Modbus Protocol Stack Should be Known

OSI Layers Modbus RTU Modbus Plus Modbus TCP/IP ADU Application Data Unit
Application Layer (L7) Modbus Application Layer HDLC High level Data Link Control
Presentation Layer (L6) MB MODBUS Protocol
Session Layer (L5) MBAP MODBUS Application Protocol
Transport Layer (L4) TCP (Port 502) PDU Protocol Data Unit
Network Layer (L3) IP Modbus Master Modbus Client
Link Layer (L2) Master / Slave Modbus+ / HDLC Ethernet II / 802.3 / MAC / LLC Modbus Slave Modbus Server
Physical Layer (L1) RS-232 / RS-485 Physical Layer Ethernet Physical Layer

General Modbus Frame

ADU (Application Data Unit)

ADDRESS (Modbus Application Protocol Header) PDU (Protocol Data Unit) Error Check

SLAVE ID FUNTION CODE DATA CRC / LRC Modbus RTU

TRANSACTION IDENTIFIER PROTOCOL IDENTIFIER LENGTH UNIT IDENTIFIER FUNCTION CODE DATA Modbus TCP
2 bytes 2 bytes 2 bytes 1 byte

RS232 / RS485 ADU = 253 bytes + Server address (1 byte) + CRC (2 bytes) = 256 bytes.
TCP MODBUS ADU = 253 bytes + MBAP (7 bytes) = 260 bytes.

Modbus Data Types

Data References Type
Primary Tables Object Type Type of Description
(Memory Block)
Discrete Inputs Single bit Read-Only 1xxx Provided by a Modbus device’s I/O system.
Coils Outputs Single bit Read / Write 0xxx Can be alterable by Master.
Input Registers 16-bit word Read-Only 3xxx Provided by a Modbus device’s I/O system.
Holding Registers 16-bit word Read / Write 4xxx Can be alterable by Master.
by Seda Narli
 Modbus Transaction

Error Free Exception Response

Client Server Client Server

Initiate request Initiate request

Function code Data request Function code Data request

Perform the action Error detected in the action

Initiate the response Initiate an error

Function code Data response Exception Function code Exception Code

Receive the response Receive the response

The server simply echoes to the request the original function code. The server returns a code that is equivalent to the original function code from the
request PDU with its most significant bit set to logic 1 (Hex 0x80).

by Seda Narli
 Modbus Transaction State Diagram Modbus Addressing Model

Wait for a MB
indication Receive MB indication Device Application Modbus Data Model Modbus PDU Addresses
Validate function
code
Read Input 0
Invalid 1
ExceptionCode = 1
.
Valid Discrete Input .
Validate data .
address 1
.
Invalid Coils .
ExceptionCode = 2 Read Coils 4
5
Valid
1 Read Registers 1
Validate data value 2
Input Registers .
.
Invalid
ExceptionCode = 3 1
Valid .
Holding Registers . Read Registers 54
Execute MB function 55

Invalid
ExceptionCode = 4, 5, 6
Mapping
Valid Application Specific Modbus Standard
Send Modbus exception Send Modbus
response response

by Seda Narli
Modbus Function Code Categories Modbus Function Codes
Code Hex Function Operation Type
127 01 01 Read Coils Reads the bit data (N bits)
Public Function Codes 02 02 Read Discrete Inputs Reads the bit data Single Bit
110 05 05 Write Single Coil Writes the bit data (one bit) Access
15 0F Write Multiple Coils Writes the bit data (N bits)
User Defined Function Codes
100 03 03 Read Holding Registers Reads the integer type/character type/status word floating-point type data (N words)
Public Function Codes
04 04 Read Input Register Reads the integer type/character type/status word floating-point type data
72 Data
User Defined Function Codes 06 06 Write Single Register Writes the integer type/character type/status word floating-point type data (one word)
Access
16 Bit Access
65 16 10 Write Multiple Registers Writes the integer type/character type/status word floating-point type data (N words)

Public Function Codes Modifies the contents of a specified holding register using a combination of an AND
22 16 Mask Write Register mask, and OR mask, and the register’s current contents.
1 23 17 Read/Write Multiple Registers One read operation and one write operation in a single Modbus transaction.
24 18 Read FIFO queue Reads the contents of a FIFO queue of register in a remote device.
20 14 Read File Record Performs a file record read. File Record
21 15 Write File Record Performs a file record write. Access
07 07 Read Exception Status Reads contents of eight Exception Status outputs in a remote device.
08 08 Diagnostic (Serial Line) Tests for the checking to communication and internal error.
11 0B Get Com event counter Gets status word and an event count from the remote device’s comm event counter.
Diagnostics
Gets status word, event count, message count, and field of event bytes from remote
12 0C Get Com Event Log device.
17 11 Report Server ID (Serial Line) Reads the current status and other information specific to a remote device.

Modbus Exception Codes

Code Name Description
01 Illegal Function Function code is not valid or implemented.
02 Illegal Data Address Object address is not valid for the Slave.
03 Illegal Data Value Writing value is not value valid for the addressed object.
04 Slave Device Failure Fatal error ocurred during the requested operation.
05 Acknowledge The slave device may return an Acknowledge response after receiving a function query.
06 Slave Device Busy The slave device is busy processing a function or task.
08 Memory Parity Error The extended file area failed to pass a consistency check.
0A Gateway Path Unavalible The gateway is misconfigured or overloaded.
0B Gateway Target Device Failed to Respond The device is not present on the network. by Seda Narli
 Modbus Sample Transaction
The following is an example of a Modbus request for obtaining the AO value of the holding registers from registers # 40108 to 40110 with the address of the device 17.

11 03 006B 0003 7687

Modbus RTU Slave ID Inquiry CRC
Modbus RTU 11 03 006B 0003 7687
Modbus TCP 0001 0000 0006 11 03 006B 0003
Modbus TCP MBAP Header PDU
Modbus TCP ADU, Application Data Unit
Modbus TCP Request Modbus RTU Request
0001 Transaction identifier Transaction Identifier 11 Device address SlaveID ( 17 = 11 hex )
0000 Protocol identifier ( will always be 0000 for the Modbus Protocol ) Protocol Identifier 03 Function Code ( read Analog Output Holding Registers )
0006 Length (6 bytes are followed) Message Length 006B Address of the first register ( 40108-40001 = 107 = 6B hex )
11 The device address (17 = 11 hex) Unit Identifier 0003 The number of required registers ( reading 3 registers from 40108 to 40110 )
03 Function code (read Analog Output Holding Registers) Function Code 7687 Checksum CRC
006B First address register (107 = 40108-40001 = 6B hex) Data Address of the first register
0003 The number of required registers (read 3 registers 40108 by 40110) The total number of registers

Modbus TCP Response

0001 Transaction identifier Transaction Identifier
0000 Protocol identifier Protocol Identifier
Modbus TCP Response with Error
0009 The length (9 bytes are followed) Message Length
0001 Transaction Identifier
11 The device address (17 = 11 hex) Unit Identifier
0000 Protocol Identifier
03 Function code (read Analog Output Holding Registers) Function Code
0006 Message Length
06 The number of bytes later (6 bytes are followed) Byte Count (2 * The number of required registers)
11 Device Address
02 Value of the high register bit (02 hex) Register value Hi (AO0)
83 Functional code with changed bit
2B Early discharge value register (2B hex) Register value Lo (AO0)
02 Exception Code
00 Value of the high register bit (00 hex) Register value Hi (AO1)
64 Value of the low register bit (64 hex) Register value Lo (AO1)
00 Value of the high register bit (00 hex) Register value Hi (AO2)
7F Early discharge value register (7F hex) Register value Lo (AO2)
References :
• http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf
• https://ipc2u.com/articles/knowledge-base/detailed-description-of-the-modbus-tcp-protocol-with-command-examples/ by Seda Narli