Author Topic: FTDIgate 2.0?  (Read 248157 times)


Offline amyk

  • Super Contributor
  • ***
  • Posts: 6541
Re: FTDIgate 2.0?
« Reply #700 on: February 10, 2016, 12:22:43 pm »
Quote
Except using your driver (and your VID/PID) is not illegal.
I'm pretty sure that this is in violation of assorted pieces of business, contract, and Intellectual property law.  The license terms of the FTDI driver only allow it to be used with FTDI chips.

Business/contract law:

I don't think it's ever been tested, but I find it hard to believe that a sane legal system would grant a fiat monopoly on a 16-bit integer (VID) to an organization. USB-IF is self-proclaimed and has no legal authority over the use of VIDs other than contracts their members may have signed and their USB trademarks. I don't know if the cloners are infringing on the USB trademarks, but I think that is an entirely unrelated matter to the use of VIDs they did not register with a standards body. IP law has gone sort of insane in North America in the past couple of decades, but reverse engineering and interoperability are still somewhat protected. IANAL, but in the spirit of the IP law and other judgements about protocol reversing and the like, I would think that VID use for interop purposes is probably allowed, and my personal opinion is that it should be. Reverse engineering and compatible products are an important part of a healthy competitive market IMHO.

Copyright:

The license terms of the FTDI driver are irrelevant to the cloners, even if EULAs were worth the bits they were stored with. The chip makers don't need to ever agree to them, in principle. It is the end user that uses the driver (though they don't need to agree to them either, since it's silently installed by Windows). Nor do the clone companies need to "copy" the driver such that copyright would be invoked, since the user can get it directly from FTDI, who is obviously licensed to copy their own code.


Legally my take is that both sides are mostly in the clear. If there are counterfeit chips with FTDI markings there might be a trademark case, but that doesn't mean the existence of clones is not allowed. I do not believe there would be a strong copyright or trade secret case. There may be patents involved, but since the CEO himself admits they have implemented the design in a completely different way, I doubt they are in play.
Further reading... I posted these links before but they may have gotten lost in all the posts:

https://en.wikipedia.org/wiki/Semiconductor_Chip_Protection_Act_of_1984
https://en.wikipedia.org/wiki/Lexmark_International,_Inc._v._Static_Control_Components,_Inc.
https://en.wikipedia.org/wiki/Sega_v._Accolade
 

Offline AlxDroidDev

  • Frequent Contributor
  • **
  • Posts: 471
  • Country: br
    • Arduino Web Brasil
Re: FTDIgate 2.0?
« Reply #701 on: February 10, 2016, 01:20:01 pm »
Quote
Pretty sure most of the Arduino UNO clones use FTDI clones.
Quote
  Wrong. Not a single one.
http://osepp.com/products/arduino-compatible-boards/uno-r3-plus/ Used (uses?) an FTDI.  I think a fake one too.  They weren't particularly cheap, and were sold via some retail chains (Fry's Electronics, in particular), indicating a substantial marketing effort, rather than a mom&pop eBay store.
http://osepp.com/products/arduino-compatible-boards/uno-r3-plus/

That is not a genuine Arduino, but a clone/compatible board.

The old Arduinos did use FTDI chips, though:


That is a genuine Arduino NG I bought directly from Italy, years ago. It is the first board that had USB (the original Arduino had an RS232 serial port). The FTDI chip is well recognizable. The Duemilanove and Diecimila that followed had FTDI as well:

https://www.arduino.cc/en/Main/Boards

Uno and onwards had the ATMega8u2.

They have also sold USB-UART adapters for the boards without them (Pro Mini, for ex.) using the FTDI chips:
https://www.arduino.cc/en/Main/MiniUSB

That's not an UNO.  That's a NG. There are no UNO clones using an FTDI, and my previous statement was directed specifically at the UNOs.

The UNO necessarily uses a 16U2. If it features anything other than that, it's not a clone, but a derivative.

I have a clone of the UNO, with a 16U2. It has all the right silk screens, except for the "Made In Italy". That's what gives away the fact that it's not a genuine Arduino.
"The nice thing about standards is that you have so many to choose from." (Andrew S. Tanenbaum)
 

Offline rrinker

  • Super Contributor
  • ***
  • Posts: 1921
  • Country: us
Re: FTDIgate 2.0?
« Reply #702 on: February 10, 2016, 05:48:03 pm »
 The Uno clone I have uses a CH340g. I was surprised to see that. That makes it not a total clone, as there would be some things that can't be done without that second Atmel. But it so far works with anything I've tried, including serial comms.

 

Offline janoc

  • Super Contributor
  • ***
  • Posts: 2954
  • Country: fr
Re: FTDIgate 2.0?
« Reply #703 on: February 10, 2016, 07:39:40 pm »
That's not an UNO.  That's a NG. There are no UNO clones using an FTDI, and my previous statement was directed specifically at the UNOs.

The UNO necessarily uses a 16U2. If it features anything other than that, it's not a clone, but a derivative.

Clones (as in exact copies) no, because there cannot be such a thing without using the Atmega16u2/8u2. Code needing that wouldn't work (like the various USB HID hacks).

However, that is pretty much nitpicking, IMO. When people speak about "UNO", they are usually referring to anything from NG, Leonardo to real UNO and their copies/derivatives - i.e. the form factor (as opposed to e.g. Mega, Pro mini, Nano, etc), not the exact parts on the boards.



« Last Edit: February 10, 2016, 07:45:43 pm by janoc »
 

Offline C

  • Super Contributor
  • ***
  • Posts: 1345
  • Country: us
Re: FTDIgate 2.0?
« Reply #704 on: February 10, 2016, 08:53:42 pm »

Unless there is some new tech that I have not seen

Software drivers do not have EYEs, they can not read what is written on a chip.

Marcan found one chip that works better than FTDI in bitbang mode?

Anyone find a Fred Dart bad chip?
How chip is labeled does not count as driver can not see that.
One that acts in a bad way on the outputs of chip for example?
 
 

Offline mtdoc

  • Super Contributor
  • ***
  • Posts: 3582
  • Country: us
Re: FTDIgate 2.0?
« Reply #705 on: February 10, 2016, 09:27:18 pm »
It's pretty clear that while there may have been some early Arduinos using FTDI chips, currently (and in the past few years I believe) the vast majority have not.  In fact I think one would be hard pressed to find an Arduino clone or derivative on eBay or AliExpress using an "FTDI" chip - though as others have pointed out there are still a few around.

Therefore I find Mr. Dart's statement very curious:
Quote
Basically, what we discovered was that 90% of the problem were Arduino “bargain” copy/clone related, mainly sold on EBay, Alibaba, Amazon Marketplace by anonymous sellers.
.
Is he just out of touch with the end user market for his chips or what?
 

Offline dadler

  • Supporter
  • ****
  • Posts: 851
  • Country: us
Re: FTDIgate 2.0?
« Reply #706 on: February 10, 2016, 09:27:37 pm »
 

Offline AlxDroidDev

  • Frequent Contributor
  • **
  • Posts: 471
  • Country: br
    • Arduino Web Brasil
Re: FTDIgate 2.0?
« Reply #707 on: February 15, 2016, 01:13:07 pm »
That's not an UNO.  That's a NG.

 There are no UNO clones using an FTDI, and my previous statement was directed specifically at the UNOs.

The UNO necessarily uses a 16U2. If it features anything other than that, it's not a clone, but a derivative.

Clones (as in exact copies) no, because there cannot be such a thing without using the Atmega16u2/8u2. Code needing that wouldn't work (like the various USB HID hacks).

However, that is pretty much nitpicking, IMO. When people speak about "UNO", they are usually referring to anything from NG, Leonardo to real UNO and their copies/derivatives - i.e. the form factor (as opposed to e.g. Mega, Pro mini, Nano, etc), not the exact parts on the boards.

Really? People say UNO when they mean a Leonardo ? Ouch. That is like saying I have a Fiat 500 when in reality I have a Mini Cooper.

An UNO is one thing (uses a 16U2, has 3V3 regulator), and a NG is an entirely different thing (uses FTDI, only 5V). They were even shipped with different bootloaders.

C'mon, people, "UNO" is not a generic name for an Arduino. It is a specific model. 
"The nice thing about standards is that you have so many to choose from." (Andrew S. Tanenbaum)
 

Offline retrolefty

  • Super Contributor
  • ***
  • Posts: 1606
  • Country: us
  • measurement changes behavior
Re: FTDIgate 2.0?
« Reply #708 on: February 15, 2016, 02:21:06 pm »
That's not an UNO.  That's a NG.

 There are no UNO clones using an FTDI, and my previous statement was directed specifically at the UNOs.

The UNO necessarily uses a 16U2. If it features anything other than that, it's not a clone, but a derivative.

Clones (as in exact copies) no, because there cannot be such a thing without using the Atmega16u2/8u2. Code needing that wouldn't work (like the various USB HID hacks).

However, that is pretty much nitpicking, IMO. When people speak about "UNO", they are usually referring to anything from NG, Leonardo to real UNO and their copies/derivatives - i.e. the form factor (as opposed to e.g. Mega, Pro mini, Nano, etc), not the exact parts on the boards.

Really? People say UNO when they mean a Leonardo ? Ouch. That is like saying I have a Fiat 500 when in reality I have a Mini Cooper.

An UNO is one thing (uses a 16U2, has 3V3 regulator), and a NG is an entirely different thing (uses FTDI, only 5V). They were even shipped with different bootloaders.

C'mon, people, "UNO" is not a generic name for an Arduino. It is a specific model.

 Well not totally specific. Even the 'UNO' model is currently at hardware revision 3. My first arduino was a 'cloned bare PCB with RS-232 nine pin connector model with a 168 chip but could be upgraded to the 328 when they first were released. But the need to be specific to many questions one has to keep in mind that the term arduino board can even be a 32 bit ARM based board that the IDE supports.
 

Offline Kilrah

  • Supporter
  • ****
  • Posts: 1767
  • Country: ch
Re: FTDIgate 2.0?
« Reply #709 on: February 15, 2016, 02:30:13 pm »
C'mon, people, "UNO" is not a generic name for an Arduino. It is a specific model.

The UNO necessarily uses a 16U2. If it features anything other than that, it's not a clone, but a derivative.
No the "UNO" uses an atmega328 ;)
The "UNO R3" uses a 16u2.

They sure haven't helped make it less confusing when reusing model names.
 

Offline AlxDroidDev

  • Frequent Contributor
  • **
  • Posts: 471
  • Country: br
    • Arduino Web Brasil
Re: FTDIgate 2.0?
« Reply #710 on: February 15, 2016, 04:13:32 pm »
No the "UNO" uses an atmega328 ;)
The "UNO R3" uses a 16u2.

I think you're mixing the chips.

Both use the Atmega328 as the main microcontroller.

The original UNO uses the Atmel 8U2 as the USB-to-UART bridge. The current version of the UNO, R3, uses the Atmel 16U2 as the USB-to-UART bridge.

This is the reason the UNO has 2 ICSP ports: one for the 328 microcontroller, and one for the 8U2/16U2 microcontroller being used for USB bridge.
"The nice thing about standards is that you have so many to choose from." (Andrew S. Tanenbaum)
 

Online nctnico

  • Super Contributor
  • ***
  • Posts: 18027
  • Country: nl
    • NCT Developments
Re: FTDIgate 2.0?
« Reply #711 on: February 15, 2016, 05:01:50 pm »
And now this thread has turned into discussing what should be on a pepperoni pizza...  :palm:
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline Kilrah

  • Supporter
  • ****
  • Posts: 1767
  • Country: ch
Re: FTDIgate 2.0?
« Reply #712 on: February 15, 2016, 05:28:55 pm »
Oh yep, sorry...
 

Offline os40la

  • Regular Contributor
  • *
  • Posts: 120
  • Country: us
Re: FTDIgate 2.0?
« Reply #713 on: February 15, 2016, 10:57:48 pm »
cheese and pepperoni at least...  ;D  Sorry I couldn't resist.

Why don't we start an open source crowd/fund for a nice driver from the clones. If we put as much effort into writing the driver as we spend talking about it then this could top the FTDI driver..   >:D
"No, but I did stay at a Holiday Inn Express"
 

Offline blueskull

  • Supporter
  • ****
  • Posts: 12479
  • Country: cn
  • Power Electronics Guy
Re: FTDIgate 2.0?
« Reply #714 on: February 15, 2016, 11:50:51 pm »
cheese and pepperoni at least...  ;D  Sorry I couldn't resist.

Why don't we start an open source crowd/fund for a nice driver from the clones. If we put as much effort into writing the driver as we spend talking about it then this could top the FTDI driver..   >:D

You can use FTDI's official Linux driver (GPL2) as protocol reference, then couple it with DDK and a virtual COM driver, such as com0com.
I estimate the total amount of work for a proficient Windows driver engineer is <20hrs. Even paying $50/hr, it is less than $1k.
 

Offline f4eru

  • Frequent Contributor
  • **
  • Posts: 557
Re: FTDIgate 2.0?
« Reply #715 on: February 16, 2016, 10:47:13 pm »
And how much do you have to pay microsoft for the right to install it on production PCs ? (get a cert)
 

Offline janoc

  • Super Contributor
  • ***
  • Posts: 2954
  • Country: fr
Re: FTDIgate 2.0?
« Reply #716 on: February 16, 2016, 10:55:46 pm »
And how much do you have to pay microsoft for the right to install it on production PCs ? (get a cert)

A driver signing cert is AFAIK a few hundred USD.
https://www.digicert.com/code-signing/driver-signing-certificates.htm

$178/year, the signed code remains valid even after the year - you just can't sign any more code until you pay the fee again. They aren't exactly making a killing on these - the prices are similar for other types of certs elsewhere (e.g. for SSL for a website).

 

Offline marcan

  • Regular Contributor
  • *
  • Posts: 80
  • If it ain't broke I'll fix it anyway.
    • My blog
Re: FTDIgate 2.0?
« Reply #717 on: February 17, 2016, 06:43:48 am »
Starting with Windows 10 you need an EV certificate for code signing drivers, which is more expensive (and a bureaucratic hassle - needs real identity/address verification, private key is on a USB token, etc).

They aren't exactly making a killing on these - the prices are similar for other types of certs elsewhere (e.g. for SSL for a website).
SSL certificates for websites (or any other kind of Internet server) are free for everybody.
« Last Edit: February 17, 2016, 06:47:04 am by marcan »
 

Offline amyk

  • Super Contributor
  • ***
  • Posts: 6541
Re: FTDIgate 2.0?
« Reply #718 on: February 17, 2016, 11:12:16 am »
I believe it's actually much easier to install unsigned drivers on the newer versions of Windows - just boot into "unsigned driver mode" by pressing a key at the boot screen, install the driver, then reboot and it'll keep working.
 

Offline gmb42

  • Regular Contributor
  • *
  • Posts: 174
  • Country: gb
Re: FTDIgate 2.0?
« Reply #719 on: February 17, 2016, 12:21:25 pm »
Starting with Windows 10 you need an EV certificate for code signing drivers, which is more expensive (and a bureaucratic hassle - needs real identity/address verification, private key is on a USB token, etc).

OT, but needs to be clarified.

This isn't exactly correct, although MS haven't been as precise as possible when enumerating what you do need and when.

If your driver isn't required for boot, i.e. actually need to boot the OS so some sort of filesystem driver, then you don't need an EV cert, even for Windows 10.

What you do need is a code-signing cert that has a valid cross signing chain back to the MS Code Verification Root (MS CVR) certificate, which has always been the case for signing kernel mode drivers for XP x64 onwards.

Signatures with such certificates will be valid until the MS CVR certs expire, which for my company's cert (issued in Nov 2015) is Nov 1st 2025 for the MS CVR, and Apr 15th 2021 for the corresponding CA cert.

This is assuming that MS don't revoke the MS CVR and they don't change the rules to enforce use of an EV certificate and attestation signing for non-boot drivers.
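
Added example, not part of the thread and not any poster's code: a PowerShell audit that lists, for each driver file, the signer, the signing certificate's expiry, and whether the signature is timestamped, which is what lets signed code stay valid after the certificate's year is up (reply #716) and shows the issuer chain discussed in reply #719. The function name `Get-DriverSignatureReport` and the default folder are assumptions made for this example.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 5.1 or later.
# Get-DriverSignatureReport is a hypothetical helper name chosen for this example.
function Get-DriverSignatureReport {
    [CmdletBinding()]
    param(
        # Assumption: the usual location of kernel driver binaries.
        [string]$Path = (Join-Path $env:SystemRoot 'System32\drivers')
    )

    $now = Get-Date
    Get-ChildItem -Path $Path -Filter '*.sys' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file   = $_
            $sig    = Get-AuthenticodeSignature -FilePath $file.FullName
            $signer = $sig.SignerCertificate
            $stamp  = $sig.TimeStamperCertificate

            # Build the issuer chain from the local certificate stores.
            # This is a user-mode view for inspection only; it is not the
            # kernel loader's own cross-signing check.
            $issuers = @()
            if ($signer) {
                $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
                $chain.ChainPolicy.RevocationMode =
                    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
                [void]$chain.Build($signer)
                $issuers = @($chain.ChainElements | ForEach-Object {
                    $_.Certificate.GetNameInfo('SimpleName', $false)
                })
            }

            [pscustomobject]@{
                File           = $file.Name
                Status         = $sig.Status
                Signer         = if ($signer) { $signer.GetNameInfo('SimpleName', $false) } else { $null }
                SignerNotAfter = if ($signer) { $signer.NotAfter } else { $null }
                Timestamped    = [bool]$stamp
                # Signing cert has expired, yet the signature still verifies.
                ExpiredButValid = [bool]($signer -and
                                         $signer.NotAfter -lt $now -and
                                         $sig.Status -eq 'Valid')
                Chain          = $issuers -join ' <- '
            }
        }
}

# Drivers that are unsigned or fail verification are the ones to review first.
Get-DriverSignatureReport |
    Where-Object { $_.Status -ne 'Valid' -or $_.ExpiredButValid } |
    Sort-Object Status, File |
    Format-Table File, Status, Signer, SignerNotAfter, Timestamped, ExpiredButValid -AutoSize
```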
 

Offline timb

  • Super Contributor
  • ***
  • Posts: 2528
  • Country: us
  • Pretentiously Posting Polysyllabic Prose
    • timb.us
Re: FTDIgate 2.0?
« Reply #720 on: February 17, 2016, 10:58:24 pm »

Starting with Windows 10 you need an EV certificate for code signing drivers, which is more expensive (and a bureaucratic hassle - needs real identity/address verification, private key is on a USB token, etc).

OT, but needs to be clarified.

This isn't exactly correct, although MS haven't been as precise as possible when enumerating what you do need and when.

If your driver isn't required for boot, i.e. actually need to boot the OS so some sort of filesystem driver, then you don't need an EV cert, even for Windows 10.

What you do need is a code-signing cert that has a valid cross signing chain back to the MS Code Verification Root (MS CVR) certificate, which has always been the case for signing kernel mode drivers for XP x64 onwards.

Signatures with such certificates will be valid until the MS CVR certs expire, which for my company's cert (issued in Nov 2015) is Nov 1st 2025 for the MS CVR, and Apr 15th 2021 for the corresponding CA cert.

This is assuming that MS don't revoke the MS CVR and they don't change the rules to enforce use of an EV certificate and attestation signing for non-boot drivers.

Jesus... And people say OS X is a "Walled Garden"!
Any sufficiently advanced technology is indistinguishable from magic; e.g., Cheez Whiz, Hot Dogs and RF.
 

Offline gmb42

  • Regular Contributor
  • *
  • Posts: 174
  • Country: gb
Re: FTDIgate 2.0?
« Reply #721 on: February 18, 2016, 12:20:40 am »

Starting with Windows 10 you need an EV certificate for code signing drivers, which is more expensive (and a bureaucratic hassle - needs real identity/address verification, private key is on a USB token, etc).

OT, but needs to be clarified.

This isn't exactly correct, although MS haven't been as precise as possible when enumerating what you do need and when.

If your driver isn't required for boot, i.e. actually need to boot the OS so some sort of filesystem driver, then you don't need an EV cert, even for Windows 10.

What you do need is a code-signing cert that has a valid cross signing chain back to the MS Code Verification Root (MS CVR) certificate, which has always been the case for signing kernel mode drivers for XP x64 onwards.

Signatures with such certificates will be valid until the MS CVR certs expire, which for my company's cert (issued in Nov 2015) is Nov 1st 2025 for the MS CVR, and Apr 15th 2021 for the corresponding CA cert.

This is assuming that MS don't revoke the MS CVR and they don't change the rules to enforce use of an EV certificate and attestation signing for non-boot drivers.

Jesus... And people say OS X is a "Walled Garden"!

On the contrary, what's wrong with having drivers signed by a method that can be validated by the kernel loader that they are the same files that the vendor released?  Anyone can create them, the price of entry (for a non-boot driver) is the cost of a code signing cert as above.  A code signing cert is "High assurance", i.e. the issuing CA checks that the company exists and will answer questions about the cert request.
 

Offline ve7xen

  • Frequent Contributor
  • **
  • Posts: 671
  • Country: ca
    • VE7XEN Blog
Re: FTDIgate 2.0?
« Reply #722 on: February 18, 2016, 02:50:52 am »

Starting with Windows 10 you need an EV certificate for code signing drivers, which is more expensive (and a bureaucratic hassle - needs real identity/address verification, private key is on a USB token, etc).

OT, but needs to be clarified.

This isn't exactly correct, although MS haven't been as precise as possible when enumerating what you do need and when.

If your driver isn't required for boot, i.e. actually need to boot the OS so some sort of filesystem driver, then you don't need an EV cert, even for Windows 10.

What you do need is a code-signing cert that has a valid cross signing chain back to the MS Code Verification Root (MS CVR) certificate, which has always been the case for signing kernel mode drivers for XP x64 onwards.

Signatures with such certificates will be valid until the MS CVR certs expire, which for my company's cert (issued in Nov 2015) is Nov 1st 2025 for the MS CVR, and Apr 15th 2021 for the corresponding CA cert.

This is assuming that MS don't revoke the MS CVR and they don't change the rules to enforce use of an EV certificate and attestation signing for non-boot drivers.

Jesus... And people say OS X is a "Walled Garden"!

On the contrary, what's wrong with having drivers signed by a method that can be validated by the kernel loader that they are the same files that the vendor released?  Anyone can create them, the price of entry (for a non-boot driver) is the cost of a code signing cert as above.  A code signing cert is "High assurance", i.e. the issuing CA checks that the company exists and will answer questions about the cert request.
This is getting wildly off-topic, but the problem with most of these code-signing is required things is that 'can be validated' is actually 'must be validated', and what 'validated' means is not under the end user's (ie machine owner's) control. I have no issue with cryptographically validating the entire boot process, and all code that runs subsequently, but I have a major problem with not being in control of the trust chain, which most such schemes require. Why the hell does Microsoft or Apple get to decide what code runs on my machine  :bullshit: :bullshit:? It's bad enough not being able to control the trust chain, but not even being able to disable the signature checks is unacceptable IMO.
73 de VE7XEN
 

Online FrankBuss

  • Supporter
  • ****
  • Posts: 2304
  • Country: de
    • Frank Buss
Re: FTDIgate 2.0?
« Reply #723 on: February 18, 2016, 07:20:09 am »
A code signing cert is "High assurance", i.e. the issuing CA checks that the company exists and will answer questions about the cert request.
I bought a code signing cert from Comodo and all they required was that your name is in (the German equivalent) of Yellow pages or even White pages (in my case) and then their system calls your phone number and says a number which you have to enter on their website.
So Long, and Thanks for All the Fish
Electronics, hiking, retro-computing, electronic music etc.: https://www.youtube.com/c/FrankBussProgrammer
 

Offline janoc

  • Super Contributor
  • ***
  • Posts: 2954
  • Country: fr
Re: FTDIgate 2.0?
« Reply #724 on: February 19, 2016, 09:55:28 am »
Starting with Windows 10 you need an EV certificate for code signing drivers, which is more expensive (and a bureaucratic hassle - needs real identity/address verification, private key is on a USB token, etc).

So they are now bad for actually enforcing good security practices?

Yes, it is a hassle. But a compromised signing key for a driver that has elevated privileges in Windows would be worth a lot of money on the black market. And private keys were compromised in the past - e.g. that joke of a Dutch certification authority that was used to issue bogus (but valid!) certs for major websites used in attacks and malware later.

If one is going to do it, then it should be at least done right, otherwise it is a pointless waste of time.

They aren't exactly making a killing on these - the prices are similar for other types of certs elsewhere (e.g. for SSL for a website).
SSL certificates for websites (or any other kind of Internet server) are free for everybody.

Right. Try to use one of those certs for a corporate website. You know, the cert is not only about encryption but also establishing trust. A cert from an obscure CA and changing every few weeks is not helpful there. But you get what you pay for. (that the "real" CAs often don't do due diligence and don't actually check that you are who you claim you are is another issue).

I don't see webshops and others exactly running to replace their existing (paid for) certs with these.

On the other hand, it is a great service for a personal website or a small community forum or something like that.
« Last Edit: February 19, 2016, 01:58:20 pm by janoc »
 

