What is Modbus and How does it work

WHAT IS MODBUS?

Modbus is a serial communication protocol developed by Modicon systems. In simple terms, it is a method used for transmitting information over serial lines between electronic devices.

The device requesting the information is called the Modbus Master and the devices supplying information are Modbus Slaves.

In a standard Modbus network, there is one Master and up to 247 Slaves, each with a unique Slave Address from 1 to 247. The Master can also write information to the Slaves.

The official Modbus specification can be found at http://www.modbus.org/.

WHAT IS IT USED FOR?

Modbus is an open protocol, meaning that it’s free for manufacturers to build into their equipment without having to pay royalties. It has become a very common protocol used widely by many manufacturers throughout many industries. Modbus is typically used to transmit signals from instrumentation and control devices back to a main controller or data gathering system.

HOW DOES IT WORK?

Modbus is transmitted over serial lines between devices. The simplest setup would be a single serial cable connecting the serial ports on two devices, a Master and a Slave.

The data is sent as a series of ones and zeroes called bits. Each bit is sent as a voltage. Zeroes are sent as positive voltages and ones as negative. The bits are sent very quickly. A typical transmission speed is 9600 baud (bits per second).

What is Baud

Baud is a unit of transmission speed equal to the number of times a signal changes state per second. For signals with only two possible states one baud is equivalent to one bit per second.

WHAT IS HEXADECIMAL?

When troubleshooting problems, it can be helpful to see the actual raw data being transmitted. Long strings of ones and zeroes are difficult to read, so the bits are combined and shown in hexadecimal. Each block of 4 bits is represented by one of the sixteen characters from 0 to F.

0000 = 0    0100 = 4    1000 = 8    1100 = C
0001 = 1    0101 = 5    1001 = 9    1101 = D
0010 = 2    0110 = 6    1010 = A    1110 = E
0011 = 3    0111 = 7    1011 = B    1111 = F

Each block of 8 bits (called a byte) is represented by one of the 256 character pairs from 00 to FF.

HOW IS DATA STORED IN STANDARD MODBUS?

Information is stored in the Slave device in four different tables. Two tables store on/off discrete values (coils) and two store numerical values (registers). The coils and registers each have a read-only table and a read-write table.

Each table has 9999 values.
Each coil or contact is 1 bit and is assigned a data address between 0000 and 270E.
Each register is 1 word = 16 bits = 2 bytes and also has a data address between 0000 and 270E.

Coil/Register Numbers   Data Addresses   Type         Table Name
1-9999                  0000 to 270E     Read-Write   Discrete Output Coils
10001-19999             0000 to 270E     Read-Only    Discrete Input Contacts
30001-39999             0000 to 270E     Read-Only    Analog Input Registers
40001-49999             0000 to 270E     Read-Write   Analog Output Holding Registers

Coil/Register Numbers can be thought of as location names since they do not appear in the actual messages. The Data Addresses are used in the messages.

For example, the first Holding Register, number 40001, has the Data Address 0000. The difference between these two values is the offset. Each table has a different offset: 1, 10001, 30001 and 40001.

WHAT IS THE SLAVE ID?

Each slave in a network is assigned a unique unit address from 1 to 247. When the master requests data, the first byte it sends is the Slave address. This way each slave knows after the first byte whether or not to ignore the message.

WHAT IS A FUNCTION CODE?

The second byte sent by the Master is the Function code. This number tells the slave which table to access and whether to read from or write to the table.

Function Code   Action           Table Name
01 (01 hex)     Read             Discrete Output Coils
05 (05 hex)     Write single     Discrete Output Coil
15 (0F hex)     Write multiple   Discrete Output Coils
02 (02 hex)     Read             Discrete Input Contacts
04 (04 hex)     Read             Analog Input Registers
03 (03 hex)     Read             Analog Output Holding Registers
06 (06 hex)     Write single     Analog Output Holding Register
16 (10 hex)     Write multiple   Analog Output Holding Registers

WHAT IS A CRC?

CRC stands for Cyclic Redundancy Check. It is two bytes added to the end of every Modbus message for error detection. Every byte in the message is used to calculate the CRC. The receiving device also calculates the CRC and compares it to the CRC from the sending device. If even one bit in the message is received incorrectly, the CRCs will be different and an error will result.

Here is a spreadsheet CRC Calculator for messages up to 16 bytes. http://www.simplymodbus.ca/crc.xls. To download a copy, right click and select Save Target As…
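The following Python code is an added example, not part of the Simply Modbus white paper. It ties together the three pieces of a Modbus RTU request described above: the register-number-to-data-address offset, the slave ID and function code bytes, and the two-byte CRC. The function names are this example's own; the 125-register limit on one FC03 request comes from the Modbus application protocol specification rather than from this page. The sample frame for slave 0x11 reading three holding registers starting at 40108 (data address 006B) is constructed here to match the register numbers used later on the page.

```python
# Added example: build a Modbus RTU read request and check the CRC of a frame.
import struct

# Offset of each table, from the "Coil/Register Numbers" table above:
# register 40001 is data address 0x0000, 40108 is 0x006B, and so on.
TABLE_OFFSETS = {"coil": 1, "discrete_input": 10001,
                 "input_register": 30001, "holding_register": 40001}


def register_to_address(number: int, table: str = "holding_register") -> int:
    """Convert a register number (e.g. 40108) to the 16-bit data address sent on the wire."""
    address = number - TABLE_OFFSETS[table]
    if not 0 <= address <= 0xFFFF:
        raise ValueError(f"register {number} is outside table {table!r}")
    return address


def crc16_modbus(data: bytes) -> int:
    """CRC-16 as used by Modbus RTU: polynomial 0xA001 (0x8005 reflected), initial value 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def append_crc(body: bytes) -> bytes:
    """RTU frames carry the CRC low byte first, then high byte."""
    return body + struct.pack("<H", crc16_modbus(body))


def build_read_holding_request(slave_id: int, first_register: int, count: int) -> bytes:
    """Slave ID, function code 03, 16-bit start address, 16-bit quantity, CRC."""
    if not 1 <= slave_id <= 247:
        raise ValueError("slave ID must be 1..247")
    if not 1 <= count <= 125:   # per-request limit from the Modbus application spec (assumption, not from this page)
        raise ValueError("a single FC03 request may read at most 125 registers")
    body = struct.pack(">BBHH", slave_id, 0x03, register_to_address(first_register), count)
    return append_crc(body)


def verify_frame(frame: bytes) -> bool:
    """Recompute the CRC over everything but the last two bytes and compare.
    A receiver should discard any frame for which this returns False."""
    if len(frame) < 4:          # slave ID + function code + 2-byte CRC is the minimum
        return False
    received = struct.unpack("<H", frame[-2:])[0]
    return crc16_modbus(frame[:-2]) == received


if __name__ == "__main__":
    # Constructed sample: slave 0x11, registers 40108..40110 -> 11 03 00 6B 00 03 76 87
    request = build_read_holding_request(0x11, 40108, 3)
    print(request.hex(" ").upper())
    # Flip one bit in the quantity field: the CRC no longer matches.
    damaged = bytearray(request)
    damaged[5] ^= 0x01
    print(verify_frame(request), verify_frame(bytes(damaged)))
```

Note that the CRC only detects accidental corruption on the serial line; it carries no secret, so any device that can write to the bus can produce a frame with a valid CRC. Integrity against a deliberate sender has to come from outside the protocol (physical access control, network segmentation, or a wrapper such as Modbus/TCP Security).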

WHAT ARE THE FORMATS OF MODBUS COMMANDS AND RESPONSES?

This table summarizes which function code is used for each request type and table (the original page links each entry to a worked example of the request and response).

Table Name                        Data Addresses   Read   Write Single   Write Multiple
Discrete Output Coils             0xxxx            FC01   FC05           FC15
Discrete Input Contacts           1xxxx            FC02   NA             NA
Analog Input Registers            3xxxx            FC04   NA             NA
Analog Output Holding Registers   4xxxx            FC03   FC06           FC16

WHAT ARE DATA TYPES?

The example for FC03 shows that register 40108 contains AE41 which converts to the 16 bits 1010 1110 0100 0001. Great! But what does it mean? Well, it could mean a few things.

Register 40108 could be defined as any of these 16-bit data types:

16-bit unsigned integer (a whole number between 0 and 65535)
register 40108 contains AE41 = 44,609 (hex to decimal conversion)

16-bit signed integer (a whole number between -32768 and 32767)
AE41 = -20,927 (hex to decimal conversion that wraps: if the value is over 32767, subtract 65536)

two character ASCII string (2 typed letters)
AE41 = ® A

discrete on/off value (this works the same as 16-bit integers with a value of 0 or 1. The hex data would be 0000 or 0001)

Register 40108 could also be combined with 40109 to form any of these 32-bit data types:

32-bit unsigned integer (a number between 0 and 4,294,967,295)
40108,40109 = AE41 5652 = 2,923,517,522

32-bit signed integer (a number between -2,147,483,648 and 2,147,483,647)
AE41 5652 = -1,371,449,774

32-bit double precision IEEE floating point number. This is a mathematical formula that allows any real number (a number with decimal points) to be represented by 32 bits with an accuracy of about seven digits.
AE41 5652 = -4.395978 E-11

Here is a spreadsheet for inputs of 4 bytes or 2 words. http://www.simplymodbus.ca/ieeefloats.xls. To download a copy, right click and select Save Target As…

four character ASCII string (4 typed letters)
AE41 5652 = ® A V R

More registers can be combined to form longer ASCII strings. Each register being used to store two ASCII characters (two bytes).

WHAT IS BYTE AND WORD ORDERING?

The Modbus specification doesn’t define exactly how the data is stored in the registers. Therefore, some manufacturers implemented Modbus in their equipment to store and transmit the higher byte first followed by the lower byte (AE before 41). Alternatively, others store and transmit the lower byte first (41 before AE).

Similarly, when registers are combined to represent 32-bit data types, some devices store the higher 16 bits (high word) in the first register and the remaining low word in the second (AE41 before 5652), while others do the opposite (5652 before AE41).

It doesn’t matter which order the bytes or words are sent in, as long as the receiving device knows which way to expect it. For example, if the number 2,923,517,522 was to be sent as a 32-bit unsigned integer, it could be arranged in any of these four ways.

AE41 5652   high byte first, high word first
5652 AE41   high byte first, low word first
41AE 5256   low byte first, high word first
5256 41AE   low byte first, low word first
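The Python code below is an added example, not from the original white paper. It covers the two preceding sections: it decodes the register pair AE41 5652 into each of the data types listed under "What are data types?" (the 32-bit float is unpacked with the IEEE 754 32-bit format), and it lays a 32-bit value out in the four byte/word orderings just shown, with the matching decoder that a receiver needs once it knows the device's ordering. Function names are this example's own; the register values are the ones used on the page.

```python
# Added example: decode Modbus register values and handle byte/word ordering.
import struct


def decode_register(word: int) -> dict:
    """All 16-bit interpretations of one register value (e.g. 0xAE41)."""
    raw = struct.pack(">H", word)                 # two bytes, high byte first
    return {
        "uint16": word,
        "int16": struct.unpack(">h", raw)[0],     # two's complement: values over 32767 wrap negative
        "ascii": raw.decode("latin-1"),           # 0xAE is '®' and 0x41 is 'A'
    }


def decode_pair(high_word: int, low_word: int) -> dict:
    """32-bit interpretations of two consecutive registers, high word first."""
    raw = struct.pack(">HH", high_word, low_word)
    return {
        "uint32": struct.unpack(">I", raw)[0],
        "int32": struct.unpack(">i", raw)[0],
        "float32": struct.unpack(">f", raw)[0],   # IEEE 754, 32-bit format
        "ascii": raw.decode("latin-1"),
    }


def arrange_uint32(value: int, high_byte_first: bool, high_word_first: bool) -> bytes:
    """Lay out a 32-bit unsigned value in one of the four orderings a device may use."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("value does not fit in 32 bits")
    high_word, low_word = value >> 16, value & 0xFFFF
    words = (high_word, low_word) if high_word_first else (low_word, high_word)
    fmt = ">HH" if high_byte_first else "<HH"     # '>' = high byte first within each word
    return struct.pack(fmt, *words)


def parse_uint32(raw: bytes, high_byte_first: bool, high_word_first: bool) -> int:
    """Inverse of arrange_uint32. The receiver must know the ordering from the device's
    Modbus map; the same four bytes read with the wrong ordering give a different number."""
    fmt = ">HH" if high_byte_first else "<HH"
    first, second = struct.unpack(fmt, raw)
    high_word, low_word = (first, second) if high_word_first else (second, first)
    return (high_word << 16) | low_word


if __name__ == "__main__":
    print(decode_register(0xAE41))
    print(decode_pair(0xAE41, 0x5652))
    for hb in (True, False):
        for hw in (True, False):
            raw = arrange_uint32(2923517522, hb, hw)
            print(raw.hex().upper(), parse_uint32(raw, hb, hw))
```

A practical consequence for monitoring: a value that looks plausible under one ordering and wildly out of range under another is often the first sign that a driver and a device disagree on the map, which is worth alerting on before anyone acts on the reading.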

WHAT IS A MODBUS MAP?

A modbus map is simply a list for an individual slave device that defines:

  • what the data is (eg. pressure or temperature readings)
  • where the data is stored (which tables and data addresses)
  • how the data is stored (data types, byte and word ordering)

Some devices are built with a fixed map that is defined by the manufacturer, while other devices allow the operator to configure or program a custom map to fit their needs.

WHAT ARE EXTENDED REGISTER ADDRESSES?

Since the range of the analog output holding registers is 40001 to 49999, it implies that there cannot be more than 9999 registers. Although this is usually enough for most applications, there are cases where more registers would be beneficial.

Registers 40001 to 49999 correspond to data addresses 0000 to 270E. If we utilize the remaining data addresses 270F to FFFF, over six times as many registers can be available, 65536 in total. This would correspond to register numbers from 40001 to 105536.

Many Modbus software drivers (for Master PCs) were written with the 40001 to 49999 limits and cannot access extended registers in slave devices. And many slave devices do not support maps using the extended registers. But on the other hand, some slave devices do support these registers and some Master software can access them, especially if custom software is written.

HOW DOES 2-BYTE SLAVE ADDRESSING WORK?

Since a single byte is normally used to define the slave address and each slave on a network requires a unique address, the number of slaves on a network is limited to 256. The limit defined in the modbus specification is even lower at 247.

To get beyond this limit, a modification can be made to the protocol to use two bytes for the address. The master and the slaves would all be required to support this modification. Two byte addressing extends the limit on the number of slaves in a network to 65535.

By default, the Simply Modbus software uses 1 byte addressing. When an address greater than 255 is entered, the software automatically switches to 2 byte addressing and stays in this mode for all addresses until the 2 byte addressing is manually turned off.

The information in this white paper was first published by Simply Modbus. In an effort to bring our customers the best possible information, B&B Electronics has received permission to republish this document. B&B Electronics thanks Simply Modbus for allowing us to distribute this information to our customers. You can visit their site at http://www.simplymodbus.ca

In the real world of device-to-device process automation communication, a dialogue or conversation between devices occurs systematically, in many cases over different types of communication networks and in different languages. Depending on the process automation equipment manufacturer, a very specific or proprietary language is used, or it may be a language that is commonly open to the industry. It is these open protocols that many manufacturers adopt to easily integrate their products in a market. An “open protocol” means the specifications are published and may be used by anyone freely or by license. Open protocols are usually backed by a combination of corporations, user groups, professional societies, and governments. This provides users with a much wider choice of devices or systems that can be utilized to meet specific applications. Advantages of open protocols include support by multiple manufacturers, software vendors, and install/service organizations, active community groups for support, and the ability to stay current and add capabilities in the future.

One of the most common automation communication protocols for connecting industrial electronic devices used today is Modbus. In this lesson, we will discuss what the Modbus communication protocol is and the types of Modbus communication used in the industry. The Modbus communication protocol is the oldest and by far the most popular automation protocol in the field of process automation and SCADA (Supervisory Control and Data Acquisition). Knowing how to create Modbus-based networks is essential for any electrical technician and engineer working in these occupation fields. Being able to integrate devices from different manufacturers is a skill that is in demand and will ultimately make you more valuable and marketable in the industry.

Modbus is a communications protocol published by Modicon in 1979 for use with its programmable logic controllers (PLCs). Modicon is now owned by Schneider Electric. Modbus provides a common language for devices and equipment to communicate with one another. For example, Modbus enables devices on a system that measures temperature and humidity, connected on the same network, to communicate the results to a supervisory computer or PLC. The development and update of Modbus protocols have been managed by the Modbus Organization, an association of users and suppliers of Modbus-compliant devices. Several versions of the Modbus protocol exist for the serial port and Ethernet; the most common are Modbus RTU, Modbus ASCII, Modbus TCP and Modbus Plus.

Modicon published the Modbus communication interface for a multidrop network based on a master/slave architecture. Communication between the Modbus nodes is achieved with send-request and read-response type messages. Modbus is an open standard that describes the messaging communication dialog. Modbus communicates over several types of physical media such as serial RS-232, RS-485, RS-422 and Ethernet. The physical media will be selected at the time when you purchase the devices. The original Modbus interface ran on RS-232 serial communication, but most of the later Modbus implementations use RS-485 because it allows longer distances, higher speeds and the possibility of multiple devices on a single multi-drop network.

Figure: Master-Slave Modbus communication over serial RS-485 physical media showing two-wire transmit and receive connections.

On simple interfaces like RS-485 or RS-232, the Modbus messages are sent in plain form over the network and the network will be dedicated to only Modbus communication. However, if your network requires multiple heterogeneous devices using a more versatile network system like TCP/IP over Ethernet, the Modbus messages are embedded in Ethernet packets with the format prescribed for this physical interface. So in this case, Modbus and other types of mixed protocols can co-exist on the same physical interface at the same time.

The main Modbus message structure is peer-to-peer. Modbus is able to function on both point-to-point and multidrop networks. Modbus devices communicate using a master-slave (client-server for Ethernet) technique in which only one device can initiate transactions (called queries). The other devices respond by supplying the requested data to the master, or by taking the action requested in the query. A slave is any peripheral device such as an I/O transducer, valve, network drive, or other measuring type of device which processes information and sends its response message to the master using Modbus. Masters can address individual slaves or initiate a broadcast message to all slaves. Slaves return a response to all message queries addressed to them individually, but do not respond to broadcast messages. Slaves do not initiate messages on their own and only respond to message queries transmitted from the master.

The master’s query will consist of a slave address (or broadcast address), a function code with a read or write data command to the slave, along with the write command data if a write command was initiated by the master, and an error checking field. The error checking is a value the master or slave creates at the beginning of the transmission or response and then checks when the message is received to verify the contents are correct. A slave’s response consists of fields confirming it received the request, the data to be returned, and error checking data. If no error occurs, the slave’s response contains the data as requested. If an error occurs in the message query received by the slave, or if the slave is unable to perform the action requested, the slave will return an exception message as its response. The error check field of the slave’s message frame allows the master to confirm that the contents of the message are valid.

In this video you learned about what the Modbus communication protocol is and the types of Modbus communication used in the industry. In the next video, we will discuss the characteristics of how the Modbus communication protocol works between devices. Stay tuned!

Modbus Variations

  1. Modbus TCP/IP or Modbus TCP — This is a Modbus variant used for communications over TCP/IP networks, connecting over port 502. It does not require a checksum calculation, as lower layers already provide checksum protection. The TCP version of Modbus follows the OSI Network Reference Model; however, the serial implementations of Modbus do not. Modbus/TCP defines the presentation and application layers in the OSI model.
  2. Modbus RTU — This is used in serial communication and makes use of a compact, binary representation of the data for protocol communication. The RTU format follows the commands/data with a cyclic redundancy check checksum as an error check mechanism to ensure the reliability of data. Modbus RTU is the most common implementation available for Modbus. A Modbus RTU message must be transmitted continuously without inter-character hesitations. Modbus messages are framed (separated) by idle (silent) periods.
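The following Python code is an added example, not from the original page. It shows the framing difference the list above describes: on Modbus TCP the same function-code-plus-data PDU is prefixed with a seven-byte MBAP header (transaction ID, protocol ID of 0, length, unit ID) and carries no CRC, in contrast to the RTU frame with its trailing CRC. The field layout is the one in the Modbus messaging-on-TCP specification; the function names and the sample PDU (read three holding registers from data address 006B) are this example's own.

```python
# Added example: wrap a Modbus PDU in an MBAP header and validate a received header.
import struct

MODBUS_TCP_PORT = 502
MBAP_SIZE = 7   # transaction id (2) + protocol id (2) + length (2) + unit id (1)


def build_mbap_frame(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """Modbus TCP ADU: MBAP header followed by the PDU (function code + data).
    No CRC is appended; TCP and Ethernet already checksum the payload."""
    if not 0 <= transaction_id <= 0xFFFF:
        raise ValueError("transaction id must fit in 16 bits")
    length = 1 + len(pdu)                      # length counts the unit id byte plus the PDU
    header = struct.pack(">HHHB", transaction_id, 0x0000, length, unit_id)
    return header + pdu


def parse_mbap_frame(frame: bytes):
    """Return (transaction_id, unit_id, pdu), or None if the header is inconsistent.
    Rejecting frames whose length field disagrees with the bytes actually received
    keeps a receiver from acting on truncated or malformed messages."""
    if len(frame) < MBAP_SIZE + 1:             # header plus at least a function code
        return None
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:MBAP_SIZE])
    if protocol_id != 0:                       # 0 is the only protocol id defined for Modbus
        return None
    if length != len(frame) - 6:               # 6 = header bytes that precede the unit id
        return None
    return transaction_id, unit_id, frame[MBAP_SIZE:]


if __name__ == "__main__":
    # Constructed sample PDU: FC03, start address 0x006B, quantity 3.
    pdu = bytes.fromhex("03006B0003")
    frame = build_mbap_frame(1, 0x11, pdu)
    print(frame.hex(" ").upper())              # 00 01 00 00 00 06 11 03 00 6B 00 03
    print(parse_mbap_frame(frame))
    print(parse_mbap_frame(frame[:-1]))        # truncated: length field no longer matches
```

The transaction ID lets a client match responses to outstanding requests; a defender-side monitor can use the same field to flag responses that arrive without a matching request, which the serial variants cannot offer because RTU frames carry no such identifier.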

Modbus addressing