2-byte slave modbus address

Vadagor

Hi everyone,

How are you all? I'm here again to ask an easy question. One of our clients decided to modify their Modbus protocol. Within all the changes, he decided to have 2 bytes for the slave address (so he can have 65,535 available addresses!!!!) Apparently, some guys added a couple of Omron PLCs to this configuration. Now they are asking us to add the M340 there. Has anyone done this? I've been looking for information but I couldn't find anything.

Thanks in advance for any help you can give me.

Nick
 
Slave node ID? Really?

From its origins, the Modbus protocol has used one byte to address 256 slave nodes, reserving address zero as a broadcast (no reply) ID. That means there are millions of devices that use one and only one byte for the slave node ID address.

If that part of the Modbus message was actually altered, then no device using conventional Modbus will ever work on the network, because the added 2nd byte will be misinterpreted as the function code and all other following bytes are offset from where they are expected to be. Communication would never happen because no slave would ever recognize its ID, so no slave would ever reply.

Furthermore, for serial RS-485 the practical limitation is 32 devices, due to the electronics. Modbus TCP has a limitation of 256 devices with a 255.255.255.0 subnet mask, but 255.255.0.0 would get you 254*254 slaves.

So a need to alter the fundamental slave node ID field does not make sense.

Furthermore, it is highly unlikely that a commercial PLC would even offer access to the underlying Modbus protocol, because after all, it's a protocol - a set of rules for the frame format. One doesn't mess with frame formatting and get successful communications.

5 digit or 6 digit addressing?

It is far more likely that the issue is 5 digit vs 6 digit register addressing.

The early Modbus implementations were hampered by limited and costly memory restrictions.

Although the protocol provides for register addressing from by using a 2 byte, 16 bit "Quantity of Registers" field, the implementations of that era frequently limited decimal register addressing from (4)0001 to (4)9999 (known now as "5 digit addressing"), or one less than 10,000 registers by only allowing a 4 digit decimal entry when defining the register addressing. It wasn't the protocol limitation, it was an implementation limitation.

[note: The leading numeral (4) indicates Function Code 3 Holding Register data. The leading numeral is not used in the actual message frame, it is used only for humans to identify the address as a FC3 Holding Register address.]

As the general availability of memory increased, vendors began implementing the full range of decimal register addressing, for example (4)00001 to (4)99999, or one less than 100,000 registers (known now as "6 digit addressing").

Many slave vendors are now assuming that the master/client can address the full 6 digit register range up to (4)99999 and are mapping their data into registers above (4)9999. If a master/client is limited to the older (4)9999 (so called 5 digit addressing), then it has no means of addressing those registers above (4)9999.

I don't know of a means other than empirical trial to determine whether a master/client is capable of 6 digit addressing. I've never seen mention of it in a spec sheet or even a manual, it just depends on the acceptable numerical entry when defining an address.

I would assume that an OPC server's Modbus driver would handle 6 digit addressing, just because those vendors see so many devices and have to write their software to accommodate the full market.
 
We actually added support for a 2 byte slave address to our Modbus Ethernet driver in KEPServerEX V5.20 released in May of 2016. It is in all versions since then. To use it you would select the CEG device model. You can try it out for free at www.kepware.com.

Modbus is the most widely modified protocol in device communications by far. There are many different flavors of it in use in different industries.
 
DanW and Ken, That particular device is used in the Oil and Gas industry and they are actually CanBus. The vendor designed a Modbus Ethernet to CanBus Protocol converter to talk to the hardware. I have seen them talk to 10k devices through one converter and they can have several hundred converters in one project. Believe it or not they can get 20msec resolution with that many devices, I had to see it before I believed it.

Dan, We use models to specify protocol configurations that are more unique than just swapping byte or word order. For instance the Daniels Flow model is similar to the Enron Modbus protocol. The CEG model is the same as a regular Modbus model but uses 2 byte slave addresses in the MBAP header of the Modbus Ethernet packet. It also changes the Modbus Protocol ID to 1 instead of the standard 0, which is what you are supposed to do if you modify the protocol in your device. Unfortunately most vendors do not.

Hope that helps. Let me know if you have any other questions. If you contact Kepware directly mention that you were talking with me on this message board and one of the support or sales techs will come grab me.
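
The MBAP difference described in the post above, as an added example that is not part of the original thread and not Kepware's code: a parser that chooses the address width from the Protocol ID and rejects unknown values, next to one that ignores the Protocol ID and so reads the second address byte as the function code. The function names, the sample frames, and the assumption that the widened address is big-endian, sits directly after the length field and is counted by it are all hypothetical.

```python
import struct
from dataclasses import dataclass

STANDARD_PID = 0  # Protocol ID of unmodified Modbus/TCP
WIDE_PID = 1      # Protocol ID the post attributes to the CEG model

@dataclass
class Frame:
    transaction_id: int
    protocol_id: int
    unit_id: int
    function_code: int
    data: bytes

def parse_adu(adu: bytes) -> Frame:
    """Pick the address width from the Protocol ID; reject anything else."""
    if len(adu) < 6:
        raise ValueError("truncated MBAP header")
    tid, pid, length = struct.unpack(">HHH", adu[:6])
    body = adu[6:]
    if length != len(body):
        raise ValueError("MBAP length does not match bytes received")
    if pid == STANDARD_PID:
        addr_len = 1
    elif pid == WIDE_PID:
        addr_len = 2  # ASSUMPTION: big-endian, directly after the length field
    else:
        raise ValueError(f"unknown protocol id {pid}")
    if len(body) < addr_len + 1:
        raise ValueError("no room for address and function code")
    unit = int.from_bytes(body[:addr_len], "big")
    return Frame(tid, pid, unit, body[addr_len], body[addr_len + 1:])

def parse_ignoring_pid(adu: bytes) -> Frame:
    """What a 1-byte-address parser sees if it skips the Protocol ID check."""
    tid, pid, _length, unit, fc = struct.unpack(">HHHBB", adu[:8])
    return Frame(tid, pid, unit, fc, adu[8:])

# Constructed sample requests: read 2 holding registers starting at offset 0.
STANDARD_REQ = bytes.fromhex("0001 0000 0006 11 03 0000 0002")
WIDE_REQ = bytes.fromhex("0002 0001 0007 1234 03 0000 0002")

if __name__ == "__main__":
    print(parse_adu(STANDARD_REQ))
    print(parse_adu(WIDE_REQ))
    print(parse_ignoring_pid(WIDE_REQ))
```
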
 
Thanks Fred. That is an eye-opening explanation, especially when my projects are 5-6 slaves, maybe.
 
Thank you all for the replies.

Dan, I've checked Schneider documentation and in some part, it says "Most of the times, the Slave Address will be ranged between 1 to 247". So, I could imagine that it was going to be possible to change that.

Fred, I will check your solution and I will contact you when my doubts appear.

Cheers,

Nick
 