
New SW update Aug 7 2023?

Uknown

Do you have any other details on version? Mine goes into service Thursday… :) I will ask.

 

W1NGE

The car is 2nd hand? Then there is no Stuttgart guidance full stop on delivery.
Which then means one of 2 things: your dealer is not a fully equipped reseller and needs a fully equipped dealer to update your vehicle / reset service interval as he doesn’t have the right equipment, or something is wrong and the car is not ready for delivery.
2nd hand or not it would be stopped in UK from a franchised dealer.
 
RSouthern

Just to update everyone, the dealer did the update and I took delivery of my CPO 2022 GTS (only 200 miles!) and I love it! They didn't provide any explanation of what the update was but I did ask, somewhat cheekily, about why this wasn't an OTA update since that seems to be the direction the industry is going in, led by the folks up in Fremont, California. They explained that OTA updates are for minor updates, but the big changes (I presume ones that might brick the car) need to be done at the dealer.

This sounds like Porsche is being conservative/cautious with their updates, probably because they aren't a software company like Tesla and are unwilling to take the same risks as Tesla does with their releases. I'm good with that. Our BMW X7 also gets OTA updates, but only 2-3 times a year so far, and that's good as I'd hate to have to re-learn where something is after an update, like I hear some Tesla drivers experience.

For those that are avoiding doing updates, here's one thing to consider. There are a lot of embedded systems in the Taycan and you should take security seriously. I would imagine that Porsche will not be publishing vulnerability details and doesn't seem to publish which open source code libraries they use, but it's easy to guess they use things like openssl for all their communications and have an off the shelf kernel to run the computers and a commercial IP stack to handle data from the car. Those all have regular updates due to vulnerabilities and bugs and you really want to keep them up to date. At some point Porsche will likely stop providing patches and the car will no longer be able to communicate with the Porsche servers and we'll lose whatever services were dependent on that communication. But if you aren't keeping your sw at least relatively up to date, you may not be able to communicate with Porsche servers long before the car is considered obsolete, or worse, you may find a hacker doing things with/to your car that you didn't plan for.
 

WasserGKuehlt

I didn't say no one has bricked their car after updates. But I would still say that it is worth it for fixes, new features and so on. [...] And since software is such an essential part of an electric car I would always keep it updated.
I'm not picking sides here, but clearly bricking the car cannot possibly be worth any fix or new feature.

Also, software has this nasty habit of breaking when it's being changed. Most of the time, at least.

Just to update everyone, the dealer did the update and I took delivery of my CPO 2022 GTS (only 200 miles!) and I love it!
Congrats! Previous owner (and/or dealer) must have taken a bath on this.

For those that are avoiding doing updates, here's one thing to consider. There are a lot of embedded systems in the Taycan and you should take security seriously. I would imagine that Porsche will not be publishing vulnerability details and doesn't seem to publish which open source code libraries they use, but it's easy to guess they use things like openssl for all their communications and have an off the shelf kernel to run the computers and a commercial IP stack to handle data from the car. Those all have regular updates due to vulnerabilities and bugs and you really want to keep them up to date. At some point Porsche will likely stop providing patches and the car will no longer be able to communicate with the Porsche servers and we'll lose whatever services were dependent on that communication. But if you aren't keeping your sw at least relatively up to date, you may not be able to communicate with Porsche servers long before the car is considered obsolete, or worse, you may find a hacker doing things with/to your car that you didn't plan for.
There's a lot to unpack in there, but briefly and in no particular order:
- you can see in the PCM the complete list of software libraries with their respective versions
- there is this thing called Coordinated Vulnerability Disclosure, where, in general, security researchers and vendors collaborate on addressing security vulnerabilities responsibly. It is not Porsche's call whether to publish details or not - unless, of course, they found it in house, in their code, and are addressing it directly.
- regarding stopping of patching - well, that's kinda covered by the warranty. If the car no longer works as advertised during the warranty period, it's on them to fix it. If the car becomes bricked (due to lack of updates) out of warranty, they'll be hit with a lawsuit for the ages. But in general, software doesn't just stop working because it's not updated (and usually it's the other way around).
- not trying to diminish the importance of your advice (I do work in software security), but to be honest the vulnerabilities that we see lately are more of an attention grab/gathering likes on Twitter. The OpenSSL vulns of late are fairly exotic (understandably, it's a well-established library) and someone close enough to your car to launch an exploit is more likely to just steal it. That is, the car is not an open endpoint, readily taking requests.
 
RSouthern

I'm not picking sides here, but clearly bricking the car cannot possibly be worth any fix or new feature.

Also, software has this nasty habit of breaking when it's being changed. Most of the time, at least.
I agree, but having worked in tech for so long I've seen too many cases where not keeping up with patches has bitten users. Not saying you should be a bleeding edge early adopter, but being several versions behind can cause lots of problems too, especially if you suddenly have to update. But to each their own. I'm happy keeping up but waiting to see if others have problems, and that's why I was asking the forum if anyone was aware of this supposedly new patch. The dealer said it was just released on Monday morning in Germany and that's why the dealership wasn't aware of it and couldn't release the car Sunday night. Since there's no word of a new patch though, I suspect the dealership simply hadn't kept the car updated until a customer wanted to take it home.

Congrats! Previous owner (and/or dealer) must have taken a bath on this.
Thanks! I'm pretty sure it was the dealership. From what I can tell they ordered it when the GTS came out and kept it on the showroom floor until Feb 2023 when they decided to make it a demo car and that's when it got the 200 miles. I think I put a significant % of those on when I took it out for multiple test drives, lol!

There's a lot to unpack in there, but briefly and in no particular order:
- you can see in the PCM the complete list of software libraries with their respective versions
That's good to know! I did a Google search for PCM and software libraries and didn't find the listing for Taycan, but it sounds like I just need to do more digging.

- there is this thing called Coordinated Vulnerability Disclosure, where, in general, security researchers and vendors collaborate on addressing security vulnerabilities responsibly. It is not Porsche's call whether to publish details or not - unless, of course, they found it in house, in their code, and are addressing it directly.
Yep, very familiar with the responsible disclosure concept. The equipment vendors I have worked for follow this process, and yes, you're right, how much information that's disclosed really depends on where the problem was found. More information will be disclosed if found by an outside researcher, and more so if it's close to a Black Hat conference, lol! Vendors generally want to say as little as possible and wait as long as possible since it gives users a chance to upgrade past the vulnerability and then the announcement becomes a non-event for most.

- regarding stopping of patching - well, that's kinda covered by the warranty. If the car no longer works as advertised during the warranty period, it's on them to fix it. If the car becomes bricked (due to lack of updates) out of warranty, they'll be hit with a lawsuit for the ages. But in general, software doesn't just stop working because it's not updated (and usually it's the other way around).
I was thinking more along the lines of when TLS 1.1 and earlier were finally removed so you can't even force a handshake these days. That will eventually happen with the stack the Taycan is running (hopefully they are implementing 1.3). When that happens it's going to be a decade or more from today I assume. Will the car be able to connect to Porsche services then or will the developers have moved on to whatever is the latest and the Taycan 1.0 will be left behind? I hope Porsche maintains their reputation for their legacy cars!

That also gets me thinking about protocols for the EVSE (charging stations), and what is likely to be supported 10+ years from now. I'm sure some backward compatibility will be maintained but who knows!

- not trying to diminish the importance of your advice (I do work in software security), but to be honest the vulnerabilities that we see lately are more of an attention grab/gathering likes on Twitter. The OpenSSL vulns of late are fairly exotic (understandably, it's a well-established library) and someone close enough to your car to launch an exploit is more likely to just steal it. That is, the car is not an open endpoint, readily taking requests.
No problem, it's all good and healthy discussion! :) I think that with the "computer on wheels" that the future holds for personal transportation (looking at you Tesla!), security will continue to be important but overlooked by regular people. Who knows what or where the next exploit will be and if it can be leveraged to jump to other systems, what data will be exfiltrated or if the breach will be isolated. Working at a software security vendor myself I've learned it never hurts to be too paranoid but it's also not a call to action for regular users... yet!
 


snstevens

The PCM is based on the Audi MMI MIB Gen 3. You can find more info on that all over.
OP, since you are new to the Taycan, know that from within the PCM you can see the subsystem versions by going to Settings > System > System Information and then look into "Version information" and "Software Components". I think it is the SW Components piece you are interested in.
 

Fish Fingers

I wonder if car manufacturers will have to keep software updated for a certain time after production ends in line with current spare mechanical parts rules?

I remember thinking what a massive logistical task it must be when I heard about it previously.
So I've just Googled it....

[Attached image: Screenshot_20230810_030814_Chrom]
 


Uknown

Congratulations on the GTS!!
I am curious: what does your PCM version show now?
 
RSouthern

Here are the version screen shots for reference
[Attached images: 20230809_221249, 20230809_221301]


Going through the component info, it's interesting to see Droid and Apache among the other items. I guess it really is more like a big smart phone after all. Good to see that there is only 1 Audi component there, probably the UI.

Porsche should consider using Docker to manage their updates, lol.
 

whitex

I have all the updates on my 23 CT4. Not bricked. So when they released an update to fix issues with charging curves and temperature in the battery to keep the longevity of the battery. You will not install it? Do you not update your phone, computer and other electronics either? Your loss.
The primary reason for me to update is security fixes for internet connected things. Everything else can be a gamble, since you cannot choose à la carte what you want updated. While I update all my connected devices (Taycan included), I often don't update devices which have no internet connection if they work exactly as I want them to work. Every update is not just bug fixes, and features you want, it potentially has new bugs and features you don't want. If there is some feature I want, I usually weigh the need for that feature with the risk of other features no longer working (or being removed).

I have an old Microsoft Office running on one of my PCs. It works so much faster and more reliably than the latest and greatest Office 365 on my work PC, which has significantly more powerful hardware too. Not upgrading the old one until there is something it doesn't do that I need. I only apply security patches to it.
 

tigerbalm

I never use automatic updates ;) on anything.
If the device(s) are internet connected – that is a genuine security risk.

There are mitigation approaches you can take – like putting that device on its own VLAN (and dedicated SSID if only wifi connected) – but doing that definitely increases the complexity of your local network setup – which brings its own risks and complications.

I do appreciate your point that bloat is a big issue in the software business. But it has been ever such. You should hear what an assembly programmer thinks about FORTRAN – and a machine code programmer (do they still exist?) thinks about assembly!
 

f1eng

If the device(s) are internet connected – that is a genuine security risk.

There are mitigation approaches you can take – like putting that device on its own VLAN (and dedicated SSID if only wifi connected) – but doing that definitely increases the complexity of your local network setup – which brings its own risks and complications.

I do appreciate your point that bloat is a big issue in the software business. But it has been ever such. You should hear what an assembly programmer thinks about FORTRAN – and a machine code programmer (do they still exist?) thinks about assembly!
I wrote assembly programmes and Fortran back in the day. My first programme that earned me money was written in 1970-2 in Fortran.
I stopped writing my own software in 1986 though.

Agreed once you are connected to the internet you are basically super vulnerable.
We have crime in normal life despite the rule of law and a police force to enforce it.
The internet has, effectively, neither and is hence bound to be completely saturated in every corner by criminal activity and deception as we can observe.
Sadly inevitable IMO.

The more I reflect on it the more I feel like not owning anything modern at all - I have already gone back to LPs and CDs from streaming, but for reasons other than security, despite adopting file based music over 20 years ago.
 

Ambroos

Here are the version screen shots for reference
Going through the component info, it's interesting to see Droid and Apache among the other items. I guess it really is more like a big smart phone after all. Good to see that there is only 1 Audi component there, probably the UI.

Porsche should consider using Docker to manage their updates, lol.
The PCM operating system is Automotive Grade Linux. They actually do use Docker to containerize a lot of the applications, for example Spotify and the Calendar integration etc.

Also, the entire MIB3 base software is shared with the entire VW group and co-developed by Audi. The navigation, audio playback, basic UI code, Bluetooth stack, ... basically the entire thing IS the exact same you'd get in Audi (Q8) e-tron / e-tron GT or most other MIB3 Audis. It's only the UI layer and a few minor changes on top that are specific to Porsche.

It's also not actually developed by Porsche but largely done by Aptiv / Harman if I'm not mistaken.
 
 







