FTDIgate 2.0?

[suicidaleggroll]

Everyone is so caught up in the temporary inconvenience and hardship experienced by users and designers RIGHT NOW, as FTDI rolls out these drivers.  Yes, it's hard, RIGHT NOW, but if FTDI keeps it up it will be very easy.
You keep saying there's no way to identify fakes.  THERE IS, NOW.  In fact it would be difficult to make it any easier.
You keep saying that you might develop a product, send it out, and it later gets bricked.  Not if they keep this up.  You'd brick your own board as soon as you started development, and all you have to do is plug the customer's board in, hit a character, and you'd know if it's genuine or not.  It would never get into the hands of your customers with a fake chip on it.

The reason it's such a pain is because FTDI did nothing for so long, and allowed the problem to get as bad as it is.  Had they been doing this from the beginning, it wouldn't be a problem, and if they keep it up it won't be a problem for much longer.  Again, end-users don't know enough to blame FTDI, the only thing they're going to do is blame the manufacturer, as they rightly should.  The manufacturer will be hurt, yes, but the build house who sourced these parts will be hurt worse in the long run, and the supplier who provided the parts will be hurt the worst in the end.  It's a war between FTDI and counterfeiters, and yes manufacturers and end-users are getting caught in the crossfire, but it had to be done.

Some people are saying this will hurt FTDI in the end.  It might, but that's their call to make.  They made a decision that the damage to their income and reputation caused by such a prolific infection of counterfeits in the supply chain was ultimately worse than the temporary damage to their reputation caused by this move.  They might be right, they might be wrong, but that's their call.

[suicidaleggroll]

Why?

well I cant talk for every country in the world, but where i live (italy) we have laws such as Articlo 575 Codice Penale (for murder) or Articolo 185 Codice Penale (for generic damages) which state that if someone kills a man he will be prosecuted and sentenced to jail (in normal cases),if to kill it's a company as in this case, there will be one of the dirigents (CEO probably) which will be charged of murder, the second one says that if someone ( either natural or legal person) causes damages to someone else they will have to be refunded for that, goodwill or not who caused the damages will be held responsible, and it's not a mutually exclusive thing, if two different persona's have contributed to the damages being made they will all be guilty, it's like Conspiracy to murder, if my i tie up someone with ropes and a friend of mine kills them, i am also charged with murder, i don't get away with it just because the physical killer was the friend of mine...

Your example situation is ridiculous to start with, it makes no sense to keep it going.

Yes the driver causes the chip to send out the wrong ascii character.  You know what else causes the chip to send out the wrong ascii character?  A typo, interference, a bad connection, etc., or how about the fact that it's a counterfeit part with unknown specs and unknown bugs?  Anybody who would walk up to a machine and start sending it data when a simple typo or miscommunication due to interference or a bad connection could cause it to KILL SOMEONE, deserves to be charged with involuntary manslaughter.

[suicidaleggroll]

If I were FTDI, here's what I'd do: I'd show a message like that and refuse to work with the device. I'd then offer to sell a version of the driver that worked with the counterfeit chip to the product designers affected, who would then pass it on to their end users. This way, I still make money for the time I put into the driver and the designer doesn't have to lose money recalling or replacing all the boards with counterfeit chips on them. (I'd sell the driver for perhaps 1/4 of what the chip sells for.)

You must be joking.  You actually think that would make things better?  If FTDI actually offered an inexpensive means to INTENTIONALLY SUPPORT counterfeits?  That would make the problem even worse.  Why would a supplier even bother to check if their source is legitimate when FTDI would actually offer to support it ANYWAY, for less than the price difference between the counterfeit and the real product???

Why would anybody even bother to buy the real thing at all?  That would legitimize the entire counterfeit operation!

[dannyf]

if someone kills a man he will be prosecuted

So if you drive over someone with a car, is it you or the CEO of Fiat that should be charged?

Take that example here, you bought a piece of gear off ebay, plugged it into your computer and as a result, you caused damages to others. You think the person who produced the driver, not you, is responsible?

Do you have ANY personal accountability in our society?

[amyk]

Don't think you can patch a signed driver, without all sort of grief booting windows.

A quick search shows that in Win10 it's even easier than Vista/7/8, just boot into "disable driver signing" mode to install the patched driver and then on the next boot it'll be back to the regular mode but unsigned drivers that were installed will continue to work.

They made a decision that the damage to their income and reputation caused by such a prolific infection

Pun intended?

[filssavi]

Yes the driver causes the chip to send out the wrong ascii character.  You know what else causes the chip to send out the wrong ascii character?  A typo, interference, a bad connection, etc.  Anybody who would walk up to a machine and start sending it data when a simple typo or miscommunication due to interference or a bad connection could cause it to KILL SOMEONE, deserves to be charged with involuntary manslaughter.

well there is a huge difference between interferance, bad connection and stuff and willingly send wrong data if you noticed...

interferance, bad connection and stuff are things that can happen just out of bad luck, and no one can be blamed for that, if Anybody walk up to the machine and sends data, and that data kills someone, well you can bet your ass that the anybody will be charged with manslaughter.

as I said, it is not a case of the microcontroller randomly accepting data at the input, it might be a case of CRC/HASH collision,  or more simply a firmware or silicon bug, is it unlikely? well yes very, the chances of it happening are extremely small, it doesn't need to be immediate it just need to be caused by the driver sent text...

then again if the equipment in question is poorly designed the manifacturer will be blamed, but FTDI will also be blamed, it's not that what they have done was necessary, they could have refused to comunicate with the device, if the ic is fake you tell the driver to shut the fuck up, no bricked device, no wrong data, nothing and it would have been al fine, but no they choose to be childish and do what the 5 year old at the kindergarden would have done...

no one is advocating for letting the fakes go, but doing this shit is totally unecessary,or else prove that sending fake data is more effective at fighting counterfeits than refusing to work(provvided you tell the user on the PC it has got the fake IC and all).Fakes will always be with us, be it IC, clothing or anything really, as long as there is an original part, there will be fakes the sooner they get on with it the better, it's like music/film piracy they can use all the DRM's they want they will not stop pirates form reverse engineering or even recording the screen with a camcoder, you will only make the life harder for real users

if someone kills a man he will be prosecuted

So if you drive over someone with a car, is it you or the CEO of Fiat that should be charged?

it's more like:

i buy a fake ferrari (fake fiat are hard to come by  )
i'm dumb enough  to take it to the autorized dealer to get the oil changed
the dealer notices that it's a fake ferrari and applies the company rule to flash to the Veichles control unit code that randomly modifies the throtle and brake signals just because they can
while speeding I run  over the poor guy crossing on the zebras because my car refused to brake/kept accellerating

would the ceo of ferrari that instated the rule to flash the modified firmware be held responsible? of course
will i be held responsible and go to jail? shure, i killed a man and i must go to jail

Do you have ANY personal accountability in our society?
[\quote]

as I already told (if you missed it)

responsibility it's not a mutually exclusive thing, if two different persona's have contributed to the damages being made they will all be guilty

so it can also be that both ferrari ceo and will be found co-responsible and we sill go to jail together (with love XD), since for him to be responsible does not mean that i'm not

[RFZ]

Everyone is so caught up in the temporary inconvenience and hardship experienced by users and designers RIGHT NOW, as FTDI rolls out these drivers.  Yes, it's hard, RIGHT NOW, but if FTDI keeps it up it will be very easy.
You keep saying there's no way to identify fakes.  THERE IS, NOW.  In fact it would be difficult to make it any easier.
You keep saying that you might develop a product, send it out, and it later gets bricked.  Not if they keep this up.  You'd brick your own board as soon as you started development, and all you have to do is plug the customer's board in, hit a character, and you'd know if it's genuine or not.  It would never get into the hands of your customers with a fake chip on it.

Wrong... your development board does not have the sam FTDI chip on it as the ones you send to ur customers. If you buy a few chips for development, u usually won't buy from the same seller where you buy thousands afterwards. And, depending on availability (and sure, also price) you will have to change sellers from time to time.

The reason it's such a pain is because FTDI did nothing for so long, and allowed the problem to get as bad as it is.  Had they been doing this from the beginning, it wouldn't be a problem, and if they keep it up it won't be a problem for much longer.  Again, end-users don't know enough to blame FTDI, the only thing they're going to do is blame the manufacturer, as they rightly should.  The manufacturer will be hurt, yes, but the build house who sourced these parts will be hurt worse in the long run, and the supplier who provided the parts will be hurt the worst in the end.  It's a war between FTDI and counterfeiters, and yes manufacturers and end-users are getting caught in the crossfire, but it had to be done.

You're sure it won't be a problem for longer? I'm pretty sure there will be (or are already) fake chips that aren't recognized by the driver now. In the future, FTDI will also find a way to identify these. What will they do then? The same again? This problem will stay around for long time...



Just for comparison. If Microsoft decided to shut down every PC with a fake licence just by a windows update, or even worse, write "THIS COPY OF MICROSOFT WINDOWS IS ILLEGAL!" to all your personal documents, what would have happened? If you think FTDI has the right to do what they did, Microsoft should have exactly the same right, right? That would be fun.
However, Microsoft is a good company, they just tell you that your licence isn't valid but let you still use your computer for limited time to backup your data.

[rich]

The reason it's such a pain is because FTDI did nothing for so long, and allowed the problem to get as bad as it is.  Had they been doing this from the beginning, it wouldn't be a problem, and if they keep it up it won't be a problem for much longer.

Yup. This is the part that a lot of instantaneous internet outrage seems to ignore. But to follow through, FTDI will need to close down all clones and quickly identify new ones. It sounds like a task that would require exponentially increasing resources as clones get more clone-y. So I'm not sure total eradication is possible, but all FTDI needs to do is move the cloners on to picking a different company to clone.

FTDI demonstrated that it has no consideration for anyone but themselves with the previous malicious bricking incident. Any end-users/design/manufacturers who did make reasonable due-dillegence efforts and still got caught out are simply collateral damage in FTDI's eyes. Hence why those outraged will rightfully choose to avoid FTDI.

[Ian.M]

The only stupidity in the idea to sell a licence to continue to use the FTDI driver, is the idea that it should be at a discount.   Take the average retail price of a FTDI chip, add on the cost of maintaining licence servers, staying current with crackers trying to break the node locking technology, transaction and support costs costs etc. and it will probably turn out to be in the $10 to $15 range.   That's still attractive to end users who have $expensive$ equipment down due to supply chain contamination, but would kill the cheap clone cable and module market stone dead and would gain FTDI data on what the non-genuine chips are being found in, and where. 

[rich]

That is a bit ransomware though - FTDI could deviously wait until a clone they already know about hits end users in large enough quantity, then release a new driver update which holds the unsuspecting end users exploited. I wouldn't put it past FTDI to already be sending clone data back over the internet from the driver, seem like something they wouldn't think was unethical.

[rrinker]

 timb pretty much summed up what I was going to say. You as the designer of a product may specify and use only genuine FTDI chips. Your prototypes all use only the genuine item. Your specifications all say only genuine FTDI.
 Then it goes into production. One week, your production house gets a new shipment of FTDI chips from the very same distributer they've always been getting them from. Only this time, they are fakes. The distributor ordered them from the same supplier they always have, and have gotten the genuine article. Except this time. Now a few thousand of your product are out there with fake FTDI chips, and along comes the drive update and renders them useless. Batches before and batches after don't have a problem. You, and your company, never ever set out to take the cheap way out and use fake FTDI chips - your spec even says FTDI, not some cheap fake or clone. FTDI then causing your product to fail is simply WRONG no matter how you look at it.
 I'm not sure what danny is missing here. How can you not think this is wrong? It does nothing to stop the fakes. It MIGHT stop someone from deliberately specifying fake chips, but the end user doesn't know or care, all they know is their Brand X widget stopped working, Brand X must be a bunch of dopes and I demand my money back. Yet Brand X specified only genuine FTDI chips in their design and to their manufacturing house. There's a HUGE difference between deliberately from the outset using counterfeit parts to save money, and getting stung later by something in the supply chain. Remember the capacitor problem a bunch of years back? The product suppliers weren't specifying cheap junk capacitors, they were specifying high quality known brands, and in manufacturing ended up getting crappy fakes labelled as the good stuff.
 What's the solution? As a designer, never use FTDI again, so that even if something out of your control happens later on in production, your customers won't be storming the HQ with torches and pitchforks demanding someone's head because their devices stopped working.
 Is there anyone with a brain at FTDI that can actually see how stupid this policy is?

[wraper]

It does nothing to stop the fakes.

Oh, yes it does. Just look how Chinese arduinos stopped to use fake FTDI chips and switched mostly to CH340. And I think in most cases they did know very well what they put in those arduinos, and had no intention to use genuine parts in the first place. This FTDIgate made this problem publicly known and now people think twice before getting them from dubious sources. Also it made the existing stock of the fake chips being useless junk.

[zapta]

I am reading this on Wikipedia's FTDI page

The company also stated that it was working to create an updated driver which would notify users of non-genuine FTDI products in a "non-invasive" manner.[9][6] The new driver was made available on 3 July 2015.[10] The "non-invasive" method has been found very confusing by some users.[11]

How does the driver "notify users of non-genuine FTDI products" ? 

[wraper]

interferance, bad connection and stuff are things that can happen just out of bad luck, and no one can be blamed for that

No, it is not a bad luck. It is poor design or poor implementation.

[RFZ]

How does the driver "notify users of non-genuine FTDI products" ?

It does it in the way that I discovered in my first two post. It substitutes all data sent via the RS232 by the characters "NON GENUINE DEVICE FOUND!" which, in fact, is the most invasive way I can think of. 

[Muxr]

It would have been a far more effective strategy from FTDI to just display a, "warning: non-genuine FTDI chip in the device" and continue operating as intended, than to brick people's devices.

I hate counterfeit parts as much as the next guy, but the cat's been out of the bag for a long time, this just makes me wary of using anything from FTDI, because they lack tact in dealing with the issue.

[zapta]

How does the driver "notify users of non-genuine FTDI products" ?

It does it in the way that I discovered in my first two post. It substitutes all data sent via the RS232 by the characters "NON GENUINE DEVICE FOUND!" which in fact ist the most invasive way I can think of. 

Does it assume that most appliances with FTDI display the serial communication to the end user? Doesn't make much sense to me.

Since it's a recent Windows update, I presume that got Microsoft's approval for this behavior.

[Ian.M]

That is a bit ransomware though - FTDI could deviously wait until a clone they already know about hits end users in large enough quantity, then release a new driver update which holds the unsuspecting end users exploited. I wouldn't put it past FTDI to already be sending clone data back over the internet from the driver, seem like something they wouldn't think was unethical.

Its no more ransomware than Microsoft's 'genuine advantage' program was.
It would also get the user to register, which gets details of the item containing the detected chip, to aid in tracing how the counterfeits got itnto the supply chain.   If could even, in some cases, be free to the end user if the manufacturer has detected a supply chain problem and bought a volume licence from FTDI so they can avoid a product recall.

If you have a product manufactured using a board assembly contractor, can you always be 100% certain that nobody 'borrowed' a reel of genuine FTDI chips you supplied because they were short on another order and then replaced them locally?  Unfortunately controlling supply chain contamination requires secure manufacturing which pushes up product cost to the point where cheaper items cannot compete effectively on the retail market.

[RFZ]

Does it assume that most appliances with FTDI display the serial communication to the end user? Doesn't make much sense to me.

Since it's a recent Windows update, I presume that got Microsoft's approval for this behavior.

It doesn't make sense at all...

Version 2.12.12 is a new Version that is delivered with windows update since beginning of January ... However, it looks like the previous version, also containing this fake detection behavior is available since July 2015 but I don't know if it was delivered via windows update... I guess I would have noticed it, if it had been deployed by windows update in July 2015 but I cannot know for sure. I don't exactly know why I had no problems since end of 2014 (after unbricking by devices from PID 0000) until yesterday...

[rrinker]

How does the driver "notify users of non-genuine FTDI products" ?

It does it in the way that I discovered in my first two post. It substitutes all data sent via the RS232 by the characters "NON GENUINE DEVICE FOUND!" which in fact ist the most invasive way I can think of. 

Does it assume that most appliances with FTDI display the serial communication to the end user? Doesn't make much sense to me.

Since it's a recent Windows update, I presume that got Microsoft's approval for this behavior.

The only approval Microsoft does for certified drivers is to validate that they come from who they say they are from, and maybe not break Windows. Since what FTDI did doesn't crash Windows or fail to install as a driver, that's as far as it goes. If the driver bricks a non-genuine FTDI chip in some downstream device, Microsoft doesn't really care, or really even have the means for testing that sort of thing.

[wraper]

Why don't FTDI drivers simply refuse to work with fake devices and display some warning message? That would be 100% fine and clear to everyone. Remember that FTDI drivers have SW capability to detect fakes by SW means - end user/supplier/vendor do not have this capability.

To do this, they would need to install same crappy app loading every time windows boots. No thanks, there is already enough of junk doing this.

[dannyf]

"Except this time. Now a few thousand of your product are out there with fake FTDI chips, ..."

Why is that it is ftdis faulty that you have lax production control? Just because you cannot assure that the real thing is used in your products, some one else has to support it?

Does it sound reasonable to you?

[RFZ]

Why is that it is ftdis faulty that you have lax production control? Just because you cannot assure that the real thing is used in your products, some one else has to support it?

They do not have to support it. But they have no right to manipulate it either.

[RFZ]

To do this, they would need to install same crappy app loading every time windows boots. No thanks, there is already enough of junk doing this.

I'm not much into programming device drivers but I'm sure there is a way of notifying the user without a permanently running application...

[miguelvp]

The solution is easy, people that have used fake FTDI chips should write their own driver, make it available to everyone so a new patch can be issued after forking the money for the new USB device and vendor ID.

Then FTDI is happy and so is the rest.

After all if its thousands of devices out there the cost amongst all of the developers would be minimal, and then you can still pay less for those counterfeit chips instead of the real deal.

Other vendors make FTDI pin compatible devices, but using their own design and drivers.

Also any manufacturer that developed a product that is tainted by the fake chip, has the means to test if the chip is fake or not and if it is fake, then support their product by providing a firmware patch with their own device driver with that new device and vendor ids.