Modbus protocol for MORSE 0.1 Description of the Modbus Protocol 0.1.1 Overview of the Most Common Modbus Protocol Functions 1. Function of the Modem in the MODBUS protocol. - transparent mode - cache mode - packet mode - time synchronisation - watchdog - phantom access - virtual station 1.1 Modem as MASTER 1.1.1 Modem MASTER in cache mode 1.1.2 Modem MASTER in Transparent Mode 1.1.3 Modem MASTER in Packet Mode 1.1.4 Modem MASTER and Time Synchronisation 1.2 Modem as SLAVE 1.2.1 Modem SLAVE in Cache Mode 184.108.40.206 Phantom Access 220.127.116.11 Virtual station 1.2.2 Modem SLAVE in Transparent Mode 1.2.3 Modem SLAVE in Packet Mode 1.2.4 Modem SLAVE and Time Synchronisation 2. Parameters of the Modbus Protocol 3. Examples and Explanations 3.1. Packet type. 3.2 Example of Reading Data in Cache Mode. 3.3 Examples of Packet Mode. 3.4 Basic Modbus Communication. 3.5 Sending a Short User Packet from Master to Modbus. 3.6 Sending a short user packet from Slave to Modbus. 3.7 Sending a long user packet from Master to Modbus. 3.8 Sending a long user packet from Slave to Modbus. 3.10 Automaster sends Herman's broadcast. 4. History The MODBUS protocol in its standard format contains one Master and a group of Slaves connected by an RS485 bus network. There can be a maximum of 255 Slaves - single-byte address). The standard Modbus is also limited to a max. address of 247. The Master cyclically polls individual Slaves and reads data from them. Mingled in with this are commands which the Master inserts between requests as is necessary. Each frame from the Master is either duly confirmed or contains data corresponding to the function of the frame. On the basis of this simple principle the Master determines the aliveness, and also non-functionality of individual Slaves. The order for polling Slaves is not defined. The Master can arrange the polling list as it likes. The Master does not have its own address. Modbus network with RS485 bus: master slave PLC PLC ___ | | | addresses: ______ +-------------------|___| 01 | | | ___ | PLC |--------------+ | | |______| +-------------------|___| 02 | ___ |RS485 | | 03 +-------------------|___| | In the following diagram the Modbus network is connected by the MORSE radio network. Slave PLC's are connected separately or in groups to the MORSE CU (communication unit, modem, radio), which locally substitutes the function of the Master PLC: [A] [B] [C] [D] master slave master slave PLC CU CU PLC ______ \|/........... \|/ | |RS232 _|_ : _|_ ___ slave | PLC |-----| | : | | RS485 | | addresses: |______| |___| : |___|----+----|___| (0):01 (m)ode:SLAVE : (m)ode:MASTER| ___ FF 691122FF : 69112201 | | | : +----|___| (1):02 address : (d)est:FF :..... \|/ : _|_ ___ : | | RS485 | | (0):03 : |___|----+----|___| : 69112203 | ___ : | | | : +----|___| (1):04 :..... \|/ _|_ ___ | | RS232 | | |___|---------|___| (0):05 69112205 period m(i)rror (p)eriod The Modbus is interrupted by the inserted radio network which mediates the connection in the three modes described below. The diagram illustrates the use of the terms Master and Slave in the following definition. Symbols [A],[B],[C],[D] are used for distinguishing levels in the communication hierarchy. Even if CU [B] also behaves like a Master with respect to CU [C] in the radio network for transparency we avoid this kind of labelling. Symbols in brackets such as m(i)rror label protocol parameters. An example of addresses is also given. The address of the master PLC [A] is the same as the lower byte of the MORSE address of CU slave [B]. The lower byte of the address of CU master [C] is the same as one of the addresses of the connected PLC [D] Slaves. For routing other PLC´s the "multiaddressing" function in menu (N)odes (e)dit is used. 0.1 Description of the Modbus Protocol Modbus is a typical example of a family of protocols determined for buses implemented on RS485. It uses a 256 byte frame equipped with a 16-bit CRC. Because Modbus distinguishes the types of transmitted data (bit, byte, word), types of frames are established for distinguishing these variations. The Modbus type of frame is described by the number of the function implemented by the frame. 0.1.1 Overview of the Most Common Modbus Protocol Functions Overview of Modbus commands for reading and writing from various parts of the PLC memory. unit for: function/8 start/16 (hex) number/16 ___________ | | 02 1bit | OUT |-> 0F --> bits | |-> |___________|-> | Analog | 04 1word | | 03 words | Registers | 17 words | | |___________| Description of individual functions: - 01 (Read Output Status) Reads output states (relays, transistor switches, etc.) from the Slave. The basic unit read by means of this function is one output - for us this means one bit. Of course as the protocol is able to transfer one byte as the smallest element output bits are combined into bytes. The Master can address more bits at once. It then obtains them stacked into several bytes of the reply. Typical forms of frames then look as follows: request | adr/8 | fce/8 | start/16 | number/16 | crc/16 | reply | adr/8 | fce/8 | cnt/8 | data/8 * cnt | crc/16 | adr - address of PLC on Modbus, this address must be unique within the whole bus. The address is the same for a request as for a reply. fce - function, which the PLC performs after receiving the frame start - start address of data (output), which is to be processed number - number of items (bits), which are to be processed cnt - number of frame data bytes data - actual data of the request aligned into 8 bits crc - security word Example: If we have the state of outputs in our PLC from the zero address 0x1480. The PLC has an address on the Modbus of 0x10. Using the function 01 first we read everything at once and then the second part only. Request for the first case: 1001 0000 0010 crc - we want 16 outputs from the zero position reply: 1001 0214 80 crc - all 16 outputs returned. It is necessary to point out that data is not aligned into an even number of bytes as is common in MORSE networks. Request for the second case: 1001 0008 0008 crc - we want 8 outputs from the eighth position reply: 1001 0180 crc - 8 outputs returned. As is seen outputs are organised in Intel format (little endian). - 02 (Read Input Status) It is absolutely identical to the previous function, but it reads inputs from the Slave PLC. The form of frames are also the same. - 03 (Read Holding Registers) 16 bit memory registers return from the PLC. These registers are general purpose. In our case they are used for cache and packet mode. The frames then look as follows: request | adr/8 | fce/8 | start/16 | number/16 | crc/16 | reply | adr/8 | fce/8 | cnt/8 | data/8 * cnt | crc/16 | adr - address of the PLC on the Modbus fce - function, which the PLC performs after receiving the frame start - start address of data (output), which is to be processed number - number of items (words), which are to be processed cnt - number of frame data bytes data - content of required registers aligned into 16 bits crc - security word Example: In our PLC from the previous example the contents of three registers from the zero address are 0x1480, 0x3450 and 0x4054. request: 1003 0000 0003 crc reply: 1003 0614 8034 5040 54 crc - again the frame is not aligned into an even number of bytes. - 04 (Read Input Registers) In principle this is the same as the function for reading registers. The difference of course is that it returns the states of analog inputs. - 05 (Force Single Output) It sets one output, i.e. one bit. As the binary output can only be set or deleted the forms of commands are very simple. request | adr/8 | fce/8 | start/16 | 0xFF00 | crc/16 | for setting 1 output | adr/8 | fce/8 | start/16 | 0x0000 | crc/16 | for deleting 1 output reply | adr/8 | fce/8 | start/16 | 0xFF00 | crc/16 | or | adr/8 | fce/8 | start/16 | 0x0000 | crc/16 | it is a simple copy of the request adr - address of the PLC on the Modbus fce - function, which the PLC performs after receiving the frame start - start address of data (output), which is to be processed crc - security word - 06 (Preset Single Register) Sets the content of one register = 1 word. It is a similar function to the previous one however the state of the register appears instead of the state of the bit. request | adr/8 | fce/8 | start/16 | data/16 | crc/16 | reply | adr/8 | fce/8 | start/16 | data/16 | crc/16 | again it is a simple copy of the request. adr - address of the PLC on the Modbus fce - function, which the PLC performs after receiving the frame start - start address of data which is to be processed data - content of written register crc - security word - 0F hex (Force Multiple Outputs) Simultaneous setting of more outputs. request | adr/8 | fce/8 | start/16 | number/16 | cnt/8 | data/8 * cnt | crc/16 | reply | adr/8 | fce/8 | start/16 | number/16 | crc/16 | adr - address of the PLC on the Modbus fce - function, which the PLC performs after receiving the frame. start - start address of data (output), which is to be processed. number - number of bits for writing cnt - number of bytes necessary for transmission of the addressed group of bits data - states of written outputs, words contain swapped bytes in the form L,H, L,H, L,H, ... crc - security word. - 10 hex (Preset Multiple Regs) Similar to the previous function it sets more registers at once. request | adr/8 | fce/8 | start/16 | number/16 | cnt/8 | data/16 * numb | crc/16 | reply | adr/8 | fce/8 | start/16 | number/16 | crc/16 | adr - address of the PLC on the Modbus fce - function, which the PLC performs after receiving the frame start - start address of data (output), which is to be processed number - number of words for writing cnt - number of bytes necessary for the transmission of the required group of words data - states of written registers crc - security word - 17 hex (READ/WRITE HOLDING REGISTERS) Joins the functions 03 read and 06 write. request | a/8 | f/8 | rst/16 | rno/16 | wst/16 | wno/16 | wcnt/8 | wdata/cnt*8 | |crc/16 | reply | a/8 | f/8 | cnt/8 | data/cnt*8 | crc/16 | a - slave address f - function READ/WRITE HOLDING REGISTERS rst - start of read area rno - number of registers of the read area wst - start of written area wno - number of registers of written area wcnt - number of bytes of data in the frame wdata - data that should be written If the Slave PLC does not understand something in a request/command it is obligated to return an exception. The exception should inform the Master about the situation in which it tried to work with either an unauthorised function for the given Slave or with data outside of the valid range for the given Slave PLC. - reply to the request or command entered incorrectly | adr/8 | 0x80+fce /8 | excode/8 | crc/16 | adr - address of the PLC on the Modbus fce - function, which develops the exception excode - exception number, specifies where exactly and what error occurred 1 - erroneous function number 2 - erroneous data address 3 - erroneous data content 5 - confirmed receipt of command, whose execution is slow 6 - rejection, Slave is busy with the function of a slower command crc - security word 1. Function of the Modem in the MODBUS protocol. The modem connected to Modbus has several function options (see below for a detailed description): - transparent mode In this mode data is transmitted as it was generated at the Master (or Slave in the case of a reply). It is only checked on a valid CRC and subsequently sent to the proper MORSE address. This is found by simple direct mapping of the Modbus address through the mask to the MORSE address. This mode does not check the content of transmitted data in any way. I.e. it is possible to transmit practically anything that meets the conditions of the correct CRC and address. This mode can only be recommended for applications for which the amount and what data will be transmitted is not known in advance. Another significant disadvantage are the Master Slave response speeds, which are directly proportionate to the transport of a packet through the network and back. - cache mode This mode comes from the assumption that most technology needs to gather data in one place (control centre) and only from time to time to send some command from the control centre. All data travelling in the direction of the control centre is memorised in the central modem's cache and from there immediately returned upon the Master's request, i.e.the central modem appears as a complete network of Slaves for the Master. Only commands for Slaves, changes, and from time to time updates in order to synchronise data in the cache and in the corresponding Slave are transmitted through the network. This saves about 90% of network capacity because it removes the transmission of data already contained in cache. An undisputed advantage is the fact that the response speed to a request to cache is of the order of milliseconds. Hence the Slave polling cycle is very fast. At this point of course a small defect surfaces - some of the PLC´s are not able to wait for a sufficiently long time for a reply - when they were designed calculations were not made with networks with a very long response (in comparison with conventional metallic wiring). This concerns the case when the Master is sending a command in the direction of the Slave. Then the response is longer - complete transport through the network and back. The moment the time runs out for such a PLC it starts to repeat the process even though the command has still not yet been delivered to the Slave. After several repeats it does wait for a reply, however it is the reply from first sending the command. The PLC stops repeating however the network is now teeming with the unnecessary repeating of commands and replies to them. For such an unfortunate PLC a draw bar exists which can be used to limit such a situation. By means of the parameter "(r)epeat discard" it is possible to set how many repeats should be discarded before it releases another into the network. The central modem is able to recognise a dead Slave. It keeps in memory times between individual updates or change packets and if such a time runs through the set value the corresponding Slave is declared as dead and the modem ceases to reply to requests to this Slave. Cache mode can be recommended for most applications where the volume of transmitted data does not exceed 50 bytes and the number of Slave stations is also under 100. (Aid: the volume of data can be greater but the product (volume_data * number_stations) should not exceed 5000, which is the maximum size of the cache). From the information above it is obvious that the cache mode removed unnecessary loading of the network when transmitting request from the Master to the Slave PLC´s because polling PLC´s is done locally between the modem and the PLC. Only commands and changes are then transferred through the network. - packet mode This mode only makes use of Modbus as a link layer. Data packets which contain information in the header for correct delivery within the MORSE network are transmitted (practically the same as in MORSE networks) between individual participants of this type of communication. The difference between the Master and the Slave ceases to exist in this mode. Hence it doesn't matter whether the Master is a modem or connected equipment in this communication. All participants can transmit packets without limits. For the Master the modem acts as a Slave and for the Slave the modem acts as Master. It is absolutely no problem to make a connection between two Master (Slave) PLC´s, which would not be possible with the general Modbus. Addressing passes from Modbus addresses to MORSE addresses. The original addresses are used only as link addresses and can be repeated within the MORSE network this even simplifies configuration. This mode is strongly recommended for heterogeneous networks where there are a large amount of different types of PLC´s and where there are high demands on variability (size and speed) of transmitted data. When operating in this mode there can also be spontaneous transformation of protocols. This can be used to relative advantage when connecting various pieces of technology mounted with PLC´s with various communication protocols. The packet mode also enables for example in the centre the use of communication with applications via the UDP/IP and Morse Application Server and on Slave stations besides the Modbus protocol the use of other protocols. Use of the packet mode and Application server saves significantly on invested resources because the need is dropped in most cases for fitting an expensive PLC Master, which generally only works as a data concentrator for the subsequently connected SCADA system. - time synchronisation This matter is not actually communication along the network but enables time to be synchronised between individual PLC´s and networks. Here the modem can be the source of time data or conversely the receiver. Probably the most common variation will be as follows: the central modem will be locked onto the time of the Master system. For other modems in the network it will be the source of time and other modems will then be the source of time for Slave PLC´s. - watchdog This element comes from the fact that the program in the Slave PLC does not have the possibility to learn whether communication has taken place or not. This is caused by the structure of the PLC and its firmware (Caution! Do not confuse with user software). In parametrising this mode the modem, in Master mode, will periodically write the agreed value (again a parameter) to a specific address in the PLC. - phantom access Phantom access can only be used in the mode when the modem is Slave and works with cache switched on. With the help of the phantom principle it is possible to approach cache without the addresses of individual Slaves. The whole cache appears to the Master system as a single Slave with a large pack of data. This principle is very advantageous for configuration with many Slave PLC´s in the network. Unnecessary requests on the small packs of data from individual Slaves drop out on the side of the Master system. The Master can read the whole cache using several small requests. Although the Master must know the organisation within the cache for this principle of activity. This is given by the structure of the data arriving from the Slave PLCs. - virtual station Similar to the phantom this element is also functional only for cache and for the Slave mode of the modem. This aid provides the superior Master system information about newly arrived messages from the network.On the basis of this information the Master can modify the sequence of polling in order to read data from cache only from addresses of stations that underwent change (change/update packet delivered). In this way it is possible to minimise polling from the side of the master system and thus significantly save on bus costs. The combination of cache, phantom and virtual station appears to be the most optimum. On the basis of information from the virtual station the Master makes a list of Slaves which underwent change and reads the necessary addresses for the phantom. Then using phantom it reads the necessary data all at once. Instead of many gradual requests now two requests will be sufficient. The first reads the contents of the virtual station and the second reads the necessary information from phantom. 1.1 Modem as MASTER The modem emulates the Master on the side of the Slave PLC. Here it is possible to connect a max. of 4 Slaves. Their addresses on RS485 should be unique within the MORSE-Modbus network because direct mapping using the MORSE->Modbus mask is used and vice versa (this rule does not apply to the packet mode). For certain modes it is also possible to use Art tables, however these are primarily determined for routing. According to the selected variations of operation the modem can periodically "lick" Slave PLCs and read data from them in cache and packet mode. A special case is transparent mode when requests to Slave PLCs are received without change from the central Master PLC via the network and replies to it are transferred without change via the network back to the central PLC. All modes mentioned can be switched on at once. 1.1.1 Modem MASTER in cache mode If the modem is parameterised to this mode it forms the Master for several connected Slave PLCs. The cache mode is based on the assumption that common technology more often than not concentrates data into one place (SCADA, Master PLC), whereas commands to the technology are more often than not sporadic. For correct operation program support is necessary even in connected Slave PLCs. The program in the PLC forms a so-called "communica-tion zone", into which data from technology necessary for the superior control process (SCADA, Master PLC) is stored. The order and types of data are not critical. The communication zone is a continuous part of the PLC memory for so-called Holding Registers (Modicon). These registers are generic memory cells which are accessible through the function of the Modbus protocol (different manufacturers have various names for this part of the memory, however Holding Registers is probably the most common). This zone is read cyclically by the modem (period of reading can be parameteri- sed). Modem [C] (see network diagram) forms a copy of the data from this zone and compares it with the latest data received (data received from a request to this "communication zone"). If the modem finds any difference between the copy and the latest data received it immediately sends this data to the central modem [B], where it is stored in cache. Data is also transmitted after a certain predefined time of forced updating has elapsed. This principle ensures that even if there is an accidental loss of a packet with change data all data is still transmitted after a certain time irrespective of its state. Hence data in the central modem is only as old as that period of forced updating. For optimum operation of the cache mode it is necessary to ensure that changes in the replicated (cache) area of memory are well-founded, using the user program in the PLC. This mainly means good handling of analog variables for example. It often occurs, thanks to various interference, that the signal from the sensor is full of induced clicks. If these spurious elements appeared in the communication zone the modem would regard every such change - fault as a signal for sending to the central station. In itself this wouldn't actually matter, however the fact that such transmission brings no useful data is certainly not trivial from the point of view of network loading. Program support in the PLC requires knowledge of the structure of transmitted data, because from the point of view of the modem it is all regarded as binary. Because Master [A] in the Modbus protocol has no address it is necessary to at least assign it a MORSE address. This is done with a parameter in the modem. It is possible to switch on time synchronisation and watchdog as additional accessories. The modem can also be operated with packet mode switched on. 1.1.2 Modem MASTER in Transparent Mode When setting the modem to this mode the modem is Master for the connected bus and determines who will have space on the bus. It is obligatory for all other devices to be Slaves. Otherwise this would lead to undefinable states and collisions. The Modbus protocol isn't able to use the multimaster mode. In transparent mode packets are transmitted via the network in the same form they were received from the Slave PLC. Of course the CRC is checked. If checking of the CRC fails the frame is discarded. The only condition here is that the frame received from bus 485 (to which Slave PLCs are connected) must be provoked by the frame sent to the bus. In practice this only means that if the modem does not send a command or request and still receives something from the bus, even if the CRC is checked to be alright, it considers it as random disturbance and disposes of the received frame.As the modem in the transparent mode does not carry out any other activity besides checking the CRC it is possible to send absolutely obscure functions and data through the network. A typical case is remotely reprogramming a Slave PLC. In order for the transparent mode to operate correctly it is necessary to ensure that addresses of connected Slaves are the same as MORSE addresses in the modem. Naturally this requires network multiaddressing to be switched on in the modem and correctly set local routing tables.Mapping of addresses MORSE -> Modbus is done with an eight bit mask, which trims the upper part of the MORSE address and remains a Modbus address which is used for sending to the 485 bus. Reverse mapping from Modbus addresses to MORSE is done in the same way. The upper part of the MORSE address is determined according to the mask and is connected to the Modbus address using a simple OR function. The complete MORSE address produced in this way is used for sending to the network (in MORSE this is termed the source address). As the modbus protocol does not use the Master system address it is necessary to inform the modem of it. Otherwise it is not possible to ensure correct delivery of data in the direction of the Master system. The MORSE network cannot operate in both directions without the addresses. This is ensured by the configurable parameter that determines this address. The modem then directs all authorised replies from the Slave PLCs to this address. It is a good idea to select a value outside of the designed range so that it doesn't lead to confusion, e.g. the designed network will have 34 participants set from one, so MORSE addresses will be in the range, for example, from 45230001 to 45230022 (34 is 22 in hexadecimal). Hence the address of the Master system can lie in the range from 45230023 to 452300FF. It is often better to select an address at the other end of the range in case of future expansion - if the division of network addresses actually allows this, i.e. the Master system could have a MORSE address of 452300FF in such an application. Of course the most common application case will be that of a modem + one Slave PLC. This situation is very simple for configuration because all that is necessary is to ensure that the address of the PLC conforms with the last byte of the MORSE address, set the correct mode in the modem, and the address of the Master system and its done. 1.1.3 Modem MASTER in Packet Mode Packet mode assumes the existence of two buffers in the Slave device for temporary storage of packets determined for transport through the network. These buffers are implemented as areas of general memory which are directly accessible via Modbus. The function which enables reading and writing to memory areas terms this area as Holding Registers (Modicon). One of these buffers is determined for sending to the network and the second for receiving from the network. The buffer determined for sending from Modbus to the MORSE network is called H2Nbuf (host to network buffer). Similarly the buffer for receiving from the MORSE network to Modbus is termed N2Hbuf (network to host buffer). Both directions are completely independent and can be operated asynchronously. Because the modem is a Master in the version described it is the one that determines the course of communication on the RS485 bus according to set parameters. Before launching into a detailed description of communication it is necessary to make the structure of the buffers clear. Both have a similar structure but they needn't have the same length. The minimum length of the buffer corresponds to the maximum length of the Modbus frame, i.e. 250 bytes (the lengths of headers and CRC are subtracted). The maximum length is not limited, however when using the MORSE system 1600 bytes, which is the maximum permitted packet length in MORSE networks, is sufficient. Structure of buffers: H2Nbuf: | H2Ndesc/16 | H2Nfr/modbusMRU | N2Hbuf: | N2Hdesc/16 | N2Hfr/modbusMTU | description of individual items: H2Ndesc stands for "host to net descriptor", and contains information necessary for transferring the packet via the Modbus: |ret/1|rep/1|No/2|res/1|rxsize/11| N2Hdesc (net to host descriptor) is similar to H2Ndesc: |ret/1|rep/1|No/2|res/1|txsize/11| ret - 0 - user pseudoframe, 1 - routing pseudoframe (reserved for Racom use) rep - repeat bit No - packet number res - reserved rxsize - size of pseudoframe including address and type in bytes txsize - size of pseudoframe including address and type in bytes N2Hfr - user pseudoframe H2Nfr - user pseudoframe modbusMRU - Maximum Receive Unit modbusMTU - Maximum Transmit Unit Memory addresses of individual blocks (H2Nbuf, N2Hbuf) are freely configurable in the modem according to the needs of the connected device. The pseudoframe contains the actual packet determined for transfer to/from the network. A header containing network information is concealed inside the pseudoframe. This is made up of the address, length and serial number. The header is located immediately behind the descriptor in the buffer. The structure of data and header of the pseudoframe is as follows: User pseudoframe: | T/8 | D/1 | R/4 | N/3 | A/32 | data | T - type of packet D - bit DTE, if it is 0, the sender is DCE, A is source address. Conversely if it is 1, the sender is DTE, A is destination address. R - reserved, must be zero N - network number (transmitted along the network). A - address in the network data - actual data of the pseudoframe Numbering of packets is not obligatory. The number is supplied to the target address and can serve for checking the order of the supplied packets (the MORSE network does not guarantee that the order will be kept precisely). The address is either the source address (DTE receives packet) or the destination address (DTE sends packet). The packet comes to the protocol via the CNI (Channel to Node Interface), which can transfer the user address space to MORSE address space, e.g. by means of a mask. The max. permitted length of data in the MORSE network layer is 1626 bytes. Longer packets are not defined in the system. The optimum packet size for the MORSE system is 200-400 bytes. The packet type is similar to packets in the MORSE system. a detailed description about them can be found in other documents (e.g. Mars-A). We can now take a look at how communication will take place. If a Slave wants to send a packet then the descriptor (H2Ndesc) in H2Nbuf is tested. If it is zero H2Nbuf is filled according to the description. In the first word there is the descriptor with the length, from the second word there is the actual transferred packet (user pseudoframe) with the header followed by the actual data. The Master (modem) constantly (over the set period of reading) checks the descriptor in H2Nbuf and if it is not zero it reads a packet from H2Nbuf and subsequently sets the descriptor in H2Nbuf to zero. In this way it tells the Slave device that it has taken the packet and inserted it into the Morse network for sending. The Slave can now fill H2Nbuf with another packet, etc. In the opposite direction - receiving from the network - the process is analogical however only the modem checks the descriptor before writing. If the modem finds out that the descriptor is not zero, i.e. the Slave has still not taken the previously delivered pseudoframe, it tries it again and again until the life of this frame expires. This frame is then discarded. However, if during the course of the delivery attempt a zero descriptor is found (Slave processed the frame) the normal transfer process starts running. As the maximum size of data transferable in one frame of the Modbus protocol is 256 bytes this packet needs to be read (written) using several frames (fragments) if it is necessary to transmit a longer packet through the buffers. 1.1.4 Modem MASTER and Time Synchronisation A lot of technology based on Modbus requires Slave PLCs to be time synchronous (real time). Modbus alone does not have any hardware for time synchronisation and so generally it is resolved at the program level. These transmissions of time information are unnecessary from the point of view of the MORSE network because the MORSE network itself allows real time to be found at any point with relatively negligible demands on capacity. To save the Modbus application programmer work and also network capacity a mode of time synchronisation was introduced between the Slave device and the modem. The modem as Modbus Master can work in two modes: it is able to provide real time or conversely to receive time and synchronise to it. In the first case when the modem is the source of time it writes time to a specific area of memory in the Slave PLC in the set interval. Functions for work with Holding registers are used as well, the same as in cache and packet mode. The program in the Slave PLC tests this area and if it finds out that it contains some data it takes it and uses it for time synchronisation. After successful processing it deletes the area. On the contrary if the modem is time synchronised from the Slave PLC this area is read and data contained in it is used for synchronising the modem. In this case it is useful if the program in the Slave PLC adjusts the time in this area as often as pos-sible. Only in doing this will there be no differences when synchronising. If the modem is synchronised it is enough to fill the zone with data about GMT, summer/winter time and milliseconds. The other items are ignored. The structure of time data provided by the modem is relatively extensive and so the Slave PLC can choose the most suitable data. Format of time data: | gmtsec/32 | R/1 | ts/1 | R/4 | msec/10 | sec/8 | min/8 | hour/8 | day/8 | | month/8 | year/8 | gmtsec - current time, GMT indicated in seconds from 1.1.1970 is used (Unix time) msec - milliseconds in the current second. ts - timesavings, switch for summer/winter time (1 - summer, 0 - winter time) Other items contain local time including correction of the time zone. sec - current second min - minutes hour - hours (0 - 23) mday - day of the month (1 - 31) mon - month (0 - 11) year - year (data in the year form - 1900) R - reserved 1.1.5 Modem MASTER and Watchdog Some critical control processes require information about the correct activity of the modem. As most PLCs, thanks to their internal firmware, grade communication on the serial port from the user program the user does not have a means of finding out if the modem is working correctly. In light of this a mode was introduced where the modem regularly writes defined data to a predefined location. The program in the Slave PLC tests this area and evaluates its state. If the program finds out that nothing was written into this area for longer than the set period it can switch to a state not requiring communication, or alternatively safely shut down the technology. The modem knows how to write into the area of free memory (Holding Registers) using the set bit mask. Time is also configurable in wide bands. Generally the watchdog mode runs as follows: the modem, for example, once every five seconds writes to the Slave PLC, e.g. to address 0x1000 the value 0x8000 (i.e. sets a higher bit in the given word). This address is also tested by the program in the PLC. If it finds it has written to a correct bit it deletes this bit and starts the timer, which is set to a time slightly greater than five seconds. The cycle repeats when writing occurs again. If the timer runs out it is an unmistakable sign that the correct bit was not written and this can be declared as a modem failure. 1.2 Modem as SLAVE Slave mode is essential for connecting to the Master system. According to the selected variations of operation the modem appears as a complete 485 network or communicates in packet mode when operation typically for the 485 network fades away. Typical applications use the Master as a data concentrator and hence the connected modem is the route to the remote Slave PLCs. It is important to note that in this mode the modem will be loaded several times more than any remote modem at a Slave PLC. All data to/from the network must pass through it. 1.2.1 Modem SLAVE in Cache Mode Slave modem [B] is connected to the Master PLC [A]. On its requests, which must be in accordance with replicated areas (supported by practically all reading functions), the modem returns replies the same as if Slave PLCs would be directly on the same segment of the bus. If the request is not correct an exception is returned. As the modem does not know what data is contained in cache it returns the same data to various types (functions) of requests with the same address, i.e. if the program in the Slave PLC positioned bit data (inputs/outputs) in a specific position in cache and the Master makes a request to this position like to a register this data is returned like the content of the registers. The situation is similar even in the case of a bit request to the position of a register. Commands and other write functions pass outside of cache and are directly transferred through the network to the Slave PLC [D]. The reply to these commands is also transferred directly. This results in a request on the Master system: it must be able to wait for a reply for a longer period than for replies from cache. Because memory for cache in modem [B] is limited, it is necessary to know in advance the amount of data from one Slave PLC and the number of them. (See help above). It is necessary to mention the fact that when starting the modem, either because of a power failure or when resetting the software the whole of the cache is initialised. In this case all data is lost and must be updated from Slave stations. Also all stations will be declared as dead. This is because of the need for clearly defined starting conditions. It is necessary to make allowances for this disadvantage during the design phase. In cache mode support tools are available for saving costs on the bus. As was previously mentioned above this concerns phantom access and virtual stations. Services connected with real time and packet mode are also available. 18.104.22.168 Phantom Access By switching on phantom access it is possible to move around the cache area without the use of Slave PLC addresses which are necessary under normal conditions. The principle comes from the fact that data in cache is arranged consecutively according to the addresses of individual Slaves. If a Slave is not occupied there is space in cache with zero content of the size the Slave would have occupied. By cancelling the rule that it is only possible to access the area in cache reserved for a certain Slave via its address and by establishing a linear address space through the whole cache we almost achieve the desired effect. It is also necessary to distinguish normal requests from requests to the phantom. This can be done in two ways. First by establishing a new address within the network which the phantom will listen to. It is obvious that this address cannot exist anywhere else in the network. The other method is to distinguish requests to the phantom by means of the start address of the request (see the description of Modbus frames). This principle is a little more complicated because the Master system must count offsets within cache from the phantom's initial address. When using the first principle counting of the offset drops out because cache is then set from the zero address. When using phantom access the Master system must read data irregardless of which Slave it belongs to. Its sorting is then only a matter of the ingenuity of the program in the Master system. The greatest advantage of this access to cache is the marked saving on bus costs. Furthermore there is also a significant increase in response time of the whole system. At the present time only the principle of a unique phantom address is supported, the other is still under development. 22.214.171.124 Virtual station By permitting this feature the Master obtains the ability of having a constant view of incoming messages from the network. Naturally this option is only supported in cache mode. Virtual station data are actually data fields whose individual items (bits) correspond to remote stations, i.e. the first bit corresponds to station number one, the second bit to number two, etc. When a packet has arrived from a remote station the modem ascertains the senders address and sets the respective bit in the virtual station's bit field to log. 1. If the Master reads anything from cache from the address of station which is sending the data the respective bit is again flipped back to log. 0. For example, data packets arrived from stations 5, 28 and 49. Data from the packets is stored in cache and the bits corresponding to the numbers of the stations (5, 28, 49) are set to 1. In one of the following requests the Master ascertains the state of the virtual station and can modify the polling list in such a way that it inserts the numbers of stations 5, 28, and 49 at the beginning of the whole cycle. Hence data from these stations is read first without unnecessary waiting until it is their turn in the polling cycle. The modem subsequently flips the corresponding bits and the whole process can be repeated. A virtual station appears as another member of the network for the Master system, i.e. it has its own address within Modbus. It also has a specific structure of data (see above). It is obvious that in this way it is possible to save on a lot of the time which data would wait in cache before the Master would read and process it. This again shows itself positively on faster system responses. 1.2.2 Modem SLAVE in Transparent Mode Transparent mode in the SLAVE modem does not differ greatly from that in the MASTER modem. Data is subject to the same checks on the CRC. Also the address of the remote Slave PLC is ascertained by the same mechanism. As the modem cannot anticipate the states of individual remote systems packets are transmitted from the network irregardless of whether they were called by the Master system or not. The Master system should be resistant to such cases where an unsolicited packet emerges from the network. The cause of such states can be a loss of confirmation and subsequent duplication of packets. This should not occur in a well tuned network. 1.2.3 Modem SLAVE in Packet Mode Packet transmission in SLAVE mode is based on the same principle as in the MASTER case. The difference now is that the modem does not determine movement on the bus but must wait until the Master addresses it. So, it stores the incoming packet from the network in a queue and sets its specified lifetime. The Master is obligated to call the modem on such a frequency that it manages to receive all incoming packets, otherwise the modem starts discarding packets. The Master reads N2Hdesc and ascertains its status. If it finds that the descriptor is not zero it counts how many times it is going to read the incoming packet. It then starts its own packet counting mechanism. If the packet is read it confirms it has been read correctly by writing a zero in the descriptor. The modem can prepare another packet. The Master proceeds in a similar manner if it needs to send a packet. First it reads descriptor H2Ndesc and makes sure that it is zero. It then starts to transfer the packet. Finally it records the descriptor as a signal that the packet as a whole is ready to be sent through the network. The modem processes the packet and sends it to the network. It then deletes the descriptor as confirmation for the Master that everything has been done. 1.2.4 Modem SLAVE and Time Synchronisation In this mode the modem is again capable of two versions of operation. It can operate as a source of real time or can be synchronised from the Master system. In the first case when the modem is a source of time the Master reads information, in the set interval, about the time from a specific area of modem memory. On the contrary if the modem is synchronised with time from the Master system this area is recorded and data in it is used for synchronising the modem. As with the MASTER modem it's enough to fill in data about GMT, summer time and milliseconds. If it is found that data will be recorded right at the start of a new second milliseconds do not need to be used and it can contain zeros. The structure of time data is similar to the case of the MASTER modem. 2. Parameters of the Modbus Protocol MODBUS parameters: (m)ode:MASTER (c)ache:OFF (p)acket:ON (t)rans:ON (a)utomaster:OFF (s)ervices (C)ache params (M)aster params (S)lave params (P)acket params (A)utomaster params (q)uit >> (m)ode:MASTER (c)ache:OFF (p)acket:ON (t)rans:ON - mode selection (a)utomaster:OFF - Slave can have the automaster function on, it then assumes the Master function when interrupting communication on RS458 >>C cache parameters: (v)irtual:0000 (p)hantom:0000 (l)ower address:0000h (h)igher address:0000h (q)uit >> Parameters for cash mode: (v)irtual:0000 - address of the location of the memory block for recording current messages from the Slave, 0000 = function off (p)hantom:0000 - address of the location of the memory block for one-off reading of the image of all Slaves, 0000 = function off (l)ower address:0000h - beginning of transferred section of memory in PLC (h)igher address:0000h - end of transferred section of memory in PLC >>M master parameters: (d)estination:69000031h m(i)rror:0s d(e)vice type:PLC slave addresses: (0):4h (1):5h (2):0h (3):0h (a)ddress mask:Fh (p)eriod:200ms (t)imeout:3000ms (q)uit >> Parameters for Master station - [C] in the introductory diagram: (d)estination:69000031h - address of centre in MORSE network, for cache and transparent modes, 00000000 = messages are sent back m(i)rror:60s - after this time the Master CU regularly passes the MORSE network message to the Slave CU d(e)vice type:PLC - choice between connected SEP technological unit and normal PLC slave addresses: (0):4h (1):5h (2):0h (3):0h - list of Slave stations included in the polling cycle (a)ddress mask:Fh - masked part of the MORSE address is used as a Modbus address (p)eriod:200ms - period for polling Slave stations (t)imeout:1000ms - max. time for waiting for a reply >>S slave parameters: RS485 (a)ddress:0h m(i)rror:0s (r)epeat discard:0 d(e)vice type:PLC (q)uit >> Parameters for Slave stations - [B] in the introductory diagram: RS485 (a)ddress:0h - address of Slave stations in the Modbus network, 01 to FF m(i)rror:120s - Slave CU waits for this time for a message from each Master CU, otherwise it discards it from the polling list (r)epeat discard:0 - number of repeats from Master PLC, which are discarded before one is sent to the radio network d(e)vice type:PLC - choice between connected SEP technological unit and normal PLC >>P packet parameters: (A)RT table No.:4 (N)2H buffer:1000 (H)2N buffer:2000 Warning! Both addresses should be nonzero. (q)uit >> Parameters for packet mode: (A)RT table No.:4 - selection of Art table for the transfer of MORSE addresses to Modbus addresses (N)2H buffer:1000 - Net to Host, which is MORSE Net to Modbus (H)2N buffer:2000 - Host to Net, which is Modbus to MORSE Net - addresses in memory, at which the respective buffer for storing data sent by the Modbus in packet mode starts. These addresses must be selected identically at all participants of the Modbus network. Here the term Net represents the connecting MORSE network or also the only CU connected to the RS485. >>A Modbus automaster: t(i)meout:0s master mode after switching: (c)ache:OFF (p)acket:OFF (t)rans:OFF (q)uit >> Parameters for Automaster mode: t(i)meout:0s - after this idle period on the RS485 the Slave with the (a)utomaster parameter switched on takes the Master task and continues in the mode determined by the following three parameters. Upon restoring the activity of the original Master the Slave returns to its task. >>s Modbus services: (t)ime sync:ON (m)ode:SENDER (p)eriod:10s time (a)ddress :3000h time sync (b)it:0000h (w)dog bit:0000h wd(o)g address:0000h wdog p(e)riod:0s (d)ebug address:69000011h (q)uit >> (t)ime sync:ON - switches on the function of transfer of time data between the Master and the Slave defined in "slave addresses (0)" (m)ode:SENDER - Master or Slave can be selected as SENDER (transmits time), and the other as RECEIVER (receives) (p)eriod:10s - period for transferring time data is only defined in Master time (a)ddress :3000h - address for saving time, Master and Slave time sync (b)it:0000h - special function (Toth) (w)dog bit:0000h - word periodically written to "slave addresses (0)" wd(o)g address:0000h - address of write to Holding Registers in Slave (0) wdog p(e)riod:0s - write period - parameters for watchdog are only set in Master (d)ebug address:69000011h - address for tuning purposes; all user packets, which came to the CU are sent to this address, to which, for example, Setr or async. link are connected 3. Examples and Explanations 3.1. Packet type. Brief description of the packet type for the user interface: |U/1|B/1|R/1|subt/5| U - link security bit (1 - secured packet) B - broadcast (multicast) bit (1 - broadcast packet) R - reserved subt - subtype subt=0x09 - USER DATA The basic type of packet for transporting data from the source to the destination. By setting the bit U=1 we obtain the mostly used packet type 0x89, it is secured user packet. subt=0x0A - PROT DATA This type of data is designed for data flow control in the user protocol. The service of both preceding types of packets in the MORSE network is equivalent. Packets are sent to the destination with the path and priority settings at the participants addresses. An error message is sent to the original sender if a packet is lost, but the packet carrying this error message can be, of course, lost as well, and in this case silently. subt=0x0Ch PACK ERROR REPORT MORSE error message. First word is the Error Number, the rest of the message holds more detailed information about the network error. Generation of these errors can be turned off and on for whole network. Some of these Error Numbers are here: 1 - PACKET_NOT_CONFIRMED 2 - STORE_TIMEOUT 3 - NO_CHANNEL_ASSIGNED 4 - ACCESS_TIMEOUT_ERROR 6 - WRONG_PACKET_FORMAT 7 - DEST_PROT_MISSING 8 - WRONG_PATH 9 - WIRE_LINK_FAIL subt=0x10 - SERVICE REQUEST Request for a MORSE service. subt=0x12 - SERVICE REPORT Response from the MORSE service. 3.2 Example of Reading Data in Cache Mode. The MASTER PLC sends requests to the connected CU MR25 and receives replies with data (left column). The CU provides data from its cache memory (right column). [A] [B] MASTER PLC interpreter CU (MR25) cache cache 01 02 00 08 00 08 CRC --> 79h 01 02 01 01 CRC | +-- 78h 2.word 01 03 02 56 78 CRC +------ 01h 01 01 01 0F CRC >O.K. >> 15:28:10.018| |69000014 69000021|S00I IN 409 6serv AAAA AAAA = Modbus Master protocol received data for sending for Slave 4 15:28:10.784 tx 8 | S00 0403 2000 0001 8F9F = Slave 4, do you have a free buffer H2N ? 15:28:10.788 rx;i 7 | S00 0403 0200 0074 44 = yes 15:28:10.789 tx 21 | S00 0410 2000 0006 0C30 0A09 0669 0000 14AA AAAA AA4C A0 = write a message 15:28:10.794 rx;i 8 | S00 0410 2000 0006 4B9E = I have written it 15:28:11.785 tx 8 | S00 0503 1000 0001 814E = Slave 5, do you have any data for me ? ... polling continues 15:28:11.788 rx;i 7 | S00 0503 0200 0049 84 = I don't 15:28:12.786 tx 8 | S00 0403 1000 0001 809F = 4, do you ? 15:28:12.790 rx;i 7 | S00 0403 0200 0074 44 = I don't For examples of the format of packets see article Sending a short user packet from Master to Modbus. 3.5 Sending a Short User Packet from Master to Modbus. Report AAAAAAAA is sent from Morse address 69000011 to address 69000014. In the Modbus network there is only one Slave with the address 04. 17:51:31.528 tx 8 | S00 0403 1000 0001 809F = packet 1 17:51:31.532 rx;i 7 | S00 0403 0200 0074 44 = packet 2 17:51:32.529 tx 8 | S00 0403 1000 0001 809F 17:51:32.533 rx;i 7 | S00 0403 0200 0074 44O.K. >> 17:51:32.640| |69000014 69000011|S00I IN 409 0serv AAAA AAAA 17:51:33.530 tx 8 | S00 0403 2000 0001 8F9F 17:51:33.533 rx;i 7 | S00 0403 0200 0074 44 17:51:33.534 tx 21 | S00 0410 2000 0006 0C30 0A09 8069 0000 14AA AAAA AA06 C6 = packet 3 17:51:33.540 rx;i 8 | S00 0410 2000 0006 4B9E = packet 4 17:51:34.531 tx 8 | S00 0403 1000 0001 809F 17:51:34.534 rx;i 7 | S00 0403 0200 0074 44 packet 1 - reading register | 04 | 03 | 1000 | 0001 | 809F | | adr| fce | start adr | number of words | CRC | in register read packet 2 - reply to reading | 04 | 03 | 02 | 00 00 | 7444 | | adr| fce | number | content | CRC | of bytes of bytes read read packet 3 - write to register in Slave 04 | 04 | 10 | 2000 | 0006 | 0C | 300A | 098069000014 | AAAAAAAA | 06C6| | adr| fce|start |number |number |H2Ndesc| header | data | CRC | |address|write |write | | user pseudoframe | |in reg.|words |bytes | content of written buffer | H2Ndesc - descriptor of Host to Net buffer 300A = 0011 0000 0000 1010 0 - user pseudoframe 0 - repeat bit 11 - packet number 0 - reserve 000 0000 1010 - size of user pseudoframe (10 bytes) header of user pseudoframe 098069000014 = 09hex 1000 0000 69000014hex 09hex - type of packet 1 - bit DTE -> address is destination 0000 - reserve 000 - network number 69000014hex - address, here destination packet 4 - reply to write | 04 | 10 | 2000 | 0006 | 4B9E | | adr| fce| start | number | CRC | | address| written | | in reg.| words | 3.6 Sending a short user packet from Slave to Modbus. Message BBBBBBBB is sent from the Morse address 69000014 to address 69000004. There is only one Slave in the Modbus network with address 04. 18:07:33.650 rx;i 8 | S00 0403 1000 0001 809F 18:07:33.651 tx 7 | S00 0403 0200 0074 44 18:07:34.651 rx;i 8 | S00 0403 1000 0001 809F 18:07:34.652 tx 7 | S00 0403 0200 0074 44s >>O.K. >> 18:07:35.652 rx;i 8 | S00 0403 1000 0001 809F 18:07:35.653 tx 7 | S00 0403 0200 0074 44 18:07:35.739| |69000004 69000014|S01I OUT 489 0serv BBBB BBBB 18:07:35.740| |69000004 69000014|S00I IN 489 7serv BBBB BBBB 18:07:36.653 rx;i 8 | S00 0403 1000 0001 809F = do you have data in N2Hbuf ? 18:07:36.654 tx 7 | S00 0403 0220 0AED 83 = yes, I have 10 bytes 18:07:36.657 rx;i 8 | S00 0403 1000 0006 C15D = send 2+10=12 bytes (including N2Hdesc) 18:07:36.658 tx 17 | S00 0403 0C20 0A09 8769 0000 04BB BBBB BB30 0D = I am sending 12 bytes 18:07:36.665 rx;i 11 | S00 0410 1000 0001 0200 0088 C1 = delete N2Hdesc 18:07:36.667 tx 8 | S00 0410 1000 0001 055C = deleted 18:07:37.654 rx;i 8 | S00 0403 1000 0001 809F = do you have data in N2Hbuf ? 18:07:37.655 tx 7 | S00 0403 0200 0074 44 = no 18:07:38.655 rx;i 8 | S00 0403 1000 0001 809F 18:07:38.656 tx 7 | S00 0403 0200 0074 44 3.7 Sending a long user packet from Master to Modbus. A message 404 bytes long is sent from Morse address 69000011 to address 69000014. There is only one Slave in the Modbus network with address 04. 17:50:19.456 tx 8 | S00 0403 1000 0001 809F 17:50:19.459 rx;i 7 | S00 0403 0200 0074 44s 17:50:20.457 tx 8 | S00 0403 1000 0001 809F 17:50:20.460 rx;i 7 | S00 0403 0200 0074 44 >> 17:50:20.834| |69000014 69000011|S00I IN 40409 0serv AAAA AAAA CFAC F1C2 1471 E0B5 EB8D 420F 0A6C 3CAB 5EC2 D591 6F5C 8501 7478 BF1A 2973 3B6F BC35 529F 3F99 9AD6 D4C8 73B7 0C3C 6020 F9F0 4FD2 D0DC 44D5 C0CE 8039 F652 877E 2F0C 4FC9 05E3 9DBA 18CB A06F 2708 EC21 714E AC63 ADFB 1FDC FA68 9F24 0701 8601 7EA5 C236 0A7B 7CAF 823B B99E 85AA D9EE 16AF 0C1A 8445 E443 3D47 F320 A6BC 3916 0433 2E9D 914A BCC5 4A7A 586A 3FBD 7084 D6A6 F38E CA05 C9FB 2C2E 3336 E57E E89D 4BA8 3575 2EFD C4C9 49AB 2DBB 099C 34A3 6885 BB17 9E46 62B1 20A2 662D 4801 1235 43B7 02F5 78FE CD4C 26B1 7238 E462 D8CB 7E61 FECB 78D2 89D5 5AE4 528A 77C1 593C 6DD3 BF14 B579 D09D 8730 5648 CDEA 2D3A F50B 0E82 DA36 5495 31F7 EE96 F2F8 76D2 0E30 FD88 8B58 7ACA 3F89 7211 70D0 0FEE 0418 5DD3 FBBB 01E2 43A0 D057 BCA2 29D5 5BC1 2DCA B246 19A2 82E1 357C D46D 5CA8 6DD9 F414 7F6D EA6A A460 9D94 0C79 26E5 B038 0B10 A2AF 8CB5 131A 582D 0CDD DCE6 AF62 DC5C 2017 709B 0F7A 7BD4 FEF9 0861 B808 0C51 45BC 3551 70D7 498E EAFB 37E7 3086 9583 6143 F0A5 16F3 805F 455D 3E67 A265 D444 A55A E685 0B7B A0C4 AC63 E2ABO.K. >> = sent data enter S00, where Modbus is 17:50:21.458 tx 8 | S00 0403 2000 0001 8F9F = do you have H2Nbuf free ? 17:50:21.461 rx;i 7 | S00 0403 0200 0074 44 = yes 17:50:21.464 tx 255 | S00 0410 2053 007B F633 36E5 7EE8 9D4B A835 752E FDC4 C949 AB2D BB09 9C34 A368 85BB 179E 4662 B120 A266 2D48 0112 3543 B702 F578 FECD 4C26 B172 38E4 62D8 CB7E 61FE CB78 D289 D55A E452 8A77 C159 3C6D D3BF 14B5 79D0 9D87 3056 48CD EA2D 3AF5 0B0E 82DA 3654 9531 F7EE 96F2 F876 D20E 30FD 888B 587A CA3F 8972 1170 D00F EE04 185D D3FB BB01 E243 A0D0 57BC A229 D55B C12D CAB2 4619 A282 E135 7CD4 6D5C A86D D9F4 147F 6DEA 6AA4 609D 940C 7926 E5B0 380B 10A2 AF8C B513 1A58 2D0C DDDC E6AF 62DC 5C20 1770 9B0F 7A7B D4FE F908 61B8 080C 5145 BC35 5170 D749 8EEA FB37 E730 8695 8361 43F0 A516 F380 5F45 5D3E 67A2 65D4 44A5 5AE6 850B 7BA0 C4AC 63E2 ABA5 7A = write the last part of the data to H2Nbuf 17:50:21.492 rx;i 8 | S00 0410 2053 007B 7BAE = written 17:50:21.494 tx 175 | S00 0410 2000 0053 A611 9A09 8069 0000 14AA AAAA AACF ACF1 C214 71E0 B5EB 8D42 0F0A 6C3C AB5E C2D5 916F 5C85 0174 78BF 1A29 733B 6FBC 3552 9F3F 999A D6D4 C873 B70C 3C60 20F9 F04F D2D0 DC44 D5C0 CE80 39F6 5287 7E2F 0C4F C905 E39D BA18 CBA0 6F27 08EC 2171 4EAC 63AD FB1F DCFA 689F 2407 0186 017E A5C2 360A 7B7C AF82 3BB9 9E85 AAD9 EE16 AF0C 1A84 45E4 433D 47F3 20A6 BC39 1604 332E 9D91 4ABC C54A 7A58 6A3F BD70 84D6 A6F3 8ECA 05C9 FB2C 2EAD 9A = write the next part of the data from the end (here the beginning of the data including the header of the user pseudoframe) 17:50:21.514 rx;i 8 | S00 0410 2000 0053 8BA1 = written 17:50:22.459 tx 8 | S00 0403 1000 0001 809F 17:50:22.462 rx;i 7 | S00 0403 0200 0074 44 3.8 Sending a long user packet from Slave to Modbus. The message is sent from the Morse address 69000014 to address 69000004. There is only one Slave in the Modbus network with address 04. 18:17:30.241 rx;i 8 | S00 0403 1000 0001 809F 18:17:30.242 tx 7 | S00 0403 0200 0074 44s 18:17:31.243 rx;i 8 | S00 0403 1000 0001 809F 18:17:31.243 tx 7 | S00 0403 0200 0074 44 18:17:32.097| |69000004 69000014|S00I IN 40489 2serv AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA ABBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF = data enters port S00, where Modbus is 18:17:32.243 rx;i 8 | S00 0403 1000 0001 809F = do you have data in N2Hbuf for the Master? 18:17:32.244 tx 7 | S00 0403 0211 9AF8 7F = yes, I have 0x19A bytes 18:17:32.248 rx;i 8 | S00 0403 1051 007D D0AF = send 0x7D bytes 18:17:32.250 tx 255 | S00 0403 FACC CCCC DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD DDDD EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEEE EEFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFE6 63 = first part of data (from end) sent 18:17:32.278 rx;i 8 | S00 0403 1000 0051 80A3 = send 0x51 bytes 18:17:32.280 tx 167 | S00 0403 A211 9A09 8269 0000 04AA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CC59 3D = next part of data sent 18:17:32.303 rx;i 11 | S00 0410 1000 0001 0200 0088 C1 = delete N2Hdesc 18:17:32.305 tx 8 | S00 0410 1000 0001 055C = N2Hdesc deleted 18:17:33.245 rx;i 8 | S00 0403 1000 0001 809F 18:17:33.245 tx 7 | S00 0403 0200 0074 44 18:17:34.245 rx;i 8 | S00 0403 1000 0001 809F 18:17:34.246 tx 7 | S00 0403 0200 0074 44 3.9 Automaster sends Herman's packet. The Slave switched to the Automaster mode sends an imitation "Herman's" packet generated from the MORSE main menu using the mth. command. There is only one other Slave in the network with address 04. 0403 1000 0001 809F 06:52:00.388 rx;i 7 | S00 0403 0200 0074 44h 06:52:01.373 tx 8 | S00 0403 1000 0001 809F 06:52:01.389 rx;i 7 | S00 0403 0200 0074 44 Send type :09 69000005h> 06:52:01.784| |69000005 69000025|S00I IN 25589 6serv 0410 2092 007B F600 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0022 93 = packet enters SCC0 where Modbus is 06:52:02.374 tx 255 | S00 0410 2092 007B F600 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0022 93 = write 0xF6 bytes of data to Slave memory 06:52:02.527 rx;i 8 | S00 0410 2092 007B 2A52 = written 06:52:02.528| |69000025 69000005|S00I OUT 8 89 0serv 0410 2092 007B 2A52 = acknowledgement of the transfer of the packet is sent to src address 69000025 06:52:03.375 tx 8 | S00 0403 1000 0001 809F 06:52:03.390 rx;i 7 | S00 0403 0200 0074 44 3.10 Automaster sends Herman's broadcast. The Slave switched to the Automaster mode sends an imitation "Herman's" broadcast generated from the MORSE main menu using the mtH. command. The packet spreads through the MORSE network like a broadcast, in Modbus as a direct packet. Upon acknowledgement in Modbus a return message to the MORSE network is not generated. In the example it is the only other Slave in the network with address 04. 07:05:53.204 tx 8 | S00 0403 1000 0001 809F 07:05:53.220 rx;i 7 | S00 0403 0200 0074 44H 07:05:54.205 tx 8 | S00 0403 1000 0001 809F 07:05:54.221 rx;i 7 | S00 0403 0200 0074 44 Send type :49 69000005h> 07:05:55.206 tx 8 | S00 0403 1000 0001 809F 07:05:55.214| |F31E4335 69000025|S00I IN 25589 1serv brc 0410 2092 007B F600 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0022 93 = brc packet inserted in SCC0 07:05:55.222 rx;i 7 | S00 0403 0200 0074 44 07:05:56.207 tx 255 | S00 0410 2092 007B F600 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0022 93 = write to Slave memory, packet is sent to Modbus network 07:05:56.361 rx;i 8 | S00 0410 2092 007B 2A52 = written = acknowledgement message not generated for src address 69000025 07:05:57.208 tx 8 | S00 0403 1000 0001 809F 07:05:57.224 rx;i 7 | S00 0403 0200 0074 44 4. History This description is valid for sw version 574 from 20.5.2002.