Subject: Assistance Needed: Accessing S7 TIA V13 System via Modbus TCP Hello everyone, I'm reaching out for help with accessing an S7 system running TIA Portal V13, which was developed by a third party for integration with various third-party devices using Modbus TCP protocol. The configuration is designed to adhere to Modbus TCP standards, and they have provided the following details on the address space: - **Coils (e.g., M100.0)**: - Read: Addresses **40001, 40002, 40044** (Two Words of bits, or 2 bytes) - Write: Address **40019** (Two Words of bits, or 2 bytes) - **Holding Registers (e.g., MDXXX)**: - Read: Addresses **40003-40018** (32-bit words, spanning two DWord addresses) - Write: Addresses **40020-40043, 40045-40050** (32-bit words, spanning two DWord addresses) When I attempt to read from these addresses, I can successfully read the first one (40001) and receive what I believe to be accurate responses in a bit-wise manner. Wireshark indicates that I'm utilizing Function Code 02, which corroborates the expected output. I'm able to access one holding register (40019) that provides reasonable data consistent with what I see in the TIA Portal watch list. Wireshark shows I'm using Function Code 03 here as well, yielding the anticipated results. However, as I continue to read other addresses, the data retrieved does not seem to match what I expect. It feels as if I might be sourcing data from incorrect addresses. Furthermore, I’ve been unsuccessful in writing to any address, specifically focusing on coil bits (not holding registers), employing Function Code 05 for my attempts. I suspect there may be an error on my part regarding the addressing, or possibly an issue with the configuration set by the contractor. As I’m relatively new to this, I would greatly appreciate any guidance or insights you could provide. Thank you for your help! Best, Matt
Hello Matt, I have reviewed the addresses, and they appear to be accurate. One potential issue could be that the byte order from the unit is reversed. Many software applications offer options to swap the Least Significant Byte (LSB) and Most Significant Byte (MSB) for the returned data. For more detailed information on Modbus TCP, you can refer to these resources: - [Simply Modbus: Modbus TCP Overview](http://www.simplymodbus.ca/TCP.htm) - [RTA Automation: Understanding Modbus TCP/IP](https://www.rtaautomation.com/technologies/modbus-tcpip/) To further validate your communications, I recommend testing with a different software package, such as AdvancedHMI. This free tool is frequently discussed in this forum and can be found here: [AdvancedHMI on SourceForge](https://sourceforge.net/projects/advancedhmi/). Additionally, you can follow this guide for installing AdvancedHMI: [Creating a PLC with HMI: An Installation Guide](http://accautomation.ca/create-a-plc-with-hmi-training-and-learning-environment-free/). I hope this information assists you! Best regards,
✅ Work Order Management
✅ Asset Tracking
✅ Preventive Maintenance
✅ Inspection Report
We have received your information. We will share Schedule Demo details on your Mail Id.
Join hundreds of satisfied customers who have transformed their maintenance processes.
Sign up today and start optimizing your workflow.