FTDI driver kills fake FTDI FT232??

[mikeselectricstuff]

Now that they appear to have realised the error of their ways, maybe the "I'll never use FTDI again" brigade should consider this :
Company F screws up, realises it and fixes it.
Company S hasn't (yet) screwed up.

Which of the two is more likely to do something stupid like this in the future?

"That guy's error cost me $x000"
"Why didn't you fire him"
"Why should I do that, I just spent $X000 training him..."

[Richard Crowley]

A quick check of FTDI's website doesn't appear to offer any resources for manufacturers to test their parts to see whether they are genuine.

They seem to have the same attitude as Rufus, simply telling people to "do the right thing" without offering any help to actually do that.
They would have some sympathy from me if they were offering useful resources for people to confirm they were getting the "real thing".

[dr.diesel]

Which of the two is more likely to do something stupid like this in the future?

I dunno, you can't usually fix stupid.  I've met lots of these type of people, they never learn.

[nsayer]

Now that they appear to have realised the error of their ways, maybe the "I'll never use FTDI again" brigade should consider this :
Company F screws up, realises it and fixes it.
Company S hasn't (yet) screwed up.

Which of the two is more likely to do something stupid like this in the future?

"That guy's error cost me $x000"
"Why didn't you fire him"
"Why should I do that, I just spent $X000 training him..."

No, no, no. This wasn't a mistake. This was an unbelievably unethical decision deliberately made. There is a difference. I will still avoid FTDI Chips henceforth. Fool me once, shame on you. Fool me twice, shame on me.

Cypress Semi has a pin-compatible replacement. I've got a few on order already to test.

[all_repair]

As a bit of an oddity, I'll ask the folks here for a similar thing I asked of FTDI support:

Can someone create a tool to reproduce the "kill" operation of the 2.12 driver? If this is a "thing" that can happen, I'd prefer to add a few seconds of production test time to screen parts that might cause the end-user grief down the road. This is, in essence, a vulnerability without a clear way to patch it - so the easiest route I can do is attempt to brick any devices that might get a non genuine part in the lot. (I buy all my parts from Mouser and Digikey, but they're not omnipotent or flawless).

A better way is to do a VI characteristics comparison of all permutation of pin combinations with a known good sample.

Yu may be stuck with FTDI chip , but with the latest reply, they still look like a hidden time bomb that may explode anytime.  The only way for FTDI to gain back some trust is stopped their trolls online immediately, and then do a public "execution" of those responsible to show that the cancer is removed totaly, and then give some online tool for supporters to verify their purchases.  They do not need 100% check.  A few percent of people doing that, and having the ability to do that shall help to keep the supply chain clean.  It is MAD MAD MAD to go after the end users, but they still have not given up the ideas of nuclear-bombing the end-users in their wars against the other chip makers. 

[nctnico]

Seems I have higher moral standards than most here -

No you are just making a complete fool out of yourself. It is childishly naive to think that you can get a 100% guarantee you won't get functional equivalent chips in mass production or in a product you buy from a third party. It makes me think you have no experience at all with mass producing electronics.

Nobody says that they want to buy funtional equivalent chips on purpose (I wouldn't). But if devices manage to slip through then people would like a warning so they can remedy the situation instead of getting cornered.

[amyk]

Incidentally, the current difference that they are exploiting is quite easy to fix and in a few months we will see clones that are invulnerable to the current destructive clone counterfeit test.

Few months? More like a few weeks... look how long it took for the Chinese to clone Apple's Lightning cable - and that was RE from scratch, not in this case where all they have to do is update a mask ROM and start producing new chips.

In fact I think the moment that driver update was released, they saw the problem and were working on fixing it. I'm almost willing to bet they've already fixed it and are just waiting for the wafer fab.

And in all of this remember that the only thing different between an illegal counterfeit and legal clone is the marking on the outside of the package. It is completely legal to reverse-engineer and reimplement an IC - look here for the relevant US law, the EU also has similar provisions. Based on the die markings of one "Supereal SR1107" clone, and how different it is from the real one, I think this is what happened, and then someone else (illegally, in violation of trademark law) put FTDI's name on it. FTDI hasn't mentioned any patent rights either, so they can't go after them that way. The driver has no way of knowing whether a differently-behaving chip has been branded "FTDI", or is a generic compatible clone, so adding code with the intent of rendering unusable those chips is anti-competitive and could be illegal under the various other laws people have mentioned here.

Also agree with the others that this would be a great time to move to a non-proprietary standard protocol like CDC - for which source code is available for both AVRs, PICs, and several other common MCU families.

[Simon]

. The lawyers will certainly make some money here.

Regardless of what you think of FTDI's decision, it is the counterfeiters that are the criminals and it is the responsibility of the goods manufacturer to sell products containing authentic parts. As a manufacturer, if you cannot control your buyers then you should change how you operate. Some people on this topic appear to be sympathising with the manufacturer who has inserted the counterfeit product into a design. Perhaps a minority deserve sympathy but not the majority.

If a designer or budgeter within a company creates a cost list with the price of a component listed as it would be supplied from the grey (risky) market, and not a price from the chip manufacturer’s franchised dealer, and the company goes onto source that component from the grey market then does that company really deserve sympathy? No.

I think most poeple on here are concerned about the END USER that gets shafted, correct if a manufacturer uses a bad part it's their fault and they are the first responsible, if people go back to them and tell them they are wankers because their stuff is fake they may be able to go back up their supply chain to find out what happened or inform FTDI and help them find the counterfeiters. but just rendering end user equipment useless is not helping anyone and won't help them track down fakes. They have made this a huge public thing by what they did. they could have been more subtle about it so that their ability to detect and not work with fakes did not become so public and they could have worked on modifications to their future chips to make checks. Any security can be overcome, but you have to know about it first. What they did let the cat right out of the bag and now they have lost this method of detecting fakes, what a bunch of wollys.

[nctnico]

Now that they appear to have realised the error of their ways, maybe the "I'll never use FTDI again" brigade should consider this :
Company F screws up, realises it and fixes it.
Company S hasn't (yet) screwed up.

That thought has crossed my mind as well. The thing is that the rat race between the competition and FTDI has now begun. The competition will change their design to mimic the original devices closer so the current driver can't tell the difference. Then FTDI will look for different ways to make a new driver tell their devices and those from the competition apart. This vicious circle will soon lead to false positives due to silicon aging defects in FTDI devices. The only solution for FTDI is to beat the competition at their own game: lower their prices and let the volume make up for the lower price. Maybe even do a die shrink to get more chips from a wafer. The competition uses a 500nm process where FTDI is still on a >600nm process (http://zeptobars.ru/en/read/FTDI-FT232RL-real-vs-fake-supereal)

[tggzzz]

I think most poeple on here are concerned about the END USER that gets shafted

Curiously I'm also worried that FTDI have shafted themselves by this "Sony rootkit" moment. I'll never put any Sony software on my machines (and by implication would never put a Sony SmartTV on my network) because I can't trust Sony not to brick my equipment.

FTDI produces good stuff AFAIK - but can they be trusted in the future? Such doubt is corrosive, and is a godsend for competitors in the long term.

I hope (and expect that it is a low probability) they have not bricked any equipment that could be regarded as being "of national importance". The risk: the criminal (not civil) law could descend on the individual programmers.

[linux-works]

I've been thinking about how this could be done, in terms of working with vendors.  you have adafruit, sparkfun and even amazon selling chips that may have questionable sourced chips in their products.  and being able to return a product is usually limited to a short time period and you may even have to have kept your receipt.  I know I have bought arduino nano clones from amazon and they probably have 'fake' chips in them.  but they are long after the 30 day return period.

does ftdi want to work with the vendors and somehow allow exceptions so that anyone with old hardware that is not genuine can still return it?  is that even possible?  I can't see any practical way to get this process to work.  some sellers are temporary; they 'sell and run' and so even if amazon took the chips back, who do THEY yell at?  even worse with ebay and its 100% useless to try to put pressure on direct china ebay sellers.  you can't even return products to them (if you are not local) at an affordable price.  what costs them a fraction of a dollar to ship to you costs 10x or even 100x that to return the item to them; again, they may not even exist anymore (typical of ebay china sellers; they change usernames and come and go all the time).

it would take a team of fulltime people to scout out all the sellers who have fake chips in their inventory and to serve them court notices.  even if you tried that, many are in countries that will just rip up said court notice and laugh at it.

face it, there is NO WAY to go after companies who use fake chips.  this is the modern world of manufacturing and unless you are a mega corp, you simply cannot punish all the vendors using fake parts.  and, as seen here, its morally wrong to punish consumers and end-users who posess those chips in products they bought.

there is no solution here.  some have suggested that the new driver update should refuse to init the fake chips.  even that is going too far.  it punishes the user and there will be no real pushback that punishes the sellers.

ftdi is just going to have to realize that they have created too good of a product and, as they say, 'imitation is the most sincere form of flattery' (lol).

what do companies do when in this situation?  show the users how much better THEIR real chips are (and I'm sure the real chips ARE better in many ways) - but to disable the use of fake chips is just not the way forward on this problem.

I hope that the next driver update flashes a message to the user, informs them that, in the future, they should run this 'checker' app against all NEW purchases and demand a return to the seller if the test fails.  provide a link in the message popup to download a checker app but do NOT disable the chip that is plugged in and do NOT refuse to enable/init it.  simply educate the user and give him a tool so that, next time he buys a device with this chip, he can test it and at least have 30 days return window to 'punish' the seller.

items that are over 30 days old can't usually be returned and there is no practical way to do a 'buy back' that I'm aware of.

[XFDDesign]

A better way is to do a VI characteristics comparison of all permutation of pin combinations with a known good sample.

Yu may be stuck with FTDI chip , but with the latest reply, they still look like a hidden time bomb that may explode anytime.  The only way for FTDI to gain back some trust is stopped their trolls online immediately, and then do a public "execution" of those responsible to show that the cancer is removed totaly, and then give some online tool for supporters to verify their purchases.  They do not need 100% check.  A few percent of people doing that, and having the ability to do that shall help to keep the supply chain clean.  It is MAD MAD MAD to go after the end users, but they still have not given up the ideas of nuclear-bombing the end-users in their wars against the other chip makers.

Redesigning existing products would require both a PCN and a lot of headaches. Adding an EOL production test requires neither of those at the expense of a few seconds. Once you hit a certain size, products become beasts that must be fed. I don't even have the capacity to care about Blame Theater at this point.

Additionally, doing curve traces on every part will take much longer than running a simple chunk of code.

[Leonelf]

FTDI just tweeted, that they removed the update from WinUpdate and are working on a less invasive option:
http://www.ftdichipblog.com/?p=1053

[free_electron]

The simplest solution would be to have the driver pop up a message that says :
" This device attempted to load the wrong driver. Please contact the device manufacturer to get an updated driver."

And that's it. Then someone who has bought something with the fake part can go bombard the seller with requests for the right driver , or ask for his money back.

[nctnico]

even worse with ebay and its 100% useless to try to put pressure on direct china ebay sellers.  you can't even return products to them (if you are not local) at an affordable price.  what costs them a fraction of a dollar to ship to you costs

That is not quite right. A Paypal claim is a strong tool to get your money back and Ebay isn't kind to sellers who sell counterfeit brands. The Chinese seller I got my boards from has nearly 4000 feedbacks so may have sold 10k to 20k devices totalling to a $100k to $500k turnover. I would not call that a hit&run operation.

[linux-works]

you think ebay is going to even LISTEN to you after 30 or perhaps 90 days?

are they going to reimburse you for the high cost of shipping back to china?

I once bought a laptop battery from a china ebay seller and it was a fake (the chip in the battery reported the wrong data and the charger never charged it well, plus it had fit/size issues with its cheap plastic casing).  ebay told me to send  it back and I did, but at the time I didn't realize it had to be the most expensive form of shipping (with tracking).  I asked the post office when I was there if this form of mailing was trackable and they (incorrectly) told me it was.  well, it was a half lie: you could see it left the US and 'entered china' but that was all.  OF COURSE, the seller denied ever getting the battery back and the cost of 'cheap' shipping was $20, as it was!  I ended up being out $20 AND the battery; the seller got the battery back (I'm pretty sure) and laughed at the whole thing.

ebay is not going to help here unless they simply refund you outright OR foot the bill for prepaid return shipping to the seller.  you think they'll do that?  HA!  I seriously doubt it.

amazon might; they are a high-service vendor.  they have done things like that, in the past, for me.  but ebay/paypal?  they are thieves, themselves, and they now exist to protect their cash cows, the 'power sellers'.  and most of the power sellers are in china and 99% of them could care less about IP rights.

[Leonelf]

The simplest solution would be to have the driver pop up a message that says :
" This device attempted to load the wrong driver. Please contact the device manufacturer to get an updated driver."

And that's it. Then someone who has bought something with the fake part can go bombard the seller with requests for the right driver , or ask for his money back.

I think they should rather give us a non-cryptic message like "The product you are attempting to use is using a faked FTDI chip. Please contact the manufacturer"
Then it should just not work (not support it, but not kill it). Then everyone has a share: End-users know what's wrong (kinda), people w/ skill can just use an older driver and FTDI does something against fraud.
That was my main problem w/ the pid=0 driver thing: The enduser didn't know what's wrong

[Kjelt]

The simplest solution would be to have the driver pop up a message that says :
" This device attempted to load the wrong driver. Please contact the device manufacturer to get an updated driver."

Indeed except that at the moment the driver is unable to tell the difference.
There should be a cryptographic handshake in the protocol before the driver activates. Only drivers AND chips with the correct PSK and secret protocol should accept eachother.
It is always difficult if not impossible to secure hw and sw afterwards, you have to design it in from the beginning.
And the next disaster is already lurking in the shadows: car electronics with CAN bus are not secure either and everybody that has a bit of security knowledge is already 

[linux-works]

The simplest solution would be to have the driver pop up a message that says :
" This device attempted to load the wrong driver. Please contact the device manufacturer to get an updated driver."

And that's it. Then someone who has bought something with the fake part can go bombard the seller with requests for the right driver , or ask for his money back.

and if its beyond the return period, often which could be as little as 7 days or as much as 30 or 90 days?  if its outside the window OR if the seller left the business or changed  names; how do you propose this actually work, in the Real World(tm)?

like I said in my previous post, a download link to a 'tester' app would help and a message that informs the user that NEXT TIME he buys, he should run this tester while still in the 30 days return window.  that's fair and do-able.  anything else is just plain wrong.

[SydB]

just rendering end user equipment useless is not helping anyone and won't help them track down fakes

Well, this has raised the awareness of counterfeit components and caused problems for those supply lines using the fakes. The problem is that a lot of people have been upset. Also it is not a bad thing that a few more people will have learned not to blindly accept Windows updates (or unnecessary driver updates for that matter).

their ability to detect and not work with fakes did not become so public and they could have worked on modifications to their future chips to make checks

I agree the sensible thing would have been for the driver update to simply not work with the fake chips, and not actually alter them, if possible. Not sure what you mean by 'modifications to their future chips to make checks' as modifications just get copied.

[nctnico]

you think ebay is going to even LISTEN to you after 30 or perhaps 90 days?

You are barking to the wrong tree. Open a Paypal claim. It has worked for me several times.

[nsayer]

Cypress Semi has a pin-compatible replacement. I've got a few on order already to test.

Are you sure they are genuine? Seems like the cloners would do well to switch to stamping a Cypress logo on their ICs and using Cypress' VID/PID in future, now they know that FTDI is actively trying to stop their drivers working with fake parts.

I buy from DigiKey and Mouser, so my chances are good I'm getting legit product. Furthermore, I believe the Cypress chip follows the CDC standard, so there's no vendor specific driver they can mess with (I may be wrong - I'll know when the chips get here and I test them).

[nsayer]

FTDI just tweeted, that they removed the update from WinUpdate and are working on a less invasive option:
http://www.ftdichipblog.com/?p=1053

That's not quite accurate. Microsoft removed the update and bitch-slapped them.


EDIT: It has been pointed out to me that I presented this as fact, where I have no basis to state as such. It should read:

That's likely not quite accurate. Microsoft probably removed the update and bitch-slapped them.

[Kjelt]

That's not quite accurate. Microsoft removed the update and bitch-slapped them.

Thats what you said numerous times and probbably like to believe but there is 0 evidence to back it up so it is pure speculation from your side?

[limbo]

FTDI Official statement about driver removal: http://www.ftdichipblog.com/?p=1053