
SCHNEIDER ELECTRIC

Modbus Troubleshooting

Understanding Modbus
Table of Contents
Modbus Introduction
    Brief Modbus History
    Modbus Protocol Description
Understanding Modbus
    Modbus Memory Sections
    Registers
    Function Codes
    Polling
Modbus Remote Terminal Unit (RTU)
    Introduction
    RTU Packet
    Transmission Mode
    RS – 485
Modbus TCP
    Introduction
    MBAP Header
    Supporting Layers

Modbus Introduction
Brief Modbus History
Modicon first introduced Modbus in 1979. Modbus is an open standard and the most
widely used protocol in the industrial environment. Modbus is publicly available and,
due to its simplicity, many manufacturers use Modbus as a solution for integration in
their own products. Many commercial products and systems support the Modbus RTU
and Modbus TCP protocols. For further information, visit the Modbus website at
http://www.Modbus-IDA.org.

Modbus Protocol Description


The Modbus protocol defines a simple Protocol Data Unit (PDU) independent of the
underlying communication layers. The mapping of Modbus protocol on specific buses,
or networks, can introduce some additional fields on the application data unit (ADU).
Modbus is a request/reply protocol and offers services specified by function codes.
Function codes are elements of MODBUS request/reply PDUs.

Understanding Modbus
Modbus Memory Sections
Modbus has four memory sections that consist of four data types. The four sections
of memory hold specific data in registers. The data held in registers has a unique
address. The points and starting register addresses are:

1. Coils: starting address 1 (Read/Write)

2. Binary Inputs: starting address 10,001 (Read Only)

3. Analog Inputs: starting address 30,001 (Read Only)

4. Holding: starting address 40,001 (Read/Write)

Memory sections are identified by using function codes. They are used in combination
with the device address to locate a specific memory section, or point. This type of
request is done by the master device in Remote Terminal Unit (RTU) networks or the
client in Modbus Transmission Control Protocol (TCP) networks.

Registers

Registers, also known as “Words”, are sixteen bits (two bytes) wide. The
interpretation of a register is based on how data is specified (e.g. analog or
digital).

Registers are read from the Least Significant Bit (LSB) to the Most Significant
Bit (MSB).

A single register represents:

• A 16 bit unsigned integer (whole number) from 0 – 65535

• A 16 bit signed integer from -32767 to 32767.

Two registers can be combined to represent:

• A 32 bit unsigned (double register) = 0 – 4,294,967,295

• A 32 bit signed = -2,147,483,647 to 2,147,483,647.

Two registers can also represent a 32 bit IEEE floating point value. 32 bit
values are generally read from Least Significant Word (LSW) to Most Significant
Word (MSW), but some manufacturers reverse the order of the words.
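
The following Python sketch is an added example, not part of the original document. It decodes one register as signed or unsigned and combines two registers under both word orders, so a reversed word order shows up as an implausible value; the function names and the sample registers are constructed for illustration.

```python
import struct

def decode_register(value, signed=False):
    """Interpret one 16-bit register as an unsigned or signed integer."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("a register holds exactly 16 bits")
    return value - 0x10000 if signed and value & 0x8000 else value

def decode_pair(first, second, kind="uint32", lsw_first=True):
    """Combine two consecutive registers into one 32-bit value.

    first and second are in the order they were read from the device.
    lsw_first=True means the first register is the Least Significant Word.
    """
    for reg in (first, second):
        if not 0 <= reg <= 0xFFFF:
            raise ValueError("a register holds exactly 16 bits")
    msw, lsw = (second, first) if lsw_first else (first, second)
    raw = struct.pack(">HH", msw, lsw)          # 4 bytes, MSW in front
    fmt = {"uint32": ">I", "int32": ">i", "float32": ">f"}[kind]
    return struct.unpack(fmt, raw)[0]

def word_order_report(first, second, kind="uint32"):
    """Decode the same pair under both word orders for comparison."""
    return {
        "lsw_first": decode_pair(first, second, kind, lsw_first=True),
        "msw_first": decode_pair(first, second, kind, lsw_first=False),
    }

# Constructed sample: the value 70000 (0x00011170) stored LSW first.
SAMPLE = (0x1170, 0x0001)

if __name__ == "__main__":
    print(word_order_report(*SAMPLE))
```

When a point reads as a wildly wrong number, comparing both decodings against the expected engineering range usually reveals which word order the manufacturer used.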

Function Codes
Function Codes identify the memory section that a master device is trying to access in
a slave device. They also specify whether the action is to read or write a register.

There are three categories of Function Codes:

• Public

• User defined

• Reserved

The following table shows the most common Public Function Codes:

Register Type                       Function Code   Point Type
Read Coils                          1               DI, DO
Read Binary input                   2               DI
Read Holding                        3               AI, AO
Read Analog Inputs                  4               AI
Write Single Coil                   5               DO
Write Single Holding Register       6               AO
Write Multiple Coils                15              DO
Write Multiple holding Registers    16              AO

For a full description of the three categories, visit http://modbus.org and download
http://modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf

Polling
Once the address of the device and function code have been specified, Modbus
requires the address of the first register that is to be read or written to. The next part of
the request is for the number of registers that are to be read in that specific request or
poll.

It is always important to request data in sequence. This will make your
communications more efficient. For example, if a Master device requests registers
40,001, 40,005, 40,010, this would create three separate polls. If the Master device
requested registers 40,001 through 40,010 instead, this would create one poll and keep
the trunk free of communications until the next poll.

Base offset is the starting address used to specify access to different sections within a
device.

Modbus does not have specific guidelines on how a document should provide
information about its register point map or the function codes supported. Other
protocols do: LON provides a functional profile and BACnet provides a Protocol
Implementation Conformance Statement (PICS).

When reading a manufacturer’s document, register addresses are represented in three
different formats:

1. Modbus

2. Decimal

3. Hexadecimal

The Modbus addressing format is based on a 5-digit number (e.g. 40001). It is most
commonly used in commercial controllers.

The Decimal addressing format value may not be as common and may not represent
the absolute address of a point offset.

The Hexadecimal addressing format will most likely represent the absolute address of a
point (no offset required).
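
The Python sketch below is an added example, not part of the original document. It converts 5-digit Modbus addresses into a read function code and zero-based offset using the starting addresses and function codes given above, then groups the wanted points into polls. The function names, the `max_gap` parameter and the per-request limits (taken from the Modbus application protocol specification, not from this page) are assumptions.

```python
# Base address and read function code of each memory section (from this page).
SECTIONS = [(40001, 3), (30001, 4), (10001, 2), (1, 1)]
# Assumption: per-request read limits from the Modbus application protocol
# specification (125 registers, 2000 coils or binary inputs).
LIMIT = {1: 2000, 2: 2000, 3: 125, 4: 125}

def split_address(addr):
    """Map a 5-digit Modbus address to (function code, zero-based offset)."""
    for base, fc in SECTIONS:
        if base <= addr < base + 9999:
            return fc, addr - base
    raise ValueError(f"{addr} is outside the four memory sections")

def plan_polls(addresses, max_gap=0):
    """Group addresses into polls of (function code, start offset, quantity).

    max_gap is how many unwanted points may be read to bridge two wanted
    ones; 0 merges only strictly consecutive addresses.
    """
    polls = []
    for fc, off in sorted({split_address(a) for a in addresses}):
        if polls:
            p_fc, p_start, p_qty = polls[-1]
            end = p_start + p_qty              # first offset after the poll
            new_qty = off - p_start + 1
            if fc == p_fc and off - end <= max_gap and new_qty <= LIMIT[fc]:
                polls[-1] = (fc, p_start, new_qty)
                continue
        polls.append((fc, off, 1))
    return polls

# Constructed sample: the three registers used in the text above.
WANTED = [40001, 40005, 40010]

if __name__ == "__main__":
    print(plan_polls(WANTED))              # three separate polls
    print(plan_polls(WANTED, max_gap=4))   # one poll covering 40001-40010
```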

Modbus Remote Terminal Unit (RTU)
Introduction
Modbus Remote Terminal Unit is one of two different serial transmission modes.
It is based on a Master/Slave model. Only one master is connected to the bus and
several slave nodes are connected to the same trunk.

The Master initiates communication. The slave nodes only respond to a request
from the Master. Slave nodes do not communicate with each other.

Master devices have two ways to request data from a slave device, unicast and
broadcast:

1. Unicast communications are directed to a single device.

    ● After receiving and processing the request, the slave device returns a
      message or reply.

2. Broadcast communications are sent to all devices.

    ● No response is sent back. Broadcast requests are writing commands.
      All devices must accept a broadcast writing request. Address 0 is
      reserved for broadcasts.

Modbus Addressing rules:

Address     Meaning
0           Broadcast
1-247       Slave Individual Address
248-255     Reserved

RTU Packet
The Modbus protocol defines a simple Protocol Data Unit (PDU) independent of the
underlying communication layers. The mapping of MODBUS protocol on specific
buses or networks can introduce some additional fields on the Application Data Unit
(ADU).

RTU Packet:

Field   Slave Address   Function Code   Data            CRC
Size    1 byte          1 byte          0 – 252 bytes   2 bytes

A Master device addresses a slave by placing the slave address in the address field of
the message. When the slave returns its response, it places its own address in the
response address field to let the Master know which slave is responding.

The function code indicates to the server what kind of action to perform. The function
code is followed by a data field that contains request and response parameters.

The error checking field is the result of a Cyclic Redundancy Check (CRC) calculation
that is performed on the message contents. The CRC field checks the contents of the
entire message. It is applied regardless of any parity checking method used for the
individual characters of the message. The CRC field contains a 16-bit value
implemented as two 8-bit bytes.
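
The Python sketch below is an added example, not part of the original document. It builds an RTU frame with the field sizes given above and validates a received frame: size bounds, CRC, and the address rules. The function names and the sample frame are constructed for illustration; the CRC parameters and the low-byte-first order come from the Modbus serial line specification.

```python
def crc16_modbus(data: bytes) -> int:
    """CRC-16 as used by Modbus RTU (init 0xFFFF, reflected poly 0xA001)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def build_rtu_frame(slave: int, function: int, data: bytes) -> bytes:
    """Assemble slave address, function code, data and CRC into one frame."""
    if not 0 <= slave <= 247:
        raise ValueError("addresses 248-255 are reserved")
    if len(data) > 252:
        raise ValueError("data field is limited to 252 bytes")
    body = bytes([slave, function]) + data
    return body + crc16_modbus(body).to_bytes(2, "little")  # low byte first

def parse_rtu_frame(frame: bytes) -> dict:
    """Validate a received frame; raise ValueError on anything malformed."""
    if not 4 <= len(frame) <= 256:
        raise ValueError("frame must be 4 to 256 bytes")
    body, received = frame[:-2], int.from_bytes(frame[-2:], "little")
    if crc16_modbus(body) != received:
        raise ValueError("CRC mismatch: frame corrupted in transit")
    slave = body[0]
    if slave > 247:
        raise ValueError("reserved slave address")
    return {"slave": slave, "broadcast": slave == 0,
            "function": body[1], "data": body[2:]}

# Constructed sample: read 10 holding registers from slave 1, offset 0.
SAMPLE = build_rtu_frame(1, 3, bytes.fromhex("0000000a"))

if __name__ == "__main__":
    print(SAMPLE.hex(" "), parse_rtu_frame(SAMPLE))
```

The CRC detects line noise only: any device on the trunk can recompute it, so a passing check says nothing about who sent the frame.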

Transmission Mode
The format (11 bits) for each byte in RTU mode is:
● Coding System: 8-bit binary
● Bits per Byte:
    ● 1 start bit
    ● 8 data bits, least significant bit sent first
    ● 1 bit for parity completion
    ● 1 stop bit

Even parity is required. Other modes (odd parity, no parity) may also be used. In order
to ensure a maximum compatibility with other products, it is also recommended to
support the no parity mode. The default parity mode must be even parity. The use of
no parity requires 2 stop bits.

RS – 485
At the physical level, MODBUS over Serial Line systems may use different physical
interfaces (RS485, RS232). The TIA/EIA-485 (RS485) two-wire interface is the most
common. As an add-on option, an RS485 four-wire interface may be implemented. A
TIA/EIA-232-E (RS232) serial interface may also be used when only short
point-to-point communication is required.

RS-485 rules should be followed as specified by EIA/TIA-485, for example:

● 32 maximum full loads per segment without a repeater
● Length depends on the baud rate, the cable (Gauge, Capacitance or
  Characteristic Impedance), the number of loads on the daisy chain, and the
  network configuration (2-wire or 4-wire).
● No T tap connections allowed.
● Two end of line terminators per segment.
● A bias resistor per segment.
● Addressing:
    ● 0 broadcast
    ● 1-247 Slaves
    ● 248-255 reserved

Baud rates 9600 bps and 19.2 Kbps are required and 19.2 is the required default.
Other baud rates may be implemented: 1200, 2400, 4800, 38400 bps, 56 Kbps, 115
Kbps. For further information, consult document:

http://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf

Modbus TCP
Introduction
The Modbus TCP protocol is based on a Client/Server model. The Client
replaces the Master, and Server replaces slave. Modbus TCP relies on TCP for the
delivery of data and IP for routing the data.

A dedicated header is used to identify the Modbus Application Data Unit (ADU).
It is known as the MBAP header (Modbus Application Protocol Header). It
includes the following:

● Transaction Identifier
● Protocol Identifier
● Length
● Unit Identifier

MBAP Header
The Modbus protocol defines a simple Protocol Data Unit (PDU) independent of
the underlying communication layers. The mapping of MODBUS protocol on
specific buses or networks can introduce some additional fields on the Application
Data Unit (ADU). The Modbus TCP ADU is sent via TCP to registered port 502.
This port may be required but can be changed in specific situations.

A dedicated header is used on TCP/IP to identify the MODBUS Application Data
Unit. It is called the MBAP header (MODBUS Application Protocol header).

Field   MBAP     Function Code   Data
Size    7 byte   1 byte          0 – 252 bytes

The MBAP header contains the following fields:

● Transaction Identifier
    o Used for transaction pairing. The MODBUS server copies in
      the response the transaction identifier of the request.
● Protocol Identifier
    o Used for intra-system multiplexing. The MODBUS protocol
      is identified by the value 0.
● Length
    o The length field is a byte count of the following fields,
      including the Unit Identifier and data fields.
● Unit Identifier
    o Used for intra-system routing purpose. It is typically used to
      communicate to a MODBUS+ or a MODBUS serial line
      slave through a gateway between an Ethernet TCP-IP network
      and a MODBUS serial line. This field is set by the MODBUS
      Client in the request and must be returned with the same value
      in the response by the server.
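
The Python sketch below is an added example, not part of the original document. It parses a Modbus TCP ADU and enforces the MBAP rules listed above: protocol identifier 0, a length field that matches the bytes actually received, and a response that echoes the request's transaction and unit identifiers. The function names and sample messages are constructed, and the parser assumes the buffer holds exactly one complete ADU.

```python
import struct

# Transaction id (2), protocol id (2), length (2), unit id (1) = 7 bytes.
MBAP = struct.Struct(">HHHB")

def parse_tcp_adu(adu: bytes) -> dict:
    """Split one complete ADU into MBAP fields and PDU, or raise ValueError."""
    if len(adu) < MBAP.size + 1:
        raise ValueError("shorter than MBAP header plus function code")
    tid, pid, length, unit = MBAP.unpack_from(adu)
    pdu = adu[MBAP.size:]
    if pid != 0:
        raise ValueError("protocol identifier must be 0 for MODBUS")
    if length != 1 + len(pdu):          # unit identifier + PDU bytes
        raise ValueError("length field disagrees with bytes received")
    if len(pdu) > 253:                  # 1 function code + 252 data bytes
        raise ValueError("PDU larger than the protocol allows")
    return {"transaction": tid, "unit": unit,
            "function": pdu[0], "data": pdu[1:]}

def is_paired(request: dict, response: dict) -> bool:
    """True only if the response echoes the request's transaction and unit."""
    return (request["transaction"] == response["transaction"]
            and request["unit"] == response["unit"])

# Constructed samples: read one holding register at offset 0 from unit 1,
# and a reply carrying the register value 0x1234.
REQUEST = bytes.fromhex("000100000006010300000001")
RESPONSE = bytes.fromhex("0001000000050103021234")

if __name__ == "__main__":
    req, rsp = parse_tcp_adu(REQUEST), parse_tcp_adu(RESPONSE)
    print(req, rsp, is_paired(req, rsp))
```

These checks establish only that a message is well formed and matches an outstanding request; the MBAP header carries no field that identifies or authenticates the sender.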

Supporting Layers
Transmission Control Protocol (TCP, Layer 4) is a connection-oriented protocol that
provides transparent transfer of data between devices, providing reliability of a given
link through flow control, segmentation/de-segmentation, and error control.

Internet Protocol (IP, Layer 3) is a connectionless network layer protocol that provides
features for addressing, type of service specification, fragmentation, reassembly, and
security.

Ethernet is responsible for the last two layers, Data Link and Physical. It is responsible
for the creation of the frame and encapsulation of PDUs. Ethernet rules for distance
and cabling should be followed:

Ethernet Type   Bandwidth   Cable Type                      Maximum Distance in feet (meters)
10BASE5         10Mbps      Thick Coax                      1640 (500)
10BASE2         10Mbps      Thin Coax                       606 (185)
10BASE-T        10Mbps      Cat3/Cat5 UTP                   328 (100)
100BASE-TX      100Mbps     Cat5 UTP                        328 (100)
100BASE-FX      100Mbps     Multimode / single mode fiber   1312/6561 (400/2000)
1000BASE-T      1Gbps       Cat5e UTP                       328 (100)
1000BASE-TX     1Gbps       Cat6 UTP                        328 (100)
1000BASE-SX     1Gbps       Multimode fiber                 1804 (550)
1000BASE-LX     1Gbps       Single-mode fiber               6561 (2000)
10GBASE-T       10Gbps      Cat6a/Cat7 UTP                  328 (100)
10GBASE-LX4     10Gbps      Multimode fiber                 984 (300)
10GBASE-LX4     10Gbps      Single-mode fiber               3280 (10,000)

For further information, consult document:

http://modbus.org/docs/Modbus_Messaging_Implementation_Guide_V1_0b.pdf
