Kernels which do not have CONFIG_KALLSYMS but support loadable modules still have a symbol table for runtime linking of the modules. These are present as simple address/name pairs in sections __ksymtab, __ksymtab_gpl, __ksymtab_strings.

There is probably some simple heuristic that would allow to find them, e.g. in a few sample I have it seems "loops_per_jiffy" is the first string in __ksymtab_strings and the two tables immediately precede it.

BTW symbolizing stripped ELF kernels using these tables would be useful too.