Modbus

Modbus is a serial communications protocol originally published by Modicon (now Schneider Electric) in 1979 for use with its programmable logic controllers (PLCs).

Table of Contents

Modbus is a serial communications protocol originally published by Modicon (now Schneider Electric) in 1979 for use with its programmable logic controllers (PLCs). Simple and robust, it has since become a de facto standard communication protocol, and it is now a commonly available means of connecting industrial electronic devices. The main reasons for the use of Modbus in the industrial environment are: Modbus enables communication among many devices connected to the same network, for example a system that measures temperature and humidity and communicates the results to a computer. Modbus is often used to connect a supervisory computer with a remote terminal unit (RTU) in supervisory control and data acquisition (SCADA) systems. Many of the data types are named from its use in driving relays: a single-bit physical output is called a coil, and a single-bit physical input is called adiscrete input or a contact.
The development and update of Modbus protocols has been managed by the Modbus Organization since April 2004, when Schneider Electric transferred rights to that organization. The Modbus Organization is an association of users and suppliers of Modbus compliant devices that seeks to drive the adoption and evolution of Modbus

MODBUS RTU PROTOCOL VERSIONS

Versions of the Modbus protocol exist for serial port and for Ethernet and other protocols that support the Internet protocol suite. There are many variants of Modbus protocols:

  • Modbus RTU— This is used in serial communication & makes use of a compact, binary representation of the data for protocol communication. The RTU format follows the commands/data with a cyclic redundancy check checksum as an error check mechanism to ensure the reliability of data. Modbus RTU is the most common implementation available for Modbus. A Modbus RTU message must be transmitted continuously without inter-character hesitations. Modbus messages are framed (separated) by idle (silent) periods.
  • Modbus ASCII— This is used in serial communication & makes use of ASCII characters for protocol communication. The ASCII format uses a longitudinal redundancy check Modbus ASCII messages are framed by leading colon (‘:’) and trailing newline (CR/LF).
  • Modbus TCP/IPor Modbus TCP — This is a Modbus variant used for communications over TCP/IP networks, connecting over port 502.] It does not require a checksum calculation as lower layers already provide checksum protection.
  • Modbus over TCP/IPor Modbus over TCP or Modbus RTU/IP — This is a Modbus variant that differs from Modbus TCP in that a checksum is included in the payload as with Modbus RTU
  • Modbus over UDP— Some have experimented with using Modbus over UDP on IP networks, which removes the overheads required for TCP [7]
  • Modbus Plus (Modbus+, MB+ or MBP)Modbus over Fieldbus (Modbus+ or MB+), also exists, but remains proprietary to Schneider Electric. requires a dedicated co-processor to handle fast HDLC-like token rotation. It uses twisted pair at 1 Mbit/s and includes transformer isolation at each node, which makes it transition/edge triggered instead of voltage/level triggered. Special interfaces are required to connect Modbus Plus to a computer, typically a card made for the ISA (SA85), PCI or PCMCIA bus.
  • Modbus PEMEX– This variant is an extension of standard Modbus with support for historical and flow data. It was designed for process control and never gained widespread adoption [8]
  • EnronModbus– This variant is an extension of standard Modbus with support for 32 bit Integer and Floating Point variables, and historical and flow data. Data types are mapped using standard addresses.[9] The historical data is used to meet anAmerican Petroleum Institute (API) industry standard for how data should be stored[10]

Data model and function calls are identical for the first 4 variants of protocols; only the encapsulation is different. However the variants are not interoperable as the frame formats are different.

Communication and devices

Each device intended to communicate using Modbus is given a unique address. In serial and MB+ networks, only the node assigned as the Master may initiate a command. On Ethernet, any device can send out a Modbus command, although usually only one master device does so. A Modbus command contains the Modbus address of the device it is intended for (1 to 247). Only the intended device will act on the command, even though other devices might receive it (an exception is specific broadcastable commands sent to node 0 which are acted on but not acknowledged). All Modbus commands contain checksum information, to allow the recipient to detect transmission errors. The basic Modbus commands can instruct an RTU to change the value in one of its registers, control or read an I/O port, and command the device to send back one or more values contained in its registers.

There are many modems and gateways that support Modbus, as it is a very simple protocol and often copied. Some of them were specifically designed for this protocol. Different implementations use wireline, wireless communication, such as in the ISM band, and even short message service (SMS) or General Packet Radio Service (GPRS). One of the more common designs of wireless networks makes use of Mesh networking. Typical problems that designers have to overcome include high latency and timing issues.

Frame format

A Modbus frame is composed of an Application Data Unit (ADU) which encloses a Protocol Data Unit (PDU)

  • ADU = Address + PDU + Error check
  • PDU = Function code + Data

All Modbus variants choose one of the following frame formats.

Modbus RTU frame format (primarily used on 8-bit asynchronous lines like EIA-485)
NameLength (bits)Function
Start28At least 3 12 character times of silence (mark condition)
Address8Station address
Function8Indicates the function code; e.g., read coils/holding registers
Datan × 8Data + length will be filled depending on the message type
CRC16 bitsCyclic Redundancy Check
End28At least 3 12 character times of silence between frames

Note about the CRC:

  • Polynomial: x16+ x15 + x2 + 1 (CRC-16-ANSI also known as CRC-16-IBM, normal hexadecimal algebraic polynomial being 8005 and reversed A001)
  • Initial value: 65,535
  • Example of frame in hexadecimal: 01 04 02 FF FF B8 80(CRC-16-ANSI calculation from 01 to FF gives 80B8 which is transmitted least significant byte first)
Modbus ASCII frame format (primarily used on 7- or 8-bit asynchronous serial lines)
NameLength (bytes)Function
Start1Starts with colon : (ASCII hex value is 0x3a)
Address2Station address
Function2Indicates the function codes like read coils / inputs
Datan x 2Data + length will be filled depending on the message type
LRC2Checksum (Longitudinal redundancy check )
End2Carriage return – line feed (CR/LF) pair (ASCII values of 0x0d & 0x0a)

Address, function, data, and LRC are all capital hexadecimal readable pairs of characters representing 8-bit values (0-255). For example, 122 (7×16+10) will be represented as 7A.
LRC is calculated as the sum of 8-bit values, negated (two’s complement) and encoded as an 8-bit value. Example: if address, function, and data encode as 247, 3, 19, 137, 0, and 10, their sum is 416. Two’s complement (-416) trimmed to 8-bit is 96 (e.g. 256×2-416) which will be represented as 60 in hexadecimal. Hence the following frame :F7031389000A60

Modbus TCP frame format (primarily used on Ethernet networks)
NameLength (bytes)Function
Transaction identifier2For synchronization between messages of server & client
Protocol identifier2Zero for Modbus/TCP
Length field2Number of remaining bytes in this frame
Unit identifier1Slave address (255 if not used)
Function code1Function codes as in other variants
Data bytesnData as response or commands

Unit identifier is used with Modbus/TCP devices that are composites of several Modbus devices, e.g. on Modbus/TCP to Modbus RTU gateways. In such case, the unit identifier tells the Slave Address of the device behind the gateway. Natively Modbus/TCP-capable devices usually ignore the Unit Identifier.

The byte order for values in Modbus data frames is Big-Endian (MSB, Most Significant Byte of a value received first).

Supported function codes[edit]

The various reading, writing and other operations are categorised as follows.[12] The most primitive reads and writes are shown in bold. A number of sources use alternative terminology, for example Force Single Coil where the standard uses Write Single Coil.[13]
Prominent entities within a Modbus slave are:

  • Coils: readable and writable, 1 bit (off/on)
  • Discrete Inputs: readable, 1 bit (off/on)
  • Input Registers: readable, 16 bits (0 to 65,535), essentially measurements and statuses
  • Holding Registers: readable and writable, 16 bits (0 to 65,535), essentially configuration values
Modbus function codes
Function typeFunction nameFunction code
Data AccessBit accessPhysical Discrete InputsRead Discrete Inputs2
Internal Bits or Physical CoilsRead Coils1
Write Single Coil5
Write Multiple Coils15
16-bit accessPhysical Input RegistersRead Input Registers4
Internal Registers or Physical Output RegistersRead Multiple Holding Registers3
Write Single Holding Register6
Write Multiple Holding Registers16
Read/Write Multiple Registers23
Mask Write Register22
Read FIFO Queue24
File Record AccessRead File Record20
Write File Record21
DiagnosticsRead Exception Status7
Diagnostic8
Get Com Event Counter11
Get Com Event Log12
Report Slave ID17
Read Device Identification43
OtherEncapsulated Interface Transport43

Format of data of requests and responses for main function codes

Requests and responses follow frame formats described above. This section gives details of data formats of most used function codes.

Function code 1 (read coils) and function code 2 (read discrete inputs)

Request:

  • Address of first coil/discrete input to read (16-bit)
  • Number of coils/discrete inputs to read (16-bit)

Normal response:

  • Number of bytes of coil/discrete input values to follow (8-bit)
  • Coil/discrete input values (8 coils/discrete inputs per byte)

Value of each coil/discrete input is binary (0 for off, 1 for on). First requested coil/discrete input is stored as least significant bit of first byte in reply.
If number of coils/discrete inputs is not a multiple of 8, most significant bit(s) of last byte will be stuffed with zeros.
For example, if eleven coils are requested, two bytes of values are needed. Suppose states of those successive coils are on, off, on, off, off, on, on, on, off, on, on, then data part of the response will be 02E506 in hexadecimal.

Function code 5 (force/write single coil)

Request:

  • Address of coil (16-bit)
  • Value to force/write: 0 for off and 65,280 (FF00 in hexadecimal) for on

Normal response: same as request.

Function code 15 (force/write multiple coils)

Request:

  • Address of first coil to force/write (16-bit)
  • Number of coils to force/write (16-bit)
  • Number of bytes of coil values to follow (8-bit)
  • Coil values (8 coil values per byte)

Value of each coil is binary (0 for off, 1 for on). First requested coil is stored as least significant bit of first byte in request.
If number of coils is not a multiple of 8, most significant bit(s) of last byte should be stuffed with zeros. See example for function codes 1 and 2.

Normal response:

  • Address of first coil (16-bit)
  • number of coils (16-bit)

Function code 4 (read input registers) and function code 3 (read holding registers)

Request:

  • Address of first register to read (16-bit)
  • Number of registers to read (16-bit)

Normal response:

  • Number of bytes of register values to follow (8-bit)
  • Register values (16 bits per register)

Because the number of bytes for register values is 8-bit wide, only 128 registers can be read at once.

Function code 6 (preset/write single holding register)

Request:

  • Address of holding register to preset/write (16-bit)
  • New value of the holding register (16-bit)

Normal response: same as request.

Function code 16 (preset/write multiple holding registers)

Request:

  • Address of first holding register to preset/write (16-bit)
  • Number of holding registers to preset/write (16-bit)
  • Number of bytes of register values to follow (8-bit)
  • New values of holding registers (16 bits per register)

Because the number of bytes for register values is 8-bit wide, only 128 holding registers can be preset/written at once.

Normal response:

  • Address of first preset/written holding register (16-bit)
  • number of preset/written holding registers (16-bit)

Exception responses

For a normal response, slave repeats the function code. Should a slave want to report an error, it will reply with the requested function code plus 128 (3 becomes 131 or 83 in hexadecimal), and will only include one byte of data, known as the exception code.

Main Modbus exception codes

CodeTextDetails
1Illegal FunctionFunction code received in the query is not recognized or allowed by slave
2Illegal Data AddressData address of some or all the required entities are not allowed or do not exist in slave
3Illegal Data ValueValue is not accepted by slave
4Slave Device FailureUnrecoverable error occurred while slave was attempting to perform requested action
5AcknowledgeSlave has accepted request and is processing it, but a long duration of time is required. This response is returned to prevent a timeout error from occurring in the master. Master can next issue a Poll Program Complete message to determine if processing is completed
6Slave Device BusySlave is engaged in processing a long-duration command. Master should retry later
7Negative AcknowledgeSlave cannot perform the programming functions. Master should request diagnostic or error information from slave
8Memory Parity ErrorSlave detected a parity error in memory. Master can retry the request, but service may be required on the slave device
10Gateway Path UnavailableSpecialized for Modbus gateways. Indicates a misconfigured gateway
11Gateway Target Device Failed to RespondSpecialized for Modbus gateways. Sent when slave fails to respond

Coil, discrete input, input register, holding register numbers and addresses

Some conventions govern how access to Modbus entities (coils, discrete inputs, input registers, holding registers) are referenced.
It is important to make a distinction between entity number and entity address:

  • Entity numberscombine entity type and entity location within their description table
  • Entity addressis the starting address, a 16-bit value in the data part of the Modbus frame. As such its range goes from 0 to 65,535

In the traditional standard, numbers for those entities start with a digit, followed by a number of four digits in range 1 – 9,999:

  • coils numbersstart with a zero and then span from 00001 to 09999
  • discrete input numbersstart with a one and then span from 10001 to 19999
  • input register numbersstart with a three and then span from 30001 to 39999
  • holding register numbersstart with a four and then span from 40001 to 49999

This translates into addresses between 0 and 9,998 in data frames.
For example, in order to read holding registers starting at number 40001, corresponding address in the data frame will be 0 with a function code of 3 (as seen above). For holding registers starting at number 40100, address will be 99. Etc.
This limits the number of addresses to 9,999 for each entity. A de facto referencing extends this to the maximum of 65,536.[14]
It simply consists of adding one digit to the previous list:

  • coil numbersspan from 000001 to 065536
  • discrete input numbersspan from 100001 to 165536
  • input register numbersspan from 300001 to 365536
  • holding register numbersspan from 400001 to 465536

When using the extended referencing, all number references must be exactly six digits. This avoids confusion between coils and other entities. For example, to know the difference between holding register #40001 and coil #40001, if coil #40001 is the target, it must appear as #040001.

JBUS mapping

Another de facto protocol tightly related with Modbus[15] appeared after it and was defined by PLC brand April Automates, resulting of a collaborative effort of French companies Renault Automation and Merlin Gerin et Cie in 1985:[16] JBUS. Differences between Modbus and JBUS at that time (number of entities, slave stations) are now irrelevant as this protocol almost disappeared with April PLC series which AEG Schneider Automation bought in 1994 and then made them obsolete. However the name JBUS survived to some extent.

JBUS supports function codes 1, 2, 3, 4, 5, 6, 15, and 16 and thus all the entities described above. However numbering is different with JBUS:[17]

  • Number and address coincide: entity #x has address x in the data frame
  • Consequently, entity number does not include the entity type. For example, holding register #40010 in Modbus will be holding register #9, located at address 9 in JBUS
  • Number 0 (and thus address 0) is not supported. Slave should not implement any real data at this number and address and it can return a null value or throw an error when requested

Implementations

Almost all implementations have variations from the official standard. Different varieties might not communicate correctly between equipment of different suppliers. Some of the most common variations are:

  • Data types
    • 32-bit integer
    • 8-bit data
    • Mixed data types
    • Bit fields in integers
    • Multipliers to change data to/from integer. 10, 100, 1000, 256 …
  • Protocol extensions
    • 16-bit slave addresses
    • 32-bit data size (1 address = 32 bits of data returned)
    • Word swapped data

Limitations

  • Since Modbus was designed in the late 1970s to communicate to programmable logic controllers, the number of data types is limited to those understood by PLCs at the time. Large binary objects are not supported.
  • No standard way exists for a node to find the description of a data object, for example, to determine if a register value represents a temperature between 30 and 175 degrees.
  • Since Modbus is a master/slave protocol, there is no way for a field device to “report by exception” (except over Ethernet TCP/IP, called open-mbus)- the master node must routinely poll each field device, and look for changes in the data. This consumes bandwidth and network time in applications where bandwidth may be expensive, such as over a low-bit-rate radio link.
  • Modbus is restricted to addressing 254 devices on one data link, which limits the number of field devices that may be connected to a master station (once again Ethernet TCP/IP being an exception).
  • Modbus transmissions must be contiguous which limits the types of remote communications devices to those that can buffer data to avoid gaps in the transmission.
  • Modbus protocol itself provides no security against unauthorized commands or interception of data.
Modbus TCP Gateway

Modbus Gateway: An In-depth Exploration

In the world of automation and control systems, you may have encountered the term “Modbus Gateway.” But what exactly does this term mean? How does it function, and why is it vital in our technology-driven world? This article is your comprehensive guide to understanding Modbus Gateway.

Read More »
Modbus TCP Gateway

Decoding Modbus Error Codes

Modbus, an established communication protocol used extensively in industrial control systems, has withstood the test of time due to its simplicity and ease of deployment. But, as with any technical protocol, understanding error codes is essential to ensure smooth operation.

Read More »
Modbus TCP Gateway

Efficient Modbus Communication for Industrial Automation

Modbus communication is not a new term in the industrial automation field. Established in 1979 by Modicon, it has become a de facto standard communication protocol, especially in the realm of industrial automation. How has it managed to stay relevant over all these decades, you ask? Well, its simplicity, reliability, and open-source nature have played significant roles in its longevity.

Read More »
Modbus TCP Gateway

Exploring the Modbus TCP/IP Protocol

Modbus is a communication protocol developed by Modicon systems. Primarily used with Industrial devices, it’s designed to allow these devices to communicate over various types of media, including both wired and wireless networks.

Read More »
Scroll to Top