Search code examples
nfcrfidndef

NFC tag user memory binary

I'm trying to read NDEF records out of some NTAG213 & NTAG216 NFC tags, and I seem to be getting some extra bytes in the user memory i'm not expecting.

Based on the spec, the user memory should start from block 4, but when I read from the NTAG213 tags, i see 7 extra bytes before the NDEF record start, and 2 extra bytes for the NTAG216 tags.

Here's the example of the NTAG213 memory:

01| 04 ae f4 d6 
02| 0a d7 49 80 
03| 14 48 00 00 
04| e1 10 6d 00
05| 03 db 91 01 <-- NDEF starts at 91?
06| 1a 54 02 65 
07| 6e 43 4f 43 
08| 4f 4e 55 54 
09| 20 42 4f 44 
10| 59 20 4d 49
11| ...

The NDEF record appears to start with the header byte (91) in block 05, rather than the start on block 04.

Does anyone know what the extra bytes are for, or how I can tell what the offset should be for reading back just the NDEF data?

The bytes look a bit like some of the "Memory content at delivery". But i'm not sure what the purpose is.

Solution

  • Storage of NDEF data on Type 2 Tags is defined by the NFC Forum Type 2 tag specification. This specification defines that the first four byte of the user memory (fourth page) describe the NDEF capabilities of the tag and that the following bytes contain a sequence of Type-Length-Value (TLV) constructs, one of those (T=3) is the NDEF Message TLV that contains the actual NDEF data. Other TLV's describe memory locations that contain tag specific data like lock bytes and must be skipped when reading or writing NDEF data.

    Your example content is an NTAG216 (not NTAG213).

    The content of the fourth page is a magic byte (0xE1) that indicates NDEF format, followed by the NDEF mapping version (0x10 => Version 1.0), followed by the raw tag capacity in multiples of 8 (0x6D * 8 == 872 byte user data), followed by the read/write permissions (0x00 => readable and writable w/o restrictions).

    The fifth page starts with the NDEF TLV Type (0x03 => NDEF message), followed by the TLV Length (0xDB == 219 byte) which gives the TLV Value field size. The bytes following are the actual NDEF message data but be aware that for some tags this may not be contiguous memory (other TLVs may indicate memory bytes that must be skipped when reading or writing).

    For all the bells and whistles you can study an ndef read and ndef write or obtain a copy of the Type 2 Tag specification from the NFC Forum specifications page.