NFC Memory Dumps and Hex: Reading the Raw Bytes on a Tag

A memory dump is the raw, page-by-page contents of an NFC tag shown as hexadecimal — usually with an ASCII column beside it. Instead of reading the decoded URL or text record, you see the actual bytes the chip stores, including the parts a normal scan hides: the UID, the lock bytes, and the capability container. It is the closest you can get to looking at the silicon directly.

Quick answer

Most consumer NFC tags are NFC Forum Type 2 chips, and Type 2 memory is organized into pages of exactly 4 bytes each, per the NXP NTAG datasheet. A dump lists those pages in order, each as eight hex digits, next to the printable-character interpretation of the same four bytes. So a single line in a dump looks like this:

PAGE  HEX          ASCII
03    E1 10 6D 00  ..m.
04    03 2A D1 01  .*..

Read the hex left to right, one page per row, and you have the entire tag. The skill is knowing which page holds what.

How a tag's memory is laid out

The page count depends on the chip. An NTAG213, NTAG215, or NTAG216 has 45, 135, or 231 pages, giving 144, 504, or 888 bytes of user memory. The first few pages are reserved for the chip itself, and the rest is yours.

The blocks you'll always see

Pages 0 and 1 hold the serial number, the UID the reader announces the moment the tag wakes up. The very first byte is 04 on any NTAG — that is NXP's manufacturer ID under ISO/IEC 14443-3, so an opening 04 is a quick sign you are holding a genuine NXP chip.

Page 2 carries the static lock bytes in its last two bytes. Flip a bit there and the matching user page becomes read-only — permanently, since lock bits are one-time-programmable and cannot be cleared. That is the mechanism behind locking a tag.

Page 3 is the capability container, and it is the one worth memorizing. Its first byte is E1, the magic number that tells a phone "there is an NDEF message here." The next byte is the version, the third encodes the available size, per the NFC Forum Type 2 Tag specification. User data — your NDEF records — begins at page 4.

Step-by-step: dumping a tag and reading the hex

1. Hold the tag to your phone and start a scan in an app that exposes raw memory. A plain system scan only decodes the NDEF payload; you need a tool that reads pages.
2. The app issues the Type 2 READ command — opcode 0x30 — which returns 16 bytes, or four pages, at a time. Android exposes this through MifareUltralight.readPages() or a raw NfcA.transceive(), per the Android reference.
3. Walk down the hex column from page 0. Confirm the 04 manufacturer byte, find the E1 at page 3, and note where the 03 NDEF TLV starts in the user area.
4. Use the ASCII column to spot text. A URL or plain-text record shows up as readable characters; everything else is structural bytes that look like noise, which is normal.

Common problems and fixes

If pages past a certain point read back as all zeros or refuse to return, the tag is likely password-protected or locked. On iPhone this is more common, because Core NFC does not expose Ultralight authentication or password-protected pages — Android's lower-level stack reaches more of the chip. If the ASCII column is gibberish, that is expected for the header and lock pages; only record payloads are meant to be human-readable. And if a dump stops short of the chip's full size, you are usually looking at a smaller chip than you assumed — check the page count against the NTAG family.

Doing this on NFCore specifically

NFCore's Memory Dump shows the full hex grid with the ASCII column beside it, and it highlights the meaningful blocks for you: the UID pages, the static and dynamic lock bytes, the capability container, and where your NDEF data begins. You can scroll the whole chip page by page, copy the hex out for a bug report, and compare two tags side by side. It is a read view — NFCore shows you the bytes; it does not bypass passwords or copy protected cards. NFCore is free on the App Store and Google Play.

FAQ

What is an NFC memory dump?

It is the complete contents of a tag's memory shown as raw hexadecimal, page by page, usually with an ASCII column. It includes the UID, lock bytes, and capability container — not just the decoded NDEF message a normal scan returns.

Why is tag memory measured in pages?

NFC Forum Type 2 chips like NTAG address memory in 4-byte pages, and the READ and WRITE commands operate on those page boundaries. So a dump naturally lines up as one 4-byte row per page.

What does the byte E1 mean in a dump?

E1 is the NDEF magic number in the capability container at page 3. It tells a phone the tag is formatted to hold an NDEF message. Without it, most phones treat the tag as empty or unformatted.

Can an iPhone read a full memory dump?

Partly. iOS can read the open pages of a Type 2 tag, but Core NFC does not expose password-protected pages or Ultralight authentication, so a locked-down tag dumps more completely on Android.