Advanced/hidden modbus protocol


Thread Starter


Modbus is supposed to be an open protocol, but why can't I get the entire list of commands that I can issue? For example, I'd like the ability to stop the PLC and issue the write program to flash command from our MMI. Is there a way to get this information?
Modbus ASCII, RTU and TCP are open protocols. The instruction set includes read and write instructions.

It's up to the device manufacturer to supply the specifics of the implementation of the registers, addressing and the associated word format used in any given device.

It is unlikely that you are missing instructions, but you might be missing certain registers that will do what you want to accomplish. Or maybe your device doesn't offer Modbus access to control features that you need.

In any event, you need to direct your inquiry to the device manufacturer for specifics.


Curt Wuollet

That is, no doubt, a proprietary extension to the protocol as it would be specific (hopefully) to a particular vendor. I would suggest a serial protocol analyzer.


I use the manufacturer's reserved commands with my own proprietary data within the Modbus packet. The command numbers are listed in the spec, but there are reserved commands for other uses and future uses. Some of these uses could be for network routing and relaying and other special devices, besides special programming and other commands for Modicon equipment.

Automation Linse

The info you want is VERY product specific, thus to do this you'll need to first query the device and confirm which product and firmware rev it is. Then generate a large list of devices that behave as you expect. This is one reason you WON'T find this info in the public space - it is too complex to describe and support. Each new gen of PLC adds "new" function, so these commands are a moving target.

You may be better off with a DOS utility from SE (if there is one) that you can run in an OS child shell to reflash a PLC.

SE uses function 0x7E as a "catch all" for things like this (at least on newer equipment). The form is just SA 0x7E LN SF ???, where SA is slave address, LN is byte count of remaining command, SF is some function code (such as start or stop PLC), and ??? is up to 249 bytes of data per the function.

The start/stop PLC would be easy to reverse engineer. The reflash of the program will be harder and you'll need to work this out repeatedly for different PLC generations.

Best Regards
- Lynn A Linse,
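Added example, not code from any poster nor from Schneider Electric: a small Python decoder for Modbus RTU frames that checks the CRC, classifies the function code against the public Modbus spec, and flags frames carrying non-standard codes such as the 0x7E "catch all" described above. This is the kind of check a defender would run over captured serial traffic to spot vendor-specific traffic on a PLC link. Assumptions: the LN byte is taken to count the SF byte plus the data bytes after it (the post does not say exactly), and the subfunction value 0x11 in the sample frame is a constructed placeholder with no real meaning.

```python
import struct

# Modbus RTU CRC-16: reflected polynomial 0xA001, initial value 0xFFFF,
# transmitted low byte first (Modbus over Serial Line spec).
def crc16_modbus(data: bytes) -> int:
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 0x0001:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc

# Public function codes with an assigned meaning in the Modbus Application
# Protocol spec; ranges 65-72 and 100-110 are set aside for user-defined
# functions. Anything else is unassigned and, in practice, vendor-specific.
STANDARD_FC = {1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 15, 16, 17, 20, 21, 22, 23, 24, 43}
USER_DEFINED_FC = set(range(65, 73)) | set(range(100, 111))

def classify_fc(fc: int) -> str:
    if fc & 0x80:
        return "exception-response"
    if fc in STANDARD_FC:
        return "standard"
    if fc in USER_DEFINED_FC:
        return "user-defined"
    return "unassigned/vendor-specific"

def build_rtu_frame(slave: int, fc: int, payload: bytes) -> bytes:
    """Slave address, function code, payload, then CRC low byte first."""
    body = bytes([slave, fc]) + payload
    return body + struct.pack("<H", crc16_modbus(body))

def parse_rtu_frame(frame: bytes) -> dict:
    if len(frame) < 4:
        raise ValueError("frame too short")
    body, crc = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    if crc16_modbus(body) != crc:
        raise ValueError("CRC mismatch")
    slave, fc, data = body[0], body[1], body[2:]
    parsed = {"slave": slave, "function": fc, "class": classify_fc(fc), "data": data}
    if fc == 0x7E and len(data) >= 2:
        # Layout from the post: SA 0x7E LN SF ???. Assumption: LN counts the
        # SF byte plus the data bytes that follow it.
        ln, sf, rest = data[0], data[1], data[2:]
        parsed["subfunction"] = sf
        parsed["subdata"] = rest
        parsed["length_ok"] = (ln == 1 + len(rest))
    return parsed

def is_valid_frame(frame: bytes) -> bool:
    try:
        parse_rtu_frame(frame)
        return True
    except ValueError:
        return False

def flag_nonstandard(frames: list) -> list:
    """(index, function code, class) for each frame whose function code is
    not a standard public one; frames that fail CRC are reported as well."""
    hits = []
    for i, frame in enumerate(frames):
        try:
            p = parse_rtu_frame(frame)
        except ValueError as exc:
            hits.append((i, None, f"invalid: {exc}"))
            continue
        if p["class"] != "standard":
            hits.append((i, p["function"], p["class"]))
    return hits

# Constructed sample traffic: a normal Read Holding Registers request and a
# frame using function 0x7E with a placeholder subfunction (0x11 is made up).
SAMPLE_FRAMES = [
    build_rtu_frame(1, 0x03, bytes([0x00, 0x00, 0x00, 0x01])),
    build_rtu_frame(1, 0x7E, bytes([0x03, 0x11, 0xAA, 0xBB])),
]

if __name__ == "__main__":
    for hit in flag_nonstandard(SAMPLE_FRAMES):
        print(hit)
```

Run against a serial capture, the flagged list tells you which frames use codes outside the public spec, which is the traffic worth correlating with PLC state changes or an unexpected reflash; a CRC failure on a frame is reported rather than silently dropped, since a malformed frame on a quiet link is itself worth a look.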