APISQUEEN FOC ESC RS485 Bus Communication Modbus RTU Protocol
Posted by Fengyukun on
Chapter 1: Introduction to the Modbus Protocol
The Modbus protocol is a universal language used in electronic controllers. Through this protocol, controllers can communicate with one another, and controllers can communicate with other devices via a network (such as Ethernet). It has become a universal industrial standard. With it, control devices produced by different manufacturers can be connected into an industrial network for centralised monitoring.
This protocol defines a message structure that a controller can recognise and use, regardless of the type of network through which communication takes place. It describes the process by which a controller requests access to other devices, how to respond to requests from other devices, and how to detect and log errors. It establishes a common format for the structure and content of message fields.
When communicating on a Modbus network, this protocol dictates that each controller must know its device address, recognise messages sent to that address, and determine the appropriate action to take. If a response is required, the controller generates feedback and transmits it using the Modbus protocol. On other networks, messages containing the Modbus protocol are converted into the frame or packet structures used on that network. This conversion also extends methods for resolving addresses, routing paths and error detection specific to the particular network.
The protocol uses a reply-based connection (half-duplex) on a single communication line, meaning that signals travel in both directions along a single line. First, a signal from the master computer is addressed to a single terminal device (slave); subsequently, an acknowledgement signal transmitted by the terminal device in the opposite direction is sent back to the master. The protocol permits data exchange only between the master computer and the terminal device, and does not allow data exchange between independent devices. Consequently, the communication line is not occupied during initialisation, but is restricted to responding to query signals received by the device.
1.1 Transmission Mode
The transmission mode consists of a series of independent data structures within a message frame, along with a finite set of rules for data transmission. When communicating on the Modbus bus in RTU mode, each 8-bit byte in the message is divided into two 4-bit hexadecimal characters, and each message must be transmitted consecutively. The transmission mode defined below is compatible with the Modbus protocol – RTU mode.
Code System
· 8-bit binary, hexadecimal digits 0…9, A…F
· Each 8-bit field in a message consists of two hexadecimal characters
Bits per Byte
· 1 start bit
· 8 data bits, with the least significant bit transmitted first
· 1 parity bit (omitted if no parity is used)
· 1 stop bit (when parity is used), 2 bits (when no parity is used)
Error Detection Field
· CRC (Cyclic Redundancy Check)
1.2 Protocol
When an information frame arrives at a terminal device, it enters the addressed device via a simple ‘port’. The device removes the ‘envelope’ (data header) from the data frame, reads the data, and, if there are no errors, executes the task requested by the data. It then adds the data it has generated to the retrieved ‘envelope’ and returns the data frame to the sender. The returned response data contains the following: the terminal slave address (Address), the command executed (Function), the requested data generated by executing the command (Data), and a checksum (Check). No successful response will be returned if any errors occur.
1.2.1 Data frame
| Address | Function | Data | Check |
|---|---|---|---|
| 8-Bits | 8-Bits | N x 8-Bits | 16-Bits |
Figure 1–1. Message Frame Format
Note: The maximum length permitted for a Modbus message frame is 256 bytes; that is, the range of N is greater than or equal to zero and less than or equal to 252 (0 ≤ N ≤ 252).
In other words, there are 256 bytes in total, leaving 253 bytes for data.
1.2.2 Address Field
The address field (message address) of a message frame is located at the beginning of the frame and consists of 8 bits. The valid range of slave device addresses is 0–247 (decimal), with each slave device being addressed within the range 1–247. The master places the slave address in the address field of the message frame and addresses the slave. When the slave responds, it places its own address in the address field of the response message, allowing the master to identify the slave address that has responded.
Address 0 is the broadcast address, which all slaves can recognise. When the Modbus protocol is used in advanced networks, broadcasting or other alternatives are not permitted.
1.2.3 Function Field
The function field code in the information frame instructs the addressed terminal as to which function to perform. Valid codes range from 1 to 225 (decimal); some codes are applicable to all controllers, some are specific to certain controllers, and others are reserved for future use. For a complete list of function codes, see Appendix A.
When the master sends a message to the slave, the function code instructs the slave on the action to be performed. Examples include reading the ON/OFF status of a set of discrete coils or input signals, reading data from a set of registers, reading the slave’s diagnostic status, writing to coils (or registers), and permitting the downloading, logging or acknowledging of programs within the slave. When the slave responds to the master, the function code may indicate a normal response or an error (i.e. an abnormal response). In the case of a normal response, the slave simply returns the original function code; in the case of an abnormal response, the slave returns a code equivalent to the original code, with the most significant bit set to ‘1’.
For example, when the master requests the slave to read a set of latch registers, the function code for sending the message is:
0000 0011 (hexadecimal 03)
If the slave correctly receives the requested action message, it returns the same code value as a normal response. If an error is detected, it returns a non-normal response message:
1000 0011 (hexadecimal 83)
In addition to modifying the function code, the slave device includes a special code in the data field of the response message to inform the master of the type of error and the reason for the abnormal response. Abnormal responses are detailed in Appendix B. The application programme on the master device is responsible for handling abnormal responses; typically, the master sends test and diagnostic messages to the slave device and notifies the operator. Table 1–1 lists the function codes commonly used by all devices, their meanings and their initial functions.
Table 1–1 Common Function Codes
| Code | Name | Function |
|---|---|---|
| 01 | Read Coil Status | Get the current status (ON/OFF) of a group of logical coils |
| 02 | Read Input Status | Get the current status (ON/OFF) of a group of switch inputs |
| 03 | Read Holding Registers | Retrieve the current binary value from one or more holding registers |
| 04 | Read Input Registers | Retrieve the current binary value from one or more input registers |
| 05 | Force Single Coil | Force the ON/OFF status of a single logical coil |
| 06 | Preset Single Register | Place a specific binary value into a single register |
| 07 | Read Exception Status | Get the ON/OFF status of 8 internal coils |
| 15 | Force Multiple Coils | Force the ON/OFF status of a series of consecutive logical coils |
| 16 | Preset Multiple Registers | Place a series of specific binary values into a series of registers |
| 17 | Report Slave ID | Allows the master to determine the type of addressed slave and the status of its indicator LEDs |
1.2.4 Data Field
The data field contains the data required for the terminal to perform specific functions, or data collected when the terminal responds to a query. The content of this data may consist of numerical values, reference addresses or limit values. It comprises two 16-bit data fields (2⁸ = 256), with a data range of 00–FF (hexadecimal). For example: whilst the function field code instructs the terminal to read a register, the data field must specify the starting register and the number of data items to be read. The embedded addresses and data vary depending on the type and capabilities of the slave device. If no error occurs, the response from the slave device to the host contains the requested data; if an error occurs, the data includes an error code, enabling the host to identify the issue and take appropriate action. The length of the data field may be ‘zero’ to indicate a specific type of information.
1.2.5 Error Checking Field
This field enables the host and terminal to detect errors during transmission. Occasionally, due to electrical noise and other interference, a data packet may undergo alterations whilst being transmitted from one device to another. Error checking ensures that the host or terminal does not respond to data that has been altered during transmission, thereby enhancing the system’s security and efficiency. Error checking employs a 16-bit cyclic redundancy check (CRC).
The error detection field contains a 16-bit value (implemented using two 8-bit characters). The contents of the error detection field are derived by applying a cyclic redundancy check to the message content. The CRC field is appended to the end of the message, with the low-order byte added first, followed by the high-order byte. Consequently, the high-order byte of the CRC is the final byte of the transmitted message.
1.2.6 Sequential Transmission of Characters
When messages are transmitted over a standard Modbus network, each character or byte is sent in left-to-right order:
Least Significant Bit (LSB) … Most Significant Bit (MSB).
The bit sequence is:
With parity
| Start bit | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | Parity bit | Stop bit |
|---|---|---|---|---|---|---|---|---|---|---|
No parity check
| Start bit | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | Stop bit | Stop bit |
|---|---|---|---|---|---|---|---|---|---|---|
Figure 1–2. Bit Order (RTU)
1.3 Error Detection
1. Parity Checking
The user can configure the controller to use odd-parity, even-parity, or no parity. This determines how the parity bit is set within each character.
If odd or even parity is specified, the number of ‘1’s will be counted as part of the total number of bits in each character (7 data bits in ASCII mode, 8 data bits in RTU). For example, an RTU character frame contains the following 8 data bits: 1 1 0 0 0 1 0 1
The total number of ‘1’s is 4. If parity is set to even, the parity bit in the frame will be 0, meaning the total number of ‘1’s remains 4. If parity is set to odd, the parity bit in the frame will be 1, meaning the total number of ‘1’s is 5.
If no parity bit is specified, no parity bit is transmitted and no parity check is performed. Instead, an additional stop bit is inserted into the character frame to be transmitted.
2. CRC Checking
In RTU mode, the CRC method is used to calculate an error check code, with the CRC checking all transmitted data. It disregards the parity checking method applied to individual characters within the data.
The Cyclic Redundancy Check (CRC) field occupies two bytes and contains a 16-bit binary value. The CRC value is calculated by the transmitting device and appended to the data frame. Upon receiving the data, the receiving device recalculates the CRC value and compares it with the value in the received CRC field; if the two values do not match, an error has occurred.
To calculate the CRC, all 16 bits of the register are initially set to ‘1’. Successive 8-bit bytes of the message are then applied to the current contents of the register. Only the 8-bit data of each character is used to generate the CRC; the start bit, stop bit and parity bit are not included in the CRC calculation.
When generating the CRC, each 8-bit byte is XORed with the contents of the register; the result is then shifted one bit towards the least significant bit (to the right), with the most significant bit (MSB) filled with a ‘0’. The least significant bit (LSB) is shifted out and checked; if it is a 1, the register is XORed with a preset fixed value; if the LSB is 0, no action is taken.
The above process is repeated until eight shift operations have been completed. Once the final bit (the 8th bit) has been shifted, the next 8-bit byte is XORed with the current value in the register, and the same sequence of eight shift-and-XOR operations is performed again. Once all bytes in the data frame have been processed, the final value generated is the CRC value.
The procedure for generating a CRC is as follows:
1. Initialise a 16-bit register to 0FFFFH (all 1s), referred to as the CRC register.
2. Perform an XOR operation between the first 8-bit byte in the data frame and the least significant byte in the CRC register; store the result back in the CRC register.
3. Shift the CRC register one bit to the right, set the most significant bit to 0, and examine the least significant bit.
4. If the least significant bit is 0: repeat step 3 (next shift).
If the least significant bit is 1: perform an XOR operation between the CRC register and a predefined fixed value (0A001H).
5. Repeat steps 3 and 4 until eight shifts have been performed. This completes the processing of a full 8-bit byte.
6. Repeat steps 2 to 5 to process the next eight bits, until all bytes have been processed.
7. The final value in the CRC register is the CRC value.
When appending the CRC value to the data, the low-order byte comes first, followed by the high-order byte. Refer to the example in Appendix C, which details the CRC verification process.
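
The seven steps above, written out in Python as an added example (it is not code from the original page or from the device vendor). The function names `crc16_modbus`, `build_frame` and `check_frame` are chosen here for illustration; the query bytes are those of Figure 2–1, and the damaged frame is constructed.

```python
"""CRC-16 for Modbus RTU frames, following steps 1-7 of section 1.3 (added example)."""

POLY = 0xA001       # fixed value XORed into the register at step 4
MAX_FRAME = 256     # maximum frame length given in section 1.2.1


def crc16_modbus(data: bytes) -> int:
    crc = 0xFFFF                    # step 1: preset the register to all 1s
    for byte in data:               # step 6: repeat for every byte of the frame
        crc ^= byte                 # step 2: XOR into the low-order byte
        for _ in range(8):          # step 5: eight shifts per byte
            shifted_out = crc & 1   # the bit that step 3 examines
            crc >>= 1               # step 3: shift right, MSB becomes 0
            if shifted_out:
                crc ^= POLY         # step 4: XOR with 0A001H when the bit was 1
    return crc                      # step 7: the register now holds the CRC


def build_frame(address: int, function: int, data: bytes = b"") -> bytes:
    """Return address + function + data + CRC, with the CRC low-order byte first."""
    if not 0 <= address <= 247:
        raise ValueError("address outside 0-247")
    if not 0 <= function <= 0xFF:
        raise ValueError("function code is not one byte")
    body = bytes([address, function]) + data
    if len(body) + 2 > MAX_FRAME:
        raise ValueError("frame would exceed 256 bytes")
    crc = crc16_modbus(body)
    return body + bytes([crc & 0xFF, crc >> 8])


def check_frame(frame: bytes) -> tuple[int, int, bytes]:
    """Recompute the CRC as a receiver does; return (address, function, data)."""
    if not 4 <= len(frame) <= MAX_FRAME:
        raise ValueError("frame length outside 4-256 bytes")
    received = frame[-2] | (frame[-1] << 8)     # low-order byte arrives first
    if crc16_modbus(frame[:-2]) != received:
        raise ValueError("CRC mismatch")
    return frame[0], frame[1], frame[2:-2]


def demo():
    # Query of Figure 2-1: slave 06, function 03, start 006BH, one register.
    query = build_frame(0x06, 0x03, bytes.fromhex("006B0001"))
    damaged = bytearray(query)
    damaged[3] ^= 0x01              # constructed single-bit error in the data field
    try:
        check_frame(bytes(damaged))
        detected = False
    except ValueError:
        detected = True
    return query, check_frame(query), detected


if __name__ == "__main__":
    frame, parsed, detected = demo()
    print(frame.hex(" "), parsed, "corruption detected:", detected)
```

The CRC only catches accidental corruption: any device on the bus can compute a valid one, so a passing check says nothing about which device sent the frame.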
Chapter 2 Detailed Explanation of Modbus Data and Control Functions
All data addresses in Modbus messages are zero-based, with the first data address numbered 0. Unless otherwise specified, values in this section are expressed in decimal notation, whilst data fields in the diagrams are shown in hexadecimal notation.
Figure 2–1 provides an example illustrating a Modbus query message, whilst Figure 2–2 shows an example of a normal response. The data in both examples is presented in hexadecimal format and also demonstrates the method of constructing data frames in RTU mode.
The master query reads a hold register; the requested slave address is 06, and the data read comes from the hold register at address 40108. Note that this message specifies the starting address of the register as 0107 (006BH).
The slave response returns this function code, indicating a normal response, whilst the ‘Byte count’ field specifies the number of 8-bit bytes returned. It indicates the number of 8-bit bytes contained in the data area; when organising the response message in the buffer, the value in the “Byte Count” field must match the number of bytes in the data area of the message. For example, in RTU mode, 63H is transmitted using a single byte (01100011). “Byte Count” is calculated in units of 8 bits, disregarding the method used to construct the data frame.
| Addr | Fun | Data start reg hi | Data start reg lo | Data #of regs hi | Data #of regs lo | CRC16 hi | CRC16 lo |
|---|---|---|---|---|---|---|---|
| 06H | 03H | 00H | 6BH | 00H | 01H | XXH | XXH |
Figure 2–1 Modbus query information
| Addr | Fun | Byte count | Data1 hi | Data1 lo | Data2 hi | Data2 lo | Data3 hi | Data3 lo | CRC16 hi | CRC16 lo |
|---|---|---|---|---|---|---|---|---|---|---|
| 06H | 03H | 06H | 02H | 2BH | 00H | 00H | 00H | 63H | XXH | XXH |
Figure 2–2 Modbus response message
2.1 Reading coil status (Function Code 01)
Reads the ON/OFF status of the slave’s discrete output (DO, 0x type); broadcasting is not supported.
Query
The query message specifies the starting tag and the number of tags to be read. The starting address for tags is 0000H; the addressing for tags 1 to 16 ranges from 0000H to 0015H (DO1 = 0000H, DO2 = 0001H, and so on).
The example in Figure 2–3 reads the status of DO1 to DO6 from a slave device at address 17.
| Addr | Fun | DO start reg hi | DO start reg lo | DO #of regs hi | DO #of regs lo | CRC16 hi | CRC16 lo |
|---|---|---|---|---|---|---|---|
| 11H | 01H | 00H | 00H | 00H | 06H | XXH | XXH |
Figure 2–3 Reading Coil Status—Query
Response
The status of each coil in the response message corresponds to the value of each bit in the data section; that is, each DO occupies one bit (1 = ON, 0 = OFF). The LSB of the first data byte is the address specified in the query, and the remaining coils are arranged sequentially within that byte from least significant bit (LSB) to most significant bit (MSB), up to a total of eight coils. The next byte is also arranged from LSB to MSB. If the number of coils returned is not a multiple of 8, the remaining bits in the final data byte up to the most significant bit are all set to 0; the byte count field indicates the total number of bytes of data.
Figure 2–4 shows an example of a coil output status response.
| Addr | Fun | Byte count | Data | CRC16 hi | CRC16 lo |
|---|---|---|---|---|---|
| 11H | 01H | 01H | 2AH | XXH | XXH |
Data
| 0 | 0 | 0 | 0 | 0 | 0 | DO2 | DO1 |
|---|---|---|---|---|---|---|---|
| MSB | 7 | 6 | 5 | 4 | 3 | 2 | LSB |
Figure 2–4 Reading Coil Status—Response
2.2 Reading Input Status (Function Code 02)
Reads the ON/OFF status of the slave’s discrete input signals (DI, 0X type); broadcasting is not supported.
The query
The query specifies the starting address of the inputs to be read, as well as the number of input signals. The starting address for inputs is 0000H; the addresses for input ports 1 to 16 are 0 to 15 respectively (DO1 = 0000H, DO2 = 0001H, and so on).
The example in Figure 2–5 reads the status of DI1 to DI16 from a slave with address 17.
| Addr | Fun | DI start addr hi | DI start addr lo | DI num hi | DI num lo | CRC16 hi | CRC16 lo |
|---|---|---|---|---|---|---|---|
| 11H | 02H | 00H | 00H | 00H | 10H | XXH | XXH |
Figure 2–5 Reading Input Status—Query
Response
The status of each input port in the response message corresponds to each bit in the data field, where 1 = ON and 0 = OFF. The LSB of the first data byte represents the address specified in the query, and the other input ports are arranged sequentially within that byte from least significant to most significant, up to a total of 8 bits. The 8 input bits in the next byte are also arranged from least significant to most significant. If the number of input bits returned is not a multiple of 8, the remaining bits in the final data byte, up to the most significant bit, are all set to zero. The byte count field specifies the total number of bytes of data.
Figure 2–6 shows an example of a response for reading digital output status.
| Addr | Fun | Byte count | Data1 | Data2 | CRC16 hi | CRC16 lo |
|---|---|---|---|---|---|---|
| 11H | 02H | 02H | 33H | CCH | XXH | XXH |
Data 1
| DI8 | DI7 | DI6 | DI5 | DI4 | DI3 | DI2 | DI1 |
|---|---|---|---|---|---|---|---|
| MSB | | | | | | | LSB |
Data 2
| DI16 | DI15 | DI14 | DI13 | DI12 | DI11 | DI10 | DI9 |
|---|---|---|---|---|---|---|---|
| MSB | | | | | | | LSB |
Figure 2–6 Reading Input Status—Response
2.3 Reading the Hold Register (Function Code 03)
Reads binary data from the slave hold register (4X type); broadcasting is not supported.
The query
The query specifies the starting address of the hold registers to be read and the number of hold registers. The starting address for addressing the hold registers is 0000H, with registers 1–16 corresponding to addresses 0000H–0015H respectively.
The example in Figure 2–7 reads three acquired basic data values, U1, U2 and U3, from slave 17. The address of U1 is 0000H, the address of U2 is 0001H, and the address of U3 is 0002H.
| Addr | Fun | Data start addr hi | Data start addr lo | Data #of regs hi | Data #of regs lo | CRC16 hi | CRC16 lo |
|---|---|---|---|---|---|---|---|
| 11H | 03H | 00H | 00H | 00H | 03H | XXH | XXH |
Figure 2–7 Reading the Hold Register—Query
Response
The register data in the response is in binary format, with each register corresponding to two bytes; the first byte represents the high-order data and the second byte represents the low-order data.
The example in Figure 2–8 shows the response to reading U1, U2 and U3 (U1=03E8H, U2=03E7H, U3=03E9H).
| Addr | Fun | Byte count | Data1 hi | Data1 lo | Data2 hi | Data2 lo | Data3 hi | Data3 lo | CRC16 hi | CRC16 lo |
|---|---|---|---|---|---|---|---|---|---|---|
| 11H | 03H | 06H | 03H | E8H | 03H | E7H | 03H | E9H | XXH | XXH |
Figure 2–8 Reading the Hold Register—Response
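
The response layouts of sections 2.1 to 2.3 and the abnormal-response convention of section 1.2.3, as an added Python example (not code from the original page). It assumes the address byte and CRC have already been checked and removed, so `pdu` is the function byte followed by the data field; the function names are illustrative, and the inputs in the comments are the data bytes of Figures 2–4, 2–6 and 2–8.

```python
"""Decode the data field of Modbus read responses (added example)."""


def unpack_bits(payload: bytes, count: int) -> list[bool]:
    """Coils/inputs: the LSB of the first byte is the first point requested."""
    if len(payload) != (count + 7) // 8:
        raise ValueError("data length does not match the number of points")
    bits = [bool((payload[i // 8] >> (i % 8)) & 1) for i in range(count)]
    used = count % 8
    if used and payload[-1] >> used:
        # The unused high bits of the last byte are specified as 0.
        raise ValueError("unused bits of the last data byte are not zero")
    return bits


def unpack_registers(payload: bytes, count: int) -> list[int]:
    """Registers: two bytes each, high-order byte first."""
    if len(payload) != 2 * count:
        raise ValueError("data length does not match the number of registers")
    return [(payload[i] << 8) | payload[i + 1] for i in range(0, len(payload), 2)]


def decode_response(request_function: int, count: int, pdu: bytes):
    """Return ("bits", [...]), ("registers", [...]) or ("exception", code)."""
    if not 0 < request_function < 0x80:
        raise ValueError("request function code out of range")
    if len(pdu) < 2:
        raise ValueError("response too short")
    function, data = pdu[0], pdu[1:]
    if function == (request_function | 0x80):
        # Abnormal response: same code with the most significant bit set,
        # followed by a code describing the error.
        return ("exception", data[0])
    if function != request_function:
        raise ValueError("function code does not match the request")
    if function == 0x07:
        # Read Exception Status: one data byte, no byte-count field.
        return ("bits", unpack_bits(data, 8))
    byte_count, payload = data[0], data[1:]
    if byte_count != len(payload):
        raise ValueError("byte count field disagrees with the data length")
    if function in (0x01, 0x02):
        return ("bits", unpack_bits(payload, count))
    if function in (0x03, 0x04):
        return ("registers", unpack_registers(payload, count))
    raise ValueError("not a read function handled by this example")


if __name__ == "__main__":
    print(decode_response(0x01, 6, bytes.fromhex("01012A")))            # Figure 2-4
    print(decode_response(0x02, 16, bytes.fromhex("020233CC")))         # Figure 2-6
    print(decode_response(0x03, 3, bytes.fromhex("030603E803E703E9")))  # Figure 2-8
    print(decode_response(0x03, 3, bytes.fromhex("8302")))  # constructed abnormal response
```

Checking the byte count against both the request and the actual data length keeps a short or padded response from being read as valid register values.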
2.4 Reading the Input Register (Function Code 04)
Reads binary data from the slave input register (3X type); broadcasting is not supported.
The query
The query specifies the starting address of the register to be read and the number of registers; the starting address is 0, and the addresses corresponding to registers 1–16 are 0000H–0015H respectively.
The example in Figure 2–9 requests register 0009 from slave 17.
| Addr | Fun | DO addr hi | DO addr lo | Data #of regs hi | Data #of regs lo | CRC16 hi | CRC16 lo |
|---|---|---|---|---|---|---|---|
| 11H | 04H | 00H | 08H | 00H | 01H | XXH | XXH |
Figure 2–9 Reading Input Registers—Query
Response
In the response message, the register data consists of two bytes for each register; the first byte represents the high-order data and the second byte represents the low-order data.
In the example shown in Figure 2–10, the data in register 30009 is represented by the two-byte value 000AH.
| Addr | Fun | Byte count | Data hi | Data lo | CRC16 hi | CRC16 lo |
|---|---|---|---|---|---|---|
| 11H | 04H | 02H | 00H | 0AH | XXH | XXH |
Figure 2–10 Reading Input Registers—Response
2.5 Forcing a Single Coil (Function Code 05)
Forces a single coil (DO, 0X type) to the ON or OFF state. When broadcast, this function forces all coils of the same type in all slave devices to the ON or OFF state.
This function overrides the controller’s memory protection status and the coil’s disabled status. The forced coil state remains active until the next control logic is applied to the coil. If there is no coil programme in the control logic, the coil remains in the forced state.
The query
The query information specifies the type of individual coil to be forced. The starting address of the coil is 0000H; the addressing addresses for coils 1–16 are 0000H–0015H (DO1 = 0000H, DO2 = 0001H, and so on).
A constant in the query data area specifies the ON/OFF status of the requested coil; a value of FF00H requests the coil to be in the ON state, a value of 0000H requests the coil to be in the OFF state, and other values have no effect on the coil.
The example shown in Figure 2-11 requests that slave 17 set DO1 to the ON state.
| Addr | Fun | DO addr hi | DO addr lo | Value hi | Value lo | CRC16 hi | CRC16 lo |
|---|---|---|---|---|---|---|---|
| 11H | 05H | 00H | 00H | FFH | 00H | XXH | XXH |
Figure 2-11 Forced Single Coil — Query
Response
Figure 2-12 shows the normal response to this command request, which is the data received after the DO state has changed.
| Addr | Fun | DO addr hi | DO addr lo | Value hi | Value lo | CRC16 hi | CRC16 lo |
|---|---|---|---|---|---|---|---|
| 11H | 05H | 00H | 00H | FFH | 00H | XXH | XXH |
Figure 2-12 Forced Single-Coil Response
2.6 Pre-set Single Register (Function Code 06)
This function pre-sets a value into a hold register (4X type); when broadcast, it pre-sets the value into registers of the same type on all slave units.
This function bypasses the controller’s memory protection. It ensures that the preset value in the register remains valid. The preset value can only be processed by the controller’s next logic signal. If there is no register programme in the control logic, the value in the register remains unchanged.
The query
The query information specifies the type of register to be preset. The starting address for register addressing is 0000H, and the address corresponding to Register 1 is 0000H.
The example shown in Figure 2-13 requests that slave 17 preset the register at address 0040H to the value 2717.
| Addr | Fun | Data start reg hi | Data start reg lo | Value hi | Value lo | CRC hi | CRC lo |
|---|---|---|---|---|---|---|---|
| 11H | 06H | 00H | 40H | 0AH | 9DH | XXH | XXH |
Figure 2-13 Pre-set Single Register – Query
Response
As shown in Figure 2-14, the normal response to a pre-set single register request is to return the received data after the register value has been updated.
|
Addr |
Fun |
Data start reg hi |
Data start reg lo |
Value hi |
Value lo |
CRC hi |
CRC lo |
|---|---|---|---|---|---|---|---|
|
11H |
06H |
00H |
40H |
0AH |
9DH |
XXH |
XXH |
Figure 2-14 Preset Single Register — Response
2.7 Reading Fault Status (Function Code 7)
Reads data from eight abnormal status coils in the central unit. Certain coil numbers are predefined in different controller models, whilst others are programmed by the user to provide status information regarding the controller, such as ‘machine ON/OFF’, ‘heads retraced’, ‘safeties satisfied’, ‘error conditions’ or other user-defined flags. This function code does not support broadcasting.
This function code provides a simple method for accessing this type of information, as the type of fault coil is known (no coil type is required in the function code). The predefined fault coil numbers are as follows:
| Controller model | Coil | Setting |
|---|---|---|
| M84, 184/384, 584, 984 | 1-8 | User-defined |
| 484 | 257 | Battery status |
| | 258-264 | User-defined |
| 884 | 761 | Battery status |
| | 762 | Memory protection status |
| | 763 | R10 operating status |
| | 764-768 | User-defined |
Query
The example shown in Figure 2-15 illustrates a request to read the abnormal status of slave device 17.
| Addr | Fun | CRC16 hi | CRC16 lo |
|---|---|---|---|
| 11H | 07H | XXH | XXH |
Figure 2-15 Reading Fault Conditions — Query
Response
A normal response contains 8 abnormal coil states, represented as a single data byte, with one bit per coil. The LSB corresponds to the state of the coil with the lowest number.
Figure 2-16 shows the response returned in accordance with the query request:
| Addr | Fun | DO Data | CRC16 hi | CRC16 lo |
|---|---|---|---|---|
| 11H | 07H | 6DH | XXH | XXH |
Figure 2-16 Reading Fault Conditions — Response
In this example, the coil data is 6DH (binary 0110 1101). From left to right (most significant bit to least significant bit), the coil states are: OFF – ON – ON – OFF – ON – ON – OFF – ON. If the controller model is 984, these bits represent the states of coils 8 to 1; if the controller model is 484, they represent the states of coils 264 to 257.
2.8 Force Multiple Coils (Function Code 15)
Forces each coil (DO, 0x type) to ON or OFF in coil order. When broadcast, this function code forces coils of the same type in each slave.
This function code bypasses memory protection and coil disable status. The forced state remains active and can only be processed by the controller’s subsequent logic. If there is no coil control logic programme, the coils will remain in the forced state.
The query
The query information specifies the type of coil to be forced. The starting address of the coils is 0000H, and the addressing addresses for coils 1–16 are divided into 0000H–0015H (DO1=0000H, DO2=0001H, and so on).
The query data field specifies the ON/OFF status of the requested coils; if a bit in the data field is set to “1”, the corresponding coil is in the ON state, and if the bit is set to “0”, it is in the OFF state.
Figure 2-17 illustrates a request to set a group of 10 coils in slave device 17 to a forced state, with the starting coil being 20 (hence the address is 19 or 13H). The query data consists of 2 bytes, CD01H (binary 1100 1101 0000 0001). The binary bit patterns for the corresponding coils are as follows:
| Bit: | 1 | 1 | 0 | 0 | 1 | 1 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Coil: | 27 | 26 | 25 | 24 | 23 | 22 | 21 | 20 | – | – | – | – | – | – | 29 | 28 |
The first byte transmitted, CDH, corresponds to coils 27–20, with the LSB corresponding to coil 20; the second byte transmitted is 01H, corresponding to coils 29–28, with the LSB being coil 28; all remaining unused bits are set to ‘0’.
| Addr | Fun | DO addr hi | DO addr lo | Data #of reg hi | Data #of reg lo | Byte count | Value hi | Value lo | CRC hi | CRC lo |
|---|---|---|---|---|---|---|---|---|---|---|
| 11H | 0FH | 00H | 13H | 00H | 0AH | 02H | CDH | 01H | XXH | XXH |
Figure 2-17 Forced Multi-Coil – Query
Response
A normal response returns the slave address, function code, start address and the number of forced coils.
Figure 2-18 shows the response to the query described above.
| Addr | Fun | DO addr hi | DO addr lo | Data #of reg hi | Data #of reg lo | CRC16 hi | CRC16 lo |
|---|---|---|---|---|---|---|---|
| 11H | 0FH | 00H | 13H | 00H | 0AH | XXH | XXH |
Figure 2-18 Forced Multi-Coil — Response
2.9 Pre-set Multi-Register (Function Code 16)
This function pre-sets data sequentially into each (4X-type) register; when broadcast, this function code pre-sets the data into registers of the same type in all slave units.
This function code bypasses the controller’s memory protection; the pre-set values in the registers remain valid and can only be processed by the controller’s subsequent logic. If the control logic does not contain a programme for that register, the value in the register remains unchanged.
The query
The query information specifies the type of register to be loaded; the starting address for register addressing is 0000H, and the address corresponding to Register 1 is 0000H.
The example shown in Figure 2-19 requests that slave 17 preset the value 178077833 into the registers starting at address 0040H.
| Addr | Fun | Data start reg hi | Data start reg lo | Data #of reg hi | Data #of reg lo | Byte count | Value hi | Value lo | Value hi | Value lo | CRC hi | CRC lo |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 11H | 10H | 00H | 40H | 00H | 02H | 04H | 40H | 89H | 0AH | 9DH | XXH | XXH |
Figure 2-19: Pre-set Multi-register – Query
Response
As shown in Figure 2-20, the normal response to a pre-set single-register request is to return the received data after the register value has been updated.
| Addr | Fun | Data start reg hi | Data start reg lo | Data #of reg hi | Data #of reg lo | CRC16 hi | CRC16 lo |
|---|---|---|---|---|---|---|---|
| 11H | 10H | 00H | 40H | 00H | 02H | XXH | XXH |
Figure 2-20: Multi-register Preset — Response
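
Function codes 05, 06, 15 and 16 change device state, bypass memory protection and, when sent to address 0, act on every slave, so a bus monitor or gateway can audit them before they reach a device. The Python below is an added example (not code from the original page) that takes a request with its CRC already verified and removed; the allowlist `POLICY`, the finding names and the last two sample frames are constructed for illustration, while the first four frames are the queries of Figures 2-11, 2-13, 2-17 and 2-19.

```python
"""Audit Modbus write requests against a per-slave allowlist (added example)."""
import struct

WRITE_CODES = {0x05, 0x06, 0x0F, 0x10}      # function codes 05, 06, 15, 16
TABLE_CODES = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x0F, 0x10, 0x11}  # Table 1-1


def write_span(function: int, data: bytes) -> tuple[int, int]:
    """Return (start address, quantity) of a write request, or raise ValueError."""
    if function in (0x05, 0x06):
        if len(data) != 4:
            raise ValueError("data field is not 4 bytes")
        start, value = struct.unpack(">HH", data)
        if function == 0x05 and value not in (0xFF00, 0x0000):
            raise ValueError("coil value is neither FF00H nor 0000H")
        return start, 1
    if len(data) < 5:
        raise ValueError("data field shorter than 5 bytes")
    start, quantity, byte_count = struct.unpack(">HHB", data[:5])
    expected = (quantity + 7) // 8 if function == 0x0F else 2 * quantity
    if quantity == 0 or byte_count != expected or len(data) != 5 + byte_count:
        raise ValueError("byte count does not match the quantity")
    return start, quantity


def audit_request(body: bytes, allowed: dict) -> list[str]:
    """body = address + function + data. Returns a list of findings (empty = OK)."""
    if len(body) < 2:
        return ["malformed: no function code"]
    address, function, data = body[0], body[1], body[2:]
    if function not in TABLE_CODES:
        return ["function-not-in-table"]
    if function not in WRITE_CODES:
        return []                            # reads are not audited here
    findings = []
    if address == 0:
        findings.append("broadcast-write")   # acts on every slave on the bus
    try:
        start, quantity = write_span(function, data)
    except ValueError as exc:
        return findings + [f"malformed: {exc}"]
    permitted = allowed.get((address, function), range(0))
    if start not in permitted or start + quantity - 1 not in permitted:
        findings.append("write-outside-allowlist")
    return findings


# Constructed policy: (slave address, function code) -> writable address range.
POLICY = {
    (0x11, 0x05): range(0x0000, 0x0010),
    (0x11, 0x0F): range(0x0013, 0x001D),
    (0x11, 0x10): range(0x0040, 0x0042),
}

SAMPLES = {
    "fig_2_11_force_coil": "11050000FF00",
    "fig_2_13_preset_register": "110600400A9D",
    "fig_2_17_force_coils": "110F0013000A02CD01",
    "fig_2_19_preset_registers": "1110004000020440890A9D",
    "constructed_broadcast": "000600400A9D",
    "constructed_bad_coil_value": "110500001234",
}


def run_samples() -> dict:
    return {name: audit_request(bytes.fromhex(hexstr), POLICY)
            for name, hexstr in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(f"{name:28s} {findings or 'ok'}")
```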
2.10 Report Slave Identification (Function Code 17)
Returns the type of the slave address controller, the current status of the slave, and other information regarding the slave. Broadcasting is not supported.
Query
The example in Figure 2-21 requests the identification ID and status of slave device 17.
| Addr | Fun | CRC16 hi | CRC16 lo |
|---|---|---|---|
| 11H | 11H | XXH | XXH |
Figure 2-21: Slave Identification – Query
Response
Figure 2-22 shows the format of a normal response; the data content corresponds to the type of each controller.
| Addr | Fun | Byte Count | Slave ID | Run Indicator Status | Additional Data | CRC16 hi | CRC16 lo |
|---|---|---|---|---|---|---|---|
| 11H | 11H | XXH | XXH | XXH | XXH | XXH | XXH |
Figure 2-22 Report: Slave ID — Response
Summary of Slave IDs
The first byte in the data area is the slave ID returned by the Modicon controller:
| Slave ID | Controller |
|---|---|
| 0 | Micro 84 |
| 1 | 484 |
| 2 | 23/48 |
| 3 | 584 |
| 8 | 884 |
| 9 | 984 |
Note: For further details, please refer to the English or Chinese version of the Modbus protocol.
Chapter 3 Appendices
Appendix A: Complete List of Modbus Function Codes
The Modbus network is an industrial communication system comprising programmable logic controllers (PLCs) and computers equipped with intelligent terminals, connected via public or private local lines. Its system architecture encompasses both hardware and software. It can be applied to various data acquisition and process monitoring applications. Table 3–1 below provides the definitions of Modbus function codes.
Table 3–1 Modbus Function Codes
| Function code | Name | Function |
|---|---|---|
| 01 | Read coil status | Retrieve the current status (ON/OFF) of a set of logic coils |
| 02 | Read input status | Retrieve the current status (ON/OFF) of a set of switch inputs |
| 03 | Read hold register | Retrieve the current binary values in one or more latch registers |
| 04 | Read input register | Retrieve the current binary values in one or more input registers |
| 05 | Force single coil | Force the ON/OFF status of a logic coil |
| 06 | Preset single register | Load a specific binary value into a latch register |
| 07 | Read fault status | Retrieve the ON/OFF status of 8 internal coils; the addresses of these 8 coils are determined by the controller, and user logic can define these coils to indicate the slave unit’s status; short messages are suitable for rapid status reading |
| 08 | Return diagnostic check | Send a diagnostic check message to the slave unit to evaluate communication processing |
| 09 | Program (484 only) | Enable the host to act as a programmer to modify the logic of the PC slave unit |
| 10 | Control query (484 only) | Enables the master to communicate with a slave currently executing a long program task, to enquire whether the slave has completed its operational task; this function code is only transmitted following the dispatch of a message containing function code 9 |
| 11 | Read event counter | Enables the master to issue a single enquiry and immediately determine whether the operation was successful, particularly when a communication error occurs with this command or any other response |
| 12 | Read communication event log | Enables the master to retrieve the Modbus transaction event log for each slave. If a transaction is completed, the log will indicate any errors |
| 13 | Program (184/384, 484, 584) | Enables the master to emulate a programmer function to modify the logic of a PC slave |
| 14 | Poll (184/384, 484, 584) | Enables the master to communicate with a slave currently executing a task, periodically enquiring whether the slave has completed its program operation; this function code may only be sent after a message containing function code 13 has been transmitted |
| 15 | Force single coil | Forces the on/off state of a series of consecutive logic coils |
| 16 | Preset single register | Loads specific binary values into a series of consecutive latch registers |
| 17 | Report slave identifier | Enables the host to determine the type of the addressed slave and the status of its operational indicator |
| 18 | (884 and MICRO 84) | Enables the host to simulate programming functions and modify the PC’s state logic |
| 19 | Reset communication link | Following a non-modifiable error, the slave returns to a known state; the sequence byte may be reset |
| 20 | Read general parameters (584L) | Displays data information from the extended memory file |
| 21 | Write general parameters (584L) | Writes general parameters to the extended memory file, or modifies them |
| 22~64 | Reserved for future expansion functions | |
| 65~72 | Reserved for user functions | Reserved for user function extension codes |
| 73~119 | Invalid function | |
| 120~127 | Reserved | Reserved for internal use |
| 128~255 | Reserved | Used for exception responses |
A Modbus network consists of a single master, from which all communication originates. The network can support up to 247 remote slave controllers, although the actual number of slaves supported depends on the communication equipment used. With this system, individual PCs can exchange information with the central master without affecting their own control tasks. Table 3–2 shows the data types corresponding to each Modbus function code.
Table 3–2 Correspondence between Modbus function codes and data types
| Code | Function | Data type |
|---|---|---|
| 01 | Read | Bit |
| 02 | Read | Bit |
| 03 | Read | Integer, Character, Status Word, Floating-point |
| 04 | Read | Integer, Status Word, Floating-point |
| 05 | Write | Bit |
| 06 | Write | Integer, Character, Status Word, Floating-point |
| 08 | N/A | Repeat “loop feedback” information |
| 15 | Write | Bit |
| 16 | Write | Integer, Character, Status Word, Floating-point |
| 17 | Read | Character |
Appendix B: Abnormal Responses
Abnormal Responses:
With the exception of broadcasts, when the host sends a query to a slave device and expects a normal response, four types of events may occur in the host query:
- If the slave receives the query without a communication error and processes it normally, it returns a normal response.
- If, due to a communication error, the slave is unable to receive the query data, it does not return a response. In this case, the host relies on the handling routine to generate a query timeout event.
- If the slave receives the query but detects a communication error (LRC or CRC), it returns no response, and the host’s handling routine generates a query timeout event.
- If the slave receives the query without communication errors but is unable to process it (e.g. attempting to read non-existent coils or registers), it reports the nature of the error to the host.
Abnormal response messages contain two areas that differ from normal responses:
Function Code Area: In a normal response, the function code area of the slave’s response contains the function code from the original query. The MSB of all function codes is 0 (i.e. the value is less than 80H). In an abnormal response, the slave sets the MSB of the function code to 1, resulting in a function code value greater than 80H, which is higher than the value in a normal response. In this way, the host application can identify the abnormal response event and inspect the data area of the abnormal code.
Data section: In a normal response, the data section contains the data or statistical values (as specified by the query). In an abnormal response, the data section contains an error code, which describes the conditions and reasons for the slave’s abnormal response.
Example: The host issues a query, and the slave responds abnormally. (Data is in hexadecimal.)
Query:
| Addr | Fun | DO start reg hi | DO start reg lo | DO #of regs hi | DO #of regs lo | CRC16 Hi | CRC16 Lo |
|---|---|---|---|---|---|---|---|
| 0AH | 01H | 04H | A1H | 00H | 01H | XXH | XXH |
Response (abnormal or exception):
| Addr | Fun | Exception Code | CRC16 Hi | CRC16 Lo |
|---|---|---|---|---|
| 0AH | 81H | 02H | XXH | XXH |
Figure 3–1. Format of an error message frame
In the example above, the slave device address is 10 (0AH), the function code (01) is for reading the coil status, and the master requests the status of the coil at address 1245 (04A1H). Note: Only one coil is read, as specified by the number-of-coils field (0001).
If this coil address does not exist in the slave device, an error response is returned to the master with error code (02), indicating an invalid address.
Table 3–3 Modbus error codes:
| Code | Name | Meaning |
|---|---|---|
| 01 | Invalid function code | The slave has received a function code that cannot be executed. Following the issuance of a query command, this code indicates that no programme function is available. |
| 02 | Invalid data address | The data address received is not permitted by the slave. |
| 03 | Invalid data | The value in the query data area is not permitted by the slave. |
| 04 | Slave device fault | An unrecoverable error has occurred whilst the slave was executing the action requested by the master. |
| 05 | Confirmed | The slave has received the request to process data but requires a significant amount of processing time; it sends this acknowledgement to prevent the master from encountering a timeout error. The master then sends a ‘Query Programme Complete’ message without determining whether the slave has completed processing. |
| 06 | Slave device busy | The slave is currently occupied processing a long-running programme command and requests that the master send the message when the slave becomes idle. |
| 07 | Negative | When the slave is unable to execute the programme function requested by the query, this code uses decimal codes 13 or 14 to return a “failed programme request” message to the master. The master should request diagnostic error information from the slave. |
| 08 | Memory parity error | When reading data from expanded memory, the slave detects a parity error; the master resends the data request as requested by the slave. |
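A master-side check of the two response shapes described above (the function 10H echo of Figure 2-20 and the exception frame of Figure 3-1), given here as an added example that is not code from the original page or from APISQUEEN. The function names are illustrative, and the CRC is assumed to be the standard Modbus RTU CRC-16 appended low byte first, since the figures show the CRC bytes only as XXH.

```python
import struct

# Exception names as listed in Table 3-3 of this page.
EXCEPTIONS = {1: "Invalid function code", 2: "Invalid data address",
              3: "Invalid data", 4: "Slave device fault", 5: "Confirmed",
              6: "Slave device busy", 7: "Negative", 8: "Memory parity error"}

def crc16(data: bytes) -> int:
    """Standard Modbus RTU CRC-16 (init 0xFFFF, reflected polynomial 0xA001)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def add_crc(body: bytes) -> bytes:
    """Append the CRC low byte first (assumed standard RTU byte order)."""
    return body + struct.pack("<H", crc16(body))

def classify(query: bytes, response: bytes):
    """Return (kind, detail) for a response to `query`; both carry CRC bytes."""
    if len(response) < 5:  # shortest valid reply: addr, fun, code, 2 CRC bytes
        return ("discard", "short or missing frame")
    if crc16(response[:-2]) != struct.unpack("<H", response[-2:])[0]:
        return ("discard", "CRC mismatch")
    fun = response[1]
    if response[0] != query[0] or (fun & 0x7F) != query[1]:
        return ("unexpected", "address or function code does not match query")
    if fun & 0x80:  # MSB set: exception response, data area holds the code
        code = response[2]
        return ("exception", EXCEPTIONS.get(code, f"unknown code {code:02X}H"))
    if fun == 0x10 and response[2:6] != query[2:6]:
        return ("unexpected", "start register or count differs from query")
    return ("normal", response[2:-2])

if __name__ == "__main__":
    # Constructed frames: Figure 3-1 bytes with the CRC computed here.
    q = add_crc(bytes.fromhex("0A0104A10001"))
    r = add_crc(bytes.fromhex("0A8102"))
    print(q.hex(" "), "->", r.hex(" "), classify(q, r))
```
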
| Function code | Description | Supports broadcasting | Start address | Remarks |
|---|---|---|---|---|
| 01 | Read coil status DO | Not supported | 0000H | Read discrete output (0X type) status |
| 02 | Read input bit status DI | Not supported | 0000H | Read discrete input signal (0X type) status |
| 03 | Read hold register | Not supported | 0000H | Read hold register data |
| 04 | Read input register | Not supported | 0000H | Read input register (3X type) data |
| 05 | Force single coil DO | Supported | 0000H | Force single coil (0X type) status |
| 06 | Preset single hold register | Supported | 0000H | Set hold register (4X type) |
| 07 | Read fault status | Not supported | | |
| 08 | Diagnostics (see Chapter 3) | Not supported | 0000H | |
| 09 | Program 484 | No | 0000H | Not found |
| 10 | Query 484 | No | 0000H | Not found |
| 11 | Communication Event Control | Not supported | | |
| 12 | Communication Event Log | Not supported | | |
| 13 | Programme Controller | No | 0000H | Not found |
| 14 | Query Controller | No | 0000H | Not found |
| 15 | Force Multiple DO Coils | Supported | 0000H | Force status of all coils (0X type) |
| 16 | Preset Multiple Hold Registers | Supported | 0000H | Set to hold register (4X type) |
| 17 | Report Slave ID | Not supported | | |
| 18 | Programme 884/M84 | No | 0000H | Not found |
| 19 | Communication Link Reset | No | 0000H | Not found |
| 20 | Read General Reference Value | Not supported | 0000H | Extended register (6X type) |
| 21 | Write General Reference Value | Not supported | 0000H | Extended register (6X type) |
| 22 | Masked Write to 4X-Type Registers | Not supported | 0000H | Hold register (4X type) |
| 23 | Read/Write 4X-Type Registers | Not supported | 0000H | Hold register (4X type) |
| 24 | Read FIFO Query Data | Not | 0000H | Hold register (4X type) |