Scribd
Upload
170 views

Understanding Modbus

Uploaded by

Николай Муха
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
170 views

Understanding Modbus

Uploaded by

Николай Муха
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 29

Modbus

Project:

Product

Synopsis:

Document number: 1 Revision: a


Customer doc number: Document version:

Contract number: Number of pages: 29


Rev. Date Reason for issue Made by Checked Approved

Kongsberg Maritime AS
Kongsberg Maritime AS

Table of contents
1 ABOUT THIS DOCUMENT ..................................................................................5
1.1 Document history ..................................................................................................5
1.2 References .............................................................................................................5

/ / Page 2 of 29
Kongsberg Maritime AS

2 WHAT IS MODBUS?.............................................................................................. 6

3 WHAT IS IT USED FOR? ......................................................................................6

4 HOW DOES IT WORK? ........................................................................................6

5 WHAT IS HEXADECIMAL? ................................................................................6

6 HOW IS DATA STORED IN STANDARD MODBUS?......................................7

7 WHAT IS THE SLAVE ID? ...................................................................................8

8 WHAT IS A FUNCTION CODE? .........................................................................8

9 WHAT IS A CRC?...................................................................................................8

10 WHAT ARE THE FORMATS OF MODBUS COMMANDS AND


RESPONSES? ..................................................................................................................9

11 WHAT ARE DATA TYPES? .............................................................................9

12 WHAT IS BYTE AND WORD ORDERING? ...............................................10

13 WHAT IS A MODBUS MAP? .........................................................................10

14 WHAT IS THE DIFFERENCE BETWEEN MODBUS ASCII AND


MODBUS RTU? ............................................................................................................11

15 WHAT ARE EXTENDED REGISTER ADDRESSES?................................ 11

16 HOW DOES 2-BYTE SLAVE ADDRESSING WORK? .............................. 11

17 HOW CAN YOU SEND EVENTS AND HISTORICAL DATA? ................12

18 FUNCTION CODES .........................................................................................12


18.1 Read Coil Status (FC=01) ...................................................................................12
18.2 Read Input Status (FC=02) ..................................................................................13
18.3 Read Holding Registers (FC=03) ........................................................................14
18.4 Read Input Registers (FC=04) .............................................................................15
18.5 Force Single Coil (FC=05) ..................................................................................15
18.6 Preset Single Register (FC=06) ...........................................................................16
18.7 Force Multiple Coils (FC=15) .............................................................................17
18.8 Preset Multiple Registers (FC=16) ......................................................................18

/ / Page 3 of 29
Kongsberg Maritime AS

19 MODBUS ASCII VS MODBUS RTU ............................................................. 19

20 MODBUS TCP/IP ............................................................................................. 23


20.1 TCP/IP .................................................................................................................23
20.2 Modbus RTU over TCP.......................................................................................23
20.3 Modbus TCP ........................................................................................................23
20.4 ADU & PDU .......................................................................................................23
20.5 MBAP Header .....................................................................................................24
20.6 TCP/IP Wrapper ..................................................................................................25

21 TROUBLESHOOTING - EXCEPTION RESPONSES ................................ 26

/ / Page 4 of 29
Kongsberg Maritime AS

1 ABOUT THIS DOCUMENT

1.1 Document history

Revision Description of Change

A First Issue

1.2 References

No Doc No Description

1 Internet site: www.simplymodbus.ca

/ / Page 5 of 29
Kongsberg Maritime AS

2 WHAT IS MODBUS?
Modbus is a communication protocol developed by Modicon systems. In simple terms,
it is a way of sending information between electronic devices. The device requesting the
information is called the Modbus Master and the devices supplying information are
Modbus Slaves. In a standard Modbus network, there is one Master and up to 247
Slaves, each with a unique Slave Address from 1 to 247. The Master can also write
information to the Slaves.

The official Modbus specification can be found at www.modbus-ida.org.

3 WHAT IS IT USED FOR?


Modbus is an open protocol, meaning that it's free for manufacturers to build into their
equipment without having to pay royalties. It has become a very common protocol used
widely by many manufacturers throughout many industries. Modbus is typically used to
transmit signals from instrumentation and control devices back to a main controller or
data gathering system.

4 HOW DOES IT WORK?


Modbus is transmitted over serial lines between devices. The simplest setup would be a
single serial cable connecting the serial ports on two devices, a Master and a Slave.

>

The data is sent as series of ones and zeroes called bits. Each bit is sent as a voltage.
Zeroes are sent as positive voltages and a ones as negative. The bits are sent very
quickly. A typical transmission speed is 9600 baud (bits per second).

5 WHAT IS HEXADECIMAL?
When troubleshooting problems, it can be helpful to see the actual raw data being
transmitted. Long strings of ones and zeroes are difficult to read, so the bits are
combined and shown in hexadecimal. Each block of 4 bits is represented by one of the
sixteen characters from 0 to F.

/ / Page 6 of 29
Kongsberg Maritime AS

0000 = 0 0100 = 4 1000 = 8 1100 = C

0001 = 1 0101 = 5 1001 = 9 1101 = D

0010 = 2 0110 = 6 1010 = A 1110 = E

0011 = 3 0111 = 7 1011 = B 1111 = F

Each block of 8 bits (called a byte) is represented by one of the 256 character pairs from
00 to FF.

6 HOW IS DATA STORED IN STANDARD


MODBUS?
Information is stored in the Slave device in four different tables.
Two tables store on/off discrete values (coils) and two store numerical values
(registers). The coils and registers each have a read-only table and read-write table.

Each table has 9999 values.


Each coil or contact is 1 bit and assigned a data address between 0000 and 270E.
Each register is 1 word = 16 bits = 2 bytes and also has data address between 0000 and
270E.

Coil/Register Numbers Data Addresses Type Table Name


1-9999 0000 to 270E Read-Write Discrete Output Coils
10001-19999 0000 to 270E Read-Only Discrete Input Contacts
30001-39999 0000 to 270E Read-Only Analog Input Registers
40001-49999 0000 to 270E Read-Write Analog Output Holding Registers

Coil/Register Numbers can be thought of as location names since they do not appear in
the actual messages. The Data Addresses are used in the messages.

For example, the first Holding Register, number 40001, has the Data Address 0000.
The difference between these two values is the offset.
Each table has a different offset. 1, 10001, 30001 and 40001.

/ / Page 7 of 29
Kongsberg Maritime AS

7 WHAT IS THE SLAVE ID?


Each slave in a network is assigned a unique unit address from 1 to 247. When the
master requests data, the first byte it sends is the Slave address. This way each slave
knows after the first byte whether or not to ignore the message.

8 WHAT IS A FUNCTION CODE?


The second byte sent by the Master is the Function code. This number tells the slave
which table to access and whether to read from or write to the table.

Function Code Action Table Name

01 (01 hex) Read Discrete Output Coils

05 (05 hex) Write single Discrete Output Coil

15 (0F hex) Write multiple Discrete Output Coils

02 (02 hex) Read Discrete Input Contacts

04 (04 hex) Read Analog Input Registers

03 (03 hex) Read Analog Output Holding Registers

06 (06 hex) Write single Analog Output Holding Register

16 (10 hex) Write multiple Analog Output Holding Registers

9 WHAT IS A CRC?
CRC stands for Cyclic Redundancy check. It is two bytes added to the end of every
modbus message for error detection. Every byte in the message is used to calculate the
CRC. The receiving device also calculates the CRC and compares it to the CRC from
the sending device. If even one bit in the message is received incorrectly, the CRCs will
be different and an error will result.

Here is a spreadsheet CRC calculator for messages up to 16 bytes.


To download a copy, right click and select Save Target As.

/ / Page 8 of 29
Kongsberg Maritime AS

10 WHAT ARE THE FORMATS OF MODBUS


COMMANDS AND RESPONSES?
Follow the links in this table to see examples of the requests and responses.

Data Addresses Read Write Single Write Multiple

Discrete Output Coils 0xxxx FC01 FC05 FC15

Discrete Input Contacts 1xxxx FC02 NA NA

Analog Input Registers 3xxxx FC04 NA NA

Analog Output Holding Registers 4xxxx FC03 FC06 FC16

11 WHAT ARE DATA TYPES?


The example for FC03 shows that register 40108 contains AE41
which converts to the 16 bits 1010 1110 0100 0001
Great! But what does it mean? Well, it could mean a few things.

Register 40108 could be defined as any of these 16-bit data types:


A 16-bit unsigned integer (a whole number between 0 and 65535)
register 40108 contains AE41 = 44,609 (hex to decimal conversion)

A 16-bit signed integer (a whole number between -32768 and 32767)


AE41 = -20,927
(hex to decimal conversion that wraps, if its over 32767 then subtract 65536)

A two character ASCII string (2 typed letters)


AE41 = ® A

A discrete on/off value (this works the same as 16-bit integers with a value of 0 or
1.
The hex data would be 0000 or 0001)

Register 40108 could also be combined with 40109 to form any of these 32-bit data
types:
A 32-bit unsigned integer (a number between 0 and 4,294,967,295)
40108,40109 = AE41 5652 = 2,923,517,522

A 32-bit signed integer (a number between -2,147,483,648 and 2,147,483,647)


AE41 5652 = -1,371,449,774

/ / Page 9 of 29
Kongsberg Maritime AS

A 32-bit double precision IEEE floating point number.


This is a mathematical formula that allows any real number (a number with decimal
points) to represented by 32 bits with an accuracy of about seven digits.
AE41 5652 = -4.395978 E-11

Here is a spreadsheet IEEE float calculator for inputs of 4 bytes or 2 words.


To download a copy, right click and select Save Target As...

A four character ASCII string (4 typed letters)


AE41 5652 = ® A V R

More registers can be combined to form longer ASCII strings. Each register being used
to store two ASCII characters (two bytes).

12 WHAT IS BYTE AND WORD ORDERING?


The Modbus specification doesn't define exactly how the data is stored in the registers.
Therefore, some manufacturers implemented modbus in their equipment to store and
transmit the higher byte first followed by the lower byte. (AE before 41).
Alternatively, others store and transmit the lower byte first (41 before AE).

Similarly, when registers are combined to represent 32-bit data types, Some devices
store the higher 16 bits (high word) in the first register and the remaining low word in
the second (AE41 before 5652) while others do the opposite (5652 before AE41)

It doesn't matter which order the bytes or words are sent in, as long as the receiving
device knows which way to expect it.

For example, if the number 29,235,175,522 was to be sent as a 32 bit unsigned integer,
it could be arranged any of these four ways.

AE41 5652 high byte first high word first


5652 AE41 high byte first low word first
41AE 5256 low byte first high word first
5256 41AE low byte first low word first

13 WHAT IS A MODBUS MAP?


A modbus map is simply a list for an individual slave device that defines
- what the data is (eg. pressure or temperature readings)
- where the data is stored (which tables and data addresses)
- how the data is stored (data types, byte and word ordering)

/ / Page 10 of 29
Kongsberg Maritime AS

Some devices are built with a fixed map that is defined by the manufacturer. While
other devices allow the operator to configure or program a custom map to fit their
needs.

14 WHAT IS THE DIFFERENCE BETWEEN


MODBUS ASCII AND MODBUS RTU?
The difference between these two modes is explained here.

15 WHAT ARE EXTENDED REGISTER


ADDRESSES?
Since the range of the analog output holding registers is 40001 to 49999, it implies that
there cannot be more than 9999 registers. Although this is usually enough for most
applications, there are cases where more registers would be beneficial.

Registers 40001 to 49999 correspond to data addresses 0000 to 270E. If we utilize


the remaining data addresses 270F to FFFF, over six times as many registers can be
available, 65536 in total. This would correspond to register numbers from 40001 to
105536.

Many modbus software drivers (for Master PCs) were written with the 40001 to 49999
limits and cannot access extended registers in slave devices. And many slave devices do
not support maps using the extended registers. But on the other hand, some slave
devices do support these registers and some Master software can access it, especially if
custom software is written.

16 HOW DOES 2-BYTE SLAVE ADDRESSING


WORK?
Since a single byte is normally used to define the slave address and each slave on a
network requires a unique address, the number of slaves on a network is limited to 256.
The limit defined in the modbus specification is even lower at 247.

To get beyond this limit, a modification can be made to the protocol to use two bytes for
the address. The master and the slaves would all be required to support this
modification. Two byte addressing extends the limit on the number of slaves in a
network to 65535.

/ / Page 11 of 29
Kongsberg Maritime AS

By default, the Simply Modbus software uses 1 byte addressing. When an address
greater than 255 is entered, the software automatically switches to 2 byte addressing and
stays in this mode for all addresses until the 2 byte addressing is manually turned off.

17 HOW CAN YOU SEND EVENTS AND


HISTORICAL DATA?
Enron Modbus includes commands for moving events and historical data..

18 FUNCTION CODES

18.1 Read Coil Status (FC=01)


Request

This command is requesting the ON/OFF status of discrete coils # 20 to 56


from the slave device with address 17.

11 01 0013 0025 0E84

11: The Slave Address (17 = 11 hex)


01: The Function Code (read Coil Status)
0013: The Data Address of the first coil to read. (Coil 20 - 1 = 19 = 13 hex)
0025: The total number of coils requested. (coils 25 to 56 = 37 = 25 hex)
0E84: The CRC (cyclic redundancy check) for error checking.

Response

11 01 05 CD6BB20E1B 45E6

11: The Slave Address (17 = 11 hex)


01: The Function Code (read Coil Status)
05: The number of data bytes to follow (37 Coils / 8 bits per byte = 5 bytes)
CD: Coils 20 - 27 (1100 1101)
6B: Coils 28 - 35 (0110 1011)
B2: Coils 36 - 43 (1011 0010)
0E: Coils 44 - 51 (0000 1110)

/ / Page 12 of 29
Kongsberg Maritime AS

1B: Coils 52 - 56 (0001 1011)


45E6: The CRC (cyclic redundancy check).

The more significant bits contain the higher coil variables. This shows that coil 36 is off
(0) and 43 is on (1). Due to the number of coils requested, the last data field1B contains
the status of only 5 coils. The three most significant bits in this data field

18.2 Read Input Status (FC=02)


Request

This command is requesting the ON/OFF status of discrete inputs # 10197 to 10218
from the slave device with address 17.

11 02 00C4 0016 BAA9

11: The Slave Address (17 = 11 hex)


02: The Function Code (read Input Status)
00C4: The Data Address of the first input to read. (10197 - 10001 = 196 = C4 hex)
0016: The total number of coils requested. (197 to 218 = 22 = 16 hex)
BAA9: The CRC (cyclic redundancy check) for error checking.

Response

11 02 03 ACDB35 2018

11: The Slave Address (17 = 11 hex)


02: The Function Code (read Input Status)
03: The number of data bytes to follow (22 Inputs / 8 bits per byte = 3 bytes)
AC: Discrete Inputs 10197 - 10204 (1010 1100)
DB: Discrete Inputs 10205 - 10212 (1101 1011)
35: Discrete Inputs 10213 - 10218 (0011 0101)
2018: The CRC (cyclic redundancy check).

The more significant bits contain the higher Discrete inputs. This shows that input
10197 is off (0) and 10204 is on (1). Due to the number of inputs requested, the last
data field35 contains the status of only 6 inputs. The two most significant bits in this
data field are filled in with zeroes.

/ / Page 13 of 29
Kongsberg Maritime AS

18.3 Read Holding Registers (FC=03)


Request

This command is requesting the content of analog output holding registers # 40108 to
40110 from the slave device with address 17.

11 03 006B 0003 7687

11: The Slave Address (17 = 11 hex)


03: The Function Code (read Analog Output Holding Registers)
006B: The Data Address of the first register requested. (40108-40001 = 107 = 6B hex)
0003: The total number of registers requested. (read 3 registers 40108 to 40110)
7687: The CRC (cyclic redundancy check) for error checking.

Response

11 03 06 AE41 5652 4340 49AD

11: The Slave Address (17 = 11 hex)


03: The Function Code (read Analog Output Holding Registers)
06: The number of data bytes to follow (3 registers x 2 bytes each = 6 bytes)
AE41: The contents of register 40108
5652: The contents of register 40109
4340: The contents of register 40110
49AD: The CRC (cyclic redundancy check).

/ / Page 14 of 29
Kongsberg Maritime AS

18.4 Read Input Registers (FC=04)


Request

This command is requesting the content of analog input register # 30009


from the slave device with address 17.

11 04 0008 0001 B298

11: The Slave Address (17 = 11 hex)


04: The Function Code (read Analog Input Registers)
0008: The Data Address of the first register requested. (30009-30001 = 8)
0001: The total number of registers requested. (read 1 register)
B298: The CRC (cyclic redundancy check) for error checking.

Response

11 04 02 000A F8F4

11: The Slave Address (17 = 11 hex)


04: The Function Code (read Analog Input Registers)
02: The number of data bytes to follow (1 registers x 2 bytes each = 2 bytes)
000A: The contents of register 30009
F8F4: The CRC (cyclic redundancy check).

18.5 Force Single Coil (FC=05)


Request

This command is writing the contents of discrete coil # 173 to ON


in the slave device with address 17.

11 05 00AC FF00 4E8B

11: The Slave Address (17 = 11 hex)


05: The Function Code (Force Single Coil)
00AC: The Data Address of the coil. (coil# 173 - 1 = 172 = AC hex)
FF00: The status to write ( FF00 = ON, 0000 = OFF )
4E8B: The CRC (cyclic redundancy check) for error checking.

/ / Page 15 of 29
Kongsberg Maritime AS

Response

The normal response is an echo of the query, returned after the coil has been written.

11 05 00AC FF00 4E8B

11: The Slave Address (17 = 11 hex)


05: The Function Code (Force Single Coil)
00AC: The Data Address of the coil. (coil# 173 - 1 = 172 = AC hex)
FF00: The status written ( FF00 = ON, 0000 = OFF )
4E8B: The CRC (cyclic redundancy check) for error checking.

18.6 Preset Single Register (FC=06)


Request

This command is writing the contents of analog output holding register # 40002
to the slave device with address 17.

11 06 0001 0003 9A9B

11: The Slave Address (17 = 11 hex)


06: The Function Code (Preset Single Register)
0001: The Data Address of the register. (# 40002 - 40001 = 1 )
0003: The value to write
9A9B: The CRC (cyclic redundancy check) for error checking.

Response

The normal response is an echo of the query, returned after the register contents have
been written.

11 06 0001 0003 9A9B

11: The Slave Address (17 = 11 hex)


06: The Function Code (Preset Single Register)
0001: The Data Address of the register. (# 40002 - 40001 = 1 )
0003: The value written
9A9B: The CRC (cyclic redundancy check) for error checking.

/ / Page 16 of 29
Kongsberg Maritime AS

18.7 Force Multiple Coils (FC=15)


Request

This command is writing the contents of a series of 10 discrete coils from #20 to #29
to the slave device with address 17.

11 0F 0013 000A 02 CD01 BF0B

11: The Slave Address (17 = 11 hex)


0F: The Function Code (Force Multiple Coil, 15 = 0F hex)
0013: The Data Address of the first coil. (coil# 20 - 1 = 19 = 13 hex)
000A: The number of coils to written (10 = 0A hex)
02: The number of data bytes to follow (10 Coils / 8 bits per byte = 2 bytes)
CD: Coils 20 - 27 (1100 1101)
01: Coils 27 - 29 (0000 0001)
BF0B: The CRC (cyclic redundancy check) for error checking.

The more significant bits contain the higher coil variables. This shows that coil 20 is on
(1) and 21 is off (0). Due to the number of coils requested, the last data field01
contains the status of only 2 coils. The unused bits in the last data byte are filled in with
zeroes.

Response

11 0F 0013 000A 2699

11: The Slave Address (17 = 11 hex)


0F: The Function Code (Force Multiple Coil, 15 = 0F hex)
0013: The Data Address of the first coil. (coil# 20 - 1 = 19 = 13 hex)
000A: The number of coils to written (10 = 0A hex)
2699: The CRC (cyclic redundancy check) for error checking.

/ / Page 17 of 29
Kongsberg Maritime AS

18.8 Preset Multiple Registers (FC=16)


Request

This command is writing the contents of two analog output holding registers # 40002 &
40003 to the slave device with address 17.

11 10 0001 0002 04 000A 0102 C6F0

11: The Slave Address (17 = 11 hex)


10: The Function Code (Preset Multiple Registers 16 = 10 hex)
0001: The Data Address of the first register. (# 40002 - 40001 = 1 )
0002: The number of registers to write
04: The number of data bytes to follow (2 registers x 2 bytes each = 4 bytes)
000A: The value to write to register 40002
0102: The value to write to register 40003
C6F0: The CRC (cyclic redundancy check) for error checking.

Response

11 10 0001 0002 1298

11: The Slave Address (17 = 11 hex)


10: The Function Code (Preset Multiple Registers 16 = 10 hex)
0001: The Data Address of the first register. (# 40002 - 40001 = 1 )
0002: The number of registers written.
1298: The CRC (cyclic redundancy check) for error checking.

/ / Page 18 of 29
Kongsberg Maritime AS

19 MODBUS ASCII VS MODBUS RTU


Data formats

To review, we can see that each byte of data can be represented in different ways.

Binary (base2): 10101110 2 characters 0 and 1

Decimal (base10): 174 10 characters 0 through 9

Hexadecimal (base 16): AE 16 characters 0 through F

ASCII (base 256): ® 256 different characters

Message Delimiting

In Modbus RTU, bytes are sent consecutively with no space in between them with a 3-
1/2 character space between messages for a delimiter. This allows the software to know
when a new message is starting.

Any delay between bytes will cause Modbus RTU to interpret it as the start of a new
message. This keeps Modbus RTU from working properly with modems.

Modbus ASCII marks the start of each message with a colon character " : " (hex 3A).
The end of each message is terminated with the carriage return and line feed characters
(hex 0D and 0A). This allows the space between bytes to be variable making it suitable
for transmission through some modems.

Byte Size

In Modbus RTU each byte is sent as a string of 8 binary characters framed with a start
bit, and a stop bit, making each byte 10 bits.

In Modbus ASCII, the number of data bits is reduced from 8 to 7. A parity bit is added
before the stop bit which keeps the actual byte size at 10 bits.

Split Data bytes

In Modbus ASCII, each data byte is split into the two bytes representing the two ASCII
characters in the Hexadecimal value. For example,

Modbus Mode data (ASCII) data (hex) data (binary)

/ / Page 19 of 29
Kongsberg Maritime AS

Modbus RTU ® AE 1010 1110


Modbus ASCII A,E 41 , 45 100 0001 , 100 0101

The range of data bytes in Modbus RTU can be any characters from 00 to FF.
The range of data bytes in Modbus ASCII represent only the 16 hexadecimal characters.
Therefore, every data byte in Modbus ASCII must be one of these 16:

ASCII hex binary ASCII hex binary


0 30 011 0000 8 38 011 1000
1 31 011 0001 9 39 011 1001
2 32 011 0010 A 41 100 0001
3 33 011 0011 B 42 100 0010
4 34 011 0100 C 43 100 0011
5 35 011 0101 D 44 100 0100
6 36 011 0110 E 45 100 0101
7 37 011 0111 F 46 100 0110

Error Checksum - LRC Calculation

As mentioned earlier, each Modbus RTU message is terminate with two error checking
bytes called a CRC or Cyclic Redundancy Check. Similarly, Modbus ASCII is
terminated with an error checking byte called an LRC or Longitudinal Redundancy
Check.

Here is a spreadsheet CRC calculator for messages up to 16 bytes.


To download a copy, right click and select Save Target As...

The calculation of the LRC is much easier than the CRC.


To calculate the LRC:
1. Add up all the data bytes in the message (before converting to ASCII and without
the initial colon and final CR/LF).
2. Throw away any bits that carry over 8 bits.
3. Make the result negative (by twos compliment) to get the LRC byte.

The sum of the resulting byte stream with the LRC will then be 0 since adding the
negative subtotal will make the final total zero.

/ / Page 20 of 29
Kongsberg Maritime AS

For example, this command shows the data bytes required to request the content of
analog output holding registers 40108 to 40110 from the slave device with address 17.

11 03 00 6B 00 03

Add the bytes:

decimal hex binary


17 11 0001 0001
3 03 0000 0011
0 00 0000 0000
107 6B 0110 1011
0 00 0000 0000
3 03 0000 0011

total:

decimal hex binary

130 82 1000 0010

two's compliment (make negative) to get the LRC

decimal hex binary

-130 7E 0111 1110

total of the entire message including the LRC

decimal hex binary

0 00 0000 0000

The single hex LRC byte is 7E

The LRC byte is then split into two ASCII bytes with the rest of the data.

/ / Page 21 of 29
Kongsberg Maritime AS

The two ASCII bytes for the LRC are then 37 and 45

ASCII vs RTU example:

Using the same example shown above to request registers 40108 to 40110 from slave
address 17.

11 03 00 6B 00 03

The complete ASCII request is made by first adding the message delimiting
characters. A colon is added to the start of the message, the LRC, carriage return and
line feed are added to the end:

: 1 1 0 3 0 0 6 B 0 0 0 3 7 E CR LF

Each character is now treated as an ASCII character and replaced with it's hex value to
give the final message.

3A 3131 3033 3030 3642 3030 3033 3745 0D 0A

This Modbus ASCII request size is 17 bytes (170 bits)

...............

The equivalent Modbus RTU message would be:

11 03 00 6B 00 03 76 87

This Modbus RTU request size is 8 bytes (80 bits)

/ / Page 22 of 29
Kongsberg Maritime AS

20 MODBUS TCP/IP

20.1 TCP/IP
TCP is Transmission Control Protocol and IP is Internet Protocol. These protocols are
used together and are the transport protocol for the internet. When modbus information
is sent using these protocols, the data is passed to TCP where additional information is
attached and given to IP. IP then places the data in a packet (or datagram) and transmits
it.

TCP must establish a connection before transferring data, since it is a connection-based


protocol. The Master (or Client in ModbusTCP) establishes a connection with the Slave
(or Server). The Server waits for an incomming connection from the Client. Once a
connection is established, the Server then responds to the queries from the Client until
the client closes the connection.

20.2 Modbus RTU over TCP


Simply put, this is a Modbus RTU message transmitted with a TCP/IP wrapper and sent
over a network instead of serial lines. The Server does not have a SlaveID since it uses
an IP Address instead.

20.3 Modbus TCP


A Modbus Messaging Implementation Guide provided by Schneider Automation
outlines a modified protocol specifically for use over TCP/IP. The official Modbus
specification can be found at www.modbus-ida.org. The main differences between
ModbusRTU and ModbusTCP are outlined here.

20.4 ADU & PDU


Aside from the main differences between serial and network connections stated above,
there are a few differences in the message content.

Starting with the Modbus RTU message and removing the SlaveID from the beginning
and the CRC from the end results in the PDU, Protocol Data Unit.

Here is an example of a Modbus RTU request for the content of analog output holding
registers # 40108 to 40110 from the slave device with address 17.

11 03 006B 0003 7687

/ / Page 23 of 29
Kongsberg Maritime AS

11: The SlaveID Address (17 = 11 hex)


03: The Function Code (read Analog Output Holding Registers)
006B: The Data Address of the first register requested. (40108-40001 = 107 =6B hex)
0003: The total number of registers requested. (read 3 registers 40108 to 40110)
7687: The CRC (cyclic redundancy check) for error checking.

Removing the SlaveID and CRC gives the PDU:

03 006B 0003

20.5 MBAP Header


A new 7-byte header called the MBAP header (Modbus Application Header) is added to
the start of the message. This header has the following data:

Transaction Identifier: 2 bytes set by the Client to uniquely identify each request. These
bytes are echoed by the Server since its responses may not be recieved in the same order
as the requests.

Protocol Identifier: 2 bytes set by the Client. ModbusTCP = 00 00

Length: 2 bytes identifying the number of bytes in the message to follow.

Unit Identifier: 1 byte set by the Client and echoed by the Server for identification of a
remote slave connected on a serial line or on other buses.

Summary

The equivalent request to this Modbus RTU example

11 03 006B 0003 7687

in ModbusTCP is:

/ / Page 24 of 29
Kongsberg Maritime AS

0001 0000 0006 11 03 006B 0003

0001: Transaction Identifier


0000: Protocol Identifier
0006: Message Length (6 bytes to follow)
11: The Unit Identifier (17 = 11 hex)
03: The Function Code (read Analog Output Holding Registers)
006B: The Data Address of the first register requested. (40108-40001 = 107 =6B hex)
0003: The total number of registers requested. (read 3 registers 40108 to 40110)

20.6 TCP/IP Wrapper

/ / Page 25 of 29
Kongsberg Maritime AS

21 TROUBLESHOOTING - EXCEPTION
RESPONSES
Following a request, there are 4 possible outcomes from the slave.

1. The request is successfully processed by the slave and a valid response is sent.

2. The request is not received by the slave therefore no response is sent.

3. The request is received by the slave with a parity, CRC or LRC error.
The slave ignores the request and sends no response.

4. The request is received without an error, but cannot be processed by the slave for
another reason. The slave replies with an exception response.

In a normal response, the slave echoes the function code. The first sign of an exception
response is that the function code is shown in the echo with its highest bit set. All
function codes have 0 for their most significant bit. Therefore, setting this bit to 1 is
the signal that the slave cannot process the request.

Function Code in Request Function Code in Exception Response


01 (01 hex) 0000 0001 129 (81 hex) 1000 0001
02 (02 hex) 0000 0010 130 (82 hex) 1000 0010
03 (03 hex) 0000 0011 131 (83 hex) 1000 0011
04 (04 hex) 0000 0100 132 (84 hex) 1000 0100
05 (05 hex) 0000 0101 133 (85 hex) 1000 0101
06 (06 hex) 0000 0110 134 (86 hex) 1000 0110
15 (0F hex) 0000 1111 143 (8F hex) 1000 1111
16 (10 hex) 0001 0000 144 (90 hex) 1001 0000

Here is an example of a request with an Exception Response:

Request

This command is requesting the ON/OFF status of discrete coil #1186


from the slave device with address 10.

0A 01 04A1 0001 AC63

/ / Page 26 of 29
Kongsberg Maritime AS

0A: The Slave Address (10 = 0A hex)


01: The Function Code (read Coil Status)
04A1: The Data Address of the first coil to read. (Coil 1186 - 1 = 1185 = 04A1 hex)
0001: The total number of coils requested.
AC63: The CRC (cyclic redundancy check) for error checking.

Response

0A 81 02 B053

0A: The Slave Address (10 = 0A hex)


81: The Function Code (read Coil Status - with the highest bit set)
02: The Exception Code
B053: The CRC (cyclic redundancy check).

Following the Function Code is the Exception Code. The exception code gives an
indication of the nature of the problem. The possible codes are shown in the table
below.

The exception code shown above 02 is an indication that coil #1186 is an illegal
address in the slave. This coil has not been defined in the slave's modbus map.

The exception codes as explained in the Modbus specification are:

Exception
Name Meaning
Code
The function code received in the query is not an
allowable action for the slave. This may be because
the function code is only applicable to newer devices,
and was not implemented in the unit selected. It could
01 Illegal also indicate that the slave is in the wrong state to
(01 hex) Function process a request of this type, for example because it is
unconfigured and is being asked to return register
values. If a Poll Program Complete command was
issued, this code indicates that no program function
preceded it.
The data address received in the query is not an
allowable address for the slave. More specifically, the
02 Illegal Data combination of reference number and transfer length is
(02 hex) Address invalid. For a controller with 100 registers, a request
with offset 96 and length 4 would succeed, a request
with offset 96 and length 5 will generate exception 02.
03 Illegal Data A value contained in the query data field is not an

/ / Page 27 of 29
Kongsberg Maritime AS

(03 hex) Value allowable value for the slave. This indicates a fault in
the structure of remainder of a complex request, such
as that the implied length is incorrect. It specifically
does NOT mean that a data item submitted for storage
in a register has a value outside the expectation of the
application program, since the MODBUS protocol is
unaware of the significance of any particular value of
any particular register.
04 Slave Device An unrecoverable error occurred while the slave was
(04 hex) Failure attempting to perform the requested action.
Specialized use in conjunction with programming
commands.
The slave has accepted the request and is processing it,
05 but a long duration of time will be required to do so.
Acknowledge
(05 hex) This response is returned to prevent a timeout error
from occurring in the master. The master can next issue
a Poll Program Complete message to determine if
processing is completed.
Specialized use in conjunction with programming
commands.
06 Slave Device
The slave is engaged in processing a long-duration
(06 hex) Busy
program command. The master should retransmit the
message later when the slave is free..
The slave cannot perform the program function
received in the query. This code is returned for an
07 Negative
unsuccessful programming request using function code
(07 hex) Acknowledge
13 or 14 decimal. The master should request diagnostic
or error information from the slave.
Specialized use in conjunction with function codes 20
and 21 and reference type 6, to indicate that the
extended file area failed to pass a consistency check.
08 Memory Parity
The slave attempted to read extended memory or
(08 hex) Error
record file, but detected a parity error in memory. The
master can retry the request, but service may be
required on the slave device.
Specialized use in conjunction with gateways, indicates
that the gateway was unable to allocate an internal
10 Gateway Path
communication path from the input port to the output
(0A hex) Unavailable
port for processing the request. Usually means the
gateway is misconfigured or overloaded.
Gateway Target Specialized use in conjunction with gateways, indicates
11
Device Failed to that no response was obtained from the target device.
(0B hex)
Respond Usually means that the device is not present on the

/ / Page 28 of 29
Kongsberg Maritime AS

network.

Caution Remark

Note Note

Warning Warning

/ / Page 29 of 29

You might also like