
FTDI removes counterfeit-bricking driver from Windows Update - joezydeco
http://www.eevblog.com/forum/reviews/ftdi-driver-kills-fake-ftdi-ft232/msg536298/#msg536298
======
Someone1234
Good for them. I mean that.

If they want to redesign their driver so it fails to work with non-genuine
FTDI chips, go for it. Nobody will judge them. Heck if they want to show a
message that informs the user they're using a fake, that's fine too.

I think most people seemed to agree that bricking fakes was too far (and also
could be considered illegal in some countries/areas). It also negatively
impacted innocent parties (e.g. consumers who purchased generic goods, which
happened to contain fake FTDI chips).

Plus if you're in the business of bricking things, it is too easy to make a
mistake and brick your OWN stuff. I mean software bugs are common, and it is
best to stay away from a set of them which indefinitely makes chips
malfunction.

PS - I wonder if Microsoft got in touch and essentially told them "we will
pull your driver from Windows Update unless you do it first. It won't return
until it is fixed." We know from the previous thread that Microsoft was
looking into this.

~~~
bri3d
What I don't understand is why they don't make the messaging more clear. In
their pre-bricking drivers, FDTI caused the counterfeits to fail in confusing
and counterintuitive ways, rather than just telling the user that the chip is
fake.

As a user, if my device stops working randomly, my first thought is certainly
not "there was a counterfeit chip in the supply chain for this hardware and
the drivers must be rejecting it!"

A little bit more user notification around "you have a counterfeit FTDI" or,
even better, a tool to find out if your FTDI is fake would be a lot better
than "oh, you can tell if the chip is fake because it will only work properly
with drivers before 2.08.14, otherwise it will randomly crash!"

Prolific do the same thing, but their drivers at least fail to start with a
common error code which is easy to Google.

~~~
DigitalJack
I don't think that is very straight forward. It's easy to know how your device
will operate in various conditions. counterfeits can fail in a million
unpredictable ways.

~~~
bri3d
FTDI have code which can tell with some high degree of certainty (at least
enough that they trusted it to brick devices!) that a chip is fake.

They've used this code to make counterfeits _intentionally unpredictable_ in
the last few versions of their driver, rather than simply stopping the device
with an error code (like Prolific do) or notifying the user or client library
(like all of these vendors should be doing).

So, for FTDI at least, it should be _very_ straightforward to do something
other than _intentionally_ making fakes of their devices behave unpredictably.

~~~
robostac
They might not have the ability to do that - I could quite easily see the bit
of code that can tell if its fake being the same code that bricks the device.
Maybe all the real ftdi chips will reject a PID of 0 (as it's invalid), while
the fake ones accept it.

~~~
bri3d
Their drivers _prior_ to the bricking drivers (everything after 2.08.14)
caused the fake devices to fail, where previously they hadn't.

Whether or not that behavior was intentional, there is clearly an exploitable
property of the fake devices which can determine that they are fake _without_
bricking the device.

FTDI should use it rather than playing these games. Their reaction to the
discovery of the bricking issue on Twitter and elsewhere yesterday strongly
suggests that it was anything but an "oh shit, our driver bricks some of those
crappy fakes" moment.

------
userbinator
It's also important to keep in mind that the driver bricked not only
counterfeits that were illegally marked with FTDI's name, but legal clones
(reverse-engineered reimplementations which are not marked as being from FTDI)
that had the same slight difference in behaviour from the original.

~~~
bri3d
The reverse-engineered reimplementations / clones would have to have been
programmed with an FTDI VID (or included modified FTDI drivers) in order for
the FTDI drivers to claim them, so I'm not so sure about the "not marked as
being from FTDI" bit.

~~~
welterde
As far as I know that's perfectly legal.. you are just not allowed to put the
USB logo onto the device if you clone the VID from another vendor.

And you seemingly can buy FTDI clones that are not marked as FTDI on the
casing.

~~~
wpietri
That's an interesting question. Is the VID a signal of protocol compatibility?
Or a brand name?

In a way it's both, but since end users almost never see the VID, I suspect a
lawyer would have an easy time that under the law it's more the former than
the latter, and therefore not covered under trademark and related laws.

~~~
welterde
Especially since it's the only way to be compatible as far as I know (since
(VID,PID) determines the driver that will get loaded for proprietary
protocols).

Also.. Can you even claim any special rights to a non-government registered
trademark/brand name (one that is registered at a non-government entity - the
USB Implementers Forum in this case)?

~~~
jessaustin
It seems like trademark would be really difficult to attach to (VID, PID) if
no one in the supply chain actually used any USB-IF logos. Basically FTDI
assumed a right to destroy property based on a violation of a contract neither
the property owner, nor any of the chain of vendors that produced the
property, had been a party to.

------
nraynaud
That's a good lesson for people always wanting the famous brands. FTDI chips
are more expensive and not better than the other ones, they need a special
driver and they are subject to counterfeiting. You take a no-name one, and you
have a standard stuff.

It's a stupid USB to RS232, not a rocket control system, there should be no
famous brand, it's the lowest of the commodities.

That said, I do have an FTDI USB to serial adapter (no idea of the
authenticity), because I didn't know better or care, I needed to plug my MCU
board to my computer and I bought the first one I found (and it's just used
for debug, I never ever use serial in real life).

~~~
jws
The FTDI chips and drivers also have the ability to toggle a few extra pins.
If you are making a device this can be important enough to lure you away from
just being a generic USB Communications Device Class profile. (Think a 'reset'
function or a 'enter firmware update mode' function.)

Given that as a consumer/purchaser I have no way of knowing if I have a
counterfeit chip or if the next batch produced by a manufacturer will have
them… I now have an incentive to avoid FTDI entirely when given a choice.

~~~
nraynaud
Good remark. I didn't think about that, because I use a real USB chip for USB,
I don't try to convert it to serial (I like the idea of having various
communications going at once, the stall, etc.)

~~~
sliverstorm
serial is your bread-and-butter on tiny low pin count underpowered IC's.

The V8's of the micro-controller world are great, but sometimes you have just
2000mAh to get you through a year of operation.

------
Igglyboo
Good, destroying a device you legally purchased is unacceptable, whether you
knew it was a counterfeit or not. It's not their job to police that kind of
stuff.

Failing to work with counterfeit devices is completely fine and would have
been a much better approach than straight up bricking them.

~~~
chrisBob
In the US there isn't a legal way to purchase counterfeit goods. It may be
different in other countries. Similar to stolen property, the person left
holding the bag gets in trouble too.

Edit: after actually looking up the issue instead of guessing it turns out
that in most places (other than France and Italy) there isn't much at stake
for the end user, and almost all of the laws are written to stop the sale or
manufacture of counterfeit items.

~~~
the_ancient
It is however perfectly legal to make a hardware device that could make use of
the Same API and driver i.e a clone. Provided it is not branded as a FTDI
chip, but rather "FTDI Driver compatible"

Now that may violate the terms and lic of the driver software on windows (not
on linux because it is GPLv2) but that would not make it illegal to buy nor
would it give them (FTDI) the legal right to modify that hardware

~~~
chrisBob
Using the FTDI vendor ID is branding it as an FTDI product. I would argue that
it is even more important than the text printed on the chip since that is the
part of the brand that the average end user is exposed to.

~~~
welterde
There doesn't appear to be any legal protection on USB vendor IDs though. It's
just important if you want to follow the rules of the USB-IF, but that's no
legal requirement.

------
mwill
It's interesting watching this play out with reputable, legal companies.

Something similar happened earlier in the year with Nintendo 3DS flashcards,
however the software was not just disabling the flashcard, but would brick the
users 3DS.

Their response was essentially, "Yeah? What are you going to do about it?" and
promising to replace the 3DS of anyone who could prove they were using a
legitimate card.

~~~
nnnnni
...which is a really great way to get budding hobbyist programmers to move to
a different piece of hardware.

~~~
sliverstorm
Honestly I doubt Nintendo cares about selling consoles to game pirates. They,
like everyone else in that business, make their money on game sales.

------
Karunamon
There should be lawsuits. I really hope a class action gets started with
people who were bitten by this.

I'm serious. This kind of behavior needs to be nipped in the bud and made a
massive example of, or else we will see it in the future.

~~~
jerf
We do not want to set a precedent whereby a company responds to customer
feedback, and then gets hit by a huge lawsuit anyhow. That just incentivizes
companies to dig their heels in, because it means there's no change in outcome
between speedily responding and trying to stay the course, at which point
staying the course is the only sensible choice.

There's a time and a place for mercy, and giving positive feedback to the
company for rapidly reversing course. They ate their crow; save the nuclear
escalation for a company that refuses to.

~~~
drzaiusapelord
They have already damaged my equipment. I don't give two shits about hurting a
corporation's feelings. They've already hurt my physical items. Once they've
gone down that path, it's now an actionable tort. I can't believe their legal
team approved of this.

They need to be made an example of.

~~~
jameshart
What specific piece of equipment was affected? (not doubting - just curious,
as I've not come across specific examples of people being affected by this
driver)

~~~
drzaiusapelord
This guy in /r/sysadmin claims 35 devices nuked:

[http://www.reddit.com/r/sysadmin/comments/2k6wjk/fyi_ftdi_de...](http://www.reddit.com/r/sysadmin/comments/2k6wjk/fyi_ftdi_deployed_a_driver_update_through_windows/)

~~~
jameshart
35 devices put together by students doing EE projects... well, that's
annoying, but they are at least direct consumers/users of the counterfeit
components - presumably they have the option/ability to replace the chip with
a genuine one once they source one. I've yet to hear of any end user finding
that a commercially purchased peripheral has been bricked by this driver
because its manufacturer used counterfeit parts, though. Would be fascinated
to hear about such an example.

------
kabdib
Their best course of action:

\- unbrick devices they bricked, so the chips will at least work with drivers
other than theirs

\- log something to the windows event log about a clone device being detected

It's their choice whether they should work with the clone device or not; I
would hope they would choose to. I understand their reluctance, but people are
going to be only slightly less mad about a device not working than a bricked
device.

It would be bad for their driver to pop UI warning about a clone device.
Drivers that do this make life very, very difficult for devices attached to
headless servers (also, I believe it's against the MS WHQL rules).

~~~
spc476
How would they unbrick a device? By definition, to "brick" is to render the
device inoperable.

A friend of mine, in the course of his work, bricked a BMW [1]. It took an
engineer, flown in [2] to fix the issue.

[1] He worked at a company making automobile diagnostic tools for mechanics.
He was reflashing the BMW when the power went out. That scrambled the on-board
computer system enough to brick the car.

[2] South Florida (Miami/Ft. Lauderdale area) I'm sure the German engineer
wasn't all that upset.

~~~
kabdib
To misquote The Princess Bride: "This device isn't bricked. It's just _mostly_
bricked. There's a difference."

The device is still there, and it will talk, there's just no matching driver
in the system for it now.

So you add PID=0x0000 to your existing driver (I think this is just an edit to
the INF file on Windows) and sniff the device to see if it's one you've likely
(semi) bricked, and make the attempt. You own the VID, so this operation
should be safe in your namespace.

Brickness is a measure of the user's ability and motivation to restore a
device. I've worked on systems where you have to unsolder really tiny devices
in order to unbrick. It's a continuum of inconvenience, really. To most users,
the evil FTDI driver made a brick because it was beyond their skill to do the
repair (hey, you can write a driver for PID=0x0000 any time you want to,
oaky?)

------
poslathian
For those of you with bricked FTDI chips, there is hope on linux:

[https://lkml.org/lkml/2014/10/24/44](https://lkml.org/lkml/2014/10/24/44)

~~~
isopede
This is a counter patch which restores the broken PID. The original proposed
patch is actually a parody Linux version which bricks FTDI chips.

The real Linux patch which adds support for broken clones is here:
[https://git.kernel.org/cgit/linux/kernel/git/johan/usb-
seria...](https://git.kernel.org/cgit/linux/kernel/git/johan/usb-
serial.git/commit/?h=usb-linus)

~~~
duskwuff
Making the parody even funnier: It uses the exact same procedure to "brick"
counterfeit devices as the Windows drivers did.

------
muyuu
Looks like their boards have been HN-ed.

------
wpietri
Is this an opportunity for someone to make an open-source driver that just
works?

~~~
isopede
This exists:
[https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux....](https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/drivers/usb/serial/ftdi_sio.c?id=refs/tags/v3.18-rc1)

------
hippich
It mentions Windows, what about other OSes? Does linux/mac need driver? If no
- why it works without driver on these OSes?

~~~
Vendan
Cause Linux has drivers that support it already, that are a part of the
kernel. Not likely that FTDI'd manage to get the kernel devs to add bricking
code like this. Kernel devs already added code to handle devices that had been
messed up by the drivers, actually.

~~~
hippich
Then why there is no open source driver for windows which works with non-
genuine chips?

~~~
Vendan
Because windows drivers need non-trivial amounts of support in the form of
driver development kit and driver signing. Then you run into issues with which
driver to pull for the chip, cause now you are conflicting with FTDI's driver.
Other chips that aren't clones do have their own drivers.

------
Alupis
Seems a lot of the posts on that thread are from HN visitors, many may not
even have the equipment/chip in discussion.

While it's great FTI reversed their decision (I'd hate to see this sort of
thing become wide-spread), it's a little off-putting that so many non-users of
the chip could force a company into something.

~~~
smilekzs
Were we to wait for the real users to notice, it would have been too late.

~~~
Alupis
No, but suppose this was another scenario, such as automatic product
bagger/sealers and some counterfeit part was being bricked by the original
manufacturer. I doubt anyone outside of the warehouse/manufacturing industry
would care, nor would anyone outside that industry have any real right to
care.

In the FTI situation, I'm indifferent, but I just don't like the "crowd
mentality" thing where people get stirred up about things that only a few
hours ago, they had no idea even existed.

~~~
HeyLaughingBoy
The company I work for uses (genuine) FTDI USB-Serial converters in our
$500,000 medical instruments. I have full confidence in our Supply Chain
Management people, but mistakes happen. If we were to send out a field upgrade
to the instruments, as happens periodically, and some of them had the
counterfeit chips, then suddenly there are patients all over the world, many
in Emergency Rooms or Intensive Care, that can't get their test results
because instruments are down.

This can affect many, many people not in a particular industry, depending on
where the device is embedded.

As soon as I heard about this, I notified our senior design EE so he could
pass the information on if necessary. This is not to be taken lightly.

~~~
Alupis
The scenario you present is a little "doomsday". You'd have to replace all of
your deployed product's chips with cheap counterfeit ones for this to happen
-- and you say you have complete confidence in your supply chain.

My warehouse has a couple Sharp Max baggers w/ counter and sorter, which are
just as expensive as your medical instruments. The electronics check to ensure
you are using only the Sharp brand parts, otherwise the machine refuses to
work.

Most printer cartridges won't work in printers unless they are the name-brand
cartridge (printers read the chip on the cartridge).

Neither permanently damage the counterfeit parts, but it doesn't matter much
if you can't use the counterfeit part you just bought (thinking you were going
to save a buck or two).

Frankly, I don't buy the argument that a lot of users didn't know they had
bought counterfeit. For a device that retails for $15 and you got it new for
$1.50, well, something is up.

Perhaps a better way for FTI to go would be to detect the counterfeit when
it's plugged in, then just refuse to do anything with it. (although this would
allow someone to get a non-FTI driver to work)

~~~
JoeAltmaier
Steep discounts for volume are the norm. Its arguable that the consumer
doesn't know nor care why the discount; as long as the vendor/product passes a
qualification test.

~~~
HeyLaughingBoy
Not to mention that he's assuming the cost was different. Many companies have
to deal with counterfeit parts (we have) and often the only difference is that
they either outright refuse to work (good!!) or fail early (very bad).

------
expr-
I disagree with the consensus.

It's their driver, it operates in a specific way, perhaps responding to
possible device output. Using it with non-compatible parts advertising
themselves as compatible and any resulting behaviour, including unwanted, is
the responsibility of the user. To play it safe, don't use any drivers with
incompatible hardware.

~~~
JoeAltmaier
That's reasonable, until they start deliberately destroying my property. Then
its a civil case. Do we have any evidence either way, deliberate or
accidental?

~~~
Alupis
Just playing devil's advocate:

Do you have any evidence specifically that their driver destroyed your chip,
or could there be reasonable doubt that your counterfeit chip died? For a
class-action suit that a lot of people seem to be talking about, you would
have to have evidence that this was what did your chip in. And getting enough
people (who appear to be mostly end-users) to submit the necessary evidence
could be quite the task (most probably will just assume the device croaked one
day and toss it out).

~~~
serf
It's very easy to spot, as the driver 'bricks' the chip by resetting it's PID.

~~~
Alupis
well, the PID is not a physical thing. So for the average user, "the board
just died on my one day". Getting wide-spread testing and evidence submitting
would be challenging I think.

~~~
wpietri
I don't see why that would be more challenging than any other class-action
suit. Indeed, this looks easier, in that you have widespread media coverage
and plenty of experts speaking out publicly. It's not a question of trying to
find experts qualified to testify; here, you can pick from a bunch. The
technology here is also much more straightforward than, say, an automobile,
and there are successful class-action suits involving those all the time.

~~~
Alupis
there isn't really any media coverage, other than the forum posts and HN.
Also, using your automobile example, an average-joe consumer can take their
car into a mechanic and have it tested for a recall/defect. The average-joe
with an arduino is far more likely to toss the defective unit out, rather than
try to spend a while troubleshooting a $40 board.

I just don't see a class-action really able to take off. Especially since
we're talking about otherwise illegal counterfeit chips in the first place.

~~~
wpietri
Ok. This looks like media coverage to me: [http://www.zdnet.com/ftdi-admits-
to-bricking-innocent-users-...](http://www.zdnet.com/ftdi-admits-to-bricking-
innocent-users-chips-in-silent-update-7000035019/)

The line of argument "I, as some random anonymous person on the internet,
can't see X" doesn't do much for me. Lots of people can't see lots of things,
but most of the time that turns out to be about failures of knowledge or
imagination, not evidence that that what they're talking about is impossible.

Further, I don't think it's really my job to make people see things. (Well,
actually, it is, but I charge by the day for that.) If you don't see it, I can
live with that.

~~~
Alupis
Not entirely sure what your argument was here, you sort of drifted into the
weeds a bit.

I think you meant to argue:

"There is one source of media coverage, although it's largely just twitter
comments. And just because something is difficult to prove doesn't mean it's
not provable."

Both are valid arguments.

I don't count ZDnet as a very credible source of news, and in this case, some
googling seems to show they are practically the only "news site" running this
story. Although, as pointed out, it's mostly just a paragraph followed by
several twitter posts.

Secondly, the evidence thing is important if a case like this were to proceed.
In order to sign onto the class action, you would have to prove you purchased
an effected chip/board, and that this driver is what killed your product.

Two problems here:

1) You bought a counterfeit chip/board. It's unlikely any award will be levied
for illegal/infringing products.

2) Users would have to show evidence they were effected. Even in the RedBull
class action case that is settling now, you must prove you bought a RedBull
during the time period the case covers (receipt or whatever). Again, you have
a counterfeit product, which was illegal to sell/buy in the first place. Not
to mention, getting average-joe to test his device, even if someone made a
testing utility and freely distributed it, will be close to impossible. People
who are technical and care may do it, but average-joe will assume his arduino
went belly-up one day, and likely toss it in the garbage.

Let's be realistic. A handful of people in-the-know will care passionately,
and do everything they can to further a claim. Several handfuls of people will
care enough to do something if they believe they will get something in return
(a payout). The rest will have no clue this is even a thing, and will simply
throw away their "defective" device.

What FTI did was wrong. But there is no real recourse here.

~~~
nitrogen
Check other posts on this HN story; others have proven the drivers were
deliberately malicious by analyzing either a USB stream or a driver
disassembly (I haven't read enough to know which).

~~~
Alupis
It was USB stream.

The problem isn't knowing the driver itself can cause a bricked chip and
therefore bricked device.

The problem is Joe-Average isn't going to be able to prove it was this driver
and not just a defective device/chip for another reason. Even with a free
"testing" tool someone can make to check for the flipped PID bit, Joe-Average
has no clue this is even going on, and is likely to just throw away his
bricked device.

