Understanding what the Modbus communication protocol is allows you to perform communication tests on-site using various third-party software.
The Modbus protocol includes ASCII, RTU, TCP, etc., and does not specify the physical layer. This protocol defines the message structure that controllers can recognize and use, regardless of the network used for communication. Standard Modicon controllers use RS232C to implement serial Modbus. The ASCII and RTU protocols of Modbus specify the structure of messages and data, commands, and responses. Data communication uses a Master/Slave method, where the Master sends a data request message, and the Slave responds with data to the Master after receiving the correct message; the Master can also directly send messages to modify the Slave’s data, achieving bidirectional read and write.
The Modbus protocol requires data verification. In serial protocols, besides parity check, the ASCII mode uses LRC check, while the RTU mode uses 16-bit CRC check. However, the TCP mode does not have additional verification requirements because the TCP protocol is a reliable connection-oriented protocol. Additionally, Modbus uses a master-slave method for timed data transmission. In practical use, if a Slave site disconnects (due to a fault or shutdown), the Master can diagnose it, and when the fault is repaired, the network can automatically reconnect. Therefore, the reliability of the Modbus protocol is quite good.
Among Modbus’s ASCII, RTU, and TCP protocols, TCP and RTU are very similar. We just need to remove the two-byte checksum from the RTU frame, prepend five zero bytes followed by a six, and send the result over the TCP/IP network.
(1) Communication Transmission Method:
Communication transmission is divided into an independent information header and the encoded data sent. The following communication transmission method definitions are also compatible with the Modbus RTU communication protocol:
Initial Structure = ≥4 bytes of time
Address Code = 1 byte
Function Code = 1 byte
Data Area = N bytes
Error Check = 16-bit CRC code
End Structure = ≥4 bytes of time
Address Code: The address code is the first byte of the communication transmission. This byte indicates which Slave with the user-defined address code will receive the information sent by the Master. Each Slave has a unique address code, and the response always starts with its own address code. The address code sent by the Master indicates the address of the Slave to which it will send the message, while the address code sent by the Slave indicates the address of the Slave responding.
Function Code: The second byte of the communication transmission. The Modbus communication protocol defines function numbers from 1 to 127. This instrument only uses a portion of these function codes. In a request sent by the Master, the function code tells the Slave what action to perform. In the Slave’s response, the function code is the same as the one sent by the Master, indicating that the Slave has responded to the Master’s operation. If the highest bit of the function code sent by the Slave is 1 (that is, the function code is greater than 127), it indicates that the Slave did not respond to the operation or that an error occurred in transmission.
Data Area: The data area varies according to different function codes. The data area can be actual values, set points, addresses sent from the Master to the Slave or from the Slave to the Master.
CRC Code: A two-byte error detection code.
(2) Communication Protocol:
When a communication command is sent to the instrument, the device with the corresponding address code receives the communication command, removes the address code, reads the information, and if there is no error, executes the corresponding task; then sends the execution result back to the sender. The returned information includes address code, function code of the executed action, result data after the action, and error check code. If there is an error, no information is sent.
1. Information Frame Structure
Address Code | Function Code | Data Area | Error Check Code |
8 bits | 8 bits | N × 8 bits | 16 bits |
Address Code: The address code is the first byte (8 bits) of the information frame, ranging from 0 to 255. This byte indicates which Slave with the user-defined address will receive the information sent by the Master. Each Slave must have a unique address code, and only the Slave with the matching address code can respond. When the Slave sends back information, the corresponding address code indicates where the information comes from.
Function Code: The function code sent by the Master tells the Slave what task to perform. The function codes listed in Table 1-1 have specific meanings and operations.
Data Area: The data area contains what action needs to be performed by the Slave or the information returned by the Slave. This information can be values, reference addresses, etc. For example, if the function code tells the Slave to read the value of a register, the data area must include the starting address of the register to be read and the read length. For different Slaves, the address and data information may differ.
Error Check Code: The Master or Slave can use the check code to determine whether there is an error in the received information. Sometimes, due to electronic noise or other interference, the information may undergo slight changes during transmission. The error check code ensures that the Master or Slave does not act on erroneous information during transmission. This increases the safety and efficiency of the system. The error check uses the CRC-16 check method.
Note: The format of the information frame is basically the same: address code, function code, data area, and error check code.
2. Error Check
The Cyclic Redundancy Check (CRC) code consists of 2 bytes, that is, 16 bits. The CRC code is calculated by the sending device and placed at the end of the sent information. The receiving device recalculates the CRC code of the received information and compares whether the calculated CRC code matches the received one. If they do not match, it indicates an error.
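As an added example (not code from the original article), the CRC-16 check described here and the RTU-to-TCP conversion from the opening section, in Python: it computes the Modbus CRC (initial value 0xFFFF, reflected polynomial 0xA001), appends it low byte first as Modbus RTU transmits it, verifies it on the receiving side, and replaces it with the 6-byte TCP header, which for the usual 6-byte request with transaction id 0 is exactly "five zeros and a six". Function names and the sample frame values are this example's own.

```python
# Added example, not from the original article: Modbus RTU CRC-16 and
# RTU -> TCP framing.  Function names are this example's own.
import struct

def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 0x0001:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc

def rtu_frame(address: int, function: int, payload: bytes) -> bytes:
    """Build [address][function][data...][CRC low][CRC high].
    Modbus RTU transmits the low-order CRC byte first."""
    body = bytes([address, function]) + payload
    return body + struct.pack("<H", crc16_modbus(body))

def rtu_check(frame: bytes) -> bool:
    """Receiver side: recompute the CRC over everything except the last
    two bytes and compare it with the CRC that was received."""
    if len(frame) < 4:  # address + function + 2 CRC bytes at minimum
        return False
    received = struct.unpack("<H", frame[-2:])[0]
    return crc16_modbus(frame[:-2]) == received

def rtu_to_tcp(frame: bytes, transaction_id: int = 0) -> bytes:
    """Strip the CRC and prepend the Modbus TCP (MBAP) fields: transaction
    id (2 bytes), protocol id 0 (2 bytes) and length (2 bytes) = number of
    bytes that follow, address byte included.  For the usual 6-byte request
    and transaction id 0 this is exactly "five zeros and a six"."""
    if not rtu_check(frame):
        raise ValueError("CRC mismatch, frame not converted")
    body = frame[:-2]
    return struct.pack(">HHH", transaction_id, 0, len(body)) + body

# Constructed sample: the article's read-coils request (device 0x11,
# start address 19, 37 coils), its CRC, and the same request over TCP.
READ_COILS_RTU = rtu_frame(0x11, 0x01, bytes([0x00, 0x13, 0x00, 0x25]))
READ_COILS_TCP = rtu_to_tcp(READ_COILS_RTU)
```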
(3) Function Codes Supported by Modbus:
Function Code | Name | Function |
1 | Read Coil Status | Get the current status of a group of logical coils (ON/OFF) |
2 | Read Input Status | Get the current status of a group of switch inputs (ON/OFF) |
3 | Read Holding Registers | Get the current binary value in one or more holding registers |
4 | Read Input Registers | Get the current binary value in one or more input registers |
5 | Force Single Coil | Force the state of a logical coil |
6 | Preset Single Register | Load a specific binary value into a holding register |
7 | Read Exception Status | Get the ON/OFF status of 8 internal coils, the addresses of these coils are determined by the controller |
8 | Return Diagnostic Check | Send diagnostic check message to the Slave for communication processing evaluation |
9 | Programming (for 484 only) | Allows the Master to simulate the programmer’s role to modify the PC Slave logic |
10 | Inquiry (for 484 only) | Allows the Master to communicate with a Slave that is executing a long program task, inquiring whether the Slave has completed its operational task, only after sending a message with function code 9 can this function code be sent |
11 | Read Event Count | Allows the Master to issue a single inquiry and immediately determine whether the operation was successful, especially when this command or other responses generate communication errors |
12 | Read Communication Event Log | Allows the Master to retrieve the ModBus transaction processing communication event log of each Slave. If a transaction is completed, the log will provide information about errors |
13 | Programming (for 184/384 484 584) | Allows the Master to simulate the programmer function to modify the PC Slave logic |
14 | Inquiry (for 184/384 484 584) | Allows the Master to communicate with a Slave that is executing a task, regularly inquiring whether the Slave has completed its program operation, only after sending a message with function 13 can this function code be sent |
15 | Force Multiple Coils | Force a series of continuous logical coils on and off |
16 | Preset Multiple Registers | Load specific binary values into a series of continuous holding registers |
17 | Report Slave Identification | Allows the Master to determine the type of addressed Slave and the status of the Slave’s operation indicator |
18 | (for 884 and MICRO 84) | Allows the Master to simulate the programming function to modify the PC state logic |
19 | Reset Communication Link | After a non-modifiable error occurs, the Slave resets to a known state, allowing the sequence byte to be reset |
20 | Read General Parameters (for 584L) | Display data information in the extended memory file |
21 | Write General Parameters (for 584L) | Write or modify general parameters in the extended storage file |
22~64 | Reserved for extended functions | |
65~72 | Reserved for user functions | Reserved for user function extended codes |
73~119 | Illegal Function | |
120~127 | Reserved | Reserved for internal use |
128~255 | Reserved | For abnormal responses |
(4) Detailed Explanation of Function Code Commands:
Among these function codes, the most commonly used are function codes 1, 2, 3, 4, 5, and 6, which can be used to perform read and write operations on digital and analog quantities of the lower machine.
1. Command 01, read readable and writable digital registers (coil status):
The computer sends the command: [Device Address] [Command Number 01] [Starting Register Address High 8 Bits] [Low 8 Bits] [Number of Registers to Read High 8 Bits] [Low 8 Bits] [CRC Check Low 8 Bits] [CRC Check High 8 Bits]
Example: [11][01][00][13][00][25][CRC Low][CRC High]
Meaning:
<1> Device Address: Multiple devices can be connected on an RS-485 bus, and the device address here indicates which device to communicate with. In the example, it is intended to communicate with device number 17 (decimal 17 is hexadecimal 11).
<2> Command Number 01: The command number for reading digital quantities is fixed as 01.
<3> Starting Address High 8 Bits, Low 8 Bits: Indicates the starting address of the switch quantity to be read (starting address is 0). For example, in the example, the starting address is 19.
<4> Number of Registers High 8 Bits, Low 8 Bits: Indicates how many switch quantities to read starting from the starting address. In the example, 37 switch quantities.
<5> CRC Check: Checks from the beginning up to this point.
The device responds: [Device Address] [Command Number 01] [Returned Byte Count] [Data1][Data2]…[DataN] [CRC Check High 8 Bits] [CRC Check Low 8 Bits]
Example: [11][01][05][CD][6B][B2][0E][1B] [CRC High] [CRC Low]
Meaning:
<1> Device Address and Command Number are the same as above.
<2> Returned Byte Count: Indicates the number of data bytes, which is the value of n in Data1, 2…n.
<3> Data1…n: Since each data is an 8-bit number, each data represents the value of 8 switch quantities, where each bit being 0 indicates the corresponding switch is off, and 1 indicates it is on. For example, in the example, it indicates that switch number 20 (index number 19) is closed, switch number 21 is off, switch number 22 is closed, and so on. If the queried switch quantity is not a multiple of 8, then the high part of the last byte is meaningless and should be set to 0.
<4> CRC Check as above.
2. Command 05, write digital quantity (coil status):
The computer sends the command: [Device Address] [Command Number 05] [Register Address to be Set High 8 Bits] [Low 8 Bits] [Data to be Set High 8 Bits] [Low 8 Bits] [CRC Check Low 8 Bits] [CRC Check High 8 Bits]
Example: [11][05][00][AC][FF][00][CRC High][CRC Low]
Meaning:
<1> Device Address is the same as above.
<2> Command Number: The command number for writing digital quantities is fixed as 05.
<3> Register Address to be Set High 8 Bits, Low 8 Bits: Indicates the address of the switch to be set.
<4> Data to be Set High 8 Bits, Low 8 Bits: Indicates the state of the switch to be set. In the example, it indicates that the switch should be closed. Note that only [FF][00] indicates closed and [00][00] indicates off; other values are illegal.
<5> Note that this command can only set one switch quantity at a time.
The device responds: if the command succeeds, the device returns the command sent by the computer unchanged; otherwise there is no response.
3. Command 03, read readable and writable analog registers (holding registers):
The computer sends the command: [Device Address] [Command Number 03] [Starting Register Address High 8 Bits] [Low 8 Bits] [Number of Registers to Read High 8 Bits] [Low 8 Bits] [CRC Check High 8 Bits] [CRC Check Low 8 Bits]
Example: [11][03][00][6B][00][03] [CRC High][CRC Low]
Meaning:
<1> Device Address is the same as above.
<2> Command Number: The command number for reading analog quantities is fixed as 03.
<3> Starting Address High 8 Bits, Low 8 Bits: Indicates the starting address of the analog quantity to be read (starting address is 0). For example, in the example, the starting address is 107.
<4> Number of Registers High 8 Bits, Low 8 Bits: Indicates how many analog quantities to read starting from the starting address. In the example, it is 3 analog quantities. Note that in the returned information, one analog quantity needs to return two bytes.
The device responds: [Device Address] [Command Number 03] [Returned Byte Count] [Data1][Data2]…[DataN] [CRC Check High 8 Bits] [CRC Check Low 8 Bits]
Example: [11][03][06][02][2B][00][00][00][64] [CRC High] [CRC Low]
Meaning:
<1> Device Address and Command Number are the same as above.
<2> Returned Byte Count: Indicates the number of data bytes, which is the value of n in Data1, 2…n. In the example, data for 3 analog quantities is returned; since each analog quantity requires 2 bytes, that is 6 bytes in total.
<3> Data1…n: where [Data1][Data2] are the high and low 8 bits of the first analog quantity, [Data3][Data4] are the high and low 8 bits of the second analog quantity, and so on. The returned values in the example are 555, 0, and 100.
<4> CRC Check as above.
4. Command 06, write a single analog quantity register (holding register):
The computer sends the command: [Device Address] [Command Number 06] [Register Address to be Set High 8 Bits] [Low 8 Bits] [Data to be Set High 8 Bits] [Low 8 Bits] [CRC Check High 8 Bits] [CRC Check Low 8 Bits]
Example: [11][06][00][01][00][03] [CRC High] [CRC Low]
Meaning:
<1> Device Address is the same as above.
<2> Command Number: The command number for writing analog quantities is fixed as 06.
<3> Register Address to be Set High 8 Bits, Low 8 Bits: Indicates the address of the analog quantity register to be set.
<4> Data to be Set High 8 Bits, Low 8 Bits: Indicates the analog quantity data to be set. For example, the value of register 1 is set to 3.
<5> Note that this command can only set one analog quantity at a time.
The device responds: if the command succeeds, the device returns the command sent by the computer unchanged; otherwise there is no response.
5. Command 16, write multiple analog quantity registers (holding registers):
The computer sends the command: [Device Address] [Command Number 16] [Register Address to be Set High 8 Bits] [Low 8 Bits] [Data Quantity High 8 Bits] [Data Quantity Low 8 Bits] [Data to be Set High 8 Bits] [Low 8 Bits][……][……] [CRC Check High 8 Bits] [CRC Check Low 8 Bits]
Example: [11][16][00][01][00][01][00][05] [CRC High] [CRC Low]
Meaning:
<1> Device Address is the same as above.
<2> Command Number: The command number for writing analog quantities is fixed as 16.
<3> Register Address to be Set High 8 Bits, Low 8 Bits: Indicates the address of the analog quantity register to be set.
<4> Data Quantity High 8 Bits, Low 8 Bits: Indicates the quantity of data to be set, which is 1 here.
<5> Data to be Set High 8 Bits, Low 8 Bits: Indicates the analog quantity data to be set. For example, the value of register 1 is set to 5.
The device responds (if the command succeeds; otherwise there is no response): [Device Address] [Command Number 16] [Register Address to be Set High 8 Bits] [Low 8 Bits] [Data Quantity High 8 Bits] [Data Quantity Low 8 Bits] [CRC Check High 8 Bits] [CRC Check Low 8 Bits]. For the above example it returns:
[11][16][00][01][00][01] [CRC High] [CRC Low]
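As an added example covering the five commands walked through above (not code from the original article), these helpers build the request bytes and decode the response bytes that sit between the device address and the CRC; beyond the page's own examples they also reject the exception response described earlier (function code with the highest bit set) and a response whose declared byte count does not match its actual length, both of which a receiver should check before acting on the data. Function 16 is written as 0x10 in hex, and the standard request carries a byte-count field between the data quantity and the data; function names are this example's own.

```python
# Added example, not from the original article: Modbus PDU encoders/decoders
# for commands 01, 03, 05, 06-style values and 16.  Names are this example's own.
import struct

def read_coils_request(start: int, count: int) -> bytes:
    """Command 01: [01][start hi][start lo][count hi][count lo]."""
    return struct.pack(">BHH", 0x01, start, count)

def read_holding_request(start: int, count: int) -> bytes:
    """Command 03: same layout as command 01, function code 03."""
    return struct.pack(">BHH", 0x03, start, count)

def write_single_coil_request(address: int, on: bool) -> bytes:
    """Command 05: only FF00 (on) and 0000 (off) are legal data values."""
    return struct.pack(">BHH", 0x05, address, 0xFF00 if on else 0x0000)

def write_multiple_registers_request(start: int, values: list) -> bytes:
    """Command 16 (0x10 hex): quantity, byte count, then 2 bytes per register."""
    data = b"".join(struct.pack(">H", v) for v in values)
    return struct.pack(">BHHB", 0x10, start, len(values), len(data)) + data

def is_exception_response(pdu: bytes, function: int) -> bool:
    """The slave signals an error by echoing the function code with bit 7 set."""
    return len(pdu) >= 2 and pdu[0] == (function | 0x80)

def read_response_data(pdu: bytes, function: int) -> bytes:
    """Return Data1..DataN of a read response after validating the function
    code and the declared byte count against the actual length."""
    if is_exception_response(pdu, function):
        raise ValueError(f"exception response, code {pdu[1]}")
    if len(pdu) < 2 or pdu[0] != function:
        raise ValueError("unexpected function code")
    data = pdu[2:]
    if len(data) != pdu[1]:
        raise ValueError("byte count does not match frame length")
    return data

def coils_from_response(pdu: bytes, start: int, count: int) -> dict:
    """Unpack the bit-packed coils: bit 0 of Data1 is coil `start`, and so on.
    Keys are 0-based coil addresses (the article's "index number")."""
    data = read_response_data(pdu, 0x01)
    if len(data) != (count + 7) // 8:
        raise ValueError("byte count does not match coil count")
    return {start + i: bool((data[i // 8] >> (i % 8)) & 1) for i in range(count)}

def registers_from_response(pdu: bytes) -> list:
    """Each holding register is two bytes, high byte first."""
    data = read_response_data(pdu, 0x03)
    if len(data) % 2:
        raise ValueError("odd byte count for 16-bit registers")
    return list(struct.unpack(f">{len(data) // 2}H", data))
```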
That’s all for today. We will continue to update the system knowledge we understand. Welcome everyone to continue following the WeChat public account “Automation Control System Communication”.