After looking at this some more they really thinned down the places it could be lurking, most of the system is now using cram making a read only file system with only a handful of exceptions like the siglent directory. So you can make onetime changes and recompile a cram image but would have to do it for each firmware release as they just reimage it with their new one that would then be unmodded.
Was mainly looking at seeing if ssh could be kicked on, they left evidence of having had dropbear on there at one time. Thinking of making a custom cram image to perma enable telnet but this telnet script ads file works just as well to do whatever
/dev/root / cramfs ro,relatime 0 0
devtmpfs /dev devtmpfs rw,relatime,size=69852k,nr_inodes=17463,mode=755 0 0
none /proc proc rw,relatime 0 0
none /sys sysfs rw,relatime 0 0
none /tmp tmpfs rw,relatime 0 0
none /dev/pts devpts rw,relatime,gid=5,mode=620 0 0
ubi1_0 /usr/bin/siglent ubifs ro,relatime 0 0
ubi2_0 /usr/bin/siglent/firmdata0 ubifs ro,relatime 0 0
ubi3_0 /usr/bin/siglent/log ubifs rw,relatime 0 0
ubi0_0 /usr/bin/siglent/usr ubifs rw,relatime 0 0
none /sys/kernel/debug debugfs rw,relatime 0 0