
1. What is MODBUS?
1. Basic Concepts
MODBUS is a communication protocol initially advocated by MODICON (now a brand of Schneider Electric). It has gradually been recognized as a standard communication protocol through practical applications by most companies. As long as data communication or transmission is conducted according to this protocol, different systems can communicate with each other. Currently, this protocol is widely adopted in RS232/RS485 communication processes.
There are two commonly used MODBUS communication protocols: MODBUS ASCII and MODBUS RTU. Generally, MODBUS ASCII is used when the communication data volume is small and mainly consists of text, while MODBUS RTU is used when the communication data volume is large and consists of binary values.
In practical applications, to solve a specific problem, people often modify the MODBUS protocol to meet their needs (in fact, people frequently use self-defined protocols for communication, which can solve problems but are not very standardized). A more common practice is to make minor modifications to the protocol, while attaching the protocol format to the software documentation or directly placing it in the help section, making it convenient for users to communicate.
2. Brief Overview of the MODBUS Protocol
The ACRXXXE series instruments use the MODBUS-RTU communication protocol, which defines the checksum, data sequence, etc., all of which are necessary for specific data exchanges. The MODBUS protocol uses a master/slave response connection (half-duplex) on a single communication line, meaning that signals are transmitted in opposite directions along a single communication line. First, the master computer addresses a unique terminal device (slave), and then the response signal sent by the terminal device is transmitted back to the master in the opposite direction.
The MODBUS protocol only allows communication between the master (PC, PLC, etc.) and terminal devices, and does not permit data exchange between independent terminal devices. This prevents terminal devices from occupying the communication line during their own initialization and restricts each of them to responding only to queries addressed to it.
3. Query-Response Cycle
Query
The function code in the query message indicates what function the selected slave device should perform. The data segment contains any additional information required for the slave device to execute the function. For example, function code 03 is a request for the slave device to read holding registers and return their contents. The data segment must contain the information to inform the slave device: the starting register to read from and the number of registers to read. The error detection field provides a means for the slave device to verify whether the message content is correct.
Response
If the slave device generates a normal response, the function code in the response message matches the function code in the query message. The data segment includes the data collected from the slave device, such as register values or statuses. If an error occurs, the function code will be modified to indicate that the response message is erroneous, and the data segment will contain a code describing the error. The error detection field allows the master device to confirm whether the message content is usable.
4. Transmission Method
The transmission method refers to a series of independent data structures within a data frame and limited rules used for data transmission. Below is the definition of the transmission method compatible with the MODBUS protocol – RTU mode.
Each byte consists of:
· 1 start bit
· 8 data bits, with the least significant bit sent first
· No parity bit
· 1 stop bit
Error detection (Error checking): CRC (Cyclic Redundancy Check)
5. Protocol
When a data frame reaches the terminal device, it enters the addressed device through a simple “port,” which removes the “envelope” (data header) of the data frame, reads the data, and if there are no errors, executes the requested task. Then, it adds its own generated data back into the received “envelope” and returns the data frame to the sender. The returned response data contains the following content: the terminal slave address (Address), the executed command (Function), the requested data generated by executing the command (Data), and a checksum (Check). If any errors occur, there will be no successful response or an error indication frame will be returned.
6. Data Frame Format

7. Address (Address) Field

The address field is at the beginning of the frame and consists of one byte (8 bits), in decimal from 0 to 255. In our system, only addresses from 1 to 247 are used, with other addresses reserved. These bits indicate the address of the terminal device specified by the user, which will receive data from the connected master. Each terminal device’s address must be unique, and only the addressed terminal will respond to queries that contain that address. When the terminal sends back a response, the slave address data in the response informs the master which terminal is communicating with it.
8. Function (Function) Field
The function field code tells the addressed terminal what function to execute. The table below lists the function codes used by this series of instruments, along with their meanings and functions.

9. Data (Data) Field
The data field contains the data required for the terminal to execute a specific function or the data collected when the terminal responds to a query. The content of this data can be values, reference addresses, or set values. For example, the function code tells the terminal to read a register, and the data field must specify which register to start reading from and how many data points to read, with the embedded addresses and data varying according to type and content between the slave devices.
10. Error Check (Check) Field
This field allows the master and terminal to check for errors during the transmission process. Sometimes, due to electrical noise and other interferences, a set of data may change while being transmitted from one device to another on the line. Error checking ensures that the master or terminal does not respond to data that has changed during the transmission process, thereby improving system safety and efficiency. Error checking uses a 16-bit cyclic redundancy method (CRC16).
11. Error Detection Methods
Error checking (CRC) occupies two bytes and contains a 16-bit binary value. The CRC value is calculated by the transmitting device and then attached to the data frame. The receiving device recalculates the CRC value when receiving the data and compares it with the value in the received CRC field; if the two values are not equal, an error has occurred.
During CRC calculation, a 16-bit register is first preset to all 1s. Then each byte of the data frame is processed, bit by bit, against the current value of that register. Only the 8 data bits of each byte take part in generating the CRC; the start and stop bits, and any parity bit, do not affect it. To generate the CRC, each byte is XORed with the contents of the register, and the register is then shifted one bit to the right (toward the LSB), with the high bit filled with “0”. The bit shifted out (the LSB) is examined: if it is 1, the register is XORed with the preset fixed value (0A001H); if it is 0, nothing is done.
This process is repeated until 8 shift operations are completed. After the last bit (the 8th bit) is shifted out, the next 8-bit byte is XORed with the current value of the register, and the same 8 shift XOR operations are performed. When all bytes in the data frame have been processed, the final value generated is the CRC value.
12. The Process of Generating a CRC is as Follows
· Preset a 16-bit register to 0FFFFH (all 1s); this is the CRC register.
· XOR the 8 bits of the first byte in the data frame with the low byte of the CRC register, storing the result back in the CRC register.
· Shift the CRC register one bit to the right, filling the high bit with 0, and examine the bit shifted out.
· If the shifted-out bit is 0, repeat the third step (next shift); if it is 1, XOR the CRC register with the preset fixed value (0A001H).
· Repeat the third and fourth steps until 8 shifts have been done; this processes one complete byte.
· Repeat steps 2 to 5 for the next byte until all bytes have been processed.
· The final value of the CRC register is the CRC value.
Additionally, there is a method of calculating CRC using a preset table, which is characterized by fast computation speed, but requires a large storage space for the table. This method will not be elaborated here; please refer to related materials.
13. Detailed Explanation of Communication Application Format
This section will use examples in the format shown in the figure (numbers are in hexadecimal).

Addr: Slave Address
Fun: Function Code
Data start reg hi: Starting Address High Byte
Data start reg lo: Starting Address Low Byte
Data #of reg hi: Number of Registers High Byte
Data #of reg lo: Number of Registers Low Byte
CRC16 Hi: Cyclic Redundancy Check High Byte
CRC16 Lo: Cyclic Redundancy Check Low Byte
14. Read Data (Function Code 03)
Query Data Frame
This function allows users to obtain data collected and recorded by the device and system parameters. The master can request an unlimited number of data points at once, but it cannot exceed the defined address range. The example below reads 3 basic data points (each address occupies 2 bytes) from slave 01, where the address for UA is 0025H, UB is 0026H, and UC is 0027H.

Response Data Frame
The response includes the slave address, function code, number of data points, and CRC error check. The example below shows the response for reading UA, UB, UC (UA=082CH, UB=082AH, UC=082CH).

Error Indication Code
If the address requested by the master does not exist, it returns the error indication code: FFH.
2. Characteristics
MODBUS has the following characteristics:
1. Standard and open; users can freely and confidently use the MODBUS protocol without paying licensing fees or infringing on intellectual property rights. Currently, more than 400 manufacturers support MODBUS, and over 600 types of products support MODBUS.
2. MODBUS can support multiple electrical interfaces, such as RS-232, RS-485, etc., and can transmit over various media, such as twisted pair, fiber optics, and wireless.
3. The frame format of MODBUS is simple, compact, and easy to understand. It is easy for users to use and simple for manufacturers to develop.
3. Function Code Definitions
1. ModBus Function Codes

4. Transmission Method
In the ModBus system, there are two transmission modes to choose from. The two modes are equivalent in the communication capability they give the slave; the choice depends on the ModBus master being used. Each ModBus system can only use one mode; mixing the two modes is not allowed. One mode is ASCII (American Standard Code for Information Interchange), and the other is RTU (Remote Terminal Unit).
Users select the desired mode, including serial communication parameters (baud rate, parity, etc.), when configuring each controller. All devices on a Modbus network must choose the same transmission mode and serial port parameters. The selected ASCII or RTU mode applies only to standard Modbus networks, defining each bit of the message segment continuously transmitted across these networks and determining how to package information into message fields and how to decode it. In other networks (like MAP and Modbus Plus), Modbus messages are converted into frame formats that are independent of serial transmission.
1. Transmission Mode Characteristics
ASCII printable characters facilitate fault detection and are suitable for master computers and PCs programmed in high-level languages (such as Fortran). RTU is suitable for computers and PC masters programmed in machine language.
Data transmitted in RTU mode consists of 8-bit binary characters. To convert to ASCII mode, each RTU character is first split into a high and a low part of 4 bits each, and each part is then converted to its hexadecimal equivalent. The ASCII characters used to form the message are all hexadecimal characters. Although ASCII mode uses twice as many characters as RTU mode, the decoding and processing of ASCII data are somewhat easier. Additionally, in RTU mode the message characters must be transmitted as a continuous data stream, whereas in ASCII mode characters may be separated by intervals of up to 1 second, accommodating slower machines.
The controller can be set to either of the two transmission modes (ASCII or RTU) for standard Modbus network communication.
2. ASCII Mode
When the controller is set to communicate in ASCII mode on the Modbus network, each 8-bit byte of a message is transmitted as 2 ASCII characters. For example, the value 63H in ASCII mode requires two characters: ASCII “6” (0110110) and ASCII “3” (0110011). ASCII characters may be 7 or 8 bits wide; the internationally common 7-bit form is the more frequent. The main advantage of this method is that the interval between characters can be as long as 1 second without causing an error.
Code System:
Hexadecimal, ASCII characters 0…9, A…F
Each character in the message is one hexadecimal digit sent as an ASCII character; each transmitted character consists of:
1 start bit
7 data bits, with the least significant bit sent first
1 parity bit, none if no parity
1 stop bit (when there is parity), 2 bits (when there is no parity)
Error Detection Field:
LRC (Longitudinal Redundancy Check)
3. RTU Mode
When the controller is set to communicate in RTU mode on the Modbus network, each 8-bit byte in the message is transmitted in its original value without processing, such as 63H, RTU will directly send 01100011. The main advantages of this method are that there are no gaps between data frame transmissions, and the density of transmitted data at the same baud rate is higher than that of ASCII, allowing for faster transmission.
Code System:
8-bit binary, hexadecimal numbers 0…9, A…F
Each 8-bit field in the message consists of one or two hexadecimal characters:
1 start bit
8 data bits, with the least significant bit sent first
1 parity bit, none if no parity
1 stop bit (when there is parity), 2 bits (when there is no parity)
5. Data Verification Methods
1. CRC
The CRC field is two bytes, containing a 16-bit binary value. It is calculated by the transmitting device and added to the message. The receiving device recalculates the CRC of the received message and compares it with the value in the received CRC field. If the two values differ, an error has occurred.
CRC starts with a 16-bit register initialized to all “1s”; then, a process is called to process the continuous 8-bit bytes in the message with the current value of the register. Only the 8-bit data in each character is valid for the CRC; the start bits, stop bits, and parity bits are invalid.
During the CRC generation process, each 8-bit character is individually XORed with the contents of the register, and the result is shifted towards the least significant bit, filling the most significant bit with 0. The LSB is extracted for detection; if it is 1, the register is XORed with a preset value; if it is 0, no action is taken. This process is repeated 8 times. After the last bit is processed, the next 8-bit byte is XORed with the current value of the register, and the same process is repeated until all bytes in the message have been processed. The final value in the register is the CRC value.
The CRC is added to the message with the low byte first, followed by the high byte.
The CRC-16 error checking procedure is as follows: the message (only the data bits; start bits, stop bits and the optional parity bit are not included) is treated as one continuous binary number with its most significant bit (MSB) first. The message is multiplied by X^16 (shifted left by 16 bits) and then divided by X^16 + X^15 + X^2 + 1, which can be written as the binary number 1,1000,0000,0000,0101. The integer quotient is discarded; the 16-bit remainder is appended to the message (MSB first) as the two CRC check bytes. The register is preset to all 1s before the division so that a message consisting entirely of zeros does not produce an all-zero check. When the receiving device divides the message together with its CRC bytes by the same polynomial, the remainder is zero if no errors occurred (equivalently, the receiving device computes the CRC itself and compares it with the transmitted CRC).
All calculations are modulo 2 (no carry). Devices accustomed to sending data in streams will prefer to send the rightmost character (LSB – least significant bit). In generating CRC, the first bit sent should be the most significant bit (MSB) of the dividend. Because no carry is used in the calculations, for ease of operation, the CRC calculation should treat the MSB as the rightmost bit. The bit order of the polynomial must also be reversed to maintain consistency. The MSB of the polynomial is omitted as it only affects the quotient and does not affect the remainder.
Steps to Generate the CRC-16 Check Bytes:
① Load a 16-bit register with all bits set to 1.
② XOR the high byte of this 16-bit register with the first 8 bits of the message. The result is placed back into this 16-bit register.
③ Shift this 16-bit register to the right by one bit.
④ If the shifted-out bit is 1, XOR this register with the polynomial 1010,0000,0000,0001 (0A001H); if the shifted-out bit is 0, return to step ③.
⑤ Repeat steps ③ and ④ until 8 bits are shifted out.
⑥ XOR the next 8 bits with the 16-bit register.
⑦ Repeat steps ③ to ⑥ until all bytes of the message are XORed with the 16-bit register and shifted 8 times.
⑧ The content of this 16-bit register is the 2-byte CRC error check, which is appended to the message.
Additionally, in some non-ModBus communication protocols CRC16 is often used as a verification method, and variants of CRC16 have emerged: some use the CRC16 polynomial X^16 + X^15 + X^2 + 1 with the 16-bit register initially loaded with 0000; others use the reversed CRC16 polynomial X^16 + X^14 + X^1 + 1 with an initial register value of either 0000 or FFFFH.
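The bitwise procedure of steps ① to ⑧ (the same steps as in section 12) and the table-driven variant that section 12 mentions but does not spell out, as an added Python example that is not code from the original article. It checks the result against the function 03 query frame from section 14 (slave 11H, starting register 006BH, 3 registers) and places the CRC low byte first on the wire, as section 5.1 states.

```python
# Added example (not from the article): Modbus RTU CRC-16 computed two ways.

def crc16_bitwise(data: bytes) -> int:
    """Steps 1-8 above: preset 0FFFFH, XOR each byte into the low byte,
    shift right 8 times, XOR 0A001H whenever the shifted-out bit is 1."""
    crc = 0xFFFF                              # step 1: all ones
    for byte in data:
        crc ^= byte                           # step 2: XOR into the low byte
        for _ in range(8):                    # steps 3-5: eight shift rounds
            shifted_out = crc & 0x0001
            crc >>= 1                         # high bit is filled with 0
            if shifted_out:
                crc ^= 0xA001                 # x^16+x^15+x^2+1, bit-reversed
    return crc                                # step 8: register is the CRC


def _make_table() -> list:
    """Precompute the register outcome of every possible input byte
    (the 'preset table' method the article mentions)."""
    table = []
    for value in range(256):
        crc = value
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
        table.append(crc)
    return table


CRC_TABLE = _make_table()


def crc16_table(data: bytes) -> int:
    """Same result as crc16_bitwise, one lookup per byte instead of 8 shifts."""
    crc = 0xFFFF
    for byte in data:
        crc = (crc >> 8) ^ CRC_TABLE[(crc ^ byte) & 0xFF]
    return crc


def append_crc(frame: bytes) -> bytes:
    """Trailer order on the wire: low byte first, then high byte."""
    crc = crc16_bitwise(frame)
    return frame + bytes([crc & 0xFF, crc >> 8])


def check_crc(frame: bytes) -> bool:
    """Receiver side: recompute over everything but the trailer and compare.
    Equivalently, with low-first order the CRC over the whole frame is 0."""
    if len(frame) < 3:
        return False
    crc = crc16_bitwise(frame[:-2])
    return frame[-2:] == bytes([crc & 0xFF, crc >> 8])


# Constructed input: the function 03 query frame from section 14,
# slave 11H, starting register 006BH, 3 registers.
QUERY = bytes.fromhex("1103006B0003")

if __name__ == "__main__":
    print(append_crc(QUERY).hex())            # 1103006b00037687
```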
2. LRC
LRC error checking is used in ASCII mode. This error check is an 8-bit binary number that can be transmitted as two ASCII hexadecimal bytes. The hexadecimal characters are converted to binary, and the non-carry binary characters are summed to generate the LRC error check (see diagram). This LRC is verified by the receiving device and compared with the transmitted LRC; colons (:), carriage return characters (CR), newline characters (LF), and any other non-ASCII hexadecimal characters inserted are ignored during the calculation.
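The ASCII-mode framing of sections 4.1 to 4.3 (two hexadecimal characters per byte, “:” start, CR LF end) together with the LRC of section 5.2, as an added Python example that is not code from the original article. Per the Modbus specification the LRC is the two's complement of the 8-bit no-carry sum of the message bytes, so the bytes plus the LRC sum to zero mod 256; the input is the function 03 query from section 14.

```python
# Added example (not from the article): Modbus ASCII framing with LRC.

def lrc(pdu: bytes) -> int:
    """Sum the bytes without carry (mod 256), then take the two's complement,
    so that the message bytes plus the LRC add up to 0 mod 256."""
    return (-sum(pdu)) & 0xFF


def rtu_to_ascii_frame(pdu: bytes) -> str:
    """Each 8-bit byte becomes two hex characters; the frame is ':' ... CR LF."""
    body = pdu + bytes([lrc(pdu)])
    return ":" + body.hex().upper() + "\r\n"


def ascii_frame_to_rtu(frame: str) -> bytes:
    """Parse an ASCII-mode frame back to bytes and verify its LRC.
    The ':' start and the CR LF end are outside the calculation."""
    if not frame.startswith(":") or not frame.endswith("\r\n"):
        raise ValueError("missing ':' start or CR LF end")
    hex_chars = frame[1:-2]
    if len(hex_chars) % 2 or any(c not in "0123456789ABCDEF" for c in hex_chars):
        raise ValueError("frame body must be pairs of upper-case hex digits")
    body = bytes.fromhex(hex_chars)
    if len(body) < 3:
        raise ValueError("frame too short for address, function and LRC")
    if sum(body) & 0xFF:             # data bytes plus LRC must sum to 0 mod 256
        raise ValueError("LRC mismatch")
    return body[:-1]                 # strip the LRC, return address+function+data


# Constructed input: the function 03 query from section 14 (11 03 00 6B 00 03).
QUERY = bytes.fromhex("1103006B0003")

if __name__ == "__main__":
    print(repr(rtu_to_ascii_frame(QUERY)))   # ':1103006B00037E\r\n'
```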
Comparison of Modbus and PROFIBUS-DP Protocols
Modbus protocol content is completely open, simple, and easy to implement; microcontrollers, PLCs, and DCS can all achieve it easily.
Profibus is somewhat more complex; it requires dedicated chips for secondary development and certification from higher organizations, which significantly increases development costs.
Of course, in terms of performance, serial-based Modbus RTU/ASCII communication cannot compare with Profibus DP, but for simple communication at the instrument level or small data volumes at the controller level, Modbus is sufficient. In simple terms, Modbus is the humble everyman, while Profibus is the rich and handsome one!
Function Codes Supported by Modbus
Function Code Command Details
Among these function codes, the most frequently used are 1, 2, 3, 4, 5, and 6, which can be used to perform read and write operations on digital and analog quantities of the lower machine.
1. Command 01, Read Writable Digital Registers (Coil Status):
The computer sends the command: [Device Address] [Command Code 01] [Starting Register Address High 8 Bits] [Low 8 Bits] [Number of Registers to Read High 8 Bits] [Low 8 Bits] [CRC Check Low] [CRC Check High]
Example: [11][01][00][13][00][25][CRC Low][CRC High]
Meaning:
<1> Device Address: Multiple devices can be connected on an RS-485 bus; the device address here indicates which device to communicate with. In the example, it is to communicate with device 17 (decimal 17 is hexadecimal 11).
<2> Command Code 01: The command code for reading digital quantities is fixed at 01.
<3> Starting Address High 8 Bits, Low 8 Bits: Indicates the starting address of the switch quantity to be read (the starting address is 0). For example, the starting address in the example is 19.
<4> Number of Registers High 8 Bits, Low 8 Bits: Indicates how many switch quantities to read starting from the starting address. In the example, it is 37 switch quantities.
<5> CRC Check: The check covers everything from the beginning of the frame up to this point.
Device Response: [Device Address] [Command Code 01] [Number of Returned Bytes] [Data 1] [Data 2] … [Data n] [CRC Check High] [CRC Check Low]
Example: [11][01][05][CD][6B][B2][0E][1B] [CRC High] [CRC Low]
Meaning:
<1> Device Address and Command Code are the same as above.
<2> Number of Returned Bytes: Indicates the number of bytes of data, which is the value of n in Data 1, 2 … n.
<3> Data 1 … n: Since each data is an 8-bit number, each data represents the value of 8 switch quantities, with each bit being 0 indicating that the corresponding switch is off and 1 indicating that it is on. In the example, it indicates that switch 20 (index number 19) is on, switch 21 is off, switch 22 is on, switch 23 is on, switch 24 is off, switch 25 is off, switch 26 is on, switch 27 is on … If the queried switch quantity is not an integer multiple of 8, the high part of the last byte is meaningless and set to 0.
<4> CRC Check is the same as above.
2. Command 05, Write Digital Quantity (Coil Status):
The computer sends the command: [Device Address] [Command Code 05] [Register Address High 8 Bits] [Low 8 Bits] [Data High 8 Bits] [Low 8 Bits] [CRC Check Low] [CRC Check High]
Example: [11][05][00][AC][FF][00][CRC High][CRC Low]
Meaning:
<1> Device Address is the same as above.
<2> Command Code: The command code for writing digital quantities is fixed at 05.
<3> Register Address High 8 Bits, Low 8 Bits: Indicates the address of the switch to be set.
<4> Data High 8 Bits, Low 8 Bits: Indicates the state of the switch to be set. In the example, it indicates that the switch is to be turned on. Note that this can only be [FF][00] for on and [00][00] for off; other values are invalid.
<5> Note that this command can only set the state of one switch at a time.
Device Response: If the command succeeds, the device echoes the command sent by the computer unchanged; otherwise there is no response.
3. Command 03, Read Writable Analog Registers (Holding Registers):
The computer sends the command: [Device Address] [Command Code 03] [Starting Register Address High 8 Bits] [Low 8 Bits] [Number of Registers to Read High 8 Bits] [Low 8 Bits] [CRC Check High] [CRC Check Low]
Example: [11][03][00][6B][00][03] [CRC High][CRC Low]
Meaning:
<1> Device Address is the same as above.
<2> Command Code: The command code for reading analog quantities is fixed at 03.
<3> Starting Address High 8 Bits, Low 8 Bits: Indicates the starting address of the analog quantity to be read (the starting address is 0). For example, the starting address in the example is 107.
<4> Number of Registers High 8 Bits, Low 8 Bits: Indicates how many analog quantities to read starting from the starting address. In the example, it is 3 analog quantities. Note that in the returned information, one analog quantity requires two bytes to return.
Device Response: [Device Address] [Command Code 03] [Number of Bytes Returned] [Data 1] [Data 2] … [Data n] [CRC Check High] [CRC Check Low]
Example: [11][03][06][02][2B][00][00][00][64] [CRC High][CRC Low]
Meaning:
<1> Device Address and Command Code are the same as above.
<2> Number of Bytes Returned: Indicates the number of bytes of data, which is the value of n in Data 1, 2 … n. In the example, 6 bytes are returned, as each analog quantity requires 2 bytes.
<3> Data 1 … n: Where [Data 1][Data 2] are the high and low bytes of the first analog quantity, [Data 3][Data 4] are the high and low bytes of the second analog quantity, and so on. The returned values in the example are 555, 0, and 100.
<4> CRC Check is the same as above.
4. Command 06, Write Single Analog Register (Holding Register)
The computer sends the command: [Device Address] [Command Code 06] [Register Address High 8 Bits] [Low 8 Bits] [Data High 8 Bits] [Low 8 Bits] [CRC Check High] [CRC Check Low]
Example: [11][06][00][01][00][03] [CRC High][CRC Low]
Meaning:
<1> Device Address is the same as above.
<2> Command Code: The command code for writing analog quantities is fixed at 06.
<3> Register Address High 8 Bits, Low 8 Bits: Indicates the address of the analog quantity register to be set.
<4> Data High 8 Bits, Low 8 Bits: Indicates the analog quantity data to be set. For example, in the example, the value of register 1 is set to 3.
<5> Note that this command can only set the state of one analog quantity.
Device Response: If the command succeeds, the device echoes the command sent by the computer unchanged; otherwise there is no response.
5. Command 16, Write Multiple Analog Registers (Holding Registers)
The computer sends the command: [Device Address] [Command Code 16] [Register Address High 8 Bits] [Low 8 Bits] [Data Quantity High 8 Bits] [Data Quantity Low 8 Bits] [Data High 8 Bits] [Low 8 Bits][……][……] [CRC Check High] [CRC Check Low]

Example: [11][16][00][01][00][01][00][05] [CRC High][CRC Low]
Meaning:
<1> Device Address is the same as above.
<2> Command Code: The command code for writing analog quantities is fixed at 16.
<3> Register Address High 8 Bits, Low 8 Bits: Indicates the address of the analog quantity register to be set.
<4> Data Quantity High 8 Bits, Low 8 Bits: Indicates the number of data points to be set, which is 1 here.
<5> Data High 8 Bits, Low 8 Bits: Indicates the analog quantity data to be set. For example, in the example, the value of register 1 is set to 5.
Device Response: If the command sent by the computer succeeds, the device returns a response; otherwise there is no response. The response format is: [Device Address] [Command Code 16] [Register Address High 8 Bits] [Low 8 Bits] [Data Quantity High 8 Bits] [Data Quantity Low 8 Bits] [CRC Check High] [CRC Check Low]; for the above example: [11][16][00][01][00][01] [CRC High][CRC Low]
Source: This article is adapted from the internet, and the copyright belongs to the original author. If there are any copyright issues, please contact us promptly for deletion. Thank you!