[v2] usb: serial: Repair FTDI FT232R bricked eeprom

This patch detects and reverses the effects of the malicious FTDI
Windows driver version 2.12.00(FTDIgate).

While we currently load the ftdi_sio driver for devices with
FTDI_BRICK_PID(0x0000) userspace applications that expect the
appropriate FTDI_8U232AM_PID(0x6001) PID may not work properly.

Since the malicious FTDI driver modifies the PID without modifying
the normal checksum field we can detect and limit the unbricking
to devices that were bricked specifically using the FTDI checksum
preimage attack technique used by the official Windows drivers.

This should have no effect on devices where the PID was deliberately
set to FTDI_BRICK_PID(0x0000) as the checksum would normally change
and the preimage target(address 62) should be 0. We validate that
the preimage target is not 0 before attempting to unbrick.

Since we only write to even addresses this should have no effect at
all on non-counterfeit FTDI hardware due to the hardware only
committing EEPROM writes when odd addresses are written.

References:
https://marcan.st/transf/detect_ftdi_clone.py
https://hackaday.com/2014/10/22/watch-that-windows-update-ftdi-drivers-are-killing-fake-chips/
https://www.eevblog.com/forum/reviews/ftdi-driver-kills-fake-ftdi-ft232/msg535270/#msg535270
https://lkml.org/lkml/2014/10/23/266
https://lore.kernel.org/patchwork/patch/509929/
https://lore.kernel.org/patchwork/patch/510097/

Signed-off-by: Russ Dill <Russ.Dill@gmail.com>
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Cc: Hector Martin <hector@marcansoft.com>
---
Changes v1 -> v2:
  - Move ftdi_read_eeprom and ftdi_write_eeprom outside #ifdef CONFIG_GPIOLIB
---
 drivers/usb/serial/ftdi_sio.c | 181 +++++++++++++++++++++++++++-------
 drivers/usb/serial/ftdi_sio.h |   4 +
 2 files changed, 152 insertions(+), 33 deletions(-)

On September 10, 2020 12:02:34 PM GMT+09:00, Oliver Neukum <oneukum@suse.de> wrote:
>Am Mittwoch, den 09.09.2020, 13:34 -0600 schrieb James Hilliard:
>> This patch detects and reverses the effects of the malicious FTDI
>> Windows driver version 2.12.00(FTDIgate).
>
>Hi,
>
>this raises questions.
>Should we do this unconditionally without asking?
>Does this belong into kernel space?

I agree; this is very cute, but does it really need to be an automatic Linux feature? Presumably someone looking to fix a bricked FTDI chip can just run my script, and those who just want to use those chips with Linux already can since the driver binds to the zero PID.

I am deeply amused by the idea of Linux automatically fixing problems caused by malicious Windows drivers, but thinking objectively, I'm not sure if that's the right thing to do.

>
>> +static int ftdi_repair_brick(struct usb_serial_port *port)
>> +{
>> +	struct ftdi_private *priv = usb_get_serial_port_data(port);
>> +	int orig_latency;
>> +	int rv;
>> +	u16 *eeprom_data;
>> +	u16 checksum;
>> +	int eeprom_size;
>> +	int result;
>> +
>> +	switch (priv->chip_type) {
>> +	case FT232RL:
>> +		eeprom_size = 0x40;
>> +		break;
>> +	default:
>> +		/* Unsupported for brick repair */
>> +		return 0;
>> +	}
>> +
>> +	/* Latency timer needs to be 0x77 to unlock EEPROM programming */
>> +	if (priv->latency != 0x77) {
>> +		orig_latency = priv->latency;
>> +		priv->latency = 0x77;
>> +		rv = write_latency_timer(port);
>> +		priv->latency = orig_latency;
>> +		if (rv < 0)
>> +			return -EIO;
>> +	}
>
>Do you really want to change this without returning to the original?
>
>	Regards
>		Oliver

On Wed, Sep 9, 2020 at 9:17 PM Hector Martin "marcan"
<hector@marcansoft.com> wrote:
>
>
>
> On September 10, 2020 12:02:34 PM GMT+09:00, Oliver Neukum <oneukum@suse.de> wrote:
> >Am Mittwoch, den 09.09.2020, 13:34 -0600 schrieb James Hilliard:
> >> This patch detects and reverses the effects of the malicious FTDI
> >> Windows driver version 2.12.00(FTDIgate).
> >
> >Hi,
> >
> >this raises questions.
> >Should we do this unconditionally without asking?
> >Does this belong into kernel space?
>
> I agree; this is very cute, but does it really need to be an automatic Linux feature? Presumably someone looking to fix a bricked FTDI chip can just run my script, and those who just want to use those chips with Linux already can since the driver binds to the zero PID.
Well for one your script is not easily useable with embedded platforms
like mine where I ran into this issue, I have no python2 interpreter
available in my production builds.
>
> I am deeply amused by the idea of Linux automatically fixing problems caused by malicious Windows drivers, but thinking objectively, I'm not sure if that's the right thing to do.

On September 10, 2020 12:46:20 PM GMT+09:00, James Hilliard <james.hilliard1@gmail.com> wrote:
>On Wed, Sep 9, 2020 at 9:17 PM Hector Martin "marcan"
><hector@marcansoft.com> wrote:
>>
>>
>>
>> On September 10, 2020 12:02:34 PM GMT+09:00, Oliver Neukum
><oneukum@suse.de> wrote:
>> >Am Mittwoch, den 09.09.2020, 13:34 -0600 schrieb James Hilliard:
>> >> This patch detects and reverses the effects of the malicious FTDI
>> >> Windows driver version 2.12.00(FTDIgate).
>> >
>> >Hi,
>> >
>> >this raises questions.
>> >Should we do this unconditionally without asking?
>> >Does this belong into kernel space?
>>
>> I agree; this is very cute, but does it really need to be an
>automatic Linux feature? Presumably someone looking to fix a bricked
>FTDI chip can just run my script, and those who just want to use those
>chips with Linux already can since the driver binds to the zero PID.
>Well for one your script is not easily useable with embedded platforms
>like mine where I ran into this issue, I have no python2 interpreter
>available in my production builds.

Surely you can port the exact same algorithm to plain userspace C, as you did to kernel space C :)

>>
>> I am deeply amused by the idea of Linux automatically fixing problems
>caused by malicious Windows drivers, but thinking objectively, I'm not
>sure if that's the right thing to do.
>From my understanding Linux fixing up hardware issues caused
>by faulty/weird Windows drivers isn't exactly unusual.

I'm not aware of any instances like this where nonvolatile memory is modified. At most you'll get things like resetting devices that a previous windows warm boot misconfigured, I think?

>>
>> >
>> >> +static int ftdi_repair_brick(struct usb_serial_port *port)
>> >> +{
>> >> +    struct ftdi_private *priv = usb_get_serial_port_data(port);
>> >> +    int orig_latency;
>> >> +    int rv;
>> >> +    u16 *eeprom_data;
>> >> +    u16 checksum;
>> >> +    int eeprom_size;
>> >> +    int result;
>> >> +
>> >> +    switch (priv->chip_type) {
>> >> +    case FT232RL:
>> >> +            eeprom_size = 0x40;
>> >> +            break;
>> >> +    default:
>> >> +            /* Unsupported for brick repair */
>> >> +            return 0;
>> >> +    }
>> >> +
>> >> +    /* Latency timer needs to be 0x77 to unlock EEPROM
>programming */
>> >> +    if (priv->latency != 0x77) {
>> >> +            orig_latency = priv->latency;
>> >> +            priv->latency = 0x77;
>> >> +            rv = write_latency_timer(port);
>> >> +            priv->latency = orig_latency;
>> >> +            if (rv < 0)
>> >> +                    return -EIO;
>> >> +    }
>> >
>> >Do you really want to change this without returning to the original?
>> >
>> >       Regards
>> >               Oliver
>>
>> --
>> Hector Martin "marcan" (hector@marcansoft.com)
>> Public key: https://mrcn.st/pub

On Wed, Sep 9, 2020 at 9:49 PM Hector Martin "marcan"
<hector@marcansoft.com> wrote:
>
>
>
> On September 10, 2020 12:46:20 PM GMT+09:00, James Hilliard <james.hilliard1@gmail.com> wrote:
> >On Wed, Sep 9, 2020 at 9:17 PM Hector Martin "marcan"
> ><hector@marcansoft.com> wrote:
> >>
> >>
> >>
> >> On September 10, 2020 12:02:34 PM GMT+09:00, Oliver Neukum
> ><oneukum@suse.de> wrote:
> >> >Am Mittwoch, den 09.09.2020, 13:34 -0600 schrieb James Hilliard:
> >> >> This patch detects and reverses the effects of the malicious FTDI
> >> >> Windows driver version 2.12.00(FTDIgate).
> >> >
> >> >Hi,
> >> >
> >> >this raises questions.
> >> >Should we do this unconditionally without asking?
> >> >Does this belong into kernel space?
> >>
> >> I agree; this is very cute, but does it really need to be an
> >automatic Linux feature? Presumably someone looking to fix a bricked
> >FTDI chip can just run my script, and those who just want to use those
> >chips with Linux already can since the driver binds to the zero PID.
> >Well for one your script is not easily useable with embedded platforms
> >like mine where I ran into this issue, I have no python2 interpreter
> >available in my production builds.
>
> Surely you can port the exact same algorithm to plain userspace C, as you did to kernel space C :)
Sure, but it would be significantly more complex, require a lot more code
and testing since there can be other userspace apps interacting with the
hardware, in addition to being less reliable and potentially difficult
to install
for some setups. Detecting and dealing with this issue in the kernel is
very simple and reliable in comparison. There's also potentially permissions
issues if one wants to do this from userspace from my understanding.
>
> >>
> >> I am deeply amused by the idea of Linux automatically fixing problems
> >caused by malicious Windows drivers, but thinking objectively, I'm not
> >sure if that's the right thing to do.
> >From my understanding Linux fixing up hardware issues caused
> >by faulty/weird Windows drivers isn't exactly unusual.
>
> I'm not aware of any instances like this where nonvolatile memory is modified. At most you'll get things like resetting devices that a previous windows warm boot misconfigured, I think?
Yeah, I think it's mostly nonvolatile memory, I've seen this issue quite a bit
with some of the Realtek ethernet drivers.

I think user experience for devices should be that one can move
a USB device from Linux to Windows and back without having to manually
reprogram an eeprom. The sheer amount of resources FTDI has wasted
with their malicious Windows driver is crazy and likely far exceeds any losses
from counterfeiting. I think due to how widespread this issue is it makes sense
to aggressively and automatically mitigate the damages wherever possible, it's
also likely a major source of ewaste since people may throw out perfectly
functional hardware without knowing it can be fixed easily.
>
> >>
> >> >
> >> >> +static int ftdi_repair_brick(struct usb_serial_port *port)
> >> >> +{
> >> >> +    struct ftdi_private *priv = usb_get_serial_port_data(port);
> >> >> +    int orig_latency;
> >> >> +    int rv;
> >> >> +    u16 *eeprom_data;
> >> >> +    u16 checksum;
> >> >> +    int eeprom_size;
> >> >> +    int result;
> >> >> +
> >> >> +    switch (priv->chip_type) {
> >> >> +    case FT232RL:
> >> >> +            eeprom_size = 0x40;
> >> >> +            break;
> >> >> +    default:
> >> >> +            /* Unsupported for brick repair */
> >> >> +            return 0;
> >> >> +    }
> >> >> +
> >> >> +    /* Latency timer needs to be 0x77 to unlock EEPROM
> >programming */
> >> >> +    if (priv->latency != 0x77) {
> >> >> +            orig_latency = priv->latency;
> >> >> +            priv->latency = 0x77;
> >> >> +            rv = write_latency_timer(port);
> >> >> +            priv->latency = orig_latency;
> >> >> +            if (rv < 0)
> >> >> +                    return -EIO;
> >> >> +    }
> >> >
> >> >Do you really want to change this without returning to the original?
> >> >
> >> >       Regards
> >> >               Oliver
> >>
> >> --
> >> Hector Martin "marcan" (hector@marcansoft.com)
> >> Public key: https://mrcn.st/pub
>
> --
> Hector Martin "marcan" (hector@marcansoft.com)
> Public key: https://mrcn.st/pub

On 9/10/2020 10:02, Oliver Neukum wrote:
> Am Mittwoch, den 09.09.2020, 13:34 -0600 schrieb James Hilliard:
>> This patch detects and reverses the effects of the malicious FTDI
>> Windows driver version 2.12.00(FTDIgate).
> 
> Hi,
> 
> this raises questions.
> Should we do this unconditionally without asking?
> Does this belong into kernel space?
> 

My answer to both of those question is a strong NO.

The patch author tries to justify the patch with egoistical arguments 
(easier for him and his customers) without thinking of all other users 
of memory constrained embedded hardware that doesn't need the patch code 
but have to carry it.

The bricked PID is btw already supported by the linux ftdi driver so 
there is no functionality gain in the patch.

br
Lars

On Wed, Sep 9, 2020 at 11:34 PM Lars Melin <larsm17@gmail.com> wrote:
>
> On 9/10/2020 10:02, Oliver Neukum wrote:
> > Am Mittwoch, den 09.09.2020, 13:34 -0600 schrieb James Hilliard:
> >> This patch detects and reverses the effects of the malicious FTDI
> >> Windows driver version 2.12.00(FTDIgate).
> >
> > Hi,
> >
> > this raises questions.
> > Should we do this unconditionally without asking?
> > Does this belong into kernel space?
> >
>
> My answer to both of those question is a strong NO.
>
> The patch author tries to justify the patch with egoistical arguments
> (easier for him and his customers) without thinking of all other users
> of memory constrained embedded hardware that doesn't need the patch code
> but have to carry it.
If that's a concern it would not be difficult to add a kconfig option to allow
disabling it.
>
> The bricked PID is btw already supported by the linux ftdi driver so
> there is no functionality gain in the patch.
By the kernel driver sure, but userspace is where things get messed up
without something like this.
>
> br
> Lars
>
>
>

On Thu, Sep 10, 2020 at 12:48 AM James Hilliard
<james.hilliard1@gmail.com> wrote:
>
> On Wed, Sep 9, 2020 at 11:34 PM Lars Melin <larsm17@gmail.com> wrote:
> >
> > On 9/10/2020 10:02, Oliver Neukum wrote:
> > > Am Mittwoch, den 09.09.2020, 13:34 -0600 schrieb James Hilliard:
> > >> This patch detects and reverses the effects of the malicious FTDI
> > >> Windows driver version 2.12.00(FTDIgate).
> > >
> > > Hi,
> > >
> > > this raises questions.
> > > Should we do this unconditionally without asking?
> > > Does this belong into kernel space?
> > >
> >
> > My answer to both of those question is a strong NO.
> >
> > The patch author tries to justify the patch with egoistical arguments
> > (easier for him and his customers) without thinking of all other users
> > of memory constrained embedded hardware that doesn't need the patch code
> > but have to carry it.
> If that's a concern it would not be difficult to add a kconfig option to allow
> disabling it.
I should maybe add that the reason I'm trying to upstream this is because
I have been repeatedly bitten by this issue for years over many totally
unrelated projects, as have many people I know. If this was a one-off
issue I would not have spent the time writing a kernel patch to fix
it. The supply
chains must be heavily contaminated with counterfeits with how often I've
personally run into this problem.

The damage done by FTDI with their malicious drivers really is hard to quantify,
both in terms of wasted man hours working around this issue and in the
inevitable mountains of e-waste they create by bricking end user hardware.
Most of these customers have likely never even heard of FTDI, they even
intentionally designed their malicious drivers to make it non-obvious that
the failures are due to counterfeits, completely unethical behavior IMO.

FTDI may very well be one of the least environmentally friendly companies
in terms of environmental damage per dollar of revenue.
> >
> > The bricked PID is btw already supported by the linux ftdi driver so
> > there is no functionality gain in the patch.
> By the kernel driver sure, but userspace is where things get messed up
> without something like this.
> >
> > br
> > Lars
> >
> >
> >

On 10/09/2020 15.45, James Hilliard wrote:
>>> +static int ftdi_write_eeprom(struct usb_serial_port *port, u8 addr, u16 data)
>>> +{
>>> +     struct usb_device *udev = port->serial->dev;
>>> +     int rv;
>>> +
>>> +     rv = usb_control_msg(udev,
>>> +                          usb_sndctrlpipe(udev, 0),
>>> +                          FTDI_SIO_WRITE_EEPROM_REQUEST,
>>> +                          FTDI_SIO_WRITE_EEPROM_REQUEST_TYPE,
>>> +                          data, addr,
>>> +                          NULL, 0, WDR_TIMEOUT);
>>> +     if (rv < 0)
>>> +             dev_err(&port->dev, "Unable to write EEPROM: %i\n", rv);
>>
>> You don't check for a "short write"?
>  From my understanding the hardware only accepts 2 byte writes, and
> the non-counterfeits actually only commit writes on odd addresses
> while they buffer writes on even(this difference is what FTDI's windows
> driver exploits). So I guess this should be "if (rv < 2)"?

It's not "data" anyway, the data word gets sent in control message 
headers. Unless I'm mistaken rv == 0 on success, so the code should be 
correct as-is.

>>
>>> +     return rv;
>>> +}
>>> +
>>> +static u16 ftdi_checksum(u16 *data, int n)
>>> +{
>>> +     u16 checksum;
>>> +     int i;
>>> +
>>> +     checksum = 0xaaaa;
>>> +     for (i = 0; i < n - 1; i++) {
>>> +             checksum ^= be16_to_cpu(data[i]);
>>> +             checksum = (checksum << 1) | (checksum >> 15);
>>> +     }
>>
>> What type of function is this, don't we have all of the needed checksum
>> functions in the kernel already?
> Some custom crc16 style checksum I guess, I'm not seeing anything
> in the kernel that's the same, although I might not be looking in the
> right places.

This isn't a CRC, it's some random xor all the words thing with a 
somewhat pointless rotation in the way. I'd be surprised if anything 
elses uses this particular function. Pretty sure other drivers are 
littered with stuff like this too, hardware manufacturers love to 
reinvent checksums.

On Thu, Sep 10, 2020 at 02:17:44AM -0600, James Hilliard wrote:
> On Thu, Sep 10, 2020 at 2:08 AM Johan Hovold <johan@kernel.org> wrote:
> >
> > On Thu, Sep 10, 2020 at 12:33:55PM +0700, Lars Melin wrote:
> > > On 9/10/2020 10:02, Oliver Neukum wrote:
> > > > Am Mittwoch, den 09.09.2020, 13:34 -0600 schrieb James Hilliard:
> > > >> This patch detects and reverses the effects of the malicious FTDI
> > > >> Windows driver version 2.12.00(FTDIgate).
> > > >
> > > > Hi,
> > > >
> > > > this raises questions.
> > > > Should we do this unconditionally without asking?
> > > > Does this belong into kernel space?
> > > >
> > >
> > > My answer to both of those question is a strong NO.
> > >
> > > The patch author tries to justify the patch with egoistical arguments
> > > (easier for him and his customers) without thinking of all other users
> > > of memory constrained embedded hardware that doesn't need the patch code
> > > but have to carry it.
> > >
> > > The bricked PID is btw already supported by the linux ftdi driver so
> > > there is no functionality gain in the patch.
> >
> > I fully agree. This doesn't belong in the kernel. If the Windows driver
> > breaks someones device on purpose they should know about it, and *if*
> > they want they can reprogram the device using the tools mentioned in the
> > thread. But the kernel shouldn't be playing such games and reprogram
> > eeproms behind people's backs.
> One of the main issues is that this issue is very often not-obvious, FTDI
> specifically designed their malicious driver to make it appear that the
> hardware failed, they intentionally do not provide proper feedback to
> the user when they soft-brick it. I assume this is because they want
> to push the support costs related to their malicious driver onto the
> integrator rather than themselves.

That's fine, but why is it the Linux kernel's job to fix up this mess?

There is already a userspace tool that can be run to resolve this for
devices that wish to have this fixed up for.  Use that.  We want to keep
things that can be done in userspace, in userspace, whenever possible.

And again, Linux runs just fine with these devices so why is it Linux's

I'm with Johan here, reprogramming eeproms when people least expect it
is not nice, and in a way, is much the same thing that the Windows
drivers are doing.

thanks,

greg k-h

On Thu, Sep 10, 2020 at 2:55 AM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> On Thu, Sep 10, 2020 at 02:17:44AM -0600, James Hilliard wrote:
> > On Thu, Sep 10, 2020 at 2:08 AM Johan Hovold <johan@kernel.org> wrote:
> > >
> > > On Thu, Sep 10, 2020 at 12:33:55PM +0700, Lars Melin wrote:
> > > > On 9/10/2020 10:02, Oliver Neukum wrote:
> > > > > Am Mittwoch, den 09.09.2020, 13:34 -0600 schrieb James Hilliard:
> > > > >> This patch detects and reverses the effects of the malicious FTDI
> > > > >> Windows driver version 2.12.00(FTDIgate).
> > > > >
> > > > > Hi,
> > > > >
> > > > > this raises questions.
> > > > > Should we do this unconditionally without asking?
> > > > > Does this belong into kernel space?
> > > > >
> > > >
> > > > My answer to both of those question is a strong NO.
> > > >
> > > > The patch author tries to justify the patch with egoistical arguments
> > > > (easier for him and his customers) without thinking of all other users
> > > > of memory constrained embedded hardware that doesn't need the patch code
> > > > but have to carry it.
> > > >
> > > > The bricked PID is btw already supported by the linux ftdi driver so
> > > > there is no functionality gain in the patch.
> > >
> > > I fully agree. This doesn't belong in the kernel. If the Windows driver
> > > breaks someones device on purpose they should know about it, and *if*
> > > they want they can reprogram the device using the tools mentioned in the
> > > thread. But the kernel shouldn't be playing such games and reprogram
> > > eeproms behind people's backs.
> > One of the main issues is that this issue is very often not-obvious, FTDI
> > specifically designed their malicious driver to make it appear that the
> > hardware failed, they intentionally do not provide proper feedback to
> > the user when they soft-brick it. I assume this is because they want
> > to push the support costs related to their malicious driver onto the
> > integrator rather than themselves.
>
> That's fine, but why is it the Linux kernel's job to fix up this mess?
Well the kernel seems to be the place a fix would be most effective.
Not like it's unusual for the kernel to work around hardware issues in
general. :P
>
> There is already a userspace tool that can be run to resolve this for
> devices that wish to have this fixed up for.  Use that.  We want to keep
> things that can be done in userspace, in userspace, whenever possible.
So I'm having trouble coming up with a reliable way to fix this in userspace,
I've already got quite a few moving parts there as is and most of what I
come up with seems like it would not work reliably, at least for automatically
repairing the eeprom.
>
> And again, Linux runs just fine with these devices so why is it Linux's
>
> I'm with Johan here, reprogramming eeproms when people least expect it
> is not nice, and in a way, is much the same thing that the Windows
> drivers are doing.
Yeah, it does seem a bit sketchy at first, I went with this approach mostly
since I couldn't think of a practical scenario where fixing it automatically
would be a real issue, assuming we can reliably detect the preimage
attack.

So maybe identify the preimage attack and log a message instead? From
my understanding false positives should be nearly impossible with the
signature identification technique I'm using.

Maybe we could expose an interface that triggers the eeprom repair,
one which doesn't require userspace to implement low level USB handling?
>
> thanks,
>
> greg k-h

On Fri, Sep 11, 2020 at 04:54:08AM +0900, Hector Martin wrote:
> On 11/09/2020 03.51, James Hilliard wrote:
> > I haven't tested this yet but my assumption was that either a kernel driver
> > or libusb can issue usb control messages, but both can not be bound to
> > a device at the same time. I figured this wouldn't have come up when you
> > tested your python script since the script likely predated adding the brick PID
> > to the ftdi_sio Linux kernel driver.
> 
> Binding to interfaces is exclusive, but global device control messages are
> not issued to an interface. I think it should work even if the kernel driver
> is bound (this is how lsusb works too, since it issues control requests even
> to devices bound to drivers). Even if it is necessary to unbind it, though,
> libusb already provides a single function to do that
> (libusb_detach_kernel_driver).

You really should unbind the device from the driver when doing stuff
like this, so the kernel doesn't get confused.

thanks,

greg k-h