A Real-Time Approach to Autonomous CAN Bus Reverse Engineering
This paper introduces a real-time method for reverse engineering a vehicle’s CAN bus without prior knowledge of the vehicle or its CAN system. By comparing inertial measurement and CAN data during significant vehicle events, the method accurately identified the CAN channels associated with the accelerator pedal, brake pedal, and steering wheel. The system combines an IMU, a CAN module, and an event-driven software architecture, and was validated using prerecorded serialized data from previous studies. This data, collected during multiple vehicle drives, included synchronized IMU and CAN recordings. Using these consistent datasets, the improvements made in this work were tested and validated under the same conditions as in the previous studies, enabling direct comparison to earlier results. Compared with the earlier methods, processing was faster and required less computational power. This work has potential applications in aftermarket autonomous vehicle kits and in cybersecurity. It is a scalable and adaptable solution for autonomous CAN reverse engineering in near real-time.
💡 Research Summary
The paper presents a novel real‑time method for reverse‑engineering a vehicle’s CAN bus without any prior knowledge of the vehicle’s network architecture. Building on two earlier studies that performed offline correlation between inertial measurements and CAN traffic to identify accelerator, brake, and steering signals, the authors redesign the entire pipeline to operate under live constraints. The hardware platform is deliberately minimal – a laptop, a USB‑CAN interface connected to the OBD‑II port, and a fixed‑mount high‑precision IMU – enabling direct comparison with the prior work while reducing cost and integration complexity.
The software architecture is organized into five ROS‑based layers. The Measurement layer streams raw IMU and CAN frames. The Event‑Detection layer continuously monitors the IMU streams, applying simple threshold logic on linear acceleration and angular velocity to flag discrete vehicle actions (acceleration, deceleration, steering). When an event is detected, a short pre‑ and post‑event window is captured and passed downstream. The Correlation layer implements a real‑time adaptation of the “rate‑of‑change” correlation algorithm introduced in the earlier papers; it computes the temporal similarity between each candidate CAN channel and the event‑localized IMU signal, producing a ranked list of likely control channels. The Control‑Discovery layer selects the top‑ranked channel for each control input (throttle, brake, steering) and forwards the result to the Visualization layer, which displays and logs the identified mappings in real time.
Key methodological enhancements include: (1) an event‑driven processing model that limits analysis to short, semantically rich windows, dramatically reducing computational load; (2) multithreading to parallelize acquisition, correlation, and visualization, exploiting modern multi‑core CPUs; (3) a CAN‑channel masking technique that discards irrelevant frames before correlation, further improving efficiency; and (4) a simplification of the tokenization problem – the system assumes fixed‑width candidate channels and focuses solely on translation, postponing full signal boundary recovery to future work.
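The event-detection, masking and correlation steps described above can be sketched as follows. This is an added example, not the authors' code: the page does not give the details of the rate-of-change correlation, so Pearson correlation of first differences stands in for it, and the sketch assumes one byte per candidate channel, CAN payloads already time-aligned to IMU samples, and constructed CAN IDs and data.

```python
import math

def pearson(x, y):
    """Pearson r; returns 0.0 when either series has no variance."""
    mx, my = sum(x) / len(x), sum(y) / len(y)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / math.sqrt(sxx * syy) if sxx and syy else 0.0

def diff(v):
    """First difference, used here as the rate of change of a sampled signal."""
    return [b - a for a, b in zip(v, v[1:])]

def detect_events(imu, threshold, pad):
    """Threshold |imu| and return padded (start, end) sample windows."""
    windows, start = [], None
    for i, a in enumerate(imu + [0.0]):          # sentinel closes a trailing event
        if abs(a) > threshold and start is None:
            start = i
        elif abs(a) <= threshold and start is not None:
            windows.append((max(0, start - pad), min(len(imu), i + pad)))
            start = None
    return windows

def rank_channels(frames, imu, windows):
    """Score every fixed-width (CAN ID, byte) channel against the IMU signal."""
    ranked = []
    for can_id, payloads in frames.items():
        for byte in range(8):
            scores = []
            for s, e in windows:
                series = [p[byte] for p in payloads[s:e]]
                if len(set(series)) > 1:         # mask channels that never change
                    scores.append(abs(pearson(diff(series), diff(imu[s:e]))))
            if scores:
                ranked.append(((can_id, byte), sum(scores) / len(scores)))
    return sorted(ranked, key=lambda r: r[1], reverse=True)

# Constructed sample data: 60 time-aligned samples with one acceleration event.
IMU = [2.0 * math.sin(math.pi * (i - 20) / 20) if 20 <= i <= 40 else 0.0
       for i in range(60)]
FRAMES = {  # CAN IDs and byte layouts are made up for this example
    0x120: [bytes([int(50 * a), i % 16, 0, 0, 0, 0, 0, 0]) for i, a in enumerate(IMU)],
    0x3A0: [bytes([(i * 7) % 256, 0, 0x55, 0, 0, 0, 0, 0]) for i in range(60)],
}
WINDOWS = detect_events(IMU, threshold=0.5, pad=3)
RANKING = rank_channels(FRAMES, IMU, WINDOWS)

if __name__ == "__main__":
    for (can_id, byte), score in RANKING:
        print(f"0x{can_id:03X} byte {byte}: {score:.3f}")
```

The rolling counters in the constructed data change on every sample yet score low, which is why the ranking relies on correlation within event windows rather than on activity alone.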
To evaluate the approach, the authors replayed the exact rosbag datasets used in the prior offline studies, ensuring that any performance differences stem from the new architecture rather than data variability. The real‑time system achieved a 3–5× speedup over the offline pipeline and kept CPU utilization below 30 % on a standard laptop, while maintaining or slightly improving identification accuracy. Notably, the incorporation of GPS‑derived stationary intervals (as in the second prior study) allowed the brake‑pedal channel to be correctly identified even when the vehicle was at rest, a scenario that previously caused ambiguity.
The paper argues that real‑time CAN reverse engineering unlocks several practical applications: aftermarket autonomous‑driving kits that can automatically map control signals on a new vehicle, adaptive diagnostic tools that update their knowledge base while the car is being driven, and live cybersecurity monitors that can flag anomalous CAN traffic as soon as it appears. The authors acknowledge limitations: the current method does not perform true tokenization, relying on fixed‑width hypotheses; the evaluation is limited to replayed data rather than on‑road testing; and robustness across a broader set of vehicle makes and models remains to be demonstrated.
Future work is outlined as (i) integrating a full tokenization module to achieve end‑to‑end signal extraction, (ii) validating the system on diverse real‑world vehicles under varying noise conditions, (iii) extending the event‑detection logic with additional sensors (e.g., lidar, cameras) for richer context, and (iv) embedding anomaly‑detection algorithms for real‑time CAN‑bus security monitoring. Overall, the study provides a compelling proof‑of‑concept that semantic CAN reverse engineering can be transitioned from an offline research tool to a lightweight, real‑time capability suitable for deployment in practical automotive applications.