MODBUS Application Protocol Specification

MODBUS.ORG
1 Introduction .......................................................................... 2
1.1 1.2 Scope of this document .......................................................... 2 References ............................................................................. 2

Content

2 3 4

Abbreviations ....................................................................... 3 Context................................................................................. 3 General description .............................................................. 5

4.1 4.2 4.3 4.4 Protocol description................................................................ 5 Data Encoding........................................................................ 7 MODBUS data model ............................................................. 7 Define MODBUS Transaction ................................................. 9 Public Function Code Definition .............................................12 01 (0x01) Read Coils .............................................................12 02 (0x02) Read Discrete Inputs..............................................14 03 (0x03) Read Holding Registers .........................................17 04 (0x04) Read Input Registers .............................................18 05 (0x05) Write Single Coil ....................................................20 06 (0x06) Write Single Register .............................................22 15 (0x0F) Write Multiple Coils................................................25 16 (0x10) Write Multiple registers ..........................................28 20 (0x14) Read File Record ...................................................29 22 (0x16) Mask Write Register ...........................................34 23 (0x17) Read/Write Multiple registers..............................35 43 (0x2B) Read Device Identification ..................................38

5 6

Function Code Categories .................................................. 11

5.1 6.1 6.2 6.3 6.4 6.5 6.6 6.7 6.8 6.9 6.10 6.11 6.12

Function codes descripitons................................................ 12

MODBUS Exception Responses......................................... 43

modbus.org 8May02

http://www.modbus.org/

1/45

1
1.1

Introduction
Scope of this document

MODBUS is an application layer messaging protocol, positioned at level 7 of the OSI model, that provides client/server communication between devices connected on different types of buses or networks. The industry serial de facto standard since 1979, Modbus continues to enable millions of automation devices to communicate. Today, s support for the simple and elegant structure of MODBUS continues to grow. The Internet community can access MODBUS at a reserved system port 502 on the TCP/IP stack. MODBUS is a request/reply protocol and offers services specified by function codes. MODBUS function codes are elements of MODBUS request/reply PDUs. The objective of this document is to describe the function codes used within the framework of MODBUS transactions.

1.2
1. 2.

References
RFC 791, Internet Protocol, Sep81 DARPA MODBUS Protocol Reference Guide Rev J, MODICON, June 1996, doc # PI_MBUS_300

MODBUS is an application layer messaging protocol for client/server communication between devices connected on different types of buses or networks. It is currently implemented using: TCP/IP over Ethernet. Asynchronous serial transmission over a variety of media (wire : EIA/TIA-232-E, EIA-422, EIA/TIA-485-A; fiber, radio, etc.) MODBUS PLUS, a high speed token passing network.

MODBUS APPLICATION LAYER

Modbus on TCP TCP IP

Other Other

MODBUS+ / HDLC Physical layer

Master / Slave EIA/TIA-232 or EIA/TIA-485

Ethernet II /802.3 Ethernet Physical layer

Figure 1:

MODBUS communication stack

modbus.org 8May02

http://www.modbus.org/

2/45

MODBUS Application Protocol Specification

MODBUS.ORG

2
ADU

Abbreviations
Application Data Unit High level Data Link Control Human Machine Interface Internet Engineering Task Force Input/Output Internet Protocol Medium Access Control MODBUS Protocol Protocol Data Unit Programmable Logic Controller Transport Control Protocol

HDLC HMI IETF I/O IP MAC MB PDU PLC TCP

MBAP MODBUS Application Protocol

Context

The MODBUS protocol allows an easy communication within all types of network architectures.

MODBUS COMMUNICATION

Drive

PLC

HMI

I/ O

I/ O

PLC

I/ O

MODBUS ON TCP/IP

Gateway

Gateway

Gateway

MODBUS ON RS232

MODBUS ON RS485

MODBUS ON MB+

PLC HMI Drive

PLC I/ O I/ O
Device

Device

I/ O I/ O
Figure 2:

Example of MODBUS Network Architecture

Every type of devices (PLC, HMI, Control Panel, Driver, Motion control, I/O Device ) can use MODBUS protocol to initiate a remote operation.

modbus.org 8May02

http://www.modbus.org/

3/45

MODBUS Application Protocol Specification

MODBUS.ORG

The same communication can be done as well on serial line as on an Ethernet TCP/IP networks. Some gateway allows a communication between several types of buses or network using the MODBUS protocol.

modbus.org 8May02

http://www.modbus.org/

4/45

MODBUS Application Protocol Specification

MODBUS.ORG

4
4.1

General description
Protocol description

The MODBUS protocol defined a simple protocol data unit (PDU) independent of the underlying communication layers. The mapping of MODBUS protocol on specific buses or network can introduce some additional fields on the application data unit (ADU).

ADU Additional address Function code PDU

Figure 3: General MODBUS frame

Data

Error check

The MODBUS application data unit is built by the client that initiates a MODBUS transaction. The function indicates to the server what kind of action to perform. The MODBUS application protocol establishes the format of a request initiated by a client. The function code field of a MODBUS data unit is coded in one byte. Valid codes are in the range of 1 ... 255 decimal (128 255 reserved for exception responses). When a message is sent from a Client to a Server device the function code field tells the server what kind of action to perform. Sub-function codes are added to some function codes to define multiple actions. The data field of messages sent from a client to server devices contains additional information that the server uses to take the action defined by the function code. This can include items like discrete and register addresses, the quantity of items to be handled, and the count of actual data bytes in the field. The data field may be nonexistent (of zero length) in certain kinds request, in this case the server does not require any additional information. The function code alone specifies the action. If no error occurs related to the MODBUS function requested in a properly received MODBUS ADU the data field of a response from a server to a client contains the data requested. If an error related to the MODBUS function requested occurs, the field contains an exception code that the server application can use to determine the next action to be taken. For example a client can read the ON / OFF states of a group of discrete outputs or inputs or it can read/write the data contents of a group of registers. When the server responds to the client, it uses the function code field to indicate either a normal (error-free) response or that some kind of error occurred (called an exception response). For a normal response, the server simply echoes the original function code.

Client
Initiate request
Function code Data Request

Server

Perform the action Initiate the response

Function code Data Response

Receive the response

modbus.org 8May02

http://www.modbus.org/

5/45

MODBUS Application Protocol Specification

MODBUS.ORG
MODBUS transaction (error free)

Figure 4:

For an exception response, the server returns a code that is equivalent to the original function code with its most significant bit set to logic 1.

Client
Initiate request
Function code Data Request

Server

Error detected in the action Initiate an error

Error code Exception code

Receive the response

Figure 5:

MODBUS transaction (exception response)

Note: It is desirable to manage a time out in order not to indefinitely wait for an answer which will perhaps never arrive.

The size of the Modbus PDU is limited by the size constraint inherited from the first Modbus implementation on Serial Line network (max. RS485 ADU = 256 bytes). Therefore, MODBUS PDU for serial line communication = 256 - Server adress (1 byte) - CRC (2 bytes) = 253 bytes. Consequently : RS232 / RS485 ADU TCP MODBUS ADU = 253 bytes + Server adress (1 byte) + CRC (2 bytes) = 256 bytes. = 249 bytes + MBAP (7 bytes) = 256 bytes .

The MODBUS protocol defines three PDUs. They are : MODBUS Request PDU, mb_req_pdu MODBUS Response PDU, mb_rsp_pdu MODBUS Exception Response PDU, mb_excep_rsp_pdu

The mb_req_pdu is defined : mb_req_pdu = { function_code, request_data), where

function_code - [1 byte] MODBUS function code request_data - [n bytes] This field is function code dependent and usually contains information such as variable references, variable counts, data offsets, sub-function codes etc.

The mb_rsp_pdu is defined :

modbus.org 8May02

http://www.modbus.org/

6/45

MODBUS Application Protocol Specification

MODBUS.ORG
where

mb_rsp_pdu = { function_code, response_ data),

function_code - [1 byte] MODBUS function code response_data - [n bytes] This field is function code dependent and usually contains information such as variable references, variable counts, data offsets, sub-function codes, etc.

The mb_excep_rsp_pdu is defined : mb_excep_rsp_pdu = { function_code, request_data), where

function_code - [1 byte] MODBUS function code + 0x80 exception_code - [1 byte] MODBUS Exception Code Defined in table below.

4.2

Data Encoding

MODBUS uses a big-Endianrepresentation for addresses and data items. This means that when a numerical quantity larger than a single byte is transmitted, the most significant byte is sent first. So for example Register size 16 - bits value 0x1234 the first byte sent is 0x12 then 0x34

F
4.3

Note: For more details, see [1] .

MODBUS data model

MODBUS bases its data model on a series of tables that have distinguishing characteristics. The four primary tables are:

Primary tables Discretes Input Coils Input Registers Holding Registers

Object type Single bit Single bit 16-bit word 16-bit word

Type of access Read-Only Read-Write Read-Only Read-Write

Comments This type of data can be provided by an I/O system. This type of data can be alterable by an application program. This type of data can be provided by an I/O system This type of data can be alterable by an application program.

The distinctions between inputs and outputs, and between bit-addressable and word-addressable data items, do not imply any application behavior. It is perfectly acceptable, and very common, to regard all four tables as overlaying one another, if this is the most natural interpretation on the target machine in question. For each of the primary tables, the protocol allows individual selection of 65536 data items, and the operations of read or write of those items are designed to span multiple consecutive data items up to a data size limit which is dependent on the transaction function code. It obvious that all the data handled via MODBUS (bits, registers) must be located in device application memory. But physical address in s memory should not be confused with data reference. The only requirement is to link data reference with physical address. MODBUS logical reference number, which are used in MODBUS functions, are unsigned integer indices starting at zero.

modbus.org 8May02

http://www.modbus.org/

7/45

MODBUS Application Protocol Specification

MODBUS.ORG

Implementation examples of MODBUS model The examples below show two ways of organizing the data in device. There are different organizations possible, all are not described in this document. Each device can have its own organization of the data according to its application Example 1 : Device having 4 separate blocks The example below shows data organization in a device having digital and analog, inputs and outputs. Each block is separate from each other, because data from different block have no correlation. Each block is thus accessible with different MODBUS functions.
Device application memory

MODBUS access

Input Discrete Coils Input Registers Holding Registers

MODBUS Request

MODBUS SERVER DEVICE

Figure 6
Example 2: Device having only 1 block

MODBUS Data Model with separate block

In this example, the device have only 1 data block. A same data can be reached via several MODBUS functions, either via a 16 bits access or via an access bit.

Device application memory

MODBUS access

Input Discrete
R W

Coils
R

MODBUS Request

Input Registers Holding Registers

MODBUS SERVER DEVICE

Figure 7

MODBUS Data Model with only 1 block

modbus.org 8May02

http://www.modbus.org/

8/45

MODBUS Application Protocol Specification

MODBUS.ORG

4.4

Define MODBUS Transaction

The following state diagram describes the generic processing of a MODBUS transaction in server side.
Wait for a MB indication

[Receive MB indication] Validate function code

ExeptionCode_1

[Invalid] [Valid] Validate data Address

ExceptionCode_2

[Invalid] [valid] Validate data value

ExceptionCode_3

[Invalid] [valid] Execute MB function

ExceptionCode_4_5_6

[Invalid] [Valid]

Send Modbus Exception Response

Send Modbus Response

Figure 8

MODBUS Transaction state diagram

Once the request has been processed by a server, a MODBUS response using the adequate MODBUS server transaction is built. Depending on the result of the processing two types of response can be built : A positive MODBUS response :

modbus.org 8May02

http://www.modbus.org/

9/45

MODBUS Application Protocol Specification

MODBUS.ORG

the response function code = the request function code A MODBUS Exception response ( see chapter 6.14): the objective is to provide to the client relevant information concerning the error detected during the processing ; the response function code = the request function code + 0x80 ;
an exception code is provided to indicate the reason of the error.

modbus.org 8May02

http://www.modbus.org/

10/45

MODBUS Application Protocol Specification

MODBUS.ORG

Function Code Categories

There are three categories of MODBUS Functions codes. They are : Public Function Codes Are well defined function codes , guaranteed to be unique, validated by the modbus.org community, publically documented have available conformance test, are documented in the MB IETF RFC, includes both defined public assigned function codes as well as unassigned function codes reserved for future use. User-Defined Function Codes there is a defined two ranges of user-defined function codes, ie 65 to 72 and from 100 to 110 decimal. user can select and implement a function code without any approval from modbus.org there is no guarantee that the use of the selected function code will be unique if the user wants to re-position the functionality as a public function code, he must initiate an RFC to introduce the change into the public category and to have a new public function code assigned. Reserved Function Codes Function Codes currently used by some companies for legacy products and that are not available for public use.

127

PUBLIC function codes

110 100 72 65

User Defined Function codes PUBLIC function codes User Defined Function codes

PUBLIC function codes

1
Figure 9 MODBUS Function Code Categories

modbus.org 8May02

http://www.modbus.org/

11/45

MODBUS Application Protocol Specification

MODBUS.ORG

5.1

Public Function Code Definition

Function Codes code Physical Discrete Inputs Read Input Discrete Bit access Internal Bits Or Physical coils Read Coils Write Single Coil Write Multiple Coils 02 01 05 15 Sub code (hex) 02 01 05 0F Page 11 10 16 37

Data Access 16 bits access

Physical Input Registers Read Input Register Read Multiple Registers Internal Registers Or Physical Output Registers Write Single Register Write Multiple Registers Read/Write Multiple Registers Mask Write Register

04 03 06 16 23 22

04 03 06 10 17 16

14 13 17 39 47 46

Read File record File record access Write File record Read Device Identification

20 21 43

6 6 14

14 15 2B

42 44

Encapsulated Interface

6
6.1

Function codes descripitons

01 (0x01) Read Coils

This function code is used to read from 1 to 2000 contiguous status of coils in a remote device. The Request PDU specifies the starting address, ie the address of the first coil specified, and the number of coils. Coils are addressed starting at zero. Therefore coils 1-16 are addressed as 0-15. The coils in the response message are packed as one coil per bit of the data field. Status is indicated as 1= ON and 0= OFF. The LSB of the first data byte contains the output addressed in the query. The other coils follow toward the high order end of this byte, and from low order to high order in subsequent bytes. If the returned output quantity is not a multiple of eight, the remaining bits in the final data byte will be padded with zeros (toward the high order end of the byte). The Byte Count field specifies the quantity of complete bytes of data. Request PDU
Function code Starting Address Quantity of coils 1 Byte 2 Bytes 2 Bytes 0x01 0x0000 to 0xFFFF 1 to 2000 (0x7D0)

Response PDU
Function code 1 Byte 0x01

modbus.org 8May02

http://www.modbus.org/

12/45

MODBUS Application Protocol Specification

MODBUS.ORG
N* n = N or N+1

Byte count Coil Status

1 Byte n Byte

*N = Quantity of Outputs / 8, if the remainder is different of 0 N = N+1 Error

Function code Exception code 1 Byte 1 Byte Function code + 0x80 01 or 02 or 03 or 04

Here is an example of a request to read discrete outputs 2038:

Request Field Name Function Starting Address Hi Starting Address Lo Quantity of Outputs Hi Quantity of Outputs Lo (Hex) 01 00 13 00 13 Response Field Name Function Byte Count Outputs status 27-20 Outputs status 35-28 Outputs status 38-36 (Hex) 01 03 CD 6B 05

The status of outputs 2720 is shown as the byte value CD hex, or binary 1100 1101. Output 27 is the MSB of this byte, and output 20 is the LSB. By convention, bits within a byte are shown with the MSB to the left, and the LSB to the right. Thus the outputs in the first byte are 27 through 20 from left to right. The next byte has outputs through 28 left to right. As the bits are transmitted serially, they flow from , 35 , LSB to MSB: 20 . . . 27, 28 . . . 35, and so on. In the last data byte, the status of outputs 38-36 is shown as the byte value 05 hex, or binary 0000 0101. Output 38 is in the sixth bit position from the left, and output 36 is the LSB of this byte. The five remaining high order bits are zero filled.

Note: The five remaining bits (toward the high order end) are zero filled.

modbus.org 8May02

http://www.modbus.org/

13/45

MODBUS Application Protocol Specification

MODBUS.ORG

ENTRY MB Server receives mb_req_pdu

NO Function code supported YES ExceptionCode = 01 NO 0x0001 Quantity of Outputs 0x07D0

YES ExceptionCode = 03 NO Starting Address == OK AND Starting Address + Quantity of Outputs == OK YES ExceptionCode = 02 Request Processing

NO ReadDiscreteOutputs

== OK

YES ExceptionCode = 04 MB Server Sends mb_rsp

MB Server Sends mb_exception_rsp

EXIT

Figure 10:

Read Coils state diagram

6.2

02 (0x02) Read Discrete Inputs

This function code is used to read from 1 to 2000 contiguous status of discrete inputs in a remote device. The Request PDU specifies the starting address, ie the address of the first input specified, and the number of inputs. Inputs are addressed starting at zero. Therefore inputs 1-16 are addressed as 0-15. The discrete inputs in the response message are packed as one input per bit of the data field. Status is indicated as 1= ON; 0= OFF. The LSB of the first data byte contains the input addressed in the query. The other inputs follow toward the high order end of this byte, and from low order to high order in subsequent bytes. If the returned input quantity is not a multiple of eight, the remaining bits in the final data byte will be padded with zeros (toward the high order end of the byte). The Byte Count field specifies the quantity of complete bytes of data. Request PDU Function code Starting Address Quantity of Inputs 1 Byte 2 Bytes 2 Bytes 0x02 0x0000 to 0xFFFF 1 to 2000 (0x7D0)

modbus.org 8May02

http://www.modbus.org/

14/45

MODBUS Application Protocol Specification Response PDU Function code Byte count Input Status 1 Byte 1 Byte N* x 1 Byte 0x02 N*

MODBUS.ORG

*N = Quantity of Inputs / 8 if the remainder is different of 0 N = N+1 Error Error code Exception code 1 Byte 1 Byte 0x82 01 or 02 or 03 or 04

Here is an example of a request to read discrete inputs 197 218:

Request Field Name Function Starting Address Hi Starting Address Lo Quantity of Inputs Hi Quantity of Inputs Lo (Hex) 02 00 C4 00 16 Response Field Name Function Byte Count Inputs Status 204-197 Inputs Status 212-205 Inputs Status 218-213 (Hex) 02 03 AC DB 35

The status of discrete inputs 204197 is shown as the byte value AC hex, or binary 1010 1100. Input 204 is the MSB of this byte, and input 197 is the LSB. The status of discrete inputs 218213 is shown as the byte value 35 hex, or binary 0011 0101. Input 218 is in the third bit position from the left, and input 213 is the LSB.

Note: The two remaining bits (toward the high order end) are zero filled.

modbus.org 8May02

http://www.modbus.org/

15/45

MODBUS Application Protocol Specification

MODBUS.ORG

ENTRY MB Server receives mb_req_pdu

NO Function code supported YES ExceptionCode = 01 NO 0x0001 Quantity of Inputs 0x07D0

YES ExceptionCode = 03 NO Starting Address == OK AND Starting Address + Quantity of Inputs == OK YES Request Processing

ExceptionCode = 02

NO ReadDiscreteInputs

== OK

ExceptionCode = 04

YES

MB Server Sends mb_rsp

MB Server Sends mb_exception_rsp

EXIT

Figure 11:

Read Discrete Inputs state diagram

modbus.org 8May02

http://www.modbus.org/

16/45

MODBUS Application Protocol Specification

MODBUS.ORG

6.3

03 (0x03) Read Holding Registers

This function code is used to read the contents of a contiguous block of holding registers in a remote device. The Request PDU specifies the starting register address and the number of registers. Registers are addressed starting at zero. Therefore registers 1-16 are addressed as 0-15. The register data in the response message are packed as two bytes per register, with the binary contents right justified within each byte. For each register, the first byte contains the high order bits and the second contains the low order bits. Request
Function code Starting Address Quantity of Registers 1 Byte 2 Bytes 2 Bytes 0x03 0x0000 to 0xFFFF 1 to 125 (0x7D)

Response
Function code Byte count Register value 1 Byte 1 Byte N* x 2 Bytes 0x03 2 x N*

*N = Quantity of Registers Error

Error code Exception code 1 Byte 1 Byte 0x83 01 or 02 or 03 or 04

Here is an example of a request to read registers 108 110:

Request Field Name Function Starting Address Hi Starting Address Lo No. of Registers Hi No. of Registers Lo (Hex) 03 00 6B 00 03 Response Field Name Function Byte Count Register value Hi (108) Register value Lo (108) Register value Hi (109) Register value Lo (109) Register value Hi (110) Register value Lo (110) (Hex) 03 06 02 2B 00 00 00 64

The contents of register 108 are shown as the two byte values of 02 2B hex, or 555 decimal. The contents of registers 109110 are 00 00 and 00 64 hex, or 0 and 100 decimal, respectively.

modbus.org 8May02

http://www.modbus.org/

17/45

MODBUS Application Protocol Specification

MODBUS.ORG

ENTRY MB Server receives mb_req_pdu

NO Function code supported YES ExceptionCode = 01 NO 0x0001 Quantity of Registers 0x007D

YES ExceptionCode = 03 NO Starting Address == OK AND Starting Address + Quantity of Registers == OK YES ExceptionCode = 02 Request Processing

NO ReadMultipleRegisters ==

OK

ExceptionCode = 04

YES MB Server Sends mb_rsp

MB Server Sends mb_exception_rsp

EXIT

Figure 12:

Read Holding Registers state diagram

6.4

04 (0x04) Read Input Registers

This function code is used to read from 1 to approx. 125 contiguous input registers in a remote device. The Request PDU specifies the starting register address and the number of registers. Registers are addressed starting at zero. Therefore input registers 1-16 are addressed as 0-15. The register data in the response message are packed as two bytes per register, with the binary contents right justified within each byte. For each register, the first byte contains the high order bits and the second contains the low order bits. Request
Function code Starting Address Quantity of Input Registers 1 Byte 2 Bytes 2 Bytes 0x04 0x0000 to 0xFFFF 0x0001 to 0x007D

Response
Function code Byte count Input Registers 1 Byte 1 Byte N* x 2 Bytes 0x04 2 x N*

*N = Quantity of Input Registers

modbus.org 8May02

http://www.modbus.org/

18/45

MODBUS Application Protocol Specification Error

Error code Exception code 1 Byte 1 Byte 0x84 01 or 02 or 03 or 04

MODBUS.ORG

modbus.org 8May02

http://www.modbus.org/

19/45

MODBUS Application Protocol Specification

MODBUS.ORG

Here is an example of a request to read input register 9:

Request Field Name Function Starting Address Hi Starting Address Lo Quantity of Input Reg. Hi Quantity of Input Reg. Lo (Hex) 04 00 08 00 01 Response Field Name Function Byte Count Input Reg. 9 Hi Input Reg. 9 Lo (Hex) 04 02 00 0A

The contents of input register 9 are shown as the two byte values of 00 0A hex, or 10 decimal.

ENTRY MB Server receives mb_req_pdu

NO Function code supported YES ExceptionCode = 01 NO 0x0001 Quantity of Registers 0x007D

YES ExceptionCode = 03 NO Starting Address == OK AND Starting Address + Quantity of Registers == OK YES ExceptionCode = 02 Request Processing

NO ReadInputRegisters

== OK

ExceptionCode = 04

YES MB Server Sends mb_rsp

MB Server Sends mb_exception_rsp

EXIT

Figure 13:

Read Input Registers state diagram

6.5

05 (0x05) Write Single Coil

This function code is used to write a single output to either ON or OFF in a remote device.

modbus.org 8May02

http://www.modbus.org/

20/45

MODBUS Application Protocol Specification

MODBUS.ORG

The requested ON/OFF state is specified by a constant in the request data field. A value of FF 00 hex requests the output to be ON. A value of 00 00 requests it to be OFF. All other values are illegal and will not affect the output. The Request PDU specifies the address of the coil to be forced. Coils are addressed starting at zero. Therefore coil 1 is addressed as 0. The requested ON/OFF state is specified by a constant in the Coil Value field. A value of 0XFF00 requests the coil to be ON. A value of 0X0000 requests the coil to be off. All other values are illegal and will not affect the coil. The normal response is an echo of the request, returned after the coil state has been written. Request
Function code Output Address Output Value 1 Byte 2 Bytes 2 Bytes 0x05 0x0000 to 0xFFFF 0x0000 or 0xFF00

Response
Function code Output Address Output Value 1 Byte 2 Bytes 2 Bytes 0x05 0x0000 to 0xFFFF 0x0000 or 0xFF00

Error
Error code Exception code 1 Byte 1 Byte 0x85 01 or 02 or 03 or 04

Here is an example of a request to write Coil 173 ON:

Request Field Name Function Output Address Hi Output Address Lo Output Value Hi Output Value Lo (Hex) 05 00 AC FF 00 Response Field Name Function Output Address Hi Output Address Lo Output Value Hi Output Value Lo (Hex) 05 00 AC FF 00

modbus.org 8May02

http://www.modbus.org/

21/45

MODBUS Application Protocol Specification

MODBUS.ORG

ENTRY MB Server receives mb_req_pdu

NO Function code supported YES ExceptionCode = 01 NO Output Value == 0x0000 OR 0xFF00 YES ExceptionCode = 03 NO Output Address == OK

YES ExceptionCode = 02 Request Processing

NO WriteSingleOutput ==

OK

YES ExceptionCode = 04 MB Server Sends mb_rsp

MB Server Sends mb_exception_rsp

EXIT

Figure 14:

Write Single Output state diagram

6.6

06 (0x06) Write Single Register

This function code is used to write a single holding register in a remote device. The Request PDU specifies the address of the register to be written. Registers are addressed starting at zero. Therefore register 1 is addressed as 0. The normal response is an echo of the request, returned after the register contents have been written. Request
Function code Register Address Register Value 1 Byte 2 Bytes 2 Bytes 0x06 0x0000 to 0xFFFF 0x0000 or 0xFFFF

Response
Function code Register Address Register Value 1 Byte 2 Bytes 2 Bytes 0x06 0x0000 to 0xFFFF 0x0000 or 0xFFFF

Error
Error code Exception code 1 Byte 1 Byte 0x86 01 or 02 or 03 or 04

modbus.org 8May02

http://www.modbus.org/

22/45

MODBUS Application Protocol Specification

MODBUS.ORG

modbus.org 8May02

http://www.modbus.org/

23/45

MODBUS Application Protocol Specification

MODBUS.ORG

Here is an example of a request to write register 2 to 00 03 hex:

Request Field Name Function Register Address Hi Register Address Lo Register Value Hi Register Value Lo (Hex) 06 00 01 00 03 Response Field Name Function Register Address Hi Register Address Lo Register Value Hi Register Value Lo (Hex) 06 00 01 00 03

ENTRY MB Server receives mb_req_pdu

NO Function code supported YES ExceptionCode = 01 NO 0x0000 Register Value 0xFFFF

YES ExceptionCode = 03 NO Register Address == OK

YES ExceptionCode = 02 Request Processing

NO

WriteSingleRegister ==

OK

YES ExceptionCode = 04 MB Server Sends mb_rsp

MB Server Sends mb_exception_rsp

EXIT

Figure 15:

Write Single Register state diagram

modbus.org 8May02

http://www.modbus.org/

24/45

MODBUS Application Protocol Specification

MODBUS.ORG

6.7

15 (0x0F) Write Multiple Coils

This function code is used to force each coil in a sequence of coils to either ON or OFF in a remote device. The Request PDU specifies the coil references to be forced. Coils are addressed starting at zero. Therefore coil 1 is addressed as 0. The requested ON/OFF states are specified by contents of the request data field. A logical '1' in a bit position of the field requests the corresponding output to be ON. A logical '0' requests it to be OFF. The normal response returns the function code, starting address, and quantity of coils forced. Request PDU
Function code Starting Address Quantity of Outputs Byte Count Outputs Value 1 Byte 2 Bytes 2 Bytes 1 Byte N* x 1 Byte 0x0F 0x0000 to 0xFFFF 0x0001 to 0x07B0 N*

*N = Quantity of Outputs / 8, if the remainder is different of 0 N = N+1 Response PDU

Function code Starting Address Quantity of Outputs 1 Byte 2 Bytes 2 Bytes 0x0F 0x0000 to 0xFFFF 0x0001 to 0x07B0

Error
Error code Exception code 1 Byte 1 Byte 0x8F 01 or 02 or 03 or 04

modbus.org 8May02

http://www.modbus.org/

25/45

MODBUS Application Protocol Specification

MODBUS.ORG

Here is an example of a request to write a series of 10 coils starting at coil 20: The request data contents are two bytes: CD 01 hex (1100 1101 0000 0001 binary). The binary bits correspond to the outputs in the following way: Bit: Output: 1 27 1 26 0 25 0 24 1 23 1 22 0 21 1 20 0 0 0 0 0 0 0 29 1 28

The first byte transmitted (CD hex) addresses outputs 27-20, with the least significant bit addressing the lowest output (20) in this set. The next byte transmitted (01 hex) addresses outputs 29-28, with the least significant bit addressing the lowest output (28) in this set. Unused bits in the last data byte should be zerofilled.
Request Field Name Function Starting Address Hi Starting Address Lo Quantity of Outputs Hi Quantity of Outputs Lo Byte Count Outputs Value Hi Outputs Value Lo (Hex) 0F 00 13 00 0A 02 CD 01 Response Field Name Function Starting Address Hi Starting Address Lo Quantity of Outputs Hi Quantity of Outputs Lo (Hex) 0F 00 13 00 0A

ENTRY MB Server receives mb_req_pdu

NO Function code supported YES ExceptionCode = 01 NO 0x0001 Quantity of Outputs 0x07B0 AND Byte Count = N* YES ExceptionCode = 03 NO Starting Address == OK AND Starting Address + Quantity of Outputs == OK YES ExceptionCode = 02 Request Processing *N = Quantity of Outputs / 8, if the remainder is different of 0 N = N+1

NO WriteMultipleOutputs

== OK

ExceptionCode = 04

YES MB Server Sends mb_rsp

MB Server Sends mb_exception_rsp

EXIT

modbus.org 8May02

http://www.modbus.org/

26/45

MODBUS Application Protocol Specification

MODBUS.ORG
Write Multiple Outputs state diagram

Figure 16:

modbus.org 8May02

http://www.modbus.org/

27/45

MODBUS Application Protocol Specification

MODBUS.ORG

6.8

16 (0x10) Write Multiple registers

This function code is used to write a block of contiguous registers (1 to approx. 120 registers) in a remote device. The requested written values are specified in the request data field. Data is packed as two bytes per register. The normal response returns the function code, starting address, and quantity of registers written. Request PDU
Function code Starting Address Quantity of Registers Byte Count Registers Value 1 Byte 2 Bytes 2 Bytes 1 Byte N* x 2 Bytes 0x10 0x0000 to 0xFFFF 0x0001 to 0x0078 2 x N* value

*N = Quantity of Registers Response PDU

Function code Starting Address Quantity of Registers 1 Byte 2 Bytes 2 Bytes 0x10 0x0000 to 0xFFFF 1 to 123 (0x7B)

Error
Error code Exception code 1 Byte 1 Byte 0x90 01 or 02 or 03 or 04

Here is an example of a request to write two registers starting at 2 to 00 0A and 01 02 hex:

Request Field Name Function Starting Address Hi Starting Address Lo Quantity of Registers Hi Quantity of Registers Lo Byte Count Registers Value Hi Registers Value Lo Registers Value Hi Registers Value Lo (Hex) 10 00 01 00 02 04 00 0A 01 02 Response Field Name Function Starting Address Hi Starting Address Lo Quantity of Registers Hi Quantity of Registers Lo (Hex) 10 00 01 00 02

modbus.org 8May02

http://www.modbus.org/

28/45

MODBUS Application Protocol Specification

MODBUS.ORG

ENTRY MB Server receives mb_req_pdu

NO Function code supported YES ExceptionCode = 01 NO 0x0001 Quantity of Registers 0x007B AND Byte Count == Quantity of Registers x 2 YES ExceptionCode = 03 NO Starting Address == OK AND Starting Address + Quantity of Registers == OK YES ExceptionCode = 02 Request Processing

NO WriteMultipleRegisters

== OK

ExceptionCode = 04

YES MB Server Sends mb_rsp

MB Server Sends mb_exception_rsp

EXIT

Figure 17:

Write Multiple Registers state diagram

6.9

20 (0x14) Read File Record

This function code is used to perform a file record read. All Request Data Lengths are provided in terms of number of bytes and all Record Lengths are provided in terms of registers. A file is an organization of records. Each file contains 10000 records, addressed 0000 to 9999 decimal or 0X0000 to 0X270F. For example, record 12 is addressed as 12. The function can read multiple groups of references. The groups can be separating (non-contiguous), but the references within each group must be sequential. Each group is defined in a separate sub-requestfield that contains 7 bytes: The reference type: 1 byte (must be specified as 6) The File number: 2 bytes The starting record number within the file: 2 bytes The length of the record to be read: 2 bytes.

modbus.org 8May02

http://www.modbus.org/

29/45

MODBUS Application Protocol Specification

MODBUS.ORG

The quantity of registers to be read, combined with all other fields in the expected response, must not exceed the allowable length of MODBUS messages: 256 bytes. The normal response is a series of sub-responses one for each , sub-request The byte count field is the total combined count of bytes . in all sub-responses In addition, each . sub-responsecontains a field that shows its own byte count. Request PDU
Function code Byte Count Sub-Req. x, Reference Type Sub-Req. x, File Number Sub-Req. x, Record Number Sub-Req. x, Register Length Sub-Req. x+1, ... 1 Byte 1 Byte 1 Byte 2 Bytes 2 Bytes 2 Bytes 0x14 0x07 to 0xF5 bytes 06 0x0000 to 0xFFFF 0x0000 to 0x270F N

Response PDU
Function code Resp. data Length Sub-Req. x, File Resp. length Sub-Req. x, Reference Type Sub-Req. x, Record Data Sub-Req. x+1, ... 1 Byte 1 Byte 1 Byte 1 Byte N x 2 Bytes 0x14 0x07 to 0xF5 0x07 to 0xF5 6

Error
Error code Exception code 1 Byte 1 Byte 0x94 01 or 02 or 03 or 04 or 08

Here is an example of a request to read two groups of references from remote device: Group 1 consists of two registers from file 4, starting at register 1 (address 0001). Group 2 consists of two registers from file 3, starting at register 9 (address 0009).
Request Field Name Function Byte Count Sub-Req. 1, Ref. Type Sub-Req. 1, File Number Hi Sub-Req. 1, File Number Lo Sub-Req. 1, Record number Hi Sub-Req. 1, Record number Lo Sub-Req. 1, Record Length Hi Sub-Req. 1, Record Length Lo Sub-Req. 2, Ref. Type Sub-Req. 2, File Number Hi Sub-Req. 2, File Number Lo Sub-Req. 2, Record number Hi Sub-Req. 2, Record number Lo (Hex) 14 0C 06 00 04 00 01 00 02 06 00 03 00 09 Response Field Name Function Resp. Data length Sub-Req. 1, File resp. length Sub-Req. 1, Ref. Type Sub-Req. 1, Record. Data Hi Sub-Req. 1, Record. Data Lo Sub-Req. 1, Record. Data Hi Sub-Req. 1, Record. Data Lo Sub-Req. 2, File resp. length Sub-Req. 2, Ref. Type Sub-Req. 2, Record. Data Hi Sub-Req. 2, Record. Data Lo Sub-Req. 2, Record. Data Hi Sub-Req. 2, Record. Data Lo (Hex) 14 0E 05 06 0D FE 00 20 05 06 33 CD 00 40

modbus.org 8May02

http://www.modbus.org/

30/45

MODBUS Application Protocol Specification

MODBUS.ORG

Sub-Req. 2, Record Length Hi Sub-Req. 2, Record Length Lo

00 02

ENTRY MB Server receives mb_req_pdu

NO Function code supported YES ExceptionCode = 01 NO 0x07 Byte Count 0xF5 For each Sub-Req YES ExceptionCode = 03 NO

Reference Type == OK AND File Number == OK AND Starting Address == OK AND Starting Address + Register Count == OK YES

ExceptionCode = 02 Request Processing

NO ReadGeneralReference

== OK

ExceptionCode = 04

YES MB Server Sends mb_rsp

MB Server Sends mb_exception_rsp

EXIT

Figure 18:

Read File Record state diagram

6.9.1

21 (0x15) Write File Record

This function code is used to perform a file record write. All Request Data Lengths are provided in terms of number of bytes and all Record Lengths are provided in terms of the number of 16-bit words. A file is an organization of records. Each file contains 10000 records, addressed 0000 to 9999 decimal or 0X0000 to 0X270F. For example, record 12 is addressed as 12. The function can write multiple groups of references. The groups can be separate, ie noncontiguous, but the references within each group must be sequential. Each group is defined in a separate sub-requestfield that contains 7 bytes plus the data:

The reference type: 1 byte (must be specified as 6) The file number: 2 bytes The starting record number within the file: 2 bytes
The length of the record to be written: 2 bytes

modbus.org 8May02

http://www.modbus.org/

31/45

MODBUS Application Protocol Specification

MODBUS.ORG

The data to be written: 2 bytes per register.

The quantity of registers to be written, combined with all other fields in the query, must not exceed the allowable length of MODBUS messages: 256 bytes.

The normal response is an echo of the request. Request PDU

Function code Request data length Sub-Req. x, Reference Type Sub-Req. x, File Number Sub-Req. x, Record Number Sub-Req. x, Record length Sub-Req. x, Record data Sub-Req. x+1, ... 1 Byte 1 Byte 1 Byte 2 Bytes 2 Bytes 2 Bytes N x 2 Bytes 0x15 0x07 to 0xF5 06 0x0000 to 0xFFFF 0x0000 to 0x270F N

Response PDU
Function code Response Data length Sub-Req. x, Reference Type Sub-Req. x, File Number Sub-Req. x, Record number Sub-Req. x, Record length Sub-Req. x, Record Data Sub-Req. x+1, ... 1 Byte 1 Byte 1 Byte 2 Bytes 2 Bytes 2 Bytes N x 2 Bytes 06 0x0000 to 0xFFFFF 0x0000 to 0xFFFFF 0x0000 to 0xFFFFF N 0x15

Error
Error code Exception code 1 Byte 1 Byte 0x95 01 or 02 or 03 or 04 or 08

Here is an example of a request to write one group of references into remote device: The group consists of three registers in file 4, sta rting at register 7 (address 0007).
Request Field Name Function Request Data length Sub-Req. 1, Ref. Type Sub-Req. 1, File Number Hi Sub-Req. 1, File Number Lo Sub-Req. 1, Record number Hi Sub-Req. 1, Record number Lo (Hex) 15 0D 06 00 04 00 07 Response Field Name Function Request Data length Sub-Req. 1, Ref. Type Sub-Req. 1, File Number Hi Sub-Req. 1, File Number Lo Sub-Req. 1, Record number Hi Sub-Req. 1, Record number Lo (Hex) 15 0D 06 00 04 00 07

modbus.org 8May02

http://www.modbus.org/

32/45

MODBUS Application Protocol Specification

MODBUS.ORG
Sub-Req. 1, Record length Hi Sub-Req. 1, Record length Lo Sub-Req. 1, Record Data Hi Sub-Req. 1, Record Data Lo Sub-Req. 1, Record Data Hi Sub-Req. 1, Record Data Lo Sub-Req. 1, Record Data Hi Sub-Req. 1, Reg. Data Lo 00 03 06 AF 04 BE 10 0D

Sub-Req. 1, Record length Hi Sub-Req. 1, Record length Lo Sub-Req. 1, Record Data Hi Sub-Req. 1, Record Data Lo Sub-Req. 1, Record Data Hi Sub-Req. 1, Record Data Lo Sub-Req. 1, Record Data Hi Sub-Req. 1, Reg. Data Lo

00 03 06 AF 04 BE 10 0D

ENTRY MB Server receives mb_req_pdu

NO Function code supported YES ExceptionCode = 01 NO 0x07 Byte Count 0xF5 For each Sub-Req YES ExceptionCode = 03 NO

Reference Type == OK AND File Number == OK AND Starting Address == OK AND Starting Address + Register Count == OK YES

ExceptionCode = 02 Request Processing

NO WriteGeneralReference

== OK

ExceptionCode = 04

YES MB Server Sends mb_rsp

MB Server Sends mb_exception_rsp

EXIT

Figure 19:

Write File Record state diagram

modbus.org 8May02

http://www.modbus.org/

33/45

MODBUS Application Protocol Specification

MODBUS.ORG

6.10 22 (0x16) Mask Write Register

This function code is used to modify the contents of a specified holding register using a combination of an AND mask, an OR mask, and the register's current contents. The function can be used to set or clear individual bits in the register. The request specifies the holding register to be written, the data to be used as the AND mask, and the data to be used as the OR mask. Registers are addressed starting at zero. Therefore registers 1-16 are addressed as 0-15. The function algorithm is: s Result = (Current Contents AND And_Mask) OR (Or_Mask AND And_Mask) For example: Hex Current Contents = And_Mask = Or_Mask = And_Mask = Result = 12 F2 25 0D 17 Binary 0001 0010 1111 0010 0010 0101 0000 1101 0001 0111

Note: That if the Or_Mask value is zero, the result is simply the logical ANDing of the current contents and And_Mask. If the And_Mask value is zero, the result is equal to the Or_Mask value. The contents of the register can be read with the Read Holding Registers function (function code 03). They could, however, be changed subsequently as the controller scans its user logic program.

The normal response is an echo of the request. The response is returned after the register has been written. Request PDU
Function code Reference Address And_Mask Or_Mask 1 Byte 2 Bytes 2 Bytes 2 Bytes 0x16 0x0000 to 0xFFFF 0x0000 to 0xFFFF 0x0000 to 0xFFFF

Response PDU
Function code Reference Address And_Mask Or_Mask 1 Byte 2 Bytes 2 Bytes 2 Bytes 0x16 0x0000 to 0xFFFF 0x0000 to 0xFFFF 0x0000 to 0xFFFF

Error
Error code Exception code 1 Byte 1 Byte 0x96 01 or 02 or 03 or 04

Here is an example of a Mask Write to register 5 in remote device, using the above mask values.
Request Field Name Function Reference address Hi (Hex) 16 00 Response Field Name Function Reference address Hi (Hex) 16 00

modbus.org 8May02

http://www.modbus.org/

34/45

MODBUS Application Protocol Specification

MODBUS.ORG
Reference address Lo And_Mask Hi And_Mask Lo Or_Mask Hi Or_Mask Lo 04 00 F2 00 25

Reference address Lo And_Mask Hi And_Mask Lo Or_Mask Hi Or_Mask Lo

04 00 F2 00 25

ENTRY MB Server receives mb_req_pdu

NO Function code supported YES ExceptionCode = 01 NO Reference Address == OK

YES ExceptionCode = 02 NO AND_Mask == OK AND OR_Mask == OK YES ExceptionCode = 03 Request Processing

NO MaskWriteRegister

== OK

ExceptionCode = 04

YES MB Server Sends mb_rsp

MB Server Sends mb_exception_rsp

EXIT

Figure 20:

Mask Write Holding Register state diagram

6.11 23 (0x17) Read/Write Multiple registers

This function code performs a combination of one read operation and one write operation in a single MODBUS transaction. Holding registers are addressed starting at zero. Therefore holding registers 1-16 are addressed as 0-15. The request specifies the starting address and number of holding registers to be read as well as the starting address, number of holding registers, and the data to be written. The byte count specifies the number of bytes to follow in the write data field. The normal response contains the data from the group of registers that were read. The byte count field specifies the quantity of bytes to follow in the read data field. Request PDU
Function code 1 Byte 0x17

modbus.org 8May02

http://www.modbus.org/

35/45

MODBUS Application Protocol Specification

MODBUS.ORG
0x0000 to 0xFFFF 0x0001 to approx.0x0076 0x0000 to 0xFFFF 0x0001 to approx. 0X0076 2 x N*

Read Starting Address Quantity to Read Write Starting Address Quantity to Write Write Byte Count Write Registers Value

2 Bytes 2 Bytes 2 Bytes 2 Bytes 1 Byte N* x 2 Bytes

*N = Quantity to Write

Response PDU
Function code Byte Count Read Registers value 1 Byte 1 Byte N'* x 2 Bytes 0x17 2 x N'*

*N' = Quantity to Read Error

Error code Exception code 1 Byte 1 Byte 0x97 01 or 02 or 03 or 04

Here is an example of a request to read six registers starting at register 4, and to write three registers starting at register 15:
Request Field Name Function Read Starting Address Hi Read Starting Address Lo Quantity to Read Hi Quantity to Read Lo Write Starting Address Hi Write Starting address Lo Quantity to Write Hi Quantity to Write Lo Write Byte Count Write Registers Value Hi Write Registers Value Lo Write Registers Value Hi Write Registers Value Lo Write Registers Value Hi Write Registers Value Lo (Hex) 17 00 03 00 06 00 0E 00 03 06 00 FF 00 FF 00 FF Response Field Name Function Byte Count Read Registers value Hi Read Registers value Lo Read Registers value Hi Read Registers value Lo Read Registers value Hi Read Registers value Lo Read Registers value Hi Read Registers value Lo Read Registers value Hi Read Registers value Lo Read Registers value Hi Read Registers value Lo (Hex) 17 0C 00 FE 0A CD 00 01 00 03 00 0D 00 FF

modbus.org 8May02

http://www.modbus.org/

36/45

MODBUS Application Protocol Specification

MODBUS.ORG

ENTRY MB Server receives mb_req_pdu

NO Function code supported YES ExceptionCode = 01 NO 0x0001 Quantity of Read 0x007D AND 0x0001 Quantity of Write 0x0079 AND Byte Count == Quantity of Write x 2

YES ExceptionCode = 03 Read Starting Address == OK AND Read Starting Address + Quantity of Read == OK AND Write Starting Address == OK AND Write Starting Address + Quantity of Write == OK YES ExceptionCode = 02 Request Processing

NO

NO Read/WriteMultipleRegisters == OK

ExceptionCode = 04

YES MB Server Sends mb_rsp

MB Server Sends mb_exception_rsp

EXIT

Figure 21:

Read/Write Multiple Registers state diagram

modbus.org 8May02

http://www.modbus.org/

37/45

MODBUS Application Protocol Specification

MODBUS.ORG

6.12 43 (0x2B) Read Device Identification

This function code allows reading the identification and additional information relative to the physical and functional description of a remote device. The Read Device Identification interface is modeled as an address space composed of a set of addressable data elements. The data elements are called objects and an object Id identifies them. The interface consists of 3 categories of objects : Basic Device Identification. All objects of this category are mandatory : VendorName, Product code, and revision number. Regular Device Identification. In addition to Basic data objects, the device provides additional and optional identification and description data objects. All of the objects of this category are defined in the standard but their implementation is optional . Extended Device Identification. In addition to regular data objects, the device provides additional and optional identification and description private data. All of these data are device dependent. Object Id 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 0x7F 0x80 0xFF Request PDU
Function code MEI Type Read Device ID code Object Id 1 Byte 1 Byte 1 Byte 1 Byte 0x2B 0x0E

Object Name / Description VendorName ProductCode MajorMinorRevision VendorUrl ProductName ModelName UserApplicationName Reserved

Type ASCII String ASCII String ASCII String ASCII String ASCII String ASCII String ASCII String

M/O Mandatory Mandatory Mandatory Optional Optional Optional Optional Optional

category Basic

Regular

Private objects may be optionally defined The range [0x80 0xFF] is Product dependant.

device dependant

Optional

Extended

01 / 02 / 03 / 04 0x00 to 0xFF

Response PDU
Function code MEI Type Read Device ID code Conformity level More Folows Next Object Id Number of objects List Of Object ID 1 Byte 1 Byte 1 byte 1 Byte 1 Byte 1 Byte 1 Byte 1 Byte 00 / FF Object ID number 0x2B 0x0E

01 / 02 / 03 / 04

modbus.org 8May02

http://www.modbus.org/

38/45

MODBUS Application Protocol Specification

MODBUS.ORG

Object length Object Value

1 Byte 1 Byte

Error
Function code MEI Type Exception code 1 Byte 1 Byte 1 Byte 0xAB : Fc 0x2B + 0x80 14 01, 02, 03, 04

Request parameters decsription : A Modbus Encapsulated Interface assigned number 14 identifies the Read identification request. Four access types are defined : 01 : request to get the basic device identification (stream access) 02 : request to get the regular device identification (stream access) 03 : request to get the extended device identification (stream access) 04 : request to get one specific identification object (individual access) In the case where the identification data does not fit into a single response, several request/response transactions may be required. The Object Id byte gives the identification of the first object to obtain. For the first transaction, the client must set the Object Id to 0 to obtain the start of the device identification data. For the following transactions, the client must set the Object Id to the value returned by the server in its previous response. If the Object Id does not match any known object, the server responds as if object 0 were pointed out (restart at the beginning). In case of an individual access: ReadDevId code 04, the Object Id in the request gives the identification of the object to obtain. If the Object Id doesn't match to any known object, the server returns an exception response with exception code = 02 (Illegal data address). Response parameter description : Function code : MEI Type ReadDevId code : Conformity Level Function code 43 (decimal) 0x2B (hex) 14 (0x0E) MEI Type assigned number for Device Identification Interface Same as request ReadDevId code : 01, 02, 03 or 04 Identification conformity level of the device and type of supported access 01 : basic identification (stream access only) 02 : regular identification (stream access only) 03 : extended identification (stream access only) 81 : basic identification (stream access a nd individual access) 82 : regular identification (stream access and individual access) 83 : extended identification (stream access and individual access) In case of ReadDevId codes 01, 02 or 03 (stream access), If the identification data doesn't fit into a single response, several request/response transactions may be required. 00 : no more Object are available FF : other identification Object are available and further Modbus transactions are required In case of ReadDevId code 04 (individual access), this field must be set to 00. If "MoreFollows = FF", identification of the next Object to be asked for. if "MoreFollows = 00", must be set to 00 (useless) Number of identification Object returned in the response (for an individual access, Number Of Objects = 1) Identification of the first Object returned in the PDU (stream access) or the requested Object (individual access)

More Follows

Next Object Id Number Of Objects Object0.Id

modbus.org 8May02

http://www.modbus.org/

39/45

MODBUS Application Protocol Specification

MODBUS.ORG

Object0.Length Object0.Value ObjectN.Id ObjectN.Length ObjectN.Value

Length of the first Object in byte Value of the first Object (Object0.Length bytes) Identification of the last Object (within the response) Length of the last Object in byte Value of the last Object (ObjectN.Length bytes)

Example of a Read Device Identification request for "Basic device identification" : In this example all information are sent in one response PDU.

Request Field Name Function MEI Type Read Dev Id code Object Id Value 2B 0E 01 00

Response Field Name Function MEI Type Read Dev Id Code Conformity Level More Follows NextObjectId Number Of Objects Object Id Object Length Object Value Object Id Object Length Object Value Object Id Object Length Object Value Value 2B 0E 01 01 00 00 03 00 16 " Company identification" 01 0A " Product code " 02 05 "V2.11"

In case of a device that required several transactions to send the response the following transactions is intiated. First transaction :
Request Field Name Function MEI Type Read Dev Id code Object Id Value 2B 0E 01 00 Response Field Name Function MEI Type Read Dev Id Code Conformity Level More Follows NextObjectId Number Of Objects Object Id Object Length Object Value Value 2B 0E 01 01 FF 02 03 00 16 " Company identification"

modbus.org 8May02

http://www.modbus.org/

40/45

MODBUS Application Protocol Specification

MODBUS.ORG
Object Id Object Length Object Value 01 1A " Product code XXXXXXXXXXXXXXXX"

Second transaction :
Request Field Name Function MEI Type Read Dev Id code Object Id Value 2B 0E 01 02 Response Field Name Function MEI Type Read Dev Id Code Conformity Level More Follows NextObjectId Number Of Objects Object Id Object Length Object Value Value 2B 0E 01 01 00 00 03 02 05 "V2.11"

modbus.org 8May02

http://www.modbus.org/

41/45

MODBUS Application Protocol Specification

MODBUS.ORG

ENTRY MB Server receives mb_req_pdu

NO Function code supported YES ExceptionCode = 01 NO

Object Id OK
YES

ExceptionCode = 02 Request Processing

Segmentation required

NO More follows = FF Next Object ID = XX

More follows = 00 Next Object ID = 00

MB Server Sends mb_rsp

MB Server Sends mb_exception_rsp

EXIT

Figure 22:

Read Device Identification state diagram

modbus.org 8May02

http://www.modbus.org/

42/45

MODBUS Application Protocol Specification

MODBUS.ORG

MODBUS Exception Responses

When a client device sends a request to a server device it expects a normal response. One of four possible events can occur from the master query: s If the server device receives the request without a communication error, and can handle the query normally, it returns a normal response. If the server does not receive the request due to a communication error, no response is returned. The client program will eventually process a timeout condition for the request. If the server receives the request, but detects a communication error (parity, LRC, CRC, ...), no response is returned. The client program will eventually process a timeout condition for the request. If the server receives the request without a communication error, but cannot handle it (for example, if the request is to read a non existent output or register), the server will return an exception response informing the client of the nature of the error. The exception response message has two fields that differentiate it from a normal response: Function Code Field: In a normal response, the server echoes the function code of the original request in the function code field of the response. All function codes have a mostsignificant bit (MSB) of 0 (their values are all below 80 hexadecimal). In an exception response, the server sets the MSB of the function code to 1. This makes the function code value in an exception response exactly 80 hexadecimal higher than the value would be for a normal response. With the function code MSB set, the client's application program can recognize the exception response and can examine the data field s for the exception code. Data Field: In a normal response, the server may return data or statistics in the data field (any information that was requested in the request). In an exception response, the server returns an exception code in the data field. This defines the server condition that caused the exception. Example of a client request and server exception response
Request Field Name Function Starting Address Hi Starting Address Lo Quantity of Outputs Hi Quantity of Outputs Lo (Hex) 01 04 A1 00 01 Response Field Name Function Exception Code (Hex) 81 02

In this example, the client addresses a request to server device. The function code (01) is for a Read Output Status operation. It requests the status of the output at address 1245 (04A1 hex). Note that only that one output is to be read, as specified by the number of outputs field (0001). If the output address is nonexistent in the server device, the server will return the exception response with the exception code shown (02). This specifies an illegal data address for the slave. A listing of exception codes begins on the next page.

modbus.org 8May02

http://www.modbus.org/

43/45

MODBUS Application Protocol Specification

MODBUS.ORG

MODBUS Exception Codes Code 01 Name ILLEGAL FUNCTION Meaning The function code received in the query is not an allowable action for the server (or slave). This may be because the function code is only applicable to newer devices, and was not implemented in the unit selected. It could also indicate that the server (or slave) is in the wrong state to process a request of this type, for example because it is unconfigured and is being asked to return register values. The data address received in the query is not an allowable address for the server (or slave). More specifically, the combination of reference number and transfer length is invalid. For a controller with 100 registers, a request with offset 96 and length 4 would succeed, a request with offset 96 and length 5 will generate exception 02. A value contained in the query data field is not an allowable value for server (or slave). This indicates a fault in the structure of the remainder of a complex request, such as that the implied length is incorrect. It specifically does NOT mean that a data item submitted for storage in a register has a value outside the expectation of the application program, since the MODBUS protocol is unaware of the significance of any particular value of any particular register. An unrecoverable error occurred while the server (or slave) was attempting to perform the requested action. Specialized use in conjunction with programming commands. The server (or slave) has accepted the request and is processing it, but a long duration of time will be required to do so. This response is returned to prevent a timeout error from occurring in the client (or master). The client (or master) can next issue a Poll Program Complete message to determine if processing is completed. 06 SLAVE DEVICE BUSY Specialized use in conjunction with programming commands. The server (or slave) is engaged in processing a long duration program command. The client (or master) should retransmit the message later when the server (or slave) is free. 08 MEMORY PARITY ERROR Specialized use in conjunction with function codes 20 and 21 and reference type 6, to indicate that the extended file area failed to pass a consistency check. The server (or slave) attempted to read record file, but detected a parity error in the memory. The client (or master) can retry the request, but service may be required on the server (or slave) device. 0A GATEWAY PATH UNAVAILABLE Specialized use in conjunction with gateways, indicates that the gateway was unable to allocate an internal communication path from the input port to the output port for processing the request. Usually means that the gateway is misconfigured or overloaded. Specialized use in conjunction with gateways, indicates that no response was obtained from the target device. Usually means that the device is not present on the network.

02

ILLEGAL DATA ADDRESS

03

ILLEGAL DATA VALUE

04 05

SLAVE DEVICE FAILURE ACKNOWLEDGE

0B

GATEWAY TARGET DEVICE FAILED TO RESPOND

modbus.org 8May02

http://www.modbus.org/

44/45

MODBUS Application Protocol Specification

MODBUS.ORG

modbus.org 8May02

http://www.modbus.org/

45/45