Modbus Protocol

Modbus is a widely-used industrial communication protocol for connecting electronic devices. Originally developed for PLCs, it's now a de facto standard for industrial automation and equipment integration.

Overview

Modbus provides:

Master-slave architecture
Simple request/response model
Multiple transport options (RTU, TCP)
Standard function codes
Register-based data model
Wide device support

Protocol Variants

Modbus RTU

Serial communication (RS-232/RS-485):

Binary protocol
CRC error checking
Compact and efficient
Common in industrial settings
Multi-drop bus topology

Configuration:

Baud rate: 9600, 19200, 38400, etc.
Data bits: 8
Parity: None, Even, Odd
Stop bits: 1 or 2

Modbus TCP

Ethernet-based communication:

Uses TCP/IP
Port 502 (standard)
No CRC (TCP handles integrity)
Supports multiple simultaneous connections
Point-to-point or routed

Modbus ASCII

ASCII encoding (rarely used):

Human-readable
Less efficient
LRC error checking
Easier debugging

Architecture

Master-Slave Model

Master (Client):

Initiates all communication
Sends requests
Receives responses
Controls bus access

Slave (Server):

Responds to requests
Unique address (1-247)
Cannot initiate communication
Passive listener

Communication Flow

Master sends request to slave
Slave processes request
Slave sends response
Master receives response

Only master initiates transactions

Data Model

Register Types

Coils (0x):

Type: Read/write bits
Access: Read/write
Use: Digital outputs (relays, LEDs)
Function codes: 01, 05, 15

Discrete Inputs (1x):

Type: Read-only bits
Access: Read only
Use: Digital inputs (switches, sensors)
Function code: 02

Input Registers (3x):

Type: Read-only 16-bit
Access: Read only
Use: Analog inputs (temperature, pressure)
Function code: 04

Holding Registers (4x):

Type: Read/write 16-bit
Access: Read/write
Use: Configuration, setpoints, analog outputs
Function codes: 03, 06, 16

Address Notation

Traditional Notation:

Coils:              00001 - 09999 (0-based internally)
Discrete Inputs:    10001 - 19999
Input Registers:    30001 - 39999
Holding Registers:  40001 - 49999

Modern (Protocol) Addresses:

All types: 0 - 65535
Register type determined by function code

Function Codes

Read Functions

FC01: Read Coils

Request: 
- Slave address
- Function code: 01
- Starting address: 0x0000
- Quantity: 0x000A (10 coils)

Response:
- Slave address
- Function code: 01
- Byte count: 0x02
- Coil status: 0xCD 0x01

FC02: Read Discrete Inputs Similar to FC01 but for inputs

FC03: Read Holding Registers

Request:
- Slave address: 0x01
- Function code: 0x03
- Starting address: 0x006B (register 107)
- Quantity: 0x0003 (3 registers)

Response:
- Slave address: 0x01
- Function code: 0x03
- Byte count: 0x06 (6 bytes)
- Register values: 0x022B 0x0000 0x0064

FC04: Read Input Registers Similar to FC03 but for input registers

Write Functions

FC05: Write Single Coil

Request:
- Slave address: 0x01
- Function code: 0x05
- Coil address: 0x00AC (coil 172)
- Value: 0xFF00 (ON) or 0x0000 (OFF)

Response: (Echo of request)
- Same as request

FC06: Write Single Register

Request:
- Slave address: 0x01
- Function code: 0x06
- Register address: 0x0001
- Value: 0x0003

Response: (Echo of request)

FC15: Write Multiple Coils

Request:
- Slave address: 0x01
- Function code: 0x0F
- Starting address: 0x0013
- Quantity: 0x000A (10 coils)
- Byte count: 0x02
- Coil values: 0xCD 0x01

FC16: Write Multiple Registers

Request:
- Slave address: 0x01
- Function code: 0x10
- Starting address: 0x0001
- Quantity: 0x0002 (2 registers)
- Byte count: 0x04
- Register values: 0x000A 0x0102

Message Format

Modbus RTU Frame

[Slave Address][Function Code][Data][CRC]

Slave Address: 1 byte (1-247, 0=broadcast)
Function Code: 1 byte
Data: N bytes
CRC: 2 bytes (CRC-16)

Example:

Request: 01 03 00 00 00 0A C5 CD
- Slave: 01
- Function: 03 (read holding registers)
- Start address: 00 00 (0)
- Quantity: 00 0A (10)
- CRC: C5 CD

Modbus TCP Frame

[MBAP Header][Function Code][Data]

MBAP Header:
- Transaction ID: 2 bytes
- Protocol ID: 2 bytes (0x0000)
- Length: 2 bytes
- Unit ID: 1 byte (slave address)

Function Code: 1 byte
Data: N bytes

No CRC (TCP provides integrity)

Error Handling

Exception Responses

When error occurs:

Response:
- Slave address
- Function code + 0x80 (e.g., 0x83 for FC03 error)
- Exception code

Exception Codes

01: Illegal Function

Function code not supported

02: Illegal Data Address

03: Illegal Data Value

Value out of range

04: Slave Device Failure

Slave device error

05: Acknowledge

Long operation, acknowledged

06: Slave Device Busy

Try again later

07: Memory Parity Error

Memory error

08: Gateway Path Unavailable

Gateway routing issue

Example:

Request: 01 03 00 6B 00 03 [CRC]
Error Response: 01 83 02 [CRC]
- Function: 0x83 (0x03 + 0x80)
- Exception: 02 (Illegal Address)

Data Types

16-bit Values

Single register:

INT16: -32768 to 32767
UINT16: 0 to 65535

32-bit Values

Two consecutive registers:

High-Low (Big Endian):

Register 1: High word
Register 2: Low word

Low-High (Little Endian):

Register 1: Low word
Register 2: High word

Example (value 123456):

High-Low: [0x0001][0xE240]
Low-High: [0xE240][0x0001]

Floating Point

Two registers (32-bit float):

IEEE 754 format
Byte order varies by device

Strings

Multiple registers:

Each register = 2 ASCII characters
"TEMP" = [0x5445][0x4D50]

Timing Requirements

Modbus RTU Timing

Character Timeout:

1.5 character times
Marks end of frame

Frame Timeout:

3.5 character times
Silence between frames

Response Timeout:

Typically 500ms - 2s
Device-dependent

Modbus TCP Timing

Connection Timeout:

Initial connection: 1-5s

Response Timeout:

Request response: 1-10s

Keep-Alive:

Optional TCP keep-alive

Best Practices

Polling Strategy

Sequential Polling:

Poll Slave 1
Wait for response
Poll Slave 2
Wait for response
Repeat

Optimized Polling:

Group register reads
Use multiple register read
Adjust poll rate per device
Priority-based polling

Error Recovery

Timeout:

Wait for response timeout
Retry (up to 3 times)
Log error
Continue with next slave

CRC Error:

Discard message
Retry request
Count errors
Check wiring if frequent

Performance Optimization

Reduce Transactions:

Read multiple registers at once
Batch writes when possible
Minimize polling frequency

Optimize Baud Rate:

Higher baud = faster communication
Must match all devices
Consider cable length and quality

Minimize Latency:

Reduce response timeouts
Use appropriate poll rates
Prioritize critical data

Security Considerations

Modbus has no built-in security:

Mitigations

Network Segmentation:

Isolate Modbus network
Use VLANs
Firewall rules

VPN/TLS:

Tunnel Modbus over VPN
Use Modbus Security (rare)

Access Control:

Restrict physical access
Monitor network traffic
Log all transactions

Input Validation:

Validate all data
Check ranges
Implement safety interlocks

AppBlocks Implementation

Modbus Master

Configure Modbus Master feature:

Serial or TCP settings
Poll multiple slaves
Read/write registers
Error handling

Modbus Slave

Configure Modbus Slave feature:

Slave address
Register mapping
Link to variables
Respond to requests

Blocks

Read/Write:

Modbus Read block
Modbus Write block

Events:

Use Cases

Temperature Sensor

Read Input Registers (FC04)
Address: 0
Quantity: 1
Response: Temperature in 0.1°C units
Example: 0x00E1 = 225 = 22.5°C

Control Relay

Write Single Coil (FC05)
Address: 0
Value: 0xFF00 (ON) or 0x0000 (OFF)

Read Power Meter

Read Holding Registers (FC03)
Address: 0
Quantity: 6
Returns: Voltage, Current, Power (2 registers each)

Set Temperature Setpoint

Write Single Register (FC06)
Address: 100
Value: Setpoint * 10 (e.g., 225 for 22.5°C)

Troubleshooting

Common Modbus issues:

No response:

Check slave address
Verify baud rate/parity
Check wiring and termination
Verify slave is powered

CRC errors:

Check baud rate settings
Verify cable quality
Check for EMI/noise
Proper grounding

Exception 02 (Illegal Address):

Verify register address
Check device documentation
Confirm register exists

Timeout:

Increase timeout value
Check network latency
Verify device responsiveness
Reduce poll rate

Testing Tools

Modbus Poll (Master Simulator)

Test Modbus slaves
Monitor registers
Simulate master

Modbus Slave (Slave Simulator)

Test master implementations
Simulate device responses
Protocol testing

Wireshark

Capture Modbus TCP traffic
Analyze packets
Debug communication

Monitoring

Control

Modbus Protocol

Overview​

Protocol Variants​

Modbus RTU​

Modbus TCP​

Modbus ASCII​

Architecture​

Master-Slave Model​

Communication Flow​

Data Model​

Register Types​

Address Notation​

Function Codes​

Read Functions​

Write Functions​

Message Format​

Modbus RTU Frame​

Modbus TCP Frame​

Error Handling​

Exception Responses​

Exception Codes​

Data Types​

16-bit Values​

32-bit Values​

Floating Point​

Strings​

Timing Requirements​

Modbus RTU Timing​

Modbus TCP Timing​

Best Practices​

Polling Strategy​

Error Recovery​

Performance Optimization​

Security Considerations​

Mitigations​

AppBlocks Implementation​

Modbus Master​

Modbus Slave​

Blocks​

Use Cases​

Temperature Sensor​

Control Relay​

Read Power Meter​

Set Temperature Setpoint​

Troubleshooting​

Testing Tools​

Modbus Poll (Master Simulator)​

Modbus Slave (Slave Simulator)​

Wireshark​

See Also​