Siemens Industry Online Support
Siemens AG
Entry type: FAQ Entry ID: 109474481, Entry date: 12/05/2018

How can you read input words in the address range from 9999 to 65535 with the SIMATIC S7-1200/S7-1500 via Modbus RTU?

In STEP 7 V14 (TIA Portal) and higher, the "Modbus_Master" instruction in version V2.4 and higher gives the SIMATIC S7-1200/S7-1500 the option of reading out the extended address range (9999 - 65535) of the input words (function code 04) of a Modbus slave.

The following table lists the minimum requirements for reading out the extended input address range:

| | S7-1200 | S7-1500 / ET 200SP CPU |
|---|---|---|
| CPU firmware | V4.1.1 and higher | V1.7 and higher |
| Communication board | CB 1241 RS485 | - |
| Communication module | CM 1241 RS422/485 (V2.1 and higher) | CM PtP RS422/485 HF (V1.0 and higher) |
| | CM 1241 RS232 (V2.1 and higher) | CM PtP RS232 HF (V1.0 and higher) |
| | | ET 200SP CM PtP (V1.0 and higher) |
| STEP 7 (TIA Portal) | V13 SP1 and higher | V14 and higher |
| "MODBUS ( RTU )" instructions | V3.0 and higher | V3.1 and higher |
| "Modbus_Master" instruction | V2.2 and higher | V2.4 and higher |

Table 01

In addition to the "Modbus_Master" instruction, you need the "Modbus_Comm_Load" instruction in order to establish the communication.
Both blocks are located in STEP 7 (TIA Portal) among the communication instructions, under "Communication processor" in the folder "MODBUS ( RTU )":

Fig. 1

The Modbus_Comm_Load block is used to select the communication module, set the communication parameters and parameterize the connection with the master (or slave) parameters.

Fig. 2

The acyclic block Modbus_Comm_Load must have completed once with DONE before Modbus_Master (or Modbus_Slave) is called for the first time. It can be started, for example, in the first program cycle (by enabling the system memory bit M1.0 in the hardware settings). After inserting the communication module in the hardware configuration, you can pass the symbolic name of the communication module at the PORT parameter.

The communication parameters BAUD (transmission rate) and PARITY (parity) must be adapted to the slave to be addressed. At the MB_DB parameter you pass the MB_DB data structure from the instance data of Modbus_Master (or Modbus_Slave) and in this way define the communication module (identified by the PORT parameter) as MODBUS master (or slave). In addition, you must set the static parameter MODE in the instance data of Modbus_Comm_Load to the duplex operating mode, preferably via the start value (0 = full duplex (RS232), 1 = full duplex (RS422) four-wire mode, 4 = half duplex (RS485) two-wire mode).

Fig. 3

You use the Modbus_Master block to define the communication module selected with the Modbus_Comm_Load configuration block as MODBUS master.

Fig. 4

The Modbus_Master block is used to select the MODBUS slave to be addressed, specify the function code and define the local data storage area. The table below explains the parameters.

| Parameter | Description |
|---|---|
| REQ | Enables communication |
| MB_ADDR | MODBUS-RTU station address |
| MODE | Type of request: "0" = Read; "1" = Write; "104" = Read the input words of the slave (up to register address 65535) |
| DATA_ADDR | Specification of the MODBUS start address (= offset + slave register address); for MODE = 104: offset = 0 |
| DATA_LEN | Specification of the MODBUS data length (in bits or words); for MODE = 104: words |
| DATA_PTR | Definition of the local receive and send data areas of the master. The DATA_PTR parameter must refer to a data block whose attribute property "Optimized block access" has been disabled. |

Table 02

The project includes sample programs for reading out the extended input address range via Modbus RTU:

  •  with an S7-1200 CPU via the CM 1241 RS422/485
  •  with an S7-1200 CPU via the CB 1241 RS485
  •  with an S7-1500 CPU via the CM PtP RS422/485 HF (project example with STEP 7 V15.1 and higher)
  •  with an ET 200SP CPU via the CM PtP (project example with STEP 7 V15.1 and higher)

With the default settings you can use the watch table to read out 9 input words starting at address 53248 (16#D000) from a Modbus slave with the address 1 via RS485 (for example, the VarioDrive C motor by ebm-papst).
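
The request behind these default settings, as it appears on the RS485 line, can be reproduced with the following added Python example (not part of the Siemens entry or the sample project). It builds the function code 04 frame for station 1, start address 53248 and 9 words, and validates a reply before accepting its data; the function names and the reply values are constructed for illustration, while the frame layout and CRC follow the Modbus RTU specification.

```python
import struct

def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: reflected polynomial 0xA001, initial value 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def build_read_input_request(station: int, data_addr: int, data_len: int) -> bytes:
    """Function code 04 request; data_addr is the raw register address (offset 0)."""
    if not 1 <= data_len <= 125:            # protocol limit for function code 04
        raise ValueError("word count must be 1..125")
    if data_addr < 0 or data_addr + data_len - 1 > 0xFFFF:
        raise ValueError("register range exceeds 0..65535")
    body = struct.pack(">BBHH", station, 0x04, data_addr, data_len)
    return body + struct.pack("<H", crc16_modbus(body))   # CRC goes low byte first

def parse_read_input_response(frame: bytes, station: int, data_len: int) -> list:
    """Validate a reply to the request above and return the register words."""
    if len(frame) < 5 or crc16_modbus(frame) != 0:   # CRC over frame+CRC must be 0
        raise ValueError("short frame or CRC mismatch")
    if frame[0] != station:
        raise ValueError("reply from unexpected station address")
    if frame[1] == 0x84:                    # 0x04 with bit 7 set: exception reply
        raise IOError(f"slave returned exception code {frame[2]}")
    if frame[1] != 0x04 or frame[2] != 2 * data_len or len(frame) != 5 + 2 * data_len:
        raise ValueError("malformed function code 04 reply")
    return list(struct.unpack(f">{data_len}H", frame[3:-2]))

def make_reply(station: int, words: list) -> bytes:
    """Constructed slave reply, used here only as sample input."""
    body = struct.pack(f">BBB{len(words)}H", station, 0x04, 2 * len(words), *words)
    return body + struct.pack("<H", crc16_modbus(body))

if __name__ == "__main__":
    request = build_read_input_request(1, 53248, 9)   # page defaults: 16#D000, 9 words
    print(request.hex(" "))
    sample = make_reply(1, list(range(100, 109)))     # constructed values
    print(parse_read_input_response(sample, 1, 9))
```

The CRC only detects transmission errors; Modbus RTU frames carry no authentication, so the station address check is a plausibility check and not a proof of origin.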

Further Information

| Description | Entry ID |
|---|---|
| Firmware update for SIMATIC S7-1200 CPUs | Download |
| Operating system update V2.1.0 for CM 1241 | 108819199 |
| Firmware update for S7-1500 CPUs incl. Displays and ET200 CPUs (ET200SP, ET200pro) | 109478459 |
| How do you specify a higher start address than 9999 for the "Modbus_Master" instruction? | 86158926 |
| How do you establish a MODBUS-RTU communication with STEP 7 (TIA Portal) for the SIMATIC S7-1200? | 47756141 |
| Application example: Control of multiple fans (ebm-papst) with the SIMATIC S7-1200 via Modbus RTU | 109476801 |
| Application example: Master-Slave Communication via a CM PtP using the Modbus RTU Protocol | 68202723 |
| Manual: SIMATIC S7 S7-1200 Automation System | 91696622 |
| Manual: SIMATIC STEP 7 Basic/Professional V15.1 and SIMATIC WinCC V15.1 | 109755202 |



Security information
In order to protect technical infrastructures, systems, machines and networks against cyber threats, it is necessary to implement – and continuously maintain – a holistic, state-of-the-art IT security concept. Siemens’ products and solutions constitute one element of such a concept. For more information about cyber security, please visit