What is Modbus RTU?
The Modbus RTU protocol is a open serial protocol that is widely used in today’s industrial monitoring and control equipment. This protocol uses an RS-232 or RS-485 serial interface for communications and is supported by almost every commercial SCADA, HMI, OPC Server and data acquisition software program in the marketplace. Thus, making it very easy to integrate Modbus compatible equipment into new or existing monitoring and control applications and have instant software support.
Modbus Master/Slave Technique
The Modbus RTU protocol uses a Master/Slave technique to communicate between devices. Meaning, any application that utilizes the Modbus RTU protocol will have a Modbus Master and at least one Modbus Slave. A Modbus Master is typically a host supervisory computer running software that will communicate with one or more Modbus Slave devices.
The Modbus slaves are the devices that perform the system parameter measurements and control the on/off devices in the system. In order to perform these tasks, the Master sends messages to a Modbus Slave requesting a specific task to be performed.
Modbus RTU protocol uses formatted messages to communicate between Masters and Slaves. Messages are initiated by the system Master and sent to a Slave device. Then, the Slave responds with the requested data, or an acknowledgement that it performed the requested function. All messages to and from the Master contain a two byte (16-bit) CRC (cyclical redundancy check) checksum value for error checking. In the event that an invalid request is transmitted to a Modbus Slave, a one byte (8-bit) error code value is returned providing a reason why the request is faulty.
The Modbus Master messages contain several important pieces of information. Each message begins with the Slave address of the device to receive the message. Next, is the function number (or command) that will be performed. Followed by any data that is required for the specified function to execute properly. The Slave address is a one byte (8-bit) value that with a usable range of values between 0-247. The Modbus function number is also a one byte value and many standardized function numbers have been defined within the protocol. Any data values required to support the requested function will be one or more bytes in length. The Modbus Slave response message will contain the responding Slave address, the function number and any necessary data requested by the master.
Modbus RTU Protocol is Royalty Free and Customizable
The Modbus RTU protocol is an open protocol and can be used royalty free. This allows manufacturers to use the general Modbus protocol structure in their equipment and add customized functions to access features within their hardware. While this can be a great benefit, it may cause compatibility problems with commercial software programs that do not support the newly defined functions.
The Modbus protocol contains a list of functions that are supported by almost all SCADA, HMI and data acquisition programs in the marketplace today. Below is an abbreviated list of protocol functions used to perform most of the reading and controlling of Modbus devices. From the list, “coils” are typically relays or digital outputs, “registers” represent anything from system status to analog input or output signal values. Each hardware vendor will have a “Register Map” that details each register location and the possible data values for that register.
Abbreviated List Of Modbus RTU Protocol Functions
Function 01 – Read Coil Status
The Modbus RTU Function 01 is used to Read Coil Status, or digital output status from a Modbus Slave data acquisition device. See a typical command and response below with usage description.
| Command: | 01 | 01 | 00 | 09 | 00 | 0A | CRC1 | CRC2 |
| Response: | 01 | 01 | 02 | 7C | 03 | CRC1 | CRC2 |
Command Usage:
| Address: | 01-One Byte Slave Address |
| Function | 01-One Byte Function Number |
| Addr | 00-HI Starting Coil Address HI Byte |
| Addr | 09-LO Starting Coil Address LO Byte |
| Data | 00-HI Number of Bits |
| Data | 0A- LO Number of Bits |
| Checksum | Two Byte CRC |
Response Message:
| Address: | 01-One Byte Slave Address |
| Function | 01-One Byte Function Number |
| Byte Qty | 02-Number of data bytes in response |
| Data HI | 7C-Data Coils (17-10) Status |
| Data LO | 03-Data Coils (19-18) Status |
| Checksum | Two Byte CRC |
Finally, when specifying Modbus hardware or software, take a moment to review the documentation for each device and ensure that both the hardware and software will support the necessary functions to operate properly. It is a rare event that there will be problems but this review process will eliminate the possibility of surprises later.
Function 03 – Read Holding Registers
The Modbus RTU Function 03 is used to Read Holding Registers, (4x register references), in a Modbus Slave device. Registers are addressed starting at zero: meaning registers 1–10 are addressed as 0–9.
Modbus Function 03 also includes the quantity of registers to read from the Modbus slave device. See the example command below that reads one register, 40010 from Modbus Slave address 01.
| Command: | 01 | 03 | 00 | 09 | 01 | 0A | CRC1 | CRC2 |
| Response: | 01 | 03 | 02 | 7C | 93 | CRC1 | CRC2 |
Command Usage:
| Address: | 01-One Byte Slave Address |
| Function | 03-One Byte Function Number |
| Addr | 00-Starting Register Address HI Byte |
| Addr | 09-Starting Register Address LO Byte |
| Data | 00-HI Number of Registers |
| Data | 01- LO Number of Registers |
| Checksum | Two Byte CRC |
Response Message:
| Address: | 01-One Byte Slave Address |
| Function | 03-One Byte Function Number |
| Byte Qty | 02-Number of data bytes in response |
| Data HI | 7C-Data Register HI Byte |
| Data LO | 93-Data Register LO Byte |
| Checksum | Two Byte CRC |
Finally, when specifying Modbus hardware or software, take a moment to review the documentation for each item and ensure that both the hardware and software will support the necessary functions to operate properly. It is a rare event that there will be problems but this review process will eliminate the possibility of surprises later.
| Command: | 01 | 01 | 00 | 09 | 00 | 0A | CRC1 | CRC2 |
| Response: | 01 | 01 | 02 | 7C | 03 | CRC1 | CRC2 |
Command Usage:
| Address: | 01-One Byte Slave Address |
| Function | 01-One Byte Function Number |
| Addr | 00-HI Starting Coil Address HI Byte |
| Addr | 09-LO Starting Coil Address LO Byte |
| Data | 00-HI Number of Bits |
| Data | 0A- LO Number of Bits |
| Checksum | Two Byte CRC |
Response Message:
| Address: | 01-One Byte Slave Address |
| Function | 01-One Byte Function Number |
| Byte Qty | 02-Number of data bytes in response |
| Data HI | 7C-Data Coils (17-10) Status |
| Data LO | 03-Data Coils (19-18) Status |
| Checksum | Two Byte CRC |
Finally, when specifying Modbus hardware or software, take a moment to review the documentation for each device and ensure that both the hardware and software will support the necessary functions to operate properly. It is a rare event that there will be problems but this review process will eliminate the possibility of surprises later.
Function 04 – Read Input Registers
The Modbus RTU Function 04 is used to Read Input Registers, (3x register references), in a Modbus Slave device. Registers are addressed starting at zero: meaning registers 1–10 are addressed as 0–9.
Modbus Function 04 also includes the quantity of registers to read from the Modbus slave device. See the example command below that reads one register, 30010 from Modbus Slave address 01.
| Command: | 01 | 04 | 00 | 09 | 00 | 01 | CRC1 | CRC2 |
| Response: | 01 | 04 | 02 | 7C | 93 | CRC1 | CRC2 |
Command Usage:
| Address: | 01-One Byte Slave Address |
| Function | 04-One Byte Function Number |
| Addr | 00-Starting Register Address HI Byte |
| Addr | 09-Starting Register Address LO Byte |
| Data | 00-HI Number of Registers |
| Data | 01- LO Number of Registers |
| Checksum | Two Byte CRC |
Response Message:
| Address: | 01-One Byte Slave Address |
| Function | 04-One Byte Function Number |
| Byte Qty | 02-Number of data bytes in response |
| Data HI | 7C-Data Register HI Byte |
| Data LO | 93-Data Register LO Byte |
| Checksum | Two Byte CRC |
Finally, when specifying Modbus hardware or software, take a moment to review the documentation for each item and ensure that both the hardware and software will support the necessary functions to operate properly. It is a rare event that there will be problems but this review process will eliminate the possibility of surprises later.
Function 05 – Force Single Coil
The Modbus RTU Function 05 is used to Force a Single Coil (0x references), or turn ON/OFF a digital output in a Modbus Slave device. Coils are addressed starting at zero: meaning Coil 10 is addressed as 9.
Turn ON/OFF coils by specifying a constant in the data field. A value of FF 00 hex turns the coil ON. A value of 00 00 turns the coil OFF. All other values are illegal and will not affect the coil state. The following example will turn ON Coil number 10.
| Command: | 01 | 05 | 00 | 09 | FF | 00 | CRC1 | CRC2 |
| Response: | 01 | 05 | 00 | 09 | FF | 00 | CRC1 | CRC2 |
Command Usage:
| Address: | 01-One Byte Slave Address |
| Function | 05-One Byte Function Number |
| Addr | 00- Coil Address HI Byte |
| Addr | 09-Coil Address LO Byte |
| Data | FF-HI Data Value |
| Data | 00- LO Data Value |
| Checksum | Two Byte CRC |
Response Message:
| Address: | 01-One Byte Slave Address |
| Function | 05-One Byte Function Number |
| Byte Qty | 00-Coil Address HI Byte |
| Byte Qty | 09-Coil Address LO Byte |
| Data HI | FF-HI Data Value |
| Data LO | 00-LO Data Value |
| Checksum | Two Byte CRC |
Finally, when specifying Modbus hardware or software, take a moment to review the documentation for each item and ensure that both the hardware and software will support the necessary functions to operate properly. It is a rare event that there will be problems but this review process will eliminate the possibility of surprises later.
Function 06 – Preset Single Register
The Modbus RTU Function 06 is used to Preset a Single Register (4x references) in a Modbus Slave device. Registers are addressed starting at zero: meaning Register 10 is addressed as 9. The Preset data values written in to a Modbus register are 16-bit values.
| Command: | 01 | 06 | 00 | 09 | FF | 7D | CRC1 | CRC2 |
| Response: | 01 | 06 | 00 | 09 | FF | 7D | CRC1 | CRC2 |
Command Usage:
| Address: | 01-One Byte Slave Address |
| Function | 06-One Byte Function Number |
| Addr | 00-Register Address HI Byte |
| Addr | 09-Register Address LO Byte |
| Data | FF-Preset data Value HI Byte |
| Data | 7D- Preset Data Value LO Byte |
| Checksum | Two Byte CRC |
Response Message:
| Address: | 01-One Byte Slave Address |
| Function | 06-One Byte Function Number |
| Addr | 00-Register Address HI Byte |
| Addr | 09-Register Address LO Byte |
| Data HI | FF-Preset Data Value HI Byte |
| Data LO | 7D-Preset Data Value LO Byte |
| Checksum | Two Byte CRC |
Finally, when specifying Modbus hardware or software, take a moment to review the documentation for each item and ensure that both the hardware and software will support the necessary functions to operate properly. It is a rare event that there will be problems but this review process will eliminate the possibility of surprises later.
Function 15 – Force Multiple Coils
The Modbus RTU Function 15 is used to force multiple coils or digital outputs to their ON/OFF state. See a typical command and response below with usage description.
| Command: | 01 | 0F | 00 | 13 | 00 | 0A | 02 | AA | 03 | CRC1 | CRC2 |
| Response: | 01 | 0F | 13 | 00 | 0A | CRC1 | CRC2 |
Command Usage:
| Address: | 01-One Byte Slave Address |
| Function | 01-One Byte Function Number |
| Addr | 00-HI Starting Coil Address HI Byte |
| Addr | 09-LO Starting Coil Address LO Byte |
| Quantity | 00-Coil Quantity HI Byte |
| Quantity | 0A-Coil Quantity LO Byte |
| Quantity of Bytes | 02-Byte Count |
| Data | AA-LO Data Bits |
| Data | 03- HI Data Bits |
| Checksum | Two Byte CRC |
Response Message:
Addr13-LO Starting Coil Address LO Byte
| Address: | 01-One Byte Slave Address |
| Function | 01-One Byte Function Number |
| Addr | 00-HI Starting Coil Address HI Byte |
| Bit Qty HI | 00-Quantity of Bits Written HI Byte |
| Bit Qty LO | 0A-Quantity of Bits Written LO Byte |
| Checksum | Two Byte CRC |
Finally, when specifying Modbus hardware or software, take a moment to review the documentation for each device and ensure that both the hardware and software will support the necessary functions to operate properly. It is a rare event that there will be problems but this review process will eliminate the possibility of surprises later.
Function 10 – Preset Multiple Registers
The Modbus Function 10 is used to Preset Multiple Registers (4x references) in a Modbus Slave device. Registers are addressed starting at zero: meaning Register 5 is addressed as 4. The Preset data values written in to a Modbus register are 16-bit values.
| Command: | 01 | 10 | 00 | 04 | 00 | 02 | 04 | 79 | 02 | 87 | FE | CRC1 | CRC2 | |
| Response: | 01 | 10 | 00 | 04 | 00 | 02 | CRC1 | CRC2 |
Command Usage:
| Address: | 01-One Byte Slave Address |
| Function | 10-One Byte Function Number |
| Start Addr HI | 00-Starting Register Address HI Byte |
| Start Addr LO | 04-Starting Register Address LO Byte (40005) |
| Reg Qty HI | 00-Quantity of Registers to Write HI Byte |
| Reg Qty LO | 02-Quantity of Registers to Write LO Byte |
| Data Bytes | 04-Quantity of Data Bytes to Write |
| Data Reg 1 HI | 79-First Register HI Byte |
| Data Reg 1 LO | 02-First Register LO Byte |
| Data Reg 2 HI | 87-Second Register HI Byte |
| Data Reg 2 LO | FE-Second Register LO Byte |
| Checksum | Two Byte CRC |
Response Message:
| Address: | 01-One Byte Slave Address |
| Function | 10-One Byte Function Number |
| Start Addr HI | 00-Starting Register Address HI Byte |
| Start Addr LO | 04-Starting Register Address LO Byte |
| Reg Qty HI | 00-Quantity of Registers to Write HI Byte |
| Reg Qty LO | 02-Quantity of Registers to Write LO Byte |
| Checksum | Two Byte CRC |
Finally, when specifying Modbus hardware or software, take a moment to review the documentation for each item and ensure that both the hardware and software will support the necessary functions to operate properly. It is a rare event that there will be problems but this review process will eliminate the possibility of surprises later.
Exception Codes
Modbus Exception Codes are error codes that are returned by a Modbus Slave device when it has detected an problem with a command that it received. Exception codes can be generated for several reasons, including bad data values, invalid Modbus function codes, invalid register values and more. Below is a list of standardized Exception codes supported by the Modbus RTU serial protocol.
| Exception Code | Description |
| 01 – Illegal Function | The Function value in the Modbus command query is not supported by the slave device. |
| 02 – Illegal Data Address | The Register Address value in the Modbus command query is not a valid register in the slave device. There is no supported register of that value in the Slave device. |
| 03 – Illegal Data Value | The Data value in the Modbus command query is not supported by the slave device register that is being written to. |
| 04 – Slave Device Failure | An error occurred in the slave device while attempting to perform a requested Modbus function query. |
| 05 – Acknowledge | The Slave device may return an Acknowledge response after receiving a function query that typically takes a long time to execute. The Acknowledge response may be returned before the function is finished performing the request. |
| 06 – Slave Device Busy | The Slave device is busy processing a function or task. The Modbus Master should resend the command query at a later time. |
Finally, when specifying Modbus hardware or software, take a moment to review the documentation for each item and ensure that both the hardware and software will support the necessary functions to operate properly. It is a rare event that there will be problems but this review process will eliminate the possibility of surprises later.
