Chip-Off Recovery

Solid-state storage devices have two main components: NAND flash memory chips that store the actual data, and a controller chip that manages how data is written, read, and organized across the NAND. When the controller dies but the NAND chips still hold valid data, chip-off recovery extracts the data by skipping the controller entirely. Engineers desolder the NAND chips from the failed device’s circuit board, place them into a chip programmer, read the raw memory contents, and then reverse-engineer how the original controller had organized the data.¹

When chip-off applies

Chip-off recovery is appropriate for any device that stores data on NAND or NOR flash memory:

• SSDs: consumer SATA SSDs, NVMe SSDs, and enterprise SSDs with discrete NAND chips on the PCB.
• USB flash drives: typically the simplest chip-off cases due to single-chip designs.
• SD cards and microSD cards: older designs have separate NAND and controller; modern monolithic designs combine them in a single package.
• eMMC chips: embedded multimedia memory cards used in phones, tablets, and embedded devices. The controller is built into the chip, simplifying reconstruction.
• UFS chips: universal flash storage in modern smartphones; similar to eMMC but newer interface.
• Mobile device storage: phones and tablets with embedded flash that has failed at the controller level.

When chip-off is NOT the right option

The technique is destructive and increasingly limited by encryption. It’s not the first option for solid-state recovery; less invasive methods are always attempted first:

• Logical SSD failures (deleted files, formatted drive, RAW partition, file system corruption) are handled by software recovery without any physical intervention.
• Firmware corruption: specialized hardware tools like PC-3000 SSD can communicate with controllers in technological mode and repair firmware-level issues without removing chips.
• Partial controller failures: if the controller can be revived through board-level repair (microsoldering, capacitor replacement, voltage regulator swap), the original controller remains in place with its encryption keys intact.
• HDD failures: hard drives need cleanroom recovery, not chip-off. The two techniques apply to different storage technologies.

The escalation order

The Rossmann Group documentation captures the typical escalation: software recovery first, firmware-level recovery (PC-3000) second, board-level controller repair third, chip-off only when the controller silicon is cracked, burned, or otherwise unable to power on.² Skipping straight to chip-off when other methods are still available is a procedural mistake; preserving the controller preserves access to encryption keys and avoids the destructive nature of NAND removal.

Chip-off and cleanroom are parallel techniques addressing the same general problem (physical-intervention recovery for failed storage) but for different storage technologies. Understanding when each applies is the first decision in any physical-recovery case.

Side-by-side comparison

Concern	Cleanroom recovery	Chip-off recovery
Storage type	Mechanical drives (HDDs)	Solid-state (SSD, USB, SD, eMMC)
What fails	Heads, platters, motors, pre-amps	Controller chip, PCB, sometimes NAND itself
Required environment	ISO Class 5 cleanroom for air quality	Static-controlled bench with BGA rework station
Reversibility	Drive can be reassembled (heads/platters preserved)	Destructive: chips permanently removed
Donor parts needed	Often (head stack, PCB, platters)	Sometimes (replacement controller for board-level repair)
Encryption issue	Mostly absent (HDD encryption is rare)	Major: modern SSDs encrypt at controller
Reconstruction needed	Standard imaging once drive responds	Extensive reverse-engineering of FTL
Typical cost range	$1,200-$7,000+	$300-$10,000+
Last-resort indicator	Drive making sounds; physical damage	Controller dead; PCB destroyed

Why both exist

The two techniques solve fundamentally different problems. Hard drives store data magnetically on platters that can be transferred between drive housings; the recovery work is mechanical (transplant heads, transfer platters, replace motors). SSDs store data electronically in NAND chips that depend on a specific controller to make sense of how data is laid out; the recovery work is electronic (extract chips, read raw, reconstruct logical layout). Cleanroom techniques don’t apply to SSDs because there are no moving parts to repair. Chip-off doesn’t apply to HDDs because the data isn’t stored in removable chips that can be read independently.

The first stage of chip-off recovery is physically removing the NAND chips from the device’s circuit board without damaging them. This is delicate, time-consuming work that requires specialized equipment and substantial training.³

NAND chip package types

Different devices use different NAND package formats, each with its own desoldering challenges:

• TSOP-48 (Thin Small-Outline Package, 48 pins): older USB drives and SD cards. Pins are accessible from the chip’s edges; relatively straightforward to desolder with hot air.
• BGA (Ball Grid Array): modern SSDs and most current NAND. Solder balls are underneath the chip rather than at the edges; requires precise hot air or infrared rework.
• TLGA (Thin Land Grid Array): compact form-factor devices; solder pads underneath the chip with no balls; specialized rework procedures needed.
• WLCSP (Wafer-Level Chip-Scale Package): used in some mobile devices; tiny solder pads directly on the silicon die.
• Monolithic packages: microSD cards and many modern full-size SD cards combine NAND and controller in a single epoxy-sealed package; require removal of the epoxy and direct wiring to internal test points rather than standard chip extraction.

Equipment needed

Professional chip-off requires substantial equipment investment:

• Hot air rework station: $500-$2,000 for a quality unit. Provides controlled hot air for desoldering BGA chips.
• Infrared rework station: alternative to hot air; provides more uniform heating for sensitive chips. $2,000-$10,000.
• BGA reballing kit: for chips that need new solder balls before reading.
• Microscope: for inspecting solder joints and chip surfaces during rework.
• Chip programmer: the device that reads desoldered chips. PC-3000 Flash from ACE Lab is the dominant professional option at $3,000+ plus annual licensing. FlashExtractor, VR Flash Reader, and Soft Center are alternatives.
• NAND adapter sockets: different chip packages require different adapters; a complete set covers TSOP-48, multiple BGA pinouts, and TLGA at $50-$200 each. Active recovery labs maintain dozens.
• Static-controlled workstation: ESD-safe surfaces, wrist straps, and grounded tools to prevent electrostatic damage to extracted chips.

The desoldering procedure

For a typical BGA chip on an SSD PCB, the procedure is roughly:

1. Pre-heat the PCB from below to bring the entire board to a moderate temperature, reducing thermal shock when the chip area is heated.
2. Apply controlled hot air to the chip area at temperatures around 220-240°C, monitoring with a thermocouple.
3. Lift the chip with a vacuum tool when the solder reflows; the chip should release with gentle pressure rather than force.
4. Clean residual solder from the chip’s contact pads using flux and solder wick.
5. Inspect the chip under magnification for any damage to pads or the chip body.
6. Reball if necessary for chips that will be placed in adapter sockets requiring fresh solder balls.
7. Place the chip in the appropriate adapter for reading.

Where extraction goes wrong

Common failure modes during physical extraction:

• Overheating: excessive temperature damages the chip’s internal silicon. Recovery from overheating is rare.
• Pad lift: contact pads on the chip detach from the chip body during desoldering, making subsequent reading impossible.
• Static damage: electrostatic discharge during handling can corrupt NAND cells.
• Mechanical damage: applying force during chip lift before solder is fully reflowed can crack the chip.
• Solder bridging during reballing: incorrectly applied solder balls can create shorts that prevent the adapter from reading the chip correctly.

Successful chip extraction yields a raw NAND dump: a binary file containing every bit stored in the chip. This raw dump is not a usable disk image. The original controller had organized the data in ways that recovery software cannot directly interpret. Reconstruction is the slow, technical, often-frustrating part of chip-off work that frequently takes longer than the physical extraction itself.⁴

The Flash Translation Layer (FTL)

SSDs and modern flash devices use a Flash Translation Layer in the controller that handles several functions:

• Wear leveling: spreading writes across NAND cells to extend drive life. The result is that logical block 100 might physically live anywhere on the chip; wear leveling has scrambled the layout.
• Bad-block management: failed NAND cells are skipped, with their data redirected to spare cells. The chip dump contains both used and skipped blocks; reconstruction has to know which is which.
• Garbage collection: deleted data isn’t immediately erased but marked for later collection. The dump may contain remnants of previously deleted data alongside current data.
• XOR data whitening: data is XOR’d with a controller-specific pattern before being written to NAND. This improves NAND reliability but means the dump is scrambled at the bit level.
• Multi-chip interleaving: for SSDs with multiple NAND chips, data is striped across chips for performance. Reconstruction has to know the interleaving pattern.
• ECC (Error Correction Coding): NAND cells flip bits occasionally; ECC algorithms correct these errors during read. The dump contains both data and ECC bytes; reconstruction has to apply the right ECC.

What reconstruction has to figure out

For each device, recovery engineers have to determine:

• The page size (typically 2KB-16KB depending on NAND generation).
• The block size (number of pages per erase block).
• The bit ordering within bytes.
• The XOR whitening pattern (controller-specific).
• The ECC algorithm and parameters.
• The interleaving pattern across multiple chips.
• The address translation tables that map logical to physical locations.
• The garbage collection state to identify current vs old data.

Why eMMC chip-off is easier

The Gillware Digital Forensics documentation notes one important exception: eMMC chips have a controller built into the chip itself.⁵ When you desolder an eMMC chip, you take the controller with it, which means the FTL still has the original mapping information. Reconstruction is much simpler because the eMMC’s built-in controller can present a normal block device interface to the chip reader. eMMC chip-off recovery is therefore typically faster and more successful than discrete NAND chip-off, when the device uses eMMC storage.

Tools that help reconstruction

Several specialized tools handle FTL reconstruction:

• PC-3000 Flash: includes built-in FTL templates for many common controller families.
• FlashExtractor: commercial tool with controller-specific extraction profiles.
• VR Flash Reader: hardware reader with reconstruction software.
• Visual NAND Reconstructor: specialized for monolithic and microSD reconstruction.

For unsupported controllers, manual reverse-engineering may be required. This can take days or weeks for complex modern controllers.

Hardware encryption has fundamentally changed what chip-off can recover from modern devices. The 2010s and 2020s have seen near-universal adoption of controller-level encryption in SSDs, which means chip-off recovery from a destroyed-controller device often returns nothing usable.⁶

How modern SSD encryption works

Modern SSDs typically implement AES-256 encryption with these characteristics:

• The encryption key lives in the controller’s secure enclave. The key is generated when the SSD is first manufactured or initialized.
• All data going to NAND is encrypted before being written. The NAND chips never see plaintext data.
• The key is bound to the specific controller silicon. Other controllers, even of the same model, have different keys.
• The key cannot be extracted from a working controller through software means (this is the security feature, not a recovery limitation).
• If the controller dies, the key dies with it. This is the recovery limitation.

Specific devices with controller-level encryption

Recovery engineers have flagged the following as particularly affected:

• Apple T2 chip Macs: Intel Macs from 2018 onward with the T2 security chip. The T2 contains the SSD encryption key.
• Apple Silicon Macs: M1, M2, M3, and M4 series. Encryption is part of the SoC.
• Samsung 980 and 990 Pro NVMe: Elpis and Pascal controllers with built-in encryption.
• Most enterprise NVMe SSDs: security features are standard at the enterprise tier.
• BitLocker-encrypted Windows drives: Microsoft has been pushing encryption defaults; affected drives need the BitLocker recovery key for decryption even with successful chip-off.

What chip-off returns from encrypted devices

The technical result of chip-off on a destroyed-controller encrypted device:

1. NAND extraction succeeds normally; the chips read fine.
2. FTL reconstruction succeeds; the data layout is reconstructed.
3. The reconstructed data is AES-256 ciphertext.
4. Without the controller’s encryption key, decryption is mathematically infeasible (AES-256 brute force takes longer than the universe’s age).
5. The recovery output is essentially random bytes.

This is not a recovery failure in the technical sense; the chip-off worked perfectly. The limitation is that what was extracted cannot be made into usable data without the keys that were destroyed alongside the controller.

Devices where chip-off still works well

Not all flash storage uses controller-level encryption:

• Most consumer USB flash drives: hardware encryption is uncommon; chip-off recovers data normally.
• Most SD cards: consumer cards typically don’t encrypt; chip-off works.
• Older SSDs: SATA SSDs from before approximately 2015 often didn’t implement controller encryption.
• Industrial flash: embedded systems often use unencrypted flash for cost and simplicity reasons.
• Devices with software-only encryption (like some BitLocker setups) where the encryption is at the OS level rather than the controller, and chip-off can recover the encrypted disk image for separate decryption with the user’s key.

The recovery question to ask first

For any modern SSD chip-off case, the first diagnostic question is whether the specific drive model implements controller-level encryption. If it does, chip-off without controller repair is likely to fail. If the controller can be repaired through board-level work (microsoldering, capacitor replacement), the original controller can be restored to the board with its keys intact. This is one of the few recovery scenarios where attempting controller repair is preferred over chip-off even when chip-off would be technically simpler.