Chapter 4 (Modbus)

Uploaded by

21146290
Part 2: Modbus

Modbus History
Modbus and the ISO model
Physical layer
Link layer
Application layer
Profiles
Strengths - Weaknesses
4.1 History

The MODBUS protocol is a message handling structure created by MODICON in 1979 to connect PLCs to programming tools.

Today, this protocol is mainly used to set up master/client type communications with slaves/servers between intelligent devices.

MODBUS is independent of the physical layer. It can be implemented on RS232, RS422, or RS485 links as well as on a wide variety of other media (e.g. optical fibre, radio, etc.).
4.2 Modbus serial link and the ISO model
MODBUS on a serial link operates at 1200 to 56 Kbps with a master/slave access method.
4.3 Modbus Plus and the ISO model
MODBUS PLUS is a bus operating at 1 Mbps based on a token
ring access method which uses the MODBUS message handling
structure.
4.5 MODBUS Ethernet TCP/IP

MODBUS Ethernet TCP/IP uses TCP/IP and Ethernet 10 Mbps or 100 Mbps to carry the MODBUS message handling structure.
4.6 RS485 physical layer
Medium: Shielded twisted pair

Topology: Bus type with tap links and line terminators

Maximum distance: 1300 m without repeaters

Speed: 19,200 bps (56 Kbps on some products)

Max. no. of devices: 32 (1 master and 31 slaves)
Connectors recommended by Schneider
Example architecture
4.6 Link layer

Medium access method: Master/slave

Transmission method: Client/server

Max. size of useful data: 120 PLC words

Transmission security:
- LRC or CRC
- Start and stop delimiters
- Parity bit
- Continuous flow
Modbus ASCII and Modbus RTU

There are 2 versions of the MODBUS protocol:

- ASCII mode: Each byte in the frame is sent in 2-character ASCII format.
- RTU mode: Each byte in the frame is sent in 1-character 8-bit hexadecimal format. The main advantage of RTU mode is that it sends data more quickly.
- ASCII mode allows the insertion of a time interval of one second between 2 characters without generating a transmission error.
Modbus frame

The structure of a Modbus frame is the same for requests (message from the master to the slave) and responses (message from the slave to the master).
Modbus Example: Read Coil Status (FC=01)
Request
This command is requesting the ON/OFF status of discrete coils # 20 to 56 from the slave device with address 17.
11 01 0013 0025 0E84
11: The Slave Address (11 hex = address 17)
01: The Function Code 1 (read Coil Status)
0013: The Data Address of the first coil to read (0013 hex = 19, + 1 offset = coil #20)
0025: The total number of coils requested (25 hex = 37, coils 20 to 56)
0E84: The CRC (cyclic redundancy check) for error checking.
Response
11 01 05 CD6BB20E1B 45E6
11: The Slave Address (11 hex = address 17)
01: The Function Code 1 (read Coil Status)
05: The number of data bytes to follow (37 Coils / 8 bits per byte = 5 bytes)
CD: Coils 27 - 20 (1100 1101)
6B: Coils 35 - 28 (0110 1011)
B2: Coils 43 - 36 (1011 0010)
0E: Coils 51 - 44 (0000 1110)
1B: 3 space holders & Coils 56 - 52 (0001 1011)
45E6: The CRC (cyclic redundancy check)
Modbus Example: Read Input Status (FC=02)
Request
This command is requesting the ON/OFF status of discrete inputs # 10197 to 10218 from the slave device with address 17.
11 02 00 C4 00 16 BA A9
11: The Slave Address (11 hex = address 17)
02: The Function Code 2 (read Input Status)
00C4: The Data Address of the first input to read (00C4 hex = 196, + 10001 offset = input #10197)
0016: The total number of inputs requested (16 hex = 22, inputs 197 to 218)
BAA9: The CRC (cyclic redundancy check) for error checking.
Response
11 02 03 AC DB 35 20 18
11: The Slave Address (11 hex = address 17)
02: The Function Code 2 (read Input Status)
03: The number of data bytes to follow (22 Inputs / 8 bits per byte = 3 bytes)
AC: Discrete Inputs 10204 - 10197 (1010 1100)
DB: Discrete Inputs 10212 - 10205 (1101 1011)
35: 2 space holders & Discrete Inputs 10218 - 10213 (0011 0101)
2018: The CRC (cyclic redundancy check).
Modbus Example: Read Holding Registers (FC=03)
Request
This command is requesting the content of analog output holding registers # 40108 to 40110 from the slave device with address 17.
11 03 00 6B 00 03 76 87
11: The Slave Address (11 hex = address 17)
03: The Function Code 3 (read Analog Output Holding Registers)
006B: The Data Address of the first register requested (006B hex = 107, + 40001 offset = register #40108)
0003: The total number of registers requested (read 3 registers 40108 to 40110)
7687: The CRC (cyclic redundancy check) for error checking.
Response
11 03 06 AE 41 56 52 43 40 49 AD
11: The Slave Address (11 hex = address 17)
03: The Function Code 3 (read Analog Output Holding Registers)
06: The number of data bytes to follow (3 registers x 2 bytes each = 6 bytes)
AE41: The contents of register 40108
5652: The contents of register 40109
4340: The contents of register 40110
49AD: The CRC (cyclic redundancy check).
Modbus Example: Read Input Registers (FC=04)
Request
This command is requesting the content of analog input register # 30009 from the slave device with address 17.
11 04 00 08 00 01 B2 98
11: The Slave Address (11 hex = address 17)
04: The Function Code 4 (read Analog Input Registers)
0008: The Data Address of the first register requested (0008 hex = 8, + 30001 offset = input register #30009)
0001: The total number of registers requested (read 1 register)
B298: The CRC (cyclic redundancy check) for error checking.
Response
11 04 02 00 0A F8 F4
11: The Slave Address (11 hex = address 17)
04: The Function Code 4 (read Analog Input Registers)
02: The number of data bytes to follow (1 register x 2 bytes each = 2 bytes)
000A: The contents of register 30009
F8F4: The CRC (cyclic redundancy check).
Modbus Example: Force Single Coil (FC=05)
Request
This command is writing the contents of discrete coil # 173 to ON in the slave device with address 17.
11 05 00 AC FF 00 4E 8B
11: The Slave Address (11 hex = address 17)
05: The Function Code 5 (Force Single Coil)
00AC: The Data Address of the coil (coil# 173 - 1 = 172 = AC hex).
(00AC hex = 172, + 1 offset = coil #173)
FF00: The status to write (FF00 = ON, 0000 = OFF)
4E8B: The CRC (cyclic redundancy check) for error checking.
Response
The normal response is an echo of the query, returned after the coil has been written.
11 05 00AC FF 00 4E 8B
11: The Slave Address (11 hex = address 17)
05: The Function Code 5 (Force Single Coil)
00AC: The Data Address of the coil (coil# 173 - 1 = 172 = AC hex)
FF00: The status written (FF00 = ON, 0000 = OFF)
4E8B: The CRC (cyclic redundancy check) for error checking.
Modbus Example: Preset Single Register (FC=06)
Request
This command is writing the contents of analog output holding register # 40002 to the slave device with address 17.
11 06 0001 0003 9A9B
11: The Slave Address (11 hex = address 17)
06: The Function Code 6 (Preset Single Register)
0001: The Data Address of the register (0001 hex = 1, + 40001 offset = register #40002)
0003: The value to write
9A9B: The CRC (cyclic redundancy check) for error checking.
Response
The normal response is an echo of the query, returned after the register contents have been written.
11 06 0001 0003 9A9B
11: The Slave Address (11 hex = address 17)
06: The Function Code 6 (Preset Single Register)
0001: The Data Address of the register (# 40002 - 40001 = 1)
0003: The value written
9A9B: The CRC (cyclic redundancy check) for error checking.
Modbus Example: Force Multiple Coils (FC=15)
Request
This command is writing the contents of a series of 10 discrete coils from #20 to #29 to the slave device with address 17.
11 0F 0013 000A 02 CD01 BF0B
11: The Slave Address (11 hex = address 17)
0F: The Function Code 15 (Force Multiple Coils, 0F hex = 15)
0013: The Data Address of the first coil (0013 hex = 19, + 1 offset = coil #20)
000A: The number of coils to write (0A hex = 10)
02: The number of data bytes to follow (10 Coils / 8 bits per byte = 2 bytes)
CD: Coils 27 - 20 (1100 1101)
01: 6 space holders & Coils 29 - 28 (0000 0001)
BF0B: The CRC (cyclic redundancy check) for error checking.
The more significant bits contain the higher coil variables. This shows that coil 20 is on (1) and 21 is off (0). Due to the number of coils requested, the last data field 01 contains the status of only 2 coils. The unused bits in the last data byte are filled in with zeroes.
Response
11 0F 0013 000A 2699
11: The Slave Address (11 hex = address 17)
0F: The Function Code (Force Multiple Coils, 0F hex = 15)
0013: The Data Address of the first coil (0013 hex = 19, + 1 offset = coil #20)
000A: The number of coils written (0A hex = 10)
2699: The CRC (cyclic redundancy check) for error checking.
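The coil bit packing used in the FC=01 response and the FC=15 request above, as an added example that is not part of the original slides. Function names are hypothetical, the CRC is assumed to have been checked and removed already, and rejecting non-zero padding bits is a strictness choice made here.

```python
def unpack_coils(data: bytes, first: int, count: int) -> dict:
    """Map coil number -> state. Bit 0 of the first data byte is coil `first`."""
    expected = (count + 7) // 8
    if count < 1 or len(data) != expected:
        raise ValueError(f"{count} coils need {expected} data bytes, got {len(data)}")
    pad = expected * 8 - count            # unused high bits of the last byte
    if pad and data[-1] >> (8 - pad):
        raise ValueError("non-zero padding bits in last data byte")
    return {first + i: bool(data[i // 8] >> (i % 8) & 1) for i in range(count)}

def pack_coils(states) -> bytes:
    """Pack ON/OFF states (lowest coil first) into FC=15 data bytes."""
    out = bytearray((len(states) + 7) // 8)
    for i, on in enumerate(states):
        if on:
            out[i // 8] |= 1 << (i % 8)
    return bytes(out)                     # unused bits stay zero

def parse_read_coils_response(body: bytes, first: int, count: int) -> dict:
    """body = address, function code, byte count, data bytes (no CRC)."""
    if len(body) < 4 or body[1] != 0x01:
        raise ValueError("not a Read Coil Status response")
    if body[2] != len(body) - 3:
        raise ValueError("byte count field disagrees with frame length")
    return unpack_coils(body[3:], first, count)

# Response bytes from the FC=01 example on this page, CRC removed.
RESPONSE = bytes.fromhex("11 01 05 CD 6B B2 0E 1B")

if __name__ == "__main__":
    coils = parse_read_coils_response(RESPONSE, first=20, count=37)
    print("ON:", [n for n, on in coils.items() if on])
    print("FC=15 data:", pack_coils([1, 0, 1, 1, 0, 0, 1, 1, 1, 0]).hex().upper())
```

The caller passes the starting coil and quantity from its own request, so a response whose length does not match what was asked for is rejected rather than silently decoded.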
Modbus ASCII vs Modbus RTU
Data formats
To review, we can see that each byte of data can be represented in different ways.
Binary (base 2): 10101110 (2 characters, 0 and 1)
Decimal (base 10): 174 (10 characters, 0 through 9)
Hexadecimal (base 16): AE (16 characters, 0 through F)
ASCII (base 256): ® (256 different characters)
Message Delimiting
In Modbus RTU, bytes are sent consecutively with no space in between them with a 3-1/2
character space between messages for a delimiter. This allows the software to know when a new
message is starting.
Any delay between bytes will cause Modbus RTU to interpret it as the start of a new message.
This keeps Modbus RTU from working properly with modems.
Modbus ASCII marks the start of each message with a colon character " : " (hex 3A).
The end of each message is terminated with the carriage return and line feed characters
(hex 0D and 0A). This allows the space between bytes to be variable making it suitable for
transmission through some modems.
Byte Size
In Modbus RTU each byte is sent as a string of 8 binary characters framed with a start bit, and a
stop bit, making each byte 10 bits.
In Modbus ASCII, the number of data bits is reduced from 8 to 7. A parity bit is added before the
stop bit which keeps the actual byte size at 10 bits.
Split Data bytes
In Modbus ASCII, each data byte is split into the two bytes representing the two ASCII
characters in the Hexadecimal value. For example,

Error Checksum - LRC Calculation

As mentioned earlier, each Modbus RTU message is terminated with two error checking bytes called a CRC or Cyclic Redundancy Check. Similarly, Modbus ASCII is terminated with an error checking byte called an LRC or Longitudinal Redundancy Check.
The calculation of the LRC is much easier than the CRC.
To calculate the LRC:
1. Add up all the data bytes in the message (before converting to ASCII and without the initial colon and final CR/LF).
2. Throw away any bits that carry over 8 bits.
3. Make the result negative (by two's complement) to get the LRC byte.
The sum of the resulting byte stream with the LRC will then be 0 since adding the negative subtotal will make the final total zero.
For example, this command shows the data bytes required to request the content of analog output holding registers
40108 to 40110 from the slave device with address 17.
11 03 00 6B 00 03
ASCII vs RTU example:
Using the same example shown above to request registers 40108 to 40110 from slave address 17.
11 03 00 6B 00 03
The complete ASCII request is made by first adding the message delimiting characters. A colon is added to the start of the message, and the LRC, carriage return and line feed are added to the end:
: 1 1 0 3 0 0 6 B 0 0 0 3 7 E CR LF
Each character is now treated as an ASCII character and replaced with its hex value to give the final message.
3A 3131 3033 3030 3642 3030 3033 3745 0D 0A
This Modbus ASCII request size is 17 bytes (170 bits)
The equivalent Modbus RTU message would be:
11 03 00 6B 00 03 76 87
This Modbus RTU request size is 8 bytes (80 bits)
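The LRC steps and the ASCII/RTU framing above, worked through in code as an added example that is not part of the original slides. Function names are hypothetical; the CRC parameters (initial value 0xFFFF, reflected polynomial 0xA001, low byte sent first) are the standard Modbus RTU ones and are not stated on the page.

```python
REQUEST = bytes.fromhex("11 03 00 6B 00 03")  # message bytes from the page's example

def crc16_modbus(data: bytes) -> int:
    """CRC-16 with initial value 0xFFFF and reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def lrc(data: bytes) -> int:
    """Sum the bytes, keep the low 8 bits, take the two's complement."""
    return (-sum(data)) & 0xFF

def rtu_frame(msg: bytes) -> bytes:
    # The CRC is appended low byte first (0x8776 goes out as 76 87).
    return msg + crc16_modbus(msg).to_bytes(2, "little")

def ascii_frame(msg: bytes) -> bytes:
    # ':' + two hex characters per byte (message, then LRC) + CR LF
    return b":" + (msg + bytes([lrc(msg)])).hex().upper().encode("ascii") + b"\r\n"

def parse_rtu(frame: bytes) -> bytes:
    """Return address + function + data, or raise ValueError on a bad CRC."""
    if len(frame) < 4:
        raise ValueError("RTU frame too short")
    if crc16_modbus(frame[:-2]) != int.from_bytes(frame[-2:], "little"):
        raise ValueError("CRC mismatch")
    return frame[:-2]

def parse_ascii(frame: bytes) -> bytes:
    """Return address + function + data, or raise ValueError on bad framing or LRC."""
    if not (frame.startswith(b":") and frame.endswith(b"\r\n")):
        raise ValueError("missing ':' or CR/LF delimiter")
    raw = bytes.fromhex(frame[1:-2].decode("ascii"))  # ValueError if not hex text
    if len(raw) < 3:
        raise ValueError("ASCII frame too short")
    if sum(raw) & 0xFF != 0:  # message bytes plus LRC must sum to zero
        raise ValueError("LRC mismatch")
    return raw[:-1]

if __name__ == "__main__":
    print(rtu_frame(REQUEST).hex(" ").upper())
    print(ascii_frame(REQUEST))
```

Both checks are unkeyed error-detection codes: they catch line noise, not deliberate modification, and the LRC, being a plain sum, does not change when message bytes are reordered.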

https://www.simplymodbus.ca/TCP.htm

https://www.studocu.com/vn/document/truong-dai-hoc-su-pham-ky-thuat-thanh-pho-ho-chi-minh/mang-giao-tiep-du-lieu/chuong-9-phat-hien-va-sua-loi/24149504
PDF format version of the MODBUS Protocol

The original was found at:

http://irtfweb.ifa.hawaii.edu/~smokey2/software/about/sixnet/modbus/modbus_protocol.pdf
SUMMARY