Understanding the MODBUS Standard Protocol

1. What is MODBUS?

1. Basic Concepts

MODBUS is a communication protocol initially advocated by MODICON (now a brand of Schneider Electric). It has gradually been recognized as a standard communication protocol through practical applications by most companies. As long as data communication or transmission follows this protocol, different systems can communicate with each other. Currently, it is widely adopted in RS232/RS485 communication processes.

There are two commonly used MODBUS communication protocols: MODBUS ASCII and MODBUS RTU. Generally, MODBUS ASCII is used for communication with a small amount of data, mainly text, while MODBUS RTU is used for larger data volumes and binary values.

In practical applications, to solve specific problems, people often modify the MODBUS protocol to meet their needs (in fact, people frequently use self-defined protocols for communication, which can solve problems but are not very standardized). A more common practice is to make minor modifications to the protocol while attaching the protocol format to the software documentation or directly including it in the help section, making it easier for users to communicate.

2. Overview of the MODBUS Protocol

The ACRXXXE series instruments use the MODBUS-RTU communication protocol, which defines the checksum, data sequence, and other necessary contents for specific data exchanges. The MODBUS protocol uses a master-slave response connection (half-duplex) on a single communication line, meaning that signals are transmitted in opposite directions along the same line. First, the master computer addresses a unique terminal device (slave), and then the response signal from the terminal device is transmitted back to the master in the opposite direction.

The MODBUS protocol only allows communication between the master (PC, PLC, etc.) and terminal devices, and does not permit data exchange between independent terminal devices. This ensures that each terminal device does not occupy the communication line during initialization and is limited to responding to queries directed to it.

3. Query-Response Cycle

Query

The function code in the query message indicates what function the selected slave device should perform. The data segment contains any additional information required for the slave device to execute the function. For example, function code 03 requests the slave device to read holding registers and return their contents. The data segment must include information for the slave device: the starting register to read and the number of registers to read. The error detection field provides a method for the slave device to verify whether the message content is correct.

Response

If the slave device generates a normal response, the function code in the response message corresponds to the function code in the query message. The data segment includes the data collected by the slave device, such as register values or statuses. If an error occurs, the function code will be modified to indicate that the response message is erroneous, and the data segment will contain a code describing the error. The error detection field allows the master device to confirm whether the message content is valid.

4. Transmission Method:

The transmission method refers to a series of independent data structures within a data frame and the limited rules for transmitting data. Below is the definition of the transmission method compatible with the MODBUS protocol – RTU.

Each byte consists of:

· 1 start bit

· 8 data bits, with the least significant bit sent first

· No parity bit

· 1 stop bit

Error checking: CRC (Cyclic Redundancy Check)

5. Protocol

When a data frame reaches the terminal device, it enters the addressed device through a simple “port”. The device removes the “envelope” (data header) of the data frame, reads the data, and if there are no errors, it executes the requested task. Then, it adds its generated data to the received “envelope” and returns the data frame to the sender. The returned response data includes the following content: terminal slave address (Address), executed command (Function), requested data generated by the executed command (Data), and a checksum (Check). If any error occurs, there will be no successful response, or an error indication frame will be returned.

6. Data Frame Format

| Address | Function | Data | Check |
| --- | --- | --- | --- |
| 8-Bits | 8-Bits | N x 8-Bits | 16-Bits |

7. Address (Address) Field

The address field is at the beginning of the frame, consisting of one byte (8 bits), with a decimal range of 0 to 255. In our system, only addresses 1 to 247 are used, while other addresses are reserved. These bits indicate the address of the terminal device specified by the user, which will receive data from the connected master. Each terminal device’s address must be unique, and only the addressed terminal will respond to queries containing that address. When the terminal sends back a response, the slave address data in the response informs the master which terminal is communicating with it.

8. Function (Function) Field

The function code in the function field tells the addressed terminal what function to perform. The table below lists the function codes used by this series of instruments, along with their meanings and functions.

| Code | Meaning | Action |
| --- | --- | --- |
| 03 | Read Holding Registers | Obtain the current binary values of one or more registers |
| 16 | Preset Multiple Registers | Set binary values to a series of multiple registers (not available for ACRXXXE) |

9. Data (Data) Field

The data field contains the data required for the terminal to perform a specific function or the data collected when the terminal responds to a query. The content of this data may be values, reference addresses, or set values. For example, the function code tells the terminal to read a register, and the data field specifies which register to start reading from and how many data points to read. The embedded addresses and data vary according to the type and content between the slave devices.

10. Error Check (Check) Field

This field allows the master and terminal to check for errors during the transmission process. Sometimes, due to electrical noise and other interferences, a set of data may change while being transmitted from one device to another on the line. Error checking ensures that the master or terminal does not respond to data that has changed during transmission, thus improving system safety and efficiency. Error checking uses a 16-bit cyclic redundancy method (CRC16).

11. Error Detection Method

The error check (CRC) field occupies two bytes and contains a 16-bit binary value. The CRC value is calculated by the transmitting device and then appended to the data frame. The receiving device recalculates the CRC value upon receiving the data and compares it with the value in the received CRC field. If the two values are not equal, an error has occurred.

During CRC calculation, a 16-bit register is first initialized to all 1s, and then each byte of the data frame is processed with the current value of that register. Only the 8 bits of each byte participate in generating the CRC; the start and stop bits, as well as any parity bits used, do not affect the CRC. When generating the CRC, each byte’s 8 bits are XORed with the contents of the register, and the result is shifted to the low bit, with the high bit filled with “0”. The least significant bit (LSB) is shifted out and checked; if it is 1, the register is XORed with a preset fixed value (0A001H); if the least significant bit is 0, no action is taken.

This process is repeated until 8 shift operations are completed. After the last bit (the 8th bit) is shifted out, the next 8-bit byte is XORed with the current value of the register, and the same 8 shift XOR operations are performed. When all bytes in the data frame have been processed, the final value generated is the CRC value.

12. The process of generating a CRC is as follows:

① Initialize a 16-bit register to 0FFFFH (all 1s), referred to as the CRC register.

② XOR the 8 bits of the first byte in the data frame with the low byte of the CRC register, and store the result back in the CRC register.

③ Shift the CRC register to the right by one bit, filling the highest bit with 0, and shifting out the lowest bit for checking.

④ If the lowest bit is 0: repeat step three (next shift); if the lowest bit is 1: XOR the CRC register with a preset fixed value (0A001H).

⑤ Repeat steps three and four until 8 shifts are completed. This processes a complete eight bits.

⑥ Repeat steps two to five to process the next eight bits until all bytes are processed.

⑦ The final value of the CRC register is the CRC value.

Additionally, there is a method of calculating CRC using a preset table, which is characterized by fast computation speed, but requires a large storage space for the table. This method will not be elaborated here; please refer to relevant materials.

13. Detailed Explanation of Communication Application Format

This section will use examples in the format shown in the figure (numbers are in hexadecimal).

| Addr | Fun | Data start reg hi | Data start reg lo | Data #of regs hi | Data #of regs lo | CRC16 lo | CRC16 hi |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 01H | 03H | 00H | 00H | 00H | 03H | 05H | CBH |

Addr: Slave address

Fun: Function code

Data start reg hi: Data starting address high byte

Data start reg lo: Data starting address low byte

Data #of reg hi: Number of registers to read high byte

Data #of reg lo: Number of registers to read low byte

CRC16 Hi: Cyclic Redundancy Check high byte

CRC16 Lo: Cyclic Redundancy Check low byte

14. Read Data (Function Code 03)

Query Data Frame

This function allows users to obtain data collected and recorded by the device and system parameters. There is no limit to the number of data points requested by the host at one time, but it cannot exceed the defined address range.

The following example reads three collected basic data points (each address occupies 2 bytes) UA, UB, UC from slave 01, where UA’s address is 0025H, UB’s address is 0026H, and UC’s address is 0027H.

| Addr | Fun | Data start Addr hi | Data start Addr lo | Data #of regs hi | Data #of regs lo | CRC16 lo | CRC16 hi |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 01H | 03H | 00H | 25H | 00H | 03H | 14H | 00H |

Response Data Frame

The response includes the slave address, function code, number of data points, and CRC error check.

The following example shows the response for reading UA, UB, UC (UA=082CH, UB=082AH, UC=082CH).

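| Addr | Fun | Byte count | Data1 hi | Data1 lo | Data2 hi | Data2 lo | Data3 hi | Data3 lo | CRC16 lo | CRC16 hi |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 01H | 03H | 06H | 08H | 2CH | 08H | 2AH | 08H | 2CH | 94H | 4EH |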

Error Indication Code

If the address requested by the master does not exist, an error indication code FFH will be returned.

2. Features

MODBUS has the following features:

1. Standard and open, users can use the MODBUS protocol freely and confidently without paying licensing fees or infringing on intellectual property rights. Currently, over 400 manufacturers support MODBUS, with more than 600 products supporting it.

2. MODBUS can support various electrical interfaces, such as RS-232, RS-485, and can also be transmitted over various media, such as twisted pair, fiber optics, and wireless.

3. The frame format of MODBUS is simple, compact, and easy to understand. It is user-friendly and easy for manufacturers to develop.

3. Function Code Definitions

1. MODBUS Function Codes

| Code | Name |
| --- | --- |
| 01 | READ COIL STATUS |
| 02 | READ INPUT STATUS |
| 03 | READ HOLDING REGISTER |
| 04 | READ INPUT REGISTER |
| 05 | WRITE SINGLE COIL |
| 06 | WRITE SINGLE REGISTER |
| 15 | WRITE MULTIPLE COIL |
| 16 | WRITE MULTIPLE REGISTER |

4. Transmission Modes

In the MODBUS system, there are two transmission modes to choose from. These two transmission modes are equivalent to the communication capabilities of the slave PC. The choice should depend on the MODBUS master used, and each MODBUS system can only use one mode; mixing two modes is not allowed. One mode is ASCII (American Standard Code for Information Interchange), and the other mode is RTU (Remote Terminal Unit).

Users can select the desired mode, including serial communication parameters (baud rate, parity, etc.), when configuring each controller. All devices on a MODBUS network must select the same transmission mode and serial parameters. The selected ASCII or RTU mode applies only to standard MODBUS networks, defining each bit of the message segments transmitted continuously over these networks and determining how to package information into message fields and how to decode it. In other networks (like MAP and MODBUS Plus), MODBUS messages are converted into frames independent of serial transmission.

1. Transmission Mode Characteristics

ASCII printable characters facilitate fault detection and are suitable for master computers and PCs programmed in high-level languages (such as Fortran). RTU is suitable for computers and PC hosts programmed in machine language.

Data transmitted in RTU mode consists of 8-bit binary characters. To convert to ASCII mode, each RTU character should first be divided into high and low parts, each containing 4 bits, and then converted into hexadecimal equivalent values. The ASCII characters used to form the message are all hexadecimal characters. Although the characters used in ASCII mode are twice that of RTU mode, the decoding and processing of ASCII data are somewhat easier. Additionally, in RTU mode, message characters must be transmitted in a continuous data stream, while in ASCII mode, there can be a gap of up to 1 second between characters to accommodate slower machines.

The controller can be set to either of the two transmission modes (ASCII or RTU) for standard MODBUS network communication.

2. ASCII Mode

When the controller is set to communicate in ASCII (American Standard Code for Information Interchange) mode on the MODBUS network, each 8-bit byte in a message is transmitted as 2 ASCII characters. For example, the value 63H in ASCII mode requires sending two bytes, namely ASCII “6” (0110110) and ASCII “3” (0110011). ASCII characters occupy either 7 or 8 bits, with the internationally common 7 bits being more prevalent. The main advantage of this method is that the time interval for sending characters can reach 1 second without causing errors.

Code System

  • Hexadecimal, ASCII characters 0…9, A…F

  • Each ASCII character in the message consists of one hexadecimal character

Each byte’s bits

  • 1 start bit

  • 7 data bits, with the least significant bit sent first

  • 1 parity bit; no bit if no parity

  • 1 stop bit (if there is parity), 2 bits (if no parity)

Error detection field

  • LRC (Longitudinal Redundancy Check)

3. RTU Mode

When the controller is set to communicate in RTU mode on the MODBUS network, each 8-bit byte in the message is transmitted as is, without processing. For example, 63H will be directly sent as 01100011 in RTU. The main advantage of this method is that there is no gap between data frame transmissions, and the density of data transmitted at the same baud rate is higher than that of ASCII, resulting in faster transmission speeds.

Code System

  • 8-bit binary, hexadecimal numbers 0…9, A…F

  • Each 8-bit field in the message consists of one or two hexadecimal characters

Each byte’s bits

  • 1 start bit

  • 8 data bits, with the least significant bit sent first

  • 1 parity bit; no bit if no parity

  • 1 stop bit (if there is parity), 2 bits (if no parity)

5. Data Verification Methods

1. CRC

The CRC field is two bytes, containing a 16-bit binary value. It is calculated by the transmitting device and added to the message. The receiving device recalculates the CRC of the received message and compares it with the value in the received CRC field. If the two values differ, an error has occurred.

CRC is first initialized to a value of all “1” in a 16-bit register, and then a process is called to process the continuous 8-bit bytes in the message with the current value of the register. Only the 8-bit data in each character is valid for the CRC; the start, stop, and parity bits are invalid.

During the CRC generation process, each 8-bit character is individually XORed with the contents of the register (XOR), and the result is shifted towards the least significant bit, with the most significant bit filled with 0. The LSB is extracted for checking; if the LSB is 1, the register is XORed with a preset value; if the LSB is 0, no action is taken. This entire process is repeated 8 times. After the last bit (the 8th bit) is completed, the next 8-bit byte is XORed with the current value of the register. The final value in the register after processing all bytes in the message is the CRC value.

When the CRC is added to the message, the low byte is added first, followed by the high byte.

The CRC-16 error check program is as follows: the message (here only involving data bits, not including start bits, stop bits, and optional parity bits) is treated as a continuous binary number, with the most significant bit (MSB) sent first. The message is first multiplied by X^16 (left-shifted 16 bits), and then divided by X^16 + X^15 + X^2 + 1, which can be represented in binary as 1,1000,0000,0000,0101. The integer quotient is ignored, and the 16-bit remainder is added to the message (MSB sent first), becoming the two CRC check bytes. The remainder is initialized to all 1s to prevent a string of all zeros from being accepted as a message. If the received message, including the CRC bytes, is processed by the same polynomial (X^16 + X^15 + X^2 + 1), it will yield a zero remainder (the receiving device verifies this CRC byte and compares it with the transmitted CRC).

All calculations are done modulo 2 (without carry).

Devices accustomed to sending data in streams will prefer to send the least significant bit (LSB) of the character first. However, in CRC generation, the first bit sent should be the most significant bit (MSB) of the dividend. To facilitate operations, the MSB is set to the rightmost position during CRC calculation. The order of the polynomial bits must also be reversed to maintain consistency. The MSB of the polynomial is omitted as it only affects the quotient and does not affect the remainder.

The steps to generate the CRC-16 check byte are as follows:

① Load a 16-bit register with all bits set to 1.

② XOR the high byte of this 16-bit register with the first 8-bit byte of the message. The result is stored in this 16-bit register.

③ Shift this 16-bit register to the right by one bit.

④ If the shifted-out bit is 1, XOR the register with the polynomial 1010,0000,0000,0001; if the shifted-out bit is 0, return to step ③.

⑤ Repeat steps ③ and ④ until 8 bits have been shifted out.

⑥ XOR the next 8 bits with this 16-bit register.

⑦ Repeat steps ③ to ⑥ until all bytes of the message have been XORed with the 16-bit register and 8 shifts have been completed.

⑧ The contents of this 16-bit register are the two-byte CRC check, which is added to the most significant bit of the message.

Additionally, in some non-MODBUS communication protocols, CRC16 is often used as a check method, and several variants of CRC16 have been produced: one uses the CRC16 polynomial X^16 + X^15 + X^2 + 1 with the initial 16-bit register set to 0000; another uses the reverse CRC16 polynomial X^16 + X^14 + X^1 + 1 with the initial register value set to 0000 or FFFFH.
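The register-shift CRC procedure, applied to the function 03 frames from the worked examples earlier on this page, as an added Python example that is not part of the original article. It follows the step list that XORs each byte into the low byte of the register; the function names, the `FrameError` class and the treatment of a function code with its top bit set as an error response (standard MODBUS behaviour, not spelled out on this page) are assumptions of the example.

```python
import struct

# Frames copied from the function 03 examples on this page (hex).
PAGE_QUERY = bytes.fromhex("01 03 00 25 00 03 14 00")
PAGE_RESPONSE = bytes.fromhex("01 03 06 08 2C 08 2A 08 2C 94 4E")


class FrameError(ValueError):
    """Raised when a received RTU frame must be discarded."""


def crc16_modbus(data: bytes) -> int:
    crc = 0xFFFF                      # register preset to all 1s
    for byte in data:
        crc ^= byte                   # XOR the byte into the low byte
        for _ in range(8):            # eight shifts per byte
            lsb = crc & 1
            crc >>= 1                 # highest bit is filled with 0
            if lsb:
                crc ^= 0xA001         # preset fixed value (0A001H)
    return crc


def add_crc(body: bytes) -> bytes:
    # The CRC is appended low byte first, then high byte.
    return body + struct.pack("<H", crc16_modbus(body))


def build_read_query(addr: int, start: int, count: int) -> bytes:
    if not 1 <= addr <= 247:          # address range used on this page
        raise ValueError("slave address must be 1..247")
    return add_crc(struct.pack(">BBHH", addr, 0x03, start, count))


def parse_read_response(frame: bytes, addr: int, count: int) -> list:
    """Return the register values, or raise FrameError for any inconsistency."""
    if len(frame) < 5:
        raise FrameError("frame too short")
    body, received = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    if crc16_modbus(body) != received:
        raise FrameError("CRC mismatch")
    if body[0] != addr:
        raise FrameError("response from unexpected slave address")
    if body[1] == 0x03 | 0x80:        # assumption: standard error response
        raise FrameError(f"slave reported error code {body[2]:02X}H")
    if body[1] != 0x03:
        raise FrameError("unexpected function code")
    if body[2] != 2 * count or len(body) != 3 + body[2]:
        raise FrameError("byte count does not match the request")
    return list(struct.unpack(f">{count}H", body[3:]))


if __name__ == "__main__":
    print(build_read_query(0x01, 0x0025, 3).hex(" ").upper())
    ua, ub, uc = parse_read_response(PAGE_RESPONSE, 0x01, 3)
    print(f"UA={ua:04X}H UB={ub:04X}H UC={uc:04X}H")
```

A matching CRC only shows that the bytes were not corrupted in transit; any device on the line can compute one, so it says nothing about who sent the frame.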

2. LRC

LRC error checking is used in ASCII mode. This error check is an 8-bit binary number that can be transmitted as 2 ASCII hexadecimal bytes. The hexadecimal characters are converted to binary, and the binary characters are summed without carry to generate the LRC error check (see diagram). This LRC is verified by the receiving device and compared with the transmitted LRC, ignoring colons (:), carriage return (CR), line feed (LF), and any other non-ASCII hexadecimal characters during the calculation.
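An added Python example (not from the original article) of ASCII-mode framing with the LRC, using the command 03 query [11][03][00][6B][00][03] from later on this page as the message body. The page only says the bytes are summed without carry; taking the two's complement of that sum is the standard MODBUS LRC definition and is an assumption here, as are the function names.

```python
HEX_CHARS = b"0123456789ABCDEF"   # code system of ASCII mode: 0...9, A...F

# Message body taken from the command 03 example on this page.
PAGE_BODY = bytes.fromhex("11 03 00 6B 00 03")


def lrc(body: bytes) -> int:
    # Sum the bytes, discard carries, then take the two's complement
    # (assumption: standard MODBUS definition).
    return (-sum(body)) & 0xFF


def encode_ascii_frame(body: bytes) -> bytes:
    # Each 8-bit byte becomes two hexadecimal ASCII characters,
    # framed by a colon and CR LF.
    payload = body + bytes([lrc(body)])
    return b":" + payload.hex().upper().encode("ascii") + b"\r\n"


def decode_ascii_frame(frame: bytes) -> bytes:
    """Return the message body, or raise ValueError for a malformed frame."""
    if not (frame.startswith(b":") and frame.endswith(b"\r\n")):
        raise ValueError("missing ':' start or CR LF end")
    text = frame[1:-2]
    # At least address + function + LRC, always whole bytes.
    if len(text) < 6 or len(text) % 2:
        raise ValueError("wrong number of characters")
    if any(c not in HEX_CHARS for c in text):
        raise ValueError("non-hexadecimal character in frame")
    payload = bytes.fromhex(text.decode("ascii"))
    body, received = payload[:-1], payload[-1]
    if lrc(body) != received:
        raise ValueError("LRC mismatch")
    return body


if __name__ == "__main__":
    frame = encode_ascii_frame(PAGE_BODY)
    print(frame)                              # ASCII frame on the wire
    print(decode_ascii_frame(frame).hex(" ")) # body recovered after the check
```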

Comparison of MODBUS and PROFIBUS-DP Protocols

The content of the MODBUS protocol is completely open, simple, and easy to implement. Microcontrollers, PLCs, and DCS can all easily implement it.

In contrast, PROFIBUS is more complex, requiring dedicated chips for secondary development and certification from higher organizations, resulting in significantly higher development costs.

Of course, in terms of performance, serial-based MODBUS RTU/ASCII communication cannot match PROFIBUS DP. However, for simple communication at the instrument level or small data volume communication at the controller level, MODBUS is sufficient. In simple terms, MODBUS is the “common man,” while PROFIBUS is the “rich and handsome!”

Supported Function Codes of MODBUS

| Function Code | Name | Function |
| --- | --- | --- |
| 01 | READ COIL STATUS | Obtain the current status of a group of logical coils (ON/OFF) |
| 02 | READ INPUT STATUS | Obtain the current status of a group of switch inputs (ON/OFF) |
| 03 | READ HOLDING REGISTER | Obtain the current binary values in one or more holding registers |
| 04 | READ INPUT REGISTER | Obtain the current binary values in one or more input registers |
| 05 | WRITE SINGLE COIL | Force the state of a logical coil |
| 06 | WRITE SINGLE REGISTER | Load a specific binary value into a holding register |
| 07 | READ EXCEPTION STATUS | Obtain the status of 8 internal coils, the addresses of which are determined by the controller |
| 08 | RETURN DIAGNOSTIC CHECK | Send a diagnostic check message to the slave for communication evaluation |
| 09 | PROGRAMMING (only for 484) | Simulate the programming function of the master to modify the logic of the slave PC |
| 10 | INQUIRY (only for 484) | Allows the master to communicate with a slave performing a long program task, inquiring whether the slave has completed its operation task, only after sending a message with function code 9 can this function code be sent |
| 11 | READ EVENT COUNT | Allows the master to issue a single inquiry and immediately determine whether the operation was successful, especially when the command or other responses generate communication errors |
| 12 | READ COMMUNICATION EVENT LOG | Allows the master to retrieve the communication event log of each slave’s MODBUS transaction processing. If a transaction is completed, the log will provide information about errors |
| 13 | PROGRAMMING (184/384 484 584) | Allows the master to simulate the programming function to modify the logic of the slave PC |
| 14 | INQUIRY (184/384 484 584) | Allows the master to communicate with a slave performing a task, periodically inquiring whether the slave has completed its program operation, only after sending a message with function 13 can this function code be sent |
| 15 | WRITE MULTIPLE COILS | Force the state of a series of consecutive logical coils |
| 16 | WRITE MULTIPLE REGISTERS | Load specific binary values into a series of consecutive holding registers |
| 17 | REPORT SLAVE IDENTIFICATION | Allows the master to determine the type of addressed slave and the status of the slave’s running indicator |
| 18 | (884 and MICRO 84) | Allows the master to simulate the programming function to modify the state logic of the PC |
| 19 | RESET COMMUNICATION LINK | After a non-modifiable error occurs, reset the slave to a known state, allowing the sequence byte to be reset |
| 20 | READ GENERAL PARAMETERS (584L) | Display data information in the extended memory file |
| 21 | WRITE GENERAL PARAMETERS (584L) | Write or modify general parameters in the extended storage file |
| 22-64 | Reserved for extended functions | |
| 65-72 | Reserved for user functions | Reserved for user function extension codes |
| 73-119 | Illegal function | |
| 120-127 | Reserved | Reserved for internal use |
| 128-255 | Reserved | Reserved for exception responses |

Detailed Explanation of Function Code Commands

Among these function codes, the most commonly used are function codes 1, 2, 3, 4, 5, and 6, which can be used to perform read and write operations on digital and analog quantities of the lower machine.

1. Command 01, Read Readable and Writable Digital Registers (Coil Status):

The computer sends the command: [Device Address] [Command Number 01] [Starting Register Address High 8 Bits] [Low 8 Bits] [Number of Registers to Read High 8 Bits] [Low 8 Bits] [CRC Check Low] [CRC Check High]

Example: [11][01][00][13][00][25][CRC Low][CRC High]

Meaning:

<1> Device Address: Multiple devices can be connected on a 485 bus, and this device address indicates which device to communicate with. In this example, it is intended to communicate with device 17 (decimal 17 is hexadecimal 11).

<2> Command Number 01: The command number for reading digital quantities is fixed at 01.

<3> Starting Address High 8 Bits, Low 8 Bits: Indicates the starting address of the switch quantity to be read (starting address is 0). For example, in this case, the starting address is 19.

<4> Number of Registers High 8 Bits, Low 8 Bits: Indicates how many switch quantities to read starting from the starting address. In this example, it is 37 switch quantities.

<5> CRC Check: Checked from the beginning to this point.

The device response: [Device Address] [Command Number 01] [Returned Byte Count] [Data1] [Data2] … [Data n] [CRC Check High] [CRC Check Low]

Example: [11][01][05][CD][6B][B2][0E][1B] [CRC High] [CRC Low]

Meaning:

<1> Device Address and Command Number are the same as above.

<2> Returned Byte Count: Indicates the number of data bytes, which is the value of n in Data1, 2…n.

<3> Data1…n: Since each data is an 8-bit number, each data represents the value of 8 switch quantities, where each bit being 0 indicates the corresponding switch is off, and 1 indicates it is on. For example, in this case, it indicates that switch 20 (index 19) is on, switch 21 is off, switch 22 is on, switch 23 is on, switch 24 is off, switch 25 is off, switch 26 is on, switch 27 is on… If the queried switch quantity is not a multiple of 8, the high part of the last byte is meaningless and is set to 0.

<4> CRC Check is the same as above.

2. Command 05, Write Digital Quantity (Coil Status):

The computer sends the command: [Device Address] [Command Number 05] [Register Address High 8 Bits] [Low 8 Bits] [Data High 8 Bits] [Low 8 Bits] [CRC Check Low] [CRC Check High]

Example: [11][05][00][AC][FF][00][CRC High][CRC Low]

Meaning:

<1> Device Address is the same as above.

<2> Command Number: The command number for writing digital quantities is fixed at 05.

<3> Register Address High 8 Bits, Low 8 Bits: Indicates the address of the switch to be set.

<4> Data High 8 Bits, Low 8 Bits: Indicates the state of the switch to be set. In this example, it indicates that the switch should be turned on. Note that only [FF][00] indicates on and [00][00] indicates off; other values are illegal.

<5> Note that this command can only set the state of one switch at a time.

Device Response: If successful, the command sent by the computer is returned as is; otherwise there is no response.
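An added Python example (not from the original article) that unpacks the coil bits of the command 01 response shown above and checks the data value of a command 05 request. The function names are hypothetical, and the frames are passed without their CRC bytes, which are assumed to have been verified already.

```python
import struct

# Bodies taken from the command 01 and command 05 examples on this page.
PAGE_COIL_RESPONSE = bytes.fromhex("11 01 05 CD 6B B2 0E 1B")
PAGE_COIL_WRITE = bytes.fromhex("11 05 00 AC FF 00")


def decode_coil_response(body: bytes, addr: int, start: int, count: int) -> dict:
    """Map each requested switch index to True (on) or False (off)."""
    if count < 1:
        raise ValueError("at least one switch must be requested")
    if len(body) < 3 or body[0] != addr or body[1] != 0x01:
        raise ValueError("not a command 01 response from the addressed device")
    data = body[3:]
    expected = (count + 7) // 8          # 8 switch quantities per data byte
    if body[2] != expected or len(data) != expected:
        raise ValueError("byte count does not match the number requested")
    pad_bits = expected * 8 - count
    # The unused high part of the last byte is set to 0 by the device.
    if pad_bits and data[-1] >> (8 - pad_bits):
        raise ValueError("unused high bits of the last byte are not 0")
    # Bit 0 of Data1 is the switch at the starting address.
    return {start + i: bool(data[i // 8] >> (i % 8) & 1) for i in range(count)}


def parse_coil_write(body: bytes) -> tuple:
    """Return (device address, switch address, state) of a command 05 request."""
    if len(body) != 6 or body[1] != 0x05:
        raise ValueError("not a command 05 request")
    addr, _, coil, value = struct.unpack(">BBHH", body)
    if value == 0xFF00:
        state = True
    elif value == 0x0000:
        state = False
    else:                                # any other value is illegal
        raise ValueError(f"illegal switch value {value:04X}H")
    return addr, coil, state


if __name__ == "__main__":
    # Request from the page: device 11H, starting address 19, 37 switches.
    coils = decode_coil_response(PAGE_COIL_RESPONSE, 0x11, 19, 37)
    for index in range(19, 27):
        print(f"switch {index + 1}: {'on' if coils[index] else 'off'}")
    print(parse_coil_write(PAGE_COIL_WRITE))
```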

3. Command 03, Read Readable and Writable Analog Registers (Holding Registers):

The computer sends the command: [Device Address] [Command Number 03] [Starting Register Address High 8 Bits] [Low 8 Bits] [Number of Registers High 8 Bits] [Low 8 Bits] [CRC Check High] [CRC Check Low]

Example: [11][03][00][6B][00][03] [CRC High][CRC Low]

Meaning:

<1> Device Address is the same as above.

<2> Command Number: The command number for reading analog quantities is fixed at 03.

<3> Starting Address High 8 Bits, Low 8 Bits: Indicates the starting address of the analog quantity to be read (starting address is 0). For example, in this case, the starting address is 107.

<4> Number of Registers High 8 Bits, Low 8 Bits: Indicates how many analog quantities to read starting from the starting address. In this example, it is 3 analog quantities. Note that in the returned information, one analog quantity requires two bytes to return.

Device Response: [Device Address] [Command Number 03] [Returned Byte Count] [Data1] [Data2] … [Data n] [CRC Check High] [CRC Check Low]

Example: [11][03][06][02][2B][00][00][00][64] [CRC High] [CRC Low]

Meaning:

<1> Device Address and Command Number are the same as above.

<2> Returned Byte Count: Indicates the number of data bytes, which is the value of n in Data1, 2…n. In this example, 3 analog quantities are returned, as each analog quantity requires 2 bytes, totaling 6 bytes.

<3> Data1…n: where [Data1][Data2] are the high and low bytes of the first analog quantity, [Data3][Data4] are the high and low bytes of the second analog quantity, and so on. The returned values in this example are 555, 0, and 100.

<4> CRC Check is the same as above.

4. Command 06, Write Single Analog Quantity Register (Holding Register)

The computer sends the command: [Device Address] [Command Number 06] [Register Address High 8 Bits] [Low 8 Bits] [Data High 8 Bits] [Low 8 Bits] [CRC Check High] [CRC Check Low]

Example: [11][06][00][01][00][03] [CRC High] [CRC Low]

Meaning:

<1> Device Address is the same as above.

<2> Command Number: The command number for writing analog quantities is fixed at 06.

<3> Register Address High 8 Bits, Low 8 Bits: Indicates the address of the analog quantity register to be set.

<4> Data High 8 Bits, Low 8 Bits: Indicates the analog quantity data to be set. For example, in this case, the value of register 1 is set to 3.

<5> Note that this command can only set the state of one analog quantity at a time.

Device Response: If successful, the command sent by the computer is returned as is; otherwise there is no response.

5. Command 16, Write Multiple Analog Quantity Registers (Holding Registers)

The computer sends the command: [Device Address] [Command Number 16] [Register Address High 8 Bits] [Low 8 Bits] [Data Count High 8 Bits] [Data Count Low 8 Bits] [Data High 8 Bits] [Low 8 Bits] […] [CRC Check High] [CRC Check Low]

Example: [11][16][00][01][00][01][00][05] [CRC High] [CRC Low]

Meaning:

<1> Device Address is the same as above.

<2> Command Number: The command number for writing analog quantities is fixed at 16.

<3> Register Address High 8 Bits, Low 8 Bits: Indicates the address of the analog quantity register to be set.

<4> Data Count High 8 Bits, Low 8 Bits: Indicates the number of data points to be set, which is 1 here.

<5> Data High 8 Bits, Low 8 Bits: Indicates the analog quantity data to be set. For example, in this case, the value of register 1 is set to 5.

Device Response: If successful, the command sent by the computer is returned as is; otherwise there is no response.

Device response: [Device Address] [Command Number 16] [Register Address High 8 Bits] [Low 8 Bits] [Data Count High 8 Bits] [Data Count Low 8 Bits] [CRC Check High] [CRC Check Low], as in the above example: [11][16][00][01][00][01] [CRC High] [CRC Low]
