The Intel® Active Management Technology (Intel® AMT) Serial-over-LAN (SOL) feature is probably one of the most flexible features of Intel® AMT, but also one of the most overlooked. Most people think of a serial port as a throwback to the days of modems and dial-up. This article covers the basics of how Serial-over-LAN works in Intel® AMT and how it can be used to its fullest extent to make a PC do things that seem simply impossible.
With Intel® Active Management Technology (Intel AMT), the good old serial port is back! This time it is attached to a gigabit network card and a capable PC management engine. What was Intel thinking? It still tops out at 115,200 bits per second and still often carries the same VT100 text that we associate with the serial port. Yet with only the power and Ethernet cords attached, we can use that serial port to move the mouse and navigate Microsoft Windows even after disabling every operating system (OS) network driver. How is this possible?
The basics of Serial-over-LAN
One of the basic features of Intel AMT is its virtual serial port. It is virtual because the OS sees it as a serial port, but there is no serial connector on the back of the PC. Instead, a management console that has authenticated to Intel AMT over the Ethernet port (SOL is carried on the Intel AMT redirection ports, 16994 in the clear or 16995 over TLS) sends and receives data through this virtual serial port. If no management software is connected, data written to the serial port is simply lost, just as it would be on a physical serial port with nothing attached.
Figure 1 - Intel AMT exposes a virtual serial port that is accessible to authenticated management consoles. Note that the COM port number is assigned by the OS and may vary.
What is interesting about Serial-over-LAN is that it works all the time, even without an OS. A management console can connect to it, boot a basic Microsoft DOS disk and communicate with software that listens on the COM port. A more typical use is to pair this serial port with the BIOS feature that redirects text screen output to the serial port. This allows administration consoles to remotely watch what is happening during boot, enter the BIOS setup screens and change settings, or boot a simple OS such as Microsoft DOS and get a command prompt.
Figure 2 - Using Intel AMT Serial-over-LAN, a management console can access the BIOS screen remotely and change settings.
Serial-over-LAN and Linux
If an Intel AMT enabled PC happens to be running Linux, it is rather easy to start a login prompt with its text input and output redirected to the virtual serial port. Once this is done, authorized administrators can connect to Intel AMT and reach this command prompt. This is especially useful if the OS network drivers are disabled or misconfigured. It is also useful if the administrator has set an Intel AMT "System Defense" network policy that drops all of the network packets. Because packets directed to Intel AMT itself are never affected by "System Defense" network policies, Serial-over-LAN keeps working regardless.
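One way to do this on Linux, as an added example that is not from the article or the Intel AMT DTK: the SOL port appears to the kernel as a PCI 16550-compatible UART (lspci lists it as an Intel "KT Controller") and is given a /dev/ttySn name by the 8250 driver. The script below locates that port through sysfs and builds the agetty command that puts a login prompt on it. Matching on PCI vendor 0x8086 and class 0x0700 is an assumption that can also match other Intel UARTs, so confirm the match against lspci before relying on it; the sample sysfs tree is constructed for illustration, and the function names are the example's own.

```python
# Added example, not from the article or the DTK. Matching on PCI vendor 0x8086
# and class 0x0700 is an assumption (other Intel UARTs can match): confirm with
# `lspci` that the port found is the Intel "KT Controller" before relying on it.
import subprocess
from pathlib import Path
from typing import Dict, List, Optional

INTEL_VENDOR = "0x8086"
PCI_CLASS_SERIAL = "0x0700"     # base class 07 (communication), sub-class 00 (serial)

def pci_attrs(tty_dir: Path) -> Dict[str, str]:
    # For PCI-backed 8250 ports, /sys/class/tty/ttySn/device points at the PCI
    # device and its vendor/class attributes exist; legacy ports have neither.
    attrs = {}
    for name in ("vendor", "class"):
        try:
            attrs[name] = (tty_dir / "device" / name).read_text().strip()
        except OSError:
            return {}
    return attrs

def find_amt_sol_tty(sysfs_tty: Path = Path("/sys/class/tty")) -> Optional[str]:
    # Lowest-numbered ttySn backed by an Intel PCI serial controller, or None.
    ports = sorted(sysfs_tty.glob("ttyS[0-9]*"), key=lambda p: int(p.name[4:]))
    for port in ports:
        attrs = pci_attrs(port)
        if attrs.get("vendor") == INTEL_VENDOR and attrs.get("class", "").startswith(PCI_CLASS_SERIAL):
            return port.name
    return None

def getty_command(tty: str, baud: int = 115200, term: str = "vt100") -> List[str]:
    # -L: local line, do not wait for carrier detect. A login prompt means that
    # holding Intel AMT credentials is not by itself the same as holding root.
    return ["/sbin/agetty", "-L", str(baud), tty, term]

def build_sample_sysfs(root: Path) -> Path:
    # Constructed stand-in for /sys/class/tty: legacy COM1 without PCI attributes,
    # the Intel SOL port, and a third-party PCI serial card that must not match.
    (root / "ttyS0" / "device").mkdir(parents=True)
    for name, vendor, cls in (("ttyS4", "0x8086", "0x070002"), ("ttyS5", "0x1b21", "0x070002")):
        dev = root / name / "device"
        dev.mkdir(parents=True)
        (dev / "vendor").write_text(vendor + "\n")
        (dev / "class").write_text(cls + "\n")
    return root

if __name__ == "__main__":
    tty = find_amt_sol_tty()
    if tty is None:
        raise SystemExit("no Intel PCI serial controller found; is AMT SOL enabled?")
    subprocess.run(getty_command(tty), check=True)   # serves the prompt until agetty exits
```

Put a getty on the port rather than a bare shell: redirecting `bash` to /dev/ttyS4 hands an unauthenticated root shell to anyone who can authenticate to Intel AMT, whereas a login prompt keeps OS credentials in the loop. On a systemd host the same result comes from `systemctl enable --now serial-getty@ttyS4.service`, which runs agetty on the port with the distribution's default settings.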
Administration agents using Serial-over-LAN
Another interesting use of Serial-over-LAN is to talk to an administration agent running on the OS. For example, in Microsoft Windows, a network agent can use the virtual serial port to offer a command prompt to the administration console. A good example of this is the sample agent provided in the Intel AMT Developer Tool Kit (DTK). It uses the Intel AMT serial port to give the administration console an administrative command prompt with a full set of commands: start and stop processes, shut down the PC, and more.
Figure 3 - If a connection can't be established normally, Intel AMT Serial-over-LAN can be used as an alternative.
A good demonstration of Serial-over-LAN is to run the sample agent from the DTK and use the sample console to connect to the serial port. Once the network administrator reaches the agent command prompt, a user can disable the network driver on the Intel AMT PC and the prompt still works! We can, for example, start and stop Notepad by typing "exec notepad" and "kill <process id>".
Using Serial-over-LAN to its fullest
In the case of the Intel AMT Developer Tool Kit (DTK), both the sample agent and sample console know a special escape sequence and can send each other binary data while the command prompt is in use. This makes commands to upload and download files over SOL possible. Because the connection between Intel AMT and the management console is TCP-based and reliable, no error correction is needed. Some may remember the "X-Modem" and "Z-Modem" transfer protocols from years ago, but because the data already travels over a reliable protocol, they are not necessary. A nice side effect is that file transfers and binary data exchange can take place at the same time as the user works in a VT100 command prompt. One way to transfer data while a VT100 command prompt is active is to define a custom escape code that tells the remote party that a block of data follows.
In the case of the Intel AMT DTK, both the sample console and the agent have a complete serial data stack to handle a variety of data commands. In addition to file transfers, there is a set of data commands to monitor and control remote processes. This is very useful because starting and stopping processes through a command prompt is less convenient for the administrator.
The ultimate feature: TCP-over-Serial-over-LAN
Probably the most innovative of the features demonstrated in the Intel AMT Developer Tool Kit (DTK) is the ability to transport TCP connections and data over Intel AMT's Serial-over-LAN. This allows management software that is not AMT aware to connect to any other non-AMT-aware software listening for TCP connections on the managed PC. The DTK does this by having the sample console listen for incoming connections on local ports. Once a connection is established, the console sends a data command to the agent to initiate a TCP connection to a local port on the remote PC. In this scenario, only the loopback network adapter on the managed PC is used.
Figure 4 - With the right software, Intel AMT Serial-over-LAN can also be used to carry out otherwise impossible connections. In this figure, the TCP client and server could be any application, including remote display.
A great demonstration of this feature is to disable the network driver on the managed PC and establish a remote desktop session (RDP or VNC) through the tunnel. Of course, the user interface will be slower than over a direct connection because of the speed limit of Serial-over-LAN, and the agent software must be running on the managed PC.
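The escape-code multiplexing described under "Using Serial-over-LAN to its fullest" and the TCP tunnel described above, as one added example in Python that is not DTK code and does not use the DTK's wire format: the 0xFF escape byte, the ESC 'B' cmd chan len payload frame layout and the CONNECT/DATA/CLOSE commands are this example's own assumptions. Both ends run in one process, with a Unix socket pair standing in for the console-to-AMT-to-COM-port path and a loopback echo server standing in for the non-AMT-aware service on the managed PC.

```python
# Added example, not DTK code: the escape byte, frame layout and commands are assumptions.
import socket, struct, threading

ESC = 0xFF                      # never occurs in 7-bit VT100 text, so it can mark a frame
CONNECT, DATA, CLOSE = 1, 2, 3  # channel commands carried in the frame header

def encode_text(text: bytes) -> bytes:
    # Prompt output passes through untouched; a literal 0xFF is doubled.
    return text.replace(b"\xff", b"\xff\xff")

def encode_frame(cmd: int, chan: int, payload: bytes) -> bytes:
    # ESC 'B' cmd chan len payload: length-prefixed, so binary needs no escaping.
    return bytes([ESC, ord("B"), cmd, chan]) + struct.pack(">I", len(payload)) + payload

class Decoder:
    # Incremental parser: feed() returns ('text', bytes) and ('frame', cmd, chan, payload).
    def __init__(self):
        self.buf = bytearray()

    def feed(self, chunk: bytes):
        buf = self.buf
        buf += chunk
        out, text, i = [], bytearray(), 0
        while i < len(buf):
            if buf[i] != ESC:
                text.append(buf[i])
                i += 1
            elif i + 1 < len(buf) and buf[i + 1] == ESC:          # escaped literal 0xFF
                text.append(ESC)
                i += 2
            elif i + 1 < len(buf) and buf[i + 1] != ord("B"):
                raise ValueError("unknown escape sequence")
            elif i + 8 > len(buf) or i + 8 + struct.unpack(">I", buf[i + 4:i + 8])[0] > len(buf):
                break                                             # partial frame: wait
            else:
                n = struct.unpack(">I", buf[i + 4:i + 8])[0]
                if text:
                    out.append(("text", bytes(text)))
                    text = bytearray()
                out.append(("frame", buf[i + 2], buf[i + 3], bytes(buf[i + 8:i + 8 + n])))
                i += 8 + n
        if text:
            out.append(("text", bytes(text)))
        del buf[:i]                                               # keep any partial frame
        return out

def pump_tcp_to_link(tcp, link, chan):
    # Raw TCP bytes become DATA frames; end of stream becomes a CLOSE frame.
    while data := tcp.recv(4096):
        link.sendall(encode_frame(DATA, chan, data))
    link.sendall(encode_frame(CLOSE, chan, b""))

def pump_link_to_tcp(link, tcp, on_connect=None):
    # Frames from the serial link drive the TCP socket; text items (the prompt) are skipped.
    dec = Decoder()
    while chunk := link.recv(4096):
        for item in dec.feed(chunk):
            if item[0] == "text":
                continue
            _, cmd, chan, payload = item
            if cmd == CONNECT:
                tcp = on_connect(chan, payload)
            elif cmd == DATA:
                tcp.sendall(payload)
            elif cmd == CLOSE:
                tcp.shutdown(socket.SHUT_RDWR)   # wakes the reader thread so it exits
                tcp.close()
                return

def start_echo_server() -> int:
    # Constructed stand-in for non-AMT-aware software bound only to the managed PC's loopback.
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        conn, _ = srv.accept()
        while data := conn.recv(4096):
            conn.sendall(data)
        conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def tunnel_roundtrip(payload: bytes, target_port: int) -> bytes:
    # Console listener -> framed serial link -> agent -> 127.0.0.1:target_port, and back.
    console_end, agent_end = socket.socketpair()     # stands in for console<->AMT<->COM port
    def agent_connect(chan, p):                       # agent side of a CONNECT frame
        tcp = socket.create_connection(("127.0.0.1", struct.unpack(">H", p)[0]))
        threading.Thread(target=pump_tcp_to_link, args=(tcp, agent_end, chan), daemon=True).start()
        return tcp
    threading.Thread(target=pump_link_to_tcp, args=(agent_end, None, agent_connect), daemon=True).start()
    listener = socket.create_server(("127.0.0.1", 0))  # console side: any plain TCP client can use it
    client = socket.create_connection(listener.getsockname())
    conn, _ = listener.accept()
    console_end.sendall(encode_frame(CONNECT, 1, struct.pack(">H", target_port)))
    threading.Thread(target=pump_tcp_to_link, args=(conn, console_end, 1), daemon=True).start()
    threading.Thread(target=pump_link_to_tcp, args=(console_end, conn), daemon=True).start()
    client.sendall(payload)
    got = client.recv(len(payload), socket.MSG_WAITALL)
    client.close()
    listener.close()
    return got
```

Calling `tunnel_roundtrip(b"...", start_echo_server())` sends the bytes through the console listener, the framed link and the agent's loopback connection, and returns what came back. Two points carry over to real deployments: because frames are length-prefixed, binary payloads never need escaping and VT100 output can keep flowing between them; and because the agent connects to 127.0.0.1 on the managed PC, any service bound only to loopback on the assumption that it is unreachable from the network becomes reachable to whoever holds Intel AMT credentials.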
The Intel AMT Serial-over-LAN (SOL) feature is quite flexible and offers a completely new way of communicating with software on a managed PC no matter what state the OS network drivers are in. It is also a great way to remotely change BIOS settings and even, at its most extreme, a way to reach network services that would otherwise not be accessible. As more software is built to make use of Intel AMT, we encourage developers to make the most of the possibilities offered by the SOL feature.