Modbus

Modbus is a serial communications protocol originallypublished by Modicon (now Schneider Electric) in 1979for use with its programmable logic controllers (PLCs).Simple and robust, it has since become a de facto standardcommunication protocol, and it is now a commonly avail-able means of connecting industrial electronic devices.[1]The main reasons for the use of Modbus in the industrialenvironment are:

• developed with industrial applications in mind

• openly published and royalty-free

• easy to deploy and maintain

• moves raw bits or words without placing many re-strictions on vendors

Modbus enables communication among many (approxi-mately 247) devices connected to the same network, forexample a system that measures temperature and humid-ity and communicates the results to a computer. Modbusis often used to connect a supervisory computer with aremote terminal unit (RTU) in supervisory control anddata acquisition (SCADA) systems. Many of the datatypes are named from its use in driving relays: a single-bitphysical output is called a coil, and a single-bit physicalinput is called a discrete input or a contact.The development and update of Modbus protocols hasbeen managed by the Modbus Organization[2] since April2004, when Schneider Electric transferred rights to thatorganization.[3] The Modbus Organization is an associ-ation of users and suppliers of Modbus compliant de-vices that seeks to drive the adoption and evolution ofModbus.[4]

1 Communication and devices

Each device intended to communicate using Modbus isgiven a unique address. In serial andMB+ networks, onlythe node assigned as the Master may initiate a command.On Ethernet, any device can send out a Modbus com-mand, although usually only one master device does so.AModbus command contains the Modbus address of thedevice it is intended for (1 to 247). Only the intended de-vice will act on the command, even though other devicesmight receive it (an exception is specific broadcastablecommands sent to node 0 which are acted on but not

acknowledged). All Modbus commands contain check-sum information, to allow the recipient to detect trans-mission errors. The basicModbus commands can instructan RTU to change the value in one of its registers, con-trol or read an I/O port, and command the device to sendback one or more values contained in its registers.There are many modems and gateways that support Mod-bus, as it is a very simple protocol and often copied. Someof them were specifically designed for this protocol. Dif-ferent implementations use wireline, wireless communi-cation, such as in the ISM band, and even short messageservice (SMS) or General Packet Radio Service (GPRS).One of the more common designs of wireless networksmakes use of Mesh networking. Typical problems thatdesigners have to overcome include high latency and tim-ing issues.

2 Frame format

A Modbus frame is composed of an Application DataUnit (ADU) which encloses a Protocol Data Unit(PDU):[5]

• ADU = Address + PDU + Error check

• PDU = Function code + Data

All Modbus variants choose one of the following frameformats.[1]

Note about the CRC:

• Polynomial: x16 + x15 + x2 + 1 (CRC-16-ANSI alsoknown as CRC-16-IBM, normal hexadecimal alge-braic polynomial being 8005 and reversed A001)

• Initial value: 65,535

• Example of frame in hexadecimal: 01 04 02 FFFF B8 80 (CRC-16-ANSI calculation from 01 toFF gives 80B8 which is transmitted least significantbyte first)

Address, function, data, and LRC are all capital hexadec-imal readable pairs of characters representing 8-bit val-ues (0-255). For example, 122 (7x16+10) will be repre-sented as 7A.LRC is calculated as the sum of 8-bit values, negated(two’s complement) and encoded as an 8-bit value. Ex-ample: if address, function, and data encode as 247, 3,

1

2 4 FORMAT OF DATA OF REQUESTS AND RESPONSES FOR MAIN FUNCTION CODES

19, 137, 0, and 10, their sum is 416. Two’s complement(−416) trimmed to 8-bit is 96 (e.g. 256x2-416) whichwill be represented as 60 in hexadecimal. Hence the fol-lowing frame :F7031389000A60<CR><LF>Unit identifier is used with Modbus/TCP devices that arecomposites of several Modbus devices, e.g. on Mod-bus/TCP toModbus RTU gateways. In such case, the unitidentifier tells the Slave Address of the device behind thegateway. Natively Modbus/TCP-capable devices usuallyignore the Unit Identifier.The byte order for values in Modbus data frames is Big-Endian (MSB, Most Significant Byte of a value receivedfirst).

3 Supported function codes

The various reading, writing and other operations arecategorised as follows.[6] The most primitive reads andwrites are shown in bold. A number of sources use alter-native terminology, for example Force Single Coil wherethe standard usesWrite Single Coil.[7]Prominent entities within a Modbus slave are:

• Coils: readable and writable, 1 bit (off/on)

• Discrete Inputs: readable, 1 bit (off/on)

• Input Registers: readable, 16 bits (0 to 65,535), es-sentially measurements and statuses

• Holding Registers: readable and writable, 16 bits (0to 65,535), essentially configuration values

4 Format of data of requests andresponses for main functioncodes

Requests and responses follow frame formats describedabove. This section gives details of data formats of mostused function codes.

4.1 Function code 1 (read coils) and func-tion code 2 (read discrete inputs)

Request:

• Address of first coil/discrete input to read (16-bit)

• Number of coils/discrete inputs to read (16-bit)

Normal response:

• Number of bytes of coil/discrete input values to fol-low (8-bit)

• Coil/discrete input values (8 coils/discrete inputs perbyte)

Value of each coil/discrete input is binary (0 for off, 1 foron). First requested coil/discrete input is stored as leastsignificant bit of first byte in reply.If number of coils/discrete inputs is not a multiple of 8,most significant bit(s) of last byte will be stuffed with ze-ros.For example, if eleven coils are requested, two bytes ofvalues are needed. Suppose states of those successivecoils are on, off, on, off, off, on, on, on, off, on, on, thendata part of the response will be 02E506 in hexadecimal.

4.2 Function code 5 (force/write singlecoil)

Request:

• Address of coil (16-bit)

• Value to force/write: 0 for off and 65,280 (FF00 inhexadecimal) for on

Normal response: same as request.

4.3 Function code 15 (force/write multiplecoils)

Request:

• Address of first coil to force/write (16-bit)

• Number of coils to force/write (16-bit)

• Number of bytes of coil values to follow (8-bit)

• Coil values (8 coil values per byte)

Value of each coil is binary (0 for off, 1 for on). Firstrequested coil is stored as least significant bit of first bytein request.If number of coils is not a multiple of 8, most significantbit(s) of last byte should be stuffed with zeros. See exam-ple for function codes 1 and 2.Normal response:

• Address of first coil (16-bit)

• number of coils (16-bit)

4.4 Function code 4 (read input registers)and function code 3 (read holding reg-isters)

Request:

4.8 Main Modbus exception codes 3

• Address of first register to read (16-bit)

• Number of registers to read (16-bit)

Normal response:

• Number of bytes of register values to follow (8-bit)

• Register values (16 bits per register)

Because the number of bytes for register values is 8-bitwide, only 128 registers can be read at once.

4.5 Function code 6 (preset/write singleholding register)

Request:

• Address of holding register to preset/write (16-bit)

• New value of the holding register (16-bit)

Normal response: same as request.

4.6 Function code 16 (preset/write multi-ple holding registers)

Request:

• Address of first holding register to preset/write (16-bit)

• Number of holding registers to preset/write (16-bit)

• Number of bytes of register values to follow (8-bit)

• New values of holding registers (16 bits per register)

Because the number of bytes for register values is 8-bitwide, only 128 holding registers can be preset/written atonce.Normal response:

• Address of first preset/written holding register (16-bit)

• number of preset/written holding registers (16-bit)

4.7 Exception responses

For a normal response, slave repeats the function code.Should a slave want to report an error, it will reply withthe requested function code plus 128 (3 becomes 131 or83 in hexadecimal), andwill only include one byte of data,known as the exception code.

4.8 Main Modbus exception codes

5 Coil, discrete input, input reg-ister, holding register numbersand addresses

Some conventions govern how access to Modbus entities(coils, discrete inputs, input registers, holding registers)are referenced.It is important to make a distinction between entity num-ber and entity address:

• Entity numbers combine entity type and entity loca-tion within their description table

• Entity address is the starting address, a 16-bit valuein the data part of the Modbus frame. As such itsrange goes from 0 to 65,535

In the traditional standard, numbers for those entities startwith a digit, followed by a number of four digits in range1 - 9,999:

• coils numbers start with a zero and then span from00001 to 09999

• discrete input numbers start with a one and then spanfrom 10001 to 19999

• input register numbers start with a three and thenspan from 30001 to 39999

• holding register numbers start with a four and thenspan from 40001 to 49999

This translates into addresses between 0 and 9,998 in dataframes.For example, in order to read holding registers starting atnumber 40001, corresponding address in the data framewill be 0 with a function code of 3 (as seen above). Forholding registers starting at number 40100, address willbe 99. Etc.This limits the number of addresses to 9,999 for each en-tity. A de facto referencing extends this to the maximumof 65,536.[8]It simply consists of adding one digit to the previous list:

• coil numbers span from 000001 to 065536

• discrete input numbers span from 100001 to 165536

• input register numbers span from 300001 to 365536

• holding register numbers span from 400001 to465536

4 9 MODBUS PLUS

When using the extended referencing, all number refer-ences must be exactly six digits. This avoids confusionbetween coils and other entities. For example, to knowthe difference between holding register #40001 and coil#40001, if coil #40001 is the target, it must appear as#040001.

5.1 JBUS mapping

Another de facto protocol tightly related with Modbus[9]appeared after it and was defined by PLC brand AprilAutomates, resulting of a collaborative effort of Frenchcompanies Renault Automation and Merlin Gerin et Ciein 1985:[10] JBUS. Differences between Modbus andJBUS at that time (number of entities, slave stations)are now irrelevant as this protocol almost disappearedwith April PLC series which AEG Schneider Automationbought in 1994 and then made them obsolete. Howeverthe name JBUS survived to some extent.JBUS supports function codes 1, 2, 3, 4, 5, 6, 15, and 16and thus all the entities described above. However num-bering is different with JBUS:[11]

• Number and address coincide: entity #x has addressx in the data frame

• Consequently, entity number does not include theentity type. For example, holding register #40010in Modbus will be holding register #9, located at ad-dress 9 in JBUS

• Number 0 (and thus address 0) is not supported.Slave should not implement any real data at thisnumber and address and it can return a null valueor throw an error when requested

6 Implementations

Almost all implementations have variations from the of-ficial standard. Different varieties might not communi-cate correctly between equipment of different suppliers.Some of the most common variations are:

• Data types

• Floating point IEEE• 32-bit integer• 8-bit data• Mixed data types• Bit fields in integers• Multipliers to change data to/from integer. 10,100, 1000, 256 ...

• Protocol extensions

• 16-bit slave addresses

• 32-bit data size (1 address = 32 bits of datareturned)

• Word swapped data

7 Limitations

• Since Modbus was designed in the late 1970s tocommunicate to programmable logic controllers,the number of data types is limited to those under-stood by PLCs at the time. Large binary objects arenot supported.

• No standard way exists for a node to find the descrip-tion of a data object, for example, to determine if aregister value represents a temperature between 30and 175 degrees.

• Since Modbus is a master/slave protocol, there is noway for a field device to “report by exception” (ex-cept over Ethernet TCP/IP, called open-mbus)- themaster node must routinely poll each field device,and look for changes in the data. This consumesbandwidth and network time in applications wherebandwidth may be expensive, such as over a low-bit-rate radio link.

• Modbus is restricted to addressing 254 devices onone data link, which limits the number of field de-vices that may be connected to amaster station (onceagain Ethernet TCP/IP being an exception).

• Modbus transmissions must be contiguous whichlimits the types of remote communications devicesto those that can buffer data to avoid gaps in thetransmission.

• Modbus protocol itself provides no security againstunauthorized commands or interception of data.[12]

8 Trade group

Modbus Organization, Inc. is a trade association for thepromotion and development of Modbus protocol.[2]

9 Modbus Plus

Despite the name, Modbus Plus[13] is not a variant ofModbus. It is a different protocol, involving token pass-ing.It is a proprietary specification of Schneider Electric,though it is unpublished rather than patented. It is nor-mally implemented using a custom chipset available onlyto partners of Schneider.

5

10 References[1] Drury, Bill (2009). Control Techniques Drives and Con-

trols Handbook (PDF) (2nd ed.). Institution of Engineer-ing and Technology. pp. 508–. (subscription required(help)).

[2] “Modbus home page”. Modbus. Modbus Organization,Inc. Retrieved 2 August 2013.

[3] “Modbus FAQ”. Modbus. Modbus Organization, Inc.Retrieved 1 November 2012.

[4] “About Modbus Organization”. Modbus. Modbus Orga-nization, Inc. Retrieved 8 November 2012.

[5] “Modbus Messaging On TCP/IP Implementation Guide”(PDF). Modbus Organization. Modbus-IDA.

[6] “Modbus Application Protocol V1.1b3” (PDF). Modbus.Modbus Organization, Inc. Retrieved 2 August 2013.

[7] Clarke, Gordon; Reynders, Deon (2004). Practical Mod-ern Scada Protocols: Dnp3, 60870.5 and Related Systems.Newnes. pp. 47–51. ISBN 0-7506-5799-5.

[8] “Modbus 101 - Introduction to Modbus”. Control Solu-tions, Inc.

[9] “Differences between JBUS and MODBUS protocols”.Schneider Electric.

[10] “RENAULT AUTOMATION MERLIN GERIN ETCIE”. French Corporate.

[11] “900 Series JBUS and MODBUS Digital Communica-tions Handbook”. Eurotherm Control.

[12] Palmer; Shenoi, Sujeet, eds. (23–25 March 2009). Crit-ical Infrastructure Protection III. Third IFIP WG 11. 10International Conference. Hanover, New Hampshire:Springer. p. 87. ISBN 3-642-04797-1.

[13] “Modbus Plus - Modbus Plus Network - Productsoverview - Schneider Electric United States”. Schneider-electric.com. Retrieved 2014-01-03.

11 Further reading

• Modbus Protocol; Modicon; 74 pages; 2000.

12 External links

• Modbus Organization with protocol specifications

• Cost free Modbus RTU Device Testing Software

• FreeModbus RTU source code on Protocessor web-site (requires signing up)

• Free Modbus Guide for Field Technician

• Perl module for Modbus/TCP

• Android based Modbus TCP Master

• Pymodbus: Full Modbus protocol implementationin Python, free software

• MinimalModbus: Light RTU only Modbus imple-mentation in Python

• modbus-tk: Fast Modbus Implementation in Python

• Interesting Performance comparison of the 3 abovementioned python modules

• Tcl based Modbus RTU driver

• Open Source C library of Modbus protocol forLinux, Mac OS X, FreeBSD, QNX and Win32

• Freeware Modbus Slave Simulator Application

• Free PeakHMI RTU, TCP/IP and ACSII slave sim-ulators

• Jamod - Java library of Modbus protocol

• ModSlave - Modbus TCP Slave Device written inPython, Free Software

• digitalpetri Modbus - A modern, asynchronousModbus implementation for Java

• ShortBus Modbus Scanner, RTU and TCP/IP mas-ter testing , Server, RTU slave simulation freewareVisual Studio .NET

6 13 TEXT AND IMAGE SOURCES, CONTRIBUTORS, AND LICENSES

13 Text and image sources, contributors, and licenses

13.1 Text• Modbus Source: https://en.wikipedia.org/wiki/Modbus?oldid=677421246 Contributors: Matusz, Komap, Glenn, MariusG, Eadric, Mori-

ori, Faught, Bobblewik, Funvill, FrauHolle, CALR, Bert490, Femto, Spalding, Remuel, Billymac00, Giraffedata, Hooperbloob, GuyHarris,Waffleguy4, Calton, Theodore Kloba, Wtshymanski, Stuartyeates, Cruccone, Sega381, Bertus, FlaBot, Chungyan5, RussNelson, Voidxor,Morpheios Melas, Xareu bs, Nelson50, SmackBot, Bluebot, DStoykov, Hongooi, Jimwelch, LynnLinse, Dicklyon, Zorbey, Kvng, Hu12,Iridescent, Dareces, Tawkerbot2, Mtpaley, Thijs!bot, Dogaroon, Electron9, Natalie Erin, AntiVandalBot, Alshain01, Gadget1700, Jasenbetts, Zondran, .anacondabot, Schastain, Ceallachan, Calltech, XandroZ, Batman2000, Trusilver, Thomas Larsen, Jhose, CanOfWorms,UnitedStatesian, One half 3544, Cyberparam in, Biscuittin, SoManySpammers, Fahidka, Tmwusa1, Jt, PKlammer, ClueBot, CharlesWe-myss, Rajendu.choubisa, Frau K, 7, Gg-labz, HarrivBOT, Crowsnest, Darvin30dec, SilvonenBot, Failanas, Addbot, Kuttipapu, MrOllie,Cameronbell76, Maslen, Zaphodikus, Luckas-bot, Yobot, Gorhas, AnomieBOT, Cp2020, Важнов Алексей Геннадьевич, Okstfan03,Jmundo, Nasa-verve, Komantian, Aarontpeterson, InntegrationExpert, Thaas00, Teuxe, Sfax.tn, Btilm, Peswriter, Mjbcswitzerland, Trap-pist the monk, Modbus.ug, Begoon, Ninokurtalj, Xsolarwindx, Arnoudmulder, Skamecrazy123, T. Canens, John of Reading, Dewritech,Sbmeirow, Danmuz, HBAttila, ChuispastonBot, ClueBot NG, Anoopmgeorge, Kasirbot, Goodeq~enwiki, Oddbodz, Helpful Pixie Bot,All Rows4, Frze, AdAstraRG, Ruscito, Yesid8, Onuralpkaratum, NichoEd, Globalkrishna, Comatmebro, Frosty, Gasbuilding, Teichsta,Tc.guho, Viper742, FIRAT KÜÇÜK and Anonymous: 215

13.2 Images• File:Folder_Hexagonal_Icon.svg Source: https://upload.wikimedia.org/wikipedia/en/4/48/Folder_Hexagonal_Icon.svg License: Cc-by-

sa-3.0 Contributors: ? Original artist: ?

13.3 Content license• Creative Commons Attribution-Share Alike 3.0