Reader feedback and discussion from my earlier post analyzing the fuzzy state of iPhone 7 FeliCa and its possible support of Apple Pay Octopus, resulted in some interesting information about the Pixel 3 Japanese FeliCa model. From FeliCa Dude’s epic Reddit Octopus on iPhone 7 post:
<reader comment> Regarding the Pixel though, are you sure that the non-Japanese Pixel 3 models even have an eSE <embedded secure element>? I was under the impression that these were HCE <host card emulation> only.
<Felica Dude answer> All the Pixel 3 devices have an eSE, but it might not be able to be enabled by the end-user, and even if it is possible, it won’t be provisioned. A teardown of the global edition Pixel 3 XL (G013C) reveals a <NXP> PN81B.
The NXP PN81 announced in February is all-in-one off the shelf global NFC chip that includes both the frontend NFC A-B-F hardware and the necessary embedded secure element (eSE) + keys for EMV, FeliCa and MIFARE. The odd thing is that the Google Pixel 3 Japanese model apparently doesn’t use the PN81 for FeliCa, and has a separate FeliCa chip sitting in the fingerprint sensor assembly inside the back case.
Google Pixel 3 JP SKU iFixit teardowns do not exist but I did run across an interesting article from the Keitai Watch site showing a Pixel 3 JP SKU being taken apart for repair at an iCracked repair shop.
Just for kicks, I called the iCracked shop and asked about repairing a faulty FeliCa Pixel 3 device. The Pixel 3 repair technician explained that a FeliCa chip replacement was not expensive because it is not on the motherboard, “it’s attached to the fingerprint sensor assembly.” Look carefully at the picture from Keitai Watch piece and you can see the back case with fingerprint sensor assembly that the technician was referring to.
This presents a very strange situation. All Pixel 3 SKUs have the FeliCa ready PN81 chip but don’t use it, while Pixel 3 Japan SKUs apparently have another separate FeliCa chip attached to the back case finger sensor assemble. Google alludes to this on the Pixel 3 support page: If you purchased your Pixel 3 or Pixel 3a phone in Japan, a FeliCa chip is located in the same area as the NFC. There is also the recent batch of Pixel 3a Japan SKUs with bad FeliCa chips, but reports of bad NFC (EMV) Pixel 3a international SKUs have not surfaced; this also suggests a separate FeliCa chip. Why have two FeliCa chips in a device when one will do?
My take is different from FeliCa Dude: the Pixel 3 does not use the PN81 eSE or ‘pie in the sky’ HCE for anything. Instead, Google Pixel 3 uses the Titan M chip Secure Enclave as the virtual eSE for EMV and MIFARE, similar to what Apple does with the A/S Series Secure Enclave. Titan M FeliCa support was either not ready, or Google wanted to test the Japanese market before making a custom hardware commitment.
The point of all this is that Google has laid the foundation for a global NFC Pixel 4 made possible by a custom Google chip. The Titan M is Google’s answer to Apple’s A/S Series Secure Enclave that can host any kind of virtual embedded secure element for any kind of transaction technology, from EMV to PBOC.
I might be wrong, but even if my virtual eSE on Titan M take is incorrect, taken all together with the NXP PN81 development, I think Pixel 4 will finally be the global NFC Android device that many have hoped for.