Spoof PPPoA Access Concentrator

I have a router/modem with an ADSL connection that connects to my ISP over PPPoA.
It has a username and password built in to the device which I cannot extract from its web interface.
I was wondering, would it be possible to connect the ADSL port of this router/modem to the ADSL port of another router/modem running OpenWrt and spoof the ISP to extract the credentials from the device?
Running something like rp-pppoe on the OpenWrt device, but over the modem? Or perhaps just rerouting the demodulated traffic to and from my laptop?
I don't know from looking at the web interface whether the PPP protocol is over PAP or CHAP. Do you think it's possible to force it to be over PAP? Does anyone know what kind of hashing CHAP uses or any resources they could point me to re understanding PAP and CHAP authentication?
This is more a question of curiosity than anything. I know I could contact my ISP, or I could hack the hardware of the router/modem and extract the password from the memory chips. I'm just curious if it's possible.