> On Thu, Oct 23, 2014 at 04:27:50PM +0800, Perry Hung wrote:
>> It doesn't seem so, there's an IDA pro dump from somebody who decompiled the
>> driver:
>> https://twitter.com/marcan42/status/525126731431038977/photo/1
> A picture of the source code created by disassembling a binary driver
> that was written to brick a cloned USB controller device.
> Reverse engineering inception layers...

And I used a Windows disassembler/decompiler... running on Wine, which
itself is a clone of the Windows API. :-)

FWIW, here's a more accurate analysis, after I had time to figure out
exactly what's going on: https://marcan.st/transf/ftdi_evil.png

The code only reprograms the PID to 0, but leaves the VID alone. FTDI's
driver's INF file only registers it for devices under FTDI's own VID, so
it should be safe to say that this update will only bork devices with
VID 0403, and so we only need to add 0403/0000 to the ID list.

FTDI's code also only touches devices with bcdDevice & 0xFF00 == 0x600
(because, amusingly, the code will actually brick other legitimate FTDI
devices, just not FT232RL due to its specific EEPROM quirk):

Amusing note: they're evidently missing a return statement for non-232RL
devices, which ended up returning the dev pointer as garbage, which
confused the decompiler as to the type of the return value. It's ignored
anyway, but it seems they don't care about compiler warnings!

If some manufacturer incorporates this update into their own driver
package, with a custom INF and VID, and they are also shipping
counterfeit/clone chips, then we could end up with another VID also
being affected, but this is probably relatively unlikely (hopefully
those shipping their own customized drivers are aware of this saga and
will either not ship this build or will make damn sure they haven't sold
any devices with clones).

(I hope I got the In-Reply-To header right this time around...)
Hector Martin (hec...@marcansoft.com)
Public Key: http://www.marcansoft.com/marcan.asc
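
The two descriptor conditions from the message above (VID 0403 with PID 0000, and `bcdDevice & 0xFF00 == 0x600`) can be checked against the `idVendor`, `idProduct` and `bcdDevice` attribute files Linux exposes under `/sys/bus/usb/devices`. The following is an added example, not part of the original message or of any driver; the function names, labels and the sample tree (including PID 6001) are constructed for illustration, and descriptors alone cannot tell a genuine chip from a clone.

```python
import os
import tempfile

FTDI_VID = 0x0403                     # VID named in the message
ZEROED_PID = 0x0000                   # PID the driver writes, per the message
BCD_MASK, BCD_MATCH = 0xFF00, 0x0600  # bcdDevice test quoted in the message
FIELDS = ("idVendor", "idProduct", "bcdDevice")  # sysfs attribute file names

def classify(vid, pid, bcd):
    """Label one device descriptor; None means not relevant here."""
    if vid == FTDI_VID and pid == ZEROED_PID:
        return "pid-zeroed"           # the 0403/0000 state described above
    if vid == FTDI_VID and (bcd & BCD_MASK) == BCD_MATCH:
        return "bcd-06xx"             # device class the driver code checks for
    return None

def read_hex(path):
    with open(path) as fh:
        return int(fh.read().strip(), 16)

def scan(sysfs_root="/sys/bus/usb/devices"):
    """Walk sysfs-style device directories and return {name: label}."""
    found = {}
    for name in sorted(os.listdir(sysfs_root)):
        try:
            vid, pid, bcd = (read_hex(os.path.join(sysfs_root, name, f))
                             for f in FIELDS)
        except (OSError, ValueError):
            continue  # interface nodes such as 1-1:1.0 lack these files
        label = classify(vid, pid, bcd)
        if label:
            found[name] = label
    return found

def make_sample_tree(root):
    """Constructed sample data: three fake devices laid out like sysfs."""
    samples = {"1-1": ("0403", "0000", "0600"),
               "1-2": ("0403", "6001", "0600"),
               "1-3": ("1234", "5678", "0100")}
    for name, values in samples.items():
        os.makedirs(os.path.join(root, name))
        for fname, val in zip(FIELDS, values):
            with open(os.path.join(root, name, fname), "w") as fh:
                fh.write(val + "\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        print(scan(tmp))
```

Calling `scan()` with no argument reads the live sysfs tree on a Linux host.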
