A brief summary of how I enabled SSH service:
I extracted the firmware of Xiaomi CR8806 because I found that they have a similar interface. In the file system, I discovered a service called elink, which related to Home Automation. It establishes a connection with the gateway's port 32768 after establishing an internet connection and registers itself to the gateway.
By decompiling this file, I found that it uses wget %s -O /tmp/update.bin to download firmware during system upgrades, and it does not check if the URL address is valid. So, if we input ; reboot ; as the address, it will execute our command (in this case, "reboot").
I wrote a Python program to implement this idea, and it works well with my device. I have already pushed it to my repo. I haven't done a lot of testing, if it doesn't work properly, please let me know or submit a PR 
@lazy.guy @hquu @shiguang55 @hank9999