Search This Blog

Monday, July 06, 2015

Using Intel AMT’s embedded VNC server

Intel Chipsets with vPro/Intel AMT, paired with a Core i5/i7 or Xeon with integrated graphics, have a feature called Remote KVM.

To activate it, press Ctrl-P at the BIOS - this brings you to the MEBx menu, set a password (minimum 8 characters, mixed case, numbers and special characters are enforced - try to avoid #@$% - use star or exclamation), configure the network settings (DHCP, or static - it can even match the OS’s IP address!), enable Remote KVM and disable User Opt-In.

in order to set it up, download the Intel AMT SDK from extract the ZIP and open ./Windows/Intel_AMT/Bin/KVM/KVMControlApplication.exe. (I had to install .net 2.0 in my wine in order to be able to run it.)
There, you can enable KVM by clicking "Edit Machine Settings" as seen in the following screenshot:

KVM Status can either be set to
-“redirection ports” (meaning it will only be accessible to clients that specifically support Intel AMT, such as RealVNC Viewer Plus or Intel’s KVM Console, the former of which costs $100, the later constantly overlays a RealVNC logo on the screen), or to
-“default port” (meaning it will be accessible on TCP port 5900 with any VNC client), or to
-“all ports” (which is the combination of both).
If you enable VNC access, you will also need to set an RFB Password. Warning, the password gets truncated at 8 characters but     at the same time has the security requirements identical to the general AMT password (Capital, small letter, number and special-character - WARNING: underscore is not special char, @$%&| are NOT allowed, choose star or exclamation to play safe).
If you disabled User Opt-In in the MEBx menu, you can disable it here as well.

Now you can use almost any VNC client you like (KRDC, Real, Ultra, and Tight VNC works fine, while TigerVNC seems to be unable to auth, and Apple Remote Desktop appears to cause the VNC server to freeze - it's Apple crap, what do you expect?).

Two things worth mentioning:
1: the initial BIOS splash screen is not visible during a KVM connection (not even on a directly-attached screen), so to get to the BIOS, you needed to blindly hit the F10.
2: it is not possible to enter the MEBx menu during a KVM connection (probably for security reasons), if you hit the corresponding CTRL+P key, it immediately exits and continues normal boot; if you establish a KVM connection while already in MEBx, you get disconnected immediately.

 If you’re building a home server, you should definitely consider getting system with Intel vPro/AMT 6.0 or later, you get ILO-like remote management capabilities for free.

Oh yeah, http://your_machine:16992 gives you access to logs, power control, network setup, users, exactly the same way ILO does!

And of course the OS has no idea something is running below him, there is no CPU load, on the host netstat shows no other connections except my ssh:
 tcp        0      0       ESTABLISHED 2314/sshd

while from my workstation we can see a second connection to the VNC port 5900:
tcp        0      0          ESTABLISHED 13362/ssh   
tcp        0      0        ESTABLISHED 29457/krdc

 Note the black blinking monitors in the upper-right corner - that screams "AMT":

No comments:

Post a Comment

Blog Archive