Modbus RTU made simple with detailed descriptions and examples

26 April 2017 Knowledge Base
From this article you will learn about the Modbus RTU protocol, which is widely used in process control systems.

Modbus RTU protocol description

Modbus is a communication protocol based on a master-slave architecture. It uses RS-485, RS-422 and RS-232 interfaces, as well as Ethernet TCP/IP networks (the Modbus TCP protocol), for data transfer.

A Modbus RTU message consists of the device address (SlaveID), the function code, special data that depends on the function code, and the CRC checksum.

| SlaveID | Function code | Special data | CRC |

If you discard the SlaveID address and the CRC checksum, you get the PDU (Protocol Data Unit).

SlaveID is the address of the device. It can take a value from 0 to 247; addresses from 248 to 255 are reserved.

Data in the module is stored in 4 tables.

Two tables are read-only and two are read-write.

Each table holds 9999 values.

| Register number | Register address (hex) | Access type | Name | Type |
| --- | --- | --- | --- | --- |
| 1-9999 | 0000 to 270E | read-write | Discrete Output Coils | DO |
| 10001-19999 | 0000 to 270E | read | Discrete Input Contacts | DI |
| 30001-39999 | 0000 to 270E | read | Analog Input Registers | AI |
| 40001-49999 | 0000 to 270E | read-write | Analog Output Holding Registers | AO |

The Modbus message uses the register address.

For example, the first register of AO Holding Register has the number 40001, but its address is 0000.

The difference between these two quantities is the "offset".

Each table has its own offset, respectively: 1, 10001, 30001 and 40001.

The following is an example of a Modbus RTU request for the AO values of the holding registers # 40108 to 40110 from the device with address 17.

11 03 006B 0003 7687

| Bytes (hex) | Description |
| --- | --- |
| 11 | Address of the device, SlaveID (17 = 11 hex) |
| 03 | Function code |
| 006B | Address of the first register (40108 - 40001 = 107 = 6B hex) |
| 0003 | Number of registers required (reading 3 registers, 40108 to 40110) |
| 7687 | CRC checksum |

The Modbus RTU slave device responds with:

11 03 06 AE41 5652 4340 49AD

Where:

| Byte (hex) | Description | Field |
| --- | --- | --- |
| 11 | Device address (17 = 11 hex) | SlaveID |
| 03 | Function code | Function Code |
| 06 | Number of bytes that follow (6 bytes follow) | Byte Count |
| AE | High byte of the register value (AE hex) | Register value Hi (AO0) |
| 41 | Low byte of the register value (41 hex) | Register value Lo (AO0) |
| 56 | High byte of the register value (56 hex) | Register value Hi (AO1) |
| 52 | Low byte of the register value (52 hex) | Register value Lo (AO1) |
| 43 | High byte of the register value (43 hex) | Register value Hi (AO2) |
| 40 | Low byte of the register value (40 hex) | Register value Lo (AO2) |
| 49 | Checksum | CRC value Hi |
| AD | Checksum | CRC value Lo |

The analog output register AO0 has the value AE 41 HEX or 44609 in the decimal system.

The analog output register AO1 has a value of 56 52 HEX or 22098 in the decimal system.

The analog output register AO2 has a value of 43 40 HEX or 17216 in the decimal system.

The value AE 41 hex is the 16 bits 1010 1110 0100 0001, which can be read as different values depending on the type of representation.

The value of register 40108, when combined with register 40109, gives a 32-bit value.

Examples of representations:

| View type | Value range | Example in hex | In decimal form |
| --- | --- | --- | --- |
| 16-bit unsigned integer | 0 to 65535 | AE41 | 44,609 |
| 16-bit signed integer | -32768 to 32767 | AE41 | -20,927 |
| two character ASCII string | 2 char | AE41 | ® A |
| discrete on/off value | 0 and 1 | 0001 | 0001 |
| 32-bit unsigned integer | 0 to 4,294,967,295 | AE41 5652 | 2,923,517,522 |
| 32-bit signed integer | -2,147,483,648 to 2,147,483,647 | AE41 5652 | -1,371,449,774 |
| 32-bit single precision IEEE floating point number | 1.2×10^-38 to 3.4×10^+38 | AE41 5652 | -4.395978 E-11 |
| four character ASCII string | 4 char | AE41 5652 | ® A V R |
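
The rows of the table above can be reproduced from the raw register values. This is an added example, not code from the original article; the function name interpret is chosen for illustration. It assumes the byte and word order the table uses (high byte and high word first) and also shows the swapped-word reading, because devices differ on word order.

```python
import struct


def interpret(registers):
    """Decode 16-bit Modbus register values the ways the table lists.

    Assumption: each register is sent high byte first and, for 32-bit
    values, the first register is the high word. Some devices swap the
    word order, so the device manual decides which reading is right.
    """
    # struct.pack raises struct.error for values outside 0..65535.
    raw = b"".join(struct.pack(">H", r) for r in registers)
    first = raw[:2]
    out = {
        "uint16": struct.unpack(">H", first)[0],
        "int16": struct.unpack(">h", first)[0],
        "ascii2": first.decode("latin-1"),
    }
    if len(raw) >= 4:
        pair = raw[:4]
        out["uint32"] = struct.unpack(">I", pair)[0]
        out["int32"] = struct.unpack(">i", pair)[0]
        out["float32"] = struct.unpack(">f", pair)[0]
        out["ascii4"] = pair.decode("latin-1")
        # The same two registers read with the low word first.
        out["uint32_swapped"] = struct.unpack(">I", pair[2:] + pair[:2])[0]
    return out


if __name__ == "__main__":
    # Registers 40108 and 40109 from the response above.
    for name, value in interpret([0xAE41, 0x5652]).items():
        print(f"{name:15} {value!r}")
```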


What are Modbus RTU commands?

Here is a table with the codes for reading and writing the Modbus RTU registers.

| Function code | What the function does | Value type | Access type |
| --- | --- | --- | --- |
| 01 (0x01) | Read DO (Read Coil Status) | Discrete | Read |
| 02 (0x02) | Read DI (Read Input Status) | Discrete | Read |
| 03 (0x03) | Read AO (Read Holding Registers) | 16 bit | Read |
| 04 (0x04) | Read AI (Read Input Registers) | 16 bit | Read |
| 05 (0x05) | Write one DO (Force Single Coil) | Discrete | Write |
| 06 (0x06) | Write one AO (Preset Single Register) | 16 bit | Write |
| 15 (0x0F) | Write multiple DO (Force Multiple Coils) | Discrete | Write |
| 16 (0x10) | Write multiple AO (Preset Multiple Registers) | 16 bit | Write |


How can I send a Modbus RTU command to read discrete output? Command 0x01

This command is used to read the values of the DO digital outputs.

The PDU request specifies the start address of the first DO register and the subsequent number of required DO values. In the PDU, the DO values are addressed starting from zero.

The DO values in the response are packed into bytes, one DO value per bit.

The bit values are defined as 1 = ON and 0 = OFF.

The low bit of the first data byte contains the DO value whose address was specified in the request. The remaining DO values follow in order toward the high-order bit of the byte, i.e. from right to left.

If fewer than eight DO values were requested, the remaining bits in the response are filled with zeros (toward the high-order end of the byte). The Byte Count field gives the number of complete data bytes in the response.

Example of a request for DO 20 to 56 from the device with SlaveID 17. The address of the first register is 0013 hex = 19, because addresses are counted from 0 (0014 hex = 20, minus the offset of 1 gives 0013 hex = 19).

| Request byte (hex) | Request field | Answer byte (hex) | Answer field |
| --- | --- | --- | --- |
| 11 | Device address | 11 | Device address |
| 01 | Function code | 01 | Function code |
| 00 | Address of the first register Hi byte | 05 | Number of bytes that follow |
| 13 | Address of the first register Lo byte | CD | Register value DO 27-20 (1100 1101) |
| 00 | Number of registers Hi byte | 6B | Register value DO 35-28 (0110 1011) |
| 25 | Number of registers Lo byte | B2 | Register value DO 43-36 (1011 0010) |
| 0E | CRC checksum | 0E | Register value DO 51-44 (0000 1110) |
| 84 | CRC checksum | 1B | Register value DO 56-52 (0001 1011) |
| | | 45 | CRC checksum |
| | | E6 | CRC checksum |

The output states of DO 27-20 are shown as the values of the byte CD hex, or in the binary system 1100 1101.

In register DO 56-52, 5 bits on the right were requested, and the remaining bits are filled with zeros to the full byte (0001 1011).

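| Channels | - | - | - | DO 56 | DO 55 | DO 54 | DO 53 | DO 52 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Bits | 0 | 0 | 0 | 1 | 1 | 0 | 1 | 1 |
| Hex | 1B | | | | | | | |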
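
The bit packing described above, as an added example (not code from the original article; the function names unpack_coils and pack_coils are chosen for illustration). It decodes the five data bytes of the answer into per-output states, rejects a reply whose byte count or padding bits do not fit the request, and shows the inverse packing that command 0x0F uses later in the article.

```python
def unpack_coils(data: bytes, first_number: int, quantity: int) -> dict:
    """Map the data bytes of a 0x01/0x02 answer to {number: state}.

    data holds only the bytes after the byte-count field; first_number
    and quantity come from the request that the answer belongs to.
    """
    expected = (quantity + 7) // 8
    if quantity < 1 or len(data) != expected:
        raise ValueError(f"expected {expected} data bytes, got {len(data)}")
    padding = expected * 8 - quantity
    # Strict check (a choice made in this example): unused high bits must be 0.
    if padding and data[-1] >> (8 - padding):
        raise ValueError("padding bits in the last byte are not zero")
    states = {}
    for i in range(quantity):
        byte_index, bit = divmod(i, 8)   # low bit of byte 0 is the first DO
        states[first_number + i] = bool((data[byte_index] >> bit) & 1)
    return states


def pack_coils(states) -> bytes:
    """Inverse operation: pack ON/OFF states into data bytes, low bit first."""
    out = bytearray((len(states) + 7) // 8)
    for i, state in enumerate(states):
        if state:
            out[i // 8] |= 1 << (i % 8)
    return bytes(out)


if __name__ == "__main__":
    # Data bytes of the answer above: DO 20 to 56, quantity 25 hex = 37.
    coils = unpack_coils(bytes.fromhex("CD 6B B2 0E 1B"), 20, 0x25)
    print("ON:", [number for number, on in coils.items() if on])
    # DO 20 to 29 as written by the 0x0F example: prints cd01.
    print(pack_coils([1, 0, 1, 1, 0, 0, 1, 1, 1, 0]).hex())
```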


How can I send a Modbus RTU command to read a digital input? Command 0x02

This command is used to read the values of digital inputs DI.

Example of a DI request for registers # 10197 to 10218 from the device with SlaveID 17. The address of the first register is 00C4 hex = 196, because addresses are counted from 0.

| Request byte (hex) | Request field | Answer byte (hex) | Answer field |
| --- | --- | --- | --- |
| 11 | Device address | 11 | Device address |
| 02 | Function code | 02 | Function code |
| 00 | Address of the first register Hi byte | 03 | Number of bytes that follow |
| C4 | Address of the first register Lo byte | AC | Register value DI 10204-10197 (1010 1100) |
| 00 | Number of registers Hi byte | DB | Register value DI 10212-10205 (1101 1011) |
| 16 | Number of registers Lo byte | 35 | Register value DI 10218-10213 (0011 0101) |
| BA | CRC checksum | 20 | CRC checksum |
| A9 | CRC checksum | 18 | CRC checksum |


How can I send a Modbus RTU command to read analog output? Command 0x03

This command is used to read the values of the analog outputs AO.

Example of an AO request for registers # 40108 to 40110 from the device with SlaveID 17. The address of the first register is 006B hex = 107, because addresses are counted from 0.

| Request byte (hex) | Request field | Answer byte (hex) | Answer field |
| --- | --- | --- | --- |
| 11 | Device address | 11 | Device address |
| 03 | Function code | 03 | Function code |
| 00 | Address of the first register Hi byte | 06 | Number of bytes that follow |
| 6B | Address of the first register Lo byte | AE | Register value Hi #40108 |
| 00 | Number of registers Hi byte | 41 | Register value Lo #40108 |
| 03 | Number of registers Lo byte | 56 | Register value Hi #40109 |
| 76 | CRC checksum | 52 | Register value Lo #40109 |
| 87 | CRC checksum | 43 | Register value Hi #40110 |
| | | 40 | Register value Lo #40110 |
| | | 49 | CRC checksum |
| | | AD | CRC checksum |


How can I send the Modbus RTU command to read the analog input? Command 0x04

This command is used to read the values of analog inputs AI.

Example of an AI request for register # 30009 from the device with SlaveID 17. The address of the first register is 0008 hex = 8, because addresses are counted from 0.

| Request byte (hex) | Request field | Answer byte (hex) | Answer field |
| --- | --- | --- | --- |
| 11 | Device address | 11 | Device address |
| 04 | Function code | 04 | Function code |
| 00 | Address of the first register Hi byte | 02 | Number of bytes that follow |
| 08 | Address of the first register Lo byte | 00 | Register value Hi #30009 |
| 00 | Number of registers Hi byte | 0A | Register value Lo #30009 |
| 01 | Number of registers Lo byte | F8 | CRC checksum |
| B2 | CRC checksum | F4 | CRC checksum |
| 98 | CRC checksum | | |


How can I send a Modbus RTU command to write discrete output? Command 0x05

This command is used to write one value of the DO digital output.

The value of FF 00 hex sets the output to ON.

The value 00 00 hex sets the output to OFF.

All other values are invalid and do not affect the output value.

The normal response to such a request is an echo (the request repeated in the response), returned after the DO state has been changed.

Example of writing DO register # 173 on the device with SlaveID 17. The register address is 00AC hex = 172, because addresses are counted from 0.

| Request byte (hex) | Request field | Answer byte (hex) | Answer field |
| --- | --- | --- | --- |
| 11 | Device address | 11 | Device address |
| 05 | Function code | 05 | Function code |
| 00 | Address of the first register Hi byte | 00 | Address of the first register Hi byte |
| AC | Address of the first register Lo byte | AC | Address of the first register Lo byte |
| FF | Value Hi byte | FF | Value Hi byte |
| 00 | Value Lo byte | 00 | Value Lo byte |
| 4E | CRC checksum | 4E | CRC checksum |
| 8B | CRC checksum | 8B | CRC checksum |

The DO173 output state has changed from OFF to ON.


How can I send a Modbus RTU command to write analog output? Command 0x06

This command is used to write one value of the analog output AO.

Example of writing AO register # 40002 on the device with SlaveID 17. The address of the first register is 0001 hex = 1, because addresses are counted from 0.

| Request byte (hex) | Request field | Answer byte (hex) | Answer field |
| --- | --- | --- | --- |
| 11 | Device address | 11 | Device address |
| 06 | Function code | 06 | Function code |
| 00 | Address of the first register Hi byte | 00 | Address of the first register Hi byte |
| 01 | Address of the first register Lo byte | 01 | Address of the first register Lo byte |
| 00 | Value Hi byte | 00 | Value Hi byte |
| 03 | Value Lo byte | 03 | Value Lo byte |
| 9A | CRC checksum | 9A | CRC checksum |
| 9B | CRC checksum | 9B | CRC checksum |


How can I send a Modbus RTU command to write multiple discrete outputs? Command 0x0F

This command is used to write multiple values of the DO digital outputs.

Example of writing several DOs, registers # 20 to # 29, on the device with SlaveID 17. The register address is 0013 hex = 19, because addresses are counted from 0.

| Request byte (hex) | Request field | Answer byte (hex) | Answer field |
| --- | --- | --- | --- |
| 11 | Device address | 11 | Device address |
| 0F | Function code | 0F | Function code |
| 00 | Address of the first register Hi byte | 00 | Address of the first register Hi byte |
| 13 | Address of the first register Lo byte | 13 | Address of the first register Lo byte |
| 00 | Number of registers Hi byte | 00 | Number of written registers Hi byte |
| 0A | Number of registers Lo byte | 0A | Number of written registers Lo byte |
| 02 | Number of bytes that follow | 26 | CRC checksum |
| CD | Byte value DO 27-20 (1100 1101) | 99 | CRC checksum |
| 01 | Byte value DO 29-28 (0000 0001) | | |
| BF | CRC checksum | | |
| 0B | CRC checksum | | |

The answer returns the number of registers written.


How can I send a Modbus RTU command to write multiple analog outputs? Command 0x10

This command is used to write multiple values of the analog output AO.

Example of writing several AOs, registers # 40002 and # 40003, on the device with SlaveID 17. The address of the first register is 0001 hex = 1, because addresses are counted from 0.

| Request byte (hex) | Request field | Answer byte (hex) | Answer field |
| --- | --- | --- | --- |
| 11 | Device address | 11 | Device address |
| 10 | Function code | 10 | Function code |
| 00 | Address of the first register Hi byte | 00 | Address of the first register Hi byte |
| 01 | Address of the first register Lo byte | 01 | Address of the first register Lo byte |
| 00 | Number of registers Hi byte | 00 | Number of written registers Hi byte |
| 02 | Number of registers Lo byte | 02 | Number of written registers Lo byte |
| 04 | Number of bytes that follow | 12 | CRC checksum |
| 00 | Value Hi 40002 | 98 | CRC checksum |
| 0A | Value Lo 40002 | | |
| 01 | Value Hi 40003 | | |
| 02 | Value Lo 40003 | | |
| C6 | CRC checksum | | |
| F0 | CRC checksum | | |


What are the errors of the Modbus request?

If the device receives a request but cannot process it, the device responds with an error code.

The response contains a modified function code whose high-order bit is set to 1.

Example:

| Function code in request (was) | Function code in error response (becomes) |
| --- | --- |
| 01 (01 hex) 0000 0001 | 129 (81 hex) 1000 0001 |
| 02 (02 hex) 0000 0010 | 130 (82 hex) 1000 0010 |
| 03 (03 hex) 0000 0011 | 131 (83 hex) 1000 0011 |
| 04 (04 hex) 0000 0100 | 132 (84 hex) 1000 0100 |
| 05 (05 hex) 0000 0101 | 133 (85 hex) 1000 0101 |
| 06 (06 hex) 0000 0110 | 134 (86 hex) 1000 0110 |
| 15 (0F hex) 0000 1111 | 143 (8F hex) 1000 1111 |
| 16 (10 hex) 0001 0000 | 144 (90 hex) 1001 0000 |

Sample request and response with error:

| Request byte (hex) | Request field | Answer byte (hex) | Answer field |
| --- | --- | --- | --- |
| 0A | Device address | 0A | Device address |
| 01 | Function code | 81 | Function code with changed bit |
| 04 | Address of the first register Hi byte | 02 | Error code |
| A1 | Address of the first register Lo byte | B0 | CRC checksum |
| 00 | Number of registers Hi byte | 53 | CRC checksum |
| 01 | Number of registers Lo byte | | |
| AC | CRC checksum | | |
| 63 | CRC checksum | | |

Explanation of error codes

| Code | Explanation |
| --- | --- |
| 01 | The function code received cannot be processed. |
| 02 | The data address specified in the request is not available. |
| 03 | The value contained in the query data field is an invalid value. |
| 04 | An unrecoverable error occurred while the slave attempted to perform the requested action. |
| 05 | The slave has accepted the request and is processing it, but this takes a long time. This response prevents the master from generating a timeout error. |
| 06 | The slave is busy processing the command. The master must repeat the message later, when the slave is free. |
| 07 | The slave cannot execute the program function specified in the request. This code is returned for an unsuccessful program request using functions with numbers 13 or 14. The master must request diagnostic information or error information from the slave. |
| 08 | The slave detected a parity error when reading the extended memory. The master can repeat the request, but usually in such cases repairs are required. |
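
The request and answer for registers # 40108 to 40110 from the protocol description and the error response above can both be checked with one routine. This is an added example, not code from the original article; the names crc16, read_holding_request and parse_reply are chosen for illustration, and the checksum is CRC-16/Modbus (initial value FFFF hex, reflected polynomial A001 hex).

```python
import struct

AO_OFFSET = 40001  # offset of the AO holding-register table


def crc16(data: bytes) -> bytes:
    """CRC-16/Modbus over data, returned in wire order (low byte first)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return struct.pack("<H", crc)


def read_holding_request(slave: int, first_number: int, count: int) -> bytes:
    """Build a function 0x03 request from register numbers such as 40108."""
    body = struct.pack(">BBHH", slave, 0x03, first_number - AO_OFFSET, count)
    return body + crc16(body)


def parse_reply(request: bytes, reply: bytes):
    """Validate an answer against the request it belongs to.

    Returns ("ok", [register values]) or ("exception", error_code) and
    raises ValueError for frames that should be dropped.
    """
    if len(reply) < 5 or crc16(reply[:-2]) != reply[-2:]:
        raise ValueError("short frame or CRC mismatch")
    slave, function = reply[0], reply[1]
    if slave != request[0] or function & 0x7F != request[1]:
        raise ValueError("answer does not match the request")
    if function & 0x80:                  # high-order bit set: error response
        if len(reply) != 5:
            raise ValueError("malformed error response")
        return "exception", reply[2]
    if function not in (0x03, 0x04):
        raise ValueError("only register reads are decoded in this example")
    count = struct.unpack(">H", request[4:6])[0]
    if reply[2] != 2 * count or len(reply) != 5 + 2 * count:
        raise ValueError("byte count does not match the request")
    return "ok", list(struct.unpack(f">{count}H", reply[3:-2]))


if __name__ == "__main__":
    request = read_holding_request(17, 40108, 3)
    print(request.hex(" "))              # 11 03 00 6b 00 03 76 87
    print(parse_reply(request, bytes.fromhex("11 03 06 AE41 5652 4340 49AD")))
    print(parse_reply(bytes.fromhex("0A 01 04 A1 00 01 AC 63"),
                      bytes.fromhex("0A 81 02 B0 53")))
```

The CRC detects transmission errors only and does not authenticate the sender.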


Programs for working with Modbus RTU protocol

The following are the programs that make it easier to work with Modbus.

DCON Utility Pro with support for Modbus RTU, ASCII, DCON.

Modbus Master Tool with support for Modbus RTU, ASCII, TCP.

Modbus TCP client with Modbus TCP support.
