It's saddening to see that even in 2021 manufacturers <i>still</i> insist on rolling their own custom shitty UI on top of what is essentially Linux's iptables and iproute2 and obviously get it wrong and introduce security vulnerabilities (not to mention miss/break/restrict functionality that the aforementioned components give you for free), all while OpenWRT is around and is trivial to port especially if you're a manufacturer.
Dump the flash over serial or see if there is tftp support (or maybe nfsv1) These bootloaders usually support high-speed serial (maybe even up to 921600 baud). Alternatively, if it supports tftp, the transfer would be trivial (ha).<p>I recently had to download flash via serial converting an aerohive with old firmware to ddwrt. Bootloader supported Kermit, xmodem, and ymodem.... really brought me back!
Interesting. I have a Huawei CPE Pro and I've noticed these 'mystery' IPs too when doing traceroute. Perhaps they use a similar hardware configuration.