Modbus RTU protocol description

Modbus - communication protocol is based on the master-slave architecture.

It uses RS-485, RS-422, and RS-232 interfaces, as well as Ethernet TCP / IP
networks (Modbus TCP protocol) for data transfer.

The Modbus RTU message consists of the address of the SlaveID device, the
function code, and the special data, depending on the function code and the
CRC of the checksum.

Understanding the four types of registers:

MODBUS RTU defines four types of registers, each serving distinct purposes in industrial
automation:
 Coils (Discrete outputs): Coils represent binary outputs that can be controlled by the
master device. They have two states: ON (1) and OFF (0). Coils are read and written by
the master, allowing it to control various industrial processes.

 Discrete inputs: Discrete inputs provide binary input data to the master device. These
registers are read-only for the master and typically represent the status of sensors or
switches.

 Input registers: Input registers store analog data or data received from sensors. These
registers are read-only for the master and provide valuable information about the
external environment.

 Holding registers: Holding registers serve as a two-way communication channel,

allowing both read and write operations. They are commonly used to control slave
devices and store temporary data.

REGISTER REGISTER
TYPE NAME Symbol
NUMBER ADDRESS

1-9999 0000 to 9998 read-write Discrete Output Coils DO

10001-19999 0000 to 9998 read Discrete Input Contacts DI

30001-39999 0000 to 9998 read Analog Input Registers AI

40001-49999 0000 to 9998 read-write Analog Output Holding Registers AO

The Modbus message uses the register address.

For example, the first register of AO Holding Register has the number 40001,
but its address is 0000.

The difference between these two quantities is “offset”.

Each table has its own offset, respectively: 1, 10001, 30001 and 40001.

The Function Code

The following is an example of a Modbus RTU request for obtaining the AO

value of the holding registers from registers # 40108 to 40110 with the address
of device 17.

11 03 00 6B 00 03 76 87

11 THE ADDRESS OF THE SLAVEID DEVICE (17 = 11 HEX)

03 Functional code Function Code
006B The address of the first register (40108-40001 = 107 = 6B hex)
The number of required registers
0003 (reading 3 registers from 40108 to 40110)
7687 CRC checksum

In response to the Modbus RTU Slave device we get:

11 03 06 AE 41 56 52 43 40 49 AD

11 THE ADDRESS OF THE SLAVEID DEVICE

03 Functional code Function Code
06 The number of bytes further (6 bytes follow)
AE 41 Value of Register 1 (40108)
 5652 Value of Register 2 (40109)
4340 Value of Register 3 (40110)
49AD CRC checksum

The AE 41 HEX value is 16 bits 1010 1110 0100 0001, which can take a different
value, depending on the type of representation.

The value of register 40108 when combined with register 40109 gives a 32-bit
value.

An example of a representation.

Example in In decimal
View type Value Range
HEX form

16-bit unsigned integer 0 to 65535 AE41 44,609

16-bit signed integer -32768 to 32767 AE41 -20,927

two-character ASCII string 2 char AE41 ®A

discrete on/off value 0 and 1 0001 0001

32-bit unsigned integer 0 to 4,294,967,295 AE41 5652 2,923,517,522

-2,147,483,648 to -
32-bit signed integer AE41 5652
2,147,483,647 1,371,449,774

32-bit single precision IEEE 1,2·10−38 to -4.395978 E-

AE41 5652
floating point number 3,4×10+38 11

four-character ASCII string 4 char AE41 5652 ®AVR

How can I send a Modbus RTU command to read

discrete output? Command 0x01
This command is used to read the values of the DO digital outputs.

The PDU request specifies the start address of the first DO register and the
subsequent number of required DO values. In the PDU, the DO values are
addressed starting from zero.

The DO values in the response are in one byte and correspond to the value of
the bits.

The bit values are defined as 1 = ON and 0 = OFF.

The low bit of the first data byte contains the DO value whose address was
specified in the request. The remaining values of DO follow the increasing
value to the highest value of the byte. Those. from right to left.

If less than eight DO values were requested, the remaining bits in the response
will be filled with zeros (in the direction from the low to high byte). Byte
Count The number of bytes further indicates the number of full bytes of data in
the response.

Example of a DO query

 Read coils 20 to 56  37 coils (25 hex).

 device's SlaveID address 17.

The address of the first coil will be 19 (20-1) = 0013.

11 01 00 13 00 25 0E 84

11 THE ADDRESS OF THE SLAVEID DEVICE (17 = 11 HEX)

03 Functional code Function Code
0013 The address of the first register (20-1 = 19 = 13 hex)
The number of required registers
0025 (reading 37 registers from 20 to 56)
0E84 CRC checksum

In response to the Modbus RTU Slave device we get:

11 01 05 CD 6B B2 0E 1B 45 E6

11 THE ADDRESS OF THE SLAVEID DEVICE

03 Functional code Function Code
05 The number of bytes further (5 bytes follow)
CD Register value DO 27-20 (1100 1101)
6B Register value DO 35-28 (0110 1011)
B2 Register value DO 43-36 (1011 0010)
0E Register value DO 51-44 (0000 1110)
1B Register value DO 56-52 (0001 1011)
45E6 CRC checksum
 REQUEST RESPONSE
(Hex) Field name (Hex) Field name
11 Device address 11 Device address
01 Functional code 01 Functional code
00 Address of the first register Hi bytes 05 Number of bytes more
13 Address of the first register Lo bytes CD Register value DO 27-20 (1100 1101)
00 Number of registers Hi bytes 6B Register value DO 35-28 (0110 1011)
25 Number of registers Lo bytes B2 Register value DO 43-36 (1011 0010)
0E Checksum CRC 0E Register value DO 51-44 (0000 1110)
84 Checksum CRC 1B Register value DO 56-52 (0001 1011)
45 Checksum CRC
E6 Checksum CRC

The output states of DO 27-20 are shown as the values of the byte CD hex, or in
the binary system 1100 1101.

In register DO 56-52, 5 bits on the right were requested, and the remaining bits
are filled with zeros to the full byte (0001 1011).

Channels - - - DO 56 DO 55 DO 54 DO 53 DO 52
Bits 0 0 0 1 1 0 1 1
Hex 1B

How can I send a Modbus RTU command to read a

digital input? Command 0x02
This command is used to read the values of digital inputs DI.

Example of a DI request from the registers from # 10197 to 10218 for the
device's SlaveID address 17. The address of the first register will be 00C4 hex =
196, because the Account is maintained from 0 address.

REQUEST RESPONSE
(Hex) Field name (Hex) Field name
11 Device address 11 Device address
02 Functional code 02 Functional code
00 Address of the first register Hi bytes 03 Number of bytes more
C4 Address of the first register Lo bytes AC Register value DI 10204-10197 (1010 1100)
00 Number of registers Hi bytes DB Register value DI 10212-10205 (1101 1011)
16 Number of registers Lo bytes 35 Register value DI 10218-10213 (0011 0101)
BA Checksum CRC 20 Checksum CRC
A9 Checksum CRC 18 Checksum CRC

How can I send a Modbus RTU command to read

analog output? Command 0x03
This command is used to read the values of the analog outputs AO.
Example of an AO request from registers from # 40108 to 40110 for the SlaveID
of the device address 17. The address of the first register will be 006B hex = 107,
because Account is maintained from 0 address.

REQUEST ANSWER
(Hex) Field name (Hex) Field name
11 Device address 11 Device address
03 Functional code 03 Functional code
00 Address of the first register Hi bytes 06 Number of bytes more
6B Address of the first register Lo bytes AE Register value Hi #40108
00 Number of registers Hi bytes 41 Register value Lo #40108
03 Number of registers Lo bytes 56 Register value Hi #40109
76 Checksum CRC 52 Register value Lo #40109
87 Checksum CRC 43 Register value Hi #40110
40 Register value Lo #40110
49 Checksum CRC
AD Checksum CRC

How can I send the Modbus RTU command to read

the analog input? Command 0x04
This command is used to read the values of analog inputs AI.

Example of an AI request from the register # 30009 for the SlaveID of the
device address 17. The address of the first register is 0008 hex = 8, because
Account is maintained from 0 address.

REQUEST RESPONSE
(Hex) Field name (Hex) Field name
11 Device address 11 Device address
04 Functional code 04 Functional code
00 Address of the first register Hi bytes 02 Number of bytes more
08 Address of the first register Lo bytes 00 Register value Hi #30009
00 Number of registers Hi bytes 0A Register value Lo #30009
01 Number of registers Lo bytes F8 Checksum CRC
B2 Checksum CRC F4 Checksum CRC
98 Checksum CRC

Back to contents

How can I send a Modbus RTU command to write

discrete output? Command 0x05
This command is used to record one value of the DO digital output.

The value of FF 00 hex sets the output to ON.

The value 00 00 hex sets the output to OFF.

All other values are invalid and will not be affected by the output value.

The normal response to such a request is an echo (a repeat request in the

response), is returned after the DO state has been changed.

An example of a DO record with register # 173 for the SlaveID address of the
device 17. The register address will be 00AC hex = 172, because Account is
maintained from 0 address.

REQUEST RESPONSE
(Hex) Field name (Hex) Field name
11 Device address 11 Device address
05 Functional code 05 Functional code
00 Address of the first register Hi bytes 00 Address of the first register Hi bytes
AC Address of the first register Lo bytes AC Address of the first register Lo bytes
FF Value of Hi bytes FF Value of Hi bytes
00 Value of Lo bytes 00 Value of Lo bytes
4E Checksum CRC 4E Checksum CRC
8B Checksum CRC 8B Checksum CRC

The DO173 output state has changed from OFF to ON.

How can I send a Modbus RTU command to record

analog output? Command 0x06
This command is used to record one value of the analog output AO.

Example of recording in AO with register # 40002 for SlaveID address of the

device 17. The address of the first register will be 0001 hex = 1, because Account
is maintained from 0 address.

REQUEST RESPONSE
(Hex) Field name (Hex) Field name
11 Device address 11 Device address
06 Functional code 06 Functional code
00 Address of the first register Hi bytes 00 Address of the first register Hi bytes
01 Address of the first register Lo bytes 01 Address of the first register Lo bytes
00 Value of Hi bytes 00 Value of Hi bytes
03 Value of Lo bytes 03 Value of Lo bytes
9A Checksum CRC 9A Checksum CRC
9B Checksum CRC 9B Checksum CRC

How can I send a Modbus RTU command to write

multiple discrete pins? Command 0x0F
This command is used to record multiple values of DO's digital output.
An example of writing in several DOs with registers from # 20 to # 29 for the
SlaveID address of the device 17. The register address will be 0013 hex = 19,
since Account is maintained from 0 address.

REQUEST RESPONSE
(Hex) Field name (Hex) Field name
11 Device address 11 Device address
0F Functional code 0F Functional code
00 Address of the first register Hi bytes 00 Address of the first register Hi bytes
13 Address of the first register Lo bytes 13 Address of the first register Lo bytes
00 Number of registers Hi bytes 00 Number of recorded registers Hi bytes
0A Number of registers Lo bytes 0A Number of recorded registers Lo bytes
02 Number of bytes more 26 Checksum CRC
CD Byte Value DO 27-20 (1100 1101) 99 Checksum CRC
01 Byte Value DO 29-28 (0000 0001)
BF Checksum CRC
0B Checksum CRC

The answer returns the number of registers recorded.

How can I send a Modbus RTU command to record

multiple analog outputs? Command 0x10
This command is used to record multiple values of the analog output AO.

An example of recording in several AO with registers # 40002 and # 40003 for

the SlaveID address of the device 17. The address of the first register will be
0001 hex = 1, because Account is maintained from 0 address.

REQUEST RESPONSE
(Hex) Field name (Hex) Field name
11 Device address 11 Device address
10 Functional code 10 Functional code
00 Address of the first register Hi bytes 00 Address of the first register Hi bytes
01 Address of the first register Lo bytes 01 Address of the first register Lo bytes
00 Number of registers Hi bytes 00 Number of recorded registers Hi bytes
02 Number of registers Lo bytes 02 Number of recorded registers Lo bytes
04 Number of bytes more 12 Checksum CRC
00 Value Hi 40002 98 Checksum CRC
0A Value Lo 40002
01 Value Hi 40003
02 Value Lo 40003
C6 Checksum CRC
F0 Checksum CRC

What are the errors of the Modbus request?

If the device receives a request, but the request can not be processed, the
device will respond with an error code.
 The response will contain the modified Function code, the high-order bit will
be 1.

Example:

IT WAS IT BECOME
FUNCTIONAL CODE IN REQUEST Functional error code in response
01 (01 hex) 0000 0001 129 (81 hex) 1000 0001
02 (02 hex) 0000 0010 130 (82 hex) 1000 0010
03 (03 hex) 0000 0011 131 (83 hex) 1000 0011
04 (04 hex) 0000 0100 132 (84 hex) 1000 0100
05 (05 hex) 0000 0101 133 (85 hex) 1000 0101
06 (06 hex) 0000 0110 134 (86 hex) 1000 0110
15 (0F hex) 0000 1111 143 (8F hex) 1000 1111
16 (10 hex) 0001 0000 144 (90 hex) 1001 0000

Sample request and response with error:

REQUEST RESPONSE
(Hex) Field name (Hex) Field name
0A Device address 0A Device address
01 Functional code 81 Functional code with changed bit
04 Address of the first register Hi bytes 02 Error code
A1 Address of the first register Lo bytes B0 Checksum CRC
00 Number of registers Hi bytes 53 Checksum CRC
01 Number of registers Lo bytes
AC Checksum CRC
63 Checksum CRC

Explanation of error codes

01 FUNCTION CODE ACCEPTED CAN NOT BE PROCESSED.

02 The data address specified in the request is not available.
03 The value contained in the query data field is an invalid value.
04 An unrecoverable error occurred while the slave attempted to perform the requested action.
05 The slave has accepted the request and processes it, but it takes a long time. This response
prevents the host from generating a timeout error.
06 The slave is busy processing the command. The master must repeat the message later when the
slave is freed.
07 The slave can not execute the program function specified in the request. This code is returned
for an unsuccessful program request using functions with numbers 13 or 14. The master must
request diagnostic information or error information from the slave.
08 The slave detected a parity error when reading the extended memory. The master can repeat
the request, but usually in such cases, repairs are required.

modbus use Interfaces:

* RS-485: A common communication standard for industrial environments, supporting multiple devices on the same
network.
* RS-422: Similar to RS-485 but typically used for longer distances and higher data rates.
* RS-232: Generally used for short-distance, point-to-point communication, usually between a computer and a peripheral
device.