Last week Intel sent me to Israel for an Intel only gathering of engineers, architects and specialists that work on Intel AMT. I was honored to attend and also to be a speaker taking about the progress made with the DTK. First of all, I want to thank all of the people in Intel Israel for making this trip a great success. I also got to hear about many DTK success stories and it all of the hard work worth it. I was especially surprised with the DTK’s success in Asia, but also all over the world. I am still not sure if it’s the tutorial videos, the translations or what.

In addition to the meetings, we had a great time visiting the old city of Jerusalem, the Dead Sea and later on my own the city of Elat and Petra in Jordan. I got some of the most wonderful pictures and uploaded some on Google servers here:

http://picasaweb.google.com/ysainthilaire/Israel200802

These pictures cover the 10 days of my trip, starting with the old city then me playing in the mud and floating in the Dead Sea and finishing with my visit to Jordan. Jordan was probably this highlight of this trip, there is something just odd about traveling in this vast desert and realizing that I was in the country that had a common border with Iraq. For most of us in the US, it seems so distant. The city of Petra in Jordon has unique sand stone carvings in the walls. Some people will also notice that the Indiana Jones movie was filmed at this location. Petra was named one of the new 7 wonders of the world and as a result got a surge in tourism. It’s a wonderful place, hot and laid back.

Most people travel by air from Jerusalem to Elat and Jordan, but I opted to take the bus. It’s a 4 and a half hour trip thru amazing scenery. It’s also inexpensive, about 12 to 15$ and much more convenient than by airplane. I will say that except for the bus, everything was very expensive in US dollars. It’s a shame the dollar is so weak, I don’t except to make many of these trips.

Last week was the holocaust memorial day in Israel and I happened to visit the Wailing Wall with some of my Intel co-workers just as 1000’s of people where attending a ceremony that was being broadcast live on TV. One of my pictures shows all the people at the wall.

The Dead Sea was really amazing, it’s so saturated with salt that you simply float. This sea is the lowest point on Earth I am told, it’s 1,378 feet below sea level. Your ears pop on the way there as the air pressure increases. As pressure increases so does the temperature which will often be 10 degrees hotter than Jerusalem. The Dead Sea is well known for the Dead Sea salts used as skin treatment. It also gave me a great excuse to play in the mud! You let it dry and wash it off to wonderful skin… but it’s also just loads of fun.

To sum it up, this 10 day trip was simply amazing. In addition to meeting many people who use the DTK, I also got to see and experience some unique places I will never forget.

Ylian (Intel AMT Blog)

Years before I started working on Intel AMT, designers where creating a list of usages that would be enabled by Intel AMT. The list included, I presume, usages around 3PDS, remote reboot to BIOS, disk redirection, etc. Many of the Intel AMT usages that are promoted on the Intel web site. When I started work on the DTK, a personal challenge had always been to find new ways of using existing features to do different and sometimes unexpected things. Create new usages for Intel AMT that it was never originally designed to do. I now present my top 5 abuses of existing features.

TCP-over-Serial-over-LAN. The Intel AMT serial port I am told, was originally designed as an easy way to remotely take control of the BIOS and recovery OS remotely. Designers needed a way for BIOS to be able to send test display data to a remote console. A virtual serial port was a great solution. It so happens that in the original design, this serial port was always enabled and usable, even when the normal OS was running. This allows a serial agent to talk to a console while bypassing the OS’s network stack. This is interesting on its own and I started work on a serial agent of my own. Things took a weird twist when I started sending binary data and sending files over this serial port, making it very valuable. It’s only a few weeks later that I realized I could also send TCP traffic over this serial link, making it possible to contact TCP services on the Intel AMT computer even if the network stack was disabled. A few days later, I showcased the first demonstration of VNC-over-SOL, and turning this abuse of the serial port into an instant hit. To this day, VNC-over-SOL is still, one of the most impressive demonstrations of Intel AMT.

Reverse Watchdog. When Intel sales people demonstrate Intel AMT to customers, they often get asked if you can shutdown gracefully an Intel AMT computer using Intel AMT. The simple answer was no, Intel AMT will perform a brutal shutdown or reset upon request. To perform operations like a clean shutdown or reset, sleep or hibernation requires the involvement of the OS. You could tell a serial agent like Intel AMT Outpost to perform the shutdown, but that required opening the serial connection and could be a problem if you had to shutdown many computers. I needed a way to pass a small amount of information to a running Intel AMT agent on the PC, do it using SOAP/WSMAN only and if possible get confirmation of reception. We could store the command into 3PDS and have the agent read it periodically, but 3PDS required setup and that little amount of data would have required allocation of a 4K flash page. The solution came when looking at the agent presence feature. When a console creates a new agent, the agent can now register this agent locally. The agent also get the timeout of the agent in seconds (from 1 to 65535), this would be the key. By constantly trying to register a known GUID, Intel AMT Outpost could see if the agent existed or not. If suddenly the registration works, the timeout value would indicate that type of shutdown operation to perform. Better yet, the simple fact that registration occurred changes the state of the agent to “Running”, confirming to the console that the message was indeed received. Today the Intel AMT Terminal has “Agent Commands” in the remote control that allows a user to perform soft operations when the agent is running, even if the OS network stack is not working.

Mouse over serial. A few months back I started work on a smaller version of Intel AMT Outpost called Intel AMT Guardpost. The idea was that if a serial agent was going to be useful, it was going to need to run on a recovery OS, run in the background with no dependencies and with as little footprint as possible (Is it not annoying to have all there background processes running?). The C/C++ version of Intel AMT Outpost was on its way. One feature I always wanted to work on was a remote Windows command prompt; it took over a week to finally pull this off. I could now remotely shell to DOS and perform basic command line operations. I could also enter the command like editor with the “Edit” command at which point, the temptation to support the mouse-over-serial-over-LAN was a must have. Using the binary serial protocol, I added the support to the terminal in a few hours. To this day, it’s still a fun and amazing demonstration of outstanding remote manageability.

IDE-R within the OS. A few days after first enabling IDE-R within Intel AMT Commander, I stumbled upon something I had not noticed before. If an administrator where to start IDE redirection and the OS was to re-scan its plug & play devices, the additional floppy and CDROM drive would show up in Microsoft Windows. This was immediately interesting since transferring files over the serial port was limited to 115kb/sec a very slow speed in today’s world. With IDE-R, you can copy files at around CDROM 4x speed on a local network. All I needed was a way for Intel AMT Outpost to cause the OS to rescan its plug & play devices. A few hours later the “HWRESCAN” command was built and for the first time, an administrator could mount a CDROM remotely and install a patch as high speed without ever using the OS’s network stack. This feature also turned out to be an excellent compliment to VNC-over-SOL.

Fast data path using IDE-R. This is not an idea I never built into the DTK, but I wanted to add it to this list since it would also be an interesting was to use existing features in new ways. The serial-over-LAN feature turned out to be extremely valuable, but it is also slow. Serial ports are very inefficient. One way someone could speed things up is to use IDE-R as a fast by-pass to the OS. An administrator would mount a virtual floppy disk drive containing a single file. This file, would not really exist, it would contain different data each time it was read, making it possible to send data to an OS agent thru Intel AMT at much higher speeds. Also, since the floppy is a read/write device, the agent could write into the virtual file data that it wants to send to the console. It would be quite a bit of work to pull this off, but it certainly seems possible. Someone would just have to know the internal format of an .img file.

That’s my top 5. I realize this is probably a rather advanced blog article, but this is proof that you can have a lot of fun to any technologies.

Ylian (Intel AMT Blog)

Serial-over-LAN is quite useful for taking control of a computer, making changes to the BIOS and when Intel AMT Outpost or Guardpost is running, getting a management command prompt even when the OS network driver is disabled. What if you have to repeat the BIOS change on 100’s of computers? Say you want to change a BIOS boot option on 100 computers? Or want to test the reliability of a new computer platform? The Intel AMT Serial-over-LAN scripting can help.

Connect using Intel AMT Commander to the Intel AMT computer and select “Take Control” to enter the VT100 terminal. Make sure everything works well and you can connect and perform Serial-over-LAN correctly. Go in the “Terminal” menu and select “Script editor…” and write a script like this one, using the user interface to guide you:

LABEL “start”
RESET bios
WAIT 40 seconds.
RESET powerdown
WAIT 15 seconds
JUMP “start”

You can save the script, and run it. You can also write more complicated scripts to change BIOS options and do more interesting things. There is a command:

WAITFOR “abcd”

This command will wait until the string “abcd” is anywhere on the VT100 screen. This is very useful to wait for the computer to finish booting and to do something after. You can also send string to SOL:

SEND “dir\r”

To send the “dir” command. Terminal scripting is very powerful. It’s also a great way to impress your friends and customers. In a few minutes, you can write a script that will power on a computer; navigate throughout the BIOS screens and shutdown the computer when done. Once you run it, it’s like a ghost is taking control of your computer and going into the BIOS, very cool.

Ylian (Intel AMT Blog)

It's time for another release of the Intel AMT DTK v0.48x. The "X" stands for external since for the last two months I have been working on upcoming Intel platforms features and so, not releasing public updates as often as I use to. In this release there are so many changes, I can't really go thru them all.

I think users will see the Intel AMT Commander UI has been improved a lot, and some work has been done to improve responsiveness. The look of the UI is also improved, especialy heuristic and agent presence features. WSMAN support is moving along, I recently found and added a way to automaticaly detect that an Intel AMT computer is in WSMAN only mode and connect to it correctly. WSMAN support is still weak, but improving.

For people looking at the Intel AMT DTK source code, many more changes. Intel AMT Commander's main form was starting to be way to big and so now all the right hand side panels and proken up into seperate files. The terminal was also broken up, a new VT100 user control is now avaialble to process serial-over-LAN on-screen display. This is very useful for developers that want to build their own VT100 terminal that looks different from Intel AMT Commander.

Certificate and TLS handling was improved thruout. First, many of the tools will now work better with mutual-authentication, this is especialy true for IAmtTerm.exe that did not do so well with mutual-auth before. Intel AMT Director's certificate handling is improved, you can now drag & drop a certificate on Director's certificate manager to import, added more certificate formats and Director can now issue certificates with many common names, just like Intel SCS does. Commander will also handle these certificates better than before.

All in all, this is a major new update to the Intel AMT DTK. I encorage people to keep sending bug reports, and thank everyone who already did.

Download: Intel AMT DTK v0.48x Audio Blog (.mp3)

Ylian

It's time for a new release of the Intel AMT Developer Tool Kit. Version v0.45 was released Saturday morning with a bunch more bug fixes and improvements. People ask me what the formal road map for the DTK is and I answer that there is none, its customer driven and I constantly improve many features. Of course, I have my ideas where I am going with this, but I am always looking for suggestions.

Let's look at a few new features in this release:

Intel AMT Commander can now auto-detect and connect to LMS. In the past, only Intel AMT Outpost could connect to the local Intel AMT interface. In this new release, Intel AMT Commander will automatically detect and connect to LMS. So you can direct Commander to connect to "localhost" enter the username and password and it will work. Currently, you can't do much, on AMT 2.5 and higher systems, Intel AMT Commander will display the Intel AMT event log.

Intel AMT Commander re-branding. It's now easier than ever to add branding to Commander, just create a "branding" folder under Intel AMT Commander's executable and put a set of bitmaps in the directory. The default bitmaps will be replaced the next time Commander is run. You can find all the details in the readme.txt file of the DTK. By the way, it's perfectly fine to re-brand and ship Commander or any of the Intel AMT DTK tools. For example: To include with Intel AMT motherboards, etc.

Improves Intel AMT Stack. The Intel AMT stack built in C# on which Intel AMT Commander and the other tools are built on is improving all the time. In this version, I took special care to clean up the "AmtSystem" class. It's the root class for all of the Intel AMT functionality. For a quick sample on how to use the stack, look at the "IAmtCmd" project in the DTK source code.Intel AMT Developer Tool Kit

Intel AMT Developer Tool Kit v0.45 Audio Blog (.mp3)

Ylian (Intel AMT Blog)

Many months ago when Intel AMT 3.0 computers were still in pre-production, a test group at Intel came over and dropped one of these prototypes in my lab. "Have a good time" the guy said. He smiles and walked away. At the time, my lab was only composed of AMT 1.0 and AMT 2.0 computers and so, I was very excited to get one of the first AMT 3.0 computers, before anyone else outside of INtel. 24 hours later, I had built heuristic filter support in Intel AMT Commander and very quickly, Commander was the leading AMT 3.0 test tool within Intel. Later on, I also built Intel Net Traffic, a small tool to help test heuristic filters.

The heuristic filter feature of AMT 3.0 is an extension of the existing Intel AMT System Defense feature. It's a new and special type of filter that looks only at outgoing packets to see if the computer is attacking other computers. Just to be clear, heuristic filters don't protect the computer from attack; it's built to prevent the computer from attacking others. Using Intel AMT Commander, if you connect to an AMT 3.0 computer, you will see a heuristic folder in the "Network" filter of the computer. You can set the heuristic policy timeouts, what happens when it triggers and if the action is permanent or if after a while, the heuristic filter should be reset.

Testing heuristic filters is straight forward. Run "IntelNetTraffic.exe -advanced" on the AMT 3.0 computer and start a UDP packet sweep on a range of IP addresses. You can sweep at, say, 20 packets per second a given range and if you set the heuristic filter right, it will notice the sweep and block the traffic. One common mistake made when testing heuristic is that if you sweep a set of IP addresses within your own subnet, Microsoft Windows (SP2 or Vista) will block packets from being sent unless the target computer within the subnet responds to ARP requests. Unless you have a subnet with a lot of computers, most IP addresses in that sweep will not answer ARP requests and Microsoft Windows will block the packet, resulting in AMT never seeing that packet and heuristic never triggering. To fix this, just sweep a range of IP addresses located outside your own subnet.

By the way, I designed Intel Net Traffic to also allow testing of rate throttling network filters. This feature is almost never demonstrated, but it's been available since AMT 2.0. You just need to setup two Intel Net Traffic and have one send packets to the other. Then, add and activate an AMT network filter that limits the rate down. You will see the impact on the receiving Net Traffic immediately.

Ylian (Intel AMT Blog)

It's time for one more release of the Intel AMT DTK v0.43. Here are the major changes in this release:

• New Installer. Probably the most visible change is the new installer. The Intel AMT DTK is no longer a self-extract and I am looking for feedback on the installer and it's ease of use. I think users will appreciate that you can selectively install only portions on the DTK that make sense on a given computer (Console, Agent, Switchbox, Utilities).
• New Japanese translation. All of the DTK tools got a new Japanese translation this week thanks for employees from Intel Japan. Intel AMT Defender got it's first translation into a new language, and many of the new features in Intel AMT Commander and Intel AMT Director are now translated to Japanese.
• New Resource Translation Tool. I added the Intel Resource Translation tool in the DTK package. I am looking for people to translate portions of the DTK into other languages and this tool makes it very easy. Just run, load the dictionary, select a language and start translating. You can also select what tool or form you want to translate. When done, send me the dictionary file, my e-mail address is in the readme.txt file or about box and I will make it part of the next release. I also will be giving out prises, I will be figuring something out.
• Console & mouse support. Intel AMT Guardport has a new "CMD" command allowing the administrator to shell to the command prompt and access all of the power of a text mode command prompt. As a bonus, I also added mouse support in the terminal, so you can enter EDIT and move the mouse and click to get into text mode menus.
• New WMI-over-SOL. I started work on performing Windows Management Instrumentation (WMI) queries over Serial-over-LAN. It is early work, but it's looks like a powerful new way of managing and fixing computers remotly.

Download: Intel AMT DTK v0.43 Audio Blog (.mp3)

Ylian (Intel AMT Blog)

Just released version v0.40 of the Intel AMT DTK, with the addition of 802.1x and Endpoint Access Control (EAC) as I wrote about in my previous blog. This is probably not going to be a big impact on many people since this feature is exclusive to large enterprises, but it's very useful for testing Intel AMT in environments where the network has access control. As I noted previously, I don't have equipment to test 802.1x and EAC, so, I will rely on the community to give me feedback.

Another interesting feature in v0.40 is the additon of Intel AMT Guardport as a Microsoft Windows tray icon application and Windows Service. Guardpost is of course the C/C++ version of Intel AMT Outpost, perfect to deployments with smaller system footprint but also for adding to a WinPE based recovery OS.

Intel AMT DTK v0.40 Audio Blog (.mp3)

Ylian (Intel AMT Blog)