BT Home Hub 5a / Plusnet Hub One Software Based Install

Before installing OpenWrt through UART, I attempted to reverse engineer the stock firmware configuration backup and restore. Although I wasn't entirely successful, I thought I'd share in case it allows someone else to develop an OpenWrt install method that doesn't involve opening the case.

The hub's configuration file is encrypted by the openrg binary with aes-128-cbc using an IV and userkey that are stored in the persistent flash in 0 and 1 entries respectively. Using the SSH mod, these can be retrieved through the command line with:

conf print persistent/ng_diagnostics

The values are obscured with a hardcoded key; they can be decoded with:

echo "83f6c6f867f29627a721ad294a4f7858" | xxd -r -p | openssl enc -d -aes-256-cbc -K "9a205d4aaade68e5bb7cd1614842c2bed3e4e62c6a32c2733625245a235f0e8e" -iv "00000000000000000000000000000000" -nopad | hexdump -C
echo "a15e715d7098adcb3f6213a1bd0100f1" | xxd -r -p | openssl enc -d -aes-256-cbc -K "9a205d4aaade68e5bb7cd1614842c2bed3e4e62c6a32c2733625245a235f0e8e" -iv "00000000000000000000000000000000" -nopad | hexdump -C

To finally decrypt the configuration backup:

openssl enc -d -aes-128-cbc -K "a59f544a8030daa4c9148ae1c4e808db" -iv "3ad412c0776180e62ecc6ddd387f3d65" -nopad -in plusnet_hub_one.conf -out plusnet_hub_one.conf.plaintext

However, I'm beginning to think the keys are unique to certain batches of hardware as some people report not being able to restore a backup from one device to another whilst others can. I suspect there are a few different keys in circulation.

The main advantage from this approach is it then gives you full control of the stock configuration by decrypting, modifying, encrypting and then restoring. The disadvantage (currently!) is that I can't think of a good way to read the keys without first cracking it open which defeats the whole purpose!

Sharing to the community to see if it helps anyone develop a streamlined OpenWrt install.

Other Resources

OpenRG Programmer's Guide

OpenRG Configuration Entries

Stock SSH Access
