FTDIgate 2.0?

[rich]

FTDI could have just written a driver which randomly drops approximately one byte in N if a non-genuine chip is detected.  Start off with N fairly high and decrease it towards 1 in 1000 over time.   Result: fakes and clones get a reputation for being flaky.

No, FTDI would get a reputation of being flaky. Before FTDI, the most popular were Prolific chips. Counterfeits worked unreliably with the new drivers computer could even catch a BSOD with them. Needless to say, for most of the people it appeared that Prolific chips were crap, not that they have bought a counterfeit.

Well, the Prolific driver shouldn't have caused a BSOD, I'd say they got the reputation they deserved.

[0xdeadbeef]

Yeah, this sounds like a cheap excuse. Prolific drivers were crap and FTDI drivers just worked - that's why FTDI USB/UART bridges became so successful.
That's also why I still stay with FTDI if I need a USB/UART interface. Of course I prefer micros with USB where possible.

[wraper]

Yeah, this sounds like a cheap excuse. Prolific drivers were crap and FTDI drivers just worked - that's why FTDI USB/UART bridges became so successful.
That's also why I still stay with FTDI if I need a USB/UART interface. Of course I prefer micros with USB where possible.

This is not an excuse but a constatation of the fact what would be the result if such bright idea would be implemented by FTDI.

[C]

Some here like cars in the mix
FTDI gave out keys to the door lock for cars using it's lock.

Old way was open door and get in.

New FTDI test for clones is to Open door and run window down and up with door open. This should take 30 sec.

Now to make it personal, with clones.

Your car has the real thing.
Daughter's car which has a clone tales 28 sec.
Mom's car which has a non clone but same key code takes one minute.
Wife/girlfriend has a clone or real thing that takes 30 sec.

The Wife/girlfriend has a problem finding her car in large parking lots. Her cure is to close the window on a streamer so she can find the car.

If you run your simple safe test what is the results?
It just happens to be raining cats & dogs when you make your test.

Think you should see is what looks to be a safe test harms everyone in this case.
Any change in a driver can have a side effect.


 

[dannyf]

Does it sound reasonable to you that someone's device is ruined by the driver? ***The buyer*** had no clue a fake FTDI chip was used.

Don't you think you answered your question eloquently? emphasis mine.

Who do you think is responsible for a moron running his car off a cliff? The car CEO or the moronic driver?

[suicidaleggroll]

Does it sound reasonable to you that someone's device is ruined by the driver?

No, it was ruined by a counterfeit device making its way into the supply chain.

The buyer had no clue a fake FTDI chip was used.

Doesn't matter.  It's a problem that they received a counterfeit part, and they should take it up with the person who sold them the board/chip.  Run the blame up the chain until the person who made the decision to INTENTIONALLY sell counterfeit devices as legitimate ones gets what they have coming.

For all we know, THIS HAS ALREADY HAPPENED!  Remember, this entire thread is based around a person who intentionally bought a knockoff device that they KNEW had counterfeit parts.  We have NO reason to believe there are ANY counterfeit FTDI chips still in legitimate supply chains.  The last "FTDI-gate" shined a spotlight on the problem and forced distributors to re-examine their supply chains.  We have no reason to believe it didn't work, do we?

[nctnico]

Everyone is so caught up in the temporary inconvenience and hardship experienced by users and designers RIGHT NOW, as FTDI rolls out these drivers.  Yes, it's hard, RIGHT NOW, but if FTDI keeps it up it will be very easy.
You keep saying there's no way to identify fakes.  THERE IS, NOW.  In fact it would be difficult to make it any easier.
You keep saying that you might develop a product, send it out, and it later gets bricked.  Not if they keep this up.  You'd brick your own board as soon as you started development, and all you have to do is plug the customer's board in, hit a character, and you'd know if it's genuine or not.  It would never get into the hands of your customers with a fake chip on it.

This is rather short sighted... The cloners already have a better chip rolling from the production lines so in a few months FTDI has to find a different way of identifying fakes. There is no way of telling that won't affect boards with real FTDI chips but what is certain is that when the differences between the clones and the real ones get smaller the detection algorithm has to be close to the edge so it is very likely that a real chip will be identified as a fake one. Worse, if they use timing related tests then it may fail every now and then leaving the end user with a device which doesn't work every now and then.

[suicidaleggroll]

Everyone is so caught up in the temporary inconvenience and hardship experienced by users and designers RIGHT NOW, as FTDI rolls out these drivers.  Yes, it's hard, RIGHT NOW, but if FTDI keeps it up it will be very easy.
You keep saying there's no way to identify fakes.  THERE IS, NOW.  In fact it would be difficult to make it any easier.
You keep saying that you might develop a product, send it out, and it later gets bricked.  Not if they keep this up.  You'd brick your own board as soon as you started development, and all you have to do is plug the customer's board in, hit a character, and you'd know if it's genuine or not.  It would never get into the hands of your customers with a fake chip on it.

This is rather short sighted... The cloners already have a better chip rolling from the production lines so in a few months FTDI has to find a different way of identifying fakes. There is no way of telling that won't affect boards with real FTDI chips but what is certain is that when the differences between the clones and the real ones get smaller the detection algorithm has to be close to the edge so it is very likely that a real chip will be identified as a fake one. Worse, if they use timing related tests then it may fail every now and then leaving the end user with a device which doesn't work every now and then.

FTDI doesn't have to make it impossible to clone, they just have to make it difficult enough that the counterfeiters move on to another target.  They've already forced the arduino knockoff makers to switch from FTDI fakes to another manufacturer, and if the legitimate distribution channels have closed the holes in their supply chains, who are the counterfeiters going to sell to?  Where is the market, and why would they spend more and more time fighting FTDI when they could just move to another chip?

[timb]

Does it sound reasonable to you that someone's device is ruined by the driver? ***The buyer*** had no clue a fake FTDI chip was used.

Don't you think you answered your question eloquently? emphasis mine.

Who do you think is responsible for a moron running his car off a cliff? The car CEO or the moronic driver?

You and eggroll seem to have reading comprehension problems.

I don't care about people like the OP who intentionally buy cheap Chinese Arduino clones.

What I care about are small shops like myself and others on here. People who design products for their own small companies or are consultants that help other small companies do the same.

We have every intention of using genuine parts, however, being small companies we might get bit by a shady contract manufacturer in China who "borrowed" our reel of genuine FTDI chips and replaced them with clones, or a supply chain problem with DigiKey.

We're not big enough to have an entire team on the ground 24/7 in China, which is why we have to use contract manufacturers in the first place! We might not be able to afford buying 100,000 chips directly from FTDI, which is why we use DigiKey et al.

If an entire batch of products get out into the wild and 6 months later FTDI decides to brick them, it's a disaster. Not only is our reputation gone, but it could cause us to go bankrupt.

A counterfeit 74-series logic chip or LM317 has never caused anyone to go bankrupt.

So, to remove that risk I won't use FTDI parts. That solves the problem for me. If FTDI goes out of business as a result, it's a shame, but they made the choice to alienate their customers and, as a result, lost their free ride.

The real problem at FTDI was precisely that free ride. They relied far too much on sales of a USB to Serial converter. Something most MCUs have built in these days and tons of other manufacturers make.

I suppose they tried, with things like that absolutely terrible GPU chip, but there was no real innovation there. It was nothing Chinese LCD chipset vendors and 4D Systems hadn't been doing for years, only less powerful and far too expensive. There was no innovation.

I think that sums up FTDI's biggest problem: Lack of innovation and vision.

[rs20]

They've already forced the arduino knockoff makers to switch from FTDI fakes to another manufacturer...

I think the most hilarious and beautiful thing is that even genuine Arduinos* have switched from FTDI to another manufacturer. Not due to FTDIgate, but due to simple obsolescence.  It does make me dream about that parallel universe where they used a second Atmel part instead of FTDI from day one**, and implemented a proper debugger rather than the obscene bootloader hack that we're stuck with today. But I'm getting offtopic.

* as listed on their current site, the Uno, Leonardo, Zero etc
** presumably USB AVRs didn't even exist back then?

[pickle9000]

Does it sound reasonable to you that someone's device is ruined by the driver? ***The buyer*** had no clue a fake FTDI chip was used.

Don't you think you answered your question eloquently? emphasis mine.

Who do you think is responsible for a moron running his car off a cliff? The car CEO or the moronic driver?

You and eggroll seem to have reading comprehension problems.

I don't care about people like the OP who intentionally buy cheap Chinese Arduino clones.

What I care about are small shops like myself and others on here. People who design products for their own small companies or are consultants that help other small companies do the same.

We have every intention of using genuine parts, however, being small companies we might get bit by a shady contract manufacturer in China who "borrowed" our reel of genuine FTDI chips and replaced them with clones, or a supply chain problem with DigiKey.

We're not big enough to have an entire team on the ground 24/7 in China, which is why we have to use contract manufacturers in the first place! We might not be able to afford buying 100,000 chips directly from FTDI, which is why we use DigiKey et al.

If an entire batch of products get out into the wild and 6 months later FTDI decides to brick them, it's a disaster. Not only is our reputation gone, but it could cause us to go bankrupt.

A counterfeit 74-series logic chip or LM317 has never caused anyone to go bankrupt.

So, to remove that risk I won't use FTDI parts. That solves the problem for me. If FTDI goes out of business as a result, it's a shame, but they made the choice to alienate their customers and, as a result, lost their free ride.

The real problem at FTDI was precisely that free ride. They relied far too much on sales of a USB to Serial converter. Something most MCUs have built in these days and tons of other manufacturers make.

I suppose they tried, with things like that absolutely terrible GPU chip, but there was no real innovation there. It was nothing Chinese LCD chipset vendors and 4D Systems hadn't been doing for years, only less powerful and far too expensive. There was no innovation.

I think that sums up FTDI's biggest problem: Lack of innovation and vision.

Nailed it.

[zapta]

Nailed it.

Like this?

[C]

FT232R data sheet
http://www.ftdichip.com/Support/Documents/DataSheets/ICs/DS_FT232R.pdf

Page 46
First data sheet release August 2005

So the question is when the first chip from FTDI was released
When was the first clone?

Someone with something that was using a RS-232 hardware serial port shifts to using it's USB port via windows.
Someone with something that was using a Linux USB port shifts to using it's USB port via windows.

In both cases FTDI caused the damage, harm and cost owner time.
And as many have stated the repair costs are HUGE and should be paid for by FTDI.

The source for the something could no longer be in business.

I think it has been stated that you can make a chip that talks USB with out being a member of USB-IF.
Two 16-bit numbers does not grant FTDI any rights to damage third party hardware if someone can use the number legally.

ASYNC serial was a big problems back in the 70's. There is no safe way to identify what is on the other end. Any auto configure that a computer could do needed a way to disable auto configure.

The cure is any end user sending back anything that identifies it's self as a USB to serial device with one exception! That it is intended to talk to very old serial devices.

Nailed it.

Think you missed

Lack of innovation and vision of the users of USB to serial chips.

[rrinker]

Does it sound reasonable to you that someone's device is ruined by the driver? ***The buyer*** had no clue a fake FTDI chip was used.

Don't you think you answered your question eloquently? emphasis mine.

Who do you think is responsible for a moron running his car off a cliff? The car CEO or the moronic driver?

 So the common consumer buyer of a piece of consumer gear should know the details of the internal circuitry and know if there is a real or fake FTDI chip in there? You are confusing electronic experimenters and professionals with the general public who in no way would have the slightest clue nor the knowledge/skill to determine if the product they are buying has a real FTDI chip or some counterfeit one. WE (meaning participants in this forum) may in general know about the details of the hardware - and may like Dave tear things down and look before even turning it on for the first time - that is not a realistic expectation of a consumer.
 That still does not excuse FTDI from destroying the device. Again - if it simply did not work, I'd find it hard for anyone to say FTDI wouldn't be within their rights. Deliberately damaging things is just wrong. This is like if you had a fake iPhone and an Apple rep saw you with it on the street and came over and smashed it.

[rs20]

This is like if you had a fake iPhone and an Apple rep saw you with it on the street and came over and smashed it.

Your example doesn't go far enough, because in your example the person knowingly bought the fake iPhone, and the reason that the phone is smashed is clear to the person.

It's more like if you got given an iPhone by your telephone company (not knowing that the telephone company has dodgy supply chain), and then six months later an Apple rep comes along, carefully opens up your iPhone and cuts the battery wires, and puts it back together without you noticing.

[miguelvp]

If the common consumer purchases a piece of equipment with fake parts and suddenly it stops working, they should take it on the manufacturer of that piece of equipment to get it back into working condition.

The manufacturer should know by now how to detect if the FTDI chip they used is fake or not, since there is plenty of information regarding that. They (the manufacturer) are the ones letting their customers down, not FTDI.

On this new iteration of FTDI combating fake chips, they are not modifying the chip nor rendering useless, they just refuse to talk to the counterfeit chips. Nothing to do with the first FTDIGate when they actually bricked the device on purpose.

[FrankBuss]

It is impossible to show a message box from a Windows driver without some extra work, like a custom user mode application (see e.g. here). And I guess there are limitations what the automatic Windows driver update installs, like no user mode apps, only drivers. So they were lazy and added the TX message.

Of course, not a good solution. I think it is ok when the driver stops working, but it must not send anything unintended. They could release a press release that the driver stops working and provide a link to a user mode application, which checks the device and tells the user that it is a fake chip, instead again such covert actions. And I think the driver can add messages to the Windows event log, which would show the fake chip without installing a test program (@RFZ: can you see anything in the Windows event log?). Seems to be very easy for me: You have a FTDI chip, look in the event log if it is genuine. All manufacturers, users etc. would know it after some time, no big problem. Why do they do such dangerous things again? Microsoft should ban the driver from the update and don't certify it, problem solved, everyone switches to Prolific.

BTW: if you don't need the extra features of the FTDI chip, just the serial port, it should be possible to modify the VID and PID with FT_Prog, and then use an INF file with the standard Microsoft USB serial port driver, like this one.

[Someone]

Where is the evidence that fakes make it into the supply chain of FTDI authorised distributors? (which as of now is: Arrow, Digikey, Farnell/Element14, Mouser, and RS)

Good on them for continuing the push back against fakes. And to the people questioning what happens to life critical or dangerous equipment when there is a failure of a part, the result should be safe as required by all the various international standards. The manufacturer is on the hook for not testing their parts and keeping the supply chain in check, its usually as simple as checking date codes match on the board to the same ones on the parts you sent.

[Tomorokoshi]

So let's say we have this sequence:

1. A device is designed in the USA and an FTDI part is specified. No "equivalent" in the BOM.
2. The device is produced by a contract manufacturer in the USA for a couple years using the FTDI part.
3. The contract manufacturer purchasing department inadvertently gets hold of the counterfeit but otherwise apparently functional parts.
4. The units pass the test fixture because it is not regularly updated with the drivers that either disable or transmit bogus data.
5. Some number of units are distributed to the field.
6. Some of the units fail early because the computer already has the updated driver.
7. Other units work for a while and fail when the driver is updated.
8. The designer of the device has long since worked on another project.
9. The now non-functional units go back through the warranty department, instead of the engineering department.
10. It takes some amount of time before the failure rate is noticed and turned over to engineering.
11. Another engineer is assigned to look at the problem. He is otherwise quite skilled, but not experienced with the FTDI products or issues.
12. The contract manufacturer has since sourced legitimate parts.
13. The devices with the counterfeit parts are written off as containing unreliable FTDI parts.

Unless a very long, multi-week, very expensive investigation is pursued by the designer of the device, the inevitable conclusion is that FTDI produces unreliable parts. Perhaps after two or three rounds of this the expense would be made to find out exactly what happened. If there is a wide variety of designs produced, the failure rate might considered relatively low priority.

With FTDI gaining a reputation for not being reliable, it would not get used for future designs.

Now try to explain all this to the manager who does not understand all the intricacies of the electronics industry.

[miguelvp]

When the original IBM came out, IBM did develop some applications for it and then the clones started to pop-up.

IBM programs would actually check if the rom bios was an original IBM bios and refused to work on clones.

Sure, IBM will sell you the software, but you couldn't ask them to make it work on your clone, regardless if you paid for the software.

As for a life support equipment, well, the manufacturer of that equipment would be liable and of course the practitioner that hooks an untested piece of equipment to a patient before testing if it's in working condition.

And as Frank mentions, you can use the standard winusb driver and provide your own vendor and product id, but you are out of luck using software that expects an FTDI driver with their specific vendor and product id.

Say I go to a well known jewelry store and purchase what I think it's a real Tag Heuer watch. Later to find out it was a fake. I think the jewelry store that sold it to me is liable not Tag.

[rs20]

...its usually as simple as checking date codes match on the board to the same ones on the parts you sent.

You cannot be serious. Nobody does that.

BTW: if you don't need the extra features of the FTDI chip, just the serial port, it should be possible to modify the VID and PID with FT_Prog, and then use an INF file with the standard Microsoft USB serial port driver, like this one.

Really? I thought FTDI did not use the normal serial port protocol (in order to support all those extra features nobody uses ).

[miguelvp]

@Tomorokoshi

If I do buy parts from a well known distributor and end up with fake parts I would expect them to rectify the situation.

Someone mentioned they got fakes from Mouser, well, what was Mouser's response when approached about the fakes?
Or didn't they get notified of the problem?

If your distributor is the one selling you fakes, it's their responsibility and they will have to fix it, if I pay for some brand name and got a fake I will be raising hell with who sold the fake to me.

[suicidaleggroll]

So let's say we have this sequence:

1. A device is designed in the USA and an FTDI part is specified. No "equivalent" in the BOM.
2. The device is produced by a contract manufacturer in the USA for a couple years using the FTDI part.
3. The contract manufacturer purchasing department inadvertently gets hold of the counterfeit but otherwise apparently functional parts.
4. The units pass the test fixture because it is not regularly updated with the drivers that either disable or transmit bogus data.
5. Some number of units are distributed to the field.
6. Some of the units fail early because the computer already has the updated driver.
7. Other units work for a while and fail when the driver is updated.
8. The designer of the device has long since worked on another project.
9. The now non-functional units go back through the warranty department, instead of the engineering department.
10. It takes some amount of time before the failure rate is noticed and turned over to engineering.
11. Another engineer is assigned to look at the problem. He is otherwise quite skilled, but not experienced with the FTDI products or issues.
12. The contract manufacturer has since sourced legitimate parts.
13. The devices with the counterfeit parts are written off as containing unreliable FTDI parts.

11-alternate - the engineer plugs the device into a computer, types a character, sees a message saying the device isn't genuine, all questions answered.  The company contacts the build house, who investigates their supply chain, identifies the cause, and fixes it.

Why are you pretending the problem is so much more mysterious than it actually is?

And why is everybody here pretending it's once again some wide-spread infection, when there is zero evidence to support that?  Again, a year ago it was a problem, FTDI exposed it, distributors were forced to investigate their supply chains, and [hopefully] fix the problem.  A year later, somebody who KNOWINGLY bought a KNOWN COUNTERFEIT device on eBay runs into a similar issue.  So what?  He had it coming.  There is no reason to believe the counterfeiters have infiltrated the legitimate supply chains again as they did a year ago.

[rs20]

A year later, somebody who KNOWINGLY bought a KNOWN COUNTERFEIT device on eBay runs into a similar issue.  So what?  He had it coming.  There is no reason to believe the counterfeiters have infiltrated the legitimate supply chains again as they did a year ago.

Why would FTDI bother doing this to just annoy some hobbyists? Approximately 0.00% of their business is with hobbyists; if that's not the case, then they're already going out of business.

[Someone]

...its usually as simple as checking date codes match on the board to the same ones on the parts you sent.

You cannot be serious. Nobody does that.

On high value products with expensive parts this is not uncommon, if you want to protect against substitute parts you need to be responsible and do some verification of the process.