> On Thu, Oct 23, 2014 at 04:27:50PM +0800, Perry Hung wrote:
>> It doesn't seem so, there's an IDA pro dump from somebody who decompiled the
>> driver:
>>
>> https://twitter.com/marcan42/status/525126731431038977/photo/1
>
> A picture of the source code created by disassembling a binary driver
> that was written to brick a cloned USB controller device.
>
> Reverse engineering inception layers...

And I used a Windows disassembler/decompiler... running on Wine, which
itself is a clone of the Windows API. :-)

FWIW, here's a more accurate analysis, after I had time to figure out
exactly what's going on:

https://marcan.st/transf/ftdi_evil.png

The code only reprograms the PID to 0, but leaves the VID alone. FTDI's
driver's INF file only registers it for devices under FTDI's own VID, so
it should be safe to say that this update will only bork devices with VID
0403, and so we only need to add 0403/0000 to the ID list.

FTDI's code also only touches devices with bcdDevice & 0xFF00 == 0x600
(because, amusingly, the code will actually brick other legitimate FTDI
devices, just not FT232RL due to its specific EEPROM quirk):

https://marcan.st/transf/checkbrick.png

Amusing note: they're evidently missing a return statement for non-232RL
devices, which ended up returning the dev pointer as garbage, which
confused the decompiler as to the type of the return value. It's ignored
anyway, but it seems they don't care about compiler warnings!

If some manufacturer incorporates this update into their own driver
package, with a custom INF and VID, and they are also shipping
counterfeit/clone chips, then we could end up with another VID also being
affected, but this is probably relatively unlikely (hopefully those
shipping their own customized drivers are aware of this saga and will
either not ship this build or will make damn sure they haven't sold any
devices with clones).

(I hope I got the In-Reply-To header right this time around...)
-- 
Hector Martin (hector@xxxxxxxxxxxxxx)
Public Key: http://www.marcansoft.com/marcan.asc
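An added example, not part of the original email and not code from FTDI or the kernel: a sysfs scan that flags devices enumerating as 0403:0000 and devices matching the bcdDevice check described above. The function names, verdict labels and sample tree are assumptions made for illustration; the sample descriptor values are constructed.

```python
from pathlib import Path

FTDI_VID = 0x0403                      # VID the FTDI INF registers for (from the email)
ZEROED_PID = 0x0000                    # PID the driver writes (from the email)
BCD_MASK, BCD_MATCH = 0xFF00, 0x0600   # bcdDevice check described in the email


def _read_hex(path):
    """Read a sysfs hex attribute such as idVendor; None if absent or malformed."""
    try:
        return int(path.read_text().strip(), 16)
    except (OSError, ValueError):
        return None


def classify(vid, pid, bcd):
    """Label one device descriptor (labels are hypothetical, chosen for this example)."""
    if vid != FTDI_VID:
        return "other-vendor"
    if pid == ZEROED_PID:
        return "pid-zeroed"            # enumerates as 0403:0000
    if bcd is not None and (bcd & BCD_MASK) == BCD_MATCH:
        return "matches-bcd-check"     # device class the driver code acts on
    return "ftdi-other"


def scan(root="/sys/bus/usb/devices"):
    """Return (name, 'vid:pid', bcdDevice, verdict) for each device under root."""
    found = []
    for dev in sorted(Path(root).iterdir()):
        vid, pid = _read_hex(dev / "idVendor"), _read_hex(dev / "idProduct")
        if vid is None or pid is None:
            continue                   # interface nodes carry no device descriptor
        bcd = _read_hex(dev / "bcdDevice")
        found.append((dev.name, f"{vid:04x}:{pid:04x}", bcd, classify(vid, pid, bcd)))
    return found


def make_constructed_tree(root):
    """Write a constructed sysfs-like tree (sample data, not a real capture)."""
    sample = {"1-1": ("0403", "0000", "0600"), "1-2": ("0403", "6001", "0600"),
              "1-3": ("0403", "6010", "0700"), "1-4": ("046d", "c077", "7200")}
    for name, (vid, pid, bcd) in sample.items():
        d = Path(root) / name
        d.mkdir(parents=True)
        for attr, val in (("idVendor", vid), ("idProduct", pid), ("bcdDevice", bcd)):
            (d / attr).write_text(val + "\n")
    (Path(root) / "1-1:1.0").mkdir()   # interface node without idVendor
```

Calling `scan()` with no argument reads the live Linux sysfs tree; a "matches-bcd-check" verdict says only that the descriptor passes the bcdDevice test, not that the chip is a clone.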