MODBUS
MODBUS is an open, de-facto application layer communications protocol used for the supervision and control of automation equipment. MODBUS was originally developed in the late 1970s by Modicon for use with its Programmable Logic Controllers (PLCs). Today, standards are maintained by MODBUS-IDA, a group of independent users and suppliers of automation equipment. The core element of a MODBUS system is an application-layer messaging protocol that provides client-server communication between devices via serial links, over an Ethernet network, or over other networks that support TCP/IP. MODBUS is typically used to connect a supervisory computer with a remote terminal unit (RTU) in a SCADA system.
MODBUS is typically used in a SCADA system
Most MODBUS devices communicate over a serial link physical layer, initially RS-232 but more commonly RS-485. Two variations of the standard could be used with serial links. MODBUS RTU represents the data in a compact binary format and employs a cyclic redundancy check (CRC) for error detection purposes, while MODBUS ASCII represents the data in human-readable format and uses a longitudinal redundancy check (LRC). The data itself consist of a series of hexadecimal digits (only the characters 0...9 and A...F are used). The ASCII representation encodes each hexadecimal digit using eight bits (one byte), enabling the data to be read as plain text. The binary representation encodes each hexadecimal digit using only four bits, so a byte actually contains two hexadecimal digits. Communication between a node configured for the RTU variant and one configured for the ASCII variant is not possible. For communication over a network that supports TCP/IP (usually Ethernet), the more recent MODBUS/TCP variant can be used. The data model and the function calls used are identical across all three variants. An extended proprietary version (MODBUS Plus) also exists, but is not discussed here.
A MODBUS system typically consists of a number of slave devices controlled by a much smaller number of master devices (often only one). Communication between devices involves the exchange of messages, the format of which is independent of the MODBUS variant used. The exchange is always initiated by a single master device sending a query message to a slave device. The slave device then returns a response message (on TCP/IP networks, any device may initiate the process, although it is usually a single master device). Each MODBUS device has a unique address, and each message contains the address of the intended recipient in its header. While a number of nodes on a MODBUS network may receive the same message, only the node to whom the message is addressed will read the message. The structure of a MODBUS message is shown in the table below.
| Field | Description |
|---|---|
| Device address | Address of recipient device |
| Function code | A code that defines the message type |
| Data | In a query message, this field provides the slave with any additional information required for it to complete the action specified by the function code (e.g. register addresses, count values etc.). In a response message, if no error occurs, the data field of a response from a slave will return the requested data. Otherwise, it will return an exception code that the master?s application software uses to determine what action to take. |
| Error check | Error detection code (CRC or LRC) |
The maximum number of devices on a single RS-232 or RS-485 data link is restricted to two hundred and forty-seven. A device address is expressed as two hexadecimal digits, and must be within the range 0-247 (00h-F7h). The addresses 01h-F7h can be assigned to individual MODBUS devices, while the address 00h is used as a broadcast address. Messages containing the broadcast address as the device address will be read by all slave devices. The message carrying the response from a slave device will use its own address as the device address, allowing the master to identify the origin of any response it receives.
The function code is also a hexadecimal value, in the range 01h-F7h, and defines the action the slave is required to perform. As with the device address, the function code specified in the query message is used in any response generated by a slave device. If an error has occurred, however, the highest-order bit of the function code (normally zero) will be set to one to notify the master device that a problem has occurred. Some of the more frequently used function codes are described in the table below.
| Code | Description |
|---|---|
| 01 | Read coil status |
| 02 | Read input status |
| 03 | Read holding registers |
| 04 | Read input registers |
| 05 | Force single coil |
| 06 | Preset single register |
| 07 | Read exception status |
| 15 | Force multiple coils |
| 16 | Preset multiple registers |
| 17 | Report slave ID |
MODBUS function 01 (read coil status) is used to request the status of one or more coils on a single device (the term coil in this case refers to a discrete output value). This is done by specifying an output range in the data field of the message, as shown below. Note that MODBUS slave device coil (output) addresses range from 1 ? 10,000 (decimal), although the actual number of outputs available is device-dependent.
| Byte | Value | Description |
|---|---|---|
| 1 | 01h-F7h | Slave device address |
| 2 | 01h | Function code |
| 3 | 00h-FFh | Start address (high byte) |
| 4 | 00h-FFh | Start address (low byte) |
| 5 | 00h-FFh | Number of coils (high byte) |
| 6 | 00h-FFh | Number of coils (low byte) |
| 7/7 - 8 | LRC/CRC | Error detection code |
The length of the response message can vary between 0 and 255 bytes, depending on how many values have been requested (the number of bytes of data returned is specified in the first byte of the Data field). The general format of a function 01 response message is shown below.
| Byte | Value | Description |
|---|---|---|
| 1 | 01h-F7h | Slave device address |
| 2 | 01h | Function code |
| 3 | 00h-FFh | Number of bytes of data (n) |
| 4 to n+3 | 00h-FFh | Data |
| n+4/n+4 to n+5 | LRC/CRC | Error detection code |
MODBUS function 02 (read input status) messages have a very similar format to the function 01 messages. The main difference is that the second byte of the query message and response message (the function code) will have a value of 02h. MODBUS slave device input addresses range from 10,001 ? 20,000 (decimal), although that the actual number of inputs available is device-dependent. The starting address specified in a function 02 message is an offset from the base address (0000h = 10,001 decimal). The format of a function 02 request message is shown below.
| Byte | Value | Description |
|---|---|---|
| 1 | 01h-F7h | Slave device address |
| 2 | 02h | Function code |
| 3 | 00h-FFh | Start address (high byte) |
| 4 | 00h-FFh | Start address (low byte) |
| 5 | 00h-FFh | Number of inputs (high byte) |
| 6 | 00h-FFh | Number of inputs (low byte) |
| 7/7 - 8 | LRC/CRC | Error detection code |
Once again, the length of the response message can vary between 0 and 255 bytes, depending on how many values have been requested (the number of bytes of data returned is specified in the first byte of the Data field). The general format of a function 02 response message is shown below.
| Byte | Value | Description |
|---|---|---|
| 1 | 01h-F7h | Slave device address |
| 2 | 02h | Function code |
| 3 | 00h-FFh | Number of bytes of data (n*) |
| 4 to n+3 | 00h-FFh | Data |
| n+4/n+4 to n+5 | LRC/CRC | Error detection code |
*n = number of inputs requested
MODBUS function 03 (read holding registers) requests the return of one or more internal values stored in the 16-bit holding registers of the slave device. These general-purpose registers hold data such as configuration parameters, or measured values (e.g. temperature readings). MODBUS slave device holding register addresses range from 40,001 ? 50,000 (decimal), and the starting address specified in a function 03 message is an offset from the base address (0000h = 40,001 decimal). The format of a function 03 request message is shown below.
| Byte | Value | Description |
|---|---|---|
| 1 | 01h-F7h | Slave device address |
| 2 | 03h | Function code |
| 3 | 00h-FFh | Start address (high byte) |
| 4 | 00h-FFh | Start address (low byte) |
| 5 | 00h-FFh | Number of registers (high byte) |
| 6 | 00h-FFh | Number of registers (low byte) |
| 7/7 to 8 | LRC/CRC | Error detection code |
The length of the response message depends on the number of registers requested. Due to the size of the registers (16 bits), each register value must be encoded as two bytes (the high byte, followed by the low byte). The general format of a function 03 response message is shown below.
| Byte | Value | Description |
|---|---|---|
| 1 | 01h-F7h | Slave device address |
| 2 | 03h | Function code |
| 3 | 00h-FEh | Number of bytes of data (nx2)* |
| 4 to 2n+3 | 00h-FFh | Data |
| 2n+4/2n+4 to 2n+5 | LRC/CRC | Error detection code |
*n = number of registers requested
MODBUS messages on serial connections are framed to enable message recipients to detect the beginning and end of each frame. The start of a MODBUS ASCII frame is signalled by a colon (:), and the end of the frame is signalled using the carriage-return/linefeed combination (CR/LF). Intervals between transmitted bytes of up to one second are allowed. A MODBUS ASCII message frame is illustrated below.
A MODBUS ASCII frame
For MODBUS RTU, each frame must be preceded by an interval with a minimum duration equivalent to the time required to transmit 3.5 characters, during which time the connection must be quiet. A second quiet interval of at least the same length signals the end of a frame. For MODBUS RTU, the message must be transmitted as a continuous stream. If a quiet interval greater in duration than the time required to transmit 1.5 characters occurs before the frame is complete, the receiving device flushes the incomplete message from its receive buffer and awaits the start of a new frame. If a new message begins before the minimum time interval (3.5 character times) following a previously received message, the receiving device assumes it to be a continuation of the previous message. This will generate an error condition, because the value in the final CRC field will not be valid for the combined messages. A MODBUS RTU message frame is illustrated below.
A MODBUS RTU frame