ras019 Moaious Protocol modbus tools For test, simulation and programming. Protocol Description MODBUS® Protocol s @ messaging structure, widely used to establish master-shve communication between inteligent devices. A MODBUS message sert from 2 master to @ slave contains the address of the slave, the ‘command’ (e.g. ‘read register’ or ‘write register’), the data, ane 2 check sum (LRC oF CRC), Since Modbus protocol s just a messaging structure, ks Independent of the underlying physical layer. [eis traditionally implemented using RS232, RS422, or RSA8S ‘The Request ‘The function code in the request tes the addressed slave device what kind of action to perform. Tne data bytes contains any additional information that the slave wil need to perform the function. For example, function code 03 wil request the slave to read holng registers and respond with their contents. The data fld must contain the information teling the slave which Fegister to start at ane how meny registers to reed. The error check “els provides a mathog {or the slave to valdate the integrity of the message contents. ‘The Response 1 the slave maces a normal response, the function code in the response is an echo of the function code in the request. The data bytes contaln tne data collected by the slave, such as regster values or status. if an error occurs, the function code is modified to dicate that the response is an error response, and the data bytes contain a code that describes the error. The terror check fel alls the master to confi that the message contents are vald, Controlles can be setup to communicate on standard Modbus networks using ether of two transmission modes: ASCIL or RTU. ASCII Mode When controlkrs are setup to communicate on a Modbus network using ASCI (American Standard Code for Information Interchange) mode, each eight-bit byte In @ message & sent as two ASCII characters. The main advantage of this mode is that * alpws time intervals of up to fone second te occur between characters wienout causing an error. Coding System Hexadecimal ASCH printable characters 0 wu 9, Av: F Bits per Byte stare bit, 7 data bits, least sonficant bit sent frst 1 bt for even / odd party-no bi: for no party 1 stop bit if party s usec-2 brs ino party Error Checking LLongtudinal Redundancy Check (LRC) RTU Mode When controllers are setup to communicate on a Modbus network using RTU (Remote Terminal Unit) mode, each eight=bit byte In a message contains two four-br hexadecimal characters The main advantage ofthis moce fs that ts greater character density albws better data throughput than ASCI for the same baud rate. Each message must be transmitted in a continuous stream, Coding system Eight=bit Binary, hexadecimal 0... 9, A..F ‘Two hexadecimal characters contamnec in each eight-bi eld of the message Bits per Byte. stare bit, 8 data bits, least sianficant bit sent first 1 bt for even / odd party-no bi for no parity I stop bk if party s usee-2 Rs no party Error Check Field Cyclical Reduncancy Check (CRC) In ASCII moce, messages start with s colon ( :) character (ASCII 3A hex), ane end with 3 carriage return-ine feed (CALF) pair (ASCIT OD and OA hex). ‘The allowaoke characters transmitted for all other feds are hexedecimal 0 au. 9, As f Networked devices monitor tne network bus conthwuously for the colon character. When one is Feceved, each device decodes the next flld (the address field) to find out tls the addressea device. Interval of up to one second can elapse between characters within the message, If @ greater interval occurs, the receiving device assumes an exrar has occurred. A typical message frame is shown below, RTU Framing In RTU mode, messages start with a silent interval of at loa tps svn. madoustools.cormadbus Hire 3.5 character times. This & most 18ra82019 Moaious Protocol easily implemented as a mukiple of character limes at the baud rate thet is being used on the network (shown as T1-T2-T3-Ts in the figure below). The frst Feld tnen transmittec & the device address, ‘The allowable characters transmitted for all fields are hexadecimal... 9, A..F. Networked devices monitor the network bus continuously, including during the Silent intervals. When the fist fele (the address fled) is received, each deve cecodes to find out RS the addressed deve Following the lst transmitted character, a simlar interval of at least 3.5 character times marks the end of the message, A new message can begin after this interval The entie message frame must be transmitec as a continuous steam. Ifa silent interval of mare thar 1.5 character times occurs Sefore completion of the frame, the receiving device flushes the incomplete message and assumes that the next byte wll be the address field of @ new message, Simlary, #2 new message begins earler than 3.5 character times follwing a previous massage, the receiving device wil consider ita continuation of the arevous message, Ts wil Set an error, a5 tne value in the fnal CRC fled wil not De vale for the combined messages. A typical message frame is shown below. 3.5 Char time gorse Ftd ‘The address eld of a message frame contains two characters (ASCII) or eight bis (RTU). The Individual stave devices are assigned adaresses In the range of 1.247. Function Field ‘The Function Code field tells the addressed slave what function to perform. ‘The folowing functions are supported by Modbus poll READ NUT STATUS GaaEAD UT REGISTERS SEWRITE SIVGLE ReGisveR SEMRIE MITE Rranerens ‘The data fielé contains the requested or send data Contents of the Error Checking Field ‘Two kinds of error-checking methods are used for standard Modbus networks. The error checking eld contents depend upon the method that is being used. scr When ASCIt mode is used for character framing, the error-checking fie contains two ASC cnaracters. The error check characters are the result of 2 Longitucinal Redundancy Cneck (LRC) calctletion that s performed on the message contents, exclusive of the beginning colon and terminating CRLF characters. ‘The LRC characters are appended to the message as IRC Examale Code RTu When RTU mode is used for character framing, the error-checking field contahns a 16-bit value Implemented as two eight-bie bytes. The e-vor check value 's the resur of a Cyctcal Recundency Check calulation performed on the message contents. ‘The CRC fled appended to the message as the last fein the message. When this Is done, the low-order Byte of the field is appended fst, followed by the high-order byte. The CRC high-oréer byte is the last byte to be sent in the message, ‘CRC Example Code field preceding the CRLF Function 01 (O1hex) Read Coils Reads the ON/OFF status of discrete cols in the slave Request ‘The request message species the starting coll and quantity of cols to be read. Example of a recuest to read 10.22 (Coll 11 to 23) from slave device address jeld Name [RTU (hex) [ASCH Characters Ineeaer [None (Colon) ‘Slave Address loa ios Fruneton (on ion Starting Address Hi (oo loo Starting Address Lo [oa oa. (auantty af Cois Hi foo loo [Guantiy of Coit Lo loo loo. [error Check Lo lop lace a) [Eror Check Hi 98 Traler inone (RF [Total Bytes is hz, tps diva madbustools.commadbus ire 28ra82019 Moaious Protocol Response ‘The call status response message Is packed as one coll per bk of the data file. Status s Indicated as: tf the value ON, and O's the value OFF. The LSB of the ist data byte contains the coll addressed In the request. The other cols folw towara the nigh-order end of this oyte and from low order to high order in subsequent bytes. If the returned coll quantity is not a Truttple of elght, the remaining Dts in the fnal data byte wll be paddee with zeroes (toward the high-order end of the byte). The byte count ‘eld species the cuantity of complete bytes of aata, Example ofa response to the request [Feld Name [RTU (hex) [ASCH Characters iHescer inone I (Colon) ‘Stave Address (oa ioe FFuncton (on loa [Byte Count (oz loz [Data (Cots 7-10) fon ba, (bata (Cots 27...20) it Ina lerror Check Lo iss Lac Oe) [err Check Hi iso None rater [none (CR LE [Total Bytes, 2 hs Function 02(02hex) Read Discrete Inputs Reads the ON/OFF status of iscrate inputs in the slave, Request ‘The request message specifies the starting Input and quantity of inputs to be read. Example of a recuest to reac 20..22 (Input 10011 to 10023) from slave device address 4: [Field Name [RTU (hex) [ASCH Characters iHeeder [None I (Colon) ‘Suave address [oa ioe Fruncton (o2 loz Starting Address Hi (oo loo Starting Address Lo on oA. fauartty of inputs Hi (oa loo fauantty of inputs Lo (oD. loo. leror Check Lo 99 lace 3) [Err Check Hi i [rater [None eR [Total Bytes is 7 Response ‘The input status response message is packed as one input per bit ofthe data field. Status is Indieated as: 1 isthe value ON, and 01s the value OFF. The LSB of the fist data byte contains the input edcressed in the request, The other Mputs follow toward the high-order end of this byte and from low order to high order in subsequent nytes. IF the returned input quantity is not @ mukipke of eght, the remaining bits i the final date byte wil De padded with zeroes (toward the high-order end af the byte). The byte count fald species the quantty of complete bytes of data, Example of @ response to the request (Fela Name IRTU (hex) [ASCH Characters IHeecer [None I (Colon) ‘Sve Address [oa los Fruneton (02 loz iayte Count (oz loz (bata (inputs 172.10) [oa oa. ;Data (Inputs 27...20) mn it [Eror Check Lo (33 Lac OD) leror Check Hi ha iNone [Teer Inone (eR LF [Total Bytes i i Function 03 (03hex) Read Holding Registers Read the binary contents of holding registers in the slave. Request The request message specifies the starting register and quantity of registers to be reac. Example of a recuest to read 0..1 (register 40001 to 40002) from slave device 1 Field Name IRTU (hex) [ASCH Characters tps sven madbustools.cmmadbus Hiters19 Moaious Protocol Header INone I (Colon) Slave address fot ot Fruneton (03 ios ‘Starting Address Hi foo oo Starting Address Lo (oo loo (Quantity of Registers Hi foo loo (auantiy of Registers Lo (oz loz lErcor Check Lo ica Lac ten) [error Check Hi i) ral INone (RL [Total yes, 5 hi? Response ‘The register data in the response message are packed as two b high-oreer bits, and the second contains the low-order bis example ofa response to the request yes per realster with the binary contents right justified wehin each byte, For each rogster the fst byte contains the (Field Name IRTU (hex) [ASCH Characters Header [None I (Colon) ‘Suave address (on io Frunceon (os los iayte Count [oa low [bate ra (oa oo [bata Le los log [Data ra (oa loo [bata Le (05 os [Err Check Lo [Da Lac ED) [Error Check Hi iat None [Tealer INone (eR LE [Total Bytes 5 19 Function 04 (O4hex) Read Input Registers Read the binary contents of Input registers In the slave Request The request message spacifies the starting register and quanti of registers to be read Example ofa recuest to read 0...1 (register 30001 to 30002) from slave device 1 The register data in the response message are packed as two b high-oréer bts, and the second contains the lovrorder bis, Example ofa response to the request: (Field Name [RTU (hex) [ASCH Characters: iHeecer inone I (Colon) ‘Slave address ion ion Function (oa io Starting Address Hi (oo loo Starting Address Lo foo loo (aunty of Registers Hi (oa loo (quanty of Registers Lo (oz loz [err Check Lo (7a Lac 9 [Error Check Hi ice [Trailer INone eR [Total Bytes is 7 Response yes per register, with the binary contents right justified within each byte. For each regster the fist byte contains the Field Name [RTU (hex) [ASCH Characters Heeger [None F (Colon) Slave Aadress oy loa Frunetion loa log iayte Count [oa loa (Data ta loa loo [bata Lo (os ios [Data ta loa loo [bata to (05 os [err Check Lo ioe. lace q [Err Check Hi 6 iNone [Trailer None (eR LF [Total Bytes i i tps diva madbustools.commadbus irera82019 Moaious Protocol Function 05 (oShex) Write Single Coil Writes a single coll to ether ON or OFF. Request ‘The request message specifies the col reference to be written. Coit are addressed starting at zero-col 1 is addressed 95 0 ‘The requested ON / OFF state Is spectied by a constant in the request data fled. & value of FF (00 hex requests the coll to be ON. A vakie of 00 00 requests to be OFF Allather values are egal and will not affect the coil Here s an exemple of @ request to write coll 173 ON in slave device 17: (Field Name IRTU (hex) [ASCH Characters ineeder [None f (Colon) ‘Slave Address it ina FFuneton (os ios (coll Acarass Hi (oa loo (Coit Acdress Lo IAC c iweee Oata Hi iF loo were Date Lo (oa FF lercor Check Lo ise lac A [Eror Check Hi is6 rater [None (ca [Total Bytes is hz, Response ‘The normal response is an echo of the request, returned after the coll state has bsen write. Example of a response to the request [Field Name [RTU (hex) ASCH Characters IHeeger [None [ (Colon) Slave Address bt Ina Frunetion (05 ios (coll Acaress Hi (oa loo (Coit Acdress Lo lac c \were Data Hi iF oo iwrte Date Lo [oa FF. [Err Check Lo ise iac BH [error Check Hi ise [Tealer [None (eR [Total Bytes is 7 Function 06 (OShex) Write Single Register Writes a value into a single holding reeiste: Request ‘The request message species the register reference to be Wrkten, Registers are addressed starting at zero-regster 1 addressed as 0. ‘The requested Write value is specified in the request data field. Here is an example of a request to Wirke register 40002 to 00 03 hex in slave device 17, (Fela Name IRTU (hex) [ASCH Characters IHeecer [None (Colon) 'Shve Address ht Ina Fruneton (05 ioe Register Address Hi (oo loo Register Address Lo (on lox ieee Date Hi loo loo \Were Data Lo (05 ios lercor Check Lo [oa lace 5) [Eror Check Hi ‘95 [Tatler INone CRI [Total Bytes is 7, Response ‘The normal response Is an echo of the request, returned after the register contents have been wrkten, Field Name IRTU (hex) [ASCH Characters IHeeder [None [- (Colon) ‘Slave Address it Ina Fruneton (os ios (coll Acarass Hi foo loo (coll Acdress Lo (on loa tps sven madbustools.cmmadbus Hiters19 Moaious Protocol jwexe Data Hi loo loo iWere Data Lo (os ios [Eror Check Lo loa LACES) lerror Check Hi ios [Teer INone eRe [otal Bytes is iy Function 15 (OFhex) Write Multiple Colls Writes each collin @ sequence of cols to ether ON or OFF Request The request message specifies the col references to be written, Cols are addressed starting at zero-col 1is addressed as 0. ‘The requested ON / OFF states are spected by contents of the request data fel. A logical t inva bt postion of the field requests the corresponding cols to be ON. A logical O requests & to be OFF, Below isan example of a request to write a series of ten cos starting at coll 20 (addressed as 419, or 13 hex) in save devee 17, ‘The request data contents are two bytes: CO OL hex (1100 1101 0000 000: binary). The binary brs correspond to the colk in'tne following way: Bit: 11001 10100000001 Colt 27 26 25 24 23 2221 20------ 2928 The frst byte transmsted (CD hex) addresses cols 27... 20, with the least signficant bit acdressing the bwest col (20) inthis set, ‘The next byte transmitted (01 hex) addresses colls 29 and 28, with the least significant bit accressing the bwest coll (28) inthis set. Unused bits in the last data byte should be zero- fe [Feld Name [RTU (hex) [ASCH Characters IHeeaer [None i (Colon) ‘Slave Address nt int Function (oF oF (coll Acaress Hi (oo oo (Coit Acdress Lo 3 ns {quantity of Coils Hr (oo oo lauanty of Cois Lo [oa DA [Byte Count (02 loz irks Date Hi ico. ico \were Date Lo ion or lercor Check Lo iar inc 3) [Eror Check Hi (os [rater [None CRE [Total Bytes bt 23 Response. ‘The normal response returns the slave address, function code, starting address, and number of colb writen, Here & an exemple af a response to the request shown above (Field Name [RTU (hex) [ASCH Characters iHeeder [None (Colon) ‘Stave Address nt ina Frunction lor lor (coll Acdress Fi (oo oo (Coll Acdress Lo 3 ns [quart of Cois (oo loo [Quantiy of Cots Lo lon Da. lerror Check Lo is. ace 3} [Err Check Hi 99 [ater [None CRE [Total Bytes is 7. Function 16 (10hex) Write Multiple Registers Writes values ito @ sequence of holcing registers Request The requast message spacfies the reglster references to be written. Registers are addressed starting at zero-register 1 addressed as 0, tps diva madbustools.commadbus irera82019 Moaious Protocol ‘The requested write values are specified In the request data field. Data's packed as two bytes per racist. Here is an example of a request to write two registers starting at 40002 to 00 0A and 01 02 hex, in sleve device 17 [Field Name [RTU (hex) [ASCH Characters IHeeder [None (Colon) ‘Slave Address na ina Frunceon ia ho ‘Starting Address Hi (oa oo Starting Address Lo os ion (Quanty of Registers Hi foo loo (avantiy of Registers Lo (oz loz iayte Count [oa loa [Data ta loa loo joata Lo loa oa [Data ta ion loa [bata to (02 oz [err Check Lo ice Laces) [Eror Check Hi Fo [Trailer None RF [Total Bytes 13 3 Response ‘The normal response returns the slave address, function code, starting address, and quantity of registers written, Here Is an exemple of a response to the request shown above. jald Name [RTU (hex) [ASCH Characters iHeeder INone (Colon) ‘Stave Address ra ina Fruncton io ro. 'Starting Address Hi (oo loo Starting Address Lo ion ion [Quantiy of Registers Hi (oo loo (avantiy of Registers Lo (oz loz fervor Check Lo nz lac OO [Eror Check Hi 98 [iraier None RF [Total Byes is 7. LRC Example Code This function fs an example how to calculate a LRC BYTE using the C language. BYTE LRC (BYTE *nData, WORD wLength) ‘ 5 // RC char initializes for (int 4 = 0; 4 < wlengths S44) return (BYTE)(-nLRC)s DIF Ends URC CRC Example Code This function fs an example how to calculate a CRC word using the C language. WoRD cRCI6 (const BYTE *nbata, WORD Length) { static const MoRD weRCTablel] = { exesce, exe7a2, excact, excusi, exoect, expres, ex12c0, 6x1380, exeect, oxr781, bxcms, enn, ent, ees, ste, oxeset, ducte, oes, sroies, exo0e2) excece, frasce, exsate, eat, exaace, oxtoat, OxF9Cs, OXFee:, 013840, ex2ece, exerai, @xEDC:, OXECBi, @x2C80, exezct, 62340, OxE181, 6323C8, 9X2080, OxE0«1, tps diva madbustools.commadbus ire 7ra82019 Moaious Protocol Sxesoo; acct, nares, oxe740, rane, oxenco, exctee, oxo, Shot, o7kco, exrrao, ores, Sio200, exezet, exeaes, 817340, roser, oxseco, exs7e8, axs74t, Sree, wxaAet, exabes, 815840, thatoo, exatet, exares, oxarso, Sxesco, oxeato, aust, Suasch, ous, exetso, Stock, owes, areas, Oeics, ex70%0, e108, Seosct, oat, sas, Sxssco, sxc, asst, Sues, aces, oxaces, reich, oxo, exaose’)s BYTE nTemps while (wLength > « temp = tnatas+ * wcRciord; wcRevord eneword "*= wencTable(atenp]; > 3/7 End: CRAG Ccopyrght © 2019 Witte Sofware -Al nights reserved. tps sAvawimadbustools.crmadbus Hire