Accessing card-emulation mode on USB-NFC-Reader

Published 2019-05-03 16:16

Question:

I have an Android tablet with Android 4.2. This tablet does not have NFC hardware. However, I have an external USB reader, the ACR 1252U, that came with an Android library. I have asked some general questions about my setup here. Now that it gets more specific, I need to ask another one. In this previous question I found out that I can use the ACS Android library to access the reader's card emulation capabilities.

My first goal is to make that reader emulate an NFC tag that contains a URL. Any NFC-capable Android phone should be able to scan this emulated tag and automatically open the browser. I have tested it, and it works with a real (physical) tag. But unfortunately I am not able to emulate this tag correctly...

Now I wrote an Android application, but I am stuck. According to the reader's API (PDF), I can get it into card emulation mode by sending the command

E0 00 00 40 03 01 00 00

When I do this, it gives me the answer:

E1 00 00 00 03 01 01 01

This confirms that it is in card emulation mode. With an Android application I can now scan the emulated tag, which says that this is recognized as an "NXP MIFARE Ultralight" tag.

My problem now is, how to feed the tag with a URL. According to the reader API (section 5.10.3), I need to send the command:

E0 00 00 60 13 01 01 00 0F D1 01 0B 55 01 67 6F 6F 67 6C 65 2E 63 6F 6D

where D1 01 0B 55 01 67 6F 6F 67 6C 65 2E 63 6F 6D is the NDEF message that contains the URL "http://www.google.com". I created this NDEF message using this Android Java code:

String target_url = "http://www.google.com";
Uri uri = Uri.parse(target_url);
NdefRecord recordNFC = NdefRecord.createUri(uri);
NdefMessage message = new NdefMessage(recordNFC);

An application on my Android phone that reads NFC tags says the following:

As you can see, the URL is saved on the emulated tag.

  • So why doesn't the browser of my phone open the URL?
  • Am I missing something? Are my commands wrong?
  • Why are there some "?" characters?

Answer 1:

The command that you are using,

E0 00 00 60 <Lc> 01 01 <Byte address> <Length> <Data>

writes data bytes starting at block 3 of the emulated NFC Forum Type 2 tag. Thus, the byte address 0x00 addresses the first byte of block 3.

The problem that you are facing is that you only write the NDEF message itself starting at block 3 (byte 0). However, an NFC Forum Type 2 tag needs further metadata. Specifically, block 3 is the capability container block. For the specific memory layout presented by the ACR1252U, the CC block would need to be filled with the value

  • E1 10 06 00 (if write access should be allowed) or
  • E1 10 06 0F (if other NFC devices should treat the tag as read-only).

E1 is the magic number indicating that this is an NFC Forum tag, 10 refers to version 1.0 (the current version) of the data mapping defined by the NFC Forum Type 2 Tag Operation specification, and 06 indicates that the tag has a total of 12 data blocks.

Further, you need to wrap the NDEF message into an NDEF Message TLV block. The NDEF Message TLV block has the tag 0x03. Thus, the wrapped NDEF message would look like this:

03 0F D1010B5501676F6F676C652E636F6D

The tag memory that you need to write would therefore look like this:

E1 10 06 00
03 0F D1 01
0B 55 01 67
6F 6F 67 6C
65 2E 63 6F
6D

Finally, you should fill the tag memory to full blocks by placing a Terminator TLV (tag 0xFE, no length) at the end and filling the remaining bytes with zeros (0x00). This also applies to the case where the data is already aligned to full blocks but there are further (empty) blocks beyond the end of your data.

E1 10 06 00
03 0F D1 01
0B 55 01 67
6F 6F 67 6C
65 2E 63 6F
6D FE 00 00

Thus, you would want to use the following write command to store the data on the emulated Type 2 tag:

E0 00 00 60 1C 01 01 00 18 E1 10 06 00 03 0F D1 01 0B 55 01 67 6F 6F 67 6C 65 2E 63 6F 6D FE 00 00
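
The layout described in this answer, as an added Python example that is not part of the original answer or of the ACS library: it builds the capability container, the NDEF Message TLV, the Terminator TLV and the padding, then wraps the result in the write command. All function names are hypothetical, and the rule Lc = Length + 4 is inferred from the two commands shown on this page.

```python
# Added example with constructed helper names; byte values follow the answer above.
URI_PREFIXES = [(0x01, "http://www."), (0x02, "https://www."),
                (0x03, "http://"), (0x04, "https://")]  # NFC Forum URI prefix codes
BLOCK = 4         # a Type 2 tag block is 4 bytes
DATA_BLOCKS = 12  # CC size byte 0x06, i.e. 12 data blocks as stated in the answer

def ndef_uri_record(url: str) -> bytes:
    """Single short NDEF URI record: header D1, type length 1, type 'U'."""
    code, rest = 0x00, url  # 0x00 = no abbreviation
    for c, prefix in URI_PREFIXES:  # longer prefixes are listed first
        if url.startswith(prefix):
            code, rest = c, url[len(prefix):]
            break
    payload = bytes([code]) + rest.encode("utf-8")
    if len(payload) > 255:
        raise ValueError("payload too long for a short record")
    return bytes([0xD1, 0x01, len(payload), 0x55]) + payload

def tag_image(ndef: bytes, read_only: bool = False) -> bytes:
    """CC block + NDEF Message TLV + Terminator TLV, zero-padded to full blocks."""
    # Assumption of this example: always keep room for the terminator byte.
    if len(ndef) + 3 > DATA_BLOCKS * BLOCK:
        raise ValueError("NDEF message does not fit in 12 data blocks")
    cc = bytes([0xE1, 0x10, 0x06, 0x0F if read_only else 0x00])
    body = bytes([0x03, len(ndef)]) + ndef + b"\xFE"
    body += b"\x00" * (-len(body) % BLOCK)  # pad to a block boundary
    return cc + body

def write_command(image: bytes, byte_address: int = 0x00) -> bytes:
    """E0 00 00 60 <Lc> 01 01 <Byte address> <Length> <Data>."""
    if len(image) + 4 > 0xFF:
        raise ValueError("data too long for a single command")
    return bytes([0xE0, 0x00, 0x00, 0x60, len(image) + 4,
                  0x01, 0x01, byte_address, len(image)]) + image

def hexdump(data: bytes) -> str:
    return " ".join(f"{b:02X}" for b in data)

if __name__ == "__main__":
    img = tag_image(ndef_uri_record("http://www.google.com"))
    for i in range(0, len(img), BLOCK):  # print one block per line
        print(hexdump(img[i:i + BLOCK]))
    print(hexdump(write_command(img)))
```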