Hacking TechLife Pro bulbs

That was cool.

According to https://github.com/alibaba/AliOS-Things/blob/c9074e99fbb7ba5c5ecde2ae38ae30b27a913afe/platform/mcu/rda5981x/tools/ota_pack_image_lzma.py#L7-L21 the header has no CRC (it’s zero). But that’s just an assumption.

And here is some fun:

To instruct the device to download the firmware, send this command over MQTT:

echo -en "\xa9\xf0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf0\xaa" | mosquitto_pub ....

The command is “0xA9 0xF0”

In order to set an IP for an MQTT broker (instead of using cloud .qh-tek.com broker), here is a small Python script which generates the necessary sequence for you. I tried to restart the bulb and did not see DNS requests to their cloud anymore. However, I can’t confirm the new IP address setting will persist for several reboots (just haven’t had time to play with it).
You can run this at e.g. https://pyfiddle.io/ and put the result into your echo command. Please note, the bulb must be connected to an MQTT server (most likely to their cloud) :)

def calcChecksum(stream):
    # XOR bytes 1..13 together and store the result in byte 14
    checksum = 0
    for i in range(1, 14):
        checksum = checksum ^ stream[i]
    stream[14] = checksum & 255

    return bytearray(stream)


def changeIP(ipAddr, port):
    # Template frame: 0xAF command byte first, 0xB0 as the last byte
    Command = bytearray.fromhex("AF 00 00 00 00 00 00 f0 00 00 00 00 00 00 00 b0")
    l = list(Command)
    idx = 1
    # Bytes 1..4: the four octets of the broker IP
    for ip in map(int, ipAddr.split('.')):
        l[idx] = ip
        idx = idx + 1
    # Bytes 5..6: broker port, low byte first
    l[5] = port & 0xff
    l[6] = (port >> 8) & 0xff
    return calcChecksum(l)

print('Change IP payload: \\x' + '\\x'.join(format(x, '02x') for x in changeIP('192.168.1.100', 1883)))
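
An added example, not part of the original post: a decoder for the 16-byte frames above, useful for checking what a captured MQTT payload would tell the bulb to do (for instance, spotting a broker change on your own network). The layout is inferred only from the script and the echo line in the post; the field names `opcode` and `trailer` are labels chosen here, and the second sample frame is constructed with the post's algorithm for 192.168.1.100:1883.

```python
from functools import reduce
from ipaddress import IPv4Address

FRAME_LEN = 16

# The firmware-download frame quoted in the post's echo command.
FIRMWARE_CMD = bytes.fromhex("a9 f0 00 00 00 00 00 00 00 00 00 00 00 00 f0 aa")
# Constructed sample: what the post's changeIP('192.168.1.100', 1883) yields.
CHANGE_BROKER = bytes.fromhex("af c0 a8 01 64 5b 07 f0 00 00 00 00 00 00 a1 b0")


def xor_checksum(frame):
    """XOR of bytes 1..13, the value calcChecksum stores at index 14."""
    return reduce(lambda a, b: a ^ b, frame[1:14], 0)


def decode_frame(frame):
    """Validate a 16-byte frame and decode the fields the post documents."""
    frame = bytes(frame)
    if len(frame) != FRAME_LEN:
        raise ValueError("expected %d bytes, got %d" % (FRAME_LEN, len(frame)))
    info = {
        "opcode": frame[0],    # 0xA9 and 0xAF are the two seen in the post
        "trailer": frame[15],  # 0xAA and 0xB0 in the post's two frames
        "checksum_ok": frame[14] == xor_checksum(frame),
    }
    if frame[0] == 0xAF:
        # Change-broker frame: IP in bytes 1..4, port little-endian in 5..6.
        info["broker_ip"] = str(IPv4Address(frame[1:5]))
        info["broker_port"] = frame[5] | (frame[6] << 8)
    return info


if __name__ == "__main__":
    for name, frame in (("firmware", FIRMWARE_CMD), ("broker", CHANGE_BROKER)):
        print(name, decode_frame(frame))
```

The same XOR checksum also validates the firmware-download frame from the echo line, which suggests both commands share one frame format.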