Wow
Thank you SO MUCH, someone else (I mean you, not someone else).
It is much more "readable" than what I got.
I am not used to MIPS either (my poor skills in disassembling speak for themselves :P).
I will try with the tool you used; I am curious about LOAD:0040C8C0 and checking sub_404128 / sub_403F60.
The very last line you underlined is definitely like a simple "printf" that writes the value of the PIN to "stdout".
SO GREAT!
First, thanks to you, we know 100% for sure that the build time is the string used, with some randomization.
The startup.sh script was giving a strong clue: the time was "generated" just before the PIN...
Another clue: we already know that the time is used as a seed for the Diffie-Hellman key exchange.
Now we know: the time is definitely and surely used to generate the default PIN.
And it is the first build time.
That's kind of an issue if we look for a way to generate the exact default PIN, depending on the randomization, but it looks like this with the devices I saw; we might be able to guess the first digits correctly by relating them to the year of production. Then the PIN respects the checksum, so the seconds start on 7 digits.
One hour is 3600 seconds, and we would need to be within about 15 minutes, more or less, of the exact build time to get the first half of the PIN... sorry for my English, but I guess you see what I mean...
But a little pixie flying around told me that this kind of "unsupported Realtek" would, maybe, who knows?, not be unsupported anymore for so long...
Thanks so much for the information; it is helping a lot.