Open Type MODBUS-TCP specification (Chinese version) 2

Source: Internet
Author: User
   5.3 Level 2 instruction details
   5.3.1 Force Multi-point coils (FC)
  
   Request
  
Byte 0: FC = 0F (hex)
Byte 1-2: Reference value
Byte 3-4: Number of bits (1-800)
Byte 5: Number of bytes (B = (bits + 7)/8)
Byte 6-(B+5): Data to write (least significant bit = first coil)

   Response

Byte 0: FC = 0F (hex)
Byte 1-2: Reference value
Byte 3-4: Number of bits

   Exception

Byte 0: FC = 8F (hex)
Byte 1: Exception code = or 02
  
   Sample
  
Write the values 0, 0, 1 to 3 coils starting at reference value 0 (00001 in Modicon 984)
  
0F => 0F 00 00 00 03
  
Note that the format of the returned data is not consistent with a big-endian architecture. Also, if this request covers multiple words and they are not aligned on 16-bit boundaries, it can be computationally intensive for the slave station.
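The request layout above can be built and checked as follows. This is an added example, not code from the specification; the function names and the `coils` list standing in for coil memory are hypothetical, and rejecting a malformed frame with a Python `ValueError` is a choice made here.

```python
import struct

FC_FORCE_COILS = 0x0F
ILLEGAL_DATA_ADDRESS = 0x02


def pack_coils(values):
    """Pack coil states into bytes; the first coil is the least significant bit."""
    data = bytearray((len(values) + 7) // 8)
    for i, value in enumerate(values):
        if value:
            data[i // 8] |= 1 << (i % 8)
    return bytes(data)


def build_request(ref, values):
    """Request PDU: FC, reference value, bit count, byte count, data."""
    if not 1 <= len(values) <= 800:
        raise ValueError("bit count must be 1-800")
    data = pack_coils(values)
    return struct.pack(">BHHB", FC_FORCE_COILS, ref, len(values), len(data)) + data


def parse_request(pdu):
    """Return (ref, values); reject any frame whose counts disagree."""
    if len(pdu) < 7 or pdu[0] != FC_FORCE_COILS:
        raise ValueError("not a force-multiple-coils request")
    ref, bits, nbytes = struct.unpack(">HHB", pdu[1:6])
    data = pdu[6:]
    if not 1 <= bits <= 800:
        raise ValueError("bit count out of range")
    # The declared byte count must equal (bits + 7)/8 and the bytes really sent.
    if nbytes != (bits + 7) // 8 or len(data) != nbytes:
        raise ValueError("byte count does not match bit count")
    values = [(data[i // 8] >> (i % 8)) & 1 for i in range(bits)]
    return ref, values


def serve(pdu, coils):
    """Apply a request to `coils` (hypothetical coil memory held in a list)."""
    ref, values = parse_request(pdu)
    if ref + len(values) > len(coils):
        return bytes([FC_FORCE_COILS | 0x80, ILLEGAL_DATA_ADDRESS])
    coils[ref:ref + len(values)] = values
    return pdu[:5]  # the response repeats FC, reference value and bit count


if __name__ == "__main__":
    memory = [1] * 8  # constructed coil memory
    request = build_request(0, [0, 0, 1])
    print(request.hex(" "), "=>", serve(request, memory).hex(" "))
```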
  
   5.3.2 Read General reference value (FC)
  
   Request
  
Byte 0: FC = 14 (hex)
Byte 1: Number of bytes in the remainder of the request (= 7 x number of groups)
Byte 2: Reference type for the first group = 06 for 6xxxx extended memory
Byte 3-6: Reference value for the first group
= memory offset for 6xxxx extended memory
= 32-bit reference value for 4xxxx registers
Byte 7-8: Word count for the first group
Byte 9-15: (as bytes 2-8, for the second group)
. . .

   Response

Byte 0: FC = 14 (hex)
Byte 1: Total number of bytes in the response
(= number of groups + total number of bytes in the groups)
Byte 2: Number of bytes in the first group (B1 = 1 + (2 x word count))
Byte 3: Reference type for the first group
Byte (B1+2): Register value of the first group
Byte (B1+3): Number of bytes in the second group (B2 = 1 + (2 x word count))
Byte (B1+4): Reference type for the second group
Byte (B1+5)-(B1+B2+2): Register values of the second group
. . .

   Exception

Byte 0: FC = 94 (hex)
Byte 1: Exception code = 01 or 02 or 03 or 04
  
   Sample
  
Read 1 extended register at reference value 1:2 (extended memory 1 offset 2 in Modicon 984), which returns the hex value 1234
  
The => 14 04 03 06 12 34
  
Future
  
Read 1 register at reference value 0, which returns the hex value 1234, and 2 registers at reference value 5, which return the hex values 5678 and 9ABC.
  
For the 0E => 0A to be in 9A BC, at the same for the same.
  
Note that the transfer size limits are difficult to define precisely with a mathematical formula. In general, buffer and message sizes limit the total length of each request and each response data frame to 256 bytes. If the slave station rejects the message because the response would be too large, exception type 04 is generated.
  
   5.3.3 Write general reference values (FC)
  
   Request
  
Byte 0: FC = 15 (hex)
Byte 1: Number of bytes in the remainder of the request
Byte 2: Reference type for the first group = 06 for 6xxxx extended register memory
Byte 3-6: Reference value for the first group
= memory offset for 6xxxx extended memory
= 32-bit reference value for 4xxxx registers
Byte 7-8: Word count for the first group (W1)
Byte 9-(8 + 2 x W1): Register data for the first group

(Data frames for further groups repeat the layout from byte 2)
. . .

   Response

The response is a direct echo of the query

Byte 0: FC = 15 (hex)
Byte 1: Number of bytes in the remainder of the request
Byte 2: Reference type for the first group = 06 for 6xxxx extended register memory
Byte 3-6: Reference value for the first group
= memory offset for 6xxxx extended memory
= 32-bit reference value for 4xxxx registers
Byte 7-8: Word count for the first group (W1)
Byte 9-(8 + 2 x W1): Register data for the first group

(Data frames for further groups repeat the layout from byte 2)
. . .

   Exception

Byte 0: FC = 95 (hex)
Byte 1: Exception code = 01 or 02 or 03 or 04
  
   Sample
  
Write 1 extended register at reference value 1:2 (extended memory 1 offset 2 in Modicon 984) with the hex value 1234
  
15 09 06 00 01 00 02 00 01 12 34 (=>)
  
Future
  
Write 1 register at reference value 0 with the hex value 1234, and 2 registers at reference value 5 with the hex values 5678 and 9ABC.
  
All of the 9A BC, at the same (a).
The 9A BC, at the same as the same as the other.
  
Note that the transfer size limits are difficult to define precisely with a mathematical formula. In general, buffer and message sizes limit the total length of each request and each response data frame to 256 bytes. If the slave station rejects the message because the response would be too large, exception type 04 is generated.
  
   5.3.4 Mask Write Register (FC)
  
   Request
  
Byte 0: FC = 16 (hex)
Byte 1-2: Reference value
Byte 3-4: AND mask for the register
Byte 5-6: OR mask for the register

   Response

Byte 0: FC = 16 (hex)
Byte 1-2: Reference value
Byte 3-4: AND mask for the register
Byte 5-6: OR mask for the register

   Exception

Byte 0: FC = 96 (hex)
Byte 1: Exception code = 01 or 02
  
   Sample
  
Change the field in bits 0-3 of the register at reference value 0 (40001 in Modicon 984) to the hex value 4
(AND with 000F, OR with 0004)
  
=> 0F 00 04 (at 0F)

   5.3.5 Read/write registers (FC)

   Request

Byte 0: FC = 17 (hex)
Byte 1-2: Reference value for reading
Byte 3-4: Word count for reading (1-125)
Byte 5-6: Reference value for writing
Byte 7-8: Word count for writing (1-100)
Byte 9: Number of bytes (B = 2 x word count for writing)
Byte 10-(B+9): Register values

   Response

Byte 0: FC = 17 (hex)
Byte 1: Byte count (B = 2 x word count for reading)
Byte (B+1): Register value

   Exception

Byte 0: FC = 97 (hex)
Byte 1: Exception code = 01 or 02
  
   Sample
  
Write 1 register at reference value 3 (40004 in Modicon 984) with the hex value 0123, and read 2 registers at reference value 0, which return the hex values 0004 and 5678
  
The 17 04 00 04 56 78 of the => for the "the same"
  
Note that if the register ranges being read and written overlap, the result is ambiguous. Some devices write first and then read, while others read first and then write.

   5.3.6 Read FIFO queue (FC)
  
   Request
  
Byte 0: FC = 18 (hex)
Byte 1-2: Reference value

   Response

Byte 0: FC = 18 (hex)
Byte 1-2: Number of bytes (B = 2 + word count) (max. 64)
Byte 3-4: Word count (number of words accumulated in the FIFO) (max. 31)
Byte (B+2): Register data starting from the front of the FIFO

   Exception

Byte 0: FC = 98 (hex)
Byte 1: Exception code = 01 or 02 or 03
  
   Sample
  
Read the contents of the FIFO block starting at reference value 0005 (40006 in Modicon 984), which contains 2 words with the hex values 1234 and 5678
  
=> 18 00 06 00 02 12 34 56 78
  
Note that this function as implemented on the 984 is of very limited generality: the block of registers is assumed to consist of a counter holding a value from 0 to 31, followed by up to 31 words of data. When the function completes, the count word is not reset to 0, as would be expected after a FIFO operation.

In general, this can be seen as a limited subset of function 16 (read multiple registers), since the latter can be used to achieve the required functionality.
  
   6. Exception Code
  
When something goes wrong, one of a series of defined exception codes is returned by the slave station. Note that a master station may send commands "speculatively", using the success or exception code it receives to determine which Modbus commands the device is willing to respond to and the size of the different data areas available on the slave station.
  
All exceptions are marked by adding 0x80 to the requested function code, followed by a single reason byte as shown in the following example:
  
=> 83 02
  
A request to read 1 register at index 0x1234 is answered with exception type 2, "illegal data address".
  
The exceptions are listed as follows:
  
   01 Illegal function

For the slave station, the function code received in the query is not an allowable action. This may be because the function code applies only to newer controllers and not to the unit selected. It can also indicate that the slave station is in the wrong state to process such a request, for example because it is not configured and is being asked to return register values.

   02 Illegal data address

For the slave station, the data address received in the query is not an allowable address. More specifically, the combination of reference value and transfer length is invalid. For a controller with 100 registers, a request with an offset of 96 and a length of 4 will succeed, and a request with an offset of 96 and a length of 5 will produce exception 02.

   03 Illegal data value

For the slave station, a value contained in the query data field is not an allowable value. This indicates a fault in the structure of the remainder of a complex request, for example that the implied length is incorrect. It does not mean that a data item submitted for storage in a register has a value outside what the application expects, since the Modbus protocol is unaware of the significance of any particular value of any particular register.

   04 Illegal response length

Indicates that the request as framed would produce a response that exceeds the available Modbus data size. Used only by functions that generate a multi-part response, such as functions 20 and 21.

   05 Acknowledge

Specialized use in conjunction with programming commands.

   06 Slave station device busy

Specialized use in conjunction with programming commands.

   07 Negative acknowledge

Specialized use in conjunction with programming commands.

   08 Memory parity error

Specialized use in conjunction with function codes 20 and 21, to indicate that the extended file area failed a consistency check.

   0A Gateway path unavailable

Specialized use in conjunction with Modbus Plus gateways; indicates that the gateway could not allocate a Modbus Plus path to handle the request. Usually means a gateway configuration error.

   0B Gateway target device failed to respond

Specialized use in conjunction with Modbus Plus gateways; indicates that no response was received from the target device. Usually means that the device is not connected to the network.
  
   Appendix
   A. Client and server application guide

The comments in this section should not be regarded as binding on any particular implementation of a client or server. However, following them will greatly reduce integration problems when Modbus devices are installed in multi-vendor systems and behind gateways.


The software architecture below assumes familiarity with the BSD Sockets service interface, as used on UNIX and Windows NT.
  
   A.1 Client Design
  
MODBUS/TCP is designed to make the client as simple as possible. Software examples are available elsewhere, but the basic process of handling a transaction is as follows:

Use connect() to establish a connection to port 502 on the desired server.

Prepare a Modbus request, encoded using the method described earlier.

Submit the Modbus request, including its 6-byte MODBUS/TCP prefix, as a single buffer transmitted with send().

Wait for the response to appear on the same TCP connection. If you want to detect communication failures faster than TCP normally reports them, optionally use select() to apply a timeout at this step.

Read the first 6 bytes of the response with recv(); they indicate the actual length of the response message.

Read the remaining bytes of the response with recv().

If no further communication with this particular target is expected in the near future, close the TCP connection so that the server's resources can serve other clients in the interim. The maximum time for a client to leave a connection open is 1 second.

In the event of a timeout waiting for a response, unilaterally close the connection, open a new connection, and submit the request again. This technique lets the client control the timing of retries, which is better than what TCP provides by default. It also allows reliable fallback strategies, such as submitting the request to an alternate IP address over a fully independent communication network when the backbone fails.
   A.2 Server Design
  
A MODBUS/TCP server should be designed to support multiple concurrent clients, even when the intended use involves only a single client. This allows a client to close and reopen the connection in rapid succession in order to respond quickly to a response that was not delivered.

If a conventional TCP protocol stack is used, memory can be saved by reducing the size of the receive and send buffers. A TCP stack on UNIX or NT typically allocates 8K bytes or more of receive buffer per connection to encourage "streaming" data transfers from devices such as file servers. Such buffer space has no value in MODBUS/TCP, because the maximum size of a request or response is less than 300 bytes. It is generally possible to trade this storage space for additional connection resources.

Either a multithreaded or a single-threaded model can be used to handle multiple connections, as described in the following sections.

   A.2.1 Multithreaded Server

Operating systems or languages that encourage multithreaded applications, such as Java, can use the multithreaded strategy described below:

Use listen() to wait for incoming TCP connections on port 502.

When a new connection request is received, accept it with accept() and create a new thread to handle the connection.


In the new thread, loop indefinitely doing the following:

Issue a recv(6) request for the 6-byte MODBUS/TCP header. Do not set a timeout here; wait until either a request arrives or the connection is closed. In both cases the thread is woken up automatically.

Analyze the header. If it appears corrupt, for example the protocol field is not 0 or the message length exceeds 256 bytes, unilaterally close the connection. This is the normal response of a server to a condition that implies an error in the TCP encoding.

Issue a recv() for the remaining bytes of the message, whose length is now known. Note in particular that issuing recv() with such a length limit tolerates clients that insist on "pipelining" requests. Any such pipelined requests remain in the TCP buffers of the server or client and are picked up after the current request has been fully serviced.

Now process the incoming Modbus message, suspending the current thread if necessary until the correct response has been calculated. In the end, you have either a valid Modbus response message or an exception response message.

Generate the MODBUS/TCP prefix for the response, copying the transaction identifier field from bytes 0 and 1 of the request and recalculating the length field.

Submit the response, including the MODBUS/TCP prefix, as a single buffer for transmission on the connection, using send().

Go back and wait for the next 6-byte prefix.

Eventually, when the client chooses to close the connection, the recv() of the 6-byte prefix will fail. An orderly shutdown usually causes recv() to return a byte count of 0. A forced shutdown may cause recv() to return an error. In either case, close the connection and terminate the current thread.
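The client steps of A.1 and the per-connection loop above, exercised end to end, with two pipelined requests that reproduce the exception 02 case from section 6. This is an added example, not code from the specification: `socket.socketpair()` stands in for a TCP connection to port 502, the register contents are constructed, and the FC 03 request layout and the unit identifier byte that follows the prefix are assumed from the standard protocol rather than shown in this section.

```python
import socket
import struct

MAX_LENGTH = 256  # limit given in the text above
REGISTERS = [0] * 96 + [0x1111, 0x2222, 0x3333, 0x4444]  # constructed: 100 registers


def recv_exact(sock, n):
    """Call recv() until n bytes are read; b'' means the peer closed first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return b""
        buf += chunk
    return buf


def handle_pdu(pdu):
    """Serve FC 03 (read registers); answer anything else with an exception."""
    fc = pdu[0]
    if fc != 0x03:
        return bytes([fc | 0x80, 0x01])  # illegal function
    if len(pdu) != 5:
        return bytes([fc | 0x80, 0x03])  # illegal data value
    ref, count = struct.unpack(">HH", pdu[1:5])
    if count < 1 or ref + count > len(REGISTERS):
        return bytes([fc | 0x80, 0x02])  # illegal data address
    return bytes([fc, 2 * count]) + struct.pack(">%dH" % count, *REGISTERS[ref:ref + count])


def serve_one(sock):
    """One pass of the per-connection loop; False means the socket was closed."""
    prefix = recv_exact(sock, 6)
    if not prefix:  # client closed the connection
        sock.close()
        return False
    txn, proto, length = struct.unpack(">HHH", prefix)
    if proto != 0 or not 2 <= length <= MAX_LENGTH:
        sock.close()  # corrupt prefix: close unilaterally
        return False
    body = recv_exact(sock, length)  # length-limited, never reads the next request
    if not body:
        sock.close()
        return False
    reply = body[:1] + handle_pdu(body[1:])  # assumed: unit identifier leads the body
    sock.sendall(struct.pack(">HHH", txn, 0, len(reply)) + reply)
    return True


def frame(txn, pdu, unit=1):
    """Client side: 6-byte prefix, unit identifier, then the Modbus request."""
    body = bytes([unit]) + pdu
    return struct.pack(">HHH", txn, 0, len(body)) + body


def read_reply(sock):
    """Client side: read the 6-byte prefix, then exactly the announced length."""
    txn, _proto, length = struct.unpack(">HHH", recv_exact(sock, 6))
    return txn, recv_exact(sock, length)[1:]


def demo():
    client, server = socket.socketpair()
    # Two pipelined requests in one send(): offset 96 with length 4, then length 5.
    client.sendall(frame(1, bytes.fromhex("0300600004")) + frame(2, bytes.fromhex("0300600005")))
    served = [serve_one(server) for _ in range(2)]
    replies = [read_reply(client), read_reply(client)]
    client.sendall(struct.pack(">HHH", 3, 0x4854, 5))  # constructed prefix, protocol field not 0
    rejected = not serve_one(server)
    client.close()
    return served, replies, rejected


if __name__ == "__main__":
    print(demo())
```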
  
   A.2.2 Single-Threaded Server

Some embedded systems and older operating systems such as UNIX and MS-DOS encourage handling multiple connections through the select() call of the sockets interface. In such a system, concurrent requests are handled not by separate threads but as multiple state machines within a common handler.

The structure is as follows:

Initialize the state machines by setting their state to "idle".

Use listen() to wait for incoming TCP connections on port 502.

Now start an infinite loop that checks the listen port and the state machines as follows:

On the listen port, if a new connection request is received, accept it with accept() and move a state machine from "idle" to the "new request" state to handle the incoming connection.

For each state machine:

If the state is "new request":

Use select() to see whether a request has arrived. Normally a timeout of 0 is set, since you do not want to suspend processing because one particular connection is inactive.

If select() indicates that a packet is present, read the header with recv(6) as in the multithreaded case. If the header is corrupt, close the connection and set the state machine to "idle".

If the read succeeds and select() indicates that more input is available, read the rest of the request.

If the request is complete, change the state to "wait for response".

If the recv() return value indicates that the connection is no longer in use, close the connection and reset the state machine to "idle".

If the state is "wait for response":

Check whether the application's response is available; if so, build the response packet and send() it, exactly as in the multithreaded case. Set the state to "new request".


Performance can be optimized, without affecting the functional structure of the application, by combining the multiple select() calls into a single call per cycle.
   A.3 required and expected performance
  
There is no specification for the response time required for a transaction over Modbus or MODBUS/TCP.

This is because MODBUS/TCP is expected to be used in the widest possible variety of communication situations, from I/O scanning devices with millisecond delays to long-distance wireless links with delays of several seconds.

In addition, the Modbus family is designed to support automatic conversion between networks through "non-intelligent" conversion gateways. Such devices include the Schneider "Modbus + Bridge Ethernet" and various devices that convert MODBUS/TCP to Modbus serial connections. The use of these devices means that the performance of existing Modbus devices is consistent with the use of MODBUS/TCP.

In general, devices such as PLCs that exhibit "scan" behavior will respond to incoming requests within one scan cycle, which typically varies between 20 milliseconds and 200 milliseconds.

From the client's point of view, that time must be extended by the expected transport delays across the network to determine a "reasonable" response time. Such delays may be a few milliseconds for switched Ethernet, and hundreds of milliseconds for a WAN connection.

In turn, the time a client waits before initiating a retry of a request should be greater than the expected maximum "reasonable" response time. Otherwise, the network and the target devices may become excessively congested, causing further errors. This is a situation that must be avoided.

In practice, therefore, client timeouts for high-performance applications always depend on the network topology and the expected client performance.

When scanning 10 I/O devices over a local Ethernet network where each device normally responds within 1 millisecond, a timeout of 30 milliseconds is reasonable. On the other hand, a 1-second timeout may be more appropriate for slow PLCs reached through a gateway and a serial connection, where the normal scan sequence completes in 300 milliseconds.
Applications that are not time-critical often leave the timeout at the normal TCP defaults, which report a communication failure after several seconds on most platforms.

Clients are encouraged to close and re-establish MODBUS/TCP connections that are used only for data access (not PLC programming) when a significant time, say more than 1 second, is expected before the next use. If clients follow this principle, a server with limited connection resources can serve a larger number of clients, and error recovery strategies such as selecting an alternate target IP address become possible. It should be remembered that the extra communication and CPU load caused by closing and reopening a connection is comparable to that of a single Modbus transaction.
   B. Encoding of non-word data

The most efficient way to transfer large quantities of information over Modbus is to use function code 3 (read registers), 16 (write registers), or possibly 23 (read/write registers).

Although these functions are defined in terms of their operation on 16-bit registers, they can transfer any type of information from one device to another, as long as that information can be represented as a contiguous block of 16-bit words.

The early Modbus-capable PLCs were dedicated computers using a "big-endian" architecture. Most modern PLCs are based on commercial microprocessors using a "little-endian" architecture. The fact that Modbus is used to exchange data between the two kinds of system introduces some confusing subtleties.

Almost all data types other than the original "discrete bit" and "16-bit register value" were introduced after the adoption of little-endian microprocessors. So the representation of these data types on Modbus follows the little-endian pattern, meaning

First register bits 15-0 = data object bits 15-0
Second register bits 15-0 = data object bits 31-16
Third register bits 15-0 = data object bits 47-32
and so on

   B.1 Bit numbering within a word

Modicon PLCs have predefined functions in the 984 ladder language that convert a series of adjacent registers into a block of 1-bit "discretes" of equal length. The most commonly used function is BLKM (block move).

For consistency with the original big-endian architecture, and confusingly, the discretes are numbered starting from the most significant bit, and all numbering sequences start at 1 rather than 0. (Bit numbers in this manual always start at 0 for the least significant bit, consistent with modern software documentation.)

Within such a word (register value):
  
Discrete 1 will be bit 15 (value 0x8000)
Discrete 2 will be bit 14 (value 0x4000)
Discrete 3 will be bit 13 (value 0x2000)
Discrete 4 will be bit 12 (value 0x1000)
Discrete 5 will be bit 11 (value 0x0800)
Discrete 6 will be bit 10 (value 0x0400)
Discrete 7 will be bit 9 (value 0x0200)
Discrete 8 will be bit 8 (value 0x0100)
Discrete 9 will be bit 7 (value 0x0080)
Discrete 10 will be bit 6 (value 0x0040)
Discrete 11 will be bit 5 (value 0x0020)
Discrete 12 will be bit 4 (value 0x0010)
Discrete 13 will be bit 3 (value 0x0008)
Discrete 14 will be bit 2 (value 0x0004)
Discrete 15 will be bit 1 (value 0x0002)
Discrete 16 will be bit 0 (value 0x0001)
  
When there are more than 16 bits, for example a discrete input module with 32 points, discretes 1 to 16 are in the first register and discretes 17 to 32 are in the second register.

This numbering convention is particularly important to understand when handling discrete input and output devices over MODBUS/TCP, where the discrete numbering is consistent with Modicon PLCs.

In particular, note that the IEC-1131 convention numbers the bits in a word from 0 (least significant bit) to 15 (most significant bit), which is the opposite of the discrete numbering.

   B.2 Multi-word variables

In principle, any data structure that can be "cast" to a sequence of 16-bit words can be transmitted and arrives at the target device in the same data format.

The following PLC data types should be noted

   B.2.1 984 Data Types

   984 16-bit unsigned integer

Normal meaning: bits 15-0 of the integer = bits 15-0 of the register

   984 16-bit signed integer

Normal meaning: bits 15-0 of the integer = bits 15-0 of the register

   984 ASCII

Although the PLC itself has no text-handling capability, the original ladder language editor allowed registers to be displayed as 2 ASCII characters. The first character is the upper byte (bits 15-8), and the second character is the lower byte (bits 7-0). This is the opposite of the convention in high-level languages such as C, as used on modern PLCs.

   984 floating point number

Intel single-precision real
The first register contains bits 15-0 of the 32-bit number (bits 15-0 of the significand)
The second register contains bits 31-16 of the 32-bit number (exponent and bits 23-16 of the significand)

   984 single-precision unsigned decimal

Although the range of values is limited to 0-9999, the data representation is the same as for the 16-bit unsigned integer.

   984 double-precision unsigned decimal

This data format is now rarely used, except for the 4-digit decimal notation of the old format.
Values range from 0 to 99999999. The first register contains the most significant 4 digits, and the second register contains the least significant 4 digits, each expressed as a binary value in the range 0-9999.

   B.2.2 IEC-1131 Data Types

All IEC-1131 data types are represented on Modicon PLCs in little-endian form. Examples are as follows

   BYTE

8-bit quantity.
Register bits 7-0 = BYTE bits 7-0

   DINT

32-bit quantity.
Bits 15-0 of the first register = bits 15-0 of DINT
Bits 15-0 of the second register = bits 31-16 of DINT

   INT

Register bits 15-0 = INT bits 15-0

   REAL

32-bit Intel single-precision real number.
Bits 15-0 of the first register = bits 15-0 of REAL (bits 15-0 of the significand)
Bits 15-0 of the second register = bits 31-16 of REAL (exponent and bits 23-16 of the significand)


   UDINT

32-bit quantity.
Bits 15-0 of the first register = bits 15-0 of UDINT
Bits 15-0 of the second register = bits 31-16 of UDINT

   UINT

Bits 15-0 of the register = bits 15-0 of UINT
  
For other types, refer to the relevant IEC-1131 procedures manual.
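The conventions of B.1 and B.2 applied to register values as they appear in a read-registers response, as an added example that is not part of the specification. The function names and sample register values are constructed for illustration.

```python
import struct


def dint_from_regs(regs, signed=True):
    """DINT/UDINT: first register = bits 15-0, second register = bits 31-16."""
    raw = struct.pack(">HH", regs[1], regs[0])
    return struct.unpack(">i" if signed else ">I", raw)[0]


def real_from_regs(regs):
    """REAL / 984 floating point: same word order as DINT, IEEE single precision."""
    return struct.unpack(">f", struct.pack(">HH", regs[1], regs[0]))[0]


def regs_from_real(value):
    """Inverse of real_from_regs: the low word goes in the first register."""
    high, low = struct.unpack(">HH", struct.pack(">f", value))
    return [low, high]


def ascii_from_regs(regs):
    """984 ASCII: first character in bits 15-8, second character in bits 7-0."""
    return b"".join(struct.pack(">H", r) for r in regs).decode("ascii")


def double_decimal_from_regs(regs):
    """984 double decimal: first register holds the most significant 4 digits."""
    high, low = regs
    if high > 9999 or low > 9999:
        raise ValueError("each register must hold a value in the range 0-9999")
    return high * 10000 + low


def discrete_is_set(regs, number):
    """984 discrete numbering: discrete 1 is bit 15 of the first register,
    discrete 16 is bit 0, and discrete 17 is bit 15 of the second register."""
    index, position = divmod(number - 1, 16)
    return bool(regs[index] & (0x8000 >> position))


def set_discretes(regs):
    """List the discrete numbers that are set across a block of registers."""
    return [n for n in range(1, 16 * len(regs) + 1) if discrete_is_set(regs, n)]


if __name__ == "__main__":
    regs = [0x5678, 0x1234]  # constructed register pair
    print(hex(dint_from_regs(regs, signed=False)))  # word order per B.2
    print(hex(regs[0] << 16 | regs[1]))  # what a big-endian word order would give
    print(set_discretes([0x8000, 0x0001]))
```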

This article is reproduced from
http://www.fieldbuses.com/n1024c45p2.aspx
