NFC Secure Element

by Gruntz Dominik » Tue, 07 Dec 2010 19:42:37 GMT

Sponsored Links
 Hi everyone,

Do I see it right, that the Android 2.3 NFC API does not provide functionality 
to access a secure element? A secure element is a smartcard connected to the 
NFC controller, i.e. a secure storage in the device, either embedded in the 
mobile phone, on the SIM card or on a SD card.

With JavaME access to the secure element was provided with JSR177 which 
supported the communication with smart card applications usind APDU commands. I 
have not seen comparable functionality in package android.nfc.

Thanks for any hints


Re: NFC Secure Element

by nemik » Mon, 20 Dec 2010 09:27:05 GMT


Yea, that's right. All it does currently is read; at least via the
Java API. If you look at the kernel source though, a bunch of ifdefs
which allow for emulation were all disabled. So full compliance with
the NFC standard will have to wait for a future kernel release.


Sponsored Links

Re: NFC Secure Element

by nemik » Sun, 09 Jan 2011 03:40:25 GMT

 I was able to enable a secure element the other day by messing around
with this external/libnfc-nxp library. I enabled SMX (SmartMX) in the
config headers, and upon booting and monitoring `adb logcat` during
boot I saw 1 secure elements (a SmartMX one) had been enabled. I was
then able to change the mode in to card emulation

The Nexus S is now emulating a MiFare Classic 4k card. However, I am
not able to read sectors from the card directly. I've been trying to
use the micmd tool to do that but things act pretty strangely. For
example, I tried to read block 0 and micmd tells me "Could not read
the data block! Tag halted, reconnecting..." but what's even stranger
is that at that point, 'adb logcat' shuts itself off. As if that read
command somehow interfered with USB or logging?
However trying `a` commands to authenticate in micmd always works for
some reason and it'll even pretent to write and persist data to
blocks; but of course that data never actually gets persisted to the
emulated card. Maybe this is a bug in micmd?

Does anyone know if the Nexus S hardware (or its PN544 NFC chipset)
even contains a hardware secure element like SmartMX? I tried also
enabling UICC but that didn't seem to work at all and NFC service
wouldn't even start in that case. Plus my SIM card is MANY years old
and not sure it'd even work...

Either way, I used's `nfc-mfclassic` tool to dump out the
contents of that emulated 4k card. It is here: 

Seems to be entirely blank which is why I'm wondering if these aren't
some default values it would spit out anyway even if no SmartMX module

If anyone has any more insights into this, I'd be very happy to hear



Re: Re: NFC Secure Element

by Ajith Kamath » Mon, 10 Jan 2011 13:31:30 GMT

 i Nemik

* I have small doubt with current implementation. Is SmartMX a Secure
Element ?If so can you give me examples?
* I have checked libnfc-nxp , enabling P2P parameter was at phnfcconfig.h.
what needs to be done to enable Secure element?
what are MifarePlus, Desfire, Topaz . Is it a Card type or Secure Element?

* Also where is the general read-write methods for entry of Secure element.
All I can see is phLibNfc_SE.c is methods for getting list of secured
element, selecting secure element, deselecting.
* But method for exchange of data is not present. Can you tell me where can
I find this?

* In libnfc-nxp There are files like phFriNfc_NdefMap.c,
phFriNfc_MifareULMap.c, phFriNfc_TopazMap.c, phFriNfc_TopazDynamicMap.c,
phFriNfc_DesfireMap.c, phFriNfc_FelicaMap.c.
Can you tell me what these files are used for. The current comments in the
file do not provide sufficient information

* I am trying to use Wired Mode, Hence phHciNfc_WI.c will be used to
communicate between Controller and Secure element right?

Please advice.



On Sun, Jan 9, 2011 at 1:00 AM, nemik <> wrote:


Re: NFC Secure Element

by nemik » Mon, 10 Jan 2011 14:14:15 GMT


According to
the CN072 is a secure element in the Smart MX family. I'm not sure the
same one is in the Nexus S, but I presume the one in there is at least
very similar.

Here is the info on it:

I'm still trying to figure out how to get access to it as well, for
reading or writing. I doubt there are any specific commands for it
though, it just takes regular commands over ISO14443 just like other
MiFare cards.

On Jan 9, 11:31pm, Ajith Kamath <> wrote:


Re: Re: NFC Secure Element

by Ajith Kamath » Mon, 10 Jan 2011 15:51:54 GMT

 i Nemik

I'm running over the libnfc code.
I can see these 4 files to be prominent for communication with SE


I am thinking the above two might be used for R/W into SE from App
And the below two is used for communication between NFC Controller and SE.


Please go through these files and let me know if I'm in right path.


On Mon, Jan 10, 2011 at 11:44 AM, nemik <> wrote:


Re: NFC Secure Element

by gusdgg » Fri, 14 Jan 2011 21:21:40 GMT

 i Nemik,

Please, could you tell me how do you enable the SMX in the nexus s
configuration and change the mode in the Nfcservice? So far, I can
read and write tags,


On 10 ene, 04:51, Ajith Kamath <> wrote:


Re: NFC Secure Element

by gusdgg » Fri, 14 Jan 2011 21:21:42 GMT

 Could you tell me how do you enabled SMX (SmartMX) and set the
cardemulation mode? So far, I was able to read and write tags with the
Nexus S.




Re: NFC Secure Element

by Dominik » Tue, 18 Jan 2011 08:11:19 GMT

 According to the NXP documentation of PN544, three SE variants are
- SIM Card (via UICC)
- Embedded (SmartMX security chip)
- SD Card

Do you know which version is intended to be used by the Nexus S

The above messages describe attempts to enable SmartMX. As soon as
access to this SE is possible:
Which keys do you use to access the SE? Such keys should be private
and not generally be known.

I am at a loss.

- Dominik


Re: NFC Secure Element

by Ajith Kamath » Tue, 18 Jan 2011 11:11:50 GMT

 I still dont have nexus s but there is a high probability that its Embedded

Yes Keys are private and most likely needs to be provided by Service
Provider. The same thing has been mentioned in nokia forum
But I am not sure  how this will be done for nexus S.(may be there are ties
with Service Provider)

If anyone can explain OTA agent and its communication with TSM, it would be
very helpful. Since this too is not clear (w.r.t android)



Re: NFC Secure Element

by Ajith Kamath » Thu, 20 Jan 2011 11:29:50 GMT

 Hi Dominik

Can you explain how what did you use to access Secure element?
Which methods , which file?

Because permission may depend on how you are accessing it.



Re: NFC Secure Element

by nemik » Fri, 21 Jan 2011 05:01:16 GMT

 Sorry for not replying in a while, been very busy with projects at

I posted my diff's to enable the Nexus S to emulate an NFC tag. The
links are below: for ;a=summary
and for ;a=summary

These are just based on the on the open source, plain vanilla Android
Gingerbread codebase. If you patch it with the diffs above, you can
build the OS, upload the images to the phone's bootloader (make sure
to unlock the bootloader first) and then see it for yourself.

It is pretty badly broken and this is just to prove that it can kinda
work, I hacked it up pretty hard.

Also, I added a lot of LOGD()'s in the NFC app's JNI so I could see
what was going on when trying things out on the phone so I could read
it when doing an 'adb logcat' on the computer with the phone attached
over USB.

Have fun!


Re: NFC Secure Element

by mtk » Tue, 25 Jan 2011 02:50:55 GMT

 Thanks Nemik for posting the patch, I was trying to get the emulation
working without much luck so far, I see you have flipped some
additional flags than what I had, so I'll trying those.
Btw I was able to set the SE to wired mode by calling
nfc_jni_se_set_mode_callback,(void *)nat);
so now the SE gets detected as a local tag and I can open a tag
connection to same - I tried a few APDUs, but getting error codes 6a
82 (not found), 69 85 etc back.. I'll post if I'm able to make any


Re: NFC Secure Element

by gusdgg » Tue, 25 Jan 2011 02:58:58 GMT


Thanks for posting the diff's and great work! I'll patch the codebase
and see what happen. In the meantime and coming back to your question
about the Nexus S hardware containing a secure element like SmartMX,
did you get the secure element list with the method
getSecureElementList() in the patched version? I called this method
(via reflection, no patched yet) but it gets the error message
"WRITE_SECURE_SETTINGS permission required"

As you may know, there are an excelent nexus s teardown (http:// from iFixit. You'll
see there, in the step 7 - 2nd picture, the NXP PN544 NFC chip closely
located to the UICC slot, but as far I can see there isn't any SmartMx
chip in that picture, nor in the others.



Re: NFC Secure Element

by nemik » Fri, 28 Jan 2011 13:25:55 GMT

 mtk, very cool! So when you did that call directly (somewhere in init
of the jni code?) you got it to detect? How are you sending APDU
commands? Also, if I understand wired mode correctly, the tag is not
emulated externally to other readers; it's only available internally
using the NFC API?

gusdgg, yes, I saw the secure elements using the
getSecureElementList() and just doing logging with those and observing
them using `adb logcat`. I think that is in one of the diffs I posted.
It worked OK for me and I wasn't seeing any permission errors. Though
I never even bothered to do it via reflection on the stock firmware
since I figured it would just deny it. Your findings clearly confirm
As for the SmartMX chip, maybe you're right. But I suppose it could
also be built into the PN544 chip itself. I have no idea, I wasn't
able to find any datasheets that talk about it and have no details on
the NXP chips Samsung's been sourcing for the Nexus S.


Other Threads

1. Can't show ProgressDialog during listview update

What am I doing wrong here? I have a listview of items (songs on the
sd card). The user has an option to load all the songs on the sd card
to into a current playlist -- those songs are what is displayed in the
listview. Because this can take few seconds to load if they have a lot
of songs on the card, I want to display a progress dialog to just tell
the user "One moment..." until the list refresh is done.

I launch a thread to do this. I've done this successfully on another
app I have (which just updates a database in the background but
doesn't update any display), but this one fails with this error
message, "Can't create handler inside thread that has not called
Looper.prepare()". I chopped down the activity and pasted it below.
What am I doing wrong here? I have just a vague idea of what might be

By the way, everything works when I take out the threaded stuff, it
just looks like the app freezes for a couple seconds.



public class ListingThing extends ListActivity implements Runnable {
        public static final String PREF_NAME = "PlaylistAlarmPreferences";
    static final private int CONFIGURE_PLAYLIST = Menu.FIRST;
    static final private int DELETE_LIST = Menu.FIRST+1;
    static final private int DELETE_SONG = Menu.FIRST;
    static final private int LOAD_ALL = Menu.FIRST+2;
        String playlistName, CURRENT_PLAYLIST;
    SharedPreferences settings;
    String[] items, subitems, fullpath;
    int DRILL_DOWN_LEVEL, resultCount;
    MediaPlayer mMediaPlayer;
    ProgressDialog myProgressDialog;

        /** Called when the activity is first created. */
    public void onCreate(Bundle savedInstanceState) {

                mMediaPlayer = new MediaPlayer();

        setListAdapter(new MySpecialAdapter(this));
                // you need this for the contextmenu

    public void getListOfPlaylists(){
        // query db for list of songs

    class MySpecialAdapter extends ArrayAdapter {
        Activity context;

        MySpecialAdapter(Activity context) {
                super(context, R.layout.double_list_item, items);

        public View getView(int position, View convertView, ViewGroup
parent) {
                View row=convertView;

                if (row==null) {
                        LayoutInflater inflater=context.getLayoutInflater();
                        row=inflater.inflate(R.layout.double_list_item, null);

                TextView text1 = (TextView)row.findViewById(;
                TextView text2 = (TextView)row.findViewById(;

                        return row;

        // This handles a context menu item click
        public boolean onContextItemSelected(MenuItem item) {
                AdapterContextMenuInfo info = (AdapterContextMenuInfo)
                Object n = this.getListAdapter().getItemId((int);
        final String pos = n.toString();        // get the item number of

        myProgressDialog =,
                  "One moment...", "Refreshing list of songs in
playlist.", true);
                CURRENT_PLAYLIST = items[Integer.parseInt(pos)];
        Thread t = new Thread(this);

                return super.onContextItemSelected(item);

    public void run(){

    private Handler handler = new Handler() {
        public void handleMessage(Message msg){
                // refresh the listing of playlists
            setListAdapter(new MySpecialAdapter(ListingThing.this));


    // delete all songs in playlist and then reload all songs into it
    private void loadsongs(String pl){
                        Uri media = MediaStore.Audio.Media.EXTERNAL_CONTENT_URI;
                        DBAdapter db_songs = new DBAdapter(ListingThing.this);

                        String[] projection = {                                 
        // The columns we want
        // 0
// 1 artist
// 2 song
// 3 full path of file "/sdcard/In
Da Club.mp3"
                                MediaStore.Audio.Media.DISPLAY_NAME,    // 4 
"In Da Club.mp3"
// 5 time in milliseconds

                        String selection = MediaStore.Audio.Media.IS_MUSIC + " 
!= 0";
                        Cursor c = this.managedQuery(media, projection, 
selection, null,

                        db_songs.deletePlaylist(pl);    // delete all songs in 
playlist first
                        if (c.moveToFirst()){
                                do {
                                }while (c.moveToNext());
                        resultCount = c.getCount();
                                        "All songs on the SD card where added 
to the playlist

                }catch(Exception e){
                                "Error loading all songs to playlist.\n: "+e,



2. Content Observer

As per normal content observer, you will just get to know that content
has been changed but not the data.

So how can I exactly find out what changes has been made using Content
Is there any alternative way to obtain the changes done on specific
content URI?

Thanks a lot in advance !!



3. How to get Bitmap from SurfaceView?

4. Gestures in app Widget

5. Usb Tethering in Android Eclair 2.1

6. SMS inbox Read Problem

7. How to move Activity to foreground