MODBUS

By KANADE D G

Introduction
MODBUS Protocol is a messaging structure created by MODICON company to connect PLC to programming tools.
It is now widely used to establish master-slave communication between intelligent devices. MODBUS is independent of the physical layer.
It can be implemented using RS232, RS422, or RS485 or over a variety of media (e.g. fiber, radio, cellular, etc..

MODBUS Serial line RS485

It is a low cost network Uses a master/slave medium access Transmission speed from 1,200bits to 115 Kbits/s.
7 Application 6 Presentation
Modbus

5
4 3

Session Transport Network

2 Link 1 Physical

Master - Slave
RS485

MODBUS TCP/IP
It uses TCP/IP and Ethernet 10 Mbit/s or 100 Mbits/s to carry the MODBUS messaging structure.
7 Application 6 Preentation 5 4 3 2 1 Session Transport Network Link Physical
TCP
IP Modbus

CSMA / CD ETHERNET V2 ou 802.3

MODBUS PLUS
It is a higher speed network 1 Mbit/s token passing derivative that uses the MODBUS messaging structure.
7 Application 6 Presentation
Modbus

5
4 3

Session Transport Network

2 Link 1 Physical

802.4 Token passing

RS485

Types of MODBUS
The MODBUS protocol comes in 2 versions

ASCII transmission mode

RTU (Remote Terminal Unit)transmission mode

ASCII transmission mode

Each eight-bit byte in a message is sent as 2 ASCII characters ASCII mode allows time intervals of up to 1 second to occur between characters without causing an error.

Coding System:
Hexadecimal, ASCII characters 09, AF One hexadecimal character contained in each ASCII character of the message

Bits per Byte:

1 start bit 7 data bits, least significant bit sent first 1 bit for even/odd parity; no bit for no parity 1 stop bit if parity is used; 2 bits if no parity

Error Check Field: Longitudinal Redundancy Check (LRC)

RTU Mode
Each eight-bit byte in a message is sent as two four-bit hexadecimal characters The main advantage of the RTU mode is that it achieves higher throughput than ASCII for same baud rate.

Coding System:
8bit binary, hexadecimal 09, AF Two hexadecimal characters contained in each 8bit field of the message

Bits per Byte:

1 start bit 8 data bits, least significant bit sent first 1 bit for even/odd parity; no bit for no parity 1 stop bit if parity is used; 2 bits if no parity

Error Check Field: Cyclical Redundancy Check (CRC)

Modbus Message Framing

For ASCII or RTU, a Modbus message is placed by the transmitting device into a frame that has a known beginning and ending point. This allows receiving devices to begin at the start of the message, read the address portion and determine which device is addressed. Partial messages can be detected and errors can be set as a result. MAP or Modbus Plus: The network protocol handles the framing of messages with beginning and end delimiters that are specific to the network. The Modbus address is converted to a network node address and routing path by the originating controller or its network adapter.

MODBUS Frame Structure

The Modbus frame structure is the same for requests (master to slave messages) and responses (slave to master messages).
Modbus RTU
silence

Address

Function

Data

Checksum

silence

Silence >= 3,5 characters

Modbus ASCII : Address Function Data Checksum CR LF

0A Hex

3A Hex

0D Hex

ASCII Framing
Messages start with a colon ( : ) character
(ASCII 3A hex)

End with a carriage return line feed (CRLF) pair

(ASCII 0D and 0A hex).

For all other fields are hexadecimal 09, AF. Networked devices monitor the network bus continuously for the colon character. When one is received, each device decodes the next field (the address field) to find out if it is the addressed device.

Intervals of up to one second can elapse between characters within the message. If a greater interval occurs, the receiving device assumes an error has occurred.

ASCII Message Frame

RTU Framing
In RTU mode, messages start with a silent interval of at least 3.5 character times. The first field then transmitted is the device address. The allowable characters transmitted for all fields are hexadecimal 09, AF. Networked devices monitor continuously the silent intervals. Each device decodes first field after silent intervals to find out if it is the addressed device.

RTU Message Frame

Address Field
Address Function Data Checksum

Valid slave device addresses are in the range of 0 ... 247 decimal. The individual slave devices are assigned addresses in the range of 1 ... 247. Value 0 is reserved for broadcast messages (no response).

Address Field(continued..)

Request :
A master addresses a slave by placing the slave address in the address field of the message.

Response :
When the slave sends its response, it places its own address in this address field of the response to let the master know which slave is responding.

Function Field
Address Function Data Checksum

Valid codes are in the range of 1 ... 255 decimal.

Request :
The function code field tells the slave what kind of action to perform.

Response :
For a normal response, the slave simply echoes the original function code. For an exception response, the slave returns a code that is equivalent to the original function code with its most significant bit set to a logic 1.

Data Field
Address Function Data Checksum

Valid codes are in the range of 0 ... 255 decimal. Request :

The data field contains additional information which the slave must use to take the action defined by the function code. This can include items like register addresses, quantity of items to be handled, etc...

Data Field(continued)

Address

Function

Data

Checksum

Response : If no error occurs, the data field contains the data requested. If an error occurs, the field contains an exception code that the master application can use to determine the next action to be taken.

Checksum Field
Address Function Data Checksum

Valid codes are in the range of 0 ... 255 decimal.

Modbus RTU uses CRC : Cyclycal Reduncy Check (2 byte) Modbus ASCII uses LRC : Longitudinal Redundancy Check (1 byte)

Request :
The checksum is calculated by the master and sends to the slave.

Response :
The checksum is re-calculated by the slave and compared to the value sent by the master. If a difference is detected, the slave will not construct a response to the master.

Frame Exemple in RTU Mode

Function code = 03 : Read Holding Registers
Request :
1 byte 1 byte 2 bytes 2 bytes 2 bytes

Slave Function First word Address code = 03 address

Number of CRC16 words to read

Response :
1 byte 1 byte 2 bytes 2 bytes 2 bytes 2 bytes

Slave Function Number of Address code = 03 bytes read

Value of the first word

Value of the CRC16 last word

Frame Exemple in RTU Mode

Function code = 06 : Write Single Register
Request :
1 byte 1 byte 2 bytes 2 bytes 2 bytes

Slave Address

Function code = 06

Word address

Value of word

CRC16

Response :
1 byte 1 byte 2 bytes 2 bytes 2 bytes

Slave Address

Function code = 06

Word address

Value of word

CRC16

How Characters are Transmitted Serially

With ASCII character framing, the bit sequence is:

How Characters are Transmitted Serially

With RTU character framing, the bit sequence is:

Master-Slave Query Response Cycle

Error Checking Methods

Standard Modbus serial networks use two kinds of error checking. Parity checking :-(even or odd) can be optionally applied to each character. Frame checking (LRC or CRC) is applied to the entire message. The master is configured by the user to wait for a predetermined timeout interval before aborting the transaction. message addressed to a nonexistent slave device will also cause a timeout.

Parity Error Checking

Users can configure controllers for Even or Odd Parity checking, or for No Parity checking. If either Even or Odd Parity is specified, the quantity of 1 bits will be counted in the data portion of each character (seven data bits for ASCII mode, or eight for RTU). The parity bit will then be set to a 0 or 1 to result in an Even or Odd total of 1 bits. Can detect an error if an odd number of bits are in error.

LRC Error Checking

Used in ASCII mode of transmission. Checks the contents of the message, exclusive of the beginning colon and ending CRLF pair Applied regardless of any parity check method used for individual characters. The LRC field is one byte.

CRC Error Checking

Used in RTU mode of transmission. The CRC field checks the contents of the entire message. Applied regardless of any parity check method used for the individual characters. Only the eight bits of data in each character are used for generating the CRC. The CRC field is two bytes.

Function Code Exemples

01 (0x01) 02 (0x02) 03 (0x03) 04 (0x04) 05 (0x05) 06 (0x06) Read Coils Read Discrete Inputs Read Holding Registers Read Input Registers Write Single Coil Write Single Register

Code

Function

15 (0x0F)
16 (0x10) 23 (0x17) 43 (0x2B)

Write Multiple Coils

Write Multiple Registers Read/Write Multiple Registers Read Device Identification

The complete description of all Modbus request is freely available on the Modbus.org web site :

http://www.modbus.org

Error Checking Methods

Parity checking
Even or odd can be optionally applied to each character

Frame checking
LRC or CRC is applied to the entire message

Continuous stream
The entire message frame must be transmitted as a continuous stream. If a silent interval (more than 1.5 character times RTU mode or 1 second ASCII mode) occurs before completion of the frame, the receiving device flushes the incomplete message and assumes that the next byte will be the address field of a new message

Exception Responses

Except for broadcast messages, when a master device sends a query to a slave device it expects a normal response.

Exception Responses
One of four possible events can occur from the masters query:
Slave device receives the query without a communication error. -Normal response Slave does not receive the query due to a communication error.-No response Slave receive the query with a communication error.(Parity,LRC or CRC)-No response Slave receives the query without a communication error, but cannot handle it.-Exception response.

Exception Response
The exception response message has two fields that differentiate it from a normal response:
Function Code Field: In a normal response, the slave echoes the function code of the original query. In an exception response, the slave sets the MSB of the function code to 1.
All function codes have a mostsignificant bit (MSB) of 0

Data Field: In a normal response, the slave may return data. In an exception response, the slave returns an exception code in the data field.

Exception Handling
Byte 1 2 3 4 5 6 7 Byte 1 2 3 4 Contents Slave Address Function Starting Address Hi Starting Address Lo No. of Coils Hi No. of Coils Lo LRC Contents Slave Address Function Exception Code LRC Example 0A 01 04 A1 00 01 4F Example 0A 81 02 73

Exception Codes
Exception Code 01 02 03 04 05 06 07 08 Exception ILLEGAL FUNCTION ILLEGAL DATA ADDRESS ILLEGAL DATA VALUE SLAVE DEVICE FAILURE ACKNOWLEDGE SLAVE DEVICE BUSY NEGATIVE ACKNOWLEDGE MEMORY PARITY ERROR

Error Checking Methods (continued...)

The master is configured by the user to wait for a predetermined timeout interval before aborting the transaction.

This interval is set to be long enough for any slave to respond normally.
If the slave detects a transmission error, the message will not be acted upon. The slave will not construct a response to the master. Thus the timeout will expire and allow the master's program to handle the error.

RS485 Physfical Layer

RS485 is the most common physical layer used on Modbus. The RS485 standard allows variants of different characteristics :

Polarisation Line terminator Distribution of a reference potential Number of slaves Length of the bus

The Various Versions of the RS485 Physical Layer

The new Telemecanique devices conform to the Modbus specification published in 2002 on the Modbus.org web site. But some Schneider older devices comply with earlier specifications : Uni-Telway Jbus

New Modbus RS485 standard schematic

5V

Master
650

650

120 1 nF

D1

120 1 nF

D0 Common

Slave 1

Slave 2

Maximum length of Bus Max. no of stations (without repeater) Max. length of Tap Link Bus polarization Line terminator Common polarity

1000m at 19200 bps 32 (31 slaves) 20m for one tab link 40 m divided by no. taps 650 at 5V and common for the Master 120 -0,25Wm in series with 1nF,10V Yes common connected to PG

Uni-Telway RS485 schematic

5V

Master
4,7 K

4,7 K

D(B) 120 1 nF D(A) 0 VL 5V 4,7 K 4,7 K 5V 120 1 nF

4,7 K

4,7 K

Slave 1

Slave 2

Maximum length of Bus Max. no of stations (without repeater) Max. length of Tap Link Bus polarization Line terminator Common polarity

1000m at 19200 bps 28 (27 slaves) 20m for one tab link 40 m divided by no. taps 4.7k at 5V and common for the Master and slave 120 -0,25Wm in series with 1nF,10V Yes (0 VL)High impedance between 0VL and ground in each station

Jbus RS485 schematic

Master
470 5V 470

L-(B/B )
150 L+(A/A ) 150

Slave 1

Slave 2

Maximum length of Bus Max. no of stations (without repeater) Max. length of Tap Link Bus polarization Line terminator Common polarity

1300m at 19200 bps 32 (31 slaves) 3m 470 at 5V and common for the Master 150 No

Mixed RS485 schematic

5V

Suitable polarization Rp must be calculated

Master
Rp

Rp

120 1 nF

D1 D0 Common 5V 4,7 K

120 1 nF

Slave 1

4,7 K

Slave 2

If the master is fitted with a 470 polarisation, it s possible to connect a maximum of 18 slaves with 4,7 K polarisation

Maximum length of Bus Max. no of stations (without repeater) Max. length of Tap Link Bus polarization Line terminator Common polarity

1000m at 19200 bps At most 32 (depending upon Rp and no.of 4.7k) 20m for one tab link 40 m divided by no. taps 470 at 5V and common for the Master 120 -0,25Wm in series with 1nF,10V Yes common connected to PG

Thank You