If You own this device instructions how to get root access to OEM firmware are in this topic. In case You want an offline investigation, I uploaded two versions of rootfs copied from the device, use binwalk or p7zip to extract the .bin files.:
1.1-16r
https://mega.nz/file/8c4H2BwB#dxI6eUwQ7jq_YJ3mpn2ocgmG8YmigWciIn1SgWejYa4
1.1-18
https://mega.nz/file/QAoVwJ6K#4dyVzW0pjIzLVdX8XOstZ2MzqulMvgvaSorIK_IkIak
You can look for example how they enable ssh access by searching/grepping for string disable_ssh. But then You'll also need to decode at least one of the users password (preferably root). You can also go for decoding app communication with servers. These are only pointers, I don't have time to pursue this further but if You do, I will gladly test any exploit.
@rayclark
The easiest one: https://openwrt.org/docs/guide-user/network/wifi/dumbap
@drandyhaas
Did the installation instructions work for both devices with different flash layouts?