Modbus communication from entry to proficiency_1_Modbus communication basics

The relevant knowledge about Modbus communication is relatively fragmented. Here, the knowledge points found are sorted out from the aspects of theory and communication protocol. Blog posts worth learning: Introduction to Modbus and debugging software; Introduction to Modbus protocol and upper computer application development, and how to use it.


1. Modbus communication theory

1.1 Modbus communication features

  • Modbus is a third-party open protocol that adopts a master-slave structure. The master control device side is called the Modbus Master, and the slave device side is called the Modbus Slave.

  • The Modbus physical interface can be a serial port: RS232, RS485, RS422, or an Ethernet port.

  • The Modbus protocol corresponding to the serial port or the Ethernet port is different. The serial port communication corresponds to the Modbus RTU or Modbus ASCII protocol, and the network port corresponds to the Modbus TCP protocol.

  • Modbus communication follows the following process: the master device sends a request to the slave device, the slave device analyzes and processes the request of the master device, and then sends the result to the master device, if any error occurs, the slave device will return an abnormal function code.

  • The working mode of Modbus is request and response. Each time, the master device sends a command, which can be broadcast or unicast to a specific slave station. The slave station responds to the command and responds as required or reports an exception. When the master station does not send a request, the slave station will not send data by itself.

  • There is no direct communication between the slave station and the slave station, only the master station can send a request to the slave station, and the slave station can respond to the request of the master station.

  • Modbus communication is carried out in the form of messages. Since the Modbus protocol is divided into Modbus RTU, Modbus ASCII and Modbus TCP, there are three corresponding message formats.

1.2 Concept and scope of storage area

1.2.1 Storage concept

The Modbus communication protocol has 4 storage areas: output coils, input coils, input registers, and holding registers (also called output registers).

  • Coil: corresponds to a bool value in the PLC, 1 byte; the input coil is equivalent to the input point of the PLC, and the output coil is equivalent to the output point of the PLC (stores bool values)
  • Register: a register occupies 1 word, that is, 2 bytes (stores data)

1.2.2 Memory range

Storage area range: 5-digit standard address and 6-digit extended address (the extended form may appear on frequency converters)

  • Output coil: code 0, standard address 00001-09999, extended address 000001-065536, readable and writable (by analogy, a PLC program can read and write output coils)
  • Input register: code 3, standard address 30001-39999, extended address 300001-365536, read-only
  • Holding register: code 4, standard address 40001-49999, extended address 400001-465536, read-write

Which area of the PLC the input coils and input registers correspond to does not matter here.

Whether the data of a specific piece of hardware is stored in the input registers or the holding registers has to be looked up in its manual.

1.3 Function code

The Modbus message contains the Modbus function code. The function codes and their meanings are shown in the figures (because the learning resources come from 2 sources, some entries may be repeated). If the master station wants to access the data of a slave station, it must use the corresponding function code, and then add the station number (address) of the slave, the starting address of the data, and the number of points to form a Modbus message.

1.4 Differences between Modbus communication protocol and TCP/UDP protocol

To understand the difference between the Modbus communication protocol and the TCP/UDP protocol, the OSI reference model and the TCP/IP reference model are introduced first. The application layer, presentation layer, and session layer in the OSI seven-layer model correspond to the application layer in the four-layer model: because the services provided by these three layers do not differ much, they are merged into one.
The data link layer and the physical layer both belong to the network interface layer, also called the link layer. This is because the content of the data link layer and the physical layer is similar, so in the TCP/IP protocol they are merged into the single network interface layer (link layer).

  • The Modbus protocol belongs to the application layer (layer 7 of the OSI model) protocol, and the TCP/UDP protocol belongs to the protocol of the transport layer (layer 4 of the OSI model), and the two levels are not parallel.
    To use an analogy, the Modbus protocol is like the general manager of a company, and the TCP/UDP protocols are like the company's sedan and business van. One day the general manager needs to go to the airport to catch a flight; he can choose to: 1) drive the sedan himself, 2) have the driver take him in the business van, 3) take a taxi or bus. If he chooses 1), that is the general manager + sedan relationship, and the Modbus TCP protocol is just like this relationship. If he chooses 3), that is like the different relationship of the Modbus RTU/ASCII protocols.

  • Modbus protocol is a general communication protocol that has been widely used in today's industrial control field. Through this protocol, controllers can communicate with each other, or controllers can communicate with other devices via a network (such as Ethernet). The Modbus protocol uses master-slave communication technology, that is, the master device actively queries and operates the slave device. Generally, the protocol used by the master device is called Modbus Master, and the protocol used by the slave device is called Modbus Slave. Typical master devices include industrial computers and industrial controllers, etc.; typical slave devices such as PLC programmable controllers, etc. The physical interface of Modbus communication can be serial port (including RS232 and RS485), or Ethernet port.

  • The Modbus TCP protocol adds an MBAP message header to the RTU protocol. Since TCP is a service based on reliable connections, the CRC check code of the RTU protocol is no longer needed, so there is no CRC check code in the Modbus TCP protocol. In more popular terms: the Modbus TCP protocol is the Modbus RTU protocol with five 0s and a 6 put in front and the two CRC check bytes removed. Although this sentence is not particularly accurate, it makes the basic difference between RTU and TCP clear.

The two protocols, Modbus TCP and Modbus RTU, will be introduced below.

2. Modbus TCP communication protocol

An example of the Modbus TCP message format is shown in the figure:
[figure: Modbus TCP message format example]

2.1 "01" function code: read coils

[figure: "01" read-coils request]

  • Transaction ID: 00 01, equivalent to the serial number of the message; it can be any number and does not affect the meaning of the message
  • Protocol ID: 00 00 by default; it is also a number without further meaning here
  • Message length: 00 06, fixed to 6 for this request, meaning that a total of 6 bytes follow the two length bytes
  • Unit ID: 01 indicates access to station No. 1, corresponding to the "Device ID" in the simulator below
  • Function code: 01, read coils; reading coils uses function code 1
  • Start address: 00 00, read from the beginning
  • Number of registers: 00 08, read 8 coils

2.1.1 Use the "Network Debugging Assistant" to simulate the Modbus TCP client

[figure: Network Debugging Assistant as Modbus TCP client]

2.1.2 Use MODSIM to simulate Modbus TCP server

Use MODSIM to simulate the Modbus TCP server. Software references: [Tool usage] Modsim32 software usage details; ModSim basic usage (Modbus simulator).
The figure below shows that the connection has been established. Address: 0001 means the starting address is address No. 1, that is, the first coil; Length: 8 means there are 8 corresponding coils.
[figure: MODSIM connected, Address 0001, Length 8]
After sending the first command above, the return is as follows. For the reply message format, please refer to Section 2 of Modbus TCP Communication Details and Simulation.
[figure: reply to the read-coils request]

2.2 "03" function code read holding register


  • Unit ID: 09 indicates access to station No. 9
  • Function code: 03, read holding registers
  • Start address: 00 06, read starting from address 6
  • Number of registers: 00 02, read 2 registers

The Modbus address of a holding register starts from 40001, and the correspondence with the register is shown in the figure:
[figure: holding register address correspondence]

The meaning of the above message is to read registers 4007-4008. The corresponding server side can be set as shown in the figure below: set the values of the two registers to "00011" and "00020" (decimal values). After sending the message, the following figure is obtained; it shows the content of the reply from station No. 9.
[figure: MODSIM register values and reply from station No. 9]

2.3 "0F" function code write multiple coils

[figure: "0F" write-multiple-coils request]
The format of the write message is different from the read message format above.

  • Unit ID: 23 indicates access to station No. 23 in hexadecimal (that is, station No. 35 in decimal), corresponding to the "Device ID" in the simulator below
  • Function code: 0F, write multiple coils
  • Start address: 00 00, start writing from address 0
  • Number of registers: 00 10, write 10 coils in hexadecimal, that is, 16 coils in decimal
  • Write data byte count: 02 indicates that the written data occupies 2 bytes
  • Write data: FF FF; since a coil is a bit element, that is, binary, the hexadecimal FF FF converts to binary 1111 1111 1111 1111, that is, all 16 bits are set to 1

After sending, all 16 coils are set to 1, and the return message is as follows:

14 32 00 00 00 06 23 0F 00 00 00 10

00 00 indicates the starting address accessed; 00 10 indicates that 16 bits are accessed

Change the written data above to 00 02. Because the Modbus message is high byte first, this corresponds to the second coil counted from the second byte, that is, "0000 0010" in the second byte (the second of its 8 bits is 1), so the server side shows the following:
[figure: MODSIM coil state after writing 00 02]

2.4 "10" function code write multiple holding registers


  • Unit ID: 32 indicates access to station No. 32 in hexadecimal (that is, station No. 50 in decimal), corresponding to the "Device ID" in the simulator below
  • Function code: 10, write multiple holding registers
  • Start address: 00 00, start writing from address 0
  • Number of registers: 00 03, write 3 registers, that is, 4001-4003
  • Write data byte count: 06 indicates that the written data occupies 6 bytes
  • Write data: 0C BA 2F 0F 1D 9B; 0C BA is written to 4001, 2F 0F to 4002, and 1D 9B to 4003

The result of sending the message and the content of the reply message are shown in the figure:
[figure: "10" request and reply]
The above is the explanation of the Modbus TCP message format.
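The four request types above, built and checked in code: this is an added example in Python, not code from the original post. The frames are the ones quoted in sections 2.1 to 2.4; the transaction ids are constructed. The length field is computed from the PDU instead of being fixed at 6, and a reply is only accepted when its MBAP fields match the request and its function code is not an exception code.

```python
import struct

EXC_BIT = 0x80  # a reply function code with this bit set is an exception response

def build_tcp_adu(tid: int, unit: int, fc: int, pdu_data: bytes) -> bytes:
    """MBAP = transaction id, protocol id (always 0), length, unit id.
    Length counts unit id + function code + data, so it is 6 only for the
    4-byte read requests; write requests are longer."""
    pdu = bytes([fc]) + pdu_data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def read_request(tid: int, unit: int, fc: int, start: int, qty: int) -> bytes:
    # FC 01/02/03/04 share the same body: start address, quantity (big-endian)
    return build_tcp_adu(tid, unit, fc, struct.pack(">HH", start, qty))

def write_coils_request(tid: int, unit: int, start: int, bits: list) -> bytes:
    # FC 0F: quantity of coils, byte count, then packed bits (LSB = first coil)
    nbytes = (len(bits) + 7) // 8
    packed = bytearray(nbytes)
    for i, b in enumerate(bits):
        if b:
            packed[i // 8] |= 1 << (i % 8)
    body = struct.pack(">HHB", start, len(bits), nbytes) + bytes(packed)
    return build_tcp_adu(tid, unit, 0x0F, body)

def write_registers_request(tid: int, unit: int, start: int, values: list) -> bytes:
    # FC 10: quantity of registers, byte count, then one big-endian word each
    body = struct.pack(">HHB", start, len(values), 2 * len(values))
    body += b"".join(struct.pack(">H", v) for v in values)
    return build_tcp_adu(tid, unit, 0x10, body)

def parse_tcp_reply(frame: bytes, expected_tid: int, expected_unit: int):
    """Validate the MBAP header and return (function code, pdu data).
    Raises ValueError for a malformed or mismatched reply and for a
    Modbus exception response (fc | 0x80 followed by one exception code byte)."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} != {len(frame) - 6} bytes present")
    if tid != expected_tid or unit != expected_unit:
        raise ValueError("reply does not belong to the outstanding request")
    fc, data = frame[7], frame[8:]
    if fc & EXC_BIT:
        raise ValueError(f"exception 0x{data[0]:02X} for function 0x{fc & 0x7F:02X}")
    return fc, data

def decode_holding_registers(data: bytes) -> list:
    # FC 03 reply body: byte count, then one big-endian word per register
    count = data[0]
    if count != len(data) - 1 or count % 2:
        raise ValueError("byte count does not match the payload")
    return list(struct.unpack(f">{count // 2}H", data[1:]))
```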

3. Modbus RTU communication protocol

3.1 Modbus RTU features

Modbus RTU and Modbus ASCII are almost the same in the format of the transmitted message data, but there are some differences, which are reflected in the following:

  • Modbus ASCII has a start character (:) and an end character (CR LF), which mark the start and end of a frame of data, while Modbus RTU has no such marks and must use the time interval to judge where a frame starts and ends. The time stipulated in the protocol is 3.5 character periods: there must be an idle time longer than 3.5 character periods before a frame starts, and an idle time of 3.5 character periods after a frame ends, otherwise frames will run together ("sticky packets").
    Note: 3.5 character periods is a specific time, but it depends on the baud rate. In serial communication, a character consists of 1 start bit, 8 data bits (generally), 1 parity bit (optional), and 1 stop bit (generally). So 1 character is 11 bits and 3.5 characters are 38.5 bits; since the baud rate is the number of bits transmitted per second, at a baud rate of 9600 the 3.5 character period = 1000/9600*38.5 = 4.01 ms.

  • The two check methods are different: Modbus RTU uses the CRC cyclic redundancy check, Modbus ASCII uses the LRC longitudinal redundancy check

  • In the Modbus standard, RTU is required and ASCII is optional; that is, a Modbus device may support RTU only, or RTU and ASCII, but it cannot support only ASCII

3.2 Format of Modbus RTU message

Modbus RTU/ASCII message format: slave address (1 byte) + function code (1 byte) + data (N bytes) + check (2 bytes)

For a read:
Station address: whom to look for? Each slave device in a network needs its own station address, which must not be repeated.
Function code: what to do?
Data: how to do it?
Check: the check of the preceding content

The figure below gives an overview of the Modbus RTU messages that will be introduced:
[figure: overview of Modbus RTU example messages]

3.2.1 "1" function code: read coil (output coil)


  • Station address: 01, occupying 1 byte
  • Function code: 01, occupying 1 byte
  • Register address: 00 00, the starting address of the register, 2 bytes
  • Number of registers: 00 08, the number of coils to read
  • CRC check code: calculated over the preceding bytes of the message; the calculation method of the CRC is not introduced here, and some serial port debugging assistants can calculate it automatically

3.2.1.1 Use virtual serial port to simulate serial port hardware connection

Still use "Modsim" and the "Serial Debug Assistant" for the simulation. There are two ways to make the hardware connection:

  • Connect two USB-to-serial cables to the same computer, open the COM ports generated by the two cables, and connect the corresponding COM ports in the software
  • Use virtual serial port software to create two virtual serial ports connected to each other.
    Here, virtual serial port software is used to create a pair of virtual serial ports connected to each other: virtual COM1 and COM3, linked together.
    [figure: virtual serial port pair COM1 and COM3]
    The full name of the software, captured from elsewhere:
    [figure: virtual serial port software]

After creating them, confirm in the computer's Device Manager that COM1 and COM3 are connected to each other.
[figure: Device Manager showing COM1 and COM3]
Make the following settings in "Serial Port Debugging Assistant" and "Modsim".
[figure: serial settings in Serial Port Debugging Assistant and Modsim]
Here it is explained that "Serial Port Debugging Assistant" is the master station and "Modsim" is the slave station, but I think it is the opposite, and it needs to be studied later.
[figure: "01" request and reply in the Serial Port Debugging Assistant]

01 01 00 00 00 08 3D CC
01 01 01 21 91 90

Analysis of the returned message:
01: station address;
01: function code;
01: the byte count of the data read back, that is, one byte (21);
21: the returned data; the corresponding binary is 0010 0001, which you can see corresponds to the 1st and 6th coils in Modsim, so the read data is correct;
91 90: the CRC check code, which can be ignored

3.2.2 "2" function code: read discrete input (input coil)

[figure: "02" read-discrete-inputs request]
Discrete inputs are also digital inputs, and the meaning of each part of the message is basically the same as above.
The content of the sent and returned messages is shown in the figure:
[figure: "02" request and reply]

06 02 00 00 00 10 78 71
06 02 02 23 80 14 E8

The message returns 2 bytes of data, 23 80. The high byte 23 corresponds to binary 0010 0011, which corresponds to bits 10001-10008; 80 corresponds to binary 1000 0000, which corresponds to the values of bits 10009-10016.

3.2.3 "3" function code read holding register

[figure: "03" read-holding-registers request]

A plain serial device sends continuously and the receiver only needs to keep receiving, but the Modbus protocol works in send-and-reply form: the slave replies only when the request it receives is correct.
[figure: "03" request and reply]

3.2.4 "4" function code: read input register

[figure: "04" read-input-registers request]
The meaning of each part of the message is basically the same as above.
The content of the sent and returned messages is shown in the figure:
[figure: "04" request and reply]

20 04 00 00 00 06 76 B9
20 04 0C 00 0B 00 0C 00 00 00 00 00 00 0F FF 41 38

Analysis of the returned message:
20: station address;
04: function code;
0C: the byte count of the data read back, that is, 12 bytes;
a register corresponds to 2 bytes or 1 word: 00 0B indicates that the value of the first register is 11 in decimal, 00 0C is the value of the second register, 12 in decimal, and 0F FF is the value of the sixth register, 4095 in decimal;
41 38: the CRC check code, which can be ignored

3.2.5 "5" function code: write a single coil

[figure: "05" write-single-coil request]
Here, because it is a single coil, only the address of that coil and the data to write are required. That is, the fifth coil (address 00 04) is written, and FF 00 means setting it to 1.
The content of the sent and returned messages is shown in the figure:
[figure: "05" request and reply]

08 05 00 04 FF 00 CD 62
08 05 00 04 FF 00 CD 62

Send and return messages are consistent

3.2.6 "10H" function code: write multiple holding registers (the figure below writes it incorrectly)

[figure: "10" write-multiple-registers request]
The content of the sent and returned messages is shown in the figure:
[figure: "10" request and reply]

12 10 00 00 00 02 04 04 57 08 AE 9E B7
12 10 00 00 00 02 43 6B

The above is the explanation of the Modbus RTU message.

3.2.7 CRC check code generation method

Using the "Serial Debug Assistant", and taking the function code 1 message as an example, the method of calculating the CRC check code is shown in the figure:
[figure: CRC calculation in the Serial Debug Assistant]
In actual use, some monitoring tools can be used to monitor the communication messages between devices.

Most of the above content comes from: Modbus communication explanation

4. Example of Modbus RTU communication

In this part, Modbus RTU communication is explained using an actual Modbus device, a temperature and humidity sensor, with ModbusPoll as the master station reading the temperature and humidity.

4.1 Modbus device - temperature and humidity sensor

Instructions for the temperature and humidity sensor kit
1. Temperature and humidity sensors (4)
2. Switching power supply
3. Two-pin plug
4. Terminals (one serves as the power terminal, the other as the 485 terminal)
5. 4 wires of about 1 m; each metre is to be divided into 5 parts of 20 cm each
6. Screwdriver
7. 485-to-USB adapter
For debugging:
Humidity: 40001, the read value must be divided by 10 (40001 and 40002 are holding register addresses)
Temperature: 40002, the read value must be divided by 10
Slave address: 42001
Baud rate: 42002 (0 means 2400, 1 means 4800, 2 means 9600)
The first step is to set the addresses of the 4 modules to 1, 2, 3 and 4 respectively

[figure: temperature and humidity sensor kit]

4.2 Modbus RTU communication method

Here the simulated master station is connected to the real slave device:
[figure: ModbusPoll connection settings]
[figure: ModbusPoll register definition]
Read values:
[figure: ModbusPoll showing the read values]

Tx: 01 03 00 00 00 02 C4 0B
Rx: 01 03 04 00 49 01 29 EB AB

00 49 is the humidity value (it changes in real time and is not necessarily consistent with the screenshot above): 0*256+73 = 73; 01 29 is the temperature value: 1*256+41 = 297

The communication link carries byte arrays, and the host computer can store the data as byte arrays.
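The CRC calculation that section 3.2.7 leaves to the debugging assistant, applied to the RTU frames quoted in 3.2.1 and to the sensor exchange above: this is an added example in Python, not code from the original post. The /10 scaling follows the sensor instructions in 4.1, and the "five 0s and a 6" conversion from section 1.4 is included to show what replaces the CRC in Modbus TCP.

```python
def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: polynomial 0xA001 (reflected 0x8005), init 0xFFFF, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc

def append_crc(frame: bytes) -> bytes:
    # Modbus RTU sends the CRC low byte first (the "3D CC" order seen in 3.2.1)
    return frame + crc16_modbus(frame).to_bytes(2, "little")

def check_rtu_frame(frame: bytes) -> bool:
    """True when the trailing two bytes are the correct CRC of the rest."""
    if len(frame) < 4:  # address + function code + 2-byte CRC at minimum
        return False
    return crc16_modbus(frame[:-2]) == int.from_bytes(frame[-2:], "little")

def rtu_to_tcp(frame: bytes, tid: int = 0) -> bytes:
    """Drop the CRC and prepend transaction id, protocol id 0 and the length
    of what follows; with tid 0 this is exactly the 'five 0s and a 6' rule."""
    if not check_rtu_frame(frame):
        raise ValueError("bad CRC, refusing to convert")
    pdu = frame[:-2]  # slave address + function code + data
    return tid.to_bytes(2, "big") + b"\x00\x00" + len(pdu).to_bytes(2, "big") + pdu

def decode_sensor_reply(frame: bytes):
    """FC 03 reply from the temperature/humidity sensor: byte count 04, then
    humidity*10 and temperature*10 as big-endian words. Returns (humidity, temperature)."""
    if not check_rtu_frame(frame):
        raise ValueError("CRC mismatch, frame corrupted on the 485 link")
    addr, fc, count = frame[0], frame[1], frame[2]
    if fc & 0x80:
        raise ValueError(f"slave {addr} returned exception code {count}")
    if fc != 0x03 or count != 4 or len(frame) != 3 + count + 2:
        raise ValueError("not a 2-register FC 03 reply")
    humidity = int.from_bytes(frame[3:5], "big")
    temperature = int.from_bytes(frame[5:7], "big")
    return humidity / 10, temperature / 10
```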

Reference links for the above parts: Modbus Detailed Explanation 1 ; Modbus Detailed Explanation 2 ; Modbus Detailed Explanation 3 ; Modbus Detailed Explanation 4

5. A video with a good explanation of the basics (discovered late, I haven't watched it yet, I'll watch it when I have time):

Modbus communication over RS232, RS485 and TCP (1) ; Modbus communication over RS232, RS485 and TCP (2) ; Modbus communication over RS232, RS485 and TCP (3)

6. The next article will use Siemens PLC software to build a ModbusTCP simulation environment, and through the simulation environment, introduce the basic knowledge and write a simple communication method to read PLC data in the simulation application

7. For the test software used, see: Test software used in Modbus communication from entry to mastery

Origin blog.csdn.net/Dasis/article/details/131544739