Newcamd line: configuration and connection in OScam 2026

If you are encountering the newcamd protocol for the first time, you have likely been sent a line likeCWS = hostname 15000 user pass 01 02 03 04 05 06 07 08 09 10 11 12 13 14 and expect that you will figure out what to do with it. This article breaks down the newcamd line format by fields, shows how to write a reader in OScam and CCcam, and explains why the connection may be ONLINE but the channels still do not open.

What is a newcamd line and what does it consist of

Newcamd is a card sharing protocol that transmits control words (CW) over TCP with DES encryption. The client connects to the server, authenticates via username/password and a 14-byte key, after which it sends ECM requests and receives decrypted CW in response. The channel itself is decrypted on the receiver.

The protocol was developed as an improvement over camd3 — hence the prefix "new". It operates over TCP, the connection is persistent, and keepalive is supported.

Newcamd protocol: purpose and default port (TCP 15000)

The standard port is TCP 15000. This is a historically established value used by most servers, but nothing prevents the administrator from running the daemon on 10000, 20000, or any other port. The port is always explicitly stated in the second position of the line — blindly trusting the default is not advisable.

Encryption in newcamd is two-layered: authentication is done via 3DES with a 14-byte key, and the traffic after login is protected by the same key. This distinguishes the protocol from CCcam, where the authorization is fundamentally different.

Breakdown of the line format: CWS = host port user pass DES-key

The canonical format of a newcamd line looks like this:

CWS = hostname 15000 username password 01 02 03 04 05 06 07 08 09 10 11 12 13 14

Breakdown by positions:

• hostname — IP address or domain name of the server
• 15000 — TCP port (set by the server)
• username — login
• password — password
• 01 02 … 14 — 14 bytes of the DES key in hex, separated by spaces

Spaces between fields can be single or multiple — parsers handle this normally. However, the order of fields cannot be changed.

What is a 14-byte DES key and why is it needed

14 hex bytes are the key for 3DES encryption, which protects the connection during the handshake and authentication phase. It must be identical on the server and client down to the last byte. A discrepancy in even one byte will result in the server denying authorization with the error "login failed."

It is common to encounter several variations of writing the same key. Bytes can be separated by spaces (01 02 03), by colons (01:02:03) or concatenated (010203). OScam accepts all three variations, but CCcam.cfg requires spaces. If you copied the key with colons, replace them with spaces before pasting into CCcam.

The case of letters in hex (a-f vs A-F) does not matter — both variations are correct.

Configuring the newcamd reader in OScam

OScam stores the description of each connection to an external server in a file/etc/oscam/oscam.server. On some firmware (Enigma2 with OpenPLi, DreamElite) the path is —/var/etc/oscam.server, and on Armbian/x86 builds —/etc/oscam/oscam.server. Before editing, check withps aux | grep oscam, with which-c the daemon is running.

The [reader] section in oscam.server: protocol = newcamd

Minimal working block for one newcamd line:

[reader]

Note: the fielddevice accepts host and port separated by a comma without a space. This is not a typo — a space here will break the parser.

The fieldkey — DES key without separators, 28 hex characters (14 bytes × 2). If in the original line the bytes were separated by spaces (01 02 03 ...), just remove the spaces.

The parameters device, key, user, password, group

group — the group number to which the reader belongs. In the fileoscam.user each user has a parametergroup, and the reader will only be used for those users whose groups intersect with the reader's group. The standard practice is group 1 for everything.

If you need to limit the reader to a specific CAID (for example, only 0x0500 for Viaccess), add:

caid                  = 0500

The parameterident filters by provider ID within CAID. This is convenient when the source provides multiple packages, and you only need one — without the filter OScam will chase ECM across all providers and get "not found" for the extras.

Check the reader status via the web interface (port 8888)

After restarting OScam (systemctl restart oscam or/etc/init.d/oscam restart) open WebIF in the browser:http://<ip-receiver>:8888. The port is configured inoscam.conf in the section[webif] with the parameterhttpport = 8888.

On the "Readers" tab, you will see the status:ONLINE — connection established,connecting — still trying to connect,OFFLINE — connection failed with an error. Next to each reader, the last ECM time in milliseconds is displayed — a good indicator of the stability of the source.

If you read the logs directly, look for lines like:

reader my_newcamd: ONLINE, caid: 0500, ecm time 280ms

Using newcamd line in CCcam and other card sharing

The data itself — host, port, username, password, DES key — is the same for any client. Only the syntax of the config changes. If you have a working newcamd line, transferring it to CCcam takes just a minute.

Line N: in CCcam.cfg and the order of parameters

In the file/etc/CCcam.cfg the newcamd line is written using the directiveN::

N: hostname 15000 username password 01 02 03 04 05 06 07 08 09 10 11 12 13 14

The order of fields is the same as in the CWS format. Only instead ofCWS = at the beginning, it isN:. The DES key here is mandatory with spaces — CCcam does not accept a continuous entry or colons.

Conversion between CWS and N formats:

The conversion is trivial:

Format	Example
CWS (mgcamd/OScam)	CWS = host 15000 user pass 01 02 ... 14
N: (CCcam)	N: host 15000 user pass 01 02 ... 14

Essentially — you change the prefix. The data is identical. The order of DES bytes is the same in all formats: always from left to right from the first byte to the fourteenth.

Features of mgcamd: file newcamd.list / cardserver

In mgcamd, connections to newcamd servers are specified in the filenewcamd.list, which is usually located in/var/keys/newcamd.list or/etc/newcamd.list depending on the firmware.

The format is the same CWS:

CWS = hostname 15000 username password 01 02 03 04 05 06 07 08 09 10 11 12 13 14

After editing, mgcamd needs to be restarted — it reads the file at startup. On Enigma2, this is done through the plugin manager or the commandkillall -9 mgcamd&& mgcamd& from ssh.

One nuance: mgcamd does not support multiple CWS lines for one CAID with automatic fallback as flexibly as OScam. If prioritization is needed, OScam with multiple readers and the parameterlb_weight is the best choice.

Diagnostics and troubleshooting common errors

Most problems with newcamd fall into three categories: not connecting at all, connecting but not decoding, decoding with interruptions. Let's break down each one.

Reader connecting / login failed: incorrect login, password, or deskey

Status "connecting" does not change for several minutes — means TCP connection is not being established. Check basic availability:

telnet hostname 15000

If telnet hangs or returns "Connection refused" — the port is unavailable. Reasons: firewall on the server or in transit, incorrect IP/domain, server is down. If the connection is established but the reader immediately goes to reconnect — this is already "login failed."

“Login failed” is almost always one of three: typo in login or password, mismatch of the DES key, or the server uses a different version of the protocol. Check the key byte by byte. Often, when copying and pasting, the last byte is lost or a space is added at the end of the password line.

Another trap — a domain instead of an IP that does not resolve. If the receiver works without the internet or the DNS server is not specified, OScam cannot resolve the hostname and shows "connecting" without an explicit DNS error. Check:nslookup hostname directly on the receiver. If it does not resolve — enter the IP directly or specify the DNS in/etc/resolv.conf.

Connection exists, but channels do not open (no required caid/ident)

Reader ONLINE, but a specific channel does not open — check the logs. Enable debugging through WebIF (tab "Log", level 255) or run OScam with the flag:

oscam -d 255 -c /etc/oscam

In the log, look for lines withecm and response coderc:

• rc=0 — found, CW received, everything is fine
• rc=4 — not found, the server does not have the required card/CAID
• rc=5 — timeout, the server did not respond in the allotted time
• rc=7 — no card, the card is not inserted or unavailable

If you seerc=4 — the source does not have the required package. Ifrc=5 — either the server is overloaded, or the ping is too high, or the user limit has been exceeded.

With rc=4, check if you have configuredcaid andident in the reader correctly. Sometimes the server returns CAID 0x0D00 (Cryptoworks), while the receiver sends a request for 0x0D02 — these are different provider IDs. Clarify the exact ident with the provider.

Reading OScam logs: debug level and filtering by reader

The full log at level 255 is a sea of text. Filter by the reader name:

tail -f /tmp/oscam.log | grep "my_newcamd"

Or through WebIF: enter the reader name in the log search line — you will get only its lines.

Useful patterns for searching:ecm hash (shows the processing of each ECM request),rc= (response codes),ONLINE/OFFLINE (change of reader state). The combination of rc=0 + ecm time under 300ms indicates that the reader is working normally.

If you need to compare several readers with the same CAID, enable the load balancer inoscam.conf:

[lb]

OScam will automatically select the reader with the best response time. The priority between readers in the same group is regulated by thelb_weight parameter in the section[reader] — a higher value means a higher priority.

How to choose a reliable source for newcamd line

Technically competent configuration is half the battle. The other half is the quality of the source itself. By analyzing OScam logs, you can objectively evaluate any server in a few hours.

Stability criteria: uptime, ping to the server, local cards

The main parameter is ECM time. Good value: 100–350 ms. Acceptable: up to 500 ms. At 800+ ms, pauses will be noticeable when switching channels. Look not at the average, but at the spread: if ECM time jumps from 100 to 2000 ms — the server is overloaded or unstable.

The geographical proximity of the server directly affects the ping. If the source is on another continent, the base RTT is already 150–200 ms, and even with an ideal server, ECM time will be high. Check the ping to the host:ping -c 10 hostname.

Local card vs reshare — a fundamental difference. A local card provides predictable ECM time and rc=0. Reshare (a card from another server) adds another hop and dependence on the upstream. If the provider does not specify — you can indirectly check the stability of ECM time: reshare usually gives a higher spread.

Signs of a problematic source

Red flags in the logs:

• Frequent transitions ONLINE → connecting → ONLINE — unstable connection or server overload
• rc=5 (timeout) more than 5% of the total number of ECM — the server cannot handle the load
• ECM time above 800 ms systematically, not just once
• Disconnects every 30–60 minutes — often a sign that you are being "rotated" on an overloaded server

If you see these patterns in the first 24 hours of use — the source is problematic. Don't wait for it to "fix itself."

Testing period and checking before long-term use

A reasonable approach: test for at least 24–48 hours with logging before paying for a long period. During this time, OScam will accumulate enough statistics — look at the average and maximum ECM time, percentage of rc=0 vs rc=4/5, number of reconnects.

In WebIF on the "Readers" tab, there is a column "answered" — it shows how many ECM requests the reader answered successfully. Divide by the total number of ECM — you get the real success rate for your specific package.

Check during prime time (evening hours) — this is when servers experience maximum load and problematic sources manifest themselves.