Ylianst / MeshCommander

MeshCommander is an Intel(R) Active Management Technology (Intel(R) AMT) remote management tool. It's feature rich and includes a built-in remote desktop viewer for Hardware-KVM, a Serial-over-LAN terminal, IDER-Redirection support and much more. MeshCommander is built on web technologies and runs on many platforms. In addition to being available as a stand-alone tool, MeshCommander was built to be very space efficient so that it can be uploaded into Intel AMT flash space and served directly from the Intel AMT web server.
Apache License 2.0

Firmware Installation doesn't work anymore on latest Intel ME Versions. #99

Open Spamm00r opened 2 months ago

Spamm00r commented 2 months ago

I have issues installing the meshcommander firmware on board Asus Q670 with Intel AMT v16.1.33.2307. On earlier models I never had any issue.

The firmware installer completes successfully, and points me to:

http://localhost:16992/amt-storage/mesh/commander/console

But as port 16992 is closed, I have to login via port 16993:

https://localhost:16993/amt-storage/mesh/commander/console

But then instead of displaying the amt website, it downloads a file called "console" or "download".

Also the default AMT website has been disabled and only shows the following error code when logging in:

"Web browser access to Intel® Active Management Technology is disabled on this computer, or the page in the address bar is unavailable."

That leaves us only with meshcommander to manage the pc, and as I understand also the meshcommander support has ended, making it impossible to make use of the Intel AMT features on newer boards and once meshcommander isn't available anymore.

This is a huge step back in the name of security, Intel AMT has become unusable. In the past I could manage the Intel AMT workstation with just a browser from any phone, now there is no way around a meshcommander or meshcentral installation on a pc that is able to run node.js. And with end of support for meshcommander the future of Intel AMT is in doubt. Also Intel's Manageability Commander hasn't been updated to connect over TLS, giving their customers no tool to work with Intel AMT other than outdated meshcommander.

Please provide a solution on how to get web access to newer Intel AMT versions again without having to run an instance of meshcommander/meshcentral on another pc.

Thanks!

jsastriawan commented 2 months ago

Try putting the meshcommander firmware edition at /amt-storage/index.htm.

Spamm00r commented 2 months ago

> Try putting the meshcommander firmware edition at /amt-storage/index.htm.

How can I do that? The windows firmware installer does not give any option to change the path for the installation?

The github mentions that you can install the firmware "On other platforms, you can use MeshCMD to load MeshCommander into Intel AMT."

But I couldn't find any documentation on how to do that using MeshCMD. The documentation only gives the following command:

C:\MeshCmd>meshcmd amtloadwebapp --host 192.168.2.144 --pass xxxxxxxx

How do I point it to another path?

jsastriawan commented 2 months ago

The command to launch meshcommander using meshcmd is

meshcmd meshcommander

It has built-in help as well.

You should be able to open http://localhost:3000 and add AMT machine to manage.

To upload file to AMT, you can use HTTP PUT using curl. But I guess the easiest is to use meshcmd method.

Spamm00r commented 2 months ago

I followed this guide and created the firmware to upload: https://www.youtube.com/watch?v=vPoUf87RHtc&ab_channel=AAlliieennX

I'm getting this error when I try to upload the firmware to the storage:

Screenshot 2024-05-03 010230

And trying to load webapp with MeshCMD. Gives this error:

C:\Asus.Q670\Mesh>meshcmd amtloadwebapp --host 192.168.178.111 --pass PASS
Invalid "action" specified.

This method worked in the past on older hardware without issues, just as Ylian describes it in his video. I'm pretty sure that Intel also locked down this possibility.

Any other suggestions that might work?

jsastriawan commented 2 months ago

The flash space for webapp hosting is limited. Please ensure that it has enough space before you upload meshcommander firmware edition. If the size is too big, it will fail.

So, if there is an existing file, you should remove it first.

Additionally for "amtloadwebapp" meshcmd, it was removed 3 years ago.

Spamm00r commented 2 months ago

Even with no file on storage and only a 75 byte file for upload it gives the same error message.

Only the firmware installer reports success in uploading a 44561 byte large file, but uploads a file called console. And the amt website reports: "Web browser access to Intel® Active Management Technology is disabled on this computer, or the page in the address bar is unavailable."

The issue here is not the file size I think.

jontywigster commented 2 months ago

Hello,

This won't be much help but might provide a hint.

I wanted to get an unused NUC12 back in action. After a BIOS update (including ME v16.1.30), I'm in the same boat.

'meshcmd meshcommander' can upload a .gz file but any file with extension .htm or .html results in the same 500 error (for info, files with, say, a comma in the name, generate a 400 error). A link specified in the upload page does appear in the NUC's AMT web UI too so we're frustratingly close.

I had a look at meshcommander's HTML/JS code in Chrome's debug tools and saw that file uploads are handled slightly differently, depending on whether the file extension is .gz or .htm/.html (e.g. 'function SetStorageName'). I cannot figure out what the actual difference is though.

For me, the Windows firmware installer seems to try to connect to the NUC with TLS 1.0. The NUC rejects this so I gave up with this tool.

Regarding the path jsastriawan mentioned, it does seem that the JS code prefixes uploads with '/amt_storage/' so I guess this isn't the problem.

jsastriawan and https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Faddingcustomwebapplications.htm mention HTTP PUT. With Mesh Commander's firmware file extracted to index.htm, I tried -

curl -k --anyauth -u user:password -F "file=@index.htm" https://host:16993/amt-storage/v/a/index.htm

The connection is just rejected.

I don't know what I'm doing but guess something's changed in AMT and however Mesh Commander uploads HTML files no longer works. Curl might work but I don't know how to invoke it.

Spamm00r commented 2 months ago

Yes something did in fact change.

Intel has stopped Web UI access deliberately and entirely due to security concerns, just as access to port 5900 and non TLS access has been removed despite it working fine before.

My research indicates that they announced it 2 or 3 years ago and now pulled through with it in their latest ME firmwares. And Ylianst wrote somewhere that he won't be following this path anymore due to Intel's decision to stop the WebUI access.

So with like so many things with Intel, this is not an error but a "feature", which Intel deliberately removed making several steps backwards.

It is not possible anymore to use Intel AMT without any third party tools.

Additionally, while they removed WebUI and 5900 port access, they do not provide any working tool to use intel AMT, as their tools like Manageability Commander have become outdated by their own firmware updates but instead they expect third parties to provide such tools, like meshcommander.

Someone at Intel must be working hard to stop customers from using intel AMT. They succeeded at that.

With the possibility of being able to install meshcommander on the internal memory of the AMT machine removed, there is no way to access Intel AMT without having a third machine running that is at least capable of running node. And if I need a third PC running for remote KVM then why do I need Intel AMT in the first place? Any non-AMT machine will do the same thing as the castrated Intel AMT machines.

With all these steps back, I consider Intel AMT to be end of life. I have been purchasing AMT machines since the Q67 chipset. Going forward, I won't be purchasing Intel AMT hardware anymore.

jontywigster commented 2 months ago

TLDR - I uploaded Mesh Commander 'firmware'. It works.

I had another look. An uploaded file is split into chunks. A file of size 65535 bytes is fine. A file of 65536 bytes will fail :) Gzips vs HTML files was a red herring, I was tired when I looked last night.

The Vendor Name and Application Name are arbitrary and just set the path the file is uploaded to. This path is then prefixed with 'amt-storage'. In other words -

image

will result in an upload path of https://amt_host:16993/amt-storage/V/A/65.5k.txt. A link, imaginatively titled 'link' in my example, in the AMT web apps menu points to that uploaded file.

> Intel has stopped Web UI access deliberately and entirely due to security concerns, just as access to port 5900 and non TLS access has been removed despite it working fine before.

I just happened to have a machine that supports AMT and wanted to give it a go. I'm not familiar with AMT or Mesh Commander. Looking at text from Intel that says the AMT Web UI will go, I don't know the full story but sometimes I'm optimistic and this might be a chance for something better. If I'm very lucky, perhaps even something with IDER that's not excruciatingly slow :D.
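As an added example (not code from MeshCommander or from anyone in this thread), the findings above folded into one script: the 65535-byte ceiling, the amt-storage/vendor/app path, the .gz suffix stripping that decides the MIME type, and an HTTPS PUT in place of the curl attempt. The PUT with Digest authentication is an assumption taken from the Intel reference guide linked earlier, as are the host name `amt.example` and all helper names; it has not been verified against AMT 16.1.

```python
import gzip
import mimetypes
import re
import ssl
import urllib.request
from dataclasses import dataclass

MAX_UPLOAD_BYTES = 65535        # 65535 bytes uploaded fine, 65536 failed (jontywigster)
STORAGE_PREFIX = "amt-storage"  # prefix Mesh Commander puts in front of vendor/app/file
SAFE_PART = re.compile(r"[A-Za-z0-9._-]+")  # a comma in the name produced an HTTP 400


@dataclass
class UploadPlan:
    url: str
    content_type: str
    size: int


def fits_limit(data: bytes) -> bool:
    return len(data) <= MAX_UPLOAD_BYTES


def plan_upload(host, vendor, app, filename, data, port=16993) -> UploadPlan:
    """Validate size and names, then derive URL and MIME type as described in the thread."""
    if not fits_limit(data):
        raise ValueError(f"{filename}: {len(data)} bytes exceeds {MAX_UPLOAD_BYTES}")
    # Mesh Commander drops a trailing .gz and picks the MIME type from what is left,
    # so fwm.htm.gz is served as text/html rather than offered as a download.
    name = filename[:-3] if filename.endswith(".gz") else filename
    for part in (vendor, app, name):
        if not SAFE_PART.fullmatch(part):
            raise ValueError(f"unsafe path component: {part!r}")
    ctype = mimetypes.guess_type(name)[0] or "application/octet-stream"
    url = f"https://{host}:{port}/{STORAGE_PREFIX}/{vendor}/{app}/{name}"
    return UploadPlan(url, ctype, len(data))


def put_web_app(plan, data, user, password, cafile=None, timeout=15) -> int:
    """HTTPS PUT with Digest auth, TLS 1.2+ only (TLS 1.0 was rejected in the thread).
    Hand the AMT certificate in via cafile rather than disabling verification."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    pw = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    pw.add_password(None, plan.url, user, password)
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx),
                                         urllib.request.HTTPDigestAuthHandler(pw))
    req = urllib.request.Request(plan.url, data=data, method="PUT",
                                 headers={"Content-Type": plan.content_type})
    with opener.open(req, timeout=timeout) as resp:
        return resp.status  # 2xx on success; size/name problems should never reach here


def sample_firmware() -> bytes:
    """Constructed stand-in for Firmware-Small.gz: a tiny gzipped HTML page."""
    return gzip.compress(b"<html><body>constructed placeholder</body></html>")
```

A real run would be `put_web_app(plan_upload("amt.example", "V", "A", "fwm.htm.gz", data), data, "admin", "...")` with the actual gzip bytes and the AMT certificate as `cafile`.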

Spamm00r commented 2 months ago

Are you on the latest ME Firmware Intel AMT v16.1.33.2307?

It appears that you can upload smaller files but that doesn't help as you can't host MeshCommander. If Intel says they removed the web hosting feature, I believe them.

If only 65KB files can be uploaded, this does not help as the smallest package of MeshCommander is 73KB as gzip.

Also where do you see the file as a link? I always get "Web browser access to Intel® Active Management Technology is disabled on this computer, or the page in the address bar is unavailable." Without any links at all. Which is consistent with Intel's claim to have ended Web UI access for good/bad.

jontywigster commented 2 months ago

> Are you on the latest ME Firmware Intel AMT v16.1.33.2307?

For my NUC12WSHV5, the latest BIOS update from ASUS (ASUS took over NUC supply and support from Intel) provides (AMT) ME Firmware 16.1.30.2307. This is what I have installed. Obviously, I might find a subsequent BIOS update removes things for me :(.

> If Intel says they removed the web hosting feature, I believe them.

https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fstorageadministrationandoperations.htm

mentions -

The storage feature was deprecated ... and removed .... In its place, the [Web Application Hosting](https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/WordDocuments/webapplicationhosting.htm) feature has been implemented.

WAH seems similar to the removed storage functionality and indeed mentions WAH can be used to replace the default AMT web UI. The AMT web UI is available for me on port 16993.

Where do you see that all web hosting has been removed from AMT?

> If only 65KB files can be uploaded, this does not help as the smallest package of MeshCommander is 73KB as gzip.

The Windows firmware installer doesn't work for me but I found https://github.com/Ylianst/MeshCommander/tree/master/output. From here, Firmware-Small.gz is 43KB, so within the limit. I uploaded the file to my NUC and KVM works, which is what I'm interested in. Is this the wrong place to be looking?

> Also where do you see the file as a link?

After uploading Mesh Commander 'firmware' to my NUC via Mesh Commander, in the AMT web UI (not Mesh Commander), I see within 'Web Applications Links' -

image

That link works for me, as does KVM -

image

> I always get "Web browser access to Intel® Active Management Technology is disabled on this computer, or the page in the address bar is unavailable."

I noticed this error on going to an invalid URL.

Spamm00r commented 2 months ago

Can you post a screenshot of the upload settings you use and the exact url you enter to reach the WebUI please?

jontywigster commented 2 months ago

I see Mesh Commander truncates filenames and then MIME stuff doesn't work; a file is then downloaded instead of rendered. I guess this is another of your issues.

  1. I've renamed Firmware-Medium.gz to fwm.htm.gz. In Mesh Commander, I clicked Choose File and selected fwm.htm.gz for upload. Mesh Commander has automatically dropped the '.gz' suffix and picked text/html as the MIME type. I did not bother specifying a Vendor or App. I added MeshCMD as the 'link' -

image

  2. Mesh Commander has successfully uploaded the file -

image

  3. I went to my NUC's AMT web UI at https://nuc.ip.address.here:16993 -

image

  4. I clicked Web Applications Links. This section now has a link titled MeshCMD. I didn't capture the mouse pointer but it's hovering over the link so you can see where it points, and how 'amt-storage', vendor and app are automatically set by Mesh Commander -

image

  5. I clicked the link and was redirected to Mesh Commander running from AMT storage -

image

Spamm00r commented 2 months ago

Thanks for the screenshots.

Your firmware isn't restricted yet, as you have a WebUI. So you don't really have the problem I'm having.

Which is strange, as you are on Firmware 16.1. and according to Intel starting with 16.1. Intel AMT has been severely restricted. Apparently not on the device you are using.

I don't even have a Web UI with any options. I only get the error message that WebUI access has been disabled. Apparently the firmware 16.0 for my device still has WebUI access but not 16.1 anymore.

You had better not update your firmware or you will be in the same situation as me.

Spamm00r commented 2 months ago

Which makes me think that it is just a settings switch that toggles WebUI access or not, which one may edit in the firmware.

Can you give the link to the exact bios you flashed?

Is it this?

https://www.asus.com/displays-desktops/nucs/nuc-kits/asus-nuc-12-pro/helpdesk_bios/?model2Name=ASUS-NUC-12-Pro-Kit

jontywigster commented 2 months ago

> Can you give the link to the exact bios you flashed?

The URL you posted is good but, on that page, the specific model has to be selected -

image

BIOS update 0092 is what I have installed. That download doesn't provide a separate file to update Intel ME. There's nothing in my NUC's BIOS settings that specifically enables/disables the AMT web UI.

Having a quick look through the relevant Intel AMT security advisories, it doesn't seem that my NUC is vulnerable. Maybe this is why the ME/AMT stuff I'm offered (16.1.30.2307) is a bit behind compared to you (16.1.33.2307). Maybe ASUS will offer an updated BIOS for my NUC soon and things will then stop working for me too.

I really don't know what's going on for you. If you can upload at all, and you mentioned that the Windows util did send the 'firmware' version of Mesh Commander, the storage stuff in AMT must be working. If you're getting a message that the web UI is unavailable, I guess it is AMT's web server that is serving that message.

Maybe just blocking logins to that web UI was the fastest way to mitigate the AMT vulnerabilities now, and the web server will be removed properly later since Intel seems to be planning to remove it for everyone anyway. I have no idea though.

pcmike commented 5 days ago

Have some random insights on 6th gen and 12th gen.. safari/chrome. Will update this post later