Serial Communications

1
MODBUS PROTOCOL
2
Items needed for this lesson

• 260 (in a 205 base) or an 06.
• D2-DSCBL-1
• PC with DirectSoft5, Modbus Poll software and
  Modbus Slave software http//www.modbustools.com/m
  odbus_poll.asp
• Modbus conversion spreadsheet http//support.auto
  mationdirect.com/docs/modbus_conversion.xls

3
MODBUS protocol

• Our products support Modbus RTU (Serial) and
  Modbus TCP (Ethernet).

- No MODBUS ASCII.
- No MODBUS Plus.
4
MODBUS RTU protocol
Master/Slave Capability
Slave-only capability
- 250 250-1 port 2
- D2-DCM
- D3-DCM
- 260 port 2
- 05 port 2
- D4-DCM
- 05 port 1
- 06 port 2
- 350 port 2
- 06 port 1
- 450 port 1 port 3
- 250-1 port 1
- 260 port 1
- D0-DCM
- F4-MAS-MB(master only)
- 340 port 2
- F4-SLV-MB
- Studio 6.5 on PC(master only)
- WINPLCH2-SERIO (w/Entivity)
- Studio 7.2 on PC(master/slave)
- H2/4-EBCH2-SERIO (w/Entivity)
- LookoutDirect on PC(master only, does
not function
with radios)
- GS drives
- C-More panels
- T1K-MODBUS
- C-More Micro panels
- T1H-EBC100
5
MODBUS TCP protocol
Client/Server Capability
Server-only capability
- H2-ECOM100
- H2-EBC100
- GS-EDRV
- H0-ECOM100
- WINPLC
- H4-ECOM100
- Cmore (Client only)
- T1H-EBC100
- Studio 6.5 on PC(master only)
- Studio 7.2.1 on PC(master/slave)
- LookoutDirect on PC(Client only)
Client/Server is the terminology typically used
with Ethernet protocols. The Client is the
device sending a request and the Server is the
device receiving a request. The Client would be
like a serial Master and the Server would be
like a serial Slave.
6
MODBUS Addressing (Decimal)
584/984
484
Coils
1-65535
1-9999
Status Input
10001-165535
1001-1999
Input Registers
30001-365535
3001-3999
Holding Registers
40001-465535
4001-4999
This addressing style would be considered more a
PLC addressing scheme as opposed to an actual
protocol addressing scheme but this is the most
prominent addressing style for MODBUS devices out
there. These modes listed above (584/984 and
484) are Modicon PLC models. As their PLCs grew
in size and memory, they had to increase their
addressing scheme. Some legacy devices still use
the 484 scheme.
7
MODBUS Addressing (Hex)
Function Codes
01 Read Coil Status
02 Read Input Status
03 Read Holding Registers
04 Read Input Registers
05 Force Single Coil
06 Preset Single Register
15 Force Multiple Coils
16 Force Multiple Registers
Address
0000-FFFF hex
This addressing style is the actual protocol
addressing scheme. Many devices use this type of
addressing as well. The GS drives use this type
of addressing. This is easier for protocol
writers to implement.
8
MODBUS network commands (RX/WX commands)
The most complex part of using ADC PLCs with
MODBUS is the conversion that has to be done for
the addressing. We use octal addressing but
MODBUS uses either decimal or hex.
9
MODBUS network commands (RX/WX commands)
For decimal addressing, use the spreadsheet.
This resides on our website. http//support.automa
tiondirect.com/docs/modbus_conversion.xls
10
MODBUS network commands (RX/WX commands)
Hex Addressing (Registers)
PLC as Master Step 1 Open up the calculator on
your PC. Choose ViewgtScientific. Step 2 Click
on the Hex button. Step 3 Type in your Hex
address and then click on the Octal button.
Step 4 Place this value, preceded by a V
into your RX/WX box.
11
MODBUS network commands (RX/WX commands)
Hex Addressing (Registers)
PLC as Slave Step 1 Open up the calculator on
your PC. Choose ViewgtScientific. Step 2 Click
on the Octal button. Step 3 Type in your PLC
numeric address (No V of course) and then click
on the Hex button.
12
MODBUS network commands (RX/WX commands)
Hex Addressing (Coils)
PLC as Master Step 1 Open up the calculator on
your PC. Choose ViewgtScientific. Step 2 Click
on the Hex button. Step 3 Type in your Hex
address and then click on the Decimal button.
Step 4 Add a one. Step 5 Find the correct
range on the spreadsheet and then type in this
decimal address in the MODBUS column. Step 6
Take this value and put it in the RX/WX box
preceded by the correct letter of the range used
(GY, Y, C, S, T or CT).
13
MODBUS network commands (RX/WX commands)
Hex Addressing (Coils)
PLC as Slave Step 1 Type the numeric value
into the correct range on the spreadsheet. Step
2 Open up the calculator on your PC. Choose
ViewgtScientific. Click on the Decimal button.
Step 3 Type in the result from the MODBUS
column of the spreadsheet. Step 4 Subtract
one. Step 5 Click on the Hex button.
14
MODBUS network commands (RX/WX commands)
Hex Addressing (Inputs)
PLC as Master Step 1 Open up the calculator on
your PC. Choose ViewgtScientific. Step 2 Click
on the Hex button. Step 3 Type in your Hex
address and then click on the Decimal button.
Step 4 Add 10001. Step 5 Find the correct
range on the spreadsheet and then type in this
decimal address in the MODBUS column. Step 6
Take this value and put it in the RX/WX box
preceded by the correct letter of the range used
(GX, X or SP).
15
MODBUS network commands (RX/WX commands)
Hex Addressing (Inputs)
PLC as Slave Step 1 Type the numeric value
into the correct range on the spreadsheet. Step
2 Open up the calculator on your PC. Choose
ViewgtScientific. Click on the Decimal button.
Step 3 Type in the result from the MODBUS
column of the spreadsheet. Step 4 Subtract
10001. Step 5 Click on the Hex button.
16
MODBUS network commands (RX/WX commands)
The function codes that our 250, 05, 450 and 350
do
17
Exercise 1

• Read and Write data from PC running Modbus Poll
  software to PLC.

18

• Connect to PLC with DirectSoft.
• Go to Secondary Comm. port setup
• Set to Modbus Communications, 19200 Baud, Odd
  parity, 1 Stop Bit (Shown Below)

19

• Place an END statement on the first rung.
• Download this to the PLC.
• Open a Data View window and place V2000 V2011
  in the window in Decimal Format.
• Open the Modbus Poll software.
• We are going to read V2000 through V2011 (open in
  your Data View) into Modbus Poll
• Click on Display and PLC Addresses (Base 1)
• Click on Setup and Read/Write Definition.

20

• Use the conversion spreadsheet to show the
  address (V2000 2000 octal to decimal 1024
  40001 41025). Note that you do not enter the
  full 41025 in the address field of the
  Read/Write definition window. The high digit is
  really more of a data type identifier (0xxxx
  indicates Coils, 1xxxx indicates Discrete Inputs,
  3xxxx indicates Input Registers and 4xxxx
  indicates Holding Registers). Only enter the
  address (1025) without the high digit identifier.
• Choose a Length of 10
• Setup should be as shown below (Remember to leave
  off the 4xxxx in the address)

21

• Click on Connection and then click Connect
• Choose the port on the PC that is connected to
  the PLC with the D2-DSCBL-1
• Choose Mode RTU, 19200 Baud, 8 Data Bits, Odd
  Parity and 1 Stop Bit.

22

• At this point, you should see the values assigned
  to the V memory locations in Data View reflected
  in the Modbus addresses inside of Modbus Poll.
• To verify the correct addressing, change the
  values of the V memory locations in Data View and
  see if they reflect correctly in Modbus Poll.
  Also try double clicking on the Modbus addresses
  in Modbus Poll and writing values over to the PLC
  and see if the values change in Data View.

23
Exercise 2

• Create single RX ladder rung reading data from PC
  running Modbus Slave software into PLC.
• Create single WX ladder rung writing data from
  PLC to PC running Modbus Slave software into PLC.

24

• Close Modbus Poll software
• Open Modbus Slave software
• Go to Display and select PLC Addresses (Base 1)
• Go to Setup and Slave Definition
• Setup as shown below
• This sets up Modbus Slave to contain Modbus
  addresses 40101 to 40110 (Note that you do not
  enter the 4xxxx in the address but you will see a
  4x0100 in the top of the column in the software.
  The high digit is really more of a data type
  identifier (0xxxx indicates Coils, 1xxxx
  indicates Discrete Inputs, 3xxxx indicates Input
  Registers and 4xxxx indicates Holding Registers)

25

• Go to Connection and click Connect
• Choose the serial port on your PC that you will
  connect the D2-DSCBL-1 to.
• Choose 19200 Baud, 8 Data Bits, Odd Parity and 1
  Stop Bit.
• Choose RTU Mode

26
Creating a RX (Read) rung

• Use a STRN SP116 to indicate only send the
  command when port 2 is not busy (Refer to PLC
  user manual for details on SP bits for each PLC
  and port)
• Place a LD box with KF101 (Refer to earlier slide
  on explanation)
• Place a LD box with K20 (20 bytes 10 Registers)
• Place a LDA box with V2000 (Data from Modbus
  Slave will go into V2000 through V2011)
• Place a RX box with V144 (Use conversion
  spreadsheet. Conversion 40101 40001 100
  Decimal 144 Octal)

27

• Download this project into the PLC (make sure you
  dont forget your end statement)
• Bring up a Data View window
• Place V2000 through V2011 into the Data View
  window. Change the display from BCD/Hex to
  Decimal.
• In Modbus Slave, double click on the individual
  fields that presently have 0s in them. Change
  the values to something else.
• You should see the values changing in your Data
  View to the values you entered in Modbus Slave.

28

• Insert 2 rungs above your RX rung.
• Enter a STR SP116 contact.
• Place a CNT at the end of the rung.
• Use CT0 as the counter and K9999 as the preset.
• Use a STR CT0 as the reset for the counter.
• Do the same thing as above for the 2nd rung but
  use STR SP117 for the count leg and CT1 as the
  counter and the reset STR.
• Place CTA0 and CTA1 in your Data View.
• You should see a value in CTA0 increasing rapidly
  and a 0 in CTA1.
• Disconnect the cable.
• You should now see CTA0 and CTA1 counting at the
  same rate.
• You can use this logic to confirm whether
  communications is actually functioning or not.
  These counter rungs must ALWAYS be above the
  RX/WX rungs

29

• Now go back to your RX rung.
• Change the second LD box to K1.
• Change the RX box to GY0. Refer to conversion
  spreadsheet. You will note that GY0 converts to
  Coil address 00001.
• Now go to Modbus Slave software and click on
  Setup and Slave Definition.
• Change the Function to 01 Coil Status and change
  the address to 1 and the Length to 1.
• Transfer your ladder logic to the PLC.
• Note that now you are getting errors.
• Important point Using the RX or WX with Modbus,
  you CANNOT read or write 1 bit. You can only
  read or write 8 bits at a time.
• Go to Modbus Slave, click on Setup and Slave
  Definiton. Change the length to 8.
• Now your errors have gone away and you can change
  the value of the bit in Modbus Slave and you will
  see the value in V2000 change from 0 to 1.

30
Creating a WX (Write) rung

• Go to the RX rung and delete the RX box.
• Place a WX box with V144 in it.
• Change the second LD box to K20.
• Download this project.
• Go to Data View and change the values in V2000
  through V2011.
• You should see the values changing in Modbus
  Slave now.

31

• Go to the second LD box and change it to K1.
• Change the WX box to GY0 (Coil 00001).
• Go to Modbus Slave, click on Setup and Slave
  Definition.
• Change the Function Code to 01 Coil Status,
  Address 1 and Length 1.
• Transfer the ladder logic change to the PLC.
• Note that you are getting errors.
• Go back to Modbus Slave and change the length to
  8.
• The errors should have gone away.
• Important point You CANNOT write 1 bit using
  the WX command in Modbus.

32
MODBUS network commands (MRX/MWX command)
These are the instructions that the 06 and 260
have implemented
33
MODBUS network commands (MRX/MWX command)
These instructions allow us to use the native
decimal MODBUS addressing. They have also added
more function code support. Function codes that
they added
05 Force single coil
06 Preset single register
07 Read Exception Status
You can now specify at a bit level and word level
instead of the byte level.
34
Exercise 3

• Create MRX ladder rung reading data from PC
  running Modbus Slave software into PLC.
• Create MWX ladder rung writing data from PLC to
  PC running Modbus Slave software into PLC.

35

• Close Modbus Poll (if still open) and open Modbus
  Slave software.
• Follow steps from Exercise 2 to setup Modbus
  Slave with Modbus addresses 40101 - 40110
• Verify that the secondary comm. port settings of
  the PLC are still Modbus, 19200 baud, Odd Parity,
  1 Stop Bit (same settings used in Exercise 1).

36
Creating a MRX rung

• Delete previous RX or WX rung and create a new
  rung.
• Enter a STRN SP116 at the left hand side of the
  rung.
• Go to the NOP and type in MRX and hit enter.
• Use K2 as the Port Number.
• Make the Slave Address K1.
• Change the Function Code to 03 Read Holding
  Registers.

37

• Type in 40101 for the Start Slave Memory Address.
• Type in V2000 for the Start Master Memory
  Address.
• Type in 10 for the Number of Elements.
• Use Modbus Data Format 584/984 mode.
• Leave V400 for the Exception Response Buffer.
• Copy and Paste the previously made CTO and CT1
  rungs to count the number of comm. transactions
  and errors above this newly created MRX rung.
• Transfer this project to the PLC.

38

• Note that no conversion was necessary to align
  the Modbus addressing correctly.
• Also note that the Number of elements aligned
  correctly.
• Change the values in the Modbus addresses in
  Modbus Slave and you should see the values
  changing in V2000 V2011
• In Data View, type in V400 V402
• Go to Modbus Slave and click on Setup and Slave
  Definition.
• Change the Address from 101 to 201.
• Note that now there are values in V400 V402.
  This is a Modbus Exception Response.

39

• We will explain the details of this data format
  in more depth later but for now, let us explain
  how to pull the error code from this data.
• V400 should contain 8301. This is in byte
  swapped format. So it would be easier to view
  this as 01 83. 01 is the Node Address. 83 is
  the function code (03) with the high bit turned
  on (exception responses always have the high bit
  turned on).
• V401 should contain C002. Swapping this looks
  like 02 C0. 02 is the actual error code. The
  next slide shows a screen shot of the Exception
  Error codes from the Modbus specification. C0 is
  the first byte of the CRC. We can ignore this
  data as well as the data in V402.

40

• Note that the 02 error code says Illegal Data
  Address.
• This would be correct since we are asking for
  Modbus address 40101 and this doesnt exist
  presently in the Modbus Slave project that we are
  running.

41

• Now go to Modbus Slave, click on Setup and Slave
  Definition.
• Change to Function 01 Coil Status and Address 1
  and Length 1.
• Go to the MRX instruction. Change to Function
  Code 01 Read Coil Status. 00001 for Start
  Slave Memory Address and Number of Elements K1.
• Transfer this to the PLC.
• Note that you can read 1 bit with the MRX
  command, where you could not with the RX command.

42
Creating a MWX rung

• Go into Modbus Slave and change the Setup and
  Slave Definition back to Address 101.
• Go to DirectSoft and delete the MRX instruction.
• Type in MWX and hit enter.
• Type in K2 for the Port Number.
• Type in K1 for the Slave Address.
• Change the Function Code to 16 Preset Multiple
  Registers
• Type in 40101 in the Start Slave Memory Address.
• Type in V2000 in the Start Master Memory Address.
• Type in K10 for the Number of Elements.

43

• Leave 584/984 mode for the Modbus Data Format
• Leave V400 for the Exception Response Buffer.
• Transfer this to the PLC.
• Change the values in V2000 V2011. You should
  see the values changing in Modbus Slave.
• Go to Modbus Slave and go to Setup and Slave
  Definition.
• Change the Address to 201.
• You should now see data in V400 V402.
• Note that V400 contains 01 90 (reversed 9001).
  Function Code 16 is 10 in hex format. If you
  turn on the high bit, you get a resulting value
  of 90.
• Note that V401 contains 02 CD (reversed CD02).
  You get the same error code when trying to write
  to an address that doesnt exist in the PLC.

44

• Now go to Modbus Slave, click on Setup and Slave
  Definition.
• Change to Function 01 Coil Status and Address 1
  and Length 1.
• Go to the MWX instruction. Change to Function
  Code 05 Force Single Coil. 00001 for Start
  Slave Memory Address.
• Transfer this to the PLC.
• Note that you can write 1 bit with the MWX
  command, where you could not with the WX command.
• Also try Change the MWX to Function Code to 15
  Force Multiple Coils and Number of Elements to
  1. Transfer this to the PLC.
• This will also work where the WX command didnt.

45
Wiring Standards
We have three wiring standards that we support
now.
RS232
Most common wiring standard. Good for up to 50
feet and point to point only.
RS485(2-wire)
Very common multi-drop wiring standard. Very
prevalent on drives. Good for up to 1000 meters.
This is only supported in the 06 and 260.
RS422(sometimes called RS485 4-wire)
Another common multi-drop wiring standard. More
immune to noise because of dual-differentials.
Also good to 1000 meters.
46
Wiring Standards
90 of the time, you really only need concern
yourself with five different signals on serial
communications
TX
Transmit. The data is transmitted on this signal.
RX
Receive. The data is received on this signal.
SG
Signal ground. The transmit and receive
reference off of this signal.
RTS
Ready To Send. This is a device output that goes
high when it is ready to send a transmission.
CTS
Clear To Send. This is a device input that goes
high when it receives a signal from RTS. The
device typically will look at this signal after
it has raised its RTS and when CTS goes high, it
will then transmit its data.
47
Wiring Standards
The same principle applies with RS422 and RS485
except that they dont reference off of signal
ground. They reference off of their own negative
signal. Here are the signals
TX
Transmit plus. Positive side of transmit
reference.
TX-
Transmit negative. Neg. side of transmit
reference.
RX
Receive plus. Pos. side of receive reference.
RX-
Receive neg. Neg. side of receive reference.
RTS
Ready to send pos. Pos. side of RTS reference.
RTS-
Ready to send neg. Neg. side of RTS reference.
CTS
Clear to send pos. Pos. side of CTS reference.
CTS-
Clear to send neg. Neg. side of CTS reference.
48
Wiring Standards
Once you know these, its pretty simple to wire
things up. There are two different schemes DTE
to DTE wiring and DTE to DCE wiring. DTE stands
for Data Terminal Equipment (PC serial ports,
PLCs, etc) and DCE stands for Data
Communication Equipment (modems, some RS232/485
converters, etc). In a DTE to DTE wiring
scheme, TX goes to RX, RTS goes to its own CTS
and SG goes to SG. In a DTE to DCE wiring
scheme, TX goes to TX, RTS goes to RTS, CTS goes
to CTS and SG still goes to SG.
RS232
DTE to DTE
DTE to DCE
TX
RX
TX
TX
RX
TX
RX
RX
SG
SG
SG
SG
RTS
RTS
RTS
RTS
CTS
CTS
CTS
CTS
49
Wiring Standards
RS422
RS485
TX
RX
TX
TX
TX-
RX-
RX
RX
RX
TX
TX-
TX-
RX-
TX-
RX-
RX-
SG
SG
SG
SG
RTS
RTS
RTS
RTS
CTS
CTS
CTS
CTS
RTS-
RTS-
RTS-
RTS-
CTS-
CTS-
CTS-
CTS-
50
Serial Communications

• The principle theory of serial communications is
  to send data over in a stream of bits. The
  data is framed into bytes of data. Each byte
  will generally be framed with a Start Bit, a Stop
  Bit and sometimes a Parity Bit. Sometimes the
  data is only 7 bits but that is not very common
  anymore. Most all devices doing serial
  communications these days use 8 data bits.
• The next slide will show what this data looks
  like on an oscilloscope and how the framing is
  represented.

51
Serial Communications
R
S
Reverse the Bits. They are basically queued
up as they come in.
Parity Bit
Start Bit
Stop Bit
1010010
1010011
Decimal 82
Decimal 83
The ASCII equivalent of Decimal 82 is R and the
ASCII equivalent of Decimal 83 is S. These two
characters were sent together in one packet.
52
MODBUS strings
01 03 00 00 00 01 84 0a
Master query
CRC Hi
CRC Lo
Node Addr.
Funct. code
Start addr. Hi
Start addr. Lo
No. of pts. Hi
No. of pts. Lo
Slave response
01 03 02 00 05 78 47
CRC Hi
CRC Lo
Data Hi
Data Lo
Byte count
Node Addr.
Funct. code
53
MODBUS strings
CRC Calculation
Calculating CRC is a complex method of exclusive
ORing and bit shifting the bits of each byte in
the message against a static register until all
bytes in the message have been calculated. This
final value is appended to the end of the message
when sent. The receiving device does this
calculation as well and compares its calculated
CRC to the CRC sent in the message. If they are
equal, the message is considered a good packet
and is accepted.
You can use the Modbus Poll Test Center function
to generate a CRC for you. Just type in the
command you want to create minus the CRC and
select Add Check CRC and click on Send. You will
see the appended CRC value.
54
MODBUS Specification
www.modbus.org has several different versions and
variations of the Modbus specification that
explains the protocol very well.
55
Exercise 4

• Show example Modbus Strings using Modbus Slave.

56

• In Modbus Slave, click on Display and
  Communication.
• Wait a few seconds and then click on Stop.
• The RX lines are the strings sent from the PLC to
  the PC.
• The TX lines are the replies sent from the Modbus
  Slave software on the PC back to the PLC.

57

• In the PLC, there is a MWX command set to Slave
  Address K1, Function Code 15 Force Multiple
  Coils, 1 (000001) for Start Slave Memory Address
  and V2000 for Start Master Memory Address.
• Note the string sent from the PLC. It is 01 0F
  00 00 00 01 01 00 2E 97.
• The next 2 slides shows this broken down.

58

• 01 Node address the PLC is trying to talk to.
• 0F Hex for 15, the function code the PLC is
  trying to use.
• 00 The high byte of the starting address that
  the PLC is trying to write to.
• 00 The low byte of the starting address that
  the PLC is trying to write to (note that 00001 is
  a PLC address. It converts to 0000 in the
  protocol)
• 00 The high byte of the number of elements
  that the PLC is trying to write. Elements refers
  to a single piece of information related to the
  function code being used. It does not define a
  data size in and of itself. If using bit
  function codes (01, 02, 05 and 15), 1 element 1
  bit. If using word function codes (03, 04, 06
  and 16), 1 element 1 word.
• 01 The low byte of the number of elements
  that the PLC is trying to write.

59

• 01 The number of bytes being written. Since we
  are only writing 1 bit, we would only send 1
  byte. When using the bit functions for writing,
  the data is packed into bytes. So if we were
  trying to write 8 elements, we still only send 1
  byte of data (8 bits in 1 byte).
• 00 The data being sent. Presently V2000 has a
  0 in it.
• 2E The high byte of the CRC.
• 97 The low byte of the CRC.
• The reply back from the Modbus Slave with this
  function code is simple. It simply echoes back
  the request with its CRC appended.
• Try changing the MWX and MRX instruction along
  with the Modbus Slave setup and look at the
  communications strings. Then correlate this data
  with the Modbus Specification information from
  www.modbus.org and see the comparisons.