Skip to main content

Huawei S7721u Recovery Image Verify Failed Repack | PREMIUM |

This is a technical advisory paper regarding the resolution of the "verify failed" error encountered when flashing a repacked recovery image on Huawei S7721U series switches (and similar EdgeCore rebadges).

Technical Advisory: Resolving Recovery Image Verification Failures on Huawei S7721U Device: Huawei S7721U (and derivative OEM models) Component: U-Boot / Recovery Partition Error: Recovery image verify failed or Signature check failed 1. Executive Summary When attempting to restore a Huawei S7721U switch using a modified or "repacked" recovery image (typically via TFTP or the Bootloader menu), the device halts the process reporting a verification failure. This is a security mechanism designed to prevent the execution of unauthorized firmware. This paper outlines the root cause of the verification check and provides the specific methodologies required to successfully flash a repacked image. 2. Technical Root Cause The Huawei S7721U utilizes a secure boot chain (often based on U-Boot). The "verify failed" error occurs because the bootloader performs a checksum validation against a stored hash or digital signature. If you have "repacked" the image (e.g., extracted the filesystem, modified files, and repacked it), the internal checksums (MD5/SHA256) within the image header no longer match the actual file content. There are two distinct scenarios for this failure:

Header Mismatch: The file was modified, but the header checksum was not updated. Secure Boot (RSA/Signature): The device requires a cryptographic signature. Since you do not possess Huawei's private key, a modified image will always fail this check unless Secure Boot is bypassed.

3. Methodology A: Correcting the Header Checksum (The "Repack" Fix) If the device is checking a plaintext hash (common in non-secure-boot models or specific partition updates), you must update the image header after modifying the file. Tools Required: huawei s7721u recovery image verify failed repack

Linux environment (WSL or VM) binwalk (for extraction) imgrepacker or mkimage (for reconstruction) Hex Editor

Procedure:

Analyze the Stock Image: Use binwalk -e original_image.bin to extract the kernel and rootfs. Modify Files: Apply your necessary modifications to the rootfs (e.g., squashfs-root ). Repack: This is a technical advisory paper regarding the

Rebuild the squashfs filesystem: mksquashfs squashfs-root rootfs.bin -b 4096 -comp xz Combine Kernel and Rootfs.

Update Header (Critical Step): Many Huawei images use a specific header format. You must calculate the SHA256/MD5 of the newly packed data and insert it into the specific offset in the file header.

Note: If you simply repack the file without updating the header offset, U-Boot will read the old hash from the header, compare it to the new file data, and fail. This is a security mechanism designed to prevent

4. Methodology B: Bypassing U-Boot Verification (The "Env" Fix) If the device enforces a strict check that you cannot bypass by re-hashing, you must attempt to disable the verification flag in the U-Boot environment variables. Procedure:

Connect to the Console port (Putty/TeraTerm, 9600/115200 baud). Reboot the switch and interrupt the boot process by pressing a key (often Ctrl+B or Esc ) to enter the U-Boot CLI . Check the current boot arguments: printenv