Modbus
• The Modbus protocol was developed by Modicon in 1979
• Modbus is an open source communication protocol which is widely used
in industrial automation, and each intelligent device has a Modbus communication port
● RS 232, RS 422, RS 485, Mod. ASCII, Mod. RTU are serial communication
● Modbus TCP/IP is Ethernet communication
● Modbus ASCII
○ American Standard code for information interchange
○ Data length is 7bit
○ Data transfer is slow
● Modbus RTU
○ Remote Terminal unit
○ Data length is 8 bit
○ Data transfer is fast
RS 232
● The RS-232 interface complies with the interface standard for serial data
communication established by the Electronic Industries Alliance (EIA).
The original number is EIA-RS-232 (232, RS232 for short). It is widely
used for computer serial interface peripheral connections, connect
cables, and mechanical, electrical, signal, and transfer processes.
● The RS-232 standard specifies data transmission rates of 50, 75, 100,
150, 300, 600, 1200, 2400, 4800, 9600, and 19200 baud.
Rs 232 deficiencies
● RS-232 is one of the mainstream serial communication interfaces. Due
to the early appearance of the RS232 interface standard, there are
inevitably deficiencies
● #1: High interface signal level
● The interface’s signal level is high, making it easy to damage the chip of
the interface circuit. The voltage on any signal line of the RS232
interface follows negative logic.
● Logic “1” is -3V to -15V and logic “0” is +3V to +15V, with a noise margin
of 2V. The receiver must recognize a signal higher than +3V as logic
“0” and a signal lower than -3V as logic “1”, whereas TTL treats 5V as logic
positive and 0V as logic negative. Because these levels are incompatible with
TTL, a level-shifting circuit is required to connect to a TTL circuit.
● #2: Low transmission rate
● The transmission rate is low. In asynchronous transmission, the bit rate
is 20Kbps, which is why the 51CPLD development board’s integrated
program baud rate can only be 19200.
● #3: Weak noise immunity
● The RS232 interface uses a signal line and a signal return line to form
a common-ground transmission path. This common-ground transmission
is prone to common-mode interference, so the noise immunity is weak.
● #4: Short transmission distance
● The transmission distance is limited. The maximum distance is 50 feet,
which is only about 15 meters.
What is RS485
● The RS-485 serial bus is widely used when the communication distance
must be several tens of meters to several kilometers. RS-485 uses
balanced transmission and differential reception to reject common-mode
interference.
● In addition, the bus transceiver is highly sensitive and can detect
voltages as low as 200mV, so the transmitted signal can be recovered beyond
a kilometer.
● RS-485 operates in half-duplex mode, and only one point can send
at any time. Therefore, the transmitting circuit must be controlled by an
enable signal.
Rs 485
● RS-485 is very convenient for multi-point interconnection and can save many signal lines.
RS-485 devices can be networked to form a distributed system that connects up to 32 drivers
and 32 receivers in parallel.
● Electrical characteristics of RS-485: The logic “1” is represented by the voltage difference
between the two lines +2V~+6V, and the logic “0” is represented by the voltage difference
between the two lines -6V~-2V. The interface signal level is lower than RS-232-C, and damaging
the interface circuit chip is difficult. The level is compatible with the TTL level, which is convenient
for connecting with the TTL circuit.
● The highest data transmission rate is: 10Mbps
● The RS-485 interface combines a balanced driver and a differential receiver, which gives it
strong common-mode interference rejection and good anti-noise performance.
● The maximum transmission distance of the RS-485 interface is 4000 feet, up to 3000 meters.
● The RS-232-C interface allows only one transceiver to be connected to the bus, i.e., single-station
capability. In contrast, the RS-485 interface allows up to 128 transceivers to be connected on the
bus, i.e., multi-station ability. The user’s device network can be quickly established using a single
RS-485 interface.
RS 422
● The full name of the RS-422 standard is “the electrical characteristics of the
balanced voltage digital interface circuit,” which defines the characteristics
of the interface circuit. There is a signal ground, a total of 5 lines.
● Since the receiver uses high input impedance and the transmission driver
has a stronger driving capability than RS232, it can connect multiple
receiving nodes on the same transmission line, and up to 10 nodes can be
connected.
● There is one master device (Master), and the rest are slave devices
(Slave). The slave devices cannot communicate with each other, so
RS-422 supports point-to-multipoint two-way communication. The
receiver input impedance is 4k, so the maximum load capacity of the
transmitter is 10 × 4k + 100Ω (terminating resistor).
● Since the RS-422 four-wire interface uses separate transmit and receive channels,
there is no need to control the data direction. Any necessary signal exchange
between devices can be done in software mode (XON/XOFF handshake) or
hardware mode (a separate twisted pair).
● The RS-422 has a maximum transmission distance of 4000 feet (about 1219 meters)
and a maximum transmission rate of 10 Mb/s.
● The length of the balanced twisted pair is inversely proportional to the transmission
rate, and it is possible to reach the maximum transmission distance below the 100
kb/s rate. The highest rate of transmission is only possible at very short distances.
The maximum transmission rate on a typical 100-meter twisted pair is only 1 Mb/s.
● RS-422 requires a terminating resistor with a resistance equal to approximately the
characteristic impedance of the transmission cable. In short-distance transmission,
the resistor is not needed. That is, generally, it is not needed below 300 meters. The
terminating resistor is connected to the farthest end of the transmission cable.
RS422 vs RS-485, What is the difference
● The RS-422 and RS-485 circuits work on the same principle. They send and receive in
differential mode; no digital ground is required. Differential operation is the fundamental
reason for the long transmission distance under the same rate condition.
● That is the real difference between RS-422, RS-485, and RS232. Because RS232 is a
single-ended input and output, duplex operation requires at least three lines: digital ground,
a send line, and a receive line (asynchronous transmission). You can also add other
control lines to complete synchronization and other functions.
● RS-422 can send and receive in full-duplex operation through two twisted pairs. RS485
can only work half-duplex and cannot perform transmission and reception simultaneously,
but it only needs one twisted pair. RS422 and RS485 can transmit 1200 meters
at 19kbps. A device can connect to the line on the new transceiver.
● The electrical performance of RS-422 is the same as that of RS-485. The main difference
is that RS-422 has four signal lines: two transmissions (Y, Z) and two receptions (A, B).
Since the reception and transmission of RS-422 are separate, they can be simultaneously
received and transmitted (full-duplex); RS-485 has two signal lines: transmission and
reception.
Difference between RS 485 and RS 232
● RS232 is full-duplex, RS485 is half-duplex, and RS422 is full-duplex.
● RS485 and RS232 are only physical communication protocols (i.e.,
interface standards); RS485 is the differential transmission mode, and
RS232 is the single-ended transmission mode. Still, the communication
program does not differ much.
Modbus RS 485 Wiring
● D+, D- and SG for grounding
[Wiring diagram: PLC master station (ID 9) with D+ and D- wired in parallel to three slaves: PID (Slave 10), VFD (Slave 11) and Servo (Slave 12)]
Modbus 485 master slave configuration
●Baud rate- bits per second – 1200, 2900, 9800, 19200
●Data length – 7 for ASCII and 8 for RTU
●Stop bit – 1 or 2
●Parity – Even, odd or none – based on the number of 1s sent
●All of the above 4 settings must be the same for the master and all slaves
●Slave ID must be different for every slave
●EX –
○ BR – 9600
○ DL – 8
○ Sp – 1
○ Parity – none
○ Slave id - 11
Modbus TCP/IP
● It connects server and client via Ethernet
● IP address should be same i.e. 192.168.0.10
● To connect with other devices we need to do socket programming
Modbus memory mapping
No | Register number | Type | Name | Representation
1 | 1-10000 (9999) | R/W | Discrete o/p coil | D0 or Y0 or Q0
2 | 10001-20000 | Read | Discrete input contacts | Di or X0 or I0
3 | 30001-40000 | Read – 16 bit | Analog input registers | AI
4 | 40001-50000 | R/W – 16 bit | Analog o/p Holding Register | AO
Total input/output count increased from 1024 to 9999 with the help of Modbus
M0 ------------------------------------------ MOV K4 Y0 D0
We read the outputs with this instruction, where K4 represents the total consecutive bits from Y0 stored in D0,
i.e. Y0 to Y17 will be stored. For example, if Y0 and Y1 are on, 3 will be stored in D0
To write the value to the outputs: M0 -------------------------- MOV D2 K4 Y20
It will write the value to Y20 through Y37
Modbus function code
Function Code | Work | Value type
01 (01H) | Read Coil Status (Do) | Digital o/p
02 (02H) | Read Input contact status (Di) | Digital input
03 (03H) | Read Analog o/p register | 16 bit data register
04 (04H) | Read Analog input register | 16 bit data register
05 (05H) | Write one digital o/p register | Digital o/p
06 (06H) | Write one analog o/p register | 16 bit data register
15 (0FH) | Write multiple digital o/p coil | Digital o/p
16 (10H) | Write multiple analog o/p Register | 16 bit data register
Modbus function code 1
Q – Read 12 Coils starting at 00033 from PLC slave address 2; the response shows coils 00040 and 00042 on and
the others off
Query format for Modbus
Slave ID | Function Code | Starting Address | Count | Error Check
1 Byte | 1 Byte | 2 Byte | 2 Byte | 2 Byte
Sol – 02 | 1 | 0 32 | 0 12 | XX XX
Total 8 Bytes will be sent from Master to Slave
Response format for Modbus
Slave ID | Function Code | No of Bytes R/W by master | Read Data | Error Check
1 Byte | 1 Byte | 2 Byte | 2 Byte | 2 Byte
Sol hex values – 02 | 01 | 02 | 128 or 80 in Hex, 02 | XX XX
Modbus communication simulation
● Modscan 32 - https://www.win-tech.com/demos/modscan32.zip
● Modsim 32 - https://www.win-tech.com/demos/modsim32.zip
● Virtual com port - https://drive.google.com/file/d/1Iu6n4CMsi-eI0eHqGoepKpXPmndOm-Rz/view
Modbus function code 2
Q – Read I/P contacts DI 10197 to DI 10218 from plc slave ID 17 and response contacts DI
10200 to DI 10210 is on, and others are off
A – we have total 21 contacts to read the status
starting address = 10197 – 10001 = 196
00011111 = 248 11111100 = 127
Slave ID | Function Code | Starting Address | Count | Error Check
1 Byte | 1 Byte | 2 Byte | 2 Byte | 2 Byte
Sol – 17 or 11 | 02 | 0, C4 or 196 | 0, 16 or 21 | XX XX
Slave ID | Function Code | No of Bytes R/W by master | Read Data | Error Check
1 Byte | 1 Byte | 2 Byte | 2 Byte | 2 Byte
Sol – 17 or 11 | 02 | 03 | 248 or f8, 127 or f7 | XX XX
Function code 3
● Q – Read 2 holding registers starting number 40601 from slave ID – 2
Response returns registers 40601 value (1000) & 40602 value (5000)
● Address = 40601-40001 = 600
● 600 = 00000010 01011000 similarly 1000 = 3 232/e8 5000 = 19/13 136/86
Slave ID | Function Code | Starting Address | Count | Error Check
1 Byte | 1 Byte | 2 Byte | 2 Byte | 2 Byte
Sol – 2 | 03 | 02 88/56H | 00 02 | XX XX
Slave ID | Function Code | No of Bytes R/W by master | Read Data | Error Check
1 Byte | 1 Byte | 2 Byte | 2 Byte | 2 Byte
Sol – 02 | 03 | 04 | [03][E8] [13][86] | XX XX
Function code 4
● Q – Read I/P Register number 3030 from slave plc id – 2, response return
register value 10000
● Starting address = 300 = 01 44/2c
● 10000 = 00100111 00010000
Slave ID | Function Code | Starting Address | Count | Error Check
1 Byte | 1 Byte | 2 Byte | 2 Byte | 2 Byte
Sol – 2 | 04 | 01 44/2C | 00 01 | XX XX
Slave ID | Function Code | No of Bytes R/W by master | Read Data | Error Check
1 Byte | 1 Byte | 2 Byte | 2 Byte | 2 Byte
Sol – 02 | 04 | 02 | [39][27] [16][10] | XX XX
Function code 5
● Q - Turn on discrete coil 11 in slave device ID 7
● Address = 10 = 00000000 00001010
● By default the higher byte is FF or 256 in the data to write to the output
● If we receive the same data back from the slave device, that means our output is
turned on
● If we need to turn off the coil, then we need to replace FF by 00
Slave ID | Function Code | Starting Address | Data | Error Check
1 Byte | 1 Byte | 2 Byte | 2 Byte | 2 Byte
Sol – 7 | 05 | 00 10/0A | FF 00 | XX XX
Function code 6
Write a value to the analog output holding register 40005 on the slave device with ID 2;
the decimal value is 45
Range is 40001 - 50000
Address = 4 = 00000000 00000100; value 45 = 2D in hex
The slave will return the same code
If any other code comes back, then there is some mistake
Slave ID | Function Code | Starting Address | Data | Error Check
1 Byte | 1 Byte | 2 Byte | 2 Byte | 2 Byte
Sol – 2 | 06 | 00 04 | 00 2D | XX XX
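Added example (not from the original slides): Python code that builds the function code 1 and function code 6 queries worked through above for Modbus RTU, fills in the XX XX error check with the RTU CRC-16, and validates a reply (CRC, slave ID, function code, byte count) before decoding it. The function names are illustrative assumptions, and the reply bytes are constructed from the function code 1 example.

```python
import struct

def crc16(data: bytes) -> int:
    """CRC-16/MODBUS: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def with_crc(body: bytes) -> bytes:
    """Append the error check; RTU sends the CRC low byte first."""
    return body + struct.pack("<H", crc16(body))

def build_request(slave: int, func: int, address: int, value: int) -> bytes:
    """Slave ID, function code, 2-byte address, 2-byte count or data, CRC."""
    return with_crc(struct.pack(">BBHH", slave, func, address, value))

def check_frame(frame: bytes, slave: int, func: int) -> bytes:
    """Validate a reply and return the bytes between function code and CRC."""
    if len(frame) < 5:
        raise ValueError("frame too short")
    if crc16(frame) != 0:  # CRC over body plus its own CRC is 0 when intact
        raise ValueError("CRC mismatch")
    if frame[0] != slave:
        raise ValueError("reply from unexpected slave ID")
    if frame[1] == func | 0x80:  # slave reports an error by setting the top bit
        raise ValueError(f"exception response, code {frame[2]}")
    if frame[1] != func:
        raise ValueError("unexpected function code")
    return frame[2:-2]

def parse_read_bits(frame, slave, func, first_number, count) -> dict:
    """Decode a function 01/02 reply into {coil or contact number: state}."""
    payload = check_frame(frame, slave, func)
    nbytes, data = payload[0], payload[1:]
    if nbytes != len(data) or nbytes != (count + 7) // 8:
        raise ValueError("byte count does not match the request")
    # The first requested item is bit 0 of the first data byte.
    return {first_number + i: bool(data[i // 8] >> (i % 8) & 1)
            for i in range(count)}

def write_confirmed(request: bytes, response: bytes) -> bool:
    """Function 05/06: the slave echoes the request when the write succeeded."""
    check_frame(response, request[0], request[1])
    return response == request

if __name__ == "__main__":
    # Function code 1 example: 12 coils from 00033 on slave 2.
    query = build_request(2, 0x01, 33 - 1, 12)
    print("query   ", query.hex(" "))
    # Constructed reply carrying the data bytes 80 02 from the example.
    reply = with_crc(bytes.fromhex("02 01 02 80 02"))
    coils = parse_read_bits(reply, 2, 0x01, 33, 12)
    print("coils on", [n for n, on in coils.items() if on])
    # Function code 6 example: write 45 to 40005 on slave 2.
    write = build_request(2, 0x06, 40005 - 40001, 45)
    print("write   ", write.hex(" "), write_confirmed(write, write))
```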
Communication in Xinje plc
Control Mode Selection:
● Set P0-01 (Control mode 1) to 9 (XNET Bus Speed Mode). This tells the servo driver to expect speed commands over the communication bus.
● Note: Changes to P0-01 require the servo to be powered off and then on again to take effect.
Modbus RTU Communication Parameters (RS485):
● P7-00 (RS485 station number): Assign a unique slave ID (e.g., 1) to the servo driver on the Modbus network. Default is 1.
● P7-01 (Communication setting): This parameter defines the baud rate, parity, and stop bits. The default n.2206 sets communication to 19200bps, 8 data
bits, 1 stop bit, and even parity. It's critical that these match the PLC's settings.
● P7-02 (RS485 communication protocol): Ensure this is set to 1 for "Modbus RTU protocol".
● Note: Changes to P7-XX parameters require the servo to be powered off and then on again to take effect.
Internal Speed Control Parameters (Modbus-Accessible):
● P3-05 (Internal speed 1): This is where the PLC will write the desired motor speed in RPM (range -9999 to +9999 RPM).
● P3-09 (Acceleration time): Sets the time for the motor to accelerate from stop to commanded speed (in ms).
● P3-10 (Deceleration time): Sets the time for the motor to decelerate from commanded speed to stop (in ms).
II. PLC Instructions (XDPPro Ladder Logic) for Servo Motor Control
Xinje PLCs, including the ZG3 series, are typically programmed using XDPPro software, which supports ladder logic. For Modbus RTU communication, you will
primarily use the REGW (Write Single Register) and REGR (Read Holding Registers) instructions.
A. PLC Communication Port Configuration: Ensure the RS485 port on your ZG3 PLC is configured to match the servo driver's settings:
● Baud Rate: 19200bps.
● Data Bits: 8 bits.
● Parity: Even parity.
● Stop Bits: 1 bit.
B. Key Modbus Instructions:
1. REGW (Write Single Register - Function Code 06H):
○ Purpose: Used to write a single 16-bit value from the PLC to a specific register in the servo driver.
○ Format: REGW D1 D2 S1 S2
■ D1: Remote communication station number (servo slave ID, e.g., K1 for ID 1).
■ D2: Remote register start address (Modbus address of the servo parameter, e.g., H0305 for P3-05).
■ S1: Start address of the local register in the PLC containing the value to be written (e.g., D100 for a speed value).
■ S2: Serial port number on the PLC (e.g., K0 for Port0, K1 for Port1, K2 for Port2).
○ Triggering: Always trigger REGW with a rising edge (LDP) or a pulse (PLS) to prevent continuous execution, which can cause communication issues.
2. REGR (Read Holding Registers - Function Code 03H):
○ Purpose: Used to read the values of one or more contiguous holding registers from the servo driver into the PLC.
○ Format: REGR S1 S2 S3 D1 D2
■ S1: Remote communication station number (servo slave ID, e.g., K1).
■ S2: Remote register start address (Modbus address of the servo parameter, e.g., H1000 for U0-00, actual motor speed).
■ S3: Number of registers to read (e.g., K1 for one register).
■ D1: Start address of the local register in the PLC where the read data will be stored (e.g., D200).
■ D2: Serial port number on the PLC (e.g., K2).
○ Triggering: Similar to REGW, use a rising edge or pulse for REGR.
Communication with servo drive
// PLC Initialization Block (Execute once on PLC power-up or a dedicated startup condition)
// This ensures the servo is configured and enabled.
IF PLC_First_Scan_OR_System_Reset THEN
    // 1. Set Servo Control Mode to XNET Bus Speed Mode (P0-01 = 9)
    // Modbus Address for P0-01 is 0x0001
    LDP M0 // Rising edge trigger for one-time execution
    REGW K1 H0001 K9 K2 // Write 9 to P0-01 on Slave ID 1, using Port 2
    // 2. Enable Servo (F1-05 = 1)
    // Modbus Address for F1-05 is 0x2105
    LDP M1 // Rising edge trigger
    REGW K1 H2105 K1 K2 // Write 1 to F1-05 on Slave ID 1, using Port 2
    // 3. Set Acceleration and Deceleration Times (Optional, e.g., P3-09 = 200, P3-10 = 200)
    // Modbus Address for P3-09 is 0x0309, P3-10 is 0x030A
    LDP M2 // Rising edge trigger
    REGW K1 H0309 K200 K2 // Write 200 to P3-09 on Slave ID 1, using Port 2
    LDP M3 // Rising edge trigger
    REGW K1 H030A K200 K2 // Write 200 to P3-10 on Slave ID 1, using Port 2
END_IF

// Main Control Loop (Execute continuously for dynamic speed control)
// This section allows changing motor speed based on input (e.g., HMI, sensor).
IF Start_Motor_Command_Active THEN
    // Get desired speed (e.g., from an HMI input linked to D100)
    // Write desired speed to P3-05 (Internal speed 1)
    // Modbus Address for P3-05 is 0x0305
    LDP M10 // Trigger on start command or speed change
    REGW K1 H0305 D100 K2 // Write value from D100 to P3-05 on Slave ID 1, Port 2
ELSE IF Stop_Motor_Command_Active THEN
    // Set speed to 0 RPM to stop the motor
    LDP M11 // Trigger on stop command
    REGW K1 H0305 K0 K2 // Write 0 to P3-05 on Slave ID 1, Port 2
END_IF

// Monitoring and Feedback (Continuous reading for diagnostics)
// Read actual motor speed (U0-00)
// Modbus Address for U0-00 is 0x1000
LDP M20 // Continuous trigger (e.g., every scan or timed)
REGR K1 H1000 K1 D200 K2 // Read 1 register from U0-00 on Slave ID 1, store in D200, Port 2

// Read present alarm code (U1-00)
// Modbus Address for U1-00 is 0x1100
LDP M21 // Continuous trigger
REGR K1 H1100 K1 D201 K2 // Read 1 register from U1-00 on Slave ID 1, store in D201, Port 2

// Alarm Handling Logic (Example)
IF D201 <> K0 THEN // If alarm code (D201) is not 0
    // Trigger HMI alarm display, stop process, etc.
    // Example: Clear alarm (F0-00 = 1) after acknowledging
    IF Alarm_Acknowledge_Button_Pressed THEN
        LDP M30
        REGW K1 H2000 K1 K2 // Write 1 to F0-00 to clear alarm
    END_IF
END_IF
Communication with xinje drive
SI1: /S-ON (Servo Enable)
SI2: /ALM-RST (Alarm Reset)
SI3: /P-OT (Forward Run Prohibition)
L/N: Power supply input for the main circuit (single-phase AC 200-
240V).
U, V, W, PE: Connect directly to the servo motor's phase windings and
protective earth. Correct phase sequence is crucial.
P+, C, D: Used for connecting regenerative resistors. P+ and D are
shorted for built-in resistance, while P+ and C are used for external
regenerative resistors.
SO1: /COIN (Positioning Completion)
SO2: /ALM (Alarm)
SO3: Not distributed by default.
Dual Control/Monitoring Paths: Many functions can be triggered or monitored either by a physical signal on an external terminal or by reading/writing to a
corresponding Modbus register.
● Example: Servo Enable: The servo can be enabled by activating the /S-ON input signal (default SI1). Alternatively, if parameter P0-03 is set to 2 (Software enable), the servo can be enabled by writing 1 to the auxiliary function F1-05 (Software enable) via Modbus (Modbus Address 0x2105).
● Example: Alarm Reset: An alarm can be cleared by activating the /ALM-RST input signal (default SI2). It can also be cleared by writing 1 to F0-00 (Alarm clear) via Modbus (Modbus Address 0x2000).
Monitoring Physical I/O Status via Modbus: The status of the physical input and output terminals can be read directly by the PLC over Modbus RTU.
● Input Signal Status: The status of SI input signals (SI1-SI20) can be monitored by reading U0-21 (Input signal status 1) and U0-22 (Input signal status 2).
Each bit within these registers corresponds to a specific input signal. For instance, if the least significant bit of U0-21 is 1, it means /S-ON (SI1) has an input.
● Output Signal Status: Similarly, the status of SO output signals (SO1-SO20) can be monitored by reading U0-23 (Output signal status 1) and U0-24 (Output
signal status 2). Each bit corresponds to a specific output signal.
The Modbus address for the "forward run prohibition" function, which corresponds to parameter P5-22 (/P-OT), is 0x0516 in hexadecimal, or 1302 in decimal.