Treadmill Motor Controller - fl3xbl0w
Reverse engineering project. It started with the Bowflex Treadmill 22 but ended up being generalized for any Android machine sold by Nautilus Inc. (Nautilus, Bowflex, Schwinn).
This mainly applies to the Treadmill 22 & Treadmill 56.
The motor control board is manufactured by Electronics Way Industry.
Given the service manual provided by Nautilus Inc. (backup on archive.org):
And focusing specifically on this part:
We can identify the “communication cable” that connects the motor controller as a 5-pin one. There is only one 5-pin connector. I have labeled the wires with their corresponding colors (data & switch are optoisolated):
| wire color | label |
|---|---|
| red | GND |
| white | RXD |
| black | TXD |
| yellow | +12 |
| green | SW |
The board is not connected directly to the Android console.
The only 5-pin connector is from the Molex brand. A Google search for “small Molex connectors” led me to an image of what they call Molex Micro-Fit 3.0 Single Row (5-Pin), which is used to connect the motor controller board:
Taking a look at NautilusLauncher.apk through jadx-gui, I can see that they communicate with the Android tablet with their “Universal Console” using Serial at 230400 Baud (using /dev/ttyS4). That is NOT what we are analyzing here. That refers to the communication between Android and the “Universal Console”. We are investigating the comms between the “Universal Console” and the “Motor Control Board”.
Attempting to connect an ESP32 or a CH340-based serial bridge directly to the wires between the treadmill base and the Bowflex controller board caused the treadmill base not to initialize correctly, so I started to suspect that they are using RS232.
Note: By connecting only to GND and RXD, we can “see” some seemingly garbage hexadecimal information at 9600 baud. Connecting to TXD causes the treadmill base not to initialize.
— To be continued, I need some time to play with my new logic analyzer —