COVID certificate and other large NDEFs

Not done with this quite yet :slight_smile:

Now I’m trying to reduce the load time. NFC transfer rates range from 106 to 424 Kb/s, which should be plenty fast enough for an 8KB NDEF to be transferred in under a second at even the lowest speed.

Sadly, Android is VERY inefficient and reads the NFC tag several times (and does a bunch of unfathomable operations too), which results in terrible load times.

So there’s value in bringing the NDEF to the smallest possible size with Android. The obvious way to do this is optimizing the size of the inline images. Here in this case, I have two: the EU flag and the QR code.

I thought I had done a pretty thorough job of finding the best possible compression manually, but apparently there’s even better. I just found this website: I fed it my lovingly hand-crafted PNGs and it managed to compress them even further, 16% smaller. Wow! This knocks almost 500 bytes off the final NDEF and it brings the load time under 2s.

I figured I’d share this site with you: if you too want to optimize your NDEFs and you have images in em, it might be worth running you images through that site. The performances are quite spectacular.


Great work and thanks for sharing @Rosco …its almost like you are back, or never left…:stuck_out_tongue_winking_eye:

I’m not. I’m not interacting in the sense of “having a conversation” in here. I know better now. I’m just dumping technical information for those who might look this stuff up, to spare them the effort of figuring all this out by themselves. And for me, when I can’t remember where the fuck I put my notes :slight_smile:

1 Like

Fair enough, appreciated and I like your note keeping strategy

1 Like

how about a GIF file?

PNGs are almost always smaller than GIFs for that sort of image (flags, icons, QR codes and such), especially at smaller size. But you’re correct, I did try GIFs too - you never know, they might be smaller in some circumstances :slight_smile:

There are smaller file sizes with different formats, but they’re all lossy compression schemes that are totally unsuitable for simple geometry shapes in an indexed color space such as a flag design or a QR code. But for images that involve mostly human interpretation of fuzzy features, such as a photograph to put in a vCard on your tag for instance, WEBP works wonders. See this:

The compressed Amal is 555 bytes!




I put mine onto my Vivokey as a link, I scanned into pdf, then a made the file a gif, on google and then hid the folder. Then I can also see who I actually share it with as well when they do scan it. I guess since it is on google though, I could do it at higher quality but ehhhhh.

1 Like

I looked into the format of the official EU Digital COVID Certificate QR code out of curiosity, and I found out how it works: basically it holds an encrypted string containing the vaccinated person’s name, date of birth, vaccination doses information, vaccine maker/type… To decrypt it, one must download the official public key. Simple and secure, and this is all documented and open-source (official repo here: eu-digital-green-certificates · GitHub, and the verifier here: GitHub - eu-digital-green-certificates/dgca-verifier-app-android: Repository for the dgca verifier android app.)

Now, you would expect a kajillion spinoff apps to scan EU COVID-19 certificate QR codes, right? I mean after all, all it takes is to download the official repo, slap a new start page, some ads, and voila: you can publish your very own COVID app in a matter of hours. Countless app developers do this sort of thing all the time to make a buck on the cheap.

Well, strangely enough, it turns out that’s not the case: I’ve looked just about everywhere, but I only found two:

  • VerificaC19 (Android and iOS), a fork of the official verifier from the Italian Ministry of Health (open-source too, repos here and here)

  • TousAntiCovid Verif, an application from some French dudes I don’t trust, that decodes the French version of the official EU QR code the French government publishes an app for called - unsurprisingly - TousAntiCovid. Because… France: they have to give everything their own funky French names.

That’s it. Plenty of apps to display the QR codes from official EU countries’ health administrations out there, but only those two available to the general public to scan and decode them, as far as I can tell. Amazing… I’m assuming the verification applications and software are done in-house by those who need it, like airlines, and aren’t published.

So here’s an idea: wouldn’t it be great if there was a DT fork of the EU COVID certificate verifier app that scanned the QR codes of course, like the others, but could also optionally read the QR code string off of an NFC tag? :slight_smile:

Imagine that: if such an app was available in the app stores, it would basically be the only game in town for anyone looking to scan and decode their EU COVID certificate QR code (and I’m sure I’m not the only one who’s curious about his own certificate). The app would provide this service, and also promote the idea of carrying the certificate in an implant at the same time. It might even draw the attention of the European health authorities.

It would have zero competition in the app stores for such applications in English: each time someone searches for “QR COVID certificate scanner” or “COVID certificate verification app” or something, they’d be almost 100% sure to hit the DT COVID app (considering how surprisingly hard it was to root out the aforementioned Italian and French apps), and they’d get to read about NFC implants in the app’s description. And DT, an obscure little biohacking company in the US, would provide a valuable health-related app at the same time.

Would that be great advertising or what?

EDIT: also, it would be possible to tie the string in the NDEF record and the app in an AAR record: if someone scanned the implant, it would redirect them to the DT COVID app on the Google Play store. I suppose the same sort of mechanism also exists in iOS.


I love this idea!! Even though I’m in the US and the EU certificate doesn’t apply, I definitely love this idea! Maybe I can figure something out to at least store my covid cert info somehow like that. Currently it is in text form as an ndef record on my NExT. :wink:

1 Like

What I heard here in Belgium that not everyone is allowed to ask and scan the QR code 🤷

And that the airline only sees a green screen or a red screen upon reading the QR code. Red = false qr code.

The technology is out there, it’s well-documented and there’s nothing secret about it. Nothing prevents anyone from decoding the string, or offering a decoder to do it.

What people and organizations are or aren’t allowed to do with it, that’s another matter - one for the court to decide probably, if someone is asked to produce the QR code inappropriately.

As for the airlines, I’m fairly certain they get to see the name and date of birth encoded in the QR code, because the airline employee needs to match them against the traveler’s passport. Otherwise anybody could present any old valid QR code from someone who’s had all their shots and board a flight no questions asked.

I got my flexDF2 in the mail today (thanks again Amal and Michelle - it went very smoothly, if not very cheaply :slight_smile:).

Of course, I promptly proceeded to write my COVID certificate on it - if only to make sure I’m not going to implant a brick this week-end.

Couple of observations that may be of interest:

  • The flexDF2 seems to have more range than my (ex-)flexM1. Quite a lot more actually: it’s still in its little test tube floating in chlorhexidine, and it hits like a freight train on all my cellphones. That bodes well for performances after it gets under my skin, as the skin of a middle-aged man is much thinner than a plastic test tube half-full of chlohexidine and a layer of air between the tube wall and the implant :slight_smile:

  • Here’s something new I’ve just discovered: if you have an Android app that registers an intent to read a DESFire without an NDEF (if it has an NDEF on it, the NDEF intent would take precedence of course), then it gets into a race with TagWriter. Net result: if you try to format the DESFire to stick an NDEF container on it, TagWriter says it works, but it doesn’t do anything. Maddening… until I realized my fucking PTA app was creating the problem. I formatted my flexDF2 on a vanilla cellphone with only TagWriter installed, no problem. My advice: when you do stuff to implants, save yourself headaches and use some older cellphone dedicated to the job.

  • The EV2 reads slower than the EV1. It takes a good 3 seconds for my COVID certificate to load where my EV1 test card takes less than 2 seconds. Oh well… Still, if this is important to you, bear that in mind.

Now I can’t wait to get that thing in my hand.


absolutely the DESFire chip is much more efficient than the grey market magic chips, particularly the “hicap” 70pF chips we use for the flexDF2 and xDF2 … those are designed for smaller inductors.


The actual bandwidth capabilities of the two chips are identical, but my hunch is that Android is doing some other :poop: on the ev2 before actually reading and processing the NDEF container. I would be curious to see a sniff log of an ev1 vs ev2 with the same data with the same phone.

1 Like

Public Transport Authority - the stupid app that pops up whenever I scan a DESFire that doesn’t contain an NDEF because it thinks it’s my bus card and I desperately need to buy a bus ticket or reload the card or something.

That is quite possible. Android is a champ at wasting precious NFC bandwidth - by an order of magnitude. My comment was just from a user’s experience point of view, not at all a judgment call on EV1 vs EV2.

I’ll get that to you when my liver is done processing the ethanol in my bloodstream.


I just did another “cheap” way to have my NExT bring up my COVID card info. I got one of those Immunabands which come printed with a QR code that links to my card information and picture. I basically just scanned the QR code on the band then and wrote that URL link to my NExT so when it’s scanned it also does the same thing. You can either scan the QR code or scan my hand with the NFC… :wink:

1 Like

this is very interesting, I am really curious to know the solution you adopted for writing on Next :thinking:

He just copied a hyperlink,

There are 2 crowds,

One wants it stored locally on the chip, which is harder to do… due to various reasons… but more secure

The other crowd is fine with it being stored online and just pointing a link at it,

1 Like

What an sublimely elegant way of summarizing the core point of this thread, which is: silly ole me is a member of the one-person paranoia club while everybody else moves on and does something more interesting with their life :slight_smile:

I never said it’s remotely secure, I just said they’re fine with it

Honestly if someone wants to steal or clone my vax data, I could probably care less

I’m absolutely certain the vaccine record system is broken in so many ways we just don’t know about yet lol

Guy just asked how the previous poster put in on a Next,
I realized it might have come off as biased so I edited my post