@zfgeng thank you! Removing those nasty OOB chunks at the exact location helped with calculating the CRC-32. I got telnet and root, but this is not for the faint of heart.
Small guide to help newbies:
1. Dump the first 0x200000 bytes of NAND in raw mode:
   snander.exe -d -l 0x200000 -r dump.raw
2. Open a hex editor and find "ssh_en". There are multiple locations; look for the second one. It should be after 0x180000; in my case it was 0x195000. Locate the start of this block (a multiple of 0x22000). Let's suppose it starts at START.
3. Save the block starting from START, length 0x22000, into two files, block.raw and fix.raw. Yes, two copies.
   3.1) Open block.raw and fill with zeros everything starting from 0x200, length 0xffff, to clear those nasty OOB chunks (OOB is internal NAND error correction data, don't bother with it).
4. Now you can calculate the CRC-32 of the block starting from 0x4 with length 0xfffc; it should match the initial CRC-32 written at the beginning (look at the other guide up there if you don't understand).
5. If the CRC-32 matches, you can continue (remember the order of bytes, it is reversed). Change telnet_en=0 to telnet_en=1.
6. Recalculate the CRC-32 checksum and remember it.
7. Now open fix.raw, because you need those nasty OOB chunks again ...
8. Modify this fix.raw dump from telnet_en=0 to telnet_en=1 and write the newly calculated CRC-32 checksum to the beginning (warning: the order of bytes is reversed). Save the file.
9. Use snander to write fix.raw to the START location on your NAND like this:
   erase block:
   snander.exe -e -d -a START -l 0x22000
   write new data:
   snander.exe -d -a START -l 0x22000 -w fix.raw
10. Start the router, you got telnet.
11. Use the Python script up there to calculate the root password from the serial.
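The verify-and-patch part of the guide above (from checking the stored CRC-32 to writing the new one into the copy that keeps its OOB data), as an added example that is not code from this thread. It assumes the checksum is zlib's standard CRC-32, that "reversed" byte order means little-endian, and that the setting sits before 0x200; the function names and the sample block with its OOB layout are constructed for illustration.

```python
import struct
import zlib

BLOCK_LEN = 0x22000                   # raw block size from the post (data + OOB)
CRC_OFF, CRC_LEN = 0x4, 0xFFFC        # range the stored CRC-32 covers
CLEAN_OFF, CLEAN_LEN = 0x200, 0xFFFF  # range zeroed in block.raw (step 3.1)

def calc_crc(raw):
    """CRC-32 of the cleaned copy (block.raw); zlib's CRC-32 is an assumption."""
    buf = bytearray(raw)
    buf[CLEAN_OFF:CLEAN_OFF + CLEAN_LEN] = bytes(CLEAN_LEN)  # wipe the OOB chunks
    return zlib.crc32(bytes(buf[CRC_OFF:CRC_OFF + CRC_LEN])) & 0xFFFFFFFF

def stored_crc(raw):
    """Checksum at offset 0; "reversed" byte order read as little-endian."""
    return struct.unpack_from("<I", raw, 0)[0]

def patch_block(raw, old=b"telnet_en=0", new=b"telnet_en=1"):
    """Return the fix.raw image: flag flipped, CRC rewritten, OOB untouched."""
    if len(raw) != BLOCK_LEN:
        raise ValueError("block must be exactly 0x22000 bytes")
    if calc_crc(raw) != stored_crc(raw):
        raise ValueError("CRC mismatch: wrong START, refusing to patch")
    pos = raw.find(old, CRC_OFF, CLEAN_OFF)  # setting must sit before 0x200
    if pos < 0:
        raise ValueError("setting not found before 0x200")
    fix = bytearray(raw)
    fix[pos:pos + len(new)] = new
    struct.pack_into("<I", fix, 0, calc_crc(fix))
    return bytes(fix)

def make_sample():
    """Constructed test block: settings, zero padding, 0xFF filler as fake OOB."""
    raw = bytearray(BLOCK_LEN)
    env = b"ssh_en=0\x00telnet_en=0\x00uart_en=0\x00"
    raw[CRC_OFF:CRC_OFF + len(env)] = env
    struct.pack_into("<I", raw, 0, zlib.crc32(bytes(raw[CRC_OFF:CRC_OFF + CRC_LEN])))
    for off in range(0x800, BLOCK_LEN, 0x880):  # constructed OOB layout
        raw[off:off + 0x80] = b"\xff" * 0x80
    return bytes(raw)

if __name__ == "__main__":
    fixed = patch_block(make_sample())
    print("new CRC bytes at offset 0:", fixed[:4].hex())
```

The CRC check before patching is the useful part: if it fails on a real dump, the block boundary or the cleaned range is wrong and nothing should be written back.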