FTDI driver kills fake FTDI FT232??

[nctnico]

Now my point is will it apply in this case?
A number of questions spring to mind,
How does it apply internationally?
I assume the actual devices aren't permanently damaged here, but like most of this stuff it is arguable.
How do you prove it was intentional to damage or inconvenience?
Or was the intention something else, like to stop other devices from using their driver? And the bricking was a side effect?
Was it rendered useless?

I dont know what the legal people of various countries would make of this, if it ever came to court.
If I had to guess I would say not much.
As a result I am far from sure that it was an illegal thing to do.

You are jumping the facts here. To take it to an extreme: It's like saying having sex with an underage girl is OK if she likes it. A crime is a crime.

[StuB]

I dont know what the legal people of various countries would make of this, if it ever came to court.

I rather doubt it's going to court anywhere.  The very big players either don't have counterfeit, or will simply rectify counterfeit in their products when/if detected.  Given that the driver's been rolled back for now, they even get a small reprieve.  The smaller players - especially individuals who may have a USB-serial cable modified - they're not going to start any lawsuit, they'll just complain about it on the internet, and then run whatever tool is needed to get it working again.

In the mean time, FTDI has said "sorry" somewhere: http://www.eetimes.com/author.asp?section_id=36&doc_id=1324420
Still more of a "sorry we got caught and the backlash was this severe, but" than a "sorry we used end-users as pawns, here's how we intend to make it right", but at least the word "sorry" is in there.

[XFDDesign]

If a question is flawed like asking if the users expectations are the same thing as what the intention of the driver is then yes I will automatically correct it.

Just because you say it's flawed, does not make it so. What you actually mean, is that you have no logical rebuttal to the essentials of the issue.

Device does work vs. the engine in your example doesn't that is the contradiction that is automatically fixed as well.

You've stated in response to the end user's experience, the device is broken. You can't keep your own answers straight. Both are broken for the end user's experience. They do not work. The only way your position works, is if the user possesses the required knowledge to undo the "damage." You have no grounds to refute that, so you just keep going with...

Your example states that the engine which is the chip doesn't work (it is physically broken) which is completely factually incorrect.

..styles of rewriting what was stated, in order to frame the issue to support your premises. In both cases, neither device has been "utterly disintegrated" - it merely requires the right tools and an appropriate fix. You've yet to rebut this, because you can't. You have to rewrite the statement in order to frame it in a way that confirms your broken position. This is verified by the fact you cannot keep your own answers straight.

So there it is spelled out for you.

...

The basic reality is the device works but the driver does not want to talk to it and that is intended. The user may not expect that to happen and should go after the seller and so on so that the fake chips can be rooted out.

Babbling justifications of trivial and irrelevant nonsense

It isn't physically broken or even non-functional that is the core problem with your engine example.

So as you're vomiting the technicolor word salad with this nonsense, you're spinning in place with your contradiction. You have neither an argument nor a compelling case. What you have is a belief which you have to load up with qualifiers and conditions in order to hide the fact, which you agreed with, that to the typical end user, there is no difference between one device which does not perform as they expect suddenly, and another device which suddenly does not perform as they expect. You have to refute this fact, before any of your drivel has a leg to stand on. Perhaps with your next response I'll just go back and refute you with your own statements, since you've made enough contradictions.

[mamalala]

How do you prove it was intentional to damage or inconvenience?

By looking at the code in the driver that did the bricking. The disassembly makes it very clear that this was an targetted attack. That code does nothing on original devices, so it is not needed for them. So the only purpose it could ever have is to tamper with non-FTDI devices. In this case it is really easy to prove/show.

It would be a completely different thing if, lets say, they use an init-sequence that these chips (original and "counterfeit") need, but would have found a sequence order that still works on the FTDI part but causes trouble on non-FTDI parts. Then it would be quite hard to prove intent. If they would then subsequently kept their mouth shut and did not brag on the web about it, like they did with this issue.

Greetings,

Chris

[mamalala]

In the mean time, FTDI has said "sorry" somewhere: http://www.eetimes.com/author.asp?section_id=36&doc_id=1324420

Yea, riiight. Reading stuff like:

... and a side effect is that counterfeit devices are putting themselves into a noncompatible state ...

only shows that theyy are fully aware that what they actually did is really not legal in many (most? all?) jusrisdictions. There was no "side effect". This was a targetted attack.

Man, they are so full of bullshit now...

Greetings,

Chris

[MikeGTN]

Well every campaign needs a driving style song.

Mine is from New Order Temptation.

Up down, turn around please don't let FTDI hit the ground. Never seen a serial port like you before.
After this update believe have lost some.  Just like a Microsoft update inside. Up down turn around please don't let FTDI hit the ground.
Tonight I think will work alone. Find myself a substitute. Each way I turn.
Oh you've got counterfeit chips, never seen anyone like you before.
When we package this all up have no place to go. Oh it's the last time. Oh you've got grey eyes, oh you've got blue eyes.

Thoughts from above piss off people down below. Oh it's the last time. Have never met a company quite like you before!

Mike.

[CrosseyeJack]

So I emailed FTDI because I wasn't happy with the "statement" they released over the matter.

Dear Daniel,

Thank you for your recent email regarding our recent driver release – we appreciate your feedback and your comments have been noted.

As you are probably aware, the semiconductor industry is increasingly blighted by the issue of counterfeit chips and all semiconductor vendors are taking measures to protect their IP and the investment they make in developing innovative new technology. FTDI will continue to follow an active approach to deterring the counterfeiting of our devices, in order to ensure that our customers receive genuine FTDI product. Though our intentions were honorable, we acknowledge that our recent driver update has caused concern amongst our genuine customer base.  I assure you, we value our customers highly and do not in any way wish to cause distress to them.

The recently release driver release has now been removed from Windows Update so that on-the-fly updating cannot occur. The driver is in the process of being updated and will be released next week. This will still uphold our stance against devices that are not genuine, but do so in a non-invasive way that means that there is no risk of end user’s hardware being directly affected.  We’ll try and flag some kind of message to alert users, but as the drivers reside at Kernel mode it’s not as straightforward as it seems.

Although in some parts of the media it has been implied that there was some form of counterfeit detection algorithm in the driver, this was in fact absolutely untrue. There was no mechanism of that description in place and hence no flagging up of a counterfeit device ever occurred. Exactly the same commands were sent to a genuine chip and a counterfeit chip. Some counterfeit devices simply failed to handle certain commands correctly and quarantined themselves.

Support1 email has been around for years – it sends it to a team rather than an individual – whoever is available will answer your enquiry, nothing sinister. I’m not sure what’s being going on with the Twitter thing but I’ll look into it.

Yours Sincerely

Fred Dart - CEO

The Email part was because their email address listed on the site was support1@ftdi... and it seemed odd to me to have support1@ instead of support@ and asked if the address was changed to curb a tide of incoming mail.

The Twitter part was me asking why twitter comments seemed to come across as a "Tough Shit" attitude towards customers.

Although in some parts of the media it has been implied that there was some form of counterfeit detection algorithm in the driver, this was in fact absolutely untrue... Exactly the same commands were sent to a genuine chip and a counterfeit chip.

While it is true that the commands were sent to both legit and fake chips it does make me wonder why FTDI were trying to set their legit chips to a PID of 0.

As for me personally, I went though all my FTDI equipped devices with the bad driver and "tested" them, thankfully not a single issue. I still do not like what happened, I did not like the statement they released, I do not like how they seem to be covering the issue up (But with the cover up thing, that is probably damage control and so they don't get sued over the issue) but as Mike pointed out in a earlier post...

Now that they appear to have realised the error of their ways, maybe the "I'll never use FTDI again" brigade should consider this :
Company F screws up, realises it and fixes it.
Company S hasn't (yet) screwed up.

Which of the two is more likely to do something stupid like this in the future?

"That guy's error cost me $x000"
"Why didn't you fire him"
"Why should I do that, I just spent $X000 training him..."

I'm not sure about discarding them just yet, but this whole issue has made (and probably will for some time) think twice about FTDI.

EDIT: Silly me I pushed submit on wrong tab and submitted the "unfinished" preview.

EDIT2: I checked the WayBack Machine and the support1@ address has been in use for a while so was no way a method to avoid email.

[Rufus]

The Dutch criminal law says 2 years in jail or a 20k euro fine if you render something which isn't yours useless:
http://wetten.overheid.nl/BWBR0001854/volledig/geldigheidsdatum_29-10-2014#TweedeBoek_TitelXXVII_Artikel350

Well if you want to press on with bullshit legal arguments I'll raise you with the DMCA. The VID and PID of a USB device could reasonably be considered to be an access control method for drivers which may be copyrighted.

Anyone using a non-genuine FTDI USB device with VID and PID causing access to copyrighted FTDI drivers without licence would be guilty of circumventing access controls and people selling such USB devices guilty of trafficking circumvention tools.

[eneuro]

It also features several additional I/O pins and functionality. And in a small, very convenient footprint compatible for breadboard use, etc. and sells for US$5.95

Yep, perfect guess it is was Pololu
However, on DigiKey in evaluation and demonstration boards and kits found also something like this for 6$: digikey: CP2104-MINIEK
Its schematics I've included earlier in this thread are there:
http://www.silabs.com/Support%20Documents/Software/CP2104-MINIEB_Board_Files.zip
Looks more compact than Pololu.

While need to make galvanic insulated USB <-> I2C PCB too, so I'm of couse more interested in CP2104 itself which is also available at DigiKey for less than $1.5.
Adding a few fast optocouplers to its 4 GPIO's will change this SIL2104 (CP2104) into a few kV insulated USB <-> I2C 

No need to play with FTDI I2C which is not galvanic insulated USB <-> I2C I guess, so simply useless in my project and even do not want look into its datasheet after all this mess with FT232 

[Rufus]

Maybe "fake" is a good word for a counterfeit chip, but a CLONE is NOT a "fake".

Completely irrelevant. The issue is the unlicensed use of copyright FTDI drivers with chips which were not manufactured by FTDI.

On top of that modification of a non-genuine FTDI chip so it no longer loads unlicensed drivers is not damage - the chip will work as well as it ever did if you get some other drivers.

[mikeselectricstuff]

"A month ago, we did an update to our driver, and a side effect is that counterfeit devices are putting themselves into a noncompatible state," Gordon Lunn, global customer engineer support manager at FTDI, told us. "The same API calls go out to all devices, whether genuine or nongenuine. The fake ones are not as compatible as you would expect.

Trying to imply that it wasn't deliberate..

However, the company has specifically said there is no "fake detection" algorithm in the driver.

Again, Twisting the truth to imply something other than their intention

There is also a potential security issue (which we highlighted last month) with microcontroller-based USB devices being reprogrammed with malware. "Our understanding is we think they are microcontroller based, so they are potentially more vulnerable," Lunn said. "You can't change what a genuine device actually does."

trying to spread FUD

[StuB]

Rufus, you would have to legally argue two things:
1. That a PID/VID is copyrightable - which only brings with it "who holds the copyright, FTDI or the USB-IF? And if the latter, was FTDI granted the right to effectively police that copyright on USB-IF's behalf?".  Though that is part of a larger discussion of whether VID/PID can be seen as intellectual property at all, and is of no consequence to..
2. ..it being used as an 'access control mechanism' under the DMCA; which doesn't apply in all countries in the first place*, and which I think you'll find is not necessarily as strong a defense as you might think; see Lexmark International, Inc. v. Static Control Components, Inc.  With that as precedent, you would then have to argue, somehow, that the duplication of PID/VID constitutes a new program if seen within the larger context of the device's entire workings - even though the PID/VID are all that are needed for the driver invocation.

* In Germany, for example, a legal analysis:
http://www.golem.de/news/ftdi-treiber-darf-keine-geraete-deaktivieren-1410-110161.html
( I do stress that this is Germany, and a legal analysis - not a court case.  In fact, they conclude that even though it may well break German law, FTDI being a Scottish company makes it a cross-border conflict that is not easily fought. )

In many ways I wish there were a lawsuit (preferably in the USA), because it would make for a very interesting court case on things like intent, ownership of (counterfeit) hardware, interoperability laws, intellectual property laws, manufacturer's rights, license agreements (both FTDI and MSFT) applicability both 'as is' and when implied (at best) through automatic update mechanisms, and many, many more.

[janoc]

On top of that modification of a non-genuine FTDI chip so it no longer loads unlicensed drivers is not damage - the chip will work as well as it ever did if you get some other drivers.

Rufus, are you still pushing this silly theory? 

I think the legal departments beg to differ about the "not damage" idea. What do you think, why did they pull the driver update? I somehow doubt it was because of the sudden charitable enlightenment towards the counterfeiters ...

Yeah, technically you are right - but law doesn't hinge on such USB technicalities when drawing the line between what is legal and what is not. Was the product intentionally sabotaged? Yes. Was it unauthorized by the user? Yes. That's alone sufficient for prosecution for criminal damage to property. Whether or not the damage is recoverable or not is *irrelevant* - for all intents or purposes the device is dead, because there is *no* alternative driver that its owner can use with the modified IDs. So why are you still pushing this BS?

And that is not even taking into account the dubious enforceability of the driver EULA in many places in the first place.

[pickle9000]

EE Times

http://www.eetimes.com/author.asp?section_id=36&doc_id=1324420

No comment

[janoc]

Rufus, you would have to legally argue two things:
1. That a PID/VID is copyrightable - which only brings with it "who holds the copyright, FTDI or the USB-IF? And if the latter, was FTDI granted the right to effectively police that copyright on USB-IF's behalf?".  Though that is part of a larger discussion of whether VID/PID can be seen as intellectual property at all, and is of no consequence to..

StuB, I think this is pretty much a red herring anyway - nobody is asserting that the VID/PID is copyrighted. The mechanism they were trying to use is that the *drivers* are and it is *their* EULA that forbids use with unauthorized products.

Whether this is enforceable or not is a different discussion - copyright license cannot normally be used to restrict *use*, only duplication of the work. That's why the typical EULAs are actually *contracts*, not licenses from the legal point of view, regardless of which word they use to describe it.

However, contract cannot be concluded without some explicit action of both parties (unlike providing a license), that's why many places require at least a click-through wrapper where you must explicitly accept the contract for it to be binding. Even that may not be sufficient - depends on the country, some require more than just clicking on some silly button for the contract to be considered valid. Bundling a contract somewhere on the hard drive with the work or having it on a website has no legal power - that's why if the license wasn't shown during the driver update, they could be in hot water over that as well.

[Rufus]

Whether or not the damage is recoverable or not is *irrelevant* - for all intents or purposes the device is dead, because there is *no* alternative driver that its owner can use with the modified IDs. So why are you still pushing this BS?

There being no alternative driver with any ID is a clear admission that the device was always dead. FTDI has no obligation to support chips they didn't manufacture. People had created zombies with the illegal use of FTDI drivers and now they can't.

[Rufus]

The VID/PID is only part of an "open" hardware interface, and it is actually the operating system that "decides" [through whatever mechanism, and VID/PID is only one of those available mechanisms] to "attach" a specific driver to a USB device.  So, in this case, the criterion for a violation of the DMCA is not met.

Because you say so or because you know it has been tested in a court?

There is no requirement in the DMCA for the access control method to be secret or challenging to circumvent.

[Rufus]

Rufus, you would have to legally argue two things:
1. That a PID/VID is copyrightable - which only brings with it "who holds the copyright, FTDI or the USB-IF? And if the latter, was FTDI granted the right to effectively police that copyright on USB-IF's behalf?".  Though that is part of a larger discussion of whether VID/PID can be seen as intellectual property at all, and is of no consequence to..

StuB, I think this is pretty much a red herring anyway - nobody is asserting that the VID/PID is copyrighted. The mechanism they were trying to use is that the *drivers* are and it is *their* EULA that forbids use with unauthorized products.

Whether this is enforceable or not is a different discussion - copyright license cannot normally be used to restrict *use*, only duplication of the work.

The DMCA has separate provisions for access control mechanisms and duplication of copyright works.

[abzman]

... illegal ...

I don't think that word means what you think it means. 


ESPECIALLY because most of the world doesn't recognize the DMCA as law, you know, not being in the US and all...

[StuB]

Rufus,

I largely agree with what you have written (although I disagree with FTDI's actions - they could have gone for a much more PR-positive approach and, with appropriate marketing, had a more meaningful debate about counterfeits and what to do about them, and eradily identified infringing parties  Though I recognize that may not have been their goal in the first place. )

However, you keep repeating this (or things along the same line such as "it was always a brick"):

There being no alternative driver with any ID is a clear admission that the device was always dead.

Is there any chance I can convince you to say "the device was always unsupported"?
To say "it was always dead", even though users had clearly been using them for many years, is absurd (if a bit Michelangeloic).  That's like suggesting that, upon its confiscation due to it having been stolen, a car that you've been driving around in for 15 years never actually moved a millimeter.

[nctnico]

Whether or not the damage is recoverable or not is *irrelevant* - for all intents or purposes the device is dead, because there is *no* alternative driver that its owner can use with the modified IDs. So why are you still pushing this BS?

There being no alternative driver with any ID is a clear admission that the device was always dead.

Wrong again. The functional equivalent also stops working on Linux and OSX (for which FTDI didn't provide the drivers).

[janoc]

Whether or not the damage is recoverable or not is *irrelevant* - for all intents or purposes the device is dead, because there is *no* alternative driver that its owner can use with the modified IDs. So why are you still pushing this BS?

There being no alternative driver with any ID is a clear admission that the device was always dead.

Wrong again. The functional equivalent also stops working on Linux and OSX (for which FTDI didn't provide the drivers).

Not to mention that I was actually talking about the *changed IDs*, not the original ones (for which there obviously is a driver!), whether one provided by FTDI or a third-party one (in Linux, for ex.).

And DMCA  Since when is DMCA applicable to a company in Scotland (UK) and laws broken e.g. in France, Germany or Netherlands? It probably wouldn't apply even in the US - there is a fairly clear procedure of what one has to do in order to obtain relief under it. Vigilantism and disabling of supposedly infringing (only a court could determine whether something infringes, btw) devices is certainly no part of that.

Rufus is obviously trolling, I don't think it is worth to keep debunking this nonsense.

[a210210200]

If a question is flawed like asking if the users expectations are the same thing as what the intention of the driver is then yes I will automatically correct it.

Just because you say it's flawed, does not make it so. What you actually mean, is that you have no logical rebuttal to the essentials of the issue.

Device does work vs. the engine in your example doesn't that is the contradiction that is automatically fixed as well.

You've stated in response to the end user's experience, the device is broken. You can't keep your own answers straight. Both are broken for the end user's experience. They do not work. The only way your position works, is if the user possesses the required knowledge to undo the "damage." You have no grounds to refute that, so you just keep going with...

Your example states that the engine which is the chip doesn't work (it is physically broken) which is completely factually incorrect.

..styles of rewriting what was stated, in order to frame the issue to support your premises. In both cases, neither device has been "utterly disintegrated" - it merely requires the right tools and an appropriate fix. You've yet to rebut this, because you can't. You have to rewrite the statement in order to frame it in a way that confirms your broken position. This is verified by the fact you cannot keep your own answers straight.

So there it is spelled out for you.

...

The basic reality is the device works but the driver does not want to talk to it and that is intended. The user may not expect that to happen and should go after the seller and so on so that the fake chips can be rooted out.

"Babbling justifications of the most critical and fundamental nature" (Automatically fixed that for you)

It isn't physically broken or even non-functional that is the core problem with your engine example.

So as you're vomiting the technicolor word salad with this nonsense, you're spinning in place with your contradiction. You have neither an argument nor a compelling case. What you have is a belief which you have to load up with qualifiers and conditions in order to hide the fact, which you agreed with, that to the typical end user, there is no difference between one device which does not perform as they expect suddenly, and another device which suddenly does not perform as they expect. You have to refute this fact, before any of your drivel has a leg to stand on. Perhaps with your next response I'll just go back and refute you with your own statements, since you've made enough contradictions.

The facts make your statement flawed. So instead of attempting to counter my statements you just keep saying the same thing that the device is physically dead when it isn't.

From the user perspective the device is fake the internet made that so abundantly clear. (Literally simple fact is the fake device is not broken)

A better example would be the car engine doesn't work and the person checks google and finds out he was scammed and the engine does "work" it just doesn't work with his car (FTDI's driver) because it is fake.

The fundamental difference is the car engine requires physical repair the fake chip does not. Rebut that please. One can even work with Linux after an automatic update and on windows probably not without a user installed bypass.

You don't need a 2 dollar bearing if you use linux you may not even have to do anything at all if you have automatic updates. On windows ignoring microsoft and using a 3rd party bypass will work as well. (This is the miles apart thing, if the chip was physically damaged as you so claim even slightly you would have to spend physical time/tools/money to fix it)


If you like simple questions then:

Is the device (Fake chip) physically damaged?
Is the device (Fake chip) not operable with other non-FTDI software?

What is the cost/time for replacing a bearing on an engine?
Can a physical bearing be downloaded into a broken engine automatically?

[Rufus]

There being no alternative driver with any ID is a clear admission that the device was always dead.

Is there any chance I can convince you to say "the device was always unsupported"?
To say "it was always dead", even though users had clearly been using them for many years, is absurd (if a bit Michelangeloic).  That's like suggesting that, upon its confiscation due to it having been stolen, a car that you've been driving around in for 15 years never actually moved a millimeter.

If you could convince other people not to keep saying the FTDI drivers killed, bricked, damaged, rendered inoperable, etc the device?

The devices were on life support provided by the illegal use of FTDI drivers, FTDI figured out how to and turned off the switch. I believe it was within their rights to do so. No one is stopping you resurrecting the corpses by writing some other drivers or using the legal ones on Linux.

[a210210200]

As for "word games", notice that the FTDI paid shills on this forum incessantly use the word "fake"-- over and over and over again to drive it into your brain that the problem is these "fake chips".

Maybe "fake" is a good word for a counterfeit chip, but a CLONE is NOT a "fake".

In "engineer lingo" ::

CLONE != FAKE

This is all a smoke screen to keep you off of the most important aspect of this case, and that is that *someone* inside of FTDI gave the order to write and distribute ILLEGAL MALWARE to damage [otherwise] innocent end-users products.  THAT ACT was a [so-called] "cyber-crime" and is a class-I felony in the USA, and will get you about 20 years in federal prison!  AND, since the act was [by FTDI's own admission] not an "honest mistake", but was actually a malicious act carried out with malice and forethought, and with full knowledge and intent, then the normal "corporate shield" that protects officers and directors of corporations from criminal prosecution and/or civil litigation does not apply in this case.  In other words, whomever gave the order at FTDI is subject to arrest, AND their personal assets can be attached and/or seized pending any civil litigation.  WAY TO GO FTDI!  {...idiots!...}

It would not surprise me greatly to learn that someone from the US department of Just-Us is investigating this matter, and arrests could be imminent.  It would also not surprise me to learn that somewhere out there is an "ambulance chasing" attorney that is looking at this case as his [or her] next "class-action cash cow".

CLEARLY, FTDI took this action without consulting their legal counsel first.

Another prediction:  This will open up the eyes of the Just-Us department, and I would not be surprised to learn that they are also investigating *other* companies that have engaged in similar activities-- [i.e. Prolific et. al.].

Question how many of the fake FTDI chips lack any FTDI markings. And how many of them enumerate using their own drivers. A proper legal clone has its own VCP driver, its own branding. People themselves have listed proper real clones which either don't have a USB stack or provide their own drivers free of any FTDI copyright/trademarks.

Microsoft distributed Windows Genuine Advantage and with windows Vista it was basically a time bomb type application and actually did have a ton of false positives but they never committed a cyber crime because their EULA said so and they technically do have many rights since the software (as is the FTDI driver) is not really "owned" by you it is just licensed for limited use.

I highly doubt the US is going to go after such companies as there are bigger fish to fry and anti-counterfeiting measures are technically allowed including disablement systems.

Part of the HDMI HDCP protocol is something called certificate revocation which any blu-ray can contain an updated list which all devices are required to update to NV memory and since every device must check the entire device chain for validity if your cheap knock off adapter gets revoked it would blank your screen and your system would stop working. (It is perfectly "legal" to disable a system permanently for copy protection, anti-counterfeiting) The HDCP protocol is adopted globally as well (basically everything runs it even DVI, Displayport, ... support it)