Hello my dear friend, today i discovered something good, or not. I finally re-unlock bootloader, but this is some strange to explain.
You are doing now a port from WW to Chinese version, and, in my search to knowledge about this phone i find something, the bootloader was locked with a seccfg partition instruction, and believe, this partition is the only what you can flash with mtk-su temp root.
Months ago i try to unlock bootloader with asus unlock tool, and i do it, but when you try getvar all the system says Unlocked: no, but the BL it already unlocked after this.
Then using WWR tool and SPFlashTool i dump my WW firmware, but i do some mistake after backup my rom, clicking in Erase all in SPFlashTool, reset all system including NVRAM and seccfg, after this things the BL lock again, like a new smartphone, IMEI, and all others things reset to zero. Using others tools IMEI and other adresses worked ok.
I know, you thinking "why you do not use the backup firmware", when i try this discovered, if you try flash using SPFlashTool you cant do anything, BROM error appers, the dump rom ins no signed with Asus signature system, if you try dd, in the WW version, you cannot do anything because a Android Security System called AVB((Android Verified Boot)SP not flash unsigned images too), and the bootloader lock this. In chinese version the smartphone firmware also have seccfg, but the bootloader is old than WW version, because this you can do the dd with locked bootloader. Next to that, still has the question about DM(digital managment) or something like this, what block the copy and piracy products with their rights, chinese version without google apps dont have anything like the dm block.
Temp root work in WW version, and with lucky i try to flash some partitions, the bootloader emmcblk0boot0/boot0 partitions are not permitted but, seccfg, proinfo and some others you can. Using this i flash the dump of my older firmware, and work, after the BL unlocked again, without erase all data or other things, i flash magisk, and now i got a rooted X018D.
The bad news is, my seccfg is codified to work with my SN/IMEI, i try flash again with other SN what i modified with SNWriter, just to test, and my bootloader locked again, the i restore my Serial and my BL unlocked again. Give to you my seccfg partition not do anything in your phone or other.
I try various times unpack seccfg and preloader.bin, but i dont know programs to do it. If I find any way to unpack or reverse engineering in seccfg i have the locked and unlocked, signed to my phone, if you know any tool to do this i can compare two programming in seccfg, preloader.bin and other paritions, if discover anything or way to remove the block, we can do universal seccfg or preloader to unlock all X018D.
This enable a lot of possiblity like port custom roms, and develpment, like port WW to Chinese version.
Also, i discovered why some people have bootloop when use dd to flash boot image with temp root or other ways, the preloader system block if the image no signed with some key(what i dont know), and reset the boot, because Android Verified Boot, and the /system partition cant remounted rw, this is so bad, but you can change group and owner with temp root if someone want to try new things. If you known some way to signed boot.img.
You cant dump your firmware with temp root and dd, i do it to test and work ok, anyone can do it. just dd if=path/to/partition of=/sdcard/ if someone got seccfg to you dd in your smartphone and try unlock BL, but mine not work in other phontes, or just a bug.
