Understanding Modbus
While Modbus may seem complex at first—especially due to variations in addressing, function codes, Unit IDs, and differences between serial and TCP/IP communication—it becomes much simpler with a solid understanding of the basic principles.
There's often confusion about the terms "Master-Slave" and "Client-Server":
- Master corresponds to Client
- Slave corresponds to Server
A useful memory aid: both "Slave" and "Server" start with the letter "S". The Master (or Client) sends commands and requests data, while the Slave (or Server) responds to these commands and provides the requested data.
There are different variants of Modbus, each with their own configuration requirements:
Modbus RTU:
- Works via serial lines, such as RS-485
- Most commonly used variant in industrial applications
- Unit IDs are always required
Modbus TCP:
- Uses TCP/IP networks for communication
- Popular in modern systems using Ethernet networks
- Unit IDs are optional (but useful for RTU-TCP gateways)
Modbus has four types of registers, each with a specific purpose:
Holding Registers: the most commonly used registers in practice.
Holding registers are versatile registers that can be both read and written by the Master (Client). This makes them particularly useful for storing configuration parameters, setpoints, or other data that needs to be managed by the Master.
Common uses:
- Settings and configurations (e.g., desired temperature in a heating system)
- Setpoints for process control (e.g., motor RPM)
- Calibration data for sensors or measurement instruments
- Status information like alarm thresholds or operational modes
Input registers are updated by the Slave (Server) and can only be read by the Master (Client). These registers are often used to collect data generated by sensors or other measurement equipment.
Common uses:
- Sensor values (temperature, pressure, humidity, flow rates)
- Status information (position, speed, voltage, current)
- Feedback from equipment (e.g., frequency converters, actual operational status)
Because Input Registers are read-only, the Master cannot modify these values, making them ideal for safely monitoring critical system parameters without risk of accidental overwrites.
Coils: Binary outputs (on/off) with a range of 0 to 65535 bits.
Discrete Inputs: Binary inputs (read-only) with a range of 0 to 65535 bits.
Note: In practice, coils and discrete inputs are relatively rarely used. Most systems prefer holding or input registers because these contain 16 bits per address and can be read or written together with other numeric values.
Modbus can address registers in different ways, which often causes confusion:
Internal (Protocol) Addressing:
- All register types have addresses from 0 to 65535
- This is how Modbus actually works internally
- Some systems start at 0, others at 1 (configuration dependent)
Conventional Addressing: Manufacturers and Modbus tools often display addresses with leading digits to distinguish register types:
- Coils (0xxxx): Binary outputs, start at 00000
- Discrete Inputs (1xxxx): Binary inputs (read-only), start at 10000
- Input Registers (3xxxx): Analog inputs (read-only), start at 30000
- Holding Registers (4xxxx): Analog outputs (read/write), start at 40000
The conventional notation (e.g., 30000 for input registers) does not directly correspond to the actual register address. An input register with conventional address 30000/30001 (depending on starting at 0 or 1) refers to actual address 0 in the Modbus protocol.
Example:
- Function Code 3 (FC3) reads holding registers (conventionally starting at 40000)
- Function Code 4 (FC4) reads input registers (conventionally starting at 30000)
- When you enter 40000/40001 to read a holding register, this corresponds to actual address 0
It's important to understand that these conventions impose no technical limitations—they were introduced purely for clarity. The actual registers always have their own address within the full range of 0 to 65535.
While the Modbus protocol technically allows register addresses from 0 to 65535, some devices may only support a subset of these registers. If you try to access a register outside the allowed range, you may receive error messages like:
- Illegal Function: Function code not supported
- Illegal Data Address: Address out of range
Function codes (FCs) in Modbus specify which operations should be performed:
Most important function codes:
- FC 01: Read coils
- FC 02: Read discrete inputs
- FC 03: Read holding registers
- FC 04: Read input registers
- FC 05: Write to a single coil
- FC 06: Write to a single holding register
- FC 15: Write to multiple coils
- FC 16: Write to multiple holding registers
Modbus RTU: Unit ID usage is always required. The Unit ID identifies which device on the bus should process the message. This is necessary because in Modbus RTU, multiple devices share the same serial line, and each device has its own unique Unit ID.
Valid range: 0-247
Modbus TCP: Unit ID usage is optional. If a Unit ID is specified, it's used to identify the specific device at the same IP address. However, if no Unit ID is used, the message is usually accepted by any device, regardless of the address.
When using an RTU-to-TCP converter, you may need to specify a Unit ID to read data from a device on the RTU bus, especially when multiple devices are connected.
- If only one RTU device is connected to the converter, a Unit ID may not be needed (depending on the converter's functionality)
- Some converters translate Unit IDs to other IDs if required
- When a TCP Slave provides data to an RTU Master, the converter must assign a Unit ID to the IP address and port (usually port 502)
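The conventional addressing, function codes, exception messages and Unit ID described above come together in a single Modbus TCP read request and its response. This is an added example, not code from Modbux: the helper names are hypothetical, the frames in use are constructed, and the MBAP header layout is taken from the Modbus TCP specification rather than from this page.

```python
import struct

# Leading digit of a conventional address -> (register type, read function code)
PREFIX = {0: ("coil", 1), 1: ("discrete input", 2),
          3: ("input register", 4), 4: ("holding register", 3)}
# Exception codes for the two error messages named on this page
EXCEPTIONS = {1: "Illegal Function", 2: "Illegal Data Address"}


def to_protocol(conventional, one_based=False):
    """Map e.g. 40001 (one-based) -> (3, 0): read function code, protocol address."""
    prefix, offset = divmod(conventional, 10000)
    if prefix not in PREFIX:
        raise ValueError(f"unknown register prefix in {conventional}")
    address = offset - (1 if one_based else 0)
    if address < 0:
        raise ValueError(f"{conventional} is below the first one-based address")
    return PREFIX[prefix][1], address


def build_read_request(conventional, count, unit_id=1, one_based=False, tid=1):
    """Return a Modbus TCP frame: MBAP header followed by the read PDU."""
    fc, address = to_protocol(conventional, one_based)
    pdu = struct.pack(">BHH", fc, address, count)
    # MBAP: transaction id, protocol id (0), length of unit id + PDU, unit id
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


def parse_register_response(frame):
    """Decode an FC3/FC4 response; raise on a Modbus exception response."""
    if len(frame) < 9:
        raise ValueError("frame too short")
    tid, proto, length, unit_id, fc = struct.unpack(">HHHBB", frame[:8])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    if fc & 0x80:  # exception: request function code with the high bit set
        code = frame[8]
        raise RuntimeError(EXCEPTIONS.get(code, f"exception code {code}"))
    byte_count = frame[8]
    if byte_count != len(frame) - 9 or byte_count % 2:
        raise ValueError("byte count does not match payload")
    return list(struct.unpack(f">{byte_count // 2}H", frame[9:]))
```

Entering 40001 with `one_based=True` and 40000 with `one_based=False` produce the same frame, because both resolve to protocol address 0 under FC 03.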
RS-485 is a serial communication standard commonly used in industrial applications, especially for Modbus RTU. It uses differential signaling, where data is sent via two wires with opposite voltages.
Key features:
- Multi-device support: Can support multiple devices on one network
- Long distances: Communication possible over distances up to 1.2 km at lower speeds
- Differential signaling: Reduces interference and signal degradation, important in industrial environments with electrical noise
RS-485 uses two wires (A and B or D+ and D-). Swapping these wires will prevent communication. Always verify correct polarity when troubleshooting RTU connections.
In computer architecture, big-endian and little-endian refer to how multi-byte values (like 32-bit or 64-bit numbers) are stored and ordered in memory or transmitted via protocols like Modbus.
Big-endian: The most significant word comes first. When storing or sending a 32-bit number, the higher word goes in the first register, and the lower word in the second register.
Example with 32-bit value 0x1234ABCD:
- Register 0 contains 0x1234 (most significant word)
- Register 1 contains 0xABCD (least significant word)
PLC code example (big-endian):
```
registers[0] := dword.W1; // MSW = 16#1234
registers[1] := dword.W0; // LSW = 16#ABCD
```
Little-endian: The least significant word comes first. When storing or sending a 32-bit number, the lower word goes in the first register, and the higher word in the second register.
Example with 32-bit value 0x1234ABCD:
- Register 0 contains 0xABCD (least significant word)
- Register 1 contains 0x1234 (most significant word)
PLC code example (little-endian):
```
registers[0] := dword.W0; // LSW = 16#ABCD
registers[1] := dword.W1; // MSW = 16#1234
```
Note: Modbux provides a BE/LE toggle in the toolbar to handle both formats. See the endianness table by hovering over the toggle button.
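The two word orders described above can be handled on the reading side as follows, including a range check that helps identify which order a device uses when its documentation does not say. This is an added example, not code from Modbux; the function names and the sample register values are constructed for illustration.

```python
import struct


def encode_u32(value, word_order="big"):
    """Split a 32-bit value into two 16-bit registers in the given word order."""
    msw, lsw = (value >> 16) & 0xFFFF, value & 0xFFFF
    return [msw, lsw] if word_order == "big" else [lsw, msw]


def decode32(registers, word_order="big", kind="uint"):
    """Combine two registers into a uint32, int32 or IEEE 754 float32."""
    first, second = registers
    # Big-endian word order: first register is the MSW; little-endian: the LSW
    msw, lsw = (first, second) if word_order == "big" else (second, first)
    raw = struct.pack(">HH", msw, lsw)
    fmt = {"uint": ">I", "int": ">i", "float": ">f"}[kind]
    return struct.unpack(fmt, raw)[0]


def plausible_orders(registers, low, high):
    """Return the word orders under which the float32 reading lies in [low, high]."""
    result = []
    for order in ("big", "little"):
        value = decode32(registers, order, "float")
        if low <= value <= high:  # NaN fails both comparisons and is rejected
            result.append(order)
    return result
```

Decoding `[0x1234, 0xABCD]` with the wrong setting yields `0xABCD1234` rather than an error, which is why a range check against the expected physical value is a useful diagnostic.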