@NickJongens
Forked from svbnet/readme.md
Created July 29, 2021 02:39
VRV9517 infodump

Skinny/Spark/Arcadyan VRV9517 infodump

This is a guide/general infodump of things I've found while poking through the VRV9517 modem, as supplied by Spark/Skinny in New Zealand, and maybe also under other names in different countries. What you see here is the extent of what I've found, mostly concentrated on decrypting the exported config file.

Included third-party software

  • Samba
  • MiniUPnP
  • MiniDLNA
  • vsftpd

Decrypting exported config

I have created a Python script you can find here, which easily decrypts the exported config file to a .tar.gz archive. You will need the original WiFi password, which can be found on the back on the removable card that comes with the router. The script requires OpenSSL to be installed. It appears most of the configuration is stored in the '.gblcfg' file, and most of the other files are dynamically generated from this.

Obtaining the firmware

The config file mentioned above contains the URL for the auto-update feature. For Skinny devices this is currently https://www.bigpipe.co.nz/assets/firmware/skinny/version.txt, which links to the latest version. Unfortunately the main image seems to be encrypted or obfuscated somehow, and I haven't had the time to go through and reverse engineer it.

Serial/SSH/Telnet

It has a Telnet server onboard that can be enabled, but unfortunately it requires a root password, which I don't know. A serial port can probably also be found by probing around on the board, but I would imagine the same situation would occur.

@NickJongens
Author

Nice work! Based on the firmware, would it be possible to get the WPA2 Keyspace to generate a wordlist for cracking to target this specific router?
