FTDI driver kills fake FTDI FT232??

[a210210200]

I'm getting their new driver marked as a "critical" update in Windows Update now. Microsoft must be pretty pissed off that FTDI made them distribute a malicious, hardware-bricking driver.

In some ways it's good that FTDI was the first to do it and can easily be sued for any resulting damage. The possibility of a black hat getting a malicious driver signed and on to Windows Update has existed for a long time, and this just shows that whatever checks they do are inadequate.

Stuxnet used multiple stolen certs. and I believed used signed drivers and multiple real valid certificates from various companies to worm its way towards its target. Certificate based systems and even just drivers are based on trust. You should always check your root certificate trust because that being compromised can lead to all manner of bad things. (HTTPS decrypt with no warning, MITM, ...) It is probable that there are other valid signed "drivers" out there right now and long ago we just won't hear about them because it takes a lot of resources to crack the certificate trust model without being detected.

[a210210200]

For the most part, I actually agree with ya HFM...
It's all a very contentious set of circumstances.
The remainder of this post is merely me 'taking the piss' in a quasi light-hearted fashion...  It's intent is PURELY to provoke a smirk.

I'd like to take this opportunity to lay claim to the numbers 7 and 823543 (being 7^7).
From this point forward, anyone making use of those numbers shall be considered to have STOLEN them from me and I'd suggest that any use of them (whether for identification purposes or otherwise), is technically in breach of the EULA that I privately posted onto my bathroom wall.  (ANYONE can request to come and view this EULA, but I'm not expecting a queue of people).
Anyone wishing to arrange an 'EULA viewing opportunity' may have some difficulty.  All my phone numbers contain references to MY digit (7) and I'm actively seeking that all Telco equipment manufacturers around the world strike off this number from their devices.  Furthermore, both my street address _AND_ postcode (that's ZIPcode for you yanks) also contain numerous instances of MY '7' so I am afraid 'snail mail' is out.  My HAM radio license?  Equally affected!  I guess you could try 'smoke signals'?  (I'd prefer people used GENUINE FTDI smoke, but I will grudgingly accept FAKE smoke too on a 'calm day').

P.S.
I would strongly expect that A210210200 will shortly lay claim to the decimal number 696,055,300,608 (since that's what A210210200 equates to after converting back from hex to decimal).  Thank GOODNESS is doesn't include a '7'!!!  I'd have been FORCED to sue!

There are countless "illegal" numbers anything in reality can be represented by a number. Everything from your DNA to the Disney's latest movie can be represent by a number of numbers depending on the encoding and base you choose. (Also are you sure you converted my user name properly?, also you failing horribly at copyright law)

And as a good example try making the exact same user name here the exact collision of handles wouldn't be allowed. So locally I do retain limited rights to the handle as do you to yours within the framework of this forum.

Technically speaking cryptographic secrets are also special numbers the only problem is that since they are secret you don't know if someone is using them.

People and governments can successfully prosecute in certain cases of just pure numbers being released and while the number itself isn't property the meaning and use of the number is what is usually being protected.

People own domain names these are also numbers if you could not then everyone could take over any website.

Numbers are merely a medium to represent things you cannot own a number just for the purposes of a number but you can own the meaning/use of a number. Say your DNA can be protected information, a your literary work can be protected, medical data can converted into a number and has countless laws protecting such numbers, and so on.

Math is really neat like that it basically can encode the universe and more. (Nothing in reality owns math because math is probably the closest we will get to the very basics of reality itself)

[a210210200]

About the paid FTDI shills [and unpaid trolls]:
If it looks like a duck, and it walks like a duck, and it quacks like a duck...well...it's probably a duck.

This thread is 103 pages long, and I think everything that needs to be said has been said, and that people have formed their opinions.  So, I am leaving this thread, and I'm not coming back.  Enjoy!

Certainly looks like confirmation bias here, I'll just quote this in,

@a210210200:
You know, not once have I ever mentioned your online "handle" when accusing the FTDI "fixer" of hiring "shills" to inundate this forum with false propaganda and diversions from the real truth about FTDI's driver that contains a trojan malware.  Yet, every time I did broach this subject, for some reason you felt the need to chime in, and proudly declare that you were not such person.  So, since I didn't ever name names, why did you feel the need to defend yourself every time I did this?

Ok you didn't mention my handle but do you know what a pronoun means. Read below its a good example of how to follow pronouns in referencing nouns (in this case a user's handle)

[My TLDR response to you goes here] Followed by you saying the pronoun shown below.

You are obviously a "shill" for FTDI.  AND, you are *WRONG*.  Your use of the phrase "faking the VID/PID" shows a lack of understanding in how USB works.  There are many other signatures that an O/S can use to determine what the device is-- not just the VID/PID, and your [FTDI's] MALWARE driver proves this-- as it has no problem identifying a chip that was not made by FTDI.

It is pretty unambiguous who you were replying to because you replied to me directly.

I don't think I need to even respond to anything else other than pointing out that you just demonstrably lied outright under the assumption no one reading your post (including me) would bother to verify your claim.

Also ( http://xkcd.com/1357/ ), bye.

[TheRevva]

Also are you sure you converted my user name properly?

Yep, I'm sure...  I'm normally pretty good at numbers and my C&P skills aren't too shabby either... <Grins>

also you failing horribly at copyright law

I have to freely admit... IANAL...  However, I'm beginning to wonder.  Whom is it that's being ANAL???
I'm also normally quite good at performing at least a rough 'proof reading' of what I've typed before bashing on that "Post" button.
Some users don't bother and that's THEIR choice.

P.S.  This 'response' post is NOT intended to be interpreted as anything more than just 'poking more fun' at the continuing pointlessness of this thread.
If '696,055,300,608' (Copyright 1914) or any other reader chooses to interpret it differently, that's THEIR issue to contend with.

[a210210200]

@TheRevva,

Tell them they are better off getting real RS232 PCIe boards, they are only about $30 for 2 ports.

Also some motherboards have RS232 headers, you just need the external connector on one of the external slots on the back side external slots.

You can even get mini-PCI express serial cards if you have a very compact case or even want to use a laptop in a very odd way.

http://ca.startech.com/Cards-Adapters/Serial-Cards-Adapters/4-Port-RS232-Mini-PCI-Express-Serial-Card-16650-UART~MPEX4S552

[a210210200]

This isn't a kid forum, or is it? ?

Probably piece of cake for Dave to run sql statement like this on its own database, so let creative people learn fast keyboard typing

Code: [Select]

DELETE FROM eevblog_forum
WHERE user='Rufus ' OR user='a210210200' OR .... etc


It would more kid like to just delete people's accounts you don't agree with instead of actually saying words that mean things.

[TheRevva]

My (totally worthless) $0.02...

I would have surmised from the slightly sketchy SQL code that the intent was to delete from the table containing all your postings and not to delete you altogether as a forum user.  (The question revolves around the schema of this 'hypothetical' eevblog_forum table - is it a table of users or is it a table of posts made by the users?)

Having said that...

While it's pretty darned plain to almost everyone here that I strongly disagree with much of what you've posted, I will equally strongly DEFEND your right to have posted it in the first place.  (No matter HOW 'wrong' you may have been... <Grins>)

[dannyf]

I am completely against a210210200's position on this matter. However, s/he has been very consistent in presenting facts and logic (however I disagree with it).

About the paid FTDI shills [and unpaid trolls]:

Other than smearing your opponents, you have made no rational arguments backed up by verifiable facts and added nothing positive to this discussion.

I'm not coming back.

Thank you.

[Rufus]

The hardware bricked itself because it didn't correctly emulate the hardware it was claiming to be. The FTDI driver treats all hardware the same and could easily claim the operations which fakes brick themselves on may be required by future revisions of their silicon.

I guess you were not paying attention. The code they used is designed specifically to do an EEPROM write that will fail on their hardware

It does not fail on their hardware it is ignored - the design authority for FTDI silicon isn't you it is someone who works for FTDI.

[zapta]

I guess you were not paying attention. The code they used is designed specifically to do an EEPROM write that will fail on their hardware

It does not fail on their hardware it is ignored - the design authority for FTDI silicon isn't you it is someone who works for FTDI.
[/quote]

Rofus you are dodging his argument. He says that they did it specifically to reconfigure non FTDI chips.

[Batang]

I don't know if it has already been suggested (104 pages, yikes) but you could use the EEPROM tool from FTDI to reprogram the VID = 0403 and PID = 6001

Cheers

[free_electron]

on the 'ownership of numbers'

the VID / PID pair is handed out by the USB consortium. it is assigned to one 'entity'. you cannot willy-nilly use someone else's number.
the numbers are used to match the device to the driver.

anyone stepping on someone else's number creates a problem.

there was a case w hile ago with some DAB driver that used the default cypress VID/PId for their USB-FX2 chips. the problem was , once that driver got on your system all your devices using an FX2 were recognised as a dab player. since the FX2 , on power up , enumerates using the cypress vid/pid to get it's firmware : nothing worked.  this cause a big stink and microsoft already had to pull a driver from their whcl base.

let's all play by the rules for once ok . they ain't that hard.
Wanna make usb product? then either :
- use standard chip with manufacturer provided driver and be done with it. no need to buy a vid/pid
- get your own VID from USB.org and write your own driver.

don't mix and match. and certainly don't use anyone else's vid/pid pair.

[Batang]

RE: on the 'ownership of numbers'

The PID/VID numbers I posted belong to FDTI

http://www.ftdichip.com/Support/Utilities.htm

Cheers.

[AJ]

Just my comments, Looking back...
A few years I had a problem with IOGear RS232/USB converters causing BSODs in Windows in one of my projects.  The following is the URL to my trouble ticket:  http://gridtrak.codeplex.com/workitem/9604
At the time, the only RS232/USB converter I could get to work reliably was FTDI based.  From then on, I was a loyal FTDI customer!

It took me several months of testing and learning the hard way to trust FTDI.  However, if at the time I was testing the RS232/USB converters, had I discovered any completely failed devices After testing FTDI devices - and I suspected FTDI drivers as the cause for the failures in the other devices, I would have abandoned FTDI products as being fatally unreliable. 

My point is:  I agree with the majority that bricking devices on PCs is a bad idea.  And, if it ever happened to me, I would never use products from that company again.

I'm only a little concerned that all of the GearMo FTDI based RS232/USB devices I deployed to the field might start failing - because they did not come with any certificate of conformity and I bought them on Amazon.com; which may not be a FTDI distributor.

//AJ

[Rufus]

It does not fail on their hardware it is ignored - the design authority for FTDI silicon isn't you it is someone who works for FTDI.

Rofus you are dodging his argument. He says that they did it specifically to reconfigure non FTDI chips.

I'm sure they did but what they do they do to all hardware. They make no distinction between genuine and non-genuine chips - the chips themselves make that distinction. They may well have chosen to do it that way because of legal implications despite it not allowing owners of non-genuine chips to be better informed.

[Bloch]

It is very expensive you need to buy them.

"The annual membership fee is US$4,000" from http://www.usb.org/developers/vendor/


http://hackaday.com/2013/10/22/usb-implementers-forum-says-no-to-open-source/


There was also a great talk about then big usb problem but i cant find the link.




Quote from: free_electron on Today at 02:59:05 AM

- get your own VID from USB.org and write your own driver.

[edavid]

on the 'ownership of numbers'

the VID / PID pair is handed out by the USB consortium. it is assigned to one 'entity'. you cannot willy-nilly use someone else's number.
the numbers are used to match the device to the driver.

If you make a device that's compatible with an existing driver, it's much better to use the same VID/PID.  It doesn't benefit anyone to have duplicate drivers with different VID/PIDs.

anyone stepping on someone else's number creates a problem.

Using someone else's number doesn't create a problem if the devices are compatible, in fact it's better.

there was a case w hile ago with some DAB driver that used the default cypress VID/PId for their USB-FX2 chips. the problem was , once that driver got on your system all your devices using an FX2 were recognised as a dab player. since the FX2 , on power up , enumerates using the cypress vid/pid to get it's firmware : nothing worked.  this cause a big stink and microsoft already had to pull a driver from their whcl base.

Nice story, but not relevant to the FTDI situation.

let's all play by the rules for once ok . they ain't that hard.
Wanna make usb product? then either :
- use standard chip with manufacturer provided driver and be done with it. no need to buy a vid/pid
- get your own VID from USB.org and write your own driver.

don't mix and match. and certainly don't use anyone else's vid/pid pair.

Too bad those rules don't cover the FTDI situation:  make a chip that's compatible with a standard chip... then do what?  USB doesn't have an answer for that.

[SeanB]

Yep, the thread has (quite rightly IMNSHO), become somewhat of a joke...  (In fact, for some of us, it was somewhat of a joke right from the outset)
That 'joke' status is exactly the reason why I've elected to 'claim ownership' of the numbers '7' and '823543'.  (I hope it put a smile on at least SOME faces?)
BTW, if anyone is willing to pay me US$5000.00, they can 'claim ownership' of any other numbers.  (I'm tempted to put dibs on numbers like PI and 'e' since they're bound to be worth a 'premium price'.  Perhaps I should also claim 22/7 for those 'rationalists' amongst us?).

Each of us will make our own decisions based upon what we have seen and read (in combination with our own unique 'personalities') and life will go on irrespectively.

If nothing else, I'd suggest that FTDI management will think VERY hard of the ramifications of any such future 'releases'.

If you look into pi long enough ( or e for that matter) you will find a section that is every imaginable number. Are they going to ban these 2 numbers?  Legislate it is equal to 3? Very hard to patent or copyright a number, which is why we have the Pentium, as I am looking at an IBM 6x86 processor on the shelf next to me. Intel lost that legal battle big time to big Blue and AMD.

[edavid]

If you look into pi long enough ( or e for that matter) you will find a section that is every imaginable number.

It is not known if pi and e are normal.

http://en.wikipedia.org/wiki/Normal_number

[miguelvp]

Doesn't FTDI provide their customers PIDs while still using their VID?
So you can still do your own driver and get your PID gratis.

http://www.ftdichip.com/Support/Knowledgebase/index.html?caniuseftdisvidformypr.htm

[Rufus]

Too bad those rules don't cover the FTDI situation:  make a chip that's compatible with a standard chip... then do what?  USB doesn't have an answer for that.

The answer is don't. How do you control unique serial numbers on compatible chips? If you plug in two devices with the same serial number Win XP immediately BSOD's for example.

[nctnico]

It doesn't (been there, done that). It just enumerates both devices. Remember each USB port has a unique address within the USB device tree as well.

[Rufus]

It doesn't (been there, done that). It just enumerates both devices. Remember each USB port has a unique address within the USB device tree as well.

http://blogs.msdn.com/b/oldnewthing/archive/2004/11/10/255047.aspx

In my experience "Exciting things happened" = BSOD.

[a210210200]

It is very expensive you need to buy them.

"The annual membership fee is US$4,000" from http://www.usb.org/developers/vendor/

You can get PIDs from other companies either for free (if you use their products) for small scale use or get a PID for yourself (without the blessing of the official USB group)

http://www.mcselec.com/index.php?page=shop.product_details&flypage=shop.flypage&product_id=92&option=com_phpshop&Itemid=1

But making a device which may be compatible now under the exact same VID/PID is not a good thing to do for the entire ecosystem since conceivably a non-DRM type change could break compatibility and cause system instability (BSODs) creating all sorts of problems which would be difficult to figure out. Finger pointing will result and in theory in a opposite day world a mistake of a "compatible" chip could cause a host computer to BSOD.

If your a company wants to do it properly so users get a plug and play experience you want to have control over both VID/PID and have a WHQL driver and so on your going to have to pony up the fees anyways otherwise Microsoft is just going to take your money. (Testing per os is non-refundable $250, probably adds up quick if you want the entire range and you need your own certificate for Microsoft software verification as well for an additional cost as well)

[a210210200]

on the 'ownership of numbers'

the VID / PID pair is handed out by the USB consortium. it is assigned to one 'entity'. you cannot willy-nilly use someone else's number.
the numbers are used to match the device to the driver.

If you make a device that's compatible with an existing driver, it's much better to use the same VID/PID.  It doesn't benefit anyone to have duplicate drivers with different VID/PIDs.

anyone stepping on someone else's number creates a problem.

Using someone else's number doesn't create a problem if the devices are compatible, in fact it's better.

there was a case w hile ago with some DAB driver that used the default cypress VID/PId for their USB-FX2 chips. the problem was , once that driver got on your system all your devices using an FX2 were recognised as a dab player. since the FX2 , on power up , enumerates using the cypress vid/pid to get it's firmware : nothing worked.  this cause a big stink and microsoft already had to pull a driver from their whcl base.

Nice story, but not relevant to the FTDI situation.

let's all play by the rules for once ok . they ain't that hard.
Wanna make usb product? then either :
- use standard chip with manufacturer provided driver and be done with it. no need to buy a vid/pid
- get your own VID from USB.org and write your own driver.

don't mix and match. and certainly don't use anyone else's vid/pid pair.

Too bad those rules don't cover the FTDI situation:  make a chip that's compatible with a standard chip... then do what?  USB doesn't have an answer for that.

The problem with a compatible chip is who determines if it is certifiably compatible. Using a different VID/PID prevents problems like that even if they are using the same driver just one that is verified to work with the compatible chip. Example, Racepak (Racing Engine Diagnostics) and Bayer (Medical Devices) in two totally different industries distribute FTDI drivers but use their own VID/PID combination to maintain control over what driver users get as well as the device name and vendor information so that no consumer would be confused to think it is an FTDI device since windows reports it as whatever the mfg wants. An added bonus is that even if FTDI screws up or does something intentionally insane they still won't affect your product because windows has it locked in with your own WHQL driver with its own security cert and so on.

Even those this incident is clearly an action from FTDI there is nothing in reality that stops a "compatible" chip from getting a bad revision done that causes instability in windows without a driver update. Even though no one really owns the VID/PID space it technically should be respected to maintain a functional PnP ecosystem for USB devices in general. (There are plenty of numbers to go around)