Modbus

Modbus is a serial communications protocol originally

published by Modicon (now Schneider Electric) in 1979
for use with its programmable logic controllers (PLCs).
Simple and robust, it has since become a de facto standard
communication protocol, and it is now a commonly available means of connecting industrial electronic devices.[1]
The main reasons for the use of Modbus in the industrial
environment are:

acknowledged). All Modbus commands contain checksum information, to allow the recipient to detect transmission errors. The basic Modbus commands can instruct
an RTU to change the value in one of its registers, control or read an I/O port, and command the device to send
back one or more values contained in its registers.

There are many modems and gateways that support Modbus, as it is a very simple protocol and often copied. Some
of them were specically designed for this protocol. Difdeveloped with industrial applications in mind
ferent implementations use wireline, wireless communication, such as in the ISM band, and even short message
openly published and royalty-free
service (SMS) or General Packet Radio Service (GPRS).
One of the more common designs of wireless networks
easy to deploy and maintain
makes use of Mesh networking. Typical problems that
designers have to overcome include high latency and timmoves raw bits or words without placing many reing issues.
strictions on vendors

Modbus enables communication among many (approxi- 2 Frame format

mately 247) devices connected to the same network, for
example a system that measures temperature and humidA Modbus frame is composed of an Application Data
ity and communicates the results to a computer. Modbus
Unit (ADU) which encloses a Protocol Data Unit
is often used to connect a supervisory computer with a
(PDU):[5]
remote terminal unit (RTU) in supervisory control and
data acquisition (SCADA) systems. Many of the data
ADU = Address + PDU + Error check
types are named from its use in driving relays: a single-bit
physical output is called a coil, and a single-bit physical
PDU = Function code + Data
input is called a discrete input or a contact.
The development and update of Modbus protocols has All Modbus variants choose one of the following frame
been managed by the Modbus Organization[2] since April formats.[1]
2004, when Schneider Electric transferred rights to that Note about the CRC:
organization.[3] The Modbus Organization is an association of users and suppliers of Modbus compliant de Polynomial: x16 + x15 + x2 + 1 (CRC-16-ANSI also
vices that seeks to drive the adoption and evolution of
known as CRC-16-IBM, normal hexadecimal algeModbus.[4]
braic polynomial being 8005 and reversed A001)
Initial value: 65,535

Communication and devices

Example of frame in hexadecimal: 01 04 02 FF

FF B8 80 (CRC-16-ANSI calculation from 01 to
FF gives 80B8 which is transmitted least signicant
byte rst)

Each device intended to communicate using Modbus is

given a unique address. In serial and MB+ networks, only
the node assigned as the Master may initiate a command.
On Ethernet, any device can send out a Modbus command, although usually only one master device does so.
A Modbus command contains the Modbus address of the
device it is intended for (1 to 247). Only the intended device will act on the command, even though other devices
might receive it (an exception is specic broadcastable
commands sent to node 0 which are acted on but not

Address, function, data, and LRC are all capital hexadecimal readable pairs of characters representing 8-bit values (0-255). For example, 122 (7x16+10) will be represented as 7A.
LRC is calculated as the sum of 8-bit values, negated
(twos complement) and encoded as an 8-bit value. Example: if address, function, and data encode as 247, 3,
1

4 FORMAT OF DATA OF REQUESTS AND RESPONSES FOR MAIN FUNCTION CODES

19, 137, 0, and 10, their sum is 416. Twos complement

Coil/discrete input values (8 coils/discrete inputs per
(416) trimmed to 8-bit is 96 (e.g. 256x2-416) which
byte)
will be represented as 60 in hexadecimal. Hence the following frame :F7031389000A60<CR><LF>
Value of each coil/discrete input is binary (0 for o, 1 for
Unit identier is used with Modbus/TCP devices that are on). First requested coil/discrete input is stored as least
composites of several Modbus devices, e.g. on Mod- signicant bit of rst byte in reply.
bus/TCP to Modbus RTU gateways. In such case, the unit If number of coils/discrete inputs is not a multiple of 8,
identier tells the Slave Address of the device behind the most signicant bit(s) of last byte will be stued with zegateway. Natively Modbus/TCP-capable devices usually ros.
For example, if eleven coils are requested, two bytes of
ignore the Unit Identier.
values are needed. Suppose states of those successive
The byte order for values in Modbus data frames is Big- coils are on, o, on, o, o, on, on, on, o, on, on, then
Endian (MSB, Most Signicant Byte of a value received data part of the response will be 02E506 in hexadecimal.
rst).

Supported function codes

4.2 Function code 5 (force/write single

coil)

The various reading, writing and other operations are Request:

categorised as follows.[6] The most primitive reads and
writes are shown in bold. A number of sources use alter Address of coil (16-bit)
native terminology, for example Force Single Coil where
Value to force/write: 0 for o and 65,280 (FF00 in
the standard uses Write Single Coil.[7]
hexadecimal) for on
Prominent entities within a Modbus slave are:
Coils: readable and writable, 1 bit (o/on)
Discrete Inputs: readable, 1 bit (o/on)
Input Registers: readable, 16 bits (0 to 65,535), essentially measurements and statuses
Holding Registers: readable and writable, 16 bits (0
to 65,535), essentially conguration values

Normal response: same as request.

4.3 Function code 15 (force/write multiple

coils)
Request:
Address of rst coil to force/write (16-bit)

Format of data of requests and

responses for main function
codes

Number of coils to force/write (16-bit)

Number of bytes of coil values to follow (8-bit)
Coil values (8 coil values per byte)

Requests and responses follow frame formats described Value of each coil is binary (0 for o, 1 for on). First
above. This section gives details of data formats of most requested coil is stored as least signicant bit of rst byte
in request.
used function codes.
If number of coils is not a multiple of 8, most signicant
bit(s) of last byte should be stued with zeros. See exam4.1 Function code 1 (read coils) and func- ple for function codes 1 and 2.
Normal response:
tion code 2 (read discrete inputs)
Request:
Address of rst coil/discrete input to read (16-bit)
Number of coils/discrete inputs to read (16-bit)
Normal response:

Address of rst coil (16-bit)

number of coils (16-bit)

4.4 Function code 4 (read input registers)

and function code 3 (read holding registers)

Number of bytes of coil/discrete input values to follow (8-bit)

Request:

4.8

Main Modbus exception codes

Address of rst register to read (16-bit)

Number of registers to read (16-bit)
Normal response:
Number of bytes of register values to follow (8-bit)

4.8 Main Modbus exception codes

5 Coil, discrete input, input register, holding register numbers

and addresses

Register values (16 bits per register)

Some conventions govern how access to Modbus entities

(coils, discrete inputs, input registers, holding registers)
Because the number of bytes for register values is 8-bit are referenced.
It is important to make a distinction between entity numwide, only 128 registers can be read at once.
ber and entity address:

4.5

Function code 6 (preset/write single

holding register)

Request:
Address of holding register to preset/write (16-bit)
New value of the holding register (16-bit)
Normal response: same as request.

4.6

Function code 16 (preset/write multiple holding registers)

Request:

Entity numbers combine entity type and entity location within their description table
Entity address is the starting address, a 16-bit value
in the data part of the Modbus frame. As such its
range goes from 0 to 65,535
In the traditional standard, numbers for those entities start
with a digit, followed by a number of four digits in range
1 - 9,999:
coils numbers start with a zero and then span from
00001 to 09999
discrete input numbers start with a one and then span
from 10001 to 19999

Address of rst holding register to preset/write (16bit)

input register numbers start with a three and then

span from 30001 to 39999

Number of holding registers to preset/write (16-bit)

holding register numbers start with a four and then

span from 40001 to 49999

Number of bytes of register values to follow (8-bit)

New values of holding registers (16 bits per register) This translates into addresses between 0 and 9,998 in data
frames.
Because the number of bytes for register values is 8-bit For example, in order to read holding registers starting at
wide, only 128 holding registers can be preset/written at number 40001, corresponding address in the data frame
once.
will be 0 with a function code of 3 (as seen above). For
holding registers starting at number 40100, address will
Normal response:
be 99. Etc.
This limits the number of addresses to 9,999 for each en Address of rst preset/written holding register (16- tity. A de facto referencing extends this to the maximum
bit)
of 65,536.[8]
It
simply consists of adding one digit to the previous list:
number of preset/written holding registers (16-bit)

4.7

Exception responses

For a normal response, slave repeats the function code.

Should a slave want to report an error, it will reply with
the requested function code plus 128 (3 becomes 131 or
83 in hexadecimal), and will only include one byte of data,
known as the exception code.

coil numbers span from 000001 to 065536

discrete input numbers span from 100001 to 165536
input register numbers span from 300001 to 365536
holding register numbers span from 400001 to
465536

When using the extended referencing, all number references must be exactly six digits. This avoids confusion
between coils and other entities. For example, to know
the dierence between holding register #40001 and coil
#40001, if coil #40001 is the target, it must appear as
#040001.

5.1

JBUS mapping
[9]

Another de facto protocol tightly related with Modbus

appeared after it and was dened by PLC brand April
Automates, resulting of a collaborative eort of French
companies Renault Automation and Merlin Gerin et Cie
in 1985:[10] JBUS. Dierences between Modbus and
JBUS at that time (number of entities, slave stations)
are now irrelevant as this protocol almost disappeared
with April PLC series which AEG Schneider Automation
bought in 1994 and then made them obsolete. However
the name JBUS survived to some extent.
JBUS supports function codes 1, 2, 3, 4, 5, 6, 15, and 16
and thus all the entities described above. However numbering is dierent with JBUS:[11]
Number and address coincide: entity #x has address
x in the data frame
Consequently, entity number does not include the
entity type. For example, holding register #40010
in Modbus will be holding register #9, located at address 9 in JBUS
Number 0 (and thus address 0) is not supported.
Slave should not implement any real data at this
number and address and it can return a null value
or throw an error when requested

Implementations

Almost all implementations have variations from the ofcial standard. Dierent varieties might not communicate correctly between equipment of dierent suppliers.
Some of the most common variations are:
Data types

MODBUS PLUS

32-bit data size (1 address = 32 bits of data

returned)
Word swapped data

7 Limitations
Since Modbus was designed in the late 1970s to
communicate to programmable logic controllers,
the number of data types is limited to those understood by PLCs at the time. Large binary objects are
not supported.
No standard way exists for a node to nd the description of a data object, for example, to determine if a
register value represents a temperature between 30
and 175 degrees.
Since Modbus is a master/slave protocol, there is no
way for a eld device to report by exception (except over Ethernet TCP/IP, called open-mbus)- the
master node must routinely poll each eld device,
and look for changes in the data. This consumes
bandwidth and network time in applications where
bandwidth may be expensive, such as over a low-bitrate radio link.
Modbus is restricted to addressing 254 devices on
one data link, which limits the number of eld devices that may be connected to a master station (once
again Ethernet TCP/IP being an exception).
Modbus transmissions must be contiguous which
limits the types of remote communications devices
to those that can buer data to avoid gaps in the
transmission.
Modbus protocol itself provides no security against
unauthorized commands or interception of data.[12]

8 Trade group
Modbus Organization, Inc. is a trade association for the
promotion and development of Modbus protocol.[2]

Floating point IEEE

32-bit integer
8-bit data
Mixed data types
Bit elds in integers
Multipliers to change data to/from integer. 10,
100, 1000, 256 ...
Protocol extensions
16-bit slave addresses

9 Modbus Plus
Despite the name, Modbus Plus[13] is not a variant of
Modbus. It is a dierent protocol, involving token passing.
It is a proprietary specication of Schneider Electric,
though it is unpublished rather than patented. It is normally implemented using a custom chipset available only
to partners of Schneider.

10

References

[1] Drury, Bill (2009). Control Techniques Drives and Controls Handbook (PDF) (2nd ed.). Institution of Engineering and Technology. pp. 508. (subscription required
(help)).

Android based Modbus TCP Master

Pymodbus: Full Modbus protocol implementation
in Python, free software
MinimalModbus: Light RTU only Modbus implementation in Python

[2] Modbus home page. Modbus. Modbus Organization,

Inc. Retrieved 2 August 2013.

modbus-tk: Fast Modbus Implementation in Python

[3] Modbus FAQ. Modbus. Modbus Organization, Inc.

Retrieved 1 November 2012.

Interesting Performance comparison of the 3 above

mentioned python modules

[4] About Modbus Organization. Modbus. Modbus Organization, Inc. Retrieved 8 November 2012.
[5] Modbus Messaging On TCP/IP Implementation Guide
(PDF). Modbus Organization. Modbus-IDA.
[6] Modbus Application Protocol V1.1b3 (PDF). Modbus.
Modbus Organization, Inc. Retrieved 2 August 2013.
[7] Clarke, Gordon; Reynders, Deon (2004). Practical Modern Scada Protocols: Dnp3, 60870.5 and Related Systems.
Newnes. pp. 4751. ISBN 0-7506-5799-5.
[8] Modbus 101 - Introduction to Modbus. Control Solutions, Inc.
[9] Dierences between JBUS and MODBUS protocols.
Schneider Electric.
[10] RENAULT AUTOMATION MERLIN GERIN ET
CIE. French Corporate.
[11] 900 Series JBUS and MODBUS Digital Communications Handbook. Eurotherm Control.
[12] Palmer; Shenoi, Sujeet, eds. (2325 March 2009). Critical Infrastructure Protection III. Third IFIP WG 11. 10
International Conference. Hanover, New Hampshire:
Springer. p. 87. ISBN 3-642-04797-1.
[13] Modbus Plus - Modbus Plus Network - Products
overview - Schneider Electric United States. Schneiderelectric.com. Retrieved 2014-01-03.

11

Further reading

Modbus Protocol; Modicon; 74 pages; 2000.

12

External links

Modbus Organization with protocol specications

Cost free Modbus RTU Device Testing Software
Free Modbus RTU source code on Protocessor website (requires signing up)
Free Modbus Guide for Field Technician
Perl module for Modbus/TCP

Tcl based Modbus RTU driver

Open Source C library of Modbus protocol for
Linux, Mac OS X, FreeBSD, QNX and Win32
Freeware Modbus Slave Simulator Application
Free PeakHMI RTU, TCP/IP and ACSII slave simulators
Jamod - Java library of Modbus protocol
ModSlave - Modbus TCP Slave Device written in
Python, Free Software
digitalpetri Modbus - A modern, asynchronous
Modbus implementation for Java
ShortBus Modbus Scanner, RTU and TCP/IP master testing , Server, RTU slave simulation freeware
Visual Studio .NET

13

13
13.1

TEXT AND IMAGE SOURCES, CONTRIBUTORS, AND LICENSES

Text and image sources, contributors, and licenses

Text

Modbus Source: https://en.wikipedia.org/wiki/Modbus?oldid=677421246 Contributors: Matusz, Komap, Glenn, MariusG, Eadric, Moriori, Faught, Bobblewik, Funvill, Frau Holle, CALR, Bert490, Femto, Spalding, Remuel, Billymac00, Giraedata, Hooperbloob, Guy Harris,
Waeguy4, Calton, Theodore Kloba, Wtshymanski, Stuartyeates, Cruccone, Sega381, Bertus, FlaBot, Chungyan5, RussNelson, Voidxor,
Morpheios Melas, Xareu bs, Nelson50, SmackBot, Bluebot, DStoykov, Hongooi, Jimwelch, LynnLinse, Dicklyon, Zorbey, Kvng, Hu12,
Iridescent, Dareces, Tawkerbot2, Mtpaley, Thijs!bot, Dogaroon, Electron9, Natalie Erin, AntiVandalBot, Alshain01, Gadget1700, Jasen
betts, Zondran, .anacondabot, Schastain, Ceallachan, Calltech, XandroZ, Batman2000, Trusilver, Thomas Larsen, Jhose, CanOfWorms,
UnitedStatesian, One half 3544, Cyberparam in, Biscuittin, SoManySpammers, Fahidka, Tmwusa1, Jt, PKlammer, ClueBot, CharlesWemyss, Rajendu.choubisa, Frau K, 7, Gg-labz, HarrivBOT, Crowsnest, Darvin30dec, SilvonenBot, Failanas, Addbot, Kuttipapu, MrOllie,
Cameronbell76, Maslen, Zaphodikus, Luckas-bot, Yobot, Gorhas, AnomieBOT, Cp2020, , Okstfan03,
Jmundo, Nasa-verve, Komantian, Aarontpeterson, InntegrationExpert, Thaas00, Teuxe, Sfax.tn, Btilm, Peswriter, Mjbcswitzerland, Trappist the monk, Modbus.ug, Begoon, Ninokurtalj, Xsolarwindx, Arnoudmulder, Skamecrazy123, T. Canens, John of Reading, Dewritech,
Sbmeirow, Danmuz, HBAttila, ChuispastonBot, ClueBot NG, Anoopmgeorge, Kasirbot, Goodeq~enwiki, Oddbodz, Helpful Pixie Bot,
All Rows4, Frze, AdAstraRG, Ruscito, Yesid8, Onuralpkaratum, NichoEd, Globalkrishna, Comatmebro, Frosty, Gasbuilding, Teichsta,
Tc.guho, Viper742, FIRAT KK and Anonymous: 215

13.2

Images

File:Folder_Hexagonal_Icon.svg Source: https://upload.wikimedia.org/wikipedia/en/4/48/Folder_Hexagonal_Icon.svg License: Cc-bysa-3.0 Contributors: ? Original artist: ?

13.3

Content license

Creative Commons Attribution-Share Alike 3.0