As a hacker, the problem with electronic equipments is that you usually don't have the connections you want them to have to be able to play with it.

So, is it for a (low-cost) treadmill. Unless you target a medical grade equipment, you won't find any external connector for remote control. As far as I know, if you find something, it will be a proprietary connection with undocumented protocol.

As we wanted to make a proof of concept (and we were low on budget) we didn't want to play with expensive material, and also we wanted to be sure to reach some result.

So we bet on a very pragmatic approach: keyboard hacking. No tricky serial connection, or encrypted data, just plain old key-press spoofing.

Or remark thought: we could have chosen to leave the console untouched, and use a bunch of motors to mechanically press the keys. Sure it would have been elegant as well, maybe a bit more bulky, and we a no personal fan of mechanic. Also, we couldn't resist to know what's inside this cheap device, and inject some magic in it.

Obviously, the sole act of opening the treadmill console has voided the guarantee, but at least we became the master of the beast.
No surprises in the inside, for a low cost BOM: a couple of chip on board, multi-product PCB with unpopulated components, Chinese labels...

On the bottom-right of the PCB we can see the flex cable coming from the keyboard.
(For info, the top wires are for safety key switch, and the other right connector is for power and motor control)

Next, the decoding of the keyboard.