As announced on PacketStormSecurity, Luca Hall of Grid32 has written an article on Cisco IOS rootkits:
Writing Cisco IOS Rootkits
This paper is about the work involved in modifying firmware images with the test case focused on Cisco IOS. It will show how it is a common misconception that doing such a thing involves advanced knowledge or nation state level resources. I think that one of the main reasons people think it’s so difficult is because there are no commonly known papers or tutorials that walk the reader through the entire process or give all the resources necessary in order to end the paper with a working rootkit. This paper will change that. This paper will provide sound methodologies, show how to approach the subject, and walk the reader through the entire process while providing the necessary knowledge so that by the end of the paper, if the reader is to follow it completely through, they will have a basic but functional firmware rootkit.
PDF is here:
https://packetstormsecurity.com/files/133917/Writing-Cisco-IOS-Rootkits.html
Firmware Security 