This is what gives NFC a bad name. Samsung decides to ship NFC tags in an effort to promote the fledgling technology. Later it turns out many devices including its own flagship Galaxy S4 can not read these “Tectile” tags. This blog post tries to explain what is going on.
There are three modes an NFC controller can operate in, covered in greater detail in earlier post. For our purposes the relevant one is reader mode. This is when the Android device is attempting to interrogate an NFC-enabled object and read/write data. Because this is a client-server interaction with the phone in charge of driving the protocol, compatibility becomes a function of both sides: controller hardware inside the phone/tablet/laptop and the tag.
Tags and controllers: diversity vs. concentration
When it comes to tags, there is no shortage of variation and diversity. There are four “types” of tags defined by NFC Forum. Within each category, there are multiple offerings with differing capacities and security levels. Android NFC API groups tags by type (A, B, F for Felica, V for proximity which is a slightly different standard and IsoDep for 14443-4) along with dedicated features for special-case handling of Mifare Classic and Ultralight. How many of these are users likely to run into?
- Mifare Classic is the original technology that started it all. To this day it is used for public transit scenarios where subscribers are issued cards for long-term use.
- By contrast disposable paper tickets typically use cheaper Ultralight tags which are type-2 in NFC forum designation.
- Stickers and conference badges are also commonly based on type-2 tags.
- The NFC Ring popularized by a Kickstarter campaign uses type-2 NTAG203 tags.
- Type-3 or Felica is relatively uncommon outside Japan.
- More recently transit systems including Clipper in Bay Area and ORCA in Seattle have deployed DESFire EV1, which is a type-4 tag.
- Credit cards used for tap-and-pay appear as type-4 tags at NFC level.
For all this diversity, it is a very different story on the controller side. Since NFC is a standard much like Bluetooth, in principle anyone can build an NFC controller. One may expect the usual proliferation of hardware with multiple companies getting into the game, creating a market with competing alternatives for an OEM to choose from. In reality Android devices have historically sourced hardware from only two manufacturers:
- NXP: The very first NFC-enabled Android device was the Nexus S released at the end of 2010. This device shipped the PN65N which combined an NFC controller (PN544) along with an embedded secure element from the SmartMX line of secure ICs.
- Broadcom: This is the newcomer, first making its debut with Nexus 4. It was also picked up by the far more popular Samsung Galaxy S4. It also required a change to the NFC stack in the operating system in terms of how libnfc communicates with the NFC controller at low-level.
In principle nothing prevents an enterprising OEM from including an NFC controller from ay other supplier. OEMs do in fact make independent decision about sourcing ancillary components such as the NFC antenna that is typically embedded in the back cover of the phone. But Google has spent a lot of time fine-tuning the low-level NFC stack in Android to play nice with these popular hardware choices. OEMs going off the reservation also become responsible for maintaining necessary tweaks for their chosen brand even as Android itself continues to evolve its own stack.
Then there is the original NFC application that started it all, Mifare Classic. This product predates NFC forum and standardization of the technology but remains very popular for many applications, especially in public-transit systems. As explained in this summary:
Mifare Classic is not an NFC forum compliant tag, although reading and writing of the tag is supported by most of the NFC devices as they ship with an NXP chip.
This contains a hint about what is going on. All other tag types follow standard laid out by NFC forum, Mifare Classic does not. Interfacing with this tag type requires licensing and implementing additional protocols.
That explains why phones equipped with NXP-built PN65N and PN65O controllers have no problem with Classic tags. Broadcom on the other hand, appears to have decided on skipping the feature, perhaps betting on the market moving away from Classic tags to newer options such as DESFire EV1. In the long run this may be a reasonable strategic call. There are plenty of reasons to migrate, including security concerns: Mifare Classic uses a proprietary cryptographic protocol which has been successfully reverse-engineered and broken as early as 2008. In the short term however, Mifare Classic is far from going extinct and users with Broadcom devices are in for an unpleasant surprise.
Bonus: Mifare emulation in secure element
Demonstrating the complex intertwined dependencies in hardware industry, devices such as Nexus 4 can do Mifare Classic emulation. This is not reading an NFC tag– that would be handled by the NFC controller, which as we noted earlier does not support the proprietary Mifare classic protocol. Instead the phone is playing the opposite role and acting as a Mifare Classic tag to external readers. This seems particularly odd considering that card-emulation mode itself is a feature of NFC controller.
The contradiction is resolved by noting that in card-emulation mode the controller is simply acting as pass-through for the communication; it is not the one fielding Mifare Classic commands. The actual target communicating with the external NFC reader is the embedded secure element. On Nexus 4 and similar devices, the controller is built by Broadcom but the attached SE is sourced from well-known French smart-card manufacturer Oberthur instead. That particular hardware does in fact license Mifare Classic protocols and can emulate such tags.
To answer the logical question of why one would want a phone with fully-programmable secure element acting as a primitive NFC sticker: Mifare emulation was used in Google Wallet for offer redemption. For example the user could receive a coupon that is provisioned into the secure element. This would be redeemed during checkout by tapping the NFC terminal at the point-of-sale. Logically two different NFC tags are involved in such a transaction. One of them is the emulated Mifare Classic tag that contains a coupon for that merchant. The other is a type-4 ISO14443 standard “tag” containing EMV-compliant credit card responsible for payment.