FW 1.08.03.00 from Bambu WILL BREAK ORCASLICER for X, P and A series #8063
Comments
Yeah, this is scandalous...just read it this morning. You will have to export .3mf files from Orca to Bambu Connect (beta, that doesn't support live camera view still) so another layer of crap to go through. I really like that in Orca I can send GCode to more than one brand of printer I own. |
It will be able to be called via a formatted URL but it's still annoying that's for sure, they're taking control over OUR printer |
I am curious to see how they are planning to prevent the usage of libnetworking.so in external software (like Orca), since with BambuStudio you don't require BambuConnect, so the .so definitely includes the whole binding implementation. This can be easily reverse engineered, same as the crappy encryption of log and config files. |
|
Excuse my ignorance but shouldn't we use this report to just implement the new formatted URL scheme? |
There's no real answer to that but complain on social media, email them, file a complaint support ticket...
Yes, but that doesn't fix the inherently bad move by bambu. They have no authority to lock down EVEN LAN MODE! |
This is one option, right. The other is to just build the functionality of the BambuConnect agent into Orca. I had a quick check and it looks like they started to use certificates (maybe x509) for message/payload encryption. The certificate used by the client (BambuStudio or BambuConnect) probably would have to be trusted there upfront (likely included in firmware update). Essentially, mTLS. The thing is, the certificate and its key would have to be embedded both in BambuStudio and BambuConnect. It won't take long to reverse and obtain it. The "problem" Bambu Lab is trying to solve is rather complex and the abilities they have in "solving" it are limited. But of course, one could follow their wishes and implement the URL handler. |
I think there's space for both solutions. I would suggest as a community we should prioritize the URL handler to get unblocked, then pursue the direct implementation. The problem is the latter may end up being a cat & mouse situation which isn't great for the community at large. |
Either way @SoftFever has his work cut out unless someone else implements support in a pull request. I know 1 thing I ain't updating fw unless I have to anymore |
I agree with you.
Did anyone notice that Bambu Lab states that @SoftFever was informed about this upfront? Maybe there were already some thoughts how to continue.
https://blog.bambulab.com/firmware-update-introducing-new-authorization-control-system-2/, section "FAQ" |
Also: Will Orca stay compatible with non-updated printers? |
I had the same thought as @gschintgen, but on a more time sensitive level... The PR containing the updates to the Bambu material presets (and the fix for TPU for AMS) has been merged but Orca hasn't posted a release with those fixes. In this case I can manage, but I'm also worried that future updates to material presets etc will become dependent on "playing nice" with whatever Bambu cooks up. So I definitely hope that @SoftFever will provide some clarity on their intentions for non-updated printers. eta: "also" in 2nd paragraph |
Bambu Lab released "bambu connect" which will fix this issue, you upload the .gcode.3mf file from orca and it will send it to the printer. |
Sure but will Orca be able to query the AMS for what filament is loaded so it knows how to slice and if Bambu introduces new filament types will Orca be able to recognize them? |
It doesn't fix anything until OrcaSlicer is updated to automatically send sliced files through BC. And they still limit what YOU can do with YOUR printer even in LAN mode |
Supposedly the read of values (other than can) is not protected. |
Would be interesting to know expiration dates on those certs as those effectively become the day the printer died if not renewed. A true end of life date. |
For reference, Bambu has an option for "complaints" on their general inquiry form, here. I would encourage anyone who is concerned or opposes this change to use this. |
The only problem with reversing it from their code is it becomes a cat and mouse game with every software update to reverse the cert again. Not to mention it may put Orca at odds with Bambu with them labeling us as some kind of cracking group they can issue C&D legal threats to. Honestly Bambu Connect wouldn't be so bad if it wasn't still in a feature incomplete Beta state and offered a real API that 3rd party slicers can connect through to maintain current functionality, but right now it's half @$$ed and feels like they're trying to push us back to Bambu Studio. In the meantime we don't seem to have a choice in the matter, implement a URL handler for printers on 1.08.xx+ and keep current functionality as legacy support for those of us who will stay on 1.07.xx. Until Bambu Connect becomes feature complete and obtains a Linux package I will be staying on 1.07.xx for the time being. |
Bambu informed me of this change two days before their announcement. |
Why would we have to go through hoops just to send a file to the printer? It works nicely now, I don't need to add another program in the middle to take care of file sending, it's just going to make things slower. |
Considering BS and OS are a fork of the other, can't you legally just reverse it? |
the "main program" is open source. no need to RE anything. their binary blobs, that the main program interfaces with, are not. whether or not it is legal to RE that has nothing to do with OS' license. |
I heard back from their development team; they are not going to greenlight OrcaSlicer to send prints directly to their machine. It has to be done through their Bambu Connect application. |
Well that just sucks. Definitely not updating fw now until they kill legacy mode |
They use a closed-source network plugin to communicate with their printer. They are going to require authentication to use the plugin, so... |
@SoftFever Can you please keep the current functionality for all that go LAN Only mode and stop updates as it is now as a separate way of connecting additionally to whatever cloud connection they want to go for? |
If this was really about security and invalid costly usage of their APIs they would provide a key for usage of the networking plugin to Orca. They could literally review the usage/invocation in Orca and they'd have leverage to ensure it is used properly there. This is NOT about any of the above. This is about lock-in and control. I am no pessimist but you have to face the facts. All of you have correctly pointed out that obtaining certificates by reversing of the plugin is a cat and mouse game. But even if it's just about resistance to their malicious practice, I believe it's the right choice to pick the battle. Edit: this however shall not be affiliated in any way with Orca due to various reasons, including but not limited to legal concerns. |
https://public-cdn.bambulab.com/upgrade/studio/plugins/01.08.02.07/c720e2a898/linux_01.08.02.07.zip For using linux just change the mac to linux in the url. |
I received additional info in reply to a ticket. It is a mix of good and
bad news.
The biggest coal nugget is how certificates will indeed at some point
completely kill a lan only printer access except via SD.
They say that certs can somehow be updated via SD, I have asked for those
details. But in same sentence they mention using Studio.
It also seems like perhaps they are abandoning blocking reverting
firmwares. That is a big win if so.
The other giant thing that they do in every communication is to say they
are only talking about this beta and now add that this work around may not
make it to production.
Dear Customer,
Thank you for the reply.
We understand that there may be some misunderstandings and incorrect
information circulating in the community and online. Please allow us to
clarify the following:
- The information we provided is not limited to the current beta
version. If this mechanism or feature is officially introduced in the
future, the statements in the blog will remain valid. Therefore, our
clarifications regarding other false information remain valid.
- We do not force users to always connect to the *Cloud* to use the
printer. Users can still choose to operate the printer *offline* in *LAN
mode/LAN Developer Mode* or use methods such as *SD cards* for fully
offline printing infinitely.
- For certificates
- When the printer is connected to the network, the printer can update
the certificate before it expires.
- When the printer is in LAN mode, the certificate can be updated
through Bambu Studio; in the absence of a network connection, the
certificate can also be updated via an SD card.
- In a pure offline mode (PC and the printer don't connect to any
WLAN), even if the printer certificate expires, the printer can still
initiate printing via the SD card.
- We will *not force or automatically update* the printer firmware
without a notification. You also have the option to
*downgrade/rollback* your
printer's firmware to an older version if you wish at any time.
Please do not hesitate to contact us if you have any further questions or
concerns.
Best regards,
Bambu Lab Customer Support
…On Wed, Jan 22, 2025, 4:46 AM Icees ***@***.***> wrote:
Got some info from BambuLab support about certificates, maybe interesting
for others:
In the standard protocol of certificates, certificates must have a
validity period. For certificate authorities, different types of
certificates have varying validity periods. However, the following
information can be confirmed:
1. When the printer is connected to the cloud network, it can update
the certificate before it expires.
2. When the printer is in LAN mode, the certificate can be updated
through Bambu Studio; without a network connection, the certificate can
also be updated via an SD card.
3. In a pure offline mode (PC and printer don't connect to any WLAN),
even if the printer certificate expires, the printer can still initiate
printing via the SD card.
<<<
But still got no info on how long certificates are valid.
|
I made Bambu a little Orca-themed present of Orcas jumping over walls of bamboo grown from their logo, for their "year of the snake" contest, seeing as how they're acting a little.. uh.. snake-like. https://makerworld.com/en/models/1026007#profileId-1008173 |
Note that right now, I'm not aware of a method to downgrade firmware offline - I hope this is coming in a future firmware update. AFAIK downgrading currently requires:
Offline firmware upgrades are supposed to be possible as of the current (non beta) X1C release, but there hasn't been a release since then to test it with. Both offline firmware upgrades and downgrades are extremely important, especially in many years time when there's no guarantee of Bambu Lab still hosting the firmware files, maintaining Bambu Handy or even existing. |
Could you add your original ticket text? The wording of that may have some interesting implications for the understanding of this response. |
There is an official wiki entry including a download link to an offline bundle of the current non beta firmware 1.08.02: https://wiki.bambulab.com/en/x1/manual/X1-firmware-update-from-SD-card |
It's not clear from the response if developer mode actually needs a certificate for the printer to continue operating? |
This is an amusing take on this fiasco… https://youtu.be/iA9dVMcRrhg
|
|
As I understand it, you will still need a certificate even in Developer Mode. |
As the channels are already TLS and dev mode is just a toggle to leave them
open it will need TLS certs. Moreover the fact they say that whenever cert
expires you can always use SD tells me they fully expect it to self isolate
at that time and since they don't support dev mode, you are done.
…On Wed, Jan 22, 2025, 5:08 PM rocket59 ***@***.***> wrote:
It's not clear from the response if developer mode actually needs a
certificate for the printer to continue operating?
|
At the end, this question/point is for me the most essential. |
Is the certificate expiry on dev mode a real problem? Would it be possible to create a new network plugin that does ignore the expiry? And for the printer, does the printer even know the time? If it does can we just set it to the past? |
Certs are placed on the printer. I've not heard back on how to use SD to
place new certs on printer, but their support has told me twice it can be
done. If so, it won't be an issue. Supposedly Bambu Slicer can also do it
on an internet blocked printer, so maybe Orca devs know if they can push
replacements.
…On Fri, Jan 24, 2025, 4:31 AM axhe ***@***.***> wrote:
Is the certificate expiry on dev mode a real problem? Would it be possible
to create a new network plugin that does ignore the expiry? And for the
printer, does the printer even know the time? If it does can we just set it
to the past?
|
Forgot to mention. Expiry is set in cert, but the consumer of it (PC)
checks the validity. This happens at the protocol level I believe.
Unfamiliar with specifics of ftps, mqtts, etc.
…On Fri, Jan 24, 2025, 4:31 AM axhe ***@***.***> wrote:
Is the certificate expiry on dev mode a real problem? Would it be possible
to create a new network plugin that does ignore the expiry? And for the
printer, does the printer even know the time? If it does can we just set it
to the past?
|
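Added example, not part of the thread and not Bambu Lab or OrcaSlicer code: a Go program illustrating the point discussed above, that the expiry is written into the certificate while the verifying side enforces it against its own clock. The certificate, the subject name `printer.example` and the dates are constructed for illustration; nothing here reflects Bambu's actual certificates or their validity periods.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newSelfSigned builds a constructed self-signed cert valid only in [notBefore, notAfter].
func newSelfSigned(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "printer.example"},
		NotBefore: notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkAt plays the verifying peer: cert is its trust anchor, verifierClock is its "now".
func checkAt(cert *x509.Certificate, verifierClock time.Time) string {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: verifierClock})
	var inv x509.CertificateInvalidError
	switch {
	case err == nil:
		return "valid"
	case errors.As(err, &inv) && inv.Reason == x509.Expired:
		return "outside validity window" // Go uses Expired for not-yet-valid too
	default:
		return "rejected: " + err.Error()
	}
}

func main() {
	nb := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC) // constructed one-year window
	cert, err := newSelfSigned(nb, nb.AddDate(1, 0, 0))
	if err != nil {
		panic(err)
	}
	for _, months := range []int{-6, 6, 18} {
		fmt.Println(months, checkAt(cert, nb.AddDate(0, months, 0)))
	}
}
```

The same certificate bytes are accepted or rejected purely on the verifier's notion of the current time, which is why an accurate clock on the checking side is part of the trust decision.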
Well this just settles it. DO NOT update if you want to remain using orcaslicer #8103 (comment) or you'll be going sd card route (or bambu studio) |
If it works w/o internet access (offline / lan mode) - I'm a little unclear on why the exchange can't be reverse engineered. E.g. this means any signing certs must be local somewhere yeah? Or is this less a matter of technical feasibility and more a matter of what should be done, terms of service, principles, pain in the ass to do it and maintain, ...etc? |
Is version 01.04.00.00 safe? Or is it just version 01.08.03.00 |
You can safely update an X1C to the currently latest version 01.08.02.00. it's only 01.08.03.00 and above that will be affected, or flash 'X1Plus' |
This is the way. X1Plus frees you from worrying about this silliness for the X1 series. The P1/A1 series will not be so lucky. |
I hope they will bring an 1.08.02 rootable firmware. As this is the first version that supports offline flashing from SD card. |
They won't. The rooting requires fw 01.07.02.00 or lower; it does NOT specifically require 01.06.58.00. Loading X1Plus makes use of an exploit in that version or earlier. That exploit was patched in 01.07.03.00; latest x1plus uses 01.08.00.00 |
I don't expect Bambu to produce another rootable version. But once you have v1.06 internally (to transfer control to the base firmware on the SDcard) the X1Plus installer downloads newer base firmware to an SDcard without putting the printer online. So v1.08.02 provides no benefit for X1Plus users over the current base v1.08.00. |
Right now, the controversial authorizations planned for v01.08.03 are only for the X1C, are only in beta, and will be "safe", if inconvenient and restrictive. I do not think you need to be concerned about 01.04 for whatever printer you have. |
Can't speak for 1.07.02, but regarding X1Plus doc you should downgrade to 1.06.xx which is officially rootable with a button to get the root ssh password. So they intentionally embedded this option. Did it just last week to test if this version is still provided.
Actually true. Would open the possibility for X1Plus to adapt the official offline bundle as format as it's already available for 1.08.02. |
I'm still waiting on support staff to get back from Chinese new year so they can push the rootable firmware through handy. Right now I can only go to 07.05 and that's not far back enough |
Did work last week for me.. but in two steps... had first downgraded to a 1.07 ... and then to 1.06. worked perfect. Edit: sorry just realized you are waiting for the plan to be "accepted".... thought they have it automated meanwhile... as it was really fast in my case. |
As a user, I care far less about RFID tags than general use. If it's one or the other, I'd choose to ignore RFID altogether. I actually will not be buying any Bambu filament to protest their decisions. Anything that reduces their income can only help them realize their error. I like their ASA and PC but plenty of other options. I'd say the best work around for your scenario will be to allow the RFID reading to be ignored or altered by the user. Essentially, turn the "eyeball" into a "pencil" and treat new stuff as 3rd party. |
Is there an existing issue for this feature request?
Is your feature request related to a problem?
Bambu is going to release a "security" firmware update that will essentially break the current networking plugin, ALL functionality.
https://blog.bambulab.com/firmware-update-introducing-new-authorization-control-system-2/
This includes
Another piece of proprietary blob "Bambu Connect" WILL BE REQUIRED
https://wiki.bambulab.com/en/software/bambu-connect?ref=blog.bambulab.com and will need to be called using a URL scheme
ANY AND ALL BAMBU USERS should immediately complain to Bambu Lab as this virtually takes full control over what YOU can do with YOUR PRINTER! DO NOT UPDATE TO 1.08.03.00 if you rely (like myself) on orcaslicer until support for Bambu Connect has been added!
Which printers will be beneficial to this feature?
Others
Describe the solution you'd like
Implement support for Bambu Connect
Describe alternatives you've considered
There are no alternatives
Additional context
No response