Modbus telegrams¶
The send and receive telegrams shown in this section are not visible in the PLC. However, the complete telegrams can be made visible using a serial data analyzer connected to the connection line between server and client, if required.
The amount of user data depends on the properties of the server and client.
For the following examples, it is assumed that an AC500 Modbus module is used as client. There may be different properties if modules of other manufacturers are used.
FCT 1 or 2: Read n bits
Server request
| Client address | Function code | Client operand address | Number of bits | CRC | |||
| High | Low | High | Low | High | Low | ||
Client response
| Client address | Function code | Number of bytes | …Data… | CRC | |
| High | Low | ||||
| Example: | Modbus interface of the server: | COM1 |
| Server reads from: | Client 1 | |
| Data: | %MX0.1026.4 = FALSE; %MX0.1026.5 = TRUE %MX0.1026.6 = FALSE |
|
| Source address at client: | %MX0.1026.4 : 2014HEX = 8212DEC | |
| Target address at server: | abReadBool: ARRAY[0..2] OF BOOL; | |
| The values of the flags %MX0.1026.4..%MX0.1026.6 on the client are written to the ARRAY abReadBool on the server. | ||
Modbus request of the server
| Client address | Function code | Client operand address | Number of bits | CRC | |||
|---|---|---|---|---|---|---|---|
| High | Low | High | Low | High | Low | ||
| 01HEX | 01HEX | 20HEX | 14HEX | 00HEX | 03HEX | 37HEX | CFHEX |
Modbus response of the client
| Client address | Function code | Number of bytes | Data | CRC | |
|---|---|---|---|---|---|
| High | Low | ||||
| 01HEX | 01HEX | 01HEX | 02HEX | D0HEX | 49HEX |
Parameterization of the COM_MOD_MAST block inputs NB = Number of bits
| EN | COM | SLAVE | FCT | TIMEOUT | ADDR | NB | DATA |
| FALSE -> TRUE | 1 | 1 | 1 | Application- specific | 8212 | 3 | ADR (abReadBool[0]) |
FCT 3 or 4: Read n words
Server request
| Client address | Function code | Client operand address | Number of words | CRC | |||
| High | Low | High | Low | High | Low | ||
Client response
| Client address | Function code | Number of bytes | …Data… | CRC | |
| High | Low | ||||
| Example: | Modbus interface of the server: | COM1 |
| Server reads from: | Client 1 | |
| Data: | %MW0.8196 = 4; %MW0.8197 = 5; %MW0.8198 = 6 |
|
| Source address at client: | %MW0.8196 : 2004HEX = 8196DEC | |
| Target address at server: | awReadWord : ARRAY[0..2] OF WORD; | |
| The values of the flag words %MW0.8196..%MW0.8198 on the client are written to the ARRAY awReadWord on the server. | ||
Modbus request of the server
| Client address | Function code | Client operand address | Number of words | CRC | |||
|---|---|---|---|---|---|---|---|
| High | Low | High | Low | High | Low | ||
| 01HEX | 03HEX | 20HEX | 04HEX | 00HEX | 03HEX | 4FHEX | CAHEX |
Modbus response of the client
| Client address | Function code | Number of bytes | Data | Data | Data | CRC | |
|---|---|---|---|---|---|---|---|
| High / Low | High / Low | High / Low | High | Low | |||
| 01HEX | 03HEX | 06HEX | 00HEX /04HEX | 00HEX /05HEX | 00HEX /06HEX | 40HEX | B6HEX |
Parameterization of the COM_MOD_MAST block inputs
NB = Number of words
| EN | COM | SLAVE | FCT | TIMEOUT | ADDR | NB | DATA |
|---|---|---|---|---|---|---|---|
FALSE -> TRUE |
1 | 1 | 3 | Application- specific | 8196 | 3 | ADR (awReadWord[0]) |
FCT 3 or 4: Read n double words
The function code “read double word” is not defined in the Modbus RTU standard. This is why the double word is composed of a low word and a high word (depending on the manufacturer).
Server request
| Client address | Function code | Client operand address | Number of words | CRC | |||
| High | Low | High | Low | High | Low | ||
Client response
| Client address | Function code | Number of bytes | …Data… | CRC | |
| High | Low | ||||
| Example: | Modbus interface of the server: | COM1 |
| Server reads from: | Client 1 | |
| Data: | %MD0.8193 = 32DEC = 00000020HEX; %MD0.8194 = 80000DEC = 00013880HEX |
|
| Source address at client: | %MD0.8193: 4002HEX = 16386DEC | |
| Target address at server: | adwReadDWord : ARRAY[0..1] OF DWORD | |
| The values of the flag double words %MD0.8193..%MD0.8194 on the client are written to the ARRAY adwReadDWord on the server. | ||
Modbus request of the server
| Client address | Function code | Client operand address | Number of words | CRC | |||
|---|---|---|---|---|---|---|---|
| High | Low | High | Low | High | Low | ||
| 01HEX | 03HEX | 40HEX | 02HEX | 00HEX | 04HEX | F0HEX | 09HEX |
Modbus response of the client
| Client address | Function code | Number of bytes | Data | Data | Data | Data | CRC | |
|---|---|---|---|---|---|---|---|---|
| High / Low | High / Low | High / Low | High / Low | High | Low | |||
| 01HEX | 03HEX | 08HEX | 00HEX /00HEX | 00HEX /20HEX | 00HEX /01HEX | 38HEX /80HEX | 57HEX | B0HEX |
Parameterization of the COM_MOD_MAST block inputs
NB = Number of words
| EN | COM | SLAVE | FCT | TIMEOUT | ADDR | NB | DATA |
|---|---|---|---|---|---|---|---|
FALSE -> TRUE |
1 | 1 | 3 | Application- specific | 16386 | 4 | ADR (adwReadDWord[0]) |
FCT 5: Write 1 bit
For the function code “write 1 bit”, the value of the bit to be written is encoded in one word.
BIT = TRUE -> Data word = FF 00 HEX
BIT = FALSE -> Data word = 00 00 HEX
Server request
| Client address | Function code | Client operand address | Number of words | CRC | |||
| High | Low | High | Low | High | Low | ||
| Client address | Function code | Client operand address | Data | CRC | |||
| High | Low | High | Low | High | Low | ||
Client response
| Client address | Function code | Client operand address | Data | CRC | |||
| High | Low | High | Low | High | Low | ||
| Example: | Modbus interface of the server: | COM1 |
| Server writes to: | Client 1 | |
| Data: | bBit := TRUE | |
| Source address at server: | bBit : BOOL; | |
| Target address at client: | %MX0.1026.7 : 2017HEX = 8215DEC | |
| The value of the BOOL variable bBit on the server is written to %MX0.1026.7 on the client. | ||
Modbus request of the server
| Client address | Function code | Client operand address | Data | CRC | |||
|---|---|---|---|---|---|---|---|
| High | Low | High | Low | High | Low | ||
| 01HEX | 05HEX | 20HEX | 17HEX | FFHEX | 00HEX | 37HEX | FEHEX |
Modbus response of the client (mirrored)
| Client address | Function code | Client operand address | Data | CRC | |||
|---|---|---|---|---|---|---|---|
| High | Low | High | Low | High | Low | ||
| 01HEX | 05HEX | 20HEX | 17HEX | FFHEX | 00HEX | 37HEX | FEHEX |
Parameterization of the COM_MOD_MAST block inputs
NB = Number of bits
| EN | COM | SLAVE | FCT | TIMEOUT | ADDR | NB | DATA |
|---|---|---|---|---|---|---|---|
FALSE -> TRUE |
1 | 1 | 5 | Application- specific | 8215 | 1 | ADR (bBit) |
FCT 6: Write 1 word
Server request
| Client address | Function code | Client operand address | Data | CRC | |||
| High | Low | High | Low | High | Low | ||
Client response
| Client address | Function code | Client operand address | Data | CRC | |||
| High | Low | High | Low | High | Low | ||
| Example: | Modbus interface of the server: | COM1 |
| Server writes to: | Client 1 | |
| Data: | wData := 7 | |
| Source address at server: | wData : WORD; | |
| Target address at client: | %MW0.8199 : 2007HEX = 8199DEC | |
| The value of the WORD variable bBit on the server is written to %MW0.8199 on the client. | ||
Modbus request of the server
| Client address | Function code | Client operand address | Data | CRC | |||
|---|---|---|---|---|---|---|---|
| High | Low | High | Low | High | Low | ||
| 01HEX | 06HEX | 20HEX | 07HEX | 00HEX | 07HEX | 72HEX | 09HEX |
Modbus response of the client (mirrored)
| Client address | Function code | Client operand address | Data | CRC | |||
|---|---|---|---|---|---|---|---|
| High | Low | High | Low | High | Low | ||
| 01HEX | 06HEX | 20HEX | 07HEX | 00HEX | 07HEX | 72HEX | 09HEX |
Parameterization of the COM_MOD_MAST block inputs
NB = Number of words
| EN | COM | SLAVE | FCT | TIMEOUT | ADDR | NB | DATA |
|---|---|---|---|---|---|---|---|
FALSE -> TRUE |
1 | 1 | 6 | Application- specific | 8215 | 1 | ADR (wData) |
FCT 7: Fast reading the status byte of the CPU
Server request
| Client address | Function code | CRC | |||||
| High | Low | ||||||
Client response
| Client address | Function code | Data byte | CRC | |||
| High | Low | |||||
| Example: | Modbus interface of the server: | COM1 |
| Server writes to: | Client 1 | |
| Data: | ||
| Source address at client: | ||
| Target address at client: | ||
| In version V1.x, this function always returns 0! | ||
Modbus request of the server
| Client address | Function code | CRC | |||||
|---|---|---|---|---|---|---|---|
| High | Low | ||||||
| 01HEX | 07HEX | 41HEX | E2HEX | ||||
Modbus response of the client
| Client address | Function code | Data byte | CRC | |||
|---|---|---|---|---|---|---|
| High | Low | |||||
| 01HEX | 07HEX | 00HEX | xxHEX | xxHEX | ||
Parameterization of the COM_MOD_MAST block inputs
NB = Number of bits
| EN | COM | SLAVE | FCT | TIMEOUT | ADDR | NB | DATA |
|---|---|---|---|---|---|---|---|
FALSE -> TRUE |
1 | 1 | 7 | Application- specific | 0 | 0 | ADR (BoolVar) |
Note
Note: In version V1.x, function 7 always returns 0!
FCT 15: Write n bits
Server request
| Client address | Function code | Client operand address | Number of bits | Number of bytes | …Data… | CRC | |||
| High | Low | High | Low | High | Low | ||||
Client response
| Client address | Function code | Client operand address | Number of bits | CRC | |||
| High | Low | High | Low | High | Low | ||
| Example: | Modbus interface of the server: | COM1 |
| Server writes to: | Client 1 | |
| Data: | abWriteBool[0] := TRUE; abWriteBool[1] := FALSE; abWriteBool[2] := TRUE |
|
| Source address at server: | abWriteBool : ARRAY[0..2] OF BOOL; | |
| Target address at client: | %MX0.1026.1 : 2011HEX = 8209DEC | |
| The values of the BOOL variables abWriteBool[0]..abWriteBool[2] on the server are written to %MX0.1026.1..%MX0.1026.3 on the client. | ||
Modbus request of the server
| Client address | Function code | Client operand address | Number of bits | Number of bytes | Data | CRC | |||
|---|---|---|---|---|---|---|---|---|---|
| High | Low | High | Low | High | Low | ||||
| 01HEX | 0FHEX | 20HEX | 11HEX | 00HEX | 03HEX | 01HEX | 05HEX | B4HEX | 37HEX |
Modbus response of the client
| Client address | Function code | Client operand address | Number of bits | CRC | |||
|---|---|---|---|---|---|---|---|
| High | Low | High | Low | High | Low | ||
| 01HEX | 0FHEX | 20HEX | 11HEX | 00HEX | 03HEX | 4EHEX | 0FHEX |
Parameterization of the COM_MOD_MAST block inputs
NB = Number of bits
| EN | COM | SLAVE | FCT | TIMEOUT | ADDR | NB | DATA |
FALSE -> TRUE |
1 | 1 | 15 | Application- specific | 8209 | 3 | ADR (abWriteBool[0]) |
FCT 16: Write n words
Server request
| Client address | Function code | Client operand address | Number of words | Number of bytes | …Data… | CRC | |||
| High | Low | High | Low | High | Low | ||||
Client response
| Client address | Function code | Client operand address | Number of words | CRC | |||
| High | Low | High | Low | High | Low | ||
| Example: | Modbus interface of the server: | COM1 |
| Server writes to: | Client 1 | |
| Data: | awWriteWord[0] := 1; awWriteWord[1] := 2; awWriteWord[2] := 3 |
|
| Source address at server: | awWriteWord : ARRAY[0..2] OF WORD; | |
| Target address at client: | %MW0.8193 : 2001HEX = 8193DEC | |
| The values of the WORD variables awWriteWord[0]..awWriteWord[2] on the server are written to %MW0.8193..%MW0.8195 on the client. | ||
Modbus request of the server
| Client address | Function code | Client operand address | Number of words | Number of bytes | Data | Data | Data | CRC |
|---|---|---|---|---|---|---|---|---|
| High / Low | High / Low | High / Low | High / Low | High / Low | High / Low | |||
| 01HEX | 10HEX | 20HEX / 01HEX | 00HEX / 03HEX | 06HEX | 00HEX / 01HEX | 00HEX / 02HEX | 00HEX / 03HEX | C0HEX / 84HEX |
Modbus response of the client
| Client address | Function code | Client operand address | Number of words | CRC | |||
|---|---|---|---|---|---|---|---|
| High | Low | High | Low | High | Low | ||
| 01HEX | 10HEX | 20HEX | 01HEX | 00HEX | 03HEX | DAHEX | 08HEX |
Parameterization of the COM_MOD_MAST block inputs
NB = Number of words
| EN | COM | SLAVE | FCT | TIMEOUT | ADDR | NB | DATA |
|---|---|---|---|---|---|---|---|
FALSE -> TRUE |
1 | 1 | 16 | Application- specific | 8193 | 3 | ADR (awWriteWord[0]) |
FCT 16: Write n double words
The function code “write double word” is not defined in the Modbus RTU standard. This is why the double word is composed of a low word and a high word (depending on the manufacturer).
Server request
| Client address | Function code | Client operand address | Number of words | Number of bytes | …Data… | CRC | |||
| High | Low | High | Low | High | Low | ||||
Client response
| Client address | Function code | Client operand address | Number of words | CRC | |||
| High | Low | High | Low | High | Low | ||
| Example: | Modbus interface of the server: | COM1 |
| Server writes to: | Client 1 | |
| Data: | adwWriteDWord[0] := 18DEC = 00000012HEX; adwWriteDWord[1] := 65561DEC = 00010019HEX; |
|
| Source address at server: | adwWriteDWord : ARRAY[0..1] OF DWORD; | |
| Target address at client: | %MD0.8192 : 4000HEX = 16384DEC | |
| The values of the Double WORD variables adwWriteDWord[0].. adwWriteDWord[1] on the server are written to %MD0.8192..%MD0.8193 on the client. | ||
Modbus request of the server
| Client address | Function code | Client operand address | Number of words | Number of bytes | Data | Data | Data | Data | CRC |
|---|---|---|---|---|---|---|---|---|---|
| High / Low | High / Low | High / Low | High / Low | High / Low | High / Low | High / Low | High / Low | ||
| 01HEX | 10HEX | 40HEX / 00HEX | 00HEX / 04HEX | 00HEX / 08HEX | 00HEX / 00HEX | 00HEX / 12HEX | 00HEX / 01HEX | 00HEX / 19HEX | 60HEX / B3HEX |
Modbus response of the client
| Client address | Function code | Client operand address | Number of words | CRC | |||
|---|---|---|---|---|---|---|---|
| High | Low | High | Low | High | Low | ||
| 01HEX | 10HEX | 40HEX | 00HEX | 00HEX | 04HEX | DAHEX | 0AHEX |
Parameterization of the COM_MOD_MAST block inputs
NB = Number of words = 2 x Number of double words
| EN | COM | SLAVE | FCT | TIMEOUT | ADDR | NB | DATA |
|---|---|---|---|---|---|---|---|
FALSE -> TRUE |
1 | 1 | 16 | Application- specific | 16384 | 4 | ADR (adwWriteDWord[0]) |
Error telegram
In operating mode Modbus server, the AC500 does only send telegrams, if the parameters at the MODMAST inputs are logically correct. Nevertheless, it can happen that a client cannot process the request of the server or that the client cannot interpret the request due to transmission errors. In those cases, the client returns an error telegram to the server. In order to identify this telegram as an error telegram, the function code returned by the client is a logical OR interconnection of the function code received from the server and the value 80HEX.
Client response
| Client address | Function code OR 80HEX |
Error code | CRC | |
| High | Low | |||
Possible error codes of the client
| Code | Meaning |
| 01DEC | The client does not support the function requested by the server |
| 02DEC | Invalid operand address in the client |
| 02DEC | Operand area exceeded |
| 03DEC | At least one value is outside the permitted value range |
| 12DEC | The amount of data is higher than the client can process |
| 13DEC | The telegram contains an odd number of words in case of double word access |
| 10DEC | Length specifications in the telegram do not match |
| 11DEC | The type of operand area and the function do not match |
| 22DEC | Write mask |
| 23DEC | Read /write multiple words |
Example:
| Modbus request of the server: | |||
|---|---|---|---|
| Function code: | 01 | (Read n bits) | |
| Client operand address: | 4000HEX = 16384DEC | (Area for read access disabled in client) | |
| Modbus response of the client: | |||
| Function code: | 81HEX | ||
| Error code: | 03 | ||