Mikrotik RB750 r2 series POE

Can you share the exploit with us?

ps:

# /nova/bin/poeupdatefwv3 /dev/poe "/etc/poeio.atflash" 
Input file /etc/poeio.atflash, length 3952 bytes (3.9Kb)
 main 787
poe update ATTINNY
enter programming mode: Invalid argument
poe update finished, res 2

Try these commands:

/sbin/insmod -r poe_v2
/sbin/insmod poeupdate
# cache program and data in RAM as NAND is locked during update
cat /nova/bin/poeupdatefw /etc/poeio.atflash > /dev/null
/nova/bin/poeupdatefw /etc/poeio.atflash
# /sbin/insmod -r poe_v2
could not unload module poe_v2: Resource temporarily unavailable
# /sbin/insmod poeupdate
could not load module poeupdate.ko: Device or resource busy

It seems that such a thing can be done only at the time when the system is started (from /etc/rc.d/run.d/S03poeupdate).

Try this sh script: http://hosting.yapic.net/lede/attiny_write.sh.txt
You need to boot from memory (via network, without using a SPI flash drive)!!!
And you will need a new version of mtpoe_ctrl: https://github.com/adron-s/mtpoe_ctrl/commit/8abf25f127913476f1115ed4e9ac3fb4f78c7cbf
Good luck.

I reloaded the sh file. The old one has a mistake! Please reload!

Will give it a try when I get back home.

I updated the sh file. Added setup of the lock and fuse bits. Please reload!

Not working, all I get are a ton of responses like this.

}
{
  action: "raw_send",
  tx: "0x40 0x00 0x19 0x81",
  rx: "0x00 0x00 0x00 0x00"
}
{
  action: "raw_send",
  tx: "0x48 0x00 0x19 0x50",
  rx: "0x00 0x00 0x00 0x00"
}
{
  action: "raw_send",
  tx: "0x40 0x00 0x1A 0x80",
  rx: "0x00 0x00 0x00 0x00"
}
{
  action: "raw_send",
  tx: "0x48 0x00 0x1A 0x93",
  rx: "0x00 0x00 0x00 0x00"
}

rx is always zero.... :(

Let's start in order.

echo 0 > /sys/class/gpio/gpio14/value
mtpoe_ctrl --action=raw_send --raw_hex_val="AC 53 00 00"

What returns?

Ok, here we go....

root@OpenWrt:~# echo 0 > /sys/class/gpio/gpio14/value
root@OpenWrt:~# mtpoe_ctrl --action=raw_send --raw_hex_val="AC 53 00 00"
{
  action: "raw_send",
  tx: "0xAC 0x53 0x00 0x00",
  rx: "0x00 0x00 0x00 0x00"
}

This is bad. The ATtiny does not even go into programming mode. There can be several reasons: a microcontroller hardware malfunction, or a previously set value of the fuse bits that prohibits reprogramming.

Hm, I am gonna try the avrdude way tomorrow.
And, I am sure that they have programming pins on one of the headers.
Mikrotik usually always leaves stuff like that for production programming.

avrdude does not help. Let's see https://github.com/SpenceKonde/ATTinyCore/blob/master/avr/avrdude.conf

Search for string: "ATtiny461"
pgm_enable          = "1 0 1 0  1 1 0 0   0 1 0 1  0 0 1 1",
"x x x x x x x x x x x x x x x x";

"1 0 1 0 1 1 0 0 0 1 0 1 0 0 1 1" this is "AC 53" - Programming Enable.

In response, the microcontroller should respond "0x00 0x00 0x53 0x00"

The ATtiny461a programming is carried out via the SPI bus at a LOW level on the GPIO 14. There are no other options.

If I were you, I'd look for where to buy a new chip, solder it instead of the old and try to program it using the above script.

And on my test PowerBox after the commands:

echo 0 > /sys/class/gpio/gpio14/value
mtpoe_ctrl --action=raw_send --raw_hex_val="AC 53 00 00"

I get what I need in return: 0x00 0x00 0x53 0x00

It could easily be that the lock bit was set and SPI or HVP programming won't work.

Yes. And also because of the fuse bits, the microcontroller can use the external clock source that is missing.
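
Added example, not part of the thread and not code from mtpoe_ctrl: a small shell helper that turns the avrdude.conf pgm_enable bit pattern quoted above into the bytes to send, and classifies a raw_send reply by checking whether the third rx byte echoes 0x53. The function names (bits_to_hex, check_pgm_enable, sample_failed, sample_ok) are hypothetical, the reply layout is assumed to match the output pasted in the thread, and the "working" sample is constructed from the expected rx bytes.

```shell
#!/bin/sh
# Added example, not from the thread. Pure parsing: touches no hardware.

# avrdude.conf pgm_enable pattern for the ATtiny461, as quoted in the thread.
PGM_ENABLE_BITS='"1 0 1 0  1 1 0 0   0 1 0 1  0 0 1 1", "x x x x x x x x x x x x x x x x";'

# Convert an avrdude.conf bit pattern to hex bytes ("x" = don't care, sent as 0).
bits_to_hex() {
    out=""; acc=0; n=0
    for b in $(printf '%s' "$1" | tr -d '",;'); do
        case "$b" in
            1)   acc=$((acc * 2 + 1)) ;;
            0|x) acc=$((acc * 2)) ;;
            *)   return 1 ;;                 # unexpected token
        esac
        n=$((n + 1))
        if [ "$n" -eq 8 ]; then
            out="$out$(printf '%02X' "$acc") "; acc=0; n=0
        fi
    done
    [ "$n" -eq 0 ] || return 1               # must be whole bytes
    printf '%s\n' "${out% }"
}

# Read raw_send output on stdin and classify the reply to Programming Enable.
# Only the third rx byte matters: the AVR echoes 0x53 there once it is in sync.
check_pgm_enable() {
    rx=$(sed -n 's/^ *rx: *"\(.*\)".*$/\1/p' | head -n 1)
    [ -n "$rx" ] || { echo "no-rx-field"; return 2; }
    set -- $rx
    [ "$#" -eq 4 ] || { echo "malformed"; return 2; }
    if [ "$3" = "0x53" ]; then echo "in-sync"; return 0; fi
    if [ "$rx" = "0x00 0x00 0x00 0x00" ]; then echo "no-response"; return 1; fi
    echo "out-of-sync"; return 1
}

# The failing reply posted in the thread.
sample_failed() {
    printf '{\n  action: "raw_send",\n  tx: "0xAC 0x53 0x00 0x00",\n  rx: "0x00 0x00 0x00 0x00"\n}\n'
}
# Constructed sample: same layout, with the rx bytes the thread says are expected.
sample_ok() {
    printf '{\n  action: "raw_send",\n  tx: "0xAC 0x53 0x00 0x00",\n  rx: "0x00 0x00 0x53 0x00"\n}\n'
}

echo "command bytes: $(bits_to_hex "$PGM_ENABLE_BITS")"
echo "thread reply:  $(sample_failed | check_pgm_enable)"
echo "working reply: $(sample_ok | check_pgm_enable)"
```

On a device, the output of the mtpoe_ctrl raw_send command shown in the thread can be piped into check_pgm_enable; a non-zero exit status means the chip did not acknowledge Programming Enable, so no further programming commands should be sent.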