S7 300 Modbus slave setup & test

I have looked through the other posts searching for “modbus S7”.

The following variants of the CP 341 communication processor are available:

CP 341-RS 232C 6ES7341-1AH02-0AE0 RS 232C interface
CP 341-20mA-TTY 6ES7341-1BH02-0AE0 20mA-TTY interface
CP 341-RS 422/485 6ES7341-1CH02-0AE0 X27 (RS 422/485) interface


I am using the following items:
1) CP 341-RS 232C 6ES7341-1AH02-0AE0 (slave mode, no dongle)
2) 313C S7 PLC
3) Dell laptop with WinCC and S7
4) Straight through 9 conductor DB9 serial cable with null modem.

I am using the example given in the new examples loaded with the software CD that comes with the com module.
C:\Program Files\Siemens\Step7\EXAMPLES\zXX21_01_PtP_Com_CP3x

I copied these blocks and source code and edited the hardware config to match my PLC and set the com port on the PC to match the com module on the PLC.

9600 8,n,1,even (the parameter setup in the PLC module is all in German for some reason while everything else is in English.)

I found this PDF instruction to be amazing. So clear and well documented.

CP 341 - First Steps in Commissioning
Getting Started, 09/2008, A5E02291899-01 5

At the end of this beautiful setup instruction, I should have some communication.

But I do not.

I loaded the example. I feel I understand the example (even though it could be simplified)

But no go.

What is so bad about this is, I have no idea what question to ask.

Can I use WinCC and my Laptop PC as a simple modbus master? I was thinking of using a simple HMI screen with runtime WinCC to test some data display from the PLC instead of using “terminal”.

I found the pin out in the documentation. It seems like a null modem should work here.

I deleted everything and started over several times.

I must be missing something.

Is it common practice in STL to move parameters into a FC through a DB as in the example? Looks like it would be easier to just put the variable after the equal sign directly.

Original example code:

L 256 //LADDR
T "SEND WORK DB".P_SND_RK_WORK_LADDR

L 42 //DB_NO
T "SEND WORK DB".P_SND_RK_WORK_DB_NO
T "SEND SRC DB".P_SND_RK_DB_NO

L 0 //DBB_NO
T "SEND WORK DB".P_SND_RK_WORK_DBB_NO
T "SEND SRC DB".P_SND_RK_DBB_NO

L 115
T "SEND WORK DB".P_SND_RK_WORK_LEN //LEN
T "SEND SRC DB".P_SND_RK_LEN //LEN
CALL "RECV"

// ------------------------
// SEND with Instance-DB
// ------------------------
CALL "P_SND_RK" , "SEND IDB"
SF :='S'
REQ :="SEND WORK DB".P_SND_RK_REQ
R :="SEND WORK DB".P_SND_RK_R
LADDR :="SEND WORK DB".P_SND_RK_WORK_LADDR
DB_NO :="SEND WORK DB".P_SND_RK_WORK_DB_NO
DBB_NO :="SEND WORK DB".P_SND_RK_WORK_DBB_NO
LEN :="SEND WORK DB".P_SND_RK_WORK_LEN
R_CPU_NO:=
R_TYP :=
R_NO :=
R_OFFSET:=
R_CF_BYT:=
R_CF_BIT:=
DONE :="SEND WORK DB".P_SND_RK_DONE
ERROR :="SEND WORK DB".P_SND_RK_ERROR
STATUS :="SEND WORK DB".P_SND_RK_WORK_STATUS

Wow. For a guy with your user name, you've provided a professional's wealth of information, not at all typical New Guy stuff.

>Can I use WinCC and my Laptop PC as a simple modbus master?

I'm S7/Siemens ignorant. So I can't help with WinCC issues.

But I can suggest that you use a generic Modbus Master utility program, like Modscan 32 (published by Win-tech product)
http://www.win-tech.com/html/modscan32.htm
Although it is share ware, it has a free-use trial period.

Using Modscan can indicate whether or not you make a make a connection, or get a timeout to a query.

Dan

"What do you mean it doesn't work?"

I have 3 or 4 different modbus master emulators now from the posts I have read here.

Modbus Poll
CAS Modbus RTU PArser
SuperMon serial
ModBus tester
and
Modscan32

I apreciate your contribution.

They all give no information. Of course I have not taken the 3 hours each to go through each one and make sure they work and that I have all the checks in the right place either. At some point you have to focus on the core issue and stop trying to fix the tools.

I have not had any indication that any communication has ever taken place, so it is entirely probable that all these tools work and they are indicating that no communication exists. And maybe they are right.

When I use a volt tester to check for 480 volts and it reads 480VAC, I assume there is 480 volts AC there, when it read zero VAC, I assume there is 480 VAC there until I can verify by some means other than touching the shiney parts. It is a test that can only be believed if it shows a positive.

And so it is with the modbus testers.

If one read something and another did not, I would think maybe there is some comms.

Even as they all read no comms, it is possible I have not used them properly.

Or I have some bit not set somewhere in some menu of S7. Which I see as very likely.

I would love to have a Siemens rep sit here and set this up by the instruction guide, while I ask questions and watch. Or at least test what I have and tell me where I messed up.(The file is just a few K too big to upload here as an attachment.)

Reading any S7 documentation seems geared toward everything working perfectly the first time. If your experience defers from this path there is no advice.

"How could it not work?"

I also enjoy watching the local IT guy press the same buttons I just pressed as if it matters who pressed the button. And then the standard question comes up "What did you do to it?". As if they have never seen a PC do something unexplainable. If it was simple I would have fixed it already.

This is the same way I feel when talking to Siemens techs. "How could that not work?"

I thought RSLinx was bad.

Someone in a post here said "Setting up S7 with modbus can be tricky....."

Yep. OK now what.

I'm calling the Siemens people tomorrow. I just wanted to explore all directions and try to figure out what the question is before I call them.

I tend to do alot of short term work, so everywhere I go I'm "the new guy". So I kept it.

I have only used S7 for about a year, so there is an ocean of information to absorb.

We are all new at something I guess.

I also see the value of posting this experience and updating with my eventual success for all those who have trouble later or for when I forget and have to do it again 3 years from now.

dahnuguy said:

9600 8,n,1,even (the parameter setup in the PLC module is all in German for some reason while everything else is in English.)

Click to expand...

In the expression 8,n,1, the n represents "No parity".
So you changed the setup on the both the PC and the S7 to
8,E,1: 8 data bits, Even Parity, 1 stop bit?

Dan

Have you checked what error status you are getting? In this example you are using, there is a variable table "CP 341 Protocol 3964" which lists some useful diagnostic variables.
The error vars being, DB40.DBW14 for Send status, and DB41.DBW14 for RCV status. These status's are the last error received by the functions. The errors are described in the Full CP341 Manual which you can download from the siemens website. Should have been on the CD aswell.
I have just set up Modbus Master on this card and it took a while to get going. Presently i'm coding for 16 slaves which is almost a nightmare but thats another thread. The status variables have been a godsend.

check out the minimum needed for Modscan32:

1) click on connection > Connect



2) to bring up the Connection Details dialogue box:


3) If your serial port is not COM 1 or COM 1 is not showing, bring up the pop-up menu of connection ports:


Select the word size (8 bits for Modbus RTU, 7 bits for ASCII), parity and 1 stop bit. These settings MUST match on the PLC's Modbus serial port.

4) At the bottom of the connection Details dialogue box is the Protocol Selections button, which brings up the Protocols page. Check to confirm that the correct protocol is selected.



5) OK your way out of connections, back to the main screen.



Select the Modbus command for the type of read/write action (I think it's easier to start with a read of a known value).

Most slaves put integer and floating point (real) reads in the 4xxxx memory which uses command 03 for a read.

6) Where it says 'Device Id' put in the slave's address, a value that is configured in the slave's setup. The number 1 is a good place to start. Many slaves default to 1.

7) Where it says 'Length' I use a value much smaller than the default value 100, like 2 or 4, because what comes back is that number of registers, and if I'm setting up and looking for a specific value from a specific register, I don't want all the 'noise' of 100 registers on the page.

8) Where it says 'Address', put in the Modbus register you expect to read, minus the memory allocator, the 4 in 4xxxx or 3 in 3xxxx or 1 in 1xxxx. Just enter the xxxx part in decimal (base 10), which of course, might require conversion from a documented location given in hex (base 16).

For instance, to read register 40013, enter 0013 in 'Address'.

9) Select the data format in which the data will be displayed in Modscan, for instance hex, decimal, integer or floating point from the icons in the second row toolbar, the toolbar above the window title bar that says 'Modsca1'.

In the image below, the 'decimal' button, second from the left is depressed. The Help > Help Topics > Tool and Status Bars > Format Selections page provides definitions.




10) When you're done, go back to connect:


click disconnect, then connect, and see if you get a
message indicating no connection or a Modbus exception error.

11) Remember that the PC is a serial DTE,
with Rx on pin 2; and Tx on pin 3 on the PC.

Dan

danw said:

In the expression 8,n,1, the n represents "No parity".
So you changed the setup on the both the PC and the S7 to
8,E,1: 8 data bits, Even Parity, 1 stop bit?

Dan

Click to expand...

Yes I tried it both ways.

And I found in the Siemens website that the newest update to the software fixes the parameter screen so it matches the language of the rest of the software.

http://support.automation.siemens.c...objaction=csopen&extranet=standard&viewreg=WW

Thanks for the details on Modscan32.

As I recall I did go through the screens as you have described, but I used ASCII instead of RTU and then was interupted before I could try it again the other way. (Set both the PLC and Modscan32 to same settings)

The address of the memory for modbus is a bit cloudy at this point. I need to study this area more.

As I understand the example, it writes to DB42 line "0.0" and writes "115" variables.

L 256 //LADDR
T "SEND WORK DB".P_SND_RK_WORK_LADDR

L 42 //DB_NO
T "SEND WORK DB".P_SND_RK_WORK_DB_NO
T "SEND SRC DB".P_SND_RK_DB_NO

L 0 //DBB_NO
T "SEND WORK DB".P_SND_RK_WORK_DBB_NO
T "SEND SRC DB".P_SND_RK_DBB_NO

L 115
T "SEND WORK DB".P_SND_RK_WORK_LEN //LEN
T "SEND SRC DB".P_SND_RK_LEN //LEN
CALL "RECV"

// ------------------------
// SEND with Instance-DB
// ------------------------
CALL "P_SND_RK" , "SEND IDB"
SF :='S'
REQ :="SEND WORK DB".P_SND_RK_REQ
R :="SEND WORK DB".P_SND_RK_R
LADDR :="SEND WORK DB".P_SND_RK_WORK_LADDR
DB_NO :="SEND WORK DB".P_SND_RK_WORK_DB_NO
DBB_NO :="SEND WORK DB".P_SND_RK_WORK_DBB_NO
LEN :="SEND WORK DB".P_SND_RK_WORK_LEN
R_CPU_NO:=
R_TYP :=
R_NO :=
R_OFFSET:=
R_CF_BYT:=
R_CF_BIT:=
DONE :="SEND WORK DB".P_SND_RK_DONE
ERROR :="SEND WORK DB".P_SND_RK_ERROR
STATUS :="SEND WORK DB".P_SND_RK_WORK_STATUS


I do not find a place to set the slave address.

I have read in several places to set the slave address or to send from the master to the slave address, but not how or where to set the slave address.

I probably overlooked this detail somewhere.

At home right now, but will use this new information in the morning.

Thanks again.

richyr32gtr said:

Have you checked what error status you are getting? In this example you are using, there is a variable table "CP 341 Protocol 3964" which lists some useful diagnostic variables.
The error vars being, DB40.DBW14 for Send status, and DB41.DBW14 for RCV status. These status's are the last error received by the functions. The errors are described in the Full CP341 Manual which you can download from the siemens website. Should have been on the CD aswell.
I have just set up Modbus Master on this card and it took a while to get going. Presently i'm coding for 16 slaves which is almost a nightmare but thats another thread. The status variables have been a godsend.

Click to expand...

I opened the VAT but it looked as if there was no activity at all.

I will look again in the morning and post a screen shot of what I see.

The PLC responds the way I would expect a unit in Stop mode to respond. It is in RUN with no fault however.

I will study this area in more detail, thank you.

I have noticed you mentioned you are running the CP341 as a slave. I have set up a CP441 as slave and the only information that was required in the S7 was the parameters in the hardware setup. The way you are trying to do this seems to be as if the CP341 were a master. P_SND_RK and P_RCV_RK are used when the CP is master
Can anyone else comment?

dahnuguy said:

As I recall I did go through the screens as you have described, but I used ASCII instead of RTU and then was interupted before I could try it again the other way.

Click to expand...

dahnuguy said:

The address of the memory for modbus is a bit cloudy at this point. (snip) I do not find a place to set the slave address.

I have read in several places to set the slave address or to send from the master to the slave address, but not how or where to set the slave address.

Click to expand...

From the Getting Started Guide, page 6:



Note the slave address in hexadecimal, how convenient, how Teutonic.

It isn't clear to me whether this CP341 Getting Started refers to Modbus at all, given that their suggestion to select ASCII is in direct violation of the Modbus Protocol Standard, which specifies 7 data bits for Modbus ASCII.

But I suspect that giving an address to a hardware module address makes sense.

What other protocol choices are available?

Dan

Does that CP 341 have Modbus RTU drivers? Apparently protocol drivers are loaded into Siemens comm modules, according to chit chat on the Siemens services forum site:

http://support.automation.siemens.c...lib.csinfo&lang=en&objid=17854293&caller=view

partial statements:


Instructions:
You can also download other transfer protocols to the serial CP in addition to the default protocols in order to extend functions and adapt the CP341 to the communication partner.

The following basic requirements must be fulfilled in order to retroload drivers into a CP 341.

• An installed version of STEP 7 Basis V4.02 or higher.
• An installed version of the configuration software CP PtP Param V4.1 or higher. You can download the configuration software CP PtP Param free of charge in Entry ID: 27013524.
• The dongle that comes with the driver must be plugged in the back of the serial CP.

<snip>

More information:

More information on loadable drivers for the serial CPs is available in the following manuals:

• "Loadable Drivers for PtP CPs; MODBUS Protocol RTU Format
  S7 is Slave" in Entry ID: 1218007.
• "Loadable Drivers for PtP CPs; MODBUS Protocol RTU Format
  S7 is Master" in Entry ID: 1220184.

Downloads

• Loadable driver "Modbus Master (RTU)" V3.1 SP4 can be downloaded in Entry ID: 27774018.
• Loadable driver "Modbus Slave (RTU)" V3.1 SP5 can be downloaded in Entry ID: 27774276.

Dan

Having the correct manual might help. The manual specific to Modbus communications appears to be


http://support.automation.siemens.c...tandard&viewreg=WW&objid=10805179&treeLang=en

Position in the System Environment
​

Function of the Driver
​

​

Function codes 01, 02, 03, 04, 05, 06, 08, 15 and 16 can be used for communication between the CP and the master system.​

Interpretation of the MODBUS Addresses
​

​

this may be too blatantly obvious to ask, but did you try to flip the 2 communication wires to your controller?

-Mike

mpiotro said:

this may be too blatantly obvious to ask, but did you try to flip the 2 communication wires to your controller?

-Mike

Click to expand...

using straight cable with null modem, from first post.

Have TXD and RXD flashing.