Really? Somebody got busy looking at Connect code, and guess what he discovered hidden in it? Have a look below:
// Bambu Connect extracted main.js by https://www.reddit.com/user/hWuxH
async function are(t) {
const {
encAppKey: e,
aes256: r
} = process.report.certManager.encryptAppKey();
const n = new URL(t.url.replace(jL, e));
n.searchParams.set("aes256", r);
return new Request(n, t);
}
async function cre(t) {
if (t.status !== 200) {
return t;
}
const e = await t.json();
process.report.certManager.updateAppCert(e);
return new Response(JSON.stringify({
code: e.code
}), {
headers: t.headers
});
}
async function lre(t) {
t.headers.set("x-bbl-app-certification-id", process.report.certManager.getSignCertId());
t.headers.set("x-bbl-device-security-sign", process.report.certManager.privateEncrypt(`${new Date().getTime()}`));
return t;
}
const Are = 'GLOF3813734089-524a37c80000c6a6a274a47b3281'
const fre = '-----BEGIN CERTIFICATE-----\nMIIDeTCCAmGgAwIBAgIUGpX26HEycYnaaCUFwJr8F/UPCZIwDQYJKoZIhvcNAQEL\nBQAwKDEmMCQGA1UEAwwdYXBwbGljYXRpb25fcm9vdC5iYW1idWxhYi5jb20wHhcN\nMjQwNzI2MDE1MjI3WhcNMzQwNzI0MDE1MjI3WjAfMR0wGwYDVQQDDBRzZXJ2aWNl\nLmJhbWJ1bGFiLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ2z\nwQvNAjA9lQe06o/Vv6JULHLn25NK706myDa4i9lmb3wqARNVi6aSWfxO3Cz9NklC\n4dYAdFbgcEUXuJIcJBBZdgPO2GhnaeCUVWz/ucW2GCdPaBAkXZNDK56aPqfYwltI\nsNJcUIvq0OmbFsI90l8zKTQzd8/zJcfm8lOBpAberwbEeHCQfDxUWpNyrAuGJlkD\ncmxraAjzBXQjAyMT+kK+KPOqhJICu5SXP87WGlzw8sfrdLl7J2vhtXpzRC67vtv6\nuD6aqq5f2OaRxHRUyqeDY/adiWE9Qeb9amkRMcQiUJ0IQJZ4wDSMNpZe0guXLkl5\nLPdPU249Bu86H5eDf5ECAwEAAaOBozCBoDAJBgNVHRMEAjAAMAsGA1UdDwQEAwID\nuDAdBgNVHQ4EFgQUb/FHYnyT++aiAcbhmQsDIMw/C+kwZwYDVR0jBGAwXqFGpEQw\nQjELMAkGA1UEBhMCQ04xIjAgBgNVBAoMGUJCTCBUZWNobm9sb2dpZXMgQ28uLCBM\ndGQxDzANBgNVBAMMBkJCTCBDQYIUGpX26HEycYnaaCUFwJr8F/UPCYgwDQYJKoZI\nhvcNAQELBQADggEBAK3n3LsRPiT9dEKrteCvBhaO/nAhc3Ogpi5iw4yiSB6abIHy\na36oGCA7RDMaMizDxbmWqooasA3xWnWLaf83FPt8KTnG72hmRb/usjc8sqFQQPPX\n/VZf8ITAILx7Nrh1yLKI31UtYLMgeGNA8sifQUVJFOLqcwEpqUvII5ZK1YZ/27lM\ngmscseUC5s4MTVf+aT5Gxg/v8MI0kgzNKCUELx7HuMfz/Og7+BSS58piZ1vt8Mgq\nVvhUVmCS9SnCnvkM57zOumHHlvoSf7u6eq7YQd6spdJBYS1Yf2KGxKG2uooT9VlX\nGq8Fcpo0F9pzYXX3kKeBJo1vl1/R54eAgd82rNg=\n-----END CERTIFICATE-----'
const j_ = {
privateKey: '-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDQNp2NfkajwcWH\nPIqosa08P1ZwETPr1veZCMqieQxWtYw97wp+JCxX4yBrBcAwid7o7PHI9KQVzPRM\nf0uXspaDUdSljrfJ/YwGEz7+GJz4+ml1UbWXBePyzXW1+N2hIGGn7BcNuA0v8rMY\nuvVgiIIQNjLErgGcCWmMHLwsMMQ7LNprUZZKsSNB4HaQDH7cQZmYBN/O45np6l+K\nVuLdzXdDpZcOM7bNO6smev822WPGDuKBo1iVfQbUe10X4dCNwkBR3QGpScVvg8gg\ntRYZDYue/qc4Xaj806RZPttknWfxdvfZgoOmAiwnyQ5K3+mzNYHgQZAOC2ydkK4J\ns+ZizK3lAgMBAAECggEAKwEcyXyrWmdLRQNcIDuSbD8ouzzSXIOp4BHQyH337nDQ\n5nnY0PTns79VksU9TMktIS7PQZJF0brjOmmQU2SvcbAVG5y+mRmlMhwHhrPOuB4A\nahrWRrsQubV1+n/MRttJUEWS/WJmVuDp3NHAnI+VTYPkOHs4GeJXynik5PutjAr3\ntYmr3kaw0Wo/hYAXTKsI/R5aenC7jH8ZSyVcZ/j+bOSH5sT5/JY122AYmkQOFE7s\nJA0EfYJaJEwiuBWKOfRLQVEHhOFodUBZdGQcWeW3uFb88aYKN8QcKTO8/f6e4r8w\nQojgK3QMj1zmfS7xid6XCOVa17ary2hZHAEPnjcigQKBgQDQnm4TlbVTsM+CbFUS\n1rOIJRzPdnH3Y7x3IcmVKZt81eNktsdu56A4U6NEkFQqk4tVTT4TYja/hwgXmm6w\nJ+w0WwZd445Bxj8PmaEr6Z/NSMYbCsi8pRelKWmlIMwD2YhtY/1xXD37zpOgN8oQ\nryTKZR2gljbPxdfhKS7YerLp2wKBgQD/gJt3Ds69j1gMDLnnPctjmhsPRXh7PQ0e\nE9lqgFkx/vNuCuyRs6ymic2rBZmkdlpjsTJFmz1bwOzIvSRoH6kp0Mfyo6why5kr\nupDf7zz+hlvaFewme8aDeV3ex9Wvt73D66nwAy5ABOgn+66vZJeo0Iq/tnCwK3a/\nevTL9BOzPwKBgEUi7AnziEc3Bl4Lttnqa08INZcPgs9grzmv6dVUF6J0Y8qhxFAd\n1Pw1w5raVfpSMU/QrGzSFKC+iFECLgKVCHOFYwPEgQWNRKLP4BjkcMAgiP63QTU7\nZS2oHsnJp7Ly6YKPK5Pg5O3JVSU4t+91i7TDc+EfRwTuZQ/KjSrS5u4XAoGBAP06\nv9reSDVELuWyb0Yqzrxm7k7ScbjjJ28aCTAvCTguEaKNHS7DP2jHx5mrMT35N1j7\nNHIcjFG2AnhqTf0M9CJHlQR9B4tvON5ISHJJsNAq5jpd4/G4V2XTEiBNOxKvL1tQ\n5NrGrD4zHs0R+25GarGcDwg3j7RrP4REHv9NZ4ENAoGAY7Nuz6xKu2XUwuZtJP7O\nkjsoDS7bjP95ddrtsRq5vcVjJ04avnjsr+Se9WDA//t7+eSeHjm5eXD7u0NtdqZo\nWtSm8pmWySOPXMn9QQmdzKHg1NOxer//f1KySVunX1vftTStjsZH7dRCtBEePcqg\nz5Av6MmEFDojtwTqvEZuhBM=\n-----END PRIVATE KEY-----\n',
cert: '-----BEGIN CERTIFICATE-----\nMIIDXTCCAkWgAwIBAgIRAO48rAcSzurNqLf7xC50uiwwDQYJKoZIhvcNAQELBQAw\nJjEkMCIGA1UEAwwbR0xPRjM4MTM3MzQwODkuYmFtYnVsYWIuY29tMB4XDTI0MTIx\nMTA5MjkyMFoXDTI1MTIxMjA5MjkyMFowTDEkMCIGA1UEChMbR0xPRjM4MTM3MzQw\nODktNTI0YTM3YzgwMDAwMSQwIgYDVQQDExtHTE9GMzgxMzczNDA4OS01MjRhMzdj\nODAwMDAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDQNp2NfkajwcWH\nPIqosa08P1ZwETPr1veZCMqieQxWtYw97wp+JCxX4yBrBcAwid7o7PHI9KQVzPRM\nf0uXspaDUdSljrfJ/YwGEz7+GJz4+ml1UbWXBePyzXW1+N2hIGGn7BcNuA0v8rMY\nuvVgiIIQNjLErgGcCWmMHLwsMMQ7LNprUZZKsSNB4HaQDH7cQZmYBN/O45np6l+K\nVuLdzXdDpZcOM7bNO6smev822WPGDuKBo1iVfQbUe10X4dCNwkBR3QGpScVvg8gg\ntRYZDYue/qc4Xaj806RZPttknWfxdvfZgoOmAiwnyQ5K3+mzNYHgQZAOC2ydkK4J\ns+ZizK3lAgMBAAGjYDBeMA4GA1UdDwEB/wQEAwIDuDAMBgNVHRMBAf8EAjAAMB0G\nA1UdDgQWBBTbM6dbfGu7o6o1IU59QyDzMcexjzAfBgNVHSMEGDAWgBTCydEtLumS\n2pknAxmjOizTHKwImzANBgkqhkiG9w0BAQsFAAOCAQEAmmD3Fu37vgw4qr/Dgr15\nFSdoCuVAZPD7I5FwcBlPH98TJ0hNUtnDVxkJ0pde8ZcQdYFkfYFNnX+7f06ps/TY\nCtchEAlx9cXBfBnImO4mB2Y89uRh7HRA2BiUmme4Xjy5P3qyvOnx2lIiH2hFyXJ0\n6N8UcBEviZTZd+D6FR5TJ8aNOhCwktutsrwKeSj4jrIWSD0vPlkQTbxUrm6x+7/i\nJBwOsMNA5UB+SZxAn8BtcvzpxHaj1l3WRddZcykTfz6k8fuQfJCdp1aN47guLXWt\nHTDvXeOlXpDStOlIwwMvh2i42ZaLas2C2B8rrX6pMmzazJLZcth8ZIyhfuB1WcMv\nAQ==\n-----END CERTIFICATE-----\n\n-----BEGIN CERTIFICATE-----\nMIIDjDCCAnSgAwIBAgIUGpX26HEycYnaaCUFwJr8F/UPCZQwDQYJKoZIhvcNAQEL\nBQAwKDEmMCQGA1UEAwwdYXBwbGljYXRpb25fcm9vdC5iYW1idWxhYi5jb20wHhcN\nMjQwODAyMDkwNTIwWhcNMzQwNzMxMDkwNTIwWjAmMSQwIgYDVQQDDBtHTE9GMzgx\nMzczNDA4OS5iYW1idWxhYi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\nAoIBAQDNLcdi86lRDBbYOmXGEX2TiRSxDJUzXe/ruNmXCYKq/fkilTPt5SbtXItl\nbflG4FpdzaJoay3iXBRB93E7AHwugAHWHvBvg+X0SEpgHc4wJVevYU4Mruyhq80C\nSKURdpfFG4jLKHOe+s4Hos7glPB5cXcQ4O8rgRNP+S8UDS3PwoUcKKKNTkDVatb4\nz+19AVxnwzxznL2scRcoyuOOjuzGlX1jdWE6uNey9TpO30DMsGLeDsn9oju0uKKl\ntoeE0osKVpE/DKuvixUxFEGbL1oOb3OrNih1C0B/uwwhZo3H8G+afaEYUwUVF8m0\nYVB1zSakL4vBLuIRabqpWh8aETCDAgMBAAGjga8wgawwEgYDVR0TAQH/BAgwBgEB\n/wIBATAOBgNVHQ8BAf8EBAMCAb4wHQYDVR0OBBYEFMLJ0S0u6ZLamScDGaM6LNMc\nrAibMGcGA1UdIwRgMF6hRqREMEIxCzAJBgNVBAYTAkNOMSIwIAYDVQQKDBlCQkwg\nVGVjaG5vbG9naWVzIENvLiwgTHRkMQ8wDQYDVQQDDAZCQkwgQ0GCFBqV9uhxMnGJ\n2mglBcCa/Bf1DwmIMA0GCSqGSIb3DQEBCwUAA4IBAQApce6+U+HHCRkvcGeRwMcE\nFvd8MBzxmQSoDBRA+dEoIQfWoE8eo5mWDKF+prklxnmm4MWemB95ACRfDC3jDrqh\nfNacLnX4jfhhBQI20OD1s9swvE1SCONGpNeyDjNOcDqHN/WCRh5XAc1MWcAH2enY\nq79XhTF+oVQits59yoIes5CWRxGU1uEchUzU/YLHqIcqEL1pcTd/hcMv7cmAt5QU\nuK5JOhq9lwHy723AZHrNTSPzWUeLCqC51ObpjFM03+icj1A9VFmS/3DOlZRv6B55\nbwY7NtZI5p+B9Q14X0+z0fCjsU5yLtjOledFqHjqXh8jHdw1gOh7x4/j5m9Heaub\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIDHjCCAgagAwIBAgIUGpX26HEycYnaaCUFwJr8F/UPCYgwDQYJKoZIhvcNAQEL\nBQAwQjELMAkGA1UEBhMCQ04xIjAgBgNVBAoMGUJCTCBUZWNobm9sb2dpZXMgQ28u\nLCBMdGQxDzANBgNVBAMMBkJCTCBDQTAeFw0yNDA1MjkwMjU0NTdaFw0zNDA1Mjcw\nMjU0NTdaMCgxJjAkBgNVBAMMHWFwcGxpY2F0aW9uX3Jvb3QuYmFtYnVsYWIuY29t\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4dwG7fhJRGVQ1RTxthzv\nl6nEtHkNGj5c1Z81pDRCB8ZHj3kx2W+eMrvwvONIyTl5nErQz2YGCsqPVGqOao2s\nCLSxEkq2pEXgHnatlOd02/Z6msWBMSUEYUqg2A3uPgijmHFSbAZFf9/0tO21O7wm\n+ldfg9ZSdBKkRcJFK92dgfyXVXfyBzcTMDmOUCG8YyS+/tFBWPzlCgEJadzlFUmm\nayZp5Msk+7CDEm60cUrWgiFfoIezsfcyDrI0S6Vhl0G3sbv886mjPbEZdnPmzGvU\nOTvFJeYvATbY2g43/as0pVguWd5hZJRTUcCvFUFZIOhtRxFLbwPt5ce0ASmtrOVC\n2QIDAQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgECMA4GA1UdDwEB/wQEAwIBvjAN\nBgkqhkiG9w0BAQsFAAOCAQEAeq9eICO82sj4YKVqAlk/lDqFV0DgdrfzVJYwjJsD\n4qvQzLhmdny3Q27yufztqCYQqy6VnoIw2kTHNYbvpCaU0lzZHjJPH3FX+MPL2wm4\n/cKvAPQi+aGPcCmSJYmizNC4bGZ0O+7pFl9SZKRW9tehWUQYyAOaq4bK3hqHJchj\nnFEpgVBl6erlbAvOOXeuLvQvgpQAKLysz2AnfMx5/9HJzf9rlWCjgVplCJgvudT7\nf7gnmmCFCz0KQY4AXmtmUinn+G/RTBU/YiWp7P92UcFHRs6NWOb11daHjl0lz1YO\nHwWFH7i/Q45bIcfftUW4IuF6aGQ7g0/ti8XEvXjXJhPzew==\n-----END CERTIFICATE-----',
crl: ['-----BEGIN X509 CRL-----\nMIIB6jCB0wIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtHTE9GMzgxMzcz\nNDA4OS5iYW1idWxhYi5jb20XDTI0MTIyODAzNDkyMloXDTI1MDEyODA0NDkyMlow\nSDAiAhEAwKnG9y7waEObyjeMvq6AsRcNMjQxMjIwMDczODQ0WjAiAhEA8Nae8vkm\nxTtjKidwSnzKexcNMjQxMjE5MDgwMjQ1WqAvMC0wHwYDVR0jBBgwFoAUwsnRLS7p\nktqZJwMZozos0xysCJswCgYDVR0UBAMCAXswDQYJKoZIhvcNAQELBQADggEBAIV+\njSqHblK7ZEH6eb8T7zFsFBPTrr4DKmwcBarCq9OLUtN/FSCcGXnVP6dWU06+RhE0\nmSwh6ER6LDQEupYXpOerZPE0zGQOa5q/CsfTAtpBndMsKM9jKFTh0+Gr7V46fkuM\nkJ7UeO17FddDtfCDqxIvheo/RPvZPoiNuCpUQuGAI59O3kFqNkv6VsZlk+7E/D1Q\naSiKr+bk6+hWslSLtenA4rxZNcL8cq7AYijLPlE2HTN6ASCMx/bBZXzm28KHDyeR\nFtfnJsmWXBbeOqHmR9/JpSbJdXRD6jvXF2nQVgQcAqv3DZcOhov0ah+31foAe2/e\naRANWl5wMJ5nUd5UFCk=\n-----END X509 CRL-----\n']
};
class dre {
constructor() {
Ee(this, "store");
Ee(this, "randomKey");
Ee(this, "mainBridge");
Ee(this, "crypto");
Ee(this, "deviceCerts", new Map());
this.crypto = process.report.sec.crypto;
this.randomKey = this.crypto.randomBytes(32);
this.mainBridge = process.report.sec.mainBridge;
const e = process.report.sec.Store;
this.store = new e({
name: "store",
defaults: {
serverCertificate: fre,
embedAppCert: j_,
appCert: j_
},
encryptionKey: 'DvyI8DTMqidJ+rH6w+wYg8LzD747kdW+bj8O8wDOczNMgHK93yOJqepuH3197qLS'
});
this.mainBridge.handle('isAppCertInstalled', r => ({
installed: r.certIds.includes(this.getCertId())
}));
}
addDeviceCert(e, r) {
this.deviceCerts.set(e, r);
}
signMessage(e, r) {
if (!this.deviceCerts.get(e)) {
return r;
}
const i = JSON.stringify(r);
const s = this.crypto.sign('RSA-SHA256', Buffer.from(i), this.store.get('appCert').privateKey).toString('base64');
return {
...r,
header: {
sign_ver: "v1.0",
sign_alg: 'RSA_SHA256',
sign_string: s,
cert_id: this.getCertId(),
payload_len: new TextEncoder().encode(i).length
}
};
}
devicePublicEncrypt(e, r) {
const n = this.deviceCerts.get(e);
if (!n) {
return r;
}
console.log({
deviceCert: n
});
const i = new this.crypto.X509Certificate(n);
return this.crypto.publicEncrypt({
key: i.publicKey,
padding: this.crypto.constants.RSA_PKCS1_PADDING
}, r).toString("base64");
}
updateAppCert(e) {
const r = e.key;
const n = Buffer.from(r, "base64");
const i = n.subarray(0, 12);
const s = n.subarray(-16);
const o = n.subarray(12, -16);
const l = this.crypto.createDecipheriv('aes-256-gcm', this.randomKey, i);
l.setAuthTag(s);
const a = Buffer.concat([l.update(o), l.final()]);
this.store.set("appCert", {
privateKey: a.toString("utf-8"),
cert: e.cert,
crl: e.crl
});
}
privateEncrypt(e) {
return this.crypto.privateEncrypt({
key: this.store.get("appCert").privateKey
}, e).toString("base64");
}
getCert() {
return this.store.get("appCert").cert;
}
getCertId() {
const e = new this.crypto.X509Certificate(this.store.get("appCert").cert);
return `${e.serialNumber.toLowerCase()}${e.issuer}`;
}
getSignCertId() {
const e = new this.crypto.X509Certificate(this.store.get("appCert").cert);
return `${e.issuer}:${e.serialNumber.toLowerCase()}`;
}
getFirstCrl() {
return this.store.get("appCert").crl[0];
}
encryptAppKey() {
const e = this.crypto.randomBytes(12);
const r = this.crypto.createCipheriv('aes-256-gcm', this.randomKey, e);
const n = Buffer.concat([e, r.update(Are), r.final(), r.getAuthTag()]);
const i = Y_(n);
const s = new this.crypto.X509Certificate(this.store.get('serverCertificate'));
const o = this.crypto.publicEncrypt({
key: s.publicKey,
padding: this.crypto.constants.RSA_PKCS1_PADDING
}, this.randomKey);
const l = Y_(o);
return {
encAppKey: i,
aes256: l
};
}
}
function Y_(t) {
return (Buffer.isBuffer(t) ? t : Buffer.from(t)).toString("base64").replace(/\+/g, "-").replace(/\//g, "_");
}
function hre() {
process.report.certManager = new dre();
}
function pre() {
process.report.sec = {
crypto: JN,
mainBridge: vt,
Store: UV
};
hre();
Oe.protocol.handle("https", ore);
const t = new HW();
t.connect();
const e = new JO();
e.start();
ZW();
vt.handle("openFileDialog", async () => {
const {
canceled: r,
filePaths: n
} = await Oe.dialog.showOpenDialog({});
return {
path: r ? undefined : n[0]
};
});
vt.handle("readFile", async r => ({
file: await WN.readFile(r.path)
}));
return () => {
e.destroy();
t.destroy();
};
}
function gre(t) {
Oe.Menu.setApplicationMenu(null);
if (ML) {
Oe.app.quit();
}
if (process.defaultApp) {
if (process.argv.length >= 2) {
Oe.app.setAsDefaultProtocolClient("bambu-connect", process.execPath, [fn.resolve(process.argv[1])]);
}
} else {
Oe.app.setAsDefaultProtocolClient("bambu-connect");
}
if (Oe.app.requestSingleInstanceLock()) {
Oe.app.on("second-instance", (i, s, o) => {
if (r) {
if (r.isMinimized()) {
r.restore();
}
r.focus();
const l = [...s].pop();
if (l) {
r.webContents.send(Uu, l);
}
}
});
Oe.app.on(Ny, (i, s) => {
const o = s;
if (r) {
r.show();
r.focus();
r.webContents.send(Uu, o);
} else {
n(o);
}
});
} else {
Oe.app.quit();
}
let r = null;
const n = async i => {
console.log("create window");
r = new Oe.BrowserWindow({
width: 1000,
height: 800,
minWidth: 1000,
minHeight: 800,
webPreferences: {
sandbox: false,
webSecurity: false,
preload: fn.join(__dirname, "preload.js"),
devTools: !GL
}
});
vt.connect(Oe.ipcMain, r);
const s = pre();
r.loadFile(fn.join(__dirname, "../renderer/main_window/index.html"));
r.webContents.openDevTools();
LL(r);
r.on("closed", () => {
r = null;
vt.removeAllHandlers();
vt.disconnect();
UL();
Oe.protocol.unhandle("https");
s();
});
r.webContents.once("did-finish-load", () => {
setTimeout(() => {
if (i) {
if (r != null) {
r.webContents.send(Uu, i);
}
}
}, 1000);
});
r.webContents.setWindowOpenHandler(o => {
if (r != null) {
r.loadURL(o.url);
}
return {
action: "deny"
};
});
};
Oe.app.on("ready", () => {
n();
const i = process.argv.find(s => s.startsWith("bambu-connect://"));
if (i) {
if (r != null) {
r.webContents.once("did-finish-load", () => {
setTimeout(() => {
if (r != null) {
r.webContents.send(Uu, i);
}
}, 1000);
});
}
}
});
Oe.app.on("window-all-closed", () => {
if (process.platform !== "darwin") {
Oe.app.quit();
}
});
Oe.app.on("activate", () => {
if (Oe.BrowserWindow.getAllWindows().length === 0) {
n();
}
});
}
module.exports = gre;
I’m not asking of you (or anyone else) to trust me on this. Check it out by yourselves.