MeshCentral - Intel AMT MEI and LMS
I'm Ylian Saint-Hilaire, and in this video we're going to talk about Intel MEI and LMS, two technologies that are related to Intel Active Management Technology. If you've heard about Intel AMT, or Intel Active Management Technology, you'll know that it's a remote management technology that's built into the hardware, so you don't need software or OS assistance to manage a device remotely. This comes in handy in many different ways. So in this video I want to talk very quickly about AMT just to recap, but I want to focus on how AMT talks with remote management tools and how it talks locally on the platform to local tools that you may be running on the same platform as Intel AMT.

So I'm just going to start with a basic slide. I have a picture of a motherboard, and I just want to illustrate here that basically AMT runs in a management engine chip, and the chip is on the right here underneath this heatsink. You'll find that usually the processor is pretty much in the center of the motherboard, and you'll have RAM over here, and then you'll have some power supply stuff over here and extra cards, and you'll have your I/O. But this chip, which usually has a heatsink on it or some kind of cooling, is called the PCH, and it has the function of interacting with all the I/O, or a lot of the I/O, on the motherboard and the CPU, and this is where the management engine resides. The interesting thing is that when the motherboard is in soft off, so it's mostly sleeping, the RAM will be off, the CPU will be off, but this chip, part of it, will be on, and the Ethernet adapter will be on and communicating to that. And by the way, the management engine chip can be off itself, so only the Ethernet can be on, and then when it receives traffic that is for AMT it will wake up this chip to actually process it. So there's a little bit of RAM in here, just enough to run the management stuff, and then if the console or the management tool says wake up the entire platform, then obviously we can wake it all up.

So anyway, what I want to focus on in this video is especially the interaction between the management engine and the local CPU and how that works. If you're remote, you can basically access a remote port, and then there are filters in the Ethernet adapter that will route the traffic to the management engine, and so instead of going to the CPU it's going to go there and get processed. So basically there are some filters that filter out some of the ports, so that when you try to connect to those ports it never goes to the operating system; it will go to the management engine chip. But how does this interaction between the management engine and the CPU happen? How does this work? So I picked up this little graphic here, but again, you basically have the network here that has management traffic that hits the wired or wireless interface, and then it gets routed to Intel ME and Intel AMT, which is software basically running on the management engine right here. But how does this work between the operating system and the management engine? Well, let's take a look at that.

First of all, the super important part is that there is a driver that is loaded when you first install Windows. So what you do is you go into your Device Manager right here, and then you look under System devices, and you should see something called the Intel Management Engine Interface, or Intel ME. This is basically an interface that the management engine will present. And just be careful here: if you see this, it does not necessarily mean you have AMT. You may have a management engine, but it may not have AMT running, or it may have Essentials, basically one of the other variants of AMT, or it may not have AMT at all. So this does not mean you have AMT necessarily, but if you have the Intel Management Engine Interface up and running, then local tools can start querying the platform to see what features you have.

And by the way, on Linux this is /dev/mei0, so if you have that on your Linux machine, then that's equivalent to this. Under older Linux it was /dev/mei, but under the latest generations of Linux it's mostly /dev/mei0. So if you don't have this driver, you need to install it. Most of the time it won't come directly when you install a fresh copy of Windows; if you have a really fresh copy, it will basically show the driver as being needed, but then if you connect to the internet and it updates all the drivers and stuff, that one will get loaded.

So once you have this driver loaded, what can you do? Well, there's a tool we have. I'm going to go on to meshcentral.com, and if you go into the Downloads section, on the bottom right there's this tool called MeshCmd, and it's available for Windows, Linux and ARM, but obviously for our purposes only Windows and Linux machines will have AMT. So you grab one of those and you download it. I'm going to open my command prompt here; I'm in a temp folder and I have MeshCmd, the 64-bit copy of it, so you can type "meshcmd64", press enter, and it will show you a bunch of things it can do, and a lot of it is AMT related on the bottom side here. So one of the first things you really want to take a look at is "meshcmd amtinfo", and this will show you the information about your AMT or your platform: whether it has AMT, what type of AMT it has. So here it says Intel AMT v9.30, activated in client control mode, and then it will give you the wired and wireless interfaces depending on what's connected, and then other things like zero connections and stuff. Now what's happening here is that the MeshCmd tool is opening a connection into the MEI driver, so if I were to disable this (I won't), then this tool won't work. Also, the MEI driver is only available if you're administrator, so if I'm running as a normal user in this shell here, then you may get an error basically saying "cannot access the MEI driver, make sure you are running as administrator", and this is because you need administrator privileges to set up that pipe between the software, in this case MeshCmd, and the MEI driver.

Okay, now that's great, and with the MEI driver you can pull information about your platform, the AMT state and so on. Now what you cannot do is any kind of TCP connection to Intel AMT locally if you have just this MEI driver. So let's see, for example, I could use MeshCommander, the trusty Intel AMT tool. What you can do is set up localhost here and try to connect, and in this case it's going to fail for me. Or what I can do is open a browser again, and you can go to localhost port 16992, which is the Intel AMT port, and in my case it will fail. Now the reason it will fail is because the operating system doesn't know what to do with this traffic. You basically are connecting to the network stack on the loopback interface, which is localhost, and the operating system does not know what to do. So in order to enable local 16992 and 16993, basically the local TCP connectivity to the management engine, you need some kind of software that will listen on these ports, 16992 and 16993 and so on, and it needs to take that traffic and forward it to the management engine through the MEI interface. So the tool to do that is called LMS. If I go on Google I can type "Intel AMT LMS"; hopefully I'll get some explanation here. Yeah, it's called the Local Manageability Service, and this is a Windows service. So here there are some instructions on events and so on, but basically this is a Windows service provided by Intel that you can install in your operating system. There is source code available on Linux, but it's not available by default on Linux; you need to go and compile the source code and so on. And on Windows it is also not installed by default, unless the manufacturer of your computer has put it there with other drivers. But if you're just installing plain vanilla Windows, you will get this manageability engine driver, but you will not get LMS, and with no LMS you cannot connect to the manageability engine using the network sockets; you can't see the web page and so on.

So let's see, I do have LMS on my other computer, so I am going to switch over here. By the way, I have two computers: this is my developer computer, but on the bottom right, or on my left here, I happen to have an AMT computer, and it's running Windows 11. So I'm going to press Ctrl+Alt+Delete, go into Task Manager, and if you go into Services and type L for LMS, you'll see it right there. It says LMS, and you can find it as Intel Manageability and Security Application Local Management Service. So I'll turn this on, I'll hit start, and then what I can do is open a web page and go to localhost:16992, and you see the web page pop up. And if I disable this, I'll stop the service and hit refresh, then it won't load anymore, and that's because this service is responsible for listening on loopback ports and then taking the traffic from your browser, sending it through the MEI interface down to AMT, and obviously taking the responses and sending them back up. So that's what it does there.

Now, my experience is that a lot of people don't have LMS or don't install it. One thing that's super annoying about it is that there's no standard installer for it. It's given to the manufacturers, and the manufacturers kind of bundle it in their support and driver websites with bundles and so on. So what happens is that if you have lots of different computers from different manufacturers, going and getting LMS for all those computers can be quite annoying. On Linux, let's see, I'll switch back here, almost every Linux distribution will have /dev/mei0. It's part of the basic Linux kernel; they all have the MEI driver. And on Windows it comes with vanilla Windows, so you most likely will have this driver there, but for LMS you generally will not have it. So that's a problem that's faced whenever you're deploying software on AMT: you generally have MEI, but you don't have LMS.

The way that MeshCentral solves this is that we built LMS into our agent and into MeshCmd. So for example here, if I go back to my web browser, I cannot access port 16992 because I don't have LMS running, but if you type "meshcmd microlms" and press enter, then it will say setting up MEI, starting LMS. Obviously it's starting a micro version of LMS. What it's going to do is take a look to see if LMS is running, and if it's not, it's going to take over with its own copy. So when I hit refresh here, boom, you see the web page of Intel AMT, and then I can log in, of course. Let's see if I can log in there. Nope, it doesn't really matter, I don't have the password, but if I had the password I could log in here; that's not relevant right now. The idea is that I do have access to it. Also, you'll notice that if you run MicroLMS, then by default there's a MeshCommander on 16994. So if I type 16994 here, no index there, there it goes: there's a special version of MeshCommander that's built into this LMS, and it will tell you what status your AMT is in, if there are any notifications, and you can remotely log into this AMT from the local interface and so on. So that's a super extra bonus that you have if you run the micro version of LMS.

Now what's interesting is that when you perform actions with MeshCmd, MeshCmd has a bunch of AMT actions you can run, like getting the event log and so on. Some of these actions, actually a lot of them, either won't work remotely (power won't run remotely), but some of these actions, like the event log, the audit log and so on, can work locally, but they do require that LMS be present. So when you run any of these actions, MeshCmd will automatically look to see if LMS is running; if it's not, it will launch its MicroLMS, perform the operation and then turn it off again. But of course you can run MicroLMS by typing "meshcmd microlms", and then you have that. So that's really nice, because now you can run MeshCmd, get MEI information, perform pretty sophisticated management operations, and you don't need LMS installed.

The other thing I want to mention is that if I go back to my MeshCentral, so this is my MeshCentral test server, I can go to one of my machines, like AMT 15 here, and I can click on Console, and let's see, I can type "info", I think that's it, and you'll see here it says built-in LMS disabled. So when you type info in the agent Console tab, you can see if the agent's built-in MicroLMS, or built-in LMS, is currently active or not. Now right now I have LMS active on the remote machine. I'll go to split screen here so you can see what I'm doing. What I'm going to do is stop LMS here, then go to the agent and restart it, and now what should happen is that the agent should see, now it's going to reconnect here, the agent should see "wait a minute, LMS is not running". So if I type it, it doesn't detect it yet, or I may have multiple agents here, but in any case, when it's necessary, the built-in LMS will turn on automatically here.

So that's really, really cool, especially on Linux. If you're a Linux user and you have an AMT platform, there's almost a 99, 100% chance your operating system will have the MEI driver; it will not have LMS. Installing LMS is a real pain if you're on Linux, because you need to go compile the source code and do all this work, but if you just drop the MeshAgent and install it on your Linux machine, then the built-in LMS will just trigger and you'll have LMS for free as part of the agent. The other nice thing is that once the agent is running and it's launching its own LMS, then any other application can access the local port. So as soon as I have a local agent launched, I can go to 16992 locally. I don't have the agent launched; let me go and launch that just for kicks. I'm going to go to Task Manager, Services, launch my agent here, and then hit refresh, and I should see the web page pop up. There it goes. So now the agent has launched LMS, and actually we can see it right there in MeshCentral, info, built-in LMS. Well, there's something wrong here, but anyway it did activate, so I do have LMS working right here, and now I can log in and do all the fun stuff I want to do. So if you have the agent running, the built-in LMS may run, and once the built-in LMS is running, it's not just that agent that is capable of talking to AMT through the local network ports; it is of course any other piece of software. You can run MeshCommander, you can run anything you want on that Linux machine, and just use the MeshAgent or MeshCmd as your LMS.

Anyway, hopefully that was useful. A lot of people have Intel AMT, they use it, but often they get into trouble. They're like, wait a minute, how come the web page is not showing up? They're assuming that there's a problem with the platform, and very often LMS is the missing link here. So the nice thing to know is that all the MeshAgents, on both Linux and Windows, and MeshCmd all come with LMS, so super, super practical I think. Anyway, take care, have a great day.
2022-06-19 00:00
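The talk separates two things that are easy to confuse when "the AMT web page does not show up": whether the MEI driver is exposed to the OS at all, and whether anything (Intel LMS, or MeshCmd/MeshAgent's MicroLMS) is listening on the loopback AMT ports and relaying to the management engine. The script below is an added example, not part of the talk and not MeshCentral's or Intel's code; it runs that diagnosis locally. The device paths (/dev/mei0, /dev/mei), the ports 16992/16993, and the 16994 MeshCommander hint come from the talk; the verdict names and the Windows handling (no /dev node to check, so only the port probe is trusted) are this example's own assumptions.

```python
"""Local MEI / LMS diagnostic (added example, not MeshCentral's or Intel's code).

Checks the two conditions the talk distinguishes:
  1. the MEI driver is exposed: on Linux as /dev/mei0 (older kernels: /dev/mei);
  2. something listens on the loopback AMT ports 16992 (HTTP) / 16993 (HTTPS),
     which needs Intel LMS or a stand-in such as MeshCmd's MicroLMS.
Port 16994 is only a hint: the talk says MicroLMS also serves a built-in
MeshCommander there. A successful connect proves a listener, not that AMT
answered or that you are authorised to use it.
"""
import os
import socket
import sys
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

MEI_DEVICE_PATHS: Tuple[str, ...] = ("/dev/mei0", "/dev/mei")   # from the talk
AMT_LOCAL_PORTS: Dict[int, str] = {                              # from the talk
    16992: "amt-http",
    16993: "amt-https",
    16994: "microlms-meshcommander",   # served by MicroLMS, not by Intel LMS (assumption)
}


def find_mei_device(exists: Callable[[str], bool] = os.path.exists,
                    candidates: Tuple[str, ...] = MEI_DEVICE_PATHS) -> Optional[str]:
    """Return the first MEI device node that exists, or None.
    Linux only: on Windows the talk checks Device Manager -> System devices."""
    for path in candidates:
        if exists(path):
            return path
    return None


def port_listening(port: int, host: str = "127.0.0.1", timeout: float = 0.5) -> bool:
    """True if a TCP connect to host:port succeeds, i.e. a relay is bound there."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


@dataclass
class Diagnosis:
    mei_device: Optional[str]            # device node found, or None
    mei_checked: bool                    # False on platforms without /dev nodes
    ports: Dict[int, bool] = field(default_factory=dict)

    def verdict(self) -> str:
        amt_up = self.ports.get(16992, False) or self.ports.get(16993, False)
        if amt_up:
            return "lms-present"        # localhost:16992 in a browser/MeshCommander will work
        if not self.mei_checked:
            return "mei-unknown"        # Windows: verify the driver in Device Manager
        if self.mei_device:
            return "mei-only"           # 'meshcmd amtinfo' works, localhost:16992 fails: no LMS
        return "no-mei-interface"       # driver not loaded, or no management engine at all

    def microlms_hint(self) -> bool:
        """True when the 16994 MeshCommander page also answers (MicroLMS signature)."""
        return self.verdict() == "lms-present" and self.ports.get(16994, False)

    def explain(self) -> str:
        return {
            "lms-present": "A loopback relay is up; AMT is reachable locally over TCP.",
            "mei-unknown": "No AMT ports open; check the Intel ME interface in Device Manager.",
            "mei-only": f"MEI at {self.mei_device} but no LMS: run 'meshcmd microlms' or install Intel LMS.",
            "no-mei-interface": "No MEI device node and no LMS; the ME driver may be missing.",
        }[self.verdict()]


def diagnose(exists: Callable[[str], bool] = os.path.exists,
             probe: Callable[[int], bool] = port_listening,
             mei_checked: Optional[bool] = None) -> Diagnosis:
    """Run both checks; 'exists' and 'probe' are injectable so this runs offline in tests."""
    if mei_checked is None:
        mei_checked = sys.platform.startswith("linux")
    device = find_mei_device(exists) if mei_checked else None
    return Diagnosis(device, mei_checked, {p: probe(p) for p in AMT_LOCAL_PORTS})


if __name__ == "__main__":
    d = diagnose()
    print(d.verdict(), "-", d.explain())
    if d.microlms_hint():
        print("16994 answers too: looks like MicroLMS rather than Intel's LMS")
```

On a Linux box with the stock kernel MEI driver and nothing relaying, this reports `mei-only`, which is exactly the "web page is not showing up" case the talk attributes to a missing LMS rather than to a platform fault; after `meshcmd microlms` (or once the MeshAgent's built-in LMS kicks in) the same run reports `lms-present`.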