Just to clarify, the PBC method is - protocol-wise - identical to the PIN method. The only difference is the method of activation (a button) and that the PIN is already known, being '00000000'.
I successfully recovered the WPA of my router after pressing the button, using Reaver and Pixiewps some time ago.
If you want you can pass me the data and I can try to to experiment a bit. But maybe the two equal hashes are part of the 'patching work' of the devs. We know for sure Realtek devices are weird.