Connecting To and Reading From TCP/IP MODBUS Unit


Thread Starter

Simon Pearce

Hi all,

I am very new to Modbus and any form of industrial control although I have a little experience of radio comms (hence the Zigbee radio units I am trying to work with).

I am trying to connect to an SHJ electronics S6889 protocol converter over my network. I can ping the Ethernet card and detect that port 502 is listening, and I believe I am connected to the unit. However, when I try to read the Modbus registers it all seems to go wrong. I am using an Ubuntu Linux laptop connected to the S6889 via Ethernet. To try and send and receive Modbus data I am using qmodbus. The communications seem to be working at some level, e.g. sometimes I am getting back responses, BUT it is consistently returning "Slave threw an exception" etc. etc. Every now and again there are responses, but they have inconsistent function codes and slave IDs, despite the request being the same.

I have also tried to use Modscan32 running in Wine on Linux, but this also returns errors saying the Modbus is timed out. However many times I let it poll, it returns no valid data or slave response. To try and eliminate the network angle, I have also attempted to connect over serial RTU. I've checked my settings and they are correct; however, I get the same messages.

I am aware of just how limited I am with Modbus and would appreciate any help I could get on this. I realise this forum is for more skilled professionals than me, but I hope that maybe someone can give me a hand on this, even if it is where to go for some more detailed reading or troubleshooting steps.

It seems that the statement below is the governing rule for how the SHJ S6889 serial server operates:

"If the device ID not match local address or 255,then S6889 will reorganize the data according to modbus protocol, send out through zigbee or RS485 port. If register 7 is 6889, then send/receive data
to/from RS485 port, if register 7 is 16889, then send/receive data to/from Zigbee port." (page 6)

I interpret that to mean the 6889 serial server is configured, or its settings read (or changed), via a Modbus message addressed to the S6889's Modbus slave device ID.

It isn't stated which Function Code (FC) addresses reads from the SHJ S6889 address range, but it'll be either 03 (input registers) or 04 (Holding registers).

Presumably Function Code 06 writes a single register (2 byte) value, FC 16 (decimal) writes multiple register values.

The implication is that the serial server is another 'field device' in addition to whatever field device(s) you eventually want to talk with, but haven't mentioned in your post.

Unless you just read the setup data from the 6889 addresses/registers, you need to have some field device connected to the RS-485 side for Modbus to do any real work. What field device are you going to connect?

What is the Modbus Slave device ID address of your field device? (1 byte content in address 06?)

What is your Modbus field device, and what is its Modbus Slave device ID address?

What is the 2 byte data value in address 7?

If the document tells what the default address is, I can't find it, but I'd start with 01. Use your Modbus master (Modscan) to read address 06 with FC 03 or FC 04. The message will time out (or 'not connect' if the IP address is invalid or on a different subnet) if you poll the wrong address. The address is likely 01 or 254 unless you've managed to change it. A valid "Read" confirms the returned value is the Device ID address.
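
As an added example (not part of the thread and not SHJ's code), this sketch builds the Modbus TCP read request discussed above and decodes a reply, separating a normal response from an exception response and rejecting replies whose transaction ID, unit ID or function code do not echo the request. The function names, unit ID 1, FC 03, wire address 6 and the sample reply bytes are assumptions constructed for illustration.

```python
import struct

# Standard Modbus exception codes (from the Modbus application protocol spec).
EXCEPTIONS = {
    0x01: "illegal function",
    0x02: "illegal data address",
    0x03: "illegal data value",
    0x04: "slave device failure",
    0x0A: "gateway path unavailable",
    0x0B: "gateway target device failed to respond",
}

def build_read_request(tid, unit_id, function, address, count):
    """MBAP header (tid, protocol 0, length, unit id) followed by the read PDU."""
    pdu = struct.pack(">BHH", function, address, count)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu

def parse_response(frame, tid, unit_id, function):
    """Return ('ok', [registers]) or ('exception', text); raise on a bad frame."""
    if len(frame) < 9:
        raise ValueError("frame shorter than MBAP header plus 2-byte PDU")
    r_tid, proto, length, r_unit, r_fc = struct.unpack(">HHHBB", frame[:8])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("not a well-formed Modbus TCP frame")
    if r_tid != tid or r_unit != unit_id:
        raise ValueError(f"reply for tid={r_tid} unit={r_unit}, not our request")
    if r_fc == function | 0x80:  # high bit set: the device reports an exception
        code = frame[8]
        return "exception", EXCEPTIONS.get(code, f"code 0x{code:02X}")
    if r_fc != function:
        raise ValueError(f"function code {r_fc} does not echo request {function}")
    nbytes = frame[8]
    if nbytes % 2 or len(frame) != 9 + nbytes:
        raise ValueError("byte count does not match payload")
    return "ok", list(struct.unpack(f">{nbytes // 2}H", frame[9:]))

# Constructed sample frames (not captured from a real S6889).
REQUEST = build_read_request(tid=1, unit_id=1, function=3, address=6, count=2)
GOOD_REPLY = bytes.fromhex("000100000007010304" "0001" "1AE9")
EXC_REPLY = bytes.fromhex("000100000003018302")

if __name__ == "__main__":
    print(REQUEST.hex(), parse_response(GOOD_REPLY, 1, 1, 3),
          parse_response(EXC_REPLY, 1, 1, 3))
```

Comparing the bytes a master actually sends and receives against these checks shows whether an exception code comes back from the addressed unit or the reply belongs to a different request.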