Modbus was developed by Modicon in 1979. It was created specifically for use in Modicon PLCs for industrial applications. Today it is an open protocol, used by a wide range of automation products.
Modbus can be used over Ethernet as well as serial cable. There are three major types or variations of the Modbus protocol: ASCII, RTU and TCP/IP.
Modbus was originally developed using ASCII characters to encode the messages.
Modbus RTU devices typically use one of three electrical interfaces: RS232, RS485 or RS422. RS232 is a simple point-to-point arrangement: if you only need to connect one device to another and the distance between the two devices is less than 50 feet / 15 meters, then RS232 will do the job. To connect more than two devices on the same line and/or cover a distance greater than 50 feet, you should use RS485 or RS422 for a master communicating with multiple slave devices. (RS485 is by far the most popular method. This standard can support up to 32 nodes over a range of up to 4000 feet / 1200 meters.) The speed at which Modbus messages are sent is referred to as the baud rate (bits per second). All devices on an RTU network must use the same baud rate; different devices support different transmission speeds.
Example: 9600 – 19200 are typical speeds; 300 – 100000+ are possible speeds.
A Modbus serial network has a master device that issues commands to the slave devices. The slaves will not transmit information unless they receive a command to do so from the master. There can only be one master on a network and a maximum of 247 slave devices, each with a unique slave ID from 1 to 247. RS485 cannot drive more than 32 nodes in a single segment, so an application that needs more than 32 nodes requires a repeater. The master can write data to the slaves as well as read data from them.
A SCADA/HMI system would typically be the master, communicating with a series of Modbus slave devices.
The master is connected to a slave, which is then daisy-chained along to all the other slaves on the line.
The big difference with Modbus TCP/IP is that an MBAP header, or Modbus application header, is added to the start of each message. The slave ID at the beginning of the message is removed, as well as the cyclic redundancy check at the end. The MBAP header contains all the identifying information needed to route the data to the addressed device. Modbus uses port 502 for TCP/IP communication, and Modbus TCP/IP devices use Internet Protocol addressing:
IP Address: 192.168.15.130
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.15.1
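The re-framing described above, as an added example that is not part of the original page: it wraps a Modbus PDU in an MBAP header and parses it back, rejecting messages whose header fields are inconsistent. The field layout (transaction ID, protocol ID, length, unit ID) follows the Modbus TCP specification; the function names are chosen here, and the sample frame is the RTU request that appears later on this page.

```python
import struct

# MBAP header: transaction ID, protocol ID, length, unit ID (7 bytes, big-endian).
MBAP = struct.Struct(">HHHB")

def build_tcp_adu(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """Prefix a PDU (function code + data) with an MBAP header; no CRC is added."""
    # The length field counts every byte after it: the unit ID plus the PDU.
    return MBAP.pack(transaction_id, 0, len(pdu) + 1, unit_id) + pdu

def rtu_to_tcp(rtu_frame: bytes, transaction_id: int) -> bytes:
    """Re-wrap an RTU frame whose CRC has already been verified by the caller.

    The leading slave ID byte moves into the MBAP unit ID and the two
    trailing CRC bytes are dropped.
    """
    return build_tcp_adu(transaction_id, rtu_frame[0], rtu_frame[1:-2])

def parse_tcp_adu(adu: bytes) -> dict:
    """Split a Modbus TCP message into header fields and PDU, rejecting bad input."""
    if len(adu) < MBAP.size + 1:
        raise ValueError("shorter than an MBAP header plus a function code")
    transaction_id, protocol_id, length, unit_id = MBAP.unpack_from(adu)
    if protocol_id != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(adu) - 6:
        raise ValueError("length field does not match the bytes received")
    pdu = adu[MBAP.size:]
    return {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function": pdu[0],
        "data": pdu[1:],
    }

# RTU request from this page: slave 17, function 0x03, CRC 76 87.
RTU_REQUEST = bytes.fromhex("1103006B00037687")

if __name__ == "__main__":
    adu = rtu_to_tcp(RTU_REQUEST, transaction_id=1)
    print(adu.hex(" "))
    print(parse_tcp_adu(adu))
```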
Start condition: 28 bit or 3.5 characters
8 bits = 1 character.
4 bits = ½ character.
Slave ID Address: 8 bit.
Modbus data types and address space.
|Data type||Access||Size||Address range|
|Coils||Read – Write||1 bit||00001 – 09999|
|Discrete Input||Read – Only||1 bit||10001 – 19999|
|Input Register||Read – Only||16 bits||30001 – 39999|
|Holding Register||Read – Write||16 bits||40001 – 49999|
Send and receive functions.
#include <stdint.h> // fixed-width integer types used in the prototypes below
uint8_t readCoils(uint16_t address, uint16_t quantity); // Modbus function 0x01 Read Coils
uint8_t readDiscreteInputs(uint16_t address, uint16_t quantity); // Modbus function 0x02 Read Discrete Inputs
uint8_t readHoldingRegisters(uint16_t address, uint16_t quantity); // Modbus function 0x03 Read Holding Registers
uint8_t readInputRegisters(uint16_t address, uint8_t quantity); // Modbus function 0x04 Read Input Registers
uint8_t writeSingleCoil(uint16_t address, uint8_t state); // Modbus function 0x05 Write Single Coil
uint8_t writeSingleRegister(uint16_t address, uint16_t value); // Modbus function 0x06 Write Single Register
uint8_t writeMultipleCoils(uint16_t address, uint16_t quantity); // Modbus function 0x0F Write Multiple Coils
uint8_t writeMultipleRegisters(uint16_t address, uint16_t quantity); // Modbus function 0x10 Write Multiple Registers
Function code: 8 bit.
|Function code||What the function does||Function name||Value type||Access type|
|01 (0x01)||Read DO||Read coil status||discrete||Read|
|02 (0x02)||Read DI||Read input status||discrete||Read|
|03 (0x03)||Read AO||Read holding registers||16 bit||Read|
|04 (0x04)||Read AI||Read input registers||16 bit||Read|
|05 (0x05)||Write one DO||Write single coil status||discrete||Write|
|06 (0x06)||Write one AO||Write single register||16 bit||Write|
|15 (0x0F)||Write multiple DO||Multiple coil write||discrete||Write|
|16 (0x10)||Write multiple AO||Multiple register write||16 bit||Write|
Data: N x 8 bit.
CRC: Error Checking 16 bit.
Stop condition: 28 bit.
Modbus RTU request for obtaining the AI value of the holding registers from register #40108 to 40110, with device address 17:
11 03 006B 0003 7687
|11||The slave ID (address) of the device (17 = 11 hex)|
|006B||The address of the first register (40108 - 40001 = 107 = 6B hex)|
|0003||The number of required registers (reading 3 registers, 40108 to 40110)|
In response, the Modbus RTU slave device returns: 11 03 06 AE41 5652 4340 49AD
|11||Device address (17 = 11 hex)||Slave ID|
|03||Function code||Function code|
|06||The number of bytes that follow (6 bytes)||Byte count|
|AE||The high-order byte of the register (AE hex)||Register value Hi (AO0)|
|41||The low-order byte of the register (41 hex)||Register value Lo (AO0)|
|56||The high-order byte of the register (56 hex)||Register value Hi (AO1)|
|52||The low-order byte of the register (52 hex)||Register value Lo (AO1)|
|43||The high-order byte of the register (43 hex)||Register value Hi (AO2)|
|40||The low-order byte of the register (40 hex)||Register value Lo (AO2)|
|49||Checksum||CRC value Hi|
|AD||Checksum||CRC value Lo|
The analog output register AO0 has the value AE 41 HEX or 44609 in the decimal system.
The analog output register AO1 has the value 56 52 HEX or 22098 in the decimal system.
The analog output register AO2 has the value 43 40 HEX or 17216 in the decimal system.
The 16 bit value AE 41 HEX (1010 1110 0100 0001) can take different values, depending on the type of representation.
The value of register 40108, when combined with register 40109, gives a 32 bit value.
An example of a representation:
|View type||Value range||Example in HEX||In decimal form|
|16 bit unsigned integer||0 to 65535||AE41||44,609|
|16 bit signed integer||-32768 to 32767||AE41||-20,927|
|Two character ASCII string||2 char||AE41||®A|
|Discrete on/off value||0 and 1||0001||0001|
|32 bit unsigned integer||0 to 4,294,967,295||AE41 5652||2,923,517,522|
|32 bit signed integer||-2,147,483,648 to 2,147,483,647||AE41 5652||-1,371,449,774|
|32 bit single precision IEEE floating point number||1.2 × 10^-38 to 3.4 × 10^+38||AE41 5652||-4.395978 E-11|
|Four character ASCII string||4 char||AE41 5652||®AVR|
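The request/response example and the representation table above, worked through as an added Python example (not code from the original page): it rebuilds the request, verifies the response CRC before trusting any field, and decodes the registers. Function names are chosen here, and the first register is assumed to be the high-order word of a 32 bit value, as in the table.

```python
import struct

def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def build_read_holding(slave_id: int, first_reg: int, count: int) -> bytes:
    """Build a function 0x03 request; first_reg is the 4xxxx register number."""
    body = struct.pack(">BBHH", slave_id, 0x03, first_reg - 40001, count)
    # The 16 bit CRC value 0x8776 goes on the wire as the bytes 76 87.
    return body + struct.pack("<H", crc16_modbus(body))

def parse_read_response(frame: bytes, slave_id: int, count: int) -> list:
    """Validate a function 0x03 response and return its 16 bit register values."""
    if len(frame) < 5:
        raise ValueError("frame too short")
    body = frame[:-2]
    (rx_crc,) = struct.unpack("<H", frame[-2:])
    if crc16_modbus(body) != rx_crc:
        raise ValueError("CRC mismatch")
    if body[0] != slave_id:
        raise ValueError("response from unexpected slave ID")
    if body[1] != 0x03 or body[2] != 2 * count or len(body) != 3 + body[2]:
        raise ValueError("function code or byte count does not match the request")
    return list(struct.unpack(f">{count}H", body[3:]))

def interpret(regs: list) -> dict:
    """Decode the first two registers in the representations tabulated above."""
    raw16 = struct.pack(">H", regs[0])
    raw32 = struct.pack(">HH", regs[0], regs[1])  # first register = high word
    return {
        "uint16": regs[0],
        "int16": struct.unpack(">h", raw16)[0],
        "uint32": struct.unpack(">I", raw32)[0],
        "int32": struct.unpack(">i", raw32)[0],
        "float32": struct.unpack(">f", raw32)[0],
        "ascii4": raw32.decode("latin-1"),
    }

# Frames copied from the request/response example on this page.
REQUEST = bytes.fromhex("1103006B00037687")
RESPONSE = bytes.fromhex("110306AE415652434049AD")
```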