Understanding Modbus Communication Protocol

ModBus network is an industrial communication system formed by connecting programmable controllers with intelligent terminals and computers through public or local dedicated lines. Its system structure includes both hardware and software. It can be applied to various data acquisition and process monitoring.

The ModBus network has only one master, and all communication is initiated by it. The network can support up to 247 remote slave controllers, but the actual number of slaves supported depends on the communication equipment used. By adopting this system, each PC can exchange information with the central host without affecting its own control tasks.

To understand what Modbus communication protocol is, you can use various third-party small software for communication testing on-site.

Understanding Modbus Communication Protocol

The Modbus protocol includes ASCII, RTU, TCP, etc., and does not specify the physical layer. This protocol defines the message structure that controllers can recognize and use, regardless of the network through which they communicate. Standard Modicon controllers use RS232C to implement serial Modbus. The ASCII and RTU protocols of Modbus specify the structure of messages, data, commands, and responses. Data communication uses a Master/Slave method, where the Master sends a data request message, and the Slave can send data back to the Master in response after receiving the correct message; the Master can also directly send messages to modify Slave data, achieving bidirectional read and write.

The Modbus protocol requires data verification. In serial protocols, besides parity check, the ASCII mode uses LRC check, while the RTU mode uses 16-bit CRC check. However, the TCP mode does not have additional verification requirements because TCP is a reliable connection-oriented protocol. Additionally, Modbus uses a master-slave method to periodically send and receive data. In practical use, if a Slave site disconnects (e.g., due to failure or shutdown), the Master can diagnose it, and when the fault is repaired, the network can automatically reconnect. Thus, the reliability of the Modbus protocol is quite good.

For Modbus’s ASCII, RTU, and TCP protocols, TCP and RTU protocols are very similar. We just need to remove the two-byte checksum from the RTU protocol, then add five 0s and one 6 at the beginning of the RTU protocol and send it through the TCP/IP network protocol.

(1) Communication Transmission Method:

Communication transmission is divided into an independent information header and the encoded data sent. The following communication transmission method definitions are also compatible with the ModBus RTU communication protocol:

Initial structure = ≥4 bytes of time

Address code = 1 byte

Function code = 1 byte

Data area = N bytes

Error check = 16-bit CRC code

End structure = ≥4 bytes of time

Address code: The address code is the first byte of the communication transmission. This byte indicates that the slave with the user-defined address code will receive the information sent by the master. Each slave has a unique address code, and the response begins with its own address code. The address code sent by the master indicates the address of the slave to which the information will be sent, while the address code sent back by the slave indicates the address of the responding slave.

Function code: The second byte of the communication transmission. The ModBus communication protocol defines function numbers from 1 to 127. This instrument only utilizes a part of these function codes. As a request from the master, the function code tells the slave what action to perform. As a response from the slave, the function code sent by the slave is the same as the one sent by the master, indicating that the slave has responded to the master’s operation. If the highest bit of the function code sent by the slave is 1 (for example, function codes greater than 127), it indicates that the slave did not respond to the operation or an error occurred in sending.

Data area: The data area varies according to different function codes. The data area can be actual values, set points, addresses sent from the master to the slave, or addresses sent from the slave to the master.

CRC code: A two-byte error detection code.

(2) Communication Protocol:

When the communication command is sent to the instrument, the device with the corresponding address code receives the communication command, removes the address code, reads the information, and if no error occurs, performs the corresponding task; then sends the execution result back to the sender. The returned information includes the address code, the function code of the executed action, the data of the execution result, and the error check code. If an error occurs, no information is sent.

1. Information Frame Structure

Address code Function code Data area Error check code

8 bits 8 bits N × 8 bits 16 bits

Address code: The address code is the first byte (8 bits) of the information frame, ranging from 0 to 255. This byte indicates that the slave with the user-set address will receive the information sent by the master. Each slave must have a unique address code, and only the slave that matches the address code can respond. When the slave returns information, the corresponding address code indicates where the information comes from.

Function code: The function code sent by the master tells the slave what task to perform. The function codes listed in Table 1-1 have specific meanings and operations.

Data area: The data area contains what action the slave should perform or the information returned collected by the slave. This information can be values, reference addresses, etc. For example, if the function code tells the slave to read the value of a register, the data area must include the starting address of the register to be read and the read length. The address and data information are different for different slaves.

Error check code: The master or slave can use the check code to determine whether the received information is erroneous. Sometimes, due to electronic noise or other interferences, the information may undergo slight changes during transmission. The error check code ensures that the master or slave does not act on erroneous information during transmission. This increases the safety and efficiency of the system. The error check uses the CRC-16 check method.

Note: The format of the information frame is basically the same: address code, function code, data area, and error check code.

2. Error Check

The Redundant Cyclic Code (CRC) consists of 2 bytes, i.e., 16 bits. The CRC code is calculated by the sending device and placed at the end of the sent information. The receiving device recalculates the CRC code of the received information and compares it with the received CRC code. If the two do not match, it indicates an error.

(3) Function Codes Supported by Modbus:

Function Code

Name

Function

1

Read Coil Status

Get the current status of a set of logical coils (ON/OFF)

2

Read Input Status

Get the current status of a set of switch inputs (ON/OFF)

3

Read Holding Registers

Get the current binary value in one or more holding registers

4

Read Input Registers

Get the current binary value in one or more input registers

5

Force Single Coil

Force the ON/OFF state of a logical coil

6

Preset Single Register

Load a specific binary value into a holding register

7

Read Exception Status

Get the ON/OFF status of 8 internal coils, whose addresses are determined by the controller

8

Return Diagnostic

Send diagnostic check message to the slave to evaluate communication processing

9

Programming (only for 484)

Allows the master to simulate the programmer’s role, modifying the logic of the PC slave

10

Poll (only for 484)

Allows the master to communicate with a slave that is executing a long program task, inquiring whether that slave has completed its operation, only after sending a message with function code 9 can this function code be sent

11

Read Event Counter

Allows the master to issue a single inquiry and immediately determine whether the operation was successful, especially when this command or other responses produce communication errors

12

Read Communication Event Log

Allows the master to retrieve the ModBus transaction processing communication event log from each slave. If a transaction is completed, the log will provide information about errors

13

Programming (184/384 484 584)

Allows the master to simulate programming functions to modify the logic of the PC slave

14

Poll (184/384 484 584)

Allows the master to communicate with a slave that is executing a task, periodically polling whether that slave has completed its program operation, only after sending a message with function 13 can this function code be sent

15

Force Multiple Coils

Force the ON/OFF state of a series of consecutive logical coils

16

Preset Multiple Registers

Load specific binary values into a series of consecutive holding registers

17

Report Slave Identification

Allows the master to determine the type of the addressed slave and the status of the slave’s running indicator

18

(884 and MICRO 84)

Allows the master to simulate programming functions, modifying the PC status logic

19

Reset Communication Link

After a non-modifiable error occurs, resets the slave to a known state, can reset the sequence byte

20

Read General Parameters (584L)

Displays data information in the extended memory file

21

Write General Parameters (584L)

Writes or modifies general parameters into the extended storage file

22~64

Reserved for extended functions

65~72

Reserved for user functions

Reserved for user function extension codes

73~119

Illegal Function

120~127

Reserved

Reserved for internal use

128~255

Reserved

Used for abnormal responses

(3) Detailed Explanation of Function Code Commands:

Among these function codes, the most commonly used are function codes 1, 2, 3, 4, 5, and 6, which can be used for reading and writing digital and analog quantities of the lower machine.

1. Command 01, read readable and writable digital registers (coil status):

The computer sends the command: [Device Address] [Command Number 01] [Starting Register Address High 8 bits] [Low 8 bits] [Number of Registers to Read High 8 bits] [Low 8 bits] [CRC Check Low 8 bits] [CRC Check High 8 bits]

Example: [11][01][00][13][00][25][CRC Low][CRC High]

The meanings are as follows:

<1> Device Address: Multiple devices can be connected on a 485 bus, and the device address here indicates which device to communicate with. In the example, it is intended to communicate with device 17 (decimal 17 is hexadecimal 11).

<2> Command Number 01: The command number for reading digital quantities is fixed at 01.

<3> Starting Address High 8 bits, Low 8 bits: Indicates the starting address of the switch quantity to be read (starting address is 0). For example, in the example, the starting address is 19.

<4> Number of Registers High 8 bits, Low 8 bits: Indicates how many switch quantities to read from the starting address. In the example, it is 37 switch quantities.

<5> CRC Check: It checks from the beginning to this point.

Device Response: [Device Address] [Command Number 01] [Returned Byte Count] [Data1] [Data2] … [DataN] [CRC Check High 8 bits] [CRC Check Low 8 bits]

Example: [11][01][05][CD][6B][B2][0E][1B] [CRC High] [CRC Low]

The meanings are as follows:

<1> Device Address and Command Number are the same as above.

<2> Returned Byte Count: Indicates the number of data bytes, which is the value of n in Data1, Data2…n.

<3> Data1…n: Since each data is an 8-bit number, each data represents the value of 8 switch quantities, where each bit being 0 indicates the corresponding switch is OFF, and 1 indicates it is ON. For example, in the example, it represents that switch 20 (index number 19) is ON, switch 21 is OFF, switch 22 is ON, switch 23 is ON, switch 24 is OFF, switch 25 is OFF, switch 26 is ON, switch 27 is ON… If the inquired switch quantity is not a multiple of 8, the high part of the last byte is meaningless and set to 0.

<4> CRC Check is the same as above.

2. Command 05, write digital quantity (coil status):

The computer sends the command: [Device Address] [Command Number 05] [Register Address to Set High 8 bits] [Low 8 bits] [Data to Set High 8 bits] [Low 8 bits] [CRC Check Low 8 bits] [CRC Check High 8 bits]

Example: [11][05][00][AC][FF][00][CRC High][CRC Low]

The meanings are as follows:

<1> Device Address is the same as above.

<2> Command Number: The command number for writing digital quantities is fixed at 05.

<3> Register Address to Set High 8 bits, Low 8 bits: Indicates the address of the switch that needs to be set.

<4> Data to Set High 8 bits, Low 8 bits: Indicates the state of the switch that needs to be set. In the example, it is to close the switch. Note, this can only be [FF][00] for ON and [00][00] for OFF, any other value is illegal.

<5> Note that this command can only set the state of one switch at a time.

Device Response: If the command sent by the computer is successfully returned as is, otherwise there is no response.

3. Command 03, read readable and writable analog registers (holding registers):

The computer sends the command: [Device Address] [Command Number 03] [Starting Register Address High 8 bits] [Low 8 bits] [Number of Registers to Read High 8 bits] [Low 8 bits] [CRC Check High 8 bits] [CRC Check Low 8 bits]

Example: [11][03][00][6B][00][03][CRC High][CRC Low]

The meanings are as follows:

<1> Device Address is the same as above.

<2> Command Number: The command number for reading analog quantities is fixed at 03.

<3> Starting Address High 8 bits, Low 8 bits: Indicates the starting address of the analog quantity to be read (starting address is 0). For example, in the example, the starting address is 107.

<4> Number of Registers High 8 bits, Low 8 bits: Indicates how many analog quantities to read from the starting address. In the example, it is 3 analog quantities. Note that in the returned information, one analog quantity needs to return two bytes.

Device Response: [Device Address] [Command Number 03] [Returned Byte Count] [Data1] [Data2] … [DataN] [CRC Check High 8 bits] [CRC Check Low 8 bits]

Example: [11][03][06][02][2B][00][00][00][64] [CRC High] [CRC Low]

The meanings are as follows:

<1> Device Address and Command Number are the same as above.

<2> Returned Byte Count: Indicates the number of data bytes, which is the value of n in Data1, Data2…n. In the example, it returns 3 analog quantity data, as one analog quantity requires 2 bytes, so a total of 6 bytes.

<3> Data1…n: Where [Data1][Data2] are the high and low bytes of the first analog quantity, [Data3][Data4] are the high and low bytes of the second analog quantity, and so on. In the example, the returned values are 555, 0, and 100.

<4> CRC Check is the same as above.

4. Command 06, write a single analog register (holding register):

The computer sends the command: [Device Address] [Command Number 06] [Register Address to Set High 8 bits] [Low 8 bits] [Data to Set High 8 bits] [Low 8 bits] [CRC Check High 8 bits] [CRC Check Low 8 bits]

Example: [11][06][00][01][00][03][CRC High][CRC Low]

The meanings are as follows:

<1> Device Address is the same as above.

<2> Command Number: The command number for writing analog quantities is fixed at 06.

<3> Register Address to Set High 8 bits, Low 8 bits: Indicates the address of the analog quantity register that needs to be set.

<4> Data to Set High 8 bits, Low 8 bits: Indicates the analog quantity data that needs to be set. For example, in this case, the value of register 1 is set to 3.

<5> Note that this command can only set the state of one analog quantity at a time.

Device Response: If the command sent by the computer is successfully returned as is, otherwise there is no response.

5. Command 16, write multiple analog registers (holding registers):

The computer sends the command: [Device Address] [Command Number 16] [Register Address to Set High 8 bits] [Low 8 bits] [Data Quantity High 8 bits] [Data Quantity Low 8 bits] [Data to Set High 8 bits] [Low 8 bits][……][……] [CRC Check High 8 bits] [CRC Check Low 8 bits]

Example: [11][16][00][01][00][01][00][05][CRC High][CRC Low]

The meanings are as follows:

<1> Device Address is the same as above.

<2> Command Number: The command number for writing analog quantities is fixed at 16.

<3> Register Address to Set High 8 bits, Low 8 bits: Indicates the address of the analog quantity register that needs to be set.

<4> Data Quantity High 8 bits, Low 8 bits: Indicates the quantity of data to be set, here it is 1.

<5> Data to Set High 8 bits, Low 8 bits: Indicates the analog quantity data that needs to be set. For example, in this case, the value of register 1 is set to 5.

Device Response: If the command sent by the computer is successfully returned, otherwise there is no response.

How to Become an Industrial Robot Application Engineer?

Link: A lot of information here

Not just a conveyor of dry goods, ↓↓Long press to follow

Understanding Modbus Communication Protocol

Guidance Car Robot Academy ∣ Robot Craftsman Cradle

Related posts

  1. Understanding the Modbus Communication Protocol
  2. Understanding The Modbus Communication Protocol
  3. RS485 and Modbus Communication Protocol
  4. Understanding the Modbus Communication Protocol
  5. Understanding the Modbus Communication Protocol
  6. Modbus TCP Programming and Experimentation
  7. MODBUS Weight Instrument Communication with Siemens PLC
  8. Understanding Modbus RTU, ASCII, and TCP Protocols
  9. Introduction to Various Modbus Protocols
  10. Notes on Pitfalls Encountered with Modbus Protocol
  11. Modbus Communication Training Tutorial
  12. Summary of ModBus RTU Issues
  13. Understanding Modbus RTU Protocol
  14. Introduction to Modbus Protocol
  15. Detailed Explanation of SPI Protocol (Based on ZhiXin Z20K11X)
  16. UART Application Layer Protocol Design
  17. Modbus Software Resource Library
  18. Understanding the Modbus Communication Protocol
  19. ABB Robot Modbus/TCP Communication

Leave a Comment