Post by thread:Modbus Protocol

Hi Guys, Has anyone found a better description of the Modbus Protocol than the one at http://www.modicon.com/techpubs ? I have one of those serial port "sniffers" connected to two PLCs that are talking on the modbus. The master says (in RTU hex): 01 (start of header) 03 (??) 0f (slave source address MSB) f6 (slave source address LSB) 00 (??) 01 (number of bytes) 67 (rev 16bit CRC) 2c (??) I am trying to find out what the (??) bytes are as shown above. After I understand the protocol a bit, I hope to make a PIC a slave. Anyone been down this path? Thanks a bunch, Greg

On Sat, 15 Aug 1998, you wrote: >Hi Guys, >Has anyone found a better description of the Modbus Protocol than the >one at http://www.modicon.com/techpubs ? I have one of those serial >port "sniffers" connected to two PLCs that are talking on the modbus. >The master says (in RTU hex): >01 (start of header) >03 (??) >0f (slave source address MSB) >f6 (slave source address LSB) >00 (??) >01 (number of bytes) >67 (rev 16bit CRC) >2c (??) > >I am trying to find out what the (??) bytes are as shown above. >After I understand the protocol a bit, I hope to make a PIC a slave. >Anyone been down this path? Hi Greg, I have done the *basic* modbus a few times, not on the pic however, the message from the master has the following format, please note a silent period of 3.5 character times is REQUIRED between messages. [start][address][function][data][crc][end] where [start] silence 3.5 character times [address] 8 bits 1-240 for individual addresses 241-255 for group broadcasts 0 is global broadcast [function] 8 bits Some examples: 1= read coil status 2= read input status 3= read holding register 4= read input register 5= force single coil 6= force single register ... and many more... slave sets msb of function code in response when exception occurs [data] nx8 bits Always MSB first Usually consists of address start and number of registers depending on function address ranges can be a bit tricky sometimes. [crc] 16bits calculated from x16+x15+x2+x1 (0xA001) init to 0xFFFF then use shift/xor stuff as normal [end] silence There are other flavours of Modbus, such as the ASCII RTU format and Modbus plus, but hopefully this gets you started in the right direction. Modbus plus add extra layers for routing over ethernet etc.. but when you unwrap it the same basic RTU packets are inside. The example you asked for would be.. >01 (start of header) No this is address 01 >03 (??) Function = Read Holding register >0f (slave source address MSB) >f6 (slave source address LSB) 0x0FF6 addres of holding register >00 (??) >01 (number of bytes) 0x0001 number of addresses to read =1 >67 (rev 16bit CRC) >2c (??) CRC=0x672C > So the message reads holding register 0x0FF6 the response to this would be [address] =01 [function]=03 [byte count]=2 [data]=0x???? depending on what the data is. [crc] Hope this helps. -- Ray Gardiner spam_OUTrayTakeThisOuThdc.com.au

{Quote hidden}> Hi Guys, > Has anyone found a better description of the Modbus Protocol than the > one at http://www.modicon.com/techpubs ? I have one of those serial > port "sniffers" connected to two PLCs that are talking on the modbus. > The master says (in RTU hex): > 01 (start of header) > 03 (??) > 0f (slave source address MSB) > f6 (slave source address LSB) > 00 (??) > 01 (number of bytes) > 67 (rev 16bit CRC) > 2c (??) > > I am trying to find out what the (??) bytes are as shown above. > After I understand the protocol a bit, I hope to make a PIC a slave. > Anyone been down this path? > > Thanks a bunch, > Greg > I am currenly heading down the same road (implementing Modbus on a PIC) I see a couple of problems with your breakdown of the packet. 1. Modbus uses 8 bit node addresses, not 16 bit. 2. CRC is 16 bits, not 8 According to the Modbus spec for RTU mode: 01 Slave address 03 Function# = Read Multiple registers 0F Register Address High byte F6 Register Address Low byte 00 Number of words to read High byte 01 Number of words to read Low byte 67 LSB CRC 2C MSB CRC Another good reference is at the modicon site you mentioned, document: openmbus.doc. It's in the Modbus over TCP/IP area. Modbus implementations are divided into classes. A minimal Modbus implementation (Class 0) needs only implement commands 0x03 and 0x10 with their associated error responses. Hope this helps Thomas J Macauley, KD7BDW .....thomasKILLspam@spam@advancedcontrol.com (208) 362-5858

Thomas, I spent the weekend checking it out and even coded some bits of it. My findings is that coding the RTU in a PIC will take to many resources even if it is possible. To do a class 0 ASCII device would be possible without taking to much out of a 16F84 or alike. The only way to go (IMHO) is to use a 12C508/12C509 and implement the protocol in that piece, interfacing to the actual controller. This adds very little cost. I however like the protocol very much. Powerful yet simple. The good thing with this is that one get a generic device out of the 12... device. I face the same problem in implementing the 1-Wire slave protocol on a PIC and will probably go for a two chip solution. I don't like this very much but I also don't like to have a PIC where 60-70 % of the code in the PIC is used by the protocol functions. I will probably also go for some kind of modbus stuff after I have finished he 1-wire stuff. It would be nice if we could share some code. Regards /Ake ====================================================================== Ake Hedman - Soft.Dev.Eng. Eurosource, Gruvbyn 415A, S-820 50 LOOS, SWEDEN Phone: +46 657 413422 Fax: +46 657 10612 WEB: http://www.eurosource.se Carpe diem quam minimum credula postero ====================================================================== > {Original Message removed}