I have no specific knowledge, but I would think that the bad block map is stored on the flash memory itself, but the controller only stores the block number (or page) of the bad block map (which is determined at first power-on). This allows identical firmware to be flashed into the controller, and it can scan the NAND flash that was assembled into the board and find a reliable area to store the bad block map itself.
Then the firmware can report back if it found 1G, 2G, 4G or 8G of good memory.
However, in this scheme, after first power-on, the NAND and the controller are now married.