Is there NFC on Sony SmartWatch 3 (SWR50)?

We recently received our brand new Sony SmartWatch 3 SWR50 (powered by Android Wear). We intend to use them in our research on ShakeUnlock, where we try to transfer authentication state between two devices equipped with accelerometers by briefly shaking both devices together. Until then, I decided to explore the device to find out what else we could possibly do with it. As my research focus is (among other mobile security topics) on Near Field Communication (NFC), I was really happy to see that the specs read "Connectors: NFC". Particularly when it comes to access control scenarios (e.g. door access) or payment, using a smart watch instead of (or in addition to) a regular smartcard or a mobile phone could be very convenient. So I was hoping to see host-based card emulation (HCE) functionality. Moreover, I would love to see my NFC TagInfo app running on a smart watch and to be able to scan tags with the watch.

About a month ago, a question (and its answer) on StackOverflow already revealed a white paper by Sony that states that the SWR50 only supports NFC "to power on the SWR50 and [to] start the Android Wear host application". If that was really the case, the watch would not be usable for the above scenarios.

So let's see what we found...

NFC Tag

First, I started by scanning the SWR50 with another smart phone using my NFC TagInfo app.

NFC TagInfo identified the SWR50 as an NFC Forum Type 2 Tag. The ATQA (answer-to-request) of the tag is 0x0044 and the SAK (select acknowledge) is 0x00. This indicates that the tag uses a proprietary protocol on top of ISO/IEC 14443-3 (e.g. the Type 2 Tag platform) and that it supports neither ISO-DEP (ISO/IEC 14443-4; SAK bit 6 is clear) nor NFC-DEP (NFC peer-to-peer mode; SAK bit 7 is clear).

The 7-byte UID of the NFC tag of our watch is 2e020d00000000 (and it remains the same after rebooting the device). So the manufacturer ID (0x2e) identifies Broadcom as the chip manufacturer. This information (in combination with the fact that this is a Type 2 Tag) is interesting for two reasons:

  1. I did not find any information that Broadcom manufactures Type 2 Tags.
  2. The UID contains a rather unusual number of zero bytes.

Both make me think that this NFC tag might actually be emulated using a Broadcom NFC controller.

Just to make sure that my NFC TagInfo app did not miss anything, I decided to also scan the watch with NXP's TagInfo app. And, in fact, NXP's app found something very interesting: Even though the SAK byte does not indicate support for ISO-DEP, the watch returns an ATS (answer-to-select) in response to a RATS (request answer-to-select) command. The ATS is 0578808002 and codes

  • FSCI = 8: Maximum frame size from reader to tag is 256 bytes.
  • TA(1) = 80: Only 106 kbps supported in both directions.
  • TB(1) = 80: Frame waiting time is 77.33 ms. Start-up frame guard time is 302 us.
  • TC(1) = 02: CID (card identifier) supported, NAD (node addressing) not supported.

Hence, this further backs my hypothesis that the Type 2 Tag is actually emulated using an NFC controller that supports more than just being a Type 2 memory tag.
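The activation parameters listed above can be decoded mechanically. The following is an added example (not code from the original post): it decodes the ATQA, SAK, UID and ATS values reported on this page according to the bit assignments of ISO/IEC 14443-3/-4, and it flags the inconsistency just described (a SAK that denies ISO-DEP combined with a valid ATS). The manufacturer table is deliberately partial and the helper names are my own.

```python
"""Decode the ISO/IEC 14443 activation parameters the SWR50 reports.

Added example, not part of the original post. The input values are the ones
printed on the page (ATQA 0x0044, SAK 0x00, UID 2e020d00000000, ATS 0578808002);
the bit assignments are those of ISO/IEC 14443-3 and -4.
"""
FC_HZ = 13_560_000               # 13.56 MHz carrier frequency
ETU_256 = 256 * 16 / FC_HZ       # 256 * 16 / fc ~= 302 us, the base unit of FWT and SFGT

# Partial table of ISO/IEC 7816-6 manufacturer codes (only the two needed here).
MANUFACTURERS = {0x04: "NXP Semiconductors", 0x2E: "Broadcom"}

# FSCI -> FSC in bytes; codes above 8 are treated as 256 bytes here.
FSC_BYTES = [16, 24, 32, 40, 48, 64, 96, 128, 256]


def decode_atqa(atqa):
    """ATQA as the 16-bit value the page prints (0x0044); the low byte carries the UID size."""
    b1 = atqa & 0xFF
    uid_size = {0: 4, 1: 7, 2: 10}.get((b1 >> 6) & 0x03)   # 0x44 -> double size UID (7 bytes)
    return {"uid_size": uid_size, "bit_frame_anticollision": b1 & 0x1F}


def decode_sak(sak):
    return {
        "iso_dep": bool(sak & 0x20),        # bit 6: compliant with ISO/IEC 14443-4
        "nfc_dep": bool(sak & 0x40),        # bit 7: NFC-DEP (peer-to-peer) supported
        "uid_incomplete": bool(sak & 0x04), # bit 3: another cascade level follows
    }


def decode_uid(uid):
    return {
        "manufacturer": MANUFACTURERS.get(uid[0], f"unknown (0x{uid[0]:02X})"),
        "zero_bytes": uid.count(0),         # 4 of 7 bytes are zero on the SWR50
    }


def decode_ats(ats):
    """ATS = TL, T0, optional TA(1)/TB(1)/TC(1), historical bytes (ISO/IEC 14443-4)."""
    tl, t0 = ats[0], ats[1]
    if tl != len(ats):
        raise ValueError("TL does not match the ATS length")
    out = {"fsc": FSC_BYTES[min(t0 & 0x0F, 8)]}   # FSCI = 8 -> 256 bytes
    i = 2
    if t0 & 0x10:                                 # TA(1): bit rate capabilities
        ta, i = ats[i], i + 1
        out["same_bitrate_both_directions"] = bool(ta & 0x80)
        out["ds"] = (ta >> 4) & 0x07              # card -> reader: 212/424/848 kbps flags
        out["dr"] = ta & 0x07                     # reader -> card; 0 means 106 kbps only
    if t0 & 0x20:                                 # TB(1): FWI (high nibble), SFGI (low nibble)
        tb, i = ats[i], i + 1
        out["fwt_ms"] = ETU_256 * (1 << (tb >> 4)) * 1e3       # FWI = 8 -> 77.33 ms
        out["sfgt_us"] = ETU_256 * (1 << (tb & 0x0F)) * 1e6    # SFGI = 0 -> default ~302 us
    if t0 & 0x40:                                 # TC(1): protocol options
        tc, i = ats[i], i + 1
        out["cid"] = bool(tc & 0x02)
        out["nad"] = bool(tc & 0x01)
    out["historical_bytes"] = ats[i:]
    return out


def sak_ats_consistent(sak, ats=None):
    """False for the SWR50 case: SAK bit 6 denies ISO-DEP, yet a RATS is answered with an ATS."""
    return decode_sak(sak)["iso_dep"] == (ats is not None)


if __name__ == "__main__":
    print(decode_atqa(0x0044), decode_sak(0x00))
    print(decode_uid(bytes.fromhex("2e020d00000000")))
    print(decode_ats(bytes.fromhex("0578808002")))
    print("SAK/ATS consistent:", sak_ats_consistent(0x00, bytes.fromhex("0578808002")))
```

A reader that follows the SAK will never send RATS to a target with bit 6 clear, so the ATS only becomes visible if the reader issues RATS regardless; that is why the check above is worth running explicitly rather than trusting the SAK alone.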

Tag Memory

The tag has 488 bytes of memory in total (split into 122 blocks with 4 bytes each) filled with the following data:

     0: 2E 02 0D 0C     1: 00 00 00 00
     2: 00 00 FF FF     3: E1 11 3C 0F
     4: 00 00 00 01     5: 03 78 30 35
     6: 03 31 D4 0F     7: 1F 61 6E 64
     8: 72 6F 69 64     9: 2E 63 6F 6D
    10: 3A 70 6B 67    11: 63 6F 6D 2E
    12: 67 6F 6F 67    13: 6C 65 2E 61
    14: 6E 64 72 6F    15: 69 64 2E 77
    16: 65 61 72 61    17: 62 6C 65 2E
    18: 61 70 70 FE    19: FF FF FF FF
    20: 30 A8 DB F2    21: 43 1C FF FF
    22: 30 A8 DB F5    23: 2A 78 FF FF
    24: 14 39 2D 4D    25: F2 6A 91 40
    26: FF FF FF FF    27: FF FF FF FF
   ...: FF FF FF FF   ...: FF FF FF FF
   120: FF FF FF FF   121: FF FF FF FF
  • The static lock bits (block 2, bytes 2 and 3) are all set (indicates locked state).
  • Block 3 contains a capability container for a Type 2 tag (magic byte 0xE1).
  • However, the mapping version number 1.1 (0x11) does not comply with any of the current mapping version documents provided by the NFC Forum! The only mapping version number that is currently defined (as of version 1.2 of the NFC Forum Type 2 Tag Operation specification) is 1.0.
  • Block 4 contains 3 NULL TLVs (0x00) and the first byte of a Lock Control TLV (tag 0x01).
  • The Lock Control TLV indicates that there are 48 lock bits located starting at byte position 232 (= 7 * 2^5 + 8), i.e. 6 bytes starting at block 58. These bytes read FF FF FF FF FF FF, so all lock bits are set. Each lock bit locks 3 bytes, so they indicate that blocks 16 to 51 are locked.
  • Block 6 contains the start of an NDEF Message TLV (tag 0x03, length 0x31). The NDEF message consists of a single NDEF record (Android Application Record for app com.google.android.wearable.app):
+--------------------------------------------+
| TNF:  EXTERNAL TYPE                        |
| Type: urn:nfc:ext:android.com:pkg          |
+--------------------------------------------+
| Payload: com.google.android.wearable.app   |
+--------------------------------------------+
  • Block 18 contains a Terminator TLV (tag 0xFE) indicating the last TLV block within the tag memory area.
  • Blocks 20 and 21 (first 2 bytes of block 21) contain the Bluetooth device address (30:A8:DB:F2:43:1C).
  • Blocks 22 and 23 (first 2 bytes of block 23) contain something that looks like a Bluetooth address too (30:A8:DB:F5:2A:78).
  • Blocks 24 and 25 contain the device serial number.
  • The remaining blocks are all filled with FF FF FF FF.

To summarize this, the NFC tag contains a static NDEF message that is used to launch the companion app on an NFC-enabled Android smart phone and to discover the peer Bluetooth address of the smart watch. Moreover, there are some hints that this NFC tag might be emulated using a full-blown NFC controller.
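To make the walk through the tag memory reproducible, here is an added example (not code from the original post) that parses the dump printed above: it reads the capability container, walks the TLV area (NULL, Lock Control, NDEF Message and Terminator TLVs, including the three-byte length form), resolves the Lock Control TLV to the byte address and the locked block range, decodes the NDEF message into records and extracts the Android Application Record and the Bluetooth address. The dump is the page's own; blocks 26 to 121 are padded with FF as the page states. Function names are my own.

```python
"""Parse the Type 2 Tag memory dump read from the SWR50.

Added example, not part of the original post. The dump is the one printed on the
page; decoding follows the NFC Forum Type 2 Tag Operation and NDEF specifications.
"""
import struct

DUMP_HEX = (
    "2E020D0C 00000000 0000FFFF E1113C0F 00000001 03783035 0331D40F 1F616E64 726F6964 "
    "2E636F6D 3A706B67 636F6D2E 676F6F67 6C652E61 6E64726F 69642E77 65617261 626C652E "
    "617070FE FFFFFFFF 30A8DBF2 431CFFFF 30A8DBF5 2A78FFFF 14392D4D F26A9140"
)
BLOCKS = 122  # 122 blocks of 4 bytes = 488 bytes


def load_dump(hex_blocks=DUMP_HEX, blocks=BLOCKS):
    """Flatten the printed block dump into bytes, FF-padded to the full tag size."""
    mem = bytes.fromhex(hex_blocks.replace(" ", ""))
    return mem + b"\xff" * (blocks * 4 - len(mem))


def parse_cc(mem):
    """Capability container in block 3 (bytes 12..15)."""
    magic, version, size, access = mem[12:16]
    return {
        "magic_ok": magic == 0xE1,
        "version": (version >> 4, version & 0x0F),  # 0x11 -> (1, 1)
        "data_area_bytes": size * 8,                # 0x3C -> 480 bytes
        "write_access": access & 0x0F,              # 0xF = no write access
    }


def parse_tlvs(mem, start=16):
    """Walk the TLV area from block 4 until a Terminator TLV or the end of memory."""
    tlvs, i = [], start
    while i < len(mem):
        t = mem[i]
        if t in (0x00, 0xFE):            # NULL and Terminator TLVs carry no length field
            tlvs.append((t, b""))
            if t == 0xFE:
                break
            i += 1
            continue
        hdr = 4 if mem[i + 1] == 0xFF else 2            # three- or one-byte length form
        length = struct.unpack(">H", mem[i + 2:i + 4])[0] if hdr == 4 else mem[i + 1]
        tlvs.append((t, mem[i + hdr:i + hdr + length]))
        i += hdr + length
    return tlvs


def decode_lock_control(value, mem):
    """Lock Control TLV: where the dynamic lock bits are and which blocks they lock."""
    pos, size_bits, ctrl = value
    bytes_per_page = 1 << (ctrl & 0x0F)                 # 0x5 -> 2**5 = 32 bytes per page
    addr = (pos >> 4) * bytes_per_page + (pos & 0x0F)   # 7 * 32 + 8 = 232
    lock_bits = mem[addr:addr + (size_bits + 7) // 8]   # 48 bits -> 6 bytes
    # Dynamic lock bits cover the data area after the 64 bytes governed by the static lock bytes.
    last_locked_byte = 64 + size_bits * (ctrl >> 4) - 1 # 3 bytes per lock bit
    return {
        "byte_addr": addr,
        "block": addr // 4,
        "size_bits": size_bits,
        "all_set": all(b == 0xFF for b in lock_bits),
        "locked_blocks": (16, last_locked_byte // 4),     # (16, 51)
    }


def parse_ndef(msg):
    """Decode NDEF records (short and normal record layout, optional ID field)."""
    records, i = [], 0
    while i < len(msg):
        hdr, type_len = msg[i], msg[i + 1]
        if hdr & 0x10:                                   # SR: 1-byte payload length
            payload_len, i = msg[i + 2], i + 3
        else:
            payload_len, i = struct.unpack(">I", msg[i + 2:i + 6])[0], i + 6
        id_len = 0
        if hdr & 0x08:                                   # IL: ID length byte present
            id_len, i = msg[i], i + 1
        rtype, i = msg[i:i + type_len], i + type_len
        rid, i = msg[i:i + id_len], i + id_len
        payload, i = msg[i:i + payload_len], i + payload_len
        records.append({"tnf": hdr & 0x07, "type": rtype, "id": rid, "payload": payload})
        if hdr & 0x40:                                   # ME: last record of the message
            break
    return records


def android_application_record(records):
    """Package name carried by an Android Application Record, if there is one."""
    for r in records:
        if r["tnf"] == 0x04 and r["type"] == b"android.com:pkg":
            return r["payload"].decode("ascii")
    return None


def analyse(mem):
    out = {"uid": mem[0:3] + mem[4:8], "cc": parse_cc(mem)}   # byte 3 is BCC0, not UID
    for tag, value in parse_tlvs(mem):
        if tag == 0x01:
            out["lock_control"] = decode_lock_control(value, mem)
        elif tag == 0x03:
            out["records"] = parse_ndef(value)
            out["aar"] = android_application_record(out["records"])
    out["bt_address"] = ":".join(f"{b:02X}" for b in mem[80:86])  # blocks 20 and 21
    return out
```

Running analyse(load_dump()) yields the same findings as the list above: mapping version (1, 1), a 480-byte data area with write access denied, 48 dynamic lock bits at byte 232 (block 58) that are all set and cover blocks 16 to 51, a single external-type record for com.google.android.wearable.app, and the Bluetooth address 30:A8:DB:F2:43:1C.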

NFC API

Next, I wanted to dig into the NFC capabilities that are provided to app developers through the Android API. Unfortunately, requesting an instance of the NFC adapter fails as the getDefaultAdapter() method returns null:

import android.content.Context;
import android.nfc.NfcAdapter;
import android.nfc.NfcManager;

// mContext is the app's Context; the NFC service exists even on devices without an NFC stack
NfcManager nfcMgr = (NfcManager)mContext.getSystemService(Context.NFC_SERVICE);
NfcAdapter nfcAdapter = nfcMgr.getDefaultAdapter();  // -> null on the SWR50

This is a clear indication that there is no Android NFC stack available on the device. In addition there is a log message that the device does not support NFC:

V/NFC: this device does not have NFC support

Moreover, looking at the system features, none of the NFC-related ones are declared:

import android.content.pm.PackageManager;

PackageManager pkgMgr = mContext.getPackageManager();
boolean featureNfc = pkgMgr.hasSystemFeature("android.hardware.nfc");      // PackageManager.FEATURE_NFC -> false
boolean featureHce = pkgMgr.hasSystemFeature("android.hardware.nfc.hce");  // PackageManager.FEATURE_NFC_HOST_CARD_EMULATION -> false

As both featureNfc and featureHce are false, neither NFC (android.hardware.nfc) nor HCE (android.hardware.nfc.hce) is available.

Consequently, there currently is no NFC API available on the SWR50.

Firmware / Android System

Last, I decided to run adb shell to analyze the file system of the smart watch Android firmware. The interesting things that I found are:

  • There is a file named BCM43341B0_002.001.014.0122.0174.hcd under /system/vendor/firmware, so it seems that the watch contains Broadcom's BCM43341 quad-radio chip which also contains an NFC controller.
  • /proc/misc lists a bcm2079x device driver. The BCM2079x family is Broadcom's family of NFC controllers. This is also the type of NFC controller that's integrated into the BCM43341. Consequently, it seems that the low-level driver necessary to interact with the NFC controller (that is supposedly integrated into the smart watch) is compiled into the kernel. This does not necessarily mean that the driver can actually be used to communicate with the NFC controller though.
  • There is no NFC service app (Nfc*.apk) on the /system partition. This confirms what we already found out with our analysis of the NFC API: There is no NFC stack integrated into the Android system and, consequently, there is no NFC functionality accessible from apps.

So, even though there might be support for NFC from the hardware side and the kernel side, the user-space part of the NFC stack is missing. Though, the kernel driver might just as well point to nowhere (i.e. might not represent a device that is actually backed by hardware). And the firmware of the BCM43341 might be coded in a way that the NFC controller simply emulates the Type 2 tag while being inaccessible from the operating system.

Summary

After some hands-on experimenting, testing and exploring the file system of the Android OS on the watch, it seems that, unfortunately, the description in the white paper is right. At least for now, the smart watch exposes only an NFC tag with a static NDEF message that is used to launch the companion app for the watch. No NFC functionality is accessible through apps. However, seeing that the watch contains a BCM43341 featuring a full-blown NFC controller as well as the fact that the bcm2079x device driver is compiled into the kernel give us a bit of hope that the watch may support more NFC functionality in the future (either through an official firmware upgrade or through some custom ROM).
