FTDI's latest driver update appears to be semi-permanently disabling counterfeit FT232 chips.
As you may or may not have heard by now, the latest driver update from chip manufacturer FTDI is disabling, semi-permanently, counterfeited chips. I’ll get more into the technical details later, but I’m going to open with this:
At this time, SparkFun does not believe any of our products to be compromised by this issue.
Why does this matter so much? Well, the FTDI USB-to-Serial bridge IC (the FT232, specifically) has been a mainstay of the hardware hacking community for many years. The first USB-based Arduino boards used it; SparkFun’s RedBoard still does.
As soon as we heard about it (from Twitter, of course), we immediately began assessing our product line for products which might be of concern. At the moment, we have about 30 individual products using the FT232 chip. We immediately crossed most of them off the list; our in-house assemblies are all produced using chips from reputable suppliers (like Mouser, Digikey, Future, etc.).
We have less visibility into assemblies that come pre-made to us, however, so we immediately set about testing them for vulnerability to this change. Testing is still ongoing, but our preliminary tests show that current stock is not affected. We already had the discussion with suppliers in the past regarding counterfeit chips (you may recall that we had a brush with this issue in the past), so we’re quite confident in the product we’re currently selling.
If you think something you purchased from SparkFun is affected by this please contact our tech support team immediately. They’re really good at what they do, and they’ll get your problem sorted out in no time.
Okay, now that we’ve covered the business end, let’s talk nerdy.
From what we’ve been able to glean from other posts (as yet, we’ve not been able to duplicate this in house, since we don’t have any counterfeit FTDI chips), this is an intentional attempt by FTDI to address the growing population of counterfeit FTDI chips on the world market. With the release of Windows driver version 184.108.40.206 on 26 August, a part of the driver’s functionality is to silently change the PID (which is the 16-bit code assigned to a product by its manufacturer to allow the OS to identify the driver which should be used for that part) from 0x6001 to 0x0000.
This change takes place in the target’s non-volatile memory, so even after the counterfeit device is removed from the system which altered it, that chip will no longer be recognized as an FTDI-compatible USB to serial bridge, on any computer, under any operating system.
Of course, it may be possible to change the PID back, but any Windows computer with v220.127.116.11 of the driver installed will immediately alter the PID again.
The reason this has become an issue recently (remember, the date on this driver is 26 August) is because the new driver recently hit Windows update. Anyone who’s used FTDI chips extensively under Windows has probably experienced the COM port proliferation issue: whenever an FTDI chip is plugged into a USB port that it’s not been plugged into before, Windows searches Windows Update for a new driver and assigns a new COM port number to that chip on that USB port. If you don’t tell Windows to stop looking online, it will automatically and silently load the new driver which will automatically and silently brick the counterfeit FTDI chips.
I haven’t heard anything suggesting Mac or Linux drivers have a similar function, although if they don’t now it’ll only be a matter of time until they do. It’s unclear at this time how the FTDI driver identifies counterfeit chips; until we know more about that process, if you think you may have received counterfeit parts (say, as a part of a knock-off Arduino clone purchased on Ebay at a suspiciously low price), avoiding updating your drivers is probably a wise thing to do.
Keep an eye on this post and the SparkFun (or SFE_Engineering) Twitter accounts; if we find out anything new we’ll update this post. I’ll be trying to find a non-destructive means for identifying the counterfeits, and if I don’t and someone else does, we’ll post it here.