Tags: nfc, rfid, mifare, contactless-smartcard, libnfc

Why is the length byte of this ATS so large?


Testing with a DESFire, I picked up the following ATS: 0x75 0x77 0x81 0x02 0x80.

From what I can tell, ISO/IEC 14443-4 says that the first byte should be the "length byte" and should indicate the total number of bytes sent as part of the ATS. Why, then, is the first byte 0x75? If you ignore the first nibble, the value is correct, but is there any reason I should actually have to do that, or is there no relation between this byte and the length value?

Note: The ATS was obtained via libnfc through nfc_initiator_select_passive_target.


Solution

  • The ATS is perfectly fine. libnfc does not include the length byte in the value stored in nt.nti.nai.abtAts. Instead, the length of the ATS is stored in nt.nti.nai.szAtsLen. Consequently, the first byte is not the length byte but the format byte. It indicates that TA(1), TB(1), and TC(1) are present (Y(1) = 7h), and that the FSC is 64 bytes (FSCI = 5h). The remaining bytes then decode as:

    • TA(1) = 77h: all three divisors supported for both directions
    • TB(1) = 81h: FWT = 256 * 16 / f_c * 2^8 = 77 ms, SFGT = 256 * 16 / f_c * 2^1 = 600 us
    • TC(1) = 02h: CID supported, NAD not supported
    • Historical bytes: 80h
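The decoding the answer walks through, as an added worked example that is not part of the original question or answer and is not libnfc code. It parses an ATS in the form libnfc returns (format byte first, length byte already stripped), decodes T0, TA(1), TB(1), TC(1) and the historical bytes, and rejects a buffer that is shorter than its own Y(1) promises. The sample bytes are the ones from the question; the FSCI table and the f_c = 13.56 MHz carrier are from ISO/IEC 14443-4; the `ats_decode_wire` helper for an ATS that still carries its TL byte is an assumption about how one might obtain a raw ATS, not a libnfc API. With libnfc the call would be `ats_decode(nt.nti.nai.abtAts, nt.nti.nai.szAtsLen, &a)`, using the fields named in the answer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FC_HZ 13560000.0            /* ISO/IEC 14443 carrier frequency */

/* Decoded ISO/IEC 14443-4 ATS. Input is the form libnfc hands back in
 * nt.nti.nai.abtAts / szAtsLen: the format byte T0 comes first and the
 * length byte TL has already been removed by the library. */
typedef struct {
    bool valid;                 /* false if Y(1) promises bytes the buffer lacks */
    uint8_t t0;
    unsigned fsci, fsc_bytes;   /* FSCI nibble and the frame size it encodes */
    bool has_ta, has_tb, has_tc;
    uint8_t ta, tb, tc;
    unsigned dr_mask, ds_mask;  /* bit i set => divisor 2^(i+1) supported (PCD->PICC / PICC->PCD) */
    bool same_divisor_only;     /* TA(1) b8: PICC requires the same D in both directions */
    unsigned fwi, sfgi;
    double fwt_us, sfgt_us;     /* sfgt_us == 0 when SFGI == 0 (no SFGT required) */
    bool cid_supported, nad_supported;
    const uint8_t *hist;        /* historical bytes, if any (point into the input) */
    size_t hist_len;
} ats_t;

/* FSCI -> FSC in bytes, per the ISO/IEC 14443-4 table. Values 9..15 are RFU
 * in the base edition and are to be read as FSCI = 8 (256 bytes). */
static unsigned fsci_to_fsc(unsigned fsci)
{
    static const unsigned tbl[9] = {16, 24, 32, 40, 48, 64, 96, 128, 256};
    return fsci <= 8 ? tbl[fsci] : 256;
}

/* Decode a length-byte-stripped ATS. Returns out->valid. */
bool ats_decode(const uint8_t *ats, size_t len, ats_t *out)
{
    ats_t r = {0};
    *out = r;
    if (len == 0)
        return false;

    size_t i = 0;
    r.t0 = ats[i++];
    r.has_ta = (r.t0 & 0x10) != 0;      /* Y(1) bits b5..b7 */
    r.has_tb = (r.t0 & 0x20) != 0;
    r.has_tc = (r.t0 & 0x40) != 0;
    r.fsci = r.t0 & 0x0f;
    r.fsc_bytes = fsci_to_fsc(r.fsci);

    /* Refuse a buffer that cannot contain the interface bytes it announces. */
    size_t need = 1 + (size_t)r.has_ta + (size_t)r.has_tb + (size_t)r.has_tc;
    if (len < need) {
        *out = r;
        return false;
    }

    if (r.has_ta) {
        r.ta = ats[i++];
        r.same_divisor_only = (r.ta & 0x80) != 0;
        r.ds_mask = (r.ta >> 4) & 0x07;    /* PICC -> PCD divisors */
        r.dr_mask = r.ta & 0x07;           /* PCD -> PICC divisors */
    }
    if (r.has_tb) {
        r.tb = ats[i++];
        r.fwi = r.tb >> 4;
        r.sfgi = r.tb & 0x0f;
        double unit_us = 256.0 * 16.0 / FC_HZ * 1e6;   /* ~302 us */
        r.fwt_us = unit_us * (double)(1u << r.fwi);
        r.sfgt_us = r.sfgi ? unit_us * (double)(1u << r.sfgi) : 0.0;
    }
    if (r.has_tc) {
        r.tc = ats[i++];
        r.cid_supported = (r.tc & 0x02) != 0;
        r.nad_supported = (r.tc & 0x01) != 0;
    }
    r.hist = ats + i;
    r.hist_len = len - i;
    r.valid = true;
    *out = r;
    return true;
}

/* Assumed helper for an ATS still carrying TL (the length byte, which counts
 * itself but not the CRC). Rejects a TL that disagrees with the buffer. */
bool ats_decode_wire(const uint8_t *raw, size_t rawlen, ats_t *out)
{
    if (rawlen == 0 || (size_t)raw[0] != rawlen)
        return false;
    return ats_decode(raw + 1, rawlen - 1, out);
}

int main(void)
{
    /* The bytes from the question, as libnfc stored them (no TL). */
    const uint8_t ats[] = {0x75, 0x77, 0x81, 0x02, 0x80};
    ats_t a;
    if (!ats_decode(ats, sizeof ats, &a)) {
        puts("malformed ATS");
        return 1;
    }
    printf("T0=%02X FSCI=%u -> FSC=%u bytes; TA(1)%s TB(1)%s TC(1)%s\n",
           a.t0, a.fsci, a.fsc_bytes, a.has_ta ? "" : " absent",
           a.has_tb ? "" : " absent", a.has_tc ? "" : " absent");
    printf("TA(1)=%02X DR mask=%u DS mask=%u same-D-only=%d\n",
           a.ta, a.dr_mask, a.ds_mask, a.same_divisor_only);
    printf("TB(1)=%02X FWI=%u FWT=%.1f ms SFGI=%u SFGT=%.0f us\n",
           a.tb, a.fwi, a.fwt_us / 1000.0, a.sfgi, a.sfgt_us);
    printf("TC(1)=%02X CID=%d NAD=%d; %zu historical byte(s)\n",
           a.tc, a.cid_supported, a.nad_supported, a.hist_len);
    return 0;
}
```

The `need` check is the part worth keeping in any real reader: a PICC (or a fuzzer in front of one) can send a T0 that announces TA(1)..TC(1) and then stop short, and indexing by Y(1) alone would read past the buffer.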