UHF Reader Modbus Protocol development manual

Dpment Man

UHF RFID Reader Modbus Protocol

Development Manual

Shen Zhen VANCH Intelligent Technology Co.,Ltd

ADD：4/F, the West of Building B, Fuana Industrial Park, No.1 Qingning Road,
Longhua District, Shenzhen City-518109, Guangdong Province, Chin
Site：www.vanch.cn Tel：0755-82426775 82403457 Email：[email protected]
 UHF Reader Modbus Protocol development manual

Dpment Man
Table of Contents
1. Introduction.....................................................................................................................................................................2
1.1.Document specification.......................................................................................................................................2
1.2.Scope of application............................................................................................................................................2
1.3.Notice before use.................................................................................................................................................2
2. Error code table..............................................................................................................................................................3
3. Basic parameters...........................................................................................................................................................5
4. Relay control...................................................................................................................................................................9
5. Automatic / Trigger mode read label.........................................................................................................................11
5.1. Mode introduction.............................................................................................................................................11
5.2. Read a single label (automatic / trigger mode)............................................................................................13
5.3. Read multiple labels (automatic / trigger mode)..........................................................................................14
5.3.1 List label data (96bit)..............................................................................................................................14
5.3.2 List label data (336bit)...........................................................................................................................16
6. Command mode read label........................................................................................................................................17
6.1. Mode introduction.............................................................................................................................................17
6.2. Read a single label EPC(command mode)..................................................................................................17
7. Fast write label EPC....................................................................................................................................................19
7.1. Label mask........................................................................................................................................................19
7.2. Fast write label EPC.........................................................................................................................................21
8. Read label EPC/TID/USER/PASSWORD................................................................................................................22
8.1. Read label EPC/TID/USER/PASSWORD.....................................................................................................22
8.2.Read label result flag bit and Label data display..........................................................................................23
9. Write label EPC/USER/PASSWORD........................................................................................................................25
9.1. Write label EPC/USER/PASSWORD.............................................................................................................25
9.2.Write label result flag bit...................................................................................................................................27
10. Clear label data..........................................................................................................................................................28
11. PLC(Modbus TCP protocol)example application..................................................................................................29
11.1. Preparation stage...........................................................................................................................................29
11.2. Function description.......................................................................................................................................29
11.3. Introduction to PLC configuration (Botu V15.1 SP1 as an example)......................................................30
11.3.1. Create project...................................................................................................................................... 30
11.3.2. PLC address formation.......................................................................................................................30
11.3.3. Communication between PLC and reader.......................................................................................33
11.3.4. Data monitoring...................................................................................................................................35
11.3.5. PLC and host computer communication establishment................................................................36
12. Example application of PLC (Modbus RTU protocol)...........................................................................................38
12.1. Preparation stage...........................................................................................................................................38
12.2. Introduction to PLC configuration (Botu V15.1 SP1 as an example)......................................................38
12.2.1. Create a project...................................................................................................................................39
12.2.2. Communication between PLC and reader......................................................................................39
13. Attached: Modbus protocol.......................................................................................................................................43
13.1. Protocol frame format....................................................................................................................................43
13.2. （0x03）Read holding register PDU..............................................................................................................44
13.3. （0x06）Write a single register PDU.............................................................................................................44
13.4. （0x10）Write multiple register PDU.............................................................................................................45
14. Appendix.....................................................................................................................................................................46

1
 UHF Reader Modbus Protocol development manual

Dpment Man
1. Introduction

1.1.Document specification

For the data in document, decimal numbers are directly represented by numbers, such as 1,247. The
hexadecimal number is represented by 0x, such as 0x12, 0x34. The 03 function code of Siemens PLC
starts from 40001, and the readers 5000 and 5001 correspond to 45001 and 45002 of Siemens PLC
respectively, and so on.

1.2.Scope of application

The document applies to our UHF readers that support Modbus protocol. The target readers of
document are: reader developers, API interface developers, system integration developers, reader
technical support personnel.

1.3.Notice before use

The default baud rate of our UHF reader RS232/RS485 interface is 115200, data bit 8, stop bit 1, no
check, slave station address 1; The default IP address of the network port is 192.168.0.128, and the
Modbus TCP connection port number is 502. If you need to modify the corresponding parameters,
please operate through the rfid-manager management software (the Modbus TCP connection port is
the default value of 502, so there is no need to modify it). When using Modbus protocol for
communication, please set it according to "Mode Introduction" in subsection 5.1 or 6.1 of this
document.

The "Equipment Address" column in the Modbus protocol format frame introduced in this document
takes effect when Modbus RTU(RS485 interface) protocol is used, and can be filled in arbitrarily when
Modbus RTU(RS232 interface) and Modbus TCP protocol are used.

2
 UHF Reader Modbus Protocol development manual

Dpment Man

2. Error code table

Table 2-1 Error code comparison table

0x01 Unsupported function code

0x02 Register address error
0x03 Data range error
0x04 Write failed
0x05 Confirm
0x06 Server is busy
0x07 Keep
0x08 Storage parity error
0x09 Keep
0x0A Unavailable gateway path
0x0B Gateway target device failed to respond
0x0C Access length error
0x0D The matching EPC length is too long
0x0E The length of the access target label must be an even number
0x0F The access label address must be an even number
0x10 Access data length is too long
0x11 The length of the data to be accessed must be an even number
0x12 Write failed
0x13 Read failed
0x14 Device address is out of range
0x15 Baud rate is out of range
0x16 Parameter error
0x17 Command execution failed
0x18 No Label
0x19 Checksum error
0x1A This command is not supported
0x1B Antenna number error
0x1C Filter length is out of range
0x1D Access area is out of range
0x1E Address or length is not a multiple of 2
0x1F Read length out of range
0x20 The write length is not an integer multiple of 2
0x21 EPC pointer is used without initialization
0x22 EPC length is not an integral multiple of 2
0x23 Power is out of range
0x24 When setting the baud rate, the specified interface number is wrong

3
 UHF Reader Modbus Protocol development manual

Dpment Man
0x25 When setting the baud rate, the baud rate is out of range
0x26 When setting the 485 address, the 485 address is out of range
0x27 When setting the relay status, the relay status is wrong
0x28 Wrong relay number
The relay is under automatic control, please turn off the automatic control
0x29
relay first
0x2A Filter mode error
0x2B TID length is out of range
0x2C USER area length is out of range
0x2D Need to switch the reader to command mode
0x2E Protocol error, only supports UDP or TCP reporting
0x2F RFID module returned an error
0x30 Heartbeat packet length error
0x31 The length field in the frame does not match the total length of the frame
The parameter length is inconsistent with the allowed length of the
0x32
command
0x33 Does not support the custom report of this route
0x34 The length of the reported parameter is out of range
The antenna is out of range, the device does not support so many
0x35
antennas
0x36 file size too big
0x37 Key error
0x38 File number verification error
0x39 File write error
0x3A File number sequence is wrong
0x3B IAP needs to be reinitialized
0x3C Other unknown errors
0x3D The number of downloaded data bytes does not match
0x3E Has entered IAP mode
0x3F File size check error
0x40 Flash erase failed
0x41 This register does not support this command code
0x42 The Bootloader does not support permanent exit from the upgrade mode
0x43 Jump to APP is not supported under APP
The frequency range of European frequency is 0-6, the frequency range
0x44 of US frequency is 0-52, and the frequency range of China is 0-10. The
minimum frequency cannot exceed the maximum frequency.
0x45 The region parameter range is 1-7
0x46 Does not support this trigger
0x47 Wiegand output is not supported
0x48 The switch value can only be 0 or 1
0x49 Failed to set power
0x4A Failed to set frequency band
0x4B Failed to set antenna
0x4C Buzzer parameter error
4
 UHF Reader Modbus Protocol development manual

Dpment Man
0x4D Card reading mode error
0x4E Trigger level error
0x4F Report mode error
0x50 Relay parameter error
0x51 Wrong label recognition area
0x52 TID address or length is not an integer multiple of 2
0x53 USER address or length is not an integral multiple of 2
0x54 The length of the read label is not an integral multiple of 8
0x55 Read TID function is not turned on
0x56 Read USER function is not turned on

3. Basic parameters

Register address: 8000-8035 (access address can be defined by yourself)

Register length: 0-36 (access length can be defined by yourself)

(This function is applicable to firmware versions of SW:1.1.8 and above. Firmware versions of
SW:1.1.8 and below can only access the 8000-8031 address field, and the device firmware version
number can be queried in the rfid-manager management software.)

Function description: If you set the relay 1 to be closed, you need to set the addresses of 8000 and
8001 to 0x01, if you set the relay 2 to be closed, you need to set the addresses of 8002 and 8003 to
0x01.

Note: 8000-8035 is a holding register, and the data of the whole register will be refreshed when the
instruction is issued. When modifying a certain parameter, to ensure that other parameters will not be
modified, please set the "set valid bit" of the parameter that does not need to be modified to 0.

Register Register Function code Length R/W Description

5
 UHF Reader Modbus Protocol development manual

address function
Dpment
(words)Attribute
Man
Register
status
value
Relay 1
8000 0x03/0x06/0x10 1 RW 0x00 invalid
valid
0x01 valid
0-
Register
status
value
8001 Relay1 0x03/0x06/0x10 1 RW
0x00 open
0x01 close
8002 Relay2valid 0x03/0x06/0x10 1 RW
Reference relay1
8003 Relay2 0x03/0x06/0x10 1 RW
8004 Relay3valid 0x03/0x06/0x10 1 RW
Reference relay1
8005 Relay3 0x03/0x06/0x10 1 RW
8006 Relay4valid 0x03/0x06/0x10 1 RW
Reference relay1
8007 Relay4 0x03/0x06/0x10 1 RW

S Register
y Working status
value
s 8008 mode valid
0x03/0x06/0x10 1 RW
t 0x00 invalid
e 0x01 valid
m
Register
Mode
p value
a 0x00 Command mode
r Working 0x01 Automatic mode
a 8009 mode
0x03/0x06/0x10 1 RW
m 0x02 Trigger mode
e Access door
t 0x03
mode
e
r Register
a status
Report value
r 8010 0x03/0x06/0x10 1 RW
mode valid 0x00 invalid
e
a 0x01 valid
Register
Report mode
value
0x00 Report directly
Report Regular reporting
8011 0x03/0x06/0x10 1 RW 0x01
mode method one
Regular reporting
0x02
method 2
0x03 Passive report
Register
status
Buzzer value
8012 0x03/0x06/0x10 1 RW
switch valid 0x00 invalid
0x01 valid
8013 Buzzer 0x03/0x06/0x10 1 RW Register
switch Status
value
0x00 close
6
 UHF Reader Modbus Protocol development manual

Dpment Man
0x01 Open
Register
status
Output value
8014 0x03/0x06/0x10 1 RW
power valid 0x00 invalid
0x01 valid
Output The output power range is:
8015 0x03/0x06/0x10 1 RW
power 0~33dbm
Register
Filter status
value
8016 interval 0x03/0x06/0x10 1 RW
0x00 invalid
valid
0x01 valid
Filter label filtering time interval
8017 0x03/0x06/0x10 1 RW
interval setting, unit: second
Register
RS485 status
value
8018 Baud rate 0x03/0x06/0x10 1 RW
0x00 invalid
is valid
0x01 valid
Register
Baud rate
value
0x00 9600
RS485 0x01 19200
8019 0x03/0x06/0x10 1 RW
Baud rate
0x02 38400
0x03 57600
0x04 115200
Register
RS485 status
value
8020 Address is 0x03/0x06/0x10 1 RW
0x00 invalid
valid
0x01 valid
RS485 Address range: 0~247, 0 is the
8021 0x03/0x06/0x10 1 RW
Address broadcast address
Register
RS232 status
value
8022 Baud rate 0x03/0x06/0x10 1 RW
0x00 invalid
is valid
0x01 valid
Register
Baud rate
value
0x00 9600
RS232 0x01 19200
8023 0x03/0x06/0x10 1 RW
Baud rate
0x02 38400
0x03 57600
0x04 115200
8024 Whether to 0x03/0x06/0x10 1 R/W Register
save the state
value
parameters
Don't save when
0x00
power off
0x01 Power-down save
0-
7
 UHF Reader Modbus Protocol development manual

8025 reserve 0x03/0x06/0x10 1

Dpment
RW ------
Man
8026 reserve 0x03/0x06/0x10 1 RW ------
8027 reserve 0x03/0x06/0x10 1 RW ------

register status
Set network value
8028 0x03/0x06/0x10 1 RW
parameters 0x00 not set
0x01 set
4 bytes, high byte in front, low
8029 IP address 0x03/0x06/0x10 2 RW
byte in the back.
Subnet 4 bytes, high byte in front, low
8031 0x03/0x06/0x10 2 RW
mask byte in the back.
Default 4 bytes, high byte in front, low
8033 0x03/0x06/0x10 2 RW
gateway byte in the back.
8035 reserve 0x03/0x06/0x10 1 RW ------

Modbus RTU message frame：

Send message format：

Explain Equipment Function code Start address Length: words CRC（2 bytes）
address (1 byte) (1 byte) (2 bytes) (2 bytes)
Message 01H 03H 1FH 40H 00H 24H 43H D1H

Response message format：

Explain Equipment Function code Number of bytes Register value CRC（2 bytes）
address (1 byte) (1 byte) (1 byte) (N bytes)
Message 01H 03H 48H ...... Checksum

Modbus TCP message frame：

Send message format：

Explain Header Equipment Function code Start address Length: words
(N bytes) address (1 byte) (1 byte) (2 bytes) (2 bytes)
Message ...... 01H 03H 1FH 40H 00H 24H

Response message format：

Explain Header Equipment Function code Number of bytes Register value
(N bytes) address (1 byte) (1 byte) (1 byte) (N bytes)
Message ...... 01H 03H 48H ......

4. Relay control

Note: If you need to use relay control in the project configuration but do not need to use other basic
parameters, you can use the registers in this area to control the relay. The relay-related registers only
8
 UHF Reader Modbus Protocol development manual

Dpment Man
support fixed address and length access. For example, the address accessed by relay 1 can only be
7000. The length can only be 1.
Relay control register
Reader Function Length(word R/W Power-down
Address(word) instruction
function code ) Attributes save
Relay 1 0x03/0x06 7000 1 RW ×
Relay 2 0x03/0x06 7001 1 RW ×
Relay 3 0x03/0x06 7002 1 RW ×
Relay 4 0x03/0x06 7003 1 RW ×

Modbus RTU message frame：

Example:Read relay 1 status.

Send message format：
Explain Equipment Function code Start address Length: words CRC（2 bytes）
address (1 byte) (1 byte) (2 bytes) (2 bytes)
Messag 01H 03H 1BH 58H 00H 01H 03H 3DH
e

Response message format：

Explain Equipment Function code Number of Register value CRC（2 bytes）
address (1 byte) (1 byte) bytes (1 byte) (N bytes)
Messag 01H 03H 02H ...... Checksum
e

Example: Set relay 1 status.

Send message format：
Explain Equipment Function code address Register value CRC（2 bytes）
address (1 byte) (1 byte) (2 bytes) (N bytes)
Messag 01H 06H 1BH 58H ...... Checksum
e

Response message format：

Explain Equipment Function code address Register value CRC（2 bytes）
address (1 byte) (1 byte) (2 bytes) (N bytes)
Messag 01H 06H 1BH 58H ...... Checksum
e

9
 UHF Reader Modbus Protocol development manual

Dpment Man
Modbus TCP message frame：

Example: Read relay 1 status.

Send message format：
Explain Header Equipment Function code Start address Length: words
(N bytes) address (1 (1 byte) (2 bytes) (2 bytes)
byte)
Messag ...... 01H 03H 1BH 58H 00H 01H
e

10
 UHF Reader Modbus Protocol development manual

Dpment Man
Response message format：
Explain Header (N Equipment Function code Number of Register value
bytes) address (1 byte) (1 byte) bytes (1 byte) (N bytes)
Messag ...... 01H 03H 02H ......
e

11
 UHF Reader Modbus Protocol development manual

Dpment Man
Example: Set relay 1 status.
Send message format：
Explain Header Equipment Function code Address Register value
(N bytes) address (1 byte) (1 byte) (2 bytes) (N bytes)
Messag ...... 01H 06H 1BH 58H ......
e

12
 UHF Reader Modbus Protocol development manual

Dpment Man
Response message format：
Explain Header Equipment Function code Address Register value
(N bytes) address (1 byte) (1 byte) (2 bytes) (N bytes)
Messag ...... 01H 06H 1BH 58H ......
e

5. Automatic / Trigger mode read label

5.1. Mode introduction

1. Users can configure the reader's working mode as "automatic card reading mode" and the reporting
condition as "passive reporting mode" through rfid-manager management software. When the reader
works in "automatic card reading mode" and "passive reporting mode", it is only necessary to set the
polling antenna (if there is only a single antenna, it is not necessary to set it) and then take out the
label continuously.

13
 UHF Reader Modbus Protocol development manual

Dpment Man
2. * Note: When using Modbus protocol to automatically read the label, the reader must be switched to
"passive reporting mode", otherwise the label will not be reported.
The trigger mode also belongs to the automatic mode, which requires the reader to access the external
trigger signal.

14
 UHF Reader Modbus Protocol development manual

Dpment Man

Note: After setting as shown above, do not use "Read / Write Tag" to test the listed labels, otherwise
the working mode will be switched to "Command Mode".

5.2. Read a single label (automatic / trigger mode)

Modbus function code：0x03

Register address：4000-4037（Access address can be defined by yourself）

Register length (words)：0-38（Access length can be defined by yourself）

15
 UHF Reader Modbus Protocol development manual

Dpment Man
Function: The reader is in the automatic/ trigger reading mode, and returns the data of EPC, TID and
USER area of one label from the FIFO of the reader. The default reporting field of the reader is EPC
area. If you want to read TID and USER area, you need to check the corresponding areas in the
"Reporting Field" of rfid-manager. (This register area will automatically hold the read label data, and
whether the label is read or not can be judged by the label status)

Register address Register definition Register description

4000 Label status 0x00 has no label, 0x01 has a label.
4001 Read antenna 0x01-- antenna 1
0x02-- antenna 2
0x03-- antenna 3
0x04-- antenna 4
4002 EPC effective length Indicates a valid EPC length. Unit:bytes
4003 TID effective length Indicates a valid TID length. Unit:bytes
4004 USER effective length Indicates a valid USER length. Unit:bytes
4005 Total label data length Total length of EPC+TID+USER. Unit:bytes
4006-4037 Label data The labels are arranged in the order of
EPC+TID+USER, with a maximum of 64 bytes.
To read the TID and USER areas, you need to
check the corresponding areas in the "Report
Field" of rfid-manager.
Modbus RTU message frame：

Send message format：

Explain Equipment Function code Start address Length: words CRC（2bytes）
address (1 byte) (1 byte) (2 bytes) (2 bytes)
Messag 01H 03H 0FH A0H 00H 26H C7H 26H
e

Response message format：

Explain Equipment Function code Number of Register value CRC（2 byte）
address (1 byte) (1 byte) bytes (1 byte) (N bytes)
Messag 01H 03H 4CH ...... Checksum
e

Modbus TCP message frame：

Send message format：

Explain Header Equipment Function code Start address Length: words
(N bytes) address (1 byte) (1 byte) (2 bytes) (2 bytes)
Messag ...... 01H 03H 0FH A0H 00H 26H
e

Response message format：

Explain Header Equipment Function code Number of Register value
(N bytes) address (1 byte) (1 byte) bytes (1 byte) (N bytes)
Messag ...... 01H 03H 4CH ......
e

16
 UHF Reader Modbus Protocol development manual

Dpment Man

5.3. Read multiple labels (automatic / trigger mode)

Function description: the reader is in the automatic/ trigger reading mode, and the data of tag EPC, TID
and USER area are returned from the FIFO of the reader. The default field reported by the reader is
EPC area. If you need to read TID area and USER area, you need to check the corresponding area
through the "Report Field" of rfid-manager.

5.3.1 List label data (96bit)

Modbus function code：0x03

Register address：5000（fixed）

Register length (words)：88（fixed）

One label takes up 22 register addresses, and at most 4 labels can be taken out at a time, that is, 88
register addresses. (If the reader reads only one label at a time, the label data will be displayed in the
first label, and the label data will not be automatically saved. If it is necessary to save the label data,
please do data transfer processing. )
Note: In automatic mode, the following labels will be cached, and the cache will be cleared after all the
labels are taken out.

The mapping relationship between the register label and the register label: (See Appendix: Figure 14-1
for detailed address description)

17
 UHF Reader Modbus Protocol development manual

Dpment Man
Register address Register definition Register description
The first label
5000 High byte：Ant Ant indicates the antenna number that reads
Low byte：Fin the label.

Fin indicates the card reading reason (bitmap)

BIT0 Automatic card reading
BIT1 FIN1Trigger card reading
BIT2 FIN2Trigger card reading
BIT3 FIN3Trigger card reading
BIT4 FIN1-->2Trigger card reading
BIT5 FIN2-->1Trigger card reading
5001 EPC useful length Indicates a valid EPC length,Unit: bytes
5002-5007 EPC data EPC data of the label(96bit)
5008 TID useful length Indicates a valid TID length,Unit: bytes
5009-5014 TID data TID data of the label(96bit)
5015 USER useful Indicates a valid USER length,Unit: bytes
length
5016-5021 USER data USER data of the label(96bit)
Second to fourth labels
5022-5043 The second label Same format as the first label
5044-5065 The third label Same format as the first label
5066-5087 The fourth label Same format as the first label
C

18
 UHF Reader Modbus Protocol development manual

Dpment Man
Modbus RTU message frame：

Send message format：

Explain Equipment Function code Start address Length: words CRC（2bytes）
address (1 byte) (1 byte) (2 bytes) (2 bytes)
Messag 01H 03H 13H 88H 00H 58H C0H 9EH
e

Response message format：

Explain Equipment Function code Number of Register value CRC（2 byte）
address (1 byte) (1 byte) bytes (1 byte) (N bytes)
Messag 01H 03H B0H ...... Checksum
e

Modbus TCP message frame：

Send message format：

Explain Header Equipment Function code Start address Length: words
(N bytes) address (1 byte) (1 byte) (2 bytes) (2 bytes)
Messag ...... 01H 03H 13H 88H 00H 58H
e

Response message format：

Explain Header Equipment Function code Number of Register value
(N bytes) address (1 byte) (1 byte) bytes (1 byte) (N bytes)
Messag ...... 01H 03H B0H ......
e

5.3.2 List label data (336bit)

Modbus function code：0x03

Register address：4900（fixed）

Register length (words)：100（fixed）

One label takes up 25 register addresses, and at most 4 labels can be taken out at a time, that is, 100
register addresses. (If the reader reads only one label at a time, the label data will be displayed in the
first label, and the label data will not be automatically saved. If it is necessary to save the label data,
please do data transfer processing. )
Note: In automatic mode, the following labels will be cached, and the cache will be cleared after all the
labels are taken out.
(This function is applicable to SW:1.1.8 and above firmware versions, and the firmware version number
of the equipment can be queried in the rfid-manager management software.)

19
 UHF Reader Modbus Protocol development manual

Dpment Man
Register address Register definition Register description
The first label
4900 High byte：Ant Ant indicates the antenna number that reads
Low byte：Fin the label.

Fin indicates the card reading reason (bitmap)

BIT0 Automatic card reading
BIT1 FIN1Trigger card reading
BIT2 FIN2Trigger card reading
BIT3 FIN3Trigger card reading
BIT4 FIN1-->2Trigger card reading
BIT5 FIN2-->1Trigger card reading
4901 EPC useful length Indicates a valid EPC length,Unit: bytes
4902 TID useful length Indicates a valid TID length,Unit: bytes
4903 USER useful length Indicates a valid USER length,Unit: bytes
4904-4924 EPC+TID+USER The label data is arranged in the order of
EPC+TID+USER, with a maximum of 42 bytes
(336bit).
Second to fourth labels
4925-4949 The second label Same format as the first label
4950-4974 The third label Same format as the first label
4975-4999 The fourth label Same format as the first label

20
 UHF Reader Modbus Protocol development manual

Modbus RTU message frame：

Dpment Man
Send message format：
Explain Equipment Function code Start address Length: words CRC（2bytes）
address (1 byte) (1 byte) (2 bytes) (2 bytes)
Messag 01H 03H 13H 24H 00H 64H 00H AEH
e

Response message format：

Explain Equipment Function code Number of Register value CRC（2 byte）
address (1 byte) (1 byte) bytes (1 byte) (N bytes)
Messag 01H 03H C8H ...... Checksum
e

Modbus TCP message frame：

Send message format：

Explain Header Equipment Function code Start address Length: words
(N bytes) address (1 byte) (1 byte) (2 bytes) (2 bytes)
Messag ...... 01H 03H 13H 24H 00H 64H
e

Response message format：

Explain Header Equipment Function code Number of Register value
(N bytes) address (1 byte) (1 byte) bytes (1 byte) (N bytes)
Messag ...... 01H 03H C8H ......
e

6. Command mode read label

6.1. Mode introduction

Users can configure the reader's working mode to "command card reading mode" through rfid-
manager management software. When the reader works in "command card reading mode", it can send
a specified command packet, and then take out the label EPC.

6.2. Read a single label EPC(command mode)

Note: If the reader has only one antenna, antenna 1 is used to read the label by default.

Function: The reader is in the command card reading mode, and returns the label EPC area data from
21
 UHF Reader Modbus Protocol development manual

Dpment Man
the FIFO of the reader. This mode cannot return the label TID area and the USER area, and only one
label can be listed when a card reading command is issued. This register area will automatically store
the read label data, and whether the label is read or not can be judged by the label status.

Mapping relationship between registers and labels:

Address Functio Length Register function Register description

n code (word)
5100：
5100 0x03 0-34(change) Antenna 1 Read 0x00 has no label.
Label EPC 0x01 has a label.
5101：EPC useful length，Unit (Bytes)
5102-5133： EPC number

5200：
5200 0x03 0-34(change) Antenna 2 Read 0x00 has no label.
Label EPC 0x01 has a label.
5201：EPC useful length，Unit (Bytes)

5202-5233：EPC number

5300：
5300 0x03 0-34(change) Antenna 3 Read 0x00 has no label.
Label EPC 0x01 has a label.
5301：EPC useful length，Unit (Bytes)

5302-5333：EPC number

5400：
5400 0x03 0-34(change) Antenna 4 Read 0x00 has no label.
Label EPC 0x01 has a label.
5401：EPC useful length，Unit (Bytes)

5402-5433：EPC number

22
 UHF Reader Modbus Protocol development manual

Dpment Man

Modbus RTU message frame：

Example: Antenna 1 read label EPC.

Send message format：

Explain Equipment Function code Start address Length: words CRC（2bytes）
address (1 byte) (1 byte) (2 bytes) (2 bytes)
Messag 01H 03H 13H ECH 00H 22H 00H A2H
e

Response message format：

Explain Equipment Function code Number of Register value CRC（2 byte）
address (1 (1 byte) bytes (2 bytes) (64 bytes)
byte)
Messag 01H 03H ...... ...... Checksum
e

Modbus TCP message frame：

Example: Antenna 1 read label EPC.

Send message format：

Explain Header Equipment Function code Start address Length: words
(N bytes) address (1 byte) (1 byte) (2 bytes) (2 bytes)
Messag ...... 01H 03H 13H ECH 00H 22H
e

Response message format：

Explain Header Equipment Function code Number of Register value
(N bytes) address (1 byte) (1 byte) bytes (2 bytes) (64 bytes)
Messag ...... 01H 03H ...... ......
e

23
 UHF Reader Modbus Protocol development manual

Dpment Man
7. Fast write label EPC

Note: This function can be used to quickly modify the EPC number of the label in command mode and
automatic mode.

7.1. Label mask

Function description: This register can only be accessed from address 7100 and supports 03H and
10H function codes. The EPC mask of the label can be set through this register. When the length of the
mask is not 0, the reader will match before writing the label. Target label EPC; when the mask length is
set to 0, it means that the mask is not used. The mask is not saved when power off. The length of the
access address can be adjusted according to the actual length of the EPC.

Address (word) Function code Binding function Description

7100 0x03/0x10 EPC Len Mask length, unit, byte, up to 64 bytes
7101 0x03/0x10 EPC Data0 EPC mask data 0
7102 0x03/0x10 EPC Data1 EPC mask data 1
... ... ... ...
7132 0x03/0x10 EPC Data31 EPC mask data 31

24
 UHF Reader Modbus Protocol development manual

Modbus RTU message frame：

Dpment Man
Example: Read mask data,EPC mask data length is 6 words.
Send message format：
Explain Equipment Function code Start address Length: words CRC（2 bytes）
address (1 byte) (1 byte) (2 bytes) (2 bytes)
Messag 01H 03H 1BH BCH 00H 07H C3H 08H
e

Response message format：

Explain Equipment Function code Number of Register value CRC（2 bytes）
address (1 byte) (1 byte) bytes (1 byte) (N bytes)
Messag 01H 03H 0EH ...... Checksum
e

Example: Set the label mask to lock the EPC length of the target label to 6 words.
Send message format：
Explain Equipment Function Address Write Data Write data CRC
address (1 code (1 (2 bytes) length: length: (N bytes) (2 bytes)
byte) byte) word (2 Byte (1
bytes) byte)
Messag 01H 10H 1BH BCH 00H 07H 0EH ...... Checksum
e

Response message format：

Explain Equipment Function code Address Write length: CRC（2 bytes）
address (1 byte) (1 byte) (2 bytes) word (2 bytes)
Messag 01H 10H 1BH BCH 00H 07H Checksum
e

Modbus TCP message frame：

Example: Read mask data,EPC mask data length is 6 words.

Send message format：
Explain Header (N Equipment Function code Start address Length: words
bytes) address (1 byte) (1 byte) (2 bytes) (2 bytes)
Messag ...... 01H 03H 1BH BCH 00H 07H
e

Response message format：

Explain Header (N Equipment Function code Number of Register value
bytes) address (1 byte) (1 byte) bytes (1 byte) (N bytes)
Messag ...... 01H 03H 0EH ......
e

25
 UHF Reader Modbus Protocol development manual

Dpment Man
Example: Set the label mask to lock the EPC length of the target label to 6 words.
Send message format：
Explain Header (N Equipment Function Address Write Data Write data
bytes) address (1 code (1 (2 bytes) length: length: (N bytes)
byte) byte) word (2 Byte (1
bytes) byte)
Messag ...... 01H 10H 1BH BCH 00H 07H 0EH ......
e

Response message format：

Explain Header Equipment Function code Address Write length:
(N bytes) address (1 byte) (1 byte) (2 bytes) word (2 bytes)
Messag ...... 01H 10H 1BH BCH 00H 07H
e

7.2. Fast write label EPC

Note: If the reader has only one antenna, antenna 1 is used to write labels by default.
Function description: When the user writes the corresponding address, the EPC number of the label
will be rewritten. If the label mask is not set, a label will be rewritten randomly. If a label mask is set,
only labels that meet the mask conditions will be written. The length of the access address can be
adjusted according to the actual length of the EPC, with a maximum write length of 32 words.

Address Function Length Register function Description

(word) code (words)
0x10 0-32(change) Map to the EPC area of the Use antenna 1 to write
6000
label labels
6100 0x10 0-32(change) Map to the EPC area of the Use antenna 2 to write
label labels
6200 0x10 0-32(change) Map to the EPC area of the Use antenna 3 to write
label labels
6300 0x10 0-32(change) Map to the EPC area of the Use antenna 4 to write
label labels

Modbus RTU message frame：

Example: 1 write label EPC for antenna, the length of EPC area is 6 words, and write data.
Send message format：
Explain Equipment Function Address Write Data Write data CRC
address (1 code (1 (2 bytes) length: length: (N bytes) (2 bytes)
byte) byte) word Byte (1
(2 bytes) byte)
Messag 01H 10H 17H 70H 00H 06H 0CH ...... Checksum
e

Response message format：

Explain Equipment Function code Address Write length: CRC（2 bytes）
address (1 byte) (1 byte) (2 bytes) word (2 bytes)
Messag 01H 10H 17H 70H 00H 06H Checksum
e

26
 UHF Reader Modbus Protocol development manual

Dpment Man
Modbus TCP message frame：

Example: 1 write label EPC for antenna, the length of EPC area is 6 words, and write data.
Send message format：
Explain Header (N Equipment Function Address Write Data Write data
bytes) address (1 code (1 (2 bytes) length: length: (N bytes)
byte) byte) word Byte (1
(2 bytes) byte)
Messag ...... 01H 10H 17H 70H 00H 06H 0CH ......
e

Response message format：

Explain Header (N Equipment Function code Address Write length:
bytes) address (1 byte) (1 byte) (2 bytes) word (2 bytes)
Messag ...... 01H 10H 17H 70H 00H 06H
e

8. Read label EPC/TID/USER/PASSWORD

Function description: When the reader is in automatic card reading mode or

command card reading mode, it can issue commands to read the data in EPC
area, TID area and USER area of the tag through the 4138-4143 register. The
obtained tag data and results are displayed in the 4038-4074 address field.

8.1. Read label EPC/TID/USER/PASSWORD

Modbus function code：0x10

Register address：4138-4143（fixed）

Register length (words)：6（fixed）

Read EPC area: read the data in the specified area, and the starting address of reading starts from the
4th byte.
Read TID area: read the data in the specified area, and the starting address of reading starts from byte
0.
Read USER area: read the data in the specified area, and the starting address of reading starts from
byte 0.

27
 UHF Reader Modbus Protocol development manual

Dpment Man
Register address Register definition Register description
4138 Write antenna 0x01-- write with antenna 1
0x02-- write with antenna 2
0x03-- write with antenna 3
0x04-- write with antenna 4
4139-4140 Label access password If the label is locked, an access password is
required to successfully write, 4 bytes.
4141 Read area 0x00-- password area
0x01-- EPC area
0x02-- TID area
0x03-- USER area
4142 Read address Must be a multiple of 2.Unit:bytes
4143 Read length Must be a multiple of 2.Unit:bytes

Modbus RTU message frame：

Send message format：

Explain Equipment Function Address Write Data Write data CRC
address (1 code (1 (2 bytes) length: length: (N bytes) (2 bytes)
byte) byte) word Byte (1
(2 bytes) byte)
Messag 01H 10H 10H 2AH 00H 06H 0CH ...... Checksum
e

Response message format：

Explain Equipment Function code Address Write length: CRC（2 bytes）
address (1 byte) (1 byte) (2 bytes) word (2 bytes)
Messag 01H 10H 10H 2AH 00H 06H Checksum
e

Modbus TCP message frame：

Send message format：

Explain Header (N Equipment Function Address Write Data Write data
bytes) address (1 code (1 (2 bytes) length: length: (N bytes)
byte) byte) word Byte
(2 bytes) (1 byte)
Messag ...... 01H 10H 10H 2AH 00H 06H 0CH ......
e

Response message format：

Explain Header (N Equipment Function code Address Write length:
bytes) address (1 byte) (1 byte) (2 bytes) word (2 bytes)
Messag ...... 01H 10H 10H 2AH 00H 06H
e

28
 UHF Reader Modbus Protocol development manual

Dpment Man

8.2.Read label result flag bit and Label data display

Modbus function code：0x03

Register address：4038-4074（Access address can be defined by yourself）

Register length (words)：0-37（Access length can be defined by yourself）

This register area can be used to view the read result flag of "Read label EPC/TID/USER/PASSWOR"
and the read label data.

Register address Register definition Register description

4038 write label result flag bit 0x55 success
0x11 failed
0x00 No operation
4039 Read antenna 0x01-- antenna 1
0x02-- antenna 2
0x03-- antenna 3
0x04-- antenna 4
4040 Read area 0x00-- password area
0x01-- EPC area
0x02-- TID area
0x03-- USER area
4041 Read address Unit:bytes
4042 Read length Unit:bytes
4043-4074 Label data Maximum 64 bytes

29
 UHF Reader Modbus Protocol development manual

Modbus RTU message frame：

Dpment Man
Send message format：
Explain Equipment Function code Start address Length: words CRC（2bytes）
address (1 byte) (1 byte) (2 bytes) (2 bytes)
Messag 01H 03H 0FH C6H 00H 25H 67H 38H
e

Response message format：

Explain Equipment Function code Number of Register value CRC（2 byte）
address (1 byte) (1 byte) bytes (1 byte) (N bytes)
Messag 01H 03H 4AH ...... Checksum
e

Modbus TCP message frame：

Send message format：

Explain Header Equipment Function code Start address Length: words
(N bytes) address (1 byte) (1 byte) (2 bytes) (2 bytes)
Messag ...... 01H 03H 0FH C6H 00H 25H
e

Response message format：

Explain Header Equipment Function code Number of Register value
(N bytes) address (1 byte) (1 byte) bytes (1 byte) (N bytes)
Messag ...... 01H 03H 4AH ......
e

9. Write label EPC/USER/PASSWORD

9.1. Write label EPC/USER/PASSWORD

Modbus function code：0x06/0x10

Register address：4100-4037（Access address can be defined by yourself）

Register length (words)：0-38（Access length can be defined by yourself）

Function: The reader is in the "automatic card reading mode" or "command card reading mode", and
the data in EPC area and USER area of the label can be modified by issuing commands in this register
area.

30
 UHF Reader Modbus Protocol development manual

Dpment Man
Write EPC area: only modify the data of the specified area, and the actual length of EPC will not be
changed. The write start address starts from the 4th byte.
Fast write EPC area : modifying the data of the whole EPC area will change the actual length of the
target label, The writing start address starts from the 0th byte.
USER area: only the data of the specified area will be modified, and the actual length of the USER
area will not be changed. The writing start address starts from the 0th byte.

Register address Register definition Register description

4100 Write antenna 0x01-- write with antenna 1
0x02-- write with antenna 2
0x03-- write with antenna 3
0x04-- write with antenna 4
4101-4102 Label access password If the label is locked, an access password is
required to successfully write, 4 bytes.
4103 Write area 0x00 password area
0x01 EPC area
0x02 (meaningless, reserved)
0x03 USER area
0x04 fast write EPC area
4104 Write address Must be a multiple of 2.Unit:bytes
4105 Write length Must be a multiple of 2.Unit:bytes
4106-4137 Write data Maximum 64 bytes

Modbus RTU message frame：

Example: Write the label EPC, and write 3 words of data into the label EPC area (that is, write the
4100-4108 register).

Send message format：

Explain Equipment Function Address Write Data Write data CRC
address (1 code (1 (2 bytes) length: length: (N bytes) (2 bytes)
byte) byte) word Byte (1
(2 bytes) byte)
Messag 01H 10H 10H 04H 00H 09H 12H ...... Checksum
e

Response message format：

Explain Equipment Function code Address Write length: CRC（2 bytes）
address (1 byte) (1 byte) (2 bytes) word (2 bytes)
Messag 01H 10H 10H 04H 00H 09H Checksum
e

Modbus TCP message frame：

31
 UHF Reader Modbus Protocol development manual

Dpment Man
Example: Write the label EPC, and write 3 words of data into the label EPC area (that is, write the
4100-4108 register).
Send message format：
Explain Header (N Equipment Function Address Write Data Write data
bytes) address (1 code (1 (2 bytes) length: length: (N bytes)
byte) byte) word Byte
(2 bytes) (1 byte)
Messag ...... 01H 10H 10H 04H 00H 09H 12H ......
e

Response message format：

Explain Header (N Equipment Function code Address Write length:
bytes) address (1 byte) (1 byte) (2 bytes) word (2 bytes)
Messag ...... 01H 10H 10H 04H 00H 09H
e

9.2.Write label result flag bit

Description: This command can view the writing result of "write label EPC/USER/PASSWORD".

write label result flag bit

Function Address Length R/W Power-down
Reader function instruction
code (word) (word) Attributes save
0x55 success
write label result
0x03 4705 1 R × 0x11 failed
flag bit
0x00 No operation

32
 UHF Reader Modbus Protocol development manual

Modbus RTU message frame：

Dpment Man
Send message format：
Explain Equipment Function code Start address Length: words CRC（2bytes）
address (1 byte) (1 byte) (2 bytes) (2 bytes)
Messag 01H 03H 0FH EBH 00H 01H F7H 2AH
e

Response message format：

Explain Equipment Function code Number of Register value CRC（2 byte）
address (1 byte) (1 byte) bytes (1 byte) (N bytes)
Messag 01H 03H 02H ...... Checksum
e

Modbus TCP message frame：

Send message format：

Explain Header Equipment Function code Start address Length: words
(N bytes) address (1 byte) (1 byte) (2 bytes) (2 bytes)
Messag ...... 01H 03H 0FH EBH 00H 01H
e

Response message format：

Explain Header Equipment Function code Number of Register value
(N bytes) address (1 byte) (1 byte) bytes (1 byte) (N bytes)
Messag ...... 01H 03H 02H ......
e

10. Clear label data

Description: This command can clear the label data read in automatic mode and command mode.And
33
 UHF Reader Modbus Protocol development manual

write label result flag bit.

Dpment Man
Clear label data
Function Address Length R/W Power-down
Reader function instruction
code (word) (word) Attributes save
Clear label data 0x06/0x10 7004 1 W ×

Modbus RTU message frame：

Send message format：

Explain Equipment Function code address Register value CRC（2 bytes）
address (1 byte) (1 byte) (2 bytes) (2 bytes)
Messag 01H 06H 1BH 5CH 00H 01H Checksum
e

Response message format：

Explain Equipment Function code address Register value CRC（2 bytes）
address (1 byte) (1 byte) (2 bytes) (N bytes)
Messag 01H 06H 1BH 5CH 00H 01H Checksum
e

Modbus TCP message frame：

Send message format：

Explain Header Equipment Function code Address Register value
(N bytes) address (1 byte) (1 byte) (2 bytes) (2 bytes)
Messag ...... 01H 06H 1BH 5CH 00H 01H
e

Response message format：

Explain Header Equipment Function code Address Register value
(N bytes) address (1 byte) (1 byte) (2 bytes) (2 bytes)
Messag ...... 01H 06H 1BH 5CH 00H 01H
e

11. PLC(Modbus TCP protocol)example

application

11.1. Preparation stage

·UHF reader supporting Modbus protocol

·Siemens PLC Controller
·Botu Software (V15.1)

34
 UHF Reader Modbus Protocol development manual

·Network switch and host computer

Dpment Man

11.2. Function description

The SIMATIC S7-1200 series PLC communicates with the reader through Modbus TCP protocol. If the
PLC model is different, please refer to the same parameter configuration.

The CPU module of the SIMATIC S7-1200 series PLC integrates the Profinet communication network
port, which is an open, standard, real-time Ethernet industrial standard, and supports multiple protocols
such as S7 and Modbus TCP for communication. The reader communicates with the SIMATIC S7-
1200 series PLC through the Modbus TCP protocol, which can transmit data and receive instructions
quickly and accurately.

The PLC reads/writes data to the reader, and the host computer reads/writes data to the reader
through the PLC.

Schematic diagram of working principle

11.3. Introduction to PLC configuration (Botu V15.1 SP1 as an

example)

11.3.1. Create project

1. Open the software -> create a project -> device and network management -> add a new device
(PLC) -> click on the device view -> set the subnet and IP address (if need to use the router, check the
use of router).

35
 UHF Reader Modbus Protocol development manual

Dpment Man

11.3.2. PLC address formation

1. Check the hardware identifier of the CPU, device configuration -> select interface -> properties ->
system constants.

2.Create the DB data block "ModbusTCP_CONNECT" in the PLC, create the "TCON_IP_v4"
background data area, and fill in the IP address, slave address, and port number of the corresponding
reader.

36
 UHF Reader Modbus Protocol development manual

Dpment Man

3. Create the DB data block "Read_Config", uncheck "Optimized block access" in the properties, add
the data storage area "static", create the address area corresponding to the register table of the reader
in "static", use To collect the data of the reader and store it. For different types of data, the PLC reads
the data in the form of bytes or words. For holding registers, Siemens supports address ranges from
40001 to 49999 and 40001 to 465535.

37
 UHF Reader Modbus Protocol development manual

Dpment Man

4.For the special register area set in the reader (only words or bytes of the corresponding length can
be read/written), the specific address area is also divided in the PLC.

5.Also create the DB data block "Write_Config", uncheck "Optimized block access" in the properties,
and add the data storage area "static" to write data to the reader.

38
 UHF Reader Modbus Protocol development manual

Dpment Man

11.3.3. Communication between PLC and reader

The PLC serves as the client, the reader as the server, and Modbus TCP communication is established
to realize the data transmission from the reader to the PLC, or the PLC to write data to the reader.
1.Instruction introduction
The "MB_CLIENT" instruction acts as a Modbus TCP client to communicate through a network
port connection. Through the "MB_CLIENT" instruction, you can establish a connection between the
client and the server, send Modbus requests, receive responses, and control the connection terminal
of the Modbus TCP client.
* When using a client connection, remember the following rules:
·Each "MB_CLIENT" connection must use a unique instance data block.
·For each "MB_CLIENT" connection, a unique server IP address must be specified.
·Each "MB_CLIENT" connection requires a unique connection ID.
·Each instance data block of this instruction must use its corresponding connection ID. The
connection ID and the instance data block are combined into a pair, and the combination pair must
be unique for each connection.
·Depending on the server configuration, the unique number of the IP port may or may not be
required.

2.Create FC1 block, select "MB_CLIENT" function block in Instruction Communication -> Others ->
Modbus TCP, drag it into the middle of the program segment to complete the configuration as shown in
the figure below
Main parameter configuration:
·DISCONNECT: 0=establish connection, 1=terminate connection;
39
 UHF Reader Modbus Protocol development manual

·MB_MODE：0=read data，1=write data；

Dpment Man
·MB_DATA_ADDR: Register address, the address of 03 read function code is 40001-49999 and
400001-465535;
·MB_DATA_LEN: register length;
·MB_DATA_PTR: Point to the data to be received from the Modbus server or the data buffer to be sent
to the Modbus server;
·CONNECT：Pointer to the connection description structure.

（1）For example, the following figure configures the registers used to read the reader 5000 to 5087 in
the FC1 block， and stores them in the PP1 data area of the PLC's Read_Config.

（2）Create a "write" instruction block with "MB_CLIENT".

40
 UHF Reader Modbus Protocol development manual

Dpment Man
3.The other read/write addresses are constructed in FC1 in the same way. If the project needs to
access more register areas of the reader, it is recommended to increase the polling function to access
the "MB_CLIENT" function block. After the construction is completed, in the Main ( OB1) call the "FC1"
block.

11.3.4. Data monitoring

1.After the compilation is correct, download the program to the PLC, connect the reader to
the PLC, and monitor the data of the reader in real time in the corresponding DB data
area.

41
 UHF Reader Modbus Protocol development manual

Dpment Man

2.Stay online and check the PLC to read the data from the reader.

11.3.5. PLC and host computer communication establishment

The PLC is used as the server, and the upper computer is used as the client ， to establish Modbus
TCP communication to realize the transmission of data collected by the PLC to the upper computer for
display, and the upper computer to issue control commands to the PLC.

42
 UHF Reader Modbus Protocol development manual

Dpment Man

1.Create the "ModbusTCP_Server" DB block, call the "TCON_IP_v4" background data area, fill in the
parameters of the PLC as the server; create a storage area for transmitting data to the host computer.

2.In Instruction -> Communication -> Others -> Modbus TCP, select the MB_SERVER function block
and drag it to the main program segment to configure the corresponding parameters.

43
 UHF Reader Modbus Protocol development manual

Dpment Man
12. Example application of PLC (Modbus RTU

protocol)

12.1. Preparation stage

·UHF reader supporting Modbus protocol

·Siemens PLC and RS232/RS485 serial port module
·Botu Software (V15.1)
·Network switch and host computer

12.2. Introduction to PLC configuration (Botu V15.1 SP1 as an

example)

Note: Examples of data block creation and communication between PLC and host computer have been
introduced in Section 6, and will not be detailed here.

Take Siemens' 1200 series CPU and CM1241 communication module with model 1214 as an example.
If the PLC model is different, please refer to the same parameter configuration. The Modbus RTU in
the Botu software TIA library contains three instructions (Modbus_Comm_Load, Modbus_Master,
Modbus_Slave). The CM1241 Modbus RTU master station uses two communication blocks,
"Modbus_Comm_Load" and "Modbus_Master". Among them, the "Modbus_Comm_Load" block only
needs to be called once to initialize the Modbus communication port, which is usually executed during
the first scan. The "Modbus_Master" block is used for the master to read and write the register data of
the slave modules.

44
 UHF Reader Modbus Protocol development manual

Dpment Man

Schematic diagram of working principle

Note: The input parameter "MB_DB" when calling "Modbus_Comm_Load" is the instance data block
when calling "Modbus_Master" to establish.

12.2.1. Create a project

1. Open the software -> create a project -> device and network management -> add a new device
(PLC) -> click on the device view -> open the hardware catalog -> communication module -> point to
point -> add the corresponding serial port module.

12.2.2. Communication between PLC and reader

45
 UHF Reader Modbus Protocol development manual

Dpment Man
1.View the hardware identifier, select the corresponding serial port to be added, and click Properties ->
System Constant. The hardware identifier of the RS485 communication module is 269. (The method of
viewing the hardware identifier of the RS232 module is the same).

2.Select Communication -> Communication Processor -> Modbus_Comm_Load instruction in the

Modbus (RTU) instruction library, and drag it into the program segment.
The configuration items of Modbus_Comm_Load mainly include:
·PORT：the hardware identifier of the communication port;
·BAUD：Baud rate selection;
·RESP_TO:Set the response data timeout time;
·MB_DB:Reference to the instance data block of Modbus_Master or Modbus_Slave instruction.

3.Modbus_Comm_Load instruction instance data block configuration. The static variable "MODE" in
the Modbus_Comm_Load instruction instance data block is used to describe the working mode of the
PTP module. The valid working modes include:
46
 UHF Reader Modbus Protocol development manual

Dpment Man
·0 = Full duplex (RS232)
·1 = Full duplex (RS422) four-wire mode (point-to-point)
·2 = Full duplex (RS422) four-wire mode (multipoint master station)
·3 = Full duplex (RS 422) four-wire mode (multipoint slave)
·4 = Half-duplex (RS485) two-wire mode

The default data of the static variable "MODE" is 0 (RS232 full-duplex mode), and the value
needs to be modified according to the actual configuration. Taking RS485 communication as an
example, the module working in RS485 half-duplex mode needs to modify the value to 4. (The
parameter configuration of RS232 and RS485, except for this difference, the other configuration
methods of RS232 and RS485 are the same.)

Click system block -> program resources -> Modbus_Comm_Load background data -> modify
the value of MODE.

4. PLC as the master station, the reader as the slave station, calling the Modbus_Master block to
realize the function

Main parameter configuration:

·MB_ADDR:Slave address；

·MODE：0 = read data，1 = write data；

·DATA_ADDR：Register address, the address of 03 read function code is 40001-49999 and 400001-
465535;

·DATA_LEN：Register length；

·DATA_PIR:Data storage area, used to set the storage length of the read data and store the read register
data.

47
 UHF Reader Modbus Protocol development manual

Dpment Man
（1）For example, read the registers of the reader 5000 to 5087 and store them in the PP1 data area of
PLC's Read_Config.

（2）Create a "write" instruction block through Modbus_Master.

5.The other read/write addresses are constructed in FC1 in the same way. If the project needs to
access more register areas of the reader, it is recommended to increase the polling function to access
the "MB_Master" function block. After the construction is completed, in Main (OB1 ) Call the "FC1"
block.

48
 UHF Reader Modbus Protocol development manual

Dpment Man

49
 UHF Reader Modbus Protocol development manual

Dpment Man
13. Attached: Modbus protocol

13.1. Protocol frame format

Table 13-1 and Table 13-2 are the frame formats of Modbus protocol applied to RS485/RS232 and
TCP protocol respectively. Their simple protocol data unit (PDU) is the same, which includes function
codes and data. The application data unit (ADU) varies according to the communication layer carried.
When the Modbus protocol is mounted on RS485/RS232, it is necessary to add the device address
and CRC check to form the ADU. When the Modbus protocol is mounted on the TCP protocol, the
MBAP header needs to be added to form the ADU, see Table 13-3.

Table13-1 Modbus RTU frame format

<<- - - - - - - - - - - - - - - - - - - - - - - - - - -（ADU）- - - - - - - - -- - - - - - - - - - - - - - - - - - - - >>

<<- - - - - - - - - - - -（PDU）- - - - - - - - - - -
- ->>
Address domain Function code Data CRC check
1 byte 1 byte Maximum 253 bytes 2 bytes

Table 13-2 Modbus RTU frame format

<<- - - - - - - - - - - - - - - - - - - - - - - - - - -（ADU）- - - - - - - - - - - - - - - - - - - - - - - - - - - - - >>

<<- - - - - - - - - - - - - - - - - - - - -（PDU）- - - - - - - - - - - - - - - - - - - - ->>
MBAP
message Function code Data
header
7 Bytes 1 byte Maximum 253 bytes

Table13-3 Modbus TCP MBAP header format

Domain Length Description Client Server

MODBUS MODBUS
Transaction The client The server to copy from the
2 bytes request/response
identifier starts received request
transaction identifier
Protocol The client The server to copy from the
2 bytes 0=Modbus Protocol
identifier starts received request
The
Number of bytes
Length 2 bytes Client The Server response
after this field
request
The identification
code of the remote
Unit slave station The client The server re-copy from the
1 byte
identifier connected on the starts received request
serial link or other
bus

50
 UHF Reader Modbus Protocol development manual

Dpment Man
13.2. （0x03）Read holding register PDU

0x03 function code is used to read one or more registers. The start address of the register to be read
and the number of registers to be read need to be specified in the request PDU. The response
message contains the number of bytes returned and the register value.

Request:
Function code 1 byte 0x03
Start address 2 bytes 0x0000 to 0xFFFF
Number of registers 2 bytes 1 to 125（0x7D）

Response:
Function code 1 byte 0x03
Number of bytes 1 byte 2*N
Register value 2*N bytes Value

Error:
Error code 1 byte 0x83
Exception code 1 byte Error code comparison table

13.3. （0x06）Write a single register PDU

0x06 function code is used to write a single holding register. The request PDU needs to specify the
address of the register to be written and the value of the register. The response message contains the
written register address and register value.

Request
Function code 1 byte 0x06
Register address 2 byte 0x0000 to 0xFFFF
Register value 2 bytes Value

Response:
Function code 1 byte 0x06
Register address 1 byte 2*N
Register value 2*N bytes Value

Error :
Error code 1 byte 0x86
Exception code 1 byte Error code comparison table

51
 UHF Reader Modbus Protocol development manual

Dpment Man

13.4. （0x10）Write multiple register PDU

0x10 function code is used to write consecutive register blocks. The request PDU needs to specify the
starting address of the register block to be written, the number of registers to be written, the number of
bytes to be written, and the register to be written. The response message contains the start address of
the register to be written and the number of registers.

Request:
Function code 1 byte 0x10
Start address 2 bytes 0x0000 to 0xFFFF
Number of registers 2 bytes 0x0001 to 0x0078
Number of bytes 1 byte 2*N
Register value 2*N bytes Value

Response:
Function code 1 byte 0x10
Start address 2 bytes 0x0000 to 0xFFFF
Number of registers 2 bytes 1 to 123（0x7B）

Error:
Error code 1 byte 0x90
Exception code 1 byte Error code comparison table

52
 UHF Reader Modbus Protocol development manual

Dpment Man

14. Appendix

Figure 14-1 Read multiple labels (automatic mode) table (bytes)

53