The layout looks very 'box standard' for a domestic router. What is the CPU/SOC? There are no visible test points except... for the pins at JP1. This looks like a serial header.
One pin will be ground, one TX and the other RX. The fourth pin
might be the 3V3 power rail. You can try connecting your serial UART to this, respecting the 3V3 rail. You'll just have to best-guess the pinout, baud speed and bit settings. 19200-8-N-1 is always a good start.
If this is a serial port, you should be able to read the OEM bootlog. Another feature of a serial connection can be, by hitting RETURN [or another other key] at power on, drops into the bootloader prompt: granting access to the environment variables. You might then spot a local host address for a TFTP server.
If I am not mistaken, if the distro is OpenWRT-like, somewhere there should be a public repo (github?) with their code - either in full or as a fork of the main branch. Otherwise Yinuo-Link are taking an angle grinder to the open source license. If it's proprietory, then you are stuck. btw, some cellular modem cards have their own OS, which might be Android based. A whole new house of pain.
The bootloader and firmware are likely held inside the Winbond chip (U5/6) to the left of JP1. From the lo-res image, it's a jellybean SPI type. Is it a 2/4/8/16Mb flash size?
You might be able to read out U5/6 by attaching a SOIC clip directly. If not, you'll need to remove the chip, read it, and resolder it. Not so easy but this will give you all the bytes. This should include the bootloader, firmware and settings regions. Hopefully a bootlog will provide the file system mappings.
You can then use Linux
strings to hunt for any
E.T. phone home IP addresses. You should also be able to compare the SHA256 hashes against the 'official firmware'.
Try JP1 and get a bootlog.
Happy angle grinding