Lynn's Industrial Automation Protocol Tips
Home > Modbus >
IP-Enable Blog
New iatips Wiki
White Papers
Digi Product Tips
Yahoo Group
Contact Info

The information on this web page is either Lynn's opinion or something Lynn agrees with. He has complete control over its contents. Nothing contained within this pages is approved by or represents the opinion of Digi International, The Modbus Organization, the Modbus-IDA Group, ODVA, or any other organization Lynn is associated with.

Modbus Protocol

Question? What are the minimum Modbus functions to implement?

Answer: bare min is 3 & 16, but read below.

  • Minimum set is 3 and 16 for read/write multiple registers. You can pack boolean (digital) values 16 to on register - just be aware that the normal bit-order seen is not what you'd expect so make sure you document your bit order correctly. Note that some very important "embedded masters" only can issue these 2 functions! Thus a smart slave creator makes sure ALL data is available by function 3. So answer A is 3,16.
  • Next, I'd add function #6 - write single register. It only adds a few minutes work beyond function #16. Some Masters will use #6 to write one value and #16 for more than one. Thus, if you don't do function #6 some Master may not work or may need to be configured to force use of function 16 for all writes. So NOT doing function 6 could lead to field support problems. So answer B is 3,6,16 - This is what I'd call the real minimum set!
  • If you have lots of 1-bit digital control items, then next level to add is functions 1 & 15 for read/write multiple coils. You might as well add function 5 (write single coil) while you're at it. Just be aware that Modbus is bigendian, so the value to send for function 5 is 0x0000 and 0xFF00 for Off/On. You should not send 0xFFFF nor 0x00001. Problem is some slaves treat any non-zero value as ON, while others will return an exception response if you send anything but 0x0000 or 0xFF00!!!! So answer C is 1,3,5,6,15,16 - this I'd call the "normal set".
  • You could add the function 2,4 for read-only bits/registers. Problem is these value MUST also be available by function 3 for maximum market application, so they have little value.
  • You could add function 8 (only echo function). The only value this has is some older DCS/SCADA gateways REQUIRE any Modbus/RTU slave to response to an echo before it is marked on-line. This is a Dinosaur requirement, but if it means the difference between selling 50 units to some DCS or not, a few minutes to add the echo command is money well spent.
  • A "nice to have" is function 23, which allows 1 message to both read & write the slave. This is ideal for a small I/O unit where a Master may want to fetch the value of 16 or 32 inputs and force the value of 16 or 32 outputs. It saves having to issue 2 commands (a func 3 and func 16).
  • Another "nice to have" is function 22, which allows a masked register write. This is ideal if you (correctly) allowed all of your digital/boolean to be accessed by function 3. It works like function 16, but allows writing bits selectively scattered within the registers.
  • So in summary, if *I* were to do a product, this is my list:
    • Bare Min: 3,6,8(echo only),16 (offers limited 1-bit support!)
    • Preferred: 1,3,5,6,8(echo only),15,16 (offers full 1-bit support)
    • Best: 1,2,3,4,5,6,8(echo only),15,16,22,23

return to top

Pass-thru Ethernet Bridge Note: Most MB/TCP to MB/RTU bridges are blissfully unaware of Enron-MB. They forward a poll to read ten 4x registers and happily return a response of 10 or 20 or 40 bytes. They do NOT enforce any byte size expectation and leave that to the MB/TCP Master/Client to handle.

return to top

Question? When are logical verse actual number used?

Answer: No standard - depends on vendor

There is no hard rules - some vendors do it one way, others do it the other way, and still others let you pick/configure which you want. Notation like 40001 or 4x0001 or 400001 are just for human use. The protocol (whether RTU, ASCII, or TCP) requires the offset 0 be used, not 1.

I always recommend vendors and users document things in a three column format:

400001 0 Blah Blah Description

400002 1 Blah Blah Description

and so on

It's incredible how much redo this simple trick can save. You never know which form your users will need (calling it 40001, 1 or 0). Without this aid not only does the occasional intern do an entire project off-by-one, but even seasoned engineers can goof & configure a few data points off-by-one. When faced with a vendor asking for the actual number (0 not 1) it's just hard to keep mentally decrementing hundreds of numbers without a few slips.

return to top

Question? What is exception 10 (hex 0x0A) used for?

Answer: Exception Response 10 means "Gateway Path Unavailable".

The Bridge (or proxy) could not route the request due to the destination being unconfigured. This is a HARD ERROR - your bridge should return it if retry is pointless. The only solution for a client seeing exception 10 is to notify a user to check the configuration.

return to top

Question? What is exception 11 (hex 0x0B) used for?

Answer: Exception Response 11 means "Target Device Failed to Respond".

The Bridge (or proxy) failed to obtain a response from the target device on your behalf. This is a SOFT ERROR your bridge should return it if a retry may help. We don't know if the target is off-line or just didn't answer due to a CRC error.

return to top

Question? Can a Modbus Master access 9999 or 65536 registers?

Answer: In theory 65535, but few devices have so many.

Some software applications limit you to selecting 0-9999 by using the older 4XXXX notation, which just support 4 digits. But this is an application limitation - not a Modbus protocol limitation. Others will site limits of 9999 in Modbus/ASCII or from older Modbus protocol documents. All of these MAY HAVE BEEN true at one time, but now the Modbus specification formally allows all addresses 0x0000 to 0xFFFF or 65535 to be used.

return to top

General question... can a master on the modbus access 65536 16 bit registers, (via function codes 3,4) on any slave device?

Question? What happened to data type '2x'?

Answer: I have been told ...

I have been told in the early PLC where data tables where quite literally the PLC's core memory, there was a hardware-based drum sequencer card that was accessed as 2x. However, as PLC developed it quickly became apparent that this some function could be handled more effectively by placing the drum sequencer data in 4x holding register memory.

return to top