"ar" format basics:

The ar format is not properly standardized. And there are at least two common variations in it. Also, there are some complex features in it (extended filenames, for example), but luckily we can safely ignore those for our purposes. All we need is the basics.

If you want a deeper understanding, [url=https://en.wikipedia.org/wiki/Ar_(Unix)]Wikipedia[/code] has a pretty good summary (that's where I learned enough to implement this in fkdep last year), but I will cover the details needed for this here:

The file has a header that looks like this (note that there must be a newline character at the end (not really 'shown' here)):
After that each file is basically concatenated into the ar file with some metadata and padding.

"ar" file records:

First, there is a small sub-header for each file. This is basically basic file information (normally we think of this as being inherently linked to the file, but remember the file is just a chunk of data - it's name, ownership, permissions, etc, are actually stored separately on filesystems, so when we're building the 'ar' file from scratch like this we have to manually include it ourselves.

Each field of the subheader has a fixed size, and the various numerical fields are in plaintext (as opposed to binary), mostly base 10, but the mode bits are in base 8, and is padded with trailing spaces up to that size. The fields (and their lengths), followed by the values we want for this use, are:
filename (16 bytes): just the name of the file
Unix timestamp (12 byes): doesn't matter what this is - it's supposed to represent when the file was last modified, which is useful when you're actually archiving files, but for our purposes it doesn't matter when the file looks like it was made. I use the time when we start building the .deb, just because that's more or less 'honest'/accurate.
ID of the user that "owns" the file (6 bytes): "root" user, aka "0" (this is the standard in all .deb files I've ever seen - I don't know/think that it matters what this is, but no point in deviating without a good reason to, I think.)
ID of the group that "owns" the file (6 bytes): "root" group, aka "0" (same reasoning as the ID of the user)
standard UNIX filesystem permission/mode/attribute bits (8 bytes): I set this to 100644, because again, this is what I've seen all .deb files I've inspected.
Size of the file (10 byes): We want this to accurately reflect the size of the file, in bytes, otherwise we'll be making a garbage 'ar' file.

This command composes and appends the entire file subheader string into the deb file we're creating:
Note that the subheader ends with a " ` " character followed by a newline. This is just another 'magic' string/byte-sequence, like the main header: The people who made the file format basically decreed "and lo, thou shalt end the sub-header for each file with the byte sequence 0x60 0x0A" back in the day, and so it is.

After the file's header, the ar file has a strict binary copy of the file, so we just concatenate the contents of the file with the .deb we're making.

Finally, the specification requires that every file record starts on an even byte number, so we check that the SIZE in bytes is odd (SIZE modulo 2 = 1) and if so, then we append one more newline to the file.
So we repeat that for each file that goes in the final ar : debian-binary, control.tar.gz, data.tar.gz.

Once that's done, hard part's over: We've kludged together a .deb file, all from on-board our stock N900.

We finish up by deleting all the intermediate files, and then invoking the dbus command interface provided by HAM to tell HAM to install the shiny new .deb we've made for it. Like so:
Alternatively, you can move the file into /home/user/MyDocs, find it in your file manager (it should have a thin red swirl on a white circle icon - a variation on the Debian logo) and click on it - the file manager will do the same thing to tell HAM to install it behind the scenes.

I recommend deleting your temporary folder and whatever files are left afterwords, but if you're like me and put it in /tmp, then it will be cleared out when you next reboot your phone.

And there you go. We've gained root access on a stock N900 without having to use anything external. Really the only 'hard' part is figuring out the 'ar' format and manually assembling the 'ar'/.deb file.