@danluu So much wrong with this:

1. The detailed instructions for the tow truck operator imply that there was sufficient knowledge that this was likely and that a choice between shipping the car with the broken update path and a pretty failed update screen, and a robust failed-update rollback process was available, and the choice (possibly forced by an announced launch date) was made to ship with the nice failure screen.

2. The update was pushed rather than a notification to schedule users to drive past a dealer to update via the same mechanism that will be used to fix the problem, avoiding the tow.

3. That someone signed off on this.

4. That maybe someone didn't sign off on it because it was thought unnecessary to escalate.

5. That whoever designed the hardware either chose not to have a robust OTA flashing process, or did, and whoever designed the firmware chose not to use it.

6. Whoever chose the hardware, or the firmware decided that robust updates were not required, but updates were required.

7. That something like updated navigation, wireless carplay, or more accurate DTE was considered more important than a percentage of users being able to drive their vehicle.

It has been nearly 30 years since I worked on embedded automotive systems (specifically ABS), so they've moved on a bit since then 🤣 but back when I did, every car that came off the line was tested (on a rolling dyno) to check if the ABS and all sensors were working, and all of the on-board computers were correctly interpreting the ABS signals. This included inducing a simulated skid (by de-clutching the rollers when up to speed and braking one of the rollers) to check that the stability control would attempt to correct the skid (by confirming that the ABS computer would signal to actuate the brakes on the opposite wheel). If not, that vehicle didn't leave the production line. Bad flash or bad wiring or incorrectly fitted sensors meant the system wasn't safe, and the car wasn't saleable.