Modbus Tutorial from Control Solutions https://www.csimn.com/CSI_pages/Modbus101.

html

 (https://www.facebook.com/Control-Solutions-Minnesota-Inc-272608333650812) 
(../index.html)
(https://www.linkedin.com/company/control-solutions-minnesota-inc.)  (https://www.youtube.com
/channel/UC4cfJLYA5laABCNiTG25Z3A)

Modbus 101 - Introduction to Modbus

What is Modbus?
Modbus is an industrial protocol standard that was created by Modicon, now Schneider Electric, in the
late 1970’s for communication among programmable logic controllers (PLCs). Modbus remains the most
widely available protocol for connecting industrial devices. The Modbus protocol specification is openly
published and use of the protocol is royalty-free.

Modbus protocol is defined as a master/slave protocol, meaning a device operating as a master will poll
one or more devices operating as a slave. This means a slave device cannot volunteer information; it
must wait to be asked for it. The master will write data to a slave device’s registers, and read data from a
slave device’s registers. A register address or register reference is always in the context of the slave’s
registers.

The most commonly used form of Modbus protocol is RTU over RS-485. Modbus RTU is a relatively
simple serial protocol that can be transmitted via traditional UART technology. Data is transmitted in 8-bit
bytes, one bit at a time, at baud rates ranging from 1200 bits per second (baud) to 115200 bits per
second. The majority of Modbus RTU devices only support speeds up to 38400 bits per second.

1 of 14 12/5/24, 16:58
Modbus Tutorial from Control Solutions https://www.csimn.com/CSI_pages/Modbus101.html

A Modbus RTU network has one Master and one or more Slaves. Each slave has a unique 8-bit device
address or unit number. Packets sent by the master include the address of the slave the message is
intended for. The slave must respond only if its address is recognized, and must respond within a certain
time period or the master will call it a "no response" error.

Each exchange of data consists of a request from the master, followed by a response from the slave.
Each data packet, whether request or response, begins with the device address or slave address, followed
by function code, followed by parameters defining what is being asked for or provided. The exact formats
of the request and response are documented in detail in the Modbus protocol specification. The general
outline of each request and response is illustrated below.

Modbus data is most often read and written as "registers" which are 16-bit pieces of data. Most often, the
register is either a signed or unsigned 16-bit integer. If a 32-bit integer or floating point is required, these
values are actually read as a pair of registers. The most commonly used register is called a Holding
Register, and these can be read or written. The other possible type is Input Register, which is read-only.

The exceptions to registers being 16 bits are the coil and the discrete input, which are each 1 bit only.
Coils can be read or written, while discrete inputs are read-only. Coils are usually associated with relay
outputs.

The type of register being addressed by a Modbus request is determined by the function code. The most
common codes include 3 for "read holding registers", and may read 1 or more. Function code 6 is used to
write a single holding register. Function code 16 is used to write one or more holding registers.

Visualizing Data in the Modbus Device

Modbus slave devices can be visualized as having an internal spread sheet filled with numbers. The
Modbus master will ask a slave for its data value or number found in a given row and column, and the
slave will respond by sending that piece of data back to the master. Of course, this process can be
reversed with the Modbus master telling the slave what number to put into its data table at a given row

2 of 14 12/5/24, 16:58
Modbus Tutorial from Control Solutions https://www.csimn.com/CSI_pages/Modbus101.html

and column.

The "columns" in a Modbus device's "spread sheet" are more formally known as register types. Register
type may be a coil, a discrete input (aka status input), an input register, or a holding register.

The "rows" in a Modbus device's "spread sheet" are simply the register number. Most often, these start at
1 and count up sequentially. Some devices might not have a register 1, and their first register may be
number 100 for example. If the register number does not exist in the slave device, it will send back an
"oops" message properly known as an exception. The exception provides an error code that says "no such
register" (exception code 2, illegal data address).

What is Modbus TCP?

Modbus TCP encapsulates Modbus RTU request and response data packets in a TCP packet transmitted
over standard Ethernet networks. The unit number is still included and its interpretation varies by
application – the unit or slave address is not the primary means of addressing in TCP. The address of
most importance here is the IP address, e.g. 192.168.1.100. The standard port for Modbus TCP is 502,
but port number can often be reassigned if desired.

The checksum field normally found at the end of an RTU packet is omitted from the TCP packet.
Checksum and error handling are handled by Ethernet in the case of Modbus TCP.

The TCP version of Modbus follows the OSI Network Reference Model. Modbus TCP defines the
presentation and application layers in the OSI model.

Modbus TCP makes the definition of master and slave less obvious because Ethernet allows peer to peer
communication. The definition of client and server are better known entities in Ethernet based

3 of 14 12/5/24, 16:58
Modbus Tutorial from Control Solutions https://www.csimn.com/CSI_pages/Modbus101.html

networking. In this context, the slave becomes the server and the master becomes the client. There can
be more than one client obtaining data from a server. In Modbus terms, this means there can be multiple
masters as well as multiple slaves. Rather than defining master and slave on a physical device by device
basis, it now becomes the system designer’s responsibility to create logical associations between master
and slave functionality.

What is Modbus ASCII?

Modbus ASCII is an older implementation that contains all of the elements of an RTU packet, but
expressed entirely in printable ASCII characters. Modbus ASCII is considered deprecated, is rarely used
any more, and is not included in the formal Modbus protocol specification.

Review of Modbus Register Types

The types of registers referenced in Modbus devices include the following:
• Coil (Discrete Output)
• Discrete Input (or Status Input)
• Input Register
• Holding Register

Whether a particular device includes all of these register types is up to the manufacturer. It is very
common to find all I/O mapped to holding registers only. Coils are 1-bit registers, are used to control
discrete outputs, and may be read or written. Discrete Inputs are 1-bit registers used as inputs, and may
only be read. Input registers are 16-bit registers used for input, and may only be read. Holding registers
are the most universal 16-bit register, may be read or written, and may be used for a variety of things
including inputs, outputs, configuration data, or any requirement for "holding" data.

Control Solutions gateways will support all register types when the gateway is the master, or when
operating in direct mode (Babel Buster SP-GW). Control Solutions gateways that connect a non-Modbus
device to a Modbus network will in some cases use only holding registers to represent the non-Modbus
device data.

Most Control Solutions I/O devices use holding registers for all types of inputs and outputs. In most
cases, the same I/O is accessible as other register types as well, with the I/O status or value being
mirrored in multiple registers.

Review of Modbus Function Codes

Modbus protocol defines several function codes for accessing Modbus registers. There are four different
data blocks defined by Modbus, and the addresses or register numbers in each of those overlap.
Therefore, a complete definition of where to find a piece of data requires both the address (or register
number) and function code (or register type).

The function codes most commonly recognized by Modbus devices are indicated in the table below. This

4 of 14 12/5/24, 16:58
Modbus Tutorial from Control Solutions https://www.csimn.com/CSI_pages/Modbus101.html

is only a subset of the codes available - several of the codes have special applications that most often do
not apply.

Modbus Function Codes Recognized by CSI Gateways

Function Code Register Type
1 Read Coil
2 Read Discrete Input
3 Read Holding Registers
4 Read Input Registers
5 Write Single Coil
6 Write Single Holding Register
15 Write Multiple Coils
16 Write Multiple Holding Registers

Review of Modbus Exception (error) Codes

When a Modbus slave recognizes a packet, but determines that there is an error in the request, it will
return an exception code reply instead of a data reply. The exception reply consists of the slave address
or unit number, a copy of the function code with the high bit set, and an exception code. If the function
code was 3, for example, the function code in the exception reply will be 0x83. The exception codes will
be one of the following:

The function code received in the query is not recognized by the slave or
1 Illegal Function
is not allowed by the slave.
The data address (register number) received in the query is not an
2 Illegal Data Address allowed address for the slave, i.e., the register does not exist. If multiple
registers were requested, at least one was not permitted.
The value contained in the query's data field is not acceptable to the
3 Illegal Data Value
slave.
An unrecoverable error occurred while the slave was attempting to
4 Slave Device Failure
perform the requested action
The slave is engaged in processing a long-duration command. The
6 Slave Device Busy
master should try again later.
Gateway Path Specialized use in conjunction with gateways, usually means the gateway
10
Unavailable is misconfigured or overloaded
Gateway Target
Specialized use in conjunction with gateways, indicates no response was
11 Device Failed
received from the target device.
to Respond

5 of 14 12/5/24, 16:58
Modbus Tutorial from Control Solutions https://www.csimn.com/CSI_pages/Modbus101.html

Where do I Start for Communicating with My Modbus Device?

Here are the first few things you need to find out:

(1) What is the physical connection?

Modbus RTU uses RS-485 or RS-232. Modbus TCP uses Ethernet. If you are looking for a Control
Solutions gateway, you will need to pick the model that matches the electrical interface of the equipment
you want to connect. If you are choosing a Control Solutions I/O device, pick one that matches your
network.

(2) How are the registers mapped?

When using a gateway to interface a Modbus device to a non-Modbus network, you need to get
documentation from the equipment manufacturer that describes the available registers and how to
address them. Modbus protocol does not provide a means for registers to automatically identify
themselves. Control Solutions cannot determine this information for you. You must consult the
equipment manufacturer.

When using Control Solutions I/O devices (such as AddMe III) you will find this information in the online
help files that came with the device, or on our web site.

(3) What are the communication parameters?

Modbus RTU requires that you know or define baud rate, character format (8 bits no parity, etc), and slave
ID (aka slave address, unit number, unit ID). A mis-match in any of these will result in no communication.

Modbus TCP requires that you know or define IP addresses on the network. In some cases, you also need
unit ID's. Control Solutions Modbus TCP devices may use the unit ID, or may ignore it, depending on the
device and the application.

Modbus: When 40001 Really Means 1, or 0 Really Means 1

Documentation for Modbus is not well standardized. Actually there is a standard, but not well followed
when it comes to documentation. You will have to do one or more of the following to decipher which
register a manufacturer is really referring to:

a) Look for the register description, such as holding register, coil, etc. If the documentation says #1, and
tells you they are holding registers, then you have holding register #1. You also have user friendly
documentation.

b) Look at the numbers themselves. If you see the first register on the list having a number 40001, that

6 of 14 12/5/24, 16:58
Modbus Tutorial from Control Solutions https://www.csimn.com/CSI_pages/Modbus101.html

really tells you register #1, and it is a holding register. This form of notation is often referred to as the old
Modicon convention.

c) Look for a definition of function codes to be used. If you see a register #1, along with notation telling
you to use function codes 3 and 16, that also tells you it is holding register #1.

IMPORTANT: Register 1 is address 0. Read on…

d) Do the numbers in your documentation refer to the register number or address? Register #1 is address
zero. If it is not clear whether your documentation refers to register or address, and you are not getting
the expected result, try plus or minus one for register number. All Control Solutions products refer to
register numbers in configuration software or web pages. However, some manufacturers document their
devices showing address, not register numbers. When you have addresses, you must add one when
entering that register into configuration software from Control Solutions.

40001: Modicon Convention Notation for Modbus Registers

Modbus was originally developed by Gould-Modicon, which is presently Schneider Electric. The notation
originally used by Modicon is still often used today, even though considered obsolete by present Modbus-
IDA standards. The advantage in using the Modicon notation is that two pieces of information are
included in a single number: (a) The register type; (b) The register number. A register number offset
defines the type.

Note: Only the LonWorks versions of Babel Buster gateways use this notation as short hand to conserve
CP space. Many other equipment manufacturers still use this convention in their products. Depending on
which combination of products you are using, you may have to translate between Modicon and current
conventions.

The types of registers referenced in Modbus devices, and supported by Babel Buster gateways, include
the following:
• Coil (Discrete Output)
• Discrete Input (or Status Input)
• Input Register
• Holding Register

Valid address ranges as originally defined for Modbus were 0 to 9999 for each of the above register
types. Valid ranges allowed in the current specification are 0 to 65,535. The address range originally
supported by Babel Buster gateways was 0 to 9999. The extended range addressing was later added to
all new Babel Buster products.

The address range applies to each type of register, and one needs to look at the function code in the
Modbus message packet to determine what register type is being referenced. The Modicon convention
uses the first digit of a register reference to identify the register type.

Register types and reference ranges recognized with Modicon notation are as follows:

7 of 14 12/5/24, 16:58
Modbus Tutorial from Control Solutions https://www.csimn.com/CSI_pages/Modbus101.html

0x = Coil = 00001-09999
1x = Discrete Input = 10001-19999
3x = Input Register = 30001-39999
4x = Holding Register = 40001-49999

On occasion, it is necessary to access more than 10,000 of a register type. Based on the original
convention, there is another de facto standard that looks very similar. Additional register types and
reference ranges recognized with Modicon notation are as follows:

0x = Coil = 000001-065535
1x = Discrete Input = 100001-165535
3x = Input Register = 300001-365535
4x = Holding Register = 400001-465535

When using the extended register referencing, it is mandatory that all register references be exactly six
digits. This is the only way Babel Buster will know the difference between holding register 40001 and coil
40001. If coil 40001 is the target, it must appear as 040001.

Registers Are 16-bits - How Do I Read Floating Point or 32-bit Data?

Modbus protocol defines a holding register as 16 bits wide; however, there is a widely used de facto
standard for reading and writing data wider than 16 bits. The most common are IEEE 754 floating point,
and 32-bit integer. The convention may also be extended to double precision floating point and 64-bit
integer data.

The wide data simply consists of two consecutive "registers" treated as a single wide register. Floating
point in 32-bit IEEE 754 standard, and 32-bit integer data, are widely used. Although the convention of
register pairs is widely recognized, agreement on whether the high order or low order register should
come first is not standardized. For this reason, many devices, including all Control Solutions gateways,
support a "swap" option. This means you simply check the "swapped" option if the other device treats
wide data in the opposite order relative to Control Solutions default order. In some cases, the “swap”
option is more explicitly identified as “high order data is in first register” or something to that effect.

Most Control Solutions Modbus products default to placing the high order register first, or in the lower
numbered register. This is known as "big endian", and is consistent with Modbus protocol which is by
definition big endian itself. The byte order for all 16-bit values is most significant byte first.

What Does Notation Like 40001:7 Mean?

This is a commonly used notation for referencing individual bits in a register. This particular example
references (Modicon notation) register 40001, bit 7. Bits are generally numbered starting at bit 0, which is
the least significant or right most bit in the field of 16 bits found in a Modbus register. If this style
notation is used, you may see 40001:0 through 40001:15.

8 of 14 12/5/24, 16:58
Modbus Tutorial from Control Solutions https://www.csimn.com/CSI_pages/Modbus101.html

How Do I Read Individual Bits in a Register?

Documentation tends to be slightly different for every Modbus device. But if your device packs multiple
bits into a single holding register, the documentation will note up to 16 different items found at the same
register number or address. The bits may be identified with “Bn” or “Dn” or just “bit n”. Most of the time,
the least significant bit will be called bit 0 and the most significant will be bit 15. It is possible you could
find reference to bit 1 through bit 16, in which case just subtract one from the number to reference the
table below.

You cannot read just one bit from a holding register. There is no way to do that - Modbus protocol simply
does not provide that function. You must read all 16 bits, and then test the individual bit you are
interested in for true or false (1 or 0). Babel Buster gateways provide an automatic way of doing that by
including a "mask" in each register map or rule. Each time the register is read, the mask will be logically
AND-ed with the data from the register, and the result will be right justified to yield a 1 or 0 based on
whether the selected bit was 1 or 0. Babel Buster gateways provide optimization when successive read
maps or rules are selecting different bits from the same register. The Modbus register will be read from
the slave once, and the 16-bit data will be shared with successive maps or rules, with each map or rule
selecting its bit of interest.

The bit mask shown in the expanded form of the Babel Buster RTU read map is a 4 digit hexadecimal (16
bit) value used to mask out one or more bits in a register. The selected bits will be right justified, so a
single bit regardless of where positioned in the source register will be stored locally as 0 or 1. The hex bit
mask values would be as follows:

B0/D0/bit 0 mask = 0001

B1/D1/bit 1 mask = 0002
B2/D2/bit 2 mask = 0004
B3/D3/bit 3 mask = 0008
B4/D4/bit 4 mask = 0010
B5/D5/bit 5 mask = 0020
B6/D6/bit 6 mask = 0040
B7/D7/bit 7 mask = 0080
B8/D8/bit 8 mask = 0100
B9/D9/bit 9 mask = 0200
B10/D10/bit 10 mask = 0400
B11/D11/bit 11 mask = 0800
B12/D12/bit 12 mask = 1000
B13/D13/bit 13 mask = 2000
B14/D14/bit 14 mask = 4000
B15/D15/bit 15 mask = 8000

Some Modbus devices also back two 8-bit values into a single 16-bit register. The two values will typically
be documented as “high byte” and “low byte” or simply have “H” and “L” indicated. If you run into this

9 of 14 12/5/24, 16:58
Modbus Tutorial from Control Solutions https://www.csimn.com/CSI_pages/Modbus101.html

scenario, the masking for bytes is as follows:

High byte mask = FF00

Low byte mask = 00FF

When the mask value in a Babel Buster gateway is more than just one bit, the mask is still logically AND-
ed with the data from the Modbus slave, and the entire resulting value is right justified to produce an
integer value of less than the original bit width of the original register.

There have been a few instances of documenting packed bits in a 32-bit register. Although Modbus
protocol is strictly 16-bit registers, some implementations force you to read pairs of registers. If your
device documents 32 packed bits, then you would insert 0000 in front of each mask above, and the
remainder of the list would be as follows:

B16/D16/bit 16 mask = 00010000

B17/D17/bit 17 mask = 00020000
B18/D18/bit 18 mask = 00040000
B19/D19/bit 19 mask = 00080000
B20/D20/bit 20 mask = 00100000
B21/D21/bit 21 mask = 00200000
B22/D22/bit 22 mask = 00400000
B23/D23/bit 23 mask = 00800000
B24/D24/bit 24 mask = 01000000
B25/D25/bit 25 mask = 02000000
B26/D26/bit 26 mask = 04000000
B27/D27/bit 27 mask = 08000000
B28/D28/bit 28 mask = 10000000
B29/D29/bit 29 mask = 20000000
B30/D30/bit 30 mask = 40000000
B31/D31/bit 31 mask = 80000000

Can I Put 2 Gateways on the Same Modbus Network?

You can not have more than one Master on a Modbus RTU (RS-485) network. Therefore, if the gateway is
to be configured as the Master, you can only have 1 gateway. You cannot use multiple gateways to read
more points from the same Modbus slave device.

Multiple gateways configured as slaves can reside on the same Modbus RS-485 network.

If you are using RS-232 devices, you can have only two devices total, regardless of how they are
configured. RS-232 is not multi-drop.

How Many Devices Can I Have on a Modbus Network?

Logically you can address over 250 devices; however, the RS-485 transceivers are not capable of

10 of 14 12/5/24, 16:58
Modbus Tutorial from Control Solutions https://www.csimn.com/CSI_pages/Modbus101.html

physically driving that many devices. Modbus protocol states that the limit is 32 devices, and most
RS-485 transceivers will agree with this. Only if all devices on the network have low load transceivers can
you have more than 32 devices.

Where Can I Get a Copy of the Modbus Protocol Specification?

You can get a copy of the Modbus protocol specification by visiting www.modbus.org
(http://www.modbus.org). There are three documents of primary interest: (1) The application layer
protocol which defines the function codes and addressing; (2) The definition of use over a serial line
(RTU); (3) The definition of use over Ethernet (TCP). You will be asked to accept terms of use, but there is
no cost for these specifications.

Data Logging for Modbus Devices

(DataLogging.html)

Control Solutions' Babel Buster IoT Gateways include stand-alone data logging capability. The IoT Gateway will
query your Modbus devices, log data to a CSV file, and periodically email that file to you as an email attachment.

Your Modbus data logger can collect data from your PLC or any other Modbus device using either Modbus TCP or
Modbus RTU.

Find out more about Control Solutions data logging devices here. (DataLogging.html)

Alarm Monitoring for Modbus Devices

11 of 14 12/5/24, 16:58
Modbus Tutorial from Control Solutions https://www.csimn.com/CSI_pages/Modbus101.html

(MonitoringDevices.html)

Control Solutions IoT devices are cloud capable, but are equally capable of being a robust stand-alone remote
monitoring device. Event rules are powerful and flexible for detecting alarm conditions and generating meaningful
text message notifications. Any Modbus device can be monitored and the remote monitoring is completely
autonomous.

Find out more about Control Solutions remote monitoring devices here. (MonitoringDevices.html)

Modbus Gateways Talks BACnet, LonWorks, SNMP

(GatewaysMB.html)

Modbus gateways are used to connect non-Modbus devices to a Modbus network, or vice versa, effectively acting

12 of 14 12/5/24, 16:58
Modbus Tutorial from Control Solutions https://www.csimn.com/CSI_pages/Modbus101.html

as a protocol converter. Remapping registers to make a new Modbus slave emulate an old Modbus slave is
another application of a Modbus gateway. Translating Modbus RTU to Modbus TCP or vice versa is also a
common application of a Modbus gateway.

Find out more about Control Solutions Modbus gateways here. (GatewaysMB.html)

About our Company

Control Solutions, Inc., a Minnesota corporation founded in 1995, offers a line of control
products tailored to facility management, building automation, telecommunications, and
remote monitoring & control. Control Solutions has thrived on opportunities to expand,
enhance, and support mainstream products and systems. As a result, you can find a little
bit of our equipment connected to a lot of other people's equipment, in a lot of different places, doing a lot of different
things.

Office Hours
Monday-Thursday 7:00AM-5:00PM
Central/Chicago USATime Zone

Helpful Links
 Home Page (../index.html)
 Shop Online (https://store.csimn.com)
 Support Ticket (https://ticket.csimn.com)
 Knowledgebase (https://info.csimn.com)
 Quotes (Quotes.html)
 Contact Us (ContactUs.html)
 About Us (AboutUs.html)
 Terms & Conditions (terms.html)
 Privacy Policy (privacy.html)
 Legal (legal.html)

Contact Info
Mailing Address:
PO Box 10789
St. Paul, MN 55110-0789

13 of 14 12/5/24, 16:58
Modbus Tutorial from Control Solutions https://www.csimn.com/CSI_pages/Modbus101.html

NEW Shipping Address:

10550 South Avenue
Chisago City, MN 55013

Phone Number:
651-426-4410
800-872-8613

Fax Number:
651-426-4418

E-mail:
[email protected]

Copyright 2020 Control Solutions Minnesota, Inc. All Rights Reserved.

14 of 14 12/5/24, 16:58