WARNING! FTDI distributing malware in it's drivers again.
Heater.
Posts: 21,230
Certain recent driver updates for FTDI USB/serial chips are now inserting their own error message strings into your data stream. In both Tx and Rx directions.
Needless to say this is a shockingly stupid thing to do. Worse it is potentially dangerous for end users.
Advice is to reinforce one efforts to move away from FTDI devices. Which one should already be doing after the "FTDIgate" scandal a year or so ago. We cannot support a malware company.
Current scandal:
http://www.eevblog.com/forum/microcontrollers/ftdi-gate-2-0/
Previous scandal:
http://www.eevblog.com/forum/reviews/ftdi-driver-kills-fake-ftdi-ft232/
Seems FTDI have been doing their best to block discussion of their latest malware.
Needless to say this is a shockingly stupid thing to do. Worse it is potentially dangerous for end users.
Advice is to reinforce one efforts to move away from FTDI devices. Which one should already be doing after the "FTDIgate" scandal a year or so ago. We cannot support a malware company.
Current scandal:
http://www.eevblog.com/forum/microcontrollers/ftdi-gate-2-0/
Previous scandal:
http://www.eevblog.com/forum/reviews/ftdi-driver-kills-fake-ftdi-ft232/
Seems FTDI have been doing their best to block discussion of their latest malware.
Comments
I'm surprised MS did not give FTDI a severe talking to last time they pulled a stunt like this. It breaks the entire chain of trust MS has set up around it's driver updates, code signing etc etc.
What annoys me about this is that USB has something called class drivers which are shipped with the OS. If a USB device claims to be of a specific class it will use the built-in driver. In the case of serial devices there's usbser.sys which is supposed to allow serial conversion chips that don't require a driver. But I've only seen a few devices use it and e have custom drivers instead.
Even though it's obsolete, I still build my own projects with a DB9 rs232 port because I have a USB to serial cable that works, and I don't need to deal with this now.
I agree.The fact that we have not had working standardized serial port over USB since the beginning is kind of scandalous in itself.
Since it is a HID device I'm thinking that it may not without a special driver ?
Bean
Yes Bean, the CP2102 shows up in Windows as a com port. Windows 8 (and IIRC Win10) did not automatically install drivers, I had to go to Silabs to download the VCP drivers: https://www.silabs.com/products/mcu/Pages/USBtoUARTBridgeVCPDrivers.aspx
Naturally all the Parallax adapters are FTDI, and those are legit work perfectly well. Hopefully they never get duped into buying any counterfeit FTDI chips before manufacture. Quality control has its job cut out for them.
1. Expose true counterfeits of chips branded as FTDI. These are chips sold with the FTDI logo, and clearly infringe on their IP.
2. Cripple the competition of non-infringing chips by making FTDI driver software not work with them. This is a gray area legally, but possibly supported by various laws if the driver merely refuses to work, as opposed to bricking the non-FTDI device.
The best solution is for those makers of non-infringing compatible hardware to provide their own drivers. By now, everyone should be doing this, rather than relying on someone else's efforts to undercut the competition. (A true Arduino Nano should not be using a cloned FTDI chip. That'll be found in a knock-off made by someone trying to cut corners.)
I grant you, what FTDI does harms their image, but OTOH, people were forewarned they would take these kinds of measures. Fool me once, shame on you, fool me twice...
Maybe this one CP2104-MINIEK
: $4.61 1+ 231 in stock.
www.digikey.com/product-detail/en/CP2104-MINIEK/336-2613-ND
Bottom line is that one can have PC and a USB peripheral that works. Then get this driver update and it no longer works. Not because of regular every day bug, but by deliberate intent. This is intolerable behaviour.
@Gordon,
I'm not about to support people infringing copyrights and trade marks to sell any old junk.
On the other hand I don't see why users and developers of systems that have been infected with "fake" chips should be hosed all of a sudden. Punished for something the did not do.
The real problem to my mind is that we are talking about a stupid simple UART interface here. An interface that has been on computers since time immemorial. USB was supposed to encompass all those legacy interfaces, UART, parallel, PS/2 whatever. How come we don't have a standard for that today, with no special drivers in our OS from any vendor?
Or worse, as the previous approach was more direct cause and effect.
This new corruption of data is a risky dice-roll.
It depends entirely on the user design, as to
a) How long it take to appear
b) Just how severe the outcome is. Lawsuits anyone ?
Maybe they did this, because the Linux community quickly laughed at them last time ?
Microsoft will not be amused either.
It's a shame, because FTDI used to make some good devices.
If you add in a roll of duct tape, we just call that "good 'ole Redneck Engineerin.'"
.
If a board maker purchased what it thought were true FTDI chips, and got fakes, then this is what lawyers are for. But I'd bet 98% of the time the makers know the chips they got are not legit, typically because of the amazingly low price.
Go to eBay and you'll find "Arduino Nano" boards as low as $2. That's a far cry cheaper than the $35 an official Nano costs. Even those who aren't skeptical need to assume a $2 Nano may not contain anything legit; even the Atmel chip may be a fake. At the least, customers might opt for those boards that mention they use a CH340G (quick check: many of them). At some point, customers have to apply a bit of common sense.
It's greed that drives an OEM to opt for a non-FTDI chip, yet still rely on the FTDI driver. It's greed for users to buy these low-ball Chinese knockoffs, expecting 100% performance to the original. That's simply unrealistic.
I'm on record from before that FTDI handles this poorly. There are ways to couple a driver with support software to display a popup that tells users they are not using genuine parts. This at least gives them a chance to find a replacement driver. But pretending OEMs and users are totally faultless is unreasonable.
Let's just say I whole heartedly disagree with you.
It's quite possible that in all good faith one pays top dollar for genuine parts and still ends up with clones. Policing supply chains is not trivial. Then a lightning bolt comes out of the blue from Glasgow, or wherever FTDI are, using and abusing the trusted channel of MS update and sabotages ones product. Causing a lot of pain for the manufacturer and his customers. This is not good.
You are right, this is what lawyers are for. FTDI could be in for a lot legal grief for distributing malware. People have gone to prison for such offences.
Even gray-haired former rock stars have to show up on stage now-and-then. It's good for them. Beats drinking themselves into a stupor on residuals from a single studio session 50 years ago.
Not saying that Future Technology Devices International shouldn't care about schlock clones. But if they weren't milking ol' Bessy for all she's worth, perhaps clones wouldn't be so rampant. Fortunately, the whole matter is now irrelevant.
I'm aware, but I'd wager far more of the fakes are known to the OEMs. They thought they'd get the same thing for less, and now it's biting them on the rear. Now, they could swear they thought they were buying legit parts, and if that's true, there are lawyers who know how to sue in Chinese courts.
Put this into perspective. Someone (like the OP of the article you pointed to) buys a Chinese clone, happy to have saved so much money. But boo-hoo, now they're upset because software made for another product won't work with it. Well, that's just too bad. They got what they paid for. No reasonable person should expect 100% performance when paying a fraction for it. People should take responsibility for their choices.
When FTDI answered this by bricking hardware, that was clearly wrong -- and probably illegal. But rendering their driver inoperable is, in my view, fair game. It's *their* driver, intended for *their* hardware. As long as they don't harm anyone's else hardware, they are under absolutely no obligation to support a competitor's goods.
USB does do this with class drivers, but corporations hate making commodity components and want to brand their products. So they reinvent the wheel and write branded drivers and devices that require them. I hate when I plug a mouse into a computer and see it searching for drivers.
Even Linux users don't get away from this nonsense because many devices that could work with class drivers don't, and their manufacturer won't provide a Linux driver. Web cams, sound cards, and WiFi were a massive PITA when I switched to Linux for a two year period back in 08-09.
ebay.com/itm/6Pin-USB-2-0-to-TTL-UART-Module-Serial-Converter-CP2102-STC-Replace-Ft232-Module-/400565980256?hash=item5d4397cc60:g:XY0AAOSwrklU2vc5
Why we require specific drivers when a standard VCOM should work? Maybe because MS gets $$$ for validating drivers
We struck this issue in the 90's with modem drivers. We modified our code so that it worked with the Windows default Rockwell driver. No further problems and easiest for the customers!
As for FTDI...
They charge a fortune for their FT232RL !!!
* This has given other (legitimate) manufacturers the reason to produce their own - CP2012, CH340, etc. All are way cheaper and have drivers or work with the default driver.
* This also gave the crooks a reason to clone FTDI chips. But what is even worse, is they illegally print FTDI's trademark on the chip so you cannot tell the difference.
Prosecuting through the courts is a very expensive process that the crooks only know too well. At the end of the day, they will have nothing to pay you and even if they did, the court order for costs is rarely anything like what you paid out - believe me I know only too well!!!
But FTDI had to do something! No-one disagrees. It is how they went about it that is IMHO totally wrong. I would go as far as saying they are as bad as the crooks.
IMHO, they should just have made their drivers not work with the clone chips and return a message from their drivers to windows/Linux why they failed. This way, they inform users that their chips are fakes. But they don't brick their devices, and they don't corrupt data being sent out over the serial line, which could be extremely dangerous (as pointed out elsewhere).
An even nicer way to the users, would have been a "nag" message that their device was a fake, but then continue to work.
However, what they did a year ago meant I no longer support FTDI. I have some FTDI232RL chips left, but I won't buy any more.
FTDI should also modify what the screen on their chips so users can tell easier. Sure the crooks will copy that too, but it takes time. FTDI could easily change each batch with something special. Nothing like keeping the crooks on their toes. The screen is written by laser, so its easy to change the layout. BTW I don't mean changing their logo.
Nice unit, has extra lines as optional, which many forget and seems to have a thermal fuse.
Looks to lack USB ESD protection diodes, and does not have many decoupling caps.
SiLabs suggest 4.7uF//100nF on their circuits, but I think that is in case you use Tantalum or Aluminum caps.
A single MLC cap should do.
Here are two topical recent links :
http://www.ebay.com/itm/6Pin-USB-2-0-to-TTL-UART-Module-Serial-Converter-CP2102-STC-Replace-Ft232-Module-/400565980256?hash=item5d4397cc60:g:XY0AAOSwrklU2vc5
banner : Replace Ft232 Module
http://www.ebay.com/itm/USB-Nano-V3-0-ATmega328P-5V-16M-Microcontroller-CH340G-board-Fr-Arduino-Kit-SR1G-/151674313461?hash=item23507e5af5:g:BswAAOSwHnFVijM7&autorefresh=true
Banner: 1. CH340G REPLACE FT232RL
It seems FTDI have merely succeeded in making NOT having a FTDI part, a desirable selling feature.
CP2102 for $1.52 free ship: http://www.ebay.com/itm/NEW-CP2102-USB-2-0-to-UART-TTL-5PIN-Module-Serial-Converter-for-Arduino-YP-/151761367424?hash=item2355aeb180:g:XBMAAOSw9N1VuJNd
At those prices, nab one of each to experiment. I suggest staying clear of Prolific's pl2303, all of the cheap ones I've seen are -HX versions which are not compatible with Win8 & later.
It's not always a lost cause. In the US, selling and importing counterfeits comes under customs, which is now part of Homeland Security. So at the least, any counterfeiting can be dealt with on a criminal level. However, there are no automatic civil payouts from criminal seizures, and this still takes a good attorney to know where to find the money. In the case of imported goods from China, one source is the escrow accounts used by the counterfeiters. Secondly, there are not-too-expensive lawyers in China that deal exclusively with this.
To me, any OEM who buys from arbitrary suppliers in China is simply asking for trouble. Except for isolated events, I don't buy the "but I thought it was genuine!" excuse as a valid reason why FTDI should not take some protective measures. OEMs -- regardless of product -- have *always* had the responsibility of maintaining the integrity of the component parts used in their wares. Customers have *always* had the responsibility of recognizing a deal that's too good to be true, or at the least, being responsible for themselves when they get suckered in. The first hint is a $2 clone of a $35 board.
I agree that customers should not be going out of their way to buy fake parts to save a few bucks.
But even if they do it does not make FTDI's action acceptable. Breaking systems by distributing malware is just wrong.
What everyone should be doing is moving towards more standard solutions preferably with open source drivers.
No handshake lines ? - so the one linked above, by Cluso, looks better for testing.
If I were them and people were stealing from them, I might do what they did too.
If I were Google though and were raking in tons of cash, then I might "Don't be evil".
But if I had to lay off my employees because of outright theft, then I might have an evil mind...