Presentation on theme: "TOP Server: Understanding Modbus for Device Connectivity"— Presentation transcript:
1 TOP Server: Understanding Modbus for Device Connectivity
Presenter: Kevin Rutherford
2 Modbus Protocol Training Agenda
- Overview
- Modbus Protocol Specifics
  - Modbus Types
  - Modbus Terminology
  - Modbus “Quirks”
  - Example Modbus packets
- TOP Server Modbus Suite Flexibility
  - Supported Protocols
  - Dealing with “Non-Standard” Modbus Devices
- Live Modbus Demo
  - Configuration
  - Troubleshooting
    - Using Quick Client
    - Using Channel Diagnostics
- Questions?
3 What is a Protocol?
- Protocols can happen at many levels and cover many things
  - Cabling
  - Electrical
  - Packet structure
  - Content of Packets
  - Timing of Packets
- Rarely does ONE protocol cover all of these things
- Multiple protocols involved in making a full connection
4 What is a Protocol? Analogy – Train Tracks, Cars, & Cargo
- RS-232, 485, Ethernet define cabling and electrical protocols, i.e. the Train Tracks…
- In Ethernet connections, the transport defines the Train Cars (Packet structure)
- In Serial connections, the application protocol usually defines the Train Cars
- What’s in the Train Cars (packets) is the Cargo – the data – which is defined by the actual device/application protocol….
- Physical Transport Media – RS-232, RS-422, 10-Base-T = The Train Tracks
- Network Protocol Transport – TCP/IP Ethernet, FTP, HTTP = The train and cars
- Application Protocols – Modbus TCP = Contents of the Train Cars
5 Parts of a Typical Application Protocol
- Many application protocols use some or all of these in their structures:
  - Header/start characters
  - Target Device ID
  - Function Code, Sub-Function Codes
  - Data Length
  - Data
  - Checksum/error checking
  - Termination character
- Data section usually contains
  - Read: Memory type, start location, length, or multiple locations in some protocols
  - Write: Memory type & location to write, size to write, actual data to write
- Data contents are usually driven by which Function Code or Sub-Function Codes are used in the request
- Data is OFTEN communicated in Hex – Base 16!!!!
6 Modbus – Used Everywhere!
- Schneider/Modicon/Telemecanique PLCs
- Nearly every other PLC brand offers built-in Modbus or a Modbus option module
- Electrical transmission & distribution control & monitoring equipment
- Water/wastewater control equipment
- Temperature controllers
- AC Variable Speed Drives
- Servo Drives
- Pick a device – it just might support Modbus
- When in doubt – find out – is Modbus a choice on the hardware?
7 Modbus Types
- Serial – RS-232/422/485 electrical protocol
  - Two possible transmission modes:
    - Modbus RTU
    - Modbus ASCII
- Proprietary – Vendor specific electrical protocol
  - Modbus Plus
- Ethernet – standard TCP/IP Ethernet electrical + transport
  - Modbus TCP or Modbus Ethernet
  - Ethernet Encapsulated Modbus RTU or ASCII
- Gateway Devices
  - Ethernet or Modbus Plus
  - Modbus RTU or ASCII serial on other side
  - Multiple serial devices on downstream side
8 Modbus Terminology: Memory Types & Addressing
- Input Coils = Digital inputs
  - 1xxxxx address type
  - 0/1 values
  - Boolean data type
- Output Coils = Digital outputs
  - 0xxxxx address type
- Input Registers = Analog inputs
  - 3xxxxx address type
  - 16-bit registers
  - 32-bit data types use two consecutive registers
- Holding (Output) Registers = Analog outputs
  - 4xxxxx address type
9 Modbus Terminology
- Read/Write Access
  - Read Only: Input Registers & Input Coils
  - Read/Write: Output Coils and Holding Registers
- Addressing – 5 or 6 digits
  - Original Modbus was 5 digits – i.e
  - As PLC memories grew, went to 6, i.e
- Offset
  - The Modbus address offset is all digits after the first digit; the first digit identifies which memory type the address is
  - Can be 0 or 1 based
  - Pointer that specifies where into that memory type to go and start getting data or writing data
10 Modbus Terminology
- Modbus Node Address
  - Used with serial devices
  - Each device on serial connection has unique ID
  - Slave ID values = 1 to 247
  - Masters don’t have a Node address
- Modbus Function Codes
  - Used by Modbus Masters to tell a Modbus Slave what they want it to do
    - Read or Write?
    - Memory Type?
    - Single item or Multiple Items in a Transaction
12 Modbus Terminology
- Modbus Exception Codes
  - Used by slaves to tell Master what it did not like about a request
  - Examples:
    - 02 - Bad memory address
    - 01 - I don’t understand this function code
    - 0x0B - Slave didn’t respond – gateway devices
13 Common Modbus Quirks
- Data Byte Ordering
  - 32 bit data type word order
  - 64 bit data type Dword order
  - Byte order within words
- Addressing – 0 or 1 based
- Function Code support
  - Use of user definable function codes
- Non-Modicon use of memory type + offset for addressing in documentation confusing
14 Modbus RTU Packet Framing
- PDU = protocol data unit
- Address field – 1 byte – node address of the slave
- CRC = error checking calculation, 2 bytes
- Function Code + Data depends on what you want to accomplish.
15 Modbus Packet Format: Modbus RTU
- A MODBUS message is placed by the Modbus Master into a serial frame that has a known beginning and ending point.
- The beginning and ending points are marked by an amount of time, which tells receiving devices when a new frame begins and when the message is completed.
- In RTU mode, message frames are separated by a silent interval of at least 3.5 character times.
- Character time = time to send one character at the chosen baud rate
16 Modbus RTU Example: Read Holding Registers 108-110 from Slave Node 01
- Transmit: TX: B xx xx
- Receive: RX: B xx xx
- xx xx = 2 byte checksum
- IMPORTANT – Notice:
  - Request is in # of registers
  - Response is in # of bytes
  - 1 Register = 2 bytes
17 Modbus RTU Example: Write Single Holding Register 2 with value of 3 on Slave Node 1
- Transmit: TX: xx xx
- Receive: RX: xx xx
- xx xx = 2 byte checksum
18 Modbus RTU Example: Exception Response
- Master asks for memory address that doesn’t exist in the slave
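The RTU framing from slides 14 to 18 as an added example (not from the presentation): it computes the CRC, builds the Read Holding Registers request for registers 108-110 on node 01, and validates a reply, including the exception form. The function names, the one-based mapping of register 108 to offset 107, and the reply bytes are assumptions constructed for illustration.

```python
import struct

def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def add_crc(body: bytes) -> bytes:
    # The 2-byte CRC is appended low byte first.
    return body + struct.pack("<H", crc16_modbus(body))

def read_holding_request(node, first_reg, count, one_based=True):
    if not 1 <= node <= 247:
        raise ValueError("slave ID must be 1 to 247")
    # Assumption: register numbers are one-based, so register 108 is offset 107.
    offset = first_reg - 1 if one_based else first_reg
    return add_crc(struct.pack(">BBHH", node, 0x03, offset, count))

def parse_read_reply(reply: bytes, request: bytes) -> dict:
    if len(reply) < 5:
        raise ValueError("frame too short")
    if crc16_modbus(reply[:-2]) != struct.unpack("<H", reply[-2:])[0]:
        raise ValueError("CRC mismatch")
    if reply[0] != request[0]:
        raise ValueError("reply from unexpected node")
    if reply[1] == request[1] | 0x80:
        return {"exception": reply[2]}        # e.g. 02 = bad memory address
    if reply[1] != request[1]:
        raise ValueError("function code does not match request")
    count = struct.unpack(">H", request[4:6])[0]
    # Request counts registers, reply counts bytes: 1 register = 2 bytes.
    if reply[2] != 2 * count or len(reply) != 3 + reply[2] + 2:
        raise ValueError("byte count inconsistent with request")
    return {"registers": list(struct.unpack(f">{count}H", reply[3:-2]))}

# Constructed sample frames (register values 10, 20, 30 are made up).
REQUEST = read_holding_request(1, 108, 3)
GOOD_REPLY = add_crc(bytes([0x01, 0x03, 0x06, 0x00, 0x0A, 0x00, 0x14, 0x00, 0x1E]))
EXCEPTION_REPLY = add_crc(bytes([0x01, 0x83, 0x02]))

if __name__ == "__main__":
    print(REQUEST.hex(" "))
    print(parse_read_reply(GOOD_REPLY, REQUEST))
    print(parse_read_reply(EXCEPTION_REPLY, REQUEST))
```

A reply whose byte count does not equal twice the requested register count is rejected rather than decoded, which is the check the "IMPORTANT" note on slide 16 implies.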
19 Modbus Packet Format: Modbus TCP
- A Modbus TCP Packet is put into a TCP/IP wrapper
- Notice similarity to Modbus RTU with function code + data
- MBAP Header = Modbus Application Protocol Header – similar to the address field in the serial framing
- MBAP = 7 extra bytes on beginning of transmission
20 Modbus TCP MBAP Header Contents
- Unit identifier used when using bridging to downstream serial devices.
- 0 = no bridging being used
21 Modbus TCP - Example
- Reading Input Register 30070, reading through a gateway to slave device ID 1 on serial connection
- Request:
  - TX: 08 3B
  - 08 3B = MBAP
  - 08 3B = Transaction ID
  - 00 00 = Protocol ID
  - 00 06 = 6 bytes follow from here
  - 01 = Node ID 1
  - = regular Modbus Read Input Registers command
  - 04 = Function Code
  - 00 46 = Starting address in hex 0x46 = 70 decimal = offset into input registers
  - 00 01 = Quantity of input registers to read
- Response:
  - RX: 08 3B
  - 08 3B = MBAP
  - 08 3B = Transaction ID – notice this matches the request
  - 00 05 = 5 bytes follow from here
  - 01 = slave ID 1
  - = regular response to Modbus Read Input Registers
  - 02 = byte count
  - 01 23 = Value in hex = 291 Decimal
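The slide 21 exchange, reassembled from the slide's field breakdown and checked the way a master or a monitoring tool would check it: MBAP length against bytes received, transaction ID against the request, byte count against the quantity asked for. This is an added example, not TOP Server code; the function names are hypothetical, and the reply's protocol ID (not listed on the slide) is assumed to be 00 00.

```python
import struct

def parse_adu(adu: bytes) -> dict:
    """Split a Modbus TCP frame into MBAP fields and PDU; reject bad framing."""
    if len(adu) < 8:
        raise ValueError("shorter than 7-byte MBAP plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0:
        raise ValueError("protocol ID is not 00 00")
    # The length field counts every byte after itself: unit ID plus PDU.
    if length != len(adu) - 6:
        raise ValueError("MBAP length does not match bytes received")
    return {"tid": tid, "unit": unit, "func": adu[7], "data": adu[8:]}

def check_read_reply(request: bytes, reply: bytes) -> list:
    """Return register values if the reply is a consistent answer to the request."""
    req, rsp = parse_adu(request), parse_adu(reply)
    if req["func"] not in (0x03, 0x04) or len(req["data"]) != 4:
        raise ValueError("request is not a register read")
    if (rsp["tid"], rsp["unit"]) != (req["tid"], req["unit"]):
        raise ValueError("transaction ID or unit ID does not match request")
    if not rsp["data"]:
        raise ValueError("reply carries no data")
    if rsp["func"] == req["func"] | 0x80:
        raise ValueError(f"exception code 0x{rsp['data'][0]:02X}")
    if rsp["func"] != req["func"]:
        raise ValueError("function code does not match request")
    _start, quantity = struct.unpack(">HH", req["data"])
    byte_count = rsp["data"][0]
    if byte_count != 2 * quantity or len(rsp["data"]) != 1 + byte_count:
        raise ValueError("byte count inconsistent with quantity requested")
    return list(struct.unpack(f">{quantity}H", rsp["data"][1:]))

# Bytes assembled from the slide's field-by-field breakdown.
REQUEST = bytes.fromhex("083B 0000 0006 01 04 0046 0001")
# Assumption: the reply's protocol ID is 00 00, as in the request.
REPLY = bytes.fromhex("083B 0000 0005 01 04 02 0123")

if __name__ == "__main__":
    print(parse_adu(REQUEST))
    print(check_read_reply(REQUEST, REPLY))
```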
22 TOP Server Modbus Suite Flexibility
- Protocols Supported
  - Modbus RTU Serial Master and Slave
  - Modbus ASCII Master
  - Modbus Plus
  - Modbus TCP Ethernet Master and Slave
- Flexible Settings for Non-Standard Modbus
  - Zero or One-Based Addressing
  - Holding Register Bit Mask Writes
  - Specifying Function Code for Writes
  - Data order manipulation
23 Live Demo
- Overview
- Modbus Protocol Specifics
  - Modbus Types
  - Modbus Terminology
  - Modbus “Quirks”
  - Example Modbus packets
- TOP Server Modbus Suite Flexibility
  - Supported Protocols
  - Dealing with “Non-Standard” Modbus Devices
- Live Modbus Demo
  - Configuration
  - Troubleshooting
    - Using Quick Client
    - Using Channel Diagnostics
- Questions?
24 Questions?
- Questions later? Kevin Rutherford x1326
- TOP Server Modbus Suite (Info / Free Demo)
- Other learning opportunities
- Visit