# Bambu Lab RFID Tag Guide
This guide gives you a basic overview of how you can decrypt and read your tags.
[View Collection of Tags](https://github.com/queengooborg/Bambu-Lab-RFID-Library)
[Discord](https://discord.gg/zVfCVubwr7)
# Table of contents
<!--ts-->
* [Project Summary](#project-summary)
  * [FAQs](#faqs)
  * [How to contribute](#how-to-contribute)
  * [Todos/Timeline/Next steps](#todostimelinenext-steps)
* [Requirements](#requirements)
  * [Proxmark3 compatible readers](#proxmark3-compatible-readers)
    * [Proxmark3 Easy](#proxmark3-easy)
* [Hacking a Bambu Lab Tag and readout of its data](#hacking-a-bambu-lab-tag-and-readout-of-its-data)
  * [Deriving the keys](#deriving-the-keys)
  * [Proxmark3 fm11rf08s recovery script](#proxmark3-fm11rf08s-recovery-script)
  * [Sniffing the tag data with a Proxmark3 (legacy method)](#sniffing-the-tag-data-with-a-proxmark3-legacy-method)
* [Tag Documentation](#tag-documentation)
* [How do RFID tags work?](#how-do-rfid-tags-work)
* [Compatible RFID tags - By generation](#compatible-rfid-tags---by-generation)
* [Reverse engineering RFID Board](#reverse-engineering-rfid-board)
<!--te-->
## Project Summary
This is a research group dedicated to documenting the data structures used by Bambu Lab 3D printers to identify filament data.
### FAQs
- **Can I create custom tags?**
  - No, tags are digitally signed. Even if you modify the contents, the printer will reject any tag without a valid RSA signature.
  - An [Open Source RFID Tag](OpenSourceRfid.md) has been proposed to allow anyone to create or modify their own tags. This must be adopted by printer manufacturers, or you can mod your own printer to support it.
- **Can I clone tags?**
  - Yes, you can read and clone tags using a tool such as a Proxmark3. Check out our [collection of scanned tags](https://github.com/queengooborg/Bambu-Lab-RFID-Library).
- **What are the next steps for this project?**
  - Deciphering the rest of the unknown tag content
  - Custom AMS firmware that allows custom tags to be read while ignoring the signature
  - See [Todos/Timeline/Next steps](#todostimelinenext-steps) for more info
### How to contribute
If you have a Proxmark3 (or other RFID debugging tool), you can decrypt the contents of your Bambu Lab RFID tags and submit them via [Discord](https://discord.gg/zVfCVubwr7).
A lot of the contents have been deciphered, but the more data we have, the easier it is to compare differences to learn what each byte represents and double-check our answers.
### Todos/Timeline/Next steps
- [ ] Tool for automatic trace analysis
- [x] Tag content analysis
- [x] Generate keys based on an arbitrary UID
## Requirements
- A computer running macOS or Linux, or a Windows computer with a WSL installation
- Python 3.6 or higher
- A Bambu Lab filament spool **or** the related tags
- An NFC/RFID reader that can read encrypted tags, such as:
  - A Proxmark3-compatible RFID reader (recommended)
    - The [proxmark3 (Iceman fork) software](https://github.com/RfidResearchGroup/proxmark3)
      - Requires v4.18994 (codename "Backdoor") or higher
      - You MUST use the Iceman fork, as the original version of the software is unmaintained; all instructions and scripts are written for the Iceman fork and will not work on the original version
  - A Flipper Zero
### Proxmark3 compatible readers
#### Proxmark3 Easy

A Proxmark3 Easy is sufficient for all the tasks that need to be done. You can buy a clone from AliExpress, Amazon or Dangerous Things.
## Hacking a Bambu Lab Tag and readout of its data
Here we document the simplest approach to obtaining all required A keys and the data of the tag. The easiest way is to derive the keys using the Python script in this repository.
### Deriving the keys
A way to derive the keys from the UID of an RFID tag was discovered, which unlocked the ability to scan and scrape RFID tag data without sniffing, as well as with other devices like the Flipper Zero. A script is included in the repository to derive the keys from the UID of a tag.
First, obtain the tag's UID:

- Proxmark3
  1. Run the Proxmark3 software by running `pm3` in the terminal
  2. Place the Proxmark3 device on the RFID tag of the spool
  3. Run `hf mf info` and look for the UID line item
- Flipper Zero
  1. Open the NFC app and scan the tag
  2. The Flipper will attempt to decrypt the tag, but you can skip the "Nested Dictionary (Backdoor)" step for speed
  3. The UID of the tag will appear on-screen
- Bambu Lab AMS
  1. Load the spool into an AMS slot and wait for it to finish loading
  2. View the spool's details on the printer's touchscreen, Bambu Studio or Bambu Handy
  3. The UID is the first eight characters of the spool's serial number

Next, run the key derivation script and pipe its output to a file by running `python3 deriveKeys.py [UID] > ./keys.dic`.

Then, use the keys file to extract the data from the RFID tag:

- Proxmark3
  1. Run the Proxmark3 software by running `pm3` in the terminal
  2. Place the Proxmark3 device on the RFID tag of the spool
  3. Run `hf mf dump -k ./keys.dic` to dump the RFID tag's contents
- Flipper Zero
  1. Open the qFlipper program and connect your Flipper to your computer
     - You may also connect the SD card directly to your computer
  2. Navigate to `SD Card/nfc/assets/`
  3. Copy the `mf_classic_dict_user.nfc` file to your computer
  4. Copy the contents of `keys.dic` to `mf_classic_dict_user.nfc`
  5. Copy `mf_classic_dict_user.nfc` back onto your Flipper
  6. Use the NFC app to scan your tag
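The derivation step above, as an added example that is not the project's `deriveKeys.py`: a stand-alone HKDF-SHA256 key derivation from the 4-byte UID that emits the 16 sector keys in the one-key-per-line hex format both `hf mf dump -k` and the Flipper's `mf_classic_dict_user.nfc` accept. The HKDF construction is my assumption about the project's KDF, and `KDF_SALT` / `KDF_INFO` are placeholders (take the real constants from the repository's script), so the keys this block prints will not open a real tag until those are filled in.

```python
"""Derive the 16 MIFARE Classic sector keys for a Bambu Lab tag from its UID.

Added example, not the project's deriveKeys.py. Assumes the KDF is HKDF-SHA256
(RFC 5869) with the 4-byte UID as input key material, producing 16 keys of
6 bytes, one per MIFARE Classic 1K sector. KDF_SALT and KDF_INFO are
PLACEHOLDERS: copy the real constants from the project's script.
"""
import hashlib
import hmac

# PLACEHOLDER constants: substitute the values used by the project's deriveKeys.py
KDF_SALT = bytes.fromhex("00" * 16)
KDF_INFO = b"PLACEHOLDER-INFO"

SECTORS = 16  # MIFARE Classic 1K: 16 sectors of 4 blocks, one key A per sector
KEY_LEN = 6   # MIFARE Classic keys are 48 bits


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF with SHA-256: extract a PRK, then expand to `length` bytes."""
    if not 0 < length <= 255 * hashlib.sha256().digest_size:
        raise ValueError("HKDF output length out of range")
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for counter in range(1, -(-length // 32) + 1):  # ceil(length / 32) blocks
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def parse_uid(uid_hex: str) -> bytes:
    """Accept the UID as `hf mf info` prints it ('AA BB CC DD') or packed ('AABBCCDD')."""
    uid = bytes.fromhex(uid_hex.replace(" ", "").replace(":", ""))
    if len(uid) != 4:
        raise ValueError("expected a 4-byte MIFARE Classic UID")
    return uid


def derive_keys(uid_hex: str) -> list:
    """Return the 16 sector keys (6 bytes each) for the given UID, sector 0 first."""
    okm = hkdf_sha256(parse_uid(uid_hex), KDF_SALT, KDF_INFO, SECTORS * KEY_LEN)
    return [okm[i * KEY_LEN:(i + 1) * KEY_LEN] for i in range(SECTORS)]


def keys_dictionary(uid_hex: str) -> str:
    """One 12-hex-digit key per line: the layout of keys.dic / mf_classic_dict_user.nfc."""
    return "\n".join(k.hex().upper() for k in derive_keys(uid_hex)) + "\n"


if __name__ == "__main__":
    import sys
    # Usage mirrors the guide: python3 thisfile.py <UID> > keys.dic
    sys.stdout.write(keys_dictionary(sys.argv[1] if len(sys.argv) > 1 else "01234567"))
```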
### Proxmark3 fm11rf08s recovery script
In 2024, a new backdoor[^rfid-backdoor] was found that makes it much easier to obtain the data from the RFID tags. A script that uses this backdoor has been included in the proxmark3 software since v4.18994 (nicknamed "Backdoor"). Before this script was implemented, the tag had to be sniffed by placing the spool in the AMS and capturing the packets transferred between the tag and the AMS.
Place your reader on the tag, start proxmark3 (run `pm3`) and run the following command:
`script run fm11rf08s_recovery`
This script takes about 15-20 minutes to complete. Once it has finished, you will receive a binary key file and a dump.
To visualize the data on the tag, run the following:
`script run fm11rf08_full -b`
### Sniffing the tag data with a Proxmark3 (legacy method)
Before the above methods were developed, tag data had to be obtained by sniffing the data between the RFID tag and the AMS using a Proxmark3-compatible device.
To read how to obtain the tag data using the legacy sniffing method, see [TagSniffing.md](./TagSniffing.md).
## Tag Documentation
For a description of the blocks of a Bambu Lab RFID tag, see [BambuLabRfid.md](./BambuLabRfid.md).
For a description of the blocks of a Creality RFID tag, see [CrealityRfid.md](./CrealityRfid.md).
An open-source standard proposal, Open 3D-RFID, is being incubated in this repository. For a description of the standard, see [OpenSourceRfid.md](./OpenSourceRfid.md).
## How do RFID tags work?
Here's a high-level summary of how everything works:
- Bambu Lab printers use MIFARE 13.56 MHz RFID tags
- These tags contain a unique ID that is not encrypted (called the UID)
  - In most cases the UID is fixed (not changeable). Some "hackable" RFID tags allow you to set the UID to anything you want
- Blocks (Encrypted)
  - MIFARE tags also contain "Blocks" of data. Each block contains info about the spool, such as Material, Color, Manufacturing Date, etc.
  - The blocks are encrypted, meaning that you need to have a KEY to decipher them
  - Each block is encrypted with a different key
- Encryption Keys
  - Keys are unique to each RFID tag. Even if you discover the key for one tag, that doesn't mean you can use that same key to unlock a different tag.
  - As of 11/19/24, keys can be derived from the UID. After reading the UID from the tag, the KDF (key derivation function) can be used to derive the 16 keys.
  - (Outdated, sniffing is no longer required now that the KDF is known) Keys can be sniffed by using a device (such as a Proxmark3) to listen in on the communication between the AMS and the RFID tag.
  - Once the keys have been sniffed, they can be saved and used to read the contents of the tag directly (without an AMS). (Reminder: the saved keys will ONLY work for the tag they were sniffed from)
- RSA Signature
  - One of the blocks contains a 2048-bit RSA signature
  - RSA signatures are a way to digitally sign / certify the authenticity of content, and they are effectively unbreakable (this is how things like cryptocurrency remain secure)
  - The RSA signature covers all of the data of the RFID tag. Changing a single byte somewhere else in the tag would require a completely different signature to be considered genuine
  - Bambu printers check the content of the tag and then check whether the signature is valid. If the signature is invalid, the tag is rejected
- Cloning Tags
  - Even though there is a signature, a tag can be cloned
  - To clone a tag, the clone must have the same UID, identical content in the data blocks, and the identical RSA signature
  - Changing even one byte will cause the signature to be invalid, and the tag will be rejected
- Custom Tags
  - This is very unlikely to happen, mostly due to the RSA signature. Only Bambu Lab has the "Private Key" which is used to digitally sign these tags.
  - To create a custom tag, you would need to know the following:
    - The RSA signature private key. You'd have to get this from Bambu, good luck
  - Since Bambu Lab will likely not remove the signature requirement, you would need custom AMS firmware to read tags and ignore the signature
## Compatible RFID tags - By generation
There are tags known as "Magic Tags" which allow functionality that's not part of the classic MIFARE spec.
One example is that most Magic Tags allow the UID to be changed, which is normally read-only on MIFARE tags.
Magic tags are often referred to by their "generation", e.g. "Magic Gen 1". Each newer generation increases the functionality, but tends to also be more expensive.

| Generation | Compatibility | Notes |
| --- | --- | --- |
| Gen 1 | **Not compatible** | The AMS checks whether the tag is unlockable with command 0x40 |
| Gen 2 | **Works** | |
| Gen 2 OTW | **Not tested** | |
| Gen 3 | **Not tested** | |
| Gen 4 | **Not tested** | The best option, but pricey and hard to source in a small chip form factor |
| FUID | **Works** | "Fused UID" aka "write-once UID". Once a UID is written, it cannot be changed |
## Reverse engineering RFID Board
For ease of debugging and to lower the cost of failures, the RFID board has been reverse-engineered. You can find complete production-ready Gerber files and a bill of materials in the [rfid-board](./rfid-board) folder.
[^rfid-backdoor]: https://eprint.iacr.org/2024/1275.pdf
", Assign "at most 3 tags" to the expected json: {"id":"12306","tags":[]} "only from the tags list I provide: [{"id":77,"name":"3d"},{"id":89,"name":"agent"},{"id":17,"name":"ai"},{"id":54,"name":"algorithm"},{"id":24,"name":"api"},{"id":44,"name":"authentication"},{"id":3,"name":"aws"},{"id":27,"name":"backend"},{"id":60,"name":"benchmark"},{"id":72,"name":"best-practices"},{"id":39,"name":"bitcoin"},{"id":37,"name":"blockchain"},{"id":1,"name":"blog"},{"id":45,"name":"bundler"},{"id":58,"name":"cache"},{"id":21,"name":"chat"},{"id":49,"name":"cicd"},{"id":4,"name":"cli"},{"id":64,"name":"cloud-native"},{"id":48,"name":"cms"},{"id":61,"name":"compiler"},{"id":68,"name":"containerization"},{"id":92,"name":"crm"},{"id":34,"name":"data"},{"id":47,"name":"database"},{"id":8,"name":"declarative-gui "},{"id":9,"name":"deploy-tool"},{"id":53,"name":"desktop-app"},{"id":6,"name":"dev-exp-lib"},{"id":59,"name":"dev-tool"},{"id":13,"name":"ecommerce"},{"id":26,"name":"editor"},{"id":66,"name":"emulator"},{"id":62,"name":"filesystem"},{"id":80,"name":"finance"},{"id":15,"name":"firmware"},{"id":73,"name":"for-fun"},{"id":2,"name":"framework"},{"id":11,"name":"frontend"},{"id":22,"name":"game"},{"id":81,"name":"game-engine 
"},{"id":23,"name":"graphql"},{"id":84,"name":"gui"},{"id":91,"name":"http"},{"id":5,"name":"http-client"},{"id":51,"name":"iac"},{"id":30,"name":"ide"},{"id":78,"name":"iot"},{"id":40,"name":"json"},{"id":83,"name":"julian"},{"id":38,"name":"k8s"},{"id":31,"name":"language"},{"id":10,"name":"learning-resource"},{"id":33,"name":"lib"},{"id":41,"name":"linter"},{"id":28,"name":"lms"},{"id":16,"name":"logging"},{"id":76,"name":"low-code"},{"id":90,"name":"message-queue"},{"id":42,"name":"mobile-app"},{"id":18,"name":"monitoring"},{"id":36,"name":"networking"},{"id":7,"name":"node-version"},{"id":55,"name":"nosql"},{"id":57,"name":"observability"},{"id":46,"name":"orm"},{"id":52,"name":"os"},{"id":14,"name":"parser"},{"id":74,"name":"react"},{"id":82,"name":"real-time"},{"id":56,"name":"robot"},{"id":65,"name":"runtime"},{"id":32,"name":"sdk"},{"id":71,"name":"search"},{"id":63,"name":"secrets"},{"id":25,"name":"security"},{"id":85,"name":"server"},{"id":86,"name":"serverless"},{"id":70,"name":"storage"},{"id":75,"name":"system-design"},{"id":79,"name":"terminal"},{"id":29,"name":"testing"},{"id":12,"name":"ui"},{"id":50,"name":"ux"},{"id":88,"name":"video"},{"id":20,"name":"web-app"},{"id":35,"name":"web-server"},{"id":43,"name":"webassembly"},{"id":69,"name":"workflow"},{"id":87,"name":"yaml"}]" returns me the "expected json"