Quite some time ago (late 2011) I got sufficiently bored to poke and prod the firmware of a ZTE ZXDSL 931WIIA brand VDSL2 device, primarily to find out if it had a usable telnet interface and/or a convenient way to run arbitrary code. I always meant to write up a description of what was hiding under this particular rock, but never got around to. Well, here we (belatedly) are.
Most things in the following are likely to be — more or less — particular to the exact model and firmware version (
ZXDSL931WIIA_ElisaV2.8.2a_Z40_FI) I have.
The model is probably discontinued by now, but perhaps the illustrated principles may be helpful for someone.
If you still have one, don't try any of this at home if you're very attached to the device.
Finally, the approach taken is a very "manual" one (GNU binutils, dd, etc.), and more intelligent tools could well make it simpler.
tl;dr? There is a telnet interface (in this version), with hardcoded ZTE "debugging" username:password pairs, allowing for full root shell access.