Press "Enter" to skip to content
Decoding Proprietary PGNs and Unknown CAN Messages

J1939 Reverse Engineering: Decoding Proprietary PGNs and Unknown CAN Messages

By Wilfried Voss on June 24, 2026
Print Friendly, PDF & Email

If you spend enough time working with heavy-duty vehicles, agricultural equipment, construction machinery, or industrial engines, you will eventually encounter proprietary J1939 messages.

At that point, many engineers ask the same question:

Can I reverse engineer a J1939 network?

The short answer is yes—but only to a certain extent.

Before discussing the challenges, let’s first examine why someone would even want to reverse engineer a J1939 network.

Why Reverse Engineer a J1939 Network?

There are many legitimate reasons for wanting to understand undocumented network traffic.

Replacing Failed Components

One common example involves DEF (Diesel Exhaust Fluid) systems.

A DEF sensor may fail, while the replacement part is either unavailable, prohibitively expensive, or backordered for months. Since the sensor communicates with the vehicle over J1939, some users attempt to determine which messages the sensor transmits and then emulate those messages using a replacement device.

Whether this is legal or compliant with local regulations is a separate discussion. From a technical standpoint, however, the challenge remains the same:

What messages is the sensor transmitting, and what data do they contain?

Repairing Older Equipment

Many machines remain operational for decades.

Unfortunately, manufacturers do not always support older products indefinitely. When replacement electronic modules become unavailable, owners may attempt to recreate their functionality by analyzing the J1939 communication between the original modules.

Integrating Third-Party Equipment

Another common scenario involves telematics systems, displays, controllers, or data loggers.

The standard J1939 messages are well documented, but manufacturers often transmit additional information using proprietary PGNs. A third-party developer may need access to that data to support a particular vehicle or machine.

Understanding Equipment Behavior

Some users simply want to understand how a machine operates.

Modern agricultural and construction equipment may contain dozens of ECUs exchanging thousands of messages every minute. Analyzing that communication can reveal valuable information about system operation, diagnostics, and control strategies.

Right-to-Repair Initiatives

In recent years, repairability has become an increasingly discussed topic.

Certain equipment manufacturers have been criticized for making repairs difficult without access to dealer software or proprietary documentation. This has motivated some owners and independent repair organizations to analyze network traffic in order to better understand system operation.

Regardless of the motivation, the technical challenge is always the same:

How much information can be extracted from a J1939 network without access to manufacturer documentation?

The Good News: Standard PGNs Are Easy

One of the strengths of J1939 is that much of the network traffic is standardized.

For example:

  • Engine Speed (PGN 61444)
  • Vehicle Speed (PGN 65265)
  • Fuel Rate (PGN 65266)
  • Engine Temperatures
  • Oil Pressure
  • Diagnostic Messages

Once these PGNs are identified, the corresponding SPNs and scaling information are readily available.

In many vehicles, a significant portion of network traffic consists of standard messages that can be decoded immediately using commercial tools or publicly available documentation.

Unfortunately, that is usually where the easy part ends.

The Real Challenge: Proprietary PGNs

Most manufacturers extend J1939 using proprietary messages.

These messages often contain information such as:

  • Hydraulic system data
  • Transmission details
  • Machine-specific status information
  • Sensor values
  • Configuration parameters
  • Diagnostic data
  • Control commands

The problem is that the message structure is usually undocumented.

You may be able to identify:

  • The PGN
  • The source address
  • The transmission frequency

But the actual meaning of the data bytes remains unknown.

For example, you might observe a message:

PGN: 65280

Data:
01 45 2A 7F 00 FF FF FF

The challenge becomes determining whether:

  • Byte 1 is a status flag
  • Byte 2 represents pressure
  • Byte 3 represents temperature
  • Multiple bytes form a larger value
  • Some bytes are simply reserved

Without documentation, the message is little more than a collection of numbers.

The Detective Work Begins

Successful reverse engineering usually relies on correlation.

The basic process is surprisingly simple:

  1. Record network traffic.
  2. Change one physical parameter.
  3. Observe which bytes change.
  4. Repeat many times.

For example:

  • Increase engine speed.
  • Turn on a hydraulic pump.
  • Raise a boom.
  • Change transmission gear.
  • Press a switch.

If a particular byte changes consistently with a physical action, you may have found a useful signal.

This process sounds straightforward, but it often requires many hours of testing.

Frequency Analysis Can Help

Message transmission frequency often provides valuable clues.

For example:

  • 10 ms messages often contain control information.
  • 50 ms messages frequently carry rapidly changing measurements.
  • 100 ms or 250 ms messages often contain status information.
  • Multi-second messages frequently contain identification or configuration data.

The transmission rate alone will not reveal the message content, but it can provide useful hints regarding its purpose.

Source Addresses Tell a Story

The source address can also provide clues.

If a proprietary message originates from:

  • The engine ECU
  • A transmission controller
  • A brake controller
  • A DEF module
  • A hydraulic controller

You immediately gain some context regarding the likely content of the message.

Sometimes this information dramatically narrows the search.

The Biggest Problem: Commands Versus Data

Monitoring traffic is one thing.

Generating traffic is something entirely different.

Suppose you successfully determine that a particular proprietary message contains a pressure value.

That does not necessarily mean you can generate valid messages yourself.

Many systems implement:

  • Message counters
  • Rolling sequence numbers
  • Checksums
  • Timing requirements
  • Authentication mechanisms
  • State-dependent behavior

Simply transmitting a message with the correct PGN may not be sufficient.

In fact, many reverse engineering projects fail at this stage.

What Can Be Realistically Achieved?

In practice, reverse engineering efforts are usually successful when the goal is:

  • Data logging
  • Monitoring
  • Display generation
  • Telematics integration
  • Diagnostic analysis

Success becomes more difficult when the goal is:

  • Replacing ECUs
  • Emulating sensors
  • Controlling equipment
  • Bypassing manufacturer functionality

The difference is important.

Observing data is usually much easier than reproducing system behavior.

Tools Required

A typical reverse engineering setup includes:

  • A CAN interface
  • J1939 monitoring software
  • Data logging capability
  • The ability to export data for analysis

The more network traffic you can record and compare, the higher your chances of success.

Long-term logging is often more valuable than short snapshots.

Patterns frequently emerge only after observing a system under many different operating conditions.

Final Thoughts

So, can you reverse engineer a J1939 network?

The answer is yes—but with realistic expectations.

Standard J1939 messages can often be decoded quickly because they are publicly documented.

Proprietary PGNs are a different story. They frequently require careful observation, experimentation, and a substantial amount of detective work.

In many cases, you can successfully determine what a message represents.

Determining how an ECU makes decisions internally, however, is often far more difficult.

The good news is that J1939 was designed around structured communication. Even when the content is proprietary, the message format, timing, source addresses, and network behavior provide valuable clues.

And sometimes, those clues are enough to solve the mystery.

SAE J1939 Starter Kit and Network Simulator

Our JCOM.J1939 Starter Kit and Network Simulator is designed to allow the experienced engineer and the beginner to experiment with SAE J1939 data communication without the need to connect to a real-world J1939 network, i.e., a diesel engine. It may sound obvious, but you need at least two nodes to establish a network. That fact applies especially to CAN/J1939, where the CAN controller shuts down after transmitting data without receiving a response. Therefore, our jCOM.J1939 Starter Kit and Network Simulator consists of two J1939 nodes, namely our jCOM.J1939.USB, an SAE J1939 ECU Simulator Board with USB Port.

The jCOM.J1939.USB gateway board is a high-performance, low-latency vehicle network adapter for SAE J1939 applications. The board supports the full SAE J1939 protocol according to J1939/81 Network Management (Address Claiming) and J1939/21 Transport Protocol (TP). More Information…

Published in Blog Post and Misc. J1939

Wilfried Voss
Wilfried Voss

Creator of the JCOM1939 gateways and monitor software, blends German engineering with Vermont charm. Living on a historic farm with his Irish-American wife and a lively mix of dogs, cats, chickens, and horses, he brings precision and warmth to every innovation in vehicle network technology.

More from Blog PostMore posts in Blog Post »
More from Misc. J1939More posts in Misc. J1939 »

Comments are closed.

JCOM1939 Monitor Pro - SAE J1939 Data Monitoring, Recording & Simulation

Copyright © 2024 Copperhill Technologies Corporation
wpChatIcon
wpChatIcon