CCcam config: setting up CCcam.cfg from scratch
If you are opening this file for the first time and do not understand what to write where — that's normal. The documentation for CCcam has always been, to put it mildly, sparse. I will break down the cccam config into parts: where the file is located, what each line means, why the daemon silently ignores your edits, and how to read logs when channels do not open.
This material is aimed at those who have already installed the daemon on a receiver or Linux server and are stuck at the configuration stage. We will not cover the installation of CCcam here — only the file and its syntax.
Where CCcam.cfg is located and the basic structure of the file
The first thing to understand: there is one configuration file, but it can be located in different places depending on the platform and firmware. CCcam reads it once at startup — changes are not applied without restarting the daemon.
Standard paths: /var/etc/CCcam.cfg and /etc/CCcam.cfg
On most Enigma2 images (OpenATV, OpenPLi, OpenViX), the config is located at/var/etc/CCcam.cfg. On some older or non-standard builds, you may find/etc/CCcam.cfg. The easiest way to check via SSH is with the command:
find / -name "CCcam.cfg" 2>/dev/null
If the file is completely missing — create it at the required path. CCcam will simply not find the config at startup and will run with empty settings, without errors in the log.
Difference in location on Enigma2 and on Linux server
On an Enigma2 receiver, the config is traditionally in/var/etc/CCcam.cfg, while on DreamOS (Dreambox with a new kernel) it may be placed in/etc/tuxbox/config/. On a clean Linux server (Ubuntu, Debian), it all depends on how you start the daemon and what is specified in the init script or systemd unit. Often used/etc/CCcam.cfg or/usr/local/etc/CCcam.cfg.
Check your init script: there will be a line like-c /path/to/CCcam.cfg, which tells the daemon where to look for the config. This path is what matters.
File encoding and line endings (LF, not CRLF)
This kills more configs than any syntax errors. If you edit the file on Windows in regular Notepad and save it — lines C: and F: will contain a carriage return character\r at the end. CCcam does not understand it and silently skips the line. The daemon starts, there are no connections, and nothing suspicious in the log.
Use Notepad++ with the mode "Edit → EOL Conversion → Unix (LF)", or edit the file directly on the receiver via nano or vi over SSH. You can check for CRLF with the command:
cat -A /var/etc/CCcam.cfg | grep "^C:"
If you see^M$ at the end of the line instead of just$ — the problem is indeed with the line endings. Quick fix:
sed -i 's/\r//' /var/etc/CCcam.cfg
File permissions: chmod 644 and owner root
CCcam runs as root and must be able to read the config. The standard permissions are 644, owner root:
chmod 644 /var/etc/CCcam.cfg
If the daemon runs as another user (which is rare, but happens), the permissions need to be adjusted for that user. A file with permissions 600 and a different owner will simply not be opened by CCcam.
Line C: — connection to the server (client part)
LineC: — is what makes your receiver a client. It tells CCcam: "connect to this server and request a key for decryption." Without it, the cccam config loses its meaning from the client part's perspective.
Syntax: C: hostname port username password
The basic format looks like this:
C: server.example.com 12000 myuser mypassword
Field breakdown:
- C: — type of line, space after the colon is mandatory
- server.example.com — hostname or IP address of the server provided by your provider
- 12000 — TCP port on which the server is listening
- myuser — login (case-sensitive)
- mypassword — password (case-sensitive)
Extra spaces between fields are not stylistic, they are a malfunction. CCcam parses the line character by character, and an extra space between the port and the login will result in the login being recognized with an empty value. The result is an authorization error that is not immediately associated with formatting.
Additional parameters: wantemus, no/yes for encryption
The fifth parameter controls the encryption of the channel between the client and the server. There are several options depending on the version of CCcam:
C: server.example.com 12000 myuser mypassword yes
The valueyes enables encryption,no — disables it. The problem is that different versions of CCcam (2.1.x, 2.2.x, 2.3.x) interpret this parameter differently. If the server expects encryption and the client sends plain text — the connection will be established, but the authorization will fail. Check with the server owner which parameter to use.
The parameterwantemus — is an outdated syntax from older versions, meaning the same thing. If you see it in someone else's configs — just know that it's not a typo.
Multiple C: lines and their processing order
You can specify multiple servers:
C: server1.example.com 12000 user1 pass1
CCcam will connect to all at once and will request keys from all. This provides redundancy: if the first server does not respond, the request will go to the second. But there is a nuance: two C: lines to the same server with the same account will cause a double connection. Most servers ban accounts for exceeding the connection limit. Check that you do not have duplicate entries.
Connection check via telnet and logs
Quick check to see if the server port is accessible from your network:
telnet server.example.com 12000
If the connection cannot be established — it's a network problem or the port is closed on the server. If it connects and then immediately closes — the server is running, then we check authorization.
To view CCcam logs on Enigma2:
tail -f /tmp/CCcam.log
Lines withCONNECT,LOGIN,DENIED — these show what happens during the connection.
Server configuration: F-lines, local readers, and sharing
If you are sharing access with others — you need linesF:. These turn your receiver into a server. Confusing C: and F: is the most common mistake of beginners.
F: user password — sharing access with clients
The format of the line for creating a client account:
F: clientuser clientpassword 1 0 0 0 0
The first two fields are the client's login and password. The other fields are uphops, downhops, and several flags. The minimum working option:
F: clientuser clientpassword 1 0 0
Use a unique login and password for each client. This is not paranoia — it's the only way to later understand who among the clients is overloading your server or has shared data with outsiders.
Parameters uphops and downhops
The third field in the F: line — uphops. The fourth — downhops. They determine the depth of the sharing chain.
uphops — how many levels up the client can "see" through your server. A value of 1 means: the client sees only your card, does not see the cards of the servers to which you are connected. A value of 2 — sees deeper. Setting it higher than 2 without understanding the consequences is not advisable: foreign shares come from long chains, the quality of decryption drops, freezes occur.
downhops — how far down your server distributes the received shares. 0 means that the client receives only what you have explicitly allowed him. Usually, downhops are kept at 0 for control.
Connecting a local card through an internal reader
CCcam automatically detects smart cards in the built-in readers of the receiver. If the card is inserted and supported — it will appear in the share-list as local without additional configuration in CCcam.cfg. This is the card that clients will receive through the F: lines.
For external USB readers or PC/SC devices on a Linux server, the configuration is more complex — you need to configure the reader section separately or use OScam as a card server with proxying to CCcam.
Limiting the number of connections per account
The last fields of the F: line include limiting simultaneous connections. The format with an explicit limit:
F: clientuser clientpassword 1 0 0 0 1
The last digit — the maximum number of simultaneous connections with this account. A value of 0 usually means "unlimited," which is undesirable if you do not fully trust the client.
Global directives and web interface
The top part of CCcam.cfg — these are global settings that determine the behavior of the daemon as a whole. They are usually set once and forgotten, but it's important to understand them.
WEBINFO LISTEN PORT and access to status
The CCcam web interface — is a simple page with a list of connected clients, share list, and status. By default, the port is 16001:
WEBINFO LISTEN PORT : 16001
Open in browser:http://192.168.1.100:16001/ — replace the IP with the address of the receiver in your network. You can also check which CAIDs and providers are available through the server — this is the first place for diagnostics when channels do not open.
Never open this port to the internet without a firewall or at least IP restrictions. The CCcam web interface has no authorization. Anyone who knows your external IP and guesses the port will see the entire structure of your sharing network.
SERVER LISTEN PORT — port for incoming clients
If you are granting access to others:
SERVER LISTEN PORT : 12000
Clients connect to this port through the C: line in their configs. Port 12000 is historically popular but not standard. You can use any unoccupied port above 1024. The main thing is to ensure that it is open in the firewall and, if you are behind NAT, forwarded from the router to the receiver.
ALLOW TELNETINFO and monitoring security
The CCcam Telnet interface allows you to connect and view live status in the terminal:
ALLOW TELNETINFO : yes
The same security rules apply as for the web interface: only local network, no access from the internet. If the receiver is connected directly to the network — close 16000 and 16001 to incoming connections from WAN.
DEBUG and logging levels
By default, logging is minimal. For diagnostics, we raise the level:
DEBUG : 0
Values range from 0 to 8, where 0 is the minimum and 8 is the most detailed log including all ECM requests. It is not advisable to set it above 2 permanently — the log will grow quickly. Raise the level only for debugging, then return it back.
Diagnostics: why the cccam config does not work
The config is written, the daemon is running, but channels do not open. We analyze by levels — from network to decryption. It is not advisable to skip levels because symptoms at different levels may be similar.
There is a connection, but channels do not open (missing required CAID)
ONLINE status in the receiver menu or in the log — this only indicates network connectivity. It does not mean that the server is providing the necessary keys.
Open the web interface on port 16001 and check the share-list. There will be a list of CAIDs (conditional access system identifiers) and providers that are available through your server. If the required CAID for your channel is missing there — the server simply does not have access to this package. This is not a config problem — it is a question for the provider you are getting access from.
Typical CAIDs: Viaccess — 0x0500, Nagravision — 0x1800, Irdeto — 0x0600, Conax — 0x0B00. If the CAID of your channel does not match what is in the share-list — the channels will not open with any cccam config.
Server is not visible: port is closed or NAT
The client cannot connect to the server — the log shows repeated CONNECT attempts without success.
Port check from the outside:
nc -zv server.example.com 12000
If the port is not open — there are three options: the firewall on the server is blocking incoming connections, the server is behind NAT without port forwarding, or the CCcam daemon is not running. We check in that order.
On a receiver that is behind a home router and wants to accept incoming clients: without port forwarding from the router to the receiver, clients will not be able to connect. This is a hardware limitation of NAT, not a CCcam bug.
Authorization error: incorrect login/password or case sensitivity
In the log, a line likeDENIED user orLOGIN FAILED — means the network connection was successful, but authentication failed.
We check in order:
- Does the login and password in the C: line exactly match what the server owner provided? CCcam is case-sensitive
- Are there any extra spaces at the end of the login or password — especially if you copied the text from an email
- Has the account expired or has it been blocked for exceeding the connection limit
- The file was not saved with CRLF (see the section on line breaks)
Another nuance: some servers check not only the login/password but also the number of simultaneous connections. If you have two C: lines to one server with one account in your config — you have already exceeded the limit with the first connection.
Freezes and hangs: hops and line quality
The picture is there, but it periodically freezes for 2-5 seconds. This is one of the most unpleasant symptoms because there are several reasons.
The first thing to check is the latency to the server. A ping above 150-200ms on a regular basis will cause freezes with any configuration. CCcam expects a response from the server within a certain timeout — if the server is physically far away or the line is unstable, the timeout triggers before the key arrives.
The second is uphops. If the uphops parameter in the F: lines is raised to 3-4, your CCcam starts receiving shares from long sharing chains. The longer the chain, the higher the latency of each link adds up. A value of 1 guarantees that the client only works with a direct source. This means less content, but more stability.
The third is to look at the ECM time in the log (the time of key reception). Lines likeECM time: 850ms are already on the edge. If the ECM time is consistently above 500ms, freezes are inevitable regardless of the settings.
Frequently asked questions
Where is the CCcam.cfg file located on the receiver?
On most Enigma2 images, it is/var/etc/CCcam.cfg. On some firmware versions —/etc/CCcam.cfg or the directory/etc/tuxbox/config/. The exact path depends on the firmware build and the method of daemon installation. Usefind / -name "CCcam.cfg" 2>/dev/null to find the file on a specific device.
What do the parameters in the C: line mean?
Format:C: host port login password [encryption]. Host and port are the server address, login and password are provided by the server owner. The last optional parameter (yes/no) controls the encryption of the channel between the client and the server. Check with the provider what value to use — different versions of CCcam interpret it differently.
Is it necessary to restart CCcam after editing the config?
Yes, definitely. CCcam reads CCcam.cfg only once at startup. Changes to the file are not applied on the fly — a full restart of the daemon is needed through the firmware panel or by restarting the service command. On Enigma2, this is usually done through the plugin menu or the Restart button in the CCcam interface.
Connection ONLINE, but channels do not open — why?
The ONLINE status only means a network connection to the server, not the availability of the necessary keys. Open the share-list via the web interface on port 16001 and check if your channel's CAID is there. If the required CAID is not in the share-list — the server simply does not have access to this package, and no changes in the config will help here.
What is the difference between the C: line and the F: line?
C: — client line: it connects your receiver to someone else's server and requests keys from it.F: — server line: it creates accounts that other clients can connect to you. The uphops and downhops parameters in the F: line set the depth of sharing — how many levels of the chain the client can "see" through your server.
What port to use for CCcam?
The server listening port is set by the directiveSERVER LISTEN PORT in the config. Historically, port 12000 is popular, the web interface by default operates on 16001, telnet — on 16000. Agree on the specific port for connection as a client with the server owner — it is specified in the C: line of your cccam config.
Practical checklist for smooth viewing
Even the best CCCam or OSCam line needs two or three simple preparations. Update your receiver firmware, reset the ECM cache once a week and keep 15–20% free space on the USB stick or internal flash so that the reader can store keys without delays.
When tuning a dish, aim for MER/BER reserve: a two‑degree offset or a loose F‑connector often causes the “freezing” that users blame on cardsharing. Keep a short patch cord to test alternative routers, and save two profiles in OSCam — one for TCP, one for UDP — so you can switch instantly if your ISP starts filtering a protocol.
Utgard.tv monitors each hub 24/7, but you can speed up diagnostics by keeping a short log of your receiver actions. Note the time when you changed the channel, which CAID was active and whether you used Wi‑Fi or Ethernet. This tiny “journal” helps engineers reproduce your environment in the lab and return with a solution in minutes instead of hours.
- Keep two line slots enabled: if the first server hits a maintenance window, the second one instantly takes over without re-entering credentials.
- Run a monthly speed and latency test. Stable 1–2 Mbps with ping <80 ms is enough for SD/HD, but if jitter exceeds 20 ms, switch the router to wired mode.
- Save the Utgard.tv status page and Telegram bot @utgard_tv_bot to bookmarks — they publish maintenance notices before SEMrush or uptime monitors raise alerts.