arduino-pn532 / NFC Forum Type 4 tags

NFC Forum Type 4 tag

NFC tags that follow the NFC Forum Type 4 specification use a somewhat more complex communication protocol.

The communication protocol consists of C-APDU and R-APDU messages.

C-APDU messages are commands, which are sent from the NFC reader/writer to the NFC tag. They are at least 4 bytes long, but sometimes longer.

R-APDU messages are responses to C-APDU messages, and they are at least 2 bytes long.

For reading and writing, you need to know 4 different C-APDU messages:

  • Select NDEF Tag application
  • Select File
  • Read Binary
  • Update Binary

The functions/procedures in PN532 are:

function PN532_NFC_Forum_Type_4_Select_Application return Boolean;

function PN532_NFC_Forum_Type_4_Select_File
  (File_ID : Interfaces.Unsigned_16) return Boolean;

procedure PN532_NFC_Forum_Type_4_Read_Binary
  (Offset     : Interfaces.Unsigned_16;
   Buf        : out PN532_Buf;
   Byte_Count : out Interfaces.Unsigned_8;
   Status     : out Boolean);

procedure PN532_NFC_Forum_Type_4_Update_Binary
  (Offset : Interfaces.Unsigned_16;
   Buf    : PN532_Buf;
   Status : out Boolean);

The "Select NDEF Tag Application" message is sent first. If it succeeds, you are talking with an NFC Forum Type 4 tag.

The command is quite long:

01 02 03 04 05 06 07 08 09 10 11 12 13
00 A4 04 00 07 D2 76 00 00 85 01 01 00

The meaning of the bytes:

Position  Description                    Value
01        Class                          00
02        Instruction                    A4
03        Param 1                        04
04        Param 2                        00
05        Length (Lc)                    07
06..12    Application name               ...
13        Expected response length (Le)  00

As a reply (R-APDU) you should get 2 bytes:

90 00

This code means that the C-APDU message was accepted.

Reading NFC Forum Type 4 tag

Once the "Select NDEF Tag Application" message is sent, you need to read the capability container (CC). This happens by first sending a "Select File" message with the "CC" parameter and then sending a "Read Binary" message.

"Select File" for CC is:

01 02 03 04 05 06 07
00 A4 00 0C 02 E1 03

And the meanings are:

Position  Description                   Value
01        Class                         00
02        Instruction                   A4
03        Param 1 (00 = Select by ID)   00
04        Param 2 (0C = First only)     0C
05        Length (Lc)                   02
06..07    Capability container ID       E103

Notice how the instruction byte is the same as in the "Select NDEF Tag Application" message. The select commands can be told apart by their parameter bytes, which are different.

Again, if the command was accepted, you get bytes 90h and 00h back.

On NFC Forum Type 4 cards, the capability container is 15 (0Fh) bytes long and you can get the contents using the "Read Binary" C-APDU:

01 02 03 04 05
00 B0 00 00 0F

As a reply, you should get 15+2 (17) bytes:

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17
00 0F 20 00 3B 00 34 04 06 E1 04 00 32 00 00 90 00

The last two bytes are the status code (90h 00h) and the first 15 bytes are the contents of the capability container.

The bytes at positions 10 and 11 (E1h 04h) give the ID of the NDEF message file. Other interesting bytes are at positions 12 and 13. They give the maximum NDEF message size (0032h).

Once you know the ID of the NDEF message file, you can select it using the "Select File" command and then read the contents with the "Read Binary" command.

The select command for the NDEF file is very similar to the select for the CC:

01 02 03 04 05 06 07
00 A4 00 0C 02 E1 04

And the meanings are:

Position  Description                   Value
01        Class                         00
02        Instruction                   A4
03        Param 1 (00 = Select by ID)   00
04        Param 2 (0C = First only)     0C
05        Length (Lc)                   02
06..07    NDEF message ID               E104

Note: For your NFC tags, the ID might be something other than E104. It is best to get the ID from the capability container instead of using a hardcoded value.

After selecting the NDEF file, you can read the contents using "Read Binary":

01 02 03 04 05
00 B0 00 00 02

The above command asks for 2 bytes from the NDEF file, starting from the beginning (offset 00 00, bytes at positions 03 and 04).

These first two bytes will give you the length of the rest of the NDEF file.

For example, the response can be:

01 02 03 04
00 30 90 00

This means that there are 48 bytes of NDEF data. So, you can call "Read Binary" again:

01 02 03 04 05
00 B0 00 02 30

This time you want 48 (30h) bytes from offset 02h.

The bytes you get will contain a normal NDEF message. NFC Forum Type 4 tags don't have the TLV block structure that NFC Forum Type 2 tags have.
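As an added example (not part of the arduino-pn532 code, which is Ada), the C sketch below runs the reading steps above on the sample replies from this page while treating every tag reply as untrusted: it checks the reply length and the 90 00 status, takes the NDEF file ID and maximum size from the CC, and rejects an NLEN larger than that size before building the next "Read Binary". The function names, and the rule that the CC size covers the two NLEN bytes as well as the message, are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Replies copied from this page's examples (CC read, then NLEN read). */
static const uint8_t CC_REPLY[17] = {0x00,0x0F,0x20,0x00,0x3B,0x00,0x34,0x04,0x06,
                                     0xE1,0x04,0x00,0x32,0x00,0x00,0x90,0x00};
static const uint8_t NLEN_REPLY[4] = {0x00,0x30,0x90,0x00};

typedef struct { uint16_t ndef_file_id, max_ndef_size; } cc_info;
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* 1 if the R-APDU is exactly `want` (>= 2) bytes and ends in status 90 00. */
static int rapdu_ok(const uint8_t *r, size_t len, size_t want) {
    return len == want && r[len - 2] == 0x90 && r[len - 1] == 0x00;
}

/* Parse the 15+2 byte reply to Read Binary on the CC file; 0 on success. */
int parse_cc(const uint8_t *r, size_t len, cc_info *out) {
    if (!rapdu_ok(r, len, 17)) return -1;
    out->ndef_file_id  = be16(r + 9);   /* positions 10..11 */
    out->max_ndef_size = be16(r + 11);  /* positions 12..13 */
    return out->max_ndef_size >= 2 ? 0 : -1;  /* must at least hold NLEN */
}

/* Check the 2+2 byte NLEN reply against the CC; returns NLEN or -1. */
int checked_nlen(const uint8_t *r, size_t len, const cc_info *cc) {
    if (!rapdu_ok(r, len, 4)) return -1;
    uint16_t nlen = be16(r);
    /* Assumption: the CC size covers the 2 NLEN bytes plus the message. */
    if ((uint32_t)nlen + 2 > cc->max_ndef_size) return -1;
    return nlen <= 0xFF ? nlen : -1;  /* this example does one short read only */
}

/* Build Read Binary: 00 B0 offset-hi offset-lo count; 0 on success. */
int build_read_binary(uint16_t offset, int count, uint8_t cmd[5]) {
    if (count < 1 || count > 0xFF) return -1;
    cmd[0] = 0x00; cmd[1] = 0xB0; cmd[4] = (uint8_t)count;
    cmd[2] = (uint8_t)(offset >> 8); cmd[3] = (uint8_t)(offset & 0xFF);
    return 0;
}

int main(void) {
    cc_info cc; uint8_t cmd[5];
    if (parse_cc(CC_REPLY, sizeof CC_REPLY, &cc) != 0) return 1;
    int n = checked_nlen(NLEN_REPLY, sizeof NLEN_REPLY, &cc);
    if (n < 0 || build_read_binary(2, n, cmd) != 0) return 1;
    printf("NDEF file %04X, body %d bytes\n", (unsigned)cc.ndef_file_id, n);
    return 0;
}
```

A caller that copies the NDEF body into a fixed buffer should size the copy from the validated value returned by `checked_nlen`, not from the raw bytes the tag sent.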

Writing to NFC Forum Type 4 tag

When writing to a Type 4 NFC tag, the initial commands are the same as for reading. But instead of calling "Read Binary" for the NDEF file, you call "Update Binary" and send the NDEF file contents.

Example:

00 D6 00 00 05 00 03 D0 00 00

The class is again 00h, the instruction for "Update Binary" is D6h, then come two offset bytes (00h 00h), the length of the new content (05h), and the remaining 5 bytes are the real content.

The content needs to have NLEN as its first two bytes (00h 03h). The actual NDEF message is 3 bytes, D0h 00h 00h, which means an empty message.
