3D-printing specialist Bambu Lab has announced that it will offer a "one-way ticket" for users to install the third-party X1 Plus firmware on their Bambu Lab X1 printers — after closing a security hole which allowed installation in the first place.
"As many of our customers may have already noticed, there is a third-party firmware being developed by the X1 Plus team, which has become a hot topic in the community," Bambu Lab has announced, in a post attributed to pseudonymous staffer "Spaghetti Monster". "Initially, we were shocked to discover a loophole in the firmware that allowed the printer to be jailbroken, and we were uncertain about the intentions of those behind this hack."
Founded by former staff of drone maker DJI, Bambu Lab produces a range of 3D printers built around a closed and proprietary platform. Despite not being open-source, the printers have attracted a range of hackers and tinkerers looking to customize or improve the devices — including a team of developers behind a replacement Bambu Lab X1 firmware dubbed X1 Plus.
For Bambu, the firmware represented a threat: the platform is, by choice, closed and should not allow the installation of third-party firmware. "We chose to build a closed and proprietary system, understanding this would bring its own set of challenges, including development difficulties and potentially disappointing customers in this DIY-spirited community," the company explains. "The entire ecosystem, including hardware and software, was designed under the assumption it would be closed, with Bambu Lab having full control over its evolution, except for the slicer, as it used open-source code."
Bambu Lab's initial reaction was to treat the existence of the firmware as a security issue, but a discussion with the team behind it resulted in a change of heart. The company still plans to release an updated official firmware which will close the hole allowing X1 Plus to be installed, but it has promised to provide a means for those who still want to use the third-party firmware to install it — with the understanding that it may be a one-way trip away from official firmware support.
"We will give customers the choice to install third party firmware and root system at their own risk," the company writes. "This choice comes with certain costs in the form of giving up the support of the official software ecosystem which we hope everyone understands. Installing non-official firmware means customers waive official support expectations and take full responsibility for their own printer's security and safety. We cannot guarantee nor intentionally block the use of the cloud service for printers with third-party firmware, as the firmware and cloud are closely coupled systems."
"We will release a new firmware (let's call it firmware R) to allow the installation of the X1 Plus firmware, similar to firmware prior to V22.214.171.124," the company continues. "A dedicated webpage will be set up for customers to sign a waiver of warranty and safety responsibility. Once signed, firmware R will become available to be installed on the printer, enabling third-party firmware installation even if you are already on V126.96.36.199. This basically gives everyone their freedom to choose between Bambu Lab firmware and third-party firmware. Future official Bambu Lab firmware releases after firmware R will have new security measures applied to prevent rooting, and we will no longer provide solutions for rooting the new versions of the firmware."
Describing the offer as "a one-way ticket for customers to choose between Bambu Lab OEM [Original Equipment Manufacturer] firmware and third-party firmware," the company admits its approach "isn't perfect" but argues that it makes sense — and can be deployed within weeks. The firmware will also solve a privacy issue highlighted by the X1 Plus developers, in which excessive information was logged and could be transmitted to Bambu Lab servers — something which the company says will be changed in "Firmware R" and subsequent official releases.
Bambu's full write-up on the situation is available on the company blog.