Professional Documents
Culture Documents
Modbus Troubleshooting
Modbus Troubleshooting
Modbus Troubleshooting
Understanding
Modbus
SCHNEIDER ELECTRIC
Modbus Troubleshooting
Schneider Electric
Table of Contents
Modbus Introduction ................................................................. 1
Brief Modbus History ....................................................................... 1
Modbus Protocol Description .......................................................... 1
Understanding Modbus ............................................................ 1
Modbus Memory Sections............................................................... 1
Registers ......................................................................................... 2
Function Codes ............................................................................... 3
Polling ............................................................................................. 4
Modbus Remote Terminal Unit (RTU) ...................................... 5
Introduction ..................................................................................... 5
RTU Packet..................................................................................... 6
Transmission Mode ......................................................................... 7
RS – 485 ......................................................................................... 7
Modbus TCP ............................................................................ 8
Introduction ..................................................................................... 8
MBAP Header ................................................................................. 8
Supporting Layers ........................................................................... 9
S C H N E I D E R - E L E C T R I C
Modbus Introduction
Brief Modbus History
Modicon first introduced Modbus in 1979. Modbus is an open standard, and it is the
most widely used in the industrial environment. Modbus is publicly available and, due
to its simplicity, many manufacturers use Modbus as a solution for integration in their
own products. Many commercial products and systems support the Modbus RTU and
Modbus TCP protocols. For further information, visit the Modbus website at
http://www.Modbus-IDA.org.
Understanding Modbus
Modbus Memory Sections
Modbus has four memory sections that consist of four data types. The four sections
of memory hold specific data in registers. The data held in registers has a unique
address. The points and starting register addresses are:
1. Coils 1 (Read/Write)
Memory sections are identified by using function codes. They are used in combination
with the device address to locate a specific memory section, or point. This type of
request is done by the master device in Remote Terminal Unit (RTU) networks or the
client in Modbus Transmission Control Protocol (TCP) networks.
1
Registers
Registers are also known as “Words” equal to sixteen bits or two bytes. The
interpretation of a register is based on how data is specified (e.g. analog or
digital).
Registers are read from the Least Significant Bit (LSB) to the Most Significant
Bit (MSB).
Registers can represent a 32 bit IEEE floating point register. 32 bit registers
are generally read from Least Significant Word (LSW) to Most Significant
Word (MSW) but some manufacturers reverse the order of the words.
2
Function Codes
Function Codes identify the memory section that a master device is trying to access in
a slave device. They also specify whether the action is to read or write a register.
• Public
• User defined
• Reserved
The following table shows the most common Public Function Codes:
For a full description of the three categories, visit http://modbus.org and download
http://modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf
3
Polling
Once the address of the device and function code have been specified, Modbus
requires the address of the first register that is to be read or written to. The next part of
the request is for the number of registers that are to be read in that specific request or
poll.
Base offset is the starting address used to specify access to different sections within a
device.
Modbus does not have specific guidelines on how a document should provide
information about its register point map or the function codes supported. Other
protocols like LON provide a functional profile or BACnet provides a Protocol
Implementation Conformance Statement (PICS).
1. Modbus
2. Decimal
3. Hexadecimal
The Modbus addressing format is based on a 5-digit number (e.g. 40001). It is most
commonly used in commercial controllers.
The Decimal addressing format value may not be as common and may not represent
the absolute address of a point offset.
The Hexadecimal addressing format will most likely represent the absolute address of a
point (no offset required).
4
Modbus Remote Terminal Unit (RTU)
Introduction
Modbus Remote Terminal Unit is one of two different serial transmission modes.
It is based on a Master/Slave model. Only one master is connected to the bus and
several slave nodes are connected to the same trunk.
The Master initiates communication. The slave nodes only respond to a request
from the Master. Slave nodes do not communicate with each other.
Master devices have two ways to request data from a slave device, unicast and
broadcast:
After receiving and processing the request, the slave device returns a
message or reply.
5
RTU Packet
The Modbus protocol defines a simple Protocol Data Unit (PDU) independent of the
underlying communication layers. The mapping of MODBUS protocol on specific
buses or networks can introduce some additional fields on the Application Data Unit
(ADU).
RTU Packet:
A Master device addresses a slave by placing the slave address in the address field of
the message. When the slave returns its response, it places its own address in the
response address field to let the Master know which slave is responding.
The function code indicates to the server what kind of action to perform. The function
code is followed by a data field that contains request and response parameters.
The error checking field is the result of a Cycle Redundancy Check (CRC) calculation
that is performed on the message contents. The CRC field checks the contents of the
entire message. It is applied regardless of any parity checking method used for the
individual characters of the message. The CRC field contains a 16–bit value
implemented as two 8–bit bytes.
6
Transmission Mode
The format (11 bits) for each byte in RTU mode is :
Coding System: 8–bit binary
Bits per Byte: 1 start bit
8 data bits, least significant bit sent first
1 bit for parity completion
1 stop bit
Even parity is required. Other modes (odd parity, no parity) may also be used. In order
to ensure a maximum compatibility with other products, it is also recommended to
support the no parity mode. The default parity mode must be even parity. The use of
no parity requires 2 stop bits.
RS – 485
At the physical level, MODBUS over Serial Line systems may use different physical
interfaces (RS485, RS232). TIA/EIA-485 (RS485.) Two-wire interface is the most
common. As an add-on option, RS485 four-wire interface may be implemented. A
TIA/EIA-232-E (RS232) serial interface may also be used as an interface, when only
short point-to-point communication is required.
http://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf
7
Modbus TCP
Introduction
The Modbus TCP protocol is based on a Client/Server model. The Client
replaces the Master, and Server replaces slave. Modbus TCP relies on TCP for the
delivery of data and IP for routing the data.
A dedicated header is used to identify the Modbus Application Data Unit (ADU).
It is known as the MBAP header (Modbus Application Protocol Header). It
includes the following:
● Transaction Identifier
● Protocol Identifier
● Length
● Unit Identifier
MBAP Header
The Modbus protocol defines a simple Protocol Data Unit( PDU) independent of
the underlying communication layers. The mapping of MODBUS protocol on
specific buses or networks can introduce some additional fields on the Application
Data Unit (ADU). The Modbus TCP ADU is sent via TCP to registered port 502.
This port may be required but can be changed in specific situations.
8
The MBAP header contains the following fields:
● Transaction Identifier
o Used for transaction pairing. The MODBUS server copies in
the response the transaction identifier of the request.
● Protocol Identifier
o Used for intra-system multiplexing. The MODBUS protocol
is identified by the value 0.
● Length
o The length field is a byte count of the following fields,
including the Unit Identifier and data fields.
● Unit Identifier
o Used for intra-system routing purpose. It is typically used to
communicate to a MODBUS+ or a MODBUS serial line
slave through a gateway between an Ethernet TCP-IP network
and a MODBUS serial line. This field is set by the MODBUS
Client in the request and must be returned with the same value
in the response by the server.
Supporting Layers
Transmission Control Protocol (TCP, Layer 4) is a connection oriented protocol that
provides transparent transfer of data between devices, providing reliability of a given
link through flow control, segmentation/ de-segmentation, and error control.
Internet Protocol (IP, layer 3) is a connectionless network layer protocol that provides
features for addressing, type of service specification, fragmentation, reassembly, and
security.
Ethernet is responsible for the last two layers Data Link and Physical. It is responsible
for the creation of the frame and encapsulation of PDUs. Ethernet rules for distance
and cabling should be followed:
9
Ethernet Bandwith Cable Type Maximum Distance (meters)
Type
http://modbus.org/docs/Modbus_Messaging_Implementation_Guide_V1_0b.pdf
10