Modbus Protocol Basics

 Being able to approach the D Syntax of the Main Requests

implementation of the Modbus
protocol on various physical
media like serial link, Ethernet
TCP-IP or Modbus Plus C Implementation Classes

B Main Function Codes

A Origins and Operating Principles

Duration: 40 min. Expert, Teaching: Philippe Warin

Production: Schneider-Electric

Modbus Protocol Basics – January 2006

TOLED
ORIGINS AND OPERATING PRINCIPLES

D Syntax of the Main Requests

C Implementation Classes

B Main Function Codes

A Origins and Operating Principles

Modbus Protocol Basics – January 2006

TOLED
 - Its origins

1978

Modbus is a messaging protocol

Created in 1978 by Modicon

Open and easy to implement

Widely used in industry

Modbus Protocol Basics – January 2006

TOLED
 - Modbus and the OSI model

Modbus is based on the client/server communication model

OSI model
Layer 7

Used by
various media

and other links: Modbus Plus Serial link Modbus

infrared,
Token ring Master/Slave Ethernet TCP/IP
radio, etc…
RS232, RS485

Modbus Protocol Basics – January 2006

TOLED
 - Modbus in network architectures
Modbus can be used in numerous network architectures

Modbus on
Ethernet TCP-IP

Modbus Plus Modbus Modbus

on RS232 on RS485

Modbus Protocol Basics – January 2006

TOLED
 - Modbus uses the Client/Server concept
Request

Client How fast is the Server

motor running?

1,000 rpm

Response
The Client is the entity The Server is the entity that
requesting a service provides the service

Modbus Protocol Basics – January 2006

TOLED
 - PDU = Protocol Data Unit
A unique message format independent of the lower layers.

PDU = Protocol Data Unit

byte
Function
Address Data Error check
Code

Identifies the = 1 to 127 Additional data Validity check

target Action to depending on the
perform function code

The format of the "Address" and "Error check" fields depends on

the network media used

Modbus Protocol Basics – January 2006

TOLED
 - Error free transaction sequence
Request
Client Server

1 Initialises the data Response

2 Sends the request

Function
Code
Request data 3 Performs requested action

4 Initializes the response

1 - 127 Additional
information Sends the response
5
6 Handles the response Function
Response data
Code

Equals the request's Requested

function code data

Modbus Protocol Basics – January 2006

TOLED
 - Transaction sequence with an error
Request
Client Server

1 Initialises the data Response

2 Sends the request

Function
Code
Request data 3 Detects an error in the requested action

4 Initialises error message data

1 - 127 Additional
information 5 Sends the error message

6 Handles the response Exception

function code
Exception Code

Exception function code The Exception Code

= Function Code + 80H shows the reason for
rejection
Value from 129 to 255

Modbus Protocol Basics – January 2006

TOLED
 - Detailed operation, server end
Await request
reception Reception
Function code
validation
Invalid
Exception code = 1
Valid
Data address
validation
Invalid
Exception code = 2
Valid
Data value
validation
Invalid
Exception code = 3
Valid

Run function

Exception code = Invalid

4, 5 or 6 Valid
Send exception Send Modbus
response response

Modbus Protocol Basics – January 2006

TOLED
MAIN FUNCTION CODES

D Syntax of the Main Requests

C Implementation Classes

B Main Function Codes

A Origins and Operating Principles

Modbus Protocol Basics – January 2006

TOLED
 - The three function code categories
Function
Public Codes
127
Validated by the Modbus.org organisation Public
Publicly documented 110
User defined
Guaranteed to be unique
100

Public
User defined
72
Can be implemented without agreement from Modbus.org User defined
65
Not guaranteed to be unique

Reserved Public
Used by certain companies and not available

Modbus Protocol Basics – January 2006

TOLED
 - The four types of accessible variables

Discrete
Discrete Inputs Bit Read only
inputs

Application
Coils Bit Read/Write
modifiable data

Input Registers Word Read only Analogue inputs

for example

Application
Holding Registers Word Read/Write
modifiable data

Possible table overlapping.

Up to 65,536 variables.

Modbus Protocol Basics – January 2006

TOLED
 - Public function codes for accessing variables
Function Code
Decimal Hex.
Discrete inputs Read Discrete Inputs 02 02
Bit Read Coils 01 01
access Coils Write Single Coil 05 05
Write Multiple Coils 15 0F
Input registers Read Input Registers 04 04
Read Holding Registers 03 03
Write Single Register 06 06
Word
Write Multiple Registers 16 10
access Holding registers
Read/Write Multiple Registers 23 17
Mask Write Register 22 16
Read FIFO queue 24 18

Modbus Protocol Basics – January 2006

TOLED
 - Other public function codes

Sub
Function code
code
Decimal Hex. Decimal

File record Read File record 20 14 06

access Write File record 21 15 06
Read Exception status 07 07
Diagnostic 08 08 00 to 18
Get Com Event Counter 11 0B
Diagnostic
Get Com Event Log 12 0C
Report slave ID 17 11
Read Device Identification 43 2B 14
Other Encapsulated Interface Transport 43 2B

Modbus Protocol Basics – January 2006

TOLED
IMPLEMENTATION CLASSES

D Syntax of the Main Requests

C Implementation Classes

B Main Function Codes

A Origins and Operating Principles

Modbus Protocol Basics – January 2006

TOLED
 - Transparent Ready Implementation Classes

List of services to implement in line with target applications

to guarantee equipment interoperability

Modbus protocol is a part of these services

Messaging Device
Management

Modbus Protocol Basics – January 2006

TOLED
 - Rules and Vocabulary
Three classes dependant on the function levels implemented.

An embedded
Basic Regular Extended function level model

Belonging to a class only if all of the required characteristics are

supported.

A device can also support characteristics of a higher class.

Modbus Protocol Basics – January 2006

TOLED
 - Messaging Classes
Messaging classes are identical for both Client and Server

Access to
registers CF 03: Read Holding Registers
Basic CF 16: Write Multiple Registers
only

Basic + CF 01: Read Coils

Regular Access to bits if
CF 02: Read discrete inputs
necessary and
to diagnostics if CF 15: Write Multiple Coils
Extended serial link CF 08: Diagnostic

Regular +
CF 20: Read File Record
Access
to files CF 21: Write File Record

Write Single Register and Write Single Coil are strongly recommended for servers
(to ensure compatibility with former products).

Modbus Protocol Basics – January 2006

TOLED
 - Device Management Classes
Device Management classes are identical for Client and Server

Access to
Vendor Name, CF 43: Read Device Identification
Basic Product Code Sub code 14 – Level 1 access
and Version

Basic +
Regular Access to Vendor CF 43: Read Device Identification
URL, Product Name, Sub code 14 – Level 2 access
Model Name, User
Extended Application Name

Regular + CF 43: Read Device Identification

Access private objects
Sub code 14 – Level 3 access
depending on product

Modbus Protocol Basics – January 2006

TOLED
SYNTAX OF THE MAIN REQUESTS

D Syntax of the Main Requests

C Implementation Classes

B Main Function Codes

A Origins and Operating Principles

Modbus Protocol Basics – January 2006

TOLED
 - Read Holding Registers
Request:
1 byte 2 bytes 2 bytes
Function Address Number of
Code of the first registers to
03 register read

0 to 65535 n = 1 to 125

Response:
1 byte 2 bytes 2 bytes 2 bytes
Function Value Value
Code Number of
of the first of the last
bytes read
03 register register

2xn 0 to 65535 0 to 65535

Modbus Protocol Basics – January 2006

TOLED
 - Write Multiple Registers
Request:
1 byte 2 bytes 2 bytes 1 byte 2 bytes 2 bytes
Function Address Number of Number of
Code Value of the Value of the
of the first registers to bytes to
first register last register
16 register write write

0 to 65535 n = 1 to 123 2xn 0 to 65535 0 to 65535

Response:
1 byte 2 bytes 2 bytes
Function Address Number of
Code of the first registers
16 register written

0 to 65535 n = 1 to 123

Modbus Protocol Basics – January 2006

TOLED
 - Write Single Register
Request:
1 byte 2 bytes 2 bytes
Function
Code Address of the Value of the
register register
06

0 to 65535 0 to 65535

Response:

1 byte 2 bytes 2 bytes

Function
Code Address of the Value of the
register register
06

0 to 65535 0 to 65535

Modbus Protocol Basics – January 2006

TOLED
 - Read Coils
Request:
1 byte 2 bytes 2 bytes
Function Address of the Number of
Code first digital digital outputs
01 output to read

0 to 65535 n =1 to 2000

Response:
1 byte 1 byte 1 byte 1 byte
Function
Code Number Value of Value of
of bytes read the first byte the last byte
01

n/8 + 1 if R 0 to 255 0 to 255

Modbus Protocol Basics – January 2006

TOLED
 - Read Discrete inputs
Request:
1 byte 2 bytes 2 bytes
Function Address of the Number of
Code first digital digital inputs to
02 input read

0 to 65535 n =1 to 2000

Response:
1 byte 1 byte 1 byte 1 byte
Function
Code Number of Value of Value of
bytes read the first byte the last byte
02

n/8 + 1 if R 0 to 255 0 to 255

Modbus Protocol Basics – January 2006

TOLED
 - Write Multiple Coils
Request:
1 byte 2 bytes 2 bytes 1 byte 1 byte 1 byte
Function Address of the Number of Number of
Code Value of Value of
first digital digital outputs bytes to
the first byte the last byte
15 output to write write

0 to 65535 n =1 to 1968 n/8 + 1 if R 0 to 255 0 to 255

Response:
1 byte 2 bytes 2 bytes
Function Address of the Number of
Code first digital digital outputs
15 output written

0 to 65535 n =1 to 1968

Modbus Protocol Basics – January 2006

TOLED
 - Read Device Identification
Request:
1 byte 1 byte 1 byte 1 byte Access levels:
Function Sub funct. 1: Basic
Code Code Access Identification
Level object address 2: Regular
43 14 3: Extended
4: Individual
1 to 4 m =0 to 255

Response:
1 byte 1 byte 1 byte 1 byte 1 byte 1 byte 1 byte
Function Number of
Sub funct. Access Implementation Split If split, address
Code identification
Code 14 Level class supported response of next object
objects
43

0 = no
1 to 4 1 to 3 1 to 255 1 to 255
255 = yes
1 byte 1 byte n bytes 1 byte 1 byte n bytes

Address Length Value of object Add. object Len. object Value of object
object m object m m m+1 m+1 m+1

m = 0 to 255 n = 1 to 255

Modbus Protocol Basics – January 2006

TOLED