Modbus Registers

lostcontrol

Lifetime Supporting Member
L
Join Date
May 2009
Location
NeverSayNever
Posts
1,071
 
Modbus addresses 3xxxxx are input registers and are read-only.
Modbus addresses 4xxxxx are holding registers and are read-write.

The confusion may be due to the fact that Modbus command code 3 is to read holding registers (addresses 4xxxxx) while Modbus command code 4 is to read input registers (addresses 3xxxxx).
 
You are likely confusing the register address with function.

Address is well, address location but it can get confusing because some vendor drop the initial address.

Analog Inputs: address from 30000 to 39999
Holding register: address from 40000 to 49999

But vendor some time drop 3xxxx or 4xxxx instead just say Analog input register #1 (if they use 1 based addressing) which mean 30000. Easy, right?

Function code is the action code to read a register. If the client send a function code of 3 to the server it means to read Holding Register which are addressed from 4xxxx.

But a function code of 4 means to read Analog Input register which are address in the 3xxxx range.
 
Steve Bailey said:
Modbus addresses 3xxxxx are input registers and are read-only.
Modbus addresses 4xxxxx are holding registers and are read-write.

The confusion may be due to the fact that Modbus command code 3 is to read holding registers (addresses 4xxxxx) while Modbus command code 4 is to read input registers (addresses 3xxxxx).
Click to expand...
Yep, that what I always thought as well.


harryting said:
You are likely confusing the register address with function.
Click to expand...
Nope, not confusing anything at all.

But vendor some time drop 3xxxx or 4xxxx instead just say Analog input register #1 (if they use 1 based addressing) which mean 30000. Easy, right?
Click to expand...
This is just one of the 'acceptable issues' that comes with Modbus. The other being that not all vendors implement all functions codes..
 
Steve Bailey said:
Modbus addresses 3xxxxx are input registers and are read-only.
Modbus addresses 4xxxxx are holding registers and are read-write.

The confusion may be due to the fact that Modbus command code 3 is to read holding registers (addresses 4xxxxx) while Modbus command code 4 is to read input registers (addresses 3xxxxx).
Click to expand...
^ THIS!

If you look at the Modbus specification (modbus.org, technical documentation), the xxxxx addresses above are described (16-bit unsigned integers), but the blue 3- and 4- prefixes* above are not part of the spec nor are they part of the Modbus Address model(s).

Those prefixes are a common (de facto) convention used to conceptually combine the red 3 and 4 function codes with an offset into an area of memory in the Modbus Server device, so that one can specify "read 'address' 301234" in a configuration window instead of "execute function code 4 at memory address/offset 01234" i.e. "read 3-prefixed address" is equivalent to "execute function code 4 on a non-prefixed address."

* that is 3xxxxx and 4xxxxx, not function codes 3 and 4.

Confused? Good. Welcome to Modbus.
 
The 3 and 4 prefixes date back to the addressing scheme of the original Modicon PLC.
If I remember correctly:
Inputs were addressed from 1000 to 1777 octal
Outputs were addressed from 0000 to 0777 octal
Analog inputs were addressed from 3000 to 3777 octal
Holding registers were addressed from 4000 to 4777 octal
 
drbitboy said:
...but the blue 3- and 4- prefixes* above are not part of the spec nor are they part of the Modbus Address model(s).
Click to expand...


They were part of the original specification.

I have the original specification from when it was Gould, 1979, paper only, and it references 3001 and 4001 many times.

Not starting a flame war.
 
Last edited:
Steve Bailey said:
The 3 and 4 prefixes date back to the addressing scheme of the original Modicon PLC.
If I remember correctly:
Inputs were addressed from 1000 to 1777 octal
Outputs were addressed from 0000 to 0777 octal
Analog inputs were addressed from 3000 to 3777 octal
Holding registers were addressed from 4000 to 4777 octal
Click to expand...
Thanks, Steve. I have often wondered where the leading numerals originated and yours is the ONLY explanation I have ever come across.
 
I stand corrected.

So they are not part of the current modbus.org standard (maybe I should double-check that), but they were in the original.


Amazing. Were the prefixes on the wire i.e. in the "PDU," or were they only in the "Modbus Address Model?" Since the former was zero-based and @Steve Bailey said they ran from 8#1000 to 8#1777, it sounds like they were in both.



Agreed: no flame war.
 
I tend to refer to Modbus register maps as the armpit of technical documentation because of the lack of clarity and insufficient information. Many times they do not mention allowed read and write lengths and byte ordering. They say very little about how the data is encoded. Sometimes you're doing good to be able to find if temperatures are in C or F without firing up the equipment and experimenting.

Modicon has even been inconsistent across products with default translations of 4### classical holding register addresses to IEC %MW addresses.

Holding register address alignment for 32-bit REAL data is another area of interest. The old Quantum CPUs weren't as picky about it as the newer ARM-based M340 stuff.

Back in ancient history there were 2### and 5### addresses. 6### addresses are in the spec - but don't use them.

Yet despite its deficiencies, Modbus is like Mauser 98 bolt actions and 1911s. It's lasted for years and will still be around after many of its critics have retired. Thats because it has adequate performance, it can be used with underpowered CPUs, it can be forced to pass any type of data, it doesn't require paying ongoing fees to a standards organization, it is easy to dissect packets, and so on. We can love it or hate it - I've done both - but it's not going away and mastering it is one of the tools of the trade.
 
I came to prefer the notation I ran across in Indusoft studio.
40001 = 4X:1
30001 = 3X:1
00001 = 0X:1
10001 = 1X:1


I might not have enjoyed the editing of driver sheets in that program, but at least I could copy and paste Mass rows from the sheets into Excel, and easily split a column of those # along their ":" into two columns. Then fill-down however I needed and merge them back again
 
drbitboy said:
Amazing. Were the prefixes on the wire...
Click to expand...

The prefix was not on the wire. It states registers/inputs are addressed starting at zero (register 1 is address zero).

Modicon Modbus Protocol Reference Guide PI–MBUS–300 Rev. J, June 1996 (available as printed and PDF)

03 Read Holding Registers

Reads the binary contents of holding registers (4X references) in the slave. Broadcast is not supported.

The query message specifies the starting register and quantity of registers to be read. Registers are addressed starting at zero: registers 1–16 are addressed as 0–15.

Here is an example of a request to read registers 40108–40110 from slave device 17:
 
One of my favorite meaningless gripes about Modbus is that function code 3 reads register addresses that start with 4 and function code 4 reads addresses that start with 3.

Thats just bad Feng Shui.
 
I found an old manual from 1981 for the Modicon Micro 84 and found I misspoke.

The addressing is decimal, not octal. The numeric data in 3xxx and 4xxx memory is interpreted as BCD. That particular model also includes 2xxx memory addressing for sequencers.
None of the above has any bearing on the Modbus protocol. The Modbus spec doesn't care about how the data transmitted is to be interpreted. And there aren't any Modbus command codes for 2xxx memory.
 

Similar Topics

T
Modbus registers
Good day guys. I have a third party device with its Modbus registers which I want to copy/set up on a plc because I need to convert my Modbus tcp...
Replies
3
Views
141
Corsair
C
V
Modbus Registers
Hello everyone, I want to read a register in HC900 honeywell but I am not understanding. https://ibb.co/2dNDsmk In this link are the things I...
Replies
10
Views
1,786
danw
danw
ryangriggs
How to write Modbus/TCP discrete registers from Wonderware InTouch
Hello, I am attempting to add some IO Discrete tags to a AVEVA InTouch project (version 2020). These tags use the MBTCP driver and attempt to map...
Replies
1
Views
1,188
Saffa
S
R
Modbus RTU Writing Multiple Registers CCW
Platform: CCW, 2080-LC50-24QBB, Using 2080-SERIALISOL card Task: Writing Multiple Registers Using Modbus RTU (RS485) Problem: I am attempting...
Replies
4
Views
1,362
danw
danw
N
TotalFlow G4/G5 Modbus Slave Registers
Hello all, I am working on project to pull data from G4/G5 ABB Totalflows via a modbus master/data radio. I don't have a physical totalflow with...
Replies
5
Views
1,831
danw
danw
Back
Top Bottom