1. Introduction Huawei’s HiLink protocol powers millions of routers, LTE dongles, and IoT gateways. While standard U-Boot images (UImages) use a well-documented header structure ( struct image_header ), recent HiLink firmware variants employ an encrypted header layer —a deliberate obfuscation to prevent third-party firmware modifications, analysis, and repacking.
strings u-boot.bin | grep -i "aes" Look for key arrays in rodata section.
cipher = AES.new(key, AES.MODE_CBC, iv) dec_header = cipher.decrypt(enc_header)
hexdump -C firmware.bin | head -n 20 Look for strings like "HUAWEI" , "HiLink" , or "UPDATE" at offset > 0x1000 (they often appear after the encrypted header). Method A – Static key (older devices) Search U-Boot binary (extracted via JTAG or from a decrypted image):
# Extract first 64+ bytes of encrypted header (adjust count) dd if=firmware.bin of=enc_header.bin bs=1 count=4096 openssl enc -aes-128-cbc -d -K $KEY -iv $IV -in enc_header.bin -out dec_header.bin Verify magic hexdump -C dec_header.bin | head -1 Should see 56 19 05 27
Example decrypted header (hexdump):
