Reference Materials#
Each blog site is missing chapters and sentences, with chaotic formatting and occasional errors, so it is not recommended for reference.
Here is the information from the Modbus Chinese website
MODBUS Protocol Chinese/English Version Preview and Download | Modbus IoT Cloud Platform
More authoritative is the official documentation
MODBUS Application Protocol 1 1 b
And other official documents can be found here
Of course, I am not very satisfied with the official documentation either. To maintain their ancient design architecture, the introduction of each frame segment is not intuitive, and there are also a few typos.
Below is the effective information I have rewritten.
Additionally, there is a library I implemented myself
stbanana/modbusX: modbus protocol support (github.com)
Protocol Features#
Overall Frame Structure#
| Message Header | Address Field | Function Code | Data Field | Check Field | |
|---|---|---|---|---|---|
| RTU | 1 byte (Slave ID) | 1 byte | n bytes variable | 2 bytes (CRC-MB16 for all other content) | |
| TCP | 6 bytes (2 bytes transaction number + 2 bytes protocol identifier - all 0 + 2 bytes total length of subsequent bytes - including Slave ID) | 1 byte (Slave ID) | 1 byte | n bytes variable |
Regarding the message header, it is classified into the address field in the overall model of the official documentation, but the actual total length of bytes includes the Slave ID. This is probably because the overall model was established when only serial protocols were available, and the newly added Modbus TCP had to be compatible with it.
I have directly reclassified it here; it is not standard, but I am happy with it.
Register Attributes#
| RW Attribute | Bit Count | |
|---|---|---|
| Coils (0x01) | Read/Write | 1 bit |
| Discrete Input Registers (0x02) | Read Only | 1 bit |
| Holding Registers (0x03) | Read/Write | 16 bits |
| Input Registers (0x04) | Read Only | 16 bits |
Overall Model#
Use software to abstract a memory structure, where each address holds data of different meanings, similar to how FPGA simulates SRAM. However, not every register address is 16 bits; it can also be 1 bit. The attributes are RO/RW.
RTU Series#
(0x01) Read Coils#
Host Request#
| Address Field | Function Code | Starting Address | Coil Count | Check Field |
|---|---|---|---|---|
| 1 byte | 1 byte | 2 bytes | 2 bytes | 2 bytes (CRC-MB16) |
Slave Response#
| Address Field | Function Code | Byte Count | Coil Status | Check Field |
|---|---|---|---|---|
| 1 byte | 1 byte | 1 byte (calculated Coil Status byte count) | n bytes | 2 bytes (CRC-MB16) |
Example#
Request to read coil data from address 20 to 38; the response address is from low to high, with the final byte padded with 0 in the high position.
[!NOTE]
The final output status bytes for 38-36 are padded with zeros for the remaining 5 bits (up to the high position).
| Request | Response | ||
|---|---|---|---|
| Address Field (Slave ID) | 0x01 | Address Field (Slave ID) | 0x01 |
| Function Code | 0x01 | Function Code | 0x01 |
| Starting Address High 8 bits | 0x00 | Byte Count | 0x03 |
| Starting Address Low 8 bits | 0x13 | Output Status 27-20 | 0xCD |
| Output Count High 8 bits | 0x00 | Output Status 35-28 | 0x6B |
| Output Count Low 8 bits | 0x13 | Output Status 38-36 | 0x05 |
| Check CRC Low 8 bits | 0xA9 | Check CRC Low 8 bits | 0x42 |
| Check CRC High 8 bits | 0xC8 | Check CRC High 8 bits | 0x82 |
(0x02) Read Discrete Input Registers#
Host Request#
| Address Field | Function Code | Starting Address | Discrete Input Count | Check Field |
|---|---|---|---|---|
| 1 byte | 1 byte | 2 bytes | 2 bytes | 2 bytes (CRC-MB16) |
Slave Response#
| Address Field | Function Code | Byte Count | Discrete Input Status | Check Field |
|---|---|---|---|---|
| 1 byte | 1 byte | 1 byte (calculated Discrete Input Status byte count) | n bytes | 2 bytes (CRC-MB16) |
Example#
Request to read discrete input register data from address 197 to 218; the response address is from low to high, with the final byte padded with 0 in the high position.
[!NOTE]
The final input status bytes for 218-213 are padded with zeros for the remaining 2 bits (up to the high position).
| Request | Response | ||
|---|---|---|---|
| Address Field (Slave ID) | 0x01 | Address Field (Slave ID) | 0x01 |
| Function Code | 0x02 | Function Code | 0x02 |
| Starting Address High 8 bits | 0x00 | Byte Count | 0x03 |
| Starting Address Low 8 bits | 0xC4 | Input Status 204-197 | 0xAC |
| Output Count High 8 bits | 0x00 | Input Status 212-205 | 0xDB |
| Output Count Low 8 bits | 0x16 | Input Status 218-213 | 0x35 |
| Check CRC Low 8 bits | 0xB8 | Check CRC Low 8 bits | 0x22 |
| Check CRC High 8 bits | 0x39 | Check CRC High 8 bits | 0x88 |
(0x03) Read Holding Registers#
Host Request#
| Address Field | Function Code | Starting Address | Holding Register Count | Check Field |
|---|---|---|---|---|
| 1 byte | 1 byte | 2 bytes | 2 bytes | 2 bytes (CRC-MB16) |
Slave Response#
| Address Field | Function Code | Byte Count | Holding Register Status | Check Field |
|---|---|---|---|---|
| 1 byte | 1 byte | 1 byte (calculated Holding Register Status byte count) | n bytes | 2 bytes (CRC-MB16) |
Example#
Request to read holding register data from address 108 to 110.
| Request | Response | ||
|---|---|---|---|
| Address Field (Slave ID) | 0x01 | Address Field (Slave ID) | 0x01 |
| Function Code | 0x03 | Function Code | 0x03 |
| Starting Address High 8 bits | 0x00 | Byte Count | 0x06 |
| Starting Address Low 8 bits | 0x6B | Register Value High Byte (108) | 0x02 |
| Register Count High 8 bits | 0x00 | Register Value Low Byte (108) | 0x2B |
| Register Count Low 8 bits | 0x03 | Register Value High Byte (109) | 0x00 |
| Check CRC Low 8 bits | 0x74 | Register Value Low Byte (109) | 0x00 |
| Check CRC High 8 bits | 0x17 | Register Value High Byte (110) | 0x00 |
| Register Value Low Byte (110) | 0x64 | ||
| Check CRC Low 8 bits | 0x05 | ||
| Check CRC High 8 bits | 0x7A |
(0x04) Read Input Registers#
Host Request#
| Address Field | Function Code | Starting Address | Input Register Count | Check Field |
|---|---|---|---|---|
| 1 byte | 1 byte | 2 bytes | 2 bytes | 2 bytes (CRC-MB16) |
Slave Response#
| Address Field | Function Code | Byte Count | Input Register Status | Check Field |
|---|---|---|---|---|
| 1 byte | 1 byte | 1 byte (calculated Input Register Status byte count) | n bytes | 2 bytes (CRC-MB16) |
Example#
Request to read holding register data from address 9 to 10.
| Request | Response | ||
|---|---|---|---|
| Address Field (Slave ID) | 0x01 | Address Field (Slave ID) | 0x01 |
| Function Code | 0x04 | Function Code | 0x04 |
| Starting Address High 8 bits | 0x00 | Byte Count | 0x06 |
| Starting Address Low 8 bits | 0x6B | Register Value High Byte (9) | 0x02 |
| Register Address High 8 bits | 0x00 | Register Value Low Byte (9) | 0x2B |
| Register Address Low 8 bits | 0x03 | Register Value High Byte (10) | 0x00 |
| Check CRC Low 8 bits | 0xC1 | Register Value Low Byte (10) | 0x00 |
| Check CRC High 8 bits | 0xD7 | Check CRC Low 8 bits | 0xF3 |
| Check CRC High 8 bits | 0xF4 |
(0x05) Write Single Coil#
[!NOTE]
When writing a single coil, the output value part only allows FF 00 to indicate ON, and 00 00 to indicate OFF; other values are not valid.
Host Request#
| Address Field | Function Code | Output Address | Output Value | Check Field |
|---|---|---|---|---|
| 1 byte | 1 byte | 2 bytes | 2 bytes | 2 bytes (CRC-MB16) |
Slave Response#
| Address Field | Function Code | Address | Output Value | Check Field |
|---|---|---|---|---|
| 1 byte | 1 byte | 2 bytes | 2 bytes | 2 bytes (CRC-MB16) |
Example#
Request to write the coil data at address 173 to ON.
| Request | Response | ||
|---|---|---|---|
| Address Field (Slave ID) | 0x01 | Address Field (Slave ID) | 0x01 |
| Function Code | 0x05 | Function Code | 0x05 |
| Register Address High 8 bits | 0x00 | Register Address High 8 bits | 0x00 |
| Register Address Low 8 bits | 0xAC | Register Address Low 8 bits | 0xAC |
| Register Value High 8 bits | 0xFF | Register Value High 8 bits | 0xFF |
| Register Value Low 8 bits | 0x00 | Register Value Low 8 bits | 0x00 |
| Check CRC Low 8 bits | 0x4C | Check CRC Low 8 bits | 0x4C |
| Check CRC High 8 bits | 0x1B | Check CRC High 8 bits | 0x1B |
(0x06) Write Single Holding Register#
Host Request#
| Address Field | Function Code | Holding Register Address | Register Value | Check Field |
|---|---|---|---|---|
| 1 byte | 1 byte | 2 bytes | 2 bytes | 2 bytes (CRC-MB16) |
Slave Response#
| Address Field | Function Code | Holding Register Address | Register Value | Check Field |
|---|---|---|---|---|
| 1 byte | 1 byte | 2 bytes | 2 bytes | 2 bytes (CRC-MB16) |
Example#
Request to write the holding register data at address 2 to 0x0003.
| Request | Response | ||
|---|---|---|---|
| Address Field (Slave ID) | 0x01 | Address Field (Slave ID) | 0x01 |
| Function Code | 0x06 | Function Code | 0x06 |
| Register Address High 8 bits | 0x00 | Register Address High 8 bits | 0x00 |
| Register Address Low 8 bits | 0x02 | Register Address Low 8 bits | 0x02 |
| Register Value High 8 bits | 0x00 | Register Value High 8 bits | 0x00 |
| Register Value Low 8 bits | 0x03 | Register Value Low 8 bits | 0x03 |
| Check CRC Low 8 bits | 0x2C | Check CRC Low 8 bits | 0x2C |
| Check CRC High 8 bits | 0x0B | Check CRC High 8 bits | 0x0B |
(0x0F) Write Multiple Coils#
Host Request#
| Address Field | Function Code | Starting Address | Quantity to Set | Byte Count | Set Value | Check Field |
|---|---|---|---|---|---|---|
| 1 byte | 1 byte | 2 bytes | 2 bytes | 1 byte (calculated Set Value byte count) | n bytes | 2 bytes (CRC-MB16) |
Slave Response#
| Address Field | Function Code | Starting Address | Quantity Set | Check Field |
|---|---|---|---|---|
| 1 byte | 1 byte | 2 bytes | 2 bytes | 2 bytes (CRC-MB16) |
Example#
Request to write 10 coils starting from address 20.
[!NOTE]
A total of 2 bytes (16 bits) need to be written, with 6 remaining bits padded with zeros (up to the high position).
| Coil Address | 27 | 26 | 25 | 24 | 23 | 22 | 21 | 20 | — | — | — | — | — | — | 29 | 28 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Corresponding Value | 1 | 1 | 0 | 0 | 1 | 1 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 |
After filling according to the specification, the actual Set Value segment should be 0xCD 0x01.
| Request | Response | ||
|---|---|---|---|
| Address Field (Slave ID) | 0x01 | Address Field (Slave ID) | 0x01 |
| Function Code | 0x0F | Function Code | 0x0F |
| Starting Address High 8 bits | 0x00 | Starting Address High 8 bits | 0x00 |
| Starting Address Low 8 bits | 0x13 | Starting Address Low 8 bits | 0x13 |
| Quantity High 8 bits | 0x00 | Quantity High 8 bits | 0x00 |
| Quantity Low 8 bits | 0x0A | Quantity Low 8 bits | 0x0A |
| Byte Count | 0x02 | Check CRC Low 8 bits | 0x24 |
| Set Value (Addresses 27-20) | 0xCD | Check CRC High 8 bits | 0x09 |
| Set Value (Addresses 29-28) | 0x01 | ||
| Check CRC Low 8 bits | 0x72 | ||
| Check CRC High 8 bits | 0xCB |
(0x10) Write Multiple Holding Registers#
Host Request#
| Address Field | Function Code | Starting Address | Quantity to Set | Byte Count | Set Value | Check Field |
|---|---|---|---|---|---|---|
| 1 byte | 1 byte | 2 bytes | 2 bytes | 1 byte (calculated Set Value byte count) | n bytes | 2 bytes (CRC-MB16) |
Slave Response#
| Address Field | Function Code | Starting Address | Quantity Set | Check Field |
|---|---|---|---|---|
| 1 byte | 1 byte | 2 bytes | 2 bytes | 2 bytes (CRC-MB16) |
Example#
Request to write 4 holding registers starting from address 34.
| Request | Response | ||
|---|---|---|---|
| Address Field (Slave ID) | 0x01 | Address Field (Slave ID) | 0x01 |
| Function Code | 0x10 | Function Code | 0x10 |
| Starting Address High 8 bits | 0x00 | Starting Address High 8 bits | 0x00 |
| Starting Address Low 8 bits | 0x22 | Starting Address Low 8 bits | 0x22 |
| Quantity High 8 bits | 0x00 | Quantity High 8 bits | 0x00 |
| Quantity Low 8 bits | 0x04 | Quantity Low 8 bits | 0x04 |
| Byte Count | 0x08 | Check CRC Low 8 bits | 0x61 |
| Set Value High 8 bits (Address 34) | 0x00 | Check CRC High 8 bits | 0xC0 |
| Set Value Low 8 bits (Address 34) | 0x40 | ||
| Set Value High 8 bits (Address 35) | 0x00 | ||
| Set Value Low 8 bits (Address 35) | 0x24 | ||
| Set Value High 8 bits (Address 36) | 0x00 | ||
| Set Value Low 8 bits (Address 36) | 0x01 | ||
| Set Value High 8 bits (Address 37) | 0xBF | ||
| Set Value Low 8 bits (Address 37) | 0x52 | ||
| Check CRC Low 8 bits | 0x5F | ||
| Check CRC High 8 bits | 0xCC |
Exception Response Frame#
| Address Field | Function Code | Exception Code | Check Field |
|---|---|---|---|
| 1 byte | 1 byte (Function Code + 0x80) | 1 byte | 2 bytes (CRC-MB16) |
| Exception Code | Name | Meaning |
|---|---|---|
| 0x01 | Illegal Function Code | The received request command function code is not allowed. It may be that the function code is not supported or it is in an error state while processing the request. |
| 0x02 | Illegal Data Address | The data address received in the inquiry is not allowed. Specifically, the combination of starting address and transmission length is invalid. For a controller with 100 registers, a request with a starting address of 96 and a length of 4 will succeed, while a request with a starting address of 96 and a length of 5 will produce exception code 0x02. |
| 0x03 | Illegal Data Value | This actually means that the data segment is illegal. For example, an illegal data segment length, or the number of registers written or read does not match the data segment. Note that this does not mean that the register was written with a value outside the expected range; actual write failures (this case is 0x04). |
| 0x04 | Slave Device Failure | An error occurred when the server (or slave) performed the requested operation on the register, such as writing a value outside the expected range. |
| 0x05 | Acknowledge | This is not actually an error, but indicates that a long-running command has been received and processing has begun. |
| 0x06 | Slave Device Busy | The slave is busy processing a long-running command. (When the slave is free, the request that caused this error should be resent.) |
| 0x08 | Memory Parity Error | An attempt was made to read a record file, but a parity error was found in the memory. |
| 0x0A | Gateway Path Unavailable | Used with gateways, indicating that the gateway cannot allocate an internal communication path from input port to output port for processing the request. Usually means the gateway is misconfigured or overloaded. |
| 0x0B | Gateway Target Device Failed to Respond | Used with gateways, indicating that no response was received from the target device. Usually means the device is not on the network. |
TCP Series#
In summary, Modbus TCP is just a wrapper for the previous message header, while removing the CRC check 👍. ==Because the TCP management layer's link transmission is already very robust, while serial transmission is not robust==
The transaction number in the message header will continuously increment when the host (TCP client) initiates a request, and the slave (TCP server) responds to the request with the same transaction number to indicate which request is being processed. Therefore, Modbus TCP inherently supports multiple frame transmissions, and the host will not misunderstand the response 👍.
Personally, I prefer this smooth communication protocol. || Let the physical link layer handle the accuracy of the information; the verification is still necessary ||
(0x01) Read Coils#
Host Request#
| Transaction Number | Protocol Identifier | Total Byte Length | Address Field | Function Code | Starting Address | Coil Count |
|---|---|---|---|---|---|---|
| 2 bytes | 2 bytes (all 0) | 2 bytes (total length of subsequent bytes) | 1 byte | 1 byte | 2 bytes | 2 bytes |
Slave Response#
| Transaction Number | Protocol Identifier | Total Byte Length | Address Field | Function Code | Byte Count | Coil Status |
|---|---|---|---|---|---|---|
| 2 bytes | 2 bytes (all 0) | 2 bytes (total length of subsequent bytes) | 1 byte | 1 byte | 1 byte (calculated Coil Status byte count) | n bytes |
Example#
Request to read coil data from address 20 to 38; the response address is from low to high, with the final byte padded with 0 in the high position.
[!NOTE]
The final output status bytes for 38-36 are padded with zeros for the remaining 5 bits (up to the high position).
| Request | Response | ||
|---|---|---|---|
| Transaction Number High 8 bits | 0x00 | Transaction Number High 8 bits | 0x00 |
| Transaction Number Low 8 bits | 0x01 | Transaction Number Low 8 bits | 0x01 |
| Protocol Identifier 16 bits (all 0) | 0x00 0x00 | Protocol Identifier 16 bits (all 0) | 0x00 0x00 |
| Total Byte Length High 8 bits | 0x00 | Total Byte Length High 8 bits | 0x00 |
| Total Byte Length Low 8 bits | 0x06 | Total Byte Length Low 8 bits | 0x06 |
| Address Field (Slave ID) | 0x01 | Address Field (Slave ID) | 0x01 |
| Function Code | 0x01 | Function Code | 0x01 |
| Starting Address High 8 bits | 0x00 | Byte Count | 0x03 |
| Starting Address Low 8 bits | 0x13 | Output Status 27-20 | 0xCD |
| Output Count High 8 bits | 0x00 | Output Status 35-28 | 0x6B |
| Output Count Low 8 bits | 0x13 | Output Status 38-36 | 0x05 |
Other protocols will not be elaborated on
Other protocols will not be elaborated on
In summary, Modbus TCP is just a wrapper for the previous message header, while removing the CRC check 👍.
This article is synchronized and updated to xLog by Mix Space. The original link is https://www.yono233.cn/posts/shoot/24_7_26_modbus