Modbus Protocol

1. Fernhill SCADA
2. Help
3. Drivers
4. Modbus
5. Protocol

Introduction

The Modbus Protocol was originally developed by Modicon (now part of Schneider Electric). Modbus was developed as a communication protocol for Modicon PLC Devices. The original Modbus Protocol specification, published in 1979, describes Serial Communications where data is transmitted one bit at a time. A later update to the standard, called Modbus TCP, describes how to use Modbus in TCP/IP networks.

The rest of this article describes the Modbus protocol is more detail:

• Modbus Data Types.
• Modbus Message Structure.
• Modbus PDU.
• Modbus Exception Codes.

Modbus Data Types

The Modbus Protocol supports these data types:

Modbus Message Structure

Modbus is a request-response protocol where:

• The client sends a request to a Modbus device.
• The Modbus device sends a response.

The structure of a Modbus message is the same for both requests and responses:

The exact format of the message depends on the variant of Modbus protocol used:

• Modbus ASCII - A serial protocol using a subset of ASCII characters.
• Modbus RTU - A serial protocol using 8-bit binary.
• Modbus TCP - A TCP/IP protocol.
• Modbus RTU over Modbus TCP - A TCP/IP protocol with an additional CRC check.

Modbus ASCII

Modbus ASCII uses a subset of the ASCII character set to send Modbus messages over Serial Communications.

Modbus ASCII messages start with the colon (:) character (ASCII 58). Modbus ASCII messages end with carriage return (ASCII 13) and line feed (ASCII 10) characters. Between the start and end characters only hexadecimal characters 0 to 9 and A to F are allowed.

The structure of a Modbus ASCII message is:

Where:

• The Unit Address field is the PLC Address encoded as 2 hexadecimal characters.
• The Message field is a Modbus PDU where each byte is encoded as 2 hexadecimal characters. The maximum length of the Message field is is 506 characters.
• The LRC field is the Longitudinal Redundancy Check of the Address and Message fields.
• The maximum Modbus ASCII message length is 513 characters.

Modbus RTU

Modbus RTU uses 8-bit Serial Communications to send Modbus messages.

The structure of a Modbus RTU message is:

Where:

• The Unit Address field is the PLC Address encoded as single byte.
• The Message field is a Modbus PDU. The maximum length of the Message field is is 253 bytes.
• The CRC field is the Cyclic Redundancy Check of the Unit Address and Message fields.
• The maximum Modbus RTU message length is 256 bytes.

Modbus TCP

Modbus TCP uses a TCP/IP link to send and receive Modbus messages.

The structure of a Modbus TCP message is:

Where:

• The Transaction Id field identifies the transaction.
• The Protocol field is zero to indicate Modbus protocol.
• The Length field is the number of following bytes.
• The Unit Address field is the PLC Address encoded as single byte.
• The Message field is a Modbus PDU. The maximum length of the Message field is is 253 bytes.
• The maximum Modbus TCP message length is 260 bytes.

Unit Address

Note: Real Modbus TCP devices use the Unit Address field in different ways:

• Some Modbus TCP devices ignore Unit Address.
• Some Modbus TCP devices require a fixed value for Unit Address, for example 0 or 255.
• Some Modbus TCP devices are a gateway to multiple PLC where the Unit Address selects which PLC to communicate with.

Modbus RTU over Modbus TCP

Modbus RTU over Modbus TCP is rarely used. It is a non-standard variant of Modbus TCP that includes the Modbus RTU CRC at the end of the message.

The structure of a Modbus RTU over Modbus TCP message is:

Where:

• The Transaction Id field identifies the transaction.
• The Protocol field is zero to indicate Modbus protocol.
• The Length field is the number of following bytes.
• The Unit Address field is the PLC Address encoded as single byte.
• The Message field is a Modbus PDU. The maximum length of the Message field is is 253 bytes.
• The CRC field is the Cyclic Redundancy Check of the Unit Address and Message fields.

Modbus PDU

The Modbus Protocol supports these PDU:

• Modbus Read Coils (01)
• Modbus Read Discrete Inputs (02)
• Modbus Read Holding Registers (03)
• Modbus Read Input Registers (04)
• Modbus Write Single Coil (05)
• Modbus Write Single Register (06)
• Modbus Write Multiple Registers (16)

Modbus Read Coils (01)

Modbus Read Coils, function code 01, reads between 1 and 2000 output coils (bits) from the PLC.

The request PDU consists of 5 bytes:

The normal response varies in length from 3 bytes up to 252 bytes depending on the number of coils requested:

Note: The total number of bytes returned is 2 + (CoilCount + 7) / 8, where CoilCount is the number of coils requested. For example:

• A request for 1 coil will return 3 bytes.
• A request for 8 coils will return 3 bytes.
• A request for 9 coils will return 4 bytes.

The largest request possible is for 2000 coils, which will return 252 bytes.

If the PLC detects an error in the request, for example an address that is not available, an error response will be sent:

Example: Read 12 coils starting at 00033 from a PLC at address 2. Response with coils 00040 and 00042 set and all others clear :

Note: The PDU part of each request and response is shown in Blue.

Modbus Read Discrete Inputs (02)

Modbus Read Discrete Inputs, function code 02, reads between 1 and 2000 inputs from the PLC.

The request PDU consists of 5 bytes:

The normal response varies in length from 3 bytes up to 252 bytes depending on the number of inputs requested:

Note: The total number of bytes returned is 2 + (InputCount + 7) / 8. InputCount is the number of inputs requested. For example a request for 1 input, will return 3 bytes. A request for 8 inputs will also return 3 bytes. A request for 9 inputs will return 4 bytes. The largest request possible is for 2000 inputs, which will return 252 bytes.

If the PLC detects an error in the request, for example an address that is not available, an error response will be sent:

Example: Read 16 inputs starting at 10501 from a PLC at address 1. Response with inputs 10501 and 10503 set and all others clear :

Note: The PDU part of each request and response is shown in Blue.

Modbus Read Holding Registers (03)

Modbus Read Holding Registers, function code 03, reads between 1 and 125 holding registers from the PLC.

The request PDU consists of 5 bytes:

The normal response varies in length from 4 bytes up to 252 bytes depending on the number of holding registers requested:

Note: The total number of bytes returned is 2 + 2 * RegisterCount, where RegisterCount is the number of holding registers requested. For example a request for 1 holding register, will return 4 bytes. A request for 2 holding registers will return 6 bytes. A request for 125 holding registers will return 252 bytes.

If the PLC detects an error in the request, for example an address that is not available, an error response will be sent:

Example: Read 2 holding registers starting at address 40601 from a PLC at address 1. Response returns register 40601 value 1000, and register 40602 value 5000:

Note: The PDU part of each request and response is shown in Blue.

Modbus Read Input Registers (04)

Modbus Read Input Registers, function code 04, reads between 1 and 125 input registers from the PLC.

The request PDU consists of 5 bytes:

The normal response varies in length from 4 bytes up to 252 bytes depending on the number of input registers requested:

Note: The total number of bytes returned is 2 + 2 * RegisterCount, where RegisterCount is the number of input registers requested. For example a request for 1 input register, will return 4 bytes. A request for 2 input registers will return 6 bytes. A request for 125 input registers will return 252 bytes.

If the PLC detects an error in the request, for example an address that is not available, an error response will be sent:

Example: Read 2 input registers starting at address 30201 from a PLC at address 1. Response returns register 30201 value 10000, and register 30202 value 50000:

Note: The PDU part of each request and response is shown in Blue.

Modbus Write Single Coil (05)

Modbus Write Single Coil, function code 05, writes a single coil to the PLC.

The request PDU consists of 5 bytes:

The normal response is the request reflected back:

If the PLC detects an error, for example an address that is not available, an error response will be sent:

Example: Set coil 00101 in device with address 1 to 1.

Note: The PDU part of each request and response is shown in Blue.

Modbus Write Single Register (06)

Modbus Write Single Register, function code 06, writes a single register to the PLC.

The request PDU consists of 5 bytes:

The normal response is the request reflected back:

If the PLC detects an error in the request, for example an address that is not available, an error response will be sent:

Example: Set Holding Register 40101 in device with address 1 to 15000.

Note: The PDU part of each request and response is shown in Blue.

Modbus Write Multiple Registers (16)

Modbus Write Multiple Registers, function code 16, writes between 1 and 123 registers to the PLC.

The request PDU consists of between 8 and 252 bytes:

The normal response consists of 5 bytes:

If the PLC detects an error in the request, for example an address that is not available, an error response will be sent:

Example: In the PLC at address 28, set register 40101 to 1000 and register 40102 to 2000.

Note: The PDU part of each request and response is shown in Blue.

Modbus Exception Codes

An exception code is a single byte providing an explanation of an error:

Further Information

Standard Modbus Data Address

To learn how Modbus data addresses are presented in human readable form.

Modbus Register Block Tag

To learn about Modbus Register Block Tags.

Modbus Driver

For an overview of the Modbus Driver.

Glossary

For the meaning of terms used in Fernhill SCADA.

Fernhill SCADA Version 4.1 (20231126.1). Copyright © 2012-2023 Fernhill Software Ltd: All rights reserved.