CCcam Server + OScam Client Config Guide
Getting a working cccam server oscam client config takes more than just dropping a [reader] block into a file and hoping for the best. There are protocol details, group routing, version strings, and downstream listener config that all have to line up — and most guides skip half of it. This one doesn't. Below is everything you need, from the initial TCP handshake explanation to running OScam as a hardened systemd service.
How CCcam-to-OScam Communication Works
Before touching any config file, you need a clear mental model of what's actually happening on the wire. CCcam and OScam are two separate pieces of software that speak a shared protocol. OScam is connecting to the CCcam server — not the other way around.
The CCcam Protocol Handshake Overview
When OScam opens a connection to a CCcam server, the first thing that happens is an SHA1-based challenge/response handshake. The server sends a 16-byte random seed, the client uses it together with the username and password to compute a hash, and that hash is what authenticates the session. No plaintext passwords on the wire.
After auth, the server sends a share list — all the CAIDs and provider IDs it has access to. OScam stores this internally and uses it to decide which reader to route ECM requests to. The connection stays open persistently; ECM requests flow in, decrypted ECW responses flow back.
What OScam's 'cccam' Reader Type Actually Does
OScam's reader module with protocol = cccam is a pure client implementation. It speaks CCcam protocol outbound to a server. OScam does NOT expose a CCcam server port when configured this way — there's no incoming CCcam listener involved. That's a separate thing entirely ([cccam] section in oscam.conf, which you're not using here).
The reader handles connection management, reconnection on drop, share list parsing, and ECM forwarding. Think of it as a driver for a remote card that happens to live on someone else's server.
Port 12000 and Non-Standard CCcam Ports Explained
The default CCcam server port is 12000/TCP. That's the port compiled into the original CCcam binary and what most servers run on. But non-standard ports (13000, 16000, 10000, etc.) are common — operators change them to avoid automated port scanners or to run multiple instances.
Whatever port your server operator gives you, that's what goes in the device line. Never assume 12000. Always confirm. Connecting to the wrong port gives you a clean "connection refused" immediately, which is actually easier to debug than an auth failure.
Why OScam Needs a Dedicated Reader Entry Per CCcam Server
Each [reader] block in oscam.server represents one persistent TCP connection to one CCcam server. If you have two CCcam servers, you need two reader blocks with unique labels. OScam's load balancer then treats them as separate sources and can route ECM requests to whichever responds fastest.
Trying to cram two server addresses into one reader block doesn't work. One reader, one connection, one server. That's the model.
OScam oscam.server Config for a CCcam Reader
The oscam.server file lives at /etc/oscam/oscam.server on most Linux installs. On Enigma2 images it's often at /etc/tuxbox/config/oscam.server or /usr/keys/oscam.server. The syntax is identical regardless of location.
Minimum Required Directives for a Working CCcam Reader
At absolute minimum you need: label, protocol, device, user, password, and group. Everything else is optional but strongly recommended for stability. A bare-minimum block will connect but you'll hit problems with idle timeouts and missing channels without the extra directives.
Full Annotated oscam.server Block with Every Relevant Key
[reader]
label = mycccam_reader
protocol = cccam
device = SERVER_IP,12000
user = YOUR_USER
password = YOUR_PASS
cccversion = 2.3.0
ccckeepalive = 1
inactivitytimeout = 30
reconnecttimeout = 30
group = 1
cccmaxhops = 2
cccwantemu = 0
cccos = 0
ccchops = 0
Replace SERVER_IP, YOUR_USER, and YOUR_PASS with what your server operator provided. Every other value above is a reasonable production default. Here's what each line actually does:
- label — Unique name for this reader. Shows up in webif and logs. Make it meaningful, especially if you have multiple readers.
- protocol — Tells OScam which connection driver to use. cccam for standard CCcam servers.
- device — IP/hostname and port, comma-separated. No spaces around the comma.
- user / password — Credentials exactly as provided. Case-sensitive.
- cccversion — The CCcam version string OScam presents during handshake. Servers may check this.
- ccckeepalive — Sends periodic pings over idle connections. Set to 1 unless your server explicitly rejects keepalives.
- inactivitytimeout — Seconds of no ECM activity before OScam considers the connection stale and reconnects. 30 is sensible.
- reconnecttimeout — Seconds to wait before attempting reconnect after a drop. Keep this at 30 or lower.
- group — Reader group number. Must match the group in your oscam.user entries or ECMs won't route here.
- cccmaxhops — Maximum share hops to accept from the server's share list. More on this below.
- cccwantemu — Set to 1 only if you want the server to share emulated cards. Usually 0.
- cccos / ccchops — Override reported OS and hop count in handshake. Leave at 0 unless the server requires specific values.
Setting 'protocol = cccam' vs 'protocol = cccam2'
cccam2 is an OScam-internal extended variant of the CCcam protocol. It adds share list negotiation features and some extra metadata exchange. The catch: it only works correctly when both endpoints are OScam. A real CCcam server (running the actual CCcam binary) won't understand the cccam2 extensions and will either reject the connection or behave unpredictably.
Rule of thumb: use protocol = cccam for anything running actual CCcam server software. Use cccam2 only in OScam-to-OScam setups. When in doubt, start with cccam.
The 'device' Directive: Hostname and Port Syntax
Standard IPv4 or hostname: device = myserver.example.com,12000
IPv6 addresses require bracket notation: device = [2001:db8::1],12000. Skip the brackets on IPv6 and OScam will fail to parse the address correctly — it's a common mistake on IPv6-only VPS setups.
If your server sits behind a reverse proxy or load balancer, the IP that the CCcam server sees may not be your real client IP. If the server uses IP whitelisting, auth will fail even with correct credentials. That's a server-side configuration problem — contact the operator.
Username, Password, and cccversion Fields
Credentials are case-sensitive and must match exactly what's configured on the server. A trailing space in the password field will cause silent auth failure — watch out when copy-pasting.
The cccversion string is what OScam tells the server it is during the handshake. Common values servers expect: 2.3.0, 2.1.4, 2.2.1. If the server enforces a specific version and yours doesn't match, the connection drops immediately after auth — no error message that clearly says "version mismatch." You just see a disconnect. Try 2.3.0 first; if that fails, ask your server operator what version string they expect.
inactivitytimeout and Reconnect Settings
inactivitytimeout = 30 means OScam will reconnect if no ECM activity happens for 30 seconds. This is good — it recovers stale connections without waiting for the OS to detect a dead socket. On very lossy networks you might lower this to 20.
reconnecttimeout = 30 is the delay between a disconnect and the next reconnect attempt. Keeping it at 30 means about 30 seconds of potential blackscreen after a server drop. For critical setups with multiple servers, having a lower value (15–20) plus multiple reader entries is better than hammering one server with rapid reconnects.
Group Assignment and Why It Matters for Routing
The group value is OScam's internal routing mechanism. An ECM request from a downstream client (your STB) gets forwarded to readers that share the same group number as the user making the request. If your reader is in group 1 but your STB's user entry specifies group 2, the ECM never reaches this reader. Full stop. This is the single most common misconfiguration in the entire cccam server oscam client config process and almost no other guide explains it clearly.
oscam.conf and oscam.user Settings That Affect CCcam Clients
Global [global] Section: logfile, nice, maxlogsize
The oscam.conf file at /etc/oscam/oscam.conf controls global behavior. A minimal working [global] block:
[global]
logfile = /var/log/oscam/oscam.log
maxlogsize = 512
nice = -1
WaitForCards = 1
lb_mode = 1
lb_save = 1
maxlogsize is in KB — 512 KB keeps logs manageable without losing useful history. WaitForCards = 1 tells OScam to hold ECM requests until at least one reader is ready, rather than immediately returning "not found." nice = -1 gives OScam slightly elevated CPU scheduling priority, which matters on embedded devices under load.
Enabling the Web Interface for Live Reader Status Monitoring
Add this to oscam.conf to enable the HTTP monitor on port 8888:
[webif]
httpport = 8888
httpuser = admin
httppwd = yourpassword
httprefresh = 10
httpallowed = 127.0.0.1,192.168.0.0-192.168.255.255
Restrict httpallowed to your local network. Never expose port 8888 to the internet without authentication and even then it's risky. The webif is where you'll watch reader status in real time — whether the CCcam connection is up, hop counts, last ECM time, and response latency. You'll use this constantly when debugging.
oscam.user: Creating a Local User to Route Descrambled ECWs to Your STB
File location: /etc/oscam/oscam.user. You need at least one user entry for the device connecting to OScam (your STB, Dreambox, VU+ box, etc.):
[account]
user = stbuser
pwd = stbpassword
group = 1
au = 1
The group = 1 here must match the group = 1 in your reader block. That's the link. OScam sees the ECM request from stbuser (group 1), looks for readers in group 1, finds your CCcam reader, sends the ECM there, gets back the ECW, and returns it to the STB. Break the group match and nothing works even if the CCcam connection is perfectly healthy.
Linking Users to Reader Groups with 'group' Directive
Groups are just integers. You can use any number 1–64. You can assign multiple groups to both readers and users using comma separation: group = 1,2,3. This is useful when you have multiple CCcam readers in different groups and want a user to have access to all of them. OScam's load balancer will then pick the best reader across all assigned groups.
Setting 'au' (Auto-Update) Correctly for Card Sharing Readers
au = 1 in the user account enables entitlement management message (EMM) auto-update for that user. For a card sharing setup where you're only receiving ECM responses, au = 1 on the reader itself is usually unnecessary and can add noise. Set it on the downstream user account if you need subscription renewals passed through; leave it off on the reader unless your server supports and requires it.
Connecting Your STB or Softcam to OScam After CCcam Auth
Here's where most cccam server oscam client config guides completely fall apart. They get OScam connected to the CCcam server and stop. But that connection only solves half the problem — you've gotten the encrypted ECMs to the right place, but you still need to get the decrypted ECWs back out to your TV box.
Using OScam as a newcamd Listener for Dreambox/VU+ Boxes
Newcamd is the most widely supported protocol on Enigma2 STBs. Add a [newcamd] section to oscam.conf:
[newcamd]
key = 0102030405060708091011121314
port = 15050@1702:000000
The key is the newcamd DES key — it must match what you configure in the STB's newcamd client. The value above is a common default; you can use any 14-byte hex string. The port line format is port@CAID:ProviderID. Use 000000 as provider ID to accept all providers for that CAID, or specify a real provider ID (e.g., 000000 for wildcard, 000001 for a specific provider). For multiple CAIDs, add multiple port entries separated by semicolons: port = 15050@1702:000000;15051@0D00:000000.
Configuring oscam.conf [newcamd] Listener Block
On your Dreambox or VU+ box, add a newcamd server entry pointing to the IP of the machine running OScam, port 15050, with the same DES key. The STB sends ECM requests to OScam's newcamd listener, OScam routes those via the CCcam reader to the server, gets the ECW back, and returns it to the STB. That's the complete chain.
Using OScam's camd35/cs357x Listener for Other Clients
Some clients prefer camd35 (also called cs357x). Add to oscam.conf:
[cs357x]
port = 15000
The user credentials for camd35 come from oscam.user just like newcamd. The protocol is simpler than newcamd but less common on modern STBs. Use newcamd unless your client specifically needs camd35.
oscam.user Entry for the STB: Required Fields
[account]
user = stbuser
pwd = stbpassword
group = 1
au = 1
uniq = 0
uniq = 0 allows the same credentials to connect from multiple clients simultaneously. Set to 1 if you want to enforce single-connection-per-user. For a household with one STB, either works. For shared setups, set it to 0 to avoid self-lockout during reconnects.
Verifying Card Share Is Passing ECMs via Webif Reader Stats
Open http://OSCAM_IP:8888 in a browser. Click on your reader name. You'll see: connection status, last ECM time, ECM count, response time in milliseconds, and hop count. If the reader shows "connected" but ECM count stays at zero after you try to tune a channel, the problem is downstream — check the STB's connection to OScam, or check group assignments.
If ECM count increments but you still see a black screen, the CCcam server may not have the card for that CAID. Check the share list in the reader detail view to confirm the CAID you need is actually listed.
Troubleshooting CCcam Reader Connection Issues in OScam
Reader Stuck in 'CACHEEX' or 'CARDOK' Never Appears — Causes
"CACHEEX" in reader status usually means OScam is in cache exchange mode, not a direct CCcam reader mode. Check that you haven't accidentally set cacheex = 1 on the reader. A clean CCcam reader should show as "CONNECTED" or "CARDOK" once auth completes and the server sends a share list with actual cards.
If the status never reaches CARDOK, the server likely has no active cards in its share list, or cccmaxhops is filtering everything out.
AUTH FAILED: Wrong cccversion String
In the OScam log (/var/log/oscam/oscam.log), a failed auth looks like:
2024/01/15 14:23:01 9876 r mycccam_reader cccam: login failed for user YOUR_USER
2024/01/15 14:23:01 9876 r mycccam_reader cccam: connection closed
You see a connection followed immediately by disconnect. Before blaming credentials, try changing cccversion. Go from 2.3.0 to 2.1.4 or vice versa. Some servers are compiled to reject version strings they don't recognize. This is a silent failure mode — there's no explicit "wrong version" error in the log, just a disconnect.
To get verbose reader output temporarily, add loglevel = 512 to [global] in oscam.conf, restart OScam, check logs, then remove it. The log volume at level 512 is significant — don't leave it on permanently.
Connection Refused vs Connection Timeout — What Each Means
Connection refused: The TCP packet reached the server but nothing is listening on that port. Either the port number is wrong, the CCcam server isn't running, or a local process is blocking the port (on Enigma2, a CCcam plugin running alongside OScam may have claimed port 12000 — kill it).
Connection timeout: The TCP SYN packet never got a response. Either a firewall is dropping packets, the IP is wrong, or routing is broken. Test with: nc -zv SERVER_IP 12000. If it hangs, it's a network/firewall issue. If it returns "refused" immediately, the port is closed on the server.
OScam Log Lines to Look For
A successful connection sequence in the log looks like:
r mycccam_reader cccam: resolved SERVER_IP to x.x.x.x
r mycccam_reader cccam: connected to x.x.x.x:12000
r mycccam_reader cccam: login successful for user YOUR_USER
r mycccam_reader cccam: received share list (47 cards)
If you see "received share list (0 cards)" — the server is up and your credentials work, but there are no active cards on that account. Contact the server operator.
Firewall and NAT: Ensuring Port 12000 Is Reachable
OScam connects outbound to port 12000. Most home NAT setups allow outbound connections without any special configuration. Problems arise when a firewall on the client machine itself blocks outbound connections (uncommon but possible with strict iptables rules), or when the server's firewall has IP whitelisting and your public IP isn't on the list.
Also check: if you're in a shared NAT environment where multiple OScam clients share the same public IP, the CCcam server may have a per-IP connection limit and reject connections beyond that limit. Each client needs its own unique username/password pair — same credentials from the same IP sometimes works, same credentials from the same IP simultaneously almost always fails.
cccmaxhops Set Too Low — Missing Channels Explained
CCcam cards have a "hop count" — how many relays the card has passed through to reach your server. A card directly in the server hardware is hop 0. A card shared from another CCcam server to yours is hop 1. Shared again, hop 2. And so on.
cccmaxhops = 1 means OScam will only use cards with hop count 0 or 1. Cards at hop 2+ are in the share list but OScam ignores them. If the channel you need happens to come from a card at hop 2, you'll be connected, the reader will show as healthy, but that specific channel won't decrypt. Set cccmaxhops = 2 or higher if you're getting selective missing channels. Be aware that very high values (8+) can cause OScam to receive enormous share lists on busy servers, which consumes memory — a real concern on Dreambox hardware with 256MB RAM.
Duplicate Reader Entries Causing Loop Reconnects
Two reader entries with the same label in oscam.server cause confusing behavior — OScam may load both, creating duplicate connection attempts to the same server. The log will show rapid connect/disconnect cycles. Use unique labels for every reader. Check for accidental duplicates if you see a reader bouncing in the webif.
Hardening and Performance Tuning for the OScam CCcam Reader
Setting reconnecttimeout to Avoid Zap Delays
With only one CCcam reader, a server drop means a blackscreen until OScam reconnects. reconnecttimeout = 30 is the default, which means up to 30 seconds of black. Lowering to 15 reduces that window but increases reconnect frequency on flaky connections. For production, running two reader entries pointing at different servers with lb_mode = 1 is a better answer than tuning reconnect timing alone.
ccckeepalive and Its Effect on Idle Connections
ccckeepalive = 1 sends a periodic ping-style message over the CCcam TCP connection during idle periods. Without it, NAT mappings on routers typically expire after 60–300 seconds of idle, silently killing the TCP session. OScam won't know the connection is dead until the next ECM request fails. With keepalive enabled, the NAT mapping stays alive and OScam detects drops faster. Leave this on.
Using lb_mode (Load Balancing) When Connecting to Multiple CCcam Servers
Set in oscam.conf [global]:
- lb_mode = 0: No load balancing. OScam uses the first available reader in the list. Simple but gives no performance benefit.
- lb_mode = 1: Fastest reader wins. OScam tracks ECM response times per reader and routes future requests to the reader with the best average response time. This is what you want for a multi-server setup.
- lb_mode = 5: Weighted random. Factors in response time but adds randomization to spread load. Useful when you have many servers of similar quality and don't want one to get all traffic.
For most setups with 2–4 CCcam readers, lb_mode = 1 with lb_save = 1 (saves learned stats to disk so OScam doesn't start blind after a restart) is the right choice.
Logrotate Config for OScam Logs to Prevent Disk Fill
Create /etc/logrotate.d/oscam:
/var/log/oscam/oscam.log {
    daily
    rotate 7
    compress
    missingok
    notifempty
    copytruncate
}
copytruncate is important here — OScam keeps the log file handle open, so standard rotate-and-signal won't work without sending OScam a SIGHUP. Copytruncate copies the file then truncates the original in place, which works without touching the OScam process. On embedded Enigma2 devices with small flash storage, rotate more aggressively: rotate 3 and consider maxsize 1M.
Running OScam as a Non-Root systemd Service
Create user and directory:
useradd -r -s /sbin/nologin oscam
mkdir -p /var/log/oscam
chown oscam:oscam /var/log/oscam
chown -R oscam:oscam /etc/oscam
Create /etc/systemd/system/oscam.service:
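[Unit]
Description=OScam Softcam
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
User=oscam
Group=oscam
# systemd creates /run/oscam owned by the oscam user, so the unprivileged
# process can write its PID file there (it cannot write to /var/run itself).
RuntimeDirectory=oscam
ExecStart=/usr/bin/oscam -B /run/oscam/oscam.pid -c /etc/oscam
PIDFile=/run/oscam/oscam.pid
Restart=on-failure
RestartSec=10
StandardOutput=null
[Install]
WantedBy=multi-user.target
Enable and start: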
systemctl daemon-reload
systemctl enable oscam
systemctl start oscam
Running as non-root means a compromised OScam process can't trash the system. The Restart=on-failure directive handles unexpected crashes automatically. This is standard practice and takes about 5 minutes to set up — skip it and you're running a network-facing service as root indefinitely.
One final check before assuming your cccam server oscam client config is complete: run oscam --version and look at the module list in the output. Some minimal or stripped builds compiled for specific embedded targets exclude the CCcam reader module entirely. If you don't see "cccam" in the compiled modules list, no amount of config changes will make it work — you need a full-featured OScam build.
Frequently Asked Questions
What is the default port for a CCcam server that OScam connects to?
The default CCcam server port is 12000/TCP. Many operators run on non-standard ports — always confirm with whoever gave you the server credentials. The port is set in the device line of oscam.server as hostname,port with no spaces. Never assume 12000 if you haven't been explicitly told the port.
What is the difference between 'protocol = cccam' and 'protocol = cccam2' in OScam?
cccam2 is an OScam-internal extended protocol variant with additional share negotiation features. It only works correctly when both the client and server are running OScam. A real CCcam server binary won't understand cccam2 extensions — it'll either reject the connection or behave unpredictably. Use protocol = cccam for anything running actual CCcam server software, and reserve cccam2 strictly for OScam-to-OScam setups.
Why does my OScam reader show 'connected' but channels still don't decrypt?
"Connected" only means the TCP link is up — it doesn't guarantee card availability. Work through this checklist: (1) Is cccmaxhops high enough to reach the cards you need? (2) Is the CAID and provider ID you need actually in the server's share list? (3) Does your STB's oscam.user group match the reader's group? (4) Check ECM request counts in the webif reader detail — if they're at zero, the request isn't even reaching OScam from the STB.
Can OScam connect to multiple CCcam servers simultaneously?
Yes. Add multiple [reader] blocks in oscam.server, each with a unique label. Assign the same group to all of them if you want unified routing, or different groups for separate access tiers. Set lb_mode = 1 in oscam.conf [global] to have OScam automatically route each ECM request to the fastest responding reader. Add lb_save = 1 so those learned timings persist across restarts.
What should I look for when evaluating a CCcam server's reliability before configuring it?
Key things to check: Does the operator publish uptime stats or have a status page? Where is the server geographically relative to you — server location directly affects ECM response latency. How many simultaneous connections does the account allow? Does the operator provide a test line before full commitment? Is there any technical documentation about the server setup? Avoid servers with no trial access and no way to verify the setup works before you configure everything around it.
How do I check OScam logs to confirm a CCcam reader authenticated successfully?
In /var/log/oscam/oscam.log or the webif log view, a successful auth shows lines with your reader label followed by "cccam: login successful" and then "received share list." A failed auth shows "login failed" or an immediate disconnect right after the TCP connection line. If you need more detail, temporarily add loglevel = 512 to [global] in oscam.conf and restart — this produces verbose per-reader output. Remove it after debugging; the log volume is large.
Does OScam support CCcam card sharing on both Linux and embedded (Enigma2) platforms?
Yes, and the oscam.server config syntax is identical on both. On Enigma2 (Dreambox, VU+), OScam is installed as an ipk or opk plugin. Config files are typically at /etc/tuxbox/config/ or /usr/keys/ depending on the image. One watch-out on Enigma2: if a CCcam plugin is also installed and running, it may already be listening on port 12000 locally. That causes "connection refused" when OScam's reader tries to connect to the server — kill the conflicting CCcam plugin and connect only through OScam.