Modbus _RTU (Memory Map)

U p d a t e d: February 1, 2011

file_V1.0
Update 12.2015

[email protected]
 Communication protocol between xLogic and
HMI

This communication protocol adopts MODBUS protocol. Any operation on

PLC data, such as acquisition data from PLC or write data to PLC, and
control etc must be in accordance with this communication protocol
format, besides connecting hardware and communication parameters
setting shall match each other between PLC and HMI, otherwise, PLC
cannot normally respond.

1. Communication Mode

At present, xLogic can only be setup to communicate on standard

Modbus networks using the transmission mode: RTU. Users select this
mode, along with the serial port communication parameters (baud rate,
parity mode, etc), during configuration of each controller. The mode and
serial parameters must be the same for all devices on a Modbus network.

Modbus ASCII also applied to Standard PR-12,PR-18 PR-24 series.

RTU mode

Addres Functio Data Data 1 ... Data CRC low-order CRC high-order
s n code Numb n byte byte
er

PLC mode selection：MODBUS RTU

Communication parameter set：

Baud rates：9600

Data bit：8

Stop bit：1
Checkout mode: Non parity checking

The selection of RTU mode pertains only to standard Modbus networks.

It defines the bit contents of message fields transmitted serially on those
networks. It determines how information will be packed into the
message fields and decoded.
On other networks like MAP and Modbus Plus, Modbus messages are
placed into frames that are not related to serial transmission.

RTU Framing

In RTU mode, messages start with a silent interval of at least 3.5

character times. This is most easily implemented as a multiple of
character times at the baud rate that is being used on the network
(shown as T1–T2–T3–T4 in the figure below).The first field then
transmitted is the device address.
The allowable characters transmitted for all fields are hexadecimal 0–9,
A–F. Networked devices monitor the network bus continuously, including
during the ‘silent’ intervals. When the first field (the address field) is
received, each device decodes it to find out if it is the addressed device.
Following the last transmitted character, a similar interval of at least 3.5
character times marks the end of the message. A new message can
begin after this interval.
The entire message frame must be transmitted as a continuous stream.
If a silent interval of more than 3.5 character times occurs before
completion of the frame, the receiving device flushes the incomplete
message and assumes that the next byte will be the address field of a
new message. Similarly, if a new message begins earlier than 3.5
character times following a previous message, the receiving device will
consider it a continuation of the previous message. This will set an error,
as the value in the final CRC field will not
be valid for the combined messages.

A typical message frame is shown below.

START ADDRES FUNCTIO DATA CRC END

S N CHECK
T1-T2-T3- 8Bit 8Bit n 个 8Bit 16Bit T1-T2-T3-
T4 T4

How the Address Field is Handled

The address field of a message frame contains two characters (ASCII) or
eight bits (RTU). Valid slave device addresses are in the range of 0 – 247
decimal. The individual slave devices are assigned addresses in the
range of 1 – 247. A master addresses a slave by placing the slave
address in the address field of the message. When the slave sends its
response, it places its own address in this address field of the response to
let the master know which slave is responding.
Address 0 is used for the broadcast address, which all slave devices
recognize. When Modbus protocol is used on higher level networks,
broadcasts may not be allowed or may be replaced by other methods.

How the Function Field is Handled

The function code field of a message frame contains two characters
(ASCII) or eight bits (RTU). Valid codes are in the range of 1 – 255
decimal. Of these, some codes are applicable to all xLogic, while some
codes apply only to certain models, and others are reserved for future
use.

When a message is sent from a master to a slave device the function

code field tells the slave what kind of action to perform. Examples are to
read the ON/OFF states of a group of discrete coils or inputs; to read the
data contents of a group of registers; to read the diagnostic status of the
slave; to write to designated coils or registers; or to allow loading,
recording, or verifying the program within the slave.

When the slave responds to the master, it uses the function code field to
indicate either a normal (error–free) response or that some kind of error
occurred (called an exception response). For a normal response, the
slave simply echoes the original function code. For an exception
response, the slave returns a code that is equivalent to the original
function code with its most–significant bit set to logic 1.

The master devices application program has the responsibility of

handling exception responses. Typical processes are to post subsequent
retries of the message, to try diagnostic messages to the slave, and to
notify operators.

Data Field

The data field is constructed using sets of two hexadecimal digits, in the
range of 00 to FF hexadecimal. These can be made from a pair of ASCII
characters, or from one RTU character, according to the network’s serial
transmission mode.

The data field of messages sent from a master to slave devices contains
additional information which the slave must use to take the action
defined by the function code. This can include items like discrete and
register addresses, the quantity of items to be handled, and the count of
actual data bytes in the field.

If no error occurs, the data field of a response from a slave to a master

contains the data requested. If an error occurs, the field contains an
exception code that the master application can use to determine the next
action to be taken.

The data field can be nonexistent (of zero length) in certain kinds of
messages. For example, in a request from a master device for a slave to
respond with its communications event log (function code 0B
hexadecimal), the slave does not require any additional information.

How Characters are Transmitted Serially

When messages are transmitted on standard Modbus serial networks, each
character or byte is sent in this order (left to right):

Least Significant Bit (LSB) . . . Most Significant Bit (MSB)

With RTU character framing, the bit sequence is:

Without Parity Checking

Start 1 2 3 4 5 6 7 8 Stop Stop

Bit Order（RTU）

2 It is optional for xLogic to be as a slave or master in

Modbus communication network.
As the following figure:
 Query message
Peripheral xLogic/Peripheral
device/xLogic device
（MASTER） （SLAVE）
Response message
At present xLogic supports baud rate: 9600. The default is 9600. The
default is non parity checking mode. MODBUS RTU is used as
communication protocol of xLogic. The defaulted communication
protocol is MODBUS RTU format .Defaulted address: 1, and legal
address range: 1~247.

Notes: 1.The Max length of frame command/order which xLogic

supports is 40 characters (Excluding STX and ETX).
2. The address and baud rate of xLogic can be modified via the
unit’s keypad.
3. If xLogic serves as master, the blocks F, AF, Modbus Read, and
Modbus Write would be used when programming.
3 xLogic/x-Messenger MODBUS Protocol Memory
Map:

Note ： All sorts of register’s start address of xLogic is from

0 ,customers should plus 1 if start address is from 1 of third part device.
For example in MD204L configuration software the Q1 address should be
0x 1.
 Name Set address method Data Attribute
(DECIMAL) format
Digital input
BIT R
Block in EXM-12/ELC-12(CPU):0～7
xLogicsoft: EXM-E-8(EXT1):8～15
EXM-E-8(EXT2):16～23
EXM-E-8(EXT3):24～31
∙
∙
EXM-E-8(EXT8):64～71
Type:(1x)
(Configuration in Text
panel software) PR-6(CPU):0~3
PR-12:0～7
PR-18(CPU):0～11
PR-E-16(EXT1):12～19
MODBUS code: PR-E-16(EXT2):20～27
02 PR-E-16(EXT3):28～35
∙
∙
PR-E-16(EXT9):76～83
PR-E-16(EXT10):84～91
∙
∙
PR-E-16(EXT15):124～131
PR-E-16(EXT16):132～139

PR-24(CPU):0～13
PR-E-16(EXT1):16～23
PR-E-16(EXT2):24～31
PR-E-16(EXT3):32～39
∙
∙
PR-E-16(EXT9):80～87
PR-E-16(EXT10):88～95
∙
∙
PR-E-16(EXT15):128～135
PR-E-16(EXT16):136～143
 4 cursors
（Cursor key） BIT R

C1-C4: 256~259

Type:(1x)
MODBUS code:
02
Digital outputs BIT R/W

EXM-12/ELC-12(CPU):0～7
EXM-E-8(EXT1):8～15
EXM-E-8(EXT2):16～23
(0x) EXM-E-8(EXT3):24～31
∙
MODBUS code: ∙
01(read) EXM-E-8(EXT7):56～63
05 EXM-E-8(EXT8):64～71
(single Write)
PR-6(CPU):0～1
15
PR-12(CPU):0～3
(Multiple Write)
PR-18(CPU):0～5
PR-E-16(EXT1):8～15
PR-E-16(EXT2):16～23
PR-E-16(EXT3):24～31
∙
∙
PR-E-16(EXT9):72～79
PR-E-16(EXT10):80～87

PR-E-16(EXT11):88～95
PR-E-16(EXT12):96～103
∙
∙

PR-E-16(EXT15):120～127
PR-E-16(EXT16):128～135

PR-24(CPU):0～9
PR-E-16(EXT1):10～17
PR-E-16(EXT2):18～25
PR-E-16(EXT3):26～33
∙
∙
PR-E-16(EXT9):74～81
PR-E-16(EXT10):82～89
∙
∙
PR-E-16(EXT15):122～129
PR-E-16(EXT16):130～137
Middle coil PR-6&Economic PR-12 BIT R
Series:256~319

Standard EXM-12/
ELC-12 Series：256~767

(0x)
(0x)
PR-12/ELC-22 Series:256~767
MODBUS code: PR-18/PR-24 Series:256~1279
01(read)

Digital Flag BIT R/W

PR-6 Series:
1536~1567

PR-12-E series:
1536~1567

(0x) ELC-22 series:

1536~1663
MODBUS code: PR-18 series:
01(read) 1536~1791
05 PR-12/PR-24 series:
(single Write) 1536~1791

15
(Multiple Write)
REG LONG R/W
PR-18/PR-24 Series:0~1023
Holding register(timer、
counter value) PR-6/Economic PR-12 Series:
0~63

Standard RR-12 Series:

0~511

(4x)

(4x)

MODBUS code:
03(read)

16(Multiple Write)
Analog input EXM-12/ELC-12 Series： Signed R
(1024~1279) short

CPU:1024~1031
EXT1:1032~1039
(4x) EXT2:1040~1047
…………

MODBUS code: EXT8:1088~1095

03(read)

ELC-22/26 Series
CPU :1024~1031
EXT1:1032~1039
EXT2:1040~1047
…..
EXT9:1096~1103

PR-6 Series:
1024~1027

PR-12 Series:
1024~1027

PR-18/24 Series:
CPU:1024~1031
EXT1:1032~1039
EXT2:1040~1047

…..
EXT9:1096~1103
…..
EXT15:1144~1151
EXT16:1152~1159
Analog output Signed R/W
ELC-22/PR-18/PR-24 Series: short
CPU:1280~1281
EXT1:1282~1283
EXT2:1284~1285
(4x)
…..
EXT9:1298~1299
…..
MODBUS code: EXT15:1310~1311
03(read) EXT16:1312~1313

06(Single Write) PR-12 Series:1280~1281

16(Multiple Write)
Analog quantity buffer PR-6&Economic PR-12 Signed R
Series:1536~1599 short

EXM-12/ELC-12 Series:
1536~2047

PR-12 Series:1536~2047
PR-18/PR-24
Series:1536~2559
(4x)
MODBUS code:
03(read)

Analog quantity buffer PR-6&Economic PR-12 Series: Signed R/W

3072~3103 short

EXM-12/ELC-12 Series
(4x) PR-12/PR-18/PR-24Series:
3072~3327
MODBUS code:
03(read)

06
(Single Write)

16(Multiple Write)
HEG for block Word R
EXM-12/ELC-12 Series:
The frequency value 2560~3071
buffer of threshold
trigger
PR-12 Series:2560~3071

PR-18/PR-24 Series:
HEG0-HEG511:2560--3071
Data latching Relay
HEG512 - HEG1023:
19456--19967

(4x)
MODBUS code: PR-6 Series:
03(read) 2560--2623

16(Multiple Write)
RTC All ELC series CPU Signed R/W
(4x) short
Year:3328
MODBUS code: Month:3329
03(read) Day:3330
Hour:3331
Minute:3332
16(Multiple Write) Second:3333

On the upper table host address range and xLogic Max address range are
the same, and also different series plc has different address range, hence
user shall voluntarily pay more attention to host address range of the
PLC being used. In case host address of communication order/command
exceeds the address range of PLC being used, then such PLC would
respond to ERROR 4 (illegal address), and simultaneously such
command/order would not be executed by PLC being used.

Note:
1. 10 milliseconds would be regarded as the unit of Time for writing
to the HMI.
2. One second would be regarded as the unit of Time for reading
from the HMI.
3. The default address of xLogic is 1.
 4. The total number of address being accessed should less than the
above table showing .

4 Explanation of communication order in detail

The following table contains some communication orders supported by
xLogic.

Length of
Order
message(one
code(Hex Function description Remarks
frame order can
)
deal with)
01 Read one group coil status -- Read Coil Status
（00000～0XXXX） (Output relay)
02 Fetch one group data of the -- Read input Status
status of switch input (input relay)
（10000～1XXXX）
03 Read data of multi-holding -- Read Holding
register（40000～4XXXX） Registers
(Output
register)
05 Force the switch status of single 1 Force Single Coil
coil（00000～0XXXX）
06 Pre-set the data of single 80 Set single output
register register
（40000～4XXXX）
15 Force multi-coils on/off data many
（00000～0XXXX）
16 Write multi-holding registers
data（40000～4XXXX）

19~4F Reserve
RTU Format
Note1：In data field, one byte stands for BIT (1 means ON, 0 means OFF). One
byte (00 ~FF) would be used to represent “char” type register parameters. The
“int” type register parameter can be expressed with two bytes (0000~FFFF). 4
bytes (00 00 00 00 ~ FF FF FF FF) can stand for “long” type register parameter.
The high-order byte is appended first, followed by the low-order byte.

Note2: The Max length of command/order message sent to PLC by host can not
exceed 80 bytes, otherwise PLC will not execute such order, also without
responding to such command/order message, furthermore, host cannot allow
the Max length of responding message from PLC to exceed 80 bytes, otherwise,
PLC would return to ERROR 3 (command/order cannot be executed.)status.