bartool/linuxcnc-modbus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

init

Browse Source
This commit is contained in:
bartool
2026-06-05 11:31:00 +02:00
commit f3de789a98
5 changed files with 2502 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
VariableFrequencyDrive(M)_1734946688662.pdf Normal file
View File

Binary file not shown.

1687
console.log Normal file
View File

File diff suppressed because it is too large Load Diff

310
manual.md Normal file
View File

@@ -0,0 +1,310 @@
### 6.10 Communication function parameters
| F163 | Setting range | Unit | Ex-factory value | Alteration |
|-|-|-|-|-|
| Communication address | 0-250 | 1 | 1 | X |
When RS-485 communication port control is set for the inverter, the position of each inverter shall be set via a parameter.
0: No communication function
01-250: Position of inverter
| F164 | Setting range | Unit | Ex-factory value | Alteration |
|-|-|-|-|-|
| Communication transmission speed | 0-3 | 1 | 2 | X |
0:4800 bit/s 1:9600 bit/s 2:19200 bit/s 3:38400 bit/s
| F165 | Setting range | Unit | Ex-factory value | Alteration |
|-|-|-|-|-|
| Communication data mode | 0-5 | 1 | 3 | X |
0: 8N1 For ASCII 1: 8E1 For ASCII 2: 8O1 For ASCII
3: 8N1 For RTU 4: 8E1 For RTU 5: 8O1 For RTU
example:
```tekst
1. 8N1 For ASCII F165=0 or 8N1 For RTU F165=3<br>
2. 8E1 For ASCII F165=1 or 8E1 For RTU F165=4<br>
3. 8O1 For ASCII F165=2 or 8O1 For RTU F165=5
```
| F166-F168 | Reserved |
|-|-|
| F169 | Setting range | Unit | Ex-factory value | Alteration |
|-|-|-|-|-|
| Given decimal point of communication frequency | 0: Communication 0201H egister adopts 1 bit decimal<br>1: Communication 0201H register adopts 2 bit decimal | 1 | 0 | X |
F169 sets the decimal point position of the given communication frequency (0201h register)
#### Summary
(1) D100 series converters support RTU mode in standard Modbus protocol.
RTU mode: Each 8bit data is composed of two hexadecimal characters of 4bit, for example: 64H (hex).
| | RTU Mode|
|-|-|
| Start bit | 3.5 bits |
|Slave address | 1 bit |
| Modbus function NO. | 1 bit |
| Data | n bit |
| CHECK | CRC162 bit|
| End bit | 3.5 bits|
Inverter parameters communication address indicate hexadecimal system, for example communication address of F100 is 0064H. Communication specific variables: including communication specific instruction variables and communication specific state variables, address starting from 0200H. Save of communication variables: rewrite inverter parameters (for example F100) to be stored in EEPROM.Still save after power failure. But parameters cannot be rewritten frequently, otherwise EEPROM memory may be damaged. Rewriting communication-specific variables (variables after 0200H) only modifies values in RAM. Do not save after power failure, it allow rewriting frequently. Data Types in Communication: because of data is hexadecimal integer, the smallest unit can be seen from the decimal point position of the parameters in the function table. For example, the minimum unit of F003 is 0.1Hz. Therefore, according to Modbus protocol, communication transmission 300 represents 30.0Hz. Rewritten, of F013 and F172 parameters can only by 06H function, not support by 10H function, and there is no response frame.
**Supported Modbus Function**
| Parameter | Function | Specification |
|-|-|-|
| 01H | Read parameter address status | Read from 1 to 32 |
| 03H | Read holding register | Read from 1~20. Read all parameters,communication-specific variables |
| 04H | Read input register | Read from 1~20. |
| 05H | Write single parameter address | Write data FF00Hparameter address ONwrite 0000Hparameter address OFF |
| 06H | Write single holding register | All parameters and communication-specific variables can be rewritten |
| 0FH | Write multiple parameter address | Write from 1~32. parameter address start from 0048H |
| 10H | Write multiple holding registers | Rewritten from 1~20. All parameters and communication-specific variables can be rewritten
### (1) Communication Address table
**1. parameter address address table**
Modbus mode include01H (read parameter address status), 05H (write single parameter address), 0FH (write multiple parameter address)
| parameter address | Name | R/W | Specification |
|-|-|-|-|
| 0000 | Operation | R | 0Stop 1Operating |
| 0001 | JOG | R | 0Invalid 1JOG |
| 0002 | Forward/reverse | R | 0Forward 1Reverse |
| 0003 | In operation | R | 0Stop 1In operation |
| 0004 | In jogging | R | 0Invalid 1In jogging |
| 0005 | In forward/reverse rotation | R | 0In forward rotation 1In reverse rotation |
| 0006 | In braking | R | 0Invalid 1In braking |
| 0007 | Frequency tracking | R | 0Invalid 1Frequency tracking |
| 0008-0047 | reserved |
| 0048 | Operation | W | 0000—Invalid FF00or 100 bit8 set 1-Valid |
| 0049 | Forward | W | 0000—Invalid FF00-Valid |
| 004A | Reverse | W | 0000—Invalid FF00-Valid |
| 004B | Stop | W | 0000—Invalid FF00-Valid |
| 004C | Forward/reverse switch | W | 0000—Invalid FF00-Valid |
| 004D | JOG | W | 0000—Invalid FF00-Valid |
| 004E | JOG Forward | W | 0000—Invalid FF00-Valid |
| 004F | JOG Reverse | W | 0000—Invalid FF00-Valid |
**2. Input register address table**
All address only read. Modbus function include 04H (read input register).
**Fault Code table:**
| Address | Name |
|-|-|
| 0000 | Output frequency |
| 0001 | Set frequency |
| 0002 | Output current |
| 0003 | Output speed |
| 0004 | DC voltage |
| 0005 | AC voltage |
| 0006 | temperature |
| 0007 | Counter |
| 0008 | PID target value |
| 0009 | PID feedback value |
| 000A | Current fault |
| 000B | Total operating hours |
| 000C | Output power |
| 000D | X terminal state |
| Decimal | Fault code |
|-|-|
| 64 | E.OCS |
| 80 | E.oUS |
| 88 | E.LuS |
| 92 | E.oHS |
| 96 | E.oLS |
| 100 | E.oAS |
| 104 | E.oTS |
**Note 1:** The BIT0-BIT5 in X terminal state corresponds to the
X1-X6 terminal , and 1 means terminal is closed.<br>
**Note 2:** The fault code suffixes S, A, d and n are four consecutive
numbers, such as 65 for E.OC.A.
**3. Holding register address table**
Modbus functions include: 03H (read and hold register), 06H (write a single hold register), 10H (write multiple hold registers)
| Definition | Address | Specification |
|-|-|-|
| Internal parameters | 0000H00FFH | Inverter parameter addressF000F255
| Communication Specific Instruction Variable | 0200H | Main control bitBIT0-BIT7 mapping parameter address 0048H004FHBIT8 virtual input terminal enable
| Communication Specific Instruction Variable | 0201H | Given frequencygiven frequency address when F002=2
| Communication Specific Instruction Variable | 0202H | Virtual input terminal1BIT0-BIT15 corresponding digital input terminal function 01-16. Digital input terminal function 1-8 already exists in the main control bit, the modification here is invalid.
| Communication Specific Instruction Variable | 0203H | Virtual input terminal 2, BIT0-BIT15 corresponding digital input terminal function 17-32
| Communication Specific Instruction Variable | 0204H | EDOCommunication control digital output terminal, BIT3 corresponding (FA, FB, FC) relay terminal
| Communication Specific Instruction Variable | 0205H | EAOCommunication control analog output terminal AO
| Communication Specific Instruction Variable | 0206H020FH | Reserved
| Communication-specific state variables, read-only | 0210H | Main control bitBIT0BIT15 mapping parameter address 0000H000FH
| Communication-specific state variables, read-only | 0211H | Digital terminal statusBIT0-BIT5 corresponding X1-X6 , BIT11 corresponding (FA, FB, FC) relay
| Communication-specific state variables, read-only | 0212H | Virtual Output State 1, BIT0-BIT15 corresponding to Digital Output Terminal Function 0116.
| Communication-specific state variables, read-only | 0213H | Virtual output state 2, BIT0-BIT15 corresponds to digital output terminal function 17-32.
| Communication-specific state variables, read-only | 0214H-021FH | Reserved
| Communication-specific state variables, read-only | 0220H022DH | Mapping input registers (addresses 0000H-000DH)
| Communication-specific state variables, read-only | 022EH | AI1. Analog input value 10100.00%
| Communication-specific state variables, read-only | 022FH | AI2. Analog input value 20100.00%
| Communication-specific state variables, read-only | 0230H | PFI. Pulse input value
| Communication-specific state variables, read-only | 0231H023FH | Reserved
(1) For example
1. Setting No.01 inverter given frequency is 300.0Hz, Application Function Code 06H. Given frequency is communication port (F002=2)
**Master command message**
| | RTU Mode |
|-|-|
| Mute interval | |
| Slave address | 01H |
| Modbus function NO. | 06H |
| High bit of register address | 02H |
| Low bit of register address | 01H |
| High bit of written data | 0BH |
| Low bit of written data | B8H |
| Check | DEH (CRC low bit)<br>F0H (CRC high bit)
| END | Mute |
**Slave response:** frequency is set to 300.0Hz, returns the same data as the master requests.
**Note 1:** When F002 = 2, use 06H or 10H function to rewrite frequency, address is 0201H, EPROM is not operated at this time. If the rewriting frequency is to be written to EEPROM, the F003 value needs to be rewritten.
**Note 2:** Calculations of check bits RTU mode adopts CRC method. The C language code of CRC16 is as follows
```C
unsigned char data // Indicators of information buffer
unsigned char length //Number of bytes in the information buffer
unsigned int crc_chk(unsigned char data,unsigned char length)
{
int j;
unsigned int reg_crc=0xffff;
while(length--)
{
reg_crc^=*data++;
for(j=0;j<8;j++)
{
if(reg_crc&0x01)
reg_crc=(reg_crc>>1)^0xa001;
else
reg_crc=reg_crc>>1;
}
}
return reg_crc;
}
```
2. Make No. 01 inverter run, function code 05H or 06H. Requirement control mode is communication port (F001=2). 0FH and 10H can also achieve this function as multi-write modes.
See the following examples for their formats.
**Master command message**
| | Write parameter address | Write hold register |
|-|-|-|
| Slave address | 01H | 01H |
| Modbus function number | 05H | 06H |
| High bit of parameter address/register address | 00H | 02H |
| Low bit of parameter address/register address | 48H | 00H |
| High bit of write data | FFH | 00H |
| Low bit of write data | 00H | 01H |
| CRC | —— | —— |
**Slave response:** inverter is forward operation and returns the same data as the master requests.
3. Read 01 slave running status, function code 01H or 03H.
**Master command message**
| | Read parameter address | Read hold register |
|-|-|-|
|Slave address | 01H | 01H
|Modbus function number | 01H | 03H
|High bit of parameter address/register start address | 00H | 02H
|Low bit of parameter address/register start address | 00H | 10H
|Read parameter address/register quantity (high bit) | 00H | 00H
|Read parameter address/register quantity (low bit) | 08H | 01H
|CRC | —— | ——
**Slave response:** 09H to 00001001Bcomparing with the parameter address table, it indicates that inverter on command and operating.
| | Read parameter address | Read hold register |
|-|-|-|
| Slave address | 01H | 01H |
| Modbus function number | 01H | 03H |
| Byte number | 01H | 02H |
| Read data | 09H | 00H<br>09H |
| CRC | —— | —— |
4. Read the operating frequency and setting frequency of No. 01 inverter, function code 04H or 03H.
**Master command message:**
| | Read input register | Read hold register |
|-|-|-|
| Slave address | 01H | 01H |
| Modbus function number | 04H | 03H |
| High bit of input/hold register start address | 00H | 02H |
| Low bit of input/hold register start address | 00H | 20H |
| Read byte number(high bit) | 00H | 00H |
| Read byte number(low bit) | 02H | 02H |
| CRC | —— | —— |
**Slave response:** The return content indicates that the current frequency of inverter is 0.0Hz and the set frequency is 50.0Hz.
| | Read input register | Read hold register |
|-|-|-|
| Slave address | 01H | 01H |
| Modbus function number | 04H | 03H |
| Return byte number | 04H | 04H |
| High bit of first register content | 00H | 00H |
| Low bit of first register content | 00H | 00H |
| High bit of second register content | 01H | 01H |
| Low bit of second register content | F4H | F4H |
| CRC | —— | —— |
5. Write 20.0s for F014, 15.0s for F015 and 10H for function code.
**Master command message:**
| | |
|-|-|
| Slave address | 01H |
| Modbus function number | 10H |
| Start address (high bit) | 00H |
| Start address (low bit) | 0EH |
| Register number(high bit) | 00H |
| Register number(low bit) | 02H |
| Byte number | 04H |
| High bit of first number | 00H |
| Low bit of first register content | C8H |
| High bit of second register content | 00H |
| High bit of second register content | 96H |
| CRC | —— |
**Slave response:**
| | |
|-|-|
| Slave address | 01H |
| Modbus function number | 10H |
| Start address (high bit) | 00H |
| Start address (low bit) | 0EH |
| Register number(high bit) | 00H |
| Register number(low bit) | 02H |
| CRC | —— |
**Abnormal response frame:** When the slave station cannot complete the request sent by the master station, the abnormal response frame is returned. The frame format is as follows:
* 1 bit
* 1 bitModbus function number+80H
* 1 bit:
- 01Modbus function number that cannot be processed
- 02Unreasonable data address
- 03Out-of-range data values
- 04Operation failure (write read-only parameters, change
parameters that cannot be changed during operation, etc.)
* ——

483
modbus.md Normal file
View File

@@ -0,0 +1,483 @@
# Vevor D100 VFD - Modbus RTU Reverse Engineering Notes
## Hardware
* VFD: Vevor D100
* Interface: RS485
* Connection: USB-RS485 adapter
* LinuxCNC version: 2.9.8
## Communication Settings
Configured on VFD:
| Parameter | Value |
| ------------- | ---------- |
| Slave Address | 1 |
| Baud Rate | 9600 |
| Data Bits | 8 |
| Parity | None |
| Stop Bits | 1 |
| Protocol | Modbus RTU |
---
# Addressing
The VFD documentation uses hexadecimal Modbus addresses.
Practical testing with `mbpoll` showed that mbpoll uses addresses shifted by +1 relative to the addresses shown in the manual.
Formula:
```text
mbpoll_address = documented_hex_address + 1
```
Examples:
| Documentation | Hex | mbpoll |
| ------------- | --- | ------ |
| 0200H | 512 | 513 |
| 0201H | 513 | 514 |
| 0210H | 528 | 529 |
| 0220H | 544 | 545 |
| 0221H | 545 | 546 |
| 0222H | 546 | 547 |
| 0223H | 547 | 548 |
---
# Frequency Command
Parameter:
```text
0201H = Given Frequency
```
mbpoll address:
```text
514
```
Manual example:
```text
01 06 02 01 0B B8
```
which means:
```text
3000 decimal = 300.0 Hz
```
---
## F169
Parameter:
```text
F169 = Given decimal point of communication frequency
```
Configured value:
```text
F169 = 0
```
Meaning:
```text
0201 = frequency * 10
```
Examples:
| Frequency | Register Value |
| --------- | -------------- |
| 10.0 Hz | 100 |
| 25.0 Hz | 250 |
| 50.0 Hz | 500 |
| 100.0 Hz | 1000 |
| 300.0 Hz | 3000 |
---
# Verified Read Registers
## 0210H - Main Control Status
mbpoll:
```text
529
```
Documentation:
```text
0210H
Main control bit
BIT0-BIT15 mapping parameter address 0000H-000FH
```
Verified values:
### Stopped
```text
0210 = 0
```
Binary:
```text
0000 0000 0000 0000
```
### Running Forward
```text
0210 = 9
```
Binary:
```text
0000 0000 0000 1001
```
Meaning:
```text
BIT0 = Operation
BIT3 = In operation
```
### Running Reverse
```text
0210 = 13
```
Binary:
```text
0000 0000 0000 1101
```
Meaning:
```text
BIT0 = Operation
BIT2 = Reverse
BIT3 = In operation
```
### Stopped After Reverse
```text
0210 = 4
```
Binary:
```text
0000 0000 0000 0100
```
Meaning:
```text
BIT2 = Reverse selected
```
---
## 0220H Block
mbpoll start address:
```text
545
```
Read command:
```bash
mbpoll -m rtu -a 1 -b 9600 -P none -t 4 -r 545 -c 4 /dev/ttyUSB0
```
Mapping:
| Address | Function |
| ------- | ---------------- |
| 0220H | Output Frequency |
| 0221H | Set Frequency |
| 0222H | Output Current |
| 0223H | Output Speed |
mbpoll:
| Address | Register |
| ------- | ---------------- |
| 545 | Output Frequency |
| 546 | Set Frequency |
| 547 | Output Current |
| 548 | Output Speed |
Verified example while running:
| Register | Value |
| -------- | ----- |
| 545 | 1266 |
| 546 | 1267 |
| 547 | 214 |
| 548 | 7602 |
Interpreted as:
| Parameter | Value |
| ---------------- | -------- |
| Output Frequency | 126.6 Hz |
| Set Frequency | 126.7 Hz |
| Output Current | 21.4 A |
| Output Speed | 7602 RPM |
---
# 0200H Main Control Register
Documentation:
```text
0200H Main control bit
BIT0-BIT7 mapping parameter address 0048H-004FH
```
Bit mapping:
| Coil | Name | Bit | Decimal |
| ---- | ---------------------- | ---- | ------- |
| 0048 | Operation | BIT0 | 1 |
| 0049 | Forward | BIT1 | 2 |
| 004A | Reverse | BIT2 | 4 |
| 004B | Stop | BIT3 | 8 |
| 004C | Forward/Reverse Switch | BIT4 | 16 |
| 004D | JOG | BIT5 | 32 |
| 004E | JOG Forward | BIT6 | 64 |
| 004F | JOG Reverse | BIT7 | 128 |
---
# Verified Control Commands
Control register:
```text
0200H
```
mbpoll address:
```text
513
```
---
## Forward Run
Command:
```bash
mbpoll -m rtu -a 1 -b 9600 -P none -t 4 -r 513 /dev/ttyUSB0 2
```
Writes:
```text
0200 = 2
```
Result:
```text
Forward Run
```
---
## Reverse Run
Command:
```bash
mbpoll -m rtu -a 1 -b 9600 -P none -t 4 -r 513 /dev/ttyUSB0 4
```
Writes:
```text
0200 = 4
```
Result:
```text
Reverse Run
```
---
## Stop
Command:
```bash
mbpoll -m rtu -a 1 -b 9600 -P none -t 4 -r 513 /dev/ttyUSB0 8
```
Writes:
```text
0200 = 8
```
Result:
```text
Stop
```
---
## Toggle Direction
Command:
```bash
mbpoll -m rtu -a 1 -b 9600 -P none -t 4 -r 513 /dev/ttyUSB0 16
```
Writes:
```text
0200 = 16
```
Result:
```text
Toggle Direction
```
Important:
The toggle works only on a rising edge.
To trigger it again:
```text
0200 = 0
0200 = 16
```
must be sent.
---
# LinuxCNC Relevant Registers
## Write
| Function | Documented | mbpoll |
| --------------- | ---------- | ------ |
| Main Control | 0200H | 513 |
| Given Frequency | 0201H | 514 |
## Read
| Function | Documented | mbpoll |
| ---------------- | ---------- | ------ |
| Status | 0210H | 529 |
| Output Frequency | 0220H | 545 |
| Set Frequency | 0221H | 546 |
| Output Current | 0222H | 547 |
| Output Speed | 0223H | 548 |
---
# RapidChange ATC Notes
Useful registers for future ATC implementation:
## Current
```text
0222H
```
Can potentially be used to detect:
```text
tool tightening
tool loosening
stall condition
```
based on current increase.
## Status
```text
0210H
```
Can be used instead of fixed delays.
Example:
Wait until:
```text
BIT3 = 0
```
before moving after spindle stop.
This is more reliable than:
```text
G4 P2
```
fixed delay logic.
---
# Known Issues
RS485 communication becomes less reliable when spindle is running.
Observed:
```text
Timeouts
CRC errors
Dropped frames
```
Likely causes:
* EMI from spindle motor cables
* insufficient cable separation
* missing shield grounding
* missing termination resistor
Communication is stable when spindle is stopped.

22
q.md Normal file
View File

@@ -0,0 +1,22 @@
1) parameter address address table
Modbus mode include01H (read parameter address status), 05H (write single parameter address), 0FH (write multiple parameter address)
| parameter address | Name | R/W | Specification |
|-------------------|------|-----|---------------|
| 0000 | Operation | R | 0Stop 1Operating |
| 0001 | JOG | R | 0Invalid 1JOG |
| 0002 | Forward/reverse | R | 0Forward 1Reverse |
| 0003 | In operation | R | 0Stop 1In operation |
| 0004 | In jogging | R | 0Invalid 1In jogging |
| 0005 | In forward/reverse rotation | R | 0In forward rotation 1In reverse rotation |
| 0006 | In braking | R | 0Invalid 1In braking |
| 0007 | Frequency tracking | R | 0Invalid 1Frequency tracking |
| 0008-0047 | reserve |
| 0048 | Operation | W | 0000—Invalid FF00 (or 100 bit8 set 1)-Valid |
| 0049 | Forward | W | 0000—Invalid FF00-Valid |
| 004A | Reverse | W | 0000—Invalid FF00-Valid |
| 004B | Stop | W | 0000—Invalid FF00-Valid |
| 004C | Forward/reverse switch | W | 0000—Invalid FF00-Valid |
| 004D | JOG | W | 0000—Invalid FF00-Valid |
| 004E | JOG Forward | W | 0000—Invalid FF00-Valid |
| 004F | JOG Reverse | W | 0000—Invalid FF00-Valid |