Basic format of asynchronous serial communication
According to the MODBUS protocol, each character is transmitted as 11 bits: 1 stop bit if parity is used; 2 stop bits if no parity.
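Function codes and variables in brief
0x01: read coil registers
0x02: read discrete input registers
0x03: read holding registers
0x04: read input registers
0x05: write a single coil register
0x06: write a single holding register
0x0f: write multiple coil registers
0x10: write multiple holding registers
As listed above, there are 8 function codes in total. They involve four kinds of registers: coil, discrete input, holding, and input.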
The Modbus protocol explained through examples
This is a summary compiled with reference to Modbus protocol documents I have used before and the breakdowns at http://www.simplymodbus.ca
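03: Read holding registers
Send: 05 03 00 00 00 07 05 8C
05 slave address, 03 function code, 00 00 register address, 00 07 offset of 7 registers, 05 8C CRC16 checksum
Response:
05 03 0E 00 01 00 01 00 03 01 04 01 0E 00 00 80 00 32 85
05 slave address, 03 function code, 0E data length 14 (denoted 2N), 00 01 00 01 00 03 01 04 01 0E 00 00 80 00 reply data, 32 85 CRC16 checksum
Total data length: 5+2N
Original breakdown from http://www.simplymodbus.ca/FC03.htm: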
Request
This command is requesting the content of analog output holding registers # 40108 to 40110 from the slave device with address 17.
11 03 006B 0003 7687
11: The Slave Address (11 hex = address 17)
03: The Function Code 3 (read Analog Output Holding Registers)
006B: The Data Address of the first register requested. (006B hex = 107, + 40001 offset = input #40108)
0003: The total number of registers requested. (read 3 registers 40108 to 40110)
7687: The CRC (cyclic redundancy check) for error checking.
Response
11 03 06 AE41 5652 4340 49AD
11: The Slave Address (11 hex = address 17)
03: The Function Code 3 (read Analog Output Holding Registers)
06: The number of data bytes to follow (3 registers x 2 bytes each = 6 bytes)
AE41: The contents of register 40108
5652: The contents of register 40109
4340: The contents of register 40110
49AD: The CRC (cyclic redundancy check).
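04: Read input registers (read-only)
Example 1:
Send:
01 04 04 45 00 01 21 2F
01 slave address, 04 function code, 04 45 register address, 00 01 count of 1, 21 2F CRC16 checksum
Response:
01 04 02 07 D0 BA 9C
01 slave address, 04 function code, 02 data length 2 bytes (denoted 2N), 07 D0 parameter, BA 9C CRC16 checksum
Total data length: 5+2N
Example 2:
Send:
01 04 07 D6 00 05 D0 85
01 slave address, 04 function code, 07 D6 register address, 00 05 read count of 5, D0 85 CRC16 checksum
Response:
01 04 0A 37 A9 42 02 00 C8 00 00 01 0D 75 A3
01 slave address, 04 function code, 0A data length 10 bytes, 37 A9 42 02 00 C8 00 00 01 0D data (the response alone does not show which data was read; that has to be carried over from the request), 75 A3 checksum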
Original breakdown from http://www.simplymodbus.ca/FC04.htm:
Request
This command is requesting the content of analog input register # 30009 from the slave device with address 17.
11 04 0008 0001 B298
11: The Slave Address (11 hex = address 17)
04: The Function Code 4 (read Analog Input Registers)
0008: The Data Address of the first register requested. (0008 hex = 8, + 30001 offset = input register #30009)
0001: The total number of registers requested. (read 1 register)
B298: The CRC (cyclic redundancy check) for error checking.
Response
11 04 02 000A F8F4
11: The Slave Address (11 hex = address 17)
04: The Function Code 4 (read Analog Input Registers)
02: The number of data bytes to follow (1 registers x 2 bytes each = 2 bytes)
000A: The contents of register 30009
F8F4: The CRC (cyclic redundancy check).
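06: Write a single holding register
Example 1:
Write:
01 06 07 EC 0C E2 CC 02
01 slave address, 06 function code, 07 EC register address, 0C E2 register parameter, CC 02 CRC16 checksum
Response:
01 06 07 EC 0C E2 CC 02
The response to a write is identical to the write request.
Example 2:
Send:
05 06 00 00 00 01 49 8E
05 slave address, 06 function code, 00 00 register address, 00 01 offset count, 49 8E CRC16 checksum
Response:
05 06 00 00 00 01 49 8E (same as the write request)
Original breakdown from http://www.simplymodbus.ca/FC06.htm: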
Request
This command is writing the contents of analog output holding register # 40002 to the slave device with address 17.
11 06 0001 0003 9A9B
11: The Slave Address (11 hex = address 17)
06: The Function Code 6 (Preset Single Register)
0001: The Data Address of the register. (0001 hex = 1, + 40001 offset = register #40002)
0003: The value to write
9A9B: The CRC (cyclic redundancy check) for error checking.
Response
The normal response is an echo of the query, returned after the register contents have been written.
11 06 0001 0003 9A9B
11: The Slave Address (11 hex = address 17)
06: The Function Code 6 (Preset Single Register)
0001: The Data Address of the register. (# 40002 – 40001 = 1)
0003: The value written
9A9B: The CRC (cyclic redundancy check) for error checking.
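0x10: Write multiple holding registers
Example 1:
Send:
01 10 0c 1c 00 05 0a 00 00 00 00 00 00 00 03 00 01 21 e1
01 slave address, 10 function code, 0c 1c register address 3100, 00 05 offset of 5 registers, 0a data length 10, 00 00 00 00 00 00 00 03 00 01 data, 21 e1 CRC16 checksum
Response:
01 10 0C 1C 00 05 C2 9C
01 slave address, 10 function code, 0C 1C starting register address, 00 05 offset count, C2 9C CRC16 checksum
Original breakdown from http://www.simplymodbus.ca/FC16.htm: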
Request
This command is writing the contents of two analog output holding registers # 40002 & 40003 to the slave device with address 17.
11 10 0001 0002 04 000A 0102 C6F0
11: The Slave Address (11 hex = address 17)
10: The Function Code 16 (Preset Multiple Registers, 10 hex – 16)
0001: The Data Address of the first register. (0001 hex = 1, + 40001 offset = register #40002)
0002: The number of registers to write
04: The number of data bytes to follow (2 registers x 2 bytes each = 4 bytes)
000A: The value to write to register 40002
0102: The value to write to register 40003
C6F0: The CRC (cyclic redundancy check) for error checking.
Response
11 10 0001 0002 1298
11: The Slave Address (17 = 11 hex)
10: The Function Code 16 (Preset Multiple Registers, 10 hex – 16)
0001: The Data Address of the first register. (# 40002 – 40001 = 1)
0002: The number of registers written.
1298: The CRC (cyclic redundancy check) for error checking.
0x0F: Write multiple coils (bit operation, multiple)
Example:
Write: 01 0F 07 C8 00 08 01 03 5E F3
01 address, 0F function code, 07 C8 coil address, 00 08 offset count, 01 data length 1 byte, 03 data, 5E F3 CRC16 checksum
Response: 01 0F 07 C8 00 08 D4 87
01 address, 0F function code, 07 C8 coil address, 00 08 offset count, D4 87 CRC16 checksum
Original breakdown from http://www.simplymodbus.ca/FC15.htm:
Request
This command is writing the contents of a series of 10 discrete coils from #20 to #29 to the slave device with address 17.
11 0F 0013 000A 02 CD01 BF0B
11: The Slave Address (11 hex = address 17)
0F: The Function Code 15 (Force Multiple Coils, 0F hex = 15)
0013: The Data Address of the first coil. (0013 hex = 19, + 1 offset = coil #20)
000A: The number of coils to write (0A hex = 10)
02: The number of data bytes to follow (10 Coils / 8 bits per byte = 2 bytes)
CD: Coils 27 – 20 (1100 1101)
01: 6 space holders & Coils 29 – 28 (0000 0001)
BF0B: The CRC (cyclic redundancy check) for error checking.
The more significant bits contain the higher coil variables. This shows that coil 20 is on (1) and 21 is off (0). Due to the number of coils requested, the last data field 01 contains the status of only 2 coils. The unused bits in the last data byte are filled in with zeroes.
Response
11 0F 0013 000A 2699
11: The Slave Address (11 hex = address 17)
0F: The Function Code (Force Multiple Coils, 0F hex = 15)
0013: The Data Address of the first coil. (0013 hex = 19, + 1 offset = coil #20)
000A: The number of coils written (0A hex = 10)
2699: The CRC (cyclic redundancy check) for error checking.
02: Read discrete inputs (bit operation, single or multiple)
Send: 01 02 04 28 00 18 F9 38
01 slave address, 02 function code, 04 28 discrete input address, 00 18 read 24 consecutive inputs, F9 38 CRC16 checksum
Response: 01 02 03 09 02 03 E9 2D
01 slave address, 02 function code, 03 data length 3 bytes, 09 02 03 data, E9 2D CRC16 checksum
Original breakdown from http://www.simplymodbus.ca/FC02.htm:
Request
This command is requesting the ON/OFF status of discrete inputs # 10197 to 10218 from the slave device with address 17.
11 02 00C4 0016 BAA9
11: The Slave Address (11 hex = address 17)
02: The Function Code 2 (read Input Status)
00C4: The Data Address of the first input to read. (00C4 hex = 196, + 10001 offset = input #10197)
0016: The total number of coils requested. (16 hex = 22, inputs 197 to 218)
BAA9: The CRC (cyclic redundancy check) for error checking.
Response
11 02 03 ACDB35 2018
11: The Slave Address (11 hex = address 17)
02: The Function Code 2 (read Input Status)
03: The number of data bytes to follow (22 Inputs / 8 bits per byte = 3 bytes)
AC: Discrete Inputs 10204 -10197 (1010 1100)
DB: Discrete Inputs 10212 – 10205 (1101 1011)
35: 2 space holders & Discrete Inputs 10218 – 10213 (0011 0101)
2018: The CRC (cyclic redundancy check).
The more significant bits contain the higher Discrete inputs. This shows that input 10197 is off (0) and 10204 is on (1). Due to the number of inputs requested, the last data field 35 contains the status of only 6 inputs. The two most significant bits in this data field are filled in with zeroes.
05: Write a single coil (bit operation)
Example:
Send: 11 05 00AC FF00 4E8B
11: slave address
05: function code
00AC: coil address (00AC hex = 172, + 1 offset = coil #173)
FF00: parameter. This is nominally a bit operation, yet two bytes are used here! The protocol fixes the values: FF00 means ON, 0000 means OFF
4E8B: CRC16 checksum
Response: 11 05 00AC FF00 4E8B (same format as the write request)
11: slave address
05: function code
00AC: coil address
FF00: parameter
4E8B: CRC16 checksum
Original breakdown from http://www.simplymodbus.ca/FC05.htm:
Request
This command is writing the contents of discrete coil # 173 to ON in the slave device with address 17.
11 05 00AC FF00 4E8B
11: The Slave Address (11 hex = address 17)
05: The Function Code 5 (Force Single Coil)
00AC: The Data Address of the coil. (coil# 173 – 1 = 172 = AC hex). (00AC hex = 172, + 1 offset = coil #173)
FF00: The status to write (FF00 = ON, 0000 = OFF)
4E8B: The CRC (cyclic redundancy check) for error checking.
Response
The normal response is an echo of the query, returned after the coil has been written.
11 05 00AC FF00 4E8B
11: The Slave Address (11 hex = address 17)
05: The Function Code 5 (Force Single Coil)
00AC: The Data Address of the coil. (coil# 173 – 1 = 172 = AC hex)
FF00: The status written (FF00 = ON, 0000 = OFF)
4E8B: The CRC (cyclic redundancy check) for error checking.
01: Read coils (bit operation, single or multiple)
Example:
Send: 11 01 0013 0025 0E84
11: slave address
01: function code
0013: coil address (0013 hex = 19, + 1 offset = coil #20)
0025: count, read 37 coils
0E84: CRC16 checksum
Response: 11 01 05 CD6BB20E1B 45 E6
11: slave address
01: function code
05: data length, 5 bytes
CD6BB20E1B: data
CD: coils 27 – 20 (1100 1101)
6B: coils 35 – 28 (0110 1011)
B2: coils 43 – 36 (1011 0010)
0E: coils 51 – 44 (0000 1110)
1B: 3 placeholder bits & coils 56 – 52 (0001 1011)
45 E6: CRC16 checksum
Original breakdown from http://www.simplymodbus.ca/FC01.htm:
Request
This command is requesting the ON/OFF status of discrete coils # 20 to 56 from the slave device with address 17.
11 01 0013 0025 0E84
11: The Slave Address (11 hex = address 17)
01: The Function Code 1 (read Coil Status)
0013: The Data Address of the first coil to read. (0013 hex = 19, + 1 offset = coil #20)
0025: The total number of coils requested. (25 hex = 37, inputs 20 to 56)
0E84: The CRC (cyclic redundancy check) for error checking.
Response
11 01 05 CD6BB20E1B 45E6
11: The Slave Address (11 hex = address 17)
01: The Function Code 1 (read Coil Status)
05: The number of data bytes to follow (37 Coils / 8 bits per byte = 5 bytes)
CD: Coils 27 – 20 (1100 1101)
6B: Coils 35 – 28 (0110 1011)
B2: Coils 43 – 36 (1011 0010)
0E: Coils 51 – 44 (0000 1110)
1B: 3 space holders & Coils 56 – 52 (0001 1011)
45E6: The CRC (cyclic redundancy check).
The more significant bits contain the higher coil variables. This shows that coil 36 is off (0) and 43 is on (1). Due to the number of coils requested, the last data field 1B contains the status of only 5 coils. The three most significant bits in this data field are filled in with zeroes.
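Exception codes: +0x80
Requested function code + 0x80 (sets the error flag bit)
01 - function code not in use, or not applicable to the specified register: illegal function
02 - register address out of range, no register found for the specified address: illegal data address
03 - register value not valid for the specified register: illegal data value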
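The frame layout, CRC16 trailer, function codes and +0x80 exception flag described above, combined in an added Python example (not code from the original post) of the kind a passive bus monitor would use to validate frames and flag write requests. The names `crc16`, `with_crc` and `decode` are this example's own; it decodes requests and exception responses only, not normal read responses.

```python
import struct

# Function and exception codes exactly as listed on this page.
FUNCTIONS = {0x01: "read coils", 0x02: "read discrete inputs",
             0x03: "read holding registers", 0x04: "read input registers",
             0x05: "write single coil", 0x06: "write single holding register",
             0x0F: "write multiple coils", 0x10: "write multiple holding registers"}
WRITES = {0x05, 0x06, 0x0F, 0x10}
EXCEPTIONS = {1: "illegal function", 2: "illegal data address", 3: "illegal data value"}

def crc16(data: bytes) -> int:
    """CRC-16/MODBUS: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def with_crc(body: bytes) -> bytes:
    """Append the CRC low byte first, the order used by the frames above."""
    return body + struct.pack("<H", crc16(body))

def decode(frame: bytes) -> dict:
    """Decode a request or exception frame; raise ValueError when malformed."""
    if len(frame) < 5 or with_crc(frame[:-2]) != frame:
        raise ValueError("short frame or CRC mismatch")
    slave, func = frame[0], frame[1]
    if func & 0x80:  # exception response: function code + 0x80, one code byte
        if len(frame) != 5:
            raise ValueError("exception frame must be 5 bytes")
        return {"slave": slave, "function": func & 0x7F,
                "exception": EXCEPTIONS.get(frame[2], "unknown")}
    if func not in FUNCTIONS or len(frame) < 8:
        raise ValueError("unknown function code or truncated request")
    address, quantity = struct.unpack(">HH", frame[2:6])
    info = {"slave": slave, "function": func, "name": FUNCTIONS[func],
            "address": address, "quantity_or_value": quantity, "write": func in WRITES}
    if func in (0x0F, 0x10):  # byte count must agree with the quantity field
        expected = quantity * 2 if func == 0x10 else (quantity + 7) // 8
        if len(frame) != 9 + expected or frame[6] != expected:
            raise ValueError("byte count does not match quantity")
        info["data"] = frame[7:-2]
    elif len(frame) != 8:
        raise ValueError("unexpected request length")
    return info

for raw in ("1103006B00037687", "1106000100039A9B"):  # frames quoted on this page
    print(decode(bytes.fromhex(raw)))
```

A frame that fails the CRC or whose byte count disagrees with its quantity field is rejected rather than decoded, so a monitor can log it separately from well-formed write requests.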
History
- 20231221 Added notes on the basic format of asynchronous serial communication
- 2017-06-17 Compiled the Modbus examples walkthrough