Safe to download router firmware over unencrypted HTTP?
Sure - it could be a signed image. If the router has a built-in public key, and the image was signed by the corresponding private key, it would be perfectly safe.
Unless someone had got the private key, and uploaded a malicious version to the server, in which case, HTTPS wouldn't help either.
It is probably safe.
But downloading over https should be preferred if possible.
Without https:
If there is a flaw in the signature mechanism, it can be exploited (example: https://github.com/QubesOS/qubes-issues/issues/2520 )
An attacker can know which firmware/version you install (so if there is known flaws in that firmware/version , it could be exploited)
If the downloaded file is not just the bin file of the firmware but an executable, a modified version couldn't install a rogue firmware, but could still harm the computer
If the downloaded file is not just the bin file of the firmware but contains additional inflammations for the update program (like pre-update script to execute) it could harm the computer
If the update program has flaws (like buffer overflow for invalid bin firmware file), even if the firmware couldn't be installed, it could harm the computer.
If the firmware encryption keys are stolen, https add a significant protection.
An attacker can replace your download by an older official firmware with known flaws: it will pass the signature spec but you will be vulnerable.
Probably there's a digital signature on the firmware and a key on the router. If the update file is tampered somehow, the signature verification will fail and the router will reject the update.
It works, but employing SSL would be better.