CP 341 441-Slave

Preface, Contents
Product Description 1
SIMATIC 2
Installation
Loadable Driver for Mode of Operation 3

Point-to-Point CPs 4
Commissioning the Driver
MODBUS Protocol
RTU Format Commissioning the FB 5
S7 is Slave
CPU - CP Interface 6
Manual
Transmission Protocol 7
Function Codes 8
Diagnostics of the Driver 9
Diagnostics of the FB 10
Appendices
Technical Data A
Wiring Diagrams Multipoint B
Literature List C
Glossary, Index
This manual is part of the documentation

package with the order number:
6ES7870-1AB00-0YA0
Edition 05/2003
A5E00218418-04
Safety Guidelines
This manual contains notices intended to ensure personal safety, as well as to protect the products and
connected equipment against damage. These notices are highlighted by the symbols shown below and
graded according to severity by the following texts:
Danger
! indicates that death, severe personal injury or substantial property damage will result if proper
precautions are not taken.
Warning
! indicates that death, severe personal injury or substantial property damage can result if proper
precautions are not taken.
Caution
! indicates that minor personal injury can result if proper precautions are not taken.
Caution
indicates that property damage can result if proper precautions are not taken.
Notice
draws your attention to particularly important information on the product, handling the product, or to a
particular part of the documentation.
Qualified Personnel
Only qualified personnel should be allowed to install and work on this equipment. Qualified persons are
defined as persons who are authorized to commission, to ground and to tag circuits, equipment, and
systems in accordance with established safety practices and standards.
Correct Usage
Note the following:
Warning
! This device and its components may only be used for the applications described in the catalog or the
technical description, and only in connection with devices or components from other manufacturers
which have been approved or recommended by Siemens.
This product can only function correctly and safely if it is transported, stored, set up, and installed
correctly, and operated and maintained as recommended.
Trademarks
SIMATIC®, SIMATIC HMI® and SIMATIC NET® are registered trademarks of SIEMENS AG.
Third parties using for their own purposes any other names in this document which refer to trademarks might
infringe upon the rights of the trademark owners.
Copyright © Siemens AG 2003 All rights reserved Disclaimer of Liability

The reproduction, transmission or use of this document or its We have checked the contents of this manual for agreement with
contents is not permitted without express written authority. the hardware and software described. Since deviations cannot be
Offenders will be liable for damages. All rights, including rights precluded entirely, we cannot guarantee full agreement. However,
created by patent grant or registration of a utility model or design, the data in this manual are reviewed regularly and any necessary
are reserved. corrections included in subsequent editions. Suggestions for
improvement are welcomed.
Siemens AG
Bereich Automation and Drives
Geschaeftsgebiet Industrial Automation Systems ©Siemens AG 2003
Postfach 4848, D- 90327 Nuernberg Technical data subject to change.
Siemens Aktiengesellschaft A5E00218418-04
Preface
Purpose of the Manual

The information in this manual will enable you to establish and commission a data
link between a CP in the form of a “Modbus capable” slave and a Modbus Master
control system.
Required Basic Knowledge

You require a general knowledge in the field of automation engineering to be able
to understand this manual.
In addition, you should know how to use computers or devices with similar
functions (e.g programming devices) under Windows 95/98/2000/NT or XP
operating systems. Since loadable driver are based on the STEP 7 software, you
should also know how to operate it. This is provided in the manual "Programming
with STEP 7 V5.2".
Where is this Manual valid?

This manual is valid for the following software package:
Product Order Number from Version

Loadable Driver for Point-to-Point CPs 6ES7 870-1AB00-0YA0 3.0
Notice
This manual contains the description of the driver and the function block as is valid
at the time of publication.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, S7 is Slave

A5E00218418-04 iii
Preface
Finding Your Way

This manual describes the function of the loadable driver and how it is linked to the
hardware and software of the CP 341 and CP 441-2 communications processors.
The manual covers the following topics:
• Product Description / Installation
• Mode of Operation of the Data Link
• Commissioning the Driver / Installation / Parameter Assignment
• Commissioning the Function Block / Parameter Assignment / STEP 7
Application Example
• CPU-CP Interface
• Transmission Protocol / Function Codes
• Diagnostics of the Driver
Diagnostics of the Function BlockConventions

This documentation uses the terms CP, CP 341 and/or CP 441-2.
Special Notes
The driver described in this manual serves as a loadable protocol for the CP. It
may be used instead of standard protocols 3964R, RK512, ASCII, and the printer
protocol.
Notice
With this driver, modifications or expansions to the sequences between CP and
CPU are possible.
These modifications and expansions may apply in particular to event classes or

event numbers available for diagnostic purposes.
Furthermore, you should note that this manual only describes the modifications
and expansions as against the standard functions. Basic information can be found
in the manual for the CP used.
In order to ensure safe use of this driver, you should have detailed knowledge of
the way in which the CP functions.
Further Support
If you have any technical questions, please get in touch with your Siemens
representative or agent responsible.
http://www.siemens.com/automation/partner

iv A5E00218418-04
Preface
Training Centers
Siemens offers a number of training courses to familiarize you with the SIMATIC
S7 automation system. Please contact your regional training center or our central
training center in D 90327 Nuremberg, Germany for details:
Telephone: +49 (911) 895-3200.
Internet: http://www.sitrain.com
Service & Support on the Internet

In addition to our documentation, we offer our Know-how online on the internet at:
http://www.siemens.com/automation/service&support
where you will find the following:
• The newsletter, which constantly provides you with up-to-date information on
your products.
• The right documents via our Search function in Service & Support.
• A forum, where users and experts from all over the world exchange their
experiences.
• Your local representative for Automation & Drives via our representatives
database.
• Information on field service, repairs, spare parts and more under "Services".

A5E00218410-04 v
Preface
A&D Technical Support

Worldwide, available 24 hours a day:
Nuernberg
Johnson City Beijing
Worldwide (Nuernberg)
Technical Support
24 hours a day, 365 days a year

Phone: +49 (0) 180 5050-222
Fax: +49 (0) 180 5050-223
E-Mail: adsupport@
siemens.com
GMT: +1:00
Europe / Africa (Nuernberg) United States (Johnson City) Asia / Australia (Beijing)
Authorization Technical Support and Technical Support and
Authorization Authorization
Local time: Mon.-Fri. 8:00 to 17:00 Local time: Mon.-Fri. 8:00 to 17:00 Local time: Mon.-Fri. 8:00 to 17:00
Phone: +49 (0) 180 5050-222 Phone: +1 (0) 423 262 2522 Phone: +86 10 64 75 75 75
Fax: +49 (0) 180 5050-223 Fax: +1 (0) 423 262 2289 Fax: +86 10 64 74 74 74
E-Mail: adsupport@ E-Mail: simatic.hotline@ E-Mail: adsupport.asia@

siemens.com sea.siemens.com siemens.com
GMT: +1:00 GMT: -5:00 GMT: +8:00
The languages of the SIMATIC Hotlines and the authorization hotline are generally German and English.

vi A5E00218418-04
Contents
1 Product Description 1-1

1.1 Application Possibilities.....................................................................................1-1
1.2 Hardware and Software Requirements.............................................................1-2
1.3 Summary of the GOULD-MODBUS Protocol....................................................1-3
1.4 Notes .................................................................................................................1-4
2 Installation 2-1
2.1 Use of the Dongle .............................................................................................2-1
2.2 Interface Connection .........................................................................................2-2
3 Mode of Operation of the Data Link 3-1
3.1 Components of the SIMATIC / MODBUS Slave Data Link ...............................3-1
3.2 Task Distribution ...............................................................................................3-2
3.3 Used MODBUS Function Codes.......................................................................3-2
3.4 Data Areas in the SIMATIC CPU ......................................................................3-3
3.5 Access with Bit-Orientated Function Codes......................................................3-4
3.6 Access with Register-Orientated Function Codes ............................................3-5
3.7 Enable / Disable Write Access ..........................................................................3-7
4 Commissioning the Driver 4-1
4.1 Installing the Driver on the STEP 7 Programming Device / PC ........................4-1
4.2 De-Installing the Driver......................................................................................4-2
4.3 Configuring the Data Link..................................................................................4-2
4.3.1 Configuring a Data Link with the CP 341 ..........................................................4-2
4.3.2 Configuring a Data Link with the CP 441-2.......................................................4-3
4.4 Assigning Parameters to the CP .......................................................................4-4
4.4.1 Assigning Parameters to the CP 341................................................................4-4
4.4.2 Assigning Parameters to the CP 441-2.............................................................4-5
4.5 Project Configuration of the Data Link ..............................................................4-7
4.6 Assigning Parameters to the Loadable Driver ..................................................4-8
4.6.1 Modbus Slave Protocol .....................................................................................4-8
4.6.2 Conversion of Modbus Addresses for Bit Functions .......................................4-11
4.6.3 Conversion of Modbus Addresses for Register Functions..............................4-15
4.6.4 Limits for Write Functions................................................................................4-17
4.6.5 RS422/485 (X27) Interface .............................................................................4-18
4.7 Loading the Configuration and Parameter Assignment Data for the
CP 341 ............................................................................................................4-20
CP 441-2 .........................................................................................................4-20
4.9 Startup Characteristics of the CP....................................................................4-21
4.10 Parameter Assignment “Startup of the CPU”..................................................4-21

A5E00218418-04 vii
Contents
5 Commissioning the Communications FB 5-1

5.1 Installing the FB.................................................................................................5-1
5.2 STEP 7 Project..................................................................................................5-1
5.3 FB 80 Parameters (CP 341)..............................................................................5-3
5.4 FB 180 Parameters (CP 441-2) ........................................................................5-4
5.5 Program Call .....................................................................................................5-5
5.6 Cyclic Operation ................................................................................................5-8
6 CPU - CP Interface 6-1
6.1 CPU - CP Interface for CP 341 .........................................................................6-1
6.1.1 General Information ..........................................................................................6-1
6.1.2 Data Transfer Length CPU <-> CP ...................................................................6-1
6.1.3 Data Consistency ..............................................................................................6-1
6.2 CPU - CP Interface for CP 441-2 ......................................................................6-2
6.2.1 General Information ..........................................................................................6-2
6.2.2 Data Transfer Length CPU <-> CP ...................................................................6-3
6.2.3 Data Consistency ..............................................................................................6-3
7 Transmission Protocol 7-1
8 Function Codes 8-1

8.1 Function Code 01 - Read Coil (Output) Status .................................................8-2
8.2 Function Code 02 - Read Input Status..............................................................8-5
8.3 Function Code 03 - Read Output Registers......................................................8-7
8.4 Function Code 04 - Read Input Registers.......................................................8-10
8.5 Function Code 05 - Force Single Coil .............................................................8-13
8.6 Function Code 06 - Preset Single Register.....................................................8-15
8.7 Function Code 08 - Loop Back Diagnostic Test..............................................8-16
8.8 Function Code 15 - Force Multiple Coils .........................................................8-18
8.9 Function Code 16 - Preset Multiple Registers ................................................8-21
9 Diagnostics of the Driver 9-1
9.1 Diagnostic Facilities on the CP 341 ..................................................................9-2
9.1.1 Diagnostics via Display Elements of the CP 341 ..............................................9-2
9.1.2 Diagnostic Messages of the Function Blocks of the CP 341 ............................9-3
9.2 Diagnostic Facilities on the CP 441-2 ...............................................................9-4
9.2.1 Diagnostics via Display Elements of the CP 441-2...........................................9-4
9.2.2 Diagnostic Messages of the System Function Blocks of the CP 441-2 ............9-5
9.2.3 Reading Error Message Area SYSTAT for CP 441-2 .......................................9-6
9.2.4 Diagnostics via Error Message Area SYSTAT of the CP 441-2 .......................9-6
9.3 Table of Errors / Events ....................................................................................9-8
9.3.1 Error Codes in SYSTAT for “CPU Job Errors” ..................................................9-9
9.3.2 Error Codes in SYSTAT for “Receive Errors” ...................................................9-9
9.3.3 Error Codes in SYSTAT for “General Processing Errors”...............................9-11
10 Diagnostics of the Communications FB 10-1
10.1 Diagnostics via Parameters ERROR_NR, ERROR_INFO .............................10-1
10.1.1 Errors during “Initialization” .............................................................................10-2
10.1.2 Errors during “Processing of Function Codes”................................................10-2
10.1.3 “Other” Errors ..................................................................................................10-3

viii A5E00218418-04
Contents
A Technical Data A-1
B Wiring Diagrams Multipoint B-1
C Literature List C-1
Glossary
Index

A5E00218418-04 ix
Contents

x A5E00218418-04
Product Description
1 Product Description
1.1 Application Possibilities
Position in the The driver described here is a software product for the communications
System processors CP 341 (S7-300) and CP 441-2 (S7-400).
Environment
CP 341 and CP 441-2 can be used in S7 automation systems and can
establish serial communication links to partner systems.
Function of the This driver, together with the appropriate function block, enables you to
Driver establish a communications link between a Modbus Master control system (for
example, Modicon controllers or Honeywell TDC 3000) and the CP 341 or
CP 441-2 communications module in the form of a “Modbus capable” slave
system.
The transmission protocol used is the GOULD - MODBUS Protocol in RTU

Format. Data transmission is carried out in accordance with the Master-Slave
principle.
The master has the initiative during the transmission, the CP / the S7 CPU
operates as the slave.
Function codes 01, 02, 03, 04, 05, 06, 08, 15 and 16 can be used for
communication between the CP and the master system.
Interpretation of The MODBUS address in the request message from the master is interpreted
MODBUS by the driver “in an S7 way.”
Addresses This means that it is possible to:
• read and write to memory bits, outputs, data blocks,
• read memory bits, inputs, timers, counters
in the S7 CPU.
The interpretation of the MODBUS address is explained in the following
chapters.
Usable Interfaces The two serial interfaces of the CP 441-2 can be operated independently using
and Protocols different standard protocols or loadable driver protocols.
You can use RS232C, TTY, or RS422/485 (X27) interface submodules as an

interface for the CPs.
When using the RS422/485 (X27) interface in 2-wire operation, it is possible to

connect up to 32 slaves to one master, thus creating a multipoint connection
(network).
Creation of a multipoint connection with other types of physical interface

requires additional external hardware (for example, Honeywell DHP).
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, S7 is Slave 1-1

A5E00218418-04
Product Description
Possible System The following figure shows a schematic illustration of a possible system
Configuration configuration.
PSU CPU416 CP441-2
Interface Submodule
RS232C/TTY/X27
S7-400
1.2 Hardware and Software Requirements
Useable Module The driver runs on CP 341 and CP 441-2 with part number MLFB 6ES7 441-
2AA02-0AE0 or higher.
CP 441-1 with part number MLFB 6ES7 441-1AA0x-0AE0 and CP 441-2 with
part number MLFB 6ES7 441-2AA00-0AE0 or 6ES7 441-2AA01-0AE0 cannot
be used with loadable drivers.
Dongle In order to use the CP with loadable drivers, you require a dongle. The dongle
is supplied with the driver.
Loading Memory If you are using the CP 441-2, the loadable drivers are downloaded into the
of the CPU loading memory of the CPU after parameter assignment and transferred to the
(Memory Card) CP memory on startup.
The CPU must have sufficient loading memory available for this purpose.
Therefore a RAM or FLASH Memory Card (part number MLFB 6ES7 952-…)
is required.
Every CP interface for which this loadable driver has been assigned
parameters, requires a CPU loading memory amount of about 25 Kbytes.
If you are using the CP 341, the loadable drivers are downloaded directly to
the CP 341. Therefore you do not require a loading memory on the S7-300
CPU. You should note, however, that this means that you cannot change a
module without a programming device.
Software An installed version of STEP 7 Standard V4.02.1 or higher.

Requirements
An installed version of the optional package Point-To-Point Communication /
Parameter Assignment (CP PtP Param) or higher.
Data Structures Prior to project configuration of your S7 data structures, you should ensure
that they are compatible with the user programs of the MODBUS Master
systems (clarify which function codes and which Modbus addresses will be
used).

A5E00218418-04
Product Description
1.3 Summary of the GOULD-MODBUS Protocol
Function Codes The type of data exchange between the MODBUS systems is controlled by
Function Codes (FCs).
Data Exchange The following FCs can be used to carry out data exchange bit-by-bit:
FC 01 Read coil (output) status,
FC 02 Read input status,
FC 05 Force single coil,
FC 15 Force multiple coils.
The following FCs can be used to carry out data exchange register-by-
register:
FC 03 Read holding registers,
FC 04 Read input registers,
FC 06 Preset single register,
FC 16 Preset multiple registers.
Data Areas As a rule, the individual FCs operate in accordance with the table below:
Function Data Data Type Type of Access

Code
01, 05, 15 Coil (output) Bit Output Read/write
status
02 Input status Bit Input Read only
03, 06, 16 Holding register Register Output Read/write
(16 bit) register
04 Input register Register Input Read only
(16 bit) register
Address Analogous to the partitioning into read/write and read-only areas, data at user
Representation level can be represented as shown in the table below:
Function Type of Data Address Representation at User

Code Level (Decimal)
01, 05, 15 Output bit 0xxxx
02 Input bit 1xxxx
04 Input register 3xxxx
03, 06, 16 Holding register 4xxxx
In the transmission messages on the serial transmission line, the addresses

used in the MODBUS user system are referenced to 0.
In the MODBUS user system itself, these addresses are counted beginning
with 1.
Example: The first holding register in the user system is represented as
register 40001. In the transmission message the value 0000 Hex is
transmitted as the register address when FC 03, 06, or 16 is used.
The 127th coil is represented as coil 00127 in the user system and
is assigned the coil address 007E Hex in the transmission
message.

A5E00218418-04
Product Description
1.4 Notes
Data Consistency The data exchange between the S7 CPU and the CP is carried out block-by-
block by integrated system functions.
You should also note the section “Data Consistency” in the chapter “CPU-CP
Interface” in this manual.

A5E00218418-04
Installation
2 Installation
2.1 Use of the Dongle
Introduction In order to run the CP with loadable drivers, you require a dongle. When the
dongle is plugged in, drivers can be loaded. Both interfaces of the CP 441-2
can operate with loadable drivers.
How to Plug In the Before you can plug in the dongle, you must take the CP out of the rack. At
Dongle the back of the CP, above the plugs for the backplane bus, there is a slot into
which the dongle can be inserted.

A5E00218418-04
Installation
2.2 Interface Connection
RS232C / TTY It is possible to create a point-to-point connection to a master system.

Further information on the interface connection can be found in the manual
“CP: Point-to-Point Communication.”
X27 / RS485 It is possible to create a multipoint connection (network) connecting up to 32

(2-wire) slaves to one master system.
The driver of the CP switches the receive 2-wire line between send and
receive.
Schematic Connection: 1 Master System, 1 Slave System at the Bus
MODBUS - MODBUS-Slave
Master-System SIMATIC CP441
T/R (A) 4 R(A)

T/R (B) 11 R(B)
GND 8 GND
Chassis shield Chassis shield
Further information on the interface connection can be found in the manual

“CP: Point-to-Point Communication.”
X27 / RS422 It is possible to create a point-to-point connection to a master system.

(4-wire)
Direct creation of a multipoint connection (network) is not possible, because it
is not supported by the RS422 / RS485 (X27) interface hardware.
Further information on the interface connection can be found in chapter B and

in the manual “CP: Point-to-Point Communication.”

A5E00218418-04
Mode of Operation
3 Mode of Operation of the Data Link
General The supplied data link converts data access of the MODBUS protocol to the
Information specific memory areas of the SIMATIC S7 CPU.
3.1 Components of the SIMATIC / MODBUS Slave Data Link
MODBUS Slave The Modbus slave data link for the CP consists of two parts:
Data Link
1) Loadable Driver for the CP
2) MODBUS Communications Function Block for the SIMATIC S7 CPU
MODBUS Slave In addition to the loadable MODBUS slave driver, the SIMATIC MODBUS
Communications slave data link requires a special Communications FB in the S7 CPU.
FB
This can be found on the supplied diskette for the Modbus in the STEP 7
library Modbus. It contains the MODBUS communications function block
FB180.
The MODBUS communication function block FB80 required for the CP 341
can also be found in the STEP 7 library Modbus.
The call of the FBs is shown in the example OBs in the STEP 7 project file
Examples\Modsl. The call for the CP 441-2 is stored in the Station Modbus
Slave 400 and the call for the CP 341 is stored in the Station Modbus Slave
300.
The MODBUS communications FB processes all functions necessary for the

data link.
The supplied MODBUS slave communications function block FB180/80 must

be called in the cyclic program of the user program. The MODBUS
communications FB uses an instance data block as the work area.
Note
Any modifications carried out to the supplied function block will invalidate the
warranty. Consequential damages cannot be claimed.
MODBUS Slave The loadable driver realizes the MODBUS protocol and converts the MODBUS
Driver addresses in the SIMATIC memory areas.
The loadable driver is loaded into SIMATIC using the parameter assignment
tool CP: Point-to-Point Communication, Parameter Assignment where it is
automatically transferred into the CP.

A5E00218418-04
Mode of Operation
Parameters The parameters and operating modes listed below must be set for the
loadable driver using the parameter assignment tool.
• Transmission rate, parity

• Slave address of CP
• Operating mode (normal, interference suppression)
• Multiplication factor for character delay time
• Address areas for FC01, 05, 15
• Address areas for FC02
• Base DB number for FC03, 06, 16
• Base DB number for FC04
• Limits for write-only access
3.2 Task Distribution
Task Distribution Modbus function codes 01, 02, 03, 04, 06, and 16 are processed by the CP
directly.
For function codes 05 and 15 the communications FB carries out data input
into the SIMATIC memory area bit-by-bit.
3.3 Used MODBUS Function Codes
Used Function The following MODBUS function codes are supported by the driver:
Codes
Function Function in accordance with General Description
Code MODBUS Specification
01 Read Coil Status Read bits
02 Read Input Status Read bits
03 Read Holding Registers Read registers (words)
04 Read Input Registers Read registers (words)
05 Force Single Coil Write 1 bit
06 Preset Single Register Write 1 register (word)
08 Loop Back Test Line check
15 Force Multiple Coils Write several bits
16 Preset Multiple Registers Write several registers

A5E00218418-04
Mode of Operation
3.4 Data Areas in the SIMATIC CPU
Data Areas The individual FCs access the following SIMATIC data areas in the PLC:
Function MODBUS Data SIMATIC Data Type of Access

Code Type Type
01 Coil status Memory bits Read bit-by-bit
Outputs Read bit-by-bit
Timers Read bit-by-bit
(16 bit intervals)
Counters Read bit-by-bit
(16 bit intervals)
02 Input status Memory bits Read bit-by-bit
inputs Read bit-by-bit
03 Holding registers Data block Read word-by-word
04 Input registers Data block Read word-by-word
05 Single coil Memory bits Write bit-by-bit
Outputs Write bit-by-bit
06 Single (holding) Data block Write word-by-word
register
08 - - Mirror reception
15 Multiple coils Memory bits Write bit-by-bit
Outputs Write bit-by-bit
16 Multiple (holding) Data block Write word-by-word
registers
Address The MODBUS address in the messages is interpreted by the driver “in an S7
Transformation way” and transformed in the SIMATIC memory area.
Access to the individual SIMATIC memory areas can be specified by the user
by means of the parameter assignment tool CP: Point-to-Point
Communication, Parameter Assignment.

A5E00218418-04
Mode of Operation
3.5 Access with Bit-Orientated Function Codes
Function Codes The bit-orientated function codes 01, 05, and 15 allow both read and write
01, 05, 15 access to the SIMATIC memory areas memory bits, outputs, timers,
counters;
Timers and counters are read-only with FC01.
You can use the parameter assignment tool to specify from/to which
MODBUS address access is made to memory bits, outputs, timers, and
counters.
Furthermore, it is possible to assign parameters to a certain data element at
which access in the SIMATIC memory area is to commence.
MODBUS Address in SIMATIC Memory Area

Transmission Message
from aaaa ---> memory commence at

bits M uuuuu.0
to bbbb
from cccc ---> outputs commence at

Q ooooo.0
to dddd
from eeee ---> timers commence at

T ttttt
to ffff
from gggg ---> counters commence at

C zzzzz
to hhhh

A5E00218418-04
Mode of Operation
Function Code 02 The bit-orientated function code 02 permits read-only access to the SIMATIC
memory areas memory bits, and inputs.
You can use the parameter assignment tool to specify from/to which
MODBUS address access is made to memory bits and inputs.
Furthermore, it is possible to assign parameters to a certain data element at
which access in the SIMATIC memory area is to commence.
The MODBUS address areas and SIMATIC memory areas of FC 02 may be

selected independently from those of FC 01, 05, and 15.

from kkkk ---> memory commence at

bits M vvvvv.0
to llll
from nnnn ---> inputs commence at

I sssss.0
to rrrr
3.6 Access with Register-Orientated Function Codes
Function Codes The register-orientated function codes 03, 06, and 16 permit read and write
03, 06, 16 access to the SIMATIC memory area data blocks.
Calculation of the required data block number is carried out in two steps.
1) You can use the parameter assignment tool to specify a base DB number.
This base DB is the first DB which can be accessed.
2) The MODBUS Start_Register address (Register Number) transmitted in

the message is interpreted as follows:
Modbus Register Number (start_register)
15 9 8 7 0 Bit
Offset DB Number Word Number

A5E00218418-04
Mode of Operation
Resulting DB Number
The resulting DB number which is then accessed, is calculated as follows:

Base DB number + Offset DB number.
This means that it is possible to access a data block area consisting of 128
consecutive data blocks within the entire addressable data block area (65535
DBs).
Word Number in DB
Via the word number it is possible to address the area from DBW 0 to
DBW 1022 within each data block.
The DBs which are normally organized in bytes are in this instance interpreted
by the driver word-by-word as follows.
Word Number 0 accesses DBW 0 ( = DBB 0/1)

1 2 ( 2/3)
2 4 ( 4/5)
3 6 ( 6/7)
: : ( : / :)
511 DBW ( 1022/1023)
1022
Function Code 04 The register-orientated function code 04 permits read-only access to the
SIMATIC memory area data blocks.
The mode and operation of this access is as described in function codes 03,
06, and 16.
Function code 04 has its own base DB number available for free parameter
assignment with the parameter assignment tool. This will enable you to select
a second independent area consisting of 128 DBs.
These DBs have read-only access; it is not possible to write to them.

A5E00218418-04
Mode of Operation
3.7 Enable / Disable Write Access
Function Codes For the write function codes 05, 06, 15, and 16 it is possible to disable or
05, 06, 15, 16 limit access to the relevant SIMATIC memory areas.
You can use the parameter assignment tool to specify an area which enables
write access from the MODBUS master system.
If the master tries to access any SIMATIC memory areas which are outside
the enabled area, access is denied by means of an error message
(exception).
Enable Write
SIMATIC Memory Area
Access
Data blocks MIN - DB No.

(resulting DB number)
MAX - DB No.
Memory bits M MIN - M (Byte)
MAX - M (Byte)
Outputs Q MIN - Q (Byte)
MAX -Q (Byte)

A5E00218418-04
Mode of Operation

A5E00218418-04
4 Commissioning the Driver
General All of the statements in the following sections referring to STEP 7 relate to
Information STEP 7 Version 4.02.
Operation flows, names and directory names may be modified in later
versions.
4.1 Installing the Driver on the STEP 7 Programming Device / PC
To install the driver, consisting of driver code and driver-specific mask files,
proceed as follows:
1. Insert your Modbus Slave CD in the CD-ROM drive.
2. Using Windows 95, open the dialog box for software installation by double-
clicking the “Add / Remove Software” symbol in the “Control Panel.”
3. Select the CD-ROM drive and the Setup.EXE file in the dialog box and
start the installation procedure.
4. Follow step-by-step the instructions which are displayed by the installation

program.
Result: The driver and the parameter assignment dialog boxes are installed in
the following directory: Step7\S7fptp\S7Driver.
The directory includes the following files:
• S7wfpb1a.dll
• S7wfpb1x.cod
• S7wfpb2x.cod

A5E00218418-04
4.2 De-Installing the Driver
The driver can be de-installed from the STEP 7 package under Windows 95
by selecting “Control Panel,” “Add / Remove Software,” and “De-Installation.”
The user can check if all the files S7wfpb1?.*, S7wfpb2?.*, S7wfpb3?.* have
been deleted successfully in the Step7\S7fptp\S7Driver directory.
Note:
Prior to de-installation of the package “Parameter Assignment Tool CP:
Point-to-Point Communication, Parameter Assignment” it is essential to de-
install all the loadable drivers.
4.3 Configuring the Data Link
Introduction The configuration of a data link comprises the hardware allocation in the
configuration table using HW config. The configuration can be carried out
using the STEP 7 software.
4.3.1 Configuring a Data Link with the CP 341
S7 Project Before you can carry out the configuration, you must have created a S7
Project with STEP 7.
Project Insert the required project components into the opened project with the
Components SIMATIC Manager:
SIMATIC 300 station.
Before each insertion, you must select the required project by clicking it.
Insert ½ Station ½ SIMATIC 300 Station
Hardware The configuration of the hardware comprises defining the hardware

Configuration components themselves, and also their properties.
To start the hardware configuration, select the SIMATIC 300 station and
double-click “Hardware” (or select the menu command Edit ½ Open Object).
Use the menu command Insert ½ Hardware Components to insert a RACK-
300, a PS-300, a CPU-300 from SIMATIC 300, and the CP PtP from CP-300
with the appropriate part number.
A detailed description of how to configure S7-300 modules can be found in the

User Manual for STEP 7.

A5E00218418-04
4.3.2 Configuring a Data Link with the CP 441-2
For a point-to-point data link, you must configure a SIMATIC 400 station, the
link partner station, the PtP nodes, and the PtP network.
S7 Project Before you can carry out the configuration, you must have created a S7
Project with STEP 7.
Project Insert the required project components into the opened project using the
Components SIMATIC Manager:
SIMATIC station, partner station, PtP network.
Before each insertion, you must select the required project by clicking it.
Insert ½ Station ½ SIMATIC 400 Station

for your own S7 program (Rack, PS, CPU, CP 441-2, ...),
Insert ½ Station ½ Other Station
for the data link partner,
Insert ½ Subnet ½ PtP
for a PtP network between the SIMATIC 400 Station and the data link partner.
Hardware The configuration of the hardware comprises defining the hardware

Configuration components themselves, and also their properties.
To start the hardware configuration select the SIMATIC 400 station and
double-click “Hardware” (or select the menu command Edit ½ Open Object).
Use the menu command Insert ½ Hardware Components to insert a RACK-
400, a PS-400, a CPU-400 from SIMATIC 400, and the CP PtP from CP-400
with the appropriate part number.
A detailed description of how to configure S7-400 modules can be found in the

User Manual for STEP 7.

A5E00218418-04
4.4 Assigning Parameters to the CP
Assigning After you have arranged the modules in your rack using “Hardware
Parameters to the Configuration,” you must assign parameters to them.
CP To start the parameter assignment tool, double-click the CP in “Hardware
Configuration” or click the CP and select the menu command Edit ½ Object
Properties.
4.4.1 Assigning Parameters to the CP 341
1) Properties - CP ½ Basic Parameters

Clicking the “Parameters” button (single click) opens the protocol selection
interface “Parameter Assignment of Point-to-Point Connection.”
Here you can select the required transmission protocol.
After selecting the “Protocol,” you can carry out Parameter Assignment
of the Driver (start by double-clicking the letter-box symbol).
A detailed description of how to select the protocol and assign parameters
to the dialog boxes for the loadable driver can be found in the section
“Assigning Parameters to the Loadable Driver.”
After parameter assignment is complete, you return to the “Properties -
CP” dialog box.
2) Properties - CP ½ Addresses
No settings are required in the “Addresses” tab (Properties - CP dialog

box).
3) Properties - CP ½ General
No settings are required in the “General” tab (Properties - CP dialog box).
You can complete the parameter assignment of the CP by clicking “OK” in

the “Properties - CP” dialog box. You return to the “Hardware
Configuration” dialog box.
Save the parameter assignment and close the “Hardware Configuration”

dialog box. You return to the basic menu of the STEP 7 project.

A5E00218418-04
4.4.2 Assigning Parameters to the CP 441-2
1) Properties - CP 441-2 ½ Basic Parameters

Specify the required “Interface” of the CP 441 module (1=upper, 2=lower
interface) in the “Basic Parameters” tab. Select the inserted interface
submodule as the “Module.”
Clicking the “Parameters” button (single click) opens the protocol selection
interface “Parameter Assignment of Point-to-Point Connection.”
Here you can select the required transmission protocol.
After selecting the “Protocol,” you can carry out the Parameter
Assignment of the Driver (start by double-clicking the letter-box symbol).
A detailed description of how to select the protocol and assign parameters
to the dialog boxes for the loadable driver can be found in the section
“Assigning Parameters to the Loadable Driver.”
After parameter assignment is complete, you return to the “Properties -
CP 441-2” dialog box.
2) Properties - CP 441-2 ½ Addresses
No settings are required in the “Addresses” tab (Properties - CP 441-2

dialog box).
3) Properties - CP 441-2 ½ General
In the “General” tab (Properties - CP 441-2 dialog box), you specify to

which PtP network the interfaces of the CP are connected.
PtP(1) corresponds to the upper interface, PtP(2) to the lower interface of
the CP.
Clicking the PtP(1) or PtP(2) button opens the dialog box for project
configuration of the subnet.
Select the required subnet and activate the checkbox “Partner is
connected to the selected network.”
The selected subnet represents the connection of the CP interface to the
link partner interface.
Click “OK” to return to the “Properties - CP 441-2” dialog box. Here you
complete parameter assignment of the CP with “OK” and return to the
“Hardware Configuration” dialog box.

A5E00218418-04
Save the parameter assignment data and close the “Hardware Configuration”
dialog box. You return to the basic menu of the STEP 7 project.
Assigning After you have inserted the link partner station into your STEP 7 project, as
Parameters to the described under “Project Components: Inserting ½ Other Station,” you have to
Link Partner specify the object properties of this partner station.
Starting from the opened STEP 7 project, you can select the link partner (other
station) by clicking it.
Select the menu command Edit ½ Object Properties.

This opens the “Properties - Other Station” dialog box.
1) Properties - Other Station ½ Node list
Select the “New” button in the “Node List” tab.

At “Select Type,” choose “PTP Nodes” and click “OK.”
The next dialog box to appear is “Network Connection.”
Choose the required subnet which represents the connection between CP
interface and link partner interface, and activate the checkbox “Node is
connected to selected network.”
Click “OK” to return to the “Node List” tab.
2) Properties - Other Station ½ General
No settings are required in the “General” tab.
Click “OK” to return to the basic menu of the STEP 7 project.
A partner station may also have several interfaces (=PtP nodes) and may be
connected to different point-to-point networks.

A5E00218418-04
4.5 Project Configuration of the Data Link
This section is only relevant for the CP 441-2. If you are using a CP 341, you
can skip this section.
Communications In a data link between a S7 CPU and a communications partner / bus

Link connected via a point-to-point data link, the CP acts as the linking element.
You must carry out a data link project configuration for each serial interface to
be connected to the link partner / bus.
Project Select the CPU in the STEP 7 project in its own opened S7-400 station and
Configuration of open the “Project configuration of data link” by double-clicking “Connection.”
the Data Link The dialog box “Carry Out Project Configuration of Connections” appears.
Select the menu command Insert ½ Connection to open the “New
Connection” dialog box. Here you can select the link partner (other station) for
the new data link and select “S7 Point-to-Point Connection” as the “connection
type.”
Click “OK” to acknowledge. The “Connection Properties” dialog box is now

opened.
Connection • You are given an ID which you can modify if required.

Properties • Select “Communication Direction 3: Local <-> Partner.”
• The parameterized connection rooting is displayed.
• Both indications of a CPU number are irrelevant for the operation of this
driver.
Accept all settings with “OK.”

Save the “Project Configuration of Data Link” and close the dialog box.
You should note that the Connection ID (Local ID) must be used again when
you call the Modbus communications FB in the user program.

A5E00218418-04
4.6 Assigning Parameters to the Loadable Driver
Opening the Select the SIMATIC station and double-click “Hardware” (or select the menu
Parameter command Edit ½ Open Object) to start the “Hardware Configuration.”
Assignment Tool Click the CP and select the menu command Edit ½ Object Properties.
CP-PtP
After selecting the interface (CP 441-2 only) and the interface submodule
(CP 441-2 only), click the “Parameters” button to open the protocol selection
dialog box.
In addition to the standard protocols, the selection box also displays all
Protocol Selection
installed loadable drivers. Select “MODBUS Slave” for this driver. Double-
clicking the symbol for the transmission protocol (letter-box) opens the dialog
box where the protocol-specific parameters are set.
Driver-Specific The parameters described below can be set for this driver in the individual
Parameters dialog boxes.
4.6.1 Modbus Slave Protocol
Overview of
Speed, Character Frame
Transmission
Parameters Parameter Description Value Default
Range Value
Transmission Data transmission speed in bits / 300 9600
Rate second 600
1200
2400
4800
9600
19200
38400
76800
Additional transfer rates for the CP 341 with order 57600
number 6ES7 341-1xH01-0AE0
Additional transfer rates for the CP 441-2 with order 57600
number 6ES7 441-2AA03-0AE0 115200
Data Bits Bit per character 8 8
Stop Bits Amount of stop bits 1 1
2
Parity No parity bit transferred none even
Amount of data bits is completed to odd
an odd number
Amount of data bits is completed to even
an even number

A5E00218418-04
Transmission Rate The transmission rate is the speed of data transmission in bits per second
(bps).
Note the maximum total transmission rate of the CP 441-2. The total
transmission rate is the sum of the transmission rates parameterized for the
two interfaces.
The maximum transmission rate for the TTY interface is 19200 bps.
Data Bits The amount of data bits describes how many bits represent a character to be
transmitted.
Stop Bits The amount of stop bits defines the smallest possible time interval between
two characters to be transmitted.
Parity The parity bit is for data protection; depending on parameter assignment, it
completes the amount of transmitted data bits to either an even or an odd
number.
When “no” parity is selected, no parity bit is transmitted. This reduces the
safety of data transmission.
Overview of
Protocol Parameters
Protocol
Parameters Parameter Description Value Range Default
Value
Slave Address Own slave address of the CP 1 to 255 222
Operating “Normal” operation Normal Normal
Mode “Interference Suppression” Interference
Suppression
Multiplier Multiplication factor for 1 to 10 1
Character transmission rate-dependent
Delay Time character delay time
Slave Address Here you can specify the MODBUS Slave address, to which the CP should
reply. The CP only replies to messages where the received slave address is
identical to the parameterized slave address. Messages to other slaves are
not checked and not replied to.
Normal Operation In this operating mode, all recognized transmission errors and/or BREAK
before and after receive messages from the master result in an appropriate
error message.

A5E00218418-04
Interference If “BREAK” is recognized on the receiving line at the start of a receive

Suppression message, or if the CP interface block notices transmission errors, the driver
considers the received message to be faulty and ignores it.
The start of the receive message from the master is recognized by means of
the correctly-received slave address.
Transmission errors and/or BREAK are also ignored when they occur after the
end of the receive message (CRC code).
Multiplier If a link partner cannot meet the time requirements of the MODBUS
Character Delay specification, it is possible to multiply the character delay time ZVZ by means
Time of multiplication factor fMUL. The character delay time should only be adjusted if
the link partner cannot meet the required times.
The resulting character delay time tZVZ is calculated as follows: -
tZVZ = tZVZ_TAB ✳ fMUL ;
tZVZ_TAB : Table value for ZVZ (see Chapter "Transmission Protocol")

fMUL : Multiplication factor.

A5E00218418-04
4.6.2 Conversion of Modbus Addresses for Bit Functions
Overview of FC 01,
Conversion of MODBUS Addressing for FC 01, 05, 15
05, 15
Parameter Input Meaning
SIMATIC Area Memory Bits
MODBUS Address in from 0 .. 65535 Starting with this
transmission message (decimal) Modbus address
(Bit number) to 0 .. 65535 Including this Modbus
(decimal) address
SIMATIC memory area commence 0 .. 65535 Commence at this
Memory bits at (decimal) memory byte
(Memory byte number)
SIMATIC Area Outputs
(decimal) address
Outputs at (decimal) output byte
(Output byte number)
SIMATIC Area Timers
(decimal) address
Timers at (decimal) timer (= 16 bit word)
(Timer number )
SIMATIC Area Counters
(decimal) address
Counter at (decimal) counter (= 16 bit word)
(Counter number )

A5E00218418-04
"from" / "to" - You can use the “from” address to set the Modbus address which is the start
Modbus Address of the appropriate area; for example, memory bits, outputs, etc.
(= first bit number of area).
You can use the “to” address to set the Modbus address which is the end of
the appropriate area; for example, memory bits, outputs, etc.
(= last bit number of area).
The “from” / “to” addresses refer to the Modbus address in the transmission
message (bit numbers commencing at 0) for function codes FC 01, 05, and
15.
The individual “from / to” areas must not overlap.
Gaps between the individual “from / to” areas are permitted.
"commence at" You can use the “commence at” input to specify the start of the SIMATIC area
SIMATIC Memory where the “from” / “to” Modbus area is displayed (= first memory byte-, output
Area byte-/ timer-/ counter number of SIMATIC area).
Example
from 0 ---> memory commence at

bits M 1000.0
to 2047
from 2048 ---> outputs commence at

Q 256.0
to 2559
from 4096 ---> timers commence at

T 100
to 4255
from 4256 ---> counters commence at

C 120
to 4415
The Modbus addresses from 0 to 2047 access the SIMATIC memory bits
commencing at memory bit M 1000.0;
i.e. length of area = 2048 bits = 256 bytes, which means last memory bit =
M 1255.7.
The Modbus addresses from 2048 to 2559 access the SIMATIC outputs
commencing at output Q 256.0;
i.e. length of area = 512 bits = 64 bytes, which means last output bit =
Q 319.7.

A5E00218418-04
The Modbus addresses from 4096 to 4255 access the SIMATIC timers
commencing at timer T 100;
i.e. length of area = 160 bits = 10 words, this means last timer = T 109.
The Modbus addresses from 4256 to 4415 access the SIMATIC counters
commencing at counter C 120;
i.e. length of area = 160 bits = 10 words, this means last counter = C 129.
Overview of FC02
Conversion of MODBUS Addressing for FC 02

SIMATIC Area Memory Bits
(decimal) address
memory bits at (decimal) memory byte
(Memory byte number)
SIMATIC Area Inputs
(decimal) address
Inputs at (decimal) input byte
(Input byte number)
"from" / "to" - You can use the “from” address to set the Modbus address which is the start
Modbus Address of the appropriate area; for example, memory bits, inputs
(= first bit number of area).
You can use the “to” address to set the Modbus address which is the end of
the appropriate area
(= last bit number of area).
The “from” / “to” addresses refer to the Modbus address in the transmission
message (bit numbers commencing at 0) for function code FC 02.
The individual “from / to” areas must not overlap.
Gaps between the individual “from / to” areas are permitted.
"commence at" - You can use the “commence at” input to specify the start of the SIMATIC area
SIMATIC Memory where the “from” / “to” Modbus area is displayed (= first memory byte-, input
Area byte number of SIMATIC area).

A5E00218418-04
Example
from 0 ---> memory commence at

bits M 0.0
to 4095
from 4096 ---> inputs commence at

I 128.0
to 5119
The Modbus addresses from 0 to 4095 access the SIMATIC memory bits
commencing at memory bit M 0.0;
i.e. length of area = 4096 bits = 512 bytes, which means last memory bit =
M 511.7.
The Modbus addresses from 4096 to 5119 access the SIMATIC inputs
commencing at input I 128.0;
i.e. length of area = 1024 bits = 128 bytes, which means last input bit =
I 255.7.
Note The input of value “commence at memory bit” is completely independent of

input “commence at memory bit” for function codes 01, 05, and 15.
This means that with FC 02 it is possible to use a second SIMATIC memory
bits area (read-only), which is completely independent from the first.
There is no point in defining memory bytes for simultaneous access with both
FC01 and FC02.

A5E00218418-04
4.6.3 Conversion of Modbus Addresses for Register Functions
Overview of FC 03,
Conversion of MODBUS Addressing for FC 03, 06, 16
06,16
SIMATIC Area Data Blocks
MODBUS Address = 0 in transmission
message
(register number) means access to:
Data Blocks at DB (decimal) data block
Commence at DBW 0
(= base DB number)
"commence at DB" You can use the “commence at DB” input to specify the first data block of the
SIMATIC area which is to be accessed (= base DB Number).
This DB is accessed when the register number of the Modbus message has
value 0, starting at data word DBW 0.
Higher Modbus register numbers access the following data words / data
blocks.
Up to 127 successive DBs can be addressed.
The driver interprets bits 9 - 15 of the Modbus register number for the access of
the individual successive DBs (please follow the note on page 8-2).
Example
Register Number = 0
means: access to ---> Data Blocks commence
at DB 800
You can use Modbus register address 0 to access data block 800
commencing at DBW 0 in the SIMATIC system.
Higher Modbus register addresses (≥ 512, etc.) access the following DBs
DB 801, etc.

A5E00218418-04
Overview of FC 04
Conversion of MODBUS Addressing for FC 04

SIMATIC Area Data Blocks
MODBUS Address = 0 in
transmission message
(register number) means access to:
SIMATIC memory area commence 1 .. 65535 Commence at this data
Data Blocks at DB (decimal) block
Commence at DBW 0
(= base DB number)
"commence at DB" You can use the “commence at DB” input to specify the first data block of the
SIMATIC area which is to be accessed (= base DB Number).
This DB is accessed when the register number of the Modbus message has
value 0, starting at data word DBW 0.
Higher Modbus register numbers access the following data words / data
blocks.
Up to 127 successive DBs can be addressed.
The driver interprets bits 9 - 15 of the Modbus register number for the access
of the individual successive DBs (please follow the note on page 8-2).
Note The input of value “commence at DB” is completely independent of input

“commence at DB” for function codes 03, 06, and 16.
This means that with FC 04 it is possible to use a second SIMATIC data block
area (read-only), which is completely independent from the first.
Example
Register Number = 0
means: access to ---> Data Blocks commence
at DB 1200
You can use Modbus register address 0 to access data block 1200
commencing at DBW 0 in the SIMATIC system.
Higher Modbus register addresses (≥ 512, 1024, etc.) access the following
DBs DB 1201, 1202, etc.

A5E00218418-04
4.6.4 Limits for Write Functions
Overview of FC 05,
SIMATIC Limits for Write Access (FC 05, 06, 15, 16)
06, 15, 16
Data blocks DB: MIN 1 to 65535 First enabled DB
Resulting DB number
MAX 1 to 65535 Last enabled DB
MAX = 0 all DBs disabled.
Memory bits M MIN 0 to 65535 First enabled memory byte
(Memory byte
number)
MAX 1 to 65535 Last enabled memory byte
MAX = 0 all memory bits
disabled
Outputs Q MIN 0 to 65535 First enabled output byte
(Output byte number)
MAX 1 to 65535 Last enabled output byte
MAX = 0 all outputs
disabled.
"MIN" / "MAX" For the write function codes, it is possible to specify lower and upper access
SIMATIC Memory limits (MIN / MAX). Write access is permitted within this enabled area only.
Area
If the value for the upper limit is 0, it means that the entire area is disabled.
When selecting the size of the enabled area, remember which CPU it refers
to.
If the master attempts a write access to an area which is outside the upper /
lower limit, this is rejected by the CP with an error message.
The MIN / MAX values for the data block area must be specified as resulting
DB numbers.

A5E00218418-04
Example
SIMATIC Memory Area
Data Blocks MIN - DB 600

(resulting DB number)
MAX - DB 699
Memory bits M MIN 1000
MAX 1127
Outputs Q MIN 256
MAX 319
SIMATIC data blocks DB 600 to DB 699 can be accessed with write function
codes (FC 06, 16).
SIMATIC memory bytes MB 1000 to MB 1127 (FC 05, 15) can be accessed
with write function codes.
SIMATIC outputs output bytes QB 256 to QB 319 (FC 05, 15) can be
accessed with write function codes.
4.6.5 RS422/485 (X27) Interface
Overview
X27 (RS422/485) Interface
Parameter Description Value Range Default

Value
Presets of the No presets None R(A)5V,
Receiving Line Preset “Break” R(A)5V,R(B)0V R(B)0V
Preset “High” R(A)0V,R(B)5V
X27 Operation Use the transmission line T(A), Full-duplex Full-
Mode T(B) to send data, (RS422) four- duplex
use the receiving line R(A), wire operation (RS422)
R(B) to receive data. four-wire
The receiving line R(A),R(B) is Half-duplex operation
switched from send to receive (RS485) two-
operation. wire operation

A5E00218418-04
“Full-Duplex In this operating mode, data are sent via the transmission line T(A),T(B) and
(RS422) Four-Wire received via the receive line R(A),R(B).
Operation”
Error handling is carried out in accordance with the function set at the “driver
operating mode” parameter (Normal or Interference Suppression).
“Half-Duplex In this operating mode, the driver switches the 2-wire receiving line R(A),R(B)
(RS485) Two-Wire of the RS422/485 (X27) interface from send to receive operation.
Operation”
In this operating mode, all recognized transmission errors and/or BREAK
before and after receive messages are ignored.
BREAK level during messages pauses is also ignored.
The start of the receive message from the master is recognized by means of
the correctly-received slave address.
The setting R(A) 0V, R(B) 5V (High) is recommended as the preset for the
receiving line.
Presetting of the “None” (Float)

Receiving Line
The two-wire line R(A),R(B) is not preset.
In this instance presetting should be carried out by the link partner.
Presetting “R(A) 5V, R(B) 0V” (BREAK)

The two-wire line R(A),R(B) is preset by the CP as follows:
R(A) --> +5V, R(B) --> 0V (VA - VB ≥ +0.3V).
This means that BREAK level occurs on the CP in the event of a line break.
Presetting “R(A) 0V, R(B) 5V (High)”

The two-wire line R(A),R(B) is preset by the CP as follows:
R(A) --> 0V, R(B) --> +5V (VA - VB ≤ -0.3V).
This means that HIGH level occurs on the CP in the event of a line break
(and/or idle state when nobody is transmitting).
The line status BREAK cannot be recognized.
Selecting Select the settings required for your data link and exit the individual dialog
Parameters boxes by clicking “OK.”

A5E00218418-04
4.7 Loading the Configuration and Parameter Assignment Data for the CP 341
Data Management When you close the “Hardware Configuration,” the data are automatically
saved into your STEP 7 project.
Loading the The configuration and parameter assignment data can now be loaded online
Configuration and from the programming device to the CPU. Use the menu command PLC ½
Parameters Download to transfer the data to the CPU.
During CPU startup and each time you switch between STOP mode and
RUN mode, the module parameters of the CP are automatically transferred
to the CP as soon as it can be reached via the S7-300 backplane bus.
The driver code is not saved in the CPU, but directly with the parameter
assignment tool in the retentive memory of the CP 341. You should note,
however, that for this reason you cannot change a module without a
programming device.
Further Please refer to the User Manual for STEP 7 for a detailed description of:
Information
• How to save the configuration and the parameters.
• How to load the configuration and the parameters into the CPU.
• How to read, change, copy, and print the configuration and the
parameters.
CP 441-2
Data Management When you close the “Hardware Configuration” and/or “Project Configuration of
Connection,” the data (including module parameters and driver codes) is
automatically saved into your STEP 7 project.
Loading the The configuration and parameter assignment data can now be loaded online
Configuration and from the programming device to the CPU. Use the menu command PLC ½
Parameters Download to transfer the data to the CPU.
The module parameters of the CP are automatically transferred to the CP

during CPU startup as soon as it can be reached via the S7-400 backplane
bus.
Further Please refer to the User Manual for STEP 7 for a detailed description of:
Information
• How to save the configuration and the parameters.
• How to load the configuration and the parameters into the CPU.
• How to read, change, copy, and print the configuration and the
parameters.

A5E00218418-04
4.9 Startup Characteristics of the CP
Introduction The startup of the CP is divided into two phases:

• Initialization (mains-on of CP)
• Parameter assignment
Initialization As soon as voltage is applied to the CP, and after completion of a hardware
test program, the firmware on the CP is prepared for operation.
Parameter During parameter assignment, the CP receives the module parameters

Assignment allocated to the current slot.
The CP is now ready to run.
4.10 Parameter Assignment “Startup of the CPU”
This section is only relevant for the CP 441-2. If you are using a CP 341, you
can skip this section.
Hardware To avoid problems during startup of the CPU-CP, the following setting should
Configuration be made when carrying out Parameter Assignment of the CPU in
“Hardware Configuration.”
After starting the parameter assignment by double-clicking the CPU or by
clicking the CPU and selecting the menu command Edit ½ Object
Properties, the “Properties - CPU” page appears.
In the “Startup” tab set a minimum value of 1000 (= 100s) under “Monitoring
Time for” at the point “Transfer of Parameters to Modules (100ms):”.
Reason: When a CP 441-2 interface is assigned parameters with a loadable
driver, the driver code is transferred to the CP as well as the parameter
assignment values. The entire loading procedure is monitored for the time
mentioned above which must be long enough.

A5E00218418-04

A5E00218418-04
Comissioning the Communications FB
5 Commissioning the Communications FB
5.1 Installing the FB
Supplied Diskette The MODBUS slave communications FB is part of a STEP 7 project which is
stored to the directory EXAMPLES of the STEP 7 software under the name
“Modsl” for CP 441-2 or CP 341 when the driver is installed. It is also stored in
the library Modbus.
You should ensure that there is not already a project with the same name.
Transfer 1. The project file Modsl contains a complete STEP 7 project in the form of a
loadable example.
2. Transfer the Modbus communications FB180 for CP 441-2 or FB80 for

CP 341 to your user project if you wish to continue working in your own
user project.
3. If required, transfer the startup OBs OB100 and OB101, the cyclic OB1,
and DB180 or DB80 to your user project.
This will enable you to access the call example for the communications
FB, as well as a completed instance DB for the FB.
Note:
OB1 and OB100/OB101 can also be generated themselves.
If the instance DB is not included in the transfer, it must be generated when
calling FB180 or FB80 in OB1/OB100/OB101.
5.2 STEP 7 Project
STEP 7 Project The STEP 7 project file Modsl contains a complete project in the form of a
loadable example consisting of:
• Hardware project configuration with UR1, PS, CPU and CP
• CP parameter assignment
• STEP 7 program with OBs and Modbus communications FB
The blocks in the program file are to be understood as examples only and
may be changed by the user according to his requirements.
If necessary, the Modbus communications FB may be renamed as required.

A5E00218418-04
Contents of Modsl The project file example contains the following:

for CP 341
FB 180 Function Block Modbus slave communications FB for
CP 341
DB 80 Instance DB Instance DB and work area for Modbus
FB
OB 1 Example OB Cyclic program

OB 100 Example OB Cold restart (complete restart)
FB 7 P_RCV_RK Receive data

FB 8 P_SND_RK Send data
SFC 36 MSK_FLT Mask synchronous error events

SFC 37 DMSK_FLT Unmask synchronous error events
SFC 38 READ_ERR Read event status register
SFC 41 DIS_AIRT Delay alarms
SFC 42 EN_AIRT Enable alarms
SFC 51 RDSYSST Read system area (SZL) of CPU
The SFCs are integrated in the CPU, the variable tables have been added for
diagnostic purposes only.
Contents of Modsl The example project contains the following:

for CP 441-2
FB 180 Function block Modbus slave communications FB for
CP 441-2
DB 180 Instance DB Instance DB and work area for Modbus
FB
OB 1 Example OB Cyclic program

OB 100 Example OB Cold restart (complete restart)
OB 101 Example OB Restart
SFB 12 BSEND Send data block-orientated

SFB 22 STATUS Read error message area SYSTAT
SFC 36 MSK_FLT Mask synchronous error events

SFC 37 DMSK_FLT Unmask synchronous error events
SFC 38 READ_ERR Read event status register
SFC 41 DIS_AIRT Delay alarms
SFC 42 EN_AIRT Enable alarms
SFC 51 RDSYSST Read system area (SZL) of CPU
The SFBs and SFCs are integrated in the CPU, the variable tables have been
added for diagnostic purposes only.

A5E00218418-04
5.3 FB 80 Parameters (CP 341)
Name Type Data Type Meaning Permitted Assignment
LADDR I Int Base address of the CP Use HW Config assignment.
START_TIMER I Timer Timer for “Timeout

initialization”
START_TIME I S5Time Time value “Timeout

initialization”
OB_MASK I BOOL Mask I/O access errors, FALSE:

delay alarms
I/O access errors are not
masked.
TRUE:
Errors in access to non-

existent I/Os are masked and
alarms are delayed.
CP_START I BOOL Start FB initialization
CP_START_FM I BOOL The initialization is

activated with the rising
edge of CP_START
CP_START_NDR O BOOL Info: write job from CP
CP_START_OK O BOOL Initialization completed TRUE:

without error
The initialization job could be
completed without error
before the monitoring time
elapsed.
CP_START_ERROR O BOOL Initialization completed TRUE:

with error
The initialization job could not
be completed without error
even after the monitoring time
had elapsed.
ERROR_NR O Word Error number Assignment, see diagnostics.
ERROR_INFO O Word Error additional info Assignment, see diagnostics.

A5E00218418-04
5.4 FB 180 Parameters (CP 441-2)
Name Type Data Type Meaning Permitted Assignment
ID I Int Connection ID Connection ID from project

configuration of the data link.
START_TIMER I Timer Timer for “Timeout

initialization”
START_TIME I S5Time Time value “Timeout

initialization”
STATUS_TIMER I Timer Read Timer for SYSTAT
STATUS_TIME I S5Time Read Time value for
SYSTAT
OB_MASK I BOOL Mask I/O access errors, FALSE:

delay alarms
I/O access errors are not
masked.
TRUE:
Errors in access to non-

existent I/Os are masked and
alarms are delayed.
CP_START I BOOL Start FB initialization
CP_START_FM I BOOL The initialization is

activated with the rising
edge of CP_START
CP_START_NDR O BOOL Info: write job from CP
CP_START_OK O BOOL Initialization completed TRUE:

without error
The initialization job could be
completed without error
before the monitoring time
elapsed.
CP_START_ERROR O BOOL Initialization completed TRUE:

with error
The initialization job could not
be completed without error
even after the monitoring time
had elapsed.
ERROR_NR O Word Error number Assignment, see diagnostics.
ERROR_INFO O Word Error additional info Assignment, see diagnostics.

A5E00218418-04
5.5 Program Call
General The Modbus communications FB for the loadable Modbus slave driver must
Information be called in SIMATIC S7 CPU in the cyclic part.
The communications FB initializes the CP and carries out those Modbus

functions which the driver cannot carry out itself. The Modbus slave
communications FB must be called in the user program, even if these function
codes are not used by the Modbus master system.
Communication between the CP and the FB is carried out via the CPU
operating system functions and the system function block SFB BSEND
(CP 441-2) or P_SND_RK and P_RCV_RK (CP 341) which is called from the
FB.
Furthermore, the Modbus FB (CP 441-2 (FB180) only) reads the error
message area SYSTAT of the CP using SFB STATUS.
Startup, After each complete restart or restart of the CPU, you must carry out an
Initialization initialization of the Modbus communications FB.
Initialization is activated with a rising edge at input CP_START.

First of all the FB deletes the instance DB, reads operand areas I, Q, M, T, C
from the CPU with SFC51 SZL_READ, and files them in the instance DB. This
enables you to check the write requirements of the Modbus master system for
area overflow.
The number of the instance DB and the completed initialization sequence is
communicated to the CP by means of a SEND job.
As soon as the SEND job has been completed without error, output
CP_START_OK is set and the FB initialization is complete.
If the SEND job is completed with error, CP_START is reset and
CP_START_ERROR is set.
If the initialization was completed with error, Modbus communication is not
possible.
All requests from the Modbus Master system are answered with an Exception
Code message.
Instance DB All data relevant to the Modbus FB are located in an instance data block.
This DB is also the instance DB (multi instances) for the used FBs / SFBs and
work area for the Modbus communications FB. No further data area is
required.
The Modbus FB only uses the instance DB and local data.
Access to the instance DB is permitted only as read-only.

A5E00218418-04
Timeout After mains-on, the CP needs several seconds for hardware and memory
Initialization checks until it is ready for run. Initialization attempts of the Modbus FB during
(START_TIME) this time are completed with error. Because of this, the Modbus FB repeats its
initialization job several times during this timeout.
CP_START_OK is set if the initialization could be completed without error

within the parameterized time START-TIME of the timer START-TIMER. If
initialization could not be completed without error after the monitoring time has
elapsed, CP_START_ERROR is set.
Time Value for A cyclic read of the SYSTAT area (only relevant for CP 441-2 (FB180)) on
Read SYSTAT every PLC cycle or every other PLC cycle would cause an overload for the CP
(CP 441-2 only) and the K-Bus and would reduce data throughput. Therefore a time interval
can be set for reading the SYSTAT area.
After the time interval STATUS_TIME in STATUS_TIMER has elapsed, the
Modbus FB activates the SFB STATUS for reading the SYSTAT area.
I/O Access Errors, Input parameter OB_MASK can be used to instruct the Modbus FB to mask
Delay Alarms I/O access errors. In the event of a write access to non-existent I/Os, the CPU
does not go to STOP and neither does it call the error OB.
The access error is, however, recognized by the FB and the function is ended
with an error message to the CP. I/O access errors in the event of a write
command are masked only if parameter OB_MASK is = TRUE.
Prior to masking the access errors, all higher priority alarms are delayed
(SFC14), and they are re-enabled after write access of the FBs and after
unmasking the access errors (SFC42).
This ensures that access errors are recognized by higher priority programs
(time or process alarms) in case the FB is interrupted between masking and
unmasking.

A5E00218418-04
Example
OB100/101 Segment 1
UN M 180.0 // set CP_START

S M 180.0 // !
U M 180.1 // re-set CP_START_FM
R M 180.1 // !
Example OB1 for Segment 1

CP 341
CALL FB 180 , DB80 // MODBUS SLAVE CP341 FB
LADDR :=256 // Base address of the CP
START_TIMER :=T120 // Timer “Timeout initi.”
START_TIME :=S5T#5S // Time value “Timeout .”
OB_MASK :=TRUE // Mask access errors
CP_START :=M180.0 // Initialization start
CP_START_FM :=M180.1 // Edge trigger memory bit
CP_NDR :=M180.2 // New write job from CP
CP_START_OK :=M180.3 // Initial. without error
CP_START_ERROR :=M180.4 // Initial. with error
CP_ERROR_NR :=MW182 // Error number
CP_ERROR_INFO :=MW184 // Error additional info
Example OB1 for Segment 1

CP 441-2
CALL FB 180 , DB180 // MODBUS SLAVE CP441 FB
ID :=W#16#1000 // Connection-ID
START_TIMER :=T180 // Timer “Timeout initi.”
START_TIME :=S5T#5S // Time value “Timeout .”
STATUS_TIMER :=T181 // Timer “Read SYSTAT”
STATUS_TIME :=S5T#2S // Time value “Read SYST”
OB_MASK :=TRUE // Mask access errors
CP_START :=M180.0 // Initialization start
CP_START_FM :=M180.1 // Edge trigger memory bit
CP_NDR :=M180.2 // New write job from CP
CP_START_OK :=M180.3 // Initial. without error
CP_START_ERROR :=M180.4 // Initial. with error
CP_ERROR_NR :=MW182 // Error number
CP_ERROR_INFO :=MW184 // Error additional info

A5E00218418-04
5.6 Cyclic Operation
Communications The MODBUS communications FB carries out all necessary SFB calls and
FB processes those function codes which the CP cannot run itself (write bit-by-
bit with FC05 or FC15 to the SIMATIC areas memory bits and outputs).
SYSTAT Area The Modbus FB180 for the CP 441-2 reads from the SYSTAT area of the CP
(CP 441-2 only) cyclically and stores the data in the instance DB commencing at DBW 40.
Furthermore, you must program the user-specific error handling in the user
program.
Bytes 4 to 15 (events 1 to 6) of SYSTAT are always stored in the instance
DB commencing at DBW 44, providing the error bit (Bit 2.0) has been set in
SYSTAT.
Please refer to chapter “Diagnostics” of this manual and the CP 441-2
manual for a detailed description of the structure of SYSTAT.
Reaction Times One FB sequence (one PLC cycle) plus data transfer times CP--->CPU and
CPU--->CP are required to process the write function codes FC05, FC15.
The other functions which are processed by the CP directly only require data
transfer times CP--->CPU or CPU--->CP.
The CP does not send the reply message to the master system until after the
data transfer CPU--->CP. In this instance the standard reply monitoring time
of 2 sec. can be met.
Processed by
Modbus FB
Data transfer Data transfer

CP-->CPU CPU-->CP
Request CP sends
message reply
received from message
Master
t
----------------------->
The reaction times depend on the cycle time of the CPU program (Modbus
FB) and the CPU type (data transfer CPU<-->CP).

A5E00218418-04
CPU - CP Interface
6 CPU - CP Interface
6.1 CPU - CP Interface for CP 341
6.1.1 General Information
Modbus Data transfer between CP and CPU is carried out by the function blocks
Communications P_SND_RK and P_RCV_RK.
FB The supplied Modbus communications FB calls the FBs.
It is not necessary to program any further FB calls in the SIMATIC user

program.
Module Address The only remaining task is to specify the module address (LADDR) at the
Modbus communications FB.
6.1.2 Data Transfer Length CPU <-> CP
Data Transfer Transfer of data CP <-> CPU is carried out by the function blocks P_SND_RK
Length and P_RCV_RK.
The length of data transfer is a maximum of 1024 bytes.
This means that the Modbus slave driver replies with an error message with
Exception_Code, in the event that a read or write access is carried out which
exceeds the data lengths specified above.
6.1.3 Data Consistency
Block Size Data transfer between CPU and CP is carried out by function blocks
P_SND_RK and P_RCV_RK.
To ensure a stable reaction handling to system alarms of the S7 automation

system, data transfer between CPU and CP is carried out block-by-block.
The block size for the access to the SIMATIC memory area (data blocks,
memory bits,…) is 32 bytes.

A5E00218418-04
CPU - CP Interface
Data Consistency Data consistency during data transmission is given only for the above-listed
block size of 32 bytes.
For larger amounts of data, the data is transferred in the listed block size with
a time delay between each block.
Data consistency between the individual blocks cannot be guaranteed

because the data may be processed by the user program at the same time.
Access to the CPU memory is carried out while the user program is running
whenever the P_RCV_PK is passed.
Modbus Slave This means the following for the driver Modbus slave:
If data consistency is required when reading / writing registers or bits, the

amount of data transferred by a single message must be limited to the above-
listed block size: for example, a maximum of 16 registers with FC 03,04,16 or
a maximum of 256 bits with FC 01,02,15.
If required, it is possible to ensure consistent processing of related data areas

by appropriate coordination mechanisms at user level.
6.2 CPU - CP Interface for CP 441-2
6.2.1 General Information
Modbus Data transfer between CP and CPU is carried out by the integrated system
Communications functions PUT and GET and the SFBs BSEND and STATUS. The supplied
FB Modbus communications FB calls the SFBs BSEND and STATUS.
PUT and GET are operating system functions which run in the background
program of the CPU, independently of the user program.
It is not necessary to program any further SFB calls in the SIMATIC user
program.
Communications The only remaining task is to specify the Connection ID from the project
Link configuration at the Modbus communications FB.
The Parameter ID describes the unique communication link to a

communication partner.

A5E00218418-04
CPU - CP Interface
6.2.2 Data Transfer Length CPU <-> CP
Data Transfer Transfer of data CP <-> CPU is carried out by the system functions PUT and
Length GET.
The length of data transfer depends on the CPU type:

(see also Reference Manual “System and Standard Functions”)
System Function S7-400

PUT/GET 450 Byte
This means that the Modbus slave driver replies with an error message with
Exception_Code, in the event that a read or write access is carried out which
exceeds the data lengths specified above.
The table below shows the maximum amount of data.
S7-400
Modbus Maximum Maximum
Function Code Amount of Amount of
Registers Bits
01, 02 2040
03, 04, 16 127
15 2040
6.2.3 Data Consistency
Block Size Data transfer between CP and CPU is carried out by the integrated system
functions PUT and GET.
To ensure a stable reaction handling to system alarms of the S7 automation

system, data transfer between CPU and CP is carried out block-by-block.
The block size for the access to the SIMATIC memory areas (data blocks,
memory bits,…) is 32 bytes.

A5E00218418-04
CPU - CP Interface
Data Consistency The access to the CPU memory areas by the utilities PUT and GET is carried
out asynchronous to the STEP 7 application program. Therefore data
consistency during data transmission is given only for the above-listed block
sizes.
For larger amounts of data, the data is transferred in the listed block sizes with
a time delay between each block.
Data consistency between the individual blocks cannot be guaranteed

because the data may be processed by the user program at the same time.
Please note furthermore, that access to the CPU memory can be carried out
at any time while the user program is running because the integrated system
functions PUT and GET run in the background program of the CPU.
This is a system specific to the S7 CPUs and is described in the Reference

Manual “System and Standard Functions” Chapters 17 and 18 (Data
Consistency). (See also Further Sources of Information in the preface of this
manual.)
Modbus Slave This means the following for the driver Modbus slave:
If data consistency is required when reading / writing registers or bits, the

amount of data transferred by a single message must be limited to the above-
listed block size: for example, for S7-400: a maximum 16 registers with FC
03,04,16 or a maximum of 256 bits with FC 01,02,15.
You should also note that the read and write access of the Modbus function
codes may be carried out at any time within the S7 application program.
If required, it is possible to ensure consistent processing of related data areas

by appropriate coordination mechanisms at user level.

A5E00218418-04
Transmission Protocol
7 Transmission Protocol
General The procedure used is a code-transparent, asynchronous half-duplex

Information procedure.
Data transfer is carried out without handshake.
Master-Slave The Modbus master system initiates transmission, and after outputting a
Relationship request message it waits for a reply message from the slave. Message
exchange from slave to slave is not possible.
Message Structure The data exchange “Master-Slave” and/or “Slave-Master” begins with the
Slave Address, followed by the Function Code. Then the data are
transferred. The structure of the data field depends on the function code used.
The CRC check is transmitted at the end of the message.
ADDRESS FUNCTION DATA CRC CHECK
Byte Byte n Byte 2 Byte
ADDRESS MODBUS Slave Address
FUNCTION MODBUS Function Code
DATA Message Data: Byte_Count, Coil_Number, Data
CRC CHECK Message Checksum
Slave Address The slave address can be within the range 1 to 255. The address is used to
address a defined slave on the bus.
Broadcast The master uses slave address zero to address all slaves on the bus.
Message Message
Broadcast Messages are only permitted in conjunction with writing Function
Codes 05, 06, 15, and 16.
A Broadcast Message is not followed by a reply message from the slave.

A5E00218418-04
Function Code The function code defines the meaning as well as the structure of a message.
The following function codes are supported by the CP:
Function Code Function in accordance with

MODBUS Specification
01 Read Coil Status
02 Read Input Status
03 Read Holding Registers
04 Read Input Registers
05 Force Single Coil
06 Preset Single Register
08 Loop Back Test
15 Force Multiple Coils
16 Preset Multiple Registers
Data Field DATA The data field DATA is used to transfer the function code-specific data such
as:
Bytecount, Coil_Start Address, Register_Start Address; Number_of_Coils,
Number_of_Registers, ... . See also Chapter “Function Codes.”
CRC Check Message end is identified by means of the CRC 16 checksum consisting of 2
16 15 2
bytes. It is calculated by the following polynominal: x + x + x + 1.
The first byte to be transferred is the Low Byte, then the High Byte.
Message End The driver recognizes message end, when no transmission takes place
during the time period required for the transmission of three and a half
characters (3.5 times character delay time) (see MODBUS Protocol
Reference Guide).
This message end TIME_OUT is therefore dependent on the transmission

rate.
Transmission TIME_OUT
Rate
76800 bps 0.5 ms
38400 bps 1 ms
19200 bps 2 ms
9600 bps 4 ms
4800 bps 8 ms
2400 bps 16 ms
1200 bps 32 ms
600 bps 64 ms
300 bps 128 ms
After completion of the message end TIME_OUT, the reply message received
by the slave is evaluated and its format is checked.

A5E00218418-04
Exception On recognition of an error in the request message from the master (for
Responses example, register address illegal), the slave sets the highest value bit in the
function code of the reply message.
This is followed by transmission of one byte of error code (Exception Code),
which describes the reason for the error.
Exception Code The error code reply message from the slave has the following structure:
Message for example, slave address 5, function code 5, exception code 02
Reply Message from Slave EXCEPTION_CODE_xx:
05H Slave Address

85H Function Code
02H Exception Code (1..4)
xxH CRC Check Code “Low”
xxH CRC Check Code “High”
The following error codes are sent by the CP:
Excep- Meaning in Cause

tion accordance with
Code MODBUS
Specification
01 Illegal Function Illegal function code received
02 Illegal Data Address Access to a SIMATIC area which is not
enabled (see parameter assignment -
areas, limitation)
03 Illegal Data Value Length greater 2040 bits or 127 registers,
data field not FF00 or 0000 for FC05,
diagnostics subcode <> 0000 for FC08.
04 Failure in Associated Initialization by Modbus communications
Device FB not yet carried out or FB reports error,
Error during data transfer CP<->CPU
(for example, DB does not exist, maximum
transferable data length exceeded (block
size CPU<->CP) ).

A5E00218418-04
Function Codes
RS 232C The following RS 232C secondary signals exist on the CP when the RS 232C
Secondary Signals interface submodule is used
• DCD (input) Data carrier detect;

Data carrier detected
• DTR (output) Data terminal ready;

CP ready for operation
• DSR (input) Data set ready;

Communication partner ready for operation
• RTS (output) Request to send;

CP ready to send
• CTS (input) Clear to send; Communication partner

can receive data from the
CP (response to RTS = ON of the CP)
• RI (input) Ring indicator;

Indication of an incoming call
When the CP 441 is switched on, the output signals are in the
OFF state (inactive).
You can parameterize the way in which the DTR/DSR and RTS/CTS control
signals are used with the CP 441: Point-to-Point Communication,
Parameter Assignment parameterization interface or control them by
means of function calls (FBs) in the user program.
Using the RS 232C The RS 232C secondary signals can be used as follows:
Secondary Signals
• When the automatic use of all RS 232C secondary signals is
parameterized
• By means of the V24_STAT and V24_SET functions (FBs)
Note
When automatic use of the RS 232C secondary signals is parameterized,
neither RTS/CTS data flow control nor RTS and DTR control by means of the
V24_SET FB are possible.
On the other hand, it is always possible to read all RS 232C secondary
signals by means of the V24_STAT FB.
The sections that follow describe how the control and evaluation of the RS
232C secondary signals is handled.

A5E00218418-04
Function Codes
Automatic Use of The automatic use of the RS 232C secondary signals on the CP is
the Secondary implemented as follows:
Signals • As soon as the CP is switched by means of parameterization to an
operating mode with automatic use of the RS 232C secondary signals, it
switches the RTS line to OFF and the DTR line to ON (CP ready for use).
Message frames cannot be sent and received until the DTR line is set to
ON. As long as DTR remains set to OFF, no data is received via the
RS 232C interface. If a send request is made, it is aborted with an error
message.
• When a send request is made, RTS is set to ON and the parameterized
data output waiting time starts. When the data output time elapses and
CTS = ON, the data is sent via the RS 232C interface.
• If the CTS line is not set to ON within the data output time so that data
can be sent, or if CTS changes to OFF during transmission, the send
request is aborted and an error message generated.
• After the data is sent, the RTS line is set to OFF after the parameterized
time to RTS OFF has elapsed. The CP340 does not wait for CTS to
change to OFF.
• Data can be received via the RS 232C interface as soon as the DSR line
is set to ON. If the receive buffer of the CP threatens to overflow, the CP
does not respond.
• A send request or data receipt is aborted with an error message if DSR
changes from ON to OFF. The message "DSR = OFF (automatic use of
V24 signals)" is entered in the diagnostics buffer of the CP.
Note
Automatic use of the RS 232C secondary signals is only possible in half-duplex
mode. When automatic use of the RS 232C secondary signals is parameterized,
neither RTS/CTS data flow control nor RTS and DTR control by means of the
V24_SET FB are not possible.
Note
The "time to RTS OFF" must be set in the parameterization interface so that the
communication partner can receive the last characters of the message frame in
their entirety before RTS, and thus the send request, is taken away. The "data
out put waiting time" must be set so that the communication partner can be
ready to receive before the time elapses.

A5E00218418-04
Function Codes
Time Diagram
The following figure illustrates the chronological sequence of a send request.
ON
RTS
OFF
ON
CTS
OFF
1
TXD
0
t
Send request: Transmission
RTS = ON terminated
Partner: Time to RTS OFF

CTS = ON elapsed
Data output wait time Partner:

expired: ³ Send CTS = OFF
Data output Time to RTS

waiting time OFF
Figure 4-1 Time Diagram for Automatic Use of the RS 232C Secondary Signals

A5E00218418-04
Function Codes
8 Function Codes
Used Function The following MODBUS function codes are supported by the driver:
Codes
Function Function in Function in SIMATIC S7
Code accordance with
MODBUS
Specification
01 Read coil status Read bit-by-bit Memory bits M
Read bit-by-bit Outputs Q
Read bit-by-bit Timers T
(16 bit interval)
Read bit-by-bit Counters C
(16 bit interval)
02 Read input status Read bit-by-bit Memory bits M
Read bit-by-bit Inputs I
03 Read holding Read word-by-word Data block DB
registers
04 Read input Read word-by-word Data block DB
registers
05 Force single coil Write bit-by-bit Memory bits M
Write bit-by-bit Outputs Q
06 Preset single Write word-by-word Data block DB
register
08 Loop back test - -
15 Force multiple coils Write bit-by-bit Memory bits M
(1...2040 bits)
Write bit-by-bit Outputs Q
(1...2040 bits)
16 Preset multiple Write word-by-word Data block DB
(holding) registers (1...127 registers)
Note
All Modbus addresses listed below refer to the transmission message level
and not to the user level in the Modbus master system.
This means that the Modbus addresses in the transmission messages begin
with 0000 Hex.

A5E00218418-04
Function Codes
Note
The MODBUS slave driver supports a maximum data block length of 512
data words in all the function codes, which access the SIMATIC range “data
block DB“ (FC 03, 04, 06,16).
When converting addresses from MODBUS to SIMATIC addresses, a “direct

transition“ from one DB number to the subsequent DB number within a
MODBUS Master Request Telegram is not possible. The MODBUS slave
replies this Request Telegram with an Exception Code Telegram and outputs
“0E 39“ (error while accessing the SIMATIC range “Data block“) into the
diagnostic buffer.
For example, the DBX word address 510 with a length >2 cannot be output
because the address for Register no. >2 (e.g. Register 3) would automatically
mean word address 0 in DBX+1.
8.1 Function Code 01 - Read Coil (Output) Status
Function This function enables the MODBUS master system to read individual bits from
the SIMATIC memory areas listed below.
Request Message ADDR FUNC start_address bit_number CRC
Reply Message ADDR FUNC Byte_count n n Byte DATA CRC
start_address The Modbus bit address “start_address” is interpreted by the driver as

follows:
The driver checks that “start_address” is located within one of the areas which
were specified during parameter assignment in the dialog box
“Conversion of MODBUS Addressing for FC 01, 05, 15” (from / to : memory
bits, outputs, timers, counters).
If MODBUS bit address access is made to the following

start_address is located in SIMATIC memory area
area
from aaaaa to bbbbb commence M uuuuu.0
at memory
bit
from ccccc to ddddd commence Q ooooo.0
at output
from eeeee to fffff commence T ttttt
at timer
from ggggg to hhhhh commence C zzzzz
at counter

A5E00218418-04
Function Codes
The address calculation for access (address conversion) is carried out as

follows:
Access Conversion Formula

beginning with
SIMATIC
Memory byte = ((start_address - aaaaa) / 8) + uuuuu
Output byte = ((start_address - ccccc) / 8) + ooooo
Timer = ((start_address - eeeee) / 16) + ttttt
Counter = ((start_address - ggggg) / 16) + zzzzz
Access to “Memory bits” and “Outputs”

When accessing SIMATIC areas “Memory bits” and “Outputs,” the remaining
Rest Bit_Number is calculated and used to address the relevant bit within the
first / last memory or output byte.
Access to “Timers” and “Counters”

With the address calculation, it must be possible to divide the result
(start_address - eeeee) or
(start_address - ggggg) by 16 without having a left over value
(access word-by-word only starting from word limit).
bit_number Values between 1 and 2040 are permitted as the bit_number (number of
coils). This amount of bits is read.
When accessing SIMATIC areas “Timers” and “Counters,” it must be possible
to divide the “bit_number” by 16 (access word-by-word only).
Please note that a maximum of 16 “Timers” and/or “Counters” can be read if
you are using the CP 341.
Note
Please note the CPU-specific limitations as described in the chapter “CPU-CP
Interface.”
Application Example for Parameter Assignment:

Example
Conversion of MODBUS Addressing for Function Codes FC 01, 05, 15
MODBUS address in SIMATIC memory area

from 0 to 2047 comm. at M 1000.0
memory bit
from 2048 to 2559 commence Q 256.0
at output
from 4096 to 4607 commence T 100
at timer
from 4608 to 5119 commence C 200
at counter

A5E00218418-04
Function Codes
Request Message FUNCTION 01:

05H Slave Address ADDR
01H Function Code FUNC
00H start_address “High”
40H start_address “Low”
00H bit_number “High”
20H bit_number “Low”
Reply Message FUNCTION 01:
04H Byte_count
01H <DATA 1> M 1008.0 - M 1008.7
17H <DATA 2> M 1009.0 - M 1009.7
02H <DATA 3> M 1010.0 - M 1010.7
18H <DATA 4> M 1011.0 - M 1011.7
Address Calculation:
The Modbus address “start_address” 0040 Hex (64 decimal) is located in the
“memory bit” area:

= ((64 - 0) / 8) + 1000
= 1008 ;
The remaining Rest Bit_Number results in:
Rest-Bit_No. = ((start_address - aaaaa) % 8) [Modulo 8]

= ((64 - 0) % 8)
= 0;
Access is made starting from bit M 1008.0 up to and including M 1011.7.
Amount of Bits:
The amount of Modbus bits “bit_number” 0020 Hex (32 decimal) means that
32 Bits = 4 Bytes should be read.

A5E00218418-04
Function Codes
Further Examples
Some other access examples are listed in the table below.
All examples are based on the above area specification.
start_address Access in SIMATIC beginning -> with

Hex decimal (decimal)
0000 0 Mem.bit ((0 - 0) / 8) + 1000 -> M 1000.0
0021 33 Mem.bit ((33 - 0) / 8) + 1000 -> M 1004.1
0400 1024 Mem.bit ((1024 - 0) / 8) + 1000 -> M 1128.0
0606 1542 Mem.bit ((1542 - 0) / 8) + 1000 -> M 1192.6
0840 2112 Output ((2112 - 2048) / 8) + 256 -> Q 264.0
09E4 2532 Output ((2532 - 2048) / 8) + 256 -> Q 316.4
1010 4112 Timers ((4112 - 4096) / 16) + 100 -> T 101
10C0 4288 Timers ((4288 - 4096) / 16) + 100 -> T 112
1200 4608 Counters ((4608 - 4608) / 16) + 200 -> C 200
13E0 5088 Counters ((5088 - 4608) / 16) + 200 -> C 230
8.2 Function Code 02 - Read Input Status
Function This function enables the MODBUS master system to read individual bits from
the SIMATIC memory areas listed below.
Request Message ADDR FUNC start_address bit_number CRC
Reply Message ADDR FUNC Byte_count n n Byte DATA CRC

follows:
The driver checks whether “start_address” is located within one of these
areas, which was entered during parameter assignment in the dialog box
“Conversion of MODBUS Addressing for FC 02” (from / to : memory bits,
inputs).
If MODBUS bit address SIMATIC memory area is

start_address is located in accessed
area
from kkkkk to lllll commence M vvvvv.0
at memory
bit
from nnnnn to rrrrr commence I sssss.0
at input

A5E00218418-04
Function Codes

follows:

beginning with
SIMATIC
Memory byte = ((start_address - kkkkk) / 8) + vvvvv
Input byte = ((start_address - nnnnn) / 8) + sssss
Access to “Memory bits” and “Inputs”

When accessing SIMATIC areas “memory bits” and “inputs,” the remaining
Rest Bit_number is calculated and used to address the relevant bit within the
first / last memory or input byte.
bit_number Any value from 1 to 2040 is allowed as the bit_number (number of coils). This
amount of bits is read.
Note:
Interface.”

Example
Conversion of MODBUS Addressing for Function Code FC 02

from 0 to 4095 commencing M 2000.0
at memory
bit
from 4096 to 5119 commencing I 128.0
at input

00H bit_number “High”
18H bit_number “Low”
03H Byte_count
12H <DATA 1> E 134.0 - E 134.7
34H <DATA 2> E 135.0 - E 135.7
56H <DATA 3> E 136.0 - E 136.7

A5E00218418-04
Function Codes
The Modbus address “start_address” 1030 Hex (4144 decimal) is located in
the area “Inputs”:
Input byte = ((start_address - nnnnn) / 8) + sssss

= ((4144 - 4096) / 8) + 128
= 134 ;
The remaining Rest Bit_number results in:
Rest-Bit_No. = ((start_address - aaaaa) % 8) [Modulo 8]

= ((4144 - 4096) % 8)
= 0;
Access is made starting from input I 134.0 up to and including I 136.7.
Amount of Bits:
The amount of Modbus bits “bit_number” 0018 Hex (24 decimal) means that
24 bits = 3 bytes should be read.
Further Examples Some other access examples are listed in the table below.
All examples are based on the above area specification.
start_address Access in SIMATIC beginning -> with

Hex decimal (decimal)
0000 0 Mem.bit ((0 - 0) / 8) + 2000 -> M 2000.0
0071 113 Mem.bit ((113 - 0) / 8) + 2000 -> M 2014.1
0800 2048 Mem.bit ((2048 - 0) / 8) + 2000 -> M 2256.0
0D05 3333 Mem.bit ((3333 - 0) / 8) + 2000 -> M 2416.5
1000 4096 Input ((4096 - 4096) / 8) + 128 -> I 128.0
10A4 4260 Input ((4260 - 4096) / 8) + 128 -> I 148.4
8.3 Function Code 03 - Read Output Registers
Function This function enables the MODBUS master system to read data words from a
data block.
Request Message ADDR FUNC start_register register_number CRC
Reply Message ADDR FUNC Byte_count n n/2-Register DATA (High, Low) CRC

A5E00218418-04
Function Codes
start_register The Modbus register address “start_register” is interpreted by the driver as

follows:
15 9 8 7 0 Bit
start_register offset_DB_No. start_register word No.
For further address generation, the driver uses the “base DB number” (from
DB xxxxx) entered in the dialog box “Conversion of MODBUS Addressing
for FC 03, 06, 16.”
The address calculation for access (address conversion) is carried out in two
steps as follows:
Access to Conversion Formula

SIMATIC
Data block DB = (base DB number xxxxx +
(resulting DB) start_register offset_DB_No.)
Data word DBW = (start_register word_No. ∗ 2)
Calculation Providing the resulting DB to be read is known, the Modbus address

Formula for start_register required in the master system can be calculated in accordance
start_register with the following formula:
start_register = ((resulting DB - base DB number) ∗ 512) +

(data word_DBW / 2)
This is based on even numbered data word numbers only.
register_number Any value from 1 to 127 is permitted as the register_number (number of

registers). This amount of registers is read. Please follow the following rule:
(register_number)max = 512 - start_register
Note:
Interface.”

Example

0 commencing at data DB 800
block (base DB
number)

A5E00218418-04
Function Codes

00H start_register “High”
50H start_register “Low”
00H register_number “High”
02H register_number “Low”
04H Byte_count
87H <DATA 1> DBW 160 “High”
65H <DATA 2> DBW 160 “Low”
43H <DATA 3> DBW 161 “High”
21H <DATA 4> DBW 161 “Low”
The Modbus address “start_register” 0050 Hex (80 decimal) is interpreted as
follows:
Modbus Register Number (start_register) = 0050 Hex
15 9 8 7 0 Bit
start_register-Offset_DB_No. = start_register- word No. =

00 Hex (0 decimal) 050 Hex (80 decimal)
Data block DB = (base DB Number xxxxx +

(resulting DB) start_register-Offset_DB_No.)
= (800 + 0)
= 800 ;

= (80 ∗ 2)
= 160 ;
Access is made to DB 800, data word DBW 160.
Amount of Registers:
The amount of Modbus registers “register_number” 0002 Hex (2 decimal)
means 2 registers = 2 data words are read.

A5E00218418-04
Function Codes
Further Examples Some other access examples are listed in the table below.
start_register
start_register Base Offset Word Number resulting DB DBW
DB No. DB_No.
Hex decimal decimal decimal Hex decimal decimal decimal
0000 0 800 0 000 0 800 0

01F4 500 800 0 1F4 500 800 1000
0200 512 800 1 000 0 801 0
02FF 767 800 1 0FF 255 801 510
0300 768 800 1 100 256 801 512
03FF 1023 800 1 1FF 511 801 1022
0400 1024 800 2 000 0 802 0
8.4 Function Code 04 - Read Input Registers
Function This function enables the MODBUS master system to read data words from a
data block.
Request Message ADDR FUNC start_register register_number CRC
Reply Message ADDR FUNC Byte_count n n/2-Register DATA (High, Low) CRC
start_register The Modbus Register Address “start_register” is interpreted by the driver as

follows:
15 9 8 7 0 Bit
start_register-Offset_DB_No. start_register-word-No.
For further address generation, the driver uses the “base DB number” (from
DB xxxxx) entered in the dialog box “Conversion of MODBUS Addressing
for FC 04.”
steps as follows:

SIMATIC
Data Block DB = (base DB number xxxxx +
Data word DBW = (start_register-word_No. ∗ 2)

A5E00218418-04
Function Codes


(data word_DBW / 2)
register_number Any value from 1 to 127 is permitted as the register_number (number of

registers). This amount of registers is read. Please follow the following rule:
(register_number)max = 512 - start_register
Note:
Interface.”

Example
Conversion of MODBUS Addressing for Function Code FC 04
block (base DB
number)

C0H start_register “Low”
00H register_number “High”
03H register_number “Low”
06H Byte_count
A1H <DATA 1> DBW 384 “High”
A2H <DATA 2> DBW 384 “Low”

A5E00218418-04
Function Codes
The Modbus address “start_register” 02C0 Hex (704 decimal) is interpreted as
follows:
Modbus Register Number (start_register) = 02C0 Hex
15 9 8 7 0 Bit
start_register-Offset_DB_No. = start_register-word -No. =

01 Hex (1 decimal) 0C0 Hex (192 decimal)
Data block DB = (Base-DB-Number xxxxx +

= (900 + 1)
= 901 ;

= (192 ∗ 2)
= 384 ;
Amount of Registers:
The amount of Modbus registers “register_number” 0003 Hex (3 decimal)
means 3 registers = 3 data words are read.
Further Examples Some other access example are listed in the table below.
start_register
start_register Base Offset Word Number resulting DB DBW
DB No. DB_No.
Hex decimal decimal decimal Hex decimal decimal decimal
0000 0 900 0 000 0 900 0

0064 100 900 0 064 100 900 200
00C8 200 900 0 0C8 200 900 400
0190 400 900 0 190 400 900 800
1400 5120 900 10 000 0 910 0
1464 5220 900 10 064 100 910 200
14C8 5320 900 10 0C8 200 910 400

A5E00218418-04
Function Codes
8.5 Function Code 05 - Force Single Coil
Function This function enables the MODBUS master system to write a bit into the
SIMATIC memory areas of the CPU as listed below.
Request Message ADDR FUNC coil_address DATA-on/off CRC
Reply Message ADDR FUNC coil_address DATA-on/off CRC
coil_address The Modbus bit address “coil_address” is interpreted by the driver as follows:
The driver checks whether “coil_address” is located within one of these areas,
which was entered during parameter assignment in the dialog box
“Conversion of MODBUS Addressing for FC 01, 05, 15” (from / to : memory
bits, outputs, timers, counters).

coil_address is located in accessed
area
from aaaa to bbbb commencing M uuuu.0
from
memory bit
from cccc to dddd commencing Q oooo.0
from output

follows:

beginning with
SIMATIC

When accessing SIMATIC areas “memory bits” and “outputs,” the remaining
Rest Bit_number is calculated and used to address the relevant bit within the
memory or output byte.
Access to SIMATIC areas timers and counters is not permitted with function
code FC 05 and is rejected by the driver with an error message.
DATA on/off The following two values are permitted as DATA on/off:
FF00H ➭ set bit.
0000H ➭ delete bit.

A5E00218418-04
Function Codes

Example

at memory
bit
from 2048 to 2559 commencing Q 256.0
at output

08H coil_address “High”
09H coil_address “Low” A257.1
FFH DATA on/off “High”
00H DATA on/off “Low”
08H coil_address “High”
09H coil_address “Low” A257.1
FFH DATA on/off “High”
00H DATA on/off “Low”
The Modbus address “coil_address” 0809 Hex (2057 decimal) is located in the
area “outputs”:
Output byte = ((coil_address - ccccc) / 8) + ooooo

= ((2057 - 2048) / 8) + 256
= 257 ;
The remaining Rest Bit_number results in:
Rest Bit_No. = ((coil_address - ccccc) % 8) [Modulo 8]

= ((2057 - 2048) % 8)
= 1;
Access is made to output Q 257.1.
Further Examples For further access examples to memory bits and outputs, please refer to
FC 01.

A5E00218418-04
Function Codes
8.6 Function Code 06 - Preset Single Register
Function This function enables the MODBUS master system to write a data word in a
data block of the CPU.
Request Message ADDR FUNC start_register DATA value (High, Low) CRC
Reply Message ADDR FUNC start_register DATA value (High, Low) CRC

follows:
15 9 8 7 0 Bit
start_register-Offset_DB_No. start_register word No.
For further address generation, the driver uses the “base DB number”
(commencing at DB xxxxx) entered in the dialog box
“Conversion of MODBUS Addressing for FC 03, 06, 16” during parameter
assignment.
steps as follows:

SIMATIC
Data Block DB = (Base DB Number xxxxx +
Data Word DBW = (start_register-word_No. ∗ 2)


(data word_DBW / 2)
This is based on even numbered data numbers only.
DATA Value Any value can be used as the DATA value (register value).

A5E00218418-04
Function Codes

Example

block
(Base DB Number)

80H start_register “Low” DBW 768
2BH DATA Value “High”
1AH DATA Value “Low”
2BH DATA Value “High”
1AH DATA Value “Low”
The Modbus address “start_register” 0180 Hex (384 decimal) is interpreted:
15 9 8 7 0 Bit
0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0
start_register-Offset_DB_No. = start_register- word_No. =

Data Block DB = (base-DB-Number xxxxx +

= (800 + 0) = 800 ;
Data Word DBW = (start_register-word_No. ∗ 2)

= (384 ∗ 2) = 768 ;
Further Examples For further access examples please, refer to FC 03.
8.7 Function Code 08 - Loop Back Diagnostic Test

A5E00218418-04
Function Codes
Function This function serves to check the communications connection.
It does not effect the S7 CPU, nor the user programs, nor user data. The
received message is independently returned to the master system by the
driver.
Request Message ADDR FUNC Diagnostic Code (High, Low) Test Data CRC
Reply Message ADDR FUNC Diagnostic Code (High, Low) Test Data CRC
Diagnostic Code Only Diagnostic Code 0000 is supported.
Test Data Any value (16 bit).
Application Request Message FUNCTION 08:

Example
00H Diagnostic Code “High”
00H Diagnostic Code “Low”
A5H Test Value “High”
C3H Test Value “Low”

00H Diagnostic Code “High”
00H Diagnostic Code “Low”
A5H Test Value “High”
C3H Test Value “Low”

A5E00218418-04
Function Codes
8.8 Function Code 15 - Force Multiple Coils
Function This function enables the MODBUS master system to write several bits in the
SIMATIC memory areas listed below.
Request Message
ADDR FUNC start_address quantity byte_count n n-DATA CRC
Reply Message ADDR FUNC start_address quantity CRC

follows:
The driver checks if “start_address” is located within one of the areas which
were entered in the dialog box “Conversion of MODBUS Addressing for
FC 01, 05, 15” during parameter assignment (from / to : memory bits, outputs,
timers, counters).

start_address accessed
is located in area
from aaaaa to bbbbb commencing M uuuuu.0
at memory
bit
from ccccc to ddddd commencing Q ooooo.0
at output

follows:

beginning with
SIMATIC

When accessing SIMATIC areas “memory bits” and “outputs,” the remaining
Rest Bit_Number is calculated and used to address the relevant bit within the
memory or output byte.
Access to SIMATIC areas timers and counters is not permitted with function
code FC 15 and is rejected by the driver with an error message.

A5E00218418-04
Function Codes
Quantity Any value between 1 and 2040 is permitted as the quantity (amount of bits).
Note:
Interface.”
DATA Bit status (any values) are contained in the DATA field.

Example

at memory
bit
from 2048 to 2559 commencing Q 256.0
at output
Action:
The MODBUS master system wants to write the following bit status on to
memory bits M 1144.0 ... M 1144.7 and M 1145.0 ... M 1145.3:
Memory bit 7 6 5 4 3 2 1 0 Bit

M 1144 ON ON OFF OFF ON ON OFF ON
Memory bit 7 6 5 4 3 2 1 0 Bit

M 1145 - - - - ON OFF OFF ON

0FH Function Code FUNC
80H start_address “Low” (M 1144.0 ... )
00H Quantity “High”
0CH Quantity “Low” (12 Bits)
02H bytecount
CDH Status coil (M 1144.0 ... M 1144.7)
09H Status coil (M 1145.0 ... M 1145.3)
0FH Function Code FUNC
0CH Quantity “Low”

A5E00218418-04
Function Codes
The Modbus address “coil_address” 0480 Hex (1152 decimal) is located in the
“memory bit” area:

= ((1152 - 0) / 8) + 1000
= 1144 ;
The remaining Rest Bit_Number results in:
Rest Bit_No. = ((start_address - aaaaa) % 8) [Modulo 8]

= ((1152 - 0) % 8)
= 0;
Access is made to memory bits commencing at M 1144.0.
Further Examples For further access examples to memory bits and outputs, please refer to
FC 01.

A5E00218418-04
Function Codes
8.9 Function Code 16 - Preset Multiple Registers
Function This function code enables the MODBUS master system to write several data
words in a data block of the SIMATIC CPU.
Request Message ADDR FUNC start_register quantity byte_count n n-DATA (High, Low) CRC
Reply Message ADDR FUNC start_register quantity CRC

follows:
15 9 8 7 0 Bit
start_register offset_DB_No. start_register word No.
For further address generation, the driver uses the “base DB number”
(commencing at DB xxxxx) entered in the dialog box
“Conversion of MODBUS Addressing for FC 03, 06, 16” during parameter
assignment.
steps as follows:

SIMATIC
Data block DB = (Base DB Number xxxxx +
Calculation Providing the resulting DB to be written to is known, the Modbus address

start_register = ((resulting DB - base-DB-number) ∗ 512) +

(data word_DBW / 2)

A5E00218418-04
Function Codes
Quantity Any value between 1 and 127 is permitted as the quantity (amount of
registers). Please follow the following rule:
(Quantity)max = 512 - start_register
Note:
Interface.”
DATA (High, Low) Any value can be used as DATA (High, Low) (register value).

Example

0 from data block DB 800
(base DB Number)
Action:
The MODBUS master system wants to write values CD09 Hex, DE1A Hex,
EF2B Hex to data words DBW 100, DBW 102, DBW 104 of DB 800.

03H Quantity “Low” (3 registers)
06H bytecount
CDH Register Value -High (DBW100)
09H Register Value -Low
DEH Register Value -High (DBW102)
1AH Register Value -Low
EFH Register Value -High (DBW104)
2BH Register Value -Low
32H start_register “Low”
03H Quantity “Low” (3 registers)

A5E00218418-04
Function Codes
The Modbus Address “start_register” 0032 Hex (50 decimal) is interpreted:
15 9 8 7 0 Bit
0 0 0 0 0 0 0 0 0 0 1 1 0 0 1 0
start_register offset_DB_No. = start_register word No. =

Data Block DB = (base DB number xxxxx +

(resulting DB) start_register-offset_DB_No.)
= (800 + 0) = 800 ;
Data Word DBW = (start_register word_No. ∗ 2)

= (50 ∗ 2) = 100 ;
Access is made to DB 800, data word DBW 100 .
Further Examples For further access examples, please refer to FC 03.

A5E00218418-04
Function Codes

A5E00218418-04
Diagnostics of the Driver
9 Diagnostics of the Driver
Diagnostic The diagnostic functions of the CP enable you to locate occurred errors
Functions quickly. The following diagnostics facilities are available:
• Diagnostics via display elements of the CP
• Diagnostics via the STATUS output of the function blocks
• Diagnostics via error message area SYSTAT (CP 441-2 only)
• Diagnostic buffer of the CP
Display Elements The display elements provide information on the operating status and/or a
(LED) possible error status of the CP. The display elements give a first overview of
internal or external errors, as well as interface-specific errors.
STATUS Output of Each function block / system function block has a STATUS output for error
FBs / SFBs diagnostics purposes. Reading this STATUS output enables the user to obtain
information on errors which occurred during communication. The STATUS
parameter can be evaluated in the user program.
Error Message The error message area SYSTAT is a storage area on the CP where all errors
Area SYSTAT / events recognized by the CP are entered in detail. You can read the SYSTAT
(CP 441-2 only) area by programming the system function block STATUS in the user program.
Diagnostic Buffer All errors / events described in Section 9.3 are also entered in the diagnostic
of the CP buffer of the CP. The manual for the CP describes how you can read the
diagnostic buffer.

A5E00218418-04
9.1 Diagnostic Facilities on the CP 341
9.1.1 Diagnostics via Display Elements of the CP 341
Introduction The display elements of the CP 341 provide information on the CP 341. The
following different display functions are available:
• Group Error Displays
- SF (red) Error occurred or new parameters assigned
• Special Displays
- TXD (green) Send active; lights up when the CP 341 sends user
data via the interface
- RXD (green) Receive active; lights up when the CP 341 receives
user data via the interface
Group Error The group error display SF always lights up after mains-on and goes out after
Display SF initialization is complete. If parameter assignment data were created for the
CP 341, the SF LED lights up again briefly when new parameters are
assigned.
The group error display SF lights up, when the following errors have occurred:
• Hardware error
• Firmware error
• Parameter assignment error
• BREAK (Receiving line between CP 341 and communication partner is

interrupted.)

A5E00218418-04
9.1.2 Diagnostic Messages of the Function Blocks of the CP 341
Introduction Each function block has a STATUS parameter for error diagnostics purposes.
Each STATUS message number has the same meaning, independent of the
system function block used.
Event Class / The following figure shows the structure of the STATUS parameter.
Event Number
Numbering
Scheme
Bit No. 15 13 12 8 7 0
STATUS
Reserve Event Class Event Number
(Error Number)
The individual errors / events are listed in Section 9.3

A5E00218418-04
9.2 Diagnostic Facilities on the CP 441-2
9.2.1 Diagnostics via Display Elements of the CP 441-2
Display Functions The display elements of the CP 441-2 provide information on the CP 441-2.
The following different display functions are available:
• Group Error Displays

- INTF Internal error
- EXTF External error
• Special Displays
- TXD BSEND job for this interface is being processed on the CP
- RXD Received data of this interface are being transferred by the CP to
the CPU
• Interface Error Displays

FAULT Interface error
Error Messages of The following table describes the error messages of the display elements.
Display Elements
Error Display Error Description Remedy
INTF lit CP reports an internal error; Program the SFB STATUS
for example, hardware or for detailed information.
software error.
EXTF lit CP 441-2 reports an Program the SFB STATUS
external error; for example, for detailed information.
BREAK on receiving line
FAULT off Interface ready, or interface -
submodule not plugged in
FAULT blinking Interface is initialized and Check general configuration
slowly ready, but no and data link project
communication possible via configuration
S7-400 backplane bus.
FAULT blinking Parameter incorrect or Check parameter setting in
fast wrong and/or faulty parameter assignment
interface submodule interface and/or interface
plugged in (submodule and submodule.
interface parameters do not
match).
FAULT lit No interface parameters Carry out parameter
available or substantial assignment with parameter
error in submodule assignment tool and/or
(hardware). check interface submodule.

A5E00218418-04
9.2.2 Diagnostic Messages of the System Function Blocks of the CP 441-2
Introduction Each system function block has a STATUS parameter for error diagnostics
purposes. Each STATUS message number has the same meaning,
independent of the system function block used. The STATUS messages
which are most important for the CP are described in the table below. You will
find a complete and current description of the STATUS messages in the
reference manual “System Software for S7-300/400, System and Standard
Functions.”
Messages at
STATUS Output of STATUS Error Description
SFB
0 no error
1 Communications problems between CP and CPU.
2 Negative acknowledgment, function cannot be executed
(for example, link partner does not respond or sends negative
acknowledgment).
3 R-ID not known in this communications link, device not available.
4 Number of data areas or individual data types do not match.
5 Reset request received.
6 Remote block is in disabled state.
7 Remote partner in incorrect state.
8 Access to remote object denied, access error occurred in server
(GET/PUT).
9 Overrun warning (ERROR=0): receive data were overwritten with
newer data.
10 Access to local user memory not possible (for example, DB
deleted).
11 Warning (ERROR=0): new job ineffective, because previous job
not yet completed.
12 Instance is incompatible with system call; no instance, but normal
DB was called.
13 Error in format description.
14 The referenced data link (application-related) does not exist, ID
not known (you must specify the local ID from the data link project
configuration).
15 Data link referenced via ID is generated.
16 Data link cannot be generated due to lack of resources.
Displaying and The STATUS output of the system function blocks can be displayed and
Evaluating evaluated by means of the STEP 7 variable table.
STATUS Output

A5E00218418-04
Note:
Reading the SYSTAT area with the STATUS job will provide you with detailed
information on errors / events which have occurred during communication
between the CP, the associated CPU, and the connected link partner.
9.2.3 Reading Error Message Area SYSTAT for CP 441-2
Reading by The error message area SYSTAT is already read by the MODBUS
Communications Communications FB.
FB
The FB reads the SYSTAT area cyclically and stores the data in the instance
DB commencing at DBW 40.
(See also Chapter “Commissioning the Communications FB.”
Note:
Due to the fact that the STATUS job runs asynchronously to the other jobs on
a link, it is not possible to allocate an SFB with a specific R_ID. This means
that even though it is possible to display which errors occurred on the data
link, it is impossible to ascertain which SFB call caused them.
9.2.4 Diagnostics via Error Message Area SYSTAT of the CP 441-2
Introduction The error message area SYSTAT is a data area of CP 441 where all errors /
events recognized by the CP are entered in detail. The SYSTAT area
comprises six events for each interface, as well as information on the
operating state of the CP and the state of the SYSTAT area.
Structure of The first six errors / events recognized by the CP are entered into the SYSTAT
SYSTAT Area area. Further errors / events can only be entered once the SYSTAT area has
been deleted.

A5E00218418-04
The errors / events are entered in the parameter LOCAL as follows:

• Byte 0 operating state of CP
(02H for RUN, 05H for defective)
• Byte 1 reserved
• Byte 2 Bit 0 - F Error entered in SYSTAT
Bit 1 - U Error overflow
Bit 2 - B BREAK
• Byte 3 reserved
• Byte 4/5 Event 1
Deleting the After the SYSTAT area has been read with SFB STATUS, all SYSTAT
SYSTAT Area messages are automatically deleted.
Numbering The numbering scheme for the events in the SYSTAT area is structured as
Scheme follows:
Bit No. 15 13 12 8 7 0
Reserved Event Class Event Number / Error Number
An exact breakdown of event classes and event numbers can be found in the
following chapters and in the manual CP 441-2: Point-to-Point
Communication.
Note:
In contrast to standard drivers, the event classes / event numbers for the
SYSTAT area are partly modified for use with loadable drivers.
The following sections describe all modified event classes / event
numbers in their driver-specific meaning.
Unless an event is mentioned in this manual, you can assume it corresponds
to the standard data links, and it will be described in the CP 441-2 manual.

A5E00218418-04
9.3 Table of Errors / Events
Event Classes The following event classes are defined:
Event Description described in

Class
1 Hardware error on CP CP Manual
2 Error during initialization CP Manual
3 Error during parameter assignment of CP Manual
PBK
4 Errors in CP - CPU data traffic CP Manual
recognized by CP
5 Error during processing of a CPU job CP Manual, Driver Manual
6 Error during processing of a partner CP Manual
job
7 Send error CP Manual
8 Receive error Driver Manual
9 Error message received from link not used
partner
10 Errors recognized by CP in reply not used
message from partner
14 General processing errors of loadable Driver Manual
driver

A5E00218418-04
9.3.1 Error Codes in SYSTAT for “CPU Job Errors”
Event Class 5 (05H)

“CPU Job Errors”
Event Event Event Text Remedy
Class / Number
Number (Decimal)
(Hex)
05 18H 24 Transmission length during transmission is Check communications FB,

too large (> 4 Kbytes), or possibly reload.
transmission length for SEND is too small.
9.3.2 Error Codes in SYSTAT for “Receive Errors”
Event Class 8 (08H)

“Receive Errors”
Class / Number
Number (Decimal)
(Hex)
08 06H 6 Character delay time (ZVZ) exceeded Eliminate error in partner

device or interference on the
transmission line.
08 0CH 12 Transmission error (parity error, overflow Check for interference which
error, stop bit error (frame)) recognized in a could influence the
character. transmission line.
If required, change system
structure and/or cable laying.
Check whether the protocol
parameters transmission rate,
amount of data bits, parity,
amount of stop bits have the
same settings for the CP and
the link partner.
08 0DH 13 BREAK Establish connection between
the devices or switch on
Receiving line to partner device is
partner device.
interrupted.
For use with TTY operation,
check line current at idle state.
For use with an RS422/485
(X27) connection, check and, if
required, change the connector
pin assignment of the 2-wire
receiving line R(A),R(B).

A5E00218418-04
Event Class 8 (08H)

“Receive Errors”
Class / Number
Number (Decimal)
(Hex)
08 30H 48 Broadcast not allowed with this function code. The Modbus master system is
allowed to use Broadcast only
for the function codes enabled
for this purpose.
08 31H 49 Received function code not allowed. This function code cannot be
used for this driver.
08 32H 50 Maximum amount of bits or registers Limit maximum amount of bits
exceeded, to 2040, maximum amount of
or amount of bits cannot be divided by 16 registers to 127. Access to
when accessing SIMATIC memory areas SIMATIC timers / counters only
timers or counters. in 16 bit intervals.
08 33H 51 Amount of bits or registers for function codes Correct amount of bits /
FC 15/16 and message element byte_count registers or byte_count.
do not match.
08 34H 52 Illegal bit coding recognized for “set bit / reset Only use codings 0000Hex or
bit.” FF00Hex for FC05.
08 35H 53 Illegal diagnostic subcode (≠ 0000Hex) Only use subcode 0000Hex for
recognized for function code FC 08 “Loop FC08.
Back Test.”
08 36H 54 The internally-generated value of the CRC 16 Check CRC checksum
checksum does not match the received CRC generation by Modbus master
checksum. system.
08 37H 55 Message sequence error: Increase the timeout to the
The Modbus master system sent a new slave reply message for the
request message before the last reply Modbus master system.
message was transferred by the driver.

A5E00218418-04
9.3.3 Error Codes in SYSTAT for “General Processing Errors”
Event Class 14 (0EH)

“Loadable Driver - General Processing Errors”
Class / Number
Number (Decimal)
(Hex)
0E 01H 1 Error during initialization of the driver-specific Reassign parameters of driver

SCC process and reload.
0E 02H 2 Error during startup of driver: Reassign parameters of driver
Wrong SCC process active (SCC driver). and reload.
The driver cannot function with this SCC
driver.
0E 03H 3 Error during startup of driver: Reassign parameters of driver
Wrong data transfer process active (interface and reload.
to SFBs).
The driver cannot function with this data
transfer process.
0E 04H 4 Error during startup of driver: Check and correct parameter
Illegal interface submodule. assignment.
The driver cannot run with the parameterized
interface submodule.
0E 05H 5 Error with driver dongle: Check if a driver dongle is
No dongle plugged in, or inserted dongle is plugged into the CP.
faulty. If the inserted dongle is faulty,
The driver is not ready to run. replace it with a correct dongle.
0E 06H 6 Error with driver dongle: Obtain a correct dongle from
The dongle has no valid contents. the Siemens office which
The driver is not ready to run. supplied you with the driver.
: :
0E 10H 16 Internal error procedure: default branch in Restart CP (Mains_ON)
Send automatic device.
0E 11H 17 Internal error procedure: default branch in Restart CP (Mains_ON)
Receive automatic device.
0E 12H 18 Internal error active automatic device: default Restart CP (Mains_ON)
branch.
0E 13H 19 Internal error passive automatic device: Restart CP (Mains_ON)
default branch.

A5E00218418-04

“Loadable Driver - General Processing Errors <Parameter Assignment>”
Event Event No Event Text Remedy
Class / (Decimal)
Number
(Hex)
0E 20H 32 For this data link the amount of data bits Correct parameter assignment
must be set to 8. of the driver.
The driver is not ready to run.
0E 21H 33 The multiplication factor set for the character Correct parameter assignment
delay time is not within the range of 1 to 10. of the driver.
The driver is operating with a standard setting
of 1 .
0E 22H 34 The operating mode set for the driver is Correct parameter assignment
illegal. “Normal” or “Interference of the driver.
Suppression” must be specified.
0E 23H 35 An illegal value has been set for the slave Correct parameter assignment
address. Slave address 0 is not allowed. of the driver.
0E 24H 36 Illegal limitations have been set for write Correct parameter assignment
access. of the driver.
0E 25H 37 An illegal “from/to” combination has been set Correct parameter assignment
for the input of areas “Conversion of Modbus of the driver.
Addressing for FC 01,05,15.”
(Areas memory bits, outputs, timers,
counters). The driver is not ready to run.
0E 26H 38 An illegal “from/to” combination has been set Correct parameter assignment
for the input of areas “Conversion of Modbus of the driver.
Addressing for FC 02.”
(Areas memory bits / inputs).
0E 27H 39 An overlap has been set for the “from/to” Correct parameter assignment
combination for the input of areas of the driver.
“Conversion of Modbus Addressing for
FC 01,05,15.”
(Areas memory bits, outputs, timers,
counters). The driver is not ready to run.
0E 28H 40 An overlap has been set for the “from/to” Correct parameter assignment
combination for the input of areas of the driver.
“Conversion of Modbus Addressing for
FC 02.” (Areas memory bits, inputs).
0E 2EH 46 An error occurred when reading the interface Restart CP (Mains_ON).
parameter file.

A5E00218418-04

“Loadable Driver - General Processing Errors <CPU-CP>”
Event Event No Event Text Remedy
Class / (Decimal)
Number
(Hex)
0E 30H 48 Internal error during data transfer to CPU: Can be ignored if it happens
Unexpected acknowledgment Passive. intermittently.
0E 31H 49 Timeout during data transfer to CPU. Check CP-CPU interface.
0E 32H 50 Error occurred during data transfer to CPU Check CP-CPU interface.
with RCV:
Exact failure reason (detailed error) is in
SYSTAT before this entry.
0E 33H 51 Internal error during data transfer to CPU: Check CP-CPU interface.
Illegal status of automatic device.
: :
0E 38H 56 Error occurred when accessing one of the Check if the addressed
SIMATIC areas “memory bits, outputs, SIMATIC area exists and
timers, counters, inputs” with function codes whether an attempt was made
FC 01 or FC 02: to access in excess of range
for example, input does not exist, or read end.
attempt in excess of range end.
0E 39H 57 Error occurred when accessing SIMATIC Check if the addressed data
area “data block” with function codes FC 03, block exists and that it is
04, 06, 16: sufficiently long.
Data block does not exist or is too short.
0E 3AH 58 Error occurred when executing a write job Check if instance DB
with function codes FC 05, 15: parameterized on the Modbus
Instance data block of Modbus FB does not communications FB exists and
exist or is too short. that it is sufficiently long.
0E 3BH 59 Timeout during execution of a write job by Check project configuration of
Modbus communications FB. data link and CP-CPU interface
(SFB SEND): possibly reload
Modbus communications FB.
0E 3CH 60 Illegal job with this driver. Only SFB BSEND, BRCV,
STATUS (CP 441-2 only) are
permitted.

A5E00218418-04

“Loadable Driver - General Processing Errors <Receive Evaluation>”
Event Event Event Remedy
Class / Number
Number (Decimal)
(Hex)
0E 50H 80 The rest bit number resulting from the Only use Modbus addresses
Modbus address is ≠ 0 for the word- which result in valid bit
orientated SIMATIC areas timers / counters. numbers.
0E 51H 81 The received Modbus address is outside the Only use addresses as the
parameterized “from/to” areas. (see section address specification in the
“Assigning Parameters to the Loadable request message, which have
Driver”). previously been defined during
parameter assignment.
0E 52H 82 SIMATIC range limitation exceeded during Limit access range to valid
access attempt by Modbus master system: SIMATIC memory areas.
Resulting DB number < 1, or
write access to an area which has not been
enabled (parameter assignment), or
write access to instance DB of the
communications FB.
0E 53H 83 SIMATIC range limitation exceeded during Limit access range to valid
access attempt by Modbus master system, SIMATIC memory areas.
for example, overflow when generating the
resulting DB number (> 65535).
0E 54H 84 Access in excess of parameterized range Limit access range to valid
end, or access in excess of SIMATIC range SIMATIC memory areas.
end.
0E 55H 85 Write access to this SIMATIC memory area Carry out write access only to
is not allowed. SIMATIC data areas memory
bits, outputs.
0E 56H 86 Data link operation not possible because Make cyclic call of Modbus
communications FB not running. communications FB in STEP 7
user program.
If required, re-initialize
communications FB.
0E 57H 87 Error occurred in communications FB during Analyze exact reason as
processing of the Modbus function code. described in Chapter
“Diagnostics of the
Communications FB.”

A5E00218418-04
Diagnostics of the Communications FB
10 Diagnostics of the Communications FB
Diagnostic The Modbus communications FB has the following two output parameters,
Functions which indicate occurred errors:
• Parameter “ERROR_NR”
• Parameter “ERROR_INFO”
ERROR_NR, Occurred errors are indicated at the ERROR_NR output.

ERROR_INFO
Further details on the error in ERROR_NR are displayed at the output
ERROR_INFO.
Deleting the Errors The errors are deleted with a rising edge at CP_START.
The error displays may be deleted by the user at any time, if required.
10.1 Diagnostics via Parameters ERROR_NR, ERROR_INFO
ERROR_No 1...9 Error during Initialization FB and CP

Error numbers 1...9 indicate initialization with error. Parameter
CP_START_ERROR is 1.
MODBUS communication to the master system is not possible.
ERROR_No 10...19 Error during Processing of a Function Code

Error numbers 10...19 indicate an error during processing of a function code.
The CP transmitted an illegal processing job to the communications FB.
The error is also reported to the driver.
Subsequent processing jobs continue to be processed.
ERROR_No 90...99 Other Errors

A processing error has occurred.
The error is not reported to the driver.
Subsequent processing jobs continue to be processed.

A5E00218418-04
10.1.1 Errors during “Initialization”
“Errors during Initialization”

ERROR_ ERROR_INFO Error Text Remedy
No
(decimal)
0 0 no error
1 SFC51->RET_VAL Error when reading SZL with SFC51. Analyze RET_VAL in
ERROR_INFO, eliminate
cause.
2 SFB12->STATUS, Timeout when initializing CP or Check if protocol “MODBUS
SFB22->STATUS error when initializing CP (Error in Slave” has had parameters
BSEND job). assigned on this interface.
Check whether the “ID”
specified on the
communications FB is correct.
Analyze ERROR_INFO.
10.1.2 Errors during “Processing of Function Codes”
“Errors during Processing of Function Codes”

No
(decimal)
10 Processing Code Illegal processing function Restart CP (Mains_ON)
transferred by the driver to the
communications FB.
11 Start Address Illegal start address transferred by Check Modbus address of
the driver to communications FB. Modbus master system.
12 Amount of Illegal amount of registers Check amount of registers of
Registers transferred by the driver to Modbus master system,
communications FB: if required restart CP
Amount of registers = 0. (Mains_ON)
13 Amount of Illegal amount of registers Check amount of registers of
Registers transferred by the driver to Modbus master system,
communications FB: if required restart CP
Amount of registers > 128. (Mains_ON)
14 Memory bits M - Attempted access to SIMATIC Reduce Modbus start address
End Address memory area “memory bits” in and/or access length in
excess of range end. Modbus master system.
Attention:
Range length in SIMATIC CPU is
CPU type-dependent.

A5E00218418-04
“Errors during Processing of Function Codes”

No
(decimal)
15 Outputs Q - End Attempted access to SIMATIC Reduce Modbus start address
Address memory area “outputs” in excess of and/or access length in
range end. Modbus master system.
Attention:
CPU type-dependent.
16 Timers T - End Attempted access to SIMATIC Reduce Modbus start address
Address memory area “timers” in excess of and/or access length in
Attention:
CPU type-dependent.
17 Counters C - End Attempted access to SIMATIC Reduce Modbus start address
Address memory area “counters” in excess of and/or access length in
Attention:
CPU type-dependent.
18 0 Illegal SIMATIC memory area If required, restart CP
transferred by the driver to (Mains_ON)
communications FB.
19 Error during access to SIMATIC Check if required I/Os exist
I/Os. and are error-free.
10.1.3 “Other” Errors
“Other Errors”
No
(decimal)
90 SFB12->STATUS Error during transmission of an Analyze STATUS information.
acknowledgment message to the
driver with SFB12 (BSEND).
91 SFB22->STATUS Error when reading SYSTAT with Analyze STATUS information.
SFB22 (STATUS).
92 FB7->STATUS Error when executing a Analyze FB7-STATUS
RECEIVE/FETCH call with FB7
(RCV_RK).

A5E00218418-04
Diagnostics of the Communications FC

A5E00218418-04
Technical Data
A Technical Data
Transmission The following tables contain measured transmission times for the different
Times function codes.
The times were measured using an S7-300 programmable controller with a

CPU 315-2 DP (6ES7315-2AF01-0AB0) and a CP 341, and an S7-400
programmable controller as the partner device with a CPU 414 (6ES7414-
1XG01-0AB0) and a CP 441-2. In each case the processing time was
measured
• from the initiation of the job in the user program, and included the
processing time on the master,
• the time taken for the job to be transmitted to the partner via the serial
interface,
• the time for processing on the slave,
• the time required for transmission of the acknowledgment on the
serial interface.
If you are using another device as a partner (master or slave), you must use
the times which correspond to that device for either the master or the slave,
instead of the times in the table. The times for the job and acknowledgment
remain the same; they are only dependent on the transmission rate used.
Slave is CP 341 Function Code 1 (Read) – Read Coil (Output) Status (Times in msec.)
Transmission 300
Rate (bps)
Master Job Slave Acknowl-

edgment
User Data CP 441-2 CP 341
1 Byte 229 257 179 184
10 Bytes 229 257 179 514
20 Bytes 229 257 180 882
50 Bytes 232 257 182 1986
100 Bytes 236 257 192 3824
200 Bytes 243 257 208 7501
255 Bytes 251 257 214 9487
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, S7 is Slave A-1

A5E00218418-04
Technical Data
Transmission 9600
Rate (bps)

edgment
1 Byte 74 8 18 6
10 Bytes 75 8 19 16
20 Bytes 77 8 19 27
50 Bytes 83 8 62 62
100 Bytes 90 8 119 119
200 Bytes 92 8 235 235
255 Bytes 95 8 296 296
Transmission 76800
Rate (bps)

edgment
1 Byte 73 1 13 1
10 Bytes 74 1 13 2
20 Bytes 76 1 13 3
50 Bytes 86 1 20 8
100 Bytes 93 1 29 15
200 Bytes 95 1 45 29
255 Bytes 97 1 50 37

A5E00218418-04
Technical Data
Slave is CP 341 Function Code 15 (Write) – Force Multiple Coils (Time in msec.)
Transmission 300
Rate (bps)

edgment
1 Byte 205 331 199 257
10 Bytes 206 662 200 257
20 Bytes 206 1028 201 257
50 Bytes 208 2132 212 257
100 Bytes 211 3971 223 257
200 Bytes 217 7648 238 257
255 Bytes 221 9634 243 257
Transmission 9600
Rate (bps)

edgment
1 Byte 48 10 41 8
10 Bytes 48 20 41 8
20 Bytes 50 32 43 8
50 Bytes 52 67 48 8
100 Bytes 55 124 56 8
200 Bytes 63 239 74 8
255 Bytes 67 301 88 8

A5E00218418-04
Technical Data
Transmission 76800
Rate (bps)

edgment
1 Byte 58 1 40 1
10 Bytes 61 3 43 1
20 Bytes 62 4 43 1
50 Bytes 63 8 44 1
100 Bytes 64 15 50 1
200 Bytes 66 30 69 1
255 Bytes 68 38 85 1
Slave is CP 441-2 Function Code 1 (Read) – Read Coil (Output) Status (Times in msec.)
Transmission 300
Rate (bps)

edgment
User Data CP 341 CP 441-2
1 Byte 236 257 188 184
10 Bytes 236 257 190 515
20 Bytes 238 257 190 882
50 Bytes 244 257 193 1986
100 Bytes 280 257 199 3824
200 Bytes 286 257 207 7502
255 Bytes 288 257 216 9487

A5E00218418-04
Technical Data
Transmission 9600
Rate (bps)

edgment
1 Byte 33 8 40 6
10 Bytes 33 8 43 16
20 Bytes 35 8 44 28
50 Bytes 42 8 45 62
100 Bytes 56 8 56 120
200 Bytes 75 8 64 235
255 Bytes 82 8 77 296
Transmission 76800
Rate (bps)

edgment
1 Byte 35 1 23 1
10 Bytes 36 1 25 2
20 Bytes 37 1 26 3
50 Bytes 46 1 27 8
100 Bytes 61 1 30 15
200 Bytes 82 1 39 29
255 Bytes 92 1 48 37

A5E00218418-04
Technical Data
Slave is CP 441 Function Code 15 (Write) – Force Multiple Coils (Time in msec.)
Transmission 300
Rate (bps)

edgment
1 Byte 225 331 223 257
10 Bytes 227 662 224 257
20 Bytes 227 1030 228 257
50 Bytes 227 2132 232 257
100 Bytes 229 3971 236 257
200 Bytes 230 7648 243 257
255 Bytes 237 9634 255 257
Transmission 9600
Rate (bps)

edgment
1 Byte 64 11 62 8
10 Bytes 64 21 63 8
20 Bytes 69 32 64 8
50 Bytes 69 67 68 8
100 Bytes 72 124 70 8
200 Bytes 75 239 76 8
255 Bytes 75 301 86 8

A5E00218418-04
Technical Data
Transmission 76800
Rate (bps)

edgment
1 Byte 60 1 56 1
10 Bytes 60 3 58 1
20 Bytes 62 4 58 1
50 Bytes 64 9 60 1
100 Bytes 67 16 67 1
200 Bytes 72 30 77 1
255 Bytes 77 38 84 1
Memory The following table displays the memory requirements of the function blocks of
Requirements the CP 341 (FB80) and CP 441 (FB180) in bytes. The memory requirements
of the FBs 7 and 8 can be found in the manual for the CP 341.
Block Name Version Loading Work Local

Memory Memory Data
FB 80 MODB_341 1.0 2770 2034 104
FB 180 MODB_441 1.0 2982 2360 102

A5E00218418-04
Technical Data

A5E00218418-04
Wiring Diagrams Multipoint
B Wiring Diagrams Multipoint
Wiring diagram RS422 multipoint (MODBUS Multipoint)
Sender Receiver
MODBUS Master
e.g.: CP341 or CP441-2
2 9 4 11
T(A)- T(B)+ R(A)- R(B)+
Connector
330 Ω
330 Ω
Slave (non-Siemens) Slave (non-Siemens) Slave (non-Siemens)
Caution
In the RS422 mode CP341 and CP441-2 can only be used as a Master“ because
you can switch your receive lines to “Tri State“!
Wiring diagram RS485 multipoint (MODBUS Multipoint)
Sender Receiver
MODBUS Master
e.g.: CP341 or CP441-2
4 11
Connector
R(A)- R(B)+
330 Ω
330 Ω
4 11
R(A)- R(B)+
Slave (non-Siemens) Slave (non-Siemens) Slave (CP341 or CP441-2)
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, S7 is Slave B-1

A5E00218418-04
Wiring Diagrams Multipoint
The following applies for both modules:
• GND (PIN 8 by CP341 / CP441-2) must always be connected on both sides
• The casing shield must be installed everywhere
• A terminating resistor of approx. 330 Ω is to be soldered into the connector on the last receiver
of a node sequence
• Recommended cable type: LIYCY 3 x 2 x 0,14 R(A)/R(B) and T(A)/T(B) twisted pairs
• A wiring with “Stub“ is not allowed
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, S7 is Slave B-2

A5E00218418-04
Literature List
C Literature List
Modbus Protocol /1/ Gould Modbus Protocol

Reference Guide
PI-MBUS-300 Rev B
GOULD Electronics
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, S7 is Slave C-1

A5E00218418-04
Literature List
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, S7 is Slave C-2

A5E00218418-04
Glossary
Address The address identifies a physical storage location and enables the user
to directly access the operand stored there.
B
Block Blocks are elements of the user program which are defined by their
function, structure, or purpose. With STEP 7 there are
_ Code blocks (FB, FC, OB, SFB, SFC)
_ Data blocks (DB, SDB)
_ User-defined data types (UDT).
Block Call A block call occurs when program processing branches to the called
block.
Block Parameter Block parameters are wildcards within multiple-use blocks, which are
replaced with current values when the relevant block is called.
C
Communications Communications processors are modules for point-to-point connections

Processor and bus connections.
Configuration The configuration is the setup of individual modules of the PLC in the
configuration table.
CPU Central processing unit of the S7 programmable controller with control

and arithmetic unit, memory, operating system, and interfaces to I/O
modules.
CRC Cyclic Redundancy Check = checksum with a guaranteed accuracy of

error recognition.
Cycle Time The cycle time is the time the CPU needs to scan the user program
once.
Cyclic Program In cyclic program processing, the user program is executed in a

Processing constantly-repeating program loop, called a cycle.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, S7 is Slave Clossary-1

A5E00218418-04
Glossary
Data Block (DB) These are blocks containing data and parameters with which the user
program works. Unlike all other blocks, data blocks do not contain
instructions. They are subdivided into global data blocks and instance
data blocks. The data held in the data blocks can be accessed
absolutely or symbolically. Complex data can be stored in structured
form.
Data Type Data types allow the user to define how the value of a variable or
constant is to be used in the user program. They are subdivided into
elementary and structured data types.
Default Setting The default setting is a practical basic setting which is always used if no
other value is specified.
Diagnostic Buffer Every CPU has a diagnostic buffer, in which detailed information on
diagnostic events is stored in the order in which they occur.
Diagnostic Events Diagnostic events are, for example, errors on a module or system errors
in the CPU, which may be caused by a program error or by operating
mode transitions.
Diagnostic Functions The diagnostic functions cover the entire system diagnosis and include
detection, analysis, and reporting of errors within the PLC.
Download Downloading means loading load objects (for example, code blocks)
from the programming device into the load memory of the CPU.
F
Function Block (FB) Function blocks are components of the user program and, in
accordance with the IEC standard, are “blocks with memory.” The
memory for the function block is an assigned data block of the “instance
data block.” Function blocks can be assigned parameters, or they can
be used without parameters.
H
Hardware Hardware is the term given to all the physical and technical equipment of
a PLC.
I
Instance Data Block An instance data block is a block assigned to a function block and
contains data for this particular function block.
Interface Submodule The CP 441-2 interface submodule is responsible for the physical
conversion of signals. By changing the interface submodule, you can
make the communications processor compatible with the
communications partner.

A5E00218418-04
Glossary
Interrupt An interrupt occurs when program processing in the processor of a PLC

is interrupted by an external alarm.
M
Module Modules are pluggable printed circuit boards for programmable

controllers.
Module Parameter Module parameters are used to set the module reactions. A distinction is
made between static and dynamic module parameters.
O
Online / Offline Online means that a data circuit exists between PLC and programming
device. Offline means that no such data circuit exists.
Online Help STEP 7 allows you to display contextual help texts on the screen while
working with the programming software.
Operand An operand is part of a STEP 7 instruction and states with what the
processor is to do something. It can be both absolutely and symbolically
addressed.
Operating Mode The SIMATIC S7 programmable controllers have three different

operating modes: STOP, RESTART and RUN. The functionality of the
CPUs varies in the individual operating modes.
Operating System of The operating system of the CPU organizes all functions and operations
the CPU of the CPU which are not connected to a specific control task.
Parameter Parameters are values that can be assigned. A distinction is made

between block parameters and module parameters.
Parameter Assignment Parameter assignment means setting the behavior of a module.
Parameter Assignment The CP: Point-to-Point Communication, Parameter Assignment Tool is

Tool CP: used to assign parameters to the interface submodule of the
Point-to-Point communications processor and to set the driver-specific parameters.
Communication, The standard range is expanded for each loadable driver.
Parameter Assignment
Point-to-Point In a point-to-point connection the communications processor forms the

Connection interface between a PLC and a communications partner.
Procedure The execution of a data interchange operation according to a specific

protocol is called a procedure.

A5E00218418-04
Glossary
Process Image The process image is a special memory area in the PLC. At the
beginning of the cyclic program, the signal states of the input modules
are transferred to the process image input table. At the end of the cyclic
program, the process image output table is transferred to the output
modules as signal state.
Programmable Programmable controllers (PLCs) are electronic control devices

Controller consisting of at least one central processing unit, various input / output
modules, and operator control and monitoring devices.
Project Configuration Project configuration of data link is the term given to the allocation of a
of Data Link Connection ID in the system function block. The Connection ID enables
the system function blocks to communicate between two communication
terminal points.
Protocol The communications partners involved in a data interchange must abide

by fixed rules for handling and implementing the data traffic. These rules
are called protocols.
R
Rack A rack is the rail containing slots for mounting modules.
RESTART On transition from the STOP to the RUN mode, the PLC goes through
the RESTART mode.
S
Software Software is the term given to all the programs used on a computer
system. These include the operating system and the user programs.
STEP 7 This is the programming software for SIMATIC S7 programmable

controllers.
System Block System blocks differ from the other blocks in that they are already
integrated into the S7-300/400 system and are available for already
defined system functions. They are subdivided into system data blocks,
system functions, and system function blocks.
System Function (SFC) System functions are modules without memory which are already
integrated into the operating system of the CPU and can be called up by
the user as required.
System Function Block System function blocks are modules with memory which are already
(SFB) integrated into the operating system of the CPU and can be called up by
the user as required.

A5E00218418-04
Glossary
Upload Uploading means loading load objects (for example, code blocks) from
the load memory of the CPU into the programming device.
User Program The user program contains all instructions and declarations for signal
processing, by means of which a system or a process can be controlled.
The user program for SIMATIC S7 is structured and is divided into
smaller units called blocks.
V
Variable A variable is an operand (for example, E 1.0) which can have a symbolic
name and can therefore also be addressed symbolically.
W
Work Memory The work memory is a RAM on the CPU which the processor accesses
while processing the user program.

A5E00218418-04
Glossary

A5E00218418-04
Index
Index
A L
Address representation ................................. 1-3 Loading memory............................................1-2
B M
Broadcast Message ...................................... 7-1 Memory bits ...................................................3-3
Message structure .........................................7-1
C
Multiplier ZVZ.................................................4-9
Character delay time ............................4-10, 7-2 Multipoint connection .....................................1-1
Communications FB....................... 5-8, 6-1, 9-6
N
Configuration of data link .............................. 4-7
Connection ID.........................................4-7, 6-2 Normal operation ...........................................4-9
Counter.......................................................... 3-3
O
CPU parameter assignment........................ 4-21
CRC............................................................... 7-2 Operating mode.............................................4-9
Outputs ..........................................................3-3
D
P
Data bits ........................................................ 4-8
Data block ..................................................... 3-3 Parameter assignment .......................... 4-4, 4-8
Data consistency ............................ 1-4, 6-2, 6-4 Parity..............................................................4-8
De-installation................................................ 4-2
Diagnostics R
Communications FB ................................ 10-1 Reaction times ..................................................8
Driver ......................................................... 9-1
Display elements (LED)................................. 9-1 S
Dongle ....................................................1-2, 2-1 Slave address ........................................ 4-9, 7-1
E Startup
Loading procedure ...................................4-21
Exception code.............................................. 7-3 Startup characteristics .................................4-21
F Stop bits.........................................................4-8
SYSTAT.......................................... 5-8, 9-1, 9-6
Function Block......................... 1-1, 3-1, 3-2, 5-2 Event class.................................................9-7
Function Code ......................... 1-1, 3-3, 7-2, 8-1 Event number.............................................9-7
FC-01........................................ 1-3, 4-11, 8-2
FC-02........................................ 1-3, 4-13, 8-5 T
FC-03........................................ 1-3, 4-15, 8-7 Timer .............................................................3-3
FC-04...................................... 1-3, 4-16, 8-10 Transmission errors............................. 4-9, 4-19
FC-05............................. 1-3, 4-11, 4-17, 8-13 Transmission rate ..........................................4-8
FC-06............................. 1-3, 4-15, 4-17, 8-15 Transmission times ...................................... A-1
FC-08....................................................... 8-17
FC-15............................. 1-3, 4-11, 4-17, 8-18
FC-16............................. 1-3, 4-15, 4-17, 8-21
I
Inputs............................................................. 3-3
Instance data block ........................ 3-1, 5-1, 5-5
Interface
RS422/485 (X27) ..................................... 4-18
Interface submodule
RS232C ..................................................... 1-1
RS422/485 (X27) ....................................... 1-1
TTY.....................................................1-1, 2-2
X27 ............................................................ 2-2
Interference suppression............................. 4-10
Loadable Driver CP441-2: MODBUS-Protocol, S7 is Slave Index-1

A5E00218418-04
Index
Loadable Driver CP441-2: MODBUS-Protocol, S7 is Slave Index-2

A5E00218418-04

CP 341 441-Slave

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CP 341 441-Slave

Uploaded by

Copyright:

Available Formats

Preface, Contents

Loadable Driver for Mode of Operation 3

Diagnostics of the Driver 9

Wiring Diagrams Multipoint B

This manual is part of the documentation

Copyright © Siemens AG 2003 All rights reserved Disclaimer of Liability

Purpose of the Manual

Required Basic Knowledge

Where is this Manual valid?

Product Order Number from Version

Loadable Driver for Point-to-Point CPs: MODBUS Protocol, S7 is Slave

Finding Your Way

Diagnostics of the Function BlockConventions

These modifications and expansions may apply in particular to event classes or

Loadable Driver for Point-to-Point CPs: MODBUS Protocol, S7 is Slave

Service & Support on the Internet

Loadable Driver for Point-to-Point CPs: MODBUS Protocol, S7 is Slave

A&D Technical Support

Johnson City Beijing

24 hours a day, 365 days a year

E-Mail: adsupport@ E-Mail: simatic.hotline@ E-Mail: adsupport.asia@

Loadable Driver for Point-to-Point CPs: MODBUS Protocol, S7 is Slave

1 Product Description 1-1

Loadable Driver for Point-to-Point CPs: MODBUS Protocol, S7 is Slave

5 Commissioning the Communications FB 5-1

8 Function Codes 8-1

Loadable Driver for Point-to-Point CPs: MODBUS Protocol, S7 is Slave

A Technical Data A-1

B Wiring Diagrams Multipoint B-1

C Literature List C-1

Loadable Driver for Point-to-Point CPs: MODBUS Protocol, S7 is Slave

Loadable Driver for Point-to-Point CPs: MODBUS Protocol, S7 is Slave

1.1 Application Possibilities

The transmission protocol used is the GOULD - MODBUS Protocol in RTU

You can use RS232C, TTY, or RS422/485 (X27) interface submodules as an

When using the RS422/485 (X27) interface in 2-wire operation, it is possible to

Creation of a multipoint connection with other types of physical interface

Loadable Driver for Point-to-Point CPs: MODBUS Protocol, S7 is Slave 1-1

1.2 Hardware and Software Requirements

Software An installed version of STEP 7 Standard V4.02.1 or higher.

Loadable Driver for Point-to-Point CPs: MODBUS Protocol, S7 is Slave 1-2

1.3 Summary of the GOULD-MODBUS Protocol

Function Data Data Type Type of Access

Function Type of Data Address Representation at User

In the transmission messages on the serial transmission line, the addresses

Loadable Driver for Point-to-Point CPs: MODBUS Protocol, S7 is Slave 1-3

Loadable Driver for Point-to-Point CPs: MODBUS Protocol, S7 is Slave 1-4

2.1 Use of the Dongle

Loadable Driver for Point-to-Point CPs: MODBUS Protocol, S7 is Slave 2-1

2.2 Interface Connection

RS232C / TTY It is possible to create a point-to-point connection to a master system.

X27 / RS485 It is possible to create a multipoint connection (network) connecting up to 32

T/R (A) 4 R(A)

Further information on the interface connection can be found in the manual

X27 / RS422 It is possible to create a point-to-point connection to a master system.

Further information on the interface connection can be found in chapter B and

Loadable Driver for Point-to-Point CPs: MODBUS Protocol, S7 is Slave 2-2

3 Mode of Operation of the Data Link

3.1 Components of the SIMATIC / MODBUS Slave Data Link

The MODBUS communications FB processes all functions necessary for the

The supplied MODBUS slave communications function block FB180/80 must

Loadable Driver for Point-to-Point CPs: MODBUS Protocol, S7 is Slave 3-1

• Transmission rate, parity

3.2 Task Distribution