BBL Network dll replacement project.
- Python 45.5%
- Rust 34.5%
- JavaScript 10%
- C++ 7.6%
- PowerShell 2.4%
9682198eae
Some checks are pending
windows-readiness / verify (push) Waiting to run
The preset cache now has a non-consuming snapshot path so settings-list callbacks can report real cached preset metadata without draining the user-preset API state. This removes the hardcoded local-default row, keeps existing consume-on-read behavior for bambu_network_get_user_presets, and records the cleanup audit in plain language. The pass also clears strict clippy warnings in the touched Rust package so the cleanroom layer is easier to keep honest during future reverse-networking work. Constraint: CXX bridge method for model rating images still exposes &Vec<String>, so the clippy allow is kept narrowly on that ABI shim. Rejected: Keep emitting a local-default placeholder | it invents cloud state and hides missing cache data. Rejected: Run global cargo fmt across the repo | unrelated dirty crates would be swept into this commit. Confidence: high Scope-risk: moderate Directive: Do not reintroduce synthetic preset rows; prefer empty output over invented cloud metadata. Tested: cargo clippy -p bambu_networking_cpp -- -D warnings Tested: cargo test -p bambu_networking_cpp Tested: cargo check -p bambu_networking_cpp Tested: cargo fmt --check -p bambu_networking_cpp Tested: python tools/run_release_readiness.py --report-path build/release_readiness_report.json Not-tested: Live real-printer FTPS parity; readiness script deferred it because printer IP, device id, CA path, and access code were not supplied. |
||
|---|---|---|
| .github/workflows | ||
| bamboo_model/Fri_May_22/23_53_40#7160#88 | ||
| build | ||
| crates | ||
| docs | ||
| tools | ||
| .gitignore | ||
| Bambu.zip | ||
| Cargo.lock | ||
| Cargo.toml | ||
| README.md | ||
bambu_networking
A reverse-engineered implementation of Bambu Lab's
bambu_networking.dll — the network agent that ships with Bambu Studio
— plus a protocol reference for building Bambu printer
clients without the official DLL or app.
→ Read docs/reference/ first
That folder contains the protocol reference, LAN client guide, cloud client guide, capture playbook, implementation status, and ABI reference in one place.
The original DLL is VMProtect-packed, so static decompilation past
the export table is not practical. The repo instead provides a
drop-in replacement and a live-capture pipeline (Frida + SSLKEYLOGFILE +
offline TLS 1.3 decrypter + in-memory std::string dereference) that
recovers protocol payloads from running Bambu Studio sessions.
What's in this repo
docs/
reference/ ← START HERE
README.md ← reading order
01_protocol_reference.md ← every endpoint, MQTT command, auth flow
02_lan_client.md ← build a LAN-only client
03_cloud_client.md ← build a Bambu-cloud client
04_captured_findings.md ← what we observed live
05_cleanroom_status.md ← Rust crate status
06_capture_playbook.md ← run more captures
07_abi_canonical.hpp ← canonical C++ ABI header
08_abi_implications.md ← why C++ shell + Rust core
09_strategy.md ← phase-by-phase strategy
10_packer.md ← VMProtect characterization
RE/ ← research trail
api/<name>.md ← 128 per-export docs (one per export)
subsystems/<name>.md ← per-subsystem docs (auth, mqtt, http, camera, …)
inventory/<NN>_*.md ← per-finding investigation notes
captured_*.SANITIZED.md ← sanitized live captures
crates/
bambu_networking/ ← cleanroom shim (forwarder/tracing/native)
bambu_networking_cpp/ ← Phase 4 cleanroom runtime (C++ shell + Rust core)
exercise_all/ ← diagnostic 128-export exerciser
tools/ ← 19 helpers (capture, decrypt, sanitize, …)
external/ ← OrcaSlicer + OpenBambuAPI (clone separately)
Quick start: build the drop-in shim
git clone https://f.sfconservancy.org/lazerusrm/BB-Open.git
cd BB-Open
cargo build --release -p bambu_networking
# Output: target/release/bambu_networking.dll
Quick start: capture a live session
pwsh -File tools/capture_session.ps1 -MaxMinutes 15
# Drive Bambu Studio in the UI; when done:
New-Item $env:TEMP\bambu_stop_capture.flag
# Auto-tears-down, decrypts, writes raw outputs under %TEMP%\bambu_capture_<ts>
# and writes sanitized capture summaries under docs/RE/captured_*_<ts>.SANITIZED.md
External dependencies (clone separately)
These aren't vendored because they're large; clone next to the repo:
mkdir external; cd external
git clone --depth=1 --filter=blob:none --sparse https://github.com/SoftFever/OrcaSlicer.git
(cd OrcaSlicer; git sparse-checkout set src/slic3r/Utils)
git clone --depth=1 https://github.com/Doridian/OpenBambuAPI.git
The original bambu_networking.dll is also excluded (proprietary).
Copy locally from %APPDATA%\BambuStudio\plugins\bambu_networking.dll
if you need to open the Ghidra project or run tools/scan_blobs.py.
Build verification
cargo check --workspace
cargo build --release -p bambu_networking
cargo build --release -p bambu_networking --no-default-features --features tracing
cargo build --release -p bambu_networking --no-default-features --features native
cargo build --release -p bambu_networking_cpp
cargo build --release -p exercise_all
Run these locally to confirm your environment and current branch state.
Readiness checks
Use these scripts to check contract coverage and release-readiness signals:
# Contract consistency across abi.rs, export inventory, C++ shell, and API pages
python tools/verify_contract_surface_coverage.py --json
# Completion-audit checks (module wiring + capture/deploy safety markers)
python tools/verify_completion_audit.py --json
# Aggregate report (deferred live gate by default)
python tools/run_release_readiness.py --report-path build/release_readiness_report.json
For hardware-backed FTPS parity:
python tools/run_real_printer_parity.py `
--printer-ip <LAN_IP> `
--dev-id <SERIAL> `
--ca-path "C:\Program Files\Bambu Studio\resources\cert\slicer_base64.cer" `
--access-code <LAN_ACCESS_CODE>
Legacy FTPS fallback behavior:
BAMBU_STRICT_LAN_FTPS_TLS=1disables verify-none fallback entirely.- Verify-none fallback is fingerprint-pinned (TOFU on first fallback).
BAMBU_ALLOW_LEGACY_FTPS_REPIN=1allows explicit pin replacement if firmware rotates a legacy cert.
Current status (from repo checks)
The latest generated report at build/release_readiness_report.json shows:
| Check | Current result |
|---|---|
Contract surface coverage (verify_contract_surface_coverage.py) |
Pass |
Completion audit (verify_completion_audit.py) |
Pass |
| ABI/export inventory count | 128 symbols |
| API export docs expected/missing | 128 / 0 |
| Live printer parity gate in aggregate run | Deferred unless --require-live-parity is set |
For protocol details and captured behavior, use:
docs/reference/01_protocol_reference.mddocs/reference/04_captured_findings.mddocs/reference/05_cleanroom_status.md
Legal / ethical positioning
- No reverse engineering of code bodies. Behavior is observed at runtime via documented hooks; the packed binary's machine code is never lifted.
- Original implementation. All Rust/C++ is original; canonical signatures come from OrcaSlicer (open-source consumer).
- Secret-handling guidance. Sanitize captures before sharing
(for example with
tools/sanitize_capture.py), and keep raw captures plus TLS keylogs out (they are intended to stay local/ephemeral). - Telemetry is currently opt-out by default. The cleanroom never phones home.
Acknowledgements
- OrcaSlicer — canonical consumer-side typedefs (103 of 128)
- OpenBambuAPI — community documentation of MQTT/HTTP/FTP/cert protocols
- open-bamboo-networking (ClusterM) — reverse-engineered ABI snapshots and behavior notes that informed compatibility checks and filament-manager endpoint validation
- praveen/reverse-networking — contract-test symbol manifests and parity tooling patterns used for coverage audits
- baltobu/reverse-networking — clean-room contract verification framing and AGPL-focused audit context
- Bambu Connect cert+key extraction (Hackaday, Jan 2025)
- Frida, rumqttc, reqwest, rustls, cxx, suppaftp — building blocks
License
This project is released under the GNU Affero General Public License v3.0 (AGPL-3.0).