Modbus Tutorial

What is Modbus?

Modbus is a serial communication protocol published by Modicon® in 1979 for use with its programmable logic controllers (PLCs). In simple terms, it is a method used for transmitting information over serial lines between electronic devices. The device requesting the information is called the Modbus Master and the devices supplying information are Modbus Slaves. In a standard Modbus network, there is one Master and up to 247 Slaves, each with a unique Slave Address from 1 to 247. The Master can also write information to the Slaves.

The main reasons for the use of Modbus in the industrial environment are:

  •  It has been developed with industrial applications in mind
  •  It is openly published and royalty-free
  •  It is easy to deploy and maintain
  •  It moves raw bits or words without placing many restrictions on vendors
  •  SCADA systems that support the Modbus protocol are widely available

There are different flavours of the Modbus protocol:

  •  Modbus TCP
  •  Modbus RTU
  •  Modbus ASCII
  •  Modbus Plus
  •  Modbus Daniels
  •  Modbus Tek-Air
  •  Modbus Omniflow

The most popular of these are Modbus RTU and Modbus TCP/IP.

Modbus RTU

Modbus RTU is a serial communication protocol that connects different devices on the same network and makes communication between them possible.

Modbus TCP

A Modbus Messaging Implementation Guide provided by Schneider Automation outlines a modified protocol specifically for use over TCP/IP. The official Modbus specification can be found at . The main differences between Modbus RTU and Modbus TCP are outlined here.


MODBUS has a unique addressing pattern. A Modbus device will store every value in it at a particular address. For example an EATON power meter will store a value of Volt A-N only at Modbus address 40001.

There are four Modbus data types:

Type of Modbus data                    Data format and common name   Address where they begin   Type
Modbus Coils                           Bits, binary values           00001                      This type of data can be provided by an I/O system.
Digital Inputs                         Binary values                 10001                      This type of data can be changed by an application layer.
Analog Inputs                          Binary values                 30001                      This type of data can be provided by an I/O system.
Modbus Registers / Holding registers   Analog values                 40001                      This type of data can be changed by an application layer.

How does MODBUS RTU work?

  • Modbus is transmitted over serial lines between devices. The simplest setup would be a single serial cable connecting the serial ports on two devices, a Master and a Slave.
  • The data is sent as a series of ones and zeroes called bits. Each bit is sent as a voltage. Zeroes are sent as positive voltages and ones as negative. The bits are sent very quickly. A typical transmission speed is 9600 baud (bits per second).

How does Modbus TCP work?

The Modbus device can be connected using an Ethernet port on the gateway. We can make a query using any standard Modbus Scanner to extract the value from a Modbus device. All requests are sent via TCP/IP on registered port 502.
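To make the "requests sent via TCP/IP on port 502" concrete, the following added example (not code from the original tutorial or from any vendor) builds and parses a Modbus TCP frame: the 7-byte MBAP header (transaction id, protocol id 0, length, unit id) followed by the PDU. The function names, the 253-byte PDU limit check and the sample request are the author's own choices; the only constant taken from the tutorial is port 502.

```python
import struct

MODBUS_TCP_PORT = 502       # registered port named in the tutorial
PROTOCOL_ID_MODBUS = 0      # the only value defined for the MBAP protocol identifier


def build_adu(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """Prefix a PDU with the 7-byte MBAP header used on TCP port 502.

    The length field counts the bytes that follow it: unit id (1) + PDU.
    """
    if not 0 <= transaction_id <= 0xFFFF or not 0 <= unit_id <= 0xFF:
        raise ValueError("transaction id must fit 16 bits, unit id 8 bits")
    if not 1 <= len(pdu) <= 253:
        raise ValueError("PDU must be 1..253 bytes")
    header = struct.pack(">HHHB", transaction_id, PROTOCOL_ID_MODBUS, len(pdu) + 1, unit_id)
    return header + pdu


def parse_adu(frame: bytes) -> dict:
    """Split an ADU into MBAP fields and PDU, rejecting frames whose header lies."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != PROTOCOL_ID_MODBUS:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match frame ({len(frame) - 6})")
    pdu = frame[7:]
    return {"transaction_id": tid, "unit_id": unit,
            "function_code": pdu[0], "data": pdu[1:]}


def read_holding_registers_pdu(start_address: int, quantity: int) -> bytes:
    """PDU for function 03: function code, 2-byte start address, 2-byte quantity."""
    if not 1 <= quantity <= 125:
        raise ValueError("function 03 allows 1..125 registers per request")
    return struct.pack(">BHH", 0x03, start_address, quantity)


if __name__ == "__main__":
    # Constructed request: read 2 holding registers from 40001 (data address 0) on unit 1.
    request = build_adu(0x0001, 1, read_holding_registers_pdu(0, 2))
    print(request.hex())        # 000100000006010300000002
    print(parse_adu(request))
```

Because the length field is checked against the real frame size, a frame whose header claims more or fewer bytes than were received is rejected instead of being parsed into a bogus PDU, which is the first sanity check a monitoring tool on port 502 should apply.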

How is data stored in Standard Modbus?

Information is stored in the Slave device in four different tables.
Two tables store on/off discrete values (coils) and two store numerical values (registers). The coils and registers each have a read-only table and read-write table.

Each table has 9999 values.
Each coil or contact is 1 bit and is assigned a data address between 0000 and 270E (hex).
Each register is 1 word = 16 bits = 2 bytes and also has a data address between 0000 and 270E (hex).

Coil/Register Numbers   Data Addresses   Type         Table Name
1-9999                  0000 to 270E     Read-Write   Discrete Output Coils
10001-19999             0000 to 270E     Read-Only    Discrete Input Contacts
30001-39999             0000 to 270E     Read-Only    Analog Input Registers
40001-49999             0000 to 270E     Read-Write   Analog Output Holding Registers

Coil/Register Numbers can be thought of as location names since they do not appear in the actual messages. The Data Addresses are used in the messages.

For example, the first Holding Register, number 40001, has the Data Address 0000.
The difference between these two values is the offset.
Each table has a different offset: 1, 10001, 30001 and 40001.

What is the Slave ID?

Each slave in a network is assigned a unique unit address from 1 to 247. When the master requests data, the first byte it sends is the Slave address. This way each slave knows after the first byte whether or not to ignore the message.

What is a Modbus Map?

A modbus map is simply a list for a slave device that defines
– what the data is (e.g. pressure or temperature readings)
– where the data is stored (which tables and data addresses)
– how the data is stored (data types, byte and word ordering)

Some devices are built with a fixed map that is defined by the manufacturer, while other devices allow the operator to configure or program a custom map to fit their needs.


MODBUS networks employ two methods of error checking:

  1.   Parity checking of the data character frame (even, odd, or no parity)
  2.   Frame checking within the message frame (Cyclical Redundancy Check in RTU Mode, or Longitudinal Redundancy Check in ASCII Mode).

Parity Checking

A MODBUS device can be configured for even or odd parity, or for no parity checking.  This determines how the parity bit of the character's data frame is set.  If even or odd parity checking is selected, the number of 1 bits in the data portion of each character frame is counted.  Each character in RTU mode contains 8 bits.  The parity bit will then be set to 0 or 1, to result in an even (even parity) or odd (odd parity) total number of 1 bits.

Frame checking

LRC Longitudinal Redundancy Check (ASCII Mode Only)

In the ASCII transmission mode, the character frame includes an LRC field as the last field preceding the CRLF characters.  This field contains two ASCII characters that represent the result of a longitudinal redundancy calculation for all the fields except the starting colon character and ending CR LF pair of characters.

CRC Error Checking (RTU Mode Only)

RTU Mode message frames include an error checking method that is based on a Cyclical Redundancy Check (CRC).  The error-checking field of a message frame contains a 16-bit value (two 8-bit bytes) that contains the result of a Cyclical Redundancy Check (CRC) calculation performed on the message contents.
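The three checks described above (parity bit, LRC for ASCII mode, CRC for RTU mode) are shown in the following added example, which is not code from the original tutorial. It implements the Modbus CRC-16 (polynomial 0xA001 in reflected form, initial value 0xFFFF, low byte transmitted first), the ASCII-mode LRC (two's complement of the byte sum) and the parity-bit rule, and verifies a received frame so that a corrupted one is detected. The function names and the sample frame (unit 1, function 03, two registers from address 0) are the author's own.

```python
def crc16_modbus(data: bytes) -> int:
    """CRC-16 as used by Modbus RTU: reflected polynomial 0xA001, initial value 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def rtu_frame(unit_and_pdu: bytes) -> bytes:
    """Append the CRC as RTU transmits it: low byte first, high byte second."""
    crc = crc16_modbus(unit_and_pdu)
    return unit_and_pdu + bytes([crc & 0xFF, crc >> 8])


def rtu_frame_ok(frame: bytes) -> bool:
    """True only if the trailing two bytes match the CRC of everything before them."""
    if len(frame) < 4:                       # unit id + function code + 2 CRC bytes minimum
        return False
    body, crc_bytes = frame[:-2], frame[-2:]
    received = crc_bytes[0] | (crc_bytes[1] << 8)
    return crc16_modbus(body) == received


def lrc(data: bytes) -> int:
    """LRC for ASCII mode: two's complement of the 8-bit sum of all bytes."""
    return (-sum(data)) & 0xFF


def ascii_frame(unit_and_pdu: bytes) -> bytes:
    """':' + hex digits of unit id and PDU + hex digits of the LRC + CR LF."""
    payload = unit_and_pdu + bytes([lrc(unit_and_pdu)])
    return b":" + payload.hex().upper().encode("ascii") + b"\r\n"


def ascii_frame_ok(frame: bytes) -> bool:
    """Check delimiters, hex encoding and LRC of an ASCII-mode frame."""
    if not (frame.startswith(b":") and frame.endswith(b"\r\n")):
        return False
    try:
        raw = bytes.fromhex(frame[1:-2].decode("ascii"))
    except ValueError:                       # odd length or non-hex characters
        return False
    return len(raw) >= 2 and lrc(raw[:-1]) == raw[-1]


def parity_bit(byte: int, mode: str) -> int:
    """Parity bit for one 8-bit character so the total count of 1 bits is even or odd."""
    ones = bin(byte & 0xFF).count("1")
    if mode == "even":
        return ones & 1                      # add a 1 only when the data already has an odd count
    if mode == "odd":
        return 1 - (ones & 1)
    raise ValueError("mode must be 'even' or 'odd'")


if __name__ == "__main__":
    # Constructed frame: unit 1, function 03, start address 0, quantity 2.
    body = bytes.fromhex("010300000002")
    print(rtu_frame(body).hex())             # 010300000002c40b
    print(ascii_frame(body))                 # b':010300000002FA\r\n'
    print(rtu_frame_ok(rtu_frame(body)), rtu_frame_ok(body + b"\x00\x00"))
```

A single flipped bit in the body changes the CRC, so `rtu_frame_ok` returns False for it; this is the check a serial gateway or passive monitor applies before trusting any field of an RTU frame. Note that the CRC only detects line noise: it is not a cryptographic integrity check and anyone who can write to the bus can compute a valid one.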

Function codes Defined by Modbus:

The second byte sent by the Master is the Function code. This number tells the slave which table to access and whether to read from or write to the table.

Function Code   Action           Table Name
01 (01 hex)     Read             Discrete Output Coils
05 (05 hex)     Write single     Discrete Output Coil
15 (0F hex)     Write multiple   Discrete Output Coils
02 (02 hex)     Read             Discrete Input Contacts
04 (04 hex)     Read             Analog Input Registers
03 (03 hex)     Read             Analog Output Holding Registers
06 (06 hex)     Write single     Analog Output Holding Register
16 (10 hex)     Write multiple   Analog Output Holding Registers

Modbus Exception Codes

Code   Name                                       Meaning
01     ILLEGAL FUNCTION                           The function code received in the query is not an allowable action for the server (or slave). This may be because the function code is only applicable to newer devices, and was not implemented in the unit selected. It could also indicate that the server (or slave) is in the wrong state to process a request of this type, for example because it is unconfigured and is being asked to return register values.
02     ILLEGAL DATA ADDRESS                       The data address received in the query is not an allowable address for the server (or slave). More specifically, the combination of reference number and transfer length is invalid. For a controller with 100 registers, the PDU addresses the first register as 0, and the last one as 99. If a request is submitted with a starting register address of 96 and a quantity of registers of 4, then this request will successfully operate (address-wise at least) on registers 96, 97, 98, 99. If a request is submitted with a starting register address of 96 and a quantity of registers of 5, then this request will fail with Exception Code 0x02 "Illegal Data Address" since it attempts to operate on registers 96, 97, 98, 99 and 100, and there is no register with address 100.
03     ILLEGAL DATA VALUE                         A value contained in the query data field is not an allowable value for the server (or slave). This indicates a fault in the structure of the remainder of a complex request, such as that the implied length is incorrect. It specifically does NOT mean that a data item submitted for storage in a register has a value outside the expectation of the application program, since the MODBUS protocol is unaware of the significance of any particular value of any particular register.
04     SLAVE DEVICE FAILURE                       An unrecoverable error occurred while the server (or slave) was attempting to perform the requested action.
05     ACKNOWLEDGE                                Specialized use in conjunction with programming commands. The server (or slave) has accepted the request and is processing it, but a long duration of time will be required to do so. This response is returned to prevent a timeout error from occurring in the client (or master). The client (or master) can next issue a Poll Program Complete message to determine if processing is completed.
06     SLAVE DEVICE BUSY                          Specialized use in conjunction with programming commands. The server (or slave) is engaged in processing a long-duration program command. The client (or master) should retransmit the message later when the server (or slave) is free.
08     MEMORY PARITY ERROR                        Specialized use in conjunction with function codes 20 and 21 and reference type 6, to indicate that the extended file area failed to pass a consistency check. The server (or slave) attempted to read a record file, but detected a parity error in the memory. The client (or master) can retry the request, but service may be required on the server (or slave) device.
0A     GATEWAY PATH UNAVAILABLE                   Specialized use in conjunction with gateways; indicates that the gateway was unable to allocate an internal communication path from the input port to the output port for processing the request. Usually means that the gateway is not configured correctly or is overloaded.
0B     GATEWAY TARGET DEVICE FAILED TO RESPOND    Specialized use in conjunction with gateways; indicates that no response was obtained from the target device. Usually means that the device is not present on the network.
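The following added example (the author's own code, not from the original tutorial or any PLC vendor) ties together the function-code table, the 40001-to-address-0 offset and the exception codes above. It models the 100-register controller from the Exception Code 02 description: the server decodes a request PDU, dispatches on function code 03 (read holding registers) or 06 (write single register), and answers with the data or with an exception PDU (function code with the high bit set, then the exception code). The class and function names, the validation order and the sample PDUs are constructed assumptions.

```python
import struct

ILLEGAL_FUNCTION = 0x01
ILLEGAL_DATA_ADDRESS = 0x02
ILLEGAL_DATA_VALUE = 0x03


def register_number_to_address(number: int) -> int:
    """Holding register 40001 is PDU data address 0; the table offset is 40001."""
    if not 40001 <= number <= 49999:
        raise ValueError("not a holding register number")
    return number - 40001


class HoldingRegisterServer:
    """Constructed server model: a controller with 100 holding registers (addresses 0..99)."""

    def __init__(self, count: int = 100):
        self.registers = [0] * count

    @staticmethod
    def _exception(fc: int, code: int) -> bytes:
        # Exception responses echo the function code with its high bit (0x80) set.
        return bytes([fc | 0x80, code])

    def handle(self, pdu: bytes) -> bytes:
        if not pdu:
            return self._exception(0x00, ILLEGAL_DATA_VALUE)
        fc = pdu[0]
        if fc == 0x03:
            return self._read_holding(pdu)
        if fc == 0x06:
            return self._write_single(pdu)
        return self._exception(fc, ILLEGAL_FUNCTION)      # code 01: unsupported function

    def _read_holding(self, pdu: bytes) -> bytes:
        if len(pdu) != 5:                                 # fc + start (2) + quantity (2)
            return self._exception(0x03, ILLEGAL_DATA_VALUE)
        start, qty = struct.unpack(">HH", pdu[1:5])
        if not 1 <= qty <= 125:                           # code 03: quantity outside 1..125
            return self._exception(0x03, ILLEGAL_DATA_VALUE)
        if start + qty > len(self.registers):             # code 02: range runs past register 99
            return self._exception(0x03, ILLEGAL_DATA_ADDRESS)
        values = self.registers[start:start + qty]
        return bytes([0x03, 2 * qty]) + struct.pack(f">{qty}H", *values)

    def _write_single(self, pdu: bytes) -> bytes:
        if len(pdu) != 5:                                 # fc + address (2) + value (2)
            return self._exception(0x06, ILLEGAL_DATA_VALUE)
        addr, value = struct.unpack(">HH", pdu[1:5])
        if addr >= len(self.registers):                   # code 02: no such register
            return self._exception(0x06, ILLEGAL_DATA_ADDRESS)
        self.registers[addr] = value
        return pdu                                        # function 06 echoes the request on success


if __name__ == "__main__":
    server = HoldingRegisterServer()
    # Constructed requests reproducing the Exception Code 02 example: start 96, quantity 4 then 5.
    print(server.handle(bytes.fromhex("0300600004")).hex())   # 0308 + eight data bytes
    print(server.handle(bytes.fromhex("0300600005")).hex())   # 8302
    # Function 01 is not served by this holding-register-only model.
    print(server.handle(bytes.fromhex("0100000001")).hex())   # 8101
    # Write register 40001 (address 0) and read it back.
    addr = register_number_to_address(40001)
    print(server.handle(struct.pack(">BHH", 0x06, addr, 0x1234)).hex())   # 0600001234
    print(server.handle(struct.pack(">BHH", 0x03, addr, 1)).hex())        # 03021234
```

The checks run in the order a compliant device applies them: function code first (01), then the data values (03), then the address range (02). Seeing many 0x8x exception responses from one device in a capture is a useful detection signal, since a correctly configured master should rarely ask for registers that do not exist.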