Mifare DESFire communication is routed to HCE instead of off-host (UICC) on several Android devices.
From OMAPI-based communication with off-host secure elements, I already learned how to add AIDs to the Android off-host routing table, so that I can select them on the UICC. (Thanks to @MichaelRoland)
My current problem: I do have a virtual Mifare DESFire card on my UICC. Now some devices do not route my native wrapped Mifare commands to the UICC and I still do not have a switch to change the default routing. So I wanted to have another entry in my off-host routing table, but I do not know which AID to use.
There is a PICC application AID of our MIFARE DESFire test application F01010. This is the AID that is used for selecting the application on CLT interface, but this cannot be entered to Android off-host routing table. In addition, we have two additional AIDs related to the MIFARE DESFire application. This is the Virtual Card Manager AID (A0000003964D344D1400000000000000) and the Service Manager AID (A0000003964D344D2400000000000000).
But which AID do I have to insert into the routing table?
Android (and probably the NFC controllers themselves) currently only supports routing configuration based on ISO/IEC 7816-4 AIDs/DF names. You can't add routing for native DESFire AIDs (i.e. those 3 byte AIDs) nor for all native wrapped communication.
What you can do:
Assign your DESFire applications an ISO/IEC 7816-4 DF name during application creation. This DF name is an AID that can be specified in the Android off-host routing configuration. However, you need to use the DESFire ISO command set (and specifically issue a SELECT FILE (by DF name) command to select your DESFire application) to trigger the AID based routing.
DESFire EV1 itself has the AID/DF name D2 76 00 00 85 01 00. If your reader selects this AID (using a SELECT FILE (by DF name) command), the DESFire card will switch to ISO framing (ISO commands and wrapped native commands allowed) and select its master file. You can register this AID with Android to route all DESFire communication to the UICC. However, each reader needs to start the DESFire communication by sending that SELECT FILE command.
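An added example, not part of the original answer and not Android's code: a simplified Python model of AID-based routing that shows why a reader session of wrapped native commands stays on the default route until a SELECT (by DF name) for a registered AID is sent. The function names, the `host`/`UICC` labels and the routing model are assumptions made for illustration; the AIDs are the ones quoted on this page.

```python
# Simplified model (assumption): only an ISO 7816-4 SELECT by DF name can change
# the routing destination; every other APDU follows the current destination.
DESFIRE_DF_NAME = bytes.fromhex("D2760000850100")  # DESFire EV1 DF name from the answer
NATIVE_AID = bytes.fromhex("F01010")               # 3-byte native AID, as written in the question

def select_by_df_name(df_name: bytes) -> bytes:
    """Build SELECT (CLA 00, INS A4, P1 04 = by DF name, P2 00) with Le = 00."""
    if not 5 <= len(df_name) <= 16:   # Android accepts AIDs of 5 to 16 bytes only
        raise ValueError("AID must be 5..16 bytes to be registered for routing")
    return bytes([0x00, 0xA4, 0x04, 0x00, len(df_name)]) + df_name + b"\x00"

def wrap_native(cmd: int, data: bytes = b"") -> bytes:
    """Wrap a DESFire native command in ISO 7816-4 framing (CLA 90, P1 = P2 = 00)."""
    body = bytes([len(data)]) + data if data else b""
    return bytes([0x90, cmd, 0x00, 0x00]) + body + b"\x00"

def routable_aid(apdu: bytes):
    """Return the DF name carried by a SELECT-by-name APDU, else None."""
    if len(apdu) >= 5 and apdu[0] == 0x00 and apdu[1] == 0xA4 and apdu[2] == 0x04:
        lc = apdu[4]
        if len(apdu) >= 5 + lc:
            return apdu[5:5 + lc]
    return None

def route(apdus, table, default="host"):
    """Return the destination chosen for each APDU of one reader session."""
    dest, decisions = default, []
    for apdu in apdus:
        aid = routable_aid(apdu)
        if aid is not None:           # a SELECT re-evaluates the routing table
            dest = table.get(aid, default)
        decisions.append(dest)
    return decisions

def demo():
    table = {DESFIRE_DF_NAME: "UICC"}                  # constructed off-host entry
    native = [wrap_native(0x5A, NATIVE_AID),           # SelectApplication, wrapped
              wrap_native(0x60)]                       # GetVersion, wrapped
    without_select = route(native, table)
    with_select = route([select_by_df_name(DESFIRE_DF_NAME)] + native, table)
    return without_select, with_select

if __name__ == "__main__":
    for label, result in zip(("native only", "ISO SELECT first"), demo()):
        print(f"{label:17s} -> {result}")
```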