baltobu/reverse-networking
31
5
Fork 6
Code Issues 3 Pull requests 1 Projects Releases Packages Wiki Activity Actions

Implement authorization control system? #5

New issue
Open
opened 2026-05-28 20:28:58 +00:00 by j4k0xb · 0 comments
j4k0xb commented 2026-05-28 20:28:58 +00:00
Member
Copy link

The network plugin includes secrets - most notably an RSA private key - but it is not used as a conventional security measure. Instead, it serves as a proof-of-possession mechanism to indicate to the printer/cloud that the official plugin is in use, effectively functioning as an ecosystem control feature.
Of course, the term "proof-of-possession" feels a bit ironic in practice, given that the key is not actually secret in any meaningful sense and is shipped to every user through the network plugin installation.
Here's my more detailed research about the implementation: https://f.sfconservancy.org/j4k0xb/reverse-networking/src/branch/authorization-control/Authorization%20Control

In practice, any legitimate user with a valid account and printer can perform the relevant "critical operations" through Bambu Studio. However, without these cryptographic components, full compatibility with newer firmware versions and the associated cloud features is not achievable.
It should also be noted that developer mode does not provide full simultaneous LAN and cloud operation, nor cloud compatibility, since some features remain gated by authentication and attestation mechanisms.

Regarding the baltobu reverse-networking project:

  • Will this project aim for a minimal, clean-room reimplementation with partial functionality,
  • or leverage the distributed secrets - which would remain subject to AGPLv3 - to achieve full compatibility with printers and the cloud, while staying within legal and ethical boundaries?

I'm asking not only because of third-party slicers, but also regarding Bambu Studio itself:

SFC and our volunteers are within our rights to reverse-engineer these libraries for the purpose of creating our own Source Code that can function as a drop-in replacement in Bambu Studio.
https://sfconservancy.org/news/2026/may/18/bambu-studio-3d-printer-agpl-violation-response/

The network plugin includes secrets - most notably an RSA private key - but it is not used as a conventional security measure. Instead, it serves as a proof-of-possession mechanism to indicate to the printer/cloud that the official plugin is in use, effectively functioning as an ecosystem control feature. Of course, the term "proof-of-possession" feels a bit ironic in practice, given that the key is not actually secret in any meaningful sense and is shipped to every user through the network plugin installation. Here's my more detailed research about the implementation: https://f.sfconservancy.org/j4k0xb/reverse-networking/src/branch/authorization-control/Authorization%20Control In practice, any legitimate user with a valid account and printer can perform the relevant ["critical operations"](https://blog.bambulab.com/firmware-update-introducing-new-authorization-control-system-2/) through Bambu Studio. However, without these cryptographic components, full compatibility with newer firmware versions and the associated cloud features is not achievable. It should also be noted that [developer mode](https://wiki.bambulab.com/en/knowledge-sharing/enable-developer-mode) does not provide full simultaneous LAN and cloud operation, nor cloud compatibility, since some features remain gated by authentication and attestation mechanisms. **Regarding the baltobu reverse-networking project:** - Will this project aim for a minimal, clean-room reimplementation with partial functionality, - or leverage the distributed secrets - which would remain subject to AGPLv3 - to achieve full compatibility with printers and the cloud, while staying within legal and ethical boundaries? I'm asking not only because of third-party slicers, but also regarding Bambu Studio itself: > SFC and our volunteers are within our rights to reverse-engineer these libraries for the purpose of creating our own Source Code that can function as a drop-in replacement in Bambu Studio. > https://sfconservancy.org/news/2026/may/18/bambu-studio-3d-printer-agpl-violation-response/
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
cluster_security
clusterm_main
cluster_no-tls-fallback
cluster_video-transcoding
No results found.
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
baltobu/reverse-networking#5
No description provided.