Counterfeit FTDI chips?
cavelamb
FTDI develops drivers for its chips. The drivers can be obtained directly from FTDI, or they can be downloaded
by Windows automatically, through Windows Update. This latter feature is a great convenience for most people,
as it enables plug-and-play operation. The latest version of FTDI's driver, released in August, contains some new
language in its EULA and a feature that has caught people off-guard: it reprograms counterfeit chips rendering
them largely unusable, and its license notes that:
Use of the Software as a driver for, or installation of the Software onto, a component that is not a Genuine
FTDI Component, including without limitation counterfeit components,
MAY IRRETRIEVABLY DAMAGE THAT COMPONENT
The license is tucked away inside the driver files; normally nobody would ever see this unless they were explicitly
looking for it.
<http://arstechnica.com/information-technology/2014/10/windows-update-drivers-bricking-usb-serial-chips-beloved-of-hardware-hackers/>
Comments
My conclusion is that FTDI are shooting themselves in the foot here.
If their driver breaks my machine I want blood.
No matter if I happen to be knowingly or unknowingly using a real or fake FTDI chip.
Just to clarify, does the driver break your computer? I thought it only rendered the FTDI copycat bridge circuit useless.
Ken Gracey
Admittedly I was talking out of my butt there. This issue has not broken any computer I have.
But, I have systems with PCs and connected devices. If one day I find that an FTDI driver update has broken those systems for no good reason other than it has detected a clone chip, that would make me heartily angry at FTDI.
On a deeper level, why do we ever even need a driver from FTDI? I thought the idea behind USB was to abstract serial ports, parallel ports, mice, joysticks, block file devices, network adapters, etc away. You know, into a "Universal" bus. There are profiles for all these things.
My computer should not be able to tell if I have a serial port adapter made by FTDI or any other company.
Thanks, Heater. Your message implied [to me] that the driver could intentionally wreck your machine, but I think it's the hardware containing the counterfeit FTDI device that would become useless.
Ken Gracey
Something that reprograms an external device, is NOT a 'USB driver' anymore...
Wow, so they also admit here that this could damage parts that are NOT counterfeit components ??
I have a great many USB drivers installed on this PC, and in the great buried allocation that Windows does, Windows decides what Drivers to use on what peripheral.
End Users have no control over that decision.
The risk of a 'driver' that may decide to flip itself into 'a hunt and destroy Programmer' was not on my radar before, and it certainly has moved FTDI down the selection list of vendors.
I suspect they may get some memos from other industry players because if this breaks the wrong thing at the wrong time it's likely to spark a lawsuit, and that lawsuit will hinge heavily on whether that TOS agreement has any validity. And a lot of companies much bigger than FTDI do NOT want that to get into court, because it's never really been tested and if a court comes down on what a lot of people would call the side of common sense and says no, it's not a legally binding agreement if you "agree" to it by accepting an update you're told you need or opening a package you just paid for, then a lot of people's business models collapse into dust.
There's currently no evidence that they're deliberately inserting code in their drivers to break counterfeit ftdi chips. All that warning means is that the driver could damage other non-ftdi components. I don't know that I blame them for the warning. My guess is that while they test the drivers with their chips, they don't test them with competitors' chips and are assuming no responsibility for what their drivers do to other non-ftdi chips. Do you think that they should be testing their drivers with every "clone" chip?
The PID value is stored in non-volatile memory, so the chip would disappear forever. Obviously, the chip's PID could be reprogrammed, but there's no generally available utility that would do this. A counterfeit chip is illegal to make and a case could be made that it's even illegal to possess. Big problem if FTDI's method for detecting a genuine chip is flawed.
[" Update: Microsoft has given us a statement:
Yesterday FTDI removed two driver versions from Windows Update. Our engineering team is engaging with FTDI to prevent these problems with their future driver updates via Windows Update. "]
So they will not misdetect a genuine device, because they aren't detecting anything.
FTDI pretty much came out and said that this was intentional. They were not expecting that kind of backlash.
I'm worried for the end-user more than the rogue supplier. As someone who has been burned by supply-chain tainting, unless you are a major player it's difficult to have full control of every aspect of every component of your BOM.
The Linux kernel immediately added support for these "bricked" devices. A device that initialized with a USB ID of 0x0000 will now be detected as an ftdi device :-)
That's a pretty strong indicator to show how the Open Source community thinks of this behavior.
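As an added example (not from the thread, FTDI or the kernel), one way to inventory a Linux machine for adapters affected by the PID rewrite discussed above is to scan `lsusb` output for FTDI-vendor devices whose product ID reads 0000. FTDI's vendor ID 0x0403 is not given in the thread; the function name `triage_ftdi` and the sample output are constructed for illustration.

```python
import re

FTDI_VID = 0x0403    # FTDI's USB vendor ID (not stated in the thread)
ZEROED_PID = 0x0000  # product ID the thread says affected chips come up with

# `lsusb` prints one device per line: "Bus 001 Device 004: ID 0403:6001 <text>"
LSUSB_LINE = re.compile(
    r"^Bus (\d+) Device (\d+): ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\s*(.*)$"
)

# Constructed sample output, not captured from a real machine.
SAMPLE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID 0403:6001 Future Technology Devices International, Ltd FT232 Serial (UART) IC
Bus 001 Device 007: ID 0403:0000 Future Technology Devices International, Ltd
Bus 002 Device 003: ID 1234:0000 Constructed non-FTDI device with a zero product ID
this line is not lsusb output
"""


def triage_ftdi(lsusb_text):
    """Return FTDI-vendor devices, marking those whose product ID reads 0x0000."""
    findings = []
    for raw in lsusb_text.splitlines():
        match = LSUSB_LINE.match(raw.strip())
        if match is None:
            continue  # skip blank or malformed lines
        bus, dev, vid, pid, text = match.groups()
        if int(vid, 16) != FTDI_VID:
            continue  # a zero PID under another vendor ID is out of scope here
        findings.append({
            "bus": int(bus),
            "device": int(dev),
            "pid": pid.lower(),
            "zeroed": int(pid, 16) == ZEROED_PID,
            "text": text,
        })
    return findings


if __name__ == "__main__":
    for f in triage_ftdi(SAMPLE_LSUSB):
        state = "PID zeroed" if f["zeroed"] else "ok"
        print(f"bus {f['bus']:03d} dev {f['device']:03d} 0403:{f['pid']} {state}")
```

A zero product ID only shows that the stored PID was overwritten; it says nothing about whether the chip is genuine.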
The statement they issued could arguably be used as evidence in a criminal case against the Scottish company under the Computer Misuse Act.