opensourcemanufacturing / OpenBL

Exploration of Bambu Lab Printer Hardware and Firmware

Firmware Extraction #1

Open kelchm opened 9 months ago

kelchm commented 9 months ago

Like many others, I'm very interested in extracting the firmware(s) of the Bambu Labs printers (and in my case, particularly the P1S).

Has anyone made any progress in gaining access to the firmware so we can begin analyzing it?

From some preliminary investigation, it looks like Bambu Labs is using mTLS (not confirmed yet), so using a MITM proxy to capture a firmware download is likely out.

Assuming that nothing too esoteric is being used for communication between the AP board and MC/TH boards, maybe we can look at capturing comms between the boards during a firmware update?

I plan to do some poking around with a logic analyzer to see what I can find here in the coming week -- has anyone else made any progress on this to date?

kelchm commented 9 months ago

Update -- It appears that firmware binaries are publicly available via the same CDN that is used to serve Bambu Studio installers (among other things). For those who are curious, the Bambu Handy app on Android provides some very helpful log output via logcat, such as MQTT messages.

Each update has a metadata file which contains a JSON payload with a md5 checksum (sig), version and url for device-specific firmware binaries.

v01.04.00.00

ota-p003_v01.04.00.00-20230807120305.json.sig

{
    "ap04": {
        "sig": "c14cb08000da457b5b74183a217507b6",
        "url": "https://public-cdn.bambulab.com/upgrade/device/C12/01.04.00.00/product/ap-es3_rev4-v01.05.16.47-20230801174146_product.bin.sig",
        "version": "01.05.16.47"
    },
    "mc07": {
        "sig": "c712d610795e7269cba6e6767b538ada",
        "url": "https://public-cdn.bambulab.com/upgrade/device/C12/01.04.00.00/product/mc_rev7-firmware-v00.00.16.49-20230727173433_product.bin.sig",
        "version": "00.00.16.49"
    },
    "th09": {
        "sig": "60495ede4036360ef3324b16bb03efa1",
        "url": "https://public-cdn.bambulab.com/upgrade/device/C12/01.04.00.00/product/th_rev9-firmware-v00.00.05.83-20230704151711_product.bin.sig",
        "version": "00.00.05.83"
    },
    "version": "01.04.00.00"
}

v01.04.01.00

ota-p003_v01.04.01.00-20230926153532.json.sig

{
    "ap04": {
        "sig": "50f52796ae062b0757fd136a785f5cfc",
        "url": "https://public-cdn.bambulab.com/upgrade/device/C12/01.04.01.00/product/ap-es3_rev4-v01.05.16.81-20230925123215_product.bin.sig",
        "version": "01.05.16.81"
    },
    "mc07": {
        "sig": "c712d610795e7269cba6e6767b538ada",
        "url": "https://public-cdn.bambulab.com/upgrade/device/C12/01.04.01.00/product/mc_rev7-firmware-v00.00.16.49-20230727173433_product.bin.sig",
        "version": "00.00.16.49"
    },
    "th09": {
        "sig": "60495ede4036360ef3324b16bb03efa1",
        "url": "https://public-cdn.bambulab.com/upgrade/device/C12/01.04.01.00/product/th_rev9-firmware-v00.00.05.83-20230704151711_product.bin.sig",
        "version": "00.00.05.83"
    },
    "version": "01.04.01.00"
}

Additional Notes

Only the AP firmware differs between v01.04.00.00 and v01.04.01.00. In diffing these files, it is apparent that while significant portions are different, there are also ~246788 bytes that are identical. At the same time, the entropy for these files is quite high. I'm not exactly sure what to make of the randomly interspersed bytes that do match.

Here are archives (containing all four files) of each update, should they become unavailable at some point in the future: ota-p003_v01.04.00.00.zip ota-p003_v01.04.01.00.zip

timfischbach commented 9 months ago

Good work! Can you logcat the X1 update files as well? Or did it only work, because you own a P1P?

timfischbach commented 9 months ago

I managed to download the X1 firmware. Sadly it has very high entropy (probably encrypted), which means our only chance of extracting the Linux is by dumping it from an AP board.

kelchm commented 9 months ago

> I managed to download the X1 firmware. Sadly it has very high entropy (probably encrypted), which means our only chance of extracting the Linux is by dumping it from an AP board.

Agreed on the high entropy. I think there may still be some value in further analysis of firmware binaries -- specifically looking at the diff between versions.

I found the distribution of matching bytes between the two AP firmwares to be surprising. Perhaps this is something that wouldn't be surprising to someone who is more well-versed in reverse engineering and cryptography, but it definitely came as a surprise to me.

EX: ap-es3_rev4-v01.05.16.47 (left) vs ap-es3_rev4-v01.05.16.81 (right)

[Screenshot 2023-12-23 at 11 40 01 AM: byte-level diff view of the two AP firmware images]

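The metadata format quoted above (per-board `sig`, `url`, `version`) and the diff/entropy observations in the two comments above are easy to reproduce with a small script. The following is an added example, not code from the thread or from OpenBL; the metadata documents and firmware blobs in it are constructed stand-ins with placeholder URLs, and `expected_chance_matches` is an added baseline (two independent uniformly random byte streams agree at any offset with probability 1/256) against which a count of "randomly interspersed" identical bytes can be judged.

```python
import hashlib
import json
import math
from collections import Counter

# Constructed stand-ins for the per-board .bin.sig blobs (not real firmware).
OLD_AP = bytes(range(256)) * 4                 # 1024 uniformly distributed bytes
NEW_AP = bytes((b + 1) & 0xFF for b in OLD_AP)  # differs from OLD_AP at every offset
MC = b"\x00" * 1024                           # unchanged between the two bundles

def _bundle(version, ap_blob, mc_blob):
    """Build an OTA metadata document in the same shape as ota-p003_*.json.sig."""
    return json.dumps({
        "ap04": {"sig": hashlib.md5(ap_blob).hexdigest(),
                 "url": "https://example.invalid/placeholder_ap_product.bin.sig",
                 "version": "placeholder"},
        "mc07": {"sig": hashlib.md5(mc_blob).hexdigest(),
                 "url": "https://example.invalid/placeholder_mc_product.bin.sig",
                 "version": "placeholder"},
        "version": version,
    })

OLD_METADATA = _bundle("01.04.00.00", OLD_AP, MC)
NEW_METADATA = _bundle("01.04.01.00", NEW_AP, MC)

def parse_ota_metadata(text):
    """Return {board_id: {"sig", "url", "version"}}; the top-level "version" string
    is the bundle version, not a board entry, so it is skipped."""
    return {k: v for k, v in json.loads(text).items() if isinstance(v, dict)}

def md5_matches(blob, expected_hex):
    """Integrity check of a downloaded blob against the 'sig' field. md5 here is a plain
    checksum, not a signature: a match says nothing about who produced the file."""
    return hashlib.md5(blob).hexdigest() == expected_hex.lower()

def boards_changed(meta_old, meta_new):
    """Board ids whose 'sig' differs between two bundles (e.g. only 'ap04' above)."""
    shared = meta_old.keys() & meta_new.keys()
    return sorted(b for b in shared if meta_old[b]["sig"] != meta_new[b]["sig"])

def shannon_entropy(blob):
    """Bits per byte: 0.0 for a constant blob, 8.0 for uniform bytes. Encrypted or
    well-compressed data sits close to 8, which is what both commenters observed."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())

def identical_byte_positions(a, b):
    """Offsets at which two same-length images carry the same byte value."""
    return sum(1 for x, y in zip(a, b) if x == y)

def expected_chance_matches(n):
    """Coincidental matches expected between two independent random byte streams."""
    return n / 256
```

Compare `identical_byte_positions` with `expected_chance_matches(len(blob))`: a count far above the baseline points to shared unencrypted structure or an identical keystream segment, while a count near it is consistent with two unrelated ciphertexts.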
timfischbach commented 9 months ago

It's definitely a strange pattern. BTW: A friendly guy on Reddit will send me his AP board with a broken LED for almost nothing. Will post my findings here when I find something interesting in the Linux image or via UART. Maybe they use the same decryption key for all firmware files. And maybe we'll find out the decryption / encryption key for the logfiles :) (I pray that it's a symmetrical encryption)

timfischbach commented 9 months ago

I experimented a little bit with it. We got: a locked-down U-Boot, even always switching to fastboot if I glitched the board. And the UART gets deactivated when the board has booted. I attached the entire UART log from the boot. data.log

lunDreame commented 8 months ago

I'm also using a P1S and I'm interested in the software. I have a version for domestic use in China. I want to replace this with a global ROM. If Bambu manages it with the serial, my project will be over, but based on the MQTT reporting of the ota information, the cn / com url is divided. I sent the global link through an MQTT update request, but it was installed with cn. If only decoding is possible for the software, or if you only find out the esp32 flash information, global ROM replacement seems possible. Please share helpful information.

Amorph commented 8 months ago

@lunDreame I have the same issue (P1S from China). TS recommended finding a Chinese mobile phone and using a VPN :) Currently I got a P1P AP board from the official store, but its SN is not registered so there is no cloud connection; communication with TS is still in progress, no results yet. @kelchm do you have fresh firmware binaries (with noise cancellation), just in case?

Further, after the TS resolution, I'll have a spare board and plan to dig into it.

lunDreame commented 8 months ago

@Amorph

I disposed of the Chinese P1S about two weeks ago and have been using the global P1P very easily since purchasing it. If the regional division disappears, I would like to sell the P1P and purchase the P1S combo directly from China. ㅠㅠ

https://cafe.naver.com/bambulab/3353?tc=shared_link

It's my post. Here's the P1 Siridge. You can download the latest perm's vial

Amorph commented 8 months ago

@lunDreame Got an update, thank you! BTW, I found that the region lock comes from the serial number, because a new AP board can't be used before it is registered via Technical Support.

lunDreame commented 8 months ago

@Amorph If I analyze the firmware, please analyze the logic related to the camera frame limitation. Lol, I think I can upload it by connecting to another esp.

Amorph commented 8 months ago

@lunDreame I'm sure that the frame limitation is based on an esp32 hardware limitation, which comes down to network speed and the ability to encode jpg frames into data.

Amorph commented 7 months ago

No luck yet with firmware extraction: JTAG is locked in some way, ESP secure boot is enabled, and UART prints only boot information. Currently working on running the AP board without the printer and MC board.

Amorph commented 7 months ago

@lavachemist On the AP board, connector 2 is a USB connector. Pins from left to right: GND, D+, D-, VCC (not connected). Also, the button below connector 2 is the boot mode selector (GPIO0).