Check for HiLink markers:
binwalk -E firmware.bin If the first 1 MB shows high entropy (>0.98) with no known signatures, suspect encryption. encrypted hilink uimage firmware header
If you’ve ever run binwalk on a HiLink firmware update (e.g., from an E3372, B310, or AR series router) and seen only high entropy data with no recognizable UImage magic ( 0x27051956 ), you’ve likely encountered this encrypted header. Check for HiLink markers: binwalk -E firmware
with open("firmware.bin", "rb") as f: enc_header = f.read(4096) The rest of the firmware may be encrypted in blocks
Example decrypted header (hexdump):
If the magic appears, you have the correct key. The rest of the firmware may be encrypted in blocks. Many HiLink images encrypt only the header + first block. The remaining data may be plain or compressed. After decryption, run:
This article explains what it is, how it works, and practical methods to decrypt and analyze it. A normal, unencrypted UImage header (64 bytes) looks like this: