Modbus
Links to information:
http://www.modicon.com/ Schneider Automation
http://www.modbus.org/ Modbus-IDA (Interface for Distributed Automation), a group of many vendors. Now holds the copyright to the Modbus protocol. Offers certification!?
http://www.speff.com/ Link list
Important and/or interesting documents:
- PI-MBUS-300 "Modicon Modbus Protocol Reference Guide" from Modicon or modbus.org?
- "Modbus-Protokoll ACS 140/400" by Blumenbecker
Software
http://www.win-tech.com/html/modscan32.htm Windows software, 65 USD
http://mbserver.w3.to/ "Free Windows Modbus Master" mbfull
http://members.tripod.com/mbserver/ Free Windows Modbus Master (in Z)
Snippets from newsgroups and mailing lists; these should be cleaned up at some point:
Neil Dunbar in comp.realtime 1994-07-12:
...
Modbus, in its true form is a point-to-point protocol implemented via RS-232 at up to 19,200 bps. The company that invented it, AEG Modicon had as their main interest a protocol for interrogating/controlling PLCs, but as other people (desperately seeking a common data acquisition protocol) looked at it, they figured it could be used for various purposes, e.g. data acquisition, system control, etc. So AEG/Modicon released the information into the public domain. Modbus requires no special hardware to set up a network of nodes. It is also true that many installations of 'Modbus' nodes ignore the more stringent requirements, and end up installing 38,400 bps transmissions hosted over an RS-422/485 multidrop cabling system.
The Modbus protocol has two incarnations, ASCII and RTU modes. ASCII transfers all numbers as explicit ASCII digits, e.g. number 7F hex would be transmitted as '7' 'F'. RTU mode transmits all bytes as 8 bit bytes. Two byte values are transmitted as MSB:LSB pairs. The parity setting is not defined, but if parity is enabled (Even or Odd), then 1 stop bit is used. If parity is disabled, 2 stop bits are used. 1 start bit is used in either case. ASCII mode defines a 7 bit data byte, RTU mode defines 8.
A Modbus network can have one node designated as a master, which means that it alone can transmit requests. All other nodes (slaves) can only respond to requests by the master node. Nodes have unique numbers between 1 and 64. When the master transmits to node number 0, this is taken to mean a broadcast to all nodes. The protocol specifies that broadcasts cannot elicit responses. As far as I know, multicasting is not supported on standard Modbus.
A Modbus packet is defined as a series of bytes, corresponding to the following meanings -
+-------------+
| ASCII ':'   | -- ASCII mode ONLY - Start of message indicator
| Node Number | -- 00-40h: if a request, the node that the request is
|             |    addressed to, if a reply, the node that replied.
| Function No.| -- function number. 00-7F. Functions 01 to 24h are
|             |    defined by AEG as standard. Function 08, for
|             |    example, is the diagnostic command, which has as
|             |    its parameters various subfunctions designed to
|             |    test various aspects of the remote unit.
|      :      |
|      :      | -- zero or more bytes serving as data for the
|      :      |    function defined above.
| LRC or CRC  | -- If ASCII mode, a Longitudinal Redundancy Check is
|             |    used. If RTU mode, Cyclic Redundancy Check is used.
| (16 bit val)|    Checked over the length of the message.
| ASCII CR/LF | -- ASCII mode ONLY - Carriage Return and Line Feed
|             |    acts as message terminator.
+-------------+
...
A message must be preceded by a silence on the serial line of the time taken for 3.5 characters to be transmitted. The message in RTU mode is taken to end when a silence of 3.5 character spaces has been observed. If a silence of 1.5 characters is observed, and other characters are then received before the necessary 3.5 character spaces has elapsed, those characters are discarded and the message received so far is designated as faulty.
When a response is sent to the master, the function number field simply should echo that within the request. If, however, the top bit is set within the field, this denotes an exception, and the first byte within the data field is the actual exception code, which is a number 1 through 8. These exception codes define Illegal Function, Illegal Data Address, Illegal Data Value, Slave Device Failure, Acknowledge (used to signal that the request will be a while in computing, so don't time out the slave), Slave Busy, Negative Acknowledge, Memory Parity Error.
Kerry Berland on the 68HC05_08 mailing list, 2003-09-17:
...
Some of the required protocol information was available from the Modicon website. However as the project progressed, it turned out that various PLC manufacturers have made various protocol customizations that aren't in the formal specifications. For example, baud rates and serial data formats. Documentation is hard to come by. A fully robust implementation may need changes based on what flavor of PLC you are talking to.
As another complication, people are tending to shift control functionality from PLCs to PCs running Windows. A PC running Windows and trying to run Modbus through a simple RS-485 interface cannot meet certain Modbus timing parameters.
This endeavor is very easy to underestimate...
Commands
03 - read multiple "holding registers"
Holding registers are 16 bits; register numbers start at 40001 and are addressed with 0...
Request:
- Slave address
- 03
- Starting address high
- Starting address low
- Number of registers high
- Number of registers low
- CRC
Response:
- Slave address
- Function 03
- Byte count
- Data high (register 40108): 02
- Data low (register 40108): 2B
- Error check: CRC
06 - set single register
- Slave address
- Function 06
- Register address high
- Register address low
- Data high
- Data low
- Error check: CRC
The response is identical.
0x10 - set multiple registers
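
The function 03 exchange above in RTU mode, as an added example that is not from any of the documents or posts collected here: it builds the request and validates a response (CRC, address and function echo, exception flag, byte count) before trusting the register data. Slave address 17 and the sample frames are constructed; the CRC parameters (initial value 0xFFFF, polynomial 0xA001, sent low byte first) are not stated in these notes and are supplied here as the standard Modbus RTU ones.

```python
import struct

# Exception codes 1..8, named as in the newsgroup post quoted above.
EXCEPTIONS = ("Illegal Function", "Illegal Data Address", "Illegal Data Value",
              "Slave Device Failure", "Acknowledge", "Slave Busy",
              "Negative Acknowledge", "Memory Parity Error")

def crc16(data: bytes) -> int:
    """CRC-16 of Modbus RTU: init 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def add_crc(body: bytes) -> bytes:
    # The CRC is the one field sent low byte first; all others are MSB:LSB.
    return body + struct.pack("<H", crc16(body))

def read_holding_request(slave: int, register: int, count: int) -> bytes:
    """Function 03 request; register number 40001 maps to address 0."""
    return add_crc(struct.pack(">BBHH", slave, 0x03, register - 40001, count))

def parse_read_holding(frame: bytes, slave: int, count: int) -> list:
    """Validate a function 03 response and return the register values."""
    if len(frame) < 5:
        raise ValueError("frame too short")
    if crc16(frame) != 0:             # CRC over body + CRC leaves residue 0
        raise ValueError("CRC mismatch")
    if frame[0] != slave:
        raise ValueError("reply from unexpected slave address")
    if frame[1] == 0x83:              # top bit set on function 03: exception
        code = frame[2]
        name = EXCEPTIONS[code - 1] if 1 <= code <= 8 else "unknown"
        raise RuntimeError(f"exception {code}: {name}")
    if frame[1] != 0x03:
        raise ValueError("function number not echoed")
    if frame[2] != 2 * count or len(frame) != 5 + 2 * count:
        raise ValueError("byte count does not match request")
    return list(struct.unpack(f">{count}H", frame[3:-2]))

# Constructed sample: slave 17 is assumed; register 40108 = 02 2B is from the notes.
REQUEST = read_holding_request(17, 40108, 1)
RESPONSE = add_crc(bytes([17, 0x03, 0x02, 0x02, 0x2B]))
```

Checking the byte count against the number of registers requested keeps a truncated or over-long reply from being decoded as valid data.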
