Quoted from Markharris2000:RS485 is a just simple connection scheme that has been around 50 years or more, so a cheap sniffer could probably easily decode what's going on under the playfield. It would be interesting academically to see just how it programmatically works. I suspect a simple command/response protocol of their own design, but easily captured. Note: I believe their license agreement prohibits any such reverse engineering of it.
The protocol has already been decoded by the MPF guys. It's a simple protocol where the MPU initiates all transactions and addresses a single node at a time (except when polling).
No need to buy a sniffer either: it's easy to intercept the serial port traffic in the linux distro.