FTDI Driver Breaks Hardware Again (eevblog.com)
janoc writes: It seems that the infamous FTDI driver that got famous by intentionally bricking counterfeit chips [NOTE: that driver was later removed] has got a new update that injects garbage data ('NON GENUINE DEVICE FOUND!') into the serial data. This was apparently going on for a while, but only now is the driver being pushed as an automatic update through Windows Update, thus many more people stand to be affected by this.
Let's hope that nobody dies in an industrial accident when a tech connects their cheap USB-to-serial cable to a piece of machinery and the controller misinterprets the garbage data.
Let's hope that nobody dies in an industrial accident when a tech connects their cheap USB-to-serial cable to a piece of machinery and the controller misinterprets the garbage data.
...
I think I'll keep my Windows computers with updates disabled, as all the updates have been detrimental to the user, lately.
Checking the eevblog thread, though it seems it affects Windows 10, which I also elected not to touch.
"The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
Thanks to the reality of supply chains, companies intending to buy the real deal can accidentally buy the knockoffs. Anyone willing to do this (or their previous actions, like bricking devices) is someone I intend to never purchase from, real deal or not.
There are now plenty of competitors to FTDI. Don't buy FTDI - even if you think you're buying the real deal, reality can intervene.
What is Microsoft's responsibility here?
They are pushing out drivers that brick hardware through their Windows Update service?
How the hell did this pass their WHQL?
> Let's hope that nobody dies in an industrial accident when a tech connects their cheap USB-to-serial cable to a piece of machinery and the controller misinterprets the garbage data.
If a rogue USB to serial connector (on a windows box, with automatic updates no less) can endanger your workers, then your machinery wasn't safe in the first place.
I am Slashdot. Are you Slashdot as well?
For those of us who are unfamiliar with FTDI and/or their "infamous driver"
I've just thrown my reels of FTDI chips in the bin.
NEVER again FTDI.
Why is an FTDI serial driver needed? USB has had a serial port protocol as part of its base spec and Windows has a default driver for things declaring themselves to be a serial port. I have several devices that work in this manner.
Why would a vendor of a basic USB-Serial port converter bother writing a driver?
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Here's the safe driver, in the form of source code so you could check it yourself if you want to.
http://lxr.free-electrons.com/...
This driver does require a non-crap operating system, of course. Linux, FreeBSD, OpenBSD, etc probably OSX will work too.
> Let's hope that nobody dies in an industrial accident when a tech connects their cheap USB-to-serial cable to a piece of machinery and the controller misinterprets the garbage data.
Let's hope that no dumb idiot would connect anything critical to a "cheap USB-to-serial cable".
I still have prolific and ftdi chips but I have moved on to the CP2102 models. The original reason was that the particular one I had was 3.3V, my FTDI one required soldering. But found that it works well with the Raspberry Pi, and ESP8266 without needing a logic level shifter. Also with short wires (less than 10 inches) I was able to power my raspberry pi as well. I've happily used it reading JTAG as well.
They will have liability for this: this is a reasonably foreseeable occurrence stemming from their action with no superseding intervening cause.
Also can be criminal negligence as well.
Why can't FTDI realise that this kind of behaviour is only going to hurt innocent end users, rather than the people responsible for peddling counterfeit devices? I've bought hundreds of these devices in the past from reputable suppliers, and in precisely zero cases can I determine whether the chipset is genuine or not before purchase. If I can't tell what I'm buying, then why am I being punished when I've bought in good faith? Why can't FTDI instead use existing mechanisms and laws to find the people responsible?
Of course Linux drivers for these devices work every time, counterfeit or not. Perhaps a different approach might be for someone to take the Linux code and create a decent open-source Windows driver to replace the buggy (i.e. injecting unwanted serial data) FTDI code?
I'm glad to know who is selling me knock-off hardware.
Before some silly person jumps in, obviously that exact file is for Linux. The BSD versions are similar and also safe from the manufacturer's bullshit.
Son of a.... I spent, literally, 4 hours yesterday trying to troubleshoot a 3d Printer (Tinyboy 3D), with it not working. MProg from FTDI said the chip was fine (right vendor and product ID), but it just wouldn't work. I tried every driver I could find. Finally, I uninstalled the driver, disabled wifi, plugged it in, waited for Windows 7 to install the version it knew (2.4 something), used Mprog 3.5 to reprogram the chip as legit (as per: https://www.youtube.com/watch?...), unplugged, replugged (at which point windows reinstalled it again, with 2.4), and suddenly it started working! I can confirm this "Non Genuine" serial data, since I opened up the Arduino IDE and saw that on the serial console. You know, I sympathize with FTDI. They're having their tech ripped off. But, it's inappropriate to punish end users who don't have any say. Sure, we could not buy stuff that uses counterfeit chips, but many sellers aren't even going to know. FTDI should be pursuing the counterfeiters in China, and using what legal system China has to stop it. Either that, or create a version of the chip that has such a low price point, they put the cloners out of business by providing legit-working-alternatives for a price point. So annoying that I've lost time because FTDI does this crap, and apparently Microsoft is okay with it (I don't see how this should have passed WHQL).
I was using FTDI chips in several projects, both personal and professional, when the last round of bricked devices occurred. None of mine were bricked thankfully, but I thought to myself... nope. This behaviour is not becoming of a company I wish to see succeed or help make profitable. It is literally impossible for an end user to check a valid supply chain.
FTDI isn't even capable of keeping their distributors above board and said during the original fiasco that they could not guarantee chips were legit unless they were purchased directly from FTDI. They can't even guarantee legitimacy via their own distributors.
How's about it? Am I qualified to be a Slashdot editor? If hired, I promise to stop being an asshole all the time.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Don't worry Timothy you'll soon be joining them!
Wait, you're actually surprised that Microsoft is okay with screwing users over something they already paid for?
> Sure, we could not buy stuff that uses counterfeit chips, but many sellers aren't even going to know.
It's the JOB of the manufacturer to know, you moron. Demand a refund from whoever you bought it from.
> FTDI should be pursuing the counterfeiters in China, and using what legal system China has to stop it.
What legal system? China's legal system is "Whoever pays the biggest bribe, wins."
> Apparently Microsoft is okay with it
LOL. Microsoft has their own massive problems with counterfeit Windows licenses. Why wouldn't they?
My guess is that they have cash-flow problems and they now think pissing-off potential customers is the way to go. You know, like the music and movie industries.
On the side of solid engineering practices, they can refuse to talk to that counterfeit device by not detecting it or giving an out-of-band error on detection, but that is it. Breaking the hardware intentionally is sabotage and exceptionally unethical. Being willing to work with the device but then injecting data into the data-stream intentionally is the same. If anything bad happens as a result, this is the step that comes after gross negligence: It is called "intent".
While I do expect they will have had this cleared from a legal perspective and will be hard or impossible to attack, from an engineering perspective there is only one valid way to deal with this: To not ever use their products until they have credibly sworn off their evil ways.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Seriously, if FTDI wants to use their drivers to push out counterfeits, there's ways to do that without pissing off your customers or doing something possibly illegal.
How about, if your driver detects it's not actual hardware, you just refuse to work? Pop up a message saying "This is not FTDI hardware. This driver is not compatible with this hardware." If you want to be nice, give them a click-through that says "we have no idea what this hardware actually does. We cannot guarantee that using this driver will not cause catastrophic problems, and by continuing you agree to hold FTDI blameless for any damages caused by this hardware" - and then treat it exactly the same way as your actual hardware.
As for the counterfeiters... is writing your own driver really that difficult? Hell, hack FTDI's driver to call it something else and use different device IDs, if you want to be lazy. I've read up on these counterfeits, they're actually more complex hardware than FTDI. They clearly don't lack for capability.
Are we talking about chips that are actually using unlicensed patented technology, or just chips that have a compatible pinout and interface?
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
I'm a big consumer of the Arduino clones (and FYI - Arduinos are FREE to clone for everyone, it's a part of the concept).
The chip has now been replaced with the CH340 - which even though it lacks some of the FTDI features, is a bang up chip that gets the job done - even at really high Serial speeds, I've yet to see one of them fail on me (I use Linux, where CH340 runs right out of the box, windows needs a driver).
I've not even heard of the FTDI before all of this came up.
What this world is coming to - is for you and me to decide.
Pretty much this right here.
Enabling hardware updates just causes all kinds of problems.
Even exploitable hardware patches are not important enough if it means you have to deal with stupid glitches caused by new drivers and the headaches of figuring out what has been screwed over.
Following exploit and update blogs / news and then doing the updates manually is just far easier since then you can know 100% what the hell just happened when something hits the fan.
Hardware auto-updates are like firing a shotgun in to a fan.
Hell, to be honest, I would go as far as saying the same for software.
If you can get around to it, write your OS to a read-only drive and manually patch updates in to it when they are proven to work in a duplicate.
Rollbacks sometimes don't work too well. They are far better than they used to be in the days of pre-vista branch of Windows, but even then...
Far easier to stick a drive in, boot, if it fails, "yeah, no", put original drive in and give no fucks.
Those damned florists and their delivery vans!
Have gnu, will travel.
FTDI is malware.
Use Linux.
use MCP2221.
aaaaaaa
> Perhaps a different approach might be for someone to take the Linux code and create a decent open-source Windows driver
"Open-source Windows driver" is a contradiction in terms.
Since Windows Vista 64-bit, Microsoft has placed a policy in Windows to require device drivers to be digitally signed with a kernel-mode code signing certificate from a commercial certificate authority. As of Windows 10, Microsoft has tightened this policy to require disclosure of the binary code of all drivers to Microsoft, and new drivers submitted since November 2015 must be signed with an Extended Validation (EV) certificate. An EV certificate is substantially more expensive than an ordinary code signing certificate (hundreds of USD per year according to digicert.com), and only an organization, not an individual developer, appears to qualify. It appears that Microsoft really wants the hardware manufacturer, not a third-party developer, to make and publish drivers.
I thought the problem before was that the driver was near-bricking counterfeit devices by uploading broken firmware.
The current driver sounds like it just doesn't work except with certain hardware, but isn't damaging the device.
FTDI doesn't pay Microsoft. Why would Microsoft then allow FTDI to screw Microsoft's actual customers? MS might, in theory, argue that IP should be protected, but that is really an issue between FTDI and the people using alternative products.
To me this is classic MBA thinking thus I actively hate FTDI and wish them every failure possible in the future. If someone does suffer harm from this and sues FTDI I wish those guys every success and I hope that some jury brings ruinous hell down on FTDI.
Maybe FTDI should get into the marking up drugs 100,000%. There is good business which is adding value to people's lives. Then there is exploitive business where these bozos were hoping to weasel their product in wherever there was a USB and they were hoping to charge a USB tax.
I'm going to use a car analogy here, because it's traditional, and it's become a running gag.
Don't whine about the names used, at least it's recognized. Also, I'm not a car guy, so I don't care if I name the wrong parts.
Let's say you buy a Ford car. You've had a great time with that car, no problems at all. Then one day when you're getting gas, all of a sudden there's an explosion and your carburetor flies through the hood of your car and explodes a hundred feet up like fireworks!
After a bit of research, you find out that Ford has started doping that gas so if it's used in a Ford car with Non-Ford Official and Authorized parts, it causes the rather spectacular event you already witnessed.
Does Ford actually have the right to do that? Even if you bought it from an Authorized Ford Dealer? You bought it new?
Even if you didn't, how can they legally justify damaging YOUR property?
Trust me, if cars were shutting down unexpectedly because of an intentional act of sabotage, there would be hell to pay for the saboteurs.
Why does anyone think this situation should be any different?
lol. Fair enough.
yup. I don't see how they can possibly justify this to their customers, or MS for that matter. They could serialize their chips... though, nothing to prevent falsifying that. Nope, customers get screwed, and manufacturers get screwed because FTDI isn't going to get angry calls that they can't just answer with "you should have bought a legitimate product" *click*.
One problem these counterfeit chips pose is that all the sudden companies like FTDI end up with a lot of support costs for people who bought shoddy products with the fake chips, which often don't work nearly as well as the real thing. This is a way for FTDI to crack down on the counterfeit chips. While it sucks for the consumers that end up with the fake chips, it will also help put a stop to the counterfeit chips since any product that uses them will not work.
At my company we make a number of development boards using the quad FTDI chips for the serial interface. We use them because in addition to RS232 they also can talk I2C and JTAG, among other things. I can reliably run the FTDI chips at 10Mbps. I've used other USB to serial devices in the past but I've had lots of problems with them. Some cables I bought, for example, will just suddenly stop working and I have to periodically reset the baud rates.
Why should FTDI have to bear the burden and support costs of counterfeit chips? If somebody else slaps the FTDI manufacturer ID and product ID onto their USB device then they deserve whatever happens. Why should FTDI have to spend resources supporting fake chips? By doing what they are doing, it will drive the fake chips out of the system and prevent future ones.
I work for a chip manufacturer and while there's a very low risk that someone will make fake chips like ours (very complex network processors), we have had to add features to our chips so that our end customers can prevent counterfeit equipment which just copies their software. We have some large customers who have been battling Chinese made counterfeit equipment.
This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
I hope FTDI continues to block counterfeit devices.
This will alert buyers who then can demand refunds, or sue the vendors who sold them low quality fakes.
Want guaranteed genuine chips? FTDI runs an online shop, reasonably priced too.
http://www.ftdichip.com/
I for one was burned once with a fake Prolific PL2302 that crashes frequently and reproducibly. Never again.
When you have to do research and development ... and your chinese counter parts don't have to do anything other than run the fab process, you're going to have a non-trivial time lowering your price past those who are stealing your designs.
It passed WHQL because it works perfectly when using proper hardware, that it is intended for, that follows the USB spec appropriately.
There is no WHQL requirement that your driver perform properly with other hardware which violates the USB spec (using FTDI's VID/PIDs is an obvious violation of the spec).
You're trying to claim that it's FTDI's responsibility to make other shitty hardware work right with their driver, which is absolutely nut job.
Stop buying cheap ass knock off crap and you won't have this problem. How else do you stop people from producing knock off parts? You aren't going to stop them other than making them not work right? You aren't. People will stop buying from shitty vendors who sell these knock offs and eventually it will feed back and end.
Or ... FTDI can care that someone like you, who has never given them a dime, since you're using shitty knock off hardware, complains about them and complains that you won't use them.
HINT: YOU AREN'T USING THEM NOW. THEY AREN'T LOSING ANYTHING BY YOUR SILLY CLAIMS THAT YOU WON'T BUY THEM.
You're an idiot, much like the others who think that FTDI can out price the cloners.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Given that they've chosen to work with a vendor who has been known to transmit malware via windows update before (the bricking incident), is MS in any way liable at this point for not properly controlling their partner's access to Windows Update?
I hope no one gets hurt, but I actually hope someone big loses money and starts filing lawsuits over this. I'd love to see where they manage to pin the bill for damages.
Oh, and to anyone who doesn't think this kind of thing can be damaging: I know of at least one medical device (a thermal-management device that cools or heats the patient) which has a 'USB' output that consists of an embedded FTDI chip and a USB B port on the device.
Fortunately that data stream isn't generally used for making clinical decisions - it's mostly used by researchers trying to collect data. But one can imagine the havoc this kind of move is going to have on those data sets. Hopefully that device company didn't get any fake FTDIs in their supply chain.
A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.
They have some good bridges too. Pick any other but FTDI.
I can see why FTDI has done this -- although I would rather they would track down the board builders who use the fake chips and those that sell their boards and sue them.
However, I'm trying to figure out what Microsoft's interest in pushing this. Did they just not test this case (surely, after the last time, they should be testing this)? Accepting such drivers will just discourage people from 'auto updating' and they seem bent on encouraging that behavior, not discouraging it.
(Although, in my case, Microsoft had already managed to get me to stop taking updates as I got tired of having to carefully check each one to see if it was another undocumented driveby update to nag me to upgrade to Windows 10 from 8.1).
Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading
The MCP2221 is just a PIC microprocessor with some embedded firmware that pretends to be a USB to serial bridge (among other things). One of its weird behaviours is that it inserts pauses between each byte it transmits - so while it can talk at higher bit rates, once you factor the delays between each byte it transmits you never get the advertised baud rate.
Actually, here's the odd bit - the counterfeit chips aren't stolen designs. They implement the FTDI protocol in a completely new fashion!
FTDI's chips are controller-less - there's no microcontroller inside it handling USB to serial communications. The knockoffs use some generic 8051-class microcontroller that emulates an FTDI chip most of the way and do the same thing. But all in all, the clone chips someone had to go and reverse engineer the protocol and write all the custom firmware for it.
So the bigger question is... why? Someone has gone through a lot of work making their FTDI clones, which are completely different inside than a real FTDI chip.
It's not a case of stolen design. It's a case of reverse engineering to produce a knockoff. Someone put real time and effort making these knockoffs - time and effort that they could've done making their own stuff.
since they generally use a DOS based system or if Windows is absolutely essential for the controller software, usually an embedded solution rather than disk-based NT is called for. I've never actually come across a Windows NT based CNC mill.
Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
Of course they can't guarantee third parties, how can they? They've no way to stop the distributor from mixing in fake chips with the real ones. I mean I doubt that someone like Farnell or DigiKey would do that, but there's no way for FTDI to stop them if they did.
by providing us, buyers of USB-to-Serial converters, with a tool which can reliably detect the fakes. For my field of work, it's extremely important to use only the highest-quality, most reliable and most compatible chips, and the fakes have been bringing untold hours of headache to our technicians and developers over the years. Do yourself a favor, people, and demand the real deal from your suppliers, and return your fake cr@p ASAP. If the supplier doesn't listen, change them. Test all your new purchases with this driver and let the fakes burn!
Slashdot, have you lost your mind? This is neither a bug, nor a DRM.
So, you're saying that it's like if IBM had made Lotus 1-2-3 re-flash the BIOS (first FTDI story) or miscalculate (this one) when running on an IBM-compatible PC, rather than a genuine IBM PC.
I'm fairly sure you can self sign drivers as you need to.
With a big, ugly, always-on-top "Test mode" badge. Or what am I missing?
You're not FTDI's customer. You're not even legally allowed to use their drivers with non-FTDI chips. It's rather curious that everyone who whines about this is demonstrably not their customer. FTDI is not punishing anyone they deal with. It's your own choice to use fake chips and use FTDI drivers without legal right to do so.
Go talk to whoever sold you the device with the fake FTDI chip and ask for invoices or purchase orders from a reputable vendor like DigiKey/Mouser. My bet is that they got their chips from eBay or Alibaba. You should be raising a stink with them, not with FTDI.
A successful API design takes a mixture of software design and pedagogy.
why?
Because these retards couldn't even be bothered to get their own drivers out there...
A successful API design takes a mixture of software design and pedagogy.
End users have lots of say. It's up to the end user what to buy; buy from reputable companies and I doubt you'll have the problem. Buy from cheap-ass Chinese importers and deal with losing time from it. Where would you rather pony up, at purchase time or usage time?
No, you don't sympathize with FTDI. It's entirely appropriate for them to start using their device in ways the counterfeits can't handle, resulting in broken behavior from the counterfeits. Any other stand requires FTDI to test for "compatibility" with the knock-offs, and that's just insane. As long as the command sequence that causes the "troublesome" output is being sent to authentic FTDI chips as well, then don't blame them - blame whatever crappy company you bought your "FTDI" serial device from.
Am I the only person thinking that a kickstarter or other crowdsourced alternative is required? Having an alternative driver that just works - with the ability to 'sniff' updates and warn/block of bad driver updates?
We are all Terrorists !! Cyber Terrorists !
aaaaaaa