
INDUSTRIAL NETWORKS AND INTERFACES IN AUTOMATION SYSTEMS

Chapter VI
CANBUS and MODBUS communication protocol
1.1. CANBUS communication protocol
1.1.1. Description of protocol
Controller Area Network (CAN bus) is a serial interface for real-time data
transmission at speeds of up to 1 Mbps, featuring excellent possibilities for
error correction. It is used both in high speed data transmission (ISO 11898)
and in low speed applications (ISO 11519). Interface adaptors manufactured by
OKI, MICROCHIP, MOTOROLA, etc. are used for communication between devices.
The physical line is a parallel-wire line (Fig. 6.1).

Fig. 6.1.
Data transmitted by CAN are sent simultaneously along the bus to all
devices in the network (Fig. 6.2).



Fig. 6.2.
1.1.2. The principle of operation
The principle of operation of CAN networks is based on the fact that each
module can transmit messages whenever the bus is free. Since each message
carries a priority, when several modules transmit at once, access is granted
to the message of highest priority. By analogy, when a module is reached by
more than one message simultaneously, reception is carried out according to
their priority. Each of the modules in a CAN network can request messages by
sending inquiries. Each correctly received message is confirmed by sending an
acknowledgement message. A reply is sent in cases where a message is not
received due to an error. A CAN network recognizes the occurrence of permanent
errors and automatically shuts off the faulty module.
Message content is encoded by a special identifier specific to the CAN
network, which carries information about what is being transmitted with the
message (t, P, F). All receivers receive the information and each of them tests
the identifier in order to determine the content of the message. If the message
is suitable for the receiver it is received and processed; if not, it is ignored.
The identifier contains information about message priority, which is graded
into at least two levels: high and low. Information is transmitted over a
parallel-wire twisted pair or a telephone line, provided induced interference
is not high.
A CAN network is flexible and allows new devices to be added to an existing
network without changes to the hardware or software of the existing CAN
network.


CAN utilizes Non Return to Zero (NRZ) for data encoding. NRZ encoding
provides concise messages with a minimum number of transitions and little
influence from external interference.
In CAN networks priority is given to those parameters which change faster
than the others. For example, the revolutions of an automobile engine change
more frequently than its temperature.
Priority of parameters is established by the Carrier Sense, Multiple Access
with Collision Detect (CSMA/CD) method. The priority of a message is
recorded in the identifier during the first phase of system design. Highest
priority is granted to the identifier with the lowest numeric value.
1.1.3. Description of information package
In CAN systems information is transmitted and received in the form of a
packet (Message Frame).
There are two versions of CAN: 2.0 and 2.0. Version 2.0 is characterized by
an 11 bit identifier and the genuine protocol of Bosch, whereas version 2.0
features a 21 bit identifier and was developed in the USA for the needs of the
American automotive industry.
CAN networks developed according to version 2.0 receive and transmit
information only between devices built according to this particular
standard. Version 2.0 receives and transmits information in mixed
networks containing controllers from both versions.
The shape of the frame in version 2.0 is shown in Fig. 6.3.

[Figure: CAN Message Frame in standard format and extended format. Fields between two Bus Idle periods: SOF, Arbitration field (11 bit Identifier, RTR; the extended format also shows the SRR bit, IDE bit and 18 bit Identifier), Control field (r1, r0, DLC), Data Field (0-8 Bytes), CRC field (15 bits, Delimiter), ACK (Slot, Delimiter), EOF, Int.]
Fig. 6.3.

d "dominant", r "recessive"
Fig. 6.4.
Number of Data Bytes | Data Length Code: DLC3 | DLC2 | DLC1 | DLC0
0 | d | d | d | d
1 | d | d | d | r
2 | d | d | r | d
3 | d | d | r | r
4 | d | r | d | d
5 | d | r | d | r
6 | d | r | r | d
7 | d | r | r | r
8 | r | d | d | d

Fig. 6.5.

Fig. 6.6.
Initially, a pulse from high to low potential, Start Of Frame (SOF), is
transmitted along the line, followed by the 11 bit identifier (Arbitration) in
which the content of the transmission is encoded. Next comes the 1 bit Remote
Transmission Request (RTR), through which authorization is requested from the
transmitter to transmit information to the receiver. Bits r0 and r1 in the
protocol are blank. The Data Length Code (DLC) field is 4 bits in size and
contains the length of the information which is to be transmitted during the
Data interval. This interval has a duration from 0 to 8 pulses, which is
indicated in DLC. The next 15 bits of Cyclic Redundancy Code (CRC) are used to
check the correctness of the received information, followed by the DEL
interval. For recognition of the information transmitting device, 2
Acknowledge pulses (ACK) are used. The packet ends with the End Of Frame (EOF)
marker, which is 7 pulses in duration. The packet end is indicated by 3
INTERMISSION bits, after which the line is released.
[Figures: Control Field (reserved bits r1, r0 and Data Length Code DLC3 to DLC0, between the Arbitration Field and the Data Field or CRC Field); CRC Field (CRC Sequence, CRC Delimiter, between the Data or Control Field and the ACK Field); ACK Field (ACK Slot, ACK Delimiter, after the CRC Field).]

Fig. 6.7.
Recessive and dominant bit
To remain independent of the transmission medium, CAN avoids
description with the binary values "0" and "1". Instead, the terms "recessive"
and "dominant" signal are used. For instance, in an optical connection a
"recessive" signal can be dark and "dominant" may mean light. With an
electrical signal, "recessive" may mean a high level electrical signal whereas
"dominant" could mean absent.
1.1.4. Types of frames
Four frames are included in the CAN protocol:
Data frame: transmits data;
Remote frame: serves to request transmission of data frames for the
current identifier;
Overload frame: assures spacing between frames of data or requests;
Error frame: transmitted from the node in which an error is detected.
Frames of data and requests are separated from the preceding frames by
spacing.
The request frame format matches the frame for standard or extended format
with two exceptions:
The RTR field holds "recessive" instead of "dominant";
There is no data field.
1.1.5. Arbitration during data transmission
If the bus is free, each node can start transmitting at any time.
Arbitration is carried out when two or more nodes transmit frames
simultaneously (Fig. 6.8).
Priority is transmitted along with the message, which comprises an 11 bit
device identifier (the device address). The identifier with the lowest binary
value has the highest priority. Priority is set at the time of network
development and therefore cannot be changed dynamically. A collision during
access to the bus is resolved by bitwise comparison of the identifier assigned
to each station. Fig. 6.8 shows an example of the described procedure, in which
three CAN nodes want to transmit their data. Unlike Ethernet, CAN allows
neither packet loss nor collisions. The possibility that a low priority message
is not transmitted is considered a major disadvantage.



Fig. 6.8.
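The bitwise arbitration described in section 1.1.5, as an added example that is not part of the original chapter. It assumes dominant is modelled as 0 and recessive as 1 so that the lowest identifier wins; the function names and the three identifiers are constructed for illustration and are not the values of Fig. 6.8.

```python
DOMINANT, RECESSIVE = 0, 1  # assumption: dominant = 0, recessive = 1


def id_bits(can_id, width=11):
    """Return the identifier as a list of bits, most significant bit first."""
    if not 0 <= can_id < (1 << width):
        raise ValueError(f"identifier {can_id:#x} does not fit in {width} bits")
    return [(can_id >> i) & 1 for i in range(width - 1, -1, -1)]


def arbitrate(identifiers, width=11):
    """Simulate arbitration between nodes that start transmitting together.

    Returns (winner, lost_at). lost_at maps every losing identifier to the
    bit position (0 = first identifier bit on the wire) where it backed off.
    """
    if not identifiers:
        raise ValueError("at least one transmitting node is required")
    if len(set(identifiers)) != len(identifiers):
        raise ValueError("two nodes must not share an identifier")
    contenders = {cid: id_bits(cid, width) for cid in identifiers}
    lost_at = {}
    for pos in range(width):
        # The bus carries dominant as soon as a single node sends dominant.
        bus = min(bits[pos] for bits in contenders.values())
        for cid in list(contenders):
            # Each node compares what it sent with what it reads back.
            # Sent recessive, read dominant: the node stops and becomes a receiver.
            if contenders[cid][pos] == RECESSIVE and bus == DOMINANT:
                lost_at[cid] = pos
                del contenders[cid]
    (winner,) = contenders  # identifiers are unique, so exactly one node is left
    return winner, lost_at


# Constructed sample: three nodes start at the same moment.
SAMPLE_IDS = [0x2A5, 0x2B0, 0x2A1]

if __name__ == "__main__":
    winner, lost_at = arbitrate(SAMPLE_IDS)
    print(f"winner: {winner:#05x}")
    for cid, pos in sorted(lost_at.items(), key=lambda item: item[1]):
        print(f"{cid:#05x} backed off at identifier bit {pos}")
```

The winning frame is never damaged, which is why no bus time is lost; the losers retry when the bus is free again, so a node that always holds the lowest identifier can keep the others waiting.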
1.1.6. Error control
CAN features several mechanisms for error control and prevention:
Transmission control: during transmission the bit level on the network is
compared with the bits being transmitted;
Bit stuffing: after five identical bits have been transmitted in sequence, a
bit of the opposite value is transmitted automatically. All fields of the data
and request frames are encoded in this way, with the exception of the
delimiter of the control sum and the EOF marker;
Control sum: the transmitter calculates it and adds it to the
transmitted frame; the receiver reads the control circuit in real time,
calculates the control sum for the received frame and compares the two;
Field value control during transmission.
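Bit stuffing and the control sum from the list above, worked through as an added example (not code from the original chapter). The CRC-15 generator polynomial 0x4599 comes from the CAN specification rather than from this page; the function names and the sample frame bits are constructed for illustration.

```python
CAN_CRC15_POLY = 0x4599  # from the CAN specification, not stated in this chapter


def crc15(bits):
    """15-bit control sum over a bit list, first transmitted bit first."""
    crc = 0
    for b in bits:
        feedback = b ^ (crc >> 14)
        crc = (crc << 1) & 0x7FFF
        if feedback:
            crc ^= CAN_CRC15_POLY
    return crc


def stuff(bits):
    """Insert a bit of the opposite value after every five identical bits."""
    out, run_bit, run_len = [], None, 0
    for b in bits:
        out.append(b)
        run_len = run_len + 1 if b == run_bit else 1
        run_bit = b
        if run_len == 5:
            out.append(1 - b)            # stuff bit
            run_bit, run_len = 1 - b, 1  # the stuff bit starts the next run
    return out


def destuff(bits):
    """Remove stuff bits; six identical bits in a row are a stuff error."""
    out, run_bit, run_len, drop_next = [], None, 0, False
    for i, b in enumerate(bits):
        if drop_next:
            if b == run_bit:
                raise ValueError(f"stuff error at bit {i}: six identical bits")
            run_bit, run_len, drop_next = b, 1, False
            continue
        out.append(b)
        run_len = run_len + 1 if b == run_bit else 1
        run_bit = b
        drop_next = run_len == 5
    if drop_next:
        raise ValueError("stream ends where a stuff bit was expected")
    return out


def transmit(frame_bits):
    """Transmitter: append the control sum, then stuff the whole sequence."""
    crc = crc15(frame_bits)
    crc_bits = [(crc >> i) & 1 for i in range(14, -1, -1)]
    return stuff(list(frame_bits) + crc_bits)


def receive(wire_bits):
    """Receiver: destuff, recompute the control sum, return the frame bits."""
    raw = destuff(wire_bits)
    if len(raw) <= 15:
        raise ValueError("too short to contain a control sum")
    if crc15(raw) != 0:  # frame followed by its own CRC leaves remainder 0
        raise ValueError("control sum mismatch")
    return raw[:-15]


def longest_run(bits):
    """Length of the longest run of identical bits."""
    best = run = 0
    prev = None
    for b in bits:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best


# Constructed sample: SOF, identifier 0x001, RTR, r1, r0, DLC = 1, data byte 0xFF.
SAMPLE = [0] + [0] * 10 + [1] + [0, 0, 0] + [0, 0, 0, 1] + [1] * 8

if __name__ == "__main__":
    wire = transmit(SAMPLE)
    print(len(SAMPLE), "frame bits ->", len(wire), "bits on the wire")
    print("round trip ok:", receive(wire) == SAMPLE)
```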
1.1.7. Transfer rate and network length
Speed (rate) range
All nodes in the network should operate at the same speed. The CAN standard
does not determine the operating speed; however, most embedded systems use a
continuously adjustable speed from 20 KBit/sec to 1 MBit/sec. Of course, there
are also solutions which operate beyond that range.
Critical network length
The above method of error control requires its distribution across the entire
network up to the moment of its calculation. This in turn determines the maximum
network length. The higher the transfer rate, the shorter the network length.
For example, the critical length of a network under the ISO 11898 standard is
approximately:
1 Bit/sec 40 m;
500 Bit/sec 100 m;
125 Bit/sec 500 m;
10 Bit/sec 5000 m.
1.1.8. High level/layer protocols
The CAN base specification offers a number of possibilities such as transmission
of data longer than 8 bytes, automatic distribution of identifiers
between nodes, and homogeneous control of devices of various types and
performance. For this reason higher level protocols have been
under development ever since the appearance of CAN, such as:
CANopen;
DeviceNet;
CAN Kingdom;
J1939;
SDS.
1.1.9. Advantages of CAN
Possibility for operation in fixed real time mode;
Simple implementation and minimum operational costs;
High interference immunity;
Arbitrage of access to network without carrying capacity loss;
Reliable error control during transmission and reception;


Wide range of operating speed;
Large dissemination over a wide variety of devices.
1.1.10. Disadvantages of CAN
Network critical length is inversely proportional to transfer rate;
Large size of service data in the packet (as related to useful data);
Lack of conventional standard for protocols of higher level.
Standard network provides extensive possibilities for practical safe data
transmission between nodes. The following tables contain the most frequently
used connectors and the matching of pins during connection.

9 Pin (male) D-Sub CAN Bus PinOut
Pin # Signal Names Signal Description
1 Reserved Upgrade Path
2 CAN_L Dominant Low
3 CAN_GND Ground
4 Reserved Upgrade Path
5 CAN_SHLD Shield, Optional
6 GND Ground, Optional
7 CAN_H Dominant High
8 Reserved Upgrade Path
9 CAN_V+ Power, Optional

10-Pin Header CAN Bus PinOut
Pin # Signal Names Signal Description
1 Reserved Upgrade Path
2 GND Ground, Optional
3 CAN_L Dominant Low
4 CAN_H Dominant High
5 CAN_GND Ground
6 Reserved Upgrade Path
7 Reserved Upgrade Path
8 CAN_V+ Power, Optional
6 Reserved Upgrade Path
7 Reserved Upgrade Path

7-Pin Open Style CAN Bus PinOut
Pin # Signal Names Signal Description
1 CAN_GND Ground
2 CAN_L Dominant Low
3 CAN_SHLD Shield, Optional
4 CAN_H Dominant High
5 CAN_V+ Power, Optional
5-Pin Micro/Mini CAN Bus PinOut
Pin # Signal Names Signal Description
1 CAN_SHLD Shield, Optional
2 CAN_V+ Power, Optional
3 CAN_GND Ground
4 CAN_H Dominant High
5 CAN_L Dominant Low


RJ10, RJ45 CAN Bus PinOut
RJ45 Pin # RJ10 Pin # Signal Name Signal Description
1 2 CAN_H Dominant High
2 3 CAN_L Dominant Low
3 4 CAN_GND Ground
4 - Reserved Upgrade Path
5 - Reserved Upgrade Path
6 - CAN_SHLD CAN Shield, Optional
7 - CAN_GND Ground
8 1 CAN_V+ Power, Optional


CAN Bus I/O Characteristics
CANbus Signal Type Digital Interface
Output Voltage (High) V_OH +4 volts min, +5.5 volts max
Output Voltage (Low) V_OL +0 volts min, +1.5 volts max
Output Voltage +16 volts (Absolute Max)
Output Current 100mA
Impedance 124 ohm termination between +/- terminals
Circuit Type Differential
Bit Times 1uS @ 1Mb/s; 2uS @ 5Mb/s 4uS @ 25Mb/s
Encoding Format Non-Return-to-Zero (NRZ)
Transmit/Receive Frequency 1Mb/s @ 40 meters
Topology Point-to-Point
Medium Shielded Twisted Pair (STP) @ 9 pin D-Sub
Access Control Carrier Sense, Multiple Access with Collision Detect (CSMA/CD). Non-destructive bit wise arbitration
Round Style CAN Bus PinOut
9-Pin # 8-Pin # 7-Pin # Signal Names Signal Description
1 3 3 CAN_H Dominant High
2 4 4 CAN_L Dominant Low
3 5 2 CAN_GND Ground
4 6 - - Reserved
5 7 - - Reserved
6 8 - - Reserved
7 1 1 CAN_V+ Power, Optional
8 2 - GND Ground
9 - - - Reserved
- - 5 DIL-1 DIP Switch 1 connected to CAN_V+
- - 6 DIL-2 DIP Switch 2 connected to CAN_V+
- - 7 DIL-3 DIP Switch 3 connected to CAN_V+


1.2. Modbus communication protocol
1.2.1. A description of protocol
The Modbus communication protocol is based on the "client-server"
architecture. It is widely used in industry for connecting controllers.
Data is transmitted through serial channels such as RS-485,
RS-422, RS-232 (Fig. 6.9), or over TCP/IP networks (Modbus TCP) (Fig. 6.10).

Fig. 6.9.
9/12-Pin Round Flange Style CAN Bus PinOut
12-Pin # 9-Pin # Signal Names Signal Description
1 - - Reserved
2 7 CAN_L Dominant Low
3 8 CAN_GND Ground
4 9 - Reserved
5 - - Reserved
6 - - Reserved
7 2 CAN_H Dominant High
8 - - Not Used
9 - - Reserved
10 - GND Ground, Optional
11 - - Reserved
12 1 CAN_V+ Power, Optional
- 3 DIL-1 DIP Switch 1 connected to CAN_V+
- 4 DIL-2 DIP Switch 2 connected to CAN_V+
- 5 DIL-3 DIP Switch 3 connected to CAN_V+
- 6 DIL-4 DIP Switch 4 connected to CAN_V+



Fig. 6.10.
Modbus belongs to the application level protocols of the OSI network
model. Controllers which interact under Modbus use the client-server model
based on transactions made up of requests and replies.
Usually there is only one master device and several slave devices in the
network. The master device initiates transactions (communication requests).
Slave devices return the required information to the master device. The master
can address each of the slave devices individually or address a group of such
devices (Fig. 6.11). In turn, the slave device formulates a message and returns
it to the sender. Upon receipt of a packet request no reply is formulated.

[Figure: the Master initialises a request (function code, data request); the Slave performs the action and initiates the response (function code, data response); the Master receives the response.]
Fig. 6.11.
1.2.2. A format of frame
The Modbus specification describes the structure of requests and replies. They
are based on an elementary packet, also referred to as the PDU (Protocol Data
Unit). The PDU structure does not depend on the type of connection line and
includes a function code and a data field. The function code is encoded in a
single byte field and can take values within the range 1 to 127. The range
128 to 255 is reserved for error codes. The data field is of variable length and
the size of the PDU packet is limited to 253 bytes (Fig. 6.12).

[Figure: Modbus PDU = number of function (1 byte) + data (N < 253 bytes).]
Fig. 6.12.
The PDU is placed, together with additional fields, into another packet to
enable packet transmission along the physical line for connections. This packet
is referred to as the ADU (Application Data Unit). Its form depends on the type
of connection line.

[Figure: General MODBUS frame. ADU (Application Data Unit) = Slave address + PDU (Protocol Data Unit: Function code, Data) + Error Check.]
Fig. 6.13.
There are three basic implementations of the Modbus protocol. Two are for data
transmission along a serial interface, modem EIA/TIA-232-E (RS-232), EIA-422,
EIA/TIA-485-A (RS-485), optical and radio connection:
Modbus RTU;
Modbus ASCII;
and one is for data transmission along Ethernet, TCP/IP:
Modbus TCP.
The general structure of ADU is as follows (Fig. 6.14):
Start | Station Address | Function Code | Data | CRC Check | End
3.5 char | 8 bits | 8 bits | N x 8 bits | 16 bits | 3.5 char
[Figure: MODBUS RTU frame. Frame 1, Frame 2 and Frame 3 are separated by intervals of at least 3.5 char; the intervals shown are 3.5 char and 4.5 char.]

Fig. 6.14.
where:
Station address: the address of the slave device to which the record is
addressed. Each device corresponds to only one address. Likewise, the
reply begins with the address of the slave device. Device addresses are
from 1 to 247. Address 0 is used for packet addressing and is recognized
by all devices; addresses in the range 248 to 255 are reserved;
Function code: a one byte field in which the command to execute is
assigned;
Data: contains the information which the device needs in order to carry
out the command ordered by the master device, or the
information required in the reply. The length of the field depends
on the number of the function and varies in the range of 0 to 252 bytes;
Error Check (CRC Check): control sum for error checking in the frame.
During line transmission the lowest order byte of the control sum is
written first.
The maximum size of the ADU for a serial network RS232/RS485 is 256
bytes, whereas for a TCP network it is 260 bytes.
The Modbus ASCII information frame has the form presented in Fig. 6.15:
Start | Address | Function | Data | LRC | End
1 char | 2 chars | 2 chars | 0 up to 2x252 char(s) | 2 chars | 2 chars (CR,LF)

Fig. 6.15.
The function of the individual fields is given in Table 6.9.
Table 6.9.
Name | Length | Function
Start | 1 char | Starts with colon ( : ) (ASCII value is 3A hex)
Address | 2 chars | Station Address
Function | 2 chars | Indicates the function codes like read coils / inputs
Data | n chars | Data + length will be filled depending on the message type
LRC Check | 2 chars | Error checks
End | 2 chars | Carriage return line feed (CRLF) pair (ASCII values of 0D & 0A hex)

The TCP Modbus information frame is of the following kind:

[Figures: construction of a Modbus TCP data packet. The traditional Modbus serial frame consists of Address, Function Code, Data and Check sum. In the Modbus frame with TCP/IP transmission the Function Code and Data are not modified: the MODBUS TCP/IP ADU consists of the Modbus Application Protocol (MBAP) header (7 bytes: Transaction Identifier, 2 bytes; Protocol Identifier, 2 bytes; Length Field, 2 bytes; Unit ID, 1 byte) followed by the PDU (Function Code, 1 byte; Data, varies). This information is embedded into the data portion of the TCP frame.]
Fig. 6.16.

Fig. 6.17.
Where:
Transaction ID: two byte identification number of the transaction;
Protocol ID: two byte identification number of the protocol;
Length: two bytes containing the length of the transmitted data;
Unit ID: address of the device to which the request is addressed. Usually
ignored when communicating with only one device.
In TCP Modbus there is no field for a control sum.

[Figure: MODBUS TCP/IP clients and servers, MODBUS serial line clients and servers, and a TCP/IP gateway to the MODBUS serial line.]
Fig. 6.18.
1.2.3. Categories of function codes
There are three categories of functions in the available protocols:
Standardized commands, User commands and Reserved commands (Fig. 6.19).

Fig. 6.19.
1.2.4. Standardized commands
Their description must be published and confirmed by Modbus-IDA. This
category includes both allocated and free codes.
Table 6.10.
Function # | Request | Response
1 (0x01) Read Coil Status | A1 A0 Q1 Q0 | N D (N byte)
2 (0x02) Read Discrete Inputs | A1 A0 Q1 Q0 | N D (N byte)
3 (0x03) Read Holding Registers | A1 A0 Q1 Q0 | N D (N byte)
4 (0x04) Read Input Registers | A1 A0 Q1 Q0 | N D (N byte)
5 (0x05) Force Single Coil | A1 A0 D1 D0 | A1 A0 D1 D0
6 (0x06) Preset Single Register | A1 A0 D1 D0 | A1 A0 D1 D0
15 (0x0F) Force Multiple Coils | A1 A0 Q1 Q0 N D (N byte) | A1 A0 Q1 Q0
16 (0x10) Preset Multiple Registers | A1 A0 Q1 Q0 N D (N byte) | A1 A0 Q1 Q0
A1 A0: address of the element,
Q1 Q0: number of elements,
N: number of bytes with data,
D: data.
[Figure: MODBUS Function Code Categories (Fig. 6.19). Within the codes 1 to 127, the User Defined Function codes occupy 65 to 72 and 100 to 110; the other ranges are PUBLIC function codes.]

Data reading
Commands with codes from 1 to 4 are used for reading values:
1 (0x01) (Read Coil Status): returns the values of several status registers;
2 (0x02) (Read Discrete Inputs): returns the values of several discrete
inputs;
3 (0x03) (Read Holding Registers): returns the values of holding registers;
4 (0x04) (Read Input Registers): returns the values of some input
registers.
The request consists of the address of the first element in the table whose
value should be read and the number of elements to read. Both address
and count are given as 16-bit numbers. The requested data are returned in the
reply, preceded by a byte which contains the size of the transmitted data.
Table 6.11.
Sub-function code (Hex) | Sub-function code (Dec) | Name
00 | 00 | Return Query Data
01 | 01 | Restart Communications Option
02 | 02 | Return Diagnostic Register
03 | 03 | Change ASCII Input Delimiter
04 | 04 | Force Listen Only Mode
05..09 | 05..09 | RESERVED
0A | 10 | Clear Counters and Diagnostic Register
0B | 11 | Return Bus Message Count
0C | 12 | Return Bus Communication Error Count
0D | 13 | Return Bus Exception Error Count
0E | 14 | Return Slave Message Count
0F | 15 | Return Slave No Response Count
10 | 16 | Return Slave NAK Count
11 | 17 | Return Slave Busy Count
12 | 18 | Return Bus Character Overrun Count
13 | 19 | RESERVED
14 | 20 | Clear Overrun Counter and Flag
N.A | 21...65535 | RESERVED
1.2.5. User commands

They are contained in two ranges of codes (65 to 72 and 100 to 110), in which
several arbitrary functions could be implemented. However, there is no
assurance that these commands will not be used by other devices for
implementation of other functions.
1.2.6. Reserved commands
This category of input codes for functions is not standardized, however, they
are used in the devices manufactured by different companies. These codes are:
9, 10, 13, 14, 41, 42, 90, 91, 125, 126 and 127.
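The MBAP header layout from section 1.2.2 and the function code categories from sections 1.2.4 to 1.2.6, combined into a passive monitor check; this is an added example, not code from the original chapter. It assumes one complete ADU per buffer, big-endian fields, Protocol ID 0 for Modbus and a Length field that counts the Unit ID plus the PDU (all from the Modbus TCP specification, not stated on this page); the function names, verdict labels and sample frames are constructed.

```python
import struct

# Function code groups as listed in this chapter (Table 6.10, 1.2.5, 1.2.6).
READ_CODES = {1, 2, 3, 4}
WRITE_CODES = {5, 6, 15, 16}
USER_DEFINED = set(range(65, 73)) | set(range(100, 111))
RESERVED = {9, 10, 13, 14, 41, 42, 90, 91, 125, 126, 127}
MBAP_LEN = 7   # Transaction ID (2), Protocol ID (2), Length (2), Unit ID (1)
MAX_PDU = 253  # PDU size limit from section 1.2.2


def categorize(function_code):
    """Map a function code byte to the category used in this chapter."""
    if function_code >= 128:
        return "error"      # 128 to 255 is reserved for error codes
    if function_code == 0:
        return "invalid"    # valid function codes start at 1
    if function_code in READ_CODES:
        return "read"
    if function_code in WRITE_CODES:
        return "write"
    if function_code in USER_DEFINED:
        return "user"
    if function_code in RESERVED:
        return "reserved"
    return "standard-other"


def parse_tcp_adu(adu):
    """Split a Modbus TCP ADU into MBAP fields and PDU; reject malformed input."""
    if len(adu) < MBAP_LEN + 1:
        raise ValueError("shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", adu[:MBAP_LEN])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(adu) - 6:  # assumption: Length counts Unit ID + PDU
        raise ValueError(f"length field {length} does not match {len(adu) - 6}")
    pdu = adu[MBAP_LEN:]
    if len(pdu) > MAX_PDU:
        raise ValueError("PDU longer than 253 bytes")
    return {"transaction": tid, "unit": unit, "function": pdu[0], "data": pdu[1:]}


def triage(adu, units_allowed_to_write=frozenset()):
    """Classify one observed request: reads pass, everything else needs a reason."""
    try:
        frame = parse_tcp_adu(adu)
    except ValueError as exc:
        return {"verdict": "alert", "reason": f"malformed frame: {exc}"}
    category = categorize(frame["function"])
    result = {"unit": frame["unit"], "function": frame["function"],
              "category": category}
    if category in ("read", "write"):
        if len(frame["data"]) < 4:
            return {**result, "verdict": "alert", "reason": "request too short"}
        # A1 A0 followed by Q1 Q0 (or D1 D0): two 16-bit values, high byte first.
        result["address"], result["value"] = struct.unpack(">HH", frame["data"][:4])
    if category == "read":
        result["verdict"] = "allow"
    elif category == "write" and frame["unit"] in units_allowed_to_write:
        result["verdict"] = "allow"
    else:
        result["verdict"] = "alert"
    return result


# Constructed sample requests (not captured traffic).
READ = bytes.fromhex("000100000006110300100002")     # Read Holding Registers
WRITE = bytes.fromhex("0002000000061106000100ff")    # Preset Single Register
USER = bytes.fromhex("0003000000031141aa")           # user range, code 65
BAD_LEN = bytes.fromhex("000400000020110300000001")  # Length says 32 bytes

if __name__ == "__main__":
    for sample in (READ, WRITE, USER, BAD_LEN):
        print(triage(sample, units_allowed_to_write={0x20}))
```

Since Modbus TCP has no control sum and the frame carries no sender authentication, a monitor of this kind can only judge what a request asks for, which is why write, user and reserved codes are surfaced instead of trusted.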
1.2.7. Model of data
One of the standardized activities carried out by this protocol is reading and
writing data in the controller's registers. The protocol specification defines
four tables of data, shown in Table 6.12.
Table 6.12
Primary tables | Object type | Type of operation | Comments
Discretes Input | Single bit | Read-Only | This type of data can be provided by an I/O system.
Coils | Single bit | Read-Write | This type of data can be alterable by an application program.
Input Registers | 16-bit word | Read-Only | This type of data can be provided by an I/O system.
Holding Registers | 16-bit word | Read-Write | This type of data can be alterable by an application program.
Access to elements in each table is possible through a 16-bit address, the first
location corresponding to address 0. In this way each table could contain up to
65536 elements. The specification does not determine the physical length of
elements from the table nor the internal address to which they correspond. For
instance, it is allowed to organize overlapping tables. In this case all commands
which operate with discrete data and 16-bit registers will actually address
the very same data.
1.2.8. Error control in Modbus RTU protocol
Two types of error could arise during data exchange:
Errors related to information distortion during data transmission;
Logic errors.
Errors of the first type are detected by means of frame symbols, parity
control and the cyclic control sum CRC-16-IBM (the numeric polynomial 0xA001 is
used).
To detect errors of the second type, the Modbus RTU protocol assumes
that the device might omit the reply or that the reply itself could contain
an error code (Table 6.13). The sign that a reply contains an error
message is that the highest order bit of the command code is set. Modbus
proceeds according to the scheme below in order for a logic error to be detected:
If the Slave has received a correct request and is able to process it in the
standard way, it returns a standard reply;
No reply is generated if the Slave has not received any value. In this case
the Master diagnoses a timeout error;
If the Slave has received the request but has also detected an error (parity,
LRC, or CRC), no reply is generated. In this case the Master diagnoses
a timeout error;
If the Slave has received the request but for some reason is unable to
process it, a reply is generated which indicates the error type.
Table 6.13.
Direction of transfer | Address of slave device | Function number | Data (or error code) | CRC
Order (Master -> Slave) | 0x01 | 0x77 | 0xDD | 0xC7 0xA9
Request (Slave -> Master) | 0x01 | 0xF7 | 0xEE | 0xE6 0x7C
Table 6.14.
Error # Error Message
0 No Errors
1 Illegal Function
2 Illegal Data Address
3 Illegal Data Value
4 Master - Time Out
5 No Communication

6 Mismatched Unit ID
7 Mismatched Command
8 Length of message
9 Function not supported
10 Illegal format
11 Mismatched received data
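The error handling scheme of section 1.2.8, run against the two frames of Table 6.13, as an added example (not code from the original chapter). The polynomial 0xA001 and the low-byte-first CRC order are from this page; the initial value 0xFFFF comes from the Modbus serial specification, and the function names and result labels are constructed for illustration.

```python
def crc16_modbus(data):
    """CRC-16 with polynomial 0xA001, processed least significant bit first."""
    crc = 0xFFFF  # initial value from the Modbus serial specification
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def split_rtu(frame):
    """Return (address, function, data) or raise ValueError for a damaged frame."""
    if not 4 <= len(frame) <= 256:  # address + function + 2 CRC bytes, max ADU 256
        raise ValueError("bad frame length")
    body = frame[:-2]
    received = frame[-2] | (frame[-1] << 8)  # lowest order byte is sent first
    if crc16_modbus(body) != received:
        raise ValueError("CRC mismatch")
    return body[0], body[1], body[2:]


def slave_should_reply(frame, my_address):
    """Slave side: stay silent on a damaged request or one meant for others."""
    try:
        address, _, _ = split_rtu(frame)
    except ValueError:
        return False  # no reply is generated; the Master will time out
    # Address 0 is accepted by all devices but is never answered.
    return address == my_address


def master_check(request, reply):
    """Master side: classify what came back for a request (None = nothing)."""
    req_address, req_function, _ = split_rtu(request)
    if reply is None:
        return ("timeout", None)
    try:
        address, function, data = split_rtu(reply)
    except ValueError as exc:
        return ("transmission error", str(exc))
    if address != req_address:
        return ("unexpected address", address)
    if function == req_function:
        return ("normal", data)
    # Highest order bit of the command code set: the reply carries an error code.
    if function == (req_function | 0x80) and data:
        return ("error reply", data[0])
    return ("unexpected function", function)


# The two frames of Table 6.13, byte for byte.
REQUEST = bytes([0x01, 0x77, 0xDD, 0xC7, 0xA9])
REPLY = bytes([0x01, 0xF7, 0xEE, 0xE6, 0x7C])
# Constructed: the same reply with one bit of the error code flipped in transit.
DAMAGED_REPLY = bytes([0x01, 0xF7, 0xEF, 0xE6, 0x7C])

if __name__ == "__main__":
    print(hex(crc16_modbus(REQUEST[:-2])))       # CRC of the request body
    print(master_check(REQUEST, REPLY))          # error reply, code 0xEE
    print(master_check(REQUEST, DAMAGED_REPLY))  # caught by the CRC
    print(master_check(REQUEST, None))           # silence is a timeout
```

The CRC only catches accidental distortion on the line: anyone able to write to the bus can compute a valid control sum, so a frame that passes this check is intact, not authenticated.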