Modbus is a serial communications protocol published by Modicon in 1979 for use with

its programmable logic controllers (PLCs). Simple and robust, it has since become one of
the de facto standard communications protocols in the industry, and it is now amongst the
most commonly available means of connecting industrial electronic devices.[1] The main
reasons for the extensive use of Modbus in the industrial environment are:

It has been developed with industrial applications in mind

It is openly published and royalty-free
It is easy to deploy and maintain
It moves raw bits or words without placing many restrictions on vendors

Modbus allows for communication between many (approximately 240) devices

connected to the same network, for example a system that measures temperature and
humidity and communicates the results to a computer. Modbus is often used to connect a
supervisory computer with a remote terminal unit (RTU) in supervisory control and data
acquisition (SCADA) systems. Many of the data types are named from its use in driving
relays: a single-bit physical output is called a coil, and a single-bit physical input is called
a discrete input or a contact.

The development and update of Modbus protocols are managed by the Modbus
Organization, formed of independent users and suppliers of Modbus compliant devices.
Some of its prominent members are Precision Digital Corporation, Motor Protection
Electronics and FieldServer Technologies. Other companies, such as SoftDEL Systems
and SATEC Ltd., offer Modbus devices without being formal members of Modbus
Organization.

Protocol versions

Versions of the Modbus protocol exist for serial port and for Ethernet and other networks
that support the Internet protocol suite. Most Modbus devices communicate over a serial
EIA-485 physical layer [1]. There are many variants of Modbus protocols

Modbus RTU — This is used in serial communication & makes use of a compact,
binary representation of the data for protocol communication. The RTU format follows
the commands/data with a cyclic redundancy check checksum as an error check
mechanism to ensure the reliability of data. Modbus RTU is the most common
implementation available for Modbus. A Modbus RTU message must be transmitted
continuously without inter-character hesitations. Modbus messages are framed
(separated) by idle (silent) periods.

Modbus ASCII — This is used in serial communication & makes use of ASCII
characters for protocol communication. The ASCII format uses a longitudinal
redundancy check checksum. Modbus ASCII messages are framed by leading colon (':')
and trailing newline (CR/LF).
 Modbus TCP/IP or Modbus TCP — This is a Modbus variant used for
communications over TCP/IP networks, connecting over port 502.[2] It does not require a
checksum calculation as lower layers already provide checksum protection.

Modbus over TCP/IP or Modbus over TCP or Modbus RTU/IP — This is a Modbus
variant that differs from Modbus TCP in that a checksum is included in the payload as
with Modbus RTU.

Modbus over UDP — Some have experimented with using Modbus over UDP on IP
networks, which removes the overheads required for TCP [3]

Modbus Plus (Modbus+, MB+ or MBP) — An extended version, Modbus Plus

(Modbus+ or MB+), also exists, but remains proprietary to SCHNEIDER ELECTRIC. It
requires a dedicated co-processor to handle fast HDLC-like token rotation. It uses twisted
pair at 1 Mbit/s and includes transformer isolation at each node, which makes it
transition/edge triggered instead of voltage/level triggered. Special interfaces are required
to connect Modbus Plus to a computer, typically a card made for the ISA (SA85), PCI or
PCMCIA bus.

Modbus PEMEX- Modbus PEMEX is an extension of standard Modbus with support

for historical and flow data. It is widely used in process automation.

Data model and function calls are identical for the first 4 variants of protocols; only the
encapsulation is different. However the variants are not interoperable as the frame
formats are different.
[edit] Communication and devices

Each device intended to communicate using Modbus is given a unique address. In serial
and MB+ networks only the node assigned as the Master may initiate a command, but on
Ethernet, any device can send out a Modbus command, although usually only one master
device does so. A Modbus command contains the Modbus address of the device it is
intended for. Only the intended device will act on the command, even though other
devices might receive it (an exception is specific broadcastable commands sent to node 0
which are acted on but not acknowledged). All Modbus commands contain checking
information, ensuring that a command arrives undamaged. The basic Modbus commands
can instruct an RTU to change a value in one of its registers, control or read an I/O port,
as well as commanding the device to send back one or more values contained in its
registers.

There are many modems and gateways that support Modbus, as it is a very simple
protocol and often copied. Some of them were specifically designed for this protocol.
Different implementations use wireline, wireless communication, such as in the ISM
band, and even SMS or GPRS. One of the more common designs of wireless networks
makes use of the mesh topology. Typical problems the designers have to overcome
include high latency and timing problems.
Frame Format
All modbus variants choose different frame formats.

Modbus RTU Frame Format

Name Length Function

Start 3.5c idle at least 3-1/2 character times of silence (MARK condition)

Address 8 bits Station Address

Function 8 bits Indicates the function codes like read coils / inputs

Data n * 8 bits Data + length will be filled depending on the message type

CRC Check 16 bits Error checks

End 3.5c idle at least 3-1/2 character times of silence between frames

Modbus ASCII Frame Format

Name Length Function

Start 1 char starts with colon ( : ) (ASCII value is 3A hex)

Address 2 chars Station Address

Function 2 chars Indicates the function codes like read coils / inputs

Data n chars Data +length will be filled depending on the message type

LRC Check 2 chars Error checks

carriage return – line feed(CRLF) pair (ASCII values of 0D &

End 2 chars
0A hex)

Modbus TCP Frame Format

Name Length Function

Transaction Identifier 2 bytes For synchronization between messages of server

 & client
Protocol Identifier 2 bytes Zero for MODBUS/TCP
Length Field 2 bytes Number of remaining bytes in this frame
Unit Identifier 1 byte Slave Address (255 if not used)
Function code 1 byte Function codes as in other variants
Data bytes n bytes Data as response or commands

Unit identifier is used with MODBUS/TCP devices that are composites of several
MODBUS devices, e.g. on MODBUS/TCP to MODBUS RTU gateways. In such case,
the unit identifier tells the Slave Address of the device behind the gateway. Natively
MODBUS/TCP-capable devices usually ignore the Unit Identifier.

Supported Function Codes

The various reading, writing and other operations are categorised as follows.[4] The most
primitive reads and writes are shown in bold. A number of sources [5] use alternative
terminology, for example Force Single Coil where the standard uses Write Single Coil.

Function
Function Name
Code
Physical Discrete Inputs Read Discrete Inputs 2
Read Coils 1
Bit access
Internal Bits or Physical Coils Write Single Coil 5
Write Multiple Coils 15
Physical Input Registers Read Input Register 4
Read Holding
3
Registers
Data Write Single Register 6
Access 16-bit Write Multiple
Internal Registers or Physical 16
access Registers
Output Registers
Read/Write Multiple
23
Registers
Mask Write Register 22
Read FIFO Queue 24
Read File Record 20
File Record Access
Write File Record 21
Diagnostics Read Exception Status 7
Diagnostic 8
Get Com Event Counter 11
Get Com Event Log 12
 Report Slave ID 17
Read Device
43
Identification
Encapsulated Interface
Other 43
Transport

Implementations
Almost all implementations have variations from the official standard. Different varieties
might not communicate correctly between equipment of different suppliers. Some of the
most common variations are:

• Data types
o Floating point IEEE
o 32-bit integer
o 8-bit data
o Mixed data types
o Bit fields in integers
o Multipliers to change data to/from integer. 10, 100, 1000, 256 ...

• Protocol extensions
o 16-bit slave addresses
o 32-bit data size (1 address = 32 bits of data returned.)
o Word swapped data

Limitations
• Since Modbus was designed in the late 1970s to communicate to programmable
logic controllers, the number of data types is limited to those understood by PLCs
at the time. Large binary objects are not supported.

• No standard way exists for a node to find the description of a data object, for
example, to determine if a register value represents a temperature between 30 and
175 degrees.

• Since Modbus is a master/slave protocol, there is no way for a field device to

"report by exception" (except over Ethernet TCP/IP, called open-mbus)- the
master node must routinely poll each field device, and look for changes in the
data. This consumes bandwidth and network time in applications where
bandwidth may be expensive, such as over a low-bit-rate radio link.

• Modbus is restricted to addressing 247 devices on one data link, which limits the
number of field devices that may be connected to a master station (once again
Ethernet TCP/IP proving the exception).
 • Modbus transmissions must be contiguous which limits the types of remote
communications devices to those that can buffer data to avoid gaps in the
transmission.

• Modbus protocol provides no security against unauthorized commands or

interception of data.

Trade group
The Modbus organization is a trade association for the promotion and development of
Modbus protocol.