scl3711 - time out error with android HCE

The communication with Type 4 Tags is using the ISO-DEP protocol, which is completely handled by the PN53x. The non_dep_to value applies only to FeliCa and Mifare communication. The ISO-DEP frame waiting time (until a response is expected) is calculated from the ATS (Answer To Select) response, thus can be controlled by the target. You may be able to increase the value in your Android application.

To get an idea of the current timings you can give the "-f logfile" option to tagtool.py to get a debug log with timestamp values. Also the frame waiting time is computed, though not printed, in nfc/tag/tt4.py Type4Tag.__init__() method. Just add a print.

Thanks Stephen,

I am not able to figure out the timing part in the android system. ONe thing that I do notice is the response from the system changes right before the timeout happens. Can you help me understand the difference.

If the solution works the response is

2015-01-08 10:42:31,838 DEBUG [nfc.dev.pn53x] InDataExchange command with timeout 2550 ms
2015-01-08 10:42:31,838 DEBUG [nfc.dev.transport] >>> 0000ff10f0d4400100a4040007d2760000850101006d00
2015-01-08 10:42:31,842 DEBUG [nfc.dev.transport] <<< 0000ff00ff00
2015-01-08 10:42:31,875 DEBUG [nfc.dev.transport] <<< 0000ff05fbd5410090005a00

while for timeout error it is

2015-01-08 10:53:39,707 DEBUG [nfc.dev.pn53x] InDataExchange command with timeout 2550 ms
2015-01-08 10:53:39,707 DEBUG [nfc.dev.transport] >>> 0000ff10f0d4400100a4040007d2760000850101006d00
2015-01-08 10:53:39,710 DEBUG [nfc.dev.transport] <<< 0000ff00ff00
2015-01-08 10:53:39,953 DEBUG [nfc.dev.transport] <<< 0000ff03fdd54101e900

I would like to know the difference between the last responses, 0000ff05fbd5410090005a00 & 0000ff03fdd54101e900

Following are the complete logs with the time for the error

2015-01-08 10:53:39,697 DEBUG [nfc.dev.pn53x] found NFC-A target @ 106 kbps
2015-01-08 10:53:39,697 DEBUG [nfc.clf] found target TTA br=106 cfg=040060 uid=08066ac4 ats=0578807002
2015-01-08 10:53:39,697 DEBUG [nfc.tag.tt4] init TTA br=106 cfg=040060 uid=08066ac4 ats=0578807002
2015-01-08 10:53:39,697 DEBUG [nfc.tag.tt4] select file
2015-01-08 10:53:39,698 DEBUG [nfc.clf] >>> 00a4040007d276000085010100 4.039s
2015-01-08 10:53:39,698 DEBUG [nfc.dev.pn53x] RFConfiguration command with timeout 200 ms
2015-01-08 10:53:39,698 DEBUG [nfc.dev.transport] >>> 0000ff06fad432020b0b10d200
2015-01-08 10:53:39,701 DEBUG [nfc.dev.transport] <<< 0000ff00ff00
2015-01-08 10:53:39,703 DEBUG [nfc.dev.transport] <<< 0000ff02fed533f800
2015-01-08 10:53:39,703 DEBUG [nfc.dev.pn53x] RFConfiguration command with timeout 200 ms
2015-01-08 10:53:39,703 DEBUG [nfc.dev.transport] >>> 0000ff04fcd4320403f300
2015-01-08 10:53:39,706 DEBUG [nfc.dev.transport] <<< 0000ff00ff00
2015-01-08 10:53:39,707 DEBUG [nfc.dev.transport] <<< 0000ff02fed533f800
2015-01-08 10:53:39,707 DEBUG [nfc.dev.pn53x] InDataExchange command with timeout 2550 ms
2015-01-08 10:53:39,707 DEBUG [nfc.dev.transport] >>> 0000ff10f0d4400100a4040007d2760000850101006d00
2015-01-08 10:53:39,710 DEBUG [nfc.dev.transport] <<< 0000ff00ff00
2015-01-08 10:53:39,953 DEBUG [nfc.dev.transport] <<< 0000ff03fdd54101e900
2015-01-08 10:53:39,953 DEBUG [nfc.dev.pn53x] [PN53x Error 0x01] Time out, the Target has not answered
2015-01-08 10:53:39,953 ERROR [nfc.tag.tt4] while reading ndef: TimeoutError(None)
2015-01-08 10:53:39,954 DEBUG [nfc.clf] connected to Type4Tag ATQ=0400 SAK=60 UID=08066ac4 ATS=0578807002
2015-01-08 10:53:39,954 DEBUG [nfc.dev.pn53x] RFConfiguration command with timeout 200 ms
2015-01-08 10:53:39,956 DEBUG [nfc.dev.transport] >>> 0000ff04fcd4320100f900
2015-01-08 10:53:39,959 DEBUG [nfc.dev.transport] <<< 0000ff00ff00
2015-01-08 10:53:39,963 DEBUG [nfc.dev.transport] <<< 0000ff02fed533f800
2015-01-08 10:53:39,963 DEBUG [nfc.dev.transport] >>> 0000ff00ff00

BTW i also found the following comment on the android site.

ISO-DEP activation

After the Nfc-A protocol is activated, the ISO-DEP protocol activation is initiated by the NFC reader. It sends a "RATS" (Request for Answer To Select) command. The RATS response, the ATS, is completely generated by the NFC controller and not configurable by HCE services. However, HCE implementations are required to meet NFC Forum requirements for the ATS response, so NFC readers can count on these parameters being set in accordance with NFC Forum requirements for any HCE device.

The section below provides more details on the individual bytes of the ATS response provided by the NFC controller on a HCE device:

TL: length of the ATS response. Must not indicate a length greater than 20 bytes.
T0: bits 5, 6 and 7 must be set on all HCE devices, indicating TA(1), TB(1) and TC(1) are included in the ATS response. Bits 1 to 4 indicate the FSCI, coding the maximum frame size. On HCE devices the value of FSCI must be between 0h and 8h.
T(A)1: defines bitrates between reader and emulator, and whether they can be asymmetric. There are no bitrate requirements or guarantees for HCE devices.
T(B)1: bits 1 to 4 indicate the Start-up Frame Guard time Integer (SFGI). On HCE devices, SFGI must be <= 8h. Bits 5 to 8 indicate the Frame Waiting time Integer (FWI) and codes the Frame Waiting Time (FWT). On HCE devices, FWI must be <= 8h.
T(C)1: bit 5 indicates support for "Advanced Protocol features". HCE devices may or may not support "Advanced Protocol features". Bit 2 indicates support for DID. HCE devices may or may not support DID. Bit 1 indicates support for NAD. HCE devices must not support NAD and set bit 1 to zero.
Historical bytes: HCE devices may return up to 15 historical bytes. NFC readers willing to interact with HCE services should make no assumptions about the contents of the historical bytes or their presence.

The nfc.dev.transport log lines show the frames send to or received from the reader chip. The byte sequence "0000ff05fbd5410090005a00" is frame header "0000ff05fb" + response code "d541" + status byte "00" + ISO14443 success status "9000" + crc16 "5a00". The byte sequence "0000ff03fdd54101e900" differs in the status byte "01" which says that the chip timed out while waiting for a response.

The delta time between the PN533's acknowledge of the send data command frame and the response frame is ~240 ms. The PN533 does some retries of sending the command to the tag. The frame waiting time integer coded in ATS "0578807002" is FWT=7 (upper nibble of fourth byte). Thus the frame waiting time is FWT = (256 x 16/fc ) x 2^FWI => ~38 ms. Looks all well except that the tag doesn't send a response. I'd guess there's some additional stuff to do on the Android side.

Thanks Stephen for the response.,

I have not yet solved the problem as I am not sure where the timeout is happening. If something is missing from the service that I built the problem should occur when the phone is locked and unlocked.

Also the responses on the python seems to have been sent by the android nfc controller which I have no control over. So I guess this is a dead end for me.

Thanks Anyways for helping me out till this point.

If you are able to send me your application as apk, I could maybe try it on different Android phones. Address would be stephen.tiedemann at gmail.com. Completely up to you.

It seems like a hardware issue. One plus one running kitkat works perfectly . Thanks Stephen for helping me out.