author Holger Hans Peter Freyther <holger@moiji-mobile.com> 2016-12-17 18:12:41 +0100
committer Holger Hans Peter Freyther <holger@moiji-mobile.com> 2016-12-17 18:50:08 +0100
commit e680aea708d8979a55a427f94aa2a615192476a9
tree f54b7510c17aca4ddb1393f9b43fe8df35417c28
parent 636fe4eab93b6baf56e0e3e38f181de2171e2651
Further document the format and produce a rogue system update

* Truncate filesize to 20 bytes in hacked.toc (001b? IIRC)
* Add various 0x00 as well.. first 0x80... gets turned into the compressed length but that fails.. needs to be bigger than 0x2000 to succeed.
* LZMA size and trailer overlap.. I was too lazy to add/deal with padding so kept it short.. can be fixed...
* Modified path for /etc/rc2.d.. to extract new script

We seem lucky with file permissions.. that it is somehow executable even if SetFileAttributes is not set...

-rw-r--r-- update-ec20/README.ascii 12
-rwxr-xr-x update-ec20/data/hacked.toc bin 0 -> 5097 bytes
-rwxr-xr-x update-ec20/data/hacked_system_diff_no_diff.diff bin 0 -> 9515 bytes
3 files changed, 11 insertions, 1 deletions
diff --git a/update-ec20/README.ascii b/update-ec20/README.ascii
index eee0cea..636acdb 100644
--- a/update-ec20/README.ascii
+++ b/update-ec20/README.ascii
@@ -11,7 +11,17 @@ compressed update. The size of that area seems to be computed
as:
8 * num_diffs (maybe two CRC32?)
4 * num_insert (maybe a single CRC32)?
- followed by lzma
+ followed by lzma... TOC of size compress_sz
+ LZMA again.. depends on the TOC.. delta_pos contains addr
+
+
+LZMA needs to be compressed in 'alone' format and needs to have
+the decompressed size in the header! 0xFF... leads to parse error
+xz -F alone demo.sh
+
+LZMA: https://github.com/nobled/xz/commit/7d17818cec8597f847b0a2537fde991bbc3d9e96
+removed uncompressed_size support. So an plder version is needed..
+or use the original lzma SDK
0x0000d084 in is_expected_sig ()
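Review bot: The added LZMA paragraph says an older xz is needed ("So an plder version is needed..") but names no version or SDK release that still writes the decompressed size into the header, so `xz -F alone demo.sh` as written cannot be reproduced from the README alone; record the xz or lzma SDK version that was actually used. "plder" should read "older". The two added lines about the TOC ("followed by lzma... TOC of size compress_sz" and "LZMA again.. depends on the TOC.. delta_pos contains addr") introduce compress_sz and delta_pos without saying which structure they belong to or what their widths are, unlike the "8 * num_diffs" and "4 * num_insert" lines above them; a short field list would make the layout checkable. The command line would also read better indented or otherwise marked as a command, since it currently runs into the surrounding prose.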
diff --git a/update-ec20/data/hacked.toc b/update-ec20/data/hacked.toc
new file mode 100755
index 0000000..aa9cd6e
--- /dev/null
+++ b/update-ec20/data/hacked.toc
Binary files differ
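Review bot: `new file mode 100755` marks hacked.toc, a binary data file, as executable. Unless something runs it directly, commit it as 100644 so the mode does not suggest it is a script.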
diff --git a/update-ec20/data/hacked_system_diff_no_diff.diff b/update-ec20/data/hacked_system_diff_no_diff.diff
new file mode 100755
index 0000000..1ea739a
--- /dev/null
+++ b/update-ec20/data/hacked_system_diff_no_diff.diff
Binary files differ
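Review bot: hacked_system_diff_no_diff.diff is added as an opaque binary, and the README.ascii hunk in this commit mentions neither it nor hacked.toc by name. Add a line to the README saying which part of the documented format each file holds and how it was generated, so the sample can be regenerated and compared against the described layout. The commit message notes that the LZMA size and trailer overlap because padding was skipped; that limitation belongs in the README next to the file as well.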