Data Network Resource


Modbus



Introduction


Modbus was originally developed by Modicon (now Schneider Electric) in 1979 and is an open, royalty-free serial communication protocol. Since April 2004 the Modbus Organization (a trade association) has controlled the development of Modbus.

Because of its open nature, Modbus is widely used in Supervisory Control And Data Acquisition (SCADA) systems. However, due in part to its age, Modbus has no built-in security (no authentication or encryption), and the serial versions consume bandwidth because of the requirement to continuously poll all field devices. There are several versions, some for serial lines and some for wired and wireless networks, plus there are numerous deviations from the standard by manufacturers, which can make communication between devices of different manufacturers difficult.

The list below summarises the various versions that exist:
  • Modbus Remote Terminal Unit (RTU) - serial-based originally on EIA-232 before EIA-485 was used more widely due to its greater speeds, distances and multi-drop capability.
  • Modbus ASCII - serial-based and commonly run at 9600 baud
  • Modbus TCP - uses port 502 and relies on the lower layers for the integrity check (there is no Modbus checksum). More than 247 devices can be addressed and Open Modbus allows field (slave) devices to report exceptions.
  • Modbus over TCP/IP - the same as Modbus TCP but includes a checksum.
  • Modbus over UDP
  • Modbus Plus - It uses twisted pair at 1 Mbps and includes transformer isolation at each node, which makes it transition/edge triggered instead of voltage/level triggered and a bit like HDLC.
  • Modbus PEMEX - support for historical and flow data.
  • Enron Modbus - support for 32 bit Integer and Floating Point variables, and historical and flow data.

Data Storage


The device that requests information is called the Modbus Master and the devices giving the information are Modbus Slaves. There can be up to 247 slaves, each one numbered from 1 to 247. One-byte addressing restricts the theoretical number of slaves to 256, 0 is used for broadcast messages. Some implementations allow for two-byte addressing that increases the number of devices to a theoretical maximum of 65536.

The Slave device stores information in four tables for 1 bit digital outputs (Coils), 1 bit digital inputs (Contacts) and 16 bit numerical values (Registers), for read-only and read-write. Each piece of information is assigned a number and a data address according to the following table:

Table Name                        Coil or Register Number   Type         Data Addresses
Discrete Output Coils             1 - 9999                  Read-Write   0x0000 - 0x270E
Discrete Input Contacts           10001 - 19999             Read-Only    0x0000 - 0x270E
Analog Input Registers            30001 - 39999             Read-Only    0x0000 - 0x270E
Analog Output Holding Registers   40001 - 49999             Read-Write   0x0000 - 0x270E

The Data Address used in the messages is related to the Coil/Register number via an offset peculiar to that table. From the table above the offsets are 1, 10001, 30001 and 40001, so, for example, holding register 40001 is addressed as 0x0000 in a message.

Once the addresses reach 0x270E, some manufacturers extend them to utilise the data addresses 0x270F to 0xFFFF, increasing the number of available registers. Whether these Extended Register Addresses can be utilised depends on the particular manufacturer's software.

RTU Frame Format


The diagram below illustrates the frame format for Modbus RTU:

RTU Frame Format

  • Start - the length has to be at least 3.5 characters (4 bits) of silence. Any delay greater than 1.5 characters during a transmission results in the device assuming that this is the start of a new transmission, so it clears its receive buffers and the system keeps running.
  • Slave ID - between 1 and 247
  • Function Code - (see below for the function codes that can be used)
  • Data - this varies according to the request or response being carried; the length is always a whole number of bytes and each data byte can take any value from 0x00 to 0xFF.
  • Cyclic Redundancy Check (CRC) - Every byte in the message is used to calculate the CRC. The receiving device also calculates the CRC and compares it to the CRC from the sending device to check the integrity of the message.
  • End - the length has to be at least 3.5 characters (4 bits) of silence.
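The CRC described above can be checked end to end with a small encoder and decoder. The following is an added example written for this page, not code from the original article or from the Modbus Organization: it computes the Modbus CRC-16 (polynomial 0xA001, initial value 0xFFFF, low byte sent first), builds an RTU request frame, and validates a received frame before any field is trusted. The sample request (slave 1, function 0x03, two registers from data address 0) is a constructed input.

```python
import struct


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: reflected polynomial 0xA001, initial value 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def build_rtu_frame(slave_id: int, function_code: int, data: bytes) -> bytes:
    """Slave ID + function code + data, followed by the CRC (low byte first)."""
    if not 0 <= slave_id <= 247:
        raise ValueError("slave id must be 0 (broadcast) or 1..247")
    if not 0 <= function_code <= 0xFF:
        raise ValueError("function code must fit in one byte")
    body = bytes([slave_id, function_code]) + data
    return body + struct.pack("<H", crc16_modbus(body))


def parse_rtu_frame(frame: bytes):
    """Check the minimum length and the CRC, then split the frame into its fields."""
    if len(frame) < 4:  # slave id + function code + 2 CRC bytes is the shortest possible frame
        raise ValueError("frame too short")
    body = frame[:-2]
    received_crc = struct.unpack("<H", frame[-2:])[0]
    if crc16_modbus(body) != received_crc:
        raise ValueError("CRC mismatch: frame corrupted or truncated")
    return body[0], body[1], body[2:]


def rtu_frame_is_valid(frame: bytes) -> bool:
    """Convenience wrapper: True if the frame is well formed and its CRC matches."""
    try:
        parse_rtu_frame(frame)
        return True
    except ValueError:
        return False


# Constructed example: read 2 holding registers starting at data address 0 from slave 1.
# Function 0x03 data is start address (2 bytes) and quantity (2 bytes), big-endian.
REQUEST = build_rtu_frame(1, 0x03, struct.pack(">HH", 0x0000, 2))

if __name__ == "__main__":
    print("request :", REQUEST.hex(" "))
    corrupted = REQUEST[:3] + bytes([REQUEST[3] ^ 0x01]) + REQUEST[4:]
    print("valid   :", rtu_frame_is_valid(REQUEST))
    print("corrupt :", rtu_frame_is_valid(corrupted))
```

Note that the CRC only detects accidental corruption: any sender that can write to the line can compute a correct CRC, so a matching CRC says nothing about who sent the frame.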

ASCII Frame Format


The diagram below illustrates the frame format for Modbus ASCII:

ASCII Frame Format

  • Start - this is a colon with ASCII value 0x3A.
  • Slave ID - between 1 and 247
  • Function Code - (see below for the function codes that can be used)
  • Data - this varies according to the request or response being carried, but each byte is sent as two hexadecimal characters 0 to F, which translate in ASCII to 0x30 to 0x39 and 0x41 to 0x46.
  • Longitudinal Redundancy Check (LRC) - Every byte in the message including the Start and End is used to calculate the LRC. The receiving device also calculates the LRC and compares it to the LRC from the sending device to check the integrity of the message.
  • End - this is Carriage Return (CR) and Line Feed (LF) characters 0x0D and 0x0A.
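The ASCII framing can be exercised the same way. This is an added example for this page rather than code from the original article: it computes the LRC as the two's complement of the 8-bit sum of the binary message bytes (slave ID, function code and data), wraps the hex text in the colon and CR/LF delimiters, and rejects frames that use characters outside the 0-9 and A-F range the text describes. The sample request is the same constructed read (slave 1, function 0x03, two registers from address 0).

```python
HEX_DIGITS = "0123456789ABCDEF"


def lrc(data: bytes) -> int:
    """Two's complement of the 8-bit sum of the binary message bytes."""
    return (-sum(data)) & 0xFF


def build_ascii_frame(slave_id: int, function_code: int, data: bytes) -> str:
    """':' + hex(slave id, function code, data, LRC) + CR LF, using upper-case hex."""
    if not 0 <= slave_id <= 247:
        raise ValueError("slave id must be 0 (broadcast) or 1..247")
    body = bytes([slave_id, function_code]) + data
    return ":" + (body + bytes([lrc(body)])).hex().upper() + "\r\n"


def parse_ascii_frame(frame: str):
    """Validate delimiters, character set and LRC; return (slave_id, function_code, data)."""
    if not (frame.startswith(":") and frame.endswith("\r\n")):
        raise ValueError("frame must start with ':' and end with CR LF")
    hex_text = frame[1:-2]
    if len(hex_text) % 2 or any(c not in HEX_DIGITS for c in hex_text):
        raise ValueError("frame contains characters outside 0-9 / A-F")
    raw = bytes.fromhex(hex_text)
    if len(raw) < 3:  # slave id + function code + LRC at minimum
        raise ValueError("frame too short")
    body, received_lrc = raw[:-1], raw[-1]
    if lrc(body) != received_lrc:
        raise ValueError("LRC mismatch")
    return body[0], body[1], body[2:]


def ascii_frame_is_valid(frame: str) -> bool:
    try:
        parse_ascii_frame(frame)
        return True
    except ValueError:
        return False


# Constructed example: read 2 holding registers from data address 0 on slave 1.
ASCII_REQUEST = build_ascii_frame(1, 0x03, bytes.fromhex("00000002"))

if __name__ == "__main__":
    print(repr(ASCII_REQUEST))
    print(parse_ascii_frame(ASCII_REQUEST))
```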

TCP Frame Format


The diagram below illustrates the frame format for Modbus TCP:

TCP Frame Format

  • Transaction Identifier - To synchronise messages between the server (master) and client (slave).
  • Protocol Identifier - set at 0 to identify Modbus TCP.
  • Length - the number of remaining bytes in this frame.
  • Unit Identifier - this is the Slave ID and is between 1 and 247, or 255 if this field is not used.
  • Function Code - (see below for the function codes that can be used)
  • Data - this varies according to the request or response being carried; the length is always a whole number of bytes.

Function Codes


The Modbus function codes relate to the four tables that are stored in the Slave device and these are as follows:
  • 0x01 (01) - Read from the table Discrete Output Coils
  • 0x02 (02) - Read from the table Discrete Input Contacts
  • 0x03 (03) - Read from the table Analog Output Holding Registers
  • 0x04 (04) - Read from the table Analog Input Registers
  • 0x05 (05) - Write once to the table Discrete Output Coil
  • 0x06 (06) - Write once to the table Analog Output Holding Register
  • 0x07 (07) - Diagnostics - Read Exception Status
  • 0x08 (08) - Diagnostic
  • 0x0B (11) - Diagnostic - Get Com Event Counter
  • 0x0C (12) - Diagnostic - Get Com Event Log
  • 0x0F (15) - Write multiple times to the table Discrete Output Coils
  • 0x10 (16) - Write multiple times to the table Analog Output Holding Registers
  • 0x11 (17) - Diagnostics - Report Slave ID
  • 0x14 (20) - File Record Access - Read File Record
  • 0x15 (21) - File Record Access - Write File Record
  • 0x16 (22) - Mask Write Register in the table Analog Output Holding Registers
  • 0x17 (23) - Read/write multiple times to the table Analog Output Holding Registers
  • 0x18 (24) - Read FIFO Queue in the table Analog Output Holding Registers
  • 0x2B (43) - Diagnostics - Read Device Identification

A Modbus Map is a list used for a slave device that defines what the data is (e.g. pressure or temperature readings), where the data is stored (which tables and data addresses), and how that data is stored (data types, byte and word ordering). Some devices have a fixed map built in defined by the manufacturer, whilst other devices allow the operator to configure or programme a custom map to suit.
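The following added example ties together the Data Storage offsets, the TCP frame format and the function code list above; it is written for this page and is not code from the original article. It maps a coil/register number such as 40001 to its table, read function code and data address, builds a Modbus TCP request with the MBAP header (transaction identifier, protocol identifier 0, length, unit identifier), parses a received frame with the consistency checks a monitor would apply, and classifies the function code as a read, a write, a diagnostic or an exception response. The exception rule (function code with the top bit set, 0x80) is standard Modbus behaviour and is not spelled out on this page; the sample frames are constructed.

```python
import struct

# (first number, last number, read function code, table name) from the Data Storage table.
TABLES = [
    (1, 9999, 0x01, "Discrete Output Coils"),
    (10001, 19999, 0x02, "Discrete Input Contacts"),
    (30001, 39999, 0x04, "Analog Input Registers"),
    (40001, 49999, 0x03, "Analog Output Holding Registers"),
]

# Function codes from the list above, grouped by what they do to the slave's tables.
READ_CODES = {0x01, 0x02, 0x03, 0x04, 0x14, 0x18}
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10, 0x15, 0x16, 0x17}
DIAGNOSTIC_CODES = {0x07, 0x08, 0x0B, 0x0C, 0x11, 0x2B}


def number_to_address(number: int):
    """Map a coil/register number (e.g. 40001) to (read function code, data address)."""
    for first, last, function_code, _name in TABLES:
        if first <= number <= last:
            return function_code, number - first
    raise ValueError(f"{number} is not in any of the four Modbus tables")


def build_tcp_read_request(transaction_id: int, unit_id: int, number: int, count: int) -> bytes:
    """MBAP header followed by a read PDU for `count` items starting at `number`."""
    if not (1 <= unit_id <= 247 or unit_id == 255):
        raise ValueError("unit identifier must be 1..247, or 255 when unused")
    function_code, address = number_to_address(number)
    pdu = struct.pack(">BHH", function_code, address, count)
    # Length counts the remaining bytes: the unit identifier plus the PDU.
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_tcp_frame(frame: bytes) -> dict:
    """Validate the MBAP header against the actual frame and split out the PDU."""
    if len(frame) < 8:  # 7-byte MBAP header plus at least a function code
        raise ValueError("frame too short for an MBAP header and function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("protocol identifier must be 0 for Modbus TCP")
    if length != len(frame) - 6:
        raise ValueError("length field does not match the bytes actually received")
    return {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function_code": frame[7],
        "data": frame[8:],
    }


def classify(function_code: int) -> str:
    """Read / write / diagnostic per the list above; 0x80 set marks an exception response."""
    if function_code & 0x80:
        return "exception"
    if function_code in WRITE_CODES:
        return "write"
    if function_code in DIAGNOSTIC_CODES:
        return "diagnostic"
    if function_code in READ_CODES:
        return "read"
    return "unknown"


def summarise(frames) -> dict:
    """Count frames by class, the kind of tally a passive monitor keeps per master."""
    counts = {}
    for frame in frames:
        kind = classify(parse_tcp_frame(frame)["function_code"])
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample traffic: one read of 40001-40002 and one write to coil address 0x0013.
SAMPLE_FRAMES = [
    build_tcp_read_request(1, 1, 40001, 2),
    bytes.fromhex("0002 0000 0006 01 05 0013 FF00".replace(" ", "")),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(f.hex(" "), "->", classify(parse_tcp_frame(f)["function_code"]))
    print(summarise(SAMPLE_FRAMES))
```

Because the MBAP header carries no authentication, a monitor can only say what a frame asks for, not who legitimately sent it; the write/diagnostic split is what makes unexpected writes stand out in such a tally.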
