The Modbus protocol is a common language used in electronic controllers. Through this protocol, controllers can communicate with each other and with other devices via networks (e.g. Ethernet). It has become a common industrial standard. With it, control devices from different manufacturers can be connected to an industrial network for centralized monitoring.
This protocol defines the message structure that a controller can recognize and use, regardless of the network over which it communicates. It describes the process by which a controller requests access to other devices, how it responds to requests from other devices, and how errors are detected and logged. It establishes a common format for the layout and content of the message fields.
When communicating on a Modbus network, the protocol requires each controller to know its own device address, recognize the messages addressed to it, and decide what action to take. If a response is required, the controller generates the reply and sends it using the Modbus protocol. On other networks, messages carrying the Modbus protocol are converted to the frame or packet structure used on that network. This conversion also extends to the addressing, routing and error detection methods specific to that network.
The protocol uses a query-response (half-duplex) connection on a single communication line: signals travel in the two opposite directions on the same line, but not at the same time. First, the master sends a query addressed to a single terminal device (slave); then the slave's reply travels in the opposite direction back to the master. The protocol allows data exchange only between the master and a terminal device, not between terminal devices themselves: slaves never seize the communication line on their own initiative and are limited to responding to the query addressed to them.
1.1 Transmission method
When communicating in RTU mode on a Modbus bus, each 8-bit byte of the message contains two 4-bit hexadecimal characters, and each message must be transmitted as a continuous stream. The RTU transmission mode is defined as follows:
– Coding system: 8-bit binary; hexadecimal digits 0…9, A…F
– Each 8-bit byte in the message contains two hexadecimal characters
Bits per byte: 1-8-N-1
– 1 start bit
– 8 data bits, the least significant bit is sent first
– 1 parity bit (none if no parity is used)
– 1 stop bit (with parity), 2 stop bits (without parity)
Error check field
– CRC (cyclic redundancy check)
When the information frame arrives at the terminal device, it enters the addressed device through a simple “port”, which removes the “envelope” (data header) of the data frame, reads the data and, if there are no errors, performs the task requested by the data. It then places the generated data in the obtained “envelope” and returns the data frame to the sender. The returned response contains the following: the address of the terminal slave (Address), the executed command (Function), the data requested from the executed command (Data) and a check code (Check). If any error occurs, no successful response is returned.
1.2.1 Message frames
Address (8 bits) | Function (8 bits) | Data (N x 8 bits) | CRC check (16 bits)
Figure 1-1. Message frame format
Note: The maximum length of a Modbus message frame is 256 bytes, i.e. N is greater than or equal to zero and less than or equal to 252 (N ∈ [0, 252]).
In other words, of the 256 bytes in total, 253 remain for the function code and data once the 1-byte address and the 2-byte CRC are excluded.
1.2.2 Address field
The address field of the message frame is at the beginning of the frame and consists of 8 bits. The valid address range is 0-247 (decimal), and the individual addresses assigned to slave devices are 1-247. When a slave responds, it places its own address in the address field of the response message, so that the host can identify which slave has responded.
Address 0 is the broadcast address, recognized by all slaves. When the Modbus protocol is used on higher-level networks, broadcast may not be allowed or may be replaced by other mechanisms.
1.2.3 Function field
The function code field of the message frame tells the addressed terminal what function to perform. Valid codes range from 1 to 225 (decimal); some codes apply to all controllers, some to certain controllers only, and some are reserved for later use. See Appendix A for a full list of function codes.
When the host sends a message to a slave, the function code tells the slave which action to perform, for example: read the ON/OFF status of a group of discrete coils or inputs, read the contents of a group of registers, read the diagnostic status of the slave, write to coils (or registers), or load, record and verify a program in the slave. When the slave responds to the host, the function code indicates whether the response is normal or an error (exception response): for a normal response the slave simply echoes the original function code; for an exception response it returns the original code with its most significant bit set to “1”.
For example, when the host asks the slave to read a group of holding registers, the function code of the message is 0000 0011 (hex 03). If the slave correctly receives and executes the requested action, it returns the same code as a normal response. If an error is found, an exception response is returned with the function code 1000 0011 (hex 83).
The host application is responsible for handling the exception response, typically by sending diagnostic messages to the slave and notifying the operator. Table 1-1 lists the common function codes, their meaning and their function.
Table 1-1 Common Function Codes

Function                     Meaning
Read coil status             Obtain the current status (ON/OFF) of a set of logic coils
Read input status            Obtain the current status (ON/OFF) of a set of discrete inputs
Read holding registers       Obtain the current binary value in one or more holding registers
Read input registers         Obtain the current binary value in one or more input registers
Force single coil            Force the ON/OFF status of a single logic coil
Preset single register       Place a specific binary value into a single register
Read exception status        Obtain the ON/OFF status of 8 internal coils
Force multiple coils         Force a series of consecutive logic coils ON or OFF
Preset multiple registers    Place a series of specific binary values into a series of registers
Report slave identification  Enable the host to determine the type of the addressed slave and the status of its run indicator
1.2.4 Data Fields
The data field contains the data required by the terminal to perform a specific function, or the data collected by the terminal in response to a query. This data may be numeric values, reference addresses or limit values. Each byte consists of two hexadecimal digits (2^8 = 256 possible values) in the range 00-FF (hexadecimal). For example, the function code tells the terminal to read registers, while the data field specifies the register to start from and how many registers to read; the embedded addresses and data vary with the type and capability of the slave. If no error occurs, the response message from the slave to the host contains the requested data; if an error occurs, the data field holds an exception code that enables the host to determine the next action. The data field may have zero length for certain types of message.
1.2.5 Error check field
This field allows the host and terminal to check for errors in the transmission. Electrical noise and other interference can sometimes alter data as it travels from one device to another on the line; error checking ensures that the host or terminal does not act on data that was changed in transit, which improves the safety and efficiency of the system. Error checking uses a 16-bit cyclic redundancy method, i.e. a CRC checksum.
The error check field contains a 16-bit value (implemented as two 8-bit characters). Its content is derived by applying the cyclic redundancy check to the message content. The CRC field is appended to the end of the message, low byte first followed by the high byte; the high byte of the CRC is therefore the last byte of the transmitted message.
1.2.6 Sequential transmission of characters
When a message is transmitted on a standard Modbus network, each character or byte is sent from left to right, least significant bit (LSB) first and most significant bit (MSB) last. The bit sequence is:

With parity:  Start | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | Par | Stop
No parity:    Start | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | Stop | Stop

Figure 1-2. Bit sequence (RTU)
1.2 Error detection
1. Parity check
The user can configure the controller for odd parity, even parity, or no parity. This determines how the parity bit of each character is set.
If odd or even parity is specified, the number of “1” bits in the data bits of each character is counted (7 data bits in ASCII mode, 8 data bits in RTU mode). For example, an RTU character frame may contain the following 8 data bits: 1 1 0 0 0 1 0 1
The total number of “1” bits is 4. With even parity, the parity bit of the frame is set to 0, so the total number of “1” bits remains 4 (an even number). With odd parity, the parity bit is set to 1, making the total number of “1” bits 5 (an odd number).
If no parity is specified, no parity bit is transmitted and no parity check is performed; instead, an additional stop bit is inserted in the transmitted character frame.
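An added example (not code from the original page) implementing the parity rule and the character bit sequence of Figure 1-2 on the page's own byte 1 1 0 0 0 1 0 1, plus the receiver-side check; function names are my own and the corrupted frame is a constructed value.

```python
# Added example (not from the original page): parity bit computation, the RTU
# character bit order (start, 8 data bits LSB first, parity, stop) and the
# receiver-side parity check. Function names are my own.
from __future__ import annotations


def parity_bit(byte: int, mode: str) -> int | None:
    """Parity bit for one 8-bit character, or None when no parity is used."""
    ones = bin(byte & 0xFF).count("1")
    if mode == "even":
        return ones % 2          # 0 keeps the total number of 1s even
    if mode == "odd":
        return 1 - ones % 2      # makes the total number of 1s odd
    if mode == "none":
        return None
    raise ValueError(f"unknown parity mode {mode!r}")


def character_frame(byte: int, mode: str) -> list[int]:
    """Bits on the wire, left to right: start, 8 data bits LSB first, tail."""
    data_bits = [(byte >> i) & 1 for i in range(8)]   # least significant bit first
    par = parity_bit(byte, mode)
    tail = [par, 1] if par is not None else [1, 1]    # two stop bits when no parity
    return [0] + data_bits + tail                      # always 11 bits


def parity_ok(frame: list[int], mode: str) -> bool:
    """Receiver side: recompute parity over the 8 data bits and compare."""
    if mode == "none":
        return True               # no parity bit transmitted, nothing to check
    received_byte = sum(bit << i for i, bit in enumerate(frame[1:9]))
    return frame[9] == parity_bit(received_byte, mode)


if __name__ == "__main__":
    frame = character_frame(0b11000101, "even")   # 4 ones -> parity bit 0
    print(frame, parity_ok(frame, "even"))
    corrupted = frame[:]                            # constructed single-bit error
    corrupted[2] ^= 1                               # flip one data bit in transit
    print(parity_ok(corrupted, "even"))             # False: error detected
```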
In RTU mode the error check code is computed with the CRC method, which checks the entire content of the message. It is independent of the parity check applied to the individual characters of the message.
The cyclic redundancy check (CRC) field occupies two bytes and contains a 16-bit binary value. The CRC value is calculated by the transmitting device and appended to the data frame; the receiving device recalculates the CRC while receiving the data and compares it with the value in the received CRC field. If the two values are not equal, an error has occurred.
The CRC calculation starts by setting all 16 bits of a register to “1”, then applies each successive 8-bit byte of the message in turn to the current contents of the register. Only the 8 data bits of each character are used to generate the CRC; the start, stop and parity bits are not included.
During generation, each 8-bit byte is exclusive-ORed with the content of the register, and the result is then shifted one bit towards the least significant bit, with a “0” entering the most significant bit. The bit shifted out of the least significant position (LSB) is examined: if it is 1, the register is exclusive-ORed with a preset fixed value; if it is 0, nothing is done.
After the eighth shift, the next 8-bit byte is exclusive-ORed with the current register value, and another eight shift-and-XOR cycles are performed.
The process of generating a CRC is:
1. Preset a 16-bit register to 0FFFFH (all 1s); this is the CRC register.
2. Exclusive-OR the first 8-bit byte of the data frame with the low byte of the CRC register, and store the result back in the CRC register.
3. Shift the CRC register one bit to the right, filling the highest bit with 0; the lowest bit is shifted out and examined.
4. If the lowest bit was 0: repeat step 3 (next shift).
If the lowest bit was 1: exclusive-OR the CRC register with the preset fixed value (0A001H).
5. Repeat steps 3 and 4 until 8 shifts have been performed. This completes the processing of one full 8-bit byte.
6. Repeat steps 2 to 5 for the next byte until all bytes have been processed.
7. The final content of the CRC register is the CRC value.
When the CRC value is appended to the message, the low byte comes first and the high byte second. Appendix C contains a worked example that explains the CRC check in detail.
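As an added example (not code from the original page), the following Python implements the seven-step CRC procedure above together with the frame layout of Figure 1-1 and the exception-response rule of section 1.2.3 (normal response echoes the code, exception sets the high bit), including the receiver-side check that refuses to act on a frame whose CRC does not match. Function names are my own; the request and exception frames are constructed sample values.

```python
# Added example (not from the original page): Modbus RTU CRC-16 generation and
# frame checking, implementing the seven-step procedure above. Function names
# are my own; frame contents below are constructed sample values.

CRC_INIT = 0xFFFF  # step 1: CRC register preset to all 1s
CRC_POLY = 0xA001  # step 4: fixed value XORed in when the shifted-out bit is 1


def crc16_modbus(data: bytes) -> int:
    """Return the 16-bit CRC of data; only the 8 data bits of each byte count."""
    crc = CRC_INIT
    for byte in data:
        crc ^= byte  # step 2: XOR the byte into the low byte of the register
        for _ in range(8):  # steps 3-5: eight shift/test cycles per byte
            lsb = crc & 1
            crc >>= 1  # shift right, a 0 enters the high bit
            if lsb:
                crc ^= CRC_POLY
    return crc  # step 7: final register content


def build_frame(address: int, function: int, data: bytes) -> bytes:
    """Address | Function | Data | CRC, with the CRC sent low byte first."""
    body = bytes([address, function]) + data
    if len(body) + 2 > 256:
        raise ValueError("frame exceeds the 256-byte maximum")
    crc = crc16_modbus(body)
    return body + bytes([crc & 0xFF, crc >> 8])


def check_frame(frame: bytes) -> dict:
    """Receiver side: verify the CRC, then classify a normal/exception response."""
    if len(frame) < 4:
        raise ValueError("frame too short for address, function and CRC")
    body = frame[:-2]
    received = frame[-2] | (frame[-1] << 8)  # low byte arrived first
    if crc16_modbus(body) != received:
        raise ValueError("CRC mismatch: frame corrupted, do not act on it")
    function = body[1]
    return {
        "address": body[0],
        "function": function & 0x7F,  # original function code
        "exception": bool(function & 0x80),  # highest bit set: exception response
        "data": body[2:],  # holds the exception code for an exception response
    }


if __name__ == "__main__":
    # Constructed request: read 10 holding registers from slave 1 starting at 0
    request = build_frame(1, 0x03, bytes([0x00, 0x00, 0x00, 0x0A]))
    print(request.hex(" "))  # 01 03 00 00 00 0a c5 cd
    # Constructed exception response: function 0x83 with exception code 0x02
    print(check_frame(bytes.fromhex("01 83 02 C0 F1")))
```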