A quick check (analyzing the signals on the SWP pin of a UICC inserted into the device) revealed that the Nexus 5 is not activating the SIM as an NFC secure element (neither at boot nor when putting the phone on a smartcard reader).
However, I found two interesting files on the device's system partition:
/system/etc/libnfc-brcm-20791b05.conf
and/system/etc/libnfc-brcm.conf
.
These two files seem to provide the configuration for the NFC controller (the first one a chip-sepecific configuration and the second one a chip-family specific one?).
After unlocking the bootloader, I was able to modify those files through adb by booting a clockworkmod recovery image, so I did some experimenting with the configuration parameters.
The result is that I managed to let the device activate the UICC (UICC was activated and registered its CE gates through SWP?), the device sometimes even notified the UICC about field status changes. However, with none of my modified configurations, I was able to get the reader to smoothly discover card emulation (this was working before, when only HCE was available on the device) nor to communicate with the UICC.
The interesting parameters in /system/etc/libnfc-brcm.conf
seem to be:
NFA_MAX_EE_SUPPORTED
: This is currently set to 0. I tried a value of 3, which seems to be the default.ACTIVE_SE
: This is currently set to 0 (no active SE). I tried to uncomment that line to let the device use the first SE detected.NFA_HCI_STATIC_PIPE_ID_??
: Should not be necessary but on out GS4 this is set to 0x71 for ?? = F3 and F4.UICC_LISTEN_TECH_MASK
: This is set to 0x00 on our GS4.REGISTER_VIRTUAL_SE
: I left this as it was (== commented out).SCREEN_OFF_POWER_STATE
: I did not experiment with this, but on our GS4 this is set to 3 (screen-off CE).
The interesting parameters in /system/etc/libnfc-brcm-20791b05.conf
seem to be:
NFA_DM_START_UP_CFG
: I've tried the commented-out parameters for UICC and I tried to use the configuration from our GS4. The value starts with a length byte and is structured in TLV format (one tag byte, one length byte, parameter data). The relevant tag for UICC activation seems to beC2
, where the upper two bits in the second parameter byte disable the SWP interfaces of the NFC controller if set.NFA_DM_PRE_DISCOVERY_CFG
: The comments suggest that this need to be uncommented for UICC support.