MODBUS MESSAGING ON TCP/IP

MODBUS is an application layer messaging protocol, positioned at level 7 of the OSI model, that provides client/server communication between devices connected on different types of buses or networks. It is a request/reply protocol and offers services specified by function codes.MODBUS function codes are elements of MODBUS request/reply PDUs. The MODBUS messaging service provides a Client/Server communication between devices connected on an Ethernet TCP/IP network. This client / server model is based on four types of messages: MODBUS Request, MODBUS Confirmation, MODBUS Indication, MODBUS Response

Request Confirmation MODBUS Client

Indication Response MODBUS Server

A MODBUS Request is the message sent on the network by the Client to initiate a transaction, A MODBUS Indication is the Request message received on the Server side, A MODBUS Response is the Response message sent by the Server, A MODBUS Confirmation is the Response Message received on the Client side The MODBUS protocol defines a simple Protocol Data Unit (PDU) independent of the underlying communication layers. The mapping of MODBUS protocol on specific buses or networks can introduce some additional fields on the Application Data Unit (ADU).

MODBUS TCP/IP ADU

MBAP Header
MBAP Header

Function code
PDU

Data

Fields
Transaction Identifier Protocol Identifier Length

Length
2 Bytes

Description
Identification of a MODBUS Request / Response transaction 0 = MODBUS protocol

Client
Initialized by the client Initialized by the client Initialized by the Client(request)

Server
Recopied by the server from the received request Recopied by the server from the received request Initialized by the server ( Response) Recopied by the server from the received request

2 Bytes

2 Bytes

Number of following bytes Identification of a remote slave connected on a serial line or on other buses

Unit Identifier

1 Byte

Initialized by the client

The header is 7 bytes long: Transaction Identifier - It is used for transaction pairing; the MODBUS server copies in the response the transaction identifier of the request. Protocol Identifier It is used for intra-system multiplexing. The MODBUS protocol is identified by the value 0. Length - The length field is a byte count of the following fields, including the Unit Identifier and data fields. Unit Identifier This field is used for intra-system routing purpose. It is typically used to communicate to a MODBUS or a MODBUS+ serial line slave through a gateway between an
MODBUS MESSAGING IMPLEMENTATION GUIDE 1.0 8-May-02

Ethernet TCP-IP network and a MODBUS serial line. This field is set by the MODBUS Client in the request and must be returned with the same value in the response by the server. All Modbus/TCP ADU are sent via TCP on registered port 502.

MODBUS FUNCTIONS CODES DESCRIPTION

Standard function codes used on MODBUS application layer protocol are described in details in the MODBUS Application Protocol Specification [2]. Here We are using only Four Function codes 0x01,0x02, 0x03, 0x04, 0x05, ,0x06, 0x0F, 0x10 and their detailed description is give below Function Code: 01 (0x01) Read Coils This function code is used to read from 1 to 2000 contiguous status of coils in a remote device. The Request PDU specifies the starting address, i.e. the address of the first coil specified, and the number of coils. In the PDU Coils are addressed starting at zero. Therefore coils numbered 1-16 are addressed as 0-15. The coils in the response message are packed as one coil per bit of the data field. Status is indicated as 1= ON and 0= OFF. The LSB of the first data byte contains the output addressed in the query. The other coils follow toward the high order end of this byte, and from low order to high order in subsequent bytes. If the returned output quantity is not a multiple of eight, the remaining bits in the final data byte will be padded with zeros (toward the high order end of the byte). The Byte Count field specifies the quantity of complete bytes of data. Request Function code 0x01 1 Byte Starting Address Quantity of Inputs Response Function code Byte count Input Status Error Error code Exception code 1 Byte 1 Bytes 0x81 0x01 to 0x0C 2 Bytes 2 Bytes 1 Byte 2 Bytes 2 Bytes 1-16 0x01

Function Code: 02 (0x02) Read Discrete Inputs: This function code is used to read from 1 to 2000 contiguous status of discrete inputs in a remote device. The Request PDU specifies the starting address, i.e. the address of the first input specified, and the number of inputs. In the PDU Discrete Inputs are addressed starting at zero. Therefore Discrete inputs numbered 1-16 are addressed as 0-15.

The discrete inputs in the response message are packed as one input per bit of the data field. Status is indicated as 1= ON; 0= OFF. The LSB of the first data byte contains the input addressed in the query. The other inputs follow toward the high order end of this byte, and from low order to high order in subsequent bytes. If the returned input quantity is not a multiple of eight, the remaining bits in the final data byte will be padded with zeros (toward the high order end of the byte). The Byte Count field specifies the quantity of complete bytes of data. Request Function code Starting Address Quantity of Inputs Response Function code Byte count Input Status Error Error code Exception code 1 Byte 1 Bytes 0x82 0x01 to 0x0C 1 Byte 2 Bytes 2 Bytes 1 Byte 2 Bytes 2 Bytes 1-16 0x02 0x02

Function Code: 03 (0x03) Read Holding Registers: This function code is used to read the contents of a contiguous block of holding registers in a remote device. The Request PDU specifies the starting register address and the number of registers. In the PDU Registers are addressed starting at zero. Therefore registers numbered 1-16 are addressed as 0-15. The register data in the response message are packed as two bytes per register, with the binary contents right justified within each byte. For each register, the first byte contains the high order bits and the second contains the low order bits. Request Function code Starting Address Quantity of Inputs Response Function code Byte count Input Status Error Error code Exception code 1 Byte 1 Bytes 0x83 0x01 to 0x0C 1 Byte 2 Bytes 2 Bytes 0x03 0x0000 to 1-30

1 Byte 2 Bytes 2 Bytes

0x03

Function Code: 04 (0x04) Read Input Registers This function code is used to read from 1 to 125 contiguous input registers in a remote device. The Request PDU specifies the starting register address and the number of registers. In the PDU Registers are addressed starting at zero. Therefore input registers numbered 1-16 are addressed as 0-15. The register data in the response message are packed as two bytes per register, with the binary contents right justified within each byte. For each register, the first byte contains the high order bits and the second contains the low order bits.

Request Function code Starting Address Quantity of Inputs Response Function code Byte count Input Status Error Error code Exception code 1 Byte 1 Bytes 0x84 0x01 to 0x0C 1 Byte 2 Bytes 2 Bytes 0x04 0x0000 to 1-30 0x04

1 Byte 1 Byte 2 Bytes

Function Code: 05 (0x05) Write Single Coil This function code is used to write a single output to either ON or OFF in a remote device. The requested ON/OFF state is specified by a constant in the request data field. A value of FF 00 hex requests the output to be ON. A value of 00 00 requests it to be OFF. All other values are illegal and will not affect the output. The Request PDU specifies the address of the coil to be forced. Coils are addressed starting at zero. Therefore coil numbered 1 is addressed as 0. The requested ON/OFF state is specified by a constant in the Coil Value field. A value of 0XFF00 requests the coil to be ON. A value of 0X0000 requests the coil to be off. All other values are illegal and will not affect the coil. The normal response is an echo of the request, returned after the coil state has been written. Request Function code Starting Address Quantity of Inputs Response Function code Byte count Input Status Error Error code Exception code 1 Byte 1 Bytes 0x85 0x01 to 0x0C 1 Byte 2 Bytes 2 Bytes 0x05 0x0000 to 1-30 0x05

1 Byte 2 Bytes 2 Bytes

Function Code: 06 (0x06) Write Single Register This function code is used to write a single holding register in a remote device. The Request PDU specifies the address of the register to be written. Registers are addressed starting at zero. Therefore register numbered 1 is addressed as 0. The normal response is an echo of the request, returned after the register contents have been written. Request Function code Starting Address Quantity of Inputs 1 Byte 2 Bytes 2 Bytes 0x05 0x0000 to 1-30

S.No
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 18 19 20 21

Parameter
High Alarm Very High Alarm System Fail Dose Rate Monitor_id Countfail_time High Alarm Very High Alarm Detector 1 Sensitivity Detector 2 Sensitivity HV Reference Password IP1 Subnet Mask 1 Gateway 1 MAC 1 IP2 Subnet Mask 2 Gateway 2 MAC 2

Address
10001 10002 10003 30001 40001 40003 40005 40007 40009 40011 40013 40019 40021 40025 40029 40033 40039 40043 40047 40051

Read/Write
R R R R R/W R/W R/W R/W R/W R/W R/W R/W R/W R/W R/W R/W R/W R/W R/W R/W

Data Type(size)
Boolean Boolean Boolean Float (4)

Integer (2) Integer (2) Float Float (4) (4)

Integer (2) Integer (2) Integer (2) Integer (2) Byte Byte Byte Byte Byte Byte Byte Byte (4) (4) (4) (6) (4) (4) (4) (6)