Modbus adressing question

rQx

Lifetime Supporting Member
Join Date
Oct 2010
Location
Trelleborg
Posts
1,049
Hi!

We have a MicroLogix 1400 that is programmed to be readable to modbus tcp. This is working and I use for example adress 10001 to access coils and 40001 to access a register. I was learned that each table had 9999 values.

1-9999 output coil
10001-19999 input coil
30001-39999 input register
40001-49999 output register

Now we had a customer that wanted me to change our adressing so that it matched their standard modbus mapping. This is where my question arise.

They specified that they wanted to se:

PLC INPUTS at 1001 divided into 16 bits
PLC INPUTS at 1002 divided into 16 bits
PLC OUTPUTS at 0001 divided into 16 bits.
PLC OUTPUTS at 0002 divided into 16 bits.

This confuse me. In my world the adress should be 10001, 10002, 0001 and 0002? and that is a bit, not a word.

ALARM at 4001 divided into 16 bits ---- this make sense to me but not the address of 4001???

INTEGER at 4010 - also make sense but not the 4010 adress?

I'm no expert at all, what am I missing here?
I guess the adressing could be a typo, but the coils divided into 16 bits?

/Tim
 
Wikipedia article is just a bunch of BS.
The real modbus tcp standard is here: http://modbus.org/specs.php

Your best bet is to ask your client what equipment they have on the other end. They are obviously confused.

Or they are trying to trick you into doing their job. It's the job of the modbus tvp client (their equipment) to be set up so that they are reading the correct addresses from the modbus tcp server (the PLC) and interpret them correctly.


PS. The thing that might confuse you (and everyone else) is that addresses that start with 3 & 4 indicates that it's a register. But the register address in modbus tcp is a word. So address 30001 is actually not a request for address 30001 but rather a request for the first address of the input register type 3.

Traditionally modbus uses 1-9999 for addresses but since it's a word the represents the address you could use larger addresses as well. There are more confusion to add because the first address is actually 0 but it is named 1.

Connecting two devices over modbus tcp is usually something that requires some time to figure out what settings is needed in either end. Some vendors are confused about the purpose of the slave address with modbus tcp (it has no purpose for standard modbus devices) so that is a thing that might end up causing problems.

Expect problems and some tweaking when the manufacturer even couldn't be bothered to be a member of the modbus organization. Rockwell isn't a member btw.
 
Last edited:
First off, we don't know what your client means either. You need to ask them for clarification.

But to make sure you are speaking the same language, a brief tutorial is in order. Caveat: I only work with Modsoft/Proworx/Concept/Unity every few years, just enough to go through the pain, but not enough to be a pro. Take everything I say with lots of salt.

First off, Modicon addressing is either 5 or 6 characters, 00001 or 000001. The leading character ('0','1','3', or '4') are roughly the equivalent of "O:", "I:, or "N7" -- a file identifier; the remainder of the number is parsed to match whether the system is configured for 5 or 6 characters. 30001 is the same as 300001. Many of the addresses in your post are only 4 characters, making it hard to know exactly what you're tying to say. Use at least 5 characters in all your correspondence from here on out, and include the leading 0 if talking about the 00000 - 09999 bit registers.

They specified that they wanted to see:

PLC INPUTS at 1001 divided into 16 bits
PLC INPUTS at 1002 divided into 16 bits
PLC OUTPUTS at 0001 divided into 16 bits.
PLC OUTPUTS at 0002 divided into 16 bits.

As you correctly point out, 10001 is a bit address, and cannot be divided into 16 bits. Because "1001" is not a valid address, they could be that they are referring to 1001xx, and so what they are asking for is:

Map: I:0/0 to I:0/15 to 100101 to 100115
Map: I:1/0 to I:0/15 to 100201 to 100215
Map: O:2/0 to O:2/15 to 000101 to 000115
Map: O:3/0 to O:3/15 to 000201 to 000215

rather than I:0 & I:1 getting mapped to 100001 to 100032, etc.

But this is just a guess. ASK!

----

You are also correct that the 4000x is an unusual choice for registers. Typically in Modicon programming, the 0000x registers are used for internal coils, and you pick addresses outside the I/O range. Similarly, the 3000x addresses are used for internal integer & floating point math, HMI data and whatnot. IIRC, it is difficult to reference bits in 3000x and 4000x addresses. Unlike, say N7:0/1, 30001/1 is not valid for an -| |- instruction. (Salt, lots of salt).

(If) so, it would be weird to pack "alarms" in a 4000x register.

So perhaps they aren't talking about 1001xx and 4010xx, but about 001001 and 004010. In which case they really mean:

001xxxx = mapped inputs
002xxxx = mapped outputs
004xxxx = alarms

But it's impossible to be sure, with so little information.

Good luck
 
Thanks alot, I'm going to ask ofcourse but as I'm no expert I wanted to have some conversation about it before I questioned anything. This thread has now given me some more inputs so I can ask more relevant questions to my customer.
Thanks!
 
it would be weird to pack "alarms" in a 4000x register.

Not really, done all the time in remote SCADA systems where you need transmission efficiency over low bandwidth links, i.e. one read and one write per remote device.

Unity can reference bits in words using either the word.x nomenclature, or the WORD_TO_BIT function block.

Agree that the OPs client is asking for weird stuff though with their addressing
 
Not really, done all the time in remote SCADA systems where you need transmission efficiency over low bandwidth links, i.e. one read and one write per remote device.

Unity can reference bits in words using either the word.x nomenclature, or the WORD_TO_BIT function block.

Agree that the OPs client is asking for weird stuff though with their addressing

Packing the bits into words makes no difference for the modbus protocol because the bits are always packed into bytes anyway. All binary protocols do that.

A byte is the smallest amount of data that can be transferred over modbus rtu (serial) or modbus tcp (ethernet). So if you want to read the status of for example 256 flags (I/O or whatever) you will get 8 bytes of data back. So there no reason to pack bits into words for the sake of efficiency.
 
1. In Modbus addressing, a leading digit representing the address memory table is widely used as a help in identifying the type of data:
discrete input uses a leading or inferred numeral (0)
coil uses a leading numeral (1)
input register uses a leading number (3)
holding register uses a leading numeral (4)

I put the leading numeral in parentheses, because the leading numeral is NOT part of the Modbus message, it is an aid for human beings to interpret what type of data the address holds.

I do a lot of Scada and (4)0412 or (4)00412 address tells me the data is in a holding register because of the leading (4), which Function Code 03 addresses.

2.
a. 5 digit addressing
Your customer is likely 12 years behind the times because the 1979 era Modbus used address (0)0001-(0)9999 or (1)0001-(1)9999 addressing. This is known as 5 digit addressing.

b. 6 digit addressing
The more recent Modbus Application Protocols, V1.1a (June 4, 2004) and (V1.1b December 28, 2006) state in para 4.4 MODBUS

Addressing model:
"The MODBUS application protocol defines precisely PDU addressing rules.
In a MODBUS PDU each data is addressed from 0 to 65535."

(Each protocol further states (para 6.3) that the addressing range for the 03 read/write holding registers
is 0x0000 to 0xFFFF, [which is understood to be at the 40000 to 4FFFF (hex) or 40000 (decimal) to 465535 (decimal)])

This is known as 6 digit addressing and would translate to (0)00001-(0)65353 for FC01 or (1)00001-(1)65535 for FC02

c. The purpose of Modbus Function Code (FC) 01 is to read a bit-packed byte of data representing 8 sequentially numbered coils.

See these explanations from various sources. Caveat Emptor - correctly computing the initial offset and number of sequential coils is tedious and should not be done when consuming adult beverages.

FC_01_read_coils_RTU_and_ASCII_frame.jpg


Function_Code_01_-_Read_Coils.jpgttp:


FC01_Lammerties.jpg


Simply_Modbus_FC_01.jpg


FC_01_read_coils_20-38_example.jpg
 
Packing the bits into words makes no difference for the modbus protocol because the bits are always packed into bytes anyway. All binary protocols do that.

A byte is the smallest amount of data that can be transferred over modbus rtu (serial) or modbus tcp (ethernet). So if you want to read the status of for example 256 flags (I/O or whatever) you will get 8 bytes of data back. So there no reason to pack bits into words for the sake of efficiency.

When you have a 2400 baud radio channel, doing a single read instead of a read for 0x and then another read for 4x makes a big difference. Radio key up time, protocol overhead etc all add up. Doing one read instead of two means i can get more sites on a single radio channel.

I have made plenty of money fixing systems implemented by people who have no understanding of how the transmission systems they have chosen actually work. People trying to do 4 reads from a site every second over a radio link via a repeater... it doesn't work... i wonder why!
 
Thanks alot for all replies. I'm feeling more confident that my understanding is correct and I can question the customer
 

Similar Topics

I am trying to connect to a Chiller through Modbus TCP that has been setup as a Modbus slave and I see the Rockwell AOI and it looks pretty...
Replies
7
Views
311
Modbus Adressing - Just Out of Curiosity What is/was the 2xxxx series of modbus addressing used for?
Replies
1
Views
1,679
Hello, I need to access the bits from the fire system control panel through RS-485. So, I used Read Var block to read from the panel...
Replies
0
Views
44
I am having a problem communicating my PLC with Drive via Modbus connection. I start by opening the port and there is no problem, but then when I...
Replies
5
Views
64
Does anyone have an example project of the cm ptp ET200 SP HA with 410-5H DCS (PCs7 9.1 SP1) for MODBUS MASTER/SLAVE communication ?
Replies
2
Views
68
Back
Top Bottom