What I have tried so far:
Poking at the serial port looking for activity in boot loader and normal mode - Failed
Wireshark sniffing on the ethernet interface - Nothing interesting
Port scan on the ethernet interface - Port 80 and 4001 are open
Lifted CS# on the EEPROM hoping it might force the display into some mode where I can talk to it over serial. No noticeable effect on operation, strangely.
So, I have not been able to find any attack vectors so far. There is the firmware update mode that could be explored a bit, but without the software tool, no firmware images, and no activity present on the serial port, I am completely blind.
I suspect that there are additional factory pages in the webserver, but I do not know of any way of finding hidden pages, so one would need to know the URL.
The next step, I suppose, is to dump the flash memory and have a look. Things to look out for will be filenames, signs of Linux, etc. If it is a known filesystem, it might be possible to patch in SSH.
Another adventure would be to JTAG into the SoC and look at the 16K internal boot ROM.
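A first-pass triage of the flash dump mentioned above could look like the following. This is an added example, not code from the original log: the magic values are common embedded-Linux signatures chosen as assumptions (the log does not say what the display runs), and the sample image is constructed so the script runs without a real dump.

```python
import re

# Common magic values; which (if any) apply to this display is unknown.
SIGNATURES = {
    "uImage header": b"\x27\x05\x19\x56",
    "SquashFS (little-endian)": b"hsqs",
    "SquashFS (big-endian)": b"sqsh",
    "CramFS (little-endian)": b"\x45\x3d\xcd\x28",
    "JFFS2 dirent node (little-endian)": b"\x85\x19\x01\xe0",
    "UBI erase block": b"UBI#",
}
LINUX_KEYWORDS = ("Linux version", "BusyBox", "console=", "root=", "/etc/")
FILENAME_RE = re.compile(r"\S+\.(?:html?|cgi|js|cfg|bin)\b")

def find_signatures(image):
    """Return sorted (offset, name) for every magic value found in the dump."""
    hits = []
    for name, magic in SIGNATURES.items():
        pos = image.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = image.find(magic, pos + 1)
    return sorted(hits)

def find_strings(image, min_len=6):
    """Return (offset, text) for each run of printable ASCII >= min_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(image)]

def linux_hints(strings):
    return [(off, s) for off, s in strings if any(k in s for k in LINUX_KEYWORDS)]

def filename_like(strings):
    return [(off, m.group()) for off, s in strings for m in FILENAME_RE.finditer(s)]

def build_sample_image():
    """Constructed 1 KiB stand-in for a flash dump (not data from the device)."""
    img = bytearray(b"\xff" * 0x400)
    for off, blob in ((0x40, SIGNATURES["uImage header"]),
                      (0x60, b"Linux version 2.6.31 (constructed sample)"),
                      (0x200, b"hsqs"),
                      (0x240, b"/www/index.html\x00")):
        img[off:off + len(blob)] = blob
    return bytes(img)

if __name__ == "__main__":
    data = build_sample_image()  # replace with open(path, "rb").read()
    print(find_signatures(data), linux_hints(find_strings(data)))
```

Short magic values produce false positives on a real dump, so treat each hit as an offset to inspect rather than as proof of a filesystem.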