40 byte header at the start of FIT image

There is a 40 byte header appended to the start of the FIT image of my device. I dumped the partition that contains my kernel image and if I remove the first 40 bytes, "mkimage -l img.bin" works.

Now I want to customize this partition to write a new image to disk, but first I need to figure out this 40 byte header. This was mentioned in the AX9000 router thread too, so I guess that router does it too.

Has anyone attempted to interpret these?

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  17 00 00 00 03 00 00 00 00 00 00 00 28 00 00 44  ............(..D
00000010  FC 25 47 00 FC 0C 47 00 24 0D 47 44 00 01 00 00  ü%G.ü.G.$.GD....
00000020  24 0E 47 44 00 18 00 00 D0 0D FE ED 00 47 0C FC  $.GD....Ð.þí.G.ü
00000030  00 00 00 38 00 47 06 90 00 00 00 28 00 00 00 11  ...8.G.....(....
00000040  00 00 00 10 00 00 00 00 00 00 00 6C 00 47 06 58  ...........l.G.X
00000050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000060  00 00 00 01 00 00 00 00 00 00 00 03 00 00 00 04  ................
00000070  00 00 00 5C 60 66 05 B7 00 00 00 03 00 00 00 29  ...\`f.·.......)
00000080  00 00 00 00 41 52 4D 36 34 20 4F 70 65 6E 57 72  ....ARM64 OpenWr
00000090  74 20 46 49 54 20 28 46 6C 61 74 74 65 6E 65 64  t FIT (Flattened
000000A0  20 49 6D 61 67 65 20 54 72 65 65 29 00 00 00 00   Image Tree)....
000000B0  00 00 00 03 00 00 00 04 00 00 00 0C 00 00 00 01  ................
000000C0  00 00 00 01 69 6D 61 67 65 73 00 00 00 00 00 01  ....images......
000000D0  6B 65 72 6E 65 6C 40 31 00 00 00 00 00 00 00 03  kernel@1........
000000E0  00 00 00 1B 00 00 00 00 41 52 4D 36 34 20 4F 70  ........ARM64 Op
000000F0  65 6E 57 72 74 20 4C 69 6E 75 78 2D 34 2E 34 2E  enWrt Linux-4.4.
00000100  36 30 00 00 00 00 00 03 00 3C DC 20 00 00 00 1B  60.......<Ü ....
00000110  1F 8B 08 08 A9 04 66 60 02 03 49 6D 61 67 65 00  .‹..©.f`..Image.
00000120  EC 5B 0F 70 14 65 96 7F DD 3D 49 86 24 CA 90 49  ì[.p.e–.Ý=I†$Ê.I
00000130  48 C4 E0 CC 24 28 32 A2 58 90 C4 64 F1 48 CF 24  HÄàÌ$(2¢X.ÄdñHÏ$
00000140  9A 14 7F 14 93 59 45 71 37 13 02 C2 5E D8 F2 02  š...“YEq7..Â^Øò.
00000150  AC 22 70 A6 03 9C C7 CA 55 2D 9D B4 85 87 57 66  ¬"p¦.œÇÊU-.´…‡Wf
00000160  12 E4 8A 99 B2 76 B3 48 D4 B9 D5 CD 00 2E A7 AB  .䊙²v³HÔ¹ÕÍ..§«
00000170  77 15 93 1D CA 3A 6F 75 02 EA EE 2D DE 9A F0 47  w.“.Ê:ou.êî-ÞšðG
00000180  D2 2B 30 F7 7B DD 33 24 88 FF B6 EA CA DC D5 CE  Ò+0÷{Ý3$ˆÿ¶êÊÜÕÎ

The prepended 40 bytes part

00000000  17 00 00 00 03 00 00 00 00 00 00 00 28 00 00 44  ............(..D
00000010  FC 25 47 00 FC 0C 47 00 24 0D 47 44 00 01 00 00  ü%G.ü.G.$.GD....
00000020  24 0E 47 44 00 18 00 00                          $.GD....

Here are two dumps of the firmware partition from 2 different firmware versions.

Askey-RT5010W-D187-REV6/Stock Kernel/compare_two_router_images at master · MeisterLone/Askey-RT5010W-D187-REV6 (github.com)

I try to figure it out by comparing FIT images from 2 different firmware versions. There are 0x4 bytes pointing to the FIT image and another 0x4 bytes pointing to CALDATA directly at the back of the FIT image. But then there are some single bytes and unknowns.

Image 1

FIT +28 = end of image (4725FC + 28 = 472624)
CALDATA   = 470CFC + 28 = 470D24 length E6E (ends at 471B92)
CALDATA2? = 4725FC + 28 = 472624 length E96
unk1 = 44470D
unk2 = 44470E
                                                [FIT      ] [CALDATA  ] [] [unk1     ] [      ] [] [unk2     ]
17 00 00 00 03 00 00 00 00 00 00 00 28 00 00 44 FC 25 47 00 FC 0C 47 00 24 0D 47 44 00 01 00 00 24 0E 47 44 00 18 00 00
17 00 00 00 03 00 00 00 00 00 00 00 28 00 00 44 E0 72 47 00 E0 59 47 00 08 5A 47 44 00 01 00 00 08 5B 47 44 00 18 00 00

FIT +28 = end of image (4772E0 + 28 = 477308)   
CALDATA   = 4759E0 + 28 = 475A08 length E6E
CALDATA2? = 4772E0 + 28 = 477308 length E96
unk1 = 44475A
unk2 = 44475B


Image 2

Additional header is only available in international AX9000 firmware:

17 00 00 00 03 00 00 00 00 00 00 00 28 00 00 42 98 15 5E 00 98 FC 5D 00 C0 FC 5D 42 00 01 00 00 C0 FD 5D 42 00 18 00 00

Firmware: https://cdn.awsde0-fusion.fds.api.mi-img.com/xiaoqiang/rom/ra70/miwifi_ra70_firmware_a79cd_3.0.40_INT.bin
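The three 40-byte headers quoted in this thread can be checked against each other by reading them as ten little-endian 32-bit words. The following is an added example, not code from any poster or from the firmware vendors. The field names are an assumption (they follow the 40-byte Qualcomm MBN image header layout, which the thread does not mention); the header bytes and the first 8 bytes of the FIT are copied from the dumps above.

```python
import struct

HDR_LEN = 0x28          # 40-byte header in front of the FIT
FDT_MAGIC = 0xD00DFEED  # big-endian magic at the start of a FIT / device tree

# Assumed field names (MBN-style layout); the thread only labels two of them.
FIELDS = ("image_id", "version", "src", "dest_ptr", "image_size", "code_size",
          "sig_ptr", "sig_size", "cert_ptr", "cert_size")

# Header bytes as posted in the thread.
SAMPLES = {
    "askey_1": "17000000 03000000 00000000 28000044 FC254700 FC0C4700 "
               "240D4744 00010000 240E4744 00180000",
    "askey_2": "17000000 03000000 00000000 28000044 E0724700 E0594700 "
               "085A4744 00010000 085B4744 00180000",
    "ax9000_int": "17000000 03000000 00000000 28000042 98155E00 98FC5D00 "
                  "C0FC5D42 00010000 C0FD5D42 00180000",
}
# First 8 bytes of the FIT behind the askey_1 header (offset 0x28 in the dump).
ASKEY_1_FIT_START = bytes.fromhex("D00DFEED00470CFC")

def parse_header(raw: bytes) -> dict:
    """Split the 40-byte header into ten little-endian 32-bit fields."""
    if len(raw) < HDR_LEN:
        raise ValueError("truncated header")
    return dict(zip(FIELDS, struct.unpack("<10I", raw[:HDR_LEN])))

def check_header(h: dict) -> list:
    """Return the relations that do NOT hold; an empty list means consistent."""
    problems = []
    if h["sig_ptr"] != h["dest_ptr"] + h["code_size"]:
        problems.append("sig_ptr != dest_ptr + code_size")
    if h["cert_ptr"] != h["sig_ptr"] + h["sig_size"]:
        problems.append("cert_ptr != sig_ptr + sig_size")
    if h["image_size"] != h["code_size"] + h["sig_size"] + h["cert_size"]:
        problems.append("image_size != code_size + sig_size + cert_size")
    return problems

def fit_matches(h: dict, fit_start: bytes) -> bool:
    """Compare code_size with the big-endian totalsize in the FIT header."""
    magic, totalsize = struct.unpack(">II", fit_start[:8])
    return magic == FDT_MAGIC and totalsize == h["code_size"]

if __name__ == "__main__":
    for name, hexstr in SAMPLES.items():
        h = parse_header(bytes.fromhex(hexstr))
        print(name, {k: hex(v) for k, v in h.items()},
              check_header(h) or "consistent")
```

If the 0x100 and 0x1800 byte regions behind the FIT are a signature and certificate chain, as the assumed field names suggest, the bootloader may verify them, so confirm that before writing a modified image to the partition.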