
What Is Chip-Off Data Recovery and When Is It Necessary?
Chip-off data recovery physically removes NAND flash memory chips from the SSD circuit board and reads them on a dedicated chip reader, bypassing the controller. It is the last resort when the controller is destroyed beyond repair and cannot respond to any diagnostic commands.
This is not the first option. Firmware corruption recovery using the PC-3000 and board-level controller repair via Hakko microsoldering are always attempted before chip-off. These methods preserve the original controller and, critically, any encryption keys stored inside it. Chip-off is only used when the controller silicon is cracked, burned, or otherwise unable to power on.
Chip-off is destructive. The NAND chips are permanently removed from the board. The drive cannot be reassembled or returned to service afterward. Once the chips are desoldered, there is no going back to controller-based recovery. This is why we exhaust all other options first.
How Does the BGA Rework Process Work?
BGA rework uses controlled heat profiles to desolder NAND packages from the PCB without thermal damage to the silicon die. Each chip is then read individually, and the raw data is reconstructed by decoding the controller's interleaving and error correction algorithms.
- 01 NAND Identification
NAND flash chips are identified and cataloged on the PCB. Manufacturer, part number, die configuration, and number of chips are recorded. This determines the correct reader adapter and decoding parameters.
- 02 Underfill Removal & Controlled Desoldering
Some SSD manufacturers apply epoxy underfill adhesive beneath NAND BGA packages to improve shock resistance. This adhesive bonds the chip to the PCB & must be softened or chemically dissolved before desoldering can begin. Attempting to desolder a chip through cured underfill rips the copper pads off the PCB & fractures the silicon die.
After underfill is cleared, the Zhuo Mao BGA rework station heats each NAND package at precise temperature profiles to melt the solder balls without exceeding the thermal limits of the silicon die. Overheating destroys the NAND. Underheating tears pads from the PCB. Both are irreversible.
- 03 Raw NAND Reading
Cleaned chips are placed in a chip reader (PC-3000 Flash reader or equivalent). Raw hex data is dumped from each chip. This data is scrambled; it is not a readable file system.
- 04 Interleaving and ECC Reconstruction
The controller's specific data interleaving pattern (how it striped data across multiple chips) must be reverse-engineered. ECC (Error Correction Code) algorithms are applied to correct corrupted pages. The Flash Translation Layer and block mapping are reconstructed manually.
- 05 File System Extraction
Once the logical data layout is rebuilt, the file system is extracted and verified against expected directory structures. Files are delivered on your choice of return media.
Why Does Chip-Off Fail on Modern Encrypted Drives?
Hardware encryption renders chip-off useless when the controller holding the decryption key is destroyed. The NAND contents are AES-256 ciphertext. Without the key from the controller's secure enclave, brute-forcing the encryption is computationally infeasible with any current or foreseeable technology.
- Apple T2 and M-Series Macs
- All NAND data is hardware-encrypted with a key stored in the Secure Enclave on the T2 chip or M-series SoC. The SSD storage is soldered to the logic board. If the controller (or the entire SoC) is destroyed, the encryption key is gone. Chip-off returns only encrypted garbage. For details on recovery options that preserve the controller, see our Apple T2 chip data recovery and M-series soldered NAND recovery pages.
- Samsung NVMe (980 Pro, 990 Pro)
- Samsung's Elpis (980 Pro) and Pascal (990 Pro) controllers implement AES-256 hardware encryption by default, even without a user-set password. The Media Encryption Key lives in the controller's secure enclave. If the controller is destroyed, the key is gone and the NAND contents are unreadable ciphertext.
- Where Chip-Off Works
- Older SATA SSDs without hardware encryption, USB flash drives, SD cards, microSD cards, and some budget NVMe drives that do not implement hardware encryption. On these devices, chip-off produces unencrypted raw data that can be reconstructed into a usable file system.
If your drive uses controller-bound encryption (Apple T2/M-Series, Samsung Elpis/Pascal, most modern NVMe) and the controller is destroyed, the data is unrecoverable. The encryption key dies with the controller. The only path is restoring the original controller through board-level electrical repair or firmware intervention.
Chip-Off vs. Controller Repair: Which Do We Try First?
Controller repair is always attempted first. PC-3000 firmware recovery and board-level microsoldering preserve the original controller and its encryption keys. Chip-off is destructive, requires more labor, and cannot recover data from encrypted drives at all. We escalate to chip-off only after confirming the controller cannot be revived.
The escalation path for every SSD that arrives at our lab follows a strict order. First, we attempt firmware corruption recovery using the PC-3000 to communicate with the controller in technological mode. If the controller responds, we recover data without touching the hardware.
If the controller does not respond, we move to board-level repair: Hakko microsoldering to replace burned voltage regulators, rework cold solder joints on the controller BGA, or replace passive components. The goal is to restore enough controller functionality for PC-3000 access. If the controller silicon itself is cracked or burned through, and the drive does not use hardware encryption, chip-off is the final option.
We will tell you before starting chip-off if the drive uses hardware encryption. If it does, and the controller is beyond repair, we will tell you the data is unrecoverable rather than charge you for work that cannot succeed.
When Is Chip-Off the Only Recovery Option?
Chip-off becomes the only recovery option when an unencrypted SSD's controller is physically destroyed beyond any firmware or board-level repair. Four specific failure modes push a case past PC-3000 Technological Mode & Hakko microsoldering into chip-off territory: dead controller silicon, catastrophic PCB fracture, advanced liquid corrosion, & fire damage.
On encrypted drives, none of these scenarios lead to chip-off. If the controller holding the AES-256 key is beyond repair, the data is unrecoverable by any method. Chip-off on an encrypted SSD produces ciphertext with no key to decrypt it.
- Dead Controller Silicon (Cracked, Burned, or Electrically Destroyed)
- The controller IC is physically destroyed. A cracked BGA die, a burned-through package from voltage surge, or an electrical overstress event that fused internal traces. No SRAM loader, no firmware tool, & no Hakko microsoldering fix can communicate with dead silicon. If the drive used an unencrypted controller (Phison PS3111, SM2246EN, JMF670H), chip-off extracts raw NAND data directly.
- Catastrophic PCB Fracture from Impact
- Drop damage, crush force, or vehicular impact that severed copper traces between the controller & NAND across the multi-layer PCB. If the NAND BGA packages aren't physically cracked (NAND silicon is more resilient to blunt impact than the thin FR-4 substrate), they can be desoldered & read. PCB trace repair isn't feasible when fractures span multiple internal copper layers. See our physical damage recovery page for the full triage process.
- Advanced Galvanic Corrosion from Liquid Exposure
- Prolonged liquid contact (saltwater is the worst case) corrodes BGA solder joints under the controller. Ultrasonic cleaning can restore mild corrosion, but advanced galvanic damage eats through the copper pad stack beneath the controller BGA. When cleaning & board repair fail to restore continuity between the controller & its NAND bus, chip-off extracts the memory packages before corrosion reaches them. Time matters: corrosion migrates from the controller toward the NAND over days to weeks.
- Fire Damage to Controller & Passive Components
- Fire destroys the controller IC & passive components (capacitors, resistors, voltage regulators) at temperatures above 300°C. NAND packages, rated for reflow at 245°C peak, can survive brief fire exposure if the heat didn't reach the reflow threshold for the BGA solder. A charred PCB with intact NAND packages is a candidate for chip-off extraction, provided the drive used an unencrypted controller.
In every scenario above, chip-off is ONLY viable on unencrypted drives. If the destroyed controller held an AES-256 key fused to its silicon (Samsung Elpis/Pascal, Phison E12+, SM2259+, any modern NVMe), the data dies with the controller. No lab can change that.
Why Does DIY Chip-Off Fail?
Home chip-off attempts destroy the NAND silicon before any data can be read. The procedure requires a PC-3000 Flash reader, a Zhuo Mao BGA rework station with thermocouple-controlled profiles, BGA stencils matched to the chip's ball pitch, & controller-specific reconstruction software. The equipment alone costs over $10,000.
A consumer heat gun can't hold the 1.5 to 2.0°C/s ramp rate that SAC305 solder requires. It overshoots the 245°C peak within seconds, cracking the NAND die through thermal shock. One wrong temperature profile, & the only copy of your data is gone permanently.
Even if the chip survives extraction, the raw hex dump isn't readable. The controller's XOR scrambling keys, interleaving pattern, & FTL mapping must be reverse-engineered before a single file appears. PC-3000 Flash includes controller-specific modules for Phison and Silicon Motion reconstruction. Without that software, a raw NAND dump is noise.
Budget NAND Programmers Can't Reconstruct SSD Data
Forum posts recommend budget IC programmers (XGecu T48, TL866II+) for chip-off attempts. These devices cost under $200 & can read raw binary data from an unencrypted NAND or eMMC chip. The read step works. The reconstruction step doesn't.
A budget programmer dumps a binary blob with no understanding of the controller's XOR scrambling, interleaving order, or ECC algorithm. PC-3000 Flash includes controller-family-specific reconstruction modules that decode these parameters automatically for supported legacy flash families (older Phison and Silicon Motion controllers). A generic programmer produces a raw hex file that looks like random noise. The read hardware isn't the bottleneck; the reconstruction software is.
How Much Does Chip-Off Recovery Cost?
Chip-off is the most expensive recovery tier. The range is $1,200–$1,500, depending on the number of NAND chips, the controller's interleaving complexity, and the time required for data reconstruction. 50% deposit required. No data, no charge still applies. You receive a firm quote after a free evaluation.
Chip-off recovery: $1,200–$1,500. 50% deposit required. Free evaluation, firm quote, no data = no charge.
The cost is higher than firmware-level or controller repair recovery because chip-off requires physical desoldering, individual chip reading, interleaving reconstruction, and manual FTL rebuilding. A 4-chip SSD takes less time than a 16-chip enterprise drive with a complex striping pattern.
Chip-Off Pricing in Context
| Recovery Method | When Used | SATA SSD Price | NVMe Price |
|---|---|---|---|
| Firmware Recovery | Controller alive but firmware corrupted; PC-3000 Technological Mode | $600–$900 | $900–$1,200 |
| Board Repair | Dead PMIC, shorted capacitor, or failed voltage regulator; Hakko microsoldering | $450–$600 | $600–$900 |
| Chip-Off / NAND Swap | Controller destroyed on unencrypted drive; BGA rework & raw NAND reading | $1,200–$1,500 | $1,200–$2,500 |
A donor drive is a matching SSD used for its circuit board. Typical donor cost: $40–$100 for common models, $150–$300 for discontinued or rare controllers. +$100 rush fee to move to the front of the queue.
See our full SSD data recovery page for all pricing tiers & process details. Call (512) 212-9111 for a free evaluation.
BGA Thermal Profile for NAND Package Extraction
Lead-free BGA NAND packages use SAC305 solder (96.5% tin, 3% silver, 0.5% copper) with a solidus temperature of 217°C and a liquidus of 220°C. Extracting the chip requires a multi-stage thermal profile that raises the PCB temperature gradually to prevent thermal shock, die delamination, and the “popcorn effect” where trapped moisture causes catastrophic package cracking.
Heating a NAND package directly with a hot air gun without preheating the substrate creates a steep thermal gradient between the chip and the surrounding PCB. This differential warps the board, tears solder pads, and can fracture the silicon die internally. The Zhuo Mao BGA rework station used in our lab applies controlled bottom-side IR preheat to the entire PCB while the top-side nozzle targets only the NAND package. The Atten 862 hot air station handles smaller packages and precision touchup work.
Lead-Free NAND Extraction Thermal Profile
| Stage | Target Temperature | Ramp Rate | Dwell Time | Purpose |
|---|---|---|---|---|
| Preheat | 60°C to 120°C | 1.0 to 1.5°C/s | 45 to 60 seconds | Removes moisture from PCB substrate. Prevents thermal shock and board warpage. |
| Soak | 150°C to 190°C | 1.5 to 2.0°C/s | 60 to 90 seconds | Activates flux. Removes oxides from BGA solder ball surfaces. Equalizes temperature across the package. |
| Reflow | 235°C to 245°C | ~2.0°C/s | 12 to 18 seconds | Exceeds SAC305 liquidus (220°C). Time Above Liquidus must be minimized to prevent NAND die heat damage. |
| Cooling | Below 180°C | -2.0 to -3.0°C/s | Controlled descent | Prevents rapid contraction that causes internal package stress fractures. |
Temperature is measured via thermocouple at the solder joint under the BGA package, not at the nozzle exhaust. Nozzle readings do not reflect actual joint temperature and are unreliable for process control.
Atten 862 for Smaller Packages & Precision Touchup
The Zhuo Mao handles full-size BGA-152 & BGA-132 NAND packages on standard 2.5" SATA SSD boards. Smaller packages need different tooling. TSOP-48 chips on older USB flash drives, single-chip NAND packages on compact M.2 drives, & monolithic devices with exposed test pads all sit close to neighboring components that can't tolerate the Zhuo Mao's broader heat zone.
The Atten 862 hot air station addresses this gap. Its smaller nozzle diameter concentrates airflow on the target package without heating adjacent ICs or capacitors. Adjustable airflow rate (measured in liters per minute) prevents the thin M.2 PCB substrate from flexing during localized heating. After initial extraction on the Zhuo Mao, the Atten 862 handles precision touchup: cleaning residual solder from exposed PCB pads, reflowing stray solder bridges, & prepping the pad field for inspection under the stereomicroscope before the chip moves to the reader.
NAND Chip Reballing After Extraction
Extracted BGA NAND chips can't go straight into a reader socket. The desoldering process leaves irregular solder residue on the chip's ball pads: flattened remnants, bridged contacts, & oxidized surfaces that prevent reliable electrical connection with the PC-3000 Flash reader's ZIF socket pins.
Pad cleaning comes first. A Hakko FM-2032 iron with a fine chisel tip & copper solder wick removes residual solder from each pad. Chemical flux residue is washed off with isopropyl alcohol under the stereomicroscope. Clean, flat copper pads are the starting point for fresh solder ball placement.
Reballing uses a laser-cut stainless steel BGA stencil matched to the chip's ball pitch (typically 1.0mm for BGA-152 and BGA-132 NAND packages). The stencil aligns over the cleaned pads, solder paste is applied through the apertures, & a controlled reflow at 235 to 245°C forms uniform spherical contacts. The result: a chip with consistent solder ball geometry that seats cleanly in the reader's ZIF adapter.
The Multiboard carrier approach skips reballing entirely. Instead of restoring the BGA ball grid, the chip is soldered directly to a disposable carrier board that plugs into the PC-3000 Flash reader. Soldered connections provide higher signal integrity than ZIF socket contact, which matters on TLC & QLC NAND with tight read voltage margins. The tradeoff: each carrier is single-use.
NAND Reader Hardware and Chip Package Adapters
After extraction, each NAND chip connects to a PC-3000 Flash reader through package-specific adapters. The chip package determines which adapter is required: TSOP-48 uses a ZIF socket, LGA-52 uses dedicated land grid adapter plates, and BGA-152/132 chips can use either specialized ZIF socket adapters or be soldered to disposable Multiboard carrier modules for maximum signal integrity.
The PC-3000 Flash reader is purpose-built for raw NAND access. Unlike the PC-3000 SSD module (which communicates with controllers via SATA or NVMe protocol), the Flash reader bypasses the controller entirely and communicates directly with the NAND silicon through the chip's native ONFI or Toggle interface.
- TSOP-48 (Thin Small Outline Package, 48 pins)
- Found in older USB flash drives, SD cards, and lower-capacity SATA SSDs. The rectangular package has pins exposed along two edges. Adapters use a ZIF (Zero Insertion Force) socket: the chip slides in without soldering. This is the simplest package to interface with the reader.
- BGA-152 and BGA-132 (Ball Grid Array)
- The standard package on modern SATA and NVMe SSDs. Solder balls are arranged in a grid under the chip with no externally accessible pins. The PC-3000 Flash supports these chips via a specialized BGA-152/132 ZIF socket adapter (non-destructive) or via Multiboard Adapter modules where the chip is soldered to a disposable carrier board. Soldered Multiboard connections provide higher signal integrity than ZIF sockets, which matters for reading TLC and QLC NAND with tight voltage margins.
- LGA-52 (Land Grid Array, 52 pads)
- A flat-pad package (typically 14x18mm or 12x17mm) found in some compact flash storage devices. Requires a dedicated adapter plate with spring-loaded contact pins that press against the flat copper lands on the chip underside.
The Multiboard approach protects the primary PC-3000 Flash reader from repeated heat exposure. Each carrier board is inexpensive and disposable: the chip is soldered to the carrier, read, and the carrier is discarded. This prevents thermal fatigue damage to the reader's main board.
ONFI and Toggle DDR Interface Configuration
NAND chips communicate through one of two competing interface protocols, and the PC-3000 Flash reader must be configured for the correct one before reading begins. Wrong protocol selection produces garbage data or no response at all.
ONFI (Open NAND Flash Interface) is used by Micron, Intel, & SK Hynix. It runs in synchronous mode with a free-running clock signal that coordinates data transfers between the reader & the chip. Toggle DDR, developed by Samsung & Kioxia (formerly Toshiba), takes an asynchronous approach: a data strobe signal triggers reads on both rising & falling edges, doubling throughput without a dedicated clock line.
PC-3000 Flash identifies the protocol from the NAND chip's ID bytes during the READ ID command (0x90). The engineer confirms the setting against the chip's part number markings before starting a full dump. On a 16-chip SSD with 512GB of raw capacity, an incorrect protocol setting wastes hours of read time producing unusable output. Getting it right the first time is a basic competency check for any chip-off lab.
Multi-Die NAND Packages: Stacked Dies Inside a Single BGA Chip
A single BGA-152 NAND package can contain 4, 8, or 16 individual silicon dies stacked & wire-bonded inside one physical component. Reading the package as a single entity yields only a fraction of the data. The PC-3000 Flash reader must address each internal die separately through Chip Enable (CE) signal multiplexing.
SSD manufacturers stack dies to increase capacity without enlarging the package footprint. A 1TB SSD with four BGA-152 packages may contain 16 dies total (four per package). From the outside, each package looks identical. The die count is encoded in the chip's ID bytes, which the PC-3000 Flash reads during the initial READ ID command (0x90). The engineer cross-references the part number markings against the manufacturer's datasheet to confirm the target count before starting extraction.
Per the ONFI specification, each die inside a multi-die package is assigned to a Chip Enable (CE_n) signal or a Logical Unit Number (LUN). CE_n signals act as hardware select lines: asserting CE0_n activates the first die, CE1_n the second, & so on. When multiple dies share a single CE line, they're addressed by LUN identifiers through the ONFI command set. The PC-3000 Flash software must be configured with the correct number of CE targets & LUN topology. Misconfiguring this produces a partial dump that covers some dies but misses others entirely.
Multi-die packages also complicate reconstruction. SSD controllers interleave data across dies within the same package (die interleaving) to boost write throughput. The raw dump from each die contains fragments of the same logical file striped across multiple targets. The reconstruction software must de-interleave these fragments in the correct die order to produce a coherent disk image. Getting the die sequence wrong produces a file system where directory structures appear intact but file contents are scrambled.
How Is Raw NAND Data Reconstructed After Chip-Off?
Raw NAND data is not a readable file system. The controller applied error correction codes (ECC), data scrambling via XOR transforms, and proprietary interleaving before writing to the NAND. Chip-off recovery must reverse all three transformations to reconstruct usable data from the raw hex dump.
BCH vs. LDPC Error Correction
NAND flash cells degrade with each program/erase cycle. Electrons leak from floating gates, and read operations disturb adjacent cells. Controllers append ECC data to the spare area (Out-Of-Band region) of every NAND page to detect and correct bit errors before the host sees the data.
- BCH (Bose-Chaudhuri-Hocquenghem)
- The standard ECC algorithm for SLC and MLC NAND. BCH uses algebraic hard-decision decoding: each cell is read as binary 1 or 0. During chip-off recovery, the BCH polynomial can be detected from the raw dump and applied to correct bit errors. PC-3000 Flash supports automated BCH correction.
- LDPC (Low-Density Parity-Check)
- Required for TLC and QLC NAND where the raw bit error rate exceeds BCH's correction capacity. LDPC uses soft-decision decoding: instead of reading a simple 1 or 0, the controller takes multiple voltage measurements per cell to estimate the probability of the bit state. Chip-off recovery loses the controller's hardware LDPC engine. Reconstructing LDPC corrections from a raw hard-decision dump is computationally intensive and may require the original controller's read-retry voltage offset tables to decode heavily degraded pages.
Page Scrambling and XOR Key Extraction
Flash controllers scramble all data before writing it to NAND. This is not encryption; it is a data-integrity measure that prevents adjacent cells from holding identical charge states (which accelerates charge leakage). The controller generates a pseudo-random key and XORs it with the user data. Recovery requires XORing the raw dump with the same key to reverse the transformation.
XOR keys can be extracted by finding NAND regions the operating system filled with logical zeros (0x00). Since 0x00 XOR Key = Key, zero-filled regions store the pure scrambling key. NAND reconstruction tools scan physical dumps for repeating vertical bit patterns with distinctive geometric shapes (triangles, diagonals), which indicate an extractable XOR key.
Recovering Corrupted XOR Keys from Degraded NAND
On degraded NAND, the zero-filled regions used for XOR key extraction contain bit errors. A corrupted XOR key applied to the raw dump produces partially descrambled data: some pages decode cleanly while others remain noise. The fix is a bitwise majority vote across multiple key samples.
The engineer locates three or more separate NAND blocks known to contain zero-fill patterns (typically found at the end of the user partition or in unwritten spare capacity). Each block stores its own copy of the XOR key, but each copy has different random bit flips from NAND cell degradation. PC-3000 Flash compares these samples bit by bit. For each bit position, the tool takes the majority value across all samples: if two out of three copies read “1” at position N, the correct key bit is “1.” Random bit errors don't cluster at the same positions across physically separate blocks, so the majority vote cancels them out & produces a clean key.
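The zero-fill extraction and bitwise majority vote described above, run on a toy dump. This is an added example, not PC-3000 Flash code or the lab's tooling; the 32-byte key, the bit-flip positions and every function name are constructed for illustration.

```python
import random

KEY_LEN = 32  # constructed toy key length in bytes (real keys span pages or blocks)


def make_key(seed):
    """Build a reproducible pseudo-random scrambling key (constructed sample)."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(KEY_LEN))


def xor_bytes(data, key):
    """XOR data with key, repeating the key cyclically (static-key scrambler)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def flip_bits(buf, bit_positions):
    """Simulate NAND degradation by flipping the given bit positions."""
    out = bytearray(buf)
    for pos in bit_positions:
        out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)


def majority_vote(samples):
    """Recover a key from an odd number (>= 3) of noisy copies, bit by bit."""
    if len(samples) < 3 or len(samples) % 2 == 0:
        raise ValueError("need an odd number of samples, at least three")
    length = len(samples[0])
    if any(len(s) != length for s in samples):
        raise ValueError("all key samples must have the same length")
    threshold = len(samples) // 2
    key = bytearray(length)
    for i in range(length):
        for bit in range(8):
            ones = sum((s[i] >> bit) & 1 for s in samples)
            if ones > threshold:  # strict majority reads "1"
                key[i] |= 1 << bit
    return bytes(key)


def contested_bits(samples):
    """Bit positions where the samples are not unanimous (likely bit errors)."""
    first = samples[0]
    positions = []
    for i in range(len(first)):
        diff = 0
        for s in samples[1:]:
            diff |= s[i] ^ first[i]
        for bit in range(8):
            if (diff >> bit) & 1:
                positions.append(i * 8 + bit)
    return positions


def demo():
    true_key = make_key(2024)
    # A zero-filled region scrambled with the key stores the key itself:
    # 0x00 XOR key == key.
    stored = xor_bytes(bytes(KEY_LEN), true_key)
    # Three physically separate zero-fill blocks, each with different bit flips.
    samples = [
        flip_bits(stored, [3, 77, 200]),
        flip_bits(stored, [10, 130]),
        flip_bits(stored, [55, 199, 250]),
    ]
    recovered = majority_vote(samples)
    plaintext = b"constructed user data page"
    scrambled = xor_bytes(plaintext, true_key)
    return {
        "true_key": true_key,
        "recovered": recovered,
        "plaintext": plaintext,
        "descrambled": xor_bytes(scrambled, recovered),
        # Using one noisy copy directly leaves errors in the output.
        "descrambled_with_single_sample": xor_bytes(scrambled, samples[0]),
    }


if __name__ == "__main__":
    result = demo()
    print("key recovered:", result["recovered"] == result["true_key"])
    print("descrambled:", result["descrambled"])
```

The vote only works while errors stay uncorrelated: if two of three samples flip the same bit, the majority value is the wrong one, which is why the samples come from physically separate blocks.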
Dynamic XOR keys (used by Phison & newer Silicon Motion controllers) add a complication: the key changes per virtual block based on a static base key combined with a page-address-dependent seed. The majority-vote process must first isolate the static base component, then identify the dynamic seed generation algorithm. On controllers where the seed is derived from the block address, the engineer can predict the per-block key once the base key is clean. On controllers with cryptographically derived seeds, the base key alone isn't enough; the seed algorithm must be reverse-engineered from known plaintext patterns in the NAND service area.
Read Retry and Voltage Calibration on Degraded NAND
When NAND cells wear out, default read voltages produce uncorrectable bit errors. The chip reader must iterate through voltage offset tables to find threshold boundaries that separate valid cell states from noise. During chip-off, this calibration happens manually because the original controller's tuning data is gone.
A healthy TLC cell stores 3 bits across 8 voltage levels separated by defined margins. After thousands of program/erase cycles, electrons leak from charge storage layers & those margins shrink. The default reference voltages that cleanly distinguished L0 from L1 now sit in the overlap zone between adjacent states. QLC is worse: 16 voltage levels per cell with tighter margins from day one.
PC-3000 Flash addresses this with configurable read-retry offset tables. The engineer shifts reference voltages in small increments (typically 50mV to 100mV steps), re-reads the page at each offset, & evaluates the ECC correction result. A working controller does this automatically using calibration data stored in its SRAM. During chip-off, that calibration data doesn't exist. The engineer tests voltage offsets empirically, page by page, until the error rate drops below the LDPC correction threshold. On a 1TB TLC drive with degraded NAND, this process can add days to the reconstruction timeline.
Controller-Specific Scrambling Patterns
Silicon Motion controllers typically use a static XOR key applied cyclically across blocks. The key length often corresponds to the block size (e.g., 128 pages), and the same key repeats for every block on the chip. Phison controllers use dynamic XOR: each virtual block gets a unique key generated from a static base key combined with a dynamic seed. The dynamic component must be identified and stripped before the static key can be applied. SandForce controllers (SF-2281) combine real-time DuraWrite data compression with hardware encryption bound to the controller silicon (marketed as AES-256, though Intel discovered a silicon-level bug in 2012 that reduced effective strength to AES-128). Regardless of key length, the encryption key is fused to the controller die, making chip-off recovery infeasible when the controller is dead.
3D NAND Extraction: Layer Variation and Vertical Crosstalk
Modern SSDs use 3D NAND that stacks memory cells vertically in 128 to 232+ layers. Chip-off on 3D NAND is harder than on older planar (2D) NAND because error rates aren't uniform across the vertical stack. Each layer can need different read-retry voltage offsets.
Planar NAND spreads cells across a flat silicon surface. Every cell sits at the same distance from the substrate, experiences the same manufacturing conditions, & degrades at roughly the same rate. 3D NAND changes that. Cells at the bottom of a 176-layer stack are formed earlier in the deposition process than cells at the top. Process variation between layers creates non-uniform threshold voltage distributions: bottom-layer cells may read cleanly at the default reference voltage while top-layer cells in the same block produce uncorrectable errors.
Vertical crosstalk compounds the problem. Adjacent cells stacked along the Z-axis interfere with each other's stored charge. Programming a cell on layer 140 shifts the threshold voltage of the cell on layer 141 through capacitive coupling. Most 3D NAND architectures use Charge Trap Flash (CTF), which stores electrons in a silicon nitride insulator layer rather than the conductive polysilicon floating gate used in planar NAND. Some manufacturers (Intel, Micron) retained floating gate designs for multiple 3D NAND generations. CTF traps charge locally, which reduces lateral cell-to-cell interference but doesn't eliminate vertical coupling between stacked layers.
During chip-off, this means the PC-3000 Flash reader can't apply a single voltage offset table across the entire chip. The engineer tests read-retry parameters per block region, adjusting for layer-dependent variation. A 1TB 3D TLC chip with 176 layers takes measurably longer to dump cleanly than a 256GB planar MLC chip of the same physical package size.
How Is the Flash Translation Layer Rebuilt from Raw NAND?
After correcting bit errors and reversing scrambling, the raw data is readable but fragmented across thousands of physical blocks in non-sequential order. The Flash Translation Layer (FTL) maps logical addresses to physical NAND locations. When the controller dies, its FTL mapping tables (stored in volatile RAM) are lost. Recovery rebuilds this mapping from metadata embedded in each NAND page's spare area.
NAND flash cannot overwrite data in place. Every update writes to a new empty block and marks the old block obsolete. Over the lifetime of an SSD, a single logical sector may exist in dozens of physical locations. The controller's FTL maintained a real-time index of which physical copy was current. Without the controller, that index is gone.
When the controller is alive but its firmware is corrupted, PC-3000 can reconstruct the FTL through firmware-level recovery without ever desoldering a chip. Chip-off FTL reconstruction is the manual, from-scratch version of the same process. For a full overview of all SSD data recovery methods & pricing tiers, see the flagship service page.
Spare Area (OOB) Metadata and Sequence Numbers
Each NAND page contains a main data area (4KB, 8KB, or 16KB depending on the NAND generation) plus a smaller spare area, also called the Out-Of-Band (OOB) region. Controllers write metadata to this spare area on every page program operation: the Logical Page Number (the host address this physical page represents), block validity flags, and a sequence number that records the write order.
Sequence numbers are the key to reconstruction. When multiple physical pages claim the same logical address, the page with the highest sequence number is the most recent valid copy. Recovery tools parse the entire spare area dataset (which can span tens of gigabytes on large SSDs), extract the sequence numbers, and programmatically build a reverse mapping table that recreates the FTL. This table converts the fragmented physical dump into a linear disk image that a file system parser can mount.
Factory and Runtime Bad Block Handling
NAND flash chips ship from the factory with defective blocks. Per the ONFI specification, factory bad blocks are marked with a non-0xFF byte in the spare area of either the first or the last page of each bad block. The controller skips them during normal operation & maintains a factory defect map in its internal tables. During chip-off, those internal tables are gone.
PC-3000 Flash scans the spare area of every block in the raw dump to rebuild the bad block table from scratch. Factory markers (written by the NAND fabricator) must be distinguished from runtime bad blocks (blocks that failed during the drive's operational life & were remapped by the controller). Including a factory bad block in the reconstructed image corrupts the output. Excluding a runtime-remapped block that still holds valid data loses user files. The engineer cross-references block erase counts & ECC error rates per block to classify each marked block correctly.
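The spare-area parsing and bad-block scan from the two sections above, as an added Python example (not PC-3000 code and not the lab's tooling): it flags marked blocks, keeps the highest sequence number per logical page, and emits a linear image. The toy page geometry, the OOB field layout and the sample dump are constructed assumptions; classifying factory versus runtime marks is not modelled, so marked blocks are passed in as a skip set.

```python
import struct

# Constructed toy geometry; real parts use 4-16 KB pages and larger spare areas.
PAGE_DATA, PAGE_OOB, PAGES_PER_BLOCK = 16, 8, 4
PAGE_RAW = PAGE_DATA + PAGE_OOB
# Hypothetical spare-area layout (real layouts are controller-specific):
# marker byte, pad byte, 16-bit logical page number, 32-bit sequence number.
OOB_FMT = "<BxHI"
ERASED_LPN = 0xFFFF
ERASED_PAGE = b"\xff" * PAGE_RAW


def pages(dump):
    """Yield (block, page_in_block, data, oob) for each physical page."""
    for i in range(len(dump) // PAGE_RAW):
        raw = dump[i * PAGE_RAW:(i + 1) * PAGE_RAW]
        yield (i // PAGES_PER_BLOCK, i % PAGES_PER_BLOCK,
               raw[:PAGE_DATA], raw[PAGE_DATA:])


def marked_blocks(dump):
    """Blocks with a non-0xFF marker in the spare area of the first or last page."""
    return {block for block, page, _data, oob in pages(dump)
            if page in (0, PAGES_PER_BLOCK - 1) and oob[0] != 0xFF}


def rebuild_map(dump, skip=frozenset()):
    """Return {lpn: (seq, block, page)}, keeping the highest sequence number."""
    ftl = {}
    for block, page, _data, oob in pages(dump):
        if block in skip:
            continue
        _marker, lpn, seq = struct.unpack(OOB_FMT, oob)
        if lpn == ERASED_LPN:
            continue  # erased page, never programmed
        if lpn not in ftl or seq > ftl[lpn][0]:
            ftl[lpn] = (seq, block, page)
    return ftl


def linear_image(dump, ftl):
    """Lay out the current copy of each logical page in LPN order."""
    out = bytearray()
    for lpn in range(max(ftl) + 1 if ftl else 0):
        if lpn in ftl:
            _seq, block, page = ftl[lpn]
            off = (block * PAGES_PER_BLOCK + page) * PAGE_RAW
            out += dump[off:off + PAGE_DATA]
        else:
            out += b"\x00" * PAGE_DATA  # hole: no surviving copy
    return bytes(out)


def make_page(text, lpn, seq, marker=0xFF):
    """Build one constructed raw page: padded data followed by its spare area."""
    return text.ljust(PAGE_DATA, b".") + struct.pack(OOB_FMT, marker, lpn, seq)


def sample_dump():
    """Constructed 3-block dump; block 1 is marked and holds a stale page."""
    block0 = [make_page(b"A-old", 0, 1), make_page(b"B-v1", 1, 2),
              make_page(b"A-new", 0, 5), ERASED_PAGE]
    block1 = [make_page(b"junk", 1, 99, marker=0x00)] + [ERASED_PAGE] * 3
    block2 = [make_page(b"C-v1", 2, 3), make_page(b"B-v2", 1, 4),
              ERASED_PAGE, ERASED_PAGE]
    return b"".join(block0 + block1 + block2)


if __name__ == "__main__":
    dump = sample_dump()
    bad = marked_blocks(dump)
    print("marked blocks:", sorted(bad))
    print(linear_image(dump, rebuild_map(dump, skip=bad)))
```

Calling `rebuild_map(dump)` without the skip set lets the marked block's page win logical page 1 on its sequence number, which is the corrupted-output case the text describes.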
Chip-Off Reconstruction Complexity by NAND Type
| NAND Type | Bits per Cell | ECC Required | Reconstruction Difficulty |
|---|---|---|---|
| SLC | 1 | BCH (low redundancy) | Low. Reliable page structures, minimal bit errors, straightforward FTL patterns. |
| MLC | 2 | BCH (moderate) | Moderate. Shared-page programming and interleaving add complexity. Bit errors common but correctable. |
| TLC | 3 | LDPC (high redundancy) | High. Requires LDPC soft-decision data that chip-off cannot capture. Severe read-disturb and complex wear-leveling fragmentation. |
| QLC | 4 | LDPC (maximum) | Very high. 16 voltage levels per cell with tight margins. Pseudo-SLC cache areas require separate mapping and logical merging by FTL timestamps. |
How Does Controller Architecture Affect Chip-Off Reconstruction?
Chip-off reconstruction difficulty varies by controller family because each manufacturer implements FTL structures, XOR scrambling, & page mapping differently. The same physical extraction process yields raw NAND data, but the reconstruction software & parameter sets needed to reassemble that data into a readable file system change depending on who made the controller.
PC-3000 Flash includes controller-specific reconstruction modules. The engineer selects the correct module, loads the chip dump, & configures the block size, page size, XOR key type, & spare area format for that controller family. Getting these parameters wrong produces garbage output even when the raw dump is clean.
- Phison (PS3111): Phison stores FTL journal logs in the NAND service area rather than in dedicated DRAM. If those journal blocks are corrupted or erased, the engineer must scan every die to extract page-level metadata (LBA tags & sequence numbers) from the OOB spare areas & reconstruct the translator from scratch. The PS3111 is DRAM-less; its entire FTL lives in TLC NAND, which makes it vulnerable to corruption from P/E cycle exhaustion. Dynamic XOR scrambling on Phison generates a unique key per virtual block from a static base key combined with a dynamic seed. Both components must be identified before the data unscrambles.
- Silicon Motion (SM2246EN, SM2258): SMI uses a page mapping mode FTL with a well-defined mapping table stored in designated service blocks. The logical page number translates to a physical page number through a relatively standardized index. Static XOR keys are indexed by block size & repeat cyclically across the NAND. This cyclical pattern makes SMI reconstruction more predictable than Phison. The SM2246EN silicon supports AES encryption, but many budget drives (early Crucial & ADATA models) shipped with this feature disabled by the vendor, making those specific drives viable for chip-off extraction.
- Maxio (SATA Variants): Maxio SATA controllers (MAS0902A, MAS1102) use dynamic XOR scrambling that changes the key per page based on block address & page offset. PC-3000 Flash does not have a dedicated Maxio reconstruction module for raw NAND chip-off. Recovery from Maxio-based drives requires the original controller to be alive; PC-3000 SSD connects via SATA and uses Technological Mode to force the controller to decrypt its own data. Modern NVMe variants (MAP1602A) fuse AES-256 keys to the controller silicon, blocking chip-off entirely. If the Maxio controller is dead and board repair cannot revive it, the data is unrecoverable.
- Samsung (Proprietary Controllers): Samsung designs its own controllers (Phoenix, Elpis, Pascal) with no published FTL documentation. The block management scheme & page mapping structure differ from every other controller family. Chip-off on older unencrypted Samsung SSDs (pre-850 EVO era, before always-on encryption became standard) requires reverse-engineering Samsung-specific page markers & spare area formats that aren't shared with any other manufacturer. All Samsung NVMe drives (980 Pro, 990 Pro, 990 EVO) implement always-on AES-256 encryption, blocking chip-off entirely.
| Controller Family | XOR Type | FTL Storage | Chip-Off Complexity |
|---|---|---|---|
| Phison (PS3111) | Dynamic (base + seed) | NAND service area (DRAM-less) | High. Two-component key extraction required. |
| Silicon Motion (SM2246EN/SM2258) | Static (block-indexed) | Dedicated service blocks | Moderate. Predictable cyclical patterns. |
| Maxio (SATA variants) | Dynamic (page-level) | NAND with vendor-specific layout | Not viable. No PC-3000 Flash module exists. Requires live controller via PC-3000 SSD. |
| Samsung (proprietary) | Proprietary (undocumented) | Proprietary block management | Very high. No published documentation. Reverse-engineering required. |
Controller identification happens during the initial evaluation. We check the markings on the controller IC, cross-reference the drive model number against our internal database, & confirm the encryption status before quoting a price. This step is free & takes minutes. It determines whether chip-off is even worth attempting on a given drive.
How Are Monolithic Flash Devices Recovered?
Monolithic flash devices fuse the controller, NAND memory, and passive components into a single silicon package encased in epoxy. Standard BGA desoldering is not possible because there are no separate chips to remove. Recovery requires physically exposing internal test pads and discovering the proprietary pinout using a logic analyzer.
MicroSD cards, many modern SD cards, and compact USB flash drives use monolithic construction. The entire device is a single piece of molded plastic with no visible components. Monolithic NAND recovery is the most labor-intensive form of chip-off because every step, from physical access to signal identification, requires manual reverse-engineering specific to that device.
Exposing Internal Test Pads
The outer epoxy layer must be carefully removed to expose microscopic copper test pads on the silicon die surface. Technicians use fine-grit abrasives or fiberglass pens under a stereomicroscope. The goal is to remove enough material to expose the pads without grinding through the copper traces or the silicon itself. Removing too much material destroys the pads permanently. Removing too little leaves an insulating layer that prevents electrical contact.
Pinout Discovery via Logic Analyzer
Manufacturers do not publish pinout documentation for monolithic test pads. The technician discovers which pad corresponds to which NAND signal by probing with a logic analyzer while the device powers on. A standard 8-bit NAND interface requires identifying data lines D0 through D7, Command Latch Enable (CLE), Address Latch Enable (ALE), Write Enable (/WE), Read Enable (/RE), Chip Enable (/CE), and Ready/Busy (R/B).
The identification process captures the device's initialization sequence. When the device powers up, the controller issues a READ ID command (0x90) to the NAND die. The logic analyzer shows CLE going high while /WE pulses and 0x90 appears on the data bus. ALE goes high, address 0x00 is written, and /RE pulses as the chip transmits its manufacturer ID. By matching these signal patterns to physical pads, the technician maps the complete pinout.
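The READ ID pattern described above, as an added Python example (not the lab's tooling or PC-3000 code): a bus-cycle decoder over constructed logic-analyzer samples, plus a check of which probe channel carries which control signal. It assumes the data lines are already identified and that /WE and /RE are active-low; the channel order and the ID bytes 0xA1 0xB2 are constructed placeholders.

```python
from collections import namedtuple
from itertools import permutations

Sample = namedtuple("Sample", "cle ale we_n re_n data")
SIGNALS = ("cle", "ale", "we_n", "re_n")

# Constructed capture: four unlabelled control channels (ch0..ch3) plus data byte.
# Ground truth used to build it: ch0=/RE, ch1=CLE, ch2=/WE, ch3=ALE.
CAPTURE = [
    # ch0 ch1 ch2 ch3 data
    (1, 0, 1, 0, 0xFF),  # idle
    (1, 1, 1, 0, 0x90),  # CLE high, 0x90 on the bus
    (1, 1, 0, 0, 0x90),  # /WE low
    (1, 1, 1, 0, 0x90),  # /WE rising edge latches the command
    (1, 0, 1, 1, 0x00),  # ALE high, address 0x00 on the bus
    (1, 0, 0, 1, 0x00),  # /WE low
    (1, 0, 1, 1, 0x00),  # /WE rising edge latches the address
    (1, 0, 1, 0, 0xFF),  # bus released
    (0, 0, 1, 0, 0xA1),  # /RE low: chip drives first ID byte (placeholder)
    (1, 0, 1, 0, 0xA1),  # /RE rising edge ends the data-out cycle
    (0, 0, 1, 0, 0xB2),  # second ID byte (placeholder)
    (1, 0, 1, 0, 0xB2),
]


def label(capture, order):
    """Apply a candidate assignment: order[i] is the channel carrying SIGNALS[i]."""
    return [Sample(*(row[ch] for ch in order), row[4]) for row in capture]


def decode_cycles(samples):
    """Turn labelled samples into ('CMD'|'ADDR'|'DIN'|'DOUT', byte) bus cycles."""
    cycles = []
    for prev, cur in zip(samples, samples[1:]):
        if prev.we_n == 0 and cur.we_n == 1:    # /WE rising edge: host writes
            kind = "CMD" if prev.cle else "ADDR" if prev.ale else "DIN"
            cycles.append((kind, prev.data))
        elif prev.re_n == 0 and cur.re_n == 1:  # /RE rising edge: chip was read
            cycles.append(("DOUT", prev.data))
    return cycles


def find_read_id(cycles):
    """Return the bytes read after CMD 0x90 + ADDR 0x00, or None if absent."""
    for i in range(len(cycles) - 1):
        if cycles[i] == ("CMD", 0x90) and cycles[i + 1] == ("ADDR", 0x00):
            ids = []
            for kind, byte in cycles[i + 2:]:
                if kind != "DOUT":
                    break
                ids.append(byte)
            return bytes(ids)
    return None


def identify_control_lines(capture):
    """Return every channel assignment under which the capture decodes to READ ID."""
    hits = []
    for order in permutations(range(4)):
        if find_read_id(decode_cycles(label(capture, order))):
            hits.append(dict(zip(SIGNALS, order)))
    return hits


if __name__ == "__main__":
    for mapping in identify_control_lines(CAPTURE):
        print(mapping, find_read_id(decode_cycles(
            label(CAPTURE, [mapping[s] for s in SIGNALS]))).hex())
```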
PC-3000 Flash Spider Board Connection
After pinout discovery, the monolithic die connects to the PC-3000 Flash reader via the Spider Board adapter. The Spider Board has adjustable microscopic needle probes positioned under a stereomicroscope. Each needle is lowered onto a specific test pad. The Spider Board software assigns NAND signal names (ALE, CLE, D0 through D7) to individual needles, establishing a clean electrical connection without soldering to pads that are fractions of a millimeter wide.
eMMC and UFS Extraction from Mobile and IoT Devices
eMMC (embedded MultiMediaCard) & UFS (Universal Flash Storage) are NAND flash chips soldered directly to device mainboards in smartphones, drones, dashcams, & IoT hardware. When the device's application processor is destroyed but the flash chip survives, chip-off extraction recovers the stored data.
The physical extraction process uses the same Zhuo Mao BGA rework station, but eMMC & UFS packages are smaller (typically 11.5x13mm or 11x13mm BGA). eMMC communicates through a parallel MMC interface; UFS uses a serial MIPI M-PHY link with dedicated Tx/Rx lanes. PC-3000 Flash includes dedicated eMMC reading modes that handle the MMC protocol directly, bypassing the dead application processor.
Encryption is the barrier here, too. Most modern mobile SoCs (Qualcomm Snapdragon, Apple A-series, Samsung Exynos) encrypt eMMC & UFS storage with keys bound to the processor's secure enclave. If the SoC is destroyed, chip-off produces ciphertext. eMMC extraction is viable only on devices without full-disk encryption or where the encryption key can be recovered from a functioning processor. For full SSD data recovery pricing & methods, see the flagship service page.
eMMC chips use two common BGA package standards: BGA-153 (153-ball, defined by JEDEC MO-276) & BGA-169 (169-ball). Both packages support eMMC 5.1 and the HS400 interface mode (200 MHz, DDR) through an identical inner ball matrix that includes the Data Strobe (DS) pin required for HS400. The 16 additional balls on BGA-169 are outer-perimeter mechanical support pads, not signal pins. The PC-3000 Flash reader has dedicated eMMC reading modes for both package types, using BGA-to-board adapter plates sized for each ball count & pitch. The reader communicates directly through the MMC protocol at the speed the chip supports, bypassing the dead application processor entirely.
Which SSD Controllers Block Chip-Off Recovery?
Always-on AES-256 encryption in modern SSD controllers has made chip-off obsolete for most drives manufactured after 2015. The controller generates a Media Encryption Key (MEK) during manufacturing, fuses it into OTP memory on the controller die, & encrypts every NAND write transparently. Desoldering the NAND yields only ciphertext.
The table below maps specific controller families to their encryption status & chip-off viability. This isn't a marketing classification; it's based on the controller's silicon architecture. A controller either has hardware encryption fuses or it doesn't.
Encrypted Controllers: Chip-Off Returns Ciphertext
| Controller | Interface | Encryption | MEK Location | Chip-Off Viable? |
|---|---|---|---|---|
| Silicon Motion SM2259/XT | SATA 6Gb/s | AES-256 (always-on) | Controller silicon | No |
| Silicon Motion SM2262/EN | PCIe Gen3 x4 | AES-256 (always-on) | Controller silicon | No |
| Silicon Motion SM2264 | PCIe Gen4 x4 | AES-128/256 (always-on) | Controller silicon | No |
| Phison E12 (PS5012) | PCIe Gen3 x4 | AES-256, TCG Opal | OTP fuses | No |
| Phison E16 (PS5016) | PCIe Gen4 x4 | AES-256 | OTP fuses | No |
| Phison E18 (PS5018) | PCIe Gen4 x4 | AES-XTS 256 | OTP fuses | No |
| Marvell 88SS1074 | SATA 6Gb/s | AES-256 (always-on) | Controller silicon | No |
| Marvell 88SS1084/1100 | PCIe Gen3 x4 | AES-256 | Controller silicon | No |
| Realtek RTS5762/5763DL | PCIe Gen3 x4 | AES-256 | Controller silicon | No |
| Samsung Elpis/Pascal | PCIe Gen4 x4 | AES-256 (Class 0) | Fused to controller | No |
| WD/SanDisk proprietary | PCIe Gen3/4 | AES-256 (always-on) | Proprietary enclave | No |
Unencrypted Controllers: Chip-Off Is Viable
| Controller | Interface | Encryption | Common Drives | Chip-Off Viable? |
|---|---|---|---|---|
| Phison S11 (PS3111) | SATA 6Gb/s | None | Kingston A400, PNY CS900 | Yes (LDPC complexity) |
| Silicon Motion SM2246EN | SATA 6Gb/s | AES supported but often vendor-disabled | Early Crucial, ADATA | Yes, if vendor disabled AES (BCH, lower complexity) |
| JMicron JMF670H | SATA 6Gb/s | None | Older budget SSDs | Yes |
The MEK is generated once during manufacturing & burned into One-Time Programmable (OTP) fuses or a secure enclave on the controller die. Even without a user password set, every byte written to NAND passes through the AES engine. Moving NAND chips to a donor controller with a different MEK produces encrypted garbage; the donor's key can't decrypt data encrypted by the original.
Even on unencrypted controllers like the Phison S11, chip-off is a last resort. The S11's LDPC error correction & complex XOR scrambling make reconstruction labor-intensive. PC-3000 Technological Mode (SRAM loader injection) is always preferred because it keeps the controller's hardware ECC engine in the loop, decoding pages that a raw chip reader can't correct.
How Does Board-Level Repair Enable Encrypted SSD Recovery?
Board-level microsoldering is the prerequisite for recovering data from any encrypted SSD with a dead controller. The original controller must boot because the AES-256 decryption key is fused to its silicon. Replacing the controller destroys the key. Repairing the controller preserves it.
Most SSD “deaths” aren't controller failures. They're failures in the power delivery circuit surrounding the controller: a shorted PMIC, a blown capacitor, or a cracked voltage regulator. The controller IC itself is often intact. The diagnostic workflow below identifies the failed component before power is applied, preventing cascading damage to an already fragile board.
Pre-Power Diagnostic & Repair Workflow
- FLIR thermal imaging for fault localization. Before applying power, the board is briefly energized through a current-limited bench supply while a FLIR thermal camera identifies hotspots. A shorted PMIC or tantalum capacitor draws excess current & produces a visible thermal signature within seconds. This pinpoints the failed component without risking further damage.
- Hakko FM-2032 microsoldering for component replacement. The failed PMIC, capacitor, or voltage regulator is removed & replaced using a Hakko FM-2032 iron on an FM-203 base station. On SATA SSDs, PMICs are typically 3mm x 3mm QFN packages; on NVMe M.2 drives, voltage regulators can be sub-2mm. SATA SSD board repair runs $450–$600. NVMe board repair runs $600–$900.
- Zhuo Mao BGA rework for controller reflow or reball. If the controller IC has cold solder joints (intermittent detection, works after heating), a Zhuo Mao BGA rework station reflows or reballs the controller's BGA connections. This restores electrical contact without destroying the OTP fuses holding the MEK. Temperature profiles follow the same SAC305 parameters used for NAND extraction, but with lower peak temperatures (230 to 235°C) to avoid disturbing adjacent components.
- PC-3000 SSD imaging through the restored controller. Once the controller boots, PC-3000 SSD connects via SATA or NVMe protocol & images the drive sector-by-sector. The controller's AES engine decrypts data in real-time during the imaging process. No key extraction is needed; the controller handles decryption transparently, the same way it did when the drive was healthy.
This is not chip-off. The controller stays in place. The encryption chain is preserved. The controller's hardware LDPC engine handles soft-decision decoding during imaging, producing clean data that a raw chip reader can't match. Board repair preserves everything chip-off destroys.
SSD data recovery is board repair. The Hakko FM-2032 & Zhuo Mao rework station aren't separate services from data recovery; for encrypted drives, they are the recovery tool. No other path exists when the controller's power circuit fails & the AES key is locked inside the silicon.
PC-3000 Technological Mode: The Alternative to Chip-Off
When an SSD powers on but won't mount (reports 0 bytes, enters BSY state, or identifies as “SATAFIRM S11”), the controller is alive but its firmware is corrupted. PC-3000 SSD bypasses the corrupted firmware by injecting a custom microcode loader into the controller's volatile SRAM, giving it just enough logic to read raw NAND without executing the damaged code.
Technological Mode is the reason professional labs rarely need chip-off on modern SSDs. The controller is alive; its firmware isn't. Injecting a temporary loader into SRAM sidesteps the corruption without touching the NAND physically. Firmware-level recovery using PC-3000 runs $600–$900 for SATA SSDs & $900–$1,200 for NVMe; chip-off costs $1,200–$1,500. The price difference reflects the labor difference.
SRAM Loader Injection Workflow
- Halt the boot sequence. PC-3000 issues vendor-specific ATA or NVMe commands to stop the controller from loading its corrupted firmware modules. This prevents the controller from executing destructive operations like TRIM, garbage collection, or a factory reset that some controllers trigger on boot failure.
- Inject the SRAM loader. A proprietary microcode payload is written into the controller's volatile SRAM. This loader gives the controller minimal read logic: enough to address NAND pages & return raw data through the SATA or NVMe interface. The loader doesn't touch the corrupted firmware stored in NAND; it runs entirely from volatile memory & disappears on power cycle.
- Scan NAND for surviving metadata. PC-3000 reads raw NAND pages through the loader, scanning for page headers, spare area metadata, wear-level counters, & sequence numbers. It builds a virtual LBA-to-PBA mapping in host RAM, reconstructing the Flash Translation Layer without relying on the drive's corrupted FTL tables.
- Image with real-time AES decryption. Because the original controller handles every read operation, data passes through the controller's hardware AES engine & is decrypted in real-time during imaging. The encryption key never leaves the controller. The host receives plaintext data directly.
Professional labs prefer Technological Mode over chip-off even on unencrypted drives. The controller's hardware LDPC engine stays in the loop, performing soft-decision decoding that chip-off can't replicate. A raw chip reader does hard-decision reads (binary 1 or 0); the controller does multi-pass voltage sweeps across TLC & QLC cells to calculate bit probabilities. On a worn drive with high bit error rates, that difference determines whether pages decode cleanly or return corrupted data.
SATAFIRM S11 Firmware Corruption on Phison PS3111
The Phison PS3111-S11 controller powers a large share of budget SATA SSDs: Kingston A400, PNY CS900, Patriot Burst, & dozens of OEM variants. When the S11's FTL corrupts from sudden power loss, the controller enters ROM mode & reports its identity as “SATAFIRM S11” with 0-byte capacity. The drive appears in BIOS but is inaccessible.
DIY forums recommend flashing the controller with Phison's MPTool utility. Don't. MPTool reinitializes the controller's firmware from scratch, which overwrites the FTL mapping tables. Once the FTL is gone, the link between logical addresses & physical NAND locations is destroyed. The data is still on the NAND cells, but no tool can reassemble it without the mapping.
PC-3000's Phison utility injects an SRAM loader that reads the S11's NAND without touching the corrupted FTL. The loader accesses raw pages, extracts surviving metadata from spare areas, & rebuilds the address mapping in host memory. Because the S11 doesn't implement hardware encryption, the data on the NAND is plaintext. Recovery runs $600–$900; chip-off on the same drive costs $1,200–$1,500 & takes 2 to 4 weeks longer.
How to Ship Your SSD for Chip-Off Evaluation
Don't power on the drive. Every power cycle on a failing SSD risks firmware self-destruct sequences, TRIM execution on corrupted mapping tables, or further controller degradation. Remove it from the computer & ship it unpowered.
- Wrap the bare drive in an anti-static bag. M.2 NVMe drives fit in a small USPS flat-rate box or a padded FedEx envelope.
- Surround the drive with foam or bubble wrap. Avoid loose packing peanuts; they shift during transit & leave the drive unprotected against impact.
- Ship to our Austin, TX lab. Call (512) 212-9111 if you need the mailing address or have questions about packaging.
- Evaluation is free. We call you with a firm quote before any work begins. If chip-off isn't viable (encrypted controller, cracked NAND), we tell you that instead of charging for work that can't succeed.
Contact us for shipping labels & drop-off instructions.
Data Handling During Chip-Off Recovery
Chip-off recovery involves direct contact with raw NAND storage. Your SSD stays in our Austin lab throughout the process. All NAND reads and reassembly happen on air-gapped workstations with no network access. Recovered data is delivered on encrypted external media, and working copies are purged after you confirm receipt.
NDAs are available on request. Full data security details cover our chain-of-custody, encryption, and erasure protocols.
Data Recovery Standards & Verification
Our Austin lab operates on a transparency-first model. We use industry-standard recovery tools, including PC-3000 and DeepSpar, combined with strict environmental controls to make sure your hard drive is handled safely and properly. This approach allows us to serve clients nationwide with consistent technical standards.
Open-drive work is performed in a ULPA-filtered laminar-flow bench, validated to 0.02 µm particle count, verified using TSI P-Trak instrumentation.
Transparent History
Serving clients nationwide via mail-in service since 2008. Our lead engineer holds PC-3000 and HEX Akademia certifications for hard drive firmware repair and mechanical recovery.
Media Coverage
Our repair work has been covered by The Wall Street Journal and Business Insider, with CBC News reporting on our pricing transparency. Louis Rossmann has testified in Right to Repair hearings in multiple states and founded the Repair Preservation Group.
Aligned Incentives
Our "No Data, No Charge" policy means we assume the risk of the recovery attempt, not the client.
Technical Oversight
Louis Rossmann
Louis Rossmann's well-trained staff review our lab protocols to ensure technical accuracy and honest service. Since 2008, his focus has been on clear technical communication and accurate diagnostics rather than sales-driven explanations.
We believe in proving standards rather than just stating them. We use TSI P-Trak instrumentation to verify that clean-air benchmarks are met before any drive is opened.
See our clean bench validation data and particle test video
SSD controller destroyed?
Free evaluation. We will tell you honestly whether chip-off can recover your data. No data, no fee.