I might have figured it out. The reason deblob-check was only printing one
filename is that it exits once it finds a blob. By commenting out the exit
line I was able to get it to keep looking and list all files with blobs.
As expected, running deblob-check on the original kernel results in finding a
lot of blobs. I then tried running it on the new kernel generated by
deblob-main. It found six files with blobs:
/arch/x86/crypto/crc32c-pcl-intel-asm_64.S
/arch/arm/boot/dts/sun7i-a20-cubietruck.dts
/arch/arm/boot/dts/sun7i-a20-cubieboard2.dts
/arch/arm/boot/dts/sun5i-r8-chip.dts
/arch/arm/boot/dts/sun4i-a10-cubieboard.dts
/arch/arm/boot/dts/sun5i-a13-olinuxino.dts and then ran for another eight
hours without finding anything else. It didn't exit, presumably because I had
commented out the exit line, but I'm pretty sure it was done. I'll try
running it again with verbose output to make sure that it has definitely
checked all of the files.
I think that the sun*i-* files might be false positives. The offending code
in each seems to be nand-randomizer-seeds = /bits/ 16