meta data for this page
  •  

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
automation:s7_modbus [2026/03/24 18:49] – [Modbus RTU and TCP, and Hybrid] vamsanautomation:s7_modbus [2026/03/25 08:46] (current) – [Modbus/TCP] vamsan
Line 67: Line 67:
  
 Although quite different, they can sometimes be integrated, such as in multimaster (hybrid) RTU scenarios. In this scenario, a signal converter needs to be integrated into the TCP network. The converter has its own IP address to receive Modbus/TCP telegrams. It's crucial that the client is aware of the Modbus/RTU network behind the converter, which uses traditional RTU addressing. Often, clients cannot manage both RTU addressing and TCP simultaneously, so verifying their ability to do so is essential. The Siemens TIA Portal is suitable for this task, and I will offer an example of its use later. Although quite different, they can sometimes be integrated, such as in multimaster (hybrid) RTU scenarios. In this scenario, a signal converter needs to be integrated into the TCP network. The converter has its own IP address to receive Modbus/TCP telegrams. It's crucial that the client is aware of the Modbus/RTU network behind the converter, which uses traditional RTU addressing. Often, clients cannot manage both RTU addressing and TCP simultaneously, so verifying their ability to do so is essential. The Siemens TIA Portal is suitable for this task, and I will offer an example of its use later.
 +
 +|< 100% >|
 +|{{ :automation:modbus_s7_rtu_1.svg |Modbus RTU shema}}|{{ :automation:modbus_s7_tcp_1.svg |Modbus TCP shema}}|{{ :automation:modbus_s7_hybrid_1.svg |Modbus RTU-TCP hybrid shema}}|
  
 |< 100% >| |< 100% >|
Line 80: Line 83:
 ^Wiring|3-core cable with shielding or 4-core cable|Ethernet cables (RJ45) and network switches| ^Wiring|3-core cable with shielding or 4-core cable|Ethernet cables (RJ45) and network switches|
  
 +==== Modbus/RTU ====
 +{{ :automation:modbus_s7_rtu_1.svg|}}
 +Modbus/RTU was the first Modbus communication method and remained the main standard until Ethernet became popular. It remains widely used today, partly because its hardware integration is simpler and more affordable than Modbus/TCP. As a result, it is likely to stay available for quite some time.
  
-|< 100% >| +=== Comparison of RS-232 and RS-485 === 
-|{{ :automation:modbus_s7_rtu_1.svg |Modbus RTU shema}}|{{ :automation:modbus_s7_tcp_1.svg |Modbus TCP shema}}|{{ :automation:modbus_s7_hybrid_1.svg |Modbus RTU-TCP hybrid shema}}| +
- +
-=== Modbus/RTU === +
- +
-== Comparison of RS-232 and RS-485 == +
 The Modbus/RTU transmission options depend on the physical layer: [[com:basic_rs232|RS-232]] or [[com:basic_rs485|RS-485]]. RS-232 is quite uncommon because it only supports point-to-point connections, meaning one Client and one Server. In contrast, RS-485 is a more flexible option; its technical specifications are outlined in the table below. The Modbus/RTU transmission options depend on the physical layer: [[com:basic_rs232|RS-232]] or [[com:basic_rs485|RS-485]]. RS-232 is quite uncommon because it only supports point-to-point connections, meaning one Client and one Server. In contrast, RS-485 is a more flexible option; its technical specifications are outlined in the table below.
 |< 100% >| |< 100% >|
Line 105: Line 106:
 ^Receiver Hysteresis|1.15 V|50 mV| ^Receiver Hysteresis|1.15 V|50 mV|
  
-== Modbus/RTU wiring ==+=== Modbus/RTU wiring ===
 For Modbus/RTU communication, use RS-485 with either a 3-wire with shield or a 4-wire cable. To improve noise immunity, using shielded cables and twisted pairs is recommended. The units should be connected in a daisy-chain layout, though star topology can also work in some cases with a few units. For Modbus/RTU communication, use RS-485 with either a 3-wire with shield or a 4-wire cable. To improve noise immunity, using shielded cables and twisted pairs is recommended. The units should be connected in a daisy-chain layout, though star topology can also work in some cases with a few units.
  
Line 124: Line 125:
   * **Connection:** Attach the resistor directly between the A (D0/-) and B (D1/+) data lines.    * **Connection:** Attach the resistor directly between the A (D0/-) and B (D1/+) data lines. 
  
-== Modbus/RTU RS-485 Signaling ==+=== Modbus/RTU RS-485 Signaling ===
 {{ :automation:modbus_s7_11.svg |Modbus/RTU Signaling}} {{ :automation:modbus_s7_11.svg |Modbus/RTU Signaling}}
  
Line 174: Line 175:
  
 === Modbus/RTU Error Checking (CRC) === === Modbus/RTU Error Checking (CRC) ===
-Even though "No Parity" (8N1) lacks bit-level checking, Modbus RTU is still secure because every full packet ends with a 16-bit CRC (Cyclic Redundancy Check). If a single bit is flipped during transmission due to noise, the CRC will fail, and the receiving device will ignore the command.+Even though //"No Parity"// (**8N1**) lacks bit-level checking, Modbus RTU is still secure because every full packet ends with a 16-bit **CRC** (//Cyclic Redundancy Check//). If a single bit is flipped during transmission due to noise, the CRC will fail, and the receiving device will ignore the command.
  
 The **CRC** (//Cyclic Redundancy Check//) is an error-detection method that ensures data integrity in Modbus RTU. It is a 16-bit (2-byte) value appended to each message. The **CRC** (//Cyclic Redundancy Check//) is an error-detection method that ensures data integrity in Modbus RTU. It is a 16-bit (2-byte) value appended to each message.
Line 184: Line 185:
   * **Efficiency:** It is far more dependable than a basic //"Checksum,"// as it can identify all single and double-bit errors and the majority of burst errors.   * **Efficiency:** It is far more dependable than a basic //"Checksum,"// as it can identify all single and double-bit errors and the majority of burst errors.
  
 +==== Modbus/TCP ====
 +{{ :automation:modbus_s7_tcp_1.svg|}}
 +Modbus/TCP (also known as Modbus TCP/IP) is a version of the Modbus protocol designed for Ethernet network communication. It wraps standard Modbus messages into TCP/IP packets, enabling reliable, high-speed data exchange.
 +
 +**Key Characteristics**
 +
 +  * **Architecture:** Uses a Client-Server model (previously called Master-Slave). The Client sends requests, and the Server replies with data or action confirmations. Network Port: Default is TCP Port 502.
 +  * **Reliability:** Depends on the TCP/IP stack for error detection and reliable delivery, removing the necessity of **CRC** (//Cyclic Redundancy Check//) used in serial Modbus RTU.
 +  * **Addressing:** Uses IP addresses to identify devices instead of the 1-byte Slave ID used in serial versions.
 +
 +
 +==== Modbus/TCP and Modbus/RTU Hybrid ====
 +{{ :automation:modbus_s7_hybrid_1.svg|}}
 ==== Modbus Registers and Coins ==== ==== Modbus Registers and Coins ====
 Modbus data is structured into four main //"data banks"// or //"storage units"//, categorized by whether the data is a single bit or a 16-bit word, and whether it is read-only or read-write. Modbus data is structured into four main //"data banks"// or //"storage units"//, categorized by whether the data is a single bit or a 16-bit word, and whether it is read-only or read-write.
Line 201: Line 215:
   * **Read/Write Permissions:** "Input" types (Discrete Inputs and Input Registers) are strictly for data sent from field devices to the controller and cannot be modified by a Modbus master.   * **Read/Write Permissions:** "Input" types (Discrete Inputs and Input Registers) are strictly for data sent from field devices to the controller and cannot be modified by a Modbus master.
  
 +=== Modbus Coin and Register Addressing ===
 +To index Modbus address ranges, a 5-digit address (e.g., 40001) was initially used. Over time, this was insufficient, as it allowed only 9,999 addresses per type. This was expanded to 6-digit addresses (e.g., 400001), offering 65,536 addresses aligned with Word boundaries. The first digit indicates the area type: 0x for Coils, 1x for Discrete Inputs, 3x for Input Registers, and 4x for Holding Registers. 
  
 +Addressing within each range begins at 1, so the first holding register is 40001 or 400001. Users should note that many manufacturers use hexadecimal addresses, while Modbus/RTU uses decimal addresses. Larger data types (>16 bit, such as REAL, LREAL, DT, or STRING, WSTRING) span multiple registers for a single variable; thus, both the start address (offset, e.g., 400012) and the area length are specified. 
  
 +{{ :automation:modbus_s7_04.png |Modbus Register short and long Addressing}}
  
 +==== Modbus Telegram Structure, ADU/PDU ====
 +In Modbus, the Application Data Unit (ADU) represents the complete message frame sent over a physical network. It functions as an //"envelope"// that encloses the Protocol Data Unit (PDU)—the main message with commands and data—while also including addressing and error-checking fields specific to the communication method.
 +
 +The ADU's structure changes based on whether you're using Modbus RTU (serial) or Modbus TCP (Ethernet):
 +
 +{{ :automation:modbus_s7_12.svg |Modbus Telegram Structure, ADU and PDU}}
 +
 +|< 100% 50% 50% >|
 +|**Modbus/TCP** ADU (Ethernet)|**Modbus/RTU** ADU (Serial)|
 +|**MBAP** Header (7 Bytes): \\ - Transaction ID (2 Bytes): Matches requests with responses. \\ - Protocol ID (2 Bytes): Always 0 for Modbus. \\ - Length (2 Bytes): Number of remaining bytes. \\ - Unit ID (1 Byte): Used for routing to serial devices through a gateway. \\ **PDU** (Function Code + Data): The core command. \\ \\ Max Size: 260 bytes.|Slave **Address** (1 Byte): Identifies the target device (1–247). \\ **PDU** (Function Code + Data): The core command. \\ **CRC** (2 Bytes): A Cyclic Redundancy Check used to detect transmission errors. \\ \\ Max Size: 256 bytes.|
 +
 +Error checking by Modbus/TCP is managed by the TCP layer and is not included in the ADU.
 +
 +=== Modbus Protocol Data Unit (PDU) ===
 +The //Modbus Protocol Data Unit// (**PDU**) is the core message structure common to all Modbus variants (RTU, ASCII, and TCP). It defines the actual command and data being exchanged between a client and a server, independent of the network medium. The PDU consists of two primary fields with a maximum combined size of 253 bytes.
 +
 +^Field^Size^Description|
 +^Function Code|1 Byte|Tells the server which action to perform, such as Read, Write, Diagnostic.|
 +^Data Field|0–252 Bytes|Contains request details such as register addresses, quantities, or the actual data values being transmitted or returned.|
 +
 +**Function Code Types**
 +
 +The function code ranges from 1 to 255 and is categorized by its purpose: 
 +  * **Public Codes (1–64, 73–99, 111–127):** Standardized, well-defined commands like **03** (//Read Holding Registers//) or **16** (//Write Multiple Registers//).
 +  * **User-Defined Codes (65–72, 100–110):** Reserved for custom device functions not defined by the standard.
 +  * **Exception Responses (128–255):** When an error occurs, the server returns the original function code with its highest bit set (//Original Code + 0x80//). 
 +
 +**Data Field Structure**
 +
 +The structure of the data field changes depending on whether the PDU is part of a Request or a Response:
 +
 +  * In a **Request**, the Starting Address (2 bytes) and the Quantity of items to read or write (2 bytes) are typically included.
 +  * In a **Response**, it presents a Byte Count along with the requested data values.
 +  * **Addressing:** All addresses within the PDU data field are 0-based offsets ranging from 0 to 65.535.
 +
 +**Data Encoding (Endianness)**
 +
 +Modbus uses Big-Endian representation for all 16-bit values within the PDU. This means the //Most Significant Byte// (**MSB**) is transmitted before the //Least Significant Byte// (**LSB**). //Example:// A register value of 0x1234 is sent as 0x12 followed by 0x34.
 +
 +=== Modbus Function Codes ===
 +The table below details the standard Modbus function codes, which cover data access, diagnostics, and advanced functions used in both RTU and TCP variants. The first byte in a PDU is the Function Code, indicating the operation that the telegram performs.
 +
 +|< 100% >|
 +^Code (Hex)^Code (Dec)^Function Name^Data Type^Access|
 +^0x01|01|Read Coils|Bit (0x)|Read|
 +^0x02|02|Read Discrete Inputs|Bit (1x)|Read|
 +^0x03|03|Read Holding Registers|16-bit (4x)|Read|
 +^0x04|04|Read Input Registers|16-bit (3x)|Read|
 +^0x05|05|Write Single Coil|Bit (0x)|Write|
 +^0x06|06|Write Single Register|16-bit (4x)|Write|
 +^0x07|07|Read Exception Status|Serial Only|Read|
 +^0x08|08|Diagnostics|Internal|Read|
 +^0x0B|11|Get Comm Event Counter|Serial Only|Read|
 +^0x0C|12|Get Comm Event Log|Serial Only|Read|
 +^0x0F|15|Write Multiple Coils|Bit (0x)|Write|
 +^0x10|16|Write Multiple Registers|16-bit (4x)|Write|
 +^0x11|17|Report Server ID|Serial Only|Read|
 +^0x14|20|Read File Record|File|Read|
 +^0x15|21|Write File Record|File|Write|
 +^0x16|22|Mask Write Register|16-bit (4x)|Write|
 +^0x17|23|Read/Write Multiple Registers|16-bit (4x)|R/W|
 +^0x18|24|Read FIFO Queue|16-bit|Read|
 +^0x2B|43|Read Device Identification|Internal|Read|
  
-==== Modbus Register-adressing ====+**Function Code Categories**
  
-==== Modbus Telegram structure ====+  * **Public Function Codes (1–64, 73–99, 111–127):** These are standard codes established by the Modbus community.  
 +  * **User-Defined Codes (65–72, 100–110):** These are designated for custom implementations created by manufacturers.  
 +  * **Exception Codes (128–255):** These codes are reserved for error responses. When a server encounters an error, it responds by adding 0x80 to the original function code; for example, a failed Read 0x03 returns 0x83.
  
 ==== Modbus test programs, test methods ==== ==== Modbus test programs, test methods ====