[Blabber] FTDIGate

James Carpino via Blabber blabber at list.hackmanhattan.com
Sat Oct 25 16:40:23 UTC 2014

They are already getting hammered and apparently caving in to the pressure.
      From: Guan Yang via Blabber <blabber at list.hackmanhattan.com>
 To: Hack Manhattan! <blabber at list.hackmanhattan.com> 
 Sent: Saturday, October 25, 2014 10:06 AM
 Subject: [Blabber] FTDIGate
Some of you may already have been following this. FTDI is a Scottish company that makes USB-to-serial chips. Every Arduino before the Arduino Uno used to have one, and they are still common in Arduino clones and many other devices, including mass-market consumer devices. They provide an interface between USB and the UART and other serial interfaces used by microcontrollers.

There are also many cloned FTDI chips. These are completely new implementations, that don't share any mask design with the original, but which are compatible with FTDI drivers and use their USB VID/PID. Some of these chips have an FTDI logo on top, which makes them counterfeit. It's also a violation of the FTDI driver license to use the driver with non-FTDI chips.

It's hard to avoid counterfeit chips. They show up everywhere, even with reputable suppliers, and even with official distributors. Sometimes official distributors are out of stock, so you try to get parts wherever you can.

In a recent update to the Windows drivers, which was pushed automatically to everyone who had automatic updates, FTDI added code that wrote the PID of non-FTDI FT232RL chips, but not real FTDI parts, to zero, thus making them unusable. It's possible to recover from this if you are on Linux. But FTDI chips (including counterfeits) are often in mass market products whose users don't know how to do that.

Among the many points raised on http://www.reddit.com/r/electronics/comments/2k7dsx/ftdi_responds_on_their_blog/cliyosr and elsewhere:

- FTDI could have just displayed a warning or disabled the driver when it detected counterfeit chips. Instead, they chose to brick them.

- They had language in the updated license about possible damage to counterfeit parts. It's very likely that doesn't cover them when they *intentionally* try to damage parts.

- The FTDI driver license prohibits using users from using the driver with non-FTDI parts. Setting aside the fact that most users don't have any way to know whether FTDI made the part, regular Windows users never see the FTDI license, and they certainly don't see the updated license when new driver versions come through Windows Update.

- This incident will make people afraid to leave automatic Windows Update on. Which threatens the security of the whole internet.

- It's not illegal to use FTDI's VID/PID. These are numbers that cannot be trademarked (see the Intel 386 trademark case). USB-IF will try to prevent you from using the USB logo if you don't follow their rules about VID/PID.

- There are several common types of USB serial device. FTDI's is proprietary, as is Prolific (often seen on cheaper Chinese devices, such as programming cables for handheld radios).

CDC is the standard which works on most operating systems without extra drivers. Except Windows, which will not register a COM port unless you have an INF file (basically a custom driver) that says, please associate this device with the CDC driver. This provides an incentive to try to emulate the behavior and VID/PID of a USB serial device that Windows already know about. (On Linux and Mac, CDC devices usually show up without special drivers.) This is also the opposite of how Windows handles hard drives, USB flash drives, mice and keyboards, which all work without a special INF file.

In conclusion, don't buy FTDI products. Some alternatives for USB-UART:

MCP2200 - basically a PIC with special firmware preloaded. Requires an external 12 MHz crystal. Supports CDC. $1.47 @100

CY7C65213. Built in clock. Supports CDC. $1.998 @100

There are now various guides circulating on how to tell a genuine FTDI part from a fake one. Ignore them. My solution: if it has the letters F, T, D and I on the package, don't buy it.

Blabber mailing list Blabber at list.hackmanhattan.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://list.hackmanhattan.com/pipermail/blabber/attachments/20141025/3e530d91/attachment.html>

More information about the Blabber mailing list