What does the Modbus protocol look like? What are the parameters of the Modbus RTU protocol?

The Modbus protocol can be used via the serial port or the network port.

We will focus on Modbus RTU first, after all, Modbus RTU is used so many times.

In fact, as long as you master and understand Modbus RTU, you will naturally understand other derived protocols.

So what does the Modbus protocol look like?

Let’s first look at a set of data.

The master sends: 01 03 00 14 00 01 C4 0E

Slave reply: 01 03 02 00 63 F8 6D

Okay, whether you have learned the Modbus protocol or not, let's pretend that you understand the above message.

We enter the situation.

There is an HMI on site.

There is also a PLC .

The PLC is connected to 100 lights, 100 doors, and 100 scales.

"Whose PLC would be connected to so many lights and scales?"

"What's it to you? It's Double Eleven and I can't buy a few more."

The data of the light is either on or off. It is either 0 or 1. It is a switch type.

What about the data on the scale? If the unit is grams, it can be 0 to 9999 grams. For example, this scale can only weigh up to an upper limit of 9999 grams.

Then the HMI should be able to read the data of any one or several consecutive lights among the 100 lights through the Modbus protocol.

It is also possible to read the data of one scale or several scales in succession.

In other words, these should be expressed in the message.

For example, if the HMI wants to read the data of the 20th scale, it only reads one.

That's 20, which is hexadecimal 0x14.

Read one, 1, which is 0x01.

Let’s take a look at the message.

01 03 00 14 00 01 C4 0E.

There are really 14 bytes.

But is it 00 14 or 14 00 or 14?

If there is only one byte, it can only represent 0 to 255. No, the number is too small and definitely not enough. Then it must be represented by two bytes.

So, 0014 is the 20th number, which is what we call the address.

At first glance, it seems that only three fields are needed to represent the data that the HMI needs to read.

Indeed, HMI only wants to read the data of a scale, so there is no need to send other irrelevant data.

"Can HMI connect to multiple PLCs? How do I connect them?"

"HMI can be connected to several PLCs via 485."

"But how do I know which PLC data I want to read?"

"How about this, we give different PLCs a number, which is the station number, and that's it."

"Should I also include this station number in the Modbus protocol?"

"Yes, we just need to add a station number on Modbus. In this way, if the message received by the PLC is from its own station number, it will reply. If it is not from its own station number, it will not reply. The problem is solved."

"Well, that's a good idea. Let's use the first byte."

In this way, a Modbus RTU protocol was born.

Let's go back and summarize. This modbus protocol has about five parameters .

Let’s start by talking about each field.

The first field is the station number.

The master device does not have a station number. Only the slave device has a station number.

Why does the master device have no station number?

This is mainly because in a modbus communication , there is only one master station. Only the master station can actively send messages, and the slave device receives the message and then determines whether to reply.

Is there only one slave device?

If it is connected to the 485 bus, there can be multiple slaves. It is generally recommended not to exceed 32. This will be discussed in the next issue.

When the master device wants to access a device, it distinguishes it based on the station number.

However, sometimes, if you need to operate multiple slave devices at the same time, for example, if you want to turn on the lights of 10 slave devices at the same time, what is the appropriate way to do it?

Sending write requests one by one would be a bit slow.

So there is the concept of broadcast station number. Station number 0 represents the broadcast station number. When the master station writes to station number 0, all slave devices will only execute the command without replying after receiving it.

The second field is the function code.

Let’s explain this function code from a different angle.

Let's go back to the protocol itself. This protocol is mainly used for communication, collection and control. So what data is collected?

These are bit variables and numeric variables. Some are read-only, and some are readable and writable.

In fact, at this point, we have basically mastered the modbus protocol.

Modbus ascii and modbus tcp are also inseparable from these parameters.

Generally speaking, as long as a novice understands this, it is basically enough. Modbus is considered an entry point.

As for whether to continue or give up from the beginning, it depends on fate.

Since I started working in the Internet of Things , I have come across quite a few devices that support modbus. It can be said that 99% of them only use the content introduced above, and there is really no more.

Therefore, this article will not go into more detail about the function codes and contents of modbus rtu.

Common PLCs at home and abroad, as well as controllers made from various single-chip microcomputers , basically revolve around the function codes 0X, 1X, 4X, and 3X.

So when you search online for various Chinese and English introductions to the Modbus protocol, you may not know which ones to read and which ones not to read. My experience tells me that you don’t need to understand all of them.

Let’s look at what we read first.

Bit Register It is special, 8 bits occupy one byte. In the Modbus reply data, one byte is not used to represent one bit register. Instead, one bit is used to represent one bit register.

Reading 20 registers in this way requires 3 bytes.

In this way, the data replied by the slave station is FF FF 0F.

That is, the slave station replies with at least one byte. If the bit is less than a byte, it replies with one byte.

The approximate formula is to divide the number of bit registers by 8 to get the number of bytes, and then see if it is divisible. If it is not divisible and there is a remainder, then add another register.

20/8=2, and then there is a remainder, which is 4. So it is three bytes. For the last byte, only the lower 4 bits are valid.

4. [Function code 02] Read 1X register, address 10, read 16 registers

In summary, the Modbus protocol has 8 common function codes. Since multi-write is compatible with single-write, some controllers even directly remove the single-write command and use multi-write, so there are only 6 function codes.