from third party software
- the big flaw with that approach: by extracting the key, third party software can get full access again
- improvement to security: none (that obfuscation layer doesn't prevent anything if the printer/cloud were vulnerable)
authentication stays the same as before: https://git.devminer.xyz/archive/bambu-connect/src/commit/47...
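As an added illustration of the list above (constructed here, not code from this thread or from Bambu Lab), a hypothetical HMAC-signed command check in Python contrasting the two key models the thread discusses: a vendor-wide key shipped inside every copy of the client, and a per-printer secret created at pairing. The command format, key values and function names are all assumptions, not Bambu's protocol.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical model (not Bambu Lab's real protocol): the firmware executes a
# command only when it carries a valid HMAC-SHA256 over the canonical JSON body.

def canonical(command: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(command, sort_keys=True, separators=(",", ":")).encode()

def sign(key: bytes, command: dict) -> str:
    return hmac.new(key, canonical(command), hashlib.sha256).hexdigest()

class PrinterFirmware:
    """Firmware side: it trusts whichever key it was provisioned with."""

    def __init__(self, trusted_key: bytes):
        self._trusted_key = trusted_key
        self.executed = []

    def handle(self, command: dict, signature: str) -> bool:
        expected = sign(self._trusted_key, command)
        if not hmac.compare_digest(expected, signature):
            return False  # invalid/missing signature: rejected
        self.executed.append(command)
        return True

COMMAND = {"command": "print", "file": "benchy.3mf"}  # constructed sample

# Model 1: one vendor-wide key compiled into every copy of the official app.
VENDOR_APP_KEY = b"constructed-vendor-wide-app-key"  # placeholder, not a real key

def embedded_key_model() -> dict:
    fw = PrinterFirmware(VENDOR_APP_KEY)
    return {
        # the official app signs with the key baked into it
        "official_app": fw.handle(COMMAND, sign(VENDOR_APP_KEY, COMMAND)),
        # a third-party tool holding the same key (it ships in every app copy)
        # produces an identical signature, so the firmware cannot tell them apart
        "third_party_with_key": fw.handle(COMMAND, sign(VENDOR_APP_KEY, COMMAND)),
        # a tool without the key is the only thing this check actually stops
        "unsigned_client": fw.handle(COMMAND, sign(b"not-the-key", COMMAND)),
    }

# Model 2: a per-printer secret generated on the printer at pairing and handed
# only to the software the owner chooses, so nothing public can sign commands.
def pairing_secret_model() -> dict:
    printer_secret = secrets.token_bytes(32)  # created at pairing, never shipped
    fw = PrinterFirmware(printer_secret)
    owners_client_key = printer_secret        # given to the owner's slicer of choice
    return {
        "paired_client": fw.handle(COMMAND, sign(owners_client_key, COMMAND)),
        # the vendor-wide key from model 1 buys nothing here
        "vendor_key_only": fw.handle(COMMAND, sign(VENDOR_APP_KEY, COMMAND)),
        # a client on the LAN that was never paired is rejected
        "unpaired_client": fw.handle(COMMAND, sign(secrets.token_bytes(32), COMMAND)),
    }
```

Model 1 only distinguishes "has the app's key" from "does not", which is the obfuscation layer the list above describes; model 2 is what a user-specific secret would look like.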
asah | 1 year ago
https://blog.bambulab.com/updates-and-third-party-integratio...
hn8726 | 1 year ago
[0] https://github.com/SoftFever/OrcaSlicer/issues/8063#issuecom...
[1] https://old.reddit.com/r/BIGTREETECH/comments/1i5lzzf/latest...
KennyBlanken | 1 year ago
I know it's not exactly a zip bomb, but it's kinda close, and goddamn, that's obnoxious.
spaceguillotine | 1 year ago
userbinator | 1 year ago
MezzoDelCammin | 1 year ago
[1] https://github.com/ChazLayyd/Bambu-Lab-Klipper-Conversion
DoctorOetker | 1 year ago
I suggest we collectively print Tiananmen Square Tank Man scenes.
[0] https://www.reddit.com/r/BambuLab/comments/1i548m9/comment/m...
buckle8017 | 1 year ago
bigiain | 1 year ago
Anyone got a link to a good .stl?
throwaway48476 | 1 year ago
franga2000 | 1 year ago
s0rce | 1 year ago
dymk | 1 year ago
arduinomancer | 1 year ago
2D printers are not open source and you can still print pretty much anything
xyst | 1 year ago
[1] https://blog.bambulab.com/firmware-update-introducing-new-au...
[2] https://blog.bambulab.com/updates-and-third-party-integratio...
elcapitan | 1 year ago
whatevermang | 1 year ago
onemoresoop | 1 year ago
hamandcheese | 1 year ago
dgrabla | 1 year ago
ChrisArchitect | 1 year ago
https://en.wikipedia.org/wiki/Bambu_Lab
wongarsu | 1 year ago