What is Modbus?
Modbus is a serial communication protocol developed and published by Modicon® in 1979 for use with programmable logic controllers (PLCs). Put simply, it is a method for transmitting information over serial lines between electronic devices.
The device requesting information is called the Modbus Master and the devices supplying information are called Modbus Slaves. In a standard Modbus network there is one Master and up to 247 Slaves, each with its own Slave address from 1 to 247.
What is it used for?
Modbus is an open protocol, which means that manufacturers are free to build it into their hardware without having to pay royalties.
Modbus has become a standard communication protocol in industry and is now a widely used means of connecting industrial electronic devices. It is used by most manufacturers in many industries.
It is used to transmit signals from instrumentation and control devices to a main controller or data acquisition system. For example, a system measures temperature and humidity, then sends the results to a computer.
Modbus generally connects a central computer to a remote terminal unit (RTU) for centralized control and data collection. Versions of the Modbus protocol exist for serial lines (Modbus RTU and Modbus ASCII) and for Ethernet (Modbus TCP).
How does it work?
Modbus is transmitted over serial lines between devices. The simplest setup is a single serial cable connecting the serial ports on two devices, one Master and one Slave.
The data is sent as a series of ones and zeros called bits. Each bit is sent as a voltage.
Zeros are sent as positive voltages and ones as negative voltages.
Bits are sent very quickly. The transmission rate is generally 960 baud (the number of bits per second).
What is Hexadecimal?
When troubleshooting, it can be helpful to see the raw data being transmitted. Because a long string of ones and zeros is hard to read, the bits are shown in hexadecimal (base 16). Each 4-bit block is represented by one of 16 characters from 0 to F.
0000 = 0    0100 = 4    1000 = 8    1100 = C
0001 = 1    0101 = 5    1001 = 9    1101 = D
0010 = 2    0110 = 6    1010 = A    1110 = E
0011 = 3    0111 = 7    1011 = B    1111 = F
Each block of 8 bits (called a byte) is represented by one of 256 character pairs from 00 to FF.
How is Data Stored in Standard Modbus?
The information is stored in four different tables on the Slave device.
Two tables store on/off status values (coils) and the other two store numerical values (registers).
Coils and registers each have a read-only table and a read-write table. Each table has 9999 values. Each coil or contact is 1 bit and is assigned a data address between 0000 and 270E.
Each register is 1 word = 16 bits = 2 bytes, and also has a data address between 0000 and 270E.
Coil / Register Numbers | Data Addresses | Type | Table Name |
1-9999 | 0000 to 270E | Read-Write | Discrete Output Coils |
10001-19999 | 0000 to 270E | Read-Only | Discrete Input Contacts |
30001-39999 | 0000 to 270E | Read-Only | Analog Input Registers |
40001-49999 | 0000 to 270E | Read-Write | Analog Output Holding Registers |
Coil / Register Numbers are only labels for locations, because they do not actually appear in messages. Data addresses are what is used in messages.
For example, the first Holding Register has number 40001 and data address 0000.
The difference between these two values is the offset.
Each table has a different offset: 1, 10001, 30001 and 40001.
What is Slave ID?
Each Slave in a network has its own address number ranging from 1 to 247. When the master requests data, the Slave's address is the first byte sent. Thus, after the first byte, each Slave knows whether to ignore the message.
What is Function Code?
The second byte sent by the master is called the function code.
This number tells the slave which table to access and whether to read from it or write to it.
Function Code | Action | Table Name |
01 (01 hex) | Read | Discrete Output Coils |
05 (05 hex) | Write single | Discrete Output Coil |
15 (0F hex) | Write multiple | Discrete Output Coils |
02 (02 hex) | Read | Discrete Input Contacts |
04 (04 hex) | Read | Analog Input Registers |
03 (03 hex) | Read | Analog Output Holding Registers |
06 (06 hex) | Write single | Analog Output Holding Register |
What is CRC?
CRC stands for Cyclic Redundancy Check. The CRC is two bytes added to the end of each Modbus message for error checking.
Every byte in the message is used to calculate the CRC. The receiving device also calculates the CRC and compares it to the CRC sent by the sending device. If even one bit in the message is received incorrectly, the CRCs will differ and an error will result.
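The slave ID, function code, data address offset and CRC described so far can be seen together in one frame. The following is an added example, not part of the original page: the function names are hypothetical, slave 17 and the register range are constructed sample values, and the request layout (2-byte start address and 2-byte quantity after the function code, CRC low byte first) is the standard Modbus RTU framing rather than something stated on this page.

```python
import struct

def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: start at 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def build_read_holding(slave_id: int, register_number: int, count: int) -> bytes:
    """Build an FC03 (read holding registers) request from a 4xxxx number."""
    if not 1 <= slave_id <= 247:
        raise ValueError("slave ID must be 1..247")
    address = register_number - 40001      # holding-register offset
    if not 0 <= address <= 0x270E:
        raise ValueError("register number outside 40001..49999")
    body = struct.pack(">BBHH", slave_id, 0x03, address, count)
    return body + struct.pack("<H", crc16_modbus(body))   # CRC low byte first

def check_frame(frame: bytes, my_id: int) -> str:
    """Classify a received RTU frame the way a slave would."""
    if len(frame) < 4:
        return "too short"
    # The CRC holds no secret: it catches line noise, it does not
    # authenticate the sender.
    if crc16_modbus(frame[:-2]) != struct.unpack("<H", frame[-2:])[0]:
        return "crc error"
    if frame[0] != my_id:
        return "ignore"                    # addressed to another slave
    return "accept"

# Constructed sample: ask slave 17 for 3 registers starting at 40108.
request = build_read_holding(17, 40108, 3)
# Same frame with a single bit flipped in the address low byte.
corrupted = request[:3] + bytes([request[3] ^ 0x01]) + request[4:]

if __name__ == "__main__":
    print(request.hex(" "))
    print(check_frame(request, 17), check_frame(request, 18),
          check_frame(corrupted, 17))
```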
What are the Formats of Modbus Commands and Responses?
You can find examples of requests and responses in the table below.
Data Addresses | Read | Write Single | Write Multiple |
Discrete Output Coils 0xxxx | FC01 | FC05 | FC15 |
Discrete Input Contacts 1xxxx | FC02 | NA | NA |
Analog Input Registers 3xxxx | FC04 | NA | NA |
Analog Output Holding Registers 4xxxx | FC03 | FC06 | FC16 |
What are the Data Types?
The FC03 example shows that register 40108 contains AE41, which converts to the 16 bits 1010 1110 0100 0001.
The contents of register 40108 can be interpreted as any of these 16-bit data types:
A 16-bit unsigned integer (an integer between 0 and 65535)
Contents of register 40108: AE41 = 44,609 (conversion from hex to decimal)
A 16-bit signed integer (an integer from -32768 to 32767)
AE41 = -20,927 (hex to decimal conversion that wraps around: if the value is above 32767, subtract 65536)
A two-character ASCII string (2 letters)
AE41 = ® A
A discrete on/off value (this works like a 16-bit integer whose value is 0 or 1; the hex data is 0000 or 0001)
Register 40108 can also be combined with 40109 to form any of the following 32-bit data types:
A 32-bit unsigned integer (a number between 0 and 4,294,967,295)
40108,40109 = AE41 5652 = 2,923,517,522
A 32-bit signed integer (a number between -2,147,483,648 and 2,147,483,647)
AE41 5652 = -1,371,449,774
A 32-bit single-precision IEEE floating-point number. This is a mathematical formula that allows any real number (a number with a decimal point) to be represented in 32 bits with about 7 digits of precision.
A 4-character ASCII string (4 letters)
AE41 5652 = ® AVR
More registers can be combined to create longer ASCII strings.
Each register consists of two ASCII characters (2 bytes).
What does Byte and Word Order mean?
The Modbus specification does not define exactly how data is stored in the registers. Therefore, some manufacturers implemented Modbus in their hardware to store and transmit the high byte first and then the low byte (AE before 41).
Others store and transmit the low byte first and then the high byte (41 before AE).
Similarly, when registers are combined into 32-bit data types, some devices store the higher 16 bits (high word) first and then the lower 16 bits (5652 after AE41), while others do the opposite (5652 before AE41).
It does not matter in which order the bytes or words are sent, as long as the receiving device knows which order to expect.
For example, if the number 2,923,517,522 is sent as a 32-bit unsigned integer, it can be sent in any of the 4 combinations below.
AE41 5652    high byte first    high word first
5652 AE41    high byte first    low word first
41AE 5256    low byte first     high word first
5256 41AE    low byte first     low word first
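The data-type readings of AE41 and AE41 5652, and the four byte/word orderings, can be reproduced with a short decoder. This is an added example, not part of the original page; the function names are hypothetical, and Latin-1 is assumed for the character reading so that AE maps to ®.

```python
import struct

def decode16(reg: int) -> dict:
    """The 16-bit readings of a single register value."""
    raw = struct.pack(">H", reg)
    return {"uint16": reg,
            "int16": struct.unpack(">h", raw)[0],
            "chars": raw.decode("latin-1")}    # 0xAE is '®' in Latin-1

def normalise(wire: bytes, low_byte_first: bool, low_word_first: bool) -> bytes:
    """Reorder 4 received bytes into high-word-first, high-byte-first form."""
    if len(wire) != 4:
        raise ValueError("expected exactly two registers (4 bytes)")
    words = [wire[0:2], wire[2:4]]
    if low_byte_first:
        words = [w[::-1] for w in words]       # swap the bytes in each word
    if low_word_first:
        words.reverse()                        # swap the two words
    return b"".join(words)

def decode32(wire: bytes, low_byte_first=False, low_word_first=False) -> dict:
    """The 32-bit readings of two registers, given the device's ordering."""
    be = normalise(wire, low_byte_first, low_word_first)
    return {"uint32": struct.unpack(">I", be)[0],
            "int32": struct.unpack(">i", be)[0],
            "float32": struct.unpack(">f", be)[0],
            "chars": be.decode("latin-1")}

# The four transmissions of 2,923,517,522 from the text:
# (bytes as sent, low byte first?, low word first?)
COMBINATIONS = [
    ("AE41 5652", False, False),
    ("5652 AE41", False, True),
    ("41AE 5256", True, False),
    ("5256 41AE", True, True),
]

if __name__ == "__main__":
    print(decode16(0xAE41))
    for text, lbf, lwf in COMBINATIONS:
        print(text, decode32(bytes.fromhex(text), lbf, lwf)["uint32"])
    # Wrong ordering assumed: the bytes still decode, but to another number.
    print(decode32(bytes.fromhex("AE41 5652"), low_word_first=True)["uint32"])
```

A mismatched ordering raises no error, so the ordering has to come from the device's documentation and be checked against a known reading.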
What is a Modbus Map?
A Modbus map is a list for a slave device that defines:
- What the data is (e.g. pressure or temperature readings)
- Where the data is stored (which tables and data addresses)
- How the data is stored (data types, byte and word order)
Some devices are built with a fixed map defined by the manufacturer, while others allow the customer to configure or program the map to meet their needs.
What is Extended Register Address?
Since analog output registers are from 40001 to 49999, it means there can be no more than 9999 registers. While this is sufficient for most applications, sometimes it is useful to have more registers.
If the remaining data addresses from 270F to FFFF are put to use, 65536 registers become available in total, more than six times as many. This extends the register number range to 40001 through 105536.
Most Modbus software drivers (for Master PCs) offer a limited range from 40001 to 49999, in which case extended registers on slave devices cannot be accessed. Most slave devices also do not support maps that use extended registers. On the other hand, some slave devices do support these registers, and some master software provides access to them if specially written.
How Does 2-byte Slave Addressing Work?
Because a single byte is used to define the slave address, the number of slaves on the network is limited to 256. To overcome this limitation, the protocol can be modified to use two bytes for the address.
All masters and slaves must support this change. 2-byte addressing increases the number of Slaves on the network to 65535.