When adjusting the resistance of the exercise machine, one single digit of the large time dispaly (the 10's digit) is shown on the screen. This is perfect for reverse engineering the protocol because there is very little data change from sample to sample to puzzle out.

Method:

I first looked only at the two changing bytes of the SPI packet (line 2-8 below). I arbitrarily assigned a number to each of seven segments of a digit (lines 25-31 below). I then began comparing the samples that I had for numbers where just one segment is different.

To do so I made a list of segments -- and missing segments in parenthesis -- for each number (lines 33-42 below). This makes it obvious that 0 and 6 both uses segment 3 and 4 differently which makes the bit location for those obvious. Once that was established I removed those columns from lines 16-21 using stars. I just kept going until I had almost all of them.

The only problem I had is that I had not captured a 7 or a 9 which is the only way to establish the difference between the top segment and the bottom segment. But I had a way around that.

When choosing one of the six exercise routines the display shows only P1, P2... P6. I had also captured this data (below). A close look at this showed that the next digit to the left (hour-ones digit) uses the same data scheme. Showing "P" on the display doesn't use the bottom segment and this solved the rest of the puzzle.

Spotting the Peculiar:

Looking closely, each digit spans a curious number of nibbles. Here's a binary example for the numeral 8:

0b0000 0111 1011 1000

The data can easily fit in two nibbles, why does it bleed over into 3? The answer is in the datasheet for the LCD controller (HT621):

Look at the data line and count the bits up to the first data nibble. There are 3 bits to signify a "write" operation, then 6 bits for the memory address followed by an indeterminate number of 4-bit nibbles of data.

My microcontroller's hardware SPI accepts 8-bit packets. So after this 9-bit preamble, all of the data nibbles are shifted by 1 bit. Oh well, I'm going to be decoding this data packet for my own custom display anyway so I'll deal with it on that end of things.

I've seen 9-bit SPI before, but in that case every operation was 9-bits. I don't know if there are microcontrollers out there that can roll with this peculiarity in hardware.