36 comments

[ 2.7 ms ] story [ 83.9 ms ] thread
A friend of mine just ran into this, and after investigation it seems it is quite the thing. Don't buy your chips on Ebay or Alibaba I guess.
Its worse than that. Don't buy a board from Ebay or Alibaba.
Its worse than that. Don't buy generic electrical goods w/USB from East Asia (they might be tainted by this, unbeknownst to you).
"Don't buy generic electrical goods from East Asia" is pretty good advice in general, given that some people have been literally electrocuted by faulty low-cost equipment sourced from the region.
“Only buy electronical goods from East Asia that passed VDE, TÜV Nord, GS and CE specifications and tests”.

(Interestingly, a lot of the US–produced products do not pass these tests either. The German standards for product quality are some of the highest existing and they have actually the ability to test all the imported stuff. Just don’t ever trust the TÜV Süd)

This might have just been rumor, but I've heard tell of devices with fake CE stickers.
It reminds me a bit of the great 'bad electrolytic capacitor' debacle that cost companies millions.
Except in this case, the quality of the fake is fine.
It's hard to know if that's true or not - as if the fakes caused a bunch of problems, they'd be complaining about FTDI rather than the fakes.
Nope. It has the wrong VID/PID programmed in to it.
Supply chain integrity is hard, especially when you're building things on a schedule, especially when you're building <50k in a batch, and when you're not super well known.

I wish we'd bring back an electronics manufacturing industry to the US just for that reason alone, even at 2x the cost. Right now it seems the "safest" way to make boards in 5k units is in Mexico -- NAFTA rules plus cheaper labor and compliance.

Supposedly select parts are coming back, as big companies lose faith. (But not all of it will come back)
the thing is that building a work alike chip - one that speaks the same protocols, has the same pinout, (but a different USBID/part number)is perfectly OK - price competition is good right?

The vendors would have to write their own drivers but compared with the cost of spinning a chip that shouldn't be a big deal, if they'd come out and sold their chips on the open market as a clone they'd probably get a lot of business.

Of course one of the weird things about ft232s is that they're non-standard USB devices (don't meet the ACM spec). If the cloners made ACM compatible chips they wouldn't need to write drivers since all OSs have them built in these days.

Disclaimer: I build and sell open source USB boards, including serial devices (ACM, not ft232 compatible)

Price competition is great! The shady thing about the imitations is trying to insert themselves into someone else's supply & support chain, IMO.

Which is probably tied to the reason they didn't implement the ACM spec- from my limited hobbyist view, FTDI is the dominant player, so of course they would chose to mimic the non-standard ft232 instead of some underdog ACM player.

Oh, and as for costs, you're totally right that spinning a chip costs way more than a driver. But:

- A theme as I learn about fly-by-night companies is they piggyback on other operations. As the article observes, this knockoff required only 1 mask layer, because the rest is probably a standard microcontroller.

- Marketing & marketshare are probably the real reason, not getting out of writing drivers. Again, FTDI seems to be the entrenched player.

(comment deleted)
Pretty typical HN over-reaction. Why not wait to hear from FTDI before joining the lynching mob? If the driver broke clones without the express intention to cause damage, well, tough for the clones. If, on the other hand, they set out to actually cause damage they are out of business or will suffer greatly.

There's another angle here. I'll use a hypothetical. Say your chips are being used on MRI machines, cars, planes, glucose meters, ATM machines and a whole host of other mission critical systems. And you know clones are dangerous because they are unreliable, failure prone and nondeterministic in some way. What do you do? What should you do? Bricking these devices without warning would be a bit extreme, agreed. What if you figure out a way to ensure that legitimate chips work and others fail in whatever way based on the nature of the cloning design. Is that OK. What if people could die? Not trying to be dramatic at all. Just saying that sometimes you need to be in someone else's shoes in order to understand their ecosystem and have context from which to understand their decisions.

I've been using FTDI chips since they came out. I have designed products that could kill people and burn down buildings if they were to fail in certain ways. We bought these chips through proper distribution channels. Had we not or in the case of our distributors being duped by clone makers I'd much rather our devices be bricked than risk someone getting hurt. So, yeah, this is very real for me.

>And you know clones are dangerous because they are unreliable, failure prone and nondeterministic in some way.

Is there any evidence of this?

Say your chips are being used on MRI machines, cars, planes, glucose meters, ATM machines and a whole host of other mission critical systems.

First, that's a red herring because most of those machines aren't running Windows, let alone with automatic updates.

Second, you're essentially advocating vigilantism by corporations. If FTDI was actually concerned about the lives of people due to faulty chips - and I find this supposition laughable, but let's go with it - they could have (1) warned the users, (2) disable the driver and/or (3) contact the appropriate official institutions.

A supposition that someone, somewhere might die does not justify unlawful destruction of property, and if proven that FTDI intended to brick those chips, I hope they get sued hard.

> First, that's a red herring because most of those machines aren't running Windows, let alone with automatic updates.

Are people on HN wound up so tight that all imagination is lost? These are HYPOTHETICAL EXAMPLES used to illustrate mission critical applications. And be careful about making assumptions about critical systems not running Windows. You'd be surprised. Sometimes vendors don't have a choice. If you are working under a contractual obligation to use Windows, well, that's what you use. For example, what do you think you might find in a huge array of military Command and Control centers? Yup.

You also seem to be ignoring the fact that FTDI chips typically go on all kinds of embedded systems that are attached to a computer for tasks that have nothing to do with their mission critical nature.

For example, we built a dedicated FPGA-based target tracking system used in such places as White Sands Missile Test Range that was entirely self contained. It has an FTDI-driven serial port for firmware updates and configuration. Don't assume that everything related to USB requires full time connectivity like a keyboard or a mouse.

Another example is an extremely high power LED system with over 1,500 W of LEDs (much more, but that's all I can say). FTDI-powered USB is used to control it in real time. And, yes, a Windows application is at the other end. That was the spec. And, yes, it has error correction code and a dedicated communications protocol that ensures a certain degree of safety. If that chip is a fake there is no way to know what other "features" it may have.

Again, the HN mob is quick to be judge, jury and executioner. That's to be expected. Until most of the HN crowd has another decade or two under their belt emotion will drive a lot of the thought processes. I get it.

If FTDI truly intended to cause harm, of course they deserve to be sued out of existence. What kind of a moron would not agree with that. If, on the other hand, the issues are a side effect of code that is so fine-tuned to their devices that bad clones fail, well, that's not their fault. I need to go dig-up the official FTDI position on this, everything else is bullshit and conjecture.

(comment deleted)
To be clear, I wasn't accusing FTDI themselves of anything. I was purely arguing to your hypothetical example, in which they did intend to brick chips. If you didn't want to argue that position, you shouldn't have made a post arguing it.

Kindly redirect your anger against the "HN mob" somewhere else.

Not angry at the HN mob, they provide daily comic relief. They also remind me that some of the opinions I had when I was younger must have sounded just as moronic to the more experienced engineers and business people I worked with.

I mean, we are all pretty stupid and impressionable until somewhere around 30 years of age. By that time life has generaly done a pretty good job realigning young idealist thinking and opinions borne out of indoctrination.

Life experience is also a huge factor in this. For example opposite poles are found in people who spent twenty years working a government job (can't get fired, insane pension) vs. a bootstrapped entrepreneur (self reliance, responsible for own success and failure, no pension). These people reach 40-something years of age with vastly different views of reality. You come across these and other extremes here on HN.

For the record, I have nothing but contempt for people who live a life where they are not responsible and accountable for their actions and future. I think it degrades the human condition.

So, no, not angry at HN mobs or any other internet mobs.

If your stuff is really that critical, wouldn't you rather they tell you that you have a fake, rather than just brick it mysteriously and leave you to figure out the reason on your own?
In order to understand this you have to take a deep dive into the sometimes-murky world of electronic component sourcing. Even when buying from top tier distributors in the US there's potential for getting less-than-wholesome product. The legitimate product manufacturer would have no way of knowing who got what. The best anyone can do is issue a notice like auto manufacturers do for recalls advising you that fake chips may have gotten into the system.

Now think about how you might react to that.

Externally the chips look exactly the same. Depending on the nature of the organization you might choose to scrap your entire inventory or setup a testing system or. In the case of larger scale production you could very well have 100,000 units of your product manufactured before you can even consider reacting to the news.

Once the product is in the market your choices are greatly reduced. Scale is a huge factor. We can send engineers to every single one of our installations to manually swap chips. I did the math, it would probably cost somewhere in the order of five million dollars to do so (travel, time, tools, loss of business, etc.). Well, we can't do that. Few businesses can burn cash like that. And, of course, there's the issue that we might waste millions of dollars swapping out good chips. In this context it is far easier if devices with fake chips stop working and a normal process is used to fix them. You remove liability and quickly identify the clones.

In consumer land things are different. There is no sensible way to deal with 100,000 or 1,000,000 units of a product that may have some bad chips. Yes, you probably don't want those devices bricked on purpose. However, if you are operating at that scale you are also responsible for ensuring that your supply chain is not shoving fake or out-of-spec parts into your products. Easier said than done. This isn't the only fake electronic component made by crafty Chinese manufacturers. In that regard this isn't a revelation at all.

I'm not sure I understand how this makes bricking better than simply detecting the problem. The advantage you discuss seems to boil down to the ability to identify bad units, but disabling them isn't necessary to identify them, so I don't really understand what's useful there.
It depends on the market you serve and the kinds of products you sell and support. In some cases it doesn't make sense.
I'd much rather our devices be bricked than risk someone getting hurt.

The idea that these are mutually exclusive options is almost comically naive, particularly coming from somebody who claims to have designed critical systems.

You have obviously never experienced a situation where a signal is perfectly good at one end of a PCB trace and bad at the other with no apparent reason for the difference.

Make fun of my statement all you want. Give it a decade or two and you might understand. And, of course, if you don't design hardware and the software that runs it you lack a huge layer of context. Perhaps you do. Don't know.

It's like you didn't even read my post! Of course many of us who have worked in hardware have had issues with bad parts. The idea that this justifies bricking a piece of hardware when the driver on the controller system is upgraded is ludicrous and dangerous. Your decades of experience seem to have blinded you to basic risk mitigation.
No, I read it. You thought my position was comical. And this revealed you simply don't have enough experience to fully comprehend it. And that's OK. My opinions thirty years ago were based on a very different version of reality. I get it. Don't worry about it.

Of course this does not mean we WANT our devices bricked. We immediately issued a tech notice to our customers advising to avoid driver upgrades until further notice.

We are OK with devices being bricked under a supervised upgrade.

We don't want ANY fake and potentially dangerous chips in our equipment. We don't think we have any due to the nature of our supply chain. Yet we can't assume this. Fake devices can be dangerous in more ways than compatibility and functionality issues. For example, they can have substandard ESD characteristics, RF emissions issues, power issues, thermal issues and flat out safety problems. They can represent a huge liability.

And so we are planning on setting up a process through which we have customers swap out the board with the potentially questionable chips with a known good board we Fedex in advance. We can rotate a few boards in this fashion and service all of our customers within a few months.

If one or more brick before we can get to them we'll FedEx a board right away. In this fashion the bricking acts as an inconvenient fake chip detector. We don't have any high volume consumer products so our perspective is very different from that of a company making consumer cameras or routers.

Ok, I understand you now. My experience has been working with devices which, while potentially dangerous, are voluminous enough that we can't have individual relationships with every end user. While we'd be offering warranties/exchanges if we discovered a fake chip, we'd have no way of guaranteeing that they wouldn't update their controller in the meantime or of forcing them to exchange their board for a newer rev.
Right. Different perspectives. Things don't always fit neatly into the same box.

So some degree I wonder whether FTDI is more of a niche market/small volume product than mass market.

If you are making a high volume consumer device it behooves you to optimize cost by using microprocessors with integrated USB capabilities rather than resorting to a USB to serial chip.

In other cases the USB to serial approach is attractive because either you have a very small micro or a situation where a full stack OS doesn't exist in the device. As an example, an 8051 derivative would be easier to interface with an FTDI chip. A TI (or whatever) 32 bit micro already comes with USB and there's plenty of support in the way of embedded driver code to make it work.

It'd be interesting just how FTDI's market share is segmented. Not sure this information is available anywhere.

I can understand FTDI's frustration, but vigilantism is not acceptable behavior. The lawyers are going to have a feeding frenzy on this one.
I don't get it. What's the logic behind silently killing a counterfeit chip instead of showing a pop-up window with "Unlicensed chip detected, drivers stopped." or smth? I'm sure most of the buyers of these counterfeit chips get in such situation without knowing and would be happy to return the fake chips/boards to supplier what in turn could help fighting the root cause, not just punishing the unsuspecting end users. I personally have encountered many non-working FTDI cables and blamed FTDIChip for their lousy quality control, so it not only hurts the end-users but the reputation of the legitimate company as well.