Modbus_Application_Protocol_V1_1b.pdf

Re: MODBUS Tester - a simple program for testing MODBUS transmission

I see that the Modbus documentation I posted here is attracting much more interest, so I will extend it with a few more documents :) that I use for Modbus and floating-point numbers. Piotrek


Modbus-IDA

MODBUS APPLICATION PROTOCOL SPECIFICATION
V1.1b

CONTENTS

1 Introduction
  1.1 Scope of this document
2 Abbreviations
3 Context
4 General description
  4.1 Protocol description
  4.2 Data Encoding
  4.3 MODBUS Data model
  4.4 MODBUS Addressing model
  4.5 Define MODBUS Transaction
5 Function Code Categories
  5.1 Public Function Code Definition
6 Function codes descriptions
  6.1 01 (0x01) Read Coils
  6.2 02 (0x02) Read Discrete Inputs
  6.3 03 (0x03) Read Holding Registers
  6.4 04 (0x04) Read Input Registers
  6.5 05 (0x05) Write Single Coil
  6.6 06 (0x06) Write Single Register
  6.7 07 (0x07) Read Exception Status (Serial Line only)
  6.8 08 (0x08) Diagnostics (Serial Line only)
    6.8.1 Sub-function codes supported by the serial line devices
    6.8.2 Example and state diagram
  6.9 11 (0x0B) Get Comm Event Counter (Serial Line only)
  6.10 12 (0x0C) Get Comm Event Log (Serial Line only)
  6.11 15 (0x0F) Write Multiple Coils
  6.12 16 (0x10) Write Multiple registers
  6.13 17 (0x11) Report Slave ID (Serial Line only)
  6.14 20 (0x14) Read File Record
  6.15 21 (0x15) Write File Record
  6.16 22 (0x16) Mask Write Register
  6.17 23 (0x17) Read/Write Multiple registers
  6.18 24 (0x18) Read FIFO Queue
  6.19 43 (0x2B) Encapsulated Interface Transport
  6.20 43 / 13 (0x2B / 0x0D) CANopen General Reference Request and Response PDU
  6.21 43 / 14 (0x2B / 0x0E) Read Device Identification
7 MODBUS Exception Responses
Annex A (Informative): MODBUS RESERVED FUNCTION CODES, SUBCODES AND MEI TYPES
Annex B (Informative): CANOPEN GENERAL REFERENCE COMMAND

December 28, 2006
http://www.Modbus-IDA.org

1 Introduction

1.1 Scope of this document

MODBUS is an application layer messaging protocol, positioned at level 7 of the OSI model,
that provides client/server communication between devices connected on different types of
buses or networks.
The industry's serial de facto standard since 1979, MODBUS continues to enable millions of
automation devices to communicate. Today, support for the simple and elegant structure of
MODBUS continues to grow. The Internet community can access MODBUS at a reserved
system port 502 on the TCP/IP stack.
MODBUS is a request/reply protocol and offers services specified by function codes.
MODBUS function codes are elements of MODBUS request/reply PDUs. The objective of this
document is to describe the function codes used within the framework of MODBUS
transactions.
MODBUS is an application layer messaging protocol for client/server communication between
devices connected on different types of buses or networks.
It is currently implemented using:
o TCP/IP over Ethernet. See MODBUS Messaging Implementation Guide V1.0a.
o Asynchronous serial transmission over a variety of media (wire: EIA/TIA-232-E, EIA-422, EIA/TIA-485-A; fiber, radio, etc.)
o MODBUS PLUS, a high speed token passing network.

Figure 1: MODBUS communication stack
(figure not reproduced: the MODBUS application layer sits on Modbus on TCP over TCP, IP, Ethernet II / 802.3 and the Ethernet physical layer; on Master / Slave over an EIA/TIA-232 or EIA/TIA-485 physical layer; on MODBUS+ / HDLC; and on other stacks)

References
1. RFC 791, Internet Protocol, Sep81 DARPA

2 Abbreviations

ADU    Application Data Unit
HDLC   High level Data Link Control
HMI    Human Machine Interface
IETF   Internet Engineering Task Force
I/O    Input/Output
IP     Internet Protocol
MAC    Medium Access Control
MB     MODBUS Protocol
MBAP   MODBUS Application Protocol
PDU    Protocol Data Unit
PLC    Programmable Logic Controller
TCP    Transport Control Protocol

3 Context

The MODBUS protocol allows an easy communication within all types of network
architectures.

Figure 2: Example of MODBUS Network Architecture
(figure not reproduced: PLC, HMI, drive, I/O and other devices on a MODBUS on TCP/IP network, linked through gateways to MODBUS on MB+, MODBUS on RS232 and MODBUS on RS485 segments)

Every type of device (PLC, HMI, Control Panel, Driver, Motion control, I/O Device...) can use
the MODBUS protocol to initiate a remote operation.
The same communication can be done on a serial line as well as on Ethernet TCP/IP
networks. Gateways allow communication between several types of buses or networks using
the MODBUS protocol.

4 General description

4.1 Protocol description

The MODBUS protocol defines a simple protocol data unit (PDU) independent of the
underlying communication layers. The mapping of MODBUS protocol on specific buses or
network can introduce some additional fields on the application data unit (ADU).

Figure 3: General MODBUS frame
(figure not reproduced: ADU = Additional address + Function code + Data + Error check; PDU = Function code + Data)

The MODBUS application data unit is built by the client that initiates a MODBUS transaction.
The function indicates to the server what kind of action to perform. The MODBUS application
protocol establishes the format of a request initiated by a client.
The function code field of a MODBUS data unit is coded in one byte. Valid codes are in the
range of 1 ... 255 decimal (the range 128 - 255 is reserved and used for exception
responses). When a message is sent from a Client to a Server device the function code field
tells the server what kind of action to perform. Function code "0" is not valid.
Sub-function codes are added to some function codes to define multiple actions.
The data field of messages sent from a client to server devices contains additional
information that the server uses to take the action defined by the function code. This can
include items like discrete and register addresses, the quantity of items to be handled, and
the count of actual data bytes in the field.
The data field may be nonexistent (of zero length) in certain kinds of requests, in this case
the server does not require any additional information. The function code alone specifies the
action.
If no error occurs related to the MODBUS function requested in a properly received MODBUS
ADU the data field of a response from a server to a client contains the data requested. If an
error related to the MODBUS function requested occurs, the field contains an exception code
that the server application can use to determine the next action to be taken.
For example a client can read the ON / OFF states of a group of discrete outputs or inputs or
it can read/write the data contents of a group of registers.
When the server responds to the client, it uses the function code field to indicate either a
normal (error-free) response or that some kind of error occurred (called an exception
response). For a normal response, the server simply echoes to the request the original
function code.

Figure 4: MODBUS transaction (error free)
(figure not reproduced: the client initiates a request carrying Function code and Data Request; the server performs the action and initiates the response carrying Function code and Data Response; the client receives the response)

For an exception response, the server returns a code that is equivalent to the original
function code from the request PDU with its most significant bit set to logic 1.

Figure 5: MODBUS transaction (exception response)
(figure not reproduced: the client initiates a request carrying Function code and Data Request; the server detects an error in the action and initiates an error response carrying Exception Function code and Exception code; the client receives the response)

Note: It is desirable to manage a time out in order not to indefinitely wait for an answer which will perhaps
never arrive.

The size of the MODBUS PDU is limited by the size constraint inherited from the first
MODBUS implementation on Serial Line network (max. RS485 ADU = 256 bytes).
Therefore:
MODBUS PDU for serial line communication = 256 - Server address (1 byte) - CRC (2
bytes) = 253 bytes.
Consequently:
RS232 / RS485 ADU = 253 bytes + Server address (1 byte) + CRC (2 bytes) = 256 bytes.
TCP MODBUS ADU = 253 bytes + MBAP (7 bytes) = 260 bytes.
The MODBUS protocol defines three PDUs. They are:
o MODBUS Request PDU, mb_req_pdu
o MODBUS Response PDU, mb_rsp_pdu
o MODBUS Exception Response PDU, mb_excep_rsp_pdu

The mb_req_pdu is defined as:
mb_req_pdu = {function_code, request_data}, where
    function_code = [1 byte] MODBUS function code,
    request_data = [n bytes] This field is function code dependent and usually
                   contains information such as variable references,
                   variable counts, data offsets, sub-function codes etc.

The mb_rsp_pdu is defined as:
mb_rsp_pdu = {function_code, response_data}, where
    function_code = [1 byte] MODBUS function code
    response_data = [n bytes] This field is function code dependent and usually
                    contains information such as variable references,
                    variable counts, data offsets, sub-function codes, etc.

The mb_excep_rsp_pdu is defined as:
mb_excep_rsp_pdu = {exception-function_code, request_data}, where
    exception-function_code = [1 byte] MODBUS function code + 0x80
    exception_code = [1 byte] MODBUS Exception Code Defined in table
                     "MODBUS Exception Codes" (see section 7).
4.2 Data Encoding

o MODBUS uses a 'big-Endian' representation for addresses and data items. This means
  that when a numerical quantity larger than a single byte is transmitted, the most
  significant byte is sent first. So for example

  Register size    value
  16 - bits        0x1234    the first byte sent is 0x12 then 0x34

Note: For more details, see [1].

4.3 MODBUS Data model

MODBUS bases its data model on a series of tables that have distinguishing characteristics.
The four primary tables are:

Primary tables      Object type    Type of       Comments
Discretes Input     Single bit     Read-Only     This type of data can be provided by an I/O system.
Coils               Single bit     Read-Write    This type of data can be alterable by an application program.
Input Registers     16-bit word    Read-Only     This type of data can be provided by an I/O system
Holding Registers   16-bit word    Read-Write    This type of data can be alterable by an application program.

The distinctions between inputs and outputs, and between bit-addressable and word-addressable data items, do not imply any application behavior. It is perfectly acceptable, and
very common, to regard all four tables as overlaying one another, if this is the most natural
interpretation on the target machine in question.
For each of the primary tables, the protocol allows individual selection of 65536 data items,
and the operations of read or write of those items are designed to span multiple consecutive
data items up to a data size limit which is dependent on the transaction function code.
It's obvious that all the data handled via MODBUS (bits, registers) must be located in device
application memory. But physical address in memory should not be confused with data
reference. The only requirement is to link data reference with physical address.
MODBUS logical reference numbers, which are used in MODBUS functions, are unsigned
integer indices starting at zero.
o Implementation examples of MODBUS model

The examples below show two ways of organizing the data in device. There are different
organizations possible, but not all are described in this document. Each device can have its
own organization of the data according to its application.

Example 1: Device having 4 separate blocks
The example below shows data organization in a device having digital and analog, inputs and
outputs. Each block is separate because data from different blocks have no correlation. Each
block is thus accessible with different MODBUS functions.
Figure 6: MODBUS Data Model with separate block
(figure not reproduced: inside the MODBUS server device, a MODBUS request reaches four separate blocks of device application memory through the MODBUS accesses Input Discrete, Coils, Input Registers and Holding Registers)

Example 2: Device having only 1 block
In this example, the device has only 1 data block. The same data can be reached via several
MODBUS functions, either via a 16 bit access or via an access bit.

Figure 7: MODBUS Data Model with only 1 block
(figure not reproduced: inside the MODBUS server device, the MODBUS accesses Input Discrete, Coils, Input Registers and Holding Registers read (R) and write (W) the same single block of device application memory)

4.4 MODBUS Addressing model

The MODBUS application protocol defines precisely PDU addressing rules.
In a MODBUS PDU each data is addressed from 0 to 65535.
It also defines clearly a MODBUS data model composed of 4 blocks that comprises several
elements numbered from 1 to n.
In the MODBUS data Model each element within a data block is numbered from 1 to n.
Afterwards the MODBUS data model has to be bound to the device application (IEC-61131
object, or other application model).
The pre-mapping between the MODBUS data model and the device application is totally
vendor device specific.

Figure 8: MODBUS Addressing model
(figure not reproduced: an application-specific mapping binds the device application to the MODBUS data model; in the MODBUS standard part, Discrete Input 1 is reached with "Read input 0", Coil 5 with "Read coils 4", Input Register 2 with "Read Registers 1" and Holding Register 55 with "Read Registers 54")

The previous figure shows that a MODBUS data numbered X is addressed in the MODBUS
PDU X-1.

4.5 Define MODBUS Transaction

The following state diagram describes the generic processing of a MODBUS transaction in
server side.

Figure 9: MODBUS Transaction state diagram
(figure not reproduced; the steps it shows, in order, after "Wait for a MB indication" and [Receive MB indication]:
1. Validate function code; if invalid, ExceptionCode = 1
2. Validate data address; if invalid, ExceptionCode = 2
3. Validate data value; if invalid, ExceptionCode = 3
4. Execute MB function; if invalid, ExceptionCode = 4, 5, 6
If every step is valid the server sends a Modbus Response, otherwise it sends a Modbus Exception Response.)

Once the request has been processed by a server, a MODBUS response using the
adequate MODBUS server transaction is built.
Depending on the result of the processing two types of response are built:
o A positive MODBUS response:
    the response function code = the request function code
o A MODBUS Exception response (see section 7):
    the objective is to provide to the client relevant information concerning the
    error detected during the processing;
    the exception function code = the request function code + 0x80;
    an exception code is provided to indicate the reason of the error.

5 Function Code Categories

There are three categories of MODBUS Functions codes. They are:

Public Function Codes
o Are well defined function codes,
o guaranteed to be unique,
o validated by the MODBUS-IDA.org community,
o publicly documented
o have available conformance test,
o includes both defined public assigned function codes as well as unassigned function
  codes reserved for future use.

User-Defined Function Codes
o there are two ranges of user-defined function codes, i.e. 65 to 72 and from 100 to
  110 decimal.
o user can select and implement a function code that is not supported by the
  specification.
o there is no guarantee that the use of the selected function code will be unique
o if the user wants to re-position the functionality as a public function code, he must
  initiate an RFC to introduce the change into the public category and to have a new
  public function code assigned.
o MODBUS Organization, Inc expressly reserves the right to develop the proposed
  RFC.

Reserved Function Codes
o Function Codes currently used by some companies for legacy products and that
  are not available for public use.
o Informative Note: The reader is asked to refer to Annex A (Informative) MODBUS
  RESERVED FUNCTION CODES, SUBCODES AND MEI TYPES.

Figure 10: MODBUS Function Code Categories
(figure not reproduced: a scale of function codes from 1 to 127 on which 65 to 72 and 100 to 110 are marked as User Defined Function codes and the ranges below, between and above them as PUBLIC function codes)

5.1 Public Function Code Definition

                                    Function Codes
Function                            code  Sub code  (hex)  Section

Data Access, Bit access, Physical Discrete Inputs
Read Discrete Inputs                02              02     6.2

Data Access, Bit access, Internal Bits Or Physical coils
Read Coils                          01              01     6.1
Write Single Coil                   05              05     6.5
Write Multiple Coils                15              0F     6.11

Data Access, 16 bits access, Physical Input Registers
Read Input Register                 04              04     6.4

Data Access, 16 bits access, Internal Registers Or Physical Output Registers
Read Holding Registers              03              03     6.3
Write Single Register               06              06     6.6
Write Multiple Registers            16              10     6.12
Read/Write Multiple Registers       23              17     6.17
Mask Write Register                 22              16     6.16
Read FIFO queue                     24              18     6.18

Data Access, File record access
Read File record                    20              14     6.14
Write File record                   21              15     6.15

Diagnostics
Read Exception status               07              07     6.7
Diagnostic                          08    00-18,20  08     6.8
Get Com event counter               11              0B     6.9
Get Com Event Log                   12              0C     6.10
Report Slave ID                     17              11     6.13
Read device Identification          43    14        2B     6.21

Other
Encapsulated Interface Transport    43    13,14     2B     6.19
CANopen General Reference           43    13        2B     6.20

6 Function codes descriptions

6.1 01 (0x01) Read Coils

This function code is used to read from 1 to 2000 contiguous status of coils in a remote
device. The Request PDU specifies the starting address, i.e. the address of the first coil
specified, and the number of coils. In the PDU Coils are addressed starting at zero. Therefore
coils numbered 1-16 are addressed as 0-15.
The coils in the response message are packed as one coil per bit of the data field. Status is
indicated as 1= ON and 0= OFF. The LSB of the first data byte contains the output addressed
in the query. The other coils follow toward the high order end of this byte, and from low order
to high order in subsequent bytes.
If the returned output quantity is not a multiple of eight, the remaining bits in the final data
byte will be padded with zeros (toward the high order end of the byte). The Byte Count field
specifies the quantity of complete bytes of data.
Request
Function code        1 Byte     0x01
Starting Address     2 Bytes    0x0000 to 0xFFFF
Quantity of coils    2 Bytes    1 to 2000 (0x7D0)

Response
Function code        1 Byte     0x01
Byte count           1 Byte     N*
Coil Status          n Byte     n = N or N+1

*N = Quantity of Outputs / 8, if the remainder is different of 0 => N = N+1

Error
Function code        1 Byte     Function code + 0x80
Exception code       1 Byte     01 or 02 or 03 or 04

Here is an example of a request to read discrete outputs 20-38:

Request                              Response
Field Name                  (Hex)    Field Name                (Hex)
Function                    01       Function                  01
Starting Address Hi         00       Byte Count                03
Starting Address Lo         13       Outputs status 27-20      CD
Quantity of Outputs Hi      00       Outputs status 35-28      6B
Quantity of Outputs Lo      13       Outputs status 38-36      05

The status of outputs 27-20 is shown as the byte value CD hex, or binary 1100 1101. Output
27 is the MSB of this byte, and output 20 is the LSB.
By convention, bits within a byte are shown with the MSB to the left, and the LSB to the right.
Thus the outputs in the first byte are '27 through 20', from left to right. The next byte has
outputs '35 through 28', left to right. As the bits are transmitted serially, they flow from LSB to
MSB: 20 . . . 27, 28 . . . 35, and so on.
In the last data byte, the status of outputs 38-36 is shown as the byte value 05 hex, or binary
0000 0101. Output 38 is in the sixth bit position from the left, and output 36 is the LSB of this
byte. The five remaining high order bits are zero filled.
Note: The five remaining bits (toward the high order end) are zero filled.

Figure 11: Read Coils state diagram
(figure not reproduced; the checks it shows, in order, once the MB server receives mb_req_pdu:
1. Function code supported, otherwise ExceptionCode = 01
2. 0x0001 <= Quantity of Outputs <= 0x07D0, otherwise ExceptionCode = 03
3. Starting Address == OK AND Starting Address + Quantity of Outputs == OK, otherwise ExceptionCode = 02
4. Request processing: ReadDiscreteOutputs == OK, otherwise ExceptionCode = 04
The MB server then sends mb_rsp, or mb_exception_rsp if a check failed.)

6.2 02 (0x02) Read Discrete Inputs

This function code is used to read from 1 to 2000 contiguous status of discrete inputs in a
remote device. The Request PDU specifies the starting address, i.e. the address of the first
input specified, and the number of inputs. In the PDU Discrete Inputs are addressed starting
at zero. Therefore Discrete inputs numbered 1-16 are addressed as 0-15.
The discrete inputs in the response message are packed as one input per bit of the data field.
Status is indicated as 1= ON; 0= OFF. The LSB of the first data byte contains the input
addressed in the query. The other inputs follow toward the high order end of this byte, and
from low order to high order in subsequent bytes.
If the returned input quantity is not a multiple of eight, the remaining bits in the final data byte
will be padded with zeros (toward the high order end of the byte). The Byte Count field
specifies the quantity of complete bytes of data.
Request
Function code         1 Byte         0x02
Starting Address      2 Bytes        0x0000 to 0xFFFF
Quantity of Inputs    2 Bytes        1 to 2000 (0x7D0)

Response
Function code         1 Byte         0x02
Byte count            1 Byte         N*
Input Status          N* x 1 Byte

*N = Quantity of Inputs / 8 if the remainder is different of 0 => N = N+1

Error
Error code            1 Byte         0x82
Exception code        1 Byte         01 or 02 or 03 or 04

Here is an example of a request to read discrete inputs 197 - 218:

Request                             Response
Field Name                 (Hex)    Field Name                 (Hex)
Function                   02       Function                   02
Starting Address Hi        00       Byte Count                 03
Starting Address Lo        C4       Inputs Status 204-197      AC
Quantity of Inputs Hi      00       Inputs Status 212-205      DB
Quantity of Inputs Lo      16       Inputs Status 218-213      35

The status of discrete inputs 204-197 is shown as the byte value AC hex, or binary 1010
1100. Input 204 is the MSB of this byte, and input 197 is the LSB.
The status of discrete inputs 218-213 is shown as the byte value 35 hex, or binary 0011
0101. Input 218 is in the third bit position from the left, and input 213 is the LSB.
Note: The two remaining bits (toward the high order end) are zero filled.

Figure 12: Read Discrete Inputs state diagram
(figure not reproduced; the checks it shows, in order, once the MB server receives mb_req_pdu:
1. Function code supported, otherwise ExceptionCode = 01
2. 0x0001 <= Quantity of Inputs <= 0x07D0, otherwise ExceptionCode = 03
3. Starting Address == OK AND Starting Address + Quantity of Inputs == OK, otherwise ExceptionCode = 02
4. Request processing: ReadDiscreteInputs == OK, otherwise ExceptionCode = 04
The MB server then sends mb_rsp, or mb_exception_rsp if a check failed.)

6.3 03 (0x03) Read Holding Registers

This function code is used to read the contents of a contiguous block of holding registers in a
remote device. The Request PDU specifies the starting register address and the number of
registers. In the PDU Registers are addressed starting at zero. Therefore registers numbered
1-16 are addressed as 0-15.
The register data in the response message are packed as two bytes per register, with the
binary contents right justified within each byte. For each register, the first byte contains the
high order bits and the second contains the low order bits.
Request
Function code            1 Byte          0x03
Starting Address         2 Bytes         0x0000 to 0xFFFF
Quantity of Registers    2 Bytes         1 to 125 (0x7D)

Response
Function code            1 Byte          0x03
Byte count               1 Byte          2 x N*
Register value           N* x 2 Bytes

*N = Quantity of Registers

Error
Error code               1 Byte          0x83
Exception code           1 Byte          01 or 02 or 03 or 04

Here is an example of a request to read registers 108 - 110:

Request                             Response
Field Name                 (Hex)    Field Name                 (Hex)
Function                   03       Function                   03
Starting Address Hi        00       Byte Count                 06
Starting Address Lo        6B       Register value Hi (108)    02
No. of Registers Hi        00       Register value Lo (108)    2B
No. of Registers Lo        03       Register value Hi (109)    00
                                    Register value Lo (109)    00
                                    Register value Hi (110)    00
                                    Register value Lo (110)    64

The contents of register 108 are shown as the two byte values of 02 2B hex, or 555 decimal.
The contents of registers 109-110 are 00 00 and 00 64 hex, or 0 and 100 decimal,
respectively.
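
A client-side check that a response really answers the Read Holding Registers request it was sent for, including the exception response convention from section 4.1 (function code + 0x80) and the 253-byte PDU limit. This is an added example, not part of the specification; the function and exception class names are hypothetical.

```python
import struct

MAX_PDU = 253  # PDU size limit inherited from the serial line ADU (section 4.1)
READ_HOLDING_REGISTERS = 0x03


class ModbusException(Exception):
    """The server answered with an exception response (function code + 0x80)."""

    def __init__(self, function_code, exception_code):
        super().__init__(
            f"function 0x{function_code:02X} refused, exception code {exception_code:02d}"
        )
        self.function_code = function_code
        self.exception_code = exception_code


class MalformedResponse(Exception):
    """The response cannot belong to the request it claims to answer."""


def read_holding_request(first_register, quantity):
    """Build the request PDU. Register number X is sent as PDU address X-1."""
    if not 1 <= quantity <= 125:
        raise ValueError("quantity of registers must be 1 to 125")
    if first_register < 1 or first_register - 1 + quantity > 65536:
        raise ValueError("register range outside the 65536 addressable items")
    # Big-endian: the most significant byte of each 16-bit field goes first.
    return struct.pack(">BHH", READ_HOLDING_REGISTERS, first_register - 1, quantity)


def parse_read_holding_response(req_pdu, rsp_pdu):
    """Return the register values, or raise if rsp_pdu does not fit req_pdu."""
    function_code, _start, quantity = struct.unpack(">BHH", req_pdu)
    if not 2 <= len(rsp_pdu) <= MAX_PDU:
        raise MalformedResponse("response length outside 2..253 bytes")
    if rsp_pdu[0] == function_code | 0x80:
        # Exception response: exactly function code + exception code.
        if len(rsp_pdu) != 2:
            raise MalformedResponse("exception response must be exactly 2 bytes")
        raise ModbusException(function_code, rsp_pdu[1])
    if rsp_pdu[0] != function_code:
        raise MalformedResponse("function code is not an echo of the request")
    byte_count = rsp_pdu[1]
    if byte_count != 2 * quantity:
        raise MalformedResponse("byte count does not match the quantity requested")
    if len(rsp_pdu) != 2 + byte_count:
        raise MalformedResponse("data field length disagrees with the byte count")
    # Two bytes per register, high order byte first.
    return list(struct.unpack(f">{quantity}H", rsp_pdu[2:]))


def outcome(req_pdu, rsp_pdu):
    """Classify a response as ('ok', values), ('exception', code) or ('malformed', reason)."""
    try:
        return ("ok", parse_read_holding_response(req_pdu, rsp_pdu))
    except ModbusException as exc:
        return ("exception", exc.exception_code)
    except MalformedResponse as exc:
        return ("malformed", str(exc))


if __name__ == "__main__":
    request = read_holding_request(108, 3)  # the request from the example above
    samples = [  # responses constructed for this example, except the first
        "0306022B00000064",  # the response from the example above
        "8302",              # exception response, exception code 02
        "0304022B0000",      # byte count answers a different quantity
        "0306022B0000",      # truncated data field
    ]
    for hex_rsp in samples:
        print(hex_rsp, "->", outcome(request, bytes.fromhex(hex_rsp)))
```
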

Figure 13: Read Holding Registers state diagram
(figure not reproduced; the checks it shows, in order, once the MB server receives mb_req_pdu:
1. Function code supported, otherwise ExceptionCode = 01
2. 0x0001 <= Quantity of Registers <= 0x007D, otherwise ExceptionCode = 03
3. Starting Address == OK AND Starting Address + Quantity of Registers == OK, otherwise ExceptionCode = 02
4. Request processing: ReadMultipleRegisters == OK, otherwise ExceptionCode = 04
The MB server then sends mb_rsp, or mb_exception_rsp if a check failed.)

6.4 04 (0x04) Read Input Registers

This function code is used to read from 1 to 125 contiguous input registers in a remote
device. The Request PDU specifies the starting register address and the number of registers.
In the PDU Registers are addressed starting at zero. Therefore input registers numbered 1-16
are addressed as 0-15.
The register data in the response message are packed as two bytes per register, with the
binary contents right justified within each byte. For each register, the first byte contains the
high order bits and the second contains the low order bits.
Request
Function code                  1 Byte          0x04
Starting Address               2 Bytes         0x0000 to 0xFFFF
Quantity of Input Registers    2 Bytes         0x0001 to 0x007D

Response
Function code                  1 Byte          0x04
Byte count                     1 Byte          2 x N*
Input Registers                N* x 2 Bytes

*N = Quantity of Input Registers

Error
Error code                     1 Byte          0x84
Exception code                 1 Byte          01 or 02 or 03 or 04

Here is an example of a request to read input register 9:

Request                               Response
Field Name                   (Hex)    Field Name           (Hex)
Function                     04       Function             04
Starting Address Hi          00       Byte Count           02
Starting Address Lo          08       Input Reg. 9 Hi      00
Quantity of Input Reg. Hi    00       Input Reg. 9 Lo      0A
Quantity of Input Reg. Lo    01

The contents of input register 9 are shown as the two byte values of 00 0A hex, or 10
decimal.
Figure 14: Read Input Registers state diagram
(figure not reproduced; the checks it shows, in order, once the MB server receives mb_req_pdu:
1. Function code supported, otherwise ExceptionCode = 01
2. 0x0001 <= Quantity of Registers <= 0x007D, otherwise ExceptionCode = 03
3. Starting Address == OK AND Starting Address + Quantity of Registers == OK, otherwise ExceptionCode = 02
4. Request processing: ReadInputRegisters == OK, otherwise ExceptionCode = 04
The MB server then sends mb_rsp, or mb_exception_rsp if a check failed.)

6.5 05 (0x05) Write Single Coil

This function code is used to write a single output to either ON or OFF in a remote device.
The requested ON/OFF state is specified by a constant in the request data field. A value of
FF 00 hex requests the output to be ON. A value of 00 00 requests it to be OFF. All other
values are illegal and will not affect the output.
The Request PDU specifies the address of the coil to be forced. Coils are addressed starting
at zero. Therefore coil numbered 1 is addressed as 0. The requested ON/OFF state is
specified by a constant in the Coil Value field. A value of 0XFF00 requests the coil to be ON.
A value of 0X0000 requests the coil to be off. All other values are illegal and will not affect
the coil.
The normal response is an echo of the request, returned after the coil state has been written.
Request
Function code     1 Byte     0x05
Output Address    2 Bytes    0x0000 to 0xFFFF
Output Value      2 Bytes    0x0000 or 0xFF00

Response
Function code     1 Byte     0x05
Output Address    2 Bytes    0x0000 to 0xFFFF
Output Value      2 Bytes    0x0000 or 0xFF00

Error
Error code        1 Byte     0x85
Exception code    1 Byte     01 or 02 or 03 or 04

Here is an example of a request to write Coil 173 ON:

Request
Field Name           (Hex)
Function             05
Output Address Hi    00
Output Address Lo    AC
Output Value Hi      FF
Output Value Lo      00

Response
Field Name           (Hex)
Function             05
Output Address Hi    00
Output Address Lo    AC
Output Value Hi      FF
Output Value Lo      00

ENTRY: MB Server receives mb_req_pdu
  Function code supported?
    NO:  ExceptionCode = 01
  Output Value == 0x0000 OR 0xFF00?
    NO:  ExceptionCode = 03
  Output Address == OK?
    NO:  ExceptionCode = 02
  Request Processing: WriteSingleOutput == OK?
    NO:  ExceptionCode = 04
    YES: MB Server Sends mb_rsp
  Any ExceptionCode: MB Server Sends mb_exception_rsp
EXIT

Figure 15: Write Single Output state diagram

6.6 06 (0x06) Write Single Register

This function code is used to write a single holding register in a remote device.
The Request PDU specifies the address of the register to be written. Registers are addressed
starting at zero. Therefore register numbered 1 is addressed as 0.
The normal response is an echo of the request, returned after the register contents have
been written.
Request
Function code       1 Byte     0x06
Register Address    2 Bytes    0x0000 to 0xFFFF
Register Value      2 Bytes    0x0000 to 0xFFFF

Response
Function code       1 Byte     0x06
Register Address    2 Bytes    0x0000 to 0xFFFF
Register Value      2 Bytes    0x0000 to 0xFFFF

Error
Error code          1 Byte     0x86
Exception code      1 Byte     01 or 02 or 03 or 04

Here is an example of a request to write register 2 to 00 03 hex:

Request
Field Name             (Hex)
Function               06
Register Address Hi    00
Register Address Lo    01
Register Value Hi      00
Register Value Lo      03

Response
Field Name             (Hex)
Function               06
Register Address Hi    00
Register Address Lo    01
Register Value Hi      00
Register Value Lo      03

ENTRY: MB Server receives mb_req_pdu
  Function code supported?
    NO:  ExceptionCode = 01
  0x0000 <= Register Value <= 0xFFFF?
    NO:  ExceptionCode = 03
  Register Address == OK?
    NO:  ExceptionCode = 02
  Request Processing: WriteSingleRegister == OK?
    NO:  ExceptionCode = 04
    YES: MB Server Sends mb_rsp
  Any ExceptionCode: MB Server Sends mb_exception_rsp
EXIT

Figure 16: Write Single Register state diagram

6.7 07 (0x07) Read Exception Status (Serial Line only)

This function code is used to read the contents of eight Exception Status outputs in a remote
device.
The function provides a simple method for accessing this information, because the Exception
Output references are known (no output reference is needed in the function).
The normal response contains the status of the eight Exception Status outputs. The outputs
are packed into one data byte, with one bit per output. The status of the lowest output
reference is contained in the least significant bit of the byte.
The contents of the eight Exception Status outputs are device specific.
Request
Function code     1 Byte    0x07

Response
Function code     1 Byte    0x07
Output Data       1 Byte    0x00 to 0xFF

Error
Error code        1 Byte    0x87
Exception code    1 Byte    01 or 04

Here is an example of a request to read the exception status:

Request
Field Name     (Hex)
Function       07

Response
Field Name     (Hex)
Function       07
Output Data    6D

In this example, the output data is 6D hex (0110 1101 binary). Left to right, the outputs are
OFF-ON-ON-OFF-ON-ON-OFF-ON. The status is shown from the highest to the lowest
addressed output.
ENTRY: MB Server receives mb_req_pdu
  Function code supported?
    NO:  ExceptionCode = 01
  Request Processing: ReadExceptionStatus == OK?
    NO:  ExceptionCode = 04
    YES: MB Server Sends mb_rsp
  Any ExceptionCode: MB Server Sends mb_exception_rsp
EXIT

Figure 17: Read Exception Status state diagram

6.8 08 (0x08) Diagnostics (Serial Line only)

MODBUS function code 08 provides a series of tests for checking the communication system
between a client (Master) device and a server (Slave), or for checking various internal error
conditions within a server.
The function uses a two-byte sub-function code field in the query to define the type of test to
be performed. The server echoes both the function code and sub-function code in a normal
response. Some of the diagnostics cause data to be returned from the remote device in the
data field of a normal response.
In general, issuing a diagnostic function to a remote device does not affect the running of the
user program in the remote device. User logic, like discrete and registers, is not accessed by
the diagnostics. Certain functions can optionally reset error counters in the remote device.
A server device can, however, be forced into 'Listen Only Mode' in which it will monitor the
messages on the communications system but not respond to them. This can affect the
outcome of your application program if it depends upon any further exchange of data with the
remote device. Generally, the mode is forced to remove a malfunctioning remote device from
the communications system.
The following diagnostic functions are dedicated to serial line devices.
The normal response to the Return Query Data request is to loopback the same data. The
function code and sub-function codes are also echoed.
Request
Function code     1 Byte         0x08
Sub-function      2 Bytes
Data              N x 2 Bytes

Response
Function code     1 Byte         0x08
Sub-function      2 Bytes
Data              N x 2 Bytes

Error
Error code        1 Byte         0x88
Exception code    1 Byte         01 or 03 or 04

6.8.1 Sub-function codes supported by the serial line devices

Here is the list of sub-function codes supported by the serial line devices. Each sub-function
code is then listed with an example of the data field contents that would apply for that
diagnostic.

Sub-function code
Hex     Dec             Name
00      00              Return Query Data
01      01              Restart Communications Option
02      02              Return Diagnostic Register
03      03              Change ASCII Input Delimiter
04      04              Force Listen Only Mode
        05..09          RESERVED
0A      10              Clear Counters and Diagnostic Register
0B      11              Return Bus Message Count
0C      12              Return Bus Communication Error Count
0D      13              Return Bus Exception Error Count
0E      14              Return Slave Message Count
0F      15              Return Slave No Response Count
10      16              Return Slave NAK Count
11      17              Return Slave Busy Count
12      18              Return Bus Character Overrun Count
13      19              RESERVED
14      20              Clear Overrun Counter and Flag
N.A.    21 ... 65535    RESERVED

00 Return Query Data
The data passed in the request data field is to be returned (looped back) in the response. The
entire response message should be identical to the request.

Sub-function    Data Field (Request)    Data Field (Response)
00 00           Any                     Echo Request Data

01 Restart Communications Option
The remote device serial line port must be initialized and restarted, and all of its
communications event counters are cleared. If the port is currently in Listen Only Mode, no
response is returned. This function is the only one that brings the port out of Listen Only
Mode. If the port is not currently in Listen Only Mode, a normal response is returned. This
occurs before the restart is executed.
When the remote device receives the request, it attempts a restart and executes its power-up
confidence tests. Successful completion of the tests will bring the port online.
A request data field contents of FF 00 hex causes the port's Communications Event Log to be
cleared also. Contents of 00 00 leave the log as it was prior to the restart.

Sub-function    Data Field (Request)    Data Field (Response)
00 01           00 00                   Echo Request Data
00 01           FF 00                   Echo Request Data

02 Return Diagnostic Register
The contents of the remote device's 16-bit diagnostic register are returned in the response.

Sub-function    Data Field (Request)    Data Field (Response)
00 02           00 00                   Diagnostic Register Contents

03 Change ASCII Input Delimiter
The character 'CHAR' passed in the request data field becomes the end of message delimiter
for future messages (replacing the default LF character). This function is useful in cases where a
Line Feed is not required at the end of ASCII messages.

Sub-function    Data Field (Request)    Data Field (Response)
00 03           CHAR 00                 Echo Request Data

04 Force Listen Only Mode
Forces the addressed remote device to its Listen Only Mode for MODBUS communications.
This isolates it from the other devices on the network, allowing them to continue
communicating without interruption from the addressed remote device. No response is
returned.
When the remote device enters its Listen Only Mode, all active communication controls are
turned off. The Ready watchdog timer is allowed to expire, locking the controls off. While the
device is in this mode, any MODBUS messages addressed to it or broadcast are monitored,
but no actions will be taken and no responses will be sent.
The only function that will be processed after the mode is entered will be the Restart
Communications Option function (function code 8, sub-function 1).

Sub-function    Data Field (Request)    Data Field (Response)
00 04           00 00                   No Response Returned

10 (0A Hex) Clear Counters and Diagnostic Register
The goal is to clear all counters and the diagnostic register. Counters are also cleared upon
power-up.

Sub-function    Data Field (Request)    Data Field (Response)
00 0A           00 00                   Echo Request Data

11 (0B Hex) Return Bus Message Count
The response data field returns the quantity of messages that the remote device has detected
on the communications system since its last restart, clear counters operation, or power-up.

Sub-function    Data Field (Request)    Data Field (Response)
00 0B           00 00                   Total Message Count

12 (0C Hex) Return Bus Communication Error Count
The response data field returns the quantity of CRC errors encountered by the remote device
since its last restart, clear counters operation, or power-up.

Sub-function    Data Field (Request)    Data Field (Response)
00 0C           00 00                   CRC Error Count

13 (0D Hex) Return Bus Exception Error Count
The response data field returns the quantity of MODBUS exception responses returned by the
remote device since its last restart, clear counters operation, or power-up.
Exception responses are described and listed in section 7.

Sub-function    Data Field (Request)    Data Field (Response)
00 0D           00 00                   Exception Error Count

14 (0E Hex) Return Slave Message Count
The response data field returns the quantity of messages addressed to the remote device, or
broadcast, that the remote device has processed since its last restart, clear counters
operation, or power-up.

Sub-function    Data Field (Request)    Data Field (Response)
00 0E           00 00                   Slave Message Count

15 (0F Hex) Return Slave No Response Count
The response data field returns the quantity of messages addressed to the remote device for
which it has returned no response (neither a normal response nor an exception response),
since its last restart, clear counters operation, or power-up.

Sub-function    Data Field (Request)    Data Field (Response)
00 0F           00 00                   Slave No Response Count

16 (10 Hex) Return Slave NAK Count
The response data field returns the quantity of messages addressed to the remote device for
which it returned a Negative Acknowledge (NAK) exception response, since its last restart,
clear counters operation, or power-up. Exception responses are described and listed in
section 7.

Sub-function    Data Field (Request)    Data Field (Response)
00 10           00 00                   Slave NAK Count

17 (11 Hex) Return Slave Busy Count
The response data field returns the quantity of messages addressed to the remote device for
which it returned a Slave Device Busy exception response, since its last restart, clear
counters operation, or power-up.

Sub-function    Data Field (Request)    Data Field (Response)
00 11           00 00                   Slave Device Busy Count

18 (12 Hex) Return Bus Character Overrun Count
The response data field returns the quantity of messages addressed to the remote device that
it could not handle due to a character overrun condition, since its last restart, clear counters
operation, or power-up. A character overrun is caused by data characters arriving at the port
faster than they can be stored, or by the loss of a character due to a hardware malfunction.

Sub-function    Data Field (Request)    Data Field (Response)
00 12           00 00                   Slave Character Overrun Count

20 (14 Hex) Clear Overrun Counter and Flag
Clears the overrun error counter and resets the error flag.

Sub-function    Data Field (Request)    Data Field (Response)
00 14           00 00                   Echo Request Data

6.8.2 Example and state diagram

Here is an example of a request to remote device to Return Query Data. This uses a sub-function
code of zero (00 00 hex in the two-byte field). The data to be returned is sent in the
two-byte data field (A5 37 hex).

Request
Field Name         (Hex)
Function           08
Sub-function Hi    00
Sub-function Lo    00
Data Hi            A5
Data Lo            37

Response
Field Name         (Hex)
Function           08
Sub-function Hi    00
Sub-function Lo    00
Data Hi            A5
Data Lo            37

The data fields in responses to other kinds of queries could contain error counts or other data
requested by the sub-function code.

ENTRY: MB Server receives mb_req_pdu
  Function code supported AND Subfunction code supported?
    NO:  ExceptionCode = 01
  Data Value == OK?
    NO:  ExceptionCode = 03
  Request Processing: Diagnostic == OK?
    NO:  ExceptionCode = 04
    YES: MB Server Sends mb_rsp
  Any ExceptionCode: MB Server Sends mb_exception_rsp
EXIT

Figure 18: Diagnostic state diagram

6.9 11 (0x0B) Get Comm Event Counter (Serial Line only)

This function code is used to get a status word and an event count from the remote device's
communication event counter.
By fetching the current count before and after a series of messages, a client can determine
whether the messages were handled normally by the remote device.
The device's event counter is incremented once for each successful message completion. It
is not incremented for exception responses, poll commands, or fetch event counter
commands.
The event counter can be reset by means of the Diagnostics function (code 08), with a
sub-function of Restart Communications Option (code 00 01) or Clear Counters and Diagnostic
Register (code 00 0A).
The normal response contains a two-byte status word, and a two-byte event count. The
status word will be all ones (FF FF hex) if a previously-issued program command is still being
processed by the remote device (a busy condition exists). Otherwise, the status word will be
all zeros.
Request
Function code     1 Byte     0x0B

Response
Function code     1 Byte     0x0B
Status            2 Bytes    0x0000 to 0xFFFF
Event Count       2 Bytes    0x0000 to 0xFFFF

Error
Error code        1 Byte     0x8B
Exception code    1 Byte     01 or 04

Here is an example of a request to get the communications event counter in remote device:

Request
Field Name        (Hex)
Function          0B

Response
Field Name        (Hex)
Function          0B
Status Hi         FF
Status Lo         FF
Event Count Hi    01
Event Count Lo    08

In this example, the status word is FF FF hex, indicating that a program function is still in
progress in the remote device. The event count shows that 264 (01 08 hex) events have been
counted by the device.
ENTRY: MB Server receives mb_req_pdu
  Function code supported?
    NO:  ExceptionCode = 01
  Request Processing: GetCommEventCounter == OK?
    NO:  ExceptionCode = 04
    YES: MB Server Sends mb_rsp
  Any ExceptionCode: MB Server Sends mb_exception_rsp
EXIT

Figure 19: Get Comm Event Counter state diagram

6.10 12 (0x0C) Get Comm Event Log (Serial Line only)

This function code is used to get a status word, event count, message count, and a field of
event bytes from the remote device.
The status word and event counts are identical to those returned by the Get Communications
Event Counter function (11, 0B hex).
The message counter contains the quantity of messages processed by the remote device
since its last restart, clear counters operation, or power-up. This count is identical to that
returned by the Diagnostic function (code 08), sub-function Return Bus Message Count (code
11, 0B hex).
The event bytes field contains 0-64 bytes, with each byte corresponding to the status of one
MODBUS send or receive operation for the remote device. The remote device enters the
events into the field in chronological order. Byte 0 is the most recent event. Each new byte
flushes the oldest byte from the field.
The normal response contains a two-byte status word field, a two-byte event count field, a
two-byte message count field, and a field containing 0-64 bytes of events. A byte count field
defines the total length of the data in these four fields.
Request
Function code     1 Byte            0x0C

Response
Function code     1 Byte            0x0C
Byte Count        1 Byte            N*
Status            2 Bytes           0x0000 to 0xFFFF
Event Count       2 Bytes           0x0000 to 0xFFFF
Message Count     2 Bytes           0x0000 to 0xFFFF
Events            (N-6) x 1 Byte

*N = Quantity of Events + 3 x 2 Bytes, (Length of Status, Event Count and Message Count)

Error
Error code        1 Byte            0x8C
Exception code    1 Byte            01 or 04

Here is an example of a request to get the communications event log in remote device:

Request
Field Name          (Hex)
Function            0C

Response
Field Name          (Hex)
Function            0C
Byte Count          08
Status Hi           00
Status Lo           00
Event Count Hi      01
Event Count Lo      08
Message Count Hi    01
Message Count Lo    21
Event 0             20
Event 1             00

In this example, the status word is 00 00 hex, indicating that the remote device is not
processing a program function. The event count shows that 264 (01 08 hex) events have
been counted by the remote device. The message count shows that 289 (01 21 hex)
messages have been processed.
The most recent communications event is shown in the Event 0 byte. Its contents (20 hex)
show that the remote device has most recently entered the Listen Only Mode.
The previous event is shown in the Event 1 byte. Its contents (00 hex) show that the remote
device received a Communications Restart.
The layout of the response's event bytes is described below.

What the Event Bytes Contain
An event byte returned by the Get Communications Event Log function can be any one of four
types. The type is defined by bit 7 (the high-order bit) in each byte. It may be further defined
by bit 6. This is explained below.

o Remote device MODBUS Receive Event
The remote device stores this type of event byte when a query message is received. It
is stored before the remote device processes the message. This event is defined by
bit 7 set to logic '1'. The other bits will be set to a logic '1' if the corresponding
condition is TRUE. The bit layout is:

Bit    Contents
0      Not Used
1      Communication Error
2      Not Used
3      Not Used
4      Character Overrun
5      Currently in Listen Only Mode
6      Broadcast Received
7      1

o Remote device MODBUS Send Event
The remote device stores this type of event byte when it finishes processing a request
message. It is stored if the remote device returned a normal or exception response, or
no response. This event is defined by bit 7 set to a logic '0', with bit 6 set to a '1'. The
other bits will be set to a logic '1' if the corresponding condition is TRUE. The bit
layout is:

Bit    Contents
0      Read Exception Sent (Exception Codes 1-3)
1      Slave Abort Exception Sent (Exception Code 4)
2      Slave Busy Exception Sent (Exception Codes 5-6)
3      Slave Program NAK Exception Sent (Exception Code 7)
4      Write Timeout Error Occurred
5      Currently in Listen Only Mode
6      1
7      0

o Remote device Entered Listen Only Mode
The remote device stores this type of event byte when it enters the Listen Only Mode.
The event is defined by a content of 04 hex.

o Remote device Initiated Communication Restart
The remote device stores this type of event byte when its communications port is
restarted. The remote device can be restarted by the Diagnostics function (code 08),
with sub-function Restart Communications Option (code 00 01).
That function also places the remote device into a 'Continue on Error' or 'Stop on
Error' mode. If the remote device is placed into 'Continue on Error' mode, the event
byte is added to the existing event log. If the remote device is placed into 'Stop on
Error' mode, the byte is added to the log and the rest of the log is cleared to zeros.
The event is defined by a content of zero.
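
A client-side parser for the Get Comm Event Log response and its event bytes, as an added example that is not part of the specification. It checks the byte count against the 0-64 event limit and the actual PDU length before decoding. The function names are this example's own, and accepting both 04 hex (the definition above) and 20 hex (the value in the worked response) as "entered Listen Only Mode" is an assumption of this example.

```python
import struct

# Condition bits from the two layouts above (type-marker bits are left out).
RECEIVE_BITS = {
    1: "Communication Error",
    4: "Character Overrun",
    5: "Currently in Listen Only Mode",
    6: "Broadcast Received",
}
SEND_BITS = {
    0: "Read Exception Sent (Exception Codes 1-3)",
    1: "Slave Abort Exception Sent (Exception Code 4)",
    2: "Slave Busy Exception Sent (Exception Codes 5-6)",
    3: "Slave Program NAK Exception Sent (Exception Code 7)",
    4: "Write Timeout Error Occurred",
    5: "Currently in Listen Only Mode",
}


def decode_event(byte):
    """Classify one event byte as (type, [conditions whose bit is set])."""
    if byte & 0x80:  # bit 7 = 1: receive event
        return "receive", [n for b, n in RECEIVE_BITS.items() if byte >> b & 1]
    if byte & 0x40:  # bit 7 = 0 and bit 6 = 1: send event
        return "send", [n for b, n in SEND_BITS.items() if byte >> b & 1]
    if byte == 0x00:
        return "communication restart", []
    if byte in (0x04, 0x20):  # assumption: accept definition and worked example
        return "entered listen only mode", []
    return "undefined", []


def parse_event_log(pdu):
    """Parse a Get Comm Event Log response PDU (function code 0x0C)."""
    if len(pdu) < 2:
        raise ValueError("PDU too short")
    if pdu[0] == 0x8C:  # error code: function code with the high bit set
        return {"exception": pdu[1]}
    if pdu[0] != 0x0C:
        raise ValueError("not a Get Comm Event Log response")
    byte_count = pdu[1]
    # N = 6 bytes of status and counters plus 0-64 event bytes.
    if not 6 <= byte_count <= 6 + 64:
        raise ValueError("byte count outside 6..70")
    # Never trust the declared length: it must match the bytes received.
    if len(pdu) != 2 + byte_count:
        raise ValueError("byte count does not match PDU length")
    status, event_count, message_count = struct.unpack(">HHH", pdu[2:8])
    return {
        "busy": status == 0xFFFF,
        "event_count": event_count,
        "message_count": message_count,
        "events": [decode_event(b) for b in pdu[8:]],  # index 0 = most recent
    }


if __name__ == "__main__":
    # The worked response from this page: 0C 08 00 00 01 08 01 21 20 00
    print(parse_event_log(bytes.fromhex("0C080000010801212000")))
```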

ENTRY: MB Server receives mb_req_pdu
  Function code supported?
    NO:  ExceptionCode = 01
  Request Processing: GetCommEventLog == OK?
    NO:  ExceptionCode = 04
    YES: MB Server Sends mb_rsp
  Any ExceptionCode: MB Server Sends mb_exception_rsp
EXIT

Figure 20: Get Comm Event Log state diagram

6.11 15 (0x0F) Write Multiple Coils

This function code is used to force each coil in a sequence of coils to either ON or OFF in a
remote device. The Request PDU specifies the coil references to be forced. Coils are
addressed starting at zero. Therefore coil numbered 1 is addressed as 0.
The requested ON/OFF states are specified by contents of the request data field. A logical '1'
in a bit position of the field requests the corresponding output to be ON. A logical '0' requests
it to be OFF.
The normal response returns the function code, starting address, and quantity of coils forced.
Request PDU
Function code          1 Byte         0x0F
Starting Address       2 Bytes        0x0000 to 0xFFFF
Quantity of Outputs    2 Bytes        0x0001 to 0x07B0
Byte Count             1 Byte         N*
Outputs Value          N* x 1 Byte

*N = Quantity of Outputs / 8, if the remainder is different from 0 => N = N+1

Response PDU
Function code          1 Byte         0x0F
Starting Address       2 Bytes        0x0000 to 0xFFFF
Quantity of Outputs    2 Bytes        0x0001 to 0x07B0

Error
Error code             1 Byte         0x8F
Exception code         1 Byte         01 or 02 or 03 or 04

Here is an example of a request to write a series of 10 coils starting at coil 20:
The request data contents are two bytes: CD 01 hex (1100 1101 0000 0001 binary). The
binary bits correspond to the outputs in the following way:

Bit:       1  1  0  0  1  1  0  1     0  0  0  0  0  0  0  1
Output:    27 26 25 24 23 22 21 20    -  -  -  -  -  -  29 28

The first byte transmitted (CD hex) addresses outputs 27-20, with the least significant bit
addressing the lowest output (20) in this set.
The next byte transmitted (01 hex) addresses outputs 29-28, with the least significant bit
addressing the lowest output (28) in this set. Unused bits in the last data byte should be
zero-filled.

Request
Field Name                (Hex)
Function                  0F
Starting Address Hi       00
Starting Address Lo       13
Quantity of Outputs Hi    00
Quantity of Outputs Lo    0A
Byte Count                02
Outputs Value Hi          CD
Outputs Value Lo          01

Response
Field Name                (Hex)
Function                  0F
Starting Address Hi       00
Starting Address Lo       13
Quantity of Outputs Hi    00
Quantity of Outputs Lo    0A

ENTRY: MB Server receives mb_req_pdu
  Function code supported?
    NO:  ExceptionCode = 01
  0x0001 <= Quantity of Outputs <= 0x07B0 AND Byte Count = N*?
    NO:  ExceptionCode = 03
  Starting Address == OK AND Starting Address + Quantity of Outputs == OK?
    NO:  ExceptionCode = 02
  Request Processing: WriteMultipleOutputs == OK?
    NO:  ExceptionCode = 04
    YES: MB Server Sends mb_rsp
  Any ExceptionCode: MB Server Sends mb_exception_rsp
EXIT

*N = Quantity of Outputs / 8, if the remainder is different from 0 => N = N+1

Figure 21: Write Multiple Outputs state diagram

6.12 16 (0x10) Write Multiple registers

This function code is used to write a block of contiguous registers (1 to 123 registers) in a
remote device.
The requested written values are specified in the request data field. Data is packed as two
bytes per register.
The normal response returns the function code, starting address, and quantity of registers
written.
Request
Function code            1 Byte          0x10
Starting Address         2 Bytes         0x0000 to 0xFFFF
Quantity of Registers    2 Bytes         0x0001 to 0x007B
Byte Count               1 Byte          2 x N*
Registers Value          N* x 2 Bytes    value

*N = Quantity of Registers

Response
Function code            1 Byte          0x10
Starting Address         2 Bytes         0x0000 to 0xFFFF
Quantity of Registers    2 Bytes         1 to 123 (0x7B)

Error
Error code               1 Byte          0x90
Exception code           1 Byte          01 or 02 or 03 or 04

Here is an example of a request to write two registers starting at 2 to 00 0A and 01 02 hex:

Request
Field Name                  (Hex)
Function                    10
Starting Address Hi         00
Starting Address Lo         01
Quantity of Registers Hi    00
Quantity of Registers Lo    02
Byte Count                  04
Registers Value Hi          00
Registers Value Lo          0A
Registers Value Hi          01
Registers Value Lo          02

Response
Field Name                  (Hex)
Function                    10
Starting Address Hi         00
Starting Address Lo         01
Quantity of Registers Hi    00
Quantity of Registers Lo    02

ENTRY: MB Server receives mb_req_pdu
  Function code supported?
    NO:  ExceptionCode = 01
  0x0001 <= Quantity of Registers <= 0x007B AND Byte Count == Quantity of Registers x 2?
    NO:  ExceptionCode = 03
  Starting Address == OK AND Starting Address + Quantity of Registers == OK?
    NO:  ExceptionCode = 02
  Request Processing: WriteMultipleRegisters == OK?
    NO:  ExceptionCode = 04
    YES: MB Server Sends mb_rsp
  Any ExceptionCode: MB Server Sends mb_exception_rsp
EXIT

Figure 22: Write Multiple Registers state diagram
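
The request checks from the state diagrams for function codes 04, 05, 06, 0F and 10, applied in the order the figures give them (01, then 03, then 02), as an added example that is not part of the specification. The table sizes, the function names, and the choice to answer a truncated or over-long PDU with exception 03 are assumptions of this example.

```python
import struct

# Exception codes used by the state diagrams on this page.
ILLEGAL_FUNCTION, ILLEGAL_DATA_ADDRESS, ILLEGAL_DATA_VALUE = 0x01, 0x02, 0x03

# Assumed device map (not from the page): number of items the server exposes.
N_INPUT_REGS, N_COILS, N_HOLDING_REGS = 32, 256, 64

SUPPORTED = (0x04, 0x05, 0x06, 0x0F, 0x10)


def exception_rsp(function_code, code):
    """Build mb_exception_rsp: error code (function code + 0x80), exception code."""
    return bytes([function_code | 0x80, code])


def validate_request(pdu):
    """Return None when the request may be processed, else the exception PDU.

    Checks run in the order of the state diagrams: function code (01),
    data value (03), then address range (02).
    """
    if not pdu:
        raise ValueError("empty PDU carries no function code to answer")
    fc = pdu[0]
    if fc not in SUPPORTED:
        return exception_rsp(fc, ILLEGAL_FUNCTION)
    if len(pdu) < 5:  # assumption: a truncated request is a data-value error
        return exception_rsp(fc, ILLEGAL_DATA_VALUE)
    address, arg = struct.unpack(">HH", pdu[1:5])

    if fc in (0x04, 0x05, 0x06):
        if len(pdu) != 5:  # assumption: trailing bytes are rejected
            return exception_rsp(fc, ILLEGAL_DATA_VALUE)
        if fc == 0x04:  # arg is Quantity of Input Registers
            value_ok = 0x0001 <= arg <= 0x007D
            address_ok = address + arg <= N_INPUT_REGS
        elif fc == 0x05:  # arg is Output Value: only the two constants are legal
            value_ok = arg in (0x0000, 0xFF00)
            address_ok = address < N_COILS
        else:  # 0x06: any 16-bit register value is legal
            value_ok = True
            address_ok = address < N_HOLDING_REGS
    else:
        if len(pdu) < 6:
            return exception_rsp(fc, ILLEGAL_DATA_VALUE)
        byte_count = pdu[5]
        if fc == 0x0F:  # N = Quantity of Outputs / 8, rounded up
            max_qty, expected, table = 0x07B0, (arg + 7) // 8, N_COILS
        else:  # 0x10: two bytes per register
            max_qty, expected, table = 0x007B, arg * 2, N_HOLDING_REGS
        # The byte count must agree with the quantity AND with the bytes
        # actually present, so a handler never copies past the received data.
        value_ok = (1 <= arg <= max_qty and byte_count == expected
                    and len(pdu) == 6 + byte_count)
        address_ok = address + arg <= table

    if not value_ok:
        return exception_rsp(fc, ILLEGAL_DATA_VALUE)
    if not address_ok:
        return exception_rsp(fc, ILLEGAL_DATA_ADDRESS)
    return None


if __name__ == "__main__":
    # Write Multiple Coils example from this page, then a copy whose byte
    # count no longer matches the data that follows (constructed).
    for sample in ("0F0013000A02CD01", "0F0013000A02CD"):
        print(sample, validate_request(bytes.fromhex(sample)))
```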

6.13 17 (0x11) Report Slave ID (Serial Line only)

This function code is used to read the description of the type, the current status, and other
information specific to a remote device.
The format of a normal response is shown in the following example. The data contents are
specific to each type of device.
Request
Function code           1 Byte             0x11

Response
Function code           1 Byte             0x11
Byte Count              1 Byte
Slave ID                device specific
Run Indicator Status    1 Byte             0x00 = OFF, 0xFF = ON
Additional Data

Error
Error code              1 Byte             0x91
Exception code          1 Byte             01 or 04

Here is an example of a request to report the ID and status:

Request
Field Name              (Hex)
Function                11

Response
Field Name              (Hex)
Function                11
Byte Count              Device Specific
Slave ID                Device Specific
Run Indicator Status    0x00 or 0xFF
Additional Data         Device Specific

ENTRY: MB Server receives mb_req_pdu
  Function code supported?
    NO:  ExceptionCode = 01
  Request Processing: ReportSlaveID == OK?
    NO:  ExceptionCode = 04
    YES: MB Server Sends mb_rsp
  Any ExceptionCode: MB Server Sends mb_exception_rsp
EXIT

Figure 23: Report slave ID state diagram

6.14 20 (0x14) Read File Record

This function code is used to perform a file record read. All Request Data Lengths are
provided in terms of number of bytes and all Record Lengths are provided in terms of
registers.
A file is an organization of records. Each file contains 10000 records, addressed 0000 to
9999 decimal or 0X0000 to 0X270F. For example, record 12 is addressed as 12.
The function can read multiple groups of references. The groups can be separate
(non-contiguous), but the references within each group must be sequential.
Each group is defined in a separate 'sub-request' field that contains 7 bytes:
  The reference type: 1 byte (must be specified as 6)
  The File number: 2 bytes
  The starting record number within the file: 2 bytes
  The length of the record to be read: 2 bytes.
The quantity of registers to be read, combined with all other fields in the expected response,
must not exceed the allowable length of the MODBUS PDU: 253 bytes.
The normal response is a series of 'sub-responses', one for each 'sub-request'. The byte
count field is the total combined count of bytes in all 'sub-responses'. In addition, each
'sub-response' contains a field that shows its own byte count.
Request
Function code                    1 Byte         0x14
Byte Count                       1 Byte         0x07 to 0xF5 bytes
Sub-Req. x, Reference Type       1 Byte         06
Sub-Req. x, File Number          2 Bytes        0x0001 to 0xFFFF
Sub-Req. x, Record Number        2 Bytes        0x0000 to 0x270F
Sub-Req. x, Record Length        2 Bytes        N
Sub-Req. x+1, ...

Response
Function code                    1 Byte         0x14
Resp. data Length                1 Byte         0x07 to 0xF5
Sub-Req. x, File Resp. length    1 Byte         0x07 to 0xF5
Sub-Req. x, Reference Type       1 Byte         6
Sub-Req. x, Record Data          N x 2 Bytes
Sub-Req. x+1, ...

Error
Error code                       1 Byte         0x94
Exception code                   1 Byte         01 or 02 or 03 or 04 or 08


While it is allowed for the File Number to be in the range 1 to 0xFFFF, it should be noted that
interoperability with legacy equipment may be compromised if the File Number is greater than
10 (0x0A).
Here is an example of a request to read two groups of references from remote device:
  Group 1 consists of two registers from file 4, starting at register 1 (address 0001).
  Group 2 consists of two registers from file 3, starting at register 9 (address 0009).

Request
Field Name                       (Hex)
Function                         14
Byte Count                       0E
Sub-Req. 1, Ref. Type            06
Sub-Req. 1, File Number Hi       00
Sub-Req. 1, File Number Lo       04
Sub-Req. 1, Record number Hi     00
Sub-Req. 1, Record number Lo     01
Sub-Req. 1, Record Length Hi     00
Sub-Req. 1, Record Length Lo     02
Sub-Req. 2, Ref. Type            06
Sub-Req. 2, File Number Hi       00
Sub-Req. 2, File Number Lo       03
Sub-Req. 2, Record number Hi     00
Sub-Req. 2, Record number Lo     09
Sub-Req. 2, Record Length Hi     00
Sub-Req. 2, Record Length Lo     02

Response
Field Name                       (Hex)
Function                         14
Resp. Data length                0C
Sub-Req. 1, File resp. length    05
Sub-Req. 1, Ref. Type            06
Sub-Req. 1, Register.Data Hi     0D
Sub-Req. 1, Register.Data Lo     FE
Sub-Req. 1, Register.Data Hi     00
Sub-Req. 1, Register.Data Lo     20
Sub-Req. 2, File resp. length    05
Sub-Req. 2, Ref. Type            06
Sub-Req. 2, Register.Data Hi     33
Sub-Req. 2, Register.Data Lo     CD
Sub-Req. 2, Register.Data Hi     00
Sub-Req. 2, Register.Data Lo     40
ENTRY: MB Server receives mb_req_pdu
  Function code supported?
    NO:  ExceptionCode = 01
  0x07 <= Byte Count <= 0xF5?
    NO:  ExceptionCode = 03
  For each Sub-Req: Reference Type == OK AND File Number == OK AND Record number == OK
  AND Starting Address + Register length == OK?
    NO:  ExceptionCode = 02
  Request Processing: ReadGeneralReference == OK?
    NO:  ExceptionCode = 04
    YES: MB Server Sends mb_rsp
  Any ExceptionCode: MB Server Sends mb_exception_rsp
EXIT

Figure 24: Read File Record state diagram

6.15 21 (0x15) Write File Record

This function code is used to perform a file record write. All Request Data Lengths are
provided in terms of number of bytes and all Record Lengths are provided in terms of the
number of 16-bit words.
A file is an organization of records. Each file contains 10000 records, addressed 0000 to
9999 decimal or 0X0000 to 0X270F. For example, record 12 is addressed as 12.
The function can write multiple groups of references. The groups can be separate, i.e.
non-contiguous, but the references within each group must be sequential.
Each group is defined in a separate 'sub-request' field that contains 7 bytes plus the data:
  The reference type: 1 byte (must be specified as 6)
  The file number: 2 bytes
  The starting record number within the file: 2 bytes
  The length of the record to be written: 2 bytes
  The data to be written: 2 bytes per register.
The quantity of registers to be written, combined with all other fields in the request, must not
exceed the allowable length of the MODBUS PDU: 253 bytes.
The normal response is an echo of the request.
Request
Function code                   1 Byte         0x15
Request data length             1 Byte         0x09 to 0xFB
Sub-Req. x, Reference Type      1 Byte         06
Sub-Req. x, File Number         2 Bytes        0x0001 to 0xFFFF
Sub-Req. x, Record Number       2 Bytes        0x0000 to 0x270F
Sub-Req. x, Record length       2 Bytes        N
Sub-Req. x, Record data         N x 2 Bytes
Sub-Req. x+1, ...

Response
Function code                   1 Byte         0x15
Response Data length            1 Byte         0x09 to 0xFB
Sub-Req. x, Reference Type      1 Byte         06
Sub-Req. x, File Number         2 Bytes        0x0001 to 0xFFFF
Sub-Req. x, Record number       2 Bytes        0x0000 to 0x270F
Sub-Req. x, Record length       2 Bytes        N
Sub-Req. x, Record Data         N x 2 Bytes
Sub-Req. x+1, ...

Error
Error code                      1 Byte         0x95
Exception code                  1 Byte         01 or 02 or 03 or 04 or 08

While it is allowed for the File Number to be in the range 1 to 0xFFFF, it should be noted that
interoperability with legacy equipment may be compromised if the File Number is greater than
10 (0x0A).
Here is an example of a request to write one group of references into remote device:
The group consists of three registers in file 4, starting at register 7 (address 0007).
Request
Field Name                          (Hex)
Function                            15
Request Data length                 0D
Sub-Req. 1, Ref. Type               06
Sub-Req. 1, File Number Hi          00
Sub-Req. 1, File Number Lo          04
Sub-Req. 1, Record number Hi        00
Sub-Req. 1, Record number Lo        07
Sub-Req. 1, Record length Hi        00
Sub-Req. 1, Record length Lo        03
Sub-Req. 1, Register Data Hi        06
Sub-Req. 1, Register Data Lo        AF
Sub-Req. 1, Register Data Hi        04
Sub-Req. 1, Register Data Lo        BE
Sub-Req. 1, Register Data Hi        10
Sub-Req. 1, Register Data Lo        0D

Response
Field Name                          (Hex)
Function                            15
Request Data length                 0D
Sub-Req. 1, Ref. Type               06
Sub-Req. 1, File Number Hi          00
Sub-Req. 1, File Number Lo          04
Sub-Req. 1, Record number Hi        00
Sub-Req. 1, Record number Lo        07
Sub-Req. 1, Record length Hi        00
Sub-Req. 1, Record length Lo        03
Sub-Req. 1, Register Data Hi        06
Sub-Req. 1, Register Data Lo        AF
Sub-Req. 1, Register Data Hi        04
Sub-Req. 1, Register Data Lo        BE
Sub-Req. 1, Register Data Hi        10
Sub-Req. 1, Register Data Lo        0D
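The Write File Record request layout and limits above, checked the way a server has to check them before it touches a file. This is an added example, not code from the specification; `known_files`, `Reject` and the function names are assumptions made for illustration.

```python
import struct

EXC_FUNCTION, EXC_ADDRESS, EXC_VALUE = 0x01, 0x02, 0x03
MAX_PDU = 253             # PDU limit stated in the text
RECORDS_PER_FILE = 10000  # records 0x0000 to 0x270F


class Reject(Exception):
    """Carries the MODBUS exception code to send back."""
    def __init__(self, code):
        super().__init__(f"exception code {code:02X}")
        self.code = code


def parse_write_file_record(pdu, known_files):
    """Validate a function 0x15 request; return [(file, record, [words])].

    known_files is a hypothetical set of file numbers the device holds.
    """
    if not pdu or pdu[0] != 0x15:
        raise Reject(EXC_FUNCTION)
    if len(pdu) < 2 or len(pdu) > MAX_PDU:
        raise Reject(EXC_VALUE)
    data_len = pdu[1]
    # The length byte must lie in the table's range AND match what arrived;
    # trusting it alone lets a sender point the parser past the buffer.
    if not 0x09 <= data_len <= 0xFB or data_len != len(pdu) - 2:
        raise Reject(EXC_VALUE)

    groups, pos, end = [], 2, len(pdu)
    while pos < end:
        if end - pos < 7:                      # truncated sub-request header
            raise Reject(EXC_VALUE)
        ref_type, file_no, record_no, words = struct.unpack_from(">BHHH", pdu, pos)
        pos += 7
        if words * 2 > end - pos:              # record length is in 16-bit words
            raise Reject(EXC_VALUE)
        if ref_type != 6 or file_no not in known_files:
            raise Reject(EXC_ADDRESS)
        if record_no + words > RECORDS_PER_FILE:
            raise Reject(EXC_ADDRESS)
        groups.append((file_no, record_no,
                       list(struct.unpack_from(f">{words}H", pdu, pos))))
        pos += words * 2
    return groups


def handle_write_file_record(pdu, known_files):
    """Response PDU: echo of the request, or error code 0x95 + exception code."""
    try:
        parse_write_file_record(pdu, known_files)
    except Reject as exc:
        return bytes([0x95, exc.code])
    return bytes(pdu)


# Request bytes from the example above: three registers to file 4, record 7.
EXAMPLE = bytes.fromhex("150D0600040007000306AF04BE100D")

if __name__ == "__main__":
    print(parse_write_file_record(EXAMPLE, {4}))
    inflated = bytearray(EXAMPLE)
    inflated[8] = 0x40                         # constructed: claims 64 words
    print(handle_write_file_record(inflated, {4}).hex())   # 9503
```

A record length that claims more data than the PDU carries is answered with exception 03, and a reference type other than 6, an unknown file or a record range that runs past record 9999 with exception 02.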

ENTRY: MB Server receives mb_req_pdu
1. Function code supported? NO: ExceptionCode = 01
2. 0x07 <= Byte Count <= 0xF5? NO: ExceptionCode = 03
3. For each Sub-Req: Reference Type == OK AND File Number == OK AND Record number == OK AND Starting Address + Register length == OK? NO: ExceptionCode = 02
4. Request Processing: WriteGeneralReference == OK? NO: ExceptionCode = 04
YES at every step: MB Server Sends mb_rsp
Any ExceptionCode: MB Server Sends mb_exception_rsp
EXIT

Figure 25: Write File Record state diagram

6.16 22 (0x16) Mask Write Register

This function code is used to modify the contents of a specified holding register using a
combination of an AND mask, an OR mask, and the register's current contents. The function
can be used to set or clear individual bits in the register.
The request specifies the holding register to be written, the data to be used as the AND
mask, and the data to be used as the OR mask. Registers are addressed starting at zero.
Therefore registers 1-16 are addressed as 0-15.
The function's algorithm is:
Result = (Current Contents AND And_Mask) OR (Or_Mask AND (NOT And_Mask))
For example:
                      Hex    Binary
Current Contents =    12     0001 0010
And_Mask =            F2     1111 0010
Or_Mask =             25     0010 0101

(NOT And_Mask) =      0D     0000 1101

Result =              17     0001 0111

Note:
If the Or_Mask value is zero, the result is simply the logical ANDing of the current contents and
And_Mask. If the And_Mask value is zero, the result is equal to the Or_Mask value.
The contents of the register can be read with the Read Holding Registers function (function code 03).
They could, however, be changed subsequently as the controller scans its user logic program.

The normal response is an echo of the request. The response is returned after the register
has been written.
Request
Function code           1 Byte     0x16
Reference Address       2 Bytes    0x0000 to 0xFFFF
And_Mask                2 Bytes    0x0000 to 0xFFFF
Or_Mask                 2 Bytes    0x0000 to 0xFFFF

Response
Function code           1 Byte     0x16
Reference Address       2 Bytes    0x0000 to 0xFFFF
And_Mask                2 Bytes    0x0000 to 0xFFFF
Or_Mask                 2 Bytes    0x0000 to 0xFFFF

Error
Error code              1 Byte     0x96
Exception code          1 Byte     01 or 02 or 03 or 04

Here is an example of a Mask Write to register 5 in remote device, using the above mask
values.

Request
Field Name                  (Hex)
Function                    16
Reference address Hi        00
Reference address Lo        04
And_Mask Hi                 00
And_Mask Lo                 F2
Or_Mask Hi                  00
Or_Mask Lo                  25

Response
Field Name                  (Hex)
Function                    16
Reference address Hi        00
Reference address Lo        04
And_Mask Hi                 00
And_Mask Lo                 F2
Or_Mask Hi                  00
Or_Mask Lo                  25

ENTRY: MB Server receives mb_req_pdu
1. Function code supported? NO: ExceptionCode = 01
2. Reference Address == OK? NO: ExceptionCode = 02
3. AND_Mask == OK AND OR_Mask == OK? NO: ExceptionCode = 03
4. Request Processing: MaskWriteRegister == OK? NO: ExceptionCode = 04
YES at every step: MB Server Sends mb_rsp
Any ExceptionCode: MB Server Sends mb_exception_rsp
EXIT

Figure 26: Mask Write Holding Register state diagram

6.17 23 (0x17) Read/Write Multiple registers

This function code performs a combination of one read operation and one write operation in a
single MODBUS transaction. The write operation is performed before the read.
Holding registers are addressed starting at zero. Therefore holding registers 1-16 are
addressed in the PDU as 0-15.
The request specifies the starting address and number of holding registers to be read as well
as the starting address, number of holding registers, and the data to be written. The byte
count specifies the number of bytes to follow in the write data field.
The normal response contains the data from the group of registers that were read. The byte
count field specifies the quantity of bytes to follow in the read data field.
Request
Function code               1 Byte          0x17
Read Starting Address       2 Bytes         0x0000 to 0xFFFF
Quantity to Read            2 Bytes         0x0001 to 0x007D
Write Starting Address      2 Bytes         0x0000 to 0xFFFF
Quantity to Write           2 Bytes         0x0001 to 0x0079
Write Byte Count            1 Byte          2 x N*
Write Registers Value       N* x 2 Bytes
*N = Quantity to Write

Response
Function code               1 Byte          0x17
Byte Count                  1 Byte          2 x N'*
Read Registers value        N'* x 2 Bytes
*N' = Quantity to Read

Error
Error code                  1 Byte          0x97
Exception code              1 Byte          01 or 02 or 03 or 04

Here is an example of a request to read six registers starting at register 4, and to write three
registers starting at register 15:

Request
Field Name                      (Hex)
Function                        17
Read Starting Address Hi        00
Read Starting Address Lo        03
Quantity to Read Hi             00
Quantity to Read Lo             06
Write Starting Address Hi       00
Write Starting address Lo       0E
Quantity to Write Hi            00
Quantity to Write Lo            03
Write Byte Count                06
Write Registers Value Hi        00
Write Registers Value Lo        FF
Write Registers Value Hi        00
Write Registers Value Lo        FF
Write Registers Value Hi        00
Write Registers Value Lo        FF

Response
Field Name                      (Hex)
Function                        17
Byte Count                      0C
Read Registers value Hi         00
Read Registers value Lo         FE
Read Registers value Hi         0A
Read Registers value Lo         CD
Read Registers value Hi         00
Read Registers value Lo         01
Read Registers value Hi         00
Read Registers value Lo         03
Read Registers value Hi         00
Read Registers value Lo         0D
Read Registers value Hi         00
Read Registers value Lo         FF
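Server-side handling of the two register functions described above, Mask Write Register (0x16) and Read/Write Multiple registers (0x17), with every length and range field checked before any register is changed. This is an added example, not code from the specification; the register bank as a Python list and the function names are assumptions.

```python
import struct

EXC_ADDRESS, EXC_VALUE = 0x02, 0x03


def exception(function_code, code):
    """Exception response: function code with its MSB set, then the code."""
    return bytes([function_code | 0x80, code])


def mask_write_register(regs, pdu):
    """Function 0x16 on a register bank held as a list of 16-bit ints."""
    if len(pdu) != 7:                          # function + address + two masks
        return exception(0x16, EXC_VALUE)
    addr, and_mask, or_mask = struct.unpack_from(">HHH", pdu, 1)
    if addr >= len(regs):
        return exception(0x16, EXC_ADDRESS)
    # Result = (Current AND And_Mask) OR (Or_Mask AND (NOT And_Mask))
    regs[addr] = (regs[addr] & and_mask) | (or_mask & ~and_mask & 0xFFFF)
    return bytes(pdu)                          # normal response echoes the request


def read_write_multiple(regs, pdu):
    """Function 0x17: validate everything, then write, then read."""
    if len(pdu) < 10:
        return exception(0x17, EXC_VALUE)
    r_addr, r_qty, w_addr, w_qty, byte_count = struct.unpack_from(">HHHHB", pdu, 1)
    # Quantities, the byte count and the bytes actually received must agree.
    if not (1 <= r_qty <= 0x7D and 1 <= w_qty <= 0x79
            and byte_count == w_qty * 2 and len(pdu) == 10 + byte_count):
        return exception(0x17, EXC_VALUE)
    # Start + quantity is summed without 16-bit wrap-around; in C this sum
    # needs a type wider than uint16_t or 0xFFFF + 2 passes the check.
    if r_addr + r_qty > len(regs) or w_addr + w_qty > len(regs):
        return exception(0x17, EXC_ADDRESS)
    regs[w_addr:w_addr + w_qty] = struct.unpack_from(f">{w_qty}H", pdu, 10)
    data = struct.pack(f">{r_qty}H", *regs[r_addr:r_addr + r_qty])
    return bytes([0x17, len(data)]) + data


# Request bytes from the two examples above.
MASK_REQ = bytes.fromhex("16000400F20025")
RW_REQ = bytes.fromhex("1700030006000E00030600FF00FF00FF")

if __name__ == "__main__":
    bank = [0] * 32                            # constructed 32-register device
    bank[4] = 0x0012
    mask_write_register(bank, MASK_REQ)
    print(f"{bank[4]:04X}")                    # 0017
    bank[3:9] = [0x00FE, 0x0ACD, 0x0001, 0x0003, 0x000D, 0x00FF]
    print(read_write_multiple(bank, RW_REQ).hex())
```

Because the write is applied before the read, a request whose read range overlaps its write range gets the newly written values back, and a rejected request leaves the bank untouched.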

ENTRY: MB Server receives mb_req_pdu
1. Function code supported? NO: ExceptionCode = 01
2. 0x0001 <= Quantity of Read <= 0x007D AND 0x0001 <= Quantity of Write <= 0x0079 AND Byte Count == Quantity of Write x 2? NO: ExceptionCode = 03
3. Read Starting Address == OK AND Read Starting Address + Quantity of Read == OK AND Write Starting Address == OK AND Write Starting Address + Quantity of Write == OK? NO: ExceptionCode = 02
4. Request Processing (Write operation before read operation): Read/WriteMultipleRegisters == OK? NO: ExceptionCode = 04
YES at every step: MB Server Sends mb_rsp
Any ExceptionCode: MB Server Sends mb_exception_rsp
EXIT

Figure 27: Read/Write Multiple Registers state diagram

6.18 24 (0x18) Read FIFO Queue

This function code allows reading the contents of a First-In-First-Out (FIFO) queue of registers
in a remote device. The function returns a count of the registers in the queue, followed by the
queued data. Up to 32 registers can be read: the count, plus up to 31 queued data registers.
The queue count register is returned first, followed by the queued data registers.
The function reads the queue contents, but does not clear them.
In a normal response, the byte count shows the quantity of bytes to follow, including the
queue count bytes and value register bytes (but not including the error check field).
The queue count is the quantity of data registers in the queue (not including the count
register).
If the queue count exceeds 31, an exception response is returned with an error code of 03
(Illegal Data Value).
Request
Function code               1 Byte          0x18
FIFO Pointer Address        2 Bytes         0x0000 to 0xFFFF

Response
Function code               1 Byte          0x18
Byte Count                  2 Bytes
FIFO Count                  2 Bytes         <= 31
FIFO Value Register         N* x 2 Bytes
*N = FIFO Count

Error
Error code                  1 Byte          0x98
Exception code              1 Byte          01 or 02 or 03 or 04

Here is an example of Read FIFO Queue request to remote device. The request is to read the
queue starting at the pointer register 1246 (0x04DE):

Request
Field Name                      (Hex)
Function                        18
FIFO Pointer Address Hi         04
FIFO Pointer Address Lo         DE

Response
Field Name                      (Hex)
Function                        18
Byte Count Hi                   00
Byte Count Lo                   06
FIFO Count Hi                   00
FIFO Count Lo                   02
FIFO Value Register Hi          01
FIFO Value Register Lo          B8
FIFO Value Register Hi          12
FIFO Value Register Lo          84

In this example, the FIFO pointer register (1246 in the request) is returned with a queue count
of 2. The two data registers follow the queue count. These are:
1247 (contents 440 decimal -- 0x01B8); and 1248 (contents 4740 -- 0x1284).

ENTRY: MB Server receives mb_req_pdu
1. Function code supported? NO: ExceptionCode = 01
2. 0x0000 <= FIFO Pointer Address <= 0xFFFF? NO: ExceptionCode = 02
3. FIFO Count <= 31? NO: ExceptionCode = 03
4. Request Processing: ReadFIFOQueue == OK? NO: ExceptionCode = 04
YES at every step: MB Server Sends mb_rsp
Any ExceptionCode: MB Server Sends mb_exception_rsp
EXIT

Figure 28: Read FIFO Queue state diagram

6.19 43 (0x2B) Encapsulated Interface Transport

Informative Note: The user is asked to refer to Annex A (Informative) MODBUS RESERVED
FUNCTION CODES, SUBCODES AND MEI TYPES.
Function Code 43 and its MEI Type 14 for Device Identification is one of two Encapsulated
Interface Transport currently available in this Specification. The following function codes and
MEI Types shall not be part of this published Specification and these function codes and MEI
Types are specifically reserved: 43/0-12 and 43/15-255.
The MODBUS Encapsulated Interface (MEI) Transport is a mechanism for tunneling service
requests and method invocations, as well as their returns, inside MODBUS PDUs.
The primary feature of the MEI Transport is the encapsulation of method invocations or
service requests that are part of a defined interface as well as method invocation returns or
service responses.

Figure 29: MODBUS encapsulated Interface Transport
(Block diagram: a Client Application with Client Interfaces X and Y on one side, and Server Interfaces X and Y with the Interface Backends of Application X and Application Y on the other; on each side MEI Type X and MEI Type Y pass through MEI Transport (FC 43) and a Network Interface onto the Network.)

The Network Interface can be any communication stack used to send MODBUS PDUs, such
as TCP/IP, or serial line.
A MEI Type is a MODBUS Assigned Number and therefore will be unique; the values between
0 and 255 are Reserved according to Annex A (Informative) except for MEI Type 13 and MEI
Type 14.
The MEI Type is used by MEI Transport implementations to dispatch a method invocation to
the indicated interface.
Since the MEI Transport service is interface agnostic, any specific behavior or policy required
by the interface must be provided by the interface, e.g. MEI transaction processing, MEI
interface error handling, etc.
Request
Function code               1 Byte      0x2B
MEI Type*                   1 Byte      0x0D or 0x0E
MEI type specific data      n Bytes
* MEI = MODBUS Encapsulated Interface

Response
Function code               1 Byte      0x2B
MEI Type                    1 byte      echo of MEI Type in Request
MEI type specific data      n Bytes

Error
Function code               1 Byte      0xAB : Fc 0x2B + 0x80
Exception code              1 Byte      01 or 02 or 03 or 04

As an example see Read device identification request.

6.20 43 / 13 (0x2B / 0x0D) CANopen General Reference Request and Response PDU

The CANopen General reference Command is an encapsulation of the services that will be
used to access (read from or write to) the entries of a CAN-Open Device Object Dictionary as
well as controlling and monitoring the CANopen system, and devices.
The MEI Type 13 (0x0D) is a MODBUS Assigned Number licensed to CiA for the CANopen
General Reference.
The system is intended to work within the limitations of existing MODBUS networks.
Therefore, the information needed to query or modify the object dictionaries in the system is
mapped into the format of a MODBUS message. The PDU will have the 253 Byte limitation in
both the Request and the Response message.
Informative: Please refer to Annex B for a reference to a specification that provides
information on MEI Type 13.

6.21 43 / 14 (0x2B / 0x0E) Read Device Identification

This function code allows reading the identification and additional information relative to the
physical and functional description of a remote device, only.
The Read Device Identification interface is modeled as an address space composed of a set
of addressable data elements. The data elements are called objects and an object Id
identifies them.
The interface consists of 3 categories of objects:
o Basic Device Identification. All objects of this category are mandatory: VendorName,
  Product code, and revision number.
o Regular Device Identification. In addition to Basic data objects, the device provides
  additional and optional identification and description data objects. All of the objects of
  this category are defined in the standard but their implementation is optional.
o Extended Device Identification. In addition to regular data objects, the device provides
  additional and optional identification and description private data about the physical
  device itself. All of these data are device dependent.
Object Id        Object Name / Description            Type               M/O          category
0x00             VendorName                           ASCII String       Mandatory    Basic
0x01             ProductCode                          ASCII String       Mandatory    Basic
0x02             MajorMinorRevision                   ASCII String       Mandatory    Basic
0x03             VendorUrl                            ASCII String       Optional     Regular
0x04             ProductName                          ASCII String       Optional     Regular
0x05             ModelName                            ASCII String       Optional     Regular
0x06             UserApplicationName                  ASCII String       Optional     Regular
0x07 ... 0x7F    Reserved                                                Optional     Regular
0x80 ... 0xFF    Private objects may be optionally    device dependant   Optional     Extended
                 defined. The range [0x80 - 0xFF]
                 is Product dependant.

Request
Function code               1 Byte      0x2B
MEI Type*                   1 Byte      0x0E
Read Device ID code         1 Byte      01 / 02 / 03 / 04
Object Id                   1 Byte      0x00 to 0xFF
* MEI = MODBUS Encapsulated Interface

Response
Function code               1 Byte          0x2B
MEI Type                    1 byte          0x0E
Read Device ID code         1 Byte          01 / 02 / 03 / 04
Conformity level            1 Byte          0x01 or 0x02 or 0x03 or 0x81 or 0x82 or 0x83
More Follows                1 Byte          00 / FF
Next Object Id              1 Byte          Object ID number
Number of objects           1 Byte
List Of
  Object ID                 1 Byte
  Object length             1 Byte
  Object Value              Object length   Depending on the object ID

Error
Function code               1 Byte      0xAB : Fc 0x2B + 0x80
Exception code              1 Byte      01 or 02 or 03 or 04

Request parameters description:
A MODBUS Encapsulated Interface assigned number 14 identifies the Read identification
request.
The parameter "Read Device ID code" allows to define four access types:
01: request to get the basic device identification (stream access)
02: request to get the regular device identification (stream access)
03: request to get the extended device identification (stream access)
04: request to get one specific identification object (individual access)

An exception code 03 is sent back in the response if the Read device ID code is illegal.
In case of a response that does not fit into a single response, several transactions
(request/response) must be done. The Object Id byte gives the identification of the first
object to obtain. For the first transaction, the client must set the Object Id to 0 to obtain
the beginning of the device identification data. For the following transactions, the client
must set the Object Id to the value returned by the server in its previous response.
Remark: An object is indivisible, therefore any object must have a size consistent with
the size of transaction response.
If the Object Id does not match any known object, the server responds as if object 0 were
pointed out (restart at the beginning).
In case of an individual access (ReadDevId code 04), the Object Id in the request gives
the identification of the object to obtain, and if the Object Id doesn't match any known
object, the server returns an exception response with exception code = 02 (Illegal data
address).
If the server device is asked for a description level (readDevice Code) higher than its
conformity level, it must respond in accordance with its actual conformity level.
Response parameter description:

Function code:      Function code 43 (decimal) 0x2B (hex)

MEI Type:           14 (0x0E) MEI Type assigned number for Device Identification Interface

ReadDevId code:     Same as request ReadDevId code: 01, 02, 03 or 04

Conformity Level:   Identification conformity level of the device and type of supported access
                    0x01: basic identification (stream access only)
                    0x02: regular identification (stream access only)
                    0x03: extended identification (stream access only)
                    0x81: basic identification (stream access and individual access)
                    0x82: regular identification (stream access and individual access)
                    0x83: extended identification (stream access and individual access)

More Follows:       In case of ReadDevId codes 01, 02 or 03 (stream access),
                    if the identification data doesn't fit into a single response, several
                    request/response transactions may be required.
                    0x00: no more Object are available
                    0xFF: other identification Object are available and further
                    MODBUS transactions are required
                    In case of ReadDevId code 04 (individual access),
                    this field must be set to 00.

Next Object Id:     If "MoreFollows = FF", identification of the next Object to be asked for.
                    If "MoreFollows = 00", must be set to 00 (useless)

Number Of Objects:  Number of identification Object returned in the response
                    (for an individual access, Number Of Objects = 1)

Object0.Id:         Identification of the first Object returned in the PDU (stream
                    access) or the requested Object (individual access)

Object0.Length:     Length of the first Object in byte

Object0.Value:      Value of the first Object (Object0.Length bytes)

...

ObjectN.Id:         Identification of the last Object (within the response)

ObjectN.Length:     Length of the last Object in byte

ObjectN.Value:      Value of the last Object (ObjectN.Length bytes)

Example of a Read Device Identification request for "Basic device identification": In
this example all information is sent in one response PDU.

Request
Field Name              Value
Function                2B
MEI Type                0E
Read Dev Id code        01
Object Id               00

Response
Field Name              Value
Function                2B
MEI Type                0E
Read Dev Id Code        01
Conformity Level        01
More Follows            00
NextObjectId            00
Number Of Objects       03
Object Id               00
Object Length           16
Object Value            "Company identification"
Object Id               01
Object Length           0D
Object Value            "Product code XX"
Object Id               02
Object Length           05
Object Value            "V2.11"
In case of a device that requires several transactions to send the response, the following
transactions are initiated.

First transaction:

Request
Field Name              Value
Function                2B
MEI Type                0E
Read Dev Id code        01
Object Id               00

Response
Field Name              Value
Function                2B
MEI Type                0E
Read Dev Id Code        01
Conformity Level        01
More Follows            FF
NextObjectId            02
Number Of Objects       03
Object Id               00
Object Length           16
Object Value            "Company identification"
Object Id               01
Object Length           1C
Object Value            "Product code XXXXXXXXXXXXXXXX"

Second transaction:

Request
Field Name              Value
Function                2B
MEI Type                0E
Read Dev Id code        01
Object Id               02

Response
Field Name              Value
Function                2B
MEI Type                0E
Read Dev Id Code        01
Conformity Level        01
More Follows            00
NextObjectId            00
Number Of Objects       03
Object Id               02
Object Length           05
Object Value            "V2.11"
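A client for the multi-transaction exchange above that treats every length and continuation field in the response as untrusted. This is an added example, not code from the specification; `transact` is a hypothetical callable that sends one request PDU and returns the response PDU, and the sample responses are constructed from the two transactions shown above with object lengths computed from the strings.

```python
class DeviceIdError(Exception):
    pass


CONFORMITY_LEVELS = (0x01, 0x02, 0x03, 0x81, 0x82, 0x83)


def parse_device_id_response(pdu, read_code):
    """Parse one 43/14 response; return (more_follows, next_id, {id: bytes})."""
    if len(pdu) == 2 and pdu[0] == 0xAB:           # 0x2B + 0x80
        raise DeviceIdError(f"exception response, code {pdu[1]:02X}")
    if not 7 <= len(pdu) <= 253 or pdu[0] != 0x2B or pdu[1] != 0x0E:
        raise DeviceIdError("not a Read Device Identification response")
    if pdu[2] != read_code or pdu[3] not in CONFORMITY_LEVELS:
        raise DeviceIdError("unexpected ReadDevId code or conformity level")
    more, next_id = pdu[4], pdu[5]
    if more not in (0x00, 0xFF):
        raise DeviceIdError("More Follows must be 00 or FF")
    # Objects are walked to the end of the PDU, not by Number Of Objects:
    # the first transaction above carries 03 in a PDU holding two objects.
    objects, pos = {}, 7
    while pos < len(pdu):
        if len(pdu) - pos < 2:
            raise DeviceIdError("truncated object header")
        obj_id, length = pdu[pos], pdu[pos + 1]
        pos += 2
        if length > len(pdu) - pos:
            raise DeviceIdError("object length runs past the end of the PDU")
        objects[obj_id] = bytes(pdu[pos:pos + length])
        pos += length
    return more, next_id, objects


def read_device_identification(transact, read_code=0x01, max_transactions=16):
    """Follow More Follows / Next Object Id until the stream is complete."""
    objects, object_id = {}, 0x00                  # first transaction: Object Id 0
    for _ in range(max_transactions):
        response = transact(bytes([0x2B, 0x0E, read_code, object_id]))
        more, next_id, part = parse_device_id_response(response, read_code)
        # A server that answers an unknown Object Id by restarting at object 0
        # would otherwise keep the client looping over the same data.
        if not set(part) - set(objects):
            raise DeviceIdError("transaction returned no new object")
        objects.update(part)
        if more == 0x00:
            return objects
        object_id = next_id
    raise DeviceIdError("More Follows still FF after max_transactions")


def encode_object(obj_id, text):
    data = text.encode("ascii")
    return bytes([obj_id, len(data)]) + data


# Constructed sample server, keyed by the Object Id in the request.
SAMPLE_RESPONSES = {
    0x00: bytes.fromhex("2B0E0101FF0203")
          + encode_object(0x00, "Company identification")
          + encode_object(0x01, "Product code XXXXXXXXXXXXXXXX"),
    0x02: bytes.fromhex("2B0E0101000003") + encode_object(0x02, "V2.11"),
}


def sample_server(request):
    return SAMPLE_RESPONSES[request[3]]


if __name__ == "__main__":
    for obj_id, value in read_device_identification(sample_server).items():
        print(f"{obj_id:02X}", value)
```

Object values are returned as raw bytes, so the caller decides how to decode and display what a device reports about itself.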

ENTRY: MB Server receives mb_req_pdu
1. Function code supported? NO: Except. Code = 01
2. Object Id OK? NO: Except. Code = 02
3. Read deviceId Code OK? NO: Except. Code = 03
4. Request Processing: Segmentation required?
   NO: More follows = 00, Next Object ID = 00
   YES: More follows = FF, Next Object ID = XX
MB Server Sends mb_rsp
Any Except. Code: MB Server Sends mb_exception_rsp
EXIT

Figure 30: Read Device Identification state diagram

7 MODBUS Exception Responses

When a client device sends a request to a server device it expects a normal response. One
of four possible events can occur from the master's query:
o If the server device receives the request without a communication error, and can
  handle the query normally, it returns a normal response.
o If the server does not receive the request due to a communication error, no response
  is returned. The client program will eventually process a timeout condition for the
  request.
o If the server receives the request, but detects a communication error (parity, LRC,
  CRC, ...), no response is returned. The client program will eventually process a
  timeout condition for the request.
o If the server receives the request without a communication error, but cannot handle it
  (for example, if the request is to read a non-existent output or register), the server
  will return an exception response informing the client of the nature of the error.

The exception response message has two fields that differentiate it from a normal response:
Function Code Field: In a normal response, the server echoes the function code of the
original request in the function code field of the response. All function codes have a most-significant
bit (MSB) of 0 (their values are all below 80 hexadecimal). In an exception
response, the server sets the MSB of the function code to 1. This makes the function code
value in an exception response exactly 80 hexadecimal higher than the value would be for a
normal response.
With the function code's MSB set, the client's application program can recognize the
exception response and can examine the data field for the exception code.
Data Field: In a normal response, the server may return data or statistics in the data field
(any information that was requested in the request). In an exception response, the server
returns an exception code in the data field. This defines the server condition that caused the
exception.
Example of a client request and server exception response

Request
Field Name                  (Hex)
Function                    01
Starting Address Hi         04
Starting Address Lo         A1
Quantity of Outputs Hi      00
Quantity of Outputs Lo      01

Response
Field Name                  (Hex)
Function                    81
Exception Code              02

In this example, the client addresses a request to server device. The function code (01) is
for a Read Output Status operation. It requests the status of the output at address 1185
(04A1 hex). Note that only that one output is to be read, as specified by the number of
outputs field (0001).
If the output address is non-existent in the server device, the server will return the
exception response with the exception code shown (02). This specifies an illegal data
address for the slave.
A listing of exception codes begins on the next page.

MODBUS Exception Codes

Code:    01
Name:    ILLEGAL FUNCTION
Meaning: The function code received in the query is not an allowable action for the server
         (or slave). This may be because the function code is only applicable to newer
         devices, and was not implemented in the unit selected. It could also indicate that
         the server (or slave) is in the wrong state to process a request of this type, for
         example because it is unconfigured and is being asked to return register values.

Code:    02
Name:    ILLEGAL DATA ADDRESS
Meaning: The data address received in the query is not an allowable address for the server
         (or slave). More specifically, the combination of reference number and transfer
         length is invalid. For a controller with 100 registers, the PDU addresses the first
         register as 0, and the last one as 99. If a request is submitted with a starting
         register address of 96 and a quantity of registers of 4, then this request will
         successfully operate (address-wise at least) on registers 96, 97, 98, 99. If a
         request is submitted with a starting register address of 96 and a quantity of
         registers of 5, then this request will fail with Exception Code 0x02 "Illegal Data
         Address" since it attempts to operate on registers 96, 97, 98, 99 and 100, and
         there is no register with address 100.

Code:    03
Name:    ILLEGAL DATA VALUE
Meaning: A value contained in the query data field is not an allowable value for server (or
         slave). This indicates a fault in the structure of the remainder of a complex
         request, such as that the implied length is incorrect. It specifically does NOT mean
         that a data item submitted for storage in a register has a value outside the
         expectation of the application program, since the MODBUS protocol is unaware of
         the significance of any particular value of any particular register.

Code:    04
Name:    SLAVE DEVICE FAILURE
Meaning: An unrecoverable error occurred while the server (or slave) was attempting to
         perform the requested action.

Code:    05
Name:    ACKNOWLEDGE
Meaning: Specialized use in conjunction with programming commands.
         The server (or slave) has accepted the request and is processing it, but a long
         duration of time will be required to do so. This response is returned to prevent a
         timeout error from occurring in the client (or master). The client (or master) can
         next issue a Poll Program Complete message to determine if processing is completed.

Code:    06
Name:    SLAVE DEVICE BUSY
Meaning: Specialized use in conjunction with programming commands.
         The server (or slave) is engaged in processing a long-duration program command.
         The client (or master) should retransmit the message later when the server (or
         slave) is free.

Code:    08
Name:    MEMORY PARITY ERROR
Meaning: Specialized use in conjunction with function codes 20 and 21 and reference type 6,
         to indicate that the extended file area failed to pass a consistency check.
         The server (or slave) attempted to read record file, but detected a parity error in
         the memory. The client (or master) can retry the request, but service may be
         required on the server (or slave) device.

Code:    0A
Name:    GATEWAY PATH UNAVAILABLE
Meaning: Specialized use in conjunction with gateways, indicates that the gateway was unable
         to allocate an internal communication path from the input port to the output port
         for processing the request. Usually means that the gateway is misconfigured or
         overloaded.

Code:    0B
Name:    GATEWAY TARGET DEVICE FAILED TO RESPOND
Meaning: Specialized use in conjunction with gateways, indicates that no response was
         obtained from the target device. Usually means that the device is not present on
         the network.

Annex A (Informative): MODBUS RESERVED FUNCTION CODES, SUBCODES
AND MEI TYPES
The following function codes and subcodes shall not be part of this published Specification
and these function codes and subcodes are specifically reserved. The format is function
code/subcode or just function code where all the subcodes (0-255) are reserved: 8/19; 8/21-65535,
9, 10, 13, 14, 41, 42, 90, 91, 125, 126 and 127.
Function Code 43 and its MEI Type 14 for Device Identification and MEI Type 13 for
CANopen General Reference Request and Response PDU are the currently available
Encapsulated Interface Transports in this Specification.
The following function codes and MEI Types shall not be part of this published Specification
and these function codes and MEI Types are specifically reserved: 43/0-12 and 43/15-255.
In this Specification, a User Defined Function code having the same or similar result as the
Encapsulated Interface Transport is not supported.
MODBUS is a registered trademark of Schneider Automation Inc.

Annex B (Informative): CANOPEN GENERAL REFERENCE COMMAND
Please refer to the MODBUS-IDA website or the CiA (CAN in Automation) website for a copy
and terms of use that cover Function Code 43 MEI Type 13.

