[Q] How do you scan MEID locations with CDMA Workshop 2.7? That's all I want to know.


jabu

Member
Sep 6, 2007
42
6
Samsung Galaxy S5
LG Nexus 5X
Phone: HTC Droid Incredible, Android 2.2, Baseband Version 2.15.00.07.28

Tools: CDMA Workshop 2.7, QXDM 3.9.19, QPST 2.7, Winhex, Scientific calculator (RealCalc app)

Step 1. Download the HTC diagnostic drivers.

Step 2. Connect the phone to the computer & dial ##3424# to put the phone in diagnostic mode. It will ask to install the diagnostic drivers; manually install the drivers from the location where you downloaded them.

You need to keep the phone in Diagnostic Mode for Programming.

Step 3. Now open QPST Configuration & select the port the phone is on
phone is now showing try to Add port.

Step 4. Open CDMA Workshop 2.7. Select the port on which the phone is connected.
Connect the phone & then press Read.

Step 5. Now go to the Security tab and send the SPC 000000. Press the Read button in ESN, then select Universal Ram Method from the drop-down menu.
Press the Write button. It will ask for 2 options; select the 2nd option, "Scan for ESN Addresses".
Leave the locations as is and click OK. While scanning you will get all the pESN locations.
It will ask you to save the pESN locations txt file after the scan is finished. Choose to save on the desktop for easy location of the file.

If you don't want to scan these are my ESN Locations for Incredible.
ESN addresses:
0x00FCADB0 0x00FCC67C 0x00FDD590 0x00FED590 0x01144E1C 0x01275C2C 0x015F2CA8 0x017C191C 0x017C1D7C 0x017C8238 0x01882F24 0x01D34C12
(Please do your own scans)

Step 6. Now go to the Memory tab. In the "Memory/Eeprom" area, enter the beginning of the address range in the Start box, "00FA:0000", and "296124 bytes" in the "Size (bytes)" box. Now click "Read"; it will ask you to save to a file. Do this for "BOTH REGIONS" you scanned. The second region will likely take a while. Its range address is "0108:0000" and "13500000 bytes".

Step 7. Press the (Phone) button on the home screen to get to the dial pad and enter ##778, then press Call. Select view mode and then display. Find the MEID (Hex) and the ESN (Hex). They should look something like this.

MEID: A1000009C57FQZ
ESN: 8373B5C5

Now pay close attention. Following the example MEID and ESN I provided above, you're going to separate every 2 characters and then you are going to flip a few to make it backwards. Just follow my model and do the same to your numbers.

Original: MEID: A1000009C57FQZ
ESN: 8373B5C5

Separated: MEID: A1 00 00 09 C5 7F QZ
ESN: 83 73 B5 C5

Now Flipped: MEID: QZ 7F C5 09 00 00 A1
ESN: C5 B5 73 83

Step 8. Now that you have your .bin files, open them up in Winhex. Hit CTRL+Alt+X to find the hex values you're looking for: your reversed MEID: QZ7FC5090000A1 & ESN: C5B57383. Look at the line your hex value begins on: on the left side of the screen is the line number written in hex. Put the calculator into hex mode, then add this value to the value which represents the start of your memory range for that dump. This will be your memory location in hex.
For example, if your range started at 00FA:0000 and you find something you're looking for on line 311B8, you would add FA0000 to 311B8 in your calculator and get FD11B8; add a few 0's and a : and you have the memory location of 00FD:11B8 or 0x00FD11B8.
By the calculations above you will get all MEID locations in QXDM.
Now, after you have all MEID & pESN locations, you can proceed to the next step.

If you don't want to scan these are my MEID Locations for Incredible.
MEID Addresses: 0x00FAC594 0x00FCD950 0x00FD8350 0x015E7E8C 0x015E7E98 0x017C1DD0 0x018E7A14 0x01D38E2C 0x01D546C1 0x01D3A540
(Please do your own scans)

Step 9. Open QXDM, go to Communication, and select the port. Now in the command line type "mode offline-d" & press Enter, then type "spc 000000" & press Enter again. Now press F4 and the memory viewer will open. First start by changing the rows from 8 to 16, then put in the address you got for MEID, for example 0x00FD11B8, & press Enter. Now you will get your 14-digit MEID in reverse. Make it zero & press Write. (Note: some MEID numbers continue onto other lines, so read each location thoroughly and zero them out, please.) After you have made the MEID zero, proceed in the same manner for the ESN locations & make them zero.

Step 10. Now, after the MEID & ESN have been made zero, you can confirm it by entering the commands "requestnvitemread esn" for ESN & "requestnvitemread meid" for MEID.
After you get a message that it's zero, then you can proceed to write your ESN or MEID, whichever you prefer.
Commands are
requestnvitemwrite scm 0x3a
requestnvitemwrite meid 0x(Your MEID)
MEID = actual 14 digit meid (not in reverse)
If you are writing the MEID, there is no need to write the ESN.
requestnvitemwrite esn 0x(Your ESN)
esn= actual 8 digit esn (not in reverse)

Restart your phone & hope your ESN would have changed. Now upload the PRL file of the desired operator.

I used this method on an Evo Shift and it worked great. The only instructions I could find that were complete. Thanks.
 

weinerwad3000

Senior Member
Feb 9, 2011
381
37
Flagstaff, az
An easy way to change MEID and ESN numbers (on the Evo at least) is to open EFS Explorer in QPST and create a folder called "open sesame door". Restart the phone and the nvm folder will be unlocked. Open it up and drag files 0 and 1943 to your desktop. Open them up and it will have your ESN in one and MEID in the other. Change them to 0 and drag them back into EFS. Reboot the phone and write the new numbers in QXDM.
 
Reactions: nrgyitguy

Klown80

Senior Member
Aug 22, 2011
611
342
Everywhere
Yes, way easier than scanning!

But inside the nvm folder there is a num folder, the file 0 & 1943 are inside of it :)
Sent from my PC36100 using xda premium
 
Reactions: nrgyitguy

lovejimia

Member
Oct 5, 2010
15
0
agemarc keeps

I don't see any other file in the nvn directory! The step I use to get there is right click on the main file and new directory, then put in open sesame door. Reboot and then in the nvn folder I see a file labeled prl 0. That's the only file I see. Am I doing something wrong?
 

louforgiveno

Senior Member
Jun 24, 2010
3,973
2,509
I don't see any other file in the nvn directory! The step I use to get there is right click on the main file and new directory, then put in open sesame door. Reboot and then in the nvn folder I see a file labeled prl 0. That's the only file I see. Am I doing something wrong?

Inside the "nvm" folder, click into the "num" folder and the files should be there.
 

lovejimia

Member
Oct 5, 2010
15
0
I found these offsets when I scan for MEID: 5200780 and 5200964. So how do I find the location? I did the scan 0108-0000, so will the location be 01080000+5200780 = location?
 

weinerwad3000

Senior Member
Feb 9, 2011
381
37
Flagstaff, az
I found these offsets when I scan for MEID: 5200780 and 5200964. So how do I find the location? I did the scan 0108-0000, so will the location be 01080000+5200780 = location?

There should be two sets of offsets. I assume yours is readable from 5200780-5200963 since 5200964 is where it stops being readable. So what I would do is open your calculator, set it to programmer and set it for hex. Do 5200963-5200780 and click dec to convert it to decimal. Scan from 5200780 and use the decimal number as your bytes.
 
Reactions: lovejimia

lovejimia

Member
Oct 5, 2010
15
0
OK, the **** is getting on my damn nerves! I try the EFS way and there are no files in there at all! I then tried about five radios and I got all the ESN for each one. But when I got to the MEID on each one I couldn't find the last one to clear it out! Can somebody post the MEID location to any radio for me or email me all the locations for MEID on any radio? I would be very thankful so I can get some sleep at night! lovejimia@yahoo.com
 

weinerwad3000

Senior Member
Feb 9, 2011
381
37
Flagstaff, az
OK, the **** is getting on my damn nerves! I try the EFS way and there are no files in there at all! I then tried about five radios and I got all the ESN for each one. But when I got to the MEID on each one I couldn't find the last one to clear it out! Can somebody post the MEID location to any radio for me or email me all the locations for MEID on any radio? I would be very thankful so I can get some sleep at night! lovejimia@yahoo.com

There's locations all over the web if you google it, but have you tried scanning for the MEID in airplane mode? Last time I scanned MEID addresses there were some MEIDs in areas that it said were unscannable. Not sure how to find them in this instance.
 
Reactions: lovejimia

lovejimia

Member
Oct 5, 2010
15
0
I did everything you said. I searched Google, I scanned in airplane mode and nothing! Trying to find the last MEID is a *****! With the EFS way I can't find any files at all, so the scan is my next option and that is where I'm stuck!
 

weinerwad3000

Senior Member
Feb 9, 2011
381
37
Flagstaff, az
I did everything you said. I searched Google, I scanned in airplane mode and nothing! Trying to find the last MEID is a *****! With the EFS way I can't find any files at all, so the scan is my next option and that is where I'm stuck!

You have the Evo, correct? Can you screen cap the nvm folder in EFS? What radio do you have? PM me if you want to use remote access with TeamViewer.

Also try typing RequestNVItemRead scm. If it's 0x2a, type RequestNVItemWrite scm 0x3a and vice versa. This may help depending on whether your ESN is zeroed or not. How many MEID locations do you have? There should be ten total, I believe.
 

lovejimia

Member
Oct 5, 2010
15
0
I am new to this MEID/ESN writing thing, and I don't know what "screen cap the nvm folder in efs" is. I did the open sesame door and I see only one file and it is named prl 0. Yes, I have the Evo and my radio is 2.15.00.11.19, Android version 2.2,
build number 3.70.651.1
 

jerebediah

Member
Aug 3, 2009
31
2
Richmond, Il
Open sesame

Used this and everything worked, but when I went to overwrite the files it says "An error occurred while trying to write the file 'nvm/num/0' to the phone - Error Code (222): Invalid argument". Anyone know why? I believe I did everything right... thank you!

Figured it out: you have to delete files 0 and 1943 before you can replace them...
 

Top Liked Posts

  • 2
    A lil somethin 4 da community!
    worked for me
    hw 0004
    was at 2.2 with 2.15.00.11.15 radio couldn't do anything with that but
    i upgraded to 2.3.3 rooted with 05.02 radio

    based on Radio 2.15.00.05.02

    cdmaws:scan 0150-01DC for floating ESN addresses

    with QXDM (f4) zero out PESN not "MEID" (not just yet) addresses that were found on the new scan
    Zero out ESN from PESN addresses below:



    in QXDM send command "RequestNVItemRead ESN"
    should display "00000000"

    now proceed and zero out MEID ESN including the ones that were found on the new scan:


    after run commands
    "RequestNVItemRead meid" and "RequestNVItemRead ESN"
    both should display 0000000000000

    full power off your phone and take off battery for a few seconds
    power it back on
    now zero out all MEID ESN as they will return
    then run command "RequestNVItemRead meid" and "RequestNVItemRead esn"
    should both display 00000000000
    In the field "Command" enter: "RequestNVItemWrite meid 0x&&&&&&&&&&&" replacing the "&"s with MEID

    don't power off phone yet run another check by
    running command "RequestNVItemRead meid" and "RequestNVItemRead esn"
    ESN should display successfully
    now reboot

    ##786#
    reset or restore
    allow ota provisioning
    should be okay
    might have to check profiles if anything

    good luck

    This is the right method. It's very simple if you remember you have to scan for the extra ESN floating around. I usually just scan 01D0:0000 - 01D9:FFFF. That will pop up the 2 or 3 you need. Also, so you don't zero them out one by one by one, I prefer to write a script. I'll give you guys one block; just copy and paste this and replace the ****:**** with the memory location.

    This is to check the locations first to verify the esn is there if you want

    PEEK DWORD 00FD:2DC8 1

    IT SHOULD DISPLAY YOUR ESN IF IT'S IN THAT MEMORY LOCATION

    THIS WILL WRITE ZEROS TO THE SAME LOCATION WHICH IS WHY I LIKE TO CHECK WITH PEEK BEFORE I WRITE WITH POKE

    POKE DWORD 00FD:2DC8 0X0

    Just copy the poke command and replace the memory locations

    POKE DWORD ****:**** 0X0
    POKE DWORD ****:**** 0X0
    POKE DWORD ****:**** 0X0

    Copy this as many times as you have ESN locations, around 12, then put it in a text file. Name it esn.scr and in QXDM "run esn.scr".

    Automation is quicker. But also, if you're not careful, it can automatically mess your stuff up.

    Hit the thanks if this was helpful
    Sent from my PC36100 using XDA Premium App
    2
    ok so does anyone have a full list of MEID and ESN locations for GB 2.3.3 that they can list out in this thread?
    1
    Start 00fa end 00ff /
    Start 0108 end 01d9

    (Quick search on Google)
    1
    I have only been able to find eight MEID locations for the new EVO 2.3.3 update. Google DFS CDMA Tool. It's free, you don't have to pirate it, and it scans memory and reads just fine. If anyone finds more locations, I would be interested in knowing them. Thanks in advance!
    1
    Post the MEID locations... I have the ESN locations, which are

    ESN addresses:


    the smile faces are D


    for gb 2.3.3