FTDI Reportedly Bricking Devices Using Competitors' Chips.
janoc writes: It seems that chipmaker FTDI has started an outright war on cloners of their popular USB bridge chips. At first the clones stopped working with the official drivers, and now they are being intentionally bricked, rendering the device useless. The problem? These chips are incredibly popular and used in many consumer products. Are you sure yours doesn't contain a counterfeit one before you plug it in? Hackaday says, "It’s very hard to tell the difference between the real and fake versions by looking at the package, but a look at the silicon reveals vast differences. The new driver for the FT232 exploits these differences, reprogramming it so it won’t work with existing drivers. It’s a bold strategy to cut down on silicon counterfeiters on the part of FTDI. A reasonable company would go after the manufacturers of fake chips, not the consumers who are most likely unaware they have a fake chip."
Update: 10/24 02:53 GMT by S : In a series of Twitter posts, FTDI has admitted to doing this.
Now consumers are becoming aware that there's a massive counterfeiting problem and can be better educated to ask their vendors "Hey, is my device legit?" I certainly had no idea that this was going on.
If you were me, you'd be good lookin'. - six string samurai
A component manufacturer is unhappy that someone else is using his product id so he puts code in a driver that sets the product id to zero. This prevents the fake component being recognized by his driver or any other driver. The license for the driver explicitly states that using the driver with a fake component may irretrievably damage the component.
If the component manufacturer doesn't want the fake product to work with his driver he can code his driver to ignore the fake. Modifying the product id to brick the component is another matter entirely.
This doesn't hurt the people who created the fake, or even the people who purchased the fake and used them in their manufacturing. It only hurts end users who have done nothing except purchase a product in retail channels. Deliberately destroying equipment because it uses a fake component goes to a whole new level of nastiness.
Why should they let people ride their coattails for no compensation? To be fair, bricking a device is a little overkill, and simply refusing to recognize a fake device may have been a better approach.
It looks like they are trying to hide behind their EULA, which says that "Use of the Software as a driver for a component that is not a Genuine FTDI Component MAY IRRETRIEVABLY DAMAGE THAT COMPONENT." But there are reports that this new driver is being delivered via Windows Update, which presumably doesn't show you this EULA.
Microsoft would be wise to pull this update.
Now that we know it's happening we can all join the class action lawsuit which will utterly bankrupt FTDI because what they are doing is illegal and they can be held liable for damages, which could easily run into the billions.
Is it just my observation, or are there way too many stupid people in the world?
Most people won't have any technical knowhow to understand why their device bricked, just that it bricked. Bricked devices will be blamed on the device manufacturer not the chip supplier.
I've used FTDI products for *years* and with just a very few exceptions have had zero issues with compatibility and performance. They are my number one supplier of USB to serial chips, and I still don't have any issues recommending them. Their drivers are very stable, and they work hard to make them for every platform. If they want to go after the counterfeiters, more power to them. Filing a lawsuit against a small shell company selling back-room chips pretending to be FTDI chips won't do any good. Brick a thousand shitty chips and things might change.
LOAD "SIG",8,1
LOADING...
READY.
RUN
Device manufacturing companies may just avoid FTDI chips outright. This is especially true if some suppliers are mixing the real chips with the counterfeit chips.
Worse, since it's coming through Windows Update, the engineers working on Windows Update might outright blacklist FTDI. And Microsoft would be at least partially liable for any bricked device, which would make their lawyers a bit uncomfortable. I wouldn't be surprised to see Microsoft release a patch in the future to automatically unbrick the affected devices.
"If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
Intentional and willful destruction of another person's property for the base reason that he didn't buy with you but with your competitor? I don't know about your country, but over here in socialist Europe we have consumer protection laws that deserve that name.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Tortious interference and trespass to chattels with an identifiable, numerous class with commonality of injury, and an easily identifiable tortfeasor acting with clearly malicious intent?
I hope no one is paying you to be their lawyer, since the suit practically writes itself.
Unless the non-FTDI chips are using some patented technology without permission, or are using FTDI trademark, they are doing no wrong. Second-sourcing of integrated circuits has been going on for at least 45 years, and it's completely legal. The fact that their silicon looks completely different indicates that the copiers are not violating copyright as far as the chip is concerned. Unless I'm missing something, FTDI is engaging in willful destruction of private property and should suffer immense fines.
And if the slick salesperson lies and says "yes, they are legit"?
It's a mistake in my opinion to dump this problem onto the consumer; it's not realistic for them to police all the parts of gizmos they buy.
Table-ized A.I.
Wait - "FTDI has started an outright war?"
Ok, so the cloners copy the design (that FTDI paid for), steal the VID (that FTDI paid for), and then by clear intention, use the FTDI driver (that FTDI paid for), and you say FTDI started a war?
Really? Good for FTDI. The supply chain will get purged of the counterfeit material faster this way than any lawsuit could.
Seems like a clever solution to me.
> By buying a knockoff product
Are you talking about an unattributed result of a purchase event, or are you pretending that's a deliberate action every buyer knowingly made?
It's not your aunt's fault that Christmas sucked. Please don't harbor the idea that she intentionally wanted to ruin it. She thought you'd be delighted! It said 1,000 games on the box! 1,000 games!
I'm not some victim-villain blame-game SJW, but c'mon, don't blame your Nana.
My $3 generic eBay FTDI clone USB->Serial cable (that I bought to program my Baofeng radio via Chirp) came with no drivers and Windows pulled down the real FTDI driver. Over the summer, it only worked sporadically. Usually didn't work. Swapping out the cable for a $12 legit cable from Trendnet solved all issues. It isn't just that these Chinese places are making a clone, it's that they are making a crappy sort-of compatible clone and passing it off as the real thing, and directing you to use the FTDI drivers. It totally makes FTDI look bad. I didn't find out until after researching with some guys from Chirp that my cable was a knock off. I thought I was buying a supported chipset. Might not be legal or ethical, but I'm all for anything that stops these crappy Chinese cloners in their tracks. I spent way too much time and hassle on a problem they caused.
Are there alternatives to this tech? I would happily buy from a competitor if one is available and boycott a company who would fuck over consumers like this. Is there even a way to choose or tell the difference between fakes or competitor products?
Where are they used? Who uses them? What alternatives are there?
Some people say they're going to "avoid FTDI chips in the future". Good luck with that because FTDI makes the most reliable Serial-to-USB ICs on the planet. Going with anything else is just asking for trouble.
Moral issues aside, this seems like a bad business move. If you are a device manufacturer choosing between chip A and chip B, and the vendor for chip B bricks their clones, then you would prefer chip A.
This is because if you accidentally get a bad shipment of clone chips, and put them into your devices, your devices will be subject to bricking, creating returns and bad PR.
Plus, having some cloners around gives you a spare option if the main company bellies up.
Table-ized A.I.
They are using the same VID, but not the same design. images of real and fake FTDI silicon.
OpenBSD would never have let a vendor do something like this.
Fine, I'll just come out and say it, it's what we're all secretly thinking anyhow.
This is just another nail in the coffin pushed by none other than the N S A.
They want to be able to have a documented chain of custody for every component in every piece of your equipment so the cyberpolice can backtrace any illegal encryption and punish scapegoats to justify their exponentially growing budgets. This way they can automatically tell if you done goofed and make sure the consequences will never be the same.
WARNING : may contain MKPUPPET triggers. Processed on machinery that may have also been used to process peanuts. Oops, maybe we should have put that up front.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
> Intentional and willful destruction of another person's property for the base reason that he didn't buy with you but with your competitor? I don't know about your country, but over here in socialist Europe we have consumer protection laws that deserve that name.
I would say that modifying the PID on the chip is pretty far from "intentional and willful destruction." From one of the comments in the support board posting masquerading as TFA:
And
While it is rather underhanded, had FTDI done this the *correct* way and just interrogated the chip and refused to work with a fake, this would be a non-story. At the same time, just modifying the PID is far from "destroying" the device. If FTDI's driver did something that actually did damage to the hardware, I might be more sympathetic. That's not to say that I think FTDI did the right thing, just that they did not actually damage or "brick" anything. The device isn't broken, it just needs to have its PID reset. Once that happens (and I guess that's what FTDI was trying to do), the end user will be painfully aware that they have a counterfeit chip.
As I said, poorly executed and likely to cause some backlash, but no hardware is damaged or destroyed. Unless you're an idiot.
No, no, you're not thinking; you're just being logical. --Niels Bohr
Can you tell, by merely looking at it, whether a given device is using GenuineFTDI(TM)(R)(C)(BFD) chips, or whether it's a counterfeit? Can you tell by using whatever the Windows equivalent of lsusb is? No? Then there is a random, non-trivial chance that plugging in your serial-ish device will either:
Thus, in the mind of the user, FTDI == Flaky. And Flaky == Avoid.
Congratulations, FTDI. Ten points for avoiding your feet, but minus several million for shooting yourself straight in the head.
Editor, A1-AAA AmeriCaptions
Bricked implies that the change is irreversible. This is simply a change to the PID, which can be undone or set to some other PID pretty easily. So no, not bricked, not destroyed, just fake detected and its fakery undone as a matter of configuration.
So FTDI is pissed that counterfeiters are using FTDI PIDs in their counterfeit chips so that the counterfeit chips get the benefit of FTDI drivers. I certainly sympathize with their gripe there. So FTDI is saying, "Don't use our PID" and setting the PIDs to 0 in counterfeit chips.
My guess is that FTDI didn't really think through the implications of that, that setting a PID of 0 would brick the chip. What they should have done is just set the PID to some generic USB CDC serial port so that the counterfeit chips would no longer use the FTDI driver and would no longer show up as FTDI chips to the OS.
This very well could have been more of an "oops, sorry about that dude" than an "I KILL YOUR CHIP NOW! MOOHAHAHHA!"
Except the chip wasn't, as you put it, "killed." The chip is still fully functional with a driver that will support it. That FTDI doesn't want to support counterfeited chips with the driver it developed for the real article is reasonable.
Why should FTDI support chips it didn't make?
No, no, you're not thinking; you're just being logical. --Niels Bohr
I actually ship a device that implements FTDI's protocol in an MCU, and simply glue an otherwise unused FTDI chip to the board as a physical "license token". It's more reliable that way, and I can offer way better buffering and sync than the FTDI chip would allow. As long as they don't use real crypto in their chip, I'm not worried - an afternoon with a protocol analyzer should solve any issues. And if they do use crypto, then I'll probably have my buddy decap the chip and look for the private key bits on the die.
A successful API design takes a mixture of software design and pedagogy.
For the vast majority of consumers, changing the PID to 0 is absolutely damaging the product. Product works one day, plug it into the computer with the new driver and it stops working. It's broken. Yes it can be fixed, but it's well beyond the comfort zone of the average consumer, which means they need to either pay someone to fix it, go begging for help, or buy a new one.
> Except the chip wasn't, as you put it, "killed." The chip is still fully functional with a driver that will support it.
The chip was pretty killed. With a PID of 0, Windows, Mac OS, and Linux wouldn't recognize it. It's theoretically possible to fix the PID, but most end users wouldn't really know how to do that.
> Why should FTDI support chips it didn't make?
They shouldn't have to support chips that they didn't make, but at the same time, they shouldn't brick* chips that they didn't manufacture.
What FTDI really should have done is to set a generic PID for the chip type. That way, the chip would no longer use the FTDI driver, and they wouldn't have to support it.
*I use "brick" in the sense that using their Windows driver to set the PID to 0 makes the chip no longer function in other OSs, either. I am aware that an unbricking procedure is available.
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
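The zeroed product ID debated in the comments above is visible in a USB device listing: the chip still enumerates, it just reports PID 0000 so no serial driver binds to it. The following is an added example, not part of the original thread; it parses `lsusb`-style output and flags devices carrying FTDI's vendor ID (0403), and the sample listing is constructed for illustration.

```python
import re

FTDI_VID = 0x0403  # USB vendor ID assigned to FTDI

# One line of `lsusb` output: "Bus 001 Device 004: ID 0403:6001 <description>"
LSUSB_RE = re.compile(
    r"^Bus (?P<bus>\d{3}) Device (?P<dev>\d{3}): ID "
    r"(?P<vid>[0-9a-fA-F]{4}):(?P<pid>[0-9a-fA-F]{4})\s*(?P<desc>.*)$"
)

# Constructed sample listing (not captured from a real machine).
SAMPLE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID 0403:6001 Future Technology Devices International, Ltd FT232 Serial (UART) IC
Bus 001 Device 007: ID 0403:0000 Future Technology Devices International, Ltd
Bus 002 Device 003: ID 067b:2303 Prolific Technology, Inc. PL2303 Serial Port
"""


def parse_lsusb(text):
    """Return one dict per well-formed lsusb line; malformed lines are skipped."""
    devices = []
    for line in text.splitlines():
        m = LSUSB_RE.match(line.strip())
        if not m:
            continue
        devices.append({
            "location": f"{m['bus']}:{m['dev']}",
            "vid": int(m["vid"], 16),
            "pid": int(m["pid"], 16),
            "desc": m["desc"],
        })
    return devices


def classify(dev):
    """Classify by IDs only. IDs cannot prove a chip is genuine, because
    clones report the same vendor ID; they can only show the zeroed state."""
    if dev["vid"] != FTDI_VID:
        return "other"
    if dev["pid"] == 0:
        return "ftdi-vid-pid-zeroed"   # state described in the thread
    return "ftdi-vid"                  # genuine or clone: not decidable here


def report(text):
    """List (location, 'vid:pid', classification) for FTDI-VID devices."""
    rows = []
    for dev in parse_lsusb(text):
        label = classify(dev)
        if label != "other":
            rows.append((dev["location"],
                         f"{dev['vid']:04x}:{dev['pid']:04x}", label))
    return rows


if __name__ == "__main__":
    for location, ids, label in report(SAMPLE_LSUSB):
        print(location, ids, label)
```
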
Great idea. Will do. Just ... umm... how do I find out just WHICH controller chip is used in the USB stick I plan to buy?
I may not be the best example, considering that I have rather intimate knowledge of USB controller chips due to the nature of my work. I may actually be able to find out what controller chip is used in USB sticks. But because of this I can inform you that it is anything but trivial to find out just what controller is being used in a stick. Let's put it that way: Quite often finding it out involves ordering one and a good magnifying glass...
Even assuming that an average consumer knows what a controller chip is (quite unlikely), that one is used in a USB stick (it gets more unlikely) and he knows where to look for it and what to look for on it (now we're getting into the land of fairy tales), it's nearly impossible for him to even know whether he buys something with a "good" or forged chip. And the only way to find out involves disassembling the USB stick in a way that voids the warranty.
The real kicker is that I, someone who could actually find out whether he buys good or forged sticks, i.e. someone who might be at least somehow blamed for using forged goods, could actually maybe even recover the stick from its "bricked" status. Whereas someone who buys a stick in good faith because he has no other option would really now lose his data.
That's fair, eh?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I've had issues with many non-FTDI USB to serial adapters but the real FTDI ones have been rock solid. I pushed for integrating a quad FTDI USB to serial chip into one of our products since the FTDI chip can also do i2c and JTAG. I'm sure a knock-off chip would have a lot of problems. I've had the FTDI serial chip reliably running at 10Mbps.
This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
And here we have the very first attack of BadUSB. Computer malware infecting and destroying USB-connected peripherals, possible because the USB device had no firmware signing/authentication and was built to let anyone update it.
Who logs in to gdm? Not I, said the duck.
Nobody could complain if they simply went and made their driver incompatible with the forged chips. If there is no working driver, then the customer would have to complain with the original maker of the hardware and demand a working driver. That's quite within FTDI's rights.
The point is that they attack the firmware of the device involved, which is by no accounts ok anymore. This isn't locking out a competitor, it's destruction of a competitor's hardware. Yes, that competitor didn't act correctly by trying to get a free ride. No doubt about that. By that logic, though, it's just a-ok for any printer maker to trash the printer (e.g. by hosing it with printer ink) should they detect that you use anything but their overpriced original stuff.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
However, when you find a contract manufacturer and ask them to make 100,000. You require an XYZ, Inc. ABC123 chip and ask the manufacturing contractor to source it. Unbeknown to you, they obtain a counterfeit source. The chip is virtually identical externally, and functionally very similar, so that your product passes validation testing.
You as the device designer and seller may have no idea that you have fake chips on your device. Perhaps, your RMA rate is higher than you expected due to chip failures, or perhaps you are getting a lot of bug reports from the field which are not reproducible on your prototypes, but are on production devices.
This isn't the first time a USB->UART vendor has taken vigilante action against fakes. The vendor Prolific had major problems with low-quality, buggy and slow fake chips, causing major support headaches for customers and themselves. I believe they ended up discontinuing their main product and replacing it with an incompatible version, while poisoning the drivers so that they would BSOD/Kernel panic if they detected a fake chip.
FTDI has .... interesting level of support, they THINK they are the only ones in the universe with a USB to various serial devices, but they are not, Prolific chips are easier to design with since they are pretty much a drop n go part, TI and Microchip have some good ones, and any yahoo can take a cheap USB device capable micro and make their own which is what Arduino did years ago.
So I applaud you FTDI for taking a stand, DON'T make it a pain in the ass for me, the guy who has no problems using someone else's chip in my design
> Nobody could complain if they simply went and made their driver incompatible with the forged chips. If there is no working driver, then the customer would have to complain with the original maker of the hardware and demand a working driver. That's quite within FTDI's rights.
> The point is that they attack the firmware of the device involved, which is by no accounts ok anymore. This isn't locking out a competitor, it's destruction of a competitor's hardware. Yes, that competitor didn't act correctly by trying to get a free ride. No doubt about that. By that logic, though, it's just a-ok for any printer maker to trash the printer (e.g. by hosing it with printer ink) should they detect that you use anything but their overpriced original stuff.
We are clearly in agreement here except on a single point: changing the PID is neither attacking the firmware nor damaging the hardware. After a PID change, the hardware (and firmware) is still functional -- as long as either some driver can recognize it or the PID is reset to a valid ID.
It may be that FTDI was unable (or unwilling) to find a way for their driver to stop supporting the counterfeited chips, so they just removed the mask (the PID) on the chip that claimed the counterfeits were genuine. That's not damaging the hardware or the firmware, merely modifying an embedded setting.
All that said, FTDI's actions were not appropriate -- and they will likely end up paying for it in the court of public opinion. However, FTDI's driver did not damage or harm the chips themselves -- and they certainly weren't (as some here have claimed) "bricked."
Regardless of whether they were permanently 'bricked' or not, your initial comment was about 'technologically ignorant users' somehow 'requiring' them to support the fake product - the driver can simply refuse to work with the device.
Now, however, you take that 'technically ignorant user' who went out and bought say 3 x 4GB USB dongles that happened to have fake FTDI chips in them, unaware of that fact of course, who then copies his business critical data, say 3 years worth of work, onto all 3 of them (for safe keeping)... then his machine auto-updates his driver (because, again, he's a technically ignorant user) and suddenly he can't get to his data... in fact, again, technically ignorant, he tries all 3 dongles (if the first one fails, try the backup(s) right?).
Now, he can't even take them to another machine that maybe didn't get the driver update, or a Linux machine without the proprietary FTDI driver... sure, it's 'fixable' by him say paying an IT geek (a non-technically-ignorant person) to reprogram the USB ID, but that's a cost he is incurring because of what FTDI did to his devices. And that isn't to mention that perhaps he needed that data to bid on a potential $million contract with someone, on a deadline that he's now missed because of what FTDI did to 'damage' his devices.
He most certainly, if it can be proven that FTDI is *deliberately* breaking (even temporarily) the devices in question, has a good case for damages from FTDI.
One difference I've noticed between Windows and Linux...
* in Linux, plug in a USB key, or hard drive, or other USB device, and if you have the appropriate driver, "it just works". One USB "mass storage device" driver works for all USB keys and hard drives
* in Windows...
--- plug in a brand X USB key the first time, and Windows goes off onto the internet and installs a special driver
--- plug in a brand Y USB key the first time, and Windows goes off onto the internet and installs a special driver
--- plug in a brand Z USB key the first time, and Windows goes off onto the internet and installs a special driver
Come on guys, a USB key is a USB key, is a USB key. If it has some esoteric functionality, OK, otherwise don't clog up the registry and the hard drive with drivers for every USB key model that has ever been inserted into the machine.
I have a USRobotics USR5637 http://www.usr.com/en/products... USB CDC "56K" dialup modem for backup on the rare occasions my broadband goes down. It's a hardware modem that works in Windows, Mac, Linux, DOS, etc. Once I set up the kernel options in linux "it just works", without constantly downloading updates. WTF is Windows always updating?
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user