The day before yesterday, I discovered a true fan who comments every day on the articles shared by Technical Training. He suggested that I share some content on the Modbus communication protocol, so… enjoy!
Introduction: A Modbus network is an industrial communication system in which programmable controllers, intelligent terminals and computers are connected over public or locally dedicated lines. The system comprises both hardware and software, and it is used for data acquisition and process monitoring of many kinds.
A Modbus network has exactly one master, and all communication is initiated by it. The protocol allows up to 247 slave addresses, but the number of slaves actually supported depends on the communication hardware used. Each programmable controller (PC) on the network exchanges information with the central master without interrupting its own control tasks.
Understanding the Modbus communication protocol allows you to use various third-party software for communication testing on-site.
Modbus comes in ASCII, RTU and TCP variants and does not specify a physical layer: it defines the message structure that controllers recognise regardless of the network they communicate over. Standard Modicon controllers implement serial Modbus over RS-232C (RS-485 is the usual choice when several slaves share one bus). The ASCII and RTU variants specify the message format, data structure, commands and response behaviour. Communication is master/slave: the master sends a request, the slave answers a correctly received request with the requested data, and the master can also send messages that modify the slave's data, so reads and writes go in both directions.
Modbus includes error detection. In the serial variants, in addition to parity, ASCII mode uses an LRC and RTU mode a 16-bit CRC; TCP mode adds no checksum of its own because it relies on TCP, a connection-oriented, reliable transport. Because the master polls its slaves at fixed intervals, a slave that drops off (fault or shutdown) is detected by the master, and once the fault is repaired the slave rejoins the network automatically. In this sense the reliability of Modbus is good. Note that these checks detect transmission errors only: neither the CRC/LRC nor TCP's checksum authenticates the sender or protects against deliberate modification, and the protocol itself has no authentication, so any host that can reach a slave can issue read and write commands to it.
Of the three variants, TCP and RTU are closest. To turn an RTU frame into a Modbus TCP message, remove the two CRC bytes at the end, prepend a 7-byte MBAP header, and send the result over TCP/IP (port 502). The header is: transaction identifier (2 bytes, chosen by the master and echoed by the slave), protocol identifier (2 bytes, always 0), length (2 bytes, the number of bytes that follow, including the unit identifier), and unit identifier (1 byte, which takes the place of the RTU address byte). The "five zeros and a 6" that this is often summarised as is simply what the first six header bytes look like for a read request whose transaction identifier is 0: length 6 = unit identifier + function code + 4 data bytes.
1. Communication Transmission Method:
A transmission consists of a separate header and the encoded data that follows it. The definitions below are those of the Modbus RTU protocol:
Start Structure = silent interval of at least 3.5 character times (the source rounds this to 4 byte times)
Address Code = 1 byte
Function Code = 1 byte
Data Area = N bytes
Error Check = 16-bit CRC
End Structure = silent interval of at least 3.5 character times (the source rounds this to 4 byte times)
Address Code: the first byte of the frame. It tells which slave, as configured by the user, is to receive the master's message; each slave has a unique address code, and its response always begins with that code. In a master's frame the address names the destination slave; in a slave's frame it identifies the slave that replied.
Function Code: the second byte of the frame. The Modbus protocol defines function codes 1 to 127; a given instrument implements only a subset of them. In a request, the function code tells the slave what action to perform. In a normal response, the slave echoes the same function code, confirming that it carried out the master's operation. If the function code returned by the slave has its highest bit set (that is, the value is greater than 127: the requested code plus 128), the slave did not perform the operation; this exception response carries one further byte, the exception code, giving the reason (for example 01 illegal function, 02 illegal data address, 03 illegal data value, 04 slave device failure).
Data Area: varies with the function code. It carries the actual values, set points or addresses sent from the master to the slave, or returned from the slave to the master.
CRC Code: a two-byte error detection code, transmitted low byte first.
2. Communication Protocol:
When a command is sent to the instrument, the device whose address code matches receives it, strips the address code, reads the content and, if there is no error, carries out the requested action; it then returns the result to the sender. The reply contains the address code, the function code of the action performed, the result data and the error check code. A frame that fails the error check, or that is addressed to another slave, is silently ignored; a correctly received request that the slave cannot carry out is answered with an exception response (function code with the high bit set, followed by an exception code).
1. Information Frame Structure
Address Code | Function Code | Data Area | Error Check Code
--- | --- | --- | ---
8 bits | 8 bits | N × 8 bits | 16 bits
The address code is the first byte (8 bits) of the frame, so it can hold 0 to 255; Modbus assigns 1 to 247 to slaves, 0 is the broadcast address (all slaves act, none replies), and 248 to 255 are reserved. The byte tells which slave, as configured by the user, is to receive the master's message. Each slave must have a unique address code, and only the slave whose address matches responds. In the slave's reply, the address code identifies where the information came from.
The function code sent by the master tells the slave what task to perform. The function codes listed in Table 1-1 have specific meanings and operations.
The data area contains the actions that the slave needs to perform or the information collected and returned by the slave. This information can be values, reference addresses, etc. For example, if the function code tells the slave to read the value of a register, the data area must include the starting address of the register to be read and the read length. The address and data information may differ for different slaves.
The error check code lets the master or the slave decide whether a received frame was corrupted. Electrical noise and other interference can alter bits in transit; the check stops either side from acting on a corrupted frame, improving the reliability of the system. The check used is CRC-16. It is an error-detection code, not a security control: anyone who can put bytes on the bus, or reach the TCP port, can compute a valid CRC for a frame of their own.
Note: The format of the information frame is generally the same: address code, function code, data area, and error check code.
2. Error Check
The Cyclic Redundancy Check (CRC) is 2 bytes, or 16 bits, long. The sending device calculates the CRC over the frame and appends it, low byte first, to the end of the message. The receiving device recalculates the CRC over the received bytes (excluding the last two) and compares the result with the CRC it received; a mismatch indicates an error and the frame is discarded.
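As an added example (Python, not code from the original article), the following computes the Modbus RTU CRC-16 described in this section, builds and verifies RTU frames, and performs the RTU to TCP conversion sketched in the introduction (strip the CRC, prepend the MBAP header, and back). The sample frame is the article's read-coils request [11][01][00][13][00][25]; the function names are this example's own.

```python
# Added example (not from the original article): Modbus RTU CRC-16 and
# RTU <-> Modbus TCP (MBAP) framing. Function names are this example's own.
import struct


def crc16_modbus(data: bytes) -> int:
    """CRC-16 as used by Modbus RTU: polynomial 0x8005 bit-reflected to
    0xA001, initial value 0xFFFF, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 0x0001:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def rtu_frame(address: int, function: int, data: bytes) -> bytes:
    """Build an RTU frame: address, function code, data, CRC (low byte first)."""
    body = bytes([address, function]) + data
    return body + struct.pack("<H", crc16_modbus(body))  # "<H": little-endian


def rtu_check(frame: bytes) -> bool:
    """Recompute the CRC over the frame minus its last two bytes and compare
    it with the transmitted value, exactly as the receiver does."""
    if len(frame) < 4:
        return False
    (received,) = struct.unpack("<H", frame[-2:])
    return crc16_modbus(frame[:-2]) == received


def rtu_to_tcp(frame: bytes, transaction_id: int = 0) -> bytes:
    """Strip the CRC and prepend the 7-byte MBAP header.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1).
    The RTU address byte becomes the unit id, so the length field counts
    unit id + function code + data.
    """
    if not rtu_check(frame):
        raise ValueError("CRC mismatch; refusing to forward a corrupted frame")
    unit_and_pdu = frame[:-2]
    mbap = struct.pack(">HHH", transaction_id, 0, len(unit_and_pdu))
    return mbap + unit_and_pdu


def tcp_to_rtu(packet: bytes) -> bytes:
    """Inverse direction: validate the MBAP header, drop it, append a CRC."""
    transaction_id, protocol_id, length = struct.unpack(">HHH", packet[:6])
    if protocol_id != 0 or length != len(packet) - 6:
        raise ValueError("malformed MBAP header")
    body = packet[6:]
    return body + struct.pack("<H", crc16_modbus(body))


if __name__ == "__main__":
    # Constructed input: the article's read-coils request for slave 0x11,
    # coils 20-56 (start address 0x0013, quantity 0x0025).
    frame = rtu_frame(0x11, 0x01, bytes([0x00, 0x13, 0x00, 0x25]))
    print("RTU :", frame.hex(" "))
    print("TCP :", rtu_to_tcp(frame).hex(" "))  # begins 00 00 00 00 00 06 11
    # Flip one bit in the last data byte: the CRC check must now fail.
    tampered = frame[:-3] + bytes([frame[-3] ^ 0x01]) + frame[-2:]
    print("CRC ok on tampered frame?", rtu_check(tampered))
```

The TCP output for the example begins with the bytes 00 00 00 00 00 06 followed by the unit identifier 11, which is the "five zeros and a 6" of the introduction. The tampered-frame check shows what the CRC buys (detection of a corrupted bit) and, by the same token, what it does not: a frame built with `rtu_frame` by anyone on the bus passes `rtu_check` just as well.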
3. Function Codes Supported by Modbus:
Function Code | Name | Function
--- | --- | ---
1 | Read Coil Status | Get the current status of a group of logical coils (ON/OFF)
2 | Read Input Status | Get the current status of a group of switch inputs (ON/OFF)
3 | Read Holding Registers | Get the current binary value in one or more holding registers
4 | Read Input Registers | Get the current binary value in one or more input registers
5 | Force Single Coil | Force the ON/OFF state of a logical coil
6 | Preset Single Register | Load a specific binary value into a holding register
7 | Read Exception Status | Get the status of 8 internal coils, determined by the controller
8 | Return Diagnostic | Send diagnostic messages to the slave to evaluate communication processing
9 | Programming (only for 484) | Enable the master to act as a programmer to modify the logic of the PC slave
10 | Inquiry (only for 484) | Allows the master to communicate with a slave executing a long program task, inquiring whether the slave has completed its operation; only sent after a message containing function code 9
11 | Read Event Counter | Allows the master to send a single inquiry and immediately determine whether the operation was successful, especially when this command or other responses cause communication errors
12 | Read Communication Event Log | Allows the master to retrieve the Modbus transaction communication event log from each slave. If a transaction is completed, the log provides information about errors
13 | Programming (184/384, 484, 584) | Allows the master to simulate programming functionality to modify the logic of the PC slave
14 | Inquiry (184/384, 484, 584) | Allows the master to communicate with a slave executing a task, regularly inquiring whether the slave has completed its program operation; only sent after a message containing function code 13
15 | Force Multiple Coils | Force the ON/OFF state of a series of consecutive logical coils
16 | Preset Multiple Registers | Load specific binary values into a series of consecutive holding registers
17 | Report Slave ID | Allows the master to determine the type of the addressed slave and the state of the slave's running indicator
18 | (884 and MICRO 84) | Allows the master to simulate programming functionality to modify the logic of the PC slave
19 | Reset Communication Link | After an unrecoverable error, reset the slave to a known state, allowing the byte order to be reset
20 | Read General Parameters (584L) | Display data information in the extended memory file
21 | Write General Parameters (584L) | Write or modify general parameters in the extended memory file
22-64 | Reserved for extended functions |
65-72 | Reserved for user functions | Reserved for user function expansion codes
73-119 | Illegal Function |
120-127 | Reserved | For internal use
128-255 | Reserved | For exception responses
4. Detailed Explanation of Function Code Commands:
Of these function codes, 1, 2, 3, 4, 5 and 6 are the most commonly used; they read and write the digital (coil) and analog (register) quantities of the field device, that is, the slave.
1. Command 01, Read Readable and Writable Digital Registers (Coil Status):
The computer sends the command: [Device Address] [Command Number 01] [Starting Register Address High 8 bits] [Low 8 bits] [Number of Registers to Read High 8 bits] [Low 8 bits] [CRC Check Low 8 bits] [CRC Check High 8 bits]
Example: [11][01][00][13][00][25][CRC Low][CRC High]
Meaning as follows:
<1> Device Address: several devices can share one RS-485 bus, so this byte selects which device the message is for. In the example it is device 17 (decimal 17 is hexadecimal 11).
<2> Command Number 01: the command number for reading coils is fixed at 01.
<3> Starting Address High 8 bits, Low 8 bits: the address of the first coil to read (addressing starts at 0). In the example the starting address is 0x0013 = 19, i.e. coil number 20.
<4> Register Count High 8 bits, Low 8 bits: how many coils to read from the starting address. In the example it is 0x0025 = 37 coils.
<5> CRC Check: Checks from the beginning up to this point.
Device Response: [Device Address] [Command Number 01] [Number of Returned Bytes] [Data1][Data2]…[Datan] [CRC Check Low 8 bits] [CRC Check High 8 bits]
Example: [11][01][05][CD][6B][B2][0E][1B] [CRC Low] [CRC High]
Meaning as follows:
<1> Device Address and Command Number are the same as above.
<2> Number of Returned Bytes: the count of data bytes that follow, i.e. n in Data1…n; 37 coils need 5 bytes.
<3> Data1…n: each byte packs 8 coils, least significant bit first, so bit 0 of Data1 is the coil at the starting address; a 0 bit means the coil is OFF (open) and a 1 bit means ON (closed). In the example Data1 = CD = 1100 1101, so coil 20 (address 19) is ON, coil 21 OFF, coils 22 and 23 ON, coils 24 and 25 OFF, coils 26 and 27 ON, and so on. If the number of coils requested is not a multiple of 8, the unused high bits of the last byte are padded with 0 and carry no meaning.
<4> CRC Check as above.
2. Command 05, Write Digital Quantity (Coil Status):
The computer sends the command: [Device Address] [Command Number 05] [Register Address to be Set High 8 bits] [Low 8 bits] [Data to be Set High 8 bits] [Low 8 bits] [CRC Check Low 8 bits] [CRC Check High 8 bits]
Example: [11][05][00][AC][FF][00][CRC Low][CRC High]
Meaning as follows:
<1> Device Address is the same as above.
<2> Command Number: The command number for writing digital quantities is fixed at 05.
<3> Register Address to be Set High 8 bits, Low 8 bits: Indicates the address of the switch to be set.
<4> Data to be Set High 8 bits, Low 8 bits: the state to write. [FF][00] switches the coil ON (closed) and [00][00] switches it OFF (open); any other value is illegal and is rejected with exception code 03 (illegal data value). The example switches coil 0x00AC = 172 ON.
<5> This command sets exactly one coil; command 15 sets several consecutive coils at once.
Device Response: on success the slave echoes the request unchanged. If the request cannot be carried out, the slave returns an exception response (command number 85 hex, i.e. 05 with the high bit set, followed by an exception code); only a frame that fails the CRC check or is addressed to another slave gets no reply at all.
3. Command 03, Read Readable and Writable Analog Registers (Holding Registers):
The computer sends the command: [Device Address] [Command Number 03] [Starting Register Address High 8 bits] [Low 8 bits] [Number of Registers to Read High 8 bits] [Low 8 bits] [CRC Check Low 8 bits] [CRC Check High 8 bits]
Example: [11][03][00][6B][00][03] [CRC Low][CRC High]
Meaning as follows:
<1> Device Address is the same as above.
<2> Command Number: The command number for reading analog quantities is fixed at 03.
<3> Starting Address High 8 bits, Low 8 bits: the address of the first holding register to read (addressing starts at 0). In the example the starting address is 0x006B = 107.
<4> Register Count High 8 bits, Low 8 bits: how many registers to read from the starting address; 3 in the example. Note that in the response each register occupies two bytes.
Device Response: [Device Address] [Command Number 03] [Number of Returned Bytes] [Data1][Data2]…[Data n] [CRC Check Low 8 bits] [CRC Check High 8 bits]
Example: [11][03][06][02][2B][00][00][00][64] [CRC Low] [CRC High]
Meaning as follows:
<1> Device Address and Command Number are the same as above.
<2> Number of Returned Bytes: Indicates the number of data bytes, which is the value of n in Data1, 2…n. In the example, it returns data for 3 analog quantities, since each analog quantity requires 2 bytes, totaling 6 bytes.
<3> Data1…n: Where [Data1][Data2] are the high 8 bits and low 8 bits of the first analog quantity, [Data3][Data4] are the high 8 bits and low 8 bits of the second analog quantity, and so on. In the example, the returned values are 555, 0, and 100.
<4> CRC Check as above.
4. Command 06, Write Single Analog Register (Holding Register):
The computer sends the command: [Device Address] [Command Number 06] [Register Address to be Set High 8 bits] [Low 8 bits] [Data to be Set High 8 bits] [Low 8 bits] [CRC Check Low 8 bits] [CRC Check High 8 bits]
Example: [11][06][00][01][00][03] [CRC Low] [CRC High]
Meaning as follows:
<1> Device Address is the same as above.
<2> Command Number: The command number for writing analog quantities is fixed at 06.
<3> Register Address to be Set High 8 bits, Low 8 bits: Indicates the address of the analog quantity register to be set.
<4> Data to be Set High 8 bits, Low 8 bits: Indicates the analog quantity data to be set. For example, in the example, it sets the value of register number 1 to 3.
<5> This command sets exactly one register; command 16 sets several consecutive registers at once.
Device Response: on success the slave echoes the request unchanged. If the request cannot be carried out, the slave returns an exception response (command number 86 hex, i.e. 06 with the high bit set, followed by an exception code); only a frame that fails the CRC check or is addressed to another slave gets no reply at all.
5. Command 16 (10 hex), Write Multiple Analog Registers (Holding Registers):
The computer sends the command: [Device Address] [Command Number 10] [Starting Register Address High 8 bits] [Low 8 bits] [Register Count High 8 bits] [Low 8 bits] [Byte Count] [Data to be Set High 8 bits] [Low 8 bits][……][……] [CRC Check Low 8 bits] [CRC Check High 8 bits]
Example: [11][10][00][01][00][01][02][00][05] [CRC Low] [CRC High]
Meaning as follows:
<1> Device Address is the same as above.
<2> Command Number: the command number for writing multiple analog registers is 16 decimal, which is 10 hexadecimal on the wire (the numbers 01, 03, 05 and 06 of the previous commands are the same in both bases, so the distinction did not matter there).
<3> Starting Register Address High 8 bits, Low 8 bits: the address of the first register to set; register 1 in the example.
<4> Register Count High 8 bits, Low 8 bits: the number of registers to set; 1 in the example.
<5> Byte Count: the number of data bytes that follow, which is twice the register count; 2 in the example.
<6> Data to be Set High 8 bits, Low 8 bits: one 16-bit value per register, in order. In the example register 1 is set to 5.
Device Response: unlike commands 05 and 06, the slave does not echo the whole command; it returns only the starting address and the register count: [Device Address] [Command Number 10] [Starting Register Address High 8 bits] [Low 8 bits] [Register Count High 8 bits] [Low 8 bits] [CRC Check Low 8 bits] [CRC Check High 8 bits]. For the example it returns:
[11][10][00][01][00][01] [CRC Low] [CRC High]
If the request cannot be carried out, the slave returns an exception response instead (command number 90 hex, i.e. 10 hex with the high bit set, followed by an exception code).
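The five commands above, as an added example (Python, not code from the original article): the functions build the request PDU for commands 01, 03, 05, 06 and 16, and decode the response PDU, including an exception response. A PDU is the command number plus its data; the device address in front and the CRC at the end belong to the RTU framing and are left out here. The decoded bytes are the article's own example responses; the function and field names are this example's own.

```python
# Added example (not from the original article): encode request PDUs and
# decode response PDUs for function codes 01, 03, 05, 06 and 16. Function
# names are this example's own.
import struct

EXCEPTION_MEANING = {
    0x01: "ILLEGAL FUNCTION",
    0x02: "ILLEGAL DATA ADDRESS",
    0x03: "ILLEGAL DATA VALUE",
    0x04: "SLAVE DEVICE FAILURE",
}


def read_coils_request(start: int, count: int) -> bytes:
    """Function 01: start address (0-based) and number of coils, big-endian."""
    return struct.pack(">BHH", 0x01, start, count)


def read_holding_registers_request(start: int, count: int) -> bytes:
    """Function 03: start address and number of 16-bit registers."""
    return struct.pack(">BHH", 0x03, start, count)


def write_single_coil_request(address: int, on: bool) -> bytes:
    """Function 05: only 0xFF00 (ON) and 0x0000 (OFF) are legal values."""
    return struct.pack(">BHH", 0x05, address, 0xFF00 if on else 0x0000)


def write_single_register_request(address: int, value: int) -> bytes:
    """Function 06: one 16-bit value."""
    return struct.pack(">BHH", 0x06, address, value & 0xFFFF)


def write_multiple_registers_request(start: int, values: list) -> bytes:
    """Function 16 (0x10 on the wire): start, register count, byte count, data."""
    data = b"".join(struct.pack(">H", v & 0xFFFF) for v in values)
    return struct.pack(">BHHB", 0x10, start, len(values), len(data)) + data


def decode_response(pdu: bytes, start: int = 0, count: int = 0) -> dict:
    """Decode a response PDU. 'start' and 'count' come from the matching
    request, because a read response carries neither."""
    func = pdu[0]
    if func & 0x80:  # exception: requested code + 0x80, then one exception code byte
        code = pdu[1]
        return {"function": func & 0x7F, "exception": code,
                "meaning": EXCEPTION_MEANING.get(code, "UNKNOWN")}
    if func in (0x01, 0x02):  # coil / input bits, least significant bit first
        nbytes = pdu[1]
        bits = [bool(b >> i & 1) for b in pdu[2:2 + nbytes] for i in range(8)]
        if count:
            bits = bits[:count]  # drop the zero padding in the last byte
        return {"function": func, "start": start, "coils": bits}
    if func in (0x03, 0x04):  # 16-bit registers, high byte first
        nbytes = pdu[1]
        regs = list(struct.unpack(">%dH" % (nbytes // 2), pdu[2:2 + nbytes]))
        return {"function": func, "start": start, "registers": regs}
    if func in (0x05, 0x06):  # the slave echoes the request
        address, value = struct.unpack(">HH", pdu[1:5])
        return {"function": func, "address": address, "value": value}
    if func in (0x0F, 0x10):  # start address and count only; data is not echoed
        first, n = struct.unpack(">HH", pdu[1:5])
        return {"function": func, "start": first, "count": n}
    raise ValueError("function code %d not handled in this example" % func)


if __name__ == "__main__":
    # Constructed input: the article's own example responses (address and CRC removed).
    coils = decode_response(bytes.fromhex("0105CD6BB20E1B"), start=19, count=37)
    print("coils 20-27 (addresses 19-26):", coils["coils"][:8])
    regs = decode_response(bytes.fromhex("0306022B00000064"), start=107, count=3)
    print("registers at 107-109:", regs["registers"])
    print("FC16 request:", write_multiple_registers_request(1, [5]).hex(" "))
    print("exception reply:", decode_response(bytes.fromhex("8102")))
```

Passing `count` from the request is what lets the decoder discard the padding bits in the last byte of a coil response; without it, a 37-coil read would appear to return 40 coils. The `0x80` test at the top is the check a master must make before trusting the rest of the reply: an exception response is only two bytes long, and reading it as a normal reply yields nonsense.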