GamerHonu
Star

Firmware update URL?

Does anyone know the URL that Orbi is using to automatically check for firmware updates? Thanks!

Model: Orbi High-Performance AC3000 Tri-Band WiFi System (RBK50)
Message 1 of 6

Accepted Solutions
rhester72
Virtuoso

Re: Firmware update URL?


@GamerHonu wrote:

Does anyone know the URL that Orbi is using to automatically check for firmware updates? Thanks!


To my enormous surprise, it doesn't use HTTP.  It does a passive anonymous FTP connection to updates1.netgear.com (216.151.177.114) and hits directory "rbr50/us" (which fails).  It then tries again (by disconnecting and reconnecting) and hits directory "rbr50/ww", looking at fileinfo.txt to see if an update is available.  (I'm already updated, so I'm not sure what it does next - the directories and files are hidden.)

 

The content of fileinfo.txt appears to be binary, despite the extension, and contains a _lot_ more data than one would expect for a simple version marker (it's currently 6948 bytes in size and filled with data).

There is a "rbs50/ww" directory as well, which I assume the satellite uses.

You do get a fun scary banner on connect:

230-
230- ---------------------------------------------------------------------------
230- WARNING:  This is a restricted access system.  If you do not have explicit
230-           permission to access this system, please disconnect immediately!
230 ----------------------------------------------------------------------------

I don't know if, as an owner of the device, I have explicit permission to access, but I'm willing to live dangerously.  *laughs*

Note that it will ONLY use unencrypted FTP - there is no HTTP(S) fallback.  If you block port 21 outbound, a firmware update check results in "Service unreachable" on the router...take note, outbound firewall lovers!

(I'd really, REALLY like to see this done in a much more secure way - this method is not only ancient and firewall-unfriendly, it's completely insecure and wide-open to MITM injection attacks.  HTTPS/TLS with certificate validation would be an infinitely better option.)

 

Rodney


Message 2 of 6
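
One way to spot the update check described above in your own network logs, as an added example that is not part of the original posts or NETGEAR's code. The seven-field record layout, the client addresses, the second server (192.0.2.10) and the function name are assumptions; the update server address, directories and file name are the ones reported in the post.

```python
from collections import defaultdict

# Constructed sample of FTP control-channel records, one command per line:
#   time client server port command argument reply-code
# Client addresses and 192.0.2.10 are made up for this example.
SAMPLE_LOG = """
1.0 192.168.1.1 216.151.177.114 21 USER anonymous 331
1.1 192.168.1.1 216.151.177.114 21 PASS - 230
1.2 192.168.1.1 216.151.177.114 21 CWD rbr50/us 550
2.0 192.168.1.1 216.151.177.114 21 USER anonymous 331
2.1 192.168.1.1 216.151.177.114 21 PASS - 230
2.2 192.168.1.1 216.151.177.114 21 CWD rbr50/ww 250
2.3 192.168.1.1 216.151.177.114 21 RETR fileinfo.txt 226
3.0 192.168.1.50 192.0.2.10 21 USER backup 331
3.1 192.168.1.50 192.0.2.10 21 RETR report.csv 226
"""

UPDATE_FILE = "fileinfo.txt"  # metadata file named in the post


def find_cleartext_update_checks(log_text):
    """Flag clients that fetched update metadata over unencrypted anonymous FTP."""
    state = defaultdict(lambda: {"anon": False, "cwd": "", "failed": []})
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # skip blank or malformed records
        _ts, client, server, port, cmd, arg, code = fields
        if port != "21":
            continue  # only the cleartext FTP control port
        s = state[(client, server)]
        if cmd == "USER":
            # A new login means a new connection: reset the working directory.
            s["anon"], s["cwd"] = arg.lower() in ("anonymous", "ftp"), ""
        elif cmd == "CWD":
            if code == "250":
                s["cwd"] = arg
            else:
                s["failed"].append(arg)  # e.g. the region directory that fails
        elif cmd == "RETR" and arg == UPDATE_FILE and code == "226" and s["anon"]:
            findings.append({"client": client, "server": server,
                             "path": f"{s['cwd']}/{arg}".lstrip("/"),
                             "failed_dirs": list(s["failed"])})
    return findings
```

Each finding names a device whose update metadata crossed the network without encryption or server authentication, which is the exposure the post points out.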

GamerHonu
Star

Re: Firmware update URL?

Fantastic information! Thanks a ton! Glad to know someone else was curious and then actually went and figured it out. I know what I need to do now 🙂

Message 3 of 6

Re: Firmware update URL?

hi

TBH I would much rather have the ability to enable/disable the auto update from the GUI. I prefer to not have anyone accessing the GUI without my permission, and I have no issue manually updating from the web site.

pete

Message 4 of 6
GamerHonu
Star

Re: Firmware update URL?


@peteytesting wrote:

hi

TBH I would much rather have the ability to enable/disable the auto update from the GUI. I prefer to not have anyone accessing the GUI without my permission, and I have no issue manually updating from the web site.

pete


I completely agree! I'm a little miffed that there isn't an option to disable auto updates. Even if it's on by default for "most people", there are those that don't like surprises. Always updating to the newest firmware updates isn't always a good thing.

Message 5 of 6
rhester72
Virtuoso

Re: Firmware update URL?

tbh, that's the way of the world with consumer (note: not "prosumer") gear these days - Google OnHub, Wifi and Home, Amazon Echo, eero, et al all do automatic transparent updates.

 

When they work, it's a good thing.  No disrespect to the vendor intended, but I'm not quite sure that Netgear has the experience to move to that model just yet - and certainly not with raw FTP, I hope!

 

Rodney

Message 6 of 6