Hello there!

I'm trying to hack my functioning treadmill.
The unit is just terrible:

• There are 14 speeds, one button cycles through 3,6,9 and 12.
• The - and + buttons increase the speed by 0.1 increments.
• The predefined programs are bad.
• As soon as you finish your run, you have no data about the session, it just turns off.

My idea is to control the speed with an Arduino to give it better control over the speed, define my own running programs and to be able to upload the stats (ESP32).

Specs:
Motor: Revo Drive M610 - 2.5HP, 4000 RPM, 180VDC
Controller Board: JFDZ_PBJ_XK_COMST_V2.20

The display unit connects to the controller board through 5 pins with the codes V,T,R,G,S.
Initially I thought the S pin received the PWM signal so my idea was to dump the display unit and make the arduino control the PWN signals.
But it turns out the display unit maintain a serial communication with the controller board through the T and R pins and the S pin is not for PWM.
The display unit is ruled by a STM32 controller (32G030F6P6) and the controller board by a STM8S (8S003F3P6), and apparently they talk to each other about the motor speed and killer switch.
Without the T and R pins connected the display unit shows an error.
Without the S pin the display unit works properly but the motor doesn't turn.

I bought one of those cheap logic analysers on amazon - still waiting for the delivery - and I'll try to decode the serial signals with the hope that I'll be able to replicate them with the Arduino.

Plan B:
If dumping the display unit doesn't work, I'll try to control the buttons on the display unit and make the arduino "press" them programatically and internally calculate speed and distance.

Does anyone knows about the STM controllers and how to decode them?
Or any other idea how to accomplish this without buying another expensive controller board?

Thanks in advance

 

Welcome to AAC.

I don’t have a lot of time this morning, but to get you started in the right direction…

The first thing I would do it try to see what information I can get from the MCU. Normally, when reverse engineering something like that we’d look for a serial or JTAG port—and what do you know? J1 (an unpopulated 2.54mm pin header location) is directly adjacent, and has traces running to, the MCU (U1). Two pads have traces to pins 18 and 19 respectively, which are PA13 and PA14.

​

In this case, the STM32 being used has (according to its datasheeet) an SW-DB (Serial Wire Debug) interface—which is an ARM thing. It provides access to all sorts of things including the processor boot and directly to memory devices. Very powerful. It’s not quite as simple as a UART running serial data, but it has full JTAG capability in addition to the other things. Pin 18 is SWDIO and pin 19 is SWCLK—the two wires of the SW-DB interface. The square pad of J1 is circuit ground.

​

You need hardware to interface to it, but this affordable and extremely capable Mini DAPlink probe from Muse Lab is just the ticket. [alternative source]

​

So soldering on a pin header and connecting the DAPlink probe would be my first move in reverse engineering the system. Getting some idea of what might be going on with the processor and if you might be able to get the code from it—and even reflash it with your own improvements will help give you some direction.

Sorry for the cursory response, I will try to add more later if I can. Good luck with your project.

 

Hey Ya'akov, that was very impressive, I'm looking forward to knowing more about the process when you have time.
I couldn't find the daplink here in Australia so I got it from Muse Labs as you suggested, it'll take a few weeks to get here.

I'm not proficient in electronics, the closest I got to it was through Arduino and out of the shelf modules. But I'm already searching how to access and flash the STM32.
In case I can't access the current code in the MCU any ideas on how to decode the communication with the STM8?

PS: The square pad of J1 is actually tagged as V, I attached the original photo zoomed out.
And as you said, the pins 18 and 19 are connected to C and D, as CLK and DIO.

Thanks a lot for you help, it was a very good start.
I'm looking forward to hear more from you.

Cheers

 

PS: The square pad of J1 is actually tagged as V, I attached the original photo zoomed out.
And as you said, the pins 18 and 19 are connected to C and D, as CLK and DIO.

Ugh, sorry about misleading you. I was too quick to come to a conclusion on that. Fortunately, device in hand, I am much more circumspect since a mistake like that can mean letting the magic smoke out of something I’d rather keep it in.

Glad to hear you are exploring it. I am also glad the pads were labeled, I made a bad assumption.

The V pad will be \(\mathsf{V_{SUPPLY}}\) either 5V or 3.3V, the R pad goes to the NRST (\(\mathsf{\over{RESET}}\), active low reset)) pin. It’s called that because is gets pulled low (i.e. 0V or less) to reset the MCU. This is used in debugging and flashing.

Reverse engineering devices can be a lot of fun. Take a look on YouTube for "reverse engineering MCU” or a similar search, there is a lot of good content. I will try to get you a few recommendations for creators who do good work.

 

Hey Ya’akov,

I've been away for a few weeks and wasn't able to progress on this, but I'm back now and the DAPLink arrived. I soldered the pin headers and I tried searching how to use the DAPLink but couldn't find anything in a beginner's language.
I found something about Keil MDK, OpenOCD and STLinks but can't understand how to put the parts together. I also got one of those logic analysers with the hope of decoding the serial communication between the MCUs but haven't looked into it.

Any help on how to start would be awesome.

 

Any progress on this Rafael? I am going to attempt something similar on the treadmill I just got (it's a chinese white labeled product)

 

Any progress on this Rafael? I am going to attempt something similar on the treadmill I just got (it's a chinese white labeled product)

i am success decoder the treadmill.