
Modbus: Soulimane MAMMAR

Modbus is a widely used protocol for industrial communication. It can operate over serial lines using Modbus RTU or ASCII, or over Ethernet using Modbus TCP. The document discusses the basics of Modbus including its master-slave architecture, data types, function codes, frame structure, and exceptions. Modbus TCP adds a header to frames but can also transport Modbus RTU messages over TCP.

Modbus

Soulimane MAMMAR

March 6, 2021
Modbus Overview

Modbus is one of the most commonly used protocols for field communications.
Protocol of choice for many automation hardware and software vendors.
    simplicity
    robustness
    openness
Modbus is a safe choice for organizations to commit to.
    There are always devices that support it.
Modbus does not prescribe a specific physical layer.
    Can work on top of RS-232, RS-485 or TCP/IP over Ethernet.


Modbus Overview

Different types of Modbus implementation:
    Modbus RTU (binary over serial link)
    Modbus ASCII (text-based over serial link)
    Modbus TCP (binary over TCP/IP transport)


Modbus RTU Protocol Overview

Modbus RTU is a master-slave protocol.
    Only the master is allowed to initiate communication.
    The other devices on the network are called slaves.
    They may only respond to the requests.
Modbus RTU can support up to 247 devices on the same physical network.
Modbus RTU encodes data as binary and uses big-endian encoding for 16-bit values.
    The most significant byte of a 16-bit word is sent first.


Modbus RTU Protocol Example

First, a master sends a request telling slave 1 to return the value of one register starting at address 2.

slave id (1 byte)
|  function code (read holding registers)
|  |  address of first register to read (2 bytes)
|  |  |     number of registers to read (2 bytes)
|  |  |     |     checksum (2 bytes)
|  |  |     |     |
01 03 00 02 00 01 25 CA

The request also includes a checksum. All slaves except for 1 must ignore the message. Slave 1 is expected to send a response message similar to the following:

slave id (repeats own id)
|  function code (repeats requested code)
|  |  number of bytes of data (2)
|  |  |  the value of the register (0x07FF)
|  |  |  |     checksum
|  |  |  |     |
01 03 02 07 FF FA 34


Modbus ASCII

Modbus ASCII works similarly to Modbus RTU.
    Uses text-based encoding of data.
    This makes requests and responses human-readable.
    Much less efficient.
Modbus ASCII is only used for testing and rarely in production.
Address, function, data, and LRC are all capital hexadecimal readable pairs of characters representing 8-bit values (0-255).
    For example, 122 (7 × 16 + 10) will be represented as 7A.
LRC is calculated as the sum of 8-bit values (excluding the start and end characters), negated (two's complement) and encoded as an 8-bit value.
Example:
    If address, function, and data encode as 247, 3, 19, 137, 0, and 10, their sum is 416. Two's complement (−416) trimmed to 8 bits is 96, represented as 60 in hexadecimal.
    Frame: :F7031389000A60<CR><LF>
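
The two serial checksums worked through in code, as an added example that is not part of the original slides: it recomputes the CRC bytes of the RTU request and response shown earlier and the LRC of the ASCII frame above, and rejects frames that fail the check. The slides do not give the RTU checksum algorithm; the code assumes the standard CRC-16/MODBUS (initial value 0xFFFF, reflected polynomial 0xA001, low byte sent first), and all function names are illustrative.

```python
# Added example (not from the slides). Assumes the standard CRC-16/MODBUS.

def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def rtu_frame(body: bytes) -> bytes:
    """Append the CRC to [ID][FC][DATA]; the low byte goes on the wire first."""
    return body + crc16_modbus(body).to_bytes(2, "little")

def rtu_is_valid(frame: bytes) -> bool:
    """Shortest RTU frame is ID + FC + 2 CRC bytes; reject anything shorter."""
    return len(frame) >= 4 and rtu_frame(frame[:-2]) == frame

def lrc(body: bytes) -> int:
    """Two's complement of the byte sum, trimmed to 8 bits."""
    return (-sum(body)) & 0xFF

def ascii_frame(body: bytes) -> str:
    """':' + capital hex pairs of body and LRC + CR LF."""
    return ":" + (body + bytes([lrc(body)])).hex().upper() + "\r\n"

def ascii_decode(frame: str) -> bytes:
    """Return the body of an ASCII frame, or raise ValueError if malformed."""
    if not (frame.startswith(":") and frame.endswith("\r\n")):
        raise ValueError("missing start or end characters")
    hex_part = frame[1:-2]
    if hex_part != hex_part.upper():
        raise ValueError("lowercase hex is not allowed")
    raw = bytes.fromhex(hex_part)          # ValueError on non-hex or odd length
    if len(raw) < 3 or lrc(raw[:-1]) != raw[-1]:
        raise ValueError("bad length or LRC mismatch")
    return raw[:-1]

if __name__ == "__main__":
    print(rtu_frame(bytes.fromhex("010300020001")).hex(" "))
    print(rtu_is_valid(bytes.fromhex("01030207FFFA34")))
    print(repr(ascii_frame(bytes([247, 3, 19, 137, 0, 10]))))
```

Both checksums detect transmission errors only; anyone able to write to the link can recompute them, so a valid CRC or LRC says nothing about who sent the frame.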



Limitations of Modbus RTU and ASCII

The low requirements and simplicity of the protocol have their drawbacks:

There is no good way to have multiple masters on the same network, or achieve two-way communication.
    No mechanism to control media access.
It's hard to support many slaves with serial links such as RS-485.
The bandwidth of serial links is limited to 115200 baud. This is quite low by modern standards, but still works for many applications.


Modbus TCP

Modbus TCP is an adaptation of Modbus to be used on top of modern TCP/IP networks.
There are two types of Modbus TCP implementation:
    Modbus RTU over TCP, which simply uses TCP as a transport layer for RTU messages.
    Normal Modbus TCP, which has some changes in the message format.
Because Modbus TCP uses Ethernet networks, the data transmission speed is much higher than in RTU using serial links.

The drawback is that a TCP/IP stack is much more difficult to support in some types of field devices where Modbus RTU would work fine.


Modbus RTU Data Frame

A Modbus data frame is a message transmitted over a Modbus network.
There are Request and Response frames.
    A request is a message from the master to a slave.
    A response is a message from the slave back to the master.
The length and the contents of the data frame vary based on the type of read/write operation being performed.


Modbus RTU Data Frame

Let's examine the basic structure of a request frame:

01 03 00 02 00 01 25 CA

01        03        00 02 00 01              25 CA
-----------------------------------------------------
slave id  function  function-specific data   CRC
1 byte    1 byte                             2 bytes

Modbus message in general form:

[ID][FC][DATA][CRC]


Modbus Addresses

Modbus devices have 4 types of addresses:
    Coil: 1-bit (boolean) read/write devices
    Discrete Input: similar to coils, but they are read-only
    Input Register: 16-bit words which you can both read and write via Modbus protocol.
    Holding Register: 16-bit words, but they are read-only


Function Codes
Read Coils - 0x01
This function code allows the master to query the state of slave’s coils.

Request
[ID][FC][ADDR][NUM][CRC]
ADDR - the address of the first coil (2 bytes)
NUM - the number of coils to read (2 bytes)
A read coils request is always 8 bytes long

Response
[ID][FC][BC][DATA(1+)][CRC]
BC - the number of bytes of DATA in the response (1 byte)
DATA - a sequence of bytes that contains the state of coils (1 byte per 8 coils)

Example:
Request:
ID   FC   ADDR    NUM     CRC
[01] [01] [00 0A] [00 02] [9D C9]
Response:
ID   FC   BC   DATA CRC
[01] [01] [01] [03] [11 89]

Function Codes
Read Discrete Inputs - 0x02
This function code allows the master to query the state of slave’s discrete inputs.

Request
[ID][FC][ADDR][NUM][CRC]
ADDR - the address of the first discrete input (2 bytes)
NUM - the number of discrete input to read (2 bytes)
A read discrete inputs request is always 8 bytes long

Response
[ID][FC][BC][DATA(1+)][CRC]
BC - the number of bytes of DATA in the response (1 byte)
DATA - a sequence of bytes that contains the state of discrete inputs (1 byte per 8 coils)

Example:
Request: (always 8 bytes)
ID   FC   BC   DATA CRC
[01] [02] [01] [02] [20 49]
Response: (at least 6 bytes)
ID   FC   BC   DATA CRC
[01] [02] [01] [02] [20 49]

Function Codes

Read Coils - 0x01
Read Discrete Inputs - 0x02
Read Holding Registers - 0x03
Read Input Registers - 0x04
Write Single Coil - 0x05
Write Single Register - 0x06
Write Multiple Coils - 0x0F
Write Multiple Registers - 0x10


Exception Response

In some cases a slave might be unable to process a master request. For such occasions Modbus defines an Exception Response Frame:

[ID][FC][EC][CRC]
FC - the function code of the request that led to the exception with the most significant bit set to 1 (1 byte)
EC - an exception code explaining what happened (1 byte)

Example of an exception response to a read coils request:

ID   FC   EC   CRC
[01] [81] [02] [C1 91]

The function code of read coils is 0x01, but in the exception response the most significant bit has been set to 1, so the code becomes 0x81:
0000 0001 => 1000 0001
  (0x01)       (0x81)


Standard Exception Codes

Most common Modbus exception codes:

01 - Illegal Function - The specified function code is not supported by the slave
02 - Illegal Data Address - The specified data address is not defined on the slave
03 - Invalid Data Value - The specified data is not valid
04 - Device Failure - Slave has failed to generate a response
05 - Acknowledge - Slave accepted the command and is processing it
06 - Busy - Slave is busy and will not process the message


Modbus TCP

Modbus TCP is the protocol designed for transmitting Modbus frames using the TCP/IP stack, typically over an Ethernet physical layer.
There are two ways Modbus and TCP can work together.
    Modbus TCP protocol
        The message (frame) has a different structure.
    Modbus RTU-over-TCP
        TCP is used to transport the exact same messages as are used in Modbus RTU.


Modbus TCP Frame

A Modbus TCP frame is different from a regular Modbus RTU frame.

To transform a Modbus RTU frame into a TCP frame we must:
    remove slave ID
    remove CRC bytes
    add MBAP header in the front of the message
[slave ID][data][CRC bytes]
[MBAP][data]
MBAP stands for Modbus Application Protocol.

The MBAP header itself has the following structure:

[transaction ID][protocol ID][ length ][unit id]
    2 bytes        2 bytes    2 bytes   1 byte
Transaction ID is a random number that is set by the master for each new request and must be used by the slave in the response.
Protocol ID is always 0 in Modbus TCP.
Length is the number of bytes following, including unit id and the remaining data.
Unit ID is a device address similar to slave id.
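
The RTU-to-TCP transformation and the MBAP header described above, together with the exception response frame from the earlier slide, as an added example that is not part of the original slides: it re-frames an RTU message for Modbus TCP and parses a received TCP frame while checking the protocol ID, the length field and the exception bit. Function names and the returned dictionary layout are illustrative assumptions.

```python
import struct

# Names as listed on the "Standard Exception Codes" slide.
EXCEPTIONS = {1: "Illegal Function", 2: "Illegal Data Address",
              3: "Invalid Data Value", 4: "Device Failure",
              5: "Acknowledge", 6: "Busy"}

def rtu_to_tcp(rtu: bytes, transaction_id: int) -> bytes:
    """[slave ID][data][CRC] -> [MBAP][data]; the CRC is dropped, not checked."""
    if len(rtu) < 4:
        raise ValueError("RTU frame too short")
    unit_id, pdu = rtu[0], rtu[1:-2]
    # Length counts the unit id plus everything after it.
    return struct.pack(">HHHB", transaction_id, 0, 1 + len(pdu), unit_id) + pdu

def parse_tcp(adu: bytes) -> dict:
    """Validate the MBAP header and split the frame; raise ValueError if malformed."""
    if len(adu) < 8:                        # 7-byte MBAP + function code
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0:
        raise ValueError("protocol ID must be 0")
    if length != len(adu) - 6:
        raise ValueError("length field does not match the bytes received")
    fc, data = adu[7], adu[8:]
    out = {"transaction_id": tid, "unit_id": unit, "function": fc & 0x7F,
           "data": data, "exception": None}
    if fc & 0x80:                           # most significant bit set: exception
        if len(data) != 1:
            raise ValueError("exception response must carry exactly one code byte")
        out["exception"] = EXCEPTIONS.get(data[0], "unknown code 0x%02X" % data[0])
    return out

if __name__ == "__main__":
    request = rtu_to_tcp(bytes.fromhex("01030002000125CA"), transaction_id=1)
    print(request.hex(" "))
    # Constructed: the slide's exception response [01][81][02] re-framed for TCP.
    print(parse_tcp(rtu_to_tcp(bytes.fromhex("018102C191"), transaction_id=2)))
```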



Thanks
