Modbus Reference

Free reference guide: Modbus Reference

About Modbus Reference

The Modbus Reference is a complete protocol guide covering both Modbus RTU (serial RS-485) and Modbus TCP/IP communication. It documents all standard function codes: FC01 (Read Coils), FC02 (Read Discrete Inputs), FC03 (Read Holding Registers -- the most commonly used), FC04 (Read Input Registers), FC05 (Write Single Coil), FC06 (Write Single Register), FC15 (Write Multiple Coils), FC16 (Write Multiple Registers), and FC23 (Read/Write Multiple Registers in a single transaction). Each function code includes the complete request and response frame structure with byte-level hex examples.

For Modbus RTU, the reference details the serial frame format (slave address, function code, data, CRC16), RS-485 physical layer settings (baud rate 9600/19200/38400, 8-N-1 or 8-E-1 parity, frame gap of 3.5 character times), and the CRC16 error detection algorithm (initial value 0xFFFF, polynomial 0xA001, LSB-first transmission). For Modbus TCP, it covers the MBAP header structure (Transaction ID, Protocol ID, Length, Unit ID), default port 502, keep-alive connections, and the Unit ID gateway bridging concept for accessing RTU slaves through a TCP gateway.

The reference also covers critical data handling topics: the traditional 5-digit register address map (00001-09999 coils, 10001-19999 discrete inputs, 30001-39999 input registers, 40001-49999 holding registers) and protocol-to-traditional address conversion, IEEE 754 32-bit floating point encoding across 2 registers with all four byte order variants (Big Endian AB CD, Little Endian CD AB, Byte Swap BA DC, Word Swap DC BA), 32-bit integer handling, exception response codes (01-06), timeout and retry strategies, polling optimization, Modbus/TCP Security with TLS 1.2+, and practical application examples for VFD inverter control, temperature transmitter communication, and power meter register maps.

Key Features

  • All Modbus function codes with hex frame examples: FC01 Read Coils, FC02 Read Discrete Inputs, FC03 Read Holding Registers, FC04 Read Input Registers, FC05/FC06 Write Single, FC15/FC16 Write Multiple, FC23 Read/Write combo
  • RTU serial protocol: frame structure (slave + FC + data + CRC16), RS-485 settings (9600/19200/38400 baud, 8-N-1/8-E-1), CRC16 algorithm (0xFFFF init, 0xA001 polynomial, LSB-first)
  • TCP/IP protocol: MBAP header (Transaction ID, Protocol ID, Length, Unit ID), port 502, ADU size limits, keep-alive, and Unit ID gateway bridging for RTU-behind-TCP architectures
  • Register address map: traditional 5-digit notation (00001 coils, 10001 discrete, 30001 input regs, 40001 holding regs) with protocol address conversion formulas
  • IEEE 754 32-bit float encoding across 2 registers: Big Endian (AB CD), Little Endian (CD AB), Byte Swap (BA DC), Word Swap (DC BA) with worked example (25.5 = 0x41CC0000)
  • Exception response codes: 01 Illegal Function, 02 Illegal Data Address, 03 Illegal Data Value, 04 Slave Device Failure, 05 Acknowledge, 06 Slave Device Busy
  • Communication optimization: timeout strategies (RTU 100-1000ms, TCP 1000ms), 3-retry policy, polling intervals (fast 100-500ms, medium 1-5s, slow 10-60s), and Modbus/TCP Security (TLS 1.2+, port 802)
  • Real-world application examples: VFD inverter control registers (run/stop, frequency, current), temperature transmitter communication (temp, sensor status, alarm setpoints), and Eastron SDM power meter register map (voltage, current, power, energy)

Frequently Asked Questions

What is the difference between Modbus RTU and Modbus TCP?

Modbus RTU operates over RS-485 serial connections with frames containing slave address, function code, data, and CRC16 error checking. It uses baud rates of 9600-38400 and requires 3.5-character-time gaps between frames. Modbus TCP operates over Ethernet using TCP/IP on port 502, with an MBAP header (Transaction ID, Protocol ID, Length, Unit ID) in place of the CRC16, since TCP provides its own error checking. TCP supports multiple simultaneous clients (typically 8-16) and allows bridging to RTU slaves via gateway devices using the Unit ID field.

How do the Modbus register address ranges work?

The traditional 5-digit Modbus addressing uses four ranges: 00001-09999 for coils (digital outputs, read/write with FC01/05/15), 10001-19999 for discrete inputs (digital inputs, read-only with FC02), 30001-39999 for input registers (analog inputs, read-only with FC04), and 40001-49999 for holding registers (read/write with FC03/06/16). The actual protocol address is the traditional address minus the range base: holding register 40001 maps to protocol address 0, 40100 maps to address 99.
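The conversion described above, as an added example that is not part of the reference guide: it maps a traditional 5-digit address to its table, zero-based protocol address and read function code, and back again. The table names and the `ModbusAddress` structure are this example's own choices.

```python
# Added example: traditional 5-digit Modbus address <-> protocol address.
from dataclasses import dataclass

# Traditional range base, range top and the read function code for each table.
TABLES = {
    "coil":             (1,     9999,  0x01),   # 00001-09999, FC01
    "discrete_input":   (10001, 19999, 0x02),   # 10001-19999, FC02
    "input_register":   (30001, 39999, 0x04),   # 30001-39999, FC04
    "holding_register": (40001, 49999, 0x03),   # 40001-49999, FC03
}

WRITABLE_TABLES = ("coil", "holding_register")  # FC05/15 and FC06/16 targets


@dataclass(frozen=True)
class ModbusAddress:
    table: str
    protocol_address: int   # zero-based address sent on the wire
    read_function: int      # function code used to read this table
    writable: bool          # whether a write function code exists for it


def traditional_to_protocol(traditional: int) -> ModbusAddress:
    """Map e.g. 40100 -> holding register, protocol address 99, FC03."""
    for table, (base, top, fc) in TABLES.items():
        if base <= traditional <= top:
            return ModbusAddress(table, traditional - base, fc,
                                 writable=table in WRITABLE_TABLES)
    # 20001-29999 and anything above 49999 have no traditional meaning.
    raise ValueError(f"{traditional} is not in any traditional Modbus range")


def protocol_to_traditional(table: str, protocol_address: int) -> int:
    """Inverse mapping: ('holding_register', 99) -> 40100."""
    base, top, _ = TABLES[table]
    if not 0 <= protocol_address <= top - base:
        raise ValueError(f"protocol address {protocol_address} out of range for {table}")
    return base + protocol_address


if __name__ == "__main__":
    for addr in (40001, 40100, 10001, 30005):
        print(addr, traditional_to_protocol(addr))
```

Rejecting out-of-range input up front matters in practice: sending a bad offset to a device produces an exception 02 (Illegal Data Address) round trip, and a write into the wrong table is not caught by the protocol at all.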

How do I calculate CRC16 for Modbus RTU?

The CRC16 algorithm starts with an initial value of 0xFFFF. For each byte in the message (excluding CRC): XOR the byte with the CRC, then repeat 8 times -- if the LSB is 1, right-shift CRC and XOR with polynomial 0xA001; if LSB is 0, just right-shift. The final CRC is transmitted LSB-first (low byte before high byte). For example, the frame 01 03 00 00 00 01 produces CRC 84 0A, transmitted as the full frame 01 03 00 00 00 01 84 0A.
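The algorithm above, implemented as an added example that is not code from the reference guide. It appends the CRC low byte first and also checks an incoming frame, which is the part a receiver must get right before it acts on any byte of the payload. The frame used is the guide's own `01 03 00 00 00 01`; the helper names are this example's.

```python
# Added example: Modbus RTU CRC16 (init 0xFFFF, polynomial 0xA001, LSB-first).


def crc16_modbus(data: bytes) -> int:
    """Return the 16-bit CRC of `data` as an integer (high byte in bits 15..8)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 0x0001:              # LSB set: shift and XOR the polynomial
                crc = (crc >> 1) ^ 0xA001
            else:                         # LSB clear: shift only
                crc >>= 1
    return crc


def append_crc(frame_body: bytes) -> bytes:
    """Append the CRC to an address+function+data body, low byte first."""
    crc = crc16_modbus(frame_body)
    return frame_body + bytes([crc & 0xFF, crc >> 8])


def verify_frame(frame: bytes) -> bool:
    """True if the last two bytes are the correct CRC of everything before them."""
    if len(frame) < 4:                    # address + FC + 2 CRC bytes at minimum
        return False
    body, low, high = frame[:-2], frame[-2], frame[-1]
    return crc16_modbus(body) == ((high << 8) | low)


if __name__ == "__main__":
    body = bytes.fromhex("010300000001")          # unit 1, FC03, addr 0, qty 1
    frame = append_crc(body)
    print(frame.hex(" "))                         # 01 03 00 00 00 01 84 0a
    print(verify_frame(frame))                    # True
    corrupted = bytes([frame[0], frame[1], 0x10]) + frame[3:]
    print(verify_frame(corrupted))                # False
```

Note that `verify_frame` compares the whole 16-bit value, not just one byte: a receiver that checks only part of the CRC will accept many corrupted frames, and a frame with a bad CRC must be dropped silently rather than answered with an exception.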

How do I handle 32-bit floating point values across two Modbus registers?

A 32-bit IEEE 754 float occupies two consecutive 16-bit registers. The byte order varies by manufacturer -- there are four common variants. Taking 25.5 (0x41CC0000) as an example: Big Endian (AB CD) stores 0x41CC in Reg[0] and 0x0000 in Reg[1]. Little Endian (CD AB) reverses the register order. Byte Swap (BA DC) swaps bytes within each register. Word Swap (DC BA) combines both. Always check the device documentation or test with known values to determine the correct byte order.
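The four register layouts above, as an added example that is not part of the reference guide. It encodes and decodes a float in each order and includes a small probe that does what the last sentence recommends: given a register pair and a known reference value, it reports which order reproduces that value. The order names follow the guide's labels; the function names are this example's.

```python
# Added example: IEEE 754 float across two Modbus registers, four byte orders.
import struct

# Position of each big-endian byte (A=0, B=1, C=2, D=3) in the wire order.
ORDERS = {
    "big_endian":    (0, 1, 2, 3),   # AB CD
    "little_endian": (2, 3, 0, 1),   # CD AB
    "byte_swap":     (1, 0, 3, 2),   # BA DC
    "word_swap":     (3, 2, 1, 0),   # DC BA
}


def float_to_registers(value: float, order: str) -> list[int]:
    """Encode `value` as two 16-bit registers in the given byte order."""
    big = struct.pack(">f", value)                   # bytes A B C D
    wire = bytes(big[i] for i in ORDERS[order])
    return [(wire[0] << 8) | wire[1], (wire[2] << 8) | wire[3]]


def registers_to_float(regs: list[int], order: str) -> float:
    """Decode two 16-bit registers back to a float using the given byte order."""
    wire = bytes([regs[0] >> 8, regs[0] & 0xFF, regs[1] >> 8, regs[1] & 0xFF])
    big = bytearray(4)
    for wire_pos, big_pos in enumerate(ORDERS[order]):
        big[big_pos] = wire[wire_pos]
    return struct.unpack(">f", bytes(big))[0]


def detect_order(regs: list[int], known_value: float, tolerance: float = 1e-6) -> list[str]:
    """Return the orders under which `regs` decode to `known_value`.

    Use with a register the device documentation gives a fixed value for,
    or one you can read while the physical quantity is known (e.g. 25.5 deg).
    """
    matches = []
    for order in ORDERS:
        decoded = registers_to_float(regs, order)
        if decoded == decoded and abs(decoded - known_value) <= tolerance:  # NaN-safe
            matches.append(order)
    return matches


if __name__ == "__main__":
    for order in ORDERS:
        regs = float_to_registers(25.5, order)
        print(f"{order:14s} {regs[0]:04X} {regs[1]:04X} -> {registers_to_float(regs, order)}")
    print(detect_order([0x0000, 0xCC41], 25.5))   # ['word_swap']
```

A single probe value can be ambiguous for symmetric bit patterns (0.0 encodes identically in all four orders), so probe with a value whose four bytes differ, as 25.5 does.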

What do the Modbus exception response codes mean?

When a slave device encounters an error, it responds with the function code OR-ed with 0x80 (e.g., FC03 error becomes 0x83) followed by an exception code: 01 Illegal Function (function not supported), 02 Illegal Data Address (register address out of range), 03 Illegal Data Value (value out of valid range), 04 Slave Device Failure (internal device error), 05 Acknowledge (request accepted but processing), 06 Slave Device Busy (device occupied, retry later).
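The exception format above, together with the MBAP framing described in the RTU-versus-TCP answer, as one added example that is not code from the reference guide. It builds an FC03 request with an MBAP header, then parses a response, checking the Transaction ID, Protocol ID and Length fields before looking at the function code and raising a typed error for an exception response. The sample frames are constructed for this example and the class and function names are its own.

```python
# Added example: Modbus TCP FC03 request/response with exception decoding.
import struct

EXCEPTION_CODES = {
    0x01: "Illegal Function",
    0x02: "Illegal Data Address",
    0x03: "Illegal Data Value",
    0x04: "Slave Device Failure",
    0x05: "Acknowledge",
    0x06: "Slave Device Busy",
}


class ModbusException(Exception):
    """Raised when the server answers with the function code OR 0x80."""

    def __init__(self, function: int, code: int):
        self.function = function
        self.code = code
        name = EXCEPTION_CODES.get(code, "Unknown exception")
        super().__init__(f"FC{function:02d} rejected: exception {code:02X} ({name})")


def build_read_holding_request(transaction_id: int, unit_id: int,
                               start_address: int, quantity: int) -> bytes:
    """MBAP header + FC03 PDU. Length counts Unit ID plus the PDU."""
    if not 1 <= quantity <= 125:          # FC03 limit so the response fits one ADU
        raise ValueError("quantity must be 1..125")
    pdu = struct.pack(">BHH", 0x03, start_address, quantity)
    mbap = struct.pack(">HHHB", transaction_id, 0x0000, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_read_holding_response(frame: bytes, expected_transaction_id: int) -> list[int]:
    """Validate the MBAP header, then return the register values or raise."""
    if len(frame) < 9:                    # MBAP (7) + FC (1) + at least 1 byte
        raise ValueError("frame too short")
    tid, pid, length, _unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0x0000:
        raise ValueError(f"unexpected Protocol ID {pid:#06x}")
    if tid != expected_transaction_id:    # stale or mismatched reply: do not trust it
        raise ValueError(f"transaction ID mismatch: got {tid}, expected {expected_transaction_id}")
    if length != len(frame) - 6:          # Length covers everything after itself
        raise ValueError("MBAP length does not match frame size")
    function = frame[7]
    if function & 0x80:                   # exception response: one code byte follows
        raise ModbusException(function & 0x7F, frame[8])
    if function != 0x03:
        raise ValueError(f"unexpected function code {function:#04x}")
    byte_count = frame[8]
    data = frame[9:]
    if byte_count != len(data) or byte_count % 2:
        raise ValueError("byte count does not match payload")
    return list(struct.unpack(f">{byte_count // 2}H", data))


if __name__ == "__main__":
    req = build_read_holding_request(1, 1, 0, 2)   # tid 1, unit 1, 40001..40002
    print(req.hex(" "))                            # 00 01 00 00 00 06 01 03 00 00 00 02
    ok = bytes.fromhex("00010000000701030441CC0000")   # constructed normal reply
    print([f"{r:04X}" for r in parse_read_holding_response(ok, 1)])
    bad = bytes.fromhex("000100000003018302")          # constructed exception reply
    try:
        parse_read_holding_response(bad, 1)
    except ModbusException as exc:
        print(exc)                                     # FC03 rejected: exception 02 ...
```

Checking Transaction ID and Length before reading the payload is what keeps a client from acting on a delayed reply to an earlier request, or on a truncated frame arriving across a TCP segment boundary.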

What are the recommended timeout and polling settings?

For RTU: response timeout of 100-1000ms (depending on slave response time), frame gap of 3.5 character times (about 4ms at 9600bps, 2ms at 19200bps), and 3 retries before declaring failure. For TCP: connection timeout of 3000ms, response timeout of 1000ms, and 30-second keep-alive intervals. Polling strategy: 100-500ms for fast process variables, 1-5 seconds for status and alarms, 10-60 seconds for setpoints and accumulated counters. Read contiguous address blocks and use FC23 to combine reads and writes.

How do I control a VFD inverter via Modbus?

Typical inverter Modbus registers include: holding register 40001 as the control word (0001 = forward run, 0002 = reverse, 0003 = deceleration stop), 40002 for frequency setpoint in 0.01 Hz units (3000 = 30.00 Hz), 40003 for actual frequency monitor, and 40004 for current monitor in 0.1A units. Use FC06 to write single registers for setpoint changes and FC03 to read monitoring values. Always verify the specific register map in the inverter manual, as addresses vary by manufacturer.

What is Modbus/TCP Security and how does it work?

Modbus/TCP Security, specified in 2018, adds TLS 1.2+ encryption and X.509 certificate-based authentication to Modbus TCP on port 802 (instead of the standard 502). It includes role-based access control (RBAC) to restrict which clients can perform read vs. write operations. For legacy Modbus devices that do not support the security extension, alternatives include VPN tunneling to encrypt the connection, firewall rules to restrict access to authorized IP addresses, and VLAN segregation to isolate the Modbus network from the corporate network.