Extract a symbolized AArch64 Linux kernel ELF from Android boot.img or raw Image files.

Has-X/KernelKatana

KernelKatana 🗡️

Turn an Android ARM64 kernel (boot.img or raw Image) into a Ghidra/IDA-ready kernel.elf with symbols by:

  1. extracting the embedded AArch64 ELF hidden inside many vendor kernels
  2. running vmlinux-to-elf on that extracted ELF (where kallsyms is actually discoverable)

This avoids the common “0 candidates for kallsyms_token_table” trap when feeding raw Image blobs directly.

Why this exists

Some Android kernels ship as a raw ARM64 Image containing embedded blobs (ELF chunks, cpio initramfs, etc.).
vmlinux-to-elf can fail to detect kallsyms in the raw Image, but succeeds quickly when fed the embedded ELF64 blob.

KernelKatana automates that workflow.
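
The carving step described above, as an added Python example (not KernelKatana's own code): it scans a blob for little-endian ELF64 AArch64 headers and derives each file's length from its program and section headers. The function names are hypothetical, the length heuristic is this example's assumption, and the sample image is constructed inline.

```python
import struct

ELF_MAGIC = b"\x7fELF"
EM_AARCH64 = 183  # e_machine value for AArch64

def elf64_length(blob, pos):
    """File length implied by the ELF64 headers at pos, or None if not LE ELF64 AArch64."""
    hdr = blob[pos:pos + 64]
    if len(hdr) < 64 or hdr[:4] != ELF_MAGIC or hdr[4:6] != b"\x02\x01":
        return None  # need EI_CLASS=ELFCLASS64 and EI_DATA=little-endian
    (_type, machine, _ver, _entry, phoff, shoff, _flags, _ehsize, phentsize,
     phnum, shentsize, shnum, _strndx) = struct.unpack_from("<HHIQQQIHHHHHH", hdr, 16)
    if machine != EM_AARCH64:
        return None
    end = max(64, phoff + phentsize * phnum, shoff + shentsize * shnum)
    if pos + end > len(blob):
        return None  # header tables run past the blob: truncated or a false hit
    for i in range(phnum if phentsize >= 56 else 0):  # Elf64_Phdr: p_offset@8, p_filesz@32
        p_offset, _va, _pa, p_filesz = struct.unpack_from("<QQQQ", blob, pos + phoff + i * phentsize + 8)
        end = max(end, p_offset + p_filesz)
    for i in range(shnum if shentsize >= 64 else 0):  # Elf64_Shdr: sh_offset@24, sh_size@32
        ent = pos + shoff + i * shentsize
        sh_type, = struct.unpack_from("<I", blob, ent + 4)
        sh_offset, sh_size = struct.unpack_from("<QQ", blob, ent + 24)
        if sh_type != 8:  # SHT_NOBITS (.bss) occupies no file bytes
            end = max(end, sh_offset + sh_size)
    return end if pos + end <= len(blob) else None

def find_embedded_elf64(blob):
    """Return [(offset, length)] for every complete ELF64 AArch64 file found in blob."""
    hits, pos = [], blob.find(ELF_MAGIC)
    while pos != -1:
        length = elf64_length(blob, pos)
        if length is not None:
            hits.append((pos, length))
        pos = blob.find(ELF_MAGIC, pos + 1)
    return hits

def build_sample_image():
    """Constructed input: padding, an ELF32 decoy, then a tiny ELF64 AArch64 file at 0x200."""
    ident = ELF_MAGIC + bytes([2, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, EM_AARCH64, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", 1, 5, 120, 0, 0, 16, 16, 0x1000)  # PT_LOAD, 16 bytes at 120
    elf = ehdr + phdr + b"\x1f\x20\x03\xd5" * 4  # payload: four AArch64 NOPs
    decoy = ELF_MAGIC + bytes([1, 1, 1]) + bytes(57)  # ELFCLASS32: must be skipped
    return bytes(0x100) + decoy + bytes(0x200 - 0x100 - len(decoy)) + elf + bytes(32)

if __name__ == "__main__":
    for off, length in find_embedded_elf64(build_sample_image()):
        print(f"ELF64 AArch64 at offset {off:#x}, {length} bytes")
```
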

Requirements

Linux / WSL

  • python3
  • binwalk
  • readelf (from binutils)
  • file, dd

Optional (only if you want boot.img auto-unpack):

  • magiskboot

Install deps (Debian/Ubuntu)

sudo apt update
sudo apt install -y binwalk binutils file

vmlinux-to-elf dependency

Clone it somewhere:

git clone https://github.com/marin-m/vmlinux-to-elf.git

By default, KernelKatana looks for ./vmlinux-to-elf. To use a different location, set:

export VMLINUX_TO_ELF_DIR=/path/to/vmlinux-to-elf

Usage

chmod +x kernelkatana.sh
./kernelkatana.sh -i boot.img -o kernel.elf

If your input is already a raw kernel Image:

./kernelkatana.sh -i Image -o kernel.elf

WSL speed mode (recommended when your files are under /mnt/c or /mnt/e):

./kernelkatana.sh -i /mnt/e/.../Image -o kernel.elf --prefer-home

Keep intermediate files for debugging:

./kernelkatana.sh -i boot.img -o kernel.elf --keep

Output

  • kernel.elf — load this in Ghidra/IDA, architecture AArch64.
  • If symbols look shifted, verify that the _stext / _text addresses match the expected kernel base (often ffffffc008... on Android).

Common pitfall: BrokenPipeError

If you do:

... | head

Python may print BrokenPipeError because head closes the pipe early. Redirect to a file instead:

... > kallsyms.txt