More info on the hacking (the first in what may be a long stupid fight): https://hackaday.com/2025/01/19/bambu-connects-authenticatio...
https://hackaday.com/2024/11/20/with-core-one-prusas-open-so...
It says:
Operations That Do Not Require Authorization
The following actions will remain unaffected by the authorization mechanism:
Sending status information from the printer (e.g., MQTT status push for tools like HomeAssistant).
Starting a print job using SD cards.
General operations outside the listed authorization controls.
https://blog.bambulab.com/firmware-update-introducing-new-au...
"Officially support" printing without internet connection?
Was this explicitly documented as a feature or did this just "happen to work" as you expected?
A lawsuit may have some leverage to find that something could have been "reasonably expected" to work in a certain way, but that's quite uncertain territory.
i.e. I would expect an Apple Watch to also work with Android Devices, but this was never officially supported by Apple and it's arguable whether it was reasonable for me to even expect this.
Had the new requires phone app workflow and it was so buggy had to just resort to UPS/Fedex
Leading to obvious speculation as to why they have stuck themselves processing megabyte g-code streams between your desktop and the printer on the same network...
But since cloud use is optional anyone with the security/reliability/longevity concerns just doesn't have to use it.
Personally I don't see the cloud stuff as providing any value at all though I know people whose kids print stuff from their makerworld site via their phone app that consider it useful.
Selling a walled garden is one thing, building walls around a garden you already bought is another thing entirely
I've not run into any banking applications which won't run on a non-google build of android (as then they would only run on a pixel). That being said, I refuse to seriously bank with any bank which doesn't offer a functioning website. My main bank offers an app but you have to wholesale switch to it.
- Danish national identity app (MitID). I had to get a hardware token that generates one-time passwords.
- My banking app (still works in the browser though).
- The de facto payment app used for peer-to-peer payments and as a credit card alternative all over Denmark (MobilePay).
- The app for controlling the heating system in my car.
- Revolut.
- The app for showing a digital version of my government issued health insurance card. It's literally just a barcode and a number, so I can get by using a photo of the card instead. This underlines the ridiculousness of requiring Play Integrity attestation.
- The app for showing a digital version of my driver's license. As a bonus this app also doesn't work if you have set your default browser to Firefox instead of Chrome, even on a non-rooted phone.
On top of this, one app for scanning goods in the supermarket stopped working, but without explicitly saying why. I suppose it just silently depends on some Google service, but I have no way of knowing that.
I also cannot get Chromecast to work, but that is perhaps to be expected when replacing the Google services with microg, and not strictly a result of DRM. It is a major inconvenience though.
Denmark is one of the most digitized countries, and in many ways that is good. However, it also means that you are increasingly coerced into the whole Google/Apple ecosystem and that it is very hard to get out. Luckily there are alternatives to all of the above apps, but it is a major inconvenience to have to use them.
If LineageOS did support those APIs (which it can support if it wanted to, without any blessing from Google) then presumably most if not all of those should also work.
Try GOS and see if it's broken there. If it works on GOS then you can shout at google for ever exposing the attestation APIs but the apps you're complaining about aren't actually abusing attestation in the way you claim, LineageOS is simply choosing not to implement the features they rely on.
That said, the recommendation I always give, and personally follow: keep a spare phone in a drawer somewhere, with official Android installed, a Google account, and use it exclusively for business purposes - banking, government services, and the email account you use for those (separate from the one you use for everything else). Nothing else, no messaging, socials, browsing, or games.
Then you're free to keep your personal phone FOSS and as private as you like, without fear of getting locked out of important stuff due to a crappy Google® SafetyNet® upgrade.
Anything which doesn't support an alternative method (not involving a proprietary blessed google phone) of management should be illegal if it's government related and should be boycotted if it's not.
Nevertheless, for living in this world while preserving your privacy, my advice stands. Separate the devices that you control, which you will use for personal and private purposes, from the devices that global corporations and institutions control, which you will use to access the services those institutions provide - services which, by definition, you would not control anyway.
It is far, far simpler than having to get proprietary, frequently-updated software to play nice inside a secure sandbox. If they do, great, but separate devices ensures it isn't a capital-P Problem for you if they stop.
(FWIW, I lived in three different European countries over the past decade and so far the governments all offered TOTP-based web alternatives to their apps. When it comes to private banking, only one (Lunar) was available only via app, but it was also the only one that ran without Play Services.)
What I am saying (and what I do) is that it's far simpler still to just not rely on anything where this might be the case.
If my bank turned around tomorrow and said I can't use their website to manage my account, I would not attempt to get their app working on my phone, I would switch bank.
Thanks for the recommendation tho - you reminded me that I have some old Xiaomi phone that should be able to run it still!
It works on GrapheneOS with their own keys (or you can, if you want, probably use your own keys).
If I'm on a custom ROM, the notification never pops up.
It's like Trusted HDCP pipeline. Every part has to be signed properly, and no open distribution of Android can do that, period.
There was one missing file (which I don't remember its name now, it's long gone), but I always carried over that one from the official ROM (same Android version, mind you), but while everything still worked, this was not enabling me to use the secure element based SIM services (namely e-signature).
The problem was not "not being able to access secure element", it was visible, but making it do (secure/verifiable) things, which require an "operator message" to trigger the right process on the phone. Even if the system which I'm trying to login said that the process should start, the phone just didn't respond/started the e-signature process. In my country, if your SIM is blocked for any reason from using these services (e.g. when you change your SIM and not-activate e-sig again), you SHALL and WILL (in RFC sense) get a message detailing what went wrong.
Again, the moment I flashed the original image, secure element based SIM services started working, I didn't need to do anything on the other side. Different ROM, it's working. Flash the custom one, reboot, it's gone. Add the required files back, no luck. That simple.
BTW, I was not mad that it was not working. It's a legally binding wet signature equivalent. I don't want that pipeline to be peek/poke enabled.
But have you checked if GrapheneOS handles it?
Yes, but see my other comment in the thread. It's not something trivial. It's not that I didn't dig.
> But have you checked if GrapheneOS handles it?
I jumped the platform soon after, so I don't have the hardware anymore, so I can't.
- Battery Management (iPhone 6, 6s, and SE): In 2017, Apple introduced a battery management feature in iOS 10.2.1 to prevent unexpected shutdowns by throttling the performance of iPhones with degraded batteries. This led to slower device performance without informing users, which is a removal of expected performance functionality.
- 32-bit App Support: With the release of iOS 11 in 2017, Apple dropped support for 32-bit apps. This meant users could no longer use older apps that had not been updated to 64-bit, effectively removing access to those apps on updated devices = You want the new OS? -> you have less functionality.
- Pulse oximetry features were recently removed from new Apple Watches due to Masimo's patent infringement claim.
As opposed to the device unexpectedly shutting down due to a degraded battery not being able to push enough energy to support the CPU? They didn't remove expected performance, they prevented crashes which are by definition 0 performance. All Li-ion batteries degrade over time. That's not removing a feature...
This whole thing was totally overblown.
Previously you could directly upload the 360 videos to YouTube, now you need to download the film locally on the phone, then host a converted version and only after those loops you are permitted to upload.
Or you can now buy a monthly subscription and get back the feature that was already there before. Quite disappointed with this kind of behavior.
the problem is that user got no choice. Some might prefer degraded performance, others might prefer to charge their devices more often.
Also seller should have no business touching anything that they've already sold - they might offer support, but it should be up to user to accept it or not.
Source: had two 6S's in the family. In the cold it could just suddenly shut down mid-call from 60% battery.
The root problem was not the throttling, it was the phone's inability to run at expected speed after a couple years.
USER should choose that. not apple.
not all of them shut down, someone might get a battery replacement.
What apple should've done is to introduce a toggle, give a warning in notification. and in case of crash, display it again.
After the massive hissy fit the Internet threw (along with lawsuits), they added a switch. Now you can choose to have your phone suddenly die.
But the legend lives on that "Apple slowed down phones permanently!!" - even though the fix for that is a 40€ battery swap that takes 30 minutes in any mall phone repair shop.
Maybe i want to use the device in a way that's 100% connected to the charger and repurpose it.
It's not apple's business what I'm doing with it
I like a toggle for features like this, but it was a pretty standard user experience / reliability choice imho.
what if you replace battery AFTER the fix was applied? you can't rollback.
again, it's about user's choice. it's not apple's device, but whoever bought it. they shouldn't be even allowed to DECIDE which option is better. user should be able to pick whichever they want to go with.
I get it, but if you’re going to accept binary blob updates from a manufacturer at all, this one wasn’t bad.
If there was a toggle, Would you really run your phone in “reckless disregard for battery condition” mode?
Because that is what this fixed, a flaw in the firmware where the power management subsystem made incorrect assumptions about the battery condition. All new phones come with this baked in and working properly, so your phone doesn’t randomly die in the middle of calls when your battery gets old.
People pitchforked over this update without understanding what it was designed to do. If your phone has a good battery, it does not throttle the cpu. It just adjusts the power management profiles to reflect battery aging.
But the way they did it was far from malicious. It only affected users who were actually in danger of an emergency shutdown, during times when the shutdown was imminent. While I don’t want anybody diddling my firmware without giving me a choice, this particular issue was really a nothing burger in the end.
It was discovered when it became apparent that replacing a defective battery made the phone faster. Seems like a standard reliability / user experience fix to me. Not Many people would choose the “don’t adjust system power consumption to prevent unplanned shutdowns when the battery is about to fail” toggle.
Apple's actions in this case were even worse than Bambu's. At least Bambu documented what the update did and offered the option of declining it.
No, it isn't. If the battery was broken and they knew the battery was broken, they should have informed the user the phone could be fixed with a new battery. They decided to gimp the device and not tell the user so they would be more likely to purchase a new device rather than simply fixing the old one.
So they know this yet they refuse to let users swap the battery?
1) open phone
2) remove battery
3) replace battery
4) close phone
It just requires more tools than your fingers, like every single mainstream phone. People don't go telling that Ford "refuses to let users change their oil".
It's all perfectly doable, but you do need the tools and an ability to follow a step by step guide with pictures.
Yet there are always people justifying these type of awful practices as better for users. These aren't, the measures are only good for business.
Many cars enter limp mode for when the ECU senses a possibly damaging condition. This limits the performance and capabilities until someone with a diagnostic computer can plug it in. Many times these diagnostic computers are entirely proprietary.
I'm not saying it is justified, but to pretend that other businesses don't do this is silly.
And even for that case there would be a warning on the console and a mechanic would be able to inform what is happening. On this iphone case, there was no warning at all on the device nor there was any disclosure that they would be doing this to the phones.
You know this. In either case, thank you for the ECU info.
It reduces your speed by much more than that. Varies depending on the model, but limp mode often won't let you go past 2nd gear.
It does actually. It limits your top speed, and your engine's rev range to approximately half of redline or less. Typically you end up limited to under 45. Also, accessories and other options, like A/C are disabled. The only indication that you will get is the reduced performance and the check engine/service light (sort of how you might get a 'service battery' warning and reduced performance on a phone).
Again, not defending it, but pointing out that Apple hardly invented artificially limiting performance behind opaque warnings to prevent unwanted outcomes. Cars have had limp mode since before the iPhone was invented.
Not even that hard.
For me, the firmware fix helped me limp through the 2 months before I finally got around to replacing the battery.
It made my phone that was flaky and unreliable below 40 percent battery into a phone that worked slightly slower once the battery got low, but didn’t just randomly shut off during calls anymore.
I’d have preferred a toggle, but to be honest I doubt I’d have ever used “reckless disregard for remaining battery capacity” mode.
They are SO LOUD if you don't service them at regular intervals. They're even doing fancy tricks to make sure you're not faking the service.
Regular service is indeed a bother. You know what I hate the most? In my oldish Mercedes it isn't even possible to change/update the hour without using a proprietary tool only available at official Mercedes mechanics. Since I refuse to pay premium cost for attending their mechanics, the clock on my car is always with wrong time.
And let's not even get into new business models like charging you a subscription to unlock the car to move faster or to unblock the heated seats. Indeed they also have quite "creative" ways to squeeze money and force to get new models.
- Battery management was to handle an issue that was encountered as batteries aged
- 32 bit support: Apple is well known for being one of the more aggressive companies when it comes to forcing users (and especially people coding apps for their platforms) to adopt required tech changes. But again, not directly profit-driven.
- Pulse oximetry: probably the closest to a profit-driven-decision, as this was driven by a patent issue, and presumably they calculated less of a hit from removing the feature than paying fees to the patent owner? Not great, but still not directly part of a user-unfriendly Apple-derived strategy, as with Bambu.
New firmware upgrades made older devices slower and painfully unusable: https://www.techradar.com/news/apple-might-be-slowing-down-y...
And they have plenty of experience building walls around a garden. Ask anyone using OSX for the past 15 years and you will see how difficult it has become to write or publish software for Apple.
They did nerf speed. But they did it for a reason. I get being mad about your phone being slowed down, but i don’t get being mad about it once you understand why.
That reason was to incentivize people to replace their old "slow" phones with faster new phones. If Apple actually cared about the problem of older phones having limited battery life they'd have made the batteries in their phones replaceable.
For instance did an OS update ever prevent you from doing something that you could before ?
Yes. Countless times. OS updates have breaking changes, older apps lose support etc.
And for iOS these updates are irreversible under supported ways, while the very nature of the "there's an app for this" paradigm means losing a third party app equals losing that functionality for your device when you upgrade (you won't get a translation layer or virtualization to help the transition)
You may like Apple more and feel they communicate better, but fundamentally it's the same situation.
But for 3D printers that worked out of the box under $1000, Prusa had no real competition itself.
The Mk3 came out in 2017 and I swear Prusa just sat on their laurels. I was a Mk3s+ owner (well, still am) and was pretty disappointed how little improved with the Mk4.
Bambu’s competition was Prusa and they clearly strived to improve over what Prusa had accomplished.
I hadn’t had any experience with the new platform prior to this upgrade and I skipped over the MK4, but the 4S upgrade is a significant step up over the 3S/3S+. I wouldn’t necessarily recommend the upgrade kit — that took much longer than expected to complete (about two days) and I regret not buying a new printer instead. But, I have a 3S I plan to upgrade to 3.5 just to get the new electronics; that upgrade is far less intensive.
If you haven’t tried out a 4S you might be pleasantly surprised by how much nicer it is than the 3S+.
I went for the 3.5 upgrade as the upgrade from 3S+ to 4 was almost as much as outright buying a new 4. I'm glad I did it this way because now I'm thinking of getting the CORE One and then I'll have 2 excellent printers.
They still seem to be thinking the primary audience of 3d printers is people who tinker. It's not been that way for a long time. People just want to be able to unbox, plug it in and print. The second you add in the "oh just spend 5 hours tweaking this spaghetti mess of an MMU" you've lost them.
I think they just screwed up the design of the MMU but they never went back to the drawing board.
Sure, it is a better printer, but it is clear that they are going for scale, and most of what makes them better is in the software rather than in using premium hardware.
Well, Open Source did compete on one quality very well: being open, hackable and staying that way. With this being removed from Bambu lab printers it seems as if this is a very much valued aspect for many 3D printing enthusiasts, yet few people were willing to compromise for this aspect.
Apparently it is true, you don’t know how much you value something until you don’t have it anymore
The Bambu has been ideal for that reason. Every material pretty much just works, and the quality is excellent. The cloud integration and janky LAN mode is the downside, and this current topic even moreso.
No. None of this crap. I want to 3D print. I don't want to service industrial machinery in my spare time. Why should 3D printing require spending weekends troubleshooting machines just to keep the thing working? I want to print models not play repair technician.
Vorons are fantastic printers and a fantastic kit if 3D printing itself is your hobby. 3D printing is a fantastic hobby. There's tons of fun to be had building up and dialing in a printer kit. A well tuned voron can be up with the best of the best 3D printers. If that's what you want to do go for it!
But for heaven's sake I want to print models, parts and other practical things. I have other things to do and problems to solve. My 3D printer is a tool. If I have to spend just as much time working on the machine as I do using to actually print things then I'm not interested.
Bambu is still the best game in town for a turn-key, just works printer. Prusa can deliver the same experience at double to triple the ticket price. A voron is not a replacement for a Bambu printer no matter how good the printers actually are.
I’m sympathetic to your POV but the reason you should is that’s the price to keep things open.
Obviously many people don’t care about that. Fair enough. But then you should be prepared to deal with their shenanigans.
Prusa also does things like maintain and develop printables.com and PrusaSlicer (itself forked) which many of these closed printers fork with minimal changes.
People don’t care about this either. So again, get ready to deal with garbage when Prusa goes under.
I think it’s sad since the whole domestic 3D printer thing started as open source.
No, it's not, and the perception that it is hurts the cause of openness.
Open Source has every ability to be better, to Just Work, to not require constant debugging. Good Open Source systems manage this. The fact that 3D printers apparently have not is the fault of those printers, not any inherent quality of openness.
Comparing Bambu to Voron is an absurd comparison
I politely disagree. I was in the market for a more modern printer, and it boiled down to either a BL or a Voron - in the end I decided against ease of use and in favor of an open ecosystem. I agree in that they are not universally interchangeable, but for some people either can be an option, each with distinctive advantages and disadvantages.
the whole process is basically cnc but with z hops and extruding instead of removing material.
we do not even have conical slicing yet.
Ya, it is, and it’s been there for quite a while now thanks to Bambu.
The X1 just works. Coming up on a year of frequent use, I can count the number of failed prints on one hand. It’s incredible.
It's all just much less tinkering than 5 years ago.
Tell me you don’t know anything about 3d printing without telling me you don’t know anything about 3d printing.
Also, subtractive manufacturing is much harder than additive manufacturing, because you need to position the machine around an existing piece of stock and sequence your operations manually, instead of letting a generic slicing algorithm slice from bottom to top with an offset vs the intended printing location only being a problem if you accidentally print over the edge of the build plate, which is usually not possible mechanically.
also there is so much stuff that is in open PRs and issues for years that is not implemented for slicers.
"take a load" - I don't know what kind of load, do you mean the fact that PLA is creeping under sustained load?
If that is YOUR usecase that is fine, but that does not mean that set and forget works just fine for others. Btw gun people use PLA plus just fine.
Don't get me wrong here. PLA is a great polymer, However you can't really expect parts made with it to hold up when compared to other "engineering grade" polymers.
Not many people use 3d printing for applications that require extreme strength though, that's really not the goal many people are aiming for.
I do this for a living and people are always looking for more parts to run through the process and better filaments to see those parts end up performant.
CF-PETG is strong! For a bit more toughness and temp resistance, PA12CF35 is seeing a lot of use. Some companies out there have service departments to keep machinery running. They apply FDM more than you might expect. Alloy 910 for gears, Cf of various kinds for abrasive scenarios, like cardboard handling, in one scenario.
It can be a fantastic material for some functional parts.
But even if not, I don't see how it's invalidates that there are printers out there that are more or less set and forget.
It is a great machine though it does not always make the strongest parts, and single material builds is geometry limiting. Lack of chamber heat and one nozzle makes some things easy, but does not entirely avoid the trouble with higher performing polymers.
I've owned or used probably every major (and some minor) printer released in the last 8 years and for most people Bambu really will just be "plug and play" (and even if something goes wrong they'll hold hands as much as needed)
Entirely this. I bought my A1 mini over the Christmas holidays and couldn't be happier with it, it's my first 3D printer. Searching for models on Makerworld, adjusting tiny bits here and there if needed and print. It just works and I don't really care about anything else, much like my Brother printer.
But the fanboyism and shilling in the 3d printing community is intense. If you mentioned these misgivings you'd get flamed. If you bought or enjoyed another printer people would advise you to sell it and buy Bambu. Lots of people in various threads seemed to defer to that kind of expert advice.
I think there is/was a similar fanaticism for Prusa going on, but it seems a little less at the forefront since Bambu.
The 3d printing community just slapped down heygears for similar BS to what bambu is pulling right now. Once Bambu hire some better software devs and sort out their issues, open access will return, I bet.
I'm not saying I wouldn't love for a fully open source printer company to have the quality and velocity of development that the bambu has (AMS-compatible TPU, delicious), I'm saying people who are making "It's clearly X... You should have known Y" aren't providing useful perspective nor are they accurate. Looking at your post history shows this.
Since the launch of the X1, it’s been closed firmware and tightly controlled. That’s always been the compromise people make to get one.
I’d really like to understand what bait and switch you think has happened, and what you could do before with officially sanctioned methods that you can’t now?
Looks like it's not true?
My other comment on this thread contains the rest of my thoughts. Overall, I think this outrage is overblown.
Printing directly from SD cards via the little touch screen is unchanged since networked computers can’t do that.
This is inaccurate, the printer already required authentication using an 8 digit code. What they're trying to do now is verify that the print has been started using official Bambu software, i.e. software-only DRM.
Was it actually? Is there a source for this?
I'm not so upset about this change (it doesn't affect me, so far), but I'm skeptical this was a widespread problem.
https://www.notebookcheck.net/Bambu-3D-printers-start-printi...
I have owned one since November 2023 - and it has never been hacked or pwned by an outside actor.
Once the update actually rolls out to the P1S obviously. Which may not even happen with the current backlash
For now. They're putting themselves in the middleman position where they get the final say over what we can print on the printers that we supposedly "own".
It's naive to think that they won't try to extract revenue from that privileged position, they wouldn't have spent R&D resources on it otherwise.
Imagine if this limitation existed with Bambu's first-party slicer. It would obviously be considered a pretty big downside.
Where did this understanding come from? I'm pretty happy with my Bambu printer, but I was never under any understanding that it was hackable, let alone open. Since the beginning I was slightly frustrated at the RFID filament spools not being open-enough for others.
I, honestly, have no idea why you thought that. Bambulab has been under fire from the very beginning about not being open at all and not contributing back to the open source community they're built on.
I bought one of their printers during black friday too, it took me a long time to get over the fact that it isn't an open printer, and I never want to go back to tinkering for hours to get meh quality prints.
Not sure where you got this idea from. Despite the hacking, print from SD Card remains an option, and the device does not need an internet connection for initial setup. Version 01.08.02.00 is the first firmware version that supports offline updating, even if it is also the latest version.
Despite an initial issue with the hot end (which was easy and fast enough to fix with help from support). I’ve been really happy with it
It prints pretty much anything. Fast, reliable and very cheap compared to equivalent printers in the market
They're good products, and they are clearly selling at a low enough price point to push for market capture.
The pricing, special features tied into their own AMS + filaments, special features tied into their own slicer. These all indicate that they were building towards this sort of behaviour.
I dove into 3D printing a year ago. I settled on the P1S because its reputation for "just working" and good for beginners. I wasn't interested in attaching a Pi to it, run Klipper on it, I wasn't interested in steep learning curves and choosing from a myriad of slicers. I wasn't interested in "calibrating more than printing" with the Enders that one friend warned me about. I needed it for one simple, but big project and it worked great.
Since then I expanded to getting the enclosure, AMS, and messing around with Orca. The Bambu is very accommodating to learn and grow more and I don't regret the decision at all.
If so one could get a refund :)
That people can hack the Bambu printers is a bonus.
While this lock down doesn't seem right it is far from unexpected, I question the amount of research done prior to your Black Friday purchase (BF and well-thought-out-decisions often do not go hand-in-hand!)…
I bought one (an A1 with the multi-material add-on) some months before that in full knowledge that the company would prefer to funnel people into a walled garden because if you look anywhere you'll find proponents of other makes warning that exactly this is possible & likely, with the "must take many steps to print without talking to their servers" being the key evidence in those warnings.
Good reasons to buy a BBL machine (at least my reasoning when I did):
* They work out of the box more so than many of the competition (many will say "X is better or better value, if you spend Y amount of time tuning" which while often correct, I wasn't looking to spend that time tuning), certainly more so than others at similar prices.
* QoL features (good auto leveling, dynamic flow control) that weren't exactly ubiquitous on similarly priced or cheaper machines.
* Certainly in the case of the newest A1/A1-Mini line: a working MMU option cheaper than you find in other ranges (some manufacturers have started addressing this and the out-of-box experience, in their product lines, 2025 could be an interesting year), and very easy nozzle changes (useful if you want to both do detailed minis (without going resin) and mostly larger items).
* For me, the handling of the A1 issues early last year (quickly acknowledging a potential safety issue and publishing mitigation guidelines, full recall or fix-at-home options when it became clear the issue was more significant) was a point in their favour wrt after-sales giving-a-shit. Obviously not a point against others as we don't know how they'd react until it happens, of course. There are regular complaints of slow support response more generally, but there are for other printer manufacturers too and, well, pretty much all consumer facing industry these days.
* The official documentation & videos, maintenance & troubleshooting guides etc, seemed to me to be more coherent than some other offerings (though searching for "<my problem> reddit" is still a thing!).
Absolutely terrible reasons to buy into BBL, long before this storm:
* Openness (software). From the get go their offering has the trappings of a more controlled garden than the 3D printing community were used to.
* Openness (hardware). While there are some compatible 3rd party after-market parts, there isn't the able-to-build-your-own feel you see elsewhere with people using different extruder nozzles, cooling options, and so on.
--------
This isn't a great analogy, but: BBL is an Apple (though not quite on price) to the rest of the 3D printing industry's Linux and it only takes a small amount of information to see that before buying.
If I upgrade (or have to replace, or just decide to get a second) then maybe I'll go elsewhere. I'm more confident I could get others working well, manufacturers are addressing the points that have allowed BBL to take so much of the market & mindshare in a short time, but the key thing against BBL (not being open like much of the rest of 3D printing) is something I was well aware of when buying (it did make me think twice) so I can't be too mad about it.
Now if they try to stop people using 3rd party filament, like the traditional printing industry with ink & toner, which is far from impossible, then I'll feel they've conned me.
There might be some question as to whether anything like the connectivity layer that sits between BS and the printer that currently isn't open, should also be AGPL. I'll leave discussion of how AGPL and loosely linked components do/n't work together to people with more experience in the area…
It's licensed under the Affero GPL which is very strict about the licensing of derived works. That license requires Bambu to include the source code to any additions they make, including all of the logic, keys, etc. that they're baking into any binary distributions. If they don't, they're violating the copyright rights of Prusa and many others.
So, either Bambu has to open source all of this, which defeats the purpose (given that it's already leaked, that's gonna happen anyway) or they have to route everything through a separate program for their own slicer.
The current implementation (the Bambu network plugin thingy) isn't a part of it either, it's downloaded by the client when BambuStudio is opened.
I don't know AGPL well enough to know if a plugin is considered a derived work but it sure seems to imply it:
> For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work.
However, this can be easily achieved without bricking every single third party integration. That should simply be a toggle in the settings that works entirely local.
Instead, we bought a P1S, which is, technically speaking, a fantastic machine.
Prusa themselves run 600 printers. They are commercial grade. If I was using a printer for commercial design or prototyping I would go with Prusa. Not only because I would prefer my designs were not sent overseas by an always cloud connected printer.
A lot of 3D printer companies have tried to go this route. It is not a strategy that tends to succeed.
I don't know their sales numbers, but I would be willing to bet that the ROI on those printers is nowhere near their bread-and-butter, high volume, mass market models.
I think their priority should have been to build something like the Core One (a P1S killer) rather than these expensive and risky forays into pro/prosumer land. The Core one is, realistically speaking, at least 24 months late to market. This was avoidable.
Everyone who operates a 3D printing farm, and who isn't a complete muppet, knows that closed down products like those of Bambu Labs are risky. Both because some 3D printer manufacturers kind of have a history of being dickish, and because the big boys are coming after Bambu labs with their patent lawsuits and whatnot. There are clear risks in dealing with companies like Bambu.
Dealing with Prusa involves significantly less risk. This reduced risk has value. You can charge a bit more for Prusa products due to the reputation of the company.
Most people I know who own 3D printers would rather have done business with Prusa. But Prusa only had the MK4 on offer and were burning cash on, let's be frank, irrelevant vanity projects.
Yes, Prusa were very much asleep at the wheel. Or at least, they had some strategic lapses in judgement. Let's hope they understand their customer base better now. I'd be happy to be a bit patient with them if it means we can get something that performs like Bambu printers, but from Prusa.
I'll even be willing to pay perhaps as much as 20% more just because I trust Prusa more than Bambu.
It costs more than the P1S - which let's face it, that's what it should be compared to, not the X1C as the Core One doesn't have the stronger nozzle, nor any features that would make it a 'pro' level product.
They also still don't have an answer to the AMS, which is a big selling point for the Bambu's. The MMU3 may be better than the previous one but it's just like putting lipstick on a pig - it's a mess, with tubes all over the place, spools dotted around, and then you've got to constantly babysit it and tune it.
Side by side the P1S with an AMS is still significantly cheaper and from a marketing perspective a much more visually pleasing offering.
Also worth mentioning that whilst the Core One is about to come out, the MMU isn't actually even supported yet, and there's no timeline for when it will be.
Prusa are so far behind at this point and really shouldn't be. Chances are the core one is going to come out and just like the XL and MK4 will be extremely buggy for a good 6 months. How people still accept this is bonkers.
Swapping nozzles makes the machine worth double?
It's what makes me completely baffled how much Prusa have fumbled the Core One release. It should've had an enclosed AMS style product to go alongside it. The MMU is utter junk in comparison to the AMS, god knows why they are still burying their head in the sand over this.
And before people say that Prusa and Bambu printers are for the home market: sure. But I have seen consumer grade 3D printers in a lot of different industries. Prusa, Bambu lab and RatRig are the most common consumer grade printers I tend to see in industrial companies. (I don't think RatRigs are that common, but in a few companies that do mechanical design and they need larger volumes I've seen them being used)
Consumer grade FDM printers are cheap to buy, very cheap to run, reliable and produce decent quality prints. Also, they are far, far better than the FDM printers that you used to be able to get from the likes of Stratasys. For the price of one of the more upscale industrial machines you can buy a sizeable print farm of FDM printers.
When you do a lot of rough prototyping it is better to have a lot of cheap printers than just one advanced printer. Having lots of printers means more people can make more prototypes per day. And it reduces the need for buying more of the expensive printers and then have people have to wait for their turn.
This is why it would be interesting to know the sales figures for multi-material systems. I think the professional market might be less visible online, but they certainly buy a lot of printers.
I'm not at all convinced that Prusa's main issue is the cost. Yes, cost is a huge part of it, but the other one is also just usability. When the X1C launched and later the A1, there was a huge difference in usability between what Prusa and Bambu had. Prusa is catching up and that is good. But they will have to do more on that front still, and the higher cost is less of a concern. It becomes a problem when the more expensive printer is worse too.
And it definitely worked! I got the kit and built it within 10h or so (very enjoyable time actually, like building LEGO as a kid) and have printed lots of stuff ever since. During that entire year I only had a clogged extruder one time and had to take that apart a bit. Any other issues I've had were either due to bad filaments or my own errors (not taking long overhangs or low adhesion seriously while slicing).
And all this time I have been using it completely offline with OctoPrint on an RPi.
Eventually the print head crashed into a failed print overnight, fusing nearly the entire head inside a ball of PLA filament that formed after the printer happily carried on shoving out molten plastic.
I didn't have another 3d printer to print the replacement parts. I was so frustrated with it at that point I just got rid of it.
Until I can treat a 3d printer like a Brother laser printer (forget about it for 9 months at a time and then have it work perfectly when I need it with zero maintenance), I don't think I'll invest in another one.
Thus, on first blush, I welcome security improvements from them, but I'm also anxious to see what they hold.
I do wonder where this is going with the keys, because I've seen a lot of "OH LOOK WE HAVE THE KEYS" but nothing about what the keys are used for or how they are useful. Or if they are even useful.
Hopefully there'll be more interesting news about this soon and some solid, technical info.
Actually for my use case this doesn't work at all -- my printers are region locked to China, but I'm not currently in China so I can't connect to those servers -- meaning (I think!) if I upgrade their firmware, I can't print via LAN on my own local network... which just leaves a bad taste in my mouth.
These are great printers, but there's no need for that.
I have a P1S which currently can print completely isolated from the internet. Unfortunately (or maybe not?) the new firmware isn't available for my printer, so I can't dig into it myself yet.
But I'd really like to see some sort of "when I try to do X it tries to connect to Y" or "I used to be able to do X, and now Y is required as demonstrated here".
Something more than the current hearsay and pitchforks echo chamber.
"Critical Operations That Require Authorization
The following printer operations will require authorization controls:
Binding and unbinding the printer.
Initiating remote video access.
Performing firmware upgrades.
Initiating a print job (via LAN or cloud mode).
Controlling motion system, temperature, fans, AMS settings, calibrations, etc."
Now, PERHAPS, I can do that authentication locally... but given the plugin required for OrcaSlicer it doesn't seem likely.
And keep in mind that OrcaSlicer already used Bambu Network Plugin to communicate with their printers. (It prompted you to download this on install of OrcaSlicer if you picked one of their printers.)
The move to Connect means that OrcaSlicer needs to send the print data to Connect via a protocol handler instead of to the plugin. Connect will then send it on to the printer itself, and from what I've seen it'll do that over LAN. (But I can't test because my printer doesn't support this yet.) I see this as akin to a print driver vs. printer-specific support built into an app. Not a bad thing at all, if done right.
The plugin already did (very minimal) auth via the Access Code and can do it with the printer and Bambu Network Plugin completely isolated from the internet. (I've done this.) So I'd like to know specifics of what's changing here.
Start by logging in to the Bambu Lab account or click Discover to find LAN mode printers."
https://wiki.bambulab.com/en/software/bambu-connect
At the very least - it looks like you'd need to log-in to the cloud account to print on the LAN, which really begs the question.... why?
The text you quoted directly contradicts what you are saying. It says login OR discover to find LAN mode printers.
I don't want to hypothesize about what it could be doing, I want to see what it's actually doing (or see some actual info from folks about what they've seen) so I can decide if I'm comfortable with that or not.
So your blessed Bambu Studio instance connects to Bambu Cloud and requests a certificate, the server issues the certificate to you (or not), and then Bambu Studio may use it to connect to the printer on your LAN.
The certificates have an expiration time of 1 year, meaning that the printer functionality would be severely degraded (missing network connectivity), at most 1 year after they take the servers offline or stop issuing certificates for any reason.
Not a definitive source for what I said, but it contains some information: https://hackaday.com/2025/01/19/bambu-connects-authenticatio...
But where I disagree is with that cert stuff.
1) That cert is on the /client/ side, not in the printer. It has nothing to do with printer functionality, only with talking to the printer.
2) Expired certs do not mean things automatically get rejected. Using and allowing expired or self-signed certs is routine in the IoT world where certs on devices can't readily be updated. But again, that cert isn't from the printer.
3) Expired certs, just like the self-signed certs that are so commonly used, still result in things being encrypted on the wire. And often that's the point.
It seems to me that someone found/exported the cert, and is trying to make all sorts of WHAT-IF or THIS-COULD-MEAN-THE-WORST claims but is lacking some significant understanding. Without understanding the architecture and the rest of the code, and perhaps seeing that cert be used, this is just an artifact found in the distributed beta application.
What do you mean, if my software can't talk to the printer then that affects printing functionality.
Even if it is used to sign some communications, it doesn't matter if it's expired or not on the server side (the printer side), unless the server chooses not to accept it. And then updating it would be a matter of updating Connect; the client.
There's no reason -- other than hyperbole -- to infer that a certificate which expires on the client side will cause the printer to stop doing anything.
For a web-y example, think of how a website which needs a client cert for auth -- like lots of gov't stuff -- would handle a client cert expiring. It'd either accept it anyway, or reject it. But it wouldn't mean the website breaks. And thus claims of that client certificate's expiration being a killswitch for printers is simply wrong.
You would never allow your bank account to be secured with something akin to Bambu Lab's "security fix".
- what the firmware does: verify these operations, meaning it can reject MQTT messages with an invalid/missing signature from third party software
- the big flaw with that approach: by extracting the key, third party software can get full access again
- improvement to security: none (that obfuscation layer doesn't prevent anything if the printer/cloud were vulnerable)
authentication stays the same as before: https://git.devminer.xyz/archive/bambu-connect/src/commit/47...
Then, the first point in their `truth about the update` section:
> This is NOT about limiting third-party software. We're creating Bambu Connect specifically to ensure continued third-party integration while enhancing security. We're actively working with developers like Orca Slicer to implement this integration.
The `we're actively working` with Orca was already addressed by the OrcaSlicer developer [0]
> Bambu informed me of this change two days before their announcement.
and Bambu's idea of "working with" is helping to implement redirect from Orca to their own software that would actually start the print. Seems like limiting third-party software to me.
> This is beta testing, not a forced update. The choice is yours.
This is bizarre, surely beta firmware is intended to be release firmware at some point? If anything, the community outrage proved beta track to work as intended.
> About Panda Touch. We reached out to BTT as soon as we became aware of their product. We warned them that using exploited MQTT protocols...
Also addressed by BQ in [1], tl;dr they tried to work with Bambu but didn't get much response, only a warning that the MQTT might stop working in a future update. So technically Bambu _reached out_, but only to say "don't improve our product". In the end, Bambu is screwing over their customers more than BQ
Further down they still go and defend their decision
> When using third-party slicing software like Orca Slicer, the difference in users experience is not much.
and proceed to demonstrate that Orca Slicer will _easily_ open the new app which will be able to start the printing. Which is exactly what the community complained about, and doesn't address things like missing Linux support.
Finally, they're presenting a diagram showing how the new flow looks like. Except the diagram is missing any details about what the new software does — it doesn't show how, when and why the new software communicates with the cloud.
For someone with even cursory understanding of security, the changes just don't make much sense, and Bambu is not doing much to explain the security protocols they're trying to implement. For all I know they just slapped a private certificate somewhere in the Bambu Connect app and started signing requests to the printer, which doesn't improve security at all if the private key is already public
[0] https://github.com/SoftFever/OrcaSlicer/issues/8063#issuecom...
[1] https://old.reddit.com/r/BIGTREETECH/comments/1i5lzzf/latest...
I know it's not exactly a zip bomb, but it's kinda close, and goddamn, that's obnoxious.
I bought a B/W laser printer and have been generally impressed with the lack of BS that came along with it.
It did ask for toner once, so I bought something from a third-party.
No direct experience, but I recently read[1] Brother HL-L3220CW counts printed pages, and refuses to print after a set number of pages, even if there's still toner in the cartridge. Some models have a way to reset the page count but this one apparently does not.
[1] https://spicausis-lv.translate.goog/2025/01-brother/?_x_tr_s...
(I also use a Brother B/W laser printer, got it second hand for almost nothing, works fine)
The post did mention the other toners that came with the printer also locked, but I think I remember reading elsewhere that those printers are cheaper precisely because they come with EcoPro-only toners in the box.
Factory setting is to stop printing. It can be changed to basically print anyway.
That worked, delivering increasingly crappy prints until replacement toner cartridges arrived.
Swapped one in and the machine is back to printing fine.
I did buy aftermarket, cheap as I could find for replacement.
The factory cart still had 5 percent or so, when compared to the new ones, of toner in it.
Haven't had the sam
All said and done I am pretty happy. Toner got well used, replacement was cheap.
The bad reputation is just from HP's tactic to sell printers cheaper than everyone else, in more stores than anyone else, then make the money back with the scummiest tactics imaginable.
This is a thing. Obviously.
https://urish.medium.com/how-to-turn-your-3d-printer-into-a-...
Only a randomly selected tutorial.
> I'm really shocked the overpriced ink monopolies weren't attacked in this manner,
Inkjet and laser printers easily print whole page 300 DPI raster images in seconds. Plotters need vectorial data and their printing speed depends on how complicated what you are printing is. These things simply don’t serve the same use case. You can do nice art and heart warming cards with a plotter, but you can’t hit print on your boarding card / dhl label / word document and expect your plotter to give you what you see on your screen.
> None of this is remotely new.
I agree that none of this is remotely new. Plenty of people tinker with plotters for fun and profit. There are even pre-packaged consumer centric solutions where you pay the price of convenience with lack of freedoms. (See the similar debacle around the Cricut plotters.)
Because those of us who understand mostly don't care. Those who know bought a Brother laser printer and got on with life.
When those who understand need genuine inkjet prints, we go to a store that owns a printer that is several orders of magnitude better than we will ever need and pay them a pittance to get it printed.
That having been said, I really do wish we had an open source laser printer because, at some point, Brother is going to pull this same bullshit.
If the printing stacks within operating systems are trash, who knows what horrors your network-connected printer firmware has. (Locking down 3rd party ink cartridges in the name of security - what’s an ink cartridge going to do? Buffer overflow the data it sends to the printer? Oh wait, maybe the printer is that dumb and we’re overthinking this, and it’s more inexcusable than first glance suggests.)
It's nice to have a private key to their cloud authentication, but ultimately it's the printers firmware that's the issue. While Bambu owns and updates that, they can change the keys basically anytime they decide that they had enough of the alternative Bambu Connect servers that people will inevitably create with the current keys.
[1] https://github.com/ChazLayyd/Bambu-Lab-Klipper-Conversion
I suggest we collectively print Tiananmen Square Tank Man scenes.
[0] https://www.reddit.com/r/BambuLab/comments/1i548m9/comment/m...
Anyone got a link to a good .stl?
https://www.nysenate.gov/legislation/bills/2025/A2228?utm_ca...
Not quite the same, and hopefully likely to fail if it hasn't already, but it shows that interest exists in regulating 3D printers. When enough interest exists, things will happen.
JMHO.
Applying to all brands equally doesn't make it okay.
If they are going to regulate this, then why not CNC machines? Lathes? Drill presses? Pipes and lumber?
2D printers are not open source and you can still print pretty much anything
From what I understand, this new auth system would make third party integrations (ie, “OrcaSlicer”) obsolete and users would be limited to controlling the device via Bambu Connect. This update impacts users who control the device via HomeAssistant and “print farm management” users. I guess first party support for users with fleets of these printers is dogshit, thus the need for third party software.
Seems after 3 days of community feedback/outrage, the company is backtracking on the Bambu Connect only route. Instead offering a “Developer Mode” option in firmware which on the surface seems to be what the impacted users need. [2]
> In response, we’ve made the decision to implement an optional LAN mode feature, to provide advanced users with more control and flexibility.
> Standard Mode (Default): By default, LAN mode will include an authorization process that ensures robust security
> Developer Mode (Optional): For advanced users of the X1, P1, A1, and A1 Mini who prefer full control over their network security, an option will be available to leave the MQTT channel, live stream, and FTP open. This feature must be manually enabled on the printer, and users who select this option will assume full responsibility for securing their local network environment. Please note that Bambu Lab will not be able to provide customer support for this mode, as the communication protocols are not officially supported.
Seems this resolves the community concerns. Or am I missing something?
[1] https://blog.bambulab.com/firmware-update-introducing-new-au...
[2] https://blog.bambulab.com/updates-and-third-party-integratio...
Why haven't they implemented rudimentary access control with printer-side Basic Auth (or the equivalent auth for MQTT and FTP)? Add optional SSL support to prevent tampering/MITM on a potentially hostile network, and the unauthenticated access concerns listed in [1] should disappear.
Any problems related to potentially damaging instructions should be best-effort mitigated by the firmware and otherwise indemnified by a "your own fault for using a third-party slicer" clause in the EULA.
Bambu Labs shouldn't need to be in the authentication/authorization path, unless we're actively using their cloud environment.
Kind of annoying, but I'm not desperately waiting for Firmware updates, everything works fine so far.
BambuLabs printers may not support this but some people do it. The idea is to use the print head to knock the part out of the bed and into a bin. Probably not worth the hassle for personal use and you may need to design the part a certain way to make it possible, but it is useful for mass production.
A lot of their business model is seemingly based on making long-term sales from consumables. Their solution for multi-color printing is more convenient to use with filament sold by them because they embed information about the filament on proprietary RFID tags.
A couple days ago they announced locking down the API for their most expensive line of printers, locking most API calls to only their own software because of "security". Users are obviously upset.
Rumours for the reasons range from protecting themselves from user mods that replicate the RFID functionality on any filament by configuring the printer via API calls, to Bambu Labs wanting to launch some kind of subscription service for print farms.
> The only thing that really helps them make more money is wasteful multi-color printing.
They're slow to make improvements in this area, but they recently introduced some options to reduce the waste, like longer retraction before the color change. Plus as a user you can reduce the waste further by tuning flushing amounts, and you're left with the waste inherent to single-extruder multicolor printing.
Overall yes multicolor can be wasteful, but to me it's impressive that it exists in the first place
Question to those more familiar with the bambu software ecosystem - do these recent changes to authentication require a constant online connection to print anything from a machine on the LAN? I'm assuming printing via microSD will still be possible?
They are proposing requiring a secret signed certificate to carry out any actions beyond monitoring for both the cloud and local (on printer) MQTT servers. These certificates would be issued at the discretion of Bambu by their CSR, currently only for "Bambu Studio" their slicer, Bambu Handy (their mobile app) and "Bambu Connect" which will enable upload of G-Code generated by third party slicers (a workaround for existing functionality being removed). This "secret" certificate has already been extracted from the Bambu Connect application as per the article, as their new security model requires embedding this certificate into desktop applications.
The current design:
https://github.com/Doridian/OpenBambuAPI/blob/main/mqtt.md
Connecting to their cloud MQTT requires a username and token already. These details are obtained via a HTTPS request to their login server using your bambu account (which requires a valid email & possibly captcha) to obtain a token. The cloud MQTT is TLS secured, although this is just to encrypt the traffic (aka HTTPS), it is not mutual authentication.
Connecting to the MQTT server hosted on the printer (aka LAN mode) requires a fixed username and a local access token (a random 8 digit number). This can be found via the physical display of the printer in a menu (or apparently cloud MQTT!?). This access token can be refreshed via a menu option again physically at the printer. To be clear, this token only allows you to connect directly to the local MQTT server running on the IP address of the printer, so in most environments this should only be the local network. This is also the password for the FTP server that can be used to upload/download sliced 3mf/gcode files.
Personally - this design seems ok to me? With an MQTT service properly configured to isolate user accounts from each other, this is a pattern widely deployed for embedded devices (Azure IoT, AWS IoT etc).
I don't see how the "DDOS" related issues they are claiming would be related to this specific design. If the issue is in the login server - well, that's prior to authentication anyway so nothing they are doing here will fix that.
If it's problems with your cloud MQTT service not being properly isolated - maybe fix that? If the DDOS is at L2, auth isn't going to help. You require logins tied to an email, you can block clients that misbehave once they are logged in.
Nobody is brute forcing the local MQTT server via XSS or something, because JS doesn't allow for raw TCP connections. Are they concerned about malicious software already on the network? Then rate limiting on the printer side or switch to a random length alphanum LAN token to increase keyspace.
I'm curious what more qualified people think, I cannot see any justifications for their proposed design improving security. So either;
a) They've decided they are incapable of properly securing their MQTT cloud stuff and instead of fixing that just want to assume every client connected to their cloud MQTT servers is fully trusted. I'm sure that'll work great. Doesn't justify adding this to the local MQTT servers on the printers - if anything that reduces security, as to roll certificates you now have a long tail of printer firmware updates.
b) It's not about security
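The two mitigations suggested in the comment above (rate limiting on the printer side, and a longer alphanumeric LAN token), sketched as an added example that is not part of the thread and not Bambu Lab's firmware. The class and function names, the backoff parameters and the guess rate are assumptions for illustration; only the 8-digit access code comes from the discussion.

```python
import hmac
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def token_bits(length, alphabet_size):
    """Entropy in bits of a uniformly random token."""
    return length * math.log2(alphabet_size)


def new_token(length=12):
    """Random alphanumeric token drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class AttemptLimiter:
    """Per-source lockout with exponential backoff around an access-code check.

    Hypothetical printer-side logic: the first few failures are free (typos),
    after that each failure doubles the lockout up to max_delay seconds.
    """

    def __init__(self, access_code, free_attempts=5, base_delay=1.0, max_delay=300.0):
        self._code = access_code.encode()
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._state = {}  # source -> (consecutive failures, locked_until)

    def delay_after(self, failures):
        """Lockout in seconds imposed after the given number of failures."""
        if failures < self.free_attempts:
            return 0.0
        return min(self.base_delay * 2 ** (failures - self.free_attempts), self.max_delay)

    def check(self, source, candidate, now):
        """Return 'ok', 'denied' or 'locked' for one login attempt at time `now`."""
        failures, locked_until = self._state.get(source, (0, 0.0))
        if now < locked_until:
            # Rejected without evaluating the candidate, so a locked-out
            # source learns nothing, not even whether the guess was right.
            return "locked"
        if hmac.compare_digest(candidate.encode(), self._code):  # constant-time compare
            self._state.pop(source, None)
            return "ok"
        failures += 1
        self._state[source] = (failures, now + self.delay_after(failures))
        return "denied"


def exhaust_seconds(keyspace, limiter):
    """Enforced waiting time for ONE source to try every code in the keyspace.

    A client that rotates source addresses sidesteps a per-source limiter,
    which is why the token length matters as well.
    """
    total, failures = 0.0, 0
    while failures < keyspace - 1:  # no wait is needed after the final guess
        failures += 1
        delay = limiter.delay_after(failures)
        if delay >= limiter.max_delay:
            # This and every remaining failure costs max_delay.
            total += (keyspace - failures) * limiter.max_delay
            break
        total += delay
    return total


def unthrottled_seconds(keyspace, guesses_per_second):
    """Time to try every code when the service imposes no limit at all."""
    return keyspace / guesses_per_second


if __name__ == "__main__":
    lim = AttemptLimiter("12345678")  # constructed sample access code
    year = 365 * 24 * 3600
    print("8 digits:      %.1f bits" % token_bits(8, 10))
    print("12 alphanum:   %.1f bits" % token_bits(12, len(ALPHABET)))
    print("no limiter, assumed 1000 guesses/s: %.1f hours"
          % (unthrottled_seconds(10 ** 8, 1000) / 3600))
    print("with limiter, single source: %.0f years"
          % (exhaust_seconds(10 ** 8, lim) / year))
    print("example replacement token:", new_token())
```
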
It also means that Connect could act as a farm / queueing system as well, more like a print driver vs. individual printer support within the app.
Getting info from the printer or AMS? MQTT still works. They specifically said they are not touching that.
Sadly the usual groups of people are screaming, and the open printer people are laughing. But at worst.. this is just friction.
Anyone pointing this out seems to get downvoted. But it's all there in the bambu press statement and subsequent pages. Those that are upset seemed to have not read those, and instead just read or watched something inflammatory.
Today it's just one extra button press. In 5-10 years when they shut down the servers for Bambu Connect nobody would be able to print anything at all. It's only because people were vocal in their complaints that their unsupported dev mode was made an option that would let people continue to use what they paid for
And yeah, I'm realizing that about the downvotes. It's sad the state of things, but SKY-IS-FALLING-GET-PITCHFORKS wins the day over technical analysis, even on purportedly technical forums. But alas, that's an aside.
I'm really looking forward to this rolling out, as I want to monitor my printer with Home Assistant but I /really/ don't like how much control the current (non-beta, non-future) state gives HA. I /want/ auth of some sort when submitting jobs, and it looks like I'll have that.
(I also really want the slicer decoupled from the print management stuff, because I tend to keep a few slicers open and experiment.)
Is there another brand that is idiot proof?
A recent review coming to a similar conclusion was Maker Muse' review of bedslingers.
It's a channel I respect a lot, because he has over the years relentlessly disclosed emails of companies trying to bribe or lean on him, or threaten him, and refused to play along.
Most other 3D printing content is essentially paid advertising -- including, I suspect, the carefully constructed brand narrative of Bambu as the first "fire and forget" printers, as if they somehow elevated the art form, when really the user experience is not substantially different.
You do not need to tinker or problem-solve with other modern well-reviewing printers, nor do they fail more prints. My MK4 hasn't failed a single print in a year (i.e. since I bought it), and I haven't had to do any sort of maintenance.
I agree with this
> and more reliable
I emphatically disagree with this.
> while generally achieving somewhat better results
I agree with this.
I'd also like to add that my Prusa Mk3s+ is significantly slower than my P1S. Also, without the MMU it still cost more than my P1S with AMS. Choosing a Prusa is making a philosophical choice, because it's certainly not about convenience, speed, versatility (considering you need to buy a separate enclosure and pricey MMU), bed size, or price. It's a choice you make because you're okay with spending a lot more to support an open platform where you can flash your own firmware without voiding your warranty, not because you want a better experience.
They also have no multimaterial support at launch, the MMU3 will not work with the Core One until they release an update, which they've not yet given a timeline for.
Not to mention it's just a messy product. Heck the new Core One doesn't even have support for it at launch which is pretty unforgivable.
Everyone complains about enshittification (YouTube ads, subscription models etc..), but then refuse to pay the real price premium goods and services cost. You get what you pay for.
If you think they care about security, let me remind you that this company used to connect to their cloud in plaintext. The only security they really care about is that of their revenue.
If they actually cared about security, they would let us disconnect these printers from the cloud completely and allow us to manage our own mTLS certificates.
But yeah, the enshittification economy has made people justifiably paranoid that if a product starts exhibiting new capabilities or features that would seem to support or enable a move towards subscriptions, it’s a good bet that that is in fact the trajectory of the platform.
But afaik Bambu has neither confirmed nor denied that this is in the works.
I had a little bit of trouble with it maybe six months ago (repeatedly tripped offline during prints from a thermal issue) but Prusa's online support talked me through recalibrating it and it's been trouble-free since then.
Eventually I'll get a used FormLabs setup. Once I have a shop space set up.
The whole situation reminds me of drones. DJI is (maybe) questionable but their products are without competition when you look at price and quality. Bambu products are also fantastic.
On second thought TP-Link fits too. My TP-Link mesh network just works perfectly. So do their smart plugs.
It is running Klipper internally and there are mods to run a completely open source stack (with blobs).
I have simply not had a failed print, it's incredible. I have so much confidence in the unit that I now keep two rolls of the same colour loaded and if I find a cool model while out and about, I just print it with full trust it'll be waiting for me by the time I get home. Amazing progress.
Obviously, hindsight is 20:20, but it's just a reminder: your cynicism is warranted. Don't trust anyone any more than you absolutely have to.
In general people are just scared of change and on top of that are playing telephone on the details of the change, assuming the worst intentions from Bambu like they're trying to be the next HP.
I have seen a lot of misinformation on this topic, and I think that in that sense it's a good idea to read the actual announcement details to get a better read on Bambu's intentions: https://blog.bambulab.com/firmware-update-introducing-new-au...
A voice in Bambu's defense on this issue would say:
1. The new firmware isn't out, it's still in beta, and the new connect software is also in beta. This stuff isn't done and nobody has been forced to use it or even had it presented as an OTA update yet. The problems highlighted in this wiki page are very possibly problems that Bambu is aware of and intends to fix before release.
2. Bambu in their blog article stated that they are working on integration code so that third party slicers like Orca Slicer can more directly interface with Bambu Connect (see the FAQ section)
3. There are multiple statements on this blog page where Bambu acknowledges the workflow disruption and emphasizes the things they intend to do and do not intend to do, such as "It’s important to note that this update is not intended to restrict third-party software use. In fact, we’ve actively collaborated with third-party print farm management software providers in the past and continue to support such partnerships. To further improve the user experience, we are introducing a new software solution that will address these limitations and enhance overall print farm management capabilities."
4. People who don't run huge print farms don't seem to be impacted by this. Remember that Bambu claims to be a consumer tech company, right there in the "About Us" section. They are trying to make printers that are easy to use and require minimal tinkering. For a normal person, sending a slice file from Orca Slicer to a separate app (adding literally one step) is not a big deal, you're doing that once per print in a world where typical prints take hours to complete. And with that in mind, Bambu is still saying they intend to provide an integration solution to Orca Slicer in the future to streamline that process.
Whether or not the software design is a good architecture is an entirely different issue, and as a beta product I'm not sure we can judge that quite yet. Perhaps they should have hardened their network API more rather than introducing a new app? Perhaps they shouldn't have announced this so publicly before they had a solution for third-party integrations ready?
Blocking printing from SD card in LAN mode basically denies any claims that this change was a poorly communicated improvement.
LAN mode didn’t exist when this product was first sold, and it was never implemented through the SD card. It was meant to be used through Bambu Studio over your local network.
“Not implemented/not yet implemented” != “blocked”
Someone who bought a Bambu Lab printer early on actually has more ability to use it without a cloud service now than they did when the product was new. Just about everyone who owns a Bambu Lab printer already signed up for a cloud-connected printer.
https://wiki.bambulab.com/en/p1/manual/p1p-firmware-release-...
"Starting January 17th, users will have access to the beta firmware"
"Launching first for X Series printers, with P and A Series updates planned for future release"
Their idea of "working with" the people impacted by this change is to just give them a couple of days' notice that they are about to be fucked over.
Also the whole "it's just a beta" is such a stupid point I don't even want to respond to it. Truly idiotic.
They are positioning themselves to build a proper walled garden.
That entire blog post could be summed up as "We know we are doing a shit thing but We. Don't. Care. So it would be great if y'all could just shut up about it until it's more ready."
You can read the blog post that way if you want and insinuate the most negative possible interpretation, but I'm just going through why I choose not to do that.
For one thing, I'm failing to see how this supposed "walled garden" is going to magically materialize and benefit them financially. The best answer I get from all the alarmed people surrounding this subject is that they'll want to charge monthly fees for premium features in the software, especially to print farm owners.
But they don't operate in a competitive vacuum and that would instantly shift users to their competition. Print farm users pay off their equipment very quickly. I've seen cost breakdowns done by actual print farm operators online and the initial and ongoing machine cost is essentially the smallest part of the cost of doing business. Print farmers would pretty much switch away to other brands instantly if Bambu started charging fees for print farm scale.
If they charge even a Netflix-like fee of something like $20/month, that essentially pays for a $1000 Prusa printer minus the cost of a Bambu printer in only 3 years. They have no room to charge monthly fees against competition.
Bambu is patching a security issue. Personally I don't want any device or application to send any old G-code to my printer. Like say command the printer to basically destroy itself.
Could this lead to completely locking it down in the future? Yes. But they could do that anyways.
I think this is a way to stop getting their pants sued off.
If they really wanted to lock it down they could just make it so everything has to go through their servers and require files to be signed before being read from SD cards.
But instead we really have a half ass attempt.
This is basically the equivalent to having passwords on a MySQL database or redis server.
Why on earth would they add a subscription? That makes absolutely no sense business wise. No one would buy their printers, and they don't have a captured market to strong arm anyone.
I personally do not want my printer connected to any vendor's server in any way...IMHO, there is no reason for it.
[1] https://www.reddit.com/r/3Dprinting/comments/15sfisq/bambula...
This isn't a security fix. As a security protocol, it wouldn't pass any kind of security audit. A security fix would be something based on a per user credential, not on obscurity.
> Personally I don't want any device or application to send any old G-code to my printer.
Username/password over TLS would do that better than what Bambu Lab is proposing, as an extremely simplistic example.
Already works that way and isn't affected by this update: https://wiki.bambulab.com/en/security-incidents-cloud-traffi..., https://github.com/Doridian/OpenBambuAPI/blob/main/mqtt.md#l...
Why not implement some kind of open authentication? One that other slicers can implement.
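The contrast drawn in the comments above, between a per-user credential and a secret that is the same in every client, sketched as an added example that is not part of the thread and not Bambu Lab's protocol. The key names, the job counter and the HMAC construction are assumptions made for illustration, and transport encryption (TLS) is assumed to be handled separately.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a secret compiled into every copy of a client app.
APP_KEY = b"same-bytes-in-every-install"

def sign(key: bytes, gcode: bytes, counter: int) -> bytes:
    """MAC over the job counter and the SHA-256 digest of the G-code."""
    msg = counter.to_bytes(8, "big") + hashlib.sha256(gcode).digest()
    return hmac.new(key, msg, hashlib.sha256).digest()

def accept_shared(gcode: bytes, counter: int, tag: bytes) -> bool:
    """Shared-secret model: any holder of APP_KEY passes, nobody can be revoked."""
    return hmac.compare_digest(tag, sign(APP_KEY, gcode, counter))

class PrinterAuth:
    """Per-user model (hypothetical): the owner enrols and revokes each client."""

    def __init__(self):
        self.keys = {}   # user -> secret key issued at enrolment
        self.last = {}   # user -> highest job counter accepted so far

    def enrol(self, user: str) -> bytes:
        self.keys[user] = os.urandom(32)
        self.last[user] = 0
        return self.keys[user]

    def revoke(self, user: str) -> None:
        self.keys.pop(user, None)

    def accept(self, user: str, gcode: bytes, counter: int, tag: bytes) -> bool:
        key = self.keys.get(user)
        if key is None or counter <= self.last[user]:
            return False  # unknown or revoked user, or a replayed job
        if not hmac.compare_digest(tag, sign(key, gcode, counter)):
            return False  # wrong key, or G-code altered after signing
        self.last[user] = counter
        return True
```

With per-user keys, a credential recovered from one client authenticates only that client and can be revoked without touching the others; with the shared key, the only remedy is replacing the secret in every install.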