Slashdot Mirror
FTDI Removes Driver From Windows Update That Bricked Cloned Chips
New submitter weilawei writes: Last night, FTDI, a Scottish manufacturer of USB-to-serial ICs, posted a response to the ongoing debacle over its allegedly intentional bricking of competitors' chips. In their statement, FTDI CEO Fred Dart said, "The recently release driver release has now been removed from Windows Update so that on-the-fly updating cannot occur. The driver is in the process of being updated and will be released next week. This will still uphold our stance against devices that are not genuine, but do so in a non-invasive way that means that there is no risk of end user's hardware being directly affected." This may have resulted from a discussion with Microsoft engineers about the implications of distributing potentially malicious driver software.
If you design hardware, what's your stance on this? Will you continue to integrate FTDI chips into your products? What alternatives are available to replace their functionality?
If you design hardware, what's your stance on this? Will you continue to integrate FTDI chips into your products? What alternatives are available to replace their functionality?
This is why I love PICs
They are a Scottish firm subject to U.K. Law (specifically Scottish law). As such unauthorised modification of computer materials is a criminal offence punishable with a maximum sentence of six months in jail or a 5000GBP fine.
Stopping their device driver working with clone/counterfeit chips is fine. Making modifications to data help on such chips is outright illegal.
I can only imagine that the lucky guy who picked up the call from Redmond about 'so, we understand that you...made a few changes...to the behavior of your WHQL drivers that frankly don't make Windows Update look very good...' got quite an earful.
Even if MS thinks FTDI is on the crusade of the righteous, it certainly isn't to their advantage to have Windows Update involuntarily pulled into the fiasco.
"competitors' chips" is a little unfair. It also doesn't brick anything, although a non-technical user won't know the difference. It reversibly disables counterfeit chips.
I'd say it was a grey area, simply because it's so hard to tell if a chip embedded in 3rd party hardware is genuine or not.
For those who knew they were using rip-off chips, screw 'em. It reminds me of the days when I'd get emails from people using pirated copies of my software bitching about bugs. If I could have been bothered, I'd have released a free update that deliberately screwed up those installations.
-----
FTDI's chip is popular, and heavily counterfeited. Right or wrong they felt they had to go to these lengths to protect their business, and it has had the effect of bringing counterfeited chips into the public consciousness.
The problem however, is that switching to another chipset won't eliminate the counterfeiters and the people who slip these chips into the supply chain to save a few bucks.
So the better question is how can we improve the system to ensure that counterfeit chips aren't being secretly swapped into our products.
... that make me so happy to run Linux Mint and CyanogenMod exclusively as my OS's ...
We should learn what we need to know about issues, before we decide what we need to feel about them.
If I was a hardware manufacturer, this would make me MORE likely to use FTDI chips. It means I have greater confidence that what I'm getting is "real", because I know that they are actively trying to make counterfeiting their product more difficult.
Is there a way to detect a counterfeit chip without bricking it? If that's the case, they could have just added a System Log message "FTDI device attached to system is not genuine! Driver will not start." Then the driver would return an error and Control Panel would show a yellow exclamation mark for the device.
My involvement with hardware is currently only as a hobbyist, but there's a hardware project I might get on soon at work. FTDI has shown that it is willing to punish both direct and indirect customers for a wrong committed by a third party, and has not even remotely recanted that view. Management apparently thinks that they merely went too far when the world is shouting at them that going in that direction at all is unacceptable.
The obvious alternatives for USB-to-serial are:
1) Prolific 220x
2) Build a soft UART with a suitable microcontroller (PIC, AVR, Cortex-M0, whatever); this is apparently how the fakes work anyhow. Conform to USB CDC and most operating systems should have a built-in driver.
We don't use any of the serial only chips, but on the higher end with JTAG and SPI the FTDI parts work great and aren't too expensive. If any "clone" chips get into our supply chain we would be very pissed at whoever did it. We specify actual FDTI parts for a reason. The "clones" have very hit or miss quality. We don't use them under windows either.
As a "maker" who sells small runs of boards that I have manufactured in China by an assembly house, I trust that they will build the board to spec. But I do not have the wherewithal to manage and secure my supply chain from start to finish. If I specify a part, I trust that the assembly house uses genuine parts. If they do not, I don't know what sort of recourse I have if, two years, later, all of my parts start being bricked. But I certainly see it from FTDI's perspective (and Prolific, another serial chip manufacturer with the same problem). It's a really tough problem. I don't know what the right answer is. Maybe create a standard for USB serial interfaces that everyone can use? I think that already exists (the CDC).
the growth in cynicism and rebellion has not been without cause
Edit: Last night, FTDI, a Scottish manufacturer of USB-to-serial ICs, posted a response to the ongoing debacle over its allegedly intentional bricking of competitors' chips. Replace "competitors' chips" with "chips made by illegal scum sucking counterfeiters who bear no costs of driver development or warranty that unscrupulous manufacturers use to make a few more points of margin at the expense of FTDI and customers".
I don't like counterfeiters, but to be fair it is not like FTDI developed the secret to nuclear fusion or anything. You can emulate the function of one of their cables/chips pretty easily using almost any micro with a usb peripheral. Here is one example I just googled:
http://www.silabs.com/Support%20Documents/TechnicalDocs/AN758.pdf
Now that the CDC device class driver is better supported they don't offer much beyond a valid VID (previously their driver ip was a pretty useful).
It would be great if a company like microchip/atmel allocated a VID/PID for this. Then we could all have a free and open source solution and avoid having to pay the FTDI tax.
Silicon Labs in Austin,TX has a pretty good lineup of USB-UART bridges also.
The cheap knockoffs often don't work very well for anything but the most basic uses.
Worse, often it's entirely impossible to see on the outside whether it's the real thing or an impostor. Neither the chip packaging nor the USB VID/PID will tell.
Even so, bricking may be a bit drastic. But it may be that this is now the only way to be sure, even if it hits the customer in the pocket in a nasty way.
Thus, while I have no obvious solution, we do have problems here. Fake chips, but also the incentive to make it so: The convoluted and insulting redmondian signed driver process as well as the USB ass.'s refusal to cater to small manufacturers* makes it easier to reimplement an incomplete subset of an existing chip's functionality than to come up with your own interface and driver.
* Those that need but a few product identifiers. It's an expensive VID (from a 16bit set) for the full 16bits of PID, or nothing. Most small manufacturers would be far better off with buying blocks of 16 PIDs for a small fraction.
Section 3 "unauthorised modification of computer material" being the relevant element. There isn't, I think, an existing case which exactly mirrors this, but it is similar to the matter of "time locks" in software (where a program disabled itself after a given time). For a long time after the passage of the act, lawyers theorised that such locks might be illegal in some circumstances; the prosecution of Alfred Whittaker in Scunthorpe Magistrates Court in 1993 showed that it could be. But crucially in Whittaker, the locks were unknown to the customer (the company on whose computer the software was installed) - I don't think anyone thinks that time-limited trialware ("this software will stop working in 28 days unless activated") is illegal.
So whether FDTI are in trouble will depend on what expectation someone might have when installing the new driver (where the court assumes they actually read the licence screed). If the expectation was solely that it would improve their system or do nothing, they weren't giving consent, and FDTI may be found to have breached section 3. If the licence unambiguously said "this update will detect and disable fake or work-alike products without further interaction", they're probably fine. Likely the wording is much less clear, which is what keeps lawyers in jobs.
If all the bricked chips are counterfeits (that is, they have fake FDTI markings and have been passed of as real FDTI products), the Fiscal is probably going to say that a prosecution isn't in the public interest. The authorities, often working with trademark owners, have routinely seized counterfeit goods from unknowing individuals, with no compensation; they may argue this is an analogous case (sweeping analogies is what keeps judges in jobs). But if someone has been making FDTI workalike clones that aren't pretending (to consumers) that they're the FDTI product, their customers would have a better chance of twisting the Fiscal's arm.
## W.Finlay McWalter ## http://www.mcwalter.org ##
Any BOM that passes through my hands will get FTDI crossed off. I'm sorry they have a counterfeit problem. They need to improve anti counterfeiting measures instead of inflicting collateral damage. Their abrupt decision is smelly no matter how you look at it.
Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
The FTDI driver license states "The license only allows use of the Software with, and the Software will only work with Genuine FTDI Components. Use of the Software as a driver for a component that is not a Genuine FTDI Component may irretrievably damage that component. It is your responsibility to make sure that all chips you use the Software as a driver for are Genuine FTDI Components." Surely they neglected to share this with their lawyer. You can't punish users because the manufacturers are breaking the law. How is my mother going to know if she has a genuine FTDI chip or not? That's just asinine.
Given that their OS X driver for years caused kernel panics an they could not be bothered to update it, they have been on my black list for years. Any company that ignores their users like that deserves to be ignored.
Anyone old enough to remember that Microsoft message?
"Eve of Destruction", it's not just for old hippies anymore...
We had a similar situation come up with one of our older products. People copied our initial hardware designs some 12 years ago, built (crappy) knock offs and sold them as their own along with copies of our chips to go along with it. The black market was clearly going to run us out of business and I despised the idea of having to basically compete with ourselves just to keep handing new features over to leeches. It was infuriating to the point that I had seriously considered just shutting the business down and moving on to other things.
Instead, we spent a LOT of time redesigning our stuff to prevent anyone from (reasonably) being able to do that again. We basically wasted an entire year just dealing with counterfeit issue rather than improving our core product.
Luckily it paid off and we were able to shut that whole black market segment down. But at one point we had to consider the same option FTDI did. We gave thought to effectively bricking devices that we were able to identify as counterfeit or, worse, someone would send us one of these counterfeit packages asking us for support or service on the item. We had to basically return to them a chip and adapter we knew, without a doubt, was a bogus copy of our stuff.
It was hard, but we knew full well we could not possibly damage or keep something they had purchased through what they considered legitimate channels. FTDI should have realized this as well. They royally screwed up on this one.
It's a little strange, though, because if you buy something somewhere and it ends up being a stolen item, you're obligated to give it back to the original owner. I mean the police trail leads to your doorstep, you're out the item you bought whether you knew it was stolen or not. I guess the same concept doesn't applied to IP somehow. I'm not even sure how it would. I guess IP isn't really "property" after all.
There's a huge difference between breaking "competitor's" equipment and breaking "counterfeit" equipment. Were any of the targeted chips legitimately not-counterfeit?
I work somewhere (a large chip manufacturer) where we use USB serial adapter cables all over our testing lab to interface things like thermal controllers. Since these are COTS items we have no control over what chip is in them. If this update had bricked our entire lab, it would have been a disaster and a total show-stopper for our testing schedule until we located (and understood!) the problem and fixed it. Personally I think it was a childish way for them to handle this situation and I'm glad they saw reason and yanked it back before it created a total disaster.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
Today Atmel, Microchip and others make inexpensive microcontrollers with native USB peripherals. The Atmel "8u2" chip, for example, is less expensive than even most of the FTDI clones, and certainly a LOT less than a genuine FTDI chip.
For years, I've published a very simple and easy-to-use USB code for those chips.
http://www.pjrc.com/teensy/usb...
I also publish a signed INF installer that works with ALL USB Serial based on this standard protocol (called Communications Device Class, Abstract Control Model, or CDC-ACM). All 3 operating systems have the necessary driver built in. Mac OS-X and Linux load it automatically. Windows needs the user to add a INF.
http://www.pjrc.com/teensy/ser...
Sadly, the CDC-ACM driver in Windows (called USBSER.SYS) is buggy. About a year ago, I sent Microsoft this reproducible bug report.
https://www.youtube.com/watch?...
In a follow up email a few months ago, they were supposedly testing a fix. I'm hopeful that Windows 10 may be the first version of Windows to ever ship with a good quality USB Serial driver (as Linux has done for many years, and Apple as done since releasing Lion a few years ago).
PJRC: Electronic Projects, 8051 Microcontroller Tools
This reminds me of how the cable/satellite companies nuke counterfeit smart cards. My favorite part is how DirecTV personally "signed" the anti-hacker attack. The first 8 computer bytes of all hacked cards were rewritten to read "GAME OVER".
http://slashdot.org/story/01/01/25/1343218/directvs-secret-war-on-hackers
http://www.securityfocus.com/news/143
http://news.bbc.co.uk/2/hi/science/nature/1138550.stm
These are old articles but still begs the question about what a company should be allowed to do to protect itself. I’m all for it. But a popup notice would be nice so people could have some time to get non-counterfeit hardware. Or keep using the knockoff and not update the driver. However your moral compass points.
I know the main difference is the poor users who may or may not have known about the counterfeit chips vs those who clearly should have known their Satellite card was a fake or maybe they didn’t...
That's not the question (and not the solution).
1) The end user has bought a system (maybe years ago) (by all probability neither directly from FTDI nor from directly from the counterfiyer). It is absolutely unacceptable for MS to distribute software via Windows Update to anyone which intentionally bricks a working system (which normally disrupts businesses and cost worst case thousands of times more to repair than the damned chip was ever worth). This even holds true if the driver just stops working. We have to trust MS with there updates, so it can't be for any reason that they disable a working system.
2) There are counterfeit chips in the market which are labeled wrongly as FTDI. That's counterfeit .But what about compatible chips? Even the counterfeit chips you can find in some blogs are clearly independent implementations (the idea of doing a usb to serial converter is not protectable, only the specific implementation in silicon).
Seems like FTDI has admitted they were bricking counterfeit parts on purpose. How would someone go about determining if their device quit working because it was bricked by FTDIs bricking driver? Is there a lawyer out there who would want to do a class action against FTDI for damaging peoples equipment? Also I do not see why FTDI would take this approach I would think they would stand to make a lot of money and gain some good will if instead they had their driver pop up a message to the user that his device had a counterfeit FTDI chip in it and offer the owner the option to join a class action suite against the equipment manufacturer by entering certain info (name address equipment make model and manufacturer ) and in return they would allow their driver to work with the counterfeit chip and share in a settlement over the counterfeit parts or they could purchase a right to use their driver for a fee equal to the chip cost ($2-$10 depending on chip) or they could choose to do neither in which case the driver would no longer work with the counterfeit chip. This strategy would help them eliminate counterfeiters or at least pay them for the right to use their software.
If you steal my IP... and the government doesn't do their job and nail your butt to the wall... then I don't feel so bad about doing something nasty that screws up whomever is profiting from ripping me off.
I know this is going to be an unpopular opinion. But consider that we give the government a monopoly on violence in return for it agreeing to maintain justice and order. If it fails in either of those tasks then the contract is broken. Consider the wild west... government was not able to provide either justice or order. So you occasionally had to sort things out on your own when someone stole from you or threatened your life.
Likewise, a lot of this digital stuff is just beyond the government's ability or will to correct. So be it... wild west time. What people do is on their own conscience. You do it and own it.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
Microchip & sillabs and a few others have competing products.
Why would I care I someone trying to under cut me with counterfeit parts has problems.
FTDI has always made good parts and has good drivers.
The comma might recieve a pardon, but the first period and capital B on "But" will be tried, found guilty, and executed immediately.
McFly777
- - -
"What do people mean when they say the computer went down on them?" -Marilyn Pittman
FTDI tried to also get the "brick-patch" to Linux, but Greg Kroah-Hartman blocked it with this response:
Funny patch, you should have saved it for April 1, otherwise people might have actually taken this seriously :)
Patches as performance art, now I've seen everything...
greg k-h
As a potential end-user (i.e.: I bought an Arduino to explore a hobby, and own a device with an embedded Ardino), I would point out that FTDI's statement isn't an apology but an excuse for their behavior:
As you are probably aware, the semiconductor industry is increasingly blighted by the issue of counterfeit chips and all semiconductor vendors are taking measures to protect their IP and the investment they make in developing innovative new technology. FTDI will continue to follow an active approach to deterring the counterfeiting of our devices, in order to ensure that our customers receive genuine FTDI product. Though our intentions were honourable, we acknowledge that our recent driver update has caused concern amongst our genuine customer base. I assure you, we value our customers highly and do not in any way wish to cause distress to them.
As such, if you specify FTDI products but your supply chain can't guarantee or hasn't guaranteed genuine FTDI products, or has specified or equivalent products, you're still vulnerable to their drivers suddenly causing your products to fail. You're customers won't love you for that! You still have every reason to evade FTDI at this point as they're still threatening an existing product base.
As an end-user, the issue of counterfeit chips doesn't rise to the level of probably aware.
This perspective is not terribly fair to FTDI's product line being subverted by counterfeits, or the general problem of counterfeit devices. All I can suggest is some form of planned obsolescence implemented by FTDI's drivers (which is just a fig-leaf of protection from irritated end-users.)
Since you support FTDI blocking/bricking non genuine chips I'm curious about how would feel if your favorite printer manufacturer decided to block or brick non-genuine or refilled ink/toner cartridges. The printer manufacturers would use the same language as FTDI. These refilled/knock off ink/toner cartriges violate their EULA and their intellectual property and therefore damage their business model. The toner cartridge for many laser printers simply is a piece of plastic full of toner and a chip with a serial number and a counter. Would refilling the plastic box and replacing the chip with a hacked version be a violation of the printer manufacturer's intellectual property as the hacked chip is falsely representing itself by containing the same magic signature that allows the printer to recognize it and enable it to function?
What about the intel X86 compatible clones that were common in the 1980's and 1990's? Intel didn't give permission for other companies to use their instruction set. What if intel made a deal with Microsoft to push a kill switch into the OS to detect non intel CPU's and refuse to function? Would that be ethical and justifieable? Computing history would certainly be different if they did.
Do you also think that emulating an API is also a intellectual property violation? If you have an android phone that phone is a violation of Sun/Oracle's intellectual property of the Java API.
"Bricked" means that it is no longer useful, ever, under any circumstances. It's dead, and not recoverable.
In this case the end user is temporarily inconvenienced until they load up some software to restore the PID, or use software that can make use of the device even with a PID of 0.
As I understand it, FTDI doesn't actually have legal ownership of the PID:VID combo. usb.org handles the PID:VID registry, but if a chip manufacturer hasn't registered with them there is no legal reason preventing them from using any PID:VID numbers that they feel like.
Yesterday a number of my clients called me to say they wanted me to design out the FTDI FT232R from current designs and replace it with an alternative (I settled on the Microchip MCP2200). Today, after this news, I called each of them to explain FTDI's change in policy and see if they still wanted to make this change. All of them said yes.
The feedback was essentially this: FTDI's actions left a bad taste in their mouth and they didn't appreciate this action being taken without any real attempt to notify resellers and manufacturers; and now that they know the alternate chip I proposed was about half the price as FTDI's offering they are happy to change. Now none of these people are high volume manufacturers, so it will unclear if FTDI will even notice.
The reason I have found for most clients wanting FTDI is confidence in the brand more than anything else. This move will affect it a little, but people's memories are short, and FTDI responded quickly enough that they won't suffer too much damage. My prediction is that FTDI will take a dip in sales for a quarter , and then things will return to more or less normal; but companies like Microchip will likely see an uptick, because manufacturers more aware of the alternatives.
What do you know I wrote a novel
It would be great if a company like microchip/atmel allocated a VID/PID for this. Then we could all have a free and open source solution and avoid having to pay the FTDI tax.
VID 03eb Atmel Corp
SID 204b LUFA USB to Serial Adapter Project
How do we know the @)#$*)@^& driver isn't buggy?
Hardware drivers routinely are shitty.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Counterfeit components are much more of an issue than you might imagine. Counterfeit and reclaimed components are very common in the component supply chain, and there's almost no way for a manufacturer to determine whether they've bought a dud or the genuine article. Most electronics companies contract out circuit board manufacture and component procurement - unless you're making a huge number of boards, it simply isn't economical to run this kind of operation in-house. At the end of the day it comes down to trust and supplier vetting - but you can only really vet the first link in what can be a very long supply chain. All it takes is for one supplier in the chain to be slightly dishonest, and you end up with a counterfeit device on your board.
Now - there are companies who will specify forged parts - but equally there are companies who specify the genuine article, and don't get it. How would they ever know? FTDI's approach is (was?) to stop the end-user's device from functioning. This device could have been supplied by a legitimate supplier (and not a dodgy eBay import) - yet this company was (until now) completely unaware until faulty units start piling up on their doorstep. Let's also remember that not all electronics companies are the size of Cisco - and a product recall to replace what they believed to be a genuine part could prove so expensive as to put someone out of business.
Realistically, it's an almost impossible problem to solve - semiconductor manufacturers deal in massive quantities through distributors - and the smaller the quantity that you require, the more distributors are involved in the sale. Some may advocate buying direct - but realistically, no semiconductor manufacturer is equipped to do this at present. Manufacturers need to find ways to prove that their components are authentic, rather than telling end users that they have bought a fake.
Have a look at this blog - a small supplier of a very nice series of logic analysers who were hit with exactly this kind of problem. They procured components in good faith, yet had to carry the costs of their supplier's dishonesty. Not what a small business needs when they're just getting going.
Instead, we spent a LOT of time redesigning our stuff to prevent anyone from (reasonably) being able to do that again.
Any pointers you care to share? Or would that be proprietary IP?
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Thanks for finding that for us.
MODS : mod parent up, plzokthx!
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
The reason the most manufactures use the FTDI driver is because most windows systems already have it installed. This makes it easier for consumers because they don't have to track down a driver from some unknown source. But it is well within FTDIs right to change their driver as it fits their needs. The solution would be for their to be a standard driver that manufacturers could use for usb to serial communication just as there is a standard mouse and keyboard driver for usb devices.
Two wrongs don't make a right, was hopefully something that your parents taught you when you where quite small.
The issue is that the FTDI driver is deliberately reprogramming a chip that is not theirs and for which they have no authorisation to do so. This is an unauthorised modification and illegal.
You cannot stick something in a license agreement that allows you to break the law, because the courts will hold that part of the license agreement null and void.
As many many people have said the right and legal thing was to simply stop working and post a message to the user that the chip is a counterfeit/clone.
Why put this down to malice and not down to a programming/QA issue?
If I am developing something, then my general approach is to test it against know factors and some edge cases I can think about. Counterfeit stuff screws with the whole programming and QA cycle, since they say they are the same as something I developed, act as something I developed, but fail in subtle ways I wouldn't have considered or tested for.
Maybe FTDI did do something intentionally, but I suspect it was an oversight, especially considering they pulled the update once reports were coming in.
FTDI will probably have to do three things:
- Test for the known limitations of counterfeit hardware (they can't test for the unknowns).
- Update the EULA to be clear of risk/
- Update the installer to warn against cloned chips and impact it may have.
Jumpstart the tartan drive.
"No control" my ass. You control where you buy your "COTS" items from, and you know what they typically cost from various different suppliers. If you purchase counterfeit goods, you deal with the consequences, and if necessary, sue the shady company you bought them from, if they're even still around.
That's not to say FTDI deliberately removing their paid-for-and-assigned ID from the counterfeit device is necessarily the "right" thing for them to do, but it would be EXACTLY the same type of self-made disaster for you if their driver tried to update the device to fix a bug and the counterfeit device couldn't deal with that change and bricked itself. In fact, that sort of thing is actually fairly likely to occur with counterfeit devices so if you don't have measures in place to ensure your're buying genuine products, you're the one setting yourself up for failure, period. This is similar to a poster above discussing accepting stolen goods. It may not be fair, and it may technically be the thief's fault but it's still your problem for accepting the item from a potentially untrustworthy source. There's simply no reasonable alternative way to handle such things, so you've got to take the responsibility to be careful.
Also blindly rolling out Windows Updates to a whole testing lab without initial testing/verification that it doesn't cause problems would be a HUGE error on your part, so any ensuing crisis would, once again, be on you.
Its "funny" how people keep throwing around the "counterfeit" term when there is no real indication that most of these chips are presenting themselves as genuine FTDI chips. It sounds like they're simply using FTDI's PID and drivers so they don't have to register a separate driver/PID for each and every manufacturer of USB-to-serial devices. I'd liken it to a tire manufacturer making a tire that can fit on a competitors rim. If they have a big "FTDI" logo on the chip or pass the device specs off as it being a genuine FTDI chip you'd have a point, if not its like FTDI going around slashing the tires of anyone who has their competitors tires on their rims.
They seem to be the only vendor of USB serial chips whose products seem to "just work" under the majority of use cases, on both Windows and Linux. Every time I have had a weird USB serial problem (on either OS), the solution has been to get a FTDI-based device. Problem solved.
If 3rd party vendors are illegally appropriating their IP, then they can go after those vendors in court. I also have no problem with them rigging their driver so that it does not work with "clone" products. But intentionally damaging devices they do not own steps over the line.
I do not think a boycott is the answer. Yes, they made a mistake with this driver update; but do you really want to (potentially) drive the designer of the best existing USB serial chip out of business? If we go that route, everyone loses.
.
You can't go destroying hardware owned by consumers, no matter what the reason.
They explicitly wrote code that intentionally bricks the connected device. It takes advantage of a bug/ implementation detail such that it does NOTHING on a FTDI device. Because it doesn't do anything at all on a genuine FTDI device, there is no innocent reason for FTDI to put it in their driver.
If the code did something useful on an FTDI device but broke counterfeit devices, that could be accidental. That's not the case, though - the code never does anything good, it only breaks things.
The Chinese Govt doesn't give a rat's ass about this; they're filling their pockets too.
I have at least one counterfeit problem a year, and our supply chain is as locked down as it gets.
If a medical device fails, and someone dies because of their driver, they'll all be in prison, from the ceo to the guy that sent it to M$.
Truth isn't Truth - Guliani
Do what MS does.... Have the driver pop-up a message every 5 mins that requires a click to dispose of it that displays "The "(Serial) Device you are using is made with counterfeit chipset that infringes FTDI intellectual property..
Reading the article now (shame on me for not doing so), I suspect there is malice or 'good intentions' resulted in failed risk analysis and fallout prediction.
Jumpstart the tartan drive.
It's a shame that USB has UMS for storage and UVC for video, but there isn't a similar standard for COM ports.
With that said, it's a serial port. Come on guys!! Just make a pin compatible part and write your own driver. It would probably take about the same amount of time to reverse engineer FTDI. Can you even copyright an IC footprint?
> It's not the fault of the driver if ... the driver tells the hardware to do a write, and the hardware does
How do you figure that what the driver does isn't the fault of the driver?
The driver gives instructions that tell the hardware to self destruct. The hardware faithfully follows the instructions.
It would be different if the instructions were to do something useful, but the clone instead destroyed itself. There is no innocent purpose for this sequence of instructions.
Actually, it is not. "Their" USB VID/PID can legally be used by anybody, it just means that the USB logo may not be used. AFAIK (and just checked on some FT232 I have), there is no USB logo on these chips.
Oh really? Not according to this FAQ:
Regardless of the fact that it may be legal for others to do so, it's unethical and clearly misrepresentation. It's like when Palm tried to use the USB VID of Apple so iTunes would think the Palm Pre was an iPhone - great for Pre users until that causes crashes or data corruption for users and Apple could be held liable.
Rightly so, Palm was slapped down for their "reuse" of Apple's VID.
Make sure everyone's vote counts: Verified Voting
I will no longer put any FTDI parts for two reasons :
No more money for you FTDI. Try to innovate instead of trying to brick people's hardware.
uski
The makers of counterfeit chips are in the wrong here, not FTDI. They used FTDI's PCI vendor ID (presumably without authorization).
Everyone who had a bricked chip should go to the manufacturer and demand a replacement or a firmware flash. Maybe then those guys would use their own device identifiers and supply their own drivers.
But most people are probably just cutting corners to get something cheap. And then they blame everyone else for their problems.
Bottom line: This driver would never install on a system with a counterfeit chip if the vendor did not use FTDI's identifier. There is a standard, and it was violated by each and every knock-off chip that bricked.
Maybe FTDI deserves some heat for sticking it to their non-customers, but I have little sympathy for anyone in this snafu.
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
If you design hardware, what's your stance on this? Will you continue to integrate FTDI chips into your products? What alternatives are available to replace their functionality?
Nope i wont i was already leaning towards the atmega avr's with this functionality built in this was the final nail in the FTDI over priced serial chip-set coffin
A big advantage of running Windows and requiring signed drivers!
Oh, wait, no, that's the opposite. LOL.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Alright, regardless of your take on FTDI's actions. Isn't the real problem here trying to fix a broken market with a regulatory or software solution?
I mean why is the FTDI chip so routinely copied, or cloned? It all comes down to price and availability. We saw this with online music, and we are seeing a corollary here. In this case the end users aren't the market though, they are collateral damage in the dispute between FTDI and hardware manufacturers. FTDI has a product the market wants, but they are asking for a price that the market doesn't want to pay. So people are stepping in with drop in replacements for the parts that the market doesn't want to spend money on, or can't get access to. The best way for FTDI to fight clone makers is to lower their prices and raise their production until the market decides that taking the risk with a clone chip isn't worth it.
And this doesn't just apply to FTDI. This applies to anyone making a commodity part that is widely used by the electronics industry. Sure high quality part manufacturers will never be able to bring their cost down the exact same level as cheap knockoffs, but if they get closer they will recapture some of the market. In the case of the FTDI chip we are discussing right now, the part has been on the market long enough that they have probably made up their manufacturing and tooling costs at this point and could lower the price to meet market demand if they wanted to.
Maybe we just need to push for a "generic" chip industry similar to the US drug market, though the protected window for the original designer would have to be much shorter to factor in the shorter dev/test/to market lifecycle of electronic components. By this time would could have authorized FTDI usb to serial clones, and FTDI would be banking a fraction of a cent per unit while working on the next faster or more power efficient model.
inb4u... really?
Prolific had some counterfeiting problems too, and while they didn't brick devices by changing them they did release a never ending stream of updates with the only improvement being that they no longer worked with counterfeits.
The real alternative is to stop working with USB bridges. With so many microcontrollers come with native USB support and excess memory to implement it. They only real problem then is you need a VIN, something you got automatically when using a bridging chip.
FTDI's download page says:
"FTDI drivers may be distributed in any form as long as license information is not modified."
The owner of the device simply plugs it in. Windows then automatically loads the FTDI driver based on the information that _FTDI_ gave them. Microsoft and FTDI decided to load the FTDI driver for that device. So how exactly is the user "using unlicensed software illegally"?
The manufacturer of the comms chip did precisely the same thing FTDI did - manufacture a chip with a compatible USB ID. Exactly which law gives FTDI exclusive use of that number, and makes it illegal to build a compatible device?
So whether FDTI are in trouble will depend on what expectation someone might have when installing the new driver (where the court assumes they actually read the licence screed).
Which they won't. They would almost certainly follow the logic put forward by Lord Denning in the famous decision of Thornton vs. Shoe Lane Parking Ltd:
As such a term is unlikely to have had attention drawn to it in such an obvious way, it would probably be held to not be incorporated into the contract.
Also, whether properly incorporated or not, it is quite likely to be found to be unfair at therefore not enforceable under the remit of the Unfair Terms in Consumer Contracts Regulations; it is a bad-faith term inserted into a non-negotiated contract with the intent of creating an imbalance in the rights of the parties to the detriment of the consumer (i.e. that FTDI can destroy his property without sufficient notice that a reasonable person would expect it to happen and without compensation).
But if someone has been making FDTI workalike clones that aren't pretending (to consumers) that they're the FDTI product
I have such a device on my desk right now. It's a USB/serial adapter cable, sold without any vendor's branding visible at all (it has a USB logo, but no other kind of branding is visible). The version of FTDI's Windows 7 drivers that were current when I purchased it rejected it as a clone, but their XP and Linux drivers work OK with it. Devices like these are sold by the thousand on ebay and at computer fairs all over the place, and I strongly suspect that until FTDI started pulling this kind of shit with their drivers (which they've been doing for a while -- not bricking devices, but just refusing to work with devices that actually would work OK if the driver didn't specifically set out to test their compatibility) almost nobody was aware there was any kind of problem.
What does your hate of FTDI have to do with your love of PICs?
Here's a list of microcontroller brands which include built in USB in their lineup:
PIC
AVR 90, mega and xmega
AVR32 UC3
STM32
MSP
Actually the only standout I really could find was Parallax Propeller series. They don't seem to produce one with USB support built in.
Counterfeiting what? Clones are not counterfeit nor are selling anyone's work. These chips are made functionally compatible with the software.
How can you defend FTDI's malicious behavior distributing malware to attack unsuspecting end users through an automated windows update that killed other's people property to solve a supply chain issue?
These aren't clones.
The devices in question are internally completely different, but mimic the FTDI command set. They're workalikes, not clones, nightshift runs or factory rejects.
The "sin" comes from marking device packages as FTDI (trademark violation) and presenting a USB Vendor ID of FTDI (unlicensed use of the ID)
Analysis shows that the IP which went into creating the workalikes is at least as expensive as the FTDI devices and the die costs are about the same. What this really exposes is how much FTDI is making from their brand name for what is a generic serial device and what lengths they will go to to protect that brand name.
It's because the profit margin exists over generic, that unscrupulous vendors badge the workalines as FTDI - and the fakes are so good that they're hard to detect visually. The price differential on fake branding is almost nonexistant - 3-5% or less (sometimes no difference), which is within the margin of error on supply chains, so it's no wonder these appeared in production runs.
As others have said, FTDI has burned a shedload of goodwill in a mantter of days. If they wanted to flag attention to the fakes they could have done so in a far less destructive manner (which amounts to arbitrary seizure and destruction of property, something which requires a court order in most countries even for trademark piracy)
Thankfully, there are a bunch of pin-compatible replacements for the device from various makers The FTDI device itself was a pin-compatible replacement for first-generation usb-serial chips.
Workalike makers now know how to make their devices even better mimics of FTDI - plus how to resist VID reprogramming - and a lot of people in the design and build sphere now know that many of the pin-compatible devices are significantly cheaper, use less power and run faster.
The ironic thing out of all this is that the workalikes are significantly faster devices which draw less power and could easily stand on their own 2 feet as a properly branded item. They were sold as FTDI because of resistance to buying other brands by western designers.
End result: Own Goal by FTDI. Did they do this as a prelude to getting out of the serial chip market?
If a branded DVD player updated its firmware from the MPAA so that they could detect pirated discs, and programmed the laser to etch the disc in a destructive manner, would the owner of the pirated DVD have recourse?
This update appears to have bricked four POS terminals that I support.
Thanks guys
What FTDI did was like someone who gets hit by a bully, and then turns around and hits the smaller boy standing on the other side of them. They punished the wrong people, and are themselves now the criminal. 8-(
I have several Genuine and several fake FTDI on Arduino derivative boards.
The fakes have laser etched labels that are quite well done. BUT the “Pin 1” dot in the plastic is just a little different.
Genuine is large dot, not very shiny
Fake is slightly smaller dot and quite shiny
You can see this clearly on this photo: http://s.zeptobars.ru/ftdi-FT2...
Regards, Terry King
What FTDI might technically be considered causing damage (or disabling) to something that did not belong to them, there is really no recourse for the end user with the disable USB port. Because if they sue FTDI for damages to a USB port, FTDI can sue back for copyright infringement (using FTDI software with out permission or license). And I'm guessing FTDI will make a lot more money of a copyright lawsuit, then the end user might get for a disabled USB port. And any manufacturer the sues FTDI for disabling the product's USB port will be exposed as using FTDI product ID and vender ID and also might be considered committing some form of counterfeit? Any government agency that takes FTDI to court will need to produce witness to testify about damages (to the USB port), but also at the same time will the witness will be confessing to downloading any trying to use software they had no license or permission to use and therefore in violation of copyright law and subject to paying damages to FTDI, any fines or damages FTDI might have to pay will be a small price to pay for all the cash they make from people paying them for copyright violation.
IÃm avoiding FTDI products from now... being them original or conterfait (as myself as a hobbyist just can tell the difference)... it was a very bad move from them, very unfair and criminal