1. Introduction
In intelligent building engineering, the interconnection scheme for subsystems such as central air conditioning, elevators, ventilation, water supply and drainage, lighting, and fire alarms adopts the Modbus TCP protocol for serial communication. This is fully compatible with the Modbus industry standard, ensuring reliable data transmission, fast response, and flexible expansion. Communication between each subsystem and the central management system is carried over the Internet. Modbus TCP is built on the TCP/IP stack, with the application layer using the de facto industry standard Modbus protocol. Modbus TCP uses TCP port 502, which is internationally recognized for this purpose. The serial bus variant supports media interfaces such as RS-232, RS-422, and RS-485. Modbus TCP uses a client/server communication mode, as shown in Figure 1.
Figure 1. Modbus TCP network communication mode
2. Analysis and Implementation of Modbus TCP Serial Communication
In a certain intelligent building, each subsystem primarily uses a PLC as the main control module, as shown in Figure 2. Network interconnection employs Modbus TCP network communication. The interconnection between the central management system and this network is a crucial issue to be addressed. The PLC stores the relevant status and parameter information of each subsystem in its registers. The central management system needs to read the values of some holding registers in the PLC to perform comprehensive monitoring and management of the intelligent building. The Modbus TCP protocol provides corresponding instructions for reading these holding registers.
Figure 2 Schematic diagram of intelligent building system
2.1 Protocol Analysis
The Modbus TCP data packet structure is shown in Figure 3.
Figure 3 Modbus TCP data packet structure
Communication analysis of a single Modbus TCP read of holding registers (IP/TCP headers omitted). The request and response frames discussed below are, byte by byte:

Request: 00 03 00 00 00 06 03 03 00 00 00 01
Response: 00 03 00 00 00 05 03 03 02 00 17

Request, read from left to right: 00 03 is the communication number (the transaction identifier), which is usually incremented by 1 after each exchange to distinguish successive messages; 00 00 is the protocol identifier, where 00 00 denotes the Modbus protocol; 00 06 is the data length, giving the number of bytes that follow; 03 is the device address (unit identifier), used to identify the remote server on the serial line or network. These seven bytes are also called the Modbus header (MBAP). 03 is the function code; code 03 means reading holding registers. 00 00 00 01 are the function code parameters, giving the starting address (0000) and the number (0001) of holding registers to read.

Response, read from left to right: 00 03 is the communication number, which must match the corresponding request; 00 00 is the protocol identifier for Modbus; 00 05 is the data length, the number of bytes that follow; 03 is the device address, which must also match the request. These seven bytes again form the Modbus header. 03 is the function code, which normally echoes the request; if an error occurs, the device returns 80h + the request's function code. 02 is the first parameter of the function code, the number of data bytes that follow; 00 17 is the value read from the holding register, meaning the holding register at address 0000 holds 0017h.
Figure 4 shows an example analysis of the test program (master) sending data (hex) and the PLC (Modbus TCP slave) responding data (hex).
Figure 4. Sample analysis of program sending/receiving data packets
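As an added example (not the paper's test program), the following Python builds the read request analysed in section 2.1 and strictly validates the response against it, rejecting mismatched transaction or unit identifiers, wrong length fields, and exception replies (80h + function code). The byte strings are constructed from the frames in section 2.1; the function names are this example's own.

```python
import struct

MBAP_LEN = 7            # transaction id (2) + protocol id (2) + length (2) + unit id (1)
FC_READ_HOLDING = 0x03  # function code 03: read holding registers


def build_read_holding_request(transaction_id, unit_id, start_addr, count):
    """Build a Modbus TCP 'Read Holding Registers' request frame.

    The MBAP length field counts the bytes that follow it:
    unit id + function code + the four parameter bytes.
    """
    if not 1 <= count <= 125:   # maximum register count permitted for FC 03
        raise ValueError("count must be 1..125")
    pdu = struct.pack(">BHH", FC_READ_HOLDING, start_addr, count)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_read_holding_response(frame, expected_tid, expected_unit, expected_count):
    """Validate a response against the request it answers and return the
    register values. Any inconsistency raises ValueError: a client should
    discard such a frame instead of trusting its payload."""
    if len(frame) < MBAP_LEN + 2:      # need at least function code + 1 byte
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ValueError("protocol identifier is not Modbus (0)")
    if length != len(frame) - 6:       # length covers everything after it
        raise ValueError("MBAP length field does not match frame size")
    if tid != expected_tid or unit != expected_unit:
        raise ValueError("response does not match the outstanding request")
    fc = frame[7]
    if fc == FC_READ_HOLDING | 0x80:   # exception reply: 80h + function code
        raise ValueError("device returned exception code 0x%02x" % frame[8])
    if fc != FC_READ_HOLDING:
        raise ValueError("unexpected function code 0x%02x" % fc)
    byte_count = frame[8]
    data = frame[9:]
    if byte_count != len(data) or byte_count != 2 * expected_count:
        raise ValueError("byte count does not match data length or request")
    return list(struct.unpack(">%dH" % expected_count, data))


# Constructed samples: the request/response pair analysed in section 2.1.
REQUEST = bytes.fromhex("000300000006030300000001")
RESPONSE = bytes.fromhex("0003000000050303020017")
```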
2.2 Program Flow
The flowchart of the main program is shown in Figure 5. Its main functions are to establish the TCP/IP connection and handle connection errors.
The flowchart of each working cycle of the Modbus TCP protocol is shown in Figure 6.
Figure 5 Main Program Flowchart
Figure 6 Flowchart of a single work cycle
2.3 Program Testing
First, enter the IP address of the server to connect to in the ip field, then click connect to establish the connection. After a successful connection, enter the starting address of the holding registers to be read in oFFset and the number of holding registers to be read in length. Finally, click trigger to read the holding registers once. The sent and received data packets (hex) are displayed in the send and received fields, and an explanation of these packets is displayed in the data monitor.
3. Conclusion
This paper provides a brief introduction to the Modbus TCP protocol and its application in intelligent building engineering. It focuses on analyzing the process of reading data from the holding registers of a PLC using Modbus TCP, proposes a solution for implementing Modbus TCP protocol communication, and demonstrates successful programming and debugging to achieve the expected functionality.