Hacker News new | past | comments | ask | show | jobs | submit login
Your DS18B20 temperature sensor is likely a fake, counterfeit, clone (github.com)
450 points by 0x402DF854 26 days ago | hide | past | favorite | 230 comments



Trust in hardware supply chains when manufactring a PCB for a product can be quite fragile: when one component operates outside of spec, the entire device could be rendered useless. In the case of the DS18B20, the author states in the 'Warning' section that the primary way of determining counterfeit sensors is to check the ROM output compared to a known format. When counterfeit parts like this are added, it creates vulnerabilities in the entire system due to the ability for a bad actor to leverage this vulnerability and cause one part in an entire system to fail.

For example, the company FTDI snuck in code that was in a series of Windows updates that was able to detect counterfeit FTDI and brick them via software to send back all 0's.[0][1] This anti-consumer behavior on behalf of comapnies can a be a headache for end-users and programmers alike.

[0] https://hackaday.com/2014/10/22/watch-that-windows-update-ft...

[1] https://hackaday.com/2016/02/01/ftdi-drivers-break-fake-chip...


If I recall correctly, FTDI took some well deserved heat, but quickly discontinued this practice.


The really sad thing is that the FTDI clones worked better than the original ones.

The original FT232R chips have a clocking bug that makes bitbang mode unusable for many applications, with no workaround (their errata sheet suggests a bullshit workaround of setting the clock speed to max, that is unusable in practice because USB can't keep up). It's supposedly fixed in a revision that I've never seen, and I believe they never manufactured it.

The clones... work perfectly fine: https://twitter.com/marcan42/status/695292366639378433

In fact, I reverse engineered FTDI's bricker, and it works by exploiting the fact that their own chips violate their own interface design by requiring EEPROM words to be written back to back - even word writes alone are staged and ignored without an odd word write. The clones honor the writes independently, like FTDI's other chips. Their bricker code only writes even EEPROM words and preimage attacks their own checksum algorithm (since the real checksum is at an odd word they can't touch) to make it work, so it has no effect on the real chips (which get sent the same commands). It's hilarious.

Don't buy FTDI. They're just bad.


We too found that the FT232R is unusable in bitbang mode. After much to-and-froing, FTDI support eventually acknowledged that even their later hardware revision "C" is still buggy, despite what the errata sheet implied.

We switched to the FT230X, which works great.

Our detailed investigation: https://stb-tester.com/blog/2016/05/26/ir-post-mortem


I've been using FTDI for, I don't know, twenty years. No problems at all. Also using USB solutions from other vendors (not FTDI clones).

> The original FT232R chips have a clocking bug that makes bitbang mode unusable for many applications, with no workaround

One of the problems with this situation is that if clones are allowed to permeate the market unencumbered the manufacturer of the genuine device might not have the financial capability to address problems and continue to innovate. Every single fake chip takes revenue away from the legitimate supplier.

Not arguing that your technical point isn't valid. It is. My point is that causing damage to the legitimate manufacturer by substituting their chips with clones has a non-zero non-trivial effect. Clone chip makers have zero interest and expend zero effort, time and money supporting the ecosystem they infect. All they care about is pushing their hardware and nothing else.

This also causes damage to consumers because it is impossible to know what issues fake chips might bring to the table across a wide range of vectors, safety and reliability being just two of them.

The better path is to take design wins away from FTDI and adopt hardware from legitimate part suppliers with solutions that meet your requirements. That's fine and that's how a healthy market works. Choosing fakes over legitimate parts hurts everyone. Today it's FTDI, tomorrow it could be your own products. Having experienced the "attack of the clones" myself, I can tell you this is not pleasant at all and it can, quite literally, destroy your company, costing jobs and your future.

Not a simple problem.


Wait so the bricker wouldn't even work on the clones? Or it only works on the clone because they don't have the FTDI checksum algorithm bug?


If I’m reading marcan_42’s comment correctly, the FTDI chip defers any EEPROM write request to an even address until it receives the next write request to the subsequent, odd, location. If the next write is somewhere else, it discards the original data.

The 3rd-party chips, on the other hand, perform each write immedately per the official documentation. The malicious driver uses this difference to overwrite the firmware of the 3rd-party chips with carefully-crafted nonsense that has the same checksum as the legitimate firmware.


Both FTDI and Prolific have done this kind of thing. I switched to the CH340 a while back without any issues.


If I remember rightly, what Prolific did was worse in some ways because it rendered genuine but older-revision chips that they'd actually made non-functional with current drivers. (Also, some of the CH340 clones are genuinely really badly done and can't understand register writes that differ even slightly from what a particular version of the official driver sent.)


how about cp2102? I prefer it to ch340, for no reason though ))


I found both cp2102 and ch340 seem to use less power too than ft232r. At least there are some boards I can power with the 3.3V output of the cp2102 and ch340 dongles, but which will brown-out with the old ft232r ones.


It's my go-to part for this purpose also (and I don't believe I've encountered any clones so far, knock on wood). Another part I've used in a high-volume application is the Holtek HT42B534 which is great because it's CDC class and hence doesn't need a driver for Win/Mac/Linux. It's EOL sadly. There's HT42B564 which is a HID-class replacement. The other alternative is using a cheap micro with USB interface.


Aha, I didn't know about the CP2102. Looks like I'll have to give one a whirl, and there's even a breakout board at Adafruit. I've used relatively few VCP adapters since I've been using microcontrollers with built-in VCP.

I was nervous about the CH340 because the Windows drivers seemed to come from some weird place in China, but maybe US sourced drivers aren't any more of a comfort in these times.


If someone wants to quote me for a full reverse engineering of those drivers then I'd be interested in (crowd)funding it. But in terms of risks to worry about, it's pretty low down on the list IMO.


That's a lot of fancy words for essentially restating that old adage about three million parts being required to launch a rocket, all of them being delivered by the cheapest bidder.

And yet, these rockets (mostly) got off the ground quite safely!

Because these statistical vulnerabilities are rather obvious, and it isn't quite just the "cheapest bidder", and because their parts are tested, and because people took care to allow for 2 million of those 3 million parts to fail without disaster being inevitable.

The risks of remote-bricking counterfeits are rather obvious, indeed.

But it's just as trivially obvious that it is intended to protect the supply chain. Or, for the cynical: that its intend to protect these companies' profits is aligned with protecting the supply chain.

It's a trade-off, unlikely to have a single, generic best answer.


> This anti-consumer behavior on behalf of companies

I strongly disagree with this. I see no way to rationalize that a company should be responsible for ensuring that counterfeit devices work correctly by releasing drivers that are tolerant of them or do not stop them from functioning. FTDI's products are the combination of their hardware with their drivers. Both are required in order to delivery functionality and reliability to meet their specifications.

Imagine your drivers are used in some sort of a critical application and a counterfeit device causes a failure that, in turn, causes harm to someone. An example might be a wired remote control for an industrial machine. It seems to met that bricking that device as soon as possible before harm is done is what we would want from a company that delivers a quality product.

Another way to put it is: Let the counterfeiters engineer a real product and be responsible for their own drivers, quality and safety.

The way to see clearly through some of these problems is to extend the definition towards extremes. Let's forget FTDI for a moment and generalize the problem to a microprocessor and a vendor-provided RTOS used to run the flight system of an airliner. This is a contrived hypothetical, forgive me for taking artistic license.

Imagine counterfeit processor make it into the supply chain. Should the avionics OS do its best to work with every possible fake or should it brick it on power-up before that potentially dangerous aircraft gets off the ground?

Another hypothetical could be one where we eliminate hardware completely. Imagine someone creates a fake Amazon, Facebook, NY Times or online brokerage site. Imagine proposing that the real companies would be anti-consumer if they created software that revealed the impostors. I could not imagine anyone who would propose they allow the fakes to continue to deceive consumers.

From my perspective this isn't anti-consumer at all. It's as pro-consumer as you can get: You work hard to ensure quality, consistency, performance and reliability.

The real anti-consumers are the counterfeit manufacturers. They, quite literally, could not care less. All they care about is tricking engineers and consumers into thinking they are designing and buying a quality product when, in reality, they might be dealing with dangerous junk.


I agree that anyone who built a device and knowingly used a counterfeit FTDI chip deserved to be punished.

However, the FTDI debacle didn't punish those people, they're not the consumers. It punished end users who have no idea what an FTDI chip is or does or that one exists in the products they buy.

In your airliner microcontroller example, you have much more informed consumers. They could reasonably be expected to know what processor is in their hardware, and to want to validate it. That's not the same.

It would be more like a good packaging manufacturer finding that their packaging was being counterfeited and their proprietary plastic blend was somehow being leaked up the supply chain. If they changed their recipe to something toxic, but using good plastic internally, and when people started dying said "they should have bought potato chips packaged in genuine FoodSafeStuff bags". People don't know what their packaging is made from or who it's made by. They have no way to verify it prior to purchase, and even after purchase, it would take an expert to identify. And there's no customer loyalty based on the plastic bag, after the food manufacturer switches away from the counterfeit they won't be significantly harmed. But everyone who innocently bought those bags and got poisoned suffered real harm.


>People don't know what their packaging is made from or who it's made by. They have no way to verify it prior to purchase, and even after purchase, it would take an expert to identify.

For food, you can't change the game without prior notice, but if it is clear that faked goods are toxic, people would start buying from trusted providers themselves. For electronics, I don't see a problem. If a device is bricked, go to your dealer and let him replace it. He will do the same for his supplier, etc.

Somebody in the chain will discover that his supplier is a fraud. He will have to swallow the costs, but has learned a valuable lesson.

If people have brought the product from some unstable source, then they most likely got it cheaper and they are now paying the price for the increased risk they took. It doesn't feel good but I don't think that it is unfair.


The counterfeit FTDIs are ok. How drivers are created is a much bigger problem, the windows model specifically where hardware takes a long time, if ever, to be included in the default installation.

Getting hardware to just work on windows was a mess (not sure if they have corrected this).


@LeifCarrotson

You are making the mistake of taking a hypothetical and arguing against it. These are contrived examples designed to communicate a concept rather than an absolute reality that one should argue against.

I'll just say that it is very common to see comments relating to hardware issues on HN from people who obviously don't have experience building hardware at scale. And so, it is hard to discuss these things due to the asymmetry of knowledge and experience.

Any non-trivial hardware development and manufacturing operation has or should have professional supply chain management. It is their responsibility to ensure they build product as designed by engineers. If the hardware engineer specified an FTDI chip he or she did not mean "anything that is labeled similarly to FTDI". No, they meant to design in an FTDI chip. Anything else could fail or perform differently at any time.

Blame for the bricking of devices given a change of driver code isn't with FTDI, it is with whoever manufactured the product that was supposed to use FTDI chips and did not.

Let's also mention the very real potential for someone knowingly using clone chips in order to save money.

It is preposterous to charge the chip manufacturer with this responsibility.

There could be many tentacles to this kind of an issue, but the manufacturer ensuring that their drivers only work correctly with their chips isn't anti-consumer at all, quite to the contrary.

Yet another angle: The crappy clone manufacturer --who could not care less about the consumer-- make a bad chip and it is the responsibility of the legitimate manufacturer to write the drivers and ensure it works well? In what alternate reality is that reasonable or required?


You are talking about compatibility but the FTDI case was a case of the company intentionally shipping malicious code used to brick the clones, no? Quote from article: "the latest driver bricks the fake chips, rendering them inoperable with any computer"


Well done. They have the absolute right to create drivers that only work with their products in order to assure quality, performance and function.

Fault is at the feet of the clone makers and those who used clone chips, not the legitimate manufacturer.

I am actually astounded by some of these responses. However, I do understand that they likely come from a lack of experience delivering hardware products at scale, and so I can't fault people for getting it wrong. Hence my favorite quote:

"A man holding a cat by the tail learns something he can learn in no other way" --Mark Twain


No one is disputing that "they have the absolute right to create drivers that only work with their products in order to assure quality, performance and function." - that's a given.

Would you say that they also have "the absolute right to create drivers that sabotage counterfeits of their products"?

That's a different argument. You could argue that they should have the right given that (elsewhere you have argued) their governments have abrogated their responsibility to protect their IP. And that would be an interesting and compelling argument. But it's entirely different to "[having] the absolute right to create drivers that only work with their products in order to assure quality, performance and function." - and it would be disingenuous to keep arguing that.


What part of:

> the FTDI case was a case of the company intentionally shipping malicious code used to brick the clones

don't you understand? FTDI does indeed have the absolute right to create drivers that only work with their products, but to intentionally damage a third party product so that it no longer works anywhere else, including with that third party's drivers, seems egregious.


There are two issues here, and they are separable.

One is the issue of intellectual property theft and what a company has a right to do in order to protect itself.

FTDI invested massive amounts of money to produce excellent solutions for a number of problems. I have personally been using their chips in my designs for over twenty years. I don't even remember when I started, it's possible it was at the very start of their history.

The fake chip makers --mostly in China-- steal intellectual property with impunity, hurting companies, ecosystems and costing job. In some cases they have completely imploded companies in the West.

We can either accept this at our peril or take a stand against it. The only people who are OK with intellectual property theft are those who don't understand the subject or haven't lived it.

My experience? I've had the experience of mortgaging my home to fund a business and then watch a company out of China clone my product and bring it into the US and European markets at half my price. I can't even begin to describe what this did do my business, the people who worked for me, my family and my health. I didn't lose it all because I am a resilient SOB, but it put me in the hospital twice in four years due to the stress.

It's really easy to voice opinions from behind a keyboard when the consequences of said opinions carry no personal consequences.

A company like FTDI and their products did not materialize from nothing. There are people, families, investment and hard work behind such offerings. Clones are not a victimless crime.

The other issue, of the two that I said were separable, is the damage to consumers due to fake chips being bricked by FTDI.

That, in my mind, is a separate matter and a very complex one at that.

There are at least two angles to this one. The first is that the hardware they were using was intentionally made with fake FTDI chips. This is likely the case for most cheap hardware coming out of China. If that garbage doesn't work it is 100% the responsibility of the designers of the hardware. They are thieves. Plain and simple.

If, on the other hand, the designers of the hardware had no idea and fake chips got into the supply chain, the problem is far more complex. At that point it is a question of tracing the supply chain in order to understand, if possible, how it happened. I won't go into the many permutations this could put on the table. Suffice it to say that anyone dealing with China knows full-well what they could be in for. Caveat emptor applies in the case of the OEM.

This is where the problem becomes far more complex and it becomes political. It is our politicians (US/Europe) who allowed us to come to a moment in time where an entire country is openly stealing intellectual property at almost every layer in industry as well as freely distributing it across the world with impunity. This is a far larger problem than a bunch of USB devices getting bricked because a company in Europe decides to defend themselves from what must be a massive loss of revenue of unimaginable scale. I can only imagine what FTDI could be, the people they could employ and the technologies they could develop if fakes could not exist in the market.

Counterfeit products have real and non-trivial consequences to entire societies and their existence should not be taken lightly.

I don't have the solution to this problem. Sadly, it's political. What I do know is that I'll be damned if I am going to blame the victim.


> The only people who are OK with intellectual property theft are those who don't understand the subject or haven't lived it. //

Perhaps you think it strengthens your argument to use a miscategorisation that both you and most of your readers know to be a false equivalence. It does not. It shows you're happy to ignore the truth in order to cast those you disagree with as criminals; or, you're ignorant, which I doubt.

You don't need to be happy with IP infringement in order to be not-happy with corporate (group A) [criminal] destruction of the property of others (group C) based on tortuous infringement of a third party (group B).

Not to mention that IPR goes against an established culture in the country of some of the infringers (group B).

TRIPS Art.35 requires IC circuit layouts to be protected for 10 years (as in 17USC S.904), IIRC. I don't know Chinese law though, perhaps IC related IPR has lapsed for the chips in question?

The OP headline chip is 20 years old (edit: I had the date wrong). Counterfeit, trademark infringement, is wrong of course.

>What I do know is that I'll be damned if I am going to blame the victim. //

You seem happy that one of the victims, the unwitting purchaser of an item having an copied FTDI chip in it, gets punished? In preparation of the sui generis IC mask rights the USA senate committees apparently were careful to ensure that users - "innocent purchasers" they're referred as - could only be punished by paying a royalty and that devices would not be destroyed or confiscated. That seems balanced and avoids punishing victims beyond what is reasonable.


Thanks for posting a constructive fact-based comment.

The question of who the victim is under the FTDI scenario is a really interesting one and likely one that is difficult to resolve with absolute certainty. By this I mean that the consequences of various permutations of potential and actual actions require the benefit of time in order to fully grasp. All we can do is attempt predict outcomes based on experience, knowledge of technology, markets, and, of course, the bias every human being brings to the table.

It is important to note that FTDI devices don't just exist in Windows PC's. They are part of a wide range of products covering an unimaginable range of applications. Defects in clones, therefore, can have an equally large and unknowable range of consequences.

In my case I see two scenarios.

The first is what took place: FTDI was forced to retreat, effectively allowing millions of clones to exist unencumbered and without suffering any financial or legal consequences.

On first inspection forcing FTDI to back off was a pro-consumer stance. The victim, in this line of argument, was the consumer and FTDI --to be dramatic-- was the evil greedy corporate actor wanting it all. How dare they!

It is interesting to note that in this narrative the true criminals, the counterfeiters, never seem to be characterized as the culprit, when in fact, they are. It is easy to demonstrate that the marketplace would be safer without fakes.

This, BTW, applies to any product category, not just chips. Simple example: Fake dog food that could potentially kill your dog because the producers don't really care and have no responsibility or accountability to society, whether it be legal or moral.

And yet, if you analyze this scenario, it is also easy to demonstrate that the actual long term outcome is precisely opposite to the desired outcome (protecting the consumer).

How?

By forcing a retreat at such a high level (FTDI devices are everywhere) the message was clear: Counterfeit chips got away with it, will get away with it. Legal and market forces only care about the here and now and will force legitimate companies to not interfere with counterfeiters.

One might say "Nobody issued a statement even remotely resembling what you just said".

True. Nobody ever does. We are defined by our actions. Society and individuals. In this case society cared more about immediate effects rather than the promotion and maintenance of a healthy ecosystem based on laws and regulations that, among other things, respect intellectual property and ownership rights.

The net result of taking this path is easy to predict: Nobody is ever going to challenge counterfeits because of the way the marketplace --due to shortsightedness-- pushed back on FTDI. Nobody wants to be the focus of a mob.

And so we are now in a situation where consumers, because of this path, will remain the victims for decades to come. Today, they, quite literally, have no idea what's inside the devices they purchase and legitimate hardware manufacturers dare not challenge counterfeits for fear of what the mob might do.

This is, at least to me, a clear case of good intentions not thought through to completion actually causing more damage to consumers in the long term in exchange for a short term benefit. This is why I think it was a terrible decision not to take the pain, support FTDI, repair/replace devices and send a strong message to counterfeiters that they risk going bankrupt rather than the opposite.

Part of that encapsulates the second scenario, one where counterfeiters are not allowed to derive financial gains from their operations. That would have been the true pro-consumer stance. And one that would have delivered a future where consumers could have a reasonable certainty of quality, safety and performance from the products they purchase.

I am not going to lay the entire responsibility of the counterfeit problem on the FTDI event, that would be preposterous. However, this was a very clear cause-and-effect case where one choice was to punish counterfeit makers (and the companies who knowingly use their products to increase profits) and the other was to think consumers were being protected by pounding down the legitimate manufacturer when, in reality, the outcome was precisely the opposite when a long term view is taken.

I can't imagine anyone making an argument proposing the unencumbered proliferation of counterfeits (anything, not just chips) is good for consumers. I think what was done with the FTDI case was extremely shortsighted and damaging.


I too thank you for your greater elucidation of your position. I disagree in some key areas.

In brief, that products are necessarily worse if they're fake; that societies approach should conform more to your model rather than being more liberal (in all except trademark infringement).


I don't think it's productive to go around saying "an entire country is openly stealing intellectual property" here any more than citizens of other countries saying the same thing about US as a nation and personal data. IPR is a contentious field of intl agreements band there are no moral absolutes. But damaging physical property is pretty clearly unlawful in most jurisdictions.


[flagged]


breadth*

Wouldn't have corrected you if you didn't make the gasping for air pun with the typo.


Since you are blindly defending FDTI and blaming the designers, let me add another crucial detail that might change your mind:

A lot of fakes were distributed through reputable sources as originals. So you could for example build a medical device using expensive original components from digikey, only to see it breaking in the hospital for no apparent reason.

I bet people have _died_ due to FTDIs actions.


> A lot of fakes were distributed through reputable sources as originals. So you could for example build a medical device using expensive original components from digikey

Medical device manufacturers would want both certificates of conformity and traceable parts. They'd want these if they built the product themself; they'd specify this if they got a sub-contract manufacturer. If the component supplier can't offer traceability back to the real manufacturer you'd probably want to buy from someone else.

https://www.jjsmanufacturing.com/blog/traceability-in-electr...

I don't think bricking the devices is the right thing for FTDI to do. The consumer friendly thing to do is give warning and an FDTI contact email to report the product so FDTI can talk to the manufacturer.


The problem is that these devices came from legitimate sources with the right paperwork.


I find it hard to believe that anyone got traceability information with these fake devices.

I can't understand how a component supplier would comingle their traceable stock.

EDIT: since this is getting downvotes.

A component supplier would destroy customer trust if they supplied fakes with traceability certificates. It would mean anyone building for aerospace or military or medical or mining or etc etc (all large, multibillion dollar industries) would have to avoid that supplier. So what's in it for the component supplier?

I accept the fakes are common. I accept people bought fakes from reputable suppliers. What I don't accept is that people bought fakes when they asked for traceable components. I don't accept that companies buyign direct from FTDI got fake components.


You are getting down votes because of the disconnect between those posting comments of voting and experience in the domain. The gap is massive and very visible. I have yet to see anyone come online to say "I make a million widgets per year and fake chips are not a problem at all". Easy for keyboard warriors to have an opinion without ever having had skin in the game.

They raise truly legitimate first approximation concerns about damage to consumers without understanding the long term damage to, again, consumers is far greater when a hard stance isn't adopted on fake hardware. It's the satisfaction of "doing the right thing" in the one case (FTDI) at the expense of never again being able to protect consumers from fake devices by disabling them if identified.

Counterfeiters continue to exist because they are allowed to make money. Stop their ability to profit and they will evaporate as quickly as they popped up. That's what everyone is missing, it's this feeling that the consumer was actually protected by forcing FTDI to pull back when, in reality, the mob created lasting damage to the safety, security and quality of consumer electronics products until someone else has the intestinal fortitude to make a stand, which, given the ferociousness of what is social media today could easily take decades.

Not only is it it a lack of understanding of how the electronics supply chain works, it also represents a lack of understanding of how the economics of fraudulent products works and how it is affecting people, companies and jobs globally.

We need to get very serious about intellectual property protection or Europe, the US and the world will be converted into nothing more than service and agrarian economies in a matter of decades.


> I bet people have _died_ due to FTDIs actions.

I'll bet that's an exaggeration. If you are going to say something like that you have to back it up with data.

I could just as easily make the claim that people have died due to fakes. We can do that and go round and round a silly pointless circle.

The problem of fakes is real. And it is likely very much political (addressed in another comment). What is is NOT is the legitimate manufacturer's fault, even if they defend their existence by refusing to allow fakes to function with their drivers.

Fake chip manufacturers are perfectly free to do the required R&D, issue and support their own drivers. However, they are thieves, and prefer to steal rather than do the hard work and take the risks their victims undertake.


> if they defend their existence by refusing to allow fakes to function with their drivers.

I don’t think anyone is arguing that FTDI has to let those chips be supported by FTDI drivers. I believe that intentionally sabotaging devices that have clone chips in them (such that they won’t work even once disconnected from the computer running their driver or that the device will be damaged simply by plugging it into a computer with that driver) goes well beyond simply “refusing to allow fakes to function with their drivers.”

That’s not OK, IMO.


> I strongly disagree with this. I see no way to rationalize that a company should be responsible for ensuring that counterfeit devices work correctly by releasing drivers that are tolerant of them or do not stop them from functioning.

There's a difference between not taking steps to ensure counterfeit devices function, and purposefully causing hardware to fail on a remote system. For example, I'm pretty sure purposefully causing the problem is illegal, if the user didn't request it, as it seems the same as hacking to me.

> Imagine counterfeit processor make it into the supply chain. Should the avionics OS do its best to work with every possible fake or should it brick it on power-up before that potentially dangerous aircraft gets off the ground?

Refusing to function is acceptable. Bricking the hardware is not.


>Refusing to function is acceptable. Bricking the hardware is not.

In some/most cases there is no difference.


Intend is 99% of the law (and commonly understood ethics).

That's why you can kill someone and be either glorified as a war hero, hanged by a jury of your peers, or ordered to retake your driving exam.


> I strongly disagree with this. I see no way to rationalize that a company should be responsible for ensuring that counterfeit devices work correctly

They destroyed devices that worked perfectly well, but maybe (or maybe not) had a fake FTDI branding on a chip inside the device.

Even the manufacturer may have been a victim of commingled inventory. For this reason I stopped buying anything with FTDI in it, because I didn't want to take the chance it would be bricked because the smalltime seller on Tindie.com bought from a bad supplier.

I would hate to think what you would have Apple do to Hackintosh hardware.


> I would hate to think what you would have Apple do to Hackintosh hardware.

You are looking at it precisely backwards. The key question here goes something like this:

Is Apple responsible for ensuring that fakes function correctly as it issues software updates for its own hardware?

In other words, just because someone decided to make a Hackintosh or a fake iPhone is Apple now instantly saddled with having to support this hardware for the lifetime of the fake products? And this is the case whether there's just one clone or 100 different variants?

As I have asked others, in what alternate reality does this make any sense?

My guess is that none of you have ever designed or manufactured hardware products at scale and don't fully comprehend the implications of what you so vehemently believe. No hardware manufacturer would ever take the side of having to ensure fakes work correctly; this would be sheer insanity.


Nobody's complaining that FTDI didn't make their drivers compatible with counterfeit hardware. They're complaining that FTDI deliberately took actions in their driver code to damage any supposedly counterfeit devices that were plugged into a system.

To use your example, imagine if Apple released an update to iOS that would scan any jailbroken iPhones on the same network, and if it detected one, would use a backdoor to send it malware that wipes the device's bootloader.


One bad example after another. Why is this so hard for folks to grasp.

The proper example would be fake iPhones made in Switzerland sold in the US as through they were real iPhones. If that's the case, then, YES, Apple would be right to brick them with an update. Absolutely.

I ask again: In what alternate reality would Apple be required to allow fake iPhones, look the other way and just let them be?


Your example is also off, because we’re talking about an internal component rather than an entire device. If a repair shop doesn’t use a Genuine Apple replacement screen, does Apple have to support it? No. Is going out of their way to physically destroy these replacement screens anti-consumer behavior? Yes.

A key point here is that it’s impossible for the malicious driver to know what representation the seller made to the consumer— the presence of a nonoriginal part doesn’t necessarily mean there was any fraud involved.

Edit to add:

> ... fake iPhones made in Switzerland sold in the US as through they were real iPhones. If that's the case, then, YES, Apple would be right to brick them with an update. Absolutely.

Only after obtaining a court order to that effect. Destroying someone else’s property without due process is generally not acceptable, regardless of how right you are. To step away from technology for a moment, is it ok for a glassmaker to go around town breaking windows because they’re allegedly made with counterfeit glass?


Read my comment about how there are at least two separable problems in this issue. Perhaps then my position will make sense to you. Continuing to argue through hypothetical examples is pointless, it's getting sillier and sillier and farther away from key issues.

Counterfeit goods is not a victimless crime. It costs jobs. It costs progress. It costs entire industries. Don't blame the victim. Consumers just happen to be caught in the middle of what, at the end of the day, is a political mess.

One could argue consumers are the victims of politicians and their terrible policies. That's where this gets complicated and we could end-up understanding that the FTDI problem has its genesis a decade or two ago.

I mean, what's FTDI supposed to do? Shut down and let the fakes take the market? What would happen to quality, reliability and support then? A business like FTDI doesn't run on pink unicorns. If fakes destroy their market they are out, a bunch of people lose their jobs and good luck with support for any chip or predictable performance and quality from anyone.

The choices we make have consequences in the short and long term. This is just a microcosm of what the world has allowed China to get away with.


> I mean, what's FTDI supposed to do?

I’m not saying that FTDI or a similar company should sit idly by, but the vigilante justice you’re advocating leads to bad places. We have customs enforcement to stop goods at the border and a court system to deal with internal disputes; use them.


> I ask again: In what alternate reality

In that alternative reality where, for example, mobile phone carriers are required to allow 911 calls even if your account is otherwise locked because you fraudulently paid with someone else's credit card.


[flagged]


In this entire thread, you seem to be misinterpreting "fake chips are bad, but FTDI shouldn't brick them on purpose" as "fake chips are good, and FTDI is bad".

That is why you are struggling to understand what everyone else is saying.


No, I think his point is that fake chips win by default if nothing can be done to disincentivize their manufacture and use. Law enforcement isn't cracking down on fake chips. So what else is FTDI to do if they're to survive as a business? You are fixated on what's best for the consumer in the short term, but the long term consequence of that could be that FTDI goes out of business and can't support any chips, fake or not.


I have no problem with FTDI making their Windows driver not work with clone devices, but leaving that device undamaged and working once removed and plugged into a different machine.

That is a reasonable action and would be enough to cause at least one more round of cat and mouse with the clone makers, putting a massive dent into their economics.

If they’d done that, it might have given FTDI a positive reputation (like the top brands of Taiwanese capacitors) instead of this self-inflicted punch-in-the-face.

I’m just a hobbyist (50-100 boards/year) and so don’t matter to FTDI economics, but CH340s go in my devices now because I don’t trust FTDI at all.


You don't have to like it. Just because you don't like it doesn't mean that it isn't ok for FTDI to do it, or that it's a bad business decision for them.


It seems that FTDI might agree it was a bad business decision, given they reversed their bricking driver in favor of one which returned “NON GENUINE DEVICE FOUND!” as output (which is totally fair play, IMO.)


Let's work through this example. You're a manufacturer of devices using FTDI chips. You make an emergency system for airplanes which e.g. releases breathing equipment, or life rafts, or similar. Or a backup avionics system. Due to a supply chain slip-up, a small number of counterfeit devices slipped in.

An emergency comes up, and the instant the emergency system comes up, it turns out to have been bricked. People die. Is this a good outcome?

If I were a manufacturer, I'd want to know about this ASAP. Would I want devices to stop working? Especially the examples you gave where people's lives are on the line? Absolutely not. I'd want them to work as well as possible until a replacement can go out.

Pro-consumer would be a pop-up letting the user know they received a counterfeit devices. I can then contact whoever sold me the device, and ask for a replacement. During cross-shipping, I can keep working. Anti-consumer is having my business trip and fall on its face when all the pen tablets which allow people to work from home are bricked during a pandemic.

Of course the counterfeit manufacturers are the bad guys. But FTDI is a company I'd never do business with either. If I'm an FTDI partner, and I got the wrong product, we were both cheated. I'm no more at fault than FTDI.

Should FTDI smack me and my customers upside the head for it? Well, that means we're not really partners.


You are making the mistake of arguing against a hypothetical. It's just a fabricated example to convey an idea, not something to argue against. As an aerospace engineer I assure you that sourcing components for aerospace isn't as simple as your hypothetical to my hypothetical.

> Pro-consumer would be a pop-up letting the user know they received a counterfeit devices.

This from driver code?

The party at fault here is whoever sourced the devices. If the design engineer called for FTDI and they put in FunTDI instead, well, they didn't build what they were contracted to build. Period.

Something as simple as a driver revision to, for example, improve performance, could break a fake chip. Is the legitimate manufacturer supposed to now be aware of every fake and design their drivers forever more to ensure fakes work perfectly? C'mon, that's preposterous.

If I design a board and someone decides to use a cloned version in their machine and somebody gets killed because of a software update I can assure you that the case wouldn't even get to court. The instant it is discovered that the board was a fake the entire thing would be thrown out. There is no way anyone is going to hold the manufacturer responsible for ensuring that clones work property. That is not what they are in business to do.


About 7 or 8 years ago I built an internal testing system used to test a satellite payload which used a microcontroller board from a reputable manufacturer, purchased through a reputable electronics supplier.

When we updated the ftdi driver, the board was bricked. Fortunately the system was still in development so we found a different board - it was only a bit of pain.

However, if that system had been shipped (as it was 6 months later), that board being bricked could have had much more significant ramifications. It would have caused a slipped schedule and tangible costs.

What should I have done differently?


You would have to explain the degree to which parts were traced, certified, tested, etc. If you simply trust the supplier and distributor anything could happen.

I mentioned in another thread that we had one of the top two US electronics distributors knowingly ship us low "B" grade components many, many years ago. These components were in allocation and an enterprising young man at the distributor thought he would be smart and ship us a lower qualified component instead of what we ordered. That was twenty years ago or so. It cost our company dearly, nearly took us out of business.

This was that learning moment for me and it changed my approach to sourcing as well as the level of trust I grant anyone providing us with components. I will never put anything into a design where an illegitimate or lower grade component could jeopardize the safety, reliability or operation of the system.

At some level this is what engineering is about, isn't it? It's that old "Trust but verify?" concept.

We are working on industrial, flight (aircraft) and space (lunar) projects at the moment. No component will go into any of these systems without full knowledge and verification of its origins. This is true for individual components or contracted sub-assemblies.

BTW, this issue of failures being caused by not verifying components isn't anything new. The history of engineering is full of examples. One reasonably recent example of this happened to SpaceX a number of years ago:

https://www.space.com/29994-spacex-rocket-explosion-cause-fa...


No. This is not what engineering is about. Engineering is about making reasonable design trade-offs. Simply throwing dollars at a wall without doing an ROI estimate is called overengineering, and overengineering is bad engineering.

For reliability, where that trade-off sits depends on the application. Aerospace, medical, consumer electronics, and disposable toys will sit in different places. If I lose a mission to Mars saving $100 on part which had a 5% chance of failure within a year, that's very poor engineering. If I include that same part in a $3 toy, bringing the price to $103, that's equally poor engineering.

Whether I trust or trust-and-verify depends on how much the "verify" part costs, how strong my trust is, and what the costs of failure are. Normally, the ROI calculation is easy; capitalist markets work well for this. I can ballpark expected costs.

When working with a customer like the government, the boundaries might be a little bit distorted, since the customer is process-oriented. The government might have a hard salary cap which makes it impossible to bring in qualified engineers, and I might take 3 years with a team of 5 people at $100k to do what one person at $300k could do in 6 months. At the same time, I might have hard requirements on process, such as origin-tracing every part.

The danger is when that becomes in-cultured and spills over to other places. If I'm working for the government, I'll follow government processes, and I understand why those are there. But I won't confuse those processes with good engineering. Once people do, they become poor engineers.

If I've shipped a toy which unwittingly has thousands of fake parts which I thought you made, we'll both have been cheated, and I'll expect you to solve that with me cooperatively. If you hack into my product and brick it, even if you were legally in the right (and you're not), you've lost a customer. That's bad business too.


Your hypothetical was lousy, I agree, but if you're going to hinge your argument on a lousy hypothetical, I'll push back on that hypothetical.

To answer your questions:

(1) Yes, driver code can do things like this. If you don't believe me, buy an HP printer, and see the driver code pop up all sorts of advertisements, deals, and other crap. Driver code has access to your system's low-level internals. From there, it can do whatever it likes.

(2) The parties at fault here are multiple. One of the keys to building robust systems is to understand failures can take place anywhere in the system. In medical device, the terminology is "single point of failure." If one failure can kill a person, a medical device won't be certified by the FDA. In the same way you want the hardware to be tolerant of a single-point-of-failure, you want your organizational processes, logistics, etc. to also be tolerant. Mistakes will happen, and when they do, people shouldn't die.

(3) No one would hold FTDI responsible for making sure clones work properly. Plenty of people would hold FTDI responsible for intentionally attacking my hardware because I had a clone, if things go wrong. Two wrongs don't make a right. There is plenty of case law around this. Here's a nice chain for you to go down to get you started:

https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootk...

https://www.cs.uaf.edu/~cs393/CACHE/Wired_RIAA.pdf

If FTDI's drivers stop working with my device incidentally, they're not responsible. If they intentionally brick a piece of hardware I own, for any reason, including believing I violated or contributed to a violation of their IP, that's a pretty clearly digital trespass under CFAA.

Would I pursue FTDI for breaking a cheap consumer device? That's not worth anyone's time. Had it, as in your example, killed someone or took down a planeload of people, you can bet your butt there would be both civil and criminal prosecutions for stuff like that.

(4) Any regarding supply chains, whenever I've done this, I've worked for small companies that wanted to keep logistics simple. We'd try to make sure complete designs could be sourced from one distributor (usually Newark, sometimes Digikey). And no one had resources to do any kind of tracing of parts. I understand that's done in aerospace, but that's not done in hardly anything else.

If there's some mixup in the supply chain, and I've shipped a thousand consumer widgets with a bad FTDI chip, FTDI should go after the parties responsible: my distributor, and the pirate company. Not me. Not my customer. And it should do it properly through the legal system and pursue damages, not break devices vigilante-style.


You're presenting this as a binary choice:

a) > company should be responsible for ensuring that counterfeit devices work correctly

or

b) > bricking [the counterfeit] device as soon as possible

The answer is almost always c) let it be, if it works fine, if not, not your problem.

Adding any kind of bricking code anywhere, unnecessarily introduces the possibility that it will be unintentionally (or maliciously) activated. Personally I don't have that kind of confidence in software or the people that write it (and I am one of those people)


Here's another choice:

Go ask the manufacturer of the fake chip to support it with their own driver.

Really. As a hardware manufacturer, if you use a fake version of my product and demand that my software work with it you will hear the loud sound of the phone being hung up forcefully.

The legitimate manufacturer can do anything it wants with the software and their hardware. If someone wants support for fakes they can provide it themselves.

We are talking about encouraging or tolerating theft of intellectual property here. Having been the victim of this I am quite sensitive to the idea.


Your last comment brings this quote to mind:

> It is difficult to get a man to understand something when his salary depends upon his not understanding it.

No one is suggesting encouraging or tolerating theft of intellectual property. People are _discouraging_ vigilante justice against IP thieves.

In this instance, because it harms consumers (an innocent party).

You're arguing against strawmen when you claim that people are arguing for FTDI to support these chips. Instead what people are arguing for is for FTDI to not brick them _intentionally_.


If you really take the time to think it through you should conclude that the forcing FTDI to back off is actually as anti-consumer as you can get. It guarantees long-lasting harm to consumers as counterfeiters now know they can continue to push their devices --of any kind, not just FTDI-- without suffering any consequences.

In other words, when viewed with a long term perspective the mob actually succeeded at protecting the counterfeiters rather than consumers.

That's what people disagreeing with my perspective are missing in this argument.

Show me a legitimate scenario where giving counterfeiters a free pass leads to long term (decades) protections for consumers and there might be something to argue about.

My quote is far better, BTW:

"A man holding a cat by the tail learns something he can learn in no other way" --Mark Twain

Most everyone voicing opinions on this thread has zero experience manufacturing products at scale and perhaps even running a non-trivial company. Nobody has held any of these cats by the tail and yet everyone seems to think they understand market and business dynamics.

As my wife puts it (she is a doctor): A google search isn't a medical degree.


Why are the two options you present either to a) fully engineer and qa the driver to work with every possible counterfeit, or b) to insert malicious code to brick counterfeits? Seems like kind of a false dilemma.


There are a bunch of permutations, sure.

What you are calling "malicious code" could --and likely is-- quality control code.

The fact that fakes fail isn't the responsibility of the legitimate manufacturer.

I don't know how many hypothetical examples I have to concoct to drive the point home.

OK, here's another one. Fake Tesla. The real Tesla writes code that bricks the entire fake car. This is 100% pro-consumer. The fake Tesla could literally kill people.

What you guys are arguing for is that Tesla should ensure that fakes are able to function. And, at the extremes, that Tesla is responsible for their proper function and safety.

Think about that for a moment.


Sure, and fake Tesla just happens to be bricked while it's driving in the fast lane of a motorway, or is accidentally bricked because a bug triggered the kill switch. Think about that for a moment.


...and it never occurred to you that a hypothetical is just a thinking tool rather than an absolute.

OK, I'll play your game. The car would not turn on after being parked somewhere for four hours. Only an idiot software developer would brick it at high speed on the Autobahn.


That's what FTDI did though. They pushed the malicious bricking driver through an automatic Windows Update to systems already running in production, no? That's pretty much the equivalent of going at high speed on the Autobahn.


I really don't know how Windows' automatic upgrades work, but I would be baffled if an UART driver was updated on-the-fly while it's being used.

If I receive constant 1Mbps stream, the PLL doesn't even have time to stop/start? Or drivers are supposed to handle upgrade hand-off? Sounds crazy complicated, and I don't see the point of such a feature


Even if a reboot is involved, we're talking systems in production hooked up to live equipment.


It is impossible for the FTDI driver to reliably determine if a chip is counterfeit. The difference between a counterfeit and a compatible part is trademark violation, and that can only be detected by looking at the physical packaging and the marketing materials.


You are advocating willful destruction of property. Property that is neither yours nor FTDI's. This is illegal, and broadly considered bad taste.

A counterfeiter commiting crimes against FTDI does not excuse FTDI committing crimes against a third party (i.e. the consumer). The world being safer without the counterfeit products also does not excuse the FTDI destroying things that aren't theirs. The justice system being ineffective at addressing counterfeiters is also no excuse for FTDI to take matters into their own hands. Vigilante justice is usually illegal.

Programmers make mistakes. A bug in your counterfeit detection code may end up destroying legit products. In addition, you can not be sure destroying a product will be safe - if the chip is in a medical device, you might be killing someone. The entire idea of destroying a product without explicitly being told to do so is fraught with peril.

You deal in false binaries. The third, imo correct, option is for FTDI to design software that works correctly with their own product, and spend no effort on the counterfeits - neither to get them to work correctly, nor to brick them on purpose.

A fourth option, if you want to spend some effort on something other than destruction of property, is to take option three, and also alert the user that they are using a counterfeit chip with unpredictable behaviour, and in your airplane example, advise the user they should probably not take off. If you want to be pro-consumer, this is a better way to go about it than smashing their stuff.

From the consumer's perspective, they had a working device, and a firmware update bricked it on purpose. It is possibly out of warranty, in which case they end up footing the bill (or experiencing frustration) for replacement and downtime. It takes Olympic levels of mental gymnastics to view that as 'pro-consumer', imo.


Some hours later, reviewing all responses...

The primary counter argument to mine requires an inversion of responsibilities and ascribes criminality to the victim.

Devices got bricked because counterfeiters committed a crime in the first place.

Along the same lines, there are supply chain questions that are impossible to answer:

How many of these device manufacturers knowingly used fake chips because they cost less?

How many distributors knowingly shipped fake components because, again, they cost less and delivered higher margins?

How many device manufacturers were true innocent victims who did not know fake devices had been substituted for the real thing?

How many failures of import controls led to consumers receiving devices with fake chips?

I have had the experience of having major US electronics parts distributors knowingly substitute defective --yet genuine-- parts instead of the top grade parts we ordered. The effect was what the hardware sector generally refers to as "infant mortality", where your hardware fails early or becomes unreliable due to substandard components.

It took months for these effects to come out into the open and for the major US distributor to own up to this against the threat on our part of legal action. Not only did they replace all components with legitimate top grade parts, they also paid the costs involved in replacing the affected systems for our customers.

My guess is that the context lacking most, if not all, who disagree with my position perspective that comes from having "skin in the game" in the domain we are discussing.

The knee-jerk reaction is to think bricking these devices is bad for consumers, as if that would have been the end of the story. No, in a properly functioning economy and legal system this would and should lead to tracing through levels of responsibility as far as possible, with consumers being made whole with properly engineered and manufactured devices.

The end result of forcing FTDI to not protect their product from counterfeiters is that not one consumer today can be assured the devices they purchase has quality reliable parts that will function according to specifications. A chip can, quite literally, go up in flames (I had this happen to me with a cheap Chinese device) because we did not support FTDI in disallowing fake chips from the market.

Sure, there would have been short term pain and a bunch of companies and suppliers fixing their pipelines and designs. Yet, we would have emerged with an above-average guarantee of quality and performance and counterfeiters thinking real hard before doing what they do.

Instead the feedback we gave counterfeiters is "you win".

And the result we obtained for consumers is "you lose, forever".

This incident extends well past FTDI. Because the mob won and forced FTDI to accept fakes it now means nobody is going to take similar steps towards protecting their products. Which, in turn, means counterfeiters know they won and know they can get away with it. Consumers, once more, lose, big and in unknown ways.

We are swimming in a sea of fake products. The only way to stop this is if fake products become losing propositions for producers, suppliers, manufacturers and consumers.

I mentioned I had a chip go up in flames. A while back I bought a little humanoid robot directly from a vendor in China. One of these things with 15 to 20 servos and, typically, a mobile phone class processor powering it and the touch screen on the chest. I bought several of them as part of a business venture.

A couple of days after receiving them one of my kids was working with it on the table in the garage. As the robot walked, it failed to take a step and fell. It just planked onto the table, a 90 degree rotation from the toes, nothing too dramatic.

In an instant flames were shooting out of the chest. Flames, not smoke. Since we were in the garage it was an easy matter to open the door and toss the thing onto the driveway.

Upon inspection we found a crater at the center of the ARM processor on the main board. It failed and took a bunch of other parts with it.

I contacted the company and very specifically asked about the source of this processor. We were actually considering importing and modifying this robot in quantity for educational purposes. In other words, we had established an engineering relationship with this company, this wasn't a case of just another consumer buying their product.

They pretty much told me they bought the cheapest ARM processor clone they could source in China.

This was and was not a revelation to me. Having done business with China for some time, as well as having a number of friends and business acquaintances doing business in China, nothing surprises me any more.

The degree of supervision and cross checking you have to engage in when doing business with China is impossible for someone outside of manufacturing to grasp. It takes a lot of work to ensure safe products are landed in Europe and the US. When you deal with European or US companies this requirement almost disappears because you can generally trust they will deliver what they agreed to supply at the required level of quality.

Taking the case of this real product, this robot, as an example, it would have been far better if --through whatever mechanism-- the thing had been bricked by the processor manufacturer before it got into the hands of any consumer.

I cringe to think that this company likely sold tens of thousands of these units into homes and schools that could, due to fake chip issues and low component quality, go up in flames any time. We got lucky in that the robot ignited while we were there and under circumstances that were easy to control. This could have happened in the middle of the night and the story would have been potentially horrific.

Be careful to think that allowing consumers to be fed fake products of unknown quality and traceability equates to having a pro-consumer stance.

Due to this FTDI event it is likely consumers today have no clue what quality and safety has gone into the products they are using. This is not a good outcome. The right path would have been to take the pain of fixing the real problem and make consumers whole through both corporate responsibility and the legal system.

In other words, FTDI is a victim and consumers are now even larger victims because the fake chip content of their devices is likely to go well beyond a little USB chip. No way to know how far and wide this has gone. A clear case of good intentions actually causing more damage to consumers.

OK, I'm done. I don't expect to change anyone's mind. Just stating a perspective I think many don't have because they don't have practical experience at scale in the world of hardware manufacturing and support. If it makes even one person think this through, research and perhaps understand, I am satisfied.

Be tolerant of contrasting perspectives...you might just be wrong and not know it...or, even worse, one day you will be correct and the mob will dismiss you just as you have to others when you think you are right.

Tolerance is important. Don't punish, dismiss and ignore those who you do not agree with because one day that person could be you.


This affects temperature sensors/parts bought from un-official distributors like ebay or AliExpress, not digikey, farnel, etc. Perhaps I've been too lucky in my career and practiced EE for work, but who would you ever go to ebay instead of digikey?? <mind blown>

Digikey certainly has a premium, but their speciality is small numbers/cut tape/etc and they have a small order size which makes them ok for hobby work, and I've used them for small production runs when I didn't want to end up with a ton of excess materials.

Makes you wonder what other junk is out there, and what purchasing guy figured he'd save $10 and get it from ebay...?


I live outside the US.

Both Digikey and Mouser will charge me $20+ to ship anything (tried with a small capacitor). Farnell will let me put stuff in the shopping cart, then when I select "individual" as the customer type, tells me that they only ship to companies and redirects me to a "partner site" for individuals, which promptly fails to load (things like this have conditioned me to avoid official distributors). RS will gladly sell me 4000 of those capacitors.

For a hobbyist outside of the US, AliExpress is often the only realistic source aside from the local RadioShack equivalent which probably doesn't have what you need.


I hear you, and even in the US it is a problem in Hawaii and Alaska. I live in the former and just yesterday was look at a part that was 8oz total and the site added a $100 HI, AK surcharge on shipping!!! This is mostly a UPS problem as for many suppliers they give great 48 state rates but anything else is horrible.

Now I wouldn't mind this nearly as much if I could get the shipping rate upfront but it seems 80%+ of sites won't give you a real rate until you have almost completed check out which takes a lot of time. The funny thing is if they have a phone number you sometimes can get them to ship it more reasonably if their system has the flexibility to do that.

This is where ebay is a godsend as a lot of sellers will have the odd part around and work at having cheap shipping. But it is caveat emptor.


Somewhat unrelated, but how do you like living in Hawaii? I visited once and it was beautiful, but I'm not sure what it would be like living there long term.


A lot of the time, these struggles are invisible to those living in the US. It's similar with McMaster-Carr; typically an American hobbyist will ask why one would look anywhere else for hardware parts, not knowing that (at least for many years) they would only ship to corporate partners for orders outside the US.


Depends on the country of course.

Last time I made heavy use of Digikey was in Australia and it worked really well. I'd order on Thursday and it would arrive by ~Monday, which was pretty awesome. You're right shipping, I remember correctly, was $20-$30, but on $200 of parts it was a small cost.

But as I said, this was done in my professional life, so I didn't blink an eye at it. Hobby world I get is different, but also the cost is frustration as opposed to 1000s, 10,000s of badly built boards.


This is the situation https://raptorsupplies.com specializes in, Getting high quality parts at relatively small order sizes shipped easily overseas at reasonable prices


I am not sure what you suggest - I tried finding something random and trivial: a decent 100uf, 400v capacitor (needed for a switching power supply primary) - zero. z0107 (low powered triac, 600v, 0.8A) - nothing. bt134 (another popular triac) - nothing. BQ24735 (Battery charger control chip) - nothing. 2n7002 (N-ch mosfet)...

I can safely say the site is not usable for electronics. It returned valves, pipes,nuts - pretty much useless for anything in Europe, being non-metric.


I think they were talking about the McMaster-Carr situation, since that is what they generally supply.


Digikey has free shipping for any order over (I think) $50. If you're trying to buy an individual capacitor then of course they're going to ping you for the extra time taken to ship. No-one can make a profit sending a $0.20 part individually.

I've never had any trouble getting individual parts from RS either.


At least they're willing to ship to you. I can't order anything at all from these larger suppliers, most of them decided that my country does not exist (you can't find it in their lists). Of course, one can always order through an intermediary, with their 80$+ shipping.


Hmm don't know where you are but farnell has at least an european site and european warehouses that ship individual items locally.

Disclaimer: I only ordered full boards from them so shipping seemed reasonable. No idea about ordering one small capacitor.


> tells me that they only ship to companies

You often just need to fill that form entry, and not have any sort of official company. Things like Self, or your name again will work just fine. I have a fake company name that one day I'll need to actually register, but in the mean time is used whenever someone is willing to take my money, but not provide service without a company name.


Pretty much not applicable, as "company" requires a valid registration number for the invoice. Selling to individuals in the EU, outside the member state the company has been registered, is somewhat problematic. Currently it does require VAT to be charged at the recipient's country - unless the total yearly revenue from the said member state is low enough (say 35k euro). I have heard there are some 'discussions' (some EU commission) to ease the process but for now that's just rumors.

Flip note: US companies selling to customers in the EU do require EU VAT number as well.

Overall living in the US and applying the same rules/advice to people not living there tends to be wrong.


For someone in a country with VAT (e.g. Europe) this trick typically does not work since billing is different for companies vs. individuals.


I'd never expect to find these in official products from trusted brands, but off-brand crap? Oh yeah. DIY kits? Absolutely. The parts drawer at the makerspace? One hundred percent.

So much stuff on eBay is free shipping, that's huge when you only need a few dollars worth of stuff. If I could convince Digi-Key to lick a 55-cent stamp when I need ten of something, instead of charging me $7 for shipping, I'd have a lot fewer counterfeit parts around.


These show up in "trusted" Chinese brands too. Whenever you see a teardown where the markings are ground off a chip with obvious, non-trade secret function (USB serial converter for instance), its most likely a counterfeit that needs to have its fake markings removed to get past first world customs inspectors.



There will be no licking of 55 cent stamps. US stamps have been 100% self-adhesive since 2016ish.

The envelope is of course another matter.


Not to mention the obvious, but that glue isn't necessarily that great* for you either.

* allegedly of course.


Is this a Seinfeld reference, or something else I’m not understanding correctly? :)


the old fashioned glue is gum arabic... gum arabic sees more uses these days in food than outside it


I think this is about to change. The Chinese shipping will go up. A couple weeks ago, there was an article posted here about why shipping from China is so cheap, epacket[1]. Because of epacket, it was cheaper to ship from China than it was to ship to even within the same state for small packages.

A recent change allows the USPS to increase rates for epacket. It looks like the new rates will go up slowly, so shipping from China will still be cheaper for packages under 3 ounces for a few years.

[1] https://www.ecomcrew.com/why-china-post-and-usps-are-killing...


This. I buy a decent amount of hobby electronics from eBay and AliExpress because yes it is cheaper. When I need quality, Mouser, DigiKey, and McMaster-Carr are there for me. But the minimum $7-9 shipping is the main reason is forego them. I’d gladly pay 2x for small electronic components (vs directly from China options) if shipping wasn’t a problem.


For any serious person trying to develop a little bit beyond hobby projects: Think about an hourly rate of $80/hour for yourself. If you have to spend an hour trying to fiddle with subpar shady parts, you've already paid for the shipping 8 times over.

Also, it is painful to wait for these packages from China. Digikey ships same day and its at your door step in the morning (I overnight it) and if you use $7, it is usually 2-3 days.

Plus, you're supporting legit businesses and not the shenzhen market.

I can understand total hobbyist who cannot afford $7 shipping often. But even then, you can bundle all your parts and order once.

Any engineer who earns a salary can afford $7 shipping. If you're a business, there is absolutely no excuse to penny pinch here. You're losing money by using unreliable parts, if not now, at some point in the future.


> But even then, you can bundle all your parts and order once.

I fall for this trap every. single. time.

_HOURS_ spent racking my brain to think of all the things I might need in different scenarios, so I can be absolutely, positively, 100% sure that I have everything in that one single order.

... and end up placing 2 to 3 more orders before the project is done.


Hahaha I can totally relate. Always ends up being a few packages.


> If you're a business, there is absolutely no excuse to penny pinch here.

Most of these sites offer free shipping to trade accounts with no MOQ as well.

But also you want that customer service as a business. Mouser once sent me a replacement camera at work (university) because they supplied one with the wrong interface. No doubt we have a big order book, but I've had similar experiences with RS as a hobbyist customer - ordered tools which are not up to scratch or slightly out of tolerance - "just keep it, we'll send a replacement".


> I can understand total hobbyist who cannot afford $7 shipping often. But even then, you can bundle all your parts and order once.

Or, like me, pretty much go "Meh, its counterfeits all the way down!" and frequently tack on a buck or twos worth of other "That's interesting looking, I might want one of those one day, I'll grab a few on this order" stuff when you're buying things you need for a current (hobby grade) project, so you've got a few boxes full of (hopefully sufficiently well enough labelled and documented" junk on-hand for the next random project idea... I bet I have a dozen or so "DS18b20"s here from that approach. I _think_ I could probably find then in under 10 minutes if I had an idea that needed one right now. Maybe... (Actually, I do have that idea. I want to put temp logging on a little LiPo battery that sits under a small solar panel to run an ESP32. I _think_ it's probably failing early because the whole thing gets too hot in the du5rect sunlight. Logging will confirm/deny that, and let me measure changes with insulation and/or fan cooling. Maybe I'll go hunt for one tonight...)


But why can't digikey just charge for what it costs them to send the items?

Now it feels like I'm paying some kind of tax.


Because the cost of someone picking up a reel of 10000 resistors, from a warehouse that has to be rented heated/cooled etc etc doesn't scale down to that 1 resistor, even if the shipping cost might... I know, it sucks! - I have seen many suppliers that cater for hobbyists around the world and will mail you a resistor in an envelope. But I'm sure that they don't make enough money to send you a certification and guarantee of authenticity with it, which is why real industrial users won't mind paying $50 for a handful of components because those guarantees are worth far more...


> Because the cost of someone picking up a reel of 10000 resistors, from a warehouse that has to be rented heated/cooled etc etc doesn't scale down to that 1 resistor

I understand that. But please charge me for what it costs. Don't let people with small orders pay the price for people with large orders. They already get discount for their order size!

Or if this is not possible at least call it an order-picking fee, don't lump it in the shipping costs.


Shipping costs are actually transparent at Digikey. It is exactly what they pay to USPS.


Same. I read through this thinking "What, my team sensor on the data logger for my coffee grinder might be more than half a degree out? You know what? I totally don't care, and wouldn't have spent an extra 50 cents to get that much accuracy..."

I do have ethical qualms about supporting/funding "stolen IP", but then I've kinda got ethical qualms about the whole concept of IP anyway, and if you wanted to go hardline on IP compliance you'd probably have to avoid everything out of China (and everything that contains components out of China)... I wonder how often Apple get counterfeit components slipping through on Foxconn production lines, and how much effort they put into stopping it beyond extensive QA - which only ensures any counterfeits that make it through need to be close-enough to functionally equivalent to pass all the tests? The "test after" approach kinda pushes towards more IP infringement rather than less, since it's likely parts built from stolen designs would pass more often that parts reimplemented according to the spec?


If you don't need that accuracy, why would you use a DS18B20 in the first place. You can use a dirt cheap NTC.


Maybe you want to save on the A/D hardware?


That's actually how much it costs to ship stuff when it's not being exceptionally heavily subsidized by the utterly broken Universal Postal Treaty.


Orders with DHL across the EU are pretty much $4, without any other company ever handling it. Deliveries don't have to be that expensive.

Going further, if I'm in Germany, and order from a local place (e.g. a local ebay seller), I pay like $0.80 for postage on a delivery.

If I order from a reputable store... it's like 2 weeks waiting time with $15 on delivery.

In the past there used to be small stores everywhere selling every tiny part, but nowadays...


Digikey would be charging more then $5, but competition forces them to not charge outlandish shipping rates!

It didn't used to be that way -- mail order suppliers used to charge high fake "Shipping & Handling" fees.

That's why Amazon introduced 'free' shipping.


Hmm, I was going to say that digikey has 3 or 4 dollar shipping, but I checked and it's $5 for a first class mail. Maybe they've changed it, or maybe it's COVID-related. I recall that they had a low price for shipping of a small maximum weight, which was good for little orders of just a few components. I generally just suck it up and place the order regardless of the shipping cost, it's not great to spend as much on shipping as you did on parts, but it's still cheaper than buying parts locally. Remember buying the assorted resistor packs at Radio Shack? Ugh.


I've got this soft spot in my heart for digikey, they've always shipped so quickly and called on the smallest issue and offered to help. When ever they call I always do that "why is someone from Minnesota calling me?" It's interesting how some vendors can build trust easily.

But $5 doesn't feel bad for shipping to get good parts quickly from a company I trust. But your point is taken. Sucks to put a $0.30 temp sesnor and pay $5 to ship it. =)


I pad my order by adding expendables, stuff I know I'll use a lot of. There's a certain kind of end-fed SMA pcb connector I use a lot of. Solder. Flux. Certain JST-type connectors.

I also keep a "gift list" for myself of things I've always meant to experiment with but haven't gotten around to ordering. I ended up playing with MSP430 controllers this way.


I've made a few orders over the past few months. The $5 is for less than 14 ounces (which is surprisingly heavy, I just had a big heatsink and a bunch of other components shipped in that weight); after that it's $9 for any of UPS/FedEx/USPS. I guess it's just USPS price inflation? I remember when stamps used to be 42 cents.


I wonder how do you organize parts? Do you keep your "possibly fake" parts strictly separated from the real parts? I already have trouble keeping resistors with the same value but different power rating separated.


I’ve read there’s some financial scheme that you get >100% kickbacks for untracked packets from China through Singapore to destinations. Certain mail containers are going at regular intervals carrying much as possible by volume, paid by governments as investments to build nations might, or something like that.

So sellers pay for shipping, which is cheap, then gets subsidy, then there’s delay between Buy Now and actual transfers and financing to compensate it, those supposedly all add up and turn profits.

Digi-Key on the other hand probably has employee pension plans and that would be as far they go in terms of global financial investment techniques, so...


When I bought stuff from DigiKey this year, the shipping was $5.


Another professional EE here.

I never expect random chips bought off AliExpress/eBay/Amazon/etc to work, much less be genuine. I do expect breakout modules and the like to work, though I don't expect them to contain genuine parts. (That implies I'd never source from these places when it's a critical function.)

I'm always surprised when people expect grey-market crud to perform just as well as top-dollar stuff....


I do electronics as a hobby. I sometimes buy chips from very dubious shops in China for fun. Some of these sources are sketchy even by Taobao/Aliexpress standards. Then I decap the chip by boiling the package in acid and inspect the die under a microscope. More than half of them are genuine. I get some nice surprises because even the chips that I expect to be absolutely fake can turn out to be genuine.

So far I've seen a ton of fake audio op-amps.

For discrete parts like transistors things are much simpler. Just build a simple test rig and test a few parameters. If they fall within the specs they're probably good enough. Of course it's not worth it to do this for jellybeans like 2N3904, but when some parts get obsoleted without a replacement (or they're too pricey) there isn't much else a lone hobbyist can do.


Not so with power transistors, you don't need a microscope to see that the dies found in off-brand power transistors are suspiciously small compared to equivalents from proper manufacturers.


they also may be refurbished ie unsoldered off a board. that happened to me a few years back for a bunch of soic op-amps I was having difficulty sourcing.. they worked ok though.


> Some of these sources are sketchy even by Taobao/Aliexpress standards.

Links? That sounds fun...


I've bought hundreds of electronic parts on eBay and rarely had issues. I discovered LED strips were a thing by shopping on eBay, years ago, much before they were trendy, I was buying them at one fifth the cost American retailers were charging. Bought Arduino clones for a quarter the price of the "real" thing when I was a broke student. ATMega MCUs for a dollar a piece, free shipping. They worked perfectly fine. Could not have afforded them without eBay.

I'm Canadian, and last I checked, the shipping costs to get parts from places like digikey was just ridiculous.


I didn't say they don't work, just that I don't expect them to work. The prices are such that you can, and should, buy three items from three different vendors and cross your fingers that one works.

In professional engineering, where time is money, Digi-Key or Mouser is always more efficient, if they've got what you need. For personal stuff, where the value of your time is ~zero, the opposite can be true.


99%+ of my hobbyist electronics bits n' bobs are ali express/banggood specials, and they have all worked fine, from arduino clones to sensors and ESP8266's.

If I were working on something more important that dinking around for fun, sure, I might care a bit more about what's actually on the board. But as it is, the clones are more than adequate for my needs, particularly at their price point.


In the case of the ESP8266, the parts were available through channels like eBay and AliExpress long before they showed up through any of the typical electronics distributors. Same thing goes for other first-in-China parts like the GD32 series (STM32 clone) and WCH340 series (USB/serial).


You might not buy em from eBay/Alibaba - but the guy your contract manufacturer goes to might end up getting them from the same source as the eBay/Alibaba vendors do - either knowingly or unwittingly.

We ended up with 3 spools of counterfeit WS2812Bs that had cheapskated out on some data line capacitors on the die. Totally fucked the emitted RF noise levels compared to the same thing build with genuine ones, and intermittently flaked out when trying to run high speed data updates long-ish distance - the lights 6-7m and 40-50 leds from the controller weren't reliable...

Manufacturer and their supplier were very good at fixing things for us once the problem was discovered and attributed to bad components, but it was a very stressful lead to the xmas supply chain back then. (Then the entire company fell apart for different reasons, but the stress and expense of that incident was quite likely a strong contributor to those the triggering of those company-ending reasons... :shrug:)


Yeah, that's what scares me. On the other hand...I do have to trust my CM for so much already. Trust is an interesting thing in business.


I've often bought parts from aliexpress because they're available for <$2 with shipping, and can be somewhat vetted easily with an example arduino sketch that comes with the library. (IMO, the goal in designing a board for your problem is getting someone to clone it and sell it for cheaper than you could hope to build it. Ideally, better too)

Sparkfun and adafruit deserve commendation here, as their designs are open enough to even have low effort clones work reasonably well. (I'd buy a legit version if I was doing something professional, but prototyping for the sake of research is a different story)

I'm a special case though, since deliveries from the local AVNET subsidiary to my employer are often comped due to volume/location.


I’m sure these things have made it into a lot of those Arduino beginner kits and stuff like that. It really makes me mad because the various incompatibilities with the datasheet might frustrate a beginner or mislead them to think they are doing something wrong.


The DS18B20 clones are very popularly assembled into a waterproofed probe with a cable and metal cap. It's a very useful item which as far as I know is difficult to obtain from one of the official distributors (and would cost significantly more than the eBay specials).


You can buy those metal sensor sheaths separately. Search for something like "rtd sheath metal" e.g. ebay #162885663706. $2-3 for a set of 5.

Then you pot the sensor with something thermally conductive and waterproof - waterproof potting compound is cheap (e.g. "RS PRO White Epoxy Potting Compound"). Finally heatshrink the outside.

You will never beat China prices, but this is one of those parts that's relatively easy to make yourself and shouldn't cost a fortune. The most expensive stuff is the epoxy, but it will last for a while.

Purely on performance, does it matter? If it doesn't matter if you're off by a degree or two, then the cheap versions will be OK. If you need the guarantee of a genuine sensor, or a different cable length, or whatever, it'll cost about $20 for five.


How else can you get anything from Maxim besides samples? (joke may be a decade out of date)


I understood that joke to mean, "Maxim components are so expensive that the grey market is about the only place the layman can afford them in more than 1-off prototype quantities."

At least that was my experience 8 or so years ago when I made the mistake of purchasing a lot of 100 MAX7219 off eBay for $100 shipped from China...$1/ea was such a tempting deal to a younger, more naive self when these chips were selling for upwards of $7/ea from ECIA-authorized distributors at the time.

Never fell for that trap again.


No... there was a time when Maxim parts weren't really available through the major distributors. They had one of the most generous sample programs, but apart from that they seemingly wanted to draw you into some heavyweight direct sales process based around millions of parts per year. As the things I was designing were mostly aiming for quantities in the thousands, it made me not even bother considering their parts.


I'm wondering when that was. I remember basically always being able to get parts through normal distribution.

Motorola microcontrollers on the other hand.


Around 10-15 years ago. Perhaps our different experiences were due to types of parts we wanted. Eventually I just avoided looking anywhere besides Digikey because the others' parametric searches were so terrible.

(Of course these days Digikey hassles customers by pointlessly firewalling arbitrary netblocks, so maybe the convenience tides are changing)


Makes sense, 10-15 years ago I was on walk about.

Digikey got it's opening when the mainline distributors decided that didn't want to deal with piddly little orders and imposed $250 minimums. Digikey swiped a bunch of their customers.

Now days ordering off Digikey is easy. But the cost of shipping is murder unless you want to wait a week plus for ground. Same time if you know what you want places like Allied will ship small orders for not much. And Jameco Electronics if they have it you can will call from their warehouse in Belmont.


>I made the mistake of purchasing a lot of 100 MAX7219 off eBay

Why was it a mistake? I've used the 'fake' ones. Did not have any problem with them.


The fundamental problem with counterfeits is that they aren't held to any published spec, so comparing your experience to mine isn't really meaningful...other than being not genuine, you can't generalize anything about counterfeits.

It was so long ago, I had to dig up notes.

On the performance side, the counterfeits I received couldn't be clocked anywhere near the 10 MHz limit specified by a genuine MAX7219; one package pin that should be tied to GND was floating internally (contributing to poor thermal performance); but the real showstopper was that intensity control didn't work for shit.

My records reflect nigelectronics on eBay as the counterfeit seller. This is the address I was instructed to return the counterfeits to when I called them out on it for a refund (I eventually got the refund, but threw these counterfeits in the trash where they belong):

  Cheng Kwok Hang
  15F, BLK 1, Aldrich Garden, 2 Oi Lai Street, Shau Kei Wan, Hong Kong
On the business side, I effectively wasted 10 days lead time in a tight pipeline just waiting for this garbage to arrive + more time/frustration isolating why the chips were failing initial tests; swallowed ~$700 out of pocket + expedited shipping for a single BOM line item to purchase genuine replacements from an authorized distributor; and looked like a complete hobbyist amateur to a collaborator in NYC (who was working on the mechanical side) as I had to explain why my stupid decisions meant he'll have to wait another 2 weeks before receiving the pre-production prototypes I had promised (which meant his clients ultimately had to bear that burden). Then there was all the manual rework which I didn't even keep track of.

This was my first semi-pro side gig out of college, and juggling all the unexpected curve balls with a fulltime day job was quite stressful.


From what I've seen recently on r/ece or r/electronics, can't remember which, that's still a huge issue.


Lots of hobbiests will buy things off ebay, Amazon, or Alibaba. It is extremely common and if you go into forums it is even encouraged. I'm not saying you should go to those places, but that lots of people do.


We've spoiled ourselves with CCP subsidy. It wasn't like that about 20 years ago.

You'd pay a pretty penny for things and support local/national businesses. Now, you're funneling fuel into the dragon's mouth. For what? A hobby project? Just spend the $7 shipping and get it from Digikey.


Just went to my local Digikey site. Shipping is $20 USD or $26 NZD.


I presume you’re in NZ: You also live in the Southern Hemisphere, way south. YMMV. I presume ordering literally anything besides AliExpress/eBay us expensive in New Zealand.


Shipping fee is not supported by CCP subsidy but by Universal Postal Convention.


Shipping cost is the biggest downer for a hobbyist just wanting a couple chips from Digikey or Mouser.


So I ordered a ds18b20 sensor last year from ebay. paid AUD $1.88 for it (including shipping). Digikey looks to be $7 plus $20 shipping (and I'm not certain if those are USD or AUD)

As someone who doesn't do this for work - I've never seen/heard of digikey or farnel before. Maybe if I was ordering enough to hit the $60 free shipping limit - but I don't think I've spent that on electrical bits in the last year.


In Oz, you could try Element14 (which is Farnell rebranded). $50 for free shipping, or $15 under. The DS18B20's are about $7 on there too, so that's the correct AUD price.

Also check out RS Components Australia. They often offer free shipping with no minimums. https://au.rs-online.com/web/p/temperature-sensors-humidity-...

RS is also a good place to buy decent mechanical bits and pieces (bearings, drill bits, etc) if you don't want to play the lottery on Amazon. They even do their own 3D printing filament which I've had some good results with.

If you need small quantities (like one-of), you should look at sample requests. This is still alive and well - almost all the big manufacturers still honour them. I've gotten some $40 RTD digitising chips from Analog, micro-coax cables from Samtec and lots of random bits over the years. You may need a non-generic email address, but that's easy to sort.

For example you can sample the DS18B20 straight from Maxim: https://www.maximintegrated.com/en/products/sensors/DS18B20....


> who would you ever go to ebay instead of digikey

In addition to the shipping price for DigiKey which means batching up stuff is essential, one reason I buy stuff on AliExpress is that there are tons of ready-made breakout modules for easier prototyping.

Adafruit and SpakFun do make some, but there are quite a lot of interesting modules you cannot get from those sources.


I live in Russia. Some time ago it was possible to buy from these distributors (and pay additional $20 - $50 for shipping). Nowadays they ship only to companies, not domestic addresses, so it is not only cost-prohibitive for cheap orders, but outright impossible for a hobbyist or individual person.


Hah, first company I worked for involved the development of embedded systems and the boss wasn't shy about buying parts from AliExpress (thankfully most of it was still DigiKey). Some stuff had a significant cost difference: Official Omron rotary encoders vs copies, for example.

Of course they usually worked about 70% as well as the real thing.


This affects many suppliers where they see a cheaper source for their component and go for it.

You may be subject to it if you send your designs and BOMs to a PCB house who also source and populate the components, then you're at the mercy of their procurement process


It does seem like the headline is misleading, as surely the unit-weighted average authenticity of these parts leans towards 1.0. Surely nobody would buy these by the 1000's from unofficial channels?


I've got one genuine one that I bought from Sparkfun near the end of 2015 and 10 more I got from Amazon in the middle of last year.

I haven't gotten around to doing anything with the 10, but the genuine one has been hooked up to an RPi for a while, which is controlling a space heater.

That was still using a solderless breadboard, so it was an easy matter to swap in the 10 one by one and check if they were genuine. As was probably to be expected, they are all counterfeit.

They all seemed to be fairly consistent with each other and with the genuine one, although it turns out that these things are really sensitive to body heat--just holding one pinched between two fingers while slightly spreading the leads to fit the breadboard would heat it up 2-3 C. This made comparing different ones a bit confusing.

The genuine one seems to cool back down to room temperature noticeably faster than the counterfeits. I wonder if the genuine ones take more care to ensure that the die is not too insulated from the outside world so it will be more responsive?

Anyway, since I'm still using a solderless breadboard, and then things are designed to chain, it was not hard to rig it up so all 11 are hooked up at once [1]. (And yes, the resister is hooked up correctly. It is just a really bad angle in the photo that makes it look like it is off by one).

I've got a program running now that checks them all periodically and logs all the readings. Here are results after it has been running about 20 minutes:

  22.437 [22.375, 22.25, 22.187, 22.312, 22.375, 22.187, 22.25, 22.25, 22.375, 22.25]
The first one is the genuine one, and the array are the counterfeits.

[1] https://imgur.com/a/jPBTrvJ


I remember reading somewhere that genuine ones have a sensing element anchored to the ground pin, so it might explain why it cools down faster when inserted into a breadboard


Very cool analysis. Thanks for doing that and providing data. I also got one of these from eBay for my RPi a few years back. I haven't played with it in years but I remember being frustrated because the temperature reading did not match my home thermostat.


There's so much fake stuff on eBay in the IC world. As someone who was looking to get into the retro electronics hobby, I'm bumped into a ton of fakes on eBay. I'm amazed that there are sellers in China who find it worth their while to fake "ancient" chips like the Intel 286 and Motorola 68040 and 68060. In the former case, they took lower speed parts and rebadged them as higher speed components and in the latter case, some are downright fakes that don't function.


A lot of chips are harvested (in horrifying conditions for the workers and the chips) from old electronics and then retopped.


Once I was working for a company having single Motorola 68K based design. They were selling their ancient design without changes for decades. Motorola 68K disappeared from market, they moved to Coldfire, but then peripheral chips got obsolete. It was a big problem. Junior boss started buying everything he could find in Chinese Internet stores. Everything was fake!!! Sometimes parts were empty shells, no silicon inside, some parts were rebadged modern parts, some parts had silicon inside, but weren’t functional. Solution was found using some shady brokers. They delivered parts at 50x price. Ancient real time clocks were bought for 100$ a piece. It was still better than not delivering products to final customers. Re-Design was started porting the design to Xilinx ZynQ, but I left. Lesson number 1: no Aliexpress parts in final products! Lesson number 2: obsolescence of parts is a big deal, it comes more often than one is prepared for. Lesson number 3: even for hobbyist Digikey or Mouser is a place to go. Free shipping to Germany buying for at least 50€. All parts worked as expected.


How is it even possible to sell products with these parts if you are unlikely going to get RoHS certificates? That's like asking to go bankrupt.


These guys did other shady things balancing between unethical and criminal. I guess they would just deliver products with fake parts expecting to replaced them by redesigned ones in the future.


I've bought ~100 of these sensors from ali and ebay and 9/10 had troubles reporting temperatures in passive mode reliably. However simply repeating requests until sensor reports a valid value (!=+85C and !=-127C) works fine. Rarely I've seen sensors not working in passive mode at all.

Still, I always recommend running an extra +VDC wire (3 wires vs 2 wires isn't a big inconvenience). When running large 1-wire buses (>100m long, dozens of sensors each), a dedicated power line is always a must.

Another funny use for these sensors is a source of nonce/id. Weirdly, every single DS18B20 I've bought had a unique ROM address, even when I got large batches. I still PTSD about that batch of PCIE network cards with identical MAC addresses...

metaphor 26 days ago [flagged]

> However simply repeating requests until sensor reports a valid value (!=+85C and !=-127C) works fine.

You know you're dealing with counterfeits and you know they're unreliable, but you've somehow convinced yourself that despite all the uncovered variance sitting on the table, if you keep poking long enough until the component returns some non-edge-case value, then it "works fine".

I must have hopped on the sanity train quicker than I should have because it seems like I'm missing something critical in the narrative here.


> You know you're dealing with counterfeits and you know they're unreliable, but you've somehow convinced yourself that despite all the uncovered variance sitting on the table, if you keep poking long enough until the component returns some non-edge-case value, then it "works fine".

Yes? Because it usually does? If you test a bunch of fakes and they tend to be either basically accurate xor really inaccurate, and your project isn't super critical, why not? It's like unit testing; if you trust your tests, then any function which passes is probably fine to use. I wouldn't do it for something mission-critical, but for fun hobby stuff I probably would.


Are these SMT components that have to be soldered for testing? Hardware is not as trivial as software to test and replace.


"usually"..."basically"..."probably"...that's a lot of handwaving. Your usecase is both your prerogative and your folly to embrace; that's not the point.

I poke fun at the OP because his qualifier for "works fine" is an indeterminate definition of eventually establishing some semblance of compliant 1-wire communication with a counterfeit component without even so much as batting an eye to question the accuracy of the sensor measurement being read in, let alone:

  a) environmental constraints
  b) electrical constraints
  c) timing constraints
  d) system integration considerations
  e) counterfeit variance/unpredicability
No, this is not even remotely asymptotic to the implications of software unit testing. This is physical hardware which manifests real variance "vetted" by some half-baked functional "test" that completely ignores every parametric spec without discrimination. Without questioning implementation merits, your software unit tests operate on hash-replicable code...at the silicon level, such a luxury doesn't exist.


I think the difference here is that you're taking this from the perspective of an actual engineer, and I'm a hobbyist (and I assumed the same of OP; I hope Real Engineers aren't getting parts off eBay). Which means that, yeah, I'm happy to handwave a lot. By software analogy, I write a lot of shell scripts and python, which is passable but hardly rigorous; if I wanted it to be Correct, I'd break out coq or write in Ada or something, but I just want something that usually works because the stakes are so low. Of course counterfeit parts aren't reliable, but if failure is an option then they're good enough.


You are indeed missing something here :)

Long 1-wire networks are notoriously unreliable [1]. Something that works fine today can stop working tomorrow. That doesn't mean that they shouldn't be used anywhere. They have their niche.

If I want my heating system monitor to report temperatures once per hour and it takes me 5 tries and 10 seconds to read a sensor, I call it good enough. If monitor doesn't succeed after 20 retries, it sends an alert to replace the sensor (so far that only happened due to damaged wiring, not the sensor itself).

It is possible (and quite fun) to build reliable systems using somewhat reliable components :)

[1] https://www.maximintegrated.com/en/design/technical-document...


Thanks for the perspective. 2 points in which I disagree: on design and on reliability.

First, on design. In your cited app note, Maxim explicitly denotes from the onset:

> Operating a 1-Wire network beyond the limits or disregarding advice given in this document may result in unreliable network performance.

The key operator that I see here is "beyond the limits", to which Maxim engineers appear to have done a fair job of specifying. Indeed, there's a lot of fine print in the published datasheet[1] alone on "parasite power mode", but a first pass suggests this is nothing more than a nuanced design challenge, not one of questionable reliability. If your long 1-wire network works today but not tomorrow, then it's difficult to swallow attribution of the issue to a singular authentic component constrained by documented performance specs rather than the system's overarching design.

Second, on reliability. Since practicing engineers don't have the leisure of independently validating every bit of specified electrical minutae, we generally have to extend some level of trust to what the component vendors specify in datasheets unless presented with evidence to the contrary (because bugs). I poke fun at your "works fine" remark above because it reads like what you care about is some semblance of establishing trivial, intermittent communication while handwaving the accuracy of the reported temperature measurement, especially given all the effort to demonstrate and document that the physical implementations of these counterfeits are clearly different...which renders the reference datasheet null and void in its entirety...which I therefore conclude nothing about these counterfeit sensors can be trusted in any application with meaningful skin in the game. To describe these counterfeits as "somewhat reliable" strikes me as somewhere between naively optimistic and outright delusional.

But hey, your hardware, your problems...just saying. :)

[1] https://datasheets.maximintegrated.com/en/ds/DS18B20.pdf


I am having troubles understanding your reply. You're saying that these counterfeit sensors cannot be used for anything critical with "meaningful skin in the game", which is an obvious statement. In fact, depending on definition of "critical" and "skin in the game", one can make an argument that authentic DS18B20 sensors also aren't good enough. So what?

This whole story about not using things where they shouldn't be used is like saying "don't use an arduino on a chemical plant". Thanks, we get it.

> The key operator that I see here is "beyond the limits", to which Maxim engineers appear to have done a fair job of specifying

Except that limits are not well specified since they depend on too many factors (ambient temperature, parasitic cable capacitance, noise pickup, etc). These are recommendations on improving reliability, not hard guarantees. I'd recommend actually reading that note.

> If your long 1-wire network works today but not tomorrow, then it's difficult to swallow attribution of the issue to a singular authentic component constrained by documented performance specs rather than the system's overarching design.

This is again a trivial statement. Where did I claim the opposite?

If a weather monitor equipped with 1-wire devices has intermittent communication issues, do you immediately replace the entire system? Good luck with that proposal :)

If you replace your 1-wire driver on the above mentioned system to the one with active pullup and issues go away, do you still scrap the system because it's "out of spec" according to recommendations?

> Since practicing engineers don't have the leisure of independently validating every bit of specified electrical minutae, we generally have to extend some level of trust to what the component vendors specify in datasheets unless presented with evidence to the contrary (because bugs).

Again not sure what's the point of this trivial statement. Yes, bugs. I, "practicing engineer", have the leisure to independently validate datasheets when required. I also rely on them when I can. So what?

> especially given all the effort to demonstrate and document that the physical implementations of these counterfeits are clearly different...which renders the reference datasheet null and void in its entirety...

I invite you to research re. FDTI-gate and its widespread use, including medical devices.

Are you comfortable using light bulbs purchased from amazon in your kitchen without looking at the reference datasheet?

If I need an accuracy of +/- 5 degrees for not critical monitoring purposes, can I use "counterfeit" DS18B20 sensors?

If I need an accuracy of +/- 0.1 degrees for critical monitoring purposes, can I use "authentic" DS18B20 sensors?

Answers are as obvious as your statement.

> which I therefore conclude nothing about these counterfeit sensors can be trusted in any application with meaningful skin in the game

Your subjective "meaningful skin in the game" doesn't tell much. What sensors do you trust? Do you require calibration certificates traceable to a secondary standard for each component for them to be blessed for "application with meaningful skin in the game"?


"If a straight line fit is required, only sample two points."


Some medical equipment works the same way in my experience. A nurse or I will routinely ask to redo a reading because the value "didn't seem right"

And sure enough that happens about 1/3 of the time regardless of equipment or facility.

So "just doesn't feel right" is something that absolutely happens in the real world. Not taking that into account is sloppy engineering


Wow, I am pretty sure I had some of these, parasitic power would NOT work, I had it on a scope and everything. What a pain in the butt that was! Why not just give these mostly cloned parts their own honest name and part number?


> Why not just give these mostly cloned parts their own honest name and part number?

Would you have bought it, at the same price, if they had?


To put that another way: the reason they go the fraud route is to easily profit from the good reputation of an established brand.


Why not just give these mostly cloned parts their own honest name and part number?

Judging by what the page says, they do --- but someone down the line from the manufacturer remarks them to DS18B20s.


Because even if a part is marketed as compatible with a well-known part, most buyers won't add a new, allegedly compatible part to the AVL (approved vendor list) without some level of engineering review. This guards against the kinds of incompatibilities that the article notes. Depending on the buyer, that review might be "yeah, [vendor] seems legit, fine", or a complete test build and evaluation; but by marketing their part as a counterfeit instead of a second source, the vendor bypasses that hurdle entirely.


I buy from AliExpress and eBay not because of the shipping fee but because most of the time digikey/mouser doesn't sell hobbyist friendly form factors (like breakout boards) and some of this ic come in really tiny package (like tssop) which for an amateur are difficult to solder. Sometimes they need a resistor or a capacitor or a transistor easier to buy a board with everything on it that you stick to another board and that's it.


That, or they slap huge markups for these otherwise unpopular products.

Try to find a popular 16-bit ADS1115 ADC on digikey. They offer SMD 10X2QFN chip for $8, 10VSSOP for $10, assembled adafruit board for $22 (!!!) or DFRobot board for $15 (exact same board is half the price on ebay).

In comparison, ADS1115 boards from aliexpress are $2.


Counterfeit chips are a huge problem, these days.

I suspect that a significant number of Bluetooth chips are fake; even in very expensive kit.

I got tired of having expensive headsets croak after less than a year, while my cheap 20-dollar exercise headsets lasted for four years.


Chips have a higher value on a BOM, and as such have more financial incentives to be reverse-engineered and counterfeited. This is a bit more interesting since it's a sensor that has several operating parameters that "sort-of" send expected data back, but depending on the operational characteristics could need to be recalled entirely.


Especially if they are to be used for something like monitoring for excessive heat in some kit that could catch fire.


If this was used in a BMS with a lithium battery, a counterfeit sensor's behavior could result in the total loss of a device. Let's say the device's PCB is designed such that the sensor is connected to a rail that requires parasitic power, and you were unexpectedly shipped the D1 variant that outputs garbage data back to the onboard firmwre instead the proper temperature. Your company would have to recall every device in that manufacturing run at great expense, if it weren't caught early enough by QA.


This particular sensor isn't used in mass produced devices AFAIK. NTC thermistors are cheaper and easier to design for using cheap analog components. Reading DS18B20 is quite an exercise when it comes to $0.05 microcontrollers used in e.g. household appliances.


That's true in an analog design, I recently took apart a generic computer power supply that failed and noticed it used NTC thermistors. In a hobbyist kit I purchased that came with with various cheap sensors, the temperature one has a Dallas 18B20 on a board to be interfaced with an Arduino. It's probable that some people would just duplicate exactly what they used on a quick-and-dirty design to be deployed on a small scale.


I don't get it. Why bother faking something that is very cheap to make genuine? I mean you pay peanuts for real deal, and you want to make something even cheaper then that?...why? Where is the profit?


First, when you make millions of a thing, then saving even fractions of a cent add up to a lot of money. Chinese manufacturers favor high volume, low margin products. Second, Maxim parts are not cheap, in fact they are among the most expensive in the IC industry. A single DS18B20+ goes for 3.47€ on Mouser right now. That's a juicy target for counterfeiters.


I don't know where you are, but in my country I paid the equivalent of 4 cents for DS18B20. I hook it up to my multipurpose Raspberry Pi and I use it to measure my room temperature. I bought 2 of them, for redundancy reasons when lockdown started. The other one is still in original package.


Well I guess when you invest in purchasing fab you want it utilized as much as possible, so you might want to add batch here and there when you dont have contract work.


I buy all sorts of fine parts off ebay/aliexpress. A lot from China. No issues so far. All work within expectations. But I'd never base a product on any of them. Nor go fine tolerance / high expectation either. Not without very high trust. There is such a thing as a savvy* buyer who has a suspicious and not naive mind.

Then again, hardware is a hobby for me. My level of "buyer beware" means a slew of parts cannot be purchased from ebay so maybe that is a factor?

I can't fathom anyone using ebay for serious products that would be sold to a supported customer with any kind of actual warranty. The mind boggles. I have, however, dabbled with alixpress and found speaking Chinese useful to the extent I made a short run of my own gadgets with humble success. No I'm not a hardware company. Just had an issue that needed a gadget so I made it happen.

* No flash memory or any similar memory devices. No FTDI gadgetry. No battery of any kind. Nothing that involves oddball power supplies. I parts bin any power supply "ebay-direct-from-China" as I don't trust any of them.


>If the ROM does not follow the pattern 28-xx-xx-xx-xx-00-00-xx then the DS18B20 sensor is a clone

Darn, my sensor from usbtemp.com has 28 FF EC C5 21 17 04 99


Ethics aside, are they accurate enough for e.g. home brewing or fishtank usage, compared to parellax reading error on a traditional mercury/alcohol thermometer?


depends on what fake you get, based on the linked article. seems like for the most part yes


Off topic but... how do you do IO on a chip that only has 3 pins? I assume you need one pin for V+ and one pin for Ground and then there's only one pin left for both I and O?


As exmadscientist noted, these use the 1wire bus.

The general mechanism (to use 1 io pin as both an input and an output) though is to have the io-pin operate in "open collector" mode. Essentially: it assumes that there is something external "pulling up" the io _line_ (normally a resistor attached to the positive logic level), and all devices attached to the io-line only "pull down" (ie: output the 0 logic level, normally 0v) on their io-pin. The io-pins, thus, have 2 states: low (ie: 0v), and hi-z (high impedance, ie: not driving the output in any direction)

This ensures that no device on the io-line will directly push/pull against the level being driven by the other device (because all devices only drive 0v, and none drive the the logic 1 level, they rely on the pull up).

Then to allow communication to occur reasonably (without both ends pulling the io-line low all the time), buses like 1wire specify how the devices decide which one "wins" (ie: gets to transmit it's data), or which one goes first, or which one directs the other devices to "talk".


You only need one data wire for 1-Wire buses, but it's even better than that: you'll note that the page talks about a "parasitic power mode". This chip (and other 1-Wire devices) operates in a mode where you only need two wires: DQ and GND; it uses an internal capacitor to draw power from the data bus.


Dallas/Maxim usually likes their 1-Wire bus for that: https://en.wikipedia.org/wiki/1-Wire

The DS18B20 is, indeed, a 1-Wire device.


Same as most USB to serial adapters, Prolific (PL2303) and FTDI FT232RL.

What's fun is one of them updated a driver, which bricks counterfeits.

https://hackaday.com/2016/02/01/ftdi-drivers-break-fake-chip...


I sort of understand how the FTDI thing happened. They were charging an arm and a leg for an ancient IC, so China cloning it was really a no brainer.

Thankfully, 1-2 companies came up with their own competing solutions which you now can buy for cents. If you are still using FTDI chips (fake or original) you might want to update your designs.


There's the same issue with nRF24L01+ radios that are very widespread. Unfortunately, the fakes also have errata and cause problems when people try to use them.


I am a bit disappointed about that a lot of his claims how to identify clones are referenced with [5] own research. I mean doesnt one need confirmation from the IP holder?


I mean, the entire article is basically documentation of that research.

This isn't a peer-reviewed piece of work, it's a writeup of someone's fairly exhaustive research into a problem they encountered.

I don't see why you'd need confirmation from another person that something you bought doesn't do what it's part number claims it should.


Maybe I didnt read it carefully enough but to me he does not research it but just states it. I mean some (non counterfeit) production runs might not have the expected quality isnt this possible? If the rom signature is not garanteed by the ip holder than it still might be legit.

Probably he is right though, but to me it reads like the conclusion is the premise. (Might be due to the writeup though)

Edit: here is my bone: it says: how do I know? If the ROM does not follow the pattern 28-xx-xx-xx-xx-00-00-xx then the DS18B20 sensor is a clone [5]. And here I would have expected [5] to be the datasheet or something, but not 'own research'. The idea of citations is also to make your claims more verifiable.

Now, if we look at the Datasheet: https://datasheets.maximintegrated.com/en/ds/DS18B20.pdf it actually says:"The least significant 8 bits of the ROM code contain the DS18B20’s 1-Wire family code: 28h. The next 48 bits contain a unique serial number. The most significant 8 bits contain a cyclic redundancy check (CRC) byte that is calculated from the first 56 bits of the ROM code. A detailed explanation of the CRC bits is provided in the CRC Generation section." So the 28 is required. The '00-00' part is ust the higher bits of the unique serial number.

I wouldnt be surprised if different factories get different higher bits.


Well, the original components costs 1-2 dollar when bought directly from Dallas but you can buy 10 PCBs (with additional supporting components) for $3 on AliExpress. It was extremely obvious to everyone that these were fakes.

But... while I fully understand the ethical issues, there is also an interesting engineering challenge here were you can sometimes get your design to work even with crappy fake components.

Btw, if you think this is bad, try ordering some jfets from China...


Not an excuse, but when you compare the relative simplicity of these sensors compared to their retail price 2$+, I can see why they would be cloned


In the old days if you wanted sweepings from the factory floor you shopped at Radio Shack. Usually worked well enough anyway. Just like ebay or amazon today, usually.

I've had worse luck with assemblies than components; switching supply modules from ebay / amazon don't come with decoupling caps or RFI inductors or RFI chokes.


Only slightly related but why do manufacturers have so much trouble printing the type and or value of the component onto the package? Often it's not even readable with a magnifying glass unless the lighting is from exactly the right direction.


I just ordered a bunch of these, yesterday, from Farnell.

I've received fake electronics from 3rd party Amazon sellers and eBay.

For testing a PoC I will buy knowing there is a risk it's likely fake - but once I've validated a design I'll go to Farnell.


I have one of these, purchased from Adafruit - they're not an authorized distributor but they're certainly reputable. My unit works fine but I haven't tested it yet... anyone else bought from them?


Anyone have an idea what these are used in? I originally thought they might be used for 3D printing, but that doesn’t seem to be the case - except, perhaps for chamber temperature.


Indoor/outdoor temp sensors. Anything that needs a cheap temp sensor. Really handy since they just steal power from the bus (parasitic) so you don't need to run extra wires for power.


For me, I was using them as environmental sensors for an aquaponic setup (water more often when it’s hotter)


I put together some low effort esp8266 temperature/humidity probes. I used DHT chips cause they were cheaper/bundled with a board, but the tutorials said the DS chips were better.


I have several for homebrewing - monitoring mash, sparge, and fermentation temps.


I have a bunch for a related process. I don’t need them to be super accurate but they should be consistent and repeatable and the ones i have definitely are that.


I just bought a bunch of cheap indoor/outdoor weather sensors, I'd imagine they might apply.


May I ask what you bought? I've been looking for something like this but everything I've found has been pricey.


Ecowitt everything. They whitebox for Ambientweather and others, there's a whole rundown on wxforum:

https://www.wxforum.net/index.php?board=111.0


I never knew about wxforum. Awesome. Thank you!


I use a waterproofed version as a water temperature sensor (in the lake).


Any cached version of this page since Github is down?


These acerbic comments make me feel like on Hackaday instead of Hacker News.


[flagged]


Not related to this case, but GitHub is a rare "social network" in western world that also available for mainland Chinese people.


That’s because it contains code rather than blog content - let’s keep it that way!


The two .ino files in the repository are Arduino programs for testing the sensors. So it does contain 700-800 lines of code.


? Being on github didn't restrict me from reading it in the least. Not sure what the heck it being on github has to do with anything.


Literally any blogging platform is worse than GitHub tho?




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: