FTDI Removes Driver From Windows Update That Bricked Cloned Chips

New submitter weilawei writes: Last night, FTDI, a Scottish manufacturer of USB-to-serial ICs, posted a response to the ongoing debacle over its allegedly intentional bricking of competitors' chips. In their statement, FTDI CEO Fred Dart said, "The recently release driver release has now been removed from Windows Update so that on-the-fly updating cannot occur. The driver is in the process of being updated and will be released next week. This will still uphold our stance against devices that are not genuine, but do so in a non-invasive way that means that there is no risk of end user's hardware being directly affected." This may have resulted from a discussion with Microsoft engineers about the implications of distributing potentially malicious driver software.

If you design hardware, what's your stance on this? Will you continue to integrate FTDI chips into your products? What alternatives are available to replace their functionality?

Computer Missues Act 1990

[jabuzz]

They are a Scottish firm subject to U.K. Law (specifically Scottish law). As such unauthorised modification of computer materials is a criminal offence punishable with a maximum sentence of six months in jail or a 5000GBP fine.

Stopping their device driver working with clone/counterfeit chips is fine. Making modifications to data help on such chips is outright illegal.

Re:Computer Missues Act 1990

[cdrudge]

Why would FTDI have to ensure their driver doesn't break chips that aren't theirs? There's no agreement, licensing, or goodwill.

FTDI doesn't have to ensure that their driver doesn't break chips. It sounds however that FTDI went out of their way to detect whether the chip was a counterfeit or not, and if it was, specifically write to it to disable it when it could have just as easily done nothing (as disabling the driver from functioning).

Re:Computer Missues Act 1990

[Andy+Dodd]

"The issue is that the FTDI driver is deliberately reprogramming a chip that is not theirs"

Except they're only doing this to their USB VID/PID - which IS THEIRS.

If you use FTDI's VID/PID, you're trying to pass yourself off as an FTDI chip, and it is YOUR FAULT ALONE if an operation that does not cause issues on genuine FTDI hardware does bad things to your own.

(If you look at the decompiled code, the driver attempts to write the EEPROM on all hardware. However, genuine FTDI hardware won't actually START the write operation until the driver does "additional stuff" - but clones will immediately write the new EEPROM value.)

Re:Computer Missues Act 1990

And that argument would absolve them if the bricking was accidental due to the VID/PID issue. Unfortunately their subsequent blog post on the topic has them admit it was intentional. This makes their actions illegal.

Re:Computer Missues Act 1990

[TheGratefulNet]

just yesterday, there was a linux kernel patch (on the usb drivers mailing list) that now allows a 0000 pid for ftdi devices.

also, there was a tool by mark lord that allows you to write back any pid value you want, for example, when I ran it, I got this output (and it 'fixed' the chip again, too):

% ./ft232r_prog --old-pid 0x0000 --new-pid 0x6001

ft232r_prog: version 1.24, by Mark Lord.
              eeprom_size = 128
                  vendor_id = 0x0403
                product_id = 0x0000
            self_powered = 0
          remote_wakeup = 1
suspend_pull_downs = 0
          max_bus_power = 90 mA
            manufacturer = FTDI
                      product = FT232R USB UART
                  serialnum = (elided...)
      high_current_io = 0
    load_d2xx_driver = 0
            txd_inverted = 0
            rxd_inverted = 0
            rts_inverted = 0
            cts_inverted = 0
            dtr_inverted = 0
            dsr_inverted = 0
            dcd_inverted = 0
              ri_inverted = 0
                      cbus[0] = TxLED
                      cbus[1] = RxLED
                      cbus[2] = TxDEN
                      cbus[3] = PwrEn
                      cbus[4] = Sleep
Rewriting eeprom with new contents.

Re:Computer Missues Act 1990

However, the counterfeit chips *chose* to use FTDI drivers by using FTDI's licenced (and payed for PID/VID). That's not FTDI's problem.

Actually, it's not theirs if it's a counterfeit chip. You can't use those numbers when you make a certified USB product, but this very likely wasn't a certified USB product, it just happened to work like a USB device if you plug it into a USB port. FTDI may have had an agreement with whoever owns the USB IP and keeps track of those numbers, but outside that agreement they have no rights to it. The makers of the counterfeit chips very likely have no contract with whoever licenses USB so they don't break any terms if they use a number already used by someone else.

And FTDI have moved those chips off their USB id.

The chips and device still work, just not with FTDI's drivers. Nothing was 'broken'.

No, that was exactly the problem. They rewrote the PID/VID to 0, which makes the device inaccessible because that's an invalid ID.

Re:Computer Missues Act 1990

[gweihir]

Actually, it is not. "Their" USB VID/PID can legally be used by anybody, it just means that the USB logo may not be used. AFAIK (and just checked on some FT232 I have), there is no USB logo on these chips.

Not a chance

My involvement with hardware is currently only as a hobbyist, but there's a hardware project I might get on soon at work. FTDI has shown that it is willing to punish both direct and indirect customers for a wrong committed by a third party, and has not even remotely recanted that view. Management apparently thinks that they merely went too far when the world is shouting at them that going in that direction at all is unacceptable.

The obvious alternatives for USB-to-serial are:

1) Prolific 220x
2) Build a soft UART with a suitable microcontroller (PIC, AVR, Cortex-M0, whatever); this is apparently how the fakes work anyhow. Conform to USB CDC and most operating systems should have a built-in driver.