What is Modbus?

The name Modbus is made up of "Mod" and "Bus". First of all, it is a bus protocol, like I2C and SPI: there is a master, there are slaves, and all of these devices sit on the same bus.

Modbus supports a single master and multiple slaves, up to a maximum of 247 slaves. As for "Mod": the protocol was first used on PLC controllers, to be precise on Modicon PLC controllers, which is the origin of the name Modbus.

Modicon was later acquired by Schneider. The Modbus protocol is widely used in industrial controllers, HMIs and sensors, was gradually adopted by other manufacturers, and has become a mainstream protocol for communicating with peripheral devices.

Modbus is an application-layer protocol, layer 7 of the seven-layer OSI reference model. There are two kinds of data link layer: one based on standard serial port protocols and one based on TCP. At the physical layer, many transmission media can be used: 3-wire RS-232, 2-wire RS-485, 4-wire RS-422, optical fibre, network cable and wireless.

Modbus is a request/reply protocol. The master actively initiates a communication request and the slave responds to it. A slave that has not received a request from the master never sends data on its own, and slaves do not communicate with each other.

It is like a boy chasing a girl: the boy has to take the initiative, the girl will respond, and you cannot wait for the girl to start the conversation.

At present, there are two authoritative official Modbus standard documents:

  • Modbus_application_protocol_specification_v1.1b3.pdf
  • Industrial automation network specification based on Modbus Protocol GB-T19582.1-2008.pdf

It is fair to say that 90% of books and online material are translations of these two documents; see the end of this article for how to download them.

Four data types

According to the Modbus protocol, the data that read and write operations act on is classified into the following four types, by width and by read/write attribute:

  • Discrete Inputs: 1 bit, read-only
  • Coils: 1 bit, read/write
  • Input Registers: 16 bits, read-only
  • Holding Registers: 16 bits, read/write

Three transmission modes

In 1979, Modicon first introduced the serial Modbus standard. Later, as networks became popular, higher transmission speeds were needed, and in 1997 a Modbus standard running over TCP networks was developed.

So in total there are two transmission modes: serial link based and Ethernet TCP/IP based. However, I personally prefer to divide them into three transmission modes:

  • Modbus RTU, over a serial port

    Data is sent in binary according to the standard serial port protocol. This is the most widely used Modbus mode and it uses the CRC-16/MODBUS check algorithm.

  • Modbus ASCII, over a serial port

    All data is sent as ASCII characters. Each original byte needs two characters, which is inefficient; the LRC check algorithm is used.

  • Modbus TCP, over a network port

    Modbus TCP runs on top of TCP/IP and uses TCP port 502. A frame consists of two parts: the MBAP header and the PDU. The data block is the same as on the serial link.

So when we talk about the Modbus protocol, it is important to determine which mode is meant: RTU, ASCII or TCP. The three modes differ considerably.

Some devices support multiple Modbus modes while others support only one. For example, the S7-200 PLC supports Modbus RTU but not Modbus ASCII. All devices on one Modbus bus must use the same transmission mode.

In practice, consult the device manual to decide which mode to use.

Three kinds of function code

The Modbus function code, which is written into the master's request frame, determines what the master is asking for: whether it is reading or writing, whether it is accessing coils, discrete inputs or registers, whether it is writing a single register or multiple registers, and so on.

There are three kinds of function codes: public function codes, user-defined function codes, and reserved function codes.

In practice, the most commonly used are four of the public function codes: 03/04/06/10.

  • 0x03: Read multiple holding registers
  • 0x04: Read input registers
  • 0x06: Write a single holding register
  • 0x10: Write multiple holding registers

Because a PLC mainly controls relay contacts, coils are also frequently read and written on PLCs.

One point deserves special attention: when writing holding registers you must distinguish between 0x06, which writes a single register, and 0x10, which writes multiple registers. Reading holding registers makes no such distinction: to read a single holding register you also use 0x03, specifying a quantity of 1.

Data frame format

In all three modes the Modbus frame has the same general structure:

It consists mainly of:

  • Address field: 1 byte, the address of the slave device; 1 to 247 are normally the valid addresses and 0 is the broadcast address
  • Function code: 1 byte, indicating the type of data requested by the master
  • Data: N bytes
  • Error check: the result of a redundancy check over the data, either CRC or LRC

Here is a detailed description of the frame format for each transmission mode.

Modbus RTU data frames

Modbus RTU frame: the maximum length of a frame is 256 bytes and it consists of the following four parts:

  1. Slave address: 1 byte, range 0 to 247
  2. Function code: 1 byte
  3. Data block: 0 to 252 bytes
  4. CRC check value: 2 bytes, low byte first

Modbus RTU frame spacing: Modbus RTU requires the gap between two RTU messages to be greater than 3.5 byte (character) times.

Within a frame, the gap between bytes must be less than 1.5 byte times; otherwise the frame is considered incomplete.

Modbus RTU uses a CRC (Cyclic Redundancy Check) computed over all bytes of the frame. The resulting check value is appended to the end of the frame, low byte first. For how CRC-16/MODBUS is calculated, refer to the CRC-16_modbus verification algorithm.

Examples of actual request/reply interactions:

Example 1: write a single register. Write one value, 0x0190, to holding register 0x0105 of the slave at address 01.

Master sends:  01 06 01 05 01 90 99 CB
Slave replies: 01 06 01 05 01 90 99 CB

01 is the slave address, function code 06 means write a single holding register, 0105 is the register address, 0190 is the value written to the register, and 99CB is the CRC check value. As you can see, when writing one register the frame returned by the slave is identical to the frame sent by the master.

Example 2: write multiple registers. Write three values, 0x1102, 0x0304 and 0x0566, to holding registers 0x0105, 0x0106 and 0x0107 of the slave at address 01.

Master sends:  01 10 01 05 00 03 06 11 02 03 04 05 66 4A 12
Slave replies: 01 10 01 05 00 03 91 F5

Similarly, 01 is the slave address, 10 is the function code for writing multiple holding registers, 0105 is the start address, 0003 means three registers are written, 06 means six bytes of data follow, 1102/0304/0566 are the three register values, and 4A12 is the CRC check value.

As you can see, when writing multiple registers with function code 10 the data returned by the slave is comparatively short: it echoes the start address and quantity, not the values.

Example 3: read a single register. Read holding register 0x0105 of the slave at address 01.

Master sends:  01 03 01 05 00 01 95 F7
Slave replies: 01 03 02 56 78 87 C6

In the request, 03 means read holding registers, 0105 is the start address, and 0001 means one register is read.

In the reply, 02 is the byte count (2 bytes) and 56 78 is the register content.

Example 4: read multiple registers. Read holding registers 0x0105, 0x0106 and 0x0107 of the slave at address 01, three registers in total.

Master sends:  01 03 01 05 00 03 14 36
Slave replies: 01 03 06 11 22 33 44 55 66 2A 18

In the request, 03 means read holding registers, 0105 is the start address, and 0003 means three registers are read.

In the reply, 06 is the byte count (6 bytes) and 11 22, 33 44, 55 66 are the contents of the three registers.
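The following Python is an added example, not code from the original article: it implements the CRC-16/MODBUS algorithm, builds the request frames for function codes 0x03, 0x06 and 0x10 described in the function code section, and parses a reply with a CRC check, so the four RTU examples above can be reproduced and verified. Function and variable names are my own.

```python
# Added example (not from the original article): Modbus RTU framing with CRC-16/MODBUS.
import struct


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: initial value 0xFFFF, reflected polynomial 0xA001, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def rtu_frame(slave: int, pdu: bytes) -> bytes:
    """Address + PDU + CRC. The CRC is appended low byte first, as the article notes."""
    body = bytes([slave]) + pdu
    return body + struct.pack("<H", crc16_modbus(body))


# PDU builders for the four public function codes discussed above (0x04 has the
# same layout as 0x03, so one builder covers both reads).
def pdu_read_registers(start: int, count: int, function: int = 0x03) -> bytes:
    return struct.pack(">BHH", function, start, count)


def pdu_write_single(address: int, value: int) -> bytes:
    return struct.pack(">BHH", 0x06, address, value)


def pdu_write_multiple(start: int, values: list) -> bytes:
    payload = b"".join(struct.pack(">H", v) for v in values)
    return struct.pack(">BHHB", 0x10, start, len(values), len(payload)) + payload


def parse_rtu(frame: bytes) -> dict:
    """Check the length limits and the CRC, then split the frame into its fields."""
    if len(frame) < 4 or len(frame) > 256:
        raise ValueError("frame length out of range")
    body, (crc_rx,) = frame[:-2], struct.unpack("<H", frame[-2:])
    if crc16_modbus(body) != crc_rx:
        raise ValueError("CRC mismatch: frame corrupted or not Modbus RTU")
    return {"slave": body[0], "function": body[1], "data": body[2:]}


def rtu_frame_ok(frame: bytes) -> bool:
    try:
        parse_rtu(frame)
        return True
    except ValueError:
        return False


def registers_from_read_reply(frame: bytes) -> list:
    """Decode a 0x03/0x04 reply: byte count followed by big-endian 16-bit values."""
    f = parse_rtu(frame)
    if f["function"] & 0x80:  # exception reply: function code with the high bit set
        raise ValueError("slave returned exception code 0x%02x" % f["data"][0])
    count, payload = f["data"][0], f["data"][1:]
    if count != len(payload) or count % 2:
        raise ValueError("byte count does not match payload")
    return list(struct.unpack(">%dH" % (count // 2), payload))


if __name__ == "__main__":
    # Reproduce the article's Example 1 and Example 3 request frames.
    print(rtu_frame(1, pdu_write_single(0x0105, 0x0190)).hex(" "))
    print(rtu_frame(1, pdu_read_registers(0x0105, 1)).hex(" "))
    print(registers_from_read_reply(bytes.fromhex("010302567887C6")))
```

The CRC check is the only integrity protection an RTU frame carries, so a monitor that watches a serial link should drop frames whose CRC does not verify before interpreting them; `parse_rtu` does exactly that, and `registers_from_read_reply` also recognises the exception reply form (function code with bit 7 set), which the article's examples do not show.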

Modbus ASCII data frames

In Modbus ASCII transmission mode, every byte is encoded as ASCII text: one byte is sent as two ASCII characters, so this mode is less efficient than Modbus RTU. For example, the data byte 0x5B is sent as "5" + "B" = 0x35 + 0x42.

The data frame format is as follows:

As the ASCII message frame shows, ASCII mode adds a frame start character (":") and a frame end marker (carriage return and line feed). Since each byte of message data needs two characters in ASCII mode, the maximum data block length in ASCII mode is 252×2 characters, which keeps ASCII mode and RTU mode compatible at the application level. The maximum length of a frame is therefore 1+2+2+2×252+2+2=513 characters, and the gap between characters within a frame may be as long as 1 second.

The check used by Modbus ASCII mode is the LRC (Longitudinal Redundancy Check) algorithm, and it does not cover the frame start and end markers.

The calculation is simple: add up all bytes covered by the check, discard any carry beyond 8 bits, and take the two's complement:

For example, in Modbus ASCII mode the master writes the value 0x1234 to holding register 0x0405 of the slave at address 1. The message is as follows:

:010604051234AA<CR><LF>

That is:

: 01 06 04 05 12 34 AA <CR><LF>

You can see that 01 is the device address and 06 means write a single holding register. The register address is 0x0405, the data is 0x1234, and the LRC check value is 0xAA. The bytes covered by the check do not include the frame start or the frame end.

0xAA = LRC(01, 06, 04, 05, 12, 34)

Manual LRC calculation:

01 + 06 + 04 + 05 + 12 + 34 = 0x56

0x56 = 0101 0110
Invert:     1010 1001
Add 1:      1010 1010 = 0xAA
Or simply:  0x100 - 0x56 = 0xAA
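The following Python is an added example, not code from the original article: it implements the LRC calculation just described, wraps a PDU in the ":" ... CR LF ASCII frame, and parses such a frame back, checking the characters, the length limit and the LRC. It reproduces the article's `:010604051234AA<CR><LF>` message. Names are my own.

```python
# Added example (not from the original article): Modbus ASCII framing with LRC.
HEX_DIGITS = set("0123456789ABCDEF")
MAX_ASCII_BODY_BYTES = 255  # 1 address + 1 function + 252 data + 1 LRC -> 510 hex chars


def lrc(data: bytes) -> int:
    """Add all bytes, keep only the low 8 bits (carry discarded), take the two's complement."""
    return (-sum(data)) & 0xFF


def ascii_frame(slave: int, pdu: bytes) -> str:
    """':' + hex(address, PDU, LRC) + CR LF. The LRC covers address and PDU only."""
    body = bytes([slave]) + pdu
    return ":" + (body + bytes([lrc(body)])).hex().upper() + "\r\n"


def parse_ascii(frame: str) -> dict:
    """Validate framing, character set, length and LRC; raise ValueError on any defect."""
    if not (frame.startswith(":") and frame.endswith("\r\n")):
        raise ValueError("missing frame start ':' or frame end CR LF")
    hexpart = frame[1:-2]
    if len(hexpart) % 2 or not set(hexpart) <= HEX_DIGITS:
        raise ValueError("frame body is not an even run of upper-case hex digits")
    if len(hexpart) > 2 * MAX_ASCII_BODY_BYTES:
        raise ValueError("frame exceeds the 513-character limit")
    raw = bytes.fromhex(hexpart)
    if len(raw) < 3:
        raise ValueError("frame too short for address, function code and LRC")
    body, lrc_rx = raw[:-1], raw[-1]
    if lrc(body) != lrc_rx:
        raise ValueError("LRC mismatch")
    return {"slave": body[0], "function": body[1], "data": body[2:]}


def ascii_frame_ok(frame: str) -> bool:
    try:
        parse_ascii(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    msg = ascii_frame(1, bytes.fromhex("0604051234"))
    print(repr(msg))            # ':010604051234AA\r\n'
    print(parse_ascii(msg))
```

One caveat worth knowing when relying on this check: the LRC is a plain sum, so it cannot detect two bytes that have swapped places, which a CRC would catch. The constructed frame `:010604053412AA\r\n` (data bytes 12 and 34 exchanged) passes `parse_ascii` with the same 0xAA check value.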

Modbus TCP data frames

Modbus TCP is described in terms of four message types:

  • MODBUS request

    The message a client sends over the network to start a transaction

  • MODBUS confirmation

    The response message as received by the client

  • MODBUS indication

    The request message as received by the server

  • MODBUS response

    The response message sent by the server

Modbus TCP message frame:

For more detail see "GB-T19582.1-2008 Part 3: Modbus protocol implementation guide over TCP/IP".
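The following Python is an added example, not code from the original article or from the standard: it builds and parses the MBAP header that precedes the PDU in Modbus TCP (transaction id, protocol id, length and unit id), then decodes a read reply. There is no CRC in TCP mode, so the only framing checks available to a receiver or a passive monitor on port 502 are the ones shown here. The reply bytes are constructed sample data and the names are my own.

```python
# Added example (not from the original article): Modbus TCP MBAP framing.
import struct

MBAP_LEN = 7     # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MAX_PDU = 253    # so a Modbus TCP ADU is at most 260 bytes


def mbap_frame(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """MBAP header + PDU. Length counts the unit id plus the PDU; protocol id is always 0."""
    if not 0 < len(pdu) <= MAX_PDU:
        raise ValueError("PDU length out of range")
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_mbap(adu: bytes) -> dict:
    """Validate the header against the bytes actually received and split off the PDU."""
    if len(adu) < MBAP_LEN + 1:
        raise ValueError("shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", adu[:MBAP_LEN])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length > MAX_PDU + 1:
        raise ValueError("length field exceeds the maximum PDU size")
    if length != len(adu) - 6:
        raise ValueError("length field disagrees with the bytes received")
    return {"transaction_id": tid, "unit_id": unit, "function": adu[7], "pdu": adu[7:]}


def read_holding_request(transaction_id: int, unit_id: int, start: int, count: int) -> bytes:
    """Function code 0x03 request wrapped in an MBAP header."""
    return mbap_frame(transaction_id, unit_id, struct.pack(">BHH", 0x03, start, count))


def registers_from_reply(request: bytes, reply: bytes) -> list:
    """Match a 0x03 reply to its request and decode the register values."""
    req, rsp = parse_mbap(request), parse_mbap(reply)
    if rsp["transaction_id"] != req["transaction_id"]:
        raise ValueError("transaction id does not match the request")
    if rsp["function"] == req["function"] | 0x80:  # exception reply
        raise ValueError("server returned exception code 0x%02x" % rsp["pdu"][1])
    if rsp["function"] != req["function"]:
        raise ValueError("function code does not match the request")
    count, payload = rsp["pdu"][1], rsp["pdu"][2:]
    if count != len(payload) or count % 2:
        raise ValueError("byte count does not match payload")
    return list(struct.unpack(">%dH" % (count // 2), payload))


if __name__ == "__main__":
    # The article's Example 4 PDU (read 3 holding registers from 0x0105) over TCP,
    # with transaction id 1 and unit id 1; the reply below is constructed sample data.
    req = read_holding_request(1, 1, 0x0105, 3)
    print(req.hex(" "))  # 00 01 00 00 00 06 01 03 01 05 00 03
    rsp = bytes.fromhex("0001 0000 0009 01 03 06 11 22 33 44 55 66")
    print(registers_from_reply(req, rsp))
```

Compared with RTU, the serial CRC is gone and the slave address becomes the unit id, while the transaction id lets a client pair replies with outstanding requests; `parse_mbap` rejects frames whose length field and received byte count disagree, which is the first thing to check when a capture from port 502 looks malformed.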

Two request patterns

In Modbus, a master can send requests to slave devices in two modes: unicast and broadcast.

Unicast mode

In unicast mode, each slave must have a unique address in the range 1 to 247. The master addresses one specific slave and sends it a request frame, which may read or write data. After receiving and processing the request, the slave returns a reply frame indicating whether the read or write succeeded.

Broadcast mode

In broadcast mode, the master sends a request frame to all slaves; every slave processes the command and no slave responds to a broadcast request. Address 0 is normally the broadcast address.

However, some special devices use 0xFE as the broadcast address. Taking a gas sensor data sheet as an example, 0xFE is used as the broadcast address for changing the device address:

So always refer to the actual device manual.

Modbus address rule

Modbus extended version

Modbus uses asynchronous transmission, which is slow, so its applications have limits. In particular, when two PLCs exchange large amounts of data, the asynchronous mode can no longer meet the overall system response time requirements. This is where Modbus Plus comes in. It uses synchronous transmission with the same data format as Modbus. The protocol is proprietary to Modicon and, unlike Modbus, it requires a dedicated coprocessor to handle high-speed token passing similar to HDLC. It runs at 1 Mbit/s over twisted-pair cable, and each node has an isolating transformer; it is edge-triggered rather than level-triggered. Connecting Modbus Plus to a computer requires a special interface, usually a board for the ISA (SA85), PCI or PCMCIA bus.

Standard Document download

At present there are two standard documents of comparable authority:

  1. Published by the Modbus Organization in April 2012: modbus_application_protocol_specification_v1.1b3.pdf

  2. The Chinese national standard "Industrial Automation Network Specification based on Modbus Protocol GB-T19582.1-2008.pdf", which consists of three parts:

  • GB-T19582.1-2008 Part 1: Modbus application protocol
  • GB-T19582.1-2008 Part 2: Implementation guide for Modbus protocol over serial links
  • GB-T19582.1-2008 Part 3: Modbus protocol implementation guide over TCP/IP