Modbus Protocol Basics

Being able to approach the implementation of the Modbus protocol on various physical media like serial link, Ethernet TCP-IP or Modbus Plus

Syntax of the Main Requests

Implementation Classes

Main Function Codes

Origins and Operating Principles

Duration: 40 min.

Expert, Teaching: Philippe Warin Production: Schneider-Electric

TOLED

Modbus Protocol Basics January 2006

ORIGINS AND OPERATING PRINCIPLES

Syntax of the Main Requests

Implementation Classes

Main Function Codes

Origins and Operating Principles

TOLED

Modbus Protocol Basics January 2006

- Its origins

1978

Modbus is a messaging protocol Created in 1978 by Modicon Open and easy to implement Widely used in industry

TOLED

Modbus Protocol Basics January 2006

- Modbus and the OSI model

Modbus is based on the client/server communication model
OSI model
Layer 7

Used by various media

and other links: infrared, radio, etc Modbus Plus Token ring Serial link Master/Slave RS232, RS485 Modbus Ethernet TCP/IP

TOLED

Modbus Protocol Basics January 2006

- Modbus in network architectures

Modbus can be used in numerous network architectures
Modbus on Ethernet TCP-IP

Modbus Plus

Modbus on RS232

Modbus on RS485

TOLED

Modbus Protocol Basics January 2006

- Modbus uses the Client/Server concept

Request

Client

How fast is the motor running?

Server

1,000 rpm

Response
The Client is the entity requesting a service The Server is the entity that provides the service

TOLED

Modbus Protocol Basics January 2006

- PDU = Protocol Data Unit

A unique message format independent of the lower layers.

PDU = Protocol Data Unit

byte
Address Function Code Data Error check

Identifies the target

= 1 to 127 Action to perform

Additional data depending on the function code

Validity check

The format of the "Address" and "Error check" fields depends on the network media used

TOLED

Modbus Protocol Basics January 2006

- Error free transaction sequence

Client
Request

Server

Initialises the data

Response

2 Sends the request

Function Code Request data

3 4

Performs requested action Initializes the response Sends the response

Function Code Response data

1 - 127

Additional information

6 Handles the response

Equals the request's function code

Requested data

TOLED

Modbus Protocol Basics January 2006

- Transaction sequence with an error

Client
Request

Server

Initialises the data

Response

2 Sends the request

Function Code Request data

3 4

Detects an error in the requested action

Initialises error message data Sends the error message

Exception Code

1 - 127

Additional information

6 Handles the response

Exception function code

Exception function code = Function Code + 80H Value from 129 to 255

The Exception Code shows the reason for rejection

TOLED

Modbus Protocol Basics January 2006

- Detailed operation, server end

Await request reception
Reception

Function code validation

Invalid

Exception code = 1

Valid

Data address validation

Invalid

Exception code = 2
Valid

Data value validation Exception code = 3

Invalid Valid

Run function Exception code = 4, 5 or 6 Send exception response

Invalid Valid

Send Modbus response

TOLED

Modbus Protocol Basics January 2006

MAIN FUNCTION CODES

Syntax of the Main Requests

Implementation Classes

Main Function Codes

Origins and Operating Principles

TOLED

Modbus Protocol Basics January 2006

- The three function code categories

Public
Validated by the Modbus.org organisation Publicly documented Guaranteed to be unique 110 User defined 100 Public 72 Can be implemented without agreement from Modbus.org Not guaranteed to be unique 65 Function Codes 127 Public

User defined

User defined

Reserved
Used by certain companies and not available

Public

TOLED

Modbus Protocol Basics January 2006

- The four types of accessible variables

Discrete Inputs Coils
Bit
Read only

Discrete inputs Application modifiable data

Bit

Read/Write

Input Registers

Word

Read only

Analogue inputs for example Application modifiable data

Holding Registers

Word

Read/Write

Possible table overlapping. Up to 65,536 variables.

TOLED

Modbus Protocol Basics January 2006

- Public function codes for accessing variables

Function Code
Decimal Hex. 02 01 05 0F 04 03 06 10 17 16 18

Discrete inputs Bit access Coils Input registers

Read Discrete Inputs Read Coils Write Single Coil Write Multiple Coils Read Input Registers Read Holding Registers Write Single Register

02 01 05 15 04 03 06 16 23 22 24

Word access Holding registers

Write Multiple Registers Read/Write Multiple Registers Mask Write Register Read FIFO queue

TOLED

Modbus Protocol Basics January 2006

- Other public function codes

Function code
Decimal Hex. 14 15 07 08 0B 0C 11 2B 2B 14 00 to 18 Sub code Decimal 06 06

File record access

Read File record Write File record Read Exception status Diagnostic

20 21 07 08 11 12 17 43 43

Diagnostic

Get Com Event Counter Get Com Event Log Report slave ID Read Device Identification

Other

Encapsulated Interface Transport

TOLED

Modbus Protocol Basics January 2006

IMPLEMENTATION CLASSES

Syntax of the Main Requests

Implementation Classes

Main Function Codes

Origins and Operating Principles

TOLED

Modbus Protocol Basics January 2006

- Transparent Ready Implementation Classes

List of services to implement in line with target applications

to guarantee equipment interoperability

Modbus protocol is a part of these services

Messaging

Device Management

TOLED

Modbus Protocol Basics January 2006

- Rules and Vocabulary

Three classes dependant on the function levels implemented.

Basic

Regular

Extended

An embedded function level model

Belonging to a class only if all of the required characteristics are supported. A device can also support characteristics of a higher class.

TOLED

Modbus Protocol Basics January 2006

- Messaging Classes
Messaging classes are identical for both Client and Server
Access to registers only

Basic

CF 03: Read Holding Registers CF 16: Write Multiple Registers

Regular Extended

Basic + Access to bits if necessary and to diagnostics if serial link

CF 01: Read Coils CF 02: Read discrete inputs CF 15: Write Multiple Coils CF 08: Diagnostic

Regular + Access to files

CF 20: Read File Record CF 21: Write File Record

Write Single Register and Write Single Coil are strongly recommended for servers (to ensure compatibility with former products).
Modbus Protocol Basics January 2006

TOLED

- Device Management Classes

Device Management classes are identical for Client and Server
Access to Vendor Name, Product Code and Version

Basic

CF 43: Read Device Identification Sub code 14 Level 1 access

Regular Extended

Basic + Access to Vendor URL, Product Name, Model Name, User Application Name

CF 43: Read Device Identification Sub code 14 Level 2 access

Regular + Access private objects depending on product

CF 43: Read Device Identification Sub code 14 Level 3 access

TOLED

Modbus Protocol Basics January 2006

SYNTAX OF THE MAIN REQUESTS

Syntax of the Main Requests

Implementation Classes

Main Function Codes

Origins and Operating Principles

TOLED

Modbus Protocol Basics January 2006

- Read Holding Registers

Request:
1 byte
Function Code

2 bytes
Address of the first register

2 bytes
Number of registers to read

03

0 to 65535

n = 1 to 125

Response:
1 byte
Function Code

2 bytes
Number of bytes read

2 bytes
Value of the first register

2 bytes
Value of the last register

03

2xn

0 to 65535

0 to 65535

TOLED

Modbus Protocol Basics January 2006

- Write Multiple Registers

Request:
1 byte
Function Code

2 bytes
Address of the first register

2 bytes
Number of registers to write

1 byte
Number of bytes to write

2 bytes
Value of the first register

2 bytes
Value of the last register

16

0 to 65535

n = 1 to 123

2xn

0 to 65535

0 to 65535

Response:
1 byte
Function Code

2 bytes
Address of the first register

2 bytes
Number of registers written

16

0 to 65535

n = 1 to 123

TOLED

Modbus Protocol Basics January 2006

- Write Single Register

Request:
1 byte
Function Code

2 bytes
Address of the register

2 bytes
Value of the register

06

0 to 65535

0 to 65535

Response:
1 byte
Function Code

2 bytes
Address of the register

2 bytes
Value of the register

06

0 to 65535

0 to 65535

TOLED

Modbus Protocol Basics January 2006

- Read Coils
Request:
1 byte
Function Code

2 bytes
Address of the first digital output

2 bytes
Number of digital outputs to read

01

0 to 65535

n =1 to 2000

Response:
1 byte
Function Code

1 byte
Number of bytes read

1 byte
Value of the first byte

1 byte
Value of the last byte

01

n/8 + 1 if R

0 to 255

0 to 255

TOLED

Modbus Protocol Basics January 2006

- Read Discrete inputs

Request:
1 byte
Function Code

2 bytes
Address of the first digital input

2 bytes
Number of digital inputs to read

02

0 to 65535

n =1 to 2000

Response:
1 byte
Function Code

1 byte
Number of bytes read

1 byte
Value of the first byte

1 byte
Value of the last byte

02

n/8 + 1 if R

0 to 255

0 to 255

TOLED

Modbus Protocol Basics January 2006

- Write Multiple Coils

Request:
1 byte
Function Code

2 bytes
Address of the first digital output

2 bytes
Number of digital outputs to write

1 byte
Number of bytes to write

1 byte
Value of the first byte

1 byte
Value of the last byte

15

0 to 65535

n =1 to 1968

n/8 + 1 if R

0 to 255

0 to 255

Response:
1 byte
Function Code

2 bytes
Address of the first digital output

2 bytes
Number of digital outputs written

15

0 to 65535

n =1 to 1968

TOLED

Modbus Protocol Basics January 2006

- Read Device Identification

Request:
1 byte 1 byte 1 byte

1 byte

Function Code

Sub funct. Code

43

14

Access Level

Identification object address

Access levels: 1: Basic 2: Regular 3: Extended 4: Individual

1 to 4

m =0 to 255

Response:
1 byte 1 byte 1 byte 1 byte Implementation class supported 1 byte 1 byte
If split, address of next object

1 byte Number of identification objects

Function Code

43

Sub funct. Code 14

Access Level

Split response

1 to 4 1 byte 1 byte n bytes

1 to 3 1 byte

0 = no 255 = yes

1 to 255

1 to 255 n bytes

1 byte

Address object m

Length object m

Value of object

Add. object

Len. object

Value of object

m+1

m+1

m+1

m = 0 to 255
TOLED

n = 1 to 255
Modbus Protocol Basics January 2006