MODBus Memory Mapping

Hi Guys,

Is it possible that all the discret inputs, coils, input registers and holding registers are in the same memory area I mean in the 40000's.
I have a honeywell controller. It's manual says the following (some example)<pre>
Cooling_Signal 40121 uint16 Read Only
Open_Temp 40122 uint16 Read and Write
Fireman_Switch 40164 bool Read Only
External_Stop 40165 bool Read and Write</pre>
Have you ever seen like these before?

Thanks in advance,
There should be no problems. The memory mapping that resulted in addresses in the 40000s is the Modicon PLCs memory locations for holding registers. However, the registers can be used for any purpose based on what ModBus command you use to get the data. ModBus knows nothing about the memory location it is asked to access except what the Modbus command is used to access it and it is up to the Modbus master to make sense out of the data you collect and get it to the correct locations in the Honeywell system. Thus you can read/write bits or registers into that area of memory so long as the slave device uses the same memory locations.

William (Bill) L. Mostia, Jr. PE
ISA Fellow, FS Engineer (TUV Rheinland)

Winner of the 2018 ISA Raymond D. Molloy Award
Sr. Safety Consultant
SIS SILverstone, LLC
They are up to manufacturer design. If they need it they can use holding registers for read/write discrete or analog value. I have seen some devices use 4xxxx address for read only words, but for discrete I have never seen before. But I think if they use 4xxxx for boolean means if data is Off values are 0 and On values are 1.
I can tell you that Honeywell's 1st generation XYR5000 wireless base station had all values mapped to Holding registers as 32 bit Floating point values, even boolean values.

It certainly appears that those values are mapped to the 4xxxx Holding Register memory area, even the switch and stop boolean bit values.

So, yes, I've seen booleans, integers, and floating point values all mapped to 4xxxx Holding Registers.
Hi Guys!

Thank you for your quick response!

OK, I will try to handle them in a normal way and we will see...

Thanks again!
Hi Guy!

Another interesting addressing example. In the same system but on MODbus TCP/IP network there is VTS device.
Here is some example of<pre>
(BMS : Buliding management system )

1st column : Bms type
2nd column : Modbus index
3rd Column : BMS Direction
4th column : Variable

Nr1. Analog 0002 Out gFan_ExhOutputCurr_1
Nr2. Analog 0029 In/Out gInputAI_Offset_1
Nr3. Digital 0002 Out fAlarm_Chillers
Nr4. Digital 0063 In/Out gSched_ExcEnable_1
Nr5. Integer 5002 Out gConf_AppCodeNum
Nr6. Integer 5003 In/Outg Fan_ExhFireSetp</pre>
For me it is not obvious which register is which. As you see there is overlaping between the Modbus indexes.

Is there any hint?
That documentation is positively, pathetically poor. You're just going to have to experiment and compare what you read to what the device is currently configured as.

There are two 0002 register addresses. Two different values cannot reside in the same 0002 register so the 'digital' is a boolean value in a different memory area than the 'analogs'.

I'd use a generic Modbus master that displays values it reads in various formats (but starting with decimal format).

I'd start by using FC03 to read (4)xxxx registers for Nr1, Nr2, Nr5 and Nr6 and see what values come up.

Analogs are typically integers or floating point. Integers might be scaled by some factor that isn't provided.
Floating point values will take up 2 registers

Is Nr5 "app code number" something the changes or is like firmware revision, for all purposes a constant?
Is Nr6 maybe a setpoint value (Setp)? That's likely a value you can determine what is configured and compare it to what you read.

Beware the one offset. It isn't clear whether these register/address values are indexed from zero or one.

Nr 3 is likdly a coil being an OUT (Modbus has no function code to write to discrete inputs).
Nr 4 is (?) in/out?
A coil uses FC01 to read from the (0)xxxx memory area. FC05 is used to write to a single coil
A discrete input uses FC02 to read from the (1)xxxx memory area

Hopefully the digital/boolean values are not bit packed into some larger word.

You just gotta try each and see.