having a quick look at "startup.s" in "system/cpu/arm/boot" it seems like they're not using any branch instructions but instead explicitly change the PC so one has to look for opcodes like "ldr pc, SomeHandler" which translates (i compiled with gnu assembler) to "ldr pc, [pc, #offs_of_addr_to_handler]" and (always?) to something like 0xE59F for the upper 16bits of the opcode.
i actually found this:
Code:
SystemReset:
14de74: e59ff018 ldr pc, [pc, #24] ; ResetAddr
14de78: e59ff01c ldr pc, [pc, #28] ; DBG_Addr
14de7c: e59ff01c ldr pc, [pc, #28] ; DBG_Addr
14de80: e59ff014 ldr pc, [pc, #20] ; DBG_Addr
14de84: e59ff010 ldr pc, [pc, #16] ; DBG_Addr
14de88: e59ff00c ldr pc, [pc, #12] ; DBG_Addr
14de8c: e59ff004 ldr pc, [pc, #4] ; IRQ_Addr
14de90: e59ff004 ldr pc, [pc, #4] ; DBG_Addr
14de94: 00000030 ResetAddr
14de98: 00000040 IRQ_Addr
14de9c: 600f3390 DBG_Addr
14dea0: 600f3390 DBG_Addr
ResetAddr:
14dea4: e59fd004 ldr sp, [pc, #4] ; 0x14deb0 -> sp = 60e00000
14dea8: e51ff004 ldr pc, [pc, #-4] ; 0x14deac goto __main
14deac: 6000f940 __main
14deb0: 60e00000 ||Image$$REALTABLE_SDRAM$$ZI$$Limit||
IRQ_Addr:
14deb4: e24ee004 sub lr, lr, #4 ; 0x4
14deb8: e92d500f stmdb sp!, {r0, r1, r2, r3, ip, lr}
[...]
I filled in the names of "startup.s" where appropriate. So seems like the "main()" resides at @ 0x6000f940 in memory.