Documente Academic
Documente Profesional
Documente Cultură
Request
This command is requesting the ON/OFF status of discrete coils # 20 to 56
from the slave device with address 17.
11 01 0013 0025 0E84
11: The Slave Address (17 = 11 hex)
01: The Function Code (read Coil Status)
0013: The Data Address of the first coil to read. (Coil 20 - 1 = 19 = 13 hex)
0025: The total number of coils requested. (coils 20 to 56 = 37 = 25 hex)
0E84: The CRC (cyclic redundancy check) for error checking.
Response
11 01 05 CD6BB20E1B 45E6
11: The Slave Address (17 = 11 hex)
01: The Function Code (read Coil Status)
05: The number of data bytes to follow (37 Coils / 8 bits per byte = 5 bytes)
CD: Coils 27 - 20 (1100 1101)
6B: Coils 35 - 28 (0110 1011)
B2: Coils 43 - 36 (1011 0010)
0E: Coils 51 - 44 (0000 1110)
1B: 3 space holders & Coils 56 - 52 (0001 1011)
45E6: The CRC (cyclic redundancy check).
The more significant bits contain the higher coil variables. This shows that coil 36 is off (0) and
43 is on (1). Due to the number of coils requested, the last data field1B contains the status of
only 5 coils. The three most significant bits in this data field are filled in with zeroes.
00C4: The Data Address of the first input to read. (10197 - 10001 = 196 = C4 hex)
0016: The total number of coils requested. (197 to 218 = 22 = 16 hex)
BAA9: The CRC (cyclic redundancy check) for error checking.
Response
11 02 03 ACDB35 2018
11: The Slave Address (17 = 11 hex)
02: The Function Code (read Input Status)
03: The number of data bytes to follow (22 Inputs / 8 bits per byte = 3 bytes)
AC: Discrete Inputs 10204 -10197 (1010 1100)
DB: Discrete Inputs 10212 - 10205 (1101 1011)
35: 2 space holders & Discrete Inputs 10218 - 10213 (0011 0101)
2018: The CRC (cyclic redundancy check).
The more significant bits contain the higher Discrete inputs. This shows that input 10197 is off
(0) and 10204 is on (1). Due to the number of inputs requested, the last data field 35 contains
the status of only 6 inputs. The two most significant bits in this data field are filled in with
zeroes.
Response
The normal response is an echo of the query, returned after the coil has been written.
11 05 00AC FF00 4E8B
11: The Slave Address (17 = 11 hex)
05: The Function Code (Force Single Coil)
00AC: The Data Address of the coil. (coil# 173 - 1 = 172 = AC hex)
FF00: The status written ( FF00 = ON, 0000 = OFF )
4E8B: The CRC (cyclic redundancy check) for error checking.
This command is writing the contents of a series of 10 discrete coils from #20 to #29
to the slave device with address 17.
11 0F 0013 000A 02 CD01 BF0B
11: The Slave Address (17 = 11 hex)
0F: The Function Code (Force Multiple Coil, 15 = 0F hex)
0013: The Data Address of the first coil. (coil# 20 - 1 = 19 = 13 hex)
000A: The number of coils to written (10 = 0A hex)
02: The number of data bytes to follow (10 Coils / 8 bits per byte = 2 bytes)
CD: Coils 27 - 20 (1100 1101)
01: 6 space holders & Coils 29 - 28 (0000 0001)
BF0B: The CRC (cyclic redundancy check) for error checking.
The more significant bits contain the higher coil variables. This shows that coil 20 is on (1) and
21 is off (0). Due to the number of coils requested, the last data field01 contains the status of
only 2 coils. The unused bits in the last data byte are filled in with zeroes.
Response
11 0F 0013 000A 2699
11: The Slave Address (17 = 11 hex)
0F: The Function Code (Force Multiple Coil, 15 = 0F hex)
0013: The Data Address of the first coil. (coil# 20 - 1 = 19 = 13 hex)
000A: The number of coils to written (10 = 0A hex)
2699: The CRC (cyclic redundancy check) for error checking.
10101110
2 characters 0 and 1
174
10 characters 0 through 9
16 characters 0 through F
Message Delimiting
In Modbus RTU, bytes are sent consecutively with no space in between them with a 3-1/2
character space between messages for a delimiter. This allows the software to know when a new
message is starting.
Any delay between bytes will cause Modbus RTU to interpret it as the start of a new message.
This keeps Modbus RTU from working properly with modems.
Modbus ASCII marks the start of each message with a colon character " : " (hex 3A).
The end of each message is terminated with the carriage return and line feed characters (hex 0D
and 0A). This allows the space between bytes to be variable making it suitable for transmission
through some modems.
Byte Size
In Modbus RTU each byte is sent as a string of 8 binary characters framed with a start bit, and a
stop bit, making each byte 10 bits.
In Modbus ASCII, the number of data bits is reduced from 8 to 7. A parity bit is added before the
stop bit which keeps the actual byte size at 10 bits.
Split Data bytes
In Modbus ASCII, each data byte is split into the two bytes representing the two ASCII
characters in the Hexadecimal value. For example,
Modbus Mode
data (ASCII)
data (hex)
AE
data (binary)
1010 1110
Modbus RTU
Modbus ASCII
A,E
41 , 45
The range of data bytes in Modbus RTU can be any characters from 00 to FF.
The range of data bytes in Modbus ASCII represent only the 16 hexadecimal characters.
Therefore, every data byte in Modbus ASCII must be one of these 16:
ASCII
binary
011 0000
ASCII
hex
30
hex
38
binary
011 1000
31
011 0001
39
011 1001
32
011 0010
41
100 0001
33
011 0011
42
100 0010
34
011 0100
43
100 0011
35
011 0101
44
100 0100
36
011 0110
45
100 0101
37
011 0111
46
100 0110
The sum of the resulting byte stream with the LRC will then be 0 since adding the negative
subtotal will make the final total zero.
For example, this command shows the data bytes required to request the content of analog output
holding registers 40108 to 40110 from the slave device with address 17.
11 03 00 6B 00 03
Add the bytes:
decimal
17
hex
11
binary
0001 0001
03
0000 0011
00
0000 0000
107
6B
0110 1011
00
0000 0000
03
0000 0011
decimal
hex
82
binary
1000 0010
total:
130
hex
7E
binary
0111 1110
hex
00
binary
0000 0000
Using the same example shown above to request registers 40108 to 40110 from slave address 17.
11 03 00 6B 00 03
The complete ASCII request is made by first adding the message delimiting characters. A
colon is added to the start of the message, the LRC, carriage return and line feed are added to the
end:
: 1 1
0 3
0 0
6 B
0 0
0 3
7 E
CR LF
Each character is now treated as an ASCII character and replaced with it's hex value to give the
final message.
3A 3131 3033 3030 3642 3030 3033 3745 0D 0A
This Modbus ASCII request size is 17 bytes (170 bits)
...............
The equivalent Modbus RTU message would be:
11 03 00 6B 00 03 76 87
This Modbus RTU request size is 8 bytes (80 bits)
Modbus TCP/IP
TCP/IP
TCP is Transmission Control Protocol and IP is Internet Protocol. These protocols are used
together and are the transport protocol for the internet. When modbus information is sent using
these protocols, the data is passed to TCP where additional information is attached and given to
IP. IP then places the data in a packet (or datagram) and transmits it.
TCP must establish a connection before transferring data, since it is a connection-based protocol.
The Master (or Client in Modbus TCP) establishes a connection with the Slave (or Server). The
Server waits for an incoming connection from the Client. Once a connection is established, the
Server then responds to the queries from the Client until the client closes the connection.
Modbus RTU over TCP
Simply put, this is a Modbus RTU message transmitted with a TCP/IP wrapper and sent over a
network instead of serial lines. The Server does not have a SlaveID since it uses an IP Address
instead.
Modbus TCP
Summary
The equivalent request to this Modbus RTU example
11 03 006B 0003 7687
in Modbus TCP is:
0001 0000 0006 11 03 006B 0003
0001: Transaction Identifier
0000: Protocol Identifier
0006: Message Length (6 bytes to follow)
11: The Unit Identifier (17 = 11 hex)
03: The Function Code (read Analog Output Holding Registers)
006B: The Data Address of the first register requested. (40108-40001 = 107 =6B hex)
0003: The total number of registers requested. (read 3 registers 40108 to 40110)
TCP/IP Wrapper
Exception Responses
Following a request, there are 4 possible outcomes from the slave.
1. The request is successfully processed by the slave and a valid response is sent.
2. The request is not received by the slave therefore no response is sent.
3. The request is received by the slave with a parity, CRC or LRC error.
The slave ignores the request and sends no response.
4. The request is received without an error, but cannot be processed by the slave for another
reason. The slave replies with an exception response.
In a normal response, the slave echoes the function code. The first sign of an exception response
is that the function code is shown in the echo with its highest bit set. All function codes have 0
for their most significant bit. Therefore, setting this bit to 1 is the signal that the slave cannot
process the request.
Function Code in Request
01
(01 hex)
02
(02 hex)
03
(03 hex)
04
(04 hex)
Name
Meaning
Illegal
Function
Illegal Data
Address
05
(05 hex)
Acknowledge
06
(06 hex)
Slave Device
Busy
07
(07 hex)
Negative
Acknowledge
08
Memory Parity
(08 hex)
Error
10
(0A hex)
Gateway Path
Unavailable
11
(0B hex)
Modbus is transmitted over serial lines between devices. The simplest setup would be a single
serial cable connecting the serial ports on two devices, a Master and a Slave.
>
The data is sent as series of ones and zeroes called bits. Each bit is sent as a voltage. Zeroes are
sent as positive voltages and a ones as negative. The bits are sent very quickly. A typical
transmission speed is 9600 baud (bits per second).
What is hexadecimal?
When troubleshooting problems, it can be helpful to see the actual raw data being transmitted.
Long strings of ones and zeroes are difficult to read, so the bits are combined and shown in
hexadecimal. Each block of 4 bits is represented by one of the sixteen characters from 0 to F.
0000 = 0
0100 = 4
1000 = 8
1100 = C
0001 = 1
0101 = 5
1001 = 9
1101 = D
0010 = 2
0110 = 6
1010 = A
1110 = E
0011 = 3
0111 = 7
1011 = B
1111 = F
Each block of 8 bits (called a byte) is represented by one of the 256 character pairs from 00 to
FF.
How is data stored in Standard Modbus?
Information is stored in the Slave device in four different tables.
Two tables store on/off discrete values (coils) and two store numerical values (registers). The
coils and registers each have a read-only table and read-write table.
Each table has 9999 values.
Each coil or contact is 1 bit and assigned a data address between 0000 and 270E.
Each register is 1 word = 16 bits = 2 bytes and also has data address between 0000 and 270E.
Coil/Register Numbers
Data Addresses
Type
Table Name
1-9999
0000 to 270E
Read-Write
10001-19999
0000 to 270E
Read-Only
30001-39999
0000 to 270E
Read-Only
40001-49999
0000 to 270E
Read-Write
Coil/Register Numbers can be thought of as location names since they do not appear in the actual
messages. The Data Addresses are used in the messages.
For example, the first Holding Register, number 40001, has the Data Address 0000.
The difference between these two values is the offset.
Each table has a different offset. 1, 10001, 30001 and 40001.
What is the Slave ID?
Each slave in a network is assigned a unique unit address from 1 to 247. When the master
requests data, the first byte it sends is the Slave address. This way each slave knows after the first
byte whether or not to ignore the message.
What is a function code?
The second byte sent by the Master is the Function code. This number tells the slave which table
to access and whether to read from or write to the table.
Function Code
Action
Table Name
01 (01 hex)
Read
05 (05 hex)
Write single
15 (0F hex)
Write multiple
02 (02 hex)
Read
04 (04 hex)
Read
03 (03 hex)
Read
06 (06 hex)
Write single
16 (10 hex)
Write multiple
What is a CRC?
CRC stands for Cyclic Redundancy check. It is two bytes added to the end of every modbus
message for error detection. Every byte in the message is used to calculate the CRC. The
receiving device also calculates the CRC and compares it to the CRC from the sending device. If
even one bit in the message is received incorrectly, the CRCs will be different and an error will
result.
Here is a spreadsheet CRC calculator for messages up to 16 bytes.
To download a copy, right click and select Save Target As...
What are the formats of Modbus commands and responses?
Follow the links in this table to see examples of the requests and responses.
Data Addresses
Read
Write Single
Write Multiple
FC01
FC05
FC15
FC02
NA
NA
FC04
NA
NA
FC03
FC06
FC16
5652
AE41
5256
41AE
Since the range of the analog output holding registers is 40001 to 49999, it implies that there
cannot be more than 9999 registers. Although this is usually enough for most applications, there
are cases where more registers would be beneficial.
Registers 40001 to 49999 correspond to data addresses 0000 to 270E. If we utilize the
remaining data addresses 270F to FFFF, over six times as many registers can be available,
65536 in total. This would correspond to register numbers from 40001 to 105536.
Many modbus software drivers (for Master PCs) were written with the 40001 to 49999 limits and
cannot access extended registers in slave devices. And many slave devices do not support maps
using the extended registers. But on the other hand, some slave devices do support these registers
and some Master software can access it, especially if custom software is written.
How does 2-byte slave addressing work?
Since a single byte is normally used to define the slave address and each slave on a network
requires a unique address, the number of slaves on a network is limited to 256. The limit defined
in the modbus specification is even lower at 247.
To get beyond this limit, a modification can be made to the protocol to use two bytes for the
address. The master and the slaves would all be required to support this modification. Two byte
addressing extends the limit on the number of slaves in a network to 65535.
By default, the Simply Modbus software uses 1 byte addressing. When an address greater than
255 is entered, the software automatically switches to 2 byte addressing and stays in this mode
for all addresses until the 2 byte addressing is manually turned off.
How can you send events and historical data?
Enron Modbus includes commands for moving events and historical data..
What is Enron Modbus?
Enron Modbus is a modification to the standard Modicon modbus communication protocol
developed by Enron Corporation.
See Enron Modbus for details.