List of APDU codes

[DavidParticipant]

Hi there!

We just got our ACR35 reader in the mail and we are excited to start hacking away.

I see that the demo app you guys supplied has a default APDU command of 0x0084000008. I can’t find the list of other APDU codes that are commonly supported anywhere on the internet. We are using NTAG203 chips from NXP… Any idea where I can get a list of APDU codes? Any pointers or advice would be so appreciated!

– Dave

[RichardKeymaster]

Hi Dave, let’s start with a little background first. The APDU command-response protocol that most NFC tags conform to is defined by the ISO7816-4 specification. However, in order for you to craft the right commands, you’ll need to review the reference documents from the NFC tags you are attempting to interact with. If I recall correctly you’re using Mifare Ultralight wristbands, so this reference sheet would work. The ACR35 Reference Manual also has some details about Mifare Ultralights. Finally, you should look through the ACR35 User Guide to make sure you have a good feel of how to use their app and device.

Most applications these days can be put together by just using the NFC tag UID as a reference to a record in a backend datastore. It’s not the most secure but for quick and dirty demos, it gets the job done. Assuming that’s you’re goal, this is how you get the ACR35 and accompanying iOS app to work for you:

1) Launch the ACS MobileMate app and connect the ACR35 to the audio jack of your iPhone. Immediately a green LED on the ACR35 should light up. If not your iPhone volume is low or the ACR35 needs to be charged.
2) Select “Explore Contactless Card” from the menu options.
3) Place a tag on the surface of the ACR35 where it has the “NFC” logo (both sides of device work)
4) Tap the “Answer-to-Reset (ATR)” field at the top of the app window. This will pull the tag into reset and get some basic protocol information. This is what I get when reading one of our NFC stickers:

                               Answer-To-Reset (ATR)
Init| T0| TD1| TD2| T1| Tk|  Len |      RID      | Std | Card |  RFU       | TCK
Hdr |   |    |    |   |   |      |               |     | Name |            |   
 3B | 8F| 80 | 01 | 80| 4F|  0C  | A0 00 00 03 06| 03  | 00 03| 00 00 00 00| 68

Worth studying are the following fields:

Len = 0C              // 12 bytes of config data
RID = A0 00 00 03 06  // Registered App Provider Identifier: PC/SC Workgroup
Std = 03              // Standard format: ISO14443A, Part3
Card Name = 00 03     // Mifare Ultralight

Other possibilities for cards include:

00 01 // Mifare 1K
00 02 // Mifare 4k
00 26 // Mifare Mini
F0 04 // Topaz and Jewel 
F0 11 // Felica 212k
F0 12 // Felica 424k 

5) Now that you know what card name you have, you can construct the APDU to request it’s UUID. The Mifare Ultralight has a 7 byte UUID so the Get UID Format should be:

Command  | Class | INS | P1 | P2 | Le
Get Data |   FF  | CA  | 00 | 00 | 00

Response |         UID          | SW1 | SW2
Result   | 04 CC 2F DA C4 29 80 | 90  | 00  // this is my UID

6) You can then validate you’ve read the right UUID by read the same tag with an Android NFC phone running NFC TagInfo and reviewing the Tag Information->UID[7] field value.

Once you have this working, you should be able to use the ACR35 app source code to build a simple app to just grab UIDs from wristbands for you. Also, if you look through the FloJackExample code you can snatch some audio playback code that will route sounds to the iPhone speakers when the ACR35 is plugged in to indicate successful scans. A good feature to make the solution more usable.

Hope that helps.

[Author]

Posts