IP Is No Excuse: Even If Someone Is Using Fake Chips, It's Not Okay To Kill Their Devices
from the that's-not-how-it's-supposed-to-work dept
Not this again. For years, we were perplexed by the war on mod chips, which could be used to allow people to play pirated games, but also had plenty of legitimate uses, especially for developers and hackers. The same was true of the war on smart card readers. Yes, they could be used to get pirated TV, but they were also useful for lots of other, perfectly legitimate projects. The latest, however, appears to be a Microsoft update with some new drivers that were completely destroying devices that have fake FTDI chips. People started noticing that right after the Windows update, devices using those chips were suddenly dead. Bricked. It's not that they wouldn't connect any more -- it's that the software update actively bricked the devices and you can't get them back.
FTDI chips are quite popular with hackers and there are plenty of them out there -- both real and fake. And, quite frequently, developers/hackers have no idea if their FTDI chips are legit or not, because they just buy devices that include them, and they assume they're legit. But the drivers in that Windows update didn't care and bricked any device using a fake FTDI chip. As Ars Technica notes, this really sucks for a bunch of hackers who never even did anything wrong.
The result of this is that well-meaning hardware developers updated their systems through Windows Update and then found that the serial controllers they used stopped working. Worse, it's not simply that the drivers refuse to work with the chips; the chips also stopped working with Linux systems. This has happened even to developers who thought that they had bought legitimate FTDI parts. It can be difficult to tell, and stories of OEMs and ODMs quietly ignoring design specs and using knock-offs instead of official parts are not uncommon. As such, even hardware that was designed and specified as using proper FTDI chips could be affected.
It's not entirely clear if this is something FTDI did on purpose or not (though, their comments below suggest they did), but it is worrisome, and it's simply not okay -- whether it was on purpose (in which case it's potentially illegal) or not (in which case it's just bad).
Every USB device has a pair of IDs. One, the Vendor ID (VID), is allocated by the USB group. Each vendor has its own unique VID and uses that VID on every USB device it makes. The second is the Product ID (PID), allocated by the vendor, with each distinct chip type having its own PID. Windows uses the VID/PID pair to figure out which driver a given piece of hardware needs. The counterfeit chips use FTDI's VID and set the PID to the PID of whichever chip it is they're cloning (FTDI has a range of similar parts, each with their own PIDs).
The new driver reprograms the PID of counterfeit chips to 0000. Because this PID does not match any real FTDI part, it means that FTDI drivers no longer recognize the chips and, hence, no longer provide access to them. This PID is stored in persistent memory, so once a chip has been reprogrammed it will continue to show this 0000 PID even when used with older drivers, or even when used with Linux.
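A defender's check for the condition just described, as an added example that is not part of the original article or of any FTDI or Linux code: it parses `lsusb` output and flags devices that report FTDI's vendor ID with the zeroed PID. The numeric vendor ID 0x0403 is not stated on the page, the 6001 PID comes from a reader comment further down, and the function names and sample lines are constructed for illustration.

```python
import re
import subprocess
from typing import List, NamedTuple

FTDI_VID = 0x0403      # FTDI's USB vendor ID (assumption: value not given on the page)
ZEROED_PID = 0x0000    # PID the driver writes to chips it treats as counterfeit
FORMER_PID = 0x6001    # PID a reader comment says the affected parts used to report

# One line of `lsusb` output, e.g.
#   Bus 001 Device 004: ID 0403:6001 Some description
LSUSB_LINE = re.compile(
    r"^Bus (?P<bus>\d{3}) Device (?P<dev>\d{3}): ID "
    r"(?P<vid>[0-9a-fA-F]{4}):(?P<pid>[0-9a-fA-F]{4})\s*(?P<desc>.*)$"
)


class UsbDevice(NamedTuple):
    bus: int
    dev: int
    vid: int
    pid: int
    desc: str


def parse_lsusb(text: str) -> List[UsbDevice]:
    """Turn lsusb text into UsbDevice records, skipping lines that do not parse."""
    devices = []
    for line in text.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if m is None:
            continue  # blank or malformed line
        devices.append(UsbDevice(
            bus=int(m["bus"]),
            dev=int(m["dev"]),
            vid=int(m["vid"], 16),
            pid=int(m["pid"], 16),
            desc=m["desc"].strip(),
        ))
    return devices


def classify(device: UsbDevice) -> str:
    """Label a device by what its VID/PID pair alone can tell us.

    A normal PID says nothing about authenticity: clones report FTDI's VID
    and a real FTDI PID, so only the zeroed state is detectable this way.
    """
    if device.vid != FTDI_VID:
        return "other-vendor"
    if device.pid == ZEROED_PID:
        return "ftdi-vid-zeroed-pid"
    return "ftdi-vid-normal-pid"


def find_zeroed_ftdi(text: str) -> List[UsbDevice]:
    """Return devices whose PID has been reprogrammed to 0000."""
    return [d for d in parse_lsusb(text) if classify(d) == "ftdi-vid-zeroed-pid"]


# Constructed sample input (not captured from a real machine).
SAMPLE_LSUSB = """
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID 0403:6001 Future Technology Devices International, Ltd FT232 Serial (UART) IC
Bus 001 Device 005: ID 0403:0000 Future Technology Devices International, Ltd
Bus 002 Device 00x: ID garbage
Bus 002 Device 003: ID 046d:c077 Logitech, Inc. Mouse
"""


def main() -> None:
    # Use the live device list when lsusb is available, else the sample.
    try:
        text = subprocess.run(
            ["lsusb"], capture_output=True, text=True, check=True
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_LSUSB
    hits = find_zeroed_ftdi(text)
    for d in hits:
        print(
            f"Bus {d.bus:03d} Device {d.dev:03d}: {FTDI_VID:04x}:{d.pid:04x} "
            f"PID zeroed (per the page, likely was {FORMER_PID:04x})"
        )
    if not hits:
        print("No device reports FTDI's VID with PID 0000.")


if __name__ == "__main__":
    main()
```
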
Sherwin Siy, over at Public Knowledge does a nice job explaining why copyright (or other IP laws) are never a legitimate reason to break a device -- even if a contract warns it might happen (as is apparently the case with FTDI).
The fact that disabling countless devices without warning can harm millions of innocent users and manufacturers should be a screaming sign that this is the wrong thing to do. And if they’re doing this deliberately, this is wrong not just in the sense of being unethical, but illegal, too.
This is something that people seem to forget in the IP space, and also in the technology space, which makes it unsurprising that we see it here. It’s the same impulse that leads people to ask if they can shotgun a drone that strays onto their property (No, no more than you can torch a car that parks in your driveway), or whether you can destroy the computers of people who have illegally downloaded your song.
So whether or not FTDI has any trademark rights, copyrights, or other rights in whatever the knockoff chips are copying, the actual physical chips themselves are the property of their users, and FTDI doesn’t have the right to break them. A French vintner can’t stroll down the aisles of an American wine store with a hammer, shattering bottles of “California Champagne.” Roving gangs of Nike enforcers can’t rip fake Jordans off the feet of passing kids. And we don’t have Givenchy shock troops marching down Canal Street taking flamethrowers to fake handbags. If your IP rights are being infringed, the proper course of action is to go to court, not take the law into your own hands.
Unfortunately, in this era of intellectual property maximalism, people seem to forget these things. They assume that if you have a "fake" chip then obviously it's "okay" to break the device, because they falsely seem to believe that copyrights and trademarks and the like give the holder "all the rights over everything," rather than a limited set of rights over certain things. FTDI's response to all of this (including removing the driver from the latest Windows update) suggests (but does not outright claim) that it did this on purpose:
As you are probably aware, the semiconductor industry is increasingly blighted by the issue of counterfeit chips and all semiconductor vendors are taking measures to protect their IP and the investment they make in developing innovative new technology. FTDI will continue to follow an active approach to deterring the counterfeiting of our devices, in order to ensure that our customers receive genuine FTDI product. Though our intentions were honourable, we acknowledge that our recent driver update has caused concern amongst our genuine customer base. I assure you, we value our customers highly and do not in any way wish to cause distress to them.
Honorable intentions or not, counterfeit products or not, actively going in and breaking the property of others is not an acceptable response.
Filed Under: bricking, copyright, counterfeit, drivers, ftdi chips, microsoft update, property, property rights, trademark, update
Companies: ftdi, microsoft
Reader Comments
Yet another reason
[ link to this | view in thread ]
Uh-oh...a "cyber Pearl Harbor"!
If they're done playing with their new underwear, that is.
[ link to this | view in thread ]
Re: Yet another reason
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Yet another reason
[ link to this | view in thread ]
Re: Yet another reason
[ link to this | view in thread ]
Re:
It is just simply not possible for the vast majority of people to even know or be able to determine if the hardware they just purchased is legit or not. And neither should they be "actively" PUNISHED for it.
And most important of all... when you buy a piece of hardware you are supposed to own it... not freaking Microsoft, Sony, or Apple. And it should be considered criminal for them to brick any device because they did not like it! They have a solution... deny access to their networks.
[ link to this | view in thread ]
Just know what you are buying. Why do you think it should be different in the digital world?
[ link to this | view in thread ]
Need to stop it before it spreads...
You wouldn't have the PCs you have today if it weren't for "modders". Turtle Beach - Hayes - NVidia - all started with boards to "mod" the PC you bought.
So... when did this lunacy start? And who needs to be shot to stop it?
[ link to this | view in thread ]
Downstream responsibility
Passing on counterfeit currency as real money is fraud, and even without a specific ban on counterfeit money the act of obtaining anything of value by false pretenses should with appropriate limitations and caveats still be illegal.
However, what does use in a transaction mean regarding downstream responsibility for all actors?
If I haven't paid for a counterfeit watch but gotten it as a gift, I haven't deceived anyone or disturbed the legal market in any way.
The only plausible argument for downstream responsibility for the end user, who may not even be synonymous with the original buyer, is third or fourth party liability, which is really troubling given the multiplicity of possible IP claims.
If one chip in my computer is counterfeit, or the embedded software in my pacemaker is subject to a valid IP claim, am I liable after being aware of the illegality, and I continue to use the product?
It's really a logic that ain't far from reality and drives me to the IP abolition camp.
[ link to this | view in thread ]
Re: Re: Yet another reason
"Honorable intentions or not.." FTDI's reputation is now shot.
[ link to this | view in thread ]
Re: Re: Re: Yet another reason
[ link to this | view in thread ]
Re: Re: Yet another reason
In Linux, manufacturer-provided binary blobs are only accepted in a small number of special cases (NVIDIA chipsets, certain almost-network chipsets, and certain RAID controllers.) In pretty much every other case, the drivers aren't provided by the manufacturer at all, and manufacturer-provided or not, there is full source code available. Also, even with the binary blobs, someone other than the manufacturer has actually tested the driver before it gets included in a distro.
[ link to this | view in thread ]
Re:
In both of those cases, the police can confiscate the items.
The manufacturer whose IP rights MAY have been violated CANNOT confiscate them. When the police confiscate them - they become evidence in a trial, then people can argue and someone can mount a defense - none of that due process is happening here, the manufacturer is simply detecting and disabling something someone else owns.
[ link to this | view in thread ]
Re: Re: Yet another reason
[ link to this | view in thread ]
Re:
I have no way to identify fake chips inside equipment.
The retailer has no way of identifying fake chips inside equipment.
The manufacturer *may* know that there are fake chips in the equipment, or they may have been duped by a supplier.
The supplier probably knows that the chips are fakes.
So I'm expected to dig three levels deep into the supply chain just so I don't have to worry about some software update bricking my $20 cable?
[ link to this | view in thread ]
Re: Need to stop it before it spreads...
[ link to this | view in thread ]
Re:
If by "initial purchaser" you mean the OEM, then I agree totally. But that still doesn't excuse destroying the chip for the end user. If you mean the end user, then I disagree as there is no reasonable way that the end user can know if the chip is counterfeit or not.
[ link to this | view in thread ]
Re:
Not in Canada. Take it to the nearest bank.
[ link to this | view in thread ]
Re: Re: Yet another reason
The really good news is, that is changing. With Steam supporting Linux and many major game makers moving to support Linux as well. I think the end of Microsoft's reign is within sight. As kids who grew up using Linux move into the workforce Windows will start to lose a hold there pretty quickly. After all, it is an easy decision between at least $200 a copy and FREE. Only thing holding people back is lack of qualified users. Linux gaming takes care of the linux training part....
[ link to this | view in thread ]
Open Source
[ link to this | view in thread ]
Re: Uh-oh...a "cyber Pearl Harbor"!
[ link to this | view in thread ]
How about dangerous? How does the manufacturer know their chips aren't being used in medical devices or safety equipment? What about mission critical applications? It's not just unethical, it's negligent.
[ link to this | view in thread ]
then look at things in the other light. what is actively happening when a web site is accused of selling counterfeit and/or copyrighted items? the web sites are closed, almost instantly. when something like this issue happens, there is never a damn thing done in retaliation by the courts. they all seem to be waiting for it to happen and are thinking of ways what has happened can be twisted round so the perpetrators, the genuine maker/seller, can be let off, scot free!!
[ link to this | view in thread ]
Re: Re: Re: Re: Yet another reason
As far as I know, there is currently no automated repair mechanism, so you need a computer which can reflash the damaged chip, you need to know what PID it had before FTDI broke it, and you need to explicitly run the reflashing program with the right inputs.
[ link to this | view in thread ]
Re:
So you are seriously arguing that the police could forcibly remove the pacemaker or medical equipment from anyone if there was an infringement of IP?
Let's consider a hypothetical, I buy a knock off medical device from China because I suffer from a disability or a chronic disease and the counterfeit works.
Whether I am aware of the infringement is an issue but let's assume I am not aware at the time of purchase.
Suddenly the IP owner files a lawsuit and requests a seizure order and gets my address.
Are you seriously arguing that (1) my medical device should be confiscated regardless of the consequences for my life or health, and/or (2) there should be a viable legal claim against me for infringement of IP if I was aware of the infringement?
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re: Re: Yet another reason
Disclaimer: I avoid binary blobs on Linux, but I am not particularly aggressive at pushing others to do the same.
[ link to this | view in thread ]
Re:
Kill a few people and maybe others will learn proper respect for copyrights.
/s
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re:
Under copyright law, you don't even have to be aware in order to be liable.
[ link to this | view in thread ]
Re: Need to stop it before it spreads...
Congress.
[ link to this | view in thread ]
Re: Re: Re: Re: Yet another reason
Yes, this is my stance. With a single exception, I don't use binary blobs on my Linux systems at all. I don't trust them. The single exception is my smartphone -- where the binary blob is the software that implements the actual cellphone functionality and there is no alternative.
[ link to this | view in thread ]
They did it on purpose
There's no doubt they did it on purpose. Someone reverse-engineered the bricking routine from the driver. It unconditionally writes 0 to the PID and a matching value to the checksum, but does so in a specific way that fails to write on genuine parts*.
There's no legitimate purpose for the bricking routine. It's a no-operation on genuine parts. It's not "something useful the driver does which happens to do the wrong thing on non-genuine parts". The only possible explanation for the existence of that routine is to zero the PID on counterfeit or compatible parts**.
* From what I could understand, the genuine parts can only write to the EEPROM in 32-bit units, sent as a pair of 16-bit units. The bricking code sent only one of the 16-bit units, so the write never happened. The compatible parts write each 16-bit unit as it's received, so the write happened.
** My guess as to why they only erased the PID, and not the VID: due to word alignment, if they erased the VID it would happen even on genuine parts. Luckily, this makes it easier to recover: if the VID is FTDI and the PID is zero, it's a part which used to have a PID of 6001 but was bricked. The Linux driver has been patched to recognize a bricked part as a valid FTDI part.
[ link to this | view in thread ]
re:
Then I propose a new business method:
Sue the owners of cheap medical devices i.e. the blind, deaf, or paraplegic but be kind and offer them a settlement of $100 to settle the claim.
If you do not have to be aware of the infringing nature of your hardware, or if one algorithm violates a patent, you should be happy that the generous IP owner will offer you a settlement in exchange for continued enjoyment of his property.
Downstream responsibility for IP claims is really a ticking timebomb.
[ link to this | view in thread ]
I wonder if this is related to FTDI's cyber attack. I'm glad I run GNU/Linux and don't have to worry about cyber sabotage operations being carried out by rogue chip manufacturers.
[ link to this | view in thread ]
Re: Re: Yet another reason
[ link to this | view in thread ]
Re: Downstream responsibility
Well crap! Guess that means no more sex for me.
[ link to this | view in thread ]
Re: Re: Uh-oh...a "cyber Pearl Harbor"!
So why isn't a SWAT team kicking down their door at this very moment and beating, tasering, pepper-spraying, and tear-gassing the employees of that company? (And arresting any survivors.) You know damn well that if this had been done by J. Random Hacker that this is exactly the sort of response that would ensue, so why not in this case? Do they get a pass because they're a corporation? Or do they get one because they're waving the "IP" banner?
[ link to this | view in thread ]
Won't this drive business away from FTDI?
So won't the result have people shying away from any of their chips in the future?
Seems like another reason why killing the devices is a bad move.
[ link to this | view in thread ]
Re: Downstream responsibility
Some states have considered if not enacted such legislation.
But what I meant by value in this context was only economic value.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
there is a place to work this out...
And let us not forget what paragon of reliability is deciding what property to respect and what to trash: Microsoft. As others have mentioned, this is one of many reasons to avoid Windows. Are there any reasons left to stay? My luck has been that even wireless cards work smoother now with Linux than with Windows 7.
Last night, my youngest son was happydancing over Counterstrike having been ported over to Linux, but he said that my computer probably would have trouble, since it is a few years old with an outdated video card. Nah, it runs rings around a fresh Windows 7 box.
I'm afraid I've become somewhat hardened, though. For those people losing hardware because they plugged into a device running Windows, they may have been truly wronged, but they were also asking for it. ... and NO, do not try to compare this to any other 'asking for it' analogies. Recovering a lost electronic device is nothing like assault or other injury. For that matter, I would say that a case of critical medical device failure should lie with the hospital or doctor involved. If a patient dies because someone plugged an FTDI device into a Windows box, then the plugger should be charged, as well as the IT 'professionals' that allowed Windows in as a spec.
[ link to this | view in thread ]
Re: Need to stop it before it spreads...
There was indeed a huge fight, starting in the 1960s hot-rod era, when Detroit's Big Three automakers tried to kill off the aftermarket parts industry, basically by saying that if a car owner put a single non-OEM part on his car, then the entire warranty was null and void. And not just for things directly related to the part (say like a leaking oil gasket causing clutch failure) but anything and everything on the car completely unrelated to that part. So taking your new Ford to the dealer to have the air conditioner fixed, and they see it has non-factory wheels and tires, then they could flatly refuse to do warranty work on the A/C (at least in theory) despite that the two things have absolutely nothing to do with each other. It was not just a matter of whether the automakers carried through with their threats or not, since most people believed they would, as that's what the dealers would (unsurprisingly) tell them all the time.
The early '70s Magnuson–Moss Warranty Act put a stop to that practice by forcing automakers to accept owner-installed parts made by aftermarket companies. Ironically, the automakers ended up buying up many of the companies (and incorporating their products and operations) that they had earlier argued were making dangerously defective products, when they were trying to shut them out and kill them off.
But that was an entirely different era, individualism was in fashion, the Cold War was at its height, monopolies were still being broken up by the government, and anything with a whiff of top-down control smacked of communism or corporatism. It was an era when small private companies flourished, and the US government tended to side with small upstart innovators --and especially consumers-- rather than being bowled over by the "too big to fail" behemoth corporations, which as we're all painfully aware is the government's operating environment today.
[ link to this | view in thread ]
Re:
Yes to both, barring outright bribery which is rare, the legal system and government have difficulty stopping inherently bad actors exploiting corporate status and enforcement of intellectual property for their own ends.
The courts were happy to nail Prenda, but they were only able to do so after a long time because Prenda made a lot of other obvious stupid missteps which weren't germane to the legality of their copyright trolling operations.
Prenda waged a dirty pay up or else campaign against alleged file sharers, but RIAA did exactly the same but in a more 'legal' manner and got away only with a bloody nose.
[ link to this | view in thread ]
Re: Re: Re: Uh-oh...a "cyber Pearl Harbor"!
Too busy collecting the credit card info, names and addresses of people buying infringing underwear. They'll be right along after raiding houses, tumble-dryers, washing machines, underwear drawers, and forcibly stripping the real criminals. Priorities man, priorities.
[ link to this | view in thread ]
Re: Yet another reason
[ link to this | view in thread ]
Re: Yet another reason
[ link to this | view in thread ]
Right to the family jewels.
[ link to this | view in thread ]
Ignoring the important point
This reveals that it is possible to permanently brick any USB device by software command.
This is a lovely target for both malware and planned obsolescence.
[ link to this | view in thread ]
Re: Yet another reason
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re:
Your friend can do two things: if he just wants to check if the mouse and keyboard have been affected by this, have him plug them into your Linux machine and see if they work there. If they do, then the problem is something else.
In the end, your friend will need to roll the update back out. The lack of HID devices is a problem, of course. He'll probably have to use some sort of recovery disk to do it (unless he's lucky and has an old-timey serial port and a serial keyboard. If so, that might work.)
This might be worth a call to Microsoft.
[ link to this | view in thread ]
Re: Re: Yet another reason
Microsoft has the clout to demand that third-party vendors supply the (compiled) drivers and the source code for them. They also have the personnel and financial resources to review those in depth before releasing them. So why don't they?
[ link to this | view in thread ]
Re: Ignoring the important point
This isn't really news. There are hundreds of ways to subvert USB devices like this, but no single technique will work on all devices. For even more fun, it's also possible to put malware into many USB devices and subvert machines that they plug into. There have been a few viruses that have spread through keyboards and mice this way.
[ link to this | view in thread ]
I smell an opportunity
perhaps they could kickstart and create an authentication system using those development kits to help IT/service departments around the world verify components, their authenticity and their applicable license.
Heck governments, companies alike could add their use into purchasing contracts.
Someone with the know-how go make some money and make this happen.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: '
rights holder, why not rail against the seller who sold the product to the customer? '
Two wrongs do not make a right.
Do you know that the actual user affected is the same person who is responsible for buying the product alleged to be counterfeit?
Even assuming that the product is counterfeit, the rights holder is not the government and has no authority to stop the end user from enjoying any product prior to a judicial ruling.
Do you know whether possession or use of a counterfeit product is illegal in all nations affected by the action?
Do you know whether the fact that a product is counterfeit bars all tort actions for incidental destruction of property?
[ link to this | view in thread ]
Well, it was before the DMCA came around. Now, though, between the DMCA Takedown system and the protection of DRM, IP vigilantism on digital devices is firmly enshrined in law.
This is what I've been saying for years: unless the DMCA is repealed and replaced by something that affirmatively protects the rights of computer owners as the first priority, acts like this will inevitably continue. This isn't the first time it's happened (multiple gaming DRM systems have broken CD/DVD burners in the past) and it won't be the last, unless we get rid of the DMCA.
This update bricked one specific chip. But a lot of computers these days are being sold with a TPM, an incredibly sinister chip that integrates DRM into the entire system. Just imagine the ramifications! Some people worry about the government of Iran getting nuclear weapons. I worry about them infiltrating a single engineer into the right division at Microsoft.
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
how is this extremely different than
DHS revoking the DNS entries of stores selling counterfeit products, (https://www.techdirt.com/articles/20140701/17420627752/feds-seize-domain-social-network-sex-workers.shtml), or legitimate products thru unauthorized channels (https://www.techdirt.com/articles/20101213/09353512255/supreme-court-ruling-you-may-not-be-able-to-legally-sell-product-first-made-outside-us.shtml)
or today's Aereo ruling: https://www.techdirt.com/articles/20130927/14101224679/comcasts-ceo-as-long-as-i-keep-saying-aereo-is-illegal-sooner-later-someone-will-believe-me-right.shtml
haven't we established that it is legal to (cripple, disable, break) services or equipment that you just don't like?
[ link to this | view in thread ]
Re: Re: Re:
Don't you use fiat money? Then your Government is obligated to honor it. It isn't your fault if it is easily copied.
[ link to this | view in thread ]
Re:
This.
Everyone who thinks that the Iranians, Russians, Chinese, Israelis, French, Germans, Japanese, Turks, and everyone else haven't already had a serious discussion about trying this...or haven't already done it...raise your hands.
Implausible? Feh. The intelligence agencies of every major nation routinely infiltrate each other. Getting an engineer into Microsoft or Google or Twitter or Oracle or wherever is child's play by comparison. It's such an obvious, cheap, low-risk, high-reward strategy that there is no way they've all passed it up.
[ link to this | view in thread ]
Re: Re: Re: Re:
Not if the government is the US. If you get a counterfeit bill, you lose. You're supposed to turn the bill in to authorities, but the only thing you'll get from doing that is a thank you.
That said, I have never seen or possessed a counterfeit bill to the best of my knowledge. By the same token, I don't exactly examine the currency in my possession to find the fakes. The law is that you aren't committing a crime when spending counterfeit money unless you are aware the money is counterfeit. If I find a counterfeit bill in my wallet, I suffer an immediate financial loss, so it's in my best interest to not look too hard.
[ link to this | view in thread ]
Re: Re: Re: Re:
[ link to this | view in thread ]
Re: Ignoring the important point
The FTDI devices have an EEPROM (a small amount of nonvolatile memory, a few hundred bytes) which stores configuration parameters. The "bricking" in this case is overwriting a few of these bytes with an invalid value.
Other USB devices have firmware in nonvolatile memory, and most of these are updateable via USB. Send an invalid firmware to them, and they are bricked.
A few USB devices might have invalid states which can cause physical damage to the device (for instance, setting an output GPIO to "high" while the device's board has it tied to ground).
But if none of these cases apply? Then the device cannot be permanently (or even temporarily) bricked by software command. I don't know how common these resilient devices are (updateable firmware can pop up in the most surprising places), but they do exist.
[ link to this | view in thread ]
Where are these chips used?
- Equipment at police departments and fire departments for emergency response purposes?
- 911 systems?
- Building alarm systems?
- Medical devices in hospitals' emergency rooms, operating rooms, intensive care rooms where failure could cause death?
and the list goes on.
I'm not sure Windows operates some of these devices and would be connected to the Internet for update. Both producers of the fake devices, if they could be discovered, and the company writing the stupid dll should be in deep trouble if serious problems resulted from their actions.
[ link to this | view in thread ]
Counterfeit is irrelevant.
Cops can seize your money, wallet, penguins, whatever regardless of whether it's counterfeit.
[ link to this | view in thread ]
Quality Assurance is not one of the sector's strong points.
[ link to this | view in thread ]
Planned Obsolescence
Remember Zune?
[ link to this | view in thread ]
Re: Re: Downstream responsibility
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re: Re: Yet another reason
Add in the fact that the newer drivers for the real chip were already breaking the fake ones without changing the hardware PID of the fakes. All that changing the Hardware PID of the fake chip does is let the FTDI's support staff see that the non functional chip is a fake.
Does it suck? Yes. Could FTDI have done something else to identify the fakes? Maybe. But these chips are buggy as hell even when they were semi-functional with FTDI's drivers (they were not a counterfeit with the exact design of the original, but a cheap hack pretending to be something that it is not). This will hopefully stop shoddy manufacturers from using the fake chips just to shave a couple of cents off of manufacturing costs.
[ link to this | view in thread ]
Re: Where are these chips used?
[ link to this | view in thread ]
Re: Re: Yet another reason
Microsoft signed off on the driver, certified it and then distributed it. If they didn't check it, they shouldn't have claimed that they did.
[ link to this | view in thread ]
Re: Ignoring the important point
[ link to this | view in thread ]
Re: Re: Re: Re: Yet another reason
Not maybe. FTDI has withdrawn their malicious drivers and replaced them with drivers that detect the fakes and refuse to work with them without breaking them. These drivers also warn you that you have a fake chip.
Which is precisely how they should have handled this situation in the first place.
[ link to this | view in thread ]
Re: Re: Re: Yet another reason
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Ignoring the important point
Not as common as they should be. This problem with USB controllers is commonly discussed in security circles and is considered a "hard problem" because of how common it is, how difficult it is to get hardware manufacturers to take it seriously, and how hard it is to convince people to throw away their perfectly functional devices and replace them with ones that are more secure.
[ link to this | view in thread ]
counterfeit electronics are the real problem
Could someone explain to me why FTDI should be forced to support counterfeit chips in their drivers? Why they shouldn't attempt to detect fakes and lock them out? After all, it is their business and their reputation on the line with the counterfeit chips, even though they had nothing to do with them.
To BentFranklin: I would hope that people who build safety critical and medical electronics verify their supply chains. They're required to for certification.
Anyway, if you want to see the difference between a real FTDI chip and a fake FTDI chip, there's an interesting teardown (with die photos) here: http://zeptobars.ru/en/read/FTDI-FT232RL-real-vs-fake-supereal
[ link to this | view in thread ]
Re: counterfeit electronics are the real problem
No one says they should be required to have the driver make the counterfeit work as well as the original. Everyone is saying that FTDI has an obligation not to knowingly damage or destroy hardware, whether legitimate or counterfeit. Detecting a fake and refusing to use it is fine. Detecting a fake and actively modifying it to ensure it cannot be used elsewhere is not fine.
Yes, their reputation is on the line with this. They have seriously harmed their reputation by pulling such a braindead stunt.
[ link to this | view in thread ]
Re: counterfeit electronics are the real problem
[ link to this | view in thread ]
Re: counterfeit electronics are the real problem
Resetting the PID to all zeros is annoying, but it's not fatal. If you know what you're doing, you can get by the soft lock and, using the old FTDI drivers, still use the device.
My point still stands, though. Would you have FTDI just sit aside and do nothing while their business is eroded by Chinese counterfeiters and companies that don't want to pay the few extra cents to buy a genuine chip? There's nothing stopping the manufacturers of products with the fake chips in them from releasing their own drivers that continue to use the chip, or use the bricked chips with the zeroed PID. They just want to use the money that FTDI is investing in developing their own drivers while not paying FTDI for the chips. That seems underhanded to me.
[ link to this | view in thread ]
Re: counterfeit electronics are the real problem
Nobody is saying that they should be. And they aren't.
"Why they shouldn't attempt to detect fakes and lock them out?"
If by "lock them out" you mean FTDI making their drivers so they won't work with counterfeit chips (just like they're now doing since they got caught), then there's no issue with that at all.
If by "lock them out" you mean altering them so that they no longer function properly at all, then the reason they shouldn't do that is because those chips are not their property. They have no right to break equipment they don't own.
[ link to this | view in thread ]
Re: Re: counterfeit electronics are the real problem
But if, like the majority of people, you don't know what you're doing, then they have effectively destroyed your device.
"Would you have FTDI just sit aside and do nothing while their business is eroded by Chinese counterfeiters and companies that don't want to pay the few extra cents to buy a genuine chip?"
No. But if the choice is between doing nothing and damaging other people's property (which it's not), then doing nothing is the only ethical and legal option. Why do you think that FTDI has any right whatsoever to break stuff they don't own?
[ link to this | view in thread ]
Re: Re: Yet another reason
They have no obligation to support something they did not make.
[ link to this | view in thread ]
Re: Re:
You don't have any right to demand support from someone who did not make it.
[ link to this | view in thread ]
Re: Re:
Don't ask someone who did not sell you anything to help you out.
[ link to this | view in thread ]
Re: Where are these chips used?
If important services buy defective devices, that is their fault for doing so in the first place.
[ link to this | view in thread ]
Re: Re: Re: counterfeit electronics are the real problem
If you are stupid, and a thief, that's your problem.
You should go to the crooks that sold you the fraudulent equipment, since the legitimate owner owes you nothing.
[ link to this | view in thread ]
Re: Re: counterfeit electronics are the real problem
Whether they do or not I do not know.
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re: counterfeit electronics are the real problem
[ link to this | view in thread ]
Re: Re: Re: counterfeit electronics are the real problem
However, that doesn't get them legally in the clear. That's a disclaimer that the software was not certified for use on such components and may damage them as a result. It is not a statement that gives them any kind of right to intentionally damage your equipment. I'm also interested in the first part, about how the license only gives you the right to use the driver with genuine FTDI components. That seems like it would render the clause void because it's asking users to accomplish the impossible. How is an end user supposed to know if their device contains a counterfeit chip?
This action by FTDI was so egregious, malicious, and disdainful of end users that I am hoping they get slapped hard in a court of law.
[ link to this | view in thread ]
Re: Re: Re: Re: counterfeit electronics are the real problem
[ link to this | view in thread ]
Re: Re: Re: Yet another reason
Is the device working after the update? No.
They absolutely 'made it stop functioning'.
As others have noted, no, they don't have an obligation to offer support for something they didn't make. However, they do have an obligation not to intentionally brick things that they didn't make.
If they've got a problem with forgeries, take it up with the people selling the fake chips, don't screw over the customers who had no way of knowing, or checking, the validity of their purchases.
[ link to this | view in thread ]
Re: Re: Re: Re: counterfeit electronics are the real problem
FTDI cannot possibly know how each of the counterfeits is made. In a good design, the VID and PID should not be able to be changed post manufacture. The genuine FTDI chips have this stored in a bit of EEPROM either located in the package (as in the FT232) or external (as in the FT2232). I'd have to check my programming manuals, but I don't think this is modifiable from the USB interface. It should not be capable of being modified from USB. In fact, it should not be capable of being modified at all.
FTDI's setting the PID to 0000 is questionable, but I think it was done as a matter of something that worked to prevent communications with the counterfeits, and they couldn't possibly test it with all variants of the counterfeits to ensure that there were no problems in the wild (such as soft locking some of the counterfeits).
With the BadUSB exploit coming onto the market here recently, I think that the emphasis is not on USB manufacturers to do some of their own housecleaning to prevent counterfeit products masquerading as legitimate from becoming an attack vector in the wild. This means 1. being able to detect the counterfeit and 2. stopping communications with the counterfeit.
This is the second attempt that FTDI has issued to prevent comms with the counterfeit chips. The first round, released several months ago, simply sent all zeros along the serial channel. This variant attempted to shut down all USB communications when it detected a fake. Granted, it was done in a haphazard manner, but that strikes me as just sloppy coding.
I just think that this is representative of the points of view of some people. Companies put fake chips into products on the market masquerading as a legitimate communication chip. Then, when the manufacturer of the legitimate chip decides to put out an update that, as a side effect, bricks a number of the fakes, everyone goes after the legitimate manufacturer? That just seems damn entitled to me. You're in effect saying that the legitimate company must test each new driver with potentially hundreds of variants of the fake to ensure that the new drivers don't do anything catastrophic when used with the sloppily put together fakes. Nobody's going to do that, and it has nothing to do with IP.
[ link to this | view in thread ]
Second, the VID and PID are not free, FTDI has to pay for them. They should have the right to stop hardware from using their IDs without their permission. That this bricks counterfeit devices is not their problem. People should be mad at the vendors who sold the counterfeit chips. The sheer number of soft-bricked devices shows how little component vendors actually police the products they sell.
[ link to this | view in thread ]
Re: Re: Re: Re: Yet another reason
Wrong, they have an obligation to limit who uses their IDs. If hardware needs an ID to function then the manufacturer had better get a legitimate ID. Using another vendor's ID gives them control over that device. All FTDI did was take back their ID. FTDI can't issue a new ID so it just put in zeros which is not a valid ID.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re: counterfeit electronics are the real problem
They were never functioning properly, they relied on using an ID that doesn't belong to them. FTDI has the right to remove their IDs from counterfeit hardware. The only ID they could replace their ID with is 0000 since that doesn't belong to anyone. If that causes the device not to function that is not FTDI's problem.
[ link to this | view in thread ]
Re: they provided the driver to Microsoft
In other words, there was effectively a message on the end: “I am Microsoft, and I approve this driver”.
[ link to this | view in thread ]
Re: Re:
Then again, who does a chip-level inspection of a new device before purchase? That involves opening the thing up and possibly voiding the warranty. I certainly don't.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re: Re: Re: Re: counterfeit electronics are the real problem
The intended use is for the designer to be able to use their own VID/PID instead of FTDI's default, so the device will bind to the designer's driver instead of FTDI's generic serial driver. Being able to change the VID/PID is quite common in USB device chips.
As to being modifiable from the USB interface, it's the most convenient way to do the manufacturing, since the USB interface is usually exposed (the serial interface is usually routed elsewhere within the same device). Simply solder everything, plug the USB from the device into a computer (which is something you have to do anyway to run the QA tests), and run the programmer to write into the EEPROM. No need to route pins out from the chip to be used exclusively for programming, no need for dedicated programming pins or multiplexing programming into other pins.
To prevent it from being changed post manufacture, you could have lock bits; I don't know if the FTDI has them, but even if it has, lazy manufacturers won't set them, since they make it harder to fix any mistakes later.
> This variant attempted to shut down all USB communications when it detected a fake. Granted, it was done in a haphazard manner, but that strikes me as just sloppy coding.
Did you read the reverse engineering of the bricking routine? It's not sloppy coding, it very purposefully overwrites the PID field, in a way that does nothing on a genuine FTDI. It takes care to calculate the correct checksum so the chip does not go back to its defaults. There is no legitimate reason for that routine, it is explicitly trying to zero the PID.
From what I have read, it doesn't even stop the communications. I have read at least one person being able to write an Arduino sketch to his board only once, and then it stopped working. It seems there is no other check for a genuine part; it works until the USB is disconnected, and then it won't bind to the driver anymore (due to the zeroed PID).
> Then, when the manufacturer of the legitimate chip decides to put out an update that, as a side effect, bricks a number of the fakes, everyone goes after the legitimate manufacturer?
If it were just a side effect, there would be much less controversy. But, as the reverse engineering showed, it was not a side effect; the bricking was deliberate.
[ link to this | view in thread ]
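An added illustration of the binding behaviour described in the comment above (not code from the thread, from FTDI, or from any driver): a driver binds only to the VID:PID pairs in its match table, so a device whose PID has been rewritten to 0000 is still enumerated but no driver claims it. The FTDI vendor ID 0x0403 and the two default PIDs are supplied here rather than taken from the page, the match table is an abbreviated stand-in, and the `lsusb` lines are constructed sample input.

```python
import re

FTDI_VID = 0x0403  # FTDI's USB vendor ID (not stated on the page)

# Abbreviated, constructed stand-in for a serial driver's match table:
# the driver binds only to (VID, PID) pairs that it lists.
DRIVER_ID_TABLE = {
    (FTDI_VID, 0x6001),  # default PID of FT232-style single-port parts
    (FTDI_VID, 0x6010),  # default PID of FT2232 dual-port parts
}

LSUSB_LINE = re.compile(
    r"^Bus (?P<bus>\d{3}) Device (?P<dev>\d{3}): "
    r"ID (?P<vid>[0-9a-fA-F]{4}):(?P<pid>[0-9a-fA-F]{4})\s*(?P<name>.*)$"
)


def parse_lsusb(text):
    """Return one dict per well-formed `lsusb` line; skip anything else."""
    devices = []
    for line in text.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if not m:
            continue
        devices.append({
            "bus": int(m["bus"]),
            "dev": int(m["dev"]),
            "vid": int(m["vid"], 16),
            "pid": int(m["pid"], 16),
            "name": m["name"].strip(),
        })
    return devices


def classify(vid, pid, table=DRIVER_ID_TABLE):
    """Say what a table-driven driver would do with this VID:PID pair."""
    if vid != FTDI_VID:
        return "not-ftdi-vid"
    if pid == 0x0000:
        # Still enumerates, but no match-table entry exists for PID 0000.
        return "zeroed-pid"
    if (vid, pid) in table:
        return "driver-binds"
    # e.g. a designer-assigned PID that a different driver is meant to claim
    return "unlisted-pid"


def audit(text):
    """List (bus, device, status) for every device reporting the FTDI VID."""
    return [
        (d["bus"], d["dev"], classify(d["vid"], d["pid"]))
        for d in parse_lsusb(text)
        if d["vid"] == FTDI_VID
    ]


# Constructed sample input in `lsusb` format.
SAMPLE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID 0403:6001 Future Technology Devices International, Ltd FT232 Serial (UART) IC
Bus 001 Device 005: ID 0403:0000 Future Technology Devices International, Ltd
Bus 002 Device 003: ID 0403:6010 Future Technology Devices International, Ltd FT2232C/D/H Dual UART/FIFO IC
Bus 002 Device 007: ID 0403:f00d Future Technology Devices International, Ltd
not an lsusb line
"""

if __name__ == "__main__":
    for bus, dev, status in audit(SAMPLE_LSUSB):
        print(f"bus {bus:03d} device {dev:03d}: {status}")
```

On a live Linux machine the same functions can be fed the captured output of `lsusb` instead of the sample string.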
Re: Re: Re:
We don't know if:
a) There are fakes which are laser etched;
b) There are legitimate chips which are not laser etched.
Manufacturing isn't static, designs change. One genuine chip might be made in a factory which laser etches the label, while another genuine chip (with the same design, perhaps even with wafers from the same factory) is made in a different factory which prints the label.
[ link to this | view in thread ]
Re: Yet another reason
This hardware-bricking driver "update" is entirely on FTDI.
I'm even sympathetic to their resentment of counterfeiters. In some sense I'm even sympathetic to their resentment of clones and "freeloaders". But I'm NOT sympathetic to FTDI designating any and all "unapproved" clones as "counterfeit" -- clones and "freeloaders" are the inevitable consequence of being a market front-runner. They might not like it, but that doesn't give them the right to play judge, jury, and vigilante.
FTDI knowingly and maliciously designed this driver to behave this way, and passed it on to Microsoft. Windows was merely the mechanism to deliver this malware to end-users, and in this case Windows Update was behaving precisely as designed, and as it should.
Now then, I've been using Linux for nearly 15 years, and I've despised Windows (and especially Microsoft) for longer than that... So I would most cheerfully take advantage of a legitimate opportunity to trash Microsoft -- unfortunately :( this is not that opportunity. This is all on FTDI.
[ link to this | view in thread ]
Re: there is a place to work this out...
Epitaph: "It ain't so bad... The IT guy had to take a pay cut."
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Yet another reason
They have no such obligation, although their desire to do so is understandable.
"Using another vendor's ID give them control over that device. All FTDI did was take back their ID. "
What does that even mean? The counterfeiters weren't taking control of anyone else's device, and FTDI wasn't "taking back" anything.
But regardless, none of that excuses damaging the property that belongs to other people.
[ link to this | view in thread ]
Re: Re: Re: Re: counterfeit electronics are the real problem
"the legitimate owner owes you nothing"
The people who bought the equipment are the legitimate owners. I'm not so sure why this is so difficult to understand. It's not a matter of people (I assume you mean FTDI) owing anything to the customers, it's a matter of FTDI not intentionally destroying things they don't even own.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: counterfeit electronics are the real problem
This is provably a case of malice. FTDI's driver has been reverse engineered, and the code makes it clear this was an intentional operation aimed at a particular counterfeit.
"It should not be capable of being modified from USB. In fact, it should not be capable of being modified at all. "
True, it should not be modifiable, but in nearly every USB controller (including FTDI's chips), it is.
"FTDI's setting the PID to 0000 is questionable, but I think it was done as a matter of something that worked to prevent communications with the counterfeits"
You know what works just as well? Their driver simply refusing to talk with the counterfeit, perhaps while also warning the user of the counterfeit's existence. There's no need to damage the device. In fact, now that FTDI has been caught, this is exactly what their replacement drivers do. And even if that wasn't an alternative, it's still very much the wrong thing to intentionally damage other people's equipment.
"I just think that this is representative of the points of view of some people."
And those are people whose equipment and software can't be trusted.
"when the manufacturer of the legitimate chip decides to put out an update that, as a side effect, bricks a number of the fakes, everyone goes after the legitimate manufacturer?"
Yes indeed, because it wasn't a side-effect. It was absolutely an intentional effect. Going after them for this is entirely appropriate.
"That just seems damn entitled to me."
So, expecting that nobody is going to come onto my property and smash things up is now considered "damn entitled"?
"You're in effect saying that the legitimate company must test each new driver with potentially hundreds of variants of the fake"
Not at all. Where do you get that from? Again, this wasn't some kind of incompatibility or accident. This was an intentional act.
[ link to this | view in thread ]
Re: Re: Re: counterfeit electronics are the real problem
No, they emphatically do not have that right. It's not their hardware, and they have no right to modify it. What they have a right to do is to sue the companies that are using counterfeit chips and to have their driver refuse to talk to counterfeit chips.
They don't have the right to damage other people's property.
I am utterly amazed that anyone supports a company breaking other people's things. Would you be so cavalier if Firestone discovered that you had counterfeit tires on your car and slashed them in response? It's exactly the same thing.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re: Re: Re: counterfeit electronics are the real problem
This was shocking news back in the 1990s, but maybe other software companies have done similar things since then.
[ link to this | view in thread ]
Re: Re: Re:
The driver did not say "I'm not going to recognize this device." It said "I'm going to reprogram this device so no driver can recognize it."
Not allowing someone to stay in your hotel because you suspect they're using the room to have an affair is not the same thing as forcibly putting them in a chastity belt.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re: Re:
Since that logic is pretty sound, that's exactly what FTDI did- after they spent the original time and money. They could have saved resources and avoided uproar.
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
How's that for the creation of a patriotic society? Thanks, government friends!
[ link to this | view in thread ]
Re: They did it on purpose
[ link to this | view in thread ]
Re: Re: Where are these chips used?
[ link to this | view in thread ]
Re: Re: counterfeit electronics are the real problem
That used to be the way science progressed. All the time.
[ link to this | view in thread ]
Re:
This goes for both hardware and software. If you don't want to do business with me that's your problem. I'm free to go do business with someone else- even if they're not licensed to give me the authority to use said infinitely reproducible results.
[ link to this | view in thread ]
Re: Re: Re:
So long as it is not buried in plastic, or in a difficult to open enclosure. Even then, they have to know which chip it is on the board, and if it is a surface mount chip, they probably need a magnifying glass to read the bloody label, and maybe a movable light source to get the contrast up to where the label is readable.
[ link to this | view in thread ]
Some things to make clear!!
Bricked chips cease to work on Linux and OS X, where the drivers aren't provided by FTDI.
There are multiple makers of fake FTDI chips; most fakes work well, some not.
The final customer has no way to know if the chip he buys is legit or not; even the marks on the chips can vary a lot.
Often even builders implementing FTDI in their equipment can have no idea where the chips come from.
Before the bricking fake issue, the only way to discover a fake that works fine was to dismantle the chip and observe it with an electronic microscope, so you can't compare with fake money or goods.
This is their biggest mistake: FTDI never provided a tool or a method to detect fakes.
FTDI drivers never told users that the chip that was installed in their equipment was a fake, they just bricked it.
I could understand if they took another approach, like telling "you're using a fake chip, we give you 30 days to fix it, then the driver will cease to work every 10 minutes".
The EULA can't apply at all even if the laws allow their action; Windows Update deployments are silent, so no, you can't read them unless they're already installed.
[ link to this | view in thread ]
Re:
When you agree to, or allow the powerful, to take control of the property that is the mainstay of your life, and exercise arbitrary control, you become a serf. In olden times it was the land, and its seizure by warriors that created serfs. Nowadays it is computers, and the rich and powerful are trying to seize total control over your devices, which will give them control over the information you can obtain, which also helps in reducing people to being serfs.
[ link to this | view in thread ]
Re: Some things to make clear!!
That would be acceptable only if they also offered to reimburse anyone who suddenly had to replace the affected part, given I'm sure the vast majority of people using the fake chips had no idea (and no way to know) that they were fake when they made the original purchase of the hardware.
[ link to this | view in thread ]
Re: Yet another reason
The code there shows the bricking is deliberate - write something that the real chip will ignore, but fakes will act on.
At the very least FTDI employees have committed criminal acts under the UK's Computer Misuse Act and a more likely result will be FTDI's exit from the usb-serial market entirely.
[ link to this | view in thread ]
Teapot Tempest
[ link to this | view in thread ]
Re: Microsoft only checks drivers for compatibility
[ link to this | view in thread ]
Planned Obsolescence
The mouse loads and seems to work fine until one moves the mouse with some speed and then it literally disconnects itself and seconds later, reconnects itself.
Every single mouse I have - dating back many years - now does this, with one exception. A Razor Gaming mouse that I have to put taped protectors on to prevent pushing the buttons the silly idiots placed on both sides where you hold the mouse. I would never use this mouse if it were not the only one that works.
I would buy a new mouse, but the chances that it will fail seem high and means I will simply be stuck with another dead mouse.
Could this be due to this FTDI chip thing?
---
[ link to this | view in thread ]
Re: Re: Where are these chips used?
Who cares if it kills people, so long as IP is not abused?
Disgusting.
[ link to this | view in thread ]
Re: Re: Microsoft only checks drivers for compatibility
[ link to this | view in thread ]
Are these devices real or fake devices?
I have two boards that may have these devices. There is no way for anyone except for FT to know. Did they check where these devices may be? Were they in medical equipment that may fail because of premeditated murder? If someone dies because of failure does Microsoft / FT answer the charges? How in the world can a consumer or designer know for sure that this company's parts are in their products? In my opinion it will be safer to design with parts that cannot, by design, be shut off at the discretion of the manufacturer. Many of the Arduino boards now use another Atmel device programmed to handle USB. They include a program header to re-flash the device. Is there any reason not to go this route in the design of new devices? Is FT the only company that makes USB interface drivers? Since the underlying IO is actually TTL RS232 why not get a new interface and use it? It is really hard to hack this system. It makes no sense to use devices that can at will be sabotaged.
[ link to this | view in thread ]
What have the courts said?
[ link to this | view in thread ]