FTDIgate 2.0?

[onlooker]

Where is the evidence that fakes make it into the supply chain of FTDI authorised distributors? (which as of now is: Arrow, Digikey, Farnell/Element14, Mouser, and RS)

Apparently, in general, counterfeit components got into even more stricly controlled supply chains was not news anymore. This is a quote from a BBC report in 2012 ,

" Vast numbers of counterfeit Chinese electronic parts are being used in US military equipment, a key Senate committee has reported."

[Tomorokoshi]

So let's say we have this sequence:

1. A device is designed in the USA and an FTDI part is specified. No "equivalent" in the BOM.
2. The device is produced by a contract manufacturer in the USA for a couple years using the FTDI part.
3. The contract manufacturer purchasing department inadvertently gets hold of the counterfeit but otherwise apparently functional parts.
4. The units pass the test fixture because it is not regularly updated with the drivers that either disable or transmit bogus data.
5. Some number of units are distributed to the field.
6. Some of the units fail early because the computer already has the updated driver.
7. Other units work for a while and fail when the driver is updated.
8. The designer of the device has long since worked on another project.
9. The now non-functional units go back through the warranty department, instead of the engineering department.
10. It takes some amount of time before the failure rate is noticed and turned over to engineering.
11. Another engineer is assigned to look at the problem. He is otherwise quite skilled, but not experienced with the FTDI products or issues.
12. The contract manufacturer has since sourced legitimate parts.
13. The devices with the counterfeit parts are written off as containing unreliable FTDI parts.

11-alternate - the engineer plugs the device into a computer, types a character, sees a message saying the device isn't genuine, all questions answered.  The company contacts the build house, who investigates their supply chain, identifies the cause, and fixes it.

Why are you pretending the problem is so much more mysterious than it actually is?

And why is everybody here pretending it's once again some wide-spread infection, when there is zero evidence to support that?  Again, a year ago it was a problem, FTDI exposed it, distributors were forced to investigate their supply chains, and [hopefully] fix the problem.  A year later, somebody who KNOWINGLY bought a KNOWN COUNTERFEIT device on eBay runs into a similar issue.  So what?  He had it coming.  There is no reason to believe the counterfeiters have infiltrated the legitimate supply chains again as they did a year ago.

You know how it is - a board comes back from the field, and you're lucky to get two words more than "bad" on the tag. It might take several months before enough work through to get to an engineer who can identify the problem. Meanwhile another copy gets sent out along with two other boards in the system because the field installer doesn't have the debug cable to crack inbetween two embedded systems.

If the driver on a PC can identify the problem, it can pop up a DOS window with a text message. That gets everyone on the same page faster and cheaper.

It's FTDI that is making this complicated.

[janekm]

I would have a little bit less of a problem if FTDI weren't to up their own asses about their distribution in the first place. They literally do not have a single distributor that holds stock in mainland China, meaning that to source their chips from their approved suppliers is at minimum a multi-day affair and bureaucracy hassle. And in fact FTDI forces their approved distributors to not sell to other distributors. Meaning the odds of fakes making it into products is increased. Great strategy guys...

[Tomorokoshi]

@Tomorokoshi

If I do buy parts from a well known distributor and end up with fake parts I would expect them to rectify the situation.

Someone mentioned they got fakes from Mouser, well, what was Mouser's response when approached about the fakes?
Or didn't they get notified of the problem?

If your distributor is the one selling you fakes, it's their responsibility and they will have to fix it, if I pay for some brand name and got a fake I will be raising hell with who sold the fake to me.

Absolutely. You are correct. And they'll cover to the extent of the boards that had the fake installed.

Meanwhile, what about the boards that were replaced that don't have their chip? Reputation and all sorts of other intangibles? There is an awful lot that won't be able to be accounted for in a simple expense ledger.

[C]

Meanwhile, what about the boards that were replaced that don't have their chip? Reputation and all sorts of other intangibles? There is an awful lot that won't be able to be accounted for in a simple expense ledger.

Like the designer that used the chip after the first driver caused damage.

[janekm]

Actually the whole situation is stupid beyond belief. What FTDI should have done, in the first instance, is provide a tool that can be used in a test setup to verify that a chip is a valid FTDI part. That would be a move that would actually reduce the number of clones going into products, while giving designers more confidence in using FTDI parts. What they are doing, like others pointed out, simply leads to FTDI parts being replaced by other parts...

[FrankBuss]

BTW: if you don't need the extra features of the FTDI chip, just the serial port, it should be possible to modify the VID and PID with FT_Prog, and then use an INF file with the standard Microsoft USB serial port driver, like this one.

Really? I thought FTDI did not use the normal serial port protocol (in order to support all those extra features nobody uses ).

Looks like you are right. I just changed the VID and PID with FT_Prog to a generic usbser.sys device driver file (the mbed inf file doesn't work anymore on Window 10, because it is not signed, a temporary solution is to use this signed inf file from Microchip, with VID 04D8 and PID 000A, which just uses the standard usbser.sys) and it says "code 10" in the Windows device manager, device not working. Tested with a FT2232H.

PS: To reset it to the factory programmed VID and PID I shorted CS and VCC (pin 1 and 8 ) of the EEPROM with a tweezer while connecting it to the USB port (you really shouldn't do this if you are not an electronics hacker ), because otherwise FT_Prog doesn't detect it and the ft232r_prog on Linux doesn't support the CRC of the more modern FT2232H chip. But if no EEPROM is detected, the factory programmed VID 0403 and PID 6010 will be used and you can then read the EEPROM again and restore the factory programmed VID and PID.

[filssavi]

Where is the evidence that fakes make it into the supply chain of FTDI authorised distributors? (which as of now is: Arrow, Digikey, Farnell/Element14, Mouser, and RS)

Good on them for continuing the push back against fakes. And to the people questioning what happens to life critical or dangerous equipment when there is a failure of a part, the result should be safe as required by all the various international standards. The manufacturer is on the hook for not testing their parts and keeping the supply chain in check, its usually as simple as checking date codes match on the board to the same ones on the parts you sent.

Get out of your hobbist bubble, do you really think that a company like Apple producono tens of millions of pices a year can check the source of each single IC (let alone each component pasdives include) in their phones?

This is beyond stupid...

Your solution is doable for hobbists doing runs of tens or low hundreds or for extremely expensive stuff (think very high end oscilloscopi) where again few 10's get made each year but for general ewuipment it would be way too much work

[miguelvp]

You can bet that Apple does procure the parts well before going into production and their distribution chains are going to be well defined.

Chances for fakes slipping in is for short runs.

[FrankBuss]

Get out of your hobbist bubble, do you really think that a company like Apple producono tens of millions of pices a year can check the source of each single IC (let alone each component pasdives include) in their phones?

Apple don't need to check the source, because they buy directly some containers from the manufaturers, no middle men who can fake it. But for lower volumes a test program would be feasible, if it can be integrated in an automated production environment (=command line program).

[filssavi]

Get out of your hobbist bubble, do you really think that a company like Apple producono tens of millions of pices a year can check the source of each single IC (let alone each component pasdives include) in their phones?

Apple don't need to check the source, because they buy directly some containers from the manufaturers, no middle men who can fake it. But for lower volumes a test program would be feasible, if it can be integrated in an automated production environment (=command line program).

Well even then, there are some applications (white goods) where the manifacturers work hard at shaving off each unnecessary reaistor/capacitor to have higher margins and you call for a custom testing jig that is more expensive(or at least in the same ballpark) than the entire production run (after alla even if it's something to design test end deploy) do you really think that anyone will suck un such bug NRE cost? (I'd shurely change IC)

[Karel]

I don't think anyone here would have a problem if it simply did not work if a fake FTDI chip was detected. No writing back to the device in a way that destroys it, no altering the communications. Just - doesn't work unless a genuine FTDI chip is used. That's entirely within FTDI's rights. Intentionally damaging a device is over the line.

It is fine to refuse working. It is not fine to dump garbage data.

This I don't understand. For the end user there's no difference. In both cases it effectively bricks the device.

Or are you hypocrite and would you like to rollback to an old driver and, as a result, keep on using the fake chip?

[Karel]

We have every intention of using genuine parts, however, being small companies we might get bit by a shady contract manufacturer in China who "borrowed" our reel of genuine FTDI chips and replaced them with clones, or a supply chain problem with DigiKey.

It's not the fault of FTDI that you want to do business with shady contract manufacturers in China.
You take the risk, you take the blame.

[pickle9000]

We have every intention of using genuine parts, however, being small companies we might get bit by a shady contract manufacturer in China who "borrowed" our reel of genuine FTDI chips and replaced them with clones, or a supply chain problem with DigiKey.

It's not the fault of FTDI that you want to do business with shady contract manufacturers in China.
You take the risk, you take the blame.

FTDI is at fault for putting doubt in the minds of designers, regardless of the intention that was the result. That lowers sales of their chips and that is bad for business.

[timb]

We have every intention of using genuine parts, however, being small companies we might get bit by a shady contract manufacturer in China who "borrowed" our reel of genuine FTDI chips and replaced them with clones, or a supply chain problem with DigiKey.

It's not the fault of FTDI that you want to do business with shady contract manufacturers in China.
You take the risk, you take the blame.

It could happen with any contract manufacturer, even US ones. The Chinese manufacturer might not be shady. My reel could be mislabeled and used for another job, so they scramble to replace it. There's a number of ways, malicious or not, that the authenticity of my parts could be compromised. All of that is even assuming I can guarantee the provenance of the parts before I send them out in the first place.

There are a lot of companies that can't make 5000 boards themselves but still can't afford a pick and place machine and reflow oven. Economics and the free market dictate the price of our goods, which is why contract manufacturers exists. Even large companies use them! Ever hear of Foxconn?

Since you have all the answers though, please, suggest an alternative.

Get out of your hobbist bubble, do you really think that a company like Apple producono tens of millions of pices a year can check the source of each single IC (let alone each component pasdives include) in their phones?

Apple don't need to check the source, because they buy directly some containers from the manufaturers, no middle men who can fake it. But for lower volumes a test program would be feasible, if it can be integrated in an automated production environment (=command line program).

Bingo. This is the solution. But they don't.

The big problem with this whole fiasco isn't even the fact FTDI "bricks" the devices. That's bad, for sure, but the fact they silently slipped the driver into Windows update is even worse.

That means potentially thousands of devices could stop working months or years after I have manufactured and sold them to customers. So, in essence FTDI is turning their problem into my problem.

Punishing end users and product creators for supply chain issues only ensures nobody uses your product.

Counterfeit ICs are a big problem, that's for sure. But what FTDI is doing isn't the solution.

On a more general note, in this and my past two posts I've provided clear, concise reasons as to why FTDI's actions are wrong. The few people who agree with them don't seem to be be capable of properly articulating why or to provide any evidence that FTDI's current course is even effective in stopping counterfeits. So, I'll make your argument for you: I posit that it *is* effective in stopping counterfeits, at the expense of the company itself and their product line. If people stop using their parts, they lose sales, ergo they won't be targets for counterfeiters. This seems like a great solution, but they'll go out of business as a result.

[Karel]

We have every intention of using genuine parts, however, being small companies we might get bit by a shady contract manufacturer in China who "borrowed" our reel of genuine FTDI chips and replaced them with clones, or a supply chain problem with DigiKey.

It's not the fault of FTDI that you want to do business with shady contract manufacturers in China.
You take the risk, you take the blame.

It could happen with any contract manufacturer, even US ones. The Chinese manufacturer might not be shady. My reel could be mislabeled and used for another job, so they scramble to replace it. There's a number of ways, malicious or not, that the authenticity of my parts could be compromised. All of that is even assuming I can guarantee the provenance of the parts before I send them out in the first place.

There are a lot of companies that can't make 5000 boards themselves but still can't afford a pick and place machine and reflow oven. Economics and the free market dictate the price of our goods, which is why contract manufacturers exists. Even large companies use them! Ever hear of Foxconn?

Since you have all the answers though, please, suggest an alternative.

I do understand that you are willing to take those risks in order to keep the production cost low and in order to be able to compete.
I have no problem with that. Just don't blame FTDI when your manufacturer screws up. It's the risk you are willing to take to keep
your business alive. I also understand that you want to "lower" your risk by avoiding FTDI chips.
We don't have this problem because we don't produce our products in the far-east/Asia.
So, we happily continue to use FTDI chips. But it seems that this thread is full of people who think that avoiding FTDI is the only sane
choice... I just don't get it.

FTDI wants to protect their business. And for an enduser, there is no difference between a driver that refuses to work or bricks the
chip or make it send garbage data. In all cases, the device doesn't work.
Also, bricking the chip is more effective because it makes it harder to keep on using the fake chip with an older FTDI driver.
Imho, FTDI is doing the only smart thing here.

[rs20]

We don't have this problem because we don't produce our products in the far-east/Asia.

Who are your customers? Consumer? Commercial? Industrial? Medical? Military?

[Someone]

Where is the evidence that fakes make it into the supply chain of FTDI authorised distributors? (which as of now is: Arrow, Digikey, Farnell/Element14, Mouser, and RS)

Good on them for continuing the push back against fakes. And to the people questioning what happens to life critical or dangerous equipment when there is a failure of a part, the result should be safe as required by all the various international standards. The manufacturer is on the hook for not testing their parts and keeping the supply chain in check, its usually as simple as checking date codes match on the board to the same ones on the parts you sent.

Get out of your hobbist bubble, do you really think that a company like Apple producono tens of millions of pices a year can check the source of each single IC (let alone each component pasdives include) in their phones?

This is beyond stupid...

Your solution is doable for hobbists doing runs of tens or low hundreds or for extremely expensive stuff (think very high end oscilloscopi) where again few 10's get made each year but for general ewuipment it would be way too much work

Hobbyist bubble is not where I work, even medium sized players will negotiate directly with the supplier for pricing and delivery but may still make the transaction through a sales agent/organisation. Supply chain assurance is something the big players do seriously, and having dedicated lines at the fab house can separate the parts to your organisation (who are very professional and wouldn't risk losing the contract to save a few dollars).

I'm still waiting to see the quotes where these fake parts made their way into the authorised distributor network.

[RFZ]

It is impossible to show a message box from a Windows driver without some extra work, like a custom user mode application (see e.g. here). And I guess there are limitations what the automatic Windows driver update installs, like no user mode apps, only drivers. So they were lazy and added the TX message.

Of course, not a good solution. I think it is ok when the driver stops working, but it must not send anything unintended. They could release a press release that the driver stops working and provide a link to a user mode application, which checks the device and tells the user that it is a fake chip, instead again such covert actions. And I think the driver can add messages to the Windows event log, which would show the fake chip without installing a test program (@RFZ: can you see anything in the Windows event log?). Seems to be very easy for me: You have a FTDI chip, look in the event log if it is genuine. All manufacturers, users etc. would know it after some time, no big problem. Why do they do such dangerous things again? Microsoft should ban the driver from the update and don't certify it, problem solved, everyone switches to Prolific.

Hmm, I cannot see a message from the driver in the eventlog. If FTDI wanted to show a message to the users, there would be a way, pretty sure.
If there really is NO WAY for a driver to show a message, FTDI could still reserve a PID for a device called "Fake FTDI Chip, please visit ftdi.com/fake" and change the PID of these fakes to this one. Displaying a different device name might also be possible without actually changing the PID... There are ways...

[wraper]

It is impossible to show a message box from a Windows driver without some extra work, like a custom user mode application (see e.g. here). And I guess there are limitations what the automatic Windows driver update installs, like no user mode apps, only drivers. So they were lazy and added the TX message.

As I said before, this is a big no, at least for me. I don't want any apps loading when windows starts. You are suggesting loading crapware on every genuine customer computer instead of punishing only those who use counterfeits. As of windows update, applications coming together with drivers are possible. Don't look further than Nvidia or AMD GPU drivers.

[nctnico]

Everyone is so caught up in the temporary inconvenience and hardship experienced by users and designers RIGHT NOW, as FTDI rolls out these drivers.  Yes, it's hard, RIGHT NOW, but if FTDI keeps it up it will be very easy.
You keep saying there's no way to identify fakes.  THERE IS, NOW.  In fact it would be difficult to make it any easier.
You keep saying that you might develop a product, send it out, and it later gets bricked.  Not if they keep this up.  You'd brick your own board as soon as you started development, and all you have to do is plug the customer's board in, hit a character, and you'd know if it's genuine or not.  It would never get into the hands of your customers with a fake chip on it.

This is rather short sighted... The cloners already have a better chip rolling from the production lines so in a few months FTDI has to find a different way of identifying fakes. There is no way of telling that won't affect boards with real FTDI chips but what is certain is that when the differences between the clones and the real ones get smaller the detection algorithm has to be close to the edge so it is very likely that a real chip will be identified as a fake one. Worse, if they use timing related tests then it may fail every now and then leaving the end user with a device which doesn't work every now and then.

FTDI doesn't have to make it impossible to clone, they just have to make it difficult enough that the counterfeiters move on to another target.  They've already forced the arduino knockoff makers to switch from FTDI fakes to another manufacturer, and if the legitimate distribution channels have closed the holes in their supply chains, who are the counterfeiters going to sell to?  Where is the market, and why would they spend more and more time fighting FTDI when they could just move to another chip?

The distribution channels will never close their holes. For starters AFAIK the FTDI chips are made in Indonesia. If there is one country where money talks and a fake batch can be introduced into the official supply line it is there!
Then again you'll also need installed base for a product to be recognisable as being used often. If you have a certain chip on a development board you are likely to use that chip again. It has also happened to me many times that a customer has seen a chip on a board and specifically asked to use that chip in a new design. Now think again about Arduino clones using a different chip... that chip will end up in many design requirements instead of the FTDI chips. Following your reasoning FTDI now has shrunk their market share and more importantly: less design-in chances.

[C]

Google "ftdi ft232 pinout compatible"
Only bit-bang mode prevents a chip swap.
The smart big manufacturers are probably asking are we still using FTDI? WHY?

Look at what is possible today for same or less cost.
If the usb device did not receive some commutations from the os side driver, it could reattach as a usb flash drive.  One small HTML formated file on the drive and it is very easy for the end user to get what is needed.

When is FTDI going to start bricking other VID/PID that use it's windows driver?
You don't harm or change someone else's property!!
The first time FTDI's actions is it's end.
This second time just nailed the coffin shut.

FTDI has caused more harm then IBM did with it's PS2 line of computers. IBM lost on the PS2.
If Microsoft does not reverse this windows update driver change then Microsoft is also a responsible party to damages.

[Karel]

When is FTDI going to start bricking other VID/PID that use it's windows driver?

A driver is tied to a particular VID. As long as you don't mess with your system,
a driver will only be used for the devices which presents themselves with that particular VID.
If a chip is presenting itself with a VID that doesn't belong to that brand and if it is doing so without permission,
it's asking for to be bricked.
So, you don't need to worry as long as you don't use fake chips.
If you do use fake chips, you should be worried and for a good reason.

[janoc]

So, you don't need to worry as long as you don't use fake chips.
If you do use fake chips, you should be worried and for a good reason.

I hope you understand the difference between "bricked accidentally because it is incompatible" and "bricked because of an explicit, malicious action". The first one should get an engineer who designed the widget fired for incompetence, the second will get your company sued. There is a fine line between these two cases and I think the wide consensus is that what FTDI is doing cannot really be considered accidental damage anymore.

I do wonder why did FTDI and Microsoft backtrack so quickly when the first FTDIgate broke out, if this sort of thing is considered acceptable - the cost of that step was certainly non-negligible. Could it be that some company lawyer got a heart attack from the idea that some large vendor could sue the bejeezus out of them for damaged equipment and the costs for dealing with the fallout of their stupid actions,  perchance?

Do we really have to go through the 70+ pages long thread from start, rehashing these thoroughly debunked arguments all over again? This is seriously ridiculous.

[eugenenine]

I suppose Microsoft's "Genuine Advantage" system should be renamed into Microsoft-gate too?

Bad example since Microsoft's "Genuine Advantage" has crippled so many legal installs of the Windows over the years.