STFS (Secure Transacted File System) is the file system used by the Xbox 360 for all packages created and downloaded by the system. It is protected using a series of SHA1 hashes and a RSA signature. STFS is commonly found in Xbox 360 Content Packages (XContent), but is not limited to those only as the PEC (Profile Embedded Content) files employ STFS. The two known categories for STFS are read-only and writeable. Read-only content packages are found with a PIRS/LIVE signed header and writeable content packages are console signed (CON).

STFS

The 360 uses packages to transfer saves/content/games/pictures and more. Most packages start with the strings PIRS, LIVE or "CON ", some are even embedded inside gamer profiles (using the PEC format described below). All of these are STFS content packages which hold the real files along with metadata that the dashboard reads like the title, the licenses and the RSA signature which is used to verify the package.

The acronym STFS stands for Secure Transacted File System, which shows how the packages are secure (signature and hashes) and transacted (multiple file / directory revisions)

LIVE and PIRS files come from Xbox Live, these are signed using a private key that only Microsoft has. The console uses a public key which is hardcoded inside it to verify the package and make sure the person is allowed to use it. CON files are created by the console for saves and profiles. The console uses its own private key to sign CON files. Many editors are available for saves and profiles which can be used with no modification to the console.

Throughout an STFS package, there is a series of SHA1 hashes used to verify the package, and help with downloads (if a block isn't valid, it can be redownloaded). The hashes are located at certain parts of the file, a way of calculating where is (will be!) down below.

Volume Descriptor

Content Packages

Header

The magic can be one of the following:

The following is used for Console Signed ("CON ") packages, and is used by the Xbox as the format for signatures generated by it:

and for remotely signed (LIVE/PIRS) packages:

The Package Signature is generated using the value at 0x32C (Content ID/Header SHA1).

Metadata

Version 2

If the Metadata Version field is set to 2, the format is slightly changed:

License Entries

For every entry in the license data field:

Content Types

Transfer Flags

Package Embedded Content (PEC)

When extra security is needed for content which is already using STFS, PEC files may be used to add an extra layer on top. PEC files use the STFS descriptor and algorithms, but has no similarity with content packages.

PEC files are only currently used for avatar items/clothing.

Block 0 starts at 0x3000, and hash table 0 at 0x1000/0x2000.

Header

File Listing

The value at 0x37E (File Table Block Number on the structure above) determines where the file table begins. As it is a block number, you will have to convert it to an offset. Here is some code in C# for converting:

       public static int BlockToOffset(this int block)
       {
           int cluster = 0xc000 + block * 0x1000;
           while (block >= 170)
           {
               block /= 170;
               cluster += (block + 1) * 0x2000;
           }
           return cluster;
       }

Each embedded file starts at a 4096 byte boundary. The optional space between embedded files is filled with null bytes.

The file listing consists of entries which have the format below. The listing ends with an entry consisting of only null bytes.

Byte 0x28 also has two flags: bit 6 and bit 7. The meaning of bit 6 is unknown, bit 7 indicates that the file is a directory.

The path indicator indicates the path of the file. -1 (0xFFFF) means that the file is in the root directory, any other value V refers to the (sub)directory which is listed as the Vth entry in the listing (counting from 0). Directories can nest.

The FAT format is used for the date/time stamps of the files.

Hash Tables / Block Offsets

A block is 0x1000 (4096) bytes and the first block is located at 0xC000. Every 0xAA (170) blocks there is a block that contains a hash of each block and every 0xAA*0xAA (0x70E4) blocks there is another table (presumably hashing the 0xAA table blocks). This means that when using a block number from a file listing you need to account for the hash tables which are not included in the block numbering system. For example block 171 is actually located where you would expect block 172 to reside ((171 + int(171/170)) * 0x1000 + 0xC000).

Files are not always stored in consecutive blocks, you have to find the corresponding hash table record and read the next block number (similar to cluster maps in FAT).

Here is some C# code for converting a block to it's hash table position(it may not work perfectly!):

       public static int BlockToHashPosition(int block)
       {
           int multiplier = 0xAA;
           int res = block / 170;
           if (res != 0)
           {
               multiplier *= res;
           }
           else
               return 0xB000 + (block * 0x18);
           //For the BlockToOffset function, see above.
           int a = BlockToOffset(multiplier) + ((block % multiplier) * 0x18);
           return a - 0x1000;
       }

Tools

An (old) tool (Python 2.5 required) to analyze and extract these archive files is available at extract360.py (2008-08-03, 23056 bytes, MD5 = 3aa517c83d01c618927b78d0ca665d02)

wxPirs 1.1 can extract from LIVE/PIRS files fine, but as it doesn't use hash tables properly it doesn't work well with CON files.

A newer tool was released by DJ Shepherd called Le Fluffie, which can create and extract from CON/LIVE/PIRS files (but it has some problems with creation, some prefer to use XLAST)

XLAST inside the Xbox 360 SDK can create LIVE/PIRS packages, but it is illegal to share it.

A new python library py360 can read STFS files