Version 4


    MODBUS is an open source serial communication protocol meant for the communication of multiple industrial electronic devices within the same network. Modicon introduced it in 1979 for use with its Programmable Logic Controllers (PLCs). It is now a standard method for the transfer of discrete input, analog I/O information, as well as register data between industrial control and monitoring devices.



    MODBUS is an application layer protocol suitable for both peer-to-peer and broadcast communication. Depending on the physical layer used, MODBUS is categorized into two types:


    • MODBUS Serial: MODBUS devices connect over serial communication links at standard baud rates such as 9600 or 19200 bps using one of two transmission modes.

    I. MODBUS RTU (Remote Terminal Unit): In RTU mode the data is represented in binary format.

    II. MODBUS ASCII: The data is in a readable American Standard Code for Information Interchange (ASCII) format.


    • MODBUS TCP/IP: MODBUS TCP/IP clients and servers communicate over Ethernet via port 502.


    System Architecture

    MODBUS is a master-slave (in a serial communication network using RS232/RS422/RS485) or client-server (in an Ethernet-based network) communication protocol. A standard MODBUS network can have one or many master controllers along with multiple slave devices. One master controller can communicate with up to 247 slave devices. Figure 1 shows the MODBUS serial communication network:


    Figure 1: MODBUS network


    Master controller: The master controller can be a PLC, SCADA (supervisory control and data acquisition system), or an SBC such as a Raspberry Pi. This device includes a Human Machine Interface (HMI) and requires a software tool to manage the communication process. The master controller requests the data from the slave and receives the data from the slave.


    Slave Controller: The slave devices can be controllers, PLCs, or intelligent I/O devices (sensors, relays or actuators). Each slave has a unique device address. These devices are equipped with a MODBUS interface to send a response to the master controller. MODBUS slave devices store environmental variables such as temperature, pressure, stress, strain, motor speed, and rotor position values in an array or block of registers. There are four register types:


    • Discrete Input: A single-bit read-only register used as inputs.
    • Coil (Discrete Output): Coils are single-bit read-write registers. They are used to control discrete outputs such as a relay, a valve, or an actuator.
    • Input Register: These are read-only 16-bit registers used for input. These registers are used to represent analog-input, integer values.
    • Holding Register: These are the universal 16-bit registers. They are used to represent a variety of things, including inputs, outputs, configuration data, or any requirement for "holding" data.


    Message Framing

    The message frame format is independent of the type of physical layer used in a MODBUS network. The MODBUS serial and Ethernet-based MODBUS frame structure is given below:

    ASCII frame format (American Standard Code for Information Interchange): The frame begins with a colon “:” character and ends with a CR/LF (carriage return-line feed) combination. In this frame format, seven bits are used to represent each ASCII character. Table 1 shows the MODBUS ASCII frame format.

    Table 1: MODBUS ASCII frame format


    RTU frame format: In this method, a single byte includes two hexadecimal characters. The master inserts a silent interval of at least 3.5 character times at the beginning and end of the frame. Table 2 shows the MODBUS RTU frame format.

    Table 2: MODBUS RTU frame format


    The standard fields in ASCII and RTU frames are:

    • Device Address

    • Function Code

    • Data

    • Error Check


    Device Address: In the MODBUS frame, the first byte consists of a device (slave) address. Usable slave addresses are in the range of 0 to 247 decimal, and other addresses are kept reserved. The master addresses a request to a slave by placing the slave address in the device address field, and the slave device responds by setting its own address in the same field of the response message frame.


    Function Code: The Function Code field defines the type of action required of the slave. The function field consists of one byte, which is two characters in an ASCII frame. There are 255 function codes in the MODBUS standard. The manufacturer defines the function codes based on their products.


    Data: The data field contains the requested or response data:

    • The request frame data field contains the information about the slave, which register to start at, and how many registers to read.

    • The response data field contains the data collected by the slave, such as register values or status.


    Error Check: All MODBUS messages contain a numeric check value, which allows the recipient to detect transmission errors. Every byte in the frame is used to calculate the numeric check value. The receiving device also calculates the check value over the received bits and compares it to the numeric check value from the sending device.


    In ASCII mode, the error-checking field contains two ASCII characters called a Longitudinal Redundancy Check (LRC). The LRC is calculated over the frame information, exclusive of the beginning and end-of-frame characters. In RTU mode, the error-checking field contains a 16-bit CRC (cyclic redundancy check) value.
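
    The two serial error checks described above, as an added example that is not part of the original article. The CRC parameters (initial value 0xFFFF, reflected polynomial 0xA001, low byte sent first), the LRC rule and function code 0x03 come from the MODBUS specification rather than from this page; the request bytes are constructed.

```python
# Added example: LRC (ASCII mode) and CRC-16 (RTU mode) over the same request.

# Constructed request: slave address 1, function code 0x03, start register 0, one register.
REQUEST = bytes.fromhex("010300000001")

def crc16_modbus(data: bytes) -> int:
    """CRC-16 used by RTU frames: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def lrc(data: bytes) -> int:
    """LRC used by ASCII frames: two's complement of the 8-bit sum of the bytes."""
    return (-sum(data)) & 0xFF

def build_rtu(body: bytes) -> bytes:
    # The CRC is appended low-order byte first.
    return body + crc16_modbus(body).to_bytes(2, "little")

def build_ascii(body: bytes) -> bytes:
    # Each byte becomes two hex characters between ':' and CR/LF.
    return b":" + (body + bytes([lrc(body)])).hex().upper().encode() + b"\r\n"

def check_rtu(frame: bytes) -> bool:
    if len(frame) < 4:  # address + function code + 2-byte CRC
        return False
    return crc16_modbus(frame[:-2]) == int.from_bytes(frame[-2:], "little")

def check_ascii(frame: bytes) -> bool:
    if not (frame.startswith(b":") and frame.endswith(b"\r\n")):
        return False
    try:
        raw = bytes.fromhex(frame[1:-2].decode("ascii"))
    except ValueError:  # non-hex or non-ASCII characters inside the frame
        return False
    return len(raw) >= 3 and lrc(raw[:-1]) == raw[-1]

if __name__ == "__main__":
    print(build_rtu(REQUEST).hex(" "), build_ascii(REQUEST))
```

    Both values detect transmission errors only: they are computed from the frame bytes alone, so any sender can produce a frame that passes the check.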


    The MODBUS TCP/IP frame includes the Ethernet frame information along with the MODBUS message information, and it does not contain the checksum calculation field.

    MODBUS TCP/IP frame format: The MODBUS TCP message consists of a 7-byte MODBUS Application Header information, one-byte function code, and n bytes of data.

    Table 3: MODBUS TCP/IP frame format


    • Transaction ID: The client sets the 2-byte identifier. When multiple messages share the same TCP connection, the transaction identifier helps in transaction pairing.
    • Protocol ID: The client sets 2 bytes for intra-system multiplexing. This value is always zero for MODBUS services.
    • Length: This 2-byte value is the count of the remaining bytes, which covers the Unit Identifier, Function Code, and Data fields.
    • Unit ID: The MODBUS Client sets the 1-byte Unit Identifier in the request message, and the server must return with the same value. It is used to identify a remote server located on a non-TCP/IP network like on a serial line or other buses.


    Function Code and Data fields are similar to the MODBUS serial mode.
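
    A parser for the header fields listed above, as an added example that is not part of the original article. It validates each field, uses Length to cut a TCP byte stream into frames, and pairs a response with its request; the function names, the sample frames and the 254-byte Length ceiling (taken from the MODBUS specification) are not from this page.

```python
import struct

HEADER = struct.Struct(">HHHB")  # Transaction ID, Protocol ID, Length, Unit ID
MAX_LENGTH = 254                 # Unit ID + 253-byte function code and data (specification limit)

class FrameError(ValueError):
    """A header field is inconsistent with the MODBUS TCP/IP frame format."""

def parse_adu(frame: bytes) -> dict:
    """Parse one complete frame and validate its header fields."""
    if len(frame) < HEADER.size + 1:
        raise FrameError("shorter than 7-byte header plus function code")
    tid, pid, length, unit = HEADER.unpack_from(frame)
    if pid != 0:
        raise FrameError(f"protocol ID {pid} is not zero")
    if not 2 <= length <= MAX_LENGTH:
        raise FrameError(f"length {length} out of range")
    if length != len(frame) - 6:  # Length counts every byte that follows it
        raise FrameError("length field disagrees with frame size")
    return {"transaction_id": tid, "unit_id": unit,
            "function": frame[7], "data": frame[8:]}

def split_stream(buffer: bytes) -> tuple:
    """Cut a TCP byte stream into frames; return (parsed frames, leftover bytes)."""
    frames = []
    while len(buffer) >= 6:
        end = 6 + int.from_bytes(buffer[4:6], "big")
        if len(buffer) < end:
            break  # frame is incomplete, wait for more bytes
        frames.append(parse_adu(buffer[:end]))
        buffer = buffer[end:]
    return frames, buffer

def is_reply_to(request: dict, response: dict) -> bool:
    """Transaction pairing: the server echoes the Transaction ID and Unit ID."""
    return (response["transaction_id"] == request["transaction_id"]
            and response["unit_id"] == request["unit_id"])

# Constructed sample frames: a register read sent to unit 0x11 and its response.
REQ = bytes.fromhex("0001000000061103006B0003")
RESP = bytes.fromhex("000100000009110306AE4156524340")
```

    A frame that fails these checks is rejected before its function code or data is interpreted.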


    How does it work?

    After power-up, the master sends a request and releases the idle state. The master initiates a MODBUS transaction and waits for a response. The transaction message consists of the Slave Address, Function Code, Data, and CRC.


    The slave devices receive the error-free request and act as specified in the function field. The slave devices will give a successful response, with the same function code to the master controller. If there is an error in response, the master repeats the same request.


    In a broadcast communication mode, the master controller assigns zero in the device address field and sends a common message to all network devices; it will not wait for a response. All slave devices receive the broadcast message, and they do not return the response message to the master.


    On detection of an illegal function, data address, or data, slave device failure, or busy, the slave responds with an exception code and sets the most significant bit in the function code to indicate the exception response.
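
    The request handling described in this section, as an added example that is not part of the original article: a slave that answers unicast requests, acts on broadcasts without replying, and returns exception responses. The class and function names are hypothetical; function codes 0x03 and 0x06, exception codes 0x01 to 0x03 and the 125-register read limit come from the MODBUS specification, not from this page.

```python
# Added example: slave-side handling of (address, function code, data) requests.
READ_HOLDING, WRITE_SINGLE = 0x03, 0x06  # function codes from the MODBUS specification
ILLEGAL_FUNCTION, ILLEGAL_ADDRESS, ILLEGAL_VALUE = 0x01, 0x02, 0x03  # exception codes
EXCEPTION_BIT = 0x80  # most significant bit of the function code

class Slave:
    def __init__(self, address, registers):
        self.address = address
        self.registers = list(registers)  # holding registers, 16-bit values

    def handle(self, address, function, data):
        """Return the (address, function, data) response, or None when the slave stays silent."""
        if address not in (0, self.address):
            return None  # request is for another slave
        function, data = self._execute(function, data)
        if address == 0:
            return None  # broadcast: act on the message but never answer
        return self.address, function, data

    def _execute(self, function, data):
        def exception(code):
            return function | EXCEPTION_BIT, bytes([code])
        if function not in (READ_HOLDING, WRITE_SINGLE):
            return exception(ILLEGAL_FUNCTION)
        if len(data) != 4:
            return exception(ILLEGAL_VALUE)
        first = int.from_bytes(data[:2], "big")   # register address
        second = int.from_bytes(data[2:], "big")  # quantity (read) or value (write)
        if function == WRITE_SINGLE:
            if first >= len(self.registers):
                return exception(ILLEGAL_ADDRESS)
            self.registers[first] = second
            return function, data  # a successful write echoes the request
        if not 1 <= second <= 125:  # quantity limit for function 0x03
            return exception(ILLEGAL_VALUE)
        if first + second > len(self.registers):
            return exception(ILLEGAL_ADDRESS)
        payload = b"".join(v.to_bytes(2, "big") for v in self.registers[first:first + second])
        return function, bytes([len(payload)]) + payload

def classify(request_function, response):
    """Master side: interpret the response to a request with the given function code."""
    if response is None:
        return "no response"
    _, function, data = response
    if function == request_function:
        return "ok"
    if function == request_function | EXCEPTION_BIT and len(data) == 1:
        return f"exception {data[0]:#04x}"
    return "unexpected function code"
```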