Then try to clean (potentially) corrupted NVRAM: push and hold WPS button then turn N66 on.
Edit: Ops, you already done this.
It reads lan_ipaddr variable on my RT-N66U, here is an example.
In that case this is bad design on Broadcom's part IMHO. What happens if lan_ipaddr contains garbage? Or an IP that people can't remember anymore? (tho there are ways to work around that, as long you know the MAC address and are willing to do some ARP fiddling).
Hopefully the WPS reset code is being applied before the LAN IP gets configred, so one would be able to at least reset to factory default even tho the lan_ipaddr is corrupted.