Ok, so the previous tries to get at the data on the hard disk without doing too much work didn't go too well. Perhaps it's time to scale down a bit and not go for the silver bullet? Perhaps it's possible to make brute-forcing the code feasible?
With the previous attempt, we've already uncovered a flaw in the anti-brute-force routines the device implements: when we lower the voltage just as the PIC tries to write the number of attempts left to the EEPROM, we can make it write garbage, which then gets interpreted as a valid and high number. The problem with this is that every try still takes 3 to 4 seconds, which is a bit too much when the code is at least 6 digits. Can we perhaps shorten that time? Perhaps the timing technique we used earlier can help. Let's see what the delay is between the PIC stopping its scan of the keypad matrix and the start of the EEPROM write, on a completely correct and a completely wrong attempt:
On the left is the attempt with a wrong PIN code; on the right the PIC was fed the correct PIN. The white lines are in exactly the same position in both pictures, and as you can see the EEPROM gets written just a tiny bit earlier when the PIN code is wrong.
So, how can this be used? Quite simply: I reused the circuit I had built to make EEPROM writes fail. I added a line from my AVR to the keypad matrix, so it can measure the time between the PIC starting to process the PIN code and it writing to the EEPROM. I added another line to the /MCLR of the PIC and wrote some firmware: the AVR would basically wait for me to enter a PIN code and would then measure the processing time. If it decided the PIC thought the entered PIN code was wrong, it would reset the PIC before it had the chance to save the decreased number of attempts to the EEPROM. This way, I could enter PIN codes as quickly as I wanted, without waiting for the PIC to tell me my attempt was wrong and without running into the brute-force protection.
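The root cause here is an ordering flaw: the PIC compares first and only then persists the decremented counter, so a reset in between undoes the decrement. The following is an added example in C (not the device's firmware; the PIN value, counter size and function names are constructed) that simulates the vulnerable flow next to a hardened one, which commits the decrement before comparing and uses a constant-time compare so the timing no longer reveals when the comparison failed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define PIN_LEN   6
#define MAX_TRIES 5

/* Constructed stand-ins for the PIC's EEPROM counter and stored PIN. */
static uint8_t eeprom_tries = MAX_TRIES;
static const char stored_pin[] = "482917";

/* Early-exit compare: returns on the first differing digit, so a wrong PIN
   finishes sooner than a right one. This is the timing leak seen above. */
static bool compare_leaky(const char *guess) {
    for (size_t i = 0; i < PIN_LEN; i++)
        if (guess[i] != stored_pin[i]) return false;
    return true;
}

/* Constant-time compare: always walks every digit, accumulating differences. */
static bool compare_ct(const char *guess) {
    uint8_t diff = 0;
    for (size_t i = 0; i < PIN_LEN; i++)
        diff |= (uint8_t)(guess[i] ^ stored_pin[i]);
    return diff == 0;
}

/* Vulnerable ordering: compare, then persist the decrement. 'reset_before_write'
   models pulling /MCLR before the EEPROM write lands. */
bool check_pin_vulnerable(const char *guess, bool reset_before_write) {
    if (eeprom_tries == 0) return false;
    bool ok = compare_leaky(guess);
    if (!ok) {
        if (reset_before_write) return false;   /* decrement never reaches EEPROM */
        eeprom_tries--;
    }
    return ok;
}

/* Hardened ordering: spend and commit the attempt before comparing, refund it
   only on success. A reset between write and compare now costs an attempt. */
bool check_pin_hardened(const char *guess, bool reset_before_compare) {
    if (eeprom_tries == 0) return false;
    eeprom_tries--;                          /* committed to EEPROM first */
    if (reset_before_compare) return false;
    bool ok = compare_ct(guess);
    if (ok) eeprom_tries = MAX_TRIES;        /* successful unlock restores the counter */
    return ok;
}

uint8_t tries_left(void) { return eeprom_tries; }
void reset_counter(void) { eeprom_tries = MAX_TRIES; }
```

The glitched-write problem from the previous attempt is a separate weakness: storing the counter together with its complement (or a checksum) and treating any mismatch as zero attempts left would stop a garbled write from being read as a high number.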
A quick calculation indicates this attack is feasible to actually use against short PIN codes. My experience tells me it takes a maximum of one second to enter a code and see if it's wrong. If we automate the process and try all possible 6-digit PIN codes, we would only need 10*10*10*10*10*10=1000000 seconds, which amounts to 11 days. With some more info we can shorten this even further. After a lot of use, the buttons used to enter the 6 digits of the PIN code may accumulate a bit more grime from the users' fingers, or maybe wear out a tiny bit sooner than the others. If we can detect this and make out which 6 digits were used when entering the PIN, the brute-force time goes down to 6*5*4*3*2*1 seconds, which amounts to 12 minutes. Even with this additional information, longer PIN codes take exponentially more time: 7 digits means 1.5 hours of brute-forcing, 8 digits amounts to 11 hours, 9 digits is 4 days and 10 digits would take a month and a half to crack.