Tags: c, nfc, mifare, ndef

Where are the NFC PC/SC commands documented?


I have an NFC reader attached to my Windows PC, and I've written a C program to use the Windows SCARD API (in C). This involves executing the following SCARD API methods from winscard.dll:

  • SCardEstablishContext: to initialize a context
  • SCardListReaders: to enumerate the readers available
  • SCardGetStatusChange: to check if an NFC tag is present on a reader
  • SCardConnect: to connect to the NFC tag when it is present
  • SCardTransmit: to exchange a request/response with the NFC tag

The above commands are well-documented in the Microsoft online help. And my C code that calls the above API methods works great. When my program calls the SCardTransmit method, I send the following sequence of 5 bytes to the NFC tag:

0xFF 0xCA 0x00 0x00 0x00

I have no idea what these 5 bytes mean, or how this message was constructed-- I found this byte sequence in a couple of NFC tutorials online with no explanation. When the SCardTransmit method returns, the receive buffer is populated with 9 bytes:

0x04 0x3c 0xf4 0x1d 0x6f 0x61 0x80 0x90 0x00

The first 7 bytes are the UID of the NFC tag. I have no idea what the last two bytes 0x90 0x00 mean.

My question is, where are these low-level NFC commands documented? I have absolutely no idea how the sequence 0xFF 0xCA 0x00 0x00 0x00 was constructed. Why does the command start with 0xFF? What does 0xCA mean? Why are there 3 zero bytes?

The only way I knew to send 0xFF 0xCA 0x00 0x00 0x00 in the request was from reading a couple of NFC tutorials online, and they say that these 5 bytes query the NFC tag's UID. And it works. But where is this command documented? Where are all the other low-level NFC commands documented?

For example, if I want to read a memory block from the NFC tag, what sequence of request bytes would I send with SCardTransmit? No one seems to talk about these low-level commands that you use to interact with the NFC tag.


Solution

  • Without details of the reader hardware and the NFC Tag hardware used it is difficult to exactly answer, but here are some pointers.

    First is the reader hardware; details can be found in its datasheet. For example, a common USB reader is the ACR122U, and its datasheet outlines in section 4.1 that 0xFF is a "Pseudo-APDU" for sending to non-ISO 7816 (NFC Type 4) Tags; specifically, 0xCA 0x00 0x00 0x00 asks a Mifare Classic (non-NFC-standard) Tag for its ID.

    As you can see it returns the ID plus 90 00h, which is the APDU "The operation completed successfully." code.

    More standard commands are available in the reader's datasheet.

    You can get more details about the commands that each type of Tag supports from the Tag's datasheet, e.g. the Mifare Classic or NTAG21X (NFC Type 2).

    Usually a Tag can support more than the minimum command set required by the NFC Type standards. Links for each NFC Type standard: Type 1, 2, 3, 4.

    NFC Type 4 tags support ISO 7816-4 APDUs, but APDUs are very flexible: there are some industry-standard commands, but again individual Tags can support additional commands.

    Finally, to round things off, there is the NDEF standard NFC Data format that is used to store data in a standard way on NFC Standard Types of Tags (more details here).
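As an added illustration (not part of the question or the answer above), here is the APDU framing the answer describes, written as plain C that never touches winscard.dll: it holds the 5-byte GET DATA pseudo-APDU from the question and splits the 9-byte response from the question into the UID and the 90 00 status word. The helper names are my own; a real program would pass `GET_UID_APDU` to SCardTransmit and hand the byte count SCardTransmit reports to these helpers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Command APDU layout sent through SCardTransmit: CLA INS P1 P2 Le.
 * CLA=0xFF is the reader's pseudo-APDU class (answered by the reader, not the tag),
 * INS=0xCA is GET DATA, P1=P2=0x00 selects the UID, Le=0x00 means "return all". */
static const uint8_t GET_UID_APDU[5] = { 0xFF, 0xCA, 0x00, 0x00, 0x00 };

/* Response quoted in the question: 7-byte UID followed by SW1 SW2 = 90 00. */
static const uint8_t SAMPLE_RESPONSE[] =
    { 0x04, 0x3c, 0xf4, 0x1d, 0x6f, 0x61, 0x80, 0x90, 0x00 };

/* The status word is always the last two bytes of a response; 0 if too short. */
uint16_t status_word(const uint8_t *resp, size_t n) {
    if (n < 2) return 0;
    return (uint16_t)((resp[n - 2] << 8) | resp[n - 1]);
}

/* Data bytes preceding the status word; 0 if malformed or SW is not 90 00. */
size_t uid_length(const uint8_t *resp, size_t n) {
    if (n < 2 || status_word(resp, n) != 0x9000) return 0;
    return n - 2;
}

/* Write the UID as "04:3C:..." into out; returns UID byte count, 0 on error.
 * n must be the length SCardTransmit reported (pcbRecvLength), not the
 * size of the receive buffer, or trailing garbage would be read as data. */
size_t uid_hex(const uint8_t *resp, size_t n, char *out, size_t cap) {
    size_t len = uid_length(resp, n);
    if (len == 0 || cap < len * 3) { if (cap) out[0] = '\0'; return 0; }
    for (size_t i = 0; i < len; i++)
        sprintf(out + i * 3, "%02X%s", resp[i], i + 1 < len ? ":" : "");
    return len;
}

int main(void) {
    char hex[64];
    size_t n = sizeof SAMPLE_RESPONSE;
    printf("command:");
    for (size_t i = 0; i < sizeof GET_UID_APDU; i++) printf(" %02X", GET_UID_APDU[i]);
    printf("\n");
    if (uid_hex(SAMPLE_RESPONSE, n, hex, sizeof hex))
        printf("UID %s (SW %04X)\n", hex, status_word(SAMPLE_RESPONSE, n));
    else
        printf("error: SW %04X\n", status_word(SAMPLE_RESPONSE, n));
    return 0;
}
```

Check the status word before trusting the data: a response shorter than two bytes, or any SW other than 90 00, means the UID bytes must not be used.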