@hugch It depends on what backend you use.
If you use soft signing, all secrets and state-flags/preferences are in EEPROM. If you use ATSHA204A secrets are in the ATSHA204A while the state-flags/preferences are in EEPROM.
The secrets are specific to the security infrastructure (HMAC, serial). The state-flags/preferences are specific to the MySensors library (node signing requirements).
And if it was the wrong serial in the EEPROM, it was a whitelisting problem, as the serial is only used for whitelisting. If you use soft signing, your serial will be fetched from EEPROM (currently). If you use ATSHA204A serial will be fetched from ATSHA204A.