Just registered here and I had been working on this solo, but from a network side rather than hardware hacking.
Thought I'd just jump in with what I've discovered so far.
You don't need to do anything fancy in regards to the DSL PPPoE creds and packet capture, just use two machines to log in to web interface of the router. One starts a packet capture against "ALL" (not just WAN) , and the other initiates a reconnection of the DSL. You might need to do this a few times to capture enough PPP packets to complete the handshake.
The WAN port is indeed active if you have the latest update 188.8.131.52.2184.108.40.206.6 it's just 10Mbs half so use ethtool to manually set that.
I have success in building a PPPoE server and authenticating the email@example.com
user and issueing a PPP supplied IP address of my choosing over the ETH WAN port and I suspect I could plug that into the LAN port of a vDSL modem and have that complete a full ACS configuration, however, I have an issue with a fully working and provisioned VF router in that it constantly logs that it can't connect to the ACS so I suspect if I had an issue with the router and VF had to reset it, it would probably fail.
That asside, I'm impressed and hopeful with the work that others are doing on the hardware/flash front.
If anyone is interested then I can supply the source code of a C program I have written (I'm no programmer) that I am using to brute the password from the MD5 CHAP packet capture. You cannot use hashcat as that -m 4800 is limited to a 16byte challenge and the Juniper equipment always offers a challenge in excess of that. Probably deliberate.
Now we know that the username is firstname.lastname@example.org
and that the password is length 8 consisting of the usual mixed case alphanumeric but it would assist greatly with probability if those who were lucky to obtain the password could confirm if the left most (or right most) character of the pass was consistantly upper, lower or number. Just to reduce the number we would all need to force.
I can also confirm the username is not connected to the router MAC or serial number, and I also believe the password is random. Vodafone cocked up my account and had to issue a new user/pass but I kept the same router.
Keep up the good work.