5/26/2026: Login and printer communication achieved in OrcaSlicer with this .dll dropped in. It is very close to being done.
A cleanroom implementation of Bambu Lab's
bambu_networking.dll — the network agent that ships with Bambu Studio
— plus a protocol reference for building Bambu printer
clients without the official DLL or app.
→ Read docs/reference/ first
That folder contains the protocol reference, LAN client guide, cloud client guide, capture playbook, implementation status, and ABI reference in one place.
The original DLL is VMProtect-packed, so static decompilation past
the export table is not practical. The repo instead provides a
drop-in replacement and a live-capture pipeline (Frida + SSLKEYLOGFILE +
offline TLS 1.3 decrypter + in-memory std::string dereference) that
recovers protocol payloads from running Bambu Studio sessions.
What's in this repo
docs/
  reference/                      ← START HERE
    README.md                     ← reading order
    01_protocol_reference.md      ← every endpoint, MQTT command, auth flow
    02_lan_client.md              ← build a LAN-only client
    03_cloud_client.md            ← build a Bambu-cloud client
    04_captured_findings.md       ← what we observed live
    05_cleanroom_status.md        ← Rust crate status
    06_capture_playbook.md        ← run more captures
    07_abi_canonical.hpp          ← canonical C++ ABI header
    08_abi_implications.md        ← why C++ shell + Rust core
    09_strategy.md                ← phase-by-phase strategy
    10_packer.md                  ← VMProtect characterization
  RE/                             ← research trail
    api/<name>.md                 ← 128 per-export docs (one per export)
    subsystems/<name>.md          ← per-subsystem docs (auth, mqtt, http, camera, …)
    inventory/<NN>_*.md           ← per-finding investigation notes
    captured_*.SANITIZED.md       ← sanitized live captures
crates/
  bambu_networking/               ← cleanroom shim (forwarder/tracing/native)
  bambu_networking_cpp/           ← Phase 4 cleanroom runtime (C++ shell + Rust core)
  exercise_all/                   ← diagnostic 128-export exerciser
tools/                            ← 19 helpers (capture, decrypt, sanitize, …)
external/                         ← OrcaSlicer + OpenBambuAPI (clone separately)
Quick start: build the drop-in shim
git clone https://f.sfconservancy.org/lazerusrm/BB-Open.git
cd BB-Open
cargo build --release -p bambu_networking
# Output: target/release/bambu_networking.dll
Quick start: capture a live session
pwsh -File tools/capture_session.ps1 -MaxMinutes 15
# Drive Bambu Studio in the UI; when done:
New-Item $env:TEMP\bambu_stop_capture.flag
# Auto-tears-down, decrypts, writes raw outputs under %TEMP%\bambu_capture_<ts>
# and writes sanitized capture summaries under docs/RE/captured_*_<ts>.SANITIZED.md
External dependencies (clone separately)
These aren't vendored because they're large; clone next to the repo:
mkdir external; cd external
git clone --depth=1 --filter=blob:none --sparse https://github.com/SoftFever/OrcaSlicer.git
(cd OrcaSlicer; git sparse-checkout set src/slic3r/Utils)
git clone --depth=1 https://github.com/Doridian/OpenBambuAPI.git
The original bambu_networking.dll is also excluded (proprietary).
Copy locally from %APPDATA%\BambuStudio\plugins\bambu_networking.dll
if you need to open the Ghidra project or run tools/scan_blobs.py.
Build verification
cargo check --workspace
cargo build --release -p bambu_networking
cargo build --release -p bambu_networking --no-default-features --features tracing
cargo build --release -p bambu_networking --no-default-features --features native
cargo build --release -p bambu_networking_cpp
cargo build --release -p exercise_all
Run these locally to confirm your environment and current branch state.
Readiness checks
Use these scripts to check contract coverage and release-readiness signals:
# Contract consistency across abi.rs, export inventory, C++ shell, and API pages
python tools/verify_contract_surface_coverage.py --json
# Completion-audit checks (module wiring + capture/deploy safety markers)
python tools/verify_completion_audit.py --json
# Aggregate report (deferred live gate by default)
python tools/run_release_readiness.py --report-path build/release_readiness_report.json
For hardware-backed FTPS parity:
python tools/run_real_printer_parity.py `
--printer-ip <LAN_IP> `
--dev-id <SERIAL> `
--ca-path "C:\Program Files\Bambu Studio\resources\cert\slicer_base64.cer" `
--access-code <LAN_ACCESS_CODE>
Legacy FTPS fallback behavior:
- BAMBU_STRICT_LAN_FTPS_TLS=1 disables verify-none fallback entirely.
- Verify-none fallback is fingerprint-pinned (TOFU on first fallback).
- BAMBU_ALLOW_LEGACY_FTPS_REPIN=1 allows explicit pin replacement if firmware rotates a legacy cert.
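The fallback rules above, written out as an added example (not code from this repo): a decision function that applies the two environment variables and a trust-on-first-use pin. The SHA-256-over-DER fingerprint, the in-memory per-device pin store, the decision labels and the sample certificate bytes are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed stand-ins for DER certificate bytes (not real certificates).
OLD_CERT = b"constructed-legacy-printer-cert-v1"
NEW_CERT = b"constructed-legacy-printer-cert-v2"


def fingerprint(cert_der: bytes) -> str:
    """Assumed pin format: SHA-256 of the DER leaf certificate, hex-encoded."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class FtpsTrustPolicy:
    strict: bool = False       # BAMBU_STRICT_LAN_FTPS_TLS=1
    allow_repin: bool = False  # BAMBU_ALLOW_LEGACY_FTPS_REPIN=1
    pins: dict = field(default_factory=dict)  # assumed store: dev_id -> pin

    @classmethod
    def from_env(cls, env):
        return cls(strict=env.get("BAMBU_STRICT_LAN_FTPS_TLS") == "1",
                   allow_repin=env.get("BAMBU_ALLOW_LEGACY_FTPS_REPIN") == "1")

    def decide(self, dev_id: str, cert_der: bytes, ca_verified: bool) -> str:
        """Return a decision label (labels are illustrative, not the project's)."""
        if ca_verified:
            return "accept:ca-verified"      # normal path, no fallback needed
        if self.strict:
            return "reject:strict-mode"      # verify-none fallback disabled
        seen = fingerprint(cert_der)
        pinned = self.pins.get(dev_id)
        if pinned is None:
            self.pins[dev_id] = seen         # TOFU: pin on first fallback
            return "accept:pinned-first-use"
        if hmac.compare_digest(pinned, seen):
            return "accept:pin-match"
        if self.allow_repin:
            self.pins[dev_id] = seen         # explicit, operator-approved re-pin
            return "accept:repinned"
        return "reject:pin-mismatch"         # changed cert without re-pin opt-in


def demo():
    """Walk one printer through first use, a cert change, and a re-pin."""
    policy = FtpsTrustPolicy.from_env({})
    steps = [policy.decide("SERIAL", OLD_CERT, False),
             policy.decide("SERIAL", OLD_CERT, False),
             policy.decide("SERIAL", NEW_CERT, False)]
    policy.allow_repin = True
    steps.append(policy.decide("SERIAL", NEW_CERT, False))
    return steps
```

A pin mismatch without the re-pin opt-in is the case worth alerting on: it is either a firmware certificate rotation or something else answering on the printer's address.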
Current status (from repo checks)
The latest generated report at build/release_readiness_report.json shows:
| Check | Current result |
|---|---|
| Contract surface coverage (verify_contract_surface_coverage.py) | Pass |
| Completion audit (verify_completion_audit.py) | Pass |
| ABI/export inventory count | 128 symbols |
| API export docs expected/missing | 128 / 0 |
| Live printer parity gate in aggregate run | Deferred unless --require-live-parity is set |
For protocol details and captured behavior, use:
- docs/reference/01_protocol_reference.md
- docs/reference/04_captured_findings.md
- docs/reference/05_cleanroom_status.md
Legal / ethical positioning
- No reverse engineering of code bodies. Behavior is observed at runtime via documented hooks; the packed binary's machine code is never lifted.
- Original implementation. All Rust/C++ is original; canonical signatures come from OrcaSlicer (open-source consumer).
- Secret-handling guidance. Sanitize captures before sharing (for example with tools/sanitize_capture.py), and keep raw captures plus TLS keylogs out (they are intended to stay local/ephemeral).
- Telemetry is currently opt-out by default. The cleanroom never phones home.
Acknowledgements
- OrcaSlicer — canonical consumer-side typedefs (103 of 128)
- OpenBambuAPI — community documentation of MQTT/HTTP/FTP/cert protocols
- open-bamboo-networking (ClusterM) — reverse-engineered ABI snapshots and behavior notes that informed compatibility checks and filament-manager endpoint validation
- praveen/reverse-networking — contract-test symbol manifests and parity tooling patterns used for coverage audits
- baltobu/reverse-networking — clean-room contract verification framing and AGPL-focused audit context
- Bambu Connect cert+key extraction (Hackaday, Jan 2025)
- Frida, rumqttc, reqwest, rustls, cxx, suppaftp — building blocks
License
This project is released under the GNU Affero General Public License v3.0 (AGPL-3.0).