iz there a way to totally revert all settings on this phone back to factory?

iz there a way to totally revert all settings on this phone back to factory?

I think its ##RTN#, you will need to get the spc first though.

already set to all 0's haha thanks tho dude

How To: Sprint HERO MEID / ESN repair on official 2.1 builds
Yes, it can be done! No need to downgrade radios, ROOT or spend countless hours trying to figure out how to downgrade your OS. It is possible to complete the repair on the latest Sprint 2.27.651.6 release

Tools Needed:
- QPST 2.7 build 359
- QXDM 03.09.19
- CDMA WS 2.7
- HxD Hex Editor Tool
- HTC Sync (for drivers)
- HTC Diag Drivers

Information Needed:
MDN for your wireless network
MSID for your wireless network

Preparing the device and Connections to the PC

1. Install latest official rom from here
2. Connect the phone via USB
3. On the phone dial ##3424# to enter DIAG mode
4. Install drivers if needed (on some systems it will find all the right drivers BUT the HTC Diag driver. For me I had to manually force it to take the x64 driver in Windows 7. Once you add the driver it functions perfectly.)
5. Open device manager and look for the device under "Modems" -> HTC USB Modem
6. Double click on HTC USB modem and go to the "modem" tab and note the COM port.
7. Open QPST Configuration
8. Click on "Ports" tab
9. If the port you wrote down is not here click "Add New Port"
10. Uncheck "Show Serial and USB/QC Diagnostic ports only" and your port should appear on the list.
11. Highlight it and click "ok" to add.
12. Close QPST

**** You have now established a connection with your device ****

Establishing a connection with CDMA WS 2.7 (preparing for memory scan and dump)

1. Open CDMA WS 2.7
2. Under COM Settings (AT Mode) select your COM port for your device, leave baud rate at 115200
3. Click "Connect"
4. Click "Read" (This is not necessary but I do it to ensure I have a good connection to the device. The "read" output will display the phone information in the fields on the left. If you don’t see this information populate you have not established a connection with the device and need to verify your COM port settings and try again.)
5. Click the "Security" Tab
6. Under SPC make sure it is set to "Default (nv_read)" and click "Read"
7. It will display your SPC in the empty box. WRITE THIS DOWN for later!
8. Click on "SPC" button and click on "Send"
9. If you have done everything correctly you will get a popup that says "SPC is correct. Phone Unlocked."
10. Click "ok"
* Leave CDMA WS 2.7 open and move to the next section.

Scanning for readable memory locations with CDMA WS 2.7

1. Click the "Memory" Tab
2. Under "Scan Memory" leave the start address as 0000:0000 and set the "End Address" to 2000:0000
*Very important, do not let the phone reboot this is why I set the address range to C000:0000 if you go over this value the scan will go out of range and reboot the device automatically. If the phone reboots start the scans over again, the memory locations will change after any reboots.
3. Set the step byte to 16384
4. Click "Start” and you will get spew in the output window similar to this: (these are my exact scans for the Sprint
2.27.651.6 Release)
----------------------------------------------
Scanning memory for readable areas:
Unreadable area from: 0000:0000
Readable area from: 0103:C000
Unreadable area from: 0161:C000
Readable area from: 1075:C000
Unreadable area from: 1079:0000
Readable area from: 1082:C000
Unreadable area from: 10D5:4000
Readable area from: C000:0000
----------------------------------------------
5. Once the scan completes copy the text outputted to notepad and save the file locally.

Scanning for MEID and ESN memory locations using the addresses you have found with CDMA WS 2.7

1. While still on the "Memory" Tab move your attention to Memory / Eeprom
2. Take the first readable area from the scan you have done and enter it into the "Start Addr.:" field. Example 0103:C000
3. for Size (bytes) make the value 99999999
4. Click "Read" and you will get a popup window to "save" a .bin file. I name mine the address range I'm scanning. Example 0103C000.bin
5. The Scan will complete and you will get a dialog box saying the file name and how many bytes were written, click "ok"
6. Do the same for the next two "Readable Area" address ranges. The last one may take a while (20-30 minutes)
* Do Not Scan on the C000:0000 address range, there are NO MEID or ESN values in this range and if you scan this range you will get the "out of range" error and your phone WILL reboot and you WILL have to start the scanning process over again.
7. Once you have scanned all three address ranges move on to the next section. Do not close CDMA WS 2.7 yet.
Do NOT reboot or disconnect your phone

Getting your ESN and MEID addresses

1. While still in CDMA WS 2.7 go back to the "Security" Tab.
2. Under "ESN" click "Read" This will output your ESN in this format -> 81380CRA:2F5D28D1
3. Copy the first part of the ESN only to notepad, the second portion is not needed.
4. Close CDMA WS 2.7, we are done with it for now.
5. Open QXDM
6. Under "Options" on the main menu click "Communications.."
7. Set "Target Port" to your COM port for your device.
8. Click "Ok"
9. Click "View" on the main menu, navigate to New -> Common -> Command Output (this will open a black command prompt window in QXDM.)
10. in the "Command" text field at the bottom of QXDM type "RequestNVItemRead meid" and press enter.
11. Your MEID string will be displayed as fallows, copy this to notepad with your ESN.
22:25:40.971 meid = 0x00A10000053179FF
12. Minimize QXDM, we are done with it for a while.

Preparing your MEID and ESN values and flipping them

1. In Notepad take your ESN and MEID values and strip them of the 0x00's as follows:
MEID = 0x00A10000053179FF
Change to = A10000053179FF

2. Now flip the values as shown and add a space between every two values:
MEID Original = A10000053179FF
MEID Flipped = FF 79 31 05 00 00 A1

ESN Original = 81380CRA
ESN Flipped = RA 0C 38 81

3. Now move to the next section, make sure to save this notepad file.

Finding your Memory Locations using HxD

1. Open HxD
2. Go to File and click Open and navigate to the location you saved your .bin output files from your memory scans in CDMA WS 2.7
3. Load the first one
4. Click on the very first "black text" value in the top left corner, this will ensure you are starting your search from the very TOP of the dump file.
5. On the File menu click "Search -> Find" or do a Cntrl + F
6. Change the drop down Datatype to "Hex-Values"
7. Copy and paste your "reversed" MEID values WITH the spaces into the "Search For:" field
8. Click OK.
* My first set of address ranges never had any MEID or ESN values, the Second always had 3 of each and the Third had 4
to 5.
9. Once you find a location make a note of it in notepad.
Example of locations found This is your location to note ---> 00006EA0 05 00 00 00 01 00 00 00 B6
00 00 00 09 01 01 00
10. Search for all the other MEID and ESN locations using this same method. To search for the next location go to file menu "Search -> Find Again"
*Note. When writing the memory locations down in notepad always group the MEID's and ESN addresses found under the memory scan locations from CDMA WS 2.7, this is very important for later when you do your calculations!
Example:
1075:B900 <-Memory Location from CDMA WS 2.7
MEID
00011490
ESN
00000090

1082:8600 <-Memory Location from CDMA WS 2.7
MEID
00099C20
ESN
0009FE90
11. Once you have found all the locations from all your .bin files move onto the next section.

Converting the memory locations found to HEX values

Now that you have found almost all the values (there's hidden ESN values you will scan for later ) you will now need to calculate your hex values which will give you the exact memory location addresses for each of your MEID and ESN memory locations.

1. Open this Hex calculator website
2. Under the "Required Data Entry" enter the memory location from CDMA WS 2.7 in the "Enter a Hex Value" field.
Example 1075:B900 (remove the : ) -> 1075B900
3. In the "Enter a Second Hex Value" field enter the location you found in HxD Example 0001C810
4. Click "Calculate"
5. Copy the output from "Calculated Hex Addition" to notepad next to the value you used fro the addition and add a 0x to the front of each value.
6. Repeat for each of the MEID and ESN addresses, make sure you change the CDMA WS 2.7 memory address values when you move into another scanned memory section.

Here are all the values I found:

0103:8900 <-Memory Range

MEID
N/A

ESN
N/A

1075:B900 <-Memory Range

MEID
00011490 = 0x1076cd90
00018080 = 0x10773980
0001C810 = 0x10778110

ESN
00000090 = 0x1075b990
000139C0 = 0x1076f2c0
0001B580 = 0x10776e80
0001D310 = 0x10778c10

1082:8600 <-Memory Range

MEID
00099C20 = 0x108c2220
00184DB0 = 0x109ad3b0
00184E80 = 0x109ad480
00191FB0 = 0x109ba5b0
00000000 = 0x015CF49C

ESN
00000000 = 0x015D52C8
00033060 = 0x1085b660
00099790 = 0x108c1d90
0009FE90 = 0x108c8490
000AB670 = 0x108d3c70
000B09E0 = 0x108d8fe0
00000000 = 0x015D52C8

7. Once you have found all your values and have done all your calculations save the notepad file and move to the next section.

Zeroing out your ESN and MEID values in QXDM

At this point if you followed the instruction QXDM should be minimized and still connected to your phone. Your phone should still be SPC unlocked and there should have been NO reboots in the entire process. If you did get a reboot you will need to rescan your memory addresses as they change when the phone is rebooted.

1. Maximize QXDM
2. Go to the file menu and select "View -> New -> Common -> Memory Viewer"
3. Change the drop down box next to "Rows" from 8 to 16
4. Now carefully copy a MEID or ESN address from your saved notepad file to the "Address" field and press enter. Example: 0x108D8FE0
5. Find your FLIPPED ESN or MEID address in the string and change ONLY those values to 00 (zero's)
DO NOT CHANGE ANYTHING ELSE EVEN IF IT IS CLOSE OR OFF BY EVEN ONE DIGIT!!!! (You may permanently damage your phone!)

6. Once you change the MEID or ESN to zero click "Write" The values will change from red to black indicating they have been written.
7. Do this for all the rest of your MEID and ESN values and when you have finished move to the next section.

Verifying you have Zero'd out your MEID and ESN

1. Bring the Command Output Window back to the front.
2. In the Command field at the bottom type "RequestNVItemRead meid" it should display:
22:25:40.971 DIAG TX item:
22:25:40.971 meid = 0x0000000000000000
22:25:40.971 DIAG RX item:
22:25:40.971 meid = 0x0000000000000000
3. If your MEID is zero'd out proceed to step 4.
If your MEID is not zero'd out. Don’t bother proceeding to ESN you MUST zero out your MEID before you can change your ESN.
* If your MEID did not zero out and you used all the address locations you could possibly find by scanning I highly suggest going through the forums and trying all the MEID addresses people have submitted. I will also include a master list of all the ones I can find at the bottom of this post.
4. In the Command field at the bottom type "RequestNVItemRead esn" it should display:
23:39:40.442 DIAG TX item:
23:39:40.442 esn = 0x00000000
23:39:40.442 DIAG RX item:
23:39:40.442 esn = 0x00000000
5. Now unplug the phone from the USB cable and Reboot it.!

Verifying your MEID is now Zero'd out after reboot
1. Once your phone reboots dial ##3424# and reconnect the USB cable.
2. in QXDM you need to SPC unlock the phone so in the command field type "SPC [your MSL]" Your MSL we noted early on!
3. Press enter and you should see:
23:44:37.981 s23:44:38.011 RequestItem "Send Service Programming Code Request" 0x31 0x32 0x33 0x34 0x35
0x36
spc 123456
23:44:38.120 DIAG TX item:
23:44:38.120 Security Code[0] = 0x31
23:44:38.120 Security Code[1] = 0x32
23:44:38.120 Security Code[2] = 0x33
23:44:38.120 Security Code[3] = 0x34
23:44:38.120 Security Code[4] = 0x35
23:44:38.120 Security Code[5] = 0x36
23:44:38.120 DIAG RX item:
23:44:38.120 SPC Result = Correct
Your phone is now unlocked and ready to for the MEID and ESN to be verified.
4. In the Command field at the bottom type "RequestNVItemRead meid" it should be zero'd out.
5. In the Command field at the bottom type "RequestNVItemRead esn" it will have reverted to the original ESN.
This is expected!
6. Now go back into "Memory Viewer" and zero out all the ESN addresses again.
7. Once you have zero'd out all the ESN addresses verify the ESN is zero'd out by typing "RequestNVItemRead esn" into the command field with the command prompt brought to the front.
8. Regardless of if the ESN is completely zero'd out or not proceed to the next step. This is how you uncover the hidden ESN memory entries and any locatons that may have changed from the reboot!
*Do Not disconnect the phone or reboot it!

Now put the phone into AIRPLANE MODE, let is sit for a minute and then Re-Enable CDMA (disable airplane mode) Now proceed!

Finding the last hidden ESN entries using CDMA WS 2.7
1. Close QXDM
2. Open CDMA WS 2.7 and establish a connection with the phone as outlined in the above section(s.)
3. Click the "Security" tab.
4. Click "Read" under ESN
5. Your Original ESN should now be displayed
6. Under ESN change the drop down box value to "Universal, RAM method"
7. Click "Write"
8. A "Choose Action" box will appear. Select "Scan Memory for ESN addresses" and click OK
9. A "Choose Addresses" box will appear. Set start address to 0000:0000 and end address to C000:0000
10. Click OK
11. The phone will now scan through all the memory locations looking for the ESN up to C000:0000 It will take about 20 minutes to complete.
Output will look like this:
Scanning memory for ESN addresses:
ESN address has been found at: 0104:2B18
ESN address has been found at: 0104:3148
12. When the scan completes it will ask you to save it to a file, name it ESN_Scan and save it with your other notepad files!
13. Close CDMA WS 2.7 and proceed to the next section.

Zeroing out the last ESN addresses and writing the MEID

1. Re-Open QXDM
2. In the command field at the bottom type "RequestNVItemRead meid" and verify MEID is still zero'd out! (If not you will need to rescan all your memory locations! I know.. it sucks!!!)
3. If MEID is still zero'd out open "Memory Viewer"
4. Now open the "ESN_Scan.txt" file you saved and search for each address by removing the : and adding a 0x to the front. Example 0x01042B18
5. Zero out all of the ESN entries in the same manner as described earlier, click "write" when finished.
6. Once all the ESN memory address locations are zero'd out go back to the command output window and type "RequestNVItemRead esn" in the command field at the bottom and hit enter.
7. With luck your esn should report as follows:
00:09:13.344 DIAG TX item:
00:09:13.344 esn = 0x00000000
00:09:13.344 DIAG RX item:
00:09:13.344 esn = 0x00000000
8. The ESN is now zero'd out! Try to write your MEID by using the following command "RequestNVItemWrite meid 0x00A100000XXXXXXX"
9. If it succeeds it will show:
00:11:53.415 DIAG TX item:
00:11:53.415 meid = 0x00A100000XXXXXX
00:11:53.415 DIAG RX item:
00:11:53.415 meid = 0x00A100000XXXXXX
10. Your MEID has now successfully been written and your ESN will be automatically generated from your MEID.
Disconnect the phone and reboot it and verify the MEID has stayed changed!

Changing your MDN and MSID
Now that your phone has been repaired you need to update your MDN and MSID to reconnect to the network for voice and text messages.
1. Turn on the Phone
2. Dial ##[your MSL]# to allow you to enter EPST. Your MSL should not have changed from the one you noted earlier before the MEID repair but If it did go to the steps above on how to find your MSL with CDMA WS 2.7
3. Chose "Edit Mode"
4. Edit your Mobile Directory Number (MDN) and enter the one for your wireless network
5. Click "Ok"
6. Edit your MSID and enter the one for your wireless network
7. Click "Ok"
8. Press the "Menu" key and select "Commit Modifications" and the phone will reboot.
9. Once rebooted try to dial out and send yourself a text message!

You are done! Enjoy!

Questions and Answers:

Q: After I get Data working I am prompted that there is an update avaliable to download from Sprint. The update is to build 2.31.651.7 Can I upgrade?
A: Yes, the MEID, ESN and Data values will not change after the upgrade.

Q: Can I downgrade to Sprint 2.27.651.5 to Root?
A: Absolutely, the MEID, ESN and Data values do not change after the downgrade.

Q: Can I install custom ROMS?
A: Yes, once you have changed the MEID and ESN the only way to revert it back is by doing a ##786# and hitting "Menu" then "Reset" This will wipe your device and restore factory settings and values.

Q: Can I choose "Wipe / Factory Reset" when flashing custom roms in Recovery Mode?
A: Yes, most custom ROM's insist you must use the WIPE option in recovery before flashing the new ROM. You will not lose any of the MEID, ESN or Data Settings.

Q: I've zero'd out my ESN and MEID but my ESN keeps coming back, or I can not write my MEID. I get "unable to build buffer" error.
A: After you zero out your MEID and ESN put the phone into airplane mode then turn off airplane mode and rescan for your ESN addresses. This should uncover the last one or two ESN values not found by initial scans.

Q: My MEID says it is zero'd out but after a reboot it comes back, what am I doing wrong?
A: You are missing one or more MEID or ESN values that are not showing up in the memory scans. Depending on the radio flashed to the phone I was unable to find atleast one every time. Use the MEID or ESN addresses I have posted below and try to find your missing location. Zero it out and reboot the phone and see if it sticks

MEID and ESN Address locations by Radio / Rom

Here are all the MEID and ESN addresses I have found through the forums or by doing my own scans. If you cannot zero out your MEID I suggest trying the ones listed under the radio / rom you currently have on your device.

1.29 Radio 1.56 Radio Fresh 2.4.0 Sprint 2.1_5 Sprint 2.1_6
MEID MEID MEID MEID MEID
0x0142201C 0x0142201C 0x1076cd90 0x1876a650 0x1076cd90
0x01422028 0x01422028 0x10773980 0x18771240 0x10773980
0x015B46DC 0x015B46DC 0x10778110 0x187759d0 0x10778110
0x1876A658 0x1876A658 0x108c2220 0x0142201C 0x108c2220
0x18771248 0x18771248 0x108c2230 0x015B46DC 0x109ad3b0
0x187759D0 0x187759D0 0x109ad3b0 0x188bf9a0 0x109ad480
0x188BF9AC 0x188BF9AC 0x109ad480 0x189aaae0 0x109ba5b0
0x189AAAEC 0x189AAAEC 0x109ba5b0 0x189aabb0 0x015CF49C
0x189AABBC 0x189AABBC 0x0142201C 0x189b7cf0
0x189B7CF0 0x189B7CF0 0x015B46DC

ESN ESN ESN ESN ESN
0x015ADA85 0x015b8cF9 0x1076f2c0 0x1876cb80 0x1075b990
0x015ADB53 0x015AF5C5 0x10776e80 0x18774740 0x1076f2c0
0x015AF5C5 0x015ADA85 0x10778c10 0x187764c0 0x10776e80
0x015AF58F 0x015ADB53 0x1085b660 0x015BA508 0x10778c10
0x015AF693 0x015AF5C5 0x108c1d90 0x18858de0 0x015D52C8
0x1876CB80 0x015AF58F 0x108c1e60 0x188bf510 0x1085b660
0x18774744 0x015AF693 0x108c8490 0x188bf5e0 0x108c1d90
0x187764CC 0x1876CB80 0x108d8fe0 0x188c5c10 0x108c8490
0x18858DE8 0x188c6b14 0x015D52C8 0x188c9a20 0x108d3c70
0x188BF514 0x18774744 0x10776E84 0x188d6760 0x108d8fe0
0x188BF5EC 0x187764CC 0x10778C18 0x015D52C8
0x188C5C18 0x18858DE8 0x1085B668
0x188CEB58 0x188BF514 0x108C1D94
0x188D13F0 0x188BF5EC 0x108C1E6C
0x188D6760 0x188C5C18 0x108C8498
0x18D4133D 0x188CEB58 0x108CC2A8
0x188D13F0 0x108D8FE0

I thought I had gotten it but I can't seem to zero out my meid..I've put in all the addresses I could find on the different threads (which I will post here one I get this figured out) but still no luck. I was able to find two more instances of my meid with one of the addresses you posted(the first one actually) but my meid still isn't cleared.

One thing that did slightly confuse me though was this statement: "2. Under "Scan Memory" leave the start address as 0000:0000 and set the "End Address" to 2000:0000
*Very important, do not let the phone reboot this is why I set the address range to C000:0000 if you go over this value the scan will go out of range and reboot the device automatically." I set the start and end to what you said but where does the C000:0000 come in at.

Oh, and one more thing..what I went to save the bin files, it gave me an out of range error for the last two..why would it do that?

Thanks for any help, this has been a great write up...just wish I knew the password to that automation file that wcars05 posted..

Conrad, try this...
1) scan your phone using CDMAWS for ESN/MEID locations
2) zero out those locations using QXDM...do not reboot phone until step 7
3) in QXDM, verify that your ESN is zero'd out by typing "RequestNVItemRead esn". You'll know it's zero'd out if both the Tx and Rx response says all zeros
4) in QXDM, verify that your MEID is zero'd out by typing "RequestNVItemRead meid". You'll know it's zero'd out if both the Tx and Rx response says all zeros
5) if either ESN/MEID is not zero'd out from the QXDM output, rescan the phone in the appropriate locations and you should see new ESN/MEID locations show up. If you are using CDMAWS 2.7, this should be easy to do for ESN...for MEID you will have to dump memory location to a bin file and manually scan for the MEID using a hex editor for the appropriate offsets.
6) if you were lucky enough to get all zeros in both steps (3) and (4), then immediately put the phone into into MEID mode with "RequestNVItemWrite scm 0x3a" followed by a "RequestNVItemWrite meid 0xA100000XXXXXXXX" to write the new MEID.
7) reboot

Somehow these phones can shift ESN/MEID locations around and the only way I've found to locate all these dynamic addresses is repeat steps (1)-(4) until QXDM verifies everything is zerod out.

If you are using CDMAWS 2.7, the amount of work required will vary depending on whether it's your ESN (easier) or MEID (more work) that keeps reverting back. This is because CDMAWS 2.7 has a feature to scan memory locations for your ESN, but MEID searching is only available in newer versions of CDMAWS.

Since it's your MEID that is not zero'd out, you will have to grin and bear it and keep doing more scan dumps. I don't have an explanation for it, but I have noticed that the phone will shift MEID locations around as commands are issued to the phone (this includes commands we send to try and zero the ESN/MEID out). So here's what I would do if I were you:

Do NOT reboot the phone until you make it to step (5)!!!

0) Either use CDMAWS or QXDM to send your SPC to the phone.

1) Scan readable memory locations with CDMAWS 2.7. Use start as 0000:0000 and end as 2000:0000. You will get output like this:

----------------------------------------------
Scanning memory for readable areas:
Unreadable area from: 0000:0000
Readable area from: 0103:C000
Unreadable area from: 0161:C000
Readable area from: 1075:C000
Unreadable area from: 1079:0000
Readable area from: 1082:C000
Unreadable area from: 10D5:4000
----------------------------------------------

Just a note, you may miss small memory areas when you use a step byte of 16384 as suggested by the guide. For example, the actual first readable area might be 0102:FF84 instead of 0103:0000. By using a smaller step byte size, you can nail down the start readable addresses down to a single byte! I have had cases where I found ESN/MEID locations in these areas and it drove me crazy trying to figure out what I was doing wrong.

2) For each of the readable areas, you then need to go to "Memory" tab and dump these locations to a bin file. For example, for the first readable area you would use Start as 0103:C000 and size of 99999999. Remember the 0103:C000 as this is the offset (0x0103C000) you will put into Wcar's tool once you open the dumped bin in his tool. It looks like his tool is misreporting found MEID locations by 1 byte, so you will have to adjust your MEID locations for this.

3) Once you have obtained the MEID locations from Wcar's tool, then open up QXDM and zero all MEID locations you found in step (2). After you are done use the command "RequestNVItemRead meid" to see if both the Tx and Rx responses from QXDM are all zeros. If so, you can move onto step (4). If not, you will need to repeat steps 2-3 and you should find more MEID addresses magically appear. Repeat until you can move onto step (4).

4) Immediately after you have verified MEID is zero'd out, type in "RequestNVItemWrite scm 0x3a" followed by a "RequestNVItemWrite meid 0xA100000XXXXXXXX" to write your new MEID. Verify the new MEID has been written by typing in "RequestNVItemRead meid".

5) Now you can finally reboot your phone! After it has rebooted, you need to change MDN and MSID, followed by the profile 0 and profile 1 to get EVDO data working.

It's a long and tedious process (and moreso when searching for MEID locations) to keep dumping the memory locations but this is the only foolproof way I have found to make sure everything zero's out. I have done 5 Hero's now and each phone is different. Sometimes you get lucky and only one scan/dump is needed. But usually after the 2nd redump I can always zero out a pesky Hero.

Good luck

The method posted by sledwrecker and details I gave work for any phone...it's not specific to the Hero so should work on your Eris. On the byte size its fine to start with 16384 but gradually lower this so you can pinpoint the exact start address down to a single byte. The byte size is the step size(in Decimal) that CDMAWS uses to sample the memory locations to see if its readable. By using 16384 it's quicker to roughly map out the readable memory locations but you could miss the actual start readable location unless you start to reduce the step size to zero in on the start location. So you just have to iterate using smaller step sizes until you get the exact start address down. Example

1) start 0000:0000 to stop 2000:0000 step 16384 -> Readable area from: 0103:C000
2) start 0103:8000 to stop 0103:C000 step 256 -> Readable area from: 0103:BF80
3) start 0103:BF80 to stop 0103:C000 step 1 -> Readable area from: 0103:BF87

You need to do this for all the readable blocks to pinpoint the exact start address to scan. Finally, if you have ESN blanked out...don't revert it back to the original number!!! You're only creating more work for yourself. Focus on zeroing out the MEID. Follow the steps as I've outlined it...it will work just pay attention to the details. Your task is to be persistent to find those dynamic MEID locations that keep shifting around