Table of contents
1. Environment configuration and preparation
1. Install TF6250-Modbus-TCP library in PLC
2. Check the license of TF6250
3. Add the Tc2_ModbusSrv library file to the PLC project
4. Create Server and Client programs for testing ModbusTCP test respectively.
1. Set the test computer IP address
(3) Single coil write operation
(4) Multiple coil write operations
(5) Read the input register value
(6) Read the holding register value
(7) Single holding register write operation
(8) Multiple holding register write operations
(1) Register variable definition
4. Use server and client programs to perform register operations in PLC
(2) PLC Client program reading operation
(3) PLC Client program writing operation
1. Environment configuration and preparation
1. Install TF6250-Modbus-TCP library in PLC
PLC address
Install library files
PLC hardware environment settings, library file installation, firewall settings, etc., please refer to the blog article:ModbusTCP Server and C# Client connection in TwinCAT3 - CSDN Blog
2. Check the license of TF6250
3. Add the Tc2_ModbusSrv library file to the PLC project
4. Create Server and Client programs for testing ModbusTCP test respectively.
Add the created program to Task.
2. PLC as Client
1. Set the test computer IP address
The IP address of the test computer and the IP address of the PLC are in the same network segment.
2. Run the MobusTCP test tool
Use the testing tool ModSim32 to create a ModbusTCP Server. The default port number is 502, and the default IP address of the test software is the local address of the computer.
3. PLC program writing
Define variables: ModbusTCP Server server ip address
Server_IpAddress :STRING:='192.168.1.33'; //ModbusTCP Server服务端ip地址(1) Read discrete input
Define variables
02: Input Status 读取//
fbReadInputs : FB_MBReadInputs; (*读取离散量输入功能块*)
bReadInputs : BOOL; (*读取离散量输入执行条件*)
nQuantityinput : WORD:=1 ; (*读取离散量输入个数*)
nMBAddrinput : WORD:=1 ; (*读取离散量输入起始地址*)
arrDatainput : BYTE; (*存放离散量输入的值*)program
nUnitID: Modbus-Tcp slave station number. If you don’t know the slave station number in practice, just write 1 by default.
fbReadInputs(
//sIPAddr:='169.254.0.1' , //modsim32的IP地址
sIPAddr:=Server_IpAddress , //modsim32的IP地址
nTCPPort:=502, //Modbus-Tcp端口号
nUnitID:=1 , //Modbus-Tcp从站号
nQuantity:=nQuantityinput , //读取离散量输入个数
nMBAddr:= nMBAddrinput, //读取离散量输入 Modbus起始地址
cbLength:= SIZEOF(arrDatainput), //存放离散量输入变量的个数
pDestAddr:=ADR(arrDatainput), //存放离散量输入变量指针起始地址
bExecute:=bReadInputs , //读取离散量输入执行条件
tTimeout:=T#1S ,
bBusy=> ,
bError=> ,
nErrId=> ,
cbRead=> );Run test 1, single discrete read operation:
Write 1 to 10002
PLC read
The number of reads is 1, and the nQuantityinput value is 1
The register corresponding to writing 1 to the starting address nMBAddrinput is 10002. Actual address of discrete variable =10001+nMBAddrinput
read
Run test 2, multiple discrete read operations:
Write 1 for 10002, 1 for 10003, and 1 for 10004
PLC read
Set the number of reads to 3. The value read is 7. (All three bits are 1, which is 7)
(2) Read coil
Define variables
fbReadCoils : FB_MBReadCoils; (*读取线圈功能块*)
bReadCoils : BOOL; (*读取线圈执行条件*)
nQuantitycoils : WORD :=3; (*读取线圈个数*)
nMBAddrcoils : WORD :=1; (*读取线圈起始地址*)
arrDatacoils : BYTE; (*存放线圈的值*)PLC program
fbReadCoils(
//sIPAddr:='169.254.0.1' , //modsim32的IP地址
sIPAddr:=Server_IpAddress , //modsim32的IP地址
nTCPPort:=502 , //Modbus-Tcp端口号
nUnitID:=1 , //Modbus-Tcp从站号
nQuantity:=nQuantitycoils , //读取线圈个数
nMBAddr:=nMBAddrcoils , //读取线圈 Modbus起始地址
cbLength:=SIZEOF(arrDatacoils) , //存放线圈变量的个数
pDestAddr:=ADR(arrDatacoils) , //存放线圈变量指针起始地址
bExecute:=bReadCoils , //读取线圈执行条件
tTimeout:= T#1S,
bBusy=> ,
bError=>,
nErrId=> ,
cbRead=> );Run test, multiple coil read operations:
Write 1 operation to coil 00005/00006/0007/0008/00009
PLC
nMBAddrcoils: Read the address of the coil
nQuantitycoils: Number of coils read
The actual address of the coil = 00001 + nMBAddrcoils.
The nMBAddrcoils address setting corresponding to 00005 is 4.
The values of the 5 coils are all ON, which is 31
Data display in PLC, binary, decimal and hexadecimal display settings
(3) Single coil write operation
Define variables
fbWriteSingleCoil : FB_MBWriteSingleCoil; (*写入单个线圈功能块*)
bWriteSingleCoil : BOOL; (*写入单个线圈执行条件*)
nMBAddrWriteSingleCoil : WORD := 3; (*写入单个线圈Modbus 地址*)
nValueWriteSingleCoil : WORD := 16#FF00; (*16#FF00:True;16#0000:False*)PLC program
fbWriteSingleCoil(
//sIPAddr:='169.254.0.1' , //modsim32的IP地址
sIPAddr:=Server_IpAddress , //modsim32的IP地址
nTCPPort:= 502, //Modbus-Tcp端口号
nUnitID:= 1, //Modbus-Tcp从站号
nMBAddr:=nMBAddrWriteSingleCoil , //写入单个线圈Modbus起始地址
nValue:=nValueWriteSingleCoil , //写入单个线圈的值:16#FF00:True;16#0000:False
bExecute:=bWriteSingleCoil , //写入单个线圈执行条件
tTimeout:=T#1S ,
bBusy=> ,
bError=> ,
nErrId=> );Running the test, single coil write operation:
Write operation to coil 00004
Coil address nMBAddrWriteSingleCoil value setting: 3. (Coil address=00001+nMBAddrWriteSingleCoil)
nValueWriteSingleCoil value setting:
TRUE:16#FF00, which is 65280 in decimal.
FALSE:16#0000, which is decimal 0.
(4) Multiple coil write operations
Variable definitions
fbWriteCoils : FB_MBWriteCoils; (*写入线圈功能块*)
bWriteCoils : BOOL; (*写入线圈执行条件*)
nQuantityWriteCoils : WORD := 10; (*写入离散量输入个数*)
nMBAddrWriteCoils : WORD := 14; (*写入离散量输入起始地址*)
arrDataWriteCoils : ARRAY[1..2] OF BYTE := [16#11, 16#33];(*写入离散量输入的值*)PLC program
fbWriteCoils(
//sIPAddr:='169.254.0.1' , //modsim32的IP地址
sIPAddr:=Server_IpAddress , //modsim32的IP地址
nTCPPort:=502, //Modbus-Tcp端口号
nUnitID:=1 , //Modbus-Tcp从站号
nQuantity:= nQuantityWriteCoils , //写入线圈个数
nMBAddr:=nMBAddrWriteCoils , //写入线圈Modbus起始地址
cbLength:=SIZEOF(arrDataWriteCoils), //写入线圈的变量个数
pSrcAddr:=ADR(arrDataWriteCoils), //写入线圈的变量指针起始地址
bExecute:=bWriteCoils , //写入线圈的执行条件
tTimeout:=T#1S ,
bBusy=> ,
bError=> ,
nErrId=> );Run test, multiple coil writes:
Write 16 coils, and the coil address starts from 00006. (00001+nMBAddrWriteCoils, nMBAddrWriteCoils setting value is 5).
1 BYTE is 8 bits, and all 8 bits are 1, that is, the BYTE value is 255.
The BYTE array arrDataWriteCoils has a length of 2, which is 16 bits. Up to 16 coil operations can be written.
(Note: writeThe number of coil BYTE must be the same as the array length, 16 coils 2 BYTE. Corresponding otherwise an error will be reported.)
(5) Read the input register value
Variable definitions
fbReadInputRegs : FB_MBReadInputRegs; (*读取输入寄存器功能块*)
bReadInputRegs : BOOL; (*读取输入寄存器执行条件*)
nQuantityInputRegs : WORD := 3; (*读取输入寄存器个数*)
nMBAddrInputRegs : WORD:= 2; (*读取输入寄存器起始地址*)
arrDataInputRegs : ARRAY [1..3] OF WORD; (*存放输入寄存器的值*)PLC program
fbReadInputRegs(
//sIPAddr:='169.254.0.1' , //modsim32的IP地址
sIPAddr:=Server_IpAddress , //modsim32的IP地址
nTCPPort:=502, //Modbus-Tcp端口号
nUnitID:=1, //Modbus-Tcp从站号
nQuantity:=nQuantityInputRegs, //读取输入寄存器个数
nMBAddr:=nMBAddrInputRegs , //读取输入寄存器Modbus起始地址
cbLength:= SIZEOF(arrDataInputRegs), //存放输入寄存器变量的个数和指针起始地址
pDestAddr:=ADR(arrDataInputRegs), //存放输入寄存器变量指针起始地址
bExecute:= bReadInputRegs , //读取输入寄存器执行条件
tTimeout:=T#1S ,
bBusy=> ,
bError=> ,
nErrId=> ,
cbRead=> );Run test, multiple input register read operations:
Assign values to 30003, 30004, 30005
PLC reading
Register address 30003=30001+nMBAddrInputRegs, nMBAddrInputRegs setting value 2
Three more registers
(Note: The number of registers read must be the same as the array length, otherwise an error will be reported.)
(6) Read the holding register value
Variable definitions:
fbReadRegs : FB_MBReadRegs; (*读取保持寄存器功能块*)
bReadRegs : BOOL; (*读取保持寄存器执行条件*)
nQuantityregs : WORD:=2; (*读取保持寄存器个数*)
nMBAddrregs : WORD:=24; (*读取保持寄存器起始地址*)
arrDataregs : ARRAY [1..2] OF WORD; (*存放保持寄存器的值*)PLC program:
fbReadRegs(
//sIPAddr:='169.254.0.1' , //modsim32的IP地址
sIPAddr:=Server_IpAddress , //modsim32的IP地址
nTCPPort:=502, //Modbus-Tcp端口号
nUnitID:= 1, //Modbus-Tcp从站号
nQuantity:=nQuantityregs, //读取保持寄存器个数
nMBAddr:=nMBAddrregs , //读取保持寄存器Modbus起始地址
cbLength:=SIZEOF(arrDataregs) , //存放保持寄存器变量的个数
pDestAddr:=ADR(arrDataregs) , //存放保持寄存器变量指针起始地址
bExecute:=bReadRegs, //读取保持寄存器执行条件
tTimeout:= T#1S ,
bBusy=> ,
bError=> ,
nErrId=> ,
cbRead=> );Run test, multiple holding register reads:
Read holding registers 40005, 40006
The first address of the register is 40005=40001+nMBAddrregs, and the nMBAddrregs value is set to 4. Read two registers.
(Note: The number of registers read must be the same as the array length, otherwise an error will be reported.)
(7) Single holding register write operation
Variable definitions:
fbWriteSingleReg : FB_MBWriteSingleReg; (*写入单个寄存器功能块*)
bWriteSingleReg : BOOL; (*写入单个寄存器执行条件*)
nMBAddrSingleReg : WORD := 4; (*写入单个寄存器Modbus 地址*)
nValueSingleReg : WORD := 16#1234; (*写入单个寄存器数值*)PLC program:
fbWriteSingleReg(
//sIPAddr:='169.254.0.1' , //modsim32的IP地址
sIPAddr:=Server_IpAddress , //modsim32的IP地址
nTCPPort:=502, //Modbus-Tcp端口号
nUnitID:=1 , //Modbus-Tcp从站号
nMBAddr:=nMBAddrSingleReg, //写入单个保持寄存器起始地址
nValue:=nValueSingleReg, //写入单个寄存器数值
bExecute:=bWriteSingleReg , //写入单个寄存器的执行条件
tTimeout:=T#1S ,
bBusy=> ,
bError=> ,
nErrId=> ); Running test, single holding register write:
Write holding register 40005. 40005=40001+nMBAddrSingleReg, set nMBAddrSingleReg value to 4
(8) Multiple holding register write operations
Variable definitions:
fbWriteRegs : FB_MBWriteRegs; (*写入保持寄存器功能块*)
bWriteRegs : BOOL; (*写入保持寄存器个数*)
nQuantityWriteRegs : WORD := 4; (*写入保持寄存器个数*)
nMBAddrWriteRegs : WORD := 4; (*写入保持寄存器起始地址*)
arrDataWriteRegs : ARRAY[1..4] OF WORD := [1122, 3344, 5566, 7788];(*写入保持寄存器的值*)PLC program:
fbWriteRegs(
//sIPAddr:='169.254.0.1' , //modsim32的IP地址
sIPAddr:=Server_IpAddress , //modsim32的IP地址
nTCPPort:=502, //Modbus-Tcp端口号
nUnitID:=1 , //Modbus-Tcp从站号
nQuantity:=nQuantityWriteRegs , //写入保持寄存器个数
nMBAddr:= nMBAddrWriteRegs , //写入保持寄存器起始地址
cbLength:= SIZEOF(arrDataWriteRegs), //写入变量的个数和指针起始地址
pSrcAddr:=ADR(arrDataWriteRegs) , //写入变量指针起始地址
bExecute:= bWriteRegs , //写入保持寄存器的执行条件
tTimeout:=T#1S ,
bBusy=> ,
bError=> ,
nErrId=> );Run test, multiple holding register writes:
Write holding registers 40003, 40004, 40005, the first address of the register is 40003=40001+nMBAddrWriteRegs, and set the nMBAddrWriteRegs value to 2
(Note: writeThe number of registers must be the same as the array length, otherwise an error will be reported.)
3. PLC as Server
1. PLC program
(1) Register variable definition
arr1 AT%MB0 :ARRAY[1..5] OF WORD; //起始地址是12289
arr2 AT%MB10 :ARRAY[1..10] OF WORD; //起始地址是122942. Client tool
Use the testing tool ModScan32 to simulate the ModbusTCP Client.
Open ModScan32
According to the register defined in the Server PLC, make the following settings
The starting address corresponding to MB0 is 12289.
Register description:One MW register corresponds to two MB registers. For example, MW0 is composed of MB0 and MB1. A 12289 corresponds to a MW0 register, which corresponds to MB0 and MB1.
3. Communication test
(1) Client write operation
Register writing operation of client ModScan32 to server PLC
Received by PLC server
(2) PLC server writing operation
PLC register write
Received by client ModScan32
4. Use server and client programs to perform register operations in PLC
1. PLC program
(1) Server program
The PLC server program remains unchanged, just define the register variables for reading and writing.
Variable definitions
arr1 AT%MB0 :ARRAY[1..5] OF WORD; //起始地址是12289
arr2 AT%MB10 :ARRAY[1..10] OF WORD; //起始地址是12294(2) Client program
Variable definitions
Server_IpAddress :STRING:='192.168.1.21';
03: Holding Register 读取&写入
fbReadRegs : FB_MBReadRegs; (*读取保持寄存器功能块*)
bReadRegs : BOOL; (*读取保持寄存器执行条件*)
nQuantityregs : WORD:=5; (*读取保持寄存器个数*)
nMBAddrregs : WORD:=12288; (*读取保持寄存器起始地址*) // 寄存器地址=40001+nMBAddrregs
arrDataregs : ARRAY [1..5] OF WORD; (*存放保持寄存器的值*)
fbWriteRegs : FB_MBWriteRegs; (*写入保持寄存器功能块*)
bWriteRegs : BOOL; (*写入保持寄存器个数*)
nQuantityWriteRegs : WORD := 10; (*写入保持寄存器个数*)
nMBAddrWriteRegs : WORD := 12294; (*写入保持寄存器起始地址*) // 寄存器地址=40001+nMBAddrWriteRegs
arrDataWriteRegs : ARRAY[1..10] OF WORD := [11, 22, 33, 44,55,66,77,88,99,100]; (*写入保持寄存器的值*)
fbWriteSingleReg : FB_MBWriteSingleReg; (*写入单个寄存器功能块*)
bWriteSingleReg : BOOL; (*写入单个寄存器执行条件*)
nMBAddrSingleReg : WORD := 4; (*写入单个寄存器Modbus 地址*)
nValueSingleReg : WORD := 16#1234; (*写入单个寄存器数值*)
//PLC program
fbReadRegs(
//sIPAddr:='169.254.0.1' , //modsim32的IP地址
sIPAddr:=Server_IpAddress , //modsim32的IP地址
nTCPPort:=502, //Modbus-Tcp端口号
nUnitID:= 1, //Modbus-Tcp从站号
nQuantity:=nQuantityregs, //读取保持寄存器个数
nMBAddr:=nMBAddrregs , //读取保持寄存器Modbus起始地址
cbLength:=SIZEOF(arrDataregs) , //存放保持寄存器变量的个数
pDestAddr:=ADR(arrDataregs) , //存放保持寄存器变量指针起始地址
bExecute:=bReadRegs, //读取保持寄存器执行条件
tTimeout:= T#1S ,
bBusy=> ,
bError=> ,
nErrId=> ,
cbRead=> );
fbWriteRegs(
//sIPAddr:='169.254.0.1' , //modsim32的IP地址
sIPAddr:=Server_IpAddress , //modsim32的IP地址
nTCPPort:=502, //Modbus-Tcp端口号
nUnitID:=1 , //Modbus-Tcp从站号
nQuantity:=nQuantityWriteRegs , //写入保持寄存器个数
nMBAddr:= nMBAddrWriteRegs , //写入保持寄存器起始地址
cbLength:= SIZEOF(arrDataWriteRegs), //写入变量的个数和指针起始地址
pSrcAddr:=ADR(arrDataWriteRegs) , //写入变量指针起始地址
bExecute:= bWriteRegs , //写入保持寄存器的执行条件
tTimeout:=T#1S ,
bBusy=> ,
bError=> ,
nErrId=> );
fbWriteSingleReg(
//sIPAddr:='169.254.0.1' , //modsim32的IP地址
sIPAddr:=Server_IpAddress , //modsim32的IP地址
nTCPPort:=502, //Modbus-Tcp端口号
nUnitID:=1 , //Modbus-Tcp从站号
nMBAddr:=nMBAddrSingleReg, //写入单个保持寄存器起始地址
nValue:=nValueSingleReg, //写入单个寄存器数值
bExecute:=bWriteSingleReg , //写入单个寄存器的执行条件
tTimeout:=T#1S ,
bBusy=> ,
bError=> ,
nErrId=> ); 2. Communication test
(1) Register description
One MW register corresponds to two MB registers, for example, MW0 corresponds to 12289, and 12289 corresponds to MB0 and MB1.
Variables in PLC client program
Read register address = 40001+nMBAddrregs , then MB0 correspondingly sets nMBAddrregs12288
Write register address=40001+nMBAddrWriteRegs
(2) PLC Client program reading operation
First assign values to the registers on the server side
PLCServer program reading
(3) PLC Client program writing operation
PLC client writes register
The PLC server receives the register written by the client
5. Test project download
https://download.csdn.net/download/panjinliang066333/88609166
Projects include:
(1) Client and server PLC programs
(2) TF6250-Modbus-TCP library file installation software
(3) ModbusTCP test tool
Simulated client: modscan32
Simulation server: modsim32
(4) Beckhoff official simple test reference