Modbus address range


Thread Starter

lin

From the Modbus application protocol specification, the address range of each datatype (coil, discrete input, holding register, input register) is 0-65535, but I tried several software packages (like Modscan32). They only support manipulation of coils addressed within 0-9999, discrete inputs within 10000-19999, holding registers within 40000-49999, and input registers within 30000-39999.

Why?
 

Eric Thielking

Specifications can be confusing.

The width of each register is 16 bits (0-65535), but the valid address ranges are 0-9999, 10000-19999, etc.

After reading the specification, I can see how one can be confused.

Even still, some manufacturers say that they comply with MODBUS, but they make some 'enhancements'.

Does that help?
 
You may be confusing the "address range" with the value of the data. Modbus allocates registers of 16-bit data to different types of data values (datatypes). There are 10000 registers allocated for discrete input data that are numbered 10000 to 19999. There are a total of 10000 output coils numbered from 0 to 9999. Note that there are 10000 input registers numbered from 30000 to 39999, but when these are connected to scalar devices, more than one register may be concatenated to form a 32-bit integer or even a 64-bit floating point number, depending on the external device.

Also note that the addressing of datatypes is dependent on the manufacturer of the PLC. If you want to see the total Modbus specification, it is on the web and can be seen here for free:
http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf

Dick Caro
===========================================
Richard H. Caro, Certified Automation Professional, CEO, CMC Associates,
2 Beth Circle, Acton, MA 01720
Tel: +1.978.635.9449 Mobile: +.978.764.4728
Fax: +1.978.246.1270
Blog: http://DickCaro.liveJournal.com
Web: http://www.CMC.us
 
In the 4.4 chapter of Modbus application protocol:

In a MODBUS PDU, each data is addressed from 0 to 65535.

Looking through the whole specification, there is no mention of a 10000 address limit.
 
There is no longer a limit of 1 to 9999 on Modbus address ranges. There never really was one, it was just a convention used in older Modicon controllers and related documentation.

The address limit is 1 to 2^16, for 1 based addressing. The starting address with a Modbus message is always 0 based, giving a range of 0 to 2^16-1.

The data type and address for the data type have always been in separate fields within a Modbus message - that's why 9999 has never been a limit.

My copy of Modscan32 and the Kepware Modbus OPC server allow the full 16-bit range to be addressed.

My guess is that you are looking at outdated documentation and using outdated programs.
 

Darrin Hansen

This item is the one "grey" area in the Modbus spec. The original intention was that there would only be 10000 of each type (holding registers, for example). However, because the "40 thousand" part of a holding register request does not go across the wire (just the offset), there's really nothing stopping you from making requests for up to 65535 holding registers. Some manufacturers limit holding register ranges to the "classical" definition of 0000-9999, but others do not. Modscan actually doesn't (at least the version I have doesn't): you can (for example) request 100 registers starting at 50,000, etc.

Our products also don't limit the range: since the "40 thousand" part is never seen on the wire, as long as it is clear that the item being discussed is a holding register, we allow users to define up to 65535 holding registers.

This same discussion also applies for coils, input registers, etc.

Darrin
 
Be careful not to confuse the "address name" with the "address number".

Output Coils are assigned the block 1-9999
Input Coils are assigned the block 10001-19999
Input Registers are assigned the block 30001-39999
Output Registers are assigned the block 40001-49999

I refer to these blocks as address names since they all use the same address numbers 0-9998 in the modbus request. The difference can be called the offset.

The test program at http://www.SimplyModbus.ca lets you enter this offset and specify the register or coil type separately. I find it more flexible and easier to use than any other test program and I've tried many. The demo version never expires. Give it a try.
 
The newer Modicon controllers and some Modbus drivers allow an alternate syntax for specifying an address.

For coil 89, instead of 00089 or 000089 you write 0:89. Or for holding register 10001 you write 4:10001.

In this syntax, here are the address limits:

Coils - 0:1 to 0:65535
Inputs - 1:1 to 1:65535
Input Regs - 3:1 to 3:65535
Output Regs - 4:1 to 4:65535

I'm guessing a bit here, but I think this is a plausible explanation for the now mysterious 9999 limit: Modicon had to figure out a way to get the register designations and their values to show up on the 80x40 character text monitors available on early PCs within their 584/984 programming networks. The address convention of x0001 to x9999 guarantees that only 5 characters are needed to display any address. They also used modulo 10000 arithmetic, which precluded any signed register value from exceeding 5 characters. This allowed them to put a sorely needed extra column or two in the program networks.
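The point made in the posts above (the "4x" prefix only selects the function code, and the 16-bit address field carries a 0-based offset) can be checked with a short translation routine. This is an added example, not code from any poster or product in this thread; `parse_reference` and `read_request_pdu` are hypothetical names, and the function codes, field layout and quantity limits follow the Modbus application protocol specification linked earlier.

```python
import struct

# Reference-type digit -> (table, read function code)
TABLES = {
    "0": ("coil", 0x01),
    "1": ("discrete input", 0x02),
    "3": ("input register", 0x04),
    "4": ("holding register", 0x03),
}

def parse_reference(ref):
    """Map '40001', '400001' or '4:10001' to (table, function code, PDU address)."""
    ref = ref.strip()
    if ":" in ref:                                  # prefix:number syntax
        prefix, number = ref.split(":", 1)
    elif ref.isdigit() and len(ref) in (5, 6):      # classic 5- or 6-digit form
        prefix, number = ref[0], ref[1:]
    else:
        raise ValueError(f"unrecognised reference: {ref!r}")
    if prefix not in TABLES or not number.isdigit():
        raise ValueError(f"unrecognised reference: {ref!r}")
    address = int(number) - 1       # references are 1-based, the wire is 0-based
    if not 0 <= address <= 0xFFFF:
        raise ValueError(f"{ref!r} does not fit the 16-bit address field")
    table, function_code = TABLES[prefix]
    return table, function_code, address

def read_request_pdu(ref, quantity):
    """Build the read request PDU: function code, start address, quantity."""
    _, function_code, address = parse_reference(ref)
    # Per-request limits from the specification: 2000 bits or 125 registers.
    limit = 2000 if function_code in (0x01, 0x02) else 125
    if not 1 <= quantity <= limit or address + quantity > 0x10000:
        raise ValueError(f"quantity {quantity} is out of range for {ref!r}")
    return struct.pack(">BHH", function_code, address, quantity)

if __name__ == "__main__":
    # Constructed sample references, including one beyond the classic 9999 block.
    for sample in ("00089", "30001", "40001", "4:10001", "4:50001"):
        print(sample, parse_reference(sample), read_request_pdu(sample, 1).hex())
```

References 30001 and 40001 both produce PDU address 0 and differ only in the function code, so a filter or monitoring rule written against "40001" has to be expressed as function code plus 0-based address to match what is actually on the wire.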
 
Hello Friends,

I am confused regarding how Modbus addressing works. For example, we have two PLCs. I want to write one analog register from one PLC to the other. Let's say the slave is writing to one register and I have to configure the master to read it.

So in this case, suppose the slave is writing to 40001. Will the master read 40001 or will it read 30001? Will 40001 registers be mapped to 30001 registers or not?

Please suggest.

Thanks in Advance.
 

Lynn August Linse

> will 40001 registers be mapped to 30001 registers or not?

No - never. If you write to 4x00001, then you also read from 4x00001.

The 3x range is rarely used these days and really just means 'read-only because these are field inputs'. They have become somewhat obsolete because most users will use ladder logic to 'move' the value to the 4x range (which is NOT outputs, but 'holding registers'), then do math for scaling - for example converting a number in the range 389-3256 to be 0 to 10000 gallons for a tank-level input. Therefore few people really care to see the raw 3x PLC values anymore.
 