S7-1200 Modbus TCP access by 3rd Party Master

Mattyb

Member
M
Join Date
May 2018
Location
Florida
Posts
1
Hello all,
I am trying to access an S7 system (TIA v13, which is what we use) that was developed by a 3rd party for use with 3rd party devices via Modbus TCP.


They set it up to be compliant with Modbus TCP and describe the address space as follows:

  1. Coils (M100.0, etc) (Two Words of bits, or 2 bytes of bits) - Read: Addresses 40001, 40002, 40044
  2. Coils (M100.0, etc) (Two Words of bits, or 2 bytes of bits) - Write: Address 40019
  3. Holding Registers (MDXXX) (32 Bit words across two DWord addresses) - Read 40003-40018
  4. Holding Registers (MDXXX) (32 Bit words across two DWord addresses) - Write 40020-40043, 40045-40050
When I try to access these I can read the first Address and get what I know to be correct responses, bit-wise. When reading the Bits from the first address (40001), wireshark shows I'm using Function Code 02, and again, I get the expected result.


I can also get one holding register address (40019) to give me information that seems reasonable (matches the TIA Portal watch list). Wireshark reports that I am using Function Code 03 and I get the expected result.


I can read anything I want, but the data doesn't match. It seems as though I'm pulling from the wrong addresses somehow?


I can't seem to write to any address at all, although I've only tried to write to the coil bits (not holding registers). Attempts to write were using Function Code 05.


I assume that I am doing something incorrectly with the addressing (or possibly the contractor, but I'm the novice so I'm sure it's my fault).


Thanks,
Matt

Move_Blocks.jpg Modbus_Server_Block.jpg
 
Hi Matt
The addresses look correct. One possible answer is that the order of bytes coming from the unit is reversed. Allot of software will give you an option for reversing the LSB and MSB of the words being returned.

Here is some background information on Modbus TCP:
http://www.simplymodbus.ca/TCP.htm
https://www.rtaautomation.com/technologies/modbus-tcpip/

You may want to test your communications with another software package to verify the operation. I would use AdvancedHMI. This is a free package that is discussed regularly here in this forum.
https://sourceforge.net/projects/advancedhmi/
Here is a post that will show you the installation of AdvancedHMI:
http://accautomation.ca/create-a-plc-with-hmi-training-and-learning-environment-free/
I hope this helps you out.
Regards,
 

Similar Topics

G
yokogawa controller with modbus tcp/ip communication with s7 1200 plc
can i send and recieve data using my yokogawa UT35A controller with my siemens s7 1200 plc using profinet communication without using gsd file
Replies
1
Views
378
Puddle
P
B
Pinout Modbus TCP onto S7-1200 through profinet port
Hello All I have a modbus tcp device(Julabo magio) with an DB9 pin assignment. Pin3=B and Pin8=A. I would like to connect it on the secondary...
Replies
4
Views
1,595
the_msp
the_msp
A
Using MODBUS TCP for connecting to Siemens S7-1200 PLC
Hi All, I have a closed loop stepper motor (Nanotec make), https://en.nanotec.com/products/2512-pd4-e601l42-e-65-4. This uses MODBUS TCP for...
Replies
4
Views
3,822
504bloke
504bloke
Ricardo Carmo
Scheneider M241 Modbus tcp/ip connect S71200 siemens
Hello; i'm having some troubles with a com test i'm handling. i have another end for it, but for now i would like to have : M241 in io_scanning...
Replies
4
Views
3,478
Ricardo Carmo
Ricardo Carmo
R
s7-1200 slave with two masters (modbus TCP)
Hi, I currently have a s7-1200 enabled as modbus tcp slave for customers master to connect to freely. Now my customer want to add a new modbus...
Replies
8
Views
4,650
rQx
R
Back
Top Bottom