What is Modbus?
Modbus is a serial communication protocol developed and published by Modicon® in 1979 for use with its programmable logic controllers (PLCs). In simple terms, it is a method used for transmitting information over serial lines between electronic devices. The device requesting the information is called the Modbus Master and the devices supplying information are Modbus Slaves. In a standard Modbus network, there is one Master and up to 247 Slaves, each with a unique Slave Address from 1 to 247. The Master can also write information to the Slaves.
The main reasons for the use of Modbus in the industrial environment are:
- It has been developed with industrial applications in mind
- It is openly published and royalty-free
- It is easy to deploy and maintain
- It moves raw bits or words without placing many restrictions on vendors
- Wide availability of SCADA systems that support the Modbus protocol
There are different flavours of the Modbus protocol:
- Modbus TCP
- Modbus RTU
- Modbus ASCII
- Modbus Plus
- Modbus Daniels
- Modbus Tek-Air
- Modbus Omniflow
The most popular of these are Modbus RTU and Modbus TCP/IP.
In each of these flavours, Modbus is a communication protocol that connects different devices on the same network and makes communication between them possible.
A Modbus Messaging Implementation Guide provided by Schneider Automation outlines a modified protocol specifically for use over TCP/IP. The official Modbus specification can be found at www.modbus.org/specs.php. The main differences between Modbus RTU and Modbus TCP are outlined below.
MODBUS MEMORY MODEL / MODBUS STORAGE MODEL
MODBUS has a unique addressing pattern. A Modbus device stores every value at a particular address. For example, an EATON power meter stores its Volts A-N value at Modbus address 40001.
There are four Modbus data types:
| Type of Modbus Data | Data format and common name | Address where they begin | Type |
| --- | --- | --- | --- |
| Modbus Coils | Bits, binary values | 00001 | This type of data can be provided by an I/O system. |
| Digital Inputs | Binary values | 10001 | This type of data can be changed by an application layer. |
| Analog Inputs | Binary values | 30001 | This type of data can be provided by an I/O system. |
| Modbus Registers / Holding Registers | Analog values | 40001 | This type of data can be changed by an application layer. |
How does MODBUS RTU work?
- Modbus is transmitted over serial lines between devices. The simplest setup would be a single serial cable connecting the serial ports on two devices, a Master and a Slave.
- The data is sent as a series of ones and zeroes called bits. Each bit is sent as a voltage. Zeroes are sent as positive voltages and ones as negative. The bits are sent very quickly. A typical transmission speed is 9600 baud (bits per second).
How does Modbus TCP work?
The Modbus device can be connected using an Ethernet port on the gateway. We can make a query using any standard Modbus Scanner to extract the value from a Modbus device. All requests are sent via TCP/IP on registered port 502.
How is data stored in Standard Modbus?
Information is stored in the Slave device in four different tables.
Two tables store on/off discrete values (coils) and two store numerical values (registers). The coils and registers each have a read-only table and read-write table.
Each table has 9999 values.
Each coil or contact is 1 bit and is assigned a data address between 0000 and 270E (hex).
Each register is 1 word = 16 bits = 2 bytes and also has a data address between 0000 and 270E (hex).
| Coil/Register Numbers | Data Addresses | Type | Table Name |
| --- | --- | --- | --- |
| 1-9999 | 0000 to 270E | Read-Write | Discrete Output Coils |
| 10001-19999 | 0000 to 270E | Read-Only | Discrete Input Contacts |
| 30001-39999 | 0000 to 270E | Read-Only | Analog Input Registers |
| 40001-49999 | 0000 to 270E | Read-Write | Analog Output Holding Registers |
Coil/Register Numbers can be thought of as location names since they do not appear in the actual messages. The Data Addresses are used in the messages.
For example, the first Holding Register, number 40001, has the Data Address 0000.
The difference between these two values is the offset.
Each table has a different offset: 1, 10001, 30001 and 40001.
What is the Slave ID?
Each slave in a network is assigned a unique unit address from 1 to 247. When the master requests data, the first byte it sends is the Slave address. This way each slave knows after the first byte whether or not to ignore the message.
What is a Modbus Map?
A Modbus map is simply a list for a slave device that defines:
- what the data is (e.g. pressure or temperature readings)
- where the data is stored (which tables and data addresses)
- how the data is stored (data types, byte and word ordering)
Some devices are built with a fixed map defined by the manufacturer, while other devices allow the operator to configure or program a custom map to fit their needs.
MODBUS ERROR CHECKING
MODBUS networks employ two methods of error checking:
- Parity checking of the data character frame (even, odd, or no parity)
- Frame checking within the message frame (Cyclical Redundancy Check in RTU Mode, or Longitudinal Redundancy Check in ASCII Mode).
A MODBUS device can be configured for even or odd parity, or for no parity checking. This determines how the parity bit of the character's data frame is set. If even or odd parity checking is selected, the number of 1 bits in the data portion of each character frame is counted. Each character in RTU mode contains 8 bits. The parity bit will then be set to a 0 or a 1, to result in an even (even parity) or odd (odd parity) total number of 1 bits.
LRC Longitudinal Redundancy Check (ASCII Mode Only)
In the ASCII transmission mode, the character frame includes an LRC field as the last field preceding the CRLF characters. This field contains two ASCII characters that represent the result of a longitudinal redundancy calculation for all the fields except the starting colon character and the ending CR LF pair of characters.
CRC Error Checking (RTU Mode Only)
RTU Mode message frames include an error checking method that is based on a Cyclical Redundancy Check (CRC). The error-checking field of a message frame contains a 16-bit value (two 8-bit bytes) that contains the result of a Cyclical Redundancy Check (CRC) calculation performed on the message contents.
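Both frame checks described above, the CRC-16 used in RTU mode and the LRC used in ASCII mode, applied to one constructed request. This is an added example, not code from the original page; the frame layouts it assumes (CRC transmitted low byte first, LRC as the two's complement of the byte sum) are those of the Modbus serial line specification.

```python
def modbus_crc16(data: bytes) -> int:
    """CRC-16/MODBUS: start at 0xFFFF, reflected polynomial 0xA001, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def modbus_lrc(data: bytes) -> int:
    """LRC: two's complement of the 8-bit sum of every byte in the message."""
    return (-sum(data)) & 0xFF

def build_rtu_frame(msg: bytes) -> bytes:
    """RTU frame = slave address + PDU + 16-bit CRC, low byte transmitted first."""
    crc = modbus_crc16(msg)
    return msg + bytes([crc & 0xFF, crc >> 8])

def check_rtu_frame(frame: bytes) -> bool:
    """A receiver recomputes the CRC over everything but the last two bytes."""
    if len(frame) < 4:            # address + function code + two CRC bytes
        return False
    received = frame[-1] << 8 | frame[-2]
    return modbus_crc16(frame[:-2]) == received

def build_ascii_frame(msg: bytes) -> str:
    """ASCII frame = ':' + hex of the message + hex LRC + CR LF."""
    return ":" + msg.hex().upper() + f"{modbus_lrc(msg):02X}" + "\r\n"

def check_ascii_frame(frame: str) -> bool:
    """The LRC covers every field except the leading ':' and trailing CR LF."""
    if not (frame.startswith(":") and frame.endswith("\r\n")):
        return False
    try:
        raw = bytes.fromhex(frame[1:-2])
    except ValueError:            # odd length or non-hex characters
        return False
    return len(raw) >= 3 and modbus_lrc(raw[:-1]) == raw[-1]

# Constructed sample: slave 1, function 03, start address 0x0000, quantity 2
# (i.e. holding registers 40001 and 40002). RTU frame: 01 03 00 00 00 02 C4 0B
REQUEST = bytes.fromhex("010300000002")
```

A frame that fails either check must be discarded rather than acted on; a single corrupted bit anywhere in the frame is always caught by the CRC.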
Function Codes Defined by Modbus
The second byte sent by the Master is the Function code. This number tells the slave which table to access and whether to read from or write to the table.
| Function Code | Action | Table Name |
| --- | --- | --- |
| 01 (01 hex) | Read | Discrete Output Coils |
| 05 (05 hex) | Write single | Discrete Output Coil |
| 15 (0F hex) | Write multiple | Discrete Output Coils |
| 02 (02 hex) | Read | Discrete Input Contacts |
| 04 (04 hex) | Read | Analog Input Registers |
| 03 (03 hex) | Read | Analog Output Holding Registers |
| 06 (06 hex) | Write single | Analog Output Holding Register |
| 16 (10 hex) | Write multiple | Analog Output Holding Registers |
Modbus Exception Codes
| Code | Name | Meaning |
| --- | --- | --- |
| 01 | ILLEGAL FUNCTION | The function code received in the query is not an allowable action for the server (or slave). This may be because the function code is only applicable to newer devices, and was not implemented in the unit selected. It could also indicate that the server (or slave) is in the wrong state to process a request of this type, for example because it is unconfigured and is being asked to return register values. |
| 02 | ILLEGAL DATA ADDRESS | The data address received in the query is not an allowable address for the server (or slave). More specifically, the combination of reference number and transfer length is invalid. For a controller with 100 registers, the PDU addresses the first register as 0, and the last one as 99. If a request is submitted with a starting register address of 96 and a quantity of registers of 4, then this request will successfully operate (address-wise at least) on registers 96, 97, 98, 99. If a request is submitted with a starting register address of 96 and a quantity of registers of 5, then this request will fail with Exception Code 0x02 "Illegal Data Address" since it attempts to operate on registers 96, 97, 98, 99 and 100, and there is no register with address 100. |
| 03 | ILLEGAL DATA VALUE | A value contained in the query data field is not an allowable value for the server (or slave). This indicates a fault in the structure of the remainder of a complex request, such as that the implied length is incorrect. It specifically does NOT mean that a data item submitted for storage in a register has a value outside the expectation of the application program, since the MODBUS protocol is unaware of the significance of any particular value of any particular register. |
| 04 | SLAVE DEVICE FAILURE | An unrecoverable error occurred while the server (or slave) was attempting to perform the requested action. |
| 05 | ACKNOWLEDGE | Specialized use in conjunction with programming commands. The server (or slave) has accepted the request and is processing it, but a long duration of time will be required to do so. This response is returned to prevent a timeout error from occurring in the client (or master). The client (or master) can next issue a Poll Program Complete message to determine if processing is completed. |
| 06 | SLAVE DEVICE BUSY | Specialized use in conjunction with programming commands. The server (or slave) is engaged in processing a long-duration program command. The client (or master) should retransmit the message later when the server (or slave) is free. |
| 08 | MEMORY PARITY ERROR | Specialized use in conjunction with function codes 20 and 21 and reference type 6, to indicate that the extended file area failed to pass a consistency check. The server (or slave) attempted to read a record file, but detected a parity error in the memory. The client (or master) can retry the request, but service may be required on the server (or slave) device. |
| 0A | GATEWAY PATH UNAVAILABLE | Specialized use in conjunction with gateways; indicates that the gateway was unable to allocate an internal communication path from the input port to the output port for processing the request. Usually means that the gateway is not configured correctly or is overloaded. |
| 0B | GATEWAY TARGET DEVICE FAILED TO RESPOND | Specialized use in conjunction with gateways; indicates that no response was obtained from the target device. Usually means that the device is not present on the network. |
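An added example (not code from the original page) that ties together the table offsets, the function code table and the exception codes: it builds a Modbus TCP read request from a map-style register number such as 40097, then validates the request server-side against the 100-register device used in the Illegal Data Address entry above. The MBAP header layout, the 125-register limit per read and the exception-response convention (function code with its high bit set, followed by the exception code) are taken from the Modbus specification and are not stated on this page.

```python
import struct

# Table offsets from the storage model: (first register number, read function code)
TABLE_BY_OFFSET = ((40001, 0x03), (30001, 0x04), (10001, 0x02), (1, 0x01))
MAX_REGISTERS_PER_READ = 125   # spec limit for FC 03/04, not stated on this page

def number_to_pdu(number: int):
    """Map a register number such as 40097 to (read function code, data address)."""
    for offset, fc in TABLE_BY_OFFSET:
        if offset <= number <= offset + 9998:    # 9999 values per table
            return fc, number - offset
    raise ValueError(f"{number} is not in any Modbus table")

def build_read_request(unit: int, number: int, quantity: int, tid: int = 1) -> bytes:
    """Modbus TCP frame: MBAP header (tid, protocol 0, length, unit id) + PDU."""
    fc, address = number_to_pdu(number)
    pdu = struct.pack(">BHH", fc, address, quantity)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def check_read_request(pdu: bytes, register_count: int = 100):
    """Server-side validation for a register-only device.

    Returns None when the request is acceptable, otherwise the exception code
    from the table above that the device should answer with.
    """
    fc = pdu[0]
    if fc not in (0x03, 0x04):
        return 0x01                               # ILLEGAL FUNCTION
    if len(pdu) != 5:
        return 0x03                               # ILLEGAL DATA VALUE: bad structure
    _, start, qty = struct.unpack(">BHH", pdu)
    if not 1 <= qty <= MAX_REGISTERS_PER_READ:
        return 0x03                               # ILLEGAL DATA VALUE
    if start + qty > register_count:
        return 0x02                               # ILLEGAL DATA ADDRESS (e.g. 96 + 5)
    return None

def exception_response(fc: int, code: int) -> bytes:
    """Exception PDU: the request's function code with bit 7 set, then the code."""
    return bytes([fc | 0x80, code])

def parse_response_pdu(pdu: bytes):
    """Distinguish a normal reply from an exception reply on the master side."""
    if pdu[0] & 0x80:
        return ("exception", pdu[0] & 0x7F, pdu[1])
    return ("data", pdu[0], pdu[1:])
```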