The regular boot sequence of a typical Qualcomm Snapdragon chipset-powered Android device is initiated with the Primary Bootloader (PBL), although there exists an alternative boot mode called Emergency Download Mode (EDL). The latter is strictly intended for OEM servicing and can be used to 'unbrick' a device with appropriate software binaries via a protocol named 'Firehose'. Interestingly, EDL is often utilized by tinkerers to get low-level partition access, which can further be exploited to achieve bootloader unlock on some devices. Based on this principle as well as the previous research work done by the Aleph Security team, XDA Senior Member alexenferman has now discovered a generic method to unlock the bootloader of a bunch of ZTE phones without any data loss.

ZTE apparently uses the 'devinfo' partition to store crucial bootloader state parameters, including the lock/unlock status. As the Firehose protocol has a provision of reading the contents of individual partitions, one can dump the 'devinfo' partition from a bootloader-locked device, change the offset where the unlocking parameters are stored, and write the modified image back to the device to unlock the bootloader. Unlike Xiaomi and some other OEMs, ZTE doesn't even put a safeguard before the EDL mode against such 'attacks', thus you can easily trigger the device to boot to emergency download mode via a simple ADB command. The only catch is that the method won't work on ZTE phones that launched with Android 8.0 Oreo or newer, and it also won't work on flagship devices like the Axon 9 Pro, Axon 10 Pro, Axon M, etc.

zte_bootloader_unlock_devinfo_qfil
Dumping the 'devinfo' partition using QFIL

According to XDA Recognized Developer deadman96385, this method works with the following devices:

Additionally, the ZTE Avid 4, ZTE Tempo X, ZTE Imperial Max, and ZTE Grand X View 2 should also be compatible with this procedure. Interested users should take a look at deadman96385's unofficial ZTE Firehose repo and pick the right set of programmers before fiddling with their devices. The step-by-step bootloader unlocking process can be found in the thread linked below.

Bootloader Unlocking on Qualcomm ZTE Devices — XDA Discussion Thread