×
Siemens Industry Online Support
Siemens AG
Entry type: FAQ, Entry ID: 100633819, Entry date: 05/11/2017
(6)
Rate

How do you address the memory areas in the SIMATIC S7-1200/S7-1500 and in the Modbus device in the case of Modbus/TCP data communication?

  • Entry
  • Associated product(s)
The Modbus data model is simple in structure and has 4 separate memory areas. Examples for correct addressing are given in the tables in this entry.

Modbus data model
The Modbus data model is simple in structure and has 4 separate memory areas (data types):

  • Coils (outputs - bit-oriented, read and write)
  • Discrete Inputs (inputs - bit-oriented, read only)
  • Input Register (input data - word-oriented, read only)
  • Holding Register (output data - word-oriented, read and write)

Table 1 shows a comparison of the register and bit addresses in the Modbus device (Application Layer) with the Modbus address transferred in the protocol (Data Link Layer).
 

Memory areaAddress of the application layers in the Modbus deviceModbus address transferred in the message (Data Link Layer)
Coils (output bits)1 to 99990 to 9998
Discrete Inputs (input bits)10001 to 199990 to 9998
Input Register (input words)

30001 to 39999

0 to 9998
Holding Register (output words)40001 to 49999
400001 to 465536 with extended address area
0 to 9998
0 to 65535

Table 1

There are instructions for the SIMATIC S7 which enable Modbus/TCP communication.

Addressing on the instruction for the Modbus/TCP communication in the S7-1200/S7-1500
With SIMATIC S7-1200/S7-1500 the instructions for the Modbus/TCP communication use the addressing of the application layer for the values 0 and 1 of MB_MODE.
For the values 0 and 1 of MB_MODE the combination of the parameters MB_MODE, MB_DATA_ADDR and MB_DATA_LEN defines the function code that is used in the current Modbus message.

  • MB_MODE includes the information about whether it is to be read or written.
    MB_MODE=0: Read, MB_MODE=1: Write
  • MB_DATA_ADDR includes the information that is to be read or written as well as address data from which the MB_CLIENT calculates the remote address.
  • MB_DATA_LEN includes the number of the values to be read / written.

Table 2 shows how to address the Modbus function 03 "Holding Register (output words) on the MB_CLIENT instruction to read 10 output words from the remote address 0.
 

Parameters of the MB_CLIENT instructionValue of the parameter of the MB_CLIENT instructionDescriptionAddressing in the Modbus device
MB_MODE0 (dec)Modbus request: Read10 output words are read from the Modbus device starting at the remote address 0.
MB_DATA_ADDR40001 (dec)Start address=40001: Holding Register (output words)
DATA_LEN10 (dec)Amount of data to be read (words)
MB_DATA_PTR"DATA_CON1".MB_DATA_PTRBuffer for the data received from the Modbus server (data register).
Example
The data is stored in the DB2 "DATA_CON1" in the "MB_DATA_PTR" variable of the data type Array [0..9] of Word.

Table 2

Table 3 shows how to address the Modbus function 03 "Holding Register (output words) on the MB_CLIENT instruction to read 10 output words from the remote address 4.
 

Parameters of the MB_CLIENT instructionValue of the parameter of the MB_CLIENT instructionDescriptionAddressing in the Modbus device
MB_MODE0 (dec)Modbus request: Read10 output words are read from the Modbus device starting at the remote address 4.
MB_DATA_ADDR40005 (dec)Start address=40005: Holding Register (output words)
DATA_LEN10 (dec)Amount of data to be read (words)
MB_DATA_PTR"DATA_CON1".MB_DATA_PTRBuffer for the data received from the Modbus server (data register).
Example
The data is stored in the DB2 "DATA_CON1" in the "MB_DATA_PTR" variable of the data type Array [0..9] of Word.

Table 3

With STEP 7 (TIA Portal) V14 and higher in version V4.1 of the instructions for the Modbus/TCP communication, the following holds for the values 111 to 116 of MB_MODE:

  • MB_MODE defines the Modbus function code.
  • MB_DATA_ADDR includes the remote address.
  • MB_DATA_LEN includes the number of the values to be read / written.

Table 4 shows how to address the Modbus function 03 "Holding Register (output words) on the MB_CLIENT instruction to read 10 output words from the remote address 0.
 

Parameters of the MB_CLIENT instructionValue of the parameter of the MB_CLIENT instructionDescriptionAddressing in the Modbus device
MB_MODE103 (dec)MB_MODE=103 defines the function code 03 "Read Holding Register (output data)".10 Ausgangs-Worte werden ab derremoten Adresse0 aus dem Modbus-Gerät gelesen.
MB_DATA_ADDR0 (dez)remote Adresse=0
DATA_LEN10 (dez)Anzahl der zu lesenden Daten (Worte)
MB_DATA_PTR"DATA_CON1".MB_DATA_PTRPuffer für die vom Modbus-Server empfangenen Daten (Datenregister).
Beispiel
Die Daten werden im DB2 "DATA_CON1" in der Variable "MB_DATA_PTR" vom Datentyp Array[0..9]ofWord gespeichert.

Tabelle 4

Tabelle5 zeigt, wie Sie an der AnweisungMB_CLIENTdie Modbus-Funktion 03 "Holding Register (Ausgangs-Worte) lesen" adressieren, um10 Ausgangs-Worte ab der Adresse4zu lesen.

Parameter der Anweisung MB_CLIENTWert am Parameter der Anweisung MB_CLIENTBeschreibungAdressierung im Modbus-Gerät
MB_MODE103 (dez)MB_MODE=103 defines the function code 03 "Read Holding Register (output data)".10 output words are read from the Modbus device starting at the remote address 4.
MB_DATA_ADDR4 (dec)Remote address=0
DATA_LEN10 (dec)Amount of data to be read (words)
MB_DATA_PTR"DATA_CON1".MB_DATA_PTRBuffer for the data received by the Modbus server (data register).
Example
The data is stored in the DB2 "DATA_CON1" in the "MB_DATA_PTR" variable of the data type Array [0..9] of Word.

Table 5

Further Information
Detailed information about the addressing of the MB_CLIENT instruction is available in the manual "SIMATIC STEP 7 Professional V14.0", in the section entitledParameters MB_MODE, MB_DATA_ADDR and MB_DATA_LEN (S7-1200, S7-1500).