
Intel vPro Expert Center Blog

10 Posts tagged with the ylian tag

In the last part of the latest edition of the Intel Technology Journal (ITJ), I write about a new usage for Intel AMT and peer-to-peer computing. See Extreme Programming with Intel® vPro™ Technology: Pushing the Limits with Innovative Software.

 

The general idea is that you can use Intel AMT to represent a computer while it’s asleep to the rest of the peers. Normally, when you have lots of computers talking to each other in a peer-to-peer network and one of them goes to sleep, it just disappears from the network, just as if it had been completely disconnected.

 

Intel AMT can allow for network presence of a sleeping computer in a peer-to-peer network by creating an Intel AMT guest account that is very limited in its access (General Info + 3PDS, the third-party data store) but allows other computers in the network to occasionally connect and read its sleeping state. This has many benefits: in the past, peer-to-peer networks required all computers to be always on; this is no longer the case. By using 3PDS, computers that are off are still discoverable and searchable.

 

Imagine for a moment 100 sleeping computers in a room. Someone wakes one up and searches for a tutorial video file located on one of the other sleeping computers. With Intel AMT and a peer-to-peer network, software can search all of the computers, find the one with the file, wake it up and download the file. Everything is very power efficient.

 

This technique does not have to be used only for files; you can find hardware, free disk space, backups, software and hardware services, etc.

 

Ylian

 


0 Comments Permalink

Well, my co-authors and I are in the final stages of writing the book on Intel AMT. It’s called Active Platform Management Demystified and it’s been a lot of work. Lots of authors’ meetings. For me, many hours alone at the Roadhouse, a local restaurant, writing chapters. Throughout the last few months, I was lucky not to have any writer’s block; in fact, it would have been easy to write huge chapters, just dumping my entire brain’s contents into a word processor. The original plan was to write 13 chapters, but the book is coming out with 19 chapters.

 

We are going through the final edits now before the final manuscript heads off to real layout and other book-related professionals, so it’s still going to be a while before I can touch a printed copy. I have this vision of the book being rather big, but we will see.

 

Oh, the other big news recently was the book information showing up on Amazon.com. It is exciting for me to see my name on the site; it also helps make it sink in. I was hesitant to blog about the book before because you never know whether something bad will happen, but it’s really going to come true.

 

I will post more as it’s moving along the process.

 

Ylian

 


3 Comments Permalink

OK, I have one more trick for all you Intel AMT developers trying to build high-security software. One good use of Intel AMT is power state monitoring: one could build an application that polls many computers for their power state and plots the results on a graph. You can see just how “green” your network is. Typically, to do this you periodically call the Intel AMT method that gets the power state, which is located in the Remote Control security realm of Intel AMT.

 

The way Intel AMT security realms are designed, granting a user access to the Remote Control realm gives this user access to reading the power state but also to turning on and shutting down (hard shutdown) the computer. As a result, the nice monitoring application you are building can only be run by trusted administrators. It would be nice to be able to create an Intel AMT user with only minimal access to features, one that could only be used to read the power state and not much else. This is not technically possible…

 

But wait, there is a trick! Create a user account within Intel AMT with only General Info and Hardware Inventory access. These two realms are the minimum needed to access the Intel AMT web UI. Then, using a normal browser, we can load the web UI and notice that the computer’s power state is displayed on the web page! With a little code, we can extract this information out of what is normally a human-readable web page.

 

Of course, this is a hack and your software may need to be upgraded, as new firmware may change the WebUI. Still, it’s such a good trick that I use it with great success in my own code. Note that the Intel AMT 2.0 page is a little different from Intel AMT 2.5 and above. So far, I have to handle 2.0 differently, but the same parsing code seems to work on all Intel AMT computers (up to 5.0). Also, that web UI page is very fast and, as bonus information, you get the computer’s unique identifier and the Intel AMT time in a single call.

 

The only drawback I have noticed is that the WebUI will show the string “Standby” for both S1 and S3 states. So you can’t tell exactly what power state it’s sleeping in. Otherwise, you can detect S0, S4 and S5 states.
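The parsing approach described above, as an added example that is not the DTK’s or the author’s code: the HTML below is a constructed stand-in for the WebUI status page (the real markup differs between firmware versions), the field labels and the “On”, “Hibernate” and “Off” display strings are assumptions, and only “Standby” covering both S1 and S3 comes from the text. The parser keys on field labels rather than fixed positions, and it raises rather than guessing when a firmware update changes the page, so a monitoring graph never silently shows a wrong state.

```python
import re
from typing import Dict, Optional, Set

# Constructed stand-in for the Intel AMT WebUI system status page. The real
# page's markup differs between firmware versions, so the parser below keys
# on field labels, never on fixed offsets.
SAMPLE_WEBUI_HTML = """
<html><body><h1>System Status</h1>
<table>
  <tr><td class="label">Power</td><td>Standby</td></tr>
  <tr><td class="label">System ID</td><td>00000000-0000-0000-0000-000000000000</td></tr>
  <tr><td class="label">Date</td><td><b>1/1/2008</b></td></tr>
</table></body></html>
"""

# "Standby" is the one string the text confirms; it covers both S1 and S3.
# The other display strings are assumptions for this example.
POWER_TEXT_TO_ACPI: Dict[str, Set[str]] = {
    "on": {"S0"},
    "standby": {"S1", "S3"},
    "hibernate": {"S4"},
    "off": {"S5"},
}


def _strip_tags(fragment: str) -> str:
    """Drop any inline markup (e.g. <b>) wrapped around a cell value."""
    return re.sub(r"<[^>]+>", "", fragment).strip()


def extract_field(html: str, label: str) -> Optional[str]:
    """Return the cell value that follows a cell whose text is exactly `label`."""
    pattern = re.compile(
        r"<td[^>]*>\s*" + re.escape(label) + r"\s*</td>\s*<td[^>]*>(.*?)</td>",
        re.IGNORECASE | re.DOTALL,
    )
    match = pattern.search(html)
    return _strip_tags(match.group(1)) if match else None


def power_states(html: str) -> Set[str]:
    """Map the WebUI power text to the set of ACPI states it can mean.

    Raises ValueError when the field is missing or unrecognised, so a
    firmware update that changes the page is noticed instead of being
    reported as some default state.
    """
    text = extract_field(html, "Power")
    if text is None:
        raise ValueError("Power field not found; the WebUI layout may have changed")
    states = POWER_TEXT_TO_ACPI.get(text.lower())
    if states is None:
        raise ValueError(f"unrecognised power text {text!r}")
    return states


def is_awake(html: str) -> bool:
    """True only when the page says the OS is running (S0)."""
    return power_states(html) == {"S0"}


def system_status(html: str) -> Dict[str, object]:
    """One page fetch yields the power state plus the bonus fields from the text."""
    return {
        "power_states": sorted(power_states(html)),
        "system_id": extract_field(html, "System ID"),
        "date": extract_field(html, "Date"),
    }


if __name__ == "__main__":
    print(system_status(SAMPLE_WEBUI_HTML))
```

In a real poller the `html` argument is the body returned by an HTTP GET against the WebUI with the General Info + Hardware Inventory account; keep the label strings in one place so a 2.0-versus-2.5 difference is a one-line change.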

 

Ylian

0 Comments Permalink

Hi everyone. I have not been posting much lately, but have been keeping busy writing a book and white papers on Intel AMT. In the last section of the Intel Technology Journal article on extreme usages, I talk about how Intel AMT could be used to build a peer-to-peer mesh network, and that is what I have been working on for the last few months. More to come on this I am sure.

 

Right now, I want to talk about Wake-on-LAN and Intel AMT. I read somewhere that Wake-on-LAN is obsolete with Intel AMT, but I want to disagree and explain why Intel AMT in fact makes Wake-on-LAN better. For people who don’t know, Wake-on-LAN is a way to wake up a computer using a magic packet: anywhere in its payload it contains “FFFF FFFF FFFF” followed by 16 repetitions of the MAC address of the computer you want to wake up.

 

In normal circumstances, the magic packet can only really be used within the same Ethernet subnet as the computer you want to wake up. All this changes if the target computer supports Intel AMT: since the Intel AMT computer defends its IP address (via the ARP protocol) even when sleeping or in soft-off, it’s now possible to send a directed magic packet to a computer across many routers, have it reach its destination correctly and so wake up the PC.
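The magic packet described above, as an added example (not the DTK’s or the author’s code): it builds the packet, recognises one at any offset inside a payload the way a NIC or a network monitor would, and sends it either as a subnet broadcast or as a directed datagram to the unicast IP that the Intel AMT firmware keeps answering ARP for. The MAC and address values are placeholders, and UDP port 9 is the customary Wake-on-LAN port rather than anything Intel AMT requires.

```python
import re
import socket
from typing import Optional

SYNC_STREAM = b"\xff" * 6  # the "FFFF FFFF FFFF" prefix
MAC_REPEATS = 16


def parse_mac(mac: str) -> bytes:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def build_magic_packet(mac: str) -> bytes:
    """6 bytes of 0xFF followed by the target MAC repeated 16 times (102 bytes)."""
    return SYNC_STREAM + parse_mac(mac) * MAC_REPEATS


def find_magic_packet(payload: bytes) -> Optional[str]:
    """Return the MAC a magic packet targets if one appears anywhere in payload.

    The pattern is accepted at any offset, which is how a NIC (or a monitor
    logging wake requests) looks at it, so the scan does not assume the
    packet starts at byte 0.
    """
    idx = payload.find(SYNC_STREAM)
    while idx != -1:
        body = payload[idx + 6 : idx + 6 + 6 * MAC_REPEATS]
        if len(body) == 6 * MAC_REPEATS and body == body[:6] * MAC_REPEATS:
            return ":".join(f"{b:02x}" for b in body[:6])
        idx = payload.find(SYNC_STREAM, idx + 1)
    return None


def send_magic_packet(mac: str, target: str, port: int = 9, broadcast: bool = False) -> int:
    """Send the packet over UDP and return the number of bytes sent.

    With broadcast=False, `target` is the unicast IP the AMT firmware keeps
    defending, so the datagram is routed like any other and reaches the
    sleeping machine across routers. broadcast=True is the classic
    same-subnet form, where `target` is the subnet broadcast address.
    """
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        if broadcast:
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (target, port))


if __name__ == "__main__":
    # Constructed placeholder MAC; nothing is sent here, only built and decoded.
    packet = build_magic_packet("00:11:22:33:44:55")
    print(len(packet), find_magic_packet(b"padding" + packet))
```

Because the wake request carries no credentials, anyone who can deliver the datagram can wake the machine; that is exactly the limited, power-on-only capability the post argues for, and it leaves the Intel AMT Remote Control realm, with its shutdown rights, in the hands of administrators.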

 

Now, why would you use a magic packet if you can use Intel AMT to do the same? It all has to do with security. Because of how Intel AMT security realms are designed, granting a user permission within Intel AMT to wake up a computer also grants the same user permission to shut down the PC at any time (and not a graceful shutdown either). You can’t grant only “power on” access in Intel AMT, and so this is a security concern.

 

In conclusion, if we want other general users to be able to wake up a PC on the network to perform routine tasks (access files, back up data, etc.), making use of Wake-on-LAN + Intel AMT makes a lot of sense. With Intel AMT PCs, Wake-on-LAN now works better than ever.

 

Ylian

5 Comments Permalink

Ylian created this based on his class at IDF (Intel Developer Forum). This video is 23 minutes and well worth the time. If you are getting started, looking for a refresher or just want to hear one of the brightest folks talk about AMT, this is your video.

 

 

Enjoy..

2 Comments Permalink

 

Hi everyone. A few days ago, I did a demonstration of Intel AMT at an Intel event. This is a standard demonstration of Intel AMT with reboot, remote BIOS edit and the unique TCP-over-SOL to perform a VNC session on a computer that has the operating system network stack disabled.

 

This video is also available in high quality on the YouTube site. You have to go into YouTube and click on the high quality link. I am pretty impressed by how much better the quality is when viewing it in high quality.

 

The VNC-over-SOL demonstration is probably my number one demonstration for wowing an audience with Intel AMT. I sometimes also do a demonstration of agent presence, which is also unique to the DTK.

 

Ylian

2 Comments Permalink

I often get questions about the Intel AMT serial port. Ever since the DTK started to make heavy use of it, Serial-over-LAN has gotten a lot of attention. First, how do you change the COM port number of the Intel AMT serial port? The COM number (COM3, for example) is assigned by the operating system, so you won’t find it in any AMT/BIOS/MEBx option. You have to go into Microsoft Windows Device Manager and open the properties of the “Intel(R) Active Management Technology – SOL” port. Then go into the “Port Settings” tab and press the Advanced button. There, you can change the COM port.

 

Also, it’s often useful for applications to be able to automatically detect the AMT serial port. In Intel AMT Outpost, I scan the device drivers looking for the “Intel(R) Active Management Technology – SOL” device and read the COM port number that follows in that string. So far, it seems to work great, even in non-English countries, something I am always worried about.
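The auto-detection described above, as an added example that is not Intel AMT Outpost’s code: it takes the list of serial device friendly names (what Device Manager shows, or the Name property of WMI Win32_SerialPort on Windows) and picks out the COM number that follows the SOL device name. The sample list is constructed, including a Spanish entry to stand in for a non-English locale, and the dash folding is an assumption added so that a copied name with an en dash still matches.

```python
import re
from typing import Iterable, List, Optional

# Device Manager name the text says to look for; Windows appends " (COMn)".
AMT_SOL_NAME = "Intel(R) Active Management Technology - SOL"

# Constructed list standing in for the friendly names read from Device Manager
# or WMI. Only the generic Microsoft names are localised in a non-English
# Windows, which is why matching on the vendor string survives locale changes.
SAMPLE_DEVICE_NAMES: List[str] = [
    "Communications Port (COM1)",
    "Puerto de comunicaciones (COM2)",
    "Intel(R) Active Management Technology \u2013 SOL (COM3)",
    "USB Serial Port (COM5)",
]


def _normalise(name: str) -> str:
    """Fold the en/em dash variants seen in copied device names to a hyphen."""
    return name.replace("\u2013", "-").replace("\u2014", "-").strip()


def amt_com_port(friendly_name: str) -> Optional[str]:
    """Return 'COMn' if this friendly name is the Intel AMT SOL port, else None."""
    name = _normalise(friendly_name)
    if AMT_SOL_NAME.lower() not in name.lower():
        return None
    # The COM number is whatever Windows appended in parentheses at the end.
    match = re.search(r"\((COM\d+)\)\s*$", name, re.IGNORECASE)
    return match.group(1).upper() if match else None


def find_amt_port(friendly_names: Iterable[str]) -> Optional[str]:
    """Scan all serial devices and return the AMT SOL COM port, if present."""
    for name in friendly_names:
        port = amt_com_port(name)
        if port is not None:
            return port
    return None


if __name__ == "__main__":
    print(find_amt_port(SAMPLE_DEVICE_NAMES))  # COM3
```

The name only carries a “(COMn)” suffix once the SOL .INF from Intel is installed; before that, the port shows up as an unknown PCI device and this scan returns None, so treat None as “driver not loaded”, not as “no Intel AMT”.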

 

The Intel AMT serial port is much like any other serial port, but it has a PCI device identifier that is not normally known to Microsoft Windows, and so Windows does not know what to do with this device. On Intel’s web site, there is an SOL driver available. The serial driver itself is just a small .INF that tells Microsoft Windows to load and use the standard serial driver. In fact, one can manually force the standard Windows serial driver to be used for this device: go into Device Manager, pick a driver from the list, select Microsoft as the manufacturer and you will see it. Even though it’s possible, I don’t recommend it, because the DTK code will no longer recognize that COM port as being the AMT port; it’s going to work but will have the wrong name for auto-detection.

 

Lastly, if someone needed to know if a computer is AMT enabled without having to load any drivers, one way to do it would be to detect the presence of the Intel AMT serial port. It is always present even when AMT is un-provisioned, and it can’t be turned off, unless AMT is disabled entirely in MEBx. This can be a good way to figure out if you need to start considering a computer for AMT setup.

 

Ylian

(Intel AMT Blog)

 

 

2 Comments Permalink

As many of you may know, there are two ways of contacting Intel AMT: the remote network interface and the local LMS/HECI interface. These interfaces are very different: the remote interface, available through the wired and sometimes wireless Ethernet, is rich with features, while the local Intel AMT interface is very limited. Intel AMT was designed this way from the start for security. Intel AMT, acting as an IT agent on desktops and laptops, could not be allowed to be meddled with by the local user or by local applications that could try to use or deactivate Intel AMT. That, at least, was the original design intent.

 

Times have changed, it seems, and many users of Intel AMT don’t see local users and applications as always hostile. There are many reasons why it would be very interesting to access all of the features of Intel AMT locally. For example:

 

  • If the user changes the name of the computer in the OS, it would be nice to have a local agent automatically sync the Intel AMT network name with the OS name. This way, when the computer goes to sleep next, Intel AMT will report the correct new name.

  • Circuit breaker policies could be used as a local firewall implemented in hardware. Set it once and the gigabit network chip does all the filtering and counters at gigabit speeds.

  • On a mobile platform, wireless profiles could also be synched up automatically. The user adds a new wireless profile with a WPA key and this profile is automatically added to Intel AMT.

  • Enterprise provisioning of Intel AMT could be done entirely locally using local software removing the need for complicated centralized servers.

 

Instead of seeing the local user as hostile, local applications now cooperate to set up Intel AMT so that if something goes wrong, it’s ready to be used to recover the computer. All this and more would be possible if Intel AMT allowed local applications full access to all the remote interface features.

 

A local application can’t simply connect to TCP port 16992 or 16993 and access all of the Intel AMT features, since the traffic has to flow through the gigabit network interface. Connecting to 127.0.0.1 will not work; that will reach the more limited local interface.

 

A solution is to use a reflection application like the Intel DTK Network Reflector found in the Intel AMT DTK. This tool runs on a central always-on server and simply reflects all TCP connections on ports 16992 to 16995 back to their source. Using this tool, an Intel AMT console or even a web browser can connect to "http://reflector:16992" and log into its own Intel AMT remote services. However, there are issues with this solution: you need this reflector tool running and must know where on the network it is running. Also, a rogue application could log into the remote interface and put in place an annoying circuit breaker policy to drop all packets, etc.

 

In the future, Intel AMT itself could be modified to allow all services on the local interface removing the need for the reflector. There are security considerations of course, but feedback from users of Intel AMT on this idea would be appreciated.

 

Ylian (Intel AMT Blog)

1 Comments Permalink

Last week Intel sent me to Israel for an Intel-only gathering of engineers, architects and specialists who work on Intel AMT. I was honored to attend and also to be a speaker, talking about the progress made with the DTK. First of all, I want to thank all of the people in Intel Israel for making this trip a great success. I also got to hear about many DTK success stories, and it made all of the hard work worth it. I was especially surprised by the DTK’s success in Asia, but also all over the world. I am still not sure if it’s the tutorial videos, the translations or what.

 

In addition to the meetings, we had a great time visiting the old city of Jerusalem and the Dead Sea, and later, on my own, the city of Elat and Petra in Jordan. I got some of the most wonderful pictures and uploaded some of them to Google’s servers here:

 

http://picasaweb.google.com/ysainthilaire/Israel200802

 

 

 

These pictures cover the 10 days of my trip, starting with the old city, then me playing in the mud and floating in the Dead Sea, and finishing with my visit to Jordan. Jordan was probably the highlight of this trip; there is something just odd about traveling in this vast desert and realizing that I was in a country that shares a border with Iraq. For most of us in the US, it seems so distant. The city of Petra in Jordan has unique sandstone carvings in the walls. Some people will also notice that the Indiana Jones movie was filmed at this location. Petra was named one of the new 7 wonders of the world and as a result got a surge in tourism. It’s a wonderful place, hot and laid back.

 

 

 

Most people travel by air from Jerusalem to Elat and Jordan, but I opted to take the bus. It’s a 4 and a half hour trip through amazing scenery. It’s also inexpensive, about $12 to $15, and much more convenient than the airplane. I will say that except for the bus, everything was very expensive in US dollars. It’s a shame the dollar is so weak; I don’t expect to make many of these trips.

 

 

 

Last week was Holocaust Memorial Day in Israel, and I happened to visit the Wailing Wall with some of my Intel co-workers just as thousands of people were attending a ceremony that was being broadcast live on TV. One of my pictures shows all the people at the wall.

 

 

 

The Dead Sea was really amazing; it’s so saturated with salt that you simply float. This sea is the lowest point on Earth, I am told: it’s 1,378 feet below sea level. Your ears pop on the way there as the air pressure increases. As pressure increases so does the temperature, which will often be 10 degrees hotter than in Jerusalem. The Dead Sea is well known for the Dead Sea salts used as a skin treatment. It also gave me a great excuse to play in the mud! You let it dry and wash it off for wonderful skin… but it’s also just loads of fun.

 

 

 

To sum it up, this 10 day trip was simply amazing. In addition to meeting many people who use the DTK, I also got to see and experience some unique places I will never forget.

 

 

 

Ylian (Intel AMT Blog)

 

 

0 Comments Permalink

 

 

I just posted a new YouTube video on my own Intel AMT 3.0 computer that runs under my television. It runs Microsoft Media Center, has 4 cores, 4 tuners, 4 hard drives, 3 gigs of RAM, 2 DVDs... Certainly the most powerful computer I have ever owned. Most importantly, it has Intel AMT 3.0 on an Intel DQ35JO motherboard. This is very useful for me to work on Intel AMT Commander in my spare time and also to remotely manage my computer from anywhere in the world.

 

If you guys have your own computer project that runs Intel AMT, please let me know. Better yet, if you have pictures it would be great to share with the community.

 

Ylian (Intel AMT Blog)

0 Comments Permalink