I am building a Windows/Java program (using javax.smartcardio) to communicate with Jewel/Topaz512 tags (from Innovision/Broadcom) using an ACR122U device (with a PN532 NFC Controller chip inside).
I implemented the Topaz512 protocol (from this data sheet) but only half of my commands are working.
RID, RALL, READ, WRITE-NE, RSEGWRITE-E, READ8, WRITE-E8, WRITE-NE8For instance, here is what I get when I send a WRITE-NO-ERASE command:
Command: FF:00:00:00:0C:D4:40:01:1A:7F:42:38:01:9A:00:17:E8
Where:
D4:40:01 is the InDataExchange command,1A:7F:42 is the WRITE-NO-ERASE command (value: 0x42, block 0x0F, byte 7),38:01:9A:00 is the 4-bytes tag UID,17:E8 is the CRC.Response: D5:41:00:42:90:00
Here the response is correct: 0x42. The status byte (0x00) informs that everything went well.
And here is what I get when I send a WRITE-WITH-ERASE command:
Command: FF:00:00:00:0C:D4:40:01:53:7F:42:38:01:9A:00:28:6E
Where:
D4:40:01 is the InDataExchange command,53:7F:42 is the WRITE-WITH-ERASE command (value: 0x42, block 0x0F, byte 7),38:01:9A:00 is the 4-bytes tag UID,28:6E is the CRC.Response: D5:41:01:90:00
Here, the status byte (0x01) informs of a timeout detected by the PN532. (From the PN532 documentation (p67): "Time Out, the target has not answered - 0x01")
Also when I remove the PN532 timeouts (with FF:00:00:00:06:D4:32:02:00:00:00) non-working commands do not respond D5:41:01:90:00, but wait longer, then I get no response.
I just tried to execute the commands using gscriptor (from the pcsc-tools suite) and I got the same behavior. Here are my results:
The script:
FF 00 00 00 06 D4 32 05 02 02 02
# SAMConfiguration
FF 00 00 00 04 D4 14 01 00
# SetParameters
FF 00 00 00 03 D4 12 04
# InListPassiveTarget: Jewel mode
FF 00 00 00 04 D4 4A 01 04
# InDataExchange: RID
FF 00 00 00 04 D4 40 01 78
# InDataExchange: RALL
FF 00 00 00 04 D4 40 01 00
# InDataExchange: RSEG 0-3
FF 00 00 00 05 D4 40 01 10 00
FF 00 00 00 05 D4 40 01 10 20
FF 00 00 00 05 D4 40 01 10 40
FF 00 00 00 05 D4 40 01 10 60
##########
# GetFirmwareVersion
FF 00 00 00 02 D4 02
# GetGeneralStatus
FF 00 00 00 02 D4 04
##########
# RFConfiguration: No timeout
FF 00 00 00 06 D4 32 02 00 00 00
# InDataExchange: READ-1
FF 00 00 00 05 D4 40 01 01 7F
# InDataExchange: READ-8
FF 00 00 00 05 D4 40 01 02 00
# InDataExchange: WRITE-E-1
FF 00 00 00 06 D4 40 01 53 7F 42
# InDataExchange: WRITE-E-8
FF 00 00 00 0C D4 40 01 55 02 01 02 03 04 05 06 07 08
# InDataExchange: WRITE-NE-1
FF 00 00 00 06 D4 40 01 1A 7F 42
# InDataExchange: WRITE-NE-8
FF 00 00 00 0C D4 40 01 1B 02 01 02 03 04 05 06 07 08
The results:
Sending: FF 00 00 00 06 D4 32 05 02 02 02
Received: D5 33 90 00
Normal processing.
Sending: FF 00 00 00 04 D4 14 01 00
Received: D5 15 90 00
Normal processing.
Sending: FF 00 00 00 03 D4 12 04
Received: D5 13 90 00
Normal processing.
Sending: FF 00 00 00 04 D4 4A 01 04
Received: D5 4B 01 01 0C 00 38 01 9A 00 90 00
Normal processing.
Sending: FF 00 00 00 04 D4 40 01 78
Received: D5 41 00 12 4C 38 01 9A 00 90 00
Normal processing.
Sending: FF 00 00 00 04 D4 40 01 00
Received: D5 41 00 12 4C 38 01 9A 00 00 10 25 00 00 10 3F
00 01 03 F2 30 33 02 03 F0 02 03 03 E3 D1 01 DF
54 02 65 6E 30 31 32 33 34 35 36 37 38 39 30 30
31 32 33 34 35 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 55 55 AA
AA 12 4C 06 00 01 E0 00 00 00 00 00 00 90 00
Normal processing.
Sending: FF 00 00 00 05 D4 40 01 10 00
Received: D5 41 00 38 01 9A 00 00 10 25 00 00 10 3F 00 01
03 F2 30 33 02 03 F0 02 03 03 E3 D1 01 DF 54 02
65 6E 30 31 32 33 34 35 36 37 38 39 30 30 31 32
33 34 35 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 55 55 AA AA 12
4C 06 00 01 E0 00 00 00 00 00 00 00 00 00 00 00
00 00 47 90 00
Normal processing.
Sending: FF 00 00 00 05 D4 40 01 10 20
Received: D5 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 90 00
Normal processing.
Sending: FF 00 00 00 05 D4 40 01 10 40
Received: D5 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 90 00
Normal processing.
Sending: FF 00 00 00 05 D4 40 01 10 60
Received: D5 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 90 00
Normal processing.
Sending: FF 00 00 00 02 D4 02
Received: D5 03 32 01 06 07 90 00
Normal processing.
Sending: FF 00 00 00 02 D4 04
Received: D5 05 01 00 01 01 00 00 02 80 90 00
Normal processing.
Sending: FF 00 00 00 06 D4 32 02 00 00 00
Received: D5 33 90 00
Normal processing.
Sending: FF 00 00 00 05 D4 40 01 01 7F
Received: D5 41 00 47 90 00
Normal processing.
Sending: FF 00 00 00 05 D4 40 01 02 00
Received:
wrong SW size for:
Sending: FF 00 00 00 06 D4 40 01 53 7F 42
Received:
wrong SW size for:
Sending: FF 00 00 00 0C D4 40 01 55 02 01 02 03 04 05 06
07 08
Received:
wrong SW size for:
Sending: FF 00 00 00 06 D4 40 01 1A 7F 42
Received: D5 41 00 47 90 00
Normal processing.
Sending: FF 00 00 00 0C D4 40 01 1B 02 01 02 03 04 05 06
07 08
Received:
wrong SW size for:
Script was executed without error...
Some time ago I looked into this in detail and concluded that the PN532 NFC controller chip from NXP has an issue with its firmware that prevents it from successfully transceiving some commands with NFC Forum Type 1 tags (Topaz/Jewel brands). The ACR122U is based on this chip as noted.
When I tried to write 8 byte blocks at a time using the WRITE-E8 (0x54) command, the response received is 0x01, a timeout waiting for the tag to respond.
Things I tried that don't work:
Including the UID echo in the InDataExchange, I even played with the endianness of the UID echo and still the same result.
Using the inCommunicateThru command rather than InDataExchange and calculating the CRC1 and CRC2 values at the application level (same results)
The final conclusion I reached is:
The PN532 cannot write to pages 0x10 and greater on a Type 1 tag which makes it impossible to write to the full range of memory on popular models such as the Topaz 512.
Recommendation:
This issue was relevant in 2012 when the Topaz 512 was a great low cost yet high memory NFC tag. Now that there's the NAG215 and NTAG216 models, I recommend using those models that have high memory and universal compatibility with NFC readers.