On Sat, 15 Aug 1998, you wrote:
>Hi Guys,
>Has anyone found a better description of the Modbus Protocol than the
>one at http://www.modicon.com/techpubs ? I have one of those serial
>port "sniffers" connected to two PLCs that are talking on the modbus.
>The master says (in RTU hex):
>01 (start of header)
>03 (??)
>0f (slave source address MSB)
>f6 (slave source address LSB)
>00 (??)
>01 (number of bytes)
>67 (rev 16bit CRC)
>2c (??)
>
>I am trying to find out what the (??) bytes are as shown above.
>After I understand the protocol a bit, I hope to make a PIC a slave.
>Anyone been down this path?

Hi Greg,

I have done the *basic* modbus a few times, not on the pic however,
the message from the master has the following format, please note
a silent period of 3.5 character times is REQUIRED between messages.

[start][address][function][data][crc][end]

where

[start]     silence 3.5 character times

[address]   8 bits
            1-240 for individual addresses
            241-255 for group broadcasts
            0 is global broadcast

[function]  8 bits
            Some examples:
            1= read coil status
            2= read input status
            3= read holding register
            4= read input register
            5= force single coil
            6= force single register
            ... and many more...
            slave sets msb of function code in response
            when exception occurs

[data]      nx8 bits
            Always MSB first
            Usually consists of address start and number of registers
            depending on function
            address ranges can be a bit tricky sometimes.

[crc]       16bits
            calculated from x16+x15+x2+x1 (0xA001)
            init to 0xFFFF then use shift/xor stuff as normal

[end]       silence

There are other flavours of Modbus, such as the ASCII RTU format and
Modbus plus, but hopefully this gets you started in the right direction.
Modbus plus adds extra layers for routing over ethernet etc. but when
you unwrap it the same basic RTU packets are inside.

The example you asked for would be..

>01 (start of header)
No this is address 01
>03 (??)
Function = Read Holding register
>0f (slave source address MSB)
>f6 (slave source address LSB)
0x0FF6 address of holding register
>00 (??)
>01 (number of bytes)
0x0001 number of addresses to read =1
>67 (rev 16bit CRC)
>2c (??)
CRC=0x672C
>
So the message reads holding register 0x0FF6

the response to this would be

[address] =01
[function]=03
[byte count]=2
[data]=0x???? depending on what the data is.
[crc]

Hope this helps.

--
Ray Gardiner ray@hdc.com.au
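
Added example, not part of the original message: a small decoder that applies the frame layout and CRC procedure described above to the sniffed bytes from the question, rejects frames that are too short or fail the CRC, and flags exception responses. The names `crc16`, `decode_frame`, `FUNCTIONS` and `SNIFFED` are assumptions made for this example, and the CRC check assumes the two CRC bytes appear on the wire low byte first.

```python
import struct

# Function codes listed in the message above (requests carrying two 16-bit fields).
FUNCTIONS = {1: "read coil status", 2: "read input status",
             3: "read holding register", 4: "read input register",
             5: "force single coil", 6: "force single register"}

def crc16(data: bytes) -> int:
    """CRC as described above: init 0xFFFF, shift right, XOR with 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def decode_frame(frame: bytes) -> dict:
    """Decode one RTU frame captured between two silent intervals."""
    if len(frame) < 4:  # address + function + two CRC bytes at minimum
        raise ValueError("frame too short")
    body, tail = frame[:-2], frame[-2:]
    # Assumption: the CRC register is transmitted low byte first.
    if crc16(body).to_bytes(2, "little") != tail:
        raise ValueError("CRC mismatch")
    address, function = body[0], body[1]
    out = {"address": address, "function": function & 0x7F,
           "name": FUNCTIONS.get(function & 0x7F, "unknown"),
           "exception": bool(function & 0x80)}  # msb set by slave on error
    if not out["exception"] and function in FUNCTIONS and len(body) == 6:
        # Data is MSB first: start address, then count (1-4) or value (5-6).
        start, second = struct.unpack(">HH", body[2:])
        out["start"] = start
        out["count" if function <= 4 else "value"] = second
    else:
        out["data"] = body[2:]  # anything else is returned undecoded
    return out

# The frame from the question, in the byte order the sniffer showed it.
SNIFFED = bytes.fromhex("01030ff60001672c")

if __name__ == "__main__":
    print(decode_frame(SNIFFED))
```

The CRC only catches line noise: any device on the bus that can compute it can produce a frame a slave will accept, so a PIC slave should also range-check the address and count fields before acting on them.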