Modbus and Modbus TCP

volleyballbeginnerNetworking and Communications

Oct 27, 2013 (4 years and 17 days ago)

195 views

Modbus and Modbus TCP


Client/Server communications protocol designed by
Modicon in 1979 for use with its’ PLCs


Openly published and free of royalties or licensing
fees


The most common industrial communications
protocol in the US


Used widely for Building Management Systems


Passes raw words of bits without processing them


Originally a serial protocol very similar to RS
-
485, it
now has a TCP variant


Also available as Modbus Plus, which is proprietary
to Modicon and requires specialized hardware

Modbus and Modbus TCP


Basic Modbus protocol does not support floating point
or ASCII


A MODBUS Request
is the message sent on the
network by the Client to initiate a transaction


A MODBUS Indication
is the Request message
received on the Server side


A MODBUS Response
is the Response message sent
by the Server


A MODBUS Confirmation
is the Response Message
received on the Client side



Modbus TCP

Modbus TCP

Basic Requirements


The Ethernet physical interface must be present


The Modbus TCP firmware for the Ethernet
processor must be installed


V 1.117 or newer PMAC or V1.941 or newer
Turbo PMAC firmware must be installed


A user buffer of 256 or more words must have
been defined with the DEFINE UBUFFER
command


I67 must be set to a value greater than 0.



Modbus TCP

Basic Setup with PEWIN32 Pro2

-
Configure
-
>Modbus Setup

-
Set the start address
-

In the standard Turbo PMAC
CPU/memory configuration (Option 5C0), this address will be
$010700

-
The software will automatically set I67 to the correct value
The book says it will do so after setting it equal to any
number > 0, then SAVE and $$$, but this does not always
work

-
You must choose the size of the buffer


default is 256
words

-
Press Setup Modbus Buffer button



Modbus TCP Setup

-
Press Update PMAC button


this will SAVE and $$$


ACC
-
65ETH


Set up the IP address of the ACC
-
65ETH as per the hardware
reference manual using the web browser and the default address of
http://192.6.94.50



Go to the Modbus TCP configuration utility in PEWIN32 Pro2


Choose the next unused Active Socket. If you are not using a
socket for PMAC interrupts, you may use Socket 1


Choose Modbus Client as the Active Mode


Set Timer 1 to 50 (250 ms)


Set the Server Address as per that set in the ACC
-
65ETH


Set the Timer to 1


Set the FC Command Description to 23 (read/write multiple
words)






ACC
-
65ETH


Set the Modbus Reference Number for the Write to 4


Set the Modbus Reference Number for the Read to 0


Set the PMAC Reference Number for the Write to 36


Set the PMAC Reference Number for the Read to 32


Set both Lengths to 4


Press the Update Command button, then the Update PMAC button



This writes the command shown in the Command text box to
memory in the PMAC. You can check this by pointing MVARs to the
Modbus Command memory space at the start of the Modbus Buffer
space.




ACC
-
65ETH

Data begins at i67+$80+$10 (PMAC Reference 32=16 words =$10)

Assuming i67=$10700:

X:$10790,0,16 Digital inputs 0
-
15



32

Y:$10790,0,16


24Vok input and digital inputs 16
-
23

33

X:$10791,0,12


ADC Input1




34

Y:$10791,0,12


ADC Input2




35

X:$10792,0,16


Digital Outputs 0
-
15



36

Y:$10792,0,16


RLY1, RLY2, Digital outputs 16
-
23


37

X:$10793,0,12


DAC 1





38

Y:$10793,0,12


DAC 2





39

The PMAC Modbus/TCP
-
IP

configuration

& buffer memory format


Offset

from

I
67

23

X

Memory

0

23

Y

Memory

0

0

Sock

#
0

Mode(upper
4

of

8

bits)

TBD

(
16

bits)

TBD

(
8

bits)

Client

CmdListStrt

(
8
bits)

Client

CmdListEnd

(
8
bits)

1

IP

future

IP

future

Server

IP
0

Server

IP
1

Server

IP
2

Server

IP
3

2

Future

Spare

Future

Spare

4
-
0
xB

Repeat

above

for

Sockets

1
-
3

Repeat

above

for

Sockets

1
-
3

0
xC

TBD

(
8

bits)

TBD


(
8

bits)

Period

Timer

4

(
8

bits)

Period

Timer

3

(
8

bits)

Period

Timer

2

(
8

bits)

Period

Timer

1

(
8

bits)

0
xD

TBD

TBD

0
xE

TBD

TBD

0
xF

TBD

TBD

0
x
10

0
x
69

Start

of

1
st

Client

Modbus

Cmd

List

Start

of

1
st

Client

Modbus

Cmd

List

0
x
80

Start

of

16

bit

Client/Server

Modbus

Buffer

Start

of

16

bit

Client/Server

Modbus

Buffer

The PMAC Modbus/TCP
-
IP

configuration

& buffer memory format


The
Socket Mode
s ( upper 4 of 8 bits):


0
-

Socket NOT ACTIVE


1
-

Server TCP, PMAC ASCII protocol.


IP Address = 0.0.0.0


2
-

Server TCP, PMACtoClient Interrupt ASCII string.



IP Address = 0.0.0.0 Only available on



Turbo UMACs.


3
-

Server Modbus/TCP
-
IP. IP Address not used.


4
-

Client Modbus/TCP
-
IP. IP Address of Server.



The
IP Address 192.6.94.5

is stored as:




IP0=192, IP1=6, IP2=94, IP3=5

M6704=IP address 192.168.0.50

M6703=first digit=4 for Client

M6716=start of FC23 for Socket 1

M6717=end of FC23 for Socket 1

M6710


M6715 are commands
for PMAC ASCII on Socket 0

Modbus Client Command List
Memory Format

X
:
23

-

16

X
:
15

-

0

Y
:
23

-

16

Y
:
15

-

0

Timer

(
3

bits)/

Function

Code

(
5

bits)

Modbus

Reference

#

(
16

bits)

Count

(length)

(
8

bits)

PMAC

Reference

#

(
16

bits)

$370000040020,$000004040024

$37 = Timer 1, FC 23

$0000 = Modbus Reference Number = 0

$04 = Length = 4

$0020 = PMAC Reference Number = $20

$0004 = Modbus Reference Number = 0

$04 = Length = 4

$0024 = PMAC Reference Number = $20

$00 = no function for FC 23

First Word = Read Data

Second Word = Write Data

Reference Numbers


The PMAC one is the offset into the PMAC
Modbus Server/Client buffer where the
Modbus data is read from or written to.


The Modbus one is sent over Modbus/TCP
-
IP with the data.
Note the PMAC &
Modbus reference numbers are actual
offsets and do not abide by the
standard Modbus reference number
where you subtract one from it to get
the offset into memory. We start at
zero and not one.


Memory Allocation



PMAC Modbus/TCP Client/Server Buffer Size

is fixed at 128
x 32 bits.


Length for FC23 is fixed in 2 x Modbus Bytes = 16 bits


Length for FC2 and FC15 is in bits


Always use all 32 bits of one Modbus memory location for one
type


do not use 16 bits for inputs and 16 for outputs

Wago Modular I/O


Setting up a Wago 750
-
342 Modbus


TCP module and rack with a 753
-
512


(2 DO), a 753
-
502 ( 4 DI), 753
-
4011


(2 AO), and a 753
-
403 (2 AI)


Run BootPServer, and Edit BootPTab


If using no Proxy server then edit the line that starts with
KeinProxy:




Wago1NoProxy:ht=1:ha=0030DE00B6DF:ip=192.168.0.52:


If using proxy then edit the line that starts with Hamburg:



Wago1Proxy:ht=1:ha=0030DE00B6DF:ip=192.168.0.52:T3=0A
.01.FE.01:




NOTE: IP address of the proxy server is in Hex

NOTE: ha parameter must match the MAC address of your 750
-
342

Wago Modular I/O


When addressing, first of all the more complex
modules (modules occupying 1 or more bytes) are
taken into account in accordance with their physical
order behind the field bus coupler. As such, they
occupy the addresses starting with word 0.



Following this, the data of the other modules
(modules occupying less than 1 byte) follow,
grouped into bytes. In accordance with the physical
byte
-
wise order this data is used to fill up the bytes.
As soon as a full byte is occupied by the bit
-
oriented
modules, the next byte is automatically started.


Wago Modular I/O


FC23, PMAC refs 40, 44, Modbus ref
0,4


Note that Wago documentation starts
with 0, not 1


DO found at i67+$95


AO found at i67+$94


DI found at i67+$97


AI found at i67+$96


Wago Modular I/O

Data width >= 1 word/channel

Analog input modules

Analog output modules

Input modules for thermal elements

Input modules for resistance sensors

Pulse width output modules

Interface module

Up/down counter

I/O modules for angle and path measurement

Wago Modular I/O


Data width = 1 Bit / channel


Digital input modules


Digital output modules


Digital output modules with diagnosis (2 Bit
/ channel)


Power supply modules with fuse holder /
diagnosis


Solid State power relay


Relay output modules

Automation Direct GS
Series VFD


Set IP Address using DIP switch


Set SW2 and SW3 to RS
-
485


Parameters to set using IE or keypad:


P 3.00: 03 (keypad stop ena) 04


(keypad stop disabled)


P 4.00: 05 (frequency determined by


RS485 interface)


P 4.04: 01 (states is to enable reverse command from analog but
when = 0 the remote RUN command dead)


P 9.00: xx (unique communication address 1
-
254)


P 9.01: 01 (9600 baud data transmission rate)


P 9.02: 05 (MODBUS RTU mode
-

8 data bits, odd parity, 1 stop
bit)

Automation Direct GS
Series VFD


download NetEdit3 from Automation Direct at:
http://www.hosteng.com/SW
-
Products/NetEdit3.zip


Insure that NWLink IPX/SPX/NetBios compatible
protocol is loaded on your PC by going to the
properties of your Ethernet connection


Run NetEdit 3 and select TC/PIP as type


Press the Scan Network Button. If this is the first
time you have talked to this device you will see the
address 255.255.255.0. Click on this address and
set to the desired network address. This address
should be in the same range as that of the PMAC.


Now you must power the drive down and back up.
If you open NetEdit again you should now see the
drive type listed in the address.

Automation Direct GS
Series VFD


Connect to the drive using IE to set drive
parameters


Calculating Modbus Reference for the GS
-
EDRV


Take the GS parameter number (for example,
6.31 is the current error code)


Take the digits after the decimal place and
convert to hex (for 6.31 this will be $1F)


Multiply the digit(s) before the decimal by $100
and add to the results of the previous calculation
(for 6.31 this will yield $61f


Convert this to decimal ($61f
-
> 1567) and this
is your Modbus Reference


Automation Direct GS
Series VFD

Command

Data Location

Command
Type

Modbus Reference

PMAC
Reference

Count
(leng
th)

read frequency command

M1660
(base+
$80)

FC3

2330

1

1

set frequency command
-

NOTE
-

divide by 10 to
get freq
-

so 500 = 50.0

m1661

FC16

2330

2

1

read run command

m1662

FC3

2331

3

1

set run command

m1663

FC16

2331

4

1

read direction command

m1664

FC3

2332

5

1

set direction command

m1665

FC16

2332

6

1

read current error code

m1666

FC3

1567

7

1

read last error code

m1667

FC3

1568

8

1

Automation Direct GS
Series VFD



Read/Write


Hex

Modbus



Speed Reference

091AH

42331



Run Command


091BH

42332



Direction


091CH

42333



External Fault


091DH

42334



Fault reset


091EH

42335



Jog



091FH

42336



Status


2101H

48450



Frequency cmd


2102H

48451



Output frequency

2103H

48452



Output current


2104H

48453



DC
-
bus voltage


2105H

48454



Output voltage


2106H

48455



Motor RPM


2107H

48456



Scale freq (low)


2108H

48457



Scale freq (high)

2109H

48458



% Load


210BH

48460



Firmware Version

2110H

48465




$91a=2330


4 is used as a holder

Modbus Reference start
with 1, not 0


The correct Modbus
Reference for us is
2330, not 2331

Phoenix FL IL BK Modbus
I/O


In the demo this is a client
at 192.168.2.80 on Socket 3


FC3 with Modbus Ref 0,
PMAC Ref 6, Count 1, and
FC6 with Modbus Ref 384,
PMAC Ref 24, Count 1




Demo has 16 digital inputs mapped to M839 and 16

digital outputs mapped to M1



Demo is being set output values by the PMAC, and

the QTERM is reading input values


Phoenix FL IL BK Modbus
I/O


Base configuration at the module can
be done with IE


QTerm


Acting as a client in the demo


PLCs running on PMAC interpreting
command words from the client


M844


Feedrate override


M841


Command Word


M846


Rotary Position A


M847


Rotary Position B


QTerm

M841

Function

1

Axis Select

2

Feedhold

4

Cycle Start

8

Home

16

Estop

32

Program Set

4096

J+

8192

J
-

16384

J=

Exor Uniop Terminal


Client mode or
Server mode


Basic HMI with
development
package


Exor Uniop Terminal

Exor Uniop Terminal

Modbus TCP Software
Control Panel


Allows command of the PMAC with no code
on the PMAC exactly as the DPR Control
Panel does


I69 enables (firmware 1.942 and up)


Typically set to $80 to set the start of the
panel memory space $80 long words after
the start of Modbus memory


Reserves 26 long words



PMAC/TURBO Firmware Modbus (I69) Memory Map


PMAC
Address
(I69 +)

PMAC/Mo
dbus Ref.
#

X: Memory Parameter

Y: Memory Parameter

$0

0/1

Coordinate System Feed Pot Override
Enable

Motor/Coordinate System Enable

$1

2/3

Coordinate 1 System Feed Pot Override

Motor/Coordinate System 1 Request

$2

4/5

Coordinate 2 System Feed Pot Override

Motor/Coordinate System 2 Request

$3

6/7

Coordinate 3 System Feed Pot Override

Motor/Coordinate System 3 Request

$4

8/9

Coordinate 4 System Feed Pot Override

Motor/Coordinate System 4 Request

$5

10/11

Coordinate 5 System Feed Pot Override

Motor/Coordinate System 5 Request

$6

12/13

Coordinate 6 System Feed Pot Override

Motor/Coordinate System 6 Request

$7

14/15

Coordinate 7 System Feed Pot Override

Motor/Coordinate System 7 Request

$8

16/17

Coordinate 8 System Feed Pot Override

Motor/Coordinate System 8 Request

$9

18/19

Reserved

Reserved

$A

20/21

Reserved

Reserved

$B

22/23

Reserved

Reserved

$C

24/25

Reserved

Reserved

$D

26/27

Reserved

Reserved

$E

28/29

Reserved

Reserved

$F

30/31

Reserved

Reserved

Bit Format of Control Panel Motor/Coordinate

System Enable Word (Y:I69)


BIT

Control Panel Motor/Coordinate System Enable Mask

(Set bit to enable; PMAC clears on taking action)

0

Motor/Coordinate System # 1 + Mtr/CS offset

1

Motor/Coordinate System # 2 + Mtr/CS offset

2

Motor/Coordinate System # 3 + Mtr/CS offset

3

Motor/Coordinate System # 4 + Mtr/CS offset

4

Motor/Coordinate System # 5 + Mtr/ CS offset

5

Motor/Coordinate System # 6 + Mtr/CS offset

6

Motor/Coordinate System # 7 + Mtr/CS offset

7

Motor/Coordinate System # 8 + Mtr/CS offset

15


8

Turbo Mtr/CS offset is limited to 31 (PMAC not used)

Bit Format of Coordinate System (CS) Feed Pot

Override Enable Word (X:I69)

BIT

Set bit to enable Override, clear bit to disable

0

Coordinate System # 1 + CS offset

1

Coordinate System # 2 + CS offset

2

Coordinate System # 3 + CS offset

3

Coordinate System # 4 + CS offset

4

Coordinate System # 5 + CS offset

5

Coordinate System # 6 + CS offset

6

Coordinate System # 7 + CS offset

7

Coordinate System # 8 + CS offset

15


8

Turbo CS offset is limited to 8 (PMAC not used)

Bit Format of Motor/Coordinate System


Words (Y:I69+1 to 8)

BIT

REQUEST (1 = action requested; 0 = no action
requested)

0
-
7

(Reserved for Delta Tau Future Use)

8

Jog
-
Minus (Motor Only) *

9

Jog
-
Plus (Motor Only) *

10

Pre
-
Jog
-

J= (Motor Only)

11

Start (RUN) (Coord. Sys. Only)

12

Step (STEP/QUIT) (Coord. Sys. Only)

13

Stop (ABORT) (Coord. Sys. Only)

14

Home (Motor Only)

15

Feed Hold (HOLD) (Coord. Sys. Only)

* When both Jog
-
Minus and Jog
-
Plus are set, motor will stop

New Features (1.943+,
1.117+)


Add eight more direct control bits
commands
:


B
,

K
,

J:*
,

J^*
,

J=*
,

>
,

<
, and
^K



Read/Write an

ASCII (PMAC Modbus
Address 0xF000)



Read/Write PMAC In (PMAC Modbus
Address 0x1000
-
0x3FFF)
,
Mn (PMAC
Modbus Address 0x4000
-
0x7FFF)
,
Pn
(PMAC Modbus Address 0x8000
-
0xBFFF)

and
Qn

(PMAC Modbus Address 0xC000
-
0xEFFF)
using a Modbus 32 bit float data type.



New Features (1.943+,
1.117+)


Read/Write PMAC Qn C.S. #

(PMAC
Modbus Address 0xF500)


Read & Clear PMAC Modbus Command
Error Status word (PMAC Modbus
Address 0xF100)


Read/Write PMAC Modbus Registers
relative to I69 (PMAC Modbus Address
0xF200
-
0xF2FF)



Read/Write PMAC Modbus Coils
relative to

I69

(PMAC Modbus Address
0xF300
-
0xF4FF)


Gotchas


With a non
-
Turbo PMAC do not do power on phasing
as it turns off background processing long enough for
the Ethernet processor to initialize without the main
processor initializing the i67 sockets


Make sure that server Port 502 is not being blocked by
firewall software


Make sure that firewall software is not blocking client
ports (>1024, exact port dependent on device, but
different port for every open client socket


Server vs Client in 3d party documentation


Addressing in 3d party documentation