Plugged in my 'scope and started probing some debug headers that looked a lot like they'd be for UART, check if one is Tx and is sending out data, figure out the baud rate, hook up Rx, Tx, and GND on my UART dongle to the correct headers, and modify the bootsting in Cisco preboot to spawn a serial console which landed me into busybox as root :)

Followed by the use of >=$100 of hardware and some not-beginner skills. Snark aside, I highly recommend anyone remotely interested in what is going on in your modem/router to have a go at this. You don't need the scope if you're okay with trial and error and it's pretty hard to break anything as long as you don't connect the 3.3/5V line to start with.