
Any kind soul want to teach me how

echo -e 'admin\nadmin\nspi rd 0 2097152\n' | nc 192.168.18.17 23 | tee ~/download/hk1000.spi2.img

downloads the firmware?



The device appears to support the Serial Peripheral Interface protocol, which Scott discovered (and others before him too: https://mlug-au.org/lib/exe/fetch.php?media=20210726-goodwe....). He did this by poking around with nmap for open ports, discovering that the telnet port is open, and then trying to talk to the device with telnet.

"spi rd" are commands that can be used to dump some data from the device, as you can read in my linked presentation.

And the one-liner Scott has in the blog just automates the following process:

1. logging in with admin/admin on the device with telnet
2. issuing the telnet command "spi rd 0 2097152"
3. capturing its output into a file, while also viewing it on the standard output at the same time


thank you!


I think `spi rd 0 2097152` is probably something in the telnet prompt that reads values from an SPI flash; the two numbers seem to be the starting and ending range.



