Important ROM addresses
It is important to know that the ROM is loaded into this memory range: 0x00200000..0x003FFFFF + 1.
00200040
This is where the bootloader jumps into, in ARM mode. When the processor is reset, it is in ARM mode. To get into Thumb, you need to execute the BX instruction (branch and exchange instruction sets).
The bootloader jumps here after it checks to see if it should flash, I think. Please see the Project Blacksphere page with the path: /sub_100hardware/sub_arm/sub_bootrom.htm
002eebec
002eebec e7 fe b
This is a tight loop waiting for a reset. The code path that leads us here appears to initiate a software reset (002eebde).
002eec46
LAB_MainLoop?
002eec46 2d 01 cmp r5,#0x1
002eec48 d1 fd bne LAB_MainLoop?
002eec4a f7 f9 ff 13 bl FUN_KeyboardRead?
002eec4e 28 81 cmp r0,#0x81
002eec50 d1 f9 bne LAB_MainLoop?
This is what I have, perhaps incorrectly called, the MainLoop. There is a question mark after it in the decompilation because I am not sure. It sure loops here, anyway!
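A cross-check of the branch encodings listed above, as an added example that is not part of the original notes or of any tool they mention. It decodes the Thumb B, B<cond> and BL instructions from the listed bytes and maps each address to an offset in a flat dump. Assumptions: the dump starts at 0x00200000, each byte pair in the listing is a big-endian halfword (the reading under which e7 fe decodes as an unconditional branch), and all function names here are hypothetical.

```python
ROM_BASE = 0x00200000   # from the page: ROM occupies 0x00200000..0x003FFFFF
ROM_END = 0x003FFFFF

def rom_offset(addr):
    """Map a ROM address to a file offset (assumes the dump starts at ROM_BASE)."""
    if not ROM_BASE <= addr <= ROM_END:
        raise ValueError(f"{addr:#010x} is outside the ROM range")
    return addr - ROM_BASE

def sign_extend(value, bits):
    sign = 1 << (bits - 1)
    return (value ^ sign) - sign

def thumb_branch_target(addr, raw):
    """Return the target of a Thumb B, B<cond> or BL at addr, or None otherwise."""
    hw = int.from_bytes(raw[:2], "big")   # assumption: big-endian halfwords
    if hw >> 11 == 0b11100:                            # B, 11-bit offset
        return addr + 4 + (sign_extend(hw & 0x7FF, 11) << 1)
    if hw >> 12 == 0b1101 and (hw >> 8) & 0xF < 0xE:   # B<cond>, 8-bit offset
        return addr + 4 + (sign_extend(hw & 0xFF, 8) << 1)
    if hw >> 11 == 0b11110 and len(raw) >= 4:          # BL, two halfwords
        lo = int.from_bytes(raw[2:4], "big")
        if lo >> 11 == 0b11111:
            high = sign_extend(hw & 0x7FF, 11) << 12
            return addr + 4 + high + ((lo & 0x7FF) << 1)
    return None

# Rows copied from the page's disassembly: (address, instruction bytes as listed).
LISTING = [
    (0x002EEBEC, "e7fe"),
    (0x002EEC46, "2d01"),
    (0x002EEC48, "d1fd"),
    (0x002EEC4A, "f7f9ff13"),
    (0x002EEC4E, "2881"),
    (0x002EEC50, "d1f9"),
]

def branch_targets():
    """Decode every listed row; non-branch instructions map to None."""
    return {a: thumb_branch_target(a, bytes.fromhex(h)) for a, h in LISTING}

if __name__ == "__main__":
    for addr, target in branch_targets().items():
        what = "not a branch" if target is None else f"branch to {target:#010x}"
        print(f"{addr:#010x} (file offset {rom_offset(addr):#x}): {what}")
```

The `b` at 002eebec resolves to its own address, which matches the tight loop described above, and both `bne` instructions resolve to 002eec46, the address labelled LAB_MainLoop?.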
Links to the Past
wikipedia: Nokia 3310
youtube: Vintage Firmware Modding Nokia DCT3 Phones
reddit: NokiX -- open-source firmware modding tool and SDK for classic Nokia mobile phones (including Nokia 3310)
first mention i've seen of nokix
hackaday: 1337 3310 tool
someone building tools that use the Nokia 3310 as a platform
gitea: DCT3-GSMTAP
first mention of project blacksphere
cosconor: cosconor.fr Nokia 3310 Flash Files
a frenchman dumped the Nokia 3310's firmware. this is the one we're working with.
freeavatars: NOKIA 3310 TRUOUBLE.jpg
a labelled image of the Nokia 3310 mainboard