Quote Originally Posted by bank View Post
I think, I found algo.

Pin stores in a6-a9 and b0-b3, XORed by two different keys
XOR for a6-a9 is 3f 46 33 d5
XOR for b0-b3 is 46 3c d9 3f
After XOR pin will be a7, a6, a9, a8 and the same in b1, b0, b3, b2. It's works for 16bit dumps which starts with "7F 01", "7E 01"

The same algo and pin location for 16bit dumps which starts with "6A 0C", "6B 0C" but another keys for XOR:
XOR for a6-a9 is 51 87 44 3C
XOR for b0-b3 is 5A 3C 9F 35

The same algo and pin location for 16bit dumps which starts with "04 88", "05 88" but another keys for XOR:
XOR for a6-a9 is 8D FF 3A 3C
XOR for b0-b3 is 3C 8E F7 C3

I checked this algo on different dumps with khown pin and it works correctly
Hi,

on 2002 XU CIMs SW 93 and SW 94 with 2xMC68HC908AZ60 mask 2J74Y the EEPROM dumps start with different bytes so the algorithm for storing the PIN might be different.

In the EEPROM.bin file saved by Orange 5 there are these bytes at addresses 0x0000 and 0x0200:

Code:
0x0000: 0x5e, 0xde, 0xb1, 0xfd
.
.
.
0x0200: 0xfe, 0xf8, 0x39, 0xfe
I am not sure if Orange saves .bin file in order as the data is in the processor (EEPROM2 then EEPROM1) or the data is in the order EEPROM1 then EEPROM2 - that's why I wrote bytes at both 0 and 512.