Modbus protocol
The function code of the servo drive is divided into 16 bit and 32-bit according to the data length. The MODBUS RTU protocol can be used to read and write data to the function code. When writing function code data, the command code varies according to the different data lengths.
RTU protocol:
Each 8-bit data is composed of two 4-bit hexadecimal characters, for example: 1-byte data 64H. Each character is set to 8 data bits, 1 or 2 stop bits, with or without odd/even check bits. The communication data structure is shown in the following table:
Start | The minimum time interval from the previous frame is 3.5 characters |
Slave Address | Communicate address:1byte |
Function | Function code:1byte |
Data(n-1) | Data massage:n word =2n byte,n<=8 |
…… | |
Data(0 ) | |
CRC | Verification code:2byte |
End 1 | The minimum time interval between the next frame is 3.5 characters |
signal and ends with another stationary signal. Between the beginning and end, there are communication address, function code, data content, and Cyclical Redundancy Check (CRC) in sequence.
The functions currently supported by MSA servo are shown in the table below.
Code | Function |
0x03 | Read 16/32-bit function code |
0x06 | Write a 16 digit function code |
0x10 | Write a 32-bit function code |
Taking the reading function code 0x03 and writing function code 0x06 as examples, briefly explain the command information of the MODBUS master station and the response information of the servo drive slave station. The remaining function code commands and response information comply with the Modbus standard.
Reading function: Function code 03H, read 16 bit and 32-bit function codes:
Master command frame:
Slave Address | Slave station(1~247) ◆Note: Here 1~247 are decimal numbers, converted to hexadecimal numbers when filling in ADDR. |
Function | Code :0x03 |
Starting data location | DATA[0]:The starting function code group number, such as function code P0312, 03, is the group number. ◆Note: Here, 03 is a hexadecimal number, and there is no need for conversion when entering DATA [0] |
DATA[1]:The offset within the starting function code group, such as function code P0312, 12 is the offset。 ◆Note: Here, 12 is a decimal number. When filling in DATA [1], it should be converted to hexadecimal 0x0C | |
Data bit | DATA[2]:Read the number of function codes (8 digits high) in hexadecimal format |
DATA[3]:Read the number of function codes (8 digits low) in hexadecimal format | |
CRC Check Low | CRC Verify valid bytes (low 8 bits) |
CRC Check High | CRC Verify valid bytes (high 8 bits) |
Slave response frame:
Slave Address | Slave station(1~247) ◆Note: Here 1-247 are decimal numbers, converted to hexadecimal numbers when filling in ADDR |
Function | Code :0x03 |
Data bit (Calculated in bytes) | The number of bytes of the function code is equal to the number of read function codes N*2 |
Starting data address content | DATA[0]:Starting function code value, 8 bits high |
DATA[1] :Starting function code value, 8 bits low | |
Subsequent data | DATA[…] |
DATA[N*2-1]:Last function code value, low 8 bits | |
CRC Check Low | CRC Verify low significant bytes |
CRC Check High | CRC Verify high significant bytes |
In the MODBUS RTU protocol, the command code 0x06 is used to write 16 bit function codes; Write 32-bit function code using command code: 0x10.
Write function: Function code 06H, write a single word (16 bit data):
Master command frame:
Slave Address | Slave station(1~247) ◆Note: Here 1~247 are decimal numbers, converted to hexadecimal numbers when filling in ADDR. |
Function | Code :0x06 |
Starting data location | DATA[0]:The starting function code group number, such as function code P0312, 03, is the group number. ◆Note: Here, 03 is a hexadecimal number, and there is no need for conversion when entering DATA [0] |
DATA[1]:The offset within the starting function code group, such as function code P0312, 12 is the offset。 ◆Note: Here, 12 is a decimal number. When filling in DATA [1], it should be converted to hexadecimal 0x0C | |
Data content | DATA[2]:Read the number of function codes (8 digits high) in hexadecimal format |
DATA[3]:Read the number of function codes (8 digits low) in hexadecimal format | |
CRC Check Low | CRC Verify valid bytes (low 8 bits) |
CRC Check High | CRC Verify valid bytes (high 8 bits) |
Slave response frame:
Slave Address | Slave station(1~247) ◆Note: Here 1~247 are decimal numbers, converted to hexadecimal numbers when filling in ADDR. |
Function | code:0x06 |
Starting data location | Write the function code group number, such as writing function code P0312, which is 0x03 |
If the written function code is offset, such as writing function code P0312, it will be 0x0C | |
Data content | Write high byte data in hexadecimal format |
Write low byte data in hexadecimal format | |
CRC Check Low | CRC check low valid byte |
CRC Check High | CRC check highly valid byte |
Write function: Function code 10H, write double words (32-bit data):
Master command frame:
Slave Address | Slave station(1~247) ◆Note: Here 1~247 are decimal numbers, converted to hexadecimal numbers when filling in ADDR. |
Function | code:0x06 |
Starting data location | DATA [0]: The starting function code group number, such as function code P0530, where 05 is the group number. ◆Note: Here, 05 is a hexadecimal number, and there is no need for conversion when filling in DATA [0] |
DATA [1]: offset within the starting function code group, such as function code P0530, where 30 is the offset. ◆Note: Here, 30 is a decimal number. When filling in DATA [1], it should be converted to hexadecimal 0x1E | |
Data content | DATA [2]: The number of function codes 8 bits high M(H). 32-bit function codes are counted as 2. For example, if P0530 is written alone, DATA [2] is 00, DATA [3] is 02, and M=H0002. |
DATA[3]:The number of function codes 8 bits low M(L) | |
DATA [4]: The number of function codes corresponds to a byte count of M * 2.。 For example, if P0530 is written alone, DATA [4] is H04. | |
DATA[5]:Write into the starting function code 8 bits high in hexadecimal format | |
DATA[6]:Write into the starting function code 8 bits low in hexadecimal format | |
DATA[7]:Write the high 8 bits,offset+1 in the starting function code group, in hexadecimal format | |
DATA[8]:Write the low 8 bits,offset+1 in the starting function code group, in hexadecimal format | |
CRC Check Low | CRC CRC check valid bytes (low 8 bits) |
CRC Check High | CRC check valid bytes (high 8 bits) |
Slave response frame:
Slave Address | Slave station(1~247) ◆Note: Here 1~247 are decimal numbers, converted to hexadecimal numbers when filling in ADDR. |
Function | code:0x010 |
Starting data location | Write the function code group number, such as writing function code P0530, which is 0x05 |
Write function code offset, such as writing function code P0530, which is 0x1E | |
Data content | The number of written function codes is 8 bits high |
The number of written function codes is 8 bits low | |
CRC Check Low | CRC check low valid byte |
CRC Check High | CRC check high valid byte |
Error frame function code:
Slave Address | Slave (1~247) ◆Note: Here 1~247 are decimal numbers, converted to hexadecimal numbers when filling in ADDR. |
Function | code |
Starting data location | DATA[0]:0x80 |
DATA[1]:0x01 | |
Data content | DATA[2]:Error code high 8 bits |
DATA[3]:Error code low 8 bits | |
CRC Check Low | CRC check low valid byte |
CRC Check High | CRC check high valid byte |
Error code :
Error code | description |
0x0001 | Illegal command code |
0x0002 | Illegal data address |
0x0003 | Illegal data |
0x0004 | Slave device fault |
Function code (parameter number) addressing (16 bit address)::
When we receive a set of parameter numbers and need to use HMI, PLC and other equipment tools to read or write servo drive parameters, we first need to know their addresses. The following is the correspondence between parameter numbers and their addresses.
Firstly, it should be noted that only parameters starting with "P" have a clear relationship with the address.
The structure of R8 servo parameter code is consisting of "P" and 4 digits, such as P0005. The corresponding address relationship is that the first two digits are in hexadecimal form as high 8 bits address, and the last two digits are in decimal form as low 8 bits address, forming a total of 16 bits of the address. For example:
Parameter P0516: Command pulse form, corresponding to address 0x510 or 1296.
Parameter P1321: Bus voltage, corresponding to address 0x1315 or 4885.
Parameter P0C04: Position instruction type selection, corresponding to address 0x0C04 or 3076.
The specific parameter corresponds to the numerical range and rules written in Chapter 6 Parameter List.
Examples of Communication:
1)Host sends request frame
01 | 03 | 01 | 04 | 00 | 01 | CRCL | CRCH |
The request frame indicates that:the slave station axis is 01,
The function code P0104 of the driver reads 0x0001 word length data (i.e. 16 bit data) from the starting register.
Slave station response feedback frame:
01 | 03 | 02 | 00 | 01 | CRCL | CRCH |
This response frame indicates that the slave machine returns data of 1 word length (i.e. 2 bytes) with a content of 0x0001.
If Slave station response feedback frame as this:
01 | 03 | 80 | 01 | 00 | 02 | CRCL | CRCH |
This response frame indicates: Communication error occurred, with error code 0x0002; 0x8001 indicates an error.
2)Host sends request frame
01 | 06 | 01 | 04 | 00 | 01 | CRCL | CRCH |
This request frame indicates writing 0x0001 to function code P0104 of drive with axis address 01。
slave station response feedback frame:
01 | 06 | 01 | 04 | 00 | 01 | CRCL | CRCH |
This response frame indicates:write successful.
If slave station response feedback frame:
01 | 06 | 80 | 01 | 00 | 02 | CRCL | CRCH |
This response frame indicates: Communication error occurred, with error code 0x0002; 0x8001 indicates an error.
Modbus communication parameters are not written to EEPROM
Adding 1 to the highest bit of the write parameter (when the highest bit is 1, the address is 0x8000) can prevent information from being stored in the EEPROM during Modbus writing. For example, when writing parameter P5-40 with an address of 0x528, if the communication address is 0x528, the information will also be stored in the EEPROM after communication writing. At this time, the communication address calculation method is 0x8000+0x528=0x8528. After communication writing, the information will not be stored in the EEPROM, which can effectively protect the EEPROM from damage caused by continuous writing.
CRC calculation in RTU mode:
The CRC value calculation steps are as follows:
Step 1: Load a 16 bit register with FFFF H content, called the "CRC" register.
Step 2: XOR the first bit (bit0) of the instruction message with the low bit (LSB) of the 16 bit CRC register, and store the result back into the CRC register;
Step 3: Check the least significant bit (LSB) of the CRC register. If this bit is 0, shift the CRC register value to the right by one bit; If this bit is 1, the CRC register value is shifted to the right by one bit and then XOR with A001 H;
Step 4: Return to step 3 until step 3 has been executed 8 times before proceeding to step 5;
Step 5: Repeat steps 2 to 4 for the next bit of the instruction message until all bits have been processed in this way. At this point, the content of the CRC register is the CRC error detection value.
example:
Generate CRC values in C language below. This function requires two parameters:
unsigned char * data;
unsigned char length;
This function will return an unsigned integer CRC value。
unsigned int crc_chk(unsigned char * data,unsigned char length)
{
int i,j;
unsigned int crc_reg=oxFFFF;
While(length--)
{
crc_ reg ^=*data++;
for(j=0;j<8;j++)
{
If(crc_reg & 0x01)
{
crc_reg=( crc_reg >>1)^0xA001;
}else
{
crc_reg=crc_reg >>1;
}
}
}
return crc_reg;
}