Specification
MODBUS APPLICATION PROTOCOL SPECIFICATION
Modbus Data model
There are two types of data:
- discrete: single bit, can represent a single on/off state
- analog: multiple bits (16, 32, etc.) that can represent a number (10, 53, -1002, 232.32)
Analog values can be divided into two categories:
- integers: no decimal values (1, 23, -23, 232)
- floats: have decimal values (12.0, 151.232, -2912.23)
Integers can be divided into signed and unsigned values:
- signed: can have negative values (23, -123)
- unsigned: can only be positive values (12, 0, 982)
Integers can also be 16 or 32 bit. The number of bits determines the maximum value that can be represented:
- uint16: unsigned 16-bit (positive only) integer (range: 0 to 65535)
- int16: signed 16-bit (negative or positive) integer (range: -32767 to 32767)
- uint32: unsigned 32-bit integer (range: 0 to 4,294,967,295)
- int32: signed 32-bit integer (range: -2,147,483,647 to 2,147,483,647)
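The same raw register contents read very differently depending on which of these types is chosen. The sketch below is an added example, not part of the original page: `decode` and `high_word_first` are hypothetical names, the register values are constructed, and which register of a 32-bit pair carries the high word is an assumption to confirm against the device datasheet.

```python
import struct

# struct format for each data type named above, plus a 32-bit float.
# Bytes inside one 16-bit register are big-endian on the wire.
FORMATS = {
    "uint16": ">H",
    "int16": ">h",
    "uint32": ">I",
    "int32": ">i",
    "float32": ">f",
}

def decode(words, kind, high_word_first=True):
    """Decode a list of raw 16-bit register values as `kind`.

    high_word_first is an assumption about the device: some devices put
    the low 16 bits of a 32-bit value in the first register instead.
    """
    fmt = FORMATS[kind]
    needed = struct.calcsize(fmt) // 2          # registers required
    if len(words) != needed:
        raise ValueError(f"{kind} needs {needed} register(s), got {len(words)}")
    if not high_word_first:
        words = list(reversed(words))
    raw = struct.pack(f">{needed}H", *words)    # registers -> bytes
    return struct.unpack(fmt, raw)[0]

if __name__ == "__main__":
    one = [0xFFFF]                # constructed sample: one register
    pair = [0xFFFF, 0xFC16]       # constructed sample: two registers
    print(decode(one, "uint16"), decode(one, "int16"))
    print(decode(pair, "uint32"), decode(pair, "int32"))
    print(decode([0x4148, 0x0000], "float32"))
    print(decode([0x0000, 0x4148], "float32", high_word_first=False))
```

If a 32-bit reading looks implausibly large or small, try the other word order before assuming the register address is wrong.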
All numbers in a computer are represented as binary bits (0’s or 1’s). Humans typically represent numbers in decimal (base-10), but when working with computers, we sometimes also use hexadecimal (base-16). To think about the different bases:
- Binary (base-2): like counting with 2 fingers
- Decimal (base-10): like counting with 10 fingers (what most of us are used to)
- Hexadecimal (base-16): like counting with 16 fingers. Hex numbers usually have a 0x preceding them, or an ‘h’ following (0x23, 4500h).
To convert between the different bases, see the following example. There are various calculators that can convert between dec and hex as well, which is needed for larger numbers.
Binary (base 2) | Decimal (base 10) | Hexadecimal (base 16) |
---|---|---|
00000 | 0 | 0x0 |
00001 | 1 | 0x1 |
00010 | 2 | 0x2 |
00011 | 3 | 0x3 |
00100 | 4 | 0x4 |
00101 | 5 | 0x5 |
00110 | 6 | 0x6 |
00111 | 7 | 0x7 |
01000 | 8 | 0x8 |
01001 | 9 | 0x9 |
01010 | 10 | 0xA |
01011 | 11 | 0xB |
01100 | 12 | 0xC |
01101 | 13 | 0xD |
01110 | 14 | 0xE |
01111 | 15 | 0xF |
10000 | 16 | 0x10 |
One might ask – why use hexadecimal, when humans have 10 fingers? The reason is that each hexadecimal digit maps exactly to 4 bits, so when working with computer registers it is much more straightforward to think about register values in hexadecimal. In the below example we map both 0x123 (hex) and 123 (dec) to bits. The hex value maps nicely to 3 groups of 4 bits. With the dec number, you need to convert the entire number to visualize the bits.
Transports
- RTU: RS485
  - supported serial port setup: 9600N81 (9600 baud, no parity, 8 bits, 1 stop bit)
- TCP: Ethernet
Characteristic | RTU | TCP |
---|---|---|
Physical Layer | RS485 (4-wires) | Ethernet |
Speed | Slow | Fast |
Distance | 1000m | 100m |
Configuration | Baud rate, parity, bits, stop bits | IP address |
Topology | Single client | Multiple clients |
Used in | Simple sensors, meters, simple PLCs | PLCs, HMIs, advanced controllers |
Modbus TCP Configuration
The gateway and the device both need to have an IP address assigned to them. If there are no other devices on the network, then static IP addresses will need to be assigned to both devices. The following are suggested:
- Gateway: 10.0.0.1
- Device: 10.0.0.2
When entering Modbus registers in a component, the device address along with the standard Modbus port (502) should be used in the URI field:
10.0.0.2:502
Function codes
Each Modbus operation has a function code, which defines what type of data we are operating on, and if we are reading or writing the data.
Function codes typically map as follows:
- 01 → coil
- 02 → discrete input
- 03 → holding register
- 04 → input register
- 05 → coil
- 06 → holding register
Modbus addresses
Modbus addresses can be specified in two ways:
- Coil/Register Numbers: the register/coil type is encoded in the number itself.
- Data Addresses: the address that is used on the wire, with the function code specified separately.
Standard Coil/Register numbers
Coil/Register Numbers | Data Addresses | Type | Table Name |
---|---|---|---|
1-9999 | 0000 to 270E | Read-Write | Discrete Output Coils |
10001-19999 | 0000 to 270E | Read-Only | Discrete Input Contacts |
30001-39999 | 0000 to 270E | Read-Only | Analog Input Registers |
40001-49999 | 0000 to 270E | Read-Write | Analog Output Holding Registers |
Converting from register numbers to addresses
The biggest challenge in setting up Modbus is figuring out if the datasheet specifies a register number or an address. If the numbers match up with the above table, then it might be a register number. But this is not conclusive, as the address range of 0 to 0xffff can give you addresses from 0 to 65,535, so it's very possible to have an input register with address 40,100, which might look like a holding register. In many cases, some experimentation is required to determine what the address numbers mean.
If you are given register numbers, then you must subtract an offset of 1, 10001, 30001 or 40001 (depending on the type) to get the address.
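The conversion and the ambiguity described above, worked through for the value 40100. This is an added example, not part of the original page: the function names are hypothetical, and the request layout (7-byte MBAP header followed by function code, data address and quantity) is taken from the Modbus TCP specification rather than from this page.

```python
import struct

# table name -> (register-number offset, read function code), per the tables above
TABLES = {
    "coil": (1, 0x01),
    "discrete input": (10001, 0x02),
    "input register": (30001, 0x04),
    "holding register": (40001, 0x03),
}

def number_to_address(number):
    """Treat `number` as a standard coil/register number.
    Returns (table, data_address), or None if it fits no standard range."""
    for table, (offset, _fc) in TABLES.items():
        if offset <= number <= offset + 9998:
            return table, number - offset
    return None

def interpretations(number):
    """Every reading of a datasheet value that the caveat above allows."""
    out = []
    as_number = number_to_address(number)
    if as_number:
        out.append(("register number",) + as_number)
    if 0 <= number <= 0xFFFF:
        out.extend(("raw address", table, number) for table in TABLES)
    return out

def read_request(table, address, count=1, unit_id=1, transaction_id=1):
    """Build the Modbus TCP read request that goes on the wire.
    unit_id and transaction_id defaults are assumptions for illustration."""
    fc = TABLES[table][1]
    pdu = struct.pack(">BHH", fc, address, count)
    # MBAP: transaction id, protocol id (0), length of unit id + PDU, unit id
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu

if __name__ == "__main__":
    for how, table, addr in interpretations(40100):
        frame = read_request(table, addr).hex()
        print(f"{how:15} {table:16} addr={addr:5} (0x{addr:04X})  {frame}")
```

Each printed frame is a candidate to try against the device when the datasheet does not say which convention it uses.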
Modbus Topology
The image below shows how Modbus RTU and TCP connections can be made. Some of the differences include:
- RTU connections can be daisy-chained
- TCP connections require a switch, and multiple clients can talk to a single device (server) using TCP. With RTU, you can only have a single client (gateway, HMI, etc.) on the bus.