Description
Is there an existing issue for this problem?
- I have searched the existing issues
OrcaSlicer Version
1.5.1
Operating System (OS)
Windows
OS Version
All
Additional system information
The code provided here does not appear to be the code which you compile and provide as downloads to your customers. This observation is made by noting the apparently hard-coded DNS and other network requests that Orca-FF makes to a variety of servers to send information.
Customers using your product, especially one that uses the license Orca-FF claims, should have full insight into the code which controls network connectivity and transmission of user data. Analysis of network connections made by Orca-FF shows, at a minimum, the following hostnames are queried, presumably for connections from the client:
While some of these would seem to be legitimate services used to authorize the client account, check for updates, or connect to services, it is unclear what most of these do. The majority of these DNS hostnames do not appear within the codebase, nor do they appear to be delivered dynamically via open calls in the software.
Some connection information tracked from the software:
And actual HTTPS data transferred:
The connections above and associated calls in this case show:
Additionally, a non-HTTPS session is apparently made to the following "mystery" IP over 443:
34.126.79.182
This IP may alternatively be one of these IPs:
20.247.221.143
47.251.86.28
47.254.67.39
If connections cannot be made to one of these "mystery" IPs, account login will fail. These all appear to communicate via 443, but not utilizing HTTPS. They appear to be services hosted on various cloud providers including Microsoft, Google, and Alibaba. However, the point of these endpoints and the data transferred is unknown.
Again, out of all of these addresses the client makes contact with, the only ones with traces in the code base are:
sz3dp.com - https://github.com/search?q=repo%3AFlashForge%2FOrca-Flashforge%20sz3dp&type=code
bambulab.com - https://github.com/search?q=repo%3AFlashForge%2FOrca-Flashforge+bambulab.com&type=code
auth.flashforge.com (but not the API!) - https://github.com/search?q=repo%3AFlashForge%2FOrca-Flashforge+auth.flashforge.com+&type=code
www.ishare3d.com - https://github.com/search?q=repo%3AFlashForge%2FOrca-Flashforge+ishare3d&type=code
That means the majority of established and continuing connections are made to sites which do not appear to be listed in the code base. Analysis of the API and other HTTPS data streams above does not show this information being delivered dynamically to the clients. The best hypothesis therefore is that these addresses (either DNS or direct IPs) are hardcoded in the compiled software and therefore that pre-compiled software contains code that is not made public in this repo.
Please explain the nature of these connections and why the code which controls them is not included in this repo which is advertised as the code base for your compiled end-user software.
EDIT: Additional evidence may indicate that the code loads other libraries which themselves have the embedded information to make these connections. In any event, it would be beneficial for FF to publish what their connections are used for, both for transparency and to allow users to properly configure their firewalls since allowing open access to CN is not usually considered safe.
Printer
Adventurer Series
How to reproduce
Simply open Orca-FF and log in with an account.
Data gathered with Wireshark, Proxifier, mitmproxy, etc.
Actual results
The observed connections above.
Expected results
Connections only to addresses which are either present in the code-base, or delivered dynamically to the client via other API calls.
Project file & Debug log uploads
N/A
Checklist of files to include
- Log file
- Project file
Anything else?
No response
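An added example, not part of the original issue or of the Orca-Flashforge project: one way to automate the cross-check the report describes, sorting each observed hostname into "present in the published source", "present only in shipped binaries or bundled libraries" (the possibility raised in the EDIT), or "unexplained". All hostnames, file names and suffix lists below are constructed placeholders; the exact-match pattern covers the "auth.flashforge.com (but not the API!)" kind of distinction.

```python
import re
import tempfile
from pathlib import Path

SOURCE_SUFFIXES = {".cpp", ".hpp", ".h", ".json", ".cmake", ".txt"}  # assumed list
BINARY_SUFFIXES = {".exe", ".dll"}                                   # assumed list

def host_pattern(host):
    # Exact-hostname match: "auth.vendor.example" must not be satisfied by
    # "api.auth.vendor.example" or "auth.vendor.example.cn".
    return re.compile(r"(?<![A-Za-z0-9.-])" + re.escape(host) + r"(?!\.?[A-Za-z0-9-])", re.I)

def files_mentioning(host, root, suffixes):
    pat, hits = host_pattern(host), []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        data = path.read_bytes()
        # Windows binaries often store strings as UTF-16LE, at either byte alignment.
        views = (data.decode("latin-1"), data.decode("utf-16-le", "ignore"),
                 data[1:].decode("utf-16-le", "ignore"))
        if any(pat.search(v) for v in views):
            hits.append(path.name)
    return hits

def classify(observed_hosts, source_root, install_root):
    report = {}
    for host in observed_hosts:
        in_src = files_mentioning(host, source_root, SOURCE_SUFFIXES)
        in_bin = files_mentioning(host, install_root, BINARY_SUFFIXES)
        verdict = "in-source" if in_src else "binary-only" if in_bin else "unexplained"
        report[host] = (verdict, in_src or in_bin)
    return report

def demo():
    # Constructed data: a one-file "repo" and a fake vendor DLL with a UTF-16LE string.
    with tempfile.TemporaryDirectory() as tmp:
        src, inst = Path(tmp, "src"), Path(tmp, "install")
        src.mkdir(); inst.mkdir()
        (src / "login.cpp").write_text('auto url = "https://auth.vendor.example/login";\n')
        (inst / "im_sdk.dll").write_bytes(
            b"MZ\x90" + "link.im.example".encode("utf-16-le") + b"\x00\x00")
        observed = ["auth.vendor.example", "api.auth.vendor.example",
                    "link.im.example", "stats.cdn.example"]
        return classify(observed, src, inst)

if __name__ == "__main__":
    for host, (verdict, files) in demo().items():
        print(f"{host:28} {verdict:12} {', '.join(files)}")
```

A hostname that stays "unexplained" after both passes may still be assembled at run time, stored obfuscated, or delivered by a server, so the result narrows the search rather than settling it.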