ask question about motor controllers


Introduction

The Roboteqâ Modbus Implementation User manual contains information about how Roboteq implemented Modbus protocol in controllers.

What is Modbus

Modbus is a serial communication protocol developed by Modicon published by Modiconâ in 1979 for use with its programmable logic controllers (PLCs). In simple terms, it is a method used for transmitting information over serial lines between electronic devices. The device requesting the information is called the Modbus Master and the devices supplying information are Modbus Slaves. In a standard Modbus network, there is one Master and up to 247 Slaves, each with a unique Slave Address from 1 to 247. The Master can also write information to the Slaves.
The official Modbus specification can be found at www.modbus.org/specs.php.

Modbus object types

The following is a table of object types provided by a Modbus slave device to a Modbus master device:


Object type

Access

Size

Coil

Read/Write

1 bit

Discrete Input

Read Only

1 bit

Input Register

Read Only

16 bits

Holding Register

Read/Write

16 bits

Protocol versions

Versions of the Modbus protocol exist for serial port and for Ethernet and other protocols that support the Internet protocol suite. There are many variants of Modbus protocols:

  • Modbus RTU: This is used in serial communication and makes use of a compact, binary representation of the data for protocol communication. The RTU format follows the commands/data with a cyclic redundancy check checksum as an error check mechanism to ensure the reliability of data. Modbus RTU is the most common implementation available for Modbus. A Modbus RTU message must be transmitted continuously without inter-character hesitations. Modbus messages are framed (separated) by idle (silent) periods.
  • Modbus ASCII: This is used in serial communication and makes use of ASCII characters for protocol communication. The ASCII format uses a longitudinal redundancy check checksum. Modbus ASCII messages are framed by leading colon (":") and trailing newline (CR/LF).
  • Modbus TCP/IP or Modbus TCP: This is a Modbus variant used for communications over TCP/IP networks, connecting over port 502. It does not require a checksum calculation, as lower layers already provide checksum protection.
  • Modbus over TCP/IP or Modbus over TCP or Modbus RTU/IP: This is a Modbus variant that differs from Modbus TCP in that a checksum is included in the payload as with Modbus RTU.

Data model and function calls are identical for the previous 4 variants of protocols; only the encapsulation is different.

Communication and devices

Each device intended to communicate using Modbus is given a unique address. On Ethernet, any device can send out a Modbus command, although usually only one master device does so. A Modbus command contains the Modbus address of the device it is intended for (1 to 247). Only the intended device will act on the command, even though other devices might receive it (an exception is specific broadcastable commands sent to node 0, which are acted on but not acknowledged). All Modbus commands contain checksum information, to allow the recipient to detect transmission errors. The basic Modbus commands can instruct an RTU to change the value in one of its registers, control or read an I/O port, and command the device to send back one or more values contained in its registers.
There are many modems and gateways that support Modbus, as it is a very simple protocol and often copied. Some of them were specifically designed for this protocol. Different implementations use wireline, wireless communication, such as in the ISM band, and even Short Message Service (SMS) or General Packet Radio Service (GPRS). One of the more common designs of wireless networks makes use of mesh networking. Typical problems that designers have to overcome include high latency and timing issues.

Frame format

A Modbus frame is composed of an Application Data Unit (ADU), which encloses a Protocol Data Unit (PDU):

  • ADU = Address + PDU + Error check,
  • PDU = Function code + Data.

Note:
The byte order for values in Modbus data frames is big-endian (MSB, most significant byte of a value received first).
All Modbus variants choose one of the following frame formats:

Modbus RTU frame format

Name

Length (bytes)

Description

Address

1

Node address

Function

1

Function code

Data

n

n is the number of data bytes, it depends on function

CRC

2

Cyclic redundancy check (CRC-16-IBM)

Example of frame in hexadecimal: 01 04 02 FF FF B8 80 (CRC-16-ANSI calculation from 01 to FF gives 80B8, which is transmitted least significant byte first).

Modbus ASCII frame format

Name

Length (bytes)

Description

Start

1

Starts with colon : (ASCII hex value is 3A)

Address

2

Node address in hex

Function

2

Function code in hex

Data

n x 2

n is the number of data bytes, it depends on function

LRC

2

Checksum (Longitudinal redundancy check)

End

2

CR/LF

Address, function, data, and LRC are all capital hexadecimal readable pairs of characters representing 8-bit values (0–255). For example, 122 (7 × 16 + 10) will be represented as 7A.

Modbus TCP frame

Name

Length (bytes)

Description

Transaction ID

2

For synchronization between messages of server and client

Protocol ID

2

0 for Modbus/TCP

Length

2

Number of remaining bytes in this frame

Unit ID

1

Node address

Function

1

Function code

Data

n

n is the number of data bytes, it depends on function

Unit identifier is used with Modbus/TCP devices that are composites of several Modbus devices, e.g. on Modbus/TCP to Modbus RTU gateways. In such case, the unit identifier tells the Slave Address of the device behind the gateway. Natively Modbus/TCP-capable devices usually ignore the Unit Identifier.

Function Codes

Modbus protocol defines several function codes for accessing Modbus registers. There are four different data blocks defined by Modbus, and the addresses or register numbers in each of those overlap. Therefore, a complete definition of where to find a piece of data requires both the address (or register number) and function code (or register type).
The function codes most commonly recognized by Modbus devices are indicated in the table below. This is only a subset of the codes available - several of the codes have special applications that most often do not apply.


Function Code

Register Type

1

Read Coil

2

Read Discrete Input

3

Read Holding Registers

4

Read Input Registers

5

Write Single Coil

6

Write Single Holding Register

15

Write Multiple Coils

16

Write Multiple Holding Registers

Roboteq Implementation

Roboteq’s implementation of Modbus doesn’t contain all supported functions and modes but contains only subset of it. I this section we are introducing the supported modes and functions implemented in Roboteq’s micro controllers.

Supported Functions

Controllers only supports two functions:

Read Input Registers (0x04)

This function is implemented to read exactly 4 bytes (2 registers). Issuing any messages to read other than 2 registers will return no response.
For queries that returns values less than 4 bytes, the result will be in the least significant bytes of the returned response.
For example, to read Motor Amps for second channel, you need to read 2 registers from address 0x2002 so you need to send the following RTU message:
01 04 20 02 00 02 DB CB


Name

Description

01

Node address

04

Function code (Read Input Registers)

20 02

Register address for reading motor amps for second channel.

00 02

Length of registers to be read (must be 2)

DB CB

Cyclic redundancy check (CRC-16-IBM)

The response for this message will be as following:
01 04 04 00 00 FF FF FA 34


Name

Description

01

Node address

04

Function code (Read Input Registers)

04

Total bytes read (always 4 bytes)

00 00 FF FF

Value in big Indian notation (MSB first).
As the amps query is 16 bits, so we will take last 16 bits from the given value which is FFFF.
Also the amps query returns signed value, so we should deal with 0xFFFF as signed 16 bits integer which is -1 in decimal.

FA 34

Cyclic redundancy check (CRC-16-IBM)

Write Multiple Holding Registers (0x10)

This function is implemented to write exactly 4 bytes (2 registers). Issuing any messages to write other than 2 registers will have no effect.
For commands that takes values less than 4 bytes, the values for the command will be obtained from the least significant bytes of the message.
For example, to set the motor command on the second channel to value 500 which is 0x1F4, you need to write 2 registers to address 0x0002 so you need to send the following RTU message:
01 10 00 02 00 02 04 00 00 01 F4 72 61


Name

Description

01

Node address

10

Function code (Write Multiple Holding Registers)

00 02

Register address for writing motor command on channel 2.

00 02

Number of registers to write (must be 2)

04

Number of bytes to be written (must be 4)

00 00 01 F4

Value to be written in big Indian notation (MSB first)

72 61

Cyclic redundancy check (CRC-16-IBM)

The response for this message will be as following:
01 10 00 02 00 02 E0 08


Name

Description

01

Node address

10

Function code (Write Multiple Holding Registers)

00 02

Address of written register (motor command on channel 2).

00 02

Number of registers written.

E0 08

Cyclic redundancy check (CRC-16-IBM)

Exception responses

Following a request, there are 4 possible outcomes from the slave:

  • The request is successfully processed by the slave and a valid response is sent.
  • The request is not received by the slave therefore no response is sent.
  • The request is received by the slave with a parity, CRC or LRC error (The slave ignores the request and sends no response).
  • The request is received without an error, but cannot be processed by the slave for another reason.  The slave replies with an exception response.

Here is an example of an exception response:
0A 81 02 B053
0A 81 02 B053


Name

Description

0A

Node address

81

Function code with the highest bit set.

02

The exception code.

B0 53

Cyclic redundancy check (CRC-16-IBM)

The exception codes as explained in the Modbus specification are:


Code

Name

Meaning

0x01

Illegal
Function

The function code received in the query is not an allowable action for the slave.  This may be because the function code is only applicable to newer devices, and was not implemented in the unit selected.  It could also indicate that the slave is in the wrong state to process a request of this type, for example because it is unconfigured and is being asked to return register values. If a Poll Program Complete command was issued, this code indicates that no program function preceded it.

0x02

Illegal Data Address

The data address received in the query is not an allowable address for the slave. More specifically, the combination of reference number and transfer length is invalid. For a controller with 100 registers, a request with offset 96 and length 4 would succeed, a request with offset 96 and length 5 will generate exception 02.

0x03

Illegal Data Value

A value contained in the query data field is not an allowable value for the slave.  This indicates a fault in the structure of remainder of a complex request, such as that the implied length is incorrect. It specifically does NOT mean that a data item submitted for storage in a register has a value outside the expectation of the application program, since the MODBUS protocol is unaware of the significance of any particular value of any particular register.

0x04

Slave Device Failure

An unrecoverable error occurred while the slave was attempting to perform the requested action.

0x05

Acknowledge

Specialized use in conjunction with programming commands.
The slave has accepted the request and is processing it, but a long duration of time will be required to do so.  This response is returned to prevent a timeout error from occurring in the master. The master can next issue a Poll Program Complete message to determine if processing is completed.

0x06

Slave Device Busy

Specialized use in conjunction with programming commands.
The slave is engaged in processing a long-duration program command.  The master should retransmit the message later when the slave is free..

0x07

Negative Acknowledge

The slave cannot perform the program function received in the query. This code is returned for an unsuccessful programming request using function code 13 or 14 decimal. The master should request diagnostic or error information from the slave.

0x08

Memory Parity Error

Specialized use in conjunction with function codes 20 and 21 and reference type 6, to indicate that the extended file area failed to pass a consistency check. 
The slave attempted to read extended memory or record file, but detected a parity error in memory. The master can retry the request, but service may be required on the slave device.

0x0A

Gateway Path Unavailable

Specialized use in conjunction with gateways, indicates that the gateway was unable to allocate an internal communication path from the input port to the output port for processing the request. Usually means the gateway is misconfigured or overloaded.

0x0B

Gateway Target Device Failed to Respond

Specialized use in conjunction with gateways, indicates that no response was obtained from the target device. Usually means that the device is not present on the network.

Supported Modes

Controllers are supporting the following modes:

Modbus RTU over TCP (2)

Simply put, this is a Modbus RTU message transmitted with a TCP/IP wrapper and sent over a network instead of serial lines.
For examples, to read VAR1, you need to read 2 registers from address 0x20C1 so you need to send the following RTU message:
01 04 20 C1 00 02 2B F7


Name

Description

01

Node address

04

Function code (Read Input Registers)

20 C1

Register address for reading VAR1

00 02

Length of registers to be read (must be 2)

2B F7

Cyclic redundancy check (CRC-16-IBM)

The response for this message will be as following:
01 04 04 00 00 12 34 F6 F3


Name

Description

01

Node address

04

Function code (Read Input Registers)

04

Total bytes read (always 4 bytes)

00 00 12 34

Value in big Indian notation (MSB first).

F6 F3

Cyclic redundancy check (CRC-16-IBM)

Modbus TCP (1)

Modbus TCP message is the same as RTU over TCP message by removing CRC and adding MBAP header (Modbus Application Header) is being added to the start of the message. Also, node address moved from into MBAP header and named Unit ID.

The MBAP header is consisting from the following:

Name

Description

Transaction ID

2 bytes set by the Client to uniquely identify each request. These bytes are echoed by the Server since its responses may not be received in the same order as the requests.

Protocol Identifier

2 bytes set by the Client, must be 0x0000.

Length

2 bytes identifying the number of bytes in the message to follow.

Unit Identifier

Node address.

For example, to read VAR1, you need to read 2 registers from address 0x20C1 so you need to send the following TCP message:
00 02 00 00 00 06 01 04 20 C1 00 02


Name

Description

00 02

Transaction ID.

00 00

Protocol Identifier (0x0000 for TCP).

00 06

Number of bytes in the record.

01

Node address

04

Function code (Read Input Registers)

20 C1

Register address for reading VAR1

00 02

Length of registers to be read (must be 2)

The response for this message will be as following:
00 02 00 00 00 0D 01 04 04 00 00 12 34


Name

Description

00 02

Transaction ID.

00 00

Protocol Identifier (0x0000 for TCP).

00 0D

Number of bytes in the record (13 bytes).

01

Node address

04

Function code (Read Input Registers)

04

Total bytes read (always 4 bytes)

00 00 12 34

Value in big Indian notation (MSB first).

Modbus RS232 ASCII

Modbus ASCII marks the start of each message with a colon character ":" (hex 3A). The end of each message is terminated with the carriage return and line feed characters (hex 0D and 0A).
In Modbus ASCII, each data byte is split into the two bytes representing the two ASCII characters in the Hexadecimal value.
Modbus ASCII is terminated with an error checking byte called an LRC or Longitudinal Redundancy Check (See appendix B).
For examples, to read VAR1, you need to read 2 registers from address 0x20C1 so you need to send the following ASCII message:
:010420C10002AE<CRLF>


Name

Description

':'

Start of message - 0x3A

'0' '1'

Node address – 0x01

'0' '4'

Function code (Read Input Registers) – 0x04

'2' '0' 'C' '1'

Register address for reading VAR1 – 0x20C1

'0' '0' '0' '2'

Length of registers to be read (must be 2) – 0x0002

'A' 'E'

LRC

<CRLF>

End of message, carriage return and line feed – 0x0D0A

The response for this message will be as following:
:01040400001234DE<CRLF>


Name

Description

':'

Start of message - 0x3A

'0' '1'

Node address – 0x01

'0' '4'

Function code (Read Input Registers) – 0x04

'0' '4'

Read data length (4 bytes) – 0x04

'0' '0' '0' '0' '1' '2' '3' '4'

Value read from VAR1 – 0x00001234

'D' 'E'

LRC

<CRLF>

End of message, carriage return and line feed – 0x0D0A

Register Address Calculation

With the help of Command Mapping table and Query Mapping table, you can calculate the register address by getting the Modbus ID value from the table then add to it the desired command/query index.
For example, the read user integer variable Modbus ID is 0x20C0, to get the first variable:

  • ModbusID = 0x20C0.
  • Add the index                                    à 0x20C0 + 0x01 = 0x20C1
  • Use 0x20C1 as the address.

Command Mapping

Command

ModbusID

AC

0x00C0

AO

0x0320

ASW

0x03C0

AX

0x0240

B

0x02A0

C

0x0060

CB

0x0080

CG

0x0000

CSW

0x0380

D0

0x0140

D1

0x0120

DC

0x00E0

DS

0x0100

DX

0x0260

EES

0x02E0

EX

0x0180

G

0x0000

H

0x0160

MG

0x01A0

MS

0x01C0

P

0x0020

PR

0x01E0

PRX

0x0220

PSW

0x03A0

PX

0x0200

R

0x0300

RC

0x02C0

S

0x0040

SX

0x0280

TV

0x0360

TX

0x0340

VAR

0x00A0

Query Mapping

Query

ModbusID

A

0x2000

AI

0x8020

AIC

0x8040

ANG

0x2640

B

0x22A0

BA

0x2180

BCR

0x2120

BS

0x2140

BSR

0x2160

C

0x2080

CB

0x20A0

CIA

0x22E0

CIP

0x2300

CIS

0x22C0

CR

0x2100

D

0x21C0

DI

0x8000

DO

0x2260

DR

0x2360

E

0x2280

EO

0x24E0

F

0x2200

FC

0x26A0

FF

0x2240

FIN

0x26E0

FM

0x2440

FS

0x2220

GY

0x2620

HS

0x2460

ICL

0x2680

K

0x2340

LK

0x2480

M

0x2020

MA

0x2380

MGD

0x23A0

MGM

0x23E0

MGS

0x2400

MGT

0x23C0

MGY

0x2420

ML

0x2560

MRS

0x25A0

MZ

0x25C0

P

0x2040

PI

0x8060

PIC

0x8080

PK

0x25E0

QO

0x24C0

RF

0x2600

RMA

0x2500

RMG

0x2520

RMM

0x2540

S

0x2060

SCC

0x2660

SL

0x26C0

SR

0x20E0

T

0x21E0

TM

0x2320

TR

0x24A0

TS

0x2580

V

0x21A0

VAR

0x20C0

Controller Configuration

To configure controller to use Modbus, you will find new configuration section called Modbus under control board:

From the configuration you could set Modbus mode to (Off, TCP, RTU over TCP, or RS232 ASCII). You will be also able to set the Modbus Save ID.

You can use terminal to issue commands for changing mode and slave ID:


Command

Description

^DMOD 0

Set mode Off.

^DMOD 1

Set mode TCP.

^DMOD 2

Set mode RTU over TCP.

^DMOD 3

Set mode RS232 ASCII.

^MNOD 5

Set slave ID to 5.

~DMOD

Query mode.

~MNOD

Query slave ID.

Motor Controller Finder

Motor Type

Max Voltage

Number of Channels

Max Amps per Channel

USB

CANbus

MicroBasic Scripting

Cooling

Total products: 76
Results: Show
Go to top