A full AES-128-CBC implementation with a hardcoded key found at 0x2C010: a3 f1 82 0e 5c 91 27 6b 4c 0d 38 f9 ab 12 44 6e. This decrypts configuration blobs from the cloud server api.yg-device.net.
At offset 0x1A4C8, a string yg_admin:yg6m021pass appears. This enables a telnet daemon on port 2323 if the device fails three normal login attempts. An attacker on the same network can gain root shell access. yg-6m021.bin