If someone wanted to break into your network then by the time they've got physical access to the OpenWRT device to reset it and activate the failsafe mode they've got plenty of other options to achieve their aims anyway.
Edit: Even if the failsafe method was altered so it only was available after a failed boot it'd be likely that anyone with physical access would be able to interrupt a normal boot sequence in such a way as to trigger that option.
No my question is whether in the current situation you have been able to convert the failsafe signalling to gain passwordless root access to the modem without pressing a button on the router? That would be a backdoor.
Simple, if you build your OpenWrt firmware with a different filesystem than squashfs (probably any read write fs) the failsafe machanism is documented to not work. So not even with pressing a button on the router in the right time window will your attacker/hacker be able to gain passwordless root access via the failsafe mechanism.
Certainly a position to take.
Well unless it runs automatically and always surely the method used to deduce whether to run or not can go pear shaped. But this is open source, if you come up with an elegant way to avoid that (e.g. only offer failsafe access once ofter each coldboot) I am sure people will look at your patches.
As I said your attacker needs physical access to the router (unless you demonstrate successful login as root without password and without pushing the buttons, in which case I agree you would have found a bug) and at that point your better assume your router is already taken over.
So could I convince you to try logging in without pressing a button, please?