Kallsyms Utility

The Kallsysms utility is a Win32 utility for extracting kernel symbols from a kernel. The kernel must be in an uncompressed condition. See also imgutil.exe.

Usage: kallsyms <flags> <kernel> <symbols> /b block size in bytes /a address width in bits /m marker width in bits /l load address /r addresses are relative /t maximum number of tokens in symbol /c check symbols (much slower) /d debug

Finding the correct parameters

There are many variations of how kallsyms are packed into the kernel. To find the correct parameters may take some experimentation. The good thing is that when you find them for a device they will probably stay the same forever.

/b is the block alignment. For the newest devices it could be 8. For most new devices it could be 256. For older 32 bit kernels it might be 16 or 8.

/a is the width of the entries in the address table. It could be 32 bits even in a 64 bit kernel if the relative option is being used.

/m is the width of the entries in the marker table. This will normally be the same width as the kernel itself. It defaults to the value of /a.

/r is a flag that says that addresses in the address table are relative (zero-based). This option also affects the position of the address table as relative uses another block.

/l allows you to modify the reported addresses, especially useful when addresses are relative.

/t sets the maximum number of tokens in a symbol. The default should be fine for most kernels. Samsung will require a value of 100 for their absurdly long symbol names.

/c enables checking of symbols. Enable this only if the heuristics are finding the wrong name block.

/d allows display of partial solutions when there are errors. It should only be used when trying things.

Taming the addresses

For 64 bit kernels you may get large and ungainly addresses outside the 4 GB 32 bit address range. Since with Kernel Address Space Layout Randomization (KASLR) you're not going to get a really useful address anyway you might as well stick with a load address of zero. Just use the /l0 flag.


kallsyms /b256 /a64 /l0 kernel kernel.sym

Note that on a live, rooted system you might be able to extract the kallsyms directly.

echo 0 > /proc/sys/kernel/kptr_restrict cat /proc/kallsyms

Download kallsyms.exe, the Kallsyms utiliy.