Kitz ADSL Broadband Information
Author Topic: The OR Provided VDSL Modem  (Read 21607 times)

asbokid

  • Kitizen
  • Posts: 1286
    • Hacking the 2Wire
Re: The OR Provided VDSL Modem
« Reply #15 on: August 03, 2011, 03:12:01 AM »

There are many things that I would like to do, the problem is finding sufficient free time! However, I have downloaded a copy of your PDF format file ("Unlocking the BT Openreach HG612 VDSL2 modem router") and devoured its contents with relish. :yum: I am just a little puzzled as to what you mean at the second bullet point of the notes on page six -- "The dropbear sshd is configured incorrectly . . .". "Dropbear"? :hmm:

Dropbear is a smallish ssh server..[1] but it's not configured properly on the Huawei..

Code:
asbokid@core2quad:~$ nc 192.168.1.1 22
SSH-2.0-dropbear_0.50
^C
asbokid@core2quad:~$ ssh -V
OpenSSH_5.8p1 Debian-1ubuntu3, OpenSSL 0.9.8o 01 Jun 2010
asbokid@core2quad:~$ ssh admin@192.168.1.1
admin@192.168.1.1's password: [admin]
PTY allocation request failed on channel 0
asbokid@core2quad:~$ ssh -T admin@192.168.1.1
admin@192.168.1.1's password: [admin]

ATP>sh

BusyBox v1.9.1 (2010-01-07 10:24:29 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# uname -a
Linux (none) 2.6.21.5 #43 Thu Jan 7 10:23:47 CST 2010 mips GNU/Linux


Quote
I'm tempted. Quite a bit . . . :dance: One for me, one for Eric, one for Walter . . . :silly:

(b*cat now departs to check eBay.)

£36.. quite a lot of cash..

happy bidding!

p.s...

you're just one firewall rule away from the web interface and shell on the Huawei - the offending rule is the penultimate one in the INPUT_SERVICE_ACL rulechain:

Code:
# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
INPUT_SERVICE_ACL  all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_SERVICE  all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_FIREWALL  all  --  0.0.0.0/0            0.0.0.0/0           
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
DROP       udp  --  0.0.0.0/0            192.168.1.1         udp dpt:53
DROP       tcp  --  0.0.0.0/0            192.168.1.1         tcp dpt:53

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
FWD_IPFLT  all  --  0.0.0.0/0            0.0.0.0/0           
FWD_APPFLT  all  --  0.0.0.0/0            0.0.0.0/0           
FWD_URLFLT  all  --  0.0.0.0/0            0.0.0.0/0           
FWD_SERVICE  all  --  0.0.0.0/0            0.0.0.0/0           
FWD_FIREWALL  all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FWD_APPFLT (1 references)
target     prot opt source               destination         

Chain FWD_FIREWALL (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain FWD_IPFLT (1 references)
target     prot opt source               destination         

Chain FWD_SERVICE (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain FWD_URLFLT (1 references)
target     prot opt source               destination         

Chain INPUT_FIREWALL (1 references)
target     prot opt source               destination         

Chain INPUT_SERVICE (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain INPUT_SERVICE_ACL (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:23
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8081
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 21,80,22,23,8081
DROP       icmp --  0.0.0.0/0            0.0.0.0/0           
#

Deleting that firewall rule is simple enough but, SFAICS, it involves adding the iptables command to one of the start-up scripts. However, the scripts are stored in the root file system, which is a partition on the flash device, and read-only. So adding just a single line of code to delete that rule means the whole rootfs (and kernel, since they come as a pair) has to be re-flashed.

There must be an easier way of doing the job that doesn't involve re-flashing the whole firmware.

Since UDP isn't firewalled at all, the SNMP service (BTAgent) perhaps holds the key..

Code:
# netstat -natup
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 127.0.0.1:2600          0.0.0.0:*               LISTEN      207/zebra
tcp        0      0 127.0.0.1:8011          0.0.0.0:*               LISTEN      560/monitor
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      137/web
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      581/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      717/sshd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      140/cli
tcp        0      0 127.0.0.1:2600          127.0.0.1:48203         ESTABLISHED 207/zebra
tcp        0      0 127.0.0.1:48203         127.0.0.1:2600          ESTABLISHED 209/ripd
udp        0      0 0.0.0.0:161             0.0.0.0:*                           162/btagent
udp        0      0 0.0.0.0:53              0.0.0.0:*                           581/dnsmasq
udp        0      0 0.0.0.0:69              0.0.0.0:*                           709/tftpd
#

I just checked, and tftpd stores uploaded files under /var, which is a read-write ramdisk. However, I can't see a way to execute uploaded code. The tftp client will do exactly what is needed - modify the firewall configuration - but you need shell access to run it.

While I remember...

Code:
# /bin/xdslcmd --help
Usage: xdslcmd start [--up] [--mod <a|d|l|t|2|p|e|m|v>] [--lpair <(i)nner|(o)uter>]
           [--trellis <on|off>] [--snr <snrQ4>] [--bitswap <on|off>] [--sesdrop <on|off>]
           [--sra <on|off>] [--CoMinMgn <on|off>] [--i24k <on|off>] [--phyReXmt <0xBitMap-UsDs>]
           [--TpsTc <0xBitMap-AvPvAaPa>] [--monitorTone <on|off>]
           [--profile <0x00 - 0xFF>|<"8a |8b |8c |8d |12a |12b |17a">] [--us0 <on|off>]
           [--dynamicD <on|off>] [--dynamicF <on|off>] [--SOS <on|off>]
           [--forceJ43 <on|off>] [--toggleJ43B43 <on|off>]
       xdslcmd stop
       xdslcmd connection [--up] [--down] [--loopback] [--reverb]
           [--medley] [--noretrain] [--L3] [--diagmode] [--L0]
           [--tones] [--normal] [--freezeReverb] [--freezeMedley]
       xdslcmd configure [--mod <a|d|l|t|2|p|e|m|v>] [--lpair <(i)nner|(o)uter>]
           [--trellis <on|off>] [--snr <snrQ4>] [--bitswap <on|off>] [--sesdrop <on|off>]
           [--sra <on|off>] [--CoMinMgn <on|off>] [--i24k <on|off>] [--phyReXmt <0xBitMap-UsDs>]
           [--TpsTc <0xBitMap-AvPvAaPa>] [--monitorTone <on|off>]
           [--profile <0x00 - 0xFF>|<"8a |8b |8c |8d |12a |12b |17a">] [--us0 <on|off>]
           [--dynamicD <on|off>] [--dynamicF <on|off>] [--SOS <on|off>]
           [--forceJ43 <on|off>] [--toggleJ43B43 <on|off>]
       xdslcmd bert [--start <#seconds>] [--stop] [--show]
       xdslcmd afelb [--time <sec>] [--tones] [--signal <1/2/8>]
       xdslcmd qlnmntr [--time <sec>] [--freq <msec>]
       xdslcmd inm [--start <BB_THRESH 10*dB> <INMIATO> <INMIATS>] [--stop] [--show]
       xdslcmd snrclamp [--shape <shapeId>] [--bpshape [bpIndex-bpLevel,]]
       xdslcmd diag [--logstart <nBytes>] [--logpause] [--logstop] [--loguntilbufferfull <nBytes>]
           [--loguntilretrain <nBytes>]
       xdslcmd info [--state] [--show] [--stats] [--SNR] [--QLN] [--Hlog] [--Hlin] [--HlinS] [--Bits]
           [--pbParams] [--linediag] [--linediag1] [--reset] [--vendor] [--cfg]
       xdslcmd profile [--show] [--save] [--restore]
       xdslcmd --version
       xdslcmd --help
#

Loads of options to tweak..

xdslcmd configure --snr looks interesting! ;-)  [4]

[1] http://matt.ucc.asn.au/dropbear/dropbear.html
[2] https://peterkieser.com/actiontec/source/
[3] http://huaweihg612hacking.wordpress.com/2011/07/16/map-of-the-hg612-flash-memory/
[4] http://forums.kustompcs.co.uk/showpost.php?p=409076&postcount=25
« Last Edit: November 16, 2011, 07:50:37 PM by asbokid »
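An added example, not from the thread: a small auditor that walks the `iptables -L -n` and netstat listings above with iptables' first-match semantics and reports which listening service a brand-new inbound packet actually reaches, which is what makes the unfiltered UDP services (SNMP on 161, tftpd on 69) stand out. The sample rules and service list are constructed and trimmed from the post; the catch-all ACCEPT is deliberately left out because `iptables -L -n` without `-v` hides the interface qualifiers such a rule normally carries, so the listing alone cannot tell you what it matches.

```python
import re
# Constructed sample, trimmed from the router's `iptables -L -n` listing above.
IPTABLES = """\
Chain INPUT (policy ACCEPT)
INPUT_SERVICE_ACL  all  --  0.0.0.0/0  0.0.0.0/0
INPUT_SERVICE  all  --  0.0.0.0/0  0.0.0.0/0
DROP       udp  --  0.0.0.0/0  0.0.0.0/0  udp dpt:53
Chain INPUT_SERVICE (1 references)
ACCEPT     all  --  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
Chain INPUT_SERVICE_ACL (1 references)
ACCEPT     tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:23
ACCEPT     tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:80
DROP       tcp  --  0.0.0.0/0  0.0.0.0/0  multiport dports 21,80,22,23,8081
DROP       icmp --  0.0.0.0/0  0.0.0.0/0
"""
# Listeners bound to 0.0.0.0 in the netstat output above: (proto, port, program).
SERVICES = [("tcp", 80, "web"), ("tcp", 22, "sshd"), ("tcp", 23, "cli"),
            ("udp", 53, "dnsmasq"), ("udp", 161, "btagent"), ("udp", 69, "tftpd")]
def parse_iptables(text):
    """Return {chain: (policy, rules)}; a rule records target, proto, dest ports, state match."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\w+)|\d+ references)\)", line)
        if m:
            cur = m.group(1)
            chains[cur] = (m.group(2), [])
        elif cur and line.strip() and not line.startswith("target"):
            f, ports = line.split(), re.search(r"(?:dpt:|dports )([\d,]+)", line)
            chains[cur][1].append({"target": f[0], "proto": f[1], "state": " state " in line,
                "ports": {int(p) for p in ports.group(1).split(",")} if ports else None})
    return chains

def verdict(chains, proto, port, chain="INPUT"):
    """First-match walk for a NEW inbound packet: the terminal target hit, else the chain policy."""
    policy, rules = chains[chain]
    for r in rules:
        # Skip rules for another protocol, and RELATED/ESTABLISHED rules a fresh packet cannot hit.
        if r["proto"] not in ("all", proto) or r["state"]: continue
        if r["ports"] is not None and port not in r["ports"]: continue
        if r["target"] in ("ACCEPT", "DROP", "REJECT"): return r["target"]
        if r["target"] in chains:  # user-defined chain: descend, keep walking if it returns
            v = verdict(chains, proto, port, r["target"])
            if v: return v
    return policy  # None for a user chain (caller continues), the policy for INPUT

def audit(ipt_text=IPTABLES, services=SERVICES):
    """Map each listening service to the verdict a new packet addressed to it receives."""
    chains = parse_iptables(ipt_text)
    return {f"{p}/{port} ({prog})": verdict(chains, p, port) for p, port, prog in services}
```

Calling `audit()` on the sample returns DROP for sshd and dnsmasq but ACCEPT for btagent and tftpd, i.e. the chain policy, because no rule ever matches them.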

burakkucat

  • Respected
  • Senior Kitizen
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: The OR Provided VDSL Modem
« Reply #16 on: August 03, 2011, 03:41:53 AM »

Quote
£36.. quite a lot for an overheating pile of steaming junk!

Hmm . . . found that listing after fighting the eBay search engine. Now I've remembered why I don't frequent that site very often! >:(
 :no: I think I'll keep my £36.00 for better things. :drink: Perhaps someone will eventually give me an HG612. ;)

:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.


asbokid

  • Kitizen
  • Posts: 1286
    • Hacking the 2Wire
Re: The OR Provided VDSL Modem
« Reply #17 on: August 03, 2011, 03:57:16 AM »

Quote
£36.. quite a lot of cash.

Hmm . . . found that listing after fighting the eBay search engine. Now I've remembered why I don't frequent that site very often! >:(
 :no: I think I'll keep my £36.00 for better things. :drink: Perhaps someone will eventually give me an HG612. ;)

Hehe. It is a lot of money. They could be a collector's item in years to come though! I think I paid £11 for one, but that included a BT Infinity Home Hub 3 (a device based on the Lantiq XWAY ARX168 which is proving impenetrable) [1].

[1] http://gadgetcat.wordpress.com/2011/02/19/home-hub-3-disassembly/
« Last Edit: November 16, 2011, 07:51:02 PM by asbokid »