Modbus

from Wikipedia, the free encyclopedia

The Modbus protocol is a communication protocol based on a master/slave or client/server architecture. It was launched in 1979 by Gould-Modicon for communication with its programmable logic controllers. In industry, Modbus has become a de facto standard because it is an open protocol. The Modbus TCP version has been part of the IEC 61158 standard since 2007.

Basics

A master (e.g. a PC) and several slaves (e.g. measuring and control systems) can be connected using Modbus. There are two versions: one for the serial interface (EIA-232 and EIA-485) and one for Ethernet.

There are three different operating modes for data transmission:

  • Modbus RTU
  • Modbus ASCII
  • Modbus TCP

Each bus participant must have a unique address. Address 0 is reserved for broadcast. Each participant can send messages over the bus; usually, however, communication is initiated by the master and the addressed slave replies.

Read and write access is possible to the following object types:

Object type                                  Access       Size     Function code
Single input/output ("Coil")                 read/write   1 bit    01/05/15
Single input ("Discrete Input")              read only    1 bit    02
(Analog) input ("Input Register")            read only    16 bits  04
(Analog) input/output ("Holding Register")   read/write   16 bits  03/06/16

RTU Modbus

Modbus RTU (RTU: Remote Terminal Unit) transmits the data in binary form. This gives good data throughput, but the data cannot be read directly by humans and must first be converted into a readable format.

Protocol structure

In RTU mode, the start of a transmission is marked by a pause on the line of at least 3.5 character times. Depending on the UART configuration, a character is 10 to 12 bits long (depending on the number of stop bits and whether a parity bit is present), so the duration of the pause depends on the transmission speed. This must be strictly observed at low data rates; at bit rates above 19200 bps a fixed pause of 1.75 ms can be used.

The address field consists of eight bits giving the recipient address. When replying to the master, the slave sends this address back so that the master can match the reply to its request.

The function field consists of 8 bits. If the slave has received the master's request correctly, it answers with the same function code. If an error has occurred, it modifies the function code by setting the most significant bit of the function field to 1.

The data field tells the slave which registers to read and the address at which they start. In the reply, the slave places the data read (e.g. measured values) there to send them to the master. In the event of an error, an error code is transmitted there instead.

The checksum field, computed as a CRC, is 16 bits. The entire telegram must be transmitted as a continuous data stream: if a gap of more than 1.5 character times occurs between two characters, the telegram is to be treated as incomplete and rejected by the recipient.

Field    Begin                               Address   Function   Data      CRC check   End
Length   pause (min. 3.5 character times)    1 byte    1 byte     n bytes   2 bytes     pause (min. 3.5 character times)
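The following Python example is added here for illustration; it is not code from the page or from any Modbus vendor. It builds and checks RTU frames as described above: the CRC-16 over address, function and data (appended low byte first), the error bit in the function field, and a function 03 (Read Holding Registers) request and reply from the object table, which goes slightly beyond the text by decoding the register values. The 1..247 slave address range and the function 03 payload layout come from the Modbus specifications rather than from this page, and all sample frames are constructed.

```python
import struct

# Function code 03 from the object-type table; 05/06/15/16 frames are built the same way.
READ_HOLDING_REGISTERS = 0x03
EXCEPTION_FLAG = 0x80  # most significant bit of the function field marks an error reply


def crc16_modbus(data: bytes) -> int:
    """CRC-16 as used by Modbus RTU: polynomial 0x8005 in reflected form (0xA001),
    initial value 0xFFFF, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 0x0001:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def build_rtu_frame(address: int, function: int, data: bytes) -> bytes:
    """address (1 byte) + function (1 byte) + data (n bytes) + CRC (2 bytes, low byte first)."""
    if not 0 <= address <= 247:  # 0 = broadcast, 1..247 valid slaves (Modbus serial spec, not this page)
        raise ValueError("slave address must be 0 (broadcast) or 1..247")
    body = bytes([address, function]) + data
    return body + struct.pack("<H", crc16_modbus(body))


def read_holding_registers_request(address: int, start: int, quantity: int) -> bytes:
    """Function 03 request: start register and register count, both big-endian."""
    return build_rtu_frame(address, READ_HOLDING_REGISTERS, struct.pack(">HH", start, quantity))


def parse_rtu_frame(frame: bytes) -> dict:
    """Check the CRC and split a received frame into its fields. Raises ValueError
    on a corrupted or truncated frame so the caller discards it, as the text requires."""
    if len(frame) < 4:
        raise ValueError("frame too short: need address, function and CRC")
    body, received_crc = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    if crc16_modbus(body) != received_crc:
        raise ValueError("CRC mismatch: frame corrupted or truncated")
    function = body[1]
    result = {
        "address": body[0],
        "function": function & 0x7F,  # function code without the error bit
        "is_exception": bool(function & EXCEPTION_FLAG),
        "data": body[2:],
    }
    if result["is_exception"]:
        if len(body) < 3:
            raise ValueError("exception reply without exception code")
        result["exception_code"] = body[2]  # error code carried in the data field
    return result


def frame_is_valid(frame: bytes) -> bool:
    """True if the frame parses and its CRC matches."""
    try:
        parse_rtu_frame(frame)
        return True
    except ValueError:
        return False


def decode_register_reply(frame: bytes) -> list:
    """Decode a function 03 reply: byte count, then big-endian 16-bit registers."""
    parsed = parse_rtu_frame(frame)
    if parsed["is_exception"]:
        raise ValueError(f"slave returned exception code {parsed['exception_code']}")
    data = parsed["data"]
    if not data or data[0] != len(data) - 1 or data[0] % 2:
        raise ValueError("byte count does not match the payload length")
    return list(struct.unpack(f">{data[0] // 2}H", data[1:]))


if __name__ == "__main__":
    # Constructed sample: read 10 holding registers from register 0 of slave 1.
    request = read_holding_registers_request(1, 0, 10)
    print(request.hex(" "))  # 01 03 00 00 00 0a c5 cd
    reply = build_rtu_frame(1, READ_HOLDING_REGISTERS, bytes([4]) + struct.pack(">HH", 0x1234, 0x5678))
    print(decode_register_reply(reply))  # [4660, 22136]
```

A receiver built this way rejects anything whose CRC does not match, including a frame cut short by the 1.5-character gap rule; the byte-count check in the reply decoder is the second line of defence against a malformed reply being trusted.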

ASCII Modbus

In Modbus ASCII no binary sequence is transmitted, but ASCII code. This means that the data can be read directly by humans, but the data throughput is lower than with RTU.

Protocol structure

In ASCII mode, messages begin with a leading colon; the end of the message is marked by the character sequence carriage return, line feed (CRLF).

The first two bytes contain two ASCII characters that represent the address of the recipient. The command to be executed is encoded in the next two bytes. The data follow in a further n characters. An LRC (longitudinal redundancy check) is computed over the entire telegram (excluding the start and end markers) for error detection. If a pause of more than 1 s occurs during the transmission of a frame, the frame is treated as an error. The user can configure a longer timeout.

Field    Begin              Address        Function       Data           LRC check      End
Length   1 character (:)    2 characters   2 characters   n characters   2 characters   2 characters (CRLF)
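The Python example below is added for illustration and is not part of the page or of any Modbus implementation. It encodes and checks ASCII telegrams as laid out in the table: colon, hex-encoded address, function and data, hex-encoded LRC, CRLF. The `extract_ascii_frames` helper is an assumption about how a receiver cuts frames out of its serial buffer; it also handles the case where a new colon arrives before the previous frame has ended, which the Modbus serial specification treats as a restart of reception (not stated on this page). Sample frames are constructed.

```python
HEX_DIGITS = set(b"0123456789ABCDEFabcdef")


def lrc(data: bytes) -> int:
    """Longitudinal redundancy check: two's complement of the byte sum, modulo 256."""
    return (-sum(data)) & 0xFF


def build_ascii_frame(address: int, function: int, data: bytes) -> bytes:
    """':' + hex(address) + hex(function) + hex(data) + hex(LRC) + CRLF, each byte as two
    uppercase hex characters. The LRC covers address, function and data only."""
    body = bytes([address, function]) + data
    return b":" + body.hex().upper().encode("ascii") + f"{lrc(body):02X}".encode("ascii") + b"\r\n"


def parse_ascii_frame(frame: bytes) -> dict:
    """Validate framing, hex encoding and LRC of one complete ASCII telegram."""
    if not (frame.startswith(b":") and frame.endswith(b"\r\n")):
        raise ValueError("missing ':' start or CRLF end marker")
    hex_part = frame[1:-2]
    # address (2) + function (2) + LRC (2) is the minimum, and hex digits come in pairs
    if len(hex_part) < 6 or len(hex_part) % 2:
        raise ValueError("odd-length or too-short hex payload")
    if any(c not in HEX_DIGITS for c in hex_part):
        raise ValueError("non-hex character in frame")
    raw = bytes.fromhex(hex_part.decode("ascii"))
    body, received_lrc = raw[:-1], raw[-1]
    if lrc(body) != received_lrc:
        raise ValueError("LRC mismatch: frame corrupted")
    function = body[1]
    return {
        "address": body[0],
        "function": function & 0x7F,
        "is_exception": bool(function & 0x80),  # same error-bit convention as RTU
        "data": body[2:],
    }


def ascii_frame_is_valid(frame: bytes) -> bool:
    try:
        parse_ascii_frame(frame)
        return True
    except ValueError:
        return False


def extract_ascii_frames(buffer: bytes):
    """Split a receive buffer into complete frames and the unfinished tail.
    Bytes before a ':' are noise (e.g. the rest of an aborted frame) and are dropped,
    which is how a receiver resynchronises on the start marker."""
    frames = []
    while True:
        start = buffer.find(b":")
        if start < 0:
            return frames, b""
        end = buffer.find(b"\r\n", start)
        if end < 0:
            return frames, buffer[start:]  # frame still in progress
        # a ':' inside a frame restarts reception: keep only the last one before CRLF
        start = buffer.rfind(b":", start, end)
        frames.append(buffer[start:end + 2])
        buffer = buffer[end + 2:]


if __name__ == "__main__":
    # Constructed sample: the same "read 10 holding registers" request as in ASCII mode.
    frame = build_ascii_frame(1, 3, bytes.fromhex("0000000A"))
    print(frame)  # b':01030000000AF2\r\n'
    print(parse_ascii_frame(frame))
```

The 1 s inter-character timeout from the text is a property of the serial driver, not of the byte parser: a driver that times out simply discards its partial buffer, and the next call to `extract_ascii_frames` resynchronises on the following colon.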

Modbus/TCP

Modbus/TCP is very similar to RTU, except that TCP/IP packets are used to transfer the data. TCP port 502 is reserved for Modbus/TCP. Modbus/TCP has been specified in the IEC 61158 standard since 2007 and is referenced in IEC 61784-2 as CPF 15/1.

Protocol structure

Field    Transaction identifier   Protocol identifier       Number of bytes remaining   Address   Function   Data
Length   2 bytes                  2 bytes (always 0x0000)   2 bytes (n + 2)             1 byte    1 byte     n bytes

Since no CRC checksum has to be calculated here, implementing a driver for the TCP interface is easier than for the serial interface, provided an existing TCP implementation can be used.
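The following Python example is added here and is not code from the page or from any Modbus library. It builds and validates the Modbus/TCP header from the table (transaction identifier, protocol identifier 0x0000, remaining byte count n + 2, address, function, data) and shows the check a receiver should make before trusting the length field, since TCP carries a byte stream and the length field is the only framing. The 253-byte PDU limit comes from the Modbus application protocol specification rather than from this page; sample frames are constructed.

```python
import struct

MBAP_HEADER_LEN = 7          # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MODBUS_PROTOCOL_ID = 0x0000  # always zero for Modbus
MAX_PDU_LEN = 253            # function code + data (Modbus application spec, not on this page)
MAX_LENGTH_FIELD = MAX_PDU_LEN + 1  # the length field also counts the unit identifier


def build_tcp_adu(transaction_id: int, unit_id: int, function: int, data: bytes) -> bytes:
    """MBAP header followed by the PDU. The length field counts everything after
    itself: unit id + function + data, i.e. n + 2 for n data bytes."""
    pdu = bytes([function]) + data
    if len(pdu) > MAX_PDU_LEN:
        raise ValueError("PDU exceeds 253 bytes")
    header = struct.pack(">HHHB", transaction_id, MODBUS_PROTOCOL_ID, len(pdu) + 1, unit_id)
    return header + pdu


def parse_tcp_adu(adu: bytes) -> dict:
    """Validate the MBAP header before using any of it. The length field arrives
    from the network, so it is checked against the bytes actually present and
    against the protocol maximum before it drives any buffer handling."""
    if len(adu) < MBAP_HEADER_LEN + 1:
        raise ValueError("shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", adu[:MBAP_HEADER_LEN])
    if protocol_id != MODBUS_PROTOCOL_ID:
        raise ValueError(f"protocol identifier 0x{protocol_id:04X} is not Modbus")
    if not 2 <= length <= MAX_LENGTH_FIELD:
        raise ValueError("length field outside 2..254")
    if length != len(adu) - 6:
        raise ValueError("length field does not match the number of bytes received")
    function = adu[MBAP_HEADER_LEN]
    return {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "length": length,
        "function": function & 0x7F,
        "is_exception": bool(function & 0x80),
        "data": adu[MBAP_HEADER_LEN + 1:],
    }


def adu_is_valid(adu: bytes) -> bool:
    try:
        parse_tcp_adu(adu)
        return True
    except ValueError:
        return False


def split_adus(buffer: bytes):
    """TCP delivers a byte stream, not messages: use the length field to cut complete
    ADUs out of the receive buffer and return the unfinished tail for the next read."""
    adus = []
    while len(buffer) >= 6:
        protocol_id, length = struct.unpack(">HH", buffer[2:6])
        if protocol_id != MODBUS_PROTOCOL_ID or not 2 <= length <= MAX_LENGTH_FIELD:
            raise ValueError("corrupt MBAP header in stream; close the connection")
        total = 6 + length
        if len(buffer) < total:
            break  # wait for more bytes
        adus.append(buffer[:total])
        buffer = buffer[total:]
    return adus, buffer


if __name__ == "__main__":
    # Constructed sample: transaction 1, unit 1, read 10 holding registers from register 0.
    adu = build_tcp_adu(1, 1, 3, bytes.fromhex("0000000A"))
    print(adu.hex(" "))  # 00 01 00 00 00 06 01 03 00 00 00 0a
    print(parse_tcp_adu(adu))
```

Because there is no CRC, the length field and the protocol identifier are the only consistency checks available at this layer; a receiver that does not bound the length field before allocating or waiting on it is easy to stall or confuse with a single malformed header.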

MODBUS/TCP Security Protocol

In October 2018, a secure variant of the Modbus/TCP protocol based on Transport Layer Security (TLS) was published. It uses X.509 v3 digital certificates to authenticate server and client, which is intended to prevent attacks on networked Modbus/TCP components (e.g. man-in-the-middle attacks). Secure Modbus/TCP also offers role-based access control. It uses TCP port 802. The protocol is described in the MODBUS/TCP Security Protocol Specification.
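As an added illustration (not code from the page, the specification or any Modbus product), the Python below configures the TLS side of such a connection with the standard `ssl` module: both endpoints present an X.509 certificate and both verify the peer's, so neither a client nor a server can be impersonated by a device that merely sits on the network path. The certificate and CA file names are placeholders, the TLS 1.2 minimum is an assumption of this example, and the `peer_subject` helper shows where an application would take the authenticated identity from; the specification's own role-based access control mechanism is not reproduced here.

```python
import ssl

MODBUS_SECURITY_PORT = 802  # TCP port named in the text for the secured variant


def build_secure_modbus_context(role: str) -> ssl.SSLContext:
    """TLS context for one side of a secured Modbus/TCP connection. Both sides
    require an X.509 certificate from the peer (mutual authentication)."""
    if role == "server":
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    elif role == "client":
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # also turns on hostname checking
    else:
        raise ValueError("role must be 'server' or 'client'")
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumption: refuse legacy protocol versions
    ctx.verify_mode = ssl.CERT_REQUIRED           # peer must present a certificate we can validate
    return ctx


def load_identity(ctx: ssl.SSLContext, certfile: str, keyfile: str, cafile: str) -> ssl.SSLContext:
    """Attach this side's certificate and key, plus the CA that issued the peer's
    certificate. The file names are supplied by the deployment (placeholders here)."""
    ctx.load_cert_chain(certfile, keyfile)
    ctx.load_verify_locations(cafile)
    return ctx


def peer_subject(tls_sock: ssl.SSLSocket) -> dict:
    """After the handshake, return the peer certificate's subject as a dict so the
    application can log which identity it is talking to and decide what that
    identity may do (the hook for role-based access decisions)."""
    cert = tls_sock.getpeercert()
    if not cert:
        raise ssl.SSLError("peer presented no certificate")
    return {key: value for rdn in cert["subject"] for key, value in rdn}
```

Typical use on the server side: `ctx = load_identity(build_secure_modbus_context("server"), "server-cert.pem", "server-key.pem", "client-ca.pem")`, then `ctx.wrap_socket(accepted_socket, server_side=True)` on each connection accepted on port 802; Modbus/TCP ADUs are then exchanged over the wrapped socket exactly as over port 502, and `peer_subject` identifies the client for logging and authorisation.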

References

  1. Modbus Organization, Inc.: MODBUS over Serial Line - Specification and Implementation Guide. Modbus Organization, Inc., accessed March 27, 2020.
  2. Modbus Organization, Inc.: Press release: Modbus Security - New Protocol to Improve Control System Security. Modbus Organization, Inc., October 29, 2018, accessed January 25, 2019.
  3. Modbus Organization, Inc.: MODBUS/TCP Security Protocol Specification. Modbus Organization, Inc., accessed January 25, 2019.