Industrial Automation Tech Note 58 - TNIA58
Overview
The purpose of this document is to try to explain the Modbus protocol in a fashion less intimidating than the Modbus Application Protocol specification, as well as how it relates to using the protocol with Red Lion Controls' HMI products.
For the purpose of this primer, all examples will be given for Modbus RTU, which is the most common version of Modbus. Understanding Modbus RTU will make learning the other 'flavors' quite easy.
Modbus ASCII is virtually the same, except instead of HEX bytes, ASCII characters are transmitted which doubles the number of bytes needed for any given transaction.
Modbus TCP/IP the frame is identical to that of Modbus RTU with the exception of the CRC, which is handled by the Ethernet packet.
The Modbus Protocol
Reading Data (Binary and Word)
A request for data transmission from the master will contain the following:
- Slave Address, 1 byte, valid values are 1-255
- Function Code, 1 byte
Most Commonly used Function Codes (Listed below in Decimal)
01: Read Coils
Coils are binary values that can be read and written
Coils are typically shown as 0(X)XXXX addresses
02: Read Discrete Inputs
Discrete inputs are binary values that can only be read
Discrete inputs are typically shown as 1(X)XXXX addresses
03: Read Holding Registers
Holding Registers are 16-bit words (2 bytes) that can be read and written
Holding Registers are typically shown as 4(X)XXXX addresses
04: Read Input Register
Input Registers are 16-bit words that can only be read
Input Registers typically are shown as 3(X)XXXX addresses
- First address to read, 2 bytes
- Number of registers to read, 1 byte
- CRC, 2 bytes
The master's request will contain the Slave's address (1 byte), function code (1 byte), starting register address (2 bytes), the number of registers to read (2 bytes), and a CRC (2 bytes). The Modbus specification limits the maximum transmission size to 256 bytes, which limits the number of data requested to not exceed 253 bytes of data from the slave.
Binary Read Response
The slave's response for a 01 or 02 will contain the Slave's address (1 byte), function code (1 byte), byte count (1 byte, N*), data (n Bytes, n = N or N + 1).
*N = Quantity of Coils/Inputs / 8, if the remainder is anything other than 0 => N = N + 1
The data will be encoded into bytes, with the lsb (least significant bit) of the MSB (most significant byte) will be the starting address's value. Figure 1 shows an example from the Modbus Application Protocol specification, which does not contain the slave address or the CRC for simplicity.
Figure 1.
"The status of coils 27–20 is shown as the byte value CD hex, or binary 1100 1101. Coil
27 is the MSB of this byte, and coil 20 is the LSB.
By convention, bits within a byte are shown with the MSB to the left, and the LSB to the right.
Thus the coils in the first byte are ‘27 through 20’, from left to right. The next byte has coils ‘35 through 28’, left to right. As the bits are transmitted serially, they flow from LSB to
MSB: 20 . . . 27, 28 . . . 35, and so on.
In the last data byte, the status of coils 38-36 is shown as the byte value 05 hex or binary
0000 0101. Coil 38 is in the sixth-bit position from the left, and coil 36 is the LSB of this byte. The five remaining high order bits are zero filled."
*Before you think there is a typo in the above, please note that traditional Modbus addressing and what is actually sent 'on the wire', are not the same thing. This will be covered in more detail later on in this document.
Word Read Response
The response for a 03 or 04 will contain the Slave's address (1 byte), function code (1 byte), byte count (1 byte, 2 x N*), data (N* x 2 bytes).
*N = Quantity of Registers
Figure 2 shows an example from the Modbus Application Protocol specification, which does not contain the slave address or the CRC.
Figure 2.
"The contents of register 108 are shown as the two-byte values of 02 2B hex or 555 decimal.
The contents of registers 109–110 are 00 00 and 00 64 hex, or 0 and 100 decimal,
respectively."
*Before you think there is a typo in the above, please note that traditional Modbus addressing and what is actually sent 'on the wire', are not the same thing. This will be covered in more detail later on in this document.
Writing Data
Most Commonly used Function Codes (Listed below in Decimal)
- 05: Write Single Coil
- 06: Write Single (Holding) Register
- 15: Write Multiple Coils
- 16: Write Multiple (Holding) Registers
A write single data transmission from a master will contain the following:
- Slave Address, 1 byte, valid values 0-255 (address 0 is used to broadcast a write to ALL of the devices on the network)
- Function Code, 1 byte
- Register address to write, 1 byte
- Data
- CRC 2 bytes
A write multiple data transmission from a master will contain the following:
- Slave Address, 1 byte, valid values 0-255 (address 0 is used to broadcast a write to ALL of the devices on the network)
- Function Code, 1 byte
- First address to write, 1 byte
- The number of registers to write
- Byte count
- Data
- CRC 2 bytes
Single Register Writes
The master's transmission for function codes 05 and 06 will contain the Slave's address (1 byte), function code (1 byte), register address (2 bytes), register data (2 bytes), and a CRC (2 bytes).
The slave's response for these functions will contain the Slave's address (1 byte), function code (1 byte), register address (2 bytes), register value (2 bytes), and a CRC (2 bytes).
Figure 3 shows an example of function code 05 from the Modbus Application Protocol specification, which does not contain the slave address or the CRC.
Figure 3.
"The requested ON/OFF state is specified by a constant in the request data field. A value of
FF 00 hex requests the coil to be ON. A value of 00 00 requests it to be OFF. All other values are illegal and will not affect the coil.
The Request specifies the address of the coil to be forced. The requested ON/OFF state is specified by a constant in the Coil Value field. A value of 0XFF00 requests the coil to be ON.
A value of 0X0000 requests the coil to be off. All other values are illegal and will not affect
the coil."
*Before you think there is a typo in the above, please note that traditional Modbus addressing and what is actually sent ' on the wire', are not the same thing. This will be covered in more detail later on in this document.
Figure 4 shows an example of function code 06 from the Modbus Application Protocol specification, which does not contain the slave address or the CRC.
Figure 4.
"The Request specifies the address of the register to be written. The normal response is an echo of the request, returned after the register contents have been written."
Multiple Register Writes
The master's transmission for function codes 15 and 16 will contain the Slave's address (1 byte), function code (1 byte), starting register address (2 bytes), quantity of registers to write (2 bytes), byte count (1 bytes), register data (variable bytes), and a CRC (2 bytes).
The slave's response for these functions will contain the Slave's address (1 byte), function code (1 byte), starting register address (2 bytes), quantity of registers written (2 bytes), and a CRC (2 bytes).
Figure 5 shows an example of function code 15 from the Modbus Application Protocol specification, which does not contain the slave address or the CRC.
Figure 5.
"The request data contents are two bytes: CD 01 hex (1100 1101 0000 0001 binary). The
binary bits correspond to the coils in the following way:
The first byte transmitted (CD hex) addresses coils 27-20, with the least significant bit
addressing the lowest coils (20) in this set.
The next byte transmitted (01 hex) addresses coils 29-28, with the least significant bit addressing the lowest coil (28) in this set. Unused bits in the last data byte should be
zero–filled."
Figure 6 shows an example of function code 16 from the Modbus Application Protocol specification, which does not contain the slave address or the CRC.
Figure 6.
"The requested written values are specified in the request data field. Data is packed as two bytes per register. The normal response returns the function code, starting address, and quantity of registers written."
Special Circumstances
Accessing 32-Bit Values
Reading 32-bit values can be tricky; there are 2 methods for accessing 32-bit Integers or Floating-point values.
Using 2 Registers
The most common method used for transferring 32-bit values via Modbus is using 2 separate (contiguous) Modbus registers to store the data.
Reading uses the standard function codes (03 and 04) but asks for twice the number of registers. The master then takes the response and creates a 32-bit number out of the 2 16-bit registers that the slave responded with.
Writing also uses standard function codes (06 and 16), but generally only 16 since it needs to write to more than 1 register. The master will take the 32-bit number and write it to 2 consecutive registers in the slave.
Using a Single Register
This is often referred to as Enron Modbus or Daniel's Extension; it treats a single register as a 32-bit number.
Reading uses the standard function codes (03 and 04), but the slave responds with 32-bits of data for each register that the master requests.
Writing also uses standard function codes (06 and 16). The master will send 32-bits of data for each register that it wishes to write.
Modbus Addressing Schemes
Traditional Addressing
The traditional Modbus addressing scheme uses a 5-digit number to signify the register address. The first (far left) digit indicates what function codes are used to access the register. The last 4 digits represent the register number. This address is typically in decimal.
Digital Coils (accessed with function codes 01, 05, and 15)
00001-09999 : represented 'on the wire' as 0x0000-0x270E (0-9998 decimal)
Discrete Inputs (accessed with function code 02)
10001-19999 : represented 'on the wire' as 0x0000-0x270E (0-9998 decimal)
Input Registers (accessed with function code 04)
30001-39999 : represented 'on the wire' as 0x0000-0x270E (0-9998 decimal)
Holding Registers (accessed with function codes 03, 06, and 16)
40001-49999 : represented 'on the wire' as 0x0000-0x270E (0-9998 decimal)
Extended Addressing
The Extended Modbus addressing scheme is very similar to the Traditional scheme but uses a 6-digit number to signify the register address. Once again, the first digit indicates what function codes are used to access the register. The last 5 digits are the register address, having the 5 digits for the register address allow for use of all 16-bits of the register address laid out in the Modbus specification. This address is typically in decimal.
Digital Coils (accessed with function codes 01, 05, and 15)
000001-065535 : represented 'on the wire' as 0x0000-0xFFFE (0-65534 decimal)
Discrete Inputs (accessed with function code 02)
100001-165535 : represented 'on the wire' as 0x0000-0xFFFE (0-65534 decimal)
Input Registers (accessed with function code 04)
300001-365535 : represented 'on the wire' as 0x0000-0xFFFE (0-65534 decimal)
Holding Registers (accessed with function codes 03, 06, and 16)
400001-465535 : represented 'on the wire' as 0x0000-0xFFFE (0-65534 decimal)
‘On the Wire’ Addressing
The ‘On the Wire’ addressing scheme uses the actual register number that gets transmitted in the examples above. The function codes needed to access the registers are typically listed as a heading for a list of registers, or at least implied by using the terms inputs, coils, etc…
Modbus and Crimson
Supported Function Codes
As a Master Red Lion supports the following function codes (in decimal)
01 Read Coils
02 Read Discrete Inputs
03 Read Holding Registers
04 Read Input Registers
05 Write Single Coil
06 Write Single (Holding) Register
15 Write Multiple Coils
16 Write Multiple (Holding) Registers
20 Read File Record
21 Write File Record
Frame Register Limits can be set so that the Red Lion unit does not try to read or write more registers than the slave device will allow. These limits are set on a per-device basis, in the Communications section. For Serial devices, they are set on the General tab of the device. For Ethernet device, they are set on the Extended tab of the device.
Also, the write functions can be disabled, for devices that only support single or multiple register writes.
As a Slave Red Lion supports the following function codes (in decimal):
01 Read Coils
02 Read Discrete Inputs
03 Read Holding Registers
04 Read Input Registers
05 Write Single Coil
06 Write Single (Holding) Register
15 Write Multiple Coils
16 Write Multiple (Holding) Registers
Accessing 32-bit Values
As a Master Red Lion can support both methods mentioned above.
To use the 2 Register Method, select either 3 Analog Inputs or 4 Holding Registers, and then choose Word as Long or Word as Real (depending on the data type needed) for the Data Type.
Currently (02/09) Red Lion only supports the Single Register Method for Holding Registers. To use this, choose the L4 Holding Registers (32-bit) selection for the Data Item.
Word Order by default the first word that is received from the slave is treated as the high word. So, when Word as Long or Word as Real is selected, the register that you map to is used as the high word. You can use the Swap Words transform on an Integer or Real tag if the slave uses a different word-ordering scheme.
As a Slave Red Lion only supports the 2 Register Method, you select the start address of the block and choose Word as Long or Word as Real for the Data Type. After setting the size, you will notice that the registers only show every other register as available, since it uses 2 registers per value. The default word order is Low then High for both Long and Real blocks, you can change this by clicking on the Protocol itself, and not the device.
Addressing Scheme
Red Lion uses the Extended Modbus addressing scheme, to allow access to as many registers in the slave device as possible while maintaining the look of Traditional Modbus addressing.
This means that if the slave device lists its available addresses in the Traditional addressing format, you need to add a leading 0 to the Element when mapping your tags.
Or if the slave device lists the available addresses in the ‘On the wire’ addressing format, then you need to convert the address into decimal and add 1. This value will be used as the Element, and you need to choose the correct Data Item to match the function code needed by the device to access the register.
Trouble Shooting - No Data
There are several reasons that the Modbus communications may not work, below are the thing to verify prior to looking at hardware related causes. The below assumes that the Baud Rate, Data Bits, Stop Bits, and Parity are correct for a serial device (as well as the Port Mode is RS485 is being used); or that the IP addresses are correct for both the Red Lion and the Slave device is TCP/IP is being used.
Slave Address
A relatively easy setting to overlook is the slave’s address. In Crimson, this is referred to as the Drop Number and is located on the General tab of the device. This should be set to match the address of the slave device. Be aware that address 0 is reserved for Broadcasting to all stations on the network and does not support any of the function codes for reading. While setting the Drop Number to 0 will make it look like there is good comms, that is just because the Red Lion is smart enough to know that you cannot read address 0, so it just displays 0 instead of the dashed lines.
Function Code or Frame Limit Issue
If there is more than a single register that the Red Lion is trying to read, it could be as simple as the Red Lion trying to read more registers in a single transaction than the slave device will permit. You can change the Frame Register Limits to correct this.
If the communications are fine until a write is issued, it could be that the slave does not support all of the function codes for writing, you can disable the ones that the slave does not support.
Ping Holding Register
Something unique to Red Lion is the Ping Holding Register. This is used to quickly detect that a device is online. Without this, or when it is disabled, having a device offline for a long period of time, affects how quickly communications will be re-established with the device when it comes back online. Every time a request does not receive a response, the next request is delayed slightly. This delay continues to build every time a request goes without a response. With the Ping enabled, the Red Lion will send a request on every Comms Scan, regardless if it receives a response or not. Once the response is received, the Red Lion will read any needed items from the slave.
The Ping Holding Register is set on the Extended tab of a serial device, or General tab of a TCP/IP device.
The default setting is 1, which means that the Red Lion will read 400001 (function code 03 register 0x00 length of 1) to determine if the device is online. If the slave device does not have 400001, then it should be set to the Extended Address format of a known holding register, omitting the leading 4. If the slave as no Holding Registers, then use a setting of 0, which will disable the ping.
Addressing Scheme
There could be an addressing scheme mismatch, causing the tags to read register other than what you are expecting. See the Addressing scheme section above to see what needs to be changed.
Trouble Shooting – Wrong Values
This may be reading the value of the wrong register, typically due to the offset needed for ‘On the wire’ addressing. It could be due to a 32-bit access selection problem, or just a Word order issue.
Register Offset
See the Addressing scheme section above for an explanation of Red Lion’s addressing scheme.
Strange Value
While it is possible to need to use a transform on a 16-bit value to get the correct value, it is far more common to see this when dealing with 32-bit values. With Integers, the value will just be wrong. With Reals, the number could just be wrong, but you may also see +BIG, -BIG, or NAN.
+BIG indicates that the number is too large to be displayed with the number of Digits Before DP.
-BIG indicates the same, but the number is negative
NAN indicates that it is Not A Number, I.E. not in IEEE 754 format.
The first thing to find out is how does the slave expect to have its 32-bit values accessed? Make sure to map the tag accordingly.
Next find out the Word Order that the slave uses for its 32-bit data, and set the Scaling and Transforms accordingly.
Helpful Tools
When trying to diagnose a communications problem there are 2 pieces of software I like to use:
ModScan32: This is a Modbus Master that can show you both the register values, as well as show you the traffic (in HEX) between itself and the slave. This can be helpful in determining Word order as well as if the slave is not responding with the correct data.
ModSim32: This is a Modbus Slave that can also show the traffic to verify that the master is sending the data that it should be.
Disclaimer
It is the customer's responsibility to review the advice provided herein and its applicability to the system. Red Lion makes no representation about specific knowledge of the customer's system or the specific performance of the system. Red Lion is not responsible for any damage to equipment or connected systems. The use of this document is at your own risk. Red Lion standard product warranty applies.
Red Lion Technical Support
If you have any questions or trouble contact Red Lion Technical Support by clicking here or calling 1-877-432-9908.
For more information: http://www.redlion.net/support/policies-statements/warranty-statement