Do you know how to debug Modbus protocol?

[[386743]]

The Modbus protocol adopts master-slave communication. The two most commonly used ones are Modbus RTU and Modbus TCP/IP.

The more commonly used Modbus communication debugging software are ModScan32 and ModSim32.

ModScan32 is mainly used to simulate the master device. It can send instructions to the slave device (device terminals such as smart meters using the Modbus protocol). After the slave responds, the data of the corresponding register can be returned on the interface.

ModSim32 is used to simulate slave devices. It can simulate intelligent terminals using the Modbus protocol.

In the process of interacting with the configuration software, our board or software usually acts as a slave device. In order to understand the specific interaction process of the Modbus protocol, we will use ModScan32 software and serial port assistant to debug the Modbus protocol today.

Achieving goals

• Familiar with the use of ModScan32 software
• The serial port assistant simulates data interaction between the slave device and the ModScan32 software

Material acquisition

The method for obtaining the software related to this article and the Modbus protocol manual is published in the WeChat discussion group.

Test Prerequisites

Create a pair of virtual serial ports for debugging.

We choose COM4 and COM5 here. Using this pair of virtual serial ports, the data sent by COM4 can be forwarded to COM5, and vice versa, the data sent by COM5 can be forwarded to COM4. Data interaction can be achieved through these two COM ports.

ModScan32 Software Tutorial

ModScan32 is an application that runs under Windows as a Modbus protocol master in RTU or ASCII transmission mode.

Connect one or more Modbus slave devices to a computer via a serial port, modem or network, and use ModScan to read and modify data points.

Open the software

Double-click ModScan32.exe to open the software.

Software interface introduction

There are two counts in the upper right corner of the window:

Number of Polls: Indicates the number of data packets sent by ModScan32 software;

Valid Slave Responses: Indicates the number of responses returned by the slave device.

If both counts are increasing, data communication is normal.

Connecting to the Serial Port

First, you need to configure the serial communication parameters of the Modbus device, connection parameters, and select the serial port for serial communication. Here, select COM4 in the pair of virtual serial ports above.

Click the protocol selection button and set the Modbus transmission mode in the pop-up dialog box. We select RTU for testing.

Communication parameter settings

The communication parameters include: starting address (Address), Device Id, register length (Length) and read function code.

The MODBUS Point Type (Modbus data model) includes the following four types:

• 01:COIL STATUS: read-write switch type (DO), bit operation, can be used to set the port output status, or read the output status of the bit, commonly used for solenoid valve output, MOSFET output, LED display, etc.;
• 02: INPUT STATUS: read switch type (DI), bit operation, change input status through external setting, readable but not writable, commonly used for dip switches, proximity switches, etc.;
• 03:HOLDING REGISTER: Holding register, read and write WORD type, word operation, output parameter or holding parameter, some parameters set when the controller is running, readable and writable, commonly used for analog output setting value, PID operation parameters, variable valve output size, sensor alarm upper and lower limits, etc.;
• 04: INPUT REGISTER: Input register, read WORD type, word operation, input parameter, parameter obtained from external device when the controller is running, readable but not writable, commonly used for analog input.

Select the specific Modbus data model according to the hardware manual.

connect

Click "Connect" in the "Connection Settings" menu, configure the communication parameters in the pop-up interface, and click "OK" to establish the connection.

Debugging with the Serial Assistant

Query

The host ModScan32 software sends a command to read the current status of the slave coil register. The data received by the slave (serial port assistant simulates the slave) is: 01 01 00 00 00 64 3D E1

This data packet is an instruction to read the coil register, and its specific meaning is:

answer

Normally, when the host sends a data packet, we need to send a data packet with a fixed format as a response within a certain period of time. Otherwise, it will prompt a timeout "MODBUS Message TIME-OUT" or the received response format is incorrect "Received Invalid Response to MODBUS Query" or a checksum error "Checksum Error in Response Message".

The correct response packet is as follows:

01 01 0D 08 00 00 00 00 00 00 00 00 00 00 00 00 AD E5

The number of bytes returned N = the number of registers read/8. If the remainder is not 0, N = N + 1.

In this example, the number of registers read is 0x64, which is 100. 100/8=12 with a remainder of 4, so N=12+1, which is 0x0D.

Each bit of the returned data corresponds to the coil status, 1-ON, 0-OFF.

The lowest bit of each byte of data represents the state of the coil at the lowest address. If it is less than 8 bits, the high bit of the byte is filled with 0.

After the host ModScan32 software receives the response, the value of register address 0x0004 is modified to 0x01, and the Valid Slave Responses count is +1.

The first byte of the data, 0x08, is represented in binary as 0b0000 1000. The fourth bit is 1, which is consistent with the content returned in our response.

Similarly, if the slave returns the data packet: 01 01 0D FF 00 00 00 00 00 00 00 00 00 00 00 00 E6 53, it means that the coil states of registers 00001~00008 are all ON:

The host sets the coil on/off status

ask

Modify the serial port data of address 0001 to 0x01: 01 05 00 00 FF 00 8C 3A

Some MODBUS function codes

Function codes can be divided into two categories: bit operation and word operation. The smallest unit of bit operation is bit, and the smallest unit of word operation is WORD (two bytes).

From the above table, we can see that the function code for the host to modify the value of a register is: 0x05, that is, write a single coil. The structure of the data packet for writing a single coil is:

Note: If a coil value is set to ON, the value is 0xFF00, and if a coil value is set to OFF, the value is 0x0000.

answer

The response is the same as the request: 01 05 00 00 FF 00 8C 3A

Summarize

In fact, it is most convenient to debug by directly using ModSim32 software as the slave and ModScan32 software as the host, and the two communicate data.

However, the purpose of this demonstration is to understand the working process of ModScan32 software. If you use ModSim32 software, you will not understand the specific working process.

If we use the serial port assistant, the whole working process will be clearer, and it will also be convenient for us to write the Modbus slave software ourselves in the next step.

This article is reprinted from the WeChat public account "Embedded from 0 to 1", which can be followed through the following QR code. To reprint this article, please contact the Embedded from 0 to 1 public account.