S7_Modbus
A Data Transfer Utility between Siemens S7 PLC and ModbusTCP Devices
(c) kmb@kai-m-becker.de, 2014

What is S7_Modbus

S7_Modbus can

  • transfer data between Siemens S7 PLCs and ModbusTCP devices via Ethernet / TCP/IP.
  • run once or continuously
  • be started manually, from Startup or Scheduler

S7_Modbus runs on Windows 32- and 64bit.

Source and target can be

  • of the same (S7->S7, Modbus->Modbus) or
  • different type (S7->Modbus, Modbus->S7),
  • different devices (most likely), as long as they're reachable via TCP/IP, or
  • the same device (if there's any use case for that, please let me know).

S7_Modbus

  • transfers a maximum amount of 125 Word (16b) in one direction. Use multiple instances, if you need more data paths.
  • Siemens S7 side source/target is always a data block (DB), starting from Byte 0.
  • Modbus side source/target is always the "Holding Registers", i.e. addresses 4:x.

Bonus: You can use S7_Modbus to just read and dump data from a S7 PLC or a Modbus device, for example to test the reachability of a device.

S7_Modbus is available free of charge, but a donation would be appreciated.

Requirements

  1. S7_Modbus Executable + DLL, downloadable as zip file at www.kmb-tools/s7_modbus
  2. PC with Windows 32- or 64bit OS. WinXP, Win7, Win8, ... or Server OS. Not tested on Vista!
  3. The devices you want to connect, i.e.
    • Siemens S7 PLC or compatible with Ethernet CP (e.g. CP343), and/or
    • ModbusTCP compatible device, e.g. a Schneider-Electric Quantum, Premium, etc.
  4. A ethernet network connection between PC and the devices
  5. A little experience with Windows' shell

Installation

  1. Unpack the Zip file into a directory of your choice
  2. done

Usage

S7_Modbus runs as a console application and receives its arguments as console arguments.

Open a console window ("Start" / "Run..." / "cmd.exe"), cd to the directory with the s7_modbus.exe and type s7_modbus to see the usage and arguments.

Usage: s7_modbus.exe [-h] [-d] [-v] [-1] [-t sec] -w no -from sys ip[:port] addr [-to sys ip[:port] addr]
-h help
-d - dry-run, just print how the arguments are understood and quit
-v n - verbosity. 0, 1..9 = nothing, errors only .. telegram data
-1 (one) - run once and quit
-s - swap bytes
-r n - retry n times, -1 = unlimited
-t sec - sleep between transfers in seconds
-w no - number of words to transfer
-from / -to sys ip addr
     either 's7' ipaddr DB#'
         or 'modbus' ipaddr 4:address

Minimum required arguments are number of words and source address:

s7_modbus -w n -from type ip adr

s7_modbus needs the libnodave.dll to run, which is contained in the zip file. If you don't see the usage information, check that the libnodave.dll exists in the same directory as s7_modbus.exe.

Dry-run (optional)

-d

When set, s7_modbus will print out a detailed description, how the arguments will be understood and quit.

Use this as a safety check, before you write data into a running controlling device.

Verbosity (optional)

-v n

n sets the depth of printed output.

  • 0 = Nothing
  • 1 = Errors
  • 3 = Connection issues(1) - Overview
  • 4 = Connection issues(2) - Details
  • 6 = Telegram events
  • 7 = Telegramm data
  • 9 = Raw Data

Run once and quit (optional)

-1

When used, s7_modbus will perform only one transfer and quit.

The retry setting -r will be observed.

Swap bytes (optional)

-s

When set, the bytes of the received data words will be swapped before writing them into the -to device.

Example:

Received: 0001 0002 0003 ABCD
Written: 0100 0200 0300 CDAB

Retry (optional)

-r n

Sets the number of retries when trying to connect to source and target. The retry counter will be reset after every successful connect.

Sleep between transfers (optional)

-t s

Sets the time (in seconds), s7_modbus will sleep between transfers. It will use no CPU time during sleep. If set to 0 (default), s7_modbus will run as fast as possible, although it will still release the remaining milliseconds of its Windows time slice.

Number of words to transfer (required)

-w n

This is the number of 16bit words s7_modbus will read/write. Allowed numbers are 1..125.

Source (required)

-from type ip[:port] address

The device to read the data from.

type
either "s7" or "modbus"
ip[:port]
The Ethernet address and optional port number. Name resolution is not supported. Standard port numbers are 102 for S7 and 502 for ModbusTCP.
address
The system dependent address within the device. Either a DB# number for S7 or a 4:xxxxx address in a ModbusTCP device. S7 DBs must exist.

ModbusTCP addresses start at 0, but Schneider-electric PLC's address start at 4:00001. Therefore, to access 4:00001, use "-from modbus ip[:port] 0"

Target (optional)

-to type ip[:port] address

The device to write the data to. When omitted, s7_modbus will only read from the -from-source, e.g. to test wether it can be reached or to log the data.

Examples

Send data from S7 to Modbus device

  • Source: S7 PLC at IP-address 192.168.0.7, DB 20
  • Target: Schneider Quantum at IP-address 192.168.0.50, register 4:100
  • Transfer 10 words

s7_modbus -w 10 -from s7 192.168.0.7 20 -to modbus 192.168.0.50 100

Send data from Modbus to S7, only once

  • Source: Schneider Quantum at IP-address 192.168.0.50, register 4:100
  • Target: S7 PLC at IP-address 192.168.0.7, DB 20
  • Transfer 10 words
  • run only once (-1)

s7_modbus -1 -w 10 -from modbus 192.168.0.50 100 -to s7 192.168.0.7 20

Send data from Modbus to Modbus, retry only 3 times

  • Source: Schneider Quantum at IP-address 192.168.0.50, register 4:100
  • Target: Schneider Premium at IP-address 192.168.0.30, register 4:7000
  • Transfer 100 words
  • Retry max 3 times (-r 3)

s7_modbus -r 3 -w 100 -from modbus 192.168.0.50 100 -to modbus 192.168.0.30 7000

Send data from S7 to S7, every 60 seconds

  • Source: S7 PLC at IP-address 192.168.0.7, DB 20
  • Target: S7 PLC at IP-address 192.168.0.8, DB 17
  • Transfer 25 words
  • wait 60 between transfers (-t 60)

s7_modbus -t 60 -w 25 -from s7 192.168.0.7 20 -to s7 192.168.0.8 17

Special Use Cases

Check arguments without communication

To check your arguments without really starting a transfer, use -d ("dry run").

Example 1: (full options):

s7_modbus -d -1 -v 9 -r 5 -t 5 -w 100 -from s7 127.0.0.1 15 -to modbus 192.168.0.129 8

Just try it :) You should get a result like this:

running s7_modbus.exe
working dir c:\Work\s7_modbus
From: S7, IP 127.0.0.1, DB 15
To:   Modbus, IP 192.168.0.129, Reg 4:8
Transfer 100 words(16b)
Run once
Verbosity 9
Retry 5 times (-1 = unlimited)
Sleep 5 seconds between transfers

Test only if a device is available

Solution: Leave the -to argument

Example 1:

s7_modbus -1 -r 0 -w 1 -from modbus 192.168.0.7 1

If there's no ModbusTCP device at 192.168.0.7, you will get an error message. Most likely -Connect (192.168.0.7:502), 10060, where 10060 is the Windows socket error for Timeout ("WSAETIMEDOUT").

Example 2:

s7_modbus -1 -r 0 -w 1 -from s7 192.168.0.7 1

If there's no S7 PLC at 192.168.0.7, you'll get an error -S7: Couldn't open TCP connection to 192.168.0.7:102.

Hints:

  • Use -1 -r 0 to test only once with no retries
  • Use -v 9 for full debug info

Start From Desktop

  1. Create a new shortcut on the desktop
  2. Locate the S7_Modbus.exe as target
  3. Complete the Target field with the arguments for S7_Modbus (i.e. "-from", etc.)
  4. Select the directory of S7_Modbus as "Start in" directory

Hints:

  • Use Right-Click, Properties to refine your settings
  • "Run: Minimized" will execute S7_Modbus without opening its console window

Start at Windows Startup without User Logon

Ensure a Windows user with proper rights to start Scheduled Tasks, i.e. at least a local administrator

  1. cd to the S7_Modbus directory and create a batch file like starthere.cmd with the following contents:

    echo Runs... >>logit.txt
    s7_modbus.exe -t 30 -r 1 -w 1 -from modbus 192.168.0.108 1 >>logit.txt
    echo ------- >>logit.txt

  2. Start Control Panel, Schedules Tasks and Add Scheduled Task

  3. Click Browse... and select the batch file above in its directory
  4. Enter user name and password for a user with the proper rights
  5. Click Open advanced properties
  6. Select the directory of the batch file as Start in directory
  7. Remove the check mark at Run only if logged on
  8. Ensure the check mark at Enabled
  9. Select Run at system startup as Schedule

Every time, the batch file runs, some lines will be added to the logfile logit.txt.

Test your new task:

  • Right click the new line in Scheduled Tasks and click Run
  • Running should appear in the Status column for a few seconds
  • The file logit.txt should be created in the S7_Modbus directory
  • Check the contents of logit.txt if everything worked.

You can now change the S7_Modbus settings in the batch file.

Hints:

  • Use a loop inside the batch file, to restartrt S7_Modbus in case of a fatal error
  • If you change the batch file, you should also manually restart the task (End Task + Run).

Copyright and Stuff

  • S7_Modbus is copyright by kmb@kai-m-becker.de
  • libnodave.dll is an Open Source communication library for Siemens S7 PLC, copyright by Thomas Hergenhahn, licensed under GNU Library or Lesser General Public License version 2.0 (LGPLv2) and available at libnodave.sourceforge.net
  • Simatic, Simatic S5, Simatic S7, S7-200, S7-300, S7-400 are registered Trademarks of Siemens Aktiengesellschaft
  • Modbus, ModbusTCP and the Modbus protocol are Trademarks of The Modbus Organization, Inc.