Posted by Zach C on May 22

Part 5 is up. In this and the next several parts we start analyzing
the structure of Netgear R6200 firmware updates. We switch over to the
HTTP daemon because it’s less broken and a little easier to analyze
than upnpd.

The overall goal is to reverse engineer the firmware format so we can
generate a malicious firmware image to use when exploiting the
SetFirmware SOAP action described in parts 1-4.

Binary patching, emulating with QEMU, and…