0
votes

In our project we are trying to emulate an ISO14443-3 PICC with an ACS ACR122U NFC reader and read that card with NFC phones (Samsung S3 or S4). In the case of the S4 we can successfully communicate with the emulated card, but in the case of the S3 there is no NFC event.

We noted all commands/responses and logs from Android (logcat), which indicate that the S3 cannot activate LLCP communication. I am posting all the data we have; please help us resolve the issue.

COMMAND/RESPONSE to ACR122u (PN532 controller in reader):

COMMAND:FF0000002DD48C0400000000002001FE0FBBBAA6C9890000000000000000FFFF01FE0FBBBAA6C98900000647666D01011000
RESPONSE:D58D08E080

COMMAND:FF00000002D486
RESPONSE:D5870000A4040007D276000085010100

COMMAND:FF00000004D48E6A82
RESPONSE:D58F00

COMMAND:FF00000002D486
RESPONSE:D5870000A4040007D2760000850100

COMMAND:FF00000004D48E6A82
RESPONSE:D58F00

COMMAND:FF00000002D486
RESPONSE:D5870000A4040C05A00000000100 (Data we want to send to emulated card from NFC phone)

Response D58D08E080 indicates the card reader is emulated as:

  • ISO/IEC 14443-4 PICC --> YES
  • DEP --> NO
  • FRAMING TYPE --> Mifare

Now when we put the S4 over the reader we have the following log:

02-10 10:23:13.711: I/BrcmNci(3355): --
02-10 10:23:13.711: I/BrcmNci(3355): TX: Type 4 Tag Command (13 bytes)
02-10 10:23:13.711: I/BrcmNci(3355): CLA:0x00
02-10 10:23:13.711: I/BrcmNci(3355): INS:0xA4(Select)
02-10 10:23:13.711: I/BrcmNci(3355): P1:0x04(Name)
02-10 10:23:13.711: I/BrcmNci(3355): P2:0x00(First or Only)
02-10 10:23:13.711: I/BrcmNci(3355): Lc:0x07(7)
02-10 10:23:13.711: I/BrcmNci(3355): Data(7 bytes)
02-10 10:23:13.711: E/AudioResampler(2497): Unsupported sample format, 1 bits, 2 channels
02-10 10:23:13.716: I/BrcmNci(3355): 00 : d2 76 00 00 85 01 01
02-10 10:23:13.716: I/BrcmNci(3355): Le:0x00(0)
02-10 10:23:13.716: I/BrcmNci(3355): --
02-10 10:23:13.716: I/AudioHardwareTinyALSA(2497): AudioStreamOutALSA::write setDevice

02-10 10:23:13.741: I/BrcmNci(3355): --
02-10 10:23:13.741: I/BrcmNci(3355): RX: Type 4 Tag Response (2 bytes)
02-10 10:23:13.746: I/BrcmNci(3355): SW:0x6A82(Not Found)
02-10 10:23:13.746: I/BrcmNci(3355): --
02-10 10:23:13.746: I/BrcmNci(3355): --
02-10 10:23:13.746: I/BrcmNci(3355): TX: Type 4 Tag Command (12 bytes)
02-10 10:23:13.746: I/BrcmNci(3355): CLA:0x00
02-10 10:23:13.746: I/BrcmNci(3355): INS:0xA4(Select)
02-10 10:23:13.746: I/BrcmNci(3355): P1:0x04(Name)
02-10 10:23:13.746: I/BrcmNci(3355): P2:0x00(First or Only)
02-10 10:23:13.746: I/BrcmNci(3355): Lc:0x07(7)
02-10 10:23:13.746: I/BrcmNci(3355): Data(7 bytes)
02-10 10:23:13.746: I/BrcmNci(3355): 00 : d2 76 00 00 85 01 00
02-10 10:23:13.746: I/BrcmNci(3355): --
02-10 10:23:13.786: I/BrcmNci(3355): --
02-10 10:23:13.786: I/BrcmNci(3355): RX: Type 4 Tag Response (2 bytes)
02-10 10:23:13.786: I/BrcmNci(3355): SW:0x6A82(Not Found)
02-10 10:23:13.786: I/BrcmNci(3355): --

02-10 10:23:14.996: I/BrcmNci(3355): --
02-10 10:23:14.996: I/BrcmNci(3355): RX: Type 4 Tag Response (2 bytes)
02-10 10:23:14.996: I/BrcmNci(3355): SW:0x9000(Command Completed)
02-10 10:23:14.996: I/BrcmNci(3355): --

But in case we try to use the S3, we get only this log:

01-07 03:16:47.555: D/NFCJNI(2694): Discovered P2P Target
01-07 03:16:47.555: D/NfcService(2694): LLCP Activation message
01-07 03:16:48.880: D/NFCJNI(2694): Discovered P2P Target
01-07 03:16:48.885: D/NfcService(2694): LLCP Activation message
01-07 03:16:51.860: D/NFCJNI(2694): Discovered P2P Target
01-07 03:16:51.860: D/NfcService(2694): LLCP Activation message
01-07 03:16:53.185: D/NFCJNI(2694): Discovered P2P Target
01-07 03:16:53.185: D/NfcService(2694): LLCP Activation message
01-07 03:16:58.870: D/NFCJNI(2694): Discovered P2P Target
01-07 03:16:58.870: D/NfcService(2694): LLCP Activation message

And no Android app registered for any NFC event is woken up. It seems there is some compatibility issue between the S3 and the card reader or some NFC implementation issue with the S3.

Can you please let us know why there is that communication difference between the two phones when both have the same OS version (i.e. Android 4.3)? Why doesn't the S3 get beyond "LLCP Activation message"?

System information of both phones we are using can be found here


1 Answers

0
votes

If you only want to use ISO-DEP card emulation, you might want to correctly register your ACR122U NFC device for passive ISO 14443-4 PICC emulation.

Currently you use the TgInitAsTarget command as follows:

D4 8C (TgInitAsTarget)
  04 (Mode = PICC only)
  0000 (ATQA/SENS_RES = invalid)
  000000 (NFCID1t/UID = 0x80000000)
  20 (SAK/SEL_RES = ISO 14443-4 supported)
  01FE0FBBBAA6C9890000000000000000FFFF (FeliCaParams)
  01FE0FBBBAA6C9890000 (NFCID3t)
  06 47666D010110 (6 ATR_RES general bytes)
  00 (0 historical bytes)

However, as you don't want to use NFC-DEP mode/FeliCa mode, you definitely want to set the FeliCa params, the NFCID3t and the ATR_RES general bytes to zero. Moreover, you would want to set a more useful UID value and a valid ATQA (one that has at least one of the bit frame anticollision bits set). I'm not sure if that's necessary, but I suggest that you also set the passive mode flag.

D4 8C (TgInitAsTarget)
  05 (Mode = PICC only | passive mode only)
  0400 (ATQA/SENS_RES)
  012345 (NFCID1t/UID)
  20 (SAK/SEL_RES = ISO 14443-4 supported)
  000000000000000000000000000000000000 (FeliCaParams)
  00000000000000000000 (NFCID3t)
  00 (no ATR_RES general bytes)
  00 (no historical bytes)

Moreover, you might want to set additional configuration registers on some ACR122U devices. See this answer for more information.
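
Added example (not part of the original question or answer): a small Python helper that splits the posted `FF 00 00 00 Lc`-wrapped TgInitAsTarget command into the fields listed in the answer, flags the points the answer raises, and builds the suggested replacement. The function names are hypothetical, and the check on the ATQA assumes the bit frame anticollision bits are the low five bits of the first SENS_RES byte.

```python
# Added example; field sizes and flag values follow the answer's breakdown.
FIELDS = [("mode", 1), ("sens_res", 2), ("nfcid1t", 3), ("sel_res", 1),
          ("felica_params", 18), ("nfcid3t", 10)]
WRAPPER = bytes.fromhex("FF000000")  # ACR122U prefix seen in the posted commands

def parse_tg_init(apdu_hex):
    """Split an FF 00 00 00 Lc-wrapped TgInitAsTarget (D4 8C) into named fields."""
    raw = bytes.fromhex(apdu_hex)
    if len(raw) < 7 or raw[:4] != WRAPPER or raw[4] != len(raw) - 5:
        raise ValueError("bad wrapper or Lc does not match payload length")
    body = raw[5:]
    if body[:2] != b"\xD4\x8C":
        raise ValueError("payload is not TgInitAsTarget")
    out, pos = {}, 2
    for name, size in FIELDS:
        out[name], pos = body[pos:pos + size], pos + size
    for name in ("general_bytes", "historical_bytes"):  # length-prefixed tails
        if pos >= len(body):
            raise ValueError("truncated payload")
        n = body[pos]
        out[name], pos = body[pos + 1:pos + 1 + n], pos + 1 + n
    if pos != len(body):
        raise ValueError("length bytes disagree with payload size")
    return out

def build_tg_init(mode, sens_res, nfcid1t, sel_res, felica=bytes(18),
                  nfcid3t=bytes(10), gt=b"", tk=b""):
    """Assemble the wrapped command; FeliCa/NFC-DEP fields default to zero."""
    body = (b"\xD4\x8C" + bytes([mode]) + sens_res + nfcid1t + bytes([sel_res])
            + felica + nfcid3t + bytes([len(gt)]) + gt + bytes([len(tk)]) + tk)
    return (WRAPPER + bytes([len(body)]) + body).hex().upper()

def review(f):
    """List the answer's concerns that apply to a parsed command."""
    notes = []
    if not f["mode"][0] & 0x01:
        notes.append("passive mode flag not set")
    # Assumption: anticollision bits are the low five bits of the first ATQA byte.
    if not f["sens_res"][0] & 0x1F:
        notes.append("ATQA has no bit frame anticollision bit set")
    if not any(f["nfcid1t"]):
        notes.append("UID bytes are all zero")
    if any(f["felica_params"]) or any(f["nfcid3t"]) or f["general_bytes"]:
        notes.append("FeliCa/NFC-DEP fields are populated")
    return notes

POSTED = ("FF0000002DD48C0400000000002001FE0FBBBAA6C9890000000000000000"
          "FFFF01FE0FBBBAA6C98900000647666D01011000")  # command from the question
SUGGESTED = build_tg_init(0x05, bytes.fromhex("0400"), bytes.fromhex("012345"), 0x20)
```

`review(parse_tg_init(POSTED))` returns all four notes for the command in the question, while `SUGGESTED` parses cleanly with none.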