OScam: setting up a card sharing server from scratch (2026)

If you have already installed OScam on your receiver or Linux box and are now looking at empty configs — this article is for you. Setting up OScam from scratch can be overwhelming due to the number of parameters, but in practice, a working configuration fits into four files. Here I will break down each of them with real examples, show the reader→user connection, and explain why it breaks most often.

What is OScam and what files make up the configuration

OScam is an open-source softcam that can work both as a card sharing server and as a client, and as a proxy between multiple sources. It reads ECM requests from the tuner, sends them to the card or remote server, receives CW, and returns it to the decoder. All of this is done through a set of text configs.

Purpose of the main config files

The minimum set for operation consists of five files:

  • oscam.conf — global settings: logs, web interface, dvbapi
  • oscam.server — readers (physical cards and network connections)
  • oscam.user — client accounts that connect to your server
  • oscam.services — filtering by CAID and SID (optional)
  • oscam.dvbapi — decryption rules for the local decoder

All files are plain text in INI format. Sections are denoted by square brackets:[reader],[account],[global]. There should be no extra spaces around the equal sign — the OScam parser is sensitive to this.

Where the configs are located: /etc/tuxbox/config and /var/keys

Standard paths depend on the distribution. On Enigma2 receivers, it is usually/etc/tuxbox/config/oscam/. On Debian/Ubuntu — more often/etc/oscam/ or/usr/local/etc/oscam/. In some builds, you may find/var/keys/.

The path to the folder with configs is set by the key-c when starting the daemon:

oscam -c /etc/tuxbox/config/oscam -b

If you are starting via systemd or init script — check what path is specified there. A common mistake: OScam configuration is done in one folder, but the daemon looks in another.

File permissions and encoding

Configuration files must be readable by the user under which OScam is running. Usually, it is enough to setchmod 640 and the owner to root:oscam. If OScam is running as root — it doesn't matter at all.

Encoding — UTF-8 without BOM. Files saved in Windows Notepad in "UTF-8 with BOM" mode are not parsed — OScam sees garbage characters at the beginning of the first line and crashes on startup. The same goes for CRLF line endings: if you edited the config in Windows, run it throughdos2unix oscam.conf before starting.

Basic configuration of oscam.conf and web interface

Let's start with the main file. OScam configuration always begins withoscam.conf — without it, the daemon does not start at all. Below is the working minimum.

Section [global] and logging

[global]

maxlogsize in kilobytes — 500 is enough for diagnostics, the log will not grow to a gigabyte.nice = -1 gives the process a slightly higher priority.preferlocalcards = 1 tells OScam to try local cards first, and only then go to the network — makes sense if you have a physical card in the reader.

Section [webif]: port 8888 and access to status

[webif]

The web interface is available athttp://192.168.1.X:8888 — this is the main diagnostic tool. The tabStatus shows active connections,Readers — the status of cards and network readers,Users — who is connected and what is being decoded. Without this, you will be working blind.

httpallowed — make sure to restrict by IP. Leaving the web interface open to the entire internet without restrictions is a bad idea.

Section [dvbapi] for local decoding

If OScam is running directly on the receiver with Enigma2 and needs to decrypt channels locally through the dvbapi daemon:

[dvbapi]

pmt_mode — a frequent source of problems. On some Enigma2 builds, you need to setpmt_mode = 4 instead of 0, otherwise dvbapi does not pick up the PMT and channels are not decrypted, even though the reader seems to be working. Try both values.user must match the account inoscam.user.

Reader configuration in oscam.server: card and network protocols

Fileoscam.server describes the key sources. One block[reader] — one source. It can be a physical card, a newcamd server, or a cccam server.

Local smart card reader (protocol=internal/mp35)

[reader]

device — path to the smart card reader. On Dreambox, this is/dev/sci0 or/dev/sci1, on some other receivers/dev/ttyUSB0 (for external USB readers).mhz andcardmhz — clock frequency in tenths of MHz. The value 357 = 3.57 MHz, standard for most cards. If the card does not initialize — try 600 (6 MHz). A mismatch of these parameters with the actual card results in an ATR error during initialization.

Network reader newcamd (port and DES key)

[reader]

DES key — exactly 28 hex characters (14 bytes). This is one of the most common mistakes: people insert 32 characters (16 bytes) or 24 (12 bytes), OScam either does not start or the connection is established, but CW is not decrypted. The server and client must use the identical key.

Indevice — IP and port separated by a comma without spaces.

Connecting to the server via cccam protocol

[reader]

cccversion — version of the CCcam protocol. A version mismatch with the server causes the connection to drop immediately after the handshake. If the server is running on CCcam 2.2.1 and you specified 2.3.0 — the connection may not be established. Check the version with the provider or try 2.2.1, 2.3.0, and 2.0.11 in turn.cccmaxhops = 1 limits the depth of cards — the smaller, the faster the ECM.

Parameters group, caid, ident, and services

Parametergroup — is the link between the reader and the user. If the reader is in group 2, and the user inoscam.user specified withgroup = 1 — it will never receive CW from this reader. There will be no errors in the log, just "not found". This is the most common reason for "everything is set up, but it doesn't work".

caid filters requests by conditional access system.ident specifies down to the provider (format CAID:ProviderID). For example,caid = 1810:000000. If an incorrect ident is specified, the reader will ignore requests for this package.

Distributing to clients through oscam.user and checking functionality

After the readers are configured and OScam sees the card — you can add clients. All of this inoscam.user.

Creating a user and password

[account]

group here — the list of reader groups that the user has access to. Specify them separated by commas.uniq = 1 means that only one client can be connected with one login at the same time — the next will kick out the previous one. The valueuniq = 4 disables the lock.au = 1 enables auto-updating of EMM keys for this user.

Restrictions by group, caid, and number of connections

You can additionally restrict the user by CAID:

[account]

maxconnections = 1 strictly limits simultaneous sessions.caid here — a filter at the user level, they can only view the specified systems, even if the reader is open wider.

Checking through the web interface and oscam.log

In the web interface (port 8888), the active user line shows ECM time in milliseconds. The norm is up to 500–600 ms. If you see 1500+ ms — the reader is slow or the network delay to the server is high.

In the log, the necessary lines look like this:

2026/06/03 12:35:22 c client1 (192.168.1.5) ECM 0500/000000/1234 1 ms - FOUND (ecm time: 87ms)

FOUND — everything is good. NOT FOUND — no card or groups do not match. TIMEOUT — the reader did not respond in the allotted time.

Troubleshooting typical connection and decoding errors

Let's analyze what actually breaks and how to fix it.

The server does not start: config parsing errors

The first step is to run OScam in the foreground with detailed logging:

oscam -c /etc/tuxbox/config/oscam -b -d 255 2>&1 | tee /tmp/oscam_debug.log

Flag-b runs in the background,-d 255 — maximum debug level. Remove-b to see the output directly in the terminal. Parsing errors look likeERROR: error in oscam.server line 12 — by the line number you can immediately find the problem.

If the config was edited in Windows — first make sure todos2unix. BOM at the beginning of the file gives a mysterious error "unknown section" in the first section.

Another reason: port conflict. If two instances of OScam are running simultaneously — the second will not be able to occupy httpport 8888 and will crash. Check viass -tlnp | grep 8888.

Client online, but no picture (CW not found)

The diagnostic algorithm is simple:

  1. In the web interface: Readers → check the status of the reader. If "not connected" — the problem is at the reader level, not the user.
  2. Checkgroup of the reader andgroup of the user — they must intersect.
  3. Checkcaid in both places — if the reader specifiescaid = 1810, but the client sends ECM to CAID 0500 — the reader will ignore the request.
  4. Look in the log for lines with "rejected" — they will tell the reason.

High ECM time and timeouts

ECM time above 800–1000 ms — bad, the picture will freeze. Reasons:

  • High ping to the server (check viaping server.example.com)
  • Overloaded server — too many clients on one card
  • Too largecccmaxhops — the card passes through several intermediate servers
  • Slow physical card — some cards respond with 300–400 ms by themselves

Timeouts with normal ping most often indicate server overload or a poor internet connection with packet loss. The commandnc -zv server.example.com 15050 will check if the port is accessible at all.

Problems with permissions on /dev and the smart card

If the card does not initialize — check the ATR in the log:

2026/06/03 10:12:01 r local_card ATR: 3B 9F 21 0E ...

If there is no ATR line at all — OScam cannot open the device. Check permissions:ls -la /dev/sci0. If the user oscam is not in the groupvideo ordialout — add viausermod -aG video oscam.

Invalidcardmhz gives ATR in the log, but then an initialization error. Try values 357, 368, 600 — it depends on the specific card and reader.

How to choose a quality source without being tied to a specific provider

Here without advertising. Just technical criteria that really distinguish a normal source from junk.

Objective criteria for stability

The main parameter — ECM time. A stable source gives 50–300 ms on a normal communication channel. If you see jumps from 100 to 2000 ms in the OScam status — the server is overloaded or has problems with the channel to the card.

The percentage of freeze is directly related to ECM time. If ECM time is consistently below 500 ms and hops = 1 — there will be almost no freezes. Each extra hop adds 100–300 ms of delay.

Uptime. A serious source has an uptime of 99%+ and backup lines in case the main server goes down. Ask about backup lines before subscribing.

Technical signs of a reliable connection

In the OScam web interface (Readers tab), a good reader's metrics look something like this:

  • Status: connected
  • ECM: stable values, variation no more than 2–3x from the minimum
  • Not found %: less than 1–2%
  • Timeout %: zero or ones

If "not found" is above 5% — either not all necessary CAIDs are covered, or the server does not always manage to respond. If timeout is above 1–2% — there is a serious problem with channel stability.

Red flags when choosing

Several signs after which I would not continue:

  • No test access. Any normal source provides 24–48 hours of testing. Without testing — a cat in a bag.
  • Promises ECM time of 10–20 ms. Physically impossible for a remote server over the internet. 50–100 ms is the real minimum.
  • Unstable pings to the server. Check throughping -c 100 server.example.com — losses above 1% are already a bad sign.
  • One server without a backup. If the main line is down — that's it, there's nothing to see.

And finally: using card sharing to watch paid channels without a subscription is illegal in most countries. The responsibility for this lies with the user. This article describes the technical side of oscam configuration for educational purposes.

Frequently asked questions

What port does the OScam web interface use by default?

The default port is 8888, set by the parameterhttpport = 8888 in the section[webif] of the oscam.conf file. The port can be changed to any free one. Access by IP is restricted throughhttpallowed = 192.168.1.0/24 — make sure to configure this if the server is connected to the internet.

What is the difference between the newcamd and cccam protocols in oscam.server?

Newcamd is a classic protocol with a fixed DES key and one CAID per connection. Usually, there is one card per port on the server. CCcam supports multiple cards through one connection, automatically transmits information about available CAIDs, and works with hops — chains of servers. In oscam.server, they are described by different fields: newcamd requireskey (28 hex), cccam —cccversion andcccmaxhops.

Why does the client connect, but the image is not decrypted?

The most common reason is a mismatch of thegroup parameter between the reader in oscam.server and the user in oscam.user. The second most frequent reason is an incorrectcaid orident. Check the log for "NOT FOUND" lines — if they exist, the reader is working but cannot find the required card or ignores the request due to a filter. Also, check the status of the reader in the web interface: the Readers tab will show whether it is connected at all.

How many characters should be in the DES key for newcamd?

Exactly 28 hexadecimal characters — this is 14 bytes. Any other number of characters will cause OScam to either not start with a parsing error or the connection will be established, but CW will not be decrypted. The key on the server and client must be identical.

Where are the OScam configuration files located?

It depends on the platform. On Enigma2 receivers, it is most often/etc/tuxbox/config/oscam/, on Debian/Ubuntu —/etc/oscam/ or/usr/local/etc/oscam/. The path is set by the parameter-c at startup:oscam -c /etc/tuxbox/config/oscam. To find out exactly which path the current daemon is using, check the init script or systemd unit file.

How to check the reason why OScam is not starting?

Run with the flags-d 255 (maximum debug) without the flag-b, to see the output in the terminal:oscam -c /etc/tuxbox/config/oscam -d 255. OScam will output the line numbers of the config where the error was found. Also, checktail -f /var/log/oscam.log — there, lines like "error in oscam.server line X" or "unknown section" immediately indicate the problem.

Practical checklist for smooth viewing

Even the best CCCam or OSCam line needs two or three simple preparations. Update your receiver firmware, reset the ECM cache once a week and keep 15–20% free space on the USB stick or internal flash so that the reader can store keys without delays.

When tuning a dish, aim for MER/BER reserve: a two‑degree offset or a loose F‑connector often causes the “freezing” that users blame on cardsharing. Keep a short patch cord to test alternative routers, and save two profiles in OSCam — one for TCP, one for UDP — so you can switch instantly if your ISP starts filtering a protocol.

Utgard.tv monitors each hub 24/7, but you can speed up diagnostics by keeping a short log of your receiver actions. Note the time when you changed the channel, which CAID was active and whether you used Wi‑Fi or Ethernet. This tiny “journal” helps engineers reproduce your environment in the lab and return with a solution in minutes instead of hours.

  • Keep two line slots enabled: if the first server hits a maintenance window, the second one instantly takes over without re-entering credentials.
  • Run a monthly speed and latency test. Stable 1–2 Mbps with ping <80 ms is enough for SD/HD, but if jitter exceeds 20 ms, switch the router to wired mode.
  • Save the Utgard.tv status page and Telegram bot @utgard_tv_bot to bookmarks — they publish maintenance notices before SEMrush or uptime monitors raise alerts.