You are on page 1of 62

SIMATIC

OPEN MODBUS / TCP


Communication via CP343-1 and CP443-1
Manual

Preface, Table of Contents


Product Description

Mounting

Commissioning

Function Block MODBUS

Transmission Protocol

Diagnostics

Application Sample

SIMATIC S7
OPEN MODBUS / TCP
Communication via
CP343-1 and 443-1
Manual

Appendices
Literature
Glossary

Edition 3.0

Safety Precautions and


Warnings

This manual contains warnings, which you should note for your own safety as well as for
the prevention of damage to property. These warnings are indicated by means of a triangle
and displayed as follows in accordance with the level of danger:
__________________________________________________________________
Danger
indicates that loss of life, severe personal injury or substantial damage
will result if proper precautions are not taken.

__________________________________________________________________
__________________________________________________________________
Warning
indicates that loss of life, severe personal injury or substantial damage can result if proper
precautions are not taken.

__________________________________________________________________
__________________________________________________________________
Caution
indicates that minor personal injury or property damage can result if proper precautions are
not taken.

__________________________________________________________________
__________________________________________________________________
Notes
call attention to information that is especially significant to the product, handling of the
product or a specific part of this documentation.

__________________________________________________________________
Qualified
Personnel

The equipment may be commissioned and put into operation by qualified personnel only.
For the purpose of safety relevant warnings of this manual a qualified person is one who is
authorized to commission, ground and tag devices, systems and circuits.

Use as prescribed

Please note the following:


_________________________________________________________________________
Warning
This equipment must only be used in applications as prescribed in the catalogue and the
technical description and in conjunction with equipment and components recommended and
authorized by Siemens.
Successful and safe operation of this equipment is dependent upon proper transport, and
storage, erection and installation as well as careful operation and maintenance.

SIMATIC and SIMATIC NET are registered trademarks of SIEMENS AG.


Trademarks

The other brand names in this manual may be trademarks use of which by third parties for
their purposes may infringe the proprietors rights.

Copyright Siemens AG 2004 All Rights Reserved

Exclusion from Liability

The reproduction, transmission or use of this document or its contents


is not permitted without express written authority. Offenders will be
liable for damages. All rights, including rights created by patent grant
or registration of a utility model or design, are reserved.

We have checked the contents of this document with regard to


conformity to the described hardware and software. Deviations,
however, cannot be excluded; therefore we cannot accept prejudice
for its complete conformity. The information in this document is
checked regularly and necessary corrections are contained in
subsequent issues. Any suggestions for improvement are gratefully
received.

Siemens AG
Industrial Solution and Services
IT4Industry
P.O. Box 3240, D- 91050 Erlangen
IT4Industry@siemens.com

Siemens AG 2004
We reserve the right to make technical changes.

Preface

Preface
Purpose of the
Manual

The information in this manual allows you to set up and put in operation the
connection between the CP 343-1/CP 443-1 and a device that supports the
Open MODBUS/TCP protocol.

Contents of the
Manual

This manual describes the function of the function block MODBUS and the
integration into the hardware and software of the communications processor
CP 343-1/CP 443-1.
The manual contains the following topics:
Production description / Mounting
Commissioning / Installation / Parameterization
Function block
Transmission protocol
Diagnostics
Application sample

Scope of this
Manual

This manual is valid for the following software:


Product

Identification number

From version

FB OPEN MODBUS / TCP

2XV9 450-1MB00

3.0

Function Block FB100

2.2

Function Block FB101

1.0

Note
This manual contains the FB description, as it is valid at the time of
publication

How to Access the


Information in this
Manual

To enable you a quick access to selected information, the manual provides


the following access aids:

The next pages contain a complete table of contents.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

Preface

Additional
Sources of
Information

All additional information concerning CP 343/CP 443 (mounting,


commissioning etc.) can be found in the manual
SIEMENS
SIMATIC NET
S7-CPs for Industrial Ethernet
device manual C79000-G8900-C155
SIEMENS
SIMATIC NET
S7-CPs for Industrial Ethernet
device manual part B1
CP 343-1 / CP 343-1EX20
C79000-G8900-C158
SIEMENS
SIMATIC NET
S7-CPs for Industrial Ethernet
device manual part B4
CP 443-1
C79000-G8900-C152
SIEMENS
SIMATIC NET
NCM S7 for Industrial Ethernet
manual C79000-G8900-C129
Additional information concerning STEP7 can be found in the following
manuals:
SIEMENS
SIMATIC Software
Base software for S7 and M7
STEP7 user manual
C79000-G7000-C502-..
SIEMENS
SIMATIC Software
System software for S7-300/400
System and standard functions
Reference manual C79000-G7000-C503-02

Additional
Questions

If you have further questions regarding the use of the FBs described in this
manual, which are not answered in this document, please contact your
Siemens partner who supplied you with this function block.

Terminology

This document uses the term CP or CP 343/CP 443. The descriptions only
apply to communications processor CP 343-1/CP 443-1.

Scope of
Application

The function block described in this manual establishes a connection


between the CP 343-1/CP 443-1 and third party MODBUS devices.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

Table of contents

Table of Contents
1 ...... Product Description....................................................................................................... 1-1
1.1 ........ Field of Applications.......................................................................................... 1-1
1.2 ........ Hardware and Software Prerequisites.............................................................. 1-2
2 ...... Mounting ......................................................................................................................... 2-1
2.1 ........ Interface Connection ........................................................................................ 2-1
3 ...... Commissioning .............................................................................................................. 3-1
3.1 ........ Installing the Library on the STEP7 PG/-PC .................................................... 3-1
3.2 ........ Configuration of the Communication Link ........................................................ 3-2
3.3 ........ Parameterisation of the CP .............................................................................. 3-3
3.4 ........ Network Configuration ...................................................................................... 3-4
3.5 ........ Insertion of the Function Blocks into the Program............................................ 3-6
3.6 ........ Start_up Characteristics of CP343 / CP443 ..................................................... 3-7
4 ...... Function Block MODBUS .............................................................................................. 4-1
4.1 ........ Functionality of the FB ...................................................................................... 4-1
4.2 ........ Parameters of the Function Block MODBUS ................................................... 4-3
4.3 ........ Parameters of the Function Block MODB4 .................................................... 4-10
4.4 ........ Data and Standard Functions used by the FB ............................................... 4-12
5 ...... Transmission Protocol .................................................................................................. 5-1
5.1 ........ Overview ........................................................................................................... 5-1
5.2 ........ Function Code 03 Read Holding Registers ................................................... 5-3
5.3 ........ Function Code 16 Write Holding Register ..................................................... 5-4
5.4 ........ Exception Code Telegram ................................................................................ 5-5
5.5 ........ Function Code 04 Read Input Registers ....................................................... 5-6
5.6 ........ Further Sources of Information......................................................................... 5-6
6 ...... Diagnostics..................................................................................................................... 6-1
6.1 ........ Diagnostics via the Display Elements of the CP .............................................. 6-1
OPEN MODBUS / TCP communication via CP343-1 and 443-1
2XV9450-1MB00; Manual edition 3.0

Table of contents

6.2 ........ Verification by the FB MODBUS....................................................................... 6-2


6.3 ........ Diagnostic Messages of the FB MODBUS....................................................... 6-5
6.4 ........ Diagnostic Messages of included FCs/SFCs ................................................... 6-8
6.5 ........ Diagnostic Messages of SFC24 ....................................................................... 6-8
7 ...... Application Sample........................................................................................................ 7-1
7.1 ........ Programming Example CP is Client ................................................................. 7-5
7.2 ........ Programming Example CP is Server................................................................ 7-9
A ...... Literature............................................................................................................................ 1

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

ii

Product description

Product Description

1.1

Field of Applications

Placement in the
System Environment

The driver described here is a software product for the Communications


Processor CP 343-1/CP443-1.
The CP 343-1 can be used in the SIMATIC S7-300 automation system and
can establish communication links to partner systems.
CP 443-1 can be used in the SIMATIC S7-400 automation systems and can
establish communication links to partner systems.

Function of the FB

This function block enables a communication link between CP 343-1 /


CP 443-1 and a device that supports the Open MODBUS/TCP protocol.
Thereby Conformance Class 0 is applied.
Function code 4, which is part of Conformance Class 1, can be use in
addition if necessary. All other function codes of Conformance Class 1 and
the function codes of Conformance Class 2 are not implemented in this
function block.
Data transmission is carried out following the Client-Server principle.
The SIMATIC S7 can act as both client and server during the data
transmission.
In operating mode server the functionality multitasking according to the
MODBUS reference is not implemented.

TCP/IP with
CP343-1 / CP443-1

TCP/IP with CP 343-1 and CP434-1 uses static connections. The TCP
connection is not disconnected during operation.
Network configuration of STEP7 enables only a unique use of a specific
port number, when using TCP native stack of the CP. Therefore the CP/FB
is not capable to be addressed from different devices by the same port
number.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

1-1

Product description

1.2

Hardware and Software Prerequisites

Usable Modules

The function block is executable on CP 343-1 as of part number


6GK7 343-1CX00-0XE0
6GK7 343-1EX11-0XE0
6GK7 343-1GX11-0XE0
The function block is executable on CP 443-1 as of part number
6GK7 443-1EX11-0XE0
6GK7 443-1GX11-0XE0

Software Versions

The usage of the FB MODBUS is possible with STEP7 Version 5.1 or higher
with the option NCM S7 for Industrial Ethernet.

Memory
requirements

The FB MODBUS requires 8800 byte work memory and 9886 byte load
memory.
The FB MODB4 requires 9818 byte work memory and 11082 byte load
memory.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

1-2

Mounting

2.1

Mounting

Interface Connection

General
Information

An Industrial Ethernet connection to a subsystem can be established. The


connection of the CP to Industrial Ethernet is possible via Bus coupler or a
twisted pair connection.

Bus Coupler
(Transceiver) via
AUI-Connection

The CP produces and supplies the required voltage for the Bus Coupler.

Transceiver cable
Plugable cable 727-1

Bus coupler

Industrial Twisted
Pair Connection
e. g via OSM

When using the Industrial Ethernet installation instructions according to the


following diagram the CP will recognize the Twisted Pair and automatically
change to it.

E. g. Optical Switch
Module (OSM)

ITP installation cable

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

2-1

Mounting

Twisted Pair
Connection via
RJ45connector

In an environment with low EMC pollution like offices and switchboards, the
CP can be connected to the Ethernet using a Twisted Pair cable with a RJ-45
connector.
E. g. Optical Switch
Module (OSM)

Additional
Information

Note
An AUI/ITP connector or a TP connector may be connected for a flawless
connection.
When hardware is changed (a cable is disconnected and plugged to another
interface) during the run mode it is possible that the new connection (change)
is not recognized. Therefore, the device must be turned off before you change
the interface.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

2-2

Commissioning

Commissioning

General
Information

The configuration of the CP 4431/CP 3431 is possible via MPI or


LAN/Industrial Ethernet.
STEP7 is required with NCM S7 for Industrial Ethernet (shortly named NCM
IE).
The information below about STEP7 and the communication link configuration
refers to STEP7 Version 5.1 and NCM S7 Industrial Ethernet Version 5.1.
In later versions, the sequences, names and directories might be different.

Requirements

3.1

Knowledge of AWL and basic knowledge of STEP7 and PLC.

Installing the Library on the STEP7 PG/-PC

What We Provide
You

The library with the Function blocks for your S7 project can be found on the
enclosed CD.
The CD additionally contains this documentation in electronic format and a
sample STEP7 project.

Requirements

To install, STEP7 must be installed together with the option NCM S7 for
Industrial Ethernet.

Installation

The insertion of the block takes place as follows:


1. Insert CD into your PG/PC.
2. Copy the folder Modbus_TCP from the CD into the directory
Siemens\S7libs\.
Result: The library is installed in the following directory:
Siemens\S7libs\Modbus_TCP.
To access the library use the browse function of the open dialog for libraries.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

3-1

Commissioning

3.2

Configuration of the Communication Link

Introduction

The configuration of the communication link consists of the order of the


hardware in the configuration table using HW Config. You do the
configuration using STEP7 software.
For an Industrial Ethernet link, the SIMATIC 400-Station,
SIMATIC 300-Station, the communication partner and the
Industrial Ethernet-network must be configured.

S7 Project

Before you can do the configuration, you must have created a new S7
Project on STEP7.

Project
Components

Insert the necessary project components with SIMATIC-Manager into the


opened project: SIMATIC-Station, Other Station, Industrial Ethernet network.
Before each insertion, click on the opened project to select it.
SIMATIC 300-Station
Insert Station SIMATIC 300-Station
for your S7 Program (Rack, PS, CPU, CP343-1, ...),
Insert Station Other Station
for the communication partner
Insert Subnet Industrial Ethernet
for an Industrial Ethernet network between the SIMATIC 300 -Station and the
communication partner.
SIMATIC 400-Station
Insert Station SIMATIC 400-Station
for your S7-Program (Rack, PS, CPU, CP443-1, ...),
Insert Station Other Station
for the communication partner,
Insert Subnet Industrial Ethernet
for an Industrial Ethernet network between the SIMATIC 400-Station and the
communication partner

Configure
Hardware

The configuration of the hardware includes the selection of the hardware


components and its characteristics.
SIMATIC 300-Station
By selecting the SIMATIC 300-Station and double clicking on Hardware (or
Edit Open object) HW Configuration is started. With Insert Hardware
components insert from SIMATIC 300 a RACK-300, a PS-300, a CPU-300,
and from CP-300 the CP Industrial Ethernet CP 343-1 with the appropriate
order numbers.
The procedures for configuring S7 300-devices are described in detail in the
user manual of STEP7.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

3-2

Commissioning

SIMATIC 400-Station
By selecting the SIMATIC 400-Station and double clicking Hardware (or
Edit Open object) HW Config will be started. With Insert Hardware
components insert from SIMATIC 400 a RACK-400, a PS-400, a CPU-400,
and from CP-400 the CP Industrial Ethernet CP 443-1 with the appropriate
order numbers.
The procedures for the configuration of S7 400-devices are described in detail
in the users manual for STEP7.

3.3

Parameterization of the CP

Parameterization
of the CP

After the devices are arranged on your rack with HW Config they have to be
parameterized.
The parameterization window of the CP 343-1 or CP 443-1 can be started in
HW Config by double clicking the CP or selecting the CP and clicking the
menu item Edit Object properties.
Properties CP343-1 General or
Properties CP443-1 General
Click on tab General, then select Properties (single click). This will open
the Ethernet interface window.
Here you can enter the IP Address and the Subnet Mask of the CP. If you
have your stations connected with each other without a router, then they have
to be within the same subnet.
In the field Subnet connect the CP with the Industrial Ethernet. In order to do
that, select the entry with the name of your network. For newly created
networks this is normally Ethernet(1)
After the successful parameterization you will be back in the dialog box,
Properties CP343-1 or Properties CP443-1. Here click on OK to
finish the parameterization of the CP and you will be back in the dialog box
HW Config.
Save and Compile the parameterization and close HW Config. You will be
back in the main menu of the STEP7 project.

Parameterization
of the
Communication
Partner

After you have inserted the communication partners station into your STEP7
project (as described in Project components: Insert Other station) you
have to specify the object properties of the external station.
Starting from the STEP7 project, you can select the communication partner
(Other station) by clicking it.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

3-3

Commissioning

Select the menu item Edit Object Properties.


This opens the dialog box Properties Other Station.
1) Properties Other Station Interfaces
On the tab Interfaces click on New. In the upcoming selection, select
Industrial Ethernet and click on OK.
This opens a dialog box Properties Ethernet Interface. Enter an IP
Address that is in the same subnet as the communication partners station.
The subnet mask should be the same as the one of the partners station.
Select the associated subnet that connects the CP interface with the
communication partners interface.
Click on the OK button. This will bring you back to the tab Interfaces.
2) Properties Other StationGeneral
In tab General you do not have to make any settings.
Click on the OK button and you will be back in the main menu of the STEP7
project.
An external station can have multiple interfaces (= Ethernet devices) and may
be connected to different Ethernet connections.

3.4

Network Configuration

Communications
Connection

The CP is the link for the Industrial Ethernet connection between the S7-CPU
and the communication partner / bus. A connection configuration must be
made for the connection of the interfaces to the communication partner / bus.

Configure Network

In the STEP7 project, select the CPU in your S7 300/S7 400-Station and open
Network configuration by double clicking Connections. This opens the
program NetPro with which your connections can be configured.
After selecting Insert New Connection... the dialog box Insert new
connection will come up. Select the connection partner (Other Station) for the
new connection and use TCP Connection for the connection. Put a check
mark on Show properties dialog
Click OK. This will take you back to the dialog box Properties TCP
connection.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

3-4

Commissioning

Object Properties
of the Connection

An ID is provided. You can change the ID if needed.


Click on the button Routing and the configured connection will be shown.
The MODBUS client normally does Active connection establishment.
In the register Addresses the port numbers are defined.

Click on OK and the inputs are accepted.


Save the network configuration and close the program NetPro.
Please note that the connection ID (Local ID) has to be used when the FB is
called in the user program.
Selection of the
Port Number

In a MODBUS communication a MODBUS server are normally addressed via


port 502, whereas a MODBUS client uses a port different to 502.

Unspecified
Connection

If you have got a communication with CP as MODBUS server, and you did
not know the port number of the client, the communication can be set up as
unspecified connection. But the client has to meet the requirement of active
connection establishment.
You do not need an other station in your S7-project in that case. After
selecting Insert New Connection... the dialog box Insert new connection
will come up. Select here unspecified instead of the communication partner
and use TCP Connection for the connection. Put a check mark on Show
properties dialog
Click OK. This will take you back to the dialog box Properties TCP
connection.
Active connection establishment must not be activated, in the register
addresses all information regarding the partner, IP and PORT are left
blank.
Click on OK and the inputs are accepted.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

3-5

Commissioning

3.5

Insertion of the Function Blocks into the Program

Content of
MODBUS library

The Modbus library contains two function blocks.


The function block FB100 (MODBUS) executes the Modbus function codes of
conformance class 0, FC3 and FC16.
The function block FB101 (MODB4) executes function code 4 in addition to
FC3 and 16.
Please select that function block which is suitable for your application.
Subsequent the notation FB MODBUS applies for both function blocks, unless
the extended function block FB MODB4 is referenced explicitly.

Insertion of the
MODBUS FBs

In order to exchange data with MODBUS devices, you need the function block
MODBUS. To be able to insert this into your project you have to copy the
function block from the library. For that, open the library Modbus_TCP by
selecting the menu item File Open. In the dialog box Open Project select
the tab Libraries. Select the library Modbus_TCP using the BrowseButton and click OK.
This opens the library. Select the function block FB MODBUS and copy it via
Edit Copy.
Then change back to your project by selecting Window Your project.
In the Step7 project, in your opened S7 300/S7 400-Station, select the CPU.
Double click S7-program, and then Blocks.
This will open the Blocks folder.
Select Edit Paste. This will insert the block into your program.

Insertion of the
Communication
Blocks

The function block MODBUS uses the function blocks AG_SEND and
AG_RECV or AG_LSEND and AG_LRECV in S7-400. These should be
inserted into your program. You can find these communication function blocks
in the library SIMATIC_NET_CP which are included in the software
package NCM S7 for Industrial Ethernet. Open the library by selecting File
Open. In the dialog box Open Project select the tab Libraries.
Select the library SIMATIC_NET_CP and click OK.
This will open the library.

CP 300

For CP 300 family open the folder CP 300 by double clicking it. Select the
function FC5 (AG_SEND) and FC6 (AG_RECV) and copy it with Edit
Copy. Then change back to your project by selecting Window Your
Project.
Select in the STEP7 project in your opened S7 300-Station the CPU. Open
the Blocks folder by double clicking S7-Programm and then Blocks.
With Edit Paste, insert the function block into your program.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

3-6

Commissioning

CP 400

For CP 400 family, open the folder CP 400 by double click. Select the
function FC50 (AG_LSEND) and FC60 (AG_LRECV) and copy it with Edit
Copy. Then change back to your project by selecting Window Your
Project.
Select in the STEP7 project in your opened S7 400-Station the CPU. Open
the Blocks folder by double clicking S7-Programm and then Blocks.
With Edit Paste, insert the function block into your program.
Please note, that the following versions of the FCs are a prerequisite for the
faultless function of the FB MODBUS:
S7/400:

AG_LSEND
AG_LRECV

V3.0 or higher
V3.0 or higher

S7/300:

AG_SEND
AG_RECV

V4.2 or higher
V4.7 or higher

Important!
The communication blocks must not be renamed to another block number.
They have to be used with their original number FC5/6 or FC50/60.

3.6

Start_up Characteristics of CP343 / CP443

Introduction

The start up of the CP is divided into the following phases:


Initialization (Power on of the CP)
Parameterization

Initialization

As soon as the CP is connected to power, the hardware self test runs. The
firmware of the CP is set up for operation.

Parameterization

During parameterization the CP receives the device parameters that are


assigned to its slot.
The CP is now ready for operation.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

3-7

Function Block MODBUS

Function Block MODBUS

4.1

Functionality of the FB

General
Information

The function block MODBUS allows a communication between a CP443-1


and CP 343-1 and a partner, which supports conformance class 0 of Open
MODBUS/TCP.
Depending on the parameterization the FB can be operated both in client and
in server mode.
In the operating mode server the functionality multitasking, according to the
MODBUS reference, is not implemented.
The function block performs the following functions:

Call of the FB

Calls the standard functions for the data transfer between the CPU
and the CP

Generates MODBUS specific telegram header before send

Verification of the MODBUS specific telegram header after receive

Verification if the memory areas exist which are requested by the


client

Generate exception telegrams when failures occur (only when CP is


in server mode)

Data transfer to and from the parameterized DB

Monitoring the data reception with a time-out

The function block has to be called both in the start up OB100 as well as in
the cyclic OB1.
For each connection of NETPRO either FB MODBUS or FB MODB4 can be
called.
It is not allowed to call FB MODBUS in cyclic interrupt organization blocks
(e. g. OB35).

Start Up of the FB

The function block MODBUS should unconditionally be called once in OB100.


The initialization parameters must be set according to the station
configuration. They will be copied into the instance DB.
The runtime parameters are not evaluated during start up.

Cyclical Operation
of the FB

In cyclical operation the FB MODBUS is called in OB1. According to the


runtime parameters, the functions of the function block are activated. While a
request is running changes to the runtime parameters are ignored.
In the cyclical operation initialization parameters are ignored.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

4-1

Function Block MODBUS

Initiate Request
CP is Client

A rising edge at the trigger input ENQ_ENR initiates a request. Depending on


the input parameters UNIT, READ/WRITE, START_ADDRESS, LENGTH and
TI a MODBUS request telegram is generated and sent to the partner station
via the TCP/IP connection. The client waits for the parameterized monitoring
time MONITOR for a response from the server.
When the monitoring time elapses (no response from the server) the
activated request is terminated with an error. A new request can be initiated
again.
After the receipt of the response telegram a validity check is carried out. If the
result is positive, necessary actions will be taken and the request will be
terminated without error. The output DONE_NDR is set. When an error is
recognized during verification, the request is terminated with an error, the
ERROR bit is set and an error number is returned in STATUS.

Activation of the
Function Block
CP is Server

With TRUE signal at the trigger input ENQ_ENR the FB is ready for receiving
a request telegram from the client. The server remains passive.
The received telegram is verified. If the telegram is verified positive, the
response telegram is sent. The completed transmission is reported to the
user by setting the DONE_NDR bit.
At this point the completed function is indicated at the outputs
START_ADDRESS, READ_WRITE, LENGTH, UNIT and TI.
A faulty request telegram causes an error message and the ERROR bit is
set. The error number is returned in STATUS. The request of the client is not
answered.

Data Transfer
CPU CP

The data transfer between CP and CPU are done with the standard function
blocks AG_SEND and AG_RECV.
At the activation of a MODBUS request by the user (CP is client) or at the
receipt of a telegram from the client (CP is server) the standard blocks
necessary for the CP are called by the FB in the right order and number.
At the receipt of a telegram, the first 6 Bytes are read with the function
AG_RECV. This header contains the length of the rest of the telegram. A
second call of the AG_RECV function follows with the rest of the telegram
length. The verification of the received data takes place after the complete
receipt of the data.

TCP/IP with
CP343-1 / CP443-1

TCP/IP with CP 343-1 and CP434-1 uses static connections. The TCP
connection cannot be disconnected while in run mode.
Given this system characteristic, telegrams might be lost under unfavorable
conditions when the synchronization had been lost after an error. The function
of the FB in these situations is described in chapter 6.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

4-2

Function Block MODBUS

4.2

Parameters of the Function Block MODBUS

Parameter

Decl.

Type

Description

ID

IN

WORD

Connection-ID as per configuration

Value range

Init

1 to 64

yes

W#16#1 to
W#16#40

LADDR

IN

WORD

LADDR-Address from HW Config

CPU
dependent

yes

TIMER_NR

IN

TIMER

Timer number for response monitoring


time

CPU
dependent

yes

MONITOR

IN

WORD

Monitoring Time: Wait for data from


communication partner; 100 ms units

1 to 999

no

DB_1

IN

WORD

Data block number, first range

W#16#1 to
W#16#3E7

1 to 65535

yes

W#16#1 to
W#16#FFFF

START_1

IN

WORD

First MODBUS register address

0 to 65535

yes

W#16#0000 to
W#16#FFFF

END_1

IN

WORD

Last MODBUS register address

0 to 65535

yes

W#16#0000 to
W#16#FFFF

DB_2

IN

WORD

Data block number, second range;

1 to 65535

yes

W#16#1 to
W#16#FFFF

NULL if not used


START_2

IN

WORD

First MODBUS register address

0
0 to 65535

yes

W#16#0000 to
W#16#FFFF

END_2

IN

WORD

Last MODBUS register address

0 to 65535

yes

W#16#0000 to
W#16#FFFF

DB_3

IN

WORD

Data block number, third range;

1 to 65535

yes

W#16#1 to
W#16#FFFF

NULL if not used


START_3

IN

WORD

First MODBUS register address

0
0 to 65535

yes

W#16#0000 to
W#16#FFFF

END_3

IN

WORD

Last MODBUS register address

0 to 65535

yes

W#16#0000 to
W#16#FFFF

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

4-3

Function Block MODBUS

Parameter

Decl.

Type

Description

DB_4

IN

WORD

Data block number, fourth range;

Value range

Init

1 to 65535

yes

W#16#1 to
W#16#FFFF

NULL if not used


START_4

IN

WORD

First MODBUS register address

0
0 to 65535

yes

W#16#0000 to
W#16#FFFF

END_4

IN

WORD

Last MODBUS register address

0 to 65535

yes

W#16#0000 to
W#16#FFFF

DB_5

IN

WORD

Data block number, fifth range;

1 to 65535

yes

W#16#1 to
W#16#FFFF

NULL if not used


START_5

IN

WORD

First MODBUS register address

0
0 to 65535

yes

W#16#0000 to
W#16#FFFF

END_5

IN

WORD

Last MODBUS register address

0 to 65535

yes

W#16#0000 to
W#16#FFFF

WRITE_
PROTECT1

IN

BOOL

Area 1 is write protected (only in SERVER


mode)

TRUE
FALSE

yes

WRITE_
PROTECT2

IN

BOOL

Area 2 is write protected (only in SERVER


mode)

TRUE
FALSE

Yes

WRITE_
PROTECT3

IN

BOOL

Area 3 is write protected (only in SERVER


mode)

TRUE
FALSE

yes

WRITE_
PROTECT4

IN

BOOL

Area 4 is write protected (only in SERVER


mode)

TRUE
FALSE

yes

WRITE_
PROTECT5

IN

BOOL

Area 5 is write protected (only in SERVER


mode)

TRUE
FALSE

yes

ENQ_ENR

IN

BOOL

CP is Client:
Initiate request at TRUE signal

TRUE
FALSE

no

CP is Server:
Ready to receive at TRUE signal
SERVER_
CLIENT

IN

DONE_NDR OUT

BOOL

CP/FB operates in server mode


or client mode

TRUE
FALSE

yes

BOOL

CP is Client:
Active request finished without errors

TRUE
FALSE

no

TRUE
FALSE

no

0 to FFFF

no

CP is Server:
Request from the client was executed and
answered
ERROR

OUT

BOOL

An error has occurred.

STATUS

OUT

WORD

Error number

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

4-4

Function Block MODBUS

Parameter

Decl.

Type

Description

START_
ADDRESS

IN/
OUT

WORD

MODBUS start address


(INPUT if in CLIENT mode, OUTPUT if in
SERVER mode)

LENGTH

IN/
OUT

BYTE

Value range

Init

0 to 65535

no

W#16#0000 to
W#16#FFFF

Number of registers to be processed


(INPUT if in CLIENT mode, OUTPUT if in
SERVER mode)
Read function

no

1 to 125
B#16#1 to
B#16#7D

Write function

1 to 100
B#16#1 to
B#16#64

WRITE_
READ

IN/
OUT

BOOL

Read or write access


(INPUT if in CLIENT mode, OUTPUT if in
SERVER mode)

TRUE
FALSE

no

TI

IN/
OUT

WORD

Transaction Identifier
(INPUT if in CLIENT mode, OUTPUT if in
SERVER mode)

0 to 65535

no

IN

BYTE

UNIT

General
Information

Unit identification
(INPUT if in CLIENT mode, OUTPUT if in
SERVER mode)

W#16#0 to
W#16#FFFF

0 to 255

no

B#16#0 to
B#16#FF

The parameters of the FB MODBUS can be divided into two groups:

Initialization parameters

Runtime parameters

Initialization parameters are evaluated only during the initial execution of the
function block MODBUS and taken over into the instance DB. They are
marked in the above table in the column INIT with yes.
A modification of the initialization parameters during run mode has no impact.
After a modification of these parameters (e. g. during the test phase), the
instance DB must be initialized again via a STOP RUN transition of the
CPU.
Runtime parameters can by modified during the cyclical operation. It is not
advised to modify the input parameters while a request is active. Wait with the
preparations for the next request and the change of the parameters until the
previous request ends with DONE_NDR or ERROR.
The output parameters should only be evaluated when DONE_NDR is TRUE.
Range of Values

For the range of values of the different parameters, CPU specific restrictions
must be taken into consideration.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

4-5

Function Block MODBUS

ID

For each configured connection in STEP7 a connection ID is assigned. The


connection ID identifies unambiguously the connection from the CPU via the
CP to the communication partner.
The number from the connection configuration has to be entered here.
The range of values for this parameter depends on the CPU.

LADDR

The parameter LADDR is the base address of the CP from HW Config (input
address). The configured value has to be entered here.
The range of values for this parameter depends on the CPU.
The parameters ID and LADDR can also be taken from the dialog box
Properties of TCP Connection.

TIMER_NR

This specifies the particular timer, which realizes the monitoring time
MONITOR.
The range of values for this parameter depends on the CPU. Any other
program must not use this timer.

MONITOR

The monitoring time MONITOR observes the data input from the
communication partner. The monitoring time can be set in 100 ms intervals. A
monitoring time of approximately 1,5 second is recommended.
In the operating mode CP is client MONITOR specifies the timeout for the
receipt of the complete response telegram from the server. When the
monitoring time elapses, the active request is cancelled with an error. The
timer is started after the completed send of the request telegram and is
stopped after the receipt of the complete data.
In the operating mode CP is server the receipt of the second part of the
telegram is monitored with the MONITOR time. When the time elapses an
error is reported. The timer is started after the receipt of the MODBUS specific
telegram header and is stopped after the receipt of the complete request
telegram.

DB_x
START_x
END_x

The FB offers 5 memory areas for mapping the MODBUS register addresses
in the S7 storage. One data area must be defined at minimum. The other 4
data areas are optional. Depending on the type of request, those memory
areas are read or written.
With one request only one DB can be accessed. Even if consecutive register
numbers are located in two different DBs, you need two requests to access
them. This has to be taken into account during parameterization.
In the operating mode CP is Client 3 parameters are required: DB_x,
START_x und END_x. In the operating mode CP is Server the parameter
WRITE_PROTECTx is required additionally.
The parameter DB_x specifies the DB, into which the below defined
MODBUS registers are mapped. START_x specifies the first memory
address, which is stored in word 0 of the DB. END_x defines the address of
the last MODBUS register.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

4-6

Function Block MODBUS

The number of the data word of the S7 DB in which the last register is
mapped, can be calculated with the following formula:
DBW number = (END_x START_x) 2
If 0 is entered for DB_x, the respective memory area is not used.
The defined memory areas must not overlap. The parameter END_x must not
be smaller than START_x. In case of an error the initialization of the FB is
stopped with an error.
At the end of this chapter you can find an example of the mapping of the
MODBUS addresses to S7 memory areas.
WRITE_
PROTECTx

Memory areas can be set write protected in the operating mode CP is


Server. That ensures that the client cannot write to certain memory areas of
the S7.
For each memory area there is a separate write protection flag. Write
accesses to locked memory areas initiate an Exception Telegram.

ENQ_ENR

Operating mode CP is Client:


The data transfer is initiated with a TRUE signal at the input. The request
telegram is generated with the values of the input parameters UNIT,
READ/WRITE, START_ADDRESS, LENGTH and TI. A new request may only
be initiated, when the previous one is ended with DONE or ERROR.
Operating mode CP is Server:
The FB is activated with a TRUE signal at the input. Telegrams from the client
can be received. With a FALSE signal at the input data is received from the
CP and discarded.

SERVER_CLIENT

This parameter differentiates the client from the server mode. If the input is
TRUE, then the operating mode is CP is Server.
If the input is FALSE, then the operating mode is CP is Client.

DONE_NDR

The parameter DONE_NDR indicates an error free execution of the request.


In the operating mode CP is Client the activated request was executed
without error. For a read function the response data from the server has
already been entered into the DB. For a write function the response to the
request telegram has been received from the server.
In the operating mode CP is Server this output indicates a telegram
exchange without errors. In the parameters READ_WRITE,
START_ADDRESS and LENGTH the request parameters of the client are
displayed. These outputs are only available and valid as long as DONE_NDR
is TRUE.

ERROR

When this output is set, an error was recognized.


In the operating mode CP is Client the activated request was ended with an
error. The error number is displayed in the STATUS output.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

4-7

Function Block MODBUS

In the operating mode CP is Server an error is detected at a request


telegram of the client or at sending a response telegram. The error number is
displayed in the STATUS output.
STATUS

The STATUS output displays the error number when ERROR is TRUE. The
error numbers are described in chapter 6.

START_ADDRESS

The parameter START_ADDRESS specifies the first MODBUS register that is


read or written. In the operating mode CP is Client it is an input parameter,
in the operating mode CP is Server it is an output parameter.

LENGTH

The parameter LENGTH specifies the number of MODBUS registers that are
read or written. In the operating mode CP is Client it is an input parameter.
In the operating mode CP is Server it is an output parameter.
For read functions, a maximum of 125 registers is possible per telegram. For
write functions a maximum of 100 registers is possible. All registers have to
be in the same DB per telegram.

WRITE_READ

This parameter defines if a read or write function should be carried out. If the
value of the input/output is FALSE, it specifies the read mode. The value
TRUE specifies the write mode. In the operating mode CP is Client it is an
input parameter. In the operating mode CP is Server it is an output
parameter.

TI

The parameter TI, Transaction Identifier is copied by the server from the
request telegram to the respond telegram according to the MODBUS
specification.
In the operating mode CP is Client it is an input parameter. The FB copies
this value to the request telegram and verifies when the respond telegram is
received.
In the operating mode CP is Server it is an output parameter. The FB copies
this value from the request telegram to the respond telegram.
The Transaction Identifier is used for identification of telegrams, respectively
the correlation of request and respond. The FB MODBUS can only do this
correlation if the TI is changed with each transaction. A changed TI can only
solve some special situations caused by TCP. A reliable operation of the FB
can be obtained with a changed TI. Therefore we recommend to increment
the TI by 1 with any request.

UNIT

In mode CP is Client the parameter UNIT is an input parameter. This input


has to be set according to the requirements. The FB copies this value to the
request telegram and verifies when the respond telegram is received.
In mode CP is Server the parameter UNIT is an output parameter. The FB
copies this value from the request telegram to the respond telegram. The
output is set with the received value when the job is finished without error.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

4-8

Function Block MODBUS

Example:
Parameterization
of the Memory
Areas

SERVER_CLIENT
DB_1
START_1
END_1
WRITE_ PROTECT1
DB_2
START_2
END_2
WRITE_ PROTECT2
DB_3
START_3
END_3
WRITE_ PROTECT3
DB_4
DB_5

Server
W#16#A (10)
W#16#1 (1)
W#16#8 (8)
FALSE
W#16#B (11)
W#16#B (11)
W#16#11 (17)
TRUE
W#16#C (12)
W#16#64 (100)
W#16#67 (103)
FALSE
0
0

DB 10
Address
+0.0
+2.0
+4.0
+6.0
+8.0
+10.0
+12.0
+14.0

Name

Type

Comment

Register 1
Register 2
Register 3
Register 4
Register 5
Register 6
Register 7
Register 8

WORD
WORD
WORD
WORD
WORD
WORD
WORD
WORD

read write
read write
read write
read write
read write
read write
read write
read write

Name

Type

Comment

Register 11
Register 12
Register 13
Register 14
Register 15
Register 16
Register 17

WORD
WORD
WORD
WORD
WORD
WORD
WORD

read only
read only
read only
read only
read only
read only
read only

Name

Type

Comment

Register 100
Register 101
Register 102
Register 103

WORD
WORD
WORD
WORD

read write
read write
read write
read write

DB 11
Address
+0.0
+2.0
+4.0
+6.0
+8.0
+10.0
+12.0

DB 12
Address
+0.0
+2.0
+4.0
+6.0

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

4-9

Function Block MODBUS

4.3

Parameters of the Function Block MODB4

Description of the
Parameters

Subsequent you will find the additional parameters of FB MODB4. The


parameters of FB MODBUS apply too.

Parameter

Decl.

Type

Description

DB_6

IN

WORD

START_6

IN

WORD

Value range

Init

Data block number, sixth range


for input registers

1 to 65535

yes

First MODBUS register address

0 to 65535

W#16#1 to
W#16#FFFF

yes

W#16#0000 to
W#16#FFFF

END_6

IN

WORD

Last MODBUS register address

0 to 65535

yes

W#16#0000 to
W#16#FFFF

DB_7

IN

WORD

Data block number, seventh range;


for input registers
NULL if not used

START_7

IN

WORD

First MODBUS register address

1 to 65535

yes

W#16#1 to
W#16#FFFF

0
0 to 65535

yes

W#16#0000 to
W#16#FFFF

END_7

IN

WORD

Last MODBUS register address

0 to 65535

yes

W#16#0000 to
W#16#FFFF

DB_8

IN

WORD

Data block number, eighth range;


input registers
NULL if not used

START_8

IN

WORD

First MODBUS register address

1 to 65535

yes

W#16#1 to
W#16#FFFF

0
0 to 65535

yes

W#16#0000 to
W#16#FFFF

END_8

IN

WORD

Last MODBUS register address

0 to 65535

yes

W#16#0000 to
W#16#FFFF

INPUT_
HOLDING

DB_x
START_x
END_x

IN/
OUT

BOOL

CP/FB operates with input registers (FC3)


or holding registers (FC4)

TRUE
FALSE

no

The FB MODB4 offers 3 additional memory areas for mapping the MODBUS
register addresses of input registers in the S7 storage. One data area must
be defined at minimum. The other 2 data areas are optional. These three
memory areas can only be read.
With one request only one DB can be accessed. Even if consecutive register
numbers are located in two different DBs, you need two requests to access
them. This has to be taken into account during parameterization.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

4-10

Function Block MODBUS

The parameter DB_x specifies the DB, into which the below defined
MODBUS registers are mapped. START_x specifies the first memory
address, which is stored in word 0 of the DB. END_x defines the address of
the last MODBUS register.
The number of the data word of the S7 DB in which the last register is
mapped, can be calculated with the following formula:
DBW number = (END_x START_x) 2
If 0 is entered for DB_x, the respective memory area is not used.
The defined memory areas 6 to 8 must not overlap. The parameter END_x
must not be smaller than START_x. In case of an error the initialization of the
FB is stopped with an error.
Input registers and holding registers are addressed from 0 to FFFFH each.
The two register types are physical different memory areas. Within DB_1 to
DB_5 as well as DB_6 to DB_8 register numbers must not overlap. But
register numbers may exist in both areas, DB_1 to DB_5 and DB_6 to DB_8
INPUT_HOLDING

This parameter defines if an input registers or holding registers should be


worked on. If the value of the input/output is FALSE, it specifies that holding
registers are executed. The value TRUE specifies execution of input
registers. In the operating mode CP is Client it is an input parameter. In the
operating mode CP is Server it is an output parameter.
Holding registers can be read and written. Function code 3 reads holding
registers, function code 16 writes holding registers.
Input registers can only be read. Function code 4 reads input registers.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

4-11

Function Block MODBUS

4.4

Data and Standard Functions used by the FB

Instance DB

The function block MODBUS stores its data in an instance DB. This instance
DB is created by STEP7 at the first call of the FB.
The instance data block contains parameters of type Input, Output,
Input/Output as well as static variables that it needs for its execution. These
variables are non-volatile and keep its validity between FB calls. The
variables control the internal process flow of the FB.
Required memory of the instance-DBs:
Instanz-DB

work memory

load memory

MODBUS

704 Byte

1070 Byte

MODB4

742 Byte

1148 Byte

Local Variables

The FB requires 102 Bytes of local variables. Additionally AG_SEND or


AG_RECV require local variables, up to 58 bytes, depending on the used
function block. That gives a maximum of 160 Bytes of local data for a FB
MODBUS-call.

Timers

The function block uses one timer to realize the monitoring time. The number
of the used timer that you want to use can be parameterized.

Flags

The function block does not use any flags.

Standard FCs for


Data Transfer

The function block uses the blocks AG_SEND/AG_LSEND and


AG_RECV/AG_LRECV from the SIMATIC_NET library for the data transfer
between CPU and CP.
The following versions of the FCs are tested with FB MODBUS and released
for the communication:

SFCs for
Miscellaneous
Functions

S7-300:

FC5 AG_SEND version 4.2


FC6 AG_RECV version 4.7

S7-400

FC50 AG_LSEND version 3.0


FC60 AG_LRECV version 3.0

The FB MODBUS uses the following SFCs from the standard library:

SFC6 READ_SINFO

SFC24 TEST_DB

With the SFC6 the FB checks if it was called from OB100 or OB1 and decides
this way if the initialization part or the cyclic part should be executed.
A call of SFC24 determines, whether the DB specified in DB_x is available at
runtime and has the required length.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

4-12

bertragungsprotokoll

Transmission Protocol

5.1

General Communication Architecture

General MODBUS
frame

The MODBUS protocol defines a simple Protocol Data Unit (PDU)


independent of the underlying communication layers. The mapping of
MODBUS protocol on specific buses or networks can introduce some
additional fields on the Application Data Unit (ADU).
ADU
Additional
address

Function
code

Data

Error
Check

PDU
MODBUS on
TCP/IP Application
Data Unit

The picture shows the encapsulation of a MODBUS request or response


when it is carried on a MODBUS TCP/IP network.
MODBUS TCP/IP ADU
Header

Function
code

Data

PDU
With MODBUS on TCP the error check of TCP is used, so the error check of
the general MODBUS frame is not used.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

5-1

Transmission Protocol

5.2

Overview

General
Information

The protocol Open MODBUS/TCP uses the standardized TCP/IP protocol to


transfer data. The MODBUS specific data is created or verified by the FB.
The function block complies Conformance Class 0 of the MODBUS
specification.

Client/Server

The PLC S7 with its CP and FB can act as both client and server.
Functionality multitasking of server according to the MODBUS reference is
not supported.
The client sends a request telegram to the server. The server responds
within the monitoring time. The server itself cannot initiate any data
transmission. A communication from server to server is not possible.

Function Codes

Conformance Class 0 consists of the following codes:

FC3:

FC16: Write holding register

Read holding register

The function block MODB4 comprises the following function code in addition
to Conformance Class 0:

Protocol Structure

FC4:

Read input registers

An Open MODBUS/TCP telegram starts with a header. This header is


identical for request and response telegrams and consists of 6 bytes.
The 6 bytes of the header are defined as follows:
Byte 0 : Transaction Identifier
Byte 1 : Transaction Identifier
Byte 2 : Protocol Identifier = 0
Byte 3 : Protocol Identifier = 0
Byte 4 : Length Specifier, High Byte = 0
Byte 5 : Length Specifier, Low Byte
Followed by:
Byte 6 : Unit Identification
Byte 7 : MODBUS Function Code
Byte 8 : first byte of Telegram Data

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

5-1

Transmission Protocol

Transaction
Identifier

The server copies the Transaction Identifier TI from the request telegram to
the response telegram according to the MODBUS specification.
With a TI changed cyclically it is possible to have a firm correlation of
request and respond telegrams. We recommend using a TI, which is
incremented with every telegram sequence.
In the operating mode CP is Client the received transaction identifier is
compared to the one sent. If differences appear, the actual job is ended with
an error.
In the operating mode CP is Server the received transaction identifier is
copied to the response telegram.

Protocol Identifier

The protocol identifier must always be 0. The FB sets the protocol identifier
in the request telegram to 0. When a telegram is received, the protocol
identifier is checked for the value 0. A value other than 0 creates an error
message.

Length Field

The length specifier in the length field defines the data length of the telegram
without the Header (starting with byte 6). Thus the end of the telegram is
determined. The following telegram lengths are allowed for request and
response telegrams for read and write functions:
Request

Response

Read

3 or 5 to 253

Write

9 to 207

3 or 6

Unit Identifier

The parameter UNIT identifies a remote slave connected on a serial line or


on other buses. It is used for intra-system routing purposes.
With MODBUS/TCP the parameter UNIT is copied from the request to the
respond telegram. The Master verifies that the UNIT of the received
telegram is identical to the one in the telegram sent.

Function Code

The function code describes the function of the telegram. The structure of the
telegram data depends on the function code.

Interpretation of
MODBUS Register
Addresses

MODBUS bases its data model on a series of tables, which have


distinguishing characteristics. The distinction between these memory areas is
done via the register address by some systems, e.g. MODICON PLCs. So a
MODBUS message requesting the read of a holding register at offset 0 would
return the value known to the application programmer as found in register
40001 (memory type 4xxxx, reference 0001).
One potential source of confusion is the varying interpretation of the register
address in different manuals. Sometimes the register address means the
address of the application layer, sometimes the address transferred.
The FB MODBUS uses the register address transferred at its parameters
START_x und START_ADDRESS. So it is possible to use register addresses
from von 0000H to FFFFH with each function code.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

5-2

Transmission Protocol

5.3

Function Code 03 Read Holding Registers

General
Information

With the function code multiple holding registers can be read. The request
telegram contains UNIT, the function code, the start address of the registers
and the number of registers to be read.
The response telegram contains UNIT, the function code, the byte count for
the following data as well as the contents of the registers that were read. In
case of an error, the response can be an exception code telegram.
An open MODBUS/TCP specific header precedes the telegram structure that
is shown below.

Request Telegram

Byte 0: Unit Identifier


Byte 1: Function Code = 03
Byte 2: Register Start Address, High Byte
Byte 3: Register Start Address, Low order Byte
Byte 4: Number of Registers, High Byte = 0
Byte 5: Number of Registers, Low Byte

Response
Telegram

Byte 0: Unit Identifier


Byte 1: Function Code = 03
Byte 2: Byte count
Byte 3 to ( 2 * number of registers +2 ): Register Values

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

5-3

Transmission Protocol

5.4

Function Code 16 Write Holding Register

General

With function code 16 multiple holding registers can be written. The request
telegram contains UNIT, the function code, the start address of the registers,
the byte count and the values to be written.
The response telegram contains UNIT, the function code, the start address of
the registers and the number of registers written. In case of an error, the
response can be an exception code telegram.
The open MODBUS/TCP specific header precedes the telegram structure
shown below.

Request Telegram

Byte 0: Unit Identification


Byte 1: Function Code = 10H
Byte 2: Register Start Address, High Byte
Byte 3: Register Start Address, Low Byte
Byte 4: Number of Registers, High Byte = 0
Byte 5: Number of Registers, Low Byte
Byte 6: Byte Count
Byte 7 to ( 2 * number of words + 2 ): Register values

Response
Telegram

Byte 0: Unit Identification


Byte 1: Function Code = 10H
Byte 2: Register Start Address, High Byte
Byte 3: Register Start Address, Low Byte
Byte 4: Number of Registers, High Byte = 0
Byte 5: Number of Registers, Low Byte

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

5-4

Transmission Protocol

5.5

Exception Code Telegram

General
Information

For certain errors the server responds with an exception code telegram.

Telegram
Structure

The exception code telegram contains UNIT, the function code in which Bit 27
is set and the exception code.
The open MODBUS/TCP specific header precedes the telegram structure
shown below.
Byte 0: Unit Identification
Byte 1: Function Code + 80H
Byte 2: Exception Code
Exception
Code

According to
MODBUS
specification

01

Illegal Function

02

Illegal Data Address

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

Reason

Function code not defined

FC16: Access to write


protected area

DB does not exist

Not all the data are located in


the same DB

Number of registers is too


high

5-5

Transmission Protocol

5.6

Function Code 04 Read Input Registers

General
Information

With the function code multiple input registers can be read. The request
telegram contains UNIT, the function code, the start address of the registers
and the number of registers to be read.
The response telegram contains UNIT, the function code, the byte count for
the following data as well as the contents of the registers that were read. In
case of an error, the response can be an exception code telegram.
An open MODBUS/TCP specific header precedes the telegram structure that
is shown below.

Request Telegram

Byte 0: Unit Identifier


Byte 1: Function Code = 04
Byte 2: Register Start Address, High Byte
Byte 3: Register Start Address, Low order Byte
Byte 4: Number of Registers, High Byte = 0
Byte 5: Number of Registers, Low Byte

Response
Telegram

Byte 0: Unit Identifier


Byte 1: Function Code = 04
Byte 2: Byte count
Byte 3 to ( 2 * number of registers +2 ): Register Values

5.7

Further Sources of Information


Please find further information on the Open MODBUS/TCP protocol in the
document listed in appendix A.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

5-6

Diagnostics

Diagnostics

Diagnostic
Function

The diagnostic functions of the CP 343/ CP 443 allow you fast failure
localization. The following diagnostic features are available:
Diagnostics via the display elements of the CP
Diagnostics via the STATUS output of the MODBUS function block.

Display Elements
(LED)

The display elements inform you about the operating mode or about the
failure conditions of the CP. The display elements give you an overview of
internal failures, external failures and interface specific failures.

STATUS Output of
the MODBUS FB

For error diagnostics, the MODBUS function block has a STATUS output. By
reading the STATUS output you get a general indication of failures that have
occurred during the communication. The STATUS parameter can be
evaluated in the users program.

6.1

Diagnostics via the Display Elements of the CP

Display Functions

The display elements of the CP give you information on the module status.
There are two types of display functions:

Group Error Displays


- INTF Internal failure
- EXTF External failure

Special Displays
CP 343-1:
- RX/TX
A telegram is being transmitted via the interface.
CP 443-1:
- TXD
A telegram is being sent via the interface.
- RXD
A telegram is being received via the interface.

A detailed description of the display elements can be found in the device


manual of the CP.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

6-1

Diagnostics

6.2

Verification by the FB MODBUS

During start up

Parameter group DB_x, STAT_x, END_x. (x 1 to 5)


1. With DB_x = 0 the register area is disabled and not verified
further. At least one area must be enabled.
2. Test END_x >= START_x
3. Register addresses that are defined in two DB_x lead to an
error message (register overlap).

Evaluation of the monitoring time MONITOR

CP is Server:
UNIT is within the allowed range of values.

Errors during start up provoke the ERROR bit to remain set. In the cyclical
operation no requests are executed. A correction of the parameterization and
a STOP RUN transition of the CPU are necessary.
Cyclical Operation
CP is Client

Verification when the FB is called:

Range of values START_ADRESS

Range of values LENGTH

At the execution of a request, it is checked whether the data block


that is specified by the register address is available and has the
necessary length.

Receipt of the response telegram within the monitoring time.


The monitoring time can also elapse if less data than specified in the
MODBUS telegram header is received. Subsequent failures with loss
of telegrams can occur.

Verification in the response telegram:

Received transaction identifier is equal to the sent one.

Protocol identifier = 0

Length is between 3 and 253


Besides the length in the header of the response telegram is checked
for plausibility regarding the request.

UNIT sent is equal to the received one.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

6-2

Diagnostics

Cyclical Operation
CP is Server

FC sent is equal to the received one.

Response is an Exception Code Telegram.

For read requests, the number of registers in the request telegram,


length in the header and byte count in the telegram must match.

For write requests it is verified that start address and number of


registers match with the request telegram.

Receipt of the second part of the request telegram within the


monitoring time.

The monitoring time also can elapse if less data than specified in the
MODBUS telegram header is received. Subsequent failures can
occur with loss of telegrams.

Protocol Identifier = 0

Length between 6 and 207


Additional the length in the header of the response telegram is
checked for plausibility regarding the telegram data.

Received FC is verified. If the FC is not equal to 03 or 16 an


exception telegram is sent.

For write requests, the length in the header, the number of registers
and the byte count in the telegram must match.

The number of registers is verified. If the number is too large an


exception telegram is sent.

Access to write protected area: Send exception telegram.

At the execution of a request, it is checked whether the data block


that is specified by the register address is present and has the
necessary length. In case of an error an exception telegram is sent.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

6-3

Diagnostics

Lost
Synchronization

The lost synchronization described below can only occur when the
communication partner has extreme malfunctions or there are serious
interferences on the transmission line.
In order to read a MODBUS specific telegram header, the function block
MODBUS starts an AG_RECV with 6 bytes length. With the length in the
telegram header another AG_RECV is started. If the length in the telegram
header is not equal to the actual number of bytes sent to the CP (which is a
serious failure), the CP resolves this situation as follows:
1. More data as specified in the header is received:
The next AG_RECV gets data that are not compliant with the
MODBUS specific header. This leads to after effects like wrong TI or
PI, data is interpreted as a length specification, the length used by
FB/AG_RECV is wrong.
2. Less data as specified in the header is received:
The activated AG_RECV returns no ready signal and the monitoring
time MONITOR elapses. The activated AG_RECV has only received
a part of the data, therefore it is still in the receiving state. This
AG_RECV cannot be cancelled. More data has to be received in
order to be synchronized again.
In operating mode CP is client the request of the FB MODBUS is
cancelled with ERROR. Another FB request can be activated. The
response data is received with the old AG_RECV. Receiving must
continue until the expected amount of data has been received.
Multiple requests, which all end with the status monitoring time
elapsed, might be necessary to regain synchronization.
In the operating mode CP is server the expected amount of data
must be reached with request telegrams of the client. Multiple error
messages No response from server might occur at the client.
When the old AG_RECV ends, the FB reads a single byte in order to
receive a possible telegram fragment from the CP. The reading is
observed with the monitoring time MONITOR as well. When the
monitoring time elapses it is assumed that the synchronization has
been regained. The normal operation of the FB MODBUS is
continued.
3. The announced amount of data does not match the request telegram
(CP is client):
The FB MODBUS receives the announced amount of data and
ignores it. ERROR and STATUS return an error code.
The above mentioned function of the FB is necessary because neither the
TCP/IP connection nor the activated AG_RECV can be cancelled.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

6-4

Diagnostics

6.3

Diagnostic Messages of the FB MODBUS

Messages at the
STATUS Output of
the FB

The error messages are displayed at the status output of the FB MODBUS.
STATUS is valid when ERROR is TRUE. Below you will find a list of FB
specific error messages.

Error Messages of
the called SFCs
and FCs

The FB MODBUS uses the standard functions SFC6, SFC24, FC5 and FC6,
or FC50 and FC60. The error messages of these blocks are passed on
without any changes.
In the diagnostics buffer or in the online help of SIMATIC Manager you will
find further details on these error messages, as well as in the SIMATIC
STEP7 NCM S7 Industrial Ethernet Manual.

Error messages of FB MODBUS


STATUS Event text

Remedy

(Hex)

A002

The parameter END_x is less than START_x.

Correct the parameterization

A003

The DB, to which MODBUS addresses shall be


mapped, is too short.
Minimum length: ( END_x START_x + 1 ) 2

Extend the DB.


CP is Client: Correct the
parameters START_ADDRESS
or LENGTH

Other possible reasons:

A004

Wrong initialization parameter (CP is client)

CP is Server:
Wrong address area in the request telegram of Modify the request of the client.
the client (CP is server)

Applies only with CP is client:

Correct the parameters.

Both parameters INPUT_HOLDING and


WRITE_READ are set. It is not possible to write input
registers.
A005

CP is client:
An invalid value for the parameter LENGTH is given.

CP is Client:
Correct the parameter LENGTH.

CP is Server:
The number of registers in the request telegram is
invalid.
Range of values: 1 to 125 for read, 1 to 100 for write.

CP is Server:
Modify the number of registers in
the request telegram.

A006

The given range of registers does not exist in DB_1 to


DB_5.

CP is Client:
Correct the parameters
combination START_ADDRESS,
LENGTH.
CP is Server:
Modify the request of the client or
correct the parameterization of
DB_x.

A007

An invalid monitoring time MONITOR is


parameterized. Range of values: 1 to 999

Correct the parameterization.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

6-5

Diagnostics

Error messages FB MODBUS


STATUS Event text

Remedy

(Hex)

A008

Monitoring time MONITOR elapsed when AG_RECV


waits for receipt.

Verify error messages at the


communication partner.

E.g. connection is not established. Partner is not


ready.

Check if the communication


partner needs a special unit
identifier.

As an after effect the loss of synchronization can


occur, which leads to a loss of telegrams.
A009

A Protocol Identifier not equal to 0 was received,


or if CP is client:
The received transaction identifier TI is not equal to the
sent one.
This error can also indicate an unsuccessful attempt
for synchronization.
This error may occur once, when CPU Restart is
executed during data transfer. In that case the CP
turns over old data to the CPU.

Verify the data of the


communication partner with the
help of a telegram trace.
CP is server:
Ensure that the parameterized
monitoring time MONITOR is
shorter than the monitoring time
MONITOR of the client. This is
necessary to remove corrupted
data from the CP.

A00A

CP is client:
The received UNIT is not equal to the sent one.

Verify the data of the


communication partner with the
help of a telegram trace.

A00B

CP is client:
Received function code is not equal to the sent one.
CP is server:
An invalid Function Code was received.

CP is client:
Verify the data of the
communication partner with the
help of a telegram trace.
CP is Server :
The FB supports only the function
codes 03 and 16

A00C

The received byte count does not match the number of Verify the data of the
registers.
communication partner with the
help of a telegram trace.

A00D

The register address in the response telegram is not


equal to the one in the request telegram (only if CP is
client).

A00E

The length indicated in the MODBUS specific telegram Verify the data of the
header does not match the number of registers or the communication partner with the
byte count in the telegram. The FB receives all data
help of a telegram trace.
and ignores them. As an after effect a loss of
synchronization might occur.

A00F

CP is server
Attempt to write on a write protected area.

Modify the request of the client or


correct the parameterization.

A010

The parameterized area DB_1 to DB_8 a DB number


is used twice.

Correct the parameterization.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

Verify the data of the


communication partner with the
help of a telegram trace.

6-6

Diagnostics

Error messages the FB MODBUS


STATUS Event text

Remedy

(Hex)

A01A

Corrupted data or wrong length in header:


Byte 4 of the prefix is not equal to 0

Verify the data of the


communication partner with the
help of a telegram trace.

A01B

An exception telegram with exception code 1 was


received (only if CP is client)

The communication partner does


not support the requested
function.

A01C

An exception telegram with exception code 2 was


received (only if CP is client)

Correct LENGTH or
START_ADDRESS at the call of
the FB.

An attempt to an invalid or non existing address at the


communication partner was made or not all data are
located in the same DB.
A01D

An exception telegram with an unknown exception


code was received (only if CP is client).

Check the error message of the


communication partner and verify
the data with a telegram trace if
needed.

A01E

The CP has received invalid data which could not be


assigned. The CP has lost synchronization and needs
data from the communication partner to finish the
active AG_RECV.

Check the error message of the


communication partner and verify
the data with a telegram trace if
needed.

A012

The parameterized DB_1 and DB_2 overlap.

Correct the parameterization.

A013

The parameterized DB_1 and DB_3 overlap.

A014

The parameterized DB_1 and DB_4 overlap.

The data areas must not contain


any overlapping register areas.

A015

The parameterized DB_1 and DB_5 overlap.

A023

The parameterized DB_2 and DB_3 overlap..

A024

The parameterized DB_2 and DB_4 overlap.

A025

The parameterized DB_2 and DB_5 overlap.

A034

The parameterized DB_3 and DB_4 overlap.

A035

The parameterized DB_3 and DB_5 overlap.

A045

The parameterized DB_4 and DB_5 overlap.

Correct the parameterization.

A067

The parameterized DB_6 and DB_7 overlap.

A068

The parameterized DB_6 and DB_8 overlap.

The data areas must not contain


any overlapping register areas.

A078

The parameterized DB_7 and DB_8 overlap.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

6-7

Diagnostics

6.4

Diagnostic Messages of included FCs/SFCs

Error messages of included FCs/SFCs


STATUS Event text

Remedy

(Hex)

7xxx

For detailed information please refer to the online help


of SIMATIC Manager.

See online help (SIMATIC


manager -> mark block -> key F1
> Ethernet -> see also -> code
evaluation )

8xxx

For detailed information please refer to the online help


of SIMATIC Manager.

See online help (SIMATIC


manager -> mark block -> key F1
> Ethernet -> see also -> code
evaluation )

6.5

Diagnostic Messages of SFC24

Error messages of SFC24


STATUS Event text

Remedy

(Hex)

80A1

DB Number = 0 or too large for the CPU

Choose a valid DB number.

80B1

The DB does not exist in the CPU.

All data blocks that are specified


in DB_x must be created and
copied into the CPU.

80B2

DB UNLINKED

DB must not be created as


UNLINKED.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

6-8

Application Sample

Application Sample

General
Information

The following simple programming example illustrates the use of


FB MODBUS.
The S7 program is for information purposes only and is not to be
understood as a solution for a customer specific installation configuration.

Example Project
on the CD

On the CD you can find an extensive example project, which offers all
varieties of parameterization possibilities for the Simatic stations.

Simatic Station is S7-300 or S7-400

Simatic Station is client or server

Use of FB MODBUS or FB MODB4

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

7-1

Application Sample

Simatic Stations in
the Example
Project

The example project consists of the following Simatic stations:


Station Name

S7300

S7400

Client

S7-400(Client-MODB4)

S7-400(Server-MODB4)

Simatic 400(Client)

Simatic 400(Server)

S7-300(Client-MODB4)

S7-300(Server-MODB4)

Simatic 300(Client)

Simatic 300(Server)

Server

FB
MODBUS

FB
MODB4
x

x
x

x
x

x
x

x
x

Two connections are defined per station to show you the different kinds of
parameterization. During run-time only one TCP-connection is necessary.
If a S7 as client runs with a third party device, please use the connection to
other station.
If a S7 as server runs with a third party device, please use the unspecified
connection.
If two S7 communicate, please use the connection S7 S7.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

7-2

Application Sample

Programming
Example

The programming example consists of:

Used Blocks

The following blocks are used in the printed programming example. This
block numbers are also used in the example project for S7 stations with FB
MODBUS.

Start-Up OB100, FB200/FB201


Cyclic program processing OB1 with call of FB 100/FB101
Work-DB for job trigger e.g. with variable table
Data blocks for register values

S7 stations with FB MODB4 of the example project use partly


different/additional block numbers, which are not printed bold in the following
table.
Block

Used Data

Symbol

Comment

OB 1

Cyclic program processing

OB 100

Start-Up OB for Re-Start

FB 200/ FB201

FB INITIATE_MODBUS/ INIT_MODB for


Start-Up

FB 100/ FB202

FB MODBUS/ FB MODB4

DB 100/ DB101

Instance-DB for FB MODBUS

DB 200/ DB201

Instance-DB for FB INITIATE_MODBUS

DB 222/ DB223

Work-DB CONTROL DAT/ CONTR_DAT


for FB MODBUS, FB INITIATE_MODBUS

DB 11

Register -DB for memory area 1

DB 12

Register -DB for memory area 2

DB 13

Register -DB for memory area 3

DB 14

Register -DB for memory area 4

DB 15

Register -DB for memory area 5

DB 16

Register -DB for memory area 3

DB 17

Register -DB for memory area 4

DB 18

Register -DB for memory area 5

The following operands (memory bits, data bits or data words) have been
used in the programming example.
You can find the structure of DB223 in the example project.
Operand

Type

Name

T5

TIMER

unattached TIMER

DB222.DBW 0

INT

"CONTROL DAT".ID

DB222.DBW 2

WORD

"CONTROL DAT".LADDR

DB222.DBB 4

INT

"CONTROL DAT".RESERVED1

DB222.DBW 6

INT

"CONTROL DAT".MONITOR

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

7-3

Application Sample

Operand

Type

Name

DB222.DBW 8

WORD

"CONTROL DAT". DB_1

DB222.DBW 10

WORD

"CONTROL DAT". START_1

DB222.DBW 12

WORD

"CONTROL DAT". END_1

DB222.DBW 14

WORD

"CONTROL DAT". DB_2

DB222.DBW 16

WORD

"CONTROL DAT". START_2

DB222.DBW 18

WORD

"CONTROL DAT". END_2

DB222.DBW 20

WORD

"CONTROL DAT". DB_3

DB222.DBW 22

WORD

"CONTROL DAT". START_3

DB222.DBW 24

WORD

"CONTROL DAT". END_3

DB222.DBW 26

WORD

"CONTROL DAT". DB_4

DB222.DBW 28

WORD

"CONTROL DAT". START_4

DB222.DBW 30

WORD

"CONTROL DAT". END_4

DB222.DBW 32

WORD

"CONTROL DAT". DB_5

DB222.DBW 34

WORD

"CONTROL DAT". START_5

DB222.DBW 36

WORD

"CONTROL DAT". END_5

DB222.DBX 38.0

BOOL

"CONTROL DAT".WRITE_PROTECT1

DB222.DBX 38.1

BOOL

"CONTROL DAT".WRITE_PROTECT2

DB222.DBX 38.2

BOOL

"CONTROL DAT".WRITE_PROTECT3

DB222.DBX 38.3

BOOL

"CONTROL DAT".WRITE_PROTECT4

DB222.DBX 38.4

BOOL

"CONTROL DAT".WRITE_PROTECT5

DB222.DBX 38.5

BOOL

"CONTROL DAT". ENQ_ENR

DB222.DBX 38.6

BOOL

"CONTROL DAT".SERVER_CLIENT

DB222.DBW 39

BYTE

"CONTROL DAT".RESERVED2

DB222.DBX 40.0

BOOL

"CONTROL DAT".DONE_NDR

DB222.DBX 40.1

BOOL

"CONTROL DAT".ERROR

DB222.DBW 42

WORD

"CONTROL DAT".STATUS

DB222.DBW 44

WORD

"CONTROL DAT".START_ADRESS

DB222.DBW 46

WORD

"CONTROL DAT".LENGTH

DB222.DBX 47.0

BOOL

"CONTROL DAT".WRITE_READ

DB222.DBW 48

WORD

"CONTROL DAT".TI

DB222.DBW 50

WORD

"CONTROL DAT".TI

Operand

Type

Name

DB11.DBW 0
DB11.DBW 248

ARRAY[1..125]
WORD

"REG_BEREICH_1".DB-REG1[1]
"REG_BEREICH_1".DB-REG1[125]

DB12.DBW 0
DB12.DBW 248

ARRAY[1..125]
WORD

"REG_BEREICH_2".DB-REG2[1]
"REG_BEREICH_2".DB-REG2[125]

DB13.DBW 0
DB13.DBW 248

ARRAY[1..125]
WORD

"REG_BEREICH_3".DB-REG3[1]
"REG_BEREICH_3".DB-REG3[125]

DB14.DBW 0
DB14.DBW 248

ARRAY[1..125]
WORD

"REG_BEREICH_4".DB-REG4[1]
"REG_BEREICH_4".DB-REG4[125]

DB15.DBW 0
DB15.DBW 248

ARRAY[1..125]
WORD

"REG_BEREICH_5".DB-REG5[1]
"REG_BEREICH_5".DB-REG5[125]

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

7-4

Application Sample

7.1

Programming Example CP is Client

Programming
Example

Start-Up

The blocks are listed as follows:


Block

Comment

OB 1

Cyclic Program Processing

OB 100

Start-Up OB for Re-start

FB 200

FB INITIATE_MODBUS for Start-up OB

DB 222

work-DB "CONTROL DAT"


for FB MODBUS, FB INITIATE_MODBUS

OB100

Start-Up-OB
Call of FB 200 for initialization of "MODBUS"

CALL "INITIATE_MODBUS" , "INITIATE DAT"


ID
LADDR
TIMER_NR
MONITOR
DB_1
START_1
END_1
DB_2
START_2
END_2
DB_3
START_3
END_3
DB_4
START_4
END_4
DB_5
START_5
END_5
WRITE_PROTECT1
WRITE_PROTECT2
WRITE_PROTECT3
WRITE_PROTECT4
WRITE_PROTECT5
ENQ_ENR
SERVER_CLIENT

:=2
:=W#16#7FC
:=T5
:=
:= W#16#B
:= W#16#1
:= W#16#7D
:= W#16#C
:= W#16#7E
:= W#16#FA
:= W#16#D
:= W#16#FB
:= W#16#177
:= W#16#E
:= W#16#178
:= W#16#1F4
:= W#16#F
:= W#16#1F5
:= W#16#271
:=
:=
:=
:=
:=
:=FALSE
:=FALSE

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

// fr. NETPRO connection table


// from HW Config
// nonattached Timer
// first memory area

// second memory area

// third memory area

// fourth memory area

// fifth memory area

// with CP is client
// irrelevant

// trigger bit
// CP is client

7-5

Application Sample

FB 200 "INITIATE_MODBUS"
The FB 200 copies its parameters into the DB222 to provide the user with the
opportunity to start jobs with the Variable Table.
OPN "CONTROL DAT"

// DB 222

L
T

#ID
"CONTROL DAT".ID

L
T

#LADDR
"CONTROL DAT".LADDR

L
T
L
T
L
T

#DB_1
"CONTROL DAT".DB_1
#START_1
"CONTROL DAT".START_1
#END_1
"CONTROL DAT".END_1

L
T
L
T
L
T

#DB_2
"CONTROL DAT".DB_2
#START_2
"CONTROL DAT".START_2
#END_2
"CONTROL DAT".END_2

L
T
L
T
L
T

#DB_3
"CONTROL DAT".DB_3
#START_3
"CONTROL DAT".START_3
#END_3
"CONTROL DAT".END_3

L
T
L
T
L
T

#DB_4
"CONTROL DAT".DB_4
#START_4
"CONTROL DAT".START_4
#END_4
"CONTROL DAT".END_4

L
T
L
T
L
T

#DB_5
"CONTROL DAT".DB_5
#START_5
"CONTROL DAT".START_5
#END_5
"CONTROL DAT".END_5

A
=

#SERVER_CLIENT
"CONTROL DAT".SERVER_CLIENT

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

7-6

Application Sample

CALL "MODBUS" , "MODBUS_DAT"


ID
LADDR
TIMER_NR
MONITOR
DB_1
START_1
END_1
:
DB_2
START_2
END_2
DB_3
START_3
END_3
DB_4
START_4
END_4
DB_5
START_5
END_5
WRITE_PROTECT1
WRITE_PROTECT2
WRITE_PROTECT3
WRITE_PROTECT4
WRITE_PROTECT5
ENQ_ENR
SERVER_CLIENT
DONE_NDR
ERROR
STATUS
START_ADDRESS
LENGTH
WRITE_READ
TI
UNIT
AN
JC

:="CONTROL DAT".ID
:="CONTROL DAT".LADDR
:=#TIMER_NR
:=
:="CONTROL DAT".DB_1
:="CONTROL DAT".START_1
="CONTROL DAT".END_1
:="CONTROL DAT".DB_2
:="CONTROL DAT".START_2
:="CONTROL DAT".END_2
:="CONTROL DAT".DB_3
:="CONTROL DAT".START_3
:="CONTROL DAT".END_3
:="CONTROL DAT".DB_4
:="CONTROL DAT".START_4
:="CONTROL DAT".END_4
:="CONTROL DAT".DB_5
:="CONTROL DAT".START_5
:="CONTROL DAT".END_5
:=
:=
:=
:=
:=
:="
:="CONTROL DAT".SERVER_CLIENT
:=
:=CONTROL DAT".ERROR
:=CONTROL DAT".STATUS
:=
:=
:=
:=
:=

"CONTROL DAT".ERROR
TRIG

//Init completed without error


//Init completed with error
//put your error handling here

TRIG:

JU

END

L
T

1
"CONTROL DAT".UNIT

L
T

1
"CONTROL DAT".START_ADDRESS

L
T

2
"CONTROL DAT".LENGTH

L
L
+I
T

"CONTROL DAT".TI
1
"CONTROL DAT".TI

SET
=

"CONTROL DAT".WRITE_READ

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

//default values for client job

//TI should be incremented


//with each job

7-7

Application Sample

Cyclic Program

OB1

Cyclic-OB

OPN "CONTROL DAT"


CALL "MODBUS" , "MODBUS_DAT"
ID
:=
LADDR
:=
TIMER_NR
:=
MONITOR
:="CONTROL DAT".MONITOR
DB_1
:=
START_1
:=
END_1
:=
DB_2
:=
START_2
:=
END_2
:=
DB_3
:=
START_3
:=
END_3
:=
DB_4
:=
START_4
:=
END_4
:=
DB_5
:=
START_5
:=
END_5
:=
WRITE_PROTECT1
:=
WRITE_PROTECT2
:=
WRITE_PROTECT3
:=
WRITE_PROTECT4
:=
WRITE_PROTECT5
:=
ENQ_ENR
:="CONTROL DAT".ENQ_ENR
SERVER_CLIENT
:=
DONE_NDR
:="CONTROL DAT".DONE_NDR
ERROR
:="CONTROL DAT".ERROR
STATUS
:="CONTROL DAT".STATUS
START_ADDRESS
:="CONTROL DAT".START_ADDRESS
LENGTH
:="CONTROL DAT".LENGTH
WRITE_READ
:="CONTROL DAT".WRITE_READ
TI
:="CONTROL DAT".TI
UNIT
:="CONTROL DAT".UNIT
A
R

"CONTROL DAT".ENQ_ENR
"CONTROL DAT".ENQ_ENR

//reset trigger

A
JC

"CONTROL DAT".DONE_NDR
TRIG

//job finished without error


//trigger new job

"CONTROL DAT".ERROR

//job finished with error


//put your error handling here

BEU
TRIG:
L "CONTROL DAT".TI
L 1
+I
T "CONTROL DAT".TI
SET
= "CONTROL DAT".ENQ_ENR

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

//wait until job finished

//increment TI with each job

//trigger
//initialize values for a
//new job here

7-8

Application Sample

7.2

Programming Example CP is Server

Programming
Example

Start-Up

The blocks are listed as follows:


Block

Comment

OB 1

Cyclic Program Processing

OB 100

Start-Up OB for Re-start

FB 200

FB INITIATE_MODBUS for Start-up OB

DB 222

work-DB "CONTROL DAT"


for FB MODBUS, FB INITIATE_MODBUS

OB100

Start-Up-OB
Call of FB 200 for initialization of "MODBUS"

CALL "INITIATE_MODBUS" , "INITIATE DAT"


ID
LADDR
UNIT
TIMER_NR
MONITOR
DB_1
START_1
END_1
DB_2
START_2
END_2
DB_3
START_3
END_3
DB_4
START_4
END_4
DB_5
START_5
END_5
WRITE_PROTECT1
WRITE_PROTECT2
WRITE_PROTECT3
WRITE_PROTECT4
WRITE_PROTECT5
ENQ_ENR
SERVER_CLIENT

:=1
:=W#16#100
:=b#16#2
:=T5
:=
:= W#16#B
:= W#16#1
:= W#16#7D
:= W#16#C
:= W#16#7E
:= W#16#FA
:= W#16#D
:= W#16#FB
:= W#16#177
:= W#16#E
:= W#16#178
:= W#16#1F4
:= W#16#F
:= W#16#1F5
:= W#16#271
:=FALSE
:=FALSE
:=FALSE
:=FALSE
:=FALSE
:=FALSE
:=TRUE

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

// from connection table


// from HW Config
// UNIT number 2
// nonattached Timer
// first memory area

// second memory area

// third memory area

// fourth memory area

// fifth memory area

//CP is server

7-9

Application Sample

FB 200 "INITIATE_MODBUS"
FB 200 copies its parameters to DB222. The user can monitor the jobs by watching
DB222 data in the variable table.
OPN "CONTROL DAT"

// DB 222

L
T
L
T

#ID
"CONTROL DAT".ID
#LADDR
"CONTROL DAT".LADDR

L
T
L
T
L
T
L
T
L
T
L
T
L
T
L
T
L
T
L
T
L
T
L
T
L
T
L
T
L
T
A
=
A
=
A
=
A
=
A
=

#DB_1
"CONTROL DAT".DB_1
#START_1
"CONTROL DAT".START_1
#END_1
"CONTROL DAT".END_1
#DB_2
"CONTROL DAT".DB_2
#START_2
"CONTROL DAT".START_2
#END_2
"CONTROL DAT".END_2
#DB_3
"CONTROL DAT".DB_3
#START_3
"CONTROL DAT".START_3
#END_3
"CONTROL DAT".END_3
#DB_4
"CONTROL DAT".DB_4
#START_4
"CONTROL DAT".START_4
#END_4
"CONTROL DAT".END_4
#DB_5
"CONTROL DAT".DB_5
#START_5
"CONTROL DAT".START_5
#END_5
"CONTROL DAT".END_5
#WRITE_PROTECT1
"CONTROL DAT".WRITE_PROTECT1
#WRITE_PROTECT2
"CONTROL DAT".WRITE_PROTECT2
#WRITE_PROTECT3
"CONTROL DAT".WRITE_PROTECT3
#WRITE_PROTECT4
"CONTROL DAT".WRITE_PROTECT4
#WRITE_PROTECT5
"CONTROL DAT".WRITE_PROTECT5

A
=

#SERVER_CLIENT
"CONTROL DAT".SERVER_CLIENT

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

7-10

Application Sample

//

Call of MODBUS FB with copied initialization values


CALL "MODBUS" , "MODBUS_DAT"
ID
LADDR
TIMER_NR
MONITOR
DB_1
START_1
END_1
:
DB_2
START_2
END_2
DB_3
START_3
END_3
DB_4
START_4
END_4
DB_5
START_5
END_5
WRITE_PROTECT1
WRITE_PROTECT2
WRITE_PROTECT3
WRITE_PROTECT4
WRITE_PROTECT5
ENQ_ENR
SERVER_CLIENT
DONE_NDR
ERROR
STATUS
START_ADDRESS
LENGTH
WRITE_READ
TI
UNIT
A
JC

:="CONTROL DAT".ID
:="CONTROL DAT".LADDR
:=#TIMER_NR
:=
:="CONTROL DAT".DB_1
:="CONTROL DAT".START_1
="CONTROL DAT".END_1
:="CONTROL DAT".DB_2
:="CONTROL DAT".START_2
:="CONTROL DAT".END_2
:="CONTROL DAT".DB_3
:="CONTROL DAT".START_3
:="CONTROL DAT".END_3
:="CONTROL DAT".DB_4
:="CONTROL DAT".START_4
:="CONTROL DAT".END_4
:="CONTROL DAT".DB_5
:="CONTROL DAT".START_5
:="CONTROL DAT".END_5
:="CONTROL DAT".WRITE_PROTECT1
:="CONTROL DAT".WRITE_PROTECT2
:="CONTROL DAT".WRITE_PROTECT3
:="CONTROL DAT".WRITE_PROTECT4
:="CONTROL DAT".WRITE_PROTECT5
:=
:="CONTROL DAT".SERVER_CLIENT
:=
:= :="CONTROL DAT".ERROR
:= :="CONTROL DAT".STATUS
:=
:=
:=
:=
:=

"CONTROL DAT".ERROR
ERR

SET
=
"CONTROL DAT".ENQ_ENR
JU END
ERR:

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

//INIT completed with error


//cyclic operation doesnt
//make sense
//INIT completed without error
//enable data transfer

//put your error handling here

7-11

Application Sample

Cyclic Program

OB1

Cyclic-OB

OPN "CONTROL DAT"


CALL "MODBUS" , "MODBUS_DAT"
ID
LADDR
TIMER_NR
MONITOR
DB_1
START_1
END_1
DB_2
START_2
END_2
DB_3
START_3
END_3
DB_4
START_4
END_4
DB_5
START_5
END_5
WRITE_PROTECT1
WRITE_PROTECT2
WRITE_PROTECT3
WRITE_PROTECT4
WRITE_PROTECT5
ENQ_ENR
SERVER_CLIENT
DONE_NDR
ERROR
STATUS
START_ADDRESS
LENGTH
WRITE_READ
TI
UNIT

:=
:=
:=
:="CONTROL DAT".MONITOR
:=
:=
:=
:=
:=
:=
:=
:=
:=
:=
:=
:=
:=
:=
:=
:=
:=
:=
:=
:=
:=CONTROL DAT".ENQ_ENR
:=
:="CONTROL DAT".DONE_NDR
:="CONTROL DAT".ERROR
:="CONTROL DAT".STATUS
:="CONTROL DAT".START_ADDRESS
:="CONTROL DAT".LENGTH
:="CONTROL DAT".WRITE_READ
:="CONTROL DAT".TI
:="CONTROL DAT".UNIT

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

7-12

A Literature
Schneider Electric

OPEN MODBUS/TCP SPECIFICATION


Release 1.0, 29 March 1999
Andy Swales
Schneider Electric

MODBUS

http://www.modbus.org

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

Appendix - 1

Glossary

A
Address

The address identifies a physical storage location. If the address is


known, the operand stored there can be directly accessed.

Automation System

An automation system is a programmable logic controller that contains


at least a CPU, different input and output devices as well as HMI
devices.

B
Block Call

A block call occurs when program processing branches to the called


block

Block Parameter

Block parameters are variables within multiple-use blocks, which are


replaced with actual values when the relevant block is called.

Blocks

Blocks are elements of the user program which are defined by their
function, structure, or purpose. With STEP7 there are

Code blocks (FB, FC, OB, SFB, SFC)

Data blocks (DB, SDB)

User-defined data types (UDT)

C
Communications Processor

Communications processors are modules for point-to-point connections


and bus connections.

Configuration

The configuration is the set up of individual modules of the PLC in the


configuration table.

Connection Parameterization The specification of a connection ID in the system function block. With
the help of a connection ID the system function blocks can
communicate between two communication points.
CPU

Central processing unit of the S7 programmable logic controller with


control and arithmetic unit, memory, operating system, and interfaces to
I/O modules.

CRC

Cyclic Redundancy-Check = Checksum which guarantees a high


probability of error recognition.

Cycle Time

The cycle time is the time the CPU needs to execute the user program
once.

Cyclic Program Processing

In cyclic program processing, the user program is executed in a


constantly repeating program loop, called a cycle.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

Glossary - 1

D
Data Block (DB)

These are blocks containing data and parameters with which the user
program works. Unlike all other blocks, data blocks do not contain
instructions. They are subdivided into global data blocks and instance
data blocks. The data held in the data blocks can be accessed
absolutely or symbolically. Complex data can be stored in structured
form.

Data Type

Data types allow users to define how the value of a variable or constant
is to be used in the user program. They are classified into elementary
and structured data types.

Default Setting

The default setting is a basic setting which is always used if no other


value is specified.

Diagnostic Buffer

Every CPU has a diagnostic buffer, in which detailed information on


diagnostic events are stored in the order in which they occur.

Diagnostic Event

Diagnostic events are, for example, errors on a module or system


errors in the CPU, which are caused by, say, a program error or by
operating mode transitions.

Diagnostic Functions

The diagnostics functions cover the entire system diagnosis and include
detection, analysis and reporting of errors within the automation
system.

Download

Downloading means loading objects (e.g. code blocks) from the


programming device into the load memory of the CPU.

F
Function Block (FB)

Function blocks are components of the user program and, in


accordance with the IEC standard, are blocks with memory. The
memory for the function block is an assigned data block, a so called
instance data block. Function blocks can be parameterized but can
also be used without parameters.

H
Hardware

Hardware is the term given to all the physical and technical equipment
of a PLC.

I
Instance Data Block

An instance data block is a block assigned to a function block and


contains data for this special function block.

Interface Module

On the interface module the physical conversion of signals takes place.


By exchanging the pluggable interface module you can adapt the
communications processor to the physical interface of the
communications partner.

Interrupt

Interrupt is a name for a break of the program processing in the


processor of an automation system by an external alarm.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

Glossary - 2

M
Module

Modules are pluggable printed circuit boards for programmable logic


controllers

Module Parameters

Module parameters are used to set the module behaviors. A distinction


is made between static and dynamic module parameters.

O
Online / Offline

Online means that a data connection exists between PLC and


programming device. Offline means that no such data connection
exists.

Online Help

STEP7 allows you to display contextual help texts on the screen while
working with the programming software.

Operand

An operand is part of a STEP7 instruction and states with what the


processor is to do something. It can be both absolutely and symbolically
addressed.

Operating Mode

The SIMATIC S7 programmable controllers have three different


operating modes: STOP, START UP and RUN. The functionality of the
CPUs varies in the individual operating modes.

Operating System of the


CPU

The operating system of the CPU organizes all functions and


operations of the CPU which are not connected to a specific control
task.

P
Parameter

Parameters are values that can be assigned. A distinction is made


between block parameters and module parameters.

Parameterization

Parameterization means setting the behavior of a module.

Parameterization Interface
CP 441:
Point-to-Point
Communication,
Parameter Assignment

The CP 441: Point-to-Point Communication, Parameter Assignment


parameterization interface is used to parameterize the interface
modules of the communications processor and the driver specific
parameters. Each loadable driver extends the standard functionality
(i. e. adds more functionality).

Point-to-Point connection

In a point-to-point connection the communications processor is the


interface between a PLC and a communications partner.

Procedure

The execution of a data interchange operation according to a specific


protocol is called a procedure.

Process image

This is a special memory area in the PLC. At the beginning of the cyclic
program, the signal states of the input modules are transferred to the
process image input table. At the end of the cyclic program, the process
image of the outputs is transferred to the output modules as output
signals.

Protocol

The communications partners involved in a data interchange must


abide by fixed rules for handling and implementing the data traffic.
These rules are called protocols.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

Glossary - 3

R
Rack

A rack is a rail containing slots for mounting modules.

S
Software

Software is the term given to all programs used on a computer system.


These include the operating system and the user programs.

START UP

The operating mode START UP is active when the CPU transits from
operating mode STOP to operating mode RUN.

STEP7

STEP7 is the programming software of SIMATIC S7.

System Block

System blocks differ from the other blocks in that they are already
integrated into the S7-400 system and are available for already defined
system functions. They are classified into system data blocks, system
functions, and system function blocks.

System Function (SFC)

System functions are software modules without memory which are


already integrated into the operating system of the S7-CPU and can be
called by the user as required.

System Function Block (SFB) System function blocks are software modules with memory which are
already integrated into the operating system of the S7-CPU and can be
called up by the user as required.

T
Tool

A tool is a piece of software that is capable of accessing operating


system functions in a programming device.

U
Upload

Uploading means loading objects (e.g. code blocks) from the load
memory of the CPU into the programming device.

User Program

The user program contains all instructions and declarations for signal
processing, by means of which a system or a process can be
controlled. The user program for SIMATIC S7 is structured and is
divided into smaller units called blocks.

V
Variable

A variable is an operand (e.g. E 1.0) which can have a symbolic name


and can therefore also be addressed symbolically.

W
Work Memory

The work memory is a RAM on the CPU which the processor accesses
while processing the user program.

OPEN MODBUS / TCP communication via CP343-1 and 443-1


2XV9450-1MB00; Manual edition 3.0

Glossary - 4