i am so sorry! I am new to modbus systems...
In Modbus there are two addressing models: Data Model Addressing; PDU* Addressing. Cf. Section 4.4 at
this link and Figure 8 at
this link; yes I know that is as clear as mud and does not help much.
* PDU = Protocol Data Unit
Data Model Addressing uses ordinal numbers starting at one, so 1 through 65536.
Protocol (from PDU) is what goes "over the wire" (TCP/IP or serial), and only two bytes are ever used for an address, which obviously** limits the range of possible addresses to 0 through 65535. So if you want the first element of a particular data type (Data Model Address 1) then a 0 would be the address in the PDU, and if you want the tenth element of a particular data type (Data Model Address = 10) the you use 9 as the address in the PDU.
** If this is not obvious to the reader, I apologize, but I am not going to go into the reasons here.
So Modbus addresses are limited to five
decimal digits, with a lower limit of 0 or 1, and and an upper limit of 65535 or 65536, depending on the data model being referred to. That is decimal; in hexadecimal, which would only apply to the PDU Model, the lower and upper limits are 0x0000 and 0xFFFF (i.e. 0 and 65535 decimal).
There is also the commonly-used convention,
not part of Modbus proper***, that couples the concepts of "Modbus Object Type" coupled with Access, in the Data Model, into a decimal prefix to the Data Model Address; cf. the Modbus wiki
this link, and highlighted in
bold magenta below.
Code:
[U][B]Object type[/B][/U] [U][B]Access[/B][/U] [U][B]Size[/B][/U] [U][B]Address Space[/B][/U]
Coil**** Read-write 1 bit [COLOR=Magenta][B]0[/B][/COLOR]0001 – [COLOR=magenta][B]0[/B][/COLOR]9999
Discrete input Read-only 1 bit [B][COLOR=magenta]1[/COLOR][/B]0001 – [COLOR=magenta][B]1[/B][/COLOR]9999
Input register Read-only 16 bits [COLOR=magenta][B]3[/B][/COLOR]0001 – [COLOR=magenta][B]3[/B][/COLOR]9999
Holding register Read-write 16 bits [COLOR=magenta][B]4[/B][/COLOR]0001 – [COLOR=magenta][B]4[/B][/COLOR]9999
N.B. there are only four digits shown in each Object Type's address space there, they should all be
X00001 -
X65535.
*** AFAICT
**** Coil = a physical Discrete Output usually, but it can also refer to an internal bit that is both readable and writable.
That prefix means nothing in Data Model Addressing; and of course it is impossible to even implement in the two bytes of an address in a PDU on the wire. It is, as far as I can tell, a convention that allows abbreviating the verbosity of "Discrete input xxxx" with the more concise "1xxxx" e.g. in a user interfaces. Also note that these prefixes are redundant with the Function Code in any Modbus PDU e.g. Function codes 01, 05 and 15 (decimal) all refer to an Object Type of Coil (prefix
0 above). To make it even more confusing, there is no, and if anything anti-, correlation between the PDU function Codes and the prefixes e.g. PDU Function Codes 03 and 04 read Holding Registers and Input Registers, respectively, which Holding (Function Code 03) and Input (Function Code 04) registers have "common" prefixes of 4 and 3, respectively.
That said, the prefix may show up in a user interface (e.g. popup or dialog window) for configuring a Modbus transaction. E.g. some vendors' Modbus Client configuration interfaces
might expect to see the prefix prepended the user-supplied address in order to determine which Function Code to use. So to execute a PDU with a Function Code of 03 (Read Holding Register) and a Data Model address of 16, the user interface might require the user to configure options
- "Read" as the data transfer direction, and
- "400016" as the address,
which options the interface would convert to a Function Code of 03 and a PDU address of 15 (0x000F) on the wire.
Again, whether the user needs to supply the Data Model (1-65536) or the PDU Address (0-65535), with or without the "Object Type" prefix, to a configuration menu interface is vendor specific, and often the quickest way to sort it all out is to poke around and try different things; there are only a dozen or so possibilities, so an empirical session of half an hour or so should be enough to get it sussed. Some vendors' Modbus server's implementations conveniently place a fixed value, e.g. a 32-bit floating point value (e.g. -1234.0) at a documented, but otherwise-unused, Holding Register address, which supports empirically characterizing the menu interface's options, the protocol, the byte order, etc.
It is only ones and zeros; it cannot be hard - Jouni Ryno
-