I developed a tool to automatically recover a static XOR key from the special patterns that are generated by my initpattern tool. I had originally developed it to further automate the LDPC parameter recovery process, but since it is also helpful for non-LPDC devices, I create a dedicated video for the XOR key recovery:
https://youtu.be/rRWWPTnJn4U

You can get the tools on https://github.com/thesourcerer8/drresearch/

Well done! Looking forward to a more user friendly Windows based GUI tool. Some tips: for controllers with XOR after ECC, it's usually necessary to write in 00 mode. For controllers with ECC after XOR, 77 mode is more suitable. Through testing, it's observed that certain controllers, mostly SSD controllers, won't write to the actual physical area if the write mode is recognized as 00
If you want to make it more comprehensive, I think some additional settings are needed.

1: The XOR generator should take into account page structure, such as SM controllers typically only needing XOR data regions. If users are allowed to configure page structure, one mode can match most cases without considering SA and ECC lengths.

2: The impact of bad bytes on XOR continuity—bad bytes are "invisible" for XOR modes for most controllers, but for some, they are "visible."

3: Some controllers use two different modes for XOR between SA and ECC parts and DATA parts. Presetting page structure is required to distinguish the different modes among them.

4: XOR mode's continuity when encountering cross-plane situations—the traditional controllers use the same XOR between different planes, but new controllers use different XOR between planes.

5: Whether dynamic XOR or static XOR, they are essentially obtained from a seed array through regular shifts. In a sense, they have no fundamental difference. Finding the underlying pattern is the perfect solution.

_________________
Auxiliary Tool Used For MonoLith Data Recovery, featuring the industry's most extensive Monolith pinouts
http://flash-matrix.com/

I suspected this. Is this quite common? can you give some examples? Were you able to observe this?

_________________
Joep - http://www.disktuna.com - video & photo repair & recovery service

The most typical controller models are SSS and some SD card controllers . Prediction can be made by observing the power consumption in 77 mode and 00 mode.

_________________
Auxiliary Tool Used For MonoLith Data Recovery, featuring the industry's most extensive Monolith pinouts
http://flash-matrix.com/

Aha, that makes sense thank you, I think: Due to no actual writes taking place, power consumption will be below expected?

_________________
Joep - http://www.disktuna.com - video & photo repair & recovery service

You are correct， through this method, it can also be used to track the location where the controller writes to the FTL (requiring the calculation of row and column addresses). This is typically associated with the activation of SLC mode. I have already identified the FTL location of the SSS controller using this approach, but I am unable to comprehend its significance. The FTL is not as intuitive as the CBM controller, representing the relationship between physical blocks and logical blocks.

_________________
Auxiliary Tool Used For MonoLith Data Recovery, featuring the industry's most extensive Monolith pinouts
http://flash-matrix.com/