About Modbus & Modbus/TCP...
Modbus is an industrial protocol standard that has been in use for many years. Modbus ASCII and Modbus RTU are relatively simple serial protocols that use EIA-232 or EIA-485 to transmit data packets. The protocol defines function codes and the encoding scheme for transfering data as either single points (1-bit, coils) or as 16-bit data registers. This basic data packet is then encapsulated according to the protocol specifications for Modbus ASCII, RTU, or TCP.
The TCP version of Modbus follows the OSI Network Reference Model; however the serial implementations of Modbus do not. Modbus/TCP defines the presentation and application layers in the OSI model.
Modbus protocol is defined as a master/slave protocol, meaning a device operating as a master will poll one or more devices operating as a slave. This means a slave device cannot volunteer information; it must wait to be asked for it. The master will write data to a slave device’s registers, and read data from a slave device’s registers. A register address or register reference is always in the context of the slave’s registers.
Modbus/TCP makes the definition of master and slave less obvious because Ethernet allows peer to peer communication. The definition of client and server are better known entities in Ethernet based networking. In this context, the slave becomes the server and the master becomes the client. There can be more than one client obtaining data from a server. In Modbus terms, this means there can be multiple masters as well as multiple slaves. Rather than defining master and slave on a physical device by device basis, it now becomes the system designer’s responsibility to create logical associations between master and slave functionality.
Control Solutions' Babel Buster 485 can operate as a master or a slave, but only in one mode at a time. The entire gateway is assigned either master or slave functionality. Modbus register references when operating in slave mode mean a master can access these registers in the Babel Buster gateway. Modbus register references when operating in master mode mean the Babel Buster gateway will attempt to access these registers in the remote slave device.
Control Solutions' Babel Buster 10/100 provides both a client and a server which function simultaneously. Each functional block is individually assigned master/slave status. As a server (slave), the Modbus register references define the addresses that a remote TCP client will use to access that data in the Babel Buster. As a client (master), the Modbus register references define the addresses that the Babel Buster gateway will attempt to access in a remote server.
Control Solutions' Babel Buster SP and AddMe III family of products contain both Modbus RTU and Modbus TCP. The RTU side of the SP can be master or slave. The RTU side of AddMe III is intended to only be a master. The TCP side is both client and server, or master and slave, at the same time.
Regardless of which product, a functional block or register mapping operating as a slave will be a passive member of the Modbus network simply waiting for a master (or client) to read or write data. A functional block or register mapping operating as a master will be an active member of the Modbus network, initiating data transfers as determined by its configuration. For LonWorks gateways, a functional block defined as a master, and associated with a LonWorks input network variable, will initiate a Modbus data transfer upon each network variable update, and optionally periodically. A functional block defined as master, and associated with a LonWorks output network variable, will initiate a Modbus data transfer periodically at a rate set in configuration properties, and will update the output network variable according to the send on delta, minimum and maximum send times, etc., as defined by LonMark functional profiles.
Commonly used Modbus register formats which are supported by Babel Buster include the following:
• Bit or Boolean
• Signed or unsigned 16-bit integer
• Signed or unsigned 32-bit integer
• Floating point (single precision IEEE-754 big endian)
Modbus registers defined as 32-bit integer or floating point are “double registers” meaning they occupy two 16-bit register addresses. If there is a mismatch in interpretation between the two Modbus devices being interfaced, data transfer may return half of a floating point value as an integer (resulting in an invalid number), or may write a floating point to two consecutive integer registers (resulting in two invalid numbers). Other invalid combinations are possible. It is simply necessary to note that the device must be configured to look for and provide the correct register format to avoid unexpected results.
Double registers are sometimes “swapped”. By default, the high order bytes are expected to be found in the first register and the low order bytes are expected to be found in the second register. If the reverse is true, double register swapping may be turned on by setting nciGatewayOpts.bit6 to 1. (Note that “bit6” refers to the SNVT_state definition of bits in which bit0 is the MSB and bit15 is the LSB since the bits are defined as a structure.)
The types of registers most commonly referenced in Modbus devices, and supported by Babel Buster, include the following:
• Coil (Discrete Output)
• Discrete Input
• Input Register
• Holding Register
Valid address ranges as originally defined for Modbus were 0 to 9999 for each of the above register types. Valid ranges allowed in the current specification are 0 to 65,535. The address range originally supported by Babel Buster wass 0 to 9999. The extended range addressing was later added to all new Babel Buster (LonWorks) products.
The address range applies to each type of register, and one needs to look at the function code in the Modbus message packet to determine what register type is being referenced. To simplify documentation, an old defacto standard widely recognized as Modbus (sometimes referred to as Modicon convention) is also used in Babel Buster. This defacto standard uses the first digit of a register reference to identify the register type. A less useful aspect of this defacto standard is that register references use a 1-based index while addresses use a 0-based index.
Register types and reference ranges recognized by Babel Buster (LonWorks) are as follows:
0x Coil 00001-09999
1x Discrete Input 10001-19999
3x Input Register 30001-39999
4x Holding Register 40001-49999
Translating references to addresses, reference 40001 selects the holding register at address 0000. The reference 40001 will appear in documentation and is used to define the Modbus register in the location property of the functional block. The address 0000 will be transmitted in the message packet. Addresses are often not directly used by the application or the user.
On occasion, it is necessary to access more than 10,000 of a register type. Based on the original convention, there is another defacto standard that looks very similar. Additional register types and reference ranges recognized by Babel Buster are as follows:
0x Coil 000001-065535
1x Discrete Input 100001-165535
3x Input Register 300001-365535
4x Holding Register 400001-465535
When using the extended register referencing, it is mandatory that all register references be exactly six digits. This is the only way Babel Buster will know the difference between holding register 40001 and coil 40001. If coil 40001 is the target, it must appear as 040001.
To determine how to set up Modbus addresses, you need to get the register map from the manufacturer of the Modbus device. There is no equivalent of an XIF file for Modbus. The register map will exist in the form of documentation you need to obtain from the manufacturer.
Once you get your hands on the documentation, the next trick is interpreting it. Some high percentage of the time, all of the registers will simply be holding registers. When this is the case, registers may be documented as starting from zero, starting from one, starting from 40001, or starting from 400001.
It is common to document registers starting at #1, but this becomes address 0000 over the wire. Technically, "by the book" or per spec, addresses only start at zero. But their "references" are commonly documented as starting from #1. If you don't get the response you expect at the address you think you should, try that address plus one and that address minus one. This will rule out the zero versus one issue.
The following function codes are recognized by Babel Busters.
| Master (client) |
. |
Slave (server) |
. |
| Function Code |
Register Type |
Function Code |
Register Type |
|
1
|
Read Coil |
.
|
. |
|
2
|
Read Discrete Input |
.
|
. |
|
3
|
Read Holding Registers |
3
|
Read Holding Registers |
|
4
|
Read Input Registers |
.
|
. |
|
.
|
. |
6
|
Write Single Holding Register |
|
15
|
Write Multiple Coils |
.
|
. |
|
16
|
Write Multiple Holding Registers |
16
|
Write Multiple Holding Registers |
Note: Prior to software version 1.3, function code 6 was not recognized by Babel Busters operating as a slave. Only function code 16 was recognized for writing holding registers. V1.3 and after also recognize function code 6.
Note that only holding registers are contained within the Babel Buster when it is accessed as the slave. In the case of an RTU to TCP gateway, RTU coils, discrete inputs, and input registers will be mapped to gateway holding registers.
The LonWorks gateways (Babel Buster 232, 485, 10/100) require that you define its internal holding registers (accessed when Babel Buster is a slave) in the 40001-49999 range by setting SCPTlocation accordingly. Babel Buster SP and i.CanDoIt support a larger register count and assigns these starting at reference #1 (address 0). Since the i.CanDoIt and Babel Buster SP embedded web interface provides ample room for configuration parameters, you select register type from a drop down list, and all references for all register types start at #1. The LonWorks Babel Busters only have a single ASCII string to identify a register, so it becomes useful to make the register type implicit in the register number.
The benefit of using the Modicon style register numbering is that you get two pieces of information in the same number. When you see 40001, you know it is register #1, but you also know this refers to a holding register based on the 40,000 offset. These two pieces of information are maintained separately in Babel Buster SP and all i.CanDoIt or AddMe III products. In these cases, all register numbers start at #1, and you additionally specify a register type.
Complete specifications for the Modbus protocol may be found at www.modbus-ida.org.
