Modbus TCP/IP (2) Chinese Version

Source: Internet
Author: User
4. Protocol Structure

This section describes the general form of encapsulation of a Modbus request or response when carried on a Modbus/TCP network. Note that the structure of the request and response body (from the function code to the end of the data portion) has the same layout and meaning as in the other Modbus variants, such as:

  Modbus serial port, ASCII encoding
  Modbus serial port, RTU (binary) encoding
  Modbus Plus network, data path

The only differences in these other cases are the framing sequence, the error check pattern, and the address interpretation.

All requests are sent via TCP on registered port 502.

Requests are usually sent in half-duplex mode on a given connection. That is, while a response is outstanding on a connection, no other request is sent on it. Some devices use multiple TCP connections to maintain a high transfer rate. However, some client devices attempt to "pipeline" requests. Techniques that allow a server to accommodate this behaviour are described in the Appendix.

The Modbus "slave address" field is replaced by a single-byte "unit identifier", which is used to communicate via devices such as bridges and gateways that use a single IP address to support multiple independent end units.

The request and response are prefixed with six bytes, as follows:

  byte 0: transaction identifier - copied by the server - usually 0
  byte 1: transaction identifier - copied by the server - usually 0
  byte 2: protocol identifier = 0
  byte 3: protocol identifier = 0
  byte 4: length field (upper byte) = 0 (all messages have a length less than 256)
  byte 5: length field (lower byte) = number of bytes following
  byte 6: unit identifier (previously the "slave address")
  byte 7: Modbus function code
  byte 8 on: data as needed

So the example transaction "read 1 register at offset 4 from UI 9", returning a value of 5, would be:

  request:  00 00 00 00 06 09 03 00 04 00 01
  response: 00 00 00 00 05 09 03 02 00 05

Examples of the function codes for conformance levels 0-2 can be found in later sections.

Designers familiar with Modbus will notice that the CRC-16 or LRC check field is not required in Modbus/TCP. Instead, the TCP/IP and link layer (Ethernet) checksum mechanisms are used to verify accurate delivery of the packet.

5. Protocol Reference by Conformance Level

Note that in the examples, the request and response are listed from the function code byte onward. As mentioned above, in the Modbus/TCP case there is a transport-dependent prefix of 7 bytes:

  ref ref 00 00 00 len unit

The "ref ref" in the first two bytes has no specific value at the server. It is simply copied from the request to the response for the convenience of the client. A simple client usually sets this value to 0.

In the examples, the request and response are shown in the following format (this example is a "read register" request; see the following section for details):

  03 00 00 00 01 => 03 02 12 34

These are the sequences of hexadecimal bytes to be appended to the prefix. The entire message on the TCP connection would therefore be (assuming the unit identifier is 09):

  request:  00 00 00 00 00 06 09 03 00 00 01
  response: 00 00 00 00 05 09 03 02 12 34

(All these requests and responses were verified with an automatic tool by querying a Modicon Quantum PLC of current specification.)
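The prefix layout and the remark about pipelined requests matter to any code that reads Modbus/TCP from a socket: TCP delivers a byte stream, so one read can hold several frames or only part of one. The Python below is an added example, not part of the original text; the names wrap and split_stream and the sample requests are assumptions made for illustration.

```python
import struct

# 7-byte prefix: transaction id (2), protocol id (2), length (2), unit id (1)
HEADER = struct.Struct(">HHHB")

def wrap(pdu, unit, transaction=0):
    """Prefix a PDU (function code onward) with the Modbus/TCP header."""
    if not 1 <= len(pdu) <= 254:
        raise ValueError("PDU must be 1..254 bytes so the length stays below 256")
    # The length field counts every byte that follows it: unit id + PDU.
    return HEADER.pack(transaction, 0, len(pdu) + 1, unit) + pdu

def split_stream(buf):
    """Cut received bytes into (transaction, unit, pdu) tuples.

    Returns (frames, remainder). The remainder is an incomplete trailing
    frame to keep until more bytes arrive. Raises ValueError when a header
    breaks the documented layout; frame boundaries cannot be trusted after
    that, so the caller should drop the connection.
    """
    frames = []
    while len(buf) >= HEADER.size:
        transaction, protocol, length, unit = HEADER.unpack_from(buf)
        if protocol != 0:
            raise ValueError("protocol identifier is not 0")
        if length > 0xFF:
            raise ValueError("upper byte of the length field is not 0")
        if length < 2:
            raise ValueError("length must cover unit id and function code")
        end = 6 + length          # 6 bytes precede the counted part
        if len(buf) < end:
            break                 # body not fully received yet
        frames.append((transaction, unit, bytes(buf[HEADER.size:end])))
        buf = buf[end:]
    return frames, bytes(buf)

if __name__ == "__main__":
    # Constructed sample: two pipelined requests and the start of a third.
    first = wrap(bytes.fromhex("0300100002"), unit=1, transaction=1)
    second = wrap(bytes.fromhex("0100000008"), unit=1, transaction=2)
    frames, rest = split_stream(first + second + first[:9])
    for transaction, unit, pdu in frames:
        print(transaction, unit, pdu.hex(" "))
    print("kept for later:", rest.hex(" "))
```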
5.1 Level 0 Command Details

5.1.1 Read multiple registers (FC 3)

Request
  byte 0: FC = 03
  byte 1-2: reference value
  byte 3-4: word count (1-125)
Response
  byte 0: FC = 03
  byte 1: byte count of the response (B = 2 x word count)
  byte 2-(B + 1): register values
Exception
  byte 0: FC = 83 (hex)
  byte 1: exception code = 01 or 02

Example: read 1 register at reference value 0 (40001 in Modicon 984), returning the hexadecimal value 1234

  03 00 00 00 01 => 03 02 12 34

5.1.2 Write multiple registers (FC 16)

Request
  byte 0: FC = 10 (hex)
  byte 1-2: reference value
  byte 3-4: word count (1-100)
  byte 5: byte count (B = 2 x word count)
  byte 6-(B + 5): register values
Response
  byte 0: FC = 10 (hex)
  byte 1-2: reference value
  byte 3-4: word count
Exception
  byte 0: FC = 90 (hex)
  byte 1: exception code = 01 or 02

Example: write 1 register at reference value 0 (40001 in Modicon 984) with the hexadecimal value 1234

  10 00 00 00 00 01 02 12 34 => 10 00 00 00 01

5.2 Level 1 Command Details

5.2.1 Read coils (FC 1)

Request
  byte 0: FC = 01
  byte 1-2: reference value
  byte 3-4: bit count (1-2000)
Response
  byte 0: FC = 01
  byte 1: byte count of the response (B = (bits + 7)/8)
  byte 2-(B + 1): bit values (least significant bit is the first coil!)
Exception
  byte 0: FC = 81 (hex)
  byte 1: exception code = 01 or 02

Example: read 1 coil at reference value 0 (00001 in Modicon 984), returning the value 1

  01 00 00 00 01 => 01 01 01

Note that the format of the returned data is not consistent with a big-endian architecture. In addition, if this request calls for multiple words and they are not aligned on 16-bit boundaries, the request can be computation-intensive on the slave.
5.2.2 Read discrete inputs (FC 2)

Request
  byte 0: FC = 02
  byte 1-2: reference value
  byte 3-4: bit count (1-2000)
Response
  byte 0: FC = 02
  byte 1: byte count of the response (B = (bits + 7)/8)
  byte 2-(B + 1): bit values (least significant bit is the first coil!)
Exception
  byte 0: FC = 82 (hex)
  byte 1: exception code = 01 or 02

Example: read 1 discrete input at reference value 0 (10001 in Modicon 984)

  1 00 00 00 01 => 02 01 01

Note that the format of the returned data is not consistent with a big-endian architecture. In addition, if this request calls for multiple words and they are not aligned on 16-bit boundaries, the request can be computation-intensive on the slave.

5.2.3 Read input registers (FC 4)

Request
  byte 0: FC = 04
  byte 1-2: reference value
  byte 3-4: word count (1-125)
Response
  byte 0: FC = 04
  byte 1: byte count of the response (B = 2 x word count)
  byte 2-(B + 1): register values
Exception
  byte 0: FC = 84 (hex)
  byte 1: exception code = 01 or 02

Example: read 1 input register at reference value 0 (30001 in Modicon 984), returning the hexadecimal value 1234

  04 00 00 00 01 => 04 02 12 34

5.2.4 Write coil (FC 5)

Request
  byte 0: FC = 05
  byte 1-2: reference value
  byte 3: = FF to turn the coil on, = 00 to turn the coil off
  byte 4: = 00
Response
  byte 0: FC = 05
  byte 1-2: reference value
  byte 3: = FF to turn the coil on, = 00 to turn the coil off (echo)
  byte 4: = 00
Exception
  byte 0: FC = 85 (hex)
  byte 1: exception code = 01 or 02

Example: write 1 coil at reference value 0 (00001 in Modicon 984) to the value 1

  05 00 00 ff 00 => 05 00 00 ff 00

5.2.5 Write single register (FC 6)

Request
  byte 0: FC = 06
  byte 1-2: reference value
  byte 3-4: register value
Response
  byte 0: FC = 06
  byte 1-2: reference value
  byte 3-4: register value
Exception
  byte 0: FC = 86 (hex)
  byte 1: exception code = 01 or 02

Example: write 1 register at reference value 0 (40001 in Modicon 984) to the hexadecimal value 1234

  06 00 00 12 34 => 06 00 00 12 34

5.2.6 Read exception status (FC 7)

Note that the "exception status" has nothing to do with the "exception response". The "read exception status" message was intended to allow the fastest possible response on early Modbus multidrop networks polled at low baud rates. PLCs typically set aside a range of 8 coils (discrete outputs) to be retrieved by this message.

Request
  byte 0: FC = 07
Response
  byte 0: FC = 07
  byte 1: exception status (usually a predefined range of 8 coils)
Exception
  byte 0: FC = 87 (hex)
  byte 1: exception code = 01 or 02

Example: read the exception status, returning the hexadecimal value 34

  07 => 07 34

5.3 Level 2 Command Details

5.3.1 Force multiple coils (FC 15)

Request
  byte 0: FC = 0f (hex)
  byte 1-2: reference value
  byte 3-4: bit count (1-800)
  byte 5: byte count (B = (bits + 7)/8)
  byte 6-(B + 5): data to be written (least significant bit = first coil)
Response
  byte 0: FC = 0f (hex)
  byte 1-2: reference value
  byte 3-4: bit count
Exception
  byte 0: FC = 8f (hex)
  byte 1: exception code = 01 or 02

Example: write 3 coils at reference value 0 (00001 in Modicon 984) to the values 0, 0, 1

  0f 00 00 00 03 01 04 => 0f 00 00 03

Note that the format of the returned data is not consistent with a big-endian architecture. In addition, if this request calls for multiple words and they are not aligned on 16-bit boundaries, the request can be computation-intensive on the slave.

5.3.2 Read general reference (FC 20)

Request
  byte 0: FC = 14 (hex)
  byte 1: byte count for the remainder of the request (= 7 x number of groups)
  byte 2: reference type of the first group = 06 for 6xxxx extended memory
  byte 3-6: reference value of the first group
            = memory offset for 6xxxx extended memory
            = 32-bit reference value for 4xxxx registers
  byte 7-8: word count of the first group
  bytes 9-15: (as bytes 2-8, for the second group)
  ...
Response
  byte 0: FC = 14 (hex)
  byte 1: total byte count of the response (= number of groups + total of the group byte counts)
  byte 2: byte count of the first group (B1 = 1 + (2 x word count))
  byte 3: reference type of the first group
  byte 4-(B1 + 2): register values of the first group
  byte (B1 + 3): byte count of the second group (B2 = 1 + (2 x word count))
  byte (B1 + 4): reference type of the second group
  byte (B1 + 5)-(B1 + B2 + 2): register values of the second group
  ...
Exception
  byte 0: FC = 94 (hex)
  byte 1: exception code = 01 or 02 or 03 or 04

Example: read 1 extended register at reference value 1:2 (memory 1, offset 2 in Modicon 984), returning the hexadecimal value 1234

  14 07 06 00 01 00 02 00 01 => 14 04 03 06 12 34

(Future) Read 1 register at reference value 0, returning the hexadecimal value 1234, and 2 registers at reference value 5, returning the hexadecimal values 5678 and 9abc

  14 0e 04 00 00 00 00 00 01 04 00 00 05 00 02 => 14 0a 03 04 12 34 05 04 56 78 9A BC

Note that the transfer size limits are hard to define precisely with a mathematical formula. In summary, the request and response messages are each limited to 256 bytes, and buffer sizes must take the total length of each request and response frame into account. If the slave refuses the message because the response would be too large, exception type 04 is generated.
5.3.3 Write general reference (FC 21)

Request
  byte 0: FC = 15 (hex)
  byte 1: byte count for the remainder of the request
  byte 2: reference type of the first group = 06 for 6xxxx extended register memory
  byte 3-6: reference value of the first group
            = memory offset for 6xxxx extended memory
            = 32-bit reference value for 4xxxx registers
  byte 7-8: word count of the first group (W1)
  byte 9-(8 + 2 x W1): register data of the first group
  (further groups repeat the group frame starting from byte 2)
  ...
Response
  The response is a direct echo of the query.
  byte 0: FC = 15 (hex)
  byte 1: byte count for the remainder of the request
  byte 2: reference type of the first group = 06 for 6xxxx extended register memory
  byte 3-6: reference value of the first group
            = memory offset for 6xxxx extended memory
            = 32-bit reference value for 4xxxx registers
  byte 7-8: word count of the first group (W1)
  byte 9-(8 + 2 x W1): register data of the first group
  (further groups repeat the group frame starting from byte 2)
  ...
Exception
  byte 0: FC = 95 (hex)
  byte 1: exception code = 01 or 02 or 03 or 04

Example: write 1 extended register at reference value 1:2 (memory 1, offset 2 in Modicon 984) with the hexadecimal value 1234

  15 09 06 00 01 00 02 00 01 12 34 => 15 09 06 00 01 00 02 00 01 12 34

(Future) Write 1 register at reference value 0 with the hexadecimal value 1234, and 2 registers at reference value 5 with the hexadecimal values 5678 and 9abc

  15 14 04 00 00 00 00 01 12 34 04 00 00 05 00 02 56 78 9A BC => 15 14 04 00 00 00 00 00 01 12 34 04 00 00 00 05 00 02 56 78 9A BC

Note that the transfer size limits are hard to define precisely with a mathematical formula. In summary, the request and response messages are each limited to 256 bytes, and buffer sizes must take the total length of each request and response frame into account.
If the slave refuses the message because the response would be too large, exception type 04 is generated.

5.3.4 Mask write register (FC 22)

Request
  byte 0: FC = 16 (hex)
  byte 1-2: reference value
  byte 3-4: AND mask to be applied to the register
  byte 5-6: OR mask to be applied to the register
Response
  byte 0: FC = 16 (hex)
  byte 1-2: reference value
  byte 3-4: AND mask to be applied to the register
  byte 5-6: OR mask to be applied to the register
Exception
  byte 0: FC = 96 (hex)
  byte 1: exception code = 01 or 02

Example: change the field in bits 0-3 of the register at reference value 0 (40001 in Modicon 984) to the hexadecimal value 4 (AND with 000f, OR with 0004)

  16 00 00 00 00 0f 00 04 => 16 00 00 00 0f 00 04

5.3.5 Read/write registers (FC 23)

Request
  byte 0: FC = 17 (hex)
  byte 1-2: reference value for the read
  byte 3-4: word count for the read (1-125)
  byte 5-6: reference value for the write
  byte 7-8: word count for the write (1-100)
  byte 9:
  byte 10-(B + 9): register values
Response
  byte 0: FC = 17 (hex)
  byte 1: byte count (B = 2 x word count for the read)
  byte 2-(B + 1): register values
Exception
  byte 0: FC = 97 (hex)
  byte 1: exception code = 01 or 02

Example: write 1 register at reference value 3 (40004 in Modicon 984) with the hexadecimal value 0123, and read 2 registers at reference value 0, returning the hexadecimal values 0004 and 5678

  17 00 00 00 00 02 00 01 01 01 23 => 17 04 00 04 56 78

Note that the result is ambiguous if the register ranges being read and written overlap. Some devices write first and then read, while others read first and then write.

5.3.6 Read FIFO queue (FC 24)

Request
  byte 0: FC = 18 (hex)
  byte 1-2: reference value
Response
  byte 0: FC = 18 (hex)
  byte 1-2: byte count (B = 2 + word count) (maximum 64)
  byte 3-4: word count (number of words accumulated in the FIFO) (maximum 31)
  byte 5-(B + 2): register data from the front of the FIFO
Exception
  byte 0: FC = 98 (hex)
  byte 1: exception code = 01, 02, or 03

Example: read the contents of the FIFO block starting at reference value 0005 (40006 in Modicon 984), which contains 2 words with the hexadecimal values 1234 and 5678

  18 00 05 => 18 00 06 00 02 12 34 56 78

Note that this function as implemented on the 984 is of very limited utility: the block of registers is assumed to consist of a counter with a value from 0 to 31, followed by at most 31 words of data. When the function completes, the counter is not reset to 0 as would be expected for a FIFO operation. In general, this can be regarded as a limited subset of the 16-read multiple registers function, which can be used to achieve the required functionality.

6. Exception Codes

There is a defined set of exception codes that a slave sends back when a problem occurs. Note that a master may send commands "speculatively" and use the success or exception codes it receives to determine which Modbus commands the device is willing to respond to and the size of the various data regions available on the slave.

All exceptions are signalled by adding 0x80 to the function code of the request, followed by a single reason byte. For example:

  03 12 34 00 01 => 83 02

is a request to read 1 register at index 0x1234, answered with exception type 2, "illegal data address".

The exceptions are listed as follows:

01 Illegal function
  The function code received in the query is not an allowable action for the slave. This may be because the function code applies only to more recent controllers and is not available in the selected unit. It can also indicate that the slave is in the wrong state to process such a request, for example because it is unconfigured and is being asked to return register values.

02 Illegal data address
  The data address received in the query is not an allowable address for the slave.
  More specifically, the combination of reference value and transfer length is invalid. For a controller with 100 registers, a request with an offset of 96 and a length of 4 will succeed, and a request with an offset of 96 and a length of 5 will generate exception 02.

03 Illegal data value
  A value in the query is not an allowable value for the slave. This indicates a fault in the structure of the remainder of a complex request, for example that the implied length is incorrect. It does not mean that a data item submitted for storage in a register has a value outside what the application expects, since the Modbus protocol is unaware of the significance of any particular value of any particular register.

04 Illegal response length
  Indicates that the request as framed would generate a response whose size exceeds the available Modbus data size. Used only by functions that generate a multi-part response, such as functions 20 and 21.

05 Acknowledge
  Specialized use in conjunction with programming commands.

06 Slave device busy
  Specialized use in conjunction with programming commands.

07 Negative acknowledge
  Specialized use in conjunction with programming commands.

08 Memory parity error
  Specialized use in conjunction with function codes 20 and 21, to indicate that the extended file area failed a consistency check.

0a Gateway path unavailable
  Specialized use in conjunction with Modbus Plus gateways, indicating that the gateway was unable to allocate a Modbus Plus path to process the request. This usually means that the gateway is misconfigured.

0b Gateway target device failed to respond
  Specialized use in conjunction with Modbus Plus gateways, indicating that no response was received from the target device. This usually means that the device is not connected to the network.
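The exception rules above can be exercised with a small FC 3 handler for the 100-register controller used in the description of code 02, together with the matching client-side decoder. This Python is an added example and not part of the original text; the function names and the register bank are assumptions made for illustration.

```python
import struct

# Exception codes 01-04 as described in section 6.
EXCEPTION_NAMES = {1: "illegal function", 2: "illegal data address",
                   3: "illegal data value", 4: "illegal response length"}

def exception(fc, code):
    """Exception response: request function code + 0x80, then one reason byte."""
    return bytes([fc | 0x80, code])

def serve_read_registers(pdu, bank):
    """Answer a request PDU against bank, a list of 16-bit register values.

    Only FC 3 is implemented. Section 5.1.1 lists just 01 and 02 for FC 3,
    so a word count outside 1..125 is answered with 02 here (assumption).
    A PDU of the wrong size is treated as a framing error, not an exception.
    """
    if not pdu:
        raise ValueError("empty PDU")
    fc = pdu[0]
    if fc != 0x03:
        return exception(fc, 0x01)
    if len(pdu) != 5:
        raise ValueError("FC 3 request must be exactly 5 bytes")
    ref, count = struct.unpack(">HH", pdu[1:5])
    # Validate the combination of reference and length, not the reference alone.
    if not 1 <= count <= 125 or ref + count > len(bank):
        return exception(fc, 0x02)
    data = struct.pack(">%dH" % count, *bank[ref:ref + count])
    return bytes([fc, len(data)]) + data

def decode_read_response(pdu):
    """Client side: return ("ok", values) or ("exception", code, name)."""
    if len(pdu) == 2 and pdu[0] == 0x83:
        return ("exception", pdu[1], EXCEPTION_NAMES.get(pdu[1], "other"))
    if len(pdu) < 2 or pdu[0] != 0x03:
        raise ValueError("not a response to FC 3")
    # Never trust the byte count: it must match what actually arrived.
    if pdu[1] != len(pdu) - 2 or pdu[1] % 2:
        raise ValueError("byte count disagrees with the data received")
    return ("ok", list(struct.unpack(">%dH" % (pdu[1] // 2), pdu[2:])))

if __name__ == "__main__":
    bank = [0] * 100          # constructed register bank
    bank[0] = 0x1234
    for request in ("0300000001", "0312340001", "0300600004", "0300600005"):
        reply = serve_read_registers(bytes.fromhex(request), bank)
        print(request, "=>", reply.hex(), decode_read_response(reply)[0])
```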
